RE: Zotob Worm Remover

["Todd Towles" <toddtowles () brookshires com>]

This is correct for the first day, maybe two. Then unpatched laptops
leave the corporate network, hit the internet outside the firewall and
then bring the worm back right to the heart of the network the very next
day, bypassing the firewall all together. Firewall is just one step..it
isn't a solve all. Patching would be the only way to stop this threat in
all vectors. That was my point.

If you aren't blocking 445 on the border of your network, you have must
worse problems with Zotob.

> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne () winternet com] 
> Sent: Monday, August 22, 2005 3:15 PM
> To: Todd Towles
> Cc: n3td3v; full-disclosure () lists grok org uk
> Subject: RE: [Full-disclosure] Zotob Worm Remover
>
> On Mon, 22 Aug 2005, Todd Towles wrote:
>
> > Wireless really isn't a issue. You can get a worm from a 
> cat 5 as easy 
> > as you can from wireless. The problem was they weren't patched. Why 
> > weren't they patched? Perhaps Change policy slowed them 
> down, perhaps 
> > it was the fear of broken programs..perhaps it was the QA group..it 
> > doesn't really matter. They go the worm because they were 
> not patched.
>
> And because they didn't properly filter port 445 is my understanding.
> Unpatched systems behind FW's that fliter 445 were untouched.
>
> Thanks,
>
> Ron DuFresne
> --
> "Sometimes you get the blues because your baby leaves you. 
> Sometimes you get'em 'cause she comes back." --B.B. King
>         ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/