A Worm's Worm
Carnildo writes "There's a new worm out, according to the Register, but one with a twist. This one, called 'Dabber', infects computers by exploiting a security hole in the Sasser worm."
Jeez, they never fully test these worms before release. No wonder they'd have security issues.
Since when has this country used intellectual elite as a pejorative term?
Worm writers have got to start taking security more seriously.
This is an all new low. Now virus programmers will have to make their viruses better so they don't get infected by another virus.
I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all a lot easier on us.
snowulf.com
...we need to stop relying on third-party worms, we need Micro-Soft certified worms to ensure our security....
Windows is only $500 if your time is worthless.
Just thought about this... With the huge number of machines out there "infected" by spyware, adware and similar programs (and many of them without their users even knowing), how long will it be until a worm is written that exploits a vulnerability in one of these programs?
The revolution will not be televised.
So now worms come with hooks for third party plug-in's?
Would that make the security flaw a ::cough:: "Wormhole"?
The author, in response to the news, announced that he will be releasing Service Pack 1 within the next week. Make sure to set up your computer to get updates automatically from update.sasser.com.
There was something on /. the other day about a team of biologists who built a virus based on HIV that goes out to destroy HIV's ability to turn into AIDS. Apparently, the Dabber developer took a page from that book --- in a twisted sort of way.
"The generation of random numbers is too important to be left to chance."
Microsoft Security Bulletin MS05-014
Security Update for Microsoft Windows (93212)
Issued: May 14, 2004
Updated: May 14, 2004
Version: 1.0
Summary
Who should read this document: Customers who use the Sasser worm
Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers running the Sasser worm should apply the update immediately to be protected from Dabber.
Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.
Caveats: The security update is for Windows 2000, XP Pro and Home, and Windows 2003 server platforms. As a prerequisite, the security update requires your system be infected with Sasser.
To download the Sasser worm, please open Outlook Express or Outlook 2000/XP and execute any attachments you have received from unknown senders. If you are not using Sasser you do not need to install this update.
Once installed, your system will be immune from being infected with Dabber, which exploits a flaw in the widely popular Sasser worm.
Tested Software and Security Update Download Locations:
Affected Software:
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 - Download the update
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update
Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update
Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update
Microsoft Windows Server(TM) 2003 - Download the update
Microsoft Windows Server 2003 64-Bit Edition - Download the update
Dabber then installs itself and deletes the registry keys of Sasser and other viruses.
This is fantastic! It is a virus, that infects only virus infected machines, and then removes all other virii. What a great solution to rapidly spreading worms.
If users are too lazy or ignorant (in the nice sense of the word) to patch their systems, then just release another virus to do it for them.
Except that...
It [then] creates a backdoor on infected machines on TCP port 9898 allowing hackers to download additional code...
They just couldn't stop at doing a good thing, could they...
Perhaps you are thinking of Welchia which exploited IIS but also removed Blaster.
My son's 5th grade teacher actually assigned them "write a limerick about a planet". I'm not kidding.
In the last few years, the guys who write this stuff have become more and more like gangs. In the real world, gangs compete for turf. That includes undermining each other whenever possible.
Gosh, this whole mess looks just like Blaster from down here in the trenches.
I'm tech support for Tremendously Large ISP. From down here this looks just like Blaster did. Customers calling in complaining that their machine is restarting without their consent. And now someone has a follow-up virus that attacks the virus - as some may recall there was a Blaster variant that patched systems AGAINST Blaster. This was terrible - if you got this variant inside a corporate network not only would your bandwidth use skyrocket, but since NAT tends to fubar Windows Update, the variant never managed to patch a system. God, that was hell . .
It's almost enough to make you want to write a virus in revenge . . .
So where do I download the patch so my Sasser isn't vulnerable?
itadakimasu
I told you not to try Sasser, it's a gateway worm! IT LEADS TO HARDER, MORE DANGEROUS WORMS!
Are you secure enough in your masculinity to run 'man touch'?
if you have windows, type, "format C:"
Why yes, I have windows. I even have doors too. I typed "format C:" like you said but I just got a message saying "the page cannot be displayed".
In this world nothing is certain but death, taxes and flawed car analogies.
The mentioned code, which is used in Dabber, can be found at http://packetstormsecurity.nl/0405-exploits/sasser ftpd.c
This is an all new low. Now virus programmers will have to make their viruses better so they don't get infected by another virus.
Actually, this sounds like somebody trying to make a disinfectant worm. Look at the description:
- It only infects infected systems, using a flaw in the previous infection.
- It cleans out the infection of the worm that it exploited, and several others.
It does open a new backdoor. But while that might be preparation for some future malicious action, it might also have been the author leaving himself a way to fix things if his initial worm got out with a destructive bug. (Of course it could be the worm cleaning up signs of previous infections in order to hide itself and thus head off other cleanups.)
I wouldn't be surprised to see, on further analysis, that it does other antimalware things (like fix the flaw the other worms used).
(Not to say that it IS somebody trying to fight virus with virus. But it might be interesting if it turns out that it is.)
I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all a lot easier on us.
Which is exactly what the military does with some of its really secure stuff.
Now if we can just get the Microsoft users to emulate them. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Add the Sasser FTP server to your nmap-services file. I run Gentoo, mine's in /usr/share/nmap.
:)
Add this line:
sasser 5554/tcp # Sasser worm FTP server
This way, when you do a port scan of a host, you can tell if they've been infected with Sasser.
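To show how that nmap-services entry is consumed on the scanning side, here is an added example (not from the post above or from the nmap project) that parses the file format, adds an entry idempotently, and flags the two ports this thread names: 5554/tcp for the Sasser FTP server and 9898/tcp for the Dabber backdoor. The sample file contents and the open-port list are constructed.

```python
import re

# Constructed sample of nmap-services lines. The real file uses
# "name port/proto open-frequency [# comment]"; the frequency column is
# treated as optional so the bare line from the post parses too.
SAMPLE_NMAP_SERVICES = """\
# Fields: service-name port/proto open-frequency optional-comment
ftp\t21/tcp\t0.197667
http\t80/tcp\t0.484143\t# World Wide Web HTTP
sasser 5554/tcp # Sasser worm FTP server
"""

# Worm-associated ports as named in the thread (constructed mapping).
WORM_PORTS = {
    (5554, "tcp"): "Sasser FTP server",
    (9898, "tcp"): "Dabber backdoor",
}

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp|sctp)"
    r"(?:\s+(?P<freq>[\d.]+))?\s*(?:#\s*(?P<comment>.*))?$"
)

def parse_nmap_services(text: str) -> dict:
    """Map (port, proto) -> {name, freq, comment}; skips blank/comment lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate a malformed line instead of aborting the scan
        table[(int(m["port"]), m["proto"])] = {
            "name": m["name"],
            "freq": float(m["freq"]) if m["freq"] else None,
            "comment": (m["comment"] or "").strip(),
        }
    return table

def add_service(text: str, name: str, port: int, proto: str, comment: str) -> str:
    """Append an entry unless that port/proto already exists (idempotent)."""
    if (port, proto) in parse_nmap_services(text):
        return text
    return text.rstrip("\n") + f"\n{name}\t{port}/{proto}\t# {comment}\n"

def flag_open_ports(open_ports: list, services: dict) -> list:
    """Report open ports that match known worm services, with the file's name."""
    findings = []
    for port, proto in open_ports:
        label = WORM_PORTS.get((port, proto))
        if label:
            name = services.get((port, proto), {}).get("name", "unknown")
            findings.append(f"{port}/{proto} ({name}): {label}")
    return findings
```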
You jest, but I wouldn't be surprised if it was possible. Don't forget, this is the country where a burglar can sue his victims if he breaks his leg while breaking into their house and win.
Program code so advanced it travels through worm holes!
*rimshot*
CAn'T CompreHend SARcaSm?
This sort of reminds me when I wrote a counter-bug to combat an email worm that had infested an office building I was contracting to. Worked through the ever-so-lovely 'You don't have to really click the attachment for it to go off on you' bug in an older version of outlook.
:)
:P
:)
It sat and watched a user's inbox for the big bug at the time and pretty much acted like a counteragent: the instant they showed up, it nuked them off the machine (inbox and all) and undid whatever they managed to do.
Send one copy to everybody in the office, and instantly watch outgoing network mail traffic DROP back down to normal levels and my phone stop ringing.
I seem to recall distinctly 'forgetting' to mail it to key people, however.. *cough*
Would be a real shame if some of the geek-prowess around the OSS world were to start doing such counter-bugs. A lot of these backdoors, trojans, and whatnot, have gaping flaws in them because... well, guess.
Just think:
Infect > Disinfect > Patch > Scan nearby machines (proceed life cycle)> Local Self-remove
Could be the next revolution. Don't bother patching or downloading, we bring the cure to YOU..
My new top secret key -> C>N|KB
...it reminds me of the phage/bacteriophage, actually. If I recall, those viruses kill bacteria (judging from the name...) by infecting them.
This goes on to remind me of that recent anti-HIV virus that's been in the news.
----- Wtcher Dragon, UDIC