Afternoon, All.
http://www.computing.net/windows2000/wwwboard/forum/57476.html
http://www.computing.net/security/wwwboard/forum/11377.html
Any ideas on how this trojan/virus/whatever propagates? I'd really like to know how it got onto my system.
Cheers,
Scronty
http://www.computing.net/windows2000/wwwboard/forum/57476.html
http://www.computing.net/security/wwwboard/forum/11377.html
Any ideas on how this trojan/virus/whatever propagates? I'd really like to know how it got onto my system.
Cheers,
Scronty
most likely a remote exploit, scronty. There are some services running on your system that you cannot shut down, and unfortunatley some of these listen on sockets without filtering source IP... The best thing you can do is get hold of a firewall, if you're on cable/DSL and have a decent router/modem, it shoud allow you to set up NAT/PAT - Network/Port Address Translation. With this, you can effectively block out any traffic that you haven't made rules for (of course it also does mean you'll have to set up rules for the server software you use, but this is a small price to pay).
This can be combined with a personal firewall so that network-using applications will be MD5'ed or SHA'ed to verify they haven't been tampered with, and - this a hardware firewall can't do - see which programs send outgoing traffic. But I wouldn't trust a PFW by itself, there are ways to piece them.
This can be combined with a personal firewall so that network-using applications will be MD5'ed or SHA'ed to verify they haven't been tampered with, and - this a hardware firewall can't do - see which programs send outgoing traffic. But I wouldn't trust a PFW by itself, there are ways to piece them.
"A worm, dubbed Sasser by antivirus firms, was spreading slowly throughout the Internet on Saturday, taking advantage of a vulnerability in unpatched Windows systems to infect new hosts."
"The creation of the worm didn't surprise the Internet's security community. Security experts widely predicted that a worm would soon start spreading using that particular flaw by exploiting a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS."
More: http://news.com.com/2100-7349_3-5203764.html?tag=nefd.top
http://www.microsoft.com/security/incident/sasser.asp
"The creation of the worm didn't surprise the Internet's security community. Security experts widely predicted that a worm would soon start spreading using that particular flaw by exploiting a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS."
More: http://news.com.com/2100-7349_3-5203764.html?tag=nefd.top
http://www.microsoft.com/security/incident/sasser.asp
Dang thing got me good. I thought I had a virus at first, but then after a format and reinstall I was still getting Lsass.exe terminating unexpectedly. This worm will prolly be a record breaker.
what? formating an reinstalling just due to this little worm?
oh well;
i gotta say, it's funny to play with that thing. i think it doesn't any harm but spreading all over the net. i've just got the (HUGE, man how can you make a patch that big?!) patch from micro$oft and thats it.
the worm was opening connections to everywhere...
oh well;
i gotta say, it's funny to play with that thing. i think it doesn't any harm but spreading all over the net. i've just got the (HUGE, man how can you make a patch that big?!) patch from micro$oft and thats it.
the worm was opening connections to everywhere...
i think it doesn't any harm but spreading all over the net.
Causing random reboots (because of shellcode?) is bad enough for me. You can lose work and such.
i've just got the (HUGE, man how can you make a patch that big?!) patch
Probably because they have to redistribute a couple of DLL's?
Causing random reboots (because of shellcode?) is bad enough for me. You can lose work and such.
Just curious, is it a payload or a bug?
I would guess it's a bug, it certainly was a bug in the original blaster worm. Seems like RPC related exploits are pretty sensitive :)
It dose cotain shellcode that listens on port 9996. If your computer is reachable so that it can be infected then chances are this port is reachable too meaning anyone can get a command prompt with system privalages.
...which again is good reason why you should be firewalled and/or NAT'ed, and only forward specific ports to your computer.