Full Disclosure mailing list archives

RE: smarter dcom worm


From: Joey <joey2cool () yahoo com>
Date: Wed, 13 Aug 2003 14:08:18 -0700 (PDT)

...or AV/Firewall killing.

msblast is very sloppy. The fact that it uses the old code that reboots the computer ruined their hopes of spreading undetected. Now if you are unpatched, chances are (random IP generating taken into account), your computer will reboot at least once a day or more. Some people might just shut their computer off and call for repair, not realizing that the problem is because they are connected to the internet.

Overall I think Microsoft is to blame for allowing the RPC service to be available on the internet. They are saying it was never meant to be on the internet, yet their NT line has always been designed for internet use. Even with the patch, port 135 is still open. You have no option to close that port if you are installing a fresh copy of Windows. With other OSs (like Linux) you have a complete list of packages that you can enable or disable, while Microsoft hides most. They even force you to install their crappy Windows Messenger program (which also listens on ports). Now you need to first be disconnected from the internet while you enable the firewall so you won't get rooted automatically!

Hasn't Microsoft gotten wise that their products are full of security holes? What other OS/webserver/browsers have more buffer overflows with arbitrary code execution than those developed by MS? I don't believe this trend will stop as their current policy on the RPC vulnerability and blaster worm was that the RPC service should never be exposed to the internet. Why isn't it then at least limited to localhost or LAN connections?

Since the exploit was released for the most "important" service in Windows that supposedly makes Windows impossible to run if you disable it, I think Microsoft has no credibility to say their OSs are secure or "most secure version of windows ever" because there is NO SECURITY. Their server line is a joke as well because the exploit affected them too. Think of someone with a limited user account at a university or corporate Windows 2000/2003 Active Directory managed network. With an unpatched DC, they would have the ability to have unrestricted access to everyone else's accounts etc. by rooting it. Changing grades, stealing financial information, etc.

Just my two cents.

--- gml wrote:
> Maybe even some polymorphic code and PE injection.
