Full Disclosure mailing list archives
RE: Zotob Worm Remover
From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 22 Aug 2005 16:44:43 -0500
James, I agree with you. It was n3td3v that stated the following - "The wireless devices were most likely the primary source of the spread. Media outlets are reporting wireless devices were only an accessory to the spread of the worm." I agree with Jan, that host based IPS could have stopped this. Cisco's CSA is a good example of this type of technology. Host based IPS system are commonly seen as anti-rootkit solutions, which is also a very very good thing to have. But patch management should not be overlooked just because you have a host IPS. The host IPS will give you time to patch, but patch management is the last line of defense for vulns. I never said it should be the first or only line of defense. I am very firm believer in the defense in depth methodology. -Todd
-----Original Message----- From: James Tucker [mailto:jftucker () gmail com] Sent: Monday, August 22, 2005 4:08 PM To: Todd Towles Cc: Ron DuFresne; full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Zotob Worm Remover It seems to me that the attack was less than a week old from the start date. Default settings on a relatively unchanged box would provide a suitable window of opportunity given the availability of the worm to the deployer. This is more important than network connectivity, which is not of security concern as this is not the exploited layer. Disconnecting networks is what you suggest when you're in trouble, not when you're trying to maintain the daily balance of cost vs function. Moreover, wireless is recieving the blame - however this will only continue whilst your laptop is the device you are using. Eventually will you blame the mobile phone companies for allowing "dangerous traffic" to flow through the repeaters? What about sattelite links - should we filter those and knock the latency up another notch? No, it's the software, once again. Connectivity increases exposure, it doesn't decrease security - the two are not one and the same. 1000 laptops in a city centre network becoming infected less than a week from update release would be unsuprising (read: defaults are once a week at 3). The security of these laptops was not compromised by the wireless presence, it was a medium of travel only. Now lets say, we go back in time and remove all of the wireless NIC's. Now, there are only 750 laptops cause we can't generate as much revenue (joke), and of these they're all still connected, just with a different medium. The medium is (specification)centralised and routable in the same manner (ah, so the medium can have 'implications' ;) - the infection rate is the same. Why? because they are all connected. It's BEING CONNECTED not BEING WIRELESS that's the issue here. Yes you may argue, pointlessly however, that wireless has increased average connectivity, however once again, this is only a medium. It's business/personal drive that requires connectedness, not the technology itself. Todd Towles wrote:This is correct for the first day, maybe two. Thenunpatched laptopsleave the corporate network, hit the internet outside thefirewall andthen bring the worm back right to the heart of the network the very next day, bypassing the firewall all together. Firewall is just one step..it isn't a solve all. Patching would be the only way to stop this threat in all vectors. That was my point. If you aren't blocking 445 on the border of your network, you have must worse problems with Zotob.-----Original Message----- From: Ron DuFresne [mailto:dufresne () winternet com] Sent: Monday, August 22, 2005 3:15 PM To: Todd Towles Cc: n3td3v; full-disclosure () lists grok org uk Subject: RE: [Full-disclosure] Zotob Worm Remover On Mon, 22 Aug 2005, Todd Towles wrote:Wireless really isn't a issue. You can get a worm from acat 5 as easyas you can from wireless. The problem was they weren'tpatched. Whyweren't they patched? Perhaps Change policy slowed themdown, perhapsit was the fear of broken programs..perhaps it was the QAgroup..itdoesn't really matter. They go the worm because they werenot patched. And because they didn't properly filter port 445 is myunderstanding.Unpatched systems behind FW's that fliter 445 were untouched. Thanks, Ron DuFresne -- "Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything._______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: Zotob Worm Remover, (continued)
- RE: Zotob Worm Remover Ron DuFresne (Aug 22)
- RE: Zotob Worm Remover Todd Towles (Aug 22)
- RE: Zotob Worm Remover Todd Towles (Aug 22)
- RE: Zotob Worm Remover Jan Nielsen (Aug 22)
- RE: Zotob Worm Remover Aditya Deshmukh (Aug 22)
- Re: Zotob Worm Remover James Tucker (Aug 22)
- Re: Zotob Worm Remover Stuart Low (Aug 22)
- Re: Zotob Worm Remover Valdis . Kletnieks (Aug 22)
- Re: Zotob Worm Remover pingywon (Aug 22)
- RE: Zotob Worm Remover Jan Nielsen (Aug 22)
- RE: Zotob Worm Remover Ron DuFresne (Aug 23)
- Re: Zotob Worm Remover MadHat (Aug 23)