RE: another new worm submission

["Perrymon, Josh L." <PerrymonJ () bek com>]

I agree.

Anyone that would have those ports open has a *lot more to worry about that
cleaning a few worm infections.
That's not the case here. This infection was caused by a remote user not a
Lan user.
With several hundred laptops it's hard have 0 exposure. As with any growing
security 
practice and today's decreased budgets areas of focus are determined on risk
exposure.

Anywho-
I found the Trojan to be backdoor.nibu.g- although Symantec AV didn't pick
it up until tonight.

I think this is a good example that perimeter security is only part of the
battle. 
Tomorrow's morning meeting will stress the importance of desktop firewalls
again and a good patch management process.
You can talk until your blue in the face to upper management but I find 90%
to be reactive.

Oh well-

JP





-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: Saturday, June 05, 2004 5:38 PM
To: Jerry Heidtke
Cc: Paul Schmehl; full-disclosure () netsys com
Subject: Re: [Full-disclosure] another new worm submission



        [SNIP]

> > > How are these system getting compromised? Why don't you have this patch
> > > deployed yet? Why are these systems reachable from the Internet over
> > > port
> > > 445?
> > For someone who knows nothing about his network, you sure are willing
> > to make a lot of assumptions. You admit you don't know how the systems
> > were compromised and you don't know what compromised them, yet you
> > castigate him for leaving port 445 open and not patching and you
> > assume this happened *remotely*?
> > >


        [SNIP]

> You're right, I made an assumption that the systems were being
> compromised remotely rather than being deliberately and maliciously
> hacked by insiders. Would this somehow be less of a problem? Having
> systems with routable addresses reachable through port 445 is the most
> likely avenue of compromise, if this is not the case then Josh would be
> well advised to determine exactly what is going on with his network.

Agreed here, anyone sitting with exposed windows specific ports on the
insecure Internet <e.g. 445, 135-139, udp as well as tcp, etc> is pretty
much deserving of what hits them these days.  Without tackling that
side of the coin, it's going to be pretty hard for these folks to
determine if the troubles they are facing is internal or not.
Without control of the perimiter choke point, how can one even
think to start to look at controls of the whole danged wire inside?
Perhaps we need to adapt  personal firewall day to a monthly thing for
the next 5 years or more to help these clueless souls.

        [SNIP]

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html