Alert: New worms, be aware of internal infection possibilities
From: Russ (Russ.Cooper@RC.ON.CA) Date: 10/01/02
Date: Tue, 1 Oct 2002 02:07:29 -0400 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Two new worms are of particular concern due to the fact they spread via network shares.
Both rely upon open network shares, that is, shares which have no passwords. At greatest risk are systems configured with a Guest account enabled with no password, or home systems running OSes which don't demand a userID/password (Win95/98/ME).
I guess someone (or more than one someone) has decided to prove me wrong in my criticism of the U.S. National Strategy to Secure Cyberspace's assertion that attacks against home users' passwords are a critical issue. That Strategy called for strong passwords for home users; I said we'd never seen an attack based on weak passwords. Here we have two attacks based on no password, so I guess it counts.
Anyway, my reason for mentioning this to NTBugtraq is that there's the possibility that these attacks may be brought inside your networks from poorly configured mobile machines, or machines which connect via part-time VPNs where the other end doesn't employ decent security practices.
Victimized systems randomly (and a poor randomization at that) establish NetBIOS connections to IP addresses. This results in UDP137 traffic first (directed NetBIOS name query), followed with TCP139 traffic.
In both cases you are likely to see higher than usual amounts of traffic on UDP137. If you have not previously established default deny rules preventing UDP137 from entering, and more importantly, exiting your network via any gateways (including via VPNs), consider doing so. Preventing the UDP137 traffic from succeeding eliminates the threat of TCP139 traffic (in these cases).
If you do nothing else, ensure you block inbound and outbound UDP137 traffic. Not only will this stop annoying traffic from Exchange Servers (yours going outbound, others coming inbound), you'll prevent the spread of these worms. If you do have or get any infected hosts, you'll be able to use your router logs to identify them. Of course up-to-date AV definitions will also find them.
More information can be found at:
Bugbear
(note: Bugbear also sets up a listening webserver on TCP 36794)
http://vil.nai.com/vil/content/v_99728.htm
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
Scrup
http://vil.nai.com/vil/content/v_99729.htm
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
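Added example, not part of Russ's post: once UDP137 is denied at the gateway, the drop log itself becomes the detector he describes, because an infected host fans name queries out to many addresses while a legitimate source (an Exchange server, say) talks to a handful of peers. The script below parses constructed log lines written in the Linux netfilter LOG-target format (the SRC/DST/PROTO/SPT/DPT fields are that target's real field names); the interface names, the rule prefix and the fan-out threshold are assumptions, and the addresses are made up.

```python
"""Flag internal hosts spraying NetBIOS name queries (UDP/137) outward.

Hypothetical example written for this page, not code from the post.  Log
lines are in Linux netfilter LOG-target style; the "DROP-EGRESS" prefix,
interface names eth0 (external) / eth1 (internal) and the threshold are
assumed, and the addresses are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log.  10.0.0.5 behaves like an infected host: many
# distinct targets on UDP/137, then a TCP/139 attempt.  10.0.0.9 behaves like
# a mail server that repeatedly queries one peer.  The inbound line from
# 203.0.113.7 shows an outside host scanning us and must not be counted as
# an internal infection.
SAMPLE_LOG = """\
Oct  1 02:07:29 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.12 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:29 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.13 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:30 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.14 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:30 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.15 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:31 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.16 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:31 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.17 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:31 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.17 PROTO=TCP SPT=1042 DPT=139 LEN=48
Oct  1 02:07:32 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.200 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:40 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.200 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:48 gw kernel: DROP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.200 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:55 gw kernel: DROP-INGRESS IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  1 02:07:56 gw kernel: some unrelated message without packet fields
"""

# IN= may be empty for locally generated packets, hence \S* rather than \S+.
LOG_RE = re.compile(
    r"IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the packet fields of one LOG-target line, or None if absent."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def netbios_fanout(lines, external_if="eth0"):
    """Map each internal source to the set of external hosts it queried on UDP/137.

    Only packets leaving via external_if count, so an outside scanner hitting
    us does not appear as an internal infection.
    """
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "UDP" or rec["dpt"] != 137:
            continue
        if rec["out_if"] != external_if:
            continue
        fanout[rec["src"]].add(rec["dst"])
    return dict(fanout)


def suspect_hosts(lines, min_targets=5, external_if="eth0"):
    """Sources that queried at least min_targets distinct hosts, most prolific first.

    The threshold is an assumption; tune it against what your own servers
    legitimately do before acting on the list.
    """
    fan = netbios_fanout(lines, external_if)
    hits = [(src, len(dsts)) for src, dsts in fan.items() if len(dsts) >= min_targets]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, n in suspect_hosts(SAMPLE_LOG.splitlines()):
        print(f"{src}: NetBIOS name queries to {n} distinct external hosts")
```

Run it against your gateway's drop log instead of SAMPLE_LOG; a host near the top of the list is the one to pull off the network and scan with current AV definitions.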