Slashdot Mirror
Internet Security Warnings
Juha-Matti Laurio writes "Internet Storm Center's Diary reported today: Due to a number of very well working Windows exploits for this weeks patch set, and the zero-day Veritas exploit, we decided to turn the Infocon to yellow. The following Internet Threat Level meters are at level 2/4 because of Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."
But it's been a while since we've had a good/effective worm.
Jerry
http://www.cyvin.org/
Seems to me these color coded systems do more to confuse than they do good. Should I relax if we're at green? Should I be paranoid if we're at Red? Should I even care since I run UN*X rather than Windows? Every day there are at least a few new sploits. Every few weeks there's a sploit that affects me as a sysadmin and requires my attention to preserve the security of my servers and internet-attached LAN. Given this I still don't understand the value in these color coded alert systems. Yellow? What does that mean? Wake up an extra hour early to read the logs? The terrorists can attack just as easily if we're at green than if we are at red. I'm uncertain of the value in the announcements at the airport every 15 minutes to remind me that we're at yellow or orange.
The app could download data automatically using IE and ActiveX, format the data using an Excel Macro, then email results to me using Outlook.
Because I care about security.
On related news, the US puts it's security level color at pink. Again, on related news, Bobby's mom chooses to wear an orange shirt. No need to actually read the security threat -- we have colors for that.
"Are you sure, sir? It means changing the bulb...
Windows is dying.
.exe. I know far too many people who are e-card addicts, and I am SURE they would have clicked.
Well, it's deathly ill, mostly. The average Windows end user is in a never ending battle against the baddies. They buy their systems at the Best Buy, bring them home, run for a couple of months, and then complain that they can't login.
Then they call me, or someone like me. With disdain, I inform them that I'm wicked busy but I'll do it "this time".
When I get my grubby hands on their machines, they're fubar. It's not for lack of trying either, because there are multiple Virus, Trojan, and Firewall apps, all fighting over the same machine, including the odd fake anti-trojanwares. You know the one's I'm talking about. We've all seen them. "Click here for a FREE security scan!" and then the machine gets YET another bit of evil.
I simply don't know what to do anymore. I clean them up, set up security, knowing - just KNOWING that it's all in vain. Just yesterday, I got an "e-postcard" in the mail, and it was just an overt attempt at infection. There wasn't anything that would trip an AV or firewall in the mail, just an obfuscated link that actually pointed at a crypically named
Toast. Totally goddamn toast. The fact that Windows programs have their execute bit as part of the filename is probably the worst thing ever to happen to an OS. One click, and yet another "svchost.exe" process. No lube, no kiss, no reach-around, just total PC anal rape.
And without a total redesign of Windows or dumping the platform for Apple or Linux, Joe and Josephine User are SOL. Vista is going to be more of the same, as it's going to be simply XP SP3 with more chrome.
Ah well.
If anyone knows anything about a0190313376667.gif.exe, mail me at my alias AT Entropy dawt TMOK dawt com. There's hardly anything on the 'net about it except some German blogs.
--
BMO
That link refers to UPnP, Universal Plug and Play, a networking based technology for device discovery and configuration. The vulnerability concerning the ISC is a PnP vulnerability. Plug and Play is used for internal device discovery and configuration. The two are totally different. Microsoft, in a fit of brilliance though that exposing the internal PnP via RPC to the rest of the world was a good idea. As it turns out there is an unchecked buffer than with Windows 2000 machines in accessible via a NULL Session. In XP and 2003 the buffer requires a valid account or even and admin account to expose. The threat of a Windows 2000 based worm in the next few days is very real. All of you with XP and 2003 aren't in immediate worm danger.
In other words.. the alert level tends to stay stubbornly at green unless there is a real issue - the ISC is usually extremely conservative about threat assessments. If they've raised the alert level as a precaution then it's definitely time to take notice.
As for me.. I check the ISC at least once every day to see what emergent threat are out there. There are also a number of tools you can use such as a small Windows app that can help to inform you when the threat level changes.
It's worth having these tools - when Sasser came out I'm pretty sure they saved my backside.. because in that case the short amount of time between the vulnerability being announced and the worm coming out was so short that many organisations hadn't even started patching. Thanks to the ISC we managed to get almost everything secured in a day, so when the inevitable rogue laptop user physically brought a worm infected machine into the office, then we managed to contain the outbreak effectively.
