Slashdot Mirror
Worm vs. Worm Battle Slows Networks
joel_archer writes "According this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit was the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
MS exploit virus comes out.
mysterious patching virus starts making the rounds. massive consequences.
we should be doing this more often, kids.
-Leigh
"cleanup" worms are still bad. Since the original worm didn't do anything except attack a domain name that's no longer in use, the cleanup one may even be worse.
Who cares?
Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
If this theory is right I guess 50 million americans without power cares whether incompetent admins can't keep their networks up.
The Register also has an article on this.
Basically the same core facts, but also talks about the ethical issues with "good" worms.
Dark Nexus
"Sanity is calming, but madness is more interesting."
ISPs are going to start firewalling off more and more ports because of the fact that Windows is insecure. But more importantly, customers don't care enough about the problems to deal with their own responsiblity: securing their own machines.
Many ISPs already filter the standard windows NetBIOS ports (137-139, i think) because of possible attacks.
I think this opens an interesting problem. If people don't start taking their own computer's security seriously, other people will be forced to -- their ISPs. Will ISPs become liable then if attacks do take place?
Since the article's filename is "flash1.html," I doubt it's staying in that location forever, so here is the text. Posting logged-in because of the insidious article text trolls that have been plaguing Slashdot recently.
COMPUTER WORM THWARTS POWER SYSTEM REPAIR IN CANADA
Tue Aug 19 2003 20:33:34 ET
TORONTO (CP) - A computer worm designed to eliminate an earlier virus brought computer networks to a standstill Tuesday, hindering efforts in Ontario to recover from last week's power outage and forcing Air Canada to check passengers in manually across the country. Vancouver International Airport reported huge delays and long line ups in the international departures terminal as the virus slowed Air Canada's check-in computer system.
Air Canada spokeswoman Laura Cooke said the virus affected the airline's call centre in Toronto and check-in systems across the country.
``It is causing delays in processing customers at airports,'' she said.
The worm also slowed Ontario's efforts to repair the hydro system from last week's blackout.
``The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario,'' said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.
Inside the terminal in Vancouver, passengers, some of whom have been stranded since the blackout-related problems of last Thursday, were frustrated.
``It's a nightmare,'' said one unidentified woman. ``The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.''
The worm targets computers running Windows 2000 and Windows XP and infected with the blaster worm. Once it deletes the blaster worm, the computer attempts to download a patch of the Microsoft update site, installs the patch and reboots the computer.
It searches for active computers by sending a signal across the Internet, which results in significant increases in traffic.
Internet security firm Symantec identified over 600,000 computers on Tuesday afternoon that were affected by one of the two worms.
Telus, the country's second-biggest phone company, saw operations for 411 operators slowed as the worm infected a number of internal systems at the company, while Corus Entertainment's Web site was down until the company was able to clean up its system.
The worm snarled the network at the CBC, slowing the broadcaster's Web site.
The Blaster worm also affected some computers of Ontario's emergency response system dealing with the aftermath of last week's huge blackout across a swath of the province and eight U.S. states.
Dr. James Young, the Ontario commissioner of public safety, said the problem was ``making our job more difficult.''
Symantec assessed the worm a ``Level 4'' threat, the second-highest, due to reports of severe disruptions on internal networks.
``Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,'' Vincent Weafer, senior director of Symantec Security Response, said.
``The worm is swamping network systems with traffic and causing denial of service to critical servers with organizations.''
It was not known where either of the worms originated. However, blaster, also known as lovsan because of a note it left on vulnerable computers _ ``I just want to say LOVE YOU SAN!'' _ also carried a hidden message to taunt Microsoft's chairman: ``billy gates why do you make this possible? Stop making money and fix your software!''
Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which fir
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
It doesn't just kill the other worm. It replaces it. It's several orders of magnitude better at scanning, persists after reboot just like Blaster, and leaves a backdoor open, just like Blaster.
OTOH, if you set your DNS to spoof "download.microsoft.com" and point it to an unproxied web server which gives it a different executable file instead of the patch it tries to pull, it will run that executable just dandy. Interesting things you can do to a worm-infected system besides patching it and leaving the infection intact are legion.
Comment removed based on user account deletion
So the networks are brought to a crawl due to the large amount of traffic necessary to patch systems because incompetent MSCEs are too incompetent to do the job themselves?
Well cry me a fucking river.
With all the worm and virus activity in the last few months they have absolutely no damn excuse for not being on top of this. Since they are too stupid to do their job, someone found it necessary to do it for them. Personally, I would have considered a disk formatting worm to be fully justified.
-- Will program for bandwidth
Considering the original and first variant of the MSBlaster worm made major headlines, why were these systems still vulnerable?
Are each of those systems equipped with a 9-volt battery and a cheap Somebody Else's Problem field?
And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.
Learning HOW to think is more important than learning WHAT to think.
> Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
Supposedly there are "thousands" of people/organizations already working up lawsuits against that one energy company that's starting to pick up the stink. If it turns out that Blaster had anything to do with it at all, someone's going to get creamed for it.
