[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAg2ZzuQ4fWEGEU2WMMis14cKAAAAQAAAA7dJGcFX8806qOuPN6mZD7QEAAAAA@ihug.co.nz>
From: mjcarter at ihug.co.nz (Mike)
Subject: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
The reason I mentioned being at home is that if the users are on
corporate LANs they are then tied to the restrictions of that network
and it's policies which quite often means "we control you, you don't
have any control"
I agree with you, it's there and should be used (where appropriate) at
home for instance.
I also agree with other postings I've seen that mention a "certain level
of skill required"
The problem with trying to educate users at any level is that they are
normaly too busy making deadlines (unless they have a personal interest)
, don't want to know or don't care and are told by those above them that
IT is there to do it for them!
Cheers
Mike
-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans@...hnetsecurity.com]
Sent: Wednesday, 13 August 2003 6:53 a.m.
To: Chris Garrett
Cc: Richard Stevens; full-disclosure@...ts.netsys.com; Mike
Subject: RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM
Worm Propagation (fwd)
Chris,
#That's only good if you're at home and they would also need to be savy
#enough to know how to configure it properly
2000 and XP have builtin IP packet filters. XP has a "personal
firewall".
I'm not sure what being at home (or being elsewhere) has to do with it,
but the fact remains that the technology is there. The packet filtering
is rather IP-chains like; it's completely stateless, and configuration
is a manual process requiring basic TCP/IP knowledge.
Once you turn on the packet filtering, you either allow all, or deny all
and then allow specific ports (unidirectional, TCP, UDP, and "IP").
XP's "firewall" has several pre-defined higher layer protocols that you
can enable with a checkbox, and is a bit more user-friendly in terms of
distinguishing between inbound and outbound traffic.
Regarless of ease of use: it's there, it's free, and fully functional.
Cheers,
Arian
#
#-----Original Message-----
#From: full-disclosure-admin@...ts.netsys.com
#[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Richard
#Stevens
#Sent: Tuesday, 12 August 2003 11:15 p.m.
#To: Chris Garrett; full-disclosure@...ts.netsys.com
#Subject: RE: [Full-Disclosure] ISS Security Brief: "MS Blast"
#MSRPC DCOM
#Worm Propagation (fwd)
#
#
#I must be missing something here... xp home & pro both have a
#"click and
#forget" firewall?
#
#why arent people using it?
#
#
# -----Original Message-----
# From: Chris Garrett [mailto:somatose@....net]
# Sent: Tue 12/08/2003 05:59
# To: full-disclosure@...ts.netsys.com
# Cc:
# Subject: Re: [Full-Disclosure] ISS Security Brief: "MS Blast"
#MSRPC DCOM Worm Propagation (fwd)
#
#
#
# I had a friend infected with the worm earlier today, at about
#17:00EST. He was
# running Windows XP Home edition. He called me because his
#computer had been
# rebooting "spontaneously," and whenever he would go to google to
#search for a
# strange binary he saw [msblast.exe], he either found nothing or
#was mysterious
# redirected to some strange website. At least, I believe that was
#his
# description. I hadn't seen any reports of MSBlast on FD before
#this point, but I
# was almost certain it was a worm of some sort using the DCOM RPC
#exploit. I had
# him check the registry, remove the keys, and delete .*msblast.*.
#I also had him
# disable DCOM, since I doubted he was using anything that
#utilized it, then
# directed him to the MS03-26 patch. This was all based on a guess
#that it he was
# infected by something DCOM related [makes sense given the
#massive publicity and
# severity of this vulnerability]. I wasn't certain if any other
#files were
# corrupted at the time, but those simple measures seemed to do
#the job. Imagine
# my surprise when 10 minutes later, I receive and FD email
#reporting the release
# of a worm identified by an msblast binary.
#
# My friend also reported to me that /somehow/ his Norton
#Auto-Protect had been
# disabled. Now, I don't know if that was the worm [as I've not
#seen any analyses
# thusfar to suggest that the worm does that], or if it was
#something he had
# disabled, accidentally, at some point.
#
# In short, XP is affected, as well. And I would imagine his
#computer kept
# rebooting because other systems within the class B range he was
#on were
# constantly probing his system and trying the 2K offset, and not
#because of the
# worm that had already infected his system [which was my
#original, incorrect,
# impression, before the analyses put out by ISC, XFocus, and
#Norton].
#
# Christopher Garrett III
# Inixoma, Incorporated
#
# _______________________________________________
# Full-Disclosure - We believe in it.
# Charter: http://lists.netsys.com/full-disclosure-charter.html
#
#
#_______________________________________________
#Full-Disclosure - We believe in it.
#Charter: http://lists.netsys.com/full-disclosure-charter.html
#
#_______________________________________________
#Full-Disclosure - We believe in it.
#Charter: http://lists.netsys.com/full-disclosure-charter.html
#
The information transmitted in this e-mail is intended only for the
addressee and may contain confidential and/or privileged material.
Any interception, review, retransmission, dissemination, or other use
of, or taking of any action upon this information by persons or entities
other than the intended recipient is prohibited by law and may subject
them to criminal or civil liability. If you received this communication
in error, please contact us immediately at 816.421.6611, and delete the
communication from any computer or network system.
Powered by blists - more mailing lists