Security Basics mailing list archives
RE: Purging Blaster.worm
From: "Jay Woody" <jay_woody () tnb com>
Date: Thu, 14 Aug 2003 13:06:56 -0500
This infection doesn't seem to be able to get past a properly configured firewall, with ports 4400 and 135 locked down, which could be why it's been so widespread, eh? ;-) What does that tell us?
Guys, I hate to beat a dead horse here, but I continue to see posts like this. A "properly configured firewall" is a very small part of this answer. Some people need NetBIOS inside and they use TFTP to the outside, etc. The answer was to be freaking patched. To see hundreds of smart people warn you to be patched for 3 or 4 weeks and then when it hits to go, "Man, I thought our firewall would stop it," shows that you aren't reading the bulletin to begin with. Ever since Code Red waltzed in over port 80, the answer stopped being a firewall. They are great and they can slow it down and give you a little time to patch, but they will just keep changing ports (I think I saw 593 now as one to block) and changing ports. The firewall can stop some crap, but the answer is to freaking patch the systems. In this case, no one knew to block 69 until it hit, for example. 69 is legitimate for anyone that uses TFTP. How is a firewall that has been configured to allow 69 going to stop that?

Maybe I am a little sensitive to this, being the firewall guy and all, but come on people. I stopped 135, 136, 445, 4444 and a host of others and you know what, it still hit. Know what it hit? A couple of freaking laptops from home. They brought it in and my firewall did d!ck as it bounced around from floor to floor. Sure I could shut off 69 and keep it from hitting the world, but that didn't stop all the UNPATCHED workstations from getting this thing. The answer is to freaking listen to the community and patch the boxes. Don't count on a firewall or anti-virus to protect you. All this took was a little 800K patch and you would have had NO PROBLEMS at all. You had 3 or 4 weeks to get it out. And it worked with SP6 in NT, SP2 in 2K and I think SP1 in XP, so you didn't even have to roll a SP out with it. That was the answer. Patch. I'll do the best I can to block the crap from the outside, but when you let it walk in the backdoor, there ain't a lot I can do but sit back and laugh.
Oh, and explain over and over again why for 3 weeks now I warned you to patch the workstations (that is what happened here at least) and told you the firewall couldn't stop it. JayW
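An added example, not code from the thread or any list member: a small Python checker that runs over constructed internal firewall log lines and flags the host-to-host 135, 4444, 69 sequence Jay describes, the traffic a perimeter block list never sees once an infected laptop is inside. The log format, the host names and the 10.0.0.0/8 internal range are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): syslog-style allow records
# from an internal firewall. 10.1.4.20 plays the infected laptop.
SAMPLE_LOG = """\
Aug 14 09:01:02 fw allow src=10.1.4.20 dst=10.1.7.31 proto=tcp dport=135
Aug 14 09:01:03 fw allow src=10.1.4.20 dst=10.1.7.31 proto=tcp dport=4444
Aug 14 09:01:04 fw allow src=10.1.7.31 dst=10.1.4.20 proto=udp dport=69
Aug 14 09:02:10 fw allow src=10.1.4.20 dst=10.1.7.32 proto=tcp dport=135
Aug 14 09:03:00 fw allow src=10.1.5.9 dst=10.1.7.40 proto=tcp dport=445
Aug 14 09:04:00 fw allow src=203.0.113.5 dst=10.1.7.31 proto=tcp dport=80
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def internal_flows(log_text):
    """Yield (src, dst, proto, dport) for internal-to-internal records only.
    Assumption: the internal network is 10.0.0.0/8. Perimeter port blocks
    never see these flows, which is Jay's point about the laptops."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["src"].startswith("10.") and m["dst"].startswith("10."):
            yield m["src"], m["dst"], m["proto"], int(m["dport"])

def find_blaster_like_pairs(log_text):
    """(attacker, victim) pairs showing the full sequence the thread describes:
    tcp/135 exploit, tcp/4444 shell, then victim pulls the payload over udp/69."""
    seen = defaultdict(set)          # (src, dst) -> {(proto, dport), ...}
    for src, dst, proto, dport in internal_flows(log_text):
        seen[(src, dst)].add((proto, dport))
    return sorted((a, v) for (a, v), ports in seen.items()
                  if {("tcp", 135), ("tcp", 4444)} <= ports
                  and ("udp", 69) in seen.get((v, a), ()))

def rpc_scanners(log_text, threshold=2):
    """Internal hosts touching tcp/135 on at least `threshold` distinct peers:
    a cheap early-warning signal that fires before the 4444/69 stages."""
    targets = defaultdict(set)
    for src, dst, proto, dport in internal_flows(log_text):
        if (proto, dport) == ("tcp", 135):
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= threshold)

if __name__ == "__main__":
    print(find_blaster_like_pairs(SAMPLE_LOG))  # [('10.1.4.20', '10.1.7.31')]
    print(rpc_scanners(SAMPLE_LOG))             # ['10.1.4.20']
```

The external source 203.0.113.5 is ignored on purpose: the point is that the hosts worth chasing are the internal ones, which is where the patching has to happen.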
"Bob Walker" <bobwalker8 () comcast net> 08/14/03 12:47AM >>>
We've had a crush of systems coming in the last 2 days in our small store/shop, and yes, the Symantec removal tool works great. I think the key is booting the system up in safe mode, running the removal tool, then rebooting and connecting directly to http://symantec.com and following the link there on the left side of the page to http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html. That will have a link directly to Microsoft's patch for this worm, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp. Download the patch, install it, and the system is back out the door.

I've personally done about 15-20 of these repairs over the last 2 days. Hasn't left much time for motherboard replacements, OS reloads, etc, but it's been easy money :-)

I've seen some speculation here about possible reinfection between the short time you're connected to the web after running the removal tool but before the patch is installed. That hasn't been my experience here at all, but the fact that we're running a broadband connection behind a pretty good firewall has probably mitigated that possibility considerably. This infection doesn't seem to be able to get past a properly configured firewall, with ports 4400 and 135 locked down, which could be why it's been so widespread, eh? ;-) What does that tell us?

Regards,
Bob

-----Original Message-----
From: Jose Guevarra [mailto:jose () iquest ucsb edu]
Sent: Tuesday, August 12, 2003 7:07 PM
To: security-basics () securityfocus com
Subject: Purging Blaster.worm

Hi,

Has anyone successfully purged the MSBlaster worm. There is a tool out there that can do it but is it reliable?

thanx,