Internet Security Warnings
Juha-Matti Laurio writes "Internet Storm Center's Diary reported today: Due to a number of very well working Windows exploits for this week's patch set, and the zero-day Veritas exploit, we decided to turn the Infocon to yellow. The following Internet Threat Level meters are at level 2/4 because of the Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon, as a part of the global DeepSight Threat Management System, saying Increased alertness, and Internet Security Systems X-Force with Increased vigilance at AlertCon."
But it's been a while since we've had a good/effective worm.
Jerry
http://www.cyvin.org/
Oh, I guess it doesn't, ror.
Seems to me these color coded systems do more to confuse than they do good. Should I relax if we're at green? Should I be paranoid if we're at Red? Should I even care since I run UN*X rather than Windows? Every day there are at least a few new sploits. Every few weeks there's a sploit that affects me as a sysadmin and requires my attention to preserve the security of my servers and internet-attached LAN. Given this I still don't understand the value in these color coded alert systems. Yellow? What does that mean? Wake up an extra hour early to read the logs? The terrorists can attack just as easily if we're at green as if we are at red. I'm uncertain of the value in the announcements at the airport every 15 minutes to remind me that we're at yellow or orange.
The app could download data automatically using IE and ActiveX, format the data using an Excel Macro, then email results to me using Outlook.
Because I care about security.
On related news, the US puts its security level color at pink. Again, on related news, Bobby's mom chooses to wear an orange shirt. No need to actually read the security threat -- we have colors for that.
Correct me if I'm wrong but haven't there already been warnings about Plug and Play prior to this? I know at least one security website that had warnings about Plug and Play a long time ago, along with a handy utility to disable it. See below.
http://grc.com/UnPnP/UnPnP.htm
You'll notice this was circa December 2001, fully 4 years before these new exploits.
"Are you sure, sir? It means changing the bulb...
Windows is dying.
.exe. I know far too many people who are e-card addicts, and I am SURE they would have clicked.
Well, it's deathly ill, mostly. The average Windows end user is in a never ending battle against the baddies. They buy their systems at the Best Buy, bring them home, run for a couple of months, and then complain that they can't login.
Then they call me, or someone like me. With disdain, I inform them that I'm wicked busy but I'll do it "this time".
When I get my grubby hands on their machines, they're fubar. It's not for lack of trying either, because there are multiple Virus, Trojan, and Firewall apps, all fighting over the same machine, including the odd fake anti-trojanwares. You know the ones I'm talking about. We've all seen them. "Click here for a FREE security scan!" and then the machine gets YET another bit of evil.
I simply don't know what to do anymore. I clean them up, set up security, knowing - just KNOWING that it's all in vain. Just yesterday, I got an "e-postcard" in the mail, and it was just an overt attempt at infection. There wasn't anything that would trip an AV or firewall in the mail, just an obfuscated link that actually pointed at a cryptically named
Toast. Totally goddamn toast. The fact that Windows programs have their execute bit as part of the filename is probably the worst thing ever to happen to an OS. One click, and yet another "svchost.exe" process. No lube, no kiss, no reach-around, just total PC anal rape.
And without a total redesign of Windows or dumping the platform for Apple or Linux, Joe and Josephine User are SOL. Vista is going to be more of the same, as it's going to be simply XP SP3 with more chrome.
Ah well.
If anyone knows anything about a0190313376667.gif.exe, mail me at my alias AT Entropy dawt TMOK dawt com. There's hardly anything on the 'net about it except some German blogs.
--
BMO
In other words.. the alert level tends to stay stubbornly at green unless there is a real issue - the ISC is usually extremely conservative about threat assessments. If they've raised the alert level as a precaution then it's definitely time to take notice.
As for me.. I check the ISC at least once every day to see what emergent threats are out there. There are also a number of tools you can use, such as a small Windows app that can help to inform you when the threat level changes.
It's worth having these tools - when Sasser came out I'm pretty sure they saved my backside.. because in that case the short amount of time between the vulnerability being announced and the worm coming out was so short that many organisations hadn't even started patching. Thanks to the ISC we managed to get almost everything secured in a day, so when the inevitable rogue laptop user physically brought a worm infected machine into the office, then we managed to contain the outbreak effectively.
Never email donotemail@WeAreSpammers.com
How long until that "uber-virus/trojan/worm" comes out that deletes the hard disk contents of millions of PCs? On one hand, that would be a great day, because then people would truly pay attention to security and Microsoft would get the attention it deserves.
On the other hand, it would be bad for obvious reasons. But, IMO, it's only a matter of time. What color will the Infocon be then?
bash: rtfm: command not found
"Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."
What. The. Fuck.
Crumb's Corollary: Never bring a knife to a bun fight.
So if the internet should come crashing down, as in the infocon red situation, what is the use of a little hyperlinked gif to their website, a gDesklet , or a systray icon?
Some of you people might be, but I'm just waiting for my gentoo box to compile.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
Isn't "color-coded threat levels" an excessively paranoid way to describe what we've always known as outdated, buggy software? This kind of representation paints a very fake picture -- as if those "threats" are a given and that all we can do is "try to protect ourselves", when in fact what we're dealing with is simply the result of flawed operating system design. These threats are only symptoms, not the root of the problem. I wonder who benefits from making people focus on the former instead of the latter.
The filesystem is the package manager
The patches for Windows are already out: click
...and colorblind admins go on without a care in the world....
-- Fugacity: Confusing chemists since 1908
Critical updates can still be obtained without passing WGA.
Data: Captain.. Sensors are picking up localized pockets of Upnp activity in subspace transmissions.
Picard: Geordi, can we triangulate the originating source?
Geordi: Yes sir, it's coming from a planetary system 15 light years from our present location. Long range sensors indicate it is...
Picard: Yes, I know... Microsoft...
Picard: All hands, yellow alert. Data, set a course for the source of the transmissions. All hands, to battlestations. Worf, put us to red alert upon entering the system. We don't want another Code Red Incident. And send out a subspace communication to the Federation, all ships, all systems.. We have engaged Microsoft..
Worf: Yes Captain.
Picard: Data, we did test our monthly Microsoft patches on the first Tuesday of the month, correct?
Data: Negative Captain. Unfortunately, there were exploits in the wild which take advantage of the weaknesses in the Upnp service installed on the ship's computer, and the Federation threat level was raised, so we did not test them.
Picard: Damn Microsoft. Alright, let's be careful. We don't know yet what we're dealing with. Maximum Warp! Engage!
Slashdot.. Land of nerds, trolls, and FlameBait..
I think the threat level was raised to blue...
But what does this mean?
STOP: 0x0000000A (00000595 00000002 00000000 8010da41)
IRQL_NOT_LESS_OR_EQUAL
Windows bigots are fond of pointing at Linux and Apple as each having 5 percent of the market, and therefore are "loser OSes that can't do anything".
So ok, let's use that number, just for shits and giggles. If popularity of OS == abundance of malware, let's do some math.
Depending on who you ask, there are between 60 and 70 THOUSAND Windows viruses, trojans, etc.
I'll use the low number, just so nobody can accuse me of bias.
5 percent of 60,000 is 3,000.
Where are the THREE THOUSAND viruses that should be out there for Linux or Macintosh? Last I looked, there were 7 for Linux, and NONE of them were active.
So it's more complicated than just popularity. There are other factors, and I'll let you guess as to what they are.
--
BMO
Wow, that summary is chock full of weird names, AlertCon, ThreatCon etc.
You'd think they could come up with some less... tacky names
I guess someone over at ISC had to blow the dust off the colo(u)r sensor (grins), but seriously, not much on the radar to panic anyone right now. Still, if you aren't awake you really ought to add ISC to your
morning newspaper (wakeup + gallon of coffee) along with some others, so for the sake of people who don't grok the need to be aware (but: go read doug adams and don't panic as well!):
Here goes: (sometimes costs me an hour in the morning, but it's worth the effort...).
http://www.dshield.org/ http://secunia.com/ http://vitalsecurity.org/ http://www.f-secure.com/weblog/ - gossip and just
plain fun (cough) dilbert (cough).
(many others, but i'm tooo lazy on a sunday morning to write em...).
Oh, and be sure to replace the windows task manager with the wonderful (process explorer)
over at the always splendid Mark Russinovich's sysinternals.com (it'll save you when your friends machine gets pwn3d). (hint: it shows tcp/ip connections so you can see if ET is phoning home).
Finally, no list would be complete without a pointer to "comp.risks" (google groups ok?). Laugh. It helps...
cheers all,
Andy.
Affected Products:
.NET companies,
Microsoft Windows NT 4.0 up to and including SP6a
Microsoft Windows 2000 up to and including SP4
Microsoft Windows XP up to and including SP2
Microsoft Windows Server 2003 up to and including SP1
It's nice to be a Microsoft "reject"...
at least when worms come out I don't give a damn.
Just don't use Internet Explorer and have a good Firewall...
The only problem with Windows 98 SE is that most newer machines cannot install it properly, since drivers do not exist!!! arggggg.
Which means.... hmmm
maybe I should update my Dell Laptop. =(
Anyone knows where to find Windows 98 drivers for Dell laptops ?! [Hint: Dell Tech Support are clueless]
Also, it's funny that all those fine
which insist on using ASP.NET, C#, ISS crapt will get infected again, again and again...
why nobody learns... just use LAPP!!!
(Linux, Apache, PostgreSQL, Perl/PHP)
I'm sorry, but if I have to take stuff seriously, can someone put it in plain simple English without these threatening big brother buzzwords?
"Internet Storm Center"
"turn the Infocon to yellow"
"Internet Threat Level meters"
"Symantec ThreatCon"
"DeepSight Threat Management System"
"Internet Security Systems X-Force"
"AlertCon"
Sounds like a bad CIA / X-Men / Matrix rip off movie.
People who blab that shit generally have no real technical insight into why these worms become such a problem. That's why they fall back on "windows is more popular, therefore it has more attackers". What they view fails to take into account is there are millions of linux boxes installed on fat pipes doing unofficial mail servers and websites; they DO MAKE A BIG TARGET. As an attacker why would I care about infecting someone's cable internet with a shitty 25kb/sec upstream, when I can infect a linux box with 100mbit upstream? And I simply don't buy these market share figures, they are all bogus. How do they manage to take into account boxes built and installed by admins themselves? Those figures of 5% only take into account PURCHASED systems. So as you can see, the idea that windows has a much larger virus potential is bullshit.
If you mod me down, I will become more powerful than you can imagine....
I also had the automatic updates set to wait for my approval. For a long time. Then I finally realized that in the years approving the updates, I haven't rejected a single one. I can't remember even researching most of the updates to see if there's something I don't want. To the extent that I didn't even bother reading the descriptions because they always were pretty useless.
Now I just have it on full auto. What the heck. If they fuck up, I think I'll be reading about it on slashdot within a few minutes and some comment will have a link to instructions on how to undo the evil one.
Bot Assisted Blogging
I just read the rest of this morning's news on /. half an hour ago, and just popped back to read this article. Seems a good order, reminds me of how TV news works. They show the day's 'real' news - war, disasters, etc and then at the end, just before the weather they have something silly to cheer you up, usually animal related - an otter that can surf, monkeys at zoos having triplets, etc
/. we have the day's real news of interest, software patents, privacy, Google joining Apple, and then at the end when we think all is bleak for free software, there's a short story on Windows to make you laugh. Look, it's insecure! All their sensitive data's being emailed around. Ha ha.
Here on
More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine:
.dll that is registered and can't be removed. Never fear! Write down the .d
Tools required:
Process Explorer(procexp) from http://www.sysinternals.com/
autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/
Any good virus scanner (McAfee's Enterprise scanner is decent). Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will generally be faster and simpler.
Ad-Aware from http://www.lavasoft.de/
LSPFix from http://www.cexx.org/lspfix.htm/
Updated Stinger from McAfee http://vil.nai.com/vil/stinger/
Experience enough to know valid windows processes and files.
Have all of this on a USB drive or CD. Will probably fit on a 64mb drive, unless your virus package is bulky.
Boot to safe mode
Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of windows. You could go to Control Panels:Admin Tools:Services and stop all services first, this will narrow the field.
Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan.
Run Ad-Aware, do the same. Just trying to ditch bad things that are actually running.
If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape. Dump all temp files, c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items
Update virus definitions and do a full scan. Latest SuperDAT from McAfee or Definitions from Symantec or whoever you use, should also be put on the USB drive or CD.
So, virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me, if those are hosed just wipe it clean and move to XP home for $99-199
Run HiJackthis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs(Browser Helper Objects aka evil Internet Explorer plugins)
Add/Remove programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . .
Now for the real manual part . .
Run lspfix and check for foreign entries. There are normally 2-4 LSPs present. I usually only do this if there are persistent network failures.
Check Hosts file at c:\winnt(windows)\system32\drivers\etc\hosts There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with hijackthis
Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension. Do the same for c:\winnt(windows)\system32 This can be a bit trickier, there are way more files in system32 than winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.
Do the same for c:\program files Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove programs, so hack and slash the folders that you don't think belong.
In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a
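Two of the manual checks in the procedure above (the hosts file that should contain only the loopback entry, and the "anything modified in the last few months is suspicious, but don't skip files without an extension" sweep of the system directories) are mechanical enough to script. The following is an added example written for this page, not code from the poster or from any of the tools listed; it builds its own constructed hosts-file text and a throwaway directory of old and new placeholder files, so it runs offline. Note that it reads whatever the inspected file system reports, so it is a triage aid for the "15 minutes in" stage, not a verdict on a box you already believe is compromised.

```python
import os
import tempfile
import time
from pathlib import Path

# Entries a stock Windows hosts file is expected to carry; anything else is flagged.
EXPECTED_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield (ip, name.lower())


def suspicious_hosts_entries(text: str) -> list:
    """Return every mapping that is not a stock loopback entry (e.g. a redirected update or AV site)."""
    return [entry for entry in parse_hosts(text) if entry not in EXPECTED_HOSTS]


def recently_modified(root: str, days: int, now: float = None,
                      ignore_suffixes=(".log", ".txt")) -> list:
    """List files under root modified within `days` of `now`, skipping log/text files.

    Files with no extension are deliberately NOT skipped, as the procedure advises."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() in ignore_suffixes:
            continue
        if path.stat().st_mtime >= cutoff:
            hits.append(str(path.relative_to(root)))
    return sorted(hits)


# Constructed sample hosts file: the stock entry plus two hijack-style lines (not real data).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example.com   # constructed: would black-hole an update site
10.9.8.7        www.example.net      # constructed: would redirect a site elsewhere
"""


def build_sample_tree(now: float) -> str:
    """Create a throwaway system32-style directory with old and new placeholder files (constructed)."""
    root = tempfile.mkdtemp(prefix="triage_")
    old = now - 400 * 86400   # ~13 months old: what a stock install looks like
    new = now - 5 * 86400     # 5 days old: worth a second look
    # File names are constructed for the example; "svch0st.exe" is a look-alike, not a real sample.
    files = {"kernel32.dll": old, "ntoskrnl.exe": old, "setuplog.txt": new,
             "svch0st.exe": new, "noext": new}
    for name, mtime in files.items():
        target = os.path.join(root, name)
        with open(target, "w") as fh:
            fh.write("placeholder\n")
        os.utime(target, (mtime, mtime))
    return root


def triage(now: float = None) -> dict:
    """Run both checks against the constructed inputs and return the findings."""
    now = time.time() if now is None else now
    root = build_sample_tree(now)
    return {
        "hosts": suspicious_hosts_entries(SAMPLE_HOSTS),
        "recent_files": recently_modified(root, days=90, now=now),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On a real machine you would point `recently_modified` at the Windows and system32 directories from the procedure and read the hosts file from the drivers\etc path given there; the 90-day window matches the "last 3-6 months" rule of thumb and is an assumption you can tune.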
Doesn't every ISP already have the typical windows ports blocked already?
I mean, in every one of my routers I block 135-139,445 TCP/UDP. (Yes, I know, there's one or two that aren't windows specific, but it's easier on the FW rules considering it's exceedingly rare for any legitimate traffic to go over the 'net on 'em)
Maybe the yellow alert is warranted, but imo it's jumping the gun. And to those network admins who haven't gotten the hint yet and blocked those ports, DO IT NOW! Thanks. Oh, and while we're at it, make some decent anti-spoofing filters too, huh? Only things that should be leaving your network are *your* ips, and conversely the only things entering should *not* be yours. Let's all work together to make a better 'net huh?
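The border policy the comment asks for has three parts: drop TCP/UDP 135-139 and 445 in both directions, let only your own prefixes leave, and never let your own prefixes arrive from outside. The following added example (written for this page, not the poster's own configuration) models that policy as a packet evaluator so the rule ordering and the anti-spoofing directions can be checked against constructed packets; the prefixes 203.0.113.0/24 and 198.51.100.0/25 are documentation ranges standing in for "your" address space.

```python
import ipaddress
from dataclasses import dataclass

# Ports the comment blocks at every router: NetBIOS/RPC (135-139) and SMB (445), TCP and UDP.
BLOCKED_PORTS = set(range(135, 140)) | {445}

# Address space "owned" by the network (assumed for the example; RFC 5737 documentation ranges).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving toward it
    proto: str       # "tcp", "udp", or a portless protocol such as "icmp"
    src: str
    dst: str
    dport: int = 0   # 0 when the protocol carries no port


def _is_own(addr: str, prefixes) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def evaluate(pkt: Packet, prefixes=OWN_PREFIXES) -> tuple:
    """Return ("drop", reason) or ("accept", "ok") for one packet under the border policy."""
    if pkt.direction not in ("in", "out"):
        raise ValueError(f"unknown direction {pkt.direction!r}")
    # Rule 1: Windows file-sharing / RPC ports never cross the border, in either direction.
    if pkt.proto in ("tcp", "udp") and pkt.dport in BLOCKED_PORTS:
        return ("drop", f"{pkt.proto}/{pkt.dport} blocked at border")
    src_is_own = _is_own(pkt.src, prefixes)
    # Rule 2: egress anti-spoofing -- only our own addresses may leave the network.
    if pkt.direction == "out" and not src_is_own:
        return ("drop", "egress spoof: source is not one of our prefixes")
    # Rule 3: ingress anti-spoofing -- nothing arriving from outside may claim our addresses.
    if pkt.direction == "in" and src_is_own:
        return ("drop", "ingress spoof: outside packet claims one of our addresses")
    return ("accept", "ok")


def policy_summary(packets, prefixes=OWN_PREFIXES) -> dict:
    """Count accept/drop verdicts over a batch of packets."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[evaluate(pkt, prefixes)[0]] += 1
    return counts


# Constructed sample traffic (192.0.2.10 plays an outside host).
SAMPLE = [
    Packet("in", "tcp", "192.0.2.10", "203.0.113.5", 445),     # SMB from outside: dropped
    Packet("in", "udp", "192.0.2.10", "203.0.113.5", 137),     # NetBIOS name service: dropped
    Packet("in", "tcp", "192.0.2.10", "203.0.113.5", 80),      # ordinary web request: accepted
    Packet("in", "tcp", "203.0.113.99", "203.0.113.5", 22),    # arrives claiming our address: dropped
    Packet("out", "tcp", "10.0.0.7", "192.0.2.10", 443),       # leaves with a foreign source: dropped
    Packet("out", "tcp", "203.0.113.5", "192.0.2.10", 443),    # legitimate outbound: accepted
    Packet("out", "icmp", "203.0.113.5", "192.0.2.10"),        # portless protocol: accepted
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, evaluate(pkt))
    print(policy_summary(SAMPLE))
```

The port rule is evaluated first so that a spoofed SMB packet is reported as an SMB block rather than a spoof; if you would rather have spoof detection win, swap the order, the verdicts stay the same and only the reasons change.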
Fucking hell! Is your second name Sisyphus? Plus you're doing half-assed stuff like sorting by file date and automatically overlooking old files?
Save yourself some of your lifespan dude and do what's the only right thing to do to a compromised machine: reinstall from fresh media.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Sometimes I almost wished Microsoft's own Internet imitation hadn't died. Then, we would have the true Internet, with the academic publications, some grassroots stuff, and the users of alternative operating systems. And the Microsoft network with all the Windows users, entertainment, flashing adverts, worms, pr0n, and everything.
Of course, people would probably build bridges between the two networks, and the bridges could probably be exploited by worms...but the vulnerabilities would probably be on the Microsoft side for the most part, meaning that worms could travel from the Internet to the Microsoft network, but hardly the other way around.
Ah, how pleasant dreams can be...
Please correct me if I got my facts wrong.
The thing that really galls me on MS with these issues is the fact that it's THEIR problem, and they issue a security update to patch a product a user BOUGHT under good faith. Then you have to sign your life away/agree to various thing MS can do to your machine to apply it - as if it's YOUR fault and not MS's onus.
Not to sell a used car at a funeral, but... when these worms hit is the best time to push linux, especially to companies who see significant downtime and lost sales. Something along the lines of, "You know, if you were running (Insert *nix and/or BSD distro here), you'd still be in business. Right now, your business is doing as much sales as a liquor store being robbed, because being 'robbed' is exactly what's happening. If Windows is the liquor store, (distro) is the well guarded bank. 'Robberies' can still happen, but they are extremely more rare and the 'crooks' will be caught sooner."
I8-D
Did anyone besides me originally read that as the global DeepShit Threat Management System?
I think I like it better that way.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
A large client was affected last night because of it. And they patched almost all servers this week, but how can you keep patching up with thousands of workstations, including home users accessing through vpn?
Tightening more is not an easy option as people want to do all what Microsoft promises them. When security teams (or just plain support) insist on patching they are labeled as annoying dorks, and when a worm/virus hits because of lame users not patching... just plain dorks!
Sometimes I wish I liked painting instead of computers.
You cannot clean a compromised system with tools running within that system, even in Safe Mode. That's like asking your mayor if s/he's been bribed or not and expecting an honest answer just because the question has been posed during a public council meeting. Wipe, and install from scratch. I would count those ~2 hours as lost in the sense that the system may not have been fixed; you'd probably have been better off watching a funny movie with kith and kin.
Try googling rootkit. *nix has been around ~35 years, and not with a perfect security record. *nix admins have been dealing with breaches for a long time. While the *nix mindset has come up with clever tricks to detect rootkits, I have yet to hear anyone successfully defend cleaning any system from within itself. The problem with this approach has nothing to do with *nix and applies across multiple platforms. Because the system is compromised, you can't trust ANYTHING the system tells you about itself, or any tools that use the system to gather information about the system.
I'm hard pressed to imagine an operating system where this would not be the case, but perhaps others would enlighten me.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
The thing is, the whole claim that OSS has inherently better security has been exposed as hype for a long time now.
Some OSS projects have excellent security, because the project leaders place sufficient emphasis on it, and the coders code with that emphasis in mind.
Other OSS projects do not have good security, sometimes not even as good as Microsoft and co.
Consider this: I have downloaded patches for more security flaws in Firefox than for IE in recent weeks. Moreover, the IE patches were offered to me via automatic updates within minutes of being available on Windows Update, while the Firefox patches did not show up as automatic updates for several days after they were available from the project web site in some cases. They even had a whole version missed out of the automatic updates, because somehow a release was made that contained serious bugs of its own, and had to be withdrawn.
This is not intended to be a slam against Firefox; it's great software and the project seems to be run well, the vast majority of the time. Rather, this is intended to demonstrate that nothing's perfect. Trying to convert people from Windows to OSS alternatives, based on security fears, at a time when a worm is circulating, Microsoft has made a patch available, but people haven't bothered installing that patch yet, really is being a used car salesman in the most derogatory sense of the term.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Here are my conclusions about the current Windows threat level:
Today, 173 users of Slashdot will post comments about how Windows security sucks, they've had enough, and they'll be switching their entire corporate network to Linux on Monday. None of them will.
Threat assessment: hollow.
I fully agree. My home network is made up of 3 OS X machines and one windows box for when necessary. With OS X, I could actually agree that the best fix for a compromised machine(were it to happen) would be a reinstall, since there's nothing user specific in the System directory anyway.