Slashdot Mirror
When Will The Next Slammer Strike?
scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."
The same MS that didn't apply their *own* patches ?!?
Hmmm...
oh, wait, that's a different effect.
It's seems to be every 3 months or change of season. I'm betting on am IIS bug in March.
...why ATMs were affected? I've seen this mentioned in a few articles but I didn't think banks would use the Internet to connect ATMs on their systems.
Then when they leave things unpatched and it happens again, you can yell, RTFM! STFU, Newb!
If they ever catch the guy that did this, I'm sure the news will give us all the "let's throw him in the Slammer" puns we can stomach.
I think we ought to make virus-protection code public and government funded.
I know way too many people who can't afford 50 bucks on a virus scanner or decent firewall software in College, and I saw Nimda infections up until the end of last year.
If people could get this type of thing for free - money that would ultimately ensure the safety of the net at large - I think it should be done.
The scariest thing is actually that this kind of damage is being done by a worm that doesn't actually do anything except spread itself (as far as I know, anyway).
Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)
I believe posters are recognized by their sig. So I made one.
Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high.
Wow, even SARC's director thinks a worm attack is likely? If someone that unbiased thinks so, I'd better upgrade my antivirus software now!
I'm glad there's a "Post Anonymously" option--I only wish the "Post Posthumously" option were still there.
Too many lazy admins out there so people should counter the bad worms with good worms. Yep its not that ethical at all but it has got to be better than crossing your fingers.
If people at least patch their system, things like this should never happen, but Microsoft should have made that secure in the first place to prevent this from happening. Face it, if someone can create a worm somehow causing all host/computer connected to send out 300 odd bytes to any random port to any random ip every millisecond or so, the net itself will be full of noise.
Or you can just physically locate all the major routers/backbone of the net and somehow disable it, physically... yeah, you, get up and demonstrate how vurnerable the net is!
Please direct all bug reports to
When is the next Microsoft product being released?
alias uptime="echo '5:33pm up 22342352324 days, 6:28, 2124315623 users, load average: 2432.40, 12312.31, 123123.19'"
In my opinion, there are two ways that people will react to the problem of exploits in computer software:
In the short term, I expect that the most recent attack will provide a huge sales boost to pre-packaged "security solutions" like firewalls, virus protection, etc. and will probably be used as an extra card that the government can play when arguing for implementing a comprehensive Internet monitoring system. Of course, both of these things are unfortunate, as neither one promotes security and the latter gives the government way too much power . . .
Long term, the best protection against exploits in computer software is a shift in attitude about where software companies should place their priorities. At present, it is more lucrative for companies to push a piece of software out the door and sell upgrades than to spend extra time developing secure software. Only a strong fiscal mandate from corporate customers will change the way software companies do business . . . and I hope that mandate comes soon.
This is like stating the folks at a ballgame that bought popcorn, instead of the Hotdogs everyone got food poison from were affected as well due to restroom crowding. Shesh
Help fight continental drift.
It's just the problem of monocultures! Nothing less and nothing more...
My spirit takes a journey through my mind...
It isn't the Internet that is vulnerable, it is Microsoft products which are vulnerable. Those products in turn affect other systems due to the sheer number of computers running MS products. Start holding MS accountable for the bugs in their products and everyone benefits.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
MS products are too buggy for the internet. Even when MS comes out with patches sysadmins are extremely reluctant to apply them (even at Microsoft) in fear that the patch will cause more problems (ie BSOD) than it fixes. Remember Microsoft got hit by Slammer hard because it didn't install its own patches. Was Microsoft waiting for customers to beta test thier software before they even tried it themselves??? Plus the MS SQL server is not the only MS product that Slammer can infect......when are people going to hold Microsoft accountable for its lack of security and general poor coding??
"You helped our nation celebrate its bicentennial in 17 -- 1976." --George W. Bush, to Queen Elizabeth, Wash
This worm required rougly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.
I read that and my jaw just dropped.
This worm, from what I've read (these aren't my conclusions; I'm not that smart), did two very interesting things. The first is that it used one UDP to spread: no waiting around for the three-way TCP handshake, no hanging waiting for a reply, just send and move on to the next one. From what I understand, that's pretty new. Second, it caused most of its damage not by trashing filesystems or anything like that, but just by spewing *huge* amounts of traffic.
