Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lessons Learned From Blaster

Posted by timothy on from the evil-compounds-itself dept.

CowboyRobot writes "It's been nearly a year since Blaster struck, causing hundreds of millions of dollars in fixes and lost revenue. Jim Morrison of Symantec goes step-by-step in looking at how the Blaster worm got out of control so quickly, and what lessons can be learned from that event, by studying how one utility company dealt with it." The story is written as a fun, technothriller narrative; here's an snippet: "The laptops, usually out in the field, were always a hit-and-miss proposition to find on the network and deliver a patch or to have the user take the machine to a field office. That meant that on the 16th they could see a flood of traffic launched against Microsoft. The second phase of Blaster, launching a DoS (denial of service) attack against windowsupdate.com, was imminent."

4 of 312 comments (clear)

  1. Re:How many times do people have to be told by keefey · · Score: 5, Insightful

    I thought Blaster was a RPC virus, i.e. not one broacast via email? I'm sure that's the one that got me a couple of times before I installed a decent firewall (you have 5 seconds to close all work...). Bloody swine of a thing it was - I'd always seem to be winning at Counterstrike too! (Well, that was my excuse, anyway)

  2. Contractor Laptop by eltoyoboyo · · Score: 5, Insightful

    A contractor using the guest offices brought Blaster inside. His laptop infected the security-counter image-storage system, which then found its way to the HR server. That in turn spawned the infections to the HR XP laptops where the patch failed.

    The first thing you learn in ANY security job is that most breaches are from the inside.

    As someone standing right behind the front lines, I will tell you that employees with laptops are the worst. Most end up with administrator access (not that hard to crack if you don't have it). And the fact that they bring their computers home and on the road makes them feel a certain entitlement to install whatever they feel like. Contractors are even worse, since most of the time these laptops ARE their personal PCs. Desktops and servers inside the DMZ are the least likely originators of malware. (Not to say you couldn't surf pr0n on the company mail server as an admin. But then you deserve what you get.)

    Network admins need to lock down MAC addresses and start treating their network like the PBX folks. Nothing gets wired except approved company equipment.

    --
    Have you Meta Moderated t
  3. A little too secure for our own good... by LostCluster · · Score: 5, Insightful

    A key paragraph in the story...
    "We had to do some research, but we found out that the way we locked down the users prevented the patch from running properly," lamented one of the policy admins. "What we discovered was that the software restriction policy for the local computer allowed only local computer administrators to select trusted publishers. Because our patch agent ran as a pseudo user, the agent did not have the necessary rights. This was causing the failure. We changed the group policy for the HR systems so that we can patch remotely from now on."

    Sometimes, locking your system too tightly ends up locking the keys in the car. When you really need something to run, it doesn't...

  4. Included in TCO? by Quixote · · Score: 5, Insightful
    Every time a "Linux -vs- Microsoft" study comes out (for example , or see this), I never see any mention of the costs of these combatting these virii, even though virii have been plaguing MS systems from the DOS days. Why don't these "studies" include the cost of re-installing infected machines, anti-virus software, firewall software, continuous monitoring, etc. ?

    On the one hand, virus writers are aggressively pursued and prosecuted with claimed damages of billions of dollars; on the other hand, these losses are not included in the TCO of Windows! What gives?