Slashdot Mirror
Windows Virus Takes Out Gov't Agencies in MD, PA
Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.
C'mon, this is getting so old ... but I guess that's the really pity, isn't it? Gives cities like Munich the last laugh.
A feeling of having made the same mistake before: Deja Foobar
The person who created this worm did so to show that Microsoft's software was insecure. Their methods are bad, but they've shown that no matter how good WinXP sounds compared with Win9.x, it is still made by Microsoft. If you don't want this kind of rubbish, don't use Microsoft.
DSL reports has a security forum that has been taking this sucker apart and giving us the code:
r oo t=security,1~mode=flat
have a look:
http://www.dslreports.com/forum/remark,7649146~
Bringing down the DMV may be the best use anyone's ever found for a virus.
It's good to use your head, but not as a battering ram.
We discovered we got hit when our Sonicwall connections hit the limit every 10 minutes. It took us two tries to clean it all up.
And who was it who brought it into the office? The CEO. He thought he had a virus but connected to the network anyway. Mod that funny if you will but try being part of our network support team.
"She's a West Texas girl, just like me" - G.W Bush Iraqis
Looks like viruses like this may help speed adoption on alternate operating systems (like linux, OSX, et. al) on the desktop quicker than a dozen ESR's with geek infantry in tow.
Spoke with both sides of the family this evening, going on about how messed up their computers were acting and all they had to go through to get it patched up. I listened and informed them how well my iBook and the relative merits of UN*X and they listened...
Thanks again, Bill!
... Windows Update once every couple weeks.
I know there'll be dozens of "they shouldda been using un*x" posts, but in defense of Windows, there has been a patch for this on Windows Update since July 16. Even I had enough time to test the patch on a non-production system between then and now. Every platform gets its 'sploits throughout its lifetime, it's just a matter of learning about them and applying the proper patches in a resonable amount of time... especially on mission-critical machines. (DMV computers, etc...)
Are you, by any chance talking about MS Blaster Worm? ... Maybe then the media will get the idea too!
:/
Its good for us to keep using the correct terminology
Ok, time to get modded down.
How do you know this person was trying to get people to switch to Linux (or anything non-MS)? S/he could just be an ordinary asshole, without a point to prove.
I can forgive stupid home users, but shouldn't mission critical things like these patch every now and then? The hype surrounding this has been huge, and if you run unpatched microsoft stuff, well, good luck fixing it now. It will take a long time, but at least this worm can be fixed with little damage. Maybe this worm will get people to pay attention to security, but then again people said that about the last dozen MS worms.
STUPID!!
SAILING MISHAP
My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them. I guess a few computers were infected with this worm and they wanted to ensure things were taken care of. So, here's the deal: I figure that today alone, due to lost productivity, salaries, benefits etc.... this company lost $250k from this worm. So, I ask: When are companies going to wake up and realize that the fundamental foundations that Windows are built on are flawed when it comes to security? There have got to be studies out there examining total cost of ownership of the various platforms. For instance, I spent a couple days of my time updating our remaining Wintel systems to guard against this virus and am soooo happy 95% of my work is done on OS X.
Visit Jonesblog and say hello.
for a LOOOOONG time now
Three weeks isn't that long for a patch to be out. Many organizations actually test patches out on non-production machines before randomly installing software that Microsoft says is OK.
I keep hearing that windows 2k3 is the most secure windows, but (and I'm truly asking), what makes people say so? I'm using it at home. Evidence for: logs changes, logs every reboot and needs you to enter a reason, insists that every site (including google) has a security issue, comes with almost everything disabled, doesn't let users use shockwave et al without permission, probably some bug fixes. Evidence against: see the article above. At least it informed me afterwards that the computer unexpectedly rebooted . . .
PS: Please don't mod me for flaming, I'm really wondering what inner changes there are, other than the ones above that give the impression of security.
One of the downsides to having just one type of OS is that it makes you very vulnerable to this sort of thing.
As far as blaming people who haven't patched their computer, I can't see it. This thing is hitting home dialup users fer crying out loud - my friend had to drive over to his dad's house to disinfect a machine. You can't expect everybody's grandmother to behave as a professional sysadmin.
When they find the Linux users who did this I hope they lock them up and throw away the key.
So all someone has to do is dislike Gates and Microsoft, write an Windows virus, and they are automatically considered a Linux user?
Cool.
The unofficial
I would hope hospitals do not run critical systems a) on Microsoft software but especially b) on a LAN with any access to the internet. It's sheer lunacy if they do and could be used as grounds for a lawsuit. On the otherhand, they can do whatever they want with their accounting, cafeteria, and parking meter systems since a lawyer wouldn't pounce on that kind of ... wait ... I'm probably underestimating now.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
The patches have been available for a LOOOOONG time now.
