Tom's Guide Forums
 Thread : Would a firewall prevent Sasser worm?
 
Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

If I had a firewall would that prevent the Sasser worm infecting my  
PC?
 
I mean, if another infected system cannot see my ports because they  
are stealthed then presumably Sasser could not infect me?


On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
 
>If I had a firewall would that prevent the Sasser worm infecting my  
>PC?
>
>I mean, if another infected system cannot see my ports because they  
>are stealthed then presumably Sasser could not infect me?
 
Yes, any firewall that blocks incoming port 445 will prevent infection
by the Sasser worm.
 
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)


Lars M. Hansen wrote:
> On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>  
>  
>>If I had a firewall would that prevent the Sasser worm infecting my  
>>PC?
>>
>>I mean, if another infected system cannot see my ports because they  
>>are stealthed then presumably Sasser could not infect me?
>  
>  
> Yes, any firewall that blocks incoming port 445 will prevent infection
> by the Sasser worm.
>  
> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)
 
 From Microsoft: "Customers who have enabled the Windows XP Firewall are  
protected from the vector this worm attacks, which is TCP Port 139.  
Most third party firewalls also block this attack vector by default."
 
g-w


<snip>
> Yes, any firewall that blocks incoming port
> 445 will prevent infection by the Sasser worm.
 
As long as someone won't write a variant
of the worm spreading by email too :-)
 
Brain; the best firewall in the world (if one uses it)


On Tue, 4 May 2004 14:25:28 +0200, ObiWan spoketh
 
><snip>
>> Yes, any firewall that blocks incoming port
>> 445 will prevent infection by the Sasser worm.
>
>As long as someone won't write a variant
>of the worm spreading by email too :-)
>
>Brain; the best firewall in the world (if one uses it)
>
>
 
We can only deal with the "known knowns". The "unknown unknowns" we'll
have to leave for Mr. Rumsfeld...
 
Currently, the Sasser worm only spreads by exploiting the LSASS buffer
overflow vulnerability through port 445.  
 
Sasser.D now also sends an ICMP echo request, which will certainly show
up in many more logs :(
 
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
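
The pattern this post describes (an ICMP echo request plus a connection attempt to port 445) can be looked for in a firewall log. The following is an added example, not part of the original post: it assumes the Windows XP ICF log layout given by the `#Fields:` line, assumes the echo arrives from the same source shortly before the port 445 attempt, and uses constructed log lines; `classify_sources` and the 30-second window are illustrative choices.

```python
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range addresses), not real traffic.
# Layout assumed to follow the ICF log's own "#Fields:" header.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-05-04 10:15:00 DROP ICMP 203.0.113.7 198.51.100.20 - - 60 - - - - 8 0 -
2004-05-04 10:15:01 DROP TCP 203.0.113.7 198.51.100.20 1045 445 48 S 3245678 0 16384 - - -
2004-05-04 10:16:10 DROP TCP 203.0.113.9 198.51.100.20 2101 445 48 S 9911223 0 16384 - - -
2004-05-04 10:17:30 DROP ICMP 203.0.113.11 198.51.100.20 - - 60 - - - - 8 0 -
2004-05-04 10:18:00 DROP TCP 203.0.113.12 198.51.100.20 3300 80 48 S 5511223 0 16384 - - -
2004-05-04 10:25:00 DROP ICMP 203.0.113.13 198.51.100.20 - - 60 - - - - 8 0 -
2004-05-04 10:40:00 DROP TCP 203.0.113.13 198.51.100.20 1200 445 48 S 7711223 0 16384 - - -
"""


def parse_log(text):
    """Parse log text into dicts keyed by the names on the #Fields line."""
    fields, events = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(
            row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events


def classify_sources(events, window=timedelta(seconds=30)):
    """Label every source that tried TCP 445 on this host.

    "echo-then-445": an ICMP echo request (type 8) from the same source to
    the same destination was logged within `window` before the attempt.
    "445-only": no such echo request was seen.
    """
    last_echo = {}  # (src, dst) -> time of most recent echo request
    labels = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src-ip"], ev["dst-ip"])
        if ev["protocol"] == "ICMP" and ev["icmptype"] == "8":
            last_echo[key] = ev["ts"]
        elif ev["protocol"] == "TCP" and ev["dst-port"] == "445":
            echo = last_echo.get(key)
            paired = echo is not None and ev["ts"] - echo <= window
            if labels.get(ev["src-ip"]) != "echo-then-445":
                labels[ev["src-ip"]] = "echo-then-445" if paired else "445-only"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, label)
```
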


Piotr Makley <pmakley@mail.com> writes:
 
]If I had a firewall would that prevent the Sasser worm infecting my  
]PC?
 
]I mean, if another infected system cannot see my ports because they  
]are stealthed then presumably Sasser could not infect me?
 
Sasser cannot infect you if you do not run Windows. Sasser cannot
infect you if you install the patch from Microsoft. A firewall might
help, but if you insist on not doing the first two you will always be in
danger. Note that a firewall has nothing to do with "stealthing" your
ports. It simply rejects all attempts to connect to ports except those
you deliberately open. You can do the same by not opening any ports
except those you absolutely need in the first place. What ports are open
on your system? Do you know?


Lars M. Hansen <badnews@hansenonline.net> writes:
 
]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
 
]>If I had a firewall would that prevent the Sasser worm infecting my  
]>PC?
]>
]>I mean, if another infected system cannot see my ports because they  
]>are stealthed then presumably Sasser could not infect me?
 
]Yes, any firewall that blocks incoming port 445 will prevent infection
]by the Sasser worm.
 
Why is port 445 open on his system in the first place?


On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh
 
>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>
>]>If I had a firewall would that prevent the Sasser worm infecting my  
>]>PC?
>]>
>]>I mean, if another infected system cannot see my ports because they  
>]>are stealthed then presumably Sasser could not infect me?
>
>]Yes, any firewall that blocks incoming port 445 will prevent infection
>]by the Sasser worm.
>
>Why is port 445 open on his system in the first place?
 
Port 445 is open by default on any W2K or WXP system unless you've
closed it somehow. Despite the fact that we all wish people would have
firewalls or at least a NAT router, we're not quite there yet...
 
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"


> ><snip>
> >> Yes, any firewall that blocks incoming port
> >> 445 will prevent infection by the Sasser worm.
> >
> >As long as someone won't write a variant
> >of the worm spreading by email too :-)
> >
> >Brain; the best firewall in the world (if one uses it)
> >
> >
>
> We can only deal with the "known knowns". The "unknown unknowns"
> we'll have to leave for Mr. Rumsfeld...
 
Uh .. bad day ?!? I was just putting a little sarcasm there :-) !!
 
> Currently, the Sasser worm only spreads by exploiting the LSASS buffer
> overflow vulnerability through port 445.
 
Yes, got some "proof of concept" code here, know how it works :-/
 
> Sasser.D now also sends an ICMP echo request, which will certainly show
> up in many more logs :(
 
That's what I was saying; I don't think it would take too much
before we'll see a "mail spreading" variant, then, due to the
high number of "don't use the brain, just click here" users it
will become another threat :-(


On Tue, 4 May 2004 19:21:51 +0200, ObiWan spoketh
 
>> ><snip>
>> >> Yes, any firewall that blocks incoming port
>> >> 445 will prevent infection by the Sasser worm.
>> >
>> >As long as someone won't write a variant
>> >of the worm spreading by email too :-)
>> >
>> >Brain; the best firewall in the world (if one uses it)
>> >
>> >
>>
>> We can only deal with the "known knowns". The "unknown unknowns"
>> we'll have to leave for Mr. Rumsfeld...
>
>Uh .. bad day ?!? I was just putting a little sarcasm there :-) !!
 
Sorry, I thought my "unknown unknowns" comment was fairly humorous ...  
 
>
>> Currently, the Sasser worm only spreads by exploiting the LSASS buffer
>> overflow vulnerability through port 445.
>
>Yes, got some "proof of concept" code here, know how it works :-/
>
>> Sasser.D now also sends an ICMP echo request, which will certainly show
>> up in many more logs :(
>
>That's what I was saying; I don't think it would take too much
>before we'll see a "mail spreading" variant, then, due to the
>high number of "don't use the brain, just click here" users it
>will become another threat :-(
>
>
 
I expect there will be another worm exploiting the LSASS vulnerability
(as well as other vulnerabilities listed in MS04-011) that'll be
delivered through e-mail. Can't speculate on if it'll be a Sasser
variation or not, but I'm almost willing to bet the farm that we'll see
it by the end of the week...
 
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"


Lars M. Hansen <badnews@hansenonline.net> writes:
 
]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh
 
]>Lars M. Hansen <badnews@hansenonline.net> writes:
]>
]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
]>
]>]>If I had a firewall would that prevent the Sasser worm infecting my  
]>]>PC?
]>]>
]>]>I mean, if another infected system cannot see my ports because they  
]>]>are stealthed then presumably Sasser could not infect me?
]>
]>]Yes, any firewall that blocks incoming port 445 will prevent infection
]>]by the Sasser worm.
]>
]>Why is port 445 open on his system in the first place?
 
]Port 445 is open by default on any W2K or WXP system unless you've
]closed it somehow. Despite the fact that we all wish people would have
]firewalls or at least a NAT router, we're not quite there yet...
 
?? Again, why is port 445 open anyway? You advocate that the user gets a
firewall. Surely it would be easier just to close port 445 or any ports
not absolutely needed than it would be to get and properly set up a
firewall. Or are you saying it is impossible to close many ports on a
Win machine?
This is like  an exchange "I've got some dirt on my face" "Buy a skimask so people
cannot see the dirt". Why not just wash? If you cannot wash for some
reason then maybe a skimask would be an option, but surely advocating it
as the first thing to do is silly.  
 
"Close all ports that you do not absolutely need on your machine"
should surely be the first bit of advice. Then after you have done that
also install a firewall for that extra bit of protection.


In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
> Lars M. Hansen <badnews@hansenonline.net> writes:
 
> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
 
> ]>If I had a firewall would that prevent the Sasser worm infecting my  
> ]>PC?
> ]>
> ]>I mean, if another infected system cannot see my ports because they  
> ]>are stealthed then presumably Sasser could not infect me?
 
> ]Yes, any firewall that blocks incoming port 445 will prevent infection
> ]by the Sasser worm.
 
> Why is port 445 open on his system in the first place?
 
Because Microsoft has it enabled and vulnerable by default.
 
 
--  
Peter Håkanson          
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
    remove "icke-reklam" if you feel for mailing me. Thanx.


In article <c78mat$4ps$1@string.physics.ubc.ca>,  
unruh@string.physics.ubc.ca says...
> "Close all ports that you do not absolutely need on your machine"
> should surely be the first bit of advice. Then after you have done that
> also install a firewall for that extra bit of protection.
 
The problem is that most people don't have a clue as to how to close  
ports, set up IPSec rules, etc... Most people don't even know to enable  
the ICF on their machines.
 
The best thing people can do is purchase a cheap router with NAT and use  
it from the moment they get their computer. This lets them download the  
updates, install and update the AV software, etc... before they have a  
chance to get hacked.
 
I put this back on the ISPs - they provide an open connection and don't  
warn the unsuspecting public about the risk/problems. If they just  
enabled NAT by default on their routers (DSL or Cable) most of this  
problem would go away.
 
 
 
--  
--
spamfree999@rrohio.com
(Remove 999 to reply to me)


Hi,
 
I agree with ObiWan, why use a firewall to filter some port if it can
be exploited in other ways ??
 
In this case, the "unknown" can be commonly supposed...
 
Real secure protect the source problem, not workarounds... ;-)
 
Fix the overflow at lsass.exe! :)
 
ps.: A machine up2date today isn't enough.
 
Regards.
 
Mercenarie's Club Member =>  http://cdm.frontthescene.com.br
Front The Scene Team     =>  http://www.frontthescene.com.br
Personal Page            =>  http://ws.frontthescene.com.br


On Tue, 4 May 2004 18:10:37 +0000 (UTC), Bill Unruh spoketh
 
>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh
>
>]>Lars M. Hansen <badnews@hansenonline.net> writes:
>]>
>]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>]>
>]>]>If I had a firewall would that prevent the Sasser worm infecting my  
>]>]>PC?
>]>]>
>]>]>I mean, if another infected system cannot see my ports because they  
>]>]>are stealthed then presumably Sasser could not infect me?
>]>
>]>]Yes, any firewall that blocks incoming port 445 will prevent infection
>]>]by the Sasser worm.
>]>
>]>Why is port 445 open on his system in the first place?
>
>]Port 445 is open by default on any W2K or WXP system unless you've
>]closed it somehow. Despite the fact that we all wish people would have
>]firewalls or at least a NAT router, we're not quite there yet...
>
>?? Again, why is port 445 open anyway? You advocate that the user gets a
>firewall. Surely it would be easier just to close port 445 or any ports
>not absolutely needed than it would be to get and properly set up a
>firewall. Or are you saying it is impossible to close many ports on a
>Win machine?
 
Yes, port 445 is difficult to close on a Windows computer. It's the
port used by what's commonly known as "Windows Networking", which means
sharing files and printers over a network. There are ways of closing it,
but it takes a little reading...  
 
>This is like  an exchange "I've got some dirt on my face" "Buy a skimask so people
>cannot see the dirt". Why not just wash? If you cannot wash for some
>reason then maybe a skimask would be an option, but surely advocating it
>as the first thing to do is silly.  
 
No comment ...  
 
>
>"Close all ports that you do not absolutely need on your machine"
>should surely be the first bit of advice. Then after you have done that
>also install a firewall for that extra bit of protection.
 
If all ports are closed, then there's little need for a firewall. If
there are some ports left open, then the firewall will need to allow
those ports anyways, unless the firewall is there to restrict the IP
addresses that'll gain access or because it does protocol validation.  
 
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"


On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
spoketh
 
>In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
>> Lars M. Hansen <badnews@hansenonline.net> writes:
>
>> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>
>> ]>If I had a firewall would that prevent the Sasser worm infecting my  
>> ]>PC?
>> ]>
>> ]>I mean, if another infected system cannot see my ports because they  
>> ]>are stealthed then presumably Sasser could not infect me?
>
>> ]Yes, any firewall that blocks incoming port 445 will prevent infection
>> ]by the Sasser worm.
>
>> Why is port 445 open on his system in the first place?
>
>Because Microsoft has it enabled and vulnerable by default.
 
"Vulnerable by default"? What the F*** does that mean? Does that mean
when the next vulnerability for Linux is discovered, the Microsoft camp
can claim that Linux is "vulnerable by default"?  
 
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

Archived from groups: comp.security.firewalls

On Tue, 4 May 2004 18:10:37 +0000 (UTC), unruh@string.physics.ubc.ca
(Bill Unruh) wrote:
 
>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh
 
>]Port 445 is open by default on any W2K or WXP system unless you've
>]closed it somehow. Despite the fact that we all wish people would have
>]firewalls or at least a NAT router, we're not quite there yet...
>
>?? Again, why is port 445 open anyway? You advocate that the user gets a
>firewall. Surely it would be easier just to close port 445 or any ports
>not absolutely needed than it would be to get and properly set up a
>firewall. Or are you saying it is impossible to close many ports on a
>Win machine?
>This is like  an exchange "I've got some dirt on my face" "Buy a skimask so people
>cannot see the dirt". Why not just wash? If you cannot wash for some
>reason then maybe a skimask would be an option, but surely advocating it
>as the first thing to do is silly.  
>
>"Close all ports that you do not absolutely need on your machine"
>should surely be the first bit of advice. Then after you have done that
>also install a firewall for that extra bit of protection.
 
Without port 445, I am unable to share the printer on our network.  So
when I edit the registry to close this port, we can't print from XP
computers.  We're relying on our router/firewall.

Archived from groups: comp.security.firewalls

On Tue, 04 May 2004 18:47:03 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:
>Yes, port 445 is difficult to close on a Windows computer. It's the
>port used by what's commonly known as "Windows Networking", which means
>sharing files and printers over a network. There are ways of closing it,
>but it takes a little reading...  

With NAT firewalls at the $19.99 range on sale (or sometimes after
rebate) there is no reason DSL and Cable modem users should be
directly connected anymore.  
 
That whole idea foisted on us by the telcos and cable companies has
caused so many problems it is beyond comprehension.  
 
I have never had a persistent connection to the internet with no
routing/filtering capabilities.  And there is no reason anyone should.
 
Was it here that someone posted the spam emissions of ATTBI and one
other network's trojaned machines was 1.6 billion messages a day?  I
can't lay my hand on that post.  But that is reason enough that
everyone who has a computer connected to the internet should have and
use a NAT router as a minimum.