Slashdot Mirror


Windows Users Fear Korgo Virus

An anonymous reader writes "A new virus is on the prowl that can infect your Windows XP/2K system and record every key you hit on your keyboard. The keys are then sent back to the virus creator, where he/she can steal your passwords and credit card information. The virus, named Korgo, started showing up in the last week of May, but it now has at least six different variants. To protect yourself from this nasty virus, Microsoft is urging all users to download the KB835732 Security Update. As with the Sasser worm, you'll get the Korgo virus without even knowing it. It does not arrive by email, but simply by being connected to a network or to the Internet without having a patched machine or a properly configured firewall."

22 of 533 comments

  1. KB835732 by thebra · Score: 5, Interesting

    The company that I work at pushed the KB835732 patch out to a few thousand machines. It caused some incompatibility issue that caused Windows to blue screen with the error "Winsrv.dll missing or corrupt"; it's been a blast removing the patch through the recovery console, especially walking remote users through it.

    1. Re:KB835732 by BlowChunx · Score: 2, Interesting

      Hmmm...a fix for the fix. Interesting.

      How nested can that go?

  2. Re:Hmmm.... by SnowDeath · Score: 1, Interesting

    Almost makes you feel bad for all those people with pirated copies of Windows XP that can't put the patches on, doesn't it?

  3. Re:Sent back to creator? by Mz6 · Score: 2, Interesting

    My guess is that is just an easy way to explain that the creator has some way of retrieving the information once sent from the infected system. In some of the worm documents, it says that it connects to multiple IRC servers and unknown channels. That could be the possible dump for information or more for controlling once infected.

    --
    Hmmm.

  4. Okay, you got me... by DigitalSorceress · Score: 3, Interesting

    I read the post and immediately thought "oh gosh, here we go again" and went to MS windows update to update my workstation while I downloaded the patch. Then I realized that I'd already updated everyone here at the office back when the patch first came out.

    Damn, I gotta rtfa *grin*

    Seriously though, even though I check for new updates religiously and try to keep all the users on my network up to date, I guess I'm still a little gun-shy.

    --

    The Digital Sorceress

  5. Re:Hmmm.... by 2Flower · Score: 4, Interesting

    Nope. I have a questionable windows copy -- I won this computer in a legit contest STRAIGHT from Intel itself, and it didn't come with any documentation or keys. When I go to Windows Update, it refuses to work because it thinks I have a pirated key.

    Needless to say, installing individual hotfixes like these is a PITA.

  6. Re:Darwinism by Ayaress · Score: 4, Interesting

    Sadly, that's not the bottom 5% of the userbase. In the last three months, I've had to fix six home user computers and one that was used to track the finances of a church. Four of the home computers had never had Windows Update run (and both of the other two had only been force-fed updates through manufacturer-installed support software), and the Church computer was still vulnerable to the Blaster worm (Thankfully the thing wasn't connected to the Internet)

  7. updating by millahtime · Score: 2, Interesting

    Since only legal users of XP can install the updates, does this mean that all those people using illegal copies can't get the update?

    Figuring so, a lot of people could get screwed.

  8. Keystrokes: transmitted in the clear? by G4from128k · Score: 2, Interesting

    Are the logged keystrokes of most of these viruses transmitted in the clear? If so, then couldn't one create an outbound traffic monitor that watched for certain key character strings (such as passwords, account numbers, etc.), and if the monitor saw sensitive data strings in clear text, it would halt the transmission and alert the owner. This could also be used to halt snooping of files and directory structures -- just create a file with a monitor-prohibited file name and contents.

    As a side benefit, the system would also catch insecure site logins - seeing which websites are asking for unencrypted sensitive data such as passwords.

    --
    Two wrongs don't make a right, but three lefts do.

  9. Re:Older versions by billmoss · Score: 1, Interesting

    is win98 the most usable, but safest ms os? it seems like nt/2k/xp, etc. are so susceptible to spyware, worms, and viruses.

    is win98 really the safest ms os for use on the internet for moderately informed users (who don't enjoy patching their ms os).

    i am considering downgrading several xp machines on a domain, there isn't a lot of advantage vs win98, or is there? stability could be argued, more control of processes, better (cough cough) security...

    would love to hear why i should or should not downgrade these xp machines.

  10. Re:Hmmm.... by Fig,+formerly+A.C. · Score: 4, Interesting

    And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or at least 445) right out of the box?

    Forgive my ignorance, but shouldn't the lightweight consumer-grade routers (Linksys and such) with NAT be effective as well at blocking this sort of thing?

    --
    Murphy was an optimist.

  11. Re:Hmmm.... by zoloto · Score: 2, Interesting

    an even better way to go about it is for when I must reinstall MS OS, I use the "MS Security Update CD (February Edition 2004)" and have a prepared directory I can burn to cdrw with the latest antivirus, antispyware, firewall and software apps (OOo, gaim, mozilla + extensions) and do everything while it's not connected to the internet/intranet.

    only AFTER do I connect with IE (setting IE's homepage to http://windowsupdate.microsoft.com) and get the rest. Also setting their computers' "automatic update" feature to automatically download and either install automatically at a certain time of night (cablemodem users always on computers behind NAT) or to ask before downloading/installation (dialup users).

    usually this works. most of the time I just collect the downloadable files from M$'s technet and have them stored on a removable hdd so i can do it manually if their dialup is just too slow, as it usually is.

    anyways, that's what I do, what works for you????

  12. Re:Details: by sharkdba · Score: 2, Interesting

    ...so anything that zonealarm misses is heading straight for me.

    Well, at least you have zonealarm. My clueless neighbor just recently asked me to check his computer, since he had some "problems" with it. I checked; he had XP w/o any firewall/virus/spyware on it. His computer would reset itself every 7 minutes (I guess some kind of worm) every time he connected to the internet.

    So, I installed zonealarm and ad-aware from my external HD. When connected to the internet I was surprised by how many attempts to connect or send data out zonealarm blocked. Geez, this was like an army waiting to either destroy or use his computer for some other malicious tasks. And ad-aware found over 200 spyware programs! Suffice to say, the computer stopped resetting. I run an online virus program as well. I still have to update his XP with patches, but that's for another evening.

    The Internet is a nasty place nowadays. I thought XP comes with a built-in firewall. Guess either he bought it before that was the case, or the firewall is off by default, or it just plain sucks.

    --
    The purpose of life is to find the purpose of life.

  13. Re:Darwinism by JWSmythe · Score: 2, Interesting

    Have you checked for recalls on your car, toaster, or microwave oven?

    If your toaster had a recall on it, and for whatever reason caught fire in the middle of the night and burnt your house down, you'd be suing the manufacturer. Well, if you didn't, your insurance company would. They don't like giving away money, they like to get it back from somewhere else.

    What's different in a product which simply exists in a larger product? Would you be checking for recalls on the radio in your car? Probably not.

    People are generally greedy. Most of the people I knew that tried to get their tires replaced under the Firestone recall did it not for safety, but because their tires were pretty much worn out, and they wanted new tires for free. People with good condition tires, even though they had seen all the press on the recall, didn't bother with it. Why? "It won't happen to me."

    It's just like unprotected sex. Everyone knows of the dangers of unprotected sex, but they believe, "It won't happen to me." Well, not til the day they go to the doctor and find out they have a STD, or worse, a potentially fatal STD.

    I heard about one guy who kept baby wipes in his bathroom. He'd wipe himself off after sex, believing it was a "better" solution. It's the same as people who believe they've protected themselves from computer problems by not opening emails with attachments. Sure, it stops some, but not all.

    "I don't have to worry about Sasser, there are so many computers on the Internet, it'll never find me."

    If Microsoft made the security patches part of a cool new free "gotta have it" product, there's a pretty good chance, a larger segment of the users would get it immediately. As it is now, most users have Windows that is at the same patch state as when they took it out of the box.

    --
    Serious? Seriousness is well above my pay grade.

  14. Re:Not surprising. by ZiggyM · Score: 2, Interesting

    It is so sad that MS doesn't really give a sh*t about these issues (there must be some financial gain for them, I'm sure.)
    I used to work for MS; I was innocent back then and thought MS was good. When they did the automatic updates feature, I was very surprised that they didn't turn it ON by default, so I emailed the right internal people, being myself a fulltime programmer at MS. The security team from the windows team never emailed back. Same thing happened when they did the simple windows firewall. They also did not enable it by default, and never gave a sh*t about my obvious suggestion to ship the feature enabled.
    I don't work for them anymore; now I own a mac and love computers and programming again.

  15. Re:So you do all routine maintenance right? by JWSmythe · Score: 2, Interesting

    I just posted a similar rant. :)

    You're absolutely right. I have a friend who was completely anal about a lot of things. His car was his favorite toy. He's 30-something now, and has started becoming more lax. He hasn't been rotating his tires, or even taking a good look at them. He was occasionally glancing at the outside edge, seeing the tread looked ok, and assumed all was fine.

    A couple weeks ago, on a wet road, he slid off the road, and his car ended up in a lake. Why? Because his alignment was a little bit off, and the majority of his tires were bald. Well, all except the outside edge, which appeared to have tread. He had a very nice car. Now it's a very nice decoration at a junk yard. He's fine. He just got wet, swimming out of the lake. He found out about the tires when they loaded the car on the tow truck, and he noticed the tires.

    As far as cars go, I don't go by mileage, but that's because I'm very technical, and look for the indicators which say something needs to be done. That may mean I rotate my tires at 10,000 miles, or I change my oil at 2000 miles, or 6000 miles. But non-technical drivers, who don't even check their oil, think that 3000 miles means "3,000 miles, or when I feel like it in a couple months". I changed the oil in a car once that came out as sludge. I flushed light-weight oil through that engine about 3 times before it came out like liquid.

    But I'm far from perfect too. My last annual physical was 5 years ago. I don't have the current firmware on all my hardware. I have no idea if my toaster, microwave, or tv have been recalled. It usually takes me a week or two to get around to fix the time on the clocks when time changes happen.

    --
    Serious? Seriousness is well above my pay grade.

  16. Re:Details: by SatanicPuppy · Score: 5, Interesting

    It comes with a firewall, but it's like that thing with Outlook where you can tell it "Don't let me download anything that might harm my computer" a handy function that protects you from ever downloading anything, or opening any attachment.

    When you turn the firewall on, it blocks a ton of ports, which may or may not include ports it should block (telnet). Needless to say there isn't any way to configure which ports. It's all or nothing.

    I've got it on, but god knows if it's doing any good, as it's behind 2 better firewalls.

    Hmmm. Lol. Okay, I just portscanned myself, and despite my setting it to dump ALL non-established incoming tcp/ip, it doesn't block a bunch of ports (below), including IIS and 445, though it does block SSH and telnet (then again, those services might not be available for my version of windows, so who the hell knows?)

    In conclusion, it sucks, and it won't protect you from this virus.

    7/tcp open echo
    9/tcp open discard
    13/tcp open daytime
    17/tcp open qotd
    19/tcp open chargen
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    1027/tcp open IIS
    5000/tcp open UPnP

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.

  17. short lived? by abertoll · Score: 3, Interesting

    "The keys are then sent back to the virus creator"

    I've always wondered about this sort of thing... doesn't that make the creator pretty easy to catch?

    --
    "he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."

  18. Securing a password detector by G4from128k · Score: 2, Interesting

    So what you're proposing, and please, correct me if I am mistaken, is that one should gather all one's sensitive pieces of data: credit card numbers, passwords, and the like, and compile them all into a plaintext set of firewall or IDS rules? Where would one store this treasure trove of sensitive information, conveniently gathered into one place for ease of use? Perhaps I have missed a critical component of your plan, which I'm sure isn't nearly as patently insane as it sounds.

    Your point is a very good one. Each "security" feature adds another potential weakness to a system - witness the Witty worm for a recent example of new vulnerabilities created by security.

    You are right about leaving critical data in plain text. The system would use a hashing system that compares hashed key values to a hash of running network data stream. The hash would be coded off a password and use a suitable one-way hash function that does not allow knowledge of the password to permit unhashing of the stored key values (think public key crypto).

    Also, those with double-layer tin-foil hats might only enter partial substrings from key account numbers, passwords, etc. (e.g. the last 8 digits of a social security number). One could even create a simple non-useful code string such as "this string should never appear in outgoing network data" -- typing this in occasionally would catch the send activities of keyboard loggers. Innocuous, but unique strings could also be used inside files or in filenames to detect directory and file snooping.

    Does the idea still sound insane?

    --
    Two wrongs don't make a right, but three lefts do.

  19. Re:Hmmm.... by AcornWeb · Score: 2, Interesting
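An illustration of the keyed-hash canary monitor sketched in comments 8 and 18, added here as an example and not code posted by anyone in the thread. It assumes a local secret chosen by the operator, HMAC-SHA256 as the one-way function, and constructed sample traffic; registered strings are kept only as tags, and outgoing bytes are hashed window by window and compared against them.

```python
import hashlib
import hmac

# Added example: a keyed-hash canary monitor for outgoing data. Sensitive
# strings are kept only as HMAC-SHA256 tags under a local secret (a key the
# operator chooses; constructed here), never in plaintext. Outgoing bytes are
# hashed window by window and compared with the stored tags.
class OutboundCanaryMonitor:
    def __init__(self, key):
        self._key = key
        self._tags = {}  # window length -> set of HMAC tags of that length

    def _tag(self, data):
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def register(self, secret):
        """Store only the keyed hash and length of a sensitive string."""
        self._tags.setdefault(len(secret), set()).add(self._tag(secret))

    def scan(self, payload):
        """Return (offset, length) for every registered string found in payload."""
        hits = []
        for length, tags in self._tags.items():
            for i in range(len(payload) - length + 1):
                # Only the tag of the window is compared; the payload window
                # itself is never written anywhere.
                if self._tag(payload[i:i + length]) in tags:
                    hits.append((i, length))
        return sorted(hits)


# Constructed canary, as suggested in the thread: a string nobody would type
# except to test the monitor.
CANARY = b"this string should never appear in outgoing network data"
PARTIAL_ACCOUNT = b"1234-5678"  # constructed sample: a partial account number

def build_monitor(key=b"constructed-local-secret"):
    mon = OutboundCanaryMonitor(key)
    mon.register(CANARY)
    mon.register(PARTIAL_ACCOUNT)
    return mon

# Constructed sample traffic: a benign request and an IRC-style message
# carrying the canary and the partial number in the clear.
CLEAN_TRAFFIC = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"
LEAKING_TRAFFIC = b"PRIVMSG #chan :keys=" + CANARY + b" card=" + PARTIAL_ACCOUNT

if __name__ == "__main__":
    mon = build_monitor()
    print("clean:", mon.scan(CLEAN_TRAFFIC))   # []
    print("leak:", mon.scan(LEAKING_TRAFFIC))  # [(20, 56), (82, 9)]
```

Keeping only tags means whoever reads the rule file learns string lengths, not the strings themselves, but the monitor still sees cleartext only: encoded or encrypted exfiltration passes through untouched.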

    Actually, the XP firewall will block Sasser and all those other nasty viruses. Granted, it will block other stuff you want, like printer sharing, but the XP firewall does work.

    Case in point: a guy at work left his new XP computer installing with his network cable plugged in over night (so that the install would finish). When he came in in the morning, there were two viruses (Sasser and Gaobot on his computer). He re-installed, turned on the XP firewall with his network cable unplugged and then plugged his network cable in. No viruses.

    At that point, you do of course go to Windows Update. :-)

    --
    Your Windows PC is my other computer.

  20. Re:Not surprising. by valmont · Score: 1, Interesting

    Yup that's the thing. Apple ships their operating system with absolutely all ports turned-off by DEFAULT. You absolutely cannot establish any connection to any port of a default OS X installation from any remote machine. Security works in layers, and this is one thick layer, a very important first line of defense. You would think that since the heydays of CodeRed and Nimda back in 2001 Microsoft would have learned to disable all listening network services on a default installation. No. They never did. Here we are today, you can plug a brand new PC onto an unprotected network and get reamed within seconds.

    Microsoft apologists keep claiming that windows is so vulnerable because it is the most prominent operating system. I can tell you that today, if all classic end-user machines were running the consumer-edition (not server) of Mac OS X, none of the network-spread worms that have plagued windows for all those years would be an issue. Because if a machine is not accepting a network connection, you can't infect it over the network.

    You need to look for holes in the next layer of security: application-level security and user-triggered exploits. In that area, there are issues surrounding protocol handling and application launching that Apple needs to address. And I'm getting to be impatient :(

  21. Windows Update & the start menu by rokali · Score: 2, Interesting

    Maybe this has been asked before, but what idiot at Microsoft decided to remove Windows Update from the default Start Menu in XP? You have to go to the help center to find it. That is at least one reason why so many simple PC users don't update.