Message-ID: <1060748242.2303.205.camel@localhost>
From: r.fulton at auckland.ac.nz (Russell Fulton)
Subject: Blaster: will it spread without tftp?

On Wed, 2003-08-13 at 14:13, Nick FitzGerald wrote:
> "Maarten" <subscriptions@...tsuijker.com> wrote:
> 
> > I was wondering about the following scenario:
> <<snip>>
> > - since these other vulnerable systems are using a proxy server to connect
> > to the internet and a firewall prevents all other connections, tftp servers
> > on the Internet can not be accessed
> 
> Good up to here, but then...
> 
> > - since tftp servers can not be accessed, msblaster.exe can not be
> > downloaded
> 
> No.
> 
> When the worm connects from its current victim to a new, vulnerable 
> host it tells the new victim to TFTP the worm's .EXE from the current 
> victim machine where the worm briefly sets up a TFTP thread to serve 
> its .EXE.

I can confirm this.  We block tftp at the gateway (as well as all the MS
ports 135-139, 445 etc.).  An infected laptop was brought on to the
internal network and half an hour later we had 500 infected systems and
a very soggy network.

Note that those 500 were out of a total of 7500; we had managed to get
the rest patched. Another week and we would have only had a handful.
Yes, we are now investigating how we can speed up patch deployment ;-)

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
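
The thread above explains why gateway TFTP blocking did not contain the worm: each new victim pulls the .EXE over TFTP from the internal host that just contacted it. As an added example (not part of the original post), this Python correlates internal flow records to flag that pattern; the record format, the 60-second window and the sample flows are assumptions constructed for illustration, and TFTP is taken to be on its standard UDP port 69.

```python
from collections import defaultdict

MS_PORTS = {135, 136, 137, 138, 139, 445}  # the MS ports named in the message
TFTP_PORT = 69                              # standard TFTP server port (UDP)
WINDOW = 60                                 # seconds; assumed correlation window

# Constructed sample flow records: (epoch_seconds, src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "10.0.0.21", "tcp", 135),
    (1004, "10.0.0.21", "10.0.0.5", "udp", 69),
    (1010, "10.0.0.5", "10.0.0.22", "tcp", 135),
    (1013, "10.0.0.22", "10.0.0.5", "udp", 69),
    (1020, "10.0.0.5", "10.0.0.23", "tcp", 135),  # contacted, never pulls back
    (1030, "10.0.0.40", "10.0.0.9", "tcp", 445),  # ordinary file sharing
    (2000, "10.0.0.9", "10.0.0.40", "udp", 69),   # TFTP far outside the window
    (1100, "10.0.0.21", "10.0.0.30", "tcp", 135),
    (1102, "10.0.0.30", "10.0.0.21", "udp", 69),
]

def find_tftp_pullbacks(flows, window=WINDOW):
    """Map each host acting as a TFTP server to the peers that fetched from it
    within `window` seconds of that host connecting to them on an MS port."""
    last_contact = {}  # (src, dst) -> time of the latest MS-port connection
    hits = defaultdict(set)
    for ts, src, dst, proto, port in sorted(flows):
        if proto == "tcp" and port in MS_PORTS:
            last_contact[(src, dst)] = ts
        elif proto == "udp" and port == TFTP_PORT:
            # dst is the TFTP server here; did it contact src just before?
            contacted = last_contact.get((dst, src))
            if contacted is not None and 0 <= ts - contacted <= window:
                hits[dst].add(src)
    return {host: sorted(peers) for host, peers in hits.items()}

def suspected_spreaders(flows, min_peers=1):
    """Hosts that served TFTP to at least `min_peers` peers they had just contacted."""
    pulls = find_tftp_pullbacks(flows)
    return sorted(h for h, peers in pulls.items() if len(peers) >= min_peers)

if __name__ == "__main__":
    for host, peers in find_tftp_pullbacks(SAMPLE_FLOWS).items():
        print(f"{host} served TFTP to {len(peers)} just-contacted peer(s): {peers}")
```

Because the correlation needs only internal source, destination and port, it works on flow data collected inside the perimeter, where the gateway filter never sees the traffic.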

