Message-ID: <200308181132.46583.jonathan@xcorps.net>
From: jonathan at xcorps.net (Jonathan Rickman)
Subject: Re: [Dshield] new msblaster on the loose?
On Monday 18 August 2003 10:20, Redaktion - Kryptocrew wrote:
> hi list,
>
> take a look at trendmicro, that's new:
> http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=55745&VName=WORM_MSBLAST.D&VSect=T

Let's see...

Does it magically boot the system off known good media to check for
rootkits/backdoors/trojans/[insert favorite evil here]???
No.

Does it magically monitor the traffic to and from the machine for a
reasonable period of time to ensure that nothing is amiss???
No.

Does it reinstall the host OS from the original media and restore the last
known good backup???
No.

So...what does it do?

It patches the hole and wipes out the worm if present, then deletes itself
in 2004. Great...except, MSBlaster wasn't the only thing that took
advantage of the RPC/DCOM exploit. Oops. Now the system administrator has
no cause to take any of the above steps because from his view, sitting in
his office running the latest eEye scanner, the machine was never
vulnerable.

When will folks figure out that these so-called "good worms" are not a good
thing? The failure of the author to take note of such fundamental flaws in
his or her logic suggests that they have no business doing anything, much
less volunteering to correct the world's problems. Of course, this could be
a deliberate cover-up...but somehow I think it's just another security
cowboy trying to save the world.

- --
Jonathan Rickman
X Corps Security
http://www.xcorps.net