What, three or four weeks? Here is the problem with Microsoft patches. Folks have been screwed more than once due to poor testing on Microsoft's part when the patches completely screw up your system forcing you to spend hours rolling things back to where they were or even completely reinstalling Windows. So, many IT folks are understandibly reluctant to employ these "patches" before adequate testing on their own systems. This may take a number of weeks.
Visit Jonesblog and say hello.
..they are an "ordinary asshole," as opposed to an asshole "trying to get people to switch to Linux" ?
The unofficial
Somebody's trying to run a plant dependent upon Microsoft...
I suggest you take some factory tours, the majority of modern factories/plants use Windows for their control software. Unless the end product is something very critical or very expensive, plant designers and control software writers tend to stick with well documented comodity hardware (Win32).
The 10pm news here in Philly interviewed one of the city's IT guys. He stuttered and stammered his way through the whole thing, and looked to me like a man afraid for his job as he claimed that there was "no warning and no way to be prepared for this"-- not a verbatim quote, but close enough.
I think the guy is right to be afraid for his job-- he's pretty damned incompetent to have not heard about this. This vulnerability was quite publicly announced weeks ago, and Microsoft's page with the patch is dated July 16. Even Homeland Security released a bulletin, and I'd hope that if nothing else those would get around in a city government that is supposed to maintain a level of disaster-preparedness.
Then again, this being Philadelphia, that guy likely got his job through patronage and wasn't qualified for it in the first place.
~Philly
You bring up an interesting point. My father is a Windows 2000 administrator for a large multi-site hospital system(seven hospitals, 2 longterm care facilities and 35 clinics). Thankfully they stay up to date on the latest patches and have a good firewall so they were completely unaffected. They also recently went through an emergency preparedness drill making them take a look at what would happen on the computer side of things if say, a tornado wiped out such and such hospital. They look at things like, where do we keep the tape backups of patient records, what services are necessary for the billing department? For the most part, mission critical applications are mainframe issues, and patient records etc are isolated from silly internet-propagated worms.
My point is that if a staff has competent employees with an eye for security, usually viruses and worms' impact can be reduced to at most, a nuisance.
Still, I agree with you completely. Virus authors need to realize that it's not all just in fun. People don't "deserve it" just because they are vulnerable. And, you're not going to teach anyone a lesson. It's not l33t haxoring, it's childish and immature vandalism, plain and simple.
The patches have been available for a LOOOOONG time now. They should have patched. They can't whine now. End of story.
---
I've had to patch several Windows 2000 boxes for clueless friends and mothers of friends.
The patch is ony 1.3 Megs or so, but the problem is that you have to have SP3 or higher to apply the patch and going from no service pack to SP4 takes 11 hours over a 56K connection.
Try explanig that over the phone.
It woulden't be so bad if Windows 2000 had a servacable firewall - there's one hidden in the managment console thingy.
It's really pathetetic that in the year 2000 - ALL of the free unixes had decent, available firewalls, and most of them fit under 60 Megs.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Actually, many hospitals DO run critical systems on Microsoft software. Also, the LAN need not be on the internet to catch a virus. Hospitals (such as the one I work in) have connections to several large companies. When these companies get infected, so do we. Another thing is laptops. All it would take is an infected laptop to plug into the network for the virus to spread. There are plenty of opportunities for viruses to propagate into the network, not just having 'access to the internet'.
And I know this for a fact. I had a machine that I re-loaded XP on for a customer since he was upgrading his mootherboard. Friday I finish the windows load and I install all the patched available on the update page. Ran it once to get the first 80Mb of patches, ran it to get Media Player 9, ran it again to get the security patch for Media Player 9.
That's everything on the update page.
Installed Norton AV 2003 and got all the updates available as of last Friday. After doing that one would have a reasonable expectation of being safe against a problem, especially since the problem was discovered a full month ago.
Monday the customer called with the machine giving a 60 second countdown and rebooting.
Now even if the people at the MVA and other places *did* the updates from the updates page, they'd still be screwed.
All I want is these virus programmers, their fingers, a ball-peen hammer and 5 minutes...it's all the time I'd need
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
My bad. I made a bad link that wasnt what I wanted:
r oo t=security,1~mode=flat
If you wanna look at the code its HERE:
http://www.dslreports.com/forum/remark,7652257~
The grain of salt is that they are reverse engineering. But it still is there and interesting.
Again my appologies.
Comcast as a whole got blasted, not surprising.
& sid=1& A2=ind0307&L=ntbugtraq&F=P&S=&P=93 40
A win2k sp3 machine I patched has something like 16 critical updates needed. Several reboots.
That's too much downtime. You can update just about everything but the kernel in linux/bsd without a reboot. Going through this every couple of days is a drag!
