I hate the world... and port 445
I sometimes wonder if there is such a thing as a single redeemable person in this world. By the way, if you haven't noticed, I'm in a bad mood today.
All this latest worm crap (W32.Zotob.x, RBOT.CBQ, RBOT.CBR, etc.) has really only served to further irritate me. Venting my anger at my sister has, however, served to calm me.
The latest worm already has five variants, all of which spread over TCP port 445 (Microsoft's SMB/directory-services port; Zotob uses it to reach the Plug and Play service hole that MS05-039 patches). SBC has been blocking port 445 between the router and the customer for the past two years on all dynamic-IP customers, so thank God for that: at least it means the spread was stopped at the ISP edge, though a filter there does nothing once an infected laptop is plugged into the LAN behind it. But now, after all the FUD spread by CNN, we've got 5,000 deskchair system admins saying how they'd have had this patch out already and how stupid large companies are for getting caught with their pants down. Since I spent most of last night on conference calls about this, assessing the level of possible impact, let me share some opinions.
1. Updates. Great for end users; yes, they should run them often. But a large company has no way to roll a critical update out to 10,000+ users within a week: there is no way to test that patch against every application and system that quickly, so the interim control is the same one SBC applied, blocking TCP 445 at the network boundaries until the patch has been tested.
2. Apple/*nix users. Just because your OS isn't affected by this doesn't mean it wouldn't be if it were as popular as Windows XP. Stop bragging about how bulletproof OS X is when much of that is security through obscurity: a smaller target, not a stronger design.
3. Permissions. Some corporations deny users the ability to run Windows Update unless they have administrator rights. I myself am limited on the corporate network when I'm logged in as a user (thankfully I have admin rights because I requested them). So sometimes it isn't the user's fault, because they couldn't run the updates if they wanted to.
Comments
Wow, I've never even heard of that idea before... it's pretty radical, honestly (and I mean radical in the true sense of the word, not the Teenage Mutant Turtle way). I'm not sure about setting up an IRC server, but at the very least you could just null-route those IPs and prevent remote control at least...
brilliant!
http://images.usatoday.com/money/_photos/2004/12/27/inside1-guinness.jpg
--------
Posted by: Dennis Judd | May 18, 2006 11:50 AM
Blah.
This could have been fixed if people listened to some ideas that are out of the box. But they don't, because everyone on the security teams is too busy talking about putting FW rules on their PIXes (which, btw, die quite easily) and using their IDS/sniffer boxes to see who's infected.
Waste of time.
The answer is simple:
Set up an IRC server on the command & control IP addresses that the bots/virus communicate with.
Find what individual channel the bots join, and send the bot uninstall command (every piece of bot malware has one). It only takes a few minutes to add the virtual addresses to a box and only a few moments more to route the traffic there.
Instantly, every computer is uninfected. As long as you have the ACLs in place, you prevent re-infection.
But no. Why? Because this is what happens when you let a bunch of enterprise/IT people run the security show who think the answer to every problem is vendor hardware & software.
Posted by: thomas angrignon | May 18, 2006 11:50 AM
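The sinkhole described in the comment above, as an added example that is not the commenter's code or anything from the original page: a minimal IRC server that accepts connections routed to the C&C addresses, registers the bot, records the channel it joins and answers in that channel from an operator nick. The server name sinkhole.local, the operator nick op, the command text .uninstall and the bot exchange fed to simulate() are all assumptions made up for this example; the real command, and any operator authentication the bot expects, differ per family and have to come from analysis of the sample.

```python
"""IRC sinkhole for C&C traffic redirected to this host (added example).

Assumptions, not facts from the post: the server name, the operator nick and
the ".uninstall" command text are placeholders to be replaced per bot family.
"""
import socketserver

SERVER_NAME = "sinkhole.local"   # assumption: name we present to the bot
OPERATOR_NICK = "op"             # assumption: nick the bot takes commands from
UNINSTALL_CMD = ".uninstall"     # assumption: placeholder for the family's real command


class IrcSession:
    """Protocol state for one bot connection. handle_line() takes one raw line
    from the client and returns the lines the server should send back."""

    def __init__(self):
        self.nick = None
        self.user_seen = False
        self.registered = False
        self.channels = []        # channels the bot joined, in order
        self.commands_sent = []   # (channel, command) pairs pushed to the bot

    def handle_line(self, line):
        line = line.rstrip("\r\n")
        if not line:
            return []
        if line.startswith(":"):              # drop an optional message prefix
            line = line.split(" ", 1)[1] if " " in line else ""
        verb, _, params = line.partition(" ")
        verb = verb.upper()
        out = []

        if verb == "PING":                    # keepalive; bots drop silent servers
            token = params.lstrip(":") or SERVER_NAME
            out.append(f":{SERVER_NAME} PONG {SERVER_NAME} :{token}")
        elif verb == "NICK":
            self.nick = params.split(" ")[0].lstrip(":")
        elif verb == "USER":
            self.user_seen = True
        elif verb == "JOIN" and self.registered:
            # JOIN #chan [key]: the key is ignored, anyone may join a sinkhole
            chan = params.split(" ")[0].lstrip(":").split(",")[0]
            if chan:
                if chan not in self.channels:
                    self.channels.append(chan)
                out += [
                    f":{self.nick}!bot@{SERVER_NAME} JOIN :{chan}",
                    f":{SERVER_NAME} 353 {self.nick} = {chan} :{self.nick} @{OPERATOR_NICK}",
                    f":{SERVER_NAME} 366 {self.nick} {chan} :End of /NAMES list.",
                    # the point of the exercise: the operator speaks in the bot's channel
                    f":{OPERATOR_NICK}!{OPERATOR_NICK}@{SERVER_NAME} PRIVMSG {chan} :{UNINSTALL_CMD}",
                ]
                self.commands_sent.append((chan, UNINSTALL_CMD))

        # registration completes once both NICK and USER have arrived;
        # most bots wait for 001/376 before they JOIN
        if not self.registered and self.nick and self.user_seen:
            self.registered = True
            out += [
                f":{SERVER_NAME} 001 {self.nick} :Welcome {self.nick}",
                f":{SERVER_NAME} 376 {self.nick} :End of /MOTD command.",
            ]
        return out


class BotHandler(socketserver.StreamRequestHandler):
    """One thread per bot connection; feeds lines to an IrcSession."""

    def handle(self):
        session = IrcSession()
        for raw in self.rfile:                # one IRC line per iteration
            for reply in session.handle_line(raw.decode("latin-1", "replace")):
                self.wfile.write((reply + "\r\n").encode("latin-1"))


def serve(bind="0.0.0.0", port=6667):
    """Listen on the address the C&C hostnames/IPs have been routed to."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), BotHandler) as srv:
        srv.serve_forever()


# constructed sample exchange, not a captured one
CONSTRUCTED_BOT_EXCHANGE = [
    "NICK xp-sp1-4f2a\r\n",
    "USER xp-sp1 0 * :xp-sp1\r\n",
    "JOIN #botnet botkey\r\n",
    "PING :sinkhole.local\r\n",
]


def simulate(lines=CONSTRUCTED_BOT_EXCHANGE):
    """Run the protocol logic offline; returns (session, all server replies)."""
    session = IrcSession()
    replies = []
    for line in lines:
        replies.extend(session.handle_line(line))
    return session, replies


if __name__ == "__main__":
    _, replies = simulate()
    print("\n".join(replies))
```

serve() binds the real listener; simulate() runs the same protocol logic offline against the constructed exchange. Two things the comment glosses over: the bot's C&C hostnames or IPs must actually resolve or route to this box (the virtual addresses and routes the comment mentions), and if the family authenticates its operator by hostmask, password or a login command, that step has to be reproduced before the bot will act on anything said in the channel.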
That's a unique approach, I like it. As far as the patch distribution goes, where I work we use a product called Radia. I actually really think it's a cool program. I believe HP bought Novadigm, the company that makes it, about a year ago, so hopefully it doesn't completely go to crap, but on our network it holistically manages well over 10,000 XP boxes... and seems to do a good job too.
Posted by: Anonymous | May 18, 2006 11:50 AM