Educause Security Discussion mailing list archives
Re: FW: W32/Blaster on Abilene
From: SECURITY SECURITY <SECURITY () MAIL MCG EDU>
Date: Fri, 15 Aug 2003 13:26:06 -0400
We set up a test environment in the lab, to include a PC infected with the W32.Blaster worm. We tried to get the windowsupdate.com part of the worm to launch by changing the date stamp on the PC to the 16th and rebooting. We were unsuccessful in getting this to work. Has anyone been successful in a lab environment in getting this to work?

Thanks

James Van Meter
Manager, Network Security
Medical College of Georgia

mbruhn () INDIANA EDU 8/12/2003 2:42:07 PM >>>
The list of sourcing sites that Doug mentions below will include Abilene-connected campuses as well as those other campuses that are generating a lot of worm traffic to Abilene-connected campuses.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research -- cacr.iu.edu
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: renisac
Sent: Tuesday, August 12, 2003 12:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: W32/Blaster on Abilene

As you're all probably painfully aware by now, a worm exploit of the Microsoft DCOM RPC vulnerability, W32/Blaster, was unleashed on Monday August 11. Details regarding the vulnerability and exploit can be found at the references provided below.

Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the network. We're performing an analysis of Abilene netflow data, and early this afternoon will provide a private communication to sites that are sourcing a large amount of worm traffic.

Recommendations for network border filtering are included in the CERT W32/Blaster advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be defined as input and output - to protect yourselves and to protect from infecting others.

References:

Microsoft DCOM RPC:
http://www.cert.org/advisories/CA-2003-16.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

W32/Blaster:
http://www.cert.org/advisories/CA-2003-20.html

Regards,

Doug Pearson
Director, REN-ISAC
Indiana University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
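
An added example, not part of the original messages and not REN-ISAC's actual analysis: one way a netflow review like the one Doug Pearson describes could flag hosts sourcing worm traffic and measure the worm's share of packets. The flow records are constructed, the ports (TCP 135, TCP 4444, UDP 69) are the ones Blaster is known to use rather than values from this thread, and the 20-target threshold is an assumption.

```python
from collections import defaultdict

# Ports used by W32/Blaster (known behaviour, not stated in the thread):
# TCP 135 for the DCOM RPC exploit, TCP 4444 for the remote shell,
# UDP 69 for the TFTP transfer of the worm binary.
WORM_PORTS = {("tcp", 135), ("tcp", 4444), ("udp", 69)}
SCAN_PORT = ("tcp", 135)


def sample_flows():
    """Constructed records (src, dst, proto, dport, packets); not real Abilene data."""
    # One infected host sweeping 40 sequential addresses on TCP 135.
    flows = [("192.0.2.10", f"198.51.100.{i}", "tcp", 135, 2) for i in range(1, 41)]
    # Follow-up shell and TFTP pull for one compromised target.
    flows += [("192.0.2.10", "198.51.100.7", "tcp", 4444, 6),
              ("198.51.100.7", "192.0.2.10", "udp", 69, 4)]
    # Ordinary traffic, including a single legitimate RPC client.
    flows += [("192.0.2.20", "203.0.113.5", "tcp", 80, 900),
              ("192.0.2.20", "203.0.113.9", "tcp", 135, 3),
              ("192.0.2.30", "203.0.113.5", "tcp", 25, 150)]
    return flows


def worm_packet_share(flows):
    """Fraction of all packets carried on worm-associated ports."""
    total = sum(pkts for *_, pkts in flows)
    worm = sum(pkts for _, _, proto, dport, pkts in flows
               if (proto, dport) in WORM_PORTS)
    return worm / total if total else 0.0


def suspect_sources(flows, min_targets=20):
    """Sources contacting at least min_targets distinct hosts on TCP 135.

    Returns (source, distinct_targets, packets) tuples, widest fan-out first.
    Fan-out separates a scanning host from a normal RPC client."""
    targets = defaultdict(set)
    packets = defaultdict(int)
    for src, dst, proto, dport, pkts in flows:
        if (proto, dport) == SCAN_PORT:
            targets[src].add(dst)
            packets[src] += pkts
    report = [(src, len(dsts), packets[src])
              for src, dsts in targets.items() if len(dsts) >= min_targets]
    return sorted(report, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    flows = sample_flows()
    print(f"worm-port share of packets: {worm_packet_share(flows):.1%}")
    for src, fanout, pkts in suspect_sources(flows):
        print(f"{src}: {fanout} distinct TCP/135 targets, {pkts} packets")
```

Counting distinct destinations rather than raw packets keeps the single legitimate RPC client (192.0.2.20 in the constructed data) out of the report.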