Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:The solution is...
Yeah, leave all your MS apps as they are. That'll work well for "business consistency". Hmm, let's see...
Internet Information Server (IIS)
-
SOCKS server (or Bugbear.B) on port 1080
OK, maybe you're right, but according to Symantec:
Backdoor routine
The worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:
- Delete files.
- Terminate processes.
- List processes and deliver the list to the hacker.
- Copy files.
- Start processes.
- List files and deliver the list to the hacker.
- Deliver intercepted keystrokes to the hacker in an encrypted form. This action could release confidential information typed on a computer (passwords, login details, and so on).
- Deliver the system information to the worm's creator in the following form:
- User: <user name>
- Processor: <type of processor used>
- Windows version: <Windows version, build number>
- Memory information: <Memory available, and so on>
- Local drives, their types (for example, fixed/removable/RAM disk/CD-ROM/remote), as well as their physical characteristics.
- List the network resources and their types, and deliver the list to the worm's creator.
-
Re:Blah, blah...
"I don't know too much about this particular virus, but I have my doubts that it's contained in an exe"
Read up:
It's distributed as either {.exe,.pif,.scr} which are all treated as applications in windows when you double click on them.
The browser/outlook vulnerability won't affect many people (and those it does probably already have problems). Mostly it's people blindly clicking on trojan.txt.exe (with hide file extensions left on so it looks like trojan.txt). Nice default setting, M$
-
Come on people, patch your OS's
You can fix the OS, but you can't fix the users. People who get hit by this have nobody to blame but themselves (or their Windows administrator).
Microsoft fixed this vulnerability more than 2 years ago. Why do people not update their software?
According to Symantec, Bugbear.B "uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability". -
Re:Modem..
Bzzt. Wrong. Thanks for playing.
This worm does try hard to get on the 'net. Copied from Symantec:
If W32.Bugbear.B determines that the default e-mail address for the local system belongs to a banking company, it enables auto-dialing through the registry.
Looks like they're trying to obtain passwords to bank-specific systems.
This is accomplished by setting the following value: "EnableAutodial"="0000001"
in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
The worm contains a large list (over one thousand) of targeted bank domain names from around the world. This is likely in an attempt to steal passwords more effectively. Therefore, banking institutions may be considered to be more at risk.
-
Conflict of interest...
You know, we should get our information from a reputable and IT source like symantec who provides details on how to remove it rather than a news source owned by the people who make windows, the vulnerable software.
-
Minor point...
Admit that your security problems are a direct result of your insistence on violating the #1 rule of software design: YOU NEVER MIX CODE AND DATA TOGETHER. You have specifically engineered every product you sell to be scriptable. STOP IT!
For years Apple has had AppleScript, an extremely powerful scripting language. Almost every worthwhile Mac application is scriptable. In all the years that AppleScript has been around, how many times has this been exploited? Once, and it was a pretty poor job.
The problem is not the scriptability of Microsoft's products, it's just that they chose to make it a gee-whiz feature and get it out in the marketplace, instead of taking the time and doing it right.
~Philly -
Just reload it!
> That thing took 5 hours to remove and still i see side effects of it
And it would have taken you 2-3 hours to reinstall your computer and configure all your apps, right? And it would have been working perfectly when you were done? I can't imagine a technically literate Windows user not just reloading Windows when things like this happen. It would probably save time and you'll have a fresh install when you're done.
I usually reload my Windows machine about once a month, and I don't have any performance problems. Granted, I shouldn't have to do this, but it's a lot easier to reload Windows and throw in my "reload CD" (which contains my unique drivers, favorite misc apps, and some important patches and codecs) and be done with it. The process usually takes 2 hours to get it exactly how I like it, which is a small price to pay for a machine running lean (especially with the stuff I throw at my machines).
And if that isn't simple enough for you, ever hear of Ghost?
-
Symantec spam reporting address
Not so with Norton / Symantec -- I can't find a working piracy@... address for them
According to their anti-spam page, you can report spammers that offer Symantec products to spamwatch@symantec.com.
-
Re:wtf?
-
Re:Possible application of strategy
One word: Tuxissa.
