Worm vs. Worm Battle Slows Networks
joel_archer writes "According to this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster-infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit were the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
Flying is hard enough - they tell you it's the safest way to travel. Now we find out it's run by a system famed for its ability to crash?!
The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.
Seriously though, that sounds more like the airline's standard crummy service than the latest Microsoft worm/virus is to blame.
Who cares?
Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason for the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
If this theory is right I guess 50 million Americans without power care whether incompetent admins can't keep their networks up.
The Register also has an article on this.
Basically the same core facts, but also talks about the ethical issues with "good" worms.
Dark Nexus
"Sanity is calming, but madness is more interesting."
ISPs are going to start firewalling off more and more ports because of the fact that Windows is insecure. But more importantly, customers don't care enough about the problems to deal with their own responsibility: securing their own machines.
Many ISPs already filter the standard Windows NetBIOS ports (137-139, I think) because of possible attacks.
I think this opens an interesting problem. If people don't start taking their own computer's security seriously, other people will be forced to -- their ISPs. Will ISPs become liable then if attacks do take place?
It doesn't just kill the other worm. It replaces it. It's several orders of magnitude better at scanning, persists after reboot just like Blaster, and leaves a backdoor open, just like Blaster.
OTOH, if you set your DNS to spoof "download.microsoft.com" and point it to an unproxied web server which gives it a different executable file instead of the patch it tries to pull, it will run that executable just dandy. Interesting things you can do to a worm-infected system besides patching it and leaving the infection intact are legion.
So the networks are brought to a crawl due to the large amount of traffic necessary to patch systems because incompetent MCSEs are too incompetent to do the job themselves?
Well cry me a fucking river.
With all the worm and virus activity in the last few months they have absolutely no damn excuse for not being on top of this. Since they are too stupid to do their job, someone found it necessary to do it for them. Personally, I would have considered a disk formatting worm to be fully justified.
-- Will program for bandwidth
Considering the original and first variant of the MSBlaster worm made major headlines, why were these systems still vulnerable?
Are each of those systems equipped with a 9-volt battery and a cheap Somebody Else's Problem field?
And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.
Learning HOW to think is more important than learning WHAT to think.
> Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
Supposedly there are "thousands" of people/organizations already working up lawsuits against that one energy company that's starting to pick up the stink. If it turns out that Blaster had anything to do with it at all, someone's going to get creamed for it.
And you can bet that they'll go after $omebody with deeper pocket$ than whatever punk-ass kiddie it was who released it. With 50,000,000 people inconvenienced and a reported $6,000,000,000 dent in business, we're talking about a sum that would be a concern even to $DEEPPOCKETS.
Sheesh, evil *and* a jerk. -- Jade
Firstly, during Code Red it got blamed for Internet slowdown, until someone realised that some major net cables were damaged in a train tunnel fire that later turned out to be the real reason.
Secondly, lots of people are (hopefully) going to be scrabbling for WindowsUpdate for patches which will also add to the bandwidth being consumed.
You should visit New Zealand some time. I can honestly say, I have never visited an international airport terminal here where there has not been at least one of the arrival/departure screens showing 'This program has performed an illegal operation'. And I visit a fair few international airports.
I disagree. MrP's revision on my idea would:
* Only infect machines already sick with w32.Blaster
* Stop these machines from restarting due to the RPC process being terminated.
* Stop these machines from causing network slowdown by scanning.
Even if there was a problem with the code, it would still do more good than harm, because every machine patched would be one less flooding the 'net searching for machines to infect. It would not increase the traffic, because machines unpatched but uninfected would not be affected by this "good" worm.
While I agree that in many situations, one might worry about releasing any worm into the wild, I think in this case the worst case scenario is it doesn't work. Which is the same as if you don't try at all, so there's little to lose.
> Any smart and experienced programmer will also know that almost any complex program...
Complex? This could be accomplished with a really small app. Its job would be incredibly simple:
1. Kill blaster process, delete blaster app
2. Attempt to download MS patch. If unsuccessful several times, terminate.
3. Execute patch.
4. Open relevant port
5. Wait for a connection.
6. Transmit self to next machine.
7. Has it been a week since last time scanned? If so, terminate.
8. Goto 5.
Sounds pretty simple to me, at least. I think it'd be pretty easy to debug.
Yeah. It's amazing where you'll find Windows.
I work at a gas station, and the computer that controls the gas pumps runs on Windows. IOW, if Windows crashes, nobody can pump gas, and nobody who has pumped gas already can pay for their gas. It hasn't crashed on us yet (AFAIK -- I've only worked there for a month, and the station has been in service for 2 years).
But, we have had some problems with it. One day, it kept popping up a stupid dialog saying that the computer is too hot and that if we don't cool it down fast then we'll have to shut it off. Yeah, like we're just going to turn off all our gas pumps in the middle of rush hour (the busiest time of day).
Later that same day, it popped up with a stupid message saying that it had automatically downloaded and installed updates and patches for us. Seeing that message made me cringe, I was so worried that the patch might have broken something and rendered the entire gas station useless. *shudder*
When I was in an airport a few days ago, I saw one of their chemical identification things (where they put that little cloth after wiping down your bag) booting up. It was running (I believe) Windows 95 (either that or 98, couldn't see the number). I felt safe knowing that national security is in the hands of Microsoft.
It's not the offending system that is attacked and destroyed, it's the systems that are attacked via DDOS through the hacked boxes using signal-propagating viruses.
Have you heard of Dalnet? The network that used to be the largest of the IRC networks? It isn't now. Four months of DDOS attacks against all its servers brought that to a halt (and there were like 10 of them). It's come back up, but most people have moved to other networks.
Maybe you didn't see this as a real problem because it didn't affect you, but four months can do more than merely wipe data or destroy hardware. They can take down businesses forever.
I'd rather have the "malicious ones" destroy computers owned by users who are partially to blame for letting in viruses than destroy businesses that have no fault at all in the matter.
On an interesting parallel: one of the most destructive viruses (real world) on the planet is Ebola. How do you think its rate of spreading and death rate compare to AIDS? It's the slow, insidious viruses that you have to worry about, not the ones that are obvious. Not knowing that the virus is there is the best defense a virus has against inoculation or containment, which gives it more time to spread and wreak havoc.
Mod me down and I will become more powerful than you can possibly imagine!
Worms are bad. Period. Even if the worm is supposed to be good then the damage it can do in terms of network usage, etc causes problems.
However, vulnerable boxes do cause a lot of problems, so IMHO a better solution is for those people who care about such things to install a system on their firewall that responds to scans - if a machine scans your firewall then you look to see if you recognise the signature of the scan (i.e. the likes of Code Red, etc., have quite distinctive patterns of scanning) and then your firewall launches an exploit against that machine that is scanning you. Once exploited the system would take some action to close the vulnerability and remove the worm (i.e. turn on the auto update stuff, install whatever patches are needed, etc). After it's done that the software that you installed through the exploit would delete itself.
This is a defense - the machine in question attacked your network so your network responded by fixing the compromised machine - no other (innocent) machines are affected by the problem.
ISPs also need to do something to help the situation IMHO - there is no sane reason to use Netbios over the internet so this should be blocked by every ISP (I know some do already, but the vast majority still allow it).
And remembering that 90% of home Windows users are completely clueless when it comes to security, they need to be forced into fixing their systems. The best way I can see of doing that is for all ISPs to look for scans coming from their customers - if a machine is making a lot of scans to lots of hosts all over the internet that matches the signature of a known worm, the ISP should pull the customer's entire internet connection. In fact it wouldn't be too hard for the ISP to intercept all web requests and redirect them to a website with all the patches on it. This is damage limitation - if a machine is compromised and is attempting to compromise other machines then it is essential that machine is taken off the network ASAP. If all the ISPs followed these steps then the spread of worms would be severely reduced.
http://blog.nexusuk.org
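The ISP-side scan detection described in the post above, as an added example (not code from the thread): a toy fan-out detector over constructed flow records that flags any source reaching many distinct hosts on TCP/135 within a short window, the Blaster/Welchia-style pattern the post wants ISPs to look for. Thresholds, window and all flow lines are constructed assumptions.

```python
"""Toy worm-scan detector for an ISP or campus border (added example, not from
the thread). Flags a source that reaches many distinct hosts on one port inside
a short window. All flow records below are constructed sample data."""
from collections import Counter, defaultdict, deque
from datetime import datetime
# Constructed NetFlow-like records: "<iso-timestamp> <src> <dst> <dst_port>"
SAMPLE_FLOWS = """
2003-08-19T10:00:00 10.0.0.5 198.51.100.1 135
2003-08-19T10:00:01 10.0.0.5 198.51.100.2 135
2003-08-19T10:00:02 10.0.0.5 198.51.100.3 135
2003-08-19T10:00:03 10.0.0.5 198.51.100.4 135
2003-08-19T10:00:04 10.0.0.5 198.51.100.5 135
2003-08-19T10:00:05 10.0.0.5 198.51.100.6 135
2003-08-19T10:00:02 10.0.0.9 192.0.2.10 80
2003-08-19T10:00:03 10.0.0.9 192.0.2.12 135
2003-08-19T10:00:00 10.0.0.7 192.0.2.20 135
2003-08-19T10:03:00 10.0.0.7 192.0.2.21 135
2003-08-19T10:06:00 10.0.0.7 192.0.2.22 135
"""

def parse_flows(text):
    """Return a list of (epoch_seconds, src, dst, dst_port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts).timestamp(), src, dst, int(port)))
    return flows

def detect_scanners(flows, port=135, window_s=60, threshold=5):
    """Map each source touching >= threshold distinct hosts on `port` within any window_s-second window to its peak count."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        recent, seen, peak = deque(), Counter(), 0
        for ts, dst in events:
            recent.append((ts, dst))
            seen[dst] += 1
            while ts - recent[0][0] > window_s:
                old_ts, old_dst = recent.popleft()
                seen[old_dst] -= 1
                if not seen[old_dst]:
                    del seen[old_dst]
            peak = max(peak, len(seen))
        if peak >= threshold:
            hits[src] = peak
    return hits
```

With the defaults only 10.0.0.5 is flagged (6 hosts in 6 seconds); the slow host 10.0.0.7 is flagged only if the window is widened enough to cover its three-minute spacing, which is the tuning trade-off an ISP faces.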
> But, we have had some problems with it. One day, it kept popping up a stupid dialog saying that the computer is too hot and that if we don't cool it down fast then we'll have to shut it off. Yeah, like we're just going to turn off all our gas pumps in the middle of rush hour (the busiest time of day).
What, would you rather it just packed up shop and died quietly?
> Later that same day, it popped up with a stupid message saying that it had automatically downloaded and installed updates and patches for us. Seeing that message made me cringe, I was so worried that the patch might have broken something and rendered the entire gas station useless. *shudder*
Since you're so worried about it, I hope you turned this feature off, then - but perhaps it's just as well, since it probably installed the RPC DCOM fix for you: right?
Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?
I served military duty in the Danish Emergency Management Agency and was shocked when I saw they were implementing the entire system for reporting all kinds of disasters and emergencies (everything from tunnel fires to radiation leaks) on Windows 2000. These computers were connected to the net - and knowing the place they would probably never be updated. And even worse - it wasn't even a stripped down Windows 2000 that only ran the necessary services - it was a default (apparently unpatched) installation complete with an autostarting Messenger.
I'm not all that great on securing Windows boxes - but that sure didn't seem right. Considering this would be the first way (and for something like 5 minutes!) to warn the local emergency services of something - which could very well be a tunnel collapse/fire/whatever where 5 minutes easily can make a lot of difference in human lives. The program that was custom-made for emergency reporting also seemed of pretty poor quality - most likely a case of lowest bidder with no one competent setting intelligent rules for the bidders.
> Since you're so worried about it, I hope you turned this feature off, then - but perhaps it's just as well, since it probably installed the RPC DCOM fix for you: right?
> Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?
It might've installed the patch, if someone set it up that way. It's probably set up with 'net access for that reason. The clerk who seems to know better sounds like just a clerk though, and is probably (hopefully) locked out of administrative functions.
But then, probably not. Anyone who doesn't know by now not to just automagically update without warning or testing on a system you rely on is just too incompetent to be doing the job.
It's the new 21st century version of core wars.
MS Windows Virus Wars. Coming to a desktop near you. Let the evolution begin.
I'll see your senator, and I'll raise you two judges.
Because we weren't a paying customer, we were sent the company's test-mule where all the new developments were tried before going into production.
The machine used a lightly modified Windows 98 installation as its OS. Security was non-existent, as any idiot (me) could go in and monkey with passwords, workgroup settings, and file locations. (I did this to get it to talk to our network for backup.) I was concerned about this at first, until I realized that these devices:
* weren't used with mice or keyboards
* typically had armed guards nearby who took a dim view of people monkeying with the hardware
As far as the installation of windows, we used it for 3 months straight, with absolutely no crashes whatsoever. The only time it was rebooted was when it was shut down for the weekends.
OK...
I can do this. I am, after all,
a superhero!