RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
Now they just need to release a worm that cleans up the Blaster virus by formatting the machine and installing Linux.
The only thing better than a clean up worm... is a gummi worm!
'Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?'
Did anything interesting happen yesterday on this? Did killing the domain really prevent the worm from doing any damage? I sort of expected an internet slowdown (i.e. Slammer), but didn't notice anything.
What happens when someone releases an anti-anti-Blaster-worm-worm-worm?
dinner: it's what's for beer
my whole business model...
Oh well, what the hell...
Oh wow! This is the internet equivalent of white blood cells! First there were white-hat hackers. Now white-hat virus writers? Makes a damn good change!
I see a virus that actually does something good.
I'm taking bets on how long till the first lawsuit comes out against the person or persons who wrote this helpful worm. I say it will happen before the people who wrote the destructive worms are even arrested.
Space for rent, inquire within
I'm glad someone took the initiative to fix this. Hopefully the worm is successful in patching the machines.
Now, as much as this is a good idea, it is bad because it reduces internet bandwidth and creates users who don't know how to run Windows Update; if someone else keeps fixing the problem, it will never be fixed.
For The Best Jazz/Hip-hop fusion > COlD DUCK
This is just like the Futurama episode where Fry ate the "egg" sandwich which contained worms. The worms turned Fry into an intelligent muscle man. Very cool episode.
Heh, if this turned into a trend, it could spell the end of an industry - the virus-removal industry. Imagine: open-sourced, hunter-seeker virus removal worms, out in the wild nearly as fast as the original, cleaning up the mess some scridiot created in a fit of juvenile mischief. Somehow, I don't think the virus writer/scanner cartel will let this become a trend.
People who think they know everything are a great annoyance to those of us who do.
It's pretty sad that someone has to release a worm to clean up a mess Microsoft couldn't... sounds like Microsoft needs to hire a certain someone to me...
Because Mom and Pop can't be bothered to figure out this internet thingie ("can I talk on the phone at the same time? Will it turn on in the middle of the night and download spam?") It seems some avenging white-hat (aka Sysadmin who is tired of encountering so many damn infected machines) has coded up a viral solution!
An even better twist of fate would be for that individual to get arrested for creating a worm! (It's a DMCA violation to use that hack...)
In the future, I would want to not be isolated from my friends in the Space Station.
I wonder if MS is h4x0r1ng themselves... maybe they figured the best way to get out a patch is to use their own vulnerability. ;-)
"It worked for the hackers, maybe it'll work for us!"
Next time we have a vulnerability someone write a worm that automatically applies the MS patch.
Maybe MS itself launched this new worm to 'force' infected and/or un-patched machines to apply their patches?
I've had this idea for quite a while now. All these people that find exploits should just write a virus to patch the vulnerability.
Bravo.
some admin got sick of applying patches and figured the same bad decisions that got people into the situation could get them out again.
I just got done scanning all my users to check for the patch install. About 1/4 have the patch so far, of those that are publicly accessible and not behind a firewall. Using the tool on Microsoft's website, and it seems to work well for us ISPs. I set up the router to block that port on my core router, but if someone gets inside the network with it, we might still get hit. This thing is bad.
No.
Wow, a worm to do the work that the sysadmin should have done in the first place. That'll encourage those lazy sysadmins to just sit back and continue to do nothing.
Prevent email address forgery. Publish SPF records for y
Instead of quickly cleaning mblast last week from my network, I could have just sat around on my ass and played video games . . . and let this worm do all the work for me. Damn.
I have wondered for a while when this sorta thing would start happening, anti-virus coders that go after the virus coders.
This could be something we see more of in the future, almost like a battle between the two groups, taking place on machines throughout the world while the majority of users are completely unaware.
It could be pretty interesting to see the whole thing unfold!
turning over my network to a well-meaning worm. I trust that it will properly protect my network. I believe that the teeth I put under my pillow magically are turned into quarters. I am confident that Microsoft has resolved this RPC implementation problem. I have faith that Microsoft's security initiatives are on track. I am sure that elves fix my shoes when I fall behind on my work.
I think on numerous occasions it was debated here and in other places whether this was something that should be done or not. I think some people raised privacy concerns and other ethical things like that. Basically saying "a virus is a virus" (yeah, yeah it's a worm :)) However it can be sort of viewed in the way vaccines are. Harmless strains of virii used to boost the immune system. That's just what this worm does. It's a harmless strain that clears up an "infection"
I think this is a worm I wouldn't mind my parents having on their computer. I'm almost positive they haven't patched their machine and now that DSL is in their rural area they're all the more vulnerable to it. If this can clean it up for them without me pulling my hair out while going over the update process then so be it :)
This is probably the best internet virus news I've heard in a long time. Unfortunately, it's only a matter of time before the creator is tracked down and prosecuted for violation of internet security laws.
The first, last, and only tech news site on the net
Now we just need a worm that reformats the hard drive and installs Debian.
grammar-lesson free since 1999. (rescinded - 2005)
Nice intentions, but the worm still increases network traffic looking for new machines to fix. So there are some harmful effects, though in this case I think the benefits outweigh the costs.
Something about this seems like a global scale Core Wars game. How scary, horrible and cool at the same time.
someone makes a worm that downloads and installs a Linux distro?
No good deed goes unpunished. Who's going to give odds that the writer(s) of the 'good' worm will get caught and strung up by the short hairs under the DMCA? As long as it only affects machines that haven't already been patched- great. But what if it's flawed and actually causes unintentional damage? And if the original authors of the Blaster worm's intent was to teach people who ignore warnings a lesson, might this not start a virus war, of sorts? Sounds cool, but I'm not convinced this is an entirely good thing.
666-607: 6th floor apartment of the beast
Last week we were discussing the MSBlast worm here in the office and I commented, rather offhandedly, "I wonder how long it will take before someone writes a phage worm that uses the same hole, but eats MSBlast?"
Apparently the answer is 'Four days at most...'
The extent to which the Internet recapitulates evolution and biological systems is astounding!
Are you an SF Fan? Are you a Tru-Fan?
A sensible worm, although it will be interesting to see how many anti-virus companies will classify this as a "threat" or not, don't you think?
;).
- It is a worm by nature, but it also does good but without the user's authorization... Sounds a bit like automatic windows update gone postal
So where do I send people to get infected?
-Alex
I'm sure I'm not the only one who is not quite sure whether this is a good or a bad thing.
My conscience and ethics are torn apart by this...
-Pete
Soccer Goal Plans
You know you're thinking it:
ALL YOUR WORMS ARE BELONG TO...
Oh, never mind.
Microsoft do something like this in the first place? I'm sure it would have alleviated some of the problems and prevented the necessitation (wow, does that make sense?) for "removing" windowsupdate.com.
You might quote legal implications on MS' behalf but I'm sure they make those EULAs for a reason... there'll be some "get out of jail free card" they could use there.
Now, if only GNU/Linux(TM-RMS) had enough defects to allow this sort of unsolicited optimization to take place. Clearly Windows(TM-MS) is superior in this regard!
Cheers!
"The only good windmill is a tilted windmill."
"See? See?!! We don't need to patch our systems because Microsoft is doing it for us by mailing us the fix in e-mail! See?! I'm not afraid of worms because eventually someone will fix it for me!"
Un-news
I just wrote about it: http://www.elsevier-international.com/e-books/viewbook.cfm?ID=632 :)
We need someone to write a worm that does this:
1) Infect Windows box via RPC (or any exploit)
2) install Kazaa Lite (or an equiv.)
3) Download copyrighted songs
4) share them
5) infect other boxes... etc etc
Think about the implications... if the RIAA files suit, you have a defense: "Hey I was infected by that evil DCOM/Kazaa worm!"
But does this new worm try and download the update from www.windowsupdate.com?
P.S. If you didn't know, Microsoft took down windowsupdate.com, the correct site name is windowsupdate.microsoft.com
I wonder how Norton and the rest will handle this worm. Will they quarantine it if found on machines or will they ignore it?
Now we are one step closer to sky net
Look out, the machines will take over.
The Internet is full. Go Away!!!
Begun, this worm war has.
Basically someone has given you a week to fix it yourself, or they fix it for you.
This rocks.
So, say m$ really did write this "virus". Any computer that blaster will run on has theoretically signed off on m$'s evil auto-update EULA, so wouldn't this theoretically be "legal" for m$, but not anyone else. Wouldn't that situation sort of contradict the DMCA?
Everything I know I learned by eating the brains of smart people.
should provide a great test of the security savvy of university IT departments, as students return to the dorms and plug in their unpatched computers, the vast majority of which probably haven't been connected to the Internet in several months.
Unsecured university networks could unleash a new wave of worm-infected machines on the Net. This could be fun to watch, for those of us who aren't uni sysadmins...
--joedoe
No kill I, I children feed! ./msblast please PLEASE!!
OH THE SHAME I fell off the wagon and use sigs again!
Can you imagine the damage that the 6 Kb LovSan worm could have caused if the author had changed its payload to a time-delayed "deltree C:\*.*"? This single virus keeps surprising me - from what I've read/experienced (and I've had to clean up a few machines now), the original msblaster.exe worm did not introduce a backdoor into your computer, only spread itself while causing that nasty RPC error. In the past few days the source was released on some vulnerability sites, and now several trojan variants have appeared (watch traffic on port 4444). My guess is that a contact-list based, email-spread variant will also appear. This clean-up worm is yet another twist (perhaps written by the author of the original, as the message left in the startup reg key suggested he/she was advocating better Windows security instead of internet havoc). MORE INFO: http://www.swcp.com/msblaster-info.html FIX (better late than never): http://campus.umr.edu/security/patches/2003-08-12-windows-dcom/
The guy had a point. M$ is responsible for writing vulnerable software, as bizarre as this exploit is.
[c0d3fu]: jwjb62@umr.edu || james@macrohub.com
Fight fire with fire. Although this is the first time I've actually seen it work like this. Imagine, a virus that cleans and protects your system from another virus. And it even has the courtesy to delete itself. Actually, isn't that considered a vaccine?
The only reason this could have possibly been written is because someone got pissed off by lazy/idiot admins not patching their systems, and this is the only way they saw to stem the spread of worms. Having known a few lazy/idiot admins in my time, I'm thankful there are some productive people out there willing to put in time to actually STOP virii. Now to sit back and wait for the next virus that will attack the good virus, and then begin downloading tons of kiddie porn and illegal MP3s onto your computer. Isn't technology great?
From BenJurry, RPC vulnerability researcher, posted to Full Disclosure:
This worm is written in VC++ 6.0 and compressed with UPX. Its size is 10240 bytes.
The worm's aim is to remove msblast and patch the system, which it infects via RPC DCOM and WebDAV.
When it gets into the system, it copies %systemroot%\system32\dllcache\tftpd.exe to %systemroot%\system32\wins\svchost.exe, then creates the service named RPCTftpd, whose display name is "Network Connections Sharing".
And then it copies itself to %systemroot%\system32\wins\dllhost.exe, then creates the service named RpcPath.
3rd, the worm will check for the process "msblast" and remove it, then download the patch from M$ according to the different language versions, and patch the system with the parameters "-n -o -z -q".
Then it scans the subnet with ICMP filled with ..., whose type is "echo" and size is 92 bytes, so there are large volumes of ICMP traffic in the network. When the worm finds a host, it will try to infect it with RPC DCOM and WebDAV; if successful, it will listen on a TCP port less than 1000 to send the file. If the year is 2004, then it will remove itself, so the easiest way to remove it is to adjust your time.
It seems it is a "good" worm to clean msblast :)
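As an added example (not part of the quoted analysis or any vendor tool), the following Python checks constructed sample data for the two kinds of indicator the analysis describes: one source sending 92-byte ICMP echo requests across a subnet, and the service names and dropped file paths the worm creates on a host. The flow-log line format, the host inventory and the IP addresses are constructed for this example.

```python
"""Added example: flag the W32/Nachi indicators described in the quoted
Full Disclosure analysis. The flow-log line format and the host inventory
used below are constructed for this example, not any real product's output."""
import re
from collections import defaultdict

# Constructed flow-log format: "<time> <src> -> <dst> icmp type=<n> len=<bytes>"
FLOW_RE = re.compile(r"^\S+ (\S+) -> (\S+) icmp type=(\d+) len=(\d+)$")

# Host-side indicators quoted from the analysis: service names (with the
# display name the worm assigns, where given) and the dropped file paths.
NACHI_SERVICES = {"RPCTftpd": "Network Connections Sharing", "RpcPath": None}
NACHI_FILES = {
    r"%systemroot%\system32\wins\svchost.exe",  # copied from dllcache\tftpd.exe
    r"%systemroot%\system32\wins\dllhost.exe",  # the worm body itself
}


def nachi_scanners(log_text, min_targets=10):
    """Return {src: distinct_targets} for sources that sent 92-byte ICMP echo
    requests (type 8) to at least min_targets different addresses.

    Echo replies (type 0) and echoes of any other size are ignored, so a
    normal ping or the victims' replies do not trip the rule."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not ICMP flows in this format
        src, dst = m.group(1), m.group(2)
        icmp_type, length = int(m.group(3)), int(m.group(4))
        if icmp_type == 8 and length == 92:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def host_indicators(services, files):
    """services: {service_name: display_name} from a host inventory;
    files: iterable of file paths found on the host.
    Returns the list of matched indicators, services first, then files."""
    hits = []
    for name, display in services.items():
        expected = NACHI_SERVICES.get(name)
        if name in NACHI_SERVICES and (expected is None or display == expected):
            hits.append(f"service {name}")
    known = {p.lower() for p in NACHI_FILES}
    for path in files:
        if path.lower() in known:  # Windows paths are case-insensitive
            hits.append(f"file {path}")
    return hits


def constructed_flow_log():
    """Build a small constructed log: one host sweeping 20 consecutive
    addresses with 92-byte echoes, plus benign traffic that must not match."""
    lines = [f"12:00:{i:02d} 10.1.2.50 -> 10.1.3.{i} icmp type=8 len=92" for i in range(1, 21)]
    lines.append("12:00:05 10.1.2.7 -> 10.1.3.1 icmp type=8 len=60")   # ordinary ping, other size
    lines.append("12:00:05 10.1.3.1 -> 10.1.2.50 icmp type=0 len=92")  # echo reply from a target
    lines.append("12:00:06 10.1.2.9 -> 10.1.3.4 icmp type=8 len=92")   # single echo, below threshold
    return "\n".join(lines)


if __name__ == "__main__":
    print("scanners:", nachi_scanners(constructed_flow_log()))
    inventory_services = {"RPCTftpd": "Network Connections Sharing", "Spooler": "Print Spooler"}
    inventory_files = [r"%SystemRoot%\System32\wins\SVCHOST.EXE", r"C:\Windows\notepad.exe"]
    print("host hits:", host_indicators(inventory_services, inventory_files))
```

The ICMP rule is a volume heuristic, so tune min_targets to the subnet size you monitor; the host check only confirms the names the analysis lists and says nothing about other RPC/DCOM payloads that may be present.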
...a beowulf cluster of these?
Maybe professional "anti-worms" such as this are the best way to handle security, being that the average Joe Mousepad doesn't understand, or even keep up with, virus alerts. Would this raise too many legal issues, or is it the "wave of the future"?
"Give someone a program, frustrate them for a day... Teach someone to program, frustrate them for a lifetime."
...so... they found a nice idea to repair their exploitable errors: make a worm that finds an unpatched PC and patches it, removing other bad worms installed on it.
...and after that, M$ puts a new cute name on its worm, and patents it. "Microsoft Frog - Keep your PC bug-free!"
drmad
welcome our new Robot Overlords.
releases the code to the worm under the GPL?
I can almost hear Bill Gates' insidious little laugh now, just thinking about irony of it.
The cure for cancer is coming: Reovirus
...that maybe the same person who wrote MSBlast wrote this worm as well? As worms go, MSBlast was disruptive, but hardly destructive. The entire point was essentially to launch an effective (or at least it tried to be) DDOS attack against MS.
Now that the attack date is past, go on out and remove the virus. Simple as that.
And as for why the worm itself wasn't coded to expire on that date, then people just would have set their clocks ahead a few days and have cleaned it off then.
Anyways, just an idea. *shrug*
In Soviet Russia, the virus patches YOU!!
do() || do_not();
Sort of like a battle between the VCR blinks 12:00, and the sets your VCR time crowd.
Uh honey what time is it?
[looks at clock]
Um, it's 12:00, no wait, it's 3:00 PM. No wait, it's 12:00, no wait it's 3:00 PM again. [grumble...grumble]
2 weeks ago, I received a call from one of my customers telling me that he had done nothing but our application was no longer working: he got a message "server is unavailable" or something like that.
You know when a customer says "I did nothing", he lies; not always by intention, but he lies. In fact, by asking some questions, I found out that they had just used Microsoft Auto Update.
Now the point: HotFix 823980 fixes the RPC overflow problem well, but makes it impossible to access a COM+ object that we need (in fact our server is a COM+ object). So if you fix the bug our software doesn't run; if you don't...
Are we the only company that has this problem? Are we the only ones using a COM+ object server instantiated on the client?
"Use cases are fairy tales..." I. S. 2005
Some are arguing all this does is waste more bandwidth...
For the short term yes. Long term bandwidth is saved. I don't know the specific workings of this "fixer worm", but here's how I see it.
Short term, traffic will be twice as bad as if blaster were on the loose. More traffic = bad.
Once the critical mass of open machines are patched by this sucker, the "total bandwidth" used by this whole RPC problem will plummet to almost nothing as more machines are patched and stop looking for others to patch. Less traffic = good.
Short term the traffic is worse, but in the long term less overall bandwidth is used.
I don't know where I stand overall on the ethical issues of this worm, but from a traffic perspective I see it as a good thing.
Someone who knows more about how exactly this fixer exploit works...feel free to reinforce or correct me.
-Pete
Skinner: Well, I was wrong. The lizards are a godsend.
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
Let's see...
Does it magically boot the system off known good media to check for rootkits/backdoors/trojans/[insert favorite evil here]???
No.
Does it magically monitor the traffic to and from the machine for a reasonable period of time to ensure that nothing is amiss???
No.
Does it reinstall the host OS from the original media and restore the last known good backup???
No.
So... what does it do?
It patches the hole and wipes out the worm if present, then deletes itself in 2004. Great... except, MSBlaster wasn't the only thing that took advantage of the RPC/DCOM exploit. Oops. Now the system administrator has no cause to take any of the above steps because from his view, sitting in his office running the latest eEye scanner, the machine was never vulnerable.
When will folks figure out that these so called "good worms" are not a good thing? The failure of the author to take note of such fundamental flaws in his or her logic suggests that they have no business doing anything, much less volunteering to correct the world's problems. Of course, this could be a deliberate cover-up... but somehow I think it's just another security cowboy trying to save the world.
That includes the GPL.
-- Daryl McBride
... if the guy who coded the good worm was the coder of the bad worm too ?
:)
it'll be funny as he is laughing at the face of M$
What if your well intentioned patch screws up computers?
I couldn't access the net on my windows 98 box at work, so I did a quick netstat and noticed like 100 connections to port 135, including a whole bunch from my ISP (other business dsl users at earthlink). Had to set Zonealarm on high and reboot to get access back. I think the denial of service was from machines trying to infect me, even though I have 98 on that box.
In Arthur C. Clarke's 1990 novel Ghost from the Grand Banks, the Y2K bug was solved by releasing a worm that fixed the problem in systems it had infected.
Hi from Billy Gates!
I have enuf $$$ that I can spend weekend making anti-worm worm-software!
PS - linux sux0rz!
It's been done before - remember "Code Red"?
A guy called Herbert HexXer wrote an anti-worm called Code Green.
He got into a LOT of trouble over that I believe.
Didn't the Cheese Linux worm do this same thing last year or the year before that? (i.e., fix a security vulnerability)
the history of the world
In Soviet Russia, worm vulnerability patches YOU!
the worm turns.
The Cheese worm did this on compromised Linux systems a few years back. The antivirus industry, in accordance with Linux sysadmins everywhere, added detection for the worm. A virus is a virus, and any unauthorized access to a computer is a Bad Thing.
a worm that automatically downloads Linux?
how long until
NAI report that this is a self-removing worm after 1st January 2004.
Never email donotemail@WeAreSpammers.com
... that would be the absolute horror, the end of everything. Imagine 3/4 of a billion unfriendly, incompatible, unstable Linux boxes.
My work (W2k) machine got hit with this today. Thank you, thank you, thank you Mr./Ms. Virus Writer!
Our MCSEs never got around to patching my box last week... and I couldn't patch it myself since I don't have admin rights.
Neo: So, I guess the obvious question is, if you're a program, how can I trust you?
Oracle: Bingo! It is a pickle, no doubt about it. The bad news is there's no way if you can really know whether I'm here to help you or not. So it's really up to you. You just have to make up your own damn mind.... Candy?
one hundred twenty
is just enough characters
to write a haiku
The thing about the "white-hat" worm is that it'll eventually kill itself - as it runs around patching machines, there are less vulnerable machines out there, so it will lose its ability to spread.
Or, put another way, if there were no "white-hat" worm that might also up traffic for a while, there will probably be a black-hat one that WILL up traffic for a while, AND format a few hard drives to boot. Erm, not boot.
paintball
It may be off topic a bit, but for those of us who are not as up on our lingo as we should be: what is the difference between a virus and a worm?
More of my thoughts
A lot of people here are predicting a new wave of anti virus virii, taking advantage of the same exploit and cleaning the system.
All this will do is prompt future virii (the bad ones) to patch their whole *after* infecting a system.
There have been virii in the past that blocked Norton or other anti-virus programs, and this is no different. The only difference (as has been pointed out) is that smart "white" virii take network bandwidth.
no comment
People are saying it's still bad cause it creates extra internet traffic, but is it any worse than the bazillions of emails being sent to endusers by sysadmins trying to get them to fix it themselves? Now, if a sysadmin were about to send such an email, he could instead just let the virus loose inside his network and block the port till it was done, and it would probably be way more effective and reliable than the email. If I'm not mistaken such a virus is also easily trackable, so you can be sure you've stamped it out before giving everything the green light to talk to the world again.
It would be cool to write specific helper routines for cases like this, I think, but this case is unique since the vulnerability is a particularly bad one, maybe? It lets viruses take more control over a computer than normal, so the helper virus is actually able to fix something?
What are the chances that this was someone within a network administration role that was trying to find a creative way to patch all of their systems?
While unconventional, it would be able to handle workstations of differing configurations (except for the TFTPD item), eliminating the vulnerability/virus from their network.
I mean, the worm even kills itself after 1 January 2004. This doesn't seem like the typical "virus writer's" M.O.
Just a thought, might be unlikely, but I've personally done less conventional things in times of an emergency.
This will very likely spawn a discussion about the ethics of doing such a thing. If they catch the guy who wrote this virus, would it be appropriate to jail him just like the rest? What if it was entirely an accident?
"God is dead!" - Nietzsche
"Nietzsche is dead!" - God
I wouldn't be surprised if Microsoft itself was responsible for this worm, if it wasn't for the fact that it wasn't released until after the DOS attack went down. But then again, maybe Microsoft just didn't want to draw attention to itself last week...
People who do not know how to use Windows Update are not created by worms.
People who do not know how to use Windows Update are created by people who do not know how to use birth control.
Now you grammar trolls can't correct me, cuz I caught it first.
Hole not whole.
People who think this is a good idea, are you for real??? Do you know how much work goes into protecting large corporate networks, rigorous testing of each and every patch before it goes into production, reacting to IDS alerts, identifying potentially vulnerable environments, etc... The fact remains the same, both worms exploit the same vulnerability, both worms modify system data without user's consent, and both are potentially "lethal" because of unpredicted errors and patch compatibility issues. Let's not pee our pants trying to cheer. This is not white hacking. White hacking is identifying the vulnerability, and advising the user on how to protect themselves, but what do I know, feel free to flame, cause that seems to be the common trend on /. these days...
Oooh, separate incidents!
[Maude calls about the rug]
Guess we can close the case on that one!
Maybe this worm will accomplish what Blaster failed to do: take down the M'soft patch server with DDoS! If it manages to reach critical mass (doubtful), the number of systems trying to reach the server will cause the server to go down, achieving, in effect, what Blaster tried to do.
There are 10 kinds of people in the world - those that know binary, and those that don't.
Microsoft issued a patch today that they claim will resolve all Windows security issues forever. The patch uninstalls all versions of Windows and replaces them with the latest Linux development kernel. When asked why they are using a presumably unstable development Kernel, a Microsoft spokesperson said it was because it was still more stable than any Windows kernel.
On a related note, the website windowsupdate.com will be renamed for the second time this month to nukewindowsreplacewithlinuxupdate.com.
Your mileage may not adhere to the 2nd law of thermodynamics.
why can't somebody release a worm that will gather pr0n from all over the web and store it in a huge repository on some publicly-readable, remote machine? that ought to save the /. community many, many hours of surfing time, thus freeing up more time to do other useful things, like posting here.
I've been getting a lot of firewalled ping activity today, must be that cleanup worm. Machines that the Blaster worm never even tried to hit. I wouldn't trust a cleanup worm one bit more than I would Blaster. Everyone knows (or should know) you can't count on good intentions on the Internet!
Just imagine: if 'benevolent' worms begin appearing in response to malevolent worms, the impetus to patch systems will further decline and sys admins will do even less to maintain the security of their systems.
CIO: We need to patch all of our systems...
SA: Why? It'll be less time-consuming and more efficient if we just wait for the clean-up worm!
Doesn't make it profitable to do so.
Do you mean that the worm deactivates itself on New Year's Day 2004, or on-or-after? Many businesses do not start their machines on New Year's Day of any year because their employees are on vacation.
Will I retire or break 10K?
and now our computers and bandwidth have become battle grounds for worms.... oh the joys of ecology.
"There is always some madness in love. But there is also always some reason in madness."- Friedrich Nietzsche
...I didn't realize I was buying a battlefield.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
Our new ---- ahhhh forget it. Mod this up redundant.
If you can read this sig - the bitch fell off.
as in the illegal freelance heating engineer in the movie "Brazil."
Now he's fixing our internet ductwork.
Hooray.
"By running this infected program, you agree to abide by these terms & conditions..."
"In Soviet Russia, the virus patches you!"
Even cooler would be a location to download and execute this worm on purpose. That way you don't have to sit around hoping your network gets "infected." Hell, why doesn't the Symantec tool work like this? It's a little fight-fire-with-fire-ish, but jeez, you would think they could at least give it a shot.
I read at -1 So you don't have to.
I will not say what agency I work for, but the IT staff just turned off all of our switches due to this worm...I'm hearing reports from other places as well. Talk about being blind-sided!
More specifically, Windows users are like GM owners. They believe that they are driving a top notch quality reasonably new vehicle only to find themselves on the side of the road, broken down. These people refuse to believe that their car IS A PIECE OF SHIT.
Do you mean to imply that FixOrRepairDaily owners are any better off? What about DamnOldDirtyGasEater owners?
"W32/Nachi.worm"...sounds like a new spinoff group from Japan's pop-idol Hello! Project
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
Actually, the anti-virus industry could just start writing counter-virii themselves. They'd release them into the wild for free, then pull a SCO and charge everybody $$$ if their computer was fixed by it.
I can see all the slashdot geeks wearing tshirts with "Free Robin Hood", and freerobinhood.com selling stickers.
To be serious now, even though it will cause enough traffic, with each box getting fixed we get less traffic from Blaster.
...and I still have to pop about a zit a week. /thought it would stop at 20... :(
It patches the RPC hole and installs a TFTP server on the saved machine. It then propagates to other machines, infecting them and patching the vulnerability so a later variant of the same worm won't be able to uninstall it.
The first rounds have been fired in the often talked about cyber wars methinks.
Breaking news. Today, unnamed sources at the Pentagon have confirmed the existence of a covert, technical ops group whose sole mission is to create a national defense army of worms, designed to seek out and destroy malicious, terrorist worms that have infiltrated our homeland. Under authorization of the Homeland Security Act, these elite hackers are devising worms to not only destroy the terrorist worms, but to reprogram every computer around the world in an effort to shut down the global terrorist network of worms. When contacted, Richard Stallman of the FSF was quoted as saying "While I like the idea of stopping global terrorist worms, the FSF is fundamentally opposed to ANY closed software worms. This special technical ops group needs to make their worms open and free."
Cheers
If a worm such as this was written whenever a large vulnerability was discovered, and designed to be limited to a specific block of IP addresses, it could be a handy thing to have on hand for someone who admins a large private network. If your network doesn't get hit, then great, but if it does, just let this loose to clean things up.
Microsoft doesn't have a nice way out of this problem - well, they didn't until this fix-it worm came along. The worm will continue to cause them network trouble for the rest of the year, IIRC.
They won't ever publicly support it, but this worm fixes a lot of problems for them. The smart money would be on them preventing actions which would impede its progress. Let's not pretend Microsoft doesn't have power and influence.
Now, given all that, proceed to formulate your own conspiracy theories about where this new worm came from.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
- W32/Webster.Worm: Opens a command shell using the RPC VNC OpenHole ActiveX/rootsploit featurebug. Opens all MSWord and Works documents, fixes spelling and grammar, saves without a backup, then writes a polite "echo" line to AUTOEXEC.BAT gently chiding you to learn to read at a fourth grade level.
- W32/PSCheezRemove.AutoTrojanMurderWorm: Attaches to exposed port 5555, downloads GOODTASTE.EXE from a predefined HTTP server, which it then executes. Scans Hard discs for PSD files that employ garish glows, drop shadows, and procedural 2D fire effects, and replaces those layers with a text layer containing the URLs of several reputable visual arts schools.
- Existence/DrawerClean.Intruder: Waits until you leave for work, jimmies your bedroom window, and illegally enters your home. If he/she finds an underwear drawer, he/she folds and neatly stacks the contents of the drawer, quicksorting by color, then leaves. Symantec is reporting a variant, DrawerClean/FourStar, which leaves a mint on your pillow on the 16th of each month.
It looks like this is Microsoft's new autoupdate feature. Exploit your own vulnerability to patch it :D
Maybe this is the first step in Trusted Computing - we're supposed to trust that this worm (whose source hasn't been fully analyzed to see if it's totally benevolent or not) is supposed to clean up our systems.
Sig & Below
Yuck Fou
You now have a worm that people are being led to believe that is a "trustworthy" worm.
Sure it is. But wait. As it moves around, it will be hijacked and mutated into something bad.
It will pickup a package along the way and drop it in your box, and because you are led to believe that it's a "good" worm you'll welcome it.
This is NOT smart computing. It's not responsible, by any means. If you don't take action of your own accord, you are lazy and stupid and you deserve whatever bad things happen to you because of it.
Fix your own problems or pull the plug. If you can't handle it, you have no business using a computer.
I feel there's only one possible author of this antiworm: Microsoft.
Think about it. No average sysadmin would do it to clean up his systems - there's too much liability under the DMCA. Idiot home users don't care. Non-Microsoft people are glad that they were to be attacked on Saturday. Who's left? The punk kids who write all the viruses? Why would they care about this? The only other possibility would be some security company like eEye trying to gain reputation - but again, the DMCA issues would prevent them from disclosing that they ever wrote it.
Hm... whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!
# Erik
Discreet, makers of 3dsmax, was also affected in a major way by this hot"fix"; more info can be found here. .max files they have been making crash older unpatched Windows. I myself spent a day figuring this one out and getting everyone in my company up to speed.
Discreet Info
It's really a bummer for all those people who stay up to date to find that the
Microsoft has announced the release of WindowsUpdate Version 5.0
I wanna get infected! haha :)
Seriously, there are at least 3 persons who I know that would benefit from this worm, since they are average users and don't really know how to clean up their systems.
It would be nice if we could apply it on purpose.
warning: obligatory tarantino reference...
"no, man; they're metric over there. they call it a royale with cheese."
ed
Worms that go around and occasionally change their code when they copy themselves; that way the worms will evolve. The worms should battle each other and try to defend themselves; naturally they should not harm the host much, as that would hurt themselves.
This just in...
New Microsoft Ad Campaign
"We at Microsoft intentionally leave security holes such as these to allow our 'viral update programs' to fix other holes we didn't intentionally leave open so that Linux-craving sysadmins who don't patch our systems and read Slashdot all day will be foiled in their attempts to overthrow our monopo.... errmmm, vastly superior (albeit insecure) operating system."
I for one welcome our friendly worm overlords.
(although running OS X I care quite little except that both the good and bad eat up unnecessary bandwidth)
Windows is listening on about 6 ports. What services can I safely turn off so that those 6 ports are closed? These machines are simple TCP/IP client machines that do not need/want/use any Microsoft "innovations". I just need to be able to get to www and pop servers.
Any help would be appreciated.
Don't you mean the 4/4 billion unfriendly Microsoft boxes?
TMI.
These worms are child's play; it is only a matter of time before someone decides to do something *really* nasty with a well thought out worm.
There are probably thousands of programmers out there that could have written the blaster worm. Most did not want to do it. Of those that would, most seem to be content to write prankster-style worms. One individual decided to write an anti-worm-worm.
What if one had decided to write a *really* malicious worm? In my mind, it is a 99% certainty that eventually some pissed off malcontent will do so. And they do not even have to be in the country.
Imagine a malicious government, with 100 dedicated programmers.
Or a well funded terrorist or anarchist.
Imagine multiple simultaneously spreading worms, helping each other by opening backdoors, targeting Windows systems, Apache web servers, hardware routers, telephone switchboards, and whatever else they can find. And the payload? Designed to inflict the most economic damage. Perhaps even a smokescreen to illicitly gain access to systems that manage power, water, electricity, and actually cause physical damage too.
Governments need to sit up and take notice, this is serious stuff.
Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
What, that takes longer than a week? The "cure" may turn out to be no better then msblaster if it generates massive network traffic looking for new hosts.
No, this cure is no better than the disease. When a machine is compromised, it must be rebuilt. What makes you think your particular copy of Nachi is doing your work for you? There's no telling what the damn thing has done and the box is screwed.
The real cure it to get rid of insecure software like Microsoft makes. Companies that don't start moving toward secure platforms deserve to die.
If you can't get rid of it because you are enslaved by AutoDesk or similar, blind Microsoft to the network and dual boot it or VMware Windblows. Free software network tools are obviously superior and should be used for moving information around. Hell, ProE on Mac OSX is better for both purposes than AutoCAD on windblows. Similar solutions can be found where free software does not exist yet.
Friends don't help friends install M$ junk.
How can you tell the difference? What makes you think your worm is a white hat and not just another trojan with a friendly name? If you trust worms, you might as well smash your network with a hammer and save the rest of us our bandwidth.
Got windoze and got infected? Rebuild the box. Costs too much to do that? Get rid of windblows.
Friends don't help friends install M$ junk.
nt
Don't believe anything I say. I crash test crack pipes for a living.
... that's a FISH!
This worm causes the same problem as the original, increased network traffic and an impact on non-vulnerable machines. The tactic I employed against Code Red, waiting to be attacked and then reversing the attack, would be much simpler, more effective, and more prudent. http://crazybob.org/codered/index.html
If Blaster wasn't in the wild, Nachi would be abhorrent. But the thing is, Blaster is in the wild. It's folly to pretend otherwise.
I can see the pragmatic value of this form of worm, as long as it follows the rule that it should under no circumstances do more damage than the worm that it blocks. Sure, I'd still like to kick the crap out of whoever released it, but I'd shake his hand first.
If you were blocking sigs, you wouldn't have to read this.
When you get right down to it, a worm or a virus is just a bit of code that updates your computer in some fashion. It allows your computer to perform some function it did not previously perform. In essence, it is no different than hitting windows update and hoping for the best.
Well, of course there is a slight difference. With windows update, you ask for the update to happen. That is not the same as knowing what is really being changed. For example, the most recent windows update broke EI when it tries to talk to Squid. Also, I do not really know what is being updated by windows update, I just have to hope for the best.
So, is leaving a port open any more of a security risk than pressing the "Windows Update" button? Either way I am giving people who I do not know and probably don't trust access to my computer.
On the flip side, does a worm that improves my computer in some way any better than one that degrades my computer? Would it be ok for MicroSoft to release a worm that automatically upgrades EI? I think more right thinking people would agree that it is wrong, even if its for the right reasons. The end does not justify the means.
Somewhere there is a line between right and wrong here. The problem of course is that there are so many people who do not understand what a worm or an update are, how can they possible do the right thing? Does a fix it worm make sysadmins lazy?
Maybe. Does it help the little old lady who just wants to find out about her genealogy and does not know or care how her computer work? Absolutely. It also help those of us who have to help this little old lady out because she is out mother.
Someday, the computer will be as easy to use as a microwave. Until then, I will take all the help I can get.
Your friend and well-wisher
m0smithslash
http://www.ferociousflirting.com
In the evening, I grep my firewall logs for offending IP addresses which are also from my ISP (which for me is basically in the same /16), send the log entries to my ISP, and I usually find that the offending IPs have been shut down early the next day. My ISP is of course much more likely to pay attention to my complaints because they have to keep me happy as a customer, so they actually do something about the problem.
If everyone were to do this...
It cannot really download any patches but keeps restarting machine after trying. I would not say it's beneficial for users if they can work 5 minutes from boot to another restart :-)
A worm's growth is exponential. It needs to reach a critical mass, then it unleashes itself. The problem with a worm that seals the vulnerability is that the growth will spiral downward exponentially. It's like a parasite that kills its host too quickly. I'm not quite sure about the details, maybe a mathematician can help me out, but my gut reaction is that this might not work.
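The growth argument in the comment above can be made concrete with a toy model. What follows is an added example written for this page, not code from the thread or from any analysis of Nachi or Blaster: it Euler-steps a compartmental model with a Blaster-style worm and an anti-worm that exploits the same hole, in two assumed modes, one where the anti-worm stays resident and keeps scanning after patching (what the thread describes) and one where it patches and then removes itself after a couple of hours (the self-removal idea raised later in the thread). All rates, the initial split between clean and Blaster-infected hosts and the run length are assumptions chosen to make the dynamics visible, not measurements.

```python
"""Toy model of a Blaster-style worm and a Nachi-style anti-worm sharing
one population of unpatched Windows hosts.

Added illustration; not code from the thread or from either worm. Every
rate, the initial split and the two propagation modes are assumptions.
"""


def simulate(anti_worm_mode, hours=200.0, dt=0.01, blaster_rate=1.0,
             anti_rate=1.0, residency_hours=2.0, s0=0.9, b0=0.1, n0=1e-4):
    """Euler-step the model and return the final host fractions.

    Compartments (fractions of all hosts, summing to 1):
      S  vulnerable and clean
      B  vulnerable and running Blaster
      N  patched by the anti-worm and still running it (still scanning)
      P  patched with the anti-worm gone (reachable only in self_removing mode)

    anti_worm_mode:
      "resident"       the anti-worm patches the host and keeps scanning
                       for the whole run (what the thread describes)
      "self_removing"  the anti-worm patches, then exits after
                       residency_hours on average
    Rates are effective contacts per host-hour; all values are assumptions.
    """
    if anti_worm_mode not in ("resident", "self_removing"):
        raise ValueError("unknown mode: %r" % (anti_worm_mode,))
    total = s0 + b0 + n0
    s, b, n, p = s0 / total, b0 / total, n0 / total, 0.0
    for _ in range(round(hours / dt)):
        unpatched = s + b
        # Blaster only converts clean vulnerable hosts; hitting an already
        # infected host changes nothing.
        new_blaster = blaster_rate * b * s * dt
        # The anti-worm uses the same RPC hole, so every unpatched host,
        # clean or Blaster-infected, is a target for it.
        new_anti = anti_rate * n * unpatched * dt
        if unpatched > 0.0:
            from_s = new_anti * s / unpatched
            from_b = new_anti * b / unpatched
        else:
            from_s = from_b = 0.0
        # hosts whose anti-worm has finished its job and removed itself
        leaving = n * dt / residency_hours if anti_worm_mode == "self_removing" else 0.0
        s += -new_blaster - from_s
        b += new_blaster - from_b
        n += new_anti - leaving
        p += leaving
    return {"susceptible": s, "blaster": b, "anti_worm": n, "patched_quiet": p}


def reproduction_number(anti_rate=1.0, residency_hours=2.0):
    """Expected hosts one self-removing anti-worm instance infects while every
    host is still unpatched; below 1 it fizzles, above 1 it spreads, then dies out."""
    return anti_rate * residency_hours


if __name__ == "__main__":
    for mode in ("resident", "self_removing"):
        final = simulate(mode)
        print(mode, {k: round(v, 4) for k, v in final.items()})
    print("R0 of the self-removing variant:", reproduction_number())
```

With the assumed rates the resident variant drives both the clean-vulnerable and the Blaster-infected populations to zero but leaves the anti-worm scanning from essentially every host, while the self-removing variant burns out (its reproduction number is scan rate times residency time, 2 here) and leaves roughly a fifth of the hosts unpatched, which Blaster then finishes infecting. So the "spiral downward" in the comment depends on whether the anti-worm leaves the host, and on that product, not on its being benevolent.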
I've always wondered if worms of these types were just worms written by a sysadmin of some company trying to delete the worm without going computer to computer, but somehow got out of the company's network...
CowsAnonymous: We're here to help moo.
Why couldn't a worm be designed on purpose like this that would limit its exposure. For example lets say a company wants to make sure the patch gets put on all the employees computers (maybe even including home computers). From the beginning its designed to only affect say.. a certain group of IP addresses. The worm only tries to spread within its allowed parameters, and doesn't go elsewhere. This way a company or ISP could protect itself without bothering the outside world.
Blaster didn't take down my 2 big-gun routers. Granted, our Cisco guys should have implemented ICMP throttling, but when you have 70k machines... and maybe half are patched... the rest generate lots of ICMP traffic.
IN SOVIET RUSSIA, worm fixes YOU! (I am not laughing, are you?)
A friend of a friend used to live downtown, and owned a Jeep. You know, the kind with the fabric tops, that simply could not be fully locked. Well, he never left anything valuable in his jeep. But, living downtown, he was pretty close to an area where there were quite a few prostitutes.
Soon after moving downtown, he started noticing used condoms showing up on the floor of his jeep. It turns out that the girls found his vehicle a pretty convenient place with nice soft seats for doing their business.
He found a good solution though, he walked around and made friends with all the various girls, and explained how he'd appreciate it if they didn't use his jeep that way. Because he was nice about it, and actually tried to be a friend, not only did they not use his car that way anymore, but they also kept a lookout, making sure that nobody else messed with his car.
So... just remember, just because you have nothing valuable to steal in your car doesn't mean someone won't find a good use for it.
If the person who made the "Good" worm comes forward and takes credit for it, I wouldn't be surprised if he was the same person who made the "Evil" one. Sounds like a good (albeit risky) way to build a rep.
If it isn't the same person, then good for the "good worm" writer. However, this type of behaviour could really lead to problems, it only takes 1 mistake in this type of code to make a real mess. Ask Robert Morris.
"See, once you move from a rural area to a bigger city, you start to get upset as thieves always seem to break into your car and steal anything of value. So, in order to not have to pay for another window or fix up a lock, they'll just leave the car unlocked with no valuables inside."
Favorite apocryphal 70s New York City story:
Manhattanite leaves his car on the street with the trunk open, the glove box open, the windows up but the doors unlocked. He's taped a note to the dashboard that reads: "No Radio."
When he returns, he finds all four windows are smashed and the following response to his note: "Get one!"
that possibly one of the anti-virus groups might have deployed this as a test? I have been pondering the idea of such a worm to exist, that possibly someone would eventually create a worm that does good, hell, let's see more of this.
Agreed on this. A terrible if well-intentioned strategy. Getting blasted with ICMP packets today, seems to have a penchant for connecting to hosts in the same /16 or /24.
now the african continent just needs to wait for the anti-AIDs worm to hit and bam, problem solved!
Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
I KNEW IT!!! I checked google and NACHI is (National Association of certified Home inspectors). Man. What a pro-active group! I wonder if NOT having this worm will lower my mortgage?
The thing I don't like about this VIRUS is that it is now going to be ping sweeping away through the end of the year, cluttering my logs. That sucks.
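For the two log-watching comments in this thread (grepping firewall logs for offending addresses inside your own ISP's range and reporting them, and the ping sweeps now cluttering logs), here is an added example, not code from either poster: it reads iptables-style kernel LOG lines, flags sources that hit many distinct destinations with ICMP echo requests inside a short window, and picks out the flagged sources that fall inside an assumed ISP range together with the evidence lines to send. The log lines, addresses, window, threshold and ISP range are all constructed for the example.

```python
"""Find ping-sweep sources in iptables-style firewall logs and select the
ones inside your own ISP's address range for an abuse report.

Added example; not code from the thread. The sample log, the addresses,
the 60-second window, the five-target threshold and the ISP range are
all constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (gateway view): 203.0.113.77 sweeps six hosts from
# inside the assumed "ISP" range, 192.0.2.200 sweeps five from outside it,
# and 198.51.100.5 sends two ordinary pings to one host. LEN=92 mirrors the
# Nachi echo requests reported at the time; the detector does not rely on it.
SAMPLE_LOG = """\
Aug 18 22:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.11 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.12 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.13 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.14 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.11 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.12 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.13 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.14 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:14:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.15 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:20:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Aug 18 22:20:31 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=92 PROTO=ICMP TYPE=8 CODE=0
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<kv>.*)$")


def parse_echo_request(line, year=2003):
    """Return (timestamp, src, dst) for an ICMP echo-request LOG line, else None.

    Syslog timestamps carry no year, so one is supplied (assumed 2003)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    if fields.get("PROTO") != "ICMP" or fields.get("TYPE") != "8":
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, fields["SRC"], fields["DST"]


def find_sweeps(lines, window_seconds=60, min_targets=5):
    """Map each sweeping source to the most distinct destinations it pinged
    inside any window_seconds-long window; sources below min_targets are dropped."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_echo_request(line)
        if parsed:
            ts, src, dst = parsed
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> echo requests inside the window
        start, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the window start forward past events older than the window
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            sweeps[src] = best
    return sweeps


def reportable_to_isp(sweeps, isp_range):
    """Sweeping sources inside the given range (the ones your own ISP will act on)."""
    net = ipaddress.ip_network(isp_range)
    return sorted(src for src in sweeps if ipaddress.ip_address(src) in net)


def abuse_report(lines, isp_range, **kwargs):
    """Return (sources to report, the raw log lines that are the evidence)."""
    sources = reportable_to_isp(find_sweeps(lines, **kwargs), isp_range)
    evidence = [l for l in lines if any("SRC=%s " % s in l for s in sources)]
    return sources, evidence


if __name__ == "__main__":
    srcs, lines = abuse_report(SAMPLE_LOG.splitlines(), "203.0.113.0/24")
    print("report to ISP:", srcs)
    print("\n".join(lines))
```

The sliding window is keyed on distinct destinations rather than raw packet counts, so a single host that pings you repeatedly is not mistaken for a sweep, while the same threshold applied to TCP 135 connection attempts would catch the RPC/DCOM scanning itself; the range check is what separates the addresses your ISP can do something about from the ones that only belong in someone else's abuse mailbox.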
Two worms don't make a wright.
"Hell, ProE on Mac OSX is better for both purposes than AutoCAD on windblows"
And CATIA and SolidWorks on Windows are way better than both.
There was some talk on the Full Disclosure lists of releasing a worm such as this. Now it appears that someone has done it. Kudos to them. Now the question becomes: Do we let this worm just run freely out there? Do we try to stop it?
Past worms haven't been able to load updates like this simply because the vulnerabilities weren't as big as the RPC/DCOM vulnerability that is being used on this exploit/patch.
The whole internet worm thing has become rather boring. The security community has already learned the lesson to be taught: patch your machines. It looks like there is now something new to take notice of with the Nachi worm.
Now we need to come up with phrases such as: Are you a good worm, or a bad worm? Or White worms vs. Black worms.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
They are, however, perfectly effective at DOSing, and that affects responsible netizens too. This new worm protects us from that -- those who don't want it can secure their systems in the first place.
OTOH, I do realize that Nachi style worms have a destructive potential. I think they're called for only when a Blaster style worm is growing large and planning a DOS or similar attack. In other words, no pre-emptive worms.
Sig:Why copyright isn't a fundamental human right
I eat my share of junk food, but I don't think that's what causes the occasional zit. Even though IANAD (dermatologist) I have observed a strong correlation between stress and pimples.
"Ask not what your country can do for you." --John F. Kennedy
...temporarily put our Software Update Services server out of commission until the new DNS entry they made for www.msus.windowsupdate.com had enough time to propagate around the world (or at least as far as my office).
Speak for yourself.
And granted, most docs would *rather* tell you to pop/inject this or that antibiotic, and then check your blood every so often, and tack that onto your bill, but if you check around you will find Doctors recommending just the obvious: eating habits do indeed make a difference. Sometimes it just takes a little common sense.
Seems like what this person did might be a useful idea, although it could be implemented in a more proper way (i.e. it could auto-distribute, but it would alert the user on the "infected" system before taking any action and automatically remove itself after a set time period).
Still, the potential of "good" viruses to help prevent the spread of harmful ones to users who are too computer illiterate or lazy to protect their own machines could be quite beneficial in the long run.
Even distributing something like Norton AntiVirus using a virus type distribution / replication would be enormously beneficial I would say.
Understanding is a three edged sword. - Ambassador Kosh Naranek, Babylon 5
In the spirit of this worm, do any of you hackers/crackers want to write a worm to gain access to my machine and complete my dissertation for me?
...is how good a job this worm does of
- identifying susceptible machines without burning the network,
- fixing exactly what needs to be fixed, no more, no less,
and, most importantly, how does the quality of this unsolicited support per dollar compare with Windows Update or what private companies charge for this service? I've often thought that this is the proper way to clean up machines where sysadmins fail to do their own patching after a decent interval.
In fact, if I were MS, I'd have someone do this, but disclaim any and all connection, for the obvious reason of legal liability.
[But considering the extra powers authorities have in the case of human infection - witness the recent SARS outbreak - having a net Doctor authorized to release a vaccine for such a serious vulnerability as this RPC/DCOM, at some point after the general notification, seems reasonable to me.]
"Provided by the management for your protection."
Governments need to sit up and take notice, this is serious stuff.
The government warned people TWICE to install the patch last month.
"Sufferin' succotash."
After a while, these analogies become completely pointless. We all understand how these programs work, and we can talk about them specifically. Right or wrong on its own merits, not because it's 'like' something both hypothetical and ridiculous in the real world.
autopr0n is like, down and stuff.
Why do slashdotters think they are so good at coming up with analogies? You see this in every single article. Someone creates a perfectly fine analogy and 8 people respond saying "actually, it would be more like your neighbor/daughter/lawn gnome..."
:: Rosie O'Donnell : Attractive
Slashdotter : Good Analogy
But indeed, a well placed software developer trumps any number of counters.
It's viral, so it's not really a vaccine. It's more like cowpox. Cowpox is contagious, but not severe. And, if you get cowpox, you become immune to smallpox (and cowpox, of course) forever after.
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
I have 300+ NT4 and W2K workstations (on a non-internet-routeable network) that will take me weeks to touch every one to install the patch. This new worm sounds like just what I need :-)
I am surprised that I did not see people talking about this right off the bat. Superworms were a concept where worms/viruses would use a P2P type of organization to enhance their infections, remain undetected, and update themselves. In the original paper I read (linked from this Slashdot story), the author postulated that the eventual outcome would be to have two or maybe multiple competing worm distributors battling for control over the entire Internet. Sounds like something from James Bond.
Are we seeing the dawn of Superworms that update our computers and themselves without our knowledge or permission?
In the case of Windoze, I do not mind. Windoze users gave up their freedom when they paid Big Brother Bill to lobby Washington to take away their freedom. But a few or even one individual controlling the entire Internet and, by extrapolation, most if not all world communication: That is frightening.
All data is speech. All speech is Free.
Some history:
Waaay back in the mists of time (1988) I was a 1st-year undergrad in Physics. Together with a couple of friends, I wrote a virus, just to see if we could, and let it loose on just one of the networked machines in the year-1 lab.
I guess I should say that the virus was completely harmless, it just prepended 'Copyright (c) 1988 The Virus' to the start of directory listings. It was written for Acorn Archimedes/BBC micros (the lab hadn't got onto PCs by this time, and the Acorn range had loads of ports, which physics labs like
It spread like wildfire. People would come in, log into the network, and become infected because the last person to use their current computer was infected. It would then infect their account, so wherever they logged on in future would also infect the computer they were using then. A couple of hours later, and most of the lab was infected.
You have to remember that virii in those days weren't really networked. They came on floppy disks for Atari STs and Amigas. I witnessed people logging onto the same computer "to see if they were infected too". Of course, the act of logging in would infect them...
Of course "authority" was not amused. Actually they were seriously unamused, not that they caught us. They shut down the year-1,2,3 network and disinfected all the accounts on the network server by hand. Ouch.
There were basically 3 ways the virus could be activated:
We hadn't really counted on just how effective this was. Within a few days of the virus being cleansed (and everyone settling back to normal), it suddenly made a re-appearance again, racing through the network once more within an hour or two. Someone had put the virus onto their floppy disk (by typing *. on the floppy rather than the network) and had then brought the disk back into college and re-infected the network.
If we thought authority was unamused last time, this time they held a meeting for the entire department, and calmly said the culprit when found would be expelled. Excrement and fans came to mind. Of course, they thought we'd just re-released it, but in fact it was just too successful for comfort...
Since we had "shot our bolt", owning up didn't seem like a good idea. The only solution we came up with was to write another (silent, this time
We had actually built in a kill-switch to the original virus, which would disable and remove it - we didn't want to be infected ourselves (at the start). Of course, it became a matter of self-preservation to be infected later on in the saga - 3 accounts unaccountably (pun intended
So, everyone was happy. Infected with the counter-virus, but happy. "Authority" thought they'd laid down the law, and been taken seriously (oh if they knew...) and we'd not been expelled. Everyone else lost their infections within a few months
Anyway. I've never written anything remotely like a virus since [grin]
Simon.
Physicists get Hadrons!
Hey man, I've patented the concept of worms/viruses/trojans which go around and remove other worms/viruses/trojans. Everybody out there who gets hit by this new worm owes me license royalty money!!!!
It still runs code on a machine without the permission of the owner, and is therefore a virus.
Or Gator.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Although this looks like a great little worm, going after a nasty, poorly written worm, it effectively launches a DDOS attack against the real windowsupdate site, by downloading patches as it spreads at an exponentially increasing rate.
...are all pigs. Ya, joke around, that's it. All news on Slashdot is one big joke. "MAYBE we should do SOMETHING about Microsoft and DRM. Ya, We MIGHT have to do something. Maybe slap them on the wrist or something. Look at me, I said anti-anti-Blaster-worm-worm-worm. That's Hilarious! ha ha." THIS is so cute, THAT is cute. Bashing Microsoft is just a cliche, everything is cute and nothing is worth giving a shit about. I hope you all become slaves to the American fascist pigs.
I'd sure like to see the source of this new worm. How is anyone to know for sure that its only intentions are good until a full analysis has been done?
And if it is a "good virus" then why is it not open source? It should have nothing to hide, right?
So, unknown, untrusted code is running on your system without your knowledge. I'm sorry, folks, I don't care what the intentions are, this is a bad, bad idea.
Facts are stubborn things.
Each person that has his purses strings cut is given his own set of tights and instructed to do the same.
Yes, eventually you end up with a very overpopulated forest where all the 'Hoods are desperately trying to rob each other.
And bomb full of attitude adjustment gas goes off at the end of the year and they forget why they're all in the forest.
-Scott Hutton
You may have had it for a while now, but I had it first you insensitive clod!
Hmm... tomorrow's headlines?
SCO to IBM: "You're still infringing on our IP, you insensitive clods."
Begun this worm war has
make sig make: *** No rule to make target `sig'. Stop
As opposed to our giant space ant overlords?
"Ladies and gentlemen, er, we've just lost the picture, but, uh, what we've seen speaks for itself. The Corvair spacecraft has been taken over -- "conquered", if you will -- by a master race of giant space ants. It's difficult to tell from this vantage point whether they will consume the captive earth men or merely enslave them.
One thing is for certain, there is no stopping them; the ants will soon be here. And I, for one, welcome our new insect overlords. I'd like to remind them that as a trusted TV personality, I can be helpful in rounding up others to toil in their underground sugar caves."
robi
You still have to touch each and every desktop to run them. Login scripts are no good either, they require the user to log off and back on. Sometimes the end users at difficult-to-reach locations leave their machines logged in for weeks at a time. Remotely-rebooting the machines out from under the end users will piss them off.
The real cure it to get rid of insecure software like Microsoft makes.
I have seen and worked in plenty of networks in which windows based systems ran every bit as securely as their Unix counterparts. I've even seen Windows systems deployed that were far more secure than their Unix counterparts.
Companies that don't start moving toward secure platforms deserve to die.
So does that include the Cancer Research Institute who happens to be running IIS? Besides, if microsoft hasn't been moving towards securing their systems, I don't know who has.
For those of you who haven't seen the fourth season of the geek-classic ReBoot, a supervirus with a French accent named Daemon was attempting to infect and "bring unity" to the entire Net. The ReBoot heroes modified Hexadecimal with the cure, and sent her over the net, just before Daemon's timer was up. Why oh why did they cancel that series. It was fun.
We all go a little mad sometimes.... haven't you?
The real cure it to get rid of insecure software like Microsoft makes. Companies that don't start moving toward secure platforms deserve to die.
And what secure operating system would you suggest? I seem to see a lot of security patches coming out for a bunch of operating systems. If people don't install them they won't help. Just like people not installing the MS Patch that was available for a LONG time before the worm hit.
Seriously, this isn't the equivalent of popping a zit. A much better parallel would be an armed group, going around and popping the zits of everyone they encountered while holding them at gun/knife point.
The Seattle Post-Intelligencer, in an article on this, reports that "public safety systems in Seattle don't use Windows software." Talk about not recognizing a prophet in his home town....
"with their freedom lost all virtue lose" - Milton
1. When the pin is pulled, Mr. Grenade is no longer your friend.
2. Do not eat iPod shuffle.
Yeah, because Gaim is sooo much better than Trillian.
Sure... but when was the last time a nurse jabbed you in the ass with a vaccine while you were walking........... /i
Yeah... if I had a nasty virus that made me reboot IRL, then why, no, no, I wouldn't be bothered at all.
"Comedy's a dead art form. Now tragedy, that's funny."
This has the benefit of lowering the overall amount of traffic that is broadcast, and /.'ers would be happy to run these servers and eventually the viruses spread would logarithmically decay.
I am assuming that there is some way to re-infect an already infected machine with new code. This may or may not be possible.
It seems to me that this is the Internet fixing itself. The victims of these worms and viruses aren't just the owners of the infected machines. Depending on the payload, these viruses clog up the net, send spams to uninfected people, launch DOS attacks, etc. By not securing YOUR network against attack, you are being negligent and can harm others.
As I see it, this kind of white-blood-cell virus is defensible in much the same way as forced quarantine is. Yes, it may inconvenience people in Hong Kong who are uninfected, but it's for the good of the entire system.
So to address this:
Do you know how much work goes into protecting large corporate networks, rigorous testing of each and every patch before it goes into production, reacting to IDS alerts, identifying potentially vulnerable environments, etc...
I'd have to say, "Yeah? I don't care what rigorous testing you do--if you're vulnerable, it's better for you and your network to be hit by the "good" virus than the bad one. Because if you don't close the hole yourself in time, someone's gonna do it for you for the good of the Internet."
That's just my thought on the matter.
You never know - maybe Microsoft released cleanup as an "internet windowsupdate - mandatory!" :)
R
take a high school biology class and learn what pus is made of
I believe it's been mentioned before, but this is interesting that someone would write a virus to go out and fix the problem on PCs.
:)
Maybe he got tired of getting hit by code red, and the other variants that you always still see pinging your webservers and such.
If the sysadmin is lazy this is his dream a virus that does his job
But the corporate systems aren't either the problem or the victim here. If you're patched up and properly firewalled, you won't get either worm. (If you're not...)
The problem is the millions of home or small business PCs that are not administered by people who are paid to spend their time monitoring the security mailing lists, installing numerous patches and verifying their correctness, monitoring critical systems to ensure they aren't compromised, and otherwise making security a full-time job.
Some of these people are informed and smart. They install patches regularly, run personal firewalls, etc. These people aren't the problem either.
But the rest, the ones whose systems aren't protected, the ones who are going to get the "white worm", are the ones who are going to be causing the problems with MSBlast.
Now, the ethics of releasing a worm like this are obviously questionable. The practical benefits, however, could be pretty significant if it's done well. I don't think this is as black and white an issue as either side is making out on this thread.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
someone just finished reading Seth Godin's Unleashing the Ideavirus and had too much time on their hands?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
"We can rebuild it...we can make it faster....stronger....better...." Anyone have $6 million they could lend me?
It's a tough job, but somebody's got to do it.
This new fixing virus just reinforces the idea that the BLASTER virus was written by someone from inside Microsoft who knew the system's vulnerabilities too well.
Spoiled sports!
Exactly what kind of cracker writes stuff like this?
There has been discussion in my office (dialup technical support) about the Blaster worm and we all seem to agree it was really neat. I thought it was interesting in that no user interaction was necessary to get it. Just connect and you get it. It has had some interesting side effects, such as disabling copy and paste in Word, and killing the Office Assistant (man, if only that was all it did, I would want it); it can also kill Java in IE. And it causes a runtime error in the Earthlink Total Access 2003 mail client.
Just interesting things along with the obvious shut down your machine when you connect to the net.
It also seems to be written to be able to be removed without damaging your data. It occurs to me that it could have destroyed every system it was in if the programmer wanted it to.
Are these new? or am I just not aware of another worm that spread in a similar manner?
Let me know.
Isn't the windows version of Catia new? I thought that ran on Unix-like systems forever (meaning, I can't imagine Catia wouldn't run great or better on Unix than Windows).
If it did that, eventually it would self-kill all infected hosts until the few that remained can't find anyone else to infect.
Might make a good math exercise. As a host is cleaned and listens for attacks, it cleans other hosts, then those hosts also assume the vigilante role. Eventually you'd have fewer and fewer infected hosts searching for victims and more and more former victims waiting to be found. I would expect the count of infected hosts to reach zero at some point, given that the method to find new hosts is random enough. Question is, how many events would have to occur to reach zero?
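The "math exercise" in the post above, worked as a toy simulation. This is an added example, not code from the thread or from any real worm: it assumes, as the post does, that infected hosts scan addresses uniformly at random, and that a cleaned host becomes a cleaner that scans the same way, patching vulnerable hosts and disinfecting infected ones. Hosts occupy the first `n_hosts` addresses of a larger address space so most scans hit nothing, which is what makes the "how many events" count interesting. All parameter values are made up for the example.

```python
"""Added example (not from the post or from any real worm): the vigilante-worm
'math exercise' as a toy simulation with random scanning.

Assumptions: infected hosts and cleaners each scan `scans_per_tick` random
addresses per tick; a cleaned host becomes a cleaner (absorbing state);
hosts occupy the first n_hosts addresses of address_space, so most scans miss.
"""
import random

S, I, C = "S", "I", "C"   # vulnerable, infected, cleaned+patched (and scanning)


def simulate(n_hosts=500, address_space=5000, initial_infected=20,
             initial_cleaners=1, scans_per_tick=10, seed=7, max_ticks=2000):
    """Run until no infected host remains or max_ticks elapse.

    Returns (ticks_to_zero or None, history, total_scans): history is a list of
    (susceptible, infected, cleaners) per tick, total_scans counts the scan
    events the post asks about.
    """
    rng = random.Random(seed)
    state = [I] * initial_infected + [C] * initial_cleaners
    state += [S] * (n_hosts - len(state))
    history, total_scans = [], 0
    for tick in range(max_ticks):
        counts = (state.count(S), state.count(I), state.count(C))
        history.append(counts)
        if counts[1] == 0:
            return tick, history, total_scans
        nxt = state[:]                      # synchronous update: new cleaners scan next tick
        for st in state:
            if st == S:
                continue                    # vulnerable-but-uninfected hosts do not scan
            for _ in range(scans_per_tick):
                total_scans += 1
                target = rng.randrange(address_space)
                if target >= n_hosts:
                    continue                # nothing listening at that address
                if st == I and nxt[target] == S:
                    nxt[target] = I         # worm infects a vulnerable host
                elif st == C and nxt[target] != C:
                    nxt[target] = C         # cleaner patches it; C is absorbing
        state = nxt
    return None, history, total_scans


def peak_infected(history):
    """Highest infected count seen during a run."""
    return max(h[1] for h in history)


if __name__ == "__main__":
    ticks, hist, scans = simulate()
    print(f"infected reached zero after {ticks} ticks and {scans} scan events; "
          f"peak infected {peak_infected(hist)} of {sum(hist[0])} hosts")
```

Because the cleaned state is absorbing and cleaners keep scanning, the infected count always reaches zero in this model; the quantity worth varying is how the scan count to get there depends on how sparse the hosts are in the address space and on how many cleaners start the race. Run it with `initial_cleaners=0` to see the worm simply saturate the vulnerable population instead.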
I know RISKS discussed beneficial viruses a long time ago. I am still searching for that discussion. My recollection though was that the consensus opinion was that it was a bad idea...
Life imitating art? Or has this been happening for awhile now? Hmmmmm.....
DaveC
There are no stupid questions...just stupid people.
WTF?
echo 127.0.0.1 ads.osdn.com >> etc\hosts
Beeeeeotches!
Folks will be more than happy to inform you of the many holes in many packages installed out of the box for several linux distros-- wu-ftpd, for instance, that have let folks 0wn3r7 linux boxes in the last couple of years...
Maybe someone should release a worm to replace network traffic containing the term 'virii' with the correct term, 'Viruses'.
for the seriously, seriously stupid statement.
Windows is not a minor alignment issue. It is more of a "is safe until key in ignition is turned" type problem - and I'm actually paid to support it so I think I have experience in picking up the pieces...
I'll see your Constitution and raise you a Queen.
Those who pay attention to this sort of thing already had their machines patched. The driving-while-drunk-and-blind ignoramuses who still don't realize there's an msblast worm won't know or care about this one. Nor do they really give a damn what's running on their machine. So I say, let the worm spread!!!
That's the most interesting thought I've read under this whole story. Moderators - to work!
It does seem to fit in with the auto-update, but even so I'll bet there would still be troubles. Who knows if all corporate users have licences like that? A worm knows no contract boundaries...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Actually, it's more like the lock on your door is faulty so that someone only has to jiggle it to get in. Unlike the burglars, I break into your house to quickly replace the lock on the door then secure it on my way out.
"Sufferin' succotash."
I hope I didn't miss anything important.
One line blog. I hear that they're called Twitters now.
SolidWorks rocks! I have designed some sweet car parts in SW. Except, I can't seem to find anyone around here with a 4 axis CNC mill to cut anything for me without charging me a gazillion dollars :(
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
Since that also relies on your own immune system (recognizing the cow pox as foreign and developing a response to it that just happens to work against smallpox, too) it still isn't really equivalent. A better analogy might be a retrovirus that deletes or damages the genes for the apparently unnecessary co-receptors that the HIV virus needs (along with CD4) to cause infection.
Just in theory, say I wrote a worm that scanned networks for unpatched systems. Once detected, the program would leave a small text file on your desktop stating "READ ME TO SECURE YOUR COMPUTER". Inside the file would be an explanation of what was done, in layman's terms and technical jargon, also giving the URLs to Microsoft's website with links to directly download the .exe and the informational page itself. AND the source code for the worm itself (which after 7 days would terminate).
Would this be acceptable or not? IMHO it's like putting a note on someone's car door or house/apartment door saying... Please lock your door or someone could do something much worse next time.
To me this may be questionable, but I'm all for honesty and giving the user a choice.
Just my 0.02c
What do you guys think??
This isn't a bad idea.
How about using PUSH technology, while giving the user a choice to update or not. No one is going to go to an obscure MS website (mom & pop aren't techies) to download a patch for a funny sounding "feature" called 'DCOM'
Get real! PUSH technology is what MS will probably and almost certainly should do.
Thank you for your help. A friend sent me one link which is pretty detailed: http://www.blackviper.com/WinXP/servicecfg.htm
But, this does not tell what ports belong to what service.
If you want to own and use a computer, especially one connected to the internet, you have an implied obligation to make sure you know how to use and care for it properly.
Have you EVER worked tech support? I did it for home consumers buying their first computer from 1995 to 1996, and then for corporate users from 1996 to 1997. And those people were trendy. Now anybody can buy a com-poo-tah.
The home user will call for help plugging in the wires. (Color coding helps, but you still have to tell them that the green connector goes into the green plug.) Then they call every time there is a message they do not understand. (What is the difference between "Shutdown", "Standby", "Restart", and "Restart in MSDOS mode"? I just want to turn it OFF.) Then they call when they want it to do something but do not want to research it in any way. (I want to send a fax of this paper. I hold it to the screen and nothing happens. Did you buy a scanner? No.)
They want every ability they imagine without even knowing if the machine they bought can do that. They only worry about what they see. Any virus that does not announce itself will survive until the user calls tech support and is told to run the "Recovery disk". (Then they call back because they cannot open that picture they saved last week.)
Corporate users are slightly better because:
1. They have proven they have some brains, since they have escaped the retail world.
2. Their questions must be job-related.
3. The IT group set up the machine much better than any seller to home consumers.
Just like when you own a car. When your ignorance begins to impact and harm other people, any claim of innocence gets tossed right out.
In the US, a license is required to drive a car. You need to pass a theoretical and a practical test before you get the license.
A computer just requires some money. It is now possible to buy one for one week's take-home from working in a fast food job.
And yes, any computer that touches the internet has the ability to "impact and harm other people."
Who handles the licensing process?
The seller just wants to sell computers. Do you think they will put any restrictions on who can give them money? Besides, just get your techie friend to buy it.
The internet provider wants that monthly income. Can you force them to put restrictions on who can give them money?
I believe the ISPs should be held responsible for these types of problems. They firewall everything. If you want to open a particular port, you sign a contract that you will pay for any problems caused by its use.
- Port 135: Why would ANYBODY want this exposed?
- Port 25: Any spam reported and you pay a $500 fine and it is closed for 1 week. This will not stop the spammers, but will stop machines from being used as unknowing relays. Or the ISP can test the few people who are running SMTP servers once a month and alert the user that there is an issue. If it is not fixed by a second test, then fines and the port is closed.
I do not think it is possible to require anybody to be licensed to use a computer. No law aimed at the home consumer can be effective. So aim the laws at the ISPs, so they are universal. Keep them simple while forcing the ISPs to allow anything if the consumer is willing to accept responsibility.
IMPORTANT: If the law does not require them to open the ports on demand, then they will just close the ports for everyone. We would soon have email being tunnelled through port 80, and the concept of ports in TCP would die.
I put the fine at $500. The user had to ASK for that port to be open. And the fine should be enough that it is more expensive than paying someone to fix it. It should be cheaper to find someone to configure your SMTP server (or remove the trojan server) than to pay the fines.
I spend my life entertaining my brain.
maybe Microsoft released cleanup as an "internet windowsupdate - mandatory!" :)
That would fit with their philosophy of *embrace and extend*. Microsoft Viruses(R), the only DRM- and Palladium-compatible viruses. Catch one today! :)
Boy, nothing like proving his point in no time flat by showing the ignorance that can be the Linux community sometimes.
His point was, if a user ran out and bought a copy of Linux there are many scripting exploits out there that would tank a machine before it could patch itself. I don't think there is one for current distributions - but that doesn't mean one can't be found in the future.
Behind a firewall? I thought linux WAS a firewall. At least with Redhat it ASKS you to install the firewall - and even if it did and you selected 'medium' security the wu-ftpd exploit would have hacked it because port 21 is open under 'medium' as I recall.
I had the same thing happen with RH 6.2 when RH 7.0 first came out. I was downloading patches via my cable modem and a buffer overrun occurred within 1 hr of me installing. I don't remember for sure but I think it was the atd process.
At the time, I had no idea how to run linux and didn't think that people would script hacks of linux because it's the *real* os and no one would want to hack it like they do MS.
Proves that there are assholes that just do this for fun IMHO.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
Sure it all looks like a time-saving worm for all the admins out there, but what it does is very, very bad for the average security on the internet (a figure that has to be around 0.3 already no matter what scale you want to measure it by).
Like all worms that scan all possible hosts randomly instead of simply attacking hosts known to be vulnerable, Blaster is advertising vulnerable hosts to the world. A worm could prevent this by checking the make and version of the e-mail clients used to send mail in the mailboxes of an infected host and replying to vulnerable ones instead of every host in the address book. Also for webservers, the type of webserver serving the pages read during normal browsing of an infected client could be abused to find vulnerable servers. By attacking only hosts very likely to be vulnerable a worm will not only stay undetected for much longer (it won't appear hundreds of times in firewall logs or DShield), it will also stop vigilante internet users (or their worms) stopping infected hosts by going after their infecting attempts (providing the worm is undetected, OR very few vigilante net users are running vulnerable systems).
By scanning randomly, infected hosts are advertising their vulnerability to the world. Combine this with recent worms (Nimda and Blaster) which opened backdoors for easy entrance, and infected hosts with a fast connection "broadcasting" faster and thus to more hosts, and you have a recipe for attracting script kiddies looking for easy targets for DDoS drones, bounce servers or warez servers.
If an admin were to kick Blaster out of a machine taken by a script kiddie after a worm, the extra backdoors, DDoS tools or warez might get noticed and cleaned out; not with this worm! This worm stops and deletes blaster.exe (while leaving the startup registry key, which just might mean everyone could put a blaster.exe in the path for local privilege escalation). If this new worm were to disinfect a host it might leave a perfectly secure unattended DDoS node on the net because no admin noticed something being wrong ("system rebooted 2 or 3 times, doing fine now, continue playing minesweeper"). This is bad because no matter how good your OS security is, defending against DDoS is tough, especially from these unattended Windows systems. If things were really bad you could crack these zombies to get the DDoS clients out, but this worm just might close the last entrance for that.
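The post above points at a real failure mode of any automated cleanup: the file goes, the autostart entry stays, and a bare file name in a Run value is resolved through a PATH search at logon. The check below is an added example, not the worm's code or any vendor tool: it audits `reg query` style output of the Run key for values whose executable is missing or referenced by bare name, and flags Blaster's known persistence value ("windows auto update" pointing at msblast.exe). The sample registry text and the file list are constructed for the example; on a real host you would feed it `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and let it use `os.path.exists`.

```python
"""Added example (not from the thread or from any vendor tool): audit the Windows
Run key for dangling or PATH-resolved autostart entries, the leftover the post
describes. Blaster's value name/data are documented; the sample `reg query`
output and the file list below are constructed for the example."""
import os
import re

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BLASTER_VALUE = "windows auto update"   # Blaster's persistence value name -> msblast.exe

# Constructed sample of `reg query <RUN_KEY>` output after a cleaner removed the
# msblast.exe file but left the value behind.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    windows auto update    REG_SZ    msblast.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE
"""

# value lines are indented; columns are separated by runs of spaces, and a
# value name may itself contain single spaces ("windows auto update")
_VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_run_values(reg_text):
    """Yield (name, data) for each string value in reg-query style text."""
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line)
        if m and m.group("type") in ("REG_SZ", "REG_EXPAND_SZ"):
            yield m.group("name"), m.group("data").strip()


def executable_of(command):
    """The program part of a Run value: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_run_entries(reg_text, existing_files=None):
    """Return findings for Run values that are dangling or resolved via PATH.

    existing_files: set of lower-cased absolute paths that exist on the host;
    None means ask the real filesystem with os.path.exists.
    """
    def exists(path):
        if existing_files is None:
            return os.path.exists(path)
        return path.lower() in existing_files

    findings = []
    for name, data in parse_run_values(reg_text):
        exe = executable_of(data)
        issue = None
        if exe and not (":" in exe or "\\" in exe or "/" in exe):
            issue = ("bare file name: resolved by PATH search at logon, so any "
                     "writable PATH directory can supply it (hijackable)")
        elif exe and not exists(exe):
            issue = "file missing: dangling autostart entry"
        if name.lower() == BLASTER_VALUE:
            issue = "Blaster persistence value still present; " + (
                issue or "its file exists, host is still infected")
        if issue:
            findings.append({"name": name, "command": data, "exe": exe, "issue": issue})
    return findings


if __name__ == "__main__":
    present = {r"c:\windows\system32\ctfmon.exe"}       # constructed file list
    for f in audit_run_entries(SAMPLE_REG_QUERY, present):
        print(f"{RUN_KEY}\\{f['name']} = {f['command']!r}: {f['issue']}")
```

The bare-name finding is a weak signal on its own (plenty of legitimate OEM entries look like `SOUNDMAN.EXE`), which is exactly why a leftover `msblast.exe` value is easy to overlook: the value name is the tell, not the shape of the data.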
Besides, if microsoft hasn't been moving towards securing their systems, I don't know who has.
Okay, I'll bite -- I never could resist a straight line. Sure, Microsoft has been inching up on security for over twenty years, and at the rate they're going, Windows 2200 should be secure. That'll be another ten code reviews, right? :)
Seven wise men with knowledge so fine,
created a pussy to their own design.
First was a butcher, with a smart wit,
and using a knife he gave it a slit.
Second was a carpenter, strong and bold,
with a hammer and chisel he gave it a hole.
Third was a tailor, tall and thin,
by using red velvet, he lined it within.
Fourth was a hunter, short and stout,
with a piece of fox fur, he lined it without.
Fifth was a fisherman, nasty as hell,
threw in a fish and gave it a smell.
Sixth was a preacher, whose name was McGee,
he touched it and blessed it, and said it could pee.
Last was a sailor, dirty little runt,
he sucked it and fucked it, and called it a c***.
-- unknown
The "good" worm carries the distinctive string "SKYNET".
Rumours are that it also likes to play a special DOOM mod.
Have a good day.
I'm not naming names, but you heard the concept HERE First.
Virus fighting in the 21st century.
It Will be Back !
Anything near this box now is highly secured (after 15 calls to run to people's houses and fix Blaster, and then patch the box). I've got like 3 F-Prots running, SpamAssassin on all incoming mail, and tons of other stuff. My firewall is much more secure now, and everything... I will NOT put up with this script kiddie garbage anymore... I just wish people would think security. I guess Linux users think about it more than Win users, because nix users don't get hit with a million popups... and most Windows users AREN'T wise enough to click NO or turn off ActiveX -- All hail the penguin
In Soviet Russia, shop sets up drug dealer!
Well, ok, that did give me a chuckle, but seriously. I think they've made some very substantial progress towards improving Windows security, and I'm not just talking bugs in code. For example, Active Directory allows administrators to set security settings for all the computers in a domain so you can more effectively control things like script execution and ActiveX controls and lots and lots of other stuff. We now have free tools like SUS (Software Update Services) to help us distribute patches across our network. Now XP ships with its own built-in software firewall. Also the authentication mechanisms supported in 2000 and XP are greatly improved over NT. We've also got neat semi-useful tools like MBSA (Microsoft Baseline Security Analyzer) and the iis_lockdown wizard. And let's not forget the Windows DOS line is dead. I'm not saying they have the best security around, but they have definitely made some very real, very substantive improvements.
My firewall sure is showing a lot of Ping attempts, thankfully they've all been blocked, just like the probes from the original worm.
<LUSERMODE>Where can I download the patch for My Blaster?</LUSERMODE>
CAn'T CompreHend SARcaSm?
I agree that any worm seems bad but as you say there are so many people that don't know how to patch their own machines or are just too lazy. Since the worms are hurting the Net as a community, doesn't the community have some right to force people to protect themselves? I for one would find it acceptable if all worms were followed by counter-worms that patched systems infected or at risk. Obviously, if you were a careful admin of your systems you'd already be patched and therefore at no risk of this inoculation. I would however be annoyed if these forced patches started happening before there was an evil counterpart using the exploit, as I have reasons for sometimes delaying patches.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
On how to make one that would be able to be 'certified' to be a good anti-virus virus. (or worm, or whatever)
Basically, it phones home to a central server (can't add code to itself- would be able to crack and create quick copy without any problem) with a 'key' created by parts of the hardware. Then, home server sends back other 'key' that is stored in windows (or whatever OS) in a certain spot- error log, creates program, etc with that 'key' and a link to the central server's web site that you can enter your 'key' into and verify that you have a valid 'certified' virus. Ala XP.
Maybe even make this a program...wait...doesn't that sound like...*gasp* antivirus software now?
Back on topic, but this would be a way to do it. Except:
1) You would need massive hosting space (or dedicated 'net access) to do this.
2) Server (and likely you) residing in a country that isn't touched by the DMCA.
Unless...
You had it as part of Windows that could automatically update the machine(s). But now you're talking about Windows Update (once again an already born product).
But, either one of these could sell. Idea under #2 could work, especially for those not running XP (where autoupdate is a feature) such as 98, etc where mass installs would be good (and for those without a local IT guy who can remotely update a whole set, or without an IT guy at all...ala phone call to tech support which cost megabucks per call/visit/comp/whatever)
Just my $0.02**
**-varies, depending on inflation and local currency exchange rates.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
ICMP traffic - http://isc.sans.org/images/icmpfp.png FYI - that source range that looks like it's generating the traffic seems to exist in the 141.211 - 141.213 range -- University of Michigan...
Key quote:
The attack was apparently an attempt to cripple the site and make it more difficult for users to protect their computers against the Blaster worm. But Microsoft on Friday changed the way it routes computers to the site, averting the attack.
Take a look at how they did it: While large web sites normally use Akamai's services to serve static content (images/media/text) to the world on a massive scale (thousands of servers, gigabits/second of traffic), they leveraged their infrastructure to implement what I call the "Save Your Ass" DDoS protection product. They use their farms of web servers as reverse proxy cache web servers for your web site. The servers would forward legitimate dynamic requests to your web server and serve cached images directly. Since SYN floods aren't valid requests, they'd get dropped at Akamai. Microsoft would deal with only a normal amount of traffic.
Akamai kicks butt (used them myself, and their competitors, too), but Akamai is expensive - once quoted at $1000/Mbps a couple years ago. Even if Microsoft's Windows Update service still works properly, they now have real monetary damages due to a security flaw because they now have to pay Akamai for service.
Interesting note: Akamai is/was mostly Linux-powered. So are Microsoft OS clients talking through Linux boxes to get to Microsoft?
Linux saves Microsoft - news at 11.
-ez
Karma - Whore (based on your use of Anonymous Coward when posting garbage)
The time that I told everyone in our high school 'Happy Mole Day!' while in the computer lab during chemistry class. Yeah, people weren't very happy.
John Hancock
On my linux firewall guarding a company network I was seeing way over 1 million ping packets per minute at one point! I'd call that a DDoS attack! From the inside out.
For those with Linux firewalls, try the following iptables rules to rate limit those ping packets:
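The iptables rules the post announces are not on the page. As an added illustration (not the poster's rules), here is the token-bucket behaviour that the iptables `limit` match implements, run over a constructed burst of echo requests so you can see what `--limit 1/s --limit-burst 5` does to a scanning host's ping stream. The rule shape it models is `iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT` followed by `iptables -A INPUT -p icmp --icmp-type echo-request -j DROP`. The timestamps below are made up for the example.

```python
"""Added example, not the poster's firewall rules: the token bucket behind the
iptables `limit` match, applied to a constructed burst of ICMP echo requests.

Models:  -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
         -p icmp --icmp-type echo-request -j DROP
"""


def limit_match(timestamps, rate_per_sec=1.0, burst=5):
    """Return one decision per packet: True = matched the limit rule (ACCEPT),
    False = fell through to the DROP rule.

    A bucket holding at most `burst` tokens refills continuously at
    `rate_per_sec`; a packet matches only if a whole token is available.
    """
    tokens = float(burst)          # bucket starts full, so a short burst passes
    last = None
    decisions = []
    for t in sorted(timestamps):
        if last is not None:
            tokens = min(float(burst), tokens + (t - last) * rate_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions


# Constructed input: 20 echo requests inside one second from a scanning host,
# then a single legitimate ping twelve seconds later.
FLOOD = [i * 0.05 for i in range(20)]
LATER = [12.0]


def demo():
    """(accepted out of the 20-packet burst, decision for the later ping)."""
    d = limit_match(FLOOD + LATER)
    return sum(d[:20]), d[20]


if __name__ == "__main__":
    accepted, later_ok = demo()
    print(f"burst: {accepted} of 20 accepted; ping 12 s later accepted: {later_ok}")
```

Note that `limit` is a single bucket shared by every source hitting the rule, so one flooding host starves everyone's pings; the `hashlimit` match (`--hashlimit-mode srcip`) keeps a bucket per source address and is the better fit for a worm that pings from many infected hosts at once.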
Moooo.
Oh, wait....
realityshunt
Democracy is susceptible to being led astray by having scapegoats paraded in front of the electorate.
You know, in the olden days, we didn't have "computers" or "pacman video games" or even your "dan fogelberg". All we had were pouring salt on slugs and chasing snakes. Worms, how ridiculous. Worms are faggots. or is that not politically correct enough for you computer freaks?! I FOUGHT IN 'NAM AND WE DIDN'T TAKE BULLCRAP FROM WORMS!!
Whether it's port 135 or pings, I'm sitting here watching my firewall reject these packets.
While the computer is vulnerable, it's not exactly saying so. With the worm doing its thing the computers are now saying "hack me, I've got holes!"
If I were a dodgy sort, I could be collecting these IPs and installing backdoors on them all, for my later use.
Personally, if I knew I had the worm, I wouldn't trust the computer any longer.
It would be a format/reinstall.
"It patches the hole and wipes out the worm if present, then deletes itself in 2004. Great...except, MSBlaster wasn't the only thing that took advantage of the RPC/DCOM exploit. Oops. Now the system administrator has no cause to take any of the above steps because from his view, sitting in his office running the latest eEye scanner, the machine was never vulnerable."
I just read like 400 posts and yours was the only one to convince me that it was a bad thing for this to get wiped. Sometimes I love Slashdot.
its easy if you try
... the idea that worms could fight worms, remotely, and patch end users' systems?
Think about it: If they know about a security hole, they should corner the market and exploit it first to patch the hole.
Help us build a better map!
I agree, however the term "Virus" will not be used. Instead, the term "autonomic update" will come into vogue. ;)
Despite the smiley face, I'm NOT kidding!
In the future, I would want to not be isolated from my friends in the Space Station.
Heh, nice story!
One thing though is that the Archimedes range used 32 bit ARM processors and the BBC Micros used the 8 bit 6502. Completely different architectures. How could the virus run on both?