The architecture is fundamentally broken: the enabling stuff by default; implementing dozens of new ways for strangers to do things to your computer without your knowledge (as features!) with each release; welding mere applications (web browser, email client) to the OS, having them run with system priviledges, and making it impossible to remove...
Finally - windows update is fundamentally broken. It will report success when the patching operation fails. This is one way:
http://www.ntbugtraq.com/default.asp?pid=36
They need to start over. Maybe if they start clean they can come up with something that compares to Linux.
I have many systems in many hospitals and they are windows based.
Am I scared of what could happen?
You bet your life.
One of the corprate hospitals (oh yeah, they can own those too) I support had, at last report, five servers in there local server room completely down. The traffic alone on the network hindered my system, but we are still up, and a patch time is set.
"... is set?" you say?
Downtime is a HUGE issue for my company. If our system isn't up, a major communtication link that ALL hospitals rely on in one fashion or another is gone. The last thing I need is to get a call saying that a Radiologist's report on an ER patient didn't get seen or heard by the ER physician in time to save a life. You want to talk mission critical systems? 24/7 with human lives at stake. I don't think it can get more serious than that.
The fact is, there is no 'secure' operating system, but there are enough things that can be done to prevent virus infections that any large company stricken by this virus should fire their IT staff TODAY.
What company does NOT demand auto updating anti-virus software on every system connecting to their corporate network? What company does not have a person in charge of installing MS patches within 24-48 hours of their availability? Dont give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.
Viruses are a reality for Windows networks, and companies without policies and recovery plans to deal with them should fire their staffs and get competent people in place. Businesses need to understand that competancy costs MONEY, so if your IT people are paid dirt wages, your network is a sitting duck, trust me. Can your MCSE who cant tell you what circular logging does on an Exchange installation. Fire the fool who told you to build trusts between multiple AD forests, I dont care how reasonable his explaination was. I see this shit every day, because 80% of Windows admins suck monkey dick. Microsoft is on their 3rd round of creating a certification program. Maybe they should consider taking the aftermarket PROFIT out of it, and stop caring about pass/fail rates long enough to get a core group of people who know what the fuck they are doing?
There is no excuse for this shit anymore. A virus attack on a company running Windows these days should mean an instant termination of the staff that let it happen.
"I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"
Doesn't mean there is a agenda but there could be.
"A good friend will bail you out of jail. A true friend will be sitting next to you saying, 'damn....that was fun!'"
I believe this is a side effect of the Windows dominant world. Many people have no idea that there is an alternative. If you look back at the media coverage of any of the many Outlook/OE and IE related viruses and worms, like Melissa, and many others.. You will find people claiming that it is an "email" virus. It is not, it is an OE/Outlook virus and can ONLY spread if using those products. 99% of the time, if you are not using a MS provided mail client/web browser you would be completely safe even with no firewall and virus scanner from those "email" viruses, although not the case here with MS Blaster. I think if the media stated that fact every time this happened, it might sink into peoples heads that it might be a good idea to look for something else. Funny that this virus name actually contains a reference to Microsoft being called MSBlaster. I wonder if they tried to get that changed, funny how they call it Blaster, not MSBlaster like everyone else.
Bad boys rape our young girls but Violet gives willingly.
It's really their own fault. Any enterprise running mission critical systems should pach their systems. It doesn't matter Windows has more flaws than Linux. A solid security policy is a must regardless of OS.
I remember when this vuln was announced, I hit windows update that day (7/16), and lo and behold, it was a critical update... Remember how this vuln was all over the news? Remember how "the authorities" were listening in on chatrooms and saying there was a lot of talk about an exploit? I certainly remember all of this, so I say screw those who didn't patch. What's better, installing a patch that screws your system when you can blame that on MS, or not installing the patch and having no one to blame but yourself?
Shift happens. Fire it up.
My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.
It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that is crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (IE, the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)" Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would popup up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (There were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.
So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?
Let me get this straight, patient monitoring systems are plugged into the same LAN in which doctors, admins, and what-not are free to plug in their laptops? I don't work in a hospital but even we have DMZ subnets for more sensitive parts of our network. I can't (or rather don't want to) believe that hospitals don't segment their networks the same way.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
It's like digging a hole in the water. (In this metaphor, the water is NOT frozen, 'kay?)
We IT gnomes have other things to do than patch and patch and patch and patch. We can't trust Windows Update to even correctly report the status of the application of a patch. We have users screaming for new installations, new hardware, new software, new networks, wireless, email, etc. Staffing doesn't get determined by workload. Not in my world.
How could one already be infected if their computer hasn't been running? Maybe he's implying "as soon as you turn on your computer you'll be infected", I don't know.
