North American Network Operators Group

Re: RPC errors
In message <[email protected]>, "Dominic J. Eidson" writes:
>
>On Mon, 11 Aug 2003, Jack Bates wrote:
>
>> Sean Donelan wrote:
>>
>> > http://isc.sans.org/diary.html?date=2003-08-11
>> > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
>> > vulnerable system, it will spawn a shell and use it to download the actual
>> > worm via tftp.
>> >
>> > The name of the binary is msblast.exe. It is packed with UPX and will self
>> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
>> > packed:
>
>Has anyone seen/heard of this virus propagating through email in any way?
>
>We appear to have been infected on a network that is very heavily
>firewalled from the outside, and are trying to track down possible entry
>methods the worm might have had...

A large number of networks have unknown and unauthorized back doors. If it's a decent-sized network and you haven't audited it, don't assume that the firewalling is effective. (My co-author on the "Firewalls and Internet Security" book, Bill Cheswick, is CTO of a startup that maps intranets for just this reason.)

--Steve Bellovin, http://www.research.att.com/~smb
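Added example, not part of the original thread: one way to trace the entry path asked about above from internal flow records, by pairing an inbound RPC connection (TCP/135) with a tftp fetch (UDP/69) back to the same peer and walking each chain to its first infector. The flow format, the sample records, the 10.0.0.0/8 range, the 30-second window and the assumption that the victim fetches from the host that connected to it are all assumptions of this sketch.

```python
import csv, io, ipaddress

# Constructed flow records (time_s, src, dst, proto, dport); not real data.
SAMPLE_FLOWS = """\
100,10.1.9.77,10.1.2.10,tcp,135
102,10.1.2.10,10.1.9.77,udp,69
160,10.1.2.10,10.1.2.31,tcp,135
161,10.1.2.31,10.1.2.10,udp,69
200,10.1.2.31,10.1.3.5,tcp,135
300,10.1.2.10,10.1.4.4,tcp,80
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
WINDOW = 30  # assumed max seconds between RPC connect and tftp fetch

def load(text):
    rows = csv.reader(io.StringIO(text))
    return sorted((int(t), s, d, p, int(port)) for t, s, d, p, port in rows)

def infections(flows):
    """Map victim -> (infector, time) for each RPC-then-tftp pair."""
    pending, found = {}, {}
    for t, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            pending[(dst, src)] = t          # src connected to dst's RPC port
        elif proto == "udp" and dport == 69:
            t0 = pending.get((src, dst))     # src now fetches from that peer
            if t0 is not None and t - t0 <= WINDOW and src not in found:
                found[src] = (dst, t)
    return found

def entry_points(found):
    """Walk each chain back to the infector with no recorded infection."""
    roots = {}
    for victim, (infector, _) in found.items():
        seen = {victim}
        while infector in found and infector not in seen:
            seen.add(infector)
            infector = found[infector][0]
        kind = "internal" if ipaddress.ip_address(infector) in INTERNAL else "external"
        roots[victim] = (infector, kind)
    return roots

if __name__ == "__main__":
    for victim, root in entry_points(infections(load(SAMPLE_FLOWS))).items():
        print(victim, "<-", root)
```

In the constructed data both chains end at 10.1.9.77, an internal address with no recorded infection of its own, which is the case where the perimeter firewall was never on the path and the audit has to look at how that host reached the network.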