Slashdot Mirror
RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
Oh wow! This is the internet equivilent of white blood cells! First there was white-hat hackers. Now white-hat virus writers? Makes a damn good change!
Because Mom and Pop can't be bothered to figure out this internet thingie ("can I talk on the phone at the same time? Will it turn on in the middle of the night and download spam?") It seems some avenging white-hat (aka Sysadmin who is tired of encountering so many damn infected machines) has coded up a viral solution!
An even better twist of fate would be for that individual to get arrested for creating a worm! (its a DMCA violation to use that hack...)
In the future, I would want to not be isolated from my friends in the Space Station.
It really is more akin to a microphage than a virus. Perhaps this starts a whole new trend :)
Neat nonetheless.
I've had this idea for quite awhile now. All these people that find exploits should just write a virus to patch the vulnerability.
Bravo.
I just got done scanning all my users to check for the patch install. About 1/4 have the patch so far, that are publicly accessable and not behind a firewall. Using the tool on Microsoft's website, and it seems to work well for us ISPs. I set up the router to block that port on my core router but if some gets inside the network with it, we might still get hit. This thing is bad.
No.
I have wondered for a while when this sorta thing would start happening, anti-virus coders that go after the virus coders.
This could be something we see more of in the future, almost like a battle between the two groups, taking place on machines throughout the world while the majority of users are completly unaware.
It could be pretty interesting to see the whole thing unfold!
I think on numerous occasions it was debated here and in other places whether this was something that should be done or not. I think some people raised privacy concerns and other ethical things like that. Basically saying "a virus is a virus" (yeah, yeah it's a worm :)) However it can be sort of viewed in the way vaccines are. Harmless strains of virii used to boost the immune system. That's just what this worm does. It's a harmless strain that clears up an "infection"
I think this is a worm I wouldn't mind my parents having on their computer. I'm almost positive they haven't patched their machine and now that DSL is in their rural area they're all the more vulnerable to it. If this can clean it up for them without me pulling my hair out while going over the update process then so be it :)
Something about this seems like a global scale Core Wars game. How scary, horrible and cool at the same time.
Indeed. "No good deed goes unpunished," as the saying goes.
Plus, it just so happens that good people are not as paranoid and don't tend to hide themselves as well...
should provide a great test of the security savvy of university IT departments, as students return to the dorms and plug in their unpatched computers, the vast majority of which probably haven't been connected to the Internet in several months.
Unsecured university networks could unleash a new wave of worm-infected machines on the Net. This could be fun to watch, for those of us who aren't uni sysadmins...
--joedoe
Better find a new security hole then as this is closing the door to msblaster's hosts. So basically the "next" worm would have to find another vulnerabilty in Windoze to get to the W32/Nachi worm
But since its gotten in a "host" a new way the W32/Nachi worm is of little concern since its trying to kill the old worm.
But what this will do is make leet hackers trying to industrialize thier worms. Such things as taking more control over the system, disabling all traffic to Microsoft, attacking virus protection, or even close the door themselves so that cleaner worms or "copy-cat" worms can't get in.
The evolution of the "worm" has begun.
The other question I have is whether or not the W32/Nachi worm cleans up itself it it can not find a host to spread to. The "cure" may turn out to be no better then msblaster if it generates massive network traffic looking for new hosts.
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
NAI report that this is a self-removing worm after 1st January 2004.
Never email donotemail@WeAreSpammers.com
People who think this is a good idea, are you for real??? Do you know how much work goes into protecting large corporate networks, rigorous testing of each and every patch before it goes into production, reacting to IDS alerts, identifying potentially vulnerable environments, etc... The fact remains the same, both worms exploit the same vulnerability, both worms modify system data without user's consent, and both are potentially "lethal" because of unpredicted errors and patch compatibility issues. Let's not pee our pants trying to cheer. This is not white hacking. White hacking is identifying the vulnerability, and advising the user on how to protect themselves, but what do I know, feel free to flame, cause that seems to be the common trend on /. these days...
its very possible that this worm was made by the same person who made the original. notice that this worm was released *after* the attack on the microsoft website. also, the worm was not meant to cause any harm on any of its host systems. the worm served its purpose, so why not clean up after yourself?
it patches the rpc hole and installs a tftp server on the saved machine. it then propogates to other machines, infecting them and patching the vulnerability so a later variant of the same worm won't be able to uninstall it.
I don't think anyone has mentioned this yet, but interestingly enough, Network Associates VirusScan and Sniffer products detect and block Nachi.
When you get right down to it, a worm or a virus is just a bit of code that updates your computer in some fashion. It allows your computer to perform some function it did not previously perform. In essence, it is no different than hitting windows update and hoping for the best.
Well, of course there is a slight difference. With windows update, you ask for the update to happen. That is not the same as knowing what is really being changed. For example, the most recent windows update broke EI when it tries to talk to Squid. Also, I do not really know what is being updated by windows update, I just have to hope for the best.
So, is leaving a port open any more of a security risk than pressing the "Windows Update" button? Either way I am giving people who I do not know and probably don't trust access to my computer.
