Worm vs. Worm Battle Slows Networks
joel_archer writes "According to this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit was the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
Flying is hard enough - they tell you it's the safest way to travel. Now we find out it's run by a system famed for its ability to crash?!
The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.
Seriously though, that sounds more like the airline's standard crummy service than the latest Microsoft worm/virus is to blame.
Who cares?
Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason for the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
If this theory is right I guess 50 million Americans without power care whether incompetent admins can't keep their networks up.
The Register also has an article on this.
Basically the same core facts, but also talks about the ethical issues with "good" worms.
Dark Nexus
"Sanity is calming, but madness is more interesting."
ISPs are going to start firewalling off more and more ports because of the fact that Windows is insecure. But more importantly, customers don't care enough about the problems to deal with their own responsibility: securing their own machines.
Many ISPs already filter the standard Windows NetBIOS ports (137-139, I think) because of possible attacks.
I think this opens an interesting problem. If people don't start taking their own computer's security seriously, other people will be forced to -- their ISPs. Will ISPs become liable then if attacks do take place?
It doesn't just kill the other worm. It replaces it. It's several orders of magnitude better at scanning, persists after reboot just like Blaster, and leaves a backdoor open, just like Blaster.
OTOH, if you set your DNS to spoof "download.microsoft.com" and point it to an unproxied web server which gives it a different executable file instead of the patch it tries to pull, it will run that executable just dandy. Interesting things you can do to a worm-infected system besides patching it and leaving the infection intact are legion.
For example, if I were to write a virus that called one of the myriad of registry functions in Windows, my virus would have to be registered for authentication with MS beforehand. It is highly unlikely that MS's inspectors would not notice the harmful intent of my code.
Although there is a lot of fear about DRM in the Free & Open source communities, there need not be in reality. This is for two reasons. First, it would not be difficult to craft an open source DRM specification and submit it to the W3C. This means it will not be patentable. And second, with the registration mechanism handled through the W3C, developers would only have to submit their code for DRM authentication for a small fee of 1000-2000 dollars. This could easily cover the W3C's administrative costs, and would be economically viable for open source developers.
Just my $00.02.
So the networks are brought to a crawl due to the large amount of traffic necessary to patch systems because incompetent MCSEs are too incompetent to do the job themselves?
Well cry me a fucking river.
With all the worm and virus activity in the last few months they have absolutely no damn excuse for not being on top of this. Since they are too stupid to do their job, someone found it necessary to do it for them. Personally, I would have considered a disk formatting worm to be fully justified.
-- Will program for bandwidth
For what it is worth, MS and others should do something like this _EVERY_ time a full root vulnerability is exploited by a released worm, virus etc. So it may stop an app from working, etc. At least a virus didn't fdisk your hdd. Minor patches be damned, vulnerabilities that give the attacker root or equivalent access NEED to be taken care of ASAP.
.
;)
If the dumbass sysadmin didn't decide to patch his system, the writer of the software (note I don't think this should be limited to MS) should take it upon themselves to fix it.
If not immediately after, then a couple days.
Now. I understand that ms hotfixes tend (AHAHAHAHAHHAHAAH, tend) to screw stuff up. A simple flag in the registry / file in the filesystem could tell the "viral exploit patch", not to patch the system, but send the administrator a message / put a link on the desktop for the patch. Of course, the next worm could just set that flag after infection, so this idea kinda sucks, and which is why I'd recommend the radical option of no way of overriding the "viral exploit patch".
Yeah, flame me and mod me down, but it is just plain fucking stupid and irresponsible to leave a system in a vulnerable state. When exploits begin to affect infrastructure (whether it be 411 or whatever), they NEED to be taken care of. There are plenty of IT morons who leave critical systems (ok, define critical) open, and it is just a matter of time before something happens and many people actually get hurt.
And to be completely honest - if the "viral exploit patch" hits your internal network, the destructive one could have just as easily gotten in, so that isn't an argument.
Reporting back to a central server would be cool, although how it would differentiate between many internal networks, the code would need to be optimized to minimize disruption, etc.
Personally, I think whoever wrote blaster was doing the community a favor, some skript kiddie would eventually write their own version that did something far worse.
Sure, I'm kind of bitter, but crap like this pisses me off - it gives the IT industry and computers in general a bad image. If it turns out that some hick in Ohio forgot to patch his servers - servers that were rebooting when they were supposed to be sending out warnings to other power stations . .
Soooo. . . who thinks I'm going to have an ulcer in 10 years
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Considering the original and first variant of the MSBlaster worm made major headlines, why were these systems still vulnerable?
Are each of those systems equipped with a 9-volt battery and a cheap Somebody Else's Problem field?
And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.
Learning HOW to think is more important than learning WHAT to think.
> Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
Supposedly there are "thousands" of people/organizations already working up lawsuits against that one energy company that's starting to pick up the stink. If it turns out that Blaster had anything to do with it at all, someone's going to get creamed for it.
And you can bet that they'll go after $omebody with deeper pocket$ than whatever punk-ass kiddie it was who released it. With 50,000,000 people inconvenienced and a reported $6,000,000,000 dent in business, we're talking about a sum that would be a concern even to $DEEPPOCKETS.
Sheesh, evil *and* a jerk. -- Jade
"The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned."
...
"The Davis-Besse incident was not Slammer's only point of impact on the electric industry. According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer to a VPN connection to the control center LAN.
"A SCADA (Supervisory Control and Data Acquisition) system consists of a central host that monitors and controls smaller Remote Terminal Units (RTUs) sprinkled throughout a plant, or in the field at key points in an electrical distribution network. The RTUs, in turn, directly monitor and control various pieces of equipment.
"In a second case reported in the same document, a power company's SCADA traffic was blocked because it relied on bandwidth leased from a telecommunications company that fell prey to the worm.
"Reports on the effect of last week's Blaster worm on the electric grid, if any, have yet to emerge."
Firstly, during Code Red, it got blamed for Internet slowdown, until someone realised that some major net cables were damaged in a train tunnel fire that later turned out to be the real reason.
Secondly, lots of people are (hopefully) going to be scrabbling for WindowsUpdate for patches which will also add to the bandwidth being consumed.
You should visit New Zealand some time. I can honestly say, I have never visited an international airport terminal here where there has not been at least one of the arrival/departure screens showing 'This program has performed an illegal operation'. And I visit a fair few international airports.
That is what happened to us - someone brought their notebook from home (with infection) and then plugged it into the IT network. Practice safe computing!!!
In this kind of scenario, firewalls don't help. Can't block port 135 at routers 'cause we have apps at that port.
Needless to say, our IT network is still reeling from this.
I disagree. MrP's revision on my idea would:
* Only infect machines already sick with w32.Blaster
* Stop these machines from restarting due to the RPC process being terminated.
* Stop these machines from causing network slowdown by scanning.
Even if there was a problem with the code, it would still do more good than harm, because every machine patched would be one less flooding the 'net searching for machines to infect. It would not increase the traffic, because machines unpatched but uninfected would not be affected by this "good" worm.
While I agree that in many situations, one might worry about releasing any worm into the wild, I think in this case the worst case scenario is it doesn't work. Which is the same as if you don't try at all, so there's little to lose.
> Any smart and experienced programmer will also know that almost any complex program...
Complex? This could be accomplished with a really small app. Its job would be incredibly simple:
1. Kill blaster process, delete blaster app
2. Attempt to download MS patch. If unsuccessful several times, terminate.
3. Execute patch.
4. Open relevant port
5. Wait for a connection.
6. Transmit self to next machine.
7. Has it been a week since last time scanned? If so, terminate.
8. Goto 5.
Sounds pretty simple to me, at least. I think it'd be pretty easy to debug.
Yeah. It's amazing where you'll find Windows.
I work at a gas station, and the computer that controls the gas pumps runs on Windows. IOW, if Windows crashes, nobody can pump gas, and nobody who has pumped gas already can pay for their gas. It hasn't crashed on us yet (AFAIK -- I've only worked there for a month, and the station has been in service for 2 years).
But, we have had some problems with it. One day, it kept popping up a stupid dialog saying that the computer is too hot and that if we don't cool it down fast then we'll have to shut it off. Yeah, like we're just going to turn off all our gas pumps in the middle of rush hour (the busiest time of day).
Later that same day, it popped up with a stupid message saying that it had automatically downloaded and installed updates and patches for us. Seeing that message made me cringe, I was so worried that the patch might have broken something and rendered the entire gas station useless. *shudder*
Not complex? You're downloading a bloody Microsoft Patch and running it! Have you seen how many people - competent administrators - have been saying all along that they have the automatic updates turned off because the patches keep breaking their machines? Ever written a buffer exploit? That's usually not simple code either, and it is very system and application specific - if the underlying code changes, but an overflow remains, your code will have completely unpredictable results. That's why the original patch for RPC prevented infection, but many patched computers that got probed still crashed.
Also - this won't be done in a corporate environment with proper testing labs if it is done. You simply won't have legal access to the number and variety of machines you need to even get an idea that it might work properly right at the moment, much less "for all of its lifetime". The DenZuk example I provided is a perfect example of a pretty well written virus that went all wrong - the disks it corrupted didn't even exist when the author wrote it, and yet, it still caused damage.
What happens when an uninfected machine attempts a legitimate RPC call? You infect it? Great.... You just broke someone's intranet that relied on RPC to get the job done, and you're preventing the legitimate program from binding to the port. Good job - pat yourself on the back, you just cost a company $1,000,000 in lost time during cleanup and lost customers.
Someone's CMOS battery is dead and they reboot it once a day? Great! Worm never dies, hoses RPC forever for that machine.
Bad idea. Mark my words on that.
I write code.
When I was in an airport a few days ago, I saw one of their chemical identification things (where they put that little cloth after wiping down your bag) booting up. It was running (I believe) Windows 95 (either that or 98, couldn't see the number). I felt safe knowing that national security is in the hands of Microsoft.
Wasn't this how viruses were "invented"? To perform upgrades? Some network admin had the bright idea of performing maintenance by having a process that jumped from system to system, updating as it went. Unfortunately, it did so in a very non-deterministic and incorrect way, and the entire network had to be taken down so that individual computers could be disinfected in isolation. Several years later, the event inspired the first research into computer viruses.
PLEASE let me know if I've horribly botched this tale -- I'd hate to sound like a fool.
Anyway, I'd say that the whole idea of eliminating a worm with a worm is akin to infecting someone with malaria to cure the Plague.
Kinda reminds me of the movie, where 2 evil superheroes fight each other and make a lot of damage as a side effect, doesn't it?
- Marco
It's not the offending system that is attacked and destroyed, it's the systems that are attacked via DDOS through the hacked boxes using signal propagating viruses.
Have you heard of Dalnet? The network that used to be the largest of the IRC networks? It isn't now. Four months of DDOS attacks against all its servers brought that to a halt (and there were like 10 of them). It's come back up, but most people have moved to other networks.
Maybe you didn't see this as a real problem because it didn't affect you, but four months can do more than merely wipe data or destroy hardware. They can take down businesses forever.
I'd rather have the "malicious ones" destroy computers owned by users who are partially to blame for letting in viruses than destroy businesses that have no fault at all in the matter.
On an interesting parallel: one of the most destructive viruses (real world) on the planet is Ebola. How do you think its rate of spreading and death rate compare to AIDS? It's the slow, insidious viruses that you have to worry about, not the ones that are obvious. Not knowing that the virus is there is the best defense a virus has against inoculation or containment, which gives it more time to spread and wreak havoc.
Mod me down and I will become more powerful than you can possibly imagine!
Many posts here talk about what if worms did some *real* damage. I wonder what this could be? A worm that formats the HDD is obviously useless - how will it replicate? In order to spread, it necessarily exposes its presence and therefore it can be killed. So the max damage a worm can do is limited. Am I right in my thinking?
Worms are bad. Period. Even if the worm is supposed to be good then the damage it can do in terms of network usage, etc causes problems.
However, vulnerable boxes do cause a lot of problems, so IMHO a better solution is for those people who care about such things to install a system on their firewall that responds to scans - if a machine scans your firewall then you look to see if you recognise the signature of the scan (i.e. the likes of Code Red, etc, have quite distinctive patterns of scanning) and then your firewall launches an exploit against that machine that is scanning you. Once exploited the system would take some action to close the vulnerability and remove the worm (i.e. turn on the auto update stuff, install whatever patches are needed, etc). After it's done that the software that you installed through the exploit would delete itself.
This is a defense - the machine in question attacked your network so your network responded by fixing the compromised machine - no other (innocent) machines are affected by the problem.
ISPs also need to do something to help the situation IMHO - there is no sane reason to use Netbios over the internet so this should be blocked by every ISP (I know some do already, but the vast majority still allow it).
And remembering that 90% of home Windows users are completely clueless when it comes to security, they need to be forced into fixing their systems. The best way I can see of doing that is for all ISPs to look for scans coming from their customers - if a machine is making a lot of scans to lots of hosts all over the internet that matches the signature of a known worm, the ISP should pull the customer's entire internet connection. In fact it wouldn't be too hard for the ISP to intercept all web requests and redirect them to a website with all the patches on it. This is damage limitation - if a machine is compromised and is attempting to compromise other machines then it is essential that machine is taken off the network ASAP. If all the ISPs followed these steps then the spread of worms would be severely reduced.
http://blog.nexusuk.org
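The detection side of the two ideas above (a firewall that recognises a worm's scan signature, and an ISP that spots customers sweeping many hosts on a known port) comes down to the same question: is one source contacting an unusual number of distinct destinations on the vulnerable port within a short window? The following script is an added example, not code from the thread or from any ISP; the log line format, the watched port list (135 and NetBIOS 137-139 from the discussion, plus 445 as an assumption), the 60-second window and the threshold of 20 distinct destinations are all assumptions, and the log lines are constructed.

```python
"""Flag Blaster-style port sweeps in connection logs (added example).

Assumptions (not from the page): log lines look like
    '<iso-timestamp> <src_ip> <dst_ip> <dst_port> <proto>'
and a source is a scanner when it reaches DISTINCT_DST_THRESHOLD
distinct destinations on a watched port within WINDOW_SECONDS.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# 135 (RPC/DCOM) and 137-139 (NetBIOS) are the ports the thread discusses;
# 445 (SMB over TCP) is added here as an assumption.
WATCHED_PORTS = {135, 137, 138, 139, 445}
WINDOW_SECONDS = 60           # assumed sliding window
DISTINCT_DST_THRESHOLD = 20   # assumed: distinct targets before we flag

BASE = datetime(2003, 8, 19, 10, 0, 0)  # constructed timestamp base


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def detect_scanners(lines, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: (time_first_flagged, distinct_destinations_in_window)}.

    Only connections to WATCHED_PORTS count. A source that hammers a single
    destination (a legitimate RPC client) is never flagged, because the metric
    is distinct destinations, not connection count.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[0])
    recent = defaultdict(deque)      # src -> deque of (ts, dst) inside window
    in_window = defaultdict(Counter) # src -> dst -> occurrences inside window
    flagged = {}
    for ts, src, dst, port, _proto in events:
        if port not in WATCHED_PORTS:
            continue
        q, c = recent[src], in_window[src]
        q.append((ts, dst))
        c[dst] += 1
        # Evict entries older than the window so slow, legitimate churn ages out.
        while q and (ts - q[0][0]).total_seconds() > window:
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if src not in flagged and len(c) >= threshold:
            flagged[src] = (ts, len(c))
    return flagged


def build_sample_log():
    """Constructed traffic: one fast sweep, one slow sweep, two benign hosts."""
    lines = []
    # Fast sweep: 30 distinct hosts on port 135 in 45 seconds (Blaster-like).
    for i in range(30):
        t = BASE + timedelta(seconds=1.5 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 192.0.2.{i + 1} 135 tcp")
    # Slow sweep: 30 distinct hosts on port 135, one every 10 seconds.
    for i in range(30):
        t = BASE + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 198.51.100.10 192.0.2.{100 + i} 135 tcp")
    # Legitimate RPC client: 50 connections, but always to the same server.
    for i in range(50):
        t = BASE + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 198.51.100.8 192.0.2.200 135 tcp")
    # Web client: many destinations, but port 80 is not a watched port.
    for i in range(40):
        t = BASE + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 198.51.100.9 203.0.113.{i + 1} 80 tcp")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for src, (when, n) in detect_scanners(log).items():
        print(f"{src}: {n} distinct targets on watched ports by {when.time()} -> quarantine")
```

With the defaults only 198.51.100.7 is flagged: the legitimate RPC client never exceeds one distinct destination, the web client never touches a watched port, and the slow sweep stays under the threshold because at most seven of its connections fall inside any 60-second window. Widening the window (for example to 600 seconds) catches the slow sweep too, which is the trade-off an ISP tuning this would face: a longer window finds quieter scanners but holds more state per customer and takes longer to react.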
> But, we have had some problems with it. One day, it kept popping up a stupid dialog saying that the computer is too hot and that if we don't cool it down fast then we'll have to shut it off. Yeah, like we're just going to turn off all our gas pumps in the middle of rush hour (the busiest time of day).
What, would you rather it just packed up shop and died quietly?
> Later that same day, it popped up with a stupid message saying that it had automatically downloaded and installed updates and patches for us. Seeing that message made me cringe, I was so worried that the patch might have broken something and rendered the entire gas station useless. *shudder*
Since you're so worried about it, I hope you turned this feature off, then - but perhaps it's just as well, since it probably installed the RPC DCOM fix for you: right?
Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?
I served military duty in the Danish Emergency Management Agency and was shocked when I saw they were implementing the entire system for reporting all kinds of disasters and emergencies (everything from tunnel fires to radiation leaks) on Windows 2000. These computers were connected to the net - and knowing the place they would probably never be updated. And even worse - it wasn't even a stripped down Windows 2000 that only ran the necessary services - it was a default (apparently unpatched) installation complete with an autostarting Messenger.
I'm not all that great on securing Windows boxes - but that sure didn't seem right. Considering this would be the first way (and for something like 5 minutes!) to warn the local emergency services of something - which could very well be a tunnel collapse/fire/whatever where 5 minutes easily can make a lot of difference in human lives. The program that was custom-made for emergency-reporting also seemed of pretty poor quality - most likely a case of lowest bidder with no one competent setting intelligent rules for the bidders.
The fixer scans MUCH more aggressively, causing much more traffic.
It also apparently will keep this aggressive scanning for a long time unless users intervene.
It'd be nice if people put effort into stuff that would replicate over hundreds of thousands of systems.
Dynamic scanning speed and duration based on date and how many generations old it is would be a nice start with the next renegade healer worm. Pay attention to infection attempts from other sources to help guide actions and pick targets. A remote kill for it (maybe leaving a don't reinfect cookie behind) so if it does get stupid businesses can quickly udp spray their nets with shutdown packets and be done with it.
I think I'll go anonymous coward on this one.
> Since you're so worried about it, I hope you turned this feature off, then - but perhaps it's just as well, since it probably installed the RPC DCOM fix for you: right?
> Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?
It might've installed the patch, if someone set it up that way. It's probably setup with 'net access for that reason. The clerk who seems to know better sounds like just a clerk though, and is probably (hopefully) locked out of administrative functions.
But then, probably not. Anyone who doesn't know by now not to just automagically update without warning or testing on a system you rely on is just too incompetent to be doing the job.
National security would be in the hands of whoever wrote the software in use to do the actual scanning - not the host operating system.
It doesn't matter whether you run a Microsoft OS or a flavor of Linux (or any other operating system). In the end, it is the software (in combination with the hardware) that does the actual scanning that makes the real difference.
I don't care what the intent was on this anti-worm worm. I have one sales guy in Australia right now that somehow managed to get *both* worms on his laptop- despite the fact that I sent him instructions ahead of time on how to patch his system and ensure that his virus definitions were updated. Now he's expecting me to help him out despite the fact that he cannot connect to our VPN, and that he's 12 hours ahead of us.
Good Samaritan worm my ass- this one is just as big a pain as Lovesan was.
It'll be interesting to see how this impacts the future of worms and virii though.
It's the new 21st century version of core wars.
MS Windows Virus Wars. Coming to a desktop near you. Let the evolution begin.
I'll see your senator, and I'll raise you two judges.
Because we weren't a paying customer, we were sent the company's test-mule where all the new developments were tried before going into production.
The machine used a lightly modified Windows 98 installation as its OS. Security was non-existent, as any idiot (me) could go in and monkey with passwords, workgroup settings, and file locations. (I did this to get it to talk to our network for backup) I was concerned about this at first, until I realized that these devices
* weren't used with mice or keyboards
* and typically had armed guards nearby who took a dim view of people monkeying with the hardware
As far as the installation of windows, we used it for 3 months straight, with absolutely no crashes whatsoever. The only time it was rebooted was when it was shut down for the weekends.
OK...
I can do this. I am, after all,
a superhero!
Even if they are using Windows Internet Explorer for the front-end GUI to access the big-iron back-end, at least ensure that they are capable of patching all of their front-office systems. For instance, they should be using enterprise-wide software distribution facilities such as Tivoli Software Distribution.
If it's not possible to distribute software to the endpoints, at least have a firewall installed in each location, or have firewalls installed in each PC.
No wonder Air Canada has troubles with bankruptcy - their foundation is not solid. Imagine how much money they lost because of this worm (and last week's power-outage - that's another rant)?
You will notice a lot of software vendors are now introducing their products into the Linux platform due to corporate demand - many companies want to move away from Windows because of these critical flaws.
I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?
It's good and bad and something of a slippery slope. When I sign up with an ISP, I want IP service -- the ability to send and receive any and all IP datagrams, regardless of their type or subtype. If my ISP starts filtering my IP service based on the overflowing basket of potential IP-based vulnerabilities, I lose that IP service. That's bad.
It's also something that "controllers" will want to see implemented based on whatever their agenda is (MSN blocks AIM, RIAA/MPAA wants Kazaa/Gnutella blocked, Ashcroft wants IPSec blocked, et al). That's the slippery slope, and it leads to what amounts to cable-TV internet service -- transparent proxied, web-only service. Yuck.
The good would be that the ignorant wouldn't be vulnerable, and many of us that manage networks professionally wouldn't have to put up with the amplification effect of millions of infested boxes with terabytes of bandwidth. Some more obscure worms/viruses would die on the vine, but I highly doubt it will end all of them.
What ISPs should do is offer a "filtered" internet connection that limits vulnerabilities and charge extra for it. Although I'm sure it'd be a major headache to set up, and potentially a huge liability if the filtering was inadequate to stop a worm or a new vulnerability.
This would allow for the clueless to get something to help them, and protect people who want real IP service, and not some cable tv-like service.
Unfortunately, I think the real solution is more, bigger worms: this should shame MS into overhauling their networking security model.
"...Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which first started hitting computers around the world on Monday. ..."
I could have sworn I had read the exact same statement in a different article a few days ago. The statement had stuck in my head because it implied the worm problem was completely the users' fault for not installing the patch. Since it seemed so familiar, I googled the phrase "Although Microsoft posted a software patch to fix the flaw" (google limits you to ten words or less). Lo and behold, hundreds of hits for individual separate articles from "different" news sources with the exact same paragraph, completely verbatim. I am aware that information is shared through the Associated Press, but personally I find it unsettling that all of these news authors do little more than cut and paste another author's words (and voice), instead of writing an article on the same subject with different points of view or ways of expressing the facts. It is especially concerning when the statement in this example seems to slant blame away from a responsible party, Microsoft, in a serious situation that they are largely (IMO) accountable for.
Perhaps I am off topic, but I felt obliged to point out my discovery. I didn't think it was possible, but my level of trust in the quality of information in the media has dropped yet another rung.
Beware blue cats moving at