Full Disclosure mailing list archives
Re: Blaster: will it spread without tftp?
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 13 Aug 2003 16:17:22 +1200
On Wed, 2003-08-13 at 14:13, Nick FitzGerald wrote:
> "Maarten" <subscriptions () hartsuijker com> wrote:
>
> > I was wondering about the following scenario:
> > <<snip>>
> > - since these other vulnerable systems are using a proxy server to connect to the internet and a firewall prevents all other connections, tftp servers on the Internet can not be accessed
>
> Good up to here, but then...
>
> > - since tftp servers can not be accessed, msblaster.exe can not be downloaded
>
> No. When the worm connects from its current victim to a new, vulnerable host it tells the new victim to TFTP the worm's .EXE from the current victim machine where the worm briefly sets up a TFTP thread to serve its .EXE.
I can confirm this. We block tftp at the gateway (as well as all the MS ports 135-139, 445 etc.). An infected laptop was brought on to the internal network and half an hour later we had 500 infected systems and a very soggy network.

Note that those 500 were out of a total of 7500; we had managed to get the rest patched. Another week and we would have only had a handful.

Yes we are now investigating how we can speed up patch deployment ;-)

--
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
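An added example, not part of the original message or the list archive: because the new victim pulls the .EXE over TFTP from the host that just contacted it, the spread is visible in internal flow records even when the gateway blocks TFTP. The sketch below assumes flow records with the fields shown, a 10.0.0.0/8 internal range, TCP 135 as the initial contact port (one of the MS ports named above) and a 60-second pairing window; all sample records are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "ts src dst proto dport")

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's internal range
RPC_PORT, TFTP_PORT = 135, 69
WINDOW = 60  # assumed max seconds between the inbound contact and the TFTP fetch

# Constructed sample flow records (ts in seconds), not real capture data.
SAMPLE_FLOWS = [
    Flow(100, "10.1.1.5", "10.1.2.9", "tcp", 135),   # laptop contacts desktop
    Flow(103, "10.1.2.9", "10.1.1.5", "udp", 69),    # desktop fetches from laptop
    Flow(110, "10.1.1.5", "10.1.2.10", "tcp", 135),  # patched host: no fetch follows
    Flow(200, "10.1.3.3", "10.1.9.9", "udp", 69),    # TFTP with no prior contact
    Flow(300, "10.1.2.9", "10.1.4.4", "tcp", 135),
    Flow(500, "10.1.4.4", "10.1.2.9", "udp", 69),    # outside WINDOW: not paired
    Flow(600, "10.1.2.9", "10.1.4.7", "tcp", 135),   # second hop
    Flow(602, "10.1.4.7", "10.1.2.9", "udp", 69),
]

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def find_internal_spread(flows, window=WINDOW):
    """Return (source, victim, ts) for each internal host that made a TFTP
    request to a peer that had just connected to it on TCP 135."""
    last_contact = {}  # (src, dst) -> time of most recent TCP/135 connection
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        if not (is_internal(f.src) and is_internal(f.dst)):
            continue  # gateway rules cover the border; this looks inside it
        if f.proto == "tcp" and f.dport == RPC_PORT:
            last_contact[(f.src, f.dst)] = f.ts
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            seen = last_contact.get((f.dst, f.src))  # reversed direction
            if seen is not None and f.ts - seen <= window:
                hits.append((f.dst, f.src, f.ts))
    return hits

def hosts_serving_tftp(flows):
    """Internal hosts that acted as the TFTP source for at least one peer."""
    return sorted({src for src, _, _ in find_internal_spread(flows)})

if __name__ == "__main__":
    for src, victim, ts in find_internal_spread(SAMPLE_FLOWS):
        print(f"t={ts}: {victim} requested TFTP from {src} after TCP/135 contact")
```

Hosts returned by `hosts_serving_tftp` are the ones to isolate first, since each has already served at least one peer.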