RE: MSBLASTER Infecting despite 03-026 patch?

From: Joe Blatz (sd_wirelessat_private)
Date: Thu Aug 14 2003 - 08:08:38 PDT

Next message: Marc Maiffret: "RE: MSBLASTER Infecting despite 03-026 patch?"

Previous message: Jay Woody: "Re: MSBlast and other known exploits.."
In reply to: Jonathan Bloomquist: "RE: MSBLASTER Infecting despite 03-026 patch?"
Next in thread: Marc Maiffret: "RE: MSBLASTER Infecting despite 03-026 patch?"
Next in thread: Mike Dresser: "RE: MSBLASTER Infecting despite 03-026 patch?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

No. No! NO!

Do not use the presence of the registry key. This is
no more effective than WindowsUpdate or UpdateExpert.
Check for the files listed here:
http://support.microsoft.com/?kbid=823980

That is how to tell whether or not the patch is fully
installed.

--- Jonathan Bloomquist <bocasolutionsat_private>
wrote:
> I have been using the Retina DCOM scanner and it is
> working very well.  After patching some systems,
> they
> still scanned as vulnerable.  On NT, we were using
> the
> presence of the registry key
> HKLM\Software\Microsoft\Windows NT\Current
> Version\Hotfix\Q823980 to verify that the
> workstations
> were patched, but I found a workstation that had the
> registry key, but still scanned as vulnerable.
> 
> Apparently something interfered with the
> installation
> before the .dlls or .exe could be loaded but after
> the
> registry key was created.  Repatching the affected
> systems fixed them.  
> 
> This seemed to happen on workstations that were not
> up
> to service pack 6a.  The hotfix would terminate and
> the user would reboot without noticing the error.
> 
> --- Marc Maiffret <marcat_private> wrote:
> > I cant speak for the other tools but Retina's
> latest
> > version of the check
> > should be rather accurate. If your having any
> > problems though let me know.
> > 
> > Signed,
> > Marc Maiffret
> > Chief Hacking Officer
> > eEye Digital Security
> > T.949.349.9062
> > F.949.349.9538
> > http://eEye.com/Retina - Network Security Scanner
> > http://eEye.com/Iris - Network Traffic Analyzer
> > http://eEye.com/SecureIIS - Stop known and unknown
> > IIS vulnerabilities
> > 
> > | -----Original Message-----
> > | From: Carter, Mike
> > [mailto:Mike_Carterat_private]
> > | Sent: Monday, August 11, 2003 10:35 PM
> > | To: Charles Hamby; incidentsat_private
> > | Subject: RE: MSBLASTER Infecting despite 03-026
> > patch?
> > |
> > |
> > | This is something that really worries me, I've
> > heard it to.
> > | Also I am getting conflicting results when
> > scanning for the patch
> > | installation. I've been using MBSA, GFI LANguard
> > and Retina which all
> > | tell me something different.
> > | Which one should I trust??
> > | Or is there something else I should be using?
> > |
> > | Thanks
> > | Mike
> > |
> > | -----Original Message-----
> > | From: Charles Hamby [mailto:fixerat_private]
> > | Sent: Tuesday, August 12, 2003 5:13 PM
> > | To: incidentsat_private
> > | Subject: MSBLASTER Infecting despite 03-026
> patch?
> > |
> > |
> > | I have seen, and have heard other reports of,
> > msblaster.exe worm
> > | infecting a Windows computer that had the proper
> > KB patch specified by
> > | the 03-026 advisory.  In the instance I
> personally
> > saw it was a Windows
> > | XP Professional workstation that was completely
> > patched.  The person who
> > | used the workstation was surprised that they
> were
> > infected since they
> > | has applied the patch and I verified (via
> > Add/Remove Programs) that they
> > | did, indeed have the proper patch applied.  I
> > checked with my parent
> > | organization and they had been receiving
> sporadic
> > reports of patched
> > | machines being infected despite being patched. 
> > Unfortunately I removed
> > | the worm from the computer without copying it so
> I
> > don't have a backup
> > | of it for analysis.
> > |
> > |
> > |
> > | Has anyone else been seeing this phenomenon or
> do
> > they have any idea why
> > | this might have or might be happening? I know
> for
> > a fact the patch that
> > | was used came straight from Microsoft so I don't
> > suspect a faulty patch.
> > |
> > |
> > | Charles Hamby
> > |
> > |
> > |
> >
>
------------------------------------------------------------------------
> > | ---
> > |
> >
>
------------------------------------------------------------------------
> > | ----
> > |
> > |
> > |
> >
>
------------------------------------------------------------------
> > | ---------
> > |
> >
>
------------------------------------------------------------------
> > | ----------
> > |
> > |
> > 
> > 
> >
>
---------------------------------------------------------------------------
> >
>
----------------------------------------------------------------------------
> > 
> > 
> > 
> 
> 
> =====
> Jonathan Bloomquist, CISSP
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site
> design software
> http://sitebuilder.yahoo.com
> 
>
---------------------------------------------------------------------------
>
----------------------------------------------------------------------------
> 


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Marc Maiffret: "RE: MSBLASTER Infecting despite 03-026 patch?"
Previous message: Jay Woody: "Re: MSBlast and other known exploits.."
In reply to: Jonathan Bloomquist: "RE: MSBLASTER Infecting despite 03-026 patch?"
Next in thread: Marc Maiffret: "RE: MSBLASTER Infecting despite 03-026 patch?"
Next in thread: Mike Dresser: "RE: MSBLASTER Infecting despite 03-026 patch?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 11:50:37 PDT