Pardon the pun, but I feel blasted. Looking for a little rest and relaxation while on vacation this week in Western Mass., I was called to duty to help eliminate this pesky Blaster/LoveSan/whatever-you-want-to-call-it virus from a relative's Windows XP machine.
Every five minutes the machine was shutting down thanks to this latest pest, making it difficult at best to grab the necessary information and files to purge the machine of this beast. Compounding the problem: a dial-up Internet connection. I used the Sophos Blaster FAQ page as my guide:
http://www.sophos.com/support/disinfection/blastera.html
On the first attempt to download the Resolve cleaning program, the machine shut down after 98% of the application was downloaded. Try two succeeded and the virus was cleaned... for about five minutes. Oh, and even though Norton Anti-Virus had the latest data files and could spot the infection, all it did was tell me it was there; it could do nothing about it. After hitting "OK" the same message just kept appearing. Real helpful.
Trying to download the patch from Microsoft via Windows Update was a major pain because by the time the site figured out all the patches that this machine needed, the virus was back and the machine was shutting down. Renaming all the TFTP executables on the system did not stem the tide either. I am really surprised that I have hair left on my head. I followed all the recommended blocking steps (XP's Internet Protection scheme) and disabled Distributed COM, which gave me just enough time to grab the patch I needed (I went directly to the patch info page instead of through Windows Update), get it installed and cleanse the machine one more time. Total time was 90-plus minutes.
I can't imagine what it was like for IT staffs battling an infection across hundreds of machines. Thankfully, I only had to deal with one. Some organizations have learned from past infections and put an aggressive protection scheme in place; they are the lucky ones.
http://www.nwfusion.com/news/2003/0814atabos.html
Some were not so lucky:
http://www.nwfusion.com/go2/0811bug2a.html
Hopefully, most of you made it through the mess unscathed.
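As an added example, not from the original newsletter or from Sophos, CERT or Microsoft: the kind of triage an administrator could run over perimeter or host firewall logs to pick out Blaster's propagation pattern before the shutdowns start. It uses the three ports documented in CERT advisory CA-2003-20 (linked below): the RPC DCOM exploit over 135/TCP, the command shell the exploit opens on 4444/TCP, and the victim's TFTP pull of the worm binary over 69/UDP. The log line format, the host addresses and the sample lines are all constructed for this example and are not from any real firewall.

```python
"""Spot Blaster's propagation chain in firewall connection logs.

Added example; the log format below is an assumption made for this script,
not any vendor's format. Ports are from CERT CA-2003-20.
"""
import re
from collections import defaultdict

# Constructed sample: "DATE TIME ACTION PROTO SRC:PORT -> DST:PORT".
# 192.168.1.20 sweeps 135/tcp, hits the shell on 192.168.1.7, and 192.168.1.7
# then pulls the payload back from 192.168.1.20 over TFTP.
SAMPLE_LOG = """\
2003-08-12 09:41:02 ALLOW tcp 192.168.1.20:1038 -> 192.168.1.5:135
2003-08-12 09:41:02 ALLOW tcp 192.168.1.20:1039 -> 192.168.1.6:135
2003-08-12 09:41:02 ALLOW tcp 192.168.1.20:1040 -> 192.168.1.7:135
2003-08-12 09:41:03 ALLOW tcp 192.168.1.20:1041 -> 192.168.1.7:4444
2003-08-12 09:41:04 ALLOW udp 192.168.1.7:1044 -> 192.168.1.20:69
2003-08-12 09:42:10 ALLOW tcp 192.168.1.30:2201 -> 192.168.1.5:80
2003-08-12 09:42:11 ALLOW tcp 192.168.1.31:2300 -> 192.168.1.5:135
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one record per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def triage(log_text, scan_threshold=3):
    """Classify hosts by which Blaster stages they show.

    Returns (verdicts, victims): verdicts maps an attacking host to a
    one-line verdict; victims lists hosts that received a 4444/tcp
    connection and then initiated a 69/udp transfer (i.e. were exploited
    and fetched the worm).
    """
    outbound = defaultdict(set)     # host -> {(proto, dport)} it connected to
    targets_135 = defaultdict(set)  # host -> {dst} it hit on 135/tcp
    tftp_served = set()             # hosts that were asked for a file on 69/udp
    shell_hit = set()               # hosts that received a 4444/tcp connection
    tftp_pulled = set()             # hosts that initiated a 69/udp transfer

    for r in parse_log(log_text):
        key = (r["proto"], r["dport"])
        outbound[r["src"]].add(key)
        if key == ("tcp", 135):
            targets_135[r["src"]].add(r["dst"])
        elif key == ("tcp", 4444):
            shell_hit.add(r["dst"])
        elif key == ("udp", 69):
            tftp_served.add(r["dst"])
            tftp_pulled.add(r["src"])

    verdicts = {}
    for host, ports in outbound.items():
        stages = []
        if ("tcp", 135) in ports:
            stages.append("exploit-135")
        if ("tcp", 4444) in ports:
            stages.append("shell-4444")
        if host in tftp_served:
            stages.append("tftp-serve-69")
        if len(stages) == 3:
            verdicts[host] = "infected: full propagation chain"
        elif len(targets_135[host]) >= scan_threshold:
            verdicts[host] = "scanning: %d hosts on 135/tcp" % len(targets_135[host])
        elif len(stages) == 2:
            verdicts[host] = "suspect: " + "+".join(stages)

    victims = sorted(shell_hit & tftp_pulled)
    return verdicts, victims


if __name__ == "__main__":
    verdicts, victims = triage(SAMPLE_LOG)
    for host, verdict in sorted(verdicts.items()):
        print("%-15s %s" % (host, verdict))
    print("likely compromised:", ", ".join(victims) or "none")
```

A single connection to 135/TCP is ordinary Windows RPC traffic, which is why the script only flags a host on the full three-stage chain, on a sweep across several targets, or on the exploit plus shell pair; tune scan_threshold to the size of the subnet. Anything flagged "infected" should be pulled off the network before patching, since it keeps re-infecting whatever it can reach in the meantime.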
For more on the virus:
Update: Blaster worm infections spreading rapidly
Network World, 08/12/03.
http://www.nwfusion.com/news/2003/0812blastinfect.html
Sophos description of the virus and its variants:
http://www.sophos.com/virusinfo/analyses/w32blastera.html
http://www.sophos.com/virusinfo/analyses/w32blasterb.html
http://www.sophos.com/virusinfo/analyses/w32rpcspybota.html
July 16th advisory from Microsoft regarding the flaw that Blaster exploits:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
CERT advisory:
http://www.cert.org/advisories/CA-2003-20.html
Today's bug patches and security alerts:
CERT warns of GNU Project FTP server compromise
According to an alert from CERT, the primary FTP servers for the GNU Project, maintained by the Free Software Foundation, suffered a root compromise. Users who downloaded code from this and related sites should check it for potentially malicious code. For more, go to:
http://www.cert.org/advisories/CA-2003-21.html
**********
Cisco patches CiscoWorks CMF
According to an alert from Cisco, "Two vulnerabilities exist in CiscoWorks Common Management Foundation (CMF) versions prior
to and including 2.1. The first vulnerability is a privilege escalation vulnerability where a guest user may obtain administrative
privileges within the application via a specially crafted URL. The second vulnerability is an ability to run arbitrary commands
on the CiscoWorks server due to an error in processing user input." For more, go to:
http://www.cisco.com/warp/public/707/cisco-sa-20030813-cmf.shtml
**********
Mandrake Linux releases patch for postfix
A new version of postfix, a mail transfer agent, is available that fixes two vulnerabilities in older versions of the software. One flaw could be exploited in a denial-of-service (DoS) attack against the affected machine. Another flaw could be exploited to use postfix as a distributed DoS tool for launching attacks against random IP addresses. For more, go to:
http://www.nwfusion.com/go2/0811bug2b.html
Mandrake Linux issues fix for PHP
A number of vulnerabilities have been found in Mandrake Linux's implementation of PHP. A couple of flaws were found in the mail() function, which could be exploited to modify command line arguments. Another flaw could be used to insert malicious code into a Web page. For more, go to:
http://www.nwfusion.com/go2/0811bug2c.html
**********
Debian patches xpcd
A buffer overflow in Debian's xpcd could be exploited by a local attacker to gain root privileges on the affected machine.
For more, go to:
http://www.debian.org/security/2003/dsa-368
Debian issues fix for man-db
A previous patch for man-db did not properly fix the problem it was intended to solve. A new version of the patch is now available.
http://www.debian.org/security/2003/dsa-364
Debian warns of flaw in pam-pgsql
A vulnerability in the pam-pgsql module for Debian could be exploited by a malicious user to execute arbitrary code with the
privileges of the application requesting PAM authentication. For more, go to:
http://www.debian.org/security/2003/dsa-370
Debian patches overflow in zblast
A buffer overflow exists in the game zblast that can be triggered when saving a high score. A local user could exploit the
flaw to gain the privileges of the "games" group. For more, go to:
http://www.debian.org/security/2003/dsa-369
**********
Today's roundup of virus alerts:
W32/Randex-D - A Trojan horse that "listens" to a specific IP address for further instructions and spreads via network shares with weak passwords. (Sophos)
**********
From the interesting reading department:
Product Peek: WholeSecurity Confidence Online Enterprise Edition
WholeSecurity's Confidence Online provides a layer of protection for known and unknown Windows clients remotely connecting
to your network. Network World, 08/11/03.
http://www.nwfusion.com/reviews/2003/0811prodpeek.html
Navy unifies its monitoring networks
The U.S. Navy has put its Naval Network Warfare Command in charge of monitoring the Navy's hundreds of different networks
used by more than 400,000 personnel around the world in order to detect security violations. Network World, 08/11/03.
http://www.nwfusion.com/news/2003/0811navy.html
Symantec set to release security appliance line
Fulfilling a promise it made earlier in the year, Symantec will release next month a line of gateway security appliances,
the Symantec Gateway Security Appliance 5400 Series. IDG News Service, 08/11/03.
http://www.nwfusion.com/news/2003/0811symantec.html
Read more about security in Network World's Security section.