Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS05-039 Worm in the Wild

Posted by CmdrTaco on from the brace-for-impact dept.

An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.

18 of 252 comments (clear)

  1. ClamAV by slavemowgli · · Score: 5, Informative

    And it's detected by ClamAV already, too.

    --
    quidquid latine dictum sit altum videtur.
  2. Vulnerability by Tiberius_Fel · · Score: 4, Informative

    From TFA:

    "Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon."

    I think a lot of people were relieved to read this. :)

    --
    Join the Empire! http://www.empirereborn.net/
    1. Re:Vulnerability by louarnkoz · · Score: 5, Informative

      The "valid logon" comment is misleading. On XP/SP2 and Windows 2003, the remote function can only be exploited by a logon with administrative privilege, the equivalent of root access. SP2 does not correct all bugs in Windows XP, but it includes a lot a system hardening. The guiding idea was "defense in depth", i.e. don't assume that the software is perfect, add multiple layers of protection. One of these defenses was requiring authentication for all RPC access. This "defense in depth" seems to be working, at least in this case.

  3. crappy summary by smoondog · · Score: 5, Informative

    What a crappy summary, it doesn't even mention what operating system this effects (or how to patch for that matter). "Important facts" from the article:

    - Patch MS05-039 will protect you
    - Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
    - Blocking port 445 will protect you (but watch for internal infected systems)
    - The FTP server does not run on port 21. It appears to pick a random high port.

    1. Re:crappy summary by sucker_muts · · Score: 4, Informative

      Another usefull article from eweek with even more info:

      http://www.eweek.com/article2/0,1759,1847756,00.as p?kc=EWRSS03119TX1K0000594

      --
      Dependency hell? => /bin/there/done/that
    2. Re:crappy summary by numbski · · Score: 4, Informative
      Blocking port 445 will protect you (but watch for internal infected systems)

      Yeah, and for grins, why is it you can't use a software firewall within Windows to block 445?

      Hmmm...lessee here...
      [erwin:~] numbski% cat /etc/services | grep 445
      microsoft-ds 445/udp # Microsoft-DS
      microsoft-ds 445/tcp # Microsoft-DS
      Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up. w00t! :\
      --

      Karma: Chameleon (mostly due to the fact that you come and go).

  4. More Detail by Tiberius_Fel · · Score: 4, Informative

    Even though it's linked to in the article, the bit by F-Secure is a bit better written (and more informative):
    http://www.f-secure.com/weblog/

    --
    Join the Empire! http://www.empirereborn.net/
  5. Re:What drives people to do this... by RAMMS+EIN · · Score: 5, Interesting

    What drives them is probably a sense of achievement. By creating a working worm they can prove something to themselves, their friends, and/or the world. And it seems to work, some people got security jobs because of the exploits they made.

    As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here. Things that probably help:

      - give more publicity to when these guys are caught and what they are sentenced to, rather than to how much damage they did
      - make it harder to write worms in the first place. Many worm writers aren't extremely brilliant programmers, so chances are this would cause more worms to fail
      - don't give them jobs after they are caught, unless they really deserve them! Just because they can write and release a worm, doesn't mean nobody else can. Better reward the people who can but don't, right?
      - maybe apply the same punishment to minors that is applied to adults. If you're smart enough to put together a worm, you're smart enough to know you shouldn't release it.

    --
    Please correct me if I got my facts wrong.
  6. Better analasys by Barny · · Score: 4, Informative

    As usual, trend have thier info strait about this exploit, and good ways to prevent it...
    http://www.trendmicro.com/vinfo/secadvisories/defa ult6.asp?VNAME=(MS05-039)+Vulnerability+in+Plug+an d+Play+Could+Allow+Remote+Code+Execution+and+Eleva tion+of+Privilege+(899588)&Page=

    --
    ...
    /me sighs
  7. Re:What drives people to do this... by Gorath99 · · Score: 4, Interesting

    Indeed, money is a motivation, but it's not the only one. It's also an intellectual challenge.

    Back when I had learned to program in my early teens, I myself was quite fascinated by virii/trojans/etc. and wondered if I could create one. I probably could have written a moderately "successful" trojan by the standards of the time. It's not that hard.

    Thankfully, I was responsible enough not to, but not everybody is. All it takes is one bad apple...

  8. Re:miscategorised by suitepotato · · Score: 4, Insightful

    It is only horribly redundant because the average malware scumbag writer is taking the easy way out and going after Windows machines, taking advantage of end-user naivete and Windows' openness to infection. If they had any guts and were truly 1337, they'd try to get into a source repository on sourceforge and slip their own modded source in to get Linux people to infect their machines or something equally hard and nasty.

