[Full-Disclosure] Re: [Dshield] new msblaster on the loose?

Jonathan Rickman jonathan at xcorps.net
Mon Aug 18 15:31:55 GMT 2003


On Monday 18 August 2003 10:20, Redaktion - Kryptocrew wrote:
> hi list,
>
> take a look at trendmicro, that's new:
> http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=55745&VName=WORM_MSBLAST.D&VSect=T

Let's see...

Does it magically boot the system off known good media to check for 
rootkits/backdoors/trojans/[insert favorite evil here]??? 

No.

Does it magically monitor the traffic to and from the machine for a 
reasonable period of time to ensure that nothing is amiss???

No.

Does it reinstall the host OS from the original media and restore the last 
known good backup???

No.

So...what does it do? 

It patches the hole and wipes out the worm if present, then deletes itself 
in 2004. Great...except, MSBlaster wasn't the only thing that took 
advantage of the RPC/DCOM exploit. Oops. Now the system administrator has 
no cause to take any of the above steps because from his view, sitting in 
his office running the latest eEye scanner, the machine was never 
vulnerable.


When will folks figure out that these so-called "good worms" are not a good 
thing? The failure of the author to take note of such fundamental flaws in 
his or her logic suggests that they have no business doing anything, much 
less volunteering to correct the world's problems. Of course, this could be 
a deliberate cover-up...but somehow I think it's just another security 
cowboy trying to save the world.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

