Slashdot Mirror
When Will The Next Slammer Strike?
scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."
The same MS that didn't apply their *own* patches ?!?
Hmmm...
...why ATMs were affected? I've seen this mentioned in a few articles but I didn't think banks would use the Internet to connect ATMs on their systems.
I think we ought to make virus-protection code public and government funded.
I know way too many people who can't afford 50 bucks on a virus scanner or decent firewall software in College, and I saw Nimda infections up until the end of last year.
If people could get this type of thing for free - money that would ultimately ensure the safety of the net at large - I think it should be done.
The scariest thing is actually that this kind of damage is being done by a worm that doesn't actually do anything except spread itself (as far as I know, anyway).
Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)
I believe posters are recognized by their sig. So I made one.
Too many lazy admins out there so people should counter the bad worms with good worms. Yep its not that ethical at all but it has got to be better than crossing your fingers.
If people at least patch their system, things like this should never happen, but Microsoft should have made that secure in the first place to prevent this from happening. Face it, if someone can create a worm somehow causing all host/computer connected to send out 300 odd bytes to any random port to any random ip every millisecond or so, the net itself will be full of noise.
Or you can just physically locate all the major routers/backbone of the net and somehow disable it, physically... yeah, you, get up and demonstrate how vurnerable the net is!
Please direct all bug reports to
When is the next Microsoft product being released?
alias uptime="echo '5:33pm up 22342352324 days, 6:28, 2124315623 users, load average: 2432.40, 12312.31, 123123.19'"
In my opinion, there are two ways that people will react to the problem of exploits in computer software:
In the short term, I expect that the most recent attack will provide a huge sales boost to pre-packaged "security solutions" like firewalls, virus protection, etc. and will probably be used as an extra card that the government can play when arguing for implementing a comprehensive Internet monitoring system. Of course, both of these things are unfortunate, as neither one promotes security and the latter gives the government way too much power . . .
Long term, the best protection against exploits in computer software is a shift in attitude about where software companies should place their priorities. At present, it is more lucrative for companies to push a piece of software out the door and sell upgrades than to spend extra time developing secure software. Only a strong fiscal mandate from corporate customers will change the way software companies do business . . . and I hope that mandate comes soon.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
MS products are too buggy for the internet. Even when MS comes out with patches sysadmins are extremely reluctant to apply them (even at Microsoft) in fear that the patch will cause more problems (ie BSOD) than it fixes. Remember Microsoft got hit by Slammer hard because it didn't install its own patches. Was Microsoft waiting for customers to beta test thier software before they even tried it themselves??? Plus the MS SQL server is not the only MS product that Slammer can infect......when are people going to hold Microsoft accountable for its lack of security and general poor coding??
"You helped our nation celebrate its bicentennial in 17 -- 1976." --George W. Bush, to Queen Elizabeth, Wash
This worm required rougly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.
I read that and my jaw just dropped.
This worm, from what I've read (these aren't my conclusions; I'm not that smart), did two very interesting things. The first is that it used one UDP to spread: no waiting around for the three-way TCP handshake, no hanging waiting for a reply, just send and move on to the next one. From what I understand, that's pretty new. Second, it caused most of its damage not by trashing filesystems or anything like that, but just by spewing *huge* amounts of traffic.
The first is interesting because as a tactic, it'll almost certainly be copied. The second is interesting because it probably won't be copied.
Well worth your time; it's fascinating -- and frightening -- reading. Get it here:
http://www.caida.org/analysis/security/sapphire
Carousel is a lie!
If we were to begin attacking either Iraq or North Korea, what amount of damage could they do by launching worms like this towards the US? Furthermore, what are the chances that they are busy looking for more exploits like this? After all, the US government does use a lot of M$ software.
Just my two cents though.
Give it about two weeks and everyone will forget what happened. Seems as though every time there is a net problem that effects 90% of the population it's big news and "a must fix problem." But we still have virii. Nothing has changed. So unless something is proposed in about 14 days, the masses will forget about it and it will loose it's panicy ferver that distrubing the masses unleashes.
