RE: [Full-Disclosure] Re: new msblaster on the loose?

From: Robert Ahnemann (rahnemann_at_affinity-mortgage.com)
Date: 08/14/03

  • Next message: Stephen Clowater: "Fwd: Re: [Full-Disclosure] Microsoft urging users to buy Harware Firewalls"
    To: "Jay Woody" <jay_woody@tnb.com>, <list@dshield.org>, <full-disclosure@lists.netsys.com>, <david.vincent@mightyoaks.com>, <incidents@securityfocus.com>
    Date: Thu, 14 Aug 2003 11:19:12 -0500
    
    

    If it exploits the same vulnerability, won't it be LESS effective since many people have been hit and thus patched their systems? Wouldn't an effective blaster variant find a different loophole?

    -----Original Message-----
    From: Jay Woody [mailto:jay_woody@tnb.com]
    Sent: Thursday, August 14, 2003 10:12 AM
    To: list@dshield.org; full-disclosure@lists.netsys.com; david.vincent@mightyoaks.com; incidents@securityfocus.com
    Subject: [Full-Disclosure] Re: new msblaster on the loose?

    Guys, not to be weird, but wtf does this mean?

    >> And it says that's likely to mean a repeat of the outbreak we've
    seen during
    >> this week. The new variety of Lovesan exploits the same
    vulnerability.
    >>
    >> Kaspersky says that the number of infected systems is around the
    300,000
    >> mark, and the new variety may double this number.
    >>
    >> "In the worst case, the world community can face a global Internet
    slow down
    >> and regional disruption... to the World Wide Web," said Eugene
    Kaspersky,
    >> head of the labs.

    If people got hit and they patched, then how will this be a repeat?
    How will the numbers DOUBLE?! "In the worst case . . . "? No, in the
    worst case, New Kids on the Block could start a reunion tour. Give me a
    break, the first one hit, surely a bunch of people patched (even some of
    the people that didn't beforehand are surely smart enough to realize the
    error of their way now right?!). So any future infection is bound to be
    less unless it has figured out a different way to exploit it (in which
    case it really isn't the same worm is it?) or figures out a way to scan
    IP addresses that the first one didn't. I don't see anything saying
    that this worm is any different than the first one in those cases, so
    sounds like FUD to me.

    JayW

    >>> David Vincent <david.vincent@mightyoaks.com> 08/13/03 12:23PM >>>
    anyone else seeing this?

    ---------------

    http://www.theinquirer.net/?article=11018

    New version of Blaster worm on the loose
    Already

    By INQUIRER staff: Wednesday 13 August 2003, 16:51
    KASPERSKY LABS claimed this afternoon that there's already a new
    version of
    the Blaster/Lovesan worm on the loose.

    And it says that's likely to mean a repeat of the outbreak we've seen
    during
    this week. The new variety of Lovesan exploits the same vulnerability.

    Kaspersky says that the number of infected systems is around the
    300,000
    mark, and the new variety may double this number.

    "In the worst case, the world community can face a global Internet slow
    down
    and regional disruption... to the World Wide Web," said Eugene
    Kaspersky,
    head of the labs.

    The new variety uses the name TEEKIDS.EXE instead of MSBLAST.EXE,
    different
    code compression, and different signatures in the body of the worm.

    ---------------

    David Vincent CNA/MCSE
    Network Administrator

    www.mightyOaks.com
    david.vincent@mightyoaks.com

    MIGHTY OAKS WIRELESS SOLUTIONS INC.
    209-3347 Oak Street
    Victoria, B.C. Canada V8X 1R2
    Phone: 250.386.9398 Fax: 250.386.9399
    Pager: 250.380.4575 Cell: 250.884.3000

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Stephen Clowater: "Fwd: Re: [Full-Disclosure] Microsoft urging users to buy Harware Firewalls"