[unisog] zotob and returning students, what are you going to do?

Ken Connelly Ken.Connelly at uni.edu
Fri Aug 19 17:16:08 GMT 2005


I think you've got a couple different things confused.  As I understand 
it, Zotob goes after the MS05_039 vuln, which seems to be pretty well 
protected by XP SP2.  And msdss.dll is related to the IE vuln.  I don't 
think that XP SP2 buys you any protection for the msdss vuln.

- ken

Mark Wilson wrote:

>Can someone clarify some things about this vulnerability and remediation
>measures?  According to http://isc.sans.org/ "You are only vulnerable if
>you have msdds.dll installed on your system.   The vulnerable version
>is: 7.0.9064.9112 . Later versions are not vulnerable (in particular
>7.10.x)"
>
>A couple of questions:
>1. Is Windows XP SP2 vulnerable (seems like I have read it is not
>vulnerable)?  What if the vulnerable version of msdds.dll is on the XP
>box?
>2. If the NON-vulnerable dll is installed, does the kill bit have to
>be set?
>
>Mark Wilson
>GCIA, CISSP #53153
>Network Security Specialist
>Auburn University
>(334) 844-9347
>
>  
>
>>>>marchany at vt.edu wrote on 8/19/2005 9:12:20 AM:
>>
>>whatever the problems with XP, the majority of zotob hits here have been on
>>faculty/staff systems not student systems. We're in the middle of student
>>checkin and most of the students have XP SP2 systems. They also have to run a
>>VTNET CD before they connect to our net. That CD makes sure the FW is up, auto
>>updates are set and the latest AV software is installed. We're hoping our
>>security sessions during freshman orientation have taken hold. They appear to
>>have done so last year.
>>
>>We're using the York U scanner and Nessus plugins to sweep our nets hourly.
>>
>>Of course, we have to deal with vendor software that enables exceptions for
>>the FW.....
>>
>>	-r.
>>
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org 
>>http://www.dshield.org/mailman/listinfo/unisog

-- 
- Ken
=================================================================
Ken Connelly Systems and Operations Manager, ITS Network Services
University of Northern Iowa           Cedar Falls, IA  50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850   fax: (319) 273-7373

It's much more important to know what you don't know than what you do know!



