Slashdot Mirror


Win32 Blaster Worm is on the Rise

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.

231 of 1,251 comments

  1. shutdown /a by mjmalone · · Score: 5, Informative

    My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

    shutdown /a

    That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that tries to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)

    1. Re:shutdown /a by Pionar · · Score: 3, Funny

      >Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.

      You actually believe that reading /. makes you smart? Apparently, you never read comments below 5.

    2. Re:shutdown /a by whiteranger99x · · Score: 3, Funny

      Apparently, you never read comments below 5.

      In some cases even THAT doesn't mean you'll see smart comments

      (hell, look at MY 5 point comments sometime lol ;)

      --
      Join the TWIT army now!
    3. Re:shutdown /a by Anonymous Coward · · Score: 5, Informative
      You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

      I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

    4. Re:shutdown /a by TedCheshireAcad · · Score: 3, Interesting

      How creepy. I was setting up a relative's DSL modem yesterday, when I saw that the RPC service was shutting down the machine. Thought it was just Windows XP being retarded, but I guess it's time for a new visit.

      The box hadn't been on the internet for more than 15 minutes.

    5. Re:shutdown /a by mjmalone · · Score: 2, Insightful

      He was connecting to it remotely. Also, it's hard to download patches when you aren't connected to the net.

    6. Re:shutdown /a by Tony+Hoyle · · Score: 4, Insightful

      Rule 1: The first thing you do when putting any system on the net is make sure it's behind a firewall.
      Rule 2: See rule 1. Then do it.

      FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

    7. Re:shutdown /a by Jugalator · · Score: 5, Interesting

      Home users, maybe but businesses????

      The largest ISP in Sweden, Telia, had 40 servers collapse from this virus and in effect prevented 16,000 users from logging on to their ADSL service. That gives you a great deal of confidence in an ISP, right? ;-)

      --
      Beware: In C++, your friends can see your privates!
    8. Re:shutdown /a by Eric+Ass+Raymond · · Score: 3, Insightful
      Smart-alec. It is evident that you do not administer anything complex.

      Ever thought that it's good practise to burn Service Packs and any critical patches on a CD-RW as they come by using an already secured computer? Then you don't have to expose your new setup? I know it's folly to trust the default Windows installation and don't fool yourself into thinking that a common distribution like RedHat 8/9 is secure out of box.

      Do not connect to the net until you've secured the box. Standard practise and pure common sense when you think about it.

    9. Re:shutdown /a by MmmmJoel · · Score: 3, Funny
      "Thought it was just Windows XP being retarded"

      It is Windows XP being retarded. Don't second-guess yourself!

    10. Re:shutdown /a by ChiefArcher · · Score: 5, Funny

      Supposively, if they don't fix it by this weekend, all the infected boxes are going to attack microsoft's website all at once.

      So in my opinion.... Don't patch it :)

      ChiefArcher

    11. Re:shutdown /a by MSG · · Score: 2, Informative

      don't fool yourself into thinking that a common distribution like RedHat 8/9 is secure out of box.

      A common distribution, like Red Hat Linux 8/9, has a firewall on by default.

    12. Re:shutdown /a by MSG · · Score: 3, Interesting

      You can also turn on the firewall in Windows XP and download the patches. That's what I did on my girlfriend's PC.

      Funny thing is I had her computer about a month ago, and I applied all of the available patches, followed the HOWTO's I could find on shutting off services to secure XP, and turned on the personal firewall on her dialup connection, and she *still* got hit. I guess RPC isn't in the list of services that you should disable... What freaks me out is that something turned off that firewall, though. I have no idea what. Does anyone know of any common Windows software that turns off XP's firewall?

    13. Re:shutdown /a by Zak3056 · · Score: 3, Funny

      You actually believe that reading /. makes you smart?

      Yeah, what do you think this is, a Holiday Inn Express or something?

      --
      What part of "shall not be infringed" is so hard to understand?
    14. Re:shutdown /a by zoombat · · Score: 5, Informative
      FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

      Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunately all our laptops were either patched or left at work yesterday and patched this morning.

      The other possible point of entry is VPNs, which are also notorious for letting in computers that were infected via a different net connection.

    15. Re:shutdown /a by RoLi · · Score: 5, Funny
      I mean that's how you're supposed to setup any operating system. No net connection until you've got all the necessary patches installed and firewalls set up.

      Exactly! It's pretty easy, actually:

      • Unplug Internet connection
      • Download patches from the Internet
      • Set up firewall
      • Plug in Internet connection

      If that doesn't work, just send an email to support@microsoft.com

    16. Re:shutdown /a by Anonymous Coward · · Score: 4, Funny

      your_girlfriend.exe

    17. Re:shutdown /a by Eric+Ass+Raymond · · Score: 2, Insightful
      Indeed.

      I admit the default security of a fresh Windows installation is (or, after Windows 2003 Server: has been) abysmal. That's why every self-respecting administrator does either have the new setups behind a proper firewall or he/she has stacks of CDs with all the relevant Service Packs and critical patches on them.

      I don't see how something like a default Redhat 7.2 or 8.0 installation would be different. Every conceivable exploit is known not only to the real pros but to script kiddies (or actually their root kits) too.

    18. Re:shutdown /a by MikeDX · · Score: 3, Insightful

      I think you need to get the DVD boxset for ALL of the security updates

    19. Re:shutdown /a by RocketScientist · · Score: 2, Informative

      Shutdown is native in XP Pro, but it is also installable from the resource kits. It's pretty handy, it lets you remote shutdown machines over the network.

    20. Re:shutdown /a by bigberk · · Score: 2, Interesting
      Uh... why didn't he just unplug the net cable and install the patches?

      Bravo!! I was waiting for this to come up in an interesting context, and this worm illustrates the problem perfectly.

      The reason you can no longer unplug the network cable and install patches for Microsoft products is because Microsoft (and other companies) want you to be constantly connected to the Internet. This way your computer can constantly exchange digital rights and other background data. And since everyone is running those pretty little web based installers, you have little knowledge of what's really being transferred to and from your computer.

      I run UNIX servers; when I need to install patches, I simply download them from another computer and burn them to a CD. My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

      Just wait for the chaos that will happen when we go back to centralized computing; you won't even be able to use your word processor without a network connection. And then when networks fail, nobody will be able to do any work.

      Wait a couple years and then laugh ;)
    21. Re:shutdown /a by Geek+of+Tech · · Score: 5, Funny
      That almost makes me want to infect my box. Oh well.

      --
      Stop the Slashdot effect! Don't read the articles!
    22. Re:shutdown /a by Anonymous Coward · · Score: 2, Funny
      Supposively, you passed your University's language competency test.

      I may be wrong.

    23. Re:shutdown /a by OutRigged · · Score: 5, Informative

      My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

      Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes, as they are called, can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done this with every copy of Windows I've owned since Windows 2000.

      --
      RaGe
      We're all just noise on the wires..
    24. Re:shutdown /a by TwistedGreen · · Score: 2, Funny

      What do you mean? They obviously did it to protect their customers from getting the virus!

      Yeah, that's the ticket...

    25. Re:shutdown /a by Silvers · · Score: 3, Informative

      I just installed the patch on a WinXP Home machine. Upon reconnecting to the internet, it got infected again.

      The patch, as stated elsewhere, does not work on all machines.

      I turned on the firewall hoping that will fix

    26. Re:shutdown /a by Brad+Cossette · · Score: 2, Informative
      There's a (I think) better alternative, though a little trickier to run.

      In WinXP (works for Home or Pro), run "Dcomcnfg", double click on component services, d-click on computer, r-click on My computer and select properties. Select the Default Properties Tab and uncheck "Enabled Distributed COM on this computer".

      This'll shut down that subsystem which is vulnerable to the attack in the first place, and give you time to update patches etc. Works even if the virus is currently in place (you'll still need to remove it later).

      A friend of mine got nailed with this last night; she's a mother of 3 who knows jack about computers (mind you, I know jack about raising a family so we're even). No firewall, and didn't even know there was a "Windows Update" option to upgrade her OS. As much as I don't like a "Big Brother" type interference from Microsoft (especially them), it's situations like this which make me think that having them forcing updates remotely to PCs may not be a bad thing - some people just don't know, and don't want to have to worry about stuff like that.

      --
      -- "We are all in the gutter, but some of us are looking at the stars" [Oscar Wilde]
    27. Re:shutdown /a by rworne · · Score: 4, Funny
      (Score:2, Insightful) for a post recommending you download patches with your network cable unplugged. Wow, Slashdot is a haven for those with technical know-how, isn't it.

      Perhaps he was meaning to suggest using a wireless access point. That way there is no physical medium for the virus to travel over.
      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    28. Re:shutdown /a by walt-sjc · · Score: 4, Informative

      Replying to my own post, but I was just reading a message on one of the security lists I monitor, and by one account, this worm went right through Norton's firewall even though the firewall was configured to block it. (Note: I have not verified this claim.)

      I've never trusted Windows-based firewalls due to the fact that firewall vendors rely on the hooks that MS provides - if the hooks are not in the right place, the damage can be done before the firewall software sees it at all. In Linux / BSD, the hooks are right there in the kernel, and you can be SURE that they are in the right place, and that there is no path around them (since you can view the source.)

      I always recommend that Windows users use an external (non-Windows-based) firewall. There are lots of cheap ones out now. I think you can get a SOHO model for under a hundred dollars. Many SOHO "routers" have firewalls built in. Even one of my old DSL modems from 4 years ago had one (although it was really primitive.) Zone Alarm is a great second level of defense, as it helps deal with rogue software like some spyware, but I would not rely on it alone to protect you.

    29. Re:shutdown /a by Samari711 · · Score: 2, Funny

      i'd like to see you download the patch in under 60 seconds, and without a tinfoil beanie

      --

      I never said I was smart, I just said I was smarter than you

    30. Re:shutdown /a by Anonymous Coward · · Score: 3, Funny

      Unless the virus becomes airborne, in which case I'm covering my box with surgical masks and insulating blankets.

      Looks like my computer is suffering from a high fever now. I'll give it plenty of fluids and some bedrest.

    31. Re:shutdown /a by Nucleon500 · · Score: 5, Funny

      Does the worm work with Wine?

    32. Re:shutdown /a by sharkey · · Score: 2, Funny
      In some cases even THAT doesn't mean you'll see smart comments

      Right. You still see the "editor's" comments in the article itself.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    33. Re:shutdown /a by sharkey · · Score: 2, Funny
      Does anyone know of any common Windows software that turns off XP's firewall?

      Give Win32 Blaster a try. It shuts down the firewall, and more. Or so I've been led to believe.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    34. Re:shutdown /a by CMECC · · Score: 2, Interesting

      According to what I read, there was a preparatory worm a few weeks ago which went basically undetected, since its payload did no drastic harm except opening ports. Those newly opened ports allowed otherwise patched PC to be affected by msblast.exe.

    35. Re:shutdown /a by inKubus · · Score: 5, Funny

      Sorry to whore this out here, but has anyone actually looked at the patch? I mean, this affects a rather important part of the Windows operating system. RPC is used for interprocess communication, named pipes, etc. Couldn't the CIA or something put a bug in it that will forward everything you cut and paste, type, send, etc. to some other entity? And what better way to get the masses to install it than a little worm to exploit a hole they purposely left open?

      Furthermore, Microsoft paid out $520M only yesterday due to patent infringement with a component in MSIE.

      I mean, I'm all patched up, so I know I'm safe but.. oh shit.. the shutdown timer just popped up! Microsoft must be reading what I'm typing. If only I can do this thing quick enough. OH FUCK I have to wait 20 seconds from the time I hit the reply button til when I press submit and it's getting down near 1 nowwwww

      --
      Cool! Amazing Toys.
    36. Re:shutdown /a by dwillden · · Score: 2, Informative
      Replying to my own post, but I was just reading a message on one of the security lists I monitor, and by one account, this worm went right through Norton's firewall even though the firewall was configured to block it. (Note: I have not verified this claim.)
      I myself have spent most of today trying to clean it off my laptop. I wanted to comment on Norton's failings on this. My system had crashed once before I received a LiveUpdate from Norton that immediately detected it. In other words it was slamming systems and Norton couldn't see it.

      Then even though I had followed all the steps to clean it off, including verifying that the registry key was cleared and that the msblast.exe was deleted, I was still getting the shutdowns. I'd also like to note that I was able to be online for a while without a crash if I avoided using any MS internet software. Using Opera and Mozilla I was able to stay on long enough to dl the updates and cleaner tools.

      --
      I'm too lazy to compose a creative sig.
    37. Re:shutdown /a by 1davo · · Score: 3, Funny
      In a knee-jerk reaction, I quickly downloaded the patch from Redmond and fired it up...

      Once I saw the messages saying "Pardon me while I inspect your system...

      Then some dialog box popped up with some message about third party blah blah blah.

      I came to my senses. Wait just a darn minute. I have not seen the effects of this worm/virus.

      So I killed the process. Bring on the RPC crap - it has to be a lot better than Bill drilling any deeper into my vanilla laptop used only for browsing the web.

      Whew - dodged another one...

      Windows & security - the double bind theory of computing.

  2. it hit me this morning! by baxterux · · Score: 2, Informative

    Posted an article about it here: http://www.baxter2.com/modules.php?name=News&file=article&sid=114 I have never seen a worm spread so fast! Dangerously fast.

    --
    who wants to rule the world?
    1. Re:it hit me this morning! by Theatetus · · Score: 2, Funny
      I have never seen a worm spread so fast!

      Somebody wasn't administering Windows-based networks back in 1999-2000. Ah, the heady days of damaging Office macros...

      Microsoft Developer 1: Hey, Fred, let's include in our Office suite a macro development environment that can access the entire OS's API!
      Microsoft Developer 2: Good idea, Jim, I'll get working on it. This should ensure that even the ditzy office manager can easily create executables that will take down the entire network!

      --
      All's true that is mistrusted
  3. Good timing... by tbase · · Score: 2, Interesting

    Someone in my office just gave me a screen shot of a shutdown timer on their computer at home. Anyone used the removal tool yet and had any luck with it?

    --

    666-607: 6th floor apartment of the beast
    1. Re:Good timing... by brejc8 · · Score: 5, Interesting

      The removal tool takes several minutes to run.
      Just apply the exact patch and remove the msblast.exe from your windows/system32 directory.
      Then run the tool afterwards to ensure it has gone.
      The exact patch needed is here:
      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

    2. Re:Good timing... by irc.goatse.cx+troll · · Score: 4, Funny

      Something similar happened to me yesterday. A friend of mine IMed me saying his computer kept saying it had 60 seconds to reboot, and something about RPC crashing. So I responded with a screenshot of dir c:\ running on his machine.
      Moral of the story: I'm an asshole.
      (For the record, I then told him where to get the patch, and how to cancel a running shutdown.)

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    3. Re:Good timing... by irc.goatse.cx+troll · · Score: 2, Informative

      shutdown -a in a console. You need to be administrator I believe. (Yes, that's -a, contrary to Windows' normal use of /a.)

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  4. Wrong link by JPelzer · · Score: 5, Funny

    Shouldn't the "Removal Tool" link point to a Linux ISO download site or something? I mean, this is slashdot... :-)

    1. Re:Wrong link by TopShelf · · Score: 2, Funny

      Preferably SCO's, right? Might as well burn up their servers...

      --
      Stop by my site where I write about ERP systems & more
  5. The Rise by mao+che+minh · · Score: 5, Funny
    DOOM-DOOM-DOOM-DOOM DOOM *PANG*
    DOOM-DOOM-DOOM-DOOM DOOM * PANG*

    At 10:06 AM, August 12th, 2003, Skynet launched dah Win32 Blaster Wahm. It quickly seized contrahl of ahh computers on the Net and forced a mahndatory reboot.

    OK this is getting old.....

    1. Re:The Rise by Anonymous Coward · · Score: 2, Funny

      Coincidence??

      Nope. The whole world revolves around your movie watching habits.

  6. Much better removal tool.. by _14k4 · · Score: 2, Funny

    fdisk
    format
    install FreeBSD or keep your copy of Winders up to date. :)

    1. Re:Much better removal tool.. by Anonymous Coward · · Score: 3, Funny

      I tried that and nothing happened ??

      Microsoft(R) Windows DOS
      (C)Copyright Microsoft Corp 1990-2001.

      C:\>fdisk
      'FDISK' is not recognized as an internal or external command,
      operable program or batch file.

      C:\>format
      Required parameter missing -

      C:\>install FreeBSD

      C:\>WTF !!!

  7. Honest question by lseltzer · · Score: 5, Insightful

    Dear all of you who are being hit by this attack:

    Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.

    1. Re:Honest question by CaptainBaz · · Score: 2, Interesting

      Because our proxy blocks .exe downloads. Yes, even from windowsupdate. No, really...

    2. Re:Honest question by killmenow · · Score: 3, Redundant

      (Better yet)

      To whom it may concern:
      Why aren't you blocking stupid useless open ports from the Internet? There are freely available tools if you insist on running Windows. Then again, most electronics stores sell standalone broadband firewall/routers. If you used one of those, you could take your time and patch whenever you feel like it...

      I tell all those in my circle of influence: never connect to the Internet without a firewall in place. It makes no difference what your host OS is. At the least, you should be running a host-based firewall like Zone Alarm or ipchains/ipfilter/etc. Even better is a standalone box that does nothing but firewall. It's just prudence...even on a simple home PC or LAN.

    3. Re:Honest question by caluml · · Score: 4, Insightful
      Why aren't you blocking stupid useless open ports from the Internet?

      Most people:
      What's a port?
      Do I have any?
      How can I check?

    4. Re:Honest question by jav1231 · · Score: 2, Informative

      Ummm..is it not functionally inhibitive to block port 80 on a webserver? That's the port this is using. It's using a DCOM exploit, not just standard RPC. JAV

    5. Re:Honest question by M.+Silver · · Score: 3, Insightful

      Because Windows bugs you to turn on Automatic Updates.

      A lot of people shut that off after a patch awhile back that smoked JavaScript. (And guess what? It requires JavaScript to perform Automatic Updates, so they couldn't download the patch that fixed the patch.) I mean, when the first "visible" thing the Update does brings your system to its knees, and requires you to pay a tech to fix it, Joe Average User is going to be a little confused about exactly how it's supposed to *protect* you from a virus that brings your system to its knees, and requires you to pay a tech to fix it...

      --

      Slashdot's token middle-aged housewife
    6. Re:Honest question by ANTI · · Score: 2, Informative

      1. Because I came back from vacation today. And didn't even make it through half of my email before my RPC service restarted _itself_.
      2. Because apt-get upgrade runs daily on my other systems and I'm just not used to _manually_ installing security updates.
      3. Because the exploit existed for at least 7 years ... and nothing ever happened.
      4. Because I'm within a corporate intranet with f..scking expensive cisco switches that could easily stop the worm on the medium.

      I could give you hundreds more,
      but it all boils down to:
      This shouldn't bother me - the user - not at all.

      --
      On the other side of the screen it all looked so easy.
    7. Re:Honest question by AKnightCowboy · · Score: 2, Insightful
      Why didn't I install the patch? Because, quite frankly, I don't want to spend a couple hours a week patching my machines.

      Don't be ridiculous. For one thing it doesn't take that long to run Windows Update once a week, and for another you could just use auto update if you're that lazy. Have it run at 3am and download+update any new critical patches. Hopefully on newer versions of Windows they will make that the default so Mom and Pop don't have to even worry about it.

      When your computer connects to the Internet it'll automatically download patches and apply them. In fact, you shouldn't have a choice whether it does it or not. Maybe make it a complicated registry hack to shut it off. Too many people are lazy or inept and don't apply patches which results in worms like this spreading.

    8. Re:Honest question by killmenow · · Score: 2, Funny

      My Grandma is definitely a keeper. She wouldn't touch a computer. She just found out there's this thing called "cable" for your TV...although she's not very fond of it.

    9. Re:Honest question by Maserati · · Score: 4, Insightful

      I had to explain ports and firewalls to one of our Account Services people yesterday. My analogy was a company with one main number and everyone else on extensions behind that number. So if calling their number (IP address) and asking for extension 80 (port) lets you talk to Janie (900.69.69.69:69) then that's just like connecting to a web server at an address:port combination.

      Specifically, we were trying to figure out if a client's BOFH was a BOFH, a PFY or a PHB. We think he's a PHB since there's a lot of money (cash and obligations) sunk into a project that needs a port opened in their firewall and he won't/can't/hasn't opened it up yet.

      This may still be better than the other (former) client who put two people in our office using VPN to connect to their home network... and then changed their proxy configuration without telling anyone (like their helpdesk). It took me a week of phone tag to get one of their network analysts to finally say "OK, try this". Then they sent her an XP laptop with that setting locked into the old-and-wrong setting. I think she had to ship it back since they wouldn't cut loose with the admin password. Neither would I, but the box would have worked before I sent it out. We aren't suing them for specifically "rampant idiocy", but that MUST be a factor. We're suing them, a spokesfigure was perp-walked recently and business is way down. I wonder how long they'll manage to stay out of Chapter 11.

      Stupid people suffer.

      --
      Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
    10. Re:Honest question by Ilgaz · · Score: 4, Insightful

      Well, I wonder why MS opens RPC (135) to the outside world.

      Yes yes, services use it, as Steve Gibson's saying "impossible to close without firewall" ...

      Don't blame people not using a firewall, they are mostly newbies, e.g. XP Home users. Ask the real question: Why do you open a port to the outside world by default OS install?

      Everyone knew port 135 would be exploited in a real bad way before, that was just a matter of time.

      If the OS is a client only, do not turn on RPC listening on port 135... Is it THAT hard?
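      A defender-side check for the point made above about port 135 being reachable, as an added example that is not part of this thread or anyone's post in it: the script below reads firewall drop logs in a constructed, assumed field layout and flags sources sweeping TCP/135 across many hosts (the spreading pattern of this worm), and counts which hosts are being probed on that port. The log format, sample lines, window and threshold are all assumptions made here.

```python
"""Detect hosts sweeping TCP/135 (the RPC endpoint mapper this worm exploits)
from firewall drop logs. Added example; the log layout and sample lines are
constructed here and are not taken from any real firewall product."""
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PORT = 135                       # RPC endpoint mapper, the port the worm targets
SCAN_WINDOW = timedelta(seconds=60)  # assumed: window in which "many targets" counts
SCAN_THRESHOLD = 8                   # assumed: distinct targets per window to flag

# Constructed sample log (not a real capture). Assumed field layout per line:
#   <date> <time> <action> <proto> <src-ip> <dst-ip> <src-port> <dst-port>
# 192.0.2.77 is an infected host sweeping a /24; the other sources are noise.
SAMPLE_LOG = """\
2003-08-12 10:06:00 DROP TCP 192.0.2.10 198.51.100.5 1033 80
2003-08-12 10:06:01 DROP TCP 192.0.2.77 198.51.100.1 1040 135
2003-08-12 10:06:01 DROP TCP 192.0.2.77 198.51.100.2 1041 135
2003-08-12 10:06:01 DROP TCP 192.0.2.77 198.51.100.3 1042 135
2003-08-12 10:06:02 DROP TCP 192.0.2.77 198.51.100.4 1043 135
2003-08-12 10:06:02 DROP TCP 192.0.2.77 198.51.100.5 1044 135
2003-08-12 10:06:02 DROP TCP 192.0.2.77 198.51.100.6 1045 135
2003-08-12 10:06:03 DROP TCP 192.0.2.77 198.51.100.7 1046 135
2003-08-12 10:06:03 DROP TCP 192.0.2.77 198.51.100.8 1047 135
2003-08-12 10:06:03 DROP TCP 192.0.2.77 198.51.100.9 1048 135
2003-08-12 10:06:04 DROP TCP 192.0.2.77 198.51.100.10 1049 135
2003-08-12 10:06:05 DROP TCP 192.0.2.20 198.51.100.1 2001 135
2003-08-12 10:09:30 DROP TCP 192.0.2.20 198.51.100.2 2002 135
2003-08-12 10:12:00 DROP UDP 192.0.2.30 198.51.100.1 5000 135
2003-08-12 10:15:00 DROP TCP 203.0.113.9 198.51.100.1 3344 135
"""


def parse_line(line):
    """Return a dict for one log line, or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 8:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "action": parts[2], "proto": parts[3],
                "src": parts[4], "dst": parts[5],
                "sport": int(parts[6]), "dport": int(parts[7])}
    except ValueError:
        return None


def rpc_attempts(lines):
    """Yield only parsed TCP/135 records; everything else is irrelevant here."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == RPC_PORT:
            yield rec


def find_rpc_sweeps(lines, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Map each source that reached >= threshold distinct destinations on
    TCP/135 inside one `window` to the largest such count. A single host
    fanning out to many RPC ports in seconds is the worm's propagation."""
    by_src = defaultdict(list)
    for rec in rpc_attempts(lines):
        by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                targets.add(dst)
            if len(targets) >= threshold:
                sweeps[src] = max(sweeps.get(src, 0), len(targets))
    return sweeps


def probed_hosts(lines):
    """Count TCP/135 attempts per destination: which hosts are being
    hammered on the RPC port, i.e. where exposure matters most."""
    counts = defaultdict(int)
    for rec in rpc_attempts(lines):
        counts[rec["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in find_rpc_sweeps(lines).items():
        print(f"sweep: {src} hit {n} hosts on TCP/{RPC_PORT} within {SCAN_WINDOW}")
    for dst, n in sorted(probed_hosts(lines).items()):
        print(f"probed: {dst} {n} attempt(s) on TCP/{RPC_PORT}")
```

      The slow second source (192.0.2.20) is only flagged if the window is widened and the threshold lowered, which is the tuning trade-off between catching a cautious scanner and paging on ordinary RPC chatter.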

    11. Re:Honest question by jafuser · · Score: 2, Interesting

      I honestly begin to wonder if security is deliberately kept as a minimal concern with Windows so that people who own versions of the operating system that have fallen out of support are *forced* to upgrade.

      What recourse does a person running an older version of windows have if their "obsolete" operating system becomes completely unusable due to prominent exploits?

      This could be especially problematic if you are depending on some really complicated applications which will not run on the newer operating systems.

      --
      Please consider making an automatic monthly recurring donation to the EFF
    12. Re:Honest question by andrewmc · · Score: 3, Insightful
      Why hadn't you applied the patch before?

      Because it's not always that easy. Have you ever tried convincing very busy people to apply a patch when Windows Update has completely screwed their machine twice before? They'd rather risk spending an hour cleaning up after than risk another full day reinstalling and reconfiguring their machines. Having seen what happened the last time, I can understand their point of view (even if I don't agree myself).

    13. Re:Honest question by wfrp01 · · Score: 4, Funny

      What's a port?
      Do I have any?
      How can I check?


      A place where ships are safe from storms. See also 'port of entry'.
      You have an output port on your behind.
      Do yoga.

      --

      --Lawrence Lessig for Congress!
    14. Re:Honest question by jafuser · · Score: 2, Funny

      That said, none of my machines have been infucted

      Was that a deliberate misspelling? =)

      --
      Please consider making an automatic monthly recurring donation to the EFF
    15. Re:Honest question by Anonymous Coward · · Score: 3, Interesting

      Anonymous for obvious reasons.

      Until the end of last week, every machine at my work except my own, and those of two others in my group, was vulnerable (tested using the eEye scanner - nice tool BTW.) Everything else, including the crappy Exchange server, our sales lead database, the NOC helpdesk database and several other useless Windows servers, and of course all the desktops and road warriors' laptops were vulnerable. I kicked up shit over it, but the tech. dept (I'm a security consultant... the employer is a managed services security corporation...) didn't seem to grasp any idea of the urgency of the problem.

      Eventually I got into trouble. My boss asked me what I was working on - I told him & added "oh, and the other non-chargeable stuff of course." "_what_ non-chargeable stuff?" "Well, for starters I'm trying to make sure we get patched against the gaping DCOM hole." (blank look, brief explanation of the problem.) "That's someone else's problem, you're not paid to worry about things like that!" I gave him a printout of the eEye tool's report, showing "VULNERABLE -VULNERABLE -VULNERABLE" all down the list. I pulled up a command prompt on the mail server. He got it. The next morning I got a call from tech asking for help with the fix, what was the problem, best fix for it, etc etc. The boss had passed the list on to tech.

      Now, I have a sudden unexpected "review meeting" scheduled with the BIG boss. Guess what's going to happen? I'm going to get a strip torn off me for (a)noticing, (b) caring and (c) doing something about this enormous problem which could conceivably have wiped out the company. Bitter? However did you get _that_ idea?

      I fuckin' HATE corporate politics. But most people just seem to go along with it as a necessary evil, and politics dictates that if you see the tech department screwing up, you LET THEM, so that your boss and their boss can score points off them in the grand willy-waving competition that passes for normal life in such places.

      This is a security company - and I've done something wrong.
      *sigh* sometimes I despair for humanity.

  8. Nasty little bugger by snack · · Score: 5, Informative

    I've been helping my friends get this NASTINESS off of their machines too.

    Something else you might want to try is booting into safe mode (F8 right when the Windows splash screen pops), deleting the registry entries and the virus run program (msblast.exe). Also please... PLEASE patch your computer.

    When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didn't even know about (Spybot.worm).

    -Tim

    1. Re:Nasty little bugger by ChiChiCuervo · · Score: 2, Informative

      I discovered spybot on a friend's computer last Saturday. It appears to be a "prequel" to our friend slammer here. My guess is that spybot created a number of staging hosts in order to quickly propagate slammer yesterday afternoon.

      However, there are a lot of nasty little payloads that spybot brings in. I'd recommend googling for msconfig35.exe for removal instructions for the spybot payload.

  9. Cancelling this problem by UnassumingLocalGuy · · Score: 5, Informative

    Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

    C:\WINDOWS>shutdown -a now

    Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.

    --
    "Hu, ho, ho-ah-oh-oh-oh. Hu, ho ho-ah-oh-oh-oh. Mario Paint! Whoaaa!"
    1. Re:Cancelling this problem by rkz · · Score: 2, Informative

      You don't need the "now"; this is not Unix.

  10. A BBC link by azzy · · Score: 3, Informative

    Another article here

  11. Virus by Anonymous Coward · · Score: 5, Funny

    If this thing wouldn't keep crashing computers, it would be spreading like greased wildfire.

  12. It is not easy, one stop! by Eric+Ass+Raymond · · Score: 5, Informative
    The patch does not appear to work properly.

    Read more on SecurityFocus' mailing list.

  13. RPC? by Quasar1999 · · Score: 3, Informative

    Funny, a few days ago I had my XP system exhibit the same problem (after using windowsupdate)... but I checked the event log and it told me that 0x70/0x71 was accessed by the BIOS unexpectedly.

    After doing a bit of research I discovered that at some point, Microsoft decided that ACPI needs to behave differently, and forced all BIOSes to be upgraded to work with XP. After getting a new version of my BIOS, the problem disappeared... but the symptoms were identical to what is described with this bug... Bad timing I guess... But if you have this problem, check the event log, it may be your now non-compliant BIOS, rather than an infection/attack.

    --
    Programming is like sex... Make one mistake and support it the rest of your life.
  14. In addition... by OrthodonticJake · · Score: 4, Informative

    My friends and I discovered that turning on your windows firewall (Windows XP) also stops the shutdowns. (Wish I had known that BEFORE I formatted my computer) Unfortunately, I told my parents about this 'epidemic' of computer error (I heard about it from my cousin in Kansas before it happened to me, and then some friends here got it at the same time), and I'm sure that now whenever something is wrong with the computer my parents will get a big serious face and say "You know, it's probably an epidemic".

    --
    I regularly report MSN spam to the Hotmail admins.
    1. Re:In addition... by iworm · · Score: 2, Insightful

      Yup! I know it is fun to bash MS (and generally easy) but XP has a quite decent firewall built-in, if only people would turn the damn thing on!!

      I think that it would be sensible to have it enabled by default, but obviously Microsoft think otherwise. And yer-average punter won't even know what it is, let alone enable it. Shame, 'cos it works OK.

  15. Re:Fscking Windows. by Overly+Critical+Guy · · Score: 2, Insightful

    Please. I still remember when my system got hosed by a sendmail hole.

    --
    "Sufferin' succotash."
  16. also by BigBir3d · · Score: 5, Informative

    Internet Storm Center

    Microsoft Bulletin

    Note this is marked "Critical" now...

  17. Risky business by Doesn't_Comment_Code · · Score: 2, Insightful

    I had to patch several computers at work, and I noticed that the patch installer software says something at the beginning like,
    "Back up all your harddrives, we are not responsible if this program breaks your entire computer. Do you Accept?"

    Well in the middle of a virus scare, nobody has time to back up every machine in the office. So that really doesn't make me feel comfortable. So far, so good though. No broken computers as of yet.

    But another scary thought that crossed my mind while installing the patch... What if those smooth criminals had gotten into the Microsoft servers and put a virus into that patch installer? That would be a killer!

    If you need to use Windows, you might as well use win98.

    --
    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    1. Re:Risky business by DrRiffic · · Score: 2, Interesting

      there is no RPC in win9x

      win9x is not affected by this vuln

      read -> comprehend -> post

  18. Nice touch. by bbum · · Score: 3, Informative

    From Symantec's analysis:

    If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

    With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.


    Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?

    Nahh....

    1. Re:Nice touch. by fizbin · · Score: 2, Insightful
      Could/Would this be illegal and/or dangerous?

      In the form you described, yes.

      It is a significantly more gray area if you were to listen for attempts on your machine and, after receiving an active probe (not just a SYN packet, because single SYNs are very fakeable), hit the attacking machine with something that used this vulnerability to wipe out the virus.

      If you want to stretch things, it might even be acceptable to then download and install the Microsoft security patch (although that's pushing things a bit). Maybe. Much more acceptable would be to replace the worm with something that looked sufficiently like the worm to prevent re-infection, but did nothing.

      However, creating and releasing a "beneficial virus" is just flat out illegal and dangerous. Have you ever written code that worked exactly as it was supposed to, on systems you've never seen? Have you ever gotten a piece of code bug-free before the first large test? Have you ever created a binary that someone could look at and easily verify behaved exactly as advertised?

      The idea is that so long as you are disarming a machine that has directly attacked one of your machines, you are on defensible moral (IANAL, so I won't talk about legal) ground. However, forcing an update on a third party, or even doing more than the minimum necessary to disarm the machine attacking you, places you in the same category as the original virus writer - you cannot know all the effects of your actions, therefore doing more than the absolute minimum necessary is irresponsible.
  19. A little something they left out... by EvilNight · · Score: 5, Informative

    If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.

    --
    Hell is being intelligent in a world full of idiots.
    1. Re:A little something they left out... by BrainInAJar · · Score: 4, Informative

      Turn off the timer.

      Right-click on My Computer, go to Manage, in the Services & Applications tab, go to Services, right-click Remote Procedure Call (RPC), Properties. In the Recovery tab, change all the things that say "Restart the Computer" to "Take No Action".

  20. Windows Update slashdotted? by chiph · · Score: 2, Informative

    Having trouble getting out to Windows Update. Looks like a lot of people are taking this one seriously.

    Chip H.

    1. Re:Windows Update slashdotted? by javatips · · Score: 4, Funny

      or maybe the machine reboots every 60s

    2. Re:Windows Update slashdotted? by cybercuzco · · Score: 2, Interesting

      Actually Symantec says that the virus will also DDoS the Windows Update server if it's August OR after the 15th of the month. So since it's August, it's probably much more intense than a usual slashdotting considering the amount of people with this virus.

  21. Coincidence by ctid · · Score: 2, Flamebait

    A few minutes ago (about 14:45 my time), I tried this:

    grep "DPT=13[5-9]" messages | grep -c "Aug 12"
    643

    Then I tried this:

    grep "DPT=13[5-9]" messages | grep -c "Aug 11"
    643


    So it took less than 15 hours to reach yesterday's 24-hour total. Doesn't look too good. I suspect that fixing this will prove to be way beyond the abilities of a huge proportion of home users of Windows. Anyone who says that "Linux isn't ready for your Grandma" or whatever, should be forced to do community service for a week fixing this crap.

    --
    Reality is defined by the maddest person in the room
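The same per-day count as the two greps above, done over constructed iptables/syslog-style lines in Python (an added example, not from the post or the page). It anchors the port number so that a line such as DPT=1350 is not counted by a pattern meant for 135-139, tracks distinct source addresses, and compares the partial day's hourly rate with the previous full day; hostnames and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines (hypothetical firewall "fw", RFC 5737 test addresses).
# They stand in for the "messages" file the post greps; the DPT=1350 line is
# there to show why the port must be anchored.
SAMPLE_LOG = """\
Aug 11 03:12:41 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3217 DPT=135 SYN
Aug 11 09:40:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=1033 DPT=135 SYN
Aug 11 14:05:17 fw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=4000 DPT=80 SYN
Aug 11 22:58:30 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1201 DPT=139 SYN
Aug 12 00:07:55 fw kernel: IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.5 PROTO=TCP SPT=1101 DPT=135 SYN
Aug 12 06:30:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.15 DST=198.51.100.5 PROTO=TCP SPT=2044 DPT=1350 SYN
Aug 12 11:14:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.16 DST=198.51.100.5 PROTO=TCP SPT=3345 DPT=135 SYN
Aug 12 14:02:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.17 DST=198.51.100.5 PROTO=TCP SPT=1500 DPT=135 SYN
"""

# Syslog timestamp, then SRC= and DPT= fields; \b after the port digits keeps
# "DPT=1350" from matching a search for DPT=135.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}"
    r".*\bSRC=(?P<src>[\d.]+)"
    r".*\bDPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Return (day, hour_as_float, src, dpt) for a firewall log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    day = f"{m['mon']} {int(m['day'])}"          # e.g. "Aug 12"
    hour = int(m["hh"]) + int(m["mm"]) / 60.0    # e.g. 14.03 for 14:02
    return day, hour, m["src"], int(m["dpt"])


def summarize_probes(log_text, ports=range(135, 140)):
    """Per-day hit count for the given destination ports (135-139 by default),
    the distinct source addresses per day, and the hour of each day's last hit."""
    hits = Counter()
    sources = defaultdict(set)
    last_hour = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, hour, src, dpt = rec
        if dpt not in ports:
            continue
        hits[day] += 1
        sources[day].add(src)
        last_hour[day] = max(hour, last_hour.get(day, 0.0))
    return hits, sources, last_hour


def rate_per_hour(hits, last_hour, day, full_day=False):
    """Hits per hour; a partial day is normalised by the hour of its last hit."""
    if hits.get(day, 0) == 0:
        return 0.0
    span = 24.0 if full_day else max(last_hour[day], 1.0)
    return hits[day] / span


def compare_days(log_text, yesterday, today):
    """Return (yesterday_hits, today_hits, today_rate / yesterday_rate), where
    yesterday is treated as a full 24 hours and today as a partial day."""
    hits, _, last_hour = summarize_probes(log_text)
    y_rate = rate_per_hour(hits, last_hour, yesterday, full_day=True)
    t_rate = rate_per_hour(hits, last_hour, today)
    ratio = t_rate / y_rate if y_rate else float("inf")
    return hits[yesterday], hits[today], ratio


if __name__ == "__main__":
    y, t, ratio = compare_days(SAMPLE_LOG, "Aug 11", "Aug 12")
    print(f"Aug 11: {y} hits (24h)   Aug 12 so far: {t} hits   rate x{ratio:.2f}")
```

A ratio above 1 means the partial day is already ahead of yesterday's hourly pace, which is the comparison the post draws from its two counts.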
    1. Re:Coincidence by Politburo · · Score: 2, Funny

      Anyone who says that "Linux isn't ready for your Grandma" or whatever, should be forced to do community service for a week fixing this crap.

      Fine with me, so long as you're ready to help my grandparents (and parents, and uncles, and..) install and setup Linux!

      If you're one of the people that uses Linux as an excuse to not help people with Windows, guess what, you *don't* want normal people moving to Linux! You will suddenly be the tech support go-to guy again. Except this time you'll have to explain how to setup IPTables. Good luck!

      This bug doesn't change the fact that Linux isn't ready for our grandparents.

  22. Echoes by saskwach · · Score: 3, Informative

    Why-oh-why can't people patch? Shouldn't broadband providers be sending emails to their clients with a link in them? You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail. Even the most clueless of windows users can click on a link and then click the "Yes" button. I can see my logs filling with failed attempts to bring down my machine already...

    1. Re:Echoes by fishbert42 · · Score: 5, Funny

      'You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail.'

      Actually, in my hotmail spam repository account I already do get tons of messages saying things like that. But, I don't think they're talking about computer security. =)

    2. Re:Echoes by pjt48108 · · Score: 2, Insightful

      "Why-oh-why can't people patch? Shouldn't broadband providers be sending emails to their clients with a link in them?"

      People don't patch because, quite simply (not that it is true by any means), Windows is supposed to be perfect already, needing no further work. "Where do you want to go today" (besides offline)?

      Also, I would hazard to guess that most broadband providers don't know the email addresses of their customers (would YOU give up your addy to Comcrap? Not ME, bub!). Broadband providers care not a bit about communicating with customers, unless it is to request payment for services rendered.

      "You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail. "

      Microsoft runs Hotmail. I have a Hotmail account, but I use an iMac, therefore it doesn't apply to me, so I would not want to get that message.

      Besides... It would be just another message in my/your 'other Hotmail folder,' meaning it would be ignored as just another spam mail.

      I agree with an earlier post, though. Everyone who says "Linux isn't ready for your grandma" should be forced to do community service cleaning this crap up. AND maybe doing weekly patches on all the Wintel machines in his/her neighborhood. AND maybe making sure certain ports are closed on those same PCs.

      I could go on (but I won't).

      --
      Mmmmmm... Bold, yet refreshing!
    3. Re:Echoes by AbbyNormal · · Score: 2, Interesting

      Isn't this a little like your Electric Company reminding you to not make toast while taking a bath?

      It ain't their job... it's just common sense.

      --
      Sig it.
    4. Re:Echoes by doon · · Score: 2, Insightful

      To play the bad guy here, if people got used to doing this, all you need to do is fake an e-mail to said ISP's customers along with a link to some site that installs an even better worm/virus/spyware/malware/etc... The "ohh shiny"...Click syndrome would strike big time. Remember these are the same people that wind up giving out their CC/Paypal account info because of an "Official" looking e-mail.

      Now how is the ISP going to keep track of what their customers run? How are we supposed to get in touch with them? Looking at our maillogs (I admin a small, 13K or so ISP), half of our customers don't even check the e-mail we provide them; their boxes just sit and collect spam until they hit quota. So it would be for naught. Even when we do send out e-mails most people ignore them anyway. Or call tech support to ask what they have to do.

      Enough babbling out of me. I guess I need a lot more sleep, the 2 hours last night is nowhere near enough.

      --
      To E-mail me, replace the first period in my domain with an @
  23. Will it halt the Internet? by mao+che+minh · · Score: 3, Informative

    No, it shouldn't. This worm isn't clogging up bandwidth or DoS/DDoS attacking routers and web servers like Code Red and Nimda did. This is just making WinNT and greater workstations and servers (should you actually be using a Windows OS on a server that isn't heavily protected) reboot.

    1. Re:Will it halt the Internet? by MarcQuadra · · Score: 2, Insightful

      I'm inside a major bank right now (3rd biggest in USA?), and our entire network is having issues. I keep having to disconnect from the proxies and reconnect because they're dropping my connections. I don't think there are many machines on the inside with the worm, and under 5% of our machines are NT-based (the rest is win98, on Novell/NT servers).

      It seems that the only machines inside that have this are portables, which probably picked it up from the outside, and some departments who run their own servers for testing and development (and often have under-the-radar links to the outside so the dept. admins can play with them). InfoSec is pulling the plug on anything that shows symptoms, which means that servers keep disappearing and reappearing. The PC-support work queue in Rhode Island usually has 3-10 items in it, and I'm counting 40 right now.

      I'm also getting calls from remote sites connected through frame-relays that are saying they can't access anything reliably if it's off their LAN.

      I'm quite thankful for our InfoSec folks, and the fact that we use Novell for most servers, I'll be sad to see it go to XP/2003 in the fall...

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  24. Worm by WesLsoN · · Score: 2, Informative

    I run an ISP in Virginia, it's nailing all of our Windows XP users.

  25. This thing hit our customers yesterday... by Snarfangel · · Score: 5, Funny

    I work at an ISP, and over half of our tech support calls yesterday were because of this worm. You wouldn't believe the number of people who thought we were somehow going into their computer and not only kicking them off the internet, but rebooting their computers. (Yes, sir, the tech support staff feels horribly underworked today, so we thought we'd make things more exciting and pi** off a few customers in the process.) I hope they find the person involved and perform medical experiments on him.

    --
    This tagline is copyrighted material. Please send $10 for an affordable replacement.
    1. Re:This thing hit our customers yesterday... by brakk · · Score: 2, Funny

      pi**

      Just say it. PISS PISS PISS

      Slashdot doesn't restrict any words. If you want to protect people from your "bad" language, then change your wording.

  26. Just seen an ATM affected... by mccalli · · Score: 5, Funny
    Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Canon Street and Poultry.

    Then try, really, really hard to stop laughing...

    Cheers,
    Ian

    1. Re:Just seen an ATM affected... by Zak3056 · · Score: 4, Insightful

      Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Canon Street and Poultry.
      Then try, really, really hard to stop laughing...


      I don't know why I have to point this out, but that's NOT funny--it's freaking SCARY.

      --
      What part of "shall not be infringed" is so hard to understand?
    2. Re:Just seen an ATM affected... by pubjames · · Score: 2, Interesting

      There was a trial about ten years ago. A retired policeman went on holiday and whilst he was away his money was taken from his Halifax account via an ATM. Halifax took him to court because they said that their security was infallible and the man must have given his ATM card to someone to extract money whilst he was on holiday to defraud the Halifax. The man lost.

      I actually met the person who was an expert witness on the trial for the defence. He was a specialist in IT security for banks and a good man, but he said it was impossible to get the jury to understand the complexities involved in ATM security. He was as you can imagine very sad that the man he was defending had lost.

      I can't find anything on Google about it. It must have been 1992 or '93 I guess.

    3. Re:Just seen an ATM affected... by doon · · Score: 2, Insightful

      Hopefully the ATM isn't on the Internet, and it is on a private network that has infected hosts on it.

      If it was just out on the net and got hit by that I would be pulling all my money from that bank rather quickly.

      --
      To E-mail me, replace the first period in my domain with an @
    4. Re:Just seen an ATM affected... by Mr_Silver · · Score: 2, Informative
      There was a trial about ten years ago. A retired policeman went on holiday and whilst he was away his money was taken from his Halifax account via an ATM. Halifax took him to court because they said that their security was infallible and the man must have given his ATM card to someone to extract money whilst he was on holiday to defraud the Halifax. The man lost.

      Good memory!

      His name was John Munden and it was October 1992.

      Some articles are here and here about it.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    5. Re:Just seen an ATM affected... by Anonymous Coward · · Score: 2, Insightful

      specifically, running it on an ATM that's connected to the Internet...

    6. Re:Just seen an ATM affected... by Dalcius · · Score: 3, Insightful

      An ATM running an open and unpatched SMB on a network that, directly or not, is exposed to the internet...

      Some things are completely understandable. But this just makes me want to sit down with the IT guy who dreamt this up and ask him what the hell he was thinking.

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    7. Re:Just seen an ATM affected... by Zak3056 · · Score: 3, Insightful

      No it isn't. Seriously. While it would certainly inconvenience you if the ATM were to crash while you're using it (including up to a lost card, if it's an older machine that still "takes" the card instead of swiping it), the transaction model should ensure that even if a machine were to crash or be disconnected in the middle of a transaction, the transaction will be completely unrolled. That's the point of transactions, and these machines are designed to deal with failures.

      You're wrong--it's not scary that the ATM is running Windows. It's not even scary that the ATM is in a reboot loop. What's scary is the ATM is connected to a public network (or connected to machines connected to the public network) such that it was able to contract this virus.

      Inconvenience has NOTHING to do with it.

      --
      What part of "shall not be infringed" is so hard to understand?
  27. Re:Fscking Windows. by Jellybob · · Score: 2, Informative

    Nothing like this would ever happen on a UNIX platform like Linux.
    I'm still using Linux 7.2, and that's rock solid. Never had to update it.

    Yeah... nothing like that.

    Other of course than the multitude of root kits out there, sendmail holes, bind holes, apache holes, anything else holes.

    And yeah. Linux 7.2 - guess you haven't been around long enough to remember.
  28. on national television just a few minutes ago by Basje · · Score: 2, Insightful

    RTL Z (national television, all day business news), the Netherlands, this afternoon:

    It was said that if you valued security, Microsoft wasn't the best solution. You'd be better off with Apple or Linux.

    This could very well be a (another) turning point for linux. Of course, by the time something like this happens to Linux, everybody is going to run the other way again, but it could give OS some inroads.

    --
    the pun is mightier than the sword
  29. Virus, not starring Jamie Lee Curtis. by Channard · · Score: 3, Funny

    Man, it's almost as bad as that Teddy Bear virus *cough*

  30. You got the wrong security bulletin by daun3507 · · Score: 5, Informative

    While you should have the MS03-010 patch installed, it is the wrong one for this worm. Make sure you use MS03-026. This is the patch that it links to in the removal tool link.

  31. Precisely by Overly+Critical+Guy · · Score: 5, Insightful

    There was even a Slashdot article about the exploit. It was such a big deal because it was the first and only vulnerability for Windows Server 2003 so far.

    All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.

    If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...

    --
    "Sufferin' succotash."
    1. Re:Precisely by aug24 · · Score: 4, Insightful
      I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.
      Did you merrily click past the EULA that said if it destroyed your system and data it wasn't MS's fault or responsibility? Did you install on one box and then do a complete round of System Test, or did you just blindly trust MS?

      J.

      --
      You're only jealous cos the little penguins are talking to me.
    2. Re:Precisely by antibryce · · Score: 2, Insightful
      My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network...


      Because MS patches are often just as poorly written as their base software is? Patches take time to roll out on production servers because they have been known to break things.

    3. Re:Precisely by zoombat · · Score: 3, Interesting
      I can't think of any reason why someone shouldn't be doing the same to their Windows network

      Your point is certainly valid, but what makes this particular problem frustrating is not that it was a widely publicized hole, but that Microsoft's tools (e.g. Windows Update) for checking patch status are wholly inadequate. There has been a fair amount of discussion on NTBugTraq on this point leading up to the worm discovery.

      Also, 30 days to test and implement a patch on mission-critical production systems is sometimes more difficult than it seems like it should be.

    4. Re:Precisely by aug24 · · Score: 2, Informative
      I'm an idiot? You don't even know to capitalise the first letter in a sentence!

      MS have released broken patches in the past you moron. Hence big businesses don't usually let admins apply patches to production machines without regression testing, hence my question. That's one reason why it takes so long for patches to get applied.

      Also, I wasn't comparing any OS with any other, so leave out the 'Linux is just as bad' rant. How old are you?!

      J.

      --
      You're only jealous cos the little penguins are talking to me.
    5. Re:Precisely by aug24 · · Score: 2
      Do you do this for every piece of software you install from reputable sources?

      Firstly, MS patches have been broken before, so they're not that reputable. Plus they have ten times as many problems as, for example, Sun.

      Now on to the main point: You've never worked for a big corporation have you? That's exactly what happens. Of course I don't at home, but I'm not going to worry too much if I have to reinstall one machine - big corps have thousands and hence need to do full regression tests, which is why the MS patch-of-the-week is such a pain.

      J.

      --
      You're only jealous cos the little penguins are talking to me.
    6. Re:Precisely by Overly+Critical+Guy · · Score: 2, Insightful

      I mention Linux because it's a double standard here. The fact you use the word "jabbering" tells me I clearly struck a nerve.

      Call me incompetent if you want. It's incompetent not to install "critical" updates from the company who made your freaking operating system. My network went 100% untouched. You're the one whining.

      --
      "Sufferin' succotash."
    7. Re:Precisely by Slime-dogg · · Score: 2, Insightful

      Heh. Not only can MS updates break things, there are other factors that come into play here. We have an http uploading control that we use in conjunction with a web application. It relied upon IIS's willingness to accept malformed HTTP headers (there was an extra null character appended to the end). It was a bug that was uncaught, because IIS accepted those headers.

      MS released a patch about a month ago that tightened the security of IIS. I've got no problem with that. Instead of accepting malformed headers, it denied all of them. This broke the control that we were using, causing a down time for our production application.

      It probably cost us a bit of money. It was not directly caused by a MS patch, I'm more inclined to blame the company that produced the control. The fact of the matter, however, was that a MS patch was applied without being tested in a production environment. Something broke. It's best to do some QA on your systems before updating, even if MS isn't the one at fault. It's just good practice, and can save your butt in the long run.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  32. Another useful tool by snake_dad · · Score: 2
    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
  33. There are several reasons... by aug24 · · Score: 4, Insightful
    Have you met many people who are MS sysadmins? A good proportion of those that I have met are Joe User types who have knowledge of how to set up, auto-reboot and backup machines, and not a lot more.

    Windows is easier to pick up, but just as hard, possibly harder, to maintain than *nix. So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day to day.

    Combine that with the sheer number of severe and critical patches MS expects you to apply, each of which must go through regression testing before deployment, and you can see why sticking the ol' head in the sand looks appealing...

    J.

    --
    You're only jealous cos the little penguins are talking to me.
    1. Re:There are several reasons... by Tyler+Eaves · · Score: 4, Insightful

      2 "windows" holes versus 9 "linux" holes?

      How many of those Linux holes were in the core operating system (IE, kernel + GNU tools)? I'm willing to bet zero.

      Does Windows still have 2 holes once you factor in Exchange, Outlook Express, IIS, IE, Office, SQL Server etc?

      --
      TODO: Something witty here...
    2. Re:There are several reasons... by aug24 · · Score: 2, Insightful
      I honestly didn't mean that to sound MS bashing - that's just my analysis. It's no excuse, but lots of companies do employ unskilled-ish people to admin their Windows machines, cos they can do the basics.

      Anyway: Linux had nine? Bollocks. I'm sure various packages associated with Open Source had vulnerabilities, but the kernel? No. Prove me wrong.

      J.

      --
      You're only jealous cos the little penguins are talking to me.
    3. Re:There are several reasons... by Surreal_Streaker · · Score: 4, Funny
      How many of those Linux holes were in the core operating system (IE, kernel + GNU tools)?

      IE is not a core part of the core Linux operating system no matter what you've heard.

    4. Re:There are several reasons... by koa · · Score: 4, Insightful

      Here's another problem I see with this whole thing. WHY does this patch REQUIRE a reboot after installation? One would think that by 2003 production server uptime would at LEAST be somewhere on the minds of the people in Redmond! I mean, look- you stop the affected service (Windows can do this y'know!) then you replace files.. then START the services back up. I would write more in this post but I accidentally moved my mouse and I need to reboot my machine for the changes to take effect!

      --
      ....move along....nothing to see here....
    5. Re:There are several reasons... by p00ya · · Score: 3, Insightful
      Have you met many people who are MS sysadmins? A good proportion of those that I have met are Joe User types who have knowledge of how to set up, auto-reboot and backup machines, and not a lot more.
      Just like a good proportion of the people who call themselves "linux sysadmins" I know have managed to work their way through the mandrake or redhat install process and are able to declare that they have triumphed against "M$" and that they are right now basking in the freedoms of open source and Free software. Armed with a knowledge of how to use KATE to edit whatever they can get their hands on in /etc/ to the point where they can setup proftpd and an httpd on their home box, they can then find their way into maintaining small-business webservers. To which,
      So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day to day.
      applies just as easily. C'mon, MCSE quals aren't rocket science, but you can afford the windows sysadmins some dignity. It's not so much about the OS itself, it's about who's using it.
    6. Re:There are several reasons... by p00ya · · Score: 2, Interesting
      How many of those Linux holes were in the core operating system (IE, kernel + GNU tools)? I'm willing to bet zero.
      I seem to be doing quite well with all the boxes I can still root using the ptrace kernel exploit. That's one ;)
  34. CERT advisory notice.... by JaJ_D · · Score: 3, Informative

    The Cert advisory can be found here

  35. to disable the forced shutdowns...(XP) by j0se_p0inter0 · · Score: 5, Informative

    Start\Settings\Control Panel - Administrative Tools. Services. Right-click "Remote Procedure Call (RPC)" and hit Properties. Click the Recovery tab. Set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". That will keep it from trying to reboot as you clean. Good luck.

  36. screenshots on msblast by baxterux · · Score: 5, Informative
    --
    who wants to rule the world?
  37. Also....... by JaJ_D · · Score: 3, Insightful

    According to the Beeb and their article once on a "...machine the malicious program also launches an attack against the Microsoft site that holds a software patch that keeps the worm out."

    Nice twist of fate

    Jaj

  38. no crash? still not safe. by dr+bacardi · · Score: 2, Informative
    You know you've got it when a 60 second shutdown timer pops up on your screen.
    This was a bug in the first version of the worm; it has since been fixed so that no shutdown occurs. See http://lists.insecure.org/lists/fulldisclosure/2003/Aug/0418.html for the updated version.
    * - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus
    * preventing crash of RPC service on remote machine.
  39. Sad really by BoomerSooner · · Score: 2, Informative

    Every Windows Sysadmin should check these sites daily:
    TechNet
    TechNet HotFixes
    And
    WindowsUpdate

    It's really that simple. Check daily for patches on your software, patch it, reboot, get back to work.

    1. Re:Sad really by harrkev · · Score: 2, Funny
      It's really that simple. Check daily for patches on your software, patch it, reboot, get back to work.

      Yup. Until Micro$oft issues a patch which breaks something else. Then some part of your server dies.

      Wait... This is Micro$oft we are talking about. They would NEVER release a patch with bad side-effects. They test all of their stuff extensively before releasing.
      --
      "-1 Troll" is the apparently the same as "-1 I disagree with you."
    2. Re:Sad really by RoLi · · Score: 4, Funny
      Check daily for patches on your software, patch it, reboot, get back to work.

      Too bad that these "check daily, patch, reboot" procedures never get mentioned in any MS-paid TCO analysis.

    3. Re:Sad really by b-baggins · · Score: 3, Insightful

      What absolutely amazes me is that people so casually accept that "patch and reboot" is an acceptable aspect of an operating system.

      In a rational world, Windows should have been tossed out of the business door two years ago as a piece of junk product.

      I'll just keep reading all this panic and scrambling from the quiet comfort of my OS X machine.

      --
      You can tell a great deal about the character of a man by observing those who hate him.
    4. Re:Sad really by aziraphale · · Score: 2, Informative

      > Check daily for patches on your software, patch it, reboot, get back to work

      Actually, the most common cause of a 'forced reboot' on any of my Windows systems nowadays isn't an MS patch (neither of the last couple of RPC vulnerability patches required a reboot on WinXP or 2003) - it's Norton Antivirus. NAV quite often seems to download something that requires a full reboot of the machine. Quite why it's possible to patch the OS without a reboot, but an application can't restart itself cleanly without a full restart, I have no idea...

    5. Re:Sad really by zoombat · · Score: 2, Informative
      It's really that simple. Check daily for patches on your software, patch it, reboot, get back to work.

      Actually, I think you're over-simplifying the process somewhat:

      • If you run any mission-critical applications, you'd better be testing the patches before you deploy them - especially ones that don't have an uninstaller.
      • Often down-time needs to be scheduled (especially on servers) which always occurs when you need to reboot after installing the patch.
      • Being the guinea pig for just-released patches can be problematic if there are problems with the patch. Generally waiting a couple days is a decent idea to see if MS amends their bulletin or people report problems with the patch.
      • Tracking down and patching mobile users can be difficult, especially if they are off-site, but failure to do so can increase risk of future exposure.
      I guess the last one applies more to Network Admins than System Admins, but they tend to be hard to separate these days. Oh, and all these items are significantly more problematic in the case of a service pack release, as more things tend to be affected...
    6. Re:Sad really by TCM · · Score: 2, Funny

      Where's the "test, test, test" part?

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    7. Re:Sad really by harrkev · · Score: 2, Informative
      Congratulations on the stereotypical Slashdot posts. Dollar signs in Microsoft's name, unbased claims of patches breaking things, and sarcastic quips at the end.


      I know that you are a troll, but I can't help it...

      Gee. I seem to remember that about a year ago, Microsoft withdrew a patch because it was buggy. This means that even though I formed it as a joke, IT HAS HAPPENED. If it had NOT happened, then you could feel free to tear into me.

      It has also been revealed that Micro$ sells their $190 operating system, but could sell it for under $50 and still make a profit. They sell it for more because they CAN. The average person has no choice. Microsoft has them by the short hairs. It is called a MONOPOLY (no, not the board game). Look it up. Your best buddy, Billy G., was found to be the head of a convicted monopolist corporation. It just completely sucks that the government let them off easy (at least there is still hope for Europe).

      Of course there is also the fact that the cost of Word has skyrocketed since the demise of WordPerfect.

      Now, about that Kernel release which corrupts filesystems -- was that an even or an odd release? You do know that the odd ones are to be considered alpha or beta quality, don't you? (hint: this means that the software is NOT guaranteed to be stable).

      Also, the number of holes last month for Linux probably includes all of the associated stuff that goes with it: various servers and applications and such. Take the Microsoft number and add in the holes for the web browser, web server, database server, office, and so on. Then, let's talk numbers.

      In short, grow a clue or turn your 'puter off.
      --
      "-1 Troll" is the apparently the same as "-1 I disagree with you."
    8. Re:Sad really by b-baggins · · Score: 5, Insightful

      Now, this being modded as funny is REALLY sad.

      Apple's versioning is as follows: .x = new release = full price .xy = maintenance upgrade = free.

      So, 10.1 was full price. 10.1.1 was free. 10.2 was full price. 10.2.6 was free. 10.3 is full price. 10.3.x will be free. 10.4 will be full price, etc.

      Apple does not sell upgrade CDs. You buy a full install. This means you don't need to have any previous version of OS X on the machine. So compare the right things. Let's put this in terms the Microsoft Marketing Influenced(TM) can understand.

      I paid $129 for the full version of OS X. You paid $299 for the full version of Windows2000 Professional.

      I paid $129 for the full version of Jaguar. You paid $399 for the full version of WindowsXP Professional.

      I will pay $129 for the full version of Panther. You will pay >$399 for the full version of Longhorn Professional.

      Now who should we laugh at?

      For all the ranting slashdotters do on how stupid the non-tech/geek person is, I find it hilarious that such a logical, programmer-centric versioning system totally confuses said slashdotter.

      I guess MS was pretty smart to call Winnt 5 Windows 2000, and Winnt 5.1 Windows XP, or you'd all be screaming about that $399 "upgrade" as well.

      --
      You can tell a great deal about the character of a man by observing those who hate him.
  40. The Danger of Bug Complacency by OpenYourEyes · · Score: 2, Insightful

    I've been trying to get relatives to fix the Windows DCOM security hole. At least two so far have said "oh! I didn't realize that was a security problem!" They thought the RPC service failing and causing a machine reboot was your everyday "bug", and since it just rebooted the machine (and even gave you 60 seconds to finish up what you were doing!), that it wasn't a big deal.

    I think the 60 second thing is seen as a feature - along the lines of "see! Windows knows when it's going to crash and lets you save your work first. Like the computer on Star Trek telling you how many seconds until there is a hull breach."

    All of them heard the news about a security problem. None of them connected it with the problems they were having.

    Finally, to make matters worse, Microsoft's page talks about patching the system, but says nothing about removing the worm. This is problematic since, as noted above, it can sometimes be pretty hard to download the patch if your computer wants to reboot in the middle of the download.

  41. Linux people: Rejoice! by Eudial · · Score: 5, Informative
    All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

    To make this smile even bigger: compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened on).

    Now you can actually *see* when the worm tries its futile attack on your superior OS.
    // begin mblaster_l.c
    // Minimal TCP listener on port 135: logs who connects and what they send,
    // so attempts by the worm to reach the RPC port can be watched.
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #define PORT 135

    int main(void)
    {
        int sock_f, remote_p, one = 1;
        struct sockaddr_in sockaddr_l, remote_a;
        socklen_t len_s;
        unsigned char buffer[4096];
        ssize_t n, i;

        sock_f = socket(AF_INET, SOCK_STREAM, 0);
        if (sock_f < 0) { perror("socket"); return 1; }
        /* allow an immediate restart while old connections linger in TIME_WAIT */
        setsockopt(sock_f, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

        memset(&sockaddr_l, 0, sizeof sockaddr_l);
        sockaddr_l.sin_family = AF_INET;
        sockaddr_l.sin_port = htons(PORT);
        sockaddr_l.sin_addr.s_addr = INADDR_ANY;
        if (bind(sock_f, (struct sockaddr *)&sockaddr_l, sizeof sockaddr_l) == -1)
        { perror("bind (port 135 needs root)"); return 1; }

        if (listen(sock_f, 30) == -1) { perror("listen"); return 1; }

        while (1)
        {
            len_s = sizeof remote_a;          /* accept() overwrites this each time */
            remote_p = accept(sock_f, (struct sockaddr *)&remote_a, &len_s);
            if (remote_p == -1) continue;
            /* the RPC request is binary, so report its length and a hex prefix
               rather than printing it with %s (which needs a NUL-terminated string) */
            n = recv(remote_p, buffer, sizeof buffer, 0);
            if (n > 0)
            {
                printf("Received %ld bytes from %s:%u\n", (long)n,
                       inet_ntoa(remote_a.sin_addr), ntohs(remote_a.sin_port));
                for (i = 0; i < n && i < 32; i++) printf("%02x", buffer[i]);
                printf("\n");
                fflush(stdout);
            }
            close(remote_p);                  /* always release the connection */
        }
    }
    // end mblaster_l.c
    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
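    As an added example (not code from the post above or from any worm write-up), here is the defender's side of such a listener: a parser that reads constructed log lines in an assumed format (source address plus a hex dump of the first bytes received on TCP 135) and decodes the 16-byte connection-oriented DCE/RPC common header, so that genuine RPC bind attempts can be told apart from random noise and counted per source. The header layout used (version, packet type, data representation, fragment length, call id) is that of DCE/RPC itself and goes beyond what the post shows.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed log format (source address plus a
# hex dump of the first 16 bytes received); this is not the listener's own output.
SAMPLE_LOG = """\
Received 72 bytes from 10.0.0.5: 05000b03100000004800000001000000
Received 5 bytes from 10.0.0.9: 48454c4c4f
Received 72 bytes from 10.0.0.5: 05000b03100000004800000002000000
Received 1024 bytes from 10.0.0.17: 05000003100000000004000001000000
"""

LINE_RE = re.compile(r"Received (\d+) bytes from (\S+): ([0-9a-fA-F]+)")

# Connection-oriented DCE/RPC PDU types (DCE 1.1 RPC specification).
PTYPE_NAMES = {0: "request", 11: "bind", 12: "bind_ack", 13: "bind_nak"}


def parse_rpc_header(payload: bytes):
    """Decode the 16-byte DCE/RPC common header; None if it is not DCE/RPC 5.x."""
    if len(payload) < 16 or payload[0] != 5:
        return None
    # packed_drep byte 0, bit 4 set means little-endian integers follow
    order = "little" if payload[4] & 0x10 else "big"
    return {
        "ptype": PTYPE_NAMES.get(payload[2], f"ptype_{payload[2]}"),
        "frag_length": int.from_bytes(payload[8:10], order),
        "auth_length": int.from_bytes(payload[10:12], order),
        "call_id": int.from_bytes(payload[12:16], order),
    }


def classify_log(text: str):
    """Return (per-source count of RPC bind attempts, list of parsed records)."""
    binds = Counter()
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        nbytes, src, hexdata = int(m.group(1)), m.group(2), m.group(3)
        hdr = parse_rpc_header(bytes.fromhex(hexdata))
        kind = hdr["ptype"] if hdr else "not-dcerpc"
        if kind == "bind":
            binds[src] += 1  # a bind is the first step of any DCE/RPC call
        records.append({"src": src, "bytes": nbytes, "kind": kind, "header": hdr})
    return binds, records


if __name__ == "__main__":
    bind_counts, recs = classify_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['src']:>12} {r['bytes']:>5} bytes  {r['kind']}")
    print("bind attempts per source:", dict(bind_counts))
```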
    1. Re:Linux people: Rejoice! by Junks+Jerzey · · Score: 4, Insightful

      All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

      Sigh. The Windows exploit is essentially a buffer overrun. Microsoft knew about this and released a patch *before* this worm was even written. So it comes down to two things:

      1. It's a common problem caused by people writing OS-level services in languages that are prone to these types of problems. Windows and Linux are in the same boat here. Many such exploits have been found in both OSes, and more will be found in the future.

      2. It doesn't matter how fast a patch is released if people don't download and install the patches. Again, both Windows and Linux are identical in this respect.

      If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG.

  42. Removal bad! Reformat good! by c0y · · Score: 2, Informative
    Sure, go ahead and use that removal tool. And ignore the fact that you've probably been gang raped by a bunch of skript kiddies for the last month.

    Seriously, best current practices dictate that before a compromised machine is reconnected to the 'net you:

    1. Reformat
    2. Reinstall from manufacturer's original media
    3. Apply all necessary security patches.

    Getting the patches without a 'net connection is left as an exercise to the reader.

  43. THIS IS A SUREFIRE WAY TO STOP SHUTDOWNS by kunsan · · Score: 5, Informative

    I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to do that. I just pushed the date back one year, and the shutdown is postponed a year! Then you can run a full system virus scan and repair tools.

    Regards/
    JP

    --
    The facts expressed here belong to all, the opinions to me. The distinction between fact and opinion is yours to decide.
  44. Stop Blaming Users, Blame Microsoft by mizidymizark · · Score: 5, Insightful

    I know this is Slashdot and all the Linux users need their daily affirmation that they are right, but guys, lay off the common user. To expect someone over dialup to have Windows XP patched with the 200 MB of updates since XP came out is rather harsh. I know this hits more broadband users, but working in tech support, we have seen a fair amount of dialup users get hit as well. So before telling the everyday user to switch to Linux for their home machine, maybe we should get Microsoft to check their product for problems before shipping it out.

  45. Another quick fix by x.Draino.x · · Score: 2, Interesting

    Another quick fix if you don't have enough time to apply the patch before shutdown. Go into Administrative Tools, Services, and find the RPC service. It gives you options of what to do if it unexpectedly dies. By default, it is set to shut down after 60 seconds. You can change this to "Do nothing". Make sure you set it for the 1st, 2nd, and 3rd warning. So basically now it will die, but it will go unnoticed.

  46. Shoot The messenger... by decepetion · · Score: 2, Funny

    My wife calls me upstairs last night.."The machine keeps shutting down".. Me: "what" *looks at task manager* Task Manager: msblast.exe Me: "Why isn't the firewall turned on?" Wife: "I Hate having to answer all of its questions, so I turned it off." Me: AAAARRRGGGHHH

    1. Re:Shoot The messenger... by doon · · Score: 2, Insightful

      Ahh that is why I have the firewall in front of the wife's machine. So she can't turn it off. :)

      --
      To E-mail me, replace the first period in my domain with an @
  47. Proper removal instructions by XSforMe · · Score: 3, Informative

    Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool."
    Not really... there have been several reports that the thing has flogged machines so badly that it might not even be possible to connect to windowsupdate/any other internet site. For proper removal instructions, take a look at CERT's advisory or Trendmicro's KB.

    --
    My other OS is the MCP!
  48. I might not be speaking for everyone, but I say: by burgburgburg · · Score: 5, Funny

    I welcome our new Skynet Overlords.

  49. Re:Fscking Windows. by Anonymous Coward · · Score: 2, Funny

    Oh, come on, people. He threw you a bone for fuck's sake. Linux 7.2? Sheesh!

  50. Re:Honest question [Corporate Answer] by Anonymous Coward · · Score: 4, Insightful

    Welcome to the corporate world. All things, including service packs, must be tested on all platforms with all applications before being deployed into the environment.

    We don't have a couple dozen windows boxes. We have a couple hundred thousand. Patching is *painful*. We're not talking purely servers that are affected--standard workstations. Servers get patches at a much faster rate than the user desktops.

    Even after the 4-6 months goes by and the patches get the official blessing for end-user install, users don't like watching the service packs run for half an hour when they login. Besides, who trusts the users to sit around and let them install without playing with stuff.

    So....We filter internal site connections to try and contain infections, and work as quickly as possible to mitigate the risks of downtime for system updates vs. the risk of collateral damage (outages) caused by Microsoft's weak code and security practices (AKA bug).

    After two years, we're almost done with the Windows2000 conversion, but Microsoft has already been pushing for immediate XP deployment for a year...

    Why aren't they all patched? Because nothing moves fast in large installation bases.

  51. Re:A sure fire method to solve this RPC exploit by caluml · · Score: 3, Funny
    I paddle my wife, but she still insists on using Windoze.

    Threaten to not paddle her - that might make her change.
    (She might be darker than you think!)

  52. Calling it what it is: A "Windows" virus by FunWithHeadlines · · Score: 5, Interesting
    I heard about this latest virus scare on the radio, and I noticed it was called a "Windows virus" this time, and not the usual "computer virus." It seems even non-techies are finally catching on that these are Windows problems being exploited, and if you run non-Windows machines you are unaffected.

    Yes, yes, I know, this is /. and we all know this. My point is that the mainstream press is starting to make the distinction now.

    1. Re:Calling it what it is: A "Windows" virus by Loundry · · Score: 2, Insightful

      They are trying to differentiate it from an "email virus." They are labeling it because of its entry point, not OS.

      I think you may be right. If the worm spread itself solely due to a flaw in Microsoft Outlook (I know, perish the thought!), then would the mainstream press have labeled it as an "e-mail virus" or a "Microsoft Outlook virus"? My guess is that it would be the former with the real culprit mentioned as an afterthought.

      --
      I don't make the rules. I just make fun of them.
  53. Re:60 second timer by razberry636 · · Score: 4, Funny
    Of course, if you're getting hammered this isn't going to help much.

    A nasty worm is quickly spreading across the internet, forcing about 90 percent of the connected computers to become inoperable. Thousands of phones are ringing at IT desks all over the world. On the other ends of those phones are screaming, panicky users crying because their computers won't work. Management is calling because now you're the bottleneck causing inefficiency in the team, and you might need to start looking for a new job if this isn't taken care of. And then you trip over a network cable.

    I think getting hammered is the best thing to do right now.

  54. Nice side effect - no spam! by Krafty+Koder · · Score: 2, Interesting

    Thanks to this worm, I've noticed a dramatic decrease in the amount of spam I'm getting - roughly 150 to 200 per day is trapped by my spamassassin install. Today, only around 10 spams.

  55. NO by TrekkieGod · · Score: 2, Insightful
    Shouldn't broadband providers be sending emails to their clients with a link in them?

    I get enough junk mail as it is. I don't want to be reminded of people who are too stupid to patch their computer. Besides, it wouldn't work. Even though "the most clueless of windows users can click on a link and then click the 'Yes' button", remember that they DON'T. Windows update comes by default set up to check for updates periodically...then the screen pops up and asks you if you want to update. Unfortunately, the screen also gives you the option to turn off windows update, and that's what the clueless people choose, because they don't want to be "annoyed" by it.

    Instead of bothering me with e-mails, Microsoft should remove the option to disable Windows Update from the "first use" screen. If you can't figure out how to go to system properties and disable/reschedule your windows update, you're not supposed to have it disabled. I think that would maintain quite a few computers with up-to-date patches.

    --

    Warning: Opinions known to be heavily biased.

  56. Excuses not to be patched by unfortunateson · · Score: 4, Interesting
    Yeah, it's stupid, but there's a lot of machines that won't get patched:
    • Dialup -- those patches are big
    • FUD about Windows Update watching your machine for bootleg licenses
    • but most of all, warnings from folks such as Brian Livingston and Woody Leonhard about flawed patches prompt folks like me to delay installation of just about any patch for at least a week, to see if they'll patch the patches.

    Now, I didn't get hit -- between the firewall, ZoneAlarm and the patches, I think I'm Ok.
    --
    Design for Use, not Construction!
  57. Ha! by Bedevere · · Score: 2, Funny

    For once using Windows ME pays off!

  58. All you do is complain by ShieldW0lf · · Score: 2, Funny

    Do you like BSODs?!? Don't you wish you could leave the server room for 5 minutes?!? Aren't you sick of data corruption??!

    I wrote Win32 Blaster, and since installing it on our server, we haven't had any of these problems that plague Windows boxes around the world.

    Being the nice guy that I am, I wrote some "Automatic Update" code, and fixed all your machines. And you call it a virus and complain about it.

    I'm not helping you anymore... fix your own damned problems.

    --
    -1 Uncomfortable Truth
  59. Honest answer by djembe2k · · Score: 5, Interesting
    OK, maybe I'm not really who you are aiming this question at, but probably those folks aren't going to answer, or give the serious and honest answer you're looking for, so I'm what you are going to get.

    I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.

    My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.

    Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.

    We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.

    When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.

    At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.

    So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.

    Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.

    And we're lucky. All our boxes are at one location. I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.

    The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequately test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.

    1. Re:Honest answer by allism · · Score: 3, Funny

      Monitoring slashdot...I need to remember that phrase if I ever get reprimanded for excessive internet activity...

      seriously, though, I, for one, thank you on the behalf of all us little peon users for testing before patching. I swear, the next time the sysadmin comes around an installs something on my computer that means I have to spend hours fixing my computer before I can do any more of my real work, I'm gonna kick him in the shins...

  60. This is not FUD by JRHelgeson · · Score: 4, Insightful
    The security community has been saying for nearly a month that people needed to update their machines. We watched as the hacker community perfected their code for the RPC/DCOM vulnerability and posted their work on hacker sites and discussion groups. Yet the more we begged and pleaded people to update their machines, the more I heard "Aw, they're just hyping the FUD factor."

    Let it suffice to say that if a company is trying to sell you something based upon the FUD factor, treat the information as suspect. I agree, vendors whose software doesn't sell on its own laurels hype the hell out of the FUD factor and give the industry a bad reputation. But don't lump these vendors in with the security consultants that are trying to provide a free service and free advice based upon information that is going around in the security community.

    When you get security information, consider the source. Is the security information provided with a sales pitch attached? If so, google the information to determine if it is FUD or legitimate. If it's legit, it'll pay to listen.

    Regardless, people, patch your *#&($*@& machines!

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  61. RPC, NetBios etc are a menace by g8oz · · Score: 3, Informative

    All these crappy Microsoft net-enabled 'features' turned on by default are a menace to the average user and the Internet in general.

    Please block TCP/UDP Netbios ports 135-139, as well as SMB over TCP(port 445), RPC over HTTP (port 593), the MS-SQL port the Slammer worm used (port 1434).

    And I am sure there are many, many more.

  62. Windows 2000 Service Pack 4 has fix by Knight2K · · Score: 2, Informative

    If you already have the service pack mentioned in this slashdot article, then according to the Microsoft Security bulletin linked in the article you already have the fix. So you might as well get the whole Service Pack while you're at it.

    --
    ======
    In X-Windows the client serves YOU!
  63. the best part.... by rokzy · · Score: 2, Interesting

    BBC: Hidden inside the worm are two messages. One taunts Microsoft chairman Bill Gates and reads: "billy gates why do you make this possible? Stop making money and fix your software!"

    why is this message "hidden"?
    why not have the worm install a desktop wallpaper saying this? and a picture humiliating him in some way?

  64. Laptops by mrscott · · Score: 4, Insightful

    Think about this scenario: a perfectly competent administrator has a properly configured firewall which blocks the problem. The "road warrior" brings his laptop back from 3 weeks on the road and had used a bunch of hotel access points where he got the worm. He connects it to his docking station in the office, effectively bringing the problem behind the firewall.

    1. Re:Laptops by Havokmon · · Score: 2, Funny
      Think about this scenario: a perfectly competent administrator has a properly configured firewall which blocks the problem. The "road warrior" brings his laptop back from 3 weeks on the road and had used a bunch of hotel access points where he got the worm. He connects it to his docking station in the office, effectively bringing the problem behind the firewall.

      Yeppers. I was waiting for a 'Road Warrior' to return (I consult on Friday afternoons only) so I could update his laptop. Upon seeing the news this morning, I sent him an email with instructions (crossing fingers!) on how to use Windows Update.

      He called me about his system strangely rebooting before he even read my email. :(

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
    2. Re:Laptops by zoombat · · Score: 4, Informative
      Yeppers. I was waiting for a 'Road Warrior' to return (I consult on Friday afternoons only) so I could update his laptop. Upon seeing the news this morning, I sent him an email with instructions (crossing fingers!) on how to use Windows Update.

      Careful with Windows Update; it is notorious for falsely reporting that patches are installed properly. See this discussion about this very patch (MS03-026).

    3. Re:Laptops by Anonymous Coward · · Score: 2, Informative

      The opposite is true too. I keep getting told there's a critical security patch, and download it, reboot only to be told I need the same security patch over and over again.

    4. Re:Laptops by silas_moeckel · · Score: 2, Informative

      That's why you require laptops to have firewalling on them, especially for sales guys.

      Outside consultants are harder to deal with; really, this is why you use an IDS to see what's happening inside your firewall(s) and reset and shun nastiness. It also helps to stop those programming team security audits (watch a programmer when his port gets turned off for 30 minutes as he tries to portscan a box; they turn so red it's funny). Always get this in corporate documentation, preferably with a set-off of the IDS, and it's a terminable offence.

      --
      No sir, I don't like it.
    5. Re:Laptops by raju1kabir · · Score: 2, Interesting
      He connects it to his docking station in the office effectively bringing the problem behind the firewall.

      That's one reason why desktop computers inside the office should be segmented into groups as small as practical. Put them in little subnets and don't route between them. Printers and servers should be on separate subnets that do get routed. This way people can only contaminate their own little workgroup; everything else moves through centralized servers where you do aggressive virus scanning. There's no reason in an office environment for one desktop to talk directly with another.

      This wouldn't stop a worm that messed with the subnet mask but I'm not aware of any that do.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    6. Re:Laptops by surprise_audit · · Score: 2, Interesting
      This wouldn't stop a worm that messed with the subnet mask but I'm not aware of any that do.

      You know, I often wonder how many hackers, virus writers, terrorists, etc read forums like this looking for ideas... It's kinda like a company issuing V1.0 of a piece of software, then using customer feedback to design the new features for V2.0.

  65. Automatic updates by RonnyJ · · Score: 2, Interesting

    One of the first things I disable in Windows is 'automatic updates', and a lot of people think it's intrusive and won't use this feature. However, the patch for this exploit has been out for a month, and yet thousands of users are getting affected by this, me included. If people did allow Windows to automatically update, or even took the time to update it themselves, this problem wouldn't have been nearly as bad. Having said that, who here trusts Microsoft?

    1. Re:Automatic updates by Zed2K · · Score: 2, Insightful

      I don't understand how it's intrusive. It puts up a very small icon in the bottom that tells you when there is a new upgrade. It downloads when you ask it to and then installs when you tell it to, all in the background. It's not like it pops up this huge box that takes up the whole screen with flashing text and no ignore button.

      Everyone who gets bit by this deserves it.

    2. Re:Automatic updates by PeteyG · · Score: 2, Funny

      It pops up, partially covering part of the system tray and a bit of the desktop.

      It has a fucking annoying 'pooaaAAHP!' sound.

      It takes up an icon in the system tray. I hate icons in the system tray. Makes me look like a loser who has too many 'Banzai Buddy' programs installed.

      And after getting hit by this worm, I am now going to turn it back on on my home XP install. : )

      --
      no thanks
  66. Re:The problem with that is by WNight · · Score: 4, Interesting

    That's the legacy of MS policies like "DOS ain't done till Lotus don't run!"

    You just know you'll let auto-update run and one day it'll "disable" your MP3s because WMV offer so much more security, or something similar.

  67. Update by Etyenne · · Score: 2, Funny

    Download this security update.

    Where's the Linux version ?

    --
    :wq
  68. anti-virus virus by dtfinch · · Score: 2, Interesting

    Perhaps this is one of those extremely rare occasions where an anti-virus virus should be released. Windows users all agree to an EULA that says Microsoft has the right to install updates on their computer. If anyone has the legal right to create and release one, it's Microsoft. As that guy mentioned, it may be hard for many people to download the patches on their own because of reboots.

    There are some legal issues associated with portscanning though.

  69. No patch for NT4 --- Thanks M$ ! by menscher · · Score: 4, Interesting
    Micro$haft says:

    Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.

    Well, we patched what we could, and moved most critical services to Linux, but there's still one or two machines running NT. And it's only a matter of time before some luser slips a copy of this worm past our firewall....

    Considering the amount of infrastructure that depends on NT4, doesn't this intentionally put the US at greater-than-necessary risk? It'd be fun to see M$ tried under the new anti-terrorism laws.....

  70. Prophylactic? by b1t+r0t · · Score: 2, Interesting
    Does anyone know if a simple:

    mkdir \winnt\system32\msblast.exe

    would prevent the worm from copying itself to your system?

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
    1. Re:Prophylactic? by Megane · · Score: 2, Informative
      Not only that, but the patch requires a reboot to take effect. Not everybody can afford to reboot a server at just any old time. The above method prevents the worm from copying itself onto your machine without needing a reboot. Something like that isn't without precedent. The old internet worm of ages back could be prevented from spreading by simply adding a symbol to a library file.

      However, it won't stop the worm from affecting your system. This morning I found copy & paste not working right in Mozilla, and Start->Settings->Network and Dial-up Connections just brought up an empty window. But there was no msblast.exe. Apparently I had been hit by the worm, but it wasn't able to use TFTP to copy over and run the code. (FWIW, I had installed the patch but not yet restarted the machine.)

      So while that cheesy mkdir will probably prevent the worm from spreading (not a bad goal in itself), it apparently won't prevent the exploit from making your system flaky.

      And Zed2K really needs to calm down and stop acting like such a know-it-all.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  71. Auto Update? by ttyp0 · · Score: 2, Informative
    I know all our Windows boxes at the office use the "auto update" feature to download patches at 3am each night. I figured most people would be using this great feature. Instead of trying to keep up with all the security fixes, I let Microsoft push them to me.

    Anti SCO T-Shirt. $1 donated to Open Source Now Fund on each shirt.

    1. Re:Auto Update? by KodaK · · Score: 2, Informative

      811493. That's a number I'll never forget. I used to use the Auto Update feature too, until that patch came out.

      When my machines applied that patch, the very next day they slowed to a crawl. Unusable crawl. Clicking Start & Run would take literally 5 minutes. It turns out that there was an incompatibility between that patch and our antivirus software. It took them a couple of days to figure that out, even though I told them that was the case as soon as we got it.

      Anyway, don't automatically install updates. Stay up on the patches, sure. Deploy them in some other way (I use the domain log on scripts) when you're sure they won't screw anything up. Do your testing as quickly as possible.

      --
      --J(K) DOS is like Unix in exactly the same way that a pinto is like an aircraft carrier.
  72. Re:Admins are not lazy by g0hare · · Score: 2, Informative

    Maybe you could try Microsoft's FREE Software Update Service (SUS) which lets you download all updates to a central server, approve the ones that work and automatically deploy them to your Active Directory clients - I patched 64 machines in less than 10 minutes of my time. I sure hope knowing how to use Microsoft products doesn't get me banned from Slashdot...

    --
    Vote Quimby!
  73. Re:Admins are not lazy by Capt_Troy · · Score: 2, Informative

    Ummm... Isn't that what the automatic update thing does? You can set it to automatically download and install critical updates, or warn you when they are available. Am I missing something? It seems like windows has had this for a long time now.

    T.

  74. Nessus did this attack months ago by four12 · · Score: 4, Informative

    I was experimenting with nessus several months ago. I unchecked the "safe checks only" option and ran it against a series of internal Windows systems and crashed RPC. I thought "wow, this could be really dangerous if nessus'd a range of public IPs."

  75. Wrong by johnburton · · Score: 2, Informative
    You know you've got it when a 60 second shutdown timer pops up on your screen
    Actually this is what happens when it fails to infect your system and crashes the process instead. So you know you've not got it when you see this.
    --
    Sig is taking a break!
  76. Over 100 calls in one hour... by The+Raven · · Score: 2, Interesting

    yesterday, regarding the worm. I was amazed how fast this virus spread... no other virus has created such a quick increase in call volume for us.

    Of course, I work at an ISP... so when their Internet flakes out, we're the first thing they call. This is one of the first viruses I've seen that seems to deliberately crash your Internet connection, so rather than calling days or weeks later with some minor odd behavior, they called right away because their net was down.

    I'm curious what will happen in a day when the timed DDOS goes off.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  77. Famous last words by dtfinch · · Score: 3, Funny

    From the Microsoft security bulletin on the vulnerability:

    "This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine."

  78. writeup is bollocks by Cally · · Score: 2, Informative
    Sorry, this writeup is wrong in almost every respect. I work at an Infosec co BTW so I do know what I'm talking about.

    • It's not "on the rise" - luckily, this one's a slow spreader and not terribly effective due to the use of tftp which easily limits its spread. The _real_ worm won't do anything so dull.

    • You don't know you've got it when you get a shutdown timer. The worm uses the oc192-dcom.c exploit, which contains the universal offsets which don't crash the service. The reboots are a symptom that you're being hit by worm /traffic/, and you're vulnerable. You may already have it; you may not.

    • It's not an easy one to stop. There are reports that the MS patch doesn't fix the issue in every case. In addition, there's another similar DCOM exploit for which Microsoft HAS NOT RELEASED A PATCH. Fortunately, it's just a DoS...

    • Finally, if you've been owned by this worm, don't waste time messing about with a "removal tool". Back up your data, reformat, reinstall. Or, better, install Linux or BSD :)

    The only, uhm, 'interesting' aspect of this worm is that on Friday it's going to nuke WindowsUpdate. The worm will probably never go away completely so W.U. could well be unusable for months to come. Totally predictable, of course, it's just a surprise that it lasted this long.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  79. Re:I suppose it's too much by ctid · · Score: 2, Insightful
    I suppose it's too much to point out that this worm exploits a vulnerability that's already been patched by Microsoft, so that only lazy or incompetent admins are going to get hit by it.

    I think you mean lazy and incompetent admins, plus thousands upon thousands of home users who have no idea what a patch is, or what a firewall is, or what ports are in this context. It appears that you'd want nearly all home users of Windows XP to be "stoned, burned, crucified, sterilized and beheaded". That seems a bit extreme to me.

    The reason I am gloating (I can't speak for other slashdotters) is that I'm sick of reading that Linux is not ready for the desktop because it's too difficult to use. I'm looking forward to the many many accounts of normal Windows users who are able to successfully patch their systems in the sixty seconds they have before it shuts itself down again.
    --
    Reality is defined by the maddest person in the room
  80. If ATMs, then what else? by Tired_Blood · · Score: 2, Insightful

    When's the first computer voting machine going to be hit with something similar?

    And will these problems again be explained as "user error"? (think Florida '00)

    --
    This is not my sig.
  81. Microsoft DoSed by ravenlock · · Score: 2, Interesting

    Seems to have done something though. I'm on a 512/512 dsl line and it took microsoft.com a full minute and then some to respond. The actual page load was fast enough though, so I'm guessing it's the connection limit. Only guessing though. It's hard to tell if it's the worm or the people desperately trying to get the patch, but the end result is pretty much the same.

    ... Isn't it funny that users don't patch when there's a threat that could wipe hard drives clean, but when something interrupts their daily pr0n wank with a reboot they rush at Mach 3 speed to get the fix?

  82. Re:Why are Brit Geeks all named... by kiwimate · · Score: 2, Funny

    Well, I'm in Philadelphia and I'm named Ian, but I'm from New Zealand.

    However, my parents are originally from England, which means I have a distinct British tinge to my accent. Oh, and most of my family still lives over there...close enough?

    (By the way, of course they're not all named Bruce -- that'll be the Australians.)

  83. Use Windows NT 4.0? by UrGeek · · Score: 3, Insightful

    Then "no soup for you!" Microsoft has not and (at this time says) will not provide a fix for this. They claim that "the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future." WHAT HORSESHIT! So all of the Windows NT 4.0 machines of the world are open doors to this (and other) attacks. Oh, they do recommend that you put it behind a firewall and block port 135. And if you happen to be using 135, well, you're gonna have to recode and recompile any and all programs that do. Don't have the source code? Well, how good are you at reverse engineering? And be careful, it may be illegal where you live. AND you gotta trust everyone behind that firewall to not crack your machine!

    Now, the karmic debt in all of this - Microsoft's Windows Update will get attacked by WinNT 4.0 every month. Mmmm. So, everyone else gets fixed and the ones that MICROSOFT want you to upgrade become easily identified as problems on the net.

    Sure, one P.-off muther-F. may have written this worm to get at Microsoft. Or maybe it came from somewhere in Washington state. So, what is next? All "obsolete" versions of Microsoft products get infected with worms that will install a gigabyte of child porno and then email the police? I guarantee with publicity like this, evildoers will be using WinNT as a platform for all kind of crap from now on. Thanks a lot, Microsoft, the Crackers' Best Friend!

    Here's the Microsoft spin on this from the FAQ in Microsoft Security Bulletin MS03-010 (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-010.asp):

    "If Windows NT 4.0 is listed as an affected product, why is Microsoft not issuing a patch for it?"

    "During the development of Windows 2000, significant enhancements were made to the underlying architecture of RPC. In some areas these changes involved making fundamental changes to the way the RPC server software was built. The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture. Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system."

    "Microsoft strongly recommends that customers still using Windows NT 4.0 protect those systems by placing them behind a firewall which is filtering traffic on Port 135. Such a firewall will block attacks attempting to exploit this vulnerability, as discussed in the workarounds section below."

    "Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?"

    "Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."

    The moral is upgrade. Upgrade and get people like Microsoft who abandon you out of your life. Upgrade to Linux.

  84. New version of Blaster is starting to appear by Jugalator · · Score: 3, Informative

    A new version of Blaster has started spreading. The new version is called RPCsdbot.A by Trend Micro and appears to be more stable and can also open a backdoor to IRC.

    RPCsdbot.A Information

    --
    Beware: In C++, your friends can see your privates!
  85. Ok, by sjwt · · Score: 2, Informative

    So i got the timer,
    i got the reboot,
    i scanned with the program..
    no virus..

    Is it possible the 'error' and timer
    can be from just a random problem??

    or have i got some undetectable variant?

    --
    You have 5 Moderator Points!
    Which Helpless Linux zealot/MS basher do you want to mod down today?
  86. Wow by autopr0n · · Score: 3, Insightful

    I wonder when someone will release a virus for an exploit that they just found, one that they didn't tell Microsoft about. If they found one for IIS it would basically kill the entire windows internet (since you couldn't just firewall off the port).

    And of course the same thing could happen with Linux. There have been security holes in Apache and especially in various distros.

    I guess we're lucky that people finding holes so far have been benign. (or at least more interested in having access than causing chaos...)

    --
    autopr0n is like, down and stuff.
    1. Re:Wow by antiMStroll · · Score: 2, Informative

      Apache != Linux any more than Apache on Windows = 2k Server. Nice try. This is a true vulnerability of the core OS, not a 3rd party app. Apples calling the kettle black.

  87. Re:Remote Procedure Call by PurpleFloyd · · Score: 4, Informative
    RPC isn't just for over-the-network calls; it's also what some Win32 apps use for interprocess communication. Thus, if RPC is borked, your whole system is in trouble (I had a system where the RPC DLLs were corrupted; I couldn't even use simple things like copy and paste, since programs couldn't communicate with the clipboard buffer).

    The only real solution in this case is a good firewall and keeping up with the endless stream of security patches; unfortunately, Microsoft in their infinite wisdom have decided that users can't turn off RPC's network functionality. While turning off services you don't need is good security practice, there are some exploitable services that the system needs and you can't just turn off. RPC falls into this category, and you can't do much besides firewall and patch it.

    --

    That's it. I'm no longer part of Team Sanity.
  88. Holes in what? by leonbrooks · · Score: 2, Informative
    Linux: The kernel (1). Stuff commonly exposed by a desktop Linux installation (0). Remote all-your-base-are-belong-to-us exploits (0).

    Windows: all-your-base-ar[Rebooting in 60 seconds]

    Now go and average that out over a year. Bear in mind that MS-Windows exploits are being reported on a small software set (OS, email client, database, web server, web browser, email client) and Linux exploits are being reported on any of 4000 (Mandrake) - 8000 (Debian) packages, most of which will not be installed on your typical desktop or server. Estimate a percentage installed on each and discount appropriately.

    Now assign a severity rating, maybe base=25% remote=50% privesc/root/admin/ring0=25% to each incident and see how they compare.

    And so on. No sense comparing an overdecorated Niva with a Land Cruiser and complaining about the mileage, either.

    --
    Got time? Spend some of it coding or testing
  89. Correct method to circumvent the virus by mortisnoir · · Score: 4, Informative

    Since the shutdown tends to occur the moment you access the internet, do the following;

    1. Unplug internet connection
    2. Enable Win XP firewall on all valid connections
    3. Connect internet connection
    4. Download and install the patch from MS
    5. Update anti-virus or download and run the removal tool

    Good Luck!

    --
    Proverbs 16:18 "Pride goeth before destruction, and an haughty spirit before a fall"
  90. Re:you think MS is going to go down easy? by gregarican · · Score: 2, Insightful
    You are a clown. The lack of Linux boxes you claim shows your lack of knowledge. Linux Apache servers run a decent amount of the Internet's web content there, sparky.

    If Linux has as many security problems as Windows I really doubt you can name too many of them since you're not even aware of general facts.

    Reformatting, reinstalling, and patching in the long run will save time versus trying to find needles in the haystack of which files were modified, deleted, or otherwise compromised if you were hit by this RPC exploit. Weeks later you'd be hunting around for incorrect files or would have IRC bots screwing you up. Penny wise, pound foolish.

  91. Internet 2 Ops letter regarding Blaster traffic by jgaynor · · Score: 3, Informative

    Just got this from the Abilene (Internet 2) Operations Center. Apparently this is significantly affecting at least the .edu side of the network:

    Abilene Connectors and Participants,

    As you're all probably painfully aware by now, a worm exploit of the Microsoft
    DCOM RPC vulnerability, W32/Blaster, was unleashed on Monday August 11. Details
    regarding the vulnerability and exploit can be found at the references provided
    below.

    Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the
    network. We're performing an analysis of Abilene netflow data, and early this
    afternoon will provide a private communication to sites that are sourcing a
    large amount of worm traffic.

    Recommendations for network border filtering are included in the CERT W32/Blaster
    advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be
    defined as input and output - to protect yourselves and to protect from
    infecting others.

    Abilene Connectors, please pass this communication on to your Participants.

    References:

    Microsoft DCOM RPC:
    http://www.cert.org/advisories/CA-2003-16.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

    W32/Blaster:
    http://www.cert.org/advisories/CA-2003-20.html

    Regards,

    XXXX XXXXXXX
    Director, REN-ISAC
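
The letter above says the operations center was analysing netflow data to find sites sourcing large amounts of worm traffic. The following is an added example of that kind of analysis, written for this page and not the REN-ISAC's own tooling or data: it takes constructed netflow-style records (source, destination, protocol, destination port, packet count) and flags sources that fan out to many distinct hosts on TCP/135, which is the spreading pattern the thread describes, while leaving a single sustained RPC session alone. The port set (TCP/135 for DCOM RPC, UDP/69 for the TFTP fetch) and the threshold of 20 targets are assumptions chosen for the sample.

```python
"""Flag hosts that source worm-style TCP/135 scan traffic in flow records.

Constructed example (not the REN-ISAC analysis or its data). Each record is
(src_ip, dst_ip, proto, dst_port, packets), a minimal netflow-like tuple.
"""
from collections import defaultdict

# Constructed sample flows. 10.1.1.5 probes 40 distinct hosts on TCP/135 with a
# few packets each (scan pattern); 10.1.1.7 has one sustained TCP/135 session
# plus ordinary web traffic; 10.1.1.9 only pulls a file over TFTP (UDP/69).
SAMPLE_FLOWS = (
    [("10.1.1.5", f"10.2.0.{i}", "tcp", 135, 3) for i in range(1, 41)]
    + [("10.1.1.7", "10.2.0.9", "tcp", 135, 120),
       ("10.1.1.7", "10.3.0.4", "tcp", 80, 500),
       ("10.1.1.9", "10.2.0.1", "udp", 69, 20)]
)

# Ports the thread associates with Blaster propagation: the DCOM RPC endpoint
# and the TFTP transfer the worm uses to fetch its binary (assumed set).
WORM_PORTS = {("tcp", 135), ("udp", 69)}


def targets_per_source(flows, proto="tcp", port=135):
    """Map each source IP to the set of distinct hosts it contacted on port."""
    seen = defaultdict(set)
    for src, dst, p, dport, _packets in flows:
        if p == proto and dport == port:
            seen[src].add(dst)
    return seen


def flag_scanners(flows, min_targets=20):
    """Sources touching at least min_targets distinct hosts on TCP/135.

    Fan-out across many destinations separates a propagating host from a
    single legitimate RPC client, which talks to one or a few servers.
    """
    seen = targets_per_source(flows)
    return sorted(src for src, dsts in seen.items() if len(dsts) >= min_targets)


def worm_traffic_share(flows):
    """Fraction of all packets sent to the worm-associated port/proto pairs."""
    total = sum(f[4] for f in flows)
    worm = sum(f[4] for f in flows if (f[2], f[3]) in WORM_PORTS)
    return worm / total if total else 0.0


if __name__ == "__main__":
    per_source = targets_per_source(SAMPLE_FLOWS)
    for src in flag_scanners(SAMPLE_FLOWS):
        print(f"{src}: {len(per_source[src])} distinct TCP/135 targets, likely infected")
    print(f"worm-associated share of packets: {worm_traffic_share(SAMPLE_FLOWS):.1%}")
```

The fan-out count, rather than raw packet volume, is what separates an infected host from a busy legitimate one: 10.1.1.7 sends as many TCP/135 packets as the scanner but to a single server. On real flow exports the threshold should be tuned per site, and the same fan-out logic works on firewall deny logs for port 135.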

  92. msblast.exe available... by dark-br · · Score: 4, Informative

    for analysis here

    Also some cool screenshots of the beast in action here, and here

  93. Wouldn't it be embarrassing by eggarsuit · · Score: 2, Interesting
    to be "SAN"? I can't think of a worse way to tell someone that you love them. Whatever happened to sending flowers?

    Which makes me wonder if this was the only way for the writer to contact SAN. Perhaps she had moved to another country or disconnected her phone and the only thing Jackass McWormerson could think of was communicating through a computer virus.

  94. Excel and Dial Up Related Also by kenp2002 · · Score: 2, Interesting

    I have about 1000+ locations that are having trouble opening Excel documents and can no longer disconnect from the internet. Also in Inotes and Outlook they cannot OPEN individual emails (This is intermittent). Could these also be related to Blaster or are we looking at a different virus?

    --
    -=[ Who Is John Galt? ]=-
  95. Re:Gimme A Chance!! by dirtydiaper · · Score: 4, Funny

    Don't worry I know your problem.. You put the wrong boot disk in.. The one you want is the CD that says LINUX not Microsoft Windows XP. If that doesn't work.. Open up your case and find the worm.. They are a brownish colour some are a couple inches long.. good luck!

  96. Actual Removal Instructions: by einhverfr · · Score: 3, Informative

    I helped a friend remove this virus yesterday. Here is what we did:

    1: Enable Internet Connection Firewall (for once, it actually has a use!)
    2: Download and install MS03-026
    3: Remove the following registry key:
    HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update
    4: search for and remove all files beginning with msblast.exe

    Turns out aside from DDOS'ing Microsoft, this worm is pretty harmless.

    --

    LedgerSMB: Open source Accounting/ERP
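
Steps 3 and 4 of the removal instructions above are host indicators: a Run value named "windows auto update" and files in system32 whose names begin with msblast.exe. The following is an added example, not the poster's procedure or any vendor tool, of checking for those two indicators offline. It parses a constructed `reg export` of the Run key and a constructed system32 listing; the value data "msblast.exe", the benign neighbouring entries and the file names are all made up for the sample, and only the value name and file prefix come from the thread.

```python
"""Check an exported Run key and a system32 listing for Blaster's footprint.

Constructed example, not the poster's procedure turned into code. The registry
text mimics a `reg export` of the Run key; the value data and the file names
are constructed samples, not taken from a real infected host.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the thread: the Run value name the worm registers and
# the file name prefix it drops into system32.
SUSPECT_VALUE_NAMES = {"windows auto update"}
SUSPECT_FILE_PREFIX = "msblast"

# Constructed .reg export (CRLF and header as regedit writes them).
SAMPLE_REG_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{RUN_KEY}]",
    '"ExampleTray"="C:\\\\Program Files\\\\Example\\\\tray.exe"',
    '"windows auto update"="msblast.exe"',
    '"ctfmon.exe"="C:\\\\WINNT\\\\system32\\\\ctfmon.exe"',
    "",
])

# Constructed directory listing of %SystemRoot%\system32.
SAMPLE_SYSTEM32 = ["msblast.exe", "MSBLAST.EXE.bak", "msiexec.exe", "notepad.exe"]

_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def run_entries(reg_text, key=RUN_KEY):
    """Return {value_name: data} for string values under `key` in a .reg export."""
    entries, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _ENTRY_RE.match(line) if in_key else None
        if m:
            # regedit doubles backslashes inside string data; undo that.
            entries[m["name"]] = m["value"].replace("\\\\", "\\")
    return entries


def suspicious_run_entries(reg_text):
    """Run values whose name matches the worm's, or whose data names its binary."""
    hits = []
    for name, data in run_entries(reg_text).items():
        if name.lower() in SUSPECT_VALUE_NAMES or SUSPECT_FILE_PREFIX in data.lower():
            hits.append((name, data))
    return hits


def suspicious_files(names):
    """File names starting with the dropped binary's prefix, case-insensitive."""
    return sorted(n for n in names if n.lower().startswith(SUSPECT_FILE_PREFIX))


if __name__ == "__main__":
    print("Run key hits:", suspicious_run_entries(SAMPLE_REG_EXPORT))
    print("system32 hits:", suspicious_files(SAMPLE_SYSTEM32))
```

Matching on both the value name and the value data matters: a variant could register under a different name while still pointing at the same binary, and a case-insensitive prefix match on the file name catches renamed copies such as the .bak in the sample. A clean result from this check only says the host is not carrying the worm file; as Megane notes above, the host can still have been hit by the RPC exploit itself.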
    1. Re:Actual Removal Instructions: by einhverfr · · Score: 3, Informative

      Yeah, rebooting your computer every minute.

      Actually to be technically accurate, it is the RPC overflow that reboots your computer. The worm on your computer is actually rebooting *other peoples' computers* every minute ;-)

      --

      LedgerSMB: Open source Accounting/ERP
  97. Re:Gimme A Chance!! by devphaeton · · Score: 2, Funny

    Don't worry I know your problem.. You put the wrong boot disk in.. The one you want is the CD that says LINUX not Microsoft Windows XP. If that doesn't work.. Open up your case and find the worm.. They are a brownish colour some are a couple inches long.. good luck!

    Hell no. All over /. all you hear is LINUX LINUX LINUX. All over CNET and TechTV all you hear is LINUX LINUX LINUX. Screw you guys and your Monopoly. I'm switching to Windows, The Alternative OS.

    --


    do() || do_not(); // try();
  98. Luckily, it's an easy one to stop: by mmu_man · · Score: 2, Funny

    http://www.linuxiso.com/
    http://www.bebits.com/app/2680
    http://www.qnx.com/ :-)

  99. Why stop it? by Nasheer · · Score: 2, Funny
    From F-Secure Virus Information:
    Starting from 16 of August machines infected with Lovsan will send massive amount of packets to windowsupdate.com. 40 byte packets are sent in 20 millisecond intervals to port 80. This might cause a Distributed Denial-of-Service attack on that website.
    Let it spread freely! On August 16 I'll be trying to run it under Wine to see if I can be of some help.
    --
    - Please, ignore everything written above.
  100. Maryland MVA by Anonymous Coward · · Score: 2, Informative

    Whoops.. Radio just reported that anyone who has a license expiring today has a 1-day extension. Thanks, Bill.

  101. Re:RPC Exploit, not virus ? by Keeper · · Score: 2, Informative

    No. Windows ME isn't either.

    Win95, 98, 98SE, and ME are all based off of the same codebase. All are unaffected.

    WinNT, Win2k, WinXP, and Win2k3 are all based off of the same codebase. All unpatched machines are targets.

  102. Comcast appears to be filtering ports 135 and 445 by Brian+Stretch · · Score: 2, Interesting

    as of late last night, which is when the large number of port 135 hits to my Linux server abruptly stopped. Good for Comcast!

  103. No, But You May Get Locked Out Anyway by digital_franciscan · · Score: 2, Insightful

    Our university has just shut out all traffic from outside the system. That's almost as good as a DoS.

  104. Strange Brew by Fastball · · Score: 2, Funny

    Bob McKenzie: Fleshy headed mutant, are you friendly?
    Doug McKenzie (As the fleshy headed mutant): No way, eh! Ra-radiation has made me an enemy of civilization!

  105. another way... by headblur · · Score: 2, Informative

    after you know you're infected, boot into windows. disable dcom via dcomcnfg -> components -> computers -> my computer properties. reboot into windows and use stinger or some other tool to get rid of the worm...then download the windows patches. if you need DCOM, turn it on. most users won't.

  106. Easy way it can get into a corporate network by Nintendork · · Score: 2, Interesting
    We can't make sure that all our home users with VPN access have a firewall. They get infected, VPN in, and infect the intranet.

    -Lucas

  107. Cmd line tool to scan network for vuln. computers by OmegaGX · · Score: 2, Informative

    Here is a nice command line utility to scan your network for vulnerable machines. It gives you a neat list of patched and compromisable computers.

    http://www.iss.net/support/product_utilities/ms03-026rpc.php

  108. Re:Remote Procedure Call by mr3038 · · Score: 2, Insightful
    unfortunately, Microsoft in their infinite wisdom have decided that users can't turn off RPC's network functionality.

    Actually, it's possible to close all ports in windows, but it's harder than it should be. Just close all those services that nobody needs and run dcomcnfg.exe and remove all remote DCOM/COM+/whatever support. If you know that you need those, you obviously shouldn't do this. But if you know that you need those protocols, you probably work for Microsoft anyway. Dinkumware's fport helps you to find out which programs keep all those ports open.

    Yes, the default settings from redmond are brain-dead at best - what else is new?

    I don't run a firewall on my windows workstation but on the other hand it doesn't have any ports open, other than those opened by Mozilla to browse the web and those opened by miranda. Having a firewall doesn't help with those ports. Obviously, running a firewall could help catching software that's trying to call home, but I don't run every random piece of software I can get my hands on. If somebody can still crash a windows that doesn't have a single port open, you're fucked anyway.

    --
    _________________________
    Spelling and grammar mistakes left as an exercise for the reader.
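
The post above recommends finding out which ports a Windows box actually has open before deciding whether a firewall is the only protection. The following is an added example, not the poster's setup or fport, that does the first half of that audit from saved `netstat -ano` output: it lists every listening TCP socket with its bind address and PID, and reports which of the RPC/DCOM ports named in this thread (135, and 445 which Comcast was filtering) are bound to a non-loopback address and therefore reachable from the network. The netstat text, PIDs and addresses are constructed for the sample.

```python
"""Audit listening TCP ports from `netstat -ano` output for exposed RPC/DCOM.

Constructed example, not the poster's setup. The netstat text below is a
constructed sample; PIDs and addresses are made up.
"""

# Ports this thread names: the worm's entry point (135) and the related
# Windows service port ISPs were filtering (445). Assumed audit set.
RPC_PORTS = {135, 445}

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.10:1050      203.0.113.5:80         ESTABLISHED     1496
  UDP    0.0.0.0:135            *:*                                    812
"""


def _split_addr(addr):
    """Split 'host:port' on the last colon so IPv6-style hosts survive."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Parse `netstat -ano` style lines into dicts; UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = None, int(parts[3])
        host, port = _split_addr(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def listening_tcp(rows):
    """{port: (bind_address, pid)} for every TCP socket in LISTENING state."""
    return {r["port"]: (r["host"], r["pid"])
            for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def exposed_rpc_ports(rows):
    """RPC/DCOM ports listening on a non-loopback address, so reachable off-host."""
    return sorted(port for port, (host, _pid) in listening_tcp(rows).items()
                  if port in RPC_PORTS and not host.startswith("127."))


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for port, (host, pid) in sorted(listening_tcp(rows).items()):
        print(f"TCP {host}:{port} pid {pid}")
    print("exposed RPC/DCOM ports:", exposed_rpc_ports(rows))
```

The bind address is the detail that matters for the "no ports open" claim: a service bound to 127.0.0.1 (the constructed port 1025 here) is not reachable from the network, while 0.0.0.0 means every interface. Mapping the PID back to a process name is what fport adds on top of this; on XP, `tasklist` gives the same PID-to-image mapping.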
  109. The 50MB update problem by metamatic · · Score: 2, Interesting

    I think Microsoft should be required to put a notice on the box, saying "Using Windows XP for Internet access requires a broadband connection". If you've got dialup, there's just no way you're going to be downloading those 50MB service packs, and if you're not downloading them, you're a menace to the rest of the net.

    (Or at least, the rest of the net that's dumb enough to run Windows.)

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  110. Mainstream news is REALLY on the ball. by NeuroManson · · Score: 2, Interesting

    I found out about the worm on Monday, approximately 2PM PST. Did not hear any news regarding this on any of the big TV networks UNTIL 6AM (PST) the following morning.

    Rather than simply just users being clueless, there's a large number of users being kept clueless by the news media. Assuming that 100,000 users would catch an early (e.g. 2-3 hours after worm insertion) report on CNN, for example, then you would have at least 75,000-90,000 who could have patched their systems.

    But instead, the worm was given close to 20 hours to spread amongst that 100,000 users, who, not being average readers of Slashdot or what have you, never patched their systems, even up til now.

    Hell, according to a friend who works within the bowels of IBM, their R&D departments and related servers caught the worm, and everyone's scrambling like mad to fix it.

    So who, other than Microsoft (who did put a patch for just such an exploit) is to blame?

    (1) The author of the worm, naturally.

    (2) The news media, for failing to bring this to the public's attention (yeah, covering Arnold Schwarzenegger's political relevance is SO much more important than keeping people in the other 49 states informed)

    (3) Windows users, who, despite the patch being available for a month, and the security warnings for longer, still refused to install the necessary patches.

    (4) The usual braying "Hurh hurh, Windoze users are dummies!" Linux zealots, preferring to bask in their self-proscribed superiority rather than work to change the philosophy (*) that led to the worm's creation (it takes a philosophy to justify any sociopathic behavior).

    *To use the tired car analogy, if one doesn't like Ford vehicles, does that give them the right to run around slashing the tires of, or cutting the brake lines of, every Ford they see on the street (in hopes that Ford will be driven out of business for faulty brake lines)? And yet, that is what the worm and virus authors want to do. It ain't about improving Windows or changing the laws, it's about trying to topple Microsoft and ruining as many of their users' computers as possible.

    --
    Just because you can mod me down, doesn't mean you're right. Shoes for industry!
  111. Understanding Win2K Security Rating (mildly OT) by Embedded+Geek · · Score: 3, Funny
    Jonathan Shapiro of the Johns Hopkins University Information Security Institute recently posted a commentary on the fact that Windows 2000 (with service pack 3) has been assigned a Common Criteria certification Evaluation Assurance Level (EAL) level of 4. In response to the question "What does this mean?", he replies:

    Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.

    (Originally taken from rec.humor.funny).

    --

    "Prepare for the worst - hope for the best."

  112. Re:Remote Procedure Call by PurpleFloyd · · Score: 2, Informative
    RPC is used to call other programs' functions remotely; it's a network-transparent protocol that lets an application run a function from another process and receive the data returned. While it's designed to work well over networks, it doesn't have to be run over anything but one system: many Windows apps use it, including MS Installer and MS Office. It's a form of IPC; it's somewhat similar to BSD-style sockets (another network-transparent IPC system more often encountered under UNIX/Linux, and, of course, on the Internet; sockets differ from RPC calls in that they're based around datastreams rather than functions).

    IPC is more a problem with multiple solutions than an implementation; RPC, shared memory, BSD sockets, pipe links, and other IPC implementations are used based on what is best for the specific application.

    --

    That's it. I'm no longer part of Team Sanity.
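    As an added illustration of the layering the comment describes (example code, not from the post and not Windows RPC), here is a minimal function-call protocol marshalled over a local stream socket: the socket carries bytes, the RPC layer on top turns them into a named call and a reply. The procedure table, the message format and the MAX_MSG limit are constructed for the example; the length check in recv_msg is the part a defender cares about, because that length arrives from the peer.

```python
import json, socket, struct, threading

MAX_MSG = 4096  # cap on one marshalled request (a constructed limit, not a Windows RPC value)
PROCEDURES = {"add": lambda a, b: a + b, "upper": lambda s: s.upper()}  # constructed interface

def marshal(obj):
    # a function-call description becomes length-prefixed bytes on the stream
    payload = json.dumps(obj).encode()
    return struct.pack("!I", len(payload)) + payload

def recv_msg(sock):
    f = sock.makefile("rb")
    hdr = f.read(4)
    if len(hdr) < 4:
        raise ConnectionError("peer closed the stream before a full header")
    (n,) = struct.unpack("!I", hdr)
    if n > MAX_MSG:  # the length came off the wire: refuse it before reading that much
        raise ValueError("declared length %d exceeds MAX_MSG" % n)
    return json.loads(f.read(n))

def serve_one(listener):
    # server skeleton: unmarshal, dispatch by procedure name, marshal the reply or an error
    conn, _ = listener.accept()
    with conn:
        try:
            req = recv_msg(conn)
            reply = {"ok": True, "result": PROCEDURES[req["proc"]](*req["args"])}
        except (KeyError, TypeError, ValueError) as e:
            reply = {"ok": False, "error": type(e).__name__}
        conn.sendall(marshal(reply))

def _exchange(request_bytes):
    # one-shot loopback server in a thread; send request_bytes to it and return its reply
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=serve_one, args=(listener,))
    t.start()
    try:
        with socket.create_connection(listener.getsockname()) as s:
            s.sendall(request_bytes)
            return recv_msg(s)
    finally:
        t.join()
        listener.close()

def rpc_call(proc, *args):
    # client stub: reads like a local call, is really marshal -> stream -> unmarshal
    return _exchange(marshal({"proc": proc, "args": list(args)}))

def oversize_request():
    # a header claiming a body bigger than MAX_MSG; the server must refuse rather than read it
    return _exchange(struct.pack("!I", MAX_MSG + 1))
```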
  113. Re:Does it work with wine? by daemon1010011010 · · Score: 2, Funny

    Yes, it does work quite well with wine, as confirmed by tcpdump. I will be sure to have it running this weekend just in case the rumors are true. I mean, sure I could just reverse engineer it, but that's just not as fun as running it an entire weekend and watching all the IPs of recently infected users go by in my tcpdump output. BTW, anyone in the 85.221.22.* IP block running an unpatched NT derivative, sorry, but I had to test it.