Slashdot Mirror


Sasser Worm Disruption Growing

thebra writes "Yet another virus is causing problems with Internet Explorer. 'Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet.' A removal tool can be found here."


  1. Yeah..you're telling me... by hookedup · · Score: 5, Interesting

    Here at work, none of our employees can connect to the VPN, hence nobody can get work done, hence I'm sitting here with my phone ringing off the goddamn hook.

    Capital punishment for worm writers!

    1. Re:Yeah..you're telling me... by TheSpoom · · Score: 2, Interesting

      Yes, but customers don't know that. Witness a news story I heard about the Sasser worm after a day of doing tech support for it... it ended with "...a patch is now available to protect against the worm from Microsoft." Customers think "oooh, thanks Microsoft!", not knowing that it was a huge hole in their product that allowed the worm in the first place. Subtle misdirection and Microsoft didn't even have to pay for it. Thanks, CBC!

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    2. Re:Yeah..you're telling me... by teh*fink · · Score: 2, Interesting

      Somehow I don't think they're going to ignore a guy mugging an old lady because they won't be able to write a report about it afterward.

      or vice versa

      --
      "I DARE you to make less sense!"
    3. Re:Yeah..you're telling me... by Dr+Caleb · · Score: 2, Interesting
      Strange, in the logs for my firewall I keep getting "portsentry[]: attackalert: connect from host slashdot.org/66.35.250.150 to TCP port 1080".

      Several times during the last couple days. Seems someone at Slashdot hasn't patched their two year old RPC hole.

      And recent patches for XP actually break SSL connections - so patching right away isn't always the best thing to do.

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
  2. I have a question by Progman3K · · Score: 5, Interesting

    What does Sasser actually DO?

    Usually, viruses have a goal, like collecting your personal information, DDOSing SCO, or SOMETHING...

    What does this one actually do?

    My theory is that someone wrote it to disable all the spamware-infested computers out there.

    They can't be spamming us if they're rebooting constantly, can they?

    And if the owner doesn't disinfect them and protect them from future attacks, they'll just start rebooting again...

    --
    I don't know the meaning of the word 'don't' - J
    1. Re:I have a question by Anonymous Coward · · Score: 2, Interesting

      The purpose seems to be simple propagation (no destructive payload, mass-mailer, etc.). The crash of LSASS seems to just be a side effect of the exploit used.
      Of course the patch to fix the LSASS hole has been reported to render systems unusable as well.

    2. Re:I have a question by Anonymous Coward · · Score: 1, Interesting

      You mean other than scanning random IP addresses on successive TCP ports starting at 1068 and making copies of itself?

      It actually scans on port 445, not 1068.

    3. Re:I have a question by Progman3K · · Score: 4, Interesting

      Right...
      But have you noticed, it can only infect computers that are not properly patched and up-to-date...

      I read a while ago that 0-day exploits on Windows are mostly unheard of, while most viruses seem to come out a few weeks AFTER Microsoft has issued a patch, because the virus-writers wait for a patch to disassemble it and learn how to exploit the weakness, which is easier to do than figuring out how to exploit the vulnerability.

      This hole was patched by Microsoft, when? A few weeks ago...

      So other than annoying people with improperly-maintained machines, Sasser doesn't really seem to be more than a proof-of-concept, or as I believe, a virus crafted to SPECIFICALLY annoy people whose machines are not properly patched.

      And let's face it; if your machine is not properly patched, it's probably already being used as a spam relay, so it's not the spammers who would want this.

      Rather it feels like someone waging war ON THE SPAMMERS!

      --
      I don't know the meaning of the word 'don't' - J
    4. Re:I have a question by spellraiser · · Score: 2, Interesting

      Usually, viruses have a goal, like collecting your personal information, DDOSing SCO, or SOMETHING...

      Sorry, but that's not all that accurate. Most often, the virus/worm is a goal in itself (and by the way, Sasser is a worm, not a virus). Viruses and worms that are tools to carry out some separate agenda are the exception, not the rule. Although recent worms such as Bagle, Netsky and MyDoom (and their numerous variants) were crafted to be 'useful' in some way, this is a fairly recent phenomenon, and still a fairly uncommon one, if one looks at everything that's being released these days. It might become the norm in the future, but that hasn't happened just yet.

      My theory is that someone wrote it to disable all the spamware-infested computers out there.

      They can't be spamming us if they're rebooting constantly, can they?

      Interesting theory, but there's one problem. Whoever wrote Sasser did not intend for it to crash systems. This is a side effect of sloppy coding; it's not intentional.

      --
      I hear there's rumors on the Slashdots
    5. Re:I have a question by Progman3K · · Score: 4, Interesting

      >Interesting theory, but there's one problem. Whoever wrote Sasser did not intend for it to crash systems. This is a side effect of sloppy coding; it's not intentional.

      You know what?
      I think that yesterday, I received a LOT LESS spam than usual. I'm talking a fraction; instead of 200-300, I only received about 20.

      So even if taking down all those spam-relays was just a side-effect, I'LL TAKE IT! :-)

      --
      I don't know the meaning of the word 'don't' - J
    6. Re:I have a question by bogie · · Score: 2, Interesting

      "I read a while ago that 0-day exploits on Windows are mostly unheard of, while most viruses seem to come out a few weeks AFTER Microsoft has issued a patch, because the virus-writers wait for a patch to disassemble it and learn how to exploit the weakness, which is easier to do that figuring out how to exploit the vulnerability."

      Actually, you're probably not doing it intentionally, but you're just repeating Microsoft marketing-speak. http://slashdot.org/article.pl?sid=04/02/26/1555208

      There is little evidence that hackers are actually reverse engineering patches. In fact, as people pointed out in that thread, if that theory was true then MS could just stop releasing patches and Windows would become invulnerable.

      Most exploits are based on proof of concept code that floats around the net way before MS gets around to fixing patches. In fact there are more than a few sites out there that have lists of MS security flaws which have yet to be patched. I think you're right that patches may increase the visibility of MS flaws to some of the dumbest script kiddies and common people, but the damage was already done way before then. MS is just trying to plug a hole that was already known. So no, patches are Not the reason why worms happen.

      Finally as proof of at least one virus or 0-day exploit that took advantage before MS issued a patch, look at the Melissa virus. See that thread for other examples.

      When MS's security chief said "We have never had vulnerabilities exploited before the patch was known", he lied.

      --
      If you wanna get rich, you know that payback is a bitch
  3. Could Sasser possibly affect Linux? by Debian+Troll's+Best · · Score: 4, Interesting

    From my understanding of the Sasser worm, it infects vulnerable Windows PCs by probing and connecting through a specific open port, and then launching some Windows specific code designed to infect and propagate the worm. My question is of a largely theoretical, yet insightful nature: if a Linux machine is running a Windows emulation environment, such as WINE, and the Sasser specific port is open, is it possible that Sasser could attack and infect the Linux PC? After all, if WINE is at a level of compatibility which allows Linux users to run complex Win32 apps such as Microsoft Office, is it also not inconceivable that some Windows vulnerabilities have been emulated also? I look forward to the community's response.

    1. Re:Could Sasser possibly affect Linux? by necrotic · · Score: 2, Interesting

      I have successfully had a virus run under Wine. It was not Sasser, and was not TCP port based however. Launched an infected exe from Thunderbird to see what would happen, Wine took over and ran it. The virus scanned my network's SMB shares, and collected email addresses. It also spawned its own SMTP engine and proceeded to send itself to the collected addresses.

      When you think about it, Wine should have no trouble running simple applications such as this. It only seems to balk when applications use non-conformant GUI methods or non-standard network operations / file access methods...

      No patches for this one, just kill -9 :)

    2. Re:Could Sasser possibly affect Linux? by 13Echo · · Score: 2, Interesting

      I've actually attempted to run a few viruses on my Slackware machine, through WINE, without any success. This was simply for testing purposes. In many cases, the environments are just too different for the virus to function properly. WINE often crashes in this case. Even then, Linux doesn't automatically load any of the WINE "emulation layer" code on system startup, and only loads it when you run WINE. Still, WINE is not run as root (unless you are stupid), and anything that could possibly damage the machine would be restricted to a user's home directory, unable to affect the actual Linux OS and libraries, or the critical WINE stuff.

      Sasser is a worm that requires access to port 445 and needs to hit a machine that runs the LSASS authentication code on Windows machines (which WINE doesn't use). As someone mentioned, it might be possible to run LSASS in some form or fashion, but there would be no reason to do it.

    3. Re:Could Sasser possibly affect Linux? by spitzak · · Score: 2, Interesting

      Wine is not listening to that port without a lot of elaborate setup.

      However there certainly are examples of Wine successfully running .exe files embedded in virus email and actually emailing copies out. And even doing this without the user knowing (they clicked on the exe just like a Windows user).

      Probably more of a concern is that I know that a Linux machine's disk can be trashed by a Windows virus. It wrote over the files right over NFS (or perhaps over Samba to a server that then went to this machine via NFS).

  4. The UK Coastguard has been hit. by levell · · Score: 3, Interesting

    All the computers the UK Coastguard use have been affected according to this BBC story

    --
    Struggling to find a day everyone can make? WhenShallWe.com
  5. evolution? by qqqqarl · · Score: 5, Interesting

    i'd like to know:

    when is someone going to put a genetic algorithm into their virus/worm?

    something that mutates the worm's parameters (ports, timing delays, ip-search strategy, etc.) so that the most virulent parameters are found by "natural selection"?

    seems like an ideal application for genetic algorithms.

    K.

    1. Re:evolution? by qqqqarl · · Score: 2, Interesting

      i apologize for being loose with the jargon. i tend to use terms people have already heard, so that the root ideas can be more easily digested by the masses.

      it would have been nice, in your original post, if you had been more clear: "i'm harping on jargon" rather than "your idea is unsound."

      K.

    2. Re:evolution? by dasunt · · Score: 2, Interesting

      when is someone going to put a genetic algorithm into their virus/worm?

      something that mutates the worm's parameters (ports, timing delays, ip-search strategy, etc.) so that the most virulent parameters are found by "natural selection"?

      I don't think the number of infected machines in the world is high enough for successful genetic evolution. Viruses and worms are not like living organisms -- the chance of non-fatal mutation is lower. If a mutation creates an organism with a 1/2" longer neck, that organism will probably not die because of it. If a virus mutates so that an exploit code attacks a slightly different bit of memory, that virus is probably toast.

      What we need for a successful 'evolution' virus is two-fold. First, there should be a different tendency to mutate different parts of its code. It should have a low chance to mutate most of its code, but a higher chance to mutate code that is least likely to result in damage. (Think "I love you!")

      Second, it should act like some bacteria and find other organisms (viruses) and steal their code. Let the walking bags of mostly dirty water and their wetware develop the code. Exploit it. In this manner, it's more likely that a new working exploit will be found.

      Can the above be done in a viral payload? I don't know. I'm guessing that the difficulty factor is pretty large, but if someone wants to, someone will probably pull it off.

  6. Zonealarm Failure by doneagain · · Score: 3, Interesting

    I have zonealarm setup on a home PC and it failed to keep Sasser out. So much for a personal firewall.
    And yes there is AV on it, but it was infected before the updates had even come down.

    --
    Same s**t, different day
  7. Re:If Im totally up to date with my MS Security st by Anonymous Coward · · Score: 2, Interesting

    Up to date with patches, a proper firewall, and common sense and my Windows machine has never had a virus. I am convinced that in the end Windows users will end up better off. It is like security boot camp with live ammunition. Each time the number of people infected gets just a little bit smaller.

    I picture a day when most users have migrated to Linux and the first serious threat comes out and they are all prepared and the l33t get destroyed because their systems can't possibly get a virus because it is open-source.

    I patch both my Slackware box and my Microsoft box regularly - do you?

  8. The BBC's Magical Worm by donnacha · · Score: 1, Interesting

    Imagine my shock this morning when I read the BBC's article on Sasser which claimed:

    Unlike more recent viruses, Sasser does not travel by e-mail instead it makes its way around the internet unaided.

    Now that's what I call a superior worm!
  9. Nasty little bug costing a lot of money. by Anonymous Coward · · Score: 1, Interesting

    This bastard hit Cummins Inc. , Sunday morning, shutting down manufacturing and corporate operations at every facility in the world till early Monday morning.

  10. Re:Windows only by Anonymous Coward · · Score: 1, Interesting

    like apache is the most popular web server?

  11. Re:Windows only by Anonymous Coward · · Score: 4, Interesting

    Apache has the largest market share in HTTP servers, and it's not the most hacked.

    I always see this posted and I think people get this mixed up. More web sites are hosted on Apache servers, but there are more physical boxes running Windows.

    Example:

    I just left a job working at one of the largest internet hosting companies. We hosted close to 300,000 web sites; both Windows and Linux. Our customer base was roughly 60% Linux and 40% Windows; hosted on a little over 5,000 servers.
    If you were to know the number of servers we have and looked at a Netcraft scan you would assume the following:

    3,000 servers running Linux web sites
    2,000 servers running Windows web sites

    But that would be incorrect. Most of our Linux sites are cheap little geek home pages where we have a couple hundred sites hosted on a server. Our dedicated sites, big e-commerce sites, are mostly running on Windows boxes. So we have some servers running hundreds of sites and others running 1+ sites.

    What's my point? In reality it's more like 1,500 servers running Linux (Apache) and 3,500 running Windows (IIS). I've worked at a couple large hosting companies and it's the same at all of them. So when you see the Netcraft report stating that 65% of the web is running on Apache, that doesn't mean there's more physical servers out there running Apache than IIS; just Apache servers are hosting more sites due to the small, cheap nature of a lot of Linux hosted sites. So, in reality, there is a larger install base of IIS machines. Of course Apache is pretty secure, because if they attacked an Apache box at a hosting company they could take down a lot more sites, causing more havoc.

  12. Re:Please wake up... by Lumpy · · Score: 4, Interesting

    Microsoft released a patch, people did not install the patch. Whose fault is that? None of the 1000+ systems in my office were infected because I'm intelligent enough to have policies in place to prevent stuff like this from happening.

    I find that comment funny and sad. Obviously you run in a very tiny shop. We are still TESTING that patch because we are not stupid enough to trust Microsoft. We have had many times a patch completely hose several of our critical apps. And when you are looking at around 500,000 desktops/servers/etc.. you can't do foolish things like installing patches willy-nilly.

    Now let's add the fact that the company is too damned stupid to staff the security and virus team properly. We have 2 people... 2! And maybe 6 machines to test on... We really need about 5 and 20 machines and 2 servers to test on so we can roll this crap out in a timely manner.

    So buddy, Grow Up.

    --
    Do not look at laser with remaining good eye.
  13. Re:Windows only by qasimzaidi · · Score: 5, Interesting

    Mine was probably the only PC left infected in the office. Funnily however, when I tried to download the patch for Sasser from Microsoft (I unfortunately have to dual boot), here is what I got:

    Thank you for your interest in Windows Update. Windows Update is the online extension of Windows that helps you get the most out of your computer. You must be running a Microsoft Windows operating system in order to use Windows Update.

    From what I have heard from my colleagues, this worm attacks when you connect to the net, and Microsoft forces you to connect with a vulnerable system. But then, Windows is a product for dummies from the dummies.

    PS: Tried fooling the script at the Windows Update site by changing the browser identification, but this only prevented the thank-you message; it didn't allow me to download the patch.

  14. Re:M$ - First Post? by Anonymous Coward · · Score: 2, Interesting

    Just to comment on the "educated user" bit. My father works at the EU Commission. The news reports were not overstated. Almost ALL (at least 90%+) of the computers on the Commission intranet (around 25,000 if I remember correctly) were infected with this virus on the 3rd of May. In the end he went home early (like most people) and the admins sorted it out overnight.

    These are computers which are automatically updated from a local mirror when an admin tells them to.

    Sod educated users, lets have some educated admins.

  15. Re:Don't blame Internet Explorer this time by Tackhead · · Score: 5, Interesting
    > This time it's a hole in the so called "Local Security Authority Subsystem Service" that's causing problems.

    One of my first questions when I laid hands on an XP box: "OK, so now that I've un-dumbed-down the thing as much as I can... WTF's this LSASS.EXE process running as SYSTEM, and WhyTF is it listening to port 445, and HowTF do I shut it down?"

    Answer: "Some sort of weird Microsoft shit, I don't know, and there's no way to kill it - in that order."

    Me: "Fuck it, then. Let's block inbound 445 at the router, and on my personal box, I'll try setting my third-party software 'Firewall' to deny all inbound and outbound traffic to it. If anything blows up, I can always permit my box to talk to whatever machines it needs to talk to".

    Nothing blows up. Yet another Microsoft unnecessary service running with SYSTEM privs is forgotten about.

    A year or two later: w00t!

    Win9x may have been an unstable piece of shit masquerading as a graphical DOS shell, but as long as you didn't use Internet Exploiter and Outbreak Excess, you couldn't get pwn3d, because desktops that don't run any listening services are pretty fucking hard to compromise remotely.

  16. interesting thoughts for the future by Anonymous Coward · · Score: 2, Interesting

    At first linux's traction on the desktop was because "windows isn't stable". Then there came windows XP, where most instability is from third party drivers.

    Then a lot of linux's traction has been "windows is insecure". But when windows XP SP2 comes out, the worms will die away a bit, and it will only be social engineering attachment trojans in outlook.

    Then what will linux's attraction be? A better the desktop right? Better browser etc. But when Longhorn finally comes, that might be gone too.

    Linux, to my mind will always be better for myriad reasons, but it has to be a lot better to make people change. And winXP stability, firewalls cutting the worms down, and a better GUI... will it be *that* much better to get people to change?
    This makes the "linux on the desktop" window of opportunity quite finite.

    I, for one, believe we can best microsoft on the home desktop but we need the corporate desktop for the following reason; hardware compatibility.

    "Why?" you ask, well I'll tell you. We need the corporate desktop for hardware support. OSX has a hardware rendered desktop, longhorn will have it too. No linux will be able to have a hardware rendered desktop without GPLed drivers. To get GPLed drivers for most graphics cards, we are going to need the slugging power of at least a 30% stake in business desktops. This makes Ximian/MS integration type projects, mozilla/firefox/thunderbird and openoffice some of the most important battlegrounds you will see in the next few years. Once we have the hardware, we can take them - but don't fire until you see the whites of their CGI rendered eyes.

    And here are some thoughts on that matter, my head's in the clouds for some of it - but we can dream right?;

    Convince XGI to GPL Volari drivers. Standard tactic of an underdog is to use open-source to sling-shot ahead of the competition through features and performance. Directx9 is heavily shader based, but I prefer opengl myself and if you look at these performance statistics http://www.tomshardware.com/graphic/20031107/index.html the only thing a volari needs is GPLed drivers and a linux following.

    GPLed Nvidia and ATI drivers might follow. Who knows.

    The other thing is, put some weight behind an "opensource hardware" movement to get an openGL performance beast that can be manufactured and sold by anyone, as it is an open design. I think with DRM we are going to see the ground ripe for open source hardware configurations. And don't think electrical engineers won't be able to do what software engineers have done with linux.

    Anyway, that's just some memes I wanted to spread around, AC because I don't care about authorship. Just mull them over, because we need all the ideas we can get for the battle to gain a foothold. I am not saying I want to destroy MS, I just want enough market share to be able to have hardware compat and make sure things like DRM don't make their way into hardware (or make sure there is an alternative). From minix to now we have only seen the end of the beginning; business and home desktops, DRM and the very nature of hardware await.

  17. Sasser prevention tips by Anonymous Coward · · Score: 2, Interesting

    1) Enable ICF (Internet Connection Firewall) if using XP or Server 2003. This blocks all unsolicited incoming traffic.

    2) Block the following at the firewall:
    * UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
    * All unsolicited inbound traffic on ports greater than 1024
    * Any other specifically configured RPC port

    (Personal note here: I block *all* ports except 80, 443 (web), 25, 110 (mail).)

    3) Enable advanced TCP/IP filtering to block all unsolicited inbound traffic. See Microsoft Knowledge Base Article 309798.

    4) Block the affected ports by using IPSec on the affected systems.
    (Personal note here: I run a couple of machines over VPN exclusively, and so only the VPN ports need to be open on the firewall for them. Any attack will have to come from within the VPN.)

    These tips are straight from M$, see:
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
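As an added example (not from the thread, and not Microsoft's or portsentry's own code): a small Python script that reads portsentry-style "attackalert" lines, like the one Dr+Caleb quoted further up, and reports sources that repeatedly hit the ports the prevention tips above say to block (TCP 135, 139, 445, 593; UDP 135, 137, 138, 445). The quoted slashdot.org line is included as-is; every other log line, the host names, the IP addresses, and the alert threshold are constructed for this example.

```python
"""
Scan a firewall / portsentry log for repeated probes of the SMB/RPC ports
that the MS04-011 advice in the thread says to block, and list the sources.
Sample log lines below are constructed for this example (only the
slashdot.org line is the one quoted in the thread).
"""
import re
from collections import defaultdict

# Port lists copied from the prevention tips in the thread.
BLOCK_TCP = {135, 139, 445, 593}
BLOCK_UDP = {135, 137, 138, 445}

# portsentry "attackalert" line, e.g.
#   portsentry[]: attackalert: connect from host slashdot.org/66.35.250.150 to TCP port 1080
ATTACK_RE = re.compile(
    r"attackalert: connect from host (?P<name>[^/\s]+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port (?P<port>\d+)"
)

# Constructed sample log; realistic syslog prefixes, RFC 5737 test addresses.
SAMPLE_LOG = [
    # The line quoted in the thread; TCP 1080 is not on the block list, so it is not counted.
    "May  3 01:02:03 fw portsentry[]: attackalert: connect from host slashdot.org/66.35.250.150 to TCP port 1080",
    # Constructed: one source hammering the SMB ports (what a 445 scanner looks like from outside).
    "May  3 01:02:10 fw portsentry[812]: attackalert: connect from host unknown/192.0.2.10 to TCP port 445",
    "May  3 01:02:11 fw portsentry[812]: attackalert: connect from host unknown/192.0.2.10 to TCP port 445",
    "May  3 01:02:12 fw portsentry[812]: attackalert: connect from host unknown/192.0.2.10 to TCP port 139",
    # Constructed: a single hit, below the default threshold.
    "May  3 01:03:00 fw portsentry[812]: attackalert: connect from host unknown/198.51.100.7 to TCP port 445",
    # Constructed: unrelated noise the parser must ignore.
    "May  3 01:03:05 fw sshd[900]: Accepted publickey for alice from 203.0.113.5 port 51515 ssh2",
]


def parse_alert(line):
    """Return (source_ip, proto, port) for a portsentry attackalert line, else None."""
    m = ATTACK_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("proto"), int(m.group("port"))


def is_blocked_port(proto, port):
    """True if proto/port is on the block list from the prevention tips."""
    return port in (BLOCK_TCP if proto == "TCP" else BLOCK_UDP)


def summarize(lines, threshold=3):
    """Count hits on blocked ports per source IP.

    Returns {ip: {"hits": n, "ports": [(proto, port), ...]}} for every source
    with at least `threshold` hits. The threshold is an assumed tuning knob;
    a worm scanning you will usually show up as one IP with many 445 hits.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ip, proto, port = parsed
        if is_blocked_port(proto, port):
            hits[ip].append((proto, port))
    return {
        ip: {"hits": len(ports), "ports": sorted(set(ports))}
        for ip, ports in hits.items()
        if len(ports) >= threshold
    }


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        ports = ", ".join(f"{p}/{n}" for p, n in info["ports"])
        print(f"{ip}: {info['hits']} hits on blocked ports ({ports})")
```

Feed it your own portsentry or firewall log instead of SAMPLE_LOG (one line per element) to see which outside addresses are probing the SMB/RPC ports; a source that appears here is exactly the traffic the tips above tell you to drop at the perimeter, and the quoted slashdot.org line on TCP 1080 correctly does not show up.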

  18. Sassier *is* a virus by cr@ckwhore · · Score: 2, Interesting

    Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet.

    Are you kidding me? By this definition, Sasser *IS* a virus, unlike everything else, which are Worms.

    It seems that we've been living in the land of email worms for so long that most people don't know how to deal with a real virus. Yeah, that's what they do... they spread without your help. Geez!

    --
    Skiers and Riders -- http://www.snowjournal.com
  19. Re:Yeah, I'll run that removal tool. by the+grace+of+R'hllor · · Score: 2, Interesting

    Of course, why don't we all just toss out our E-mail, address books, bookmarks and 'special files' three times a month?

    While all those things can be backed up, practically no one actually does this, and so keeping a system running is top priority.

    Besides which, 'known good media' means 'unpatched windows'. A pre-SP1 WinXP takes about 15-30 seconds from first connect to infection with MSBlaster, even nowadays. What you want people to have is a during-install-service-pack-update.

  20. Re:If Im totally up to date with my MS Security st by DaHat · · Score: 2, Interesting

    Moral of the story: Keep aware of the Critical Updates.
    That... or don't have unrestricted port access to your machine. Because of my efforts, no one in my extended family is permitted to plug their PC directly into their cable modem; all go through NAT routers because of the inherent security benefit of them.

    I admit it, I don't keep up to date on windows updates, simply because my PC is several levels removed from the internet, such that a slew of cataclysmic events would have to occur for me to become infected with anything more than disk fragmentation.

  21. Interesting? by sameerdesai · · Score: 2, Interesting

    Is this why the IRS computers were down yesterday? I had called them up regarding my return and they said all computers were down. Hmmmm...

  22. Dupe.. by shird · · Score: 2, Interesting

    Not only highly inaccurate (IE?), but also covered by Slashdot two days ago.

    New Windows Worm on the Loose

    Stupidest...story...ever...

    --
    I.O.U One Sig.
  23. Re:Patch by MNJavaGuy · · Score: 2, Interesting

    I was referring to how it's not showing up on some of my unpatched machines in Windows Update as a critical update (not at all).

  24. Built in XP firewall not effective by Anonymous Coward · · Score: 5, Interesting

    The built in WinXP firewall does NOT protect against the Sasser worm. I ghosted an XP box three times to confirm this -- not until after applying MS04-014 and/or using an alternative firewall (e.g. ZoneAlarm) did I see protection from Sasser or its variants (if they exist... although I did see LSASS crash a few times without the presence of avserveX.exe on the system).

    I don't know about you guys, but the SASSER worm turned an otherwise boring Sunday into a wickedly exciting day! Thank you worm-guy!

    -s

  25. Re:That's only part of it by Progman3K · · Score: 2, Interesting

    Again, right!

    Net effect?
    These machines will keep crashing until they are DEALT WITH!

    That means brought up to date.
    And that means -
    No more vulnerabilities, no more infections, no more spam-relays...

    I think it's WONDERFUL that this worm causes the computer to reboot constantly; that's SURE to get the system the attention it requires, and in the meantime, it effectively takes it out of commission. :-)

    --
    I don't know the meaning of the word 'don't' - J
  26. Re:M$ - First Post? by RoLi · · Score: 2, Interesting
    But as long as people are willing to give up their passwords for chocolate

    I think you don't understand the problem.

    People giving away passwords are not a problem except for themselves.

    Windows is a problem for everybody because a worm can exploit millions of machines automatically.

  27. Dual boot works for me... by gillbates · · Score: 3, Interesting

    I've found that the best solution to the problem of Microsoft's constant and ever more serious security holes is simple:

    Dual boot with Linux. Linux for the network; Windows for the games.

    Just use Linux as your network-enabled OS, and Windows for everything else. Log off the internet or disconnect your DSL or broadband before you reboot into Windows, and you'll be fine.

    It is really that simple - I just disconnect my network connection when I'm running Windows. Let's face reality here:

    • The majority of PC users run Windows. So you need Windows to communicate with the rest of the world. If you want to write free software that benefits the average PC user, you have to target Windows. There are a lot of "average" users who couldn't use Linux, but not many geeks that can't use Windows.
    • Linux is far more secure when exposed to a network than Windows.
    • Yes, there are patches available for Windows, but some of us have better things to do than constantly patch our machines and spending hours trying to figure out why the latest Microsoft patch "broke" something that worked previously. And...
    • Neither I nor my professional colleagues have the time to constantly patch our desktop machines. We have work to do. We shouldn't have to deal with security holes that shouldn't be present in a commercial operating system.
    • Even should you put forth the effort to stay fully up to date, your boxes still contain a plethora of security holes; 6 months from now, Microsoft will be issuing patches for today's vulnerabilities that have yet to be discovered. Considering that more Windows security holes are discovered in the average month than have been discovered in all 10+ years of Linux's history, I feel a little safer running Linux.

    So the solution is simple: Linux is your network OS, and Windows is your "friends and family" OS.

    --
    The society for a thought-free internet welcomes you.
  28. Coast Guard by baldcamel · · Score: 2, Interesting

    For those that are interested, the worm severely affected the UK coastguard BBC

  29. Weeks to patch by truthsearch · · Score: 5, Interesting

    And let's face it; if your machine is not properly patched, it's probably already being used as a spam relay, so it's not the spammers who would want this.

    In a corporate network environment, such as mine, a few weeks is barely enough time to get a patch onto every desktop. First a few days are spent testing it. Then it has to be pushed out to all of the users. Server patches often have to wait until weekends because they can't be down during the week. Then manual installs have to be done for all the "non-standard" setups.

    Then there's the new computer I got yesterday with our standard corporate developer's build. Of course the build doesn't have the latest patches yet, so when I turn on the computer for the first time, immediately after logging in McAfee catches the virus. So then I have to hunt down the right patches from the right people and reboot repeatedly until I can log into the network without getting the virus.

    So I lost all of yesterday fixing the problems on my two computers and my office is as up to date as possible with getting patches onto workstations. Machines go for weeks without new patches because it's impossible to distribute them when some break applications, and therefore require much testing.

    I wrote a 70 page document explaining why we should switch from Windows to Linux. Management wouldn't even start to read it. This is what they get for their ignorance.

    1. Re:Weeks to patch by Spoing · · Score: 4, Interesting
      I agree on the reasons why management doesn't want Linux. That and fear; they don't run it so they suspect it's major voodoo. Running a test system with a web app or two is like a camel's nose, though.

      "A new computer is like a new baby. You need to inoculate it or it'll get sick. If you're putting it out in a wild environment without protection -- and a suitably large organization is almost as bad as the internet itself -- you're just asking for trouble. The best way to prevent this is to patch it up to a useful level behind a one way firewall. An even better way is to update your corporate ghost image once a month so you're never more than 30 days behind in your patches."

      I strongly disagree;

      Firewalls don't protect jack if ports are open client side within your network that shouldn't be.

      Infections can't be stopped by running virus scanners.

      Testing is very much necessary, as is customizing the desktop so that it doesn't have exposed interfaces. (Run a port scan or better yet Nessus. Know what's running and in most cases TURN IT OFF.)

      Baseline configuration is the way to go since you're at the mercy of the vendor's marketing team otherwise -- and marketing teams don't care about security, stability, or usefulness.

      When done with this, go back and work on tuning firewall(s) and routers. Split the network into parts that are isolated by function using the router; accounting should not be directly accessible from development or development from production.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
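The "know what's running and turn it off" check from the reply above, as an added example that is not part of any post in this thread: it parses netstat-style output for a host, compares the listening sockets against a baseline allowlist for that host's role, and reports what should be disabled or firewalled. The netstat sample and the "developer workstation" baseline are constructed for the demonstration; in practice you would feed in real `netstat -an` output (or an nmap/Nessus scan) per host and keep one baseline per role.

```python
"""Audit a host's listening sockets against a per-role baseline.

Added example, not code from any poster. The sample output below is
constructed in the format of Windows `netstat -an`; the baseline for a
"developer workstation" role is an assumption for the demonstration.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# Constructed sample: one TCP client connection (not a listener) and
# several bound sockets, including ports no workstation role should need.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1057      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1434           *:*
"""

# proto, local addr, local port, foreign addr, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return the set of (proto, addr, port) the host accepts traffic on.
    TCP sockets count only in LISTENING state; UDP sockets carry no state
    and count whenever they are bound."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add(Listener(proto, addr, int(port)))
    return found


def audit(listeners, baseline):
    """Split listeners into those the role baseline permits and those that
    should be turned off or blocked. `baseline` is a set of (proto, port);
    the bind address is kept for the report but not used for the decision."""
    permitted = sorted(l for l in listeners if (l.proto, l.port) in baseline)
    unexpected = sorted(l for l in listeners if (l.proto, l.port) not in baseline)
    return permitted, unexpected


# Hypothetical baseline: file sharing and remote desktop allowed, nothing else.
WORKSTATION_BASELINE = {("TCP", 139), ("TCP", 445), ("UDP", 445), ("TCP", 3389)}

if __name__ == "__main__":
    ok, bad = audit(parse_listeners(SAMPLE_NETSTAT), WORKSTATION_BASELINE)
    for l in bad:
        print("TURN OFF or firewall: %s %s:%d" % l)
```

Running this on the constructed sample flags TCP 135, TCP 5554 and UDP 1434 as outside the workstation baseline; whether each is a service you genuinely need or something to disable is the decision the baseline forces you to make explicitly, per role, instead of trusting whatever the vendor image turned on.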
  30. Re:Please wake up... by NatasRevol · · Score: 2, Interesting

    Specifically what needs fixing?
    Security.
    What part of Windows' design needs fixing?
    Security issues.
    What part of the base needs fixing?
    All the remote exploits.
    What would *you* do to fix Windows?
    sudo rm -rf /

    Hope that clears it up for you!

    --
    There are two types of people in the world: Those who crave closure
  31. Two words.. Hardware Firewall by Nonillion · · Score: 5, Interesting

    If most users would quit being so cheap and buy a firewall appliance like a linksys router, or (for the more savvy) build a Coyote linux box we wouldn't have half of these problems. I run Win2k, Solaris and SuSE linux. The linux box is the only one exposed to the net and hasn't been rooted/hijacked once in the three years it has been exposed. Running stuff like Zone Alarm is like giving a band aid to someone who has a big gaping wound.

    --
    "I bow to no man" - Riddick
  32. Re:Please wake up... by Anonymous Coward · · Score: 1, Interesting

    "2) Why the fuck is that port turned on by default? What the heck is the service doing? Most users don't use that service so it should be turned off by default. sheesh!"

    It's used for filesharing. Chances are that you have used this service. The latest version of Samba even supports sharing files on this port. It's not some obscure port. Best learn what you're talking about before finding fault.
  33. Re:Heard of a firewall? by MCraigW · · Score: 2, Interesting

    The company for which I work requires anything that ever connects to the internal network to have a personal firewall installed.

    We also require the installation of a service that installs various updates (Microsoft and others) after they have been approved by a team that installs and tests them.

    We have around 36,000 employees world wide, and this virus hasn't affected us.

  34. Re:Don't worry.... by Ruprecht+the+Monkeyb · · Score: 5, Interesting

    Yes, they released the patch 21 days ago. They also released a hotfix at the same time that breaks a non-trivial # of computers.

    Those of us forced to work and support a Windows environment are caught between a rock and a hard place. We don't dare apply a brand-new patch on production servers, or roll it out across the enterprise, but if we wait too long, an exploit hits what the patch supposedly fixed, and we get smacked (plus raked over the coals on /. for being incompetent).

    I try to get new so-called critical patches applied within 7 days -- usually sooner, depending on when I can afford to take servers down, etc. But it won't be long before one of these wide-spread worms hits a vulnerability that's just been patched in the last day or two. Hell, I run several layers of AV protection that checks for updates hourly, and twice I've gotten hit by viruses before the updated signatures were available.

  35. Trend Micro Damage Cleanup by Fez · · Score: 3, Interesting

    A tool that I use quite often seems to go ignored time and time again.

    Trend Micro Damage Cleanup is a free after-the-fact cleanup tool that will fix just about any virus (As long as the pattern file is downloaded...) It scans drives, registry, etc. The only drawback is that it's quite large (The pattern file is ~8.5MB and the Scanner is ~1.6MB).

    It blows Norton's one-fix-per-virus tools away, except from a portability standpoint. Also helps make sure you don't leave other viruses behind. (Did I run the Netsky.QZX removal tool, but not the Netsky.ZZB one?)

    Yesterday it found 530 copies of Agobot (3 Variants) and Sasser.B on one person's PC.

  36. Re:Auto updates and quick patches by 7-Vodka · · Score: 2, Interesting
    "What is worse? A few broken computers, or a r00t3d network?"

    I think your priorities are wrong. Patch them, patch all the mofos on the day the patches come out. Do it automated if you have to. I wouldn't even care if my patching rebooted a computer while the luser was doing something on it. "If you wanted 5x9's of uptime you wouldn't have gone with windows, now suck it up while I do the ritual that keeps this shitty OS semi-secure"

    If the patches break a few apps, then take the time to go fix them individually. If they do real damage sue the shit out of M$. Isn't that the usual attack on Free Software? "who do we sue when shit breaks?". Besides, no one ever gets fired for choosing M$ right? Instead of having a compromised network (IMHO 100X worse) you may have some borked apps. So tell people it's all M$'s fault, go fix them and at least your network is secure for now.

    That is until M$ holds onto a security hole for months without patching it and someone releases a worm first.

    And if you're worried M$ is spying on you, why don't you call and complain? why don't you sue them? Oh yeah that's right it must be that legally-binding contract you have with them called an EULA which gives them all your base and the right to piss on you too. Have a nice day.
    --BOFH

    --

    Liberty.

  37. Re:Please wake up... by slackerboy · · Score: 4, Interesting

    "1000+ systems"
    "Obviousally you run in a very tiny shop."
    " 500,000 desktops/ servers/ etc."

    Something about this exchange just struck me as really odd. So let's be generous and assume that the companies in question have 2 computers for every employee (unlikely). According to this page, that would place the first company in the top 0.306% of businesses in the U.S. and the second company in the very elite 0.016% of businesses in the U.S.! Tiny shop, my ass.

    --
    Things to do today: See list of things to do yesterday
  38. Re:Auto updates and quick patches by cavebear42 · · Score: 3, Interesting

    IT@large_corporate_network here.
    True, auto updates aren't good for business critical machines. Microsoft gives you 2 ways to do the updates: you could use the automatic updater and put up an update server so you can control what is updated. Alternately, you could use SMS.
    If it takes you weeks to do testing, you should consider a more standardized loadset. If you were using one, the 90% of the systems who can use that loadset could be tested in a few hours. If you have users requiring manual installs, there are options like patch management systems (I like HFNetChkPro by Shavlik) or putting the patch installer into the login script.
    On adding to the corp. build, you need a leaner process, I can get it up in about a week.
    For all of this, and the server reboots, let me remind you that the patch was 21 days before the worm.

    Also, why does this article act like the worm is a new concept?

  39. Re:Don't worry.... by bluntmanspam · · Score: 2, Interesting

    About the patch being released 21 days ago:
    Our machines were all patched up as of Wednesday and still got screwed by this worm. Microsoft released a new patch after that and we all apparently needed it to stop the servers rebooting. They weren't getting infected, but they were effectively DOSed until they were patched Saturday.

    Before I get derided about not having them behind a firewall, they were getting hit by users who were behind our shields.

  40. Broken vs. rooted by truthsearch · · Score: 3, Interesting

    First, I didn't choose Windows. I recommended Linux and/or BSD with a 70 page research document to back it up. Management ignored it. Second, I'm a developer, not an admin, so I have no say in the patching process.

    As a developer I can tell you when patch goes out that breaks an existing corporate app, execs get furious at the developers. If I write application X then any time X doesn't work it's my fault. No matter what, the apps have to work. The multi-billion dollar corporation comes to a halt if the fundamental custom apps aren't working. A problem caused by a patch from Microsoft can't always be resolved by adjusting code in our apps. Management cares a lot less if we're rooted because at least business can continue.

    Of course I think Microsoft should be sued for some of the problems we have. I don't think everything in the EULA will hold up in court in every state. But it's not my decision. And I also agree management has no one to blame but themselves for sticking with Microsoft. They get what they deserve. All I can do is write the best apps I can and get paid for it.

  41. Re:How Come These Things Are Not REALLY Bad by simetra · · Score: 3, Interesting

    I wonder the same thing. It's probably only a matter of time before one is written that deletes files. Just think, if one scanned a drive and deleted .doc, .mdb, .xls, .ppt, .zip files. Just imagine how bonkers the suits would go.

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  42. Re:This is so frustrating by praxis · · Score: 2, Interesting

    "I'll think you'll find there are many companies and organisations whose IT staff are responsible and on-the-ball, but the shocking mess that is Windows, means that this crap beats them anyway. Honestly - I'm not one to bash Microsoft, but after this run of worms, I've realised that the state of OS security is inexcusable. Literally - there are no excuses for it, whatsoever."

    Do responsible and on-the-ball IT staffs use SMS to patch their workstations in case individuals forget. Do responsible and on-the-ball IT staffs use a domain policy to enforce firewall rules on individual workstations. Do responsible and on-the-ball IT staffs enforce the running of up-to-date antivirus software on each workstation. Do responsible and on-the-ball IT staffs use external firewalls, IDSes, etc? Is there an excuse *not* to? Is it not due diligence on MSFTs part to release the patch (a month ago), supply a domain policy controlled firewall for each workstation, SMS servers for patch distribution, and leave it up to the IT staffs to deploy them properly. I think MSFT did it's due diligence here, and the IT staffs of infected networks did not.

  43. in our case? a broken network. by RMH101 · · Score: 4, Interesting

    we collect data from clinical trials, and we do so in a validated manner as we're inspectable by the FDA. i'd rather disconnect our LAN from the WAN and work with reduced functionality than just patch the servers willy nilly and break our validation. we can't apply *anything* without formally testing it as it could potentially affect data. it's fine if you're just doing bogstandard file'n'print, but for other stuff you can't just go installing patches that may or may not impact production systems.

  44. Re:Reverse FUD by Anonymous Coward · · Score: 1, Interesting

    try admining real users instead of a bunch of secretaries then. It's not IE we're worried about. It breaks CAD programs, simulation programs, programs that tell machinery where and how to dig, etc. Hell, a friend of mine admins at a coal mine. He applied SP4 to Win2K. Should be able to trust it right? WRONG!!! If he hadn't caught that it crashed critical software and stopped applying the service pack right away, just imagine what could have happened. This is why it is so important to test patches, especially from M$. Because they can't be trusted.

    So, in answer to your question; A SHIT LOAD!!!!

  45. Re:in our case? a broken network. by Aetrix · · Score: 4, Interesting

    I also work with clinical trials and the FDA breathing down my neck. My office is all running Macs. Intentionally. We knew that the small functionality loss from "going Mac" would be much much less than the horrific security problems unleashed on the Windows World.

    --

    "One touch of Darwin makes the whole world kin." George Bernard Shaw
  46. Re:This is so frustrating by SlashDread · · Score: 2, Interesting

    I take offence at your remarks.

    - After 15 years of exp in the field, I DO have an iota. At least one for initiative.

    - We DO have a firewall.

    - We have an Auto-Update push server. It should have updated us last week, but who knows? SUS server reporting is crap.

    - We were hit, four laptops running XP. (They may have picked it up from outside, but they were surely spreading it inside.) A Citrix server BSOD'd from the patch.

    - Microsoft sells its products as if a 12 y/o can administrate it; knowledge where it is needed about security and firewalls is not properly taught.

    - MS admins generally are busy reinstalling laptops, updating MS office, cleaning up after McAfee detected Yet Another Virus.

    - MS is totally dominant on the desktop, which they don't mind, but it does help the speed at which worms spread.

    - These remote root exploits, seem to often hit EVERY windows flavour, that worries me. When will this cardhouse fold?

    - If you piss off enough people, people will push back. MS pisses off a lot of people.

    In essence, all this I blame on... well not me.

    well I learned one thing, personal firewalls on windows are becoming a necessity.

    "/Dread"

  47. Re:Auto updates and quick patches by llefler · · Score: 3, Interesting

    "Overall, I'd say the risk of a patch breaking something on your specific machine (as opposed to a few random thousand of the 100s of millions out there) is much lower than the risk of a virus hitting you while you're "testing" the patches."

    That hasn't been our experience here. Less than a year ago we specifically put together a plan for staged rollouts of patches. It started with a get tough plan to make sure all servers were up to date, followed by several applications on all of our middle tiers working erratically. It took a week for the programmers of the affected apps to get the problem fixed and working reliably. Things were starting to get a little ugly and users were not happy. Result: we have three stages of rollouts; test systems, first half production, last half production. None of which install automatically.

    I wasn't affected in that case, but I have had MS 'fixes' break critical systems. A while back a 'fix' of the generic text printer driver caused it to eat the first character of each line. Barcode printers stopped working. And no barcodes, no shipping. Spent a day finding it, added a sacrificial space to each line, system is back online. A year later, MS fixes the 'fix' and the driver is working correctly again, but now the printers are choking on the extra space. Pull our fix for their 'fix', and our systems are back in a couple hours. But only because I remembered the previous problem and work around.

    As to timeframe; it takes time to test complicated systems. Add to that the effects of the economy and companies are expecting more from fewer developers. So we have to balance our time between business requirements and testing MS patches. Being late installing a patch doesn't show up on my annual review, missing development deadlines does.

    As far as getting hit; we don't get hit very often, today is the first case of an infected server that I can remember since code red hit our website. We have up-to-date scanning on our systems, SUS for desktop patches, email scanning, and properly configured firewalls.

    Today we are fighting with a variant of a worm that isn't being detected by our scanners. But also doesn't appear to be using a vuln fixed by any patch. But that's a problem for Operations; developers are coding today, not chasing MS bugs.

    --
    It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman
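The staged rollout that cavebear42 (standardized loadset, controlled update server) and llefler (test systems, then first half of production, then the rest, none automatic) both describe, as an added example that belongs to neither poster and is not any vendor's patch tool. Hosts are assigned to three rings deterministically, and each ring is promoted to the next only if its post-patch health check passes; a failure halts the rollout so the remaining hosts stay unpatched but working while someone investigates. The host names, the half/half split rule and the "which hosts the patch breaks" set are constructed for the demonstration.

```python
"""Ring-based patch rollout with gated promotion.

Added example, not from any poster in this thread. Everything below
(host names, the split rule, the health-check outcome) is constructed.
"""


def assign_rings(hosts, test_hosts):
    """Ring 0 is the test systems. Production hosts are split in half by
    their position in sorted order, so the split is stable between runs
    as long as the inventory is the same (a hash of the hostname would
    also work; sorted position is used here so the result is easy to
    predict)."""
    rings = {0: [], 1: [], 2: []}
    prod_index = 0
    for host in sorted(hosts):
        if host in test_hosts:
            rings[0].append(host)
        else:
            rings[1 if prod_index % 2 == 0 else 2].append(host)
            prod_index += 1
    return rings


def run_rollout(rings, apply_patch, health_check, max_failures=0):
    """Apply the patch one ring at a time. A ring is promoted only if no
    more than `max_failures` hosts fail the post-patch health check;
    otherwise the rollout halts and later rings are left untouched.
    Returns (patched_hosts, failed_hosts, halted_at_ring_or_None)."""
    patched, failed = [], []
    for ring in sorted(rings):
        ring_failures = []
        for host in rings[ring]:
            apply_patch(host)
            patched.append(host)
            if not health_check(host):
                ring_failures.append(host)
        failed.extend(ring_failures)
        if len(ring_failures) > max_failures:
            return patched, failed, ring
    return patched, failed, None


def simulate(all_hosts, test_hosts, broken_by_patch):
    """Constructed scenario: `broken_by_patch` is the set of hosts whose
    application stops working once the patch is on (the barcode-printer
    kind of breakage). apply_patch just records the host."""
    applied = []
    rings = assign_rings(all_hosts, test_hosts)
    return run_rollout(rings,
                       apply_patch=applied.append,
                       health_check=lambda h: h not in broken_by_patch)


# Hypothetical inventory: two test boxes and five production middle tiers.
TEST_HOSTS = {"test-app01", "test-app02"}
PROD_HOSTS = {"prod-mid01", "prod-mid02", "prod-mid03", "prod-mid04", "prod-ship01"}
ALL_HOSTS = TEST_HOSTS | PROD_HOSTS

if __name__ == "__main__":
    # The shipping host breaks, but nothing like it is in the test ring:
    # the breakage is only caught in ring 1, after half of production.
    print(simulate(ALL_HOSTS, TEST_HOSTS, {"prod-ship01"}))
    # Same patch, but the test ring has a representative shipping box:
    # the rollout halts in ring 0 and production is never touched.
    print(simulate(ALL_HOSTS | {"test-ship01"},
                   TEST_HOSTS | {"test-ship01"},
                   {"test-ship01", "prod-ship01"}))
```

The two scenarios in the usage block are the point of cavebear42's "standardized loadset" argument: the ring structure only helps if ring 0 actually contains a host that looks like each production role, otherwise the first failure lands in production anyway.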
  48. Risk of applying patches by BigBlockMopar · · Score: 2, Interesting

    "If you don't believe me, Google around for articles about patches breaking machines versus articles about viruses breaking machines. I think you'll see that some of the latest viruses and worms hit in the many millions, whereas the problems experienced from patches hit in the many thousands or are not completely debilitating."

    Great! You can explain that to my boss when 500 out of the 600 users in my organization are unable to work because a Microsoft patch broke one of our servers and everything has to be reinstalled from scratch and incremental backups, only to be hit 5 minutes later by the very worm we'd applied the patch against!

    Recovery from that - conservatively, a day. Conservatively. Now, these 500 people are out of work for a day, but they're salaried... lawyers, Judges, court reporters, clerks. The average salary is probably $75,000 in this organization. That's about $300 per day per employee, or $150,000 in damages. Never mind the fact that we have to run on set schedules or else other bad things happen. I can't take that risk, even if it's 1 in 100, before I click on that little Windows Update icon.

    Theoretically, of course, the patch shouldn't do anything but fix the poor bounds checking in some DLL or something - just replace the DLL with a corrected binary. But if you've ever applied a patch, you *know* they play with all sorts of other things. We run Novell, and I've used Snapshot on PCs before and after applying what should be very simple patches, only to find dozens of files and unrelated registry keys have been changed. Microsoft clearly does other stuff in patches - quiet fixes of other problems which haven't been publicized, adding DRM software, I don't know but you can only guess at their motives - and how long until one of those breaks one of my production servers?

    No, man. I need to be able to look at a patch and know exactly what it does, so that I can tell in advance if it's going to break something. I need the diffs between the patch and the original source so that if it does break something, my developers can immediately know what changed and how to work around it. I need to be able to apply them individually without requiring a reboot of the server, just a restart of the daemon (ahem... service) in question.

    And I ain't gonna get any of that from Microsoft. But, unfortunately - and it wasn't my decision - this server is running Windows 2000 Server, and the best thing I can do is hope that there's no e-mail borne version of the worm to get it into my LAN.

    --
    Fire and Meat. Yummy.
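The before-and-after comparison the poster above runs with Novell Snapshot, as an added example that is not that tool and not the poster's own code: hash every file under a tree before the patch, hash again after, and list what was added, removed or modified, then subtract the files the patch's release notes say it touches to get the "dozens of unrelated files" list. The file side only; registry keys are out of scope for a portable script. The demo builds a throwaway tree in a temp directory, and the file names in it are constructed, not real system paths.

```python
"""File-tree snapshot diff for auditing what a patch actually changed.

Added example, not from the thread and not Novell Snapshot. The demo
tree (example.dll, printer.ini, newhelper.dll) is constructed.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, sha256 hex) for every regular file
    under root. Symlinks are skipped so a link target outside the tree
    cannot be reported as a change inside it."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), h.hexdigest())
    return snap


def diff_snapshots(before, after):
    """Added, removed and content-modified paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def unexpected_changes(diff, expected_paths):
    """Everything the patch touched that its release notes did not list."""
    touched = set(diff["added"]) | set(diff["removed"]) | set(diff["modified"])
    return sorted(touched - set(expected_paths))


def demo():
    """Constructed scenario: the patch is advertised as replacing one DLL,
    but it also drops a new helper and rewrites an unrelated config file.
    Returns (diff, unexpected) so the result can be checked."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("system32/example.dll", b"old vulnerable build")
        write("system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        write("app/printer.ini", b"strip_leading=0\n")
        before = snapshot(root)

        # "Apply the patch": one advertised change, two undocumented ones.
        write("system32/example.dll", b"fixed build")
        write("system32/newhelper.dll", b"undocumented")
        write("app/printer.ini", b"strip_leading=1\n")
        after = snapshot(root)

        d = diff_snapshots(before, after)
        return d, unexpected_changes(d, ["system32/example.dll"])


if __name__ == "__main__":
    d, unexpected = demo()
    for kind in ("added", "removed", "modified"):
        print(kind, d[kind])
    print("not in release notes:", unexpected)
```

Take the "before" snapshot from a clean baseline image rather than a machine that has been running for months, or the diff will be full of log and cache churn that has nothing to do with the patch; the hashes, not just sizes and timestamps, are what make the comparison trustworthy when a binary is replaced by one of the same length.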
  49. Re:How Come These Things Are Not REALLY Bad by theCat · · Score: 4, Interesting

    We're still in the "hobbyist" phase of virus creation. Folk do this for the same reason that people used to write their own software; because it is l33t. We have recently seen some more "applied" virus writing, as when a virus sets up a zombie computer for spam uses later. Or even, when one virus goes after another.

    Now imagine a real "virus industry". There would be serious R&D, business plans, virus development models, project management, the works. Probably even some code QA and testing. Why? Because there would be money in it. Don't know what the money would be, but if there were to be some then the "virus industry" would emerge overnight.

    The idea that a virus could be stealthy (or clever) enough to avoid detection and just sit around on infected PCs is part of the transition from hobby to a business. I've been noticing that already there is a sort of "dark Internet" of zombies that can do pretty much whatever someone needs them to do, enabled by viruses. Aside from spam, here are some other uses for those machines:

    -- set up virtual casinos that dissolve instantly when the vice cops arrive.
    -- set up distributed supercomputers for unlawful uses, like cracking access codes or breaking IPSec packets
    -- have zombies not only monitor their users, but via something like ethereal monitor the broader Internet for traffic within their subnet. Imagine Carnivore on crack, and in the hands of the Mafia.
    -- use zombies to launch focused, sustained DDoS attacks against adversary nations
    -- use zombies as advanced positions to launch new rounds of virus outbreaks with split second timing and absolute accuracy, in this way overcoming most defensive responses in the first 15 seconds. Build a newer, stronger zombie network each time. slowly take over the Internet. ...

    Profit

    It's coming, people. You know it and I know it. Every habitat has its unseen underbelly, its fetid swamp, its decaying compost, and the Internet is about to get its own sewer system, full of rats and disease and decay.

    Will we care? Nope. It will just be there and we'll eventually learn to live with it, or use it to our own purposes.

    --
    =^..^= all your rodent are belong to us
  50. Yeah...this one has legs by Anonymous Coward · · Score: 2, Interesting

    This one will have real legs. You see, in order to cure the infection, you will have to get the cure. This can be gotten from various sources. That will cure it...for now. It will not immunize you from getting it again..and again..and agagggaaggaain! This is because the security vulnerability in windows' Lsass.exe program remains and will remain so for as long as there is a microsoft and as long as they are a predatory computer thug on the face of this world.
    You see, to get the fix for the windows weakness that microsoft left in the system for we users and 'buyers', you first have to access their site, not someone else's mirror site, microsoft's site. Not just any access though! No! No!! You have to provide 'special' access to microsoft. Microsoft wants to 'web install' your patch. That means it downloads what it wants to, then runs it....ALL FROM THE WEB!!? And we are also expected to go into our security settings and set microsoft's site as a trusted site just like it was the computer in your father or mother's den on your home network. You are further supposed to trust microsoft explicitly and implicitly for all the content that they download into your machine. You are supposed to accept without question that you will never see what they really downloaded and ran in your machine. You are supposed to never question what they do, however they do it, or whenever they do it! This from the company that gave you the bug in the first place and lobbied the government hard to make illegal the mere reporting of the existence of these bugs.
    Let's run this back and follow another bouncing ball. Let's say that you bought a car from a company like microsoft. It had a defect that could kill you or a member of your family. Somebody found out about this defect and reported it in a newspaper in a letter to the editor and signed it with his name (most newspapers demand this from their letter writers). Under the present laws, that person who wrote the letter could be tried under the terrorism sections of those laws for telling you that you and yours were in danger. In addition, the man could be forced to pay the maker of the car for the potential costs to the company for fixing those cars....not the actual costs....the potential costs. The company would never have to fix those cars because you signed a 'EULA' that said you would hold the company harmless for anything that happened to you and yours in connection with your allowed use of the car. In addition, you were not allowed to fix the car yourself as this would compromise the company 'secrets' and you also agreed to protect THOSE as well. On top of this, if grievous harm came to you or yours as a result of these faults of the company, and after pursuing the company all the way to the US Supreme Court you finally won a case that said the company was at fault, another provision of this same 'EULA' said that the limitation of your ability to collect from said company would be the lesser of your claim or five United States Dollars (actual EULA provisions in some software
    'licences'). On top of that, if the company did decide to fix your car, you would have to provide a room in your house for him or her to live while the fixing would be done, and you would have to leave the house and live in a hotel while it was being done. You would also have to leave all your valuables in your house for the company's perusal (secret installation of secret files on top of total access as a 'trusted' user on your network...this also gives total access to all files on your machine[s]). Don't laugh!
    This is only a real world illustration of the miserable, tawdry, mendacious 'end user licence agreements' that you and yours sign every day whenever you install a 'bought and paid for' program into your machine. If you really read those agreements and realize what you throw away every day and every time you click yes on these conundrums; if you had an ounce of pride in your evidently worthless hides; you would remove those programs and the operating