Millions of unprotected personal computers remain vulnerable to the worm, which can infect any machine connected to the Internet, experts said Tuesday.
Really? I thought it was only Win2k, XP, and 03, not every computer on the planet. But experts said so, so I guess it must be true.
The worm attacks computers through a flaw in the part of Windows that allows computers to share files and control Inter net traffic. Four versions of Windows operating systems are targeted: Windows NT, Windows 2000, Windows XP and Windows Server 2003.
Oh you are aware it doesn't affect every computer on the planet. That's good because five paragraphs before you said it did and now you're contradicting yourself. Wonderful
"This is certainly a capable person who did this," Sundwall said. "In most cases, it takes about six to nine months for a worm to appear after a patch is released. This is certainly something that did occur quicker than we are accustomed to."
Because it is just so hard to create a self replicating buffer overflow program. It's not like this is down to a science. The statement implies a team of developers would have to sit down for a year to create something this "sophisticated". It couldn't be that MS products are inherently insecure and easily exploitable. There are thousands if not millions of people "capable" of this, just not immature enough.
You'll notice some of my excerpts are quotes from within the article, and not necessarily the words of the author. The author still choose to include this malformed crap.
I would recommend seeing this older Slashdot article concerning the worm or going to google to find better written information on the matter. The facts within the new article are interesting, but so blatantly misrepresented it's annoying and I would view an alternative source.
Beware blue cats moving at
Patches can introduce bugs. Microsoft does not test their patches against all software in the world; they certainly don't test it against all custom software.
Suppose you've got a mission critical app. Suppose the folks that wrote this app went out of business in 2000. Suppose it incorporates a library that includes a control that uses a deprecated interface to call an obsolete method. Suppose this method returns a value of 127 for a particular failure. Suppose that this failure is one that should not be retried in this environment because it would another intitiate query to master database in Frankfurt. Suppose that a patch (incorrectly) causes this interface to begin returning 63 for that failure code. Suppose that what USED to be failure 63 should be retried 255 times. Suppose that one day this particular failure (was 127, now 63) occurs.
Now suppose that you're the boss of that guy who convinced you last week "We don't need to test patches apps from Microsoft before deploying them enterprise-wide." and your boss wants to know why his boss in Frankfurt is on the line.
Now you know why I'm unemployed.
Until they can release an OS that goes a couple of weeks between major vulnerability discoveries, they're fucked! And so are you. Don't you think IT staffs have other responsibilities? Do you realize how many updates there have been this year? How many of them require a reboot?
That's an easy question to answer.
The more interesting question is how many of them would not be required if they had implemented a sensible architecture, if they hadn't bolted on a bunch of crap to advance the monopoly into the internet, etc. Then we could hope for a massive improvement in code quality. My impression is that a bunch of this was avoidable, but for lazy and incompetent product managers and programmers, and perverse design goals intended to hurt competitors no matter what collateral damage to consumers.
Formatting hard drives? Screwing up the BIOS? We'd still be lucky if that was all that happens.
The idea that scares me is a slowly spreading virus - hiding as well as it can, and remaining on systems for months or years.
I had a full description of a possible payload, and the effects it could have, but I thought better and deleted it.
All I will say, is that a virus that targeted not the computers, but the business processes of the company that uses them could do some major damage.
I've been knocking on doors for a job since I was laid off on December 24th. It seems most of the hospitals have contracted out their IT positions rather than have them in-house.
Hey when I was a contractor I walked in, did what they asked me to do, then went on to the next job site. I didn't go around asking if they had seperate LANs for sensitive equipment because...well...I was paid salary and wanted to go home after my 10 hr day. I'm sure the current contractors feel the same way.
Being a local sysadmin/network admin is different. It's your baby, you get the call at 3am when things go bad, you make sure that doesn't happen. Too bad employers don't see that and I bet you this one still doesn't see it that way.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
Being User Secure and being Architecturely(sp?) secure are two very different things.
The reason why it is so easy to attack MS machines is because they insist on running what really should be considered User space applications as part of the Kernel space, IE is a good example as is Office.
I work for a healthcare organization and it was indeed pretty bad. Our desktop folks had gotten behind on their testing of security patches, so many of our systems were unpatched. All it took was one connected clinic to start it off and pretty soon routers started shutting down due to the huge network traffic as the worm spread.
It was pretty freaky. My coworker was patching systems in the Emergency Department as patients started getting some long wait times. Downtime measures tend to be slow in comparison to what people are used to.
