Slashdot Mirror


New Microsoft Worm Coming Soon?

Seft sent in a solid article running on the BBC discussing the next potential worm explosion on the heels of a recent Security Bulletin from Microsoft. The article is a somewhat general topic piece on worms in general.


  1. The Amazing Flying Hackers of China! by RobertB-DC · · Score: 5, Interesting

    From the article:
    US computer security firm iDefense discovered the code being circulated from Chinese websites. It said some computers were already being broken into using the new exploit code.

    This puts a bit of a different spin on the previous story, in which Taiwan accused China of organizing a cyber-attack. I think this validates the position that Taiwan's government was simply disseminating a little cross-channel FUD... there may indeed be Chinese hackers trying to break into Taiwanese systems, but they're doing it on an ad-hoc basis, not as part of a government-sponsored attack.

    Think about it... you're a hacker in mainland China, and you want to attack someone. Do you go after your own government? Only if your family doesn't mind paying for the bullet when you're convicted of espionage. Much safer to hit a country that your government wouldn't mind giving a black eye?

    Hackers in China... hey, it looks like China is the new Russia!

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:The Amazing Flying Hackers of China! by ramzak2k · · Score: 4, Interesting

      Does this have anything to do with Microsoft opening up its code to China?

      --

      Siggy Say, Siggy Do
    2. Re:The Amazing Flying Hackers of China! by caluml · · Score: 5, Insightful
      To be honest, I hope it just trashes boot sectors before writing random crap all over the hard drive. That might actually get the message through. All these soft viruses just make people think of it as an inconvenience. When something bad happens, people might just start sitting up and taking notice.

      Mod me down, troll/flamebait, I know.
      However, mod me up if you feel that this might make people start patching their systems.

    3. Re:The Amazing Flying Hackers of China! by IM6100 · · Score: 5, Insightful

      A worm/virus that trashes its host doesn't do a good job of propagating. These sorts of programs can do so at a 'time bomb' setpoint, if the designer feels the virus/worm will have propagated widely by that time, of course.

      --
      A Good Intro to NetBS
    4. Re:The Amazing Flying Hackers of China! by bigjocker · · Score: 5, Interesting

      Now that you mention it, probably.

      It's a lot easier to write a worm having the Windows' source code available. This bug came from China, and Microsoft has sent the source code to China ... maybe they should start looking for the Blaster writer over there ...

      Also, the last attack against Taiwan by some Chinese crackers may have something to do with this. Maybe Microsoft was right when they said that it would be a major security risk to publish the Windows source code.

      --
      Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
    5. Re:The Amazing Flying Hackers of China! by The_K4 · · Score: 4, Interesting

      I'm waiting for the virus that causes Windows XP to believe that it's not "activated" and causes hundreds of thousands of people to call to re-activate their OS. :) Talk about DDoSing them. :)

    6. Re:The Amazing Flying Hackers of China! by Marcus+Brody · · Score: 5, Funny
      True. It would have to run for x hours, trying to infect other hosts before "delivering its payload".
      What would be a good value for x?


      X would clearly be PC dependent for optimum worm spread. An obvious thing would be to deliver the fatal payload after the infection had spread to, say, 15 other PCs. This would cause exponential spread until the number of vulnerable machines became limiting.

      But that's *boring*. A much more twisted & evil thing to do would be to deliver a payload at a mission-critical point. For example, after MS Word had been used excessively over a few days, and the word CONCLUSION was typed in.

      /maniacal evil genius laugh/

    7. Re:The Amazing Flying Hackers of China! by RobertB-DC · · Score: 4, Funny

      Go further down the rabbit hole. Ask yourself if China is this bad AND has nuclear weapons why was Iraq invaded while China's a preferred trading status country?

      I just happen to have a TRS-80 Level II Basic program in front of me:

      10 Data "China", "yes", "yes", "Iraq", "yes", "no"
      20 Read Country$, Bad$, Nuke$
      30 If Bad$ = "yes" then Print "We must deal with "; Country$
      40 If Bad$ = "yes" and Nuke$ = "no" then Print "Invade Evil "; Country$; "!!!"
      50 If Bad$ = "yes" and Nuke$ = "yes" then Print "We will constructively engage "; Country$; " with trade."
      60 GOTO 20

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    8. Re:The Amazing Flying Hackers of China! by paj1234 · · Score: 5, Funny

      > Even if you do learn to speak correct English, whom are you going to speak it to? -- Clarence Darrow

      Friend, you mean, "Even if you do learn to speak correct English, to whom are you going to speak it? -- Clarence Darrow"

    9. Re:The Amazing Flying Hackers of China! by Isomer · · Score: 5, Interesting

      True. It would have to run for x hours, trying to infect other hosts before "delivering its payload".

