how did this virus get in

-keevill-

I manage a network of 40 machines all running Win2K pro. All mail is
delivered through a mailserver which strips all the usual suspects out
(pif, scr, vba, exe etc). All machines are protected with Norton and yet we
got caught with the Blaster virus and the Welch virus. As yet, not the
Sobig virus!
However, my question is how did the virus get into the network, and is
there a way to track down the culprit who perhaps downloaded and opened a
non-screened attachment from somewhere? Users can download mail from
Hotmail, Yahoo etc but I believe that this is "safe"? Which machine brought
it in is my big curiosity.
Any ideas appreciated.
 
-keevill-

Nothing even in the event log of each machine??


W.S. Blevins said:
Unless you monitor the activity of your users, you probably can't
tell. But to answer your question, it is what is referred to as
"stupid people".
 
The Borg

My guess:
Unpatched machines and a wacky Firewall ????

Probably the machine of an Administrator who should have known better.
Or just had too many things to do that he totally forgot to protect his own
system.
The workload of an administrator grows heavier every month.

Working alone as an administrator?

You absolutely need a counterpart to discuss new security-issues IRL.

Try to make contact with the administrator your company does business with.
Together you can form a team simply in exchanging ideas and concerns.

Isn't it a nice idea to have someone somewhere else to talk to, to make
company-systems somewhat safer?
So you're not alone?

Nice group this is, but in most of the cases the harm has already been done,
You're too late when you come to this group... I'm sorry, nearly only
problems here.

Not a good starting point in tackling security issues.

You have to be ahead of that nowadays.

This is only a sort of ER

Is there a doctor in the room?
--
Greetz,
The Borg
(Replies are always appreciated...)
(e-mail address removed)
(remove ".geenspam" in order to reply properly)
http://computer.clubs.nl/antivirus
Never fly in the same cockpit with someone braver than you.
 
Sugien

-keevill- said:
I manage a network of 40 machines all running Win2K pro. All mail is
delivered through a mailserver which strips all the usual suspects out (
pif, scr, vba, exe etc ) .All machines are protected with Norton and yet we
got caught with the Blaster virus and the Welch virus. As yet , not the
Sobig virus!
However , my question is how did the virus get in to the network and is
there a way to track down the culprit who perhaps downloaded and opened a
non-screened attachment from somewhere?? Users can download mail from
Hotmail , Yahoo etc but I believe that this is "safe"? Which machine brought
it in is my big curiosity.
Any ideas appreciated.

Hmmm what is it that is said about blaster? you don't catch it,
rather it catches you! iow, it doesn't arrive in email but rather an
infected machine sends out packets to machines using random IP address and
when it finds an unpatched machine it uses the hole/bug and the resulting
buffer overflow infects your machine. But then I could be wrong; because
personally I only give such reports of infection a casual reading and tend
to forget quickly; because I have to date *never* (unknowingly, but have
infected myself on my pig/test machine to test what happens and that way
best figure out how to protect myself) been infected by an email virus, or
been the victim of a hole/bug; because for one thing I practice safe hex,
and never open attachments from an unknown source and even from a known
source I scan it and then if it looks safe I email the one that sent it to
me to ask if they did indeed send it to me to make sure the attachment
wasn't sent by their machine because they were infected.
But If I were to guess I would say you didn't get infected by email;
but rather by a buffer overflow and someone's system picked your IP and
used the buffer overflow. The other way you may have been infected is
someone brought into the office an infected disk because they took some work
home and then brought the work (and the virus) back on the virus.
 
-keevill-

Tx for input here.
Would a firewall have assisted / prevented this here? I am ashamed to admit
I have not set up a firewall because we are disconnected every 6 hours by
the ISP and a new IP address is assigned AND we use NAT to share the
connection ( oh yes ... and I am lazy !! ) . I will install one now but
would it have helped in this case?


Sugien said:
-keevill- said:
I manage a network of 40 machines all running Win2K pro. All mail is
delivered through a mailserver which strips all the usual suspects out (
pif, scr, vba, exe etc ) .All machines are protected with Norton and yet we
got caught with the Blaster virus and the Welch virus. As yet , not the
Sobig virus!
However , my question is how did the virus get in to the network and is
there a way to track down the culprit who perhaps downloaded and opened a
non-screened attachment from somewhere?? Users can download mail from
Hotmail , Yahoo etc but I believe that this is "safe"? Which machine brought
it in is my big curiosity.
Any ideas appreciated.

