Worm vs. Worm Battle Slows Networks
joel_archer writes "According to this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit was the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
MS exploit virus comes out.
mysterious patching virus starts making the rounds. massive consequences.
we should be doing this more often, kids.
-Leigh
This is a GOOD worm!
Okay, do you get it? These worms harm perhaps just as much as they help, in the short-term...
So, the question I have is: do you think he was trying to be a good Samaritan and just wrote something that caused serious problems, or do you think he purposely wrote something that would cause problems but would spread wild due to the ostensible good it was trying to do?
"cleanup" worms are still bad. Since the original worm didn't do anything except attack a domain name that's no longer in use, the cleanup one may even be worse.
of course it's causing more problems, because it's PREVENTING MSBlaster from causing the problems in the first place. any slowage at all would be considered more of a problem than no virus at all.
Flying is hard enough - they tell you it's the safest way to travel. Now we find out it's run by a system famed for its ability to crash?!
The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.
Seriously though, that sounds more like the airline's standard crummy service is to blame than the latest Microsoft worm/virus.
Who cares?
Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
If this theory is right I guess 50 million Americans without power care whether incompetent admins can't keep their networks up.
The Register also has an article on this.
Basically the same core facts, but also talks about the ethical issues with "good" worms.
Dark Nexus
"Sanity is calming, but madness is more interesting."
ISPs are going to start firewalling off more and more ports because of the fact that Windows is insecure. But more importantly, customers don't care enough about the problems to deal with their own responsibility: securing their own machines.
Many ISPs already filter the standard Windows NetBIOS ports (137-139, I think) because of possible attacks.
I think this opens an interesting problem. If people don't start taking their own computer's security seriously, other people will be forced to -- their ISPs. Will ISPs become liable then if attacks do take place?
Of course, if they could re-do the internet, maybe they'd change some things, make it better... I smell an 'ask slashdot'.
Username taken, please choose another one.
"Hardest hit was the 411 system..."
Can't someone just write another worm to stop the worm stopping the worm?
It's all getting a bit silly, isn't it. The worst thing is that every incident like this is just another piece of ammunition for the pro-DRM companies.
It also encourages the conspiracy theory people. After all, why shouldn't Microsoft enjoy these worms so that people demand that their computers be locked down and be *safe* from the outside world?
Since the article's filename is "flash1.html," I doubt it's staying in that location forever, so here is the text. Posting logged-in because of the insidious article text trolls that have been plaguing Slashdot recently.
COMPUTER WORM THWARTS POWER SYSTEM REPAIR IN CANADA
Tue Aug 19 2003 20:33:34 ET
TORONTO (CP) - A computer worm designed to eliminate an earlier virus brought computer networks to a standstill Tuesday, hindering efforts in Ontario to recover from last week's power outage and forcing Air Canada to check passengers in manually across the country. Vancouver International Airport reported huge delays and long lineups in the international departures terminal as the virus slowed Air Canada's check-in computer system.
Air Canada spokeswoman Laura Cooke said the virus affected the airline's call centre in Toronto and check-in systems across the country.
"It is causing delays in processing customers at airports," she said.
The worm also slowed Ontario's efforts to repair the hydro system from last week's blackout.
"The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario," said Terry Young, a spokesman for Ontario's Independent Electricity Market Operator.
Inside the terminal in Vancouver, passengers, some of whom have been stranded since the blackout-related problems of last Thursday, were frustrated.
"It's a nightmare," said one unidentified woman. "The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything."
The worm targets computers running Windows 2000 and Windows XP and infected with the blaster worm. Once it deletes the blaster worm, the computer attempts to download a patch from the Microsoft update site, installs the patch and reboots the computer.
It searches for active computers by sending a signal across the Internet, which results in significant increases in traffic.
Internet security firm Symantec identified over 600,000 computers on Tuesday afternoon that were affected by one of the two worms.
Telus, the country's second-biggest phone company, saw operations for 411 operators slowed as the worm infected a number of internal systems at the company, while Corus Entertainment's Web site was down until the company was able to clean up its system.
The worm snarled the network at the CBC, slowing the broadcaster's Web site.
The Blaster worm also affected some computers of Ontario's emergency response system dealing with the aftermath of last week's huge blackout across a swath of the province and eight U.S. states.
Dr. James Young, the Ontario commissioner of public safety, said the problem was "making our job more difficult."
Symantec assessed the worm a "Level 4" threat, the second-highest, due to reports of severe disruptions on internal networks.
"Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm," Vincent Weafer, senior director of Symantec Security Response, said.
"The worm is swamping network systems with traffic and causing denial of service to critical servers within organizations."
It was not known where either of the worms originated. However, blaster, also known as lovsan because of a note it left on vulnerable computers - "I just want to say LOVE YOU SAN!" - also carried a hidden message to taunt Microsoft's chairman: "billy gates why do you make this possible? Stop making money and fix your software!"
Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which fir
So...will there be another worm to patch the Anti-worm so it doesn't clog the networks? And if that screws up, will there be an Anti-worm to patch the original Anti-worm that ... oh never mind.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Someone should write a "cleanup worm" that spreads for a while (a day or so) and then deletes everything on the infected computer's hard disk. This would solve the problem, because after a few days, there would no longer be many vulnerable machines left on the net :)
What're the chances of the Drudge Report feeling any effect of this posting here? I mean, he's up there with Google and Yahoo for overall hits.
There are 10 kinds of people in the world; those that understand binary and those that do not.
I think the dude who wrote it had a good idea... We had a discussion here about automatic updates... If people won't patch their own machines, then someone has to.
However, the execution here was poorly thought-out. It should have been written to be far less aggressive so as to avoid network slowdown. I would have had it scan for one hour per day, which hour would be chosen randomly. Then you cut traffic to 1/24 of the original level. Then have it de-activate and self-destruct after 5 PCs had been "infected" or 3 hours of scanning, whichever comes first.
The thinking is, let a worm-writer take a crack at getting patches installed. If patches spread as quickly as viruses, this whole thing would never have happened!
It doesn't just kill the other worm. It replaces it. It's several orders of magnitude better at scanning, persists after reboot just like Blaster, and leaves a backdoor open, just like Blaster.
OTOH, if you set your DNS to spoof "download.microsoft.com" and point it to an unproxied web server which gives it a different executable file instead of the patch it tries to pull, it will run that executable just dandy. Interesting things you can do to a worm-infected system besides patching it and leaving the infection intact are legion.
I won't say who or where, but I will just say that this will definitely pour fuel on the fire for forcing us to DMZ all of the doctors and the nursing students (we have been pushing for a while now). The virus we were infected with was the W32.Welchia.Worm. Brought over 600 clients down in less than 2 hours.
"Look Ma! I can do it with no hands!"
> My cable went out for about 2-3 hours earlier, and even before it went out everything's been slow, and still is.
Yes, due to the state of emergency we'll all have to shoot for "second post" until this dies down, since the internet isn't physically fast enough to let anyone get a "first post" in right now.
Sheesh, evil *and* a jerk. -- Jade
It's not a bug, it's a feature.
A feature MS wants you to patch and remove to optimize the feature's capability, really, I swear
Don't you hate a Linux geek that gloats >-)
Error 407 - No creative sig found
If they just made sure their bloody networks were patched and firewalled correctly they wouldn't have this issue..
Frankly I think that anyone that complains about this needs a good hard lesson in cause and effect.. oh hang on.. looks like they're getting that now!
Let's hope they're bright enough to recognize it.
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
For example, if I were to write a virus that called one of the myriad registry functions in Windows, my virus would have to be registered for authentication with MS beforehand. It is highly unlikely that MS's inspectors would not notice the harmful intent of my code.
Although there is a lot of fear about DRM in the Free & Open source communities, there need not be in reality. This is for two reasons. First, it would not be difficult to craft an open source DRM specification and submit it to the W3C. This means it will not be patentable. And second, with the registration mechanism handled through the W3C, developers would only have to submit their code for DRM authentication for a small fee of 1000-2000 dollars. This could easily cover the W3C's administrative costs, and would be economically viable for open source developers.
Just my $00.02.
So the networks are brought to a crawl due to the large amount of traffic necessary to patch systems because incompetent MCSEs are too incompetent to do the job themselves?
Well cry me a fucking river.
With all the worm and virus activity in the last few months they have absolutely no damn excuse for not being on top of this. Since they are too stupid to do their job, someone found it necessary to do it for them. Personally, I would have considered a disk formatting worm to be fully justified.
-- Will program for bandwidth
My cable (internet) went out for a couple hours earlier, too. I called Adelphia and the guy told me "Looks like you're part of an outage. From Ukiah (California, my town) to Los Angeles."
Of course, Adelphia doesn't serve a large number of markets in that area, but anyway, I wonder if it's really because of this. Somehow I'll bet it's not. It wasn't like it was slow, it just couldn't even sync upstream.
What is your ISP and metro area?
On how to shape the "patching worm" activities so that it continues scanning for infected machines without causing serious congestion. Would it be enough for one of the worms to quit if it finds another one on the same subnet? Or should the worm just run for a fixed time on each vulnerable node it finds and patches and then quit permanently?
Actually this is a hypothetical question. I don't think Windows users can be helped by installing just one patch. More radical solutions are needed, like pointing them to the nearest Apple store. Someone with way more free time than me can consider writing a worm that activates the XP firewall on every network interface and disables ActiveX in IE and OE.
But writing a truly beneficial worm/virus is still a fascinating topic to think about. Any thoughts?
Tell me about that TCO now!
Got Code?
For what it is worth, MS and others should do something like this _EVERY_ time a full root vulnerability is exploited by a released worm, virus etc. So it may stop an app from working, etc. At least a virus didn't fdisk your hdd. Minor patches be damned, vulnerabilities that give the attacker root or equivalent access NEED to be taken care of ASAP.
;)
If the dumbass sysadmin didn't decide to patch his system, the writer of the software (note I don't think this should be limited to MS) should take it upon themselves to fix it.
If not immediately after, then a couple days.
Now. I understand that MS hotfixes tend (AHAHAHAHAHHAHAAH, tend) to screw stuff up. A simple flag in the registry / file in the filesystem could tell the "viral exploit patch" not to patch the system, but send the administrator a message / put a link on the desktop for the patch. Of course, the next worm could just set that flag after infection, so this idea kinda sucks, which is why I'd recommend the radical option of no way of overriding the "viral exploit patch".
Yeah, flame me and mod me down, but it is just plain fucking stupid and irresponsible to leave a system in a vulnerable state. When exploits begin to affect infrastructure (whether it be 411 or whatever), they NEED to be taken care of. There are plenty of IT morons who leave critical systems (ok, define critical) open, and it is just a matter of time before something happens and many people actually get hurt.
And to be completely honest - if the "viral exploit patch" hits your internal network, the destructive one could have just as easily gotten in, so that isn't an argument.
Reporting back to a central server would be cool, although how it would differentiate between many internal networks, the code would need to be optimized to minimize disruption, etc.
Personally, I think whoever wrote blaster was doing the community a favor, some skript kiddie would eventually write their own version that did something far worse.
Sure, I'm kind of bitter, but crap like this pisses me off - it gives the IT industry and computers in general a bad image. If it turns out that some hick in Ohio forgot to patch his servers - servers that were rebooting when they were supposed to be sending out warnings to other power stations . .
Soooo. . . who thinks I'm going to have an ulcer in 10 years
Considering the original and first variant of the MSBlaster worm made major headlines, why were these systems still vulnerable?
Are each of those systems equipped with a 9-volt battery and a cheap Somebody Else's Problem field?
And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.
Learning HOW to think is more important than learning WHAT to think.
The Hippocratic Oath, the "do no harm" oath, apparently hasn't been translated into computing yet.
Regardless, if this worm's malevolence level is as benign as it sounds, more development in this area might need to be considered. Better delivery of course, but the concept is interesting.
Do not look into laser with remaining eye.
> Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
Supposedly there are "thousands" of people/organizations already working up lawsuits against that one energy company that's starting to pick up the stink. If it turns out that Blaster had anything to do with it at all, someone's going to get creamed for it.
And you can bet that they'll go after $omebody with deeper pocket$ than whatever punk-ass kiddie it was who released it. With 50,000,000 people inconvenienced and a reported $6,000,000,000 dent in business, we're talking about a sum that would be a concern even to $DEEPPOCKETS.
Sheesh, evil *and* a jerk. -- Jade
What kind of sick airline uses Windows servers to do check in and track flights/passengers. Is their IT department completely slow? They deserve what they get.
(Disclaimer: I've flown Air Canada. The accommodations were very nice.)
http://yetanotherpoliticalrant.blogspot.com
This new worm, it looks to me like it is being dubbed an anti-virus.
/.r comes forth and cites instances of anti-viruses in the past.
Most of the time I learn about something and think it is new it is not. So I won't act shocked when some
However I personally have not come across this before.
I predict that the anti-virus will never be as prevalent as the virus, but we can expect to see them from here on out.
If this worm fixes the problem then it's not worse than the original worm.
The original worm is called blaster so for the sake of laziness and homage to Mad Max I'll call the new one master.
So master is more efficient than blaster. Probably more compact and certainly smarter. So it'll get to most of the unsecured machines before blaster does.
While master may be a bigger nuisance than blaster, it's also a one-time nuisance while blaster is in it for the long haul.
So hey, what's the big deal? If the users don't secure their own systems, master will do it for them.
I don't actually exist.
> Send a worm to kill a worm!
Two worms enter, one worm leaves!
Sheesh, evil *and* a jerk. -- Jade
judging from what they do (or don't do for that matter) neither of the two worms seem to be some lifeless kid's work. they smell much more like some pissed off network/security admin(s) who wanted to slap M$. could even be the same guy twice. network slowdown is more like a side effect, not much of an issue that is.
> Two worms enter, one worm leaves!
Heh, just after I clicked "submit" it occurred to me that one guy in the Thunderdome was named "Blaster".
Sheesh, evil *and* a jerk. -- Jade
ISP is Cox HSI, I'm located in Rhode Island on the east coast. I was downloading something at about 150kbyte/sec (not my max btw), then suddenly it started to slow down, sites stopped working, AIM was lagged. I power cycled my modem to reset it and it couldn't reestablish a connection; the "cable" light would blink and blink, then it would reset and try again. It did this for maybe 20 mins, then it finally synced, but my router couldn't get an IP. I reset it again and it connected like normal and my router got an IP, but nothing worked. I tried resetting a few more times, same thing. Signed on my 56k and AIM wouldn't work, but sites worked, then AIM worked, everything was slow (slower than normal, even for dialup). Finally about 2-3 hours later it worked.. I found out because a friend of mine the town over sent me an IM asking if my Cox connection went down because his did. So I signed back on with the cable modem and it's been working since (but slow, bad ping, can't tracert anything, I get all timeouts after my first 2 hops (router and a 10.x.x.x address)).
You couldn't tell, but I used the freeze-frame on my Beowulf cluster of Tivos and saw that there was a hidden IP in Blaster's hand.
I was so pissed, I called Fight Update to complain, but the lines were all busy.
Never again will I pay $179 for a pay-per-view wrestling match...although the upcoming free-for-all cage match between SCO, Linux, IBM, Novell, Red Hat and FSF sounds pretty interesting. I bet that PanIP will make an appearance and beat the hell out of somebody too.
Someone always gets in the cage at the last minute.
"The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned."
...
"The Davis-Besse incident was not Slammer's only point of impact on the electric industry. According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer to a VPN connection to the control center LAN.
"A SCADA (Supervisory Control and Data Acquisition) system consists of a central host that monitors and controls smaller Remote Terminal Units (RTUs) sprinkled throughout a plant, or in the field at key points in an electrical distribution network. The RTUs, in turn, directly monitor and control various pieces of equipment.
"In a second case reported in the same document, a power company's SCADA traffic was blocked because it relied on bandwidth leased from a telecommunications company that fell prey to the worm.
"Reports on the effect of last week's Blaster worm on the electric grid, if any, have yet to emerge."
At Boston/Logan airport last Friday, I saw on a Delta departures/arrivals screen this Windows error dialog in front of the grid of flights:
"At least one service failed to start..."
I took a photo of it. I thought:
- "I'm glad I don't run Windows."
- "I'm glad I'm not flying Delta today."
...of two huge monsters battling over Tokyo and knocking over buildings in their fight while the puny sysadmins in their tanks futilely try to hurl patches, and one of the huge monsters is Good and one of the huge monsters is Bad but no matter because even if the good one wins, Tokyo is getting stomped flat either way?
Okay, I think I've just proven that I've been awake too long. Goodnight..
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
...the guy that wrote this blaster-patching worm wasn't trying to use this as a way to get hired...
Most of the traffic is generated by the worm shooting off all these ICMP packets/requests... Just block/drop them until you can remove the worm.
http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml
I usually tolerate some spam or virus e-mail but this starts to be annoying. And, please, don't bounce!! The mails are not coming from the address that is in the reply header - it's FAKE!! I'm getting (only some, but..) bounces. It's not too difficult (look at all the mail trace) to see that the sender is not the domain that is in the header, please!! AND, yes, they are coming from MS servers - haven't yet seen any other. Doesn't prove anything but.. have a nice day.
Firstly, during Code Red it got blamed for Internet slowdown, until someone realised that some major net cables were damaged in a train tunnel fire that later turned out to be the real reason.
Secondly, lots of people are (hopefully) going to be scrabbling for WindowsUpdate for patches which will also add to the bandwidth being consumed.
So far, we rarely see a truly malicious worm or virus. Most of what we see are certainly annoying, can be expensive to clean, and cost businesses in terms of downtime, network slowdowns and data loss; however, they could be a whole lot worse. The worst one I remember is Chernobyl, which would flash anything in your computer that was updateable, from your video card to your mainboard, leaving you with a (figuratively) smoking lump of useless, twisted metal.
We are always finding out about vulnerabilities. This one obviously existed since the beginning of time since it is exploitable on all post-3.1 versions of Windows. If someone years ago had made a worm that infected systems slowly, so as not to draw attention, and then in a given time frame was really destructive such as Chernobyl, we could end up having real problems on our hands.
These worms that make us find and patch these holes, without wiping our systems out, are costly, yes, and annoying, yes, but they are also protecting us from the really malicious ones, by making us all more aware, and ensuring that steps are taken to prevent. I am not just talking about the cleanup worm, but also MSBlaster. It doesn't destroy anything, but it makes us protect ourselves, makes us develop an immune system.
I am not saying I like them, and in my work I am the one responsible for protecting our offices, and cleaning up if something were to get through but I would rather be protecting from MSBlaster, than something really nasty.
My linux box receives 10kB/s worth of packets even when idle (ordinarily this number is less than 1kB/s). Ethereal says that most of them are ARP packets, the rest are pings and port 135 requests. Guess they are related.
Well, considering that you can have no confidence in a system that is known to have had unauthorised remote commands executed on it, I'd have to say that might not be a bad idea.
Can I bum a sig? I left mine at the office.
This is a battle of bad worm vs. less obviously bad worm. I don't understand why nobody seems to realize that Nachi is also a threat. Besides the fact that it's a worm, it leaves behind a pair of services, exposing the "repaired" computer to future exploitation, next time through a more convenient TFTP interface.
is it really that much to ask people to read an advisory of how the worm works before cheering it on?
For those who run a Linux firewall between a network of Windows boxes and the Internet you should rate limit those IP echo (ping) packets. Refer to my previous posting where I showed some sample iptables rules.
Of course my firewalls have port 135 (and a lot more) blocked. Still, it is very hard to keep out of a large network; it doesn't have to get through a firewall. But once inside it can quickly spread and then your firewall or border router will get flooded with pings. I was seeing well over 1 million pings per minute. At that rate my stateful Linux firewall was crawling on its knees as the connection tracking table filled up trying to remember all those echo requests so it could match them up with the echo responses. It didn't crash Linux, but it did render it near useless.
The scariest thing with all these worms is thinking about what could have been. What if they actually did something much more serious? What if they throttled back on the network scanning just a bit so they didn't take the network completely down and it took longer to notice?
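The ping flood described above, and the mix of echo requests and port 135 probes another poster saw in Ethereal, can be picked out per source host from firewall logs before the connection tracking table fills. This is an added example, not code from the thread or from any of its posters: it parses iptables LOG-target style lines that are constructed below, and the thresholds are assumptions chosen for the sample rather than values from the article.

```python
"""Flag hosts whose firewall-log footprint looks like a Welchia/Nachi sweep:
many ICMP echo requests to many distinct hosts in one minute, or many
TCP SYNs to 135/tcp. Input is iptables LOG-target style text (constructed)."""
import re
from collections import defaultdict

# "Aug 19 14:02:00 fw kernel: IN=eth1 OUT= SRC=... DST=... PROTO=ICMP TYPE=8 ..."
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):\d\d \S+ kernel: "
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (minute_key, src, dst, kind) or None for lines we do not understand.

    kind is 'echo' for an ICMP echo request (type 8), 'rpc_syn' for a TCP SYN
    to port 135 (the DCOM RPC port Blaster and Welchia exploit), else 'other'.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("fields")
    fields = dict(FIELD_RE.findall(raw))
    flags = {tok for tok in raw.split() if "=" not in tok}  # bare tokens: SYN, ACK, ...
    if "SRC" not in fields or "DST" not in fields:
        return None
    proto = fields.get("PROTO")
    if proto == "ICMP" and fields.get("TYPE") == "8":
        kind = "echo"
    elif proto == "TCP" and fields.get("DPT") == "135" and "SYN" in flags and "ACK" not in flags:
        kind = "rpc_syn"
    else:
        kind = "other"
    minute_key = f"{m.group('mon')} {m.group('day')} {m.group('hh')}:{m.group('mm')}"
    return minute_key, fields["SRC"], fields["DST"], kind


def analyze(log_text, echo_per_minute=50, distinct_dst_per_minute=20, rpc_syn_per_minute=10):
    """Return {src: [(minute, [reasons...]), ...]} for sources over the thresholds.

    Counting distinct destinations as well as raw echo volume keeps a host that
    pings its gateway in a tight loop from being flagged as a network sweep."""
    echo = defaultdict(int)
    dsts = defaultdict(set)
    rpc = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, src, dst, kind = parsed
        if kind == "echo":
            echo[(src, minute)] += 1
            dsts[(src, minute)].add(dst)
        elif kind == "rpc_syn":
            rpc[(src, minute)] += 1

    findings = defaultdict(list)
    for src, minute in sorted(set(echo) | set(rpc)):
        reasons = []
        n_echo, n_dst = echo[(src, minute)], len(dsts[(src, minute)])
        if n_echo >= echo_per_minute and n_dst >= distinct_dst_per_minute:
            reasons.append(f"{n_echo} echo requests to {n_dst} distinct hosts")
        if rpc[(src, minute)] >= rpc_syn_per_minute:
            reasons.append(f"{rpc[(src, minute)]} SYNs to 135/tcp")
        if reasons:
            findings[src].append((minute, reasons))
    return dict(findings)


def _constructed_log():
    """Constructed sample: one sweeping host (10.0.5.7) and one benign host (10.0.5.20).
    All addresses and timestamps are made up for the example."""
    lines = []
    # Sweeper pings 120 hosts in 10.0.6.0/24 within a single minute...
    for i in range(1, 121):
        lines.append(f"Aug 19 14:02:{i % 60:02d} fw kernel: IN=eth1 OUT= SRC=10.0.5.7 "
                     f"DST=10.0.6.{i + 1} PROTO=ICMP TYPE=8 CODE=0")
    # ...then probes 135/tcp on the ones that answered.
    for i in range(1, 16):
        lines.append(f"Aug 19 14:02:{i % 60:02d} fw kernel: IN=eth1 OUT= SRC=10.0.5.7 "
                     f"DST=10.0.6.{i + 1} PROTO=TCP SPT={1024 + i} DPT=135 SYN URGP=0")
    # Benign host: a few pings to its gateway and one web connection.
    for i in range(3):
        lines.append(f"Aug 19 14:02:{10 + i:02d} fw kernel: IN=eth1 OUT= SRC=10.0.5.20 "
                     "DST=10.0.5.1 PROTO=ICMP TYPE=8 CODE=0")
    lines.append("Aug 19 14:02:30 fw kernel: IN=eth1 OUT= SRC=10.0.5.20 "
                 "DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_LOG).items():
        for minute, reasons in hits:
            print(f"{host} @ {minute}: " + "; ".join(reasons))
```

Feeding real LOG-target output through `analyze` gives a per-source, per-minute view; the echo and 135/tcp thresholds should be set against a baseline of the network being watched.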
Great, now we have worm battles. So is SCO going to write a worm that finds SCO in Linux and reports back? And then someone can write a worm that overrides that and changes the code instead?
Most likely the #1 Unfunny Meta/Moderator on
Actually, the lazy admins are the $HIT. If the Critical Update plus a high-profile warning from no less than the US Govt (reprinted in media everywhere) isn't enough to make you consider reading the advisory, testing the patch and deploying, maybe you were an ostrich in a previous life. I get really amused when MS gets blasted for this but the GNU FTP server exploit which possibly tainted months worth of code updates only has the crowd screaming for the perpetrator's head. Truth is, in both scenarios, the admins are at fault.
Can I bum a sig? I left mine at the office.
I guess it's quite possible that either Microsoft, the NSA or another gov. agency released the new worm to test it as a virus attack counter measure.
specific to airport delays, with pictures and one here
The article says that the virus is hindering repairs on Ontario's "hydro" system... not that it is affecting hydroelectric.
:)
Just another misunderstanding based on the use of the word "hydro" to mean "electricity"... it would be nice if at least news sources would stop making this simple mistake
1 a minute? I wish! Currently, due to some mailing lists I'm on, I'm grabbing about 3 a minute. Once in awhile I get lucky and a 3 min window goes by without any.
Speed wise, I haven't slowed down too much though. I guess all the tree huggers are asleep here in OR. I'm currently at 1725/248, AIM hasn't died in hours - life is good!
My girlfriend and I take weekend vacations where the most technology we use is the car to get to the camp site and our watches/flashlights. While we're there, we don't touch the car or anything else related to technology. I think it's time for another REAL soon.
Why would the "fix" worm be this much worse than the original? They do essentially the same thing, use the same exploit, transmit themselves the same way. The only difference I can see is that the "fixer" reboots your PC once, whereas the original could continuously reboot your PC. Why is the press making it sound (at least in this case) that this worm is worse than the original?!
Perhaps it's the worm's attempt to download the patch from MS that's causing all the headaches, but the patch *IS* rather small, so I'm not very convinced on that point.
Am I being paranoid, or overreacting or what?
Me never forget you URL pay back much money.
Thank You For Helping Worm and Mother
OH THE SHAME I fell off the wagon and use sigs again!
Remember, this is the same airline that decided to solve its MASSIVE customer service and revenue problems by cutting free meals from flights. Last I heard, you are now charged $8 for 4 (pretty crappy) chicken wings.
A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.
The article he cites would be an interesting read. He should link it instead of being vague.
The company that got hit is going to have a hard time blaming anyone beyond their own admins. MS did the same thing they do to mitigate any other risk plus did some extra public-awareness work. Anybody who didn't see this coming and at least follow the advisory's recommendations to firewall the appropriate ports... well, they weren't too concerned about their systems. I mean, c'mon, NetBIOS ports open to untrusted networks? What system that critical should be allowing that? I don't allow NetBIOS to my son's gaming machine!
Can I bum a sig? I left mine at the office.
"You can't usually block port 135 to all local traffic, because it has legitimate uses on MS networks"
Ok, but this still doesn't explain why:
The networks were Internet accessible.
or why
The critical parts of the network aren't patched.
If I have a private network that I need to use insecure protocols on (NFS, SMB, etc), I will ensure that it's private. All borders will have strong packet filtering, and the address space will be a reserved one that's flagged as non-routable.
Now, because I am a smart sysadmin, and I know that there will still be cross-pollination (by people getting virus email attachments, bringing in laptops, etc), I will also take the time to patch my test server, run the validation suite, and then roll the patch out to the production servers sooner than a month after the patch is released. After all, what the fuck am I being paid for?
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The worm should not spread; instead it should sit on a host and, if it gets attacked by the bad worm, install itself on the attacking host, clean it, and remain dormant. The flaw in a worm searching for infected hosts is that even if all the bad worms are out, the worm will keep on searching for infected hosts in vain, using up network resources. A worm's most dangerous feature is propagation.
._seg
Use Bittorrent to make download of patches easy on networks.
Um... I usually RTFA (even the evil free-reg-required NYT ones), but you can't pay me to read any of Drudge's blather.
Collecting data is only the first step toward wisdom. But sharing data is the first step toward community
Go back to dialup where everyone on your local subnets runs an insecure ME or XP Home Edition box and then you will really know how sucky internet access can get - it's almost as bad as the old 2400 baud non-error-corrected modem days. Though it is still slightly better than the 300 baud acoustic coupler days.
Does all this talk of battling worms remind anyone else of the classic game "Worms" from the mid 90's? Incoming!!! BOOM!!!
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
I used to see a black and red error screen all the time on what is now the "TV Guide" channel. (The TV programming scroller thing.) Through the magic of emulation, I later discovered this is the exact error you'd see after an Amiga crash. The "red and black" screen of death, so to speak. Apparently they weren't rare since I would see the channel doing that about 2 or 3 times a week.
Wasn't this how viruses were "invented"? To perform upgrades? Some network admin had the bright idea of performing maintenance by having a process that jumped from system to system, updating as it went. Unfortunately, it did so in a very non-deterministic and incorrect way, and the entire network had to be taken down so that individual computers could be disinfected in isolation. Several years later, the event inspired the first research into computer viruses.
PLEASE let me know if I've horribly botched this tale -- I'd hate to sound like a fool.
Anyway, I'd say that the whole idea of eliminating a worm with a worm is akin to infecting someone with malaria to cure the Plague.
... is why, at work, we had 1300 pings/second before we asked our ISP to close off ICMP Echo Request at an upstream router, while my PF (OpenBSD rules!) has fended off only ~500 Echo Requests in the last 48 hours. OK, at work the firewall protects 255 addresses and @home only 1, but still that math does not really explain it...
That my autodisconnect no longer works because I keep getting ping keepalives - damn those happy worms
Kinda reminds me of the movie, where 2 evil superheroes fight each other and make a lot of damage as a side effect, doesn't it?
- Marco
1) When it infects machines, 99% of the time it is unable to download the patch. This makes it pointless.
No, I don't know why; I guess it's because the Windows Update URL has changed? All the machines that we've found with this virus have not been patched and had to have the patch applied anyway.
2) It tries to ping every machine on its local network as fast as it can, repeatedly. It doesn't just do a single scan then shut up till 2004 (its expiry date) - oh no, it continually scans. That's OK if you have 2 machines on your LAN, but when you have a huge switched LAN with a few hundred or thousand hosts on a /16, that's a lot of traffic.
I see LOTS of ARP traffic from the machines doing the scanning to hosts on the local network, and I see loads of ICMP echo-requests destined for outside our network. Which I filter now.
3) It runs as a service that isn't detected by many virus scanners; for some reason Norton's didn't find it though McAfee did. Again I have no idea why.
The thing did a LOT of collateral damage on our network with a couple of hundred machines. I shudder to think about what kind of damage it is doing to large networks at universities etc.
"The current round of worms are clumsy and unimaginative. I think it's only a matter of time before we see a worm that does some -real- damage."
Yeah! Like install Windows on your computer.
(Bastard Flight Attendant From Hell)
``It's a nightmare,'' said one unidentified woman. ``The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.''
And they're blaming it on a virus? I can see it now....
BFAFH: "Your luggage hasn't arrived yet? Let me see..."
*klickety-klickety*
"It appears that it was accidentally routed to the other side of the world!"
(which makes sense, that's where it would go when the BFAFH put it on the "international flights" belt at the person's originating terminal.)
Traveller: "What?!? How could that happen?"
BFAFH: "Well, it's most likely due to.." *flips 'excuse of the day' calendar... hmm, this one's easy* "..a computer virus! Yes, you must have heard about it on the news, that one that is hitting all of the Windows systems? It's really quite horrible."
Traveller: "But what am I going to do for clothes? I have a business meeting tomorrow!"
BFAFH: "Well, the soonest we can get them here is next week. Sorry about that, have fun shopping for nice clothes in a hurry. And thank you for flying!"
Every time I read this sort of story, I wonder how it is that these people responsible for maintaining these networks are still employed. It seems these people's employers are even more clueless than the twit that doesn't upgrade their systems. If your boss accepts your excuse for this occurring in your company, they are morons.
A patch to fix this was out several weeks before this hit, as most already know. So what exactly is the reason anyone can give that this critical part of their job didn't get done in WEEKS! I had a friend of mine who works in the IT dept of a fairly large company telling me he was pissed about this because he was going to get called in early Saturday when this worm hit, as they knew large numbers of their systems were infected. He was almost to the point of bragging that it was such a major situation...at which point I reminded him that he was bragging about the fact that their dept let a MAJOR hole go unfixed for almost 4 weeks.
To drag the open source argument into this a bit, even if Linux and Windows had the exact same amount of vulnerabilities, which group is it that doesn't seem to have as much of a problem applying a simple 'patch'? Perhaps this is just the result of 'certification', where you learn enough to get some documentation saying you learned what was needed for that document...but most of these monkeys are not much better than the moron who drives for miles while the oil light is on in the car..."If the car is still running, it couldn't be that big of a problem"...
Fix your shit people...it's that simple
It's not the offending system that is attacked and destroyed, it's the systems that are attacked via DDOS through the hacked boxes using signal propagating viruses.
Have you heard of Dalnet? The network that used to be the largest of the IRC networks? It isn't now. Four months of DDOS attacks against all its servers brought that to a halt (and there were like 10 of them). It's come back up, but most people have moved to other networks.
Maybe you didn't see this as a real problem because it didn't affect you, but four months can do more than merely wipe data or destroy hardware. They can take down businesses forever.
I'd rather have the "malicious ones" destroy computers owned by users who are partially to blame for letting in viruses than destroy businesses that have no fault at all in the matter.
On an interesting parallel: one of the most destructive viruses (real world) on the planet is Ebola. How do you think its rate of spreading and death rate compare to AIDS? It's the slow, insidious viruses that you have to worry about, not the ones that are obvious. Not knowing that the virus is there is the best defense a virus has against inoculation or containment, which gives it more time to spread and wreak havoc.
Mod me down and I will become more powerful than you can possibly imagine!
Many posts here talk about what if worms did some *real* damage. I wonder what this could be? A worm that formats the HDD is obviously useless - how will it replicate? In order to spread, it necessarily exposes its presence and therefore it can be killed. So the max damage a worm can do is limited. Am I right in my thinking?
Does that mean we can expect to see aircraft randomly dropping around Canada?
No; they would install *nix from scratch.
If it makes system administrators look like idiots, and does for free, and practically instantly, what would cost $5,600 and the taking of your computer to the repair shop to fix...it must be immoral and evil!!
I guess the job market must really suck for people to see something that does good as something that does evil.
Am I the only person who immediately thought of Hard Drive by David Pogue? This is creepily similar to the end of the book, except with crappy grammar...
___ alwaysBETA.com - Hey, you've got nothing better to do.
Worms are bad. Period. Even if the worm is supposed to be good then the damage it can do in terms of network usage, etc causes problems.
However, vulnerable boxes do cause a lot of problems, so IMHO a better solution is for those people who care about such things to install a system on their firewall that responds to scans - if a machine scans your firewall then you look to see if you recognise the signature of the scan (i.e. the likes of Code Red, etc., have quite distinctive patterns of scanning) and then your firewall launches an exploit against that machine that is scanning you. Once exploited the system would take some action to close the vulnerability and remove the worm (i.e. turn on the auto update stuff, install whatever patches are needed, etc.). After it's done that the software that you installed through the exploit would delete itself.
This is a defense - the machine in question attacked your network so your network responded by fixing the compromised machine - no other (innocent) machines are affected by the problem.
ISPs also need to do something to help the situation IMHO - there is no sane reason to use Netbios over the internet so this should be blocked by every ISP (I know some do already, but the vast majority still allow it).
And remembering that 90% of home Windows users are completely clueless when it comes to security, they need to be forced into fixing their systems. The best way I can see of doing that is for all ISPs to look for scans coming from their customers - if a machine is making a lot of scans to lots of hosts all over the internet that matches the signature of a known worm, the ISP should pull the customer's entire internet connection. In fact it wouldn't be too hard for the ISP to intercept all web requests and redirect them to a website with all the patches on it. This is damage limitation - if a machine is compromised and is attempting to compromise other machines then it is essential that machine is taken off the network ASAP. If all the ISPs followed these steps then the spread of worms would be severely reduced.
http://blog.nexusuk.org
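The scan-signature idea in the post above (recognise a host that probes lots of addresses with a known worm pattern, then pull it off the network and redirect its web traffic to a patch page) and the earlier report of Welchia pinging every host on the LAN while Blaster-style probes go to TCP port 135 can be turned into a concrete check. What follows is an added example for this thread, not code from the page or from any ISP or firewall product. The log line format, the addresses, the 10-second window and the thresholds are all assumptions, and the sample log is constructed inline; the detector keys on behaviour (many distinct destinations per source in a short window) rather than on any payload bytes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example (not any real firewall's syntax):
#   <iso-timestamp> ICMP <src> -> <dst> echo-request
#   <iso-timestamp> TCP  <src>:<sport> -> <dst>:<dport> SYN
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>ICMP|TCP) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<info>\S+)$")

WINDOW = 10                                        # seconds of sliding window (assumed)
THRESHOLDS = {"icmp-echo-sweep": 20,               # distinct destinations per window (assumed)
              "tcp135-sweep": 20}


def parse(line):
    """Return (ts, kind, src, dst) for events this detector cares about, else None."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.fromisoformat(d["ts"]).timestamp()
    if d["proto"] == "ICMP" and d["info"] == "echo-request":
        kind = "icmp-echo-sweep"                   # Welchia-style ping sweep
    elif d["proto"] == "TCP" and d["dport"] == "135" and d["info"] == "SYN":
        kind = "tcp135-sweep"                      # Blaster-style DCOM RPC probing
    else:
        return None
    return ts, kind, d["src"], d["dst"]


def detect(lines, window=WINDOW, thresholds=THRESHOLDS):
    """Map each offending source to {kind: peak distinct destinations within one window}."""
    events = sorted(e for e in map(parse, lines) if e)
    recent = defaultdict(deque)                    # (src, kind) -> deque of (ts, dst)
    dst_count = defaultdict(lambda: defaultdict(int))
    peaks = defaultdict(dict)
    for ts, kind, src, dst in events:
        key = (src, kind)
        q, counts = recent[key], dst_count[key]
        q.append((ts, dst))
        counts[dst] += 1
        while q and ts - q[0][0] > window:         # expire events outside the window
            old_ts, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        distinct = len(counts)                     # repeated pings of the same box do not count
        if distinct >= thresholds[kind] and distinct > peaks[src].get(kind, 0):
            peaks[src][kind] = distinct
    return {src: kinds for src, kinds in peaks.items() if kinds}


def quarantine_plan(verdicts):
    """The policy proposed in the thread: cut the host off, keep only a path to the patches."""
    return {src: ["drop-all-except-http", "redirect-http-to-patch-page"] for src in verdicts}


def sample_log():
    """Constructed sample: a benign monitor, a Welchia-like pinger, a Blaster-like 135 scanner."""
    base = datetime(2003, 8, 19, 10, 0, 0)
    lines = []
    for i in range(30):                            # monitoring box pings the same 3 servers
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} ICMP 10.1.0.5 -> 10.1.0.{10 + i % 3} echo-request")
        lines.append(f"{t} TCP 10.1.0.5:2000 -> 192.0.2.9:80 SYN")   # ignored, not port 135
    for i in range(120):                           # infected desktop sweeps 60 hosts twice in ~8 s
        t = (base + timedelta(milliseconds=66 * i)).isoformat()
        lines.append(f"{t} ICMP 10.1.0.42 -> 10.1.0.{100 + i % 60} echo-request")
    for i in range(40):                            # another host probing port 135 on 40 outside hosts
        t = (base + timedelta(seconds=3, milliseconds=150 * i)).isoformat()
        lines.append(f"{t} TCP 10.1.0.77:{1024 + i} -> 192.0.2.{i + 1}:135 SYN")
    return lines


if __name__ == "__main__":
    verdicts = detect(sample_log())
    for src, kinds in verdicts.items():
        print(src, kinds, quarantine_plan(verdicts)[src])
```

The monitor host never exceeds the threshold because it keeps hitting the same three addresses, which is the distinction the post draws between a chatty box and a sweeping one; the two sweepers are reported with the peak number of distinct targets they reached inside one window.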
oh brave new world, that has such people in it!
Stomping on them buildings is more fun than beating up your opponents. :-)
I served military duty in the Danish Emergency Management Agency and was shocked when I saw they were implementing the entire system for reporting all kinds of disasters and emergencies (everything from tunnel fires to radiation leaks) on Windows 2000. These computers were connected to the net - and knowing the place they would probably never be updated. And even worse - it wasn't even a stripped down Windows 2000 that only ran the necessary services - it was a default (apparently unpatched) installation complete with an autostarting Messenger.
I'm not all that great on securing Windows boxes - but that sure didn't seem right. Considering this would be the first way (and for something like 5 minutes!) to warn the local emergency services of something - which could very well be a tunnel collapse/fire/whatever where 5 minutes easily can make a lot of difference in human lives. The program that was custom-made for emergency-reporting also seemed of pretty poor quality - most likely a case of lowest bidder with no one competent setting intelligent rules for the bidders.
My wife and I were going through Dublin airport when I noticed that a number of the airport schedule display screens were going through a reboot sequence. I showed it to her : "Hey, looks like that one crashed."
She had to point out that a more alarming interpretation of the word "crashed" may have been made by some of the other people in the arrivals area.
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
...we get programs saying "this program can only be run on Windows X", I saw one recently that refused to install a program under WinXP (was made for WinNT). Since it is downloading an official patch, I assume the patch will not run on any systems it can't patch properly.
On a worst-case scenario, Microsoft could simply move the file and the worm is dead. But I don't think the problem you're referring to would have been big at all....
Kjella
Live today, because you never know what tomorrow brings
This reminds me of something I read back in 2000 :-)
There is absolutely no evidence that Welchia is worse than Blaster, as a cursory reading of the linked article would reveal to anyone who passed the fourth grade.
If you're unpatched, you either get Welchia, or you get Blaster. They both hose your network. If you're too stupid to block the ports and apply the patches, then you're going to get one or the other.
Go on, pick one. Not that it makes any difference. Welchia isn't worse than Blaster. Sure, it opens a port, and everyone is assuming (why?) that this is a back door, but as long as you're unpatched and your 135 port is open, arbitrary code can be run on your box anyway, so how does Welchia make that worse?
Lies, damn lies, statistics, Slashdot reporting.
If you were blocking sigs, you wouldn't have to read this.
I didn't link to the article because it's in Norwegian. But if you can read Norwegian, here it is.
This article is based upon another article from the danish newspaper Jyllands-Posten, but I'm unable to locate the article on their web site.
And to make matters worse, you get 1 mail a minute from some remote daemon telling you that there is a virus in a message which is apparently from you. Mail administrators who set up such auto-replies should be taken out and shot.
Given the possibly sensitive nature of the data stored on them and the risk of viruses etc., why oh why are these airline check-in systems connected to the internet anyway??? Why don't they at least use VPN?? Sorry, but this smacks of utter stupidity to me. You wouldn't expect your bank to have all its client account computers connected, why don't airlines follow their example??
Okay, I'm hopelessly drunk and you're (supposedly) a coder that should know better.
;)
I mean, just cause a system doesn't have a sysadmin... In the last day I've spent a total of about an hour getting @50+ users booted off (or at least having their internet connections temporarily severed) my home ISP's subnet(s). My fucking logger couldn't properly keep up with all the traffic this was generating!
With all the emulated and specialized systems out there, can you guarantee that any code you write will run properly on all systems?
Of course not. If you believe that, you're hopelessly naive and shouldn't be allowed near a compiler or interpreter.
Believe it or not, I have actually looked into this (and I'm hosed, find sources yourself...), but almost all of the supposedly "beneficial" worms/virii out there have caused more problems or at least as many problems as whatever it was they were trying to do or fix!
Whoever the idiot is that distributes something like a "clean up worm" deserves as much federal "pound me in the ass" prison as any of the other virus writers out there that have gotten such sentences...
"The road to hell is paved with good intentions."
"Ignorance is no excuse for fucking up and completely hosing some random stranger's system."
That last platitude is mine.
Well, I agree.
But then again thanks to the "net send" messup the average user clicks away on reflex whatever pops up on his screen:
- "I want to secure your box, click here!"
- "I want to help you make Ca$h on the web!"
- "I want to enlarge your penis!"
Sigh, no one would trust a real, nice, virus-cleaning worm anymore.
cu,
Lispy
+4 Interesting? FFS, people...
Hahah, I'll remember that when you smash your car up and need cutting out, or when your house is burning down around you. Hope you've got your chequebook handy.
Didn't they learn anything from the Terminator series? SkyNet is not the answer.
Why are there only 19 people folding@home for slashdot?
I don't care what the intent was on this anti-worm worm. I have one sales guy in Australia right now that somehow managed to get *both* worms on his laptop- despite the fact that I sent him instructions ahead of time on how to patch his system and ensure that his virus definitions were updated. Now he's expecting me to help him out despite the fact that he cannot connect to our VPN, and that he's 12 hours ahead of us.
Good Samaritan worm my ass- this one is just as big a pain as Lovesan was.
It'll be interesting to see how this impacts the future of worms and virii though.
I have no sympathy for any one or any company that's been hit by this. The patch for the exploit was available for ages before the worm was released. If anyone's systems are vulnerable it was no one's fault but their own, and especially after all the windows worms and viruses that have come before this one, you'd have thought people would learn by now...
:)
In fact I'm finding the whole thing rather amusing
If you want to help people, write your firewall activation and configuration program as a tool that allows the user to control it and distribute it freely on a website. Advertise it. If it doesn't suck, people will use it and you'll help make the internet more secure. Popular magazines might even recommend it as a really easy fix for security, and you'll help even more people. And, if you screw up, you can fix the bugs in the next version and provide support. Added bonus - the police and corporate lawyers won't be hunting you.
I wish I had moderator points today. This is one of the most insightful posts I have seen on this subject today.
I say this as one who doesn't really have a problem with the 'white-hat' worm (assuming it really is white-hat, and not just a more subtle attack waiting to happen, which those open ports might well represent), and any damage it does cause could reasonably be considered collateral in a battle to secure a system the vendor and user alike are either unwilling or too incompetent to secure, and I do find the argument that your autonomy over your own system ends the moment it attacks my network to be a compelling one in some respects.
Nevertheless, your advice, and your stance on this, makes a whole hell of a lot more practical and ethical sense: spend your energy writing software that fixes (or perhaps detects and fixes) security flaws such as this one in a manner that educates and empowers otherwise helpless users, and distribute it freely. Put your energy into something others can contribute to and improve upon, something that will allow you to receive the recognition you deserve, rather than become another hunted felon.
Excellent advice, and it trumps the pro v. con 'good-guy' worm argument completely, whichever side of that debate one stands on.
The Future of Human Evolution: Autonomy
The collection of worms/virii don't go and infiltrate high-end physics labs, change signs on equations and cause Peter Weller and company to lose out on their 5 year mission to save the Earth from destruction...
So what if it's sitting there saying "This patch requires Service Pack 2", and the worm reboots? The result: a still unpatched system! Even if the worm were to consider its work done, after reboot the computer can be re-infected. Which means another download of the patch gets started! Can you say "Sorcerer's Apprentice"?
Even if the worm were smart enough to download a service pack, we're talking over 100 megabytes. That can take a while if you don't have good broadband, and meanwhile it's providing a nice accidental DDoS against microsoft.com.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Unless you want the blaster worm on your box, you've already been compromised.
I like the idea of having the worm wait for probes from infected boxes and then jumping to them and cleaning them and waiting for more probes.
Although it would be nice if it tossed up a dialog box saying what it did and how to remove it.
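The passive design floated in this post and in the earlier one above (a cleanup worm that sits still, counter-infects only the host that attacks it, and then goes dormant) differs from the Welchia behaviour reported in the thread (keep scanning until the expiry date) mainly in how much traffic it keeps generating once there is nothing left to fix. The following toy simulation is an added illustration for this thread, not code from the page or from any real worm; it assumes a single flat network, a fixed number of probes per tick, a fixed random seed, and that a patched host cannot be re-infected.

```python
import random

INFECTED, VULNERABLE, PATCHED = "infected", "vulnerable", "patched"


def simulate(strategy, n_hosts=500, infected=50, cleaners=3,
             scans_per_tick=10, ticks=200, seed=7):
    """Toy model of a cleanup worm fighting a Blaster-like worm on one network.

    strategy "active":  cleaners probe random hosts every tick until their expiry
                        date (the behaviour described for Welchia in the thread).
    strategy "passive": cleaners sit still and only counter-infect a host that
                        attacks them, then go dormant (the design proposed above).
    Returns the tick at which the last infected host was cleaned (None if never),
    the total packets the cleanup worm sent, and how many of those came after that.
    """
    rng = random.Random(seed)                       # fixed seed: deterministic run
    state = [VULNERABLE] * n_hosts
    picked = rng.sample(range(n_hosts), infected + cleaners)
    for h in picked[:infected]:
        state[h] = INFECTED
    for h in picked[infected:]:
        state[h] = PATCHED                          # a patched host carries the cleanup worm

    cleaner_packets = packets_after_done = 0
    done_tick = None

    for tick in range(ticks):
        # The bad worm: every infected host probes random targets this tick.
        for attacker in [h for h in range(n_hosts) if state[h] == INFECTED]:
            if state[attacker] != INFECTED:         # cleaned earlier in this same tick
                continue
            for _ in range(scans_per_tick):
                target = rng.randrange(n_hosts)
                if state[target] == VULNERABLE:
                    state[target] = INFECTED        # exploit succeeds, the worm spreads
                elif state[target] == PATCHED and strategy == "passive":
                    state[attacker] = PATCHED       # probed host fires back and cleans the attacker
                    cleaner_packets += 1
                    break                           # the attacker stops scanning
        # The cleanup worm (active strategy only): scans whether or not anything is left to fix.
        if strategy == "active":
            for _cleaner in [h for h in range(n_hosts) if state[h] == PATCHED]:
                for _ in range(scans_per_tick):
                    cleaner_packets += 1
                    if done_tick is not None:
                        packets_after_done += 1     # traffic spent searching in vain
                    target = rng.randrange(n_hosts)
                    if state[target] != PATCHED:
                        state[target] = PATCHED     # exploits and patches an infected or vulnerable host
        if done_tick is None and INFECTED not in state:
            done_tick = tick

    return {"done_tick": done_tick, "cleaner_packets": cleaner_packets,
            "packets_after_done": packets_after_done}


def compare(**kw):
    """Run both strategies with identical parameters and seed."""
    return {s: simulate(s, **kw) for s in ("active", "passive")}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:8s} cleaned by tick {r['done_tick']}, cleanup-worm packets "
              f"{r['cleaner_packets']}, of which after the job was done {r['packets_after_done']}")
```

The active cleaner finishes quickly but then spends every remaining tick until expiry probing a network with nothing left to clean, which is the in-vain traffic the earlier post complains about; the passive cleaner sends at most one packet per host it ever cleans and nothing afterwards, at the price of only ever reaching hosts that happen to attack a patched machine.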
Every time I have said this on /. it has been modded down as a troll. However, you will find Microsoft now recommending exactly the same thing on their site: http://www.microsoft.com/windowsxp/expertzone/columns/northrup/02august12.asp
If you connect a Windows box directly to the Internet you are asking for trouble. Microsoft's endless list of vulnerabilities, their insane choice of services that they leave open to the Internet, the lameness of Microsoft's update system and the fact that patches only come out AFTER a vulnerability has been exploited ensure that you will be compromised at some point.
All of my Windows machines hide behind a minimalist (less complexity, less holes) Linux firewall and I only occasionally use IE and never Outlook. I have yet to be compromised (crosses fingers, kisses rabbit's foot, continues to install Linux).
Well, Joey, we agree on one thing... we both know one admin who will know better next time (we hope) or one position that has a new chance to be filled by someone worthy of a pay grade above that of fry-cook. These companies kill me... hiring not only unschooled slobs but lazy ones as well to oversee their most critical infrastructure. It's amazing. It's one thing to run critical services on Windows; it's another to have an inattentive dolt manage them.
The bad part about it is that these guys bring down the pay grade for more skilled admins both in the Windows and *NIX world.
It's the new 21st century version of core wars.
MS Windows Virus Wars. Coming to a desktop near you. Let the evolution begin.
I'll see your senator, and I'll raise you two judges.
"What possible reason is there to have file and printer sharing open to the internet?"
Microsoft obviously thought that it would be a good idea. All other points are therefore moot. When Microsoft cooks up an "innovation", look out below!!!
Yeah! Just do like Dubya did with his energy policy! Turn the whole thing over to Enron, just when Enron was dying!!!
That's the way to fix those "Socialists"!
P.S.
In the case of the North American blackout, I don't think that there was a single "Socialist" in sight! There were, however some allegedly crooked capitalists running part of the power grid. Or, are those the "Socialists" that you refer to? They were, after all, wallowing in government subsidies and regulations!
Isn't this what happened the LAST time someone wrote an anti-worm?
Vague recollection here, but someone wrote a worm which was designed to patch a security hole, but that worm caused so much network traffic that networks slowed to a crawl. I think they got into trouble for it too.
what the hell for?
automatically commence rebooting. That's my least favorite way of getting an 'autopatch'.
"Too hot" sounds like an automatic message from the motherboard. My intel P4 can do that.
Sounds like an opportunity for the car radiator CPU cooling system to me.
-- it must be true, it's on the internet.
Someone, please mod the parent up!
Even if they are using Windows Internet Explorer for the front-end GUI to access the big-iron back-end, at least ensure that they are capable of patching all of their front-office systems. For instance, they should be using enterprise-wide software distribution facilities such as Tivoli Software Distribution.
If it's not possible to distribute software to the endpoints, at least have a firewall installed in each location, or have firewalls installed in each PC.
No wonder Air Canada has troubles with bankruptcy - their foundation is not solid. Imagine how much money they lost because of this worm (and last week's power-outage - that's another rant)?
You will notice a lot of software vendors are now introducing their products into the Linux platform due to corporate demand - many companies want to move away from Windows because of these critical flaws.
When I read the headline "Worm vs. Worm Battle", nanotechnology came to mind. Now instead of people battling each other, worms will do it for us.
Bush is on fire and its not good for my lungs.
If they only used the crown jewel of Canadian technology, they wouldn't have this problem. Ironic.
We'll set aside the fact that it is a copy of a US product and received substantial funding from the US taxpayer.
I'm going to develop a worm, that mutates into two different worms...one will be the democrats, the other will be the republicans.
On the first Tuesday in November, one of them will activate and fill your computer, television and radio with loads of bullshit.
It's not what you know; It's what you can find out.
What kind of sick airline uses Windows servers to do check in and track flights/passengers. Is their IT department completely slow? They deserve what they get.
I'll tell you what kind...the kind that NEEDS to run custom apps! The sort of custom apps that can't be or haven't been ported to *nix! You wanna stop beating the "evil Microsoft" dead horse and start offering some USEFUL alternatives, fine. I know I'm going to be waiting a loooong time for that one. Hell, I'm still waiting for a viable replacement for Ms Exchange.
BTW I support a medical services provider with numerous Windows boxen in multiple locations (yes, gasp! they run Windows...it's that custom app thing again!) and not one of those boxen succumbed to any of the last spate of virii/worms. It's not all that hard to secure Windows. And I know this to be true: if everyone was running *nix, we'd be bitching about the latest *nix exploit!
Also I can't understand why we don't lay the blame firmly at the feet of who it belongs to, namely the shit-sucking script kiddies that write these things! So a Windows box has security holes in it...so what! Does that give you the right to mess with it? Do you wander through your neighbourhood trying doors to see if any are unlocked? If I leave my door unlocked, do you have the right now to walk in and steal from me? Ethically it's the same thing. These scumbags are not heroes, they're not "Neo" or "Trinity" or "Morpheus", they're little better than the lowest form of common thief and should be treated accordingly.
You're using her as bait, Master!
... that disables sobig.f and all its incarnations? Wondering how small one can make a personal firewall and spread it as a worm. At least a program that monitors for new ports being opened, tests them for being SMTP or SOCKS or whatever else sobig is opening, then pops up a warning saying "your system may be compromised, learn more by clicking here, clean it up by clicking here".
I've finally had it: until slashdot gets article moderation, I am not coming back.
I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?
It's good and bad and something of a slippery slope. When I sign up with an ISP, I want IP service -- the ability to send and receive any and all IP datagrams, regardless of their type or subtype. If my ISP starts filtering my IP service based on the overflowing basket of potential IP-based vulnerabilities, I lose that IP service. That's bad.
It's also something that "controllers" will want to see implemented based on whatever their agenda is (MSN blocks AIM, RIAA/MPAA wants Kazaa/Gnutella blocked, Ashcroft wants IPSec blocked, et al). That's the slippery slope, and it leads to what amounts to cable-TV internet service -- transparent proxied, web-only service. Yuck.
The good would be that the ignorant wouldn't be vulnerable, and many of us that manage networks professionally wouldn't have to put up with the amplification effect of millions of infested boxes with terabytes of bandwidth. Some more obscure worms/viruses would die on the vine, but I highly doubt it will end all of them.
What ISPs should do is offer a "filtered" internet connection that limits vulnerabilities and charge extra for it. Although I'm sure it'd be a major headache to set up, and potentially a huge liability if the filtering was inadequate to stop a worm or a new vulnerability.
This would allow for the clueless to get something to help them, and protect people who want real IP service, and not some cable tv-like service.
Unfortunately, I think the real solution is more, bigger worms: this should shame MS into overhauling their networking security model.
Away from the speech, Skinner and Lisa talk.
Skinner: Well, I was wrong. The lizards are a godsend.
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
Gamingmuseum.com: Give your 3D accelerator a rest.
All it takes is for one home user using VPN or a single laptop user to get infected and then connect to the corporate network to spread it behind the firewall. Blocking port 135 at the firewall is SOP almost everywhere.
Behind the firewall, port 135 is necessary in Windows networks and can't be blocked without massive breakage.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
A related article sums up an argument against beneficial viruses. Unauthorized intrusion is bad, no matter that the perpetrators _claim_ they are good.
--
Send us your Linux Sysadmin articles.
Geeky modern art T-shirts
That's a little harsh, don't you think? People did apply patches, they just did not work. The only incompetent thing is to use or recommend Microsoft in the first place. It should be obvious by now that M$ has no place on a network. More than a year after Bill Gates made security job one, M$ still blows and it always will.
I would have considered a disk formatting worm to be fully justified.
Well, it would require fewer network services and people could get on with the rebuild job they need anyway. Face it, you can't trust a worm to do your job. If you get either of these, it's time to break out the CDs and rebuild the machine because you can't trust a worm to not be trojaned. That would be nicer than making it so no computer can use a network because these broken boxes are spewing their guts out trying to get M$ patches.
The answer is to dump Microsoft altogether. Free software is obviously superior by now and no one needs to spend good money on bad Microsoft software anymore. Disasters like this just go to show the real TCO of that junk. The collateral damage to people who don't run M$ at all is unacceptable as well.
You have to wonder if businesses that don't use M$ anymore but were unable to use networks because of it can sue M$ and the dummies that still use them. Sounds like another billion dollar classaction lawsuit followed by thousands of individual suits to chip at the rapidly diminishing M$ pile of ill gotten cash.
Friends don't help friends install M$ junk.
hmm... T3 anyone?
I HAVEN'T OWNED A TELEVISION SINCE 1967 AND ONLY WATCH MOVIES ABOUT LEFT-HANDED ALEUT LESBIAN PIPEWELDERS! FUCK HOLLYWOO
Would you look at that! If I remember correctly, in the previous post on /. about lovesan, someone asked what if someone released a worm to basically FIX msblast, and there were several replies stating how it would make things worse! This proves their point, that you can't always fix a worm with a worm.
What this is degenerating into is simply CoreWars on a global scale...
DNA just wants to be free...
How about state laws dictate that all citizens who purchase a PC provide their PC Operator's License? Similar to a citizen not being able to legally drive without passing a test to obtain a Driver's License.
It might not be foolproof, but at least it would be a step in the right direction. A PC Operator then would be tested on security patching, software installation and configuration, basic troubleshooting, etc. That might help take care of one third of the problem that exists with worm/virus/exploit damage affecting everyone to the degree it does. Lately an unlicensed driver isn't as big of a threat as a clueless PC owner!
Then things could be taken a step further and states could require that the other two-thirds of the problem (i.e. - programmers and sysadmins) undergo instructional classes to better prepare and prevent such issues.
Oh wait, most of these guys did go to some sort of formal training or instructional classes!
No one is blaming these stupid worms for all their woes. Well, maybe a few airlines can gripe because their ticketing system is completely disabled. The worms are, however, exacerbating the blackout's impact, and some have even implicated it as the blackout's root cause. Statements in the New York Times about non-functioning alarm display screens being the root cause of the blackout give those rumors weight. In any case, you are missing the point.
lots of people are (hopefully) going to be scrabbling for WindowsUpdate for patches which will also add to the bandwidth being consumed.
The God damn worm is consuming bandwidth in just that manner. Thanks to Microsoft's brain dead distribution system, that bandwidth consumption is nationwide. You can contrast that to free software distribution systems where it's easy to set up a local mirror and thereby reduce the amount of traffic needed by orders of magnitude. I've only got six machines or so, but my bandwidth usage is down dramatically thanks to a local mirror. The same benefits can be had, but to a much larger extent, in an organization with hundreds or thousands of machines. Train wreck, yeah, that's about right. One track, all blocked up by broken shit. Hopefully, people are going to be scrambling to replace that M$ junk. How many times do you have to be burnt to learn?
Statements about lower TCO for M$ junk are equally flawed and embarrassing when you factor in the costs of worms like this and weeks of lost business.
Friends don't help friends install M$ junk.
If you add up the number of people that were hurt by this 'good' worm and compare the trouble saved the people that were successfully cleaned by this worm you might find that this worm actually did a net good.
There may be people who were aware of the patch and could not apply it for some reason (maybe the patch broke existing software and they were in the process of fixing the problem when the good worm 'nicely' patched them against their will). That is the main problem I have with this 'good' worm.
A less obnoxious 'good' worm would have a screen that popped up and explained how the person had become 'infected' and then asked whether the person wanted to be patched before doing so.
The scanning is a problem too.
Suppose everyone ran a web server. You could then write a web page that popped up a screen asking if you wanted to install the worm. The worm might include code that replaced the 404 not found error message with the popup notification. Then anyone that got a 404 not found error on your web server would get the worm page and the opportunity to let it spread to them.
You could have a page that offered to install a 'computer optimizer' with a long EULA that basically gave you rights to do whatever you wanted to their computer.
If you were malicious, you could even add a clause that opened the computer to ANYONE that wanted to do ANYTHING to your computer, and watch the chaos ensue when you published the control protocol with a convenient SDK. People would be able to use these legion zombie machines to do any evil thing they dreamt up or even write a worm to delete the hard drives of them all.
that's what you'll yearn
-- Thou hast strayed far from the path of the Avatar.
Perfect. It's not your fault for recommending and using Microsoft crap, it's your users' fault for not taking precautions? No, the root cause of this failure is in Redmond, but your use of their crap is a larger contributing cause to your company's problems than anything any of your users do. Take responsibility for your decisions and fix that mess the right way. How many times are you going to shell out big bucks only to be burnt by the next Microsoft Transmitted Disease?
It is way past time to dump Windows. It's not hard to do, really, and you will be much better off in the long run to start using free software now. Good luck cleaning that mess up. Don't be too hard on the owner of that laptop, there were as many ways for that thing to get on your network as IE has exploits. When you finish restricting your users to things that are "safe" on an M$ network, what exactly will you be providing your users? Free software requires far fewer restrictions while offering much better services and ease of data transport. When you factor worms like this and bandwidth costs for "patching" into your TCO, free software is a real bargain.
Friends don't help friends install M$ junk.
From what I read here, M$'s little tools said the machines were "patched" when they were not.
And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.
I won't, and they won't be making that mistake for much longer either. That roaring sound you hear is not a jet engine, it's the sound of millions of IT pros whispering, "I told you so," as they write yet another paper recommending free software everywhere M$ is. M$ TCO is way more than the M$ tax.
Friends don't help friends install M$ junk.
For a while I was regularly seeing the "Welcome to Windows Terminal Server" dialog box on the Ottawa city bus electronic time schedules. They had never even unchecked the "show me on startup box". Tuned that software to the gills, I tell ya.
They didn't name them 'W32.Godzilla' and 'W32.Mothra', that would put things into perspective better..
XML is like violence. If it doesn't solve the problem, use more.
One of several possible Point of Sale systems does run NT4 (and had the daylights tested out of it in SQA before release), but the E500 pumps on the island run Linux!
Also, the POS isn't on the Internet. Updates (and remote troubleshooting) are accomplished by dialing-in. Any card processing networks that might be attached are dedicated and encrypted. The encryption box runs a dedicated OS kernel, not Windows.
Airlines, utilities, etc., I cannot attest for, but there are no dummies or risk takers where I work. When you handle both financials and flammable liquids, there's no margin for error. Moreover, the flammable side is Linux.
"...Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which first started hitting computers around the world on Monday. ..."
I could have sworn I had read the exact same statement in a different article a few days ago. The statement had stuck in my head because it implied the worm problem was completely the users' fault for not installing the patch. Since it seemed so familiar, I googled the phrase "Although Microsoft posted a software patch to fix the flaw" (google limits you to ten words or less). Lo and behold, hundreds of hits for individual separate articles from "different" news sources with the exact same paragraph, completely verbatim. I am aware that information is shared through the Associated Press, but personally I find it unsettling that all of these news authors do little more than cut and paste another author's words (and voice), instead of writing an article on the same subject with different points of view or ways of expressing the facts. It is especially concerning when the statement in this example seems to slant blame away from a responsible party, Microsoft, in a serious situation that they are largely (IMO) accountable for.
Perhaps I am off topic, but I felt obliged to point out my discovery. I didn't think it was possible, but my level of trust in the quality of information in the media has dropped yet another rung.
Beware blue cats moving at
...I know an old lady who swallowed a dog.
She swallowed the dog to catch the cat.
She swallowed the cat to catch the bird.
She swallowed the bird to catch the spider.
She swallowed the spider to catch the fly.
I don't know why she swallowed the fly.
Perhaps she'll die.
Now play nicely.
This worm vs. worm stuff definitely reminds me of watching CoreWars running 2 or more "programs" that are trying to clobber each other. For those not in the know, CoreWars started off in a Scientific American Mathematical Recreations article and describes a low-level programming language close to assembly language called Redcode. Using Redcode you write mini programs that are supposed to clobber other programs in Core (aka memory). Fun and fascinating to watch. There are versions for Windows & Linux, so no excuse not to try it. They even have an annual contest, IIRC.
Maybe it's time for someone to invent Internet-enabled Corewars so that programs can attack each other via broadband...
pot.kettle(black);
So far I have had two friends come over to my house with their PCs and tell me "It keeps rebooting."
Both had cable internet. One had no firewall and one had a software firewall. The software firewall had been helpfully turned off by some spyware program. (Ad-aware, http://www.lavasoft.de, found over 200 spyware programs on the PC.)
I wish someone would release an anti code red worm or two. I still see pages and pages of code red attempts in my logs. After how many months? Any machine that is not code red patched is probably not going to be.
While I am ranting, how about an anti Kazaa worm and an anti Comet Cursor worm.
I hope no one is working on a worm that changes the passwords in a windows box? That would create a mess.
Question:
I am seeing a lot of ICMP type 8 traffic and domain-udp traffic aimed at my firewall today from all over the place. Much more than normal. Is the antiworm doing this, or something else?
Every wrong attempt discarded is a step forward - T. Edison
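One way to get an answer to the question above from your own firewall logs, rather than guessing, is to tally the suspicious traffic classes per source and see which sources stand out. This is an added example, not code from the thread or from anyone posting in it, and it does not attribute traffic to any particular worm. It assumes netfilter/iptables-style log lines (SRC=, DST=, PROTO=, TYPE=, SPT=, DPT= fields), which the sample below constructs with documentation-range addresses; the echo-request threshold and one-hour window are assumptions you would tune to your own baseline. It also covers the earlier comment about port 135: inbound TCP/135 probes at the perimeter are counted as their own class.

```python
"""Tally ICMP echo requests, DNS traffic and TCP/135 probes per source in firewall logs.

Added example with constructed netfilter-style log lines (assumed format); the
addresses are from documentation ranges and the traffic is invented.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). 203.0.113.5 pings us six times in
# one hour, plus one TCP/135 probe; 198.51.100.53 plays the role of the ISP's
# resolver answering a query we sent (source port 53); 203.0.113.9 sends a DNS
# query *to* us; one line is an echo reply (TYPE=0) that should not be counted.
SAMPLE_LOG = """\
Aug 19 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Aug 19 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Aug 19 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3
Aug 19 10:00:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4
Aug 19 10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Aug 19 10:00:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5
Aug 19 10:00:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6
Aug 19 10:01:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1031 LEN=80
Aug 19 10:01:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=53 LEN=48
Aug 19 10:02:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
Aug 19 10:02:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=135 WINDOW=64240 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line, year=2003):
    """Return a dict of KEY=value fields plus a parsed timestamp, or None if unparseable.
    Syslog lines carry no year, so one is assumed (default 2003, the thread's year)."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    try:
        fields["ts"] = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    except ValueError:
        return None
    return fields


def classify(rec):
    """Bucket one log record into a traffic class a firewall admin cares about."""
    proto = rec["PROTO"].upper()
    if proto == "ICMP" and rec.get("TYPE") == "8":
        return "icmp_echo_request"          # inbound ping (ICMP type 8)
    if proto == "UDP" and rec.get("DPT") == "53":
        return "dns_query_to_us"            # someone asking our host for DNS
    if proto == "UDP" and rec.get("SPT") == "53":
        return "dns_reply_like"             # source port 53: shaped like a reply to our query
    if proto == "TCP" and rec.get("DPT") == "135":
        return "tcp_135_probe"              # RPC endpoint mapper probe at the perimeter
    return "other"


def summarize(log_text, echo_threshold=5, window_minutes=60):
    """Count each class per source and flag sources whose echo requests in any
    single window reach echo_threshold. Threshold and window are assumed values."""
    per_class = defaultdict(Counter)
    echo_windows = defaultdict(Counter)  # src -> Counter(window bucket -> count)
    window_seconds = window_minutes * 60
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cls = classify(rec)
        per_class[cls][rec["SRC"]] += 1
        if cls == "icmp_echo_request":
            bucket = int(rec["ts"].timestamp() // window_seconds)
            echo_windows[rec["SRC"]][bucket] += 1
    flagged = sorted(src for src, buckets in echo_windows.items()
                     if max(buckets.values()) >= echo_threshold)
    return {"counts": {cls: dict(c) for cls, c in per_class.items()},
            "flagged_echo_sources": flagged}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for cls, counts in result["counts"].items():
        print(f"{cls}: {counts}")
    print("sources exceeding echo-request threshold:", result["flagged_echo_sources"])
```

Two things the tally makes visible that a raw "hits per hour" number hides: packets from a resolver with source port 53 are shaped like answers to queries your own hosts sent, which a stateless filter will happily log as inbound hits, so they are separated from queries actually aimed at you; and a single source pinging you far above your baseline inside one window is worth a closer look regardless of what is generating it, while one ping each from many sources is what a broad sweep looks like from the receiving end.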
obviously someone read Stealing the Network and got the idea from there.
NUTBAR CONSPIRACY THEORY
Yesterday was the 50th anniversary of the U.S. backed coup that overthrew the elected government of Iran and replaced it with a dictatorship. Kind of an embarrassing thing for George II et al to have in the news right now what with Iraq and all. Was it in the news? Course not, between the power failure and the worms and the virus, the news had lots of other stuff to talk about. AND even better, all the commie-mutant-traitors who use the internet to bring up unwelcome topics of conversation couldn't get on-line.
although there is some question in my mind as to whether the Committee for Homeland Security is in fact bright enough to come up with this...
I disagree that filtered should cost more; rather, unfiltered should cost money. Let's face it, the people who want to use the internet as it was designed are in the minority. Most people see it as a service like cable TV. So either you redesign the internet to be like cable TV, or you filter it so that it's safe.
The internet is cheap because the unwashed masses are using it. How much money was it to get even a 128k ISDN line to the internet ten years ago? A hell of a lot more than a DSL line is today.
The internet needs the masses to be a success and I think that it's the duty of the ISPs to ensure that those people don't kill each other with viruses.
BTW, MS will never be shamed into making secure software, because people don't blame MS for the viruses. Nor should they be. MS is the number one target because it is number one. If Linux, Mac, BSD, Sun, etc. was number one then they would be the number one target.
Noticed an increase in Spam? SoBig.F is to blame, as well as people's stupidity - in that they STILL open unknown attachments.
Go here: http://www.lurhq.com/sobig.html
for all the gory details on this little nasty critter.
Once infected, it's easy to remotely identify an infected host. Details on port usage are listed in the URL above.
Of course we already know that slashdotters would NEVER open up attachments, right? Right? Please tell me it isn't so.
Of course it affects WinBlows users, but aren't we ALL winblows users? After all, who wouldn't want to be a Gates slave?
The windows OS is being dissed on this server apparently because it is insecure. However, this cannot be the real reason, as follows: Linux, the OS that people most often advocate, has had many, many security problems in the past, equivalent to the windows security problems. Also, just as Linux companies do, Windows released a fix for their problem.
The main reason that the Windows worm is more dangerous and annoying is because, to use agricultural terminology, there is on the internet a type of Windows monoculture. Because there are so many different variations of Linux in use, it is less likely that an infection could spread, but if a single version of Linux was as widely adopted as Windows, it is not hard to conceive of the possibility of an equally damaging worm.
With all the emulated and specialized systems out there, can you guarantee that any code you write will run properly on all systems?
If the reverse worm only targeted attacking systems, then at least you'd have the guarantee that:
A) These machines are compatible enough to get infected by the original virus.
B) These machines are already causing havoc. If left alone, they will continue attacking random hosts until maybe they get discovered by an owner/administrator. You know, unless it's just an old machine sitting in a corner somewhere, or the user doesn't know how to fix the problem, or the admin is on vacation, etc. etc.
Whoever the idiot is that distributes something like a "clean up worm"...
One worm r00ts your box and opens up a tftp backdoor. The other worm looks for hosts that are sick or at risk and tries to inoculate them. (Damn those immunization shots, they might get my child sick! Why don't their parents just not let them outdoors?!)
The cleaner virus is altruistic, performing a beneficial service with the best intentions. The attacker virus is a massive DDOS zombie-maker. It seems to me that the distinction is clear.
As long as there are exploits, there will be worms. As long as there are automated attack worms, cleaner worms will be beneficial in combatting them. They're a valuable community service.
Of course, a clever virus writer will take a clue from the root-kit makers: once you own a box, always patch the holes you used to take it over, so some other kiddie can't take it back.
Excellent information, thank you very much.
One of those golden moments of Slashdot.
Notes From Under *nix: blas.phemo.us
Might I suggest that this be named the Morgaine worm? ;-)
Or perhaps the class of worms could be called 'Changeling' worms, with individual ones given names like Ivrel, Shiuan, etc.
Even if it WERE true the power outage was the effect of the MSBlaster worm, do you think that M$ is going to allow the press to have a field day? Come on you guys, ol Billy boy controls the media.... and you can best bet your sweet dippy that ol Billy boy is NOT going to want this kind of publicity.
I have dozens of windows boxes running and I have NEVER been virus infected. Why? Because I'm not a fucking idiot. I recommend that people too stupid to run a firewall and antivirus software switch to Linux or Mac, OSes so marginal that nobody bothers to write virii for them
That should have read "renamed the Morgaine worm." Sorry, I'm surprised I didn't catch that in preview.
http://www.windowscrash.com/
Not true. Competent system administrators are saying that the update utility downloaded the patch but did not install it, yet reported it installed. Some help that is.
Why does it [Microsoft software] blow?
Development model, marketing model, distribution model, design problems and bad attitude and ethical problems. Where do you want me to start? The results are in, every few months when a new exploit costs everyone lots of grief. Try subscribing to the DEBIAN-SECURITY mailing list and tell me linux never has security holes.
I've got http://security.debian.org in my /etc/apt/sources.list file and it works great. Free software is like that. You need to look at the uptime lists on netcraft before you mouth off about the security and stability of free software as opposed to MicroShit.
Friends don't help friends install M$ junk.
It amazes me how many people in that thread regarded this as a clever, useful thing to do, while in this one it is universally declared an obvious problem.
Screw you, worm. You're fucking up my Tron 2.0 ping.
- IP
Skinner: Well, I was wrong. The lizards are a godsend.
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
Ever read the EULA?
I agree that it would be fraught with problems, and I, as a poor programmer, wouldn't attempt it.
While any problems caused by installation of MS patches aren't really the fault of the writer of the worm, they are another reason why I'm glad my idea is only theoretical.
You are right, I admit, that it would be virtually impossible to create a "white hat" worm that didn't screw up approximately as much as it would fix.
Another question in the same vein. I've been getting about 20 hits per hour since 8/14 that resolve to my ISP's DNS server. Is this an indication they are infected with the anti-worm as well? They don't, as expected, have a clue, saying their systems are patched, no abnormal traffic across the system. I asked them to check their outgoing traffic on the server to see if they have an inordinate amount of traffic. No answer. And I still keep getting hammered by my ISP's server. Don't know how long the software firewall is going to keep everything out at the rate it's being hit.
Especially for airports, it's not a good idea to put something as half-baked as MS-Windows in services that passengers depend on -- it makes you wonder how good the rest of their work is, e.g. safety, security, and maintenance.
With the bus schedules, it's just an inconvenience and mildly aggravating, but nothing a paper schedule or a ride in a taxi won't solve. Though it is wasted money that could be used more effectively in other activities.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Given that the USA hates Canada for being liberal towelhead-loving bastards for not joining in the glorious liberating (omigod-no-one-told-us-our-boys-would-get-killed-and-we-should-have-left-it-to-the-United-Nations-like-everyone-told-us) war against Saddam, is it only me that's not surprised it's Canadian networks that are affected by the patching worm?
bored and underpaid
I believe the ultimate solution to this problem is to forbid incompetent people from using a computer or accessing the Internet. Do we allow random people to drive cars? No, they have to get a license first. Do we allow kids to drink alcohol? No, they have to be of legal age first (aka, have an ID card). Do we allow random citizens to practice medicine or law? No, they have to go to school and get a license first.
So why should it be any different with computers?
I, for one, welcome our new worm overlords.
D'oh!