Slashdot Mirror


Sasser Worm Disruption Growing

thebra writes "Yet another virus is causing problems with Internet Explorer. "Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet." A removal tool can be found here."


  1. Yeah..you're telling me... by hookedup · · Score: 5, Interesting

    Here at work, none of our employees can connect to the VPN, hence nobody can get work done, hence I'm sitting here with my phone ringing off the goddamn hook.

    Capital punishment for worm writers!

    1. Re:Yeah..you're telling me... by Anonymous Coward · · Score: 5, Funny

      It's not fair. I sometimes wish I used windows.

      All the Windows folks in the place are sitting around talking and drinking coffee because everything's broken, but us unlucky users of OpenBSD servers and Linux desktops are having to work hard as usual.

      It seems there are hidden benefits to choosing Microsoft products.

    2. Re:Yeah..you're telling me... by FrYGuY101 · · Score: 4, Insightful

      Yes. Because Linux IS inherently secure?

      Or maybe, just maybe, computers are inherently insecure?

      --
      "If we let things terrify us, life will not be worth living."

      - Seneca
    3. Re:Yeah..you're telling me... by Mysticalfruit · · Score: 4, Insightful

      More like capitalism punishment.

      If, after all the bullshit that companies went through with Blaster, they didn't sit down, get a team of smart IT people together and implement solutions to stop worms, then they don't deserve customers' business.

      Darwanism at work. Those who don't grow immune to the poison, die from it.

      --
      Yes Francis, the world has gone crazy.
    4. Re:Yeah..you're telling me... by kin_korn_karn · · Score: 2, Insightful

      Somehow I don't think they're going to ignore a guy mugging an old lady because they won't be able to write a report about it afterward.

    5. Re:Yeah..you're telling me... by Anonymous Coward · · Score: 5, Funny

      Typical *nix admin, thinking that posting on Slashdot is 'working hard as usual'.

    6. Re:Yeah..you're telling me... by Paulrothrock · · Score: 4, Funny

      Darwan: A large network in which selection determines node connectivity.

      --
      I'm in the hole of the broadband donut.
    7. Re:Yeah..you're telling me... by JWW · · Score: 4, Insightful

      I'm sorry, but even companies that aren't getting hit by this still paid the price.

      We ran around frantically patching every $#%@#^ Windows box at the company after the patches came out. Installing patches wastes users' time, administrators' time, everyone's time. I know it can be automated, but it's still a pain and you have to check every system anyway.

      And whether or not you get a worm on your systems should not be the deciding factor of whether you deserve the customer's business. Are you really saying that a record company that effectively blocked this worm deserves my business? Please don't start an off-topic rant about the RIAA, it's just an example.

    8. Re:Yeah..you're telling me... by halaloszto · · Score: 4, Insightful

      All this really reminds me of the Y2K problem.

      The difference is, that we could sit down, make a plan, inspect all PCs, have stickers for OK machines, etc.

      And there were far fewer problems than with an average worm nowadays. Imagine if the Y2K problem had been as big as a usual worm hit (several middle to large companies affected for a couple of days).

      Vajk

    9. Re:Yeah..you're telling me... by TheSpoom · · Score: 2, Interesting

      Yes, but customers don't know that. Witness a news story I heard about the Sasser worm after a day of doing tech support for it... it ended with "...a patch is now available to protect against the worm from Microsoft." Customers think "oooh, thanks Microsoft!", not knowing that it was a huge hole in their product that allowed the worm in the first place. Subtle misdirection and Microsoft didn't even have to pay for it. Thanks, CBC!

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    10. Re:Yeah..you're telling me... by teh*fink · · Score: 2, Interesting

      Somehow I don't think they're going to ignore a guy mugging an old lady because they won't be able to write a report about it afterward.

      or vice versa

      --
      "I DARE you to make less sense!"
    11. Re:Yeah..you're telling me... by Mysticalfruit · · Score: 2, Insightful

      I know it's a pain, but the question is:

      Is the one-time pain of deploying an automated patching system greater or less than the 3 or 4 times a year that, even if your network doesn't come to a grinding halt, you've got to spend 4 hours going cube to cube and deploying patches?

      Our solution was to deploy a centrally controlled distributed firewall system inside our internal network. The best defense is a good offense.

      This allows us, from C&C (command and control), to proactively block ports and sample traffic from any machine on any subnet.

      Hence, even if Sasser were to come in from some laptop and that person plugged their laptop into our general-purpose subnet, 99 percent of the machines on all the subnets have the offending incoming ports blocked, and as soon as it sees traffic for that port it'll send me a report.

      Also, this combined with an agent that lets us push out patches and auto updating virus software allows us to stay ahead of the curve.

      --
      Yes Francis, the world has gone crazy.
    12. Re:Yeah..you're telling me... by Smidge204 · · Score: 4, Informative

      No, but if the cops can't run a plate or license number check during a routine traffic stop, you won't know if there's a warrant out on the guy for a series of violent crimes.

      Just an example. The ability for the police to do their job in any capacity relies on the ability to get and share information. It's pretty rare that the cop actually witnesses the mugging, but a witness description, cross-referenced with other reports from the head office, might lead to the ID of a suspect.
      =Smidge=

    13. Re:Yeah..you're telling me... by Starlet+Monroe · · Score: 2, Funny

      Any police chief who supplies his force with inferior, useless tools deserves to be shot... ...with a weapon borrowed from a different precinct.

      --
      ++
    14. Re:Yeah..you're telling me... by System.out.println() · · Score: 2, Funny

      Some of us use Mac OS X.

      ....

      ....

      ....you insensitive clod! XD

    15. Re:Yeah..you're telling me... by System.out.println() · · Score: 2, Funny

      Where's my new PowerBook?

      Probably still waiting to come back from getting fixed. :P

    16. Re:Yeah..you're telling me... by Anonym0us+Cow+Herd · · Score: 4, Funny

      Still a bit better than MS admins, who think that posting misinformed bullshit on Slashdot is 'working hard as usual'...

      It may actually be working hard if one is being paid to post misinformed bovine feces on slashdot.

      --
      The price of freedom is eternal litigation.
    17. Re:Yeah..you're telling me... by Anonymous Coward · · Score: 2, Informative
      Some of us use Mac OS X.
      Better get QuickTime and iTunes patched then:

      Apple QuickTime (QuickTime.qts) Heap Overflow

      :o)
    18. Re:Yeah..you're telling me... by Dr+Caleb · · Score: 2, Interesting
      Strange, this: in the logs for my firewall I keep getting "portsentry[]: attackalert: connect from host slashdot.org/66.35.250.150 to TCP port 1080".

      Several times during the last couple days. Seems someone at Slashdot hasn't patched their two year old RPC hole.

      And recent patches for XP actually break SSL connections - so patching right away isn't always the best thing to do.

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
  2. Another removal tool by BlackHawk-666 · · Score: 2, Funny

    Can be found here.

    --
    All those moments will be lost in time, like tears in rain.
    1. Re:Another removal tool by BlackHawk-666 · · Score: 3, Informative

      Oh stupid me for typing the wrong slashes...try here instead. Oh well, a dose of humiliation before your peers is good for the humility gland.

      --
      All those moments will be lost in time, like tears in rain.
  3. Late... by tirenours · · Score: 2, Informative

    Even the news on the tv talked about it before /.

    1. re: Late... by c0defiant · · Score: 3, Informative

      Nope, this one was on /. first

  4. Internet Explorer? by Anonymous Coward · · Score: 5, Informative

    Sasser doesn't affect IE.

    1. Re:Internet Explorer? by Anonymous Coward · · Score: 2, Insightful

      Yeah, but blaming stuff on IE is really good for Slashdot's parent company, VA Systems, or whatever they've called themselves now to grope for profitability.

    2. Re:Internet Explorer? by ameoba · · Score: 2, Insightful

      It depends on how you look at it. From the perspective of the average user, if the network is down then "IE is broken".

      --
      my sig's at the bottom of the page.
  5. I have a question by Progman3K · · Score: 5, Interesting

    What does Sasser actually DO?

    Usually, viruses have a goal, like collecting your personal information, DDOSing SCO, or SOMETHING...

    What does this one actually do?

    My theory is that someone wrote it to disable all the spamware-infested computers out there.

    They can't be spamming us if they're rebooting constantly, can they?

    And if the owner doesn't disinfect them and protect them from future attacks, they'll just start rebooting again...

    --
    I don't know the meaning of the word 'don't' - J
    1. Re:I have a question by manavendra · · Score: 5, Informative

      You mean other than scanning random IP addresses on successive TCP ports starting at 1068 and making copies of itself?

      Well, it also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

      It further makes copies of itself in the %Windows% directory.

      Oh and finally, it causes LSASS.EXE to crash, and by default this causes your system to reboot. Repeatedly.

      --
      http://efil.blogspot.com/
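
The behaviour manavendra lists above (sweeping hosts on the LSASS/SMB port, TCP 445 as noted elsewhere in this thread, with successive TCP ports from 1068, an FTP server on 5554 and a remote shell on 9996) is exactly the traffic Mysticalfruit's central "sample traffic and send me a report" setup earlier in the thread would need to recognise. The following Python is an added example written for this page, not code from any poster: it parses firewall connection logs, flags sources sweeping 445 across many hosts, and flags hosts involved in accepted connections to 5554/9996. The log line format, the thresholds (20 distinct targets within 60 seconds) and the sample lines are all constructed assumptions; reading the "successive ports from 1068" as the scanner's source ports is an interpretation made here.

```python
import re
from collections import defaultdict

# Ports named in this thread: TCP 445 is the LSASS/SMB port the exploit
# targets, 5554 is the worm's FTP server and 9996 its remote shell.
TARGET_PORT = 445
WORM_SERVICE_PORTS = {5554, 9996}

# Assumed log line format (an assumption made for this example; adapt the
# regex to the syslog format your firewall actually emits):
#   <epoch_seconds> <ACCEPT|DROP> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ts", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def find_scanners(records, window=60, min_targets=20):
    """Map source IP -> largest number of distinct hosts it hit on TARGET_PORT
    inside any `window`-second span, for sources at or above `min_targets`.
    A worm sweeps many hosts quickly; a workstation talks to a few servers.
    Both thresholds are assumptions to tune for your own network."""
    per_src = defaultdict(list)
    for r in records:
        if r["dport"] == TARGET_PORT:
            per_src[r["src"]].append((r["ts"], r["dst"]))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            if distinct >= min_targets:
                scanners[src] = max(scanners.get(src, 0), distinct)
    return scanners


def find_worm_services(records):
    """Hosts involved in an accepted connection to 5554 or 9996. The
    destination is serving the worm's FTP/shell; the source is either a
    freshly exploited host fetching the worm binary or someone using the
    shell. Returns host -> sorted list of reasons."""
    hosts = defaultdict(set)
    for r in records:
        if r["action"] == "ACCEPT" and r["dport"] in WORM_SERVICE_PORTS:
            hosts[r["dst"]].add(f"listens:{r['dport']}")
            hosts[r["src"]].add(f"contacted:{r['dst']}:{r['dport']}")
    return {h: sorted(v) for h, v in hosts.items()}


def analyse(log_text, window=60, min_targets=20):
    """Parse a log blob and return both detections; unparsable lines are skipped."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "scanners": find_scanners(records, window, min_targets),
        "worm_services": find_worm_services(records),
    }


def build_sample_log():
    """Constructed sample (not a real capture): one infected host sweeping a
    /24 on 445 with successive source ports from 1068, three benign SMB
    sessions to a file server, one unprotected victim that then pulls the
    worm from the infected host's FTP port, and one junk line."""
    base = 1083600000
    lines = []
    for i in range(40):
        action = "ACCEPT" if i == 8 else "DROP"  # 10.0.1.9 was not shielded
        lines.append(f"{base + i} {action} TCP 10.0.0.7:{1068 + i} -> 10.0.1.{i + 1}:445")
    for i, ws in enumerate(("10.0.0.11", "10.0.0.12", "10.0.0.13")):
        lines.append(f"{base + 5 + i} ACCEPT TCP {ws}:{3000 + i} -> 10.0.0.2:445")
    lines.append(f"{base + 45} ACCEPT TCP 10.0.1.9:1051 -> 10.0.0.7:5554")
    lines.append("this line is not a connection record")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, hits in analyse(build_sample_log()).items():
        print(kind)
        for host, detail in sorted(hits.items()):
            print(f"  {host}: {detail}")
```

On the sample the sweep shows up as one source with 40 distinct 445 targets, the benign workstations stay below the threshold, and the 5554 hit names both ends: the infected host that serves the binary and the victim that just fetched it. Running this on a firewall that drops 445 inbound, as Tackhead describes further down the thread, still finds the scanner, since the DROP records are what reveal the sweep.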
    2. Re:I have a question by joeykiller · · Score: 4, Insightful

      Sasser is mostly annoying. It causes your computer to restart repeatedly, while scanning nearby IP addresses and spreading itself to them (if they're not patched). Doesn't sound too bad, does it?

      Well, even though it's "just annoying" and "poorly written" according to F-Secure, it caused Sampo (a large bank in Finland) to shut down yesterday. Both computer networks and telephony systems were hurt. The same happened to If, a Norwegian/Swedish insurance company, and today another Norwegian insurance company had to halt operations (Vesta).

      So even annoyances can stop entire operations, and thus we can say that it's a pretty serious problem until most (Windows) computers are patched.

    3. Re:I have a question by nordicfrost · · Score: 4, Informative

      Well, for one, it bogs down your network to a mush of syrup. All that looking for other hosts to infect really takes up a lot of capacity on the network. And the Sasser.D version is up to 1024 threads per CPU, up from 128 in the Sasser.B version...

    4. Re:I have a question by Anonymous Coward · · Score: 2, Interesting

      The purpose seems to be simple propagation (no destructive payload, mass-mailer, etc.). The crash of LSASS seems to just be a side effect of the exploit used.
      Of course the patch to fix the LSASS hole has been reported to render systems unusable as well.

    5. Re:I have a question by Progman3K · · Score: 4, Interesting

      Right...
      But have you noticed, it can only infect computers that are not properly patched and up-to-date...

      I read a while ago that 0-day exploits on Windows are mostly unheard of, while most viruses seem to come out a few weeks AFTER Microsoft has issued a patch, because the virus-writers wait for a patch to disassemble it and learn how to exploit the weakness, which is easier to do than figuring out how to exploit the vulnerability.

      This hole was patched by Microsoft, when? A few weeks ago...

      So other than annoying people with improperly-maintained machines, Sasser doesn't really seem to be more than a proof-of-concept, or as I believe, a virus crafted to SPECIFICALLY annoy people whose machines are not properly patched.

      And let's face it; if your machine is not properly patched, it's probably already being used as a spam relay, so it's not the spammers who would want this.

      Rather it feels like someone waging war ON THE SPAMMERS!

      --
      I don't know the meaning of the word 'don't' - J
    6. Re:I have a question by spellraiser · · Score: 2, Interesting

      Usually, viruses have a goal, like collecting your personal information, DDOSing SCO, or SOMETHING...

      Sorry, but that's not all that accurate. Most often, the virus/worm is a goal in itself (and by the way, Sasser is a worm, not a virus). Viruses and worms that are tools to carry out some separate agenda are the exception, not the rule. Although recent worms such as Bagle, Netsky and MyDoom (and their numerous variants) were crafted to be 'useful' in some way, this is a fairly recent phenomenon, and still a fairly uncommon one, if one looks at everything that's being released these days. It might become the norm in the future, but that hasn't happened just yet.

      My theory is that someone wrote it to disable all the spamware-infested computers out there.

      They can't be spamming us if they're rebooting constantly, can they?

      Interesting theory, but there's one problem. Whoever wrote Sasser did not intend for it to crash systems. This is a side effect of sloppy coding; it's not intentional.

      --
      I hear there's rumors on the Slashdots
    7. Re:I have a question by Progman3K · · Score: 4, Interesting

      >Interesting theory, but there's one problem. Whoever wrote Sasser did not intend for it to crash systems. This is a side effect of sloppy coding; it's not intentional.

      You know what?
      I think that yesterday, I received a LOT LESS spam than usual. I'm talking a fraction; instead of 200-300, I only received about 20.

      So even if taking down all those spam-relays was just a side-effect, I'LL TAKE IT! :-)

      --
      I don't know the meaning of the word 'don't' - J
    8. Re:I have a question by Anonymous Coward · · Score: 2, Insightful

      Well, even though it's "just annoying" and "poorly written" according to F-Secure, it caused Sampo (a large bank in Finland) to shut down yesterday. Both computer networks and telephony systems were hurt.

      I'm concerned about what'll happen when some more competently written worms get written, with some highly destructive payloads triggered at a certain time, or by some certain network event.

      At the moment, most of the disruption is directly as a result of the worms spreading, with network connections being swamped. If worms were to actively trash filesystems, or (more dangerously) subtly mess about with data in spreadsheets, databases etc, it could be horribly expensive to sort everything out, and genuine, lasting damage could be done to businesses.

      You'd think the current worm and trojan problems were enough to jolt people into a more security-aware frame of mind, but it seems we're fighting a losing battle to educate people before some polymorphic, ultra-subtle worm with no (initial) obvious effects will strike.

      If such a thing were to wreak havoc, there'd probably be a major backlash against Microsoft, even though computer security is partly the responsibility of the user, too.

    9. Re:I have a question by interiot · · Score: 4, Informative

      Just a note regarding 0-day exploits: SysInternals (the people who brought you filemon, regmon, etc) write BGInfo, a low-CPU no-memory way of displaying important system properties. If you do have it installed, you can tell it to display the timestamp of the file C:\Program Files\WindowsUpdate\V4\iuhist.xml, which should be the last time WindowsUpdate was run, helping remind you to run it frequently.

    10. Re:I have a question by WormholeFiend · · Score: 4, Funny

      I've always been a virus-writer-hater, but reading your comments, I'd say you're doing a pretty good job at convincing me that viruses are good...

      the enemy [virus writer] of my enemy [spammer], while being useful, is he still my enemy or my friend?

      I'm confused.

    11. Re:I have a question by Ashtead · · Score: 2, Informative

      No joke, this company is for real. And yes, I do not think they chose that good of a name either. But this is the result of the fusion of several insurance companies, including some with names like "Storebrand" and "Norges Brannkasse", names which reveal the focus on fire insurance (Brann == fire) in a country where most houses are made of wood.

      --
      SIGBUS @ NO-07.308
    12. Re:I have a question by kasparov · · Score: 2

      Anything that opens a remote shell has a destructive payload. It basically gives a remote user full control of your pc. That means at a whim, they (or someone else who figures out that it is there) can delete files, format drives, or store kiddy porn on your pc--whatever they want. I would argue that that is a destructive payload...

      --
      There's no place I can be, since I found Serenity.
    13. Re:I have a question by bogie · · Score: 2, Interesting

      "I read a while ago that 0-day exploits on Windows are mostly unheard of, while most viruses seem to come out a few weeks AFTER Microsoft has issued a patch, because the virus-writers wait for a patch to disassemble it and learn how to exploit the weakness, which is easier to do that figuring out how to exploit the vulnerability."

      Actually, you're probably not doing it intentionally, but you're just repeating Microsoft marketing-speak. http://slashdot.org/article.pl?sid=04/02/26/1555208

      There is little evidence that hackers are actually reverse engineering patches. In fact, as people pointed out in that thread, if that theory were true then MS could just stop releasing patches and Windows would become invulnerable.

      Most exploits are based on proof of concept code that floats around the net way before MS gets around to fixing patches. In fact there are more than a few sites out there that have lists of MS security flaws which have yet to be patched. I think you're right that patches may increase the visibility of MS flaws to some of the dumbest script kiddies and common people, but the damage was already done way before then. MS is just trying to plug a hole that was already known. So no, patches are NOT the reason why worms happen.

      Finally as proof of at least one virus or 0-day exploit that took advantage before MS issued a patch, look at the Melissa virus. See that thread for other examples.

      When MS's security chief said "We have never had vulnerabilities exploited before the patch was known", he lied.

      --
      If you wanna get rich, you know that payback is a bitch
    14. Re:I have a question by Progman3K · · Score: 3, Insightful

      >Actually, you're probably not doing it intentionally, but you're just repeating Microsoft marketing-speak

      So someone at Microsoft wrote this article and invented all the facts in it?

      http://www.computerworld.com/printthis/2004/0,4814,92037,00.html

      And you should know that I am NOT a Microsoft shill.
      I'm not excusing Microsoft, I just think someone out there has an agenda that is different that the typical worm-writer's.

      --
      I don't know the meaning of the word 'don't' - J
  6. Microsoft's "fixes" by JosKarith · · Score: 4, Funny

    We tried installing MS04-014. It totally secured our network - it shut down our ADSL link until we removed it.
    Thanks guys...

    --
    'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
    1. Re:Microsoft's "fixes" by getling · · Score: 5, Informative

      Umm...why did you install MS04-014 instead of MS04-011? Maybe you got confused, like /. about what in the world this "poorly written" worm is attacking....

      --
      "Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
    2. Re:Microsoft's "fixes" by rabs · · Score: 2, Funny


      Reminds me of a quote I saw on bash.org:

      "The most secure computer in the world is one not connected to the internet. Thats why I recommend Telstra ADSL."

      - rabs

    3. Re:Microsoft's "fixes" by Anonymous Coward · · Score: 2, Insightful

      Perhaps if you people stopped referring to patches and vulnerabilities as hard-to-decipher combinations of uppercase letters and numbers, and started calling them by short explanatory titles, others would be less confused. Sheesh! You'd think we're back to the mainframe days. In this century, you people are absolute fucking idiots if you're still running around using irrelevant numbers to refer to anything.

      STOP THROWING AROUND FUCKING NUMBERS AND JUST SAY WHAT THE PROBLEM IS. ELITIST JACKASS!

  7. Removal tool by Mindtoy · · Score: 5, Informative

    Another removal tool made by Network ASSociates can be found at: http://vil.nai.com/vil/stinger/ I've used it on a number of machines with no problem. It only scans files (no registry). It fits on a floppy and it's free. It'll even run on machines that already have virus protection, good if someone hasn't updated their definitions and can't get on the internet. It's updated any time a new baddy comes out, but you have to redownload the EXE file since it doesn't check for updates.

  8. Re:M$ - First Post? by Oxy+the+moron · · Score: 5, Insightful

    I still am of the opinion that it doesn't matter how many patches M$ releases. The fact is, we need an educated user base. So many people continue to use computers without knowing the full risks associated with them.

    The Internet is great, broadband is great, computers are great. But as long as people are willing to give up their passwords for chocolate and have no clue what a firewall is or what it does, this problem will continue to plague everyone.

    Nothing beats a good educated user.

    --

    Proudly supporting the Libertarian Party.

  9. Decent firewall, regular updates & common sense by Dark+Lord+Seth · · Score: 3, Informative

    These are the three secret ingredients to a relatively secure system. Read them. Learn them. Understand them.

  10. Re:Windows only by cyborch · · Score: 2, Insightful

    You forgot to mention that "sasser" only infects windows machines.

    It should be the default assumption that since it is a worm then it only infects windows (the same goes for virii of course). I would think that it would be worth mentioning if it infected anything besides windows boxes...

  11. Don't blame Internet Explorer this time by joeykiller · · Score: 5, Informative

    The original poster is not correct when claiming Internet Explorer has a problem. This time it's a hole in the so-called "Local Security Authority Subsystem Service" that's causing problems.

    See this and this for more details.

    1. Re:Don't blame Internet Explorer this time by Tackhead · · Score: 5, Interesting
      > This time it's a hole in the so called "Local Security Authority Subsystem Service" that's causing problems.

      One of my first questions when I laid hands on an XP box: "OK, so now that I've un-dumbed-down the thing as much as I can... WTF's this LSASS.EXE process running as SYSTEM, and WhyTF is it listening to port 445, and HowTF do I shut it down?"

      Answer: "Some sort of weird Microsoft shit, I don't know, and there's no way to kill it - in that order."

      Me: "Fuck it, then. Let's block inbound 445 at the router, and on my personal box, I'll try setting my third-party software 'Firewall' to deny all inbound and outbound traffic to it. If anything blows up, I can always permit my box to talk to whatever machines it needs to talk to".

      Nothing blows up. Yet another Microsoft unnecessary service running with SYSTEM privs is forgotten about.

      A year or two later: w00t!

      Win9x may have been an unstable piece of shit masquerading as a graphical DOS shell, but as long as you didn't use Internet Exploiter and Outbreak Excess, you couldn't get pwn3d, because desktops that don't run any listening services are pretty fucking hard to compromise remotely.

    2. Re:Don't blame Internet Explorer this time by jjares · · Score: 3, Informative

      Actually, LSASS is the security validation service that SMB uses to validate a user when he is trying to request a resource, and that validates your user in a network that doesn't use Kerberos... I think login on most Unixes runs as root too, so I don't see where Microsoft went wrong here.

    3. Re:Don't blame Internet Explorer this time by jonfelder · · Score: 2, Insightful

      Except that most people will just click yes because they have no idea what they are doing.

      All they know is that "clicking yes" makes their IM client work or game work.

      Asking if it's ok to do something hasn't stopped websites that install spyware, "comet cursor...sure sounds good...spyware crap toolbar, wow that sounds useful!"

      What makes you think it'll work with firewalls?

      Finally, clicking "always" makes the notices stop coming up. Imagine the machine is being pummeled by Sasser and notices keep popping up constantly asking to allow inbound traffic.

      Unfortunately the only real solution is also the most impractical...cutting the luser's network cable.

  12. Please wake up... by MSFanBoi · · Score: 3, Insightful

    What it tells us about Microsoft, is there are people out there who cannot take care of systems.

    This includes Linux boxes and Mac boxes as well.

    Wake up and smell the damn coffee, it's not a problem exclusive to Microsoft, as much as some of the Linux rah-rah club would like to think.

    Why is it OK for Linux to patch the hell outta itself but a damn near capital crime if Microsoft has to?

    Grow up.

    Microsoft released a patch, people did not install the patch. Who's fault is that? None of the 1000+ systems in my office were infected because I'm intelligent enough to have policies in place to prevent stuff like this from happening.

    1. Re:Please wake up... by Anonytroll · · Score: 4, Insightful

      Yeah, but the problem in this case was that the patch that closed the hole made other systems unusable (iirc most of them couldn't have any network connection anymore), so it couldn't be used.

    2. Re:Please wake up... by Compholio · · Score: 2, Informative

      Because when the Linux Rah-Rah Club provides a patch for a security vulnerability it usually doesn't provide three new vulnerabilities for the one it fixed. Even if the LRRC did provide such a patch, someone would see the problems immediately and provide another one to fix them.

    3. Re:Please wake up... by Ruie · · Score: 5, Insightful
      Linux distributions do not have major security problems as often as Microsoft (I can remember a single occasion when a hole was found in SSL libraries and I had to upgrade fast).

      Also, on a Linux system there is no problem finding out what exactly runs, what it does and one can check the code quality.

      In contrast, I have never even heard of the "subsystem" that is being used by this worm.

      On a free system no one *has* to fix bugs for you, but you have the freedom to do it yourself (and configure the system anyway you like, so that, if you are not comfortable running sendmail, you use other software like exim or postfix).

      On a black box system like Windows the company that makes it is responsible for getting each and every detail right because they do not let anyone else touch the contents.

    4. Re:Please wake up... by Lumpy · · Score: 4, Interesting

      Microsoft released a patch, people did not install the patch. Who's fault is that? None of the 1000+ systems in my office were infected because I'm intelligent enough to have policies in place to prevent stuff like this from happening.

      I find that comment funny and sad. Obviously you run in a very tiny shop. We are still TESTING that patch because we are not stupid enough to trust Microsoft. We have had many times a patch completely hose several of our critical apps, and when you are looking at around 500,000 desktops/servers/etc. you can't do foolish things like installing patches willy-nilly.

      Now let's add the fact that the company is too damned stupid to staff the security and virus team properly. We have 2 people... 2! And maybe 6 machines to test on... we really need about 5 and 20 machines and 2 servers to test on so we can roll this crap out in a timely manner.

      So buddy, Grow Up.

      --
      Do not look at laser with remaining good eye.
    5. Re:Please wake up... by RoLi · · Score: 2, Insightful
      When do you Winlots start to realize that there is a HUGE difference between remote and local exploits?

      The former is likely to hit a lot of people through worms, the latter is (and I'll get flamed for saying that) mostly irrelevant unless you really need ultra-high security or have untrusted users on your machines (both cases are pretty rare in real life, sorry Winlots.)

      And that's exactly why Linux's TCO is a lot lower than Windows'. That's why webhosters usually charge about $30 more for Windows than for Linux. (Every Windows machine is a much larger risk than a Linux machine.)

      Also, while in the Windows world old bugs are constantly re-introduced into the network (because if you have some Win2K license you will use that when you reinstall), in the Linux world you usually use the newest version when you install a new machine. Actually Netcraft reported that after the CodeRed epidemic, the number of vulnerable machines was on the rise again!

      To sum up (and to prevent somebody purposely misunderstanding), sure OSS isn't the silver bullet - but it indeed is much more secure than Microsoft. Also a halfway recent (let's say about 1-2 years old) unpatched Linux installation does not provide 100% security, but adequate (or "good enough") security for most users.

    6. Re:Please wake up... by pesc · · Score: 3, Insightful

      No, the truth is that Windows is not ready for the internet. Do you need more proof?

      1) All windows boxes use the same software and services which creates a good monoculture for viruses to spread in.

      2) Why the fuck is that port turned on by default? What the heck is the service doing? Most users don't use that service so it should be turned off by default. sheesh!

      3) When I last used Windows (a couple of years ago) it actively made it difficult for me to remove services I didn't want to use, like IE, IM, M$-media player, etc. There were many services that I didn't understand what they were doing, but I couldn't remove them. On Linux I do the opposite. I install a slim minimal server, and then add the services I want to use and understand. This is how it should be done.

      Why all the talk about how Linux is not ready for the desktop (it is, it's what I use all the time) when the truth is that Windows is not ready for the internet. This is demonstrated monthly.

      --

      )9TSS
    7. Re:Please wake up... by NatasRevol · · Score: 2, Interesting

      Specifically what needs fixing?
      Security.
      What part of Windows' design needs fixing?
      Security issues.
      What part of the base needs fixing?
      All the remote exploits.
      What would *you* do to fix Windows?
      sudo rm -rf /

      Hope that clears it up for you!

      --
      There are two types of people in the world: Those who crave closure
    8. Re:Please wake up... by RobertB-DC · · Score: 4, Funny

      we have 2 people... 2! and maybe 6 machines to test on... we really need about 5 and 20 machines and 2 servers to test on so we can roll this crap out in a timely manner.

      I get it now. Microsoft isn't the bad guy after all! They're trying like mad to increase your company's staffing by 150%, not to mention the trickle-down effect of quadrupling your machine count.

      Microsoft Windows: It's not a virus portal, it's an employment generator!

      I'm glad Microsoft's doing something about the outsourcing issue.

      (Caution: the above comment contains satire, an element determined by the State of California to cause cognitive dissonance in affected individuals)

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    9. Re:Please wake up... by dmomo · · Score: 2, Insightful

      Agreed. This is yet ANOTHER thing that I never understood with MS. Why aren't certain things off by default? I am wary to guess that it is merely oversight. I thought of it, and you thought of it. My boss who knows little of OS security thought of it, I am sure Microsoft has thought of it. But, why aren't they doing it? They must have some reason. It's exactly this that makes me trust them less. What are their reasons?

    10. Re:Please wake up... by slackerboy · · Score: 4, Interesting

      "1000+ systems"
      "Obviousally you run in a very tiny shop."
      " 500,000 desktops/ servers/ etc."

      Something about this exchange just struck me as really odd. So let's be generous and assume that the companies in question have 2 computers for every employee (unlikely). According to this page, that would place the first company in the top 0.306% of businesses in the U.S. and the second company in the very elite 0.016% of businesses in the U.S.! Tiny shop, my ass.

      --
      Things to do today: See list of things to do yesterday
  13. Re:Windows only by bungley · · Score: 2, Insightful

    Perhaps that MS products are more widely used than anything else?

  14. Interesting way of talking about it. by ActiveSX · · Score: 3, Insightful

    The poster called Sasser a virus, then proceeded to give a definition that said it was not a virus. No offense, but was the poster actually reading what he wrote?

  15. Could Sasser possibly affect Linux? by Debian+Troll's+Best · · Score: 4, Interesting

    From my understanding of the Sasser worm, it infects vulnerable Windows PCs by probing and connecting through a specific open port, and then launching some Windows specific code designed to infect and propagate the worm. My question is of a largely theoretical, yet insightful nature: if a Linux machine is running a Windows emulation environment, such as WINE, and the Sasser specific port is open, is it possible that Sasser could attack and infect the Linux PC? After all, if WINE is at a level of compatibility which allows Linux users to run complex Win32 apps such as Microsoft Office, is it also not inconceivable that some Windows vulnerabilities have been emulated also? I look forward to the community's response.

    1. Re:Could Sasser possibly affect Linux? by Aliencow · · Score: 5, Informative

      You would have to run the LSASS Service under Wine...and I don't know why you would want to do that !

    2. Re:Could Sasser possibly affect Linux? by necrotic · · Score: 2, Interesting

      I have successfully had a virus run under Wine. It was not Sasser, and was not TCP port based however. Launched an infected exe from Thunderbird to see what would happen, Wine took over and ran it. The virus scanned my network's SMB shares, and collected email addresses. It also spawned its own SMTP engine and proceeded to send itself to the collected addresses.

      When you think about it, Wine should have no trouble running simple applications such as this. It only seems to balk when applications use non-conformant GUI methods or non-standard network operations / file access methods...

      No patches for this one, just kill -9 :)

    3. Re:Could Sasser possibly affect Linux? by 13Echo · · Score: 2, Interesting

      I've actually attempted to run a few viruses on my Slackware machine, through WINE, without any success. This was simply for testing purposes. In many cases, the environments are just too different for the virus to function properly. WINE often crashes in this case. Even then, Linux doesn't automatically load any of the WINE "emulation layer" code on system startup, and only loads it when you run WINE. Still, WINE is not run as root (unless you are stupid), and anything that could possibly damage the machine would be restricted to a user's home directory, unable to affect the actual Linux OS and libraries, or the critical WINE stuff.

      Sasser is a worm that requires access to port 445 and needs to hit a machine that runs the LSASS authentication code on Windows machines (which WINE doesn't use). As someone mentioned, it might be possible to run LSASS in some form or fashion, but there would be no reason to do it.

    4. Re:Could Sasser possibly affect Linux? by spitzak · · Score: 2, Interesting

      Wine is not listening to that port without a lot of elaborate setup.

      However there certainly are examples of Wine successfully running .exe files embedded in virus email and actually emailing copies out. And even doing this without the user knowing (they clicked on the exe just like a Windows user).

      Probably more of a concern is that I know that a Linux machine's disk can be trashed by a Windows virus. It wrote over the files right over NFS (or perhaps over Samba to a server that then went to this machine via NFS).

  16. The UK Coastguard has been hit. by levell · · Score: 3, Interesting

    All the computers the UK Coastguard use have been affected according to this BBC story

    --
    Struggling to find a day everyone can make? WhenShallWe.com
  17. Not exactly a 0-day exploit by Zog+The+Undeniable · · Score: 4, Informative
    If you applied last month's critical patches OR you have a working firewall - even the basic XP one - you won't get it.

    Everyone with a Windows machine should sign up for MS's monthly security e-mail or religiously check Windows Update on the second Tuesday of each month. I won't go as far as recommending automatic updates, though.

    --
    When I am king, you will be first against the wall.
    1. Re:Not exactly a 0-day exploit by Proaxiom · · Score: 4, Informative
      An unfortunate factor of this worm is that the patch that fixes the exploited vulnerability, MS04-011, has been found to have stability problems and other issues in the field.

      This has caused many administrators to be hesitant to install it. Bugtraq had a discussion of the problems in April.

    2. Re:Not exactly a 0-day exploit by ConceptJunkie · · Score: 2, Insightful

      Yeah, but Joe Twelve-pack won't have his XP firewall turned on if he doesn't know to enable it... at least not until XP service pack 2.

      Could all virus and worm writers just lay off for a couple months? Thank you.

      Forget bad coding for a minute... Microsoft wouldn't have half the problems they have if they would simply not choose the most perversely stupid default settings.

      --
      You are in a maze of twisty little passages, all alike.
  18. IE? by BenBenBen · · Score: 5, Insightful

    What the hell has a worm that attacks through non-HTTP traffic and downloads its body through a built-in FTP client got to do with Internet Explorer?

    If you're going to bash Microsoft, at least bash the right frickin' part...

    --
    The Slashdot Paradox: "100% Overrated"
  19. Re:Windows only by Paulrothrock · · Score: 2, Informative

    Wrong again. Apache has the largest market share in HTTP servers, and it's not the most hacked.

    --
    I'm in the hole of the broadband donut.
  20. Re:Direct? by orbit0r · · Score: 5, Informative

    What could be more "directly from the Internet" than email?

    An exploit connecting directly to port 445 of a host and not requiring any user-intervention to become infected.

  21. Re:M$ - First Post? by basil+montreal · · Score: 4, Insightful

    It's a strange problem, security. Educated users are key, but because Microsoft has the largest market share, they also get the largest number of uneducated users. What will happen if Linux eventually completely replaces MS products on the desktop? Will they have the same security problems?

  22. firewall to the rescue by steve.m · · Score: 4, Informative

    It looks like it exploits LSASS.EXE by scanning for a listening port 445. Good job I've got all incoming blocked by default.

    Roll on XP SP2 with the firewall on by default for everyone, then hopefully things like this will go away....

  23. Microsoft: crime-ridden slums of computing by kherr · · Score: 2, Insightful

    It is very apparent that using Windows is like living in a high-crime, blighted neighborhood. You try and try to live a normal life but at any moment something bad could come along.

    Why people continue to choose Windows is beyond me. Linux and Mac OS X are more secure and more powerful. And oh yeah, cheaper. Sure you get Windows when you buy a new machine. But that's like offering a poke in the eye with a pointed stick with every purchase.

  24. Re:Direct? by gunnk · · Score: 5, Informative

    Email gets picked up by your email client. An email virus must then be run from the message either by opening the attachment or (for some Outlook versions) by having Outlook open it for you. Even just receiving a copy of an email virus requires that you run your email client.

    In the case of the Sasser worm, it is using an open port to crawl directly into your computer when you connect to the internet. There is no action required on the part of the user and no infected file to load. Windows simply accepts the connection and installs the worm.

    That's why worms are "more directly from the internet" than email-based viruses.

    --
    Life is short: void the warranty.
  25. Yeah, I'll run that removal tool. by pschmied · · Score: 5, Insightful

    I'm not sure why everyone is so hopped up on these removal tools. It seems to me that after being infected with a worm that installs a back door, more people ought to look at reinstallation from known good media.

    Biggest Windows vulnerability ever, again. How many times have we said that this year? At work, it's beginning to feel a bit like a duck and cover drill.

    -Peter

    1. Re:Yeah, I'll run that removal tool. by the+grace+of+R'hllor · · Score: 2, Interesting

      Of course, why don't we all just toss out our E-mail, address books, bookmarks and 'special files' three times a month?

      While all those things can be backed up, practically no one actually does this, and so keeping a system running is top priority.

      Besides which, 'known good media' means 'unpatched windows'. A pre-SP1 WinXP takes about 15-30 seconds from first connect to infection with MSBlaster, even nowadays. What you want people to have is a during-install-service-pack-update.

  26. From an IT guy by bigjnsa500 · · Score: 5, Funny
    From a *nix IT guy, I am sitting here this morning, drinking my coffee and posting on /.
    Down the hall are the MCSE's. I can hear them shouting at each other about why this and that system wasn't patched.
    Even the network big wigs are in the room with them.

    Ahhhh... the joys of *nix....

    Back to my wonderful coffee....

    --
    This is a test. This is a test of the emergency sig system. This has been only a test.
    1. Re:From an IT guy by Mysticode · · Score: 5, Insightful

      A firewall is all well and good until someone brings an unsecured laptop in and plugs it into the network. Are you telling me that no one in your organization has a laptop that they take home with them? What's the chance that they may plug it directly into a high-speed net connection at home without a firewall?

  27. "sasser" in northern Europe by akaiONE · · Score: 2, Informative
    The Sasser-worm had its fair amount of success yesterday as it crashed the networks of insurance-giant 'If' and their competitor in Norway, 'Vesta'. Both companies blame corporate users with laptops for the glitches in the security system and media all over Norway reported the whole thing as "unavoidable".

    I have been giving this some thought, and quite frankly, even laptops can be locked down so that users are patched against this kind of attack. The main issue in the IT depts of the companies mentioned above must surely have been giving it some thought yesterday; -Why did we not apply that patch from MS?

    The answer for many sysadmins is to apply patches in batches on a regular basis, unless there is something *mission critical* on the radar. Of course such things as the patch available to stop the "sasser" worm may have slipped by the eyes of even experienced sysadmins, especially when it's not flagged with whistles and trumpets by Microsoft.

    Other sysadmins have chosen not to patch the vuln. due to its effect on VPN connectivity as mentioned in other posts. The big question here is why Microsoft released a patch that disabled VPN in such a way. I realise it may have been the lesser of two evils, but hey, at least they could have released the VPN-aware patch a little earlier than yesterday morning..

    Just my 0.02 Norwegian Kroner

    --

    "-Who said sit down?!"
    -- S. Ballmer @ MSDC 2003.

  28. evolution? by qqqqarl · · Score: 5, Interesting

    i'd like to know:

    when is someone going to put a genetic algorithm into their virus/worm?

    something that mutates the worm's parameters (ports, timing delays, ip-search strategy, etc.) so that the most virulent parameters are found by "natural selection"?

    seems like an ideal application for genetic algorithms.

    K.

    1. Re:evolution? by ultrasound · · Score: 2, Insightful

      A genetic algorithm is also something different to what YOU think. What qqqqarl is suggesting is actually quite possible and intriguing.

      The very existence of multiple instances of the code, with the ability to mutate by altering parameters or even parts of the worm's algorithm, automatically leads to the conditions for evolution of an improved worm. The very survival of the worm long enough to transmit itself to produce duplicate or mutated instances _is_ the selection process and a measure of its 'fitness'. 'Natural' selection at work. How effective this is depends on a number of things, particularly whether the infection of a host will block future infection by another instance of the worm, and how the worm affects the host. The parallel with natural viruses comes to mind: a virus has no purpose other than to reproduce. It does this by subverting a host. If it is too effective and kills the host rapidly, then its virulence is limited if it relies on the host's continual operation to be transmitted. Hence Ebola is far less widespread than AIDS because the former zaps the host too fast, whereas the latter gives the host plenty of time to spread it around.

      Evolution without sex appears to be less effective (and less fun) but is still a valid method of searching a parameter space for local and global optima. I also recall doing some experiments that seemed to indicate that certain problems are easier to solve without introducing cross-over through mating of selected pairs, but just relying on parameter mutation. Something to do with the particular fitness function over the parameter space selecting against large jumps.

      Don't forget that your predecessors had to do without sex but still managed to get along and produce you in the end.

      The idea is interesting and one could imagine extending it to include sex by allowing worms to meet up and share some of their parameters in order to produce offspring. The chances of them finding each other on compromised machines would be improved using irc, and maybe even turning every N'th machine into a 'worm' speed dating platform. The possibilities are endless.

      Wouldn't it be fun if it was actually something that wasn't destructive. I wonder if there is actually a 'good' application for this type of evolving distributed algorithm? What ever happened to the idea of Intelligent Agents that was all the rage a few years ago? Using the parallel with nature, I can't think of any symbiotic viruses, but there are many instances of symbiotic relationships between hosts and bacteria. Are we going to see a white hat virus one day (other than simple patching viruses that naturally die out), or is any foreign code naturally excised out of principle? Probably.

    2. Re:evolution? by Flyboy+Connor · · Score: 3, Informative
      Funny, I give such a university course too.

      Anyway, by DEFINITION a genetic algorithm uses a population, and also by DEFINITION it uses sexual reproduction (see Thomas Bäck's excellent book comparing several evolutionary techniques, "Evolutionary Algorithms in Theory and Practice", 1996).

      If you use pure mutation on a single solution, the term to use would be "Evolution Strategy".

      If you want to exclude sexual reproduction, or use any evolutionary technique without bothering about definitions, use the term "evolutionary algorithm", which is an umbrella-name covering all evolutionary techniques.

      I know that people are often a bit loose about what terms to use, but since this is one of my particular subjects of research, I am a bit anal about it.

      Finally, AFAIK, there are already viruses and worms that mutate themselves. I don't have any definite examples, though.

    3. Re:evolution? by qqqqarl · · Score: 2, Interesting

      i apologize for being loose with the jargon. i tend to use terms people have already heard, so that the root ideas can be more easily digested by the masses.

      it would have been nice, in your original post, if you had been more clear: "i'm harping on jargon" rather than "your idea is unsound."

      K.

    4. Re:evolution? by dasunt · · Score: 2, Interesting

      when is someone going to put a genetic algorithm into their virus/worm?

      something that mutates the worm's parameters (ports, timing delays, ip-search strategy, etc.) so that the most virulent parameters are found by "natural selection"?

      I don't think the number of infected machines in the world is high enough for successful genetic evolution. Viruses and worms are not like living organisms -- the chance of non-fatal mutation is lower. If a mutation creates an organism with a 1/2" longer neck, that organism will probably not die because of it. If a virus mutates so that an exploit code attacks a slightly different bit of memory, that virus is probably toast.

      What we need for a successful 'evolution' virus is two-fold. First, there should be a different tendency to mutate different parts of its code. It should have a low chance to mutate most of its code, but a higher chance to mutate code that is least likely to result in damage. (Think "I love you!")

      Second, it should act like some bacteria and find other organisms (viruses) and steal their code. Let the walking bags of mostly dirty water and their wetware develop the code. Exploit it. In this manner, it's more likely that a new working exploit will be found.

      Can the above be done in a viral payload? I don't know. I'm guessing that the difficulty factor is pretty large, but if someone wants to, someone will probably pull it off.

  29. Re:If Im totally up to date with my MS Security st by JustDisGuy · · Score: 2, Insightful

    That depends on whether the Microsoft patches you have installed don't actually do more harm than good.

    For other than this particular exploit, it also depends on whether another exploit is made available before a working patch is made available for a publicized (or not!) vulnerability.

    In short, no. You may be safer, but you're not safe.

    --
    Hanlon's Razor - Never attribute to malice that which is adequately explained by stupidity.
  30. Re:Windows only by Hrothgar+The+Great · · Score: 5, Informative

    People have short memories. There was an Apache worm about two years ago (in mod_ssl).

    Here is a link

    Of course, worms like that are few and far between, especially when compared to the number of Windows worms going about lately, but to claim a system is "worm free by nature"? I think that's more than a little premature.

  31. Zonealarm Failure by doneagain · · Score: 3, Interesting

    I have zonealarm setup on a home PC and it failed to keep Sasser out. So much for a personal firewall.
    And yes there is AV on it, but it was infected before the updates had even come down.

    --
    Same s**t, different day
    1. Re:Zonealarm Failure by Jarnis · · Score: 5, Insightful

      Correction: you had a zonealarm that was set up wrong.

      Blocking port 445 from inbound traffic secures the computer against this worm.

      Also the failure to install a critical patch that has been out for two weeks is called 'stupidity'. Using a windows box connected to the net is already something close to extreme sports. Doing so without regular windowsupdate visits is like extreme sports blindfolded without a helmet. You are *bound* to get hurt.

  32. Re:If Im totally up to date with my MS Security st by Anonymous Coward · · Score: 2, Interesting

    Up to date with patches, a proper firewall, and common sense and my Windows machine has never had a virus. I am convinced that in the end Windows users will end up better off. It is like security boot camp with live ammunition. Each time the number of people infected gets just a little bit smaller.

    I picture a day when most users have migrated to Linux and the first serious threat comes out and they are all prepared and the l33t get destroyed because their systems can't possibly get a virus because it is open-source.

    I patch both my Slackware box and my Microsoft box regularly - do you?

  33. Our server's protected by AC-x · · Score: 3, Informative

    A few days ago I saw a message from our firewall asking if I wanted to allow Security Authority Subsystem to be contacted by a remote host.

    A simple click on the "No" button stopped this worm in its tracks.

    If more admins just installed firewalls and made sure all unnecessary services were blocked there'd be a lot less worm infections. (sure it won't protect people who need to use the Security Authority Subsystem, but I'm willing to bet a lot of the infected machines don't use it at all)

    1. Re:Our server's protected by FictionPimp · · Score: 2, Funny

      Yea, I run software firewalls on all my windows machines as well as using NAT. Never had a problem.

      Although just the other day I had some "windows expert" recommend instead of trying to find and open the ports for a video game I was trying to play, that I just put my computer on the DMZ (even after I told him I needed to get 3 computers working and needed to use port triggering). I told him putting your computer as DMZ was just as good as putting a kickme sign up. He argued with me and told me windows is 100% secure, that I just didn't know how to secure it.

      So there, guys, windows is 100% secure. Get off it. :-)

  34. Kill the AVSERVT.EXE process! by denis-The-menace · · Score: 2, Informative

    AVSERVT.EXE is the FTP server that Sasser uses.
    It will show up as a very hungry process (77%+ CPU)

    Kill it and then you'll be able to patch the box.

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    1. Re:Kill the AVSERVT.EXE process! by CPlusPlusOwnsYou · · Score: 2, Informative

      Of course it's located in the registry in the startup location and will be restarted every time you reboot.

      Check the startup registry path for "Avservt.exe":
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      --
      "Software is like sex: it's better when it's free."
  35. uh uh by WormholeFiend · · Score: 2, Insightful

    "I'm sitting here with my phone ringing off the goddamn hook"

    so are you telling us you'd rather let the phone ring and read slashdot and post comments instead?

  36. Problems are with windows, not IE by T.Hobbes · · Score: 5, Informative
    A few things:
    • It's a worm, not a virus
    • It attacks Windows, not IE (despite Microsoft's efforts, there is still a distinction)
    • For the user, the main damage is that the infected computer will shut down; I have no reference, but shutdown loops have been reported
    • For the admin, the main damage is the flood of traffic sent out by the worm in search of new hosts
    • The worm can use Win98/WinME boxes to propagate but cannot infect those same computers

    Google cache of McAfee's page on the worm
    One of symantec's pages

  37. BEWARE NT4 TS + Citrix admins!! by SlashDread · · Score: 4, Informative

    The patch from MS : http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    just BSOD'ed my Citrix server.

    YMMV

    "/Dread"

    1. Re:BEWARE NT4 TS + Citrix admins!! by Rick.C · · Score: 4, Informative
      There's a Terminal-Server-specific security rollup patch (SRP) that must be applied first. Check the MS MS04-011 page.

      I would hope that MS04-011 would check for the presence of the SRP, but who knows?

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
  38. Re:Heard of a firewall? by SiggyRadiation · · Score: 5, Insightful

    A. Guy takes home corporate laptop.
    B. Plugs laptop into phone-line / uses internet
    C. Gets infected
    D. Takes his laptop back to the job
    E. Infects the entire LAN *FROM THE INSIDE* while the firewall happily keeps the fire "IN" (instead of out).

    If you fire anyone, please fire the laptop-owner.

    --
    This unique sig is intended to make this user more recognisable.
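    The worm behaviour described in this thread (a host sweeping port 445 looking for new victims, whether from outside or from an infected laptop already on the LAN) leaves a recognisable pattern in firewall logs. The following is an added example, not code from the original thread or from any of the posters: it reads lines in the W3C-style layout the XP firewall writes to pfirewall.log (assumed here to be "date time action protocol src-ip dst-ip src-port dst-port ...") and flags any source that contacts many distinct hosts on TCP/445 within a short window; the sample log lines are constructed.

```python
"""Flag hosts that behave like a Sasser-style port-445 scanner.

Added example (not from the original thread). A legitimate client talks to
one or two file servers on 445; a scanning worm walks the address space.
The log layout assumed here is the W3C-style one the XP firewall writes:
"date time action protocol src-ip dst-ip src-port dst-port ...".
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT = 445
WINDOW = timedelta(seconds=60)
THRESHOLD = 5      # distinct destinations inside WINDOW before a source is flagged

# Constructed sample log: 10.0.0.23 walks neighbouring addresses on 445 (worm
# behaviour), 10.0.0.5 reuses one file server (normal SMB), 10.0.0.40 touches
# five hosts but far too slowly, 10.0.0.9 generates unrelated traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2004-05-03 09:12:01 DROP TCP 10.0.0.23 10.0.1.1 1034 445
2004-05-03 09:12:01 DROP TCP 10.0.0.23 10.0.1.2 1035 445
2004-05-03 09:12:02 DROP TCP 10.0.0.23 10.0.1.3 1036 445
2004-05-03 09:12:02 OPEN TCP 10.0.0.5 10.0.0.100 2201 445
2004-05-03 09:12:03 DROP TCP 10.0.0.23 10.0.1.4 1037 445
2004-05-03 09:12:05 DROP TCP 10.0.0.23 10.0.1.5 1038 445
2004-05-03 09:12:40 OPEN TCP 10.0.0.5 10.0.0.100 2202 445
2004-05-03 09:13:10 OPEN TCP 10.0.0.5 10.0.0.100 2203 445
2004-05-03 09:15:00 DROP TCP 10.0.0.9 10.0.1.1 3001 80
2004-05-03 09:15:01 DROP UDP 10.0.0.9 10.0.1.2 3002 445
2004-05-03 09:20:00 DROP TCP 10.0.0.40 10.0.2.1 4001 445
2004-05-03 09:21:30 DROP TCP 10.0.0.40 10.0.2.2 4002 445
2004-05-03 09:23:00 DROP TCP 10.0.0.40 10.0.2.3 4003 445
2004-05-03 09:24:30 DROP TCP 10.0.0.40 10.0.2.4 4004 445
2004-05-03 09:26:00 DROP TCP 10.0.0.40 10.0.2.5 4005 445
""".splitlines()


def parse_line(line):
    """Return a dict for one log record, or None for headers, comments and junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
        return {
            "ts": ts, "action": fields[2], "proto": fields[3],
            "src": fields[4], "dst": fields[5],
            "sport": int(fields[6]), "dport": int(fields[7]),
        }
    except ValueError:
        return None


def find_scanners(lines, port=SCAN_PORT, window=WINDOW, threshold=THRESHOLD):
    """Map each scanning source to the time it first crossed the threshold."""
    hits = defaultdict(list)            # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        # only TCP connection attempts to the scanned port matter here
        if rec and rec["proto"] == "TCP" and rec["dport"] == port:
            hits[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # slide the window start forward until the span fits inside `window`
            while ts - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = ts
                break
    return alerts


if __name__ == "__main__":
    for src, when in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{when:%Y-%m-%d %H:%M:%S} {src} looks like a port-{SCAN_PORT} scanner")
```

    Run against a real pfirewall.log the same logic points at the infected laptop from inside the LAN just as well as at an outside scanner, since the source address is what gets counted.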
  39. Re:If Im totally up to date with my MS Security st by Macgruder · · Score: 2, Insightful

    Well in this case, yes.

    Sasser exploits a hole in Windows. A patch for this hole has been out for about three weeks.

    Moral of the story: Keep aware of the Critical Updates. You may not need to apply every single one of them, but at least be aware of what they are, and what problems they are designed to fix.

    --
    I'm not crazy, I'm actively irresponsible.
  40. Re:Windows only by Anonymous Coward · · Score: 4, Interesting

    Apache has the largest market share in HTTP servers, and it's not the most hacked.

    I always see this posted and I think people get this mixed up. More web sites are hosted on Apache servers, but there are more physical boxes running Windows.

    Example:

    I just left a job working at one of the largest internet hosting companies. We hosted close to 300,000 web sites; both Windows and Linux. Our customer base was roughly 60% Linux and 40% Windows; hosted on a little over 5,000 servers.
    If you were to know the number of servers we have and looked at a Netcraft scan you would assume the following:

    3,000 servers running Linux web sites
    2,000 servers running Windows web sites

    But that would be incorrect. Most of our Linux sites are cheap little geek home pages where we have a couple hundred sites hosted on a server. Our dedicated sites, big e-commerce sites, are mostly running on Windows boxes. So we have some servers running hundreds of sites and others running 1+ sites.

    What's my point? In reality it's more like 1,500 servers running Linux (Apache) and 3,500 running Windows (IIS). I've worked at a couple large hosting companies and it's the same at all of them. So when you see the Netcraft report stating that 65% of the web is running on Apache, that doesn't mean there's more physical servers out there running Apache than IIS; just Apache servers are hosting more sites due to the small, cheap nature of a lot of Linux hosted sites. So, in reality, there is a larger install base of IIS machines. Of course Apache is pretty secure, because if they attacked an Apache box at a hosting company they could take down a lot more sites, causing more havoc.

  41. Re:Windows only by qasimzaidi · · Score: 5, Interesting

    Mine was probably the only PC left infected in the office. Funnily however, when I tried to download the patch for Sasser from Microsoft (I unfortunately have to dual boot), here is what I got:

    "Thank you for your interest in Windows Update. Windows Update is the online extension of Windows that helps you get the most out of your computer. You must be running a Microsoft Windows operating system in order to use Windows Update."

    From what I have heard from my colleagues, this worm attacks when you connect to the net, and Microsoft forces you to connect with a vulnerable system. But then, Windows is a product for dummies from the dummies.

    PS: Tried fooling the script at the Windows Update site by changing the browser identification, but this only prevented the thank you message; it didn't allow me to download the patch.

  42. Re:M$ - First Post? by Anonymous Coward · · Score: 2, Interesting

    Just to comment on the "educated user" bit. My father works at the EU Commission. The news reports were not overstated. Almost ALL (at least 90%+) of the computers on the Commission intranet (around 25,000 if I remember correctly) were infected with this virus on the 3rd of May. In the end he went home early (like most people) and the admins sorted it out overnight.

    These are computers which are automatically updated from a local mirror when an admin tells them to.

    Sod educated users, let's have some educated admins.

  43. Once again, the writing is on the wall.... by innerweb · · Score: 3, Insightful
    ...Security, stability and safety are the primary concerns of any computing platform. When you ignore any of the three, you are at risk. Just like risk in the real world, risk in the digital world can have serious impact.

    Microsoft, Linux, Apple - all platforms need to have this drilled into their brains, coding, and documentation repeatedly with much force! Microsoft is a target because they have angered so many with their *business* activities and sloppy coding. How long before Linux joins them?

    I am an avid Linux user - The only windows machines I have are for client applications that I can not run on Linux.

    Most of us (yes, me included) when we scratch an itch, make it work for ourselves, not for the world in general. If we are to produce Secure, Stable and Safe programs, then we need to have a tool set that allows us to build them without thinking about it, or we need to all think about it with each app released into the wild. Asking Joe User to know enough to run a secure platform is like asking all people to be able to self serve everything in their own cars, appliances and bodies (i.e., no mechanics, repairmen or doctors needed).

    'It ain't gonna happen!' All of these are way too complex and most are changing faster than most people can keep up with. So, it needs to fall back on our shoulders (the developers) to make this happen. The question today (as in so many other days past) is what can we Linux developers learn from Microsoft's mud? What are the issues that are allowing these things to happen and how can we prevent them? I hope everyone has heard this before.

    And, more importantly, how do we get qualified people to itch this scratch to completion? It seems to me that the world in general would benefit most from a programming tool set that built these solutions in, and that is not going to be an easy task. Microsoft is trying to address that with .net, and is still not on target (or anywhere close from what I have seen). Java tried to answer that, but it has fallen far short of what is needed.

    I really do not have any answers to this. One of my best friends has explained to me the complexities of building compiler systems and writing your own languages. Those complexities alone are big issues. I would love to read what other /.ers have to say on this issue.

    InnerWeb

    --
    Freud might say that Intelligent Design is religion's ID.
  44. Correction by CPlusPlusOwnsYou · · Score: 2, Informative

    The problem isn't with internet explorer. It's with a program called lsass.exe or the "Local Security Authority System Service".

    It takes advantage of the open ports in Windows (as if Microsoft didn't learn from NetBIOS).

    In Windows 2000/XP/2003, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

    Check if port 445 is open on your system (you have to do a regedit hack to close it)

    http://www.petri.co.il/what_is_port_445_in_w2kxp.htm

    The above site has detailed information on how to use regedit.exe to disable port 445 in Win2k/XP.

    --
    "Software is like sex: it's better when it's free."
  45. interesting thoughts for the future by Anonymous Coward · · Score: 2, Interesting

    At first linux's traction on the desktop was because "windows isn't stable". Then there came windows XP, where most instability is from third party drivers.

    Then a lot of Linux's traction has been "windows is insecure". But when Windows XP SP2 comes out, the worms will die away a bit, and it will only be social engineering attachment trojans in Outlook.

    Then what will Linux's attraction be? A better desktop, right? Better browser etc. But when Longhorn finally comes, that might be gone too.

    Linux, to my mind, will always be better for myriad reasons, but it has to be a lot better to make people change. And WinXP stability, firewalls cutting the worms down, and a better GUI... will it be *that* much better to get people to change?
    This makes the "linux on the desktop" window of opportunity quite finite.

    I, for one, believe we can best Microsoft on the home desktop but we need the corporate desktop for the following reason: hardware compatibility.

    "Why?" you ask, well I'll tell you. We need the corporate desktop for hardware support. OSX has a hardware rendered desktop, Longhorn will have it too. No Linux will be able to have a hardware rendered desktop without GPLed drivers. To get GPLed drivers for most graphics cards, we are going to need the slugging power of at least a 30% stake in business desktops. This makes Ximian/MS integration type projects, mozilla/firefox/thunderbird and openoffice some of the most important battlegrounds you will see in the next few years. Once we have the hardware, we can take them - but don't fire until you see the whites of their CGI rendered eyes.

    And here are some thoughts on that matter, my head's in the clouds for some of it - but we can dream, right?

    Convince XGI to GPL Volari drivers. Standard tactic of an underdog is to use open-source to sling-shot ahead of the competition through features and performance. DirectX 9 is heavily shader based, but I prefer OpenGL myself and if you look at these performance statistics http://www.tomshardware.com/graphic/20031107/index.html
    the only thing a Volari needs is GPLed drivers and a Linux following.

    GPLed Nvidia and ATI drivers might follow. Who knows.

    The other thing is, put some weight behind an "opensource hardware" movement to get an openGL performance beast that can be manufactured and sold by anyone, as it is an open design. I think with DRM we are going to see the ground ripe for open source hardware configurations. And don't think electrical engineers won't be able to do what software engineers have done with linux.

    Anyway, that's just some memes I wanted to spread around, AC because I don't care about authorship. Just mull them over, because we need all the ideas we can get for the battle to gain a foothold. I am not saying I want to destroy MS, I just want enough market share to be able to have hardware compat and make sure things like DRM don't make their way into hardware (or make sure there is an alternative). From Minix to now we have only seen the end of the beginning: business and home desktops, DRM and the very nature of hardware await.

  46. Sasser prevention tips by Anonymous Coward · · Score: 2, Interesting

    1) Enable ICF (Internet Connection Firewall) if using XP or Server 2003. This blocks all unsolicited incoming traffic.

    2) Block the following at the firewall:
    * UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
    * All unsolicited inbound traffic on ports greater than 1024
    * Any other specifically configured RPC port

    (Personal note here: I block *all* ports except 80, 443 (web), 25, 110 (mail).)

    3) Enable advanced TCP/IP filtering to block all unsolicited inbound traffic. See Microsoft Knowledge Base Article 309798.

    4) Block the affected ports by using IPSec on the affected systems.
    (Personal note here: I run a couple of machines over VPN exclusively, and so only the VPN ports need to be open on the firewall for them. Any attack will have to come from within the VPN.)

    These tips are straight from M$, see:
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
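    The two policies in the tips above (the MS04-011 port blocklist in tip 2 versus the poster's own "block everything except 80, 443, 25, 110" allowlist), modelled as pure functions in an added example that is not part of the original thread or of Microsoft's guidance. The packets are constructed, the "solicited" flag stands in for a stateful firewall's connection tracking, and the `extra_rpc_ports` argument is my placeholder for the "any other specifically configured RPC port" item.

```python
"""Simulate the two inbound-filtering policies from the Sasser prevention tips.

Constructed example for illustration only; nothing here talks to a network.
"""
from dataclasses import dataclass

# Ports named in tip 2 (quoted from MS04-011 in the post).
BLOCKED_UDP = {135, 137, 138, 445}
BLOCKED_TCP = {135, 139, 445, 593}

# The poster's personal allowlist: web and mail only.
ALLOWED_TCP_PERSONAL = {80, 443, 25, 110}


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int     # destination port on the protected host
    solicited: bool   # True = reply to a connection this host opened


def blocklist_policy(pkt: Packet, extra_rpc_ports=frozenset()) -> str:
    """Tip 2: drop the named SMB/RPC ports, any extra configured RPC ports,
    and unsolicited inbound traffic above 1024. Everything else passes."""
    if pkt.proto == "udp" and pkt.dst_port in BLOCKED_UDP:
        return "drop"
    if pkt.proto == "tcp" and pkt.dst_port in BLOCKED_TCP:
        return "drop"
    if pkt.dst_port in extra_rpc_ports:
        return "drop"
    if not pkt.solicited and pkt.dst_port > 1024:
        return "drop"
    return "accept"


def allowlist_policy(pkt: Packet) -> str:
    """Tip 1 plus the personal note: default-deny. Replies to our own
    connections pass; otherwise only the listed TCP service ports do."""
    if pkt.solicited:
        return "accept"
    if pkt.proto == "tcp" and pkt.dst_port in ALLOWED_TCP_PERSONAL:
        return "accept"
    return "drop"


def blocklist_gaps(packets):
    """Packets the blocklist lets through but default-deny would stop.
    Shows why the poster tightened the Microsoft list to an allowlist."""
    return [p for p in packets
            if blocklist_policy(p) == "accept" and allowlist_policy(p) == "drop"]


# Constructed sample traffic: the TCP 445 (SMB over TCP) connection the worm
# uses against LSASS, NetBIOS name traffic, a web request, an SSH probe, and a
# reply to a connection the host opened itself.
SAMPLE = [
    Packet("tcp", 445, False),
    Packet("udp", 137, False),
    Packet("tcp", 80, False),
    Packet("tcp", 22, False),
    Packet("tcp", 3456, True),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.proto}/{p.dst_port:<5} solicited={p.solicited!s:<5} "
              f"blocklist={blocklist_policy(p):<6} allowlist={allowlist_policy(p)}")
    print("blocklist gaps:", blocklist_gaps(SAMPLE))
```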

  47. Sasser *is* a virus by cr@ckwhore · · Score: 2, Interesting

    Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet.

    Are you kidding me? By this definition, Sasser *IS* a virus, unlike everything else, which are Worms.

    It seems that we've been living in the land of email worms for so long that most people don't know how to deal with a real virus. Yeah, that's what they do... they spread without your help. Geez!

    --
    Skiers and Riders -- http://www.snowjournal.com
    1. Re:Sasser *is* a virus by American+AC+in+Paris · · Score: 5, Informative
      It seems that we've been living in the land of email worms for so long that most people don't know how to deal with a real virus. Yeah, that's what they do... they spread without your help. Geez!

      No, that's inaccurate.

      Worms can spread to other machines on their own. Viruses require some external intervention (such as file sharing or e-mail) to spread to other machines. See this entry in the Jargon File for a more verbose answer.

      Now, many of the latest e-mail "worms" would be better classified as viruses or trojan horses, as they are incapable of infecting other hosts without direct user intervention (i.e., opening an attachment.) They've been (IMHO) mis-labeled as worms because they display worm-like behavior once they've infected a machine--that is, they mail copies of themselves as trojan-style attachments to other users.

      So yes, the Sasser worm is a bona-fide worm. It transmits itself to other systems without any external help.

      --

      Obliteracy: Words with explosions

  48. Re:Windows only by Anonymous Coward · · Score: 2, Insightful

    And now compare the number of users using apache and mod_ssl against those using windows and the number of windows outbreaks there have been over that two year period.

  49. Re:If Im totally up to date with my MS Security st by DaHat · · Score: 2, Interesting

    Moral of the story: Keep aware of the Critical Updates.
    That... or don't have unrestricted port access to your machine. Because of my efforts, no one in my extended family is permitted to plug their PC directly into their cable modem; all go through NAT routers because of the inherent security benefit of them.

    I admit it, I don't keep up to date on Windows updates, simply because my PC is so many levels removed from the internet that a slew of cataclysmic events would have to occur for me to become infected with anything more than disk fragmentation.

  50. Windows machines directly on public networks by Peter+Cooper · · Score: 2, Insightful

    I'm no Windows hater, but these exploits reinforce my opinion that no Windows machine should have a publicly accessible IP address.

    We run Windows on our network here, but we have a Linux box with IP masquerading enabled connected to the Net, so the only exploits that could possibly work would be 'stupid enough to open the attachment' types, as you can't target any of our Windows PCs from the outside world, only our Linux box.

    Sure, some of the ports Windows leaves open are useful for things you might do on a corporate LAN (Active Directory, RPC, and such) but these things are next to useless for the larger Internet. If they don't want to fix the holes before someone has exploited them, or code their systems properly, then Microsoft could at least make it so that Windows leaves NO generic ports open on public/WAN interfaces.

  51. Here's my favorite bit... by qtone42 · · Score: 4, Insightful

    Poor programming by Sasser's creator makes infected machines shut down.

    That should make the writers happy... that their ineptitude made global news.

    I am not impressed with the foo of these cut-and-paste virus coders. There was a time when it was actually difficult to code one of these things, but come on... they are open-source now.

    No-kung-foo-required.

  52. Interesting? by sameerdesai · · Score: 2, Interesting

    Is this why the IRS computers were down yesterday? I had called them up regarding my return and they said all computers were down. Hmmmm...

  53. Dupe.. by shird · · Score: 2, Interesting

    Not only highly inaccurate (IE?), but also covered by Slashdot two days ago.

    New Windows Worm on the Loose

    Stupidest...story...ever...

    --
    I.O.U One Sig.
  54. Re:Patch by MNJavaGuy · · Score: 2, Interesting

    I was referring to how it's not showing up on some of my unpatched machines in Windows Update as a critical update (not at all).

  55. Built in XP firewall not effective by Anonymous Coward · · Score: 5, Interesting

    The built-in WinXP firewall does NOT protect against the Sasser worm. I ghosted an XP box three times to confirm this -- not until after applying MS04-014 and/or using an alternative firewall (e.g. ZoneAlarm) did I see protection from Sasser or its variants (if they exist... although I did see LSASS crash a few times without the presence of avserveX.exe on the system).

    I don't know about you guys, but the SASSER worm turned an otherwise boring Sunday into a wickedly exciting day! Thank you, worm-guy!

    -s

  56. Re:M$ - First Post? by JustDisGuy · · Score: 2, Insightful

    So many people continue to use computers without knowing the full risks associated with them.

    You're mad. I know this is /. but the fact is that most people don't give a shit about how computers work - they just want them to work like an appliance. That's why we have jobs.

    An educated user base? Hah. AIDS is still spreading and you're worried about a computer virus?!?!?

    --
    "Never attribute to malice that which is adequately explained by stupidity." - Hanlon's Razor
  57. Re:That's only part of it by Progman3K · · Score: 2, Interesting

    Again, right!

    Net effect?
    These machines will keep crashing until they are DEALT WITH!

    That means brought up to date.
    And that means -
    No more vulnerabilities, no more infections, no more spam-relays...

    I think it's WONDERFUL that this worm causes the computer to reboot constantly; that's SURE to get the system the attention it requires, and in the meantime, it effectively takes it out of commission. :-)

    --
    I don't know the meaning of the word 'don't' - J
  58. Re:M$ - First Post? by RoLi · · Score: 2, Interesting
    But as long as people are willing to give up their passwords for chocolate

    I think you don't understand the problem.

    People giving away passwords are not a problem except for themselves.

    Windows is a problem for everybody because a worm can exploit millions of machines automatically.

  59. Actually related to Internet Explorer? by Junks+Jerzey · · Score: 2, Informative

    Yet another virus is causing problems with Internet Explorer

    Does it have anything to do with Internet Explorer? Neither of the links provided mentioned anything at all about IE.

  60. Slashdot Jumped the Shark by Fubar411 · · Score: 4, Funny

    Wow, I'm witness to Slashdot jumping the shark. An article summary bore no resemblance to the actual article. This hasn't happened before.

  61. Re:Decent firewall, regular updates & common s by wwwillem · · Score: 2, Insightful

    Pick two out of three :-).

    Nearly all my systems are Linux based or updated with the latest patches from Redmond. But I have here one box running Windows 95, daily used for email and browsing, behind a firewall that's as locked down as possible. On the other hand, the last security update or virus definition download happened at least three years ago. And yes, the common sense topic also applies, because I've trained my wife (the main user of that box) from day one to mistrust any attachment.

    So, this box, without being updated, has over the years always been virus free. And probably its chances are getting better by the day, because who is writing viruses for Win95, or IE4 or even WordPad....

    A colleague of mine has already been working for a week to install XP on a new notebook. While connected to the net (only sw firewall, no hw router) to get the Windows Updates, she got hit already. Of course I told her she was stupid not to buy a firewall box first, but oh well, who listens to me :).

    Conclusion: get that firewall and use common sense!!

    --
    Browsers shouldn't have a back button!! It's all about going forward...
  62. Dual boot works for me... by gillbates · · Score: 3, Interesting

    I've found that the best solution to the problem of Microsoft's constant and ever more serious security holes is simple:

    Dual boot with Linux. Linux for the network; Windows for the games.

    Just use Linux as your network-enabled OS, and Windows for everything else. Log off the internet or disconnect your DSL or broadband before you reboot into Windows, and you'll be fine.

    It is really that simple - I just disconnect my network connection when I'm running Windows. Let's face reality here:

    • The majority of PC users run Windows. So you need Windows to communicate with the rest of the world. If you want to write free software that benefits the average PC user, you have to target Windows. There are a lot of "average" users who couldn't use Linux, but not many geeks that can't use Windows.
    • Linux is far more secure when exposed to a network than Windows.
    • Yes, there are patches available for Windows, but some of us have better things to do than constantly patch our machines and spend hours trying to figure out why the latest Microsoft patch "broke" something that worked previously. And...
    • Neither I nor my professional colleagues have the time to constantly patch our desktop machines. We have work to do. We shouldn't have to deal with security holes that shouldn't be present in a commercial operating system.
    • Even should you put forth the effort to stay fully up to date, your boxes still contain a plethora of security holes; 6 months from now, Microsoft will be issuing patches for today's vulnerabilities that have yet to be discovered. Considering that more Windows security holes are discovered in the average month than have been discovered in all 10+ years of Linux's history, I feel a little safer running Linux.

    So the solution is simple: Linux is your network OS, and Windows is your "friends and family" OS.

    --
    The society for a thought-free internet welcomes you.
  63. Backdoor Dangers by gregarican · · Score: 2, Informative

    To me the more dubious part of the Sasser worm is that it can lead to other backdoor processes being planted on a host PC. That's why some sources are stating that just running a removal tool and then patching is enough. The backdoor processes would still be present on the host PC. That means the best removal tool would be the old format command. Ouch.

    Starting with Code Red and Slammer I would just bash Microsoft without regard to any other factors. But now I am seeing things a bit more objectively. After all, these recent exploits weren't created until after the security bulletins and patches were released to the public. And there was about a full two weeks for the public to patch their systems.

    If Linux had as broad of a home user base I'm sure some published vulnerabilities and patches would result in much the same. Joe Six Pack, whether using Windows or Linux, would be slow to patch their systems. And that would lead to some rather uninventive script kiddies writing easy exploits working off of published POC examples.

  64. Easy to remove by Overzeetop · · Score: 2, Funny

    Actually, this is quite easy to remove...I talked my mother through it over the phone (and she doesn't know the difference between AOL and the internet). Sure, it took her 30 minutes to perform all three steps (boot to safe mode - 8 minutes, delete the exe's - 12 minutes, and remove the registry keys - 10 minutes), but it was actually quite simple. Most of the delay came from me trying to walk her through the process over the phone without having my machine set up identical to hers:

    Me: Okay, press the button on the computer to turn it on and then press f8
    Mom: Ess or Eff?
    Me: Eff-Eight, the function key
    Mom: Press F8 and hold it? Do I press F and hold it while I press the 8?
    Me: No, F8 is a key at the top of the keyboard, near the center.
    Mom: Oh. Okay, the starting Windows screen is up, do I press F8 now?
    Me: Yes
    Mom: (long pause) It's coming up (pause) Okay, I have my normal picture on the screen.
    Me: Oh. Okay, let's turn the computer off and try again.
    [rinse, repeat, rinse, repeat, rinse, repeat]

    It's sort of like talking your dog through doing open heart surgery over the telephone, with the only commands you can give being "sit", "speak", and "heel", and the only feedback is the dog barking.

    At least now she's been forced to install a working antivirus program and the firewall software.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  65. Coast Guard by baldcamel · · Score: 2, Interesting

    For those that are interested, the worm severely affected the UK coastguard (BBC).

  66. You gotta be kidding me by gosand · · Score: 2, Insightful
    still am of the opinion that it doesn't matter how many patches M$ releases. The fact is, we need an educated user base. So many people continue to use computers without knowing the full risks associated with them.

    Really? Who do you know that knows the FULL risks associated with using computers? Before this worm, I didn't know what port 445 was for - but I knew I had it blocked on my firewall. Maybe you are talking in a perfect world, but there is ZERO chance that all computer users will realize the full risk of using them. If they did, they wouldn't be using computers. I have been using computers since the early 80s, and I don't claim to know all the risks associated with using them.

    I am not anti-computer-education, but what you are talking about is a pipe dream. For jebus sake, we still have people wiring their life savings to people in Nigeria, and guys buying penis enlargement pills.

    --

    My beliefs do not require that you agree with them.

  67. Re:Heard of a firewall? by StrawberryFrog · · Score: 4, Insightful


    A. Guy takes home corporate laptop.
    B. Plugs laptop into phone-line / uses internet
    C. Gets infected
    D. Takes his laptop back to the job
    E. Infects the entire LAN *FROM THE INSIDE* while the firewall happily keeps the fire "IN" (instead of out).

    This actually happened to us last year.

    If you fire anyone, please fire the laptop-owner.

    Uh, problem being that it's good odds that the laptop owner is the boss of the people wanting to fire someone.

    --

    My Karma: ran over your Dogma
    StrawberryFrog

  68. Re:What ARE Win98SE users supposed to do? by gregarican · · Score: 4, Informative

    Just like the ASN.1 vulnerability that is patched through one of the recent Microsoft patches. Supposedly Win98/ME PC's aren't affected by the issue. But looking at my company's Win98 PC's I saw the msasn1.dll file present. And researching things a little bit I saw that the standard implementation of the ASN.1 command parser is affected on any and all platforms. From a Nortel H.323 gateway to a Cisco router to a Windows 2003 Server to a Windows 98 PC.

    This was months ago that I read this. I called into the Microsoft PCSAFETY toll free number and a tech indeed acknowledged that Windows 98 and ME PC's were vulnerable. And they e-mailed me a link to download the patch (not one of the hoax e-mails either, so no jokes!!). Since then I deployed it to all of my Windows 98 PC's and know that they are at the same standard as the Windows 2000 and XP machines.

    What kind of company releases patches and leaves out some client versions that are still safe from the EOL cycle? That's what Microsoft did with the ASN.1 patch.

    And what kind of company releases patches that obviously weren't tested on clients that were running USB storage, DLT storage, and IPSec agents? Look at the KB835732 patch. It broke all of these driver loads, leaving patched PC's running at 99% CPU utilization after rebooting.

    Nice, really nice. Risk stability and compatibility issues versus being exposed to an Internet-borne worm. I'm not blaming Microsoft for having vulnerabilities. All OSes do to one degree or another. But I am blaming them for leaving out client versions and not thoroughly testing code they should've been working on for 5 months.

  69. Don't worry.... by vwjeff · · Score: 4, Insightful

    If enough machines get infected you won't have to worry about anything. The network will be flooded.

    Seriously folks. Microsoft released the patch 21 days ago. If the worm came out before the patch I would be more critical, but it didn't. Hopefully Microsoft decided to turn on automatic updates by default in Service Pack 2 for XP.

    1. Re:Don't worry.... by Ruprecht+the+Monkeyb · · Score: 5, Interesting

      Yes, they released the patch 21 days ago. They also released a hotfix at the same time that breaks a non-trivial # of computers.

      Those of us forced to work and support a Windows environment are caught between a rock and a hard place. We don't dare apply a brand-new patch on production servers, or roll it out across the enterprise, but if we wait too long, an exploit hits what the patch supposedly fixed, and we get smacked (plus raked over the coals on /. for being incompetent).

      I try to get new so-called critical patches applied within 7 days -- usually sooner, depending on when I can afford to take servers down, etc. But it won't be long before one of these wide-spread worms hits a vulnerability that's just been patched in the last day or two. Hell, I run several layers of AV protection that checks for updates hourly, and twice I've gotten hit by viruses before the updated signatures were available.
      -

    2. Re:Don't worry.... by bluntmanspam · · Score: 2, Interesting

      About the patch being released 21 days ago:
      Our machines were all patched up as of Wednesday and still got screwed by this worm. Microsoft released a new patch after that and we all apparently needed it to stop the servers rebooting. They weren't getting infected, but they were effectively DOSed until they were patched Saturday.

      Before I get derided about not having them behind a firewall, they were getting hit by users who were behind our shields.

    3. Re:Don't worry.... by slashdot_commentator · · Score: 2, Informative

      Don't blame the user for an inadequate network design. Servers should be segregated from "users" on separate subnets with firewalls between them. You can poke some more holes into the internal firewalls to account for applications; it sure beats having nothing.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
  70. Weeks to patch by truthsearch · · Score: 5, Interesting

    And let's face it; if your machine is not properly patched, it's probably already being used as a spam relay, so it's not the spammers who would want this.

    In a corporate network environment, such as mine, a few weeks is barely enough time to get a patch onto every desktop. First a few days are spent testing it. Then it has to be pushed out to all of the users. Server patches often have to wait until weekends because they can't be down during the week. Then manual installs have to be done for all the "non-standard" setups.

    Then there's the new computer I got yesterday with our standard corporate developer's build. Of course the build doesn't have the latest patches yet, so when I turn on the computer for the first time, immediately after logging in McAfee catches the virus. So then I have to hunt down the right patches from the right people and reboot repeatedly until I can log into the network without getting the virus.

    So I lost all of yesterday fixing the problems on my two computers and my office is as up to date as possible with getting patches onto workstations. Machines go for weeks without new patches because it's impossible to distribute them when some break applications, and therefore require much testing.

    I wrote a 70 page document explaining why we should switch from Windows to Linux. Management wouldn't even start to read it. This is what they get for their ignorance.

    1. Re:Weeks to patch by BigBir3d · · Score: 2, Insightful

      Send them your post instead of a 70 page report. Mgmt sees 70 pages as a way to try to confuse them into making a decision. They want a one page answer. Doesn't make it right... but you need to work within the system to work the system. No different than a computer really.

    2. Re:Weeks to patch by dasmegabyte · · Score: 3, Insightful

      Their ignorance? What about yours?

      A new computer is like a new baby. You need to inoculate it or it'll get sick. If you're putting it out in a wild environment without protection -- and a suitably large organization is almost as bad as the internet itself -- you're just asking for trouble. The best way to prevent this is to patch it up to a useful level behind a one way firewall. An even better way is to update your corporate ghost image once a month so you're never more than 30 days behind in your patches.

      Furthermore, the days of aggressively testing patches should be over for everything but servers. Let your employees run autoupdates and if one of them does break your machines, roll it back. Servers are a special case, because if you lose the TCP stack on your mail server it's much worse than if Ted from Marketing loses his.

      Management doesn't want Linux because they don't want to lose days learning an alien operating system when they already have YOU to do the job of protecting them from viruses. What would you say if your plumber told you that to unclog a leak, you'd have to buy a new house?

      --
      Hey freaks: now you're ju
    3. Re:Weeks to patch by bankman · · Score: 5, Insightful
      I wrote a 70 page document explaining why we should switch from Windows to Linux. Management wouldn't even start to read it. This is what they get for their ignorance.

      This is a very typical mistake. Management, especially senior management does not read 70 page long pamphlets about a topic that they most likely don't understand.

      Write a very concise executive summary, comprising no more than two pages, outlining in easy to understand language why switching to Linux will be beneficial to your organisation. Emphasise cost and security and explain the interdependencies. Also explain the business freedom your organisation will gain (management decides when to make major changes to your infrastructure, not Microsoft etc.). Preferably get a colleague with an idea of management's language to help you with it.

      It's like every business pitch: First you get them hooked with what they really want, then you get the stuff in that you want.

      --
      I feel so sig.
    4. Re:Weeks to patch by Anonymous Coward · · Score: 2, Insightful

      I wrote a 70 page document explaining why we should switch from Windows to Linux.


      Maybe if you spent the time patching machines instead of writing propaganda your management would have more faith in your decision making skills.

    5. Re:Weeks to patch by Spoing · · Score: 4, Interesting
      I agree on the reasons why management doesn't want Linux. That and fear; they don't run it so they suspect it's major voodoo. Running a test system with a web app or two is like a camel's nose, though.

      1. A new computer is like a new baby. You need to inoculate it or it'll get sick. If you're putting it out in a wild environment without protection -- and a suitably large organization is almost as bad as the internet itself -- you're just asking for trouble. The best way to prevent this is to patch it up to a useful level behind a one way firewall. An even better way is to update your corporate ghost image once a month so you're never more than 30 days behind in your patches.

      I strongly disagree;

      Firewalls don't protect jack if ports are open client side within your network that shouldn't be.

      Infections can't be stopped by running virus scanners.

      Testing is very much necessary, as is customizing the desktop so that it doesn't have exposed interfaces. (Run a port scan or better yet Nessus. Know what's running and in most cases TURN IT OFF.)

      Baseline configuration is the way to go since you're at the mercy of the vendor's marketing team otherwise -- and marketing teams don't care about security, stability, or usefulness.

      When done with this, go back and work on tuning firewall(s) and routers. Split the network into parts that are isolated by function using the router; accounting should not be directly accessible from development or development from production.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    6. Re:Weeks to patch by phallstrom · · Score: 3, Insightful

      Couple of thoughts in a "windows world"...

      - as soon as your baby is born and put in the nursery with the other brand new babies... they would all be infected... where would you suggest we put the new baby right off the bat?

      - have you ever dealt with Ted from Marketing? I've found that if Ted is high enough up and he can't play solitaire then the sh*t is going to hit the fan pretty dang fast!

      - if a plumber, electrician, and carpenter told you that in the long run it would be a lot cheaper just to buy a new house instead of have them out every other day, wouldn't that make sense?

    7. Re:Weeks to patch by Spoing · · Score: 2, Insightful
      Have you seen the cartoon "Jackie Chan Adventures"? Think Uncle: "Firewall not important!" (You talk to Uncle now.)

      1. I get upset by slashdotters who argue "phantom" points

      That's not me. Check the thread again; here.

      If you pick on someone else's ignorance, do not get upset if the favor is returned.

      Your rant at the end about viri/viruses/... is the same nitpicking.

      The distinction between process and tools is bedrock; it's the single most important part. Your comments ignored it; you yourself gave the dumbed down 'use a firewall'.

      Specifically:

      1. What I said, paraphrased, was: "If you are head of an IT department charged with installing software on a new machine, a good idea is to place it behind a firewall with no open ports, to prevent worms from exploiting the vulnerable operating system while you patch it."

      "Firewall not important!"

      1. How you got from that that I was suggesting that a firewall is the only security you need, or that I was making any suggestion to home users, I have no idea.

      This:

      1. I was suggesting to put up the box behind a firewall appliance -- a cheap Dlink would do -- as the ONLY thing behind it. Put it on your installation bench sort of like a surge protector for viruses.

      Why bother with a cheap hardware firewall box for one machine unless you're talking about a home machine? (Isolate machines at the router and update from a trusted server that is read-only and exposed to the isolated segment only.) Home or corporate network, you've shot a degree of certainty by relying on a firewall to ensure security; "Firewall not important!"

      I'll match your rant: As for things that I'm sick of, one is being forced to deal with the apathy and 'it is good enough' attitude of people who are paid to know better.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  71. This is so frustrating by j-turkey · · Score: 3, Insightful

    It's funny how articles claim that the worm has caused all kinds of damages -- from banks to postal systems, to transit systems. The tone of the article seems to lay blame largely upon the worm itself. This is absolute horseshit. If users (and IT personnel) at these governments and places of business were responsible enough to do their jobs and ensure that computers were adequately patched, this problem never would have occurred.

    Furthermore, if personnel took a single iota of initiative by installing and maintaining a simple firewall -- these issues would have been far less widespread (although this can still be spread through a network via infected laptops brought in from a home network). The important thing here is that the creators of this worm, the IT groups who let this happen, and the individual broadband users affected really share blame for the spread of this worm. Let me use an example: if you live in a shitty neighborhood and you leave your door unlocked, you are partially responsible for some jerk breaking into your house -- sure, they broke the law, but you helped facilitate that.

    OK, one more topic to rant over then I'll STFU. I see a lot of Slashdotters blaming Microsoft for this problem -- saying that running Linux or xBSD would solve this problem. Bullshit, fanboys. I am a Linux/Free software advocate and that argument is absolute bullshit. Every once in a while, remote exploits are discovered for these Free products. Most of the time, patches for these apps are released right away -- faster than their commercial counterparts are able to react. The users will still need to be smart enough to apply the patch. Well, in this case, Microsoft's patch was available before an exploit was in the wild. The reason why this worm is so widely distributed is because the user base (and administrative base) is large enough that there is a large cross section of people who have no idea what they're doing.

    If Windows went away tomorrow and Linux became the de facto standard, we would have the same issues. All of those MCSEs who allowed this to happen will become RHCEs who will still allow something like this to happen. That certification doesn't make them any smarter -- bad admins are bad admins. Clueless users are clueless users, regardless of the operating system they use. It's easy to blame Microsoft for this, because they have deep pockets, a huge market share, and shady business practices -- but all code has bugs. Microsoft did the right thing; their user base just wasn't smart enough to do the right thing.

    --

    -Turkey

    1. Re:This is so frustrating by praxis · · Score: 2, Interesting

      "I'll think you'll find there are many companies and organisations whose IT staff are responsible and on-the-ball, but the shocking mess that is Windows, means that this crap beats them anyway. Honestly - I'm not one to bash Microsoft, but after this run of worms, I've realised that the state of OS security is inexcusable. Literally - there are no excuses for it, whatsoever."

      Do responsible and on-the-ball IT staffs use SMS to patch their workstations in case individuals forget? Do responsible and on-the-ball IT staffs use a domain policy to enforce firewall rules on individual workstations? Do responsible and on-the-ball IT staffs enforce the running of up-to-date antivirus software on each workstation? Do responsible and on-the-ball IT staffs use external firewalls, IDSes, etc.? Is there an excuse *not* to? Is it not due diligence on MSFT's part to release the patch (a month ago), supply a domain policy controlled firewall for each workstation, SMS servers for patch distribution, and leave it up to the IT staffs to deploy them properly? I think MSFT did its due diligence here, and the IT staffs of infected networks did not.

    2. Re:This is so frustrating by SlashDread · · Score: 2, Interesting

      I take offence at your remarks.

      - After 15 years of exp in the field, I DO have an iota. At least one for initiative.

      - We DO have a firewall.

      - We have an Auto-Update push server. It should have updated us last week, but who knows? SUS server reporting is crap.

      - We were hit, four laptops running XP. (They may have picked it up from outside, but they were surely spreading it inside.) A Citrix server BSOD'd from the patch.

      - Microsoft sells its products as if a 12 y/o can administrate it; knowledge, where it is needed, about security and firewalls is not properly taught.

      - MS admins generally are busy reinstalling laptops, updating MS office, cleaning up after McAfee detected Yet Another Virus.

      - MS is totally dominant on the desktop, which they don't mind, but it does help the speed at which worms spread.

      - These remote root exploits seem to often hit EVERY Windows flavour; that worries me. When will this cardhouse fold?

      - If you piss off enough people, people will push back. MS pisses off a lot of people.

      In essence, all this I blame on... well not me.

      Well, I learned one thing: personal firewalls on Windows are becoming a necessity.

      "/Dread"

  72. Old MainFrame Days.. by nurb432 · · Score: 2, Informative

    I used to work at a remote IBM shop years ago; you could tell the mainframe was down when you walked in the office and saw the people roaming the halls..

    It was 4 states away, nothing we could do about it, but have chair races and hit the vending machines...

    --
    ---- Booth was a patriot ----
  73. Two words.. Hardware Firewall by Nonillion · · Score: 5, Interesting

    If most users would quit being so cheap and buy a firewall appliance like a Linksys router, or (for the more savvy) build a Coyote Linux box, we wouldn't have half of these problems. I run Win2k, Solaris and SuSE Linux. The Linux box is the only one exposed to the net and hasn't been rooted/hijacked once in the three years it has been exposed. Running stuff like Zone Alarm is like giving a band-aid to someone who has a big gaping wound.

    --
    "I bow to no man" - Riddick
    1. Re:Two words.. Hardware Firewall by Luscious868 · · Score: 2, Insightful

      You simply have to do what I do on my home PC. Use ZoneAlarm for a firewall and Mozilla for the web browser and e-mail. If you're using Internet Explorer or Outlook Express and you don't have to, then you're crazy. OE is full of holes and I wouldn't trust any web browser that's integrated with an operating system for exactly the reasons you've mentioned. If you use ZoneAlarm at home, keep your system patched and don't use IE or OE, then you're perfectly safe.

  74. The patch kb835732 breaks oracle by Maliq · · Score: 3, Informative
    Here is the kicker: if you're running Oracle 8i to 9, when you run the patch it stops Oracle from starting. And the worm that is running around automatically fixing the problem doesn't check if you're running Oracle; could someone update that good bug to check??

    This is going to be a long day.

    1. Re:The patch kb835732 breaks oracle by djmurdoch · · Score: 2, Informative

      That patch also broke R (the open source stats package). We tracked it down to the fact that after installing the patch, the HOMEPATH environment variable is no longer set properly.

      Details here.

      By the way, we had a patch out to work around this bug within a couple of days. Open source is good.

  75. Re:Heard of a firewall? by MCraigW · · Score: 2, Interesting

    The company for which I work requires anything that ever connects to the internal network to have a personal firewall installed.

    We also require the installation of a service that installs various updates (Microsoft and others) after they have been approved by a team that installs and tests them.

    We have around 36,000 employees worldwide, and this virus hasn't affected us.

  76. Auto updates and quick patches by truthsearch · · Score: 5, Informative

    Autoupdates and immediate patching aren't options for large corporate networks. Patches often break existing applications. Even after extensive testing some patches have caused more problems than they fixed. Windows Update sends enough information back to Microsoft for them to determine what's installed on our private network, so we block it from running.

    It takes weeks to test a patch and push it out. Servers often can't be rebooted until weekends. Then there are users with special situations that require manual installs. It takes time to do hundreds of installs manually. It also takes time to get the patch onto the standard corporate "build" of Windows, so for a while new computers need the patch pushed out after logging into the network the first time, leaving a gaping hole for this virus to spread.

    1. Re:Auto updates and quick patches by Anonymous Coward · · Score: 3, Insightful

      Bah...like Linux or OS X or BSD or Solaris are any better. Nobody really has desktop patches down all that well, the users make the machines too personalized.

      Plus, any OS that has 95% of the desktop market is going to attract worm/virus writers, and I don't care how open or closed source the code is. If things were reversed and Linux had hundreds of millions of installs it'd be hacked to pieces. Even now I get all kinds of patches on my RedHat and SuSE boxes; it's no different than Windows.

      It's easy to maintain and patch 10K servers of any kind because you have control over everything. But any kind of desktop support is going to suck major a$$, regardless of the OS.

      In reality, computers just plain suck. They're still very young compared to, oh I don't know, combustion engines...the human body...the planet's ecosystems.

    2. Re:Auto updates and quick patches by coulbc · · Score: 3, Insightful

      Exactly right about breaking things. I found this patch broke Kerberos Authentication when double hop's are used. It broke a lot of our Intranet applications. Fortunately, we are firewalled and our internal MS machines were patched. I'm waiting on MS to resolve the issue so I can apply the updated patch.

    3. Re:Auto updates and quick patches by 7-Vodka · · Score: 2, Interesting
      What is worse? A few broken computers, or a r00t3d network?

      I think your priorities are wrong. Patch them, patch all the mofos on the day the patches come out. Do it automated if you have to. I wouldn't even care if my patching rebooted a computer while the luser was doing something on it. "If you wanted 5x9's of uptime you wouldn't have gone with Windows, now suck it up while I do the ritual that keeps this shitty OS semi-secure"

      If the patches break a few apps, then take the time to go fix them individually. If they do real damage sue the shit out of M$. Isn't that the usual attack on Free Software? "who do we sue when shit breaks?". Besides, no one ever gets fired for choosing M$ right? Instead of having a compromised network (IMHO 100X worse) you may have some borked apps. So tell people it's all M$'s fault, go fix them and at least your network is secure for now.

      That is until M$ holds onto a security hole for months without patching it and someone releases a worm first.

      And if you're worried M$ is spying on you, why don't you call and complain? Why don't you sue them? Oh yeah, that's right, it must be that legally-binding contract you have with them called an EULA which gives them all your base and the right to piss on you too. Have a nice day.
      --BOFH

      --

      Liberty.

    4. Re:Auto updates and quick patches by cavebear42 · · Score: 3, Interesting

      IT@large_corporate_network here.
      True, auto updates aren't good for business critical machines. Microsoft gives you 2 ways to do the updates: you could use the automatic updater and put up an update server so you can control what is updated. Alternately, you could use SMS.
      If it takes you weeks to do testing, you should consider a more standardized loadset. If you were using one, the 90% of the systems that can use that loadset could be tested in a few hours. If you have users requiring manual installs, there are options like patch management systems (I like HFNetChkPro by Shavlik) or putting the patch installer into the login script.
      On adding to the corp. build, you need a leaner process, I can get it up in about a week.
      For all of this, and the server reboots, let me remind you that the patch was 21 days before the worm.

      Also, why does this article act like the worm is a new concept?

    5. Re:Auto updates and quick patches by RhettLivingston · · Score: 4, Insightful

      In that case, you're just tough out of luck, because there have been plenty of exploitable Linux and OpenBSD patches in the last couple of years. In fact, if you're a server manager, you might look through Slashdot's history for the last year. Somewhere, there was an article pointing out that the majority of the actual server break-ins were not on Windows servers. After all, how could they be since there are so few Windows servers? People breaking into servers are more than happy to encounter an unpatched Linux or OpenBSD machine.

      I've got both Windows and Linux machines and have them both fully autoupdating. The only time I've ever had anything "break" due to autoupdating was when one of Microsoft's patches about a year ago caused machines running Norton Antivirus to slow down in some activities. Yes, 4 or 5 years ago when NT was the game, it was different and the patches tended to bite you. But it hasn't been that way for a long time.

      Overall, I'd say the risk of a patch breaking something on your specific machine (as opposed to a few random thousand of the 100s of millions out there) is much lower than the risk of a virus hitting you while you're "testing" the patches.

      I think that the real driver for people using your excuse for not patching is one of responsibility shifting. If you don't patch and get hit by a virus and it's not an extreme case like taking more than a year to patch, you can whine about MS even though it was really your choice to bet the farm on 10:1 odds just because whining about Microsoft is a popular thing. If you do patch and you encounter that more rare condition that the patch busted you, you'll catch hell for patching without testing. So, not patching is the safer bet for you; patching is the safer bet for your machine.

      If you don't believe me, Google around for articles about patches breaking machines versus articles about viruses breaking machines. I think you'll see that some of the latest viruses and worms hit in the many millions, whereas the problems experienced from patches hit in the many thousands or are not completely debilitating.

    6. Re:Auto updates and quick patches by RobFrontier · · Score: 2, Insightful

      I work for a global top 50 company, and they quickly realized that we needed a strategy for securing our environment within a few days of patches being released. Our WINTEL group tests the patch for 2 or 3 days in a production environment, then sends it to a pilot plant who tests it for a day, then it's released to everyone else. Is it a pain to have to patch all our machines on a deadline in a production environment? YES. Does it work? YES. It can be done in a relatively short period of time in a very large production environment. Is Windows the greatest thing since sliced bread? NO. But we have to use it so we cope.

    7. Re:Auto updates and quick patches by crotherm · · Score: 2, Informative

      Is The Boeing Company large enough for you? The admins have been running around patching like fools the past few days either by hand, or an SMS push.

      Ever since the company got owned by the Slammer virus, they have been very proactive in mandating patches.

      Of course, as soon as a patch breaks something..... :)

      --
      "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
    8. Re:Auto updates and quick patches by gnuman99 · · Score: 2, Funny
      Servers often can't be rebooted until weekends

      Are we talking about the same Windows here? :)

      Last time I checked, they almost rebooted by themselves. ;)

    9. Re:Auto updates and quick patches by llefler · · Score: 3, Interesting

      Overall, I'd say the risk of a patch breaking something on your specific machine (as opposed to a few random thousand of the 100s of millions out there) is much lower than the risk of a virus hitting you while you're "testing" the patches.

      That hasn't been our experience here. Less than a year ago we specifically put together a plan for staged rollouts of patches. It started with a get tough plan to make sure all servers were up to date, followed by several applications on all of our middle tiers working erratically. It took a week for the programmers of the affected apps to get the problem fixed and working reliably. Things were starting to get a little ugly and users were not happy. Result: we have three stages of rollouts; test systems, first half production, last half production. None of which install automatically.

      I wasn't affected in that case, but I have had MS 'fixes' break critical systems. A while back a 'fix' of the generic text printer driver caused it to eat the first character of each line. Barcode printers stopped working. And no barcodes, no shipping. Spent a day finding it, added a sacrificial space to each line, system is back online. A year later, MS fixes the 'fix' and the driver is working correctly again, but now the printers are choking on the extra space. Pull our fix for their 'fix', and our systems are back in a couple hours. But only because I remembered the previous problem and work around.

      As to timeframe; it takes time to test complicated systems. Add to that the effects of the economy and companies are expecting more from fewer developers. So we have to balance our time between business requirements and testing MS patches. Being late installing a patch doesn't show up on my annual review; missing development deadlines does.

      As far as getting hit; we don't get hit very often. Today is the first case of an infected server that I can remember since Code Red hit our website. We have up-to-date scanning on our systems, SUS for desktop patches, email scanning, and properly configured firewalls.

      Today we are fighting with a variant of a worm that isn't being detected by our scanners. But also doesn't appear to be using a vuln fixed by any patch. But that's a problem for Operations; developers are coding today, not chasing MS bugs.

      --
      It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman
    10. Re:Auto updates and quick patches by mpe · · Score: 2, Informative
      Bah...like Linux or OS X or BSD or Solaris are any better. Nobody really has desktop patches down all that well, the users make the machines too personalized.

      What you are missing is that with unix type systems there are clear distinctions between what is "Operating System" and what is "Application" (as well as "user" and "sys-admin"). Whereas with Windows things are quite deliberately intertwined.

      Plus, any OS that has 95% of the desktop market is going to attract worm/virus writers, and I don't care how open or closed source the code is. If things were reversed and Linux was had hundreds of millions of installs it'd be hacked to pieces.

      This explains why IIS is more commonly attacked than Apache, even though IIS is a minority webserver. Possibly even more important than numbers is how "attackable" a platform is and how "malware friendly" it is.

      Even now I get all kinds of patches on my RedHat and SuSE boxes, it's no different than Windows.

      It's a lot different from Windows. The typical Linux distribution contains a huge amount of software, which in many cases includes several alternatives for the same function. As well as many pieces of software which will only be installed on a few machines. Designing a worm which will "work" is several orders of magnitude easier with the homogeneous Windows population than the heterogeneous Linux population. Even the "Redhat", "SuSE", "Debian", "Gentoo", etc. populations are likely to be far more diverse than the Windows population.

      It's easy to maintain and patch 10K servers of any kind because you have control over everything. But any kind of desktop support is going to suck major a$$, regardless of the OS.

      It matters a lot if you are dealing with a "workstation" class of operating system or a "personal computer" class of operating system. Just because Microsoft have tacked "workstation" onto the name of their product does not mean that it is a workstation OS. Single user, personal computer design assumptions are still there in Windows and a lot of Windows software, e.g. that which requires the user to have administrator privs to even run...

    11. Re:Auto updates and quick patches by aztracker1 · · Score: 3, Insightful

      This explains why IIS is more commonly attacked than Apache, even though IIS is a minority webserver. Possibly even more important than numbers is how "attackable" a platform is and how "malware friendly" it is.

      IIRC, the original IIS exploits came from a legacy ISAPI that was there by default... also, the follow-ups were exploiting holes the originals had created...

      I usually remove any unused ISAPI filters as one of the first things on an IIS machine, as well as bringing patches to current.

      Designing a worm which will "work" is several orders of magnitude easier with the homogeneous Windows population than the heterogeneous Linux population.

      It's also easier to write GUI software that will work on 99.99% of all Windows 98 or higher installations without extensive tweaking than it is to get it running on even 50% of Linux installations. Especially if sound is a requirement.

      --
      Michael J. Ryan - tracker1.info
  77. Re:M$ - First Post? by BlackHawk-666 · · Score: 2, Informative
    We will start to see the same sorts of problems I suspect, but the damage will be more limited, most likely only to the user(s) who fell for the hack if it's a social engineering attack. To help mitigate the problem we need distros to be careful in how they provide the default setup, i.e. use Mozilla instead of IE, built in firewall on each machine using IPTABLES but with a nice interface like ZoneAlarm or similar. Then, as long as the mail client (I like KMail, but most are pretty damn good) is *not* script enabled, it will be down to good old buffer overflows to work their magic. Oh yeah, not installing services unless requested would also be smart, and then perhaps using IPTABLES or hosts.allow to keep the consumers of the services just down to the local private subnet should do the trick for most stuff.

    Finally, make sure they use apt-get or similar to automatically update their machine. This could be configured at install or afterwards as the user grows to know their machine. A default install might be to download all security patches and install with only a confirmation from the end user. A power install would just get the patches, but not install until instructed.

    --
    All those moments will be lost in time, like tears in rain.
  78. How Come These Things Are Not REALLY Bad by theManInTheYellowHat · · Score: 5, Insightful

    OK, this Sasser worm can install itself, open a few ports, serve files as an FTP daemon, place itself where it pleases, and gobble up your network.

    Other viruses do all sorts of nasty things, but they all seem to stop short of REALLY bad things. Search for files they can delete, look for a network drive and have their way, find interesting files and mail to random people, rename this or that to render the machine useless.....

    To me this seems very strange. Is there some kind of virus writers' code that has some small bit of ethic? Is there some underground society that meets the 3rd Wednesday to discuss safe virus exploits? Does Microsoft create these things to get people to upgrade? Maybe McAfee and Norton are funding them and they just want a profitable year?

    Now I am not asking for this kind of damage, but as my boss points out he has no reason to switch to anything more secure because nothing really bad happens.

    1. Re:How Come These Things Are Not REALLY Bad by simetra · · Score: 3, Interesting

      I wonder the same thing. It's probably only a matter of time before one is written that deletes files. Just think, if one scanned a drive and deleted .doc, .mdb, .xls, .ppt, .zip files. Just imagine how bonkers the suits would go.

      --

      "Would it kill you to put down the toilet seat?" -- Maya Angelou
    2. Re:How Come These Things Are Not REALLY Bad by advocate_one · · Score: 2, Informative

      been done before... the "I LOVE YOU" one replaced *.jpg files with *.jpg.vbs copies of itself that became activated when the user tried to view the file. Our tech publishing house had a very close call when a manager's laptop was connected to the admin share... only those images (just clip-art) on the admin share got clobbered cos that manager didn't have write access to the graphics department's share.

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    3. Re:How Come These Things Are Not REALLY Bad by theCat · · Score: 4, Interesting

      We're still in the "hobbyist" phase of virus creation. Folk do this for the same reason that people used to write their own software: because it is l33t. We have recently seen some more "applied" virus writing, as when a virus sets up a zombie computer for spam uses later. Or even, when one virus goes after another.

      Now imagine a real "virus industry". There would be serious R&D, business plans, virus development models, project management, the works. Probably even some code QA and testing. Why? Because there would be money in it. Don't know what the money would be, but if there were to be some then the "virus industry" would emerge overnight.

      The idea that a virus could be stealthy (or clever) enough to avoid detection and just sit around on infected PCs is part of the transition from hobby to a business. I've been noticing that already there is a sort of "dark Internet" of zombies that can do pretty much whatever someone needs them to do, enabled by viruses. Aside from spam, here are some other uses for those machines:

      -- set up virtual casinos that dissolve instantly when the vice cops arrive.
      -- set up distributed supercomputers for unlawful uses, like cracking access codes or breaking IPSec packets
      -- have zombies not only monitor their users, but via something like ethereal monitor the broader Internet for traffic within their subnet. Imagine Carnivore on crack, and in the hands of the Mafia.
      -- use zombies to launch focused, sustained DDoS attacks against adversary nations
      -- use zombies as advanced positions to launch new rounds of virus outbreaks with split second timing and absolute accuracy, in this way overcoming most defensive responses in the first 15 seconds. Build a newer, stronger zombie network each time. Slowly take over the Internet. ...

      Profit

      It's coming, people. You know it and I know it. Every habitat has its unseen underbelly, its fetid swamp, its decaying compost, and the Internet is about to get its own sewer system, full of rats and disease and decay.

      Will we care? Nope. It will just be there and we'll eventually learn to live with it, or use it to our own purposes.

      --
      =^..^= all your rodent are belong to us
  79. Re:Remote Desktop vs. VNC? by gregarican · · Score: 2, Informative

    Remote Desktop Connection encrypts the data transmission. Similar to using MPPE/PPTP for a VPN connection to a Windows host. VNC by itself doesn't encrypt data transmission. You can tunnel VNC through an SSH connection to do this, however. But straight out of the box I would say RDC is your more secure alternative.

  80. Trend Micro Damage Cleanup by Fez · · Score: 3, Interesting

    A tool that I use quite often seems to go ignored time and time again.

    Trend Micro Damage Cleanup is a free after-the-fact cleanup tool that will fix just about any virus (As long as the pattern file is downloaded...) It scans drives, registry, etc. The only drawback is that it's quite large (The pattern file is ~8.5MB and the Scanner is ~1.6MB).

    It blows Norton's one-fix-per-virus tools away, except from a portability standpoint. Also helps make sure you don't leave other viruses behind. (Did I run the Netsky.QZX removal tool, but not the Netsky.ZZB one?)

    Yesterday it found 530 copies of Agobot (3 Variants) and Sasser.B on one person's PC.

  81. Re:Windows only by Tin+Foil+Hat · · Score: 4, Informative

    PS: Tried fooling the script at the Windows Update site by changing browser identification, but this only prevented the thank you message; it didn't allow me to download the patch

    That's because Windows Update installs via an ActiveX object. Only IE can run that. You probably downloaded the ActiveX object, but since it can't run without IE, it didn't download the update. If you need to download the update separately, check out the administrator section of Windows Update. MS provides all updates as a separate download that you can burn to a disk and install that way.

    --
    No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
  82. Re:Windows only by commo1 · · Score: 5, Insightful

    I think you've missed the point.

    1: There ARE more web servers out there running Apache than anything else. So, why is it that there is an unbalanced proportion of these boxes remaining intact and with 99% (sic) uptime than the Windows boxes?

    2: Apache runs properly with fewer system resources, hardware and preventative maintenance than Windows. Set & forget, to a great extent.

    3: One of the main reasons that many corporate/commercial servers are still running IIS is because of the ease of use in integrating MS SQL and specific data export services from what the desktop is running: Windows. If, from your average net admin's perspective, they could easily and definitively state to their bosses that they could run a given database server on Apache for X dollars instead of on MS for XXX dollars, they would do it. It is difficult for the admins on two fronts: a) persuading their employers that a free product could possibly outrun what the so-called market leader has provided, and b) if something goes wrong, fewer heads will roll if they're using MS instead of a "free", "open-source" product that, in the eyes of their employers, was a gamble to start with.

    This will all change VERY soon.

    It's all a mind game....

  83. Re:Heard of a firewall? by KevinKnSC · · Score: 2, Insightful
    If you fire anyone, please fire the laptop-owner.

    How about firing the genius who lets laptops connect directly to the internal network? It's a laptop, the whole point is that it's portable. It should be assumed that it will be taken somewhere else and connected to untrusted networks. At your facility, you should connect laptops to a purgatorial network between firewalls, so that they're protected from the outside world but don't have unrestricted access to everything on the inside. It's just common sense.

  84. Re:M$ - First Post? by Oxy+the+moron · · Score: 3, Insightful

    My point wasn't that M$ has absolutely no guilt in the matter. You bring up a good point by comparing the issue to driving. BOTH parties are responsible for using the product correctly and safely.

    The manufacturer should make every effort they can to ensure the product works 100% out of the box. If you know full well that your Ford Explorer has tires that blow up on impact, you should not sell the product with those tires. In the event that you did so accidentally, you should make the public very aware of the situation and attempt to rectify the problem. Now, Microsoft has done reasonably well on the second account (a patch was/is available) but not so much the first. I think that having something similar to a "recall notice" for Windows OS that is very public could be a step in the right direction.

    However, it is also the job of the consumer to be educated in their use of the product. A Ford Explorer is perfectly capable of towing a boat, but Ford does not necessarily include the right tools to do so. It may have the hook thingy in the back of the body (pardon my lack of vocabulary) but if you try to tow the boat behind with a rubber band, it is not Ford's fault you were uneducated about that decision. In the same way, Windows is perfectly capable of being an OS that can be connected to a network to transfer data. But if you decide to do so with a DSL modem that has no firewall, that is not Microsoft's problem. In that regard, MS has made the attempt to educate their user base (link) , but it is up to the consumer to read and educate themselves at that point.

    When this worm could have been stopped very easily with a properly configured (and inexpensive no less!) firewall, I find it hard to pin all the blame on MS.

    --

    Proudly supporting the Libertarian Party.

  85. Aren't worms good for the soil ? by RLW · · Score: 2, Insightful

    If my computer was a flower bed it would have the biggest and brightest flowers on the block. But instead I have to patch the OS time and time again. If it were a boat it would be nothing but overlapping patches; at least it would make a great anchor. Something's got to give. I can't have a system that keeps crashing, or waiting for patches which may be worse than the disease, and then praying that the system works and that whatever it was didn't kill anything important. Sigh, :-(

  86. Broken vs. rooted by truthsearch · · Score: 3, Interesting

    First, I didn't choose Windows. I recommended Linux and/or BSD with a 70 page research document to back it up. Management ignored it. Second, I'm a developer, not an admin, so I have no say in the patching process.

    As a developer I can tell you that when a patch goes out that breaks an existing corporate app, execs get furious at the developers. If I write application X then any time X doesn't work it's my fault. No matter what, the apps have to work. The multi-billion dollar corporation comes to a halt if the fundamental custom apps aren't working. A problem caused by a patch from Microsoft can't always be resolved by adjusting code in our apps. Management cares a lot less if we're rooted because at least business can continue.

    Of course I think Microsoft should be sued for some of the problems we have. I don't think everything in the EULA will hold up in court in every state. But it's not my decision. And I also agree management has no one to blame but themselves for sticking with Microsoft. They get what they deserve. All I can do is write the best apps I can and get paid for it.

  87. Reverse FUD by E-Rock · · Score: 3, Informative

    It's bullshit and you know it. One of the April 13th patches funged IE, and within a week there was a follow-up patch, that still leaves you two more weeks to patch.

    What else did it break? Nothing?

  88. Horray for Roadrunner. by llzackll · · Score: 2, Informative

    Ever since last year, Roadrunner has been blocking inbound ports 135, 136, 137, 138, 139, 445, 520, 593, and 1026 in most areas. They learned their lesson from the Blaster worm. Why other ISPs haven't done the same thing amazes me. Unlike most of you, who deal with corporate networks, I have to deal with the public on this. I must have removed this worm from at least 40 PCs yesterday. Most of them were users of Verizon DSL or MSN. None of them who had Roadrunner were infected.
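
    The port list in the post makes a handy detection rule as well as a filter rule. The script below is an added example, not part of the thread: it parses constructed firewall log lines (the "action= proto= src= dst=" layout is hypothetical, adapt parse_line() to your own edge device), flags any source that touches one of those ports on several distinct hosts, and lists worm-port packets that were allowed through, i.e. segments where the filter was never applied.

```python
"""Spot hosts sweeping the RPC/NetBIOS/SMB ports listed in the post.

Added example, not part of the original thread. The log lines and their
"action= proto= src= dst=" layout are constructed and hypothetical; adapt
parse_line() to the format your own firewall or ISP edge router emits.
"""
import re
from collections import defaultdict

# Inbound ports the post says the ISP filters.
WORM_PORTS = {135, 136, 137, 138, 139, 445, 520, 593, 1026}

LINE_RE = re.compile(
    r"action=(?P<action>[A-Z]+) proto=(?P<proto>[a-z]+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def worm_port_hits(lines):
    """Yield parsed records whose destination port is in WORM_PORTS."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in WORM_PORTS:
            yield rec


def find_sweepers(lines, min_targets=3):
    """Sources that hit a worm port on at least min_targets distinct hosts.

    One host talking SMB to its file server is normal; one source touching
    445 on many addresses in a row is scanning behaviour.
    """
    targets = defaultdict(set)
    for rec in worm_port_hits(lines):
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


def unblocked_hits(lines):
    """Worm-port packets the filter let through: gaps in the block list."""
    return [rec for rec in worm_port_hits(lines) if rec["action"] == "ALLOW"]


# Constructed sample: 10.0.0.5 sweeps port 445 across four customer hosts,
# 10.0.0.9 fetches a web page, 10.0.0.7 reaches one host on 139 because
# the filter was not applied on that segment, 10.0.0.8 is dropped on UDP 137.
SAMPLE_LOG = [
    "May 02 03:14:01 edge1 action=DROP proto=tcp src=10.0.0.5:3213 dst=192.168.1.10:445",
    "May 02 03:14:01 edge1 action=DROP proto=tcp src=10.0.0.5:3214 dst=192.168.1.11:445",
    "May 02 03:14:02 edge1 action=DROP proto=tcp src=10.0.0.5:3215 dst=192.168.1.12:445",
    "May 02 03:14:02 edge1 action=DROP proto=tcp src=10.0.0.5:3216 dst=192.168.1.13:445",
    "May 02 03:14:03 edge1 action=ALLOW proto=tcp src=10.0.0.9:4411 dst=192.168.1.10:80",
    "May 02 03:14:04 edge1 action=ALLOW proto=tcp src=10.0.0.7:1029 dst=192.168.2.20:139",
    "May 02 03:14:05 edge1 action=DROP proto=udp src=10.0.0.8:1029 dst=192.168.2.21:137",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for src, hosts in find_sweepers(SAMPLE_LOG).items():
        print(f"sweep from {src}: {len(hosts)} hosts, first {hosts[0]}")
    for rec in unblocked_hits(SAMPLE_LOG):
        print(f"unfiltered worm-port traffic: {rec['src']} -> {rec['dst']}:{rec['dport']}")
```

    The min_targets threshold is deliberately low for the sample; on a real edge router raise it, and count distinct destinations rather than packets so that a legitimate host retrying against one server is not flagged.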

  89. And (wait for it)...patch breaks the computer! by stuntpope · · Score: 5, Funny

    I got a laugh when our security team sent out an update to their vulnerability notice for Sasser (doesn't affect my servers, hehe).

    "[We] have learned of issues loading the Windows 2000 patch in MS04-011 when complying with [vulnerability ID].... systems can stop responding, users cannot log on to Windows, or CPU usage for the system process approaches 100 percent after installation of the security update. Additionally, [we] have heard that some systems may require a complete rebuild once the patch causes system to crash."

    And the kicker, "Systems Administrators are advised to proceed with caution when patching Windows 2000 systems." Um, how exactly does one do that, with one hand on the power cord, or click the install button very slowly? Does applying the patch warn you "About to hose your system, proceed?"

  90. Re:M$ - First Post? by List+of+FAILURES · · Score: 4, Insightful
    The fact is, we need an educated user base.

    You speak the truth. However, as always, the car:computer analogy fits here. If you think about what you need to know to use a car, it's not very complicated. There is a core set of knowledge that you need:

    1. Operational (How to turn it on/off, put it into gear, brake, accelerate, speed, re-fuel, etc...)

    2. Navigational (How to get from point A to point B. Understand traffic flow and direction. Read signs and street lights, etc...)

    That is the bare minimum you need to drive a car. Many people these days seem to just barely know (or care) about any of that. In addition there is extended knowledge:

    1. Maintenance (Get your oil and filters checked/changed. Tune-ups. Fluid checks. Cleaning.)

    2. Enhancement (Learn more about your engine to get it performing to the best of its abilities. Understanding the interaction between your car's tires, the road and aerodynamics to get the most out of your car)

    3. Interior/Exterior Decor ("Trick Out" your car and add high performance with stickers, spoilers, tailfins and fartcans. Make sure your stereo can tip off Richter scales for miles around, etc...)

    Very few people ever get to that level of knowledge. There really isn't any real reason for "Joe Average" to get there. But as far as the core knowledge goes, would you want someone out on the road who can't read directional signs, doesn't understand the concept of direction (N, E, S, W) or speed limits? Trust me, I see people on the road every day who appear to be lacking these basic skill sets and they are largely responsible for the accidents we see regularly.

    Apply this to computers, and you can see that we are, indeed, in a sorry state by comparison. Again, there is a core skill set that a computer user SHOULD have to be fairly competent. But it's much more complex than what is required for driving a car:

    1. File System - An understanding of how files are organized in an OS is very important at this point. It's a LOT like knowing how to read a map and get from point A to point B. Sadly, most users DO NOT have this skill set. In the interest of being "user friendly", applications like MS Office have attempted to abstract where files actually are located. This harms the user because if MS decides to change the location in a new version of the OS or program (My Documents has moved from where it was in NT 4.0 compared to Win2K and WinXP for example) then the user may think their documents are "gone". Tools like "Find Files" aren't any better at helping either because the user will ignore the path and just double click the file to have it open in Word. Or worse, there will be a "shortcut" in the "Recently Used" section of the Start Menu. I ask you, would you set up a physical filing cabinet this way with post-it notes in folders saying "This file is in Cabinet 35, Drawer B, Divider 2, Folder 12"? Shortcuts (and sometimes symbolic links in Unix) are a BAD IDEA.

    2. File Types - One of the worst things about most OSes (Macintosh pre and post OS X excepted) is the non-existence of standard file types. Part of this is due to the fact that file types and data types are a moving target. HTML files didn't exist in 1984, so a Macintosh from back then would not have had a built-in association with an application that could read them. In the Windows world, the association between application and file was (and can still be) a manual procedure that will perplex most users. Considering how much data and file types come and go and change, I am still wondering why there is no DNS type of system for file types that any OS worth its salt would hold to. Imagine... a central DNS-like repository that holds a database that an OS queries: "I have a file with the following type: x-application-doc. What applications should I use?" The server responds to the OS: "mswin-winword.exe, mswin-soffice.exe -writer, generic-unix-soffice, linux-kword, multiosapp-abiword". Then the l

  91. Re:Destructive Virus? by praxis · · Score: 2, Informative

    The patch has been available for a month, and the built-in firewall prevents it too. Two layers of defense. Did they not do their due diligence? And don't give me the "there shouldn't be bugs in the first place" because as anyone who writes code knows, there are always bugs.

  92. Re:Australian politician weighs in on the topic by MCraigW · · Score: 3, Funny


    An interesting quote from that article: "Experts agree that Linux computers are not as susceptible for a number of reasons including clear separation of functions like email and applications so that hostile code cannot be run without significant user intervention;"

    It seems to me that non-hostile code cannot be run without significant user intervention either.

  93. Same thing. by wantedman · · Score: 2, Funny

    If a business critical application is broken, you might as well be r00ted.

    Boss: "Why is everyone sitting around?"
    Me: "Well, the patch broke an important application, so no work can get done, but at least our documents are safe!"
    Boss: "Great! Have some more stock options!"

  94. Windows ROI by webzombie · · Score: 2, Insightful

    Okay, I just finished reading most of the posts regarding RedHat's return to the desktop and this post just f@#$'n kills me.

    MS spurts and spouts about ROI and "real" costs, yet nobody seems to be able to add up the real dollar impact of these almost daily security issues and breaches that are bringing businesses to a screeching halt!

    It's almost like the current US administration. You know... if we say it often and loud enough they're bound to start believing us... unfortunately I think up until now MS has been successful at convincing most that its security woes are the fault of script kiddies, terrorists and the like, and is probably reassuring the big ones that once their "Trusted Computing" solutions are implemented all will be right in the "free" world again.

    If Linux has a real chance it will be in the next 2 or so years so the "community" better get its ass in gear and start making a demonstrated effort to capture the hearts and minds of the desktop users who were one of the biggest reasons Windows 3.0 was adopted by the business mainstream... remember!

  95. Patch 835732 also breaks Perl Authen::NTLM module by aspeer · · Score: 2, Informative
    Have a Perl program that uses NTLM to authenticate to an IIS server and download pages ? Prepare for it to break when the IIS server has the above mentioned patch installed, if your app used the CPAN Authen::NTLM module.

    See Google thread here for further info, and possible fix.

    My biggest hassle is not distributing the patches, it is the fact that they do not become effective until the machine is rebooted. Some people leave their machines on for weeks at a time without rebooting, and until they do so their machine is vulnerable.

    Try to force a reboot, then sit back and listen to the whining about "lost an all-night experiment" or similar. I am somewhat of a BOFH and would like not to give users a choice, but management wants a softly, softly approach.

    So Microsoft, to try and keep both of us happy, how about getting patches to at least hook (intercept) the vulnerable system call at install time, acting as a shim to filter out exploits, even if it means slowing the machine down slightly. Then at next reboot time install and activate the fully patched replacement DLL.

  96. in our case? a broken network. by RMH101 · · Score: 4, Interesting

    we collect data from clinical trials, and we do so in a validated manner as we're inspectable by the FDA. i'd rather disconnect our LAN from the WAN and work with reduced functionality than just patch the servers willy nilly and break our validation. we can't apply *anything* without formally testing it as it could potentially affect data. it's fine if you're just doing bogstandard file'n'print, but for other stuff you can't just go installing patches that may or may not impact production systems.

  97. Huh by panic911 · · Score: 2, Insightful

    unlike a virus which travels through e-mails and attachments, spreads directly from the internet.

    I hate to nit-pick, but Email I think is classified under "the internet". Does he mean via http?

  98. Two huge gaping problems by Aslan72 · · Score: 5, Informative
    Sasser.d attacked our University last night and we noticed two particular things.

    1) Several groups were relying on SUS in order to get those patches distributed. If you go into SUS, the patches were 'approved' on one screen, not on the other. I wasn't alone in seeing this. Suffice to say, I was also a bit shocked when it started to blow through and none of my machines were protected.

    2) When it installs (sasser.d) it writes itself to 'System Volume Information' - allowing it to not get caught by NAI's on demand scanner, and re-infect the box if you don't do a C drive scan manually.

    --pete
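
    The second point above is a classic exclusion gap: a scanner configured to skip a directory never sees what is dropped there. The script below is an added example, not part of the post and not a substitute for an AV engine. It identifies executables by the PE "MZ" magic rather than by extension, and takes the exclusion list as a parameter so the gap is visible: with "System Volume Information" excluded the planted file is missed, with no exclusions it is found. The directory tree, file names and the "dropped" file (two magic bytes plus padding, not code) are constructed in a temp directory.

```python
"""Find executables in directories an exclusion-based scanner would skip.

Added example, not part of the original post and not a replacement for an
AV scanner. Files are recognised by the PE "MZ" magic rather than extension;
the exclusion list is a parameter so the gap is visible. The tree is built in
a temp directory and the "worm copy" is two magic bytes plus padding.
"""
import os
import tempfile


def is_pe_file(path):
    """True if the file starts with the DOS/PE 'MZ' signature."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def find_executables(root, excluded_dirs=()):
    """Relative paths of PE files under root, pruning excluded directory names."""
    excluded = {d.lower() for d in excluded_dirs}
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place, exactly as an on-demand scanner with an exclusion
        # list does: nothing under a pruned directory is ever opened.
        dirnames[:] = [d for d in dirnames if d.lower() not in excluded]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_pe_file(full):
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def build_sample_drive():
    """Constructed stand-in for the C: drive with a dropped file under SVI."""
    root = tempfile.mkdtemp(prefix="fake_c_")
    svi = os.path.join(root, "System Volume Information")
    sys32 = os.path.join(root, "WINNT", "system32")
    os.makedirs(svi)
    os.makedirs(sys32)
    # Hypothetical file names; the "dropped" file is just an MZ header plus padding.
    with open(os.path.join(svi, "dropped.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)
    with open(os.path.join(sys32, "legit.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("plain text, not a PE file\n")
    return root


def demo():
    """Return (names found with no exclusions, names found with SVI excluded)."""
    root = build_sample_drive()
    full = [os.path.basename(p) for p in find_executables(root)]
    partial = [os.path.basename(p) for p in
               find_executables(root, excluded_dirs=["System Volume Information"])]
    return full, partial


if __name__ == "__main__":
    full, partial = demo()
    print("full scan:", full)
    print("with SVI excluded:", partial)
```

    On a real NTFS volume the System Volume Information directory is ACL-restricted to SYSTEM, so a scan that is not running as SYSTEM (or that has not been granted access) silently skips it just as an explicit exclusion would; check the effective permissions before trusting a "clean" result.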

  99. Because virus writers are not subtle enough... by alispguru · · Score: 3, Informative
    A "really bad" worm would:

    spread fast for the first few hours or days, until it saturated the vulnerable population, then cut way back on network traffic and hide.

    not crash machines or trash all their files - instead, it would slowly and subtly modify user data files (see here for a few suggestions).

    Imagine what would happen to modern business if they discovered that they couldn't trust any document that had ever touched a Windows machine... the world's economy would grind to a halt. Not even Microsoft has enough money to pay damages for an event like that, though the combined law firms of the world would try to get it from them.

    --

    To a Lisp hacker, XML is S-expressions in drag.
  100. Re:Firewall for Win2k? by gregarican · · Score: 2, Informative

    Windows 2000 has firewall protection built-in. It's not enabled by default, which is a shame. But anyway, go into the Properties of the Local Area Network Connection. Then click on TCP/IP Properties. Then click on the Advanced button. There you will see under the Options tab a TCP/IP Filtering option. That is where you can open or close any TCP/UDP ports you want.

  101. Re:in our case? a broken network. by Aetrix · · Score: 4, Interesting

    I also work with clinical trials and the FDA breathing down my neck. My office is all running Macs. Intentionally. We knew that the small functionality loss from "going Mac" would be much much less than the horrific security problems unleashed on the Windows World.

    --

    "One touch of Darwin makes the whole world kin." George Bernard Shaw
  102. Suing Microsoft for incompetence? by BigBlockMopar · · Score: 4, Insightful

    Of course I think Microsoft should be sued for some of the problems we have. I don't think everything in the EULA will hold up in court in every state. But it's not my decision.

    Okay. How about those people who don't even run Windows and therefore have no part in the EULA? Their networks are being ground to a halt because of flaws in Microsoft software and their patching process, as infected machines attack them.

    Analogy: car company X builds cars with defective brakes. You didn't buy that car. Your wife and children are driving home from shopping and someone driving X's car runs through a red light because he can't stop, and plows into the side of your wife and kids. Now, not that I'm overly litigious, but there's a time and place for companies to be held responsible for the damage caused by their poor products and designs.

    Who do you sue? The guy driving the car with defective brakes, or the company that has a pattern of time and time again making defective products?

    --
    Fire and Meat. Yummy.
  103. Risk of applying patches by BigBlockMopar · · Score: 2, Interesting

    If you don't believe me, Google around for articles about patches breaking machines versus articles about viruses breaking machines. I think you'll see that some of the latest viruses and worms hit in the many millions, whereas the problems experienced from patches hit in the many thousands or are not completely debilitating.

    Great! You can explain that to my boss when 500 out of the 600 users in my organization are unable to work because a Microsoft patch broke one of our servers and everything has to be reinstalled from scratch and incremental backups, only to be hit 5 minutes later by the very worm we'd applied the patch against!

    Recovery from that - conservatively, a day. Conservatively. Now, these 500 people are out of work for a day, but they're salaried... lawyers, Judges, court reporters, clerks. The average salary is probably $75,000 in this organization. That's about $300 per day per employee, or $150,000 in damages. Never mind the fact that we have to run on set schedules or else other bad things happen. I can't take that risk, even if it's 1 in 100, before I click on that little Windows Update icon.

    Theoretically, of course, the patch shouldn't do anything but fix the poor bounds checking in some DLL or something - just replace the DLL with a corrected binary. But if you've ever applied a patch, you *know* they play with all sorts of other things. We run Novell, and I've used Snapshot on PCs before and after applying what should be very simple patches, only to find dozens of files and unrelated registry keys have been changed. Microsoft clearly does other stuff in patches - quiet fixes of other problems which haven't been publicized, adding DRM software, I don't know, but you can only guess at their motives - and how long until one of those breaks one of my production servers?

    No, man. I need to be able to look at a patch and know exactly what it does, so that I can tell in advance if it's going to break something. I need the diffs between the patch and the original source so that if it does break something, my developers can immediately know what changed and how to work around it. I need to be able to apply them individually without requiring a reboot of the server, just a restart of the daemon (ahem... service) in question.

    And I ain't gonna get any of that from Microsoft. But, unfortunately - and it wasn't my decision - this server is running Windows 2000 Server, and the best thing I can do is hope that there's no e-mail borne version of the worm to get it into my LAN.

    --
    Fire and Meat. Yummy.
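
    The before/after comparison the poster ran with Novell Snapshot is easy to reproduce for a file tree. The script below is an added example, not the Snapshot tool and not Microsoft's: it records (size, SHA-256) per file, diffs two snapshots into added, removed and modified paths, and runs the whole thing against a constructed toy tree in a temp directory, where a stand-in "patch" replaces one DLL, drops an extra file and deletes a log. All file names are hypothetical.

```python
"""Snapshot a file tree before and after a patch and list what changed.

Added example, not the Novell Snapshot tool the post mentions. Each file is
recorded as (size, SHA-256); two snapshots are diffed into added, removed and
modified paths. The tree, file names and the "patch" step are constructed
stand-ins built in a temp directory.
"""
import hashlib
import os
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (size, sha256) for every file under root."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (os.path.getsize(full), _digest(full))
    return state


def diff_snapshots(before, after):
    """Report paths added, removed or changed between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a toy system tree, apply a stand-in patch, return the diff."""
    root = tempfile.mkdtemp(prefix="patchdiff_")
    sys32 = os.path.join(root, "WINNT", "system32")
    # Hypothetical file names and contents.
    _write(os.path.join(sys32, "vuln.dll"), b"build 1: unchecked length")
    _write(os.path.join(sys32, "unrelated.dll"), b"untouched by the patch")
    _write(os.path.join(root, "WINNT", "setup.log"), b"old log")
    before = snapshot(root)

    # Stand-in for the patch. A fix that "just replaces the DLL" should touch
    # one file; the extra add and delete are the kind of side effect the
    # poster is complaining about seeing.
    _write(os.path.join(sys32, "vuln.dll"), b"build 2: length checked")
    _write(os.path.join(sys32, "extra.dll"), b"undocumented addition")
    os.remove(os.path.join(root, "WINNT", "setup.log"))
    after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

    Take the "before" snapshot on a freshly imaged reference machine, apply the patch there, and diff; hashing rather than comparing timestamps matters because an installer can rewrite a file with its original mtime. Registry changes need a separate export and diff, which this file-only script does not cover.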
  104. If the patch breaks one user, it breaks them all. by BigBlockMopar · · Score: 2, Insightful

    Let your employees run autoupdates and if one of them does break your machines, roll it back. Servers are a special case, because if you lose the TCP stack on your mail server it's much worse than if Ted from Marketing loses his.

    Most corporate desktops are imaged from a standard install. They're clones of each other.

    Therefore, if a patch breaks one of the desktops, it breaks them all. And pretty soon, I have 600 employees who can't work because all their computers are down.

    All of which will remain down until either we massively roll back the update (probably requires re-imaging each and every machine) or figure out a way to remotely deploy a fix for whatever the patch broke. Either way, 600 users are down for at least a day. Average salary in my organization is $75,000 a year, which translates to a daily loss of $180,000 - just in salaries.

    That's the sort of scenario which results in getting fired.

    --
    Fire and Meat. Yummy.
  105. Re:in our case? a broken network. by RMH101 · · Score: 2, Insightful
    ok, obvious answer: no, of course trojans aren't certified. no one wants them, everyone takes steps to prevent them (hence saying i'd pull my validated systems off the net if that was what was required). however, we're talking about damage limitation here. i can't possibly afford any possibility of data corruption and am legally liable for up to 25 years for any clinical data captured on my systems.

    As for playing CDs, etc: NOT ON MY CLINICAL SYSTEMS. these are *most definitely* not standard desktop PCs.

    what it boils down to is i know PRECISELY what is on my machines: from little rubber feet up - I've documented evidence down to precise driver levels and there is *nothing* on there that i haven't specifically placed there, INCLUDING NEW PATCHES that haven't been exhaustively tested by me - seeing as it's my signature on those FDA documents...

    i'm not sure what your last line meant: can't specifically disagree with it, but i'm not talking about any "certification program", i'm talking about regulatory compliance in a production system.

  106. Re:in our case? a broken network. by zcat_NZ · · Score: 2, Informative

    If you can't afford "any possibility of data corruption", then in my opinion you can't afford to have this computer on the internet at all. Patched or otherwise.

    If you really need to get data to and from the machine, stick it on a LAN with no direct connection to the real world. Or use rewritable CD's, whatever..

    Any "Regulatory Compliance" that would let you leave an unpatched Windows machine on the internet is insane.

    --
    455fe10422ca29c4933f95052b792ab2
  107. Yeah...this one has legs by Anonymous Coward · · Score: 2, Interesting

    This one will have real legs. You see, in order to cure the infection, you will have to get the cure. This can be gotten from various sources. That will cure it... for now. It will not immunize you from getting it again.. and again.. and agagggaaggaain! This is because the security vulnerability in Windows' Lsass.exe program remains and will remain so for as long as there is a Microsoft and as long as they are a predatory computer thug on the face of this world.
    You see, to get the fix for the Windows weakness that Microsoft left in the system for us users and 'buyers', you first have to access their site, not someone else's mirror site, Microsoft's site. Not just any access though! No! No!! You have to provide 'special' access to Microsoft. Microsoft wants to 'web install' your patch. That means it downloads what it wants to, then runs it.... ALL FROM THE WEB!!? And we are also expected to go into our security settings and set Microsoft's site as a trusted site just like it was the computer in your father or mother's den on your home network. You are further supposed to trust Microsoft explicitly and implicitly for all the content that they download into your machine. You are supposed to accept without question that you will never see what they really downloaded and ran in your machine. You are supposed to never question what they do, however they do it, or whenever they do it! This from the company that gave you the bug in the first place and lobbied the government hard to make illegal the mere reporting of the existence of these bugs.
    Let's run this back and follow another bouncing ball. Let's say that you bought a car from a company like Microsoft. It had a defect that could kill you or a member of your family. Somebody found out about this defect and reported it in a newspaper in a letter to the editor and signed it with his name (most newspapers demand this from their letter writers). Under the present laws, that person who wrote the letter could be tried under the terrorism sections of those laws for telling you that you and yours were in danger. In addition, the man could be forced to pay the maker of the car for the potential costs to the company for fixing those cars.... not the actual costs.... the potential costs. The company would never have to fix those cars because you signed a 'EULA' that said you would hold the company harmless for anything that happened to you and yours in connection with your allowed use of the car. In addition, you were not allowed to fix the car yourself as this would compromise the company 'secrets' and you also agreed to protect THOSE as well. On top of this, if grievous harm came to you or yours as a result of these faults of the company, and after pursuing the company all the way to the US Supreme Court you finally won a case that said the company was at fault, another provision of this same 'EULA' said that the limitation of your ability to collect from said company would be the lesser of your claim or five United States Dollars (actual EULA provisions in some software
    'licences'). On top of that, if the company did decide to fix your car, you would have to provide a room in your house for him or her to live while the fixing would be done, and you would have to leave the house and live in a hotel while it was being done. You would also have to leave all your valuables in your house for the company's perusal (secret installation of secret files on top of total access as a 'trusted' user on your network...this also gives total access to all files on your machine[s]). Don't laugh!
    This is only a real world illustration of the miserable, tawdry, mendacious 'end user licence agreements' that you and yours sign every day whenever you install a 'bought and paid for' program into your machine. If you really read those agreements and realize what you throw away every day and every time you click yes on these conundrums; if you had an ounce of pride in your evidently worthless hides; you would remove those programs and the operating