On the flip side, does a worm that improves my computer in some way any better than one that degrades my computer? Would it be ok for MicroSoft to release a worm that automatically upgrades EI? I think more right thinking people would agree that it is wrong, even if its for the right reasons. The end does not justify the means.
Somewhere there is a line between right and wrong here. The problem of course is that there are so many people who do not understand what a worm or an update are, how can they possible do the right thing? Does a fix it worm make sysadmins lazy?
Maybe. Does it help the little old lady who just wants to find out about her genealogy and does not know or care how her computer work? Absolutely. It also help those of us who have to help this little old lady out because she is out mother.
Someday, the computer will be as easy to use as a microwave. Until then, I will take all the help I can get.
Your friend and well-wisher
m0smithslash
http://www.ferociousflirting.com
It's the first rumblings of Curious Yellow, I tell ya.
The end is near. So download Linux!
Returned Peace Corps IT Volunteer
I'd settle for a worm that downloaded a kernel and loadlin.exe.
You actually don't need a worm for that. Most users aren't savvy enough to know what an ActiveX installer is so they simply "click yes". We wouldn't have the Gator problem that exists if users were just a bit more educated (or MS software wasn't so exploit-able).
If you could create a distro that installed and co-existed on an NTFS partition, you'd have a winner. Heck, you could even give users the option to "remove my windows partition" once they started using it.
IMHO - Linux on NTFS is the first step to widespread adoption. Users would be able to install it through Windows via a regular InstallShield or whatever...
Life is the leading cause of death in America.
...is how good a job this worm does of
- identifying susceptable machines without burning the network,
- fixing exactly what needs to be fixed, no more, no less,
and, most importantly, how does the quality of this unsolicited support per dollar compare with Windows Update or what private companies charge for this service?I've often thought that this is the proper way to clean up machines where sysadmins fail to do their own patching after a decent interval.
In fact, if I were MS, I'd have someone do this, but disclaim any and all connection, for the obvious reason of legal liability.
[But considering the extra powers authorities have in the case of human infection - witness the recent SARS outbreak - having a net Doctor authorized to release a vaccine for such a serious vulnerability as this RPC/DCOM, at some point after the general notification, seems reasonable to me.]
"Provided by the management for your protection."
Some history:
Waaay back in the mists of time (1988) I was a 1st-year undergrad in Physics. Together with a couple of friends, I wrote a virus, just to see if we could, and let it loose on just one of the networked machines in the year-1 lab.
I guess I should say that the virus was completely harmless, it just prepended 'Copyright (c) 1988 The Virus' to the start of directory listings. It was written for Acorn Archimedes/BBC micro's (the lab hadn't got onto PC's by this time, and the Acorn range had loads of ports, which physics labs like
It spread like wildfire. People would come in, log into the network, and become infected because the last person to use their current computer was infected. It would then infect their account, so wherever they logged on in future would also infect the computer they were using then. A couple of hours later, and most of the lab was infected.
You have to remember that virii in those days weren't really networked. They came on floppy disks for Atari ST's and Amiga's. I witnessed people logging onto the same computer "to see if they were infected too". Of course, the act of logging in would infect them...
Of course "authority" was not amused. Actually they were seriously unamused, not that they caught us. They shut down the year-1,2,3 network and disinfected all the accounts on the network server by hand. Ouch.
There were basically 3 ways the virus could be activated:
We hadn't really counted on just how effective this was. Within a few days of the virus being cleansed (and everyone settling back to normal), it suddenly made a re-appearance again, racing through the network once more within an hour or two. Someone had put the virus onto their floppy disk (by typing *. on the floppy rather than the network) and had then brought the disk back into college and re-infected the network.
If we thought authority was unamused last time, this time they held a meeting for the entire department, and calmly said the culprit when found would be expelled. Excrement and fans came to mind. Of course, they thought we'd just re-released it, but in fact it was just too successful for comfort...
Since we had "shot our bolt", owning up didn't seem like a good idea. The only solution we came up with was to write another (silent, this time
We had actually built in a kill-switch to the original virus, which would disable and remove it - we didn't want to be infected ourselves (at the start). Of course, it became a matter of self-preservation to be infected later on in the saga - 3 accounts unaccountably (pun intended
So, everyone was happy. Infected with the counter-virus, but happy. "Authority" thought they'd laid down the law, and been taken seriously (oh if they knew...) and we'd not been expelled. Everyone else lost their infections within a few months
Anyway. I've never written anything remotely like a virus since [grin]
Simon.
Physicists get Hadrons!
This has the benefit of lowering the overall amount of traffic that is broadcast, and /.'ers would be happy to run these servers and eventually the viruses spread would logarithmically decay.
I am of assuming that there is some way to re-infect a already infected machine with new code. This may or may not be possible.
On my linux firewall guarding a company network I was seeing way over 1 million ping packets per minute at one point! I'd call that a DDoS attack! From the inside out.
For those with Linux firewalls, try the following iptables rules to rate limit those ping packets: