#1

I cleaned this off some computers yesterday.

Can someone explain to me how the computers got infected in this case - I mean besides the fact that they did not patch them. They are a small workgroup (5 XP Pro machines) and have accounts at a local ISP. Each computer has a modem and dials up to the Internet as needed. They do not have full time access and each time they dial they get a new IP for that session.

I read that this (blaster) uses port scanning to find open TCP ports and install itself. It would seem that because they connect through an ISP they would not be vulnerable, no open ports would be seen, but they were - so here I go showing my ignorance. Does it scan so fast that it could find all 5 computers on different dynamic IP's? Do these dynamic IP's show up on the Internet even through the ISP connection? I would have thought that there was some sort of NAT being performed at the ISP? Is there something the ISP should have done? Really confused here. I thought that it did not spread internally on a workgroup but rather only through the Internet?

Any answers would be appreciated that will shed some light on this. Except Tracker - been reading off and on for a few months and it is obvious even to someone as ignorant as I am that she doesn't have a clue. Her advice on the OS side of things is often either wrong or dangerous and I do know a bit more about OS than security of OS. Trying to expand my horizons by learning more you see.

Linda

#2

I have read that the blaster worm is through listening ports only. Maybe not only that way? How did it get through the dial-up at the ISP??

Linda

"Bit Twister" <> wrote in message news:...
> On Wed, 13 Aug 2003 11:04:23 -0600, Linda wrote:
> > I cleaned this off some computers yesterday.
> > Can someone explain to me how the computers got infected in this case - I
> > mean besides the fact that they did not patch them.
>
> You catch malware through services which listen on ports for
> connections. The malware exploits the service which turns control over
> to the malware.
>
> Your other methods for having malware is through email, downloaded
> files or infected media ie diskettes and last but not least, all the
> wonderful feature rich goodies provided by your browser and other
> programs hooked back into the OS.

#3

On Wed, 13 Aug 2003 11:32:14 -0600, Linda wrote:
> I have read that the blaster worm is through listening ports only. Maybe
> not only that way? How did it get through the dial-up at the ISP??

An infected pc contacted the service which listens on port 135.

The worm used the target service to download enough code to complete the infection and start spreading again.

Bit Twister

#4

"Linda" <> wrote:
> I have read that the blaster worm is through listening ports only. Maybe
> not only that way? How did it get through the dial-up at the ISP??

The dial-up is basically networking over a phone-line. User on one end. ISP at the other. The modem at the ISP is connected to the net. Incoming traffic to the IP of that connection is forwarded to the customer's computer. This may be legitimate traffic or it may be malicious. If the customer's computer is vulnerable to that malicious traffic.....

Roger
somebody@compusmart.ab.ca

#5

Linda wrote:
> I cleaned this off some computers yesterday.
> Can someone explain to me how the computers got infected in this case - I
> mean besides the fact that they did not patch them.
> They are a small workgroup (5 XP Pro machines) and have accounts at a
> local ISP.

I take that to mean these 5 computers are networked.

> Each computer has a modem and dials up to the Internet as needed.
> They do not have full time access and each time they dial they get a new
> IP for that session.

That's sufficient. It doesn't take long to get infected if vulnerable. All you have to do is be unlucky enough to have one of the computers online at the time the IP it has been assigned by the ISP is probed and stay online for the seconds it takes for the worm to propagate. Once that's happened the likelihood of it infecting the remaining 4 computers on the LAN within a reasonably short time is pretty high.

> I read that this (blaster) uses port scanning to find open TCP ports and
> install itself. It would seem that because they connect through an ISP
> they would not be vulnerable, no open ports would be seen, but they were -

Only extremely odd ISPs use NAT or filter ports on behalf of their customers in my experience. The one exception being many force you through a proxy on outgoing port 80 to be able to cache web traffic and thus reduce the load on their link(s) to the net as a whole. The only two ways (apart from staying offline or running an OS that isn't vulnerable to begin with) of avoiding infection are 1) be firewalled/NATed or 2) be patched.

> I thought that it did not spread internally on a workgroup but
> rather that only through the Internet?

It's all IP based. Unless the worm went through extra effort to detect what subnet the computer was on and *not* probe that net, it would be just as likely to hit those IPs as any others.

Some info on its inner workings in case you're curious: http://tinyurl.com/jozm (Symantec Security Response site)

> Any answers would be appreciated that will shed some light on this.
> Except Tracker

Clever girl. You, that is, not Tracker.

--
Frode

#6

In article <0hu_a.33$>, says...
> I cleaned this off some computers yesterday.
> Can someone explain to me how the computers got infected in this case - I
> mean besides the fact that they did not patch them.
> They are a small workgroup (5 XP Pro machines) and have accounts at a local
> ISP.
> Each computer has a modem and dials up to the Internet as needed.
> They do not have full time access and each time they dial they get a new IP
> for that session.

How they get an IP does not make any difference - an IP from a dial up connection is just as open as a cable modem or DSL modem connection, it's just not as fast.

All your ports are exposed when they dial into the ISP, and since each user has the ability to access the other users' computers the RPC calls are authorized.

I've seen dial-up clients hacked while downloading the Windows Update Patches.

Get them a LAN MODEM that also provides NAT and they will be safe from this type of thing.

Mark
--
(Remove 999 to reply to me)

Leythos

#7

"Bit Twister" <> wrote in message news:...
> On Wed, 13 Aug 2003 11:32:14 -0600, Linda wrote:
> > I have read that the blaster worm is through listening ports only. Maybe
> > not only that way? How did it get through the dial-up at the ISP??
>
> An infected pc contacted the service which listens on port 135.
>
> The worm used the target service to download enough code to complete
> the infection and start spreading again.

OK, so, one of the computers was on the Internet long enough to get infected - easy to believe as it is not unusual for a connection to be open for an hour or more. The ISP just passes traffic through and the worm with its port scanning gets a response on port 135 from xxx.xxx.xxx.xxx that it (the computer) is listening and will accept requests for service on that port. The worm code is downloaded. So far I think I am understanding.

Then, can this worm also infect other computers within the workgroup or must the worm get a response from each computer? Keeping in mind that they are all using a fairly narrow range of IP addresses from the ISP it would not take long to scan the whole range.

Then we get to the ... start spreading again ... part. Do infected computers also begin port scanning looking for a positive response? Is the infection usually coming from a handful or more computers that the hackers are using to spread the worm or are infected computers also used to spread it?

Thanks for your replies, the more I know the better I can protect the computers I am responsible for.

Linda

#8

On Wed, 13 Aug 2003 21:16:33 -0600, Linda wrote:
> The ISP just passes traffic through

Yep, just like the telephone office.

> and the worm with
> its port scanning gets a response on port 135 from xxx.xxx.xxx.xxx that it
> (the computer) is listening and will accept requests for service on that
> port. The worm code is downloaded. So far I think I am
> understanding.

You got it.

> Then, can this worm also infect other computers within the workgroup or must
> the worm get a response from each computer? Keeping in mind that they are
> all using a fairly narrow range of IP addresses from the ISP it would not
> take long to scan the whole range.

That depends on the malware. Some are smart, some are not.

> Then we get to the ... start spreading again ... part. Do infected
> computers also begin port scanning looking for a positive response?

Yes.

> Is the
> infection usually coming from a handful or more computers that the hackers
> are using to spread the worm or are infected computers also used to spread
> it?

They work just like the flu or colds.

> Thanks for your replies, the more I know the better I can protect the
> computers I am responsible for.

You can look around on
http://www.cert.org (2nd box from bottom left)
http://www.cert.org/advisories/
http://www.guninski.com/ (left selection)
to get a feel for your task.

Bit Twister
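The two things the replies above describe, a host that starts probing many addresses on TCP port 135 (an infected machine "spreading again") and the hosts that actually answered on 135 (the ones still exposed), can be pulled out of a firewall log. This is an added example, not code from the thread; the log format and the 10.0.0.x addresses are constructed, and the log is assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical format: date time action proto src dst sport dport).
# Lines are assumed to be in chronological order. None of this is real traffic.
SAMPLE_LOG = """\
2003-08-13 11:02:01 ALLOW TCP 10.0.0.7 10.0.0.12 1056 135
2003-08-13 11:02:01 ALLOW TCP 10.0.0.7 10.0.0.13 1057 135
2003-08-13 11:02:02 DROP TCP 10.0.0.7 10.0.0.14 1058 135
2003-08-13 11:02:02 DROP TCP 10.0.0.7 10.0.0.15 1059 135
2003-08-13 11:02:03 DROP TCP 10.0.0.7 10.0.0.16 1060 135
2003-08-13 11:02:03 DROP TCP 10.0.0.7 10.0.0.17 1061 135
2003-08-13 11:05:10 ALLOW TCP 10.0.0.12 10.0.0.7 1025 139
2003-08-13 11:06:00 ALLOW TCP 10.0.0.13 192.0.2.9 1030 80
2003-08-13 11:40:00 ALLOW TCP 10.0.0.13 10.0.0.12 1031 135
"""

LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|DROP) TCP (\S+) (\S+) (\d+) (\d+)$")

def parse(log_text):
    """Yield (timestamp, action, src, dst, dport) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4), int(m.group(6))

def find_port135_scanners(log_text, threshold=5, window_s=60):
    """Sources that hit >= threshold distinct hosts on TCP/135 within window_s seconds."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)       # src -> most distinct targets seen in any window
    for ts, _action, src, dst, dport in parse(log_text):
        if dport != 135:
            continue                # only the port the worm probes matters here
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()             # drop events that fell out of the window
        peak[src] = max(peak[src], len({d for _, d in q}))
    return sorted((src, n) for src, n in peak.items() if n >= threshold)

def exposed_on_135(log_text):
    """Hosts that accepted a TCP/135 connection: unpatched or unfiltered, so still at risk."""
    return sorted({dst for _ts, action, _src, dst, dport in parse(log_text)
                   if action == "ALLOW" and dport == 135})
```

A dropped probe still counts toward the scanner score, since the point is to spot which machine on the workgroup is doing the probing, not whether each probe succeeded.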
#9

"Linda" <> wrote:
> I have a cable modem with a router behind for my local network. Going to grc.com and running the tests it seems that my router does not respond to requests from any ports.

Good. Make sure the router is configured for maximum security.

> I know I can still get a virus from an infected email.

And maliciously crafted html. And through the floppy drive, etc.

> I did download and install the patch, but, was I probably pretty safe from it (this one at least) anyway because of the router that does not respond?

Yes. But still a good idea to be patched up.

> Now I am reading that HTML, not only HTML email - which I delete, but also
> web sites can pose a threat.

It does not matter if it is in the browser or in the e-mail: maliciously crafted html code poses a threat if the page is displayed and the system is not configured to safely handle that threat. Simply previewing a malicious html can pose a threat if the zone is not safely configured.

> Anyone have a good article/white paper on this
> I would appreciate a link to the web site part of this.

IE splits the world in several zones with configurable security settings. By default any internet site visited is in the Internet Zone. The general approach is to tighten the security settings in the Internet Zone in IE. The main annoyance in having tight Internet Zone settings is that some sites don't display as intended, or don't display at all. If you trust the site (judgement call), place the site in the Trusted Zone, which you have configured for lower security. PowerTweaks is convenient for moving a site into the Trusted Zone:
http://www.microsoft.com/windows/ie/...ss/pwrtwks.asp
The page says that it is for IE5, but it does work with IE6.

There is also a Restricted Zone where you can set security even tighter than in Internet Zone. Outlook and OE take their security setting from IE. Make sure the zone is "Restricted" for the e-mail. (Set this in Outlook or OE.)

Some googling gave
http://www.google.com/search?sourcei...plorer+zone s
http://www.microsoft.com/technet/tre...n/5min-102.asp
http://www.newfangled.san-jose.ca.us...nes/index.html

Some interesting read here:
http://www.nsclean.com/psc-exe2.html
http://www.guninski.com/

You might also want to google for W2K, if that's what you're using, security in general. Disabling of unneeded services. Security policy, etc. There are many ways to increase the security. And keep the system's patches and AV definition files up to date.

Are you running a software firewall to monitor and control outgoing traffic? The combination of NAT/router and software firewall is a great combination.

OK. That's it for now though I'm probably forgetting a whole bunch of things.

Roger
somebody@compusmart.ab.ca

#10

"Leythos" <> wrote in message news:...
> In article <0hu_a.33$>, says...
> > I cleaned this off some computers yesterday.
> > Can someone explain to me how the computers got infected in this case - I
> > mean besides the fact that they did not patch them.
> > They are a small workgroup (5 XP Pro machines) and have accounts at a local
> > ISP.
> > Each computer has a modem and dials up to the Internet as needed.
> > They do not have full time access and each time they dial they get a new IP
> > for that session.
>
> How they get an IP does not make any difference - an IP from a dial up
> connection is just as open as a cable modem or DSL modem connection,
> it's just not as fast.
>
> All your ports are exposed when they dial into the ISP, and since each
> user has the ability to access the other users' computers the RPC calls
> are authorized.
>
> I've seen dial-up clients hacked while downloading the Windows Update
> Patches.
>
> Get them a LAN MODEM that also provides NAT and they will be safe from
> this type of thing.
>
> Mark
> --
> (Remove 999 to reply to me)

Thanks to all that responded - off to read now.

Linda