Slashdot Mirror
Windows Virus Takes Out Gov't Agencies in MD, PA
Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.
DSL reports has a security forum that has been taking this sucker apart and giving us the code:
r oo t=security,1~mode=flat
have a look:
http://www.dslreports.com/forum/remark,7649146~
My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them. I guess a few computers were infected with this worm and they wanted to ensure things were taken care of. So, here's the deal: I figure that today alone, due to lost productivity, salaries, benefits etc.... this company lost $250k from this worm. So, I ask: When are companies going to wake up and realize that the fundamental foundations that Windows are built on are flawed when it comes to security? There have got to be studies out there examining total cost of ownership of the various platforms. For instance, I spent a couple days of my time updating our remaining Wintel systems to guard against this virus and am soooo happy 95% of my work is done on OS X.
Visit Jonesblog and say hello.
Somebody's trying to run a plant dependent upon Microsoft...
I suggest you take some factory tours, the majority of modern factories/plants use Windows for their control software. Unless the end product is something very critical or very expensive, plant designers and control software writers tend to stick with well documented comodity hardware (Win32).
and how many switched after Code Red? ILoveYou? the countless others? Those who got inffected either had someone take care of it or just reinstalled the system. This is what they are trained to do and expect it with computers.
Actually, many hospitals DO run critical systems on Microsoft software. Also, the LAN need not be on the internet to catch a virus. Hospitals (such as the one I work in) have connections to several large companies. When these companies get infected, so do we. Another thing is laptops. All it would take is an infected laptop to plug into the network for the virus to spread. There are plenty of opportunities for viruses to propagate into the network, not just having 'access to the internet'.
"I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"
Doesn't mean there is a agenda but there could be.
"A good friend will bail you out of jail. A true friend will be sitting next to you saying, 'damn....that was fun!'"
My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.
It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that is crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (IE, the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)" Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would popup up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (There were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.
So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?
I work for a healthcare organization and it was indeed pretty bad. Our desktop folks had gotten behind on their testing of security patches, so many of our systems were unpatched. All it took was one connected clinic to start it off and pretty soon routers started shutting down due to the huge network traffic as the worm spread.
It was pretty freaky. My coworker was patching systems in the Emergency Department as patients started getting some long wait times. Downtime measures tend to be slow in comparison to what people are used to.
I just got back from visiting "the relatives" all of last week. Heartland area of the US. Farm-type folks that grow food many of you eat. Anyway, the parent poster's statement is correct. These people have a few PC's as a matter of modern necessity. One of these (win98) runs a payroll app, is connected via dialup to the internet, is connected via ethernet to two other "critical" systems running WFW3.11, and was running a *completely* unpatched version of IE4.0 / Outlook Express. Oddly, they didn't have near the problems one might expect for all this (impressively, ad-aware came up clean aside from cookies) but when I mentioned "Windows Update", which sits right there on the Start Menu plain as day, to my relative who runs the '98 box, all I got was "what's that?".
My early-teen cousin was running his family's 98 box similarly. Unpatched. Ad-aware found all manner of crap that might just have, with luck, woken him up. Still, I had to explain all this nonsense, including *what* windows update was, *how* to run it (click here, click here, look the list over, click this, wait. reboot. repeat until the list is empty), how spy-ware/ad-ware differs from virii/worms, etc.
These aren't stupid people. Ignorant of the complexity of things that we all here take for granted. (In fact, I'd wager we give "joe sixpack" too much credit, not that I'm calling dumb on the world or anything.) It is just that their priorities are differently aligned than the hobbyist/admin types here (or that of people who try to design software with these people in mind, even). It was an eye-opening experience.
Now, to the credit of my linux geek membership, I might be able to upgrade the WFW systems to hardware made inside this decade and run the critical software in dosemu or the like, put the dialup on a firewall, and other things before they get convinved to shell out $20,000 on software and hardware upgrades this time next year.