Sasser Worm Disruption Growing
thebra writes "Yet another virus is causing problems with Internet Explorer. 'Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet.' A removal tool can be found here."
Here at work, none of our employees can connect to the VPN, hence nobody can get work done, hence I'm sitting here with my phone ringing off the goddamn hook.
Capital punishment for worm writers!
What does Sasser actually DO?
Usually, viruses have a goal, like collecting your personal information, DDOSing SCO, or SOMETHING...
What does this one actually do?
My theory is that someone wrote it to disable all the spamware-infested computers out there.
They can't be spamming us if they're rebooting constantly, can they?
And if the owner doesn't disinfect them and protect them from future attacks, they'll just start rebooting again...
I don't know the meaning of the word 'don't' - J
From my understanding of the Sasser worm, it infects vulnerable Windows PCs by probing and connecting through a specific open port, and then launching some Windows specific code designed to infect and propagate the worm. My question is of a largely theoretical, yet insightful nature: if a Linux machine is running a Windows emulation environment, such as WINE, and the Sasser specific port is open, is it possible that Sasser could attack and infect the Linux PC? After all, if WINE is at a level of compatibility which allows Linux users to run complex Win32 apps such as Microsoft Office, is it also not inconceivable that some Windows vulnerabilities have been emulated also? I look forward to the community's response.
All the computers the UK Coastguard use have been affected according to this BBC story
Struggling to find a day everyone can make? WhenShallWe.com
I'd like to know:
When is someone going to put a genetic algorithm into their virus/worm?
Something that mutates the worm's parameters (ports, timing delays, IP-search strategy, etc.) so that the most virulent parameters are found by "natural selection"?
Seems like an ideal application for genetic algorithms.
K.
I have zonealarm setup on a home PC and it failed to keep Sasser out. So much for a personal firewall.
And yes there is AV on it, but it was infected before the updates had even come down.
Same s**t, different day
Apache has the largest market share in HTTP servers, and it's not the most hacked.
I always see this posted and I think people get this mixed up. More web sites are hosted on Apache servers, but there are more physical boxes running Windows.
Example:
I just left a job working at one of the largest internet hosting companies. We hosted close to 300,000 web sites; both Windows and Linux. Our customer base was roughly 60% Linux and 40% Windows; hosted on a little over 5,000 servers.
If you were to know the number of servers we have and looked at a Netcraft scan you would assume the following:
3,000 servers running Linux web sites
2,000 servers running Windows web sites
But that would be incorrect. Most of our Linux sites are cheap little geek home pages where we have a couple hundred sites hosted on a server. Our dedicated sites, big e-commerce sites, are mostly running on Windows boxes. So we have some servers running hundreds of sites and others running 1+ sites.
What's my point? In reality it's more like 1,500 servers running Linux (Apache) and 3,500 running Windows (IIS). I've worked at a couple large hosting companies and it's the same at all of them. So when you see the Netcraft report stating that 65% of the web is running on Apache, that doesn't mean there's more physical servers out there running Apache than IIS; just Apache servers are hosting more sites due to the small, cheap nature of a lot of Linux hosted sites. So, in reality, there is a larger install base of IIS machines. Of course Apache is pretty secure, because if they attacked an Apache box at a hosting company they could take down a lot more sites, causing more havoc.
Microsoft released a patch, people did not install the patch. Whose fault is that? None of the 1000+ systems in my office were infected because I'm intelligent enough to have policies in place to prevent stuff like this from happening.
I find that comment funny and sad. Obviously you run in a very tiny shop. We are still TESTING that patch because we are not stupid enough to trust Microsoft. We have had many times a patch completely hose several of our critical apps. And when you are looking at around 500,000 desktops/servers/etc., you can't do foolish things like installing patches willy-nilly.
Now let's add the fact that the company is too damned stupid to staff the security and virus team properly. We have 2 people... 2! And maybe 6 machines to test on... We really need about 5 and 20 machines and 2 servers to test on so we can roll this crap out in a timely manner.
So buddy, Grow Up.
Do not look at laser with remaining good eye.
Mine was probably the only PC left infected in the office. Funnily however, when I tried to download the patch for Sasser from Microsoft (I unfortunately have to dual boot), here is what I got: "Thank you for your interest in Windows Update. Windows Update is the online extension of Windows that helps you get the most out of your computer. You must be running a Microsoft Windows operating system in order to use Windows Update." From what I have heard from my colleagues, this worm attacks when you connect to the net, and Microsoft forces you to connect with a vulnerable system. But then, Windows is a product for dummies from the dummies. PS: Tried fooling the script at the Windows Update site by changing browser identification, but this only prevented the thank-you message; it didn't allow me to download the patch.
One of my first questions when I laid hands on an XP box: "OK, so now that I've un-dumbed-down the thing as much as I can... WTF's this LSASS.EXE process running as SYSTEM, and WhyTF is it listening to port 445, and HowTF do I shut it down?"
Answer: "Some sort of weird Microsoft shit, I don't know, and there's no way to kill it - in that order."
Me: "Fuck it, then. Let's block inbound 445 at the router, and on my personal box, I'll try setting my third-party software 'Firewall' to deny all inbound and outbound traffic to it. If anything blows up, I can always permit my box to talk to whatever machines it needs to talk to".
Nothing blows up. Yet another Microsoft unnecessary service running with SYSTEM privs is forgotten about.
A year or two later: w00t!
Win9x may have been an unstable piece of shit masquerading as a graphical DOS shell, but as long as you didn't use Internet Exploiter and Outbreak Excess, you couldn't get pwn3d, because desktops that don't run any listening services are pretty fucking hard to compromise remotely.
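The post above ends by blocking inbound TCP 445 at the router and watching for anything that breaks. The complementary defensive step is to notice when one host on the network starts probing many neighbours on that port, which is the propagation pattern the thread describes for Sasser. The script below is an added example, not code from the original thread or from any poster: it parses iptables-style firewall log lines (the sample lines, the host names, the RFC 5737 addresses and the thresholds are all constructed for illustration) and flags any source that reaches an unusually large number of distinct destinations on port 445 inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture). One internal host (192.0.2.10)
# sweeps six neighbours on TCP 445 in about twelve seconds; 192.0.2.20 talks
# to a single file server on 445 twice a few minutes apart; 192.0.2.30 is
# plain web traffic. One junk line checks that unparseable records are skipped.
SAMPLE_LOG = """\
May  1 14:02:01 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3421 DPT=445
May  1 14:02:02 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=3422 DPT=445
May  1 14:02:04 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=3423 DPT=445
May  1 14:02:05 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP SPT=3424 DPT=445
May  1 14:02:09 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=3425 DPT=445
May  1 14:02:13 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.10 PROTO=TCP SPT=3426 DPT=445
May  1 14:02:14 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.11 PROTO=TCP SPT=3427 DPT=139
May  1 14:00:30 gw kernel: ACCEPT IN=eth1 SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=1055 DPT=445
May  1 14:03:10 gw kernel: ACCEPT IN=eth1 SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=1056 DPT=445
May  1 14:03:12 gw kernel: ACCEPT IN=eth1 SRC=192.0.2.30 DST=198.51.100.80 PROTO=TCP SPT=2001 DPT=80
this line is not a firewall record and is skipped
"""

# Syslog timestamp followed by the fields netfilter logging emits; field order
# (SRC, DST, PROTO, ..., DPT) is the one iptables LOG uses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict (ts, src, dst, proto, dpt) for a firewall record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog carries no year; strptime defaults to 1900, which is fine since
    # only differences between timestamps are used. Collapse the double space
    # in day-of-month fields such as "May  1".
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def find_scanners(lines, port=445, min_targets=5, window_seconds=60):
    """Map each source that touched >= min_targets distinct hosts on `port`
    within any window_seconds span to the largest such count observed.

    Thresholds are illustrative: tune them to the normal SMB fan-out on the
    network being watched (a file server or a backup host legitimately
    reaches many peers on 445)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # distinct destinations currently in the window
        left = 0
        best = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the left edge forward until the window is at most window_seconds wide.
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: reached {n} distinct hosts on 445 within 60s")
```

On a real gateway the same function can be fed from the kernel log, and the flagged source is the machine to pull off the network and clean rather than the hosts it was probing.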
The built-in WinXP firewall does NOT protect against the Sasser worm. I ghosted an XP box three times to confirm this -- not until after applying MS04-014 and/or using an alternative firewall (e.g. ZoneAlarm) did I see protection from Sasser or its variants (if they exist... although I did see LSASS crash a few times without the presence of avserveX.exe on the system).
I don't know about you guys, but the SASSER worm turned an otherwise boring Sunday into a wickedly exciting day! Thank you, worm-guy!
-s
I've found that the best solution to the problem of Microsoft's constant and ever more serious security holes is simple:
Dual boot with Linux. Linux for the network; Windows for the games.
Just use Linux as your network-enabled OS, and Windows for everything else. Log off the internet or disconnect your DSL or broadband before you reboot into Windows, and you'll be fine.
It is really that simple - I just disconnect my network connection when I'm running Windows. Let's face reality here:
So the solution is simple: Linux is your network OS, and Windows is your "friends and family" OS.
The society for a thought-free internet welcomes you.
And let's face it; if your machine is not properly patched, it's probably already being used as a spam relay, so it's not the spammers who would want this.
In a corporate network environment, such as mine, a few weeks is barely enough time to get a patch onto every desktop. First a few days are spent testing it. Then it has to be pushed out to all of the users. Server patches often have to wait until weekends because they can't be down during the week. Then manual installs have to be done for all the "non-standard" setups.
Then there's the new computer I got yesterday with our standard corporate developer's build. Of course the build doesn't have the latest patches yet, so when I turn on the computer for the first time, immediately after logging in McAfee catches the virus. So then I have to hunt down the right patches from the right people and reboot repeatedly until I can log into the network without getting the virus.
So I lost all of yesterday fixing the problems on my two computers and my office is as up to date as possible with getting patches onto workstations. Machines go for weeks without new patches because it's impossible to distribute them when some break applications, and therefore require much testing.
I wrote a 70 page document explaining why we should switch from Windows to Linux. Management wouldn't even start to read it. This is what they get for their ignorance.
Developers: We can use your help.
If most users would quit being so cheap and buy a firewall appliance like a linksys router, or (for the more savvy) build a Coyote linux box we wouldn't have half of these problems. I run Win2k, Solaris and SuSE linux. The linux box is the only one exposed to the net and hasn't been rooted/hijacked once in the three years it has been exposed. Running stuff like Zone Alarm is like giving a band aid to someone who has a big gaping wound.
"I bow to no man" - Riddick
Yes, they released the patch 21 days ago. They also released a hotfix at the same time that breaks a non-trivial # of computers.
Those of us forced to work and support a Windows environment are caught between a rock and a hard place. We don't dare apply a brand-new patch on production servers, or roll it out across the enterprise, but if we wait too long, an exploit hits what the patch supposedly fixed, and we get smacked (plus raked over the coals on /. for being incompetent).
I try to get new so-called critical patches applied within 7 days -- usually sooner, depending on when I can afford to take servers down, etc. But it won't be long before one of these wide-spread worms hits a vulnerability that's just been patched in the last day or two. Hell, I run several layers of AV protection that checks for updates hourly, and twice I've gotten hit by viruses before the updated signatures were available.
A tool that I use quite often seems to go ignored time and time again.
Trend Micro Damage Cleanup is a free after-the-fact cleanup tool that will fix just about any virus (As long as the pattern file is downloaded...) It scans drives, registry, etc. The only drawback is that it's quite large (The pattern file is ~8.5MB and the Scanner is ~1.6MB).
It blows Norton's one-fix-per-virus tools away, except from a portability standpoint. Also helps make sure you don't leave other viruses behind. (Did I run the Netsky.QZX removal tool, but not the Netsky.ZZB one?)
Yesterday it found 530 copies of Agobot (3 Variants) and Sasser.B on one person's PC.
"1000+ systems"
"Obviously you run in a very tiny shop."
"500,000 desktops/servers/etc."
Something about this exchange just struck me as really odd. So let's be generous and assume that the companies in question have 2 computers for every employee (unlikely). According to this page, that would place the first company in the top 0.306% of businesses in the U.S. and the second company in the very elite 0.016% of businesses in the U.S.! Tiny shop, my ass.
Things to do today: See list of things to do yesterday
IT@large_corporate_network here.
True, auto updates aren't good for business-critical machines. Microsoft gives you 2 ways to do the updates: you could use the automatic updater and put up an update server so you can control what is updated. Alternately, you could use SMS.
If it takes you weeks to do testing, you should consider a more standardized loadset. If you were using one, the 90% of the systems who can use that loadset could be tested in a few hours. If you have users requiring manual installs, there are options like patch management systems (I like HFNetChkPro by Shavlik) or putting the patch installer into the login script.
On adding to the corp. build, you need a leaner process, I can get it up in about a week.
For all of this, and the server reboots, let me remind you that the patch was 21 days before the worm.
Also, why does this article act like the worm is a new concept?
First, I didn't choose Windows. I recommended Linux and/or BSD with a 70 page research document to back it up. Management ignored it. Second, I'm a developer, not an admin, so I have no say in the patching process.
As a developer I can tell you when patch goes out that breaks an existing corporate app, execs get furious at the developers. If I write application X then any time X doesn't work it's my fault. No matter what, the apps have to work. The multi-billion dollar corporation comes to a halt if the fundamental custom apps aren't working. A problem caused by a patch from Microsoft can't always be resolved by adjusting code in our apps. Management cares a lot less if we're rooted because at least business can continue.
Of course I think Microsoft should be sued for some of the problems we have. I don't think everything in the EULA will hold up in court in every state. But it's not my decision. And I also agree management has no one to blame but themselves for sticking with Microsoft. They get what they deserve. All I can do is write the best apps I can and get paid for it.
Developers: We can use your help.
I wonder the same thing. It's probably only a matter of time before one is written that deletes files. Just think, if one scanned a drive and deleted .doc, .mdb, .xls, .ppt, .zip files. Just imagine how bonkers the suits would go.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
We collect data from clinical trials, and we do so in a validated manner as we're inspectable by the FDA. I'd rather disconnect our LAN from the WAN and work with reduced functionality than just patch the servers willy-nilly and break our validation. We can't apply *anything* without formally testing it as it could potentially affect data. It's fine if you're just doing bog-standard file 'n' print, but for other stuff you can't just go installing patches that may or may not impact production systems.
I also work with clinical trials and the FDA breathing down my neck. My office is all running Macs. Intentionally. We knew that the small functionality loss from "going Mac" would be much much less than the horrific security problems unleashed on the Windows World.
"One touch of Darwin makes the whole world kin." George Bernard Shaw
Overall, I'd say the risk of a patch breaking something on your specific machine (as opposed to a few random thousand of the 100s of millions out there) is much lower than the risk of a virus hitting you while you're "testing" the patches.
That hasn't been our experience here. Less than a year ago we specifically put together a plan for staged rollouts of patches. It started with a get-tough plan to make sure all servers were up to date, followed by several applications on all of our middle tiers working erratically. It took a week for the programmers of the affected apps to get the problem fixed and working reliably. Things were starting to get a little ugly and users were not happy. Result: we have three stages of rollouts; test systems, first half production, last half production. None of which install automatically.
I wasn't affected in that case, but I have had MS 'fixes' break critical systems. A while back a 'fix' of the generic text printer driver caused it to eat the first character of each line. Barcode printers stopped working. And no barcodes, no shipping. Spent a day finding it, added a sacrificial space to each line, system is back online. A year later, MS fixes the 'fix' and the driver is working correctly again, but now the printers are choking on the extra space. Pull our fix for their 'fix', and our systems are back in a couple hours. But only because I remembered the previous problem and workaround.
As to timeframe; it takes time to test complicated systems. Add to that the effects of the economy and companies are expecting more from fewer developers. So we have to balance our time between business requirements and testing MS patches. Being late installing a patch doesn't show up on my annual review; missing development deadlines does.
As far as getting hit; we don't get hit very often, today is the first case of an infected server that I can remember since code red hit our website. We have up-to-date scanning on our systems, SUS for desktop patches, email scanning, and properly configured firewalls.
Today we are fighting with a variant of a worm that isn't being detected by our scanners. But also doesn't appear to be using a vuln fixed by any patch. But that's a problem for Operations; developers are coding today, not chasing MS bugs.
It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman
We're still in the "hobbyist" phase of virus creation. Folk do this for the same reason that people used to write their own software: because it is l33t. We have recently seen some more "applied" virus writing, as when a virus sets up a zombie computer for spam uses later. Or even, when one virus goes after another.
...
Now imagine a real "virus industry". There would be serious R&D, business plans, virus development models, project management, the works. Probably even some code QA and testing. Why? Because there would be money in it. Don't know what the money would be, but if there were to be some then the "virus industry" would emerge overnight.
The idea that a virus could be stealthy (or clever) enough to avoid detection and just sit around on infected PCs is part of the transition from hobby to a business. I've been noticing that already there is a sort of "dark Internet" of zombies that can do pretty much whatever someone needs them to do, enabled by viruses. Aside from spam, here are some other uses for those machines:
-- set up virtual casinos that dissolve instantly when the vice cops arrive.
-- set up distributed supercomputers for unlawful uses, like cracking access codes or breaking IPSec packets
-- have zombies not only monitor their users, but via something like ethereal monitor the broader Internet for traffic within their subnet. Imagine Carnivore on crack, and in the hands of the Mafia.
-- use zombies to launch focused, sustained DDoS attacks against adversary nations
-- use zombies as advanced positions to launch new rounds of virus outbreaks with split second timing and absolute accuracy, in this way overcoming most defensive responses in the first 15 seconds. Build a newer, stronger zombie network each time. slowly take over the Internet.
Profit
It's coming, people. You know it and I know it. Every habitat has its unseen underbelly, its fetid swamp, its decaying compost, and the Internet is about to get its own sewer system, full of rats and disease and decay.
Will we care? Nope. It will just be there and we'll eventually learn to live with it, or use it to our own purposes.
=^..^= all your rodent are belong to us