Slashdot Mirror
Windows Virus Takes Out Gov't Agencies in MD, PA
Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.
The person who created this worm did so to show that Microsoft's software was insecure. Their methods are bad, but they've shown that no matter how good WinXP sounds compared with Win9.x, it is still made by Microsoft. If you don't want this kind of rubbish, don't use Microsoft.
Looks like viruses like this may help speed adoption on alternate operating systems (like linux, OSX, et. al) on the desktop quicker than a dozen ESR's with geek infantry in tow.
Spoke with both sides of the family this evening, going on about how messed up their computers were acting and all they had to go through to get it patched up. I listened and informed them how well my iBook and the relative merits of UN*X and they listened...
Thanks again, Bill!
... Windows Update once every couple weeks.
I know there'll be dozens of "they shouldda been using un*x" posts, but in defense of Windows, there has been a patch for this on Windows Update since July 16. Even I had enough time to test the patch on a non-production system between then and now. Every platform gets its 'sploits throughout its lifetime, it's just a matter of learning about them and applying the proper patches in a resonable amount of time... especially on mission-critical machines. (DMV computers, etc...)
Are you, by any chance talking about MS Blaster Worm? ... Maybe then the media will get the idea too!
:/
Its good for us to keep using the correct terminology
Ok, time to get modded down.
How do you know this person was trying to get people to switch to Linux (or anything non-MS)? S/he could just be an ordinary asshole, without a point to prove.
I can forgive stupid home users, but shouldn't mission critical things like these patch every now and then? The hype surrounding this has been huge, and if you run unpatched microsoft stuff, well, good luck fixing it now. It will take a long time, but at least this worm can be fixed with little damage. Maybe this worm will get people to pay attention to security, but then again people said that about the last dozen MS worms.
STUPID!!
SAILING MISHAP
for a LOOOOONG time now
Three weeks isn't that long for a patch to be out. Many organizations actually test patches out on non-production machines before randomly installing software that Microsoft says is OK.
One of the downsides to having just one type of OS is that it makes you very vulnerable to this sort of thing.
As far as blaming people who haven't patched their computer, I can't see it. This thing is hitting home dialup users fer crying out loud - my friend had to drive over to his dad's house to disinfect a machine. You can't expect everybody's grandmother to behave as a professional sysadmin.
I would hope hospitals do not run critical systems a) on Microsoft software but especially b) on a LAN with any access to the internet. It's sheer lunacy if they do and could be used as grounds for a lawsuit. On the otherhand, they can do whatever they want with their accounting, cafeteria, and parking meter systems since a lawyer wouldn't pounce on that kind of ... wait ... I'm probably underestimating now.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
The patches have been available for a LOOOOONG time now.
What, three or four weeks? Here is the problem with Microsoft patches. Folks have been screwed more than once due to poor testing on Microsoft's part when the patches completely screw up your system forcing you to spend hours rolling things back to where they were or even completely reinstalling Windows. So, many IT folks are understandibly reluctant to employ these "patches" before adequate testing on their own systems. This may take a number of weeks.
Visit Jonesblog and say hello.
You bring up an interesting point. My father is a Windows 2000 administrator for a large multi-site hospital system(seven hospitals, 2 longterm care facilities and 35 clinics). Thankfully they stay up to date on the latest patches and have a good firewall so they were completely unaffected. They also recently went through an emergency preparedness drill making them take a look at what would happen on the computer side of things if say, a tornado wiped out such and such hospital. They look at things like, where do we keep the tape backups of patient records, what services are necessary for the billing department? For the most part, mission critical applications are mainframe issues, and patient records etc are isolated from silly internet-propagated worms.
My point is that if a staff has competent employees with an eye for security, usually viruses and worms' impact can be reduced to at most, a nuisance.
Still, I agree with you completely. Virus authors need to realize that it's not all just in fun. People don't "deserve it" just because they are vulnerable. And, you're not going to teach anyone a lesson. It's not l33t haxoring, it's childish and immature vandalism, plain and simple.
And I know this for a fact. I had a machine that I re-loaded XP on for a customer since he was upgrading his mootherboard. Friday I finish the windows load and I install all the patched available on the update page. Ran it once to get the first 80Mb of patches, ran it to get Media Player 9, ran it again to get the security patch for Media Player 9.
That's everything on the update page.
