Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-22 Thread Ron DuFresne
On Fri, 19 Aug 2005, Nick FitzGerald wrote:

> [EMAIL PROTECTED] to Ron DuFresne:
>
> > > Perhaps it does relate considering the above and considering that the unix
> > > world learned many of the evils of RPC services over ten years ago that
> > > seem to hit the M$ realm every few months, repeatedly...
> >
> > We used to call them rsploits when it was common in unix.  Friends and I
> > had a good chuckle when MS started repeating history, having rsploits of
> > its own.  I would love to deny all port 445 with layer-3 switches but this
> > would be like blocking portmap and expecting NFS to still mount.
> >
> > What have we learned from the past that we can apply to our MS networks,
> > since they have become a (un)necessary evil?  How neutered does an MS
> > workstation become if the RPC port is completely blocked from the outside?
> > Perhaps "mostly harmless" ?
> >
> > What would it take to write an RPC filter to only accept RPCs which we
> > actually care about?  In addition, why is PnP even an RPC accessible from
> > the outside (no, upnp is not a good reason)!?  Most importantly, we need
> > to eliminate the entire RPC attack vector in the future for Microsoft
> > systems -- this is not the first MS rsploit and we will certainly see
> > more.
>
> Why don't folk -- well, sys-admins anyway -- actually take the time to
> bother to learn what their systems do and how they work???
>


Ahh, but this is not an admin issue, it's the vendor's issue.  Was similar
for some time with SUNOS, when trying to disable RPC for production systems
one used to have to twist around sideways while trying to bend over
backwards.  Not the same these days now that SUN has learned the lesson
that M$ is re-propagating with their "we'll do it our way, screw learning
via others' lessons or sticking to standards".  Redmond has been bitten by
these issues in the past few years a number of times and will be bitten
again till they finally learn what took other vendors a while to get the
point on as well.


[REST SNIPPED]


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-19 Thread Barrie Dempster
On Thu, 2005-08-18 at 14:01 -0700, [EMAIL PROTECTED] wrote:
> What would it take to write an RPC filter to only accept RPCs which we
> actually care about? 

Not a lot, considering this already exists, MS's own product ISA does
this.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://reboot-robot.net
site: http://www.bsrf.org.uk
ca:   https://www.cacert.org/index.php?id=3

"He who hingeth aboot, geteth hee-haw" Victor - Still Game



Re: [Full-disclosure] Disney Down?

2005-08-19 Thread Micheal Espinola Jr
I agree that not all exploits need to or should be handled in such a
way, but this type of open-ended exploit where potentially anything
could have been dropped or altered on a system would force me as a
network/security/systems administrator to have to take appropriate
action to protect my employer.

Yep, it's definitely extreme.  I wouldn't want to have to do it.  But,
I still would do it all the same.  In my experience the risk is just
too great not to.  Which is why we store data on secure servers, and
can multi-cast images for workstations for easy rebuilds.  It's a shame
not everyone can work in an environment where things like this can be
done that easily, but that doesn't mean that they shouldn't be done at
all.

I have yet to work for an employer where my management and fellow
staff wouldn't be prepared to do the same - thank goodness.

I shudder to think about it happening to me...


On 8/19/05, Steve Kudlak <[EMAIL PROTECTED]> wrote:
> Micheal Espinola Jr wrote:
> > Absolutely.  Once a system has been exploited in such a manner, it is
> > completely untrustable.  It should most definitely be wiped.
> >
> > The IT ppl in SDC (and many other places) need to all be lined up and
> > smacked Three Stooges style.
> >
> > On 8/19/05, Donald J. Ankney <[EMAIL PROTECTED]> wrote:
> > > Any IT department that simply removes a worm and shoves a box back
> > > into production has serious issues.
> > >
> > > After a machine has been compromised, it should be wiped and rebuilt.
>
> As a practical matter how many boxes are we talking about. I mean I have
> removed worms and viruses (note I don't use the plural virii because it is
> too close to the proper Latin plural of "men";) and put boxes back into use.
> But not in places that are critical. Does one rebuild every time something
> goes wrong? Seems extreme to me. I dunno if this is the place to discuss
> issues like this. Now of course with worm designers getting more
> sophisticated it might be that more extreme measures should be taken
> earlier in the decision chain. Now if people implement a really adequate
> backup system, like everything over the last hour is safely backed up it
> might be possible to do that. Anyway it is an interesting case, easy to say
> now that I am disabled and watching from the sidelines.
>
> Have Fun,
> Sends Steve


-- 
ME2  


Re: [Full-disclosure] Disney Down?

2005-08-19 Thread Steve Kudlak
Micheal Espinola Jr wrote:

> Absolutely.  Once a system has been exploited in such a manner, it is
> completely untrustable.  It should most definitely be wiped.
>
> The IT ppl in SDC (and many other places) need to all be lined up and
> smacked Three Stooges style.
>
> On 8/19/05, Donald J. Ankney <[EMAIL PROTECTED]> wrote:
> > Any IT department that simply removes a worm and shoves a box back
> > into production has serious issues.
> >
> > After a machine has been compromised, it should be wiped and rebuilt.

As a practical matter how many boxes are we talking about. I mean I
have removed worms and viruses (note I don't use the plural virii
because it is too close to the proper Latin plural of "men";) and put
boxes back into use. But not in places that are critical. Does one
rebuild every time something goes wrong? Seems extreme to me. I dunno
if this is the place to discuss issues like this. Now of course with
worm designers getting more sophisticated it might be that more
extreme measures should be taken earlier in the decision chain. Now
if people implement a really adequate backup system, like everything
over the last hour is safely backed up it might be possible to do that.
Anyway it is an interesting case, easy to say now that I am disabled
and watching from the sidelines.

Have Fun,
Sends Steve




Re: [Full-disclosure] Disney Down?

2005-08-19 Thread Micheal Espinola Jr
Absolutely.  Once a system has been exploited in such a manner, it is
completely untrustable.  It should most definitely be wiped.

The IT ppl in SDC (and many other places) need to all be lined up and
smacked Three Stooges style.

On 8/19/05, Donald J. Ankney <[EMAIL PROTECTED]> wrote:
> 
> Any IT department that simply removes a worm and shoves a box back
> into production has serious issues.
> 
> After a machine has been compromised, it should be wiped and rebuilt.

-- 
ME2  


Re: [Full-disclosure] Disney Down?

2005-08-19 Thread Donald J. Ankney


Any IT department that simply removes a worm and shoves a box back  
into production has serious issues.


After a machine has been compromised, it should be wiped and rebuilt.  
I don't trust myself to find everything that an intruder (or  
intruding software) may have done while in the system. I trust my  
disaster-recovery plan to make sure that rapid data restoration is  
possible after a machine is taken down and rebuilt.




On Aug 17, 2005, at 12:15 PM, Jason Coombs wrote:

> American Express has been unable to provide me with customer
> service by telephone since the outbreak began.
>
> Larry, you of all people can't possibly believe that the scope of
> this incident is limited to what you read in the news.
>
> Furthermore, do you truly believe that the worms are the point here?
>
> The worms cause a distraction, and the media plus the antivirus
> industry collaborate to make victims believe that they can recover
> from the incident just by shutting down the worm.
>
> What about attacks that took place with the worms as cover? How
> many high-value systems just got compromised, and will remain so,
> by something other than the worms' code -- where the victim won't
> even bother to investigate that possibility because they feel like
> the worm was the incident.
>
> Regards,
>
> Jason Coombs
> [EMAIL PROTECTED]
>
> -Original Message-
> From: "Larry Seltzer" <[EMAIL PROTECTED]>
> Date: Wed, 17 Aug 2005 08:20:17
> To: "'Micheal Espinola Jr'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: [Full-disclosure] Disney Down?
>
> >>"So patch your systems, but don't miss your kid's play in order to do it.
> >>We've seen a lot worse than this in the past."
> >>Brilliant advise[sic]!
>
> Yeah, clearly I timed the column badly, but I still think there's more smoke
> than fire on this outbreak. If it had been International Paper or some
> company like that rather than media outlets I suspect it wouldn't be getting
> all this attention. I also think it's fair to say that when it dies down,
> relatively soon, it won't achieve the endemic status of Blaster and Sasser
> because it will have little or no presence on consumer systems.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.ziffdavis.com/seltzer
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]






Re: [Full-disclosure] Disney Down?

2005-08-19 Thread Technica Forensis
On 8/17/05, Jason Coombs <[EMAIL PROTECTED]> wrote:
> What about attacks that took place with the worms as cover? How many high-
> value systems just got compromised, and will remain so, by something other
> than the worms' code -- where the victim won't even bother to investigate
> that possibility because they feel like the worm was the incident.

And he will gladly testify that this worm downloaded porn onto his
client's computers


Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-19 Thread James Tucker



[EMAIL PROTECTED] wrote:

> On Wed, 17 Aug 2005, Ron DuFresne wrote:
>
> > Perhaps it does relate considering the above and considering that the unix
> > world learned many of the evils of RPC services over ten years ago that
> > seem to hit the M$ realm every few months, repeatedly...
>
> We used to call them rsploits when it was common in unix.  Friends and I
> had a good chuckle when MS started repeating history, having rsploits of
> its own.  I would love to deny all port 445 with layer-3 switches but this
> would be like blocking portmap and expecting NFS to still mount.

Have you considered utilising the IPSec filters? This is a common
suggestion from the beast themselves.

> What have we learned from the past that we can apply to our MS networks,
> since they have become a (un)necessary evil?  How neutered does an MS
> workstation become if the RPC port is completely blocked from the outside?
> Perhaps "mostly harmless" ?

Well it loses most of its Active Directory integration if that's what
you mean. Users can still log in though, and in fact can still access
remote shares. Admins have trouble with remote administration however,
but often a well configured Kerberos telnet session can be more useful
than MMC plugins anyway. Just ensure the service is _properly_ configured.

> What would it take to write an RPC filter to only accept RPCs which we
> actually care about?  In addition, why is PnP even an RPC accessible from
> the outside (no, upnp is not a good reason)!?  Most importantly, we need
> to eliminate the entire RPC attack vector in the future for Microsoft
> systems -- this is not the first MS rsploit and we will certainly see
> more.

Er, you're gunna be trawling a lot of RPC. You can do most anything
through that port, it's very functional indeed. As above, I'd start with
IPSec. Er, this is the system through which we provide most application
and desktop management, to get to PnP is not a strange thing to have
access to at all, moreover it gets used quite a lot in big installations
where driver deployment by audit is important.

> Your thoughts?

The RPC functionality provided has been the biggest flaw in security for
MS in recent years.
The RPC functionality provided has been the biggest contributor to
reducing TCO in the enterprise where its functionality is properly
utilised.

> -Eric




Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-18 Thread Nick FitzGerald
[EMAIL PROTECTED] to Ron DuFresne:

> > Perhaps it does relate considering the above and considering that the unix
> > world learned many of the evils of RPC services over ten years ago that
> > seem to hit the M$ realm every few months, repeatedly...
> 
> We used to call them rsploits when it was common in unix.  Friends and I
> had a good chuckle when MS started repeating history, having rsploits of
> its own.  I would love to deny all port 445 with layer-3 switches but this
> would be like blocking portmap and expecting NFS to still mount.
> 
> What have we learned from the past that we can apply to our MS networks,
> since they have become a (un)necessary evil?  How neutered does an MS
> workstation become if the RPC port is completely blocked from the outside?  
> Perhaps "mostly harmless" ? 
> 
> What would it take to write an RPC filter to only accept RPCs which we
> actually care about?  In addition, why is PnP even an RPC accessible from
> the outside (no, upnp is not a good reason)!?  Most importantly, we need
> to eliminate the entire RPC attack vector in the future for Microsoft
> systems -- this is not the first MS rsploit and we will certainly see
> more.

Why don't folk -- well, sys-admins anyway -- actually take the time to 
bother to learn what their systems do and how they work???

OK, MS does not make this astoundingly easy in many cases, but there
are some very good (amongst some very, very poor) "hardening guides"
out there written by folk who do know what they are talking about AND
that explain why you should use, or at least might consider, each
option, and why some options are only suitable in certain scenarios.

Of course, when it comes to OSes like XP Home, the security stance has 
always been "everything that has worked before must keep working" so, 
rather than learning from their long history of mistakes and fixing 
things, MS compounded those mistakes by rolling them all together in a 
nice shiny new box with an even bigger marketing budget...

SP2 shows that, in fact, after too many, too embarrassing, too big to 
hide from the media virus and worm outbreaks due largely to the fact 
that it had been taking this entirely irresponsible approach to 
security (especially for those of its customers who needed the most 
help with such things), even the 800lb Gorilla known as Microsoft _can_ 
change.  We won't debate how much and whether it's enough, though I 
doubt few here would disagree that "there's a fair way to go yet" 
pretty much covers it...

Instead of making an everything on, working out of the box, approach 
even MS may be working its way to the "only enable it if it's needed 
for basic functionality" approach.

Of course, when MS gets to that position, there will then be hell to 
pay when the installation scripts for most third-party apps, drivers, 
etc start undoing all MS' good work and do the "set everything on 
because we know our cr*ppy product works if it is set that way".


Regards,

Nick FitzGerald



Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-18 Thread fd
On Wed, 17 Aug 2005, Ron DuFresne wrote:
> 
> Perhaps it does relate considering the above and considering that the unix
> world learned many of the evils of RPC services over ten years ago that
> seem to hit the M$ realm every few months, repeatedly...
> 

We used to call them rsploits when it was common in unix.  Friends and I
had a good chuckle when MS started repeating history, having rsploits of
its own.  I would love to deny all port 445 with layer-3 switches but this
would be like blocking portmap and expecting NFS to still mount.

What have we learned from the past that we can apply to our MS networks,
since they have become a (un)necessary evil?  How neutered does an MS
workstation become if the RPC port is completely blocked from the outside?  
Perhaps "mostly harmless" ? 

What would it take to write an RPC filter to only accept RPCs which we
actually care about?  In addition, why is PnP even an RPC accessible from
the outside (no, upnp is not a good reason)!?  Most importantly, we need
to eliminate the entire RPC attack vector in the future for Microsoft
systems -- this is not the first MS rsploit and we will certainly see
more.

Your thoughts?

-Eric





RE: [Full-disclosure] Disney Down?

2005-08-17 Thread imipak
Larry Seltzer wrote:

> none of the current attacks will directly infect Windows XP systems,
> including consumer systems, and therefore will not linger there. To
> illustrate the point, it's a long time now since the RPC/DCOM bug
> was patched and still there are lots of infected systems out there
> spitting Blaster at the world; how many do you think are in Fortune
> 500 companies as opposed to consumer systems?
>


And what proportion of Internet-connected Windows PCs on the planet
belong to Fortune 500 companies, do you think?

And anyway -- I've personally witnessed 'Fortune 500' corps doing some
pretty astonishing stupidly insecure things, and I'm sure lots of
other FD'ers have their own horror stories. Take a few experienced
network and sysadmins to the pub some time... (Now I come to think of
it -- is anyone collecting real world infosec horror stories?)

pip pip,


/i

-- 
And what exactly is a dream?
And what exactly is a joke?
- Syd Barrett


Re: [Full-disclosure] Disney Down?

2005-08-17 Thread fd
On Thu, 18 Aug 2005, pingywon wrote:

> Disney world CLOSED !
> 
> 
> ..it cant be ..blame it on the terrorists and save face Mickey

It must be 'cause of the hand-geometry biometric scanners they are 
using... someone must not have liked giving up their metrics ;)

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770



Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Ron DuFresne
On Wed, 17 Aug 2005, Micheal Espinola Jr wrote:

> From my perspective, developing a patch and applying a patch are two
> different life cycles.  I'm no developer, but I know what it takes to
> properly test and roll-out patches within my (current and previous)
> organization(s).
>
> I don't pretend to believe that all patches are the same, but this PnP
> patch is one of the less difficult to deal with in terms of a
> roll-out.  I truly believe this recent worm could have been avoided if
> MS05-039 was taken more seriously.

Isn't this like the second or third time M$ has been bitten by pnp within
the past say two to three years?  So, is this an example of the M$
tendency to not fully patch the affected system/service, but to only
address a "current" potential which has been a thing that's bitten them in
the past many many times as well?


>
> I cannot say as to why MS hasn't addressed any other outstanding
> issues.  While it's a valid concern of mine as well, it really doesn't
> relate to the discussion regarding the MS05-039 fiasco.
>


Perhaps it does relate considering the above and considering that the unix
world learned many of the evils of RPC services over ten years ago that
seem to hit the M$ realm every few months, repeatedly...


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Ron DuFresne

[SNIP]

>
> Greg Smith, the county's assessor, recorder and clerk, said "As long
> as we're up (today), we'll be fine"  Greg Smith is a thinking much too
> lightly of the situation.  Their systems just got hit with an exploit
> that allows for remote code execution and elevation of privilege.  If
> I was him, I would be very concerned about data theft, and performing
> network wide audits.
>
> "Yesterday's crash marked the third time in recent weeks that
> significant computer problems have affected county government."  Well,
> enough said about Greg Smith or whoever manages SDC's systems...
>
> Lets take a look at the ISS advisory that makes a respectful analysis
> of the phrase "code execution and elevation of privilege":
>
> "Successful exploitation of this vulnerability could be leveraged to
> gain complete control over target systems, and might lead to malware
> installation, exposure of confidential information, or further network
> compromise. Due to the widespread use of the affected operating
> systems and the critical nature of component affected, it is likely
> that servers and desktops used for a wide variety of purposes are
> vulnerable to this issue."
>
> The initial exploited fault aside, I see no excuse for this.
>
>


Of course you are correct, there is NO excuse for this in any setting,
yet, considering the past ten years of GAO audits and advisories on the
federal side of gvt systems, what makes one think that state and local
county govs would have any better standing?  Part of the problems is that
govs wish to pay nothing and get everything in return, and are extremely
poor in fetting out raises and tend to pull back immensely on the benefit
packages, if one can really label them such.  So, they tend to get "what
they pay for", which in the case of the gov site I work under, is a bunch
of certified idiots that lack the skills to do what they have been tasked
to do.  Their vested interest lies in a "proper public presentation",
meaning they don't hire folks that lack a suit and tie, and thus have
missed out in recruiting into their realm persons with the skills to
actually make a difference, if not for the following:  Not to mention
that no one wishes to take responsibility, for that might also task them
to accountability.  I can tell you for a fact that since our unskilled
sec folks where I work won't go "outside the border" to discover vuln
info that they did not get a clue about the recent trojan till far after
the fact that many sites had been hit by it.  In fact their announcement
came out this AM, from their multi-state vuln/sploit notification council...

There is no excuse for doing below minimum and little excuse for scraping
along at minimum, with taxpayers footing the bill, but that's life in gov
settings and more so perhaps in state and county govs that lack the
auditing controls like the GAO


Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Micheal Espinola Jr
From my perspective, developing a patch and applying a patch are two
different life cycles.  I'm no developer, but I know what it takes to
properly test and roll-out patches within my (current and previous)
organization(s).

I don't pretend to believe that all patches are the same, but this PnP
patch is one of the less difficult to deal with in terms of a
roll-out.  I truly believe this recent worm could have been avoided if
MS05-039 was taken more seriously.

I cannot say as to why MS hasn't addressed any other outstanding
issues.  While it's a valid concern of mine as well, it really doesn't
relate to the discussion regarding the MS05-039 fiasco.


On 8/17/05, Geo. <[EMAIL PROTECTED]> wrote:
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Micheal
> Espinola Jr
> 
> 
> >>Regardless of "a LOT of Windows 2000 out there...", these companies
> weren't bitten the same day the initial exploit was released.  6 days
> is plenty of time to have tested compatibility and to distribute the
> patch.<<
> 
> How can you allow a vendor to take 6 months to a year to release a patch and
> then say 6 days is plenty of time to test and patch?
> 
> You know, I was sure when MS announced there would be 6 patches for august
> that one of them would be one of these
> http://www.eeye.com/html/research/upcoming/index.html but I guess not... 141
> days and counting, and it will get released when MS hears that someone has
> written and released an exploit for it, then of course all of us have 6 days
> to live..
> 
> Geo.
> 
> 


-- 
ME2  


Re: [Full-disclosure] Disney Down?

2005-08-17 Thread Jason Coombs
American Express has been unable to provide me with customer service by 
telephone since the outbreak began.

Larry, you of all people can't possibly believe that the scope of this incident 
is limited to what you read in the news.

Furthermore, do you truly believe that the worms are the point here?

The worms cause a distraction, and the media plus the antivirus industry 
collaborate to make victims believe that they can recover from the incident 
just by shutting down the worm.

What about attacks that took place with the worms as cover? How many high-value 
systems just got compromised, and will remain so, by something other than the 
worms' code -- where the victim won't even bother to investigate that 
possibility because they feel like the worm was the incident.

Regards,

Jason Coombs
[EMAIL PROTECTED]

-Original Message-
From: "Larry Seltzer" <[EMAIL PROTECTED]>
Date: Wed, 17 Aug 2005 08:20:17 
To:"'Micheal Espinola Jr'" <[EMAIL PROTECTED]>,   

Subject: RE: [Full-disclosure] Disney Down?

>>"So patch your systems, but don't miss your kid's play in order to do it.
>>We've seen a lot worse than this in the past."
>>Brilliant advise[sic]!

Yeah, clearly I timed the column badly, but I still think there's more smoke
than fire on this outbreak. If it had been International Paper or some
company like that rather than media outlets I suspect it wouldn't be getting
all this attention. I also think it's fair to say that when it dies down,
relatively soon, it won't achieve the endemic status of Blaster and Sasser
because it will have little or no presence on consumer systems.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 




RE: [Full-disclosure] Disney Down?

2005-08-17 Thread Jan Nielsen
I have been running the virus on my vmware xp sp1 with a software
package on it called Cisco Security Agent, sort of a HIDS package which
I basically have set up to log all system events to
file/api/memory/network functions without blocking them. 

For those who are interested the log is here :
http://www.boyakasha.dk/virusevents.log

Regards
Jan

-Original Message-
From: Jan Nielsen [mailto:[EMAIL PROTECTED] 
Sent: 17. august 2005 17:36
To: 'full-disclosure@lists.grok.org.uk'
Subject: RE: [Full-disclosure] Disney Down?

I was at a customer today with this problem, initially their network was
acting up and some ppl couldn't log on to the servers in the morning.
We found the file "kilo.exe" on some machines that apparently had not
been patched, one thing I noticed while running this file on a vmware xp
sp1 is that it connects to an irc server @ 61.220.217.49 on port 4128
and logs in to it with password : 146751dhzx
Then it sets a few commands :

JOIN #100+
MODE #100+ +nts

Which for an RBOT virus in itself is nothing special, but I noticed one
thing in my sniffer trace that got me a bit worried, this is a packet
sent from the infected pc to the irc server :

0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060   0a                                               .

Anyone know what this could be ?

Regards
Jan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 17. august 2005 00:54
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Disney Down?

MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)

Trend Micro: WORM_RBOT.CBQ -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
Symantec: Win32.Zotob.E
McAfee: exploit-dcomrpc
Kaspersky: Net-Worm.Win32.Small.d

This is what is on CNN right now.

-Original Message-
From: [EMAIL PROTECTED] on behalf of David Wilde
Sent: Tue 8/16/2005 5:13 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Disney Down?
 
A buddy of mine whose fiancée works for Disney just told me that they
have sent everyone home for the day.  When I say everyone I mean,
Disney Land, Disney World, Disney Corporate, etc...  He's not sure
what the virus is called but it's apparently very nasty.  Anyone have
any more info on this?

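As an added example (not code from the original post), here is a Python decoder for the packet dump in Jan Nielsen's message above: it rebuilds the frame from the hex dump, walks the Ethernet/IPv4/TCP headers down to the IRC line, strips the mIRC bold codes around "NTScan", and flags the message as a bot status report sent to a non-standard IRC port. The "[module]: status" report pattern and the list of standard IRC ports are my assumptions, not something the post states.

```python
import re
import struct
from dataclasses import dataclass

# Hex dump transcribed from the post; the offset missing from its first line is
# filled in as 0000. The ASCII column is decoration and is ignored by the parser.
POSTED_DUMP = """\
0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060   0a                                               .
"""

# Offset, then up to 16 single-space-separated byte pairs; the ASCII column sits behind >=2 spaces.
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})")
IRC_FORMATTING = re.compile(r"[\x02\x0f\x16\x1d\x1f]|\x03\d{0,2}(?:,\d{1,2})?")
# Assumed report shape, taken from the dump: "[<module>]: <status>" after bold codes are stripped.
BOT_REPORT = re.compile(r"^\[(?P<module>[A-Za-z0-9_.-]+)\]:\s*(?P<status>.*)$")
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # assumption

@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes

def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from offset-prefixed dump lines, checking offset continuity."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset {m.group(1)} does not follow the previous line")
        out += bytes.fromhex(m.group(2))
    return bytes(out)

def parse_frame(frame: bytes) -> TcpSegment:
    """Walk Ethernet II -> IPv4 -> TCP and return addresses, ports, flags and payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or total_len > len(ip):
        raise ValueError("not a complete IPv4/TCP packet")
    ip = ip[:total_len]  # drop any Ethernet trailer padding
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return TcpSegment(src, dst, sport, dport, tcp[13], tcp[data_off:])

def parse_irc_message(payload: bytes) -> dict:
    """Split one IRC line into prefix, command, middle params and trailing text."""
    line = payload.decode("latin-1").rstrip("\r\n")
    prefix = None
    if line.startswith(":"):  # server-originated lines carry a prefix
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC message")
    return {"prefix": prefix, "command": parts[0].upper(),
            "params": parts[1:], "trailing": trailing if sep else None}

def classify(segment: TcpSegment) -> list:
    """Return indicator strings for the segment; empty when nothing stands out."""
    findings = []
    try:
        msg = parse_irc_message(segment.payload)
    except ValueError:
        return findings
    if msg["command"] != "PRIVMSG" or not msg["params"]:
        return findings
    if segment.dport not in STANDARD_IRC_PORTS:
        findings.append(f"IRC PRIVMSG to {segment.dst} on non-standard port {segment.dport}")
    report = BOT_REPORT.match(IRC_FORMATTING.sub("", msg["trailing"] or ""))
    if report:
        findings.append(f"bot status report to {msg['params'][0]}: "
                        f"module={report['module']} status={report['status']!r}")
        if "password" in report["status"].lower():
            findings.append("credential-scanning module reporting a result")
    return findings

def analyze(dump_text: str = POSTED_DUMP) -> dict:
    """Decode a dump and summarise where the segment went and what it carried."""
    seg = parse_frame(parse_hexdump(dump_text))
    return {"src": seg.src, "dst": seg.dst, "dport": seg.dport,
            "payload": seg.payload, "findings": classify(seg)}
```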


RE: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Geo.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Micheal
Espinola Jr


>>Regardless of "a LOT of Windows 2000 out there...", these companies
weren't bitten the same day the initial exploit was released.  6 days
is plenty of time to have tested compatibility and to distribute the
patch.<<

How can you allow a vendor to take 6 months to a year to release a patch and
then say 6 days is plenty of time to test and patch?

You know, I was sure when MS announced there would be 6 patches for August
that one of them would be one of these
http://www.eeye.com/html/research/upcoming/index.html but I guess not... 141
days and counting, and it will get released when MS hears that someone has
written and released an exploit for it, then of course all of us have 6 days
to live..

Geo.



Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Peter Besenbruch

Fergie (Paul Ferguson) wrote:

> I'll tell you why -- [snip]
>
> So there you have it -- there's still a LOT of Windows 2000 out
> there...
>
> Having said that, you also have to realize that from the time the
> MS05-039 vulnerability was disclosed (and the exploit code was
> released the same day), to the time that very large enterprises had
> to deploy it was very, very short compared to threats of the past.


When reading Seltzer's article, it's easy enough to see the gaping hole
in his logic. He basically argued that XP and 2003 were not going to be
affected (he appears to be changing his mind on this), and that
corporations that used 2000 all used firewalls. Unfortunately, he failed
to see the effect an infected laptop would have, of bringing an infected
machine inside the perimeter.


-- Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:

> You [Seltzer] also say, "If it had been International Paper or some
> company like that rather than media outlets I suspect it wouldn't be
> getting all this attention". While this is likely true, this
> exemplifies the need to take security matters more seriously.


I question this a little. First, I haven't heard anything about
International Paper, but have heard about SBC, UPS and quite a few 
others. I also suspect many more companies were severely impacted, but 
won't step forward to admit it. The news agencies, to their credit, DID 
admit it and reported it.


> ...I'm not trying to badger you, but in light of the Disney, CNN, ABC,
> and The New York Times mishaps (amongst others), I must admit that
> I'm glad I don't follow your column or style of advice.


No kidding. Nor do I like Seltzer's lack of candor after being caught so
far off base. It's a very human reaction, but one which damages his
credibility and sullies the reputation of eWeek.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Micheal Espinola Jr
This issue affects XP and W2K3 systems as well.  I don't see the
argument of W2K being "on the back burner" as having any relation to
this thread.

Regardless of "a LOT of Windows 2000 out there...", these companies
weren't bitten the same day the initial exploit was released.  6 days
is plenty of time to have tested compatibility and to distribute the
patch.

PnP is not a show stopper when it comes to patch compatibility testing
- especially considering the fact that the exploit allows for remote
code execution and elevation of privilege.  Perhaps certain people
need to learn or take a refresher course of what that exactly implies.

And I'd say it is just that simple when you consider the fact that San
Diego County waited to install the patch *the night after* they got
hit by the worm.  *That's* why organizations like San Diego County,
with ~12,000 Win2k hosts, were bitten so badly.

Greg Smith, the county's assessor, recorder and clerk, said "As long
as we're up (today), we'll be fine".  Greg Smith is thinking much too
lightly of the situation.  Their systems just got hit with an exploit
that allows for remote code execution and elevation of privilege.  If
I was him, I would be very concerned about data theft, and performing
network wide audits.

"Yesterday's crash marked the third time in recent weeks that
significant computer problems have affected county government."  Well,
enough said about Greg Smith or whoever manages SDC's systems...

Let's take a look at the ISS advisory that makes a respectful analysis
of the phrase "code execution and elevation of privilege":

"Successful exploitation of this vulnerability could be leveraged to
gain complete control over target systems, and might lead to malware
installation, exposure of confidential information, or further network
compromise. Due to the widespread use of the affected operating
systems and the critical nature of component affected, it is likely
that servers and desktops used for a wide variety of purposes are
vulnerable to this issue."

The initial exploited fault aside, I see no excuse for this.


On 8/17/05, Fergie (Paul Ferguson) <[EMAIL PROTECTED]> wrote:
> It's not that simple.
> 
> Why such success with a worm targeted at specific
> vulnerabilities in Win2k?
> 
> I'll tell you why -- the answer is spelled out (correctly)
> in an article written by Ina Fried in a June 28th, 2005,
> C|Net News article entitled "Windows 2000 moves to the
> back burner", which discussed Microsoft's end-of-life
> support for the OS platform.
> 
> Here are a couple of key excerpts:
> 
> [snip]
> 
> Microsoft on Tuesday issued what is expected to be its last significant 
> revision of Windows 2000.
> 
> The software maker released what it calls an Update Rollup for the 5-year-old 
> operating system, which is due to shift at the end of this month from 
> receiving mainstream support to extended support. Microsoft does not 
> generally add features to a product under extended support, and the Update 
> Rollup is largely a collection of previously released patches as opposed to a 
> batch of new features.
> 
> In addition to already released fixes, the collection "may contain fixes for 
> non-public low- and moderate-level security issues that did not warrant 
> individual security bulletins," a Microsoft representative said.
> 
> [...and:]
> 
> Although Windows 2000 has been followed by several other Windows versions, 
> the software remains extremely popular in corporations and small businesses. 
> It still accounts for nearly half of all Windows-based business desktops, 
> according to a recent survey by AssetMetrix.
> 
> [snip]
> 
> http://news.com.com/Windows+2000+moves+to+the+back+burner/2100-1016_3-5766696.html
> 
> So there you have it -- there's still a LOT of Windows 2000 out there...
> 
> Having said that, you also have to realize that from the time
> the MS05-039 vulnerability was disclosed (and the exploit code was
> released the same day), to the time that very large enterprises
> had to deploy it was very, very short compared to threats of the
> past.
> 
> That's why organizations like San Diego County, with ~12,00
> Win2k hosts, were bitten so badly.
> 
> http://www.signonsandiego.com/news/metro/20050817--7m17worm1.html
> 
> It's just not that simple...
> 
> - ferg
> 
> 
> -- Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
> 
> Thanks for correcting my spelling error.
> 
> You mention that this issue "will have little or no presence on
> consumer systems", but you do realize that you are writing for the
> "Enterprise News & Reviews" magazine, eWeek - right?  You also realize
> that MS05-039 affects the current "consumer" version of Microsoft
> Windows (aka Windows XP) - right?
> 
> You also say, "If it had been International Paper or some company like
> that rather than media outlets I suspect it wouldn't be getting all
> this attention".  While this is likely true, this exemplifies the need
> to take security matters more seriously.  MS05-039 wa

Re: [Full-disclosure] Disney Down?

2005-08-17 Thread Mike Sawicki
On Wed, Aug 17, 2005 at 11:07:26AM -0700, [EMAIL PROTECTED] wrote:
> 
> 
> 
> On Tue, 16 Aug 2005 [EMAIL PROTECTED] wrote:
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
> > Symantec: Win32.Zotob.E
> > McAfee: exploit-dcomrpc
> > Kaspersky: Net-Worm.Win32.Small.d
> 
> The IRC server this worm uses is 72.20.27.115, #tbp -- does anyone know
> what port?  Is the host down from the virus's DoS of the IRC server?
> 

It looks like many major ISPs have null routed or prohibited access
to this address.

--
Mike Sawicki ([EMAIL PROTECTED])


RE: [Full-disclosure] Disney Down?

2005-08-17 Thread fd



On Tue, 16 Aug 2005 [EMAIL PROTECTED] wrote:
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
> Symantec: Win32.Zotob.E
> McAfee: exploit-dcomrpc
> Kaspersky: Net-Worm.Win32.Small.d

The IRC server this worm uses is 72.20.27.115, #tbp -- does anyone know
what port?  Is the host down from the virus's DoS of the IRC server?


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770



It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Fergie (Paul Ferguson)
It's not that simple.

Why such success with a worm targeted at specific
vulnerabilities in Win2k?

I'll tell you why -- the answer is spelled out (correctly)
in an article written by Ina Fried in a June 28th, 2005,
C|Net News article entitled "Windows 2000 moves to the
back burner", which discussed Microsoft's end-of-life
support for the OS platform.

Here are a couple of key excerpts:

[snip]

Microsoft on Tuesday issued what is expected to be its last significant 
revision of Windows 2000.

The software maker released what it calls an Update Rollup for the 5-year-old 
operating system, which is due to shift at the end of this month from receiving 
mainstream support to extended support. Microsoft does not generally add 
features to a product under extended support, and the Update Rollup is largely 
a collection of previously released patches as opposed to a batch of new 
features.

In addition to already released fixes, the collection "may contain fixes for 
non-public low- and moderate-level security issues that did not warrant 
individual security bulletins," a Microsoft representative said.

[...and:]

Although Windows 2000 has been followed by several other Windows versions, the 
software remains extremely popular in corporations and small businesses. It 
still accounts for nearly half of all Windows-based business desktops, 
according to a recent survey by AssetMetrix.

[snip]

http://news.com.com/Windows+2000+moves+to+the+back+burner/2100-1016_3-5766696.html

So there you have it -- there's still a LOT of Windows 2000 out there...

Having said that, you also have to realize that from the time
the MS05-039 vulnerability was disclosed (and the exploit code was
released the same day), to the time that very large enterprises
had to deploy it was very, very short compared to threats of the
past.

That's why organizations like San Diego County, with ~12,00
Win2k hosts, were bitten so badly.

http://www.signonsandiego.com/news/metro/20050817--7m17worm1.html

It's just not that simple...

- ferg


-- Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:

Thanks for correcting my spelling error.

You mention that this issue "will have little or no presence on
consumer systems", but you do realize that you are writing for the
"Enterprise News & Reviews" magazine, eWeek - right?  You also realize
that MS05-039 affects the current "consumer" version of Microsoft
Windows (aka Windows XP) - right?

You also say, "If it had been International Paper or some company like
that rather than media outlets I suspect it wouldn't be getting all
this attention".  While this is likely true, this exemplifies the need
to take security matters more seriously.  MS05-039 was issued on
August 9, 2005, and major companies were still exploited 6 days later.
Your own story emphasizes the lack of consideration that is still
being given to security vulnerabilities, even though Microsoft is
continuously scrutinized at a product level for what is increasingly
related to poor administrative and security practices.

Applying this particular patch takes mere moments to download (a
500-600k file depending on your OS), moments to install, and a
recommended reboot (although only 3% of the systems I personally
patched technically required it).

The entire procedure for patching a single system would require less
than 5 minutes to perform (omitting the time of the reboot). 
Distribution of this patch on scale is also relatively trivial for
someone whose position it is to do it.

Trivializing this (or any) security patch is quite a gamble.  As
Security Center Editor for eWeek, it surprises me that you would take
such a position.  Any vulnerability that would allow for remote code
execution and elevation of privilege should be treated as a top
priority, from both internal and external attack vectors.  An issue
such as this should not be treated as a likelihood; it should be
treated as a possibility.  When you think in this manner, your
priorities change.

I'm not trying to badger you, but in light of the Disney, CNN, ABC,
and The New York Times mishaps (amongst others), I must admit that I'm
glad I don't follow your column or style of advice.



On 8/17/05, Larry Seltzer <[EMAIL PROTECTED]> wrote:
> >>"So patch your systems, but don't miss your kid's play in order to do it.
> We've seen a lot worse than this in the past."
> >>Brilliant advise[sic]!
> 
> Yeah, clearly I timed the column badly, but I still think there's more smoke
> than fire on this outbreak. If it had been International Paper or some
> company like that rather than media outlets I suspect it wouldn't be getting
> all this attention. I also think it's fair to say that when it dies down,
> relatively soon, it won't achieve the endemic status of Blaster and Sasser
> because it will have little or no presence on consumer systems.
> 
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.ziffdavis.com/seltzer
> Contributing Editor, PC Magazine
> [E

RE: [Full-disclosure] Disney Down?

2005-08-17 Thread Larry Seltzer
>>you do realize that you are writing for the "Enterprise News & Reviews"
magazine, eWeek - right?  

Yeah. Online we get a little leeway on such things, and anyway it's beside
the point of that statement, which was that none of the current attacks will
directly infect Windows XP systems, including consumer systems, and
therefore will not linger there. To illustrate the point, it's a long time
now since the RPC/DCOM bug was patched and still there are lots of infected
systems out there spitting Blaster at the world; how many do you think are
in Fortune 500 companies as opposed to consumer systems?

>>You also realize that MS05-039 effects the current "consumer" version of
Microsoft Windows (aka Windows XP) - right?

The vulnerability does, but not any (to my knowledge, as of 12:something on
Wednesday) of the exploits. It affects Windows XP differently than it does
Windows 2000; with Windows XP SP1 it requires an authenticated user, with
SP2 it requires an authenticated user with "log on locally" rights. This
means that the worm will have to add something like a dictionary attack to
look for weak user/password combinations.

I don't disagree with what you say about security practices and the need to
patch quickly. This attack came on very quickly and I think it reveals more
about bad general security practices than slow patching practices. 

>>Any vulnerability that would allow for remote code execution and elevation
of privilege should be treated as a top priority, from both internal and
external attack vectors. 

It's clear that large companies won't patch immediately without some
testing, and I can respect that. The answer isn't that they should shut up
and patch, it's that they should have effective layered security practices
in place that would mitigate attacks such as this even without the patches.
I shouldn't be surprised that there is so much bad security out in Fortune
500-land, but the answer to it is not to patch next-day.

And I still think that the overall scale of this attack was exaggerated
because it was media that was hit, and that the worm doesn't have long-term
legs.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 




Re: [Full-disclosure] Disney Down?

2005-08-17 Thread Micheal Espinola Jr
Thanks for correcting my spelling error.

You mention that this issue "will have little or no presence on
consumer systems", but you do realize that you are writing for the
"Enterprise News & Reviews" magazine, eWeek - right?  You also realize
that MS05-039 affects the current "consumer" version of Microsoft
Windows (aka Windows XP) - right?

You also say, "If it had been International Paper or some company like
that rather than media outlets I suspect it wouldn't be getting all
this attention".  While this is likely true, this exemplifies the need
to take security matters more seriously.  MS05-039 was issued on
August 9, 2005, and major companies were still exploited 6 days later.
Your own story emphasizes the lack of consideration that is still
being given to security vulnerabilities, even though Microsoft is
continuously scrutinized at a product level for what is increasingly
related to poor administrative and security practices.

Applying this particular patch takes mere moments to download (a
500-600k file depending on your OS), moments to install, and a
recommended reboot (although only 3% of the systems I personally
patched technically required it).

The entire procedure for patching a single system would require less
than 5 minutes to perform (omitting the time of the reboot). 
Distribution of this patch on scale is also relatively trivial for
someone whose position it is to do it.

Trivializing this (or any) security patch is quite a gamble.  As
Security Center Editor for eWeek, it surprises me that you would take
such a position.  Any vulnerability that would allow for remote code
execution and elevation of privilege should be treated as a top
priority, from both internal and external attack vectors.  An issue
such as this should not be treated as a likelihood; it should be
treated as a possibility.  When you think in this manner, your
priorities change.

I'm not trying to badger you, but in light of the Disney, CNN, ABC,
and The New York Times mishaps (amongst others), I must admit that I'm
glad I don't follow your column or style of advice.



On 8/17/05, Larry Seltzer <[EMAIL PROTECTED]> wrote:
> >>"So patch your systems, but don't miss your kid's play in order to do it.
> We've seen a lot worse than this in the past."
> >>Brilliant advise[sic]!
> 
> Yeah, clearly I timed the column badly, but I still think there's more smoke
> than fire on this outbreak. If it had been International Paper or some
> company like that rather than media outlets I suspect it wouldn't be getting
> all this attention. I also think it's fair to say that when it dies down,
> relatively soon, it won't achieve the endemic status of Blaster and Sasser
> because it will have little or no presence on consumer systems.
> 
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.ziffdavis.com/seltzer
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
> 
> 
>


RE: [Full-disclosure] Disney Down?

2005-08-17 Thread DudeVanWinkle
While the viri will be found and removed, the passwords might remain
(especially in a domain).

hmm good _bad_ thinking

-Dude


RE: [Full-disclosure] Disney Down?

2005-08-17 Thread Jan Nielsen
Yes I noticed that, what I am wondering is if the msg sent is to
indicate that the local user password is weak in some way? Does anyone
know this ntscan util? Is it maybe a part of the RBOT design or
something, I have run it through the IDA 4.8 disassembler and the
functions imported correspond to the ones I have seen, so I don't think
there are any unpleasant surprises hidden within the program, but still
it would be nice to know if this somehow is compromising some
credentials on the customer's installed base?

Jan


-Original Message-
From: John Smith [mailto:[EMAIL PROTECTED] 
Sent: 17. august 2005 17:41
To: Jan Nielsen
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Disney Down?

I joined said IRC channel, and the topic is ".ntscan 100 120 -a -b" so
it appears to be joining the channel and getting parameters for this
"ntscan program"

--M

Jan Nielsen wrote:
> I was at a customer today with this problem, initially their network was
> acting up and some ppl couldn't logon to the servers in the morning.
> We found the file "kilo.exe" on some machines that apparently had not
> been patched, one thing I noticed while running this file on a vmware xp
> sp1 is that it connects to an irc server @ 61.220.217.49 on port 4128
> and logs in to it with password : 146751dhzx
> Then it sets a few commands :
> 
> JOIN #100+
> MODE #100+ +nts
> 
> Which for an RBOT virus in itself is nothing special, but I noticed one
> thing in my sniffer trace that got me a bit worried, this is a packet
> sent from the infected pc to the irc server :
> 
> 0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
> 0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
> 0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
> 0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
> 0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
> 0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
> 0060   0a                                               .
> 
> Anyone know what this could be ?
> 
> Regards
> Jan
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: 17. august 2005 00:54
> To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] Disney Down?
> 
> MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)
> 
> Trend Micro: WORM_RBOT.CBQ -
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
> Symantec: Win32.Zotob.E
> McAfee: exploit-dcomrpc
> Kaspersky: Net-Worm.Win32.Small.d
> 
> This is what is on CNN right now.
> 
> -Original Message-
> From: [EMAIL PROTECTED] on behalf of David Wilde
> Sent: Tue 8/16/2005 5:13 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Disney Down?
>  
> A buddy of mine whose fiancée works for Disney just told me that they
> have sent everyone home for the day.  When I say everyone I mean,
> Disney Land, Disney World, Disney Corporate, etc...  He's not sure
> what the virus is called but it's apparently very nasty.  Anyone have
> any more info on this?
> 
> 




RE: [Full-disclosure] Disney Down?

2005-08-17 Thread Michael Young
I believe NTScan will attempt to crack share passwords to further spread the
worm itself.  What concerns me is that this vulnerability is exploitable
with local privileges under XP/2003 systems.  Weak accounts will make XP
system infection a definite possibility.

Thank you,
 
Michael Young
IT Consultant
Miles Technologies
 
Tel: 856.439.0999
[EMAIL PROTECTED]
 
Visit our website at www.milestechnologies.com
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jan Nielsen
Sent: Wednesday, August 17, 2005 11:36 AM
To: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Disney Down?

I was at a customer today with this problem, initially their network was
acting up and some ppl couldn't logon to the servers in the morning.
We found the file "kilo.exe" on some machines that apparently had not
been patched, one thing I noticed while running this file on a vmware xp
sp1 is that it connects to an irc server @ 61.220.217.49 on port 4128
and logs in to it with password : 146751dhzx
Then it sets a few commands :

JOIN #100+
MODE #100+ +nts

Which for an RBOT virus in itself is nothing special, but I noticed one
thing in my sniffer trace that got me a bit worried, this is a packet
sent from the infected pc to the irc server :

0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060   0a                                               .

Anyone know what this could be ?

Regards
Jan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 17. august 2005 00:54
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Disney Down?

MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)

Trend Micro: WORM_RBOT.CBQ -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
Symantec: Win32.Zotob.E
McAfee: exploit-dcomrpc
Kaspersky: Net-Worm.Win32.Small.d

This is what is on CNN right now.

-Original Message-
From: [EMAIL PROTECTED] on behalf of David Wilde
Sent: Tue 8/16/2005 5:13 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Disney Down?
 
A buddy of mine whose fiancée works for Disney just told me that they
have sent everyone home for the day.  When I say everyone I mean,
Disney Land, Disney World, Disney Corporate, etc...  He's not sure
what the virus is called but it's apparently very nasty.  Anyone have
any more info on this?



RE: [Full-disclosure] Disney Down?

2005-08-17 Thread Fergie (Paul Ferguson)
See:

http://www.f-secure.com/weblog/#0631

It could be any one of 11 variants at this point...

- ferg


-- "Jan Nielsen" <[EMAIL PROTECTED]> wrote:

I was at a customer today with this problem, initially their network was
acting up and some ppl couldn't logon to the servers in the morning.
We found the file "kilo.exe" on some machines that apparently had not
been patched, one thing I noticed while running this file on a vmware xp
sp1 is that it connects to an irc server @ 61.220.217.49 on port 4128
and logs in to it with password : 146751dhzx
Then it sets a few commands :

JOIN #100+
MODE #100+ +nts

Which for an RBOT virus in itself is nothing special, but I noticed one
thing in my sniffer trace that got me a bit worried, this is a packet
sent from the infected pc to the irc server :

0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060   0a                                               .

Anyone know what this could be ?

Regards
Jan





Re: [Full-disclosure] Disney Down?

2005-08-17 Thread John Smith
I joined said IRC channel, and the topic is ".ntscan 100 120 -a -b" so
it appears to be joining the channel and getting parameters for this
"ntscan program"


--M

Jan Nielsen wrote:

> I was at a customer today with this problem, initially their network was
> acting up and some ppl couldn't logon to the servers in the morning.
> We found the file "kilo.exe" on some machines that apparently had not
> been patched, one thing I noticed while running this file on a vmware xp
> sp1 is that it connects to an irc server @ 61.220.217.49 on port 4128
> and logs in to it with password : 146751dhzx
> Then it sets a few commands :
> 
> JOIN #100+
> MODE #100+ +nts
> 
> Which for an RBOT virus in itself is nothing special, but I noticed one
> thing in my sniffer trace that got me a bit worried, this is a packet
> sent from the infected pc to the irc server :
> 
> 0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
> 0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
> 0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
> 0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
> 0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
> 0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
> 0060   0a                                               .
> 
> Anyone know what this could be ?
> 
> Regards
> Jan
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 17. august 2005 00:54
> To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] Disney Down?
> 
> MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)
> 
> Trend Micro: WORM_RBOT.CBQ -
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
> Symantec: Win32.Zotob.E
> McAfee: exploit-dcomrpc
> Kaspersky: Net-Worm.Win32.Small.d
> 
> This is what is on CNN right now.
> 
> -Original Message-
> From: [EMAIL PROTECTED] on behalf of David Wilde
> Sent: Tue 8/16/2005 5:13 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Disney Down?
> 
> A buddy of mine whose fiancée works for Disney just told me that they
> have sent everyone home for the day.  When I say everyone I mean,
> Disney Land, Disney World, Disney Corporate, etc...  He's not sure
> what the virus is called but it's apparently very nasty.  Anyone have
> any more info on this?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Disney Down?

2005-08-17 Thread Jan Nielsen
I was at a customer today with this problem; initially their network was
acting up and some people couldn't log on to the servers in the morning.
We found the file "kilo.exe" on some machines that apparently had not
been patched. One thing I noticed while running this file on a VMware XP
SP1 machine is that it connects to an IRC server at 61.220.217.49 on port
4128 and logs in to it with the password 146751dhzx.
Then it sends a few commands:

JOIN #100+
MODE #100+ +nts

Which, for an RBOT virus, is in itself nothing special, but I noticed one
thing in my sniffer trace that got me a bit worried. This is a packet
sent from the infected PC to the IRC server:

0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00   ..S+....).g...E.
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc   .S..@....F..d.=.
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18   .1... "..[....P.
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31   ?1....PRIVMSG #1
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a   00+ :[.NTScan.]:
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d    Weakpassword...
0060   0a                                                .

Anyone know what this could be ?

Regards
Jan

[...]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
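The frame Jan posted, decoded end to end. This is an added example written for this page, not code from any poster in the thread. It parses the hex dump exactly as it appears in the post (the first line's offset column, lost in the archive, is taken to be 0000), walks the Ethernet II, IPv4 and TCP headers, and splits the IRC line into command and parameters with IRC formatting control codes stripped. The header layouts and the IRC control characters (0x02 is bold) are standard; nothing here assumes anything about the bot beyond what the bytes show, and the hexdump parser is written generally enough to take a tcpdump or Wireshark dump with or without an ASCII column.

```python
"""Decode the bot-to-IRC-server frame from the sniffer trace above.

Added example for this thread, not code from any poster.  POSTED_FRAME is
transcribed from the post; the first line's offset column (missing in the
archive) is restored as 0000.  Everything else is plain Ethernet II / IPv4 /
TCP / IRC decoding.
"""
import re
import struct

POSTED_FRAME = """\
0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d
0060   0a
"""

_OFFSET = re.compile(r"^[0-9a-fA-F]{4,8}:?\s+")   # leading offset column, if any
_HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")
# IRC formatting codes: bold, reset, reverse, italic, underline, colour (+args)
_IRC_FMT = re.compile(r"[\x02\x0f\x16\x1d\x1f]|\x03(?:\d{1,2}(?:,\d{1,2})?)?")
_TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
              ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse a tcpdump/Wireshark-style hex dump: [offset] bytes [ASCII column].

    The ASCII column is separated from the bytes by two or more spaces, which
    is how both tools print it; it is cut off before the bytes are read.
    """
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        line = _OFFSET.sub("", line, count=1)              # offset may be absent
        line = re.split(r"\s{2,}", line, maxsplit=1)[0]    # drop ASCII column
        for tok in line.split():
            if not _HEX_PAIR.match(tok):
                raise ValueError(f"unexpected token in hex dump: {tok!r}")
            out.append(int(tok, 16))
    return bytes(out)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP and return the headers plus TCP payload."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    ver_ihl, ttl, proto = ip[0], ip[8], ip[9]
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]                  # IP total length bounds the segment
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4         # TCP header length in bytes
    flags = [name for name, bit in _TCP_FLAGS if off_flags & bit]
    return {
        "src_mac": _mac(frame[6:12]), "dst_mac": _mac(frame[:6]),
        "src_ip": _ipv4(ip[12:16]), "dst_ip": _ipv4(ip[16:20]),
        "ttl": ttl, "ip_total_length": total_len,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flags, "payload": tcp[data_off:],
    }


def parse_irc_line(payload: bytes) -> dict:
    """Split one IRC line into prefix, command and params, plus a de-formatted copy."""
    text = payload.decode("latin-1").rstrip("\r\n")
    prefix = None
    if text.startswith(":"):                 # server/nick prefix, if present
        prefix, text = text[1:].split(" ", 1)
    if " :" in text:                         # trailing parameter may contain spaces
        head, trailing = text.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = text.split()
    return {
        "prefix": prefix,
        "command": params[0].upper(),
        "params": params[1:],
        "plain": [_IRC_FMT.sub("", p) for p in params[1:]],
    }


def analyse(dump: str = POSTED_FRAME) -> dict:
    """Hex dump -> decoded headers -> parsed IRC message, as one record."""
    rec = decode_frame(hexdump_to_bytes(dump))
    rec["irc"] = parse_irc_line(rec.pop("payload"))
    return rec


if __name__ == "__main__":
    r = analyse()
    print(f"{r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']} "
          f"[{','.join(r['flags'])}] ttl={r['ttl']} src_mac={r['src_mac']}")
    print(r["irc"]["command"], r["irc"]["plain"])
```

Two things fall out of the decode that the raw dump hides. The source MAC 00:0c:29:ce:67:a3 carries VMware's 00:0c:29 OUI and the IP TTL is 128, both consistent with the VMware XP guest Jan ran the sample in; on a real capture those fields tell you which host to go and pull. And the report is a PRIVMSG to the channel #100+ rather than to a user, so every bot sitting in that channel sees every other bot's scan results along with the operator. That is what makes the payload worth alerting on: outbound IRC traffic to a non-standard port whose PRIVMSG text names a scanner module is a bot reporting in, whatever the binary is called.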


RE: [Full-disclosure] Disney Down?

2005-08-17 Thread Larry Seltzer
>> I also think it's fair to say that when it dies down, relatively soon, it
>> won't achieve the endemic status of Blaster and Sasser because it will have
>> little or no presence on consumer systems.

Actually, I take that back a bit; I'm sure the Windows XP-based worms and
bots will adopt MS05-039 as one of the many techniques they use to try to
spread, but before too long there won't be much actual infection going on
via this vulnerability.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Disney Down?

2005-08-17 Thread Larry Seltzer
>> "So patch your systems, but don't miss your kid's play in order to do it.
>> We've seen a lot worse than this in the past."
>> Brilliant advise[sic]!

Yeah, clearly I timed the column badly, but I still think there's more smoke
than fire on this outbreak. If it had been International Paper or some
company like that rather than media outlets I suspect it wouldn't be getting
all this attention. I also think it's fair to say that when it dies down,
relatively soon, it won't achieve the endemic status of Blaster and Sasser
because it will have little or no presence on consumer systems.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-17 Thread xyberpix

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

That goes for me as well please, I need a copy of this urgently as well.
Off list though please.

Thanks

xyberpix

On 16 Aug 2005, at 23:57, Poof wrote:


[...]



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDAynjcRMkOnlkwMERAgJEAJ47wFJ4Cg38TreyK7464R3/Tq726ACfWeQa
bEKByd68XI+kKYhk30e9Jss=
=z+/B
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-17 Thread Micheal Espinola Jr
"So patch your systems, but don't miss your kid's play in order to do
it. We've seen a lot worse than this in the past."

Brilliant advise!


On 8/17/05, Peter Besenbruch <[EMAIL PROTECTED]> wrote:
> [...]


-- 
ME2  
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-17 Thread Peter Besenbruch

Frank Stein wrote:

Check cnn.com now. According to them, a new Win2000 virus is out now in
the wild and infecting at a rapid rate.

http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html

maybe this is the one.


Check out this article by Larry Seltzer of eWeek, where he predicts 
earlier on August 16 that MS05-039 "is just not a conducive bug."

http://www.eweek.com/article2/0,1895,1848696,00.asp

I look forward to Mr Seltzer's updates. ;)
--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-16 Thread Morning Wood
> Check cnn.com now. According to them, a new Win2000 virus is out now in
> the wild and infecting at a rapid rate.

this is soo last week ( gah! )
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-16 Thread Frank Stein
Check cnn.com now. According to them, a new Win2000 virus is out now in
the wild and infecting at a rapid rate.

http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html

maybe this is the one.

On 8/16/05, David Wilde <[EMAIL PROTECTED]> wrote:
> A buddy of mine whose fiancée works for Disney just told me that they
> have sent everyone home for the day.  When I say everyone I mean,
> Disney Land, Disney World, Disney Corporate, etc...  He's not sure
> what the virus is called but it's apparently very nasty.  Anyone have
> any more info on this?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-16 Thread Morning Wood
Has anyone noticed this all took place on Monday, 3 full days after the worm
was released?
Seems to me that these Corps were infected on Monday from (probable) users
connecting to internal networks via laptops brought in from home, after
being connected to their home connections while their laptops were unpatched.
This is not a Microsoft/worm problem; this is an internal network issue for
those Corps affected. They should have had proper filtering in place (esp.
after the MsBlaster fiasco).

my2bits,
mw
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-16 Thread pingywon

Disney World CLOSED!


It can't be... blame it on the terrorists and save face, Mickey.


- Original Message - 
From: "David Wilde" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, August 16, 2005 6:13 PM
Subject: [Full-disclosure] Disney Down?


A buddy of mine whose fiancée works for Disney just told me that they
have sent everyone home for the day.  When I say everyone I mean,
Disney Land, Disney World, Disney Corporate, etc...  He's not sure
what the virus is called but it's apparently very nasty.  Anyone have
any more info on this?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Disney Down?

2005-08-16 Thread Poof
If somebody could email me a sample of this off-list I'd very much
appreciate it.

Thanks,

~

[...]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Disney Down?

2005-08-16 Thread sk3tch
MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)

Trend Micro: WORM_RBOT.CBQ -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
Symantec: Win32.Zotob.E
McAfee: exploit-dcomrpc
Kaspersky: Net-Worm.Win32.Small.d

This is what is on CNN right now.

-Original Message-
From: [EMAIL PROTECTED] on behalf of David Wilde
Sent: Tue 8/16/2005 5:13 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Disney Down?
 
A buddy of mine whose fiancée works for Disney just told me that they
have sent everyone home for the day.  When I say everyone I mean,
Disney Land, Disney World, Disney Corporate, etc...  He's not sure
what the virus is called but it's apparently very nasty.  Anyone have
any more info on this?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Disney Down?

2005-08-16 Thread Andre Protas
They're still open for business; at least Disneyland is, until midnight.

 
Signed,

Andre Derek Protas
Security Researcher
eEye Digital Security
aprotas eeye com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-16 Thread Dave @ Allnix, LLC
> A buddy of mine whose fiancée works for Disney just told me that they
> have sent everyone home for the day.  When I say everyone I mean,
> Disney Land, Disney World, Disney Corporate, etc...  He's not sure
> what the virus is called but it's apparently very nasty.  Anyone have
> any more info on this?
>

I also heard the same thing from my friend who works at T-Mobile. They
all got sent home because something nailed their network pretty good.



Dave

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Disney Down?

2005-08-16 Thread Fergie (Paul Ferguson)
Perhaps the same problem as CNN, ABC, etc:

http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html

- ferg




-- David Wilde <[EMAIL PROTECTED]> wrote:

A buddy of mine whose fiancée works for Disney just told me that they
have sent everyone home for the day.  When I say everyone I mean,
Disney Land, Disney World, Disney Corporate, etc...  He's not sure
what the virus is called but it's apparently very nasty.  Anyone have
any more info on this?


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/