Vicious new worm Sasser. Patch now!

Bucksnort

Golden Member
Aug 17, 2001
1,062
0
0
It has been released so make sure you have the newest critical updates installed. KB835732 is the patch for it if you want to check that it's installed.
 

Bucksnort

Golden Member
Aug 17, 2001
1,062
0
0
That applies to Win 2000 and you simply disable IPSEC service if problem is encountered. No one should use IPSEC.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
No one should use IPSec??

Yes there are issues with MS04-011. Here are the known issues: http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

Sasser is a potential disaster. If you refuse to patch because you are worried about problems with the patch, you will be in a world of hurt. Sasser requires no user intervention to propagate. It is not spread through email, and users do not have to click on anything to launch it.

Here are some links on this new worm:

http://www.microsoft.com/security/incident/sasser.asp

http://netsecurity.about.com/cs/virusesworms/a/aa050104.htm

http://vil.nai.com/vil/content/v_125007.htm

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

http://www3.ca.com/threatinfo/virusinfo/virus.aspx?ID=39012
 

Bucksnort

Golden Member
Aug 17, 2001
1,062
0
0
"No one should use IPSec??"

IPSEC Services - manages IP security (IPsec) policy, starts the Internet Key Exchange (IKE) and coordinates IPsec policy settings with the IP security driver. Only leave on if you are using IPSec. Opens Port 500.
Recommendation: Disabled

Posted earlier by member Monzie referencing UK Security. Another fine services site along with BlackViper.

http://www.uksecurityonline.com/husdg/windowsxp/disableservices.htm
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
That site spouts FUD and useless misinformation. DNS client recommended disabled? NTP is a security risk? Disable your DHCP client? Even on a stand-alone machine, almost all of these services are necessary.

I have spoken with many a customer who followed one of these guides and then didn't have a functioning computer. For example, the DHCP client service is the service responsible for registering DNS records, even on machines with a static IP. Maybe not a big deal on a stand-alone box, but people use these guides for all types of machines.

DNS client? I guess if you never use the Internet you can disable that. NTP? They don't want you to sync your clock? On a domain, NTP is necessary otherwise Kerberos will not function.

I realize this guide is for home users, but there are still many services in that list that should be left on.

As far as IPSec, you missed my point. Your guide even says that it should be disabled only if you aren't using IPSec. What if you are? According to you, nobody should be using IPSec...why?
 

LocutusX

Diamond Member
Oct 9, 1999
3,061
0
0
I agree, many of those "tweak guides" are FUD. They're extremely overzealous about saving memory even when disabling a service might only give you an extra 100k... and the ones with "performance tweaks" never have any documented proof that the tweaks work, so everyone just THINKS they work due to the Placebo effect.
 

FreshPrince

Diamond Member
Dec 6, 2001
8,361
1
0
Originally posted by: STaSh

Sasser is a potential disaster. If you refuse to patch because you are worried about problems with the patch, you will be in a world of hurt. Sasser requires no user intervention to propagate. It is not spread through email, and users do not have to click on anything to launch it.

ok, when you say it requires no user intervention to propagate... will it go through enterprise firewalls?

currently I'm blocking TCP 445, 5554, 9996, is that enough?

thx!

-FP
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
You should probably block 139 also. But all ports should be blocked on your firewall anyway. Only open the ports you need (such as 80), not the other way around.
 

FreshPrince

Diamond Member
Dec 6, 2001
8,361
1
0
Originally posted by: STaSh
You should probably block 139 also. But all ports should be blocked on your firewall anyway. Only open the ports you need (such as 80), not the other way around.

you're right, the only open ports are 443 and other services that we provide, with that said, with ports 139, 445, 5554, and 9996 blocked by the firewall, will the virus still come in?
 
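A defender-side check for the situation these last two posts describe, added here as an example and not posted by anyone in the thread: it parses constructed firewall log lines and flags hosts sweeping TCP 445/139 or talking to 5554/9996, the ports FreshPrince lists. The log format, the three-host threshold and every address are assumptions.

```python
import re
from collections import defaultdict

# Ports the thread blocks: TCP 445/139 (how the worm reaches a host) and
# TCP 5554/9996 (listeners on infected hosts).  Log format is an assumption.
SPREAD_PORTS = {445, 139}
LISTENER_PORTS = {5554, 9996}
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample, not real traffic: 10.1.1.50 sweeps four hosts on 445/139,
# 10.1.2.12 then talks to 10.1.1.50 on 5554 and 9996, 10.1.3.7 touches one host.
SAMPLE_LOG = """\
2004-05-03T08:00:01 DROP TCP 10.1.1.50:1045 -> 10.1.2.10:445
2004-05-03T08:00:01 DROP TCP 10.1.1.50:1046 -> 10.1.2.11:445
2004-05-03T08:00:02 ACCEPT TCP 10.1.1.50:1047 -> 10.1.2.12:445
2004-05-03T08:00:03 DROP TCP 10.1.1.50:1048 -> 10.1.2.13:139
2004-05-03T08:00:09 ACCEPT TCP 10.1.2.12:1100 -> 10.1.1.50:5554
this line is not a firewall record and is skipped
2004-05-03T08:01:00 ACCEPT TCP 10.1.3.7:2000 -> 10.1.2.12:445
2004-05-03T08:01:05 ACCEPT TCP 192.0.2.9:4000 -> 10.1.2.20:443
2004-05-03T08:02:00 ACCEPT TCP 10.1.2.12:1101 -> 10.1.1.50:9996
"""

def parse_line(line):
    # Returns a dict for a well-formed record, None for anything else.
    m = LOG_RE.match(line.strip())
    return {**m.groupdict(), "dport": int(m["dport"])} if m else None

def find_sasser_suspects(lines, min_hosts=3):
    # Source IP -> reasons.  Flag a host that reaches min_hosts distinct targets
    # on 445/139 (DROPs count: blocked attempts are still evidence) or 5554/9996.
    swept, listeners = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] != "TCP":
            continue
        if rec["dport"] in SPREAD_PORTS:
            swept[rec["src"]].add(rec["dst"])
        elif rec["dport"] in LISTENER_PORTS:
            listeners[rec["src"]].add(rec["dport"])
    suspects = defaultdict(list)
    for src, hosts in swept.items():
        if len(hosts) >= min_hosts:
            suspects[src].append(f"swept {len(hosts)} hosts on TCP 445/139")
    for src, ports in listeners.items():
        joined = ", ".join(str(p) for p in sorted(ports))
        suspects[src].append(f"connected to listener port(s) {joined}")
    return dict(suspects)
```

Running it over the sample flags 10.1.1.50 (the sweep) and 10.1.2.12 (the listener contacts) while the single 445 hit from 10.1.3.7 and the 443 traffic stay quiet.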

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Good point. Someone with an infected laptop could plug into your network for example.
 

FreshPrince

Diamond Member
Dec 6, 2001
8,361
1
0
Originally posted by: STaSh
Good point. Someone with an infected laptop could plug into your network for example.

sigh...so true :(

but I'm glad that closing those ports is sufficient from an external standpoint.

Internally, that's another story.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Internally it's more of a policy issue. With a good network use policy, these issues can be taken care of. :)
 

FreshPrince

Diamond Member
Dec 6, 2001
8,361
1
0
Originally posted by: n0cmonkey
Internally it's more of a policy issue. With a good network use policy, these issues can be taken care of. :)

that depends on the corporate culture...if the big boss says open it, ya open it :) best way then is to provide layers and hope it all gets filtered.
 

buckmasterson

Senior member
Oct 12, 2002
482
0
0
This worm caught us yesterday and infected networks from South America to North America. About 700 computers total. We just completed an upgrade from intel 350 machines running 98SE to intel 3 gig machines running XP Pro. ST did not patch the systems and "down we are"! It can be easily removed, but it's gonna be a pain in the butt with all these infections.

Not sure when we will be up & running again. Too bad, we used to have an ST person on site in every plant, but they eliminated their jobs and hired a firm in North America for support. They are unwilling to give anyone administrator rights in any of the plants because they said they can do anything remote, including hard drive restores.

The worst part, we have separate process networks that talk to the main network. The virus spread to our process systems and shut down some pretty important stuff. I spent all day Saturday in the plant trying to keep processes running. We don't believe in firewalls either... :disgust:
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Originally posted by: buckmasterson
This worm caught us yesterday and infected networks from South America to North America. About 700 computers total. We just completed an upgrade from intel 350 machines running 98SE to intel 3 gig machines running XP Pro. ST did not patch the systems and "down we are"! It can be easily removed, but it's gonna be a pain in the butt with all these infections.

Not sure when we will be up & running again. Too bad, we used to have an ST person on site in every plant, but they eliminated their jobs and hired a firm in North America for support. They are unwilling to give anyone administrator rights in any of the plants because they said they can do anything remote, including hard drive restores.

The worst part, we have separate process networks that talk to the main network. The virus spread to our process systems and shut down some pretty important stuff. I spent all day Saturday in the plant trying to keep processes running. We don't believe in firewalls either... :disgust:

Damn. That's why a company should never skimp on the quality of their own employees when it comes to managing the IT infrastructure. If you had good guys at each site then at least a few of them would have realised what was happening and could have taken steps to stop it...

Now you had a bunch of clueless (as in computer literacy, not intelligence :) ) users trying to "phone home" or call the support place to find out what is happening and that service place is probably getting swamped because the same thing was happening to half the planet at the same time.

Of course the worm infections also mean that your network is a script-kiddie's playground, hopefully some 14 year old doesn't figure out what is happening and decides to inform his buddies on the 12 or so IRC channels he visits every day.

That stuff really really sucks :(
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
IT and security departments are worthless. They spend money all over the place, but they don't *MAKE* any money.

:p
 

LiLithTecH

Diamond Member
Jul 28, 2002
3,105
0
0
Originally posted by: n0cmonkey
IT and security departments are worthless. They spend money all over the place, but they don't *MAKE* any money.

:p

They might not MAKE money (they are not supposed to) but are a necessary evil to keep the Dataminers and Script Kiddies in check.
 

Booty

Senior member
Aug 4, 2000
977
0
0
Originally posted by: LiLithTecH
Originally posted by: n0cmonkey
IT and security departments are worthless. They spend money all over the place, but they don't *MAKE* any money.

:p

They might not MAKE money (they are not supposed to) but are a necessary evil to keep the Dataminers and Script Kiddies in check.


I don't think you picked up on the sarcasm there... ;)
 

Epoch84722

Junior Member
Jun 13, 2003
5
0
0
Be very careful when installing this new Microsoft Sasser patch. I installed it this morning on both my servers (both running Server 2003) and it really screwed up my domain controller, specifically the DNS services. Evidently, it could have been a lot worse, as chronicled in this post.