Re: [Full-Disclosure] Blaster: will it spread without tftp?

From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: 08/12/03

    To: "Full Disclosure" <full-disclosure@lists.netsys.com>
    Date: Tue, 12 Aug 2003 16:48:27 -0500
    
    

    "Maarten" <subscriptions@hartsuijker.com> writes:

    > I was wondering about the following scenario:
    >
    > Lots of corporate networks are protected by firewalls and users are forced to
    > use a proxy server to connect to the internet. Because of the firewalling,
    > the worm will not be able to infect the clients directly from the Internet.
    > Of course there are always servers that are building bridges between the
    > corporate network and the internet or laptop users that get infected by
    > using their dial-up/DSL @ home.
    >
    > But if the worm enters the network through for instance an infected laptop,
    > can it still spread around on the network? By analyzing the threads on this
    > list and reading the info provided by anti-virus vendors I tend to draw the
    > following conclusion.
    >
    > - A worm can enter the network through an infected laptop/workstation or a
    > vulnerable server connected to the internet.
    > - these infected machines can exploit the vulnerability on other vulnerable
    > systems on the Internal network causing them to reboot (and reboot, and
    > reboot)
    > - since these other vulnerable systems are using a proxy server to connect
    > to the internet and a firewall prevents all other connections, tftp servers
    > on the Internet can not be accessed
    > - since tftp servers can not be accessed, msblaster.exe can not be
    > downloaded
    > - since msblaster.exe can not be downloaded these other systems will not
    > start to infect other systems...
    >
    > Am I correct on these last two points? Or is this only true in case someone
    > puts an infected laptop on the network (that is not able to connect to the
    > internet using tftp, while a webserver might be when it is located in a
    > misconfigured DMZ environment)?

    Incorrect, for most setups. Some firewalls at the router (NAT, for
    instance) block packets into/out of the LAN. This means that machines from
    the internet cannot communicate with the LAN, and vice versa. However,
    machines on the LAN can communicate with *each other* (thus the ability to
    connect to the proxy server). So, if an infected system is introduced, it
    *can* spread to the LAN, but infections of systems on the internet will
    fail, as they cannot TFTP back to the firewalled box.

    > Of course this is only one worm variant
    > exploiting this vulnerability and we might have a totally different case on
    > the next one, but I am still curious if I am on the right track
    > understanding the impact of the worm.

    Yes, indeed. Had the worm author been more skilled, we probably would have
    seen a Code Red style worm, with the entire worm transmitted as shellcode in
    the initial packet exchange over 135/tcp. This would eliminate the efficacy
    of blocking TFTP (69/udp) or 4444/tcp.

    > I also read something about SP0|1|2 on W2K not being vulnerable to msblaster
    > (probably because of the "universal" offsets used). Is there anyone that can
    > confirm this finding?

    I can refute this finding. Windows 2000 (all service packs) is being
    actively exploited by this worm. Compromised Windows 2000 boxes have been
    probing fairly consistently. eEye's official write-up specifically mentions
    W2K Gold-SP2 as vulnerable. By "Universal" offset, they weren't kidding --
    one offset works on Windows 2000 Gold-SP4, all languages, and one offset
    works on Windows XP Gold/SP1 32-bit, all languages.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
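The three-stage sequence the thread describes (exploit over 135/tcp, callback to 4444/tcp on the infector, then a TFTP fetch on 69/udp from the infector) can be correlated from firewall flow logs to tell which exploited hosts actually received the worm binary and which were only crashed because the TFTP stage was blocked. The script below is an added example, not code from the original post; the flow records, the record format and the 60-second correlation window are constructed assumptions.

```python
"""Correlate constructed firewall flow records into Blaster-style chains.

Stages per the thread: infector -> victim 135/tcp, victim -> infector
4444/tcp, victim -> infector 69/udp (TFTP). Egress filtering breaks the
last stage only when the infector sits on the far side of the firewall.
"""
from datetime import datetime, timedelta

# Constructed flow log (not real data): time src dst proto dport action.
# Chain 1 is LAN-to-LAN and completes; chain 2 comes from the Internet
# and the victim's TFTP fetch back out is denied by the firewall.
FLOW_LOG = """\
2003-08-12T16:40:01 10.0.0.23 10.0.0.41 tcp 135 allow
2003-08-12T16:40:02 10.0.0.41 10.0.0.23 tcp 4444 allow
2003-08-12T16:40:03 10.0.0.41 10.0.0.23 udp 69 allow
2003-08-12T16:41:10 10.0.0.23 203.0.113.7 tcp 135 deny
2003-08-12T16:42:05 198.51.100.9 10.0.0.50 tcp 135 allow
2003-08-12T16:42:06 10.0.0.50 198.51.100.9 tcp 4444 allow
2003-08-12T16:42:07 10.0.0.50 198.51.100.9 udp 69 deny
"""

def parse(log):
    """Parse one record per line into (time, src, dst, proto, dport, action)."""
    recs = []
    for line in log.splitlines():
        ts, src, dst, proto, dport, action = line.split()
        recs.append((datetime.fromisoformat(ts), src, dst, proto, int(dport), action))
    return recs

def classify_chains(log, window=timedelta(seconds=60)):
    """Map (infector, victim) to how far the infection sequence got."""
    recs = parse(log)
    chains = {}
    for ts, infector, victim, proto, dport, action in recs:
        if not (proto == "tcp" and dport == 135 and action == "allow"):
            continue  # only an allowed 135/tcp connection can start a chain
        # Reverse-direction traffic from the victim back to the infector
        # within the window: these are the callback and the TFTP fetch.
        followups = {(p, d, a) for t, s, dd, p, d, a in recs
                     if s == victim and dd == infector and ts <= t <= ts + window}
        if ("udp", 69, "allow") in followups:
            stage = "payload_fetched"  # victim has the binary and will scan others
        elif ("tcp", 4444, "allow") in followups:
            stage = "tftp_blocked"     # exploited (reboots), but cannot propagate
        else:
            stage = "exploit_only"
        chains[(infector, victim)] = stage
    return chains

if __name__ == "__main__":
    for pair, stage in classify_chains(FLOW_LOG).items():
        print(pair, stage)
```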

