
| Subject: | RE: Virus Outbreak Attacking MS05-039 |
|---|---|
| Date: | Tue, 16 Aug 2005 12:40:19 -0400 |
Chris, NO offense, but I am the security admin for my network, and we implement defense in depth and system-level hardening at the OS core, working outwards to the firewall and DMZ and internet router, so as to take a layered approach. It's more work, but if planned and implemented properly it makes it that much harder to crack each layer of security to get to the OS, just to find out it's patched and all the functionality you thought you were going to exploit doesn't work. To say that many security admins implement a hard core, soft shell model is a little off base. I would almost say these days it takes a hard core, harder shell approach, in which the firewall is only the 1st level of defense, not the last; this is followed up by IPS and IDS, honeypots, system-level access hardening, and vulnerability scanning to validate the system-level access hardening (Retina, ISS, Foundstone, Metasploit (one of my faves)). A comprehensive patch management solution and AV solution, along with continuously monitoring the changes and controlling what comes into and goes out of your network. The other area that tends to put the swiss-cheese holes in your security plan is the FDA-regulated and vendor-controlled systems, but these have been a thorn in my side ever since I have been in my position, and usually neither of these entities gets the idea of security or knows what to do sometimes to comply with an organization's security policy. (Note: I will not name names of companies that have a track record of poorly implemented and insecure systems which they tout to their customers as cutting-edge healthcare systems, but trust me, you see their ads all the time on TV; just connect the dots and you will figure out whom I am talking about.) I work on a network with over 300+ servers, 7000 workstations and 4 locations, so getting this right is no trivial matter and it's not something you implement over-night.

Just my point of view, feel free to chime in,

Edward Ziots
Network Engineer
Windows/Citrix Administrator
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Security+, Network+
eziots@lifespan.org
401-639-3505 (Cell)
401-444-6926 (Office)
401-350-5284 (Pager)

-----Original Message-----
From: Chris Wensink [mailto:chris.wensink@gmail.com]
Sent: Monday, August 15, 2005 6:10 PM
To: meni@menimilstein.com
Cc: focus-virus@securityfocus.com
Subject: Re: Virus Outbreak Attacking MS05-039

Many security admins continually implement a 'hard core, soft shell' model, which causes many of these types of vulnerabilities to spread. If at all possible, one of the best solutions to limit the range of attack, I believe, is to separate any necessary MS boxes into small subdomains / virtual domains protected by caching proxy boxes running inexpensive OSs such as ClarkConnect. Once that level of protection is in place, along with a corporate solution for patching machines / updating virus definitions on a daily basis. Just my 2 cents.

Chris

On 8/15/05, Mike <mjcarter@ihug.co.nz> wrote:

I don't believe you can exploit MS05-039 on anything other than 445. Note that this thing doesn't spread via 445; it gains access through the exploit to start an FTP session and spreads via FTP. Of course it's always possible that the virus switches to a different vulnerability; it does have the ability to update, but then we would be talking about a new variant.

Mike

-----Original Message-----
From: Meni Milstein [mailto:meni@menimilstein.com]
Sent: Tuesday, August 16, 2005 7:08 AM
To: 'Ziots, Edward'; 'Mike'
Cc: focus-virus@securityfocus.com
Subject: RE: Virus Outbreak Attacking MS05-039

Wow... what I meant to bring up was the question whether there was some other way this thing is spreading OTHER than 445 TCP.

Meni.

-----Original Message-----
From: Ziots, Edward [mailto:EZiots@Lifespan.org]
Sent: Monday, August 15, 2005 7:58 PM
To: 'Meni Milstein'; 'Mike'
Cc: focus-virus@securityfocus.com
Subject: RE: Virus Outbreak Attacking MS05-039

Well, think of other avenues of attack: VPN, dial-up, unpatched systems being connected to your systems by vendors, just many, many ways around the fun "firewall will protect us from everything".

Z

Edward Ziots
Network Engineer
Windows/Citrix Administrator
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Security+, Network+
eziots@lifespan.org
401-639-3505 (Cell)
401-444-6926 (Office)
401-350-5284 (Pager)

-----Original Message-----
From: Meni Milstein [mailto:meni@menimilstein.com]
Sent: Monday, August 15, 2005 2:00 PM
To: 'Mike'
Cc: focus-virus@securityfocus.com
Subject: RE: Virus Outbreak Attacking MS05-039

As far as I know, if you are firewalled correctly and have your 445 TCP port shut to the outside, this thing should NOT be able to get in. Am I wrong?

Meni Milstein.
http://www.lcs-guides.com

-----Original Message-----
From: Mike [mailto:mjcarter@ihug.co.nz]
Sent: Monday, August 15, 2005 3:41 PM
To: focus-virus@securityfocus.com
Subject: Virus Outbreak Attacking MS05-039

Hi List,

Yesterday one of my customers was hit hard by what appears to be a variant of Zotob. http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html

This one was very noisy, crashing services.exe and forcing re-boots on unpatched WIN2K machines. The boxes we've had a chance to look at were not infected, but were unpatched. We hope to have samples today from the same network and have a closer look.

It's time to get patching!

Regards
Mike

Mike
Information Security and Logistics
www.infosec.co.nz
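Mike's description of the spread pattern (access gained through the exploit over TCP/445, then an FTP session to pull the worm) lends itself to a simple correlation check on firewall logs. The following is an added example, not code from the thread or from any of its authors: it parses constructed firewall allow-log lines (the line format is an assumption) and flags any host that, shortly after accepting an inbound 445 connection, opens an FTP session (port 21 assumed) back to the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall allow-log lines; the format is assumed, not from the thread.
SAMPLE_LOG = """\
2005-08-15 14:02:11 ALLOW TCP 10.0.5.23:3421 -> 10.0.7.9:445
2005-08-15 14:02:14 ALLOW TCP 10.0.7.9:1044 -> 10.0.5.23:21
2005-08-15 14:05:40 ALLOW TCP 10.0.9.2:2211 -> 10.0.7.30:445
2005-08-15 14:31:02 ALLOW TCP 10.0.7.30:1100 -> 10.0.9.2:21
2005-08-15 14:06:01 ALLOW TCP 10.0.3.4:1233 -> 10.0.7.50:445
"""

LINE_RE = re.compile(r"^(\S+ \S+) ALLOW TCP (\S+):(\d+) -> (\S+):(\d+)$")


def parse(log_text):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port) tuples; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return events


def find_exploit_then_ftp(events, window=timedelta(minutes=5), ftp_port=21):
    """Return (source, victim, seconds) for each victim that, after receiving a
    TCP/445 connection from source, opened an FTP session back to that source
    within the window. Events need not be sorted; timestamps are compared directly."""
    inbound_445 = defaultdict(list)  # victim ip -> [(timestamp, source ip)]
    for ts, src, _sp, dst, dp in events:
        if dp == 445:
            inbound_445[dst].append((ts, src))
    hits = []
    for ts, src, _sp, dst, dp in events:
        if dp != ftp_port:
            continue
        for t445, source in inbound_445.get(src, []):
            if source == dst and t445 <= ts <= t445 + window:
                hits.append((source, src, int((ts - t445).total_seconds())))
    return hits


if __name__ == "__main__":
    for source, victim, secs in find_exploit_then_ftp(parse(SAMPLE_LOG)):
        print(f"{victim} accepted 445 from {source}, then opened FTP back to it {secs}s later")
```

Only the first pair in the sample is reported; the second FTP session falls outside the five-minute window and the third 445 connection is never followed by FTP, so both stay quiet.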