On Wed, 2003-08-13 at 14:13, Nick FitzGerald wrote:
> "Maarten" <[EMAIL PROTECTED]> wrote:
>
> > I was wondering about the following scenario:
> <<snip>>
> > - since these other vulnerable systems are using a proxy server to connect
> > to the internet and a firewall prevents all other connections, tftp servers
> > on the Internet can not be accessed
>
> Good up to here, but then...
>
> > - since tftp servers can not be accessed, msblaster.exe can not be
> > downloaded
>
> No.
>
> When the worm connects from its current victim to a new, vulnerable
> host it tells the new victim to TFTP the worm's .EXE from the current
> victim machine where the worm briefly sets up a TFTP thread to serve
> its .EXE.

I can confirm this. We block tftp at the gateway (as well as all the MS ports 135-139, 445 etc.). An infected laptop was brought on to the internal network and half an hour later we had 500 infected systems and a very soggy network.

Note that those 500 were out of a total of 7500; we had managed to get the rest patched, another week and we would have only had a handful.

Yes we are now investigating how we can speed up patch deployment ;-)

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
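
An added example, not part of the original thread: because the new victim pulls the .EXE over TFTP from the machine that just connected to it, the spread is visible in internal flow data even when the gateway blocks TFTP. The sketch below flags an internal host that connects to several internal peers on TCP 135 and is then contacted on UDP 69 by those same peers. The flow tuple layout, the 10.0.0.0/8 range, the fan-out threshold and the time window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's internal address range
RPC_TCP, TFTP_UDP = 135, 69          # a blocked MS port from the thread; TFTP's well-known port
MIN_FANOUT = 3                       # assumption: distinct peers probed before a host is reported

# Constructed flow records: (epoch_seconds, src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    (0, "10.1.1.50", "10.1.2.10", "tcp", 135),  # infected laptop probing peers
    (1, "10.1.1.50", "10.1.2.11", "tcp", 135),
    (2, "10.1.1.50", "10.1.2.12", "tcp", 135),
    (3, "10.1.2.10", "10.1.1.50", "udp", 69),   # new victim pulls from the prober
    (4, "10.1.2.12", "10.1.1.50", "udp", 69),
    (5, "10.1.3.7", "10.1.0.2", "udp", 69),     # TFTP to a server that never probed the client
    (6, "10.1.3.8", "10.1.0.5", "tcp", 135),    # single RPC connection, no TFTP follow-up
    (7, "203.0.113.9", "10.1.1.50", "udp", 69), # ignored: not internal-to-internal
]

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def find_spreaders(flows, window=60):
    """Map each suspected spreading host to the peers that TFTP'd from it after being probed."""
    probes = defaultdict(dict)  # prober -> {probed peer: time of last probe}
    pulled = defaultdict(set)   # prober -> peers that then sent TFTP requests back to it
    for ts, src, dst, proto, port in sorted(flows):
        if not (is_internal(src) and is_internal(dst)):
            continue
        if proto == "tcp" and port == RPC_TCP:
            probes[src][dst] = ts
        elif proto == "udp" and port == TFTP_UDP:
            # Reverse direction: did the TFTP server (dst) recently probe this client (src)?
            probed_at = probes.get(dst, {}).get(src)
            if probed_at is not None and ts - probed_at <= window:
                pulled[dst].add(src)
    return {host: sorted(peers) for host, peers in pulled.items()
            if len(probes[host]) >= MIN_FANOUT}

if __name__ == "__main__":
    for host, peers in find_spreaders(SAMPLE_FLOWS).items():
        print(f"{host} served TFTP to hosts it had just probed: {', '.join(peers)}")
```

The peers listed for each flagged host are the ones to isolate and patch first, since they requested a file from the prober right after it connected to them.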