And you can bet that they'll go after $omebody with deeper pocket$ than whatever punk-ass kiddie it was who released it. With 50,000,000 people inconvenienced and a reported $6,000,000,000 dent in business, we're talking about a sum that would be a concern even to $DEEPPOCKETS.
Sheesh, evil *and* a jerk. -- Jade
Personally, I'd have written a worm that enables automatic updates and XP's inbuilt firewall. If windowsupdate can't handle the load perhaps they shouldn't have designed it in a way that -purposely breaks- normal web caching.
The current round of worms are clumsy and unimaginitive. I think it's only a matter of time before we see a worm that does some -real- damage.
455fe10422ca29c4933f95052b792ab2
You couldn't tell, but I used the freeze-frame on my Beowulf cluster of Tivos and saw that there was hidden IP in Blasters hand.
I was so pissed, I called Fight Update to complain, but the lines were all busy.
Never again will I pay $179 for a pay-per-view wrestling match...although the upcoming free-for-all cage match between SCO, Linux, IBM, Novell, Red Hat and FSF sounds pretty interesting. I bet that PanIP will make an appearance and beat the hell out of somebody too.
Someone always gets in the cage at the last minute.
At Boston/Logan airport last Friday, I saw on a Delta departures/arrivals screen this Windows error dialog in front of the grid of flights:
"At least one service failed to start..."
I took a photo of it. I thought:
- "I'm glad I don't run Windows." - "I'm glad I'm not flying Delta today."
...of two huge monsters battling over Tokyo and knocking over buildings in their fight while the puny sysadmins in their tanks futilely try to hurl patches, and one of the huge monsters is Good and one of the huge monsters is Bad but no matter becuase even if the good one wins, Tokyo is getting stomped flat either way?
Okay, I think I've just proven that I've been awake too long. Goodnight..
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
The original anti-virus virus was probably DenZuk, created to kill the Brain virus. They were both bootsector viruses. Problem is, later on a new format of floppy got introduced - DenZuk trashed users' data when it encountered them. And there wasn't a damned thing the original author could do about it, because it was self replicating, and therefore by definition not under his control.
If you've gotta go vigilante, don't go viral. Do something you can control. Scan all the machines on the net and patch them, or just patch everything that bounces off your firewall - fine. It's likely to get you in legal hot water, and it is on questionable ethical grounds, but at least you aren't trashing random machines with self replicating code that you can no longer STOP, no matter how much you might want to.
Any experienced programmer will know well that code that works on one machine is not going to always work on every other machine - no matter how good of a coder you are. Any smart and experienced programmer will also know that almost any complex program is going to run into a situation it wasn't designed for eventually and create an unexpected and probably very unpleasant result. Spend some time and think about it before acting.
I write code.
We got this crap at work. Firewalls didnt help
because someone in the office took his notebook
home, got infected and then brought notebook
into work. Silent infection. You can build
multiple firewalls but it is worth nothing if
your users dont protect their networks at home.
Firstly during Code Red it got blamed for Internet slowdown, until someone realised that some major net cables were damaged in a train tunnel fire that later turned out to be the real reason.
Secondly, lots of people are (hopefully) going to be scrabbling for WindowsUpdate for patches which will also add to the bandwidth being consumed.
this is a battle of bad worm vs. less obviously bad worm. i don't understand why nobody seems to realize that naichi is also a threat. besides the fact that it's a worm, it leaves behind a pair of services, exposing the "repaired" computer to future exploitation, next time through a more convenient tftp interface.
is it really that much to ask people to read an advisory of how the worm works before cheering it on?
For those who run a Linux firewall between a network of Windows boxes and the Internet you should rate limit those IP echo (ping) packets. Refer to my previous posting where I showed some sample iptables rules.
Of course my firewalls have port 135 (and a lot more) blocked. Still, it is very hard to keep out of a large network, it doesn't have to get through a firewall. But once inside it can quickly spread and then your firewall or border router will get flooded with pings. I was seeing well over 1 million pings per minute. At that rate my stateful Linux firewall was crawing on its knees as the connection tracking table filled up trying to remember all those echo requests so it could match them up with the echo responses. It didn't crash Linux, but it did render it near useless.
The scariest thing with all these worms is thinking about what could have been. What if they actually did something much more serious? What if they throttled back on the network scanning just a bit so they didn't take the network completely down and it took longer to notice?
The funny thing is that many *nix admins (me included) would react to an exploited/owned machine the same way. Funny.
But can DRM truly be the solution to prevent exploits and worms? I doubt it. I expect that it will be trivial to exploit a program that's already been verified and make it do something it shouldn't even with fairly well implemented DRM.
Email viruses may be halted in their tracks - but most exploits will most likely not be. You say the Palladium implementation of DRM is sophisticated enough to detect a code change during runtime from a stack overwrite? I doubt it, but if so - just change the data instead. Same effect. It raises the bar, but viruses share a characteristic there with open source - the bar only has to be hurdled once before the flood. See the recent rash of RPC hole worms and exploits - one guy did it, now everyone and their 12 year old can.
And licensing a piece of software for $1000-$2000 so that it could run in the first place is ridiculous. Do you like freeware, shareware, or open source? It'd kill it on that platform. Might be great for the competing platforms, but not the one it's on.