Likelihood there will be another one: very high
Likelihood that it will affect a Microsoft product: pretty high
Likelihood that it will exploit a flaw that was fixed the summer before: almost certain
As far as i'm concerned those with low maintenence co-located servers should pay more attention to security bulletins so that when when a major patch does come out they can fix it, then when something does hit their several-year-old computer it won't be thrashed to death by modern worms.
, very well, thank you.
And not only that, nonprofits and edu can get the server version of Norton Anti-Virus for FREE from techsoup.com.
So it's doubly stupid that any college got hit.
The same MS that didn't apply their *own* patches ?!?
The problem that I have is, even though I don't run any Microsoft software, their incompetence keeps on screwing me around and costing me productivity.
I get hundreds of e-mail virii per day, owning partially to incompetent users, but also partially to incompetent Outlook programmers.
At the height of Code Red, I was getting hundreds of hits per day to my webserver.
That last worm effectively shut down portions of the Internet.
Now, here's the problem. If I'm driving down the road, and a Hyundai's brakes fail and cause it to run a red light and plow into the side of me, it'll piss me off, but it's a quirk, and shit happens.
If, every couple of months, a Hyundai's brakes fail and I get hit, pretty soon, I'll start to get very pissed off, not just with the idiots who drive Hyundais, but also with Hyundai itself.
This has gotten to be utterly ridiculous. We have to find some way of holding Microsoft accountable for their fucking ineptitude.
Fire and Meat. Yummy.
When pogs become the next big thing. Duh.
What the hell, I got karma to burn. :)
... thank you, Office Space
Not just let's throw him in the Slammer. Let's throw him in Federal Pound-Me-In-The-Ass prison [*] with a cellmate who's affectionately known as... the Slammer.
"So, Mr. Worm Writer, are you enjoying your cellmate's one-eyed worm?"
[*]
Thing is, we're dealing with an industry (the IT industry) that does not have the safely regulations and standards common in older sectors. There is no standard saying what steps must be taken to prevent your own systems damaging others, and no regulatory body to enforce compliance. Worms like this are creating a pressure to bring IT into line with the more, hm, predictable business areas.
Over time, IT, like other industries, will move toward public safety standards such as we see in transport, manufacturing, finance, and all those *boring* businesses. It's a necessary part of the evolution of this industry from backrooms to ubiquity, I guess.
In 20 years time we'll probably see the government fining companies that don't patch their servers to a certain standard, just like we see airports and tire makers being fined now.
This just reinforces what I've been thinking for a while now... time to move away from IT iself and into IT law/management/business...
Whence? Hence. Whither? Thither.
I thought the whole reason worm writers release their creations in the weekend is so they have the best chance to spread before systadmins wake up and realise what is happening.
If it WAS let out during business hours, whould it have gotten so far? would it have caused much dammage at all?
-------
Drink Coffee - Do Stupid Things Faster And With More Energy!
"Banking services, which encrypt their data traffic over the public Internet, might have ground to a halt."
Sheesh. If you use VPNs over the internet, you're getting WAN connectivity and 95+% reliability on the cheap. But it's a trade off.
Get your own free personal location tracker
My offtopic question is: why doesn't this happen with Linux ? (or does it happen with Linux?)
I don't use Linux and I'm not a bonafide geek (I've never had 'root' access, which seems to be one of the key requirements --- that may change now that I use Mac OS X), and I've always wondered why using fixes, new functions, patches, whatever, written by numerous different people hasn't turned Linux or other open source into a non-functioning morass of code. I read Eric Raymond's The Cathedral & the Bazaar but I didn't really feel like he answered the question, other than refering to the gospel of Linus "with enough eyes, any bug is shallow."
Isn't an operating system more complicated (or at least more fundamental) than an application? Why doesn't (or how often) does fixing one bug in Linux create two new ones?
blog-O-rama
foldplay your photos won't know what hit them.