If the worm we got autostarts anything, it uses one of the sneakier methods. I didn't check the ini files, but I did check out both run and both runonce keys and there was nothing unexpected in any of them. File sizes and dates on the files that were there matched a clean system (although that's not a guarantee, I didn't run checksums). The damage to explorer, IE, and Word did survive a reboot, however, so it modifies something on the system. We had the system up for the better part of an hour on the network, watching ethereal on the switch's mirror port, and didn't see any strange traffic, so I don't know what triggers it's spread. The dial-in client that was one of the original vectors had been connected for something like 8 hours when it started scanning, and we are it's internet access so it couldn't have been (easily) infected from outside today without us seeing it (we were monitoring after central's exchange server went boom), so I strongly suspect it's got a timer or trigger to start scanning. (Maybe idle time? It started roughly half an hour after they closed for the night, hence us kicking them off and revoking their dial-in privliges instead of just calling them.) I didn't catch any actual infections in the packet dumps, only scans after the vulnerable machines had already been hit, so I don't have a network dump, but I'll hook an infected machine to the test network in the morning and try to get one. If I can talk the manager into leaving me alone for long enough I'll try to get it to infect a dummy machine I've imaged and see exactly what changes it makes. Anyways, good luck to anyone still playing with these things.
No problem, Sir. We'll just switch our AI on and squash this thing. Skynet is ready to go live.
Am I the only one who heard Roxette to sing "I'm gonna get blitzed for some sex"?
CAn'T CompreHend SARcaSm?
A security patch should not break code. Were I "the boss of that guy," I would consider Microsoft to be at fault.
Sounds like a time for damage control and updating that app or library (even if it means using a disassembler).
As for deploying at a large enterprise, it would be wise to test mission critical apps before doing so. But such testing should be routine and be completed ASAP.
The unofficial
This is unfortunate, as the most entertaining worms/virii are those that contain broken English. Example:
VERY JOKE! See US President and FBI Secrets!
However, to the dismay of many a sys-admin, this worm is not VERY JOKE. Sigh.
Microsoft often releases patches for these types of worms and viruses, but the problem becomes that sometimes their patches end up breaking a hell of a lot more than they fix.
Companies, and government institutions cannot just patch and go. They have to test the patches on an isolated computer to ensure that EVERY SINGLE program they need to use is not affected adversly by the patches. Any idea how many MS patches for Windows alone are out there? It's a wonder IT people at companies/government are even half as caught up as they are.
Just imagine if your health insurance provider's IT supervisor just went and patched every time without testing; and one day the program they use to keep things up to date won't work because of a MS patch that broke it. Suddenly you're without health insurance. God help you if you get hurt in the time it takes for them to figure out what broke the program and try and fix it.
That's why it doesn't matter that MS releases these patches. Sometimes they fuck up a lot more than they fix, and companies and government institutions simply cannot take the risk of installing every single security patch from MS (often released weekly) because of this.
Thursdae
There are worse things that just wiping a hard drive. Wiping all data is obvious, and you know it happened.
What if a virus was capable of recognizing some common file types, and making a few changes?
Every so often adding or subtracting from a cell in a spreadsheet? Finding a CAD file and changing the thickness of some metal?
How about an easy one? Social Security Numbers are easy to identify - what if a virus looked for them in files, and changed a digit in a few of them at random?
What's worse than no data?
Data that you have no idea if it is correct or incorrect, and have no idea if any of your backups are correct or incorrect.
I can imagine the day when the unknown security hole of the future comes careening through that expansive windows network and microsoft hasn't made a patch yet. I wonder how long before someone dies. Nothing personal, but I'd never consider Windows 2000 secure enough to bet my life, or anyone else's life on it. No FUD intended here. I'm being as serious as a heart attack. I'd go so far as to say that putting mission critical hospital systems on the Windows 2000 platform is criminal. I'd never trust my life, or a loved ones life considering their track record. And yes it IS that big of a deal. And it IS that serious. What you are describing is a serious tragedy waiting to happen. It's only a matter of time.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
I was at the gym for the 3pm NZST news today, and Microsoft took a hammering. Only Microsoft Systems are affected... MSFT this, MSFT that - I'd like to see what Microsoft New Bliss-Land do to spin this.
I've just checked their NZ home page and they are soliciting for feedback on customer feelings towards MSFT today, and have some obvious customer advice in big, bright colours. Microsoft US doesn't seem to care in comparision.
The feedback form has three cute faces with various different states from happy to angry on them. Perhaps you may want to give them some feedback to ;)
Unfortunately, under current laws and regulations, Microsoft is not held liable if their security patches break your system. They're also not held liable if a virus/worm hits you befor they can patch it. In fact, no matter what Microsoft's software ends up doing to your buisness, they aren't liable for anything.
So consider it Microsoft's fault all you want, but they won't be forced to do anything about it.
In the end, the company is going to want to blame someone they can do something to, which means their employees.
Thursdae
Getting hit by this worm demands complete apathy towards patching your system. One faculty member at the University I do tech for was complaining about doing patches. It's so hard to open IE go to tools and then Windows Update and click a couple buttons. If that. We tend to set Windows to automatically download and install critical patches and then cross our fingers and hope the users are too lazy to disable it.
