LovSan Clone Let Loose
JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."
Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.
"It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems."
To be fair, the media's not going to be interested in reporting that it's not as bad as it seems.
(Note: I'm not saying it's not that bad, I'm saying don't trust the media to tell us it's dying.)
"Derp de derp."
Bill Gates, why do you let this happen? Any coincidence that the attack is exactly 1 month to the day that the hole was announced..
The war with islam is a war on the beast
The war on terror is a war for peace
Kaspersky Labs, a leading expert in information security, has identified a new modification of the notorious Lovesan worm (also known as "Blaster").
Kaspersky Labs' experts anticipate that in the short run a repeated outbreak of the global scale may occur. This is because the two versions of "Lovesan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovesan" will soon be attacked by its revamped version," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, "Taking into consideration that the number of infected systems is now reaching 300,000 the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web: just as it happened in January 2003 due to the "Slammer" worm.
Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.
Users of Kaspersky(R) Anti-Virus can be sure that this new worm will not harm their computers. All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update.
that an antivirus lab announced that a new clone was on the way, not spreading but on the way.
Banaaaana!
I'm starting to feel left out.. Maybe I'll install Windows on a box and join the fun.
When the source is open, the possibilities are endless.
windowsupdate.com is down.
The RPC vulnerability this worm exploits was patched at least three weeks ago. Maybe if people would get it through their skulls that Windows ships with a BIG WINDOWS UPDATE LINK in the Start Menu for a REASON, and maybe if people would at least check for new, fun things weekly, these viruses wouldn't spread quite so far. The news outlets that focus on the "horrific" damage instead of the easy fix are doing their subscribers a disservice.
Besides, even if you don't care about security, you must at least admit it's fun to see a new "This vulnerability could allow an attacker to execute malicious code"-patch every week. I wonder what'll happen when Microsoft's numbering system overflows...
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
"Linux has its own problems. But you mod them -1 under the rug until the fsf site gets hax0red. troll but true. "
That was true like a year or two ago, but since this has come up I've been amazed at how things have changed here. It's not that it's turning pro-Microsoft, but the "Everything Linux does is perfect" attitude has settled back down to realistic levels.
I agree with you, though, Linux is a root password away from being ssh'd to hell.
"All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update."
Guess they were just damned lucky there.
If we're lucky the power will be out and the worms won't be able to carry out their attack.
Sheesh, evil *and* a jerk. -- Jade
Nothing really changed other than the exe filenames and registry keys as far as I know. It doesn't even look like updated functionality from the author, just copycats.
How many times do people need to be told this?
- FSF FTP site gets hacked. Some people are mined for passwords.
- A significant proportion of all desktop machines on the internet are compromised by a self-propagating virus, and the internet is affected by the sheer quantity of traffic generated by the worm.
I think there's a slight difference of scale there. Those in the US north east and south east Canada.....
OK you'd have to be a cyber terrorism nut to believe the power blackouts were caused by the virus but some friends at Con-Ed have told me the virus isn't totally innocent, apparently the trouble ticketing / work management system some of the affected power companies are using is running on a load of windows servers and not all of them managed to get patched in time. So the recovery operation is being hampered a bit by the worm.
And I thought those guys were just exaggerating things.
SCO declares that it holds the copyrights to LoveSan and demands that all clones pay a $1500 licensing fee.
The Continue Generating Power For Most Of North America Server service failed to start due to the following error: The system cannot find the file specified.
"windowsupdate.com is down."
You can't expect Microsoft to know anything about computer hardware, and prepare for something like this in advance. They only sell software.
I am feeling left out. That worm is striking everything. Please, worm writers, try it out under WINE (http://www.winehq.org) before you release that worm. Better yet, write your worms in something cross-platform like Java. Oh wait, Java doesn't have buffers so you can't do buffer overflows so most worms won't work. Never mind.
B:
C:
The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant.
Get Firefox!
...that half of the people who were affected with Slammer STILL haven't patched their systems?
This uses the same vulnerability as before. Which means that if you were hit by but recovered from blaster, you'll be safe from this one. That said, this is a more virulent form, and will screw over unprotected networks even faster. But it won't be nearly as damaging as the original. This is just an example of an anti-virus software producer hyping up a virus to sell their product.
I think it's funny that I've had the patch since it's been out and almost everybody in the US doesn't have their boxes patched. It kinda pisses me off though, that M$ is not getting blamed for having the vulnerability. Yes, nobody is perfect, I'm sure Linux and MacOS have exploits that can do the same things, except they don't make $498,324,059,872,309 a minute. The world needs to realise that's all Bill wants to do: make money from idiots
Microsoft have released a tool to scan your local network (or the whole net if you really wanted to).
Download
Network admins have fun.
Point taken, but badly stated. The FSF cracking incident was due to an application that runs on Linux, and does not ship with most Linux distributions--it has to be intentionally downloaded and installed.
So are we going to start adding all security holes in third-party apps that run on Windows to the "Windows vulnerability" list? That's crazy.
Linux is a kernel, yes. But the fact that it's available in that form if that's all you want is an advantage, not a technicality. Try getting Windows without a GUI, or SMB.
Is anything that doesn't forbid remote access *not* a root/sysadmin password away from being ssh-ed (or whatevered) to hell?
why does slashcode add random spaces in long lines
Yeah that sucked. Anyway, I find it interesting to note the common public reactions to these outbreaks of exploits.
For example, this link shows a CNN poll where "Doing Nothing" about the worm is tied with "already downloaded a patch" -- this is kind of interesting, since CNN would be a more "general user" audience than tech savvy folk here.
I wonder why no one seems to really care about computer security until it hits them with data loss, or worse.
Patches and backups are things people always promise to do "later" -- and, luckily for data recovery companies, later seldom comes.
I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems? Would you trace them to user negligence, or Microsoft software, or perhaps a combination of the two? Perhaps it's some other factor, such as the "dumbing-down" of computers by the media leading to common misconceptions?
Sometimes, as reports of Windows exploits become a daily news item, I often wonder when people will, en masse, decide they've simply had enough and switch?
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
Lovsan is a proprietary product of SCO. All users who are running Lovsan on their computers without a license will face charges of $5,000.
Licensing fees start at $699 for home users.
Saying your OS is the best because more people use it is like saying McDonald's makes the best food
I was wondering about the motivations of the person(s) that wrote this. They seemed to have a mad-on against Microsoft. What seemed weird was that if this had been a 'quiet' worm that spread, there would have been a lot more machines that were infected on D-day. MS being hit by a large number of zombies and having to *beg* people to clean up their systems would have been pretty funny.
I saw the news about the second (and third) versions and I just wondered if these (all three) were just a distraction. I wonder how many people looked for an awfully obvious process and if they didn't see it, well, that was the end of the story?
Something smells here.
eric
I'm surprised someone doesn't write a worm to patch the vulnerability and clean the system, if already compromised. After all, if you don't mind leaving yourself open to attack by a malicious worm, how can you complain about getting repaired by one that is beneficial?
Christ, right after I wander over to Symantec's website to see what this thing really is. The few friends of mine that I've talked to about this, they told me it was some kind of security breaching attack against a system, and that msblast.exe is the program that a hacker can use to remotely control a PC, perhaps to host an FTP server or some other hoopla. Then I received some distressful emails from the ITS department at my university, saying many of the computers have been infected but are now isolated in an attempt to control the spreading of this thing. Then yesterday, I was at work and in the course of only three hours I had two people come up to me asking about antivirus software (I work in retail); they were infected. I wasn't sure what to make of this new threat at that point, so I told them that Norton may or may not be able to help. Then when I got home and checked out what Symantec had to say, all the documentation was already done on this new strain of worm. So it is, after all, a destructive worm that reproduces itself, no hacking involved. I read the whole thing, and then I read Microsoft's security bulletin (which is more vague; the only important thing it has to say is that you need to patch your OS, and it tells you where to get the patch). So it's simple. Just patch your OS, update virus definitions, and run fixblast.exe courtesy of Symantec, designed to remove any threat. I have already helped one person by personally removing the virus from her system by using that simple sweeping program, which simply scans your computer for the registry keys and msblast.exe and removes it if found. It was pathetically easy. And Symantec's documentation backs me up on this; it is very easy to remove using their tool, and not as easy but still not challenging to do it manually either (instructions for that are also available).
Today I received another email from ITS: a new strain is out, and all the computers on the network are preparing for a massive DoS attack against windowsupdate.microsoft.com (not sure if that address is correct, tell me if I'm wrong). How they know this or why someone would want to do something so completely insane with this worm is beyond me. The point being, it can easily be fixed, and thanks to dedicated teams like Symantec, virus threats can be kept to a minimum in combination with prevention awareness.
Yes, and notice that their anti-virus program detects both versions of the virus (the old and the "expectant" one) without even an UPDATE? Hmmmm... ;)
The Gates-borg still exists. http://slashdot.org/topics.shtml scroll down to the Ms. It's in the far left column. The four-color thing is for Windows.
We're gonna get 'wormed' again.
I spent the better part of today patching systems for (l)users that couldn't patch their systems themselves and the rest of the day I spent fixing machines that hung when they rebooted after the patch.
I guess I know what I'll be doing tomorrow.
You know here's an cool idea, seeing as the biggest problem with virii is that people don't keep their systems up-to-date.
When someone finds out about an exploit, they tell the company about it (aka MS) and give them time to come up with a patch. Then after sufficient time has passed for security conscious people to patch their systems, a virus is released that takes advantage of the exploit to either inform the user that their system is vulnerable and that they should install the patch, or simply install the patch for them.
A lot of times it seems to take a big attack for busy system admins to roll out a system wide update. I have talked to people whose work computers have been hit pretty hard by virii and I just wonder what would have happened had they been hit by a truly malicious virus, not just these annoying but easily recoverable ones. It scares me.
This is getting extremely annoying - I'm still getting hits daily from Code Red & Nimda. I'd like to personally line up each person who hasn't patched their system and slap them.
Along with the idiots at Microsoft who don't make updates for IIS available through windowsupdate. (in my experience, ymmv.) C'mon, it's shipped with the OS, you've got automatic updates on by default, so make them patch the goddamn webserver.
I'm just trying to figure out who or what came up with the name "LoveSan" and why? variations on "blaster" make sense because the name of the original executable was wblaster.exe and the intention was obviously to "blast" windows update or unpatched windows users or microsoft or whatever, but "LoveSan"? Am I missing something here?
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
This all gives me a buzz. I think I am quite sad. Maybe pathetic is a better word.
So is AIDS.
This might be off-topic. I have a question on "Net slowdowns are expected over the weekend when both versions of the virus start their attack."
Is this why slashdot.org feels slow/not responding and have missing images? All other Web sites seem fine. I noticed this at work, home, etc. with Mozilla v1.4.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Example... Blackboard
Very expensive, very fragile, very insecure.
It if wasn't for Slammer they probably wouldn't even support Service Pack 6 yet.
Hey AV experts, just wait till the 17th to post a fix, please?, in the meantime, have fun, enjoy the beach, watch windowsupdate.com as it goes DoSed, what a wonderful life!. At last a virus that goes to the source of the problem. hehehe I think I'll get some Karma for saying this, well, some Karma is not too bad!.
I really hate windows, I use linux. Anyways I wanted to patch my father's laptop. I opened the windows update ... then I got the worm with the fucking shutdown message. I am clueless in windows, so after 2 hours of fiddling, I changed a setting in:
Network Connections -> Local Area Connections -RightClick->Properties ->(Uncheck) Client for Microsoft Networks.
After that I was able to patch the system easily. BTW, I think I got another variant, because I couldn't find any registry keys with those names.
I reckon it's time for a special breed of paranoids that live only on /. to post.... The ones that believe the anti-virus companies write the viruses.
Then of course you have the virii versus viruses argument...
This guy is way out there
Today I did a W2K3 server install, and tried to go to Windows update to patch the thing. No go. It was slashdotted over a period of at least an hour.
I turned the bleeding thing off.
I wonder how many people have tried to update on news of the worm, and given up because they couldn't get through. I can't imagine what is going to happen Saturday.
If this worm didn't exist, the systems would remain unpatched until some much more destructive exploit was distributed (say, deleting all your files).
Think of it as vaccination - a mild form to shore up our defenses, so a killer form doesn't get us.
It's not wasting time, I'm educating myself.
It could be that way. But if you'll allow me to play Devil's Advocate/Anti-virus Advocate (they're so similar) for a moment; it's possible that they happened to notice the modified version out there on the 'net first, then checked their most recent virus defs and determined that their software was able to detect both versions. At this point, the information was gleefully expressed to the marketing dept. and the "news brief" was made. Or perhaps it's all just a SNAFU. Does anybody have a copy of this AV software and the new virus version so we can verify the company's claim?
On a related subject, let me take this opportunity to mention that Vmyths exists and it's cool.
Furry cows moo and decompress.
"Try getting Windows without a GUI, or SMB."
Just playing Devil's Advocate here, the 'Windows without a GUI' bit makes it tougher to crack. I think NG's point was that since Linux is CLI driven, SSH is a perfect way to go in and do what you want remotely. All it takes is to know the root password. You don't even need to guess what the login name is. (Windows is NO better in this respect.)
MS went GUI happy, which means one has to be rather creative about how they use CMD.exe to do their dirty work. This is not the strongest defense, but it is worth noting. To work with Windows remotely, the GUI is the biggest hurdle, and at the same time it makes things more difficult for the would-be hacker.
Just to be clear, that was Devil's Advocate talk, not MS apologist.
OK so it's a clone but surely I wasn't the only one who thought of this?
/. readers are too young.
sigh
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical, OK
And yet again. The BMFH will return to hell one day and that gives all of us, his victims, solace.
"Is anything that doesn't forbid remote access *not* a root/sysadmin password away from being ssh-ed (or whatevered) to hell? "
What was flamebait about that? It's a little off-topic, but I'm really curious what the answer is. I've used Linux a little and SSH + Root Password = completely exposed system. I am naive, I don't know all there is to know about Linux. Is there somebody who can tell me my understanding is incorrect?
To my great surprise, Slashdot is almost impossible to view and post on since this "attack". Mozilla barfs on Slashdot every time but Konqueror is delivering for me right now albeit w/ a few reloads here and there.
One major manufacturing facility in Taiwan that I work with had its internal network hit including control devices running on Windows NT. It probably caused between 1 to 2 million dollars in damage because of production delays.
I had to stay up till 12am trying to figure what the crap was going on with my equipment when it was communicating with those stupid NT servers. We're running Redhat and I was sitting there using tcpdump trying to figure out what was wrong with the packets.
It looks normal from the Redhat side, but you'll get no responses from the Application layer on the NT side. It must flood the send pipe in the TCP/IP socket layer on the NT side.
WARNING: If you're running Linux in the Enterprise and you're interfacing NT, you'll be blamed first. Just know it ain't your fault.
From the makers of Windows XP, comes the latest release of their highly-propped OS, simply entitled "Windows 95". Features include a lack of active viruses, stuff that works, and things that don't move when you don't click on them. Says one enthusiastic tech support employee, "This is great. I haven't pissed since Service Pack 2."
Damn, if you are going to write a worm make it do some damage. You black hats are really starting to bore the shit out of me.
For instance take this worm and add the ability for it to seek the network for every single Excel spreadsheet it can find and randomly mix up a couple of cell values. Then have it set the access time back to the original.
Hell just write a few bytes to a random location in any file you can access.
Come on black hats, quit boring me!
Got Code?
OK - I've been administering my employer's corporate network for the past 10 years. Ever since we got onto the Internet we secured our infrastructure at the perimeter by blocking all incoming traffic at the border router destined for a port below 1024 except for valid services on valid ports.
Now, I know ISP's just sell bandwidth to people, and such filters would annoy a lot of customers, but WHY CAN'T ISP'S BLOCK ALL TRAFFIC TO PORTS 135-139, 445, & 593 AND STOP THESE WORMS ?
Seriously, there is no good/sane reason for anyone to use Windows RPC and SMB traffic over the Internet - those ports are for internal use only and should not be exposed to the outside world.
THESE PEOPLE ARE JUST PLAIN NUTS - OR WORSE
LoveSan: The Attack of the Clones
My Windows box has one network card. It is thus both "the internet interface" as well as the connection to the "corporate network". As well as everything else.
Why are you surprised that the RPC can't tell the difference? There's only one interface.
That's either a great troll or a thoughtless statement. Tell me, in precise detail, how Microsoft is supposed to expose the RPC service to the local corporate network (where it is not "useless" by any means) but not expose the same service to "the internet". On a single network card.
There are two solutions to the RPC problem: have the corporate router block RPC from outside -- which has nothing to do with your machine -- and/or install a packet filter on the local system to drop RPC requests not coming from corporate systems. How Microsoft is supposed to magically know what those corporate systems are during installation, of course, is a pesky minor detail that we don't like to mention on /.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
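The two filters the thread argues about are the border-router block on the Windows RPC/NetBIOS/SMB ports (135-139, 445, 593) and the per-host filter that only admits RPC from known corporate ranges. The decision logic of both, as an added example that is not from either post, is below; the corporate address ranges and the sample traffic are constructed for illustration.

```python
"""Decision logic for the two RPC filters discussed above: a border filter
that drops inbound traffic to the Windows RPC/SMB ports regardless of source,
and a host filter that admits those ports only from allow-listed corporate
networks. Added example; the networks and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass

# Ports named in the thread as Windows RPC/NetBIOS/SMB service ports.
RPC_SMB_PORTS = frozenset(range(135, 140)) | {445, 593}

# Assumed corporate address ranges for the host filter (constructed).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.50.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"


def border_filter(pkt: Packet) -> str:
    """ISP/border-router policy: drop anything bound for the RPC/SMB ports,
    whoever sent it. Returns 'drop' or 'pass'."""
    if pkt.proto in ("tcp", "udp") and pkt.dst_port in RPC_SMB_PORTS:
        return "drop"
    return "pass"


def host_filter(pkt: Packet, allowed=CORPORATE_NETS) -> str:
    """Host policy: RPC/SMB only from the allow-listed corporate networks;
    everything on other ports is left to other rules and passes here."""
    if pkt.dst_port not in RPC_SMB_PORTS:
        return "pass"
    src = ipaddress.ip_address(pkt.src)
    return "pass" if any(src in net for net in allowed) else "drop"


def summarize(packets, policy):
    """Apply a policy to a batch of packets and count verdicts; handy for
    checking a proposed rule set against captured traffic before deploying."""
    counts = {"pass": 0, "drop": 0}
    for p in packets:
        counts[policy(p)] += 1
    return counts


# Constructed sample traffic: a worm scan from the Internet hitting 135 and
# 445, a legitimate corporate SMB connection, web traffic, and a connection
# to the TCP 4444 backdoor port that neither RPC filter covers.
SAMPLE = [
    Packet("203.0.113.7", 135),
    Packet("203.0.113.7", 445),
    Packet("10.20.30.40", 445),
    Packet("198.51.100.9", 80),
    Packet("10.20.30.40", 4444),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>14} -> {p.dst_port:<5} border={border_filter(p):<4} host={host_filter(p)}")
    print("border:", summarize(SAMPLE, border_filter))
    print("host:  ", summarize(SAMPLE, host_filter))
```

Note that the border filter also drops the legitimate corporate SMB connection when it crosses the border, which is exactly the complaint about ISP-wide blocking, and that neither filter touches the TCP 4444 port an already-infected Blaster host listens on: blocking the RPC ports stops new infections, not the control channel of a machine that is already compromised.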
The worms are a conspiracy by CON-ED to conserve power. They figured that shutting down millions of PC's would reduce the load on the grid so they launched the worms.
This was done so the workers wouldn't have to go out in the heat and string extra wire to run more A/C units at the CON-ED office.
Do you want automatic up-to-date patching of Windows vulnerabilities, or do you want to be able to know what you're getting.
Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
I agree that everyone should at least check out windowsupdate.com every once in awhile, but I am always hesitant to update my windows box. Windows Media Player 9??? Don't need it, don't want DRM.
So don't install it. It's not in the Critical Updates section.
What about SP1 deactivating xp installs with pirate serial numbers?
Impossible, because SP1 won't even install on machines with pirate serial numbers. Nothing is "deactivated." That's not even a valid criticism anyway, since you're talking about pirated copies of Windows. Next.
I've had DirectX updates that actually crashed previously working games (not lately though, gotta say that's getting better).
Your experience is in the minority. Sounds like a driver issue (seriously).
I like to wait to update my box for about a week or so to see if there is any outcry about some nasty thing Microsoft slips into the update.
There wasn't any outcry over this one. As a matter of fact, the exploit and patch were covered everywhere (including Slashdot), and even the government told people to install the patch, TWICE.
I'll bet I am not alone.
It was a tiny 800kb patch that plugs a hole in RPC. Bite the bullet and install the damn patch.
As far as Blaster is concerned, I rely on independent firewall and antivirus applications to deal with these threats. IMHO it works better than relying on MS to secure their OS.
How silly. You'd rather avoid patching your system with critical updates released by its publisher? Like you don't apply critical Linux patches when necessary.
"Sufferin' succotash."
While some companies in the AV industry have shown (ahem) questionable ethics in the past, I think it's stretching to say they WRITE the viruses, rather than just hype them.
... some of our ideas would have been quite evil indeed. And most of us were pretty good programmers.
...
For one thing, there are plenty of idiots out there quite willing to write a virus for free.
For another, if the viruses/worms/trojans were written by the AV firms, they'd be MUCH better. My co-workers and I would regularly discuss how one could, hypothetically, write the ultimate virus
Contrast that with the true nature of most successful 'in the wild' viruses -- most of which aren't that well written
It's getting a little too easy to randomly reference SCO in some way for a +5 Funny.
Just my opinion. I'm tired of this same "joke" showing up in every article.
What I'm really surprised is that there hasn't been a more lethal payload.
SYN flooding Microsoft? And the wrong domain anyway? That's just lazy. Where's the work ethic the hackers had ten years ago when a virus would wipe you out completely?
Now, I patched within a week of the original notice, I have a NAT-based router in the way, and I'm running ZoneAlarm. I may be wrong, but any one of those ought to have prevented infection. With that many 'proofs' against it, and other possibilities (including XP's own firewall), I'm truly surprised there are so many infected machines out there.
Then again, at least my corporation is using this as an excuse to finally patch our Win2K-based machines to SP3, while installing the RPC patch.
And they're certainly firewalled... but there are folks who use their company laptops to dial AOHell, and got blasted. *sigh*
Design for Use, not Construction!
My parents' Windows 2k and Windows XP boxes are safe from this bug, thanks to a single, very basic security fix: rename the Administrator account, make sure it has a password, and then make sure no other user has Administrator rights on the computer.
What was it a month or two ago that Microsoft said they were going to start charging for updates? If they were to start doing that tomorrow Microsoft will become richer and more powerful because everyone will remember this and start paying for the updates because they don't want to see this happen to their system again. Very few people even realize there are other options out there for operating systems. I hope people start waking up soon.
I assure you this virus has a *totally* different name.
Not to nitpick, but none of the machines I have running Free/OpenBSD allow remote root login. OpenSSH was configured like that by default. So in actuality, to get in without using an exploit, you would have to know the username and password of a user in the 'wheel' group and then su to root. Besides...Windows XP ships with the remote desktop turned on by default. Not sure what protections there are on trying to log in through that (never used XP much, but it was on on a computer I built for someone, turned it off in services.)
And the muscular cyborg German dudes dance with sexy French Canadians
Just an idea: Why not make a clone of this virus, which would erase the other clones and close the door behind?
Since a stand-alone program has more chances of being transmitted everywhere than any windows update or patch requiring user intervention, I'm sure it would help a lot to remove any remnants of this worm attack...
Can anybody code this? I guess antivirus companies don't want to do that, that would kill their business!
Why doesn't someone just make a third version of the worm that installs the patch after it infects a machine, so that everyone's machines get fixed automatically?
It is very easy to configure OpenSSH to not allow remote root login. 'PermitRootLogin no'. Newer versions of OpenSSH have that as a default, so you would have to actively allow root logon.
The desktop world is ruled (by numbers, anyway) by Microsoft. Any potential malware s'kiddie can knock together some malware in a few hours, dump it into some unsuspecting newsgroup somewhere or email it to his Outlook-using mates and start an epidemic relatively easily. The sheer number of vulnerable machines makes that easy.
The installed base of Windows boxes also means that, despite MS not opening up their code to anyone (except governments and universities willing to sign away their first-born as insurance against breaking the NDA), large numbers of people spend vast tracts of time throwing McValue Meal-sized URLs at web-servers and mutant packets at RPC interfaces.
Lots of people x Lots of time x Lots of machines = lots of vulnerabilities found...
Now consider *nix. It has a number of advantages straight off the block:
- It's open source. Code that finds its way into the kernel goes through the best peer-review system available; public scrutiny.
- Generally, the people who run *nix are more tech-savvy than an average Joe Blow.
- Any vulnerabilities that are found get acknowledged and fixed very quickly.
But what would happen if *nix had the sort of desktop penetration that Windows does? How quickly would the kind of person that thinks a computer case is called a 'hard drive' apply a *nix security patch? If *nix was that popular, how many more people would devote vast tracts of time to finding obscure security holes and vulnerabilities? Just a thought. Now flame away ;)
Windows Tweaks
remember Dr Solomon ?
here read this from the man himself , should clear up your doubts about virus companies create viruses
Since that word does not occur in the original posting I believe you are the troll, faggot.
To make this smile even bigger: compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened on)
Now you can actually *see* when the worm tries its futile attack on your superior OS.
nmap youriprange -p 4444 | grep open will find infected machines.
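Piping nmap's normal output through grep loses the host association: the "4444/tcp open" line is printed under a separate "Interesting ports on ..." header, so you see that something is open without seeing where. Nmap's grepable output (-oG) puts host and ports on one line, which is what the parser below reads. This is an added example, not from the post above; the nmap output it parses is constructed, and the assumed invocation is `nmap -p 4444 -oG - <range>`.

```python
"""Parse nmap grepable output (-oG) and list hosts with TCP 4444 open, the
port suggested above for finding Blaster-infected machines. Added example;
the sample output is constructed. Each 'Ports:' entry has the form
port/state/proto/owner/service/rpcinfo/version."""
import re
from typing import Dict, List

# Constructed output of: nmap -p 4444 -oG - 10.0.0.0/29
SAMPLE_OG = """\
# Nmap 3.30 scan initiated Fri Aug 15 21:04:11 2003 as: nmap -p 4444 -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 4444/closed/tcp//krb524///
Host: 10.0.0.5 (ws-05.example.internal)\tStatus: Up
Host: 10.0.0.5 (ws-05.example.internal)\tPorts: 4444/open/tcp//krb524///
Host: 10.0.0.6 ()\tPorts: 4444/filtered/tcp//krb524///
Host: 10.0.0.7 ()\tPorts: 135/open/tcp//loc-srv///, 4444/open/tcp//krb524///
# Nmap done at Fri Aug 15 21:04:19 2003 -- 8 IP addresses (4 hosts up) scanned in 8.12 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> Dict[str, Dict[int, str]]:
    """Map each scanned host IP to {tcp_port: state}."""
    hosts: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # '# Nmap ...' comment lines
        ip = m.group(1)
        ports = hosts.setdefault(ip, {})
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue                   # 'Status: Up' and similar fields
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3 or parts[2] != "tcp":
                    continue
                ports[int(parts[0])] = parts[1]
    return hosts


def hosts_with_open_port(text: str, port: int = 4444) -> List[str]:
    """Hosts whose TCP `port` reports 'open'. 'filtered' is deliberately
    not counted: it means a firewall answered (or nothing did), not that a
    backdoor is listening."""
    return sorted(ip for ip, ports in parse_grepable(text).items()
                  if ports.get(port) == "open")


if __name__ == "__main__":
    for ip in hosts_with_open_port(SAMPLE_OG):
        print("TCP 4444 open:", ip)
```

An open 4444 is a strong hint, not proof: the IANA name nmap prints for that port (krb524) shows it has legitimate uses, so confirm a hit by looking for the worm's process and registry entry on the host before wiping it.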
Sigh. The Windows exploit is essentially a buffer overrun. Microsoft knew about this and released a patch *before* this worm was even written. So it comes down to two things:
1. It's a common problem caused by people writing OS-level services in languages that are prone to these types of problems. Windows and Linux are in the same boat here. Many such exploits have been found in both OSes, and more will be found in the future.
2. It doesn't matter how fast a patch is released if people don't download and install the patches. Again, both Windows and Linux are identical in this respect.
If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG.
All Windoze boxes ought to be r00ted!!!!!!11
Of course there are lots of famous events, etc. that have anniversaries every day, so this might be a coincidence. Also, since it's a Saturday, and "everybody's off" then that might be why the attack is on the 16th, more people will be surfing, and if infected, send out the virus to more machines, and IT and repair folks will be called in on an off day.
Thank you!
"Derp de derp."
Symantec Antivirus Research Center (at http://www.sarc.com) also reported this morning a second clone that's been renamed "Penis32.exe". Really.
So, screw you and screw Microsoft.
Just in case others got misled by the general press reports: The MSBlast (and its two known variants) worm attack against WindowsUpdate.com will really start at 4 a.m. Pacific Friday (Redmond time). As noted in this News.com piece the widely-reported "midnight" is really "when a PC clock shows midnight" -- whenever Friday becomes Saturday, starting across the International Date Line in Anadyr, Russia. Set your TiVos accordingly, assuming you have power.
I was asked today why Mac OS doesn't have the same problem as Windows (in this case, XP and 2000, primarily). Simple: Three percent mass market penetration does not an appealing target make for a virus-writer who wants to be notorious.
Oddly, it's almost a badge of honor for an OS to be the target of virus writers. It means there's enough of an installed base to make it a tempting target.
(And no, none of this is a comment on the functionality or benefits of any specific OS. Just the market penetration at this time.)
One can also run an interpreter over a file and pseudo-execute it until it can be proven that it is or is not a virus
Professor Turing would like to have a word with you...
That's what a polymorphic virus is all about. See here for a very short definition. AV programs have known about this for a *long* time and have had some success defeating that approach. Do a google search for "Virus Heuristics" if you are interested.
Someone ought to make a worm that simply wipes the harddrive of any infected system immediately and permanently.
That way *maybe* some people might realize microsoft security really sucks, and that it can hit them, and hit them hard.
I think this would be a horrible thing to do, but at least it would probably be the last of its kind (the last worm ever I mean by that).
msblaster runs BarterTown
Having spent many hours cleaning up this mess I have to say that we are actually pretty fortunate.
If this worm had been a little better written (not a lot, a little) and had targeted the financial infrastructure, the free world could be in serious financial trouble right now.
As it is, this worm has cost millions and millions of dollars. Imagine what would have happened if it had targeted financial transaction institutions rather than Microsoft!
1. Why is RPC running by default in the first place?
2. Even if RPC is running by default in the first place, why haven't you patched?
3. Even if RPC is running by default in the first place, and you haven't patched, why aren't you behind a firewall of some type?
4. If you are not behind a firewall of some type, you are an ass.
... that symantec's fixblast doesn't remove the progenitor of msblast.exe, the spybot worm and its payload: msconfig35.exe, the 4 random-character copies of msconfig35.exe, webdav.exe, or the tftpXXXX copies.
I've seen these files on every machine I've cleaned msblast off of, they appeared on these machines last saturday (in every case), and norton anti-virus only sees webdav.exe, not the rest.
EVEN WITH fixblast.exe, this saga ain't even close to over yet.
Gee, when do us Mac OS X/Linux/BSD users get in on the worm/virus fun? I feel so neglected.
well, yes I suppose the comment above is "redundant"
but then so is this stupid repeating cycle of amateur software bringing down 1/3 of the world's computing infrastructure every month
this will NEVER stop until Microsoft is held liable $$-wise for their slipshod money-extraction approach to software design
and if you set the delay between logout failures to several minutes, that cracking attempt would take so long that fewer systems would be breached in a day than would be breached in the NT (et al clones) by a worm attacking bad software in a minute. or - you could simply not offer ssh!
Professor Turing would like to have a word with you...
So would Godel.
To ensure perfect aim, shoot first and call whatever you hit the target
I was updating a couple computers tonight, and at 10:20 Central Time, windows update worked great. At 10:30 windows update and microsoft.com website is inaccessible.
Nothing, Nada.
I guess in a weird sort of way, it's ironic.
Anyone else notice that microsoft isn't responding, I've tried through megaproxy and anonymizer just to make sure it isn't me :)
I don't know that even talking about windows 2003 is realistic at this point in time. If you are using any sort of production database, it most likely will not have been certified to run on 2003 yet - which means most companies will not have deployed it yet. I guess if you're running just MS products, you'd be fine, but that's probably the minority, not the majority. As for your second comment that you doubt there'd be any more vulnerabilities for the rest of the year, again - I believe it's because it's not yet widely deployed. Give it some time. More vulnerabilities will show up. They always do (I'm not just talking windows here. Happens on every platform).
There are massive legal ramifications to this:
Firstly, the second strain of the virus is clearly derived from the first strain. This is blatant piracy, and a violation of the cherished IP of the original authors.
The original author of the virus is now in a position to reap a windfall, by
- Suing the second author to the tune of $3Bn for having blatantly stolen their code.
- Suing the thousands of owners of infected machines because they may be running pirated code in violation of the DMCA.
- Offering infected users a $699 licence fee for running the derived virus, which will protect them from any further legal action.
What the authors of the second, derived virus have done is abominable, and shows a callous disregard for the IP rights of the original authors. They are nothing but pirates, and a threat to the wholesome values of benign free-trade capitalism.
-----------------------
+5 Interesting? How about r-utils? How about Samba, Samba will happily share out any interface you want. DHCPD, that bites a lot of home firewall hobbyist types by running happily on their external interface. lpd, jeez, tell me if you've heard this one before.
How exactly would MS know which interface is "Internet Facing"? If Windows sees a NIC with a "public" IP, it shouldn't allow RPC? Many networks don't rely on NAT for their warm fuzzy security feelings. Many networks have lots of machines with "non-private" IPs on secretaries' desktops. If they protect their network appropriately, they're safe.
Not everyone uses NAT. Some people even think that NAT is ugly, broken and gives a very false sense of security.
Go figure.
I like music
Same symptoms as MSBlaster, but with a file named "tftp3612" in the startup menu. What should I do - who do I call?
Humor from a Genetically Molested Mind
> If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG.
that's a bad apples/oranges comparison. nobody went out of their way to open port 135 and nobody requested it when they bought MS/*T. it was put in as a marketing tool to provide a marketplace perceived advantage.
windoze and linux are not the same with respect to buffer overflows either. the holes in linux are fixed before exploitation by concerned developers who test the software independently of their 'employer' - not worked on after the threat is known. most of the mass-market linux distros have long been in the mode of forcing the knowledgeable to create situations that can be exploited, but leave the default configurations much more safe than the M$ offerings.
It has been my experience that older computer users (such as my mom & dad, who are in their 50s) do not like installing automatic updates from Microsoft (keep in mind, the update was labeled as critical so it was delivered automatically) because they believe it'll mess up their system. I believe this, and lazy sysadmins, are the reasons why worms like this propagate so quickly.
They should keep it in their sock drawer as God intended.
KFG
Frankly I don't care if it's Microsoft's fault for writing buggy insecure code, or the user's fault for not keeping up on patches Microsoft released months ago. It's all stupid, and we shouldn't have to deal with it. Over here in California, Ventura County burned about $70G over this stupid worm.
One way or the other, Linux isn't affected. Neither are Macs (which are Unix now anyway). Isn't anybody on the Windows side of the fence getting tired of this by now?
Time to switch to an OS that doesn't do this.
*nix, anyone?
Is this why slashdot.org feels slow/not responding and has missing images? All other Web sites seem fine. I noticed this at work, home, etc. with Mozilla v1.4.
I've had the same experience with slashdot.org the last couple days. I use Mozilla Firebird 0.6.1+, and I've also tried going to slashdot.org with IE 6.0, with similar (though less severe seeming) results.
What's wrong with Slashdot lately?
Wonder if Microsoft is pointing the domain names to new server IP addresses to thwart the attack before it begins (assuming the worm code works that way). Until the domain name servers update themselves and that update propagates, microsoft.com and Windows Update will appear to be gone, even if they are still up at the new IP addresses.
That's how whitehouse.gov deflected a similar attack a couple of years ago. And it worked.
Just a guess.
Has anyone else noticed that microsoft.com is timing out tonight?
The Matrix is real... but I'm only visiting!
In my experience with windows update, many of the patches can actually mess up some systems (mine for example :( ) and many people are much less enthusiastic about applying patches. Also, some IT guys test these patches themselves before putting them on all computers.
That's all well interesting, but incorrect. You forgot to say
"and I hope you notice when he/she hacks your system."
The gender neutral third person singular pronoun in English is "he." It happens to be the same as the masculine one, this does not make it an error.
All it takes is to know the root password. You don't even need to guess what the login name is. (Windows is NO better in this respect.)
To be fair, you can change the name of the Administrator account in Windows 2000, and perhaps other versions. That helps, doesn't it?
uh, leave all the ports closed, and then let people who know what they're doing open them. A corporate install should be the one that has to do a little extra work to open up this service, if they want it.
This is a copy of a message I sent to a mailing list some time back. They are the guidelines I use when updating my Windows system.
______________________
Some tricks -- mostly born out of antipathy and paranoia -- on dealing with Windoze Update:
Other things you might want to do:
Although I mostly live in Win2K (when I'm not in Linux or BeOS), I have a Win98 partition that's still working fine without a single re-install. Basically, if you take a minimalist approach, and presume Microsoft to be an untrustworthy/unreliable source, you can greatly extend the life of your Windows installation.
Schwab
Editor, A1-AAA AmeriCaptions
If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms.
I don't buy it. When such vulnerabilities do appear in Linux (ssh, RedHat lpd) it seems to me that worms appear as well. But there haven't been any Linux worms in the last year or so, while there have been several Windows worms. How can you explain this?
I suspect that the only explanation is that Windows has more of these severe vulnerabilities which can be exploited to make viruses/worms. As I mentioned in another thread, I don't think that there are any Linux vulnerabilities right now which are of the proper type to allow worms to propagate. The vulnerabilities which are known are less severe than that (mostly local DoS or gaining root access from a user shell) and often involve programs which are unusual or at least optional, not vital services. I have the feeling that people fail to make these distinctions (more vs. less severe, required vs. optional software) when they argue that Linux could be "wormed" just as easily as Windows. Instead, I would argue that Windows has more _severe_ bugs than Linux, and that severity, not marketshare, is why it keeps getting hit so hard.
Seriously....
I have a theory that Windows users actually enjoy these virus attacks for the same reason that Americans allow themselves to be fooled into supporting baseless wars: because it makes their dull lives seem more interesting.
If everyone switched to invulnerable systems like Jaguar they'd have no excuse to put off that annual financial report.
-- thinkyhead software and media
Hwahaha...
My OpenBSD server allows remote access.
There is only one user that is allowed to log in via ssh, with a strange username and password.
This user logs in to a fake shell that responds with errors to every command entered.
One specific string will cause it to quietly start (restricted) sh, after supplying the error message.
The only command available in this restricted shell is su.
This user is not in the wheel group, so you can't su to root directly.
(yes, i know, this is absurd security)
Thus, in order to get remote root access, you have to know:
or, I suppose, a remote hole in ssh...
Either way, I'm glad I've got my NAT modem, firewall software and patches in place. That said, my work place got hit bad yesterday - they forgot to guard against a laptop from outside bringing the thing in straight past the firewall - oops.
Go permanent? In your dreams and my worst nightmares.
Since the brand of OS afflicted is only supported one or two service pack back in time, one might ask,
"So is this really just a marketing push to get admin rights on users that refused the terms and conditions of earlier service packs?"
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Erm. I might be showing my ignorance, but wasn't Turing's problem that you couldn't know how long the code would take to execute (if at all).
That doesn't rule out running it for x opcodes (like, say, 2-300) and seeing what happens.
If I remember right, thunderbyte did something like that in the 90's. That was a *damn* fine virus checker. I remember it once finding a virus, not knowing what it was, but flagging it.
I spent the next month (being a kid and all with little else to do) writing a cleaner for the virus (which I remember was no-frills-dudley, and f-prot et al wouldn't clean) and massively increasing my knowledge of x86 assembly.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
You don't even need to guess what the login name is. (Windows is NO better in this respect.)
At the company where I work, one of the first things that is done to each new Windows install is to change the name of the admin account. Not create a new one, mind, but to change the name of the existing one. I'm not sure if that's possible under NT (been a looong time...), but certainly from 2k upwards it is.
It's official. Most of you are morons.
I've written programs that use RPC to control and monitor certain types of equipment. In my case, one of the main benefits of the software was that the user could operate the equipment from anywhere in the World. Why should I be prevented from using RPC across the Internet?
Mea navis aericumbens anguillis abundat
Ummm .. without sounding too stupid.. but has anyone looked at the M$ attack??
From what I can see it spoofs a SYN to windowsupdate.com. So apart from rebooting after a reinfection and therefore restarting the attack after the date (15/8) it's gonna hurt ISPs' DNS, but properly setup networks shouldn't forward spoofs. So the problem is what??
A hit on DNS (once per minute), and border injection points dropping spoofs. So the last-mile gets a bit choked... bummer. What's the prob???
Not trying to troll but???
Here is the download for the English W2K version. Guess Microsoft is using some sort of traffic shaper to reduce the load because I can't reach any of their web sites.
how do you tell them apart?
:)
*hides_in_bombshelter*
the computer is online
i am not at it
what a waste of resources
...joe sixpack on dial-up is going to let windows update the 36MB of stuff advertised (i shit you not: the last 5 machines i've built have advertised between 36 and 69 FRICKING MEG of windows update - and that's not including service pack 1 which i applied from CD. shame MS don't separate the security hotfixes from media player 9 and the rest of the crap they push at you through windowsupdate.com...
Perhaps to not be redundant, most appear to view this as a comedy issue. Maybe all future Microsoft security issues, worms and trojans should be filed under the comic section?
It is certainly redundant to state the simple solution is to abandon all Microsoft products. There must be hundreds of exploits 'widely known among hackers' but not known to Microsoft and/or published. Any 'hacker' worth his salt can get into any NT type server with a minimal effort and can certainly get to clients and install servers. The truth of the matter is us old hacks are really bored with Microsoft.
if you don't already know, head on over to Symantec's blaster removal site to fix any systems that have already been infected.
there are many systems infected on our apartment network, and everyone is looking at me to fix them.
i think i will wait until sometime next week. i mean, how many times can you legally DOS microsoft?
this should be fun...
How else would the government watch your computer if they can't get in thru a back door? This TIA garbage and governments of the world mandating backdoors is to blame.
Just ask RSA http://www.rsasecurity.com/ about the USA NSA visiting them and demanding keys to crack their encryption products.
Now you've done it.
They're coming to get me.
I hear the footsteps coming up the walkway.
Protect me open source!!!
Could you imagine the mayhem if the RPC flaw was not reported? If the worm was written without anyone's knowledge? If the payload were on Microsoft *and* Antivirus update sites? All it would take is a bughunter to change hats. It gives me the heebies.
This comes from the latin language: virus -> virii, as cactus -> cactii. :)
I know it sounds strange, but it's real. Ok, it's not part of the English language, but it's valid as Latin. Many words were imported directly from Latin, so it is accepted, even if it is not widely used.
I kinda love weirdo things, so i like these plural forms
Well, I don't think the parent was talking about OpenBSD in his question. Everyone knows that OpenBsd has the security of a stone tablet because it is made out of stone.
Don't people who write viruses realize that they're really just making it harder to get their porn fix by slowing down the internet?
I certainly don't like the idea of Microsoft knowing that my media player is playing "Azlea is fricking rad," but the last time I read a slashdot rant about Windows Media Player, the general swell was that there were no viable alternatives for playing AVIs - on Win32 or Linux. Please update me.
Especially if /. keeps serving up 7MB(!) adverts.
_O_
.|< The named which can be named is not the true named
Ok. Troll me if you want, but isn't Microsoft (TM, (C) and so on..) really a kind of "financial transaction institution"? I fundamentally have nothing against Microsoft, but I cannot stand the price they are requesting for such a piece of software. I call it basic fund extortion, when they ask the home user about $350 for WindowsXP home, and $650 for OfficeXP. Free trade mode is on, I know, but... It's annoying I think. And it makes them lose money due to piracy (I'm sure they'd sell more if it were cheaper).
MS is getting into the antivirus and firewall software business. That's why they bought GeCad.
media player classic is great, and winamp is alright.
Symantec lists *three* versions on their web site. One of which has its executable named penis32.exe (the B worm uses penis32.exe and the C worm uses teekids.exe)
Source: http://www.sarc.com
LedgerSMB: Open source Accounting/ERP
So I'd say we need some better arguments if we want to make this thread a valid OS-security pissing contest ;-)
Programming can be fun again. Film at 11.
Thanks for the reply,... I am surprised anyone read it considering I was modded down twice: once as offtopic (probably right) and once as troll (fscking anti-MS zealots!). I wasn't aware of a separate windows icon. Thanks!
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
"It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems."
Huh, it took me five minutes to fetch and apply the patch over dialup. Of course, if I'd waited to be infected, then I'd have to d/l the cleaner too. So, ten minutes. How hard could it be?
Incidentally, IIRC the folks with real statistics say that the rate of new infections is DEcreasing.
In the first place, there are too many patches. At some point, you gotta blame the sloppy code. Maybe more than one major vulnerability per month this year is below your threshold, but it's above mine.
As evidence for the unreasonableness of the patching burden, the MS download site was itself hit "hacked by Chinese" during the Code Red outbreak. If the contractors running that site can't keep up, the product is too flawed for Joe Admin out in the sticks.
The steps to reduce the burden of patching have been awful. Windows Update fails silently, or falsely reports success in many cases. After the SQL worm, many admins are wary of blindly patching.
I think the technet article was July 16, one month ago.
There was a Dilbert about rewarding employees for finding bugs. Naturally, this didn't drive careful coding.
Microsoft is now confirming what was speculated: About 8:45pm PT Thursday, Microsoft.com and Windows Update went down for several hours. One reason was a DDOS attack Microsoft says was unrelated to the MSBlast worm.
And Microsoft sources also say the company has moved at least the Windows Update domain (and perhaps Microsoft.com itself) to new IP addresses isolated from the rest of their networks to blunt the expected worm attack.
It is broken. It fails silently, or worse, falsely reports success. I've seen both. It's bad enough that I'm not sure it's better than nothing.
I asked if he could determine where the scans were coming from and he said that this was unusual and he was looking into it. He pointed out that there was no damage being done, but was curious as to who would be doing 12 hours of constant port scanning.
After an hour he called back and said that the scans were coming from just about everywhere, and that they were scanning only the port used by the Worm. His conclusion (and mine as well) was that a fault in the random number generation method used by the worm caused it to pick our Class C address block more than other ones, and thus we were getting the scans.
No damage is being done... so I guess we merely wait until (hahahahah) all these lusers patch their systems - but really, can the script kiddies out there PLEASE learn how to write GOOD code before releasing their worms? (or did this come straight out of microsoft labs itself - seems their typical crap coding style).
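The kind of check the ISP did above, as an added example written for this page and not part of the thread: a Python script that parses firewall drop logs, isolates attempts against the port the worm uses, and reports how many distinct sources were involved and which destination /24 blocks (the poster's "Class C") absorbed the hits. The log lines are constructed in netfilter syslog style, and the field layout, the `sweep_like` heuristic and its thresholds are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the netfilter/iptables syslog style (not from the thread).
SAMPLE_LOG = """\
Aug 16 03:12:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.17 PROTO=TCP SPT=1201 DPT=135
Aug 16 03:12:02 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.18 PROTO=TCP SPT=3120 DPT=135
Aug 16 03:12:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.19 PROTO=TCP SPT=1202 DPT=135
Aug 16 03:12:05 fw kernel: DROP IN=eth0 SRC=192.0.2.250 DST=192.0.2.17 PROTO=TCP SPT=4410 DPT=80
Aug 16 03:12:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=2210 DPT=135
Aug 16 03:12:07 fw kernel: DROP IN=eth0 SRC=198.51.100.200 DST=192.0.2.21 PROTO=UDP SPT=5353 DPT=135
Aug 16 03:12:08 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.22 PROTO=TCP SPT=1999 DPT=135
Aug 16 03:12:09 fw kernel: link state change on eth0 (no packet fields on this line)
"""

# The field layout is an assumption about the firewall's log format.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return {'src','dst','proto','dpt'} for a packet log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


@dataclass
class ScanSummary:
    port: int
    hits: int                      # TCP packets aimed at the port
    sources: Counter               # hits per source IP
    destinations: Counter          # hits per destination IP
    blocks: Counter                # hits per destination /24 (the poster's "Class C")
    sweep_like: bool               # many sources with few hits each: worm sweep, not one scanner


def summarize(lines, port=135, min_sources=3, max_hits_per_source=2):
    """Summarise attempts against `port` and flag a worm-style sweep.

    A single host scanning a range shows up as one source with many hits; a worm
    outbreak shows up as many unrelated sources with a handful of hits each.
    The thresholds are illustrative, not tuned values.
    """
    sources, destinations, blocks = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != port:
            continue
        sources[rec["src"]] += 1
        destinations[rec["dst"]] += 1
        blocks[rec["dst"].rsplit(".", 1)[0] + ".0/24"] += 1
    hits = sum(sources.values())
    sweep = len(sources) >= min_sources and (
        max(sources.values(), default=0) <= max_hits_per_source
    )
    return ScanSummary(port, hits, sources, destinations, blocks, sweep)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s.hits} TCP hits on port {s.port} from {len(s.sources)} sources")
    print("busiest source:", s.sources.most_common(1))
    print("hits per destination block:", dict(s.blocks))
    print("looks like a worm sweep:", s.sweep_like)
```

Run over a real log, `blocks` is what shows the skew the poster describes: one /24 collecting far more hits than its neighbours while `sources` stays spread across unrelated networks.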
Perhaps they should have used the SGI LAVA RANDOM NUMBER GENERATOR.
Lucky for everyone the Blaster worm is just annoying enough people are now aware of the security flaw in windows xp and patching it. I work tech support, since Tuesday morning we have been getting a steady stream of users bitching about how they could get a virus just by being connected to the internet.
If blaster had not come out think of all the trojan ddos viruses that would be spreading to all these XP and 2K machines and people would never know they had been compromised.
Sure it's a pain in the ass for me to fix everyone's pc, but it should have been done in the first place and once again people are starting to realize that if you are running microsoft software you better keep your critical updates, umm, up-to-date
-nayr
For a well written emulator, it's very unlikely for a random virus to detect and outmaneuver the emulator with logic - especially if you watch for trivial traps (back in the day, things like prefetch queue tricks and seg:off address wrapping, although these are obsoleted now). A virus is also not likely to go into a loop for 2 days under normal circumstances before infecting something - that'd hurt its survival rate. Under most practical circumstances, you can in fact emulate and easily determine what a virus does. These days worms and viruses are often written in higher level languages (VBScript, C++, etc), so the number of instructions has increased - but the same concepts usually still apply.
TBSCAN was both an awesome idea, and a bit scary. It actually *executed* the code, although it tried to sandbox it a little - there were a few tricks around to 'escape' the protections in his environment. Certain viruses would format the hard drive if you tried to remove them with thunderbyte - not pretty. However, it could also disinfect most viruses w/o knowing anything about them, so there was some neat code there.
I picked up my first assembler after getting hit by the Stoned virus and wondering how the hell it worked, then ran into Joshi shortly afterwards. Cleaners for those were easier than for no-frills (they were BSV/MBR viruses), but disassembling them was pretty interesting at the time.
I write code.
The Shatter exploit is alive and well - NGSSoftware has some VERY interesting code for exercising it on WIN32, Microsoft will likely be unable to patch this without having to extend WIN32 APIs (recompile your apps) or change the architecture of Windows. Mind you that's what was stated when this all first released last year too and they simply patched a few system calls - it's cat and mouse that they cannot win I'm afraid. This was handily demonstrated in 'Vegas just recently at Black Hat.
;-)
Anyway, it seems that it's going to be possible to do this in WIN2K3 too. It will be harder due to the "canaries" that Microsoft has instituted in the stack to detect overflows but the speaker had some pretty interesting ideas on getting around it and I believe it's been done. The code to exploit WIN2K and XP was released BTW, I'm not sure if they've released the code for 2K3 but it's coming and certainly enough info was handed out that smarter people in the audience could probably code it up given some time.
to be fair - this was NOT a remote exploit but it was a terrific way of compromising the UI (much security relies on simply graying out buttons it seems) and to escalate privileges. If you've never seen an Explorer desktop AND the Login box at the same time you really missed a treat
Build it, Drive it, Improve it! Hybridz.org
Ever think of growing up? You know that people LOVE to twist the text of the EULA's and you are no better than they are.
I've had the same install of XP since shortly before it was released, I have installed, uninstalled, beat on, pissed on, and sliced and diced it so much I keep expecting it to just laugh at me one day when I reboot, but it is still going strong. I have had MAJOR problems with Outlook 2002 since I installed the office service pack, but no real problems with XP at all. I've had handfuls of games, XML editors, database management tools, audio & video codecs and players, and other programs that I've installed and uninstalled after a while. I currently have 3 versions of Visual Studio, 2 versions of the .Net framework, SQL Server 2000, WMP9, Photoshop, a funky little desktop sidebar tool (toy, actually), SharpDevelop, Firebird, Office XP, Flash MX, Netscape 7, Kazaa Lite, RealOne, 2 CD burning programs, an FTP program, Acrobat, a bad scanner, some IM programs, several web sites, and whatever programs I'm working/playing on at the moment.
And like I said, only Outlook gives me trouble.
The truth doesn't care what I think.
I've often wondered why someone doesn't make a "virus" that spreads rapidly, but instead of wreaking havoc, just patches people's systems, copies itself to as many computers as possible, and then deletes itself. A philanthropic virus, as it were. Surely some good-natured person on Slashdot could whip something like this up in a matter of hours, send it to some unsuspecting, not-so-technically-inclined friends to get it started, and then watch the little bug cure the world.
I'm in Jersey City, typing on a Mac across the Hudson from a very patchily, (mostly un-) lit New York city, just part of the east coast that is in the dark (from Virginia to Ottawa [where I just spoke to the ex- who is sweating in her powerless condo,]) wondering how this disruption will affect the spread of the virus.
:-)
It certainly isn't doing much damage over here. The computers are completely safe. They're shut down and turned off.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
It takes more than the root password. By default root cannot login via SSH. The user must first login with a user name and password for an account in the wheel group, and then know the closely guarded root password. This can be changed, but there are warnings all around the configuration file where you do this telling you that it is bad security to allow root ssh access. Oh, the "all it takes is to know the root password" part of your post is funny. Only a real idiot makes that password available to anyone other than himself. If some users need elevated privileges, you can use "sudo" to let them run some commands as root, or just "suid" the binaries they need to run with root access privileges, no need to give them the root password at all.
I can't afford a sig!
Funny, must not have been modded down twice at the time. (I read at a 0 threshold)
This is not a Troll. Is it possible that the worm(s) caused the power outage? Could a computer or network failure in some little power plant have caused the cascading effect throughout that whole region? They have as yet not identified a cause..so is it possible?
There is nothing so powerful as an idea whose time has come.
We played with the worm at work in order to try and limit its damage. We found (like a lot of other companies) that if we poisoned our internal DNS by returning a null value for a DNS query for 'windowsupdate.com' that the worm stays in its propagation mode, and does not enable the SYN flood mode.
If you do a lookup on 'windowsupdate.com' today you'll notice there is no A record entry. So the magnitude of the coming SYN flood will be minimal. Granted there may be some hosts out there with the entry cached, but their effect should be minimal. Although I would have loved to see MicroSoft get blasted this weekend (and next week when all the returning people turn on their infected workstations at work), I really did not want to see our WAN links and firewalls get flooded.
I don't know about anyone else, but MicroSoft's help on this from a corporate standpoint was piss poor. I am a security engineer in a Fortune 100 company with 30,000+ employees. Despite all the millions we blow on M$ products every year, we were unable to get a dedicated M$ resource for this event. Any questions we had were forwarded to a "representative", and answered hours later with the answer usually being "patch your boxes". Gee thanks for the obvious answer M$, now how about some guidance from a holistic standpoint. They were unable to share any real analysis of their exploit, or what to expect. I can only imagine what little help smaller companies, and consumers received.
M$, take note: If you are going to produce the most easily exploitable code on the planet, then you better damn well get a dedicated security staff and make them available for events like these. Especially for large companies that have been fooled into thinking that M$ products are "enterprise ready" and that patch management for their is a no brainer. Since things only seem to be getting worse for you (and the rest of us), I would also suggest you ramp up on the number of resources you make available. It's time to get serious.
One other interesting point is that although the SYN flood has been averted, the worm author was still successful in DoS windowsupdate.com by forcing them to take it down. It will be interesting to see how long the DNS entry is missing. Knowing how ineffective patching is I don't expect to see 'windowsupdate.com' anytime soon.
I applied it although we probably didn't need it, and now our Office 2000 applications are hanging opening documents over the network. Can't find out why. Any ideas?
I wouldn't want MS to know you thought Azlea was fricking rad, either, or anyone else for that matter.
The reason is, "If a virus is 20megs in size, only an idiot would download it."
Seriously. I guess you could make it add a little random garbage at the end of every file to change the size, but that wouldn't fool a heuristics scanner, much less something that's actually got a piece of the code to compare.
The best you can get at this point is something that crawls network shares, or scans multiple ports, and that's not thinking, that's just idiot savant mode, which is about as good as it gets for a small piece of software.
Just my opinion.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
No; rather, I know that in the company I worked for and in a representative number of the others where I knew the people well enough to know, no viruses were written. I also knew and knew of a fair number of virus writers, all of whom were not on an AV company's payroll.
There are PLENTY of bored, disgruntled or easily-amused people out there who'll write a virus without being paid for it. Or do you think that the people who deface web sites etc. get paid for that, too? They're the same mindset, pretty much.
All I can say is my ability to even reach /. over the last 3 days has been crappy. I just give up after a while 99% of the time. WTF is going on, is it this damn worm eating up bandwidth? The connection attempts time out. I am running Linux, Mozilla, Konq and Galeon. All 3 are flaky as long as I am logged in to the site. A look at my firewall logs shows that 99% of all attempts to connect to my IP are on port 135 with a scattering of port 137. This crap is slowing the internet down. The stupid fuckers who didn't patch their M$ products should be shot.
As you can see I don't care about my karma.
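One way to turn the firewall-log observation above into a repeatable check, as an added example that is not the poster's code: a small Python script over constructed netfilter-style log lines (documentation-range addresses, not a real capture) that measures what share of inbound attempts target ports 135/137 and lists the sources sweeping many hosts on those ports, which is the propagation pattern rather than a stray connection.

```python
import re

# Regex for netfilter-style firewall log lines (SRC/DST/PROTO/DPT fields).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

# Ports the comment above saw being hammered: 135 (RPC endpoint mapper, the
# Blaster entry point) and 137 (NetBIOS name service).
BLASTER_PORTS = {135, 137}

# Constructed sample log, modelled on iptables LOG output; not a real capture.
SAMPLE_LOG = """\
Aug 15 21:03:11 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=1372 DPT=135 SYN
Aug 15 21:03:11 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.3 PROTO=TCP SPT=1373 DPT=135 SYN
Aug 15 21:03:12 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=TCP SPT=1374 DPT=135 SYN
Aug 15 21:03:12 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1375 DPT=135 SYN
Aug 15 21:03:15 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=UDP SPT=137 DPT=137
Aug 15 21:03:20 gw kernel: IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=80 SYN
Aug 15 21:03:21 gw kernel: IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=443 SYN
"""

def parse_events(log_text):
    """Yield (src, dst, proto, dport) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])

def port_share(log_text, ports=BLASTER_PORTS):
    """Fraction of parsed connection attempts aimed at the given ports."""
    events = list(parse_events(log_text))
    if not events:
        return 0.0
    hits = sum(1 for _, _, _, dport in events if dport in ports)
    return hits / len(events)

def scanning_sources(log_text, ports=BLASTER_PORTS, min_targets=3):
    """Sources that probed at least `min_targets` distinct hosts on the ports."""
    targets = {}
    for src, dst, _, dport in parse_events(log_text):
        if dport in ports:
            targets.setdefault(src, set()).add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)

if __name__ == "__main__":
    print(f"share of attempts on 135/137: {port_share(SAMPLE_LOG):.0%}")
    print("hosts sweeping the network:", scanning_sources(SAMPLE_LOG))
```

Feed it `cat /var/log/messages | grep kernel:` style output to get the same two numbers for a real firewall; a host that lands in the second list is a candidate for an outbound block at the border until it is patched.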
1) Chernobyl is not a worm.
2) Virii is not a word.
Recently, GRC.com released some kind of patch for a Windows XP vulnerability that was, if my memory is correct, about one tenth the size of Microsoft's patch. 800KB is a lot when there are thirty other formidable downloads--ranging beyond two megs for some--and all they have is 46kbit downstream. Microsoft should at least write tight code for their patches.
Since I am behind my router, will I still need to patch my computer for this worm, or am I going to be ok without it?
Kaboodle and noatun work pretty well for playing DivX-encoded AVI files under Linux, but I've had no luck trying to play most other Windows Media files.
Maybe that helps. *shrugs*
Why doesn't Microsoft simply modify this worm to install the patch that fixes the vulnerability. Then set it loose. If this worm works so well (and Microsoft doesn't break it), then this problem will be fixed in short order.
I take it you have read Dr. Mark A. Ludwig's[ameaglepubs.com/free_virus.html] Books yet?
In short, anyone could write such a virus but they choose not to.
Virus writing today has been compared to child's play by people (geeks,The message was in several parts (some of which aren't discussed here: "billy, stop collecting money and fix your software" and it was sent to all the "new", "unbreakable", "secure" OS's that Microsoft has staked their claim on. The fact that it was written sloppily showed that the writer was showing constraint; he only wanted to get a message across, not damage, for real, computers and the users of them.
The media may even know the real purpose of this, but of course they can't let on to it because it would ruin their agenda of hype to sell papers/airtime/etc...: it would bring viruses down to a rational level that even backwoods rural people could understand. I'm sure most /.'ers realize this too, but I thought I should balance off the hype that is /. sometimes with some reality. For a fact I know that consumers in general don't know this.
A case in point, I had a customer walk in to my WISP yesterday and he wanted to sign up with me because he got the worm and his other ISP didn't protect him from it. What were his claims of protection based on? The fact that he bought McAfee and he still got this virus. Somehow he thought it was the ISP's fault that his virus software couldn't stop this from happening.
A side note, if you ever think about taking advantage of situations like this, don't! It is in your best interest to keep the customer informed on what the real problem is; even if this means you don't gain them as a customer now, you probably will later, and when you do he'll know what is your fault or his.
This guy wasn't dumb, he was in his 60's and an established stock broker (I'm not sure if that rates as dumb or not;), but he just didn't understand why he paid money for something that can't protect against new virus'.
My point is that the general public needs to be made aware of what a virus is and why it works, along with a list of other things related. If virus writers wanted to, we could have to live with stuff like this on a constant basis. It isn't that way because virus writers have more sense than they are given credit for: they don't want to live in that kind of an environment: it only destroys a healthy economy, having the same effects as decades of constant war/terrorism. Think of these guys not as graffiti artists only, but as modern-day activists.
So next time you hear of a virus or one crosses your path, take time to try and find the message in it. Not wonder why it was more destructive or why it doesn't live longer (which btw the life span of viruses is measured in years/decades not months as the media/Symantec/McAfee would like you to think).
/. Heroics - 99.999%