Security Incidents mailing list archives

Re: Blaster Recurrence


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 03 Feb 2004 12:17:40 +1300

"E. Jimmy Allotey" <jimmy () allotey com> wrote:

I am seeing some new occurrences on reformatted machines on my network.
They appeared on machines which were reformatted and connected to the
network before installation of patches and anti-virus software
(idiots!!!!) We have checked all the other machines here which were
unaffected and they are fine.  

Our perimeters are blocked on all the named ports and yet the beast
managed to get in....

For fear of sounding stupid, does anybody have any ideas??

Usual culprits are "firewall hoppers" and "neglected" machines.

"Firewall hoppers" are usually laptops that come in from "outside" 
bringing the worm with them.  This entry can be physical (carried into 
the building by a consultant, contractor, staff, other visitor) or 
virtual.  The other common form is the remote office or home user 
connecting via VPN but with access to other non-firewalled networks 
(local dial-up/cable/DSL).

"Neglected machines" are those distant print servers and other machines 
dedicated to a specific task (the door card readers, building services 
monitors, etc) that you just couldn't get whoever to accept should be 
in the machine room where they could be cared for and they could still 
manage, admin, etc by RDP, or network monitors/analyzers and the like 
that, by their nature do not have a single location.  These machines 
are often squirrelled away in remote (and often undesirable!) places 
like photocopier rooms, broom cupboards and so on -- the kinds of 
places that all the tech staff hope some other staff member will deal 
with.  I don't know where these machines are in your building(s) and 
quite possibly you don't either (which is the problem!  8-) ).  The 
brutal way to find these, if you have managed hubs, switches, etc, is 
to switch off every port on every hub, switch, etc that you cannot 
absolutely account for the location and patch status of whatever is 
patched into it.  Without managed devices, the brutal way is to do the 
same manually, visiting every patch panel and pulling every patch that 
cannot be accounted for.  Other options would be to set up an IDS or 
honeypot -- it should see Blaster's traffic soon enough and at least 
tell you an IP to start tracing back.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

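The IDS/honeypot approach in the reply above comes down to noticing one internal address sweeping the RPC endpoint port across many hosts and then tracing that address back to a switch port. The script below is an added example, not code from Nick FitzGerald or the list: it reads connection-log lines in an assumed, constructed format (`<timestamp> <src> -> <dst>:<port>/<proto>`), counts how many distinct destinations each source probes on TCP/135 (the port Blaster's RPC DCOM exploit targets; this is the worm's publicly documented behaviour, not something the post states), and reports sources above a threshold so that a single noisy RPC client is not mistaken for a worm. The sample log lines are constructed.

```python
"""Pick out hosts sweeping the Blaster-targeted RPC port (TCP/135) from
firewall, IDS or honeypot connection logs, so that an IP address can be
traced back to a switch port.  Added example, not from the original post.
The log line format is an assumed, constructed one:
    "<timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>"
"""
from collections import defaultdict
import re

# TCP/135 is the port Blaster's spreading phase hammers (publicly documented
# worm behaviour; the post itself only refers to "the named ports").
SCAN_PORT = 135

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)/(?P<proto>tcp|udp)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the assumed format (so garbage in the log is skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "port": int(m.group("port")),
        "proto": m.group("proto"),
    }


def find_scanners(lines, port=SCAN_PORT, min_targets=10):
    """Return {src_ip: distinct destination count} for every source that
    attempted TCP connections to `port` on at least `min_targets` different
    hosts.  Counting distinct destinations rather than raw hits separates a
    sweeping worm from a legitimate client that talks to one RPC server."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["port"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


# Constructed sample: one host sweeping TCP/135 across a /24, plus benign
# traffic and an unparseable line.
SAMPLE_LOG = [
    f"2004-02-03T12:00:{i:02d} 10.1.5.77 -> 10.1.6.{i}:135/tcp"
    for i in range(1, 41)
]
SAMPLE_LOG += [
    "2004-02-03T12:01:00 10.1.2.10 -> 10.1.2.1:135/tcp",   # one legitimate RPC client
    "2004-02-03T12:01:01 10.1.2.11 -> 10.1.2.20:445/tcp",  # unrelated SMB traffic
    "this line is not in the expected format",
]

if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for src, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{src}: probed TCP/{SCAN_PORT} on {n} distinct hosts "
              f"-- trace this address back to its switch port")
```

Feed it the real log (one line per connection attempt, reformatted to the assumed layout) and the address it prints is the one to look up in the switch's MAC/port tables; on the constructed sample it reports only 10.1.5.77, not the single legitimate RPC client.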