w32 blaster worm

Discussion in 'Computer Security' started by Linda, Aug 13, 2003.

  1. Linda

    Linda Guest

    I cleaned this off some computers yesterday.
    Can someone explain to me how the computers got infected in this case - I
    mean besides the fact that they did not patch them.
    They are a small workgroup (5 XP Pro machines) and have accounts at a local
    ISP.
    Each computer has a modem and dials up to the Internet as needed.
    They do not have full time access and each time they dial they get a new IP
    for that session.
    I read that this (blaster) uses port scanning to find open TCP ports and
    install itself. It would seem that because they connect through an ISP they
    would not be vulnerable, no open ports would be seen, but they were - so here
    I go showing my ignorance. Does it scan so fast that it could find all 5
    computers on different dynamic IP's? Do these dynamic IP's show up on the
    Internet even through the ISP connection? I would have thought that there
    was some sort of NAT being performed at the ISP? Is there something the ISP
    should have done? Really confused here. I thought that it did not spread
    internally on a workgroup but rather that only through the Internet?
    Any answers would be appreciated that will shed some light on this.
    Except Tracker - been reading off and on for a few months and it is obvious
    even to someone as ignorant as I am that she doesn't have a clue. Her advice
    on the OS side of things is often either wrong or dangerous and I do know a
    bit more about OS than security of OS. Trying to expand my horizons by
    learning more you see.

    Linda
     
    Linda, Aug 13, 2003
    #1

  2. Linda

    Linda Guest

    I have read that the blaster worm is through listening ports only. Maybe
    not only that way? How did it get through the dial-up at the ISP??
    Linda
    "Bit Twister" <> wrote in message
    news:...
    > On Wed, 13 Aug 2003 11:04:23 -0600, Linda wrote:
    > > I cleaned this off some computers yesterday.
    > > Can someone explain to me how the computers got infected in this case - I
    > > mean besides the fact that they did not patch them.

    >
    > You catch malware through services which listen on ports for
    > connections. The malware exploits the service which turns control over
    > to the malware.
    >
    > Your other methods for having malware is through email, downloaded
    > files or infected media ie diskettes and last but not least, all the
    > wonderful feature rich goodies provided by your browser and other
    > programs hooked back into the OS.
     
    Linda, Aug 13, 2003
    #2

  3. Linda

    Bit Twister Guest

    On Wed, 13 Aug 2003 11:32:14 -0600, Linda wrote:
    > I have read that the blaster worm is through listening ports only. Maybe
    > not only that way? How did it get through the dial-up at the ISP??


    An infected pc contacted the service which listens on port 135.

    The worm used the target service to download enough code to complete
    the infection and start spreading again.
     
    Bit Twister, Aug 13, 2003
    #3
  4. Linda

    Guest

    Re: Re: w32 blaster worm

    "Linda" <> wrote:

    >I have read that the blaster worm is through listening ports only. Maybe
    >not only that way? How did it get through the dial-up at the ISP??


    The dial-up is basically networking over a phone-line. User on one
    end. ISP at the other. The modem at the ISP is connected to the net.
    Incoming traffic to the IP of that connection is forwarded to the
    customer's computer. This may be legitimate traffic or it may be
    malicious. If the customer's computer is vulnerable to that malicious
    traffic.....

    Roger
     
    , Aug 13, 2003
    #4
  5. Linda

    Frode Guest


    Linda wrote:
    > I cleaned this off some computers yesterday.
    > Can someone explain to me how the computers got infected in this case - I
    > mean besides the fact that they did not patch them.
    > They are a small workgroup (5 XP Pro machines) and have accounts at a
    > local ISP.


    I take that to mean these 5 computers are networked.

    > Each computer has a modem and dials up to the Internet as needed.
    > They do not have full time access and each time they dial they get a new
    > IP for that session.


    That's sufficient. It doesn't take long to get infected if vulnerable. All
    you have to do is be unlucky enough to have one of the computers online at
    the time the IP it has been assigned by the ISP is probed and stay online
    for the seconds it takes for the worm to propagate. Once that's happened
    the likelihood of it infecting the remaining 4 computers on the LAN within
    a reasonably short time is pretty high.

    > I read that this (blaster) uses port scanning to find open TCP ports and
    > install itself. It would seem that because they connect through an ISP
    > they would not be vulnerable, no open ports would be seen, but they were -


    Only extremely odd ISPs use NAT or filter ports on behalf of their customers
    in my experience. The one exception being many force you through a proxy on
    outgoing port 80 to be able to cache web traffic and thus reduce the load
    on their link(s) to the net as a whole.

    The only two ways (apart from staying offline or running an OS that isn't
    vulnerable to begin with) of avoiding infection are 1) be firewalled/NATed
    or 2) be patched.

    > I thought that it did not spread internally on a workgroup but
    > rather that only through the Internet?


    It's all IP based. Unless the worm went through extra effort to detect what
    subnet the computer was on and *not* probe that net, it would be just as
    likely to hit those IPs as any others.

    Some info on its inner workings in case you're curious
    http://tinyurl.com/jozm (Symantec Security Response site)

    > Any answers would be appreciated that will shed some light on this.
    > Except Tracker


    Clever girl. You, that is, not Tracker.


    --
    Frode

     
    Frode, Aug 13, 2003
    #5
  6. Linda

    Leythos Guest

    In article <0hu_a.33$>, says...
    > I cleaned this off some computers yesterday.
    > Can someone explain to me how the computers got infected in this case - I
    > mean besides the fact that they did not patch them.
    > They are a small workgroup (5 XP Pro machines) and have accounts at a local
    > ISP.
    > Each computer has a modem and dials up to the Internet as needed.
    > They do not have full time access and each time they dial they get a new IP
    > for that session.


    How they get an IP does not make any difference - an IP from a dial up
    connection is just as open as a cable modem or DSL modem connection,
    it's just not as fast.

    All your ports are exposed when they dial into the ISP, and since each
    user has the ability to access the other users computer the RPC calls
    are authorized.

    I've seen dial-up clients hacked while downloading the Windows Update
    Patches.

    Get them a LAN MODEM that also provides NAT and they will be safe from
    this type of thing.

    Mark

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Aug 14, 2003
    #6
  7. Linda

    Linda Guest

    "Bit Twister" <> wrote in message
    news:...
    > On Wed, 13 Aug 2003 11:32:14 -0600, Linda wrote:
    > > I have read that the blaster worm is through listening ports only. Maybe
    > > not only that way? How did it get through the dial-up at the ISP??

    >
    > An infected pc contacted the service which listens on port 135.
    >
    > The worm used the target service to download enough code to complete
    > the infection and start spreading again.


    OK, so, one of the computers was on the Internet long enough to get
    infected - easy to believe as it is not unusual for a connection to be open
    for an hour or more. The ISP just passes traffic through and the worm with
    its port scanning gets a response on port 135 from xxx.xxx.xxx.xxx that it
    (the computer) is listening and will accept requests for service on that
    port. The worm code is downloaded. So far I think I am understanding.
    Then, can this worm also infect other computers within the workgroup or must
    the worm get a response from each computer? Keeping in mind that they are
    all using a fairly narrow range of IP addresses from the ISP it would not
    take long to scan the whole range.
    Then we get to the ... start spreading again ... part. Do infected
    computers also begin port scanning looking for a positive response? Is the
    infection usually coming from a handful or more computers that the hackers
    are using to spread the worm or are infected computers also used to spread
    it?
    Thanks for your replies, the more I know the better I can protect the
    computers I am responsible for.
    Linda
     
    Linda, Aug 14, 2003
    #7
  8. Linda

    Bit Twister Guest

    On Wed, 13 Aug 2003 21:16:33 -0600, Linda wrote:
    > The ISP just passes traffic through


    Yep, just like the telephone office.

    > and the worm with
    > its port scanning gets a response on port 135 from xxx.xxx.xxx.xxx that it
    > (the computer) is listening and will accept requests for service on that
    > port. The worm code is downloaded. So far I think I am
    > understanding.


    You got it.

    > Then, can this worm also infect other computers within the workgroup or must
    > the worm get a response from each computer? Keeping in mind that they are
    > all using a fairly narrow range of IP addresses from the ISP it would not
    > take long to scan the whole range.


    That depends on the malware. Some are smart, some are not.

    >
    > Then we get to the ... start spreading again ... part. Do infected
    > computers also begin port scanning looking for a positive response?


    Yes.

    > Is the
    > infection usually coming from a handful or more computers that the hackers
    > are using to spread the worm or are infected computers also used to spread
    > it?


    They work just like the flu or colds. :)

    > Thanks for your replies, the more I know the better I can protect the
    > computers I am responsible for.


    You can look around on
    http://www.cert.org (2nd box from bottom left)
    http://www.cert.org/advisories/
    http://www.guninski.com/ (left selection)
    to get a feel for your task.
     
    Bit Twister, Aug 14, 2003
    #8
  9. Linda

    Guest

    "Linda" <> wrote:

    >I have a cable modem with a router behind for my local network. Going to
    >grc.com and running the tests it seems that my router does not respond
    >to requests from any ports.

    Good. Make sure the router is configured for maximum security

    >I know I can still get a virus from an infected email.


    And maliciously crafted html. And through the floppy drive, etc.

    >I did download and install the patch, but, was I probably pretty
    >safe from it (this one at least) anyway because of the router that
    >does not respond?

    Yes. But still a good idea to be patched up.

    >Now I am reading that HTML, not only HTML email - which I delete, but also
    >web sites can pose a threat.


    It does not matter if it is in the browser or in the e-mail: maliciously crafted html
    code poses a threat if the page is displayed and the system is not
    configured to safely handle that threat. Simply previewing a malicious
    html can pose a threat if the zone is not safely configured.

    >Anyone have a good article/white paper on this
    >I would appreciate a link to the web site part of this.


    IE splits the world in several zones with configurable security settings.
    By default any internet site visited is in the Internet Zone. The
    general approach is to tighten the security settings in the Internet
    Zone in IE.

    The main annoyance in having tight Internet Zone settings is that some
    sites don't display as intended, or don't display at all.

    If you trust the site (judgement call), place the site in the Trusted
    Zone, which you have configured for lower security.

    PowerTweaks is convenient for moving a site into the Trusted Zone
    http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.asp
    The page says that it is for IE5, but it does work with IE6.

    There is also a Restricted Zone where you can set security even
    tighter than in Internet Zone.

    Outlook and OE take their security setting from IE. Make sure the
    zone is "Restricted" for the e-mail. (Set this in Outlook or OE.)

    Some googling gave
    http://www.google.com/search?sourceid=navclient&q=internet explorer zones
    http://www.microsoft.com/technet/tr...l=/technet/columns/security/5min/5min-102.asp
    http://www.newfangled.san-jose.ca.us/Hacking WinMe/Security Zones/index.html

    Some interesting read here:
    http://www.nsclean.com/psc-exe2.html
    http://www.guninski.com/

    You might also want to google for W2K security in general, if that's what
    you're using. Disabling of unneeded services. Security
    policy, etc. There are many ways to increase the security.

    And keep the system's patches and AV definition files up to date.

    Are you running a software firewall to monitor and control outgoing
    traffic? The combination of NAT/router and software firewall is a
    great combination.

    OK. That's it for now though I'm probably forgetting a whole bunch of
    things.

    Roger
     
    , Aug 14, 2003
    #9
  10. Linda

    Linda Guest

    "Leythos" <> wrote in message
    news:...
    > In article <0hu_a.33$>, says...
    > > I cleaned this off some computers yesterday.
    > > Can someone explain to me how the computers got infected in this case -

    I
    > > mean besides the fact that they did not patch them.
    > > They are a small workgroup (5 XP Pro machines) and have accounts at a

    local
    > > ISP.
    > > Each computer has a modem and dials up to the Internet as needed.
    > > They do not have full time access and each time they dial they get a new

    IP
    > > for that session.

    >
    > How they get an IP does not make any difference - an IP from a dial up
    > connection is just as open as a cable modem or DSL modem connection,
    > it's just not as fast.
    >
    > All your ports are exposed when they dial into the ISP, and since each
    > user has the ability to access the other users computer the RPC calls
    > are authorized.
    >
    > I've seen dial-up clients hacked while downloading the Windows Update
    > Patches.
    >
    > Get them a LAN MODEM that also provides NAT and they will be safe from
    > this type of thing.
    >
    > Mark
    >
    > --
    > --
    >
    > (Remove 999 to reply to me)


    Thanks to all that responded - off to read now.
    Linda
     
    Linda, Aug 14, 2003
    #10
  11. Linda

    toro Guest

    On Wed, 13 Aug 2003 21:28:38 -0600, "Linda" <> wrote:

    > I take it then that all computers were probably
    >infected through the Internet as they were all in the same IP range - so to
    >speak.


    Well, basically if they are using the same ISP they _are_ on the same
    IP range or subnet. Each ISP is assigned an IP range from where users
    get their IP address on the Internet when they are connected to him.
    For example, if my ISP uses the range 193.210.0.0 - 193.210.255.255
    then his subnet mask would be 255.255.0.0, which means that he has
    255*255 IP addresses available for his customers. When I dial up to
    one of his servers, I would get an available IP address in that range,
    like 193.210.100.100. Thanks to my ISP DNS servers I have now an IP
    address that the whole world can see, but I don't have a firewall or
    any other kind of protection unless I install some.
    So when an online port scanner, malicious or not scans IP ranges, if
    your computer is connected to the Internet it has an IP which belongs
    to an ISP's IP range.

    HTH :)

     
    toro, Aug 14, 2003
    #11
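Bit Twister's reply (#8) says infected machines start probing port 135 themselves, and toro's reply (#11) points out that every dial-up customer lands in the ISP's own address pool, so infected neighbours show up as scanners from inside that pool. The script below is an added example, not code from anyone in this thread: it parses a few constructed firewall log lines, flags sources that probed TCP 135 on several distinct hosts, and reports whether each scanner sits inside toro's example pool 193.210.0.0 / 255.255.0.0 (an outside scanner is an Internet-side infection, an inside one is a fellow customer). The log format, the ACCEPT/DROP actions and the threshold of three targets are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread). One inbound TCP
# connection attempt per line: time src dst dport action.
SAMPLE_LOG = """\
21:16:01 193.210.100.100 193.210.100.101 135 DROP
21:16:01 193.210.100.100 193.210.100.102 135 DROP
21:16:02 193.210.100.100 193.210.100.103 135 ACCEPT
21:16:02 193.210.100.100 193.210.100.104 135 DROP
21:16:03 203.0.113.7 193.210.100.101 135 DROP
21:16:03 203.0.113.7 193.210.100.102 135 DROP
21:16:03 203.0.113.7 193.210.100.103 135 DROP
21:16:04 198.51.100.9 193.210.100.101 80 ACCEPT
21:16:05 193.210.100.101 193.210.100.105 135 DROP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ACCEPT|DROP)$")

# The ISP dial-up pool from toro's example: 193.210.0.0 with mask 255.255.0.0.
ISP_POOL = ipaddress.ip_network("193.210.0.0/16")
BLASTER_PORT = "135"  # the RPC listener the worm probes, per Bit Twister


def parse_log(log_text):
    """Yield (src, dst, dport, action) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, src, dst, dport, action = m.groups()
            yield src, dst, dport, action


def find_port135_scanners(log_text, min_targets=3):
    """Map each source that probed TCP 135 on >= min_targets distinct hosts
    to (number_of_targets, source_is_inside_isp_pool)."""
    targets = defaultdict(set)
    for src, dst, dport, _ in parse_log(log_text):
        if dport == BLASTER_PORT:
            targets[src].add(dst)
    return {
        src: (len(dsts), ipaddress.ip_address(src) in ISP_POOL)
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


def accepted_port135_targets(log_text):
    """Hosts that accepted a port-135 probe: unpatched and unfiltered, so the
    ones to check for infection first (a listener that answers is exactly
    what Linda's post #7 describes)."""
    return {dst for _, dst, dport, act in parse_log(log_text)
            if dport == BLASTER_PORT and act == "ACCEPT"}
```

Each machine in the workgroup only has a personal firewall log to look at, so running this on every host's log and comparing scanner addresses against the ISP pool is what tells you whether the infection arrived from outside or from a neighbour.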
  12. Linda

    Mark Guest

    When you dial up to your ISP they provide you with .. daaadaaa the Internet
    :)

    So there's your little PC sitting on the big bad Internet, naked as the day
    it was born.

    Installing a software firewall on each PC will help with many port based
    attacks (not all). Also make sure your PCs are updated with all the latest
    security patches from Microsoft.

    You can also get trojan scanners or anti-virus products that can scan and
    monitor for trojans. Some firewalls actively search for them too.



    "Linda" <> wrote in message
    news:6Hu_a.35$...
    > I have read that the blaster worm is through listening ports only. Maybe
    > not only that way? How did it get through the dial-up at the ISP??
    > Linda
     
    Mark, Aug 20, 2003
    #12
