lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon Aug 22 22:07:34 2005
From: jftucker at gmail.com (James Tucker)
Subject: Zotob Worm Remover

It seems to me that the attack was less than a week old from the start 
date. Default settings on a relatively unchanged box would provide a 
suitable window of opportunity given the availability of the worm to the 
deployer. This is more important than network connectivity, which is not 
of security concern as this is not the exploited layer. Disconnecting 
networks is what you suggest when you're in trouble, not when you're 
trying to maintain the daily balance of cost vs function. Moreover, 
wireless is recieving the blame - however this will only continue whilst 
your laptop is the device you are using. Eventually will you blame the 
mobile phone companies for allowing "dangerous traffic" to flow through 
the repeaters? What about sattelite links - should we filter those and 
knock the latency up another notch? No, it's the software, once again. 
Connectivity increases exposure, it doesn't decrease security - the two 
are not one and the same. 1000 laptops in a city centre network becoming 
infected less than a week from update release would be unsuprising 
(read: defaults are once a week at 3). The security of these laptops was 
not compromised by the wireless presence, it was a medium of travel 
only. Now lets say, we go back in time and remove all of the wireless 
NIC's. Now, there are only 750 laptops cause we can't generate as much 
revenue (joke), and of these they're all still connected, just with a 
different medium. The medium is (specification)centralised and routable 
in the same manner (ah, so the medium can have 'implications' ;) -  the 
infection rate is the same. Why? because they are all connected. It's 
BEING CONNECTED not BEING WIRELESS that's the issue here. Yes you may 
argue, pointlessly however, that wireless has increased average 
connectivity, however once again, this is only a medium. It's 
business/personal drive that requires connectedness, not the technology 
itself.

Todd Towles wrote:
> This is correct for the first day, maybe two. Then unpatched laptops
> leave the corporate network, hit the internet outside the firewall and
> then bring the worm back right to the heart of the network the very next
> day, bypassing the firewall all together. Firewall is just one step..it
> isn't a solve all. Patching would be the only way to stop this threat in
> all vectors. That was my point.
> 
> If you aren't blocking 445 on the border of your network, you have must
> worse problems with Zotob.
> 
> 
>>-----Original Message-----
>>From: Ron DuFresne [mailto:dufresne@...ternet.com] 
>>Sent: Monday, August 22, 2005 3:15 PM
>>To: Todd Towles
>>Cc: n3td3v; full-disclosure@...ts.grok.org.uk
>>Subject: RE: [Full-disclosure] Zotob Worm Remover
>>
>>On Mon, 22 Aug 2005, Todd Towles wrote:
>>
>>
>>>Wireless really isn't a issue. You can get a worm from a 
>>
>>cat 5 as easy 
>>
>>>as you can from wireless. The problem was they weren't patched. Why 
>>>weren't they patched? Perhaps Change policy slowed them 
>>
>>down, perhaps 
>>
>>>it was the fear of broken programs..perhaps it was the QA group..it 
>>>doesn't really matter. They go the worm because they were 
>>
>>not patched.
>>
>>And because they didn't properly filter port 445 is my understanding.
>>Unpatched systems behind FW's that fliter 445 were untouched.
>>
>>Thanks,
>>
>>Ron DuFresne
>>--
>>"Sometimes you get the blues because your baby leaves you. 
>>Sometimes you get'em 'cause she comes back." --B.B. King
>>        ***testing, only testing, and damn good at it too!***
>>
>>OK, so you're a Ph.D.  Just don't touch anything.
>>
>>
>>
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