Security Incidents mailing list archives

RE: Blaster Recurrence


From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Mon, 2 Feb 2004 13:06:29 -0500

E. Jimmy Allotey wrote Friday, January 30, 2004 12:55

I am seeing some new occurrences on reformatted machines on my network.
They appeared on machines which were reformatted and connected to the
network before installation of patches and anti-virus software
(idiots!!!!) We have checked all the other machines here which were
unaffected and they are fine.

Either your users found an oddball infection vector (not too likely on
multiple new builds), or something on your network is still infected.

Sniff the LAN for Blaster traffic. It is the only way to be confident you
have caught everything. If you are in a switched environment, it might be
easiest to sniff at a router or just inside the firewall. Ideally, keep on
sniffing forever.

The list of _possible_ infection vectors is pretty long.

Common possibilities:
Some printers and copiers run embedded Windows NT or 2000 that can be
infected. 
Wireless connections. 
Visitors' computers. 
Employees' home computers "temporarily" connected at work. 
Builds being performed at home. 
Machines that appear patched may not actually be. 
A machine was just plain missed in the patch records.

Lesser possibilities:
Infected ghost images. 
Hostile web sites.
Hostile user.
Hostile email.
VPN connections (what's the RFC for BoI - Blaster over IPSec?) :-) . 

Etc etc.
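As an added example, not part of this post or of any tool the poster used: a small detector of the kind you would run over LAN flow records to spot a still-infected host. The traffic pattern it keys on is assumed from public descriptions of Blaster (many TCP/135 RPC connections from one host, a shell on TCP/4444 on the new victim, and the victim fetching the worm over TFTP, UDP/69), not from this message; the flow records and the scan threshold are constructed.

```python
from collections import defaultdict

# Constructed sample flows (not captures from the poster's network):
# (src_ip, dst_ip, proto, dst_port). 10.1.1.57 plays the infected host.
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.1.1", "tcp", 80),
    ("10.1.1.20", "10.1.1.2", "tcp", 135),   # one RPC connection is normal
    ("10.1.1.20", "10.1.1.3", "udp", 69),    # lone TFTP transfer, e.g. a switch config
] + [("10.1.1.57", f"10.1.1.{i}", "tcp", 135) for i in range(1, 41)] + [
    ("10.1.1.57", "10.1.1.9", "tcp", 4444),  # shell on the freshly exploited host
    ("10.1.1.9", "10.1.1.57", "udp", 69),    # victim pulls the worm binary from 10.1.1.57
]

SCAN_THRESHOLD = 20  # distinct tcp/135 targets from one source; assumed tuning value


def blaster_indicators(flows, scan_threshold=SCAN_THRESHOLD):
    """Map each host to the Blaster-like behaviours observed for it."""
    rpc_targets = defaultdict(set)
    indicators = defaultdict(list)
    for src, dst, proto, port in flows:
        if proto == "tcp" and port == 135:
            rpc_targets[src].add(dst)
        elif proto == "tcp" and port == 4444:
            indicators[src].append("connected to tcp/4444 on " + dst)
        elif proto == "udp" and port == 69:
            # The victim is the TFTP client; the infector is the TFTP server (dst).
            indicators[dst].append("served TFTP (udp/69) to " + src)
    for src, targets in rpc_targets.items():
        if len(targets) >= scan_threshold:
            indicators[src].append(f"scanned {len(targets)} hosts on tcp/135")
    return dict(indicators)


def likely_infected(indicators):
    """A tcp/135 sweep alone is conclusive; otherwise require two corroborating indicators."""
    hits = [host for host, why in indicators.items()
            if any(w.startswith("scanned") for w in why) or len(why) >= 2]
    return sorted(hits)


if __name__ == "__main__":
    report = blaster_indicators(SAMPLE_FLOWS)
    for host in likely_infected(report):
        print(host, "->", "; ".join(report[host]))
```

The single TFTP transfer to 10.1.1.3 stays in the report as a weak indicator but is not promoted to "likely infected", which is the distinction you want when copiers, switches and other TFTP users share the LAN.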