Installed Norton AV 2003 and got all the updates available as of last Friday. After doing that one would have a reasonable expectation of being safe against a problem, especially since the problem was discovered a full month ago.
Monday the customer called with the machine giving a 60 second countdown and rebooting.
Now even if the people at the MVA and other places *did* the updates from the updates page, they'd still be screwed.
All I want is these virus programmers, their fingers, a ball-peen hammer and 5 minutes...it's all the time I'd need
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
Comcast as a whole got blasted, not surprising.
& sid=1& A2=ind0307&L=ntbugtraq&F=P&S=&P=93 40
A win2k sp3 machine I patched has something like 16 critical updates needed. Several reboots.
That's too much downtime. You can update just about everything but the kernel in linux/bsd without a reboot. Going through this every couple of days is a drag!
The architecture is fundamentally broken: the enabling stuff by default; implementing dozens of new ways for strangers to do things to your computer without your knowledge (as features!) with each release; welding mere applications (web browser, email client) to the OS, having them run with system priviledges, and making it impossible to remove...
Finally - windows update is fundamentally broken. It will report success when the patching operation fails. This is one way:
http://www.ntbugtraq.com/default.asp?pid=36
They need to start over. Maybe if they start clean they can come up with something that compares to Linux.
The fact is, there is no 'secure' operating system, but there are enough things that can be done to prevent virus infections that any large company stricken by this virus should fire their IT staff TODAY.
What company does NOT demand auto updating anti-virus software on every system connecting to their corporate network? What company does not have a person in charge of installing MS patches within 24-48 hours of their availability? Dont give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.
Viruses are a reality for Windows networks, and companies without policies and recovery plans to deal with them should fire their staffs and get competent people in place. Businesses need to understand that competancy costs MONEY, so if your IT people are paid dirt wages, your network is a sitting duck, trust me. Can your MCSE who cant tell you what circular logging does on an Exchange installation. Fire the fool who told you to build trusts between multiple AD forests, I dont care how reasonable his explaination was. I see this shit every day, because 80% of Windows admins suck monkey dick. Microsoft is on their 3rd round of creating a certification program. Maybe they should consider taking the aftermarket PROFIT out of it, and stop caring about pass/fail rates long enough to get a core group of people who know what the fuck they are doing?
There is no excuse for this shit anymore. A virus attack on a company running Windows these days should mean an instant termination of the staff that let it happen.
I believe this is a side effect of the Windows dominant world. Many people have no idea that there is an alternative. If you look back at the media coverage of any of the many Outlook/OE and IE related viruses and worms, like Melissa, and many others.. You will find people claiming that it is an "email" virus. It is not, it is an OE/Outlook virus and can ONLY spread if using those products. 99% of the time, if you are not using a MS provided mail client/web browser you would be completely safe even with no firewall and virus scanner from those "email" viruses, although not the case here with MS Blaster. I think if the media stated that fact every time this happened, it might sink into peoples heads that it might be a good idea to look for something else. Funny that this virus name actually contains a reference to Microsoft being called MSBlaster. I wonder if they tried to get that changed, funny how they call it Blaster, not MSBlaster like everyone else.
Bad boys rape our young girls but Violet gives willingly.
It's like digging a hole in the water. (In this metaphor, the water is NOT frozen, 'kay?)
We IT gnomes have other things to do than patch and patch and patch and patch. We can't trust Windows Update to even correctly report the status of the application of a patch. We have users screaming for new installations, new hardware, new software, new networks, wireless, email, etc. Staffing doesn't get determined by workload. Not in my world.
Patches can introduce bugs. Microsoft does not test their patches against all software in the world; they certainly don't test it against all custom software.
Suppose you've got a mission critical app. Suppose the folks that wrote this app went out of business in 2000. Suppose it incorporates a library that includes a control that uses a deprecated interface to call an obsolete method. Suppose this method returns a value of 127 for a particular failure. Suppose that this failure is one that should not be retried in this environment because it would another intitiate query to master database in Frankfurt. Suppose that a patch (incorrectly) causes this interface to begin returning 63 for that failure code. Suppose that what USED to be failure 63 should be retried 255 times. Suppose that one day this particular failure (was 127, now 63) occurs.
Now suppose that you're the boss of that guy who convinced you last week "We don't need to test patches apps from Microsoft before deploying them enterprise-wide." and your boss wants to know why his boss in Frankfurt is on the line.
