Zotob MS05-39 Plug-and-Play vulnerability

Discussion in 'malware problems & news' started by Starrob, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This was quoted on the DSLReports forum. You can see how easily Zotob can be prevented from infecting:

    Anyone with a properly configured firewall would stop this in its tracks.

    EDIT: LinkLogger on DSLR notes that Zotob is sending its probes to port 445 in pairs - the second one a few seconds later. I've confirmed this in my Kerio Log.

    An intrusion prevention/anti-execution protection w/whitelist would block this from unpacking/loading.

    Any good registry monitor would block the adding of a value in a Run Key; a lock-down system would wipe the entry and everything else the worm brought in, on a reboot.

    All of this done w/o worrying whether or not an AV program would catch it.

    So, unless some other unknown way of entering is discovered, this worm should never have infected anyone.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Aug 17, 2005
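    The paired port 445 probes rich mentions are something a firewall log can be checked for directly. As an added example that is not from the thread or from any named product, the script below parses constructed, simplified log lines (not real Kerio or LinkLogger output) and flags any source that hits TCP port 445 twice within a short window; the line format and the window length are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real Kerio/LinkLogger output):
# date time action source protocol dport=<port>
SAMPLE_LOG = """\
2005-08-16 10:01:02 BLOCK 192.0.2.10 TCP dport=445
2005-08-16 10:01:05 BLOCK 192.0.2.10 TCP dport=445
2005-08-16 10:01:07 BLOCK 198.51.100.7 TCP dport=80
2005-08-16 10:02:30 BLOCK 203.0.113.5 TCP dport=445
2005-08-16 10:03:40 BLOCK 203.0.113.5 TCP dport=445
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, action, src, proto, dport)."""
    date, time, action, src, proto, dport = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, action, src, proto, int(dport.split("=", 1)[1])

def paired_445_probes(log_text, window_seconds=10):
    """Return sources that sent two TCP/445 probes within window_seconds of
    each other, in the order they first appear in the log. The window is an
    assumed value; rich's post only says 'a few seconds later'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, proto, dport = parse_line(line)
        if proto == "TCP" and dport == 445:
            hits[src].append(ts)
    flagged = []
    for src, times in hits.items():
        times.sort()
        # Compare each probe with the next one from the same source.
        for earlier, later in zip(times, times[1:]):
            if (later - earlier).total_seconds() <= window_seconds:
                flagged.append(src)
                break
    return flagged

if __name__ == "__main__":
    for src in paired_445_probes(SAMPLE_LOG):
        print(f"paired port 445 probes from {src}")
```

    A source that probes 445 only once, or with a long gap between attempts, is not flagged; widen the window if your logs show slower scanners.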
  3. www

    www Guest

    Would GRC's UnPlug n' Pray protect a computer from this threat? I have it installed on my computer and Plug and Play disabled.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That tool is for Universal Plug and Play - UPnP - which is different from PnP. See paragraphs 3 and 4 Here

    While disabling UPnP is fashionable, turning off the PnP service is not necessary - if you have the proper preventative measures in place - for you will lose the ease of installing new hardware. See PnP

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     