Win32 Blaster Worm is on the Rise
EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and
download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.
My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:
shutdown /a
That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that tries to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)
Visualize the world of wine
posted an article about it here http://www.baxter2.com/modules.php?name=News&file=article&sid=114
i have never seen a worm spread so fast! dangerously fast
who wants to rule the world?
Someone in my office just gave me a screen shot of a shutdown timer on their computer at home. Anyone used the removal tool yet and had any luck with it?
666-607: 6th floor apartment of the beast
Shouldn't the "Removal Tool" link point to a Linux ISO download site or something? I mean, this is slashdot... :-)
DOOM-DOOM-DOOM-DOOM DOOM * PANG*
At 10:06 AM, August 12th, 2003, Skynet launched dah Win32 Blaster Wahm. It quickly seized contrahl of ahh computers on the Net and forced a mahndatory reboot.
OK this is getting old.....
fdisk :)
format
install FreeBSD or keep your copy of Winders up to date.
Dear all of you who are being hit by this attack:
Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.
I've been helping my friends get this NASTYNESS off of their machines too.
Something else you might want to try is booting into safe mode (F8 right when the Windows splash screen pops). Delete the registry entries and the virus program (msblast.exe). Also please... PLEASE patch your computer.
When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didn't even know about (Spybot.worm).
-Tim
I have hardware/external firewalls at work and home, and I haven't seen it. Is this just more unpatched/unprotected idiocy, or does it get around software firewalls too?
Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:
C:\WINDOWS>shutdown -a
Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.
"Hu, ho, ho-ah-oh-oh-oh. Hu, ho ho-ah-oh-oh-oh. Mario Paint! Whoaaa!"
Another article here
If this thing wouldn't keep crashing computers, it would be spreading like greased wildfire.
Read more on SecurityFocus' mailing list.
BOO! TERRO
Funny, a few days ago I had my XP system exhibit the same problem (after using windowsupdate)... but I checked the event log and it told me that 0x70/0x71 was accessed by the BIOS unexpectedly.
After doing a bit of research I discovered that at some point, microsoft decided that ACPI needs to behave differently, and forced all BIOS's to be upgraded to work with XP. After getting a new version of my BIOS, the problem disappeared... but the symptoms were identical to what is described with this bug... Bad timing I guess... But if you have this problem, check the event log, it may be your now non-compliant BIOS, rather than an infection/attack.
---
Programming is like sex... Make one mistake and support it the rest of your life.
Our office got closed yesterday cause of it. We got hit pretty badly.
My friends and I discovered that turning on your windows firewall (Windows XP) also stops the shutdowns. (Wish I had known that BEFORE I formatted my computer) Unfortunately, I told my parents about this 'epidemic' of computer error (I heard about it from my cousin in Kansas before it happened to me, and then some friends here got it at the same time), and I'm sure that now whenever something is wrong with the computer my parents will get a big serious face and say "You know, it's probably an epidemic".
I regularly report MSN spam to the Hotmail admins.
Please. I still remember when my system got hosed by a sendmail hole.
"Sufferin' succotash."
Internet Storm Center
Microsoft Bulletin
Note this is marked "Critical" now...
not patching your Windows machine... that's a paddling!
not using a firewall... that's a paddling!
not using Linux as you should be... you better believe that's a paddling!
I had to patch several computers at work, and I noticed that the patch installer software says something at the beginning like,
"Back up all your harddrives, we are not responsible if this program breaks your entire computer. Do you Accept?"
Well in the middle of a virus scare, nobody has time to back up every machine in the office. So that really doesn't make me feel comfortable. So far, so good though. No broken computers as of yet.
But another scary thought that crossed my mind while installing the patch... What if those smooth criminals had gotten into the microsoft servers and put a virus into that patch installer? That would be a killer!
If you need to use Windows, you might as well use win98.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
Will internet come to a grinding halt or not?
Why would it ? Mostly clients, not servers, will be hit.
blah
* Go into Task Mgr -> Processes and Kill msblast.exe processes.
* Remove "Windows Auto Update" item in HKLM\..\Run folder in the Registry.
* >attrib -r \windows\system32\msblast.exe
* >del \windows\system32\msblast.exe
That should be it. Remember to patch your Windows.
McAfee has a removal tool that works well and detects 28 other trojans/worms/virii too; if I remembered the name I'd let you know ;)
From Symantec's analysis:
If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."
With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?
Nahh....
If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.
Hell is being intelligent in a world full of idiots.
Can anyone be so kind to take this worm (since I already patched my system) and change windowsupdate.com to something more interesting like
sco.com
riaa.org
Thank you
Having trouble getting out to Windows Update. Looks like a lot of people are taking this one seriously.
Chip H.
This is just the thing that the hackers were waiting for, an open door into millions of computer systems. People haven't patched because they either don't know about it, or don't know how.
Maybe the next worm should drain their paypal, epay, egold, and bank accounts into an account in the Caymans... format their hard drive just for good measure and force people to open their eyes.
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
Ok, this will get me modded as a troll for life... but I'm surprised by all the posters so far who have this problem.
First, I thought we used Linux and BSD (or BSD and Linux).
Second, I thought /.'ers all kept up on patches. :-)
this is not a sig
A few minutes ago (about 14:45 my time), I tried this:
grep "DPT=13[5-9]" messages | grep -c "Aug 12"
643
Then I tried this:
grep "DPT=13[5-9]" messages | grep -c "Aug 11"
643
So it took less than 15 hours to reach yesterday's 24-hour total. Doesn't look too good. I suspect that fixing this will prove to be way beyond the abilities of a huge proportion of home users of Windows. Anyone who says that "Linux isn't ready for your Grandma" or whatever, should be forced to do community service for a week fixing this crap.
Reality is defined by the maddest person in the room
Why-oh-why can't people patch? Shouldn't broadband providers be sending emails to their clients with a link in them? You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail. Even the most clueless of windows users can click on a link and then click the "Yes" button. I can see my logs filling with failed attempts to bring down my machine already...
every time i try to execute the removal tool downloaded from symantec, i get the stupid dialog box telling me the program has to shut down. what gives? i just kept trying until the log file showed that it'd managed to modify the registry before getting shut down, then i searched for all files with "msblast" in it and deleted them. anything else i should do? (can't install linux cos this isn't my computer)
No, I shouldn't. This worm isn't clogging up bandwidth or DoS/DDoS attacking routers and web servers like Code Red and Nimda did. This is just making WinNT and greater workstations and servers (should you actually be using a Windows OS on a server that isn't heavily protected) to reboot.
I run an ISP in Virginia, it's nailing all of our Windows XP users.
the site loaded for me last night but looks like it's being really slow right now.. is microsoft feeling the slashdot effect??
I work at an ISP, and over half of our tech support calls yesterday were because of this worm. You wouldn't believe the number of people who thought we were somehow going into their computer and not only kicking them off the internet, but rebooting their computers. (Yes, sir, the tech support staff feels horribly underworked today, so we thought we'd make things more exciting and pi** off a few customers in the process.) I hope they find the person involved and perform medical experiments on him.
This tagline is copyrighted material. Please send $10 for an affordable replacement.
This is not an email virus. It is an RPC exploit.
The virus comes through tcp ports 4444 and 135, UDP port 69. FWIW, win98 and earlier don't use the RPC 'feature'.
Then try, really, really hard to stop laughing...
Cheers,
Ian
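The grep pipeline earlier in the thread (`grep "DPT=13[5-9]" messages | grep -c "Aug 12"`) and the port list just above (TCP 135 and 4444, UDP 69) both describe the same thing: recognising Blaster traffic in a firewall log. The following is an added example, not code from any poster in this thread; it runs over constructed netfilter-style LOG lines (sample data, not real traffic) and the category names, the sample addresses and the `counts_by_day` / `naive_grep_count` helpers are my own. It parses the `PROTO=` and `DPT=` fields instead of pattern-matching the raw text, so it does not suffer from the over-count the unanchored `DPT=13[5-9]` pattern produces (it also matches DPT=1350 through DPT=1399), and it flags sources seen on all three ports the thread names.

```python
import re
from collections import Counter, defaultdict

# Constructed netfilter-style LOG lines (sample data, not real captured traffic).
# The field layout follows the "DPT=" strings the thread's grep looks for.
SAMPLE_LOG = """\
Aug 11 03:12:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1034 DPT=135 SYN
Aug 11 14:05:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=2210 DPT=80 SYN
Aug 11 23:58:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1035 DPT=139 SYN
Aug 12 00:01:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1061 DPT=135 SYN
Aug 12 00:01:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1062 DPT=4444 SYN
Aug 12 00:01:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=1063 DPT=69 LEN=40
Aug 12 09:30:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=3301 DPT=1350 SYN
Aug 12 14:40:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.40 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=135 SYN
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def classify(proto, dpt):
    """Map a (protocol, destination port) pair to the Blaster-related ports the
    thread names. Category names are this example's own, not a standard."""
    if proto == "TCP" and 135 <= dpt <= 139:   # RPC/DCOM probe (135) plus the
        return "rpc_scan"                       # neighbouring ports the grep counts
    if proto == "TCP" and dpt == 4444:          # shell port the thread lists
        return "shell_4444"
    if proto == "UDP" and dpt == 69:            # TFTP, used to move the binary
        return "tftp_69"
    return None


def parse_line(line):
    """Return (date, src, category) for a LOG line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return f"{d['mon']} {int(d['day'])}", d["src"], classify(d["proto"], int(d["dpt"]))


def counts_by_day(log_text):
    """Exact per-day counts of Blaster-related hits, keyed by category."""
    by_day = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2]:
            by_day[parsed[0]][parsed[2]] += 1
    return {day: dict(c) for day, c in by_day.items()}


def naive_grep_count(log_text, day):
    """Reproduce the thread's grep pipeline. The unanchored pattern also
    matches DPT=1350..1399, so this over-counts whenever such ports appear."""
    return sum(1 for l in log_text.splitlines()
               if re.search(r"DPT=13[5-9]", l) and day in l)


def top_sources(log_text, n=3):
    """Noisiest source addresses across all Blaster-related categories."""
    c = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2]:
            c[parsed[1]] += 1
    return c.most_common(n)


def sources_with_full_sequence(log_text):
    """Sources seen on all three ports (135 probe, 4444 shell, 69 TFTP):
    much stronger evidence of an infected peer than a lone 135 probe."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2]:
            seen[parsed[1]].add(parsed[2])
    wanted = {"rpc_scan", "shell_4444", "tftp_69"}
    return sorted(src for src, cats in seen.items() if cats >= wanted)


if __name__ == "__main__":
    daily = counts_by_day(SAMPLE_LOG)
    for day in ("Aug 11", "Aug 12"):
        print(day, daily.get(day, {}), "| naive grep:", naive_grep_count(SAMPLE_LOG, day))
    print("noisiest sources:", top_sources(SAMPLE_LOG))
    print("full 135/4444/69 sequence from:", sources_with_full_sequence(SAMPLE_LOG))
```

On the sample data the naive count for Aug 12 is 3 while the parsed RPC count is 2, because the DPT=1350 line is swept up by the prefix match; on a real log with thousands of lines that kind of inflation is easy to miss when the only check is a single number. To use it on a real `messages` file, read the file into `log_text` and drop `SAMPLE_LOG`.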
Have fun patching, windows lusers. Maybe linux isn't ready for the desktop, but this goes to show that windows isn't ready for the Internet.
I have to say...this worm is gettin around unlike any that I've seen before. Checking last night's firewall logs on my box at home I can see that I'm being scanned about twice a minute, though it tapered off a bit after midnight. Still, 517 port 135 scans between sunset and sunrise is a tad more than I'm used to.
I've had two or three people get ahold of me so far trying to remove it...Not too hard on 2k/XP machines. The shutdowns can be prevented by popping up Task Manager and killing msblast.exe's process, "windows auto update" from HKEY_LOCAL_MACHINE--Software--Microsoft--Windows--CurrentVersion--Run. After that, it's just a matter of deleting msblast.exe from %SYSTEMROOT% and tossing on the patch. Alternately, Symantec's removal tool is nice too.
Happy patching!
Yeah... nothing like that.
Other of course than the multitude of root kits out there, sendmail holes, bind holes, apache holes, anything else holes.
And yeah. Linux 7.2 - guess you haven't been around long enough to remember.
RTL Z (national television, all day business news), the Netherlands, this afternoon:
It was said that if you valued security, Microsoft wasn't the best solution. You'd be better off with Apple or Linux.
This could very well be a (another) turning point for linux. Of course, by the time something like this happens to Linux, everybody is going to run the other way again, but it could give OS some inroads.
the pun is mightier than the sword
Still tries to bring down Windows Update, but now it gets Slashdot to do the dirty work for it!
-Trick
Man, it's almost as bad as that Teddy Bear virus *cough*
Just set up a batchfile with the following:
shutdown /a
The /a switch throws the shutdown into Abort.
Of course, if you're getting hammered this isn't going to help much.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
...seriously...when are people going to get it? Windows is swiss-cheese bloatware. What good is an easy-to-use system if it breaks all the time? I can't decide what is more stupid: not running a firewall, not installing your patches, or running windows in the first place. --"I've never paid for a copy of Windows. I switched to Linux because I felt I wasn't getting my money's worth"--
While you should have the MS03-010 patch installed, it is the wrong one for this worm. Make sure you use MS03-026. This is the patch that it links to in the removal tool link.
There was even a Slashdot article about the exploit. It was such a big deal because it was the first and only vulnerability for Windows Server 2003 so far.
All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.
If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...
"Sufferin' succotash."
Install now
karma capped
Windows is easier to pick up, but just as hard, possibly harder, to maintain than *nix. So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day to day.
Combine that with the sheer number of sever and critical patches MS expects you to apply, each of which must go through regression testing before deployment, and you can see why sticking the ol' head in the sand looks appealing...
J.
You're only jealous cos the little penguins are talking to me.
1. Ctrl + Alt + Delete on windows xp and kill the msblast.exe process.
2. Open Windows Explorer, go to the C:\Windows\System32 folder and delete the msblast.exe program.
3. Start > Run > Regedit. Hit Edit then Find and type in msblast and remove the key in your registry.
4. Reboot.
5. Install the patch (Why didn't you do this during the month before you were hit with this poorly coded POS?)
6. Virus scan. Free online virus scan at http://housecall.antivirus.com.
Real simple folks.
amazingly, MSFT stock is still up on the day.
It's ironic. SCO has to spend big dollars on high priced legal help to spread FUD. Microsoft simply has to hire cheap, fresh-out-of-college programmers to write lazy code that lacks input boundary checking :-)
The Cert advisory can be found here
Start\Settings\Control Panel - Administrative Tools. Services. right-click "Remote Procedure Call (RPC)" hit Properties. click the Recovery tab. set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". that will keep it from trying to reboot as you clean. good luck.
Looks like I'm going to have my work cut out for me today. I work in a computer repair shop, and every time stuff like this happens, it turns into a madhouse. Last time it happened was over Christmas time, with Yaha.
Bah.
here are some nice screenshots i made on the msblast and the hidden message "I LOVE SAN"
who wants to rule the world?
According to the Beeb and their article once on a "...machine the malicious program also launches an attack against the Microsoft site that holds a software patch that keeps the worm out."
Nice twist of fate
Jaj
Every Windows Sysadmin should check these sites daily:
TechNet
TechNet HotFixes
And
WindowsUpdate
It's really that simple. Check daily for patches on your software, patch it, reboot, get back to work.
Debian
I've been trying to get relatives to fix the Windows DCOM security hole. At least two so far have said "oh! I didn't realize that was a security problem!" They thought the RPC service failing and causing a machine reboot was your everyday "bug", and since it just rebooted the machine (and even gave you 60 seconds to finish up what you were doing!), that it wasn't a big deal.
I think the 60 second thing is seen as a feature - along the lines of "see! Windows knows when its going to crash and lets you save your work first. Like the computer on Star Trek telling you how many seconds until there is a hull breach."
All of them heard the news about a security problem. None of them connected it with the problems they were having.
Finally, to make matters worse, Microsoft's page talks about patching the system, but says nothing about removing the worm. This is problematic since, as noted above, it can sometimes be pretty hard to download the patch if your computer wants to reboot in the middle of the download.
Some of our infected systems are getting the error "svchost.exe has generated errors and will be closed by windows" when opening outlook 2000. In addition, the control panel icons are in 2 rows with the scroll bar about a third of the way across the window, the remaining area of control panel window is blank white space. Add Remove programs is all messed up, can't be used, nor can "Computer Management" though "Users and Passwords" seems to work correctly. These systems are infected but so far, running the removal tool and the RPC patch does not fix these symptoms. Is this a separate virus, "part 2" of the payload, or what? Anyone else ran into this and have a fix?
"Eagles may soar, but Weasel's don't get sucked into Jet Engines!"
To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened to)
Now you can actually *see* when the worm tries its futile attack on your superior OS.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Seriously, best current practices dictate that before a compromised machine is reconnected to the 'net you:
Getting the patches without a 'net connection is left as an exercise to the reader.
..anyone combined the RPC-vuln with the recent Cisco IOS denial of service vulnerability?
Think about it.. What if the worm would have first infected X couple of other computers, and then DoS:ed every router in sight? Not a pretty sight, I say.
http://bbspot.com/News/2000/11/linux_bash.html
Now, it may just be me, but putting an easter egg in a virus is just kind of cute.
- WrexSoul
\/.
vvv
I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to do that. I just pushed the date back one year, and the shutdown is postponed a year! then you can run a full system virus scan, and repair tools
Regards/
JP
The facts expressed here belong to all, the opinions to me. The distinction between fact and opinion is yours to decide.
I know this is Slashdot and all the Linux users need their daily affirmation that they are right, but guys, lay off the common user. To expect someone over dialup to have Windows XP patched with the 200 MB of updates since XP came out is rather harsh. I know this hits more broadband users, but working in tech support, we have seen a fair amount of dialup users get hit as well. So before telling the everyday user to switch to Linux for their home machine, maybe we should get Microsoft to check their product for problems before shipping it out.
1. Get ahold of 233 MHZ box. Go ask your friendly SysAdmin who is very likely to have one of these lying around. Make sure you get a second NIC. 2. www.Smoothwall.org Linux firewall that is configurable via web interface. 3. Put firewall in between Windows and the internet. 4. PATCH YOUR WINDOWS BOXES. *me sees a picture of a big mean looking tux with Windows logo cowering behind it*
that if you do that, people (slashbots in particular) will turn around and scream bloody murder that MS is installing binaries automatically, which is of course "evil" on this site.
Though MS03-010 is included with Service Pack 4, MS03-026 is required/'can be installed' on either SP3 or SP4.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Another quick fix if you don't have enough time to apply the patch before shutdown. Go into Administrative tools, Services, find the RPC service. It gives you options of what to do if it unexpectedly dies. By default, it is set to shutdown after 60 seconds. You can change this to "Do nothing". Make sure you set it for the 1st, 2nd, and 3rd warning. So basically now it will die, but it will go unnoticed.
I have a feeling that there might be people in my area that have this virus. "Network Associates said that many home broadband users were reporting heavy traffic on their net connection as a result of being infected by the worm." BBC news. I normally get 200k/s and it's not like it is late in the evening, it's 8:30am and I was getting 10.1k/s. I should have the patch and all so I'm not too worried
...this worm was created by some group like the US Government's Department of Homeland Security to avoid a nastier exploit later? Nothing forces people to install a patch like forced reboots after 60 seconds. Aside from the reboot, the worm is harmless... the lack of damage done seems suspicious.
My wife calls me upstairs last night.."The machine keeps shutting down".. Me: "what" *looks at task manager* Task Manager: msblast.exe Me: "Why isn't the firewall turned on?" Wife: "I Hate having to answer all of its questions, so I turned it off." Me: AAAARRRGGGHHH
To make sure it is up...
"your ISP is nailing WinXP users? Deliberatly? Cool!"
Even better. All of them are female.
Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool."
Not really... there have been several reports that the thing has flogged machines so badly that it might not be even possible to connect to windowsupdate/any other internet site. For proper removal instructions, take a look at CERT's advisory or Trendmicro's KB
My other OS is the MCP!
I welcome our new Skynet Overlords.
Oh, come on, people. He threw you a bone for fuck's sake. Linux 7.2? Sheesh!
Welcome to the corporate world. All things, including service packs, must be tested on all platforms with all applications before being deployed into the environment.
We don't have a couple dozen windows boxes. We have a couple hundred thousand. Patching is *painful*. We're not talking purely servers that are affected--standard workstations. Servers get patches at a much faster rate than the user desktops.
Even after the 4-6 months goes by and the patches get the official blessing for end-user install, users don't like watching the service packs run for half an hour when they login. Besides, who trusts the users to sit around and let them install without playing with stuff.
So....We filter internal site connections to try and contain infections, and work as quickly as possible to mitigate the risks of downtime for system updates vs. the risk of collateral damage (outages) caused by Microsoft's weak code and security practices (AKA bug).
After two years, we're almost done with the Windows2000 conversion, but Microsoft has already been pushing for immediate XP deployment for a year...
Why aren't they all patched? Because nothing moves fast in large installation bases.
My friend got hit by one of these guys last night, and I tried (long distance) to fix over the phone for a few hours but there is still a problem. Norton detected two viri: msblast and tftp3088 (I) deleted msblast from the HD, and removed all msblast registries. Updated XP with the latest patches. Stopped start-up processes. The problem is that while in regular mode, when trying to start task manager it starts minimized (iconified) and it allow you to maximize it. When trying to start regedit or msconfig, the program appears for a second and then disappears. Tried a maximized-task-manager registry patch, but when trying to install it the same disappearing act happens. Everything starts o.k. and maximizes in safe mode. Anyway, anybody knows anything about the tftp3088 problem? Google/yahoo returns nothing. Any ideas?
Absolutely zilch so far. I'm sure other major worms have shown up as a big spike. Move away folks, there's nothing to see.
When I am king, you will be first against the wall.
Love your sig
It's a great song!
I would like to say that constant updating and patching my Windows desktop protected me. I would like to say that my Linux firewall kept the bugger from penetrating my systems. Although both of those things probably protected me, truthfully, the main part of my protection yesterday when the worm hit my subnet was that my ISP suffered a major outage due to the worm. I was knocked off the internet for 12 hours during the brunt of it. Thank goodness for inefficiency!
Well, there's spam egg sausage and spam, that's not got much spam in it.
How can fairness of a rather small group of moderating readers be better than fairness of the whole group?
Doesn't it sound like "according to the result of public polls, the decisions of the government are more democratic than average public opinion"
We've have a bunch of people where I work whose clipboards are getting screwed up (aka. copy/paste doesn't work). I'm pretty sure it's related to this virus, but I haven't seen any articles associating the two. Has anyone else heard of a similar symptom?
"This could very well be a (another) turning point for linux. Of course, by the time something like this happens to Linux, everybody is going to run the other way again, but it could give OS some inroads."
Depends. If it comes out in the wash that this was written by someone affiliated with Linux. Then all this could backfire. "Gotta watch out for those geeks. They're dangerous".
Yes, yes, I know, this is /. and we all know this. My point is that the mainstream press is starting to make the distinction now.
thanks to this worm, i've noticed a dramatic decrease in the amount of spam i'm getting - roughly 150 to 200 per day is trapped by my spamassassin install. Today, only around 10 spams.
The university of hull has been hit really hard by this worm - it seems to have caught the sysadmins with their pants down. The whole campus is infected which is several thousand machines. The library can't issue books and only a few computers remain virus free. Why couldn't they have installed the patch or indeed blocked it at the firewall and routers - it's cost most people here a day's work and there's a lot of people ready to lynch the sysadmins.
The removal tool crashed on my (non-infected) Windows XP Pro, so don't count too much on it! Actually it crashed while opening a particular zip file (shown in the tool status line after the crash) and started to work fine after I removed that file.
download this security update
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Time Warner seems to be blocking port 135 now or something...I had hundreds upon hundreds of scans from other Roadrunner users last night, but not a whisper since I checked this morning.
I get enough junk mail as it is. I don't want to be reminded of people who are too stupid to patch their computer. Besides, it wouldn't work. Even though "the most clueless of windows users can click on a link and then click the 'Yes' button", remember that they DON'T. Windows update comes by default set up to check for updates periodically...then the screen pops up and asks you if you want to update. Unfortunately, the screen also gives you the option to turn off windows update, and that's what the clueless people choose, because they don't want to be "annoyed" by it.
Instead of bothering me with e-mails, Microsoft should remove the option to disable Windows Update from the "first use" screen. If you can't figure out how to go to system properties and disable/reschedule your windows update, you're not supposed to have it disabled. I think that would maintain quite a few computers with up-to-date patches.
Warning: Opinions known to be heavily biased.
Will this update run under Wine?
SecurityFocus says no MacOS EVER exploited once!
Firewalls have NEVER been required to prevent remote exploitation on a Mac. And yet pcs have had numerous exploits, other than this RPC exploit, firewall or not.
I find it both sad and amusing that some people still do not know that there are more secure platforms for webserving, adn indeed browsing.
It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet.
The MacOS running WebStar and other webservers as has never been exploited or defaced, and are are unbreakable based on ample historical evidence.
The Client OS for Mac (Mac OS) is equally devoid of any known remote exploits in internet history.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.
For years, except, for the last few weeks, the army has always used MacOS and has never had a breakin on a Mac. Unlike their other MS defacements.
http://uptime.netcraft.com/up/graph?site=www.army.mil
That is why the US Army gave up on MS IIS and got a Mac for a web server years ago.
I am not talking about FreeBSD derived MacOS X (which already had more than 30 exploits and potential exploits in BugTraq) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.
Why is it hack proof? These reasons
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they
Oh right. Forgot. No MacOS X Viruses. Or worms. Or trojans.
Sorry about that.
Alternative "fix":
1) insert knoppix cd in drive
2) reboot computer
3) activate booting from cd in bios
Of those to whom much is given, much is required.
7.2??????? - I thought 2.6 was still in testing.
I got my DSL a month ago and all this time I only had 1 single port scan on my machine. But in the last 12 hours alone my firewall logged more than 650 attempts on port 135; that's on average 1 attempt every 2 min. I checked some of the IPs using ip2country and they seem to be coming from the US mostly but some from Korea, Australia, the UK, practically all over the world (I live in Sri Lanka). I mean I have never seen a virus spread so fast. People are going to have a long think about Windows security after this. I mean sure MS issued a patch and everything but the average person doesn't really check security bulletins and stuff and this virus will spread really fast. Lucky thing I configured my firewall to block these ports a month ago :).
http://trenzterra.yupapa.com/
there is a link about a new worm on www.trendmicro.com: WORM_RPCSDBOT.A
Does anyone have any other info?
Because I was afraid that a new patch would CAUSE a problem (as they frequently do) and leave my system less stable than before. I guess I learned my lesson, install any piece of crap MS tells you to.
If we were to download every patch Microsoft told us to we'd have 30 GB of patches in a couple of months. I personally secured my box upon install and never intended to get patches from Microsoft.
The fact that I'd have to go looking for this patch instead of being notified personally means that this is Microsoft's fault and not the users'.
think about the people on dialup who don't want to spend all their time downloading 30mb patches every day (because believe me there's almost a new one every day).
i got hit once before blocking msblast.exe which i took to look very suspicious.
Won't print the payload, but it's an RPC call so what is the point?
--
iptables -I inetin 3 -i ppp0 -p tcp --dport 135 -j DROP
iptables -I inetin 4 -i ppp0 -p tcp --dport 139 -j DROP
iptables -I inetin 5 -i ppp0 -p tcp --dport 445 -j DROP
--
where inetin is your incoming rule chain, 3 is the position to insert it, ppp0 is your Internet facing interface.
Then zero your chain counters
--
iptables -Z inetin
--
And then watch them go up using
--
iptables -L inetin -v
--
PS: it's not really a good idea to cut and paste, then compile and execute as root, code from a Slashdot post, unless you understand exactly what it is doing.
I run an entire city govt network in Texas (~1000 computers). The worm ain't doing diddly-squat to us. Why? Because, like a nazi gestapo control freak, I have the access-lists-from-hell on all my routers, I have thorough and up-to-the-minute updated antivirus products with multiple layers and multiple brands of protection. I keep all my machines patched up to date as well. I do not allow my internal machines routeability, or even NATed routeability, to the wild public Internet. Everyone who must have access to the outside world has to go through one of my proxy servers. I've also got multiple iptables boxes serving as firewalls. I've got a PIX box sitting idle in the rack gathering dust because I do not trust it.
All you have to do is stay on top of things, and earn your keep properly in this IT world, and you can keep your network clean too. If you're a lazy slob or a moron sysadmin, well you get what you deserve.
Conversation with my sister over AOL IM this morning
my sister: hey, something is wrong with mom and dad's computer
me: how so?
my sister: it says there's a remote RCP worm and it shuts down... only happens when they go online
me: doh
does anyone read the frontpage ?
here
and they wonder why people won't subscribe to this site when the editors can't even scroll down the page
I agree about the download sizes. I patch our corporate systems and in the past year I have about 22 installation packages for vulnerabilities rated at the Critical level. Configuring new workstations without an imaging application definitely takes awhile!
My thinking is that since the burden falls on Microsoft for providing tighter software they should ship out CD sets of patches on a monthly basis. Kind of like those TechNet CD subscriptions I recall having back when I thought my MCSE was the cat's ass!
If you have applied Win2k SP4 then you should already have this patch applied. Just an FYI. /me is sitting happy behind an OpenBSD firewall.
Don't forget that with MSCONFIG you can simply disable "msblast.exe" from starting up, then it stops.
;)
My wife got hit with it yesterday (she does most of the customer emails, so I'm sure it came from one of them) and she was even using Mozilla
I knew something was up, and google didn't have anything on "msblast.exe" so I figured it was something new and glad to see she wasn't the only one who contracted it.
People are saying that the admins should have installed the patches, and that not doing so is being lazy/inexperienced. The only thing I found surprising about people not patching, is that they actually had to do this manually! Am I the only one that thinks that any secure system should have an updater to notify people of the patches and let them easily install it? How hard would that be, and it /is/ MS's fault after all. Maybe I'm just spoiled by OS X's "Software Update" util.
To World: owned
Love, Blaster
Now, I didn't get hit -- between the firewall, ZoneAlarm and the patches, I think I'm Ok.
Design for Use, not Construction!
For once using Windows ME pays off!
And of course it should read:
"This shouldn't bother me - the user - at all."
On the other side of the screen it all looked so easy.
Do you like BSODs?!? Don't you wish you could leave the server room for 5 minutes?!? Aren't you sick of data corruption??!
I wrote Win32 Blaster, and since installing it on our server, we haven't had any of these problems that plague Windows boxes around the world.
Being the nice guy that I am, I wrote some "Automatic Update" code, and fixed all your machines. And you call it a virus and complain about it.
I'm not helping you anymore... fix your own damned problems.
-1 Uncomfortable Truth
My friend(he's not the best with computers, but he knows a little bit) got this yesterday. I was looking around for what it could be, and this morning i found about Blaster.
Unfortunately in the meantime, he tried repairing his computer with the Dell repair disc, and ended up reformatting his hard drive, getting rid of all his data. Plus he lost his Windows XP activation code.
I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.
My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.
Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.
We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.
When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.
At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.
So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.
Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.
And we're lucky. All our boxes are at one location. I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.
The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequately test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.
Suffice it to say that if a company is trying to sell you something based upon the FUD factor, treat the information as suspect. I agree, vendors whose software doesn't sell on its own laurels hype the hell out of the FUD factor and give the industry a bad reputation. But don't lump these vendors in with the security consultants that are trying to provide a free service and free advice based upon information that is going around in the security community.
When you get security information, consider the source. Is the security information provided with a sales pitch attached? If so, google the information to determine if it is FUD or legitimate. If it's legit, it'll pay to listen.
Regardless, people, patch your *#&($*@& machines!
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
All these crappy Microsoft net-enabled 'features' turned on by default are a menace to the average user and the Internet in general.
Please block TCP/UDP Netbios ports 135-139, as well as SMB over TCP(port 445), RPC over HTTP (port 593), the MS-SQL port the Slammer worm used (port 1434).
And I am sure there are many, many more.
If you already have the service pack mentioned in this Slashdot article, then according to the Microsoft security bulletin linked in the article you already have the fix. So you might as well get the whole service pack while you're at it.
======
In X-Windows the client serves YOU!
The company I happen to work for got hit hardcore and lost bucketloads of money... I find this hilarious being the DR guy. I told them about the hole and the patch when it came out and what it was when it hit. What drives people to not acknowledge the obvious? I think I'm going to quit, and find another job. Is this a common problem in fairly large companies?
If you're not living on the edge you're taking up too much space.
I can appreciate problems like this. I haven't been responsible for server admin in a large organization since before security became such an issue. But I would think there would be a plan to patch internet-facing systems first with a package like HFNetChk or PatchLink or whatever.
Most patches can be put off because of other safety practices which can block the attack, but others, like this one, really need to be given priority.
BBC: Hidden inside the worm are two messages. One taunts Microsoft chairman Bill Gates and reads: "billy gates why do you make this possible? Stop making money and fix your software!"
why is this message "hidden"?
why not have the worm install a desktop wallpaper saying this? and a picture humiliating him in some way?
Think about this scenario: a perfectly competent administrator has a properly configured firewall which blocks the problem. The "road warrior" brings his laptop back from 3 weeks on the road and had used a bunch of hotel access points where he got the worm. He connects it to his docking station in the office, effectively bringing the problem behind the firewall.
I had to reinstall XP on my home machine because of an unrelated problem. After rebooting so I could apply the patches I got the RPC dialog on the XP Welcome screen first time in while it asked me if I wanted to go through the tutorial. I think I just learned all I need to know on the subject.
But this got to be bad.
Heard some rumors that the routers belonging to the biggest ISP over here, which has pipes going out of the country, are all blocking port 135 by now. Maybe they should block 4444 while they're at it.
How small a thought it takes to fill a whole life
Because ever since 1995, I've been told that Microsoft knows better. That I don't have to worry about anything; all I have to do is to click away. I am well aware of the fact that I'm lazy. I don't want to scour the Internet for the latest patches, and after reading scary stories about how the autoupdate disables third party software, I refuse to have it turned on.
To make a long story short, after all those years I must admit that I'm the perfect example of a computer user that the big corporations like: oblivious to any change, paying for a new PC every three years, which comes with pre-installed software, and oblivious to any additional restrictions that the new software places on me. And as long as my computer works, I don't really care; I place the responsibility on the software publishers. Finally, when anything goes wrong, I pick up the phone and dial an 800-number. And believe it or not, there are millions of users, just like me. We are the ones who allow these worms to propagate; an unintended consequence of the brainwashing we received from large software publishers.
One of the first things I disable in Windows is 'automatic updates', and a lot of people think it's intrusive and won't use this feature. However, the patch for this exploit has been out for a month, and yet thousands of users are getting affected by this, me included. If people did allow Windows to automatically update, or even took the time to update it themselves, this problem wouldn't have been nearly as bad. Having said that, who here trusts Microsoft?
Download this security update.
Where's the Linux version ?
:wq
Hey guys, If worst comes to worst, you can just run system restore...you don't have to download the patches (but it should work if the firewall is on). System restore works - my dad did it on this computer: Dad: The machine kept freezing all over the place (suspicious of me screwing it up). Me: Oh? Dad: Yeah, but I ran system restore. too bad this was two days ago, before the worm info hit the net
... Ian?
I swear, even here in Dallas TX, I've met four different British techno geeks recently and all four of them are all named Ian.
I guess I should be thankful, they aren't all named Bruce instead.
Perhaps this is one of those extremely rare occasions where an anti-virus virus should be released. Windows users all agree to an EULA that says Microsoft has the right to install updates on their computer. If anyone has the legal right to create and release one, it's Microsoft. As that guy mentioned, it may be hard for many people to download the patches on their own because of reboots.
There are some legal issues associated with portscanning though.
The Windows vulnerabilities and patches are generally worse, larger, and more frequent. They also tend to be fundamental problems with the O/S itself, not with applications, and if you agree that IE is part of the O/S like MS claims, then the situation is even that much worse. Most Linux updates have to do with apps running, not the O/S itself, and the download patches tend to be much smaller in size, and are needed less frequently.
Let's go back to the 1970's and blame Pinto drivers for their cars blowing up.
Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.
Well, we patched what we could, and moved most critical services to Linux, but there's still one or two machines running NT. And it's only a matter of time before some luser slips a copy of this worm past our firewall....
Considering the amount of infrastructure that depends on NT4, doesn't this intentionally put the US at greater-than-necessary risk? It'd be fun to see M$ tried under the new anti-terrorism laws.....
would prevent the worm from copying itself to your system?
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
The easiest way of downloading the patch/fix before getting rebooted is to just enable the crappy firewall on your Windows internet connection, then connect to the net and download the patches. This way you aren't being rebooted and you have time to fix..
The Good Life
From Microsoft:
Affected Software:
. Microsoft Windows NT 4
. Microsoft Windows 2000
. Microsoft Windows XP
Patch availability:
. Microsoft Windows 2000
. All except Japanese NEC
. Japanese NEC
. Windows XP
. 32-bit Edition
. 64-bit edition
Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?
Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future.
Karma: Bad (but who really cares anyway?)
blaster virus (C) slashdot user #823980. do you want to shutdown today?
Case in point: say you need a security patch rolled out on all the production machines. Say your platform of choice is FreeBSD. I'd do it like this:
A central build farm builds updated worlds and kernels for all the types of machines. That is its sole task. The kernels get distributed to the right machines, which use rsync to sync their kernels, modules and worlds when they need to.
The same buildfarm builds updated packages which get pkg_added from a central repository. This too can be done in a scheduled fashion.
Then, the configurations of all the machines get synced up with cfengine if need be.
There you go... Almost hassle free corporate wide rollouts of updated software/patches. I've built such a system once to maintain 20+ FreeBSD machines in a webserver and build farm. And the way it worked scaled beautifully. The FreeBSD boxes never had a ports or a world/kernel source tree.
Sure, it's a few days work to set up, and it'll probably take some weeks of initial testing, but once you get it working, you hardly have to touch it anymore. Heck, with a little elbow grease you could muscle it to work with other *nixen.
Unix has the way in(tm)
Actually - it's all of us that are the problem. In fact those of us that like tech may be the bigger problem, because we're the ones who keep encouraging more and more computer use. Nowadays you have to be able to use a computer, but few people have time to learn to do it properly. My parents and grandparents will never be tech-savvy enough to deal with Windows - but what other choice do they have. Don't know how integrated your city is but here in T.O. it costs you money not to have a machine. For example:
Job hunting - increasing numbers of places only accept resumes via e-mail (plus try working in an office with no computer skills).
Banking - internet banking is free, tellers cost $2.00, phone banking & bank machine cost $1.25.
Government - Many services are free online but cost if you go in person or request something via mail (not to mention the time wasted in lines).
411 - costs $.65 to $.75 whereas online phone books are free.
Taxes - You get your refund in two weeks or less if you file online. It can take two months if you file on paper.
These are real examples of actual cases where not using a machine costs a person money - yet how can we expect someone who works full time and is sixty or seventy to learn something that took us years (no matter how much of a techie you are, you weren't born knowing how to code and if you think you were good within the first five years of ever seeing a machine - you're kidding yourself). These people need an operating system that is universal, so they can talk about it easily and learn from others. Most importantly so they can build on their experiences rather than have to learn something entirely new each time they interact with a machine. Imagine taking a plane and having to learn to speak a different language each time you flew over a new country. What we need is a UNIVERSAL OS that belongs to no-one and is as easy to use as Mac OS or Windows.
This is what we should be calling for - expecting people to be computer competent is like expecting everyone to know how to give CPR, you can't so you have EMTs & doctors. So where is our UNIVERSAL OS? Stop worrying about $$$ and copyrights and work towards the common good.
Don't get overexcited. To most normal people, computer==windows and vice versa
That is correct. Just like in that movie Demolition Man where, in the future, the only restaurants that exist are all Taco Bells, all computers are already now Windows.
There are a lot of people that try to reach it only to be whipped back by the virus after 2 minutes when the PC restarts.
It is very hard to download an antivirus/patch when you are infected.
windows updated (wup) is getting its beating now!
The Microsoft patching process is INCREDIBLY intrusive.
If you've got servers running, then the downtime caused by several reboots can be quite a pain for everyone concerned. If you have several Microsoft updates in the queue, it just gets worse.
Microsoft has a CHRONIC reboot problem. Although my iMac requires reboots for sometimes trivial updates (like Samba, or Airport software), most don't. And Linux--well, I run a nest of Debian based systems that rarely get rebooted at all. Even after apt-getting critical security updates, almost NONE require reboots (only kernel updates and such).
It CAN be done. Microsoft's patching system is painful, clunky and extremely intrusive. Can you see now why even sysadmins don't want to be bothered? Especially when Microsoft's only response is to make the rebooting FASTER!
Got this worm a couple weeks ago. Back then, nobody knew about it. Not even MS tech support. I formatted. The thing had disabled Ctrl+Alt+Delete, msconfig, and even made it so I couldn't boot safe mode!
Help Fight SPAM today!
DO YOU SPEAK ENGLISH?
Oh yes, or I could have meant to type RedHat 7.2 instead. Whoops.
-- Hulver's site
Sounds fair to me.
I don't have a problem with it.
Smut peddler joins Californicate race
Anti SCO T-Shirt. $1 donated to Open Source Now Fund on each shirt.
FUD... of course it won't "Halt The Internet". Do you work for the National Enquirer making up headlines?
It is slowing the Windows Update Site somewhat but I've downloaded some optional fixes today just to see if it's still up: worked fine. Either they've got a pipe the size of Niagara Falls (and some Superdome Servers) or this virus/worm, despite being kind of cool, really isn't very effective.
And even though I know it's redundant it bears repeating: PATCH YOUR F@#KING MACHINES if you haven't. And I'm tired of Dial-Up being an excuse: get Broadband if you want to be on the net.
Hmm... Doesn't the Windows Update site use an installable program through its browser to check for updates? How's that patent war coming along?
Everyone moans that Windows users are stupid because the update was issued ages ago, and there's been however many notices about it on ZDNet and ./, yet still loads of people haven't patched.
Wanna know why? Lots of people don't read ./ every day and perhaps, maybe just a little, ./ has a strong *NIX community base?? Don't know where I get that idea from but it kinda suggests that not every Windows user will see the article. Besides, it's boring having to read security notices, then follow the link to M$ only to find that you have to scour the site for the actual download you want because you somehow arrived at the non-Japanese cross-Italian half-German Windows 2003 patch page.
I remember when the SQL Slammer came out, the Microsoft site was a mess and it was a mission to find the patch you wanted, total disaster. Even now I follow the link on ./ about this worm and can't find any reference to Windows 2003 Server on the KB article (Why the hell not?). Surely M$ want to promote the fact that they've patched their shiny new OS? And I don't care if I've come to the Win2k or NT4 page, I want a link to the 2K3 page 'cause I'm ignorant and lazy (I'm a Windows user). Where's my spoon, I need feeding.
I spent ages trying to think of sig, but never did
Wonder if Bill Gates' estate's security system has Linux boxes running the show? If not then he better be peeking at the camera monitors like the end of Scarface!
I was experimenting with nessus several months ago. I unchecked the "safe checks only" option and ran it against a series of internal Windows systems and crashed RPC. I thought "wow, this could be really dangerous if nessus'd a range of public IPs."
Congratulations. Give yourself a good pat on the back.
Oh, you just did.
Believe me, it's high on the priority list now.
We have a couple sites just treading water with the traffic overflow. This kind of thing really impacts the bottom line and can cost the company money because it disrupts operations. Of course, it usually comes down to someone using an unsanctioned internet connection or using a laptop on the public internet and bringing it back infected.
My site is nice and calm. No impact as of yet (no open 4444 ports or odd traffic), but I know the majority of the systems are unpatched. With just me and several hundred systems stretched out over about a square mile, it takes 2-3 hours just to walk by all the systems (not to mention those locked behind doors), I can only keep doing the normal stuff and hope the sky doesn't fall any worse locally (or I won't be going home today).
Since MS patches tend to break group and system policies, alter UI settings, and change things in undesirable ways...It makes these things hideous to deploy. I'm being good and anxiously waiting the next release from the people who repackage the patch install for internal use, but even then, I probably won't get an authorized directive to allow me to push the patch to user desktops...
There's the best way, the efficient way, the cheap way, and then there's the corporate way...er.. "the right way"...
Better stay an AC...
Why is *any* software written now vulnerable to a buffer overrun exploit? Isn't it possible to write drivers which don't allow this to happen?
The principle behind buffer overload exploits is ancient, predating the internet.
With modern CPUs running with memory protection, no software should be using methods that are buffer unsafe, yet we are still getting these exploits against commercial, up to date operating systems. What am I missing?
Yesterday I had just set up a computer with a Windows OS; of course, as it was just installed, there were no patches nor a firewall set up.
:)
;D
And i was wondering why this new freshly installed machine was crashing all the time with svchost.exe and RPC server.
So to avoid this kind of trouble in the future I think we should forecast such worms!
Dont trust your bastard traveling salesman husband. He just brings worms and viruses home.
Where do you see the March 26 date? Just because the number assigned to this by MS ends with 03-26 doesn't equate to that being March 26. Please elaborate.
"The bigger the lie, the more they believe." - Det. Bunk
I suppose it's too much to point out that this worm exploits a vulnerability that's already been patched by Microsoft, so that only lazy or incompetent admins are going to get hit by it.
I also suppose it's too much to suggest that any fool who has TCP 135-139, and TCP 445 exposed to the public Internet is an utter idiot who deserves to be fired, stoned, burned, crucified, sterilized and beheaded.
But hey! The solution is open source, right? I mean, no Linux admin would ever leave an unpatched service running for weeks after a fix has been released, would they?
Just keeping the Microsoft bashers honest here. It's not so much the OS's fault as it is the lazy, incompetent admins that are running the server. And Linux, BSD, and Mac boxes have their fair share of incompetents as well. Just run over to SecurityFocus and see how many exploits are available on any standard distribution or commercial OS that's out there. All of 'em have plenty of holes.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
First, start up regedit.exe and look for "msblast". You should find two entries: one in HKeyLocalMachine and another in HKeyUser. Delete both of them.
This POS is residing in C:\WINNT\System32 as msblast.exe(on Win2k); you will not be able to delete it. It runs as a process on the system, and you also won't be able to shut it down. But you can cut off its legs by disabling its ability to inherit from the system. Right click and select properties, then select the Security tab, and unselect Allow This Program To Inherit From the System. I also selected the Advanced button and chose Deny for all users and permissions on the system. It's dead now.
Always look on the bright side of life! (whistle, whistle)
I believe Windows already has this "feature" built in, it's called the BSOD... same thing, just no timer.
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
Sig is taking a break!
yesterday, regarding the worm. I was amazed how fast this virus spread... no other virus has created such a quick increase in call volume for us.
Of course, I work at an ISP... so when their Internet flakes out, we're the first thing they call. This is one of the first viruses I've seen that seems to deliberately crash your Internet connection, so rather than calling days or weeks later with some minor odd behavior, they called right away because their net was down.
I'm curious what will happen in a day when the timed DDOS goes off.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
From the Microsoft security bulletin on the vulnerability:
"This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine."
Go ahead.. Just try and convince the CIO and VP's to take that on... (such a joke)
We are migrating... From one of the world's largest Novell NDS trees to Active Directory and MS servers. Along with scrapping all the PC hardware and implementing a global managed PC, file and print services contract as well. So, we won't need any on-site support staff (self included)...
Timeline: 1 year, globally
Odds of Success: Excellent
Odds Success will be defined other than user satisfaction: Guaranteed
Odds of Delays: Also Guaranteed
The only, uhm, 'interesting' aspect of this worm is that on Friday it's going to nuke WindowsUpdate. The worm will probably never go away completely so W.U. could well be unusable for months to come. Totally predictable, of course, it's just a surprise that it lasted this long.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
The level of increase in the amount of scanning this thing is producing is amazing. According to the ISC Storm Center, this thing is now accounting for almost 80% of all inbound reports.
At the non-profit where I work we saw just five scans in the firewall logs from Sunday. Today's logs show well over 500 scans in a five hour period. While a larger site admin may think this is a trivial amount, the only comparable level of activity we have seen in the past was Code Red related.
I'm not tense. I'm just terribly, terribly, alert.
I did a search for MSBlast on my computer and deleted two files: the EXE and the PR (or something). Now, when I run the removal tool, it crashes on me. Does anyone know how to avoid this problem? (Short of getting reinfected :)
no, but this does: http://microsoft.com/downloads/details.aspx?FamilyId=94213569-3258-4439-9AE7-5D86813B4D9E&displaylang=en
Quick Info
File Name: Q331953_WXP_SP2_x86_ENU.exe
Download Size: 825 KB
Date Published: 3/26/2003
Version: Q331953
It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.
Actually, there was successful hack at least once. The server that was hacked was also running BlueWorld's "Lasso," which IIRC is an application that lets you pull data from FileMaker databases and stick it into web pages. There was a security hole in Lasso that the cracker exploited to change one of the HTML pages.
The machine that was hacked was the designated target in a "hack and win $$$" contest, and this was at least four or five years ago. I don't have the time to Google further details right now.
Having said that, Mac webservers still are the most secure. I've got two machines running webservers on OS 9.1, and I always have a hearty chuckle when I look in the logs at all the Windows exploits and other non-browser remote access attempts that are being used in vain.
~Philly
...I told you I'd shoot, but you didn't believe me... WHY DIDN'T YOU BELIEVE ME?!??!?
windowsupdate.microsoft.com has been "slashdotted" in a manner of speaking, considering the number of folks/admins/corporations that are updating right now. I'm trying to update our lab's computers, and I've had only a 50% success rate actually getting the windows update website to pull up. The other half of the time it's "HTTP 1.1/Server Too Busy"
-- I'd say your post was about 3 monkeys, 18 minutes.
Wouldn't it be better if it waited until after the DDOS on MS to shutdown your system? What good is a worm that declares its presence so quickly?
Lasers Controlled Games!
I've hit it from 3 different machines, all with different levels of patches installed, and the fix still doesn't pop up.
I just don't understand the logic behind this. Is it part of the Trusted Computing Initiative?
ISP's should by default install firewall services for all their clients, whether it be a software firewall or a hardware one.
It should form part of the monthly cost and be mandatory.
That will sort out most of the home/soho users.
Big business should know better and already have a firewall solution in place.
A slashdotting - you get the stick first and then the carrot !
A new Worm virus called W32.Blaster.Worm has been reported to the Virus Team. It is imperative that everyone on the *edit* team completes a LiveUpdate and a Manual Scan this morning. We are monitoring who has completed the scan. A list will be compiled of anyone not completing the scan today. If you have any questions you may email the Virus Team.
The basic instructions are:
1. Double-click on the NAV icon on your task bar (in the bottom, right-hand corner) - it will either be a yellow shield or a little computer with a medicine bag next to it
2. Click on the button that says "LiveUpdate"
3. Click "Next" on the following screen
4. After the update is completed, click "Finish" and then close the NAV window
5. Double-click on the NAV icon on your task bar again.
6. From the Scan menu select Scan Computer.
7. Click on the Box in front of the (C:) and select Scan.
8. Let the Scan Run to completion.
PS. This was an email sent out this morning. I work at a GIANT financial institution.
we didn't have the Code Red and this thing released at the same time *shudder* imagine what would happen if this guy(s) (or girls) seriously wanted to take the internet down instead of putting up little messages like "love you sans" [in reference to the internet storm center sans.org site??] in their code. people could seriously take down stuff if they wanted to.. makes patching all the more important. (esp. with xp being rolled out on all new computers now from stores).
Try not to let life get in the way of living.
I have a client who tried to apply Microsoft's update to her computer without removing the virus first. Now he doesn't even get to windows before getting an RPC error and the computer reboots. All the removal tools work from within windows, how do you remove the virus if you can't get to windows?
! !!
uuuuuuuuuurrrrrrrrrrrrrrgggggggggggggggggggggg!
OK. Now, in my mind, regardless of what any lists tell me, something called "Remote Procedure Call" on a home computer is nothing to leave turned on, it's just screaming for someone remote(not me) to execute(call) a procedure(shutdown) on my computer.
That, windows messaging, and remote registry connections, all gone. I have like one svchost active on my computer, and it's got FreeBSD as a residential gateway/firewall to go through. They are pretty simple to set up really, and will work on "any old hardware" that you have sitting around. Basically block all inbound traffic except return from outbound. Read up on how to make a "stateful" firewall.
When's the first computer voting machine going to be hit with something similar?
And will these problems again be explained as "user error"? (think Florida '00)
This is not my sig.
It doesn't matter how fast a patch is released if people don't download and install the patches. Again, both Windows and Linux are identical in this respect.
What you are arguing here is, "It's the users' fault": you are arguing that the users shirked their responsibility in keeping up with security updates and patching their systems as necessary.
The problem with your argument is that it contradicts the notion that Windows (in any of its forms) is "easy to use", and that has been a selling point for Microsoft's operating systems.
In other words, you can't blame the user. If the operating system is truly "easy to use", then I can't see how you can make the argument that an end-user (the vast majority of users of Microsoft's operating systems are end-users) must understand the highly technical, nebulous, ever-evolving notion of "computer security". The one to blame is Microsoft for lying that their systems are "easy to use".
I don't make the rules. I just make fun of them.
Gotta second this. I even patched any of my friends machines that I've been on just to help them out.
Seems to have done something though. I'm on a 512/512 dsl line and it took microsoft.com a full minute and then some to respond. The actual page load was fast enough though, so I'm guessing it's the connection limit. Only guessing though. It's hard to tell if it's the worm or the people desperately trying to get the patch, but the end result is pretty much the same.
... Isn't it funny that users don't patch when there's a threat that could wipe hard drives clean, but when something interrupts their daily pr0n wank with a reboot they rush at Mach 3 speed to get the fix?
"Even the most clueless of windows users can click on a link and then click the "Yes" button."
No. No they cant.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Then "no soup for you!" Microsoft has not and (at this time says) will not provide a fix for this. They claim that "the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future." WHAT HORSESHIT! So all of the Windows NT 4.0 machines of the world are open doors to this (and other) attacks. Oh, they do recommend that you put it behind a firewall and block port 135. And if you happen to be using 135, well, you're gonna have to recode and recompile any and all programs that do. Don't have the source code? Well, how good are you at reverse engineering. And be careful, it may be illegal where you live. AND you gotta trust everyone behind that firewall to not crack your machine!
Now, the karmic debt in all of this - Microsoft's Windows Update will get attacked by WinNT 4.0 every month. Mmmm. So, everyone else gets fixed and the ones that MICROSOFT want you to upgrade become easily identified as problems on the net.
Sure, one P.-off muther-F. may have written this worm to get at Microsoft. Or maybe it came from somewhere in Washington state. So, what is next? All "obsolete" versions of Microsoft products get infected with worms that will install a gigabyte of child porno and then email the police? I guarantee with publicity like this, evildoers will be using WinNT as a platform for all kind of crap from now on. Thanks a lot, Microsoft, the Crackers' Best Friend!
Here's the Microsoft spin on this from the FAQ in Microsoft Security Bulletin MS03-010 (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-010.asp):
"If Windows NT 4.0 is listed as an affected product, why is Microsoft not issuing a patch for it?"
"During the development of Windows 2000, significant enhancements were made to the underlying architecture of RPC. In some areas these changes involved making fundamental changes to the way the RPC server software was built. The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture. Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system."
"Microsoft strongly recommends that customers still using Windows NT 4.0 protect those systems by placing them behind a firewall which is filtering traffic on Port 135. Such a firewall will block attacks attempting to exploit this vulnerability, as discussed in the workarounds section below."
"Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?"
"Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."
The moral is upgrade. Upgrade and get people like Microsoft who abandon you out of your life. Upgrade to Linux.
I often wonder why it is that the folks who write worms and viruses to attack a site always manage to telegraph their intentions first, by making the infected machines do something obvious and irritating. It draws attention to the fact that the machine has been compromised, and puts the real target site on its guard. Wouldn't a stealthy infection followed by a massive surprise attack be more effective?
I don't know which is worse -- the fact that there are folks who are happy to sacrifice Teh Interweb for the sake of getting at a single site, or the fact that they're SO FUCKING STUPID in the way they do it.
Ok, first with the insults, since it's traditional around here:
:)
Hey fuckface, did your fat mom drop you on your head at birth?
Now for the serious bit. I agree that Ivan is derived (note the spelling, numbnuts, you might learn something) from John. Maybe you should have looked a little further. Ian and Iain are also both derivatives of John. So, all three names are similar because they came from the same root. So who's the asshole now? You or the original poster?
How about researching a bit better next time. It's only a google away. Now off back to your troll-hole Mr Fuckwit.
Hmmm, sometimes feeding the trolls can be fun.
I wonder when the Wine folks will have Wine so perfected that we all can catch viruses at the same time. I'm beginning to feel neglected ;-)
A new version of Blaster has started spreading. The new version is called RPCsdbot.A by Trend Micro and appears to be more stable and can also open a backdoor to IRC.
RPCsdbot.A Information
Beware: In C++, your friends can see your privates!
Go to http://www.knoppix.de and download their 650MB patch. This will prevent ALL Windows worms ;-)
You need both of these patches to be safe from the *two* similar worms out there...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-010.asp
and
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada
Please add this info to the article heading, it will save new visitors a lot of time getting this fixed. After all, there's a much better chance of getting your update from a Slashdot link than Microsoft's Windows Update right now.. r4lv3k
Please. I still remember when my system got hosed by a sendmail hole.
What? We are talking about operating system vulnerability in here? Sendmail is a software. How can you even compare these two together, huh?
So i got the timer,
i got the reboot,
i scanned with the program..
no virus..
Is it possible the 'error' and timer
can be from just a random problem??
or have i got some undetectable variant?
You have 5 Moderator Points!
Which Helpless Linux zealot/MS basher do you want to mod down today?
I wonder when someone will release a virus for an exploit that they just found, one that they didn't tell Microsoft about. If they found one for IIS it would basically kill the entire windows internet (since you couldn't just firewall off the port).
And of course the same thing could happen with Linux. There have been security holes in Apache and especially in various distros.
I guess we're lucky that people finding holes so far have been benign. (or at least more interested in having access than causing chaos...)
autopr0n is like, down and stuff.
Here is an interesting description of the virus.
The virus obviously contains the following text:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible?
Stop making money and fix your software!!
And also as of August 16, 2003 the Lovesan will launch a DDoS attack on the Windowsupdate.com server.
Looks interesting, to say the least
The big problem is that everyone is so paranoid that M$ is going to "spy" on them through Windows Update, the first thing they do is disable auto update. Almost every machine I work on has auto update turned off, and then they scream bloody murder at Microsoft when something like this happens. If you are going to disable auto update, AT LEAST subscribe to the MS security bulletins !
Lately, I've been using SuSE 8.2 susefirewall2 mostly, because it's just so damned easy to configure to do what I need it to do, all in a simple text config file.
I think 'never' is a little too bold. You classic fanatics.
And I'm tired of Dial-Up being an excuse: get Broadband if you want to be on the net.
You wire everybody $200,000 to move their families to an area where decent broadband is available, and I'll believe you.
Will I retire or break 10K?
I really hope that most linux-zealots wishes come true. Right now most of you guys are saying stuff along the lines of: "maybe now people will understand that linux is more secure and switch" blabla ad nauseam. Then at the same time most realize that this could have been avoided if people had patched their system.
Let me tell you one thing, exactly the same will happen on linux systems (even more so as they become more and more popular with Joe Smoe Six-Pack, or whatever his name is). How many times haven't you heard of linux-noobs having had their new shiny Red Hat boxen r00ted etc.
In summary, linux isn't the salvation, educating the masses about security concerns is.
I believe I was getting approximately 200 hits every hour just on Port 135 last night. Haven't been able to check to see if it's gone down at all today but I'm sure my little server's log file will be pretty full by the time I get home tonight.
Prozac makes the voices in my head say nice things to me.
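The scan counts quoted in the thread (the non-profit's five-to-500 jump, and the ~200 hits an hour on port 135 in the post just above) are easy to pull out of a packet-filter log once you know which fields to key on. The following is an added shell example, not code from any poster, that summarises inbound TCP/135 connection attempts per hour and per source from iptables LOG lines. The log lines, the hostname `gw` and the addresses are constructed for the example (documentation ranges, not real hosts).

```shell
#!/bin/sh
# Added example (not from the thread): summarise inbound TCP/135 probes
# from iptables LOG lines, per hour and per source address. The log lines
# below are constructed for this example; addresses are documentation ranges.

SAMPLE_LOG='Aug 12 09:58:01 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=112 ID=4471 DF PROTO=TCP SPT=1043 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 10:01:33 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=112 ID=4472 DF PROTO=TCP SPT=1044 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 10:02:07 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TTL=118 ID=9002 DF PROTO=TCP SPT=2312 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 12 10:15:40 gw kernel: IN=ppp0 OUT= SRC=203.0.113.8 DST=198.51.100.5 LEN=48 TTL=120 ID=301 DF PROTO=TCP SPT=3388 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 12 10:44:19 gw kernel: IN=ppp0 OUT= SRC=203.0.113.8 DST=198.51.100.5 LEN=48 TTL=120 ID=302 DF PROTO=TCP SPT=3390 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 12 11:03:52 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=112 ID=4480 DF PROTO=TCP SPT=1051 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 11:10:00 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=28 TTL=118 ID=9010 DF PROTO=UDP SPT=1030 DPT=135 LEN=8'

# Print "Mon DD HH count": TCP connection attempts (SYN flag) to port $1,
# bucketed by hour. Reads log lines on stdin.
# Usage: printf '%s\n' "$SAMPLE_LOG" | hits_per_hour 135
hits_per_hour() {
    awk -v port="$1" '
        /PROTO=TCP/ && / SYN / {
            dpt = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            if (dpt == port) {
                split($3, t, ":")            # HH:MM:SS -> keep the hour
                hits[$1 " " $2 " " t[1]]++
            }
        }
        END { for (h in hits) print h, hits[h] }
    ' | sort
}

# Print "count SRC", busiest source first, for the same port. A few
# addresses producing most of the noise is what you hand to their ISP.
top_sources() {
    awk -v port="$1" '
        /PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == port) n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Stand-alone run: summarise the sample data.
printf '%s\n' "$SAMPLE_LOG" | hits_per_hour 135
printf '%s\n' "$SAMPLE_LOG" | top_sources 135
```

On a real gateway replace the sample with `grep DPT=135 /var/log/messages | hits_per_hour 135`; the UDP line in the sample is there to show that only TCP SYNs are counted, which is what an RPC endpoint-mapper probe looks like in a SYN-logging rule.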
In theory, this is great but in practice I doubt it would work only from that standpoint that you'd basically be making someone wait for IT help every time they came back to the office.
We use HP's OpenView Operations around here to monitor Solaris systems. Agents run on the managed systems and report back to the server. It uses RPC, implemented by the "dced" daemon. dced died on almost all of our boxes simultaneously yesterday. We brought them back up, they died in unison again. Repeated 4 times now. These boxes are in different cities and a bunch of different networks. So, we're lost as to what's happening. I was assuming some Y2K like bug, but now...
So my question: Anyone else use OVO and see this madness?
From Microsoft Security Bulletin MS03-010:
Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future.
Why can't they just say, "Nah, we're not going to do that because we don't feel like it."?
Gentlemen! You can't fight in here, this is the War Room!
Windows: all-your-base-ar[Rebooting in 60 seconds]
Now go and average that out over a year. Bear in mind that MS-Windows exploits are being reported on a small software set (OS, email client, database, web server, web browser, email client) and Linux exploits are being reported on any of 4000 (Mandrake) - 8000 (Debian) packages, most of which will not be installed on your typical desktop or server. Estimate a percentage installed on each and discount appropriately.
Now assign a severity rating, maybe base=25% remote=50% privesc/root/admin/ring0=25% to each incident and see how they compare.
And so on. No sense comparing an overdecorated Niva with a Land Cruiser and complaining about the mileage, either.
Got time? Spend some of it coding or testing
instead set the action to 'restart the service' this will prevent crashing due to RPC failure... U kinda need RPC lol
Except for those of us in California of course. We accept our new Austrian Overlords.
Here's an interesting question: has Microsoft ever produced an input stream that hasn't been compromised by a buffer overrun attack?
Have fun: Join D.N.A. (National Dyslexics Association)
I'd like to point out to anyone running Exchange (ver 2000 tested) that like most other M$ patches, it does more harm than good. After applying the RPC patch, nobody can connect to the Exchange server. After removing the patch all is well again. Hmmm... is this a bug or a feature?
---
Lousy rotten karmic retribution.
It was a bug heaven at work yesterday. Everyone was walking around and complaining their PC just keeps crashing. I didn't even bother with Windows update. Just turned on firewall on XP (ZoneAlarm on W2K) and deleted msblast.exe. Since our mail server deletes executable attachments, I think things will be quiet for a while. Oh, and I am not in IT, so I don't feel bad for leaving them to update their own machine.
That the very fix to the vulnerability is the target of the worm's DOS attack...
I can no longer read Dilbert. It's too depressing, because it is too real. -- Hyperhaplo
having a router that blocks port 135
is it safe (as in m$ wont do anything to me) to update and patch illegal versions of windows?
i sell illegal drugs
This really works, just had to use it. Uh, for a friend, you understand.
I don't take much interest in applying silly M$ patches. The IT department that forces me to use Windows can do that. I am content to let the virus rage. The more Windows TCO rises the closer I am to the nirvana of Lignux at work.
an ill wind that blows no good
blah blah blah...get a clue before you go ranting on MS. You can d/l ANY patch separate. Guess you got so worked up thinking about a way to slam MS and brag that you run UNIX that you forgot to check out some basic facts. Maybe if half the UNIX/Linux fanbois actually used winxp once in a while they would have half a clue. I personally haven't had a single problem with any XP box I have owned EVER. Hell I bet half the /. crowd has never even used XP and still base all opinions off of 98 and ME.
Also heard that some CDMA cell phones are being affected.
I would be very curious to see a *nix version of your story (obviously pertaining to a *nix vulnerability + live problem).
What would be interesting is to compare the amount of effort, the level of risk, and the speed of reaching safety between the MS and non-MS worlds.
I wonder how many scenarios like this are factored into MS's TCO estimates...
.sigs are for post^Hers.
so we had slammer, now we have blaster
i'm taking dibs on the name for the next windows wonder worm:
"slasher"
"gnarler"
"thrasher"
"regurgitator"
etc.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The question now becomes; Should we really worry about stopping this?
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
MS patches have, and continue to be, available for download as standalone installers. You can burn them to CD, DVD, write them onto a CF card.. whatever.
Sad, and rather telling that this nonsense got modded as anything other than flamebait.
I think that Linux system sales could be dramatically increased by bundling new Windoze PC sales with Linux-based firewall boxes. Best Buy, CompUSA, Circuit City, etc. could throw in some cheap i386 box with all of the necessary ports blocked. Besides keeping naive home users safer Linux installations would equal what Microsoft claims to be Windoze XP software shipments!
For Linux I would do something much simpler. For distros that use pkg I would use apt-get and for RPM I would use apt-rpm or urpmi.
First You would set up one box with a ftp or web server to act as the repository for your patches. It doesn't matter which, just something that you can specify a name or internal IP for.
Test out all your patches on your test boxes and then put them on the repository.
All you client machines (including your servers) would run a cron job that would check your repository for any new files and update the client machine.
The patches don't go on the repository until you are ready to roll them out. The cron (or anacron) job would just be a simple bash script calling on apt or urpmi as appropriate.
Just a Tuna in the Sea of Life
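The client side of the repository scheme described above, as an added shell example written for this thread rather than taken from any distro's tooling. It assumes a Debian-style client (dpkg/apt-get), an internal repository that publishes a plain "package version" manifest at a URL of your choosing (`REPO_URL`, `approved.txt` and `/var/lib/patchpull` are placeholder names), and it installs only the versions the admin has listed there after testing. The two manifests embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example: cron-driven client that pulls only admin-approved package
# versions from an internal repository. REPO_URL, STATE_DIR and the manifest
# format are assumptions for this example, not part of apt or any distro.

REPO_URL="${REPO_URL:-http://patches.example.internal/approved.txt}"   # assumed
STATE_DIR="${STATE_DIR:-/var/lib/patchpull}"                            # assumed

# Constructed sample: the manifest the admin publishes after testing, one
# "package version" pair per line. Packages not listed are never touched.
SAMPLE_APPROVED='openssh-server 3.6.1p2-2
sendmail 8.12.9-3
apache 1.3.27-4'

# Constructed sample of what dpkg-query reports on a client.
SAMPLE_INSTALLED='openssh-server 3.6.1p2-1
sendmail 8.12.9-3
apache 1.3.27-1
vim 6.1-3'

# pending_upgrades APPROVED_FILE INSTALLED_FILE
# Prints "package version" for every listed package whose installed version
# differs from the approved one. (A strict "is newer" test would use
# dpkg --compare-versions; inequality is enough for a gated repository.)
pending_upgrades() {
    awk 'NR == FNR { approved[$1] = $2; next }
         ($1 in approved) && approved[$1] != $2 { print $1, approved[$1] }' "$1" "$2"
}

# Reads "package version" lines and installs exactly those versions.
# With DRY_RUN=1 it prints the command instead, which is what the test uses.
apply_upgrades() {
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "apt-get install -y --only-upgrade $pkg=$ver"
        else
            apt-get install -y --only-upgrade "$pkg=$ver"
        fi
    done
}

# Cron entry point: fetch the manifest, diff it against what is installed,
# upgrade the difference and keep a log of what was changed and when.
run_patch_cycle() {
    mkdir -p "$STATE_DIR"
    wget -q -O "$STATE_DIR/approved.txt" "$REPO_URL" || return 1
    dpkg-query -W -f '${Package} ${Version}\n' > "$STATE_DIR/installed.txt"
    pending_upgrades "$STATE_DIR/approved.txt" "$STATE_DIR/installed.txt" \
        | tee -a "$STATE_DIR/history.log" | apply_upgrades
}

# Only touch the system when invoked as "patchpull --run" (e.g. from cron).
if [ "${1:-}" = "--run" ]; then
    run_patch_cycle
fi
```

A `/etc/crontab` line such as `0 3 * * * root /usr/local/sbin/patchpull --run` is all the client needs; the rollout is gated entirely by what you put in the manifest, so a patch you pulled back from testing simply never appears in `pending_upgrades` output.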
A friend of mine got hit too. If you go to the services panel and go to the properties of the RPC task you can select "what to do when task is terminated" I altered it to "do nothing" instead of the very handy "reboot". This gave me all the time I needed to fix stuff
I wish I was as mind-bogglingly intelligent as you. It must be nice not to have any less-computer savvy friends that got the worm; I mean, geeze, anyone who got the worm should be excluded from polite society, am I right or am I right?
Since the shutdown tends to occur the moment you access the internet, do the following;
1. Unplug internet connection
2. Enable Win XP firewall on all valid connections
3. Connect internet connection
4. Download and install the patch from MS
5. Update anti-virus or download and run the removal tool
Good Luck!
Proverbs 16:18 "Pride goeth before destruction, and an haughty spirit before a fall"
That's a moot conspiracy theory, because this vulnerability affects up to Windows Server 2003. Microsoft released the patch a month ago.
"Sufferin' succotash."
It's all about patching, whatever OS you use.
No properly administered system should ever get this. Home users, maybe but businesses????
Maryland's DMV is down for the day.
At my work, we had one vulnerable XP box, and it got infected. I downloaded the fix and the patch on my Mac(!) burned a disc and got the XP box back up in about a half hour. Maybe I should run my disc over to the DMV...
Nah! I hate going to the DMV.
One man's -1 Flamebait is another man's +5 Funny.
Windows XP shipped over a year ago, and still so many people don't get the basics of some things...
Don't blame people not using firewall, they are mostly newbies , e.g. XP home users
I don't mean to nitpick, but XP Home installs all network connections with the firewall ON by default. That sort of negates your entire point.
If Linux has as many security problems as Windows I really doubt you can name too many of them since you're not even aware of general facts.
Reformatting, reinstalling, and patching in the long run will save time versus trying to find needles in the haystack of which files were modified, deleted, or otherwise compromised if you were hit by this RPC exploit. Weeks later you'd be hunting around for incorrect files or would have IRC bots screwing you up. Penny wise, pound foolish.
Just got this from the Abilene (Internet 2) Operations Center. Apparently this is significantly affecting at least the .edu side of the network:
Abilene Connectors and Participants,
As you're all probably painfully aware by now, a worm exploit of the Microsoft
DCOM RPC vulnerability, W32/Blaster, was unleashed on Monday August 11. Details
regarding the vulnerability and exploit can be found at the references provided
below.
Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the
network. We're performing an analysis of Abilene netflow data, and early this
afternoon will provide a private communication to sites that are sourcing a
large amount of worm traffic.
Recommendations for network border filtering are included in the CERT W32/Blaster
advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be
defined as input and output - to protect yourselves and to protect from
infecting others.
Abilene Connectors, please pass this communication on to your Participants.
References:
Microsoft DCOM RPC:
http://www.cert.org/advisories/CA-2003-16.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
W32/Blaster:
http://www.cert.org/advisories/CA-2003-20.html
Regards,
XXXX XXXXXXX
Director, REN-ISAC
Must seriously question the validity of his claim..
I've yet to see an ATM running windows....
---- Booth was a patriot ----
Grab some old hardware and use Dachstein. Easy rolled firewall
http://wjla.com/news/stories/0803/98408.html
Washington (AP) - A statewide computer virus forced the Maryland Motor Vehicle Administration to close all of its offices at noon. They have also stopped all phone, Internet and kiosk services.
MVA spokeswoman Cheron Wicker says the agency is working on a fix, and expects to be back up and running tomorrow morning. Wicker says that extensions will be granted on drivers licenses expiring today.
As for the safety of the agency's records, Wicker says there's what she calls "a tremendous amount of protection." But she warns it's too early to tell what damage might have been done.
Not to be picky. It sounds GOOD though. A lot of the time installing a firewall is a lazy way to get out of knowing your system well enough to shut off external ports and services/daemons you don't really need. If the attack has no point of entry, you really don't need a firewall to protect it. That would be kinda like having a heavily armed door-man for a house with no doors. This "always need a firewall" logic is right up there with portscanning your own machine to find open ports instead of doing a "netstat -an | grep LIST". Unless you are running windows I guess. I don't know windows well enough, but I'd assume it's easier to install a firewall than to attempt to chase down all the open ports and close them. It might even break windows to go shutting off stuff like that. YMMV. If I have a small network of machines that need to talk to each other, and talk to the outside world, I'll set up a simple firewall for them. Most people just have their computer and their dialup/dsl/cable connection to worry about and probably don't need a firewall. Good backups is what most people are lazy about. It doesn't matter how great your firewall is if you don't have any backups.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
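The "netstat -an | grep LIST" habit the post above recommends is only half the job; the other half is deciding which of those listeners you actually meant to expose. The script below is an added example, not from the thread, that parses `netstat -an` output, keeps only sockets reachable from the network (LISTEN-state TCP, and UDP not bound to loopback) and compares them against an allow-list of "proto port" pairs. The `SAMPLE_NETSTAT` text is constructed for the example (Linux netstat layout, documentation addresses); on a live box pipe the real command into it instead.

```shell
#!/bin/sh
# Added example (not from the thread): list network-reachable listeners and
# flag any that are not on an explicit allow-list. SAMPLE_NETSTAT is a
# constructed stand-in for "netstat -an" output.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.5:22         203.0.113.8:51234       ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# Print "proto port bind-address" for every socket that accepts traffic from
# the network: LISTEN-state TCP sockets and UDP sockets not bound to
# loopback. Reads netstat -an output on stdin.
exposed_listeners() {
    awk '
        function emit(proto, laddr,    n, parts, port, addr) {
            n = split(laddr, parts, ":")          # last field is the port
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1")
                print proto, port, addr
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" { emit($1, $4) }
        $1 ~ /^udp/                    { emit($1, $4) }
    ' | sort
}

# Compare exposed listeners with an allow-list of "proto port" pairs you have
# deliberately decided to expose; anything else is a candidate for turning
# the service off, or at least binding it to loopback.
# Usage: exposed_listeners < netstat.out | unexpected_listeners "tcp 22 udp 123"
unexpected_listeners() {
    allow="$1"
    while read -r proto port addr; do
        case " $allow " in
            *" $proto $port "*) ;;                 # explicitly allowed
            *) echo "unexpected: $proto/$port bound to $addr" ;;
        esac
    done
}

# Stand-alone run against the sample, allowing only ssh.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | unexpected_listeners "tcp 22"
```

Run against the sample it reports the portmapper on tcp/111 and udp/111 as unexpected while the loopback-only sendmail and ntp sockets stay quiet; that is the distinction between "a port is open" and "a port is open to the world" that the post is getting at.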
I never knew about that shutdown /a thingy, but here's what I did:
Because I chose "Restart the Service", I'm greeted with a coredump message every five minutes or so -- you may want to either turn off error reporting or choose "Take No Action".
Hope this helps!
Standing at the very edge of my imagination, I peered into the inky void and realised -- I couldn't think up a new sig.
for analysis here
Also some cool screenshots of the beast in action here, and here
Which makes me wonder if this was the only way for the writer to contact SAN. Perhaps she had moved to another country or disconnected her phone and the only thing Jackass McWormerson could think of was communicating through a computer virus.
so my win2k desktop is currently sitting in a garage ready to be redeployed in my dorm room this fall...what are the chances that 1) windowsupdate.com is still working, and 2) i can patch my machine before a worm finds it?
or would it be also advisable to turn off all the frickin' services before i plug it into the net?
He'll probably have better luck searching for Microsoft Baseline Security Analyzer, rather than Microsoft Baseline Security Scanner. But yeah, it's a useful thing. And here it is.
I am one of those knowledgable software engineering types. For a variety of reasons, highest among that my wife needs the same set of applications on this machine as what she uses at work (not compatible or similar, but the same :-( ). Therefore, I run Windows 2000 Professional. I run Norton AntiVirus, maintain my subscription, and keep it and Windows as current as possible.
Having said all this, I am pretty convinced my machine has fallen victim to a virus/worm, and quite possibly this Blaster Worm.
The symptoms all presented themselves when I ran a windows update 1 1/2 weeks ago which resulted in my Internet connection degrading substantially. The only website with consistently good response after that was... MICROSOFT! All the others were not loading well after the patching.
I sure would love to totally ditch Windows on my home machines, but there are too many very compelling reasons to keep running it. Just the Microsoft line of "well, of course we charge $249 for a support issue for W2k Pro... its a BUSINESS operating system, you shouldn't be running it at home" is such utter nonsense. I want to run something stable with some amount of security and W2k Pro has done that for me (yeah, it has been secure in handling multiple users in my home).
For a variety of reasons, I am fixing the situation by installing a new hard drive and installing from a full format up. Rather painful, but I'm sure I'll be running a clean system. At least until I connect to the Internet to do the post-install windows update...
Wonder if windows update will complete loading and installing all 40+ changes before my system is attacked and re-infected.
If we don't all agree on terminology then what's the point of using technical terms?
- If you just want to block that address to the intranet (as opposed to TCP/IP) then you better hope you aren't hooked up to a 10,000-computer campus just waiting to sneeze virii on you.
Don't you understand what I meant to say? How come?
"Last one in is a rotten goblin!" - Kepp
Does it make your panties wet?
"Last one in is a rotten goblin!" - Kepp
Jeez!
I booted up my WintendoXP installation to apply the patch, and before i had a chance to finish loading the MS TechNet site, i got nailed by the worm!
Damn!
LOL
WTF?
do() || do_not();
When explaining IP addresses and ports, I always use an analogy with a large building. The IP address is the equivalent of the building's postal address; the port number is the "room" within the building. So for example, you can talk about "room number 25" is where email is handled, room 80 is where web services live etc. I realise that this analogy doesn't handle the distinction between different protocols (TCP, UDP etc), but I've still found it useful for networking neophytes.
My next sig will be ready soon, but subscribers can beat the rush
I have about 1000+ locations that are having trouble opening Excel documents and can no longer disconnect from the internet. Also in iNotes and Outlook they cannot OPEN individual emails (this is intermittent). Could these also be related to Blaster, or are we looking at a different virus?
-=[ Who Is John Galt? ]=-
Z:\>shutdown /a
'shutdown' is not recognized as an internal or external command,
operable program or batch file.
Every time a new worm comes out (bi-monthly, it seems), I keep wondering how much abuse people will take before they 1) decide to stop paying for the privilege of being abused, and 2) realize where the abuse is coming from. I know I'm preaching to the choir on this one, but I blew off some steam with a rant this morning. Enjoy.
illum oportet crescere me autem minui
I helped a friend remove this virus yesterday. Here is what we did:
1: Enable Internet Connection Firewall (for once, it actually has a use!)
2: Download and install MS03-026
3: Remove the following registry key:
HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update
4: search for and remove all files beginning with msblast.exe
Turns out aside from DDOS'ing Microsoft, this worm is pretty harmless.
LedgerSMB: Open source Accounting/ERP
Does a user actually have to download this worm, or can it affect a machine by just being on the Internet with a default install of windows xp?
Or notes, or something. Write up an article that expands the above and put it in the company policies book.
Best Slashdot Co
http://www.linuxiso.com/p p/2680 :-)
http://www.bebits.com/a
http://www.qnx.com/
This again shows how inherently insecure windows is
Um, no it doesn't. I believe Windows is insecure for many other reasons but this is not it. It only shows that MS configured default installations inappropriately for their intended target audience, the non-technical.
If only my friend was behind a firewall, like almost any distribution of GNU/Linux does, then she would have been fine
If that's the case why doesn't she? Cause she's not capable or not interested in configuring it. Standard Linux distribution is wide open too. And if you tell me you run ANY operating system out of the box, let us know what the IP addresses are, umkay?
The only reason you have for bashing Windows is because Windows was built/marketed to less technical people. As such, I would expect Windows XP/ME/95/98 to come with all ports closed out of the box. I would expect installation of software to trigger an Operating System function to enable those ports required and the OS to notify you just like so many messages in IE and Excel now do with "Warning:...". We didn't have those warning messages in previous versions, did we? IIRC, macro viruses prompted MS to include those warning messages.
I like to bash MS just as much as the next guy, but please think before you bash.
"Last one in is a rotten goblin!" - Kepp
Let it spread freely! On August 16 I'll be trying to run it under Wine to see if I can be of some help.
- Please, ignore everything written above.
Whoops.. Radio just reported that anyone who has a license expiring today has a 1-day extension. Thanks, Bill.
Just how do you protect the world from something like this? Microsoft released this patch on the 16th July and have been trying to encourage users to install it, some did, some didn't.
Going forwards any successful OS strategy has to work out how to solve this problem.
the... machine... doesn't... have... an... operating...
oh, nevermind.
What about all the boxed copies out there waiting for consumers and small business to buy, install, and continue propagating this thing? I think that just like any other piece of defective merchandise, these boxes should be recalled from the shelves and MS should generate new boxed versions with all the latest patches.
This is a great opportunity to make money if you have no job or want to make extra loot. How much are you going to charge to remove this worm?
Microsoft's commercials brag about how secure and stable their products are, but if that turns out to not be true to your detriment, the EULA essentially says they aren't liable, and it's your fault for believing them in the first place.
If anyone pays for this, it's the Maryland taxpayers.
density
n. pl. densities
1. The quality or condition of being dense.
2.
1. The quantity of something per unit measure, especially per unit length, area, or volume.
2. The mass per unit volume of a substance under specified conditions of pressure and temperature.
3. Computer Science. The number of units of useful information contained within a linear dimension.
4. The number of individuals, such as inhabitants or housing units, per unit of area.
5. The degree of optical opacity of a medium or material, as of a photographic negative.
6. Thickness of consistency; impenetrability.
7. Complexity of structure or content.
In the article running about the RPC virus today, the text of the article tells people to install a patch that corrects against the security flaw discussed in MS03-010.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-010.asp
However, the RPC virus is exploiting the hole in MS03-026.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-026.asp
The /.-recommended patches won't protect the system. Follow the URL for the second link to get the real patches.
In short, SLASHDOT IS PROVIDING DANGEROUSLY BAD INFO.
This space for rent.
A lot of telephony and IP telephony systems are going down at the present time... Several big European and American companies relying on IP telephony are affected. The software by the famous big router company is running on Windows 2000... Even GSM, SMS and MMS services are affected...
And Ian's derived from John in much the same manner.
Also, it's "i*n".
Actually this will still leave the system open to further intrusion. Best bet is to unplug from the internet, enable the Win XP firewall, then reconnect (may need reboot). Will buy you time to get back online and get the fix.
Proverbs 16:18 "Pride goeth before destruction, and an haughty spirit before a fall"
Pretty easily. You take a list of gov't decisions, and a list of public decisions (not general opinion survey, but specific public opinions).
You let the public (but not the gov't) assess the fairness (i.e., Metamoderation) of each decision.
You will find that it's fairly easy to determine that the gov't makes more fair decisions than the mob in the opinion of the mob. Or not.
As an example of the gov't making more fair decisions than the mob--Civil rights in the 1960s.
"America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
as of late last night, which is when the large number of port 135 hits to my Linux server abruptly stopped. Good for Comcast!
There's also:
"If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG."
This is the "if it was popular" argument making an appearance. Problem is that it ignores a simple fact. Security is a process, not an add-on. If one starts with that as a basis through the software development process, then one decreases (never eliminates, but then security has always been about "risk management, not absolutes") the chances of having a security breach. So it's not about popularity, but the attitude that developers have toward security. Yeah! As you said we have our coding flaws, but one also must look at how a problem is handled, in both communities. And finally that above process results in our "flaws" not getting out of hand, and destroying the world. Kind of the way "flaws" in aviation airframes are handled. A "flaw" in the metal only goes so far, then it is stopped, instead of continuing until the whole airframe fails, killing everyone aboard.
Maryland just shut down their DMV operation for the day because of this virus.
... Linux ... Linux ...
Repeat after me....
Linux
Never Politically Correct ~ I prefer the facts If you don't like what I say, get a life, or comment yourself.
Our university has just shut out all traffic from outside the system. That's almost as good as a DoS.
Guess who's firewall just happens to have port 4444 open for his FTP server?
Uh, if you'll excuse me, I'm going home for lunch...
So how would a worm do that, absent a central point of communication? I suppose it could track reinfection attempts, and switch to DDOS mode when the number of reinfection attempts/minute gets high enough. Or I suppose it could keep some sort of generational counter that increments with every new infection, switching to DDOS mode when it has travelled through enough hosts. Of course, you wouldn't want to make it too easy for the authorities to track down patient 0...
Another idea is to read top news sites and look for certain strings - when the news media finds out, get nasty. Since this would probably cause the news media to use all sorts of euphemisms to avoid the trigger strings, maybe it should hunt through the slashdot comments - because someone will certainly post a comment of the form "I've analyzed the worm, here are the strings it's looking for:
I guess a fourth option is for the worm author (or someone associated with the worm author) to trigger it themselves. Say, when the worm connects to port 4444 to send the command to tftp over a copy, they get back a string saying "it's time". Then that host (and any host which later tries to reinfect it, etc.) switches to DDOS mode. Since this would only be necessary once, it'd be almost untraceable. (Especially if done through one of those wide open socks proxies the spammers are always using) This option, combined with a procedure for cryptographically signing updates, actually has some possibilities for generic updates to the worm.
It occurs to me that the worm author needn't have targeted windows update. Imagine if this worm appeared to have originated from inside Microsoft and targeted Microsoft's large enemies (IBM, RedHat, the AG office of the states who are still suing them, some EU agencies, etc.) I wonder if the political fallout from that would be noticeable?
Imagine being one of those help desk folks manning the phones. I can't imagine the beating they're taking. Maybe the MSBLAST will have a telco equivalent. A 'hammer' application that will pound calls into their queue until they are forced to sign off their phones and run to the nearest exit!
Now I'm wondering if this hole exists in the windows build on the X-box. The hole is supposedly in every system since 95/98, and the X-box still has all the networking code in place. What a funny day it would be when a virus gets sent out to everybody on X-box Live, nuking their X-box (unless you've modded to linux :D).
/me awaits hordes of e-mails from Microsoft lawyers
It's not stupid. It's advanced.
Now being cheap isn't the only reason to keep my MS-box frozen on Win98SE.
Anybody want a peanut?
Heaven help anyone standing nearby when he inhales.
Her regional office received a call in the late morning from central office: "Turn off all the computers. Don't turn them back on until we call you again".
Needless to say, she isn't getting much work done.
simon
home page
I'm sure just about everyone here would agree that you deserve a commendation. I'd be really interested in finding out how things work out for you though.
Good Luck my friend
BWAH...HAH...HAH!
Bob McKenzie: Fleshy headed mutant, are you friendly?
Doug McKenzie (As the fleshy headed mutant): No way, eh! Ra-radiation has made me an enemy of civilization!
My brother last night called me about his computer shutting down in 60 secs or less. I had him do the msconfig/ctrl-alt-del to find any viruses he may have downloaded.
This morning my dad's office has the same problem (then I knew to check /.). However, my computer has been up and running kazaa on a static IP off a cable modem for the past 10 days while I have been on vacation.
Silly me, I patch my computer to avoid headaches.
So, a baseless accusation of patches causing other problems (no examples given, of course). A complete ignorance of the fact that a filesystem-corrupting Linux kernel was once released.
People bitch if the hole is there, and people bitch even when Microsoft has released a patch and yet certain people don't install it. Sounds like you just have a chip on your shoulder.
"Sufferin' succotash."
Doesn't my freedom of speech protect my ability to make up my own words? ;)
thanks for the grammar lesson.
-Tim
"VIRUS" => (virus,worm,trojan,any-malware-that-spreads)
after you know you're infected, boot into windows. disable dcom via dcomcnfg -> components -> computers -> my computer properties. reboot into windows and use stinger or some other tool to get rid of the worm...then download the windows patches. if you need DCOM, turn it on. most users won't.
-Lucas
Here is a nice command line utility to scan your network for vulnerable machines. It gives you a neat list of patched and compromisable computers.
http://www.iss.net/support/product_utilities/ms03-026rpc.php
I know, I know, there are a lot of problems in this analogy but at the most basic level it helps explain the concept of a port to a non-technical person.
From their Service Page located at: http://www.comcast.net/memberservices/index.jsp?tm p=null
Comcast Portal/Homepage
The Comcast Homepage is currently unavailable. Our technicians are aware of the situation and are working to resolve the issue. This outage was logged at : 8/10/2003 10:53:00 PM EDT. As of 8/12/2003 3:06:10 PM EDT, this outage is cleared.
General Outage
Connection to the Internet is currently unavailable. Our technicians are aware of the situation and are working to resolve the issue. This outage was logged at : 8/11/2003 4:30:00 PM EDT. As of 8/12/2003 3:03:20 PM EDT, this outage is cleared.
*****
I don't know if it was intentional but the same page showed all services working normally all day yesterday and today until an hour ago. Unfortunately for Comcast Cable Modem customers their net was down (at least in the Vancouver Washington and Portland Oregon areas) which they finally admitted on the telephone.
Anyone care to recommend a good firewall or perhaps firewall/router box for a home/small business network.
Not personal/single machine jobs, but standalone units.
...and I know that sounds like pedantic geekish zealotry, but it's exactly what I did. RedHat, Lindows, Knoppix, and Suse all demonstrate that Linux is mature enough to fully replace Windows. I got this worm last Wednesday, and I've been using Linux since. Granted, it wasn't an out-of-the-blue switch - I had considerable dabbling under my belt, but this time it's for real. All we need is for Wine to fix that little "reentrant libc, multithreading not enabled on compile" issue, and Linux can realistically crush microsoft.
Better yet...get a Mac.
This is the reason why I check Windows Update at least 4-5 times per week and also run McAfee VirusScan 7.0 with both AntiVirus and Firewall functions active under Windows 2000 Professional (SP4).
I was wondering why the VirusScan program was running up a lot of messages about port probes being blocked until I heard about the Blaster worm yesterday.
It's things like that that should encourage Windows 2000/XP and even Linux users to be very vigilant for any security issues. People forget that commercial distributions of Linux aren't paragons of security, either; the default configuration install often has vulnerabilities that can be easily exploited.
Ugh. I'm so glad someone pointed out the fact that those of us in the real computing world can't blindly apply every service pack and hotfix willy nilly, lest we break some stupid custom app or turn every one of 10,000+ PCs into bluescreened paperweights.
Also, applying 20 hotfixes per month on servers that run 24/7 for a worldwide userbase is just not gonna happen. You realize this early on, when you try to be good and inadvertently kill something dead. Not like there's a lack of trust, or anything...
EOM
This is when you say,
A new use for the "don't ask, don't tell" mantra.
Mom says my
Looking at the outgoing logs of the local firewall, I saw an infected portable trying to connect to sequential IPs on port 135... it seems to me that the virus could have done a lot more damage if it first started by scanning the local subnet it was on (i.e. the 192.168.1.* lan it was located on with lots of PCs), and then looking around on those "random" IPs... why did it spare my office so gently? ;-)
Greg
Loopsh of fury.
Yet another one that is stopped by a properly configured firewall. I can understand some of these large ISPs not getting all their servers patched but come one... this one should have been caught by a firewall.
"Times may change, but standards must remain the same." - George Carlin.
Internet was out for me in Seattle, while a co-worker of mine had no problems. I'm finally back up and running and everything appears to be back to normal. From midnight last night until noon today the modem was unable to get online. Comcast's techs said this was a nationwide problem, when I called them earlier and that I'd be credited for the downtime. That's somewhat of a relief.
Not that I don't believe you, but it would be interesting to see it in a brochure or something..
:)
I would then know to avoid any bank using that model of ATM
I've just never seen such an animal in my area (midwest US). Doesn't mean they can't exist elsewhere...
---- Booth was a patriot ----
FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????
Sorry, but you obviously don't know what RPC is used for on Windows. It's used for everything ranging from the Outlook client connecting to Exchange, to accessing a UNC share, to authenticating to an AD domain controller. Unless your server never talks to any outside machines, and basically isn't on a network, this worm concerns you.
It's very easy to get this in a business environment, prolly moreso than at home (though home machines would stay infected longer and therefore infect more people due to home users' lax firewalling and virus dat updating habits).
you're just a stupid bitch that can't deal with the imperfection of man.
The Win32 Blaster Worm pretty much slashdotted Dell's support number. I have a problem with the laptop (namely, the Latitude keyboard issue), but I have been disconnected over the weekend when calling Dell.
The economic cost of this bug must be up there compared to previous outbreaks. How infectious is it?
A NYC lawyer blogs. http://www.chuangblog.com/
Only let those ports you NEED open be open. Ports 1-1024 should NEVER be left open, unless you're running a service on them (and 99.999% of Windows machines aren't).
Next time, you don't have to worry about the latest exploit, and closing yet another hole in your firewall.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
I think Microsoft should be required to put a notice on the box, saying "Using Windows XP for Internet access requires a broadband connection". If you've got dialup, there's just no way you're going to be downloading those 50MB service packs, and if you're not downloading them, you're a menace to the rest of the net.
(Or at least, the rest of the net that's dumb enough to run Windows.)
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
this looks like an act for all the right reasons, done wrong on a group of people for all the wrong reasons look right. :o)
I was down at my church this afternoon updating their machine.
It has ZoneAlarm so it's probably safe for now.
But oddly, in the hour or so I was watching, ZA did not hear one connection attempt on port 135. They have Verizon DSL.
The biggest clue that you have this worm is supposed to be when you get the RPC error message, and the system states it's going to shut down, right? Now, if the system is going to shut down every time you boot it up, less than a minute after startup, when is it going to spread itself? I'm a 'tech support lackie' unfortunately, and that's been bugging me since the second person I talked to with this problem. But, I took more than 20 calls yesterday just about this worm, and every one of them had either 60 second or 30 second counters staring them in the face, and I can't see the thing spreading as rampant as it has if it shuts down every system it gets on less than a minute after boot. Personally, I don't think every system that has the worm has the error message. Which would mean there are still a whole lot of stupid end users out there still connected to the net, still spreading this thing around. But, that's just an opinion from a stupid tech support lackie.
It's great working for tech support for a broadband isp and watching a new customer get infected w/ a virus as soon as you finish helping him/her configuring a brand new computer --they are usually very appreciative w/ the great job you just did helping getting everything setup :P
I've been cleaning a bunch of systems at the Uni and all you need to do is boot into safe mode without networking,
disable system restore
search for msblast*.*
delete all occurrences
reboot into normal mode and patch
enable system restore
it'd also be a good time to spend that $50 and buy a router with NAT which you should have anyway. And also spring for $50 or so and get McAfee or Norton virus protection which you should have anyway.
Even if my machine wasn't updated it wouldn't be affected simply because my router blocks everything except FTP, HTTP, SMTP and POP3
Ben
Work Safe Porn
Instead of everyone bitching about how much MS sucks, maybe a good Microsoftie here can try to run the DCOM exploit on random IP addresses, then copy up psexec.exe and kill.exe to the user's HD, kill the msblast.exe process, upload a patched copy of the dll, and merge the registry fix?
Can't see why it wouldn't work, you'd be doing the Net community a favor, and best of all you'd get props for using the same exploit to help solve the problem.
Can anyone come up with a good reason why this wouldn't work?
Quote: Machines infected with the worm are programmed to launch a denial of service (DoS) attack against Microsoft's Windows Update website on the 16th of each month, starting in August 2003.
Okay, I know the possibility of this is remote, but you might print out a couple articles and a page of links
(or just a Google search?=blaster+worm)
so he can see that you saw the scale of this threat before it happened, and you were working (above and beyond) for the benefit of the company.
Or you could take a hatchet in case he chooses to ignore the data you give him.
Mom says my
What forum are you reading? All the posts blaming users are from Microsoft apologists, not Linux users. Wait, then again, a highly moderated post spuriously taking Linux users to task must mean this is Slashdot.
So, after first hearing about this (minus the name and platform) I of course said, "Microsoft product most likely..." Either I am psychic or I am just observant of consistency and trends. I also laugh at the hordes of excuse makers (not even paid by Microsoft) that fall all over themselves trying to actually justify yet another example of MS incompetence and untrustworthiness (in trendy / buzz word nomenclature or real world use). By justifying and excusing MS's unreliability they feel they can also justify their own lack of competence in making good buying and integration decisions.
Hahahahaha
Shouldn't broadband providers be sending emails to their clients with a link in them? You'd think every hotmail account would get a message saying "Plug that hole". Actually, I got an email from Microsoft on August 4, telling me all about it! I imagine everyone who registered their software got the message as well. That should mean that all 347 legal users of Microsoft Windows were well protected.

*** PLEASE NOTE: Due to the critical importance of this message, this communication is being sent to all of our Microsoft customers to alert you of this Security Bulletin. ***

It has been widely reported in the press and on Microsoft's own web site, that on July 16th we released a critical security bulletin (MS03-026) and a patch regarding a vulnerability in the Windows operating system. We wanted to make sure that if you were not aware of this bulletin and corresponding patch that you take a moment to go to http://www.microsoft.com/security/security_bulletins/ms03-026.asp to find out if you are running an affected version of the Windows operating system and get the specific information as to what you need to do to apply this patch if you have not already. Although we encourage you to pay attention to all security bulletins and to deploy patches in a timely manner we wanted to call special attention to this particular instance as we have become aware of some activity on the internet that we believe increases the likelihood of the exploitation of this vulnerability. Specifically, code has been published on several web sites that would allow someone to spread a worm/virus that takes advantage of the vulnerability in question thereby impacting your computing environment. Although it is our goal to produce the most secure and dependable products possible, we do become aware of these types of vulnerabilities.

In order to minimize the risks of such vulnerabilities to your computing environment, we encourage you to subscribe to the Windows Update service by going to http://www.windowsupdate.com and also subscribe to Microsoft's security notification service at http://register.microsoft.com/subscription/subscribeme.asp?ID=135 if you have not already. By subscribing to these two services you will automatically receive information on the latest software updates and the latest security notifications thereby improving the likelihood that your computing environment will be safe from worms and viruses that occur. We apologize for any inconvenience the implementation of this patch might cause and appreciate you taking the time to update your system.

Thank you, Microsoft Corporation
I found out about the worm on Monday, approximately 2PM PST. Did not hear any news regarding this on any of the big TV networks UNTIL 6AM (PST) the following morning.
Rather than simply just users being clueless, there's a large number of users being kept clueless by the news media. Assuming that 100,000 users would catch an early (eg; 2-3 hours after worm insertion) report on CNN, for example, then you would have at least 75,000-90,000 who could have patched their systems.
But instead, the worm was given close to 20 hours to spread amongst that 100,000 users, who, not being average readers of Slashdot or what have you, never patched their systems, even up til now.
Hell, according to a friend who works within the bowels of IBM, their R&D departments and related servers caught the worm, and everyone's scrambling like mad to fix it.
So who, other than Microsoft (who did put a patch for just such an exploit) is to blame?
(1) The author of the worm, naturally.
(2) The news media, for failing to bring this to the public's attention (yeah, covering Arnold Schwarzenegger's political relevance is SO much more important than keeping people in the other 49 states informed)
(3) Windows users, who, despite the patch being available for a month, and the security warnings for longer, still refused to install the necessary patches.
(4) The usual braying "Hurh hurh, Windoze users are dummies!" linux zealots. Preferring to bask in their self proscribed superiority, rather than work to change the philosophy (*) that led to the worm's creation (it takes a philosophy to justify any sociopathic behavior).
*To use the tired car analogy, if one doesn't like Ford vehicles, does that give them the right to run around slashing the tires of, or cutting the brake lines of every Ford they see on the street (in hopes that Ford will be driven out of business for faulty brake lines)? And yet, that is what the worm and virus authors want to do. It ain't about improving Windows or changing the laws, it's about trying to topple Microsoft and ruining as many of their user's computers as possible.
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
I managed to solve the problem with rebooting.
Try Control panel > Administrative tools > Services,
then right-click on Remote Procedure Call (RPC) and click on Properties > Recovery, adjust to "take no action".
This utility should buy you enough time to download those patches you need.
Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.
(Originally taken from rec.humor.funny).
"Prepare for the worst - hope for the best."
i just patched my main win32 box yesterday, there are two others in here that have shown no ill effects, but then again i am behind a shorewall firewall under RedHat 8 that only opens a smattering of ports and route em to specific IP addresses (80, 21, 22, 8767, 6112, and 68xx (BT) i think i'll turn on logging for 135, see how many iris hits i get.
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
I work for a disreputable ISP whose 3 letter acronym is not AOL *hint hint*
The steps we are telling them to do are: enable ICF in Windows XP, then download the patch from windowsupdate.com, then go to housecall.antivirus.com to remove the virus...
Try walking a customer through that.
The easiest fix I have found is Symantec's fix, http://securityresponse.symantec.com/avcenter/FixBlast.exe, which will automatically load the patch site after it's done removing the virus.
Or you can call 1 866 PC SAFETY; if you're in Canada don't bother calling, it won't work, trust me, I've tried.
There's a much different attitude and awareness about bugs perpetuated by Microsoft than by the free software community. I can't say it any better than Neal Stephenson did in In the Beginning
People are more likely to be diligent about applying Linux patches because they know that it isn't bug-free, that bugs are constantly being found and squashed, and this is stated upfront by the people who develop and sell it. Because Microsoft treats bugs like things to be swept quietly under the rug, people get surprised when something like this happens -- even people who should know better, like admins.
Cheers,
IT
Power corrupts. PowerPoint corrupts absolutely.
Just a measure of Port 135 scans from the last 5 & 1/2 weeks. Scan totals are for full weeks with exception of current week. The current week only shows 8/10 thru present.
5 weeks ago - 419
4 weeks ago - 366
3 weeks ago - 278
2 weeks ago - 520
1 week ago - 596
Current week - 1684
Most hits from current week are from last night.
143 - 93 = 14???
here in the real world; 143 - 93 = $50
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
Having developed a number of Windows based applications, primarily related to the 3D environment Active Worlds using both Visual Basic and C++, it became painfully apparent that for every 1,000 lines of code ... 200 lines of error trapping code was needed. What was to be a weekend project sometimes turned into months of development. That having been said, MS Windows must certainly be millions of lines of code ... perhaps billions. Nobody knows but it is hundreds of megabytes to install it. Given the scope of this project, it must be divided into teams and at best there will be gaps. Given what little I know of the corporate culture at MS, Mr. Ballmer and Mr. Gates leave little room for individual programmers outside to play. I think they are tasked to death frankly. I would suspect that there are a fair number of people who knew of this vulnerability and were either put on other projects or flat out told not to expose it because we are behind schedule. This, in my estimation, is what takes open source to a new level of legitimacy.
I can't find a DCOM patch for Alpha platforms?
Anyone? Bueller?
YES, there is a McDonald's in Hanoi Square.
When you see this graphic on their homepage: http://www.microsoft.com/homepage/images/2003/aler ticon.jpg
(be sure you take the space out, campers).
It seems the Blaster worm also creates a DoS attack on the Windowsupdate.com website.
Funny if you've been trying to update your Winders.
Eh, perhaps not funny, but an interesting response from MS.
I don't know about you guys, but this worm is working out *great* for me. I used to have to begin tech support calls with "did you reboot your computer". It turns out Windows is wicked stable if you only run it for 60 seconds at a time!
I swear nobody I knew ever thought of just setting back the clock when Y2K was coming. I did! But who would listen?
"Wireless : LAN
Got this from one of those advisory sites...
\ Run
/.er, if he tells Bill Gates to stop making money. This would make a great interview, I think.
Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion
So, it wasn't CmdrTaco...
Anyhow, it must be a
p.s. First Post!
SAILING MISHAP
I'll be honest: I'm stuck in a Windows shop with a bunch of people whose prevalent attitude is "if it ain't broke, don't fix it." As a result, since I'm the only one who's had experience dealing with getting the shit out there to the clients to prevent this sort of thing, I've been tasked with getting a solution made so we can roll out the patch remotely.
Here are the restrictions: we don't have (and won't pay for/setup) SMS, and we are using Active Directory. I've already got a GPO setup so we can distribute SP4 via Group Policy, but does anyone know of a way to distribute security updates by a GPO? Unfortunately, Microsoft only provides an EXE, no .MSI file for the GPO.
I know it's a long shot, but I'm interested in what other shops are doing. Sadly, WinINSTALL LE for making MSIs doesn't function. Anyone have any ideas?
Schwarzenegger, uber alles,
Schwarzenegger, uuuuber alles!
[/Jello]
2 hotshot IT managers must patch 50 computers
Install in 60 seconds
The patch did not work. It is almost 4:00 am, most NT people in my company have been awake for 3 hours now trying to apply a new version of the patch.
Welcome to the MS world.
Sorry to be an AC, our Win SAs (which are not cowboys by any stretch of the imagination) are working overtime to apply a new version of the patch.
Frankly, how many of this nastiness do we need before moving to a different OS?
WinXP professional was $299 new, full version when it came out -- identical to Windows 2000. Expensive, yes, but you're also paying for an OS which supports hundreds of thousands of more apps. To most people, that's worth it.
FYI. This patch breaks RPC for 3D Studio Max versions 3 thru 5.1. If you use 3ds max, DO NOT APPLY THIS PATCH. It will definitely corrupt your max files. There's now a patch to the patch if you call MS support, apparently.
Thanks Discreet and MS...
http://www.discreet.com/support/max (under breaking news) (sorry, can't check the URL right now, as it looks like Discreet is down...maybe they got hit as well...oh, the irony...)
I got a bunch of calls for this today too. I don't pay attention to Windows updates since I only use Windows at work behind a Linux firewall, so I had no idea there was a patch. The first call I got on this I spent about an hour getting a woman to download a firewall in the five minutes she got to be online before the worm hit and we had to start over. You have no idea how hard it is to get old people to navigate three web pages and click an install. And they never seem to get that they have a limited amount of time. One jagoff was yelling at me because "I wasn't giving him enough time to do this." Finally had to email him the patch installer and have him tell his wife when to pull the network plug when the DL was finished. What a bitch call.
You are implying in your post that the designers of these worms and viruses are Linux "zealots" and I take issue with that.
The correct analogy would be to equate Linux proponents with users of a safe car saying "I told you so" to a motorbike driver who is in the hospital for the nth time, after insisting on riding with his eyes closed a motorbike from a manufacturer known for its cavalier attitude to safety and security. Oh yes, he was hit by a bad driver, and the bad driver deserves whatever he gets, but the motorbike guy is not doing himself any favours by driving in perilous conditions.
IANAL but write like a drunk one.
... he will suck it up and install Linux since patching is not working (see the several reports on that on this thread) and since most probably MS has abandoned him if using "old" (as defined by MS) versions of Windows.
And sorry to bust your train of thought but I see very few people mocking Windows users, in general i see a fastidious "yet again" aimed more at the software manufacturer.
IANAL but write like a drunk one.
a 'sploit is a 'sploit. Although you can limit the damage by giving web servers and other weak restricted shells. There have been 'access promotion' exploits for Linux too, though.
autopr0n is like, down and stuff.
Did you ever notice how only OLD products can't be repaired, but the latest ones ALWAYS can? I always wondered why this is, since the old product was once a new product, and problems cannot be adequately predicted by companies like Microsoft. I would wager that NT 4.0 and even 3.5 could be patched, but it's not economically feasible because refusal to do so leads to revenue via upgrades to repairable product. Fixing the problem is "no profit".
EddyB43 90t 0\/\/n3D :)
some1 own mikedx plz and pgpwipe div :)
Did you read the parent post dumb fuck?
129 for OS X
143 for Windows XP Pro
The difference is $14 or are you a complete moron?
Next time read the posts before making yourself look like a dumb fuck (or confirming the truth that you are a dumb fuck).
Chip on my shoulder? CHIP ON MY SHOULDER!?!? Why you no good, stinking, Linux hugging, twelve sandwich eating, Slackware loading, All your base are belong to us quoting, er ah jerk! Seems like you just don't like varying opinions. Slashdot is LIVING PROOF that I don't need facts to back up a Microsoft criticism. It wasn't bitching either. I am not ignorant nor do I care that a corrupt Linux kernel was released. I think Linux is a waste of time. Sort of like reading your response to my post was a waste of time. Or your mother feeding you when you were a baby was a waste of time. Have a nice day you elite hacker!
I've stopped answering all the texts I'm getting about what a remote procedure call is with a technical answer. I now have a stock reply:
"To you, 25 quid"
1st, any smart XP user would already have Mike Lin's Startup Control Panel installed.
Fact is no Geek with XP would be without it, it makes things piss easy.
2nd, once one notices the 60 second reboots (after windows has fully loaded), after a fresh reboot, one will quickly ctrl-alt-del & end any out of the ordinary processes
3rd (either now or after a reboot), one will open up Mike Lin's Startup Control Panel & notice a new startup process called MSblast.exe, tagged as a Windows update utility. One will disable it (untick it), meaning it won't run on startup. (it actually appears twice, obviously to get people who don't notice, meaning one has to disable one entry & delete the other entry, which is just a 'right click, click delete, then click ok' routine). One then reboots.
4/ One now runs the find file routine & it turns up exactly where you think it probably is (Startup CPL shows the address of most processes, but for some reason not all of them): windows/system 32. Now as it's tagged as 'Windows update tool' (or something like that, I can't remember the 3rd word), one might worry if deleting it might hurt the system. After all 'Windows update' is an integral part of XP. However like all geeks, one's using XP Corporate which has that disabled, so why was it running in the background, seemingly causing problems till it was disabled? So one right-clicks 'My Computer', clicks 'properties' & notices that 'windows update' is still all greyed out, as per normal, meaning the computer's not using 'Windows Update', meaning MSblast.exe is not what it appears.
5/ Time for deletion. One drags msblast.exe to a floppy in case it is needed & things fuck up without it, then I delete & empty the recycle business.
6/ Wonder how it got into the Windows/system 32 directory in the 1st place.
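A defender-side check that ties together the "strings of interest" post above and this removal walkthrough: a static scan of a file for the strings that post lists, plus a parser that looks through a .reg export for the "windows auto update" autostart entry under the CurrentVersion\Run key. This is an added example, not code from either poster; the indicator list is copied from the post, the samples are constructed, and the parser only handles plain REG_SZ lines.

```python
import re

# Strings the post lists as present in the worm binary, used here as static
# indicators for a defender's file scan (taken from the post, not a vendor sig).
BLASTER_STRINGS = [
    b"msblast.exe",
    b"I just want to say LOVE YOU SAN!!",
    b"billy gates why do you make this possible ?",
    b"windowsupdate.com",
    b"tftp -i %s GET %s",
    b"windows auto update",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
]

def find_blaster_indicators(data: bytes) -> list[str]:
    """Return every listed string that occurs in data, in list order."""
    return [s.decode() for s in BLASTER_STRINGS if s in data]

def looks_like_blaster(data: bytes, min_hits: int = 3) -> bool:
    """One string alone (e.g. 'windowsupdate.com') is too common to act on;
    require several distinct indicators before flagging a file."""
    return len(find_blaster_indicators(data)) >= min_hits

# Value line in a .reg export, e.g. "windows auto update"="msblast.exe"
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def find_run_persistence(reg_export: str) -> list[tuple[str, str]]:
    """Walk a .reg export and return (name, data) pairs under any
    ...\\CurrentVersion\\Run key that look like the worm's autostart entry."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # key header
            in_run_key = line[1:-1].lower().endswith("\\currentversion\\run")
            continue
        m = _REG_VALUE.match(line)
        if in_run_key and m:
            name, data = m.group("name"), m.group("data")
            if name.lower() == "windows auto update" or "msblast.exe" in data.lower():
                hits.append((name, data))
    return hits

# Constructed samples, not real captures.
SUSPECT_BLOB = b"\x90" * 8 + b"msblast.exe\x00tftp -i %s GET %s\x00windows auto update\x00"
CLEAN_BLOB = b"MZ\x90\x00 hello world windowsupdate.com"
SAMPLE_REG = """[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"windows auto update"="msblast.exe"
"ExampleTray"="C:\\\\Program Files\\\\Example\\\\tray.exe"
"""
```

On a real box the .reg text would come from exporting the Run key, and the file scan would be run over windows/system32 as the walkthrough describes.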
I did, this has been my 4th 1999 !
In Soviet America the banks rob you!
The Internet connection for entire India to the US is on 1.2GBPS bandwidth - try connecting to M$ Windows Update Servers when a million others are using it at the same time.
Most don't have broadband and even companies share a 56K ISDN or Dialup line!
With all the US companies moving their software operations to India/Asia - this reliance on M$ is only going to get worse. I don't feel too sorry for the 95% or so pirated Windows OS users in India.
How much TIME do you spend maintaining your "updates"? Do you let your boss know that when you run TCO analysis vs UNIX/Macs for your servers?
And read the one post about how just ONE laptop user who takes his computer home, restores his OS and gets the worm, comes back into your network and promptly starts DOS attacks?
I do, however, sincerely hope that people like you NEVER convert to UNIX or MacOS X - at least you can be a soft target for all these college kids/Russian/Asian hackers out there.
Finally (and it's getting stale) - 15 years using a Mac and NOT A single Virus yet!
AM
Yes, it does work quite well with wine, as confirmed by tcpdump. I will be sure to have it running this weekend just in case the rumors are true. I mean, sure I could just reverse engineer it, but that's just not as fun as running it an entire weekend and watching all the IPs of recently infected users go by in my tcpdump output. BTW, anyone in the 85.221.22.* IP block running an unpatched NT derivative, sorry, but I had to test it.
I work for a large broadband ISP, and the tracked cases of our customers calling in about this worm is around 7,000 and climbing. I hope this thing blows over soon...
Examples?
Female Prison Rape in NY
Hi. ;)
I forgot to thank you for your reply in my journal. Not that it really helps.. I guess I should start doing sports in order to really wake up.. and unplugging the net would be bad because it'll leave me with no music. But you still tried and it was nice.
-0-0- idle