Slashdot Mirror


HomeSec Warns Again About Microsoft's Insecurity

cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."

28 of 497 comments

  1. Pretty Bad by the.jedi · · Score: 5, Insightful

    My friend works at MIT's network security.
    From Wednesday to Thursday their compromise rate
    went from 3 computers an hour to 30.
    Right now they're just blocking the RPC port
    but the routers are starting to take some heavy
    traffic. Looks like this one is going to be pretty
    bad.

    --
    ThunderBird. Nuff said.
    1. Re:Pretty Bad by technix4beos · · Score: 3, Insightful

      Speaking of routers...

      Am I correct in saying that a router can be used at home to prevent these kinds of attacks in the first place?

      With more families getting online and having multiple computers in a network, wouldn't it make sense to install a router that protects against the silly port attacks?

      I believe a router these days costs about $50 USD, so it's far cheaper to purchase one than to buy a software based "firewall" solution, that might be turned off by little johnny anyhow.

      --
      user@host$ diff /dev/urandom /dev/uspto
  2. The Department of Homeland Security? by Wacky_Wookie · · Score: 5, Insightful

    Sounds more like The Department of Homeland in-security :)

    Joking aside I find the US media's "fear hyping" to be outrageous.

    "It could happen to you" Is a major catch phrase for the US media, and they are not talking about winning the lottery.

  3. I feel bad for the Poor slob(s).... by curtisk · · Score: 4, Insightful
    ....that works at Dept. of Homeland Security whose entire job will consist of keeping up to date with MS security advisories....

    wonder how they (DoHS) are feeling about their OS investment already? :)

    --

    Sehr geehrter Toilettenbenutzer!

  4. Switch campaign kick-off by SgtChaireBourne · · Score: 5, Insightful
    One interesting thing that the security people mentioned, that the article doesn't, is that Windows 98/Windows 98 SE is vulnerable but Microsoft has not released a patch because they no longer support the product.
    A second interesting thing is why just this particular bug is getting the publicity. There's been no shortage of remote exploits for that product line, old or new, this year. Is it part of the new marketing campaign that's just kicking in?

    Along those lines, since most of the design flaws are downplayed for weeks/months/years after exploits are found, Apple, RedHat and SuSE have a good lead time to prepare switch campaigns.

    I'm sure a dollar value can be put on the peace of mind and increased productivity that goes with moving to a better workstation platform.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Switch campaign kick-off by Cromac · · Score: 2, Insightful
      A second interesting thing is why just this particular bug is getting the publicity. There's been no shortage of remote exploits for that product line, old or new, this year. Is it part of the new marketing campaign that's just kicking in?

      It's possible that the reason this bug is getting publicity from the Dept of Homeland Security and others didn't is simply because they know about this one. Yes, other security problems are out there and "known" but maybe not by the people at HS. Remember, even though it's a large government agency, the bottom line is it's still run by people who may not have all the facts.

  5. Again.. by NetJunkie · · Score: 4, Insightful

    Patch your stuff and for goodness sake put up a firewall! RPC port open to the world? Why?!
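The MIT poster above describes the symptom of an RPC worm from the network side: the compromise rate climbing and the routers taking heavy traffic, with the only stopgap being to block the RPC port. This comment asks why the port is reachable at all. The following is an added example, not code posted by anyone in this thread: a small detector that reads gateway firewall log lines and flags any source host that tries TCP/135 on many distinct destinations in a short window, which is what a host sweeping for unpatched RPC looks like from the edge. The log lines are constructed in the iptables LOG format and are not a real capture; the threshold and window are assumptions chosen for illustration.

```python
"""Spot hosts sweeping the Windows RPC endpoint mapper port (TCP/135).

Added example for this thread; not code any commenter posted.  The log
lines are constructed in the iptables LOG format (only the SRC=, DST=,
PROTO= and DPT= fields are used) and are not a real capture.  The default
threshold (5 distinct targets) and window (60 s) are assumptions picked for
illustration, not values taken from the thread.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: 10.0.5.7 fans out to TCP/135 on six distinct hosts in
# a few seconds (sweep-like); 10.0.5.9 makes ordinary web connections plus
# two RPC connections to the same server (normal client-to-server traffic).
SAMPLE_LOG = """\
Aug 12 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.5.7 DST=192.0.2.10 PROTO=TCP SPT=3201 DPT=135 SYN
Aug 12 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.5.7 DST=192.0.2.11 PROTO=TCP SPT=3202 DPT=135 SYN
Aug 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.5.9 DST=198.51.100.5 PROTO=TCP SPT=1044 DPT=80 SYN
Aug 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.5.7 DST=192.0.2.12 PROTO=TCP SPT=3203 DPT=135 SYN
Aug 12 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.5.7 DST=192.0.2.13 PROTO=TCP SPT=3204 DPT=135 SYN
Aug 12 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.5.9 DST=198.51.100.20 PROTO=TCP SPT=1045 DPT=135 SYN
Aug 12 10:00:04 gw kernel: IN=eth0 OUT= SRC=10.0.5.7 DST=192.0.2.14 PROTO=TCP SPT=3205 DPT=135 SYN
Aug 12 10:00:04 gw kernel: IN=eth0 OUT= SRC=10.0.5.7 DST=192.0.2.10 PROTO=TCP SPT=3206 DPT=135 SYN
Aug 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=10.0.5.9 DST=198.51.100.6 PROTO=TCP SPT=1046 DPT=80 SYN
Aug 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=10.0.5.7 DST=192.0.2.15 PROTO=TCP SPT=3207 DPT=135 SYN
Aug 12 10:00:06 gw kernel: IN=eth0 OUT= SRC=10.0.5.9 DST=198.51.100.20 PROTO=TCP SPT=1047 DPT=135 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Return one dict per matching line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog timestamps carry no year; only differences matter here
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]),
        })
    return events


def find_sweepers(events, port=135, min_targets=5, window_seconds=60):
    """Map each source that reached >= min_targets distinct hosts on the given
    TCP port within any window_seconds span to the largest such count."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["proto"] == "TCP" and ev["dpt"] == port:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    sweepers = {}
    for src, hits in by_src.items():
        hits.sort()
        seen = Counter()        # distinct destinations inside the current window
        lo, best = 0, 0
        for ts, dst in hits:
            seen[dst] += 1
            # slide the left edge forward until the window fits
            while (ts - hits[lo][0]).total_seconds() > window_seconds:
                old = hits[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            best = max(best, len(seen))
        if best >= min_targets:
            sweepers[src] = best
    return sweepers


if __name__ == "__main__":
    for src, n in find_sweepers(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: hit TCP/135 on {n} distinct hosts in one window; block it at the edge")
```

Run it against the gateway's kernel log (the iptables LOG lines from /var/log/messages or wherever syslog puts them) and tune the threshold so a client talking to its own domain controller on 135 stays below it, while a host walking the subnet trips it. The point of the distinct-destination count, rather than a raw packet count, is that a legitimate client hits one or two RPC servers repeatedly, whereas a worm hits many hosts once each.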

  6. Govt should use its own OS. by sniggly · · Score: 5, Insightful

    It's time the government started to realize its own linux version has been developed to preclude vulnerabilities such as these that are caused mostly by sloppy programming.

    --
    Of those to whom much is given, much is required.
  7. Well engineered worms by Catskul · · Score: 5, Insightful
    I think it is going to be worse if someone actually has an objective (i.e. terrorists) because all of the worms I have heard of have been fairly poorly engineered.

    A well engineered worm would:

    Work on many different systems.

    Use more than one security flaw. (spread by email, + kazaa, + IE hole, + sendmail hole)

    Patch that flaw once compromised, and open a separate hole

    Have at least different attack modes (slow and quiet and local sub nets, fast and hard and whole internet)

    Build up to critical mass before initiating fast attack mode.

    Attempt to hide itself from scans. (maybe randomly stop functioning for a while to offer false sense of security)

    Adjust its fingerprint so that it isn't simple to find computers which have the worm (use different ports, different protocols, send some different data when filling buffers etc)

    Offer a payload that makes patching difficult, goes after security websites that often offer patches, targets financial institutions, etc.

    Patch other programs on the system, back to previous insecure versions.

    And that's just off the top of my head. If someone really is sitting down and thinking about this, I'm sure they could come up with much more dangerous specifications.

    I think someone should be writing a competing worm that patches all vulnerable systems, just in case this breaks out into a crisis.

    --

    I'm not here now... I'm out KILLING pepperoni
    1. Re:Well engineered worms by digitalunity · · Score: 4, Insightful

      In case you hadn't noticed, few virus writers are developing malicious code. It would appear that most of the internet worms of late are fairly innocuous, and their only design feature is the ability to replicate themselves. However, there are others that send random files by e-mail to random people. That was kind of funny. No, if someone wanted to write some really mean code, they'd set up a worm that would find and infect at least a few hosts, and then destroy its host OS. It wouldn't spread as fast as non-destructive worms, but it'd cause a lot of trouble for a lot of people.

      Personally, this RPC bug doesn't really get me thinking much. Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming. Now, on the other hand, if a live exploit for BGP4 was ever discovered and published, we'd be in a world of hurt for quite a while.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    2. Re:Well engineered worms by Finni · · Score: 4, Insightful
      Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming.

      True, but that doesn't cover any/all cases at all. Businesses with Windows servers can't turn off RPC (and sometimes can't turn off DCOM) on their users' laptops, right? So a laptop user goes home and uses dialup, or he has broadband and no router and gets infected. Now he comes back into work the next day. The MS-supplied patch doesn't work in all cases, so even if they have a good patching system and a great firewall, they've still got a compromised, infectious system on their LAN. Mobile-user VPN has the same risks.

    3. Re:Well engineered worms by WhiteWolf666 · · Score: 5, Insightful

      Or, maybe, create a set of worms

      IANAWC (I am not a worm creator), but you could have all kinds of worms running around. One that attacked on a large scale, seeking to infect as many systems as possible. Then it would download extra components as needed, but otherwise sit dormant, awaiting the final component. One that sought out unpatched, vulnerable Windows 2000/XP boxes, to use as a permanent base of operations (this one could be BIG). One that sought out infected systems, and modified the worm continuously, to confuse scanners. And maybe you could even have the dang things self-destruct? I don't know much about this, but you can set up applications on a Windows 2000/XP box that won't run until the next realmode boot, right? If it installs itself as a system file, scanners won't be able to remove it unless they run before the system is fully booted up. But if your worm runs the next time pre-bootup system maintenance is scheduled, and runs before any other task, you could have it eat the hard drive.

      If one were to prepare this sort of thing ahead of time, and released the worms one by one, most of the security community wouldn't anticipate the attack. Especially if they were all encrypted, and you released them in a quick enough period such that it would not be obvious that they were working together until after the fact.

      The other thing I wonder is why worms haven't targeted the infrastructure of weak networks. Like that worm that was discovered on the Comcast DNS servers. If someone were to create something that attacked the Windows 2000/XP (or any other operating system, but Windows seems like it would be the most vulnerable) TCP/IP stack, and only attacked systems behind vulnerable routers, and then utilized the hacked TCP/IP stack and hacked routers to hide all of the traffic, it would be extremely hard for anyone to tell what had happened, right?

      Of course, all of the things I have just said won't work, as I've described them. My knowledge of this topic is just too limited to really make much sense, but my point is I don't think we have seen a coordinated effort to run multiple, smaller worms in concert. This way you can spread a rapid, smaller infection, and use it to pave the way for a much more deadly, and harder to remove infection.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    4. Re:Well engineered worms by nat5an · · Score: 3, Insightful

      Well, admins can turn off RPC on their users' laptops. The average user probably has no need for this service to be running. Of course, you never know what Microsoft is using it for. You turn off the RPC service, and suddenly 10 unrelated things stop working. Such is the fun of being a Windows Admin (and I would know).

      --
      Head down, go to sleep to the rhythm of the war drums...
    5. Re:Well engineered worms by tsa · · Score: 2, Insightful

      And since most users are completely incompetent in configuring and securing their PC, if I had a business I would forbid them to use their own computers for work.

      --

      -- Cheers!

    6. Re:Well engineered worms by Vainglorious+Coward · · Score: 2, Insightful
      In case you hadn't noticed, few virus writers are developing malicious code.

      While it's generally true that historically, most viruses have had feeble or non-existent payloads, the evidence is strong that some of the waves of infection this year have been created by spam gangs, using viral infections to install proxy software.

      --
      My next sig will be ready soon, but subscribers can beat the rush
  8. Re:How big a threat is this? by dreamchaser · · Score: 2, Insightful
    The primary vehicle for spreading this type of exploit is all the MS clients of broadband users; many untechy PC owners will be to blame if this thing hits hard. And yes, I think it could be worse than Slammer/Code Red because it's RPC. Pretty much all the MS clients out there are going to have it running (versus an IIS exploit).


    Perhaps ISPs should just block RPC at their routers that feed broadband users. I can't think of any good reason most people would want it to be exposed anyway, on a residential broadband account at least.
  9. Re:How big a threat is this? by Xformer · · Score: 2, Insightful

    That, or ditch Windows entirely (novel idea, I know :-)

    --
    All I want is a kind word, a warm bed and unlimited power.
  10. Re:How big a threat is this? by GrenDel+Fuego · · Score: 2, Insightful

    These days you can buy a computer for not much more than the price of Windows XP home (retail version).

    They're not great machines, but they're better than a PII 266MHz.

    Or as other people said, ditch windows entirely.

  11. Homeland INSecurity Spinning a Bad Decision by FreeUser · · Score: 2, Insightful

    Think of it as "Homeland Security eats its own dog food..." In other words, they are using the same operating system that the vast majority of people use, so they will experience the same vulnerabilities. They'll be able to advise people about computer security from first-hand experience, not just from a few pristine 'test lab' machines.

    That's a good spin on an incredibly incompetent IT decision, but at the end of the day, spin is all it is.

    You want a testbed for vulnerability? Fine. Set up a Windows lab with its own dedicated internet connection and absolutely no way to talk to the rest of your internal network. Catalog, experience, and enjoy the chaos that ensues.

    Do not, I repeat, do not deploy it as your platform for collecting, collating, analyzing, and addressing security threats. What good is Homeland INSecurity going to be when they need to address a real, meatspace threat and a Microsoft worm has taken down most of their IT infrastructure?

    Some perhaps, but they certainly will be operating at a severely degraded efficiency level.

    --
    The Future of Human Evolution: Autonomy
  12. Re:How big a threat is this? by los+furtive · · Score: 4, Insightful

    I agree with you. But if you have 128megs of ram (or even 64), I would strongly recommend upgrading to Windows 2000, for the stability alone. A P2 266/300/350 with Win2K is a fine machine.

    --

    I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

  13. Port blocking by Gothmolly · · Score: 5, Insightful

    Is it me (insert tinfoil hat joke), or is anyone else disturbed by the increasing tendency of ISPs and vendors to say 'just block port xxx' on your network connection, as a response to problems? Is this one more step on the road of converting the Internet to simply an MSN-ified WWW? Where does the small, independent content creator turn as more and more barriers to market entry are enacted, either by FUDding ISPs, lobbying Congress, and blatant stupidity?

    --
    I want to delete my account but Slashdot doesn't allow it.
  14. Already hearing it as an excuse... by Satan's+Librarian · · Score: 3, Insightful
    For boxen being broken at ISPs. Interland trashed a rather important co-located server for us over the weekend, and blamed it on a "Worm" referencing this bug. AFAIK, no worm has yet been released, and certainly none was out then - anyone else been fed this kind of b.s.? Anyone heard of any truth to it at all?

    As far as DoHs getting in on the action - I think they'll cry wolf at anything to keep interest. The more afraid the public is on a daily basis, the more they are legitimized. I was appalled the other day to see this article on the front page a few days ago - no shit guys, thanks for the press release. Ya know what else? .COM stocks might not be the best investment if the company hasn't produced a product.

    Obviously this hole is a major one, but we've kinda known that unfirewalled Windows boxen on the net are a Bad Thing (tm). This hasn't changed, and it's not much more likely now for a worm to run rampant through everything that it was in the past - it'll happen, it'll suck, and everyone will do the same fire drill as every other time it happened. And a few, bright IT departments will switch to FreeBSD or similar for their external machines or put up a bloody firewall.

  15. How much more secure would we be with Linux? by Eric+Damron · · Score: 2, Insightful

    I'm very much pro-Linux. I switched from Microsoft to Linux years ago. It was kind of hard because so many "fun" programs could only be had in Windows. So I ran a dual boot for quite some time.

    I finally removed Windows altogether. After a few months of running only Linux it struck me. My system had NEVER crashed after doing so. Programs would sometimes hang but the system stayed up, not requiring a reboot. It was like an epiphany. I just started laughing!

    I was also relieved that I no longer had to worry so much about viruses. Or do I?

    My question is: If Linux becomes the dominant desktop and virus writers switch their main focus onto my OS of choice, would we be in as bad a shape as Microsoft's XP, 2000, etc.?

    --
    The race isn't always to the swift... but that's the way to bet!
  16. Re:How big a threat is this? by toddestan · · Score: 2, Insightful

    And they also said Windows 95 would run on a 386 with 4MB of ram. Anyone ever try that? They also said Windows 98 will run on a 486-66 with 8MB of ram. I've seen that and it's not pretty.

    It is possible, and it is useable, it certainly is not too responsive.

  17. Security alerts and bad economy by just+fiddling+around · · Score: 2, Insightful
    Slightly offtopic, but here goes:

    As there is a permanent terrorist alert going on, could it be possible that everybody is scared from going about and conducting their business? Can this explain USA's shitty economy while Canada's is better than ever and the CA$ is constantly going up?

    [tasteless joke]
    Go MiniHomeSec! Let us commie canadians get on top!
    [/tasteless joke]

    --
    You're not old until regret takes the place of your dreams.
  18. A little gotcha by Anonymous Coward · · Score: 1, Insightful

    I see that to apply the Windows patch on the Win 2k machines you gotta have Service Pack 3 or higher. Question: Isn't that the Service Pack at which the wonderful new licensing scheme kicks in? How convenient.

  19. Scanning != virus by intermodal · · Score: 2, Insightful

    Did anyone else notice that they equated scanning to cracking? While I know that's certainly one of the possible preludes to attacks, it's certainly not a definite. I've used scanners quite legitimately more than once (checking what was visible from outside a firewall for my father in law, and testing to see if a non-responding server that I myself was responsible for even had its services running, despite it not being at my present locality). The internet was built to be open initially, and while it's understandable that it now needs security, people need to realize there's more to the internet than ports 80 and 6667, (plus those ones that most users don't ever see, like their port 25 services or port , ). There is far more to networking than HTTP, and the internet is a network.

    It's getting to where knowledge is a crime, and while I feel it would be prudent to learn more and more about computer security, I fear that merely knowing it might make me liable to be wrongly prosecuted. There have just come to be so many legal barriers or poltergeists that it carries too great a risk for the curious to enter the field.

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  20. HomeSec should stay out of this by gad_zuki! · · Score: 2, Insightful

    Wow, a malicious worm. I'm completely bewildered by the fact that melissa, code red, etc didn't have a seriously nasty payload. It seems like the virus authors just wanted propagation for bragging rights. It wouldn't be so tough to write a function that will corrupt the registry or start formatting important parts of the disk after x amount of hours.

    Windows has yet to see a serious threat by a popular worm and when it does there will be a lot of heat on Microsoft, whether they deserve it or not. "Wintel everywhere" is a classic eggs in one basket gambit and heads are going to roll if 1/3rd of all computers on the internet suddenly refuse to boot up again. Something like 40% (?) of all computers on the net are not behind a firewall and who knows how many are patched.

    What I'm afraid of is that if something this bad and on this scale happens then DRM will go from controversial content protection to a Tom Ridge mandated upgrade. Your computer WILL download the newest patch and you will not rip MP3s from the newest Shania Twain CD or face the consequences (ISP banning you, fines, etc).