[60462] in North American Network Operators' Group


Re: RPC errors

daemon@ATHENA.MIT.EDU (Henry Linneweh)
Tue Aug 12 18:08:35 2003

Date: Tue, 12 Aug 2003 15:08:01 -0700 (PDT)
From: Henry Linneweh <hrlinneweh@sbcglobal.net>
To: "Steven M. Bellovin" <smb@research.att.com>,
	"Dominic J. Eidson" <sauron@the-infinite.org>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <20030812205233.D499E7B43@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu



This should help some for people who are worried
http://securityresponse.symantec.com/avcenter/FixBlast.exe
 
-Henry

"Steven M. Bellovin" <smb@research.att.com> wrote:

In message <PINE.LNX.4.33.0308121243210.814-100000@MORANNON.THE-INFINITE.ORG>,
"Dominic J. Eidson" writes:
>
>On Mon, 11 Aug 2003, Jack Bates wrote:
>
>> Sean Donelan wrote:
>>
>> > http://isc.sans.org/diary.html?date=2003-08-11
>> > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
>> > vulnerable system, it will spawn a shell and use it to download the actual
>> > worm via tftp.
>> >
>> > The name of the binary is msblast.exe. It is packed with UPX and will self
>> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
>> > packed:
>
>Has anyone seen/heard of this virus propagating through email in any way?
>
>We appear to have been infected on a network that is very heavily
>firewalled from the outside, and are trying to track down possible entry
>methods the worm might have had...

A large number of networks have unknown and unauthorized back doors. 
If it's a decent-sized network and you haven't audited it, don't assume 
that the firewalling is effective. (My co-author on "Firewalls and 
Internet Security" book, Bill Cheswick, is CTO of a startup that maps 
intranets for just this reason.)


--Steve Bellovin, http://www.research.att.com/~smb
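The propagation chain in the quoted SANS summary (an inbound RPC DCOM connection on TCP/135, then the victim pulling msblast.exe back from the infecting host over tftp, then the victim itself scanning on TCP/135) is something a firewall or flow log can be checked for directly, which also speaks to Dominic's question about where an infection on a "heavily firewalled" network came from. The script below is an added example, not code from this thread or from any of its participants; the log line format, the sample records, the five-minute correlation window and all function names are constructed assumptions for the illustration.

```python
"""Correlate flow/firewall log lines for the Blaster propagation pattern
described in the thread: host A hits host B on TCP/135, B then fetches
over TFTP (UDP/69) from A, and B afterwards starts hitting other hosts on
TCP/135.  Log format and sample lines are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample records: "<ISO time> <proto> <src> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-12T14:00:01 TCP 10.1.1.50 -> 10.1.2.7:135
2003-08-12T14:00:02 UDP 10.1.2.7 -> 10.1.1.50:69
2003-08-12T14:00:09 TCP 10.1.2.7 -> 10.1.3.11:135
2003-08-12T14:00:10 TCP 10.1.2.7 -> 10.1.3.12:135
2003-08-12T14:05:00 TCP 10.1.4.4 -> 10.1.2.9:135
2003-08-12T14:30:00 UDP 10.1.2.9 -> 10.1.4.4:69
2003-08-12T14:31:00 TCP 10.1.5.1 -> 10.1.5.2:445
"""

RPC_PORT = 135   # DCOM RPC endpoint mapper, the service the worm exploits
TFTP_PORT = 69   # the victim downloads msblast.exe from the infecting host via tftp
WINDOW = timedelta(minutes=5)  # assumed: the tftp fetch follows the exploit within minutes


def parse_line(line):
    """Parse one constructed log record into (time, proto, src, dst, dport)."""
    ts, proto, src, _, dst = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src, dst_ip, int(dport)


def find_infection_chains(log_text, window=WINDOW):
    """Return one dict per (attacker -> victim) pair where a TCP/135 hit
    was followed within `window` by the victim tftp-ing back to the attacker."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    last_rpc_hit = {}   # (attacker, victim) -> time of most recent TCP/135 connection
    chains = []
    for ts, proto, src, dst, dport in events:
        if proto == "TCP" and dport == RPC_PORT:
            last_rpc_hit[(src, dst)] = ts
        elif proto == "UDP" and dport == TFTP_PORT:
            # In the tftp flow the victim is the source and the attacker the destination.
            t_rpc = last_rpc_hit.get((dst, src))
            if t_rpc is not None and ts - t_rpc <= window:
                chains.append({"attacker": dst, "victim": src,
                               "exploited_at": t_rpc, "tftp_at": ts})
    return chains


def onward_rpc_targets(log_text, chain):
    """Distinct hosts the victim contacted on TCP/135 after its tftp fetch:
    a non-empty list means the victim is now propagating the worm itself."""
    targets = set()
    for ts, proto, src, dst, dport in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if (proto == "TCP" and dport == RPC_PORT and src == chain["victim"]
                and ts > chain["tftp_at"]):
            targets.add(dst)
    return sorted(targets)


if __name__ == "__main__":
    for c in find_infection_chains(SAMPLE_LOG):
        print(f"{c['attacker']} -> {c['victim']}: exploit {c['exploited_at']}, "
              f"tftp {c['tftp_at']}, onward targets {onward_rpc_targets(SAMPLE_LOG, c)}")
```

On the sample data only the 10.1.1.50 -> 10.1.2.7 pair is flagged; the 10.1.4.4 -> 10.1.2.9 tftp transfer arrives 25 minutes after the RPC connection and falls outside the window, which is the kind of threshold a site would tune against its own traffic. The first host contacted on TCP/135 from outside the perimeter is the entry point to look for when a firewalled network turns up infected.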



