Slashdot Mirror
LovSan Clone Let Loose
JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."
The RPC vulnerability this worm exploits was patched at least three weeks ago. Maybe if people would get it through their skulls that Windows ships with a BIG WINDOWS UPDATE LINK in the Start Menu for a REASON, and maybe if people would at least check for new, fun things weekly, these viruses wouldn't spread quite so far. The news outlets that focus on the "horrific" damage instead of the easy fix are doing their subscribers a disservice.
Besides, even if you don't care about security, you must at least admit it's fun to see a new "This vulnerability could allow an attacker to execute malicious code"-patch every week. I wonder what'll happen when Microsoft's numbering system overflows...
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
OK you'd have to be a cyber terrorism nut to believe the power blackouts were caused by the virus but some friends at Con-Ed have told me the virus isn't totally innocent, apparently the trouble ticketing / work management system some of the affected power companies are using is running on a load of windows servers and not all of them managed to get patched in time. So the recovery operation is being hampered a bit by the worm.
And I thought those guys were just exagerrating things.
Point taken, but badly stated. The FSF cracking incident was due to an application that runs on Linux, and does not ship with most Linux distributions--it has to be intentionally downloaded and installed.
So are we going to start adding all securities in third-party apps that run on Windows to the "Windows vulnerability" list? That's crazy.
Linux is a kernel, yes. But the fact that it's available in that form if that's all you want is an advantage, not a technicality. Try getting Windows without a GUI, or SMB.
i was wondering about the motivations of the person(s) that wrote this. they seemed to have a mad-on against microsoft. what seemed weird was that if this had been a 'quiet' worm that spread, there would have been a lot more machines that were infected on dday. ms being hit by a large number of zombies and having to *beg* people to clean up their systems would have been pretty funny.
i saw the news about the second (and third) versions and i just wondered if these (all three) we just a distraction. i wonder how many people looked for an awfully obvious process and if they did't see it, well, that was the end of the story?
somethings smells here.
eric
Yes, and notice that their anti-virus program detects both versions of the virus (the old and the "expectant" one) without even an UPDATE? Hmmmm... ;)
There is also a difference of scale in the sheer number of computers running the infected software. Outside of /., what is the percentage of people running anything else than windows on their desktop?
Moreover, what are the technical competencies of those people?
M$ tried to make the update process as painless as possible through their windows update website, but it seems to me that it is STILL a failure. 300k+ computers already infected? I cant believe this is ONLY NT4 machines with no auto updates...
You know here's an cool idea, seeing as the biggest problem with virii is that people don't keep their systems up-to-date.
When someone finds out about an exploit, they tell the company about it (aka MS) and give them time to come up with a patch. Then after sufficient time has passed for security concience people to patch their systems, a virus is released that takes advantage of the exploit to either inform the user that their system is vulnerable and that they should install the patch, or simply install the patch for them.
Alot of times it seems to take a big attack for busy system admins to roll out a system wide update. I have talked to people whose work computers have been hit pretty hard by virii and I just wonder what would have happened had they been hit by a truely malicious virus, not just these annoying but easily recoverable ones. It scares me.
This is getting extremely annoying - I'm still getting hits daily from Code Red & Nimda. I'd like to personally line up each person who hasn't patched thier system and slap them.
Along with the idiots at microsoft who don't make updates for IIS available though windowsupdate. (in my experience, ymmv.) C'mon, it's shipped with the OS, you've got automatic updates on by default, so make them patch the goddamn webserver.
I always wondered if the anti-virus companies have some programmers in their payroll who work on developing viruses -- either to predict things before they hit, or to keep product updates coming and profitable.
This might be off-topic. I have a question on "Net slowdowns are expected over the weekend when both versions of the virus start their attack."
Is this why slashdot.org feels slow/not responding and have missing images? All other Web sites seem fine. I noticed this at work, home, etc. with Mozilla v1.4.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Is there some reason that virus writers don't create their viruses to modify themselves automatically? It would be easy to defeat a checksum automatically. If you wanted to get really fancy, you could have it completely rewrite the code randomly by substituting different assembly sequences that are mathematically equivalent.
