Lessons Learned From Blaster
CowboyRobot writes "It's been nearly a year since Blaster struck, causing hundreds of millions of dollars in fixes and lost revenue.
Jim Morrison of Symantec goes step-by-step in looking at how the Blaster worm got out of control so quickly, and what lessons can be learned from that event, by studying how one utility company dealt with it." The story is written as a fun, technothriller narrative; here's a snippet: "The laptops, usually out in the field, were always a hit-and-miss proposition to find on the network and deliver a patch or to have the user take the machine to a field office. That meant that on the 16th they could see a flood of traffic launched against Microsoft. The second phase of Blaster, launching a DoS (denial of service) attack against windowsupdate.com, was imminent."
Back when Messenger Service popups happened and started using $80 hardware firewalls that doubled as Internet sharing boxes.
When Blaster hit I was sitting pretty and so was every client that took my advice.
*yawn*
Use Evolution instead of Outlook? Bewa
First off... I personally agree with that statement.
Second... I was working a dead end call center job for an ISP when Blaster was running rampant.
Even though this was a Windows problem (and should have been sent to Microsoft), we troubleshot it since it did technically stop a customer from getting online.
I think after that, nearly every Joe 6-pack finally realized that the thing in his "Start Menu" called "Windows Update" was something to use often.
If it gets really high, e.g. 50 or so (your average AOL user), automatically turn on the Windows Firewall, and include a flag on every outgoing packet indicating that the user cannot be trusted to operate their computer in a safe fashion. Webmasters can then block traffic from these PCs at their discretion - Problem solved.
Making the moon less necessary since 1998.
Automatic Updates and Norton...and try to minimize office guests access to the network...
See Sig! See Sig Zig! Zig Sig Zig!!!!!
http://www.giac.org/practical/GCIH/John_VanHoogstraten_GCIH.pdf
VPNs can be owned too, and so can "trusted" links to remote-controlled systems. We had a (XP?) box deep inside our network get compromised with a virus that stayed in memory. It got there over a remote control system from another PC that was sometimes hooked to the net. The box deep inside the network then started hunting for other boxes to own, and it found an NT 4 server that could make outbound connections to the net and it set up a nice little email proxy. Lucky for me, my test network isn't as open as it appeared and my FreeBSD box clamped down on the outbound SMTP traffic. A few new rules later (to let the SMTP traffic appear to go out) and the NT box was trying to spam AOL as fast as it could.
There are some tricky things out there that will take advantage of "internal trust", so my new rule is no PC talks to anything else but its Samba, proxy or email server. Windows PCs can't talk to any other Windows PC.
Good quality routers, e.g. the HP2524, can be configured for 'port to port security'. So it is actually very easy to configure a system to prevent PCs from blabbing to each other.
If the PCs can only see the servers and the servers are all Linux or Mac boxen, then the system is remarkably robust.
Oh well, what the hell...
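The segmentation rule in the comment above (a PC reaches only its Samba, proxy and mail server; no PC-to-PC traffic; only the mail server sends SMTP out) written as a checkable default-deny policy. This is an added example, not the commenter's configuration or firewall rules; the addresses, ports and sample flows are constructed, hypothetical values.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Constructed, hypothetical addressing: PCs in 10.1.0.0/24, servers in 10.1.1.0/24.
WORKSTATIONS = ipaddress.ip_network("10.1.0.0/24")
SERVERS = ipaddress.ip_network("10.1.1.0/24")
MAIL_SERVER = "10.1.1.30"
# The only (server, proto, port) triples a PC is allowed to reach.
PC_ALLOWED = {
    ("10.1.1.10", "tcp", 139), ("10.1.1.10", "tcp", 445),  # Samba file server
    ("10.1.1.20", "tcp", 3128),                            # HTTP proxy
    (MAIL_SERVER, "tcp", 25), (MAIL_SERVER, "tcp", 110),   # mail server
}

def decide(flow: Flow) -> Tuple[str, str]:
    """Return ('allow'|'deny', reason) for one flow under a default-deny policy."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    key = (flow.dst, flow.proto, flow.dport)
    if src in WORKSTATIONS:
        if dst in WORKSTATIONS:
            return "deny", "PC-to-PC traffic (worm lateral-movement path)"
        if key in PC_ALLOWED:
            return "allow", "PC to its designated file/proxy/mail server"
        return "deny", "PC to anything other than its designated servers"
    if src in SERVERS and flow.proto == "tcp" and flow.dport == 25:
        if flow.src == MAIL_SERVER:
            return "allow", "mail server relaying outbound SMTP"
        return "deny", "outbound SMTP from a non-mail host (spam-proxy pattern)"
    return "deny", "not covered by an allow rule"

def evaluate(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    return [(f, *decide(f)) for f in flows]

# Constructed sample flows: an RPC probe between PCs (the Blaster pattern) and an
# internal server trying to send mail directly, plus ordinary allowed traffic.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.1.0.9", "tcp", 135),        # RPC/DCOM probe to another PC
    Flow("10.1.0.5", "10.1.1.10", "tcp", 445),       # file share
    Flow("10.1.0.5", "10.1.1.20", "tcp", 3128),      # web via proxy
    Flow("10.1.0.5", "198.51.100.7", "tcp", 80),     # direct web, bypassing proxy
    Flow("10.1.1.40", "198.51.100.7", "tcp", 25),    # non-mail server sending SMTP
    Flow(MAIL_SERVER, "198.51.100.7", "tcp", 25),    # legitimate mail relay
]

if __name__ == "__main__":
    for f, verdict, why in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {f.src}->{f.dst} {f.proto}/{f.dport}: {why}")
```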
Denial of service by cache poisoning!
A 1W.html
I guess it's an example of the kind of attack suggested in http://www.securiteam.com/securityreviews/5AP0V0A
The general idea is that you attack an application by exploiting differences between its average performance and its worst-case performance.
It did nothing to the files, just rebooted the computer, and waited for a precise date to attack the Microsoft site. I wanted to participate in this huge distributed computing effort.
To do this, no patch was required: just open the control panel, click on ugly icons, and go to the RPC panel. Here, I was surprised to see that the main annoying behavior of this worm was due to a default Windows setting!
The default option on RPC failure is to "restart computer"! So I chose the "restart service" option for every failure and that worked fine! All my friends could now live with this worm and contribute to this distributed computing effort!
Default options in Windows are users' worst choices: restart the computer on every failure!! The funniest, and stupidest, one is the default restart computer on... boot failure!
To Fix every virus under Windows, put a Knoppix CD in your box and then restart your computer for the last time.
Well, there are three problems with Windows Update which IMO take significant blame away from the users:
1. Microsoft's update system has been less than simple to date. Ex:
Update 00dflkjsd_9 - fixes a flaw in some obscure dll which you have no idea if you use or even have installed. Only install this update if you are having problems with some arbitrary function after installing update fskjsdf_3. ( I have no idea what update fskjsdf_3 IS, never mind if I've had trouble with it. If I install this anyway, will it cause me trouble that it was trying to fix?)
Yea, I made it up, but that's my impression of some items I've seen the few times I've had to update a windows machine. (I run OS X myself). This is compounded by MS's apparent refusal or inability to "roll up" updates in to "service packs" on a regular basis.
2. You have, until recently, been forced to launch MSIE and specifically visit WindowsUpdate to check for updates. Only MSIE works and there was no automated checking feature. To my knowledge auto-check is only available in XP. The large number of users in corporations don't have any need to upgrade from 2000, or 98/95, and don't have the auto-check feature.
3. Once you are at the site and see there are updates to install, you might have to reboot the system several times. MS is quite fond of "exclusive installers" where you can only choose the one update to install, then reboot and move on to others. From a clean install, this will usually require at least three reboots on an XP box. For a small home machine this may only take two minutes per reboot, but for self-monitoring servers a reboot can take up to 10 minutes what with memory tests, system checks, RAID startup, clock syncing, etc.
The questions I have for Microsoft are:
Why can't you issue a service pack for XP already? All the patches are verified, just apply them cumulatively in a single unified installer.
Why aren't the existing patches on the new CDs and systems that people are purchasing? Surely MS has the clout to force the integrators to apply existing patches before shipping a system. There's absolutely no reasonable excuse for a brand new system from HP, Dell, or Gateway to arrive with security holes that were identified and patched two years ago.
Article X: The powers not delegated... by the Constitution...are reserved...to the people