lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon Aug 22 21:52:27 2005
From: jan at boyakasha.dk (Jan Nielsen)
Subject: Zotob Worm Remover

Todd, i would have to disagree with you on this issue, patching in my
book is not any kind of definite answer to these types of problems,
endpoint behaviour security is something that I lean more towards. 
This would enable you to define a set of generic behavioural patterns
for processes running on your machine, and would be a much better
defence against things you don't know about yet. 

I myself have an agent with a few basic O/S rules like :

- No application may write other applications memory space
- No application may inject code into other programs (dll hooks and
such)
- No application may access system functions from code executing in data
or stack space
- No application may capture keystrokes

This does quite abit to protect my laptop from unknown attacks, since in
my findings, this is the way most (if not all) attacks enter a host.

I would tell you what software I use but that would make this more of a
sales bulletin than an actual security related opinion.

just my 2 cents
Jan

-----Original Message-----
From: Todd Towles [mailto:toddtowles@...okshires.com] 
Sent: 22. august 2005 22:22
To: Ron DuFresne
Cc: full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] Zotob Worm Remover

This is correct for the first day, maybe two. Then unpatched laptops
leave the corporate network, hit the internet outside the firewall and
then bring the worm back right to the heart of the network the very next
day, bypassing the firewall all together. Firewall is just one step..it
isn't a solve all. Patching would be the only way to stop this threat in
all vectors. That was my point.

If you aren't blocking 445 on the border of your network, you have must
worse problems with Zotob.

> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne@...ternet.com] 
> Sent: Monday, August 22, 2005 3:15 PM
> To: Todd Towles
> Cc: n3td3v; full-disclosure@...ts.grok.org.uk
> Subject: RE: [Full-disclosure] Zotob Worm Remover
> 
> On Mon, 22 Aug 2005, Todd Towles wrote:
> 
> > Wireless really isn't a issue. You can get a worm from a 
> cat 5 as easy 
> > as you can from wireless. The problem was they weren't patched. Why 
> > weren't they patched? Perhaps Change policy slowed them 
> down, perhaps 
> > it was the fear of broken programs..perhaps it was the QA group..it 
> > doesn't really matter. They go the worm because they were 
> not patched.
> 
> And because they didn't properly filter port 445 is my understanding.
> Unpatched systems behind FW's that fliter 445 were untouched.
> 
> Thanks,
> 
> Ron DuFresne
> --
> "Sometimes you get the blues because your baby leaves you. 
> Sometimes you get'em 'cause she comes back." --B.B. King
>         ***testing, only testing, and damn good at it too!***
> 
> OK, so you're a Ph.D.  Just don't touch anything.
> 
> 
> 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