Re: [Full-Disclosure] Blaster: will it spread without tftp?




	This is incorrect.  It will tftp back to the machine that infected
it.  I've spent the past 12 hours cleaning up a network where tftp to the
internet was blocked.

---Jim

On or about Tue, 12 Aug 2003, Maarten pontificated thusly:

> I was wondering about the following scenario:
>
> Lots of corporate networks are protected by firewalls and users are forced to
> use a proxy server to connect to the internet. Because of the firewalling,
> the worm will not be able to infect the clients directly from the Internet.
> Of course there are always servers that are building bridges between the
> corporate network and the internet or laptop users that get infected by
> using their dial-up/DSL @ home.
>
> But if the worm enters the network through for instance an infected laptop,
> can it still spread around on the network? By analyzing the threads on this
> list and reading the info provided by anti-virus vendors I tend to draw the
> following conclusion.
>
> - A worm can enter the network through an infected laptop/workstation or a
> vulnerable server connected to the internet.
> - these infected machines can exploit the vulnerability on other vulnerable
> systems on the Internal network causing them to reboot (and reboot, and
> reboot)
> - since these other vulnerable systems are using a proxy server to connect
> to the internet and a firewall prevents all other connections, tftp servers
> on the Internet can not be accessed
> - since tftp servers can not be accessed, msblaster.exe can not be
> downloaded
> - since msblaster.exe can not be downloaded these other systems will not
> start to infect other systems...
>
> Am I correct on these last two points? Or is this only true in case someone
> puts an infected laptop on the network (that is not able to connect to the
> internet using tftp, while a webserver might be when it is located in a
> misconfigured DMZ environment)? Of course this is only one worm variant
> exploiting this vulnerability and we might have a totally different case on
> the next one, but I am still curious if I am on the right track
> understanding the impact of the worm.
>
> I also read something about SP0|1|2 on W2K not being vulnerable to msblaster
> (probably because of the "universal" offsets used). Is there anyone that can
> confirm this finding?
>
> maarten
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

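
The reply's point is that an infected host fetches the worm over tftp from the internal machine that infected it, so a perimeter block on tftp never sees the transfer. As an added example (not part of the original thread), this sketch flags internal-to-internal TFTP requests in flow records; the record format, the 10.0.0.0/8 internal range, the empty list of sanctioned TFTP servers and all sample lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address range
SANCTIONED_TFTP = set()  # assumed: no legitimate internal TFTP servers

# Constructed sample flow records: "time proto src:sport dst:dport action"
SAMPLE_FLOWS = [
    "2003-08-12T09:01:10 udp 10.1.4.23:1045 10.1.7.80:69 allow",
    "2003-08-12T09:01:12 udp 10.1.4.51:1102 10.1.7.80:69 allow",
    "2003-08-12T09:02:40 udp 10.1.9.14:1067 10.1.4.23:69 allow",
    "2003-08-12T09:03:05 udp 10.1.4.60:1033 198.51.100.7:69 deny",  # perimeter block
    "2003-08-12T09:03:30 tcp 10.1.4.60:1040 10.1.0.5:8080 allow",   # proxy traffic
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_flow(line):
    ts, proto, src, dst, action = line.split()
    sip, _sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": sip, "dst": dip,
            "dport": int(dport), "action": action}

def internal_tftp_pulls(lines):
    """Map each internal host acting as a TFTP server to its internal clients."""
    served = defaultdict(set)
    for f in map(parse_flow, lines):
        if (f["proto"] == "udp" and f["dport"] == 69 and f["action"] == "allow"
                and is_internal(f["src"]) and is_internal(f["dst"])
                and f["dst"] not in SANCTIONED_TFTP):
            served[f["dst"]].add(f["src"])  # client pulled a file from dst
    return dict(served)

def relays(served):
    """Hosts seen both fetching over TFTP and serving it: onward spread."""
    clients = set().union(*served.values())
    return sorted(clients & set(served))

if __name__ == "__main__":
    pulls = internal_tftp_pulls(SAMPLE_FLOWS)
    for server, clients in sorted(pulls.items()):
        print(f"{server} served TFTP to {sorted(clients)}")
    print("relays:", relays(pulls))
```

The denied request to the internet address is the only flow a perimeter firewall would log; the three internal transfers appear only in flow data collected inside the network.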