MS05-039 Worm in the Wild
An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.
And it's detected by ClamAV already, too.
quidquid latine dictum sit altum videtur.
From TFA:
:)
"Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon."
I think a lot of people were relieved to read this.
Join the Empire! http://www.empirereborn.net/
What a crappy summary, it doesn't even mention what operating system this affects (or how to patch for that matter). "Important facts" from the article:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.
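The "watch for internal infected systems" point above is the part a perimeter block on 445 does not cover. As an added example (not from the article or any commenter), here is a small detector over constructed connection-log lines that flags an internal host sweeping a subnet on TCP/445, the propagation pattern the summary describes; the log format and the threshold are assumptions.

```python
"""Flag internal hosts sweeping TCP/445 across a subnet (Zotob-style propagation:
a burst of port-445 connections, then the victim pulls the payload from the
infecting host's FTP server on a random high port). The connection-log format
below is constructed for this example, not any real firewall's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "YYYY-MM-DD HH:MM:SS src -> dst:dport"
LINE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(dport)


def find_sweepers(lines, window=timedelta(seconds=60), min_targets=8):
    """Return {src: distinct 445 targets} for every source that touched at least
    min_targets distinct hosts on port 445 inside some window-long span."""
    events = defaultdict(list)
    for rec in map(parse, lines):
        if rec and rec[3] == 445:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            targets = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def make_log():
    """Constructed sample: 10.0.5.21 walks 10.0.5.1..10.0.5.20 on 445 within 20 s;
    10.0.5.40 opens two ordinary file-share connections minutes apart."""
    base = datetime(2005, 8, 14, 17, 2, 0)
    lines = []
    for i in range(20):
        stamp = (base + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{stamp} 10.0.5.21 -> 10.0.5.{i + 1}:445")
    lines.append("2005-08-14 17:05:00 10.0.5.40 -> 10.0.5.200:445")
    lines.append("2005-08-14 17:09:00 10.0.5.40 -> 10.0.5.201:445")
    lines.append("2005-08-14 17:02:30 10.0.5.7 -> 10.0.5.21:33061")  # victim's pull on a high port
    return lines


if __name__ == "__main__":
    print(find_sweepers(make_log()))  # {'10.0.5.21': 20}
```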
Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things. What can we do to provide more disincentives to keep them from being jerks?
"...What is good for General Motors is good for America." -Charles Wilson, Secretary of Defense and fmr President of GM
Why is this under "worms" and "security" but not under "Windows" and "Microsoft"?
Even though it's linked to in the article, the bit by F-Secure is a bit better written (and more informative):
http://www.f-secure.com/weblog/
Join the Empire! http://www.empirereborn.net/
But they should put the system requirements as so on the box: CPU: Pentium 233MHz RAM: 32MB Storage:
Hopefully this doesn't hit corporate environments too hard, where everyone uses Windows 2000 because it's the best Windows OS out there.
It is the best OS out there, but an out-of-the-box XP SP2 or Win 2003 aren't affected and Windows 2000 is? Well...
..despite the fact that SP2 is not affected and everyone should be running it since it was released in August 2004...
We could tell them to write it in java instead of C/Assembly, that way it will propagate slower as the files will be larger, the code will use more memory and there will be more processing overhead... :)
"I reject your reality, and substitute my own" - Adam Savage
As usual, Trend have their info straight about this exploit, and good ways to prevent it... http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VNAME=(MS05-039)+Vulnerability+in+Plug+and+Play+Could+Allow+Remote+Code+Execution+and+Elevation+of+Privilege+(899588)&Page=
If you haven't patched yet, the update for this vuln is at http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx.
Windows XP SP2 costs $100 for people whose computers came with Windows 98, Windows 2000, or Windows Millennium Edition.
Is there any nomenclature in the particular way these worms/viruses are given names? In Windows, *.exe files are executable, *.sys files are system files. In Unix, *.conf files are configuration files. I have heard of Backdoor.Nibu.N and we now have Zotob.A. Is there a way to know more information on a virus by the format of its name?
All note: the free IDS Snort detects this worm.
alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.
alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.
alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.
What about all the other mega bucks IDS systems?
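To make the rules above concrete for anyone tuning an IDS, here is an added example (not from the post or from the Snort project) that re-implements the content modifiers the first rule relies on (offset, depth, nocase) and checks them against constructed SMB-over-TCP buffers. It covers only the first rule's chain; the within modifier of the other two is not implemented, and the sample buffers are invented, not captures.

```python
"""Minimal re-implementation of Snort's offset/depth/nocase content matching,
applied to the first MS05-039 rule quoted above. Sample buffers are constructed
for this example; nothing here speaks SMB or touches the network."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Content:
    pattern: bytes
    offset: int = 0              # absolute start of the search window
    depth: Optional[int] = None  # length of the window measured from offset
    nocase: bool = False


def find_content(payload: bytes, c: Content) -> int:
    """Return the index just past the match, or -1. As in Snort, the whole
    pattern must lie inside [offset, offset + depth)."""
    start = c.offset
    end = len(payload) if c.depth is None else min(len(payload), c.offset + c.depth)
    window, pat = payload[start:end], c.pattern
    if c.nocase:                 # bytes.lower() only folds ASCII letters, like Snort
        window, pat = window.lower(), pat.lower()
    i = window.find(pat)
    return -1 if i < 0 else start + i + len(pat)


def rule_matches(payload: bytes, contents: Sequence[Content]) -> bool:
    """Every content in the rule must match; all are absolute, so order is irrelevant."""
    return all(find_content(payload, c) >= 0 for c in contents)


# Content chain of the first rule above (port 445), transcribed from the post.
# '%' is 0x25, the SMB_COM_TRANSACTION command byte that follows the "\xffSMB" magic.
MS05_039_SMB_DS = [
    Content(b"\xffSMB%", offset=4, depth=5, nocase=True),
    Content(b"\x26\x00", offset=65, depth=2),
    Content(b"\x67\x15\x7a\x76"),
]


def sample_payload(command: bytes, marker: bytes) -> bytes:
    """Constructed buffer: 4-byte NetBIOS session header (why the SMB magic sits
    at offset 4 on port 445), SMB header with the given command byte, zero
    padding up to offset 65, then the marker bytes somewhere later."""
    buf = bytearray(b"\x00\x00\x00\x80")        # NetBIOS session header
    buf += b"\xffSMB" + command                 # offset 4: magic + command
    buf += b"\x00" * (65 - len(buf))            # pad to offset 65
    buf += b"\x26\x00"                          # field the rule checks at offset 65
    buf += b"\x00" * 40 + marker + b"\x00" * 8
    return bytes(buf)


if __name__ == "__main__":
    hit = sample_payload(b"%", b"\x67\x15\x7a\x76")
    miss = sample_payload(b"\x73", b"\x67\x15\x7a\x76")  # SessionSetupAndX, not Transaction
    print("signature hit:", rule_matches(hit, MS05_039_SMB_DS))   # True
    print("other command:", rule_matches(miss, MS05_039_SMB_DS))  # False
```

Because every content in this rule is anchored to an absolute offset, a few bytes of extra framing shift the whole chain and the rule goes quiet, which is why the port 139 variant above needs its own copy.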
Just like Red Hat, Sun, Apple and everyone else who sells software, you mean ?
That's the first time I've seen the Internet Storm Center at "yellow" ... yikes!
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
What's worse is that today is Sunday, so there's a greater chance of those laptops being used on an unprotected internet connection.
Shucks, the patch for this is only four days old. There goes my Sunday afternoon!
Never email donotemail@WeAreSpammers.com
If you installed the patch, Win2K has no problem. The automatic update system downloaded and installed it the middle of last week. I'm not saying Windows Update is a perfect system, but it does remember to check for new patches on a regular basis, no matter how busy I am or how often the boss adds something to today's to-do list. On the whole, using automatic update is a lot better than waiting until the system gets exploited and then trying to clean up the mess.
Which is why we're at this moment here at work patching all servers manually. Good thing it also means a Sunday bonus. :-)
home
...until June 30, 2006 http://support.microsoft.com/default.aspx?pr=LifeAn1
> What a crappy summary
Get a browser with support for hyperlinks. Cool stuff.
If people are stupid enough to leave port 445 open, then they deserve to get infected.
Why should you have to do a Google search? The patch/exploit is the entire basis for the article. I know the quality of journalism at /. is mediocre at best, but expecting readers to search for the most relevant piece of information is asinine.
Replace Windows 2000 Professional with Debian GNU/Linux.
Is there an update to Debian that lets SANE use a Microtek ScanMaker 4850 flatbed scanner? I'm afraid not.
That is why my employer's IT department enforces its firewall software (blocks incoming and outgoing stuff) on everyone's computers and laptops. Also, critical Windows Updates are enforced when approved after a day or so. They are annoying, but they keep the situations (e.g., outbreaks) more controlled.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
in the latest set of 3com tipping point unity1 digital vaccines.
It's a digest of the worm, not the vulnerability. Why do you need everything explained in every article? It's not like Microsoft vulnerability details are hard to find, so I don't see why he'd need to explain it all over again.
So next time it should read like this to make you happy:
This worm (a computer program that spreads from computer to computer) infects Windows (an operating system from Microsoft (an operating system is the software that allows access to the hardware and provides an environment for other software to run)) systems due to the vulnerability listed in MS05-039 (Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)) which can be found at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx.
PC's (Personal Computers) without this patch (a software update that fixes a problem or provides an enhancement) should download (retrieving data from another computer) and install this software ASAP (As Soon As Possible.)
- It's not the Macs I hate. It's Digg users. -
Just made sure I've updated all the machines around here and something struck me: how come every few months of updates, there's another print spooler fix needed? Am I just remembering things wrong? But it seems that every 6 months or so, there's another print spooler security fix needed.
Thing is, I don't actually have any printers, made sure the spooler service is turned off (if I could remove it once and for all I'd be happy), and yet I'm still needing fixes for it. Well, I guess it makes sense to patch it just in case, but sheesh, how many times does it need fixing? You'd have thought that they'd have worked it out by now, or is the way Windows prints naturally open to more attacks than most?
Waiting for an amusing sig.
- Accounts: Limit local account use of blank passwords to console logon only - defaults to Enabled
- Network access: Sharing and security model for local accounts - allows only remote Guest login by default
So, by default, an XP box can be accessed only using a Guest login that still must have a password (if the XP box is joined to a domain, domain policy overrides the #2 setting, allowing non-Guest remote logons).
throw new SuccessException("Sig read successfully");
Weird - our IT department pushed the patches automatically last week. I guess they have better things to do with their time on a Sunday.
There are many large networks still running Windows 2000, and it's not easy to upgrade them. It's not upgrading Windows on a single machine that's hard, it's upgrading Windows and dozens of other software systems that run on it, for tens of thousands of desktop systems. Oh, and that needs to be done in some way that the old and new interoperate during the transition period, and it's all got to be documented by about 3 people who understand it all so that the helpdesk and end users and internal development teams all understand the various customized moving parts.
It's really harder than it seems, when your perspective is "The PC on my desk has been running Windows XP SP2 since the day it was released." Believe it or not, it's actually so difficult and expensive, that many organizations are still contemplating whether or not they can skip Windows XP altogether and leap directly to Longhorn / Vista.
If you mod me down, I shall become more powerful than you could possibly imagine.
Plus, then it would be multi-platform! A virii/trojan/worm first. . . it would also be sandboxed, making the author's job a bit more difficult.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
Well, I'm not good at this, but I believe Windows has quite a lot of funky services open once the firewall is deactivated.
And they are quite hard to switch off or configure to react to localhost only, at least when you are not a sysadmin who spends his time figuring things out, but just a user trying to get work done.
I'm still trying to figure out what people mean by 'social skills' here.
There will probably be variants within a few days. Some of those will undoubtedly email copies around. Perimeter defense is necessary but not sufficient.
If you mod me down, I shall become more powerful than you could possibly imagine.
Don't forget VPN and dialup clients too..
---- Booth was a patriot ----
I bet Microsoft secretly loves this, to get at all those people that won't upgrade to XP/2003.
"See, you have to upgrade to be safe, send us money"
---- Booth was a patriot ----
Great idea! An operating system in a VM! That'll get everyone to switch to Linux pretty fast.
You are right, just like the others I don't use.
If I use any Linux or BSD I get continued security updates for free.
If I did use Red Hat I could still patch the system with security updates myself. With Windows I can't do that.
How was my original post flamebait? The patches COULD be made for Windows 2000 since it is almost exactly the same codebase but instead they use it as leverage.
Just one more reason to use OSS.
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
I'm no blackhat, but I've got to point out that any hacker that's been arrested is careless, and it's been that way for quite a few years now. I live in a small to medium-sized town, and there are at least half a dozen public WiFi access points that I know of. Not all of them are free, but even a half-assed hacker could get around their security. I'm sure that there are at least a hundred personal WiFi routers around town, too. The vast majority are probably unsecured, or at best secured with WEP and MAC filtering (both easily breakable.)
The point is, anyone who's capable of creating an original exploit should also be able to construct a cantenna (or a woktenna) and access a hotspot from a block (or five) away in complete anonymity, rotating hotspots frequently and using proxies whenever possible. Any hacker who does not do this is indeed being (extremely) careless. Any hacker who DOES do this is almost certain not to get caught (unless he does something stupid like use a stolen credit card number to have something shipped to his house--but then, that's not careless cracking, that's careless fraud.)
In essence, not only are harsher penalties defeated by self-delusion ("I'll never get caught!"), they're also defeated by healthy levels of intelligence and paranoia ("Hey, I DIDN'T get caught!")
As far as your solution goes, as long as blackhat hacking continues to inspire fear and yields real power (botnets and stolen IDs), I don't think that we'll be able to psyche them out into quitting. Graffiti is essentially an aesthetic crime/sport, whereas hacking and worm authoring can lead to tangible benefits... and you can't really expect to stop a thief by calling him silly names.
In the end, I believe that the solution must be technical.
Symantec has info on two variants: W32.Zotob.A http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html and W32.Zotob.B http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html
Both describe, "Attempts to spread to systems which can be exploited by a vulnerability in Microsoft Windows Plug and Play Service (as described in Microsoft Security Bulletin MS05-039). If successful, the worm copies the file 2pac.txt to the remote machine."
Ignorance is curable, stupid is forever.
Don't joke. Looks like someone came in and connected an infected laptop up to our network. Guess what our 300+ Win32 servers are running? 2000, mostly.
:)
Slashdotters living in the basement can joke about "obsolete" OS's all you want, and rant on about patching, but the fact remains that for many enterprise level installs, 2000 is where it's at, and where it will be for many more years to come. Not everyone sits on the upgrade treadmill, especially when you're trying to not kill a business with constant outages.
5 days from patch to exploit. Hell, with the weekend, that's 3. 3 days to test this patch with hundreds of applications and hardware combinations. I'd love to see any of you naysayers manage that. Oh yeah, and scheduled outages on darn near every 7x24 service we offer.
Come work in enterprise sometime, when PHB's force Win32 down your throat. It's enough to make you want to tear your hair out.
And maybe this time they'll release a patch that shuts off all these damn default listening services. Yeah right. About as likely as vendors finally porting their offerings to Linux.
Oh well, I didn't need sleep anyway. At least I got a bit of private time this evening while our paging system was down as a result of this thing and no one could find me.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Like someone else already said, we don't like pushing patches automatically onto our servers, and we do plan better upgrade days, but this threat is serious enough to warrant a day like this. Besides, anything to get to sleep in on a monday morning. :-P
home
> Which is why we're at this moment here at work patching all servers manually.
no, you're not. you're reading and posting to slashdot.
The original poster was talking about "just for the hell of it"-worm authors. I should point out that these blackhats in particular should NEVER get caught unless they are extremely prideful and/or stupid. Worms that "call home" can obviously be traced, but proof of concept and cause-a-lot-of-chaos worms are only ever connected to their author for one brief instant--when they are uploaded. This instant can be when they are connected at a coffee shop from several blocks away during rush hour. Wash, rinse, repeat for all of the popular public hotspots in the area, over the course of a week to ensure that your worm is seeded in multiple locations. Then, after a week (or after your virus is identified in the wild) halt all distribution and watch the chaos unfold. Unless you suffer from supremely bad luck (i.e. hidden camera in the area FIVE BLOCKS AWAY from the actual hotspot manages to catch you in the act and the FBI agents actually check the camera and they actually manage to spot your woktenna through your tinted car windows) there is no way you will ever be caught. You can even be stupid and brag about it on IRC to all your buddies and even if the FBI arrests you, you can just say you were being a lying little prick and as long as you've wiped your HD, they won't have enough evidence to indict you (what are they gonna do, arrest every script kiddie on IRC that claims they wrote the worm? heh.)
Actually, just-for-the-hell-of-it random crime in general is a lot harder to trace than motivated crime. Nothing short of Orwellian-level surveillance can reliably solve random, profit-less crime committed by smart criminals. Fortunately, these two things--random, profit-less crime and smart criminals--are very rarely connected.
While I may have been taken as a comedian, I was actually being quite serious.
We are about 1/2 Win2000 ( pro/serv ) where I work as well.
---- Booth was a patriot ----
You'd be wrong - but that's why you posted AC, right?
In the third paragraph, you use the term "install". I'm not clear on what this means. Surely any reputable news source should explain all their "techno jargon" so the layperson can understand it. Sheesh. :p
Carpe Cerevisi - Seize the Beer