Worm vs. Worm Battle Slows Networks
joel_archer writes "According to this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster-infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit were the 411 system, Air Canada, and Ontario hydroelectric operations. Apparently this is causing more problems than MSBlaster itself."
So, the question I have is: do you think he was trying to be a good Samaritan and just wrote something that caused serious problems, or do you think he purposely wrote something that would cause problems but would spread wild due to the ostensible good it was trying to do?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
It's a case of a lesser of two evils. The problem is, there are thousands of exploitable boxes and if nothing is done about it, in the long term, this is going to cause some serious problems. Many of the owners of these systems will never fix or patch them themselves.
It's really a toss-up between a worm that temporarily slows down networks by spreading and patching the systems it infects, then automatically deleting itself after a set date, or a script kiddie scanning the entire internet, picking up these boxes and adding them to his DDoS network, which can slow down all or any network(s) (root DNS servers, anyone?) he or she chooses at a later date.
It is for this reason, IMHO, that these exploitable boxes are a threat to the integrity of the internet, and while writing a worm to automatically patch the systems might be rather militant, something has to be done about it.
What kind of sick airline uses Windows servers to do check in and track flights/passengers. Is their IT department completely slow? They deserve what they get.
(Disclaimer: I've flown Air Canada. The accommodations were very nice.)
This new worm, it looks to me like it is being dubbed an anti-virus.
/.r comes forth and cites instances of anti-viruses in the past.
Most of the time I learn about something and think it is new it is not. So I won't act shocked when some
However I personally have not come across this before.
I predict that the anti-virus will never be as prevalent as the virus, but we can expect to see them from here on out.
Many ISPs already filter the standard Windows NetBIOS ports (137-139, I think) because of possible attacks.
I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?
True, it shouldn't be the responsibility of the ISP, and no, I'm not exactly happy with the thought of port filtering becoming common place and extending to other ports (ftp, ssh, http, etc - after all, "it's a home connection, you shouldn't be running servers..."). As an interim measure, though, it at least does help to contain the problem.
If people don't start taking their own computer's security seriously
I think you have that wrong. People do take their computer's security seriously, they just don't know enough about it. They also, largely, expect to be able to just switch their computer on, and have it work, like everything else they use. TV, video, dvd, microwave, car, central heating - they're all made, installed or set up once, and then just work. If they break down, they're replaced, or a qualified engineer is called to fix them.
People aren't yet used to the idea that computers don't quite act like that. You and I may have been working closely with them for years, but most "ordinary" people haven't. So, they expect them to require the same amount of effort as everything else they use.
I think that PC manufacturers could go a long way to helping here - shipping with firewalls and virus scanners preinstalled and configured. Perhaps have a couple of big, impossible to miss buttons on the desktop - "click here if this machine is connecting directly to the internet", "click here if this machine will not connect to the internet, or will connect via another machine on the network", "click here if you don't know what that means", that configures the machine appropriately for its role. That way, the gateway can be secured, while the rest of the network can share files and printers. No, that's not a foolproof plan, but I think it would go a long way to helping solve the problem.
Don't just bitch and moan at the "clueless, irresponsible" users - teach them to know better, and help them while they're learning.
It's official. Most of you are morons.
The original anti-virus virus was probably DenZuk, created to kill the Brain virus. They were both bootsector viruses. Problem is, later on a new format of floppy got introduced - DenZuk trashed users' data when it encountered them. And there wasn't a damned thing the original author could do about it, because it was self replicating, and therefore by definition not under his control.
If you've gotta go vigilante, don't go viral. Do something you can control. Scan all the machines on the net and patch them, or just patch everything that bounces off your firewall - fine. It's likely to get you in legal hot water, and it is on questionable ethical grounds, but at least you aren't trashing random machines with self replicating code that you can no longer STOP, no matter how much you might want to.
Any experienced programmer will know well that code that works on one machine is not going to always work on every other machine - no matter how good of a coder you are. Any smart and experienced programmer will also know that almost any complex program is going to run into a situation it wasn't designed for eventually and create an unexpected and probably very unpleasant result. Spend some time and think about it before acting.
I write code.
Surely operating systems should be very secure by default, as in not accepting ANY incoming connections, no ActiveX, no executable e-mail attachments. One shouldn't have to install security patches every week just to read e-mail and browse the web.
What we have here is one company's lack of responsibility and desire to make a quick buck without working on software quality. Its so fortunate they don't make cars.
We got this crap at work. Firewalls didn't help because someone in the office took his notebook home, got infected and then brought the notebook into work. Silent infection. You can build multiple firewalls but it is worth nothing if your users don't protect their networks at home.
So far, we rarely see a truly malicious worm or virus. Most of what we see are certainly annoying, can be expensive to clean, and cost businesses in terms of downtime, network slowdowns and data loss, however, they could be a whole lot worse. The worst one I remember is Chernobyl that would flash anything in your computer that was updateable from your video card to your Mainboard leaving you with a (figuratively) smoking lump of useless, twisted metal.
We are always finding out about vulnerabilities. This one obviously existed since the beginning of time since it is exploitable on all post-3.1 versions of Windows. If someone years ago had made a worm that infected systems slowly, so as not to draw attention, and then in a given time frame was really destructive such as Chernobyl, we could end up having real problems on our hands.
These worms that make us find and patch these holes, without wiping our systems out, are costly, yes, and annoying, yes, but they are also protecting us from the really malicious ones, by making us all more aware, and ensuring that steps are taken to prevent. I am not just talking about the cleanup worm, but also MSBlaster. It doesn't destroy anything, but it makes us protect ourselves, makes us develop an immune system.
I am not saying I like them, and in my work I am the one responsible for protecting our offices, and cleaning up if something were to get through but I would rather be protecting from MSBlaster, than something really nasty.
Well, considering that you can have no confidence in a system that is known to have had unauthorised remote commands executed on it, I'd have to say that might not be a bad idea.
Can I bum a sig? I left mine at the office.
The funny thing is that many *nix admins (me included) would react to an exploited/owned machine the same way. Funny.
I don't think that impossible to miss buttons will help at all. People will click them and be none the wiser what they really do behind the scenes.
What people need to realise is that a computer is not like their microwave or tv. A computer doesn't come with all those limits in what they can do. Therefore, a computer must also be more complicated to use.
Somehow, people that buy a computer must realise that it won't plug and play. They will have to read some documentation (which should be supplied by the manufacturer, and be easy to understand). If people only realised that to operate a computer they need to clue themselves in slightly, and if computer manufacturers understood the importance of good documentation, we would soon see less clueless users.
The stars that shine and the stars that shrink
in the face of stagnation the water runs before your eyes
Why would the "fix" worm be this much worse than the original? They do essentially the same thing, use the same exploit, transmit themselves the same way. The only difference I can see is that the "fixer" reboots your PC once, whereas the original could continuously reboot your PC. Why is the press making it sound (at least in this case) that this worm is worse than the original?!
Perhaps it's the worm's attempt to download the patch from MS that's causing all the headaches, but the patch *IS* rather small, so I'm not very convinced on that point.
Am I being paranoid, or overreacting or what?
But can DRM truly be the solution to prevent exploits and worms? I doubt it. I expect that it will be trivial to exploit a program that's already been verified and make it do something it shouldn't even with fairly well implemented DRM.
Email viruses may be halted in their tracks - but most exploits will most likely not be. You say the Palladium implementation of DRM is sophisticated enough to detect a code change during runtime from a stack overwrite? I doubt it, but if so - just change the data instead. Same effect. It raises the bar, but viruses share a characteristic there with open source - the bar only has to be hurdled once before the flood. See the recent rash of RPC hole worms and exploits - one guy did it, now everyone and their 12 year old can.
And licensing a piece of software for $1000-$2000 so that it could run in the first place is ridiculous. Do you like freeware, shareware, or open source? It'd kill it on that platform. Might be great for the competing platforms, but not the one it's on.
I think the real threat with DRM though is that it'll be used in the ways we've already seen, only more expansive. Wanna play a DVD you bought on an unauthorized operating system? Pay the fee, or, if the owners are too lazy to write software for your OS, just forget about it. And don't even think about writing a program to play it for you if you value your freedom.
If left unchecked, CDs will become that way. Downloadable audio has already started to. Tried to download an mp3 from iTunes on Linux? Find anywhere else you can get the same tunes legally? For now - yes, just buy the CD. For now. Hopefully consumers will be upset enough as use of such copy protection schemes increases to purchase alternatives. I subscribe to E-Music myself - no DRM, but I'm paying for the industry to create more, and mostly to smaller labels (mainly Napalm, if they keep track - bands like Tristania, The Sins of Thy Beloved, etc).
writing a worm to automatically patch the systems might be rather militant, something has to be done about it.
Yes, and the proper thing to do would be to contact the system administrator and let him/her know that their system is vulnerable. Releasing another worm to patch the first worm is just as morally wrong and illegal, since it is entering the system by unauthorized means.
Two wrongs do not make a right. Frankly, I hope they find both the guys that wrote those damnable things and throw them both in jail.
The moral of this story is: keep your damn hands off something that ain't yours.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
From what I've read, this worm actually does use the same vulnerability. And why block port 135 completely? Doing that risks breaking ish. Breaking ish isn't a good thing. No, here's what a better worm would've done:
1) Once on a box, clean and patch said box.
2) Sit and listen to port 135, waiting for Blaster to rear its ugly pulsing-zit-like head.
3) In response to Blaster probe, install itself on Blaster-infested machine and start over at 1).
4) On some set date in future, or when number of Blaster-probes remains 0 for a predetermined time (say 1 month), remove itself from system.
By only loading itself onto machines which first probe it (trying to spread Blaster), it completely eliminates the stupid network scans. In that way, it only attempts contact with machines which have shown themselves to be Blaster-infested, while leaving the rest of the internet alone.
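The post above, like the one earlier in the thread about ISPs filtering the NetBIOS ports, turns on the network scanning that makes these worms visible: one infected host touching port 135 (or 137-139/445) on many distinct neighbours. The following Python script is an added example, not code from the thread or from any of the worms discussed, showing how a defender would pick that pattern out of perimeter firewall logs. The log format, the sample lines and the host addresses are all constructed for the example; the threshold of five distinct destinations is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample of firewall deny/allow records (not real traffic).
# Fields: timestamp, source, destination, protocol, destination port, action.
SAMPLE_LOG = """\
2003-08-18T10:00:01 src=10.0.5.17 dst=10.0.7.1 proto=tcp dport=135 action=deny
2003-08-18T10:00:01 src=10.0.5.17 dst=10.0.7.2 proto=tcp dport=135 action=deny
2003-08-18T10:00:02 src=10.0.5.17 dst=10.0.7.3 proto=tcp dport=135 action=deny
2003-08-18T10:00:02 src=10.0.5.17 dst=10.0.7.4 proto=tcp dport=135 action=deny
2003-08-18T10:00:03 src=10.0.5.17 dst=10.0.7.5 proto=tcp dport=135 action=deny
2003-08-18T10:00:03 src=10.0.5.17 dst=10.0.7.6 proto=tcp dport=135 action=deny
2003-08-18T10:00:04 src=10.0.5.40 dst=10.0.7.10 proto=tcp dport=445 action=allow
2003-08-18T10:00:05 src=10.0.5.40 dst=10.0.7.11 proto=tcp dport=445 action=allow
2003-08-18T10:00:06 src=10.0.5.99 dst=10.0.7.20 proto=tcp dport=80 action=allow
2003-08-18T10:00:06 src=10.0.5.99 dst=10.0.7.21 proto=tcp dport=80 action=allow
2003-08-18T10:00:07 src=10.0.5.99 dst=10.0.7.22 proto=tcp dport=80 action=allow
2003-08-18T10:00:07 src=10.0.5.99 dst=10.0.7.23 proto=tcp dport=80 action=allow
2003-08-18T10:00:08 src=10.0.5.99 dst=10.0.7.24 proto=tcp dport=80 action=allow
2003-08-18T10:00:08 src=10.0.5.99 dst=10.0.7.25 proto=tcp dport=80 action=allow
this line is deliberately malformed and must be skipped
"""

# Ports the thread names as the usual Windows RPC / NetBIOS / SMB exposure.
WATCHED_PORTS = frozenset({135, 137, 138, 139, 445})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["dport"] = int(record["dport"])
    return record


def find_scanners(log_text, watched_ports=WATCHED_PORTS, threshold=5):
    """Return {source: sorted distinct destinations} for every source that
    touched at least `threshold` distinct hosts on a watched port.

    A worm spreading by RPC/NetBIOS exploit fans out to many neighbours; a
    legitimate file-sharing client talks to one or two servers, and web
    browsing on port 80 is ignored entirely. Counting distinct destinations
    rather than raw packets keeps a chatty but legitimate client below the line.
    """
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or record["dport"] not in watched_ports:
            continue
        destinations[record["src"]].add(record["dst"])
    return {
        src: sorted(dsts)
        for src, dsts in destinations.items()
        if len(dsts) >= threshold
    }


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on RPC/NetBIOS/SMB ports: {', '.join(dsts)}")
```

Run against the constructed sample, only 10.0.5.17 is reported: it hit six distinct hosts on port 135, while 10.0.5.40 reached just two file servers on 445 and 10.0.5.99's six web connections are on a port the detector does not watch. In practice you would feed this a real deny log and lower or raise the threshold to match how many file servers a normal client on your network legitimately talks to.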
This worm is just as bad, maybe even worse than the first.
Script kiddies are in fact way safer now than before this good samaritan, since most of the lazy users that have been compromised also by other means than the initial worm now will think everything's fine and leave the additional rootkit installed and running. If this second worm hadn't made things appear normal again, these users would have to reinstall their systems and thus get rid of e.g. the IRC drones that currently annoy most of the major IRC networks, including the one I admin a server on.
In addition, this worm wastes bandwidth on somewhat responsible users that do not trust something using an exploit for gaining access to keep their systems secure. Would you leave your box as is if this worm had "secured" you? Or would you be worried and prefer to reinstall and manually patch?
However good the intentions of this worm might be, it's just adding to the problem.
The next great MMORPG.
Blocking dangerous ports would be a good thing for most ISPs; they want subscribers and online time, but preferably as little traffic as possible.
Even more so as broadband/always-on connections multiply.
But all forms of ISP controlled blocks create two problems.
Some people want those ports open, some because they use those ports, some because they see it as an invasion of privacy (it's _my_ port, and _my_ computer, _I_ decide if I want it blocked or not!).
As soon as the ISP starts to take 'responsibility' it's hard to say where that responsibility ends. "You block port xxx but not port yyy, and because of that 1000's of customers got infected, bad ISP!"
And of course, it does mean more work for the staff, which costs money for the ISP.
But it's not a simple issue.
Most of it also applies to ISP spam blocks.
Executive Pope (small) Kallisti Engineering
In my hiatus from technical employment (over now after 18 long months) amongst other things I've worked as a baggage handler.
The clients for the baggage reconciliation system (BRS - ensures bags travel if and only if the passenger gets on the plane, implemented after Lockerbie) run on Windows 3.1!!!
First thing I thought is, what happens if someone wiretaps the network cable? I'd guess it wasn't encrypted, or if it is, it's a 10 yr old technology. How long would it take to crack it, learn the protocols and be able to wreak havoc?
Must be archaic/vulnerable systems like that in key installations everywhere. Scary to think.
Perhaps have a stage in there where the "Good Samaritan" worm pops up and explains to the user how it got there, the implications of the security issue, and asks the user if they want to fix their system.
Backup not found: (A)bort (R)etry (P)anic
Indeed. My bank's ATMs have a cool touchscreen interface. Sometime ago, I was greeted by the usual window about "illegal operation", etc. The thing then rebooted, displaying what looked like a common PC BIOS, and booted Windows 2000.
This is a case where I think Windows is not too little, it is too much. One wonders how much this (Brazilian, once-public) bank spent with Microsoft licences and hardware when any small, light, specialized OS would do better.
Fortunately, this is changing. At least one bank is already using Linux.
Prescriptive grammar:linguistics
And to make matters worse, you get 1 mail a minute from some remote daemon telling you that there is a virus in a message which is apparently from you. Mail administrators who set up such auto-replies should be taken out and shot.
Jeez, troll, hopefully? :P
:P
Granted, Win2k is prolly the best out for windows applications, but c'mon, unpatched/unstripped?
Are you suicidal?!
I've been having problems enough securing my Win2k machine securely, running only required (by me) services, and goddamn fully patched. Even though MS's patches break all my goddamn custom/low level apps.
Five minutes? If you're unaware on an unpatched base Win2k install on an older service pack, it takes 5 seconds to hopelessly compromise a default Win2k install if you're unlucky.
So what if it's sitting there saying "This patch requires Service Pack 2", and the worm reboots? The result: a still unpatched system! Even if the worm were to consider its work done, after reboot the computer can be re-infected. Which means another download of the patch gets started! Can you say "Sorcerer's Apprentice"?
Even if the worm were smart enough to download a service pack, we're talking over 100 megabytes. That can take a while if you don't have good broadband, and meanwhile it's providing a nice accidental DDoS against microsoft.com.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
It's just their website, dude. It's not some mission-critical thing.
This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.
No, it's as if a fire station's PR firm had the oily rags and matches. Well, if fire stations had PR firms, I mean.