-
Symantec tool
main page
Removal tool
Cleaned up my office yesterday very nicely. -
Blocking the Permissioned Media "trojan"
After having a couple of calls regarding the Permissioned Media "trojan" from users at work (which will still install even if you decline the Software Install prompt at the warning), I decided to look around the Net for ways to block it. I stumbled across Symantec's listing of the "trojan", which provided a list of IP addresses.
So I set up outbound deny rules on the firewall for those IP addresses and DNS servers related to Permissioned Media. That stopped the problem until they started to host the download off of other IP addresses and servers... so I went back to the SARC document and added the new IP addresses to the block list. For two weeks, I checked the page twice a day to see if the list changed. Since then, the problem stopped.
As far as HotBar is concerned, I set up the internal DNS caching server to be authoritative for the hotbar.com zone and pointed it to a non-active IP in the local subnet. That fixed much of the problem of people installing it...
:) -
We did this to ourselves
That's right, it's not just DSL as the article title suggests. It's broadband. You know what broadband is, it's a high-speed network of misconfigured proxies, infected Windoze boxes, and Denial of Service agents.
IMO too much time is spent ranting about how Tha Man is keeping the $30/mo broadband user down by not allowing the minority who know how to run a secure server to use their residential line as a commercial line. We should be putting a hell of a lot more energy bitching about the masses of clueless users who randomly click on any email attachment they get, set up their P2P apps in slut-mode, and otherwise connect to the Internet in such a way that they become:
- just another hop for viruses to propagate through
- just another misconfigured AnalogX proxy or Lovgate infected SMTP/NNTP open relay
- just another DDoS drone host
It's a myth that spam only comes from networks in Asia that don't give a damn. It comes from Ma and Pa's Windows 98 box that got infected with one of several variants of Lovgate and helps spam the planet, all from their speedy little DSL/cable connection.
Before the /. community jumps down AOL's throat at this carpet-bomb tactic, we need to realize that it is a business response to the realities of security on broadband networks. If users took responsibility for their connections and had good firewalls, anti-virus and intelligent email practices then this problem probably wouldn't exist. -
Re:Celebrate by converting people
I call double bullshit!
Symantec seems to think differently than you as to how nimda spreads itself.
-
PCAnywhere ?
I used PC Anywhere (under Windows 2000) for a few years, and it's a good product.
You can access a remote PC, but also transfer files. It uses an efficient compression method, and can use encryption. -
Anyone have any real information?
This is news for nerds after all! A little bit of research on my part has revealed the following:
- DNS servers for aljazeera.net are
ALJNS1SA.NAV-LINK.net. 172800 IN A 217.26.193.15
NS3.aljazeera.net. 172800 IN A 213.30.180.218
Neither DNS server can be accessed or pinged. A traceroute to 217.26.193.15 bombed out very close to home as unreachable (5th hop, still in my ISP). A traceroute for 213.30.180.218 got to Paris, then to an unknown location on the same network and then it made three jumps to IPs and got stuck! It ended at (s/star*/*/, damn lameness filter)
12 2547 ms 2543 ms 2359 ms so-1-0-0.mp1.Paris1.Level3.net [212.187.128.41]
13 3124 ms 2295 ms 1919 ms unknown.Level3.net [212.73.240.71]
14 2078 ms 2735 ms 3383 ms 212.73.242.66
15 2377 ms 2263 ms 2262 ms 213.30.129.210
16 2359 ms 2479 ms 2327 ms 213.30.128.126
17 star* star* star* Request timed out. ...
100 star* star* star* Request timed out.
- netcraft's report shows up two IP addresses and two netblock owners for www.aljazeera.net (either constantly changing or more likely load-balancing). The netblock owners are French Navlink for 217.26.193.10 and Horizons Media and Information Services Private Residence Hoboken NJ 07030 US for 64.106.198.10, though this IP was registered to ARIN until the 21st March. Both are running IIS/5 and it looks like they've been doing things daily from the 20th-25th March. Both IP addresses are unpingable. The 217 address also drops at one of my ISP's boxes on a traceroute, while the 64 address gets dropped at a Verio IP in London.
