
W32.blaster Activity


[Graph: packets aimed at port 135 arriving at 69.3.23.104/29 on August 12, 2003, CDT]

R. J. Brown

Above is a graph showing every packet aimed at port 135 (TCP, the DCOM RPC endpoint the worm exploits) that arrived on August 12, 2003 (CDT) at the Elijah Laboratories Inc. network, 69.3.23.104/29. Since the traffic seemed to pick up after noon and tapered off quickly in the evening hours, we do not expect this to be as major a threat to the Internet as many in the security community have been predicting. This is perhaps because some of the major ISPs have started blocking both inbound and outbound port 135 traffic at their routers, quickly hindering the spread of this plague by means of a sort of electronic quarantine. Special thanks go to Cox Cable and the Department of Homeland Security for taking the initiative in this!

A news article stated that Korea had blocked port 4444, the port on which the worm's exploit payload opens a back-door shell; the worm then uses that shell to have the victim fetch the main portion of its code image (over TFTP, UDP port 69). While this would indeed keep the worm from spreading, because the infection would start but not finish, it was the wrong port to block. The correct port to block is 135, which keeps the infection from even starting on the machines behind the block.

What Korea did was ill-informed, as they now have a large base of partially infected machines with a back door wide open. This back door has a shell running on it, and anybody or anything that can talk to an infected machine's port 4444 owns that machine! So have fun, Korea, when you remove that block, or even before that, when your own local hackers (who are already behind those firewalls) discover all those back doors left swinging wide open on their hinges. Things could get interesting!

And, yes, this network was hit by Korean machines attempting to run the W32.blaster exploit, so we know they do have infected machines.
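The hourly count behind the graph above, and the 135 / 4444 / TFTP sequence described in the previous paragraphs, as an added example that is not code from the Elijah Laboratories page: a Python script that parses a simplified, constructed packet log (date, time, protocol, source, destination, destination port; not the page's own capture format), reports inbound TCP/135 attempts per hour, and works out for each attacker/victim pair how far the infection chain got. The monitored /29, the 60-second correlation window and the sample log lines are assumptions made for the example.

```python
"""Hourly port-135 histogram and Blaster stage correlation over packet-log lines.

Added example for this page, not Elijah Laboratories' own tooling. The log
format is a constructed, simplified one; a real tcpdump or router log needs
its own parser in place of parse_log().
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed for the example: the page's /29 is the monitored side; the three
# ports are the stages of a Blaster infection (TCP/135 exploit, TCP/4444
# bound shell, UDP/69 TFTP fetch of the worm body by the victim).
MONITORED_NET = ipaddress.ip_network("69.3.23.104/29")
RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69
STAGE_ORDER = {"probe": 0, "shell": 1, "download": 2}

# Constructed sample log (not a real capture): "date time proto src dst dport".
SAMPLE_LOG = """\
2003-08-12 09:14:02 tcp 203.0.113.7    69.3.23.106 135
2003-08-12 12:31:45 tcp 198.51.100.23  69.3.23.105 135
2003-08-12 12:31:46 tcp 198.51.100.23  69.3.23.105 4444
2003-08-12 12:31:47 udp 69.3.23.105    198.51.100.23 69
2003-08-12 12:40:10 tcp 203.0.113.7    69.3.23.107 135
2003-08-12 13:05:33 tcp 192.0.2.44     69.3.23.106 135
2003-08-12 13:05:34 tcp 192.0.2.44     69.3.23.106 4444
2003-08-12 13:58:00 tcp 198.51.100.23  69.3.23.107 135
2003-08-12 18:20:12 tcp 203.0.113.90   69.3.23.104 135
2003-08-12 21:02:00 tcp 192.0.2.44     69.3.23.105 135
"""


def parse_log(text):
    """Turn log lines into dicts sorted by time; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        date, time, proto, src, dst, dport = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "proto": proto.lower(),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def hourly_port_histogram(records, port=RPC_PORT):
    """Inbound TCP packets to `port`, bucketed by hour: the page's graph as numbers."""
    counts = Counter(
        r["ts"].hour for r in records
        if r["proto"] == "tcp" and r["dport"] == port and r["dst"] in MONITORED_NET
    )
    return dict(sorted(counts.items()))


def classify_pairs(records, window=60):
    """Furthest infection stage reached for each (attacker, victim) pair.

    probe    - TCP/135 seen only: exploit attempted, outcome unknown
    shell    - TCP/4444 from the same attacker within `window` seconds of its
               135 hit: payload ran and the bound shell was reachable
    download - victim then sent UDP/69 back to that attacker: worm body fetched
    Stages only move up, so a later bare probe never hides an earlier success.
    A 4444 hit with no recent 135 from the same source is not counted; it may
    be a plain scan, or someone else using a shell another attacker opened.
    """
    last_rpc, last_shell, stages = {}, {}, {}

    def reached(key, stage):
        if STAGE_ORDER[stage] > STAGE_ORDER.get(stages.get(key), -1):
            stages[key] = stage

    for r in records:
        if r["dst"] in MONITORED_NET and r["proto"] == "tcp":
            key = (r["src"], r["dst"])                # (attacker, victim)
            if r["dport"] == RPC_PORT:
                last_rpc[key] = r["ts"]
                reached(key, "probe")
            elif r["dport"] == SHELL_PORT:
                t = last_rpc.get(key)
                if t is not None and (r["ts"] - t).total_seconds() <= window:
                    last_shell[key] = r["ts"]
                    reached(key, "shell")
        elif r["src"] in MONITORED_NET and r["proto"] == "udp" and r["dport"] == TFTP_PORT:
            key = (r["dst"], r["src"])                # victim talks back to attacker
            t = last_shell.get(key)
            if t is not None and (r["ts"] - t).total_seconds() <= window:
                reached(key, "download")
    return {(str(a), str(v)): stage for (a, v), stage in stages.items()}


def exposed_victims(stages):
    """Local hosts whose best stage is 'shell': exploited, shell bound on 4444,
    but the worm body never arrived. This is the state a 4444-only block (as
    the page describes for Korea) leaves machines in."""
    best = {}
    for (_, victim), stage in stages.items():
        if STAGE_ORDER[stage] > STAGE_ORDER.get(best.get(victim), -1):
            best[victim] = stage
    return sorted(v for v, s in best.items() if s == "shell")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("TCP/135 hits per hour:", hourly_port_histogram(recs))
    stages = classify_pairs(recs)
    print("stage per attacker/victim pair:", stages)
    print("shell open, worm body never fetched:", exposed_victims(stages))
```

On the sample log the histogram peaks in the 12:00 and 13:00 hours, and one local host (69.3.23.106) ends up with a reachable shell and no download, which is exactly the partially infected condition the text warns about. Correlating by (attacker, victim) pair rather than by attacker alone matters because a worm that fails against one host may succeed against the next.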



© 2003 Elijah Laboratories Inc.
ALL RIGHTS RESERVED WORLDWIDE.

Web page design by Robert J. Brown.
Last modified: Tue Aug 12 01:20:15 CDT 2003