In my case I just run a $50 router with NAT that blocks everything I don't need which makes the entire house network of around 10 computers immune from this worm regardless if they're patched or not.
This worm doesn't prove anything. Linux users need to be patching their systems as well and when it becomes mainstream it'll be the target of script kiddies as well. It's just pointing out what techs all know: people are lazy and don't care until it's a problem.
Ben
Work Safe Porn
Has anyone compiled a list to see something like how much M$ has cost the world due to insecure software?
I would guess it's a couple billion dollars by now. Why does no one care?
What was it that really made the worm possible?
Leaving RPC open by default. As much as I like where you are trying to come from, this is indeed a Microsoft problem that they created themselves. When you have 50 FUCKING BILLION dollars in the bank, a major majority of the market, and this type of crap keeps happening, you should probably think about spending a few billion on making products that don't cost your customers insane amounts of money and lost productivity due to down time because of pathetic security and coding practices. It's just a thought.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
Virus authors need to realize that it's not all just in fun.
I don't think virus authors are the point. It's easy to make obvious statements about how childish and irresponsible this guy is, but it's not like he invented worms. There were possible and probable before he sat down to code this one. So if people die in the hospital the blame rests with the people who administer the networks, the machines and the hospital. And Microsoft. It's their responsibility.
I think the people who write these things serve a useful purpose in strengthening security - like eating dirt when you're young helps you build your immune system.
Reliable, Great Value Hosting: $7.95/mo 2.4G/120G
Hahaha... you have faith.
/etc filesystem and thought unplugging the machine would fix it. (So all the databases were f-ed up too)
Back in the day, I was called to a hospital in the middle of nowhere that stored everything (patient records, accounting, etc) on a single IBM AIX box.
Someone who was supposed to be an admin blasted the
The last backup had been made approximately 3 years before and the system had been upgraded several times. Nobody knew what version the system was actually on, and the one contractor who did was climbing a mountain somewhere. (This is happening at 2AM saturday) It was also in "Trusted" mode.
To make a long story short, we eventually got in and got everything up on Sunday night.
Lesson #5675: Never underestimate the incompetence of hostpital IT staff. (Particularly small hospitals).
So, as a Philadelphia area resident can anyone get me a list of infected business/departments so I can fill the positions of the soon-to-be-fired IT Staff?
Yes - I am partly serious.
That we may never get rid of this worm completely, at least not for a long time...
Patches for the hole, except for Windows NT 4.0, which the company no longer supports, were put online by Microsoft.
Source: Channel NewsAsia
There are A LOT of companies still running NT on both servers and workstations, last time I was in a major server room at Big Blue, well I won't name clients, but several large name clients have NT based server solutions. Yes I know blocking certain ports will stop it from getting in, but there is still potential for many NT systems not to have those ports blocked now, or in the future.
Depends on what the NAT is doing for you. If (for instance) you have a LAN behind the router but at the same time have an internal mailserver, you'll almost have to have at least the mail ports locked to a live interface inside (unless you're doing something unusual with your mailserver, and your ISP is providing store and forward with you only connecting on demand.) Is your router only passing traffic over the mail ports to that box, and is that box not running any Windows server OS?
And this is all assuming that no one in your org has a laptop - our machines are all patched. 'Ceptin' for a person who's personal laptop appears on the network, and who went on vacation three weeks ago.
Fortunately, all of our machines are long patched, so even if this person had decided to plug in after seeing the 'funny behavior' on the laptop, it wouldn't have been able to get far on our LAN.
Most home machines which are behind NAT "routers" don't do port filtering outbound. So if a kid gets something bad when she's at school and comes home to the DSL feed a) your XP box is infected and b) you've got two machines searching the net for further targets over your DSL feed.
> I say screw those who didn't patch
/insert obrant about how Windows is a poor system in regards to security and how patches and virus scanners are post-attack fixes. Someone has to get infected first you know. //or insert obrant how how Bush's DOJ let MS off and now we are sowing the seeds of cronyism.
1. Companies may still be evaluating it before putting it on their production servers. So if their e-commerce site went down because of this patch would you also say "screw them for not testing properly?"
2. "Road Warrior" laptop users who tech support hasn't had a chance to update yet.
3. Home users who dutifully update their virus scanners, pay Norton, and are careful not to open wacky attachment but have no idea about how remote exploits worked.
4. Failed patches and false positives.
5. New computers straight from dell or whomever that bundle and auto-setup everything except autoupdate. Hmmm, that sounds like a big problem to me.
6. "Early victims" who were infected well before the patch was available or before their computers could download it automatically.
