Worm vs. Worm Battle Slows Networks
joel_archer writes "According to this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster-infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit were the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
"cleanup" worms are still bad. Since the original worm didn't do anything except attack a domain name that's no longer in use, the cleanup one may even be worse.
Since the article's filename is "flash1.html," I doubt it's staying in that location forever, so here is the text. Posting logged-in because of the insidious article text trolls that have been plaguing Slashdot recently.
COMPUTER WORM THWARTS POWER SYSTEM REPAIR IN CANADA
Tue Aug 19 2003 20:33:34 ET
TORONTO (CP) - A computer worm designed to eliminate an earlier virus brought computer networks to a standstill Tuesday, hindering efforts in Ontario to recover from last week's power outage and forcing Air Canada to check passengers in manually across the country. Vancouver International Airport reported huge delays and long lineups in the international departures terminal as the virus slowed Air Canada's check-in computer system.
Air Canada spokeswoman Laura Cooke said the virus affected the airline's call centre in Toronto and check-in systems across the country.
``It is causing delays in processing customers at airports,'' she said.
The worm also slowed Ontario's efforts to repair the hydro system from last week's blackout.
``The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario,'' said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.
Inside the terminal in Vancouver, passengers, some of whom have been stranded since the blackout-related problems of last Thursday, were frustrated.
``It's a nightmare,'' said one unidentified woman. ``The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.''
The worm targets computers running Windows 2000 and Windows XP and infected with the blaster worm. Once it deletes the blaster worm, the computer attempts to download a patch from the Microsoft update site, installs the patch and reboots the computer.
It searches for active computers by sending a signal across the Internet, which results in significant increases in traffic.
Internet security firm Symantec identified over 600,000 computers on Tuesday afternoon that were affected by one of the two worms.
Telus, the country's second-biggest phone company, saw operations for 411 operators slowed as the worm infected a number of internal systems at the company, while Corus Entertainment's Web site was down until the company was able to clean up its system.
The worm snarled the network at the CBC, slowing the broadcaster's Web site.
The Blaster worm also affected some computers of Ontario's emergency response system dealing with the aftermath of last week's huge blackout across a swath of the province and eight U.S. states.
Dr. James Young, the Ontario commissioner of public safety, said the problem was ``making our job more difficult.''
Symantec assessed the worm a ``Level 4'' threat, the second-highest, due to reports of severe disruptions on internal networks.
``Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,'' Vincent Weafer, senior director of Symantec Security Response, said.
``The worm is swamping network systems with traffic and causing denial of service to critical servers with organizations.''
It was not known where either of the worms originated. However, blaster, also known as lovsan because of a note it left on vulnerable computers, ``I just want to say LOVE YOU SAN!'', also carried a hidden message to taunt Microsoft's chairman: ``billy gates why do you make this possible? Stop making money and fix your software!''
Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which fir
Yeah. It's amazing where you'll find Windows. For the past few days, the local public education cable channel has had a Windows login prompt misdisplayed.
Windows is fine for games and light use, but why would you want to do anything serious with it? Sooner or later, these companies will wise up and move to *nix.
http://yetanotherpoliticalrant.blogspot.com
This is a battle of bad worm vs. less obviously bad worm. I don't understand why nobody seems to realize that Nachi is also a threat. Besides the fact that it's a worm, it leaves behind a pair of services, exposing the "repaired" computer to future exploitation, next time through a more convenient tftp interface.
Is it really that much to ask people to read an advisory of how the worm works before cheering it on?
For those who run a Linux firewall between a network of Windows boxes and the Internet you should rate limit those IP echo (ping) packets. Refer to my previous posting where I showed some sample iptables rules.
Of course my firewalls have port 135 (and a lot more) blocked. Still, it is very hard to keep out of a large network; it doesn't have to get through a firewall. But once inside it can quickly spread and then your firewall or border router will get flooded with pings. I was seeing well over 1 million pings per minute. At that rate my stateful Linux firewall was crawling on its knees as the connection tracking table filled up trying to remember all those echo requests so it could match them up with the echo responses. It didn't crash Linux, but it did render it near useless.
The scariest thing with all these worms is thinking about what could have been. What if they actually did something much more serious? What if they throttled back on the network scanning just a bit so they didn't take the network completely down and it took longer to notice?
I wouldn't expect any MS anti-virus software for quite awhile... Actually, a Microsoft anti-virus (among other things) program is currently in alpha stage. It's called the "PC Satisfaction Trial" and contains firewall, backup, and anti-virus tools. Although it's extremely buggy at the moment (which is to be expected with alpha software) it does look very promising. Even at alpha, it's simple enough for Joe User to figure out how to use it. I predict this program will be quite a big success.
Airport FIDS (Flight Information Display Systems) tend to run Windows. I used to manage a system of a few thousand displays running a weird Continental Airlines and Infax proprietary protocol. There were two big reasons for using Windows, despite the suckage. One is that it's a hell of a lot easier to find programmers who can do custom work quickly in the Windows environment. The other is that Windows support for things like multi serial cards and stuff is a lot better; we often didn't have too much choice in the hardware we had to use (strange implementations of the old current loop, on 16 ports, for example... with only one supplier). Airports are very conservative, and with good reason. They really don't like change. Lots of serial cabling and repeaters where Ethernet would have done a great job.
How about this one: The Canadian government's Office Of Critical Infrastructure Protection and Emergency Preparedness runs IIS.
Why, given the nature of the department and (one would hope) its awareness of the threats, would they use IIS while more stable and more secure alternatives are still available?
This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.
Looking at that site and seeing the fragile infrastructure they're using, I can't help but feel proud to be a Canadian. Jesus wept.
Fire and Meat. Yummy.
The article says that the virus is hindering repairs on Ontario's "hydro" system... not that it is affecting hydroelectric.
:)
Just another misunderstanding based on the use of the word "hydro" to mean "electricity"... it would be nice if at least news sources would stop making this simple mistake
1) When it infects machines, 99% of the time it is unable to download the patch. This makes it pointless.
/16, that's a lot of traffic.
No, I don't know why, I guess it's because the Windows Update URL has changed? All the machines that we've found with this virus have not been patched and had to have the patch applied anyway.
2) It tries to ping every machine on its local network as fast as it can, repeatedly. It doesn't just do a single scan then shut up til 2004 (its expiry date) - oh no, it continually scans. That's OK if you have 2 machines on your LAN, but when you have a huge switched LAN with a few hundred or thousand hosts on a
I see LOTS of ARP traffic from the machines doing the scanning to hosts on the local network, and I see loads of ICMP echo-request destined for outside our network. Which I filter now.
3) It runs as a service that isn't detected by many virus scanners; for some reason Norton's didn't find it though McAfee did. Again I have no idea why.
The thing did a LOT of collateral damage on our network with a couple of hundred machines. I shudder to think about what kind of damage it is doing to large networks at universities etc.
oh brave new world, that has such people in it!
I actually rebuilt my server the other day onto a new machine, not because of a worm, but because I got a second hand dual proc 750 MHz server (with RAID 5!) for nothing. It was pretty easy to install the base system, RedHat 9, run up2date, then copy the important files from /etc into place. Back up and running in no time. Try doing that with the registry.
All those moments will be lost in time, like tears in rain.
Virus history is a bit different if you follow the definition of viruses parasitically infecting files, whereas worms are self-contained and actively spread via network. Here's a paper that covers the early history of both to some degree.
I write code.
I didn't link to the article because it's in Norwegian. But if you can read Norwegian, here it is.
This article is based upon another article from the Danish newspaper Jyllands-Posten, but I'm unable to locate the article on their web site.
The thing is, the worm doesn't download *just* that patch, from the listing, it downloads at least 8 related and semi related patches.
It's just a good thing that the worm wasn't patched in SP1 for WinXP, or else Microsoft itself could conceivably nuke thousands of warezed copies without even trying.
PS: Microsoft, if you're reading this, you better give me a cut for the idea.;)
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
STFU
Try patching 75,000 workstations and servers in a month with 100 IT staffers who have jobs to do besides patching MS shit.
Conformity is the jailer of freedom and enemy of growth. -JFK
Every time I have said this on /. it has been modded down as a troll. However, you will find Microsoft now recommending exactly the same thing on their site: http://www.microsoft.com/windowsxp/expertzone/columns/northrup/02august12.asp
If you connect a Windows box directly to the Internet you are asking for trouble. Microsoft's endless list of vulnerabilities, their insane choice of services that they leave open to the Internet, the lameness of Microsoft's update system and the fact that patches only come out AFTER a vulnerability has been exploited ensure that you will be compromised at some point.
All of my Windows machines hide behind a minimalist (less complexity, fewer holes) Linux firewall and I only occasionally use IE and never Outlook. I have yet to be compromised (crosses fingers, kisses rabbit's foot, continues to install Linux).
yeah, yeah, blame the user, blame the user.
Have you totally ignored the discussions about this worm? The fact is that many people took Microsoft's advice, applied the patches and still got compromised. This is a massive failure on Microsoft's part:
1. for releasing yet another buffer overrun hole in their systems. The coding problems that cause this are well-known, the tools to search for it can be automated, and MS claims to have an army of people searching for these vulnerabilities by hand. Yet one of the affected systems is Windows Server 2003!
2. They fucked up the fix! The first round of fixes for this vulnerability turned off the DCOM services to the outside world, but left the server listening at the same port and vulnerable to a buffer overflow! Stupid! Stupid! Stupid!
3. Many claim (and I haven't verified this myself) that the updates said that the fix was already installed when it wasn't. Seems like the registry changes that MS uses to verify that patches were installed are made before the actual patch is installed. If the patch process punted while installing the patch, but after the registry changes were made, it would never try to install it again. Stupid! Stupid! Stupid!
That's a little harsh, don't you think? People did apply patches, they just did not work. The only incompetent thing is to use or recommend Microsoft in the first place. It should be obvious by now that M$ has no place on a network. More than a year after Bill Gates made security job one, M$ still blows and it always will.
I would have considered a disk formatting worm to be fully justified.
Well, it would require fewer network services and people could get on with the rebuild job they need anyway. Face it, you can't trust a worm to do your job. If you get either of these, it's time to break out the CDs and rebuild the machine because you can't trust a worm to not be trojaned. That would be nicer than making it so no computer can use a network because these broken boxes are spewing their guts out trying to get M$ patches.
The answer is to dump Microsoft altogether. Free software is obviously superior by now and no one needs to spend good money on bad Microsoft software anymore. Disasters like this just go to show the real TCO of that junk. The collateral damage to people who don't run M$ at all is unacceptable as well.
You have to wonder if businesses that don't use M$ anymore but were unable to use networks because of it can sue M$ and the dummies that still use them. Sounds like another billion dollar class-action lawsuit followed by thousands of individual suits to chip at the rapidly diminishing M$ pile of ill-gotten cash.
Friends don't help friends install M$ junk.
where there has not been at least one of the arrival/departure screens showing 'This program has performed an illegal operation'. And I visit a fair few international airports.
Just because the displays use Windows doesn't mean anything. It was probably easier for whoever developed the system to develop it on Windows. For all you know it could be getting all of the data from a Linux server. I have seen other cases where Windows is only used as the front end. Banks, for example. PC Financial uses Win2k workstations that connect via IBM's client access to an AS/400. The workstation might crash but it doesn't do a thing to the server.
Is that a real poncho? I mean, is that a Mexican poncho or is that a Sears poncho?
So far I have had two friends come over to my house with their PCs and tell me "It keeps rebooting."
Both had cable internet. One had no firewall and one had a software firewall. The software firewall had been helpfully turned off by some spyware program. (Ad-aware, http://www.lavasoft.de, found over 200 spyware programs on the PC.)
I wish someone would release an anti code red worm or two. I still see pages and pages of code red attempts in my logs. After, how many months? , any machine that is not code red patched is probably not going to be.
While I am ranting, how about an anti-Kazaa worm and an anti-Comet Cursor worm.
I hope no one is working on a worm that changes the passwords in a windows box? That would create a mess.
Question:
I am seeing a lot of ICMP type 8 traffic and domain-udp traffic aimed at my firewall today from all over the place. Much more than normal. Is the antiworm doing this or something else?
Every wrong attempt discarded is a step forward - T. Edison
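One way to check for the sweep pattern the firewall post above describes (a flood of echo requests that fills the connection tracking table, and hosts pinging their whole local network as fast as they can) and to answer the question about the ICMP type 8 traffic: an added Python example, not code from any post on this page. It parses tcpdump-style lines (the sample lines are constructed for the example, not a real capture), flags any source that pings many distinct hosts inside a short window, and prints iptables rate-limit rules of the kind the firewall post mentions. The 16-target threshold, the one-second window, the 10/s limit, the burst of 20 and the FORWARD chain are assumptions to tune for your own network.

```python
"""Spot ICMP echo sweeps (Welchia/Nachi-style host discovery) in tcpdump output."""
import re
from collections import defaultdict

# Matches tcpdump -n lines for ICMP echo requests only; replies and TCP are skipped.
ECHO_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id \d+, seq \d+, length (?P<len>\d+)"
)


def _build_sample_log():
    """Constructed sample traffic for this example; not a real capture."""
    lines = []
    # One infected host pinging 30 distinct neighbours within half a second.
    for i in range(30):
        lines.append(
            f"12:00:00.{i * 15000:06d} IP 10.1.2.50 > 10.1.2.{100 + i}: "
            f"ICMP echo request, id 512, seq {i + 1}, length 72"
        )
    # A benign host pinging its gateway once a second.
    for s in range(3):
        lines.append(
            f"12:00:0{s}.500000 IP 10.1.2.7 > 10.1.2.1: "
            f"ICMP echo request, id 1, seq {s + 1}, length 64"
        )
    # Noise the parser must ignore: an echo reply and a TCP/135 connection attempt.
    lines.append("12:00:00.000200 IP 10.1.2.100 > 10.1.2.50: ICMP echo reply, id 512, seq 1, length 72")
    lines.append("12:00:00.600000 IP 10.1.2.50.1045 > 10.1.2.100.135: Flags [S], seq 1, win 64240, length 0")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def _to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_echo_requests(log_text):
    """Return (seconds, src, dst, length) for each echo request, sorted by time."""
    records = []
    for line in log_text.splitlines():
        m = ECHO_REQ.match(line)
        if m:
            records.append((_to_seconds(m["ts"]), m["src"], m["dst"], int(m["len"])))
    records.sort(key=lambda r: r[0])
    return records


def find_sweepers(records, window=1.0, min_targets=16):
    """Map each source to the most distinct echo targets it hit inside any
    `window`-second interval, keeping only sources that reach `min_targets`.
    A host pinging one gateway over and over never counts; a scanner does."""
    by_src = defaultdict(list)
    for t, src, dst, _ in records:
        by_src[src].append((t, dst))
    sweepers = {}
    for src, hits in by_src.items():  # hits are already time-ordered
        best = 0
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:] if t <= t0 + window}
            best = max(best, len(targets))
        if best >= min_targets:
            sweepers[src] = best
    return sweepers


def rate_limit_rules(sweepers, chain="FORWARD", limit="10/s", burst=20):
    """Emit iptables rules that cap echo requests from each flagged source and
    drop the excess; chain, limit and burst are assumptions to tune locally."""
    rules = []
    for src in sorted(sweepers):
        base = f"iptables -A {chain} -s {src} -p icmp --icmp-type echo-request"
        rules.append(f"{base} -m limit --limit {limit} --limit-burst {burst} -j ACCEPT")
        rules.append(f"{base} -j DROP")
    return rules


if __name__ == "__main__":
    flagged = find_sweepers(parse_echo_requests(SAMPLE_LOG))
    for src, n in flagged.items():
        print(f"{src}: {n} distinct hosts pinged within 1s")
    print("\n".join(rate_limit_rules(flagged)))
```

Counting distinct targets per source rather than raw echo requests is what separates a scanning worm from a monitoring box that pings its gateway every second. Note that a `-m limit` rule in the filter table still creates a connection tracking entry per request before the excess is dropped, so it caps the flood but not the table growth the post describes; on a kernel with the raw table, `iptables -t raw -A PREROUTING -p icmp --icmp-type echo-request -j NOTRACK` keeps echo requests out of conntrack altogether.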
While at the airport about 2 months ago, I noticed one of the display terminals had blue screened. I was rather delighted, so I snapped a few pics before airport security noticed.