
Thread: MS05-039 Exploit Code Now a Worm - Zotob

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    MS05-039 Exploit Code Now a Worm - Zotob

    I already have a thread started on this (dealing with the raw exploit code) but I want to be SURE that no one misses this.

    I watched the underground tune this last week. There was no question it was coming. There is now a worm, Zotob, which exploits MS05-039. GET THOSE PATCHES OUT!!

    http://isc.sans.org/diary.php?date=2005-08-14
    http://securityresponse.symantec.com...2.zotob.a.html

    If you are unlucky enough to have a Symantec consumer release of their antivirus product, you won't be getting a signature until Wednesday. Have fun with that!

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Description:
    Zotob.A is a MyTob-cloned worm which exploits the MS05-039, "Microsoft Plug-and-Play Buffer Overflow Vulnerability". Zotob.A is a HIGH-severity threat because it has only been days since Microsoft Corp.'s vulnerability disclosure, and because many systems likely have not yet been patched, making them vulnerable to the worm. There are multiple compiled exploit codes for this vulnerability in the wild, and it is likely that additional malicious codes attacking MS05-039 will emerge in the near future.

    Worm Message:
    MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi thehorse13,

    I've been expecting this for a while...

    http://www.antionline.com/showthread...0&pagenumber=1
    AntiOnline - Worm hole in Windows 2000

    http://www.antionline.com/showthread...hreadid=269843
    Um... yea, you need to patch NOW!

    Got the patch off a link in your first thread... AVG updated as well... I assume that's all you need... it caught my interest right away because I run Windows 2000.

    Hopefully, everyone here who's vulnerable will have done something by now.

    Eg

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Worm spreading through Microsoft Plug-and-Play flaw
    by Robert Lemos, SecurityFocus

    ...

    "Zotob is not going to become another Sasser," F-Secure's researchers said on the virus lab's blog. The worm does not infect computers running Windows XP Service Pack 2 nor Windows 2003, as those systems are somewhat protected against the Windows Plug-and-Play vulnerability. Machines that block port 445 using a firewall will also not be vulnerable, the company said. "As a result, the majority of Windows boxes on the Net won't be hit by (the worm)," the blog stated.
    ...


    Source
    So the clueless, uninformed, and lazy will be the major recipients of this bounty from cracker land. It's almost a digital darwinism.

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi zencoder,

    Out of curiosity... how can I check to see if my firewall blocks port 445?

    I run ZoneAlarm.

    Eg

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Hmmmmm. I don't know, for certain...I haven't used ZA in a LONG time. You could go to someplace like GRC.com (gibson research something or other) and run his Shields Up scan... I bet broadbandreports.com has a tool that does this too. Basically a consensual port scan automated from a website. Gibson always seemed a bit obsessively creepy to me, but he always had decent info. Haven't been there since...well, since I last used ZA.

    You could also run nmap against your Win2k system from another system, if you have the right setup and resources.

  7. #7
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    This is a nice little program that closes several vulnerable ports in Windows -- DCOM, NetBIOS, etc. Lifted from a sec_ware tutorial on svchost, I believe.

    http://www.firewallleaktester.com/wwdc.htm
    Windows Worms Doors Cleaner.

    BTW Eg., this is a tool from the same site that will tell you if anything can be sent out on 445. Done by Gibson, mentioned by Zencoder. Zone Alarm Free doesn't allow manual port blocking and doesn't tell you what is blocked, AFAIK.

    http://www.firewallleaktester.com/leaktest1.htm
    Leaktest.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Eg, if you have a FW it's probably closed, but if you want to be sure... one of our members has an nmap you could use online to get a remote scan.

    http://www.michiels.nu/nmap_body.php

    <forgot to put the address>


    nice links hesperus
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by zencoder
    Gibson always seemed a bit obsessively creepy to me, but he always had decent info. Haven't been there since...well, since I last used ZA.

    Dude I haxxored teh Gibson! haxxor the planet y0.


    Story so far:

    Dade Murphy is trying to patch his Windows box before the worm steals 25 M dollars and sinks oil tankers all over the world!

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi Tedob1,

    Thanks! I'll check it out.

    Eg
