Educause Security Discussion mailing list archives

Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther


From: Omar Herrera <omar_herrera () BANXICO ORG MX>
Date: Tue, 12 Aug 2003 14:31:12 -0500

Jim, 

Antivirus software is of limited use if the patch is not applied as well.
This is because:

1) A machine will get infected again as soon as another infected
machine hits it on port 135 (AV software won't patch the vulnerability;
at least I can confirm that with McAfee).

2) Machines reboot, not because they are infected, but because another
infected machine strikes at port 135 with an exploit designed for
another O.S. version (this crashes the RPC and causes the machine to
reboot). This is only solved with the patch provided by Microsoft. There
is some probability that the worm will use the w2k overflow vector or
the winXP overflow vector (the advisory by Eeye has detailed
information:
http://www.eeye.com/html/Research/Advisories/AL20030811.html)

3) Since the infection rate of this virus is extremely high, it is
common to see more than 5 hits per minute to port 135; in this case,
machines would be rebooting just a few minutes after they were started
(or rebooted the last time). This makes patching extremely
difficult because, sometimes, the patch is unable to finish before
another hit from the virus reboots the machine.

Some tips:

Since SMS uses port 135 and this traffic will be high on most networks,
SMS is almost rendered useless for automatic patching (also the timing
is critical).

Some colleagues have reported to me that they succeeded in installing a
logon script on the domain to successfully patch the machines before
another hit reboots them (it takes nearly 40 seconds).

I've run across some problematic installations of Windows XP + SP1, where
the patch is unable to install and the following error is displayed:
"Setup could not verify the integrity of the file Update.inf. Make sure
the Cryptographic service is running on this computer." The solution is
to rename the following directory: \windows\system32\catroot2 to
anything you like (oldcatroot2 will do fine). After renaming the
directory, reapply the patch; here is the reference:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;822798

I hope this helps,

Omar Herrera, CISSP

Instituto Tecnológico y de Estudios Superiores de Monterrey, 
Mexico City Campus 
Information security topic and laboratory
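The logon-script approach and the catroot2 workaround from the message above, combined into one script as an added example (this is not code from the original thread or from any of the people quoted in it). It assumes, none of which the post states: the patch package is WindowsXP-KB823980-x86-ENU.exe (the MS03-026 package for Windows XP) staged on a hypothetical share \\PATCHSRV\patches; it accepts the standard Update.exe switches /quiet and /norestart and returns 0 on success or 3010 when a reboot is pending; the logon script runs with local administrator rights; and a marker file in %SystemRoot% is used so that already-patched machines exit in well under the roughly 40-second window the post mentions.

```batch
@echo off
rem Added example, not from the original thread. Domain logon script that
rem applies the MS03-026 RPC/DCOM patch before the next port-135 hit can
rem reboot the machine, with the KB822798 catroot2 workaround on failure.
rem Assumed (not in the post): share path, patch file name, Update.exe
rem switches/exit codes, local admin rights, and the marker-file convention.
setlocal
set PATCHSHARE=\\PATCHSRV\patches
set PATCHFILE=WindowsXP-KB823980-x86-ENU.exe
set MARKER=%SystemRoot%\ms03-026.done

rem Fast exit for machines already patched: every second counts while the
rem machine is still exposed on port 135.
if exist "%MARKER%" goto :eof

rem This package is for Windows XP (version 5.1) only; other versions need
rem their own MS03-026 package, so skip them rather than fail noisily.
ver | find "5.1" >nul || goto :eof

rem First attempt, silent and without the installer's own reboot prompt.
"%PATCHSHARE%\%PATCHFILE%" /quiet /norestart
if %errorlevel%==0 goto :done
if %errorlevel%==3010 goto :done

rem Installer failed. Apply the KB822798 workaround: stop the Cryptographic
rem Services, rename catroot2 so Windows rebuilds it, restart the service,
rem then retry the patch once.
net stop cryptsvc
if exist "%SystemRoot%\system32\catroot2" ren "%SystemRoot%\system32\catroot2" oldcatroot2
net start cryptsvc
"%PATCHSHARE%\%PATCHFILE%" /quiet /norestart
if %errorlevel%==0 goto :done
if %errorlevel%==3010 goto :done
rem Still failing: leave no marker so the next logon retries, and record it
rem (assumes the share allows the user to append to this log file).
echo %DATE% %TIME% %COMPUTERNAME% MS03-026 failed, exit %errorlevel% >> "%PATCHSHARE%\failures.log"
goto :eof

:done
rem Record success so later logons skip everything above, then reboot on
rem our own terms so the patched RPC runtime is loaded before the next hit.
echo %DATE% %TIME% > "%MARKER%"
shutdown -r -t 30 -c "MS03-026 applied, rebooting"
endlocal
```

The marker file is written only after the installer reports success (exit 0 or 3010), so a run that is cut short by a worm-induced reboot simply repeats on the next logon; the controlled shutdown at the end replaces the random reboot the worm would otherwise trigger.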



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On behalf of Jim Moore
Sent: Tuesday, 12 August 2003 12:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interactions of AntiVirus and MBlaster/Lovsan-A &
Stealther

I am trying to understand how far Stealther and MBlaster/Lovsan-A get
before the latest antivirus intercepts them. What has alarmed me is that
I have some reports of a reboot preceding the A/V warning.

Also, I am assuming that the most effective is when A/V is set to scan
on every write. However, you know that impacts performance and a lot of
people slide back to scanning at lunch time, or in the evening. I
assume that means that is then the window of opportunity for MBlaster.

I am not an A/V expert, can someone validate assumptions, and describe
how you handle it in communication to your end user community?

Jim
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C
D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
