Re: Virus Outbreak Attacking MS05-039

Many security admins continually implement a 'hard core, soft shell'
model, which causes many of these types of vulnerabilities to spread. 
If at all possible, one of the best solutions to limit the range of
attach, I believe is separate any neccesary MS boxes into small
subdomains / virtualdomains protected by caching proxy boxes running
inexpensive OS's such as clarkconnect.  Once that level of protection
is in place, along with a corporate solution for patching machines /
updating virus definitions on a daily basis.  Just my 2 cents.

Chris

On 8/15/05, Mike <mjcarter@ihug.co.nz> wrote:
> I don't believe you can exploit MS05-039 on anything other than 445, Note
> that this thing doesn't spread via 445 it gains access through the exploit
> to start an FTP session and spreads via FTP. Of course it's always possible
> that the virus switches to a different vulnerability, it does have the
> ability to update but then we would be talking about a new variant.
>
> Mike
>
> -----Original Message-----
> From: Meni Milstein [mailto:meni@menimilstein.com]
> Sent: Tuesday, August 16, 2005 7:08 AM
> To: 'Ziots, Edward'; 'Mike'
> Cc: focus-virus@securityfocus.com
> Subject: RE: Virus Outbreak Attacking MS05-039
>
> Wow... what I meant to bring up was the question whether there was some
> other way this thing is spreading OTHER than 445 TCP.
>
> Meni.
>
>
> -----Original Message-----
> From: Ziots, Edward [mailto:EZiots@Lifespan.org]
> Sent: Monday, August 15, 2005 7:58 PM
> To: 'Meni Milstein'; 'Mike'
> Cc: focus-virus@securityfocus.com
> Subject: RE: Virus Outbreak Attacking MS05-039
>
> Well think of other avenues of attack, VPN, Dial-up unpatches systems being
> connected to your systems by vendors, just many many ways around the fun
> "firewall will protect us from everything"
>
> Z
>
> Edward Ziots
> Network Engineer
> Windows/Citrix Administrator
> Lifespan Organization
> MCSE,MCSA,MCP+I,M.E,CCA, Security +, Network +
> eziots@lifespan.org
> 401-639-3505 (Cell)
> 401-444-6926 (Office)
> 401-350-5284 (Pager)
>
>
> -----Original Message-----
> From: Meni Milstein [mailto:meni@menimilstein.com]
> Sent: Monday, August 15, 2005 2:00 PM
> To: 'Mike'
> Cc: focus-virus@securityfocus.com
> Subject: RE: Virus Outbreak Attacking MS05-039
>
>
> As far as I know, if you are firewalled correctly and have your 445 tcp port
> shut to the outside - this thing should NOT be able to get in.
> Am I wrong?
>
> Meni Milstein.
> http://www.lcs-guides.com
>
>
>
> -----Original Message-----
> From: Mike [mailto:mjcarter@ihug.co.nz]
> Sent: Monday, August 15, 2005 3:41 PM
> To: focus-virus@securityfocus.com
> Subject: Virus Outbreak Attacking MS05-039
>
> Hi List,
> Yesterday one of my customers was hit hard by what appears to be a variant
> of zotob.
> http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html
>
> This one was very (noisy) crashing services.exe and forcing re-boots on
> unpatched WIN2K machines. The boxes we've had a chance to look at were not
> infected, but were unpatched. We hope to have samples today from the same
> network and have a closer look.
>
> It's time to get patching!
>
> Regards
> Mike
>
> Mike
>
> Information Security and Logistics
> www.infosec.co.nz