> Is there some reason that virus writers don't create their viruses to modify themselves automatically? It would be easy to defeat a checksum automatically.
Maybe some of them do do that, and the A-V firms haven't caught on yet.
Seriously, IMO the kind of worms we've seen so far are child's play compared to what we can expect when someone wants to do some serious damage. In the future we'll have stealth worms that just flip a few bits on your system and then erase themselves after propagating to another computer or two, worms that work as a genetic algorithm to optimize effectiveness and continually feed new variants into new "ecological niches" of the internet, worms that are mathematically optimized for the fastest spread, or conversely for the broadest under-the-radar spread, etc.
The future is bleak, IMO.
Sheesh, evil *and* a jerk. -- Jade
I had been working on my CAD system on my home machine running WIN95 and DOS. I wasn't even aware anything was amiss until I logged onto Slashdot to see whats new. I was wondering why it was so slow. My firewall responded in a bit and told me I was getting a helluva lot of connect attempts on port135. So, I go look up the log file and it looked like SQL slammer all over again. Almost a megabyte of infection attempts. I wondered at first if I had made an enemy on a dialup??? In 4 hours??? Why did the whole world seem determined to wax me off the web? Damm, it seemed like everyone in the world was wanting my port135.
Ok.. so I continue to read Slashdot and the story finally loads about this new LoveSan virus making the rounds. Hmmm. When I think of how much work would have been lost had something came in and messed up my machine, I shudder. But then, I don't run my machine wide open to the net. I try to practice secure techniques - such as never allowing any programs to run that I have not verified their intentions, and don't run anything that allows embedded executables ( read: javascript and later things post DMCA that haven't been "cleared" by what I consider trusted groups - which are mostly the groups the DMCA was aimed at in the first place. )
Sure, there are a lot of websites that I can no longer see. I can not even access the Southern California Edison site, nor many business sites - as they require these embedded-executable technologies as a requisite to viewing their content.
So, I sit here, with a pretty fast system, as its pretty simple. I have no virus scanning going on, as I am not running just anything I get in. I do have an integrity monitor running, which does a quickie on startup to see if any critical files are amiss ( it just calculates an MD5 on my key executables and compares to what they should be. ).. if so, booting to GUI is aborted and I drop to DOS to straighten it out - but its never happened outside a test situation.
I keep getting all these people telling me I should upgrade and be current with the times. I would gladly upgrade if the later stuff was actually better and more robust than the earlier stuff - but thats not what I see.
Oh yes, the "presentation skills" are definitely better on the new stuff, but I see the new systems much like a stunningly beautiful secretary that I can't trust, and spends a helluva lot of time doing her makeup.
I try to tell these business people what they are getting into by running software that hasn't been verified for trustworthiness, but they seem happy to go ahead and do it anyway as long as there is someone else to blame if things go amiss. I hoot till I'm blue in the face about these businessmen who put content on the web that can only be viewed with proprietary readers, whose underlying trojan motives, if any, can no longer be legally ascertained as a result of the DMCA.
I am especially puzzled by business's perception of proper etiquette. Would they hire a sales rep that constantly interrupted a customer in mid-question with comments on his grammar or spelling? Or worse yet, rudely hangs up on customers if they don't understand something? Is not a corporate web-site their sales-rep in cyberspace? Why would a business hire such rude representatives that coin their own protocols and chide the customers relentlessly for not adhering to their latest incarnations of the communications protocol "standard"?
At the risk of redundancy, I'll say it again. I do not like these proprietary unverifiable protocols. I consider them very risky - to me. I really don't care if YOU get hit with a virus, but I don't want any part of it.
Ok.. I just had to get this off my chest. It might cost me a bit of karma, but I had to say it in public in the hopes that someone in management that makes the decisions will hear my plea.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
One major manufacturing facility in Taiwan that I work with had its internal network hit including control devices running on Windows NT. It probably caused between 1 to 2 million dollars in damage because of production delays.