The first is interesting because as a tactic, it'll almost certainly be copied. The second is interesting because it probably won't be copied.
Well worth your time; it's fascinating -- and frightening -- reading. Get it here:
http://www.caida.org/analysis/security/sapphire
Carousel is a lie!
If we were to begin attacking either Iraq or North Korea, what amount of damage could they do by launching worms like this towards the US? Furthermore, what are the chances that they are busy looking for more exploits like this? After all, the US government does use a lot of M$ software.
Just my two cents though.
Give it about two weeks and everyone will forget what happened. Seems as though every time there is a net problem that effects 90% of the population it's big news and "a must fix problem." But we still have virii. Nothing has changed. So unless something is proposed in about 14 days, the masses will forget about it and it will loose it's panicy ferver that distrubing the masses unleashes.
Likelihood there will be another one: very high
Likelihood that it will affect a Microsoft product: pretty high
Likelihood that it will exploit a flaw that was fixed the summer before: almost certain
As far as i'm concerned those with low maintenence co-located servers should pay more attention to security bulletins so that when when a major patch does come out they can fix it, then when something does hit their several-year-old computer it won't be thrashed to death by modern worms.
, very well, thank you.
And not only that, nonprofits and edu can get the server version of Norton Anti-Virus for FREE from techsoup.com.
So it's doubly stupid that any college got hit.
The same MS that didn't apply their *own* patches ?!?
The problem that I have is, even though I don't run any Microsoft software, their incompetence keeps on screwing me around and costing me productivity.
I get hundreds of e-mail virii per day, owning partially to incompetent users, but also partially to incompetent Outlook programmers.
At the height of Code Red, I was getting hundreds of hits per day to my webserver.
That last worm effectively shut down portions of the Internet.
Now, here's the problem. If I'm driving down the road, and a Hyundai's brakes fail and cause it to run a red light and plow into the side of me, it'll piss me off, but it's a quirk, and shit happens.
If, every couple of months, a Hyundai's brakes fail and I get hit, pretty soon, I'll start to get very pissed off, not just with the idiots who drive Hyundais, but also with Hyundai itself.
This has gotten to be utterly ridiculous. We have to find some way of holding Microsoft accountable for their fucking ineptitude.
Fire and Meat. Yummy.
When pogs become the next big thing. Duh.
1. Put eggs in Microsoft basket
2. ????
3. Loss
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Who's to blame MS for making a patches that sometimes makes things worse and most sysadmins waits awhile before installing patches
Or is it all those sysadmins who didn't install the patch because of annoying reboots and problems with the new patch?
I fought the corporate America, and the corporate America bought the law.
I'm just about finished writing a new worm. Only problem is it has a giant elephant bug just sitting there squashing the whole damn program. Later on this evening I'll go elephant hunting with Ak-47 and a 30 round banana clip. Prepare to die Senor Elephant Bug.
Your fellow 133t HaX0r and Slashdotter,
David
If I told you, it wouldn't be a surpise.
I always liked the idea of releasing a worm that fixed the exploit it exploited, and then removes itself. I beleive someone did this in the past? But then I guess there's also the extra traffic it induces which'd be problematic in itself. Software vendors can't be expected to release perfect code all of the time (if ever), and people will always find bugs which can be exploited. I don't see any solution to this, other than the backup & recovery techniques.
Thing is, we're dealing with an industry (the IT industry) that does not have the safely regulations and standards common in older sectors. There is no standard saying what steps must be taken to prevent your own systems damaging others, and no regulatory body to enforce compliance. Worms like this are creating a pressure to bring IT into line with the more, hm, predictable business areas.
Over time, IT, like other industries, will move toward public safety standards such as we see in transport, manufacturing, finance, and all those *boring* businesses. It's a necessary part of the evolution of this industry from backrooms to ubiquity, I guess.
In 20 years time we'll probably see the government fining companies that don't patch their servers to a certain standard, just like we see airports and tire makers being fined now.
This just reinforces what I've been thinking for a while now... time to move away from IT iself and into IT law/management/business...
Whence? Hence. Whither? Thither.
Death of the Internet! Film at 11!
For all the publicity it gets, and tons of anecdotes that slammer really threw some places for a loop, it does seem that the system is pretty robust.