      What would be a good value for x? When the critical mass has been infected obviously.

      You can take the payload and split it up into "n" smaller chunks, then infect "n" initial machines with your virus each with only a small part of the payload. Then every time a virus infects a new host it splits its payload in half until it's down to one byte/bit/whatever, then it just copies its payload. When it finds another machine that's already infected, they both give each other their own payload.

      If the other side have data that conflicts with your own, throw theirs away to prevent poisoning

      So when there are lots of hosts to infect around the world, the payload gets split up, but it's not until almost all the machines are infected that the payload starts being reassembled.

      If the payload is encrypted in such a way that you need the entire payload to decrypt the entire thing, then Antivirus researchers can't tell what the payload is going to do before it actually occurs.

      You probably want to make sure that there are multiple copies of the initial data in case machines get cleaned that contain the only copy of one bit or so.

      We need to organise things like automated detection of abnormal network activity, and some kind of automated way to slow down (but perhaps not stop -- you're not sure if it is an actual virus) the flow of virulent activity.

      A technique like this could be used for something like Freenet to hide information until everyone has the information, then release it.

  2. In other news... by brotherscrim · · Score: 5, Funny

    ...Scientists predict the sun will rise tomorrow.

    1. Re:In other news... by ramzak2k · · Score: 4, Funny

      "...Scientists predict the sun will rise tomorrow."

      I live in the east coast, insensitive clod!

      --

      Siggy Say, Siggy Do
  3. Worm's Target by Anonymous Coward · · Score: 5, Funny

    on the heals of a recent Security Bulletin from Microsoft

    Apparently, the worm infects the user's grammar-checker, rendering it inoperable.

    1. Re:Worm's Target by RobertB-DC · · Score: 5, Funny

      I tried it in M$ Word, and here's what Clippy told me:

      . . . explosion on the heals of a recent Security Bulletin...
      Clippy: Order of Words (consider revising)

      Applying typical Slashdot editorial standards, I tried this:

      . . . explosion on heals the of a recent Security Bulletin...
      Clippy: Order of Words (consider revising)

      Crap, let's try again.

      . . . explosion on heals of the a recent Security Bulletin...
      Clippy: Remove "the" or "a"

      I think we got it:

      Seft sent in a solid article running on the BBC discussing the next potential worm explosion on heals of the recent Security Bulletin from Microsoft. The article is a somewhat general topic piece on worms in general.
      Clippy: turns into a bicycle and rides into the distance

      Alright! Let's post!

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  4. Thank goodness... by dillon_rinker · · Score: 4, Funny

    ...that the next worm explosion heals the recent Microsoft Security Bulletin. That will be a welcome change, coming on the heels of the last big Microsoft worm.

  5. 1993? by StingRayGun · · Score: 5, Funny

    "Malicious hackers are starting to circulate computer code that exploits recently found vulnerabilities"

    Starting? When was this article written, 1993?

  6. New Worm 9.0! by Anonymous Coward · · Score: 5, Funny

    All my friends and family use Worm 9.0! It's easier than ever!

  7. Am i the only one? by madcoder47 · · Score: 4, Interesting

    Am I the only one who noticed that the woman in the BBC Article's picture (directly above the "The MSBlast worm hit some users hard" Caption text) is using an old mac, and therefore, is not struggling with the MSBlast worm?

    The power button and display/contrast knobs on the side of the monitor give it away....

    Also, from the article: "But viruses that take advantage of new found flaws in the chunk of computer code exploited by MSBlast look set to arrive even sooner." -- Does this mean that even though Microsoft cleaned up the code that was used by MSBlast as a backdoor, they still overlooked some code in the same region?

    1. Re:Am i the only one? by NanoGator · · Score: 5, Funny

      "Am I the only one who noticed that the woman in the BBC Article's picture (directly above the "The MSBlast worm hit some users hard" Caption text) is using an old mac,"

      The virus turns your PC into a Mac?! Now that's a creative way to hit users hard.

