Would a firewall prevent Sasser worm?

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

If I had a firewall would that prevent the Sasser worm infecting my
PC?

I mean, if another infected system cannot see my ports because they
are stealthed then presumably Sasser could not infect me?
 

On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

>If I had a firewall would that prevent the Sasser worm infecting my
>PC?
>
>I mean, if another infected system cannot see my ports because they
>are stealthed then presumably Sasser could not infect me?

Yes, any firewall that blocks incoming port 445 will prevent infection
by the Sasser worm.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 

Lars M. Hansen wrote:
> On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>
>
>>If I had a firewall would that prevent the Sasser worm infecting my
>>PC?
>>
>>I mean, if another infected system cannot see my ports because they
>>are stealthed then presumably Sasser could not infect me?
>
>
> Yes, any firewall that blocks incoming port 445 will prevent infection
> by the Sasser worm.
>
> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)

From Microsoft: "Customers who have enabled the Windows XP Firewall are
protected from the vector this worm attacks, which is TCP Port 139.
Most third party firewalls also block this attack vector by default."

g-w
 

<snip>
> Yes, any firewall that blocks incoming port
> 445 will prevent infection by the Sasser worm.

As long as nobody writes a variant
of the worm that spreads by email too 🙂

Brain; the best firewall in the world (if one uses it)
 

On Tue, 4 May 2004 14:25:28 +0200, ObiWan spoketh

><snip>
>> Yes, any firewall that blocks incoming port
>> 445 will prevent infection by the Sasser worm.
>
>As long as someone won't write a variant
>of the worm spreading by email too 🙂
>
>Brain; the best firewall in the world (if one uses it)
>
>

We can only deal with the "known knowns". The "unknown unknowns" we'll
have to leave for Mr. Rumsfeld...

Currently, the Sasser worm only spreads by exploiting the LSASS buffer
overflow vulnerability through port 445.

Sasser.D now also sends an ICMP echo request, which will certainly show
up in many more logs 🙁

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
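Lars describes the spread pattern (LSASS exploit over TCP/445, plus an ICMP echo request in Sasser.D). The detector below is an added example, not code from the thread: it runs over a handful of constructed firewall log lines (the line format, addresses and the ten-hosts-per-minute threshold are assumptions for the example) and flags any source that reaches ten or more distinct hosts on port 445 within a minute, noting whether that source also sent ICMP echo requests. A single host talking to its two file servers is not flagged.

```python
"""Spot Sasser-style scanning in firewall logs: one source hitting many
distinct hosts on TCP/445 in a short window (Sasser.D also pings first).

Added example, not from the thread. The log line format, the addresses and
the threshold are assumptions; adjust LINE to your own firewall's format.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.7 pings and then sweeps 10.0.1.x on 445 (worm-like);
# 10.0.0.12 talks to two file servers (normal); 10.0.0.15 browses the web.
SAMPLE_LOG = """\
2004-05-04T08:31:01 ICMP 10.0.0.7 -> 10.0.1.1 echo-request DROP
2004-05-04T08:31:01 ICMP 10.0.0.7 -> 10.0.1.2 echo-request DROP
2004-05-04T08:31:01 TCP 10.0.0.7 -> 10.0.1.1:445 DROP
2004-05-04T08:31:01 TCP 10.0.0.7 -> 10.0.1.2:445 DROP
2004-05-04T08:31:02 TCP 10.0.0.7 -> 10.0.1.3:445 DROP
2004-05-04T08:31:02 TCP 10.0.0.7 -> 10.0.1.4:445 DROP
2004-05-04T08:31:02 TCP 10.0.0.7 -> 10.0.1.5:445 DROP
2004-05-04T08:31:03 TCP 10.0.0.7 -> 10.0.1.6:445 DROP
2004-05-04T08:31:03 TCP 10.0.0.7 -> 10.0.1.7:445 DROP
2004-05-04T08:31:03 TCP 10.0.0.7 -> 10.0.1.8:445 DROP
2004-05-04T08:31:03 TCP 10.0.0.7 -> 10.0.1.9:445 DROP
2004-05-04T08:31:04 TCP 10.0.0.7 -> 10.0.1.10:445 DROP
2004-05-04T08:31:05 TCP 10.0.0.12 -> 10.0.0.20:445 ACCEPT
2004-05-04T08:31:06 TCP 10.0.0.12 -> 10.0.0.20:445 ACCEPT
2004-05-04T08:31:07 TCP 10.0.0.12 -> 10.0.0.21:445 ACCEPT
2004-05-04T08:31:09 TCP 10.0.0.15 -> 198.51.100.8:80 ACCEPT
"""

# "<timestamp> <proto> <src> -> <dst>[:<dport>] <anything else>"
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP|ICMP)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+(?P<info>.*)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events


def detect_scanners(events, port=445, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak number of distinct destinations on `port` seen within
    any `window`} for every source whose peak reaches `threshold`."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == port:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        recent, seen, peak = deque(), Counter(), 0
        for ts, dst in hits:
            recent.append((ts, dst))
            seen[dst] += 1
            # Expire hits older than the window before counting distinct targets.
            while ts - recent[0][0] > window:
                _, old = recent.popleft()
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def icmp_echo_count(events, src):
    """Echo requests sent by `src` (Sasser.D pings a target before connecting)."""
    return sum(1 for e in events
               if e["proto"] == "ICMP" and e["src"] == src and "echo-request" in e["info"])


def report(text):
    """Flagged sources with their fan-out on 445 and their ICMP echo activity."""
    events = parse_log(text)
    return {src: {"distinct_445_targets": n,
                  "icmp_echo_requests": icmp_echo_count(events, src)}
            for src, n in detect_scanners(events).items()}


if __name__ == "__main__":
    for src, facts in report(SAMPLE_LOG).items():
        print(f"{src}: {facts}")
```

The fan-out count, not the raw number of blocked packets, is what separates a worm from a busy file server: the server reaches few hosts many times, the worm reaches many hosts once each.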
 

Hi,

I agree with ObiWan: why use a firewall to filter some port if it can
be exploited in other ways?

In this case, the "unknown" can be commonly supposed...

Real security fixes the source of the problem, not workarounds... ;-)

Fix the overflow in lsass.exe! :)

P.S.: A machine that is up to date today isn't enough.

Regards.

Mercenarie's Club Member => http://cdm.frontthescene.com.br
Front The Scene Team => http://www.frontthescene.com.br
Personal Page => http://ws.frontthescene.com.br
 

Piotr Makley <pmakley@mail.com> writes:

]If I had a firewall would that prevent the Sasser worm infecting my
]PC?

]I mean, if another infected system cannot see my ports because they
]are stealthed then presumably Sasser could not infect me?

Sasser cannot infect you if you do not run Windows. Sasser cannot
infect you if you install the patch from Microsoft. A firewall might
help, but if you insist on not doing the first two you will always be in
danger. Note that a firewall has nothing to do with "stealthing" your
ports. It simply rejects all attempts to connect to ports except those
you deliberately open. You can do the same by not opening any ports
except those you absolutely need in the first place. What ports are open
on your system? Do you know?
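Bill's closing question ("What ports are open on your system? Do you know?") is answerable on Windows 2000/XP with `netstat -an`. The script below is an added example, not from the thread: it parses that output (the sample is constructed to look like XP's layout, with made-up addresses) and lists which of the Windows networking ports (135, 139, 445) are listening on a non-loopback address, i.e. reachable from whatever network the machine is plugged into.

```python
"""Inventory of exposed listeners from `netstat -an` output (Windows layout).

Added example, not from the thread. SAMPLE is constructed to resemble the
output of `netstat -an` on Windows 2000/XP; pipe the real output on stdin.
"""
import re
import sys

SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3489      198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# The ports the thread is about: RPC endpoint mapper, NetBIOS session, SMB.
WINDOWS_NETWORKING_PORTS = {135: "RPC endpoint mapper",
                            139: "NetBIOS session",
                            445: "SMB over TCP (file and printer sharing)"}

# "<proto> <addr>:<port> <foreign> [<state>]"; UDP rows have no state column.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "state": state or ""})
    return rows


def exposed_listeners(rows):
    """Sockets reachable from the network: TCP in LISTENING state or any UDP
    socket, bound to something other than the loopback address."""
    out = []
    for r in rows:
        listening = (r["proto"] == "TCP" and r["state"] == "LISTENING") \
            or r["proto"] == "UDP"
        if listening and not r["addr"].startswith("127."):
            out.append(r)
    return out


def windows_networking_exposure(rows):
    """(proto, port) pairs among 135/139/445 that are exposed, sorted."""
    return sorted({(r["proto"], r["port"]) for r in exposed_listeners(rows)
                   if r["port"] in WINDOWS_NETWORKING_PORTS})


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_netstat(text)
    for proto, port in windows_networking_exposure(rows):
        print(f"{proto}/{port} exposed: {WINDOWS_NETWORKING_PORTS[port]}")
    print(f"{len(exposed_listeners(rows))} exposed listeners in total")
```

A socket bound to 0.0.0.0 answers on every interface, so on a directly connected DSL or cable host the TCP/445 line above is exactly the door Sasser walks through; the 127.0.0.1 entry is the only one that is safe without a filter in front of it.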
 

Lars M. Hansen <badnews@hansenonline.net> writes:

]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

]>If I had a firewall would that prevent the Sasser worm infecting my
]>PC?
]>
]>I mean, if another infected system cannot see my ports because they
]>are stealthed then presumably Sasser could not infect me?

]Yes, any firewall that blocks incoming port 445 will prevent infection
]by the Sasser worm.

Why is port 445 open on his system in the first place?
 

On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>
>]>If I had a firewall would that prevent the Sasser worm infecting my
>]>PC?
>]>
>]>I mean, if another infected system cannot see my ports because they
>]>are stealthed then presumably Sasser could not infect me?
>
>]Yes, any firewall that blocks incoming port 445 will prevent infection
>]by the Sasser worm.
>
>Why is port 445 open on his system in the first place?

Port 445 is open by default on any W2K or WXP system unless you've
closed it somehow. Despite the fact that we all wish people would have
firewalls or at least a NAT router, we're not quite there yet...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 

In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
> Lars M. Hansen <badnews@hansenonline.net> writes:

> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

> ]>If I had a firewall would that prevent the Sasser worm infecting my
> ]>PC?
> ]>
> ]>I mean, if another infected system cannot see my ports because they
> ]>are stealthed then presumably Sasser could not infect me?

> ]Yes, any firewall that blocks incoming port 445 will prevent infection
> ]by the Sasser worm.

> Why is port 445 open on his system in the first place?

Because Microsoft has it enabled and vulnerable by default.


--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
 

Lars M. Hansen <badnews@hansenonline.net> writes:

]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

]>Lars M. Hansen <badnews@hansenonline.net> writes:
]>
]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
]>
]>]>If I had a firewall would that prevent the Sasser worm infecting my
]>]>PC?
]>]>
]>]>I mean, if another infected system cannot see my ports because they
]>]>are stealthed then presumably Sasser could not infect me?
]>
]>]Yes, any firewall that blocks incoming port 445 will prevent infection
]>]by the Sasser worm.
]>
]>Why is port 445 open on his system in the first place?

]Port 445 is open by default on any W2K or WXP system unless you've
]closed it somehow. Despite the fact that we all wish people would have
]firewalls or at least a NAT router, we're not quite there yet...

?? Again, why is port 445 open anyway? You advocate that the user gets a
firewall. Surely it would be easier just to close port 445 or any ports
not absolutely needed than it would be to get and properly set up a
firewall. Or are you saying it is impossible to close many ports on a
Win machine?
This is like the exchange "I've got some dirt on my face" / "Buy a ski mask
so people cannot see the dirt". Why not just wash? If you cannot wash for
some reason then maybe a ski mask would be an option, but surely advocating
it as the first thing to do is silly.

"Close all ports that you do not absolutely need on your machine"
should surely be the first bit of advice. Then after you have done that
also install a firewall for that extra bit of protection.
 

In article <c78mat$4ps$1@string.physics.ubc.ca>,
unruh@string.physics.ubc.ca says...
> "Close all ports that you do not absolutely need on your machine"
> should surely be the first bit of advice. Then after you have done that
> also install a firewall for that extra bit of protection.

The problem is that most people don't have a clue as to how to close
ports, set up IPSec rules, etc... Most people don't even know to enable
the ICF on their machines.

The best thing people can do is purchase a cheap router with NAT and use
it from the moment they get their computer. This lets them download the
updates, install and update the AV software, etc... before they have a
chance to get hacked.

I put this back on the ISPs - they provide an open connection and don't
warn the unsuspecting public about the risks/problems. If they just
enabled NAT by default on their routers (DSL or Cable) most of this
problem would go away.



--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

On Tue, 4 May 2004 18:10:37 +0000 (UTC), Bill Unruh spoketh

>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh
>
>]>Lars M. Hansen <badnews@hansenonline.net> writes:
>]>
>]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>]>
>]>]>If I had a firewall would that prevent the Sasser worm infecting my
>]>]>PC?
>]>]>
>]>]>I mean, if another infected system cannot see my ports because they
>]>]>are stealthed then presumably Sasser could not infect me?
>]>
>]>]Yes, any firewall that blocks incoming port 445 will prevent infection
>]>]by the Sasser worm.
>]>
>]>Why is port 445 open on his system in the first place?
>
>]Port 445 is open by default on any W2K or WXP system unless you've
>]closed it somehow. Despite the fact that we all wish people would have
>]firewalls or at least a NAT router, we're not quite there yet...
>
>?? Again, why is port 445 open anyway? You advocate that the user gets a
>firewall. Surely it would be easier just to close port 445 or any ports
>not absolutely needed than it would be to get and properly set up a
>firewall. Or are you saying it is impossible to close many ports on a
>Win machine?

Yes, port 445 is difficult to close on a Windows computer. It's the
port used by what's commonly known as "Windows Networking", which means
sharing files and printers over a network. There are ways of closing it,
but it takes a little reading...

>This is like the exchange "I've got some dirt on my face" / "Buy a ski mask
>so people cannot see the dirt". Why not just wash? If you cannot wash for
>some reason then maybe a ski mask would be an option, but surely advocating
>it as the first thing to do is silly.

No comment ...

>
>"Close all ports that you do not absolutely need on your machine"
>should surely be the first bit of advice. Then after you have done that
>also install a firewall for that extra bit of protection.

If all ports are closed, then there's little need for a firewall. If
there are some ports left open, then the firewall will need to allow
those ports anyway, unless the firewall is there to restrict the IP
addresses that'll gain access or because it does protocol validation.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 

On Tue, 04 May 2004 18:47:03 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:
>Yes, port 445 is difficult to close on a Windows computer. It's the
>port used by what's commonly known as "Windows Networking", which means
>sharing files and printers over a network. There are ways of closing it,
>but it takes a little reading...
With NAT firewalls at the $19.99 range on sale (or sometimes after
rebate) there is no reason DSL and Cable modem users should be
directly connected anymore.

That whole idea foisted on us by the telcos and cable companies has
caused so many problems it is beyond comprehension.

I have never had a persistent connection to the internet with no
routing/filtering capabilities. And there is no reason anyone should.

Was it here that someone posted the spam emissions of ATTBI and one
other network's trojaned machines was 1.6 billion messages a day? I
can't lay my hand on that post. But that is reason enough that
everyone who has a computer connected to the internet should have and
use a NAT router as a minimum.
 

On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
spoketh

>In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
>> Lars M. Hansen <badnews@hansenonline.net> writes:
>
>> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>
>> ]>If I had a firewall would that prevent the Sasser worm infecting my
>> ]>PC?
>> ]>
>> ]>I mean, if another infected system cannot see my ports because they
>> ]>are stealthed then presumably Sasser could not infect me?
>
>> ]Yes, any firewall that blocks incoming port 445 will prevent infection
>> ]by the Sasser worm.
>
>> Why is port 445 open on his system in the first place?
>
>Becouse microsoft has it enabled and vulnerable by default.

"Vulnerable by default"? What the F*** does that mean? Does that mean
when the next vulnerability for Linux is discovered, the Microsoft camp
can claim that Linux is "vulnerable by default"?

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 

Lars M. Hansen wrote:

>"Vulnerable by default"? What the F*** does that mean? Does that mean
>when the next vulnerability for Linux is discovered, the Microsoft camp
>can claim that Linux is "vulnerable by default"?

Gosh, I can't remember the last remote vulnerability for Linux. Can
you? I've been swept away by the flood of Winders vulnerabilities.
Linux would really have to get on the ball if it's going to catch the
MotherShip.
 

Lars M. Hansen <badnews@hansenonline.net> wrote in message news:<bapf909rbrkcvqp4nasstjsfacj8f105i6@4ax.com>...

> >Becouse microsoft has it enabled and vulnerable by default.
>
> "Vulnerable by default"? What the F*** does that mean? Does that mean
> when the next vulnerability for Linux is discovered, the Microsoft camp
> can claim that Linux is "vulnerable by default"?

Well, you must admit that with Microsoft adopting the Secure Software
Initiatives during the writing of XP and 2000 (the only OSes
vulnerable to Sasser) and with the vulnerability being EXACTLY the
same buffer overflow of the sort they've spent more than five years
patching in other versions, and most ironically the vulnerability is
in what they call the "Local Security Authority Service" -- it does
rather scream negligence.

Sure, they fixed it a month ago... but if you're able to clobber the
very security system itself by sending data, then I'm sorry, but
you've really got to call that "shipped vulnerable".

I am not saying that Macs or Linux PCs are better, but it's like
being a surgeon who just held a press conference praising and
proclaiming your attention to cleanliness, and then going into surgery
using used dental floss for sutures. If it's not technically
malpractice, then it is at least general knowledge for
industrial-strength incompetence.
 

On Tue, 4 May 2004 18:10:37 +0000 (UTC), unruh@string.physics.ubc.ca
(Bill Unruh) wrote:

>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

>]Port 445 is open by default on any W2K or WXP system unless you've
>]closed it somehow. Despite the fact that we all wish people would have
>]firewalls or at least a NAT router, we're not quite there yet...
>
>?? Again, why is port 445 open anyway? You advocate that the user gets a
>firewall. Surely it would be easier just to close port 445 or any ports
>not absolutely needed than it would be to get and properly set up a
>firewall. Or are you saying it is impossible to close many ports on a
>Win machine?
>This is like the exchange "I've got some dirt on my face" / "Buy a ski mask
>so people cannot see the dirt". Why not just wash? If you cannot wash for
>some reason then maybe a ski mask would be an option, but surely advocating
>it as the first thing to do is silly.
>
>"Close all ports that you do not absolutely need on your machine"
>should surely be the first bit of advice. Then after you have done that
>also install a firewall for that extra bit of protection.

Without port 445, I am unable to share the printer on our network. So
when I edit the registry to close this port, we can't print from XP
computers. We're relying on our router/firewall.
 

On Tue, 04 May 2004 19:16:36 GMT, "------>That Way!"
<traxless@yahoo.com> wrote:
>
>>"Close all ports that you do not absolutely need on your machine"
>>should surely be the first bit of advice. Then after you have done that
>>also install a firewall for that extra bit of protection.
>
>Without port 445, I am unable to share the printer on our network. So
>when I edit the registry to close this port, we can't print from XP
>computers. We're relying on our router/firewall.
But port 445 doesn't need to be open from outside your network.
That's the problem.
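The reply above makes the distinction that matters: 445 open to the LAN for printer sharing, closed to the Internet. The rule-set model below is an added example, not from the thread; the LAN range and the probe addresses are assumptions. It encodes a first-match rule list, audits it by probing the sharing ports from an inside and an outside address, and shows the broken variant (an allow for 445 with no source restriction) beside the correct one.

```python
"""First-match packet-filter model: Windows sharing ports reachable from the
LAN only. Added example, not from the thread; LAN and probe IPs are assumed.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")     # assumed home/office network
ANY = ip_network("0.0.0.0/0")
SHARING_PORTS = (135, 139, 445)        # RPC endpoint mapper, NetBIOS session, SMB

# Rule = (name, allowed source network, destination port or None for any, action).
# First match wins, as on most packet filters.
GOOD_RULES = [
    ("sharing-from-lan", LAN, 135, "ACCEPT"),
    ("sharing-from-lan", LAN, 139, "ACCEPT"),
    ("sharing-from-lan", LAN, 445, "ACCEPT"),
    ("default-deny", ANY, None, "DROP"),
]

# The mistake to avoid: an allow for 445 with no source restriction, which
# lets an infected host anywhere on the Internet reach LSASS.
BAD_RULES = [
    ("sharing-open-to-world", ANY, 445, "ACCEPT"),
    ("default-deny", ANY, None, "DROP"),
]


def decide(rules, src, dport):
    """Action for a new inbound connection from `src` to `dport`:
    first matching rule wins; an unmatched packet is dropped."""
    src_ip = ip_address(src)
    for _name, net, port, action in rules:
        if src_ip in net and (port is None or port == dport):
            return action
    return "DROP"


def reachable_sharing_ports(rules, src):
    """Which of 135/139/445 a host at `src` can open under `rules`."""
    return [p for p in SHARING_PORTS if decide(rules, src, p) == "ACCEPT"]


def audit(rules, outside="203.0.113.9", inside="192.168.1.20"):
    """Probe from an Internet address and a LAN address (both assumed);
    a sound rule set returns an empty list for "outside"."""
    return {"outside": reachable_sharing_ports(rules, outside),
            "inside": reachable_sharing_ports(rules, inside)}


if __name__ == "__main__":
    print("good rules:", audit(GOOD_RULES))
    print("bad rules: ", audit(BAD_RULES))
```

The model covers new inbound connections only; a real filter also needs a rule admitting return traffic for connections the LAN opened. The audit is worth running against whatever your router exports: an "inside" list of all three ports with an empty "outside" list is the state the poster relies on.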
 

> ><snip>
> >> Yes, any firewall that blocks incoming port
> >> 445 will prevent infection by the Sasser worm.
> >
> >As long as someone won't write a variant
> >of the worm spreading by email too 🙂
> >
> >Brain; the best firewall in the world (if one uses it)
> >
> >
>
> We can only deal with the "known knowns". The "unknown unknowns"
> we'll have to leave for Mr. Rumsfeld...

Uh .. bad day ?!? I was just putting a little sarcasm there 🙂 !!

> Currently, the Sasser worm only spreads by exploiting the LSASS buffer
> overflow vulnerability through port 445.

Yes, got some "proof of concept" code here, know how it works :-/

> Sasser.D now also sends an ICMP echo request, which will certainly show
> up in many more logs 🙁

That's what I was saying. I don't think it would take too much
before we'll see a "mail spreading" variant; then, due to the
high number of "don't use the brain, just click here" users, it
will become another threat :-(
 

On Tue, 4 May 2004 19:21:51 +0200, ObiWan spoketh

>> ><snip>
>> >> Yes, any firewall that blocks incoming port
>> >> 445 will prevent infection by the Sasser worm.
>> >
>> >As long as someone won't write a variant
>> >of the worm spreading by email too 🙂
>> >
>> >Brain; the best firewall in the world (if one uses it)
>> >
>> >
>>
>> We can only deal with the "known knowns". The "unknown unknowns"
>> we'll have to leave for Mr. Rumsfeld...
>
>Uh .. bad day ?!? I was just putting a little of sarcasm there 🙂 !!

Sorry, I thought my "unknown unknowns" comment was fairly humorous ...

>
>> Currently, the Sasser worm only spreads by exploiting the LSASS buffer
>> overflow vulnerability through port 445.
>
>Yes, got some "proof of concept" code here, know how it works :-/
>
>> Sasser.D now also sends an ICMP echo request, which will certainly show
>> up in many more logs 🙁
>
>That's what I was saying. I don't think it would take too much
>before we'll see a "mail spreading" variant; then, due to the
>high number of "don't use the brain, just click here" users, it
>will become another threat :-(
>
>

I expect there will be another worm exploiting the LSASS vulnerability
(as well as other vulnerabilities listed in MS04-011) that'll be
delivered through e-mail. Can't speculate on if it'll be a Sasser
variation or not, but I'm almost willing to bet the farm that we'll see
it by the end of the week...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 

On 4 May 2004 17:02:25 -0500, Micheal Robert Zium spoketh

>Lars M. Hansen wrote:
>
>>"Vulnerable by default"? What the F*** does that mean? Does that mean
>>when the next vulnerability for Linux is discovered, the Microsoft camp
>>can claim that Linux is "vulnerable by default"?
>
>Gosh, I can't remember the last remote vulnerability for Linux. Can
>you? I've been swept away by the flood of Winders vulnerabilities.
>Linux would really have to get on the ball if it's going to catch the
>MotherShip.

No, the last remote access vulnerability I recall was some SSH-related
issue about a year ago.

The reason I had an issue with the statement was that it sounded like
Microsoft intentionally left something vulnerable in their OS, which is
preposterous.

I consider every computer vulnerable after the initial OS installation,
regardless of OS. It's only after patches have been applied and services
properly configured (or removed, as the case may be) that the computer
becomes less of a security risk. Unfortunately, unless programmers
become perfect, we'll always have imperfect software. Windows has had a
couple of big issues in the past few months (DCOM and now LSASS), and
unfortunately, people are not good at patching their computers.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 

On Tue, 04 May 2004 12:29:17 -0700, Steevo@my-deja.com spoketh

>On Tue, 04 May 2004 18:47:03 GMT, Lars M. Hansen
><badnews@hansenonline.net> wrote:
>>Yes, port 445 is difficult to close on a Windows computer. It's the
>>port used by what's commonly known as "Windows Networking", which means
>>sharing files and printers over a network. There are ways of closing it,
>>but it takes a little reading...

>With NAT firewalls at the $19.99 range on sale (or sometimes after
>rebate) there is no reason DSL and Cable modem users should be
>directly connected anymore.

I wholeheartedly agree with you. Forsaking happy-meals for a couple of
days is enough to pay for the protection of a NAT router. Although not
perfect in every way, it is an affordable solution for almost every
household. If you can afford a computer, you should be able to afford
the NAT router as well.

>
>That whole idea foisted on us by the telcos and cable companies has
>caused so many problems it is beyond comprehension.

Luckily, here, Comcast doesn't care. They don't support it, but if you
hook it up, they won't complain.



Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 

On Tue, 04 May 2004 20:27:32 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:

>>
>>That whole idea foisted on us by the telcos and cable companies has
>>caused so many problems it is beyond comprehension.
>
>Luckily, here, Comcast doesn't care. They don't support it, but if you
>hook it up, they won't complain.
What I meant to say was the dsl modems and cable modems should be
banned if they lack such filtering/routing. They are just too much
trouble.
 

On Tue, 04 May 2004 20:27:32 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:
>>
>>That whole idea foisted on us by the telcos and cable companies has
>>caused so many problems it is beyond comprehension.
>
>Luckily, here, Comcast doesn't care. They don't support it, but if you
>hook it up, they won't complain.

I found that quote

http://www.senderbase.org/ calculates comcast.net / attbi.com is
spewing over 1.5 billion e-mails per day, from 45889 hosts of
which only a handful are legitimate mail relays.

Are most of those machines trojaned? Being abused by spammers?
Yes, and if those users had even a $20 NAT firewall this would be
less, lots less. Would it be eliminated by a NAT firewall? No. But
it would be a fraction of what it is now.