Hmmm what is it that is said about blaster? you don't catch it,
rather it catches you! iow, it doesn't arrive in email but rather an
infected machine sends out packets to machines using random IP address and
when it finds an unpatched machine it uses the hole/bug and the resulting
buffer overflow infects your machine. But then I could be wrong; because
personally I only give such reports of infection a casual reading and tend
to forget quickly; because I have to date *never* (unknowingly, but have
infected myself on my pig/test machine to test what happens and that way
best figure out how to protect myself) been infected by an email virus, or
been the victim of a hole/bug; because for one thing I practice safe hex,
and never open attachments from an unknown source and even from a known
source I scan it and then if it looks safe I email the one that sent it to
me to ask if they did indeed send it to me to make sure the attachment
wasn't sent by their machine because they were infected.
But If I were to guess I would say you didn't get infected by email;
but rather by a buffer overflow and someone's system picked your IP and
used the buffer overflow. The other way you may have been infected is
someone brought into the office an infected disk because they took some work
home and then brought the work (and the virus) back on the virus.


--
/}
@###{ ]:::::::::::Dino-Soft Software::::::::::::>
\}
Live WebCam http://www.dino-soft.org/cam
 
dave

-keevill- said:
I manage a network of 40 machines all running Win2K pro. All mail is
delivered through a mailserver which strips all the usual suspects out (
pif, scr, vba, exe etc ) .All machines are protected with Norton and yet we
got caught with the Blaster virus and the Welch virus. As yet , not the
Sobig virus!
However , my question is how did the virus get in to the network and is
there a way to track down the culprit who perhaps downloaded and opened a
non-screened attachment from somewhere?? Users can download mail from
Hotmail , Yahoo etc but I believe that this is "safe"? Which machine brought
it in is my big curiosity.
Any ideas appreciated.


Silly MSCE, 'safe' is for the ignorant.

For Blaster, you obviously have an open port in your firewall,
And you probably still do.

Solution:
Find the open port, and close it.

For SOBIG-F, someone in the organization, or your emailer,
opened a virus infected e-mail.


Solution if Person:
Please proceed to your nearest gun shop, and purchase the
anti-idiot user device with 30 rounds of ammunition, and
eliminate user ... < smirk >

Solution if emailer:
Switch to Linux, install sylpheed, qmail, and spamassassin.

Your fellow workers, and your company, will thank you.

have a nice day :)
 
Julie Brandon

Tx for input here.
Would a firewall have assisted / prevented this here? I am ashamed to admit
I have not set up a firewall because we are disconnected every 6 hours by
the ISP and a new IP address is assigned AND we use NAT to share the
connection ( oh yes ... and I am lazy !! ) . I will install one now but
would it have helped in this case?

In this case... Yes, a firewall ought to have helped. As would keeping
your operating systems up-to-date with the latest critical security fixes
(the vulnerability that blaster and welchi [sp.] used was fixed with a patch
available at windows update a month before blaster appeared.) *8-(

Sorry to hear you had so much trouble.

Ta-ra,
Julie

BTW If dynamic IPs cause such a hassle to your config, why not use an ISP who
can provide you with a static IP; we've been using such ISPs in UK since
'93.
 
Sugien

-keevill- said:
Tx for input here.
Would a firewall have assisted / prevented this here? I am ashamed to admit
I have not set up a firewall because we are disconnected every 6 hours by
the ISP and a new IP address is assigned AND we use NAT to share the
connection ( oh yes ... and I am lazy !! ) . I will install one now but
would it have helped in this case?


I use a router which has a router and also NAT and I have a dynamic IP and I
have never had any problems; but to answer your question yes a firewall most
likely would have stopped blaster entering your system or at least warned
you.
 
FromTheRafters

Those worms do not come from e-mail. They come by way
of an exploit of a buffer overrun vulnerability in the DCOM
RPC service.