But OFFLINE BACKUPS seem to be more and more of a must. Slammer didn't have much of a payload, but something like this could, and any system your responsible for had better have plans...
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
Is that sometimes, its safer to wait to implement Microsoft patches and take your chances with a worm/virus...
As a NT admin.. I have to look at the odds... A worm might take down my operation - Frequency is about once every 3-4 months. Whereas I KNOW that half of the security patches will screw things up, and with new patches released about every week..I usually try to wait at least 2 weeks (a month if possible) before I apply any patches from MS.
Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
I thought the whole reason worm writers release their creations in the weekend is so they have the best chance to spread before systadmins wake up and realise what is happening.
If it WAS let out during business hours, whould it have gotten so far? would it have caused much dammage at all?
-------
Drink Coffee - Do Stupid Things Faster And With More Energy!
I am very worried that future worms might tunnel through TCP/IP networks to other attached networks that may not be running TCP/IP - for instance, if a machine with a Bluetooth interface (for instant) is compromised from the Internet side and the worm payload contains code to use other devices on the local wireless net. Even the most trivial device might have an administrative interface in future.
Imagine if you will a worm that causes toast to be burned in kitchens worldwide! It's too horrible to contemplate.
Could I interest anyone in some toast?
"Banking services, which encrypt their data traffic over the public Internet, might have ground to a halt."
Sheesh. If you use VPNs over the internet, you're getting WAN connectivity and 95+% reliability on the cheap. But it's a trade off.
Get your own free personal location tracker
Following the IIS and SQL server worms, Exchange Server could be the next target. I predict this will happen within the next 6 months. The patches are probably out already but as per the last two worms, many Windows admins will fail to install the patches no matter how easy/difficult/risky they are to implement. As email is the current "killer" app on the net for business, this will create the greatest amount of havoc that we've seen to date.
No, it demonstrates just how vulnerable a number of sites on the Internet that ought to know better are. "The Internet" stayed running just fine, though it maybe slowed down a bit in places. I certainly didn't notice any noticeable reduction in spam over it.
My offtopic question is: why doesn't this happen with Linux ? (or does it happen with Linux?)
I don't use Linux and I'm not a bonafide geek (I've never had 'root' access, which seems to be one of the key requirements --- that may change now that I use Mac OS X), and I've always wondered why using fixes, new functions, patches, whatever, written by numerous different people hasn't turned Linux or other open source into a non-functioning morass of code. I read Eric Raymond's The Cathedral & the Bazaar but I didn't really feel like he answered the question, other than refering to the gospel of Linus "with enough eyes, any bug is shallow."
Isn't an operating system more complicated (or at least more fundamental) than an application? Why doesn't (or how often) does fixing one bug in Linux create two new ones?
blog-O-rama
foldplay your photos won't know what hit them.
1. The worm was strictly based on UDP 1434 transfer
.
I find it very difficult to believe major corporation firewalls would allow UDP 1434 inside from Internet. Some, maybe - but few.
So: I rule our direct penetration from the Internet for most corporate environments.
2. Worm was memory resident only. Reboot cleared it.
Most user PC's would be rendered useless by the worm. CPU and local Network saturation would do that. So I doubt that people got infected and THEN VPN'ed into work. They would reboot, clear the worm, possibly get re-infected - but I doubt
if they would be able to bring an already infected machine into work via VPN.
Note: If split tunneling was allowed then it is quite possible for an already conencted home PC to act as a vector into a company - my guess
is that this is NOT common.
So: I rule out employee remote access as a primary vector.
3. This leaves me with back-end connectivity across private "trusted" comm channels. ( i.e. Frame )
I know this was a vector in at least one case - and the circumstances ( misconfigured ACL's that were overly generous in what UDP traffic they
allowed from "trusted" business partners ) is something that I suspect is very common in large organizations.
The speed which this thing moved ( see: http://isc.sans.org/port1434start.gif ) and the actual vectors I saw make me very suspicious that
the large organizations of the world are massively linked by misconfigured routers/firewall that allow way too much UDP traffic flow between
trusted partners - affectively a "fuse" linking the worlds computing infrastructures.
That's it. Wacky and overly-speculative perhaps but I would be interested in getting some anonymous feedback about the successful attack vecors
other people saw in the propagation of the worm - particularly people in large organizations that have large "private" comm networks.
