RE: cuebot-d infection method

["Jason Burton" <jab () leximedia net>]

 Something w/MS Technologies. Ie. ISA Server (2004+) I believe, have whats
called VPN Quarantine. Which allows you to check and limit access based on
ie. If the user has proper virus definitions etc. before they get full
access to your network. 

Just something I thought Id add. ---


Jason


-----Original Message-----
From: Irwan Ismail [mailto:irwan.ismail () gmail com] 
Sent: Thursday, August 25, 2005 12:40 AM
To: Matt Stockdale
Cc: jeff () jeffbryner com; incidents () securityfocus com
Subject: Re: cuebot-d infection method

I think you should know that blocking ports at the firewall isn't enough
anymore these days. With VPNs and remote access, your teleworker & mobile
users can easily get infected at home (or wherever they may be) while
there's an open path directly into your organization.

On 8/25/05, Matt Stockdale <mstockda () logicworks net> wrote:
> Jeff -
>
>   I've just cleaned up four machines here, all Windows 2000. We're 
> scratching our heads, as the "published" propagation method is over 
> port 445, which wasn't open on the firewall.
>
>   We suspect it may have come through the client's VPN access, or 
> maybe someone wrapped this backdoor in another exploit for delivery.
>
> Thanks,
>   Matt
>
> On Wed, 2005-08-24 at 12:03, Jeff Bryner wrote:
> > I've seen a couple cuebot-d infections over the last couple days and 
> > am trying to track down the source of them. Has anyone seen enough 
> > of this to know the universe of ways the pc gets initially infected?
> >
> > The pcs that have gotten infected have mcafee running on them  which 
> > incorrectly picks it up as W32/Sdbot.worm.gen.by when a scan is 
> > requested. It didn't seem to pick it up *until* a scan was requested.
> >
> > The writeup at 
> > http://www.sophos.com/virusinfo/analyses/w32cuebotd.html
> > fits the scenario, but it doesn't say exactly what the initial 
> > infection vector is.
> >
> > Thanks for any help.
> >
> > Jeff
> > CISSP, GCIH, GCFA