1. The worm was strictly based on UDP 1434 transfer
.
I find it very difficult to believe major corporation firewalls would allow UDP 1434 inside from Internet. Some, maybe - but few.
So: I rule our direct penetration from the Internet for most corporate environments.
2. Worm was memory resident only. Reboot cleared it.
Most user PC's would be rendered useless by the worm. CPU and local Network saturation would do that. So I doubt that people got infected and THEN VPN'ed into work. They would reboot, clear the worm, possibly get re-infected - but I doubt
if they would be able to bring an already infected machine into work via VPN.
Note: If split tunneling was allowed then it is quite possible for an already conencted home PC to act as a vector into a company - my guess
is that this is NOT common.
So: I rule out employee remote access as a primary vector.
3. This leaves me with back-end connectivity across private "trusted" comm channels. ( i.e. Frame )
I know this was a vector in at least one case - and the circumstances ( misconfigured ACL's that were overly generous in what UDP traffic they
allowed from "trusted" business partners ) is something that I suspect is very common in large organizations.
The speed which this thing moved ( see: http://isc.sans.org/port1434start.gif ) and the actual vectors I saw make me very suspicious that
the large organizations of the world are massively linked by misconfigured routers/firewall that allow way too much UDP traffic flow between
trusted partners - affectively a "fuse" linking the worlds computing infrastructures.
That's it. Wacky and overly-speculative perhaps but I would be interested in getting some anonymous feedback about the successful attack vecors
other people saw in the propagation of the worm - particularly people in large organizations that have large "private" comm networks.
"very like a whale..."
The bigger question is why isn't Microsoft being held responsible? DSC was held resobsible when one of their faulty switches brought down the East coast's telephone lines, Ford/Firestone were held responsible for their faulty tires, vehicles. Sure they have statements that they aren't responsible in their EULA, but come on, doctors getted sued even though people sign waivers. We need to put blame where blame belongs, and that is the company that orginated this faulty and shoddy product
Wait until mid-century, when nanotech is used everywhere, and hardware viruses and worms start appearing. Let's just hope that, by then, micro$oft will have been swept into the dustbin of history and nanotech will be open source...
Cancelling a meeting decreases your productivity? Whoa.
how to invest, a novice's guide
Also, companies with hundreds or thousands of machines to administer will probably start buying large-scale third-party automated patch deployment systems. A system like Everguard or Patchlink or Bigfix will let you know where there are unpatched vulnerabilities on your network, help you patch them, and check that they've been patched.
Most of these systems are cross-platform and at least one uses a linux-based server.
I play Nerd-Folk!
Boy, how fast would everyone drop MS once and for all if this worm had been written to corrupt filesystems and/or destroy data? As it is, everyone will just try to patch their systems and whine a little bit, but at the end of the day they will still write out a check to Microsoft. Eventually, along will come a worm that will cripple Microsoft's ability to sell products any longer: when it becomes clear that using MS software is practically a guarantee that your data is vulnerable and could even be destroyed, Windows is finished; Microsoft is finished.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
Especially In this case as there WAS a fix.. just no one bothered to apply it.
It's been mentioned before, but it bears repeating: some subsequent security patches remove the fix.
Further, Microsoft has a track record of releasing security patches that break or touch unrelated stuff, roll back other fixes, give Bill admin rights on your computer, or just plain hose your box. Because of this (and the volume of patches), keeping up with security on MS boxes is not a task to be taken lightly. You test and test and schedule downtime, and it still bites you. This is the root of this particular thornbush.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Just how difficult is it to comeup with some code that goes about finding vulnerable machines, makes them invulnerable, and tries to spend a modest amount of it's time finding more vulnerable machines.
Bring on the white-hat worms that actually fix problems, rather than cause them.
Sure - ethics must be a problem, but there must be some slightly-un-ethical white hats out there ready to give this a go?