Lessons Learned From Blaster

CowboyRobot writes "It's been nearly a year since Blaster struck, causing hundreds of millions of dollars in fixes and lost revenue. Jim Morrison of Symantec goes step-by-step in looking at how the Blaster worm got out of control so quickly, and what lessons can be learned from that event, by studying how one utility company dealt with it." The story is written as a fun, technothriller narrative; here's a snippet: "The laptops, usually out in the field, were always a hit-and-miss proposition to find on the network and deliver a patch or to have the user take the machine to a field office. That meant that on the 16th they could see a flood of traffic launched against Microsoft. The second phase of Blaster, launching a DoS (denial of service) attack against windowsupdate.com, was imminent."

25 of 312 comments

  1. I learned from Blaster six months before the fact. by gfecyk · · Score: 5, Interesting

    Back when Messenger Service popups happened and started using $80 hardware firewalls that doubled as Internet sharing boxes.

    When Blaster hit I was sitting pretty and so was every client that took my advice.

    *yawn*

    --
    Use Evolution instead of Outlook? Bewa
  2. Re:Lesson Learned... by Prod_Deity · · Score: 5, Interesting


    First off... I personally agree with that statement.
    Second... I was working a dead end call center job for an ISP when Blaster was running rampant.
    Even though this was a Windows problem (and should have been sent to Microsoft), we troubleshot it since it did technically stop a customer from getting online.
    I think after that, nearly every Joe 6-pack finally realized that the thing in his "Start Menu" called "Windows Update" was something to use often.

  3. Sadly OSX is Next by artlu · · Score: 1, Interesting

    I use OSX since I never get virii or worms, but they are coming to the mac soon enough. Although, everyday I am using windows less and less and only for Oracle development (OAF/JDEV) because of my job.

    I guess the only thing to learn from the blaster worm is to switch to OSX. ;)

    GroupShares Inc. - A Free Stock Trading Community. Over a 100 active members daily!

    --
    -------
    artlu.net
  4. Trusted Computing is the answer. by King_of_Prussia · · Score: 5, Interesting
    No, hold back your -1 troll mods, I don't mean that coathanger abortion of an idea that Microsoft has been diddling around with for a while, but a new kind of trust level for computer users. Say every time a virus has to be removed from a Windows box because a user clicked an attachment a little value increments by one. Once it reaches 10 or so the computer starts throwing up helpful hints like "Don't click on things labelled 'Enlarge your Penii!', they can most likely not deliver on their claims!".

    If it gets really high, e.g. 50 or so (your average AOL user) automatically turn on the Windows Firewall, and include a flag on every outgoing packet indicating that the user cannot be trusted to operate their computer in a safe fashion. Webmasters can then block traffic from these PCs at their discretion - Problem solved.

    --

    Making the moon less necessary since 1998.

    1. Re:Trusted Computing is the answer. by l810c · · Score: 4, Interesting
      If it gets really high, e.g. 50 or so (your average AOL user) automatically turn on the Windows Firewall, and include a flag on every outgoing packet indicating that the user cannot be trusted to operate their computer in a safe fashion. Webmasters can then block traffic from these PCs at their discretion - Problem solved.

      How would having Webmasters looking for a 'trusted' flag solve anything? Users don't infect websites. Webmasters from 'bad sites' (porn, warez, etc) would also have a flag telling them that they have a prime target currently browsing their site. Grab the IP and launch other more nefarious processes against the sitting ducks thus furthering the mayhem.

  5. Automatic Updates by Wedge1212 · · Score: 3, Interesting

    Automatic Updates and Norton...and try to minimize office guests access to the network...

    --
    See Sig! See Sig Zig! Zig Sig Zig!!!!!
  6. URL for GCIH analysis of Blaster by JohnVH · · Score: 4, Interesting

    http://www.giac.org/practical/GCIH/John_VanHoogstraten_GCIH.pdf

  7. Re:VPN's aren't perfect pipes by thogard · · Score: 5, Interesting

    VPNs can be owned too, and so can "trusted" links to remote controlled systems. We had a (XP?) box deep inside our network get compromised with a virus that stayed in memory. It got there over a remote control system from another PC that was sometimes hooked to the net. The box deep inside the network then started hunting for other boxes to own, and it found an NT 4 server that could make outbound connections to the net and it set up a nice little email proxy. Lucky for me, my test network isn't as open as it appeared and my FreeBSD box clamped down on the outbound SMTP traffic. A few new rules later (to let the SMTP traffic appear to go out) and the NT box was trying to spam AOL as fast as it could.

    There are some tricky things out there that will take advantage of "internal trust" so my new rule is no PC talks to anything else but its samba, proxy or email server. Windows PC's can't talk to any other Windows PC.

  8. What about Mona? by grotgrot · · Score: 2, Interesting

    What I found outrageous is that they disconnected customers. Even though they knew there was a payment issue. Surely the first thing to do would have been to put all disconnections, late fees etc on hold until after you know what the situation is.

    They didn't include the cost of alienating customers or destroying their own brand image in the post mortem. But then again it would be a breath of fresh air to find a utility company that shows compassion or cares about its own image.

  9. Re:How many times do people have to be told by Glamdrlng · · Score: 2, Interesting
    ... to stop executing screensavers, executables, etc. when they appear in their mailbox? I guess it doesn't matter since it only takes the weakest link to compromise an entire corporate network.
    First off, blaster wasn't spread through email attachments. But for the helluvit, here's my corresponding question: when will mail server admins learn to stop allowing attachments with .scr, .com, .exe, etc extensions?
    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  10. Re:Included in TCO? by OneSeven · · Score: 3, Interesting
    you mean something like this ...
    economists and industry analysts believe that the losses in productivity, lost revenue from disabled systems, and the human cost to patch systems and restore those that became nonfunctional are substantial--somewhere between $320 million and $500 million or more.
    RTFA
  11. Re:VPN's aren't perfect pipes by HermanAB · · Score: 4, Interesting
    "my new rule is no PC talks to anything else but its samba, proxy or email server"

    Good quality routers, e.g. HP2524, can be configured for 'port to port security'. So it is actually very easy to configure a system to prevent PCs from blabbing to each other.

    If the PCs can only see the servers and the servers are all Linux or Mac boxen, then the system is remarkably robust.

    --
    Oh well, what the hell...
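The rule thogard and HermanAB describe above (workstations may talk to their Samba, proxy and mail servers and never to each other) is just as useful as a detection rule as it is as a switch ACL. The following is an added example, not code from the thread or any poster: it evaluates constructed flow records against that rule and reports the ones that break it, so a flow log from the border or the switch can be checked for lateral traffic. The address plan, the server list and the sample flows are all constructed for the example.

```python
"""Added example (not from the thread): check flow records against the
'workstations talk only to their Samba, proxy and mail servers, never to
each other' rule and report violations. All addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: one workstation subnet and three permitted servers.
WORKSTATIONS = ip_network("10.1.0.0/24")
ALLOWED_SERVERS = {
    ip_address("10.2.0.10"): {139, 445},       # Samba file server (SMB)
    ip_address("10.2.0.20"): {3128},           # web proxy; no direct Internet
    ip_address("10.2.0.30"): {25, 110, 143},   # mail server
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_allowed(flow: Flow) -> bool:
    """Policy decision for one flow, from the workstation's point of view."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in WORKSTATIONS:
        return True               # rule constrains workstation-originated traffic only
    if dst in WORKSTATIONS:
        return False              # no PC-to-PC traffic on any port
    permitted = ALLOWED_SERVERS.get(dst)
    return permitted is not None and flow.dport in permitted


def audit(flows):
    """Return the flows that break the rule (for alerting or an ACL review)."""
    return [f for f in flows if not is_allowed(f)]


def violations_by_source(flows):
    """Count violations per workstation; a host with many is worth a look."""
    counts = {}
    for f in audit(flows):
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample flow log.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.2.0.10", 445),       # file share: fine
    Flow("10.1.0.5", "10.2.0.20", 3128),      # via proxy: fine
    Flow("10.1.0.5", "10.1.0.9", 135),        # PC to PC RPC: violation
    Flow("10.1.0.5", "10.1.0.10", 445),       # PC to PC SMB: violation
    Flow("10.1.0.7", "203.0.113.4", 80),      # bypassing the proxy: violation
    Flow("10.2.0.30", "203.0.113.4", 25),     # mail server outbound: not covered
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {f.src} -> {f.dst}:{f.dport}")
```

Run on the sample log it reports the two PC-to-PC flows and the host that went to the Internet without the proxy; feeding it real NetFlow or firewall log records only needs a small adapter that builds `Flow` objects.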
  12. Re:I learned from Blaster six months before the fa by Babbster · · Score: 2, Interesting
    Fascinating. But every person who posts this observation (and at least one person does right off the top of every /. security discussion) forgets that, generally, people who get trashed (apart from network congestion which hits everyone) by this kind of thing barely understand the concept of a "fully patched OS" let alone NAT, firewall, or packets.

    One day, in a galaxy...never mind...One day, internet connections won't even be possible with an exposed PC address. DSL/cable won't even be permitted to connect directly to a PC without DHCP/NAT interposed between. The sky will be clear of pollution. All people will clasp hands in a show that we are all from the same human family and we all have rights......

    I'm getting loopy. It must be those packets I solicited from that guy downtown.

  13. Re:Blasters effect on Cisco by Beryllium+Sphere(tm) · · Score: 3, Interesting

    Denial of service by cache poisoning!

    I guess it's an example of the kind of attack suggested in http://www.securiteam.com/securityreviews/5AP0V0AA1W.html

    The general idea is that you attack an application by exploiting differences between its average performance and its worst-case performance.

  14. Re:Why were they running kiosk systems on XP? by Monkelectric · · Score: 2, Interesting

    Here's the reason they weren't: You have to hire REAL programmers to write a QNX program, your MCSE visual basic hacks can't drag and drop their way to an application on QNX.

    --

    Religion is a gateway psychosis. -- Dave Foley

  15. Re:Lesson Learned... by Anonymous Coward · · Score: 1, Interesting
    Agreed. It's like all the people sobbing about how many jobs lost when a fraudulent company like WorldCom or Enron dies - when all along honest companies were dying along the way trying to compete.

    The millions "lost" were a better educational lesson than the same "millions" spent on "continuing education training".

  16. Massive distributed computing by freeduke · · Score: 4, Interesting
    When this worm hit a lot of my friends, at home, I first tried to figure out what it did, beside restarting computers.

    It did nothing to the files, just rebooted the computer, and waited for a precise date to attack Microsoft's site. I wanted to participate in this huge distributed computing effort.

    To do this, no patch was required: just open the control panel, click on ugly icons, and go to the RPC panel. Here, I was surprised to see that the main annoying comportment of this worm was due to a default Windows setting!

    The default option on RPC failure is to "restart computer"! So I chose the "restart service" option for every failure and that worked fine! All my friends could now live with this worm and contribute to this distributed computing effort!

    Default options in Windows are users' worst choices: restart the computer on every failure!! The funniest, and stupidest, one is the default restart computer on... boot failure!

    To fix every virus under Windows, put a Knoppix CD in your box and then restart your computer for the last time.

  17. Missing the point by Tom · · Score: 2, Interesting

    9.5 for style, 0 for content.

    Patching is dead. In a world where worms can spread faster than patches, patching is by definition a failed paradigm.

    Of course, too much so-called security business depends on the model of adding layer after layer after layer (each layer another product that can be sold) to achieve "security". Whereas security (without quotation marks) is often reached by reducing rather than increasing complexity.

    My bet is 18 months or less before a worm uses some exploit in an anti-virus or anti-worm software to propagate.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:Missing the point by gerardrj · · Score: 4, Interesting

      Well, there are three problems with windows update which IMO takes significant blame away from the users:

      1. Microsoft's update system has been less than simple to date. Ex:
      Update 00dflkjsd_9 - fixes a flaw in some obscure dll which you have no idea if you use or even have installed. Only install this update if you are having problems with some arbitrary function after installing update fskjsdf_3. ( I have no idea what update fskjsdf_3 IS, never mind if I've had trouble with it. If I install this anyway, will it cause me trouble that it was trying to fix?)
      Yea, I made it up, but that's my impression of some items I've seen the few times I've had to update a windows machine. (I run OS X myself). This is compounded by MS's apparent refusal or inability to "roll up" updates in to "service packs" on a regular basis.

      2. You have, until recently, been forced to launch MSIE and specifically visit WindowsUpdate to check for updates. Only MSIE works and there was no automated checking feature. To my knowledge auto-check is only available in XP. The large number of users in corporations don't have any need to upgrade from 2000, or 98/95 and don't have the auto-check feature.

      3. Once you are at the site and see there are updates to install, you might have to reboot the system several times. MS is quite fond of "exclusive installers" where you can only choose the one update to install, then reboot and move on to others. From a clean install, this will usually require at least three reboots on an XP box. For a small home machine this may only take two minutes per reboot, but for self monitoring servers a reboot can take up to 10 minutes what with memory tests, system checks, RAID startup, clock syncing, etc.

      The questions I have for Microsoft are:

      Why can't you issue a service pack for XP already? All the patches are verified, just apply them cumulatively in a single unified installer.
      Why aren't the existing patches on the new CDs and systems that people are purchasing? Surely MS has the clout to force the integrators to apply existing patches before shipping a system. There's absolutely no reasonable excuse for a brand new system from HP, Dell, or Gateway to arrive with security holes that were identified and patched two years ago.

      --
      Article X: The powers not delegated... by the Constitution...are reserved...to the people
    2. Re:Missing the point by optimus2861 · · Score: 2, Interesting

      In response to points 1 and 2:

      1. To be fair, this isn't a Microsoft-specific problem. I've seen a fair amount of technobabble in the Mandrake-secure mailing list; several times I've had to check to see whether I even had a package installed that was discussed in an advisory, since the advisory sometimes doesn't give you anything but an obscure package name to go on. And there have been a fair lot of advisories; about 40-50 this year, including at least three kernel upgrades. Mandrake's graphical rpm manager is pretty good at sorting things out for you, though -- just pick the "Security updates" button and it shows you all the ones you need.

      2. Automatic updates are available on Windows 2000, from service pack 3 I think. Doesn't mean it works worth a damn, though; I had to shut mine off at work because it kept prompting to download the same patch over and over and over again. Think I installed it 10-12 times over a 2-week span before I clued in.

      Point 3 is spot-on, though I was pleasantly surprised this weekend when I installed a pair of "Critical Updates" on my XP Home box and didn't have to reboot.

    3. Re:Missing the point by ooby · · Score: 2, Interesting

      Not only does autocheck work on 2000, you also don't need IE to install any of the updates (except, of course, for IE updates). You can download each update and install it from your machine using Mozilla, albeit they don't make it easy.

  18. A Good Login Script Is Your Friend by Anonymous Coward · · Score: 1, Interesting

    We got hit by Nachi/Welchia at the end of August 2003 while I was on holiday with my daughter.

    I came back to work to find the place in chaos (the volume of traffic that critter produced on our network was astounding).

    I knocked up a KiXtart script which, when run remotely with Administrator credentials using Sysinternals.com's PSExec, detected the presence of the worm, killed the process if it was running, ran McAfee's Stinger and patched the workstation.

    A modified version of that script which detects over 100 common viruses is now run on every workstation when the users log in.

    In my experience, there's a residual 2 to 3 percent of workstations which, for a variety of reasons, refuse to be patched remotely (usually no ADMIN$ share, sometimes in need of a service pack).

    Every month I use the same techniques to push out critical patches to our 2000+ desktop PCs.

    It's amazing what you can do with free software.
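The post above describes a fixed order of work per workstation (stop the worm, scan, patch) and a residual set of hosts that cannot be reached remotely at all. As an added example, not the poster's KiXtart script, the following triages constructed inventory records in that order and counts the residual. The worm process name, the hotfix identifier and the service-pack prerequisite are placeholders, and the fleet records are constructed.

```python
"""Added example (not the poster's script): triage constructed workstation
inventory records in remediation order (worm first, then patch) and count
the hosts that still need a manual visit. Indicators are placeholders."""
from dataclasses import dataclass, field

WORM_PROCESSES = {"worm-sample.exe"}        # placeholder, not a real indicator
REQUIRED_HOTFIX = "KB-PLACEHOLDER"          # placeholder patch identifier
MIN_SERVICE_PACK = 4                        # constructed prerequisite level


@dataclass
class Workstation:
    name: str
    admin_share: bool                  # ADMIN$ reachable with admin credentials
    service_pack: int = 0
    hotfixes: set = field(default_factory=set)
    processes: set = field(default_factory=set)   # as seen by a remote listing


def actions(ws: Workstation) -> list:
    """Ordered remote actions for one host, or a manual follow-up reason."""
    if not ws.admin_share:
        return ["manual: no ADMIN$ share, cannot push remotely"]
    steps = []
    if ws.processes & WORM_PROCESSES:
        # Stop the worm before patching, otherwise it keeps scanning meanwhile.
        steps += ["kill worm process", "run on-demand scanner"]
    if ws.service_pack < MIN_SERVICE_PACK:
        steps.append("manual: service pack required before hotfix")
        return steps
    if REQUIRED_HOTFIX not in ws.hotfixes:
        steps.append(f"install {REQUIRED_HOTFIX}")
    return steps or ["nothing to do"]


def needs_manual_visit(ws: Workstation) -> bool:
    return any(step.startswith("manual:") for step in actions(ws))


def summarize(fleet) -> dict:
    """Fleet-wide counts, including the residual that remote pushing cannot fix."""
    total = len(fleet)
    manual = sum(needs_manual_visit(ws) for ws in fleet)
    infected = sum(bool(ws.processes & WORM_PROCESSES) for ws in fleet)
    return {"total": total, "infected": infected, "manual": manual,
            "residual_pct": round(100.0 * manual / total, 1) if total else 0.0}


# Constructed fleet records.
FLEET = [
    Workstation("ws-01", True, 4, {"KB-PLACEHOLDER"}),
    Workstation("ws-02", True, 4, set(), {"worm-sample.exe", "explorer.exe"}),
    Workstation("ws-03", False),
    Workstation("ws-04", True, 3, set()),
    Workstation("ws-05", True, 4, set()),
]

if __name__ == "__main__":
    for ws in FLEET:
        print(ws.name, "->", "; ".join(actions(ws)))
    print(summarize(FLEET))
```

The two "manual:" outcomes correspond to the reasons the poster gives for the residual (no ADMIN$ share, missing service pack); everything else is something the monthly push can handle.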

  19. ISP border by dpilot · · Score: 2, Interesting

    How bad would it be for the router to be tracking state on EVERY packet for EVERY internal customer?

    An alternative would be to go stateless, and just block incoming SYN packets. That would leave UDP open. How big an exposure would that be, or how big a burden would it be to go pseudo-stateful on UDP, blocking incoming SYN on TCP?

    But then again, I don't want to solve ISP problems like this, because I'd like to have remote access to MY systems at home.

    --
    The living have better things to do than to continue hating the dead.
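dpilot's question above is whether an ISP border can refuse unsolicited inbound connections without tracking state on every packet. The following is an added example, not code from the thread: a filter that is stateless for TCP (it only looks at the SYN and ACK flags of inbound segments), keeps a small "pseudo-stateful" table for UDP (an inbound datagram passes only if the inside host sent one to that peer recently), and has an exemption list so the remote-access case from the last paragraph still works. The inside prefix, the timeout and every packet are constructed; the packet builders write minimal headers with a zero checksum because nothing here validates one.

```python
"""Added example (not from the thread): stateless inbound-SYN filter plus a
pseudo-stateful UDP table, run over constructed IPv4 packets."""
import struct
import time
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    # Minimal 20-byte header; checksum stays 0 (constructed test packets).
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def build_tcp(src, sport, dst, dport, flags) -> bytes:
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return build_ipv4(TCP, src, dst, seg)


def build_udp(src, sport, dst, dport, data=b"") -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return build_ipv4(UDP, src, dst, seg)


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, layer-4 bytes) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


class BorderFilter:
    def __init__(self, inside_net, udp_timeout=30.0, allow_inbound=()):
        self.inside = ip_network(inside_net)
        self.udp_timeout = udp_timeout
        self.allow_inbound = set(allow_inbound)   # (inside_ip, port) pairs exempt from the SYN block
        self.udp_flows = {}   # (inside_ip, inside_port, peer_ip, peer_port) -> last outbound time

    def verdict(self, pkt: bytes, now=None) -> str:
        now = time.monotonic() if now is None else now
        proto, src, dst, l4 = parse_ipv4(pkt)
        outbound = ip_address(src) in self.inside
        inbound = not outbound and ip_address(dst) in self.inside
        if proto == TCP:
            _, dport = struct.unpack("!HH", l4[:4])
            flags = l4[13]
            opens_conn = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
            if inbound and opens_conn and (dst, dport) not in self.allow_inbound:
                return "drop"          # unsolicited inbound connection attempt
            return "pass"              # replies (SYN/ACK, ACK) pass without any table
        if proto == UDP:
            sport, dport = struct.unpack("!HH", l4[:4])
            if outbound:
                self.udp_flows[(src, sport, dst, dport)] = now
                return "pass"
            last = self.udp_flows.get((dst, dport, src, sport))
            if last is not None and now - last <= self.udp_timeout:
                return "pass"          # reply to something the inside host sent
            return "drop"
        return "pass" if outbound else "drop"


def demo() -> list:
    """Run a constructed packet sequence through the filter; returns the verdicts."""
    bf = BorderFilter("10.0.0.0/8", udp_timeout=30, allow_inbound={("10.0.0.5", 22)})
    pc, web, dns, outsider = "10.0.0.5", "203.0.113.9", "203.0.113.53", "198.51.100.7"
    steps = [
        (build_tcp(pc, 40000, web, 80, TCP_SYN), 0),              # outbound SYN: pass
        (build_tcp(web, 80, pc, 40000, TCP_SYN | TCP_ACK), 0),    # its SYN/ACK: pass
        (build_tcp(outsider, 4444, pc, 135, TCP_SYN), 0),         # unsolicited SYN: drop
        (build_tcp(outsider, 4444, pc, 22, TCP_SYN), 0),          # exempted port: pass
        (build_udp(pc, 5353, dns, 53), 0),                        # outbound query: pass, remembered
        (build_udp(dns, 53, pc, 5353), 1),                        # matching reply: pass
        (build_udp(outsider, 1234, pc, 161), 1),                  # unsolicited UDP: drop
        (build_udp(dns, 53, pc, 5353), 100),                      # same reply after timeout: drop
    ]
    return [bf.verdict(pkt, now=t) for pkt, t in steps]


if __name__ == "__main__":
    print(demo())
```

The TCP side needs no memory at all, which is the attraction for a router carrying many customers; the cost is exactly the trade-off the post names, since inbound connections to a customer's own machine only work through an explicit exemption. The UDP table is per flow and expires, so it is bounded by the rate of outbound datagrams rather than by the whole customer base.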
  20. fast money is a part of it by zogger · · Score: 2, Interesting

    my isp (small mom and pop outfit) is also a whitebox shop and has a big sign out front that says "we will fix your viruses". I think they like they can make a nice chunk of change off of relatively simple repairs, it's a steady business model. AFAIK talking to the guy who runs it, I'm the only linux user he has. Not saying this is true for all ISPs, but it's like "you" as joe homeuser getting them to do an oil change and tuneup and tire rotation for these shops, and most of them I have been in charge a pretty snazzy rate for de-infesting machines and applying patches-all things the owners of the PCFs could do themselves, but most users choose to remain ignorant it appears, and don't make the effort, so the fixit repair shops take advantage of that, at least the first few times the users get nailed. Say 50$ or something a pop to have your box cleaned, it adds up. I imagine a lot of /. readers here make some nice loot off of windows insecurities and viruses, especially the ones who get hired to run networks or who get called in to fix stuff. No problems and everything running smooth = much less money made in *some* cases. I know that's a bit cynical, but I bet it's true.

  21. Re:Lesson Learned... by j-pimp · · Score: 2, Interesting

    I think after that, nearly every Joe 6-pack finally realized that the thing in his "Start Menu" called "Windows Update" was something to use often. I have a friend that's an economics major. Very intelligent. In terms of calculus knowledge he probably knows more than anyone here without a master in CS. or a BA in pure math.

    I had to tell him how to hook up his speakers to his computer. He had a simple 3 speaker system. He never owned a non USB keyboard so when he saw the PS/2 looking connector that was supposed to connect his right speaker to his subwoofer he panicked and IMed me.

    It's not a matter of creating an idiot proof system. The users aren't idiots, they just don't get it.

    --
    --- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.