    Come to think of it, what do we know of the server security at any of the big name OSS-hosting sites and does anyone really peruse the source anymore? Given the difference between being C++ proficient and merely being able to administer a Linux system is like the difference between the average Windows user and a Windows programmer, I'm guessing not too many.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  9. Firewalls offer limited protection only by Dynamoo · · Score: 5, Insightful
    Remember folks - if you work for any large organisation, your external firewall will ONLY protect you as long as some freaking idiot doesn't bring an infected laptop in. From my experience a perimiter firewall will maybe buy you 1-2 days MAXIMUM in this situation if you have a large number of mobile users. In our case, we do not allow users to connect laptops to non-company networks at all.. but they still do.

    What's worse is that today is Sunday, so there's a greater chance of those laptops being used on an unprotected internet connection.

    Shucks, the patch for this is only four days old. There goes my Sunday afternoon!

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Firewalls offer limited protection only by johu · · Score: 5, Interesting

      We have all workstations configured with local firewall rules that prohibit most outbound traffic unless IP address is from our intranet address range. If it's not only DHCP client, DNS client, AV updates and VPN to corporate network is allowed. Inbound traffic is completely blocked when plugged to foreign network. Even when within our network there's strict rules blocking everything as default and only allowing limited set of ports if traffic is coming from subnet used by helpdesk.

      Visitors used to plug their laptops to our internal net, but we implemented 802.1x and it's no longer problem. Locations that couldn't be updated to it due various reasons are routed to separate firewall interface (VLAN) and can access corporate net (and internet) only thru VPN.

      Printers and other devices that don't speak 802.1x are on separate VLANs that have no access to corporate net or internet.

      This is all very basic stuff that any decent admin should be able to implement easily. Everything can be done in typical Active Directory + Win2000/XP/2003 environment without third-party software. Therefore implementing infrastucture like this is even cheap.

      Since someone is going to ask how to limit outbound traffic with Win2k/XP built-in firewall here's answer: Use either RAS filtering (per machine VBS) or IPSEC group-policies.

      Because all internet traffic is forced thru proxies doing antivirus checks at HQ those blocking rules aren't problem. Users simply access net using our main connection and their own is only used to tunnel everything via VPN. Users don't have local admin rights so they can't disable firewall to bypass security.

      Biggest drawback with this kind of implementation is WLAN access. Since many WLANs require login using web browser and net access is denied unless VPN is active they're unusable. There's no easy solution to this. Only good solution would be some very restricted and secure browser that's allowed to access 80/443 ports. Preferrably running in own virtualmachine/sandbox to protect computer itself.

  10. Re:no subject really by JamesTRexx · · Score: 4, Funny

    Which is why we're at this moment here at work patching all servers manually. Good thing it also means a sunday bonus. :-)

    --
    home
  11. Re:What drives people to do this... by lgw · · Score: 4, Insightful

    What scares me is it's only a matter of time and technology until we have this same situation with biological viruses.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  12. Re:What drives people to do this... by Eivind+Eklund · · Score: 4, Interesting
    Making it harder could work.

    The rest of these are irrelevant, because they do not expect to get caught. Really. Even if the people around them are going down in flames, they don't expect to get caught.

    About 15 years ago I was in the "hacker" scene (the ones breaking into computers, not the ones creating brilliant software). Getting caught never felt real, and never seemed to feel real for anybody else, either. My friends got busted left and right, yet - they'd always been careless about something, and I felt that *I* wouldn't be careless about that.

    There's one other thing that could work: Break up the scene. The people need to be shown as ridicilous. And it needs to seem ridicilous to the people close to the scene.

    For the tagging (grafitti) scene, it seems to have worked somewhat well here in Norway to use advertising to give them a new, ridicilous name and image.

    I therefore humbly suggest we from now on call those that break into computers "Computer wankers".

    Eivind.

    --
    Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
  13. Re:What drives people to do this... by thrillseeker · · Score: 4, Funny
    Personally my hobbies include martial arts and power lifting. Another good systems guy I know is an expert martial artist. I say we get five minutes locked in a small concrete room with Mr. Worm Creator and see how much fucking fun he has while he's getting an ass beating.

    Having some difficulties understanding the self-control aspects of the martial arts, are you?

  14. An attack on Win2000? by nurb432 · · Score: 4, Insightful

    I bet microsoft secretly loves this, to get at all those people that wont upgrade to XP/2003.

    "See, you have to upgrade to be safe, send us money"

    --
    ---- Booth was a patriot ----