"very like a whale..."
If corporations are really interested in protecting themselves, they should stop slashing IT budgets and downsizing engineers. Security goes downhill fast when the techies are too busy to keep servers patched, and nobody is watching for idiots sticking database servers outside the corporate firewall.
Every company with an internet-enabled IT infrastructure needs to have a dedicated sysadmin AND a dedicated security admin. If a company can't afford two full-time geeks to keep things secure, then they need to outsource server hosting to a secure facility.
The bigger question is why isn't Microsoft being held responsible? DSC was held resobsible when one of their faulty switches brought down the East coast's telephone lines, Ford/Firestone were held responsible for their faulty tires, vehicles. Sure they have statements that they aren't responsible in their EULA, but come on, doctors getted sued even though people sign waivers. We need to put blame where blame belongs, and that is the company that orginated this faulty and shoddy product
The ubiquitous presence of Microsoft products, coupled with their notorious vulnerabilities, is what puts the Internet environment in such a precarious state. This predicament is analogous to the supposed insidious danger for which environmentalists criticize so-called "frankenfoods."
The argument against genetically modified organisms in commercial farming says that big business will curtail bio-diversity by settling on one or two strains for each crop or livestock. A single virus or other bug could then wipe out that entire food supply in one fell swoop.
(Everyone is familiar with the potato famines in Europe and how it affected the impoverised who had come to rely on the potato as the sole staple in their diet.)
Personally, I'm fine with GMO's, but I think we are risking something along the lines of an "Internet potato famine" when we rely on a particular breed of computer products (a.k.a. Microsoft) that is riddled with such fatal flaws.
A little more "binary diversity" on the Internet would be a good thing.
quiquid id est, timeo puellas et oscula dantes.
Wait until mid-century, when nanotech is used everywhere, and hardware viruses and worms start appearing. Let's just hope that, by then, micro$oft will have been swept into the dustbin of history and nanotech will be open source...
Cancelling a meeting decreases your productivity? Whoa.
how to invest, a novice's guide
By all means then, call a lawyer, sue the bastards, file a class action suit. Don't just sit there and talk about "what should be done." Do.
The only reason we weren't killed this time was because a database product was exploited, not a core internet product.
Also, companies with hundreds or thousands of machines to administer will probably start buying large-scale third-party automated patch deployment systems. A system like Everguard or Patchlink or Bigfix will let you know where there are unpatched vulnerabilities on your network, help you patch them, and check that they've been patched.
Most of these systems are cross-platform and at least one uses a linux-based server.
I play Nerd-Folk!
They are the ones that *propagate* this crap. This includes most any other 'known' virus/worm/trojan.
While I agree Microsoft's track record is not good, no one is perfect.
Especially In this case as there WAS a fix.. just no one bothered to apply it. So cant blame the messenger this time. ( and yes they should have applied the patch unilaterally which IS unacceptable, but again many many people didn't, and are equally to blame for the massive troubles.. )
Yes there are *plenty* of other times you can blame Microsoft, but then again, you can *blame* other organizations ( OSS too ) as well for missing a hole out of potentially millions of lines of code.
Just be realistic, bashing one company isn't going to help any. ( and no I'm not a Microsoft fan, I'm just smart enough to see who is to blame. )
( oh, and I'm not saying don't crucify the writers of such things. They should all be strung up, right beside the spammers )
---- Booth was a patriot ----
Boy, how fast would everyone drop MS once and for all if this worm had been written to corrupt filesystems and/or destroy data? As it is, everyone will just try to patch their systems and whine a little bit, but at the end of the day they will still write out a check to Microsoft. Eventually, along will come a worm that will cripple Microsoft's ability to sell products any longer: when it becomes clear that using MS software is practically a guarantee that your data is vulnerable and could even be destroyed, Windows is finished; Microsoft is finished.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
I don't think it would set a disturbing precedent, lawsuits are about MONEY, plain and simple. Lawyers don't file lawsuits unless they can get money (for the most part, sure occasionally there is something filed for priciple, but it is a rarity). A class action against an OpenSource project wouldn't garner much more then maybe a couple thousand if even that. Which is by no means worth a lawyers time. Microsoft on the other hand......BILLIONS........