Never email donotemail@WeAreSpammers.com
How long until that "uber-virus/trojan/worm" comes out that deletes the hard disk contents of millions of PCs? On one hand, that would be a great day, because then people would truly pay attention to security and Microsoft would get the attention it deserves.
On the other hand, it would be bad for obvious reasons. But, IMO, it's only a matter of time. What color will the Infocon be then?
bash: rtfm: command not found
"Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."
What. The. Fuck.
Crumb's Corollary: Never bring a knife to a bun fight.
Isn't "color-coded threat levels" an excessively paranoid way to describe what we've always known as outdated, buggy software? This kind of representation paints a very fake picture -- as if those "threats" are a given and that all we can do is "try to protect ourselves", when in fact what we're dealing with is simply the result of flawed operating system design. These threats are only symptoms, not the root of the problem. I wonder who benefits from making people focus on the former instead of the latter.
The filesystem is the package manager
The patches for Windows are already out: click
...and colorblind admins go on without a care in the world....
-- Fugacity: Confusing chemists since 1908
Data: Captain.. Sensors are picking up localized pockets of Upnp activity in subspace transmissions.
Picard: Geordi, can we triangulate the originating source?
Geordi: Yes sir, it's coming from a planetary system 15 light years from our present location. Long range sensors indicate it is...
Picard: Yes, I know... Microsoft...
Picard: All hands, yellow alert. Data, set a course for the source of the transmissions. All hands, to battlestations. Worf, put us to red alert upon enterting the system. We don't want another Code Red Incident. And send out a subspace communication to the Federation, all ships, all systems.. We have engaged Microsoft..
Worf: Yes Captain.
Picard: Data, we did test our monthly Microsoft patches on the first Tuesday of the month, correct.
Data: Negative Captain. Unfortunately, there were exploits in the wild which take advantage of the weaknesses in the Upnp service installed on the ship's computer, and the Federation threat level was raised, so we did not test them.
Picard: Damn Microsoft. Alright, let's be careful. We don't know yet what we're dealing with. Maximum Warp! Engage!
Slashdot.. Land of nerds, trolls, and FlameBait..
I think the threat level was raised to blue...
But what does this mean?
STOP: 0x0000000A (00000595 00000002 00000000 8010da41)
IRQL_NOT_LESS_OR_EQUAL
Slashdot.. Land of nerds, trolls, and FlameBait..
I guess someone over at ISC had to blow the dust off the colo(u)r sensor (grins), but seriously, not much on the radar to panic anyone right now. Still, if you aren't awake you really ought to add ISC to your
morning newspaper (wakeup + gallon of coffee) along with some others, so for the sake of people who don't grok the need to be aware (but: go read doug adams and don't panic as well!):
Here goes: (sometimes costs me an hour in the morning, but it's worth the effort...).
http://www.dshield.org/ http://secunia.com/ http://vitalsecurity.org/ http://www.f-secure.com/weblog/ - gossip and just
plain fun (cough) dilbert (cough).
(many others, but i'm tooo lazy on a sunday morning to write em...).
Oh, and be sure to replace the windows task manager with the wonderful (process explorer)
over at the always splendid Mark Russinovich's sysinternals.com (it'll save you when your friends machine gets pwn3d). (hint: it shows tcp/ip connections so you can see if ET is phoning home).
Finally, no list would be complete without a pointer to "comp.risks" (google groups ok?). Laugh. It helps...
cheers all,
Andy.
I'm sorry, but if I have to take stuff seriously, can someone put it in plan simple english without these threatening big brother buzzwords?
"Internet Storm Center"
"turn the Infocon to yellow"
"Internet Threat Level meters"
"Symantec ThreatCon"
"DeepSight Threat Management System"
"Internet Security Systems X-Force"
"AlertCon"
Sounds like a bad CIA / X-Men / Matrix rip off movie.
I just read the rest of this morning's news on /. half an hour ago, and just popped back to read this article. Seems a good order, reminds me of how TV news works. They show the day's 'real' news - war, disasters, etc and then at the end, just before the weather they have something silly to cheer you up, usually animal related - an otter that can surf, monkeys at zoos having triplets, etc
/. we have the day's real news of interest, software patents, privacy, Google joining Apple, and then at the end when we think all is bleak for free software, there's a short story on Windows to make you laugh. Look, it's insecure! All their sensitive data's being emailed around. Ha ha.