Now you know why I'm unemployed.
Until they can release an OS that goes a couple of weeks between major vulnerability discoveries, they're fucked! And so are you. Don't you think IT staffs have other responsibilities? Do you realize how many updates there have been this year? How many of them require a reboot?
That's an easy question to answer.
The more interesting question is how many of them would not be required if they had implemented a sensible architecture, if they hadn't bolted on a bunch of crap to advance the monopoly into the internet, etc. Then we could hope for a massive improvement in code quality. My impression is that a bunch of this was avoidable, but for lazy and incompetent product managers and programmers, and perverse design goals intended to hurt competitors no matter what collateral damage to consumers.
Being User Secure and being Architecturely(sp?) secure are two very different things.
The reason why it is so easy to attack MS machines is because they insist on running what really should be considered User space applications as part of the Kernel space, IE is a good example as is Office.
CAn'T CompreHend SARcaSm?
A security patch should not break code. Were I "the boss of that guy," I would consider Microsoft to be at fault.
Sounds like a time for damage control and updating that app or library (even if it means using a disassembler).
As for deploying at a large enterprise, it would be wise to test mission critical apps before doing so. But such testing should be routine and be completed ASAP.
The unofficial
Microsoft often releases patches for these types of worms and viruses, but the problem becomes that sometimes their patches end up breaking a hell of a lot more than they fix.
Companies, and government institutions cannot just patch and go. They have to test the patches on an isolated computer to ensure that EVERY SINGLE program they need to use is not affected adversly by the patches. Any idea how many MS patches for Windows alone are out there? It's a wonder IT people at companies/government are even half as caught up as they are.
Just imagine if your health insurance provider's IT supervisor just went and patched every time without testing; and one day the program they use to keep things up to date won't work because of a MS patch that broke it. Suddenly you're without health insurance. God help you if you get hurt in the time it takes for them to figure out what broke the program and try and fix it.
That's why it doesn't matter that MS releases these patches. Sometimes they fuck up a lot more than they fix, and companies and government institutions simply cannot take the risk of installing every single security patch from MS (often released weekly) because of this.
Thursdae
There are worse things that just wiping a hard drive. Wiping all data is obvious, and you know it happened.
What if a virus was capable of recognizing some common file types, and making a few changes?
Every so often adding or subtracting from a cell in a spreadsheet? Finding a CAD file and changing the thickness of some metal?
How about an easy one? Social Security Numbers are easy to identify - what if a virus looked for them in files, and changed a digit in a few of them at random?
What's worse than no data?
Data that you have no idea if it is correct or incorrect, and have no idea if any of your backups are correct or incorrect.
I can imagine the day when the unknown security hole of the future comes careening through that expansive windows network and microsoft hasn't made a patch yet. I wonder how long before someone dies. Nothing personal, but I'd never consider Windows 2000 secure enough to bet my life, or anyone else's life on it. No FUD intended here. I'm being as serious as a heart attack. I'd go so far as to say that putting mission critical hospital systems on the Windows 2000 platform is criminal. I'd never trust my life, or a loved ones life considering their track record. And yes it IS that big of a deal. And it IS that serious. What you are describing is a serious tragedy waiting to happen. It's only a matter of time.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
Unfortunately, under current laws and regulations, Microsoft is not held liable if their security patches break your system. They're also not held liable if a virus/worm hits you befor they can patch it. In fact, no matter what Microsoft's software ends up doing to your buisness, they aren't liable for anything.
So consider it Microsoft's fault all you want, but they won't be forced to do anything about it.
In the end, the company is going to want to blame someone they can do something to, which means their employees.
Thursdae
Getting hit by this worm demands complete apathy towards patching your system. One faculty member at the University I do tech for was complaining about doing patches. It's so hard to open IE go to tools and then Windows Update and click a couple buttons. If that. We tend to set Windows to automatically download and install critical patches and then cross our fingers and hope the users are too lazy to disable it.
In my case I just run a $50 router with NAT that blocks everything I don't need which makes the entire house network of around 10 computers immune from this worm regardless if they're patched or not.
This worm doesn't prove anything. Linux users need to be patching their systems as well and when it becomes mainstream it'll be the target of script kiddies as well. It's just pointing out what techs all know: people are lazy and don't care until it's a problem.
