Worm vs. Worm Battle Slows Networks
joel_archer writes "According to this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit was the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
So, the question I have is: do you think he was trying to be a good Samaritan and just wrote something that caused serious problems, or do you think he purposely wrote something that would cause problems but would spread wild due to the ostensible good it was trying to do?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I think the dude who wrote it had a good idea... We had a discussion here about automatic updates... If people won't patch their own machines, then someone has to.
However, the execution here was poorly thought-out. It should have been written to be far less aggressive so as to avoid network slowdown. I would have had it scan for one hour per day, which hour would be chosen randomly. Then you cut traffic to 1/24 of the original level. Then have it de-activate and self-destruct after 5 PCs had been "infected" or 3 hours of scanning, whichever comes first.
The thinking is, let a worm-writer take a crack at getting patches installed. If patches spread as quickly as viruses, this whole thing would never have happened!
1. Gain access via the same vulnerability. 2. Do something to block port 135 completely (without generating network traffic). 3. Go to the next vulnerable system.
Support Israeli punk bands. Man Alive.
It's a case of a lesser of two evils. The problem is, there are thousands of exploitable boxes and if nothing is done about it, in the long term, this is going to cause some serious problems. Many of the owners of these systems will never fix or patch them themselves.
It's really a toss-up between a worm that temporarily slows down networks by spreading and patching the systems it infects, then automatically deleting itself after a set date, or a script kiddie scanning the entire internet, picking up these boxes and adding them to his DDoS network, which can slow down all or any network(s) (root DNS servers, anyone?) he or she chooses at a later date.
It is for this reason, IMHO, that these exploitable boxes are a threat to the integrity of the internet, and while writing a worm to automatically patch the systems might be rather militant, something has to be done about it.
What kind of sick airline uses Windows servers to do check-in and track flights/passengers? Is their IT department completely slow? They deserve what they get.
(Disclaimer: I've flown Air Canada. The accommodations were very nice.)
http://yetanotherpoliticalrant.blogspot.com
This new worm, it looks to me like it is being dubbed an anti-virus.
/.r comes forth and cites instances of anti-viruses in the past.
Most of the time I learn about something and think it is new it is not. So I won't act shocked when some
However I personally have not come across this before.
I predict that the anti-virus will never be as prevalent as the virus, but we can expect to see them from here on out.
Many ISPs already filter the standard Windows NetBIOS ports (137-139, I think) because of possible attacks.
I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?
True, it shouldn't be the responsibility of the ISP, and no, I'm not exactly happy with the thought of port filtering becoming common place and extending to other ports (ftp, ssh, http, etc - after all, "it's a home connection, you shouldn't be running servers..."). As an interim measure, though, it at least does help to contain the problem.
If people don't start taking their own computer's security seriously
I think you have that wrong. People do take their computer's security seriously, they just don't know enough about it. They also, largely, expect to be able to just switch their computer on, and have it work, like everything else they use. TV, video, dvd, microwave, car, central heating - they're all made, installed or set up once, and then just work. If they break down, they're replaced, or a qualified engineer is called to fix them.
People aren't yet used to the idea that computers don't quite act like that. You and I may have been working closely with them for years, but most "ordinary" people haven't. So, they expect them to require the same amount of effort as everything else they use.
I think that PC manufacturers could go a long way to helping here - shipping with firewalls and virus scanners preinstalled and configured. Perhaps have a couple of big, impossible to miss buttons on the desktop - "click here if this machine is connecting directly to the internet", "click here if this machine will not connect to the internet, or will connect via another machine on the network", "click here if you don't know what that means", that configures the machine appropriately for its role. That way, the gateway can be secured, while the rest of the network can share files and printers. No, that's not a foolproof plan, but I think it would go a long way to helping solve the problem.
Don't just bitch and moan at the "clueless, irresponsible" users - teach them to know better, and help them while they're learning.
It's official. Most of you are morons.
The genius of using a DNS hack to fix the worm is that checking download.microsoft.com is the first thing the worm does--nip it in the bud. Sure, you can patch machines by hand--but why not use the worm's own self-defense vector (patching behind its entry point) to kill it?
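The "DNS hack" in the comment above, worked through as an added example (my code, not anything from the original post): a resolver that answers a blocklisted name with an unroutable address stops the worm's very first step and, as a side effect, records which internal clients asked for that name, which is a ready-made inventory of infected hosts. The hostnames, client addresses, query-log format and the exempt patch-server address are all constructed for the example.

```python
"""DNS sinkhole with infected-host inventory (added example, not from the post).

Assumptions (all constructed for the demo): query-log lines of the form
"<ISO timestamp> <client ip> <queried name>", a sinkhole address taken
from TEST-NET-1, and one exempt client (the site's own patch server)
that must still reach the real name.
"""
from collections import defaultdict
from datetime import datetime

SINKHOLE_ADDR = "192.0.2.1"  # TEST-NET-1: documentation range, never routed


class SinkholeResolver:
    def __init__(self, blocked_names, exempt_clients=(), sinkhole=SINKHOLE_ADDR):
        self.blocked = {n.lower().rstrip(".") for n in blocked_names}
        self.exempt = set(exempt_clients)
        self.sinkhole = sinkhole
        self.hits = defaultdict(list)  # client ip -> [(time, name), ...]

    def answer(self, client_ip, qname, when):
        """Return the sinkhole address for a blocked name, None to forward upstream.

        Exempt clients (e.g. the patch-management server) are forwarded even
        for blocked names so legitimate updates keep working.
        """
        name = qname.lower().rstrip(".")
        if name in self.blocked and client_ip not in self.exempt:
            self.hits[client_ip].append((when, name))
            return self.sinkhole
        return None

    def suspect_hosts(self):
        """Clients that tried to resolve a sinkholed name, sorted for reporting."""
        return sorted(self.hits)


def replay_query_log(lines, resolver):
    """Feed constructed query-log lines through the resolver; return answers."""
    answers = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname = line.split()
        answers.append((client, qname, resolver.answer(client, qname, datetime.fromisoformat(ts))))
    return answers


# Constructed query log: one infected workstation, one normal browser,
# and the exempt patch server fetching the real update.
SAMPLE_QUERY_LOG = """\
2003-08-18T10:00:01 10.0.0.5 download.microsoft.com
2003-08-18T10:00:02 10.0.0.9 www.example.com
2003-08-18T10:00:03 10.0.0.5 DOWNLOAD.microsoft.com.
2003-08-18T10:00:04 10.0.0.2 download.microsoft.com
"""


def demo():
    resolver = SinkholeResolver(["download.microsoft.com"], exempt_clients={"10.0.0.2"})
    answers = replay_query_log(SAMPLE_QUERY_LOG.splitlines(), resolver)
    return answers, resolver.suspect_hosts()


if __name__ == "__main__":
    answers, suspects = demo()
    for client, name, addr in answers:
        print(f"{client} {name} -> {addr or 'forwarded upstream'}")
    print("suspect hosts:", suspects)
```

The exempt-client set is the caveat a practitioner would want: sinkholing a vendor's download host for the whole site also blocks legitimate patching, so the box that actually distributes patches must be carved out, and the sinkhole entry should be removed once the inventory has been cleaned up.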
Surely operating systems should be very secure by default, as in not accepting ANY incoming connections, no ActiveX, no executable e-mail attachments. One shouldn't have to install security patches every week just to read e-mail and browse the web.
What we have here is one company's lack of responsibility and desire to make a quick buck without working on software quality. It's so fortunate they don't make cars.
We got this crap at work. Firewalls didn't help because someone in the office took his notebook home, got infected and then brought the notebook into work. Silent infection. You can build multiple firewalls but it is worth nothing if your users don't protect their networks at home.
So far, we rarely see a truly malicious worm or virus. Most of what we see are certainly annoying, can be expensive to clean, and cost businesses in terms of downtime, network slowdowns and data loss, however, they could be a whole lot worse. The worst one I remember is Chernobyl that would flash anything in your computer that was updateable from your video card to your Mainboard leaving you with a (figuratively) smoking lump of useless, twisted metal.
We are always finding out about vulnerabilities. This one obviously existed since the beginning of time since it is exploitable on all post-3.1 versions of Windows. If someone years ago had made a worm that infected systems slowly, so as not to draw attention, and then in a given time frame was really destructive such as Chernobyl, we could end up having real problems on our hands.
These worms that make us find and patch these holes, without wiping our systems out, are costly, yes, and annoying yes, but they are also protecting us from the really malicious ones, by making us all more aware, and ensuring that steps are taken to prevent. I am not just talking about the cleanup worm, but also MSblaster. It doesn't destroy anything, but it makes us protect ourselves, makes us develop an immune system.
I am not saying I like them, and in my work I am the one responsible for protecting our offices, and cleaning up if something were to get through but I would rather be protecting from MSBlaster, than something really nasty.
Well, considering that you can have no confidence in a system that is known to have had unauthorised remote commands executed on it, I'd have to say that might not be a bad idea.
Can I bum a sig? I left mine at the office.
Yes and what about when web sites and media start requiring DRM/Palladium whatever crap computers and operating systems to access their sites? What about when an ISP requires it to connect to their service? Web developers seem to be pretty braindead about the way they put a lot of sites together as it is (and no I don't care how many people I offend). Comcast's homepage actually has a Flash dialog come up telling me that I need to install Flash to use one of the features! This will shut out opensource companies effectively. Do not try and pretend this will be handled through the W3C or anyone else who is impartial. Microsoft is the biggest pusher of security through obscurity and will not allow anyone to make an opensource implementation or put it up to a standards community like them. It goes against everything they've been saying. And what good are certificates anyway? Half the web sites can't even figure out how to renew their certificates in the first place, not even the trustedcomputing site. With the system you describe anytime some software company you bought from doesn't renew their subscription you won't be able to use your software that you spent hundreds of dollars on. And if they're permanent there's nothing stopping people from somehow using the same certificates in worms or viruses. People can modify programs installing rootkits that have the same crc as the original software. Furthermore, what happens when the security for any part is broken? Now the malicious code/hacker is completely trusted. I'm making a lot of assumptions here on the exact implementation, and nothing I've said is original, but whatever it comes down to is the system is crap. It hasn't kept the xbox and playstations, dvd players, or windows media from being cracked -- and these are small fish compared to how extensive microsoft wants to see this stuff implemented.
It is targeted at people like you though, that just want something to make you feel good and give people excuses for not thinking about security or monitoring their systems.
---------- Open Source is capitalism applied to IP.
The funny thing is that many *nix admins (me included) would react to an exploited/owned machine the same way. Funny.
I don't think that impossible to miss buttons will help at all. People will click them and be none the wiser what they really do behind the scenes.
What people need to realise is that a computer is not like their microwave or tv. A computer doesn't come with all those limits in what they can do. Therefore, a computer must also be more complicated to use.
Somehow, people that buy a computer must realise that it won't plug and play. They will have to read some documentation (Which should be supplied by the manufacturer, and be easy to understand). If people only realised that to operate a computer they need to clue themselves in slightly, and if computer manufacturers understood the importance of good documentation we would soon see less clueless users.
The stars that shine and the stars that shrink
in the face of stagnation the water runs before your eyes
Why would the "fix" worm be this much worse than the original? They do essentially the same thing, use the same exploit, transmit themselves the same way. The only difference I can see is that the "fixer" reboots your PC once, whereas the original could continuously reboot your PC. Why is the press making it sound (at least in this case) that this worm is worse than the original?!
Perhaps it's the worm's attempt to download the patch from MS that's causing all the headaches, but the patch *IS* rather small, so I'm not very convinced on that point.
Am I being paranoid, or overreacting or what?
But can DRM truly be the solution to prevent exploits and worms? I doubt it. I expect that it will be trivial to exploit a program that's already been verified and make it do something it shouldn't even with fairly well implemented DRM.
Email viruses may be halted in their tracks - but most exploits will most likely not be. You say the Palladium implementation of DRM is sophisticated enough to detect a code change during runtime from a stack overwrite? I doubt it, but if so - just change the data instead. Same effect. It raises the bar, but viruses share a characteristic there with open source - the bar only has to be hurdled once before the flood. See the recent rash of RPC hole worms and exploits - one guy did it, now everyone and their 12 year old can.
And licensing a piece of software for $1000-$2000 so that it could run in the first place is ridiculous. Do you like freeware, shareware, or open source? It'd kill it on that platform. Might be great for the competing platforms, but not the one it's on.
I think the real threat with DRM though is that it'll be used in the ways we've already seen, only more expansive. Wanna play a DVD you bought on an unauthorized operating system? Pay the fee, or, if the owners are too lazy to write software for your OS, just forget about it. And don't even think about writing a program to play it for you if you value your freedom.
If left unchecked, CDs will become that way. Downloadable audio has already started to. Tried to download an mp3 from iTunes on Linux? Find anywhere else you can get the same tunes legally? For now - yes, just buy the CD. For now. Hopefully consumers will be upset enough as use of such copy protection schemes increases to purchase alternatives. I subscribe to E-Music myself - no DRM, but I'm paying for the industry to create more, and mostly to smaller labels (mainly Napalm, if they keep track - bands like Tristania, The Sins of Thy Beloved, etc).
I write code.
writing a worm to automatically patch the systems might be rather militant, something has to be done about it.
Yes, and the proper thing to do would be to contact the system administrator and let him/her know that their system is vulnerable. Releasing another worm to patch the first worm is just as morally wrong and illegal, since it is entering the system by unauthorized means.
Two wrongs do not make a right. Frankly, I hope they find both the guys that wrote those damnable things and throw them both in jail.
The moral of this story is: keep your damn hands off something that ain't yours.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
From what I've read, this worm actually does use the same vulnerability. And why block port 135 completely? Doing that risks breaking ish. Breaking ish isn't a good thing. No, here's what a better worm would've done:
1) Once on a box, clean and patch said box.
2) Sit and listen to port 135, waiting for Blaster to rear its ugly pulsing-zit-like head.
3) In response to Blaster probe, install itself on Blaster-infested machine and start over at 1).
4) On some set date in future, or when number of Blaster-probes remains 0 for a predetermined time (say 1 month), remove itself from system.
By only loading itself onto machines which first probe it (trying to spread Blaster), it completely eliminates the stupid network scans. In that way, it only attempts contact with machines which have shown themselves to be Blaster-infested, while leaving the rest of the internet alone.
The worm should not spread; instead it should sit on a host and if it gets attacked by the bad worm, it installs itself on the attacking host, cleans it, and remains dormant. The flaw in a worm searching for infected hosts is that even if all the bad worms are out, the worm will keep on searching for infected hosts in vain, using up network resources. A worm's most dangerous feature is propagation.
Use Bittorrent to make download of patches easy on networks.
I have to mainly agree with you. Although I believe that most people want their computer to be more like a tv. Convergence will eventually turn the PC into an appliance.
This worm is just as bad, maybe even worse than the first.
Script kiddies are in fact way safer now than before this good samaritan, since most of the lazy users that have been compromised also by other means than the initial worm now will think everything's fine and leave the additional rootkit installed and running. If this second worm hadn't made things appear normal again, these users would have to reinstall their systems and thus get rid of e.g. the IRC drones that currently annoy most of the major IRC networks, including the one I admin a server on.
In addition, this worm wastes bandwidth on somewhat responsible users that do not trust something using an exploit for gaining access to keep their systems secure. Would you leave your box as is if this worm had "secured" you? Or would you be worried and prefer to reinstall and manually patch?
However good the intentions of this worm might be, it's just adding to the problem.
The next great MMORPG.
If you let people plug random machines into your network, you, to all intents and purposes, don't have a firewall.
Laptops which visit the outside world need to be treated as external machines, not internal ones.
I know this is off topic, but I remember seeing an Amiga boot prompt (the one with the hand holding the disk) for several days on a public/marketing station in Ireland. This was pretty cool at the time, because the Amiga was cool. Windoze is pretty lame so seeing it on your TV is pretty lame also.
Gotta make ya wonder....
"Ceilean Súil an ní ná feiceann..."
Blocking dangerous ports would be a good thing for most ISPs; they want subscribers and online time, but preferably as little traffic as possible.
Even more so as broadband/always-on connections multiply.
But all forms of ISP controlled blocks create two problems.
Some people want those ports open, some because they use those ports, some because they see it as an invasion of privacy (it's _my_ port, and _my_ computer, _I_ decide if I want it blocked or not!).
As soon as the ISP starts to take 'responsibility' it is hard to say where that responsibility ends. "You block port xxx but not port yyy, and because of that 1000s of customers got infected, bad ISP!"
And of course, it does mean more work for the staff, which costs money for the ISP.
But it's not a simple issue.
Most of it also applies to ISP spam blocks.
Executive Pope (small) Kallisti Engineering
In my hiatus from technical employment (over now after 18 long months) amongst other things I've worked as a baggage handler.
The clients for the baggage reconciliation system (BRS - ensures bags travel if and only if the passenger gets on the plane, implemented after Lockerbie) run on Windows 3.1!!!
First thing I thought is, what happens if someone wiretaps the network cable? I'd guess it wasn't encrypted, or if it is, it's a 10 yr old technology. How long would it take to crack it, learn the protocols and be able to wreak havoc?
Must be archaic/vulnerable systems like that in key installations everywhere. Scary to think.
Perhaps have a stage in there where the "Good Samaritan" worm pops up and explains to the user how it got there, the implications of the security issue, and asks the user if they want to fix their system.
Backup not found: (A)bort (R)etry (P)anic
There is absolutely no evidence that Welchia is worse than Blaster, as a cursory reading of the linked article would reveal to anyone who passed the fourth grade.
If you're unpatched, you either get Welchia, or you get Blaster. They both hose your network. If you're too stupid to block the ports and apply the patches, then you're going to get one or the other.
Go on, pick one. Not that it makes any difference. Welchia isn't worse than Blaster. Sure, it opens a port, and everyone is assuming (why?) that this is a back door, but as long as you're unpatched and your 135 port is open, arbitrary code can be run on your box anyway, so how does Welchia make that worse?
Lies, damn lies, statistics, Slashdot reporting.
If you were blocking sigs, you wouldn't have to read this.
Indeed. My bank's ATMs have a cool touchscreen interface. Sometime ago, I was greeted by the usual window about "illegal operation", etc. The thing then rebooted, displaying what looked like a common PC BIOS, and booted Windows 2000.
This is a case where I think Windows is not too little, it is too much. One wonders how much this (Brazilian, once-public) bank spent with Microsoft licences and hardware when any small, light, specialized OS would do better.
Fortunately, this is changing. At least one bank is already using Linux.
Prescriptive grammar:linguistics
And to make matters worse, you get 1 mail a minute from some remote daemon telling you that there is a virus in a message which is apparently from you. Mail administrators who set up such auto-replies should be taken out and shot.
Jeez, troll, hopefully? :P
:P
Granted, Win2k is prolly the best out for windows applications, but c'mon, unpatched/unstripped?
Are you suicidal?!
I've been having problems enough securing my Win2k machine securely, running only required (by me) services, and goddamn fully patched. Even though MS's patches break all my goddamn custom/low level apps.
Five minutes? If you're unaware on an unpatched base Win2k install on an older service pack, it takes 5 seconds to hopelessly compromise a default Win2k install if you're unlucky.
Unfortunately, you can't look at it that way in the real world. An ISP's responsibility to provide connectivity is its highest priority. They don't care about Blaster Joe or Typhoid Annie, and shouldn't be expected to put up any safeguards against them spreading their joy. However, in the case of the "good" worm, you're pretty much stuck with having to block certain traffic in a big ISP. The wonderful pings that it sends, coming from hundreds or even thousands of users on the same termination router, basically turn into a massive ARP storm. This is enough to bring a device (which usually runs at 30-50% capacity) to the rev limiter, hindering the subscribers' ability to pass legitimate traffic, and creates a level of instability on the units (Hooray for malloc errors in IOS!)
An ISP shouldn't keep you from visiting tubgirl, goatse, or nambla, or doing whatever you want to do.. They should be prepared, and expected, to block a DOS attack, even if it is unwittingly coming from their own users.
Squash
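The ping storms described in the comment above are the kind of thing an ISP or site operator can spot from flow records before the termination router falls over: a single source sending ICMP echo to many distinct destinations in a short window is a sweep, while a monitoring box pinging the same gateway all day is not. The following is an added example of that detection logic (my code, not anything from the original post); the flow-record layout, the 60-second window, the 20-target threshold and the traffic in `build_sample()` are all constructed for the demo.

```python
"""Flag ICMP echo sweepers from flow-style records (added example, not from the post).

Assumed record layout (constructed for the demo, one flow per line):
    <ISO timestamp> <proto> <src ip> <dst ip>
A source is flagged when it reaches `min_targets` distinct destinations
within any `window_seconds`-long sliding window of its own ICMP traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line):
    ts, proto, src, dst = line.split()
    return datetime.fromisoformat(ts), proto, src, dst


def find_sweepers(lines, window_seconds=60, min_targets=20):
    """Return {src: peak number of distinct ICMP destinations in one window}."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, proto, src, dst = parse_flow(line)
        if proto == "icmp":
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> occurrences inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window is at most window_seconds wide.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def build_sample():
    """Constructed flow records (not real traffic): one sweeper, two benign pingers."""
    base = datetime(2003, 8, 18, 10, 0, 0)
    lines = []
    # Sweeper: 40 distinct hosts in 40 seconds, one address after another.
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} icmp 10.0.0.5 10.0.1.{i + 1}")
    # Monitoring host: the same gateway every 10 seconds for 5 minutes.
    for i in range(30):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} icmp 10.0.0.9 10.0.0.1")
    # Admin checking five boxes, one per minute: few targets, spread out.
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} icmp 10.0.0.7 10.0.2.{i + 1}")
    # Non-ICMP flow from the sweeper; the detector ignores it.
    lines.append(f"{base.isoformat()} tcp 10.0.0.5 10.0.0.1")
    return lines


if __name__ == "__main__":
    for src, peak in find_sweepers(build_sample()).items():
        print(f"{src}: {peak} distinct ICMP targets within 60 s, likely sweep")
```

Counting distinct destinations rather than raw packet volume is what separates the sweep from a chatty but harmless monitor; the threshold is a tuning knob, and on a large broadband aggregation segment it would be set per subscriber rather than globally.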
So what if it's sitting there saying "This patch requires Service Pack 2", and the worm reboots? The result: a still unpatched system! Even if the worm were to consider its work done, after reboot the computer can be re-infected. Which means another download of the patch gets started! Can you say "Sorcerer's Apprentice"?
Even if the worm were smart enough to download a service pack, we're talking over 100 megabytes. That can take a while if you don't have good broadband, and meanwhile it's providing a nice accidental DDoS against microsoft.com.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
It's just their website, dude. It's not some mission-critical thing.
This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.
No, it's as if a fire station's PR firm had the oily rags and matches. Well, if fire stations had PR firms, I mean.
Well, Joey, we agree on one thing... we both know one admin who will know better next time (we hope) or one position that has a new chance to be filled by someone worthy of a pay grade above that of fry-cook. These companies kill me... hiring not only unschooled slobs but lazy ones as well to oversee their most critical infrastructure. It's amazing. It's one thing to run critical services on Windows; it's another to have an inattentive dolt manage them.
The bad part about it is that these guys bring down the pay grade for more skilled admins both in the Windows and *NIX world.
Oh, I don't know. It could scan your hard disk and send copies of all your documents to everyone in your address book, or forward all your old email. You're the CEO of a Fortune 500 company and your confidential five-year business plan gets sent to all your competitors. Your customers' credit card numbers and Social Security numbers escape into the wild. Legal documents, source code, everything. This would be damaging beyond belief.
This worm vs. worm stuff definitely reminds me of watching CoreWars running 2 or more "programs" that are trying to clobber each other. For those not in the know, CoreWars started off in Scientific American Mathematical Recreations article and describes a low-level programming language close to assembly language called Redcode. Using Redcode you write mini programs that are supposed to clobber other programs in Core (aka memory). Fun and fascinating to watch. There are versions for Windows & Linux, so no excuse not to try it. They even have an annual contest, IIRC.
Maybe it's time for someone to invent Internet-enabled Corewars so that programs can attack each other via broadband...
pot.kettle(black);
Maybe you should learn how to deploy patches and updates the right way then. Set up an SMS Server, and deploy the patches to every workstation in the domain overnight.
We did it with a few thousand workstations at my old company and didn't have that much difficulty with it.