
Blaster vs. Kaht2

From: Marc Fossi <mfossi(at)securityfocus.com>
Date: Tue Aug 12 2003 - 13:48:41 EDT


I think that there seems to be a bit of confusion between Blaster (the worm) and Kaht2 (the exploit/autorooter). Some people may have been rooted by Kaht2 or one of the many other exploits available for the DCOM RPC vulnerability and are thinking they were hit by the worm.

As far as I know, the obvious signs of Blaster are a mutex named "BILLY", a file and process named "msblast.exe", and activity on ports 69 (UDP) and 4444 (TCP). Some of the exploits also use TCP 4444 for the remote shell (Blaster was based on one of these exploits), so this may be where some of the confusion lies.

Probably some people were rooted before yesterday, but checked their systems after hearing of the worm and assumed that they were hit by the worm, not one of the exploits.

Best policy if you were rooted - reformat and reinstall (with patches this time). Who knows what other surprises you might have waiting for you.

Cheers

Marc Fossi
Symantec Corp.
www.symantec.com
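The distinction the mail draws (worm artifacts on the host are conclusive, TCP 4444 on the wire alone is not) can be turned into a small triage check. The following is an added example written for this archive page, not code from the original post or from Symantec; the host names, artifact inventory and firewall log format are constructed.

```python
"""Triage helper separating Blaster worm indicators from generic DCOM RPC exploit activity (added example, not from the original post).
Mutex "BILLY" and msblast.exe identify the worm; TCP 4444 alone is shared with hand-run exploits such as Kaht2.
Hosts, artifact inventory and the log line format are constructed for this example."""
import re
BLASTER_MUTEX = "BILLY"
BLASTER_PROCESS = "msblast.exe"
# Constructed host-side observations: host -> mutexes and process names seen on it
HOST_ARTIFACTS = {
    "ws01": {"mutexes": {"BILLY"}, "processes": {"msblast.exe", "svchost.exe"}},
    "ws02": {"mutexes": set(), "processes": {"cmd.exe", "svchost.exe"}},
    "ws03": {"mutexes": set(), "processes": {"svchost.exe"}},
    "ws04": {"mutexes": set(), "processes": {"svchost.exe"}},
}
# Constructed firewall log, one flow per line: "<proto> <src> -> <dst>:<port>"
FW_LOG = """\
TCP 10.0.0.5 -> ws01:4444
UDP ws01 -> 10.0.0.5:69
TCP 10.0.0.9 -> ws02:4444
TCP 10.0.0.7 -> ws03:80
TCP 10.0.0.9 -> ws04:4444
UDP ws04 -> 10.0.0.9:69
"""
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+->\s+(\S+):(\d+)$")

def ports_by_host(log):
    """Map each host to the (proto, port) pairs it took part in, as client or server."""
    seen = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, src, dst, port = m.groups()
            for host in (src, dst):
                seen.setdefault(host, set()).add((proto, int(port)))
    return seen

def classify(artifacts, net):
    """Classify one host from its artifacts and the (proto, port) pairs seen on the wire."""
    procs = {p.lower() for p in artifacts.get("processes", set())}
    if BLASTER_MUTEX in artifacts.get("mutexes", set()) or BLASTER_PROCESS in procs:
        return "blaster"             # worm artifacts on the host are conclusive
    if ("TCP", 4444) in net and ("UDP", 69) in net:
        return "possible-blaster"    # wire pattern matches the worm; confirm on the host
    if ("TCP", 4444) in net:
        return "dcom-exploit-shell"  # 4444 alone: Kaht2 or another exploit, not proof of the worm
    return "no-indicators"

def triage(log=FW_LOG, artifacts=HOST_ARTIFACTS):
    """Classify every host in the artifact inventory using the flows seen for it."""
    net = ports_by_host(log)
    return {h: classify(a, net.get(h, set())) for h, a in artifacts.items()}
```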



Received on Tue Aug 12 14:02:19 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:35 EDT

