RE: Detecting Blaster
oogelyboogly_at_hushmail.com
Date: 08/14/03
Date: Thu, 14 Aug 2003 13:54:20 -0700
To: bobs@LEAWOOD.ORG, focus-ms@securityfocus.com
Most of the time the worm traffic will select address space for which
there is no route within your network - that is especially true of the
first version of msblaster. That means that almost always the traffic
will head towards the route of last resort or your default route (towards
the Internet).
You shouldn't let TCP port 135 outbound through your firewall anyhow.
Simply set an ACL to deny the packets and log the activity to a syslog
server. This gives you a fairly good way to see what is going on.
Once you have identified a suspect system (which is easy to see due to
the traffic frequency and patterns of scanning) - check the registry
with the NT4 resource kit tool "reg.exe" in the usual places that the
worms are setting their keys to restart.
Syntax:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /S \\<IP ADDR>
You can also use the "reg.exe" tool to disable the DCOM reg key (which
is not totally effective for all versions), or to delete the offending
worm registry key - followed by a reboot (using the shutdown tool from
the resource kit).
example...
reg update HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N \\<IP ADDR>
Hope this helps!
0b
-----Original Message-----
From: Bob Sadler [mailto:bobs@LEAWOOD.ORG]
Sent: Thursday, August 14, 2003 12:14 PM
To: focus-ms@securityfocus.com
Subject: Detecting Blaster
I have been trying to figure out if there is a way that I can detect
signs of Blaster on a large number of machines on a network without
having to actually visit each one.
I have a port scanner (Ethereal) and have it setup to look at any frame
with destination port 135. Is there a better way to do this, or is the
way I'm trying to do this all wrong in the first place?
Bob Sadler
City of Leawood, KS, USA
WAN/Internet Specialist
913-339-6700 x194
Get a Life! Get TWO! Play Second Life!
http://secondlife.com/ss/?u=b4ebbfdd6af98a027fa7e89a86c55a68
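The detection approach described in the reply above (deny TCP/135 outbound at the firewall, ship the ACL denies to syslog, then pick out infected hosts by how many neighbours they hit and how they walk the address space) as an added example; this is not code from the original thread, and the Cisco-style ACL deny lines are constructed here for illustration:

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of firewall ACL deny messages forwarded to syslog
# (hypothetical Cisco-style "list ... denied tcp" lines, not real log data).
SAMPLE_SYSLOG = """\
Aug 14 13:01:02 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.1.5.23(1043) -> 10.1.6.1(135), 1 packet
Aug 14 13:01:02 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.1.5.23(1044) -> 10.1.6.2(135), 1 packet
Aug 14 13:01:03 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.1.5.23(1045) -> 10.1.6.3(135), 1 packet
Aug 14 13:01:03 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.1.5.23(1046) -> 10.1.6.4(135), 1 packet
Aug 14 13:01:04 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.1.5.23(1047) -> 10.1.6.5(135), 1 packet
Aug 14 13:02:10 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.1.9.8(2210) -> 192.0.2.44(135), 1 packet
Aug 14 13:02:11 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.1.9.8(2211) -> 192.0.2.44(135), 1 packet
Aug 14 13:03:00 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.1.5.23(1048) -> 10.1.6.6(135), 1 packet
"""

# Pull source IP, destination IP and destination port out of a deny line.
LINE_RE = re.compile(r"denied tcp (\d+\.\d+\.\d+\.\d+)\(\d+\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")

def port135_targets(syslog_text):
    """Map each source host to the set of destinations it tried on TCP/135."""
    targets = defaultdict(set)
    for line in syslog_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "135":
            targets[m.group(1)].add(ipaddress.ip_address(m.group(2)))
    return targets

def longest_sequential_run(addrs):
    """Length of the longest run of numerically consecutive destination addresses."""
    ordered = sorted(int(a) for a in addrs)
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def suspect_hosts(syslog_text, min_targets=5, min_run=4):
    """Sources that hit many distinct hosts on 135 while walking consecutive addresses.
    A single repeated destination (a legitimate RPC client retrying) does not qualify."""
    suspects = {}
    for src, dsts in port135_targets(syslog_text).items():
        run = longest_sequential_run(dsts)
        if len(dsts) >= min_targets and run >= min_run:
            suspects[src] = {"targets": len(dsts), "longest_run": run}
    return suspects

if __name__ == "__main__":
    for src, info in suspect_hosts(SAMPLE_SYSLOG).items():
        print(f"suspect {src}: {info['targets']} targets, run of {info['longest_run']}")
```

The thresholds are assumptions to tune against your own deny volume; the sequential-run check is what separates a scanning worm from an ordinary host retrying one RPC server.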