RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
my whole business model...
Oh well, what the hell...
I'm taking bets on how long until the first lawsuit comes out against the person or persons who wrote this helpful worm. I say it will happen before the people who wrote the destructive worms are even arrested.
I'm glad someone took the initiative to fix this. Hopefully the worm is successful in patching the machines.
Now, as much as this is a good idea, it is bad because it reduces Internet bandwidth and creates users who don't know how to run Windows Update; if someone else keeps fixing the problem, it will never be fixed.
Heh, if this turned into a trend, it could spell the end of an industry - the virus-removal industry. Imagine: open-sourced, hunter-seeker virus-removal worms, out in the wild nearly as fast as the original, cleaning up the mess some scridiot created in a fit of juvenile mischief. Somehow, I don't think the virus writer/scanner cartel will let this become a trend.
Except that white blood cells don't usually cause lots of damage themselves. Even a "white-hat" worm causes lots of traffic and can thus bring down networks and make innocent people pay for lots of wasted bandwidth.
This is probably the best Internet virus news I've heard in a long time. Unfortunately, it's only a matter of time before the creator is tracked down and prosecuted for violation of Internet security laws.
D
No good deed goes unpunished. Who's going to give odds that the writer(s) of the 'good' worm will get caught and strung up by the short hairs under the DMCA? As long as it only affects machines that haven't already been patched - great. But what if it's flawed and actually causes unintentional damage? And if the original Blaster authors' intent was to teach people who ignore warnings a lesson, might this not start a virus war of sorts? Sounds cool, but I'm not convinced this is an entirely good thing.
Last week we were discussing the MSBlast worm here in the office and I commented, rather offhandedly, "I wonder how long it will take before someone writes a phage worm that uses the same hole, but eats MSBlast?"
Apparently the answer is 'Four days at most...'
The extent to which the Internet recapitulates evolution and biological systems is astounding!
You haven't popped a zit in a while have you?
A sensible worm, although it will be interesting to see how many anti-virus companies will classify this as a "threat" or not, don't you think?
;).
- It is a worm by nature, but it also does good, without the user's authorization... Sounds a bit like automatic Windows Update gone postal.
"See? See?!! We don't need to patch our systems because Microsoft is doing it for us by mailing us the fix in e-mail! See?! I'm not afraid of worms because eventually someone will fix it for me!"
Un-news
You know all those annoying car alarms that go off in the middle of the night waking everybody up?
I've made a better car alarm: it makes an even LOUDER sound, thus drowning out the original car alarm for everybody's protection.
It's the first time I've seen a car alarm that actually does something good!
innocent people
Not so innocent if they let themselves be infected by Blaster and haven't had the presence of mind to clean it up and patch their system.
~Berj
No, and if you'd keep your hands out of the Cheetos bag and pick up a healthy Subway sub instead of your double QP with cheese, you wouldn't either.
Except that white blood cells don't usually cause lots of damage themselves.
Except in an autoimmune disorder.
Let's see...

Does it magically boot the system off known good media to check for rootkits/backdoors/trojans/[insert favorite evil here]??? No.

Does it magically monitor the traffic to and from the machine for a reasonable period of time to ensure that nothing is amiss??? No.

Does it reinstall the host OS from the original media and restore the last known good backup??? No.

So...what does it do?

It patches the hole and wipes out the worm if present, then deletes itself in 2004. Great...except MSBlaster wasn't the only thing that took advantage of the RPC/DCOM exploit. Oops. Now the system administrator has no cause to take any of the above steps because from his view, sitting in his office running the latest eEye scanner, the machine was never vulnerable.

When will folks figure out that these so-called "good worms" are not a good thing? The failure of the author to take note of such fundamental flaws in his or her logic suggests that they have no business doing anything, much less volunteering to correct the world's problems. Of course, this could be a deliberate cover-up...but somehow I think it's just another security cowboy trying to save the world.
What happens when someone releases an...
[starts coding furiously on a anti-Gator worm]
The thing about the "white-hat" worm is that it'll eventually kill itself - as it runs around patching machines, there are less vulnerable machines out there, so it will lose its ability to spread.
Or, put another way, if there were no "white-hat" worm that might also up traffic for a while, there will probably be a black-hat one that WILL up traffic for a while, AND format a few hard drives to boot. Erm, not boot.
And you will know enough to either get rid of it or not get it in the first place. Think of how many people have things like Gator on their machine...which they in a way installed (kazaa, etc)...and have not a clue why they get so many popups.
For the rest of the people out there who would never even know they have this, I'd much rather have them infected with this version.
I would hope after a certain amount of time, it stops trying to find other infected machines. My previous post is based on this assumption.
-Pete
I've been getting a lot of firewalled ping activity today, must be that cleanup worm. Machines that the Blaster worm never even tried to hit. I wouldn't trust a cleanup worm one bit more than I would Blaster. Everyone knows (or should know) you can't count on good intentions on the Internet!
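The "firewalled ping activity" described in the comment above is the pattern a scanning worm leaves in perimeter logs: one source hitting many distinct addresses with ICMP echo requests in a short window. The following is an added example, not code from the thread, from SANS ISC or from any worm analysis. The log line layout (`<ISO timestamp> DROP ICMP type=<n> src=<ip> dst=<ip>`) and the sample lines are constructed assumptions; adjust `LINE_RE` to your own firewall's format.

```python
"""Detect ping sweeps in perimeter firewall logs.

Added example for this thread, not code from the original post or from SANS ISC.
The log line format is an assumption (a syslog-style DROP record); adjust
LINE_RE for your firewall. Sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed record layout: "<ISO timestamp> DROP ICMP type=<n> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP ICMP type=(?P<type>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


def parse_echo_request(line):
    """Return (timestamp, src, dst) for an ICMP echo request line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("type") != "8":   # type 8 = echo request; replies and non-ICMP are ignored
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst")


def detect_ping_sweeps(lines, window_seconds=60, min_targets=20):
    """Map each scanning source to the peak number of distinct hosts it pinged
    within any window of window_seconds. Sources below min_targets are dropped,
    so a host that pings one box repeatedly, or many boxes slowly, is not flagged."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_echo_request(line)
        if rec:
            ts, src, dst = rec
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()
        in_window = defaultdict(int)   # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            in_window[dst] += 1
            # slide the window forward: evict probes older than window_seconds
            while (ts - window[0][0]).total_seconds() > window_seconds:
                old_ts, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def build_sample_log():
    """Constructed sample: one sweeping host, one chatty-but-harmless host,
    one slow scanner, plus lines the parser must ignore."""
    lines = []
    # 10.9.8.7 probes 40 consecutive addresses in 40 seconds: the sweep pattern
    for i in range(1, 41):
        lines.append(f"2003-08-18T09:12:{i:02d} DROP ICMP type=8 src=10.9.8.7 dst=192.168.1.{i}")
    # 10.1.1.5 pings the same host twice: not a sweep
    lines.append("2003-08-18T09:12:05 DROP ICMP type=8 src=10.1.1.5 dst=192.168.1.10")
    lines.append("2003-08-18T09:13:05 DROP ICMP type=8 src=10.1.1.5 dst=192.168.1.10")
    # 10.2.2.2 touches 30 hosts but only one every five minutes: below threshold
    for i in range(30):
        minutes = i * 5
        lines.append(f"2003-08-18T{10 + minutes // 60:02d}:{minutes % 60:02d}:00 "
                     f"DROP ICMP type=8 src=10.2.2.2 dst=192.168.2.{i + 1}")
    # an echo reply and a TCP line are ignored by the parser
    lines.append("2003-08-18T09:12:09 DROP ICMP type=0 src=10.1.1.6 dst=192.168.1.10")
    lines.append("2003-08-18T09:12:11 DROP TCP src=10.1.1.9 dst=192.168.1.10 dport=135")
    return lines


if __name__ == "__main__":
    for src, peak in detect_ping_sweeps(build_sample_log()).items():
        print(f"ping sweep from {src}: {peak} distinct hosts within 60 s")
```

The distinct-destination count is what separates a sweep from ordinary noise: a monitoring box that pings the same gateway every second never grows past one target, while a slow scanner only trips the alert if you widen the window, which is the knob to turn if a worm throttles itself.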
He's such a white hat he can pay my bandwidth bill for me.
Who's going to pay for your bandwidth when the real worm gets out of hand? Better a pre-emptive strike from a beneficial source with minor inconveniences than a serious problem from a malicious source which would cause even more traffic problems.
>> However it can be sort of viewed in the way vaccines are
Sure... but when was the last time a nurse jabbed you in the ass with a vaccine while you were walking down the street stuffing your mouth with doughnuts?
Even vaccines are voluntary things that have risks...
MadCow.
So, if you leave the door to your house unlocked, you're giving me permission to enter and nail plywood sheets over the doorway? Cool. It's for your own good, after all. Better that I render your house impregnable than a drug dealer gets in and sets up shop. Oh, by the way, I'm not a carpenter, so if I accidentally break a couple of windows in the process, you won't mind, right?
You seem to overestimate the common person's knowledge and savvy about even the very need to patch their systems. See this personal account. You would be surprised just how innocent people can be. Start - Windows Update? Sure, it's there, but if they don't know *why* it is there and it hasn't been scared into them at a personal level, they probably won't play with it, for fear they'll break something and have to pay a repair man at a shop somewhere to fix it.
But what this will do is make leet hackers try to industrialize their worms. Such things as taking more control over the system, disabling all traffic to Microsoft, attacking virus protection, or even closing the door themselves so that cleaner worms or "copy-cat" worms can't get in.
The evolution of the "worm" has begun.
Hey, it's more fun than CoreWars! (To people of a certain mentality.) Once a vulnerability is discovered, the contest is on to see who can write the best worm to take over the largest number of machines, and keep competitive worms out. I suspect your statement about the beginnings of the evolution of the worm is very prophetic.
If a worm such as this was written whenever a large vulnerability was discovered, and designed to be limited to a specific block of IP addresses, it could be a handy thing to have on hand for someone who admins a large private network. If your network doesn't get hit, then great, but if it does, just let this loose to clean things up.
The other question I have is whether or not the W32/Nachi worm cleans up after itself if it cannot find a host to spread to. The "cure" may turn out to be no better than msblaster if it generates massive network traffic looking for new hosts.
You know, a really cool way to get around this is have the worm only trigger an infection when a Slammer infection attempt is detected. This way, you'll only hit infected machines. Then, coupled with an expiry time, this thing could be relatively benign (well, other than the whole "break into computers and install software without permission" thing).
Your "robbery victim" analogy isn't right (ChrisDolan's is slightly better.) Let's try a more accurate one:
Someone has entered your house through an unlocked back door and installed a device which disrupts your (and other people's) wireless networks. You're not only the victim of a crime, but by being a victim (and leaving your door unlocked) you're causing harm to others (in the case of the virus, it's spreading to others, being used in a DOS attack, etc.) Someone then comes in through this still-unlocked back door, removes the harmful device from your house and locks the door on his way out.
Sound better?
In ChrisDolan's analogy, "boarding up the door" is over the top.
Granted, I don't know any details on *this* virus (how long it hangs around, how much traffic it causes) but it sounds like a pretty good idea.
~Berj
You would be surprised just how innocent people can be
You seem to be confusing innocence with willful ignorance. If you want to own and use a computer, especially one connected to the internet, you have an implied obligation to make sure you know how to use and care for it properly. Just like when you own a car. When your ignorance begins to impact and harm other people, any claim of innocence gets tossed right out.
Windows is listening on about 6 ports. What services can I safely turn off so that those 6 ports are closed? These machines are simple TCP/IP client machines that do not need/want/use any Microsoft "innovations". I just need to be able to get to www and pop servers.
Any help would be appreciated.
These worms are child's play; it is only a matter of time before someone decides to do something *really* nasty with a well thought out worm.
There are probably thousands of programmers out there that could have written the blaster worm. Most did not want to do it. Of those that would, most seem to be content to write prankster-style worms. One individual decided to write an anti-worm-worm.
What if one had decided to write a *really* malicious worm? In my mind, it is a 99% certainty that eventually some pissed off malcontent will do so. And they do not even have to be in the country.
Imagine a malicious government, with 100 dedicated programmers.
Or a well funded terrorist or anarchist.
Imagine multiple simultaneously spreading worms, helping each other by opening backdoors, targeting Windows systems, Apache web servers, hardware routers, telephone switchboards, and whatever else they can find. And the payload? Designed to inflict the most economic damage. Perhaps even a smokescreen to illicitly gain access to systems that manage power, water, electricity, and actually cause physical damage too.
Governments need to sit up and take notice, this is serious stuff.
What, that takes longer than a week? The "cure" may turn out to be no better than msblaster if it generates massive network traffic looking for new hosts.
No, this cure is no better than the disease. When a machine is compromised, it must be rebuilt. What makes you think your particular copy of Nachi is doing your work for you? There's no telling what the damn thing has done and the box is screwed.
The real cure it to get rid of insecure software like Microsoft makes. Companies that don't start moving toward secure platforms deserve to die.
If you can't get rid of it because you are enslaved by AutoDesk or similar, blind Microsoft to the network and dual boot it or VMware Windblows. Free software network tools are obviously superior and should be used for moving information around. Hell, ProE on Mac OSX is better for both purposes than AutoCAD on windblows. Similar solutions can be found where free software does not exist yet.
Friends don't help friends install M$ junk.
If Blaster wasn't in the wild, Nachi would be abhorrent. But the thing is, Blaster is in the wild. It's folly to pretend otherwise.
I can see the pragmatic value of this form of worm, as long as it follows the rule that it should under no circumstances do more damage than the worm that it blocks. Sure, I'd still like to kick the crap out of whoever released it, but I'd shake his hand first.
It's a nice thought, but when it comes down to it, it's still a worm. It installs itself on your machine, without your permission, exploiting a hole in the Windows RPC code, downloads patches without your permission, installs the patches, still without your permission, and then sits there until it kills itself on Jan 1, 2004. I know on Slashdot there are enough people paranoid about Windows patches to want to not download them anyway, this will surely set them off. If worm/virus authors were ever tracked down and prosecuted, I'd demand the author of this worm to be dealt with in the same manner.
On a more practical side, though, perhaps we need more of these, enough people seem to not patch their systems themselves...
A worm's growth is exponential. It needs to reach a critical mass, then it unleashes itself. The problem with a worm that seals the vulnerability is that the growth will spiral downward exponentially. It's like a parasite that kills its host too quickly. I'm not quite sure about the details, maybe a mathematician can help me out, but my gut reaction is that this might not work.
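Picking up the request for a mathematician in the comment above, and the earlier point that a patching worm starves itself as the vulnerable pool shrinks: here is an added toy compartment model, not from the thread and not anyone's actual worm code, that runs a Blaster-style worm and a Nachi-style patching worm against the same population. Every number in it (host count, scan rate, starting populations, the tick at which the patching worm deletes itself) is an assumption chosen to make the dynamics visible, and the address space is assumed to equal the host population.

```python
"""Toy compartment model of Blaster vs a Nachi-style patching worm.

Added example for this thread; not from the original comment or any worm's
actual code. All numbers (host count, scan rate, starting populations,
expiry tick) are assumptions chosen to make the dynamics visible.
"""
from collections import namedtuple

Tick = namedtuple("Tick", "t vulnerable blaster patched traffic")


def simulate(n_hosts=100_000, blaster0=1_000, nachi0=1,
             scans_per_tick=10, nachi_ttl=50, ticks=80):
    """Deterministic mean-field simulation; one Tick per step, state at the
    start of the step plus the scan traffic emitted during it.

    vulnerable: unpatched, uninfected hosts (the worms' food)
    blaster:    hosts running Blaster, still unpatched, still scanning
    patched:    hosts the patching worm reached; immune, but they keep scanning
                until nachi_ttl, when the worm deletes itself
    traffic:    scans emitted per tick by every worm instance (relative units)

    Each worm instance fires scans_per_tick probes at uniformly random hosts, so
    a probe lands in a compartment with probability size / n_hosts (assumption:
    the scanned address space is exactly the host population).
    """
    s = float(n_hosts - blaster0 - nachi0)
    b = float(blaster0)
    history = []
    for t in range(ticks):
        p = n_hosts - s - b
        nachi_active = p if t < nachi_ttl else 0.0
        history.append(Tick(t, s, b, p, scans_per_tick * (b + nachi_active)))
        rate = scans_per_tick / n_hosts
        # Blaster recruits from the vulnerable pool only
        new_b = min(s, b * rate * s)
        # the patching worm recruits from what Blaster left, and from Blaster hosts
        new_p_from_s = min(s - new_b, nachi_active * rate * s)
        new_p_from_b = min(b, nachi_active * rate * b)
        s -= new_b + new_p_from_s
        b += new_b - new_p_from_b
    return history


def milestones(history):
    """First tick at which the vulnerable pool and the Blaster population are empty
    (None if that never happens within the run)."""
    def first(attr):
        return next((tick.t for tick in history if getattr(tick, attr) == 0), None)
    return {"vulnerable_gone": first("vulnerable"), "blaster_gone": first("blaster")}


if __name__ == "__main__":
    run = simulate()
    print(milestones(run))
    for tick in run[:8] + [run[49], run[50]]:
        print(f"t={tick.t:2d} vulnerable={tick.vulnerable:9.0f} blaster={tick.blaster:9.0f} "
              f"patched={tick.patched:9.0f} traffic={tick.traffic:9.0f}")
```

The run shows both halves of the argument in this thread: the patching worm does not fizzle, because the population it feeds on (unpatched hosts, infected or not) is exactly the population it converts, and it reaches all of it within a handful of ticks. But once everything is patched, every converted host is still emitting `scans_per_tick` probes, so the scan traffic sits at its maximum until the expiry tick; compare `simulate(nachi0=0)`, where Blaster alone saturates the same population and never stops scanning. The "cure" only costs less bandwidth than the disease if it stops scanning once there is nothing left to find.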
Agreed. It is a great service from an unknown person. However, it is not an ethical thing to do. Okay, ethics vary from person to person, but this is very questionable.
The question is: "would fixing a computer without giving the user the option to accept it or not be a right thing?"
Many may remember what happened when such things were tried to be implemented by a known Megacorp.
Me, I'd rather not be a luser and play by the book, updating my system frequently and using antiviruses on my Win machines.
After a while, these analogies become completely pointless. We all understand how these programs work, and we can talk about them specifically. Right or wrong on its own merits, not because it's 'like' something both hypothetical and ridiculous in the real world.
It's viral, so it's not really a vaccine. It's more like cow pox. Cow pox is contagious, but not severe. And, if you get cow pox, you become immune to small pox (and cow pox, of course) forever after.
I'd agree if the fix came out first.
But if a worm/virus/elephant is released creating mass media, and another one is released abusing the same, you deserve it. Plus it at least has a good intention. It's better to try than to not.
Although this looks like a great little worm, going after a nasty, poorly written worm, it effectively launches a DDOS attack against the real windowsupdate site, by downloading patches as it spreads at an exponentially increasing rate.
I see a new arms race coming up. "White hat" virus/worm writers vs "black hat" virus/worm writers.
Or perhaps it was just that one of them finally realized that to make headlines (and get the attention that these guys seem to crave) it had to be different from the rest. Since worms usually cause damage, what better way to be different than by fixing damage?
Or perhaps it's simply microsofts latest patch distribution strategy. "We use our holes to patch our holes". (So they're not bugs, just an update distribution feature)
In the case of Windoze, I do not mind. Windoze users gave up their freedom when they paid Big Brother Bill to lobby Washington to take away their freedom. But a few or even one individual controlling the entire Internet and, by extrapolation, most if not all world communication: That is frightening.
Sorry you have such contempt for others that don't choose the same OS as you do.
In response to your comments about super worms...
One thing that is coming from Microsoft is a Layer 7 filter with a simple user confirmation interface to augment the firewall for incoming and outgoing traffic.
It has the possibility to virtually remove any worm threat to Windows.
I hope other OSes will follow suit and make Layer 7 filtering a standard feature on the desktop and not just in server environments providing routing and caching.
Seriously, this isn't the equivalent of popping a zit. A much better parallel would be an armed group, going around and popping the zits of everyone they encountered while holding them at gun/knife point.
not a single one has not seen
!(not a single one has not seen) == everyone has seen
That would have been soo much easier to read.
Why wasn't the machine behind a firewall? If it was your first Linux install, why did you install wu-ftp and set it to listen to the net, before checking for security issues? That's certainly not the default. Just because it's Linux doesn't mean you don't have to be careful.
Litigious bastards
You seem to be confusing innocence with willful ignorance. If you want to own and use a computer, especially one connected to the internet, you have an implied obligation to make sure you know how to use and care for it properly. Just like when you own a car. When your ignorance begins to impact and harm other people, any claim of innocence gets tossed right out.
Great, so YOU go explain to my mom how to. I live 1300 miles away, I get my sister to when possible, and I do when I visit, but she's 67, and has no hope of being L33+. "Obligation" is a bit harsh. We want everyone on the Internet (it made it cheaper) and we talk about being inclusive, but then we talk shit about how superior we are and how people who get confused about updates should not be on the net.
The problem isn't my mom. The problem is the dickholes who write very bad OS software that must be patched weekly. And no, she wasn't infected. I had been down visiting and updated her.
Your message kind of proves my point. Yes, I should have done a lot of things before connecting or installing wu-ftp, but I was a happy consumer that bought RH at CompUSA that kicked "next", "next", "next" on the install wizard.
My point is, out of the box, RH (i.e. Linux to the masses) isn't much better than Windows. You shouldn't have to be a pro to get a secure version installed. Checking on the "net" is not what I would expect the consumer to do.
Ron
See, I would tend to disagree. being a long time Mac user, I've struggled to figure out why the MacOS, which I consider to be clearly superior to Windows, hasn't done better. I finally realised: people are lazy and unlikely to vary from what they're used to.
Sure, the learning curve to switch from Windows to Mac, and the Mac experience is easier to use, more stable, less virus-prone etc etc, but people assume it's different. And just try answering the question "Does the Mac use Windows?"
Linux is an even harder sell, because most of the benefits are technical. With OS X, I can show the cool iTunes visualiser, the pretty Aqua GUI, the Mail.app spam filter etc. But try telling me mom why a recompilable kernel-based OS is superior to a monolithic architecture, and watch her eyes glaze over. Start talking about SMTP, POP, NFS, inetd etc etc and you'll lose her.
I don't see Linux or (sadly) MacOS gaining much dominance because it's a self-perpetuating cycle: the more people use Windows, the more they're used to it, and the less likely they are to change.
It's the same reason many people eat at McDonald's regularly, instead of trying new places.
You obviously have time to post on Slashdot. Why wasn't your network patched already, anyway?