Win32 Blaster Worm is on the Rise

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.

Honest question

[lseltzer]

Dear all of you who are being hit by this attack:

Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.

Re:Honest question

[caluml]

Why aren't you blocking stupid useless open ports from the Internet?

Most people:
What's a port?
Do I have any?
How can I check?

Re:Honest question

[Maserati]

I had to explain ports and firewalls to one of our Account Services people yesterday. My analogy was a company with oine main number and everyone else on extensions behind that number. So if calling their number (IP address) and asking for extension 80 (port) lets you talk to Janie (900.69.69.69:69) then that's just like connecting to a web server at an address:port combination.

Specifically, we were trying to figure out if a clients BOFH was a BOFH, a PFY or a PHB. We think he's a PHB since there's a lot of money (cash and obligations) sunk into a project that needs a port opened in their firewall and he won't/can't/hasn't opened it up yet.

This may still be better than the other (former) client who put two people in our office using VPN to connect to their home network... and then changed their proxy configuration without telling anyone (like their helpdesk). It took me a week of phone tag to get one of their network analysts to finally say "OK, try this". Then they sent her an XP laptop with that setting locked into the old-and-wrong setting. I think she had to ship it back since they wouldn't cut loose with the admin password. Neither would I, but the box would have worked before I sent it out. We aren't suing them for specifically "rampant idiocy", but that MUST be a factor. We're suing them, a spokesfigure was perp-walked recently and business is way down. I wonder how long they'll manage to stay out of Chapter 11.

Stupid people suffer.

Re:Honest question

[Ilgaz]

Well, I wonder why MS opens RPC (135) to outside World.

Yes yes, services use it, as Steve Gibson's sayin "impossible to close without firewall" ...

Don't blame people not using firewall, they are mostly newbies , e.g. XP home users. Ask the real question: Why you open a port outside World by default OS install?

Everyone knew port 135 would be exploited in a real bad way before, that was just a matter of time.

If os is a client only, do not turn on rpc listening on port 135... Its THAT hard?

Precisely

[Overly+Critical+Guy]

There was even a Slashdot article about the exploit. It was such a big deal because it was the first and only vulnerability for Windows Server 2003 so far.

All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.

If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...

Re:Precisely

[aug24]

I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.

Did you merrily click past the EULA that said if it destroyed your system and data it wasn't MS's fault or responsibility? Did you install on one box and then do a complete round of System Test, or did you just blindly trust MS?

J.

Re:shutdown /a

[Tony+Hoyle]

Rule 1: The first thing you do when putting any system on the net is make sure it's behind a firewall.
Rule 2: See rule 1. Then do it.

FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

There are several reasons...

[aug24]

Have you met many people who are MS sysadmins? A good proportion of those that I have met are Joe User types who have knowledge of how to set up, auto-reboot and backup machines, and not a lot more.

Windows is easier to pick up, but just as hard, possibly harder, to maintain than *nix. So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day to day.

Combine that with the sheer number of sever and critical patches MS expects you to apply, each of which must go through regression testing before deployment, and you can see why sticking the ol' head in the sand looks appealing...

J.

Re:There are several reasons...

[Tyler+Eaves]

2 "windows" holes versus 9 "linux" holes?

How many of those Linux holes where in the core operating system (IE, kernel + GNU tools)? I'm willing to bet zero.

Does windows still have 2 holes once you factor in Exchage, Outlook Express, IIS, IE, Office, SQL Server etc?

Re:There are several reasons...

[koa]

Heres another problem I see with this whole thing. WHY does this patach REQUIRE a reboot after installation? One would think that by 2003 Production server uptime would at LEAST be somewhere on the minds of the people in Redmond! I mean, look- you stop the effected service (windows can do this y'know!) then you replace files.. then START the services back up. I would write more in this post but I accidentally moved my mouse and I need to reboot my machine for the changes to take effect!

Stop Blaming Users, Blame Microsoft

[mizidymizark]

I know this is Slashdot and all the Linux users need their daily affirmation that they are right, but guys, lay off the common user. To expect someone over dialup to have Windows XP patched with the 200 MB of updates since XP came out is rather harsh. I know this hits more broadband users, but working in tech support, we have seen a fair amount of dialup users get hit as well. So before telling the everyday user to switch to Linux for their home machine, maybe we should get Microsoft to check their product for problems before shipping it out.

