Discussion in 'WormGuard' started by ChrisP, Aug 14, 2003.
Will WormGuard prevent WIN32.BLASTER.WORM from infecting a system?
There's no reason why not!
You might like to add the msblast.exe and teekid.exe to the blocked files list.
Further, in your firewall block incoming as well as outbound traffic on ports 69, 135, 445, 4444 (I did on both TCP and UDP to be extra sure).
But WG looks at malicious code anyway, even if you would not have added those files.
The truth - to prevent being infected by the MS Blaster worm, you shouldn't rely on your anti-virus or anti-worm scanner - just use that to detect if you're already infected, and to disinfect if anything was found. To actually stop the worm from being able to infect your system, you'll need to apply Microsoft's patch - http://www.microsoft.com/security/incident/blast.asp
Doing that will essentially close the door that the worm uses to break into systems. MS Blaster is a unique worm - it doesn't use conventional methods to infect, instead it scans for computers that are vulnerable to a particular remote attack. It's not the job of your anti-virus/anti-other scanner to ensure your system is patched from such vulnerabilities, all scanners can do is detect and disinfect -after- the infection, so it's just as important to keep up-to-date with security patches as it is to keep up-to-date with anti-virus definitions.
OK, but will WormGuard protect a system from this worm if:
1) The filename is not added to the blocked list
2) The PC has not had the appropriate security patches installed.
If it does, then I would think WormGuard is worth registering. I guess many people out there would like to know. - Over to you DiamondCS!
Don't worry ChrisP, I have had WG since its first version and it saved my computer's life rather often.
Till recently I never added special files to block, as its way is different from an av/at product, which needs specific references in its databases; WG just works differently. If DCS had thought it to be of first importance, would you think they would have left us without updated databases all those years? It's one of the strengths: not being necessary, but you can add them if you like, or to ease blocking. The blocked file can be looked at in the safe mode, the whole source.
WG does so much more, blocking files like HTA and others from websites getting installed on your system, you name it, blocking worms and malicious scripts, without crippling your computer by blocking every script from running.
If you would want something for just and only the msblast.exe, there must be free tools to remove it once it's there, but prevention .... hmm, I might have a more holistic view on things and like prevention, interaction and my sound mind, taking measures and recognizing when something seems suspicious and hoping to make the right decisions dealing with it.
The nice part with WG is you can use it as set and forget, as it is there all invisible at the bottom of the system securing and checking, and only pops up if there is something needing our attention.
Of course I have more layers of security with TDS and its exec protection, which recently absolutely refused to let a file run I had allowed even though WG told me not to, and the file happened to be real nasty code from a reliable source, so I could warn the site and stay unharmed.
Generally speaking, the DCS tools keep us users in the driver's seat, while you can choose set and forget too.
WG just mentioned; TDS of course you can set the updating automated, and there are scripts and tips to have the full system scan done automated while the resident exec protection keeps protecting all the time, but it would not be fun for me to use it only that way as there are so many tools in it for much more stuff.......
In cooperation with Port Explorer, of course, set and forget, just watch the screen for the red colored connections which are hidden and might be suspicious if you didn't allow the connected processes to run, and you can block them for in- or outbound traffic or block them completely and spy every bit of every packet of data sent to you and so much more...
You know, it is not just the msblast.exe this moment, for if infected, and cleansed out, you can almost be sure a series of backdoors was planted on unprotected systems in the weeks before, to be activated at the wish of the sender of them.
They could not have been planted via websites with WG, they can't run with TDS exec protection and WG, and their connections can't be invisible with PE, and all three of them help you extra...
And not to forget to add to the arsenal RegistryProt to prevent modifications of the registry, AutoStartViewer to see all that is autostarting on your system, including services and drivers, APM enabling you to control targeted processes, and there is so much more.....
Oh, and mIRC users should not forget the Mirclean tools...
All available on the Products page.
The service goes so much further: books to read and get further education, the pages with special info one doesn't find elsewhere with tests and more background info, and of course every opportunity to get the feel of the DCS team and products.
WormGuard? Take the ongoing nasties seriously, but the DCS products take the fear away.
Blaster? Hmm, just be wise and do take some measures. Are you on XP/NT/Win2000? You know what to do. Win95/98/Me? Do the same, as even though the 9x series is not vulnerable to this threat, if not well protected one could be abused in the spoofing and DDoSing. So configure the firewall to block a series of ports as mentioned above, and I was told to add port 593 to that (when I'm not all sure if it's incoming or outgoing I block both, as we still have some 65000 other ports to use).
Now off to scan your system on highest sensitivity, deep scanning every bit on it! And make sure you continue with a clean system. Happy internetting!
WormGuard was released some time ago, and to be a revolutionary product again as it was, it needs to be rebuilt from the ground up. It's coming, but for now you can add msblast.exe and it won't be able to run.
Alternatively, TDS-3 should detect any worm that uses the DCOM exploit if that worm installs a file to then spread further (just like this worm does).
Which brings me to a point: WormGuard and TDS will be more split in detection in the future. TDS will only detect VERY popular worms; WormGuard will be the worm-only product.
And scripts too, I hope, still? Or do we get back a separate script detection/viewer/blocker tool like we had before this WG came?
WormGuard 4 protects against all worms, including script worms and binary worms. It includes both heuristics for scripts and binaries as well as a signature system.
Is there a list somewhere of all the items we "probably should" have in the blocked files list of Wormguard 3?
I haven't added any since I installed until reading this post....added teekids.exe and msblast.exe.
I hardly added any either, as WG works in other ways of detecting malicious code anyway, but if you like some suggestions, there are some in this thread.
The best place to get default worm EXE names is SARC, www.sarc.com; just go through the latest @mm ones looking for filenames worms arrive as in emails. Once they execute they may copy to new filenames, and some of these could be added too.. if your AV is up to date you should only need to add the absolute latest filenames anyway?
Thank goodness a new WormGuard is coming out.
It's not right that DiamondCS is misleading people regarding Blaster (LoveSan). The answer to the question "does WormGuard 3 protect from/detect Win32.Blaster.Worm" is NO. Having a blocked file name list isn't a solution either, because someone has the right to rename a legitimate product like Port Explorer to MSBLAST.exe. It is WormGuard's job to tell if something has malicious scripts and worm-like characteristics, not to rely on a very ineffective method of having blocked file names. Any legit or unlegit file can be named almost anything; not sure why DiamondCS doesn't understand that basic concept.
Different from possible av/at products, WG doesn't need a name to be blocked, it looks for malicious code anyway in files. I'm sure you did several tests by now and see for yourself the strength and detection.
No one said a blocklist was perfect, and if anyone doesn't have an updated antivirus and the vulnerability patch by now, you can't expect miracles. There is no misleading; we don't guarantee that WormGuard will block the worm - in fact Wayne posted at length about protection against this worm.
TDS will detect these and new variants. In fact TDS will detect anything that uses the DCOM vulnerability: if it loads (like a worm), a memory scan will detect the vulnerability code in memory.
You can rename your Port Explorer to MSBLAST.exe if you wish, nothing will happen
And I am just wondering why this is an issue, because the user who can rename any file on his PC is also the user who edits and maintains the block list in WormGuard. So what?
BTW there are so called 'generic antivirus programs' on the market who also use this method of file blocking.
Let's put this into perspective. The way you're describing it you'd think that that was WormGuard's only detection capability, but filename blocking is just one _additional, optional_ capability of WormGuard - it sounds like you don't want to use it, so don't - you don't have to. WormGuard gives you that option, so what are you complaining about?
Simply because a detection technique isn't perfect doesn't mean it shouldn't be made available to users -- _no_ detection technique is perfect, and even the most advanced techniques can be fooled. You said that filenames can be patched with a hex editor, but so can the signatures that AV engines use - it's the same thing, just hex editing a few bytes. Yes, all files can be renamed, but most worms send themselves out with static filenames. Likewise, a lot of trojans install themselves with static filenames. In the case of worms, only one person - the person spreading the worm - would have any desire to patch the name of the worm, so in those cases filename blocking is extremely effective.
Again, it's just an additional capability so if you don't want to use it, you don't have to - the choice is all yours.
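To make the argument of the two posts above concrete (the complaint that any file can be renamed, and the reply that a content signature can be patched just as easily), here is an added Python sketch that is not DiamondCS code and does not reflect WormGuard's actual logic: a constructed blocked-name list beside a constructed byte signature, run over constructed sample bytes, showing which layer catches which case and why the two are worth having together.

```python
# Constructed filename blocklist, as suggested earlier in the thread.
BLOCKED_NAMES = {"msblast.exe", "teekid.exe"}

# Constructed content signature: a hypothetical byte pattern standing in for
# the bytes a scanner would key on. Not a real worm signature.
SIGNATURES = {"sample-worm": b"BLAST_PAYLOAD_V1"}


def blocked_by_name(filename: str) -> bool:
    """Layer 1: the optional blocked-file-name list (case-insensitive)."""
    return filename.lower() in BLOCKED_NAMES


def matched_signature(data: bytes):
    """Layer 2: byte-pattern scan of the file contents; returns the hit name or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def verdict(filename: str, data: bytes) -> list:
    """Reasons the file would be stopped; an empty list means neither layer fired."""
    reasons = []
    if blocked_by_name(filename):
        reasons.append("blocked-name")
    sig = matched_signature(data)
    if sig:
        reasons.append("signature:" + sig)
    return reasons


# Constructed sample contents; neither is a real program.
WORM_BYTES = b"MZ...constructed...BLAST_PAYLOAD_V1...end"
LEGIT_BYTES = b"MZ...constructed Port Explorer stand-in...end"

if __name__ == "__main__":
    # Worm under its usual name: both layers fire.
    print(verdict("msblast.exe", WORM_BYTES))   # ['blocked-name', 'signature:sample-worm']
    # Same bytes renamed: the name list misses, the signature still catches it.
    print(verdict("update.exe", WORM_BYTES))    # ['signature:sample-worm']
    # Legit tool renamed to a blocked name: name list fires, i.e. a false positive.
    print(verdict("msblast.exe", LEGIT_BYTES))  # ['blocked-name']
    # Renamed and a few bytes patched: both layers miss, hence the advice to patch the OS.
    print(verdict("update.exe", WORM_BYTES.replace(b"V1", b"V2")))  # []
```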