[Full-Disclosure] Blaster: will it spread without tftp?

I was wondering about the following scenario:

Lots of corporate networks are protected by firewalls, and users are forced to
use a proxy server to connect to the Internet. Because of the firewalling,
the worm will not be able to infect the clients directly from the Internet.
Of course there are always servers that are building bridges between the
corporate network and the Internet, or laptop users that get infected by
using their dial-up/DSL @ home.

But if the worm enters the network through for instance an infected laptop,
can it still spread around on the network? By analyzing the threads on this
list and reading the info provided by anti-virus vendors I tend to draw the
following conclusion.

- A worm can enter the network through an infected laptop/workstation or a
vulnerable server connected to the Internet.
- These infected machines can exploit the vulnerability on other vulnerable
systems on the internal network, causing them to reboot (and reboot, and
reboot).
- Since these other vulnerable systems are using a proxy server to connect
to the Internet and a firewall prevents all other connections, tftp servers
on the Internet cannot be accessed.
- Since tftp servers cannot be accessed, msblaster.exe cannot be
downloaded.
- Since msblaster.exe cannot be downloaded, these other systems will not
start to infect other systems...

Am I correct on these last two points? Or is this only true in case someone
puts an infected laptop on the network (that is not able to connect to the
internet using tftp, while a webserver might be when it is located in a
misconfigured DMZ environment)? Of course this is only one worm variant
exploiting this vulnerability and we might have a totally different case on
the next one, but I am still curious if I am on the right track
understanding the impact of the worm.

I also read something about SP0|1|2 on W2K not being vulnerable to msblaster
(probably because of the "universal" offsets used). Is there anyone who can
confirm this finding?

maarten
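The scenario in the post has a useful defensive side effect: a host that has been hit by the RPC exploit but cannot reach the Internet will still try to fetch the worm binary over tftp, so the firewall's denied UDP/69 entries point straight at already-exploited machines, and a single internal source fanning out to many hosts on TCP/135 points at the machine that carried the worm in. The following is an added example, not code from the original post or from any vendor; the firewall log format, the sample log lines and the 10.0.0.0/8 corporate range are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample firewall log; assumed format:
# <timestamp> <ALLOW|DENY> <tcp|udp> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2003-08-12T09:00:01 DENY udp 10.1.2.17:1032 -> 198.51.100.23:69
2003-08-12T09:00:03 DENY udp 10.1.2.17:1033 -> 198.51.100.23:69
2003-08-12T09:00:05 ALLOW tcp 10.1.2.17:1034 -> 10.1.9.9:8080
2003-08-12T09:00:06 DENY udp 10.1.2.44:1201 -> 203.0.113.7:69
2003-08-12T09:00:07 ALLOW udp 10.1.2.50:2000 -> 10.1.1.5:69
2003-08-12T09:00:08 ALLOW tcp 10.1.3.3:1100 -> 10.1.2.17:135
2003-08-12T09:00:08 ALLOW tcp 10.1.3.3:1101 -> 10.1.2.44:135
2003-08-12T09:00:09 ALLOW tcp 10.1.3.3:1102 -> 10.1.2.45:135
"""

# Assumed corporate address space; anything outside it counts as "Internet".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            yield e

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def blocked_internet_tftp(log):
    """Internal hosts whose tftp (UDP/69) to Internet addresses was denied.
    Internal-to-internal tftp is left alone: it may be legitimate."""
    hits = Counter()
    for e in parse(log):
        if (e["proto"], e["dport"], e["action"]) == ("udp", 69, "DENY"):
            if is_internal(e["src"]) and not is_internal(e["dst"]):
                hits[e["src"]] += 1
    return dict(hits)

def rpc_135_fanout(log, threshold=3):
    """Internal sources reaching `threshold` or more distinct hosts on TCP/135:
    the scanning pattern of a machine that is already infected."""
    targets = defaultdict(set)
    for e in parse(log):
        if e["proto"] == "tcp" and e["dport"] == 135 and is_internal(e["src"]):
            targets[e["src"]].add(e["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}
```

On the sample log, 10.1.2.17 and 10.1.2.44 show the blocked download stage and 10.1.3.3 shows the scanning stage, which matches the post's chain: scanner exploits hosts, exploited hosts fail to fetch the binary, so they do not scan in turn.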

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html