Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Security Warnings

Posted by CmdrTaco on from the we-have-a-code-yellow-people-this-is-not-a-drill-omg-freak-out dept.

Juha-Matti Laurio writes "Internet Storm Center's Diary reported today: Due to a number of very well working Windows exploits for this weeks patch set, and the zero-day Veritas exploit, we decided to turn the Infocon to yellow. The following Internet Threat Level meters are at level 2/4 because of Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."

4 of 296 comments (clear)

  1. Netcraft Confirms It. by bmo · · Score: 5, Informative

    Windows is dying.

    Well, it's deathly ill, mostly. The average Windows end user is in a never ending battle against the baddies. They buy their systems at the Best Buy, bring them home, run for a couple of months, and then complain that they can't login.

    Then they call me, or someone like me. With disdain, I inform them that I'm wicked busy but I'll do it "this time".

    When I get my grubby hands on their machines, they're fubar. It's not for lack of trying either, because there are multiple Virus, Trojan, and Firewall apps, all fighting over the same machine, including the odd fake anti-trojanwares. You know the one's I'm talking about. We've all seen them. "Click here for a FREE security scan!" and then the machine gets YET another bit of evil.

    I simply don't know what to do anymore. I clean them up, set up security, knowing - just KNOWING that it's all in vain. Just yesterday, I got an "e-postcard" in the mail, and it was just an overt attempt at infection. There wasn't anything that would trip an AV or firewall in the mail, just an obfuscated link that actually pointed at a crypically named .exe. I know far too many people who are e-card addicts, and I am SURE they would have clicked.

    Toast. Totally goddamn toast. The fact that Windows programs have their execute bit as part of the filename is probably the worst thing ever to happen to an OS. One click, and yet another "svchost.exe" process. No lube, no kiss, no reach-around, just total PC anal rape.

    And without a total redesign of Windows or dumping the platform for Apple or Linux, Joe and Josephine User are SOL. Vista is going to be more of the same, as it's going to be simply XP SP3 with more chrome.

    Ah well.

    If anyone knows anything about a0190313376667.gif.exe, mail me at my alias AT Entropy dawt TMOK dawt com. There's hardly anything on the 'net about it except some German blogs.

    --
    BMO

    1. Re:Netcraft Confirms It. by bmo · · Score: 5, Informative

      I think you misunderstand....

      I am _not_ a professional admin who has a network of machines to maintain or easy access to the machines I fix or the authority to command people to do as I want. I'm "the guy that fixes stuff" for his friends/enemies.

      Go 'round every couple of months requesting that everyone send me their machines for updating the OS? Are you out of your mind? Ghost? Are you out of your mind? These are all individual machines, not something cookie-cutter that I could administer in a sane way.

      Yes, I would love to standardize all these machines with the same Windows distribution. I would love to partition the drives so that the OS resides on a separate partition from the user data, and yet another partition for the extra installed programs. That would be sane. But that would mean I would have to furnish boxed copies of XP at the retail price myself, to be sold to the "customers" so I can do it up right.

      "But I have Windows! Why do I have to buy another?"

      Things were so much simpler when PCs came with full OS licenses and a full set of disks. Now, the only choice is to either manually disinfect for HOURS without disturbing too much of the installation, or format and use the "recovery" cd, and the user is fucked for whatever was on the machine if it was never backed up.

      It's fucking maddening is what it is.

      The day that Microsoft stopped the likes of Dell and HP from furnishing OEM CDs spelled doom for the customer who wanted to have a multiple partition setup. Now if you want that, you need a purchase a full Windows kit that costs 200 bux for XP Home.

      --
      BMO

  2. Re:Yellow is pretty rare.. by lamj · · Score: 5, Informative

    One happy customer :-)

    You are correct. We want the infocon to stay at green most of the time and only raise it when necessary. Think about this, if we keep it at yellow all the time, it would eventually lower people's perception of the current threat. Trust me, we do try very hard to only raise it when necessary and appropriately.

    Disclaimer: I am one of the ISC guys.

  3. Re: 40 mothers agree: Cleaning Windows is a PITA by homesteader · · Score: 5, Informative

    More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine:

    Tools required:

    Process Explorer(procexp) from http://www.sysinternals.com/
    autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/
    Any good virus scanner(McAfee's Enterprise scanner is decent. Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will be generally be faster and simpler.
    Ad-Aware from http://www.lavasoft.de/
    LSPFix from http://www.cexx.org/lspfix.htm/
    Updated Stinger from McAfee http://vil.nai.com/vil/stinger/
    Experience enough to know valid windows processes and files.

    Have all of this on a USB drive or CD. Will probably fit on a 64mb drive, unless your virus package is bulky.

    Boot to safe mode

    Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of windows. You could go to Control Panels:Admin Tools:Services and stop all services first, this will narrow the field.

    Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan.

    Run Ad-Aware, do the same. Just trying to ditch bad things that are actually running.

    If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape. Dump all temp files, c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items

    Update virus definitions and do a full scan. Latest SuperDAT from McAfee or Definitions from Symantec or whoever you use, should also be put on the USB drive or CD.

    So, virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me, if those are hosed just wipe it clean and move to XP home for $99-199

    Run HiJackthis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs(Browser Helper Objects aka evil Internet Explorer plugins)

    Add/Remove programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . . .

    Now for the real manual part . . .

    Run lspfix and check for foreign entries. There are normally 2-4 LSP's present. I usually only do this if there are persistent network failures.

    Check Hosts file at c:\winnt(windows)\system32\drivers\etc\hosts There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with hijackthis

    Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension. Do the same for c:\winnt(windows)\system32 This can be a bit trickier, there are way more files in system32 than winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.

    Do the same for c:\program files Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove programs, so hack and slash the folders that you don't think belong.

    In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a .dll that is registered and can't be removed. Never fear! Write down the .d