Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

FW: MALICIOUS Witty worm -- port block recommendations

  • From: Howell, Paul
  • Date: Mon Mar 22 07:39:41 2004

Hi,

Sorry for getting this out so late.

My department's email server is Exchange, and yes, it had BlackICE installed.
As such, it was destroyed.

Email for me, just began working early this morning.

< paul


-----Original Message-----
From: owner-wg-security@internet2.edu
[mailto:owner-wg-security@internet2.edu] On Behalf Of Doug Pearson
Sent: Sunday, March 21, 2004 4:43 PM
To: wg-security@internet2.edu
Subject: MALICIOUS Witty worm -- port block recommendations


Dear all,

The newly discovered Witty[1] worm attacks Windows client and server systems
running ISS BlackICE and RealSecure firewall products. The worm is malicious
- it slowly destroys information on the host's hard drive while replicating.
Infected systems will have to be rebuilt from scratch, with a very high
probability of data loss. The worm payload is contained in a single UDP
packet with a source port of 4000 and a random destination port. Vulnerable
versions and patch information can be found at the ISS site[2].

Only systems running ISS BlackICE and RealSecure are affected, therefore
exposure will vary according to use of these products at your institution. A
substantial amount of infection has been reported at institutions of
higher-ed.

A method to slow down infection is through blocking of source port UDP 4000
inbound and outbound at your border and within your network if possible.
Blocking source UDP 4000 can cause hit-and-miss problems due to its use as
an ephemeral port for DNS and other services. It's possible these services
will recover through a retry to the next ephemeral.

Port blocking won't prevent the spread of infection if the worm has a hold
within your network. Blocking within your network will at best segment some
subnets that haven't been infected yet. Port blocking can reduce the rate of
spread of this infection. Strategies for port blocking need to be considered
at each institution according to their vulnerability and potential as a source
for this infection to the Internet at large.

The worm began gaining strength on Saturday. There are many vulnerable
desktop systems that were turned off by their owners over the weekend.
Efforts should be undertaken to PREVENT THE OWNERS FROM arriving Monday
morning, TURNING ON THEIR MACHINE, only to have the machine immediately
infected with Witty, and exposed to corruption and data loss.

Regards,

Doug Pearson
REN-ISAC
http://www.ren-isac.net


[1] http://www.lurhq.com/witty.html
[2] http://xforce.iss.net/xforce/alerts/id/167
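The advisory recommends blocking UDP source port 4000 but warns that the block also hits legitimate traffic that picked 4000 as an ephemeral port. The following is an added example (not part of the advisory or the REN-ISAC material) that runs both the blunt filter and a narrower detection over constructed UDP flow records; the flows, the `min_targets` threshold and the choice of DNS (port 53) as the collateral case are assumptions made here, while the "source port 4000 to a random destination port" pattern comes from the advisory itself.

```python
from collections import defaultdict

# Constructed sample UDP flow records as (src, sport, dst, dport); not a real capture.
FLOWS = [
    # One host spraying UDP from source port 4000 to random destination ports,
    # the propagation pattern the advisory describes.
    ("10.1.1.5", 4000, "192.0.2.10", 31337),
    ("10.1.1.5", 4000, "198.51.100.7", 5),
    ("10.1.1.5", 4000, "203.0.113.44", 60001),
    ("10.1.1.5", 4000, "192.0.2.99", 1234),
    # A legitimate DNS query whose stack happened to pick 4000 as its ephemeral port.
    ("10.1.2.20", 4000, "10.1.0.53", 53),
    # Unrelated DNS traffic on a different ephemeral port.
    ("10.1.3.7", 51234, "10.1.0.53", 53),
]


def naive_block(flow):
    """The advisory's blunt rule: drop any UDP datagram with source port 4000."""
    return flow[1] == 4000


def witty_suspects(flows, min_targets=3):
    """Hosts that send sport-4000 UDP to several distinct (dst, dport) pairs on
    non-DNS ports. A legitimate ephemeral use of 4000 goes to one service port
    (here DNS), so it does not reach the threshold. min_targets is an assumed
    tuning value, not a figure from the advisory."""
    targets = defaultdict(set)
    for src, sport, dst, dport in flows:
        if sport == 4000 and dport != 53:
            targets[src].add((dst, dport))
    return {src for src, seen in targets.items() if len(seen) >= min_targets}


def blocked_dns_queries(flows):
    """Legitimate DNS queries the blunt rule would drop: the hit-and-miss effect
    the advisory mentions."""
    return [f for f in flows if naive_block(f) and f[3] == 53]


if __name__ == "__main__":
    print("blunt rule drops:", sum(naive_block(f) for f in FLOWS), "flows")
    print("collateral DNS:", blocked_dns_queries(FLOWS))
    print("suspect hosts:", witty_suspects(FLOWS))
```

The suspect set isolates the spraying host while the collateral list shows exactly which DNS query the port-based block would have broken, which is the trade-off the advisory asks each institution to weigh.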
