Slashdot Mirror


Windows Virus Takes Out Gov't Agencies in MD, PA

Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.

18 of 984 comments

  1. Want to see the code? by westyvw · · Score: 5, Informative

    DSL reports has a security forum that has been taking this sucker apart and giving us the code:

    have a look:

    http://www.dslreports.com/forum/remark,7649146~root=security,1~mode=flat

    1. Re:Want to see the code? by nacturation · · Score: 4, Informative
      At least learn to use HTML for easy clickability. Create your link like this:
      <a href="http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat">link to the article</a>
      Which will come out like this:

      link to the article
      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  2. When are people going to wake up? by BWJones · · Score: 4, Informative

    My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them. I guess a few computers were infected with this worm and they wanted to ensure things were taken care of. So, here's the deal: I figure that today alone, due to lost productivity, salaries, benefits etc.... this company lost $250k from this worm. So, I ask: When are companies going to wake up and realize that the fundamental foundations that Windows are built on are flawed when it comes to security? There have got to be studies out there examining total cost of ownership of the various platforms. For instance, I spent a couple days of my time updating our remaining Wintel systems to guard against this virus and am soooo happy 95% of my work is done on OS X.

    --
    Visit Jonesblog and say hello.
  3. Re:3M Plant Shut Down by green+pizza · · Score: 4, Informative

    Somebody's trying to run a plant dependent upon Microsoft...

    I suggest you take some factory tours, the majority of modern factories/plants use Windows for their control software. Unless the end product is something very critical or very expensive, plant designers and control software writers tend to stick with well documented commodity hardware (Win32).

  4. Re:Thanks, Microsoft! by Juanvaldes · · Score: 4, Informative

    and how many switched after Code Red? ILoveYou? the countless others? Those who got infected either had someone take care of it or just reinstalled the system. This is what they are trained to do and expect it with computers.

  5. Philadelphia by phillymjs · · Score: 3, Informative

    The 10pm news here in Philly interviewed one of the city's IT guys. He stuttered and stammered his way through the whole thing, and looked to me like a man afraid for his job as he claimed that there was "no warning and no way to be prepared for this"-- not a verbatim quote, but close enough.

    I think the guy is right to be afraid for his job-- he's pretty damned incompetent to have not heard about this. This vulnerability was quite publicly announced weeks ago, and Microsoft's page with the patch is dated July 16. Even Homeland Security released a bulletin, and I'd hope that if nothing else those would get around in a city government that is supposed to maintain a level of disaster-preparedness.

    Then again, this being Philadelphia, that guy likely got his job through patronage and wasn't qualified for it in the first place.

    ~Philly

  6. Re:A good argument for... by bricriu · · Score: 3, Informative

    According to the DSLReports thread posted/linked above, people who were up to date with their Windows Update or had Windows Auto-Update on still got hit. :-/

    --

    AHHHHHHH! I'm burning with goodness again!
    - Reakk, Sluggy Freelance

  7. Re:Yes by Anonymous Coward · · Score: 5, Informative

    Actually, many hospitals DO run critical systems on Microsoft software. Also, the LAN need not be on the internet to catch a virus. Hospitals (such as the one I work in) have connections to several large companies. When these companies get infected, so do we. Another thing is laptops. All it would take is an infected laptop to plug into the network for the virus to spread. There are plenty of opportunities for viruses to propagate into the network, not just having 'access to the internet'.

  8. MY BAD: THE CODE IS HERE: by westyvw · · Score: 3, Informative

    My bad. I made a bad link that wasn't what I wanted:
    If you wanna look at the code its HERE:

    http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat

    The grain of salt is that they are reverse engineering. But it still is there and interesting.

    Again my apologies.

  9. Re:Yes by websaber · · Score: 5, Informative
    It contains the message

    "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"

    Doesn't mean there is an agenda but there could be.

    --
    "A good friend will bail you out of jail. A true friend will be sitting next to you saying, 'damn....that was fun!'"
  10. Our system by Jade+E.+2 · · Score: 5, Informative
    I'm an admin for a local County department. While our network was mostly unaffected (I'll get to that in a second), the county's Central IS department, that runs the county backbone from which we get our internet feed, had their exchange 5.5 box (on nt4 - not patchable) go down sometime really early this morning.

    My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.

    It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that it crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (i.e., the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)". Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would pop up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (There were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.

    So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?

    1. Re:Our system by Antitorgo · · Score: 4, Informative

      If the other worm you are talking about is hitting port 445 it is probably the Backdoor.irc.Cirebot trojan. It targets port 445 (vs 135), and opens up a backdoor. It's still an RPC attack though...

      Hopefully, the other worm you are seeing isn't a mutation.
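The spread pattern Jade E. describes above (one source sweeping a block of addresses on TCP port 135, then moving on to an unrelated range) is something a perimeter or router log can reveal before anyone notices crashed RPC services. The script below is an added example, not code from any poster in this thread or from any vendor tool: it counts distinct destinations per source on port 135 over constructed sample log lines and flags sources that touch more targets than a normal RPC client ever would. The log line format (`src=... dst=... proto=... dport=...`), the sample addresses and the threshold of eight targets are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines for this example (not taken from the page
# or from any real device). Assumed format:
#   "<date> <time> <action> src=<ip> dst=<ip> proto=<proto> dport=<port>"
SAMPLE_LOG = """\
2003-08-12 01:14:03 DENY src=10.20.30.40 dst=10.1.5.17 proto=tcp dport=135
2003-08-12 01:14:03 DENY src=10.20.30.40 dst=10.1.5.17 proto=tcp dport=135
2003-08-12 01:14:04 DENY src=10.20.30.40 dst=10.1.5.18 proto=tcp dport=135
2003-08-12 01:14:04 DENY src=10.20.30.40 dst=10.1.5.19 proto=tcp dport=135
2003-08-12 01:14:05 DENY src=10.20.30.40 dst=10.1.5.20 proto=tcp dport=135
2003-08-12 01:14:05 DENY src=10.20.30.40 dst=10.1.5.21 proto=tcp dport=135
2003-08-12 01:14:06 DENY src=10.20.30.40 dst=10.1.5.22 proto=tcp dport=135
2003-08-12 01:14:09 DENY src=10.20.30.40 dst=5.69.12.1 proto=tcp dport=135
2003-08-12 01:14:09 DENY src=10.20.30.40 dst=5.69.12.2 proto=tcp dport=135
2003-08-12 01:14:10 DENY src=10.20.30.40 dst=5.69.12.3 proto=tcp dport=135
2003-08-12 01:14:10 DENY src=10.20.30.40 dst=5.69.12.4 proto=tcp dport=135
2003-08-12 01:15:00 ALLOW src=10.1.7.9 dst=10.1.5.17 proto=tcp dport=135
2003-08-12 01:15:02 ALLOW src=10.1.7.9 dst=10.1.5.50 proto=tcp dport=135
2003-08-12 01:15:10 ALLOW src=10.1.8.3 dst=10.1.5.80 proto=tcp dport=80
2003-08-12 01:15:11 ALLOW src=10.1.8.3 dst=10.1.5.81 proto=tcp dport=80
2003-08-12 01:15:12 ALLOW src=10.1.8.3 dst=10.1.5.82 proto=tcp dport=80
2003-08-12 01:15:13 -- link state change on eth1 --
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a recognised line, or None for
    anything that does not carry the expected fields (e.g. status messages)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"].lower(), int(m["dport"])


def find_port_scanners(lines, port=135, min_targets=8):
    """Flag sources that connect to at least `min_targets` distinct destinations
    on TCP `port`.  A legitimate RPC client talks to a handful of servers;
    a worm sweeping address space touches dozens in seconds.

    Returns {src: {"targets": distinct destinations, "blocks": distinct /24s}}.
    Repeated hits on the same destination (retries) count once.
    """
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto == "tcp" and dport == port:
            targets[src].add(dst)

    flagged = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            # Count how many /24 blocks the source swept: a high number suggests
            # random-range scanning rather than one noisy local subnet.
            blocks = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
            flagged[src] = {"targets": len(dsts), "blocks": len(blocks)}
    return flagged


if __name__ == "__main__":
    for src, info in find_port_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['targets']} distinct port-135 targets "
              f"across {info['blocks']} /24 block(s)")
```

On the sample data only 10.20.30.40 is reported (10 targets across two /24 blocks); the host making two ordinary RPC connections and the host browsing on port 80 are not. The threshold is deliberately a parameter: on a network where one server legitimately talks RPC to many workstations, raise it or whitelist that server rather than lowering it network-wide.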

  11. Actually, our hospital was hit pretty bad today by PIPBoy3000 · · Score: 5, Informative

    I work for a healthcare organization and it was indeed pretty bad. Our desktop folks had gotten behind on their testing of security patches, so many of our systems were unpatched. All it took was one connected clinic to start it off and pretty soon routers started shutting down due to the huge network traffic as the worm spread.

    It was pretty freaky. My coworker was patching systems in the Emergency Department as patients started getting some long wait times. Downtime measures tend to be slow in comparison to what people are used to.

  12. Re:Yes by Keeper · · Score: 3, Informative

    Life support systems, heart monitors, and other devices of that sort are not plugged into a LAN. The requirements for those kinds of devices are unbelievable -- I actually feel sorry for anyone who has to work on such systems, after having seen what kind of hoops those devices have to go through.

  13. Text in the Virus by ChopsMIDI · · Score: 3, Informative
    According to the Symantec page regarding the worm:

    The worm contains the following text, which is never displayed:

    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    So it seems the creator did have a point to prove.
    --

    How could I say to men: "Speak louder, shout! For I am deaf!"? -Ludwig van Beethoven
  14. Re:Windows Update and regular users by slide-rule · · Score: 4, Informative
    I'm convinced that most regular users do not "get" what Windows Update is for

    I just got back from visiting "the relatives" all of last week. Heartland area of the US. Farm-type folks that grow food many of you eat. Anyway, the parent poster's statement is correct. These people have a few PC's as a matter of modern necessity. One of these (win98) runs a payroll app, is connected via dialup to the internet, is connected via ethernet to two other "critical" systems running WFW3.11, and was running a *completely* unpatched version of IE4.0 / Outlook Express. Oddly, they didn't have near the problems one might expect for all this (impressively, ad-aware came up clean aside from cookies) but when I mentioned "Windows Update", which sits right there on the Start Menu plain as day, to my relative who runs the '98 box, all I got was "what's that?".

    My early-teen cousin was running his family's 98 box similarly. Unpatched. Ad-aware found all manner of crap that might just have, with luck, woken him up. Still, I had to explain all this nonsense, including *what* windows update was, *how* to run it (click here, click here, look the list over, click this, wait. reboot. repeat until the list is empty), how spy-ware/ad-ware differs from virii/worms, etc.

    These aren't stupid people. Ignorant of the complexity of things that we all here take for granted. (In fact, I'd wager we give "joe sixpack" too much credit, not that I'm calling dumb on the world or anything.) It is just that their priorities are differently aligned than the hobbyist/admin types here (or that of people who try to design software with these people in mind, even). It was an eye-opening experience.

    Now, to the credit of my linux geek membership, I might be able to upgrade the WFW systems to hardware made inside this decade and run the critical software in dosemu or the like, put the dialup on a firewall, and other things before they get convinced to shell out $20,000 on software and hardware upgrades this time next year.
  15. Re:Speaking of Money by SillySlashdotName · · Score: 3, Informative

    "ILOVEYOU" virus: 2.6 - 15.0 Billion
      BBC: California-based IT consultancy Computer Economics estimated worldwide damage to be $2.6bn by the end of Thursday. It said that figure could soar to $10bn by next week.
      USAToday: Lloyds of London put the estimate for Love Bug at $15 billion.

    Melissa: 1 Billion
      USAToday: the economic damage from the Melissa virus in 1999 to be about $1 billion.

    CodeRed: 2.6 Billion
      BizJournals.com: "Code Red, which started in mid-July, so far has cost the U.S. economy $2.6 billion."

    Klez: 9 Billion
      The Register: "The Klez virus last year cost businesses $9 billion worldwide in lost productivity,"

    SirCAM: 1 Billion
      BSTPierre.org: "SirCam", which also propagates through email, cost $1 billion.

    TOTAL for these alone: at least 16.2 - 28.6 billion

    --
    Acts of massive stupidity are almost never covered by warranty. --me.
  16. MSBlaster Worm Symptoms and Remediation by virtcert · · Score: 3, Informative

    Here's a rundown of what I've found out dealing with the MSBlast worm, some of which wasn't posted to the list yet (or I just missed it). Luckily my systems here were patched before this came out, but a few people brought in laptops that weren't patched, so here's what to expect.

    MSBlast Symptoms:

    Windows XP: Computer displays a message that the computer will shut down in 60 seconds.
    (Go to a command prompt and type "shutdown /a" to abort the shutdown.)
    This indicates that your computer is infected with the MSBlast worm.

    Windows 2000: Computer displays an error message about "svchost.exe" fatal errors. Odd behavior follows, such as not being able to drag-and-drop certain items, Internet Explorer context menus (right click menus) don't work properly, and other bizarre behavior.
    This _does_not_ necessarily mean that a computer has the worm, but the svchost.exe could be crashing as a result of the worm trying to get in. However, you should still run the removal tool to make sure.
    Some people have associated this with the install of Service Pack 4, but it appears to be coincidental and not related to the SP4 install. However, SP4 does seem to have its own user-reported set of issues unrelated to this worm, as discussed here:
    http://www.w2knews.com/anecdotes.htm

    Windows ME/98/95: Unaffected by this worm.

    Windows Update: Windows Update is running incredibly slowly.
    You may or may not be able to get in to update your system. This is due to the fact that millions of people are all hitting the service at once trying to get the patch to stop this worm. If you keep trying, you will eventually get in, but it may take a number of tries and 5 minutes or so per try. Additionally, you may get an HTTP 1.1 Server Too Busy error message even after you are in. Just keep clicking on the "Review and Install Updates" link on the left side pane and it will eventually let you in. When it does make a connection, the window or system may appear to hang for up to a minute or two. Just wait it out and it will eventually wake back up with the Blindly-Accept-Our-New-License-Terms window. Read the license terms thoroughly and print out a copy for your files (sorry, couldn't resist), then click "OK" and the updates will then download (slowly) the needed files and install them.
    To make matters worse, the worm will start a Denial of Service attack against the Windows Update site on Saturday Aug 16, so if you think it's bad now, you ain't seen nothing yet.

    Worm Trivia: The worm contains the following text, which is not displayed on the screen:
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!

    If you experience either of the above symptoms on your PCs, you need to apply the appropriate patch from here immediately:

    Windows XP Security Patch:
    http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
    Windows 2000 Security Patch:
    http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
    Windows NT 4.0 Security Patch:
    http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
    Windows NT 4.0 Terminal Server Edition Security Patch:
    http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE
    Windows Server 2003 Security Patch:
    http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe

    Then, run this program to scan your system for any remaining parts of the worm.

    Removal Tool:
    http://securityresponse.symantec.com/avcenter/Fix