Message-ID: <1060748242.2303.205.camel@localhost>
From: r.fulton at auckland.ac.nz (Russell Fulton)
Subject: Blaster: will it spread without tftp?

On Wed, 2003-08-13 at 14:13, Nick FitzGerald wrote:
> "Maarten" <subscriptions@...tsuijker.com> wrote:
>
> > I was wondering about the following scenario:
> <<snip>>
> > - since these other vulnerable systems are using a proxy server to connect
> > to the internet and a firewall prevents all other connections, tftp servers
> > on the Internet can not be accessed
>
> Good up to here, but then...
>
> > - since tftp servers can not be accessed, msblaster.exe can not be
> > downloaded
>
> No.
>
> When the worm connects from its current victim to a new, vulnerable
> host it tells the new victim to TFTP the worm's .EXE from the current
> victim machine where the worm briefly sets up a TFTP thread to serve
> its .EXE.

I can confirm this. We block tftp at the gateway (as well as all the MS
ports 135-139, 445 etc.). An infected laptop was brought on to the
internal network and half an hour later we had 500 infected systems and
a very soggy network.

Note that those 500 were out of a total of 7500; we had managed to get
the rest patched. Another week and we would have only had a handful.

Yes, we are now investigating how we can speed up patch deployment ;-)

--
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
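
Added example, not part of the original message: a detection sketch for the internal pattern described in the thread, where a host contacts a peer on TCP/135 and that peer then sends a TFTP request (UDP/69) back to it, all behind the gateway filter. The flow-record layout, the 10.0.0.0/8 internal range, the 60-second window and the function name are assumptions made for illustration; the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range
WINDOW = 60                          # assumed max seconds from RPC contact to TFTP request

# Constructed flow records: (epoch_seconds, src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.1.1.50", "10.1.2.10", "tcp", 135),
    (1003, "10.1.2.10", "10.1.1.50", "udp", 69),   # peer fetches from the host that contacted it
    (1010, "10.1.1.50", "10.1.2.11", "tcp", 135),
    (1012, "10.1.2.11", "10.1.1.50", "udp", 69),
    (1020, "10.1.1.50", "10.1.2.12", "tcp", 135),  # no TFTP follows (e.g. patched host)
    (1100, "10.1.2.10", "10.1.3.7", "tcp", 135),   # earlier victim now contacts others
    (1104, "10.1.3.7", "10.1.2.10", "udp", 69),
    (1200, "10.1.4.4", "10.1.9.9", "udp", 69),     # ordinary TFTP, no prior RPC contact
    (1300, "10.1.5.5", "10.1.2.12", "tcp", 135),
    (1500, "10.1.2.12", "10.1.5.5", "udp", 69),    # too late to correlate
    (1600, "10.1.1.50", "198.51.100.9", "udp", 69) # leaves the network; gateway's job
]

def find_internal_tftp_pullbacks(flows, window=WINDOW):
    """Map each internal host that served TFTP to the peers that pulled from it
    shortly after that host had contacted them on TCP/135."""
    last_rpc = {}               # (contacting_host, contacted_host) -> time of latest TCP/135 flow
    served = defaultdict(set)
    for ts, src, dst, proto, port in sorted(flows):
        # Only internal-to-internal traffic matters: the gateway never sees it.
        if ip_address(src) not in INTERNAL or ip_address(dst) not in INTERNAL:
            continue
        if proto == "tcp" and port == 135:
            last_rpc[(src, dst)] = ts
        elif proto == "udp" and port == 69:
            # The TFTP request travels from the contacted host back to the contacting one.
            contacted_at = last_rpc.get((dst, src))
            if contacted_at is not None and 0 <= ts - contacted_at <= window:
                served[dst].add(src)
    return {host: sorted(peers) for host, peers in served.items()}

if __name__ == "__main__":
    for host, peers in find_internal_tftp_pullbacks(SAMPLE_FLOWS).items():
        print(f"{host} served TFTP to {len(peers)} peer(s) it had just contacted: {peers}")
```

Hosts that appear first as a peer and later as a serving host (10.1.2.10 in the sample) trace the chain of spread inside the perimeter.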