A Worm's Worm
Carnildo writes "There's a new worm out, according to the Register, but one with a twist. This one, called 'Dabber', infects computers by exploiting a security hole in the Sasser worm."
Jeez, they never fully test these worms before release. No wonder they'd have security issues.
Since when has this country used intellectual elite as a pejorative term?
Worm writers have got to start taking security more seriously.
This is an all new low. Now virus programmers will have to make their viruses better so they don't get infected by another virus.
I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all a lot easier on us.
snowulf.com
Christ, doesn't anyone do any qc these days?
It's a shame that it's come to the point where a worm will exploit another worm to screw stuff up. I am so glad I moved to Linux.
You know, this seems at first to be really creative. But I think he/she is just riding on Sasser's coattails.
did the sasser writer make it expandable on purpose? this isn't the first time a thing like this has happened.
Yes. Normally, I think virus writers are just scum, but I have mixed feelings about this one. This is just so damned cute...
"Convictions are more dangerous enemies of truth than lies."
...we need to stop relying on third-party worms, we need Micro-Soft certified worms to ensure our security....
Windows is only $500 if your time is worthless.
Just thought about this... With the huge number of machines out there "infected" by spyware, adware and similar programs (and many of them without their users even knowing), how long will it be until a worm is written that exploits a vulnerability in one of these programs?
The revolution will not be televised.
I think the Nimda worm exploited vulnerabilities created by CodeRed a few years ago.
Ah yes, the wonderful life of Linux and Mac.
"Dabber then installs itself and deletes the registry keys of Sasser and other viruses. It creates a backdoor on infected machines on TCP port 9898 allowing hackers to download additional code, which might be far more malicious than Dabber itself."
Sounds like it's doing some antivirus while it's at it. Good!
Just be sure to block off 9898.
-Grump
Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
So now worms come with hooks for third party plug-in's?
Hath smaller fleas that on him prey;
And these have smaller still to bite 'em;
And so proceed ad infinitum.
- Swift
bit of an oxymoron from a biosciences perspective...
Would that make the security flaw a ::cough:: "Wormhole"?
maybe we should make a virus that causes everyone to hit up Windows Update and maybe we'll be alright.
The author, in response to the news, announced that he will be releasing Service Pack 1 within the next week. Make sure to set up your computer to get updates automatically from update.sasser.com.
There was something on /. the other day about a team of biologists who built a virus based on HIV that goes out to destroy HIV's ability to turn into AIDS. Apparently, the Dabber developer took a page from that book --- in a twisted sort of way.
"The generation of random numbers is too important to be left to chance."
This proves it, Microsoft is behind Sasser. ^_^
That used the backdoor left by the other virus, not a flaw in the virus itself.
Microsoft Security Bulletin MS05-014
Security Update for Microsoft Windows (93212)
Issued: May 14, 2004
Updated: May 14, 2004
Version: 1.0
Summary
Who should read this document: Customers who use the Sasser worm
Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers running the Sasser worm should apply the update immediately to be protected from Dabber.
Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.
Caveats: The security update is for Windows 2000, XP Pro and Home, and Windows 2003 server platforms. As a prerequisite, the security update requires your system be infected with Sasser.
To download the Sasser worm, please open Outlook Express or Outlook 2000/XP and execute any attachments you have received from unknown senders. If you are not using Sasser you do not need to install this update.
Once installed your system will be immune from being infected with Dabber which exploits a flaw in the widely popular Sasser worm.
Tested Software and Security Update Download Locations:
Affected Software:
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 - Download the update
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update
Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update
Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update
Microsoft Windows Server(TM) 2003 - Download the update
Microsoft Windows Server 2003 64-Bit Edition - Download the update
it's the worm that gets exploited.
Dabber then installs itself and deletes the registry keys of Sasser and other viruses.
This is fantastic! It is a virus, that infects only virus infected machines, and then removes all other virii. What a great solution to rapidly spreading worms.
If users are too lazy or ignorant (in the nice sense of the word) to patch their systems, then just release another virus to do it for them.
Except that...
It [then] creates a backdoor on infected machines on TCP port 9898 allowing hackers to download additional code...
They just couldn't stop at doing a good thing, could they...
The Windows RPC implementation and LSASS share some similar qualities with worms and back doors. One has to wonder how much more of Windows has the same characteristics of a virus.
- if you have windows, type, "format C:"
- if you have linux, or Mac OSX, type "su if you have a pre-OSX Mac, get someone to translate the above commands for you
That'll take care of the folks who don't patch or use a firewall or AV. I figure anyone smart enough to do that won't run the commands.
Sasser was intended to be a helpful virus and remove mydoom and bagel infestations...
"Sic Semper Tyrannosaurus Rex."
In the last few years, the guys who write this stuff have become more and more like gangs. In the real world, gangs compete for turf. That includes undermining each other whenever possible.
Gosh, this whole mess looks just like Blaster from down here in the trenches.
I'm tech support for Tremendously Large ISP. From down here this looks just like Blaster did. Customers calling in complaining that their machine is restarting without their consent. And now someone has a follow up virus that attacks the virus - as some may recall there was a Blaster variant that patched systems AGAINST Blaster. This was terrible - if you got this variant inside a corporate network not only would your bandwidth use skyrocket, but since NAT tends to fubar Windows Update, the variant never managed to patch a system. God that was hell . .
It's almost enough to make you want to write a virus in revenge . . .
a post with the title "clever" and the text "very clever" in a story about a "worm's worm" moderated as "redundant".
It's like rain on a rainy day.
meep
than all the worms that have been infecting the Windows worm that has been infecting computers for years.
Last time I checked that stupid Windows worm has infected nearly every damn computer on the planet.
I agree that these stupid worm writers (Microsoft) need to improve their security so that they don't become hosts to yet more worms.
So where do I download the patch so my Sasser isn't vulnerable?
itadakimasu
I told you not to try Sasser, it's a gateway worm! IT LEADS TO HARDER, MORE DANGEROUS WORMS!
Are you secure enough in your masculinity to run 'man touch'?
...with some software with the ability to self-replicate. God help the rest of the universe when life finally manages to get off this planet.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
I wonder if the author of Dabber has violated the DMCA by circumventing a copyright protection system -- i.e., the code to the Sasser worm.
More specifically, I wonder if the author of Sasser can sue the author of Dabber for statutory damages of up to "$2,500 per act of circumvention."
Only Women Bleed (Sex, Sharia remix)
The mentioned code, which is used in Dabber, can be found at http://packetstormsecurity.nl/0405-exploits/sasser ftpd.c
But do you still infect it if you walk without rhythm?
...from History of the World Part one:
"Look how low we have become! Beggars! Begging from beggars!"
Does this mean my dogs heart-worms have heart-worms? The idea of recursively-defined worms frightens me for some reason.
These aren't the sigs you're looking for.
While this is really funny, IE users should be warned that clicking the albinoblacksheep.com links can cause multiple spawning windows.
I know, I am an idiot, but I thought the flash demo might be funny also. The post was funny, but the web site was not.
This is an all new low. Now virus programmers will have to make their virus's better so they dont get infected by another virus.
Actually, this sounds like somebody trying to make a disinfectant worm. Look at the description:
- It only infects infected systems, using a flaw in the previous infection.
- It cleans out the infection of the worm that it exploited, and several others.
It does open a new backdoor. But while that might be preparation for some future malicious action, it might also have been the author leaving himself a way to fix things if his initial worm got out with a destructive bug. (Of course it could be the worm cleaning up signs of previous infections in order to hide itself and thus head off other cleanups.)
I wouldn't be surprised to see, on further analysis, that it does other antimalware things (like fix the flaw the other worms used).
(Not to say that it IS somebody trying to fight virus with virus. But it might be interesting if it turns out that it is.)
I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all alot easier on us.
Which is exactly what the military does with some of its really secure stuff.
Now if we can just get the Microsoft users to emulate them. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Does this situation imply that the sum total of Sasser-infected machines outnumber Macs and Linux boxes?
Most of my friends didn't try Linux until I told them about my own success stories and satisfaction.
So Linux's spreading is clearly due to flaws in the users. (tongue in cheek)
Add the sasser FTP server to your nmap-services file. I run Gentoo, mines in /usr/share/nmap.
:)
Add this line:
sasser 5554/tcp # Sasser worm FTP server
This way when you do a port scan of a host, you can tell if they've been infected with sasser
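The nmap-services line above and the earlier "just be sure to block off 9898" comment both amount to the same defensive idea: a host listening on 5554/tcp (Sasser's FTP server) or 9898/tcp (the backdoor the article says Dabber opens) is a candidate for cleanup. The script below is an added example, not Nmap's code or anything from the thread: it parses a constructed nmap-services excerpt (including the proposed sasser line, plus a constructed "dabber-backdoor" name) and a constructed nmap grepable (-oG) scan listing, and reports which hosts show those ports open. Host addresses and scan results are made up for the example.

```python
import re

# Constructed excerpt in nmap-services format: "<name> <port>/<proto> [# comment]".
# The "sasser" line is the one the comment above proposes adding; the
# "dabber-backdoor" name is an assumption for this example, not an nmap name.
NMAP_SERVICES_EXCERPT = """\
ftp 21/tcp
http 80/tcp
msrpc 135/tcp
sasser 5554/tcp # Sasser worm FTP server
dabber-backdoor 9898/tcp # constructed name for the port Dabber's backdoor listens on
"""

# Constructed nmap -oG (grepable) output for three imaginary hosts, not a real scan.
# Port entries in -oG are port/state/protocol/owner/service/rpcinfo/version.
SCAN_OUTPUT = """\
# Nmap (constructed) scan initiated
Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc///, 5554/open/tcp//unknown///
Host: 10.0.0.6 ()\tPorts: 80/open/tcp//http///
Host: 10.0.0.7 ()\tPorts: 5554/open/tcp//unknown///, 9898/open/tcp//unknown///
"""

SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b")
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")

# Ports named in the thread: Sasser's FTP server and the backdoor Dabber opens.
WORM_PORTS = (5554, 9898)


def parse_nmap_services(text):
    """Return {(port, proto): name} from nmap-services style lines, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            table[(int(m.group(2)), m.group(3))] = m.group(1)
    return table


def parse_grepable_scan(text):
    """Return {host: [(port, proto), ...]} of open ports from nmap -oG lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        parts = line.split("Ports:", 1)
        if len(parts) < 2:
            continue
        hosts[host] = [(int(port), proto)
                       for port, state, proto in PORT_RE.findall(parts[1])
                       if state == "open"]
    return hosts


def find_worm_indicators(scan_text, services):
    """Map each host to the worm-associated open ports it exposes, with service names."""
    findings = {}
    for host, ports in parse_grepable_scan(scan_text).items():
        hits = [(port, services.get((port, proto), "unknown"))
                for port, proto in ports if port in WORM_PORTS]
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    services = parse_nmap_services(NMAP_SERVICES_EXCERPT)
    for host, hits in find_worm_indicators(SCAN_OUTPUT, services).items():
        print(host, ", ".join(f"{port}/tcp ({name})" for port, name in hits))
```

A listening port is only an indicator: confirm with a removal tool before treating a host as infected, and note that a host showing 9898 as well as 5554 has already had its Sasser infection exploited and should be taken off the network rather than just cleaned. Blocking both ports at the perimeter, as the earlier comment suggests, stops the spread but does not fix the hosts.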
This is quite literally the funniest thing I've ever read on slashdot.
Read this article. The beautiful thing about science is how a single discovery can have effects on many different systems.
Only use worms that are Microsoft Security Hole Certified!
Consider ourselves lucky. As fast as these worm/virus writers are going, it wouldn't surprise me if one day they decide to go badder, and start doing some damage. Come on, how long until a scr1p7 kiddie modifies code to start deleting stuff?
-P@
I'm sure that the foot icon for the humor section would be very appropriate for this news :-)
It's really funny...
Ploum.net.
A beowulf cluster of these!
Anti-virus vendors are in the process of developing signature updates to automatically detect and remove the worm
Only the slashdot crowd could find the humor in the above quote from the article.
That's a great question, I wonder if Sasser is really as widespread as the entire install base of OS X.
A friend was asking for a laptop recommendation for a kid going off to college - I said an iBook, as the kid would not have to be cleaning stuff off it all the time.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
McAfee has a free tool named Stinger that can remove Sasser and various other worms, yet people don't bother to download it (only 770kb) and scan their computers.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
HERE IT IS
It's fun to imagine dark genius types at the helm of the Evilware Industry, but it simply isn't the case. Spammers and 'Mafia'-types who might have anything to gain from such tools simply won't pay anybody ("all money belongs to me!"), so nobody capable will work for them.
Good Coders(tm) are never arrested for creating these things, and that's not because they are too clever to be caught...it's because the malware is ALWAYS created by some clueless zit-faced 15-year-old wannabe 1337 h4x0rZ using a VB virus-by-numbers toolkit he got from a friend's really 1337 older brother. You only have to examine the luserish quality of the coding to see that.
I just read last night in the science section about a virus being used to fight AIDS by latching on to the HIV virus and preventing it from turning into AIDS. I didn't understand it all that well but it does sound like this virus is doing much the same thing.
"Alcohol, cause of, and solution to, all of life's problems" -Homer Simpson
You know, just as those guys managed to figure a virus to fight HIV, MS shouldn't have announced the vulnerability but written a worm to fix the hole... then the world needn't know how much more vulnerable Windows can get... too bad the tech team there don't seem as great as their marketing team....
We had the same basic thing with the Cheese worm. Someone made it to fix the li0n worm, but it ended up causing its own problems because it pummeled the living daylights out of networks while trying to propagate.
Everything I need to know I learned by killing smart people and eating their brains.
Program code so advanced it travels through worm holes!
*rimshot*
CAn'T CompreHend SARcaSm?
Have the authors of Sasser released a patch to fix this vulnerability yet? I checked sasserupdate.com and nothing's been posted yet.
This sort of reminds me when I wrote a counter-bug to combat an email worm that had infested an office building I was contracting to. Worked through the ever-so-lovely 'You don't have to really click the attachment for it to go off on you' bug in an older version of outlook.
:)
:P
:)
It sat and watched a user's inbox for the big bug at the time and pretty much acted like a counteragent: the instant they showed up, it nuked them off the machine (inbox and all) and undid whatever they managed to do.
Send one copy to everybody in the office, and instantly watch outgoing network mail traffic DROP back down to normal levels and my phone stop ringing.
I seem to recall distinctly 'forgetting' to mail it to key people, however.. *cough*
Would be a real shame if some of the geek prowess around the OSS world were to start doing such counter-bugs. A lot of these backdoors, trojans, and whatnot have gaping flaws in them because..well, guess.
Just think:
Infect > Disinfect > Patch > Scan nearby machines (proceed life cycle)> Local Self-remove
Could be the next revolution. Don't bother patching or downloading, we bring the cure to YOU..
My new top secret key -> C>N|KB
seriously, good link
...it reminds me of the phage/bacteriophage, actually. If I recall, those viruses kill bacteria(judging from the name...) by infecting them.
This goes on to remind me of that recent anti-HIV virus that's been in the news.
----- Wtcher Dragon, UDIC
This worm is self-distributed under terms of GNU GPL but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. The author, as mentioned in the subject of this copyright, is NOT RESPONSIBLE for any damages caused.
Sounds like our new potential AIDS cure.
You can lead a horse to water, but you can't make it dissolve.
None of them live up to the Original Morris Internet Worm. It infected multiple operating systems running on different hardware platforms. Combined they constituted an even greater portion of the Internet than Windows NT4 to XP command today (I'm not including Windows Server 2003 since it isn't vulnerable to Sasser). It also originated the techniques of automatically exploiting remote vulnerabilities to spread without human intervention across a network.
This was a unique idea at the time, and spawned not only the modern worms that copy that model, but also formed the basis for many science fiction stories, including well known ones like SkyNet in the Terminator, and the rampant AI in Bungie's Marathon.
Is this a beginning of a new virus era? I can see virus programmers making holes in their code on purpose just to release a second virus to take advantage of it. virus 'a' is programmed with a hole - virus 'b' takes advantage of it! A fine case of hit them when they are down!
Computer Science Education is about producing scientists not programmers who can develop a product. You should be banished to Devry.
UNCLEAN!!!!! UNCLEAN!!!!!
Heh, I completely agree.. I was just pointing out that in terms of programming knowledge, the last three years as a CS major have been a little lacking. Granted, I still have at least 3 semesters left.. but still, the majority of my study has been in math, not C++.
Computer Science Education is about producing scientists not programmers who can develop a product. You should be banished to Devry. UNCLEAN!!!!! UNCLEAN!!!!!
AC, you cracked me up!!
QUOTE:
"You know those tests they do on rats, where they put them in a maze, and if they do the wrong thing they get an electric shock, but if they do the right thing they get the cheese? The Secret is this: You are the rat. The electric shock is *always* on. ***There Is No Cheese***."
wow. I can't see.. eyes still watering.
would never pay people to release a computer virus or worm. After all, what good would that do them? They are in the business of getting rid of such problems. Why, I would bet that no one would be happier if worms and viruses (viri?) completely disappeared. :-)
Even if you try to be the good guy doing beneficial stuff like that, it'll still get you just as arrested, just as photographed, and just as incarcerated under existing law as if you had done the typical evil stuff.
If the outcome is gonna be the same, might as well be an asshole.
if only it had been moderated redundant twice..
-ashot
that sounds Sassy !
Chris ,
Php Programmers.
the enemy of my enemy is my friend
This reminds me of a poem I heard when I was a kid. I'm not sure who the original author is.
Every flea has a flea
on his back to bite him.
And on that flea another flea
so ad infinitum.
MM
--
By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
Some spyware looks for the existence of other adware and takes over that adware's ad lookup, forcing both pieces to serve the spyware's ads.
"I'm not impatient. I just hate waiting." - My Dad
Write a virus that kills viruses, imagine it, a virus that decompiles the code of the virus to analyse it and find new ways to destroy viruses and remain undetected. The virus could randomly change its own size (file size) and name in an attempt to remain undetected.
This might lead to the evolution of it though.
I had an imaginary sig once, he said I was a loser and ran off.
Hey cut this guy some slack.. it ain't easy timing first posts anymore like the old days. Plus, I did it for his clan. He's a soldier and that's why Slashdot has threshold levels. I happen to enjoy first posts and I always browse at -1 Oldest first. I suggest you do too. Funny people, these guys, particularly those gay negros.
After two years I've given up on it. I spent two years studying philosophy and didn't bother trying to get a degree for the same reason I'm switching majors now (secondary education). I got ahead of my math classes. I've always been ahead of the programming classes. And I can't stand physics (which I'm done with finally).
The fact is that if you challenge yourself you can learn everything you'd learn in college on your own for a lot less money. In the field of technology you have to be able to teach yourself anyway or you'll find you've become obsolete.
I switched to education because I think it'd be a more entertaining and fulfilling career than sitting behind a computer all day.
"Maybe that's what grad school is for?"
Save your money. If you want to learn how to program just buy the books and come up with projects.
The reason I know as many languages as I do is because I'm always coming up with ideas. I then figure out what language would be best to implement it and learn the language.
You're better off specializing in an area (like math or physics) and then learning how to program on the side so you can utilize that skill in your profession. You don't need a comp sci degree to write modeling programs for a chemistry application. You need a chemistry degree so you understand what the program needs to do. In programming knowing what you need to do is 90% of it. The other 10% can be learned as you build the program.
Think about it. Little kids can program. It's really not that hard. But little kids don't know enough about chemistry to use their programming skills to write chemistry programs.
If you don't understand chemistry nobody really cares if you can do magic in C++ because you don't have the knowledge to make your programs do what a chemistry program needs to do.
It's the same reason the FBI doesn't care if you were on a police force. An FBI agent needs to know things you can't learn being in the police force. And what you need to learn in the police force can easily be taught to you by the FBI.
Ben
Work Safe Porn
Granted, you don't need a degree but to find the original exploit takes quite a bit of knowledge of system internals, probably quite a bit of time with a kernel debugger like SoftIce and a fair amount of persistence.
The calculus isn't needed though. Those are just gateway classes to see how serious you are.
...and no sympathy to the kids who release them. The vulnerability was shown well before the worm's release.
The fact is, this released worm relies on another worm that causes the computer to randomly shut down. Unlike the LSASS service, there is very little stability, therefore making it highly unlikely that a computer infected with the former worm will be hit by the latter.
Which is exactly what the military does with some of its really secure stuff.
My company has done a little work for a couple of UK governmental departments, and they do exactly this too. I can't go into details (and don't really know all that much), but they have some very strict rules about what can and cannot be connected to the internet, and what can and cannot access their secure network. For example, one particular feature required a data feed from a third party.
It actually made deployment and testing of the website we were developing a bit of a pain at times, as we could only access it from a secured room, which had no access to the rest of our network (and which itself was accessed by swipe card and pin code)
It's official. Most of you are morons.
The trouble that I have with this scenario is that other virus writers could use this backdoor. Because of this, I think it is malware.
I guess this brings a whole new meaning to the phrase "the GPL is viral in nature..." ;-)
Boo for Free Germware! (Achoo!)
Y'know, you blow up one sun and suddenly everyone expects you to walk on water.
They want us to donate for a lousy job?! I want my $1.50 back.
A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
I don't know if security hole is the appropriate term for this. Wouldn't that suggest the author of the sasser worm had implemented security into the worm?
Although this is a bad thing to happen, perhaps it could be used to our advantage. Example:
We reverse engineer the worm to find the security hole, and then, rather than doing damage, just run the worm to warn the user that they have Sasser, check to see if it has given the worm to anyone else (I'm not sure how Sasser works, so finding who the virus has infected is left as an exercise for the reader (firewall logs maybe?)). The user could be warned with an immediate message box, or a change to the registry key that shows the legal information on startup. And it would have to clean up after itself (deleting itself), and have a very small file size, so as not to clog bandwidth. QoS/ToS could be used so that the rest of the user's programs are not interfered with. It is important that the program is GPLed to make sure it is stable. With the number of people with Sasser, beta testers shouldn't be hard to find.
It is *CRITICAL* that it doesn't interfere with Windows, since after all, you don't gain anything by fucking up people's systems, and it IS easier to get rid of Sasser than it is to reinstall Windows. Maybe it should put a text file on the desktop if you are that cautious about changing the registry. I think I'm the same as many people in that I think a text file on my desktop is better than realising over a week that I have a virus on every computer on my network, and that my developers haven't been telling me that their distributed compilation program is running slowly, and also my web server is running at 10% speed. Back when I was in primary school, there was only an IT guy there 2 days a week, and when we got Nimda.....since then my caffeine intake has doubled, I have never used a Microsoft web server, and am currently in the process of moving to Linux.
Back there stability didn't matter much. I could tell. 90% of the computers used Windows 98. The IT coordinator regretted moving his main computer to windows 2000. You have never experienced anything so close to hell as a network using only 10Base-T fully infected with a worm like Nimda.
My sympathies to anyone with Sasser.
Where is:
Move Sig. For great justice.
Where can I get one of these, so I can try Sasser without installing it on my hard disk? If there's one that installs /home on a pen drive I can have an infected desktop wherever I go. Now that would be cool.
"There is only fork!"
Got time? Spend some of it coding or testing
Code Red II used one of the backdoors CR used.
Assume I was drunk when I posted this.