I think the real threat with DRM though is that it'll be used in the ways we've already seen, only more expansive. Wanna play a DVD you bought on an unauthorized operating system? Pay the fee, or, if the owners are too lazy to write software for your OS, just forget about it. And don't even think about writing a program to play it for you if you value your freedom.
If left unchecked, CD's will become that way. Downloadable audio has already started to. Tried to download an mp3 from iTunes on Linux? Find anywhere else you can get the same tunes legally? For now - yes, just buy the CD. For now. Hopefully consumers will be upset enough as use of such copy protection schemes increase to purchase alternatives. I subscribe to E-Music myself - no DRM, but I'm paying for the industry to create more, and mostly to smaller lables (mainly Napalm, if they keep track - bands like Tristania, The Sins of Thy Beloved, etc).
I write code.
From what I've read, this worm actually does use the same vulnerability. And why block port 135 completely? Doing that risks breaking ish. Breaking ish isn't a good thing. No, here's what a better worm would've done:
1) Once on a box, clean and patch said box.
2) Sit and listen to port 135, waiting for Blaster to rear its ugly pulsing-zit-like head.
3) In response to Blaster probe, install itself on Blaster-infested machine and start over at 1).
4) On some set date in future, or when number of Blaster-probes remains 0 for a predetermined time (say 1 month), remove itself from system.
By only loading itself onto machines which first probe it (trying to spread Blaster), it completely eliminates the stupid network scans. In that way, it only attempts contact with machines which have shown themselves to be Blaster-infested, while leaving the rest of the internet alone.
1) When it infects machines, 99% of the time it is unable to download the patch. This makes it pointless.
/16, thats a lot of traffic.
No, I don't know why, I guess its because windows update URL has changed? All the machines that we've found with this virus have not been patched and had to have the patch applied anyway.
2) It tries to ping every machine on it's local network as fast as it can, repeatedly. It doesn't just do a single scan then shut up til 2004 (it's expiry date) - oh no, it continually scans. Thats ok if you have 2 machines on your LAN, but when you have a huge switched lan with a few hundred or thousand hosts on a
I see LOTS of ARP traffic from the machines doing the scanning to hosts on the local network, and I see loads of ICMP echo-request destined for outside our network. Which I filter now.
3) It runs as a service that isn't detected by many virus scanners, for some reason Nortons didn't find it though McAffee did. Again I have no idea why.
The thing did a LOT of collateral damage on our network with a couple of hundred machines. I shudder to think about what kind of damage it is doing to large networks at universities etc.
It's not the affending system that is attacked and destroyed, it's the systems that are attacked via DDOS through the hacked boxes using signal propagating viruses.
Have you heard of Dalnet? The network that used to be the largest of the IRC networks? It isn't now. Four months of DDOS attacks against all it's servers brought that to a halt (and there were like 10 of them). It's come back up, but most people have moved to other networks.
Maybe you didn't see this as a real problem because it didn't affect you, but four months can do more than merely wipe data or destroy hardware. They can take down businesses forever.
I'd rather have the "malicious ones" destroy computers owned by users who are partially to blame for letting in viruses than destroy businesses that have no fault at all in the matter.
On an interesting parallel: one of the most destructive viruses (real world) on the planet is Ebola. How do you think it's rate of spreading and death rate compare to AIDS? It's the slow, insideous viruses that you have to worry about, not the ones that are obvious. Not knowing that the virus is there is the best defense a virus has against innoculation or containment, which gives it more time to spread and wreak havok.
Mod me down and I will become more powerful than you can possibly imagine!
I served military duty in the Danish Emergency Management Agency and was shocked when I saw they were implementing the entire system for reporting all kinds of disasters and emergencies (everything from tunnel fires to radiation leeks) on Windows 2000. These computers were connected to the net - and knowing the place they would probably never be updated. And even worse - it wasn't even a stripped down Windows 2000 that only ran the necessary services - it was a default (apparently unpatched) installation complete with an autostarting Messenger.
I'm not all that great on securing Windows boxes - but that sure didn't seem right. Considering this would be the first way (and for something like 5 minutes!) to warn the local emergency services of something - which could very well be a tunnel collapse/fire/whatever where 5 minutes easily can make a lot of difference in human lives. The program that was custom-made for emergency-reporting also seemed of pretty poor quality - most likely a case of lowest bidder with noone competent seeting intelligent rules for the bidders.
Perhaps have a stage in there where the "Good Samaritan" worm pop up and explain to the user how it got there, the implications of the security issue, and ask the user if they want to fix their system.
Backup not found: (A)bort (R)etry (P)anic
My wife and I were going through Dublin airport when I noticed that a number of the airport schedule display screens were going through a reboot sequence. I showed it to her : "Hey, looks like that one crashed."
She had to point out that a more alarming interpretation of the word "crashed" may have been made by some of the other people in the arrivals area.
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
It's the new 21st century version of core wars.
MS Windows Virus Wars. Comming to a desktop near you. Let the evolution begin.
I'll see your senator, and I'll raise you two judges.