Slashdot Mirror


1 Year Anniversary of Nimda Outbreak

dots and loops writes "Today marks one year to the date that the nimda worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 klez virus's a day! Yay Security!

23 of 289 comments

  1. One year, and still.. by molo · · Score: 3, Funny

    It's hard to believe that it's been one year and I'm still getting scans on my Apache server. Are there really that many braindead admins??

    --
    Using your sig line to advertise for friends is lame.
    1. Re:One year, and still.. by digitalsushi · · Score: 3, Insightful

      But how many of these machines are run by admins? (definition of admin being a professional)

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:One year, and still.. by frank_adrian314159 · · Score: 4, Insightful
      It's hard to believe that it's been one year and I'm still getting scans on my Apache server. Are there really that many braindead admins??

      Actually, almost all of mine are coming from individual subscribers coming through big DSL-/Cable-based ISPs like RoadRunner, SW Bell, etc. For each incident, I fire off E-Mail to their security departments, giving times, IPs, etc. (I have a set of log scanning scripts that generate them automatically. How's that for geekiness? No, you can't have them. They suck. That's high in geek factor, too :-). I've seen NO action taken by them. What a bunch of lamers. Do they really think their customers want to be infected and spew out into the net? The issue is that, really, as long as that $50/mo. comes in, they don't give a rat's ass.

      The smaller DSL ISPs are usually on the job, though. They give me a small amount of hope.

      --
      That is all.
  2. our office got it. by snatchitup · · Score: 4, Funny

    We had just brought in a bunch of dot-com reject sys admins.

    Suddenly you hear everyone talking about the NAMBLA virus. Seriously, it was a spoonerism, or whatever. But everyone was running around blaming NAMBLA. Finally we realized it was NIMDA.

    Turns out there was a dude that got smoked out because he had kiddie porn on his PC. We just fired him.
    But if it weren't for this virus, we wouldn't have had the witch hunt that found this perv.

  3. Still kicking by JediTrainer · · Score: 5, Informative

    If anybody is interested, I developed WormScan last year, which is a Java-based program (GPL) that can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions). It detects Nimda and CR1+2 out of the box. It's easy to add your own entries to scan for.

    According to my logs (please be gentle), I was hit 650 times yesterday.

    Shameless plug, yes. But it does the job and the users of WormScan seem to be pretty happy with it, judging from the emails I've gotten so far.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
    1. Re:Still kicking by pclminion · · Score: 5, Funny
      If anybody is interested, I developed WormScan [freshmeat.net] last year, which is a Java-based program (GPL) that can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions).

      I think I've heard of a similar program before. I might have even used it... Hmm, what was that program?

      Oh, yeah! grep

      (sorry man, I'm just pokin' fun)

    2. Re:Still kicking by laserjet · · Score: 3, Funny

      Will you guys stop clicking his link? I am trying to download his program. Right now at a steady 0.6 KB/s because of all you bastards.

      He said be GENTLE. Usually slashdotters are really gentle with links to servers, but today, why must everyone be so rude? One at a time!

      Thanks.

      --
      Moon Macrosystems. Sun's biggest competitor.
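Added example for comment 3 above (not part of the thread and not WormScan's own code): a small regex-driven Apache log scanner of the kind the post describes, run over constructed common-log lines. The source addresses are RFC 5737 documentation ranges, the request strings are the standard Nimda (root.exe / cmd.exe / %255c traversal) and Code Red (default.ida) probes, and the per-source summary is the sort of data the abuse reports in comment 1.2 need.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache common-log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Sep/2002:09:12:01 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [17/Sep/2002:09:12:01 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [17/Sep/2002:09:12:02 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [17/Sep/2002:09:12:02 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [17/Sep/2002:09:15:44 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 289
198.51.100.7 - - [17/Sep/2002:09:15:45 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 289
203.0.113.5 - - [17/Sep/2002:09:20:00 +0100] "GET /index.html HTTP/1.1" 200 1043
"""

# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Name/regex pairs, checked in order; extend the list the same way for new worms.
SIGNATURES = [
    ("Nimda", re.compile(
        r"/(?:scripts|MSADC)/root\.exe|/winnt/system32/cmd\.exe"
        r"|%255c|%c0%af|%c1%1c|%c1%9c", re.I)),
    # Code Red v1 padded with N, v2 with X; require a long run to avoid false hits
    ("CodeRed", re.compile(r"/default\.ida\?[NX]{20,}", re.I)),
]


def classify(request):
    """Return the worm name whose signature matches the request line, else None."""
    for name, rx in SIGNATURES:
        if rx.search(request):
            return name
    return None


def scan(lines):
    """Count worm probes overall and per source IP."""
    by_worm = Counter()
    by_source = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line (truncated, garbage); skip rather than crash
        worm = classify(m["req"])
        if worm:
            by_worm[worm] += 1
            by_source[m["ip"]][worm] += 1
    return by_worm, dict(by_source)


def abuse_summary(by_source):
    """One line per probing host: the minimum an abuse report needs."""
    return [f"{ip}: " + ", ".join(f"{w}={n}" for w, n in sorted(c.items()))
            for ip, c in sorted(by_source.items())]


if __name__ == "__main__":
    worms, sources = scan(SAMPLE_LOG.splitlines())
    print(dict(worms))
    print("\n".join(abuse_summary(sources)))
```

Feed it a real access_log with `scan(open("access_log"))`; the regexes are deliberately narrow, so a 404 for /index.html is never counted, and the Code Red rule demands a long run of padding so that an ordinary query string containing an N or X does not trip it.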
  4. Slapper by Dynamoo · · Score: 3, Informative
    Aww heck I hadn't realised Nimda was a year old.. maybe it's not a coincidence that Slapper is gearing up a huge P2P Apache-based worm for something.. maybe today?

    Where did I put my hard hat? I think I might be needing it.

    --
    Never email donotemail@WeAreSpammers.com
  5. Nimda? by Second_Derivative · · Score: 3, Insightful

    I'm still getting nailed by Code Red. Weird how something can survive for two years without touching a single permanent storage device.

  6. Slashdot uptime = 1 year by msheppard · · Score: 5, Funny

    And it's probably no coincidence that slashdot stats report 365days uptime today.

    M@

    --
    Krispy Cream is people
  7. NIMDA the sysadmins friend :-s a little anecdote by fruey · · Score: 5, Interesting
    Oh... first of all, it's viruses. Not virus's... what the hell is that?

    I was working on a project to set up a proxy (Squid, in fact) for an educational institution here in Morocco. If you think US sysadmins could get some clue, think again. I noted they were running NT Workstation Service Pack 3 (lol) and I was already sweating. I set the proxy up as the gateway, to make it transparent, and started the service. Within 10 minutes the log file had grown massive. I tweaked a few params, and then left it running, saying I'd come back the next day.

    The client calls me first thing, saying my proxy is shit, doesn't work, etc. I turn up in a panic, thinking I'd messed something simple up. Then it dawned on me... seems like most of the hosts on the network were infected with Nimda (amongst other things). The logfile had exceeded 2 GB and had crashed the service (it had filled the /var partition completely). It was logging 100 Nimda scans a second.

    This was just about 3 months ago. The sysadmin didn't even really know how her DHCP server worked, and had no service packs anywhere. The only reason sp3 was some places was because the NT CD had been bought just before Win2K came out, and SP3 was bundled with a sticker "make sure you install this too".

    Explaining to the client that all the hosts were infected, that they seriously needed an antivirus solution, and that all machines would have to be taken offline (they had public IPs for chrissakes) until the disinfection was finished was a tough thing to do without just flaming that person, I assure you. We did get them sorted out in the end, but somehow they still think my proxy isn't worth shit :-(

    --
    Conversion Rate Optimisation French / English consultant
  8. Hrm by Alizarin+Erythrosin · · Score: 3, Insightful

    Why is it every time there's an addendum or update on a worm/virus report that Taco has to remind us how much crap mail he gets?

    --
    There are only 10 kinds of people in this world... those who understand binary and those who don't
  9. The most long-lived virus/worm/trojan? by burgburgburg · · Score: 4, Interesting
    CmdrTaco writes that he's still getting multiple Klez viruses after all this time. That begs the question: what has been the most long-lived virus/worm/trojan so far?

    That question should probably be broken down into two parts: a) What virus/worm/trojan, as originally written, has been present in the wild for the longest? b) What virus/worm/trojan, through slight adjustment, has been able to keep coming back infecting and reinfecting for the longest?

    1. Re:The most long-lived virus/worm/trojan? by mblase · · Score: 4, Funny

      That begs the question: what has been the most long-lived virus/worm/trojan so far?

      That's easy -- MAKE MONEY FAST!

    2. Re:The most long-lived virus/worm/trojan? by Telastyn · · Score: 4, Funny

      a: Outlook
      b: Win95-ME

      Note: I am an NT admin in trade, and make such comments (mostly) in jest.

  10. A limerick suiting this topic... by Chagatai · · Score: 5, Funny
    Nimda, Klez, and Red
    Whilst fornicating in bed
    Felt something new
    Saying, "Melissa, is that you?"
    And found Bill Gates naked, instead.

    --
    --Chag
  11. Cease and Desist by DrSkwid · · Score: 3, Funny


    Dear hikeran,

    It has come to our attention that you published a portion of our copyrighted material. Namely the lyrics to the popular [but copyrighted] song: 'Happy Birthday To You'.

    We would ask that you refrain from repeating this action and ask that you make the best effort to remove such violations made by you.

    Should this matter be brought before us again we will demand a license fee payable to Warner Brothers.

    The work has been subject to copyright laws since 1935 and doesn't expire until 2012.

    For more details see here

    Thank you,

    Daffy & The Guys

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  12. Still getting hit by rossz · · Score: 5, Informative

    No doubt in celebration of the birthday, I got a number of nimda hits this morning.

    # mount options have to follow -o; username=guest is an assumption, the
    # post only gives the empty password
    mount -t smbfs -o username=guest,password= //xx.xx.xx.xx/C$ /mnt/dork
    vi /mnt/dork/boot.ini

    Change the boot delay to some huge number and the boot message to "Run a virus scanner, asshole".

    umount /mnt/dork

    --
    -- Will program for bandwidth
  13. Re:How to block Klez emails from my mailbox? by Draoi · · Score: 4, Informative
    Replying to the senders (the From: address) won't work, 'coz it's forged. Klez pulls email addresses from the victim's address book/inbox and uses them for the 'from'. You have to look deeper into the headers to find the culprit.

    Here's one I just got:

    From: webmaster <webmaster@msn.com>
    Date: Wed Sep 18, 2002 15:03:16 Europe/Dublin
    To: webmaster@christymoore.net
    Subject: User code here
    Return-Path: <tony_XXXXXXXX@oceanfree.net>
    Received: from bubble.oceanfree.net ([212.2.162.35]) by ddandd.com (8.11.6/8.11.6) with ESMTP id g8IEADp05002 for <webmaster@christymoore.net>; Wed, 18 Sep 2002 15:10:13 +0100
    Received: from [193.203.147.182] (helo=Qrxy) by bubble.oceanfree.net with smtp (Exim 3.33 #3) id 17rfQB-0002p3-00 for webmaster@christymoore.net; Wed, 18 Sep 2002 15:03:16 +0100
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundary=Z0z7O8r66243H01338eADBxj05jJ7LLMnHZ85
    Message-Id: <E17rfQB-0002p3-00@bubble.oceanfree.net>
    Status:
    Attachments: There is 1 attachment

    Do you think this was sent by webmaster@msn.com? (I hear the jokes now!). In this case, the Return-path actually contained the victim's full mail address, which I've mercifully blanked ...
    --
    Alison

    "It is a miracle that curiosity survives formal education." - Albert Einstein

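Added example for comment 13 above (not part of the thread): a Python script that does the "look deeper into the headers" step the post describes. It parses the Received: chain with the standard library, walks from the line our own MTA wrote towards the oldest one, and stops wherever a line's "from" host is not the host that wrote the next older line, since anything below such a break could have been typed in by the sender. The sample headers are a constructed raw-header form of the message quoted in the post (the masked Return-Path is left as the poster gave it); the second, forged sample and its example.com/example.net hosts are constructed for the test.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw-header form of the Klez message quoted in the post above.
SAMPLE = """\
Return-Path: <tony_XXXXXXXX@oceanfree.net>
Received: from bubble.oceanfree.net ([212.2.162.35]) by ddandd.com (8.11.6/8.11.6) with ESMTP id g8IEADp05002 for <webmaster@christymoore.net>; Wed, 18 Sep 2002 15:10:13 +0100
Received: from [193.203.147.182] (helo=Qrxy) by bubble.oceanfree.net with smtp (Exim 3.33 #3) id 17rfQB-0002p3-00 for webmaster@christymoore.net; Wed, 18 Sep 2002 15:03:16 +0100
From: webmaster <webmaster@msn.com>
To: webmaster@christymoore.net
Subject: User code here
Message-Id: <E17rfQB-0002p3-00@bubble.oceanfree.net>

(body omitted)
"""

# Same message plus a bogus "oldest" Received: line of the kind a sender can
# write itself (constructed; documentation hosts).
FORGED = SAMPLE.replace(
    "Message-Id:",
    "Received: from mail.example.com ([10.0.0.1]) by relay.example.net "
    "with SMTP id 1; Wed, 18 Sep 2002 14:00:00 +0100\nMessage-Id:",
)

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)", re.S | re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)", re.I)


def parse_hop(value):
    """Pull the 'from' host, bracketed IP, HELO name and 'by' host out of one Received: value."""
    m = HOP_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m["from"] + m["extra"])
    helo = HELO_RE.search(m["extra"])
    return {"from": m["from"].strip("[]"), "by": m["by"].strip("[]"),
            "ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None}


def trace_origin(msg):
    """Received: lines are prepended, so the first one is our own MTA's.
    Walk towards the oldest line only while each line's 'from' host is the
    host that wrote the next older line; the last line reached that way is
    where the mail really entered the relay chain."""
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    if not hops:
        return None
    origin = hops[0]
    for newer, older in zip(hops, hops[1:]):
        if newer["from"].lower() != older["by"].lower():
            break  # chain broken: older lines are untrusted
        origin = older
    return origin


def analyse(raw):
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    origin = trace_origin(msg) or {}
    return {
        "claimed_from": claimed,
        "envelope_sender": envelope,
        "sender_domains_differ": claimed.rpartition("@")[2].lower()
        != envelope.rpartition("@")[2].lower(),
        "origin_ip": origin.get("ip"),
        "origin_helo": origin.get("helo"),
        "first_relay": origin.get("by"),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

`first_relay` is the ISP host to send the abuse report to and `origin_ip` is the subscriber behind it; the From: address plays no part in either. The chain check is a heuristic: MTAs write the "from" host in several shapes (HELO name, reverse DNS, bare IP), so on some legitimate mail it stops one hop early rather than follow a line it cannot vouch for.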
  14. The solution by Mr_Silver · · Score: 3, Insightful
    It would appear that Taco doesn't read postings on Slashdot, even the ones modded +5.

    Anyway, here is it again for Taco:

    Put this in your .procmailrc file:

    :0 B
    * Content-Disposition: attachment
    * name=.*\.(com|exe|pif|scr|bat|lnk|shf|vbs)
    {
    # Stick it somewhere. The inner recipe has no conditions, so the B flag
    # does nothing there, and a ':' lockfile is pointless for /dev/null.
    :0
    /dev/null
    }

    Of course, this is a bit drastic by throwing every file that ends in that type into the bin, so you may want to replace it with something like /home/username/mail/viruses

    Finally (and this bit is especially for Taco) you will probably need to have a .forward file with the following in it:

    |/usr/bin/procmail

    Once you've done that, then finally we'll never hear again from you how many viruses a day you can get.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
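Added example for comment 14 above (not part of the thread, and not a replacement for procmail): the same extension check done with Python's email module, so that the decision can be tested against sample messages before it goes into a delivery path. It uses the recipe's extension list as given. The two messages are constructed; the first declares its executable only through the Content-Type name= parameter and carries no Content-Disposition header at all, so the recipe's first condition would never see it, which is the caveat the example is there to show.

```python
from email import message_from_string

# Extension list taken from the procmail recipe above.
DANGEROUS = {"com", "exe", "pif", "scr", "bat", "lnk", "shf", "vbs"}

# Constructed test messages (not real mail).
MSG_EXE_BY_NAME = """\
From: webmaster <webmaster@msn.com>
To: taco@example.com
Subject: User code here
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>hi</body></html>
--b1
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""

MSG_PDF = """\
From: alice@example.org
To: taco@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

see attached
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def attachment_names(msg):
    """Every filename a MIME part declares. get_filename() reads the
    Content-Disposition filename= first and falls back to Content-Type name=,
    so a part with no Content-Disposition header is still seen."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def is_dangerous(filename):
    """Decide on the final extension, case-insensitively, after stripping
    trailing dots and spaces. 'readme.txt.exe' is caught; 'holiday.exe.jpg'
    is not, unlike the recipe's unanchored regex, which bins both."""
    base = filename.strip().rstrip(". ").lower()
    ext = base.rsplit(".", 1)[1] if "." in base else ""
    return ext in DANGEROUS


def verdict(raw):
    """Return ('quarantine', [offending names]) or ('deliver', [])."""
    msg = message_from_string(raw)
    bad = [n for n in attachment_names(msg) if is_dangerous(n)]
    return ("quarantine", bad) if bad else ("deliver", [])


if __name__ == "__main__":
    print(verdict(MSG_EXE_BY_NAME))
    print(verdict(MSG_PDF))
```

Note that the declared Content-Type (audio/x-wav here) is ignored on purpose: only the filename decides, because the type header is whatever the sender chose to write.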
  15. Re:Nimda by Mandi+Walls · · Score: 5, Interesting
    See F-Secure for the current infection of the slapper worm, 5 days after discovery. Infected servers: < 14,000 total, according to them.

    Now, this report from Sep. 21, 2001 reports 1.3 million infected NIMDA servers.

    Help me out here.

    Where is the comparison? I'm still wading through NIMDA/Code Red requests on my webservers, looking for any sign that those servers have been poked by slapper infected servers. No dice so far.

    Slapper is generating panic because it's got a peer to peer network on the backend, not because it's actually been able to infect a lot of servers. Can you imagine what would happen if someone wanted to start a p2p network on the NIMDA/Code Red infected servers that are still online now? To say NOTHING of the 1.3 million and up that were infected originally.

    Slapper is a silly excuse for some "Open Source Sucks" journalism, not a reason to head for the hills and unplug the router.

    So here you go:
    [chastise]
    Oh, you lazy stupid 14,000 linux/apache admins! patch your servers!
    [/chastise]
    [screaming rant]
    it's been a year! get that "guy who knows computers" who put that shiatty NT server on the net for you to get back in your office and put some patches on it! give him a beer for pete's sake!
    [/screaming rant]

    Thank you.
    --mandi

  16. Re:our office got it. by Mononoke · · Score: 3, Funny
    Hmm...Am I the only one who finds it ironic that both the North American Man-Boy Love Association (NAMBLA) and kiddie porn are mentioned in the same post?
    Like rain on your wedding day?

    --
    NetInfo connection failed for server 127.0.0.1/local
  17. Re:Macs by Mononoke · · Score: 3, Funny
    Yup. Nimda: Just another app that won't run on Macs.

    I do like being able to safely open all the interesting attachments Klez sends me. Interesting and funny stuff in there from time to time.

    --
    NetInfo connection failed for server 127.0.0.1/local