I had to stay up till 12am trying to figure what the crap was going on with my equipment when it was communicating with those stupid NT servers. We're running Redhat and I was sitting there using tcpdump trying to figure out what was wrong with the packets.
It looks normal from the Redhat side, but you'll get no responses from the Application layer on the NT side. It must flood the send pipe in the TCP/IP socket layer on the NT side.
WARNING: If you're running Linux in the Enterprise and you're interfacing NT, you'll be blamed first. Just know it ain't your fault.
Self-mutating viruses have been around for over a decade. They're called polymorphic viruses, and they usually work by reordering instructions, randomly inserting useless instructions (like NOP or OR AX, AX), or encrypting the virus against a varying table of keys and then decrypting the virus at runtime.
The 800kb patch has been out since last month. If you didn't patch, you know who to blame. Not Bill Gates.
As a matter of fact, this has been the only vulnerability in Windows Server 2003 since its release, and it was a vulnerability that was inherent in the interprocess structure of the Win32 library itself and so affected all the products in the Windows line.
I doubt we'll see any other holes in Windows Server 2003 for the rest of the year, especially since they're already working on the service pack (their plan is to phase in Blackcomb features). Microsoft's reputation is riding on this, and you better believe they were checking their code like crazy.
"Sufferin' succotash."
In my opinion, you have three classes of people that are capable of writing a worm:
The curious amateur
This guy has a couple clever ideas, few scruples, and a lot of spare time. All the wide-spread (and well-covered) worms, to date, have come from this kind of guy.
The white-hat professional
These are your security researchers other security professionals. these are the guys that get paid to work in this field every day. They're smart, the understand the details of the security business, and they're fully aware of the extreme vulnerability of the Internet. Like you, the know how bad a "real worm" could be.
The black-hat professional
These are your security researchers and security professionals. These are the guys who's job is security. They're smart, they understand the details of the security business, and they develop tools (including worms, trojans and viruses) to take advantage of these vulnerabilities. These tools are developed for a specific purpose: to further the objectives of their employer. You don't hear about them, because their tools are low-n-slow and their impact is very targeted and controlled.
The difference between a white-hat and a black-hat is a matter of perspective. The world is a big place. Certain governments do not have the same morals as others. Read The Economist. The French intelligence services work very closely with French businesses. The Chinese have equally questionable practices.
The future is not that bleak. The worms that are designed and released for wide-spread, global impact are the modern-day equivalent of graffiti on billboards. It's an ego trip, nothing more. The ones to worry about are the ones who don't have an ego, and have a specific purpose.
Hope you're checking your logs, and I hope you notice when he hacks your systems.
J.J.
I know it is the "in" thing to rag on script kiddies but it does not matter who did the damage. Why someone has more or less respect for a root kit user or a exploit writer because it was easy or hard to implement is beyond me. It would not matter to me if my systems were cracked by Solar Designer, Linus, or a t33n gamer. My claiming I was only cracked by a script kiddie does not make it any better, the damage is still the same. If it was something I could have patched but did not, I'd blame myself first.
IMHO (not probably not a popular one), someone who writes a virus that replicates by seeking out other victims through sockets is not what I consider to be a script kiddie. Code Red and Slapper were similar. Regardless of how poorly you think it is written, it has taken down between 250,000-500,000 internet users in only three days.
Bad boys rape our young girls but Violet gives willingly.
I asked if he could determine where the scans were coming from and he said that this was unusual and he was looking into it. He pointed out that there was no damage being done, but was curious as to who would be doing 12 hours of constant port scanning.
After an hour he called back and said that the scans were coming from just about everywhere, and that they were scanning only the port used by the Worm. His conclusion (and mine as well) was that a fault in the random number generation method used by the worm caused it to pick our Class C address block more than other ones, and thus we were getting the scans.
No damage is being done... so I guess we merely wait until (hahahahah) all these lusers patch their systems - but really, can the script kiddies out there PLEASE learn how to write GOOD code before releasing their worms? (or did this come straight out of microsoft labs itself - seems their typical crap coding style).
Perhaps they should have used the SGI LAVA RANDOM NUMBER GENERATOR.