FYI...

-- Security Alert Consensus --
Number 032 (03.32)
Thursday, August 14, 2003

Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis

----------------------------------------------------------------------

About the W32/Blaster worm: Yeah, it was painful, but it could have been
worse. That is, unless you allow arbitrary TFTP traffic to pass through
your network and gateways.

Come on folks, this is not a well-written worm. Its method of scanning
for new hosts is slow and not as effective as it could be. It requires
not only port 135 access but also port 69 (TFTP) access. Just imagine
if the worm pulled everything in over the established connection (rather
than using TFTP) and it was more efficient at scanning. If you think
the current incarnation was a nightmare....

One common situation popped up often enough that we feel it important
to comment. Many folks locked down their gateways and checked their
perimeter servers for vulnerability. Satisfied that nothing could come
in from the Internet, they were humbled when an internal employee
brought in an infected laptop from home. Sure, the servers were OK, but
the desktops proved to be a fertile worm incubation playground.

Moral to the story: Security doesn't stop at the perimeter. From the
mightiest of servers to the lowliest of desktops, and all print servers
in-between, everything needs to be patched when dealing with a
nondiscriminatory worm.

CERT writeup of the W32/Blaster worm:
http://archives.neohapsis.com/archives/cert/2003-q3/0008.html

Until next week,
--Security Alert Consensus Team
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members