Outbreaks of RPC vulnerable systems


BlitzenZeus
August 11th, 2003, 08:08 PM
As many have noticed, there has been a huge surge in probes to Windows NT system ports. People who have not kept up with the Windows updates, and don't have a properly configured firewall installed, are being shut down remotely against their will. All because they didn't know, or didn't care enough to keep up with it.

On BBR it seems quite a few members are coming out of the woodwork as they are having this problem, and it's funny. They are now just finding out that it could have been much more serious, and some still just want to apply the patch only. One guy was asking on behalf of customers, as he works at BestBuy, and doesn't want to recommend a firewall to customers.

This could have been much worse; it could have been like Code Red for RPC, and I think most people remember when Code Red happened... There were so many systems infected so quickly that it could not be controlled until people actually started patching their systems.

I wonder when people will realize that they need to protect their NT operating system, as it's always acting as a server, but many still don't know or care about it until it's too late. As it goes with most security issues, and the common mistake of running warez/p2p files.

Paul Wilders
August 11th, 2003, 08:17 PM
Quote (BlitzenZeus):
    I wonder when people will realize that they need to protect their NT operating system, as it's always acting as a server, but many still don't know or care about it until it's too late. As it goes with most security issues, and the common mistake of running warez/p2p files.

Amen to that, BlitzenZeus.

regards,

paul

LowWaterMark
August 11th, 2003, 09:16 PM
I'm still reading the main thread on this at DSLR, but, just a couple of hours ago (where I am in the thread), even the patch wasn't fully stopping this.

Unpatched systems were getting easily infected and starting to infect others, while patched systems were having RPC crash, which was shutting down their systems.

It is very interesting to see all kinds of people who just days ago were probably participating in the thread over there about how paranoid people are who care about things like firewalls and ATs, etc. And now these people are getting directly impacted because they don't run a firewall. :-\

BlitzenZeus
August 11th, 2003, 09:16 PM
I believe this is the patch that will prevent the exploit:
Microsoft TechNet (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp)
--There have been reports that the patch hasn't worked against this new exploit. Although if you don't have this update, apply it anyway since it might be the worm that continues to shutdown your system.

However, if these people had just run a properly configured firewall, this worm would not have generated as much traffic as it has recently.

BlitzenZeus
August 11th, 2003, 09:21 PM
Quote (LowWaterMark):
    It is very interesting to see all kinds of people who just days ago were probably participating in the thread over there about how paranoid people are who care about things like firewalls and ATs, etc. And now these people are getting directly impacted because they don't run a firewall. :-\

Yes, there were many people who believed that they didn't need to run a firewall, and that they were OK without one with listening NT services. Now many of these people are being shown that they were wrong, and have become part of the problem. All because they didn't care...

BlitzenZeus
August 11th, 2003, 09:54 PM
Another thread with more information on it:
RPC DCOM Exploit - Widespread use...
(http://www.wilderssecurity.com/showthread.php?t=11991)

5151
August 12th, 2003, 12:03 PM
It sounds like I got a worm from not running a firewall and I need a patch.
This is a Windows 98 workstation with a Pentium II chip.
I am sending this message from my laptop and need specific instructions as to how to get this problem resolved on my desktop.
I always had McAfee antivirus working and thought a firewall came with it.
I checked for viruses but nothing was detected.

Dan Perez
August 12th, 2003, 12:39 PM
Hi 5151,

I haven't yet seen an analysis of the msblast worm but the vulnerability that it exploits does not exist on Win95/98 or Windows ME so I very much doubt you are hit with it.

What have you been encountering that is leading you to believe that something is wrong?

Thanks,

Dan

Paul Wilders
August 12th, 2003, 03:51 PM
Nevertheless, it wouldn't hurt to have a look at the extensive removal instructions provided by Sophos (http://www.sophos.com/support/disinfection/blastera.html), for example.

Good luck, and keep us posted!

regards.

paul

Primrose
August 12th, 2003, 04:19 PM
W32/Blaster-A

I have not seen any Win98 machines infected, but...

Here is a removal tool you could run, and if you are not infected you will know right away. Maybe Paul will put it in his download area...

Caution: direct link to removal tool
http://updates.pandasoftware.com/pq/gen/blaster/pqremove.com
Copyright (C) Panda Software 2003.

______________________________________


Also see here if you want other tools:

http://www.gladiator-antivirus.com/

sig
August 12th, 2003, 05:52 PM
BlitzenZeus: still, I've no doubt that many without any type of firewall who were infected (and certainly those who weren't, only because they were patched) will not run a firewall after this is over. They'll just deal with it on a case-by-case basis, as if this event was just an aberration, not a kind of potential ongoing threat as long as they have open ports exposed on the net.

Apparently this exploit only targeted the vulnerability for which the patch was designed (one imagines that was intentional). The next time, however, this might not be the case.

Khaine
August 13th, 2003, 09:59 AM
Over at DDR many people have come to the conclusion that this worm was designed to force people to patch their computers; hopefully some will install firewalls too.

It seems, at least for the moment, it has caught most people's attention. What we really need to do is get the mainstream media, or some means to communicate with most users, to tell them to install a firewall and learn how to configure it properly to help prevent future worms.

It seems that this sentiment of people not learning from past mistakes keeps on cropping up after each new major outbreak. Admins and users alike are lucky that this worm isn't malicious. If it was, they'd have learnt the hard way why a firewall is important. It seems that most people understand the need to learn from history, to stop repeating the same mistakes. Yet when it comes to computers and the internet they wallow in their own ignorance and seem to lose all common sense.

One day this isn't going to be a wake-up call, and many will be burnt.