Re:Honest question [Corporate Answer]

Welcome to the corporate world. All things, including service packs, must be tested on all platforms with all applications before being deployed into the environment.

We don't have a couple dozen windows boxes. We have a couple hundred thousand. Patching is *painful*. We're not talking purely servers that are affected--standard workstations. Servers get patches at a much faster rate than the user desktops.

Even after the 4-6 months goes by and the patches get the official blessing for end-user install, users don't like watching the service packs run for half an hour when they login. Besides, who trusts the users to sit around and let them install without playing with stuff.

So....We filter internal site connections to try and contain infections, and work as quickly as possible to mitigate the risks of downtime for system updates vs. the risk of collateral damage (outages) caused by Microsoft's weak code and security practices (AKA bug).

After two years, we're almost done with the Windows2000 conversion, but Microsoft has already been pushing for immediate XP deployment for a year...

Why aren't they all patched? Because nothing moves fast in large installation bases.

Re:Just seen an ATM affected...

[Zak3056]

Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Canon Street and Poultry.
Then try, really, really hard to stop laughing...

I don't know why I have to point this out, but that's NOT funny--it's freaking SCARY.

This is not FUD

[JRHelgeson]

The security community has been saying for nearly a month that people needed to update their machines. We watched as the hacker community perfected their code for the RPC/DCOM vulnerability and posted their work on hacker sites and discussion groups. Yet the more we begged and pleaded people to update their machines, the more I heard "Aw, they're just hyping the FUD factor."

Let it be suffice to say that if a company is trying to sell you something based upon the FUD factor, treat the information as suspect. I agree, vendors whose software doesn't sell on its own laurels hype the hell out of the FUD factor and give the industry a bad reputation. But don't lump these vendors in with the security consultants that are trying to provide a free service and free advise based upon information that is going around in the security community.

When you get security information, consider the source. Is the security information provided with a sales pitch attached? If so, google the information to determine if it is FUD or legetimate. If it's legit, it'll pay to listen.

Regardless, people, patch your *#&($*@& machines!

Laptops

[mrscott]

Think about this scenario: a perfectly competent administrator has a properly configured firewall which blocks the problem. The "road warrior" brings his laptop from from 3 weeks on the road and had used a bunch of hotel access points where he got the worm. He connects it to his docking station in the office effectively bringing the problem behind the firewall.

Re:Linux people: Rejoice!

[Junks+Jerzey]

All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

Sigh. The Windows exploit is essentially a buffer overrun. Microsoft knew about this and released a patch *before* this worm was even written. So it comes down to two things:

1. It's a common problem caused by people writing OS-level services in languages that are prone to these types of problems. Windows and Linux are in the same boat here. Many such exploits have been found in boths OSes, and more will be found in the future.

2. It doesn't matter how fast a patch is released if people don't download and install the patches. Again, both Windows and Linux are identical in this respect.

If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG.

Re:Sad really

[b-baggins]

Now, this being modded as funny is REALLY sad.

Apple's versioning is as follows: .x = new release = full price .xy = maintenance upgrade = free.

So, 10.1 was full price. 10.1.1 was free. 10.2 was full price. 10.2.6 was free. 10.3 is full price. 10.3.x will be free. 10.4 will be full price, etc.

Apple does not sell upgrade CDs. You buy a full install. This means you don't need to have any previous version of OS X on the machine. So compate the right things. So let's put this in terms the Microsoft Marketing Influenced(TM) can understand.

I paid $129 for the full version of OS X. You paid $299 for the full version of Windows2000 Professional.

I paid $129 for the full version of Jaguar. You paid $399 for the full version of WindowsXP Professional.

I will pay $129 for the full version of Panther. You will pay >$399 for the full version of Longhorn Professional.

Now who should we laugh at?

For all the ranting slashdotters do on how stupid the non-tech/geek person is, I find it hilarious that such a logical, programmer-centric versioning system totally confuses said slashdotter.

I guess MS was pretty smart to call Winnt 5 Windows 2000, and Winnt 5.1 Windows XP, or you'd all be screaming about that $399 "upgrade" as well.