Would a firewall prevent Sasser worm?

Discussion in 'Computer Security' started by Piotr Makley, May 4, 2004.

  1. Piotr Makley

    Piotr Makley Guest

    If I had a firewall would that prevent the Sasser worm infecting my
    PC?

    I mean, if another infected system cannot see my ports because they
    are stealthed then presumably Sasser could not infect me?
     
    Piotr Makley, May 4, 2004
    #1

  2. On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
    Yes, any firewall that blocks incoming port 445 will prevent infection
    by the Sasser worm.

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
     
    Lars M. Hansen, May 4, 2004
    #2

  3. Piotr Makley

    zz Guest

    From Microsoft: "Customers who have enabled the Windows XP Firewall are
    protected from the vector this worm attacks, which is TCP Port 139.
    Most third party firewalls also block this attack vector by default."

    g-w
     
    zz, May 4, 2004
    #3
  4. Piotr Makley

    ObiWan Guest

    As long as someone won't write a variant
    of the worm spreading by email too :)

    Brain; the best firewall in the world (if one uses it)
     
    ObiWan, May 4, 2004
    #4
  5. On Tue, 4 May 2004 14:25:28 +0200, ObiWan spoketh
    We can only deal with the "known knowns". The "unknown unknowns" we'll
    have to leave for Mr. Rumsfeld...

    Currently, the Sasser worm only spreads by exploiting the LSASS buffer
    overflow vulnerability through port 445.

    Sasser.D now also sends an ICMP echo request, which will certainly show
    up in many more logs :(

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, May 4, 2004
    #5
  6. Piotr Makley

    Bill Unruh Guest

    ]If I had a firewall would that prevent the Sasser worm infecting my
    ]PC?

    ]I mean, if another infected system cannot see my ports because they
    ]are stealthed then presumably Sasser could not infect me?

    Sasser cannot infect you if you do not run Windows. Sasser cannot
    infect you if you install the patch from Microsoft. A firewall might
    help, but if you insist on not doing the first two you will always be in
    danger. Note that a firewall has nothing to do with "stealthing" your
    ports. It simply rejects all attempts to connect to ports except those
    you deliberately open. You can do the same by not opening any ports
    except those you absolutely need in the first place. What ports are open
    on your system? Do you know?
     
    Bill Unruh, May 4, 2004
    #6
  7. Piotr Makley

    Bill Unruh Guest

    ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

    ]>If I had a firewall would that prevent the Sasser worm infecting my
    ]>PC?
    ]>
    ]>I mean, if another infected system cannot see my ports because they
    ]>are stealthed then presumably Sasser could not infect me?

    ]Yes, any firewall that blocks incoming port 445 will prevent infection
    ]by the Sasser worm.

    Why is port 445 open on his system in the first place?
     
    Bill Unruh, May 4, 2004
    #7
  8. On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh
    Port 445 is open by default on any W2K or WXP system unless you've
    closed it somehow. Despite the fact that we all wish people would have
    firewalls or at least a NAT router, we're not quite there yet...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, May 4, 2004
    #8
  9. Piotr Makley

    ObiWan Guest

    Uh .. bad day ?!? I was just putting a little sarcasm there :) !!
    Yes, got some "proof of concept" code here, know how it works :-/
    That's what I was saying; I don't think it would take too much
    before we'll see a "mail spreading" variant, then, due to the
    high number of "don't use the brain, just click here" users it
    will become another threat :-(
     
    ObiWan, May 4, 2004
    #9
  10. On Tue, 4 May 2004 19:21:51 +0200, ObiWan spoketh
    Sorry, I thought my "unknown unknowns" comment was fairly humorous ...
    I expect there will be another worm exploiting the LSASS vulnerability
    (as well as other vulnerabilities listed in MS04-011) that'll be
    delivered through e-mail. Can't speculate on if it'll be a Sasser
    variation or not, but I'm almost willing to bet the farm that we'll see
    it by the end of the week...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, May 4, 2004
    #10
  11. Piotr Makley

    phn Guest

    Because Microsoft has it enabled and vulnerable by default.
     
    phn, May 4, 2004
    #11
  12. Piotr Makley

    Bill Unruh Guest

    ]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

    ]>
    ]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
    ]>
    ]>]>If I had a firewall would that prevent the Sasser worm infecting my
    ]>]>PC?
    ]>]>
    ]>]>I mean, if another infected system cannot see my ports because they
    ]>]>are stealthed then presumably Sasser could not infect me?
    ]>
    ]>]Yes, any firewall that blocks incoming port 445 will prevent infection
    ]>]by the Sasser worm.
    ]>
    ]>Why is port 445 open on his system in the first place?

    ]Port 445 is open by default on any W2K or WXP system unless you've
    ]closed it somehow. Despite the fact that we all wish people would have
    ]firewalls or at least a NAT router, we're not quite there yet...

    ?? Again, why is port 445 open anyway? You advocate that the user gets a
    firewall. Surely it would be easier just to close port 445 or any ports
    not absolutely needed than it would be to get and properly set up a
    firewall. Or are you saying it is impossible to close many ports on a
    Win machine?
    This is like an exchange: "I've got some dirt on my face" "Buy a ski mask so people
    cannot see the dirt". Why not just wash? If you cannot wash for some
    reason then maybe a ski mask would be an option, but surely advocating it
    as the first thing to do is silly.

    "Close all ports that you do not absolutely need on your machine"
    should surely be the first bit of advice. Then after you have done that
    also install a firewall for that extra bit of protection.
     
    Bill Unruh, May 4, 2004
    #12
  13. Piotr Makley

    Leythos Guest

    The problem is that most people don't have a clue as to how to close
    ports, setup IPSec rules, etc... Most people don't even know to enable
    the ICF on their machines.

    The best thing people can do is purchase a cheap router with NAT and use
    it from the moment they get their computer. This lets them download the
    updates, install and update the AV software, etc... before they have a
    chance to get hacked.

    I put this back on the ISP's - they provide a open connection and don't
    warn the unsuspecting public about the risk/problems. If they just
    enabled NAT by default on their routers (DSL or Cable) most of this
    problem would go away.
     
    Leythos, May 4, 2004
    #13
  14. Piotr Makley

    Wendel Guest

    Hi,

    I agree with ObiWan: why use a firewall to filter some port if it can
    be exploited in other ways ??

    In this case, the "unknown" can be commonly supposed...

    Real security addresses the source problem, not workarounds... ;-)

    Fix the overflow in lsass.exe! :)

    ps.: A machine up2date today isn't enough.

    Regards.

    Mercenarie's Club Member => http://cdm.frontthescene.com.br
    Front The Scene Team => http://www.frontthescene.com.br
    Personal Page => http://ws.frontthescene.com.br
     
    Wendel, May 4, 2004
    #14
  15. On Tue, 4 May 2004 18:10:37 +0000 (UTC), Bill Unruh spoketh
    Yes, port 445 is difficult to close on a Windows computer. It's the
    port used by what's commonly known as "Windows Networking", which means
    sharing files and printers over a network. There are ways of closing it,
    but it takes a little reading...
    No comment ...
    If all ports are closed, then there's little need for a firewall. If
    there are some ports left open, then the firewall will need to allow
    those ports anyways, unless the firewall is there to restrict the IP
    addresses that'll gain access or because it does protocol validation.

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, May 4, 2004
    #15
  16. On Tue, 4 May 2004 18:07:15 +0000 (UTC),
    spoketh
    "Vulnerable by default"? What the F*** does that mean? Does that mean
    when the next vulnerability for Linux is discovered, the Microsoft camp
    can claim that Linux is "vulnerable by default"?

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, May 4, 2004
    #16
  17. A default environment is one which is in effect if no substitute is
    explicitly selected. Vulnerability means the presence of a weakness which is
    exposed to attack. I'm leaving it to you to combine these definitions.

    F***s set.

    Thor
     
    Thor Kottelin, May 4, 2004
    #17
  18. Piotr Makley

    Claudio Guest

    The problem will not go away.
    Look at my case. My ISP (FastWeb in Italy) has implemented a somewhat
    weird solution: I am connected to their router which has NAT enabled.
    This is not a safety choice but a must, since behind their router
    they use IPs not allocated by APNIC.
    This looks at first sight a safe approach.
    However, if I look at the log of MY own hardware router, it is full of
    attempts to reach ports 135, 136, 137, 138, 139, 445, etc.
    They are from other users like me who are behind the same ISP
    router and are all scanning in the range of IPs assigned by the ISP's
    DHCP.
    Most of these guys are infected by worms, viruses, etc., but they don't
    know it. All that is needed is one infected computer behind the ISP router
    and it will spread the problem pretty fast.

    While writing I am checking my router log. Between 21:31 and 21:37 I
    see the following attempts (in sequence) : port 445, 135, 445, 135,
    445, 445. Roughly one a minute.
     
    Claudio, May 4, 2004
    #18
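    The scanning pattern Claudio describes (repeated hits on ports 445 and 135 from neighbouring hosts, plus the ICMP echo Lars notes for Sasser.D) can be triaged from a router block log. This is an added example, not code from the thread; the log format, addresses and timestamps are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of a home-router block log (one hit on
# 445 or 135 roughly every minute, as Claudio reports); not a real capture.
ROUTER_LOG = """\
May 04 21:31:12 DROP TCP 10.0.5.23:1138 -> 10.0.5.77:445
May 04 21:32:05 DROP TCP 10.0.5.23:1140 -> 10.0.5.77:135
May 04 21:33:01 DROP TCP 10.0.5.23:1141 -> 10.0.5.77:445
May 04 21:33:40 DROP ICMP 10.0.5.91 -> 10.0.5.77 type=8
May 04 21:34:10 DROP TCP 10.0.5.91:1025 -> 10.0.5.77:445
May 04 21:35:22 DROP TCP 10.0.5.23:1143 -> 10.0.5.77:135
May 04 21:36:48 DROP TCP 10.0.5.23:1145 -> 10.0.5.77:445
May 04 21:37:15 DROP TCP 10.0.5.102:2231 -> 10.0.5.77:80
"""

TCP_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d DROP TCP (\S+):\d+ -> \S+:(\d+)$")
ICMP_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d DROP ICMP (\S+) -> \S+ type=8$")

# Port 445 is the LSASS vector named in the thread; 135 and 139 are the
# Windows-networking neighbours that infected hosts also probe.
WORM_PORTS = {445, 135, 139}

def parse(log):
    """Yield (source_ip, kind), where kind is a destination port or 'icmp-echo'."""
    for line in log.splitlines():
        m = TCP_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2))
            continue
        m = ICMP_RE.match(line)
        if m:
            yield m.group(1), "icmp-echo"

def suspect_sources(log, min_hits=2):
    """Return {source_ip: hits} for sources hitting worm ports at least min_hits times.

    An ICMP echo only counts when the same host also probed 445 (the Sasser.D
    pattern), so hosts that merely ping are not flagged."""
    hits = defaultdict(Counter)
    for src, kind in parse(log):
        hits[src][kind] += 1
    result = {}
    for src, c in hits.items():
        port_hits = sum(n for k, n in c.items() if k in WORM_PORTS)
        if c[445] and c["icmp-echo"]:
            port_hits += c["icmp-echo"]
        if port_hits >= min_hits:
            result[src] = port_hits
    return result
```

    Sources that appear here are candidates to be patched (MS04-011) and cleaned, not just blocked; the firewall only hides the hole.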
  19. Piotr Makley

    CyberDroog Guest

    Yes. Provided the ports in question are closed, a firewall will prevent
    infection.
     
    CyberDroog, May 4, 2004
    #19
  20. Gosh, I can't remember the last remote vulnerability for Linux. Can
    you? I've been swept away by the flood of Winders vulnerabilities.
    Linux would really have to get on the ball if it's going to catch the
    MotherShip.
     
    Micheal Robert Zium, May 4, 2004
    #20