savya

Sasser Worm


• You can't clean a compromised system by patching it. Patching only removes the vulnerability. Upon getting into your system, the attacker probably ensured that there were several other ways to get back in.

• You can't clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you can't find any more may only mean you don't know where to look, or that the system is so compromised that what you are seeing is not actually what is there.

• You can't clean a compromised system by using some "vulnerability remover." Let's say you had a system hit by Blaster. A number of vendors (including Microsoft) published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldn't. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didn't think so.

• You can't clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can't be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. Note that if you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you can't guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you can't just patch the system.

• You can't clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies. If that happens, the installer may not actually remove the compromised files. In addition, the attacker may also have put back doors in non-operating system components.

• You can't trust any data copied from a compromised system. Once an attacker gets into a system, all the data on it may be modified. In the best-case scenario, copying data off a compromised system and putting it on a clean system will give you potentially untrustworthy data. In the worst-case scenario, you may actually have copied a back door hidden in the data.

• You can't trust the event logs on a compromised system. Upon gaining full access to a system, it is simple for an attacker to modify the event logs on that system to cover any tracks. If you rely on the event logs to tell you what has been done to your system, you may just be reading what the attacker wants you to read.

• You may not be able to trust your latest backup. How can you tell when the original attack took place? The event logs cannot be trusted to tell you. Without that knowledge, your latest backup is useless. It may be a backup that includes all the back doors currently on the system.

• The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don't want to see you doing that.

This list makes patching look not so bad, yes? We may hate patches, but the alternative is decidedly worse.


Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I

 

Security Program Manager

Microsoft Corporation

COPY & PASTE? HA HA

 

Hello, this is a problem of MSN, not mine. Bill Gates' company developed the Windows operating system, but why does he still need feedback to update the system? So that means the programmers don't have the guts to say that the system is 100% perfect. ini?

There are so many ways to solve the problems; it doesn't matter. One should know that this is a game, and it shows you how much time you have devoted to your system. Unless you know about the programming side you are lost, my friend... Copying and pasting is a very simple task. You should understand the background AS WELL.

 

Jesper M. Johansson, Security Program Manager, Microsoft Corporation, wrote this stuff. It sounds good, but that doesn't mean he is 100% correct... The Microsoft Virus Party Line. Learn it. Know it. Live it.

I basically use Linux rather than windows operating system..

 

About the Sasser worm: what is it? How many types of Sasser worm are there, etc.? First of all you should know that. Where it attacks. What is RPC? Why Windows shuts down in 60 seconds (countdown). What is lsass.exe? So many things, where the worm hits, ETC.. Little knowledge is a dangerous thing.

 

If your machine is behind a NAT router and/or personal firewall, your system should be safe from external intrusion. But this new worm is exploiting one of the Windows vulnerabilities disclosed by Microsoft's April patches, which allows for the execution of code on remote machines, which is always dangerous. Have you noticed that? No. Check it before you cut and paste..

 

Your three musketeers:

1. DCOMbobulator: this allows any Windows user to easily verify the effectiveness of Microsoft's recent critical DCOM patch. Confirmed reports have demonstrated that the patch is not always effective in eliminating DCOM's remote exploit vulnerability. But more importantly, since DCOM is a virtually unused and unneeded facility, disable DCOM.. but how, on next discussion..

 

2. Shoot the Messenger: Even before the latest DCOM/RPC vulnerability, many Windows users were being annoyed by "pop-up spam" notices appearing on their desktops. This intrusion is also facilitated by an exploitation of port 135. This Shoot the Messenger utility furthers the security of Windows by quickly and easily shutting down the "Windows Messenger" server that should never have been running by default in the first place.

 

3. Unplug n' Pray: UnPnP easily disables the dangerous, and almost always unnecessary, Universal Plug and Play service.

 

What are these? They are the three most popular Windows security-enhancing utilities. Check that, not the antivirus, mate..

 

If you know THESE THEN you can guarantee 100%.

 

XPdite: A Critical Security Vulnerability Exists in Windows XP. (Surprise) Actually, there are many, but handle them one at a time. This particular vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially formed URL. This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is already being exploited on the Internet.

DRDos:

IDServe:

Wizmo: ETC..

 

Now What is RPC? (Attacker gains access via RPC hole)

RPC is a network-programming model for point-to-point communication within or between software applications. In RPC the sender makes a request in the form of a procedure, function, or method call. RPC translates these calls into requests sent over the network to the intended destination. The RPC recipient then processes the request based on the procedure name and argument list, sending a response to the sender when complete. Generally RPC applications implement software modules called "proxies" and "stubs" that broker the remote calls and make them appear to the programmer the same as local procedure calls (LPC). RPC calling applications usually operate synchronously, waiting for the remote procedure to return a result. RPC incorporates timeout logic to handle network failures or other situations where RPCs do not return, etc..

 

How RPC Works

An RPC is analogous to a function call. Like a function call, when an RPC is made, the calling arguments are passed to the remote procedure and the caller waits for a response to be returned from the remote procedure. The client makes a procedure call that sends a request to the server and waits. The thread is blocked from processing until either a reply is received, or it times out. When the request arrives, the server calls a dispatch routine that performs the requested service, and sends the reply to the client. After the RPC call is completed, the client program continues. RPC specifically supports network applications etc..

 

 

Your Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I, Security Program Manager didn't write anything about this, did he?

well good luck TO BE CONTINUED....
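The RPC model described in the post above (a client-side proxy, a server-side stub with a dispatch routine, a synchronous call that blocks the caller, and timeout logic for a remote procedure that never returns), as an added example that is not part of the forum post and is not code from any Windows RPC implementation. It is a toy RPC over TCP on localhost; the length-prefixed JSON wire format, the exported procedure names add and echo, the constructed hang fault, and the RpcServer and RpcProxy classes are all assumptions made for this demonstration.

```python
"""Toy synchronous RPC over TCP: client proxy, server stub/dispatch table,
blocking call with timeout.  Added example, not the forum post's or any
vendor's code; the wire format and procedure names are assumptions."""
import json
import socket
import struct
import threading

# ---- wire format (assumption): 4-byte big-endian length, then a JSON object ----
def _send_msg(sock, obj):
    payload = json.dumps(obj).encode("utf-8")
    sock.sendall(struct.pack("!I", len(payload)) + payload)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def _recv_msg(sock):
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    return json.loads(_recv_exact(sock, length).decode("utf-8"))

# ---- server side: the stub is a fixed table of exported procedures ----
def add(a, b):
    return a + b

def echo(text):
    return text

PROCEDURES = {"add": add, "echo": echo}  # only these names are callable remotely

def _dispatch(request):
    """Dispatch routine: look the procedure up by name, apply the argument list."""
    name = request.get("proc")
    func = PROCEDURES.get(name)
    if func is None:
        return {"ok": False, "error": f"unknown procedure {name!r}"}
    try:
        return {"ok": True, "result": func(*request.get("args", []))}
    except Exception as exc:  # report server faults instead of leaving the caller waiting
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}

class RpcServer:
    """Serves one request per connection from a background thread."""
    def __init__(self, host="127.0.0.1", port=0):
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind((host, port))
        self._listener.listen()
        self.address = self._listener.getsockname()
        self._held = []  # connections deliberately left unanswered (the "hang" fault)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._listener.accept()
            except OSError:  # listener closed by close()
                return
            conn.settimeout(2.0)
            try:
                request = _recv_msg(conn)
            except (OSError, ValueError):
                conn.close()
                continue
            if request.get("proc") == "hang":
                self._held.append(conn)  # constructed fault: never send a reply
                continue
            _send_msg(conn, _dispatch(request))
            conn.close()

    def close(self):
        self._listener.close()
        for conn in self._held:
            conn.close()

class RpcProxy:
    """Client-side proxy: proxy.name(*args) becomes a remote call to 'name'."""
    def __init__(self, address, timeout=1.0):
        self._address = address
        self._timeout = timeout

    def __getattr__(self, name):
        if name.startswith("_"):
            raise AttributeError(name)
        def remote_call(*args):
            with socket.create_connection(self._address, timeout=self._timeout) as sock:
                _send_msg(sock, {"proc": name, "args": list(args)})
                try:
                    reply = _recv_msg(sock)  # caller blocks here until a reply or the timeout
                except socket.timeout:
                    raise TimeoutError(f"RPC {name!r} timed out after {self._timeout}s") from None
            if not reply["ok"]:
                raise RuntimeError(reply["error"])
            return reply["result"]
        return remote_call

def demo():
    """Exercise a normal call, an unknown procedure and a server that never answers."""
    server = RpcServer()
    client = RpcProxy(server.address, timeout=0.5)
    results = {"add": client.add(2, 3), "echo": client.echo("hi")}
    try:
        client.no_such_proc()
    except RuntimeError as exc:
        results["unknown"] = str(exc)
    try:
        client.hang()
    except TimeoutError:
        results["hang"] = "timeout"
    server.close()
    return results

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real RPC services: the server resolves the procedure name through a fixed dispatch table, so a caller can only reach what the service deliberately exports, and the client applies a socket timeout to the blocking receive, so a peer that accepts the request and then stays silent costs the caller a bounded wait rather than a hung thread.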


QUOTE (savya @ May 12 2004, 11:59 PM)
Check this link about Virus Alert.... I will 100% gurantee if u have any problem with this virus i will sort it out without the help of anti virus ......... any doubt?

check this link

Check this links mates

I use LINUX !!

No problem at all, coz most of the viruses are written for Windows, and they don't do any harm to those PCs which have Linux software.


Oh thanks Shima

 

It's good to know that you are familiar with Linux; well, thanks again for the reply.

Then you are from Germany.

Then you will understand this; it's your sig only..

 

Zu lieben ist nichts...., um zu sein liebte ist etwas..., um zu lieben und zu sein liebte ist alles.


QUOTE (savya @ May 13 2004, 08:49 PM)
Oh thanks Shima

It's good to know that you are familiar with Linux; well, thanks again for the reply.

Then you are from Germany.

Then you will understand this; it's your sig only..

Zu lieben ist nichts...., um zu sein liebte ist etwas..., um zu lieben und zu sein liebte ist alles.

Zu lieben ist nichts.

Geliebt zu werden ist wenig.

Zu lieben und gleichzeitig geliebt zu werden ist alles.

Well, this is the right translation of my sig. Anyway, thanks for your best try.


Sasser.A rocked the world. My uncle's computer was one of the earliest victims. I downloaded the Sasser removal tool from my computer and tried to apply it. Didn't work. I had to block the port manually. I first tried with the XP built-in firewall; it only worked for a while, then again the NT AUTHORITY\SYSTEM shutdown began. Now the last resort was to use a third-party firewall. Symantec did the good job and then I applied the Sasser removal tool. This is how SASSER CAN BE CHALLENGED.

 

Clever Sasser boy, he took advantage of the NT services.

 

SAVYA JYU, WHAT IS YOUR GUARANTEED WAY? CAN YOU ENLIGHTEN US?

 

raju

A+, Network+, MCSE (running)