Just how difficult is it to comeup with some code that goes about finding vulnerable machines, makes them invulnerable, and tries to spend a modest amount of it's time finding more vulnerable machines.
Bring on the white-hat worms that actually fix problems, rather than cause them.
Sure - ethics must be a problem, but there must be some slightly-un-ethical white hats out there ready to give this a go?
Like other posters said, this does happen with Linux, but not as much. There are reasons why.
Many good Open Source projects will usually separate their releases into to branches: stable and experimental. For example, in the Linux kernel, if the second number is even (x.2.x or x.4.x), then it is a "stable" release. If the second number is odd (x.3.x or x.5.x), then it is an experimental release.
Most of the time new features are only put in the experimental release. There are features officially classified as experimental in the stable release, but you can only use them (or even see them) if you check the "prompt for development or incomplete drivers" option. There have been mishaps where a feature was added in the middle of a stable release and caused problems. One such example is the changes to the virtual memory system in about 2.4.4.
Another reason this doesn't happen as often is many of the serious open source programmers do everything they can to prevent/fix bugs and are paranoid about security. Microsoft doesn't seem to care. When I run win98, there are always system crashes, settings being changed when I don't want them to, unstable programs (which are supposedly being made by professional companies) making other programs/the whole system unstable.
In Linux, these problems are virtually nonexistant. I haven't seen many programs which will bring Linux down, and most of those don't crash the kernel. A buggy SVGAlib[1] program will either screw up the video or screw up the keyboard and disable virtual console switching[2]. XFree86 doesn't have this problem. Most buggy programs in X don't seem to affect it at all--there are problems such as X crashing with huge font sizes, but the main system was running fine. I just had to restart X. A misconfigured X may screw up the display, but most of the time I can use Ctrl-Alt-Backspace to kill X, display restores, and I fix the problem. Also, when Ctrl-Alt-Delete still works, it will properly shutdown the system--unlike Windows.
Linux/open source has problems, but Microsoft has many more. In my twenty some years of using computers, I haven't seen anyone produce crappy software as Microsoft--except for script kiddies and the low end of shareware programmers.
They do have project leaders and others who verify the patches. Open source projects don't accept just any old patch--there is a process of reviewing and testing submitted patches. This also varies from project to project. Some maintainters will just slap in anything, but the maintainers of very good and stable projects will try to understand what the patch is doing before even testing it out. It is a very long and arduous process to get a patch for a new feature into something like the Linux kernel. There are plenty of such patches floating around. For example, Openwall Linux is a kernel patch that adds security features. From what it sounds, it may never get into the official kernel...
An OS is the most fundamental part of the software. Any bug in the OS will often cause major problems everywhere. As to an OS being more complicated, it depends on the system and what you choose to define as the OS. Some people consider only the kernel/core part as the OS, and others include "essential" libraries--the definition of essential can vary greatly. Still some others include basic utility programs part of the OS.
Any change in a project can cause a new bug, but as I said, they review and test the patches, so this doesn't happen as much as you seem to think it would. The problem with Microsoft bug fixes is they don't seem to test their changes very well, and they often bundle new (and possibly unwanted) features/modifications with these fixes. These features/ mods may have bugs or cause other problems. The high-end open source projects shy away from this practice. That is why they have a different branch marked experimental (or unstable)-- people who want to test (or use) the bleeding edge features can do so without affecting the stable branch.
Footnotes:
[1] SVGAlib is a library which allows a program to draw graphics on the screen with a virtual console. This library is dangerous because it requires the program to run as root (often suid root, which means any user will have root access with the program until the program drops privileges). The framebuffer is slightly safer because it is a kernel driver and you don't have to run it as root. Both of these can easily leave the video card in a messed up state if the program doesn't use them properly.
[2] The virtual console is a part of the Linux kernel which handles the video display. In Linux there are multiple of these virtual consoles, and one can switch between them freely using the Alt key plus the arrows/function keys. Alt+F1 will switch to virtual console # 1. Alt+2 #2, and so on. A problem arises if a program sets raw keyboard mode (such as many SVGAlib/framebuffer programs do) as this disables the kernel from recognizing an Alt+function key as a request to change consoles.
(On the other hand, writing a stealth worm is probably harder than it looks. Some sites carefully scrutinize their network traffic, and it only takes one of them to spot you. But would they tell anyone else?)