Full Disclosure mailing list archives
RE: smarter dcom worm
From: Joey <joey2cool () yahoo com>
Date: Wed, 13 Aug 2003 14:08:18 -0700 (PDT)
...or AV/Firewall killing.

msblast is very sloppy. The fact that it uses the old code that reboots the computer ruined their hopes of spreading undetected. Now if you are unpatched, chances are (random IP generating taken into account), your computer will reboot at least once a day or more. Some people might just shut their computer off and call for repair, not realizing that the problem is because they are connected to the internet.

Overall I think Microsoft is to blame for allowing the RPC service to be available on the internet. They are saying it was never meant to be on the internet, yet their NT line has always been designed for internet use. Even with the patch, port 135 is still open. You have no option to close that port if you are installing a fresh copy of Windows. With other OSs (like Linux) you have a complete list of packages that you can enable or disable, while Microsoft hides most. They even force you to install their crappy Windows Messenger program (which also listens on ports). Now you need to first be disconnected from the internet while you enable the firewall so you won't get rooted automatically!

Hasn't Microsoft gotten wise that their products are full of security holes? What other OS/webserver/browsers have more buffer overflows with arbitrary code execution than those developed by MS? I don't believe this trend will stop as their current policy on the RPC vulnerability and blaster worm was that the RPC service should never be exposed to the internet. Why isn't it then at least limited to localhost or LAN connections?

Since the exploit was released for the most "important" service in Windows that supposedly makes Windows impossible to run if you disable it, I think Microsoft has no credibility to say their OSs are secure or "most secure version of windows ever" because there is NO SECURITY. Their server line is a joke as well because the exploit affected them too. Think of someone with a limited user account at a university or corporate Windows 2000/2003 Active Directory managed network. With an unpatched DC, they would have the ability to have unrestricted access to everyone else's accounts etc. by rooting it. Changing grades, stealing financial information etc.

Just my two cents.

--- gml wrote:
> Maybe even some polymorphic code and PE injection.