Slashdot Mirror


RPC DCOM Cleanup Worm Appears

UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."

39 of 758 comments

  1. So cool! by KingDaveRa · · Score: 5, Interesting

    Oh wow! This is the internet equivalent of white blood cells! First there were white-hat hackers. Now white-hat virus writers? Makes a damn good change!

    1. Re:So cool! by MrMrBen · · Score: 3, Interesting

      Why should we expect ordinary computer users to be that sophisticated about their computer? Buying a computer to browse the web and do word processing shouldn't be like buying a pet. It gets ridiculous when the amount of time you need to spend keeping your computer protected approaches the amount of time you need to spend taking care of your dog or cat.

  2. lol, so sad by rwven · · Score: 1, Interesting

    It's pretty sad that someone has to release a worm to clean up a mess Microsoft couldn't... sounds like Microsoft needs to hire a certain someone to me...

  3. That's hysterical... by mekkab · · Score: 5, Interesting

    Because Mom and Pop can't be bothered to figure out this internet thingie ("can I talk on the phone at the same time? Will it turn on in the middle of the night and download spam?") It seems some avenging white-hat (aka Sysadmin who is tired of encountering so many damn infected machines) has coded up a viral solution!

    An even better twist of fate would be for that individual to get arrested for creating a worm! (It's a DMCA violation to use that hack...)

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
    1. Re:That's hysterical... by stratjakt · · Score: 2, Interesting

      He's such a whitehat he can pay my bandwidth bill for me.

      Would you like spam if it offered you things you like? Would spam from redhat or the FSF be good?

      I say no, spam is spam and worms are worms.

      The best way to make the internet cheaper and faster is to eliminate all the superfluous junk traffic.

      --
      I don't need no instructions to know how to rock!!!!
  4. Re:This could go on for a while... by marktoml · · Score: 5, Interesting

    It really is more akin to a microphage than a virus. Perhaps this starts a whole new trend :)

    Neat nonetheless.

  5. I wonder if ... by djrisk · · Score: 2, Interesting

    I wonder if MS is h4x0r1ng themselves... maybe they figured the best way to get out a patch is to use their own vulnerability. ;-) "It worked for the hackers, maybe it'll work for us!"

  6. If only I had the knowhow... by 403Forbidden · · Score: 3, Interesting

    I've had this idea for quite a while now. All these people that find exploits should just write a virus to patch the vulnerability.

    Bravo.

  7. Scanning my users by zbowling · · Score: 5, Interesting

    I just got done scanning all my users to check for the patch install. About 1/4 of those that are publicly accessible and not behind a firewall have the patch so far. I'm using the tool on Microsoft's website, and it seems to work well for us ISPs. I set up the router to block that port on my core router, but if someone gets inside the network with it, we might still get hit. This thing is bad.

    --
    No.
  8. I did wonder by Eluding+Reality · · Score: 3, Interesting

    I have wondered for a while when this sorta thing would start happening, anti-virus coders that go after the virus coders.

    This could be something we see more of in the future, almost like a battle between the two groups, taking place on machines throughout the world while the majority of users are completely unaware.

    It could be pretty interesting to see the whole thing unfold!

  9. Pretty cool by thebatlab · · Score: 4, Interesting

    I think on numerous occasions it was debated here and in other places whether this was something that should be done or not. I think some people raised privacy concerns and other ethical things like that. Basically saying "a virus is a virus" (yeah, yeah, it's a worm :)). However, it can be sort of viewed in the way vaccines are. Harmless strains of virii used to boost the immune system. That's just what this worm does. It's a harmless strain that clears up an "infection". I think this is a worm I wouldn't mind my parents having on their computer. I'm almost positive they haven't patched their machine, and now that DSL is in their rural area they're all the more vulnerable to it. If this can clean it up for them without me pulling my hair out while going over the update process, then so be it :)

  10. Core wars by On+Lawn · · Score: 5, Interesting


    Something about this seems like a global scale Core Wars game. How scary, horrible and cool at the same time.

  11. Re:Time till first lawsuit by dnoyeb · · Score: 4, Interesting

    Indeed. "No good deed goes unpunished," as the saying goes.

    Plus, it just so happens that good people are not as paranoid and don't tend to hide themselves as well...

  12. the next few weeks... by joedoe · · Score: 5, Interesting

    should provide a great test of the security savvy of university IT departments, as students return to the dorms and plug in their unpatched computers, the vast majority of which probably haven't been connected to the Internet in several months.

    Unsecured university networks could unleash a new wave of worm-infected machines on the Net. This could be fun to watch, for those of us who aren't uni sysadmins...

    --joedoe

  13. Re:This could go on for a while... by TheViffer · · Score: 5, Interesting

    Better find a new security hole then, as this is closing the door to msblaster's hosts. So basically the "next" worm would have to find another vulnerability in Windoze to get to the W32/Nachi worm.

    But since it's gotten into a "host" a new way, the W32/Nachi worm is of little concern since it's trying to kill the old worm.

    But what this will do is make leet hackers try to industrialize their worms. Such things as taking more control over the system, disabling all traffic to Microsoft, attacking virus protection, or even closing the door themselves so that cleaner worms or "copy-cat" worms can't get in.

    The evolution of the "worm" has begun.

    The other question I have is whether or not the W32/Nachi worm cleans up after itself if it cannot find a host to spread to. The "cure" may turn out to be no better than msblaster if it generates massive network traffic looking for new hosts.

    --
    -- Knowing too much can get you killed, but knowing who knows too much can make you rich.
  14. Self-removing on 1st Jan 2004 by Dynamoo · · Score: 4, Interesting

    NAI report that this is a self-removing worm after 1st January 2004.

    --
    Never email donotemail@WeAreSpammers.com
  15. Re:Coolness.... by Satan+Dumpling · · Score: 2, Interesting

    I think this cleanup worm is a dandy idea. Yes, it's still a worm and could cause traffic or computer problems, but it's nice to see one with good intentions. Had I designed it I probably would have made it disable itself sooner, maybe after a few days instead of 2004, and tell the computer user exactly what it was doing.

  16. A good worm is a dead worm... by ixpro · · Score: 5, Interesting

    People who think this is a good idea, are you for real??? Do you know how much work goes into protecting large corporate networks: rigorous testing of each and every patch before it goes into production, reacting to IDS alerts, identifying potentially vulnerable environments, etc.? The fact remains the same: both worms exploit the same vulnerability, both worms modify system data without the user's consent, and both are potentially "lethal" because of unpredicted errors and patch compatibility issues. Let's not pee our pants trying to cheer. This is not white hacking. White hacking is identifying the vulnerability and advising the user on how to protect themselves. But what do I know; feel free to flame, 'cause that seems to be the common trend on /. these days...

  17. Re:Internet Robin Hood by pclminion · · Score: 1, Interesting
    If I went into your home when you were away, but all I did was make sure all the lights are off and windows/doors are locked, would you be OK with that?

    Hmm, no, but if you were walking past and happened to look in and see my wife being strangled by a dude wearing a ski mask, I'd hope to hell you did something about it.

    Of course, neither analogy is completely perfect, but obviously this situation isn't as black-and-white as you want it to appear.

  18. Re:Time till first lawsuit by NevermindPhreak · · Score: 5, Interesting

    It's very possible that this worm was made by the same person who made the original. Notice that this worm was released *after* the attack on the Microsoft website. Also, the worm was not meant to cause any harm on any of its host systems. The worm served its purpose, so why not clean up after yourself?

  19. Where do they get these names from? by xigxag · · Score: 2, Interesting

    "W32/Nachi.worm"...sounds like a new spinoff group from Japan's pop-idol Hello! Project

    --
    There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
  20. read the advisory -- this is evil by htmlboy · · Score: 3, Interesting

    It patches the RPC hole and installs a TFTP server on the saved machine. It then propagates to other machines, infecting them and patching the vulnerability so a later variant of the same worm won't be able to uninstall it.

  21. Re:They will never allow this to grow by bahamat · · Score: 4, Interesting

    I don't think anyone has mentioned this yet, but interestingly enough, Network Associates VirusScan and Sniffer products detect and block Nachi.

  22. Worms: The good, the bad, and windows update by m0smithslash · · Score: 5, Interesting

    When you get right down to it, a worm or a virus is just a bit of code that updates your computer in some fashion. It allows your computer to perform some function it did not previously perform. In essence, it is no different than hitting windows update and hoping for the best.

    Well, of course there is a slight difference. With Windows Update, you ask for the update to happen. That is not the same as knowing what is really being changed. For example, the most recent Windows Update broke IE when it tries to talk to Squid. Also, I do not really know what is being updated by Windows Update; I just have to hope for the best.

    So, is leaving a port open any more of a security risk than pressing the "Windows Update" button? Either way I am giving people who I do not know and probably don't trust access to my computer.

    On the flip side, is a worm that improves my computer in some way any better than one that degrades my computer? Would it be OK for Microsoft to release a worm that automatically upgrades IE? I think more right-thinking people would agree that it is wrong, even if it's for the right reasons. The end does not justify the means.

    Somewhere there is a line between right and wrong here. The problem, of course, is that there are so many people who do not understand what a worm or an update is; how can they possibly do the right thing? Does a fix-it worm make sysadmins lazy? Maybe. Does it help the little old lady who just wants to find out about her genealogy and does not know or care how her computer works? Absolutely. It also helps those of us who have to help this little old lady out because she is our mother.

    Someday, the computer will be as easy to use as a microwave. Until then, I will take all the help I can get.

    --
    Your friend and well-wisher
    m0smithslash
    http://www.ferociousflirting.com
  23. Re:This could go on for a while... by griffjon · · Score: 4, Interesting

    It's the first rumblings of Curious Yellow, I tell ya.

    The end is near. So download Linux!

    --
    Returned Peace Corps IT Volunteer
  24. Re:that's cute by swordboy · · Score: 4, Interesting

    I'd settle for a worm that downloaded a kernel and loadlin.exe.

    You actually don't need a worm for that. Most users aren't savvy enough to know what an ActiveX installer is so they simply "click yes". We wouldn't have the Gator problem that exists if users were just a bit more educated (or MS software wasn't so exploit-able).

    If you could create a distro that installed and co-existed on an NTFS partition, you'd have a winner. Heck, you could even give users the option to "remove my windows partition" once they started using it.

    IMHO - Linux on NTFS is the first step to widespread adoption. Users would be able to install it through Windows via a regular InstallShield or whatever...

    --

    Life is the leading cause of death in America.
  25. Internet chatter about a Good Worm by JRHelgeson · · Score: 2, Interesting
    This is really interesting. Worms have been released to exploit machines and spread. This is the first known worm to actually try and repair damage.

    There was some talk on the Full Disclosure lists of releasing a worm such as this. Now it appears that someone has done it. Kudos to them. Now the question becomes: Do we let this worm just run freely out there? Do we try to stop it?

    Past worms haven't been able to load updates like this simply because the vulnerabilities weren't as big as the RPC/DCOM vulnerability that is being used on this exploit/patch.

    The whole internet worm thing has become rather boring. The security community has already learned the lesson to be taught: patch your machines. It looks like there is now something new to take notice of with the Nachi worm.

    Now we need to come up with phrases such as: Are you a good worm, or a bad worm? Or White worms vs. Black worms.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  26. Re:This could go on for a while... by thx2001r · · Score: 2, Interesting

    This is interesting because, initially, worms were mechanisms to install software (in a distributed computing type of model) across networks with slow connections (or was it updates?).

    It would be interesting if technology like this were used by administrators to distribute patches to people whose machines have become infected with other viruses...

    Since people never bother to install patches when told to but ALWAYS "install" the latest versions of viruses, this may be an interesting new way to distribute pre-emptive patches or solutions for removing infections from machines.

    --

    -Joe
    If we're all god's children, what's so special about Jesus? - Jimmy Carr

  27. The Big Question by 4of12 · · Score: 4, Interesting

    ...is how good a job this worm does of

    • identifying susceptible machines without burning the network,
    • fixing exactly what needs to be fixed, no more, no less,
    and, most importantly, how does the quality of this unsolicited support per dollar compare with Windows Update or what private companies charge for this service?

    I've often thought that this is the proper way to clean up machines where sysadmins fail to do their own patching after a decent interval.

    In fact, if I were MS, I'd have someone do this, but disclaim any and all connection, for the obvious reason of legal liability.

    [But considering the extra powers authorities have in the case of human infection - witness the recent SARS outbreak - having a net Doctor authorized to release a vaccine for such a serious vulnerability as this RPC/DCOM, at some point after the general notification, seems reasonable to me.]

    --
    "Provided by the management for your protection."
  28. I wrote a virus like this once by Space+cowboy · · Score: 5, Interesting
    [I wish I'd seen this on Slashdot earlier, it probably won't get read now :-(]

    Some history:

    Waaay back in the mists of time (1988) I was a 1st-year undergrad in Physics. Together with a couple of friends, I wrote a virus, just to see if we could, and let it loose on just one of the networked machines in the year-1 lab.

    I guess I should say that the virus was completely harmless; it just prepended 'Copyright (c) 1988 The Virus' to the start of directory listings. It was written for Acorn Archimedes/BBC micros (the lab hadn't got onto PCs by this time, and the Acorn range had loads of ports, which physics labs like :-)

    It spread like wildfire. People would come in, log into the network, and become infected because the last person to use their current computer was infected. It would then infect their account, so wherever they logged on in future would also infect the computer they were using then. A couple of hours later, and most of the lab was infected.

    You have to remember that virii in those days weren't really networked. They came on floppy disks for Atari STs and Amigas. I witnessed people logging onto the same computer "to see if they were infected too". Of course, the act of logging in would infect them...

    Of course "authority" was not amused. Actually they were seriously unamused, not that they caught us. They shut down the year-1,2,3 network and disinfected all the accounts on the network server by hand. Ouch.

    There were basically 3 ways the virus could be activated:
    • typing any '*' command (eg: "*.", which gave you a directory listing. Sneaky, I thought, since the virus announced itself when you did a '*.' When you thought you'd beaten it, you'd do a '*.' to see if it was still there :-)
    • The events (keypress, network, disk etc.) all activated the virus, and also re-enabled the interrupts, if they had been disabled
    • The interrupts (NMI,VBI,..) all activated the virus, and also re-enabled the events, if they had been deactivated.


    We hadn't really counted on just how effective this was. Within a few days of the virus being cleansed (and everyone settling back to normal), it suddenly made a re-appearance again, racing through the network once more within an hour or two. Someone had put the virus onto their floppy disk (by typing *. on the floppy rather than the network) and had then brought the disk back into college and re-infected the network.

    If we thought authority was unamused last time, this time they held a meeting for the entire department, and calmly said the culprit when found would be expelled. Excrement and fans came to mind. Of course, they thought we'd just re-released it, but in fact it was just too successful for comfort...

    Since we had "shot our bolt", owning up didn't seem like a good idea. The only solution we came up with was to write another (silent, this time :-) virus which would disable any copy of the old one, whilst hiding itself from the users. We built in a time-to-die of a couple of months, let it go, and prayed...

    We had actually built in a kill-switch to the original virus, which would disable and remove it - we didn't want to be infected ourselves (at the start). Of course, it became a matter of self-preservation to be infected later on in the saga - 3 accounts unaccountably (pun intended :-) uninfected... It wasn't too hard to destroy the original by having the new virus "press" the key combination that deleted the old one.

    So, everyone was happy. Infected with the counter-virus, but happy. "Authority" thought they'd laid down the law, and been taken seriously (oh if they knew...) and we'd not been expelled. Everyone else lost their infections within a few months ...

    Anyway. I've never written anything remotely like a virus since [grin]

    Simon.

    --
    Physicists get Hadrons!
  29. Where's the source? by Ryan+O'Rourke · · Score: 2, Interesting

    I'd sure like to see the source of this new worm. How is anyone to know for sure that its only intentions are good until a full analysis has been done?
    And if it is a "good virus" then why is it not open source? It should have nothing to hide, right?

  30. Article in Seattle P-I by wytcld · · Score: 2, Interesting

    The Seattle Post-Intelligencer, in an article on this, reports that "public safety systems in Seattle don't use Windows software." Talk about not recognizing a prophet in his home town....

    --
    "with their freedom lost all virtue lose" - Milton
  31. Less aggressive idea by petwalrus · · Score: 3, Interesting
    Wouldn't it be an excellent idea for someone to set up a counter-attack program which is essentially a virus listener which responds only when it receives the infection string from the Blaster virus, at which time it will reverse DNS the incoming address, then start sending out counter-attack packets to that machine, which will uninstall the Blaster virus and turn that machine into a counter-attack node?

    This has the benefit of lowering the overall amount of traffic that is broadcast, and /.'ers would be happy to run these servers and eventually the viruses spread would logarithmically decay.

    I am assuming that there is some way to re-infect an already infected machine with new code. This may or may not be possible.

  32. Re:one possible author by steman · · Score: 2, Interesting

    I reckon the author is someone who is the sysadmin for a large number of Windows boxen. He thinks to himself 'damn, how do I patch all these computers, I know, I'll write a worm that uses the same techniques', but then forgets to limit his worm to his network.

    Just a thought.

  33. Why does the anti-worm have to spread the same way by weave · · Score: 2, Interesting
    Why does this anti-worm have to seek out new hosts to infect? Can't it just sit and listen for an attack from an infected host, then grab the source IP and then go attack and clean that host?

    If it did that, eventually it would self-kill all infected hosts until the few that remained can't find anyone else to infect.

    Might make a good math exercise. As a host is cleaned and listens for attacks, it cleans other hosts, then those hosts also assume the vigilante role. Eventually you'd have fewer and fewer infected hosts searching for victims and more and more former victims waiting to be found. I would expect the count of infected hosts to reach zero at some point, given that the method to find new hosts is random enough. Question is, how many events would have to occur to reach zero!
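    The decay weave asks about here (and the listener node petwalrus proposes in comment 31) can be explored with a small Monte Carlo model. This is an added example, not code from the thread: the four host states, the uniform random choice of probe target, and the host counts are constructed assumptions, and the model knows nothing about real network traffic.

```python
"""Monte Carlo model of a 'vigilante listener' anti-worm (constructed example).

Every event is one randomly chosen infected host probing one randomly chosen
other host:

  target VULNERABLE -> target becomes INFECTED (the worm spreads)
  target LISTENER   -> the *prober* is cleaned and becomes a LISTENER
  target INFECTED or PATCHED -> nothing changes
"""
import random
from collections import Counter

VULNERABLE, INFECTED, LISTENER, PATCHED = "vulnerable", "infected", "listener", "patched"


def simulate(n_vulnerable, n_infected, n_listener, n_patched=0,
             seed=0, max_events=1_000_000):
    """Run until no host is infected, a stalemate is reached, or max_events is hit.

    Returns (events, final_state_counts, history); history holds the number of
    infected hosts after each event so the decay curve can be inspected.
    """
    rng = random.Random(seed)  # seeded so a run is reproducible
    hosts = ([VULNERABLE] * n_vulnerable + [INFECTED] * n_infected
             + [LISTENER] * n_listener + [PATCHED] * n_patched)
    n = len(hosts)
    infected = {i for i, s in enumerate(hosts) if s == INFECTED}
    n_vuln, n_listen = n_vulnerable, n_listener
    history, events = [], 0

    while infected and events < max_events:
        if n_vuln == 0 and n_listen == 0:
            # Nothing left to spread to and nobody to clean the worm: the
            # infected population is frozen, so stop instead of spinning.
            break
        attacker = rng.choice(sorted(infected))
        # Uniform random target among the n-1 hosts other than the attacker.
        target = rng.randrange(n - 1)
        if target >= attacker:
            target += 1
        events += 1
        if hosts[target] == VULNERABLE:
            hosts[target] = INFECTED
            infected.add(target)
            n_vuln -= 1
        elif hosts[target] == LISTENER:
            # The listener saw the probe and cleaned the prober, which now
            # waits for probes itself (the "former victim" in the post).
            hosts[attacker] = LISTENER
            infected.discard(attacker)
            n_listen += 1
        history.append(len(infected))
    return events, dict(Counter(hosts)), history


if __name__ == "__main__":
    # Constructed scenario: 1000 unpatched hosts, 10 already infected, one
    # listener seeded. Compare with the same population and no listener.
    for listeners in (1, 0):
        events, counts, history = simulate(1000, 10, listeners, seed=7)
        print(f"listeners={listeners}: {events} events, peak infected "
              f"{max(history) if history else 0}, final {counts}")
```

    With one seeded listener the infected count always reaches zero, because every infected host keeps probing until one of its probes lands on a listener; with none, the run ends in the stalemate branch with the whole vulnerable population infected.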

  34. Looking on the bright side too much by Anonymous Coward · · Score: 1, Interesting

    Sure, it all looks like a time-saving worm for all the admins out there, but what it does is very, very bad for the average security on the internet (a figure that has to be around 0,3 already, no matter what scale you want to measure it by).

    Like all worms that scan all possible hosts randomly instead of simply attacking hosts known to be vulnerable, Blaster is advertising vulnerable hosts to the world. A worm could prevent this by checking the make and version of the e-mail clients used to send mail in the mailboxes of an infected host and replying to vulnerable ones instead of every host in the address book. Also for webservers, the type of webserver serving the pages read during normal browsing of an infected client could be abused to find vulnerable servers. By attacking only hosts very likely to be vulnerable, a worm will not only stay undetected for much longer (it won't appear hundreds of times in firewall logs or DShield), it will also stop vigilante internet users (or their worms) stopping infected hosts by going after their infecting attempts (providing the worm is undetected, OR very few vigilante net users are running vulnerable systems).

    By scanning randomly, infected hosts are advertising their vulnerability to the world. Combine this with recent worms (Nimda and Blaster) which opened backdoors for easy entrance, and infected hosts with a fast connection "broadcasting" faster and thus to more hosts, and you have a recipe for attracting script kiddies looking for easy targets for DDoS drones, bounce servers or warez servers.

    If an admin were to kick Blaster out of a machine taken by a script kiddie after a worm, the extra backdoors, DDoS tools or warez might get noticed and cleaned out; not with this worm! This worm stops and deletes blaster.exe (while leaving the startup registry key, which just might mean everyone could put a blaster.exe in the path for local privilege escalation). If this new worm were to disinfect a host it might leave a perfectly secure unattended DDoS node on the net because no admin noticed something being wrong ("system rebooted 2 or 3 times, doing fine now, continue playing minesweeper"). This is bad 'cause no matter how good your OS security is, defending against DDoS is tough, especially from these unattended Windows systems. If things were really bad you could crack these zombies to get the DDoS clients out, but this worm just might close the last entrance for that.

  35. Re:Coolness.... by Anonymous Coward · · Score: 2, Interesting

    From Manta of MantaBase MaxPC Forum User:

    Intent should be considered. The crimes are not the same.

    Further, there is a lot on your (not yours personally - I don't know) drive that is there without consent. Should we treat cookie and tracker bot planters the same as those who initiate viruses (I think we should)? What about those that plant packets on your drive without your knowledge?

    Intent should be considered. When the law is black and white, we are all guilty.

    Just some food for thought.

    Manta

  36. Lookie here by whelck · · Score: 2, Interesting

    ICMP traffic - http://isc.sans.org/images/icmpfp.png FYI - that source range that looks like it's generating the traffic seems to exist in the 141.211 - 141.213 range -- University of Michigan...

  37. Try 1,300,000 pings per minute! by dmeranda · · Score: 3, Interesting

    On my linux firewall guarding a company network I was seeing way over 1 million ping packets per minute at one point! I'd call that a DDoS attack! From the inside out.

    For those with Linux firewalls, try the following iptables rules to rate limit those ping packets:

    # CREATE A NEW CHAIN
    iptables -N ping_throttle

    # Let at most 10 pings/sec through (RETURN hands them back to FORWARD).
    # "-m limit" is the rate-limit match; it takes no "-p".
    iptables -A ping_throttle \
    -m limit --limit 10/sec -j RETURN

    # Everything over the limit is dropped
    iptables -A ping_throttle -j DROP

    # PUT IN FORWARD CHAIN (echo request and reply)
    iptables -I FORWARD 1 \
    -p icmp -m icmp --icmp-type 8 -j ping_throttle

    iptables -I FORWARD 1 \
    -p icmp -m icmp --icmp-type 0 -j ping_throttle