- The whois record for aljazeera is a little strange (Jazeera Space Channel, hotmail address and PO box?).
Symantec have an incredible list of recent threats (I was stunned how long it was). 6 were discovered since the 24th of March including 3 backdoors. Is it reasonable to think that this could simply be a virus/worm/backdoor based DOS?
-
You are right. Bernhard Warner are you listening?
Bernhard Warner, would you please specify what kind of computers are being broken? There's no such thing as a general "email-based worm". Would it be too much to ask for you to point out that this worm only affects Microsoft operating systems? Instead of writing,
The worm spreads by sending itself to e-mail addresses on an infected machine and tries to disable anti-virus and other security software and infect certain files on the hard disk.
you could have said
The worm infects Microsoft operating systems newer than version 3.1. It mails itself to e-mail addresses it finds, tries to disable anti-virus and other security software, and infects files.
Credit should be given where credit is due. Many of those who work on software that is not so full of holes resent the popular equations PC=Microsoft and PC=buggy/insecure. Also, users of newer Microsoft operating systems should be alarmed so that they might defend themselves. Not everyone has time to look up the Symantec warning.
It would also be nice to know what kinds of servers are being defaced.
-
Re:So? Microsoft Windows 2000 complies with CC EAL
Number of Windows related viruses over the years...
Too many to count
Cost due to Windows server based attacks on a global scale...
gazillions
Number of Linux viruses released to the masses...
1 maybe 2
The cost due to a Linux virus on a global scale...
0 USD.
The price for a Linux admin's good night's rest because he/she doesn't have to worry about security attacks? Priceless...
For everything else, there's a CC EAL4 cert, Symantec or Norton. -
gdisk (non-Linux, but still kicks fdisk's ass)
gdisk isn't Linux-based, but it deserves mention anyway for some of the fdisk limitations it gets around:
GDisk provides some capabilities that FDisk does not -- such as on-the-fly formatting -- and provides a safer alternative in situations in which known problems with FDisk can cause data loss and hardware damage.
- Performance: GDisk is command-line driven and much quicker than FDisk. It allows you to define standard configurations in a batch file and apply them to multiple computers.
- Disk space: GDisk uses disk space better. It is more aggressive in finding free space on the disk for new partitions. In virtually every case it will find space that is ignored by FDisk (this space can vary between 0.5 MB and 16 MB). GDisk reduces slack space (disk wastage). GDisk is more aggressive than the FORMAT utility provided with Windows 95 in attempting to keep cluster sizes small. For some partition sizes, GDisk is able to format partitions with cluster sizes that are half the size that FORMAT would select, resulting in an effective 10-35% increase in drive capacity.
- Partition management: GDisk allows you to hide partitions, so you can have more than one Primary DOS partition with different versions of DOS or Windows in each partition. Normally, it is not possible to have more than one DOS or Windows installation on the same computer. The ability to hide partitions allows the computer to boot into any selected bootable partition, ignoring other installations of the same operating system in other partitions.
- Avoid known FDisk problems: The FDisk supplied with Windows 95 has a problem that can create overlapping partitions that will almost certainly lead to corruption of existing partitions. The same problem can also result in partitions that extend past the end of the disk, which can cause permanent damage to the drive when the partition is formatted. This is the one situation in which GDisk does not imitate the exact behavior of FDisk, even with the compatibility switch turned on. The FDisk supplied with Windows 95 has a problem in which it is not possible to delete newly created partitions if the provisionally assigned drive letter to the new drive matches a drive letter currently assigned to a CD-ROM device. GDisk allows the partitions to be deleted even if the new drive letter is currently assigned.
- Diagnosis: GDisk is useful as a diagnostic tool. It performs extensive integrity verification checks on the partition tables before performing any operations on the drive. GDisk can display the partition information in a raw cylinder/head/sector format. This may be of use to technicians investigating problems with a computer's partition table.
- DoD specifications: GDisk.exe conforms to most current US Department of Defense (DoD) specifications.
The switches and batches are awesome:
- Display partition information (/STATUS)
- Create a partition (/CRE)
- Delete a partition (/DEL)
- Activate or deactivate a partition (/ACT and /-ACT)
- Hide or unhide a partition (/HIDE and /-HIDE)
- Reinitialize the master boot record (/MBR)
- Wipe the disk surface (/DISKWIPE)
The batch mode switch, /BATCH, allows GDisk to perform multiple operations with a single command. The operations can be specified interactively at a DOS command-line, or they can be supplied in advance in a text file. -
Re:reply
>That's why I run this.
-
Re:Collateral damage
Symantec has an explanation page here
-
Manhunt
Symantec Manhunt (formerly Recourse) is a commercial IDS which kicks the crap out of every other IDS I've ever used. It runs on Solaris (or Windows for the foolhardy) and looks for traffic anomalies. You can compile in snort rules for it to check against and it just flies. It will correlate events from multiple sources or Manhunt nodes and can reconfigure your routers in real time to block DoS attacks. I don't work for Symantec and don't like most of their tools, but buying Recourse gave them a slick IDS.
-
Re:Slammer affected Servers
[...]but keep in mind that Slammer affected SQL Server 2000, which isn't usually running on a desktop machine.
From the Symantec Website: "W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000." So, yes, it often runs on the desktop. -
Symantec lies
Symantec has a bad history of not telling current customers about their viruses. When they discover a virus, they first take a few days to figure out a fix, and when they find a fix...THEN they announce it as "Discovered". Sure makes them look good when they claim to discover and fix most viruses the same day.
I saw this first hand. When Opaserv variants were coming out almost weekly last fall, Symantec was very slow to acknowledge their existence. A few people I know sent them executables of a new variant on October 19. Finally, on October 23, they announced they "Discovered" it...4 DAYS AFTER WE SENT IT TO THEM! Those Symantec liars didn't even tell us that they discovered it, but they're working on a fix. No, they sat on the virus for 4 days! (Want proof? Check out Symantec's Oct 23 discovery day for brasil.pif, here, and compare that with the Oct 19 date that many of us first noticed that virus on this discussion site here.) And of course, following true to Symantec policy, they claimed to have released a fix either the day of discovery or the next day...to show they're working hard for their customers.
Stupid liars.
-
From the Symantec Web Site
From the Symantec Web Site:
For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised. This combination of comprehensive up-to-the-minute attack data combined with effective solutions, patches, and countermeasures enable corporations to protect information infrastructure while avoiding downtime and lost productivity.
It sounds to me like a Tech Security company trying to boost sales of their new Threat Management System and Alert Services by stretching the truth. And we all know the sales and marketing folks would not blink an eye at fudging facts to sell their products.
Does this mean Symantec had anything to do with the Slammer virus (as Michael alluded to), I don't think so (and honestly to make an accusation like that is just plain ignorant).
Just my take. Now let the negative modding begin. -
Re:Holy cow! Even SYMANTEC agrees?!?!?
What I think is really interesting is that SARC's own advisory about SQL Slammer says that Norton AntiVirus virus definitions will never be able to detect this threat because it exists only in memory and never tries to write itself to any disk. Simply put, it comes in over an open port, and then uses the exploit to get itself into RAM. Once in RAM, it's too late to do anything, the worm owns the box.
They then proceed to show how this worm can be blocked using Symantec's line of firewall products, and offer a free removal tool for people who already know they have an infected machine... but it seems very clear that Norton Antivirus alone is not going to protect you from this threat. -
Re:Who the heck wrote this?
I had the same thought. It reads like a Tom Clancy novel. I wondered, "Gee, w32.leaves.worm must be a pretty serious threat from the sound of it." Then I read this. Feh.
btw the author was Shane Harris. -
W32.SQLExp.Worm
-
Re:Uhh... this is what you DON'T want to do
I have to agree that all of those applications will become your next best friend, if you're supporting a bunch of workstations (50+). I would also add Ghost and Altiris LabExpert to the list, as two other very good products. These two products may be slightly better for a non-profit company, however, as they generally cost less money.
-
Re:Cloning
However, Microsoft's EULA prevents a user from doing this, even if they have 20 copies of Windows.
Surely this isn't correct... is it?
