Re: Virus or no virus sasser/blaster
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 12/15/04
- Next message: it_exprt: "Re: Hackdefender clb.exe"
- Previous message: Alex.V.Prokhorov: "Re: Lsass.exe"
- Maybe in reply to: cquirke (MVP Win9x): "Re: Virus or no virus sasser/blaster"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 15 Dec 2004 14:02:19 +0200
On Mon, 15 Nov 2004 05:31:19 -0800, Andreas Menzies
>Hi, I have a laptop from a customer that is showing signs of either sasser or
>blaster. It shuts down with a 60 second NT/Authority etc warning and LSASS
Some malware are "sentinels"; they are nature's way of telling you
that your risk management sucks large:
Opaserv - don't F&PS the startup axis, dummy
Lovesan - patch yer RPC/DCOM and use a firewall
Sasser - patch yer LSASS and use a firewall
Kak - risk-manage or avoid OE
Various "but I didn't click anything!" - upgrade IE (MIME-spoof)
>I have scanned with Norton and AVG and they do not detect a virus.
Two points:
1) Norton av and AVG are Windows-based
So unless you use the "rescue disk" forms and these forms are safely
up-to-date and scan for everything, they are informal. As such, the
value they have is in preventing infection. Once penetrated, and you
find yourself chasing *active* malware, they are non-exclusionary.
2) Direct network attackers DoS before they infect
This is why the generic protection against such attacks is firewall
and NAT, and not antivirus. The Denial of Service effects (crashing
exposed network services such as RPC and LSASS, which thanks to bad
settings may cause the OS to restart) are due to attempts to probe the
exposed services' ports, and happen before any malware code enters the
PC. So there's nothing for the av to do, at this point.
Specifically: Pure network attacks that exploit "unchecked buffers"
are usually quite brittle, requiring the attack packet to be perfectly
crafted for that OS version. In the case of RPC and Lovesan, this
attack packet "shape" differs for Win2000 vs. XP, so an attack aimed
at one OS will crash the service of the other OS, without infecting.
>I have updated XP with the relevant security patches
Method detail may be important there, esp. if malware is or has been
(think residual settings in HOSTS etc.) active. The patches you think
you got, may not be in place.
Also, where Lovesan et al are concerned; be aware that the original
RPC patch on July 2003 was revised in September 2003 to fix additional
defects. AFAIK most RPC attackers rely on the original defects, but
new ones might look for what was fixed in September that was still
unfixed after July's patch (original Lovesan dates from August 2003).
>and taken XP to the latest SP1 update
AFAIK, SP1 predates RPC and LSASS fixes, and may undo them!
>(no going to use SP2 on this laptop).
As you wish; be careful to patch against this month's IFRame etc.
holes in IE, and expect issues with malformed .JPG as it's hard to
enforce GDIPlus safety in pre-SP2 PCs.
>I switched off system restore, scanned in safe mode, applied the relevant
>patches, it worked for about a day now back on site and the same symptoms.
My guess: Patches + SP1 = unpatched, vs. SP1 + patches = OK.
Thinking specifically about RPC/DCOM and LSASS here.
Also: Use a firewall! If NAT or edgepoint firewall usually protects
you against internet attacks, then consider intra-LAN infection.
>---------- ----- ---- --- -- - - - -
On the 'net, *everyone* can hear you scream
>---------- ----- ---- --- -- - - - -
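Added here as an illustration, not part of the original post or thread: a small Python triage of firewall log records that separates internet-sourced probes of the RPC and LSASS ports from intra-LAN ones, the distinction the reply draws between a missing NAT/edge firewall and an infected neighbour. The port numbers (135 for RPC/DCOM, 445 for SMB/LSASS), the LAN subnet, the XP firewall log field layout and the log lines themselves are my assumptions and constructed samples.

```python
import ipaddress
from collections import Counter

# Ports of the services the post says probes crash before any infection:
# RPC/DCOM endpoint mapper (135) and SMB, behind which LSASS listens (445).
SENTINEL_PORTS = {135: "RPC/DCOM", 445: "SMB/LSASS"}

def triage(lines, lan=ipaddress.ip_network("192.168.1.0/24")):
    """Count TCP hits on the sentinel ports per source address and tag each
    source LAN or INTERNET. Input: XP firewall log records (assumed W3C-style
    space separated fields: date time action protocol src-ip dst-ip
    src-port dst-port ...). Comment lines and short lines are skipped."""
    hits = Counter()
    for line in lines:
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 8 or f[3] != "TCP":
            continue
        port = int(f[7])
        if port in SENTINEL_PORTS:
            src = ipaddress.ip_address(f[4])
            origin = "LAN" if src in lan else "INTERNET"
            hits[(str(src), origin, SENTINEL_PORTS[port])] += 1
    return hits

def verdicts(hits, threshold=3):
    """Findings a technician can act on; a single stray packet is ignored."""
    out = []
    for (src, origin, svc), n in sorted(hits.items()):
        if n < threshold:
            continue
        where = ("from inside the LAN; suspect an infected neighbour"
                 if origin == "LAN" else
                 "from the internet; NAT/edge firewall is not shielding it")
        out.append(f"{src}: {n} probes of {svc} {where}")
    return out

# Constructed sample in XP firewall log style (not a real capture).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2004-12-15 14:02:19 DROP TCP 192.168.1.50 192.168.1.10 3456 445 48 S
2004-12-15 14:02:20 DROP TCP 192.168.1.50 192.168.1.10 3457 445 48 S
2004-12-15 14:02:21 DROP TCP 192.168.1.50 192.168.1.10 3458 445 48 S
2004-12-15 14:03:02 DROP TCP 203.0.113.7 192.168.1.10 1025 135 48 S
2004-12-15 14:03:03 DROP TCP 203.0.113.7 192.168.1.10 1026 135 48 S
2004-12-15 14:03:04 DROP TCP 203.0.113.7 192.168.1.10 1027 135 48 S
2004-12-15 14:06:00 OPEN TCP 192.168.1.10 192.168.1.1 1040 80 0 -
""".splitlines()
```

Running `verdicts(triage(SAMPLE_LOG))` on the sample yields one finding for the LAN host hammering port 445 and one for the internet host hammering port 135; the outbound port 80 record is ignored.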