Full Disclosure mailing list archives
RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
From: "Mike" <mjcarter () ihug co nz>
Date: Wed, 13 Aug 2003 21:21:51 +1200
The reason I mentioned being at home is that if the users are on corporate LANs they are then tied to the restrictions of that network and its policies, which quite often means "we control you, you don't have any control". I agree with you, it's there and should be used (where appropriate), at home for instance. I also agree with other postings I've seen that mention a "certain level of skill required". The problem with trying to educate users at any level is that they are normally too busy making deadlines (unless they have a personal interest), don't want to know or don't care, and are told by those above them that IT is there to do it for them!

Cheers
Mike

-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com]
Sent: Wednesday, 13 August 2003 6:53 a.m.
To: Chris Garrett
Cc: Richard Stevens; full-disclosure () lists netsys com; Mike
Subject: RE: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

Chris,

#That's only good if you're at home and they would also need to be savvy
#enough to know how to configure it properly

2000 and XP have built-in IP packet filters. XP has a "personal firewall". I'm not sure what being at home (or being elsewhere) has to do with it, but the fact remains that the technology is there.

The packet filtering is rather IP-chains like; it's completely stateless, and configuration is a manual process requiring basic TCP/IP knowledge. Once you turn on the packet filtering, you either allow all, or deny all and then allow specific ports (unidirectional, TCP, UDP, and "IP"). XP's "firewall" has several pre-defined higher layer protocols that you can enable with a checkbox, and is a bit more user-friendly in terms of distinguishing between inbound and outbound traffic.

Regardless of ease of use: it's there, it's free, and fully functional.

Cheers,
Arian

#
#-----Original Message-----
#From: full-disclosure-admin () lists netsys com
#[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Richard Stevens
#Sent: Tuesday, 12 August 2003 11:15 p.m.
#To: Chris Garrett; full-disclosure () lists netsys com
#Subject: RE: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
#
#
#I must be missing something here... xp home & pro both have a "click and forget" firewall?
#
#why aren't people using it?
#
#
#  -----Original Message-----
#  From: Chris Garrett [mailto:somatose () cox net]
#  Sent: Tue 12/08/2003 05:59
#  To: full-disclosure () lists netsys com
#  Cc:
#  Subject: Re: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
#
#
#  I had a friend infected with the worm earlier today, at about 17:00EST. He was running Windows XP Home edition. He called me because his computer had been rebooting "spontaneously," and whenever he would go to google to search for a strange binary he saw [msblast.exe], he either found nothing or was mysteriously redirected to some strange website. At least, I believe that was his description. I hadn't seen any reports of MSBlast on FD before this point, but I was almost certain it was a worm of some sort using the DCOM RPC exploit. I had him check the registry, remove the keys, and delete .*msblast.*. I also had him disable DCOM, since I doubted he was using anything that utilized it, then directed him to the MS03-26 patch. This was all based on a guess that he was infected by something DCOM related [makes sense given the massive publicity and severity of this vulnerability]. I wasn't certain if any other files were corrupted at the time, but those simple measures seemed to do the job. Imagine my surprise when 10 minutes later, I receive an FD email reporting the release of a worm identified by an msblast binary.
#
#  My friend also reported to me that /somehow/ his Norton Auto-Protect had been disabled. Now, I don't know if that was the worm [as I've not seen any analyses thus far to suggest that the worm does that], or if it was something he had disabled, accidentally, at some point.
#
#  In short, XP is affected, as well. And I would imagine his computer kept rebooting because other systems within the class B range he was on were constantly probing his system and trying the 2K offset, and not because of the worm that had already infected his system [which was my original, incorrect, impression, before the analyses put out by ISC, XFocus, and Norton].
#
#  Christopher Garrett III
#  Inixoma, Incorporated
#
#  _______________________________________________
#  Full-Disclosure - We believe in it.
#  Charter: http://lists.netsys.com/full-disclosure-charter.html
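As an added illustration that is not part of any message in this thread: a small Python model of the stateless "deny all, then allow specific ports" filter Arian describes, showing why it stops an inbound probe of the DCOM RPC endpoint mapper yet needs the ephemeral port range opened before ordinary browsing works. The rule tuples, packets and port numbers are constructed for the example, not real Windows configuration syntax; TCP/135 as the RPC endpoint mapper port and 1025-5000 as the classic pre-Vista Windows ephemeral range are general facts, not taken from the thread.

```python
"""Stateless, unidirectional allow-list filter: every packet is judged on its
own header, so the reply to an outbound connection is just another inbound
packet. Constructed example, not Windows configuration syntax."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

Rule = Tuple[str, str, int]  # (proto, direction, destination port)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    direction: str  # "in" (towards this host) or "out" (from this host)
    src_port: int
    dst_port: int


class StatelessFilter:
    """Deny all, then allow specific (proto, direction, port) triples."""

    def __init__(self, allow: Iterable[Rule]):
        self.allow: Set[Rule] = set(allow)

    def permits(self, p: Packet) -> bool:
        # No connection table: only the packet's own fields are consulted.
        return (p.proto, p.direction, p.dst_port) in self.allow


def decisions(fw: StatelessFilter) -> Dict[str, bool]:
    """Constructed traffic: a worm-style probe of TCP/135 (DCOM RPC endpoint
    mapper), an outbound web request from ephemeral port 3021, and the
    server's reply to that request."""
    return {
        "probe_tcp135": fw.permits(Packet("tcp", "in", 4444, 135)),
        "browse_out": fw.permits(Packet("tcp", "out", 3021, 80)),
        "browse_reply": fw.permits(Packet("tcp", "in", 80, 3021)),
    }


# Only outbound web allowed: the probe is dropped, but so is the reply the
# browser is waiting for, because the filter cannot tie it to the request.
NAIVE = StatelessFilter([("tcp", "out", 80)])

# The manual fix a stateless filter forces on you: also admit inbound
# traffic to the ephemeral range (1025-5000, the classic Windows default).
# Browsing now works and TCP/135 stays closed, at the cost of every high
# port being reachable from outside.
EPHEMERAL = range(1025, 5001)
WORKING = StatelessFilter([("tcp", "out", 80)] +
                          [("tcp", "in", p) for p in EPHEMERAL])
```

Running `decisions(NAIVE)` and `decisions(WORKING)` side by side shows the trade-off: the probe is refused by both rule sets, but only the second lets the web reply back in.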