      --
      "Derp de derp."
  8. *Sigh* by r_glen · · Score: 5, Funny

    It's a shame the only people who read these articles are the ones who aren't affected in the first place.

  9. Already Here by Fletch · · Score: 4, Interesting

    According to C|Net's News.com.com, two new worms have surfaced exploiting a 2-year-old hole in IE 5.x.

  10. Where's the update? by lord_dragonsfyre · · Score: 5, Interesting

    Okay, I've read about three emails so far, plus this article, about this new security hole. So of course, I go to download the patch.

    And there is no patch. Headed to http://windowsupdate.microsoft.com, hit Scan for Updates.... nothing shows under Critical Updates.

    Anyone know what's up with this?

    James.

    --
    "I have spread my dreams under your feet, Tread softly, because you tread on my dreams." - W. B. Yeats.
    1. Re:Where's the update? by jhoffoss · · Score: 4, Informative
      TechNet article: here.

      Patch: here. (For XP...this and the rest of the patches are also linked on the above page.)

      Scan tool: here.

      --
      Linux: The world's best text-adventure game.
    2. Re:Where's the update? by Bourbonium · · Score: 5, Funny

      I believe this all refers to MS03-039, released on 9/10/2003. If you've updated your system since last Wednesday, you're protected and the patch won't show up as a Critical Update, because you've been scanned and MS has determined that you're already patched.

      Of course, if you're using Linux and you go to the Windows Update site, you won't find any critical updates for your system there either.

  11. New slashdot pattern: 3 articles per MS Virus/Bug? by alexmogil · · Score: 5, Funny
    So now there will be:

    A pre-worm article

    A current worm article

    And a post-worm article?

    Essentially three times the FUD, bashing, turfing, and... well, slashdot.

    --
    A winner is you!
  12. I think there's already something new going around by ncc74656 · · Score: 5, Interesting

    My suspected-spam file had something like 50-60 new messages in it since last night. Except for one Nigerian-scam message, they all claimed to be security fixes from Microsoft (how original of them :-| ). I saved the attachment from one of them and let Norton Antivirus take a look at it. It didn't identify any virus (even after updating signatures), but it has to be malware of some sort that just hasn't been cataloged yet.

    --
    20 January 2017: the End of an Error.
  13. Products NOT affected... by immel · · Score: 5, Funny

    "Windows 98, Windows 98 Second Edition (SE), and Windows 95 also are not affected by this issue." So we can save ourselves by downgrading to previous Windows versions? Or is this just a shameless plug? "However, these products are no longer supported. Users of these products are strongly encouraged to upgrade to later versions." Yup. It's a plug for newer, even more vulnerable software, alright.

    --

    10 Bits= $.25
    100 Bits= $.50
    110 Bits= $.75
    1000 Bits= 1 byte
    1. Re:Products NOT affected... by calethix · · Score: 4, Insightful

      I laughed when I read that

      "However, these products are no longer supported. Users of these products are strongly encouraged to upgrade to later versions."

      Does MS really expect the average Win95/98 user to read that and think 'Oh! I better go out and get me a copy of that Winders XP. It may have viruses and worms but at least I'll be supported.'

  14. New Worm by seangw · · Score: 5, Funny

    There's a new worm out there that exploits a security hole still in Windows 2k/XP from when it was released.

    It has the capability to shut down applications, goes right through anti-virus software (even the latest patches!!!), and gives total control of the victim computer to the creator of the worm.

    An attempt by the powers that be to shut down its source of updates was thwarted by various government agencies and the worm itself.

    Unfortunately there is no patch to get rid of the W32.MS.AutoUpdateRequired worm.

  15. Ironic by MrEnigma · · Score: 5, Interesting

    I think it's kind of ironic...on their page it goes through the products affected, NT, XP, etc.

    And then they say Windows Me is not affected, nor is 98, or 95, but you should upgrade to the newest versions. To the end user, that would kind of be like, I could upgrade to the newest versions, and then be vulnerable to all of this...why would I.

    Just thought it was funny.

