"Maarten" <[EMAIL PROTECTED]> writes:

> I was wondering about the following scenario:
>
> Lots of corporate networks are protected by firewalls and users are forced to
> use a proxy server to connect to the internet. Because of the firewalling,
> the worm will not be able to infect the clients directly from the Internet.
> Of course there are always servers that are building bridges between the
> corporate network and the internet or laptop users that get infected by
> using their dial-up/DSL @ home.
>
> But if the worm enters the network through for instance an infected laptop,
> can it still spread around on the network? By analyzing the threads on this
> list and reading the info provided by anti-virus vendors I tend to draw the
> following conclusion.
>
> - A worm can enter the network through an infected laptop/workstation or a
> vulnerable server connected to the internet.
> - These infected machines can exploit the vulnerability on other vulnerable
> systems on the internal network, causing them to reboot (and reboot, and
> reboot).
> - Since these other vulnerable systems are using a proxy server to connect
> to the internet and a firewall prevents all other connections, tftp servers
> on the Internet can not be accessed.
> - Since tftp servers can not be accessed, msblaster.exe can not be
> downloaded.
> - Since msblaster.exe can not be downloaded, these other systems will not
> start to infect other systems...
>
> Am I correct on these last two points? Or is this only true in case someone
> puts an infected laptop on the network (that is not able to connect to the
> internet using tftp, while a webserver might be when it is located in a
> misconfigured DMZ environment)?
Incorrect, for most setups. Some firewalls at the router (NAT, for instance) block packets into/out of the LAN. This means that machines from the internet cannot communicate with the LAN, and vice versa. However, machines on the LAN can communicate with *each other* (thus the ability to connect to the proxy server). So, if an infected system is introduced, it *can* spread to the LAN, but infections of systems on the internet will fail, as they cannot TFTP back to the firewalled box.

> Of course this is only one worm variant
> exploiting this vulnerability and we might have a totally different case on
> the next one, but I am still curious if I am on the right track
> understanding the impact of the worm.

Yes, indeed. Had the worm author been more skilled, we probably would have seen a Code Red style worm, with the entire worm transmitted as shellcode in the initial packet exchange over 135/tcp. This would eliminate the efficacy of blocking TFTP (69/udp) or 4444/tcp.

> I also read something about SP0|1|2 on W2K not being vulnerable to msblaster
> (probably because of the "universal" offsets used). Is there anyone that can
> confirm this finding?

I can refute this finding. Windows 2000 (all service packs) is being actively exploited by this worm. Compromised Windows 2000 boxes have been probing fairly consistently. eEye's official write-up specifically mentions W2K Gold-SP2 as vulnerable. By "Universal" offset, they weren't kidding -- one offset works on Windows 2000 Gold-SP4, all languages, and one offset works on Windows XP Gold/SP1 32-bit, all languages.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
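The reply above describes the three stages the thread is arguing about: the exploit hits 135/tcp, the attacker connects to a shell on the victim's 4444/tcp, and the victim then fetches the payload over TFTP (69/udp). A defender looking at lateral and egress firewall logs can tell those stages apart, and in particular can distinguish a host that was exploited but whose TFTP fetch was blocked (the "reboots but does not spread" case) from one that fetched the payload. The script below is an added example, not code from the thread or from any of the posters. The log line format, the IP addresses, and the scan threshold of five distinct 135/tcp targets are all constructed assumptions; the port numbers are the ones stated in the reply.

```python
"""Classify hosts by which stage of the MSBlaster propagation chain they show.

Added example, not from the original thread. The log format is a constructed
one-line-per-connection form:
    <time> <ALLOW|DENY> <tcp|udp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import re
from collections import defaultdict

# Ports named in the thread: DCOM/RPC exploit on 135/tcp, remote shell on
# 4444/tcp, payload fetch via TFTP on 69/udp.
RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69
# Assumption: this many distinct 135/tcp targets from one source is a sweep.
SCAN_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log. 10.0.5.23 plays the infected laptop from the thread;
# 10.0.5.40 fetches the payload from it; 10.0.5.50 was exploited but its TFTP
# fetch to an outside address is stopped by the egress filter.
SAMPLE_LOG = """\
10:01:01 ALLOW tcp 10.0.5.23:1034 -> 10.0.5.1:135
10:01:01 ALLOW tcp 10.0.5.23:1035 -> 10.0.5.2:135
10:01:01 ALLOW tcp 10.0.5.23:1036 -> 10.0.5.3:135
10:01:02 ALLOW tcp 10.0.5.23:1037 -> 10.0.5.4:135
10:01:02 ALLOW tcp 10.0.5.23:1038 -> 10.0.5.40:135
10:01:02 ALLOW tcp 10.0.5.23:1039 -> 10.0.5.41:135
10:01:03 ALLOW tcp 10.0.5.23:1040 -> 10.0.5.40:4444
10:01:03 ALLOW tcp 10.0.5.23:1041 -> 10.0.5.41:4444
10:01:04 ALLOW udp 10.0.5.40:1042 -> 10.0.5.23:69
10:01:04 DENY udp 10.0.5.50:1043 -> 198.51.100.7:69
10:01:05 ALLOW tcp 10.0.5.9:1100 -> 10.0.5.1:135
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def analyze(lines):
    """Map source IP -> one-line verdict for hosts showing a Blaster stage."""
    rpc_targets = defaultdict(set)      # src -> distinct hosts hit on 135/tcp
    shell_connects = defaultdict(set)   # src -> hosts it connected to on 4444/tcp
    tftp = defaultdict(lambda: {"ALLOW": 0, "DENY": 0})  # src -> 69/udp outcomes

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "tcp" and ev["dport"] == RPC_PORT:
            rpc_targets[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "tcp" and ev["dport"] == SHELL_PORT:
            shell_connects[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "udp" and ev["dport"] == TFTP_PORT:
            tftp[ev["src"]][ev["action"]] += 1

    findings = {}
    # Victim side: did the payload fetch get through, or did egress filtering stop it?
    for src, counts in tftp.items():
        if counts["ALLOW"]:
            findings[src] = "exploited: payload fetched over 69/udp"
        elif counts["DENY"]:
            findings[src] = "exploited but contained: 69/udp fetch blocked at egress"
    # Attacker side: a 135/tcp sweep, with or without the follow-up shell stage.
    for src, targets in rpc_targets.items():
        if len(targets) < SCAN_THRESHOLD:
            continue
        if shell_connects.get(src):
            findings[src] = "spreading: 135/tcp sweep plus 4444/tcp shell connections"
        else:
            findings.setdefault(src, "suspicious: 135/tcp sweep without shell stage")
    return findings


if __name__ == "__main__":
    for host, verdict in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(f"{host:<12} {verdict}")
```

Run as-is to see the three verdicts for the constructed log; point `analyze()` at real lines once `LINE_RE` is adapted to your firewall's format. The ordering of the two passes is deliberate: a host that fetched the payload and then started sweeping gets the stronger "spreading" label, while a mere sweep never downgrades an "exploited" verdict.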