7. The technical clueless that have no idea what a virus is or let alone a worm is. Who's job is it to teach them the ins and outs of security? Maybe MS could make a more secure product or at least put as much effort into alerting the user about security as it does trying to break competitors. Crazy, I know.
Life support systems, heart monitors, and other devices of that sort are not plugged into a LAN. The requirements for those kind of devices is unbelievable -- I actually feel sorry for anyone who has to work on such systems, after having seen what kind of hoops those devices have to go through.
The worm contains the following text, which is never displayed:
So it seems the creator did have a point to prove.
How could I say to men: "Speak louder, shout! For I am deaf!"? -Ludwig van Beethoven
"I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."
How about downloading security patches, too?
It's not a new problem. Nor is any amount of wishful thinking is going to fix the problem, Microsoft's products just aren't engineered for security. It's a problem that would take years to fix. Bill Gates himself made allusions to the U.S. Apollo space program of the 1960's which was $25 billion over 10 years. However, for the time being, the security issue is treated like a PR problem and the customers are taking the lumps.
A this point the problem is sociological or psychological. Like any other cult, Microsoft provides a sense of purpose and belonging to it supporters. Note that neither a technical background nor even an analytical way of thinking is a prerequisite, thus fulfilling even the unconditional acceptance aspect of a cult.
As much as IT staff and, especially IT manangers, admire the personal wealth of Bill Gates, they just need to be able to let go of Windows and move on.
Move on, either to Macintosh or Linux or QNX or BSD or Novell there are many choice. There will be some up front costs, but even without the viruses and worms these upfront costs will be offset by the number of maintenance hours saved.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Let's try to imagine if it carried a Chernobyl-like payload, or the feared root name server DDoS. Man, that's scary. So, the first one with an exploit ruins it for the rest, as at least some of the world finally realizes that it needs to patch, rendering the real killer-virus less effective, should it ever see the light of day.
I guess in that context, we should be grateful. It's kinda like if your're walking down the street in a bad neighborhood. Wouldn't you rather have some a**hole just slap you in the face, rather than said person walking up and shooting you?
MEDICAL DATA CAPTURE STUFF NEEDS TO BE VALIDATED AGAINST FDA REQUIREMENTS. THIS IS *HARD* AND YOU DON'T GET IT BY ACCIDENT.
Ask anyone who's worked on a validated or 21CFR11-compliant system.
I can't breathe on our systems without exhaustive revalidation procedures and that's the way it should be.
It's very easy to poke fun at sectors you have no experience of, but rest assured all the checks and balances you think should be there, ARE. And then some.
I know /. is the place to bash the microsofties, but don't let it get to your head. Remember, anything with the name Microsoft gets instant press, outside the techies the public thinks "apache" is the old movie name for a First Nations tribe.
.exe. Even then you get guys like this story highlights:
I regularly do security audits of all kinds of systems. When I walk in to a microsoft shop I can immediately tell how it goes. If the sysop says "I don't trust the patches, I test them, but they're not deployed unless there's a REAL problem" It won't go well, those guys usually don't update virus files either. On the other hand if the sysop is using patch management practices he can often go out in real time and check the current status of a server, workstation, and active version of the virus definition file in realtime (they usually have good WRITTEN policies on unauthorized (untested) soft/hardware with sanctioned backup). I haven't found malware in any of the latter cases.
I've yet to find a good *.nix shop. They often have good processes and procedures that SHOULD avoid problems, but the truth is it's easier to sign a piece of paper that says sourcecode was patched and applied than to actually do it. Things look great on paper. Check the source or decompile sendmail (one of my favorite targets) and it's another story. I'm still finding the same hole T.Morris used years ago on active servers. The excuse is always the same, "that was the way it came, shouldn't that have been fixed in the distro by now?" (i.e. too lazy to look, just signed the paper). Many don't even check SANS or CERT regularly. At least windows will notify you when critical updates are available, and all you have to do to apply it is run the
"I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."
(How did this guy get his position or experience? Even "end-users" successfully use critical update with relatively NO technical experience or fiscal responsibility.)
Any sysadmin that can't keep a system patched, or falsifies patch records should be punished up to and including dismissal as far as I'm concerned.
Incidently, just so you know my audit document is the CERT advisories on securing systems. If you want a great basic book try OReillys "Practical Unix and Internet Security"
Has anyone figured out yet that as far as I'm concerned the problem is NOT theoretical design differences in OSs as much as the incompetance of the people running them?
It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs
Why is it Microsoft's fault when THE PATCH WAS RELEASED A MONTH AGO? A simple ~800kb patch. The exploit even made a Slashdot headline, so it was well-reported.
The fault lies in those people who don't patch the operating system with the critical updates put out by its maker.
"Sufferin' succotash."
