Re: Yet another Mass e-mail worm TM - Gibe-F/Swen-A - E-mail from Microsoft

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 09/20/03


Date: Sat, 20 Sep 2003 05:22:01 GMT

Rev Turd Fredericks <turdfred@catholic.org> said:
>>> My wife got the msblast virus merely by turning off her firewall
>>> to play a game.
...
>The firewall was disabled because it sometimes interferes with the
>game, I have since fixed that and the game can be played with the
>firewall on.
...
>The only reason we found out was when she re-enabled her firewall, the
>firewall warning window popped up and asked "msblast.exe requests a
>connection to IP xxx.xxx.xxx.xxx". msblast takes advantage of an RPC
>vulnerability.

And fixes to close the RPC hole used by msblast were published by
Microsoft some months before the msblast attack, if I recall correctly.

If the machine in question is running NT 4.0 workstation, it might be
that the fix is not available, as the OS is no longer supported by MS,
in which case the firewall is the only remaining protection. But _if_
the OS was something for which the fix was available, this infection
was caused by user ignorance/negligence.

It is unfortunate the Internet has turned this way, that everyone
connecting to it must be acutely aware of security issues. And it is
unfortunate the integrity of software available is what it is (for
those starting to advocate open source software at this point, look
at recent issues with sendmail, OpenSSH, some ftp daemons, etc; perhaps
not as bad as the Microsoft side, but not completely solid, either).

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)