Full Disclosure mailing list archives
RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 12 Aug 2003 13:52:52 -0500
Chris,

#That's only good if you're at home and they would also need to be savvy
#enough to know how to configure it properly

2000 and XP have built-in IP packet filters. XP has a "personal firewall". I'm not sure what being at home (or being elsewhere) has to do with it, but the fact remains that the technology is there.

The packet filtering is rather IP-chains like; it's completely stateless, and configuration is a manual process requiring basic TCP/IP knowledge. Once you turn on the packet filtering, you either allow all, or deny all and then allow specific ports (unidirectional, TCP, UDP, and "IP").

XP's "firewall" has several pre-defined higher layer protocols that you can enable with a checkbox, and is a bit more user-friendly in terms of distinguishing between inbound and outbound traffic.

Regardless of ease of use: it's there, it's free, and fully functional.

Cheers,
Arian

#-----Original Message-----
#From: full-disclosure-admin () lists netsys com
#[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Richard Stevens
#Sent: Tuesday, 12 August 2003 11:15 p.m.
#To: Chris Garrett; full-disclosure () lists netsys com
#Subject: RE: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
#
#I must be missing something here... xp home & pro both have a "click and forget" firewall?
#
#why aren't people using it?
#
#   -----Original Message-----
#   From: Chris Garrett [mailto:somatose () cox net]
#   Sent: Tue 12/08/2003 05:59
#   To: full-disclosure () lists netsys com
#   Cc:
#   Subject: Re: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
#
#   I had a friend infected with the worm earlier today, at about 17:00 EST. He was running Windows XP Home edition. He called me because his computer had been rebooting "spontaneously," and whenever he would go to google to search for a strange binary he saw [msblast.exe], he either found nothing or was mysteriously redirected to some strange website. At least, I believe that was his description. I hadn't seen any reports of MSBlast on FD before this point, but I was almost certain it was a worm of some sort using the DCOM RPC exploit. I had him check the registry, remove the keys, and delete .*msblast.*. I also had him disable DCOM, since I doubted he was using anything that utilized it, then directed him to the MS03-26 patch. This was all based on a guess that he was infected by something DCOM related [makes sense given the massive publicity and severity of this vulnerability]. I wasn't certain if any other files were corrupted at the time, but those simple measures seemed to do the job. Imagine my surprise when 10 minutes later, I receive an FD email reporting the release of a worm identified by an msblast binary.
#
#   My friend also reported to me that /somehow/ his Norton Auto-Protect had been disabled. Now, I don't know if that was the worm [as I've not seen any analyses thus far to suggest that the worm does that], or if it was something he had disabled, accidentally, at some point.
#
#   In short, XP is affected, as well. And I would imagine his computer kept rebooting because other systems within the class B range he was on were constantly probing his system and trying the 2K offset, and not because of the worm that had already infected his system [which was my original, incorrect, impression, before the analyses put out by ISC, XFocus, and Norton].
#
#   Christopher Garrett III
#   Inixoma, Incorporated
#
#   _______________________________________________
#   Full-Disclosure - We believe in it.
#   Charter: http://lists.netsys.com/full-disclosure-charter.html
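Chris attributes the reboots to neighbouring hosts constantly probing his friend's machine, and Arian points at the XP firewall. The added example below is not from the thread: it parses lines in the layout of XP's Internet Connection Firewall log (pfirewall.log, field list assumed) and picks out the sources whose blocked connection attempts to the RPC endpoint mapper port (TCP/135) cross a threshold, which is what a defender would check before deciding whether the noise is coming from the local network. All sample lines, addresses and times are constructed.

```python
from collections import Counter

# Constructed sample lines in the layout of Windows XP's Internet Connection
# Firewall log (pfirewall.log). The field list is an assumption about that
# format; the addresses, times and counts are made up for this example.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 17:00:01 DROP TCP 10.1.7.20 10.1.9.5 3344 135 48 S 1043011 0 65535 - - -
2003-08-12 17:00:01 DROP TCP 10.1.7.20 10.1.9.5 3345 135 48 S 1043012 0 65535 - - -
2003-08-12 17:00:02 DROP TCP 10.1.7.20 10.1.9.5 3346 135 48 S 1043013 0 65535 - - -
2003-08-12 17:00:02 DROP UDP 10.1.7.20 10.1.9.5 1025 69 60 - - - - - - -
2003-08-12 17:00:03 DROP TCP 10.1.7.20 10.1.9.5 3347 135 48 S 1043014 0 65535 - - -
2003-08-12 17:00:05 OPEN TCP 10.1.9.5 192.0.2.10 3350 80 0 - - - - - - -
2003-08-12 17:00:06 DROP TCP 10.1.7.99 10.1.9.5 2201 135 48 S 2200001 0 65535 - - -
"""

RPC_ENDPOINT_MAPPER_PORT = 135  # TCP port the DCOM RPC exploit in the thread targets


def parse_icf_log(text):
    """Turn ICF log text into a list of dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines and anything before the header
        records.append(dict(zip(fields, values)))
    return records


def find_rpc_probers(records, threshold=3):
    """Return [(src_ip, count), ...] for sources with >= threshold dropped TCP/135 attempts."""
    hits = Counter(
        r["src-ip"] for r in records
        if r["action"] == "DROP" and r["protocol"] == "TCP"
        and r["dst-port"] == str(RPC_ENDPOINT_MAPPER_PORT)
    )
    return sorted(
        ((ip, n) for ip, n in hits.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )
```

Run against a real pfirewall.log, the source list tells you whether the probes come from your own /16 (as Chris suspected) or from elsewhere, and lowering the threshold surfaces the quieter sources.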