Focus on Virus
RE: wintbp.exe Aug 17 2005 04:19AM
Dowling, Gabrielle (dowlingg sullcrom com) (1 replies)
But the file download and execution therefore is the infection; the
buffer overflow is merely the process that permits an automatic download and
execution to occur. If your AV sigs are current they should prevent the
file from being written to disk (and perhaps that's where you're seeing
your alerts) and at the very least should block the file from executing.
How have you determined that you're actually seeing infections, rather
than infection attempts?

G

-----Original Message-----
From: Joswiak, Johnny G. [mailto:jgjoswia (at) UTMB (dot) EDU]
Sent: Tuesday, August 16, 2005 11:42 PM
To: Dowling, Gabrielle; womalley (at) cmu (dot) edu; Schlegel, Justin;
focus-virus (at) securityfocus (dot) com
Subject: RE: wintbp.exe

Oh yes, it's true for this worm. The systems rebooting is a symptom of
the buffer overflow. The infectious executable is downloaded to the
system after the buffer overflow occurs. The AV products WILL NOT stop
the system from being infected; they will find the downloaded file
afterwards! Patch the systems, that is imperative.

-----Original Message-----
From: Dowling, Gabrielle [mailto:dowlingg (at) sullcrom (dot) com]
Sent: Tue 8/16/2005 10:36 PM
To: Joswiak, Johnny G.; womalley (at) cmu (dot) edu; Schlegel, Justin;
focus-virus (at) securityfocus (dot) com
Cc:
Subject: RE: wintbp.exe
Despite what Russ Cooper posted on NTBugtraq two years ago in the wake
of Blaster, that is NOT true (and wasn't true then). While Blaster,
Sasser, and the recent MS05-039 exploits rely on a buffer overflow for a
remote infection mechanism, they all use the vulnerability to download
an infectious executable to the target system, and AV absolutely can
prevent the infection if sigs are in place. These are different from
pure memory worms like Code Red and SQL Slammer.

Also, McAfee for a while has had defenses in place for pure memory
worms, and I believe several other vendors have it in place now.

Regards,

Gaby
-----Original Message-----
From: Joswiak, Johnny G. [mailto:jgjoswia (at) UTMB (dot) EDU]
Sent: Tuesday, August 16, 2005 11:16 PM
To: womalley (at) cmu (dot) edu; Schlegel, Justin; focus-virus (at) securityfocus (dot) com
Subject: RE: wintbp.exe

CA is calling it Win32.Peabot.A with a "Medium" alert, McAfee is calling
it "W32/IRCbot.worm!MS05-039", Symantec has Zotob.E, etcetera.
Patch the systems; this is an MS05-039 exploit. The various antivirus
companies can only provide cleanup after the worm hits unless they have
buffer overflow protection like VSE8.0i provides (OK, a plug, but I like
it).
Hope this helps.
Johnny

-----Original Message-----
From: William O'Malley [mailto:wo (at) andrew.cmu (dot) edu]
Sent: Tue 8/16/2005 8:51 PM
To: Schlegel, Justin; focus-virus (at) securityfocus (dot) com
Cc:
Subject: Re: wintbp.exe

__________________
This e-mail is sent by a law firm and contains information that may be
privileged and confidential. If you are not the intended recipient,
please delete the e-mail and notify us immediately.

RE: wintbp.exe Aug 17 2005 05:36AM
Mike (mjcarter ihug co nz)