Network Security Focus-Virus

RE: wintbp.exe

Subject: RE: wintbp.exe
Date: Wed, 17 Aug 2005 17:36:33 +1200
You can't rely on AV signatures to stop viruses infecting machines
vulnerable to MS05-039, period! AV is reactive by design, and therefore
won't/can't protect the vulnerable against the ever-increasing types and
variants.
Patching and/or other measures need to be taken; you can have the most "up
to date" signature and still get hit hard. How much damage can occur purely
from the constant reboots? I imagine there are quite a few admins dealing
with hardware failures due to that right now.

Mike
www.infosec.co.nz

-----Original Message-----
From: Dowling, Gabrielle [mailto:dowlingg@sullcrom.com] 
Sent: Wednesday, August 17, 2005 4:19 PM
To: Joswiak, Johnny G.; womalley@cmu.edu; Schlegel, Justin;
focus-virus@securityfocus.com
Subject: RE: wintbp.exe

But the file download and execution therefore is the infection; the
buffer overflow is merely the process that permits an automatic download and
execution to occur. If your AV sigs are current they should prevent the
file from being written to disk (and perhaps that's where you're seeing
your alerts) and at the very least should block the file from executing.
How have you determined that you're actually seeing infections, rather
than infection attempts?

G

-----Original Message-----
From: Joswiak, Johnny G. [mailto:jgjoswia@UTMB.EDU] 
Sent: Tuesday, August 16, 2005 11:42 PM
To: Dowling, Gabrielle; womalley@cmu.edu; Schlegel, Justin;
focus-virus@securityfocus.com
Subject: RE: wintbp.exe



Oh yes, it's true for this worm. The systems rebooting is a symptom of
the buffer overflow. The infectious executable is downloaded to the
system after the buffer overflow occurs. The AV products WILL NOT stop
the system from being infected; they will find the downloaded file
afterwards! Patch the systems, that is imperative.


-----Original Message-----
From:   Dowling, Gabrielle [mailto:dowlingg@sullcrom.com]
Sent:   Tue 8/16/2005 10:36 PM
To:     Joswiak, Johnny G.; womalley@cmu.edu; Schlegel, Justin;
focus-virus@securityfocus.com
Cc:     
Subject:        RE: wintbp.exe
Despite what Russ Cooper posted on NTBugtraq two years ago in the wake
of Blaster, that is NOT true (and wasn't true then). While Blaster,
Sasser, and the recent MS05-039 exploits rely on a buffer overflow for a
remote infection mechanism, they all use the vulnerability to download
an infectious executable to the target system, and AV absolutely can
prevent the infection if sigs are in place. These are different from
pure memory worms like Code Red and SQL Slammer.

Also, McAfee for a while has had defenses in place for pure memory
worms, and I believe several other vendors have it in place now.

Regards,

Gaby
-----Original Message-----
From: Joswiak, Johnny G. [mailto:jgjoswia@UTMB.EDU] 
Sent: Tuesday, August 16, 2005 11:16 PM
To: womalley@cmu.edu; Schlegel, Justin; focus-virus@securityfocus.com
Subject: RE: wintbp.exe


CA is calling it Win32.Peabot.A with a "Medium" alert, McAfee is calling
it "W32/IRCbot.worm!MS05-039", Symantec has Zotob.E, etcetera.
Patch the systems; this is an MS05-039 exploit. The various antivirus
companies can only provide cleanup after the worm hits unless they have
buffer overflow protection like VSE 8.0i provides (ok, a plug, but I like
it).
Hope this helps.
Johnny


-----Original Message-----
From:   William O'Malley [mailto:wo@andrew.cmu.edu]
Sent:   Tue 8/16/2005 8:51 PM
To:     Schlegel, Justin; focus-virus@securityfocus.com
Cc:     
Subject:        Re: wintbp.exe



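The question Gabrielle raises above ("infections, rather than infection attempts?") and Johnny's point that AV only finds the downloaded file afterwards both come down to correlating evidence per host. The script below is an added example, not code from any poster or AV vendor: it reads a constructed, vendor-neutral key=value event log (AV on-access and scan events, process starts, and services.exe crash reboots) and gives each host a verdict. Only the dropped file name wintbp.exe comes from the thread; the log layout, host names and every sample line are assumptions.

```python
"""Triage host telemetry for a worm that exploits MS05-039 and drops wintbp.exe.

Added example, not code from any participant in this thread or from any AV
vendor. It correlates three constructed event sources per host (AV events,
process-start events, services.exe crash reboots) to separate infections
from blocked attempts. The key=value log layout and all sample lines are
assumptions, not real product output.
"""
import re
from collections import defaultdict

DROPPED_FILE = "wintbp.exe"        # the file named in the thread
KV = re.compile(r"(\w+)=(\S+)")    # assumed key=value layout, no spaces in values

# Constructed sample events; not real product logs.
SAMPLE_LOG = """\
2005-08-16T22:10:01 host=ws01 src=av action=blocked stage=write file=C:\\WINDOWS\\system32\\wintbp.exe sig=W32/IRCbot.worm!MS05-039
2005-08-16T22:10:03 host=ws01 src=system action=reboot reason=services.exe
2005-08-16T22:10:05 host=ws02 src=av action=blocked stage=execute file=C:\\WINDOWS\\system32\\wintbp.exe sig=Zotob.E
2005-08-16T22:11:30 host=ws03 src=proc action=start image=C:\\WINDOWS\\system32\\wintbp.exe
2005-08-16T22:12:00 host=ws03 src=av action=deleted stage=scan file=C:\\WINDOWS\\system32\\wintbp.exe sig=Win32.Peabot.A
2005-08-16T22:13:00 host=ws04 src=system action=reboot reason=services.exe
2005-08-16T22:14:00 host=ws05 src=av action=deleted stage=scan file=C:\\WINDOWS\\system32\\wintbp.exe sig=Zotob.E
"""


def parse_line(line):
    """'<timestamp> k=v k=v ...' -> dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    event.update(KV.findall(rest))
    return event


def names_dropper(event):
    """True when the event's file or image path ends in the dropped file name."""
    path = event.get("file") or event.get("image") or ""
    return path.lower().endswith(DROPPED_FILE)


def classify_host(events):
    """Return (verdict, evidence) for one host's events.

    Order matters: proof of execution beats everything; a file found only
    by a later scan is assumed to have run (the worm downloads and then
    executes); an on-access block is an attempt; a services.exe crash with
    nothing else means the overflow fired but the payload is unverified.
    """
    executed = any(e["src"] == "proc" and e["action"] == "start" and names_dropper(e)
                   for e in events)
    found_by_scan = any(e["src"] == "av" and e.get("stage") == "scan" and names_dropper(e)
                        for e in events)
    blocked = [e for e in events
               if e["src"] == "av" and e["action"] == "blocked" and names_dropper(e)]
    crashed = any(e["src"] == "system" and e["action"] == "reboot"
                  and e.get("reason") == "services.exe" for e in events)

    if executed:
        return "infected", "payload process started; any later AV deletion is post-hoc cleanup"
    if found_by_scan:
        return "suspected-infected", "payload reached disk without an on-access block; assume it ran"
    if blocked:
        note = "; services.exe also crashed, so the host is unpatched" if crashed else ""
        return "attempt-blocked", f"AV stopped {DROPPED_FILE} at {blocked[0]['stage']}" + note
    if crashed:
        return "exploited-unverified", "services.exe crash with no AV or process evidence"
    return "no-evidence", ""


def triage(log_text):
    """Group lines by host and classify each host -> {host: (verdict, evidence)}."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_host[event["host"]].append(event)
    return {host: classify_host(evs) for host, evs in sorted(by_host.items())}


def needs_patch(results):
    """Every host with any evidence of the exploit was reachable and unpatched."""
    return sorted(h for h, (verdict, _) in results.items() if verdict != "no-evidence")


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for host, (verdict, evidence) in results.items():
        print(f"{host:6} {verdict:20} {evidence}")
    print("patch first:", ", ".join(needs_patch(results)))
```

Note that a blocked write still lands the host on the patch list: the overflow reached it, and the next variant without a signature will not be blocked. That is the point both Mike and Johnny make above, and the verdict names are chosen so that "attempt-blocked" is never read as "safe".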


