Educause Security Discussion mailing list archives
Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther
From: Omar Herrera <omar_herrera () BANXICO ORG MX>
Date: Tue, 12 Aug 2003 14:31:12 -0500
Jim,

Antivirus software is limited if the patch is not applied as well. This is because:

1) A machine will get infected again as soon as another infected machine hits it on port 135 (AV software won't patch the vulnerability; at least I can confirm that with McAfee).

2) Machines reboot, not because they are infected, but because another infected machine strikes at port 135 with an exploit designed for another O.S. version (this crashes the RPC service and causes the machine to reboot). This is only solved with the patch provided by Microsoft. There is some probability that the worm will use the w2k overflow vector or the winXP overflow vector (the advisory by eEye has detailed information: http://www.eeye.com/html/Research/Advisories/AL20030811.html).

3) Since the infection rate of this virus is extremely high, it is common to see more than 5 hits per minute to port 135; in this case, machines would be rebooting just a few minutes after they were started (or rebooted the last time). This makes patching extremely difficult because, sometimes, the patch is unable to finish before another hit from the virus reboots the machine.

Some tips:

Since SMS uses port 135 and this traffic will be high on most networks, SMS is almost rendered useless for automatic patching (also, the timing is critical).

Some colleagues have reported to me that they succeeded in installing a logon script on the domain to patch the machines before another hit reboots them (it takes nearly 40 seconds).

I've run across some problematic installations of Windows XP + SP1, where the patch is unable to install and the following error is displayed: "Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer."

The solution is to rename the following directory: \windows\system32\catroot2 to anything you like (oldcatroot2 will do fine). After renaming the directory, reapply the patch; here is the reference: http://support.microsoft.com/default.aspx?scid=kb;EN-US;822798

I hope this helps,

Omar Herrera, CISSP
Instituto Tecnológico y de Estudios Superiores de Monterrey, Mexico City Campus
Information security topic and laboratory
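As an added example, not code from the thread or from either poster, here is a cmd.exe domain logon script in the spirit of the one Omar's colleagues describe: it installs the RPC/DCOM hotfix the worm exploits (MS03-026, KB823980) as quickly as possible and falls back to the catroot2 workaround from KB822798 if the installer fails. The share \\PATCHSRV\patches, the assumption that the installer returns a non-zero exit code on failure, and the use of the $NtUninstallKB823980$ folder as a "done" marker are assumptions made for this example; the installer file names are the standard ones Microsoft shipped for XP and Windows 2000.

```batch
@echo off
setlocal
rem ---------------------------------------------------------------------
rem Added example, not code from the thread: an emergency domain logon
rem script that applies the MS03-026 RPC/DCOM hotfix (KB823980) before the
rem next port-135 hit reboots the machine, with the KB822798 catroot2
rem workaround as a fallback. ASSUMPTIONS: the hotfix installers have been
rem copied to \\PATCHSRV\patches (share name is made up), and the script
rem runs with local Administrator rights (a logon script runs as the user;
rem use a machine startup script or an admin account where that fails).
rem ---------------------------------------------------------------------
set PATCHDIR=\\PATCHSRV\patches

rem Already patched? The hotfix installer creates this uninstall folder
rem unless it was run with -n, so its presence is a cheap "done" marker.
if exist "%SystemRoot%\$NtUninstallKB823980$" (
    echo KB823980 already installed, nothing to do.
    goto :eof
)

rem Pick the installer for this OS from the "ver" banner:
rem   Microsoft Windows XP [Version 5.1.2600]     -> Windows XP
rem   Microsoft Windows 2000 [Version 5.00.2195]  -> Windows 2000
set PKG=
ver | find "5.1." >nul && set PKG=WindowsXP-KB823980-x86-ENU.exe
ver | find "5.00." >nul && set PKG=Windows2000-KB823980-x86-ENU.exe
if not defined PKG (
    echo Unsupported Windows version, not patching.
    goto :eof
)

rem Quick infection check: the original Blaster/Lovsan-A dropper lives at
rem %SystemRoot%\system32\msblast.exe. The patch still goes on; AV cleans.
if exist "%SystemRoot%\system32\msblast.exe" echo WARNING: msblast.exe present, %COMPUTERNAME% is infected.

rem Install quietly (-q) and force open programs closed (-f). No -z: let
rem the installer reboot as soon as it finishes, because the replaced RPC
rem files only take effect after a reboot and the worm will reboot the
rem box anyway. The whole run must finish inside the interval between hits.
"%PATCHDIR%\%PKG%" -q -f
if not errorlevel 1 goto :eof

rem Install failed. On XP SP1 the usual cause is "Setup could not verify
rem the integrity of the file Update.inf" (KB822798): stop the
rem Cryptographic service, rename catroot2, restart the service, retry.
rem ASSUMPTION: the installer returns a non-zero exit code on that failure.
net stop cryptsvc
if exist "%SystemRoot%\system32\oldcatroot2" rd /s /q "%SystemRoot%\system32\oldcatroot2"
ren "%SystemRoot%\system32\catroot2" oldcatroot2
net start cryptsvc
"%PATCHDIR%\%PKG%" -q -f
if errorlevel 1 echo KB823980 install failed twice on %COMPUTERNAME%, patch manually.
endlocal
```

Two caveats a practitioner would want: a logon script runs with the logging-in user's rights, so on machines where users are not local administrators this has to be delivered as a computer startup script (or run under an admin account) to be able to replace system files; and the hotfix does not protect the machine until the reboot it triggers, so a box that is hit between the install finishing and the reboot will still fall over, which is why the script does not suppress the reboot with -z.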
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On behalf of Jim Moore
Sent: Tuesday, August 12, 2003 12:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther

I am trying to understand how far Stealther and MBlaster/Lovsan-A get before the latest antivirus intercepts them. What has alarmed me is that I have some reports of a reboot preceding the A/V warning. Also, I am assuming that the most effective is when A/V is set to scan on every write. However, you know that impacts performance, and a lot of people slide back to scanning at lunch time, or in the evening. I assume that means that is then the window of opportunity for MBlaster. I am not an A/V expert; can someone validate assumptions, and describe how you handle it in communication to your end user community?

Jim

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther Jim Moore (Aug 12)
- <Possible follow-ups>
- Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther Gary Dobbins (Aug 12)
- Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther Jim Moore (Aug 12)
- Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther Omar Herrera (Aug 12)