RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

From: Evans, Arian (Arian.Evans_at_fishnetsecurity.com)
Date: 08/12/03

  • Next message: Muhammad Faisal Rauf Danka: "[Full-Disclosure] CERT Advisory CA-2003-20 W32/Blaster worm (fwd)"
    To: "Chris Garrett" <somatose@cox.net>
    Date: Tue, 12 Aug 2003 13:52:52 -0500
    
    

    Chris,

    #That's only good if you're at home and they would also need to be savvy
    #enough to know how to configure it properly

    2000 and XP have builtin IP packet filters. XP has a "personal
    firewall".

    I'm not sure what being at home (or being elsewhere) has to do with it,
    but the fact remains that the technology is there. The packet filtering
    is rather ipchains-like; it's completely stateless, and configuration is
    a manual process requiring basic TCP/IP knowledge.

    Once you turn on the packet filtering, you either allow all, or deny all
    and then allow specific ports (unidirectional, TCP, UDP, and "IP").

    XP's "firewall" has several pre-defined higher layer protocols that
    you can enable with a checkbox, and is a bit more user-friendly in
    terms of distinguishing between inbound and outbound traffic.

    Regardless of ease of use: it's there, it's free, and fully functional.

    Cheers,

    Arian
     
    #
    #-----Original Message-----
    #From: full-disclosure-admin@lists.netsys.com
    #[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Richard
    #Stevens
    #Sent: Tuesday, 12 August 2003 11:15 p.m.
    #To: Chris Garrett; full-disclosure@lists.netsys.com
    #Subject: RE: [Full-Disclosure] ISS Security Brief: "MS Blast"
    #MSRPC DCOM
    #Worm Propagation (fwd)
    #
    #
    #I must be missing something here... xp home & pro both have a "click and
    #forget" firewall?
    #
    #why aren't people using it?
    #
    #
    # -----Original Message-----
    # From: Chris Garrett [mailto:somatose@cox.net]
    # Sent: Tue 12/08/2003 05:59
    # To: full-disclosure@lists.netsys.com
    # Cc:
    # Subject: Re: [Full-Disclosure] ISS Security Brief: "MS Blast"
    #MSRPC DCOM Worm Propagation (fwd)
    #
    #
    #
    # I had a friend infected with the worm earlier today, at about 17:00 EST.
    # He was running Windows XP Home edition. He called me because his computer
    # had been rebooting "spontaneously," and whenever he would go to Google to
    # search for a strange binary he saw [msblast.exe], he either found nothing
    # or was mysteriously redirected to some strange website. At least, I
    # believe that was his description. I hadn't seen any reports of MSBlast on
    # FD before this point, but I was almost certain it was a worm of some sort
    # using the DCOM RPC exploit. I had him check the registry, remove the keys,
    # and delete .*msblast.*. I also had him disable DCOM, since I doubted he
    # was using anything that utilized it, then directed him to the MS03-26
    # patch. This was all based on a guess that he was infected by something
    # DCOM related [makes sense given the massive publicity and severity of
    # this vulnerability]. I wasn't certain if any other files were corrupted
    # at the time, but those simple measures seemed to do the job. Imagine my
    # surprise when 10 minutes later, I receive an FD email reporting the
    # release of a worm identified by an msblast binary.
    #
    # My friend also reported to me that /somehow/ his Norton Auto-Protect had
    # been disabled. Now, I don't know if that was the worm [as I've not seen
    # any analyses thus far to suggest that the worm does that], or if it was
    # something he had disabled, accidentally, at some point.
    #
    # In short, XP is affected, as well. And I would imagine his computer kept
    # rebooting because other systems within the class B range he was on were
    # constantly probing his system and trying the 2K offset, and not because
    # of the worm that had already infected his system [which was my original,
    # incorrect, impression, before the analyses put out by ISC, XFocus, and
    # Norton].
    #
    # Christopher Garrett III
    # Inixoma, Incorporated
    #
    # _______________________________________________
    # Full-Disclosure - We believe in it.
    # Charter: http://lists.netsys.com/full-disclosure-charter.html
    #

    The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material.
    Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities
    other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication
    in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
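For the "deny all, then allow specific ports" mode Arian describes, the Windows 2000/XP TCP/IP filtering feature (the one under Advanced TCP/IP settings) is also driven by registry values, so it can be set from a script rather than by hand. The following is an added example, not part of the original message and not Microsoft's own script: it turns the filter on and permits only inbound TCP 80/443 and UDP 53 on one adapter. The value names (EnableSecurityFilters, TCPAllowedPorts, UDPAllowedPorts, RawIPAllowedProtocols) are the ones Microsoft documents for this feature; the interface GUID is a placeholder you must replace with the GUID of the adapter you want filtered.

```batch
@echo off
rem Added example: Windows 2000/XP TCP/IP filtering in "deny all, then allow" mode.
rem The GUID below is a placeholder; take the real one from
rem HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.
set IFKEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}

rem Global switch: 1 enables TCP/IP filtering on every adapter.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableSecurityFilters /t REG_DWORD /d 1 /f

rem Per-adapter allow lists are REG_MULTI_SZ. A single entry of "0" means
rem "permit all" for that family; any other list is deny-all-except-these.
rem Inbound TCP: only HTTP and HTTPS. TCP 135, the MSRPC endpoint mapper the
rem worm attacks, is deliberately absent.
reg add "%IFKEY%" /v TCPAllowedPorts /t REG_MULTI_SZ /d "80\0443" /f

rem Inbound UDP: only DNS.
reg add "%IFKEY%" /v UDPAllowedPorts /t REG_MULTI_SZ /d "53" /f

rem IP protocol numbers: leave at permit-all so ICMP and friends keep working.
reg add "%IFKEY%" /v RawIPAllowedProtocols /t REG_MULTI_SZ /d "0" /f

rem Show what was written; the filter takes effect after a restart.
reg query "%IFKEY%" /v TCPAllowedPorts
reg query "%IFKEY%" /v UDPAllowedPorts
```

As the message notes, this filter is stateless and one-directional: it only decides which inbound destination ports the stack will accept, so the allow list should contain exactly the services the machine is meant to serve and nothing else. Leaving TCP 135 out of TCPAllowedPorts is what keeps the MSRPC DCOM interface unreachable from the network even before the MS03-26 patch is applied.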

