[Dshield] DCOM morning after

Ben Robson ben at robson.ph
Tue Aug 12 16:23:07 GMT 2003


OK,

We're going the next layer in towards techie here....

Yes, the worm could burrow its way in via a VPN or a WAN.

I would make two points here.

If an organisation has investigated and implemented a VPN solution, then 
at some point they have given consideration to security, otherwise 
they'd just allow Citrix (or some such tool) clear text over the wire.  
Assuming they have given -some- thought to security I would hope that 
they don't just plug the VPN straight in to their internal network.  I 
would also hope that they don't allow the user of the other VPN end 
point to exist without a firewall.  If this is done they may as well not 
have a firewall at all.

Regarding WAN links, yes there is a much more historical reason for 
these existing in the corporate network.  The trick here I think is to 
improve the nature of the education we give the corporate community to 
treat all networks not physically connected to their LAN as "external" 
and as such need to be on the other side of some sort of firewalling 
capability.

The combined point that needs to be put to the community is to run by the 
rule, "If it didn't originate on your LAN, treat it as hostile until it 
proves otherwise."  In other words ensure all data originating from 
outside your LAN environment crosses some sort of border protection 
prior to entry on to the network.  Even if it comes via trusted WAN, 
VPN, leased line, PPP, diskette, CD, printer and scanner.

Having said all this I am still seeing postings from -large- numbers of 
people speaking about their place of employment being infected.  This 
says to me that organisations in recent history are still connecting 
devices direct to the 'net with -no- protection in place at all.

BenR.
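The rule above ("if it didn't originate on your LAN, treat it as hostile") together with the port-135 infection path from the earlier message in this thread can be turned into a concrete log check. What follows is an added example, not part of the thread and not anyone's posted code: it parses firewall log lines written in the key=value style of the Linux iptables LOG target (the sample lines are constructed), and separates inbound port-135 probes that the border should be dropping from internal hosts that are themselves trying to reach port 135 outward or laterally, which is the symptom of a machine already infected. The LAN prefix 10.1.0.0/16, the interface names and the log prefixes are assumptions.

```python
"""Triage firewall log lines for TCP/135 (DCOM RPC) traffic.

Added example: assumes iptables LOG-style key=value records and a single
LAN prefix. Everything in SAMPLE_LOG is constructed for the demonstration.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("10.1.0.0/16")  # assumption: the site's own LAN
DCOM_PORT = 135

# Matches tokens like SRC=10.1.5.20 or OUT= (empty value allowed).
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in iptables LOG-target style.
SAMPLE_LOG = [
    "Aug 12 08:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=10.1.2.3 LEN=48 PROTO=TCP SPT=3011 DPT=135 SYN",
    "Aug 12 08:01:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.1.2.9 LEN=48 PROTO=TCP SPT=4120 DPT=135 SYN",
    "Aug 12 08:02:10 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.1.5.20 DST=192.0.2.77 LEN=48 PROTO=TCP SPT=1044 DPT=135 SYN",
    "Aug 12 08:02:11 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.1.5.20 DST=192.0.2.78 LEN=48 PROTO=TCP SPT=1045 DPT=135 SYN",
    "Aug 12 08:02:12 fw kernel: FW-DROP: IN=eth1 OUT=eth2 SRC=10.1.5.20 DST=10.1.9.4 LEN=48 PROTO=TCP SPT=1046 DPT=135 SYN",
    "Aug 12 08:03:00 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=10.1.5.21 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=1100 DPT=80 SYN",
]


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def classify(fields, lan=LAN):
    """Classify one parsed record with respect to TCP/135.

    Returns one of:
      'inbound-scan'       external source -> LAN host (border should drop it)
      'outbound-infected'  LAN host -> outside world (source is likely infected)
      'lateral'            LAN host -> LAN host (worm spreading inside)
      'transit'            neither end on the LAN (e.g. VPN/WAN peer traffic)
      None                 not TCP/135, ignored
    """
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(DCOM_PORT):
        return None
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if src in lan and dst in lan:
        return "lateral"
    if src in lan:
        return "outbound-infected"
    if dst in lan:
        return "inbound-scan"
    return "transit"


def triage(lines, lan=LAN):
    """Count records per class and list LAN hosts that originate port-135 traffic.

    Returns (counts, suspects): counts is a Counter keyed by class name,
    suspects is a Counter of internal source addresses that should be
    isolated and checked for infection.
    """
    counts = Counter()
    suspects = Counter()
    for line in lines:
        fields = parse_line(line)
        kind = classify(fields, lan)
        if kind is None:
            continue
        counts[kind] += 1
        if kind in ("outbound-infected", "lateral"):
            suspects[fields["SRC"]] += 1
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_LOG)
    print("per-class counts:", dict(counts))
    print("internal hosts originating TCP/135:", dict(suspects))
```

The two inbound probes are what a border filter is expected to absorb; the internal host 10.1.5.20 appearing three times as a source is the finding that matters, since a workstation has no business initiating port-135 connections to the outside or to other LAN segments.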



Mark Squire wrote:

>You would think so, however what about VPN's, and WAN links?  Both can
>sometimes circumvent firewall security depending on how they are set up.
>
>>-----Original Message-----
>>From: Ben Robson [mailto:ben at robson.ph] 
>>Sent: Tuesday, August 12, 2003 8:04 AM
>>To: General DShield Discussion List
>>Subject: Re: [Dshield] DCOM morning after
>>
>>
>>Am I the only one -stunned- by the number of companies and professional 
>>organisations being infected by this worm?
>>
>>Given its infection path is via port 135, and nobody should be 
>>permitting this in to or out of their network (filtered at the firewall) 
>>this should only be impacting home users (who are less likely to have a 
>>firewall).
>>
>>What the number of organisational infections tells me is how many 
>>organisations -still- don't run even the most rudimentary of 
>>firewalls.
>>
>>I think some shareholders who get wind of their companies being infected 
>>should hang their directors out to dry on this one.
>>
>>BenR.
>>
>>Stephane Grobety wrote:
>>
>>>Hello Jonathan,
>>>
>>>Tuesday, August 12, 2003, 3:50:22 PM, you wrote:
>>>
>>>JR> Received: from iceman.incidents.org ([63.100.47.43])
>>>JR>         by mail.fulgan.com (Merak 6.0.3) with SMTP id JHA74159
>>>JR>         for <security at admin.fulgan.com>; Tue, 12 Aug 2003 16:08:15 +0200
>>>JR> Received: (qmail 16700 invoked from network); 12 Aug 2003 14:06:40 -0000
>>>JR> Received: from chipper2-int (HELO viper.incidents.org) (10.36.0.2)
>>>JR>   by 0 with SMTP; 12 Aug 2003 14:06:40 -0000
>>>JR> Received: from localhost.localdomain (chipper2 [127.0.0.1])
>>>JR> 	by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h7CE6bH23486;
>>>JR> 	Tue, 12 Aug 2003 10:06:37 -0400
>>>JR> Received: from dshield.org (charlie [10.51.0.11])
>>>JR> 	by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h7CDoXH22100
>>>JR> 	for <list at viper.uunet>; Tue, 12 Aug 2003 09:50:34 -0400
>>>JR> Received: (qmail 27268 invoked from network); 12 Aug 2003 13:50:28 -0000
>>>JR> Received: from mta01.alltel.net (HELO mta01-srv.alltel.net) (166.102.165.143)
>>>JR>   by 0 with SMTP; 12 Aug 2003 13:50:28 -0000
>>>JR> Received: from abacus.xcorps.net ([166.102.231.57]) by mta01-srv.alltel.net
>>>JR>           with ESMTP
>>>JR>           id <20030812135024.TNGL17462.mta01-srv.alltel.net at abacus.xcorps.net>
>>>JR>           for <list at dshield.org>; Tue, 12 Aug 2003 08:50:24 -0500
>>>JR> From: Jonathan Rickman <jonathan at xcorps.net>
>>>JR> Organization: X Corps Security
>>>JR> To: General DShield Discussion List <list at dshield.org>
>>>JR> Subject: Re: [Dshield] DCOM morning after
>>>JR> Date: Tue, 12 Aug 2003 09:50:22 -0400
>>>JR> User-Agent: KMail/1.5.9.1i
>>>JR> References: <9F3B43C638622B45B013654517B61D9B0773A9 at banana-jr-6k.nmefdn.org>
>>>JR> In-Reply-To: <9F3B43C638622B45B013654517B61D9B0773A9 at banana-jr-6k.nmefdn.org>
>>>JR> MIME-Version: 1.0
>>>JR> Content-Disposition: inline
>>>JR> Content-Type: text/plain;
>>>JR>   charset="iso-8859-1"
>>>JR> Content-Transfer-Encoding: 7bit
>>>JR> Message-Id: <200308120950.22228.jonathan at xcorps.net>
>>>JR> X-Envelope-To: list at dshield.org
>>>JR> X-Mailman-Approved-At: Tue, 12 Aug 2003 10:03:26 -0400
>>>JR> X-BeenThere: list at dshield.org
>>>JR> X-Mailman-Version: 2.1
>>>JR> Precedence: list
>>>JR> Reply-To: General DShield Discussion List <list at dshield.org>
>>>JR> List-Id: General DShield Discussion List <list.dshield.org>
>>>JR> List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
>>>JR> 	<mailto:list-request at dshield.org?subject=unsubscribe>
>>>JR> List-Archive: <http://www.dshield.org/pipermail/list>
>>>JR> List-Post: <mailto:list at dshield.org>
>>>JR> List-Help: <mailto:list-request at dshield.org?subject=help>
>>>JR> List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
>>>JR> 	<mailto:list-request at dshield.org?subject=subscribe>
>>>JR> Sender: list-bounces at dshield.org
>>>JR> Errors-To: list-bounces at dshield.org
>>>
>>>JR> On Tuesday 12 August 2003 09:07, Paul Marsh wrote:
>>>
>>>>>Good Morning All:
>>>
>>>JR> There have been several reports on the incidents list suggesting 
>>>JR> that patched machines are being infected in some cases.
>>>
>>>The reason behind this is that windows update only uses the registry to 
>>>verify whether a patch has been applied or not. If a user has used 
>>>windows restore point or has installed patches out of order, then it 
>>>might be that the machine is vulnerable again, but windows update won't 
>>>detect this.
>>>
>>>To correct the problem, you can either use one of the free DCOM 
>>>vulnerability scanners available and manually re-patch all vulnerable 
>>>machines or you can use a tool like HFNetChk to do the job for you (it 
>>>will do a checksum and version check on the files, not trust the 
>>>registry).
>>>
>>>That, at least, fixed all machines on my network that were still 
>>>vulnerable even after being patched. However, if anyone has actually 
>>>SEEN a machine that is still vulnerable after it was patched (and by 
>>>that, I mean the last thing you've done on it was manually applied the 
>>>patch or you've checked the version and checksum of the involved files 
>>>so you KNOW they are the good ones), then I'd very much like to hear 
>>>about it.
>>>
>>>Good luck,
>>>Stephane
>>>
>>_______________________________________________
>>list mailing list
>>list at dshield.org
>>To change your subscription options (or unsubscribe), see: 
>>http://www.dshield.org/mailman/listinfo/list
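Stephane's point in the quoted message, that a registry entry claiming "patched" can be stale after a restore point or an out-of-order install while the file on disk tells the truth, is easy to demonstrate. The following is an added example, not from the thread and not HFNetChk's own logic: it compares a host's claimed patch state against the SHA-256 of the files the patch is supposed to have replaced, and flags the case where the two disagree. Only the checksum half of the check is shown (HFNetChk also compares file versions, per the message). The patch id PATCH-DCOM-EXAMPLE, the file name dcom-component.dll, the file contents and the per-host registry dictionaries are all constructed stand-ins.

```python
"""Verify patch state from file checksums, not from a registry flag.

Added example: three constructed 'hosts' are created in a temp directory.
host-a is genuinely patched, host-b was rolled back by a restore point but
its registry still claims the patch, host-c never installed it. The patch
id and file name are placeholders, not real Microsoft identifiers.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for the patched and pre-patch file contents.
GOOD_BYTES = b"dcom-component.dll: post-patch build (constructed)"
OLD_BYTES = b"dcom-component.dll: pre-patch build (constructed)"

# Manifest: for each patch id, the relative path of every file it ships and
# the SHA-256 that file must have once the patch is really applied.
MANIFEST = {
    "PATCH-DCOM-EXAMPLE": {
        "system32/dcom-component.dll": hashlib.sha256(GOOD_BYTES).hexdigest(),
    },
}


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_host(host_root, registry, manifest=MANIFEST):
    """Compare what the host claims with what its files actually contain.

    registry: {patch_id: bool} as recorded on the host (untrusted).
    Returns {patch_id: 'ok' | 'stale' | 'not-installed'}, where 'stale'
    means the registry says patched but a shipped file is missing or has
    the wrong checksum: the case that fools a registry-only check.
    """
    results = {}
    for patch_id, files in manifest.items():
        files_ok = all(
            os.path.exists(os.path.join(host_root, rel))
            and sha256_of(os.path.join(host_root, rel)) == expected
            for rel, expected in files.items()
        )
        if files_ok:
            results[patch_id] = "ok"
        elif registry.get(patch_id, False):
            results[patch_id] = "stale"
        else:
            results[patch_id] = "not-installed"
    return results


def build_demo(root):
    """Lay out the three constructed hosts under root and return their state."""
    layout = {
        "host-a": (GOOD_BYTES, True),   # patched, registry correct
        "host-b": (OLD_BYTES, True),    # rolled back, registry still says patched
        "host-c": (OLD_BYTES, False),   # never patched, registry honest
    }
    hosts = {}
    for name, (content, claimed) in layout.items():
        host_root = os.path.join(root, name)
        os.makedirs(os.path.join(host_root, "system32"), exist_ok=True)
        with open(os.path.join(host_root, "system32", "dcom-component.dll"), "wb") as handle:
            handle.write(content)
        hosts[name] = {"root": host_root, "registry": {"PATCH-DCOM-EXAMPLE": claimed}}
    return hosts


def run_demo():
    """Build the hosts in a temp dir and return {host: verify_host(...)}."""
    with tempfile.TemporaryDirectory() as root:
        hosts = build_demo(root)
        return {name: verify_host(h["root"], h["registry"]) for name, h in hosts.items()}


if __name__ == "__main__":
    for host, status in run_demo().items():
        print(host, status)
```

host-b is the machine the thread is talking about: its registry would satisfy a registry-only update check, yet the file on disk is the pre-patch build, so it must be re-patched.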
