"Witty" Worm Wrecks Computers
An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.
Although they ain't perfect, at least they're not running on your computer. Yikes.
How can we blame M$ for this?
Insert "witty" first post comment
glad to see viruses doing some real damage now, I'm tired of these stupid viruses that just send out emails.. how weak, if we had more viruses that would wipe out entire systems then there would be some more pressure on software companies to fix things
It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(
That's not Bill Gates' fault.
I'm waiting for the plague of locusts...
Worms and Viruses caused DATA LOSS!
It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuisance.
I mean seriously who ever thought it was a good idea to run a firewall on the actual computer connected to the net ? I mean you can buy an appliance router/firewall that is GOOD for what 29 Bucks , that's what I just paid for my netgear wireless router. I have never understood why you would want to run the firewall on the actual connected system. Guess they can't say it's better than running nothing anymore.
Do you really expect us to believe more than ten people worldwide run Windows on their firewalls? ;-)
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
I was just thinking about this, can the company be held liable for their software allowing others to basically destroy all data on the computer?
:)
Then I got to thinking, what about Microsoft whose OSes and products have cost millions and millions of dollars.... while some of them require user interaction, others have effectively shut down the internet for wide areas for short periods of the time.. remember the sql one?
"All computers", you sure?
Don'tcha mean "Windows computers"?
Me and my Quantian box are browsing safely and recklessly.
On a less triumphant note, I'll eventually get called to fix Windows machines that suffer from that worm. How can you recover someone's data from an unbootable HD?
So who is responsible? Is it the MSFT developers for making the exploit, or is it the hard drive manufacturers for making those sectors readable?
Most infected computers will have to be rebuilt from scratch unless their owners instead decide to buy new ones
I didn't know worms were so powerful now that they could melt a computer into a pile of toxic sludge. : /
-Colin
"FGTRGDI" (Feels good to run gnu/linux doesn't it?)
More cryptic acronyms to the people!
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Now that you've got yourself a computer system at home, you'll want to protect it from the evils of the Internet. Because Operating Systems are chock full of holes just waiting to be exploited, you should, at a minimum, take the following steps... Step 1. Go out and buy a firewall product for your machine. Also pick up some virus protection software. Step 2. Ok, now install the firewall software... Oh......Damn It!
First, the speed at which the exploit was translated from advisory to a malicious worm.. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass mailing attachment exploit variety of viruses.. Not a welcome change for the people who got hit by it of course :(
By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use Bugme Not to find a login. Click here
How would overwriting the first few sectors result in loss of all data? Wouldn't that just overwrite the boot sector only? Can't you still retrieve your data?
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
Now, every windows user aware of this will believe a firewall is a great danger for his computer.
Oh... After all, what will it change ?
Homer: Kids, would you step outside for a second?
[the kids run out]
[standing up] F --
[a church organ plays a chord; birds fly away; everything stops]
Ned: Dear Lord! That's the loudest profanity I've ever heard.
If the only thing this does is wipe out the hard drive, how does it spread to other systems? Is there a dormant version of this, or does it postpone doing the damage for a certain number of hours? The articles didn't explain.
"With all these hard drive problems, the infection rates are going to shrink pretty quickly as all these affected machines grind themselves to a halt," Stewart said.
Well thanks Stewart. I'm glad to know I won't have to worry about the infection rate of AIDS once most people have AIDS.
-Colin
From LURHQ
"This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."
Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.
It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. It's like a true disease, a terminal illness for computers (pun not intended).
I think this will be with us for a while, particularly when mutations start showing up.
In the free world the media isn't government run; the government is media run.
"All computers", you sure?
Well, any computer running BlackICE under Linux is screwed too, though for different reasons.
The ______ Agenda
It's a weekend, why should they care about putting out their timely alerts, eh?
"Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."
Actually the answer here would be to REMOVE norton before rebooting.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Or maybe to the developers who created such a piece of shit of an OS that you can't even connect to the internet without a day's worth of patching and protecting.
;-)
(or use the quick n' dirty protection - put a condom on your RJ45 ethernet plug before ya' stick it in
Several months ago, Microsoft CHKDSK effectively destroyed one of my NTFS partitions -- it managed to screw up $MFT (which points to the location of the Master File Table) and the copy of $MFT within $MFTMirr (which is supposed to be used if $MFT is broken). Anyway, long story short, I spent a couple weeks staring at hex dumps and printouts of the Linux-NTFS project's NTFS documentation. After consuming inordinate amounts of caffeine, I came up with SalvageNTFS, an open-source NTFS data recovery tool that got back all the data I wanted. Assuming the physical media is intact (as in, all read requests to the disk are successful), SalvageNTFS can retrieve data if there is even a single record of the MFT intact.
If the first few sectors of the disk are overwritten, you'll lose the MBR, the partition table, and maybe the boot sector of your first partition. However, the filesystem of that partition is likely to be largely or completely intact. Think: in a few weeks with no prior knowledge of NTFS internals, I created a tool that can continue to operate in this environment. I'd hardly call that a "total mess".
Newspapers, magazines, letters, and stamps.
How 1980s. Yikes.
My father is a blogger.
Allow me to alliterate:
Witty Worm Wrecks Windows
-Colin
Why does Windows allow writing to a part of the hard drive that would permanently corrupt it?
Or are they just blowing the whole story out of proportion when in fact it just erases your boot sector?
well, you did ask....:
'FRTBRaBDI'
=Feels Righteous to be running a BSD, Doesn't it=
'FRGTBUABMSDI'
=Feels real good to be using anything but MS, doesn't it= (ok, this one's a bit much, I think...)
'IARGFTNHTWAVAWSMIT'
=It's a real good feeling to not have to worry about viruses and worms so much, Isn't it?=
'NIKWIUU!'
=Now I know why I use Unix!=
'W!IHTIUAM!'
=Wow! I'm happy that I use a MAC!=
--- ok, that's enough, need more beer.
have fun!
Sometimes people just have to learn and adapt to change, it is one of the requirements of being a living thing.
HEY SMARTY!
This virus was because of people running firewall software.
I'd advise anyone who depends on any kind of software firewall to go out and buy some sort of hardware firewall.
I recommend Linksys
Those who depend on Windows Firewalling should beware also.. in fact I'm surprised it wasn't that firewall that was exploited in the first place.
I would say not, especially in this case. According to Internet Security Software:
certain ISS products were targeted with a malicious worm based on a known vulnerability. All ISS products have had protection in place prior to the vulnerability being publicly disclosed and prior to a worm being developed in the wild.
So in other words, the ones that are being hit by this worm didn't patch their software. Of course this still reflects very poorly on ISS for a number of reasons, which would almost certainly hurt their sales.
Dan East
Better known as 318230.
Hey, serves these folks right! I mean who'd be stupid enough to have a Windows machine on the internet without any kind of firewa...
err, never mind.
Installed a snort rule this morning using:
alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)
Found via http://isc.incidents.org/diary.html?date=2004-03-20.
After running it for about 10 minutes and seeing 1,000's of matches, I decided it was better to delete the rule since it was logging to a MySQL database for fear of overloading the disk, and go back to bed.
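Added example (mine, not from the post above): the same match the Snort rule performs, applied in Python to constructed IPv4/UDP datagrams, plus a per-source summary so that thousands of hits become a handful of rows rather than one database row per packet. The packet builder, the addresses and the sample traffic are all made up here; the signature bytes are the hex content of the rule.

```python
"""Witty content match over constructed packets (added example, not the poster's code)."""
import struct
from collections import Counter

# The rule's content:"|29 20 ... 68 65 72 65|" decodes to ")      insert witty message here"
WITTY_SIGNATURE = bytes.fromhex(
    "29202020202020696e73657274207769747479206d6573736167652068657265"
)
SRC_PORT_RANGE = range(4000, 5001)   # Snort "4000:5000" is inclusive at both ends
IPPROTO_UDP = 17


def build_udp_packet(src_ip, src_port, dst_ip, dst_port, payload):
    """Construct a minimal IPv4+UDP datagram (checksums left zero; fine offline)."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    return ip_hdr + udp_hdr + payload


def parse_udp(packet):
    """Return (src_ip, src_port, dst_ip, dst_port, payload), or None if not IPv4/UDP."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_UDP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]
    return src_ip, src_port, dst_ip, dst_port, payload


def matches_witty_rule(packet):
    """The rule: udp, source port 4000:5000, any destination, payload holds the signature."""
    parsed = parse_udp(packet)
    if parsed is None:
        return False
    _, src_port, _, _, payload = parsed
    return src_port in SRC_PORT_RANGE and WITTY_SIGNATURE in payload


def scan(packets):
    """One alert tuple per matching packet, which is what Snort would log per hit."""
    alerts = []
    for pkt in packets:
        if matches_witty_rule(pkt):
            src_ip, src_port, dst_ip, dst_port, _ = parse_udp(pkt)
            alerts.append(("Witty Initial Traffic", src_ip, src_port, dst_ip, dst_port))
    return alerts


def summarize_by_source(alerts):
    """Collapse a flood of per-packet alerts into a count per infected source host."""
    return Counter(a[1] for a in alerts)


# Constructed sample traffic: two infected hosts spraying random targets, plus noise.
SAMPLE_PACKETS = [
    build_udp_packet("198.51.100.7", 4000, "203.0.113.9", 53412, WITTY_SIGNATURE + b"\x90" * 40),
    build_udp_packet("198.51.100.7", 4000, "203.0.113.10", 1234, WITTY_SIGNATURE + b"\x90" * 40),
    build_udp_packet("192.0.2.33", 4999, "203.0.113.11", 8080, b"\x00" * 8 + WITTY_SIGNATURE),
    build_udp_packet("192.0.2.50", 80, "203.0.113.12", 4000, WITTY_SIGNATURE),   # wrong src port
    build_udp_packet("192.0.2.51", 4500, "203.0.113.13", 53, b"benign dns-ish payload"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_PACKETS)
    print(len(hits), "alerts;", dict(summarize_by_source(hits)))
```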
This is indeed a particularly nasty worm. Several other divisions of my company are battling infections. The master boot record on an infected host is almost certainly destroyed by this little dandy and any host which might have been rebooted before an infection is detected is inoperable. Thankfully it is only the relatively recent versions of the software packages that are affected. The divine combination of wisdom and laziness has found this systems administrator blessedly behind the times. The decision to stop upgrading our ISS tools in favor of a push towards OSS now seems all the more prescient. For those in the community who expect big businesses to flop over to OSS immediately, don't hold your breath. Nothing happens overnight because big business is slow, no matter how fast the company's advert department declares them to be. We've been actively switching systems over to Linux and OSS for two years now, but the average depreciation cycle means that it takes a minimum of 5 years to switch over an environment, and that only if you put a stake in the ground. Realistically it takes 7 to 10 years to switch over an IT environment in a company which judges IT investment solely on Cost Benefit Analysis.
Yeah. Knoppix to the rescue! (Again)
RealSecure, indeed.
eEye Digital Security supposedly found the flaw last Wednesday. Did they publish the information last Wednesday after giving Internet Security Systems plenty of time to fix it? Or did they release it without ample time? If the former, how much more liable would ISS be? If the latter, wouldn't that be irresponsible?
wait, never mind.. The ISS download site says they released the patch on the 9th. So I guess people had about a week to update the firewall?
In times like these, it is helpful to remember that there have always been times like these. - Paul Harvey
Most if not all user agreements for any software, anti-virii, Windows and its related software usually contain:
In no way can you hold us responsible for loss of data, damage to your system bla bla bla.. basically use at your own risk.
Uhh, so did these guys.
I bet this worm was written by a disgruntled network administrator sick of those "I'm being attacked" emails.
> More cryptic acronyms to the people!
That's MCATTP around here, chum.
Sheesh, evil *and* a jerk. -- Jade
but this is inherently why the idea of a firewall LOCAL to the system it is protecting is a ... shall I say "retarded" idea.
A firewall is best a physical device between your network and the "great big intarweb". That way if your firewall IS compromised, you aren't immediately toast.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
A computer virus isn't what Google thinks a Witty Worm is (not at all work safe :-) ).
Matthew @ Bytemark Hosting
I told him I would never buy any of their products since I figured they were just as likely to insert their own backdoors in the products due to maturity reasons.
This is just priceless though, I wish that guy a hearty Nelson "har har".
Never overestimate the end user. -jeramy b. smith
They can't respond to their email, because their machines won't boot?
After all, they're all using Windows, right?
I lucked out. Got BlackIce patched right away, removed Norton and installed McAfee. Rebooted and I'm still here. All is well.
I still want to gut the motherfucker like a fish, but I'm calm enough now that I can take my time.
"Why Subscribe?" Good question...
This would also be a perfect time to come up with an expression you could actually pronounce...
Surely you could still access the data and copy it onto another Hard disk, burn it to CD or copy it to a USB pen by running Knoppix.
The first few sectors of a hard drive (read MBR Boot loaders) aren't very hard to recover. Even if it damaged super important filesystem data a chkdsk -r will fix it up no problem. Where on the hard drive though could you erase to totally scrap a Windows OS?
Now, every windows user aware of this will believe a firewall is a great danger for his computer.
This would provide a nice counter to the current view that having a firewall makes you immune to viruses and worms.
Viruses for Linux are not likely to be very damaging. For doing such kind of things (ie. the first blocks of a hard disk), the virus should be based on a remote root exploit, which happens, but is *very* rare. Most exploits are local, so you can't use them if you don't have a ssh account on this computer.
It's easier in a windows environment to make big remote damages because many programs and servers run at administrator rights ; which is the case of this firewall software. In linux, all the firewalling stuff is based on netfilter/iptables, netfilter in kernel space, and iptables as the super-user interface. The benefit of having firewalling facilities in kernel space, integrated with the TCP/IP stuff, is that the size of the potentially insecure code is quite small, when in windows all the security stuff is a user space developer's responsibility.
I know this may look like a troll. But windows security design is a disaster ; and I don't think this will really change soon.
Actually, it's good, in the Darwinian sense. Nondestructive viruses aren't instructive.. People won't change their behaviors if the virus does nothing more than slow them down.
Besides application specific rules which another poster has mentioned, software firewalls also offer better REMOTE address filtering - I've recently been researching this, and few, if any, of the "29 bucks" routers will provide anywhere near the level of control that a software firewall provides. For example, if I wanted to run a development web/database server and I want to restrict access to a handful of IP address (yeah, I know, VPN, blah blah blah) there are no other "cheap" options.
Why? The hardware router guys want to push customers requiring this stuff to their professional $200+ lineup.
of the user's data.
-dameron
According to Symantec's Witty information page, Norton Antivirus can't detect it because it is memory resident only, and never written to disk.
As the story summary states, it "attempts to overwrite 128 sectors in a random location of one of the first eight physical hard drives with data from memory. If the randomly picked physical hard disk does not exist, the worm simply continues." Devastating.
BlackICE patches are available.
RTFA. This is not a Windows flaw, but an exploit in those firewalls. Blaming Microsoft for a 3rd party software vendor's fault is rather irrational. And besides how many exploits have been found in let's say bind/sendmail in the past? Personally I've never come across any of those firewalls, and I doubt any of them represents a major part of the personal firewall market.
The average joe isn't going to be monitoring any lists.. they will just ( hopefully ) plug in whatever box that came with their pc.. or at worst, accept defaults on software, which normally is useless..
That's the reality of 90% of the 'home users'.. so a 'free' hardware firewall is the best solution. Since they give away printers, they should be giving away firewalls too.. they are just as cheap. ( though, yes i realize that they make their money via ink carts.. but you get my point )
---- Booth was a patriot ----
Just a few days ago people were commenting, 'it's not like the old days where most virus outbreaks caused damage. Now they just set up spam-bots.. bla bla '
Welp, here's an 'evil' virus/worm for ya.. Hope everyone is feeling better now. ( and it's not attacking an OS but 'security software'.. how lovely.. )
---- Booth was a patriot ----
This is why having a firewall running on the machine(s) it's supposed to protect is idiotic.
When will the Windows world (and, to a lesser extent, the *nix world) wake up and realize that putting all services on a single box is just asking for trouble?
A firewall should be a dedicated, hardened host that is easily rebuilt if compromised. A firewall should not be the only layer of security.
.@.
Actually, pretty easy.
:-)
If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall.
My FreeBSD/Linux based routers serve as firewalls for my Windows boxes. Very easy to turn off everything but ssh.
In Windows you can't even tell what's running let alone shut it off. There are many ports that get attached to every interface and no way to fix it.
The first and only firewall most people need is an OS that doesn't open itself up to the world like a cheap two-bit, umm, door. Or something.
OTOH, if Windows were to ship with a functional firewall (such as IPTables), nobody would ever need the 3rd-party software in the first place.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
From looking at the disassembly it looks more like it sends 20000 copies of itself to random destinations, then tries to open one of HD0-7, if the open fails it goes back to sending, if it succeeds it overwrites a random 64kB-aligned 64kB chunk of the first 2 GiB with some data, reseeds the prng and goes back to sending, if the open fails it simply loops back to sending another 20k copies.
I'd hardly call 2GiB a few sectors...
True, but then all the companies making firewalls would get the government(s) to declare Microsoft a monopoly preventing them from selling their products. Probably because even if Microsoft were to create an effective firewall, they probably would depend on monopolistic activities to sell their product rather than depend on a superior product--all hypothetical of course.
Our founding fathers removed the guys in charge. Be American. Vote incumbents out.
More cryptic acronyms to the people!
... maybe ... VABULI could work (Viruses Are Bad, Use LInux.)
I don't really think that's an acronym. Google defines it (or rather; finds it defined as:) (n) A word formed by joining the initial letters of a series of words. (Emphasis mine.) Now FGTRGDI doesn't feel or sound like a word to me. It's just an abbreviation. A word should have no more than two consonants in a row, three only as an exception. Anything more than that and it'll only pass as an acronym in the Welsh language. However
Look a monkey!
LRC, the best-read libertarian site on the web
who said this is os related? read: BlackICE IS AN APPLICATION, you fucking linux monger. linux needs to be patched just as often as windows does.
username:oldwarez password:oldwarez
Strongbad is truly awesome ok.
:P
Just finished his 100th e-mail reply in WIDE-O-VISION
http://www.homestarrunner.com/sbemailahundred.html
But on-topic on "the achievement": I'm impressed and hope that he will make a nice bootable floppy for that tool so that I can use it if I need it.
I'm impressed, you just sound jealous
This is the sig that says NI (again)
Seems like everyone's written one of these. Here's one a friend of mine wrote.
http://memberwebs.com/nielsen/windows/scrounge/
I am running win xp pro with zone alarm firewall. Twice today I have had a blue screen come up and say that there is a system stop due to a program trying to write to a read only portion of memory. It then says that it is dumping physical memory to disk. After about a minute it reboots and runs fine. Does this sound like the worm in question?
Today's vices may be tomorrow's virtues.
Thou dost protest too much, sir troll.
Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=
You can't remote root a system with no open ports unless the firewall code itself is compromised.
And _that_ I've never heard of (except in the case of BlackICE and ZoneAlarm)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
It doesn't just write to the MBR. It pushes 64k of data to RANDOM locations on a randomly selected hard-disk. At some point it bombs the MBR, but it bombs other portions of the disks on a machine.
NASTY worm. Definitely old-school in nature- I wondered when someone would get around to making something along these lines.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Linux..
I grew weary of this bullshit about 2 years ago and totally abandoned the norm.
I've had ZERO concern over any of the last two years worth of viruses, worms, trojans, spyware, malware, 1984ware, hackers, crackers, etc, etc..
When someone starts beating on you, you have to be pretty dumb to stand there and let them continue to beat on you. A wise man strikes back.
Fsck that "turn the other cheek" shit..
The worm's functionality is as follows:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
(emphasis mine)
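As an added example that comes from none of the posts here, a Python Monte Carlo of the loop in the list above and in the disassembly post (20,000 packets, open PhysicalDrive0-7, one random 64 kB write within the first 2 GiB): it estimates how many cycles and packets an infected host gets through before a write lands on something it cannot boot without. The chunk layout, the rule that only drive 0 holds the OS, and the size of the critical set are my assumptions.

```python
"""Monte Carlo model of the Witty write loop (added example, not from the posts)."""
import random

PACKETS_PER_CYCLE = 20_000
DRIVES_PROBED = 8                                  # \\.\PhysicalDrive0 .. 7
CHUNK_SIZE = 64 * 1024                             # one 64 kB write per cycle
CHUNKS_PER_DISK = (2 * 1024 ** 3) // CHUNK_SIZE    # 64 kB-aligned chunks in 2 GiB: 32768


def critical_chunks(os_chunks):
    """Chunk 0 (MBR + partition table) plus os_chunks chunks of files the OS cannot
    boot without. Assumption: those files sit right after the boot area."""
    return frozenset(range(0, os_chunks + 1))


def simulate_until_crippled(critical, drives_present, rng=None):
    """Run cycles until a write hits a critical chunk of drive 0. Returns the cycle
    count, packets sent, and how many distinct chunks got corrupted per drive."""
    rng = rng or random.Random()
    corrupted = {d: set() for d in range(drives_present)}
    cycles = 0
    while True:
        cycles += 1                               # steps 1-3: 20,000 random targets
        drive = rng.randrange(DRIVES_PROBED)      # step 4: pick a physical drive
        if drive >= drives_present:
            continue                              # open fails: straight back to step 1
        chunk = rng.randrange(CHUNKS_PER_DISK)    # steps 5-6: random 64 kB write
        corrupted[drive].add(chunk)
        if drive == 0 and chunk in critical:      # the host can no longer boot
            return {
                "cycles": cycles,
                "packets": cycles * PACKETS_PER_CYCLE,
                "corrupted": {d: len(s) for d, s in corrupted.items()},
            }


def expected_cycles(critical):
    """A cycle cripples the host with probability (1/8) * |critical| / 32768 (drive 0
    must be picked and the chunk must be critical), so cycles are geometric."""
    p = (1 / DRIVES_PROBED) * (len(critical) / CHUNKS_PER_DISK)
    return 1 / p


def mean_cycles(critical, drives_present, trials, seed=1):
    """Average simulated cycles over several infections with a fixed seed."""
    rng = random.Random(seed)
    total = sum(simulate_until_crippled(critical, drives_present, rng)["cycles"]
                for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    mbr_only = critical_chunks(0)
    # MBR plus ~64 MB of loader/kernel/drivers/registry (1000 chunks, an assumption)
    with_os = critical_chunks(1000)
    print(f"MBR only: expect {expected_cycles(mbr_only):.0f} cycles, "
          f"{expected_cycles(mbr_only) * PACKETS_PER_CYCLE:.2e} packets")
    print(f"MBR + OS files: expect {expected_cycles(with_os):.0f} cycles, "
          f"simulated {mean_cycles(with_os, 1, 300):.0f}")
```

With only the MBR counted as fatal the host would spray on the order of 5e9 packets first; once the files the OS needs are counted the expected life drops by three orders of magnitude, which is the "death spiral" other posts describe.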
Well I'm glad this was posted on slashdot even though I had submitted this *hours* before.
I've also updated my blog with all the relevant links and data. The speed of the worm creation is frightening, less than 5 days from the vulnerability announcement to the time that the worm hit the internet. No one can claim this is a spamming effort either since, as noted in other posts here, it is destroying the disks on the machine as well. It's actually like a game of Russian roulette, it targets one of the first 8 disks and if the disk doesn't exist it simply continues its routine of attacking 20,000 random addresses. This is the first worm I can remember that is actually malicious.
Listed on the above blog are the following links:
eEye advisory
ISS advisory
lurhq analysis
SANS diary report
F-Secure writeup
Symantec writeup
Witty Worm Capture 1 and 2 (from dslreports.com)
and the text from SANS capture of the worm.
I've been capturing UDP traffic all day and hope to compile some more interesting information later on.
This is a huge hole. It requires no end-user action whatsoever to exploit. The "security" program it attacks is probably running with administrator privileges, even on locked down systems. There's no reason a packet filter should be able to write raw disks. In fact, if it still runs with those privileges, you want to get this "security" product off your system now. This might not be the only hole.
Should do it unless the worm does more damage not listed in the article.
"Witty" Worm Wrecks Workstations!
1, 2 and 3 are okay. Subject to each person's experience.
4 is not. Worms and viruses and (to a lesser extent) trojans are NOT distributed equally based upon marketshare.
They propagate because of FLAWS in the SECURITY of the system. And Linux has a better security model than Windows.
Windows has the problems it does because:
#1. Microsoft puts software on the system that was not selected. Microsoft does this for a "user friendly" point. But "user friendly" does not equate to "good security".
#2. Microsoft enables services, by default, that are NOT needed. Again, this is for "user friendly" points. But it is bad for security.
#3. Microsoft made it easy to execute apps, even via email. They're finally learning on this one after wave after wave after wave of email trojans have hit their products. Again, this is from a "user friendly" point.
In order for Linux to have the same problems that Microsoft has, Linux would have to have 51% of the desktop, come installed with the same apps on 90% of those desktops AND have security holes in those apps AND be setup to run as root.
This is NOT just about who has more desktops.
The Knoppix CD will happily boot with a usable Linux and it reads NTFS hard disks.
I'd like to apologise for the poster you're responding to and I'd like to point out that 99.9% of OTHER Linux users are not starry eyed PFB's trying to cram their particular religion down everyone's throats.
We know Linux needs work before it's ready for prime time, just like we know that there are certain trade-offs between convenience and security.
I do believe that Windows users have gotten a bit of a drop here by Microsoft, but that would be more of a monopoly issue and bad planning (if we had the lead all this time WE would certainly have made some mistakes too).
So keep using your Windows PC in peace. It's got a lot of useful functionality and as a Gnome developer once suggested, the most secure operating system is the one you're comfortable with and can keep updated. As Linux gains marketshare you can bet some vulnerabilities will be found, some we'll expect and some we won't. Maybe you'll find it more appealing after it's had more time to mature. Don't let zealots color your opinions too much, they speak for themselves.
Quack, quack.
...is only possible on a platform that has insecurities in the FIRST place. An OS shouldn't allow the vector, let alone the actual processing of the attack.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
This is a bad thing? It seems to me this is the best way to get all those spam-proxy infected machines off the net. I'm sure any box hit by this probably also has at least one or two other infections already active.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
The 'total' mess is that, by the time the boot sector is overwritten, countless other sections of the drive have had random data written to them. The chances of the virus doing other things to cripple a system before it overwrites the boot sector and partition table is pretty high.
Even if you consider that the size of the MBR/PT is a small fraction of a percent of the size of the critical files that the OS can't live without (loader, kernel, device drivers, registry, etc...) so the worm is 2-3 orders of magnitude more likely to cripple the machine on any given write, there's still a lot of data that can get corrupted without forcing you to do a recovery.
What good is recovering data from a system if you can't be sure if any of the data is any good in the first place?
This isn't quite as bad as a suggestion I remember reading about a while back here on /. where the virus actually understands common document formats (like spreadsheets and DBs) and over time slowly alters the data in them without destroying the structure of the file so that, by the time the virus is known and people find out they have it, all of their data (and if it's been any length of time, their backups) are completely untrustworthy.
my sig's at the bottom of the page.
Why didn't you just disable, and then uninstall BlackIce?
autopr0n is like, down and stuff.
A computer virus isn't what Google thinks a Witty Worm is (not at all work safe :-) ).
I disagree. Any user that uses either involuntarily feels the same way.
Now I am one for dismissing most things, but really.. someone tell me if it's not a little fishy that the latest worms have been "cleaning up" systems.. welchi.. fixes vulnerabilities.. now this worm basically crashes vulnerable systems forcing the owner to reinstall possibly a "newer" version of OS..
As for as a long term solution, the latest worms actually haven't "compromised" anyone's data.. and the worst they've done is create downtime causing the importance of patching/upgrading to be visible on the executive's agenda.
I've used blackice before, among other personal firewalls.. they all have one thing in common, the simple product is designed with "bells and whistles" that increase the amount of attackable points in the software.. keep it simple..
macs can read hard drives without file allocation tables?! That is impressive.
autopr0n is like, down and stuff.
I am tired of all of this worm crap ... I am just happy to see that someone wrote a worm that is killing infected computers and putting them out of their misery instead of quietly using them to spread their junk forever.
That's one thing I miss about old DOS viruses
... they weren't as complex but more of them were fatal.
If there is no physical damage to the hard drive, then there are a number of inexpensive and very useful data recovery tools out there for recovering data from a hard drive. Even if the partitions are blown.
The file system does matter, of course, and I am not up to speed for the various similar tools for *nix file systems (anyone care to jump in on this?)
There is a nice market for people who can do data recovery without needing to open a drive in a clean room, without charging 2000 bucks just to look at it.
Once you have everything recovered to another disk, then you can have fun rebuilding the Partition.
"It is a greater offense to steal men's labor, than their clothes"
Viruses for Linux are not likely to be very damaging. For doing such kind of things (ie. the first blocks of a hard disk), the virus should be based on a remote root exploit, which happens, but is *very* rare. Most exploits are local, so you can't use them if you don't have a ssh account on this computer.
If you have a local root exploit, and a remote user exploit, then you have a remote root exploit.
autopr0n is like, down and stuff.
I wasn't aware that a worm could do that. I know a virus could, but a worm? Nope.
Worms flood, use up resources, crash computer systems, etc. They don't overwrite files. So I believe "Witty" is just another script-kiddie virus. After all... it doesn't take that much knowledge to make Windows unbootable. Just Deltree it with a batch file... =/
"Instant gratification takes too long." - Carrie Fisher
Actually, we don't really give a crap about what you want. You're mostly cluebies who shouldn't have a say in the matter, and the cause of most of these problems. You're the ones who use the vulnerable software, and click on things because they tell you to. (Remember, one of the last worms was purely a trojan---the user had to do all the work.)
You should use Linux (or OSX, or whatever), because we tell you to, and we know what we're talking about. You're causing problems that affect a lot of people (the networks get saturated), and you need to stop.
Let's look at your points:
Anyway, your last (unnumbered) point about programs needing refinement is probably the only accurate one. Most do need refinement; however, the beautiful thing about the Linux and Free Software community is that they constantly are being refined. And if there's something you don't like, I suggest you help out, or quit complaining about it.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Basically no.
This would be the same as any application running on more than one OS. You can buy different versions of programs to run on different OS's, but in general one file runs on one OS.
There might be a way to build a file that had multiple separate programs in it, one for each OS that it will run on. I don't know enough about how each OS loads files to know if this is possible, but I don't think it is.
All of a Saturday morning, afternoon, evening and night for isolating and patching that crap. Only one thing's good: switching to pktfilter next week
But Witty apparently tries to spread itself 20,000 times, then takes out a hard drive sector, then tries to spread 20,000 more times, in a relatively quick death spiral.
...Nothing interesting here. Just move along...
You don't need your FAT table to access your files. It keeps track of used sectors, but it doesn't keep track of the files.
You can reconstruct the entire FAT table from the directory structures, which are easily found.
This claim is just as wrong as the grandparent's claim about the location of the backup FAT.
Both copies of the FAT are located near the start of the disk, between the boot sector and the data.
Directories record the starting cluster of a file, and its size. The FAT is the only record of the location of the rest of the clusters. It's often possible to guess their location (clusters are normally allocated sequentially), but not always. Fragmented files are generally pretty hard to recover without having the FAT around to help.
A bit of a drop from Microsoft. Ha! If that's how you describe the porking a big chunk of the computing public has been taking lately, then I want some of the medication you're taking. Pass the bong, dude.
But, yeah, if you want to keep using Windows, have at it. Some people have to use it for work. Just don't try to connect it to my network.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Who said anything about Linux, you fucking anti-Linux prick? All he said was that Windows was a piece of shit OS that needs a days worth of patching before you connect it to the internet. Which is true.
Actually, he didn't even mention Windows, though, but you can assume that this:
is referring to Windows, since the worm in question attacks a firewall on a Windows-based machine. And yes, I realize that the firewall software in question isn't Windows, and the security hole isn't even Microsoft's fault, this time. It is, however, a final result of a chain of poor decisions, practices, and other events that led to the need of a third-party firewall on Windows-based machines, which in turn led to the possibility of this hole being there in the first place.
Linux (since you brought it up) has a good built-in firewall, not a third-party add-on hack. Also, even though Linux does need patching also, I wouldn't be scared to connect it to the internet unpatched in order to download the patches it needs.
I've had Windows machines where I did a fresh install, rebooted, installed anti-virus software, rebooted, updated the virus definitions, rebooted, and found the Welchia worm. Even if you do have a security update needed on Linux, this kind of situation never happens.
"City hall" in German is "Rathaus" Kinda explains a few things......
Now where have I seen this before? Let me think. What are the distinctive points about Witty's design?
Now where have I seen this before? Oh yes - SQL Slammer/Sapphire.
Witty roots a firewall, it spreads rapidly, it's extremely small and minimalistic (sort of bootsector size) yet still carries a destructive payload... this is not your average 16-year-old, this is one of the old school. Probably in his 30s, it's very probably the same author who wrote Sapphire, and he's probably a pro by now (white-hat? av company? competing firewall?).
Yeah... the virus would be the same thing as an application (it's a software program after all)...
Does any comp sci guys know if you can theoretically create a program (however trivial) that can run on arbitrarily differing operating systems?
I'm thinking it would have to be a low level program, possibly written in assembly or machine language (if that's even possible), and it has to circumvent the operating system calls... I don't know... Seems interesting...
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
Assuming the physical media is intact (as in, all read requests to the disk are successful), SalvageNTFS can retrieve data if there is even a single record of the MFT intact.
My company purchased a product a while back called GetDataBack NTFS and it has worked perfectly. It worked great when I (accidentally) deleted a volume from the W2K Disk Management MMC (whoops). Recovered all the data (since only the partition map was changed). Yes, I did something stupid, but this software saved me hours of recovering from backups.
Technically what you are asking, yes it could be written. But it couldn't really do anything useful.
You could write an x86 asm routine that did not make an OS call. So it would not care what OS it is running on. I used to write my own string copy routines that would work on any OS.
But, if you take out all access to OS related functions you don't have much you can do. No reading or writing files. Unless you want to try and write a file system into it that would interface with the hardware to read any file system. No access to network interfaces, unless you wrote and added drivers for any hardware the machine might have. And so on.
So basically you can write an OS that did not talk to a host OS, that is what Linux, Windows, BeOS, and all of those do. But it would not be a very small thing if you wanted to read the users files and send them somewhere.
Actually you basically can't for a simple reason.
Yes, you can write x86 *CODE* that will run on any OS, by using BIOS interrupts, or even making different calls/checks to see what OS this is, and then using the appropriate system calls. But how to run this code?
Windows uses PE files, Linux uses ELF files, MacOS 9 uses data+resource forks...etc. It would take a hell of a lot of hacking the formats to somehow make the PE offsets correspond to the ELF offsets or somehow put both kinds of headers in the executable program so it can run on both OSs.
So while your code might be multi-platform compatible, the container itself will end up being OS-specific.
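To make the "container is OS-specific" point concrete, here is an added example in Python (my code, not from the thread). It reads only the header bytes a loader examines first: ELF keys on `\x7fELF` at offset 0 and keeps the entry point at offset 24, while PE keys on `MZ` at offset 0, follows `e_lfanew` at offset 0x3C to the `PE\0\0` signature, and keeps the entry point inside the optional header. The two sample headers are constructed inline; the machine and entry values in them are made up for illustration.

```python
import struct

ELF_MACHINES = {3: "x86", 62: "x86-64"}          # e_machine: EM_386, EM_X86_64
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64"}   # IMAGE_FILE_MACHINE_I386 / _AMD64


def parse_elf(b):
    """Return format/arch/entry from an ELF header, or None if b is not ELF."""
    if len(b) < 52 or b[:4] != b"\x7fELF" or b[5] != 1:   # magic; little-endian only
        return None
    ei_class = b[4]                                        # 1 = ELF32, 2 = ELF64
    e_machine = struct.unpack_from("<H", b, 18)[0]
    if ei_class == 2:
        e_entry = struct.unpack_from("<Q", b, 24)[0]       # ELF64: 8-byte e_entry at 24
    elif ei_class == 1:
        e_entry = struct.unpack_from("<I", b, 24)[0]       # ELF32: 4-byte e_entry at 24
    else:
        return None
    return {"format": "ELF", "arch": ELF_MACHINES.get(e_machine, hex(e_machine)),
            "entry": e_entry}


def parse_pe(b):
    """Return format/arch/entry from a PE image, or None if b is not PE."""
    if len(b) < 0x40 or b[:2] != b"MZ":
        return None
    lfanew = struct.unpack_from("<I", b, 0x3C)[0]          # offset of "PE\0\0"
    if lfanew + 44 > len(b) or b[lfanew:lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", b, lfanew + 4)[0]   # COFF header: Machine
    opt = lfanew + 24                                      # 4-byte sig + 20-byte COFF header
    magic = struct.unpack_from("<H", b, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", b, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    return {"format": "PE32+" if magic == 0x20B else "PE32",
            "arch": PE_MACHINES.get(machine, hex(machine)), "entry": entry}


def identify(b):
    """Classify a file by the bytes each loader checks at offset 0."""
    return parse_elf(b) or parse_pe(b) or {"format": "unknown"}


# --- constructed sample headers (not real binaries) -------------------------

def sample_elf64():
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7          # 64-bit, LE, v1
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)


def sample_pe32plus():
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew -> offset 64
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000)
    return dos + coff + opt


if __name__ == "__main__":
    for blob in (sample_elf64(), sample_pe32plus(), b"\0" * 100):
        print(identify(blob))
```

Because both loaders decide on the very first bytes of the file, the same blob is recognised by exactly one of the two parsers here; making a file that satisfies both checks is the header-hacking the comment above describes.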
Yep, just like in nature, a virus that kills its host can't spread as widely.
Actually, we don't really give a crap about what you want. You're mostly cluebies who shouldn't have a say in the matter, and the cause of most of these problems. You're the ones who use the vulnerable software, and click on things because they tell you to. (Remember, one of the last worms was purely a trojan---the user had to do all the work.)
You should use Linux (or OSX, or whatever), because we tell you to, and we know what we're talking about. You're causing problems that affect a lot of people (the networks get saturated), and you need to stop.
Oh god shut up, shut up, shut the FUCK UP.
*cough*
Excuse me, but you can shove that condescending know-it-all attitude straight up your ass.
I use Windows because the overall experience, at least for Desktop use, has been better. Stuff actually works the way I expect it to. I plug in a firewire hard disk, it installs and loads drivers, and the partitions, if any, appear. Instantly. No going to linux1394.org, downloading a shell script, and hoping it works. I click a torrent in mozilla, or Explorer, or whatever, and it loads my Bittorrent client automatically. More recent distros are better, but you won't win anyone over with that attitude.
Last time I had reliability problems with windows, the hard disk was failing. But since I fixed that problem (which not even Linux is immune to) I've had ZERO problems booting. And to be honest, I haven't had any security problems.
Whoa, you think I'm lying, right?
No, I'm not. In the time I've been running 2K and XP, not once have I had:
A Trojan
A Worm
Spyware
Malware
of any sort have any sort of presence on my machine.
Granted, I run Mozilla, Apache (with a secured user-account of its own,) instead of the usual windows implements. Sometimes the opensource community does create stuff that truly JUST WORKS. At least they're smart enough to not get arrogant about it.
But for kicks I run without a firewall and as an administrator 100% of the time. Still waiting for all the problems you describe.
So, kindly, pull that stick out of your ass. Thank you.
Instead of just stealing your stuff, they should wait in your house and hack you up with your own kitchen knives when you get home. That would put more pressure on the police to catch them.
Is it stupid in here or is it just me?
Isn't it amazing that according to MS it is absolutely essential to add a browser and a multimedia player to their OS, and these items cannot be removed without damaging the OS. However, truly essential OS addons like a firewall and virus detection somehow never find their way into the OS.
Linux needs to take a lesson here -- before it is too late. The major opensource distros need to get together and back an open source virus detection program and all distros should provide disk space for the distribution of updates. The opensource firewall is already there but it needs to be "dumbed down" and gui'ed.
I pretty much agree with you.
The only gotcha I see in the answer would be that the original question was asking if you could write a virus that would run on any (or multiple) OS's. That takes the requirement of a executable file out of it.
If somehow you could get a buffer overflow or something that jumped to your code (which would be OS specific I guess) you could then execute any "pure" x86 code you wanted. I just don't see it being able to do a whole lot. Best/Worst case would be directly talking to an IDE interface and corrupting drive 0. That would probably require the original exploit to be in the kernel of the infected OS; otherwise I think pretty much all OSes block user code from that low level access.
But you are right, there is probably going to have to be some OS dependent code in there somewhere to get it started. And it would be some pretty nasty code.
"Witty" Worm did not destroy your system.
Pete Carr Owner Chatmag.com
The old viruses that could actually destroy a computer were a whole nother beast entirely. A sibling or nephew post mentioned one that would overclock everything from the bios and disable thermal protection; I think that would have to be tailored to a specific motherboard however. How about the ones that would change your display refresh rate to a non supported speed and actually fry your CRT. Not that hardware destruction is a good thing, but maybe it'll get people's attention and make them patch their systems instead of this merely annoying pussy mass mailer crap we have nowadays that people just tend to ignore.
"Sic Semper Tyrannosaurus Rex."
I just checked, Norton Pro has a virus definition for this one. Why should norton worry about a worm that only affects the competition??
Isn't the virus just bounced when you are not running any of this ISS software, (making the buffer overflow exploit impossible)???
Anyway, what the hell is "ICQ parsing?"
Hello! I'm a disaster waiting to happen!
1. Get a Nintendo/PS2/XBOX/whatever I have these AND a windows machine, 'cause sometimes they release a game only for Windows.
2. Good software support. Hah. Most Windows programs are monolithic, clunky, closed systems (i.e. you can't extend them, script them, etc.). They may or may not conform to a UI model, and they may or may not even get along with each other. If you think what you're using is good, try OSX or KDE 3.1. You'll be amazed. I like eMule, Office, WinAmp, CloneCD, ICQ, MSN Messenger, Paint Shop Pro, L&H Japanese Translator, Visual Studio, Encarta, DiscJuggler, Reason, RPGMaker and Tag&Rename just to name a few. I've never really encountered a situation where I'd want to script or extend them. You can name me the alternatives (lMule, OpenOffice, XMMS, etc.); I've tried them, and I don't like them as much as the originals. I may have had one or two instances of software not working together on a Windows machine (say Adobe doing some funky script thing in Office), but they tend to be merely annoyances; certainly nothing that would keep me from doing any work. But try installing an mp3 tagger in Debian which depends on something which depends on something which depends on something which depends on a version of libstdc++5 from the unstable branch, and you've pretty much killed a dozen or two of your apps.
3. I've never had Windows not just work (i.e. always, Windows just works), and I've installed it on 5 home systems, 2 systems for friends, and 10 systems in a LAN at work. Networking always worked, and video always worked, so for the few instances that the more obscure hardware didn't, I could just hop onto Windowsupdate.com and get the drivers. With every system I've installed Linux on but one, I found out the hardware was not supported. Things as basic as video, sound and networking would not work. Downloading a driver from a windows machine, splitting it into 1.4 meg chunks using WinRar, floppy-disking it onto the linux box, and downloading a linux unrar program, trying to get the driver to compile using the 20+ command line arguments the README file tells me to input, and being told that a certain option has been deprecated and not being told what the option that replaces it is, is not fun.
Linux is a fine OS, but there are still plenty of reasons to use Windows. I run both.
Reminds me of the Monkey virus...
It would take the first copy of your file allocation table and store it somewhere else on the disk, and insert its own code there. As long as you booted from there, you got your files. Otherwise...
yours,
kbs
I'm sure those who were around will remember the whole darned internet grinding to a halt when the Morris worm came out in 1988.
Can someone tell me why open systems basically learned their collective lesson on one big event and it never happened again, while Microsoft products get the beatdown at least once every ninety days and nothing changes?
The picture someone else makes to represent what they think is the best method to communicate to someone else what the computer is doing is a pretty sad thing when compared to the results that come from having your very own picture in your head.
You point and click types can whine, but vi
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
I don't know about these specific products, but what Windows users call a firewall usually also prevents outgoing connections, unless permission for those is granted. This is a sensible thing to do if you install and run software that you don't trust completely. For example, quite a few programs for Windows (including Explorer) have been reported to contain spyware that sends some data to some server. Firewalling outgoing connections helps prevent that.
Of course, security is out of the window[s] when you run software you don't trust - or cannot trust. Unfortunately, this is the common case; no access to the source, inability to comprehend the source, reliance on services (libraries,
...) you can't trust. At the end of the day, even if you have audited each and every piece of code on your system and found them clean, a new vulnerability might arise that you didn't know about (e.g. the implementation is good, but the design has weaknesses). Security is always a matter of more or less, rather than yes or no.
Please correct me if I got my facts wrong.
Here's an idea I read a little while ago - how about a payload that finds any number followed by a dollar sign in outgoing emails, and doubles it; in incoming emails, it divides it by two. Anyone that got the virus would suddenly lose all kinds of business, as their customers would see them submitting huge estimates. And, communications between two infected computers would seem normal, so it could be really slow to detect if everyone in a company got it. Just imagine the chaos...
Lots of similar ideas
You could also create a virus that would have an immediately beneficial impact on the economy - it would just delete any copies of MS powerpoint it finds. Just think, managers would have to start doing work!
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
"If you could actually turn off unwanted and insecure services you wouldn't NEED a firewall."
Who says you can't?
Start > Control Panel > Administrative Tools > Services
You can disable just about everything.
"In Windows you can't even tell whats running let alone shut it off. There are many ports that get attached to every interface and no way to fix it."
This is FUD. You *can* tell what's running. You *can* disable everything.
You can't tell what's running? This is very easy, actually. Try this:
To see what ports are currently listening:
netstat -an
To see what services are attached to what process:
tasklist /svc
To stop a process (until next boot):
sc stop _service_name_
To query a state of a process:
sc query _service_name_
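The same inventory the commands above produce, done in one pass so that each listening port ends up next to the process and the Windows services hosted in it. This is an added example, not from the thread; it assumes a modern Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later), and `ExampleService` is a placeholder name to be replaced with one taken from the report.

```powershell
# Added example (not from the original thread). Assumes Windows 8 / Server 2012
# or later; older systems use 'netstat -ano' and 'tasklist /svc' as above.

# 1. Every listening TCP port, mapped to the process that owns it.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = $proc.ProcessName
    }
}

# 2. Which services live inside each of those processes
#    (several services usually share one svchost.exe).
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

$report = $listeners | ForEach-Object {
    $svc = $servicesByPid["$($_.PID)"]
    $_ | Add-Member -NotePropertyName Services `
                    -NotePropertyValue (($svc | ForEach-Object Name) -join ',') -PassThru
}
$report | Sort-Object LocalPort | Format-Table -AutoSize

# 3. UDP has no connection state, so list its endpoints separately.
Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort | Format-Table -AutoSize

# 4. Inspect and stop one service, the PowerShell equivalent of 'sc query' / 'sc stop'.
#    'ExampleService' is a placeholder; substitute a name from the report.
$name = 'ExampleService'
Get-Service -Name $name | Select-Object Name, Status, StartType
Stop-Service -Name $name                          # lasts until reboot, like 'sc stop'
Set-Service  -Name $name -StartupType Disabled    # keeps it off across reboots
```

`Stop-Service` refuses when other running services depend on the one named, which is the entanglement worth checking (`Get-Service -Name $name -DependentServices`) before disabling anything on a networked machine.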
No, you can't. With a lot of services on a modern MS OS, there is a web of complex interdependencies that are difficult to analyze. Maybe for a home environment, turning everything off is OK, but in a networked environment, things that should be separate from each other are entangled. Sometimes there is no immediate adverse effect when you turn off a service, but the system degrades to the point that certain services must be restarted. Microsoft operating systems are one of the finest examples of the second law of thermodynamics the world has ever seen, aside from Kia automobiles perhaps.
"This is a sensible thing to do if you install and run software that you don't trust completely"
Uh, don't. Or use a separate machine for that.
But if you don't have a separate machine, I recommend using vmware for that (a separate virtual machine). Make sure you remove connection to the vmware "network card" so that the machine is isolated. After you're done using the stuff and saved the test results to a shared folder, you can rollback to the pristine test system you had.
Risk: there might still be ways for a hacker to get to the host system from the guest o/s - maybe there are some machine code/bugs etc.
"FGTRGDI" (Feels good to run gnu/linux doesent it?)
;-)
Mr. Stallman...welcome back to slashdot
"It is seldom that liberty of any kind is lost all at once." -David Hume
"Virus for Linux are not likely to be very damageable"
I wouldn't bet on that. OpenSSH and OpenSSL haven't had a good track record, heck tcpdump was exploitable too. BIND is still written by the same jokers. Look hard enough and there'll be enough 0-days you can use.
If enough people switched to Linux, the worm spammers will target Linux as well. And the last I checked, most Linux distro's security architectures aren't very much better than W2K. John Doe cannot easily run a program and give it less privileges than his own account - johndoe. Plus John Doe probably won't understand the various nuances of such a system either.
Can editors be clear in titles of stories; if its Windows then say its Windows....or have the Microsoft lawyers got some editorial influence on the postings ?
Apparently the witty virus doesn't really overwrite the first sectors, but this could have value in general:
:)
I once recovered a system from attack of the CIH virus. One thing the virus does is overwrite your harddisk starting from the first sector. It continues until your system crashes. So you lose partition table, MBR and FAT. I used the tool 'cleancih' to reconstruct the data. That machine has been functional since, though it displays a first partition of 1 GB instead of 2GB
That suggests two things:
1. whatever the cause of the destruction, it should be possible to recover the first sectors. I think the fact that there was more than 1 partition helped.
2. There are some things on my todolist that I never get around to.
Thank you. Most appreciated.
I shall go and tell the indestructible man that someone plans to murder him.
...to a fresh amputation. It is possibly worse than no defense at all. Avoid at all costs. Either Kerio Personal Firewall, ZoneAlarm (at a push, works for me, some users find it doesn't) or Tiny Personal Firewall.
I am NaN
Je fume. Tu fumes. Nous fûmes!
Tape needs retensioning (if reused) and also dies on the shelf (perhaps more slowly than CD's, perhaps not.)
Got a hard disk offsite to backup to?
The only solid solution.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I'm talking about ONE virus that can infect a Windows machine, then propagate onto a linux machine and infect that, and so on.
It would be possible to do. But it would of course take at least twice as much work to make it. And I haven't heard of any. Even if the two OSes run on the same hardware, it would be hard to take advantage of, as system calls are different. If you want to attack a large range of different systems a virtual machine layer would make the task simpler. I think even with just two systems you might find that the virtual machine approach is simpler. It is possible to target three or more systems without a virtual machine, but it gets complicated. Basically the complexity of a native virus would be quadratic in the number of target systems where the virtual machine version would be linear.
Two different systems means you must attack in two different ways. This also opens the possibility for a worm/virus hybrid. It could act as a worm on Linux systems and a virus on Windows systems. But you could go even further, you wouldn't have to limit yourself to one attack against each system. You could include ten different attacks against Windows, two different attacks against Linux, and one attack against MacOS if you wanted to.
The attack is performed in the usual way through either a vulnerable network service or by modifying the executable. The code to do this would be running on top of the virtual machine. You'd have to try the different attacks against systems, and each time you perform an attack, you transfer the appropriate virtual machine implementation for the target, and afterwards the program for the virtual machine.
Of course this wouldn't be as efficient as the worms we are seeing today. I mean you don't transfer such a piece of malware in a single UDP packet. Talk about bloatware worms anyone? It is not like today's worms need to transfer a MB of code to perform an infection, which I think you could easily end up with if you want a single worm to target every vulnerability out there.
Do you care about the security of your wireless mouse?
"How many times do you Linux lusers have to be told that we don't want to use linux."
That's ok, we enjoy being GODS among men...
Just a pity you don't get to enjoy women.
[accidentally posted this in the hardware router anonymously] After running BlackICE for less than a week, curious to see for myself what it was capable of, I was unlucky enough to get hit with this and lucky enough to kill it after it ran for an hour and a half (blackd.exe opened port 4000 locally at 5:17 gmt, Mar.19.) It doesn't appear to have done any damage though, certainly not to my MBR (though if it randomly writes to any sector I don't think there was a chance of this,) but I'm certain it sent more than the 20,000 needed to trigger the junk data being written in the 90 minutes it ran. With no record of the packets it sent, I do have a record of nearly 10,000 angry ICMP responses, the bulk of which are from a single address which first caused me to believe my IP was being spoofed, but I suspect this represents a fraction of the addresses it successfully sent to (locally it attempted to send ~6GB at 10Mb/s.) Up until now I've never felt the need for a hardware router.
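What the comment above describes is visible from a perimeter or host log even without a capture of the outgoing packets: one process sending UDP from a single fixed local port to a spread of unrelated destinations, and a pile of ICMP port-unreachable replies coming back to the same host. The following is an added detection example (my code, not from the thread) run over constructed log lines in an assumed two-line format; the alert threshold and the log shape are assumptions, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture) in an assumed firewall-log shape:
#   <timestamp> UDP  <src>:<sport> -> <dst>:<dport>
#   <timestamp> ICMP <src> -> <dst> <message>
SAMPLE_LOG = """\
2004-03-20T05:17:01Z UDP 192.0.2.20:51000 -> 192.0.2.1:53
2004-03-20T05:17:02Z UDP 192.0.2.10:4000 -> 198.51.100.7:21912
2004-03-20T05:17:02Z UDP 192.0.2.10:4000 -> 203.0.113.45:8831
2004-03-20T05:17:02Z UDP 192.0.2.10:4000 -> 198.51.100.200:40012
2004-03-20T05:17:02Z ICMP 198.51.100.7 -> 192.0.2.10 port-unreachable
2004-03-20T05:17:03Z UDP 192.0.2.10:4000 -> 203.0.113.9:1025
2004-03-20T05:17:03Z UDP 192.0.2.10:4000 -> 198.51.100.33:60000
2004-03-20T05:17:03Z ICMP 203.0.113.45 -> 192.0.2.10 port-unreachable
2004-03-20T05:17:03Z UDP 192.0.2.20:51000 -> 192.0.2.1:53
2004-03-20T05:17:04Z UDP 192.0.2.10:4000 -> 203.0.113.77:3333
2004-03-20T05:17:04Z ICMP 198.51.100.200 -> 192.0.2.10 port-unreachable
2004-03-20T05:17:04Z ICMP 203.0.113.9 -> 192.0.2.10 port-unreachable
""".splitlines()

LINE_RE = re.compile(
    r"^(\S+) (UDP|ICMP) (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?"
    r" -> (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?(?: (\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proto, src, sport, dst, dport, note = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst,
            "sport": int(sport) if sport else None,
            "dport": int(dport) if dport else None, "note": note}


def analyse(lines, min_targets=5):
    """Flag hosts spraying UDP from one local port to many distinct destinations.

    ICMP port-unreachable replies addressed back to the sprayer are counted as
    corroboration: random targets mostly have nothing listening on the port.
    """
    targets = defaultdict(set)      # (src host, src port) -> distinct destinations
    unreachable = defaultdict(int)  # host -> ICMP port-unreachable replies received
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec["proto"] == "UDP":
            targets[(rec["src"], rec["sport"])].add(rec["dst"])
        elif rec["proto"] == "ICMP" and rec["note"] == "port-unreachable":
            unreachable[rec["dst"]] += 1
    alerts = []
    for (host, sport), dsts in sorted(targets.items()):
        if len(dsts) >= min_targets:
            alerts.append({"host": host, "src_port": sport, "targets": len(dsts),
                           "icmp_unreachable": unreachable.get(host, 0)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"{alert['host']} sprayed {alert['targets']} hosts from UDP/{alert['src_port']}, "
              f"{alert['icmp_unreachable']} port-unreachable replies came back")
```

The DNS client in the sample (one destination, many packets) stays quiet while the sprayer trips the rule; on a real log the threshold should be set against the distinct-destination counts normal hosts reach in the same window.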
I used to think one hardware router was enough until I noticed that my DI-604 with the original BIOS was sending out UPnP packets. The upgraded DI-604 BIOS is UPnP enabled, but the original version that shipped with the router wasn't. So this led me to believe that someone rather knowledgeable had made use of hardware exploits in my cable modem and router to reflash the BIOS.
:)
Now I sit behind 2 hardware routers and tcpdump -vvv eth0 rarely shows any packet other than those I requested.
It sure lets me play around with LFS more and read netfilter HOWTOs less.
+++ATHZ 99:5:80
Assuming this is one vulnerability, I'd have to also assume that these products share some common code or at least a common library with the vulnerability.
I don't see any discussion as to why several different products share the same vulnerability!
That in itself is a discredit to the value of choosing such products. It looks like they rely on some black box code that these companies do not develop themselves and thus doesn't get the type of code review required in a security product.
I did briefly run Black ICE on a machine designated for firewall/gateway several years ago when routers were more expensive than reusing an old PC. I'd likely not do that again, and I'd certainly never recommend using software firewall for protecting the machine running the firewall software.
It must be nice having benevolent cracker reflash your BIOS for you.
Pronounced figetrygidigy...
That has to mean something dirty.
Bot Assisted Blogging
Hymn? ;o)
Syzygy?
Myth?
Slyly?
Crypts?
Nymphs? (My personal favourite
Spry?
Lots of perfectly lovely words have no vowels at all, you insensitive clod.
But wasn't one of the problems with the recent RPC exploits that XP needed to have RPC running for some reason? Sure you can turn stuff off, but will the system continue to function normally otherwise?
It is, in theory possible that you could find a similar exploit for them -- but they do have the advantage of many of the best eyes in the industry looking at them.
In my case, I have a hardware (OK: BSD) firewall, and my Linux boxes behind them run IPTables. My theory is that some people may be able to breach one of the two, but it's unlikely that both will be exploitable at the same time (layered security). I'd suggest the same thing for Windows users... put stuff like BlackICE behind a firewall. Don't trust it as your only security.
Software firewalls will, if nothing else, help you when your roommate's computer(s) swallow a web or email virus which gets past the outside perimeter, while the hardware unit will protect you from most externally sourced issues that don't subvert the firewall.
As for the destroyed disks, depending on how much was overwritten, you might be able to recover the secondary FAT table... Just stomp on the trashed data with enough info for dosfsck to not reject the drive as fat32 and then have it recover the secondary FAT data (( I've used this trick to recover a friend's disk that had seen similar breakage about a year ago)).
This does, however presume that you have a Linux boot CD floating around (Knoppix, or a Fedora/RH8 boot disk or any other recent Linux distribution with DOS recovery tools will probably help for people with FAT32 filesystems (( repairing NT is going to be a good bit more work, since the FS is nowhere near as well defined)).
Free Software: Like love, it grows best when given away.
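Two earlier comments cover the same ground from different ends: the FAT is the only record of where a file's clusters after the first one live (sequential guessing works for contiguous files and fails for fragmented ones), and a wiped primary FAT can be replaced by the secondary copy, which is what the dosfsck trick above relies on. The following is an added toy model in Python (my code, not from the thread and not dosfsck's algorithm) that shows both effects on a constructed in-memory volume: cluster size, layout and the FAT12-style end-of-chain values are assumptions chosen to keep the model small.

```python
import math

CLUSTER_SIZE = 4     # constructed toy geometry: 4-byte clusters
EOC = 0xFFF          # FAT12 end-of-chain marker
EOC_MIN = 0xFF8      # any FAT12 entry >= 0xFF8 terminates a chain


def build_sample_disk():
    """Constructed toy volume: the data area plus two copies of the FAT.

    Clusters 0 and 1 are reserved, as on a real FAT volume.
      2,3     file A, contiguous  ("ABCDEFGH")
      4,7,5   file B, fragmented  ("hello world!")
      6       some other single-cluster file
    """
    clusters = [None, None, b"ABCD", b"EFGH", b"hell", b"rld!", b"XXXX", b"o wo",
                b"\0\0\0\0", b"\0\0\0\0"]
    fat = [0xFF8, EOC, 3, EOC, 7, EOC, EOC, 5, 0, 0]
    fat_backup = list(fat)                 # FAT #2, written right after FAT #1
    directory = {"A": (2, 8), "B": (4, 12)}  # name -> (start cluster, size in bytes)
    return clusters, fat, fat_backup, directory


def walk_chain(fat, start):
    """Follow a cluster chain through the FAT; stops at EOC or a free entry."""
    chain, seen, c = [], set(), start
    while 2 <= c < EOC_MIN:
        if c in seen or c >= len(fat):
            raise ValueError(f"corrupt chain at cluster {c}")
        seen.add(c)
        chain.append(c)
        c = fat[c]
    return chain


def read_file(clusters, fat, entry):
    """Read a file the way the file system does: directory entry + FAT chain."""
    start, size = entry
    return b"".join(clusters[c] for c in walk_chain(fat, start))[:size]


def guess_sequential(clusters, entry):
    """Recovery-tool guess when no FAT is usable: assume contiguous clusters."""
    start, size = entry
    n = math.ceil(size / CLUSTER_SIZE)
    return b"".join(clusters[start:start + n])[:size]


def fat_looks_wiped(fat):
    """A sane FAT starts with the media-descriptor entry and an EOC entry."""
    return len(fat) < 2 or fat[0] < EOC_MIN or fat[1] < EOC_MIN


def choose_fat(primary, backup):
    """Prefer FAT #1; fall back to FAT #2 when #1 has been overwritten."""
    if not fat_looks_wiped(primary):
        return primary
    if not fat_looks_wiped(backup):
        return backup
    raise ValueError("both FAT copies damaged; only sequential guessing remains")


if __name__ == "__main__":
    clusters, fat, fat2, d = build_sample_disk()
    wiped = [0] * len(fat)                      # primary FAT overwritten with zeros
    print("B via intact FAT   :", read_file(clusters, fat, d["B"]))
    print("B via wiped FAT    :", read_file(clusters, wiped, d["B"]))
    print("B by guessing      :", guess_sequential(clusters, d["B"]))
    print("B via backup FAT   :", read_file(clusters, choose_fat(wiped, fat2), d["B"]))
```

With the primary FAT zeroed, the chain walk stops after the first cluster, and the sequential guess returns the wrong bytes for the fragmented file; only the surviving second copy gives the real contents back, which is why that copy is the first thing worth checking when the start of a FAT volume has been overwritten.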
OK.. The common response here is to install a hardware firewall. Most people spout a cost of $29-49 for such a device. That MUST be a cable/DSL router. Some statistics I read recently (sorry, I don't remember source) said that 40-50% of all US households are now on broadband. That means 50-60% are still on dialup. While Cable/DSL routers/firewalls are cheap and easy to come by, what is one supposed to do for clients on dialup? Software firewalls are generally the only option in this case from what I can see. If anyone has a better option, I'd like to know what it is. Hardware dialup firewalls are expensive. Software firewalls are vulnerable and problematic (I've had problems removing some before without trashing the system).
See my blog at Who's Who
Sorry, blackd.exe opened port 4000 at 5:17 gmt Mar.20, not Mar.19.
"In Windows you can't even tell whats running let alone shut it off. There are many ports that get attached to every interface and no way to fix it."
;-) Doesn't necessarily mean you can switch it off though...
This is FUD. You *can* tell what's running.
Very true. You can run nmap from a Linux box to find out what's running on the Windows machines
Code, Hardware, stuff like that.
Heh, exactly...because you'll be running at Ring 3 (user-mode) and not in the Kernel, all those x86 interrupts you could use become useless, since you're only allowed executing user-code. And user-code is 99% OS-dependent, rendering the whole thing useless.
Basically you'd need a kernel buffer overflow on all the OSs you want to infect...good luck!
The problem is that firewalls have become *massively* oversold to idiots, and the "personal firewall" has seen a surge in interest.
Firewalls have a good, legitimate (if annoying) purpose. They provide a single point to deploy emergency protection -- you can't patch every box in a company in a production environment in a day, with the current state of computers, but you can get at the firewall quickly.
The problem is that, because firewalls are (a) cheap, (b) require only a minimal amount of technical competence to operate, and (c) sound sexy ("*firewall*"), they've become incredibly oversold.
The personal firewall is a terrible example of this. The term "firewall" went around, and in order for people to feel secure and safe, now they have to have a "personal firewall". If you want to secure your own box, the answer is to yank off everything that's sitting there *listening* and waiting for crap to come in and screw it over. Unlike most vendors, Microsoft ships a system that keeps ports open by default and daemons running. And not only did they do that, but they leave gateways into the incredibly complex and undoubtedly difficult-for-developers-to-secure Windows filesharing and IPC mechanisms. Simple things like SSH have had masses of their own problems, but they pale compared to having a Windows box sitting and listening for data out of box. Sure enough, users, unaware of how to disable Microsoft's filesharing system WRT remote access (especially how to do so without breaking functionality) started buying these damned personal firewalls.
Personal firewalls bog down a machine, and make a complex, frequently-modified (and often not frequently updated, since Joe User isn't a rabid security admin) daemon sit and make itself available to exploits.
There's a great, free, high-performance, *almost* foolproof way to secure a system. Turn off the stuff that you don't want being accessed. Barring bugs in TCP stacks (and given the degree of pounding they get, I trust TCP stack code more than most code), you now have a nice, secure system.
I had to deal with someone not long ago who *very* much wanted to set up a firewall in front of a Linux box -- a single machine. It was a server of some importance, but I couldn't help but ask -- why? What possible benefit do you hope to derive from it? On such a server, you *have* to allow in inbound connections (or else you cannot communicate with the outside world) -- and on this box, it was connections to all listening ports. The only thing you can block is things that the TCP stack is going to ignore anyway. And, for that matter, the firewall was running an embedded Linux system. If there was a bug in the Linux TCP stack, that same bug is likely to affect both the firewall and the server.
I've been watching the rise of "personal firewalls" with some irritation, and I hope that the growing number of attacks on firewalls will help bring an end to them. Network-wide firewalls have *some* point -- personal firewalls do not.
May we never see th
This isn't strictly true.
You *can* shut off, I believe, every service that listens on a port in a vanilla Windows box.
However, Windows' netstat lacks the -p flag, for mapping a port to a process.
Windows does provide, out of box, an extremely complex couple of daemons running with full privileges, and listening on ports. While it's not as if this has never been done before (*cough* sendmail *cough*) this is a pretty bad idea. Nasty if a worm slips into your LAN and then spreads around like wildfire.
These services, like filesharing and RPC and whatnot, are important to many users. The problem is that on a secure system, any daemons should provide an absolutely minimal functionality set to any system that has not authenticated itself unless that daemon is specifically designed for anonymous access (like a web server). The more functionality you expose, the more potential vulnerabilities you expose to the world. Microsoft does not provide an easy way (I believe you can pull it off with, say, IPSec, though) to ensure that a connection is from a trusted computer. Compare this to, say, the configuration of a secure modern X11 system. One generally listens only on UNIX-domain sockets (rather than IP) and then tunnels everything through a simple authentication system that doesn't run as root -- ssh. Even that isn't perfect -- openssh has had a security history -- but it's a lot better than letting arbitrary people poke and prod at a vanilla system in all sorts of ways. IP-based blocking (Oh, *that* guy's on the Internet -- I'll ignore packets from him) may not be sufficient with the spread of Mobile IP (and the subsequent inability of people to block spoofed packets).
May we never see th
I just switched over to my XP box and typed in "tasklist/svc" and got told it was an unknown command.
So how is the average user to know how to use commands which might not even be present?
Besides, the average user would need someone to kindly explain what a service is and why they would want to look for them. (Or yell at them for not being l337 and call them clueless depending on your inclinations.)
Lost at C:>. Found at C.
I don't run a software firewall, it's in the router, SMART ASS!
Dumb to kill the host quickly when you could be spreading silently for years.
Watch this Heartland Institute video
Probably because a good, oh, 80% of the people that use computers don't know enough to know how to patch the system, or to even know that it should be? About 50%-60% of users have a virus scanner on their system, but the process is pretty arcane to most of them.
These numbers are precisely the reason why viruses and worms exist, you know?
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Everyone tells me it can be done, but show me where on 2000 you can turn off...
445/tcp open microsoft-ds
That gets bound to every interface. With multiple network adapters, you cannot tell it to stop binding to one.
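The advice earlier in the thread (turn off whatever is listening) and the complaint just above (445/tcp bound to every interface) both come down to one audit: what is listening, and on which interfaces. The following is an added example, not code from any poster: it parses `netstat -an` style text (a trailing PID column from `-o`, where available, is picked up when present), keeps only sockets that accept inbound traffic, and flags wildcard binds and the well-known Windows file-sharing/RPC ports. The sample netstat output is constructed.

```python
# Added example, not from this thread: audit what is listening, and on which interfaces,
# from netstat text. Assumes `netstat -an` layout; a trailing PID column (`-o`) is optional.
from collections import namedtuple

# Ports behind the Windows file-sharing/RPC services the thread discusses.
IPC_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
             138: "NetBIOS datagram", 139: "NetBIOS session (SMB)",
             445: "microsoft-ds (SMB over TCP)"}
WILDCARD = {"0.0.0.0", "[::]", "*"}      # bound to every interface
LOOPBACK = {"127.0.0.1", "[::1]"}        # reachable only from the box itself

# scope is "all interfaces", "one interface" or "loopback"; note names a known IPC port or is "".
Listener = namedtuple("Listener", "proto host port pid scope note")

def parse_listeners(netstat_text: str) -> list:
    """Keep only sockets that accept inbound traffic: TCP in LISTENING, and every UDP socket."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue                      # header and blank lines
        if f[0] == "TCP" and "LISTENING" not in f:
            continue                      # established/closing sockets are not attack surface
        host, port = f[1].rsplit(":", 1)  # also handles "[::]:445"
        pid = f[-1] if f[-1].isdigit() else None
        scope = ("all interfaces" if host in WILDCARD else
                 "loopback" if host in LOOPBACK else "one interface")
        found.append(Listener(f[0], host, int(port), pid, scope, IPC_PORTS.get(int(port), "")))
    return found

def remotely_reachable(listeners):
    """Everything a host on the wire can talk to, i.e. all but loopback binds."""
    return [l for l in listeners if l.scope != "loopback"]

# Constructed sample in `netstat -ano` layout for a two-adapter box whose LAN address is 192.168.1.10.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1156
  TCP    192.168.1.10:3120      10.0.0.5:80            ESTABLISHED     2304
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for l in remotely_reachable(parse_listeners(SAMPLE)):
        print(f"{l.proto} {l.port:>5}  {l.scope:<14}  pid={l.pid}  {l.note}")
```

Anything reported as "all interfaces" is reachable on every adapter, which is exactly the 445/tcp situation described above; the remedy is to stop or unbind the service rather than to wrap another listening daemon around it.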
You didn't read my post. I didn't say the Linksys was better, I said his P2 box wasn't _more_ flexible. That was stretching it, since I assume he had empty slots, but the Linksys is ~$80, has 6 interfaces (one wireless), is silent, consumes 10 watts, is smaller and simpler. And it runs Linux. That was my point. It runs Linux, so how is it worse than the P2? It's just as flexible. (Well, up to the 5 ethernet and 1 wireless interfaces). The only point that I would take to heart is that the P2 can boot directly off CDROM, whereas you'd have to make a hardware mod to make it impossible for a hacker to reflash the boot code on your Linksys. Then again, for the truly paranoid, you'd better make sure you can't reflash your P2's BIOS just using software...
hard drives crash...
Seriously, I've lost more backup data than the data that it was supposed to be guarding. At work, the server dumps important directories and network shares to CDs once a week, plus whenever requested... and I've lost more CDs and the server's RAID-1 has never crashed.
If the server catches fire the situation might be different I suppose. Backups are less reliable than the backed up data usually anyway.
what about putting all the users on a email client that doesn't support javascript/external image loading/evil VBscript etc.. and just shows the html/text?
BTW, I use a Linux firewall (dedicated distro) and internal computers run Linux. An internal computer running Windows is not allowed access to the net (it's there for games). I haven't had a virus problem yet.
IJSCAOMK!
qntm.org
I just bought BI a month ago, and I got hit with Witty too...except I had no idea what was going on...I walked away from my system, and when I came back, it was virtually locked up, with 98% system resources allocated to blackd.exe.
:)
I thought that was pretty weird, but didn't really think about it...and rebooted the machine. It booted back up, I restarted the processes I had going before the freeze, and walked away again...when I returned, same thing...system was virtually locked, and Blackd.exe was hogging all the resources.
I couldn't turn BI off at the task manager, or from the system tray...so, I rebooted. (I swear, my poor Alienware has been rebooted more times in the last 24 hours than it has in its entire life.)
This time, it wouldn't boot. Well, wouldn't boot past the bios and hardware screen...then it would just reboot itself again...over and over.
I was able to boot from an Alienware recovery CD...and it appears that my files are all still intact...but somehow, I seem to have XP installed twice now. When I boot, I have a list of Windows installations to choose from.
If I choose the first one, it goes to a vanilla xp install...but you can still browse to the files and applications that were installed prior to the worm. If I choose the second option on the list, it boots to the windows install I had before...I have no idea what the heck I've done, to be completely honest.
I've mirrored all my data, on the assumption that I may have to fdisk and start again...but I'm just going to avoid doing that for as long as possible.
----I don't want to achieve immortality through my work... I want to achieve it through not dying.--
Re CD's: I just had to restore a backup made eighteen months ago on one of my machines (I needed an image backup, which I don't usually do, and that was the last one I did on this machine I haven't used in months). The four-disk image backup restored fine. A data file set of two CDs made on the same date would not restore properly, however - major sector errors. These were silk-screened CompUSA CDs (yeah, I know, cheap crap). I've read that if you put any kind of label on a CD, the glue will destroy your data within a year or so. Much safer to write on the CD with a marker made for that purpose.
I'm planning to make PAR files of my backups from now on so I can recover data on them. The Linux dar (Disk ARchive) program does that as part of its backup system.
As for hard disks crashing, well, the point of my post was that two disks separated by a network in different buildings are unlikely to crash at the same time. So if your backup server crashes, you back up again. If your main server crashes, the backup restores. And hard disks are VASTLY more reliable (and faster) than ANY other media when you consider how often they are accessed versus how often they crash. If the backup server is ONLY used for backups, it won't be accessed except when doing backups or restores and should be more reliable and last longer than any production server. And of course you can RAID that server.
All in all, compared to tape, CD, etc., hard disks are the best backup media in terms of reliability, speed, ease of use, etc.
But they have to be offsite to be used for corporate backups. Home users can take their chances with onsite backup. Of course, a home user can use a removable and stick a second one in a safe deposit box.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Point of clarification:
A Linksys router doesn't have five ethernet interfaces.
It has 1 switch (with some number of ports) a WAN port, and in some models, a wireless interface.
I agree that the Linksys has advantages over my P2, namely power consumption and physical size. However, it is by no stretch of the imagination as flexible, as you seem to agree with, on the hardware side of things.
On the software side, since both run Linux they are essentially of equal capability, so there is no differentiator there (of course I can cram more RAM into my P2, but a firewall doesn't need much RAM).
RealSecure? MyISS.
445/tcp open microsoft-ds
That gets bound to every interface. With multiple network adapters, you cannot tell it to stop binding to one.
I don't have 2k up right now, but I'm pretty sure it's under TCP/IP properties, advanced; you can allow or deny access by port. I don't remember if it's by adapter, though.
I had a laptop I was working on for a buddy. The hard drive was not reading, and I was replacing it with a new one. However, before I did the deed, I figured I would see how well Mepis (another Live-CD a la Knoppix) worked on his Dell.
.sig: "Linux, it saves dead hardware!" ...
Not only did it boot, detect everything (including battery status and level), but it could read the drive! Apparently, it was defaulting to DMA mode when it booted, but Linux could read it in PIO (fallback from DMA).
So, I (slowly) recovered his data, and then swapped in the right drive. I considered making this my
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
I don't know about the rest of you, but reading about this worm has given me the warm fuzzies (e.g., a nice warm, happy feeling). I'm not condoning the behavior of writing viruses in the least, but I do think that it is a natural and expected thing, and an obvious result of MS monoculture.
Hopefully it will bring about change - that's why this makes me happy. Being able to tell someone that a virus was able to destroy their system -because- of their Windows software firewall will be pleasurable.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I doubt they were benevolent. I certainly didn't (still don't) have the skill to save the suspect BIOS and then analyze it to ensure there's nothing fishy inside of it. I don't even know what processor the DI-604 runs on.
+++ATHZ 99:5:80
Thank you, I couldn't agree more. I get so freaking tired of u$oft bashing just for the sake of doing it. Everyone is already aware of its flaws, faults and inefficiencies. Unfortunately there are those of us that are required to run/support Windoze. I think the poster really needs to pull his head out of his ass.
The worm must have a brother that attacks ZoneAlarm & Norton-protected PCs. My college-student daughter's laptop was bugged by something that rendered it unbootable. Using xp's Recovery Console, I used the fixmbr command, but then couldn't run any software. It also would not boot to any drive other than the HDD. Luckily, it defaulted to the usb floppy when that was hooked up, so I was able to start xp with the boot floppy set, format the drive with the xp cd, then run the system-restore CDs. What fun!
They can defrag but they can't click the Windows Update icon. They don't know because they never bothered to learn; why do you suppose that is?
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.