I'm afraid it is, but companies/schools/everyone ignores this all the time with products like Norton Ghost or PQDI.
With NT4 and 2K Ghost Walker (or some other tool) was also required to make sure your cloned machines had different sids (I'm not sure if that is still true with XP).
At every company I've ever worked all desktop windows boxes are made from one of these cloning programs, so it can't be that illegal, right
:) -
Re:This is as it should be
Coincidentally Symantec also has a honeypot product.
-
A funny Trekkie comment...
Someone asked me this and I laughed, "My question is, do they have a captain's chair where a Symantec security officer can casually command the launching of electronic countermeasures?"
:) -
Re:And how many
Meanwhile, my GNU/Linux box routinely has crackers (unsuccessfully) attempt to do some well-known Apache exploits or attack my mail server.
Sure those aren't just the automated worms that make use of old, known flaws in those packages? There's plenty of things like Linux.Slapper.Worm, Linux.Lion.Worm, Linux.Adore.Worm and Linux.Ramen.Worm which actively seek out vulnerable systems to infect. Just like on Windows, the biggest security hole exploiter has got to be worms and viruses. -
Re:Opaserv exploited one
Yeah, the guy's obviously making it up.
And since it doesn't exist, there's no reason for MS to release a patch to fix the vulnerability, right?
Obviously, you're intelligent and checked Google before flaming away. -
Re:Opaserv exploited one
Sorry, you might want to check your sources, as NO virus to my knowledge has or will be able to destroy a hard drive or BIOS on the physical level. Yes, it may rewrite sectors and the like, but no damage to the drive other than wear and tear: Your lesson on OpaServ
-
How long before...
we see a worm exploiting this, remember the last worm that was executed without even opening a file.
-
Value? what value?
-
DOS has some life yet.
DOS did little more than provide a way to execute programs, and a way for programs to get at the hardware. That's exactly why I liked it. I used DOS exclusively for a long time. (Sorry - I didn't have a *NIX at my disposal) I didn't start using Windows 3.1 until Windows 95 was gearing up for OSR2. I had to switch to a GUI because I just had to try this "web browser" thing I kept seeing on BBSes for download. Did anyone ever have DOS freeze up the computer? I mean DOS by itself, without anything else running? Even Linux, my OS of choice, can do that. And Windows is known for it.
Anyway, the whole reason I wrote this is to say that as long as I still have a use for Ghost, I will still have a use for DOS. -
snort and intruder alert...
a company i used to work for used symantec's intruder alert on the inside of our network monitoring our servers and snort outside of the firewall in a dmz monitoring traffic going to the firewall.
-
EROS / EAL4
On one hand it seems interesting that one can potentially have something that "can be built to do exactly what it should and no more" but with that comes the problem (headache perhaps?) of the reauthorization of every new executable/binary/process etc. that was not initially thought up during the install process. Now with persistent processes, what if one "allows" a program that is initially thought of as secure, then it is discovered that it has a horrible bug that compromises the system? Does it stop the unwanted processes, or does it allow them because the permission is already set to, with the idea in mind that if you think something is secure, it is.
Although a good idea, it can also stop one from doing some interesting things, for instance, using your web browser to look at pictures. You can easily use a Picture editing program like Gimp to view it, or you can use an image previewing device, which both are made to look at pictures, or your web browser, which is made to look at information in general that is online, but not necessarily used to preview pictures.
Now with EAL4, that is equal to Symantec Enterprise Firewall (Which of course means crap if you know the flaws that are within the coding structure)
But it means EAL4 requires more thorough design description, a subset of implementation, and improved mechanisms and/or procedures that provide confidence that the TOE will not be tampered with during development or delivery
That leaves the impression that as long as only the developers and the beta testers have it, it could be rated EAL to the highest power... even after all the flaws are discovered.
Moot point..
Of course I am probably not seeing the whole picture, and am totally wrong... -
Re:porn
He needs to stay on Windows because all the porn trojan viruses are only for IE and Windows.
-
Re:Halloween reading for geeks
Symantec appears to be running a scary Halloween special as well...
Oh, and this place is much scarier than any graveyard.