Tim Mullen, 2003-07-21
The hole's been announced, the patch has been released. Now there's nothing to do but wait for the worm to come and wreak its ugly havoc.
Waiting for the Worms
2003-07-21
Anonymous (1 replies)
You firewall-cure-all people drive me crazy. A firewall is only a band-aid and should not be relied upon in any circumstance. Any system should be considered naked to the world and secured accordingly....
Waiting for the Worms
2003-07-22
Anonymous
I'm definitely not a firewall-cure-all type of person, BUT if you are running a Microsoft server without a firewall (or other mitigating options) you are a fool. Yes, a HIDS or application firewall is also, IMHO, necessary for a Windows system, as well as good policy and a tightened-down system from t...
Waiting for the Worms
2003-07-21
Anonymous (1 replies)
Let's not forget about the mobile user plugging a vulnerable laptop into an unprotected home (or other remote) connection and then bringing the infection to the internal network....
Waiting for the Worms
2003-07-21
blacklight
Thanks for the comment: you struck a parallel in my mind between the mobile user using his employer-supplied laptop to surf and download crap from all over the net and the joys and pleasures of unprotected sex.
If there is a rule that we security people should live by, it is that when it comes t...
Waiting for the Worms
2003-07-21
Jim Harrison (ISA_Dewd) (1 replies)
Nice article, Tim.
Unfortunately, the attack targets UDP-135, not TCP-135. I had to test this attack against ISA.
I'm also happy to report that it successfully blocks this attack even when publishing RPC....
Waiting for the Worms
2003-07-24
Anonymous
Unfortunately, 'ISA Dewd', you're both wrong...
The RPC endpoint mapper and vulnerable components can be accessed through the following ports (depending on server configuration):
tcp/80 through the RPC_CONNECT method
tcp/135
udp/135
tcp/593 - ncacn_http
Ports 80 and 593 access require COM In...
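An added example (not from this post or the site): a small Python fan-out detector run over constructed flow records, which flags an internal host that reaches the endpoint-mapper ports listed in the post above (tcp/135, udp/135, tcp/593) on many distinct peers within a short window, the pattern a worm spreading from an infected laptop inside the perimeter would show. tcp/80 is deliberately left out because plain flow data cannot separate RPC_CONNECT from ordinary web traffic; the five-peer threshold and the 60-second window are assumptions, not values from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Ports through which the RPC endpoint mapper is reachable, per the post above.
# tcp/80 (RPC_CONNECT) is omitted: plain flow data cannot tell it from web traffic.
RPC_PORTS = {("tcp", 135), ("udp", 135), ("tcp", 593)}

# Constructed flow records for illustration: "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
2003-07-21T09:00:01 10.1.1.50 10.1.1.7 tcp 135
2003-07-21T09:00:02 10.1.1.50 10.1.1.8 tcp 135
2003-07-21T09:00:02 10.1.1.50 10.1.1.9 udp 135
2003-07-21T09:00:03 10.1.1.50 10.1.1.10 tcp 593
2003-07-21T09:00:03 10.1.1.50 10.1.1.11 tcp 135
2003-07-21T09:00:04 10.1.1.50 10.1.1.12 tcp 135
2003-07-21T09:00:05 10.1.1.20 10.1.1.5 tcp 135
2003-07-21T09:00:06 10.1.1.20 10.1.1.5 tcp 80
2003-07-21T09:30:00 10.1.1.50 10.1.1.13 tcp 135
"""

def parse_flows(text):
    """Parse the whitespace-separated flow records into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)))
    return flows

def rpc_fanout_alerts(flows, min_peers=5, window=timedelta(seconds=60)):
    """Return {src: peer_count} for sources that touched RPC endpoint-mapper ports
    on at least min_peers distinct destinations within any sliding window.
    min_peers and window are assumed thresholds, not values from the post."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if (proto, dport) in RPC_PORTS:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(peers))
        if best >= min_peers:
            alerts[src] = best
    return alerts
if __name__ == "__main__":
    for src, n in rpc_fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible RPC worm fan-out from {src}: {n} peers in 60s")
```

Host 10.1.1.20 is not flagged: its one tcp/135 contact plus a tcp/80 request is normal client behaviour, while 10.1.1.50 touches six peers in four seconds.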
Waiting for the Worms
2003-07-21
My bet is eEye will still get to name it (1 replies)
Just like any tornado that takes over the oceans, a worm that takes over the cyber seas can only be named by the person who first spots it in the wild and identifies its belonging....
Waiting for the Worms
2003-07-21
Anonymous (1 replies)
Tornadoes don't take over the ocean. Hurricanes do. And even if one did, it would be a waterspout, not a tornado. And you don't name them anyway. Bad analogy.
People get to name hurricanes when they see the storm brewing, which is what Tim has done. I think it is great that he has already named somet...
Waiting for the Worms
2003-07-22
Anonymous (1 replies)
Waiting for the Naming
2003-07-21
Rick Deckard (1 replies)
Traditionally, naming worms is reserved for the person/group/company that captures the worm, deconstructs it, sees what it's doing, and then publishes this data. You know, the same as astronomers work.
When you capture an anticipated forthcoming worm and get accurate data published first, then you ...
Waiting for the Naming
2003-07-21
Anonymous (2 replies)
You are mistaken. The "worm naming" tradition includes the guy who *wrote* the worm (Morris), pieces of code inside the worm, what the people were drinking before they first saw the worm, and any number of other bases. Who the hell are you to tell the man that he can't name the thing? Besides, eEy...
Waiting for the Naming
2003-07-21
Rick Deckard (1 replies)
Perhaps, then, given your explanation, how did Slammer get its name? Was it the author, or something in the code, or what X-Force was drinking? No, in that case I believe it was because the worm slammed networks left, right, and center with the packets it was spraying out.
As for the Code Red exa...
Waiting for the Naming
2003-07-22
Anonymous
Well, if it is "first to disassemble, PERIOD" then why do you say Slammer was named for its effect? Anonymous is right. There are many examples of different ways to name a worm, not that any of it matters anyway. Grow up, and relax. Like I said before, this RPC deal is big, so you should be worried ...
Waiting for the Concert
2003-07-22
Anonymous (1 replies)
I agree with you. If you want to look at tradition, look at the Mullster's record for calling worms. He predicted Slammer to a T back when the strikeback stuff was going on and he was right. What is even funnier about the other guy's analogy is that Mullen is actually a musician. He's got stuff o...
Waiting for the Concert
2003-07-22
Fatty Boom Cracker (2 replies)
What is even funnier about the other guy's analogy is that Mullen is actually a musician. He's got stuff on his web site. I got a kick out of the bandstand line myself ;^)
++++
What is even funnier than that is he's about 300 lbs in weight. The mug shot must have been from when he was a two ye...
Waiting for the Concert
2003-07-22
Brett Delaney
You make an excellent point. It is refreshing to see security professionals come here and engage in dialog that furthers understanding and educates those in need. Your insult about overweight people is indeed a valid and important factor to take into account when considering the overall effect of ...
Waiting for the Concert
2003-07-23
Anonymous
++++
> What is even funnier than that is he's about 300 lbs in weight.
> The mug shot must have been from when he was a two year old.
I believe you are confusing Tim Mullet with Ross Cooper.
Actually, they have never been seen or photographed together in the same room at the same time. This...
Waiting for the Worms
2003-07-21
Anonymous (3 replies)
It sounds like you don't have to have port 135 open to the wild to be devastated by this possible worm.
You could have an e-mail that installs it on one machine inside your network.
That machine would then have access to port 135 on any number of computers on the protected network, say 1 or ...
Waiting for the Worms
2003-07-22
Stack (1 replies)
Waiting for the Worms
2003-07-23
Anonymous
There may not be harmful files in the e-mail; it may simply point to a harmful URL.
If you send enough emails directed at a particular business that you have issues with, eventually some unpatched machine will run the script that loads the worm that could take down all the other computers behind ...
Waiting for the really bad guys
2003-07-22
Cable
I did a little searching on the web for the old /autotest routine to wipe a drive but found the below suggestions instead.
The worms to date have really been kind. Almost makes you believe they were released by someone who secretly cares. Else why would we all still have functional networks (an...
Waiting for the Worms
2003-07-23
Sam Schinke
The security credentials of the currently logged-in user have nothing to do with the credentials of an exploitable service.
RPC runs as SYSTEM, as far as I know, and there is little hope of being able to run it in a less privileged service account (so much depends on it).
Regards,
Sam...
Bravo
2003-07-21
Anonymous (2 replies)
Mr. Mullen-
I think this is a great article. I think it takes some guts to make a prediction like that, but I think in this case you will be right. Mescaline really is a great name too.
I also really respect the fact that though you do "consulting for companies including Microsoft" that you...
Bravo
2003-07-23
Anonymous (2 replies)
He's an idiot.
It won't become a worm because it's a complex heap overflow... and requires brute forcing of the correct offsets.
Some technical understanding please, before SF authors like this hype up vulnerabilities?...
Bravo
2003-07-25
Brett Delaney
You should contact Microsoft, LSD, Dave Aitel, and everyone else who has had exploit code for this buffer overflow, er I mean heap overflow, because they should know that their code won't work.
Strange how it works anyway though, isn't it? You should get LSD to retract their advisory, oh and MS t...
Bravo
2003-07-26
Anonymous
You should check your facts, particularly if you are going to call people names. It is most certainly a buffer overflow, and just because it is difficult for you to exploit does not mean it is difficult for me. It is quite easy.
A little technical understanding please, before you post to gro...
Waiting for the Worms
2003-07-22
Anonymous
Can't see what all the fuss is about as long as every Windows box by default listens on port 445 in addition to 135 and can easily be shut down remotely, have individual processes killed, asf. Tools like "Advanced Remote Info" and others are out there, and without a firewall you're lost at sea without...
Waiting for the Worms
2003-07-22
Dan Jenkins
An excellent article. I am afraid he is right. There will still be a lot of unpatched, unprotected systems a few months down the road. There will be some exploit to take advantage of it. As several others noted, firewalls won't protect the inside of the network once it comes in via a laptop, email ...
Waiting for More Info?
2003-07-22
Penguinisto
"Secure By Default" aside (sorry - couldn't resist ;) ), a firewall alone isn't going to cut it.
Only time will tell, natch. I do agree with you 100% though - in that The Big Benefactors of All Script Kiddies Everywhere are prolly wasting no time in writing malware that will test the patching abi...
Waiting for the Worms
2003-07-22
ICMPType8
Network/System Security 101: Best Practices
1. Harden system
2. Probe system
3. Utilize a host-based firewall (IPChains, ZoneAlarm, Tiny, etc.)
4. Probe system again
5. Place system behind a hardware-based firewall with STRONG ACL management
6. Probe system again
7. Install a NIDS on same n...
Waiting for the Worms
2003-07-22
blacklight
I've seen a couple of Windows servers where some clueless genius installed IIS4, SQL Server and Exchange Server on the same machine, and put it up on the 'Net. I wouldn't be surprised if most of the machines whose SQL Server was attacked were actually dual IIS/SQL machines.
Cramming apps on the s...
The Making is in The Progress...
2003-07-25
Anonymous (1 replies)