Slashdot Mirror


MS05-039 Worm in the Wild

An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.

252 comments

  1. ClamAV by slavemowgli · · Score: 5, Informative

    And it's detected by ClamAV already, too.

    --
    quidquid latine dictum sit altum videtur.
    1. Re:ClamAV by Anonymous Coward · · Score: 1, Funny

      It's like my network guys always say...

      The early revision always gets the worm! //Ok, I'm sorry about that. I apologize.

    2. Re:ClamAV by nametaken · · Score: 2, Informative

      And it was already mentioned in a /. article today.

  2. Vulnerability by Tiberius_Fel · · Score: 4, Informative

    From TFA:

    "Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon."

    I think a lot of people were relieved to read this. :)

    --
    Join the Empire! http://www.empirereborn.net/
    1. Re:Vulnerability by louarnkoz · · Score: 5, Informative

      The "valid logon" comment is misleading. On XP/SP2 and Windows 2003, the remote function can only be exploited by a logon with administrative privilege, the equivalent of root access. SP2 does not correct all bugs in Windows XP, but it includes a lot of system hardening. The guiding idea was "defense in depth", i.e. don't assume that the software is perfect, add multiple layers of protection. One of these defenses was requiring authentication for all RPC access. This "defense in depth" seems to be working, at least in this case.

    2. Re:Vulnerability by Anonymous Coward · · Score: 0

      so basically all those windows boxes out there with blank passwords for Administrator are pretty much owned then huh?

    3. Re:Vulnerability by Anonymous Coward · · Score: 2, Insightful

      One of these defenses was requiring authentication for all RPC access

      That's... not really "defense in depth". That's the kind of basic, rudimentary security that no sane company would have ever released a product without in the first place.

    4. Re:Vulnerability by grennis · · Score: 1, Informative

      blank passwords are not allowed for remote logins. But I'm sure you knew that right? Because you know SO much about Windows, huh... just don't let the facts get in the way of a "me too" rant

    5. Re:Vulnerability by timeOday · · Score: 1
      This "defense in depth" seems to be working, at least in this case.
      It seems to me that the whole virus scene has been much quieter lately than at its peak 2 or 3 years ago when Outlook and IIS bugs were clogging up the Internet (and our inboxes). Either security improved, or the same people figured out it's easier to get the same effect by tricking people into installing spyware.
    6. Re:Vulnerability by rsmith-mac · · Score: 1

      Even if it didn't need a valid login, doesn't the SP2 firewall block port 445?

    7. Re:Vulnerability by Anonymous Coward · · Score: 0

      You sir have obviously not been in this business long :)

    8. Re:Vulnerability by Gentlewhisper · · Score: 1

      blank passwords are not allowed for remote logins. But I'm sure you knew that right? Because you know SO much about Windows, huh... just don't let the facts get in the way of a "me too" rant

      That's default behaviour, but that too can be changed...

    9. Re:Vulnerability by jp10558 · · Score: 1

      I'd guess it's a little of both. Sadly, it seems easier to social engineer people than it is to hack systems. Although, the long awaited update in XPSP2 to finally stop IE from installing things without asking people really helps all those with half a clue who still use IE.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    10. Re:Vulnerability by Anonymous Coward · · Score: 0

      And in Unix, the root account's password can be empty too. What's your point?

    11. Re:Vulnerability by goonerw · · Score: 1

      One of these defenses was requiring authentication for all RPC access

      That's great until you realise that certain MS products require anonymous RPC/COM in order to function correctly. SMS 2.0 Admin Console is one of them.

      --
      LOAD ".SIG"
      PRESS PLAY ON TAPE
    12. Re:Vulnerability by Chang · · Score: 1

      Active Directory Migration Tool is another.

  3. crappy summary by smoondog · · Score: 5, Informative

    What a crappy summary, it doesn't even mention what operating system this effects (or how to patch for that matter). "Important facts" from the article:

    - Patch MS05-039 will protect you
    - Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
    - Blocking port 445 will protect you (but watch for internal infected systems)
    - The FTP server does not run on port 21. It appears to pick a random high port.
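
The two observable behaviours in the list above (a sweep of a subnet on TCP/445, then the newly hit host fetching the worm over FTP from the infecting host on a random high port) are what a network-side detector would key on. What follows is an added example, not code from the SANS diary or from this post: a Python triage script run over constructed flow records (epoch time, source, destination, destination port, accepted/refused). The record format, the eight-hosts-in-a-minute scan threshold and the five-minute callback window are assumptions chosen for the example; only the two-step pattern comes from the post. It flags any source that touches at least eight distinct hosts on 445 inside one window, and then any accepted 445 connection from such a scanner that is followed by the target opening a high-port connection back to that scanner.

```python
"""Flow-record triage for a TCP/445 worm: subnet sweep, then high-port fetch-back.

Added example (not from the SANS or Slashdot post). The record format, the
thresholds and the sample flows below are constructed assumptions.
"""
import re
from collections import defaultdict

SCAN_THRESHOLD = 8      # distinct hosts hit on 445 inside SCAN_WINDOW seconds
SCAN_WINDOW = 60
CALLBACK_WINDOW = 300   # seconds after an accepted 445 connect to look for the fetch-back
EPHEMERAL_MIN = 1024    # "random high port": anything above the well-known range

# Constructed flow log: epoch seconds, src, dst, dst port, outcome.
# 10.1.2.50 sweeps the subnet; 10.1.2.3 accepts and then connects back on a high port.
# 10.1.2.7 makes one ordinary SMB connection and must not be flagged.
SAMPLE_FLOWS = """\
1124000000 10.1.2.50 10.1.2.1 445 refused
1124000001 10.1.2.50 10.1.2.2 445 refused
1124000001 10.1.2.50 10.1.2.3 445 accepted
1124000002 10.1.2.50 10.1.2.4 445 refused
1124000002 10.1.2.50 10.1.2.5 445 refused
1124000003 10.1.2.50 10.1.2.6 445 refused
1124000004 10.1.2.50 10.1.2.7 445 refused
1124000005 10.1.2.50 10.1.2.8 445 refused
1124000006 10.1.2.50 10.1.2.9 445 refused
1124000007 10.1.2.50 10.1.2.10 445 refused
1124000009 10.1.2.3 10.1.2.50 33333 accepted
1124000010 10.1.2.7 10.1.2.99 445 accepted
1124000011 10.1.2.11 10.1.2.12 80 accepted
"""

FLOW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(accepted|refused)$")


def parse_flows(text):
    """Parse flow records into dicts sorted by time; reject malformed lines loudly."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if m is None:
            raise ValueError("unparseable flow record: %r" % line)
        t, src, dst, dport, outcome = m.groups()
        flows.append({"t": int(t), "src": src, "dst": dst,
                      "dport": int(dport), "outcome": outcome})
    flows.sort(key=lambda f: f["t"])
    return flows


def find_scanners(flows, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Map each source that touched >= threshold distinct hosts on 445 within one window
    to the sorted list of every host it probed. Refused connects count too: they are
    scanning evidence even though that target was never at risk."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 445:
            per_src[f["src"]].append((f["t"], f["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        for i in range(len(hits)):
            start = hits[i][0]
            targets = set()
            for t, dst in hits[i:]:
                if t - start > window:
                    break
                targets.add(dst)
            if len(targets) >= threshold:
                scanners[src] = sorted({dst for _, dst in hits})
                break
    return scanners


def find_callbacks(flows, scanners, window=CALLBACK_WINDOW):
    """For each accepted 445 connect from a known scanner, look for the target opening a
    high-port connection back to that scanner soon after: the FTP fetch step."""
    callbacks = []
    for i, f in enumerate(flows):
        if f["src"] not in scanners or f["dport"] != 445 or f["outcome"] != "accepted":
            continue
        scanner, victim = f["src"], f["dst"]
        for g in flows[i + 1:]:
            if g["t"] - f["t"] > window:
                break
            if (g["src"] == victim and g["dst"] == scanner
                    and g["dport"] >= EPHEMERAL_MIN and g["outcome"] == "accepted"):
                callbacks.append((victim, scanner, g["dport"], g["t"]))
                break
    return callbacks


def triage(text):
    """Return (scanners, callbacks) for a flow log in the constructed format."""
    flows = parse_flows(text)
    scanners = find_scanners(flows)
    return scanners, find_callbacks(flows, scanners)


if __name__ == "__main__":
    scanners, callbacks = triage(SAMPLE_FLOWS)
    for src, targets in scanners.items():
        print("scanner %s probed %d hosts on tcp/445" % (src, len(targets)))
    for victim, scanner, port, t in callbacks:
        print("probable infection: %s fetched from %s on tcp/%d at %d" % (victim, scanner, port, t))
```

The callback rule is what separates a host that was merely scanned from one that probably took the payload; the single legitimate SMB connection from 10.1.2.7 in the sample never crosses the scan threshold. Lower SCAN_THRESHOLD on sparsely populated subnets, and feed the script flows from inside the perimeter as well, since blocking 445 at the border does nothing about an infected laptop already on the LAN.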

    1. Re:crappy summary by Anonymous Coward · · Score: 0

      What a crappy summary, it doesn't even mention what operating system this effects (or how to patch for that matter).

      You mean what operating system this Affects.

    2. Re:crappy summary by wheany · · Score: 1

      And it would have been nice to know what "MS05-039" is.

    3. Re:crappy summary by kayen_telva · · Score: 1

      if it doesn't affect XP SP2, then why is there a patch ?
      http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

    4. Re:crappy summary by vorm · · Score: 0

      Symantec list Windows 2000, Windows 95, Windows 98, Windows NT, Windows XP as operating systems affected. However, TFA says XP SP2 and 2003 Server are not, but the patch MS05-039 wasn't released until August 9th. Can we please have more contradictory information?

    5. Re:crappy summary by sucker_muts · · Score: 4, Informative

      Another useful article from eweek with even more info:

      http://www.eweek.com/article2/0,1759,1847756,00.asp?kc=EWRSS03119TX1K0000594

      --
      Dependency hell? => /bin/there/done/that
    6. Re:crappy summary by caluml · · Score: 2, Funny
      what operating system this effects

      Affects. What operating system this affects.

    7. Re:crappy summary by StarHeart · · Score: 2, Informative

      The patch fixes the vulnerability that XP SP2/2003 still has. This worm depends on more than just the vulnerability. It also needs a valid login, which it won't have in the case of XP SP2/2003.

      It wouldn't surprise me to see a second revision of this worm that fixes this limitation in some way.

      --
      Havoc Penington, the bane of my Linux desktop.
    8. Re:crappy summary by CProgrammer98 · · Score: 0, Offtopic

      Bad grammar has an effect on me.
      I am affected by bad grammar.

      --
      And the people shall be oppressed, every one by another, and every one by his neighbour Isaiah 3:5
    9. Re:crappy summary by Anonymous Coward · · Score: 0

      I'm sorry to hear that, redundant grammar Nazi. Lighten up already, for crying out loud.

    10. Re:crappy summary by sebisor · · Score: 1

      I have yet to see how is this new worm relevant. There are thousands of worms around, what big deal is this new one?

    11. Re:crappy summary by kayen_telva · · Score: 1

      but I work on XP SP2 machines all the time with no administrator password. of course I try to convince the user to change that, but mostly they don't want the hassle

    12. Re:crappy summary by edb · · Score: 1

      Appears to me that OP is correct. The MS operating system effects many a security problem.

      (hey, you can assume you know what he/she means, and then assume bad grammar, or you can take it as stated and read the words to figure out what the poster means. :-)

      --
      In theory, practice and theory are the same. In practice, they rarely are.
    13. Re:crappy summary by Anonymous Coward · · Score: 0
      What a crappy summary, it doesn't even mention what operating system this effects
      Technically, is that necessary?
    14. Re:crappy summary by Anonymous Coward · · Score: 0

      Never heard of dictionary attacks have you, fucktard?

    15. Re:crappy summary by numbski · · Score: 4, Informative
      Blocking port 445 will protect you (but watch for internal infected systems)

      Yeah, and for grins, why is it you can't use a software firewall within Windows to block 445?

      Hmmm...lessee here...
      [erwin:~] numbski% cat /etc/services | grep 445
      microsoft-ds 445/udp # Microsoft-DS
      microsoft-ds 445/tcp # Microsoft-DS
      Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up. w00t! :\
      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    16. Re:crappy summary by lseltzer · · Score: 1

      >>So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up.

      Or patch your systems

    17. Re:crappy summary by lseltzer · · Score: 1

      actually, on XP SP0/SP1 it needs a valid logon. On SP2 it needs a valid logon and, depending on whose reports you believe, either admin privileges or rights to log on locally. So it's hard to believe that SP2 systems will be compromised in the real world by this. I can see SP0/1 systems being hit through a dictionary attack, but it's more work than most worms will bother to do.

    18. Re:crappy summary by seifried · · Score: 1, Offtopic

      Actually port 445 is CIFS, Common Internet File System, it replaces SMB.

      http://www.seifried.org/security/ports/0/445.html

    19. Re:crappy summary by Anonymous Coward · · Score: 0

      pound sand up your ass, anonymous fucktard.

    20. Re:crappy summary by totallygeek · · Score: 3, Informative
      Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up.


      Just so you know, Windows domain and directory authentication is over tcp 389. As for 445, that is for file sharing via CIFS. CIFS is the next gen past SMB (which used 137, 138 and 139).

    21. Re:crappy summary by numbski · · Score: 1

      Okay, just so you know, I wrote that in a hurry, and quite literally just did a quick `cat /etc/services | grep 445`, as you saw in my original post.

      If I'm wrong, I'm wrong. Question is, who put it as Microsoft-DS in /etc/services?

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    22. Re:crappy summary by Anonymous Coward · · Score: 0

      A 3rd party software firewall works just fine to block port 445. Most modern software that uses pure tcp/udp instead of smb/cifs works fine. When a file is needed from a remote windows server, you can open the outgoing port 445 only, do the business, and shut it back off. As a bonus, it keeps the company SMS daemon from screwing with your system.
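
Two settings argued over in this thread decide whether a box with a blank Administrator password is reachable by a worm that needs a valid network logon: the LSA value behind "Limit local account use of blank passwords to console logon only" (LimitBlankPasswordUse, the default grennis relies on and that Gentlewhisper notes can be switched off), and whether the Windows Firewall profile leaves TCP 445 open to any address rather than scoped to the local subnet. What follows is an added example, not anything from the thread or from Microsoft: a Python audit that parses a regedit .reg export and reports the weak settings, with a weak export and a corrected one embedded as constructed samples. The key paths are the XP SP2 ones; the exact value-data string of the 445:TCP entry and the treatment of a missing value as "still at default" are assumptions.

```python
"""Audit a regedit .reg export for blank-password network logon and TCP/445 exposure.

Added example (not from the thread). Key paths are the XP SP2 ones; the sample
exports below are constructed, not captured from a real machine.
"""
import re

# Constructed: the weak configuration, as regedit would export it.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"""

# Constructed: the same machine after hardening (blank passwords console-only,
# file-sharing port scoped to the local subnet instead of any address).
HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
FW_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# "Name"=data or @=data; only dword: and quoted-string data are decoded below.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the dword and string values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # hex:/binary data and continuation lines are not needed here
        name = "@" if m.group("default") else m.group("name").replace('\\"', '"').replace("\\\\", "\\")
        data = m.group("data")
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit(keys):
    """Return a list of findings; an empty list means both settings are in the safe state."""
    findings = []
    # 1 = blank-password local accounts may log on at the console only (the XP default).
    # Assumption: a value absent from the export is treated as the default, not as a finding.
    if keys.get(LSA_KEY, {}).get("LimitBlankPasswordUse", 1) != 1:
        findings.append("Lsa\\LimitBlankPasswordUse=0: accounts with blank passwords "
                        "are accepted for network (remote) logon")
    for profile in ("DomainProfile", "StandardProfile"):
        prof = keys.get(FW_BASE + "\\" + profile, {})
        if prof.get("EnableFirewall", 1) != 1:
            findings.append(profile + ": Windows Firewall is disabled")
        open_ports = keys.get(FW_BASE + "\\" + profile + r"\GloballyOpenPorts\List", {})
        for name, data in open_ports.items():
            if not name.startswith("445:") or not isinstance(data, str):
                continue
            fields = data.split(":")  # port:proto:scope:state:description
            if len(fields) >= 4 and fields[3] == "Enabled" and fields[2] == "*":
                findings.append(profile + ": TCP 445 is open to any address "
                                "(scope it to LocalSubNet or close the port)")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, audit(parse_reg(export)) or ["no findings"])
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet x.reg` output from each machine you care about. A LocalSubNet scope is reported as clean because it matches the "watch for internal infected systems" caveat above rather than contradicting it: it stops the worm coming in from the Internet, not from the laptop on the next desk.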

    23. Re:crappy summary by dodobh · · Score: 1

      Microsoft Data Service.

      --
      I can throw myself at the ground, and miss.
    24. Re:crappy summary by Aphexian · · Score: 1
      You mean what operating system this Affects.

      You meanT, WHICH operating systems this Affects.

      Grammar Nazis Unite! Now get it right before I have to break out my dangling participle.

  4. What drives people to do this... by cameronk · · Score: 3, Insightful

    Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things. What can we do to provide more disincentives to keep them from being jerks?

    --
    "...What is good for General Motors is good for America." -Charles Wilson, Secretary of Defense and fmr President of GM
    1. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      What can we do to provide more disincentives to keep them from being jerks?

      If the challenge of hacking OSx86 to work on anything didn't sway that guy from creating this worm, nothing will!

    2. Re:What drives people to do this... by Troed · · Score: 0

      Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things.

      Money. Bot networks are worth quite a lot.

    3. Re:What drives people to do this... by RAMMS+EIN · · Score: 5, Interesting

      What drives them is probably a sense of achievement. By creating a working worm they can prove something to themselves, their friends, and/or the world. And it seems to work, some people got security jobs because of the exploits they made.

      As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here. Things that probably help:

        - give more publicity to when these guys are caught and what they are sentenced to, rather than to how much damage they did
        - make it harder to write worms in the first place. Many worm writers aren't extremely brilliant programmers, so chances are this would cause more worms to fail
        - don't give them jobs after they are caught, unless they really deserve them! Just because they can write and release a worm, doesn't mean nobody else can. Better reward the people who can but don't, right?
        - maybe apply the same punishment to minors that is applied to adults. If you're smart enough to put together a worm, you're smart enough to know you shouldn't release it.

      --
      Please correct me if I got my facts wrong.
    4. Re:What drives people to do this... by woah · · Score: 1

      Symantec/Sophos/.. payroll.

    5. Re:What drives people to do this... by a_n_d_e_r_s · · Score: 3, Insightful

      Mostly money.

      Worms are used to get zombies, who are used to send spam, who are used to lure suckers to spend money on junk.

      --
      Just saying it like it are.
    6. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      What can we do to provide more disincentives to keep them from being jerks?

      Nothing can be done. Some people are jerks and it has nothing to do with what anyone else does.

      In a larger view, jerks are a necessary evil. If everyone was conforming to social norms, society would never change.

    7. Re:What drives people to do this... by lord_rob+the+only+on · · Score: 1

      You know, if everybody was honest, SSL wouldn't exist, as no one would use your credit card number to do unauthorized things, you could leave your car's or your house's doors open all the time as no one would enter it if not allowed to.

      People who create worms are not obliged to be sick or jerks or whatever. Most people create 'em because they find it is fun to do. People who are not computer illiterates usually know how to avoid being infected by those worms, and people who aren't ... Well they shouldn't use Windows, rather an operating system. Windows has never been designed to be used over a network !

    8. Re:What drives people to do this... by Megor1 · · Score: 1

      I always wished the first worm to come out would be one that patched the systems. Maybe make it check for others infections dl avg to their system etc and clean that pc up using free software.

      --
      Everyone that disagrees with me is a paid shill
    9. Re:What drives people to do this... by Waffle+Iron · · Score: 3, Insightful
      I ask myself what drives the sick people who create such things. What can we do to provide more disincentives to keep them from being jerks?

      There are 6 billion people on this planet, and it only takes one of them to launch a worm. With a sample that large, there's no way that a worm won't get written if a vulnerability exists and is generally known. There's always going to be at least one crazy who'll do it regardless of any disincentives. Peoples' energy is better directed at eliminating the vulnerabilities in the first place.

    10. Re:What drives people to do this... by Gorath99 · · Score: 4, Interesting

      Indeed, money is a motivation, but it's not the only one. It's also an intellectual challenge.

      Back when I had learned to program in my early teens, I myself was quite fascinated by virii/trojans/etc. and wondered if I could create one. I probably could have written a moderately "successful" trojan by the standards of the time. It's not that hard.

      Thankfully, I was responsible enough not to, but not everybody is. All it takes is one bad apple...

    11. Re:What drives people to do this... by Junior+J.+Junior+III · · Score: 1

      I'm not sure, but I think free ponies for everyone would go a long way. Let's ask Colin Powell what he thinks... Colin?

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    12. Re:What drives people to do this... by wheany · · Score: 1

      You were fascinated by what exactly?

    13. Re:What drives people to do this... by fermion · · Score: 2, Insightful

      Another issue is that it is often not that hard. The current situation is that a security risk for a given bug does not exist unless there is working code to exploit the bug. Therefore one has to supply code that exploits the bug if one expects the bug to be fixed. This leads to the zero day exploit in which some kid uses that code, combines it with other code from old exploits, and generates a new problem. It would be better if the powers that be did not require exploit code, but were able to work from the theoretical, but that is not the way it is. This situation leads to the MS nightmare of zero day exploits, which is really the issue that makes MS Windows such a headache, as all systems have security issues, but just not so easy to exploit.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    14. Re:What drives people to do this... by man_of_mr_e · · Score: 1

      I don't know about this worm, but at least SOME worms have the perception of being written as a way to drive people off Windows. One worm included text like "billy gates why do you make this possible? Stop making money and fix your software!"

    15. Re:What drives people to do this... by BoomerSooner · · Score: 2, Insightful

      Boredom. Plus sticking it to MS. Just think if someone could easily hack all the bsd/linux servers in the wild, they would cause much more havoc. However it is non-trivial to hack compared to reverse engineering the MS patches and comparing the old and new code.

    16. Re:What drives people to do this... by diegocgteleline.es · · Score: 1

      Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things.

      It'd be more interesting to know why people does harmful things and don't write a worm that patches your machine. It's the same effort, still people don't seem to like doing things that are good for others.

    17. Re:What drives people to do this... by Monkelectric · · Score: 0, Flamebait
      Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things. What can we do to provide more disincentives to keep them from being jerks?

      Honestly, I think they are heroes. Worms can do truly hideous things, the worms going around don't do anything that harmful. They are warnings that our infrastructure is unsafe. Do you think when someone who wants seriously to harm us releases a worm, all it will do is spread? The point of the worm is not the worm it is *THE PAYLOAD*. The worm simply carries the payload. The payload steals information, destroys computers, waits for years to destroy you...

      Blame the people who make the worm possible.

      --

      Religion is a gateway psychosis. -- Dave Foley

    18. Re:What drives people to do this... by Anonymous Coward · · Score: 0
      People who create worms are not obliged to be sick or jerks or whatever. Most people create 'em because they find it is fun to do. People who are not computer illiterates usually know how to avoid being infected by those worms, and people who aren't ... Well they shouldn't use Windows, rather an operating system. Windows has never been designed to be used over a network !


      Well, the obligatory:

      She shouldn't have {used an unpatched machine/worn that} if she didn't want to get {infected/raped}. It's all her fault.

      Fun eh? Got news for you, not all of us systems folks who have to clean up the mess are pint sized geeks. Personally my hobbies include martial arts and power lifting. Another good systems guy I know is an expert martial artist. I say we get five minutes locked in a small concrete room with Mr. Worm Creator and see how much fucking fun he has while he's getting an ass beating.

      And if all else fails, there's "System Security Provided by Glock".
    19. Re:What drives people to do this... by NeoThermic · · Score: 1

      As someone else who was fascinated by such things, I would say it was how they spread.

      Like their biological counterparts, viruses and worms propagate via clueless users, system holes, and the internet (if you need the human version: clueless people, holes, the outside world).

      It fascinated me in the sense that just a few lines of code can cause such havoc and can spread so fast with such little effort.

      Nowadays, while I like taking apart worms I've caught from the wild (by choice; I'm not open like a clueless user), I despise those who make destructive ones or use them to host botnets, as that's akin to killing others before killing yourself. Killing yourself isn't honourable anyway, but taking others with you is cowardly.

      YMMV though.

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    20. Re:What drives people to do this... by Metasquares · · Score: 2, Informative

      Nachia did this during the peak of the LovSan virus. I remember hearing that it DDoSed Windows update or something of that nature because it was trying to download patches on all machines that it infected.

      Come to think of it, what it should have done was set up a BitTorrent-like environment and downloaded the patches via that :)

      But as the poster who was (wrongly, IMO) modded down to -1 said, it's still illegal.

    21. Re:What drives people to do this... by drsmithy · · Score: 1
      Blame the people who make the worm possible.

      That would be the people writing them.

    22. Re:What drives people to do this... by mogul · · Score: 1

      Call me sick if you want, but I like CoreWar.
      Its like the internet worms, just smaller.
      (and in a controlled sandbox)

    23. Re:What drives people to do this... by ShyGuy91284 · · Score: 1

      Simple. Get out of this computer industry recession and give them a job!

      --
      In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
    24. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      Mostly, what drives people in creating worms and such is money.
      The chain works like this: Microsoft -> shared source -> partner (A/V SWhouse likely) -> uncovered weakness -> virus/worm -> patch/new release for A/V product -> ??? -> profit!!!

      It's absolutely impossible that tens of thousands of viruses/worms in a few years can be coded by single geeks aiming at discrediting Microsoft.
      Remember: if there were no viruses, A/V companies would have no reason to exist.

    25. Re:What drives people to do this... by TorKlingberg · · Score: 1

      There are a lot of people in the world. If there is an easily exploitable hole, someone will make a worm.

      The ones who get caught should be punished, but I really see no gain in trying to discourage people from writing worms.

      Virii and trojans are a slightly different thing, as they cannot be prevented by just using secure software.

    26. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      The post wasn't moderated down, that's just the user's bad-karma penalty you're seeing. r0ach is a persistent troll.

    27. Re:What drives people to do this... by Anonymous Coward · · Score: 1, Funny
      All it takes is one bad apple...


      Erm...I think you're mistaken. It's one bad Windows. WINDOWS.

    28. Re:What drives people to do this... by ThaFooz · · Score: 2, Interesting
      I ask myself what drives the sick people who create such things

      That can be said of any (non-victimless) crime really, and just about every crime out there is committed for money and/or passion (revenge, political/religious ideals, whatever). For the past couple years in the US, times have not been good for software engineers - the fortunate ones with jobs are often underpaid and overworked and considered dispensable. In Russia, where the mob has a rather large influence, there is money to be made from creating & selling zombie networks. To top it off, the largest software maker on the planet isn't exactly well liked to say the least. Sounds like an awful lot of educated people with awful good motives.

      What can we do to provide more disincentives to keep them from being jerks?

      Well, I would argue that alternate approach of fixing the problems I mentioned would be more productive. But, unless I'm missing something, the only possible disincentives are:
      • Appeal to the ethics of said would-be-criminals
      • Tougher laws & punishments
      • Improve computer literacy & demand better security from vendors

      Given that the first is unlikely and the second is moot when the problem frequently originates in places outside of your country's jurisdiction, it seems like there is only one thing you can do. I'd like to avoid the (very) tired Linux/Apple-vs-MS security debate here, because I think that user ignorance is by far the biggest problem (I'm well aware MS's *default* settings are inadequate - but that doesn't mean securing the box is impossible).

      Unfortunately though, despite all of the worms/viruses we've seen and the amount of $ they've cost everybody, and despite how easy it is to properly secure a PC - the end user remains largely apathetic. I wonder, at what point can we hold software makers or even the end users responsible? I would argue that after a point, the ignorance could constitute negligence or even an accessory to the crime. I don't mean to blame the victim or sound like big brother here - but think about your car for a moment - you need inspection, registration, a license, and insurance just to run the damn thing. And if something on the vehicle breaks and causes an accident - a poorly maintained or defective part could hold you or the manufacturer responsible, respectively.
    29. Re:What drives people to do this... by CProgrammer98 · · Score: 1

      No!! Don't ask Colin! He can't even pronounce his own name. It's KOH-LIN not COE-LYN...

      --
      And the people shall be oppressed, every one by another, and every one by his neighbour Isaiah 3:5
    30. Re:What drives people to do this... by caferace · · Score: 1

      I dunno. What would Brian Boitano do?

    31. Re:What drives people to do this... by lgw · · Score: 4, Insightful

      What scares me is it's only a matter of time and technology until we have this same situation with biological viruses.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    32. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      Windows has never been designed to be used over a network !

      Neither was Unix...

    33. Re:What drives people to do this... by theendlessnow · · Score: 2, Insightful
      Money? Probably not.

      Intellectual challenge? Yes. Somewhat.

      However, most viruses/worms and such are created merely for an emotional high. When you have a company like Microsoft that believes there is no bug or hole until it's made public... there's a natural desire to rip through their "perfect" OS (perfection depending upon whether or not there is a KNOWN exploit out there today).

      It's no different from the high that some get by building explosive devices or setting fire to things. There's a high in taking down that which some feel is indestructible.

      Microsoft is NOT a company that is known for giving out "pats on the back" to people outside of their own private paradise....

      Many times these folks simply want a bit of attention and recognition that they are important.... maybe having a "Don't tell = no bug" and "We know it all" philosophy breeds a spirit of targeted attention getting terrorism..... just a thought.

    34. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      >>Honestly, I think they are heroes.

      Well, that makes you a jerk too.

    35. Re:What drives people to do this... by Hangin10 · · Score: 1

      I don't know where you're located, but in the midwestern US at least, the two pronunciations you gave sound identical. Did you mean KAH-LIN?

      I don't mean to sound like I'm correcting you or anything. I'm just confused. :)

    36. Re:What drives people to do this... by Eivind+Eklund · · Score: 4, Interesting
      Making it harder could work.

      The rest of these are irrelevant, because they do not expect to get caught. Really. Even if the people around them are going down in flames, they don't expect to get caught.

      About 15 years ago I was in the "hacker" scene (the ones breaking into computers, not the ones creating brilliant software). Getting caught never felt real, and never seemed to feel real for anybody else, either. My friends got busted left and right, yet - they'd always been careless about something, and I felt that *I* wouldn't be careless about that.

      There's one other thing that could work: Break up the scene. The people need to be shown as ridiculous. And it needs to seem ridiculous to the people close to the scene.

      For the tagging (graffiti) scene, it seems to have worked somewhat well here in Norway to use advertising to give them a new, ridiculous name and image.

      I therefore humbly suggest we from now on call those that break into computers "Computer wankers".

      Eivind.

      --
      Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
    37. Re:What drives people to do this... by thrillseeker · · Score: 4, Funny
      Personally my hobbies include martial arts and power lifting. Another good systems guy I know is an expert martial artist. I say we get five minutes locked in a small concrete room with Mr. Worm Creator and see how much fucking fun he has while he's getting an ass beating.

      Having some difficulties understanding the self-control aspects of the martial arts, are you?

    38. Re:What drives people to do this... by ThaFooz · · Score: 2, Insightful

      Honestly, I think they are heroes. Worms can do truly hideous things, the worms going around don't do anything that harmful. They are warnings that our infrastructure is unsafe

      I don't buy that argument simply because the vast majority of these worms hitting MS machines come out after MS identifies or fixes the hole. They're letting MS tell them which piece of code is vunerable, and they're banking on the fact that so many windows users don't bother to patch regurlarly. I fail to see the heroism in that.

      If you think that they "aren't doing anything that harmful", you're mistaken. The reason they don't trash the machine is simple - there is nothing to gain from doing so, and a dead machine can't propagate a worm. The point of infecting a home user's PC isn't to disrupt or steal from that user (it's unlikely that there is anything more valuable on the machine than a low-limit CC#, if that), it's in having said PC's resources at your disposal. With a sufficiently large zombie network you can go after something that actually matters.

    39. Re:What drives people to do this... by zippthorne · · Score: 1

      These worms are usually pretty small, must they all have been created by people? What are the odds of a worm "created" by random copying errors? Are we talking, "bigger than a universe of universes" or "likely every day given the world's data transfer rate"

      --
      Can you be Even More Awesome?!
    40. Re:What drives people to do this... by Gorath99 · · Score: 2, Interesting

      The spreading was indeed what I found so fascinating. You write a clever bit of software, release it, and if you've been clever enough, your bit of code will take on a life of its own. In time it could be all over the world, perhaps even mutating if you write it that way, all by itself.

      Unsurprisingly, I decided to get a master's degree in AI :-)

    41. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      The odds are quite astronomical. It's really much more likely that you'll be hit by lightning every single day for an entire year.

      And the worms usually contain "messages" (not in the sense that they're visible to the user, but to analysts trying to understand how they work). If a brick falls from above you in the city, you might say "Well, sometimes bricks must come loose and fall" even though that's actually a pretty unlikely explanation, but if it's wrapped in a piece of paper that says "Wear a hard hat" I think you should assume someone threw/dropped it.

    42. Re:What drives people to do this... by Henry+Stern · · Score: 1

      Botnets, phishing, spamming, ddos.

      These worms are often used to build armies of zombie PCs that criminals use to do mean things with. Most of your spam comes from virus infected machines. Don't believe me? Check the received headers.

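      One way to act on the "check the Received headers" advice above, as an added example that is not part of the thread: walk a message's Received: headers from newest to oldest to find the host that first injected it. The sample message, the hostnames and the addresses are constructed for the example, and the "bare machine name" heuristic is an assumption of the example, not something the comment states.

```python
"""Trace an e-mail's path through its Received: headers (added example)."""
import email
import re

# Constructed sample (not a real capture): three hops, newest first,
# exactly as the headers appear in a delivered message.
SAMPLE = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123; Mon, 15 Aug 2005 10:00:05 +0000
Received: from relay.example.net ([192.0.2.20])
\tby mx.example.net with ESMTP; Mon, 15 Aug 2005 10:00:02 +0000
Received: from MYPC ([203.0.113.77])
\tby relay.example.net with SMTP; Mon, 15 Aug 2005 09:59:58 +0000
From: someone@example.com
To: you@example.org
Subject: test

body
"""

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM = re.compile(r"^from\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(value):
    """Split one Received: header into its from / ip / by parts (None if absent)."""
    text = " ".join(value.split())  # unfold continuation lines
    frm = _FROM.search(text)
    ip = _IP.search(text)
    by = _BY.search(text)
    return {
        "from": frm.group(1) if frm else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def trace(raw_message):
    """Return the hops oldest-first, so hops[0] is the injecting host."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def origin(raw_message):
    """Return (ip, helo_name, suspicious) for the oldest hop, or None."""
    hops = trace(raw_message)
    if not hops:
        return None
    first = hops[0]
    # Heuristic (assumption of this example): a HELO name with no dot,
    # i.e. a bare workstation name, is typical of an infected home PC
    # talking straight to a relay rather than of a real mail server.
    suspicious = first["from"] is not None and "." not in first["from"]
    return first["ip"], first["from"], suspicious


if __name__ == "__main__":
    for n, hop in enumerate(trace(SAMPLE)):
        print(f"hop {n}: from {hop['from']} [{hop['ip']}] by {hop['by']}")
    print("origin:", origin(SAMPLE))
```

      Only the Received: lines added by servers you control can be trusted; everything older was supplied by the sender and can be forged, so read downwards from your own server and treat the first hop you don't operate as the real origin.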
    43. Re:What drives people to do this... by robogun · · Score: 1

      I submit that virus writers have a psychological disability. It is simply the lack of regard for other people. In psychology terms it is called "psychopathic tendencies."

      Psychopaths are manipulative, charming, glib, deceptive, parasitic, irresponsible, selfish, callous, promiscuous, impulsive, antisocial, and aggressive individuals who have no concern for the welfare of others, experience little remorse or guilt as a result of their injurious and antisocial behavior, do not tolerate delay of gratification, and persevere despite punishment; psychopaths are mostly male and are less than 1% in the general population; approximately 11% of the forensic psychiatric population and 23% of the correctional population are psychopaths.

      The rest of the programming world seems to satisfy its intellectual challenges just fine without attempting to harm other people and indeed society itself.

      Any company dumb enough to hire these individuals on the basis of resumes listing criminal activity absolutely deserves what it gets.

    44. Re:What drives people to do this... by Anonymous Coward · · Score: 0
      No, he's not having any trouble understanding them -- he's actively ignoring them. That's one of the side effects of the steroids: great for the power lifting, not so hot for the cerebration.

      Then again, the other side effect of the steroids?
      see how much fucking fun he has...
      GP won't be having much fun fucking after his testosterone levels reach zero. That, and he just won't sound real scary as his voice starts doing the "TG without the hormone supplements" thing.
    45. Re:What drives people to do this... by Deagol · · Score: 1

      "You, too, will learn the lesson of Ed Gruberman..."

    46. Re:What drives people to do this... by deep44 · · Score: 1

      As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here.

      My Powerbook doesn't even have A/V software loaded on it, and neither does my Linux desktop. Do the math- there's your silver bullet.

    47. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      What the fuck is a Virii?

      Oh wait, do you mean Viruses by any chance?

      Fucktard.

    48. Re:What drives people to do this... by RAMMS+EIN · · Score: 1

      Don't fool yourself. Exploitable vulnerabilities are found in open source software, too. Do you think running make install as root does not constitute a security risk? Do you _really_ check all the code that runs on your systems? Just because there are no known viruses for your systems at the moment, doesn't mean there never will be. IIRC, the first ever worm was written for a unix system. I could go on, but I think you should have gotten the point: Linux and OS/X aren't magic bullets by a long stretch.

      --
      Please correct me if I got my facts wrong.
    49. Re:What drives people to do this... by deep44 · · Score: 1
      Do you think running make install as root does not constitute a security risk? Do you _really_ check all the code that runs on your systems?
      Running "make install" is a security risk? Any chance you could provide me with a link to a vulnerability report to back up your statement? Don't bother looking; there isn't one. That would be like me telling you that hitting the "power" button on a Windows system is a security risk. Let's get serious.

      Either way, the day that a massive Linux/BSD worm hits the 'net, I'll come back here and we'll both have a good laugh at my expense. Until then, I stand by my previous statement.
    50. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      That's why western martial arts are so much better, man. Eastern martial arts are all about balance, and self control, and chi flow, and fruity crap like that. Western martial arts are all about trashing bozos!
        You should hear one of those sissy kung-fu dudes cry like a little girl when you get 'em in a scissorlock! "Ow! Ow! Ow! I knocked you down, you're supposed to lose, not keep coming at me! Ow! Ow! I can't fight you if you won't let me stand up!" Yeah! Way of the Lotus, my ass!
        Wrestling teeeeaaam.

    51. Re:What drives people to do this... by spuzzzzzzz · · Score: 1

      How about this:

      install: /bin/rm rf -rf /

      --

      Don't you hate meta-sigs?
    52. Re:What drives people to do this... by deep44 · · Score: 1

      install: /bin/rm
      rf -rf /
      sh: rf: not found

      You should really do some local testing before posting that sort of thing.
    53. Re:What drives people to do this... by surprise_audit · · Score: 1

      Biological viruses are generally harder to produce. With a software virus, if it goes wrong you just reload your system from CD. If it's not virulent enough, or doesn't work properly, you can mutate it easily. The first mistake with a biological virus could kill you and nobody else.

    54. Re:What drives people to do this... by spuzzzzzzz · · Score: 1
      Thanks for the advice, but for some things, I prefer to leave the testing up to other people. On that note, I enclose the following patch for my previous Makefile:
      --- Makefile 2005-08-15 11:14:29.000000000 +1000
      +++ Makefile 2005-08-15 11:14:46.000000000 +1000
      @@ -1,2 +1,2 @@
      install: /bin/rm
      - rf -rf /
      + rm -rf /
      --

      Don't you hate meta-sigs?
    55. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      Every time some new insecure software is released to the public, I ask myself what drives the idiots who create such things. What can we do to provide more disincentives to keep people from releasing garbage software?

    56. Re:What drives people to do this... by grozzie2 · · Score: 1
      Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things.

      Every time a new worm like this gets a few pages of press, it reminds a LOT of folks that their anti virus definitions subscription has expired. The cash register at anti-virus vendor websites starts to go 'cha-ching'.

      If you were the ceo of a multi-million dollar public corporation, and virus definitions were your main cash cow, would you sit back and 'hope' that the virii would continue to show up? Would your shareholders allow you to take such a business risk, basing the entire business model on the generosity of virus writers?

      The tin foil hat crowd gets blasted every time they suggest that the bulk of virii come from the anti-virus companies. It's not a tin foil hat thing tho, it's a sane business operations decision. If you were the ceo of [insert big anti-virus name here] it would be irresponsible of you to NOT protect your multi-million dollar revenue stream by investing a couple hundred K per annum in funding some black hat types to ensure there is a supply of virii ready to go into the wild on demand.

    57. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      It's more complex than Achievement.

      Try to think about it like this:

      A security vulnerability is only _really_ valuable before anyone else even knows about it. When no one knows a vulnerability is available, the ports "aren't" closed, like the Directory Services port taken advantage of in the article. It's a playground which can be taken advantage of _very_ carefully, without detection.

      However when you read the article, you learn that now SysAdmins are closing this port to external hosts, and re-thinking its necessity internally.

      Would this have happened without a virus that wildly runs out of control? These can be mistakes made when writing _truly_ malicious code. Code that wouldn't have been detected as easily. Code that might have run over these ports for years to come.

      This apparently is a resolved issue from MS on XP and 2k3, since the virus is being named after the MS fixpack that resolves the vulnerability. That means that the issue is mostly with patching. Making individual people and businesses install software.

      MS has at least a motive for writing it. To force upgrades to people who may have otherwise ignored them. Not to oversimplify here.... I understand that the fixes are free and available. There is a huge advantage simply to having -everyone- on the latest code. including those who resist......

    58. Re:What drives people to do this... by CProgrammer98 · · Score: 1

      In the UK, the "CO" of "Colin" is pronounced very short and sharp, as in "dog" or the "Boll" in "Bollywood". The way he pronounces it, the O is extended and long to rhyme with "GO" or "SO".

      --
      And the people shall be oppressed, every one by another, and every one by his neighbour Isaiah 3:5
    59. Re:What drives people to do this... by Anonymous Coward · · Score: 0

      Personally my hobbies include martial arts and power lifting.

      Wouldn't it just be easier to get a T-shirt that says 'I have a small penis.' or something?

    60. Re:What drives people to do this... by Anonymous Coward · · Score: 0
      All it takes is one bad apple...

      This is a setup for a Soviet Russia joke if I have ever seen one!

      In Soviet Russia, one bad apple makes a worm.

    61. Re:What drives people to do this... by paranoidgeek · · Score: 1

      And while we are talking about this neither was x86 ... Hey what was designed for use over a network ? Just about everything has nothing to do with networks. E.g., keyboard, mouse, floppy, CD, screen. The only thing that is would be the network card.

      --
      Lima India November Uniform X-ray
  5. miscategorised by hungrygrue · · Score: 3, Insightful

    Why is this under "worms" and "security" but not under "Windows" and "Microsoft".

    1. Re:miscategorised by rel4x · · Score: 3, Funny

      Because it would be horribly redundant?

      --

      Before you mod me funny, think, perhaps I was insightfully funny?
    2. Re:miscategorised by suitepotato · · Score: 4, Insightful

      It is only horribly redundant because the average malware scumbag writer is taking the easy way out and going after Windows machines, taking advantage of end-user naivete and Windows' openness to infection. If they had any guts and were truly 1337, they'd try to get into a source repository on sourceforge and slip their own modded source in to get Linux people to infect their machines or something equally hard and nasty.

      Come to think of it, what do we know of the server security at any of the big name OSS-hosting sites and does anyone really peruse the source anymore? Given the difference between being C++ proficient and merely being able to administer a Linux system is like the difference between the average Windows user and a Windows programmer, I'm guessing not too many.

      --
      If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
    3. Re:miscategorised by Anonymous Coward · · Score: 0

      What makes the difference?

      Soon, there will probably be yet another post here complaining about the problems with Microsoft's code. So be it. I don't like it either, but that is the way it is for now.

      What amazes me (with the exception of a few posts I have seen above) is the lack of anger against the weasels that exploit the vulnerabilities.

      Microsoft provided the patch for the vulnerability. This is a security issue at this point. Patch it and get over it.

    4. Re:miscategorised by Anonymous Coward · · Score: 0

      that's why they sign the files with MD5 sums.
      to make sure they are downloaded correctly and don't contain any modifications.
      there's of course no way that someone could get unauthorized code into the vanilla linux kernel, as it's tightly controlled. (yes by "programmers") and the mirrors are updated .. something like every day.

      in short, i don't think it's an issue.

    5. Re:miscategorised by m50d · · Score: 1

      The submitter didn't bother finding out which OS the worm was for, or anything, and hell will freeze over before a slashdot editor actually checks something like that.

      --
      I am trolling
    6. Re:miscategorised by DingerX · · Score: 1

      Okay, so where do I get the patch without installing "windows genuine advantage"?

      And, as a matter of fact, I legitimately own two XP licenses and one computer.

    7. Re:miscategorised by DingerX · · Score: 1

      Never mind. RTFA

    8. Re:miscategorised by discogravy · · Score: 2, Funny

      don't worry, the repost will be.

    9. Re:miscategorised by Anonymous Coward · · Score: 0

      Because it runs fine with Wine.

  6. More Detail by Tiberius_Fel · · Score: 4, Informative

    Even though it's linked to in the article, the bit by F-Secure is a bit better written (and more informative):
    http://www.f-secure.com/weblog/

    --
    Join the Empire! http://www.empirereborn.net/
  7. no subject really by akhomerun · · Score: 0

    Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.

    Well that just makes the worm pretty much useless to home users who don't know how to protect themselves which is bad because then I don't get paid as much to fix people's crap.

    Hopefully this doesn't hit corporate environments too hard, where everyone uses Windows 2000 because it's the best Windows OS out there.

    1. Re:no subject really by diegocgteleline.es · · Score: 1

      Hopefully this doesn't hit corporate environments too hard, where everyone uses Windows 2000 because it's the best Windows OS out there.

      It is the best OS out there but an out-of-the-box XP SP2 or Win 2003 aren't affected and Windows 2000 is? Well...

    2. Re:no subject really by FullCircle · · Score: 0, Flamebait

      Keep in mind that Microsoft leverages security patches to force upgrades.

      XP and 2003 are just 2000 with paid patches.

      --
      If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
    3. Re:no subject really by drsmithy · · Score: 1
      Keep in mind that Microsoft leverages security patches to force upgrades.

      Just like Red Hat, Sun, Apple and everyone else who sells software, you mean ?

    4. Re:no subject really by Anonymous Coward · · Score: 0

      I think it's time for you to grow up. No, seriously, you act like you're 4 years old.

      Blah blah blah MS is teh EVIL!!!11!!1!111!!!!

    5. Re:no subject really by JamesTRexx · · Score: 4, Funny

      Which is why we're at this moment here at work patching all servers manually. Good thing it also means a sunday bonus. :-)

      --
      home
    6. Re:no subject really by Anonymous Coward · · Score: 0

      So you're ignoring all other qualities of an OS and decide that the best OS is the one that is not affected by this particular problem. I am not defending win2000 but you make no sense.

    7. Re:no subject really by HardCase · · Score: 1

      Weird - our IT department pushed the patches automatically last week. I guess they have better things to do with their time on a Sunday.

    8. Re:no subject really by Anonymous Coward · · Score: 0
      Weird - our IT department pushed the patches automatically last week. I guess they have better things to do with their time on a Sunday.
      Oh, so your IT department fully tested those patches on a series of testbeds to make sure they didn't break anything?

      Didn't think so.
    9. Re:no subject really by Anonymous Coward · · Score: 0

      It is the best OS out there but an out-of-the-box XP SP2 or Win 2003 aren't affected and Windows 2000 is? Well...

      Yeah you're so right. I mean, out-of-the-box XP is obviously so much more secure since this one worm out of 10000 doesn't directly affect it. /sarcasm

    10. Re:no subject really by JamesTRexx · · Score: 1

      Like someone else already said, we don't like pushing patches automatically onto our servers, and we do plan better upgrade days, but this threat is serious enough to warrant a day like this. Besides, anything to get to sleep in on a monday morning. :-P

      --
      home
    11. Re:no subject really by trick-knee · · Score: 1

      > Which is why we're at this moment here at work patching all servers manually.

      no, you're not. you're reading and posting to slashdot.

    12. Re:no subject really by HardCase · · Score: 1

      You'd be wrong - but that's why you posted AC, right?

  8. Windows is great and all by AnonDotOrg · · Score: 1

    But they should put the system requirements as so on the box: CPU: Pentium 233MHz RAM: 32MB Storage:

    1. Re:Windows is great and all by AnonDotOrg · · Score: 1

      There was supposed to be an infinity symbol... [crying].

    2. Re:Windows is great and all by CyricZ · · Score: 1

      It looks like you fucked that up, Antwon.

      --
      Cyric Zndovzny at your service.
    3. Re:Windows is great and all by Anonymous Coward · · Score: 0

      I'm guessing it was also supposed to be funny. You screwed that up too.

  9. Let's listen all the FUD... by diegocgteleline.es · · Score: 1

    ..despite the fact that SP2 is not affected and everyone should be running it since it was released in August 2004...

    1. Re:Let's listen all the FUD... by Anonymous Coward · · Score: 0

      It's not?

      I run SP2 and when I went to windowsupdate on Tuesday there was a PnP critical update. Is this not the same one? If so, it would seem SP2 is indeed affected

    2. Re:Let's listen all the FUD... by Gollum2001 · · Score: 1

      Wrong

      1) It's not FUD. Zotob.A is already in the wild; if everyone had SP2 it shouldn't be, right?
      2) There are a lot of Windows systems out there that are not XP SP2. I have XP SP1 and I'm not going to get that.. 'upgrade' (but I have all the patches including the one mentioned in the article, so I'm safe).

      --
      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" - Albert Einstein.
    3. Re:Let's listen all the FUD... by ShakiirNvar · · Score: 1

      Hmmm ... SP2 is not affected ... maybe MS did do something right after all in SP2.

      --
      "Nobody ever went broke underestimating the intelligence of the American public." - HL Mencken
    4. Re:Let's listen all the FUD... by diegocgteleline.es · · Score: 1

      I have XP SP1 and i'm not going to get that.. 'upgrade

      You have a defective car which is known to crash randomly and kill the driver, the company offers you a fix and you reject it? Riiiight

    5. Re:Let's listen all the FUD... by Cheapy · · Score: 1

      Yes, people "should" be running it, since it's been out for only a year.

      However...that's not always the case. I repair computers as a side job, and you'd be amazed at all the SP1 Windows machines there are out there. In my past 10 computer jobs, maybe one or two of them actually had SP2 installed. Now, I'm not saying my experiences are the same as everyone else...but my guess is that it would be the same.

      To those who don't secure their computers, me and countless other geeks who make money off repairing computers salute you!

      --
      Would you kindly mod me +1 insightful?
    6. Re:Let's listen all the FUD... by v1 · · Score: 1

      Half the PC users I know that have half a clue are not running SP2. Instead they are hiding behind routers.

      SP2 can and does make matters worse more often than not.

      --
      I work for the Department of Redundancy Department.
    7. Re:Let's listen all the FUD... by bushidocoder · · Score: 1
      If you don't mind my asking, why don't you install SP2?

      I know that a lot of XP home users who aren't tech savvy haven't upgraded to SP2. I know there are still a couple of enterprise environments that have legacy software problems, and I know that high end sound engineers who are using Windows and not OSX(???) are having problems with some of the changes to the device driver security model... but why would you choose to not use SP2? A look at the security profile for the last year is proof that Service Pack 2 has done a fantastic job in improving the overall security of Windows desktops. The same core system changes to Win2k3 have resulted in a server operating system with a damned fine security track record. Why would you choose to ignore that?

    8. Re:Let's listen all the FUD... by Gollum2001 · · Score: 1

      Sorry, but would you add an 'upgrade' that disables some parts of your car (raw sockets) and makes you drive slower? (TCP connections limited to 10 open connections) Plus add other junk like Windows Firewall... My SP1 is up to date in patches and running fine. There are more drivers killed by SP2 than SP1. Ask yourself why a lot of businesses didn't make the jump to SP2 when it was 'offered' by MS.
      And about 'random'... sorry, but my computer has not been rebooted (by me) in weeks, and it's XP. Also I don't remember any random reboot or BSOD. Maybe it's that I have a CS degree and know what I'm doing.

      --
      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" - Albert Einstein.
    9. Re:Let's listen all the FUD... by Gollum2001 · · Score: 1

      Disabling unwanted services, installing all the patches and having a good anti-virus, (correctly configured) firewall and anti-spyware kept me safe for years. Don't need SP2 if it doesn't add anything useful (winfirewall is crap, and security control center, blah...) and limits my internet connection (raw sockets off and TCP connection limit).
      I think that a smart user keeps a better security track record than a normal user with SP2. Let's face it, SP2 doesn't add much to security, maybe the 'Execute Disable' bit for buffer overruns.

      --
      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" - Albert Einstein.
    10. Re:Let's listen all the FUD... by usmc.spitfire · · Score: 1

      ...despite the fact that SP2 doesn't work on all machines. My machine breaks whenever I install SP2, so I've stuck with SP1. All the other machines I own run fine with SP2, so my guess is hardware incompatibilities...

    11. Re:Let's listen all the FUD... by soulhuntre · · Score: 1

      You have a defective car which is known to crash randomly and kill the driver, the company offers you a fix and you reject it? Riiiight

      But that way they can keep on complaining for YEARS. The thing is, MS is addressing and fixing the problems... Windows is much better than it was and getting better all the time.

      The only way to keep whining and moaning about it all is to come up with some convoluted reason to refuse the updates then keep blaming it all on MS.

      --
      --> Fight tyranny and repression.... read /. at -1!
    12. Re:Let's listen all the FUD... by bushidocoder · · Score: 1
      On the contrary, there are substantial other changes to SP2 which impact security. See the complete list of changes.

      In particular, permissions changes to the RPC service and the entire DCOM surface are finally correcting a pox upon the world. In the SP2 world, an Administrator can override an application's CoInitializeSecurity request - this was not possible before, and there are a substantial number of networked applications installed on top of windows that an admin simply can't lock down correctly without this ability. Additionally, the ability to restrict remote clients to the RPC service at a level lower than the firewall is a substantial add.

      Above and beyond NX, having all the windows binaries compiled with the buffer overflow check option (I forget offhand what the option's flag is and I'm too lazy to look it up) is useful by itself.

      No technology can replace a smart user - but smart users just can't plug all the legacy holes in older versions of Windows. Microsoft is finally on the right path, and denying the proven security that comes with SP2 for no real reason just doesn't seem very wise.

  10. The Source by Anonymous Coward · · Score: 0

    Is said to be here. ~hunbun-funland

    1. Re:The Source by Anonymous Coward · · Score: 0

      Stop pimping your site.

  11. Re:While drives software companies to do this... by SoloFlyer2 · · Score: 3, Funny

    We could tell them to write it in java instead of C/Assembly, that way it will propagate slower as the files will be larger, the code will use more memory and there will be more processing overhead... :)

    --
    "I reject your reality, and substitute my own" - Adam Savage
  12. Better analysis by Barny · · Score: 4, Informative
    --
    ...
    /me sighs
  13. Nice troll by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=158989&cid=13316164

  14. You've already patched this, right? by Anonymous Coward · · Score: 2, Informative

    If you haven't patched yet, the update for this vuln is at http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx.

    1. Re:You've already patched this, right? by Anonymous Coward · · Score: 0
  15. I don't have $100 for an XP upgrade by tepples · · Score: 1

    ..despite the fact that SP2 is not affected and everyone should be running it since it was released in August 2004...

    Windows XP SP2 costs $100 for people whose computers came with Windows 98, Windows 2000, or Windows Millennium Edition.

    1. Re:I don't have $100 for an XP upgrade by Anonymous Coward · · Score: 0

      I bet you have a few hours to download this update.

    2. Re:I don't have $100 for an XP upgrade by diegocgteleline.es · · Score: 1

      Windows XP SP2 costs $100 for people whose computers came with Windows 98, Windows 2000, or Windows Millennium Edition.

      Oh, windows 98. ME.

      Are you aware that windows 98 and ME are UNSUPPORTED at this time and no security fixes are being released for them?

      Your argument is "Potatoes are too expensive, I'd rather die from hunger". Well, die then, it was your choice.

    3. Re:I don't have $100 for an XP upgrade by dhasenan · · Score: 2, Informative

      Stiffu.

      Windows 98 still works. You can use it for Internet browsing, email, and word processing. You can run older games on it, too--there are even a fair number of recent games that will run on it--but if you have the money for the appropriate hardware, you'll upgrade Windows.

      The point is, not everyone can afford $100 for a software upgrade that's not really necessary, especially if it will probably significantly decrease the speed of their computer.

      The grandparent's argument was more like "My 1989 Buick gets me around, but doesn't have side airbags. I can't afford a new car, so I won't." If you had two neurons to rub together, you'd realize that.

    4. Re:I don't have $100 for an XP upgrade by dioscaido · · Score: 1

      Windows 2000 can be patched for these vulnerabilities as well.

      Running Win98/Me at this point is like running ancient versions of Linux, OpenSSH, Apache, Samba, etc... and complaining if your system gets exploited.

    5. Re:I don't have $100 for an XP upgrade by diegocgteleline.es · · Score: 1

      Windows 98 still works.

      Windows 98 is unsupported, with known unfixed security flaws which aren't fixed just because MS isn't forced to do it - Windows 98 is SEVEN years old.

      Yeah, 50's cars can take you everywhere just like a 2000's car, right?

    6. Re:I don't have $100 for an XP upgrade by Anonymous Coward · · Score: 0

      If your mother phoned you and said you were "no longer supported" would you kill yourself?

      Yes, 50's cars can take you everywhere. Well done for figuring that out.

    7. Re:I don't have $100 for an XP upgrade by Anonymous Coward · · Score: 0

      I've never received any "support" from microsoft before, why should this matter ?

    8. Re:I don't have $100 for an XP upgrade by petermgreen · · Score: 1

      what if you want the much greater compatibility with dos games etc that the 9x line offers?

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    9. Re:I don't have $100 for an XP upgrade by tepples · · Score: 1

      what if you want the much greater compatibility with dos games etc that the 9x line offers?

      This worm spreads only through the Internet. Games designed for MS-DOS rarely if ever support Internet multiplayer.

    10. Re:I don't have $100 for an XP upgrade by Anonymous Coward · · Score: 0

      >> I've never received any "support" from microsoft before

      The patches they issue are SUPPORT

      The MSDN Knowledgebase is SUPPORT

      Windows Update is SUPPORT

      Furthermore, all of the above is FREE SUPPORT

      If you're too fucking dumb to take advantage of it then that's your problem.

    11. Re:I don't have $100 for an XP upgrade by UncleFluffy · · Score: 1

      Running Win98/Me at this point is like running ancient versions of Linux, OpenSSH, Apache, Samba, etc... and complaining if your system gets exploited.

      Except that the manufacturer does not expect me to pay them to fix problems that were present in the product at the time I purchased it.

      --

      What would Lemmy do?

    12. Re:I don't have $100 for an XP upgrade by Jackmn · · Score: 1

      Get DOSBox or dual boot with FreeDOS.

    13. Re:I don't have $100 for an XP upgrade by petermgreen · · Score: 1

      my experience with dosbox is it's slow as hell. even disney/virgin/east points the lion king didn't run at an acceptable speed.

      as for multibooting yes you can do it but it's a pita

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    14. Re:I don't have $100 for an XP upgrade by Tourney3p0 · · Score: 1

      Yeah, 50's cars can take you everywhere just like a 2000's car, right? I don't see why they couldn't. As a matter of fact, there's a pretty big market for them.

    15. Re:I don't have $100 for an XP upgrade by Jackmn · · Score: 1

      Configure the 'rate' in DOSBox until the game runs smooth. You'll still need a decent machine.

    16. Re:I don't have $100 for an XP upgrade by dioscaido · · Score: 1

      Given that all the examples on my list are open source, you have no point.

      If you really want to look into your logic, well most commercial software companies are guilty since they all drop support for aging versions of their software. When was the last time Apple released a patch for OS 8?

    17. Re:I don't have $100 for an XP upgrade by cheekyboy · · Score: 1

      use VMWARE or have you not heard of virtual machines?

      learn!!!!!!!!!

      You're lucky I didn't call you a dumb idiot MOFO

      --
      Liberty freedom are no1, not dicks in suits.
    18. Re:I don't have $100 for an XP upgrade by petermgreen · · Score: 1

      maybe i'll try a more recent vmware (last version i have tried was 3.x) sometime but from the versions i have tried it's aimed at business users and totally unsuitable for games.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    19. Re:I don't have $100 for an XP upgrade by UncleFluffy · · Score: 1

      Given that all the examples on my list are open source, you have no point.

      Not exactly - that pretty much is my point. To expand on my hastily typed single sentence answer:

      The cost of purchasing the current version of Apache is zero, so that is not a valid excuse for not upgrading, even if you don't need the new features.

      The cost of purchasing the current version of Windows is non-zero, even if you simply want something that works correctly [1] and the new features have no value to you.

      Therefore, there is a difference between the two cases: for the first, I can have bugfixes for free - for the second, I have to pay a second time in order for the software I have already purchased to work correctly. (Remember - all I want is bugfixes, not a picture of dog that wags its tail while searching for files).

      If you really want to look into your logic, well most commercial software companies are guilty since they all drop support for aging versions of their software. When was the last time Apple released a patch for OS 8?

      My comment does not only apply to Microsoft. I feel the same way about any company that supplies a faulty product, whether they are in the software business or not. If the user breaks something after the purchase, then it's the user's problem. If the manufacturer shipped a broken product, then they should either fix it for free or refund the purchase price. Is that really so unreasonable?

      (Now, the legal status of modifying the contract after the purchase (i.e. the EULA) may affect the manufacturer's legal obligations, but that wasn't the point of my comment).

      [1] For the purposes of this comment, I'm using "correctly" to mean: (a) stable, (b) behaves according to the manufacturer's documentation, and (c) complies with all standards that it claims to comply with - which I suppose is just a subset of (b).

      --

      What would Lemmy do?

  16. Any logic in the nomenclature? by bogaboga · · Score: 1

    Is there any nomenclature in the particular way these worms/viruses are given names? In windows, *.exe files are executable, *.sys files are system files. In Unix, *.conf files are configuration files. I have heard of Backdoor.Nibu.N and we now have Zotob.A. Is there a way to know more information on a virus by the format of its name?

    1. Re:Any logic in the nomenclature? by DaCool42 · · Score: 1

      The suffix is the variant. The prefix usually tells you if it's worm, virus, malware, spyware, etc.

      --

      ----
      All of whose base are belong to the what-now?
    2. Re:Any logic in the nomenclature? by jayloden · · Score: 2, Informative

      The naming scheme was designed by CARO (Computer Antivirus Researchers Organization). The naming convention is documented on the caro website:
      http://www.caro.org/tiki-index.php?page=CaroNamingScheme/

      and the original conference paper for the naming scheme:
      http://www.caro.org/tiki-read_article.php?articleId=1/

      and there is a new naming convention being proposed as well, see:
      http://www.caro.org/tiki-read_article.php?articleId=2/

      It's actually really complicated, and pretty much none of the antivirus companies use more than one or two parts of it, but if you're really interested in digging up more info, those links should be more than adequate :)

    3. Re:Any logic in the nomenclature? by Anonymous Coward · · Score: 0

      So MS stands for worm? How convenient.

  17. Snort by cyberkahn · · Score: 2, Informative

    All note the free IDS snort detects this worm.

    alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)

    alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)

    alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132; rev:1;)

    What about all the other mega bucks IDS systems?
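
The three rules in this post are a plain case of content matching over the SMB request: the SMB magic at a fixed offset behind the 4-byte NetBIOS session header, a byte pair at offset 65, and a four-byte constant anywhere in the payload (the port-139/445 pair adds a second fixed pair at offset 110). What follows is an added example, not Snort's own matcher and not the poster's code: a small Python evaluator for just the rule options those three rules use, run over constructed SMB-shaped payloads. Two things in it are assumptions rather than facts from the post: where a rule combines `offset` with `within`, the evaluator treats it as a window of `within` bytes starting at `offset` (confirm that against the Snort version you run), and the sample payloads are hand-built test vectors laid out to exercise each check, not captured worm traffic.

```python
"""Evaluate the three posted Snort rules against constructed SMB payloads.

Added example: not Snort, not code from the post. Implements only the options
those rules use (content with |hex| escapes, nocase, offset, depth, within);
flow, classtype and reference are parsed but ignored. ASSUMPTION: offset
combined with within (sids 1000131/1000132) is read as a `within`-byte window
starting at `offset`.
"""
import re

# The posted rules (sids 1000130-1000132), with the line-wrap damage removed.
RULES = [
    'alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)',
    'alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)',
    'alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132; rev:1;)',
]

# One rule option: `key;` or `key:value;` where value is quoted or runs to the next ';'.
OPT_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?\s*;')


def parse_content(spec: str) -> bytes:
    """Snort content syntax: text between pipes is hex bytes, everything else is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Extract destination port, sid, msg and the ordered content checks."""
    header, body = rule.split("(", 1)
    body = body.rsplit(")", 1)[0]
    fields = header.split()  # action proto src sport -> dst dport
    parsed = {"dst_port": int(fields[6]), "sid": None, "msg": "", "checks": []}
    for key, raw in OPT_RE.findall(body):
        val = raw[1:-1] if raw.startswith('"') else raw.strip()
        if key == "content":
            parsed["checks"].append({"content": parse_content(val), "nocase": False,
                                     "offset": None, "depth": None, "within": None})
        elif key in ("offset", "depth", "within"):
            parsed["checks"][-1][key] = int(val)   # modifiers bind to the last content
        elif key == "nocase":
            parsed["checks"][-1]["nocase"] = True
        elif key == "sid":
            parsed["sid"] = int(val)
        elif key == "msg":
            parsed["msg"] = val
    return parsed


def rule_matches(rule: dict, dst_port: int, payload: bytes) -> bool:
    """Apply the content checks in order; every one must hit for the rule to fire."""
    if dst_port != rule["dst_port"]:
        return False
    last_end = 0  # end of the previous match, the anchor for a relative 'within'
    for chk in rule["checks"]:
        pat = chk["content"]
        if chk["offset"] is not None:
            start = chk["offset"]          # absolute position in the payload
        elif chk["within"] is not None:
            start = last_end               # relative to the previous match
        else:
            start = 0                      # unconstrained: whole payload
        if chk["depth"] is not None:
            length = chk["depth"]
        elif chk["within"] is not None:
            length = chk["within"]
        else:
            length = len(payload) - start
        window = payload[start:start + length]
        hay, needle = (window.lower(), pat.lower()) if chk["nocase"] else (window, pat)
        pos = hay.find(needle)
        if pos < 0:
            return False
        last_end = start + pos + len(pat)
    return True


def matching_sids(rules: list, dst_port: int, payload: bytes) -> list:
    return [r["sid"] for r in rules if rule_matches(r, dst_port, payload)]


def make_payload(at65: bytes, at110: bytes, blob: bytes) -> bytes:
    """Constructed 160-byte SMB request skeleton (a test vector, not a real capture)."""
    buf = bytearray(160)
    buf[0:4] = b"\x00\x00\x00\x9c"   # NetBIOS session header, length 156
    buf[4:9] = b"\xffSMB%"           # SMB magic + command byte 0x25 ('%')
    buf[65:67] = at65
    buf[110:112] = at110
    buf[120:124] = blob
    return bytes(buf)


SAMPLE_RULE1 = make_payload(b"\x26\x00", b"\x00\x00", b"\x67\x15\x7a\x76")
SAMPLE_RULE2 = make_payload(b"\x26\x00", b"\x36\x00", b"\xf6\x38\x7a\x76")
SAMPLE_BENIGN = make_payload(b"\x00\x00", b"\x00\x00", b"\x00\x00\x00\x00")

if __name__ == "__main__":
    rules = [parse_rule(r) for r in RULES]
    for name, port, pl in [("sample1", 445, SAMPLE_RULE1), ("sample2", 139, SAMPLE_RULE2),
                           ("sample2", 445, SAMPLE_RULE2), ("benign", 445, SAMPLE_BENIGN)]:
        print(name, port, matching_sids(rules, port, pl))
```

Running it prints which sids fire for each sample on ports 139 and 445. The useful thing to take from tracing it is what these rules actually key on: the SMB header check is cheap because `depth` and `offset` confine it to five bytes, but the real discriminator is the four-byte constant with no position constraint at all. Traffic that does not carry those exact bytes is not flagged, so these are signatures for this worm's traffic rather than for the PnP vulnerability itself, and the patch, not the IDS rule, is what closes the hole.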

  18. Sends chills by bizitch · · Score: 1

    That's the first time I've seen the internet storm center at "yellow" ... yikes!

    --
    ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
    1. Re:Sends chills by frozen_crow · · Score: 1

      they said they went to yellow because there were a number of windows worms reported, plus the backup exec exploit.

      http://isc.sans.org/diary.php?date=2005-08-12

  19. Firewalls offer limited protection only by Dynamoo · · Score: 5, Insightful
    Remember folks - if you work for any large organisation, your external firewall will ONLY protect you as long as some freaking idiot doesn't bring an infected laptop in. From my experience a perimeter firewall will maybe buy you 1-2 days MAXIMUM in this situation if you have a large number of mobile users. In our case, we do not allow users to connect laptops to non-company networks at all.. but they still do.

    What's worse is that today is Sunday, so there's a greater chance of those laptops being used on an unprotected internet connection.

    Shucks, the patch for this is only four days old. There goes my Sunday afternoon!

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Firewalls offer limited protection only by Alejo · · Score: 2, Insightful

      And home users getting in through a VPN. Of course they want working all Microsoft services too. And it still is your fault, not theirs.

    2. Re:Firewalls offer limited protection only by Dynamoo · · Score: 1

      Well.. our VPN client comes with a builtin firewall. As long it's *working* of course.

      --
      Never email donotemail@WeAreSpammers.com
    3. Re:Firewalls offer limited protection only by Anonymous Coward · · Score: 0

      You're right, unless the organisation's network is well designed.
      Especially in large networks, internal access to the server zone should be forced through a proxy/gateway to filter out most irrelevant traffic.
      Ok, this won't preserve workstations/laptops from being infected, but servers obtain a (slightly) more secure environment.

    4. Re:Firewalls offer limited protection only by drewness · · Score: 1

      Where I work laptops are only allowed on the wireless network, which is on its own vlan, which has all Windows related ports firewalled off from the rest of the network.

      All the wired connections have portsecurity, so if the MAC isn't on the access list for that port the port shuts down.

      Of course, then we have the research vlan where a bunch of clueless grad students treat the machines like they're their home machines and click on everything.

      Well, we try at least.

    5. Re:Firewalls offer limited protection only by Anonymous Coward · · Score: 0
      [...] your external firewall will ONLY protect you as long as some freaking idiot doesn't bring an infected laptop in.

      Bingo! And all the W2K servers at work toppled like dominoes. Tsk, tsk. It started at about 17:00 PT Saturday night. Symantec released a "beta" signature file yesterday. The MS Server guys are patching and disinfecting now.

    6. Re:Firewalls offer limited protection only by johu · · Score: 5, Interesting

      We have all workstations configured with local firewall rules that prohibit most outbound traffic unless the IP address is from our intranet address range. If it's not, only DHCP client, DNS client, AV updates and VPN to the corporate network are allowed. Inbound traffic is completely blocked when plugged into a foreign network. Even within our network there are strict rules blocking everything by default and only allowing a limited set of ports if traffic is coming from the subnet used by helpdesk.

      Visitors used to plug their laptops into our internal net, but we implemented 802.1x and it's no longer a problem. Locations that couldn't be updated to it due to various reasons are routed to a separate firewall interface (VLAN) and can access the corporate net (and internet) only thru VPN.

      Printers and other devices that don't speak 802.1x are on separate VLANs that have no access to corporate net or internet.

      This is all very basic stuff that any decent admin should be able to implement easily. Everything can be done in a typical Active Directory + Win2000/XP/2003 environment without third-party software. Therefore implementing infrastructure like this is even cheap.

      Since someone is going to ask how to limit outbound traffic with the Win2k/XP built-in firewall, here's the answer: Use either RAS filtering (per machine VBS) or IPSEC group-policies.

      Because all internet traffic is forced thru proxies doing antivirus checks at HQ, those blocking rules aren't a problem. Users simply access the net using our main connection and their own is only used to tunnel everything via VPN. Users don't have local admin rights so they can't disable the firewall to bypass security.

      The biggest drawback with this kind of implementation is WLAN access. Since many WLANs require login using a web browser and net access is denied unless VPN is active, they're unusable. There's no easy solution to this. The only good solution would be some very restricted and secure browser that's allowed to access ports 80/443. Preferably running in its own virtual machine/sandbox to protect the computer itself.
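
The policy johu describes is a default-deny host firewall whose allow set depends on where the machine currently sits. As an added example (not the poster's configuration, and not the RAS-filter or IPsec policy syntax they mention), here is that decision logic written out in Python with constructed address ranges, so the interaction of the four off-net exceptions, the inbound block on foreign networks and the helpdesk carve-out can be checked against sample connections. The intranet prefixes, the AV update host, the VPN gateway and the helpdesk port set are all placeholders chosen for the example; "intranet address range" is read here as the address of the peer, which is one reading of the post.

```python
"""Default-deny host firewall policy of the kind johu describes, as an evaluator.

Added example, not the poster's configuration or any Windows policy format.
Every address range and port set below is a constructed placeholder: RFC 1918
prefixes for the intranet, documentation prefixes for the outside hosts.
"""
import ipaddress
from dataclasses import dataclass

INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
HELPDESK_SUBNET = ipaddress.ip_network("10.50.0.0/24")
AV_UPDATE_HOST = ipaddress.ip_address("203.0.113.10")
VPN_GATEWAY = ipaddress.ip_address("198.51.100.5")
HELPDESK_PORTS = {("tcp", 3389), ("tcp", 445)}   # remote assistance, admin shares (placeholder)


@dataclass(frozen=True)
class Conn:
    direction: str  # "in" (to this host) or "out" (from this host)
    proto: str      # "tcp" or "udp"
    local: str      # this host's address, which tells us which network it is on
    peer: str       # the other end
    port: int       # destination port of the connection


def in_intranet(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTRANET)


def decide(c: Conn) -> str:
    """Return 'allow' or 'deny'; anything no rule explicitly allows is denied."""
    peer = ipaddress.ip_address(c.peer)
    on_corporate = in_intranet(c.local)

    if c.direction == "out":
        if in_intranet(c.peer):                      # intranet peers are always reachable
            return "allow"
        # Off-net: only the four services the post lists.
        if c.proto == "udp" and c.port in (67, 68):  # DHCP client
            return "allow"
        if c.proto == "udp" and c.port == 53:        # DNS client
            return "allow"
        if c.proto == "tcp" and c.port in (80, 443) and peer == AV_UPDATE_HOST:
            return "allow"                           # AV signature updates
        if c.proto == "udp" and c.port in (500, 4500) and peer == VPN_GATEWAY:
            return "allow"                           # IKE / NAT-T to the corporate VPN
        return "deny"

    # Inbound: nothing at all on a foreign network; on the corporate LAN only the
    # helpdesk subnet, and only to its limited port set.
    if not on_corporate:
        return "deny"
    if peer in HELPDESK_SUBNET and (c.proto, c.port) in HELPDESK_PORTS:
        return "allow"
    return "deny"


def evaluate(conns) -> list:
    """Constructed traffic sample -> list of (description, decision)."""
    return [(f"{c.direction} {c.proto} {c.local}->{c.peer}:{c.port}", decide(c)) for c in conns]


SAMPLE = [  # constructed connections
    Conn("out", "tcp", "10.1.2.3", "10.7.0.9", 445),          # file server on the LAN
    Conn("out", "tcp", "192.168.1.20", "192.0.2.80", 80),      # hotel net, direct web: blocked
    Conn("out", "udp", "192.168.1.20", "198.51.100.5", 4500),  # hotel net, VPN: allowed
    Conn("in", "tcp", "192.168.1.20", "192.168.1.77", 445),    # neighbour on hotel LAN probing SMB
    Conn("in", "tcp", "10.1.2.3", "10.50.0.8", 3389),          # helpdesk remote assistance
    Conn("in", "tcp", "10.1.2.3", "10.9.9.9", 445),            # another workstation on the LAN
]

if __name__ == "__main__":
    for desc, verdict in evaluate(SAMPLE):
        print(f"{verdict:5} {desc}")
```

The fourth sample is the case the thread is about: a host on a foreign network with SMB port 445 probed by a neighbour, which this policy drops before any service sees it. The last sample shows the inside-the-LAN part of the same idea: workstation-to-workstation SMB is denied by default, so a single infected machine on the corporate net cannot reach its neighbours directly even before 802.1x keeps unmanaged laptops off the wire.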

    7. Re:Firewalls offer limited protection only by caluml · · Score: 0, Offtopic
      Remember folks - if you work for any large organisation, your external firewall will ONLY protect you as long as some freaking idiot doesn't bring an infected laptop in.

      In Soviet Russia, YOU protect the firewall.

    8. Re:Firewalls offer limited protection only by ryanw · · Score: 1
      This is all very basic stuff that any decent admin should be able to implement easily.
      This is all very basic stuff that any decent employee could disable easily.

      You're giving your implementation efforts way too much credit. Almost everyone I know that receives a laptop with a company image on it reimages it. A corporate laptop typically has barely enough ram and cpu to run the necessary apps WITHOUT all the extra overhead of all that extra necessary crap.

      Sure, it's easy to say, "Oh well, they should be fired for doing that. Make a few examples out of people and nobody else will do it." But it's hard when the argument is, "Well, I asked for the new laptop 6 months ago, and I didn't get it, so I installed a lean version of winxp on it without all the overhead apps and it runs 60% faster to hold me over till the next budgets are approved."

    9. Re:Firewalls offer limited protection only by GNU(slash)Nickname · · Score: 1
      • No 802.1x machine certificate, no access to the lan.
      • No machine account in Active Directory, no 802.1x machine certificate.
      • No company image, no machine account in Active Directory.
      Works pretty well here.
    10. Re:Firewalls offer limited protection only by Anonymous Coward · · Score: 0
      " as long as some freaking idiot doesn't bring an infected laptop in"

      Correction, should read:
      ...as long as some freaking idiot doesn't bring Windows infected laptop in...

    11. Re:Firewalls offer limited protection only by Anonymous Coward · · Score: 0

      So you encrypt traffic and have some policies? Wow, you're a fucking genius. Fag.

    12. Re:Firewalls offer limited protection only by jonfr · · Score: 1
      All that work and some 15 year old teenager comes along and makes scrap metal out of your network by using some bug that was fixed four days ago.

      Why don't virus writers actually do their work properly and make viruses before there is a patch from Microsoft; only then will we see problems.

  20. Re:Win2K by tcgroat · · Score: 1

    If you installed the patch, Win2K has no problem. The automatic update system downloaded and installed it the middle of last week. I'm not saying Windows Update is a perfect system, but it does remember to check for new patches on a regular basis, no matter how busy I am or how often the boss adds something to today's to-do list. On the whole, using automatic update is a lot better than waiting until the system gets exploited and then trying to clean up the mess.

  21. Windows 98 is still supported by thechink · · Score: 2, Interesting
    1. Re:Windows 98 is still supported by drawfour · · Score: 1

      Paid incident support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Me) is available through June 30, 2006.

      Please note "PAID". If you don't have $100 to upgrade to XP SP2, I doubt you have the $$$ to pay for incident support.

    2. Re:Windows 98 is still supported by drawfour · · Score: 1

      Open mouth, insert foot.

      "Critical security updates will be provided on the Windows Update site through June 30, 2006."

      I guess if something like this is considered "critical" then it will be fixed through next year. If Microsoft does not consider it "critical" then you're up the creek.

    3. Re:Windows 98 is still supported by Captain+Segfault · · Score: 1

      How about:

      "Critical security updates will be provided on the Windows Update site through June 30, 2006."

      For someone who is still using Win98, that's probably the most important support aspect.

  22. Re: :) by tveidt · · Score: 2, Funny

    > What a crappy summary

    Get a browser with support for hyperlinks. Cool stuff.

  23. Must everything be handed to you? by cbreaker · · Score: 0, Redundant

    You can't do a Google search for "MS05-039"? It's the first hit.

    --
    - It's not the Macs I hate. It's Digg users. -
    1. Re:Must everything be handed to you? by Bald+Wookie · · Score: 3, Insightful

      Why should you have to do a Google search? The patch/exploit is the entire basis for the article. I know the quality of journalism at /. is mediocre at best, but expecting readers to search for the most relevant piece of information is asinine.

    2. Re:Must everything be handed to you? by cbreaker · · Score: 1, Funny

      It's a digest of the worm, not the vulnerability. Why do you need everything explained in every article? It's not like Microsoft vulnerability details are hard to find, so I don't see why he'd need to explain it all over again.

      So next time it should read like this to make you happy:

      This worm (a computer program that spreads from computer to computer) infects Windows (an operating system from Microsoft (an operating system is the software that allows access to the hardware and provides an environment for other software to run)) systems due to the vulnerability listed in MS05-039 (Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)) which can be found at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx.

      PC's (Personal Computers) without this patch (a software update that fixes a problem or provides an enhancement) should download (retrieving data from another computer) and install this software ASAP (As Soon As Possible.)

      --
      - It's not the Macs I hate. It's Digg users. -
    3. Re:Must everything be handed to you? by Anonymous Coward · · Score: 0

      Google? What's that? It's a webpage? If so, post the address, please, it seems useful.

    4. Re:Must everything be handed to you? by Anonymous Coward · · Score: 0

      why mod this as redundant? if anything its funny. and no - i am not cbreaker - honestly! ;)

    5. Re:Must everything be handed to you? by Anonymous Coward · · Score: 0

      Where U been the last yrs? www.google.com!

    6. Re:Must everything be handed to you? by agallagh42 · · Score: 1

      In the third paragraph, you use the term "install". I'm not clear on what this means. Surely any reputable news source should explain all their "techno jargon" so the layperson can understand it. Sheesh. :p

      --
      Carpe Cerevisi - Seize the Beer
  24. Well by Gary+Destruction · · Score: 1

    If people are stupid enough to leave port 445 open, then they deserve to get infected.

    1. Re:Well by Anonymous Coward · · Score: 0

      I believe people stupid enough to post inflammatory crap like this on /. deserve to be modded troll, Troll.

  25. Windows is a device driver. by tepples · · Score: 1

    Replace Windows 2000 Professional with Debian GNU/Linux.

    Is there an update to Debian that lets SANE use a Microtek ScanMaker 4850 flatbed scanner? I'm afraid not.

  26. Most XP home computers have blank admin by Anonymous Coward · · Score: 0

    Most XP computers at people's homes have blank administrator password.

    1. Re:Most XP home computers have blank admin by quazee · · Score: 1
      Yes, but on XP, there are two policies that prevent remote access using blank passwords:
      1. Accounts: Limit local account use of blank passwords to console logon only - defaults to Enabled
      2. Network access: Sharing and security model for local accounts - allows only remote Guest login by default
      So, by default, an XP box can be accessed only using a Guest login that still must have a password.
      (if the XP box is joined to a domain, domain policy overrides the #2 setting, allowing non-Guest remote logons).
      --
      throw new SuccessException("Sig read successfully");
  27. Firewall required on employers computers & lap by antdude · · Score: 1

    That is why my employer's IT department enforces its firewall software (blocks incoming and outgoing stuff) on everyone's computers and laptops. Also, critical Windows Updates are enforced when approved after a day or so. They are annoying, but they keep the situations (e.g., outbreaks) more controlled.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  28. Re:and? by Anonymous Coward · · Score: 0

    The same way Windows is affected by the myriad of buffer overflow exploits that affect Linux and programs running on Linux

  29. tipping point by just+someone · · Score: 1

    in the latest set of 3com tipping point unity1 digital vaccines.

  30. print spooler by MrDoh! · · Score: 1

    Just made sure I've updated all the machines around here and something struck me: how come every few months of updates, there's another print spooler fix needed? Am I just remembering things wrong? But it seems that every 6 months or so, there's another print spooler security fix needed.
    Thing is, I don't actually have any printers, made sure the spooler service is turned off (if I could remove it once and for all I'd be happy), and yet I'm still needing fixes for it. Well, I guess it makes sense to patch it just in case, but sheesh, how many times does it need fixing? You'd have thought that they'd have worked it out by now, or is the way Windows prints naturally open to more attacks than most?

    --
    Waiting for an amusing sig.
    1. Re:print spooler by Darth_brooks · · Score: 1

      The print spooler service runs with admin / system privileges. Since it's a fairly common service with high privs, it's got a nice big target painted on its back.

      Who knows? maybe it's one of those services that hasn't had a ground-up rewrite in a long time.

      --
      There are some people that if they don't know, you can't tell 'em.
  31. it's not easy to XP by Gary+W.+Longsine · · Score: 1

    There are many large networks still running Windows 2000, and it's not easy to upgrade them. It's not upgrading Windows on a single machine that's hard, it's upgrading Windows and dozens of other software systems that run on it, for tens of thousands of desktop systems. Oh, and that needs to be done in some way that the old and new interoperate during the transition period, and it's all got to be documented by about 3 people who understand it all so that the helpdesk and end users and internal development teams all understand the various customized moving parts.

    It's really harder than it seems, when your perspective is "The PC on my desk has been running Windows XP SP2 since the day it was released." Believe it or not, it's actually so difficult and expensive, that many organizations are still contemplating whether or not they can skip Windows XP altogether and leap directly to Longhorn / Vista.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  32. Re:While drives software companies to do this... by ookabooka · · Score: 1

    Plus, then it would be multi-platform! A virii/trojan/worm first. . . it would also be sandboxed, making the author's job a bit more difficult.

    --
    If you are about to mod me down, keep in mind that this post was most likely sarcastic.
  33. Who gave the people an OS with all ports open? by RedLaggedTeut · · Score: 1

    Well, I'm not good at this, but I believe Windows has quite a lot of funky services open once the firewall is deactivated.

    And they are quite hard to switch off or configure to react to localhost only, at least when you are not a sysadmin who spends his time figuring things out, but just a user trying to get work done.

    --
    I'm still trying to figure out what people mean by 'social skills' here.
    1. Re:Who gave the people an OS with all ports open? by Gary+Destruction · · Score: 1

      They provide a firewall with XP. But yeah you're right, they do leave ports open.

    2. Re:Who gave the people an OS with all ports open? by RedLaggedTeut · · Score: 1

      Put with acrimony, you have the choice of turning the firewall on which might make your box useless, or opening all the ports of the default services.

      Well actually the firewall works pretty well, I just miss the fine grained control of exactly knowing which app is serving which port, most of the time it just ends up being LSASS, but you don't know which service

      --
      I'm still trying to figure out what people mean by 'social skills' here.
  34. and variants will appear by Gary+W.+Longsine · · Score: 1

    There will probably be variants within a few days. Some of those will undoubtedly email copies around. Perimeter defense is necessary but not sufficient.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  35. Re:While drives software companies to do this... by Varun+Soundararajan · · Score: 0

    Well, you are calling for a flame war. Please do note that .NET too is on the cards (with the Mono impl expedited).

  36. Not just laptops by nurb432 · · Score: 1

    Dont forget VPN and dialup clients too..

    --
    ---- Booth was a patriot ----
  37. An attack on Win2000? by nurb432 · · Score: 4, Insightful

    I bet microsoft secretly loves this, to get at all those people that won't upgrade to XP/2003.

    "See, you have to upgrade to be safe, send us money"

    --
    ---- Booth was a patriot ----
    1. Re:An attack on Win2000? by Briareos · · Score: 1

      Too bad Windows Update lists the patch for this vulnerability as high priority... they're really foiling their own plans... *g*

      np: Jah Wobble & The Invaders Of The Heart - Lam Saravane Dub (I Could Have Been A Contender (Disc 2))

      --

      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

  38. Re:miscategorised Like Hell!! by Anonymous Coward · · Score: 0

    If you will notice there is a windows 2003 server ad that pops up when you go to the article.....The boss knows where his bread is buttered. The fault is not windows 2000 server it is the fault of the cheap assholes who refuse to 'upgrade' to server 2003...

  39. If you'd RTFMSB.... by Anonymous Coward · · Score: 0
    Right here:

    http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

    What's affected?
    • Microsoft Windows 2000 Service Pack 4
    • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
    • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
    • Microsoft Windows Server 2003 x64 Edition

    Non-Affected Software:
    Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

    So what in the heck is this about it not affecting XP or 2003? It's a moot point to change the authentication scheme to attack LDAP. Also, remember the note found within the worm: it's going to have a high rate of mutation, and the writers are going to be none too keen on playing nice. Patch the PnP exploit regardless, because the next iteration of this is going to bite SP2 users in the ass.
  40. Re:While drives software companies to do this... by springbox · · Score: 1

    Great idea! An operating system in a VM! That'll get everyone to switch to Linux pretty fast.

  41. Yes, exactly by FullCircle · · Score: 1

    You are right, just like the others I don't use.

    If I use any Linux or BSD I get continued security updates for free.

    If I did use Red Hat I could still patch the system with security updates myself. With Windows I can't do that.

    How was my original post flamebait? The patches COULD be made for Windows 2000 since it is almost exactly the same codebase but instead they use it as leverage.

    Just one more reason to use OSS.

    --
    If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
  42. They were careless by foreverdisillusioned · · Score: 1

    I'm no blackhat, but I've got to point out that any hacker that's been arrested is careless, and it's been that way for quite a few years now. I live in a small to medium-sized town, and there are at least half a dozen public WiFi access points that I know of. Not all of them are free, but even a half-assed hacker could get around their security. I'm sure that there are at least a hundred personal WiFi routers around town, too. The vast majority are probably unsecured, or at best secured with WEP and MAC filtering (both easily breakable).

    The point is, anyone who's capable of creating an original exploit should also be able to construct a cantenna (or a woktenna) and access a hotspot from a block (or five) away in complete anonymity, rotating hotspots frequently and using proxies whenever possible. Any hacker who does not do this is indeed being (extremely) careless. Any hacker who DOES do this is almost certain not to get caught (unless he does something stupid like use a stolen credit card number to have something shipped to his house--but then, that's not careless cracking, that's careless fraud.)

    In essence, not only are harsher penalties defeated by self-delusion ("I'll never get caught!"), they're also defeated by healthy levels of intelligence and paranoia ("Hey, I DIDN'T get caught!")

    As far as your solution goes, as long as blackhat hacking continues to inspire fear and yields real power (botnets and stolen IDs), I don't think that we'll be able to psyche them out into quitting. Graffiti is essentially an aesthetic crime/sport, whereas hacking and worm authoring can lead to tangible benefits... and you can't really expect to stop a thief by calling him silly names.

    In the end, I believe that the solution must be technical.

    1. Re:They were careless by tsm_sf · · Score: 1

      I'm no blackhat, but I've got to point out that any hacker that's been arrested is careless, and it's been that way for quite a few years now.

      I think your assumption relies on the feds (et al) trying to track you down after the fact. WiFi is anonymous only when you're disconnected.

      Hmm, was just thinking about how easy it'd be to triangulate a connection to my home router, and noticed Belkin's pre-n wireless router on their home page. 3 antennas. I think it'd behoove our leet brothers and sisters to assume that any wifi connection is being logged and xreferenced w/ google maps, with a little flag over your treehouse that reads "asshat".

      Of course, anyone w/ a handheld RF monitor, a couple of friends and the willingness to burn a little shoe leather can grab you in real time.

      --
      Literalism isn't a form of humor, it's you being irritating.
    2. Re:They were careless by deep44 · · Score: 1
      .. and noticed Belkin's pre-n wireless router on their home page. 3 antennas. I think it'd behoove our leet brothers and sisters to assume that any wifi connection is being logged and xreferenced w/ google maps, with a little flag over your treehouse that reads "asshat".
      Uhh, three antennas right next to each other on a Belkin router won't work for triangulating someone's location. Also, even if you did have legit logs, do you think they would hold up in court? Logs like that can be falsified so easily- there's no way. Not to mention that all you're logging is someone's MAC address. Those can also be changed on the fly quite easily.
    3. Re:They were careless by foreverdisillusioned · · Score: 1

      As the parent says, I don't think that triangulation will be nearly that easy. As long as you're honey-pot savvy and rotate your MAC address and change your hotspot every day, no one from the physical world is going to get you (not because it's 100% impossible, but because they're just not going to care.)

      Now, it's possible that someone looking at your cyber-activities can track you down and figure out that all of your activities stem from the same geographical area. It is possible for them to then stake out these hotspots and hope you come roaming by, monitor the connection real-time and hope they can spot your car (out of the perhaps hundreds within range) or attempt to triangulate you during the few minutes that you do your dirty work. However, if you're a two-bit criminal it's just not likely that anyone will go to this kind of trouble. A list of several hundred hotspots, rotated each use, that you use, say, twice a week will last you a year or two. Sure, someone could wardrive the area and stake out all available hotspots, but who the hell would go to that kind of trouble? Not an individual whose WAP gets used by a single MAC address for a few hours (and then possibly gets used again by a different MAC address a year later), that's for damn sure.

      The FBI might go to that much trouble, but only if you're defrauding people or corporations on the order of millions of dollars. If that's the case, then you can afford to quit your job and go on a permanent road trip, logging on from a different city each day. I'm not saying you'll never get caught, because the actual "fraud" part of computer fraud is much riskier to pull off, but random triangulation by some bored geek who goes after every rogue MAC he sees at three in the morning (or alternately noon, if it's a busy coffee shop) is really the least of your concerns.

      You know, sometimes I think I'd make a damn good blackhat... stupid freakin' ethics...

    4. Re:They were careless by tsm_sf · · Score: 1

      Yeah, I started out searching for a way to add a third antenna onto a linksys and found the new belkin. I was thinking that the antennas might be detachable (or MADE to be detachable) for better positioning... just interesting to see a stock router w/ 3. Hmm... would simply weaving a strip of foil between the antennas suffice?

      The MAC address is a non-issue, from my perspective. We're interested in physical location here, not network identity. Unless you've got to weed out one rogue connection from a slew of legit, all in the same building, I just don't see this as relevant other than as a reference point.

      As far as logs being held up in court, I don't know. How are crimes prosecuted now? I'm guessing that there is a way to present them as legal evidence, or we'd all just be telling the RIAA to go fuck themselves.

      Again, I just don't think it's safe to assume that a wifi connection is anonymous as far as your physical location is concerned.

      --
      Literalism isn't a form of humor, it's you being irritating.
    5. Re:They were careless by Eivind+Eklund · · Score: 2, Insightful

      It's always been the truth that any computer wanker that has been caught has been careless. It's just that almost all criminals are sometimes careless.

      The question is where people get recruited to be computer wankers. A large number of these are from the "scene", starting out with just doing it for fun and becoming more criminal with time. By removing the false glamour of the scene, fewer kids will start out as computer wankers, and there will overall be fewer wankers.

      Of course there will be some left. However, that will happen no matter what we do. The money spent on securing computer systems is an insurance policy against the costs of a security break. At each point, the question is how this money can be most effectively spent: on social engineering (propaganda, routines, company morale), on technical engineering, or on actual insurance policies from Lloyds or similar.

      Spending it all on the technical side would be wasteful.

      Eivind.

      --
      Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
  43. Re:While drives software companies to do this... by Anonymous Coward · · Score: 0

    First time posting here (hence AC), but I felt obliged to provide some information to you since you are at least slightly misinformed here.

    Java programs will typically take up more memory due to the runtime environment (typically at least 18MB for a minimal GUI application).

    Java programs, in certain circumstances, run FASTER than C/Assembly programs and here's why. When your compiler translates your C/Assembly into machine code, it can only optimize the paths to its best estimation of what the execution paths will look like. There is no absolute way to determine which code paths will be traversed most frequently, which are used rarely, etc.

    With Hotspot Java runtime environments (especially if you flag the runtime environment as "Server"), the bytecode is translated into machine code as it is executed and when it is noticed that a particular path can benefit from optimization, that path is optimized and is used in subsequent runs.

    What this can mean is that, up to a certain point, the longer the app runs, the more optimized and quicker it will become. That's a very very generalized explanation of my point, but one should not discount the execution speed of Java.

    It's not the fastest out there, but it is quite quick and as the other responder pointed out, it's cross-platform (mostly).

  44. Re:While drives software companies to do this... by Anonymous Coward · · Score: 0

    That sounds great. How come it's still so much slower?

  45. Your add server is cooked Taco. by Anonymous Coward · · Score: 0

    Maybe the worm hit antt.tacda.net, your nerdy net icons are taking way too long again!

  46. Two Variants Already by TFGeditor · · Score: 1

    Symantec has info on two variants: W32.Zotob.A http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html and W32.Zotob.B http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html

    Both describe, "Attempts to spread to systems which can be exploited by a vulnerability in Microsoft Windows Plug and Play Service (as described in Microsoft Security Bulletin MS05-039). If successful, the worm copies the file 2pac.txt to the remote machine."

    --
    Ignorance is curable, stupid is forever.
  47. Pretty much exactly what the response is by freeweed · · Score: 1

    Don't joke. Looks like someone came in and connected an infected laptop up to our network. Guess what our 300+ Win32 servers are running? 2000, mostly.

    Slashdotters living in the basement can joke about "obsolete" OS's all you want, and rant on about patching, but the fact remains that for many enterprise level installs, 2000 is where it's at, and where it will be for many more years to come. Not everyone sits on the upgrade treadmill, especially when you're trying to not kill a business with constant outages.

    5 days from patch to exploit. Hell, with the weekend, that's 3. 3 days to test this patch with hundreds of applications and hardware combinations. I'd love to see any of you naysayers manage that. Oh yeah, and scheduled outages on darn near every 7x24 service we offer.

    Come work in enterprise sometime, when PHB's force Win32 down your throat. It's enough to make you want to tear your hair out.

    And maybe this time they'll release a patch that shuts off all these damn default listening services. Yeah right. About as likely as vendors finally porting their offerings to Linux.

    Oh well, I didn't need sleep anyway. At least I got a bit of private time this evening while our paging system was down as a result of this thing and no one could find me :)

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    1. Re:Pretty much exactly what the response is by cdn-programmer · · Score: 1

      Just quit.

      It is very unprofessional to let the PHB make technical decisions. A doctor would not allow his patient to diagnose the disease any more than a lawyer takes legal advice from his client.

  48. In particular by foreverdisillusioned · · Score: 3, Interesting

    The original poster was talking about "just for the hell of it"-worm authors. I should point out that these blackhats in particular should NEVER get caught unless they are extremely prideful and/or stupid. Worms that "call home" can obviously be traced, but proof of concept and cause-a-lot-of-chaos worms are only ever connected to their author for one brief instant--when they are uploaded. This instant can be when they are connected at a coffee shop from several blocks away during rush hour. Wash, rinse, repeat for all of the popular public hotspots in the area, over the course of a week to ensure that your worm is seeded in multiple locations. Then, after a week (or after your virus is identified in the wild) halt all distribution and watch the chaos unfold. Unless you suffer from supremely bad luck (i.e. hidden camera in the area FIVE BLOCKS AWAY from the actual hotspot manages to catch you in the act and the FBI agents actually check the camera and they actually manage to spot your woktenna through your tinted car windows) there is no way you will ever be caught. You can even be stupid and brag about it on IRC to all your buddies, and even if the FBI arrests you, you can just say you were being a lying little prick and as long as you've wiped your HD, they won't have enough evidence to indict you (what are they gonna do, arrest every script kiddie on IRC that claims they wrote the worm? heh.)

    Actually, just-for-the-hell-of-it random crime in general is a lot harder to trace than motivated crime. Nothing short of Orwellian-level surveillance can reliably solve random, profit-less crime committed by smart criminals. Fortunately, these two things--random, profit-less crime and smart criminals--are very rarely connected.

    1. Re:In particular by tsm_sf · · Score: 1

      Actually, just-for-the-hell-of-it random crime in general is a lot harder to trace than motivated crime.

      Yeah, it seems that triangulation would only be appropriate if we're talking about a repeated pattern of accessing known hotspots. To raise an unpleasant analogy, how much more difficult would it be to catch a belltower sniper if they only fired one shot?

      I should point out that these blackhats in particular should NEVER get caught unless they are extremely prideful and/or stupid

      I dunno, NEVER is a pretty strong word. I just don't think I'd trust a "they'll never catch me, I'm using a radio!" mentality to keep me out of prison.

      --
      Literalism isn't a form of humor, it's you being irritating.
  49. No Joke by nurb432 · · Score: 1

    While I may have been taken as a comedian, I was actually being quite serious.

    We are about 1/2 Win2000 ( pro/serv ) where I work as well.

    --
    ---- Booth was a patriot ----
  50. I still use Win2k.... by Anonymous Coward · · Score: 0

    ...you insensitive clod!

  51. Re:While drives software companies to do this... by SoloFlyer2 · · Score: 0

    Yeah, I know all the marketing hype but from what I have seen java has been a pain when it comes to... well... anything! Interoperability between operating systems doesn't work like it's supposed to and often in order for a program to run each supported OS has to have huge chunks of code rewritten with "if this OS do this, if this OS do that"...

    And I don't know what you're smoking, but anything written in Assembly will be faster, smoother and smaller than the best java code, period.

    Personally I would rather recompile C code every time I wanted to use it and optimise it for the specific system I wanted than use the steaming pile of cr&p known as java.

    --
    "I reject your reality, and substitute my own" - Adam Savage