Worm vs. Worm Battle Slows Networks
joel_archer writes "According to this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit was the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
MS exploit virus comes out.
mysterious patching virus starts making the rounds. massive consequences.
we should be doing this more often, kids.
-Leigh
Who cares?
Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason for the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
If this theory is right I guess 50 million Americans without power care whether incompetent admins can't keep their networks up.
The Register also has an article on this.
Basically the same core facts, but also talks about the ethical issues with "good" worms.
Dark Nexus
"Sanity is calming, but madness is more interesting."
Since the article's filename is "flash1.html," I doubt it's staying in that location forever, so here is the text. Posting logged-in because of the insidious article text trolls that have been plaguing Slashdot recently.
COMPUTER WORM THWARTS POWER SYSTEM REPAIR IN CANADA
Tue Aug 19 2003 20:33:34 ET
TORONTO (CP) - A computer worm designed to eliminate an earlier virus brought computer networks to a standstill Tuesday, hindering efforts in Ontario to recover from last week's power outage and forcing Air Canada to check passengers in manually across the country. Vancouver International Airport reported huge delays and long lineups in the international departures terminal as the virus slowed Air Canada's check-in computer system.
Air Canada spokeswoman Laura Cooke said the virus affected the airline's call centre in Toronto and check-in systems across the country.
``It is causing delays in processing customers at airports,'' she said.
The worm also slowed Ontario's efforts to repair the hydro system from last week's blackout.
``The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario,'' said Terry Young, a spokesman for Ontario's Independent Electricity Market Operator.
Inside the terminal in Vancouver, passengers, some of whom have been stranded since the blackout-related problems of last Thursday, were frustrated.
``It's a nightmare,'' said one unidentified woman. ``The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.''
The worm targets computers running Windows 2000 and Windows XP and infected with the blaster worm. Once it deletes the blaster worm, the computer attempts to download a patch from the Microsoft update site, installs the patch and reboots the computer.
It searches for active computers by sending a signal across the Internet, which results in significant increases in traffic.
Internet security firm Symantec identified over 600,000 computers on Tuesday afternoon that were affected by one of the two worms.
Telus, the country's second-biggest phone company, saw operations for 411 operators slowed as the worm infected a number of internal systems at the company, while Corus Entertainment's Web site was down until the company was able to clean up its system.
The worm snarled the network at the CBC, slowing the broadcaster's Web site.
The Blaster worm also affected some computers of Ontario's emergency response system dealing with the aftermath of last week's huge blackout across a swath of the province and eight U.S. states.
Dr. James Young, the Ontario commissioner of public safety, said the problem was ``making our job more difficult.''
Symantec assessed the worm a ``Level 4'' threat, the second-highest, due to reports of severe disruptions on internal networks.
``Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,'' Vincent Weafer, senior director of Symantec Security Response, said.
``The worm is swamping network systems with traffic and causing denial of service to critical servers with organizations.''
It was not known where either of the worms originated. However, blaster, also known as lovsan because of a note it left on vulnerable computers - ``I just want to say LOVE YOU SAN!'' - also carried a hidden message to taunt Microsoft's chairman: ``billy gates why do you make this possible? Stop making money and fix your software!''
Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which fir
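The article above says the worm finds new hosts by probing across the Internet, and later in the thread port 135 is named as the Blaster vector. As an added example (not from the article or any commenter), here is a small Python detector that flags a source contacting many distinct hosts on TCP/135 within a short window, which is the network-side symptom both worms produce. The flow-record format ("epoch src dst dport"), the sample records and the thresholds are assumptions constructed for illustration.

```python
"""Flag hosts whose outbound pattern looks like worm scanning (added example).

Given flow records of the form "epoch_seconds src dst dport" (format is an
assumption), count how many distinct destinations each source touches on
the target port inside a sliding time window and report the ones over a
threshold. Sample flows below are constructed, not captured traffic.
"""
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

Flow = Tuple[int, str, str, int]

SCAN_PORT = 135               # RPC endpoint mapper, the port named in the thread
WINDOW_SECONDS = 60           # sliding window length (assumption)
DISTINCT_DST_THRESHOLD = 20   # distinct targets in a window that count as a sweep (assumption)


def parse_flow(line: str) -> Flow:
    """Parse one 'epoch src dst dport' record into (ts, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def find_scanners(lines: Iterable[str], port: int = SCAN_PORT,
                  window: int = WINDOW_SECONDS,
                  threshold: int = DISTINCT_DST_THRESHOLD) -> Dict[str, int]:
    """Return {source: peak distinct destinations on `port` within `window`}
    for every source whose peak reaches `threshold`."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f[0])
    recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)  # (ts, dst) still in window
    in_window: Dict[str, Counter] = defaultdict(Counter)            # dst -> hits in window
    peak: Dict[str, int] = defaultdict(int)

    for ts, src, dst, dport in flows:
        if dport != port:
            continue                      # only the port the worm spreads on
        q, c = recent[src], in_window[src]
        q.append((ts, dst))
        c[dst] += 1
        # Expire records older than the window, keeping the distinct count exact.
        while q and ts - q[0][0] > window:
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        peak[src] = max(peak[src], len(c))

    return {src: n for src, n in peak.items() if n >= threshold}


def build_sample_flows() -> List[str]:
    """Constructed records: 10.0.0.5 sweeps 40 hosts on TCP/135 in 20 seconds,
    10.0.0.7 and 10.0.0.9 make a few ordinary connections."""
    base = 1061337600  # arbitrary epoch, constructed
    lines = [f"{base + i // 2} 10.0.0.5 10.1.0.{i + 1} 135" for i in range(40)]
    lines += [
        f"{base + 5} 10.0.0.7 10.2.0.10 135",    # one RPC contact with a server
        f"{base + 6} 10.0.0.7 10.2.0.11 80",
        f"{base + 7} 10.0.0.7 10.2.0.12 443",
        f"{base + 8} 10.0.0.9 10.2.0.10 135",
        f"{base + 300} 10.0.0.9 10.2.0.13 135",  # same host later, outside the window
    ]
    return lines


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_flows()).items():
        print(f"possible scanner {src}: {n} distinct hosts on TCP/{SCAN_PORT} "
              f"within {WINDOW_SECONDS}s")
```

Only the sweeping host is reported; the two hosts that contact a single RPC server each stay below the threshold, which is the distinction a network team wants when deciding whether a machine needs cleaning rather than blanket-blocking the port.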
It doesn't just kill the other worm. It replaces it. It's several orders of magnitude better at scanning, persists after reboot just like Blaster, and leaves a backdoor open, just like Blaster.
OTOH, if you set your DNS to spoof "download.microsoft.com" and point it to an unproxied web server which gives it a different executable file instead of the patch it tries to pull, it will run that executable just dandy. Interesting things you can do to a worm-infected system besides patching it and leaving the infection intact are legion.
One suspects that the power companies in that corner of the world are oh-so-glad to have any random excuse right now.
Sheesh, evil *and* a jerk. -- Jade
Considering the original and first variant of the MSBlaster worm made major headlines, why were these systems still vulnerable?
Are each of those systems equipped with a 9-volt battery and a cheap Somebody Else's Problem field?
And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.
Learning HOW to think is more important than learning WHAT to think.
It's a case of a lesser of two evils. The problem is, there are thousands of exploitable boxes and if nothing is done about it, in the long term, this is going to cause some serious problems. Many of the owners of these systems will never fix or patch them themselves.
It's really a toss-up between a worm that temporarily slows down networks by spreading and patching the systems it infects, then automatically deleting itself after a set date, or a script kiddie scanning the entire internet, picking up these boxes and adding them to his DDoS network, which can slow down all or any network(s) (root DNS servers, anyone?) he or she chooses at a later date.
It is for this reason, IMHO, that these exploitable boxes are a threat to the integrity of the internet, and while writing a worm to automatically patch the systems might be rather militant, something has to be done about it.
Personally, I'd have written a worm that enables automatic updates and XP's inbuilt firewall. If windowsupdate can't handle the load perhaps they shouldn't have designed it in a way that -purposely breaks- normal web caching.
The current round of worms are clumsy and unimaginative. I think it's only a matter of time before we see a worm that does some -real- damage.
455fe10422ca29c4933f95052b792ab2
Many ISPs already filter the standard windows NetBIOS ports (137-139, I think) because of possible attacks.
I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?
True, it shouldn't be the responsibility of the ISP, and no, I'm not exactly happy with the thought of port filtering becoming commonplace and extending to other ports (ftp, ssh, http, etc - after all, "it's a home connection, you shouldn't be running servers..."). As an interim measure, though, it at least does help to contain the problem.
If people don't start taking their own computer's security seriously
I think you have that wrong. People do take their computer's security seriously, they just don't know enough about it. They also, largely, expect to be able to just switch their computer on, and have it work, like everything else they use. TV, video, dvd, microwave, car, central heating - they're all made, installed or set up once, and then just work. If they break down, they're replaced, or a qualified engineer is called to fix them.
People aren't yet used to the idea that computers don't quite act like that. You and I may have been working closely with them for years, but most "ordinary" people haven't. So, they expect them to require the same amount of effort as everything else they use.
I think that PC manufacturers could go a long way to helping here - shipping with firewalls and virus scanners preinstalled and configured. Perhaps have a couple of big, impossible to miss buttons on the desktop - "click here if this machine is connecting directly to the internet", "click here if this machine will not connect to the internet, or will connect via another machine on the network", "click here if you don't know what that means", that configures the machine appropriately for its role. That way, the gateway can be secured, while the rest of the network can share files and printers. No, that's not a foolproof plan, but I think it would go a long way to helping solve the problem.
Don't just bitch and moan at the "clueless, irresponsible" users - teach them to know better, and help them while they're learning.
It's official. Most of you are morons.
You couldn't tell, but I used the freeze-frame on my Beowulf cluster of Tivos and saw that there was a hidden IP in Blaster's hand.
I was so pissed, I called Fight Update to complain, but the lines were all busy.
Never again will I pay $179 for a pay-per-view wrestling match...although the upcoming free-for-all cage match between SCO, Linux, IBM, Novell, Red Hat and FSF sounds pretty interesting. I bet that PanIP will make an appearance and beat the hell out of somebody too.
Someone always gets in the cage at the last minute.
Surely operating systems should be very secure by default, as in not accepting ANY incoming connections, no ActiveX, no executable e-mail attachments. One shouldn't have to install security patches every week just to read e-mail and browse the web.
What we have here is one company's lack of responsibility and desire to make a quick buck without working on software quality. Its so fortunate they don't make cars.
We got this crap at work. Firewalls didn't help because someone in the office took his notebook home, got infected and then brought the notebook into work. Silent infection. You can build multiple firewalls but it is worth nothing if your users don't protect their networks at home.
Firstly during Code Red it got blamed for Internet slowdown, until someone realised that some major net cables were damaged in a train tunnel fire that later turned out to be the real reason.
Secondly, lots of people are (hopefully) going to be scrabbling for WindowsUpdate for patches which will also add to the bandwidth being consumed.
this is a battle of bad worm vs. less obviously bad worm. i don't understand why nobody seems to realize that naichi is also a threat. besides the fact that it's a worm, it leaves behind a pair of services, exposing the "repaired" computer to future exploitation, next time through a more convenient tftp interface.
is it really that much to ask people to read an advisory of how the worm works before cheering it on?
Yeah. It's amazing where you'll find Windows. For the past few days, the local public education cable channel has had a Windows login prompt misdisplayed.
Airport FIDS (Flight Information Display Systems) tend to run Windows. I used to manage a system of a few thousand displays running a weird Continental Airlines and Infax proprietary protocol. There were two big reasons for using Windows, despite the suckage. One is that it's a hell of a lot easier to find programmers who can do custom work quickly in the Windows environment. The other is that Windows support for things like multi serial cards and stuff is a lot better; we often didn't have too much choice in the hardware we had to use (strange implementations of the old current loop, on 16 ports, for example... with only one supplier). Airports are very conservative, and with good reason. They really don't like change. Lots of serial cabling and repeaters where Ethernet would have done a great job.
How about this one: The Canadian government's Office Of Critical Infrastructure Protection and Emergency Preparedness runs IIS.
Why, given the nature of the department and (one would hope) its awareness of the threats, would they use IIS while more stable and more secure alternatives are still available?
This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.
Looking at that site and seeing the fragile infrastructure they're using, I can't help but feel proud to be a Canadian. Jesus wept.
Fire and Meat. Yummy.
From what I've read, this worm actually does use the same vulnerability. And why block port 135 completely? Doing that risks breaking ish. Breaking ish isn't a good thing. No, here's what a better worm would've done:
1) Once on a box, clean and patch said box.
2) Sit and listen to port 135, waiting for Blaster to rear its ugly pulsing-zit-like head.
3) In response to Blaster probe, install itself on Blaster-infested machine and start over at 1).
4) On some set date in future, or when number of Blaster-probes remains 0 for a predetermined time (say 1 month), remove itself from system.
By only loading itself onto machines which first probe it (trying to spread Blaster), it completely eliminates the stupid network scans. In that way, it only attempts contact with machines which have shown themselves to be Blaster-infested, while leaving the rest of the internet alone.
Holy shit, your gas station is running Windows and is connected to the internet??
Please, please tell me that the pumps can't actually be controlled from the PC running the station...
You know they call 'em fingers but I've never seen 'em fing. Oh, there they go.
In my hiatus from technical employment (over now after 18 long months) amongst other things I've worked as a baggage handler.
The clients for the baggage reconciliation system (BRS - ensures bags travel if and only if the passenger gets on the plane, implemented after Lockerbie) run on Windows 3.1!!!
First thing I thought is, what happens if someone wiretaps the network cable? I'd guess it wasn't encrypted, or if it is, it's a 10 yr old technology. How long would it take to crack it, learn the protocols and be able to wreak havoc?
Must be archaic/vulnerable systems like that in key installations everywhere. Scary to think.
I served military duty in the Danish Emergency Management Agency and was shocked when I saw they were implementing the entire system for reporting all kinds of disasters and emergencies (everything from tunnel fires to radiation leaks) on Windows 2000. These computers were connected to the net - and knowing the place they would probably never be updated. And even worse - it wasn't even a stripped down Windows 2000 that only ran the necessary services - it was a default (apparently unpatched) installation complete with an autostarting Messenger.
I'm not all that great on securing Windows boxes - but that sure didn't seem right. Considering this would be the first way (and for something like 5 minutes!) to warn the local emergency services of something - which could very well be a tunnel collapse/fire/whatever where 5 minutes easily can make a lot of difference in human lives. The program that was custom-made for emergency-reporting also seemed of pretty poor quality - most likely a case of lowest bidder with no one competent setting intelligent rules for the bidders.
My wife and I were going through Dublin airport when I noticed that a number of the airport schedule display screens were going through a reboot sequence. I showed it to her: "Hey, looks like that one crashed."
She had to point out that a more alarming interpretation of the word "crashed" may have been made by some of the other people in the arrivals area.
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
It's just their website, dude. It's not some mission-critical thing.
This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.
No, it's as if a fire station's PR firm had the oily rags and matches. Well, if fire stations had PR firms, I mean.
It's the new 21st century version of core wars.
MS Windows Virus Wars. Coming to a desktop near you. Let the evolution begin.
I'll see your senator, and I'll raise you two judges.
Because we weren't a paying customer, we were sent the company's test-mule where all the new developments were tried before going into production.
The machine used a lightly modified Windows 98 installation as its OS. Security was non-existent, as any idiot (me) could go in and monkey with passwords, workgroup settings, and file locations. (I did this to get it to talk to our network for backup.) I was concerned about this at first, until I realized that these devices weren't used with mice or keyboards and typically had armed guards nearby who took a dim view of people monkeying with the hardware.
As far as the installation of windows, we used it for 3 months straight, with absolutely no crashes whatsoever. The only time it was rebooted was when it was shut down for the weekends.
OK... I can do this. I am, after all, a superhero!
Holy shit, your gas station is running Windows and is connected to the internet??
"Regular, midgrade, premium...CowboyNeal? The hell?"