Ben
Work Safe Porn
What was it that really made the worm possible?
Leaving RPC open by default. As much as I like where you are trying to come from, this is indeed a Microsoft problem that they created themselves. When you have 50 FUCKING BILLION dollars in the bank, a major majority of the market, and this type of crap keeps happening, you should probably think about spending a few billion on making products that don't cost your customers insane amounts of money and lost productivity due to down time because of pathetic security and coding practices. It's just a thought.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
Virus authors need to realize that it's not all just in fun.
I don't think virus authors are the point. It's easy to make obvious statements about how childish and irresponsible this guy is, but it's not like he invented worms. There were possible and probable before he sat down to code this one. So if people die in the hospital the blame rests with the people who administer the networks, the machines and the hospital. And Microsoft. It's their responsibility.
I think the people who write these things serve a useful purpose in strengthening security - like eating dirt when you're young helps you build your immune system.
Reliable, Great Value Hosting: $7.95/mo 2.4G/120G
> I say screw those who didn't patch
/insert obrant about how Windows is a poor system in regards to security and how patches and virus scanners are post-attack fixes. Someone has to get infected first you know. //or insert obrant how how Bush's DOJ let MS off and now we are sowing the seeds of cronyism.
1. Companies may still be evaluating it before putting it on their production servers. So if their e-commerce site went down because of this patch would you also say "screw them for not testing properly?"
2. "Road Warrior" laptop users who tech support hasn't had a chance to update yet.
3. Home users who dutifully update their virus scanners, pay Norton, and are careful not to open wacky attachment but have no idea about how remote exploits worked.
4. Failed patches and false positives.
5. New computers straight from dell or whomever that bundle and auto-setup everything except autoupdate. Hmmm, that sounds like a big problem to me.
6. "Early victims" who were infected well before the patch was available or before their computers could download it automatically.
7. The technical clueless that have no idea what a virus is or let alone a worm is. Who's job is it to teach them the ins and outs of security? Maybe MS could make a more secure product or at least put as much effort into alerting the user about security as it does trying to break competitors. Crazy, I know.
"I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."
How about downloading security patches, too?
Like it or not, Windows systems need a solid antivirus policy in place; even if you filter at the firewall/mail gateway/web proxy, viruses will still find a way into your network.
Let's try to imagine if it carried a Chernobyl-like payload, or the feared root name server DDoS. Man, that's scary. So, the first one with an exploit ruins it for the rest, as at least some of the world finally realizes that it needs to patch, rendering the real killer-virus less effective, should it ever see the light of day.
I guess in that context, we should be grateful. It's kinda like if your're walking down the street in a bad neighborhood. Wouldn't you rather have some a**hole just slap you in the face, rather than said person walking up and shooting you?
Good point, but NOBODY seems to fault Microsoft in this issue. They hold some of the blame for this, and I hope that people start to wake up and realize that this IS the additional cost of working with a Microsoft system. This has to be factored in with the total cost of ownership. But yet you NEVER see this in a Gartner report. Why? I spend around 1-2 hours a week on average working with virus issues on our Microsoft software and almost ZERO on all our other systems.
Gates and company made Windows programs easy to integrate (DDE, OLE etc) but they NEVER took security seriously, then when they started to make a NOS and those same BAD habits followed. Remember that Windows 95 use to send your password in CLEAR TEXT over the network!!! What serious company in their right mind (in the 90's) would have designed anything that way? They ignored security to give people like you "features". Well now one of those "features" is an un-secure operating system.
I could just imagine people that own a GM car had some hacker who could use the onstar stuff to shut down their car while they were in it. Granted, I think they would be initially mad at the person who caused this, but if it happened again and again and again and again, they would probably not buy a GM car again, and their anger would turn to GM. I wonder when this type of thinking will turn to Microsoft. How many systems will have to be down for days?
Yes I realize that this can't happen with a GM car, I am just using it as an example.
By the way, did you try and get a patch from their site yesterday? That sure was fun!!! I actually managed to get one 98 system updated at around 8:00pm est.
The more I learn about science, the more my faith in God increases.
Why is it Microsoft's fault when THE PATCH WAS RELEASED A MONTH AGO? A simple ~800kb patch. The exploit even made a Slashdot headline, so it was well-reported.
The fault lies in those people who don't patch the operating system with the critical updates put out by its maker.
"Sufferin' succotash."