
McAfee and Blaster / LovSan

14 August 2003, 09:53 AM, #1
JackClark

Good information for McAfee customers, reads like a bit of an advert so Mods feel free to delete it.

This past Monday, many of our customers were exposed to an attempt
to exploit a vulnerability in some versions of the Microsoft Windows
operating system. This vulnerability, referred to as the Microsoft
RPC buffer overflow vulnerability (MS03-026), was something that we
initially told you about a little more than two weeks ago. Since
that time, the vulnerability has been exploited and an active worm
exists (W32/Lovsan.worm). Any vulnerable Windows desktop or server
connected to the Internet may be open to an attack. By exploiting
the RPC vulnerability in Windows, the worm is able to execute
(without requiring any action on the part of the user) and could
potentially crash machines, causing downtime, and continue to
spread to vulnerable computers for further propagation. This
worm is still moving aggressively across the Internet. We're
making sure you are protected.

The McAfee Protection-in-Depth Strategy

The McAfee® Protection-in-Depth™ Strategy delivers the
industry's only complete set of system and network protection
solutions differentiated by intrusion prevention technology that
can detect and block the W32/Lovsan.worm before it can cause
damage to systems and networks. With the core components of the
McAfee Protection-in-Depth Strategy, customers can take immediate
steps to identify and resolve occurrences of the Lovsan.worm.



McAfee System Protection Solutions

McAfee ThreatScan

The latest ThreatScan signature (2003-08-12) includes detection
of the W32/Lovsan.worm virus. This signature is available for
ThreatScan v2.0, v2.1, and v2.5. By using ThreatScan, customers
can detect incidents of the LovSan.worm.

Network Associates Stinger Tool

An update has been made available to the Stinger tool so that
customers can stop further infection of desktop PCs, download
the required Microsoft software patches and re-establish the
security of infected desktop systems. This is a no-cost tool
available through the Network Associates Website.

McAfee Entercept System Intrusion Prevention

McAfee Entercept® stopped the W32/Lovsan.worm before it was a
known threat/attack. The McAfee Entercept solution provides
patented protection against exploitation by code execution as
a result of buffer overflows, protecting the integrity of the
server. This protection functions whether or not the server has
the latest security patch installed. The McAfee Entercept solution
and its patented technology safeguard servers against buffer
overflows, without any signature or code updates.

McAfee Desktop Firewall

McAfee Desktop Firewall would block access to TCP port 135 if no
legitimate applications were defined to make use of the port,
and would have prevented the worm from opening TCP port 4444.
This would prevent infected systems from further propagating
the worm. Even if the worm had been executed by an unsuspecting
user (received, for example, in email) the worm would not have
been able to connect to any remote computer system, in effect
isolating the infected computer on the network.

McAfee VirusScan® Anti-Virus Software

McAfee Anti-Virus solutions protected against W32/Lovsan.worm
before it was even discovered. W32/Lovsan.worm exploits the
MS03-026 vulnerability, and McAfee anti-virus solutions with
signatures updated since August 8, 2003, are able to detect a
variety of threats containing code that attempts to exploit that
vulnerability. By scanning files as they are saved to disk,
downloaded through the Internet gateway, or as they pass through
the email server, McAfee anti-virus solutions can detect and
eradicate W32/Lovsan.worm from your environment.

McAfee Network Protection Solutions

Sniffer® Distributed and Sniffer Portable Software

Sniffer Technologies filters can be used to alert managers to
the presence of the malicious worm exploiting the Microsoft RPC
buffer overflow vulnerability. Sniffer Technologies filters for
Sniffer Portable and Sniffer Distributed can identify the
Lovsan.worm used to exploit the Microsoft RPC vulnerability and
monitor traffic on TCP port 135.

McAfee IntruShield Network Intrusion Prevention

McAfee IntruShield® can both detect and block W32/Lovsan.worm,
stopping it before it even reaches the targeted host computer.
Users that have updated their systems with signature set 1.5.9.3,
released on July 22, 2003, are fully protected from this worm.
Users who have not yet updated their systems will be notified of
suspicious activity via the McAfee IntruShield anomaly detection
engine. Users who have not updated should do so immediately.

InfiniStream Security Forensics

InfiniStream™ Security Forensics mining capabilities can
pinpoint the infected machines, and the source of infection,
reducing mean time to resolution and the chances of reoccurrence.
Furthermore, as the new variants of the worm are introduced,
InfiniStream enables customers to rapidly isolate destructive
email payloads for verification through the WebImmune online
virus scanning system.

We're Here to Help

Our legacy is built on helping our customers protect their
business by protecting the security and availability of the
technology that powers it. As part of our McAfee Protection-in-Depth
Strategy, we offer a full range of emergency services that
complement the technology solutions identified above.

To help you, we've documented all the steps to resolve this
issue on our Website under “Security HQ” at the link below:
All times are GMT +1.