Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS05-039 Worm in the Wild

Posted by CmdrTaco on from the brace-for-impact dept.

An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.

2 of 252 comments (clear)

  1. Re:What drives people to do this... by RAMMS+EIN · · Score: 5, Interesting

    What drives them is probably a sense of achievement. By creating a working worm they can prove something to themselves, their friends, and/or the world. And it seems to work, some people got security jobs because of the exploits they made.

    As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here. Things that probably help:

      - give more publicity to when these guys are caught and what they are sentenced to, rather than to how much damage they did
      - make it harder to write worms in the first place. Many worm writers aren't extremely brilliant programmers, so chances are this would cause more worms to fail
      - don't give them jobs after they are caught, unless they really deserve them! Just because they can write and release a worm, doesn't mean nobody else can. Better reward the people who can but don't, right?
      - maybe apply the same punishment to minors that is applied to adults. If you're smart enough to put together a worm, you're smart enough to know you shouldn't release it.

    --
    Please correct me if I got my facts wrong.
  2. Re:Firewalls offer limited protection only by johu · · Score: 5, Interesting

    We have all workstations configured with local firewall rules that prohibit most outbound traffic unless IP address is from our intranet address range. If it's not only DHCP client, DNS client, AV updates and VPN to corporate network is allowed. Inbound traffic is completely blocked when plugged to foreign network. Even when within our network there's strict rules blocking everything as default and only allowing limited set of ports if traffic is coming from subnet used by helpdesk.

    Visitors used to plug their laptops to our internal net, but we implemented 802.1x and it's no longer problem. Locations that couldn't be updated to it due various reasons are routed to separate firewall interface (VLAN) and can access corporate net (and internet) only thru VPN.

    Printers and other devices that don't speak 802.1x are on separate VLANs that have no access to corporate net or internet.

    This is all very basic stuff that any decent admin should be able to implement easily. Everything can be done in typical Active Directory + Win2000/XP/2003 environment without third-party software. Therefore implementing infrastucture like this is even cheap.

    Since someone is going to ask how to limit outbound traffic with Win2k/XP built-in firewall here's answer: Use either RAS filtering (per machine VBS) or IPSEC group-policies.

    Because all internet traffic is forced thru proxies doing antivirus checks at HQ those blocking rules aren't problem. Users simply access net using our main connection and their own is only used to tunnel everything via VPN. Users don't have local admin rights so they can't disable firewall to bypass security.

    Biggest drawback with this kind of implementation is WLAN access. Since many WLANs require login using web browser and net access is denied unless VPN is active they're unusable. There's no easy solution to this. Only good solution would be some very restricted and secure browser that's allowed to access 80/443 ports. Preferrably running in own virtualmachine/sandbox to protect computer itself.