According to Symantec's writeup, the infection sequence is as follows:

1. The attacking machine scans IP ranges by sending ICMP Echo (ping) requests. Addresses that respond to the ping are targeted. These pings carry a 64-byte data payload consisting of hex AA bytes (these can be identified on a firewall or sniffer).

2. The attacking machine will attempt to exploit the target machine on either TCP port 135 (MS RPC exploit) or 80 (IIS WebDAV exploit).

3. Once exploited, a remote shell is created on the target machine. Unlike Blaster, this shell initiates the connection from the target back to the attacker, on a random TCP port between 666 and 765.

4. The attacking machine initiates a TFTP server, and instructs the target machine to connect and download dllhost.exe and svchost.exe. Once again, this is an outbound connection from the target to the attacker.

5. The target machine sets up the downloaded files as services and starts them, and attempts to spread the worm from that point.

Since many firewalls are configured to block inbound connections but allow outbound, this allows the worm to get past a firewall through a vulnerable web server that has port 80 open on the firewall. The subsequent remote shell and TFTP connections are outbound, so unless these are blocked, the worm can get past the firewall and into a supposedly "secure" network.

KJP

--- "Logan Rogers-Follis - TNTNetworx.net" <loganat_private> wrote:
> My question is then. How does it get into a secure
> network other than
> e-mail, when no machines are taken in and out of
> the network? It has
> to spread originally through something other than
> TFTP...?
>

=====
There are no stupid questions, only stupid people asking them.
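A packet-level check for the scanning signature described in step 1, added here as an example (not code from the list post or from Symantec): it parses a raw IPv4/ICMP packet, verifies the ICMP checksum, and flags echo requests whose data is exactly 64 bytes of 0xAA, which is what a firewall or sniffer rule for this worm would look for. The sample packets are constructed inline and the addresses are placeholders.

```python
import struct

# Signature from the list post: ICMP echo requests whose data is 64 bytes of 0xAA.
WELCHIA_PAYLOAD = b"\xaa" * 64

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (used for both the IP header and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_icmp(packet: bytes):
    """Return (src, dst, icmp_type, data) for a well-formed IPv4/ICMP packet, else None."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:total_len]
    # A valid ICMP checksum re-sums (with the checksum field included) to zero.
    if ones_complement_sum(icmp) != 0:
        return None
    icmp_type = icmp[0]
    return ".".join(map(str, src)), ".".join(map(str, dst)), icmp_type, icmp[8:]

def is_welchia_ping(packet: bytes) -> bool:
    """True for an ICMP echo request (type 8) carrying exactly the 64 x 0xAA payload."""
    parsed = parse_ipv4_icmp(packet)
    return parsed is not None and parsed[2] == 8 and parsed[3] == WELCHIA_PAYLOAD

def build_echo_request(src: str, dst: str, data: bytes, ident=0x1234, seq=1) -> bytes:
    """Constructed sample input (not a capture): a minimal IPv4 + ICMP echo request."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + icmp

if __name__ == "__main__":
    # Placeholder RFC 1918 addresses; the first packet matches, the second (all-zero data) does not.
    for data in (WELCHIA_PAYLOAD, b"\x00" * 64):
        print(is_welchia_ping(build_echo_request("10.0.0.5", "10.0.0.9", data)))
```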
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 21:11:51 PDT