Re: MS-Blast scripts

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 14 Aug 2003 16:18:28 -0500

Hi Mark,

Cool, that's what I was thinking. None of my networks have been touched,
but that might be because all laptops require ICF. However, there has
been an element of luck, because no VPN clients introduced the bug and
none of my VPN servers have VPNq installed yet, and the CMAK client
pieces have not been distributed.

This does bring up a very, very good point. Untrusted machines (machines
such as laptops and VPN clients) should not connect directly to the
trusted network. VPN clients can connect to a DMZ and access published
servers. Laptops should connect to their own network and access
resources via published servers as well. Sort of like what we all
naturally do with WLAN hosts.

Hey Mark, you just gave me an idea for another article :-)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
Sent: Thursday, August 14, 2003 4:08 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: MS-Blast scripts

Tom,

may I cite NAI on this:

====================
This worm spreads by exploiting a recent vulnerability in Microsoft
Windows. The worm scans the local class C subnet, or other random
subnets, on port 135. Discovered systems are targeted. Exploit code is
sent to those systems, instructing them to download and execute the file
MSBLAST.EXE from a remote system via TFTP. 
The worm contains a payload to initiate a Denial of Service attack
against windowsupdate.com after August 16. The worm only checks the
local system date upon execution. If an infected system is left on and
the date rolls over to Aug 16, the payload will not kick off until the
system is restarted. 

This payload involves sending 20-byte SYN packets to windowsupdate.com
on TCP port 80 for the purpose of preventing users from patching their
systems via Windows Update. The source IP address is spoofed on each
packet, using a random local CLASS B IP. 

[...]

However, unless the system has been (MS03-026) patched, it is
susceptible to the buffer overflow attack from an infected host machine.
An infected machine (running msblast.exe) will send out malformed
packets across the local subnet to the RPC service running on port 135.
When these packets are received by any unpatched system, it will create
a buffer overflow and crash the RPC service on that system. All this can
occur without the worm actually being on the machine. This means that
the remote shell will still get created on TCP port 4444, and the system
may unexpectedly crash upon receiving malformed exploit code. 
====================

I agree that imho the only way for the worm to get into a secured
network would be by physically moving an infected machine into it. Of
course there's always a chance that some machine has its own internet
access for whatever reasons (maybe online banking) and gets infected
that way.

When the exploit was being discussed the first time, I said I was pretty
sure that my setups would be safe, and you know what - they still are
thanks to ISA and a proper configuration. By now I have the machines
patched, so everything's at ease :)

Mark
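
The propagation and payload sequence in the NAI text Mark quotes (TCP/135 sweep of the local class C, remote shell on TCP/4444, victim fetching MSBLAST.EXE back over TFTP, then the spoofed SYN flood against windowsupdate.com:80 once the date check passes on a restart) maps directly onto three flow-level detection rules. The block below is an added example, not code from either post or from NAI: it runs over constructed flow records embedded in the file, the 60-second window and the hit thresholds are assumptions, and 192.0.2.10 is a documentation-range placeholder standing in for the windowsupdate.com address.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed flow records (not a real capture), one tuple per flow:
# (start time, source, destination, protocol, destination port, TCP flags; "" for UDP)
FLOWS = [
    # Aug 13: 10.0.5.17 sweeps its own /24 on TCP/135, 25 targets in 25 seconds
    *[(f"2003-08-13 09:00:{i:02d}", "10.0.5.17", f"10.0.5.{i}", "tcp", 135, "S")
      for i in range(20, 45)],
    # 10.0.5.30 is unpatched: the attacker uses the shell on TCP/4444 and the
    # victim pulls MSBLAST.EXE back from the attacker over TFTP (UDP/69)
    ("2003-08-13 09:00:31", "10.0.5.17", "10.0.5.30", "tcp", 4444, "S"),
    ("2003-08-13 09:00:33", "10.0.5.30", "10.0.5.17", "udp", 69, ""),
    # benign noise: one RPC connection to a domain controller, one web request
    ("2003-08-13 09:05:00", "10.0.5.30", "10.0.5.1", "tcp", 135, "S"),
    ("2003-08-13 09:01:00", "10.0.5.40", "192.0.2.10", "tcp", 80, "S"),
    # Aug 16, after a reboot: SYN flood to port 80 with the low 16 bits of the
    # source address randomised inside the local class B (192.0.2.10 is a
    # documentation-range placeholder for the windowsupdate.com address)
    *[(f"2003-08-16 00:01:{k:02d}", f"10.0.{(k * 37) % 256}.{(k * 91 + 5) % 256}",
       "192.0.2.10", "tcp", 80, "S") for k in range(30)],
]

WINDOW = timedelta(seconds=60)  # assumed correlation window for all three rules


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def burst(events, window, min_distinct):
    """events: [(time, value)]. Return the number of distinct values in the first
    window-long span (starting at an event) that holds at least min_distinct of
    them, or 0 if no span qualifies."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        distinct = {v for t, v in events[i:] if t - t0 <= window}
        if len(distinct) >= min_distinct:
            return len(distinct)
    return 0


def rpc_sweepers(flows, min_targets=10, window=WINDOW):
    """Rule 1: a source that opens TCP/135 to >= min_targets distinct hosts
    within one window. A single RPC connection to a DC never trips this."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, flags in flows:
        if proto == "tcp" and dport == 135 and "S" in flags:
            per_src[src].append((parse(ts), dst))
    hits = {src: burst(ev, window, min_targets) for src, ev in per_src.items()}
    return {src: n for src, n in hits.items() if n}


def tftp_pulls(flows, window=WINDOW):
    """Rule 2: the infection handshake. The same peer hits a host on TCP/135 and
    then TCP/4444, and the host answers by fetching over UDP/69 from that peer,
    all inside one window. Returns (attacker, victim) pairs."""
    steps = defaultdict(dict)  # (attacker, victim) -> {stage: first time seen}
    for ts, src, dst, proto, dport, flags in flows:
        t = parse(ts)
        if proto == "tcp" and dport == 135:
            steps[(src, dst)].setdefault("rpc", t)
        elif proto == "tcp" and dport == 4444:
            steps[(src, dst)].setdefault("shell", t)
        elif proto == "udp" and dport == 69:
            steps[(dst, src)].setdefault("tftp", t)  # the victim is the TFTP client
    return [pair for pair, s in steps.items()
            if {"rpc", "shell", "tftp"} <= set(s)
            and s["rpc"] <= s["shell"] <= s["tftp"] <= s["rpc"] + window]


def spoofed_syn_floods(flows, min_sources=20, window=WINDOW):
    """Rule 3: the payload. Bare SYNs to one dst:80 from >= min_sources distinct
    addresses that all fall in one /16 within a window. Because the worm only
    randomises the low 16 bits, the flood looks like a burst of hosts in the
    local class B that do not exist, which is the tell at the egress."""
    per_key = defaultdict(list)
    for ts, src, dst, proto, dport, flags in flows:
        if proto == "tcp" and dport == 80 and flags == "S":
            net16 = str(ip_network(f"{src}/16", strict=False))
            per_key[(dst, net16)].append((parse(ts), src))
    hits = {k: burst(ev, window, min_sources) for k, ev in per_key.items()}
    return {k: n for k, n in hits.items() if n}


if __name__ == "__main__":
    print("TCP/135 sweepers:", rpc_sweepers(FLOWS))
    print("exploit + shell + TFTP pull:", tftp_pulls(FLOWS))
    print("spoofed SYN floods:", spoofed_syn_floods(FLOWS))
```

Rule 2 is the one worth keeping after the patches are in: a host that accepts 135 and 4444 from a peer and then opens a TFTP session back to it has been exploited whether or not the worm binary ever landed, which matches the point in the quoted text that the RPC crash and the 4444 shell happen before MSBLAST.EXE is on the box. Rule 3 only fires where you can see the pre-NAT source addresses, so it belongs on the inside interface, not on the external one.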
