lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Aug 23 02:20:34 2005
From: stuart at serverpeak.com (Stuart Low)
Subject: Zotob Worm Remover

I'm just going to be facetious here and say "What's Zotob"?

Seriously, you can have all the arguments you want about how worm X
infection rate is increased due to whatever reason but as J Tucker
pointed out it's the software that's the issue.

As for us *shrugs*, we don't suffer the plight of worms. I guess that's
the advantage of running a 100% Linux shop.

Stu

On Mon, 2005-08-22 at 22:08 +0100, James Tucker wrote:
> It seems to me that the attack was less than a week old from the start 
> date. Default settings on a relatively unchanged box would provide a 
> suitable window of opportunity given the availability of the worm to the 
> deployer. This is more important than network connectivity, which is not 
> of security concern as this is not the exploited layer. Disconnecting 
> networks is what you suggest when you're in trouble, not when you're 
> trying to maintain the daily balance of cost vs function. Moreover, 
> wireless is recieving the blame - however this will only continue whilst 
> your laptop is the device you are using. Eventually will you blame the 
> mobile phone companies for allowing "dangerous traffic" to flow through 
> the repeaters? What about sattelite links - should we filter those and 
> knock the latency up another notch? No, it's the software, once again. 
> Connectivity increases exposure, it doesn't decrease security - the two 
> are not one and the same. 1000 laptops in a city centre network becoming 
> infected less than a week from update release would be unsuprising 
> (read: defaults are once a week at 3). The security of these laptops was 
> not compromised by the wireless presence, it was a medium of travel 
> only. Now lets say, we go back in time and remove all of the wireless 
> NIC's. Now, there are only 750 laptops cause we can't generate as much 
> revenue (joke), and of these they're all still connected, just with a 
> different medium. The medium is (specification)centralised and routable 
> in the same manner (ah, so the medium can have 'implications' ;) -  the 
> infection rate is the same. Why? because they are all connected. It's 
> BEING CONNECTED not BEING WIRELESS that's the issue here. Yes you may 
> argue, pointlessly however, that wireless has increased average 
> connectivity, however once again, this is only a medium. It's 
> business/personal drive that requires connectedness, not the technology 
> itself.
> 
> Todd Towles wrote:
> > This is correct for the first day, maybe two. Then unpatched laptops
> > leave the corporate network, hit the internet outside the firewall and
> > then bring the worm back right to the heart of the network the very next
> > day, bypassing the firewall all together. Firewall is just one step..it
> > isn't a solve all. Patching would be the only way to stop this threat in
> > all vectors. That was my point.
> > 
> > If you aren't blocking 445 on the border of your network, you have must
> > worse problems with Zotob.
> > 
> > 
> >>-----Original Message-----
> >>From: Ron DuFresne [mailto:dufresne@...ternet.com] 
> >>Sent: Monday, August 22, 2005 3:15 PM
> >>To: Todd Towles
> >>Cc: n3td3v; full-disclosure@...ts.grok.org.uk
> >>Subject: RE: [Full-disclosure] Zotob Worm Remover
> >>
> >>On Mon, 22 Aug 2005, Todd Towles wrote:
> >>
> >>
> >>>Wireless really isn't a issue. You can get a worm from a 
> >>
> >>cat 5 as easy 
> >>
> >>>as you can from wireless. The problem was they weren't patched. Why 
> >>>weren't they patched? Perhaps Change policy slowed them 
> >>
> >>down, perhaps 
> >>
> >>>it was the fear of broken programs..perhaps it was the QA group..it 
> >>>doesn't really matter. They go the worm because they were 
> >>
> >>not patched.
> >>
> >>And because they didn't properly filter port 445 is my understanding.
> >>Unpatched systems behind FW's that fliter 445 were untouched.
> >>
> >>Thanks,
> >>
> >>Ron DuFresne
> >>--
> >>"Sometimes you get the blues because your baby leaves you. 
> >>Sometimes you get'em 'cause she comes back." --B.B. King
> >>        ***testing, only testing, and damn good at it too!***
> >>
> >>OK, so you're a Ph.D.  Just don't touch anything.
> >>
> >>
> >>
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> > 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