Fix for reboot worm
#12
I'd like to go a step further and suggest ports 139 and 445 should also be blocked ... These are Microsoft networking ports and should only really be used internally to your LAN/machine.

Quote: CERT Advisory CA-2003-20 W32/Blaster worm

  Original issue date: August 11, 2003
  Last revised: --
  Source: CERT/CC

  A complete revision history is at the end of this file.

Systems Affected

    * Microsoft Windows NT 4.0
    * Microsoft Windows 2000
    * Microsoft Windows XP
    * Microsoft Windows Server 2003

Overview

  The CERT/CC is receiving reports of widespread activity related to a
  new piece of malicious code known as W32/Blaster. This worm appears to
  exploit known vulnerabilities in the Microsoft Remote Procedure Call
  (RPC) Interface.

I. Description

  The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
  interface as described in VU#568148 and CA-2003-16. Upon successful
  execution, the worm attempts to retrieve a copy of the file
  msblast.exe from the compromising host. Once this file is retrieved,
  the compromised system then runs it and begins scanning for other
  vulnerable systems to compromise in the same manner. In the course of
  propagation, a TCP session to port 135 is used to execute the attack.
  However, access to TCP ports 139 and 445 may also provide attack
  vectors and should be considered when applying mitigation strategies.
  Microsoft has published information about this vulnerability in
  Microsoft Security Bulletin MS03-026.

  Lab testing has confirmed that the worm includes the ability to launch
  a TCP SYN flood denial-of-service attack against windowsupdate.com. We
  are investigating the conditions under which this attack might
  manifest itself. Unusual or unexpected traffic to windowsupdate.com
  may indicate an infection on your network, so you may wish to monitor
  network traffic.

  Sites that do not use windowsupdate.com to manage patches may wish to
  block outbound traffic to windowsupdate.com. In practice, this may be
  difficult to achieve, since windowsupdate.com may not resolve to the
  same address every time. Correctly blocking traffic to
  windowsupdate.com will require detailed understanding of your network
  routing architecture, system management needs, and name resolution
  environment. You should not block traffic to windowsupdate.com without
  a thorough understanding of your operational needs.

  We have been in contact with Microsoft regarding the possibility of
  this denial-of-service attack.
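The advisory names three things a defender can look for on the wire: TCP sessions to port 135 (with 139 and 445 as further vectors), one host fanning out to many others on those ports, and unexpected traffic to windowsupdate.com. The script below is an added example, not part of the advisory or of any post in this thread, that applies those checks to firewall log lines. The key=value log format, the `dhost` field (the resolved destination name), the 192.168.1.0/24 LAN range, the fan-out threshold and all addresses are constructed for the example; the "LAN only" policy for ports 135/139/445 follows the post above.

```python
"""Added example (not from the advisory or the thread): scan firewall log
lines for the W32/Blaster indicators CA-2003-20 describes. The log
format, addresses and LAN range below are constructed for this example."""
import ipaddress
import re
from collections import defaultdict

# Ports named in the advisory (135) and in the post above (139, 445).
MS_NET_PORTS = {135, 139, 445}
# Assumed site LAN: an accepted connection to MS_NET_PORTS from outside
# it violates the "internal only" policy the post argues for.
LAN = [ipaddress.ip_network("192.168.1.0/24")]
# A source touching this many distinct hosts on those ports looks like
# worm propagation rather than ordinary file sharing (assumed threshold).
FANOUT_THRESHOLD = 3

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one constructed key=value log line into a dict."""
    return dict(FIELD.findall(line))


def is_lan(ip):
    """True if the address lies inside one of the assumed LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN)


def is_windowsupdate(host):
    """Match the name, not an address: the advisory notes the name does
    not resolve to the same address every time."""
    return host == "windowsupdate.com" or host.endswith(".windowsupdate.com")


def analyze(log_text):
    """Return the three indicator sets for a block of log lines."""
    external_accepted = []       # non-LAN source reached an MS port
    targets = defaultdict(set)   # src -> distinct dst hosts on MS ports
    windowsupdate = []           # any traffic to windowsupdate.com
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        dport = int(rec.get("dport", 0))
        if rec.get("proto") == "tcp" and dport in MS_NET_PORTS:
            # Count rejected attempts too: the scan itself is the signal.
            targets[rec["src"]].add(rec["dst"])
            if rec.get("action") == "accept" and not is_lan(rec["src"]):
                external_accepted.append((rec["src"], rec["dst"], dport))
        if is_windowsupdate(rec.get("dhost", "")):
            windowsupdate.append((rec["src"], rec["dst"]))
    scanners = {src: len(dsts) for src, dsts in targets.items()
                if len(dsts) >= FANOUT_THRESHOLD}
    return {"external_accepted": external_accepted,
            "scanners": scanners,
            "windowsupdate": windowsupdate}


# Constructed sample log: one outside host reaching port 135, one LAN
# host sweeping port 135 across four neighbours, one LAN host talking to
# windowsupdate.com, and normal LAN-internal use of port 445.
SAMPLE_LOG = """\
2003-08-12 11:26:01 src=203.0.113.7 sport=3321 dst=192.168.1.10 dport=135 proto=tcp action=accept
2003-08-12 11:26:02 src=192.168.1.23 sport=1040 dst=192.168.1.11 dport=135 proto=tcp action=accept
2003-08-12 11:26:02 src=192.168.1.23 sport=1041 dst=192.168.1.12 dport=135 proto=tcp action=accept
2003-08-12 11:26:03 src=192.168.1.23 sport=1042 dst=192.168.1.13 dport=135 proto=tcp action=accept
2003-08-12 11:26:03 src=192.168.1.23 sport=1043 dst=192.168.1.14 dport=135 proto=tcp action=reject
2003-08-12 11:26:05 src=192.168.1.23 sport=1044 dst=198.51.100.20 dport=80 proto=tcp action=accept dhost=windowsupdate.com
2003-08-12 11:26:07 src=192.168.1.40 sport=1100 dst=192.168.1.5 dport=445 proto=tcp action=accept
2003-08-12 11:26:08 src=203.0.113.9 sport=4500 dst=192.168.1.10 dport=445 proto=tcp action=reject
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the outside host 203.0.113.7 is reported as an accepted external connection to port 135, 192.168.1.23 is reported as a scanner (four distinct targets on port 135, the rejected attempt included), and its connection to windowsupdate.com is listed separately; the LAN-internal port 445 session and the rejected outside attempt on 445 produce no alert. The windowsupdate.com check is deliberately name-based for the reason the advisory gives, so it only works where the log carries a resolved name.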


Messages In This Thread
Fix for reboot worm - by Gwarsbane - 08-12-2003, 11:26 AM
Fix for reboot worm - by PIX - 08-12-2003, 11:48 AM
Fix for reboot worm - by brokend - 08-12-2003, 12:27 PM
Fix for reboot worm - by Power and Glory - 08-12-2003, 10:32 PM
Fix for reboot worm - by _Acid_Head_ - 08-12-2003, 11:21 PM
Fix for reboot worm - by Guest - 08-13-2003, 01:58 AM
Fix for reboot worm - by _Acid_Head_ - 08-13-2003, 03:13 PM
Fix for reboot worm - by Power and Glory - 08-13-2003, 04:26 PM
Fix for reboot worm - by kermit - 08-13-2003, 05:03 PM
Fix for reboot worm - by kermit - 08-13-2003, 11:01 PM
Fix for reboot worm - by PIX - 08-13-2003, 11:12 PM
Fix for reboot worm - by Guest - 08-14-2003, 03:13 PM
Fix for reboot worm - by PIX - 08-15-2003, 10:22 AM