I just got back from visiting "the relatives" all of last week. Heartland area of the US. Farm-type folks that grow food many of you eat. Anyway, the parent poster's statement is correct. These people have a few PC's as a matter of modern necessity. One of these (win98) runs a payroll app, is connected via dialup to the internet, is connected via ethernet to two other "critical" systems running WFW3.11, and was running a *completely* unpatched version of IE4.0 / Outlook Express. Oddly, they didn't have near the problems one might expect for all this (impressively, ad-aware came up clean aside from cookies) but when I mentioned "Windows Update", which sits right there on the Start Menu plain as day, to my relative who runs the '98 box, all I got was "what's that?".
My early-teen cousin was running his family's 98 box similarly. Unpatched. Ad-aware found all manner of crap that might just have, with luck, woken him up. Still, I had to explain all this nonsense, including *what* windows update was, *how* to run it (click here, click here, look the list over, click this, wait. reboot. repeat until the list is empty), how spy-ware/ad-ware differs from virii/worms, etc.
These aren't stupid people. Ignorant of the complexity of things that we all here take for granted. (In fact, I'd wager we give "joe sixpack" too much credit, not that I'm calling dumb on the world or anything.) It is just that their priorities are differently aligned than the hobbyist/admin types here (or that of people who try to design software with these people in mind, even). It was an eye-opening experience.
Now, to the credit of my linux geek membership, I might be able to upgrade the WFW systems to hardware made inside this decade and run the critical software in dosemu or the like, put the dialup on a firewall, and other things before they get convinved to shell out $20,000 on software and hardware upgrades this time next year.
Here's a rundown of what I've found out dealing with the MSBlast worm, some of which wasn't posted to the list yet (or I just missed it). Luckily my systems here were patched before this came out, but a few people brought in laptops that weren't patched, so here's what to expect.
/a" to abort the shutdown.)
MSBlast Symptoms:
Windows XP: Computer displays a message that the computer will shut down in 60 seconds.
Go to a command prompt and type "shutdown
This indicates that your computer is infected with the MSBlast worm.
Windows 2000: Computer displays an error message about "svchost.exe" fatal errors. Odd behavior follows, such as not being able to drag-and-drop certain items, Internet Explorer context menus (right click menus) don't work properly, and other bizarre behavior.
This _does_not_ necessarily mean that a computer has the worm, but the svchost.exe could be crashing as a result of the worm trying to get in. However, you should still run the removal tool to make sure.
Some people have associated this with the install of Service Pack 4, but it appears to be coincidental and not related to the SP4 install. However, SP4 does seem to have it's own user-reported set of issues unrelated to this worm, as discussed here:
http://www.w2knews.com/anecdotes.htm
Windows ME/98/95: Unaffected by this worm.
Windows Update: Windows Update is running incredibly slowly.
You may or may not be able to get in to update your system. This is due to the fact that millions of people are all hitting the service at once trying to get the patch to stop this worm. If you keep trying, you will eventually get in, but it may take a number of tries and 5 minutes or so per try. Additionally, you may get an HTTP 1.1 Server Too Busy error message even after you are in. Just keep clicking on the "Review and Install Updates" link on the left side pane and it will eventually let you in. When it does make a connection, the window or system may appear to hang for up to a minute or two. Just wait it out and it will eventually wake back up with the Blindly-Accept-Our-New-License-Terms window. Read the license terms thoroughl and print out a copy for your files (sorry, couldn't resist) and then OK" and the updates will then download (slowly) the needed files and install them.
To make matters worse, the worm will start a Denial of Service attack against the Windows Update site on Saturday Aug 16, so if you think it's bad now, you aint seen nothing yet.
Worm Trivia: The worm contains the following text, which is not displayed on the screen:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
If you experience either of the above symptoms on your PC's, you need to apply the appropriate patch from here immediately:
Windows XP Security Patch:
http://download.microsoft.com/download/9/8/b/98bcf ad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980 -x86-ENU.exe
Windows 2000 Security Patch:
http://download.microsoft.com/download/0/1/f/01fdd 40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB8239 80-x86-ENU.exe
Windows NT 4.0 Security Patch:
http://download.microsoft.com/download/6/5/1/651c3 333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
Wind ows NT 4.0 Terminal Server Edition Security Patch:
http://download.microsoft.com/download/4/6/c/46c9c 414-19ea-4268-a430-53722188d489/Q823980i.EXE
Wind ows Server 2003 Security Patch:
http://download.microsoft.com/download/8/f/2/8f211 31d-9df3-4530-802a-2780629390b9/WindowsServer2003- KB823980-x86-ENU.exe
Then, run this program to scan your system for any remaining parts of the worm.
Removal Tool:
http://securityresponse.symantec.com/avcenter/Fix