Full Disclosure mailing list archives

Re: Blaster: will it spread without tftp?


From: Russell Fulton <r.fulton () auckland ac nz>
Date: 13 Aug 2003 16:17:22 +1200

On Wed, 2003-08-13 at 14:13, Nick FitzGerald wrote:
> "Maarten" <subscriptions () hartsuijker com> wrote:
>
>> I was wondering about the following scenario:
>> <<snip>>
>> - since these other vulnerable systems are using a proxy server to connect
>> to the internet and a firewall prevents all other connections, tftp servers
>> on the Internet can not be accessed
>
> Good up to here, but then...
>
>> - since tftp servers can not be accessed, msblaster.exe can not be
>> downloaded
>
> No.
>
> When the worm connects from its current victim to a new, vulnerable
> host it tells the new victim to TFTP the worm's .EXE from the current
> victim machine where the worm briefly sets up a TFTP thread to serve
> its .EXE.

I can confirm this.  We block tftp at the gateway (as well as all the MS
ports 135-139, 445 etc.).  An infected laptop was brought on to the
internal network and half an hour later we had 500 infected systems and
a very soggy network.

Note that those 500 were out of a total of 7500; we had managed to get
the rest patched. Another week and we would have only had a handful.
Yes, we are now investigating how we can speed up patch deployment ;-)

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
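
The propagation step described in this message (an infected host connects to a new host, which then fetches the .EXE over TFTP from the host that just connected to it) leaves a recognisable pattern in internal flow logs even when TFTP is blocked at the gateway. The sketch below is an added example, not part of the original post: the flow records are constructed, and the tuple layout, the 60-second window and the function names are assumptions.

```python
# Constructed flow records: (epoch seconds, src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    (100, "10.1.1.50", "10.1.2.7", "tcp", 135),  # laptop connects to a host
    (103, "10.1.2.7", "10.1.1.50", "udp", 69),   # host fetches a file back via TFTP
    (110, "10.1.1.50", "10.1.2.8", "tcp", 135),  # connect, no fetch (patched host)
    (200, "10.1.2.7", "10.1.3.9", "tcp", 135),   # second generation
    (204, "10.1.3.9", "10.1.2.7", "udp", 69),
    (300, "10.1.4.4", "10.1.9.1", "udp", 69),    # unrelated TFTP, no prior connect
    (900, "10.1.2.8", "10.1.1.50", "udp", 69),   # outside the correlation window
]

MS_PORTS = set(range(135, 140)) | {445}  # the MS ports named in the message
TFTP_PORT = 69                           # TFTP requests go to UDP/69
WINDOW = 60                              # assumed correlation window, seconds


def find_pullbacks(flows, window=WINDOW):
    """Return (server, fetcher, time) for each TFTP request sent back to a host
    that connected to the requester on an MS port within `window` seconds."""
    last_inbound = {}  # (src, dst) -> time of the latest MS-port connection
    hits = []
    for ts, src, dst, proto, port in sorted(flows):
        if proto == "tcp" and port in MS_PORTS:
            last_inbound[(src, dst)] = ts
        elif proto == "udp" and port == TFTP_PORT:
            seen = last_inbound.get((dst, src))  # look up the reverse direction
            if seen is not None and 0 <= ts - seen <= window:
                hits.append((dst, src, ts))
    return hits


def infection_tree(hits):
    """Map each serving host to the hosts that fetched from it."""
    tree = {}
    for server, fetcher, _ in hits:
        tree.setdefault(server, []).append(fetcher)
    return tree


def patient_zero(hits):
    """Hosts that served the file but were never seen fetching it themselves."""
    servers = {s for s, _, _ in hits}
    fetchers = {f for _, f, _ in hits}
    return sorted(servers - fetchers)


if __name__ == "__main__":
    hits = find_pullbacks(SAMPLE_FLOWS)
    print(infection_tree(hits), patient_zero(hits))
```

On a real network the same correlation would run over NetFlow or firewall logs from internal segments, since the gateway never sees this traffic.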
