Slashdot Mirror


Windows Virus Takes Out Gov't Agencies in MD, PA

Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.

34 of 984 comments

  1. Newsflash! by ackthpt · · Score: 5, Funny
    Government officials for the first time discover computers infected with Windows.

    C'mon, this is getting so old ... but I guess that's the real pity, isn't it? Gives cities like Munich the last laugh.

    --

    A feeling of having made the same mistake before: Deja Foobar
  2. Want to see the code? by westyvw · · Score: 5, Informative

    DSL reports has a security forum that has been taking this sucker apart and giving us the code:

    have a look:

    http://www.dslreports.com/forum/remark,7649146~root=security,1~mode=flat

  3. Best news all day by raider_red · · Score: 5, Funny

    Bringing down the DMV may be the best use anyone's ever found for a virus.

    --
    It's good to use your head, but not as a battering ram.
    1. Re: Best news all day by Black+Parrot · · Score: 5, Funny


      > Bringing down the DMV may be the best use anyone's ever found for a virus.

      Yeah, everyone's always complaining that the lines aren't slow enough already.

      --
      Sheesh, evil *and* a jerk. -- Jade
  4. We Got Hit by Snoopy77 · · Score: 5, Funny

    We discovered we got hit when our Sonicwall connections hit the limit every 10 minutes. It took us two tries to clean it all up.

    And who was it who brought it into the office? The CEO. He thought he had a virus but connected to the network anyway. Mod that funny if you will but try being part of our network support team.

    --
    "She's a West Texas girl, just like me" - G.W Bush Iraqis
  5. Thanks, Microsoft! by imag0 · · Score: 5, Insightful

    Looks like viruses like this may help speed adoption of alternate operating systems (like Linux, OS X, et al.) on the desktop quicker than a dozen ESRs with geek infantry in tow.

    Spoke with both sides of the family this evening, going on about how messed up their computers were acting and all they had to go through to get it patched up. I listened and informed them how well my iBook and the relative merits of UN*X and they listened...

    Thanks again, Bill!

  6. Worm by aligma · · Score: 5, Insightful

    Are you, by any chance talking about MS Blaster Worm?
    It's good for us to keep using the correct terminology ... Maybe then the media will get the idea too!

    Ok, time to get modded down. :/

  7. Re:Yes by rmohr02 · · Score: 5, Insightful

    How do you know this person was trying to get people to switch to Linux (or anything non-MS)? S/he could just be an ordinary asshole, without a point to prove.

  8. Patch! by focitrixilous+P · · Score: 5, Insightful

    I can forgive stupid home users, but shouldn't mission critical things like these patch every now and then? The hype surrounding this has been huge, and if you run unpatched microsoft stuff, well, good luck fixing it now. It will take a long time, but at least this worm can be fixed with little damage. Maybe this worm will get people to pay attention to security, but then again people said that about the last dozen MS worms.

    STUPID!!

    --
    SAILING MISHAP
  9. Re:Thanks for nothing. by Gherald · · Score: 5, Funny

    When they find the Linux users who did this I hope they lock them up and throw away the key.

    So all someone has to do is dislike Gates and Microsoft, write a Windows virus, and they are automatically considered a Linux user?

    Cool.

  10. Re:I don't pity them by BWJones · · Score: 5, Insightful

    The patches have been available for a LOOOOONG time now.

    What, three or four weeks? Here is the problem with Microsoft patches. Folks have been screwed more than once due to poor testing on Microsoft's part when the patches completely screw up your system, forcing you to spend hours rolling things back to where they were or even completely reinstalling Windows. So, many IT folks are understandably reluctant to employ these "patches" before adequate testing on their own systems. This may take a number of weeks.

    --
    Visit Jonesblog and say hello.
  11. So are you implying by Gherald · · Score: 5, Funny

    ..they are an "ordinary asshole," as opposed to an asshole "trying to get people to switch to Linux" ?

  12. Re:Yes by SubjunctiveSam · · Score: 5, Insightful

    You bring up an interesting point. My father is a Windows 2000 administrator for a large multi-site hospital system (seven hospitals, 2 long-term care facilities and 35 clinics). Thankfully they stay up to date on the latest patches and have a good firewall, so they were completely unaffected. They also recently went through an emergency preparedness drill making them take a look at what would happen on the computer side of things if, say, a tornado wiped out such and such hospital. They look at things like, where do we keep the tape backups of patient records, what services are necessary for the billing department? For the most part, mission critical applications are mainframe issues, and patient records etc. are isolated from silly internet-propagated worms.

    My point is that if a staff has competent employees with an eye for security, usually viruses and worms' impact can be reduced to at most, a nuisance.

    Still, I agree with you completely. Virus authors need to realize that it's not all just in fun. People don't "deserve it" just because they are vulnerable. And, you're not going to teach anyone a lesson. It's not l33t haxoring, it's childish and immature vandalism, plain and simple.

  13. Re:Yes by Anonymous Coward · · Score: 5, Informative

    Actually, many hospitals DO run critical systems on Microsoft software. Also, the LAN need not be on the internet to catch a virus. Hospitals (such as the one I work in) have connections to several large companies. When these companies get infected, so do we. Another thing is laptops. All it would take is an infected laptop to plug into the network for the virus to spread. There are plenty of opportunities for viruses to propagate into the network, not just having 'access to the internet'.

  14. Patches were *not* available on the update page by Phoenix · · Score: 5, Insightful

    And I know this for a fact. I had a machine that I re-loaded XP on for a customer since he was upgrading his motherboard. Friday I finished the Windows load and I installed all the patches available on the update page. Ran it once to get the first 80Mb of patches, ran it to get Media Player 9, ran it again to get the security patch for Media Player 9.

    That's everything on the update page.

    Installed Norton AV 2003 and got all the updates available as of last Friday. After doing that one would have a reasonable expectation of being safe against a problem, especially since the problem was discovered a full month ago.

    Monday the customer called with the machine giving a 60 second countdown and rebooting.

    Now even if the people at the MVA and other places *did* the updates from the updates page, they'd still be screwed.

    All I want is these virus programmers, their fingers, a ball-peen hammer and 5 minutes... it's all the time I'd need.

    --
    -- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
  15. The Truth? Fire the bastards. by LibertineR · · Score: 5, Insightful
    This virus is the result of companies putting idiots in charge of setting up and administering Windows-based networks. There are so many Windows-based organizations, that only a small percentage of idiot admins will create enough insecure systems for a virus to do damage large enough to get noticed.

    The fact is, there is no 'secure' operating system, but there are enough things that can be done to prevent virus infections that any large company stricken by this virus should fire their IT staff TODAY.

    What company does NOT demand auto-updating anti-virus software on every system connecting to their corporate network? What company does not have a person in charge of installing MS patches within 24-48 hours of their availability? Don't give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.

    Viruses are a reality for Windows networks, and companies without policies and recovery plans to deal with them should fire their staffs and get competent people in place. Businesses need to understand that competency costs MONEY, so if your IT people are paid dirt wages, your network is a sitting duck, trust me. Can your MCSE who can't tell you what circular logging does on an Exchange installation. Fire the fool who told you to build trusts between multiple AD forests, I don't care how reasonable his explanation was. I see this shit every day, because 80% of Windows admins suck monkey dick. Microsoft is on their 3rd round of creating a certification program. Maybe they should consider taking the aftermarket PROFIT out of it, and stop caring about pass/fail rates long enough to get a core group of people who know what the fuck they are doing?

    There is no excuse for this shit anymore. A virus attack on a company running Windows these days should mean an instant termination of the staff that let it happen.

    1. Re:The Truth? Fire the bastards. by Zarquil · · Score: 5, Insightful

      > Don't give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.

      No way!

      If one of my clients happened to have mission critical software that was taken down because I applied a patch, then I'd deserve to get turfed. I agree that patches breaking other software is used far too much as an excuse for laziness, but testing your patches before you go live is still critically important.

      If I ended up costing a company a $10,000 gig (say I couldn't recover a database - or maybe just had so much downtime the company missed a deadline) I'm not going to last long enough to point the finger and say, "It's Microsoft's fault!" I'd likely have my ass grinding over the welcome mat on my way out the door. And in the small businesses that I deal with, losing more than one or two shows will bring the company down anyways.

      Part of competency is understanding risk management. If I have the time to test patches before applying them, there is no excuse to patch blindly. If it's a nice standard shop that doesn't have anything exotic, then yeah I'll let auto-update take care of it. But you better understand the business and what kind of tolerance they have to down time or broken patches!

      For the record, all of the systems have been clean and, knock on wood, I'll drop by the last of my clients this weekend and check theirs in person (I haven't got a complaint call yet, so I'm hoping things are as I left them.)

      - Zarquil
  16. Re:Yes by websaber · · Score: 5, Informative
    It contains the message

    "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"

    Doesn't mean there is an agenda, but there could be.

    --
    "A good friend will bail you out of jail. A true friend will be sitting next to you saying, 'damn....that was fun!'"
  17. Re: A good argument for... by retto · · Score: 5, Funny

    I wonder if this will eventually become a regular segment, like the weather

    I can see it now... a fat bald guy standing in front of a colorful map of the US pointing at little cardboard cutouts of 'hax0r' and '0wn3d' talking about an 'outbreak of DDOS across the midwest' and a 'hacker front coming up the eastern seaboard.'

    There could also be a five-day patch forecast, and to wrap it all up he could say happy birthday to really old sysadmins and shoutouts to servers with really long uptime.

  18. Re:Yes by nolife · · Score: 5, Insightful

    I believe this is a side effect of the Windows-dominant world. Many people have no idea that there is an alternative. If you look back at the media coverage of any of the many Outlook/OE and IE related viruses and worms, like Melissa and many others, you will find people claiming that it is an "email" virus. It is not, it is an OE/Outlook virus and can ONLY spread if using those products. 99% of the time, if you are not using a MS provided mail client/web browser you would be completely safe even with no firewall and virus scanner from those "email" viruses, although that is not the case here with MS Blaster. I think if the media stated that fact every time this happened, it might sink into people's heads that it might be a good idea to look for something else. Funny that this virus name actually contains a reference to Microsoft, being called MSBlaster. I wonder if they tried to get that changed; funny how they call it Blaster, not MSBlaster like everyone else.

    --
    Bad boys rape our young girls but Violet gives willingly.
  19. Our system by Jade+E.+2 · · Score: 5, Informative
    I'm an admin for a local County department. While our network was mostly unaffected (I'll get to that in a second), the county's Central IS department, that runs the county backbone from which we get our internet feed, had their exchange 5.5 box (on nt4 - not patchable) go down sometime really early this morning.

    My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.

    It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that it crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (i.e., the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)". Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would pop up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (there were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.

    So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?
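    The post above found the infection by watching for hosts sweeping port 135 and then blocking that port. As an added example (not from the post or any product it mentions), the following Python flags sources that contact many distinct destinations on TCP/135 within a short window, run over a constructed firewall log in an assumed "time src:port -> dst:port proto action" format.

```python
"""Detect TCP/135 sweeps (the RPC port the worm in the post scans) in flow logs.
The log format and all sample lines below are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO time> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower(), "action": m["action"]}


def find_sweepers(lines, port=135, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak distinct destinations} for sources that reach at least
    `threshold` distinct hosts on `port` inside any `window`-long period.
    Counting distinct destinations (not packets) keeps a workstation that talks
    repeatedly to one domain controller over RPC from being flagged."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == port:
            events[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        seen, start, peak = Counter(), 0, 0
        for ts, dst in evs:  # sliding window over time-ordered events
            seen[dst] += 1
            while ts - evs[start][0] > window:
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            hits[src] = peak
    return hits


def build_sample_log():
    """Constructed log: one host sweeping 40 neighbours on 135, one host doing
    normal repeated RPC to a single server, plus unrelated web traffic."""
    base = datetime(2003, 8, 12, 9, 0, 0)
    lines = []
    for i in range(40):  # sweep: a new destination every second
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.20.5.17:1{i:03d} "
                     f"-> 10.20.6.{i + 1}:135 TCP allow")
    for i in range(30):  # legitimate: same workstation, same server, many times
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.20.5.3:2{i:03d} "
                     f"-> 10.20.5.10:135 TCP allow")
    for i in range(25):  # unrelated HTTP fan-out, must be ignored
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.20.5.8:3{i:03d} "
                     f"-> 192.0.2.{i + 1}:80 TCP allow")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, n in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} reached {n} distinct hosts on TCP/135 within 60s - candidate for isolation")
```

The threshold and window are tuning knobs; the post's dial-in client, which walked an entire block before moving on, would exceed almost any setting.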

  20. Re:Yes by molarmass192 · · Score: 5, Interesting

    Let me get this straight, patient monitoring systems are plugged into the same LAN in which doctors, admins, and what-not are free to plug in their laptops? I don't work in a hospital but even we have DMZ subnets for more sensitive parts of our network. I can't (or rather don't want to) believe that hospitals don't segment their networks the same way.

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
  21. It's too much to ask by JimmytheGeek · · Score: 5, Insightful

    It's like digging a hole in the water. (In this metaphor, the water is NOT frozen, 'kay?)

    We IT gnomes have other things to do than patch and patch and patch and patch. We can't trust Windows Update to even correctly report the status of the application of a patch. We have users screaming for new installations, new hardware, new software, new networks, wireless, email, etc. Staffing doesn't get determined by workload. Not in my world.

  22. Re:I don't pity them by dillon_rinker · · Score: 5, Insightful

    Patches can introduce bugs. Microsoft does not test their patches against all software in the world; they certainly don't test it against all custom software.

    Suppose you've got a mission critical app. Suppose the folks that wrote this app went out of business in 2000. Suppose it incorporates a library that includes a control that uses a deprecated interface to call an obsolete method. Suppose this method returns a value of 127 for a particular failure. Suppose that this failure is one that should not be retried in this environment because it would initiate another query to the master database in Frankfurt. Suppose that a patch (incorrectly) causes this interface to begin returning 63 for that failure code. Suppose that what USED to be failure 63 should be retried 255 times. Suppose that one day this particular failure (was 127, now 63) occurs.

    Now suppose that you're the boss of that guy who convinced you last week "We don't need to test patches apps from Microsoft before deploying them enterprise-wide." and your boss wants to know why his boss in Frankfurt is on the line.

    Now you know why I'm unemployed.

  23. DO blame MS! by JimmytheGeek · · Score: 5, Insightful

    Until they can release an OS that goes a couple of weeks between major vulnerability discoveries, they're fucked! And so are you. Don't you think IT staffs have other responsibilities? Do you realize how many updates there have been this year? How many of them require a reboot?

    That's an easy question to answer.

    The more interesting question is how many of them would not be required if they had implemented a sensible architecture, if they hadn't bolted on a bunch of crap to advance the monopoly into the internet, etc. Then we could hope for a massive improvement in code quality. My impression is that a bunch of this was avoidable, but for lazy and incompetent product managers and programmers, and perverse design goals intended to hurt competitors no matter what collateral damage to consumers.

  24. Re:Yes by Cat_Byte · · Score: 5, Interesting

    I've been knocking on doors for a job since I was laid off on December 24th. It seems most of the hospitals have contracted out their IT positions rather than have them in-house.

    Hey, when I was a contractor I walked in, did what they asked me to do, then went on to the next job site. I didn't go around asking if they had separate LANs for sensitive equipment because... well... I was paid salary and wanted to go home after my 10 hr day. I'm sure the current contractors feel the same way.

    Being a local sysadmin/network admin is different. It's your baby, you get the call at 3am when things go bad, you make sure that doesn't happen. Too bad employers don't see that and I bet you this one still doesn't see it that way.

    --
    Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
  25. Actually, our hospital was hit pretty bad today by PIPBoy3000 · · Score: 5, Informative

    I work for a healthcare organization and it was indeed pretty bad. Our desktop folks had gotten behind on their testing of security patches, so many of our systems were unpatched. All it took was one connected clinic to start it off and pretty soon routers started shutting down due to the huge network traffic as the worm spread.

    It was pretty freaky. My coworker was patching systems in the Emergency Department as patients started getting some long wait times. Downtime measures tend to be slow in comparison to what people are used to.

  26. Re:I don't pity them by Gherald · · Score: 5, Insightful

    A security patch should not break code. Were I "the boss of that guy," I would consider Microsoft to be at fault.

    Sounds like a time for damage control and updating that app or library (even if it means using a disassembler).

    As for deploying at a large enterprise, it would be wise to test mission critical apps before doing so. But such testing should be routine and be completed ASAP.

  27. Re:Yes by Pathwalker · · Score: 5, Insightful

    There are worse things than just wiping a hard drive. Wiping all data is obvious, and you know it happened.

    What if a virus was capable of recognizing some common file types, and making a few changes?

    Every so often adding or subtracting from a cell in a spreadsheet? Finding a CAD file and changing the thickness of some metal?

    How about an easy one? Social Security Numbers are easy to identify - what if a virus looked for them in files, and changed a digit in a few of them at random?

    What's worse than no data?

    Data that you have no idea if it is correct or incorrect, and have no idea if any of your backups are correct or incorrect.
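    The post's point is that silent corruption is worse than deletion because neither the live data nor the backups can be trusted afterwards. As an added example (not from the post), this Python builds a SHA-256 manifest of a data set while it is known-good, then later verifies both the live copy and a backup against it, so a one-digit change in a constructed payroll file shows up and the backup is proven clean; the directory, file names and contents are all constructed.

```python
"""Baseline-manifest integrity check: answers "which files changed, and is the
backup still good?" after a suspected silent-modification event.
All paths and file contents here are constructed for the example."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large CAD or database files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, manifest):
    """Compare a tree against a trusted manifest. The manifest must be stored
    read-only off the protected hosts; otherwise the same malware can rewrite it."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "new": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: baseline, back up, then a single digit of an
    SSN-like field is altered in the live copy (simulating silent corruption)."""
    with tempfile.TemporaryDirectory() as d:
        live = Path(d) / "live"
        live.mkdir()
        (live / "payroll.csv").write_text("name,ssn\nA. Smith,123-45-6789\n")
        (live / "plate.dat").write_text("thickness_mm=12.5\n")
        manifest = build_manifest(live)            # taken while data is known-good
        backup = Path(d) / "backup"
        shutil.copytree(live, backup)              # backup made from the good state
        (live / "payroll.csv").write_text("name,ssn\nA. Smith,123-45-6788\n")
        return {"live": verify(live, manifest), "backup": verify(backup, manifest)}


if __name__ == "__main__":
    result = demo()
    print("live  :", result["live"])
    print("backup:", result["backup"])
```

A manifest taken after the infection is worthless; the value comes from having taken it, and stored it out of reach, beforehand.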

  28. You just described my vision of hell by Sevn · · Score: 5, Insightful

    I can imagine the day when the unknown security hole of the future comes careening through that expansive Windows network and Microsoft hasn't made a patch yet. I wonder how long before someone dies. Nothing personal, but I'd never consider Windows 2000 secure enough to bet my life, or anyone else's life, on it. No FUD intended here. I'm being as serious as a heart attack. I'd go so far as to say that putting mission critical hospital systems on the Windows 2000 platform is criminal. I'd never trust my life, or a loved one's life, considering their track record. And yes it IS that big of a deal. And it IS that serious. What you are describing is a serious tragedy waiting to happen. It's only a matter of time.

    --
    For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  29. Speaking of Money by MacFury · · Score: 5, Interesting
    Every once in a while I hear about companies forecasting how much money will be lost due to lost productivity and downtime of infected computers.

    Has anyone compiled a list to see something like how much M$ has cost the world due to insecure software?

    I would guess it's a couple billion dollars by now. Why does no one care?

  30. Re:Yes by Anonymous Coward · · Score: 5, Interesting

    Hahaha... you have faith.

    Back in the day, I was called to a hospital in the middle of nowhere that stored everything (patient records, accounting, etc) on a single IBM AIX box.

    Someone who was supposed to be an admin blasted the /etc filesystem and thought unplugging the machine would fix it. (So all the databases were f-ed up too)

    The last backup had been made approximately 3 years before and the system had been upgraded several times. Nobody knew what version the system was actually on, and the one contractor who did was climbing a mountain somewhere. (This is happening at 2AM saturday) It was also in "Trusted" mode.

    To make a long story short, we eventually got in and got everything up on Sunday night.

    Lesson #5675: Never underestimate the incompetence of hospital IT staff. (Particularly small hospitals.)

  31. Admins without a clue... by 26199 · · Score: 5, Insightful

    "I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."

    How about downloading security patches, too?

  32. This guy ruined it for the rest of them by hondo_san · · Score: 5, Insightful
    I can imagine the ire that l33t haXors/crackers are voicing about this. The worm infects. The worm is easily removed. The patch is applied. For most systems, if not all, this fixes it. (Disclaimer: I have not yet removed this from a system. I have only talked to colleagues that have, and customers who have been affected.)

    Let's try to imagine if it carried a Chernobyl-like payload, or the feared root name server DDoS. Man, that's scary. So, the first one with an exploit ruins it for the rest, as at least some of the world finally realizes that it needs to patch, rendering the real killer-virus less effective, should it ever see the light of day.

    I guess in that context, we should be grateful. It's kinda like if you're walking down the street in a bad neighborhood. Wouldn't you rather have some a**hole just slap you in the face, rather than said person walking up and shooting you?