Would a firewall prevent Sasser worm?

Discussion in 'Computer Security' started by Piotr Makley, May 4, 2004.

  1. Piotr Makley

    Piotr Makley Guest

    If I had a firewall would that prevent the Sasser worm infecting my
    PC?

    I mean, if another infected system cannot see my ports because they
    are stealthed then presumably Sasser could not infect me?
    Piotr Makley, May 4, 2004
    #1

  2. On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

    >If I had a firewall would that prevent the Sasser worm infecting my
    >PC?
    >
    >I mean, if another infected system cannot see my ports because they
    >are stealthed then presumably Sasser could not infect me?


    Yes, any firewall that blocks incoming port 445 will prevent infection
    by the Sasser worm.

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
    Lars M. Hansen, May 4, 2004
    #2

  3. Piotr Makley

    zz Guest

    Lars M. Hansen wrote:
    > On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
    >
    >
    >>If I had a firewall would that prevent the Sasser worm infecting my
    >>PC?
    >>
    >>I mean, if another infected system cannot see my ports because they
    >>are stealthed then presumably Sasser could not infect me?

    >
    >
    > Yes, any firewall that blocks incoming port 445 will prevent infection
    > by the Sasser worm.
    >
    > Lars M. Hansen
    > http://www.hansenonline.net
    > (replace 'badnews' with 'news' in e-mail address)


    From Microsoft: "Customers who have enabled the Windows XP Firewall are
    protected from the vector this worm attacks, which is TCP Port 139.
    Most third party firewalls also block this attack vector by default."

    g-w
    zz, May 4, 2004
    #3
  4. Piotr Makley

    ObiWan Guest

    <snip>
    > Yes, any firewall that blocks incoming port
    > 445 will prevent infection by the Sasser worm.


    As long as someone won't write a variant
    of the worm spreading by email too :)

    Brain; the best firewall in the world (if one uses it)
    ObiWan, May 4, 2004
    #4
  5. On Tue, 4 May 2004 14:25:28 +0200, ObiWan spoketh

    ><snip>
    >> Yes, any firewall that blocks incoming port
    >> 445 will prevent infection by the Sasser worm.

    >
    >As long as someone won't write a variant
    >of the worm spreading by email too :)
    >
    >Brain; the best firewall in the world (if one uses it)
    >
    >


    We can only deal with the "known knowns". The "unknown unknowns" we'll
    have to leave for Mr. Rumsfeld...

    Currently, the Sasser worm only spreads by exploiting the LSASS buffer
    overflow vulnerability through port 445.

    Sasser.D now also sends an ICMP echo request, which will certainly show
    up in many more logs :(

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
    Lars M. Hansen, May 4, 2004
    #5
  6. Piotr Makley

    Bill Unruh Guest

    Piotr Makley <> writes:

    ]If I had a firewall would that prevent the Sasser worm infecting my
    ]PC?

    ]I mean, if another infected system cannot see my ports because they
    ]are stealthed then presumably Sasser could not infect me?

    Sasser cannot infect you if you do not run Windows. Sasser cannot
    infect you if you install the patch from Microsoft. A firewall might
    help, but if you insist on not doing the first two you will always be in
    danger. Note that a firewall has nothing to do with "stealthing" your
    ports. It simply rejects all attempts to connect to ports except those
    you deliberately open. You can do the same by not opening any ports
    except those you absolutely need in the first place. What ports are open
    on your system? Do you know?
    Bill Unruh, May 4, 2004
    #6
  7. Piotr Makley

    Bill Unruh Guest

    Lars M. Hansen <> writes:

    ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

    ]>If I had a firewall would that prevent the Sasser worm infecting my
    ]>PC?
    ]>
    ]>I mean, if another infected system cannot see my ports because they
    ]>are stealthed then presumably Sasser could not infect me?

    ]Yes, any firewall that blocks incoming port 445 will prevent infection
    ]by the Sasser worm.

    Why is port 445 open on his system in the first place?
    Bill Unruh, May 4, 2004
    #7
  8. On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

    >Lars M. Hansen <> writes:
    >
    >]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
    >
    >]>If I had a firewall would that prevent the Sasser worm infecting my
    >]>PC?
    >]>
    >]>I mean, if another infected system cannot see my ports because they
    >]>are stealthed then presumably Sasser could not infect me?
    >
    >]Yes, any firewall that blocks incoming port 445 will prevent infection
    >]by the Sasser worm.
    >
    >Why is port 445 open on his system in the first place?


    Port 445 is open by default on any W2K or WXP system unless you've
    closed it somehow. Despite the fact that we all wish people would have
    firewalls or at least a NAT router, we're not quite there yet...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
    Lars M. Hansen, May 4, 2004
    #8
  9. Piotr Makley

    ObiWan Guest

    > ><snip>
    > >> Yes, any firewall that blocks incoming port
    > >> 445 will prevent infection by the Sasser worm.

    > >
    > >As long as someone won't write a variant
    > >of the worm spreading by email too :)
    > >
    > >Brain; the best firewall in the world (if one uses it)
    > >
    > >

    >
    > We can only deal with the "known knowns". The "unknown unknowns"
    > we'll have to leave for Mr. Rumsfeld...


    Uh .. bad day ?!? I was just putting a little sarcasm there :) !!

    > Currently, the Sasser worm only spreads by exploiting the LSASS buffer
    > overflow vulnerability through port 445.


    Yes, got some "proof of concept" code here, know how it works :-/

    > Sasser.D now also sends an ICMP echo request, which will certainly show
    > up in many more logs :(


    That's what I was saying. I don't think it would take too much
    before we'll see a "mail spreading" variant; then, due to the
    high number of "don't use the brain, just click here" users, it
    will become another threat :-(
    ObiWan, May 4, 2004
    #9
  10. On Tue, 4 May 2004 19:21:51 +0200, ObiWan spoketh

    >> ><snip>
    >> >> Yes, any firewall that blocks incoming port
    >> >> 445 will prevent infection by the Sasser worm.
    >> >
    >> >As long as someone won't write a variant
    >> >of the worm spreading by email too :)
    >> >
    >> >Brain; the best firewall in the world (if one uses it)
    >> >
    >> >

    >>
    >> We can only deal with the "known knowns". The "unknown unknowns"
    >> we'll have to leave for Mr. Rumsfeld...

    >
    >Uh .. bad day ?!? I was just putting a little sarcasm there :) !!


    Sorry, I thought my "unknown unknowns" comment was fairly humorous ...

    >
    >> Currently, the Sasser worm only spreads by exploiting the LSASS buffer
    >> overflow vulnerability through port 445.

    >
    >Yes, got some "proof of concept" code here, know how it works :-/
    >
    >> Sasser.D now also sends an ICMP echo request, which will certainly show
    >> up in many more logs :(

    >
    >That's what I was saying. I don't think it would take too much
    >before we'll see a "mail spreading" variant; then, due to the
    >high number of "don't use the brain, just click here" users, it
    >will become another threat :-(
    >
    >


    I expect there will be another worm exploiting the LSASS vulnerability
    (as well as other vulnerabilities listed in MS04-011) that'll be
    delivered through e-mail. Can't speculate on if it'll be a Sasser
    variation or not, but I'm almost willing to bet the farm that we'll see
    it by the end of the week...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
    Lars M. Hansen, May 4, 2004
    #10
  11. Piotr Makley

    Guest

    In comp.security.misc Bill Unruh <> wrote:
    > Lars M. Hansen <> writes:


    > ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh


    > ]>If I had a firewall would that prevent the Sasser worm infecting my
    > ]>PC?
    > ]>
    > ]>I mean, if another infected system cannot see my ports because they
    > ]>are stealthed then presumably Sasser could not infect me?


    > ]Yes, any firewall that blocks incoming port 445 will prevent infection
    > ]by the Sasser worm.


    > Why is port 445 open on his system in the first place?


    Because Microsoft has it enabled and vulnerable by default.


    --
    Peter Håkanson
    IPSec Sverige ( At Gothenburg Riverside )
    Sorry about my e-mail address, but i'm trying to keep spam out,
    remove "icke-reklam" if you feel for mailing me. Thanx.
    , May 4, 2004
    #11
  12. Piotr Makley

    Bill Unruh Guest

    Lars M. Hansen <> writes:

    ]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

    ]>Lars M. Hansen <> writes:
    ]>
    ]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
    ]>
    ]>]>If I had a firewall would that prevent the Sasser worm infecting my
    ]>]>PC?
    ]>]>
    ]>]>I mean, if another infected system cannot see my ports because they
    ]>]>are stealthed then presumably Sasser could not infect me?
    ]>
    ]>]Yes, any firewall that blocks incoming port 445 will prevent infection
    ]>]by the Sasser worm.
    ]>
    ]>Why is port 445 open on his system in the first place?

    ]Port 445 is open by default on any W2K or WXP system unless you've
    ]closed it somehow. Despite the fact that we all wish people would have
    ]firewalls or at least a NAT router, we're not quite there yet...

    ?? Again, why is port 445 open anyway? You advocate that the user gets a
    firewall. Surely it would be easier just to close port 445 or any ports
    not absolutely needed than it would be to get and properly set up a
    firewall. Or are you saying it is impossible to close many ports on a
    Win machine?
    This is like an exchange: "I've got some dirt on my face." "Buy a ski mask
    so people cannot see the dirt." Why not just wash? If you cannot wash for
    some reason then maybe a ski mask would be an option, but surely advocating
    it as the first thing to do is silly.

    "Close all ports that you do not absolutely need on your machine"
    should surely be the first bit of advice. Then after you have done that
    also install a firewall for that extra bit of protection.
    Bill Unruh, May 4, 2004
    #12
  13. Piotr Makley

    Leythos Guest

    In article <c78mat$4ps$>,
    says...
    > "Close all ports that you do not absolutely need on your machine"
    > should surely be the first bit of advice. Then after you have done that
    > also install a firewall for that extra bit of protection.


    The problem is that most people don't have a clue as to how to close
    ports, setup IPSec rules, etc... Most people don't even know to enable
    the ICF on their machines.

    The best thing people can do is purchase a cheap router with NAT and use
    it from the moment they get their computer. This lets them download the
    updates, install and update the AV software, etc... before they have a
    chance to get hacked.

    I put this back on the ISPs - they provide an open connection and don't
    warn the unsuspecting public about the risks/problems. If they just
    enabled NAT by default on their routers (DSL or Cable) most of this
    problem would go away.



    --

    (Remove 999 to reply to me)
    Leythos, May 4, 2004
    #13
  14. Piotr Makley

    Wendel Guest

    Hi,

    I agree with ObiWan: why use a firewall to filter some port if it can
    be exploited in other ways??

    In this case, the "unknown" can be commonly supposed...

    Real security addresses the source of the problem, not workarounds... ;-)

    Fix the overflow in lsass.exe! :)

    ps.: A machine up2date today isn't enough.

    Regards.

    Mercenarie's Club Member => http://cdm.frontthescene.com.br
    Front The Scene Team => http://www.frontthescene.com.br
    Personal Page => http://ws.frontthescene.com.br
    Wendel, May 4, 2004
    #14
  15. On Tue, 4 May 2004 18:10:37 +0000 (UTC), Bill Unruh spoketh

    >Lars M. Hansen <> writes:
    >
    >]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh
    >
    >]>Lars M. Hansen <> writes:
    >]>
    >]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
    >]>
    >]>]>If I had a firewall would that prevent the Sasser worm infecting my
    >]>]>PC?
    >]>]>
    >]>]>I mean, if another infected system cannot see my ports because they
    >]>]>are stealthed then presumably Sasser could not infect me?
    >]>
    >]>]Yes, any firewall that blocks incoming port 445 will prevent infection
    >]>]by the Sasser worm.
    >]>
    >]>Why is port 445 open on his system in the first place?
    >
    >]Port 445 is open by default on any W2K or WXP system unless you've
    >]closed it somehow. Despite the fact that we all wish people would have
    >]firewalls or at least a NAT router, we're not quite there yet...
    >
    >?? Again, why is port 445 open anyway? You advocate that the user gets a
    >firewall. Surely it would be easier just to close port 445 or any ports
    >not absolutely needed than it would be to get and properly set up a
    >firewall. Or are you saying it is impossible to close many ports on a
    >Win machine?


    Yes, port 445 is difficult to close on a Windows computer. It's the
    port used by what's commonly known as "Windows Networking", which means
    sharing files and printers over a network. There are ways of closing it,
    but it takes a little reading...

    >This is like an exchange: "I've got some dirt on my face." "Buy a ski mask
    >so people cannot see the dirt." Why not just wash? If you cannot wash for
    >some reason then maybe a ski mask would be an option, but surely advocating
    >it as the first thing to do is silly.


    No comment ...

    >
    >"Close all ports that you do not absolutely need on your machine"
    >should surely be the first bit of advice. Then after you have done that
    >also install a firewall for that extra bit of protection.


    If all ports are closed, then there's little need for a firewall. If
    there are some ports left open, then the firewall will need to allow
    those ports anyways, unless the firewall is there to restrict the IP
    addresses that'll gain access or because it does protocol validation.

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
    Lars M. Hansen, May 4, 2004
    #15
  16. On Tue, 4 May 2004 18:07:15 +0000 (UTC),
    spoketh

    >In comp.security.misc Bill Unruh <> wrote:
    >> Lars M. Hansen <> writes:

    >
    >> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

    >
    >> ]>If I had a firewall would that prevent the Sasser worm infecting my
    >> ]>PC?
    >> ]>
    >> ]>I mean, if another infected system cannot see my ports because they
    >> ]>are stealthed then presumably Sasser could not infect me?

    >
    >> ]Yes, any firewall that blocks incoming port 445 will prevent infection
    >> ]by the Sasser worm.

    >
    >> Why is port 445 open on his system in the first place?

    >
    >Because Microsoft has it enabled and vulnerable by default.


    "Vulnerable by default"? What the F*** does that mean? Does that mean
    when the next vulnerability for Linux is discovered, the Microsoft camp
    can claim that Linux is "vulnerable by default"?

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
    Lars M. Hansen, May 4, 2004
    #16
  17. "Lars M. Hansen" wrote:
    >
    > On Tue, 4 May 2004 18:07:15 +0000 (UTC),
    > spoketh
    >
    > >In comp.security.misc Bill Unruh <> wrote:


    > >> Why is port 445 open on his system in the first place?

    > >
    > >Because Microsoft has it enabled and vulnerable by default.

    >
    > "Vulnerable by default"? What the F*** does that mean?


    A default environment is one which is in effect if no substitute is
    explicitly selected. Vulnerability means the presence of a weakness which is
    exposed to attack. I'm leaving it to you to combine these definitions.

    F***s set.

    Thor

    --
    http://thorweb.anta.net/ IRCnet #areena
    Thor Kottelin, May 4, 2004
    #17
  18. Piotr Makley

    Claudio Guest

    On Tue, 04 May 2004 18:11:22 GMT, Leythos <> wrote:

    >I put this back on the ISPs - they provide an open connection and don't
    >warn the unsuspecting public about the risks/problems. If they just
    >enabled NAT by default on their routers (DSL or Cable) most of this
    >problem would go away.


    The problem will not go away.
    Look at my case. My ISP (FastWeb in Italy) has implemented a somewhat
    weird solution: I am connected to their router, which has NAT enabled.
    This is not a safety choice but a must, since behind their router
    they use IPs not allocated by APNIC.
    This looks at first sight like a safe approach.
    However, if I look at the log of MY own hardware router, it is full of
    attempts to reach ports 135, 136, 137, 138, 139, 445, etc.
    They are from other users like me who are behind the same ISP
    router and are all scanning the range of IPs assigned by the ISP's
    DHCP.
    Most of these guys are infected by worms, viruses, etc., but they don't
    know it. All that is needed is one infected computer behind the ISP router
    and it will spread the problem pretty fast.

    While writing I am checking my router log. Between 21:31 and 21:37 I
    see the following attempts (in sequence): port 445, 135, 445, 135,
    445, 445. Roughly one a minute.
    Claudio, May 4, 2004
    #18
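The router-log observation in the post above, as an added example that is not part of the thread: a small Python script that parses denied-connection entries, counts hits on the Windows networking ports Claudio lists (135-139 and 445, the latter being Sasser's LSASS vector), turns "roughly one a minute" into a measured rate, and flags sources probing more than one of those ports. The log format and all addresses are constructed for the example; a real router's log lines will differ.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Ports the thread keeps returning to: MS-RPC and NetBIOS (135-139) and SMB
# over TCP (445), the port through which Sasser reached the LSASS overflow.
WINDOWS_NETWORKING_PORTS = {135: "msrpc", 137: "netbios-ns", 138: "netbios-dgm",
                            139: "netbios-ssn", 445: "microsoft-ds"}

# Constructed sample log, not Claudio's real one: the 21:31-21:37 sequence
# 445, 135, 445, 135, 445, 445 he reports, plus one unrelated outbound flow.
SAMPLE_LOG = """\
2004-05-04 21:31:02 DENY TCP 10.23.4.17:3412 -> 10.23.9.88:445
2004-05-04 21:32:10 DENY TCP 10.23.4.17:3415 -> 10.23.9.88:135
2004-05-04 21:33:41 DENY TCP 10.23.7.201:1066 -> 10.23.9.88:445
2004-05-04 21:34:05 DENY TCP 10.23.7.201:1070 -> 10.23.9.88:135
2004-05-04 21:35:57 DENY TCP 10.23.4.17:3420 -> 10.23.9.88:445
2004-05-04 21:37:13 DENY TCP 10.23.11.5:2231 -> 10.23.9.88:445
2004-05-04 21:37:30 ALLOW TCP 10.23.9.88:1055 -> 198.51.100.20:80
"""

# Made-up line format: "<date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>[A-Z]+) "
    r"(?P<proto>[A-Z]+) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")

def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "action": m["action"], "src": m["src"],
                           "dport": int(m["dport"])})
    return events

def summarise_windows_port_hits(events):
    """Count denied hits on Windows networking ports and measure their rate.

    Sources that probe more than one of these ports are reported separately:
    that pattern looks like a worm sweep rather than a stray file-sharing client.
    """
    hits = sorted((e for e in events
                   if e["action"] == "DENY" and e["dport"] in WINDOWS_NETWORKING_PORTS),
                  key=lambda e: e["ts"])
    by_port = Counter(WINDOWS_NETWORKING_PORTS[e["dport"]] for e in hits)
    by_source = Counter(e["src"] for e in hits)
    ports_per_source = defaultdict(set)
    for e in hits:
        ports_per_source[e["src"]].add(e["dport"])
    if len(hits) >= 2:
        span_min = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds() / 60
        rate = len(hits) / span_min if span_min > 0 else float("inf")
    else:
        rate = float(len(hits))  # too few hits to speak of a rate
    return {"total": len(hits), "by_port": by_port, "by_source": by_source,
            "hits_per_minute": round(rate, 2),
            "multi_port_sources": sorted(s for s, p in ports_per_source.items() if len(p) > 1)}

if __name__ == "__main__":
    for key, value in summarise_windows_port_hits(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 6 denied hits (four on 445, two on 135) at about 0.97 per minute, with two sources probing both ports.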
  19. Piotr Makley

    CyberDroog Guest

    On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley <> wrote:

    >If I had a firewall would that prevent the Sasser worm infecting my
    >PC?
    >
    >I mean, if another infected system cannot see my ports because they
    >are stealthed then presumably Sasser could not infect me?


    Yes. Provided the ports in question are closed, a firewall will prevent
    infection.

    ---
    LAWYER, n. One skilled in circumvention of the law.

    - Ambrose Bierce
    CyberDroog, May 4, 2004
    #19
  20. Lars M. Hansen wrote:

    >"Vulnerable by default"? What the F*** does that mean? Does that mean
    >when the next vulnerability for Linux is discovered, the Microsoft camp
    >can claim that Linux is "vulnerable by default"?


    Gosh, I can't remember the last remote vulnerability for Linux. Can
    you? I've been swept away by the flood of Winders vulnerabilities.
    Linux would really have to get on the ball if it's going to catch the
    MotherShip.
    Micheal Robert Zium, May 4, 2004
    #20
