Windows Users Fear Korgo Virus
An anonymous reader writes "A new virus is on the prowl that can infect your Windows XP/2K system and record every key you hit on your keyboard. The keys are then sent back to the virus creator where he/she can steal your passwords and credit card information. The virus, named Korgo, started showing up in the last week of May but it now has at least six different variants. To protect yourself from this nasty virus, Microsoft is urging all users to download the KB835732 Security Update. As with the Sasser worm, you'll get the Korgo virus without even knowing it. It does not arrive by email, but simply by being connected to a network or to the Internet without having a patched machine or a properly configured firewall."
Main details from top of SARC page: Happy cleaning.
For those that have just come out from their rock, here is a removal tool for this latest worm
And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or at least 445) right out-of-the-box?
Hmmm.
Symantec's Advisory. Listens on TCP ports 113, 2041, and 3067. 113 is identd, 2041 is interbase, 3067 seems invented. Firewall as appropriate.
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
Issued: April 13, 2004
Updated: May 4, 2004
Version: 1.3
If you "just get it" without having to run anything, it's a worm, not a virus. It's not complicated.
...you're new here, aren't you?
"Sent back to the creator" means data is dumped into an IRC channel, newsgroup, or possibly some zombied machine. There's little way to track the person behind the bot, so to speak.
Of course, a little way is all it takes to pinch some angsty German teenager...
"Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
Figure what out? The actual LSASS patch was issued all the way back on April 13. Therefore, it's about 6 weeks time to patch machines. This new worm was simply just to catch all of those that, again, haven't patched their systems... sigh..
I'm sure smarter people than me can come up with more ideas to post here as well. :)
"Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
-- Ryan Stiles
Yes, they do. They prevented SP1 from installing on machines with blacklisted corporate keys, but Windows Update has always worked, and they recently announced that even those installs will be able to install SP2. It was covered on /. too.
The reasoning was it was better than having umpteen zillion unpatched boxes out there DDoS'ing their website.
I don't need no instructions to know how to rock!!!!
Cards with a MC/Visa logo only protect you if they're actually a credit card. If they're an ATM you're SOL.
F-Secure Weblog says Korgo doesn't install a key logger by default, but that the "cracker team" uses Korgo's backdoor to do so. So, you won't necessarily have the key logger installed if you have any of the Korgo variants. At least, none up to this point...
Except of course that the update for this came out almost two months ago.
I'd rather be lucky than good.
The security update for this issue is a month old even though this particular exploit is just hitting the news. If you're not sure, windows update has "View installation history."
Look for "Security Update for Windows XP (KB835732)"
Or, as an even better solution, use nullsoft's safesex. Then the virus writer would learn your safesex password but not your real passwords to things.
I agree with the original poster. Waiting a week and a half is totally useless in a corporate environment. It's kind of silly to wait a week and a half, as everyone is doing this more and more basically you wind up finding all the same problems a week and a half later.
You're assuming that someone out there in the world is going to install, test and have somewhat of a similar environment to yours. In other words, you're hoping someone else will do the work for you.
I think a better rule of thumb is to have a testing mechanism where you can install the patch, test it and then release it for yourself. Like the original poster says, use the IT dept as guinea pigs or whatever.
It's a new virus, but the patch is the same old one as for the Sasser worm.
Korgo in itself is not the problem, it is the backdoor that it installs. Korgo does not have a keylogger or anything else harmful in it. Through the backdoor the makers can download anything, including the keylogger that is stealing everyone's bank info. It's all here: http://www.f-secure.com/weblog/
Look in the Add/Remove Programs applet in the control panel. If this patch is installed you should see "Windows 2000 Hotfix - KB835732" listed as an installed program.
Thank goodness you can download critical updates manually regardless of your key. *whew*
Yes, and the 011 patch also killed about 5% of the machines it was installed on before the May 4 update. Now it only kills about 1%, or about 100 machines in our case. Not to mention the several apps it killed.
This sig is the express property of someone.
(that is, XP Professional Corporate, otherwise known as "Volume Licensed" and XP Professional Dumbass edition) is the product ID string in the i386/setupp.ini file on the CD.
That's the only file that's at all different between both editions. So just copy the CD to the HD, change the line in that file that reads
Pid=XXXXXYYY (where XXXXX is the first five digits, and YYY is the last three) to
PID=XXXXX270 (so we are keeping the first five digits, and changing the last 3 to "270")
Also, make sure to call the Volume Label "WXPVOL_EN".
Burn, insert, reboot. When you are asked to enter a product key, use any old XP volume license key you can find: from your employer (good idea) or that keygen util that's floating around (not a good idea unless you've paid for a copy of XP) or whatever.
Finish the install, and presto! No product activation.
Ever.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Routers won't help with email-borne issues. It will only stop a remote-connect worm from getting through.
I have something in common with Stephen Hawking...
I run RH 9 and FreeBSD 4.9. I looked at the list on the front page, and none of the issues put me at risk.
There are two reasons a person can be unaffected by the vulnerability if they don't patch. One is they don't have or run the affected software. Gnome users that never use KDE aren't impacted by KDE runtime vulnerabilities. The other is that their network is protected enough to render the vulnerability useless (firewall, local IP security, chroot, NAT, etc.)
The only vulnerability I've seen announced this year that I've had any concern about was the CVS one. Fortunately, though, I have yet to open up my firewall for outside access to CVS. When I do, I plan to use SSH, in which case the vulnerability wouldn't have impacted me. Thus, so far in 2004 between the two operating systems I have had no true vulnerabilities.
Sure, you could say the version of MySQL I'm running has the symlink vulnerability. But, if an attacker can't get local non-chroot'd shell access, then what relevance is a symlink vulnerability?
Contrast it to Korgo and Sasser, which hit Windows ports that are opened by default. I can't tell you how many times I see ports 135 and 445 in my daily logs of packet rejections. Plus, infecting the processes using those ports gives the attacker complete control of the system.
Windows is plagued by REMOTE vulnerabilities to MICROSOFT software. Linux distributions mostly have LOCAL vulnerabilities with the independent APPLICATIONS that are packaged with them, not the operating system itself. Most of these vulnerabilities require LOCAL access and most of this software runs on Windows as well (e.g., Apache), so the vulnerability usually applies to both operating systems, but appears on the linux security alerts simply because they are one of the thousands of optional programs being included on the FOSS CDs. You have to download Apache if you have Windows because Microsoft is not going to include it, and Microsoft isn't going to send you a patch for it, or even post an Errata, just because you are running it on Windows.
I've also administered Windows servers for many years, using Windows 3.1, Workgroups, NT 3.5/4.0, 2000 and XP, and used just about all their software, including Visual Studio, InterDev, IIS, and COM/DCOM. I still run 2000 and XP in addition to RH 9 and FreeBSD. I've developed my opinion from experience securing production servers in both Windows and Linux, as have other people posting on /.
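The Symantec advisory quoted earlier in the thread lists the ports a Korgo host listens on (113, 2041, 3067), and the post above mentions daily logs of packet rejections on 135 and 445. The following is an added example, not code from the thread or from any vendor: it assumes netfilter-style reject lines with an Internet-side interface `eth0` and a LAN-side interface `eth1`, uses constructed sample lines, and flags a source that scans the LSASS entry ports across several hosts (on the LAN side, a sign of a local infection) as well as Internet-side attempts to reach the backdoor ports.

```python
import re
from collections import Counter, defaultdict
# Ports named in the thread: 445/135 are the LSASS (MS04-011) entry points the
# worm scans for; 113, 2041 and 3067 are where an infected host listens.
ENTRY_PORTS = {445, 135}
BACKDOOR_PORTS = {113, 2041, 3067}
LINE_RE = re.compile(r"IN=(?P<iface>\S+).*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

# Constructed netfilter-style reject lines (sample data, not real traffic);
# eth0 is the Internet side, eth1 the LAN side of the gateway (assumed names).
SAMPLE_LOG = """\
Jun  2 10:15:01 gw kernel: REJECT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3921 DPT=445
Jun  2 10:15:05 gw kernel: REJECT IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=1044 DPT=135
Jun  2 10:15:09 gw kernel: REJECT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50123 DPT=80
Jun  2 10:16:00 gw kernel: REJECT IN=eth1 OUT= SRC=192.0.2.20 DST=203.0.113.50 PROTO=TCP SPT=1201 DPT=445
Jun  2 10:16:00 gw kernel: REJECT IN=eth1 OUT= SRC=192.0.2.20 DST=203.0.113.51 PROTO=TCP SPT=1202 DPT=445
Jun  2 10:16:01 gw kernel: REJECT IN=eth1 OUT= SRC=192.0.2.20 DST=203.0.113.52 PROTO=TCP SPT=1203 DPT=445
Jun  2 10:17:30 gw kernel: REJECT IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.20 PROTO=TCP SPT=4410 DPT=3067
"""

def parse_line(line):
    """Fields of one TCP reject line as a dict, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec

def analyze(log_text, lan_iface="eth1", scan_threshold=3):
    """Count rejects per port and flag worm-style scanning (a source hitting entry
    ports on >= scan_threshold distinct hosts) and Internet-side backdoor probes."""
    by_port, targets, ifaces, probes = Counter(), defaultdict(set), {}, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_port[rec["dpt"]] += 1
        ifaces[rec["src"]] = rec["iface"]          # which side the source sits on
        if rec["dpt"] in ENTRY_PORTS:
            targets[rec["src"]].add(rec["dst"])     # distinct hosts it tried
        elif rec["dpt"] in BACKDOOR_PORTS and rec["iface"] != lan_iface:
            probes.append((rec["src"], rec["dst"], rec["dpt"]))
    scanners = {s: sorted(d) for s, d in targets.items() if len(d) >= scan_threshold}
    return {"by_port": by_port, "scanners": scanners, "backdoor_probes": probes,
            "infected_lan_hosts": sorted(s for s in scanners if ifaces[s] == lan_iface)}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A single inbound hit on 445 from the Internet is background noise; a LAN host fanning out to 445 on many addresses, or anyone knocking on 3067, is what deserves a look.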
Open Standards Portal
If we assume that the Apache sites are nicely split between Apache 1 and 2, that's still 33.5% for each putting both ahead of IIS, which also assumes that there is only one version of IIS deployed, which would be incorrect since 2k has IIS 5 and 2003 IIS 6.
I'm not aware of any vulnerability in IIS 6. Can you point me to one?
Now from what I've heard, Apache 2 is probably deployed less than 1, but either way you slice it, Apache has more sites than any single version of IIS.
Keep going with the slicing and dicing. All you've done is made the distinction between two major versions of Apache. There's many versions within each major release. For example there's versions: 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26, 1.3.27, 1.3.28, 1.3.29, and 1.3.31. That's 13 different versions of Apache in just the 1 fork. And only versions available in or after 2000. For the 2 fork we have: 2.0a1, 2.0a2, 2.0a3, 2.0a4, 2.0a5, 2.0a6, 2.0a7, 2.0a8, 2.0a9, 2.0.35, 2.0.36, 2.0.39, 2.0.40, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, and 2.0.49. That's 21 unique versions of Apache in the 2 fork...excluding alpha/beta releases.
Now one can argue that some of those old versions are few and far between. But the sheer number, 34, of different versions means that if we were to assume your 50-50 split above and then assume equal weighting for the remaining (not that I would recommend it but bear with me) then at most any version in the 1 fork would have only 3.35% of the market. And any one version in the 2 fork would have a maximum of 2.39% of the market. One has to ask: When was a flaw introduced? When was a flaw corrected?
But then one has to factor in the different platforms that Apache runs on. Cross compilers can generate different binaries for different platforms. They are not used to make a single binary that can run on every platform. Even if someone took the time to compile a version for the most significant platforms the spread of the malicious code would be hindered by the mere fact that it cannot run on a different platform for which it was compiled.
Barring that there's the myriad of different distributions. RedHat 9.0 may have patched their Apache version 1.3.28 while version 8.0 was not. Redhat is known to use the same version with extended version numbering. Lather, rinse, repeat for any number of different distributions and you can see that the "Apache outnumbers IIS" is most likely specious.
The problem is, a lot of Winblows software won't run without admin privileges. Also, XP doesn't encourage setting up user accounts. Many people don't even know they exist.
This might be true in some obscure legal system where companies think they can write their own laws.
In Europe it is generally accepted that once you bought it it is legally yours and you can do with it as you please. (like re-selling)
You own the right to run 1 copy of software product X and that is it.
There is no significant difference between the OEM or the full retail versions of the product so the differentiation Microsoft makes lives entirely in their own fantasy.
The GPL is a different matter as it *does* fit in an existing legal framework
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Like this one?