    --
    GeekWares - Buy and Download Today!
  16. ..and here's the exploit. by bernz · · Score: 5, Informative
    just to help things along, here's the exploit that the worm will use.

    http://www.k-otik.com/exploits/09.16.MS03-039-ex p. c.php



    i'd post the code, but /. won't let me.

  17. Mod the college student down... by toupsie · · Score: 5, Insightful
    Well, if the only thing you are doing is running AIM, IE and Kazaa, I would agree. However if you work in an environment with mission critical apps that cannot fail, you can't just simply "patch your systems". You must test, test and retest.

    Start thinking of us that operate in the real world. Cocky statements like "We've had plenty of warning about this, so it's only the criminally unprepared that will be hit right" sound outright stupid. The patch was released last Wednesday. To coordinate business departments, users and technical staff along with testing requirements doesn't happen overnight. You do your best to patch as fast as possible and take steps to add a firewall layer but you have to deal with business requirements. Switching from Microsoft won't solve this problem either....OpenSSH anyone?

    However, I don't mind Microsoft security problems, it keeps food on my table.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Mod the college student down... by CausticWindow · · Score: 4, Insightful

      You're right about having to test a lot when applying patches in such an environment.

      However, applying two ten line, plain text, patches on OpenSSH is a slightly more deterministic procedure than installing the latest five megabyte patch from Microsoft.

      --
      How small a thought it takes to fill a whole life
    2. Re:Mod the college student down... by FyRE666 · · Score: 4, Funny

      However if you work in an environment with mission critical apps that cannot fail, you can't just simply "patch your systems".

      I have to ask, why the hell would you be running anything remotely "mission critical" on windows in the first place???

  18. Re:MS Security bulletin? What about... by mph · · Score: 5, Informative
    What am I missing?
    Buffer Overflow in Sendmail
    New ssh Exploit in the Wild

    The problem seems to be that you're running late, not slashdot. The above stories were each posted the day before you claim that the vulnerabilities were discovered.

  19. Survival for Virus: Don't Kill Your Host by RobertB-DC · · Score: 5, Interesting

    To be honest, I hope it just trashes boot sectors before writing random crap all over the hard drive. That might actually get the message through. All these soft viruses just make people think of it as an inconvenience. When something bad happens, people might just start sitting up and taking notice.

    You're thinking software, not biology.

    A virus like Ebola is bad news for its host. It spreads pretty easily and quickly causes violent, bloody death. But it kills its host so quickly that the host doesn't have time to infect anyone outside his immediate contacts, and the severe nature brings all Man's medical defenses to track the contagion to its source and eradicate it.

    The common cold is a virus, too. It causes relatively minor discomfort to its host, only killing a small number of previously weakened hosts. This gives the cold time to spread widely before it is detected, and by that time the infection can no longer be contained -- or even traced back to its original host.

    Early viruses were more Ebola-like, wiping out boot sectors, killing the host. But when was the last time you heard of a new infection by the Michelangelo virus?

    Evolution, of a sort, has led to new viruses being more like the common cold -- annoying, but not deadly, and therefore common as a sneeze.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  20. Re:This is but one of two by pe1chl · · Score: 4, Informative

    Tonight 3 of these arrived here. It is an e-mail message that contains a .exe attachment that promises to be "the latest version of security update, the
    "September 2003, Cumulative Patch" update which fixes
    all known security vulnerabilities affecting
    MS Internet Explorer, MS Outlook and MS Outlook Express
    as well as three newly discovered vulnerabilities."

    Apparently lots of people just doubleclick it.

  21. Re:I think there's already something new going aro by ncc74656 · · Score: 4, Informative
    NAI has new defs that cover it now, and I assume all the others do too.

    Just checked with Symantec...while the updated defs aren't available through LiveUpdate, they are available by downloading the Intelligent Updater. How smart of them...instead of sending out a couple hundred K, they force people to download 4 megs each until next Wednesday. It's their bandwidth, I suppose...

    (I reran NAV after getting today's defs...it identified the file as containing Worm.Automat.AHB. SARC says nothing informative about it, but F-Secure says the following:

    There is no virus known to us by this name. However, Norton Anti-Virus uses names like W97M.Automat.A to name viruses which have been detected automatically.

    Another 5-10 copies arrived since my last post...busy little fscker, isn't it? Rabbits don't breed this rapidly.

    --
    20 January 2017: the End of an Error.
  22. Re:Welcome by wo1verin3 · · Score: 5, Funny

    >> I, for one, welcome our new worm Overlords.