MS03-026
 
Anonymous Sender

I manage a network of 40 machines all running Win2K pro. All mail is
delivered through a mailserver which strips all the usual suspects out (
pif, scr, vba, exe etc ) .All machines are protected with Norton and yet
we got caught with the Blaster virus and the Welch virus. As yet , not the
Sobig virus!
However , my question is how did the virus get in to the network and is
there a way to track down the culprit who perhaps downloaded and opened a
non-screened attachment from somewhere?? Users can download mail from
Hotmail , Yahoo etc but I believe that this is "safe"? Which machine
brought it in is my big curiosity.
Any ideas appreciated.

you receive monies for this what you say
`manage a network of 40 machines'

scary
 
David

The blaster worm gets in via the network, not via email. First off, all the
machines that got infected with blaster were not up to date as far as MS
patches are concerned. Only a month window this time between when the patch
and info came out and when the infection was released to the wild. Not as
much time as some in the past but this shows how important it is now to
patch quickly. The infection gets in via port 135. Many can block this port
coming in from the internet on border routers and/or firewalls but many if
not most LANS need it internally for proper functionality of specific
services. If your border firewall had 135 blocked, do you have laptops that
move in and out of the network? If so it could have been brought into the
LAN from one of these machines. Since this port is probably necessary to
have open to the LAN on some or all of your machines they would need to
have been patched once a single machine was infected. Up to date AV software
might have helped, but the problem is that definitions for new exploits do
not come out until after the worm is released in the wild, gets reported,
and analyzed. Some of the initial definitions are released in a matter of
hours these days but then you still only get them relatively quickly if your
AV software is configured to do automatic updates or you just happen to be
lucky enough to be doing a manual update at the right time.

Welchia gets in via either port 135 or unpatched IIS servers on port 80. I
suspect in your case it came in through the same hole using the same machine
and exploit that started your blaster infestation.
 
Zvi Netiv

-keevill- said:
I manage a network of 40 machines all running Win2K pro. All mail is
delivered through a mailserver which strips all the usual suspects out (
pif, scr, vba, exe etc ).

This is good practice, but insufficient, as there are countless threats that do
not spread through e-mail.
All machines are protected with Norton and yet we
got caught with the Blaster virus and the Welch virus. As yet , not the
Sobig virus!

Why do you think that NAV can protect from Blaster and Welchia?
However , my question is how did the virus get in to the network and is
there a way to track down the culprit who perhaps downloaded and opened a
non-screened attachment from somewhere??

Blame yourself. Why weren't all workstations patched?
Users can download mail from
Hotmail , Yahoo etc but I believe that this is "safe"?

It isn't, but e-mail isn't how Blaster entered the system.
Which machine brought it in is my big curiosity.

Wrong question!
 
Conor

I manage a network of 40 machines all running Win2K pro. All mail is
delivered through a mailserver which strips all the usual suspects out (
pif, scr, vba, exe etc ) .All machines are protected with Norton and yet we
got caught with the Blaster virus and the Welch virus. As yet , not the
Sobig virus!
However , my question is how did the virus get in to the network and is
there a way to track down the culprit who perhaps downloaded and opened a
non-screened attachment from somewhere??

Yes, it's quite easy. The person who is responsible for the computers
getting infected with the Blaster virus is YOU. YOU as the admin had
the responsibility of patching the computers with the update Microsoft
released IN JULY. YOU as the admin were responsible for ensuring Port
135 was blocked to the outside world.

In other words, tough shit the buck stops with you.


--
________________________
Conor Turton
(e-mail address removed)
ICQ:31909763
________________________
 
Conor

Unless you monitor the activity of your users, you probably can't
tell. But to answer your question, it is what is referred to as
"stupid people".
i.e the Admin.

--
________________________
Conor Turton
(e-mail address removed)
ICQ:31909763
________________________
 
Conor

Tx for input here.
Would a firewall have assisted / prevented this here? I am ashamed to admit
I have not set up a firewall because we are disconnected every 6 hours by
the ISP and a new IP address is assigned AND we use NAT to share the
connection ( oh yes ... and I am lazy !! ) . I will install one now but
would it have helped in this case?
OMG, are you even competent enough to be an admin? A decent firewall
doesn't give a shit about the different IP address. How do you think
people on dialup manage?


--
________________________
Conor Turton
(e-mail address removed)
ICQ:31909763
________________________
 