Here on
Erm, it DOES affect your powerbook.
IIRC we're all plugged into the same internet. A potentially mid to high level set of Windows exploits raises the *Internet* Storm Center's alert level to yellow.
This should tell you something. Ideally it should tell you that when X million Windows boxes are exploited, that there will be a noticeable degradation of quality or service on the internet. That the resultant poor quality traffic and noise created by a large scale (poorly written) worm will degrade the connection your PowerBook is enjoying.
Don't ever forget that we're all in the same boat, and it does little good to sit at the stern and laugh at the suckers at the bow as they dip gently under the water for the Nth time.
Damn, I posted, and I had mod points to burn too.
More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine:
.
.
.dll that is registered and can't be removed. Never fear! Write down the .d
Tools required:
Process Explorer(procexp) from http://www.sysinternals.com/
autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/
Any good virus scanner(McAfee's Enterprise scanner is decent. Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will be generally be faster and simpler.
Ad-Aware from http://www.lavasoft.de/
LSPFix from http://www.cexx.org/lspfix.htm/
Updated Stinger from McAfee http://vil.nai.com/vil/stinger/
Experience enough to know valid windows processes and files.
Have all of this on a USB drive or CD. Will probably fit on a 64mb drive, unless your virus package is bulky.
Boot to safe mode
Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of windows. You could go to Control Panels:Admin Tools:Services and stop all services first, this will narrow the field.
Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan.
Run Ad-Aware, do the same. Just trying to ditch bad things that are actually running.
If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape. Dump all temp files, c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items
Update virus definitions and do a full scan. Latest SuperDAT from McAfee or Definitions from Symantec or whoever you use, should also be put on the USB drive or CD.
So, virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me, if those are hosed just wipe it clean and move to XP home for $99-199
Run HiJackthis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs(Browser Helper Objects aka evil Internet Explorer plugins)
Add/Remove programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . .
Now for the real manual part . .
Run lspfix and check for foreign entries. There are normally 2-4 LSP's present. I usually only do this if there are persistent network failures.
Check Hosts file at c:\winnt(windows)\system32\drivers\etc\hosts There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with hijackthis
Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension. Do the same for c:\winnt(windows)\system32 This can be a bit trickier, there are way more files in system32 than winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.
Do the same for c:\program files Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove programs, so hack and slash the folders that you don't think belong.
In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a
Sometimes I almost wished Microsoft's own Internet imitation hadn't died. Then, we would have the true Internet, with the academic publications, some grassroots stuff, and the users of alternative operating systems. And the Microsoft network with all the Windows users, entertainment, flashing adverts, worms, pr0n, and everything.
Of course, people would probably build bridges between the two networks, and the bridges could probably be exploited by worms...but the vulnerabilities would probably be on the Microsoft side for the most part, meaning that worms could travel from the Internet to the Microsoft network, but hardly the other way around.
Ah, how pleasant dreams can be...
Please correct me if I got my facts wrong.
You cannot clean a compromised system with tools running within that system, even in Safe Mode. That's like asking your mayor if s/he's been bribed or not and expecting an honest answer just because the question has been posed during a public council meeting. Wipe, and install from scratch. I would count those ~2 hours as lost in the sense that the system may not have been fixed; you'd probably have been better off watching a funny movie with kith and kin.
Try googling rootkit. *nix has been around ~35 years, and not with a perfect security record. *nix admins hae been dealing with breaches for a long time. While the *nix mindset has come up with clever tricks to detect rootkits I have yet to hear anyone sucessfully defend cleaning any system from within itself. The problem with this approach has nothing to do with *nix and applies across multiple platforms. Because the system is compromised, you can't trust ANYTHING the system tells you about itself, or any tools that use the system to gather information about the system.
I'm hard pressed to imagine an operating system where this would not be the case, but perhaps others would enlighten me.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
Here are my conclusions about the current Windows threat level:
Today, 173 users of Slashdot will post comments about how Windows security sucks, they've had enough, and they'll be switching their entire corporate network to Linux on Monday. None of them will.
Threat assessment: hollow.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.