    With that attitude, the movie Dune would have been a lot more boring. :(

  23. HIV by Detritus · · Score: 5, Interesting
    Another approach is to have a long incubation period, like HIV. It slowly multiplies over a long period of time before causing symptoms.

    A computer virus could wait several weeks before it nuked the hard drive.

    If I wrote a virus, I would add anti-tamper features so that removing the virus would also trash the system. The virus could encrypt selected parts of the hard drive and decrypt them on-the-fly when the operating system accessed those sections of the hard drive.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:HIV by A_Non_Moose · · Score: 4, Interesting

      The virus could encrypt selected parts of the hard drive...

      What's really scary is this:

      Think of all the vbs worms/viruses, now mate that with windows scripting (similar to vbs, I think) and windows' ability to encrypt the file system (built in functionality, right?).

      How hard would it be to, oh, say infect a system, encrypt the entire drive (or "my documents" or delete select files/user data), change the admin password, and reboot the system when done?

      I think that'd be the rudest awakening ever.

      I give it a year or so before it happens somewhere important, because some people never learn...esp Microsoft.

      --
      Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
    2. Re:HIV by HiThere · · Score: 4, Interesting

      Make that random parts of the system, and random *.doc files (and a few other extensions). Nobody would *dare* get rid of it. A bad system file can be replaced, but a bad doc file can be very bad.

      It might teach people about hierarchical backups, but I doubt it.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  24. Microsoft's Advice by digime · · Score: 5, Funny

    From Microsoft:

    Note Windows 98, Windows 98 Second Edition (SE), and Windows 95 also are not affected by this issue. However, these products are no longer supported. Users of these products are strongly encouraged to upgrade to later versions.

    WTF? How this translates to me - "If your computer is immune from these new strains of virii you are strongly encouraged to make it vulnerable."

  25. Re:OT: Unofficial Hostility in "Cyber Space" by rodgerd · · Score: 4, Insightful

    Other way around, son. US business is so hopelessly dependent on cheap Chinese labour and just in time manufacturing that there'd be chaos if China was embargoed.

  26. Microsoft Worm by Sloppy · · Score: 4, Funny

    Typical. Pre-announcing vaporware just to hurt competitors' sales.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  27. Re:OT: Unofficial Hostility in "Cyber Space" by 4of12 · · Score: 5, Insightful

    constantly improving

    Over the long haul, yes.

    But there were some points of tension when the U.S. cruddy intelligence led to the mistaken bombing of the Chinese embassy in Belgrade, and when a U.S. spyplane flying off the coast made an emergency landing on a Chinese island.

    Meanwhile, the government there is learning that it can divert attention from inconvenient issues (like corruption between the military and industry, lack of an open democratic process) by exploiting nationalistic sentiment (We vs They).

    This is in the same grand tradition that is done in the United States and in Russia, so the rest of the world can feel safe knowing that all 3 of the largest nuclear superpowers are populated by emotional peasants.

    --
    "Provided by the management for your protection."
  28. You ain't seen nothing yet by ralphus · · Score: 4, Interesting
    I've said it before, and I'll say it again. The current array of worms making the rounds on the Internet are pretty fundamentally simple worms and not much more than teenagers throwing eggs at the wall on a large scale. Blaster was crashing systems because of its sloppy coding, it wasn't even doing damage other than eating up resources and planning on attacking MS (which it stupidly did based on DNS entry and then even the WRONG ONE).

    Worms today all have limited vision in what they can do and a greedy philosophy which results in limiting their possible damage.

    I'm one of the good guys, but I can certainly see the potential that an evil genius can do. Please read these two papers and get an idea of what is possibly coming.

    Warhol Worms

    Curious Yellow

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  29. Treason or perjury? by SgtChaireBourne · · Score: 4, Insightful
    This bug came from China, and Microsoft has sent the source code to China ..
    That there is another Microsoft worm this week should come as no surprise. If you recall from the anti-trust trial and the appeal, Jim Allchin pointed out that Microsoft code was so flawed it could not be safely disclosed. It was even claimed that showing the Microsoft source code could damage national security.

    So, was it perjury or treason? You decide.

    Either way it's not a set of ethics that would induce me to resume business with them ... ever.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.