Slashdot Mirror


Worm vs. Worm Battle Slows Networks

joel_archer writes "According to this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit was the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."

125 of 559 comments

  1. hmm, i wonder. by Pandora's+Vox · · Score: 5, Funny

    MS exploit virus comes out.

    mysterious patching virus starts making the rounds. massive consequences.

    we should be doing this more often, kids.

    -Leigh

    1. Re: hmm, i wonder. by Black+Parrot · · Score: 5, Funny


      > MS exploit virus comes out. mysterious patching virus starts making the rounds. massive consequences. we should be doing this more often, kids.

      Yeah, I'm working on a worm to kill off the worm that was supposed to fix Blaster, but I've been busy and haven't gotten it out yet. Look for it in your mailboxes tomorrow!

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re: hmm, i wonder. by gfody · · Score: 4, Funny

      I'd better get started on my worm to kill your worm! er shit, Symantec already has a definition file for anti.anti.anti.blaster.win32?!

      --

      bite my glorious golden ass.
    3. Re: hmm, i wonder. by Anonymous Coward · · Score: 2, Funny

      I believe the correct name for that would be the

      W32.Blaster.Buster.Buster.Buster.Worm

    4. Re:hmm, i wonder. by Mr.+Bad+Example · · Score: 4, Funny

      > MS exploit virus comes out.
      > mysterious patching virus starts making the rounds. massive consequences.
      > we should be doing this more often, kids.


      That's the worst haiku I've ever seen.

  2. Hm... by gooru · · Score: 3, Insightful

    So, the question I have is: do you think he was trying to be a good Samaritan and just wrote something that caused serious problems, or do you think he purposely wrote something that would cause problems but would spread wild due to the ostensible good it was trying to do?

    1. Re:Hm... by zcat_NZ · · Score: 5, Insightful

      Personally, I'd have written a worm that enables automatic updates and XP's inbuilt firewall. If windowsupdate can't handle the load perhaps they shouldn't have designed it in a way that -purposely breaks- normal web caching.

      The current round of worms are clumsy and unimaginative. I think it's only a matter of time before we see a worm that does some -real- damage.

      --
      455fe10422ca29c4933f95052b792ab2
    2. Re:Hm... by billimad · · Score: 2, Insightful

      I'm more concerned that this might be the start of another hackers war - the consequences of this turf war playing out in a much larger (and vulnerable) playing field already seem evident.

    3. Re:Hm... by ntsucks · · Score: 2, Insightful

      I agree. For all the talk of damage and problems, to date most worms have been what I would consider mostly harmless because they can be removed and the hole patched. Wait until one comes along with a "format c:\" on a little time delay. Or maybe look for important files like databases and start randomly corrupting them.

      We have not yet seen a truly damaging worm. If a few reboots and some network congestion can cause this many problems, a truly destructive virus could probably cause worldwide economic turmoil.

      --
      Those who can do. Those who can't sue.
  3. This is exactly why by Magic+Thread · · Score: 4, Informative

    "cleanup" worms are still bad. Since the original worm didn't do anything except attack a domain name that's no longer in use, the cleanup one may even be worse.

    1. Re:This is exactly why by admbws · · Score: 5, Insightful

      It's a case of a lesser of two evils. The problem is, there are thousands of exploitable boxes and if nothing is done about it, in the long term, this is going to cause some serious problems. Many of the owners of these systems will never fix or patch them themselves.

      It's really a toss-up between a worm that temporarily slows down networks by spreading and patching the systems it infects, then automatically deleting itself after a set date, or a script kiddie scanning the entire internet, picking up these boxes and adding them to his DDoS network, which can slow down all or any network(s) (root DNS servers, anyone?) he or she chooses at a later date.

      It is for this reason, IMHO, that these exploitable boxes are a threat to the integrity of the internet, and while writing a worm to automatically patch the systems might be rather militant, something has to be done about it.

    2. Re:This is exactly why by zangdesign · · Score: 4, Insightful

      > writing a worm to automatically patch the systems might be rather militant, something has to be done about it.

      Yes, and the proper thing to do would be to contact the system administrator and let him/her know that their system is vulnerable. Releasing another worm to patch the first worm is just as morally wrong and illegal, since it is entering the system by unauthorized means.

      Two wrongs do not make a right. Frankly, I hope they find both the guys that wrote those damnable things and throw them both in jail.

      The moral of this story is: keep your damn hands off something that ain't yours.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    3. Re:This is exactly why by sperling · · Score: 4, Insightful

      This worm is just as bad, maybe even worse than the first.

      Script kiddies are in fact way safer now than before this good samaritan, since most of the lazy users that have been compromised also by other means than the initial worm now will think everything's fine and leave the additional rootkit installed and running. If this second worm hadn't made things appear normal again, these users would have to reinstall their systems and thus get rid of e.g. the IRC drones that currently annoy most of the major IRC networks, including the one I admin a server on.

      In addition, this worm wastes bandwidth on somewhat responsible users that do not trust something using an exploit for gaining access to keep their systems secure. Would you leave your box as is if this worm had "secured" you? Or would you be worried and prefer to reinstall and manually patch?

      However good the intentions of this worm might be, it's just adding to the problem.

      --
      The next great MMORPG.
    4. Re:This is exactly why by 26199 · · Score: 3, Informative

      Er... which system administrator would that be?

      I get the impression the vast majority of systems that are still at risk belong to good old incompetent (through no fault of their own) home users. Contact and explain?... not likely to be very effective.

    5. Re:This is exactly why by Anonymous Coward · · Score: 3, Informative

      Let me say up front that the IT department at my company is not at all on top of things like massive exploits. The company LAN has suffered the wrath of Nimda (for several days because IT neglected to tell people to shut down Everyone shares), Code Red, and now MSBlast and MSBlast.D.

      However, I'm our one man Hosting and Deployment department for our web-based apps, so I am pretty diligent about this stuff.

      About a week after MS released the RPC patch, I had it tested and on all the servers used to deliver our products. And, since I don't trust our IT department, I run Tiny Personal Firewall on my own workstation so I can see when somebody is coming after my machine.

      We weathered MSBlast pretty well - I detected it fairly early with TPF and was able to get the infected people around me cleaned up quickly. Luckily, all the servers under my control were already patched, so our client-facing stuff was safe.

      Then, yesterday, MSBlast.D ripped through the company. It was apparent that a number of people hadn't patched when the original Blast came through and that IT didn't do anything as basic as a LAN/WAN wide scan for vulnerable boxes. Again, I wasn't worried about my machines, so much, but MSBlast.D brought our network to a standstill where the original Blast was just a minor nuisance.

      With the LAN nearly dead, I couldn't get to any of the remotely hosted servers for which I am responsible. Our server monitoring software had similar problems and was alarming all day.

      Now, I understand that the true fault behind this lies with the IT department for not at all being on the ball about this, but I'm also a bit pissed with the person who thought it a good idea to become a sort of vigilante patcher and create a worm that essentially resulted in a LAN-wide ping flood DoS. The original MSBlast was amusing to me because it was so easy to get rid of. MSBlast.D, however, was infuriating because it affected even machines that were properly secured/patched by bogging down the network.
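
Added example, not part of the comment above or of the original thread: one way to spot the kind of LAN-wide ping sweep described here is to count, per source, how many distinct hosts receive ICMP echo requests within a short window. The record format, addresses, window and threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values for this illustration; pick real ones from a baseline.
WINDOW_SECONDS = 10
DISTINCT_DST_THRESHOLD = 20
ICMP_ECHO_REQUEST = 8


def parse_record(line):
    """Parse a constructed flow record: 'epoch_seconds src dst proto icmp_type'."""
    ts, src, dst, proto, icmp_type = line.split()
    return float(ts), src, dst, proto, int(icmp_type)


def find_sweepers(lines, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: peak distinct destinations} for every source that sent
    ICMP echo requests to at least `threshold` distinct hosts inside any
    `window`-second span. Records must be sorted by timestamp."""
    recent = defaultdict(deque)                      # src -> (ts, dst) in window
    in_window = defaultdict(lambda: defaultdict(int))  # src -> dst -> hit count
    peaks = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, icmp_type = parse_record(line)
        # Only echo requests count: replies and non-ICMP traffic are ignored.
        if proto != "icmp" or icmp_type != ICMP_ECHO_REQUEST:
            continue
        queue, counts = recent[src], in_window[src]
        queue.append((ts, dst))
        counts[dst] += 1
        # Slide the window: drop requests older than `window` seconds.
        while queue and ts - queue[0][0] > window:
            _, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        if len(counts) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(counts))
    return peaks


def build_sample():
    """Constructed sample traffic (private addresses, made-up timestamps)."""
    lines = []
    # A monitoring host pinging the same three servers once a second: benign.
    for t in range(30):
        for n in (1, 2, 3):
            lines.append(f"{1000 + t} 10.0.0.5 10.0.1.{n} icmp {ICMP_ECHO_REQUEST}")
    # An infected workstation sweeping 60 addresses at ten pings per second.
    for i in range(60):
        lines.append(f"{1005 + i / 10:.1f} 10.0.0.77 10.0.2.{i + 1} icmp {ICMP_ECHO_REQUEST}")
    # An echo reply and a burst of TCP flows, neither of which should be counted.
    lines.append("1006 10.0.2.9 10.0.0.77 icmp 0")
    for i in range(40):
        lines.append(f"1007 10.0.0.9 10.0.3.{i + 1} tcp 0")
    lines.sort(key=lambda rec: float(rec.split()[0]))
    return lines


if __name__ == "__main__":
    for src, peak in find_sweepers(build_sample()).items():
        print(f"{src}: echo requests to {peak} distinct hosts within {WINDOW_SECONDS}s")
```

A host flagged this way is a candidate for isolation from the switch port rather than proof of infection; a monitoring system that pings many hosts would need to be allow-listed.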

  4. I think I'll take the bus by evn · · Score: 3, Interesting

    Flying is hard enough - they tell you it's the safest way to travel. Now we find out it's run by a system famed for its ability to crash?!

    > The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.

    Seriously though, that sounds more like the airline's standard crummy service than the latest Microsoft worm/virus is to blame.

  5. Re:So? by joeykiller · · Score: 5, Interesting

    Who cares?

    Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.

    If this theory is right I guess 50 million Americans without power care whether incompetent admins can't keep their networks up.

  6. Another article... by Dark+Nexus · · Score: 5, Interesting

    The Register also has an article on this.

    Basically the same core facts, but also talks about the ethical issues with "good" worms.

    --
    Dark Nexus
    "Sanity is calming, but madness is more interesting."
  7. Ultimately... by metatruk · · Score: 4, Interesting

    ISPs are going to start firewalling off more and more ports because of the fact that Windows is insecure. But more importantly, customers don't care enough about the problems to deal with their own responsibility: securing their own machines.

    Many ISPs already filter the standard Windows NetBIOS ports (137-139, I think) because of possible attacks.

    I think this opens an interesting problem. If people don't start taking their own computer's security seriously, other people will be forced to -- their ISPs. Will ISPs become liable then if attacks do take place?

    1. Re:Ultimately... by Tim+C · · Score: 5, Insightful

      > Many ISPs already filter the standard windows NetBIOS ports (137-139, i think) because of possible attacks.

      I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?

      True, it shouldn't be the responsibility of the ISP, and no, I'm not exactly happy with the thought of port filtering becoming commonplace and extending to other ports (ftp, ssh, http, etc - after all, "it's a home connection, you shouldn't be running servers..."). As an interim measure, though, it at least does help to contain the problem.

      > If people don't start taking their own computer's security seriously

      I think you have that wrong. People do take their computer's security seriously, they just don't know enough about it. They also, largely, expect to be able to just switch their computer on, and have it work, like everything else they use. TV, video, dvd, microwave, car, central heating - they're all made, installed or set up once, and then just work. If they break down, they're replaced, or a qualified engineer is called to fix them.

      People aren't yet used to the idea that computers don't quite act like that. You and I may have been working closely with them for years, but most "ordinary" people haven't. So, they expect them to require the same amount of effort as everything else they use.

      I think that PC manufacturers could go a long way to helping here - shipping with firewalls and virus scanners preinstalled and configured. Perhaps have a couple of big, impossible to miss buttons on the desktop - "click here if this machine is connecting directly to the internet", "click here if this machine will not connect to the internet, or will connect via another machine on the network", "click here if you don't know what that means", that configures the machine appropriately for its role. That way, the gateway can be secured, while the rest of the network can share files and printers. No, that's not a foolproof plan, but I think it would go a long way to helping solve the problem.

      Don't just bitch and moan at the "clueless, irresponsible" users - teach them to know better, and help them while they're learning.

    2. Re:Ultimately... by iamacat · · Score: 5, Insightful

      Surely operating systems should be very secure by default, as in not accepting ANY incoming connections, no ActiveX, no executable e-mail attachments. One shouldn't have to install security patches every week just to read e-mail and browse the web.

      What we have here is one company's lack of responsibility and desire to make a quick buck without working on software quality. It's so fortunate they don't make cars.

    3. Re:Ultimately... by lightcycle · · Score: 3, Insightful

      I don't think that impossible to miss buttons will help at all. People will click them and be none the wiser what they really do behind the scenes.
      What people need to realise is that a computer is not like their microwave or tv. A computer doesn't come with all those limits in what they can do. Therefore, a computer must also be more complicated to use.
      Somehow, people that buy a computer must realise that it won't plug and play. They will have to read some documentation (Which should be supplied by the manufacturer, and be easy to understand). If people only realised that to operate a computer they need to clue themselves in slightly, and if computer manufacturers understood the importance of good documentation we would soon see less clueless users.

      --

      The stars that shine and the stars that shrink
      in the face of stagnation the water runs before your eyes
    4. Re:Ultimately... by muirhead · · Score: 2, Insightful

      > What people need to realise is that a computer is not like their microwave or tv. A computer doesn't come with all those limits in what they can do. Therefore, a computer must also be more complicated to use.

      I have to mainly agree with you. Although I believe that most people want their computer to be more like a tv. Convergence will eventually turn the PC into an appliance.

    5. Re:Ultimately... by hdw · · Score: 3, Insightful
      This is a discussion that I think most ISPs have had for many many years.

      Blocking dangerous ports would be a good thing for most ISPs, they want subscribers and online time, but preferably as little traffic as possible.
      Even more so as broadband/always-on connections multiply.

      But all forms of ISP controlled blocks create two problems.

      Some people want those ports open, some because they use those ports, some because they see it as an invasion of privacy (it's _my_ port, and _my_ computer, _I_ decide if I want it blocked or not!).

      As soon as the ISP starts to take 'responsibility' it's hard to say where that responsibility ends. "You block port xxx but not port yyy, and because of that 1000's of customers got infected, bad ISP!"
      And of course, it does mean more work for the staff, which costs money for the ISP.
      But it's not a simple issue.
      Most of it also applies to ISP spam blocks.

      --
      Executive Pope (small) Kallisti Engineering
    6. Re:Ultimately... by Gothmolly · · Score: 2, Interesting

      > What possible reason is there to have file and printer sharing open to the internet?

      Because I want to.
      Because I can.
      Because it's easier than trying to nail up some IPSEC tunnel between my Win box and someone else's.
      ISPs ARE and SHOULD not become content producers, providers, or censors. It's connectivity, that's all. Otherwise, when do you stop?

      --
      I want to delete my account but Slashdot doesn't allow it.
    7. Re:Ultimately... by Shardis · · Score: 2, Interesting

      "I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?"

      Arg, thinking like this just irritates the hell out of me. Get this through your head please. It's MY computer, I'll do whatever the hell I want with it. If I'm breaking laws or causing a problem for you, THEN you may actually be an interested party. Don't we already have enough damn inane laws/regulation to protect us from ourselves?

      Delegating the responsibility for controlling a machine that could potentially affect others to the owner isn't too much to ask, is it? Hell, we do it with everything else!

      "Gee, I didn't realize that if my brakes didn't work I could run someone over with my car..."

      Yeah, educating the users is a good thing. But they should already have some common sense.

      I always tend to shock others when I say that home users should be eligible for criminal (not civil) fines for their (usually intentional) ignorance. I'll gladly pay taxes to hire some actually competent "internet cops" to weed out US problems and act for the US for international problems.

      I'm very much into freedom of speech and various civil liberties, but c'mon, let's have some common sense and realize that what we do affects others...

    8. Re:Ultimately... by Squash · · Score: 2, Insightful

      Unfortunately, you can't look at it that way in the real world. An ISP's responsibility to provide connectivity is its highest priority. They don't care about Blaster Joe or Typhoid Annie, and shouldn't be expected to put up any safeguards against them spreading their joy. However, in the case of the "good" worm, you're pretty much stuck with having to block certain traffic in a big ISP. The wonderful pings that it sends, coming from hundreds or even thousands of users on the same termination router, basically turns into a massive ARP storm. This is enough to bring a device (which usually runs at 30-50% capacity) to the rev limiter, hindering the subscribers' ability to pass legitimate traffic, and creates a level of instability on the units (Hooray for malloc errors in IOS!)

      An ISP shouldn't keep you from visiting tubgirl, goatse, or nambla, or doing whatever you want to do.. They should be prepared, and expected, to block a DOS attack, even if it is unwittingly coming from their own users.

      --
      Squash
  8. Article text by Magic+Thread · · Score: 5, Informative

    Since the article's filename is "flash1.html," I doubt it's staying in that location forever, so here is the text. Posting logged-in because of the insidious article text trolls that have been plaguing Slashdot recently.

    COMPUTER WORM THWARTS POWER SYSTEM REPAIR IN CANADA
    Tue Aug 19 2003 20:33:34 ET

    TORONTO (CP) - A computer worm designed to eliminate an earlier virus brought computer networks to a standstill Tuesday, hindering efforts in Ontario to recover from last week's power outage and forcing Air Canada to check passengers in manually across the country. Vancouver International Airport reported huge delays and long line ups in the international departures terminal as the virus slowed Air Canada's check-in computer system.

    Air Canada spokeswoman Laura Cooke said the virus affected the airline's call centre in Toronto and check-in systems across the country.

    ``It is causing delays in processing customers at airports,'' she said.

    The worm also slowed Ontario's efforts to repair the hydro system from last week's blackout.

    ``The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario,'' said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.

    Inside the terminal in Vancouver, passengers, some of whom have been stranded since the blackout-related problems of last Thursday, were frustrated.

    ``It's a nightmare,'' said one unidentified woman. ``The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.''

    The worm targets computers running Windows 2000 and Windows XP and infected with the blaster worm. Once it deletes the blaster worm, the computer attempts to download a patch of the Microsoft update site, installs the patch and reboots the computer.

    It searches for active computers by sending a signal across the Internet, which results in significant increases in traffic.

    Internet security firm Symantec identified over 600,000 computers on Tuesday afternoon that were affected by one of the two worms.

    Telus, the country's second-biggest phone company, saw operations for 411 operators slowed as the worm infected a number of internal systems at the company, while Corus Entertainment's Web site was down until the company was able to clean up its system.

    The worm snarled the network at the CBC, slowing the broadcaster's Web site.

    The Blaster worm also affected some computers of Ontario's emergency response system dealing with the aftermath of last week's huge blackout across a swath of the province and eight U.S. states.

    Dr. James Young, the Ontario commissioner of public safety, said the problem was ``making our job more difficult.''

    Symantec assessed the worm a ``Level 4'' threat, the second-highest, due to reports of severe disruptions on internal networks.

    ``Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,'' Vincent Weafer, senior director of Symantec Security Response, said.

    ``The worm is swamping network systems with traffic and causing denial of service to critical servers with organizations.''

    It was not known where either of the worms originated. However, blaster, also known as lovsan because of a note it left on vulnerable computers _ ``I just want to say LOVE YOU SAN!'' _ also carried a hidden message to taunt Microsoft's chairman: ``billy gates why do you make this possible? Stop making money and fix your software!''

    Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which fir

  9. Comment removed by account_deleted · · Score: 2, Funny

    Comment removed based on user account deletion

  10. How lame is their IT department? by nacturation · · Score: 4, Insightful
    From the article:
    ``The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario,'' said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.
    So basically they haven't yet learned how to block port 135 on their networks? And they refer to a worm as a virus. I'm glad I don't live in Ontario right about now.
    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re: How lame is their IT department? by Black+Parrot · · Score: 5, Funny

      > "The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario," said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.
      > So basically they haven't yet learned how to block port 135 on their networks? And they refer to a worm as a virus. I'm glad I don't live in Ontario right about now.

      One suspects that the power companies in that corner of the world are oh-so-glad to have any random excuse right now.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:How lame is their IT department? by WoTG · · Score: 4, Insightful

      Or maybe some people actually have a local network that uses port 135! As much as I like to knock the things that go on at Air Canada, I can't really blame this one on them.

      You can't usually block port 135 to all local traffic, because it has legitimate uses on MS networks. So, if a brand new worm or virus comes out, few if any anti-virus programs will detect it. Virus scanners, by-and-large are reactionary. They can't (usually) scan for what they don't know exists. It sounds like this particular worm was written to spread extremely quickly, and few had a chance to develop or update their virus definitions.

      Given this environment, all it takes is one machine to get infected before the entire network gets hit.

    3. Re:How lame is their IT department? by cbdavis · · Score: 2, Interesting

      That is what happened to us - someone brought
      their notebook from home ( with infection) and
      then plugged into IT network. Practice safe
      computing!!!

      In this kind of scenario, firewalls don't help.
      Can't block port 135 at routers 'cause we have apps at that port.

      Needless to say, our IT network is still reeling from this.

  11. Re: Imminent death of the net predicted by Black+Parrot · · Score: 3, Funny


    > Every time I hear about a huge new worm, I wonder how long until someone finds some huge exploit or something that will wreak major havoc over the entire 'net. What would the effects of that be, in the end? Seems like that would have a major effect on world economy.

    Yeah, people would start getting their work done out of sheer boredom.

    --
    Sheesh, evil *and* a jerk. -- Jade
  12. Not a good samaritan worm by Anonymous Coward · · Score: 5, Interesting
    If it were a good samaritan worm, why would it exploit the WebDAV hole, too? Fact is, this is a sneaky worm, not a prophylactic.

    It doesn't just kill the other worm. It replaces it. It's several orders of magnitude better at scanning, persists after reboot just like Blaster, and leaves a backdoor open, just like Blaster.

    OTOH, if you set your DNS to spoof "download.microsoft.com" and point it to an unproxied web server which gives it a different executable file instead of the patch it tries to pull, it will run that executable just dandy. Interesting things you can do to a worm-infected system besides patching it and leaving the infection intact are legion.

  13. Re:My connection sucks by Black+Parrot · · Score: 3, Funny


    > My cable went out for about 2-3 hours earlier, and even before it went out everythings been slow, and still is.

    Yes, due to the state of emergency we'll all have to shoot for "second post" until this dies down, since the internet isn't physically fast enough to let anyone get a "first post" in right now.

    --
    Sheesh, evil *and* a jerk. -- Jade
  14. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  15. Re:But, but, but.. by fussman · · Score: 2, Insightful
    A better worm would have done three things:

    1. Gain access via the same vulnerability.
    2. Do something to block port 135 completely (without generating network traffic).
    3. Go to the next vulnerable system.

    --
    Support Israeli punk bands. Man Alive.
  16. Oh FFS! by marcushnk · · Score: 3, Funny

    If they just made sure their bloody networks were patched and firewalled correctly they wouldn't have this issue..

    Frankly I think that anyone that complains about this needs a good hard lesson in cause and effect.. oh hang on.. looks like they're getting that now!
    Let's hope they're bright enough to recognize it.

    --
    "Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
    1. Re:Oh FFS! by cbdavis · · Score: 5, Insightful

      We got this crap at work. Firewalls didn't help
      because someone in the office took his notebook
      home, got infected and then brought notebook
      into work. Silent infection. You can build
      multiple firewalls but it is worth nothing if
      your users don't protect their networks at home.

    2. Re:Oh FFS! by R.Caley · · Score: 2, Insightful

      > Firewalls didn't help because someone in the office took his notebook home, got infected and then brought notebook into work.

      If you let people plug random machines into your network, you, to all intents and purposes, don't have a firewall.

      Laptops which visit the outside world need to be treated as external machines, not internal ones.

      --
      _O_
      .|<
      The named which can be named is not the true named
  17. And this is bad? by rossz · · Score: 4, Interesting

    So the networks are brought to a crawl due to the large amount of traffic necessary to patch systems because incompetent MCSEs are too incompetent to do the job themselves?

    Well cry me a fucking river.

    With all the worm and virus activity in the last few months they have absolutely no damn excuse for not being on top of this. Since they are too stupid to do their job, someone found it necessary to do it for them. Personally, I would have considered a disk formatting worm to be fully justified.

    --
    -- Will program for bandwidth
    1. Re:And this is bad? by Anonymous Coward · · Score: 2, Informative

      yeah, yeah, blame the user, blame the user.

      Have you totally ignored the discussions about this worm? The fact is that many people took Microsoft's advice, applied the patches and still got compromised. This is a massive failure on Microsoft's part:
      1. for releasing yet another buffer overrun hole in their systems. The coding problems that cause this are well-known, the tools to search for it can be automated, and MS claims to have an army of people searching for these vulnerabilities by hand. Yet one of the affected systems is Windows Server 2003!
      2. They fucked up the fix! The first round of fixes for this vulnerability turned off the DCOM services to the outside world, but left the server listening at the same port and vulnerable to a buffer overflow! Stupid! Stupid! Stupid!
      3. Many claim (and I haven't verified this myself) that the updates said that the fix was already installed when it wasn't. Seems like the registry changes that MS uses to verify that patches were installed are made before the actual patch is installed. If the patch process punted while installing the patch, but after the registry changes were made, it would never try to install it again. Stupid! Stupid! Stupid!

  18. my thoughts by loraksus · · Score: 2, Interesting

    For what it is worth, MS and others should do something like this _EVERY_ time a full root vulnerability is exploited by a released worm, virus etc. So it may stop an app from working, etc. At least a virus didn't fdisk your hdd. Minor patches be damned, vulnerabilities that give the attacker root or equivalent access NEED to be taken care of ASAP.

    If the dumbass sysadmin didn't decide to patch his system, the writer of the software (note I don't think this should be limited to MS) should take it upon themselves to fix it.

    If not immediately after, then a couple days.
    Now. I understand that ms hotfixes tend (AHAHAHAHAHHAHAAH, tend) to screw stuff up. A simple flag in the registry / file in the filesystem could tell the "viral exploit patch", not to patch the system, but send the administrator a message / put a link on the desktop for the patch. Of course, the next worm could just set that flag after infection, so this idea kinda sucks, and which is why I'd recommend the radical option of no way of overriding the "viral exploit patch".

    Yeah, flame me and mod me down, but it is just plain fucking stupid and irresponsible to leave a system in a vulnerable state. When exploits begin to affect infrastructure (whether it be 411 or whatever), they NEED to be taken care of. There are plenty of IT morons who leave critical systems (ok, define critical) open, and it is just a matter of time before something happens and many people actually get hurt.

    And to be completely honest - if the "viral exploit patch" hits your internal network, the destructive one could have just as easily gotten in, that isn't an argument.

    Reporting back to a central server would be cool, although how it would differentiate between many internal networks, the code would need to be optimized to minimize disruption, etc.

    Personally, I think whoever wrote blaster was doing the community a favor, some skript kiddie would eventually write their own version that did something far worse.
    Sure, I'm kind of bitter, but crap like this pisses me off - it gives the IT industry and computers in general a bad image. If it turns out that some hick in ohio forgot to patch his servers - servers that were rebooting when they were supposed to be sending out warnings to other power stations . . .

    Soooo. . . who thinks I'm going to have an ulcer in 10 years ;)

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    1. Re:my thoughts by jwang · · Score: 2, Funny

      ...someone could annihilate every Windows machine connected to the internet in the entire world with one stroke.

      Now that you mention it, that doesn't sound so bad...

  19. Why weren't these systems patched? by chill · · Score: 5, Interesting

    Considering the original and first variant of the MSBlaster worm made major headlines, why were these systems still vulnerable?

    Are each of those systems equipped with a 9-volt battery and a cheap Somebody Else's Problem field?

    And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Why weren't these systems patched? by duffbeer703 · · Score: 2, Informative

      STFU

      Try patchin 75,000 workstations and servers in a month with 100 IT staffers who have jobs to do besides patching MS shit.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    2. Re:Why weren't these systems patched? by Blackknight · · Score: 2, Insightful

      Maybe you should learn how to deploy patches and updates the right way then. Set up an SMS Server, and deploy the patches to every workstation in the domain overnight.

      We did it with a few thousand workstations at my old company and didn't have that much difficulty with it.

  20. Re: So? by Black+Parrot · · Score: 4, Interesting


    > Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.

    Supposedly there are "thousands" of people/organizations already working up lawsuits against that one energy company that's starting to pick up the stink. If it turns out that Blaster had anything to do with it at all, someone's going to get creamed for it.

    And you can bet that they'll go after $omebody with deeper pocket$ than whatever punk-ass kiddie it was who released it. With 50,000,000 people inconvenienced and a reported $6,000,000,000 dent in business, we're talking about a sum that would be a concern even to $DEEPPOCKETS.

    --
    Sheesh, evil *and* a jerk. -- Jade
  21. I agree by kramer2718 · · Score: 3, Insightful

    What kind of sick airline uses Windows servers to do check in and track flights/passengers. Is their IT department completely slow? They deserve what they get.

    (Disclaimer: I've flown Air Canada. The accommodations were very nice.)

  22. I predict that we haven't seen the last of this... by sllim · · Score: 3, Insightful

    This new worm, it looks to me like it is being dubbed an anti-virus.

    Most of the time I learn about something and think it is new it is not. So I won't act shocked when some /.r comes forth and cites instances of anti-viruses in the past.

    However I personally have not come across this before.
    I predict that the anti-virus will never be as prevalent as the virus, but we can expect to see them from here on out.

  23. Re:Welcome to the WORM wars by Black+Parrot · · Score: 3, Funny


    > Send a worm to kill a worm!

    Two worms enter, one worm leaves!

    --
    Sheesh, evil *and* a jerk. -- Jade
  24. Worm vs. Worm - It's a Ripoff! by teamhasnoi · · Score: 5, Funny
    I got this on pay-per-view last week and it was totally fixed. MS Blaster dove off the top rope onto MS Patcher, and then kept booting him, and rebooting him. MS Patcher was like, "Huh? What?" until his manager got in the ring and slapped him.

    You couldn't tell, but I used the freeze-frame on my Beowulf cluster of Tivos and saw that there was hidden IP in Blaster's hand.

    I was so pissed, I called Fight Update to complain, but the lines were all busy.

    Never again will I pay $179 for a pay-per-view wrestling match...although the upcoming free-for-all cage match between SCO, Linux, IBM, Novell, Red Hat and FSF sounds pretty interesting. I bet that PanIP will make an appearance and beat the hell out of somebody too.

    Someone always gets in the cage at the last minute.

  25. Windows servers by danielsfca2 · · Score: 4, Funny

    At Boston/Logan airport last Friday, I saw on a Delta departures/arrivals screen this Windows error dialog in front of the grid of flights:

    "At least one service failed to start..."

    I took a photo of it. I thought:

    - "I'm glad I don't run Windows."
    - "I'm glad I'm not flying Delta today."

    1. Re:Windows servers by media_whore · · Score: 3, Interesting

      You should visit New Zealand some time. I can honestly say, I have never visited an international airport terminal here where there has not been at least one of the arrival/departure screens showing 'This program has performed an illegal operation'. And I visit a fair few international airports.

    2. Re:Windows servers by BigBlockMopar · · Score: 5, Informative

      Yeah. It's amazing where you'll find Windows. For the past few days, the local public education cable channel has had a Windows login prompt misdisplayed.

      Airport FIDS (Flight Information Display Systems) tend to run Windows. I used to manage a system of a few thousand displays running a weird Continental Airlines and Infax proprietary protocol. There were two big reasons for using Windows, despite the suckage. One is that it's a hell of a lot easier to find programmers who can do custom work quickly in the Windows environment. The other is that Windows support for things like multi serial cards and stuff is a lot better; we often didn't have too much choice in the hardware we had to use (strange implementations of the old current loop, on 16 ports, for example... with only one supplier). Airports are very conservative, and with good reason. They really don't like change. Lots of serial cabling and repeaters where Ethernet would have done a great job.

      How about this one: The Canadian government's Office Of Critical Infrastructure Protection and Emergency Preparedness runs IIS.

      Why, given the nature of the department and (one would hope) its awareness of the threats, would they use IIS while more stable and more secure alternatives are still available?

      This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.

      Looking at that site and seeing the fragile infrastructure they're using, I can't help but feel proud to be a Canadian. Jesus wept.

      --
      Fire and Meat. Yummy.
    3. Re:Windows servers by Feztaa · · Score: 4, Interesting

      Yeah. It's amazing where you'll find Windows.

      I work at a gas station, and the computer that controls the gas pumps runs on windows. IOW, if windows crashes, nobody can pump gas, and nobody who has pumped gas already can pay for their gas. It hasn't crashed on us yet (AFAIK -- I've only worked there for a month, and the station has been in service for 2 years).

      But, we have had some problems with it. One day, it kept popping up a stupid dialog saying that the computer is too hot and that if we don't cool it down fast then we'll have to shut it off. Yeah, like we're just going to turn off all our gas pumps in the middle of rush hour (the busiest time of day).

      Later that same day, it popped up with a stupid message saying that it had automatically downloaded and installed updates and patches for us. Seeing that message made me cringe, I was so worried that the patch might have broken something and rendered the entire gas station useless. *shudder*

    4. Re:Windows servers by adpowers · · Score: 3, Interesting

      When I was in an airport a few days ago, I saw one of their chemical identification things (where they put that little cloth after wiping down your bag) booting up. It was running (I believe) Windows 95 (either that or 98, couldn't see the number). I felt safe knowing that national security is in the hands of Microsoft.

    5. Re:Windows servers by dardem · · Score: 2, Insightful

      I know this is off topic, but I remember seeing an Amiga boot prompt (the one with the hand holding the disk) for several days on a public/marketing station in Ireland. This was pretty cool at the time, cause the Amiga was cool. Windoze is pretty lame so seeing it on your TV is pretty lame also.

      Gotta make ya wonder....

      --

      "Ceilean Súil an ní ná feiceann..."
    6. Re:Windows servers by CurlyG · · Score: 5, Funny

      Holy shit, your gas station is running Windows and is connected to the internet??

      Please, please tell me that the pumps can't actually be controlled from the PC running the station...

      --
      You know they call 'em fingers but I've never seen 'em fing. Oh, there they go.
    7. Re:Windows servers by Anonymous Coward · · Score: 4, Funny

      Ummm... there's this thing called a handle... it controls the 'gas' coming out of the nozzle... ummmm... it's like, a handle. You know?

    8. Re:Windows servers by JTunny · · Score: 5, Insightful

      In my hiatus from technical employment (over now after 18 long months) amongst other things I've worked as a baggage handler.

      The clients for the baggage reconciliation system (BRS - ensures bags travel if and only if the passenger gets on the plane, implemented after Lockerbie) run on Windows 3.1!!!

      First thing I thought is, what happens if someone wiretaps the network cable? I'd guess it wasn't encrypted, or if it is, it's a 10 yr old technology. How long would it take to crack it, learn protocols and be able to wreak havoc?

      Must be archaic/vulnerable systems like that in key installations everywhere. Scary to think.

    9. Re:Windows servers by krumms · · Score: 3, Interesting

      But, we have had some problems with it. One day, it kept popping up a stupid dialog saying that the computer is too hot and that if we don't cool it down fast then we'll have to shut it off. Yeah, like we're just going to turn off all our gas pumps in the middle of rush hour (the busiest time of day).

      What, would you rather it just packed up shop and died quietly?

      Later that same day, it popped up with a stupid message saying that it had automatically downloaded and installed updates and patches for us. Seeing that message made me cringe, I was so worried that the patch might have broken something and rendered the entire gas station useless. *shudder*

      Since you're so worried about it, I hope you turned this feature off, then - but perhaps it's just as well, since it probably installed the RPC DCOM fix for you: right?

      Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?

    10. Re:Windows servers by Spoing · · Score: 4, Funny
      Windows is fine for games and light use, but why would you want to do anything serious with it? Sooner or later, these companies will wise up and move to *nix.

      [comic book guy voice] You would think that, but no, no they won't. [puts hands to face and continues to cry]

      On a dead serious note, I have personally wasted 2 hours yesterday on this new strain of the worm (it took down a customer's network that one sub-project needs -- they are SOL). Add 10 hours for the original one and it's a big block of my time over the past week...so much so, that my contract has been extended at this site to deal with the backlog multiple departments are suffering with.

      Here's the kicker; all *my* computers run Linux...yet, the network uses Windows, so the Linux systems become marginally useful even though they purr along fine by themselves.

      Even though I'm not in the IS department on this project, I do get drafted because I know something...and the IS folks are not the cream of the crop here. Some are good, though they all do too much of the 'stand on one leg...no, server is still sick...stand on other leg...nope, is it time? OK, hit the lights and get the chicken while I light the candles.'.

      You can bet that I've been pointing out that I have not had a single virus on my machines, though honestly that is a small value since most of what I do requires the damn network!

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    11. Re:Windows servers by leoboiko · · Score: 3, Insightful
      It's amazing where you'll find Windows.

      Indeed. My bank's ATMs have a cool touchscreen interface. Sometime ago, I was greeted by the usual window about "illegal operation", etc. The thing then rebooted, displaying what looked like a common PC BIOS, and booted Windows 2000.

      This is a case where I think Windows is not too little, it is too much. One wonders how much this (Brazilian, once-public) bank spent with Microsoft licences and hardware when any small, light, specialized OS would do better.

      Fortunately, this is changing. At least one bank is already using Linux.

      --
      Prescriptive grammar:linguistics :: alchemy:chemistry. Stop being a nazi and learn some science.
    12. Re:Windows servers by hdparm · · Score: 3, Funny
      Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?

      So they can act swiftly and download patches :o)

    13. Re:Windows servers by Shardis · · Score: 4, Interesting

      "Since you're so worried about it, I hope you turned this feature off, then - but perhaps it's just as well, since it probably installed the RPC DCOM fix for you: right?"

      Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?


      It might've installed the patch, if someone set it up that way. It's probably set up with 'net access for that reason. The clerk who seems to know better sounds like just a clerk though, and is probably (hopefully) locked out of administrative functions.

      But then, probably not. Anyone who doesn't know by now not to just automagically update without warning or testing on a system you rely on is just too incompetent to be doing the job.

    14. Re:Windows servers by Anonymous Coward · · Score: 2, Interesting

      National security would be in the hands of whoever wrote the software in use to do the actual scanning - not the host operating system.

      It doesn't matter whether you run a Microsoft OS or a flavor of Linux (or any other operating system). In the end, it is the software (in combination with the hardware) that does the actual scanning that makes the real difference.

    15. Re:Windows servers by Quaryon · · Score: 2, Funny

      It's times like these that we need a "+1, Worrying" moderation level..

      Q.

    16. Re:Windows servers by dukerobillard · · Score: 5, Insightful
      How about this one: The Canadian government's Office Of Critical Infrastructure Protection and Emergency Preparedness runs IIS.

      It's just their website, dude. It's not some mission-critical thing.

      This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.

      No, it's as if a fire station's PR firm had the oily rags and matches. Well, if fire stations had PR firms, I mean.

    17. Re:Windows servers by gristlebud · · Score: 5, Interesting
      Our company borrowed one of those machines from the manufacturer to determine its effectiveness at measuring trace explosives in soil for environmental cleanup.

      Because we weren't a paying customer, we were sent the company's test-mule where all the new developments were tried before going into production.

      The machine used a lightly modified Windows 98 installation as its OS. Security was nonexistent, as any idiot (me) could go in and monkey with passwords, workgroup settings, and file locations. (I did this to get it to talk to our network for backup) I was concerned about this at first, until I realized that these devices

      * weren't used with mice or keyboards
      * and typically had armed guards nearby who took a dim view of people monkeying with the hardware

      As far as the installation of windows, we used it for 3 months straight, with absolutely no crashes whatsoever. The only time it was rebooted was when it was shut down for the weekends.

      --
      OK...
      I can do this. I am, after all,
      a superhero!
    18. Re:Windows servers by checkyoulater · · Score: 2, Informative

      where there has not been at least one of the arrival/departure screens showing 'This program has performed an illegal operation'. And I visit a fair few international airports.

      Just because the displays use Windows doesn't mean anything. It was probably easier for whoever developed the system to develop it on Windows. For all you know it could be getting all of the data from a Linux server. I have seen other cases where Windows is only used as the front end. Banks, for example. PC Financial uses Win2k workstations that connect via IBM's client access to an AS/400. The workstation might crash but it doesn't do a thing to the server.

      --
      Is that a real poncho? I mean, is that a Mexican poncho or is that a Sears poncho?
    19. Re:Windows servers by Mr.+Bad+Example · · Score: 5, Funny

      Holy shit, your gas station is running Windows and is connected to the internet??

      "Regular, midgrade, premium...CowboyNeal? The hell?"

  26. Is anyone else getting the mental image by mcc · · Score: 4, Funny

    ...of two huge monsters battling over Tokyo and knocking over buildings in their fight while the puny sysadmins in their tanks futilely try to hurl patches, and one of the huge monsters is Good and one of the huge monsters is Bad but no matter because even if the good one wins, Tokyo is getting stomped flat either way?

    Okay, I think I've just proven that I've been awake too long. Goodnight..

  27. Re:I applaud the idea. by Satan's+Librarian · · Score: 4, Insightful
    Uhm... no. Sorry. It's a bad idea. See this thread for additional comments from before this one hit.

    The original anti-virus virus was probably DenZuk, created to kill the Brain virus. They were both bootsector viruses. Problem is, later on a new format of floppy got introduced - DenZuk trashed users' data when it encountered them. And there wasn't a damned thing the original author could do about it, because it was self replicating, and therefore by definition not under his control.

    If you've gotta go vigilante, don't go viral. Do something you can control. Scan all the machines on the net and patch them, or just patch everything that bounces off your firewall - fine. It's likely to get you in legal hot water, and it is on questionable ethical grounds, but at least you aren't trashing random machines with self replicating code that you can no longer STOP, no matter how much you might want to.

    Any experienced programmer will know well that code that works on one machine is not going to always work on every other machine - no matter how good of a coder you are. Any smart and experienced programmer will also know that almost any complex program is going to run into a situation it wasn't designed for eventually and create an unexpected and probably very unpleasant result. Spend some time and think about it before acting.

  28. Re:But, but, but.. by RoLi · · Score: 2, Funny
    The funny thing is that many admins will react by reinstalling Windows from scratch.

    D'oh, d'oh indeed.

  29. Couple of things - train crashes etc. by skinfitz · · Score: 5, Interesting

    Firstly during Code Red it got blamed for Internet slowdown, until someone realised that some major net cables were damaged in a train tunnel fire that later turned out to be the real reason.

    Secondly, lots of people are (hopefully) going to be scrabbling for WindowsUpdate for patches which will also add to the bandwidth being consumed.

  30. We have yet to see a bad one! by CB-in-Tokyo · · Score: 3, Insightful

    So far, we rarely see a truly malicious worm or virus. Most of what we see are certainly annoying, can be expensive to clean, and cost businesses in terms of downtime, network slowdowns and data loss, however, they could be a whole lot worse. The worst one I remember is Chernobyl that would flash anything in your computer that was updateable from your video card to your Mainboard leaving you with a (figuratively) smoking lump of useless, twisted metal.

    We are always finding out about vulnerabilities. This one obviously existed since the beginning of time since it is exploitable on all post 3.1 versions of windows. If someone years ago had made a worm that infected systems slowly, so as not to draw attention, and then in a given time frame was really destructive such as chernobyl, we could end up having real problems on our hands.

    These worms that make us find and patch these holes, without wiping our systems out, are costly, yes, and annoying yes, but they are also protecting us from the really malicious ones, by making us all more aware, and ensuring that steps are taken to prevent. I am not just talking about the cleanup worm, but also MSblaster. It doesn't destroy anything, but it makes us protect ourselves, makes us develop an immune system.

    I am not saying I like them, and in my work I am the one responsible for protecting our offices, and cleaning up if something were to get through but I would rather be protecting from MSBlaster, than something really nasty.

  31. Re:Reinstall by AlphaSys · · Score: 3, Insightful

    Well, considering that you can have no confidence in a system that is known to have had unauthorised remote commands executed on it, I'd have to say that might not be a bad idea.

    --
    Can I bum a sig? I left mine at the office.
  32. this is not good worm vs. bad worm. by htmlboy · · Score: 5, Informative

    this is a battle of bad worm vs. less obviously bad worm. i don't understand why nobody seems to realize that naichi is also a threat. besides the fact that it's a worm, it leaves behind a pair of services, exposing the "repaired" computer to future exploitation, next time through a more convenient tftp interface.

    is it really that much to ask people to read an advisory of how the worm works before cheering it on?

  33. Re:DRM by shibashaba · · Score: 2, Insightful

    Yes and what about when web sites and media start requiring DRM/Palladium whatever crap computers and operating systems to access their sites? What about when an ISP requires it to connect to their service? Web developers seem to be pretty braindead about the way they put a lot of sites together as it is (and no I don't care how many people I offend). Comcast's homepage actually has a flash dialog come up telling me that I need to install flash to use one of the features! This will shut out opensource companies effectively. Do not try and pretend this will be handled through the W3C or anyone else who is impartial. Microsoft is the biggest pusher of security through obscurity and will not allow anyone to make an opensource implementation or put it up to a standards community like them. It goes against everything they've been saying. And what good are certificates anyway? Half the web sites can't even figure out how to renew their certificates in the first place, not even the trustedcomputing site. With the system you describe anytime some software company you bought from doesn't renew their subscription you won't be able to use your software that you spend hundreds of dollars on. And if they're permanent there's nothing stopping people from somehow using the same certificates in worms or viruses. People can modify programs installing rootkits that have the same crc as the original software. Furthermore, what happens when the security for any part is broken? Now the malicious code/hacker is completely trusted. I'm making a lot of assumptions here on the exact implementation, and nothing I've said is original, but whatever it comes down to is the system is crap. It hasn't kept the xbox and playstations, dvd players, or windows media from being cracked -- and these are small fish compared to how extensive microsoft wants to see this stuff implemented. It is targeted at people like you though, that just want something to make you feel good and give people excuses for not thinking about security or monitoring their systems.

    --
    ---------- Open Source is capitalism applied to IP.
  34. iptables rules by dmeranda · · Score: 4, Informative

    For those who run a Linux firewall between a network of Windows boxes and the Internet you should rate limit those IP echo (ping) packets. Refer to my previous posting where I showed some sample iptables rules.

    Of course my firewalls have port 135 (and a lot more) blocked. Still, it is very hard to keep out of a large network, it doesn't have to get through a firewall. But once inside it can quickly spread and then your firewall or border router will get flooded with pings. I was seeing well over 1 million pings per minute. At that rate my stateful Linux firewall was crawling on its knees as the connection tracking table filled up trying to remember all those echo requests so it could match them up with the echo responses. It didn't crash Linux, but it did render it near useless.

    The scariest thing with all these worms is thinking about what could have been. What if they actually did something much more serious? What if they throttled back on the network scanning just a bit so they didn't take the network completely down and it took longer to notice?

    1. Re:iptables rules by fizl · · Score: 2, Informative

      Path MTU Discovery and Filtering ICMP

      dropping all ICMP doesn't "just make sense" without thinking of the consequences.

    2. Re:iptables rules by mdouglas · · Score: 2, Informative

      >...you can fairly easily cut down on the damage being done by blocking all incoming ICMP traffic at your packet filtering bridge/router.
      >Sure, traceroute is nice, but things like this mean it's just not worth the ICMP overhead.

      Dropping all ICMP traffic is a bad habit to get into. ICMP is necessary for ip fragmentation and path maximum transmission unit discovery to work properly. You will break things if you drop it.
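
An added example, not part of the thread and not the rules dmeranda refers to: one way to rate-limit forwarded echo requests on a Linux firewall, as comment 34 suggests, without dropping the ICMP errors that path MTU discovery depends on, as the replies warn. The chain names, the interface name and the rate values are assumptions; the function only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): print, without applying, iptables rules
# that rate-limit forwarded pings but keep ICMP error messages flowing.
# Interface name, chain names and rate/burst numbers are assumptions.

# Accept only values such as "10/second", so a malformed argument never ends
# up inside a generated command line.
valid_rate() {
    echo "$1" | grep -Eq '^[1-9][0-9]*/(second|minute|hour|day)$'
}

# Usage: icmp_rules [lan_interface] [per_source_rate] [total_rate]
icmp_rules() {
    lan_if="${1:-eth1}"        # LAN-facing interface (assumed name)
    per_src="${2:-5/second}"   # cap for each sending host (assumed value)
    total="${3:-50/second}"    # cap for the LAN as a whole (assumed value)

    case "$lan_if" in
        ""|*[!A-Za-z0-9._-]*) echo "bad interface name: $lan_if" >&2; return 2 ;;
    esac
    valid_rate "$per_src" || { echo "bad per-source rate: $per_src" >&2; return 2; }
    valid_rate "$total"   || { echo "bad total rate: $total" >&2; return 2; }

    cat <<EOF
iptables -N ICMP_FWD
iptables -N ECHO_LIMIT
# Echo replies and ICMP errors tied to tracked flows (fragmentation-needed for
# path MTU discovery, time-exceeded for traceroute) are always accepted.
iptables -A ICMP_FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Only new echo requests leaving the LAN go through the limiter.
iptables -A ICMP_FWD -i ${lan_if} -p icmp --icmp-type echo-request -j ECHO_LIMIT
# Everything else falls back to the existing FORWARD rules.
iptables -A ICMP_FWD -j RETURN
# Per-host cap: one scanning machine cannot use up the shared allowance.
iptables -A ECHO_LIMIT -m hashlimit --hashlimit-name echo_src --hashlimit-mode srcip --hashlimit-above ${per_src} --hashlimit-burst 10 -j DROP
# Aggregate cap: bounds the load when many hosts are scanning at once.
iptables -A ECHO_LIMIT -m limit --limit ${total} --limit-burst 100 -j ACCEPT
# Packets dropped here never get a confirmed connection-tracking entry.
iptables -A ECHO_LIMIT -j DROP
iptables -I FORWARD 1 -p icmp -j ICMP_FWD
EOF
}
```

Hosts that trip the per-source cap are worth logging before the drop: a workstation sending new pings faster than the cap is a candidate for cleanup.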

  35. Re:But, but, but.. by Jhon · · Score: 4, Insightful

    The funny thing is that many *nix admins (me included) would react to an exploited/owned machine the same way. Funny.

  36. Re:that's alright by jerw134 · · Score: 2, Informative

    I wouldn't expect any MS anti-virus software for quite awhile... Actually, a Microsoft anti-virus (among other things) program is currently in alpha stage. It's called the "PC Satisfaction Trial" and contains firewall, backup, and anti-virus tools. Although it's extremely buggy at the moment (which is to be expected with alpha software) it does look very promising. Even at alpha, it's simple enough for Joe User to figure out how to use it. I predict this program will be quite a big success.

  37. Re:I applaud the idea. by danielsfca2 · · Score: 3, Interesting

    I disagree. MrP's revision on my idea would:
    * Only infect machines already sick with w32.Blaster
    * Stop these machines from restarting due to the RPC process being terminated.
    * Stop these machines from causing network slowdown by scanning.
    Even if there was a problem with the code, it would still do more good than harm, because every machine patched would be one less flooding the 'net searching for machines to infect. It would not increase the traffic, because machines unpatched but uninfected would not be affected by this "good" worm.

    While I agree that in many situations, one might worry about releasing any worm into the wild, I think in this case the worst case scenario is it doesn't work. Which is the same as if you don't try at all, so there's little to lose.

    > Any smart and experienced programmer will also know that almost any complex program...

    Complex? This could be accomplished with a really small app. Its job would be incredibly simple:
    1. Kill blaster process, delete blaster app
    2. Attempt to download MS patch. If unsuccessful several times, terminate.
    3. Execute patch.
    4. Open relevant port
    5. Wait for a connection.
    6. Transmit self to next machine.
    7. Has it been a week since last time scanned? If so, terminate.
    8. Goto 5.

    Sounds pretty simple to me, at least. I think it'd be pretty easy to debug.

  38. Not hydroelectric by brucmack · · Score: 2, Informative

    The article says that the virus is hindering repairs on Ontario's "hydro" system... not that it is affecting hydroelectric.

    Just another misunderstanding based on the use of the word "hydro" to mean "electricity"... it would be nice if at least news sources would stop making this simple mistake :)

  39. just why... by mahhy · · Score: 3, Insightful

    Why would the "fix" worm be this much worse than the original? They do essentially the same thing, use the same exploit, transmit themselves the same way. The only difference I can see is that the "fixer" reboots your PC once, whereas the original could continuously reboot your PC. Why is the press making it sound (at least in this case) that this worm is worse than the original?!

    Perhaps it's the worm's attempt to download the patch from MS that's causing all the headaches, but the patch *IS* rather small, so I'm not very convinced on that point.

    Am I being paranoid, or overreacting or what?

    1. Re:just why... by NeuroManson · · Score: 2, Insightful

      Well, if the number of users with unpatched systems range into the millions at the most, and are ALL downloading the 30-40Mb of patches from Microsoft, AND are all spreading the worm simultaneously, then the traffic use is more than likely in the range of several thousand magnitudes, then yes, they would do much more damage to both windowsupdate.com and the ISPs the users are using.

      --
      Just because you can mod me down, doesn't mean you're right. Shoes for industry!
    2. Re:just why... by NeuroManson · · Score: 2, Informative

      The thing is, the worm doesn't download *just* that patch, from the listing, it downloads at least 8 related and semi related patches.

      It's just a good thing that the worm wasn't patched in SP1 for WinXP, or else Microsoft itself could conceivably nuke thousands of warezed copies without even trying.

      PS: Microsoft, if you're reading this, you better give me a cut for the idea.;)

      --
      Just because you can mod me down, doesn't mean you're right. Shoes for industry!
  40. Re:DRM by Satan's+Librarian · · Score: 4, Insightful
    Trolling, or just innocent? DRM could help slow the proliferation of viruses somewhat, but - I doubt it will actually fix worms like this. What it can do is prevent unknown hostile programs from running in the first place - if you're running an executable directly. I think it is a good idea, but more from a corporate administrative standpoint - no more stupid users installing KaZaa.

    But can DRM truly be the solution to prevent exploits and worms? I doubt it. I expect that it will be trivial to exploit a program that's already been verified and make it do something it shouldn't even with fairly well implemented DRM.

    Email viruses may be halted in their tracks - but most exploits will most likely not be. You say the Palladium implementation of DRM is sophisticated enough to detect a code change during runtime from a stack overwrite? I doubt it, but if so - just change the data instead. Same effect. It raises the bar, but viruses share a characteristic there with open source - the bar only has to be hurdled once before the flood. See the recent rash of RPC hole worms and exploits - one guy did it, now everyone and their 12 year old can.

    And licensing a piece of software for $1000-$2000 so that it could run in the first place is ridiculous. Do you like freeware, shareware, or open source? It'd kill it on that platform. Might be great for the competing platforms, but not the one it's on.

    I think the real threat with DRM though is that it'll be used in the ways we've already seen, only more expansive. Wanna play a DVD you bought on an unauthorized operating system? Pay the fee, or, if the owners are too lazy to write software for your OS, just forget about it. And don't even think about writing a program to play it for you if you value your freedom.

    If left unchecked, CDs will become that way. Downloadable audio has already started to. Tried to download an mp3 from iTunes on Linux? Find anywhere else you can get the same tunes legally? For now - yes, just buy the CD. For now. Hopefully consumers will be upset enough as use of such copy protection schemes increases to purchase alternatives. I subscribe to E-Music myself - no DRM, but I'm paying for the industry to create more, and mostly to smaller labels (mainly Napalm, if they keep track - bands like Tristania, The Sins of Thy Beloved, etc).

  41. Re: So? by AlphaSys · · Score: 2

    The article he cites would be an interesting read. He should link it instead of being vague.

    The company that got hit is going to have a hard time blaming anyone beyond their own admins. MS did the same thing they do to mitigate any other risk plus did some extra public-awareness work. Anybody who didn't see this coming and at least follow the advisory's recommendations to firewall the appropriate ports... well, they weren't too concerned about their systems. I mean, c'mon, NetBIOS ports open to untrusted networks? What system that critical should be allowing that? I don't allow NetBIOS to my son's gaming machine!

    --
    Can I bum a sig? I left mine at the office.
  42. Re:I applaud the idea. by Satan's+Librarian · · Score: 2, Interesting
    I was right the first time, and quite honestly I think I'll be proven right again if it's done as you suggest.

    Not complex? You're downloading a bloody Microsoft Patch and running it! Have you seen how many people - competent administrators - have been saying all along that they have the automatic updates turned off because the patches keep breaking their machines? Ever written a buffer exploit? That's usually not simple code either, and it is very system and application specific - if the underlying code changes, but an overflow remains, your code will have completely unpredictable results. That's why the original patch for RPC prevented infection, but many patched computers that got probed still crashed.

    Also - this won't be done in a corporate environment with proper testing labs if it is done. You simply won't have legal access to the number and variety of machines you need to even get an idea that it might work properly right at the moment, much less "for all of its lifetime". The DenZuk example I provided is a perfect example of a pretty well written virus that went all wrong - the disks it corrupted didn't even exist when the author wrote it, and yet, it still caused damage.

    What happens when an uninfected machine attempts a legitimate RPC call? You infect it? Great.... You just broke someone's intranet that relied on RPC to get the job done, and you're preventing the legitimate program from binding to the port. Good job - pat yourself on the back, you just cost a company $1,000,000 in lost time during cleanup and lost customers.

    Someone's CMOS battery is dead and they reboot it once a day? Great! Worm never dies, hoses RPC forever for that machine.

    Bad idea. Mark my words on that.

  43. Re:But, but, but.. by FuegoFuerte · · Score: 5, Insightful

    From what I've read, this worm actually does use the same vulnerability. And why block port 135 completely? Doing that risks breaking ish. Breaking ish isn't a good thing. No, here's what a better worm would've done:

    1) Once on a box, clean and patch said box.
    2) Sit and listen to port 135, waiting for Blaster to rear its ugly pulsing-zit-like head.
    3) In response to Blaster probe, install itself on Blaster-infested machine and start over at 1).
    4) On some set date in future, or when number of Blaster-probes remains 0 for a predetermined time (say 1 month), remove itself from system.

    By only loading itself onto machines which first probe it (trying to spread Blaster), it completely eliminates the stupid network scans. In that way, it only attempts contact with machines which have shown themselves to be Blaster-infested, while leaving the rest of the internet alone.

  44. Wasn't this by Mark_MF-WN · · Score: 2, Interesting

    Wasn't this how viruses were "invented"? To perform upgrades? Some network admin had the bright idea of performing maintenance by having a process that jumped from system to system, updating as it went. Unfortunately, it did so in a very non-deterministic and incorrect way, and the entire network had to be taken down so that individual computers could be disinfected in isolation. Several years later, the event inspired the first research into computer viruses.

    PLEASE let me know if I've horribly botched this tale -- I'd hate to sound like a fool.

    Anyway, I'd say that the whole idea of eliminating a worm with a worm is akin to infecting someone with malaria to cure the Plague.

    1. Re:Wasn't this by Satan's+Librarian · · Score: 3, Informative
      Yep, here's one version of the tale.

      Virus history is a bit different if you follow the definition of viruses parasitically infecting files, whereas worms are self-contained and actively spread via network. Here's a paper that covers the early history of both to some degree.

  45. It's not THAT good. by chrome · · Score: 4, Informative

    1) When it infects machines, 99% of the time it is unable to download the patch. This makes it pointless.

    No, I don't know why, I guess it's because windows update URL has changed? All the machines that we've found with this virus have not been patched and had to have the patch applied anyway.

    2) It tries to ping every machine on its local network as fast as it can, repeatedly. It doesn't just do a single scan then shut up til 2004 (its expiry date) - oh no, it continually scans. That's ok if you have 2 machines on your LAN, but when you have a huge switched LAN with a few hundred or thousand hosts on a /16, that's a lot of traffic.

    I see LOTS of ARP traffic from the machines doing the scanning to hosts on the local network, and I see loads of ICMP echo-request destined for outside our network. Which I filter now.

    3) It runs as a service that isn't detected by many virus scanners, for some reason Nortons didn't find it though McAfee did. Again I have no idea why.

    The thing did a LOT of collateral damage on our network with a couple of hundred machines. I shudder to think about what kind of damage it is doing to large networks at universities etc.

    1. Re:It's not THAT good. by Nunar · · Score: 2, Funny

      So wait, I don't get it...

      Which is worse, exploiting Windoze? Or fixing it?

      "I could do a lot of stuff, if I had some money!" -Homer Simpson

  46. Totally untrue! by fireboy1919 · · Score: 4, Interesting

    It's not the offending system that is attacked and destroyed, it's the systems that are attacked via DDOS through the hacked boxes using signal propagating viruses.

    Have you heard of Dalnet? The network that used to be the largest of the IRC networks? It isn't now. Four months of DDOS attacks against all its servers brought that to a halt (and there were like 10 of them). It's come back up, but most people have moved to other networks.

    Maybe you didn't see this as a real problem because it didn't affect you, but four months can do more than merely wipe data or destroy hardware. They can take down businesses forever.

    I'd rather have the "malicious ones" destroy computers owned by users who are partially to blame for letting in viruses than destroy businesses that have no fault at all in the matter.

    On an interesting parallel: one of the most destructive viruses (real world) on the planet is Ebola. How do you think its rate of spreading and death rate compare to AIDS? It's the slow, insidious viruses that you have to worry about, not the ones that are obvious. Not knowing that the virus is there is the best defense a virus has against inoculation or containment, which gives it more time to spread and wreak havoc.

    --
    Mod me down and I will become more powerful than you can possibly imagine!
  47. real damage? by zarniwhoop · · Score: 2, Interesting

    Many posts here talk about what if worms did some *real* damage. I wonder what this could be? A worm that formats the HDD is obviously useless - how will it replicate? In order to spread, it necessarily exposes its presence and therefore it can be killed. So the max damage a worm can do is limited. Am I right in my thinking?

  48. Worms are bad, but... by FireFury03 · · Score: 3, Interesting

    Worms are bad. Period. Even if the worm is supposed to be good then the damage it can do in terms of network usage, etc causes problems.

    However, vulnerable boxes do cause a lot of problems, so IMHO a better solution is for those people who care about such things to install a system on their firewall that responds to scans - if a machine scans your firewall then you look to see if you recognise the signature of the scan (i.e. the likes of Code Red, etc, have quite distinctive patterns of scanning) and then your firewall launches an exploit against that machine that is scanning you. Once exploited the system would take some action to close the vulnerability and remove the worm (i.e. turn on the auto update stuff, install whatever patches are needed, etc). After it's done that the software that you installed through the exploit would delete itself.
    This is a defense - the machine in question attacked your network so your network responded by fixing the compromised machine - no other (innocent) machines are affected by the problem.

    ISPs also need to do something to help the situation IMHO - there is no sane reason to use Netbios over the internet so this should be blocked by every ISP (I know some do already, but the vast majority still allow it).

    And remembering that 90% of home windows users are completely clueless when it comes to security, they need to be forced into fixing their systems. The best way I can see of doing that is for all ISPs to look for scans coming from their customers - if a machine is making a lot of scans to lots of hosts all over the internet that matches the signature of a known worm, the ISP should pull the customer's entire internet connection. In fact it wouldn't be too hard for the ISP to intercept all web requests and redirect them to a website with all the patches on it. This is damage limitation - if a machine is compromised and is attempting to compromise other machines then it is essential that machine is taken off the network ASAP. If all the ISPs followed these steps then the spread of worms would be severely reduced.
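
The continuous ICMP echo-request scanning described in comment 45 and the ISP-side scan detection proposed in comment 48 both come down to counting how many distinct destinations one source pings within a short window. The following is an added example, not part of any comment in this thread; the log format, addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed (hypothetical) firewall log format, one packet per line:
#   <epoch-seconds> ICMP type=<n> src=<ip> dst=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d+) ICMP type=(?P<type>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def build_sample_log(base=1061300000):
    """Constructed sample traffic; every address and timestamp is made up."""
    events = []
    # Sweeper: echo-requests to 40 different hosts in about 20 seconds.
    for i in range(40):
        events.append((base + i // 2, 8, "10.1.4.23", f"10.1.0.{i + 1}"))
        # Echo replies (type 0) coming back; these must not be counted.
        events.append((base + i // 2, 0, f"10.1.0.{i + 1}", "10.1.4.23"))
    # Monitoring box: many pings, but always to the same gateway.
    for i in range(200):
        events.append((base + i, 8, "10.1.7.9", "10.1.0.1"))
    # Slow host: 40 different destinations, but one every 100 seconds.
    for i in range(40):
        events.append((base + 100 * i, 8, "10.1.8.8", f"10.2.0.{i + 1}"))
    # Ordinary user pinging three hosts.
    for i in range(3):
        events.append((base + 5 + i, 8, "10.1.9.50", f"10.3.0.{i + 1}"))
    events.sort()
    return [f"{ts} ICMP type={t} src={s} dst={d}" for ts, t, s, d in events]

def find_sweepers(lines, window=60, threshold=30):
    """Return {src: peak distinct echo-request destinations in any window}
    for every source whose peak reaches the threshold.
    Lines are assumed to be in time order."""
    recent = defaultdict(deque)                       # src -> (ts, dst) in window
    in_window = defaultdict(lambda: defaultdict(int)) # src -> dst -> packet count
    peak = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["type"] != "8":   # only ICMP echo-request
            continue
        ts, src, dst = int(m["ts"]), m["src"], m["dst"]
        q, seen = recent[src], in_window[src]
        q.append((ts, dst))
        seen[dst] += 1
        # Drop packets that have aged out of the sliding window.
        while q and q[0][0] <= ts - window:
            _, old_dst = q.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        peak[src] = max(peak.get(src, 0), len(seen))
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in sorted(find_sweepers(build_sample_log()).items()):
        print(f"{src}: {n} distinct echo-request targets within 60s")
```

Counting distinct destinations rather than packets is what keeps the monitoring host, which sends far more pings than the sweeper, out of the result.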

  49. Not just in Canada by BigBadBri · · Score: 2, Informative
    Lockheed Martin and possibly the US Navy (they may have mistaken Patcher for Blaster) are reported to have been hit too.

    --
    oh brave new world, that has such people in it!
  50. Windows Emergency Services by YaiEf · · Score: 5, Interesting

    I served military duty in the Danish Emergency Management Agency and was shocked when I saw they were implementing the entire system for reporting all kinds of disasters and emergencies (everything from tunnel fires to radiation leeks) on Windows 2000. These computers were connected to the net - and knowing the place they would probably never be updated. And even worse - it wasn't even a stripped down Windows 2000 that only ran the necessary services - it was a default (apparently unpatched) installation complete with an autostarting Messenger.

    I'm not all that great on securing Windows boxes - but that sure didn't seem right. Considering this would be the first way (and for something like 5 minutes!) to warn the local emergency services of something - which could very well be a tunnel collapse/fire/whatever where 5 minutes easily can make a lot of difference in human lives. The program that was custom-made for emergency-reporting also seemed of pretty poor quality - most likely a case of lowest bidder with no one competent setting intelligent rules for the bidders.

    1. Re:Windows Emergency Services by Shardis · · Score: 3, Insightful

      Jeez, troll, hopefully? :P

      Granted, Win2k is prolly the best out for windows applications, but c'mon, unpatched/unstripped?

      Are you suicidal?!

      I've been having problems enough securing my Win2k machine securely, running only required (by me) services, and goddamn fully patched. Even though MS's patches break all my goddamn custom/low level apps.

      Five minutes? If you're unaware on an unpatched base Win2k install on an older service pack, it takes 5 seconds to hopelessly compromise a default Win2k install if you're unlucky. :P

    2. Re:Windows Emergency Services by Pig+Hogger · · Score: 3, Funny
      (everything from tunnel fires to radiation leeks)
      Note to self: carry dosimeter to my mother's when I'll go there in case she serves me her cream of leek soup.
  51. Re:But, but, but.. by BlackHawk-666 · · Score: 2, Informative
    That's because it's the safest approach...unless of course you are running tripwire and can track the changes to your system. Besides, you can simply quarantine off your data, re-install your standard base, then drop the data back in onto a machine that now has a known build of software. Of course, this wouldn't be particularly safe when data and code are mixed together, like in files from a certain word processor we all know and hate (MS Word).

    I actually rebuilt my server the other day onto a new machine, not because of a worm, but because I got a second hand dual proc 750MHz server (with RAID 5!) for nothing. It was pretty easy to install the base system, RedHat 9, run up2date, then copy the important files from /etc into place. Back up and running in no time. Try doing that with the registry.

    --
    All those moments will be lost in time, like tears in rain.
  52. Re:But, but, but.. by timmyf2371 · · Score: 4, Insightful
    Whether a worm is good or bad, you still don't want it executing on your box without permission, IMO.

    Perhaps have a stage in there where the "Good Samaritan" worm pops up and explains to the user how it got there, the implications of the security issue, and asks the user if they want to fix their system.

    --

    Backup not found: (A)bort (R)etry (P)anic
  53. Windows on airport displays by Anarchofascist · · Score: 5, Funny

    My wife and I were going through Dublin airport when I noticed that a number of the airport schedule display screens were going through a reboot sequence. I showed it to her : "Hey, looks like that one crashed."

    She had to point out that a more alarming interpretation of the word "crashed" may have been made by some of the other people in the arrivals area.

    --
    Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
    1. Re:Windows on airport displays by operagost · · Score: 2, Funny
      Good thing it wasn't a Mac- then you might have said it "bombed".

      "So, the last thing I remember is a 250 lb. guard putting his knees into my back..."

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    2. Re:Windows on airport displays by PHPee · · Score: 2, Informative

      While at the airport about 2 months ago, I noticed one of the display terminals had blue screened. I was rather delighted, so I snapped a few pics before airport security noticed.

  54. Usual high standard of reporting, I see by Rogerborg · · Score: 2, Insightful

    There is absolutely no evidence that Welchia is worse than Blaster, as a cursory reading of the linked article would reveal to anyone who passed the fourth grade.

    If you're unpatched, you either get Welchia, or you get Blaster. They both hose your network. If you're too stupid to block the ports and apply the patches, then you're going to get one or the other.

    Go on, pick one. Not that it makes any difference. Welchia isn't worse than Blaster. Sure, it opens a port, and everyone is assuming (why?) that this is a back door, but as long as you're unpatched and your 135 port is open, arbitrary code can be run on your box anyway, so how does Welchia make that worse?

    Lies, damn lies, statistics, Slashdot reporting.

    --
    If you were blocking sigs, you wouldn't have to read this.
  55. Re: So? by joeykiller · · Score: 2, Informative

    I didn't link to the article because it's in Norwegian. But if you can read Norwegian, here it is.

    This article is based upon another article from the Danish newspaper Jyllands-Posten, but I'm unable to locate the article on their web site.

  56. Re:My connection sucks by Espen+Skoglund · · Score: 3, Insightful

    And to make matters worse, you get 1 mail a minute from some remote daemon telling you that there is a virus in a message which is apparently from you. Mail administrators who set up such auto-replies should be taken out and shot.

  57. Worm Vs. Worm by zarathustra93 · · Score: 2, Interesting

    I don't care what the intent was on this anti-worm worm. I have one sales guy in Australia right now that somehow managed to get *both* worms on his laptop- despite the fact that I sent him instructions ahead of time on how to patch his system and ensure that his virus definitions were updated. Now he's expecting me to help him out despite the fact that he cannot connect to our VPN, and that he's 12 hours ahead of us.

    Good Samaritan worm my ass- this one is just as big a pain as Lovesan was.

    It'll be interesting to see how this impacts the future of worms and virii though.

  58. W2K Service Pack 2 by b1t+r0t · · Score: 3, Insightful
    The patch for this exploit under Windows 2000 requires Service Pack 2 be installed first. I know that all the downloading for the patch is causing these network problems, but just assume for a moment that the patcher worm gets to a W2K system that has never had a Service Pack upgrade. If it's not perfectly written, it'll download the patch, try to install it, then reboot the computer, right?

    So what if it's sitting there saying "This patch requires Service Pack 2", and the worm reboots? The result: a still unpatched system! Even if the worm were to consider its work done, after reboot the computer can be re-infected. Which means another download of the patch gets started! Can you say "Sorcerer's Apprentice"?

    Even if the worm were smart enough to download a service pack, we're talking over 100 megabytes. That can take a while if you don't have good broadband, and meanwhile it's providing a nice accidental DDoS against microsoft.com.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  59. Re: So? by AlphaSys · · Score: 2, Insightful

    Well, Joey, we agree on one thing... we both know one admin who will know better next time (we hope) or one position that has a new chance to be filled by someone worthy of pay grade above that of fry-cook. These companies kill me... hiring not only unschooled slobs but lazy ones as well to oversee their most critical infrastructure. It's amazing. It's one thing to run critical services on Windows; it's another to have an inattentive dolt manage them.

    The bad part about it is that these guys bring down the pay grade for more skilled admins both in the Windows and *NIX world.

    --
    Can I bum a sig? I left mine at the office.
  60. 21st century version of CoreWars by DickBreath · · Score: 5, Interesting

    It's the new 21st century version of core wars.

    MS Windows Virus Wars. Coming to a desktop near you. Let the evolution begin.

    --

    I'll see your senator, and I'll raise you two judges.
  61. Mission Critical? Don't use Windows by Toolsmith · · Score: 2, Interesting
    I find it hard to believe that the mission critical systems at 411, Air Canada, and Ontario Hydro are running Windows. We all know that Windows has major security flaws - why don't the CIOs of these corporations set a mandate to move their mission critical applications over to Solaris, AIX, OS400 or OS390?

    Even if they are using Windows Internet Explorer for the front-end GUI to access the big-iron back-end, at least ensure that they are capable of patching all of their front-office systems. For instance, they should be using enterprise-wide software distribution facilities such as Tivoli Software Distribution.

    If it's not possible to distribute software to the endpoints, at least have a firewall installed in each location, or have firewalls installed in each PC.

    No wonder Air Canada has troubles with bankruptcy - their foundation is not solid. Imagine how much money they lost because of this worm (and last week's power-outage - that's another rant)?

    You will notice a lot of software vendors are now introducing their products into the Linux platform due to corporate demand - many companies want to move away from Windows because of these critical flaws.

  62. Worm by Eviscero · · Score: 3, Funny

    I'm going to develop a worm, that mutates into two different worms...one will be the democrats, the other will be the republicans.

    On the first Tuesday in November, one of them will activate and fill your computer, television and radio with loads of bullshit.

    --


    It's not what you know; It's what you can find out.
  63. Good and bad, and a slippery slope by swb · · Score: 2, Interesting

    I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?

    It's good and bad and something of a slippery slope. When I sign up with an ISP, I want IP service -- the ability to send and receive any and all IP datagrams, regardless of their type or subtype. If my ISP starts filtering my IP service based on the overflowing basket of potential IP-based vulnerabilities, I lose that IP service. That's bad.

    It's also something that "controllers" will want to see implemented based on whatever their agenda is (MSN blocks AIM, RIAA/MPAA wants Kazaa/Gnutella blocked, Ashcroft wants IPSec blocked, et al). That's the slippery slope, and it leads to what amounts to cable-TV internet service -- transparent proxied, web-only service. Yuck.

    The good would be that the ignorant wouldn't be vulnerable, and many of us that manage networks professionally wouldn't have to put up with the amplification effect of millions of infested boxes with terabytes of bandwidth. Some more obscure worms/viruses would die on the vine, but I highly doubt it will end all of them.

    What ISPs should do is offer a "filtered" internet connection that limits vulnerabilities and charge extra for it. Although I'm sure it'd be a major headache to set up, and potentially a huge liability if the filtering was inadequate to stop a worm or a new vulnerability.

    This would allow for the clueless to get something to help them, and protect people who want real IP service, and not some cable tv-like service.

    Unfortunately, I think the real solution is more, bigger worms: this should shame MS into overhauling their networking security model.

  64. disk formatting would be better. by twitter · · Score: 3, Informative
    So the networks are brought to a crawl due to the large amount of traffic necessary to patch systems because incompetent MSCEs are too incompetent to do the job themselves?

    That's a little harsh, don't you think? People did apply patches, they just did not work. The only incompetent thing is to use or recommend Microsoft in the first place. It should be obvious by now that M$ has no place on a network. More than a year after Bill Gates made security job one, M$ still blows and it always will.

    I would have considered a disk formatting worm to be fully justified.

    Well, it would require fewer network services and people could get on with the rebuild job they need anyway. Face it, you can't trust a worm to do your job. If you get either of these, it's time to break out the CDs and rebuild the machine because you can't trust a worm to not be trojaned. That would be nicer than making it so no computer can use a network because these broken boxes are spewing their guts out trying to get M$ patches.

    The answer is to dump Microsoft altogether. Free software is obviously superior by now and no one needs to spend good money on bad Microsoft software anymore. Disasters like this just go to show the real TCO of that junk. The collateral damage to people who don't run M$ at all is unacceptable as well.

    You have to wonder if businesses that don't use M$ anymore but were unable to use networks because of it can sue M$ and the dummies that still use them. Sounds like another billion dollar class action lawsuit followed by thousands of individual suits to chip at the rapidly diminishing M$ pile of ill-gotten cash.

    --

    Friends don't help friends install M$ junk.

  65. Plagiarism alive and well... by RALE007 · · Score: 2, Interesting
    After reading the article, I had a haunting feeling of deja vu, most notably to the paragraph:

    "...Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which first started hitting computers around the world on Monday. ..."

    I could have sworn I had read the exact same statement in a different article a few days ago. The statement had stuck in my head because it implied the worm problem was completely the users' fault for not installing the patch. Since it seemed so familiar, I googled the phrase "Although Microsoft posted a software patch to fix the flaw" (google limits you to ten words or less). Lo and behold, hundreds of hits for individual separate articles from "different" news sources with the exact same paragraph, completely verbatim. I am aware that information is shared through the Associated Press, but personally I find it unsettling that all of these news authors do little more than cut and paste another author's words (and voice), instead of writing an article on the same subject with different points of view or ways of expressing the facts. It is especially concerning when the statement in this example seems to slant blame away from a responsible party, Microsoft, in a serious situation that they are largely (IMO) accountable for.

    Perhaps I am off topic, but I felt obliged to point out my discovery. I didn't think it was possible, but my level of trust in the quality of information in the media has dropped yet another rung.

    --
    Beware blue cats moving at .99c
  66. Remind anyone of CoreWars? by witts · · Score: 2, Insightful

    This worm vs. worm stuff definitely reminds me of watching CoreWars running 2 or more "programs" that are trying to clobber each other. For those not in the know, CoreWars started off in Scientific American Mathematical Recreations article and describes a low-level programming language close to assembly language called Redcode. Using Redcode you write mini programs that are supposed to clobber other programs in Core (aka memory). Fun and fascinating to watch. There are versions for Windows & Linux, so no excuse not to try it. They even have an annual contest, IIRC.

    Maybe it's time for someone to invent Internet-enabled Corewars so that programs can attack each other via broadband...

    --
    pot.kettle(black);
  67. 2 friends so far by Koatdus · · Score: 2, Informative

    So far I have had two friends come over to my house with their PCs and tell me "It keeps rebooting."

    Both had cable internet. One had no firewall and one had a software firewall. The software firewall had been helpfully turned off by some spyware program. (Ad-aware http://www.lavasoft.de found over 200 spyware programs on the PC.)

    I wish someone would release an anti code red worm or two. I still see pages and pages of code red attempts in my logs. After how many months? Any machine that is not code red patched is probably not going to be.

    While I am ranting, how about an anti Kazaa worm and an anti Comet Cursor worm.

    I hope no one is working on a worm that changes the passwords in a windows box? That would create a mess.

    Question:

    I am seeing a lot of ICMP type 8 traffic and domain-udp traffic aimed at my firewall today from all over the place. Much more than normal. Is the antiworm doing this or something else?

    --
    Every wrong attempt discarded is a step forward - T. Edison