RE: Purging Blaster.worm

>> This infection doesn't seem to be able to get past a
>> properly configured firewall, with ports 4400 and 135
>> locked down, which could be why it's been so
>> widespread, eh? ;-) What does that tell us?

Guys, I hate to beat a dead horse here, but I continue to see posts like this. A "properly configured firewall" is a very small part of this answer. Some people need NetBIOS inside and they use TFTP to the outside, etc. The answer was to be freaking patched. To see 100's of smart people warn you to be patched for 3 or 4 weeks and then when it hits to go, "Man, I thought our firewall would stop it." shows that you aren't reading the bulletin to begin with. Ever since Code Red waltzed in over port 80, the answer stopped being a firewall. They are great and they can slow it down and give you a little time to patch, but they will just keep changing ports (I think I saw 593 now as one to block) and changing ports. The firewall can stop some crap, but the answer is to freaking patch the systems. In this case, no one knew to block 69 until it hit for example. 69 is legitimate for anyone that uses TFTP. ow is a firewall that has been configured to allow 69 going to stop that?

Maybe I am a little sensitive to this, being the firewall guy and all, but come on people. I stopped 135, 136, 445, 4444 and a host of others and you know what, it still hit. Know what it hit, a couple of freaking laptops from home. They brought it in and my firewall did d!ck as it bounced around from floor to floor. Sure I could shut off 69 and keep it from hitting the world, but that didn't stop all the UNPATCHED workstations from getting this thing. The answer is to freaking listen to the community and patch the boxes. Don't count on a firewall or anti-virus to protect you.

All this took was a little 800K patch and you would have had NO PROBLEMS at all. You had 3 or 4 weeks to get it out. And it worked with SP6 in NT, SP2 in 2K and I think SP1 in XP, so you didn't even have to roll a SP out with it. That was the answer. Patch. I'll do the best I can to block the crap from the outside, but when you let it walk in the backdoor, there ain't a lot I can do, but sit back and laugh. Oh, and explain over and over again why for 3 weeks now I warned you to patch the workstations (that is what happened here at least) and told you the firewall couldn't stop it.

JayW

>>> "Bob Walker" <bobwalker8@comcast.net> 08/14/03 12:47AM >>> We've had a crush of systems coming in the last 2 days in our small store/shop, and yes, the Symantec removal tool works great. I think the
key is booting the system up in safe mode, running the removal tool, then rebooting and connecting directly to http://symantec.com and following the link there on the left side of the page to http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm

.html. That will have a link directly to Microsoft's patch for this worm,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur

ity/bulletin/MS03-026.asp. Download the patch, install it, and the system is back out the door. I've personally done about 15-20 of these
repairs over the last 2 days. Hasn't left much time for motherboard replacements, OS reloads, etc, but it's been easy money :-)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I've seen some speculation here about possible reinfection between the short time you're connected to the web after running the removal tool but before the patch is installed. That hasn't been my experience here
at all, but the fact that we're running a broadband connection behind a
pretty good firewall has probably mitigated that possibility considerably. This infection doesn't seem to be able to get past a properly configured firewall, with ports 4400 and 135 locked down, which
could be why it's been so widespread, eh? ;-) What does that tell us?

Regards,
Bob

-----Original Message-----
From: Jose Guevarra [mailto:jose@iquest.ucsb.edu] Sent: Tuesday, August 12, 2003 7:07 PM
To: security-basics@securityfocus.com
Subject: Purging Blaster.worm

Hi,

 Has anyone successfully purged the MSBlaster worm. There is a tool out
there that can do it but is it reliable?

thanx,

---
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------