LovSan Clone Let Loose
JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."
Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.
"It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems."
To be fair, the media's not going to be interested in reporting that it's not as bad as it seems.
(Note: I'm not saying it's not that bad, I'm saying don't trust the media to tell is its dying.)
"Derp de derp."
Bill gates, why do you let this happen? any coincidence that the attack is exactly 1 month to the day that the hole was announced..
The war with islam is a war on the beast
The war on terror is a war for peace
Kaspersky Labs, a leading expert in information security, has identified a new modification of the notorious Lovesan worm (also known as "Blaster").
Kaspersky Labs' experts anticipate that in the short run a repeated outbreak of the global scale may occur. This is because the two versions of "Lovesan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovesan" will soon be attacked by its revamped version," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, "Taking into consideration that the amount of infected systems is now reaching 300,000, the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web: just as it happened in January 2003 due to the "Slammer" worm.
Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.
Users of Kaspersky(R) Anti-Virus can be sure that this new worm will not harm their computers. All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update.
that an antivirus lab announced that a new clone was on the way, not spreading but on the way.
Banaaaana!
I'm starting to feel left out.. Maybe I'll install Windows on a box and join the fun.
When the source is open, the possibilities are endless.
The RPC vulnerability this worm exploits was patched at least three weeks ago. Maybe if people would get it through their skulls that Windows ships with a BIG WINDOWS UPDATE LINK in the Start Menu for a REASON, and maybe if people would at least check for new, fun things weekly, these viruses wouldn't spread quite so far. The news outlets that focus on the "horrific" damage instead of the easy fix are doing their subscribers a disservice.
Besides, even if you don't care about security, you must at least admit it's fun to see a new "This vulnerability could allow an attacker to execute malicious code"-patch every week. I wonder what'll happen when Microsoft's numbering system overflows...
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
"Linux has its own problems. But you mod them -1 under the rug until the fsf site gets hax0red. troll but true. "
That was true like a year or two ago, but since this has come up I've been amazed at how things have changed here. It's not that it's turning pro-Microsoft, but the "Everything Linux does is perfect" attitude has settled back down to realistic levels.
I agree with you, though, Linux is a root password away from being ssh'd to hell.
"Derp de derp."
"All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update."
Guess they were just damned lucky there.
If we're lucky the power will be out and the worms won't be able to carry out their attack.
Sheesh, evil *and* a jerk. -- Jade
How many times do people need to be told this?
- FSF FTP site gets hacked. Some people are mined for passwords.
- A significant proportion of all desktop machines on the internet are compromised by a self-propagating virus, and the internet is affected by the sheer quantity of traffic generated by the worm.
I think there's a slight difference of scale there.
Those in the US north east and south east Canada.....
OK you'd have to be a cyber terrorism nut to believe the power blackouts were caused by the virus but some friends at Con-Ed have told me the virus isn't totally innocent, apparently the trouble ticketing / work management system some of the affected power companies are using is running on a load of windows servers and not all of them managed to get patched in time. So the recovery operation is being hampered a bit by the worm.
And I thought those guys were just exaggerating things.
SCO declares that it holds the copyrights to LoveSan and demands that all clones pay a $1500 licensing fee.
The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant.
Get Firefox!
This uses the same vulnerability as before. Which means that if you were hit by but recovered from blaster, you'll be safe from this one. That said, this is a more virulent form, and will screw over unprotected networks even faster. But it won't be nearly as damaging as the original. This is just an example of an anti-virus software producer hyping up a virus to sell their product.
I think it's funny that I've had the patch since it's been out and almost everybody in the US doesn't have their boxes patched. It kinda pisses me off though, that M$ is not getting blamed for having the vulnerability. Yes, nobody is perfect, I'm sure Linux and MacOS have exploits that can do the same things, except they don't make $498,324,059,872,309 a minute. The world needs to realise that's all bill wants to do: make money from idiots
Microsoft have released a tool to scan your local network (or the whole net if u really wanted to).
Download
Network admins have fun.
Point taken, but badly stated. The FSF cracking incident was due to an application that runs on Linux, and does not ship with most Linux distributions--it has to be intentionally downloaded and installed.
So are we going to start adding all securities in third-party apps that run on Windows to the "Windows vulnerability" list? That's crazy.
Linux is a kernel, yes. But the fact that it's available in that form if that's all you want is an advantage, not a technicality. Try getting Windows without a GUI, or SMB.
Yeah that sucked. Anyway, I find it interesting to note the common public reactions to these outbreaks of exploits.
For example, this link shows a CNN poll where "Doing Nothing" about the worm is tied with "already downloaded a patch" -- this is kind of interesting, since CNN would be a more "general user" audience than tech savvy folk here.
I wonder why no one seems to really care about computer security until it hits them with data loss, or worse.
Patches and backups are things people always promise to do "later" -- and, luckily for data recovery companies, later seldom comes.
I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems? Would you trace them to user negligence, or Microsoft software, or perhaps a combination of the two? Perhaps it's some other factor, such as the "dumbing-down" of computers by the media leading to common misconceptions?
Sometimes, as reports of Windows exploits become a daily news item, I often wonder when people will, en masse, decide they've simply had enough and switch?
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
Lovsan is a proprietary product of SCO. All users who are running Lovsan on their computers without a license will face charges of $5,000.
Licensing fees start at $699 for home users.
Saying your OS is the best because more people use it is like saying MacDonalds make the best food
i was wondering about the motivations of the person(s) that wrote this. they seemed to have a mad-on against microsoft. what seemed weird was that if this had been a 'quiet' worm that spread, there would have been a lot more machines that were infected on dday. ms being hit by a large number of zombies and having to *beg* people to clean up their systems would have been pretty funny.
i saw the news about the second (and third) versions and i just wondered if these (all three) were just a distraction. i wonder how many people looked for an awfully obvious process and if they didn't see it, well, that was the end of the story?
something smells here.
eric
I'm surprised someone doesn't write a worm to patch the vulnerability and clean the system, if already compromised. After all, if you don't mind leaving yourself open to attack by a malicious worm, how can you complain about getting repaired by one that is beneficial?
christ, right after i wander over to symantec's website to see what this thing really is. the few friends of mine that i've talked to about this, they told me it was some kind of security breaching attack against a system, and that msblast.exe is the program that a hacker can use to remotely control a pc, perhaps to host an ftp server or some other hoopla. then i received some distressful emails from the ITS department at my university, saying many of the computers have been infected but are now isolated in an attempt to control the spreading of this thing. then yesterday, i was at work and in the course of only three hours i had two people come up to me asking about antivirus software (i work in retail) - they were infected. i wasn't sure what to make of this new threat at that point, so i told them that norton may or may not be able to help. then when i got home and checked out what symantec had to say, all the documentation was already done on this new strain of worm. so it is, after all, a destructive worm that reproduces itself, no hacking involved. i read the whole thing, and then i read microsoft's security bulletin (which is more vague, the only important thing it has to say is that you need to patch your os and tells you where to get the patch). so it's simple. just patch your os, update virus definitions. and run fixblast.exe courtesy of symantec. designed to remove any threat. i have already helped one person by personally removing the virus from her system by using that simple sweeping program, which simply scans your computer for the registry keys and msblast.exe and removes it if found. it was pathetically easy. and symantec's documentation backs me up on this; it is very easy to remove using their tool, not as easy but still not challenging to do it manually either (instructions for that are also available).
today i received another email from ITS, a new strain is out, and all the computers on the network are preparing for a massive DOS attack against windowsupdate.microsoft.com (not sure if that address is correct, tell me if i'm wrong). how they know this or why someone would want to do something so completely insane with this worm is beyond me. the point being, it can easily be fixed, and thanks to dedicated teams like symantec, virus threats can be kept to a minimum in combination with prevention awareness.
Yes, and notice that their anti-virus program detects both versions of the virus (the old and the "expectant" one) without even an UPDATE? Hmmmm... ;)
You know here's a cool idea, seeing as the biggest problem with virii is that people don't keep their systems up-to-date.
When someone finds out about an exploit, they tell the company about it (aka MS) and give them time to come up with a patch. Then after sufficient time has passed for security conscious people to patch their systems, a virus is released that takes advantage of the exploit to either inform the user that their system is vulnerable and that they should install the patch, or simply install the patch for them.
A lot of times it seems to take a big attack for busy system admins to roll out a system wide update. I have talked to people whose work computers have been hit pretty hard by virii and I just wonder what would have happened had they been hit by a truly malicious virus, not just these annoying but easily recoverable ones. It scares me.
This is getting extremely annoying - I'm still getting hits daily from Code Red & Nimda. I'd like to personally line up each person who hasn't patched their system and slap them.
Along with the idiots at microsoft who don't make updates for IIS available through windowsupdate. (in my experience, ymmv.) C'mon, it's shipped with the OS, you've got automatic updates on by default, so make them patch the goddamn webserver.
We at CodeWeavers are proud to announce our new product: Crossover Blaster. This new piece of software for the Linux operating system will provide the same quality that you've come to expect from Crossover Office, but this time with the very popular Blaster worm (known to some as LovSan). It will even work with clones of the worm.
Finally, all the Linux users who have felt left out can participate in the reboot fun. It is a bargain for $50. See www.crossoverblaster.devnull for more details.
Disclaimer: I do not work for CodeWeaver. My views are purely my own.
A text string in the virus says "love you san". There's also one having a go at "billy gates".
This might be off-topic. I have a question on "Net slowdowns are expected over the weekend when both versions of the virus start their attack."
Is this why slashdot.org feels slow/not responding and have missing images? All other Web sites seem fine. I noticed this at work, home, etc. with Mozilla v1.4.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Hey AV experts, just wait till the 17th to post a fix, please?, in the meantime, have fun, enjoy the beach, watch windowsupdate.com as it goes DoSed, what a wonderful life!. At last a virus that goes to the source of the problem. hehehe I think I'll get some Karma for saying this, well, some Karma is not too bad!.
If this worm didn't exist, the systems would remain unpatched until some much more destructive exploit was distributed (say, deleting all your files).
Think of it as vaccination - a mild form to shore up our defenses, so a killer form doesn't get us.
It's not wasting time, I'm educating myself.
It is certainly evident that either Windows was not originally designed to be secure, or that those who coded it were fairly sloppy in implementing the design (perhaps a little of both).
The fact that nobody patches their systems is an indication that the delivery method is flawed. It must be that the patching system has one or more of the following problems:
1. Too complicated, or too flaky to make updates simple
2. The importance of patching is not impressed on the user at install time
3. Patches are too flaky to have automated installations done without even bugging the user
The thing is, all of the above are true on some level. Windows update is flaky, patches don't always install properly. And on top of that it doesn't keep good track of what updates are installed. It doesn't check library versions, or versions of actually installed files, it checks some database that IT generates. Regarding the second point, it's too damn easy to switch off automated updates altogether. No reason to bug the user more than once, but use some bold type in there noting that they could get r00ted and their files could magically disappear. The last point is valid as well. If I recall correctly a patch for a recent worm, in its original incarnation conflicted with another patch or broke certain pieces of software.
I just don't understand why people put up with this. After you've lost as much money to downtime as it would cost to replace those windows boxen with some other solution (linux, mac os x, or anything else; this applies especially to systems where doing remote updates is easy and free. microsoft charges for tools to deploy plugs for all the holes in their operating system on a large scale. linux and mac os x updates can be performed via the command line, so you could script updates to network machines).
One major manufacturing facility in Taiwan that I work with had its internal network hit including control devices running on Windows NT. It probably caused between 1 to 2 million dollars in damage because of production delays.
I had to stay up till 12am trying to figure what the crap was going on with my equipment when it was communicating with those stupid NT servers. We're running Redhat and I was sitting there using tcpdump trying to figure out what was wrong with the packets.
It looks normal from the Redhat side, but you'll get no responses from the Application layer on the NT side. It must flood the send pipe in the TCP/IP socket layer on the NT side.
WARNING: If you're running Linux in the Enterprise and you're interfacing NT, you'll be blamed first. Just know it ain't your fault.
Damn if you are going to write a worm make it do some damage. You back hats are really starting to bore the shit out of me.
For instance take this worm and add the ability for it to seek the network for every single excel spread sheet it can find and randomly mix up a couple of cell values. Then have it set the access time back to the original.
Hell just write a few bytes to a random location in any file you can access.
Come on black hats, quit boring me!
Got Code?
While some companies in the AV industry have shown (ahem) questionable ethics in the past, I think it's stretching to say they WRITE the viruses, rather than just hype them.
... some of our ideas would have been quite evil indeed. And most of us were pretty good programmers.
...
For one thing, there are plenty of idiots out there quite willing to write a virus for free.
For another, if the viruses/worms/trojans were written by the AV firms, they'd be MUCH better. My co-workers and I would regularly discuss how one could, hypothetically, write the ultimate virus
Contrast that with the true nature of most successful 'in the wild' viruses -- most of which aren't that well written
It's getting a little too easy to randomly reference SCO in some way for a +5 Funny.
Just my opinion. I'm tired of this same "joke" showing up in every article.
"Sufferin' succotash."
What was it a month or two ago that Microsoft said they were going to start charging for updates? If they were to start doing that tomorrow Microsoft will become richer and more powerful because everyone will remember this and start paying for the updates because they don't want to see this happen to their system again. Very few people even realize there are other options out there for operating systems. I hope people start waking up soon.
It is very easy to configure OpenSSH to not allow remote root login. 'PermitRootLogin no'. Newer versions of OpenSSH have that as a default, so you would have to actively allow root logon.
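The directive named in the comment above is the one place in sshd_config that decides whether root can be reached over SSH at all. The script below is an added example, not part of the thread: it reads sshd_config text the way sshd does (comments stripped, first occurrence of a keyword wins, keywords case-insensitive, `Match` blocks not counted as the global value) and reports whether the effective setting is the weak `yes`, the hardened `no`, a key-only variant, or absent so the compiled-in default applies. The two sample configs are constructed for the demonstration.

```python
import re

# Values OpenSSH documents for PermitRootLogin; "yes" is the weak one.
ACCEPTED = {"yes", "no", "without-password", "prohibit-password", "forced-commands-only"}


def effective_permit_root_login(config_text):
    """Return the global PermitRootLogin value from sshd_config text.

    sshd uses the first occurrence of a keyword, ignores '#' comments, treats
    keywords case-insensitively and accepts 'Keyword value' or 'Keyword=value'.
    Anything after a 'Match' line applies only to that block, so scanning
    stops there. Returns None when the directive is absent (default applies).
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return None


def audit_root_login(config_text):
    """Classify a config: 'weak' (root may log in, password included),
    'ok' (no), 'restricted' (key-only variants), 'default' (unset), or 'invalid'."""
    value = effective_permit_root_login(config_text)
    if value is None:
        return "default"
    if value == "yes":
        return "weak"
    if value == "no":
        return "ok"
    if value in ACCEPTED:
        return "restricted"
    return "invalid"


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
Port 22
# Root allowed with a password: the setting the comment warns against
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PermitRootLogin yes   # inside a Match block, not the global value
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        value = effective_permit_root_login(cfg)
        print(f"{name}: PermitRootLogin={value} -> {audit_root_login(cfg)}")
```

Run it against a real file with `audit_root_login(open("/etc/ssh/sshd_config").read())`; a result of `default` means the answer depends on the OpenSSH version installed, which is exactly the case the comment describes.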
And the muscular cyborg German dudes dance with sexy French Canadians
The desktop world is ruled (by numbers, anyway) by Microsoft. Any potential malware s'kiddie can knock together some malware in a few hours, dump it into some unsuspecting newsgroup somewhere or email it to his Outlook-using mates and start an epidemic relatively easily. The sheer number of vulnerable machines makes that easy.
The installed base of Windows boxes also means that, despite MS not opening up their code to anyone (except governments and universities willing to sign away their first-born as insurance against breaking the NDA), large numbers of people spend vast tracts of time throwing McValue Meal-sized URLs at web-servers and mutant packets at RPC interfaces.
Lots of people x Lots of time x Lots of machines = lots of vulnerabilities found...
Now consider *nix. It has a number of advantages straight off the block:
- It's open source. Code that finds its way into the kernel goes through the best peer-review system available; public scrutiny.
- Generally, the people who run *nix are more tech-savvy than an average Joe Blow.
- Any vulnerabilities that are found get acknowledged and fixed very quickly.
But what would happen if *nix had the sort of desktop penetration that Windows does? How quickly would the kind of person that thinks a computer case is called a 'hard drive' apply a *nix security patch? If *nix was that popular, how many more people would devote vast tracts of time to finding obscure security holes and vulnerabilities? Just a thought. Now flame away ;)
Windows Tweaks
To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened to)
Now you can actually *see* when the worm tries its futile attack on your superior OS.
Just in case others got misled by the general press reports: The MSBlast (and its two known variants) worm attack against WindowsUpdate.com will really start at 4 a.m. Pacific Friday (Redmond time). As noted in this News.com piece the widely-reported "midnight" is really "when a PC clock shows midnight" -- whenever Friday becomes Saturday, starting across the International Date Line in Anadyr, Russia. Set your TiVos accordingly, assuming you have power.
I was updating a couple computers tonight, and at 10:20 Central Time, windows update worked great. At 10:30 windows update and microsoft.com website is inaccessible.
Nothing, Nada.
I guess in a weird sort of way, its ironic.
The next step is to remake the Administrator account, except make it a basic user and give it no privileges at all. Then give it a really long random password. If someone ever tries to h4x0r the box, this one is guaranteed to keep the script kiddies busy for days!
There are massive legal ramifications to this.
Firstly, the second strain of the virus is clearly derived from the first strain. This is blatant piracy, and a violation of the cherished IP of the original authors.
The original author of the virus is now in a position to reap a windfall, by
- Suing the second author to the tune of $3Bn for having blatantly stolen their code.
- Suing the thousands of owners of infected machines because they may be running pirated code in violation of the DMCA.
- Offering infected users a $699 licence fee for running the derived virus, which will protect them from any further legal action.
What the authors of the second, derived virus have done is abominable, and shows a callous disregard for the IP rights of the original authors. They are nothing but pirates, and a threat to the wholesome values of benign free-trade capitalism.
Well that and many home users are just barely computer literate and don't know how to update their computers. If they buy one that doesn't have the automatic update feature already turned on, then they have no idea how or where to get the updates. My parents got the worm mostly because they didn't know there were updates, and secondly they didn't know how to do the update.
Perhaps to not be redundant, most appear to view this as a comedy issue. Maybe all future Microsoft security issues, worms and trojans should be filed under the comic section?
It is certainly redundant to state the simple solution is to abandon all Microsoft products. There must be hundreds of exploits 'widely known among hackers' but not known to Microsoft and/or published. Any 'hacker' worth his salt can get into any NT type server with a minimal effort and can certainly get to clients and install servers. The truth of the matter is us old hacks are really bored with Microsoft.
Symantec lists *three* versions on their web site. One of which has its executable named penis32.exe (the B worm uses penis32.exe and the C worm uses teekids.exe)
Source: http://www.sarc.com
LedgerSMB: Open source Accounting/ERP
I asked if he could determine where the scans were coming from and he said that this was unusual and he was looking into it. He pointed out that there was no damage being done, but was curious as to who would be doing 12 hours of constant port scanning.
After an hour he called back and said that the scans were coming from just about everywhere, and that they were scanning only the port used by the Worm. His conclusion (and mine as well) was that a fault in the random number generation method used by the worm caused it to pick our Class C address block more than other ones, and thus we were getting the scans.
No damage is being done... so I guess we merely wait until (hahahahah) all these lusers patch their systems - but really, can the script kiddies out there PLEASE learn how to write GOOD code before releasing their worms? (or did this come straight out of microsoft labs itself - seems their typical crap coding style).
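The situation in the comments above (twelve hours of scans on one port, from "just about everywhere", concentrated on one class C) is something a perimeter log can confirm without phoning the ISP. The script below is an added example, not from the thread: it parses netfilter-style kernel LOG lines, keeps only inbound TCP attempts to port 135 against the local block, and reports how many distinct sources there are, how much of the block they touched, and which sources are noisy enough to block temporarily. The log lines are constructed for the demonstration and the local block 192.0.2.0/24 is an assumed value.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed netfilter LOG lines (SRC/DST/PROTO/DPT are the standard fields).
SAMPLE_LOG = """\
Aug 16 09:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1311 DPT=135 SYN
Aug 16 09:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=1312 DPT=135 SYN
Aug 16 09:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.12 PROTO=TCP SPT=2044 DPT=135 SYN
Aug 16 09:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.13 PROTO=TCP SPT=2045 DPT=135 SYN
Aug 16 09:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=3022 DPT=80 SYN
Aug 16 09:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.46 DST=192.0.2.14 PROTO=UDP SPT=5353 DPT=135
Aug 16 09:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.15 PROTO=TCP SPT=1313 DPT=135 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract source, destination, protocol and destination port, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def summarize_probes(log_text, dport=135, proto="TCP", local_net="192.0.2.0/24"):
    """Count inbound attempts on `dport` per source and how much of the local
    block they reach. Many sources each touching a few hosts is what worm
    propagation looks like; one source sweeping the block is a deliberate scan."""
    net = ip_network(local_net)
    sources = Counter()
    targets = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] != dport or rec["proto"] != proto:
            continue
        if ip_address(rec["dst"]) not in net:
            continue
        sources[rec["src"]] += 1
        targets.add(rec["dst"])
    return {
        "attempts": sum(sources.values()),
        "distinct_sources": len(sources),
        "targets_hit": len(targets),
        "coverage": round(len(targets) / net.num_addresses, 4),
        "top_sources": sources.most_common(3),
        "per_source": dict(sources),
    }


def noisy_sources(log_text, threshold=3, **kwargs):
    """Sources with at least `threshold` attempts: candidates for a temporary block."""
    per_source = summarize_probes(log_text, **kwargs)["per_source"]
    return sorted(src for src, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    for key in ("attempts", "distinct_sources", "targets_hit", "coverage", "top_sources"):
        print(f"{key}: {summary[key]}")
    print("block candidates:", noisy_sources(SAMPLE_LOG))
```

Feed it real lines with `summarize_probes(open("/var/log/kern.log").read(), local_net="<your block>")`. A high `distinct_sources` with low per-source counts is the signature the commenter's ISP described; the opposite shape points at one scanner and is worth a closer look.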
Perhaps they should have used the SGI LAVA RANDOM NUMBER GENERATOR.
We played with the worm at work in order to try and limit its damage. We found (like a lot of other companies) that if we poisoned our internal DNS by returning a null value for a DNS query for 'windowsupdate.com' that the worm stays in its propagation mode, and does not enable the SYN flood mode.
If you do a lookup on 'windowsupdate.com' today you'll notice there is no A record entry. So the magnitude of the coming SYN flood will be minimal. Granted there may be some hosts out there with the entry cached, but their effect should be minimal. Although I would have loved to see MicroSoft get blasted this weekend (and next week when all the returning people turn on their infected workstations at work), I really did not want to see our WAN links and firewalls get flooded.
I don't know about anyone else, but MicroSoft's help on this from a corporate standpoint was piss poor. I am a security engineer in a Fortune 100 company with 30,000+ employees. Despite all the millions we blow on M$ products every year, we were unable to get a dedicated M$ resource for this event. Any questions we had were forwarded to a "representative", and answered hours later with the answer usually being "patch your boxes". Gee thanks for the obvious answer M$, now how about some guidance from a holistic standpoint. They were unable to share any real analysis of their exploit, or what to expect. I can only imagine what little help smaller companies, and consumers received.
M$, take note: If you are going to produce the most easily exploitable code on the planet, then you better damn well get a dedicated security staff and make them available for events like these. Especially for large companies that have been fooled into thinking that M$ products are "enterprise ready" and that patch management for them is a no-brainer. Since things only seem to be getting worse for you (and the rest of us), I would also suggest you ramp up on the number of resources you make available. It's time to get serious.
One other interesting point is that although the SYN flood has been averted, the worm author was still successful in DoSing windowsupdate.com by forcing them to take it down. It will be interesting to see how long the DNS entry is missing. Knowing how ineffective patching is I don't expect to see 'windowsupdate.com' anytime soon.