Re: Blaster: will it spread without tftp?

[Craig Pratt <craig () strong-box net>]

On Tuesday, Aug 12, 2003, at 13:19 US/Pacific, Maarten wrote:
> I was wondering about the following scenario:
>
> Lots of corporate network are protected by firewalls and users are 
> forced to
> use a proxy server to connect to the internet. Because of the 
> firewalling,
> the worm will not be able to infect the clients directly from the 
> Internet.
> Of course there are always servers that are building bridges between 
> the
> corporate network and the internet or laptop users that get infected by
> using their dial-up/DSL @ home.
>
> But if the worm enters the network through for instance an infected 
> laptop,
> can it still spread around on the network? By analyzing the threads on 
> this
> list and reading the info provided by anti-virus vendors I tend to 
> draw the
> following conclusion.
>
> - A worm can enter the network through an infected laptop/workstation 
> or a
> vulnerable server connected to the internet.

yeah

> - these infected machines can exploit the vulnerability on other 
> vulnerable
> systems on the Internal network causing them to reboot (and reboot, and
> reboot)

yeah

> - since these other vulnerable systems are using a proxy server to 
> connect
> to the internet and a firewall prevents all other connections, tftp 
> servers
> on the Internet can not be accessed

yeah - but msblast uses the infected host as a tftp server. There are 
no centralized servers involved.

> - since tftp servers can not be accessed, msblaster.exe can not be
> downloaded

nope. It can be downloaded from the infected host(s). It'll spread 
inside the Intranet just fine.

> - since msblaster.exe can not be downloaded these other systems will 
> not
> start to infect other systems...

nope. The infected systems will seek out new targets.

> Am I correct on these last two points? Or is this only true in case 
> someone
> puts an infected laptop on the network (that is not able to connect to 
> the
> internet using tftp, while a webserver might be when it is located in a
> misconfigured DMZ environment)? Of course this is only one worm variant
> exploiting this vulnerability and we might have a totally different 
> case on
> the next one, but I am still curious if I am on the right track
> understanding the impact of the worm.

Buckle your seatbelt, it's going to be a bumpy night - at least for 
you. ;^)

And be glad msblast doesn't do more damage. It could have been sooo 
much worse. But I'm sure the bad ones are waiting in the wings.

> I also read something about SP0|1|2 on W2K not being vulnerable to 
> msblaster
> (probably because of the "universal" offsets used). Is there anyone 
> that can
> confirm this finding?

Can't comment on that.

> maarten

Craig

---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig () strong-box net
dtmf:503.706.2933


--
This message checked for dangerous content by MailScanner on StrongBox.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html