Message-ID: <40941961.4090009@linuxbox.org>
Date: Sat, 01 May 2004 23:40:49 +0200
From: Gadi Evron <ge@...uxbox.org>
To: kers0r <root@...lum-nz.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Will the Sasser worm become the next Blaster?


kers0r wrote:
> 
> The LSASS Sasser worm is spreading through the documented MS04-011 (LSASS) vulnerability. Presently this worm has not gotten to plague proportions, but statistically it may well.
> 
> Apart from the Sasser worm problem, there also remains the problem of human hackers exploiting this hole. Warez ftp hackers have already started using an exploit targeting unpatched systems, creating "pubstro" warez dumps. The DCOM vulnerability saw numerous script kiddie tools created that allowed trojan hackers to upload and run trojan servers; will we see another wave of tools being created?

As to the FTP component of Sasser and how to scan for it, see below.

We encounter new worms and new exploits on practically a daily basis. 
Kiddies port-scan for open Trojan ports and vulnerable systems so much 
that you can't even keep track and your logs grow out of proportion.

It was clear that a worm would use this exploit soon, and I am one of 
those who support the "historical view" of how long it takes for a worm 
to be created after a serious vulnerability is found and a POC becomes 
public. However, I do not really find the need for speculation.

The vulnerability has been out for a while now, and it was patched. 
Firewall companies with application filtering capabilities, Application 
Firewalls, etc. have all added filtering for it, as have all the network 
vulnerability scanners (detection rules).

Would that stop any network worm from becoming "huge"? No. Would that 
worm become huge? Maybe. Would it help slow down a worm? Definitely. 
This is not a 0-day. It won't be another Code Red. Would it be big? It 
already is, but how many big worms do we see in a month?

What I suggest is doing what one can. Patching, updating AV solutions, 
running snort rules (Martin Overton's snort rules for Sasser.A and 
Sasser.B can be found at: http://arachnid.homeip.net/cgi-bin/blah/Blah.pl).

Being prepared is always a good idea, but the media frenzy will be huge 
as it is; why add to it?

About your concerns with warez FTP bases, etc.: well... the 
vulnerability, POCs and tools have been out for a while. Kiddies always 
find new homes and break into systems. I don't really see how one 
vulnerability would make a difference, and it hasn't thus far.

As to the worm, it IS very interesting, and might be a serious threat 
for a while. How big exactly we will only know Monday morning, EU time, imo.

You can find a really good analysis of the worm by Joe Stewart at LURHQ:
http://www.lurhq.com/sasser.html

On a half-related note on scanning for Sasser, as kiddies will soon 
start scanning anyway, might as well help admins out -
I was told on the TH-Research (the Trojan Horses Research mailing list - 
http://ecompute.org/th-list) online war room that if you simply port 
scan for Sasser you get many false positives, as that port (5554) is 
also used by Oracle. If you get "200 OK" as a reply though in the first 
packet, it's Sasser.

	Gadi Evron.

-- 
Email: ge@...uxbox.org. Backup: ge@...p.mx.dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: 
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
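The port-5554 banner check described in the reply above, written out as an added example that is not part of the original message or of any tool the thread names. It assumes only what the message states: the Sasser FTP component listens on TCP/5554 and answers with "200 OK" in its first packet, while other services on that port (Oracle is named) do not; the sample banners in the test are constructed.

```python
import socket
from typing import Optional

SASSER_FTP_PORT = 5554  # port named in the message above


def classify_banner(first_packet: bytes) -> str:
    """Classify the first bytes a listener on TCP/5554 sends back.

    Per the thread: a first packet that opens with "200 OK" is the
    Sasser FTP component; anything else on that port is most likely
    a false positive from another service (the message names Oracle).
    """
    if not first_packet:
        return "no-banner"
    if first_packet.startswith(b"200 OK"):
        return "sasser-ftp"
    return "other-service"


def read_first_packet(host: str, port: int = SASSER_FTP_PORT,
                      timeout: float = 3.0) -> Optional[bytes]:
    """Connect and return the peer's first packet.

    Returns None when the port is closed or unreachable, and b"" when
    the port is open but nothing arrives within the timeout (a server
    that waits for the client to speak first).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def check_host(host: str) -> str:
    """Return 'closed', 'no-banner', 'sasser-ftp' or 'other-service' for host."""
    banner = read_first_packet(host)
    if banner is None:
        return "closed"
    return classify_banner(banner)


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:  # hosts to check, e.g. machines on your own LAN
        print(h, check_host(h))
```

Run it against the hosts you administer; a "sasser-ftp" result marks a machine to isolate and clean, an "other-service" result is the Oracle-style false positive the thread warns about.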


