
Full Disclosure mailing list archives
Re: Blaster: will it spread without tftp?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 13 Aug 2003 14:13:54 +1200
"Maarten" <subscriptions () hartsuijker com> wrote:
> I was wondering about the following scenario:
> <<snip>>
> - since these other vulnerable systems are using a proxy server to connect to the internet and a firewall prevents all other connections, tftp servers on the Internet cannot be accessed
Good up to here, but then...
> - since tftp servers cannot be accessed, msblaster.exe cannot be downloaded
No. When the worm connects from its current victim to a new, vulnerable host it tells the new victim to TFTP the worm's .EXE from the current victim machine where the worm briefly sets up a TFTP thread to serve its .EXE.
> - since msblaster.exe cannot be downloaded these other systems will not start to infect other systems...
Nope, because of the above.
> Am I correct on these last two points? Or is this only true in case someone puts an infected laptop on the network (that is not able to connect to the internet using tftp, while a webserver might be when it is located in a misconfigured DMZ environment)? Of course this is only one worm variant exploiting this vulnerability and we might have a totally different case on the next one, but I am still curious if I am on the right track understanding the impact of the worm.
You seem to have missed the important point that the worm acts as its own TFTP server for infecting the next host.
> I also read something about SP0|1|2 on W2K not being vulnerable to msblaster (probably because of the "universal" offsets used). Is there anyone that can confirm this finding?
I believe this is now well confirmed to be incorrect.

...

A further observation I've not seen elsewhere is just begging to be made, and as it indirectly relates to TFTP, why not here...

"Least privilege" and "minimized services" are standard security mantra, right? If so, WTF do so many Windows boxes even have TFTP client executables installed? What proportion of "normal users" has _any_ real need for TFTP these days? In fact, who in their right mind would use it at all?? Ditto RCP and RSH amongst much other archaic and/or arcane crap that MS seems to feel "needs" to be on every box under the sun.

Sure, removing these tools does not completely fix your boxes, but by setting the bar higher you should be increasing the average complexity needed for any possible attack scenario to be successfully exploited _on your boxes_. In turn, that reduces the likely success of something like this that seems to have been thrown together in ten minutes by some ankle-biting skiddie...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
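The point Nick makes above (the new victim TFTPs the worm body back from the host that just hit it, so blocking TFTP at the Internet perimeter does nothing for LAN-to-LAN spread) suggests a simple detection on internal flow or firewall logs: look for host A reaching host B on the MSRPC/DCOM port followed shortly by B pulling a file from A over TFTP. The script below is an added example for this thread, not code from the original post or from any of its participants. The log line format and the sample records are constructed for the example, the 5-minute pairing window is an assumption, and the port numbers are the standard ones for MSRPC (tcp/135) and TFTP (udp/69), which the post itself does not spell out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records for this example (not real logs):
# "<ISO timestamp> <src ip> <dst ip> <proto> <dst port>".
# Hosts 10.0.1.31 and 10.0.1.45 are hit on tcp/135 by 10.0.1.20 and then pull a
# file back from 10.0.1.20 over udp/69, the pattern described in the thread.
# The last record is a TFTP flow far outside the window and must not pair up.
SAMPLE_LOG = """\
2003-08-12T10:01:05 10.0.1.20 10.0.1.31 tcp 135
2003-08-12T10:01:07 10.0.1.31 10.0.1.20 udp 69
2003-08-12T10:01:09 10.0.1.20 10.0.1.45 tcp 135
2003-08-12T10:03:00 10.0.1.45 10.0.1.20 udp 69
2003-08-12T10:05:00 10.0.1.50 10.0.1.60 tcp 135
2003-08-12T10:05:30 10.0.1.77 10.0.1.9 udp 69
2003-08-12T10:40:00 10.0.1.31 10.0.1.20 udp 69
"""

RPC_PORT = 135   # MSRPC/DCOM endpoint mapper (tcp), the service Blaster exploited
TFTP_PORT = 69   # TFTP (udp), used to pull the worm body from the infecting host


def parse_record(line):
    """Split one flow record into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def find_propagation(log_text, window_minutes=5):
    """Return (source_host, new_victim, rpc_time, tftp_time) for every pair of
    flows where host A contacts host B on tcp/135 and B then fetches from A
    over udp/69 within the window. The window length is an assumption."""
    window = timedelta(minutes=window_minutes)
    records = sorted(
        (parse_record(l) for l in log_text.splitlines() if l.strip()),
        key=lambda r: r[0],
    )
    rpc_hits = defaultdict(list)   # (attacker, target) -> timestamps of tcp/135 flows
    matches = []
    for ts, src, dst, proto, dport in records:
        if proto == "tcp" and dport == RPC_PORT:
            rpc_hits[(src, dst)].append(ts)
        elif proto == "udp" and dport == TFTP_PORT:
            # The TFTP flow runs from the new victim (src) back to the
            # infecting host (dst), so the matching RPC flow is (dst -> src).
            for rpc_ts in rpc_hits.get((dst, src), []):
                if timedelta(0) <= ts - rpc_ts <= window:
                    matches.append((dst, src, rpc_ts, ts))
                    break
    return matches


def suspected_sources(matches):
    """Sorted, de-duplicated list of hosts that served the worm body."""
    return sorted({m[0] for m in matches})


if __name__ == "__main__":
    found = find_propagation(SAMPLE_LOG)
    for attacker, victim, rpc_ts, tftp_ts in found:
        print(f"{attacker} -> {victim}: rpc at {rpc_ts.time()}, tftp pull at {tftp_ts.time()}")
    print("suspected infected sources:", suspected_sources(found))
```

Run against the constructed records it pairs two of the three TFTP pulls with a preceding tcp/135 contact and names 10.0.1.20 as the host serving the worm; the 10:40 pull is left unmatched because it falls outside the window, and the lone udp/69 flow from 10.0.1.77 has no RPC contact to pair with. On real logs the same pairing logic works on any source that records src, dst, protocol and destination port, and the window can be widened if the network is slow to complete the exploit.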