Security Incidents mailing list archives
Re: Blaster Recurrence
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 03 Feb 2004 12:17:40 +1300
"E. Jimmy Allotey" <jimmy () allotey com> wrote:
I am seeing some new occurrences on reformatted machines on my network. They appeared on machines which were reformatted and connected to the network before installation of patches and anti-virus software (idiots!!!!). We have checked all the other machines here which were unaffected and they are fine. Our perimeters are blocked on all the named ports and yet the beast managed to get in.... For fear of sounding stupid, does anybody have any ideas??
Usual culprits are "firewall hoppers" and "neglected" machines.

"Firewall hoppers" are usually laptops that come in from "outside" bringing the worm with them. This entry can be physical (carried into the building by a consultant, contractor, staff, other visitor) or virtual. The other common form is the remote office or home user connecting via VPN but with access to other non-firewalled networks (local dial-up/cable/DSL).

"Neglected machines" are those distant print servers and other machines dedicated to a specific task (the door card readers, building services monitors, etc.) that you just couldn't get whoever to accept should be in the machine room where they could be cared for and they could still manage, admin, etc. by RDP, or network monitors/analyzers and the like that, by their nature, do not have a single location. These machines are often squirrelled away in remote (and often undesirable!) places like photocopier rooms, broom cupboards and so on -- the kinds of places that all the tech staff hope some other staff member will deal with. I don't know where these machines are in your building(s) and quite possibly you don't either (which is the problem! 8-) ).

The brutal way to find these, if you have managed hubs, switches, etc., is to switch off every port on every hub, switch, etc. that you cannot absolutely account for the location and patch status of whatever is patched into it. Without managed devices, the brutal way is to do the same manually, visiting every patch panel and pulling every patch that cannot be accounted for. Other options would be to set up an IDS or honeypot -- it should see Blaster's traffic soon enough and at least tell you an IP to start tracing back.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
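As an added illustration of the "IDS tells you an IP to trace back" approach in the reply above (this is example code written for this archive page, not code from the original post or any participant in the thread): a small script that reads connection records and reports (a) internal hosts fanning out to TCP/135, the DCOM RPC port Blaster exploits to spread, and (b) attacker/victim pairs showing the follow-on TCP/4444 shell and UDP/69 TFTP pull Blaster uses to deliver msblast.exe. The log format, the sample log lines, the IP addresses and the threshold are all constructed assumptions; adapt the regular expression to whatever your firewall, span-port sensor or honeypot actually emits.

```python
"""Spot Blaster-style propagation in connection logs (added example).

Constructed example, not from the original post: parse firewall/IDS
connection records and report (a) internal hosts fanning out to TCP/135,
the DCOM RPC port Blaster exploits, and (b) attacker/victim pairs that
show the follow-on TCP/4444 shell plus UDP/69 TFTP exchange Blaster uses
to deliver msblast.exe. The output is the list of IPs to trace back to a
switch port or patch panel.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical syslog-like record format (assumption); adapt to your device.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.1.20.44 sweeps TCP/135, compromises 10.1.20.6 and
# serves it msblast.exe over TFTP; 10.1.20.9 is ordinary RPC traffic to one
# domain controller and must not be flagged. Last line is unrelated noise.
SAMPLE_LOG = """\
2004-02-02T09:00:00 ALLOW tcp 10.1.20.9:1301 -> 10.1.1.5:135
2004-02-02T09:00:01 DENY tcp 10.1.20.44:1042 -> 10.1.20.1:135
2004-02-02T09:00:01 DENY tcp 10.1.20.44:1043 -> 10.1.20.2:135
2004-02-02T09:00:02 DENY tcp 10.1.20.44:1044 -> 10.1.20.3:135
2004-02-02T09:00:02 DENY tcp 10.1.20.44:1045 -> 10.1.20.4:135
2004-02-02T09:00:03 DENY tcp 10.1.20.44:1046 -> 10.1.20.5:135
2004-02-02T09:00:03 ALLOW tcp 10.1.20.44:1047 -> 10.1.20.6:135
2004-02-02T09:00:04 ALLOW tcp 10.1.20.44:1048 -> 10.1.20.6:4444
2004-02-02T09:00:05 ALLOW udp 10.1.20.6:1025 -> 10.1.20.44:69
2004-02-02T09:05:00 ALLOW tcp 10.1.20.9:1302 -> 10.1.1.5:135
2004-02-02T09:10:00 NOTICE link state change on gi0/12
"""


def parse_log(text):
    """Return parsed records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return records


def fanout_by_source(records, proto="tcp", port=135, window=timedelta(seconds=60)):
    """For each source IP, the most distinct destinations it hit on proto/port
    inside any sliding window. A scanner scores high; a client talking to a
    single RPC server scores 1 no matter how chatty it is."""
    events = defaultdict(list)
    for r in records:
        if r["proto"] == proto and r["dport"] == port:
            events[r["src"]].append((r["ts"], r["dst"]))
    scores = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in evs[lo:hi + 1]}))
        scores[src] = best
    return scores


def suspects(text, threshold=5, allowlist=(), **kw):
    """Sources whose TCP/135 fan-out reaches threshold, minus hosts you
    allowlist (vulnerability scanners, management stations)."""
    allowed = set(allowlist)
    scores = fanout_by_source(parse_log(text), **kw)
    return sorted(s for s, n in scores.items() if n >= threshold and s not in allowed)


def likely_infections(text):
    """(attacker, victim) pairs where attacker -> victim TCP/4444 and
    victim -> attacker UDP/69 both appear: the shell and TFTP pull that
    follow a successful Blaster exploit."""
    recs = parse_log(text)
    shells = {(r["src"], r["dst"]) for r in recs if r["proto"] == "tcp" and r["dport"] == 4444}
    tftp = {(r["dst"], r["src"]) for r in recs if r["proto"] == "udp" and r["dport"] == 69}
    return sorted(shells & tftp)


if __name__ == "__main__":
    for ip in suspects(SAMPLE_LOG):
        print(f"trace back: {ip} (fan-out to TCP/135)")
    for attacker, victim in likely_infections(SAMPLE_LOG):
        print(f"probable infection: {attacker} -> {victim}")
```

Two practical notes. First, the fan-out heuristic is what separates a worm from legitimate RPC: domain controllers and Exchange servers are busy on TCP/135 but talk to many hosts slowly and get talked to, whereas an infected host sweeps a whole range in seconds, so tune `threshold` and `window` to your network and allowlist known scanners rather than lowering the bar. Second, perimeter blocks on the named ports say nothing about traffic between two internal segments, which is exactly where a firewall-hopping laptop or a forgotten print server spreads, so the records have to come from an internal sensor (span port, internal firewall, or honeypot), not the border router.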
Current thread:
- Blaster Recurrence E. Jimmy Allotey (Feb 02)
- RE: Blaster Recurrence James C Slora Jr (Feb 02)
- Re: Blaster Recurrence Neil Anderson (Feb 02)
- RE: Blaster Recurrence Dave Paris (Feb 03)
- Re: Blaster Recurrence Nick FitzGerald (Feb 03)
- RE: Blaster Recurrence E. Jimmy Allotey (Feb 03)
- <Possible follow-ups>
- RE: Blaster Recurrence Henderson, Dennis K. (Feb 02)