
Jan Janowski
Premium
join:2000-06-18
Skokie, IL
reply to vic102482

Re: Blackice "Witty" Worm: source port 4000 UDP

I'm using a Linksys BEFSX41 followed by BlackIce V3.6ccg,
and I have yet to see anything get past the Linky (BID is silent), and BID is cranked up all the way (Paranoid, with audible & visual alerts at max sensitivity)...

So far nothing here.....
But today's UDP 4000 probes are directed at my Local 46657
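The probe pattern mentioned in this thread (UDP with source port 4000, aimed at an arbitrary local port such as 46657) is easy to pick out of a router or firewall log. The following is an added example, not code from the thread or from any of the products named in it; the log format is constructed for illustration and the regular expression would need adapting to a real router's output.

```python
"""Flag inbound UDP packets whose source port is 4000, the pattern the
thread associates with Witty, in a simple firewall log.

Added example, not code from the thread. The log format below is a
constructed, hypothetical "ACTION PROTO src:port -> dst:port" layout.
"""
import re
from collections import Counter

WITTY_SRC_PORT = 4000  # source port seen on the probes discussed in the thread

# Constructed sample lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
2004-03-20 10:01:02 DROP UDP 198.51.100.7:4000 -> 192.0.2.10:46657
2004-03-20 10:01:03 DROP UDP 198.51.100.7:4000 -> 192.0.2.10:13022
2004-03-20 10:01:05 DROP TCP 203.0.113.9:4000 -> 192.0.2.10:135
2004-03-20 10:01:06 DROP UDP 203.0.113.44:53 -> 192.0.2.10:1027
2004-03-20 10:01:07 DROP UDP 198.51.100.8:4000 -> 192.0.2.10:9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def witty_probes(log_text):
    """Return the records that are UDP with source port 4000.

    The destination port varies from probe to probe (46657 in the thread),
    so the source port is the stable thing to key on; TCP from port 4000
    and UDP from other ports are deliberately not matched.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["sport"] == WITTY_SRC_PORT:
            hits.append(rec)
    return hits


def probes_per_source(log_text):
    """Count matching probes by source address, for a quick summary."""
    return Counter(rec["src"] for rec in witty_probes(log_text))


if __name__ == "__main__":
    for src, n in probes_per_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} UDP probe(s) from source port {WITTY_SRC_PORT}")
```

Matching on the source port alone is a heuristic for triage of dropped-packet logs, not a positive identification; it is enough to tell that the noise at the router is the pattern this thread is talking about rather than, say, ordinary DNS replies.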



jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON

In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.

I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

said by jeisenberg:
In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.

I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.
What you really need here is a response from Link Logger, kpatz, or psloss, for example.

But, I can tell you that this is one of the reasons I haven't done this. I would want an old, cheap PC with absolutely nothing of consequence on it, and for which I could completely restore not only the hard drive image, but -- if necessary -- the hard drive itself before I'd try this. Well, I don't have one. (And I would also totally isolate it from machines behind the firewall or second router.)

There are people here (gkweb comes to mind), who routinely put machines up, let them get slaughtered, and then take them down and reconstitute them. (After a few repeats, one can pretty much automate this process, I suspect, but I'm not there yet.) This is inherently a dangerous process and I doubt you're going to see anyone publish directions on how to do it. It's not so much that some of these guys worry that they're going to miss something, so much as them worrying that someone might read the process they enumerate and then decide to do the same thing -- eliminating some of the steps in the process as being "unnecessary".
--
Regards, Joseph V. Morris


jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON

said by jvmorris:
(And I would also totally isolate it from machines behind the firewall or second router.)
Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

said by jeisenberg:
. . . Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.
When (and if) I do this, there's definitely going to be a second router/firewall inline.

As for using the software firewall (which I presume you're really using primarily for its logging function), I would point out that PhatBot, in particular, has a very extensive list of AV/AT/PSF applications that it will attempt to nullify -- and, of these suckers, Witty is the only one I've seen to date that tries to work by exploiting a vulnerability in a particular PSF; the others rely on social engineering to get 'on the box'.

In other words, I would always consider the box in the DMZ 'at risk' (regardless of what security applications are installed on it) and I certainly would not depend on software applications (residing on that box) to isolate it from the rest of my machines. (And it's gonna get worse out there, RSN.)
--
Regards, Joseph V. Morris

psloss
Premium
join:2002-02-24
Lebanon, KS

reply to jvmorris

said by jvmorris:
said by jeisenberg:
In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.

I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.
What you really need here is a response from Link Logger, kpatz, or psloss, for example.
Here's a quickie, which is that at first blush I don't know that I can make as good an argument for leaving the system up vs. the argument that jeisenberg makes for taking it down.

Because the maliciousness of this malware is independent of how it infects the system. In other words, MyDoom could have just as easily added the gradual hard drive trashing code.

However, in the case of a security conscious person like jeisenberg, he still has his common sense to defend against something like MyDoom...whereas something like Witty or SQL Slammer may act quickly enough to defeat that type of common sense. (Or, well, make it largely irrelevant.)

I'm sure with more consideration there are likely better arguments...

As you noted in the rest of your post, one can better insulate against critical data loss by using either a "disposable" system or a system with disposable data.

That's what I'm doing here. I'm running custom network applications on a system with disposable data. There's no security software or security configurations on it. Which doesn't mean that it couldn't be brought down very quickly in a similar manner to this malware -- all it would take is someone finding and exploiting a similar issue with Pcap (for example).

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

Philip,

said by psloss:
... Because the maliciousness of this malware is independent of how it infects the system. In other words, MyDoom could have just as easily added the gradual hard drive trashing code.
Thanks for adding that. I didn't make that point terribly well. And, indeed, for almost three years now, people have been asking "Why's there no destructive code?" Well, now we've seen it (once again, after a long hiatus).
quote:
. . . . As you noted in the rest of your post, one can better insulate against critical data loss by using either a "disposable" system or a system with disposable data. . . . .
Yeah, I think to do this (in any prudent manner), you've got to have a box that you're willing to sacrifice completely if it comes to that -- because it may.
And, again, the box really needs to be totally isolated from one's operational machines (i.e., the machines that one really uses for getting things done on the 'net).
--
Regards, Joseph V. Morris


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
reply to jeisenberg

Jeisenberg, this really belongs in another thread, but what hardware firewall do you have?

MyNetWatchman can process the logs of many NAT routers and firewalls, including a few not directly mentioned here:

www.mynetwatchman.com/setup.asp