RE: Purging Blaster.worm

From: Jay Woody (jay_woody_at_tnb.com)
Date: 08/14/03

    Date: Thu, 14 Aug 2003 13:06:56 -0500
    To: <bobwalker8@comcast.net>, <security-basics@securityfocus.com>

    >> This infection doesn't seem to be able to get past a
    >> properly configured firewall, with ports 4400 and 135
    >> locked down, which could be why it's been so
    >> widespread, eh? ;-) What does that tell us?

    Guys, I hate to beat a dead horse here, but I continue to see posts
    like this. A "properly configured firewall" is a very small part of
    this answer. Some people need NetBIOS inside and they use TFTP to the
    outside, etc. The answer was to be freaking patched. To see 100's of
    smart people warn you to be patched for 3 or 4 weeks and then when it
    hits to go, "Man, I thought our firewall would stop it." shows that you
    aren't reading the bulletin to begin with. Ever since Code Red waltzed
    in over port 80, the answer stopped being a firewall. They are great
    and they can slow it down and give you a little time to patch, but they
    will just keep changing ports (I think I saw 593 now as one to block)
    and changing ports. The firewall can stop some crap, but the answer is
    to freaking patch the systems. In this case, no one knew to block 69
    until it hit for example. 69 is legitimate for anyone that uses TFTP.
    How is a firewall that has been configured to allow 69 going to stop
    that?

    Maybe I am a little sensitive to this, being the firewall guy and all,
    but come on people. I stopped 135, 136, 445, 4444 and a host of others
    and you know what, it still hit. Know what it hit, a couple of freaking
    laptops from home. They brought it in and my firewall did d!ck as it
    bounced around from floor to floor. Sure I could shut off 69 and keep
    it from hitting the world, but that didn't stop all the UNPATCHED
    workstations from getting this thing. The answer is to freaking listen
    to the community and patch the boxes. Don't count on a firewall or
    anti-virus to protect you.

    All this took was a little 800K patch and you would have had NO
    PROBLEMS at all. You had 3 or 4 weeks to get it out. And it worked
    with SP6 in NT, SP2 in 2K and I think SP1 in XP, so you didn't even have
    to roll a SP out with it. That was the answer. Patch. I'll do the
    best I can to block the crap from the outside, but when you let it walk
    in the backdoor, there ain't a lot I can do, but sit back and laugh.
    Oh, and explain over and over again why for 3 weeks now I warned you to
    patch the workstations (that is what happened here at least) and told
    you the firewall couldn't stop it.

    JayW

    >>> "Bob Walker" <bobwalker8@comcast.net> 08/14/03 12:47AM >>>
    We've had a crush of systems coming in the last 2 days in our small
    store/shop, and yes, the Symantec removal tool works great. I think the
    key is booting the system up in safe mode, running the removal tool,
    then rebooting and connecting directly to http://symantec.com and
    following the link there on the left side of the page to
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html.
    That will have a link directly to Microsoft's patch for this worm,
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp.
    Download the patch, install it, and the system is back out the door.
    I've personally done about 15-20 of these repairs over the last 2 days.
    Hasn't left much time for motherboard replacements, OS reloads, etc,
    but it's been easy money :-)

    I've seen some speculation here about possible reinfection between the
    short time you're connected to the web after running the removal tool
    but before the patch is installed. That hasn't been my experience here
    at all, but the fact that we're running a broadband connection behind a
    pretty good firewall has probably mitigated that possibility
    considerably. This infection doesn't seem to be able to get past a
    properly configured firewall, with ports 4400 and 135 locked down, which
    could be why it's been so widespread, eh? ;-) What does that tell us?

    Regards,
    Bob

    -----Original Message-----
    From: Jose Guevarra [mailto:jose@iquest.ucsb.edu]
    Sent: Tuesday, August 12, 2003 7:07 PM
    To: security-basics@securityfocus.com
    Subject: Purging Blaster.worm

    Hi,

     Has anyone successfully purged the MSBlaster worm. There is a tool out
    there that can do it but is it reliable?

    thanx,
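Jay's point is that the Blaster chain (tcp/135 exploit, tcp/4444 shell, then the new victim pulling the payload over TFTP on udp/69) walked in on laptops the perimeter never saw, so besides patching, the useful control is spotting that chain on the inside rather than just blocking ports at the edge. The detector below is an added example, not code from this thread; it runs over constructed log lines in a hypothetical "src dst proto/port action" format, and the host addresses and the known-TFTP-server list are assumptions.

```python
import re
from collections import defaultdict

# Constructed internal log in a hypothetical format (not from any real product):
# "<src> <dst> <proto>/<dport> <action>". 10.1.5.23 plays the home laptop.
SAMPLE_LOG = """\
10.1.5.23 10.1.5.1 tcp/135 allow
10.1.5.23 10.1.5.2 tcp/135 allow
10.1.5.23 10.1.5.3 tcp/135 allow
10.1.5.23 10.1.5.4 tcp/135 allow
10.1.5.23 10.1.5.5 tcp/135 allow
10.1.5.23 10.1.5.6 tcp/135 allow
10.1.5.23 10.1.5.4 tcp/4444 allow
10.1.5.4 10.1.5.23 udp/69 allow
10.1.9.8 10.1.9.1 tcp/135 allow
10.1.9.9 10.1.0.5 udp/69 allow
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(tcp|udp)/(\d+)\s+(allow|deny)$")

def parse_log(text):
    """Return (src, dst, proto, dport) tuples; malformed lines are skipped."""
    matches = (LINE_RE.match(l.strip()) for l in text.splitlines())
    return [(m[1], m[2], m[3], int(m[4])) for m in matches if m]

def find_suspects(events, scan_threshold=5, tftp_servers=frozenset({"10.1.0.5"})):
    """Flag hosts showing the Blaster-style chain; udp/69 to a known TFTP server stays legitimate."""
    seen = defaultdict(lambda: {"rpc": set(), "shell": set(), "tftp": set()})
    for src, dst, proto, port in events:
        if (proto, port) == ("tcp", 135):
            seen[src]["rpc"].add(dst)            # one host touching many RPC endpoints
        elif (proto, port) == ("tcp", 4444):
            seen[src]["shell"].add(dst)          # follow-up to the shell port
        elif (proto, port) == ("udp", 69) and dst not in tftp_servers:
            seen[src]["tftp"].add(dst)           # victim fetching the payload from its infector
    suspects = {}
    for src, s in seen.items():
        reasons = []
        if len(s["rpc"]) >= scan_threshold:
            reasons.append(f"tcp/135 fan-out to {len(s['rpc'])} hosts")
        if s["shell"]:
            reasons.append("tcp/4444 follow-up to " + ", ".join(sorted(s["shell"])))
        if s["tftp"]:
            reasons.append("udp/69 pull from non-TFTP-server " + ", ".join(sorted(s["tftp"])))
        if reasons:
            suspects[src] = reasons
    return suspects
```

A single tcp/135 connection (10.1.9.8) and a TFTP pull from the listed server (10.1.9.9) are not flagged, which is the distinction Jay draws about port 69 being legitimate for TFTP users.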

