MS05-039 Exploit Code Now a Worm - Zotob
Page 1 of 5 123 ... LastLast
Results 1 to 10 of 42

Thread: MS05-039 Exploit Code Now a Worm - Zotob

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    MS05-039 Exploit Code Now a Worm - Zotob

    I already have a thread started on this (dealing with the raw exploit code) but I want to be SURE that no one misses this.

    I watched the underground tune this last week. There was no question it was coming. There is now a worm, Zotob, which exploits MS05-039. GET THOSE PATCHES OUT!!

    http://isc.sans.org/diary.php?date=2005-08-14
    http://securityresponse.symantec.com...2.zotob.a.html

    If you are unlucky enough to have a Symantec consumer release of their antivirus product, you wont be getting a signature until Wednesday. Have fun with that!

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Description:
    Zotob.A is a MyTob-cloned worm which exploits the MS05-039, "Microsoft Plug-and-Play Buffer Overflow Vulnerability". Zotob.A is a HIGH-severity threat because it has only been days since Microsoft Corp.'s vulnerability disclosure, and because many systems likely have not yet been patched, making them vulnerable to the worm. There are multiple compiled exploit codes for this vulnerability in the wild, and it is likely that additional malicious codes attacking MS05-039 will emerge in the near future.

    Worm Message:
    MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi thehorse13,

    I've been expecting this for awhile...

    http://www.antionline.com/showthread...0&pagenumber=1
    AntiOnline - Worm hole in Windows 2000

    http://www.antionline.com/showthread...hreadid=269843
    Um... yea, you need to patch NOW!

    got the patch off a link in your first thread...AVG updated as well...I assume that's all you need...it caught my interest right away because I run Windows 2000.

    Hopefully, everyone here who's vunerable will have done something by now.

    Eg

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Worm spreading through Microsoft Plug-and-Play flaw
    by Robert Lemos, SecurityFocus

    ...

    "Zotob is not going to become another Sasser," F-Secure's researchers said on the virus lab's blog. The worm does not infect computers running Windows XP Service Pack 2 nor Windows 2003, as those systems are somewhat protected against the Windows Plug-and-Play vulnerability. Machines that block port 445 using a firewall will also not be vulnerable, the company said. "As a result, the majority of Windows boxes on the Net won't be hit by (the worm)," the blog stated.
    ...


    Source
    So the clueless, uninformed, and lazy will be the major recipients of this bounty from cracker land. It's almost a digital darwinism.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi zencoder,

    out of curiousity...how can I check to see if my firewall blocks port 445?

    I run ZoneAlarm.

    Eg

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Hmmmmm. I don't know, for certain...I haven't used ZA in a LONG time. You could go to someplace like GRC.com (gibson research something or other) and run his Shields Up scan... I bet broadbandreports.com has a tool that does this too. Basically a consensual port scan automated from a website. Gibson always seemed a bit obsessively creepy to me, but he always had decent info. Haven't been there since...well, since I last used ZA.

    You could also run nmap against your Win2k system from another system, if you have the right setup and resources.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    This is a nice little program that takes closes several vulnerable ports in Windows -- DCOM, NetBios, etc. Lifted from a sec_ware tutorial on svchost, I believe.

    http://www.firewallleaktester.com/wwdc.htm
    Windows Worms Doors Cleaner.

    BTW Eg., this is a tool from the same site that will tell you if anything can be sent out on 445. Done by Gibson, mentioned by Zencoder. Zone Alarm Free doesn't allow manual port blocking and doesn't tell you what is blocked, AFAIK.

    http://www.firewallleaktester.com/leaktest1.htm
    Leaktest.
    .

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    eg if you have a fw it's probably closed but if you want to be sure...one of our members has an nmap you could use online to get a remote scan.

    http://www.michiels.nu/nmap_body.php

    <forgot to put the address>


    nice links hesperus
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by zencoder
    Gibson always seemed a bit obsessively creepy to me, but he always had decent info. Haven't been there since...well, since I last used ZA.

    Dude I haxxored teh Gibson! haxxor the planet y0.


    Story so far:

    Dade Murpy is trying to patch his Windows box before the worm steals 25 M dollars and sinks oil tankers all over the world!

  10. #10
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi Tedob1,

    Thanks !I'll check it out.

    You have given out too many AntiPoints today, try again later.
    Eg

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •