Educause Security Discussion mailing list archives

FW: W32/Blaster on Abilene

From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Tue, 12 Aug 2003 13:42:07 -0500

The list of sourcing site that Doug mentions below will include
Abilene-connected campuses as well as those other campuses that are
generating a lot of worm traffic to Abilene-connected campuses.  

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research --
cacr.iu.edu

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: renisac 
Sent: Tuesday, August 12, 2003 12:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: W32/Blaster on Abilene


As you're all probably painfully aware by now, a worm exploit of the
Microsoft
DCOM RPC vulnerability, W32/Blaster, was unleased on Monday August 11.
Details
regarding the vulnerability and exploit can be found at the references
provided
below.

Worm traffic on Abilene is very high, peaking at 7%+ of all packets on
the
network. We're performing an analysis of Abilene netflow data, and early
this
afternoon will provide a private communication to sites that are
sourcing a
large amount of worm traffic.

Recommendations for network border filtering are included the CERT
W32/Blaster
advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should
be
defined as input and output - to protect yourselves and to protect from
infecting others.

References:

Microsoft DCOM RPC:
        http://www.cert.org/advisories/CA-2003-16.html
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

W32/Blaster:
        http://www.cert.org/advisories/CA-2003-20.html


Regards,

Doug Pearson
Director, REN-ISAC
Indiana University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

FW: W32/Blaster on Abilene Bruhn, Mark S. (Aug 12)
- <Possible follow-ups>
- Re: FW: W32/Blaster on Abilene SECURITY SECURITY (Aug 15)
- W32/Blaster on Abilene Doug Pearson (Aug 17)