[unisog] windows networking and udp 1026
eckman at umn.edu
Wed Dec 3 22:06:56 GMT 2003
Peter Moody wrote:
>>The traffic seems to have been related to a malware species that sends
>>pop-up spam inviting folks to download a free pop-up spam blocker. The
>>blocker is likely a Trojan horse that causes the victim's computer to begin
>>sending pop-up spam.
> I'm aware of what *this* popup scam did, but what I'm wondering about is
> future attacks. Is udp/1026 another vector for blaster like viruses?
> Is this another proto/port pair that needs to be blocked like tcp/135 or

From what I understand, yes, it is. I *think* that it is possible for a
worm to be crafted that sends itself over UDP like SQL Slammer. If not,
it certainly is possible for something to spread itself via this
vulnerability in a fashion similar to Blaster, where other components
such as tftp are used to help spread it.

If you don't want to take my word for it, Microsoft themselves have
called it "wormable" (Google: microsoft wormable messenger). If such a
worm made it into the wild and were to try a range of UDP ports such as
1026-1050, we will probably all notice, even if none of our hosts are
vulnerable or if all UDP ports selected are firewalled.

Even if a worm is never made, we still have to worry about the kiddies
using already publicly accessible exploit code, or even more advanced
attacks from those who have (possibly created their own) exploit code.

OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
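
An added example, not part of the original post: one way to notice the kind of UDP 1026-1050 sweep described above from border firewall logs, including probes that were dropped. The log line format, addresses, and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample border-firewall log; the line format is hypothetical.
SAMPLE_LOG = """\
2003-12-03T22:01:10 DENY udp 198.51.100.7:4021 -> 192.0.2.10:1026
2003-12-03T22:01:10 DENY udp 198.51.100.7:4021 -> 192.0.2.11:1026
2003-12-03T22:01:11 DENY udp 198.51.100.7:4022 -> 192.0.2.12:1027
2003-12-03T22:01:11 DENY udp 198.51.100.7:4023 -> 192.0.2.13:1028
2003-12-03T22:01:12 ALLOW udp 203.0.113.5:53 -> 192.0.2.10:1026
2003-12-03T22:01:13 DENY tcp 198.51.100.7:4030 -> 192.0.2.10:135
2003-12-03T22:01:14 DENY udp 198.51.100.7:4031 -> 192.0.2.14:53
"""

LINE_RE = re.compile(
    r"^\S+ (?:ALLOW|DENY) (udp|tcp) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
SWEEP_PORTS = range(1026, 1051)  # UDP 1026-1050, the range named in the post


def find_sweepers(log_text, min_hosts=3, min_ports=2):
    """Return {src: (distinct_dst_hosts, sorted_ports)} for sources probing
    many hosts on several UDP ports in SWEEP_PORTS. Denied packets count too:
    a sweep is visible at the border even when every probe is dropped."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        proto, src, dst = m.group(1), m.group(2), m.group(3)
        dport = int(m.group(4))
        if proto == "udp" and dport in SWEEP_PORTS:
            hosts[src].add(dst)
            ports[src].add(dport)
    # Thresholds (assumed values) keep one-off hits out: ports just above
    # 1024 are also ordinary client source ports, so a lone DNS reply
    # arriving on 1026 is normal traffic.
    return {s: (len(hosts[s]), sorted(ports[s])) for s in hosts
            if len(hosts[s]) >= min_hosts and len(ports[s]) >= min_ports}


if __name__ == "__main__":
    for src, (n_hosts, dports) in find_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {n_hosts} hosts probed on UDP ports {dports}")
```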