Slashdot Mirror


Zotob Worm Hits CNN and Goes Global

securitas writes "The Zotob MS05-039 worm mentioned on Slashdot last Sunday may be the most recent virus that has gone global, hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others. The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm, with reported outbreaks in Germany and China. InformationWeek has a decent article titled Zotob Proves Patching "Window" Non-Existent. Microsoft calls it a "low impact" threat and tells you What you should know about Zotob. Symantec has W32.Zotob.D removal instructions. Trend Micro thinks that this is a new, different worm altogether and says it is one of the fastest-spreading infections in history."

522 comments

  1. Microsoft by Anonymous Coward · · Score: 0, Troll

    Microsoft is not spreading FUD this time; their own products are much bigger threats

  2. ahh got about 10,000 bots today by Anonymous Coward · · Score: 0

    and i just sat back :)

  3. Is your computer infected? by ackthpt · · Score: 5, Funny
    • If computer is Apple, No
    • If OS is Linux, No
    • If OS is Windows variant, Could be
    • If OS is Windows 2000, Could be
    • If Search finds Botzor.exe in your filesystem, Definitely
      • What do I do?
      • Ignore it, like millions of others.
    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Is your computer infected? by jim_v2000 · · Score: 0

      If OS is Windows variant, Could be

      According to TFA's apparently not.

      --
      Don't take life so seriously. No one makes it out alive.
    2. Re:Is your computer infected? by Anonymous Coward · · Score: 5, Funny
      If OS is Windows variant, Could be

      According to TFA's apparently not.

      This just in: Windows 2000 is a variant of Windows. Pictures at 11.

    3. Re:Is your computer infected? by Anonymous Coward · · Score: 4, Insightful

      You seem to have left a few out.

      If OS is Windows 95, No
      If OS is Windows 98, No
      If OS is Windows ME, No
      If OS is Windows XP, No
      If OS is up to date with security patches, no

      Or just to make it easier
      If ((OS != Windows 2000)&&(System.HasAllTheSecurityUpdates != True))
      Then Could be.

    4. Re:Is your computer infected? by Haydn+Fenton · · Score: 3, Interesting

      "Ignore it, like millions of others."

      Well, generally speaking it looks like that's not really a bad thing to do in this case. Check out the Symantec Security Response page (link in TFSummary), all it appears to do is remove spyware applications from the filesystem and their startup keys in the registry. Oh noes!!11!one!!
      "gray-hat" worm?

    5. Re:Is your computer infected? by daliman · · Score: 2, Informative
      I thought you were joking about the Botzor.exe.

      According to Microsoft, apparently not.

    6. Re:Is your computer infected? by monkeydo · · Score: 2, Informative

      That should be:

      If ((OS == Windows 2000)&&(System.HasAllTheSecurityUpdates != True))
      Then Could be.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    7. Re:Is your computer infected? by KillShill · · Score: 0

      if computer is apple or linux or windows, you'll be bombarded by attempts to infect you. the internet you connect to will be a more hostile place and be slower as a result.

      if you're an island, more power to you. the fact there isn't an island in existence might be a little discouraging but don't let that stop you from making a fool of yourself.

      stupid dickheads harm us all. someone else's misfortune tends to become your own over time.

      --
      Science : Proprietary , Knowledge : Open Source
    8. Re:Is your computer infected? by Anonymous Coward · · Score: 0

      "You seem to have left a few out" posts are probably the least interesting crap that gets modded up at Slashdot. They're even worse than the five or six acceptable Slashdot cliches that get modded up without fail... man, fuck you.

    9. Re:Is your computer infected? by brianimator · · Score: 2, Interesting

      Let's not get too cocky...

    10. Re:Is your computer infected? by Anonymous Coward · · Score: 0

      Or you could just state it in plain logic since it's highly unlikely a simple boolean test reveals whether or not the system is patched and stating the operator on a boolean test is like saying if true/false != true...

      If the machine does not have the relevant patches and is running Windows 2000 then it may be infected, depending on network configuration and other random factors.

    11. Re:Is your computer infected? by Anonymous Coward · · Score: 0

      Actually, it is a bad thing. Worms are supposed to be GOOD news for my consulting business. My hopes of removing this worm from every unpatched Windows 2000 machine have turned to the polar opposite as it now removes spyware and other resource eating processes. Baaah humbug.

    12. Re:Is your computer infected? by Anonymous Coward · · Score: 1, Funny

      That would explain why my Zotob system has been infected by the 2000 variant of Windows.

    13. Re:Is your computer infected? by bryhhh · · Score: 3, Informative

      Actually it is possible for XP (and Server 2003) systems to get hit by this if the following value has been set in the registry,

          HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymousSam = 0

      There are some applications that will set this value at install time, so don't be confident you won't get hit because you are running Windows XP.
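
The conditions discussed in this sub-thread (Windows 2000 without the MS05-039 update, plus the RestrictAnonymousSam caveat for XP and Server 2003) written as a triage helper. This is an added example, not part of any comment; the host names, the `ms05_039_installed` flag (assumed to come from patch management) and the sample `reg query` text are constructed.

```python
import re

# Value name as given in the comment above; registry value names are
# case-insensitive, so compare in lower case.
VALUE_NAME = "restrictanonymoussam"

# One value line of `reg query` text output: name, type, data.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)\s*$")

# Constructed samples of text collected from hosts with
#   reg query HKLM\System\CurrentControlSet\Control\LSA /v RestrictAnonymousSam
REG_ZERO = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymoussam    REG_DWORD    0x0
"""
REG_ONE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymousSAM    REG_DWORD    0x1
"""
REG_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"


def parse_restrict_anonymous_sam(reg_output):
    """Return the DWORD as an int, or None if the value is not in the output."""
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(1).lower() == VALUE_NAME:
            return int(m.group(2), 16)
    return None


def triage(os_name, ms05_039_installed, reg_output=""):
    """Classify one host using only the conditions stated in this thread."""
    if ms05_039_installed:
        return "patched"
    if os_name == "Windows 2000":
        return "could be infected"
    if os_name in ("Windows XP", "Windows Server 2003"):
        value = parse_restrict_anonymous_sam(reg_output)
        if value is None:
            # Missing or unreadable value: do not guess, send to a human.
            return "review: value not found"
        if value == 0:
            return "could be infected (RestrictAnonymousSam = 0)"
        return "unpatched, anonymous SAM access restricted"
    return "not covered by this thread"


# Constructed inventory: (host, OS, MS05-039 update installed?, reg query text)
INVENTORY = [
    ("news-desk-01", "Windows 2000", False, ""),
    ("news-desk-02", "Windows 2000", True, ""),
    ("laptop-07", "Windows XP", False, REG_ZERO),
    ("laptop-08", "Windows XP", False, REG_ONE),
    ("srv-03", "Windows Server 2003", False, REG_MISSING),
    ("mac-01", "Mac OS X", False, ""),
]


def triage_inventory(inventory):
    """Map each host name to its triage result."""
    return {host: triage(os_name, patched, reg)
            for host, os_name, patched, reg in inventory}


if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host:14} {verdict}")
```
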

    14. Re:Is your computer infected? by rikkards · · Score: 1

      Do you have a list of said applications?
      Would like to know.

    15. Re:Is your computer infected? by bryhhh · · Score: 2, Informative

      My source suggests legacy domain controllers, Microsoft Exchange servers, Microsoft SQL Servers, etc.

      I've not verified this, but I don't have any reason to doubt it.

    16. Re:Is your computer infected? by ricky_charlet · · Score: 1

      I take it that you intend the innuendo that Linux and Apple are immune from viruses. The methodology used to create this virus seems to have been:
      1) wait for OS vendor to announce a vulnerability and patch
      2) create a virus
      3) distribute virus before most users have updated the patch.

      This methodology would also be successful against Apple and Linux but for their lack of popularity.

      The number of historical incidents per OS is related to both population density and quality of the OS. But the pace of spread is related to population density only - not to OS quality. Certain versions of Windows are the only OSes with sufficient population density to attract the attention of virus writers.

      So do remember that using an unpopular OS is a very good virus defence. But also do try to keep the secret ;-)

    17. Re:Is your computer infected? by RotJ · · Score: 1
      all it appears to do is remove spyware applications from the filesystem and their startup keys in the registry

      That's not all it does. Did you miss the following?

      # Attempts to open a back door by connecting to one of the following IRC servers on TCP port 6667:

              * xaeti.m00p.org
              * db23a.hack-syndicate.org
              * spookystreet.m00p.org
              * spookystreet.udp-flood.com

      # Allows a remote attacker full control over the compromised computer to perform various actions, including:

              * Downloading and executing files
              * Making queries to www.google.com
              * Ending processes
              * Carrying out dictionary attacks on user passwords


      Unless the hackers are only using the IRC zombification of your machine to keep your system clear of spyware, I wouldn't call this gray-hat. It's probably only removing the spyware because those programs hijack browsers and phone home, which might conflict with the workings of this worm.
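
The back-door behaviour quoted in the comment above (connections to the listed IRC servers on TCP port 6667) can be hunted for in DNS and connection logs. This is an added example, not part of any comment; the log format, timestamps and IP addresses are constructed, and only the four host names and the port come from the quoted description.

```python
import re
from collections import defaultdict

# Host names and port exactly as listed in the quoted description above.
C2_HOSTS = {
    "xaeti.m00p.org",
    "db23a.hack-syndicate.org",
    "spookystreet.m00p.org",
    "spookystreet.udp-flood.com",
}
IRC_PORT = 6667

# Constructed log format (an assumption, not any product's real format):
#   <timestamp> DNS <client-ip> <queried-name>
#   <timestamp> CONN <src-ip>:<src-port> <dst-ip>:<dst-port> tcp
DNS_RE = re.compile(r"^(\S+) DNS (\d+\.\d+\.\d+\.\d+) (\S+)$")
CONN_RE = re.compile(
    r"^(\S+) CONN (\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+) tcp$"
)

# Constructed sample log; addresses are from private/documentation ranges.
SAMPLE_LOG = [
    "2005-08-17T09:14:02 DNS 10.20.1.15 xaeti.m00p.org",
    "2005-08-17T09:14:03 CONN 10.20.1.15:1034 192.0.2.44:6667 tcp",
    "2005-08-17T09:15:40 DNS 10.20.1.22 www.example.com",
    "2005-08-17T09:15:41 CONN 10.20.1.22:1190 198.51.100.7:80 tcp",
    "2005-08-17T09:16:12 CONN 10.20.1.31:1201 203.0.113.9:6667 tcp",
    "2005-08-17T09:17:55 DNS 10.20.1.40 SpookyStreet.UDP-Flood.com.",
]


def find_suspect_hosts(lines):
    """Return {client_ip: sorted list of reasons the host was flagged}."""
    reasons = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        m = DNS_RE.match(line)
        if m:
            # DNS names are case-insensitive and may carry a trailing dot.
            name = m.group(3).rstrip(".").lower()
            if name in C2_HOSTS:
                reasons[m.group(2)].add("dns:" + name)
            continue
        m = CONN_RE.match(line)
        if m and int(m.group(5)) == IRC_PORT:
            reasons[m.group(2)].add("tcp/6667")
    return {ip: sorted(found) for ip, found in reasons.items()}


def severity(reason_list):
    """Listed name plus IRC connection is strongest; the port alone is weak,
    because ordinary IRC clients also use TCP 6667."""
    has_dns = any(r.startswith("dns:") for r in reason_list)
    has_conn = "tcp/6667" in reason_list
    if has_dns and has_conn:
        return "high"
    if has_dns:
        return "medium"
    return "low"


def rank(lines):
    """Return (ip, severity, reasons) rows, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(ip, severity(r), r) for ip, r in find_suspect_hosts(lines).items()]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))


if __name__ == "__main__":
    for ip, level, why in rank(SAMPLE_LOG):
        print(f"{level:6} {ip:12} {', '.join(why)}")
```
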
  4. SANS/ISC's take on the CNN infection by Kelson · · Score: 5, Informative

    The Internet Storm Center's take on this is also interesting. As far as they can tell, the infection at the three news outlets is more-or-less isolated:

    Speculating: The fact that CNN, ABC and the NYTimes got it may be as simple as reporters from these organizations visiting the same event and connecting to an infected network. While a firewall may have protected their office network up to now, these infected laptops were able to take out the network from the inside once they connected back to it.
    1. Re:SANS/ISC's take on the CNN infection by Jeremiah+Cornelius · · Score: 3, Funny

      Appalling security for these folks. Bucket-brigade virus infections. Now you know how to take one of these orgs out - drop a nasty on the lobby jacks.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:SANS/ISC's take on the CNN infection by Anonymous Coward · · Score: 0

      why do terrorist worms hate american freedom of the press?

    3. Re:SANS/ISC's take on the CNN infection by Jeremiah+Cornelius · · Score: 3, Funny

      Your ideas intrigue me, sir, and I would like to subscribe to your newsletter.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    4. Re:SANS/ISC's take on the CNN infection by benna · · Score: 1

      DaniWeb has a rather angry blog post about this as well. I watched some of the coverage on CNN myself. It was pretty entertaining. Nobody had any idea what they were talking about.

      --
      "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
    5. Re:SANS/ISC's take on the CNN infection by Master+of+Transhuman · · Score: 1

      "these infected laptops where able to take out the network from the inside once they connected back to it."

      Interesting.

      And a few weeks ago, people here were saying that companies just using perimeter security were in the minority these days, and that "everybody uses defense in depth", so the whole "single corporate firewall is obsolete" argument was moot.

      Guess not - at least not in the news business.

      Maybe a bunch of /. sys admins should submit their resumes to these organizations, since they obviously are smarter than the incumbents.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    6. Re:SANS/ISC's take on the CNN infection by DerWulf · · Score: 1

      That's what I thought while viewing CNN yesterday, too. Really funny how they made this huge special newsbreak where they basically had nothing to say but made it out to be 'a widespread infection' with the potential to cause billions of dollars of damage and huge disruptions. I hope that tonight they'll make a huge show titled "No coffee at CNN's NY office. End of Civilisation drawing near?".

      --

      ___
      No power in the 'verse can stop me
    7. Re:SANS/ISC's take on the CNN infection by smooth+wombat · · Score: 1
      Dani is full of shit. I did watch CNN and their tech guy (can't remember his name right now) tried to explain the difference between a worm and a virus. He even said he'll probably hear from some tech 'experts' who will take him to task for not getting it right but he did his best to make it as simple as possible so everyone could understand. So no, they weren't calling it a virus.

      Further, this worm CAN affect XP SP2 under certain conditions. In fact, on Microsoft's own page the second entry is for XP SP 1 AND XP SP 2. Microsoft even provides the link for the patch for these systems.

      Still further, constant rebooting of a machine may cause data loss depending on the system. It's rare but it can happen.

      The article was nothing more than a stab at CNN rather than an actual report on something. In fact, the last sentence proves my point:

      Although I hate to say this, FOX News hasn't even touched this story.

      So? FOX doesn't touch any story that might bring bad news. They haven't even reported on the newest bombings in Baghdad because that would be contrary to all the 'good' news that's coming out of that hellhole.

      If CNN's story seemed a bit overhyped and not totally correct, so be it. If it gets people to go patch their machines then that's a good thing.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    8. Re:SANS/ISC's take on the CNN infection by shotfeel · · Score: 1

      Although I hate to say this, FOX News hasn't even touched this story.

      Or it could simply be that FOX News hasn't been hit by it. Ever notice how journalists go majorly nuts whenever a problem hits them instead of "regular people"?

      This isn't a comment on FOX News, just pointing out that journalists tend to cover what they know and experience (or what they think they know).

    9. Re:SANS/ISC's take on the CNN infection by smooth+wombat · · Score: 1

      Agreed. Maybe FOX hasn't been hit by it so to them it's not a big story. However, it is news regardless if it happens to a journalist or not and should be covered.

      You are correct in that when it happens to journalists it somehow seems to be the most important thing going on at that time. Which to them it is because it happened to them.

      It's the typical human (or any animal) response. Something happens to you and that's all you care about for a time.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    10. Re:SANS/ISC's take on the CNN infection by benna · · Score: 1

      I saw that too but that was later. That was when they actually had their technology guy reporting on it. In the beginning though, when they had their business reporter trying to answer questions about it it was pathetic. Wolf Blitzer was telling this guy on the air, "Press control alt delete." Pretty funny stuff though.

      --
      "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
    11. Re:SANS/ISC's take on the CNN infection by EvilTwinSkippy · · Score: 1
      I've interviewed at a few of them. They don't listen to their own staff. They listen to contractors and consultants. And contractors and consultants don't usually build stuff for the long term. Consultants build systems to meet requirements, budget, and schedule. Whether it works in 6 months (or after the next rev of Windows/SQL Server/etc) is not their problem.

      Getting back to my point, if you want to be heard, be a consultant.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    12. Re:SANS/ISC's take on the CNN infection by Master+of+Transhuman · · Score: 1


      Amen to that.

      That's certainly how it works at City College of San Francisco. We pay nearly $200K/year to a consulting firm that gets to recommend themselves for extending the contract every year - this on top of the $150K we pay SCT for Banner "support" which is what the consulting firm is actually used for.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  5. yeah, but.... by Anonymous Coward · · Score: 0

    ... does it run on Linux?

  6. MS says.. by Turn-X+Alphonse · · Score: 5, Insightful

    It doesn't effect Windows XP, so Microsoft will just go "You should of updated". Which will lead to more sales of XP by the masses believing they need the latest OS to "be safe".

    --
    I like muppets.
    1. Re:MS says.. by Anonymous Coward · · Score: 3, Insightful

      Well it's true, isn't it?

      I don't run vulnerable versions of the Linux kernel either, do you?

    2. Re:MS says.. by Guspaz · · Score: 1, Informative

      What are you talking about? This virus does affect Windows XP. WinXP is a Windows 2000 based OS.

      Microsoft has released patches for this that cover Windows XP as well as 2000 and 2003:

      http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

    3. Re:MS says.. by Revenge013 · · Score: 1

      Symantec lists XP as a vulnerable OS, though I'm not certain if that is just a blanket response from Symantec.

      However, TFA at CNN quotes the Sans Institute as having identified 'early versions of XP' as being susceptible to the threat, via the MS05-039 hole.

      Being that XP is the red-headed stepchild of 2000, I'd say it's susceptible to attack.

      --
      Trivial Omnipotence
    4. Re:MS says.. by DrEldarion · · Score: 5, Funny

      so Microsoft will just go "You should of updated".

      ... and then the grammar nazis will descend upon them like hawks.

    5. Re:MS says.. by Krach42 · · Score: 2, Insightful

      The patch was released for Windows 2000, XP, and Server 2003.

      If Zotob isn't infecting Windows XP, it's because of a failure of the authors to account for portability. Some later author could potentially fix this.

      As always, it's recommended to patch your Operating System after a critical security patch. So, take the breather that you have if you're using Windows XP, to go out and patch the vulnerability out of your Windows XP box.

      (opinions expressed are my own.)

      --

      I am unamerican, and proud of it!
    6. Re:MS says.. by (startx) · · Score: 4, Insightful

      I don't run vulnerable version of the Linux kernel, but then again I don't have to pay to upgrade either.

    7. Re:MS says.. by Anonymous Coward · · Score: 0

      "MS might release a press release."

      If they don't release it, then it won't be much of a release, will it?

      Please report to user #789240 for remedial English lessons.

    8. Re:MS says.. by cnettel · · Score: 5, Informative

      It requires authentication, though. So, if you are not wide-open for file sharing through SMB or something, you will need to be infected by a machine that already has login credentials for some machine. So, it's remote privilege elevation on XP, but not from an anonymous user, making the threat much lower. Until that trusted, unpatched 2000 machine enters the LAN.

    9. Re:MS says.. by Anonymous Coward · · Score: 1, Funny

      that was the intended affect...

    10. Re:MS says.. by Dun+Malg · · Score: 1
      "You should of updated"

      should have updated (or should've), fer god's sake. What does "should of" mean?

      --
      If a job's not worth doing, it's not worth doing right.
    11. Re:MS says.. by DrCode · · Score: 3, Insightful

      Also, you don't have to upgrade everything, either.

    12. Re:MS says.. by sgant · · Score: 1

      shoulda coulda woulda

      --

      "Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
    13. Re:MS says.. by Tony+Hoyle · · Score: 3, Informative

      Except if 'simple' (aka. broken) file sharing is enabled, as it is on XP Home, it'll let anyone in as guest. It's implemented at the NTLM auth level.. as I've found to my cost with SSPI based applications (the workaround is to check the registry for the setting and warn the user they disabled their security...).

    14. Re:MS says.. by FlipmodePlaya · · Score: 2, Insightful

      I think using 2000 instead of XP is more akin to running kernel 2.4 instead of 2.6 than running a 'vulnerable' version of the kernel. Remember that older Linux kernels are still maintained, and used by many people who require specific features that were changed in more recent versions.

      I think the same can be said of many Windows 2000 users, who may not like a lot of the interface changes made to XP (and, yes, that goes beyond the Luna theme, which I realize is merely a default). Of course, as others noted, cost is probably the foremost concern.

    15. Re:MS says.. by jcr · · Score: 1

      Don't they teach English in schools anymore?

      No, they needed the class time to teach pomposity.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    16. Re:MS says.. by smittyoneeach · · Score: 2, Funny

      God save us from the fury of the Winged Grammar Nazis of Dreldarion!

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    17. Re:MS says.. by KillShill · · Score: 1

      now we know ms is evil but they simply CANNOT defile the english language like that. we shouldn't stand for it.

      --
      Science : Proprietary , Knowledge : Open Source
    18. Re:MS says.. by Anonymous Coward · · Score: 0

      Funny.

    19. Re:MS says.. by GeoffP · · Score: 4, Funny

      "grammar nazis"

      Heil Webster!

    20. Re:MS says.. by ToasterofDOOM · · Score: 1

      Forsooth! Huzzah!

      --
      I am Spartacus
    21. Re:MS says.. by grogdamighty · · Score: 1

      Was the "affect"/"effect" mistake supposed to be humorous?

      --
      My other sig is funny.
    22. Re:MS says.. by Surlyboi · · Score: 1

      No, I think it was supposed to be humerus.

      --
      Mod me down and I will become more powerful than you can possibly imagine...
    23. Re:MS says.. by Anonymous Coward · · Score: 0

      is just another way to say "dinna"

    24. Re:MS says.. by Master+of+Transhuman · · Score: 0, Redundant

      "should have updated"

      No, the proper phrase is:

      "should switch to Linux."

      Microsoft doesn't have that AT ALL in their grammar checker.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    25. Re:MS says.. by Anonymous Coward · · Score: 0

      Grammar Macht Frei!

    26. Re:MS says.. by Anonymous Coward · · Score: 0

      ah, very punny comment. (no fun intended).

    27. Re:MS says.. by ozmanjusri · · Score: 1

      And I for one welcome our new Winged Grammar Nazis of Dreldarion overlords. I'd like to remind them that as a trusted Slashdot denizen with excellent karma, I can be helpful in rounding up others to toil in their underground proofreading basements.

      --
      "I've got more toys than Teruhisa Kitahara."
    28. Re:MS says.. by Jettamann · · Score: 1

      If the average consumer buys/leases/trades-in his/her $20,000 car/truck every 5 years, why can't these same people buy a new $300.00 operating system every 3 to 5 years?

      --
      - No Sig for you!
    29. Re:MS says.. by Anonymous Coward · · Score: 0

      But that same vehicle comes with a warranty and can be resold. I own the vehicle, not just some non transferable right to drive it. If an auto maker made a vehicle that performed as badly as Windows we sure would have one sorry mess ...

    30. Re:MS says.. by techno-vampire · · Score: 1
      Don't they teach English in schools anymore?

      Why should they?
      "In America, they haven't used it for years."

      --
      Good, inexpensive web hosting
    31. Re:MS says.. by Anonymous Coward · · Score: 0

      Ahh, ignorance is bliss.

      Windows zealots vs Linux zealots...
      Wouldn't be slashdot without blind arrogance, now would it?

      I guess now I'm supposed to believe that your kernel will *never* be vulnerable to *anything*?
      And your time *must* be equal to nothing. And the time of all the family/friends you converted to Linux (who would then be vulnerable and would be relying on you to update -- unless their update process *never* breaks). It's people like you who set up high expectations of Linux, and when it fails, it will be because of you.

      When will you christian.. err, I mean Linux fundamentalist catch a fraggin clue.

      A computer is a tool. Not a religion. Moron.

    32. Re:MS says.. by Anonymous Coward · · Score: 0

      I will destroy you all.

    33. Re:MS says.. by minus_273 · · Score: 1

      well if you are black you do get to learn ebonics instead.. that really takes you far in life.

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
    34. Re:MS says.. by ncalsmitty1369 · · Score: 1

      Seems to me that this virus comes out fairly soon after trying to force w2k people to submit to a system scan... might they be encouraging this? Since those who opted not to get scanned need to get a patch now?

    35. Re:MS says.. by Redwin · · Score: 1

      Maybe they were using US English :-)

      --
      Warning, comments may not have been passed by the sanity department of my brain.
    36. Re:MS says.. by Surlyboi · · Score: 1

      I will make no bones about that assessment.

      --
      Mod me down and I will become more powerful than you can possibly imagine...
    37. Re:MS says.. by linuxpaul · · Score: 1
      the grammar nazis will descend upon them like hawks.

      You! You with the mixed metaphor! My [boot/talon] will make you use better grammar!

      --
      Usage: fortune -P [-f] -a [xsz] Q: file [rKe9] -v6[+] file1 ...
    38. Re:MS says.. by indifferent+children · · Score: 1

      pimposity

      --
      Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
    39. Re:MS says.. by indifferent+children · · Score: 1

      We'll spit nails to make sure that English is the only official language, but we won't lift a finger to teacher gooder English.

      --
      Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
    40. Re:MS says.. by mwood · · Score: 1

      'Was the "affect"/"effect" mistake supposed to be humorous?'

      Actually it's more than humorous, because it works either way. (At least for those who've taken a psych. course and been taught to use "affect" as a noun.)

    41. Re:MS says.. by Himring · · Score: 1

      Yep, it's totally nuts I tell ya. They make an OS and webserver that fosters Codered. Codered breaks the Internet. Microsoft makes patch to fix crappy OS. New reports: "Microsoft has fixed the Internet!"

      It just sounds so much like mafia "protection money."

      --
      "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
    42. Re:MS says.. by Anonymous Coward · · Score: 0
      It doesn't effect

      "affect"

      so Microsoft will just go "You should of updated".

      Microsoft will respond "You should have updated."

      Which will lead to more sales of XP by the masses believing they need the latest OS to "be safe".

      An unpatched (pre-SP2) copy of XP is still vulnerable. An SP2 copy is still vulnerable if certain key registry values have been altered from the new standard.

      Please, for the love of the gods, somebody remove this gentleman's Insightful mods.

  7. All of a sudden by inode_buddha · · Score: 5, Insightful

    All of a sudden, a worm makes mainstream news because it invaded CNN's network. I guess that is a sad indicator of what it takes to raise awareness.

    --
    C|N>K
    1. Re:All of a sudden by Prof.+Pi · · Score: 1
      All of a sudden, a worm makes mainstream news because it invaded CNN's network.

      They've usually reported on worms in the past.

      What's different in this case is that they explicitly said it affects Microsoft systems. In the past, they would usually (but not always) say, "there's a new virus going around and every computer in the world is vulnerable." I would complain to them about not specifying the OS, comparing it to reporting on a new safety flaw in cars without naming the make and model.

    2. Re:All of a sudden by qyiet · · Score: 5, Funny

      It could have done us all a favor, and infected Fox's network.

    3. Re:All of a sudden by fdiskne1 · · Score: 4, Insightful

      I was in the process of testing the latest patches and was planning on expanding them out to the rest of the couple of thousand machines later in this week. I heard about the exploits available online when I woke up Sunday morning. I worked on Sunday making sure the couple of thousand machines we have were patched. By the time I was done, two viruses taking advantage of the vulnerability were in the wild so I got the signatures updated in case any machines were missed by the auto update I started. Today as I was about to leave, someone up the chain of command (not in a direct line of management with IT, thankfully) with no IT knowledge called, nearly in a panic. "My mother just called and CNN is calling this one of the worst viruses ever." I figured, "Yeah, she read a virus hoax email." She conference me in with her mother so I could hear what CNN was saying. I have never heard so much hype over such a minor virus before. From what I heard, it sounded like they were way over the top. I calmly explained to them the process I went through and when. CNN is reporting it two days later. I know this is a new version, but jeeze. Haven't these companies learned from previous virus events? I'm glad I stopped watching major media news.

      --
      But why is the rum gone?
    4. Re:All of a sudden by Anonymous Coward · · Score: 0

      No kidding. CNN sent out a freakin' email alert for it. Examples of previous email alerts:

      plane crash
      Peter Jennings dying
      terrorist attacks in London

      I freaked out for a second and was about to call my boss when I decided to visit CNN.com and realized what was going on. And of course they don't make it clear that 1) this is a MICROSOFT virus and 2) it doesn't even affect all versions of Windows.

    5. Re:All of a sudden by sfritsche · · Score: 1

      *applause*

      --
      "I'd horsewhip you if I had a horse." -- Groucho Marx
    6. Re:All of a sudden by Anonymous Coward · · Score: 0

      Weird. You don't like freedom of speech? Huh, who would have guessed a liberal wouldn't like freedom of speech. Stalin, Mao, Hitler, and Pol-Pot all smile up at you from their graves.

      (Nazis were national socialists)

    7. Re:All of a sudden by Gordo_1 · · Score: 1

      Haven't these companies learned from previous virus events?

      Does anyone care about the difference between worms and viruses anymore?

      Anyone?

      Ah, forget it.

    8. Re:All of a sudden by fdiskne1 · · Score: 1

      Yes, I know the difference. I typically don't make a huge deal to differentiate between the two because they are virtually identical in the PUBLIC consciousness. I guess I just slip into that mode since I deal with non-IT folk all the time.

      --
      But why is the rum gone?
    9. Re:All of a sudden by Anonymous Coward · · Score: 0

      lol so true

    10. Re:All of a sudden by NuGeo · · Score: 1

      The concept of a computer virus has been around a lot longer than the concept of a computer worm, so it's only natural people commonly make this mistake, myself included sometimes. But really, it's not that big of a deal to get upset over.

    11. Re:All of a sudden by GSloop · · Score: 2

      Kind of like locking up folks without trial, at the say so of King George?

      Or how about the people who claim Sheehan is "bordering on treasonous?"

      Like the folks who claim we can't release the photographs and video from Abu Ghraib because it would make us look bad? (Ah, someone tell them we already do. Remind them of the barn door thing. Better yet, how about not murdering, raping and doing unspeakable things to ANYONE in the first place. "Rape rooms" as George calls them, indeed.)

      That kind of "Freedom?"

      Kind of hard to exercise freedom of speech when you're dead, or locked up in Guantanamo without recourse, or one of the ghost detainees, huh?

      Freedom indeed.

      The founding fathers wanted to protect us from the likes of the current administration. (I'll be the first to admit that the Dems aren't a whole lot better, but since that's all the opposition we have at the moment, I'll take what I can get.)

      Cheers,
      Greg

    12. Re:All of a sudden by Anonymous Coward · · Score: 0

      sure, because if you had told Stalin, Mao, Hitler, and Pol-Pot "you're a liberal!", they all would have answered, "you got me, that's what I am!"

    13. Re:All of a sudden by Ilgaz · · Score: 1

      They would find traces of Saddam and Bin Laden in the worm ;)

    14. Re:All of a sudden by Anonymous Coward · · Score: 0

      Fellow AC, let me clue you in on something that is important to understand about "Fox News Network":

      There's no news on it. It is 100% wall-to-wall commentary ABOUT news, if news were to consist entirely of things that make good neo-con talking points... but there isn't any actual news.

      Which shouldn't be taken to imply that any other cable news network is doing any better. There is no Edward R. Murrow working in (American) television journalism today because news has become an entertainment rather than an informational product. The constant need to have something for the talking heads to talk about has led to a situation where nothing stories are discussed for months on end for their sheer sensationalism, while stories that might be informative or important fall by the wayside because they're boring or require some sort of work like fact-checking.

      Those have nothing to do with "free as in speech", and criticizing this very real problem doesn't make you a Stalinist.

    15. Re:All of a sudden by Anonymous Coward · · Score: 0
  8. A sober second opinion... by Saint+Aardvark · · Score: 4, Informative
    ... from the ever-excellent Internet Storm Center (http://isc.sans.org/):
    Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior TCP worms, it is reaching its peak around 3 days after the outbreak.

    As reported by Slashdot t'other day, they raised their threat level from Green to Yellow. They explain why they moved back to Green:

    We moved to 'Yellow' on Friday, after we did see a number of exploits released for last week's Microsoft Windows vulnerabilities, in particular MS05-039 (PnP) which is exploitable remotely.

    As expected, we did see various bots, in particular 'Zotob' take advantage of this vulnerability. At this point, the situation is however static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point.

    [....] Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow for ever.

    1. Re:A sober second opinion... by unixbugs · · Score: 1, Interesting
      It hit the local news earlier about ABC, they went on to report that 'All versions of Microsoft Windows are vulnerable'. Be this true or not they even displayed all 6 or so of logos of the different versions, ie 95, 98, ME, "NE" (Whatever the hell that is), 2k, XP etc. This is in Dallas.

      They also announced that a number of Chrysler plants were also dropped offline due to this thing.

      The kicker was how the news anchors reacted, you know, when they get to spout their little uneducated opinions on the matter during that 45 second space between the end of the story and the next commercial. One guy said something like "Gosh with those computers if it's not one thing it's another" and the anchor woman next to him said something about how terrible it is to lose all your personal data and have to "reboot".

      This is sooooooo classic. I wish I had been recording that. It shows how uneducated people are and how foolishly inclined even the media themselves are to believe just about anything thrown at them, like 'Microsoft = Computers' and how these problems are completely unavoidable, like there is NO ALTERNATIVE to using MS products.

      I'm in the process of writing them a (much better spoken) letter about the tragedy brought about by convenience and ignorance. Any comments on some points I can bring up? Not to troll, well yeah, to troll, just thought I'd ask. It can't hurt a thing to inform these people a little on the *real world* use of the operating system that drives us into the future.

      I know that one day we will be looking at some serious security problems with OSS, especially when it hits prime time. But when that day comes it's not going to be up to some big ass company with greedy motives to fix it, or to delay a fix so it can push out 'updated versions' of its software for sale instead. The fix is going to come from thousands of sources and this is a GOOD THING. We have the source code to fix the problem and staff on hand to implement a quick solution to a wide range of possible issues on the kernel level. We don't need to pray and wait for some extortionist corporation to be merciful enough to bend under the will of the most basic moral resourcefulness of its staff.

      --
      You are about to give someone a piece of your mind, something which you can ill afford...
    2. Re:A sober second opinion... by paranoidgeek · · Score: 0

      I know that one day we will be looking at some serious security problems with OSS, especially when it hits prime time. But when that day comes it's not going to be up to some big ass company with greedy motives to fix it, or to delay a fix so it can push out 'updated versions' of its software for sale instead. The fix is going to come from thousands of sources and this is a GOOD THING. We have the source code to fix the problem and staff on hand to implement a quick solution to a wide range of possible issues on the kernel level. We don't need to pray and wait for some extortionist corporation to be merciful enough to bend under the will of the most basic moral resourcefulness of its staff.

      Another thought: What if a Mo-Mo-Monster Kill-ill-ill (that is from UT) Virus/Worm came out and shut down parts of the 'net, maybe even all of Redmond. What then? With OSS you don't need a massive 30MB MS-signed patch to fix the problem. More than likely it would only take a ~1000 Byte diff that can come from anywhere and can be reviewed to check to see if it is legit.

      ...and the anchor woman next to him said something about how terrible it is to lose all your personal data and have to "reboot".

      Heard that a bit. Once I had to power cycle a client's computer and was wondering why they were so worried when I told them I had to "reboot" their computer.

      --
      Lima India November Uniform X-ray
    3. Re:A sober second opinion... by x86eon · · Score: 2, Funny

      We can't stay on yellow for ever.

      US Department of Homeland Security thinks so...
    4. Re:A sober second opinion... by unixbugs · · Score: 1

      From what I heard we were already all patched up at work. From the stuff I'm reading on the net this thing is going around killing spyware! I'm SURE MS is in a BIG hurry to stop this.

      --
      You are about to give someone a piece of your mind, something which you can ill afford...
    5. Re:A sober second opinion... by SpecBear · · Score: 1

      The Infocon is intended to measure change. We can't stay on yellow for ever.

      Excellent observation. Now when will the Department of Homeland Security figure this out?

    6. Re:A sober second opinion... by Anonymous Coward · · Score: 0

      I am not going to say who I work for but I can tell you it is a hell of a lot bigger than a few media outlets.

      I work in a DOW 30 company and our network is on its ***.

    7. Re:A sober second opinion... by drew · · Score: 1

      The Infocon is intended to measure change. We can't stay on yellow for ever.

      Why not- It works for DHS.

      --
      If I don't put anything here, will anyone recognize me anymore?
    8. Re:A sober second opinion... by Anonymous Coward · · Score: 0

      Why was this and the GP modded down ??

      True, they were both rambling on about not much but they were still interesting.

    9. Re:A sober second opinion... by Anonymous Coward · · Score: 0

      They also announced that a number of Chrysler plants were also dropped offline due to this thing.

      I don't know if it was Zotob or not (I'm starting to think it was), but I work for UPS, and our systems were down for the first half of my shift tonight (which royally fucked up the rest of the night, I might add). We were being told that it was due to a virus, and that it wasn't just a UPS problem. Interestingly enough, our center just recently completed an upgrade to Windows 2000 and AD. Then we get hit by a virus. Go figure.
  9. *Moderate* severity by the_skywise · · Score: 2, Interesting

    Dunno if the slashdotting did it, But MS's site now says it's a Moderate Severity risk.

    Or code Bert...

    1. Re:*Moderate* severity by millennial · · Score: 1

      You know, I wondered if anybody else used that. I have the Sesame Street Advisory System in my sig for a bunch of other sites.

      --
      I am scientifically inaccurate.
  10. Honeywell by Anonymous Coward · · Score: 0

    Knocked them down also.

  11. Instant karma's gonna get you by Kafka_Canada · · Score: 5, Funny

    hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others.

    Hm, must be a Karl Rove plant.

    Or else it's just another victory in the GWOT?

    --
    Fuck it
    1. Re:Instant karma's gonna get you by ackthpt · · Score: 1
      hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others.

      Hm, must be a Karl Rove plant.

      Or else it's just another victory in the GWOT?

      Meanwhile, in an office in the Whitehouse...
      "Heh, heh, heh, Mission accomplished."

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Instant karma's gonna get you by Nasarius · · Score: 1
      Or else it's just another victory in the GWOT?

      No no, haven't you heard? It's now the GSAT.

      --
      LOAD "SIG",8,1
    3. Re:Instant karma's gonna get you by marktwen0 · · Score: 1

      Actually, its acronym is SAVE: Struggle Against Violent Extremism. Check out Harry Shearer's show "Le Show" a couple a weeks ago for a humorous take on this.

      Could also be GSAVE: Global Struggle Against Violent Extremism

  12. Please... by Anonymous Coward · · Score: 0

    hit the CBC!

    thank you, Zotob

    a canadian taxpayer

    1. Re:Please... by Kafka_Canada · · Score: 1

      Amen, brother!

      --
      Fuck it
  13. Zotob proves patching of "Windows" nonexistent by Dr.+Zowie · · Score: 1, Funny

    ... though a full upgrade to "X-windows" seems to avoid most viruses.

    1. Re:Zotob proves patching of "Windows" nonexistent by XPisthenewNT · · Score: 2, Funny

      Except the "WhereTheHellsMyPictures" exploit that occurs whenever you plug in a digital camera, or the ever present "WhyCantBloodyLinuxSeeMyAccessPoint" when trying to use a wireless connection.

    2. Re:Zotob proves patching of "Windows" nonexistent by Anonymous Coward · · Score: 0

      and usability
      and aesthetics
      and compatibility

    3. Re:Zotob proves patching of "Windows" nonexistent by Graviteh · · Score: 1

      I think they just call the OS "Windows" because it gives exploiters a "Window" of opportunity :D

      --
      Dance Dance Revolution.
    4. Re:Zotob proves patching of "Windows" nonexistent by jrockway · · Score: 1

      All of these problems are caused by the Human.ImDum virus. You can wipe out the ImDum virus by using your brain or, in severe cases, by reading a book or two.

      --
      My other car is first.
  14. Of course this is more important than... by craznar · · Score: 4, Insightful

    160 dead in Venezuela Crash, Gaza Pull out and Paul Abdul's Idol issues.

    I doubt it - yet it's front page on CNN.COM...

    --
    EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
    1. Re:Of course this is more important than... by DShard · · Score: 0, Troll

      And none of those things will cause billions in dollars of lost productivity. The worm is by far more damaging.

    2. Re:Of course this is more important than... by saskboy · · Score: 1

      You put the smear job of an American Idol TV judge ahead of an actively spreading computer worm that demonstrates the insecurity built into Microsoft's "most secure operating system ever", and has affected tens of thousands of people in a real way?

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    3. Re:Of course this is more important than... by staeiou · · Score: 1

      Feeding the trolls of course, but the Venezuela Crash and the Gaza Pullout are days old. This is hours old. I knew that the Gaza Pullout was going suckfully and that people died in a plane crash. I didn't know that the worm had gotten into corporate networks.

      We don't want to hear the same news stories over and over. If a story is important, it should get front page status until (Importance of $story1 * Percentage of readers who have heard of $story1) is less than (Importance of $story2 * Percentage of readers who have heard of $story2). Then story2 should go on the front page. When everyone hears of the worm, I suspect that Gaza will go back to the front page because it has a higher importance, even if more people have read it.

    4. Re:Of course this is more important than... by bfizzle · · Score: 1

      Unless Terrorists are involved of course...

    5. Re:Of course this is more important than... by code+shady · · Score: 1

      Everything is more important than Paula Abdul's Idol issues.

      --
      Look out honey cause I'm usin' technology
      Ain't got time to make no apologies
    6. Re:Of course this is more important than... by Smurf · · Score: 1

      The Venezuela crash was today around 3 am (local time?). You are thinking of a different crash. This tends to prove that we are not really aware of the news in other parts of the world...

    7. Re:Of course this is more important than... by WindBourne · · Score: 0

      Windows 2K is in cars, planes, nuke plants, naval ships, missiles, banks, etc. With MS being as unstable as it is, this could be a big deal. It is possible, that millions could die. Few if any will die from the crash or "Paul" Abdul. The Gaza may cause more deaths, but not as many as Windows could cause.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    8. Re:Of course this is more important than... by saskboy · · Score: 1

      "will cause billions in dollars of lost productivity"

      Please leave the hype to CNN, this is only modest slashdot. Have some journalistic integrity, and don't make up numbers like the mainstream overblown media.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    9. Re:Of course this is more important than... by Superfarstucker · · Score: 1

      Wow, that's quite the stab in the dark... I think people are generally aware of the fact Windows is insecure (what OS isn't) and can often be unstable, but saying that Windows 2000 runs missiles, Nuclear Power Plants, Airplanes, and Banks is about as fucking clueless as it gets. Do you think people are idiots? What would be the advantages of running a full blown OS on a fucking missile? The fucking thing doesn't need to do a whole lot besides receive guidance data and plot points on its way to self-armageddon. Not to trivialize that (I certainly have no clue how one begins with such a task), but Windows 2000 is clearly one of the poorest choices possible for such a system. You need to know a little to realize you don't have the slightest grasp on such situations.

    10. Re:Of course this is more important than... by Anonymous Coward · · Score: 0

      So how much "lost productivity" do you think will result from the deaths of 160 people?

    11. Re:Of course this is more important than... by Trogre · · Score: 1

      I don't know, but I've got some Windows 2000 oscilloscopes here that I can show you...

      Oh, and no way of patching them, either.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    12. Re:Of course this is more important than... by WindBourne · · Score: 1
      I am always amazed at how clueless ppl are, yet they all want to talk about it. So, let's take it one at a time:
      • Naval Ships: the US Navy is converting to having Windows 2000 run their ships. In fact it was on the USS Ronald Reagan when it ran in circles. We made lots of fun here about that.
      • Airplanes: I currently work at Jeppesen; The company that makes aviation maps as well as does the data for Flight Simulator, etc. I happen to know that some of our products are on Windows 2K and are in the cockpits (in fact, I was hired to help with the move to Linux). More importantly, a number of the other manufacturers are on Windows 2K and yes, they have their product running in cockpits (as in autopilots). The FAA wants a Do-178B (or is it DO-200, I never remember or care) OS to run the cockpits. But out of the country, as well as for the military, is a different matter. The Air Force has a number of systems that are based on W2k. And yes, it is in some of our more advanced military aircraft (scary thought).
      • Missiles: what exactly do you think controls a cruise missile? What, some monkey with his hand on the stabilizers? Or perhaps, you think it is a mainframe computer? Well, clue time; it is simple computers. In fact, to simplify their lives, companies use Windows, Linux, Unix, etc. with fast CPUs. Yeah, a hard real-time can not run Windows, but others are doing so. The cruise missiles are using inputs from a number of sources, generally, GPS, followed by visual. Some are using laser guidance. I know of at least one of the missiles that use a GPS system that was developed on Win 2K. Considering that they do not offer it on any other OS, I doubt that it was ported to another system just to run on missiles. (Oh, I do have a clue on how to do the task)
      • Banks: Just go to the ATM. Most are either OS2 or Win2K. Enough said.
      • Nuclear power plants: did you miss the fact that several power plants had issues during the last major virus? In fact, there was a nice big outage in the east. One of the things that came out of that, was that Windows 2K was being used in nuclear power plants.


      Do I think that pple are idiots. No, but I can certainly point fingers at a few, and be correct.
      --
      I prefer the "u" in honour as it seems to be missing these days.
    13. Re:Of course this is more important than... by bhiestand · · Score: 1

      Of course over 350 bombs going off in Bangladesh doesn't even get a picture or a paragraph on the main page. It's relegated to the "World" section within hours of it happening. Most people don't even know yet. Bangladesh is the third largest Muslim country, and most of the leaflets said a lot of interesting things about Americans, Muslim soil, and some sort of death.

      Then again, it's no computer virus, and it certainly doesn't directly affect Americans the way one bomb going off in Israel or Iraq would...

      --
      SWM seeks new sig for a brief fling
    14. Re:Of course this is more important than... by Anonymous Coward · · Score: 0

      >Do I think that pple are idiots. No, but I can certainly point fingers at a few, and be correct.

      "people"

      Try pointing your fingers at the 'e' and 'o' keys. You would be correct.

    15. Re:Of course this is more important than... by Anonymous Coward · · Score: 0

      For some reason I read that as "Gaza pulls out of Paula Abdul's ass". :shudder:

  15. I feel left out by ylikone · · Score: 1, Interesting

    As a Linux user I feel left out of all the seemingly weekly worm fun... I mean, my chosen OS has some of the best hacker (both good and evil) minds behind it and tons of techie users... yet we have no fun worms. Sure, an unsecured and non-updated Linux server box will end up getting hacked into by the script kiddies here and there... but what about us desktop users?

    --
    Meh.
    1. Re:I feel left out by gooman · · Score: 2, Funny

      That's why I keep saying, "Linux is still not ready for the desktop."

      I've come up with an awareness slogan to help us remedy the situation: "It's not the applications, it's the infections."

      --
      "Kittens give Morbo gas!"
    2. Re:I feel left out by Anonymous Coward · · Score: 0

      obviously you didn't use Linux in 1995-97

    3. Re:I feel left out by Anonymous Coward · · Score: 0

      Do you feel left out since your choice of games is next to nil and your choice of software packages looks like shareware from the 80's?

    4. Re:I feel left out by ylikone · · Score: 1

      Actually, yes, I set up and administered slackware servers for an ISP in 1995 and 1996. What's your point?

      --
      Meh.
    5. Re:I feel left out by ylikone · · Score: 1

      Well, you've got me on the games... although I do play UT2004, Doom3 and Sims. The 80's shareware remark though seems a little ignorant. I guess you haven't looked at projects like OpenOffice, Mozilla/Firefox/Thunderbird, The Gimp, Blender, Inkscape, Xine, etc...

      --
      Meh.
  16. In Tonight's News by ackthpt · · Score: 1
    All of a sudden, a worm makes mainstream news because it invaded CNN's network. I guess that is a sad indicator of what it takes to raise awareness.

    This just in, CNN staff have been smoking 20 packs of cigarettes a day to see if it does indeed cause cancer.

    duh...

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:In Tonight's News by Anonymous Coward · · Score: 0

      Yeah, but in Soviet Russia, cigarette smokes YOU!
      *rimshot*

    2. Re:In Tonight's News by saintlupus · · Score: 1

      I thought Peter Jennings was on ABC?

      [-1, Dead Canadian]

      --saint

    3. Re:In Tonight's News by mwood · · Score: 1

      Yeahbut, CNN has more time to fill. That's why they keep republishing the same stories with different titles, I suppose. And all those stories of rumors that someone will announce today that a press conference is to be scheduled for tomorrow to discuss the possibility that something might happen next week.

  17. Company of Waffles by kff322 · · Score: 0

    Guess what, Microsoft? You thought wrong! p0wn3d

  18. I wonder... by pointguy · · Score: 5, Interesting

    ... how many computers Apple will sell because of this?

    1. Re:I wonder... by TykeClone · · Score: 5, Funny
      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    2. Re:I wonder... by MouseR · · Score: 1

      4.6%.

      (har har)

      No MS virus has had any factual effect on Mac sales. Rather, it's the cumulation of frustration that shifts some users away from MS.

      This one virus alone isn't enough on its own to make massive shifts. People are stupider than that.

    3. Re:I wonder... by Darth+Daver · · Score: 1

      None. Apple computers are way too expensive. Now help me get these Windows systems fixed. This is going to take forever.

    4. Re:I wonder... by Anonymous Coward · · Score: 0

      Apple won't sell more computers..no .. 0sx86 will be the os on that flea market compaq pulled from working environment system that would have had 2000 on it

    5. Re:I wonder... by Fastball · · Score: 1

      About 1000...

      (logs on to eBay and patiently waits for the surplus to show up)

    6. Re:I wonder... by darkenbinary · · Score: 1

      For home users maybe a few.....for corporations none.

  19. And Symantec says "Medium" by winkydink · · Score: 1

    We haven't seen it here yet, though usually our Chinese office picks this stuff up and then tries to spread it through the company. It's still too early in the morning there.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  20. Impact by daeley · · Score: 1

    Microsoft calls it a "low impact" threat and tells you What you should know about Zotob.

    "Low impact" in the sense of how low you would be if a meteorite impacted you crown-first.

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
    1. Re:Impact by flowerHercules · · Score: 3, Informative

      The Caterpillar plant I work at was down for over 16 hours, I doubt they would consider it low impact in light of the profit lost, as a result. Maybe they will switch to Linux.

      Then again, they don't hire people based on their qualifications; multiply any estimated repair time by ~10 and you come close to the actual downtime in our facility.

    2. Re:Impact by MighMoS · · Score: 1

      This is "low impact" in the same way that a tornado is an air current.

    3. Re:Impact by Tony+Hoyle · · Score: 1

      And you didn't patch your systems because....??

      I'm no MS fanboy (by any stretch of the imagination!) but the patch *is* out there, has been pushed by windows update for a couple of days, and the tech media at least including slashdot have made a noise about the threat. Why wait until you're actually affected?

    4. Re:Impact by slazar · · Score: 1

      they don't hire people based on their qualifications

      I think that pretty much sums it up.

    5. Re:Impact by Peaceful_Patriot · · Score: 1

      I am behind a good firewall and have always been very careful to keep my Win2K box up to date with the critical updates. I have resisted SP4 due to the Windows DRM which is included.

      There is no 'critical update' patch for this. It is SP4 or nothing. I am counting on my firewall to keep this worm out of the Windows box, but it bothers me greatly to be vulnerable to the exploit.

      --
      There is nothing so powerful as an idea whose time has come.
    6. Re:Impact by dtfinch · · Score: 1

      Your business stops working when the computers go down?

    7. Re:Impact by archen · · Score: 1

      If you don't need CIFS (the newer smb networking) you can block off port 445 with TCP filtering. Just go to the advanced part of IP networking in the network options. Find the "options" tab, and add only needed networking options. If no one on your local network needs to connect to your pc, you can leave "permit only" blank and deny all connections (that aren't established).

  21. Cue wild speculation by saskboy · · Score: 2, Interesting

    Now that media is directly affected, they will start proclaiming that this worm is the worst ever, and has caused billions of dollars in losses for businesses.

    Media worm hype really sucks, is my point.

    What I found amusing today were the two alert emails in my inbox. The first one was a warning about the new Acrobat flaw [which makes it a requirement to install a bad version of Acrobat, and then patch it *3* times to fix it!]. The next email was one about this Zotob worm spreading through the PnP ethernet bug in Windows 2000 - but the information came via a .pdf file!

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
    1. Re:Cue wild speculation by wasted+time · · Score: 1

      Now that media is directly affected, they will

      interview some of their own in-house computer security experts*. Check
      start showing silly screenshots of a windows error box. Check
      ask stupid questions like how many computers are affected. Check
      try to somehow relate it to their daily war on terrorism. Check

      *who apparently don't spend any time securing their own systems.

      --
      The Stone Age did not end because humans ran out of stones. - William McDonough
    2. Re:Cue wild speculation by Anonymous Coward · · Score: 0

      but the information came via a .pdf file!

      Kind of like those SlammerRemoverTool!@#.txt.exe files that went around? You still open random attachments in email?

    3. Re:Cue wild speculation by saskboy · · Score: 1

      In fact I didn't open the .pdf file in my email like a good little boy. I can get the same information myself through good old HTTP and HTML, and avoid the PDF Acrobat launching, time wasting, plugin holed, patch needing Reader like the plague.

      And it really annoys me how Symantec used to tell you exactly how to fix the registry when a virus hit, but now they just tell you to disable System Restore and buy their product to scan for files so it can delete them.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
  22. Payload by Teclis · · Score: 4, Funny

    "Gives a remote attacker full control over the compromised computer to perform various actions, including:

    Downloading and executing files
    Making queries to www.google.com ..."

    Making queries to google? Sounds like a very round-about way to search google. What is the purpose of this?

    --
    Never let your sense of morals prevent you from doing what's right. --Isaac Asimov
    1. Re:Payload by Dr.+Zowie · · Score: 4, Funny

      Jeez, the lengths some people will go to, to avoid the google cookie...

    2. Re:Payload by Compholio · · Score: 1, Redundant

      Making queries to google? Sounds like a very round-about way to search google. What is the purpose of this?

      Maybe they're from China or Australia and it's the only way they can get uncensored searches.

    3. Re:Payload by OneOver137 · · Score: 2, Insightful

      Probably to artificially increase search hits to web sites.

    4. Re:Payload by Gleenie · · Score: 1

      Recon - anonymously.

      --
      -- Your mother uses Emacs.
    5. Re:Payload by CaptainPinko · · Score: 1

      Australia? Is this a joke? I knew they were right-of-center but am I missing something news that I should know about them?

      --
      Your CPU is not doing anything else, at least do something.
    6. Re:Payload by Compholio · · Score: 1

      Australia? Is this a joke? I knew they were right-of-center but am I missing something news that I should know about them?

      Yes, yes, and yes. You're missing one of today's other main page items:
      Search Engines Break AU Online Gambling Ban?

    7. Re:Payload by WhatAmIDoingHere · · Score: 2, Insightful

      Maybe that's why I got an error message from Google saying either I, or someone in the same neighborhood as I am has been sending them too many automated searches. I couldn't use Google for over an hour. It was torture.

      --
      Not a Twitter sockpuppet... but I wish I was.
  23. Well, since you asked... by crow_t_robot · · Score: 0, Funny

    ...1000 apple computers were sold in Henrico County, Virginia today...

  24. It's only news because it hit CNN... by eericson · · Score: 1
    ISC is still showing green. To quote directly from the handler:

    "CNN is heavily covering an outbreak of a worm in its own network. They are reporting that ABCNews and NYTimes are hit as well. All statements so far make this look like a Zotob variant, even though this variant appears to reboot the system. (Zotob.d ?).

    Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior TCP worms, it is reaching its peak around 3 days after the outbreak.

    Speculating: The fact that CNN, ABC and the NYTimes got it may be as simple as reporters from these organizations visiting the same event and connecting to an infected network. While a firewall may have protected their office network up to now, these infected laptops were able to take out the network from the inside once they connected back to it."



    Feel free to insert the usual comments about media types overreacting and not understanding anything technical, along with misc sagely advice about defense in depth and perimeter security.
    --
    The evil monkey commands you to dance.

  25. Microsoft says this virus has medium impact, not low as the submitter says. Is the submitter perhaps spreading some FUD of his own or did MS upgrade the threat?

    1. Re:FUD? by jerw134 · · Score: 1

      Microsoft did in fact upgrade the threat.

    2. Re:FUD? by abes · · Score: 2, Funny

      Actually the current threat level of the worm is light fusia. However, experts are predicting it might go to dark fusia by tonight.

    3. Re:FUD? by tarquin_fim_bim · · Score: 0

      That'll be pretty.

    4. Re:FUD? by Detritus · · Score: 1

      It's fuchsia, you philistine.

      --
      Mea navis aericumbens anguillis abundat
    5. Re:FUD? by abes · · Score: 1

      How's this then:

      The color will start off as a nice #FF00FF, but later on the day is expected to go a #F400A1.

    6. Re:FUD? by i.r.id10t · · Score: 1

      That's not one of the web safe colors....

      (does that apply anymore anyway?)

      --
      Don't blame me, I voted for Kodos
  26. attacks malware? by putch · · Score: 1

    i mean, i'm sure it has its own malicious intent, but according to the SARC page, it's deleting malware like gator, 180solutions, viewmgr, etc.

    --
    just because I don't care doesn't mean I don't understand!
    1. Re:attacks malware? by assassinator42 · · Score: 1

      Looks to be only the D variant that does it. Plus it opens a backdoor. And it also deletes quicktime for one. Don't know the motivation behind it, maybe they want to feel they're doing good by deleting other malware?

    2. Re:attacks malware? by Anonymous Coward · · Score: 0

      They want a box free of any other controls, backdoors or CPU/memory hogs, that's all.

  27. From: W32.Zotob.D by abes · · Score: 1

    All j00r base are belong to us!

  28. Apple user says... by tfcdesign · · Score: 3, Funny

    What virus?

    1. Re:Apple user says... by Anonymous Coward · · Score: 0, Flamebait

      WOW! You Apple users are FUCKING COOL!!!
      Can you jizz on my face? Thanks!

    2. Re:Apple user says... by jerw134 · · Score: 1

      So does the Windows XP user, and the Windows 2000 user who applied the patch.

    3. Re:Apple user says... by Anonymous Coward · · Score: 0

      Sure!

      Eeeuuggghh... nnnggguuuughh.... neeeahhhh...

      How was that?

    4. Re:Apple user says... by tfcdesign · · Score: 1

      Still doesn't beat ANY Apple OS with or without patches :P

    5. Re:Apple user says... by Fortran+IV · · Score: 1

      Still doesn't beat ANY Apple OS with or without patches :P

      So, your Apple system runs AutoCAD? Or supports a Cincinnati laser control?

      In the real world people don't always have a choice. Please don't be snotty just because you do.

      --
      I figure by 2030 or so my 6-digit UID will be something to brag about.
    6. Re:Apple user says... by j79 · · Score: 1

      Sorry, but we Apple users don't do things like that.

      However, I can understand your plight. Years of being bent over and horribly screwed by Microsoft can break down any man.

      I guess, I could see how you'd want to go for a "facial", instead of the usual "pound you in the ass", by big bad Microsoft...

      Man, I'm sorry you'd want something like that done to you... Hang in there, buckaroo! Everything will be all right!

    7. Re:Apple user says... by Tony+Hoyle · · Score: 2, Informative

      There was a security patch for OSX just today..

      You think they do it for fun???? No.. it's to avoid OSX exploits.

    8. Re:Apple user says... by tfcdesign · · Score: 1

      Oh please. It was joke. No need to strangle your undies.

    9. Re:Apple user says... by toddestan · · Score: 1

      So does the Windows XP user, and the Windows 2000 user who applied the patch.

      Or the people sitting pretty behind their firewalls. My Windows and Linux computers are not at all worried about this worm.

    10. Re:Apple user says... by jerw134 · · Score: 1

      The ironic thing is, the people who are smart enough to put their computer behind a firewall are also smart enough to apply the patches.

    11. Re:Apple user says... by Anonymous Coward · · Score: 0

      "hmmm! where did I put my but plug?"

  29. Symantec link is wrong by Penguinshit · · Score: 5, Informative


    The executable in this particular instance is "wintbp.exe". I thought at first it might be a randomly-named executable, but all 100+ systems I'm manually disinfecting at the moment have the same executable. It tries to connect to other systems via port 445, aka the "Magic Windoze Port"(tm).

    Apparently all it's doing is rebooting systems, but I haven't done any kind of a postmortem so don't know. I haven't detected any other connection attempts either inside or outside.

    Manual disinfection means disconnecting your NIC and then using regedit to delete this value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\wintbp.exe

    You must then reboot the machine to disable the executable which is:

    C:\%systemroot%\System32\wintbp.exe.

    Good luck. I'm glad my own systems are Linux....

    1. Re:Symantec link is wrong by nvrrobx · · Score: 4, Informative

      Check out http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html to see exactly what this is attempting to do.

    2. Re:Symantec link is wrong by Net0ps · · Score: 1

      No, the Symantec link is right...for the Zotob family of worms. The RBOT family, which uses "wintpb.exe", is a different family of worms exploiting the same vulnerability.

      These are just two different exploits for the same vulnerability--woe to those who wind up with both on their network at once, particularly since Symantec and others have focused so heavily on Zotob that they seem to have missed the development of the RBOT variants and are only now catching up...

    3. Re:Symantec link is wrong by Penguinshit · · Score: 1


      Thanks for the clarification. I'm hit with the RBOT. Unfortunately, my company is partnered with Symantec so there's nothing at all I can do to change the antivirus our Windoze users run.

    4. Re:Symantec link is wrong by Penguinshit · · Score: 1

      Check this link for what Symantec is calling the "Zotob.E" variant (which is exactly what's happening with me).

    5. Re:Symantec link is wrong by mov_eax_eax · · Score: 1

      errr, you forgot to patch the system

    6. Re:Symantec link is wrong by KillShill · · Score: 1

      i'm glad i run linux too.... on my router. it happens to stop just about all external threats.

      --
      Science : Proprietary , Knowledge : Open Source
    7. Re:Symantec link is wrong by Feanturi · · Score: 1

      I haven't actually seen this one yet, so I can't comment on it specifically, but I wanted to add some advice. In general, the better way to deal with items that can be handled using the method you describe (ie: they're not really trying to hide), is to include an extra step. If Windows is booted into Normal mode, make sure to kill the process before you edit the registry. Many bugs that plant themselves in this fashion will re-write the reg setting as they close. So just cleaning the registry and rebooting, with the thing still running, in many cases accomplishes nothing. Like I said I haven't seen this one with my own eyes yet, but that's a basic rule you can apply to all critters of this sort without adding much time to your fix.

      The best way, if you've got a bunch of them on one machine to deal with, or if you're dealing with one that can re-open as soon as you kill it, is to boot into Safe mode so none of them get the chance to start up. Then you can regedit and delete them in one pass without having to kill each one first.

    8. Re:Symantec link is wrong by ninjakin · · Score: 0

      I bet those "antivirus" companies make the viruses and just send it to some little kid and say "hey wanna have some fun" then they make money selling their product. b/c how do they know so much about the virus?

    9. Re:Symantec link is wrong by MrJynxx · · Score: 1

      They didn't say it infected Canada. However, EVERY SINGLE MAJOR BANK WAS AFFECTED. This bloody worm/virus/nuisance, whatever you want to call it, caused havoc on my networked desktops. Approx 20k desktops on my network got this infection in LESS THAN 1 HOUR. Yes, 1 hour. This infection was so severe I was sent out from Toronto to Calgary on 2hrs notice. Our DFS (distributed file system) was down, we couldn't remotely patch our desktops. We had bluescreens, the whole works. A complete MESS.

      Anyone saying this was low impact are fools. We thought we got all the infected PCs last night, but we were wrong. Oh well, I'm sitting in my underwear drinking Heinekens at a Fairmont hotel. And it's 5am and I have to be up in less than 2hrs. DAMN YOU WINTBP.exe

      Oh ya, we're manually patching critical desktops. Our process was as follows:

      1. Disconnect nic
      2. Power up
      3. Open command prompt and do a tlist, kill the wintbp.exe process
      4. Install patch
      5. Remove the file \winnt\system32\wintbp.exe

      Reset and the PC is clean. What a bloody disaster. The power outage that affected half of Canada/New York wasn't this bad. At least we knew when the power turns on, everything is back to normal.
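
The manual clean-up order described in the comments above (disconnect, kill the process, remove the Run value, delete the file, patch), as an added example that is not from any poster. It assumes a current Windows host with PowerShell 3 or later and an elevated prompt for `-Remediate`, not the Windows 2000 machines in the thread; the function and parameter names are hypothetical.

```powershell
# Added example, not from any poster. Indicator file names come from the thread;
# function and parameter names are hypothetical.
[CmdletBinding()]
param(
    [string[]]$Indicator = @('wintbp.exe', 'botzor.exe'),
    [switch]$Remediate        # without this switch the script only reports
)

# The Run key the thread refers to (the real key name is CurrentVersion, one word).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Find-IndicatorProcess {
    param([string[]]$Names)
    # Get-Process matches on the image name without its extension.
    $base = $Names | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    Get-Process -Name $base -ErrorAction SilentlyContinue
}

function Find-RunEntry {
    param([string]$KeyPath, [string[]]$Names)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        foreach ($n in $Names) {
            # The value may be named after the file or merely point at it,
            # so check both the value name and the command line it stores.
            if ($valueName -ieq $n -or $data -match [regex]::Escape($n)) {
                [pscustomobject]@{ Key = $KeyPath; ValueName = $valueName; Data = $data }
                break
            }
        }
    }
}

function Find-IndicatorFile {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$n"
        # -Force so hidden or system-flagged files are returned too.
        if (Test-Path -LiteralPath $path) { Get-Item -LiteralPath $path -Force }
    }
}

function Get-Finding {
    [pscustomobject]@{
        Processes  = @(Find-IndicatorProcess -Names $Indicator)
        RunEntries = @(Find-RunEntry -KeyPath $runKey -Names $Indicator)
        Files      = @(Find-IndicatorFile -Names $Indicator)
    }
}

$found = Get-Finding
Write-Host ('Processes: {0}  Run entries: {1}  Files: {2}' -f `
    $found.Processes.Count, $found.RunEntries.Count, $found.Files.Count)
$found.RunEntries | Format-Table -AutoSize | Out-String | Write-Host

if (-not $Remediate) { return }

# The thread's first step is to unplug the NIC. Refuse to continue while an
# adapter is up (Get-NetAdapter needs Windows 8 / Server 2012 or later).
if (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue) {
    $up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
    if ($up.Count) {
        Write-Warning "$($up.Count) network adapter(s) still up; disconnect first."
        return
    }
}

# Kill first: a running copy may rewrite its Run value, so editing the
# registry while it is alive can accomplish nothing (the point made above).
$found.Processes | Stop-Process -Force
Start-Sleep -Seconds 3
if (@(Find-IndicatorProcess -Names $Indicator).Count) {
    Write-Warning 'Process came back after being killed; clean from Safe Mode instead.'
    return
}

foreach ($e in $found.RunEntries) {
    Remove-ItemProperty -LiteralPath $e.Key -Name $e.ValueName
}
$found.Files | Remove-Item -Force

# Re-scan instead of trusting that each delete succeeded.
$after = Get-Finding
$left  = $after.Processes.Count + $after.RunEntries.Count + $after.Files.Count
if ($left) { Write-Warning "$left indicator(s) remain." }
else { Write-Host 'Clean. Install the MS05-039 update before reconnecting the network.' }
```

Run it once without `-Remediate` to see what would be touched; a clean re-scan does not replace installing the patch, since an unpatched host can be reinfected as soon as it is reconnected.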

  30. All I know by Anonymous Coward · · Score: 0

    Is it's kicking our ass here at The Texas Health and Human Services Commission.

  31. XM, internet time, and worm threats by joejoejoejoe · · Score: 2, Informative

    I just got XM in my car. I'm an internet dude. What struck me as I was driving home around 6pm EST was how CNN was covering it, admitted they got infected, and it seemed to remind me of SQL Slammer / Code Red.

    Anyway, they kept saying only windows 2000 was affected, but the patch was for pnp on 2000/xp/2003. In a later report CNN did mention it might affect XP too.

    This makes me wonder how seriously people (BHPs, IT guys, FireWall guys, etc) take worms. Where I work we have many FWs, push patches very often, and accelerate our pace when things like this are out there. If CNN, ABC, etc, can all get infected does that reveal that they might not take all this PC security seriously enough when it comes to their own networks?

    I know we have stepped it up in the past 3 or so years, Code Red, SQL Slammer, and Nimda were all wake-up-calls. Maybe THIS one will make a new set of users/admins/PHBs wake up... We can only hope right? It was front and center on CNN tonight.

    -Jon

    --
    Silly Rabbit: tricks are for kids.
    1. Re:XM, internet time, and worm threats by Tony+Hoyle · · Score: 1

      In a way I'm not too surprised if someone like CNN gets infected.. they probably have thousands of laptops out all over the world that need to VPN into their network.

      Small companies I have little sympathy for (just as I wouldn't if they 'forgot' to fix the broken lock on their door and all their computers were stolen.. saving a few dollars by not securing their machines carries a risk, and this time it didn't pay off).

      Banks.. well if a bank I was with got infected I'd close my account the very next day. They have *no* excuse.

    2. Re:XM, internet time, and worm threats by Pollardito · · Score: 1
      This makes me wonder how seriously people ( BHPs, IT guys, FireWall guys, etc) take worms
      Big-Haired Person? Bee-Hived Person? i bet this is the analogue of a PHB if you work at a library
  32. Is it just me or.... by Kahless2k · · Score: 1

    I was reading through the Symantec description of the D variant; and noticed something peculiar...

    Is it just me or does it primarily remove various spyware-related entries from the registry? (Hotbar, etc)

    Is this another example of a virus writer having a positive goal but a crappy method?

    1. Re:Is it just me or.... by 3fiddy · · Score: 1

      Yeah, I noticed that too. Makes you wonder if something was going on behind closed doors and escaped the lab a la "The Stand" by Stephen King, only not quite as deadly of a virus.

  33. nah by ylikone · · Score: 1
    "160 dead in Venezuela Crash, Gaza Pull out and Paul Abdul's Idol issues"

    That's just yesterday's news. You gotta get with the times man.

    --
    Meh.
    1. Re:nah by kd5ujz · · Score: 1

      I believe this crash was this morning, well, 3am CST 8/16/05. It left Tocumen Panama for Fort de France, Martinique. It crashed in Venezuela.

      You might be thinking of the Greek crash that happened Sunday (depending on your time zone).

      --
      -William
      God is everything science has yet to explain.
    2. Re:nah by Anonymous Coward · · Score: 0

      To the guy begging for a TV: VHS and DVD aren't the only things you can watch without cable. Back in the old days, before cable, we all relied on free, over-the-air broadcasting, which could be picked up with anything from the ever-popular "rabbit ears" to a rooftop antenna. Guess what? It's still there! Better than ever, too, in terms of picture quality and the number of channels available. You can even get free high definition signals OTA, though you'll need a separate receiver for that.

  34. AOL Call Centers by Anonymous Coward · · Score: 2, Interesting

    I work in an AOL call center and we run Windows 2000. We are taking almost no calls and almost all of our computers are down.

    1. Re:AOL Call Centers by Anonymous+Crowhead · · Score: 5, Funny

      I work in an AOL call center and we run Windows 2000. We are taking almost no calls and almost all of our computers are down.

      I'm glad you found one of the few that is working so you could post to Slashdot.

    2. Re:AOL Call Centers by Anonymous Coward · · Score: 0

      Haha...that is hilarious...couldn't stop laughing !

    3. Re:AOL Call Centers by focitrixilous+P · · Score: 1

      We are taking almost no calls

      How is that different from any other day? Or does putting someone through the hold maze count as taking a call?

      --
      SAILING MISHAP
    4. Re:AOL Call Centers by kc0re · · Score: 1

      Hey Anonymous, you made like three strikes in that one sentence!
      1. I work in an AOL Call Center
      2. Windows 2000

    5. Re:AOL Call Centers by nuckin+futs · · Score: 1

      there has to be at least 1 Mac in that whole place.

    6. Re:AOL Call Centers by dtfinch · · Score: 1

      Shouldn't this be modded funny? Either it's a joke or (even funnier) it's the truth.

  35. I have to ask by js3 · · Score: 5, Insightful

    why a company like CNN and ABC with billions of dollars in revenue is still running unpatched windows 2000 computers.

    --
    did you forget to take your meds?
    1. Re:I have to ask by Anonymous Coward · · Score: 0

      Too busy making sure their news coverage is as fair and balanced as Fox News?

    2. Re:I have to ask by RyanFenton · · Score: 1

      > why a company like CNN and ABC with billions of
      > dollars in revenue is still running unpatched
      > windows 2000 computers.

      To that, I have to ask: What reason is there to run Windows XP, when you have perfectly valid licensed copies of Windows 2000?

      I've not yet seen any valid need for running Windows XP, nor spending the money and time to "upgrade". What's the motivation to switch?

      Ryan Fenton

    3. Re:I have to ask by stinky+wizzleteats · · Score: 1

      Because they might have travelling users who have been out of town last week and not received the update via the company's internal servers? (among about 100 valid reasons why a company as large as CNN might not have 100% patch compliance within a 6 day window)

      A better question to ask would be: Why do companies like CNN and ABC spend billions on Microsoft software when that use repeatedly results in global network-crushing superworms.

    4. Re:I have to ask by damgx · · Score: 1

      Maybe the reason why they make so much money is because they don't spend it on upgrades all the time...

      Does one really need WinXP to write the paper?

      And here I thought newspapers was Mac country.

      --
      I only read slash. for the articles...
    5. Re:I have to ask by Anonymous Coward · · Score: 1, Informative

      I recently did some contract work for one of the world's largest investment banks - and they were still running NT4 as standard.

      Some people are just too risk-averse to change their systems just because there is a later release.

    6. Re:I have to ask by TheIndividual · · Score: 1

      He didn't suggest a switch to XP, he pointed out that running unpatched Win2k copies is a security risk.

      The best solution would be to apply patches in an organized manner, it's hardly rocket science.

    7. Re:I have to ask by dioscaido · · Score: 1

      Security fixes are free. All this shows is that large organizations don't take upgrading their system seriously.

    8. Re:I have to ask by Gyarados · · Score: 1

      In my opinion, Windows is less than useless.

      • Everything it offers also exists in operating systems such as FreeBSD, Linux and Mac OS (with an extremely higher quality of design and implementation).
      • Its use creates significant problems for everyone, due to bad design and programming.
      • Microsoft encourage (or at least, fail to dissolve) a subculture of end-users and developers who are guilty of ignoring Web standards, developing generally poor software, and refusing to learn how to secure their computers.

      Therefore, I think the main reason that such companies use Windows is because they are ignorant, lazy, or both.

    9. Re:I have to ask by bonius_rex · · Score: 1

      All this shows is that large organizations don't take upgrading their system seriously.

      Spoken like someone who's never worked for a large organization.

      As one of the security guys for a large corporation, I can tell you that I'd like to have had my systems all patched up a week ago, but I'll be waiting at least a month for all the f@#$%g Sarbanes Oxley paperwork to get the required signoffs before I can begin. It's not that we don't take it seriously, we do. Unfortunately, our hands are tied by many levels of bureaucracy.

    10. Re:I have to ask by ztirffritz · · Score: 1

      I think that the problem is more a case of "The people who know better aren't in a position to make the change." I know better, but every time I ask my boss if we can start buying Macs, or at least switch to Linux he says that the corporate standard is Windows. I try to point out to him that our Corporate office is still using Exchange 5.0 and Windows NT as their servers. They're not the brightest bulbs in the shed, and as such, should not be trusted to dictate our computer standards. It just doesn't matter. No one ever got fired for choosing Microsoft, so that's what they go with.

      --
      Why doesn't anything interesting happen when I have mod points?
    11. Re:I have to ask by Anonymous Coward · · Score: 0

      Because they run several thousand machines. Things like that take time to roll out because not everyone is on the network, some cannot be patched because they are needed for on air activities and not to mention there's legitimate reasons why their network would have to connect to a competitor's who may not be as secure.

    12. Re:I have to ask by ImaLamer · · Score: 1

      For one, this is their way of telling us that Time Warner and Disney's profits aren't going to be up to par with what Wall Street thinks...

      Like giving an excuse: "Sorry, we lost millions on some silly virus."

      Not a bad idea, blame Microsoft, since both Disney and Time Warner would like to see them slow down or die.

    13. Re:I have to ask by Fudge.Org · · Score: 1
      I have to answer why a company like CNN and ABC with billions of dollars in revenue is still running unpatched windows 2000 computers

      It could be as simple as "the devil you know..."

      --
      http://fudge.org
    14. Re:I have to ask by Anonymous Coward · · Score: 0

      Clearly you don't work in a large organization.

      MS has been doing a better job of not breaking things with their patches recently, but the fact remains that it's just as irresponsible to rush a patch into production without proper testing as it is to remain unpatched. It's been 1 week as of today since the patch was released. That's enough time to perform proper testing, but only if priorities aren't being readjusted to other issues, and only if the testing actually goes well.

    15. Re:I have to ask by infectedRoot · · Score: 1

      Did you know that the CIBC Banking Terminals (all of the new "standalone" terminals at least) are all running NT4 workstation?

      I just can't wait to see unpatched CIBC bank terminals spit out money due to constant restarts. Money for all.

    16. Re:I have to ask by isorox · · Score: 1

      Because when windows 2000 is part of your broadcast infrastructure (and indeed, NT4SP3 - the software doesn't work with a later service pack or OS), you can't just drop tools and update across the board.

      The patch comes in, it's tested with various bits of software to make sure it doesn't take us off air, it then gets rolled out into a release, it then gets updated over the next week. Broadcast critical machines are updated manually, we're currently updating broadcast critical machines for the last lot of patches. We can't afford the time and effort to keep up with patches every week. Our latest patch update process started on 28th July, and should be complete by the end of the week. As I understand it the MS05-039 patch has been available for a week or so.

      Personally doesn't bother me, as I get to laugh at the windows bunnies.

    17. Re:I have to ask by dedazo · · Score: 1
      OMG, you people really crack me up. You have it all figured out.

      It's so convenient to ignore that this worm affects a 7-year old operating system, and that XP SP2/2003 are not affected. No, instead we just keep mumbling the mantra.

      What a hoot.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    18. Re:I have to ask by empvirus · · Score: 1

      Well, my best guess is Windoze XP has proven itself to be unstable so they won't "upgrade". Why Windoze? probably because it's all they know how to use.

      --
      Sometimes I comment just to hear myself typing.
    19. Re:I have to ask by dtfinch · · Score: 1

      I saw someone get fired for recommending Microsoft software. All the desktops already run Windows, but they wanted to go all the way and migrate to a full modern Microsoft stack: XP Professional, Office 2003, Server 2003, and Exchange.

      As for migration, you need to give some assurances, expected pros and cons, and some other very compelling reasons. And if they later decide that the migration has cost them more than the benefit, they won't like you very much.

    20. Re:I have to ask by Gyarados · · Score: 1

      Less than six years by my count, but close.

      We're not ignoring the fact that the latest versions of Windows are immune to the worm when updated; we're discussing why major companies fail to apply such security updates.

      It seems you are the one who is conveniently ignoring things.

    21. Re:I have to ask by dedazo · · Score: 1
      fail to apply such security updates

      Really, so according to you if they were using Linux, OS X or BSD they'd be patching like there's no tomorrow. Ah, yes. Using non-Microsoft OSes automagically increases corporate IQ by 200 points. I forgot about that. Yes, because if you use Windows, you're "lazy or ignorant or both".

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    22. Re:I have to ask by Ilgaz · · Score: 1

      There is one more reason. The machines doing real business.

      Check http://www.xlr8yourmac.com/index.html , 64bit mathematica is disabled after yesterday's security update for OS X and Apple pulled automatic update right now. (If you have a problem, check site, shows workaround)

      So, e.g. a petrol company, university will apply the patch allowing hundreds of hours of processing power (money) lost?

      Broadcast is even harder, you can't allow 1/10 sec downtime on some machines.

    23. Re:I have to ask by Anonymous Coward · · Score: 0

      Why is your broadcast infrastructure connected to your corporate lan?

    24. Re:I have to ask by Gyarados · · Score: 1

      No, I didn't say that.

      I said that Windows has no unique features, and the features it does have are poorly implemented.

      Therefore, I think the main reason for people choosing Windows in the corporate environment is due to laziness or ignorance.

      My point is that the lazy and ignorant don't apply patches.

      (By the way, I'm a programmer who previously used Windows, from version 3.1 to XP, over a period of approximately 9 years. I've also tried Fedora Core. I'm now using Mac OS.)

    25. Re:I have to ask by Himring · · Score: 1

      Because all companies are different. Some companies have great health insurance, but crappy life. Some offer great benefits all around, but everyone has to sit in a cube. Some companies believe in IT and pour money into it. Other companies think IT is a necessary evil, and they toss scraps at it like a mangy junkyard dog -- this would best explain CNN....

      --
      "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
    26. Re:I have to ask by sysadmn · · Score: 1

      Because it takes 3-5 days to confirm that the latest service pack won't crash a mission critical application? Some Windows computers run more than MS Word, MS Powerpoint, and MS Excel. If the latest service pack takes out a shop floor machine controller, or a CRM client, you're just as bad off as if a virus did it.

      --
      Envy my 5 digit Slashdot User ID!
    27. Re:I have to ask by dioscaido · · Score: 1

      I apologize, I definitely think the IT departments take these things seriously. My statement was more at the higher levels which put the bureaucracy in place that bogs down the distribution of updates. For non-critical, it makes sense to take it slow since things may break. But for critical issues, like the ones related to this vulnerability, which had known exploits only a day after the announcement, the IT dept should have had a free pass at applying the patch to a handful of test machines on Monday to identify any compatibility issues, and on Tuesday/Wednesday begin the company wide rollout.

    28. Re:I have to ask by isorox · · Score: 1

      Because people need to have email to the wider world, wires service, desktop editing (video and audio). Basically, anyone more useful than management needs access to the broadcast network. They tried to separate the networks a year ago (for selling the corporate side off, not for any security issues), but found it impossible.

      While the actual playout stuff is theoretically unroutable - there are a few Solaris/Linux machines on both sides of the fence, all it takes is somebody to mis-patch a bay, or some journo to plug their laptop in, and you can have chaos.

    29. Re:I have to ask by haakondahl · · Score: 1

      Actually, I think CNN's cash is tied up in Carol Costello's plastic surgery. Ba-dum.

      --
      Don't trust anyone under thirty.
  36. Windows directory worm by shawkin · · Score: 1

    That would be bad.
    On the bright side, Linux and OSX operating system market shares would skyrocket.

  37. I think the reason..... by commo1 · · Score: 3, Interesting

    Microsoft is calling this threat "low-impact" or "moderate" is that they consider Windows 2000 to be a second-tier operating system at this point and that everyone (and I mean everyone and his dog or penguin) should be using XP. Good points made above for the "variant" aspect of this virus. I'm running XP on a customer's machine (that's my cop-out, anyway), and it's got botzor.exe in the registry.

    1. Re:I think the reason..... by Sadsfae · · Score: 0

      it would not be hard to create a xp/s2003 variant since the codebase is so similar. it's just a matter of time really. i would actually think this would be a selling point for another OS at the frequency that this has happened lately, not to mention the prevalence of rootkits that are extremely hard to detect.

      --
      Have a squat over at the hobo house.
    2. Re:I think the reason..... by Krach42 · · Score: 1

      Yeah, Microsoft thinks that everyone should be running Windows XP...

      Despite the fact that Microsoft has released a patch for Windows 2000 to plug the hole that the worms are exploiting.

      It's the companies' fault for not having patched. Microsoft released them as critical updates, and that they needed to be installed.

      Also, Microsoft has Windows Server 2003, which is generally going to be a much better upgrade choice from 2000, than XP.

      (Opinions expressed are my own.)

      --

      I am unamerican, and proud of it!
    3. Re:I think the reason..... by radish · · Score: 1

      botzor is not Zotob...it's some other worm which uses a similar attack vector.

      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    4. Re:I think the reason..... by Anonymous Coward · · Score: 0
      According to Microsoft the vulnerability exists on Windows XP and other Windows variants and is considered to be critical severity and should be patched immediately:

      From http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

      Affected Software:
      • Microsoft Windows 2000 Service Pack 4 - Download the update
      • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update
      • Microsoft Windows XP Professional x64 Edition - Download the update
      • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Download the update
      • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Download the update
      • Microsoft Windows Server 2003 x64 Edition - Download the update
      Non-Affected Software:
      • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
    5. Re:I think the reason..... by httptech · · Score: 1

      Botzor.exe is Zotob.a. Although the name botzor.exe could have existed prior for other IRC bots. The problem here is there are now over a dozen bots from at least 5 unique variant families, which all spread via MS05-039. And the media is just calling them all Zotob.

      The original Zotob is just Mytob with the MS05-039 component added and the SMTP component removed. That's all.

    6. Re:I think the reason..... by pdxguy · · Score: 1

      I used to have a dog but it got old, sick, etc. Now I have two cats - a tabby tomcat and a bengal female. But those penguins interest me. But I'm concerned about what to feed them if I got one - never seen any penguin chow at the local pet store. Then again where do you get the penguins? How long do they live? Can they be litterbox trained too?

  38. CNN, ABC, the New York Times by Nom+du+Keyboard · · Score: 4, Funny

    So it has hit CNN, ABC, the New York Times. Obviously this worm is part of the Vast Right-Wing Conspiracy!

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:CNN, ABC, the New York Times by Halfbaked+Plan · · Score: 1

      One of the ways of knowing we still have a healthy amount of press freedom in the U.S. is that both right wing and left wing nutcases (i.e. the frothers at Democratic Underground and Lucianne.com) think the mainstream media is a 'tool' of the other side.

      --
      resigned
    2. Re:CNN, ABC, the New York Times by Kris_J · · Score: 1

      That assumes that the news services you list are in any way left of centre, when in fact they frequently show bias to the right.

    3. Re:CNN, ABC, the New York Times by Nom+du+Keyboard · · Score: 1
      That assumes that the news services you list are in any way left of centre, when in fact they frequently show bias to the right.

      Now that's funny.

      Or to put it another way, only if you're Howard Dean.

      --
      "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  39. CIBC Bank has to bring down their network by Anonymous Coward · · Score: 0

    Staff there are saying that the banks have been hit. They have to bring the network down and clean all the servers and computers. They are certainly not advertising it.

    Check your bank book.

  40. It was all at Capitol Hill by mtuller · · Score: 2, Informative

    CNN is reporting that the worm hit at Capitol Hill. I wonder if Microsoft will get any sympathy from any Senator that has his/her computer destroyed by this.

    1. Re:It was all at Capitol Hill by kcbrown · · Score: 1

      I'm sure Microsoft will get plenty of sympathy from any Senator they want as long as the "campaign contribution" check is fat enough.

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
    2. Re:It was all at Capitol Hill by John+Hasler · · Score: 1

      > I wonder if Microsoft will get any sympathy from
      > any Senator that has his/her computer destroyed
      > by this.

      Yes. They will. The senators will want to know what new laws Microsoft needs in order to better control the "hackers" that are behind all this. To politicians "improved security" means more laws and more cops.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  41. MS Windows Update Validation? by Gadgetfreak · · Score: 2, Interesting

    I'm wondering how much worse this has been made by the new policy of only allowing updates for legit copies of Windows. Can the millions with illegal copies get their fix, or will they just be sitting ducks for this and the next exploit to come along?

    --
    "No fair, you changed the outcome by measuring it!" - Professor Hubert J. Farnsworth
    1. Re:MS Windows Update Validation? by cnettel · · Score: 1

      AFAIK, W2K isn't really checked, but a "pass-all" is done.

    2. Re:MS Windows Update Validation? by Keeper · · Score: 1

      The new policy has zero effect. People with "unvalidated" copies of windows can still download security updates. They can't download new 'feature releases'; versions of IE, MediaPlayer, DirectX, etc.

    3. Re:MS Windows Update Validation? by Krach42 · · Score: 1

      Wrong, I was blocked from installing the patch on my shiny new Windows XP machine here at the Microsoft Campus.

      I had to activate my copy of Windows before it would let me install the patch for Windows XP.

      So, next time try not to assume that because someone once told you something, that it's fact. Fact can usually be very often different.

      --

      I am unamerican, and proud of it!
    4. Re:MS Windows Update Validation? by Kelson · · Score: 2, Insightful

      In theory, Windows Update and automatic updates via Control Panel don't require validation, but Microsoft Update and manual downloads via the download center do. If things work as advertised, you can get security fixes without validating.

      Of course, don't forget the words in bold. I've had to validate my Windows XP box twice without changing any hardware. Fortunately my Linux boxes don't need any stinking validation to update via yum.

    5. Re:MS Windows Update Validation? by Anonymous Coward · · Score: 0

      You're mixing up "product validation" with "product activation".

    6. Re:MS Windows Update Validation? by Halfbaked+Plan · · Score: 1

      I was leery about installing the 'validate and verify' update at Windows Update, since I'm a holdout on Windows 2000 and won't ever update to a newer version that requires 'validation' to be considered legit.

      But I did and so far nothing bad has happened.

      I have a handy ghost image on hand if trouble does kick in. And the W2K machine isn't that important a machine here anymore in any case.

      --
      resigned
    7. Re:MS Windows Update Validation? by Keeper · · Score: 1

      From where? Windows Update? I never claimed that Windows Update would give it to you, rather I just said that you could still obtain the patch.

      Go here: http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
      Click the download link appropriate for your platform.
      Install.
      Enjoy.

    8. Re:MS Windows Update Validation? by Krach42 · · Score: 1

      No, I'm not.

      The product validation explicitly told me that my copy of Windows was not activated and that I could not install the update until I did so.

      Product Validation requires Product Activation.

      --

      I am unamerican, and proud of it!
    9. Re:MS Windows Update Validation? by Krach42 · · Score: 1

      Alright I'll give this to you.

      But it does take some time for the files to be made available. As, they weren't there at the time that I went to install them. And I've never had the need to download said patches because I've never had to WGA verify an illegal copy of Windows.

      --

      I am unamerican, and proud of it!
    10. Re:MS Windows Update Validation? by man_ls · · Score: 1

      I can't validate my copy of Windows, because it tells me my Internet connection is not working. ......................

      Okay. Sure. That makes sense. No firewall (hardware or software), I'm just sitting out on the Net with nothing in between. Oh well...automatic updates work.

    11. Re:MS Windows Update Validation? by toddestan · · Score: 1

      I believe you can still get all the critical patches and service packs through Automatic Updates. If you try to go to the Windows Update site to download them it'll block you though. However, I don't think you can get to the non-critical updates like Media Player or DirectX anymore without a genuine copy of Windows XP (well, that is without using any of the easy ways to circumvent the check).

    12. Re:MS Windows Update Validation? by Keeper · · Score: 1

      A KB article with the files is made available the same time that the patch is published on the Windows Update site.

      You can find a list of the bulletins here: http://www.microsoft.com/technet/security/current.aspx

      Check the above URL when a new patch comes out and you'll have no problem obtaining it.

    13. Re:MS Windows Update Validation? by Krach42 · · Score: 1

      Actually, I work in the department that builds these patches. I know about them, and can install them before you all can. I also got pinged with a critical email telling us to install the patches immediately.

      Regardless of that point, my fact still remains that when I clicked on the link to download the Windows XP SP2 version of the PnP patch, that it came up with a 404 error.

      There's a race-condition in there, and you're not going to convince me otherwise, because I hit a 404 page trying to get the patch.

      --

      I am unamerican, and proud of it!
  42. Glad I'm off till Friday by CBob · · Score: 1

    Given the total refusal of our net admins to fully patch due to "we haven't tested" some of our craptastic apps with all the patches, I expect to see another round of "no problem" here at work come Friday when I'm back.

    New worm comes out...few days later we have widespread network problems & a couple of "minor" server "issues" and "resets", but the True Word is "No problem here".

    I don't know who's dumber, our MS fanboy head net admin, our "restructured" (4th time?) management or ME for staying there.
    (yes, he has actually said, "According to MicroSoft" on many occasions)

    Is it time to reapply to Sungard again?

    1. Re:Glad I'm off till Friday by Krach42 · · Score: 1

      When I worked for a well-known ISP selling their internet connections, we were instructed that if we had any computer problems, that we were to tell the person on the phone, "Unfortunately, due to the updates that we're performing in order to benefit you, we're not going to be able to process your request at this time."

      That way, when our computers are down, people won't think we're frantically running around or totally crippled, but will rather think, "Hey, that's cool. They're updating... odd that they would have chosen a time of day when they're doing work to do this..."

      I don't believe crap from anyone now if they tell me that they're "updating for my convenience." Especially when I'm having trouble getting them to do something for me.

      --

      I am unamerican, and proud of it!
    2. Re:Glad I'm off till Friday by Detritus · · Score: 1

      The telephone company does the same thing, except they say that the problem "cleared while troubleshooting" when they reconnect the patch cable for your data line.

      --
      Mea navis aericumbens anguillis abundat
    3. Re:Glad I'm off till Friday by CBob · · Score: 1

      Our ISP (tho would could act as our own) has the endearing habit of what I call "dead sunday" every once in a while. Internal LAN/WAN working fine, but nothing past the 1st hop out of the firewall. Webaccess for incoming is gone too. Now, try to report it to the ISP, I dare ya. Their Email...Yeah right. Phone...Oddly, it rings. And rings and will not be answered even if I throw Procomm in as the dialer x 99. Weirdly, our internal net folks have managed to totally distance themselves from this one. There's some kind of weird "not my fault" that puts it on the web dev crew. And they don't actually do anything, they just want to be notified if it's > 2 hours down. And if anyone follows up later in the week, "scheduled maint" covers all the bases.

  43. We need to re-think patching. by cperciva · · Score: 3, Informative

    We need to re-think the way we apply security patches. The patches for this problem were available several days ago; why weren't they applied?

    The answer is that Microsoft security patches have a reputation for causing things to break. Why this happens, I don't know -- Microsoft certainly has the resources necessary to test their patches before releasing them -- but for whatever reason, patches from Microsoft have developed that reputation. As a result, administrators of large networks have learned to not apply security patches immediately to all systems, but instead to test them on a few machines for some time first -- exactly the same way as other patches are handled.

    The decreasing window between patch publication and widely distributed exploit code means that this approach simply doesn't work any more. Security patches must be applied to all affected systems immediately. Don't stop to test them; just apply the patches and reboot if necessary.

    Of course, this means that vendors need to do a good job of testing security fixes before releasing them. I'm proud of the fact that in my time on the FreeBSD security team, we have never released a security patch which has caused new problems. While we don't officially recommend this, I know several people who have their systems automatically download and install FreeBSD security patches -- because they trust us to make sure that our security patches will never break anything.

    After all... if you can't trust the security team of the operating system you're running, why are you running that operating system?

    1. Re:We need to re-think patching. by Krach42 · · Score: 1

      Duh, of course Microsoft tests patches before they leave the company.

      The problem is that occasionally people will rely upon undefined behavior of functions or activities, and when those behaviors change, their code breaks.

      If people would stop writing Windows code that depended upon undefined behaviour, then things would be a heck of a lot better!

      --

      I am unamerican, and proud of it!
    2. Re:We need to re-think patching. by Halfbaked+Plan · · Score: 2, Insightful

      If people would stop writing Windows code that depended upon undefined behaviour, then things would be a heck of a lot better!

      While you and I might agree that MS should stop developing Microsoft Office (which depends on undefined behavior, i.e. undocumented system calls) there are people dependent on Word and Excel for their daily work who would disagree.

      --
      resigned
    3. Re:We need to re-think patching. by Anonymous Coward · · Score: 0
      The problem is that occasionally people will rely upon undefined behavior of functions or activities, and when those behaviors change, their code breaks.

      Not true. About 18 months ago, I deployed a Windows patch for an SMB issue, which for some reason had a "rider" update to the spooler subsystem. The update to the spooler caused print out of Internet Explorer to render in 6-point type. That wasn't "people" relying on undefined behavior. That was Microsoft screwing up their own code, and failing to test.

    4. Re:We need to re-think patching. by Krach42 · · Score: 1

      That was people at Microsoft relying on undefined behavior.

      And I'll take the opportunity to slap on an insurance bet, and say that not everything gets completely tested out of the box. That's just not possible. (Reference: Halting Problem)

      But Microsoft does test stuff pretty well before it goes out the door. No better, or worse than Linux.

      Speaking of which. If Microsoft were to put out a patch that caused reproducible Filesystem corruption for a number of its users, then immediately puts out a patch to correct the problem; everyone would pound on Microsoft and say that it's because of lack of testing, and just shows that Microsoft can't be trusted.

      But when Linus and the Linux crew releases 2.4.11, then 2.4.12 the next day (or two) then the OSS community just says, "Well, no guarantees" and "can't test it all".

      While I still enjoy Linux a lot more than Windows, and I like OSX a lot more than I like Linux; my time at Microsoft has shown me that they're just like all the other programmers out there. No worse, no better.

      Opinions expressed are my own

      --

      I am unamerican, and proud of it!
    5. Re:We need to re-think patching. by WhatAmIDoingHere · · Score: 1

      That's the main problem with something like Windows. How many different mobo/processor/hard drive/media reader/video card/sound card/NIC/and whatever else combos are there? They test as well as they can. Once released, if any crashes happen a report is sent to MS so they can figure out what they need to fix.

      --
      Not a Twitter sockpuppet... but I wish I was.
  44. Microsoft Telling Two Different Stories by Anonymous Coward · · Score: 0

    I find it interesting that Microsoft's PnP vulnerability announcement states that all their modern OSs are vulnerable, and need immediate patching (http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx), yet their "All you need to know about zotob" they spread conflicting tales of vulnerable versions:

    "Important If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob.A. If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob.A." (http://www.microsoft.com/security/incident/zotob.mspx)

    If only Microsoft would get their act together and tell their customers the truth.

    I work for the Information Security department at a major Technical school in Georgia, and have seen this worm infect Windows 2003 Servers, with SP1.

    Machines really vulnerable to this are those boxes with NULL sessions enabled.

    BTW, I love the confirmation image/word for this posting: spreads

    Keep on patching!

  45. Odd by SocialEngineer · · Score: 1

    When I try to read the informationweek article, my browser locks up and gives an SSL error (Error code: -12281). I'm running the latest FF and Slackware 10.

    Anybody else having any problems with the article?

    --
    "Better to be vulgar than non-existent" -Bev Henson
  46. From CNN's email updates: by gardyloo · · Score: 1

    A worm shut down computers running Windows 2000 software across the United
    States.


        And that's IT. Ironically, I'm posting this from a Win2k machine. Sorry, all.

    1. Re:From CNN's email updates: by Anonymous Coward · · Score: 0

      Well, they had to type quickly and click "Send" before the computer they were using to issue the Breaking News alert completed its worm-initiated shutdown.

  47. People are still using Windows? by veganopolis · · Score: 1

    Hasn't everyone learned already? This is just plain dumb. Windows is always going to be vulnerable to these threats.

    I was talking to a friend the other day, and I told him that I wouldn't run anything other than Linux. And that Windows would never be installed on a computer that I owned. He thought I was some sort of hippy or hacker.

    But think about it, in order to run Windows, you have to have virus & spyware software running. There is no getting around it.

    So now you have all of these apps running, eating up your resources, just so you can surf the web and download pr0n. It just doesn't make sense to me.

    1. Re:People are still using Windows? by Anonymous Coward · · Score: 0

      Millions of people run windows. Deal with it.

    2. Re:People are still using Windows? by veganopolis · · Score: 1

      Millions of people believe in god, but that doesn't make god real. Deal with it.

      The truth is that Windows is a security risk. And in order to use Windows you are required to run several applications (on some server or your own client) to keep it secure.

      The logic doesn't add up. Why would you voluntarily use an OS that requires you to run resource hog supporting apps just to get your work done?

    3. Re:People are still using Windows? by rah1420 · · Score: 1

      Oh, grow up.

      Mod this flamebait if you must, but the fact is that people don't voluntarily choose to run Windows 2000 or XP or anything else.

      They choose the path of least resistance.

      In many cases, too, probably a vast majority, the decision has been made for them by an uber-authority (an IT department or senior management team.)

      Most people just want to get their work done and don't want know the gory details. And I think we both know that if there were different companies marketing different computers, each preinstalled with different OSes; say, Linux or Mac or BeOS or Plan 9 for Christ's sake -- and readily available versions of the various apps that people need -- in short, if there was REAL competition in operating systems and software rather than the lock that Microsoft has on the desktop market, that the spate of instabilities would cause people to flock from Windows in droves.

      That's it, fantasy over. Please deposit 50 cents for a new fantasy.

      --
      Mit der Dummheit kämpfen Götter selbst vergebens.
    4. Re:People are still using Windows? by veganopolis · · Score: 1
      Again, let's go back to my original argument:
      The truth is that Windows is a security risk. And in order to use Windows you are required to run several applications (on some server or your own client) to keep it secure.
      It's not my fault that people are willing to put up with crap. It just amazes me. Regardless if you, or other users, are using Windows because you chose it, or it chose you, the fact of the matter is that it is insecure and requires you to run extra software just to keep it clean.

      Now, you can go off and cry about it. But do like the rest of us and wake up. There is no god, Santa Claus, nor is there a secure version of windows.

      I should also add that I didn't choose Linux because it is the easiest. By no means. I chose it because it eliminated my spyware / virus worries. I don't stay up late at night reinstalling my system every three months because I forgot to patch something.

      At least you are trying to put an end to your fantasy...
    5. Re:People are still using Windows? by rah1420 · · Score: 1

      At least you are trying to put an end to your fantasy...

      I have an end to my fantasy, and it's a Linux distro that lives on my laptop. My personal laptop. My home is filled with Mac and Linux.

      My work environment, unfortunately, demands my use of Windows 2000. Doesn't mean I like it, 'cos I don't. However, I have to put up with crap in my work persona that I would not tolerate for a minute outside of the office, because they sign a paycheck that I live on. So at work, I smile and let virii have their way with me. But at home, I keep the dragons at bay.

      Just don't think that people do it because they wanna do it; they do it because it's the only choice they think they have. Not everyone's as smart as you.

      --
      Mit der Dummheit kämpfen Götter selbst vergebens.
    6. Re:People are still using Windows? by veganopolis · · Score: 1

      I have to use the old Winders from time to time for various clients here and there, and believe me, I really do understand why people use it. But I still don't understand why we tolerate this shoddy mess.

      Most of the clients I have worked for, that still use Windows, made the decision to stick with MS because of one person in their company. I see this all the time. Some micro-junky who carries a lot of weight. This is really bizarre to me.

      I was once involved with a product evaluation effort involving an MS server component and several alternates. These words were actually spoken in a meeting: "why don't we just pick the MS one and get this whole process over with? That is the only one that our CTO will authorize anyway."

      And that type of thinking has to stop. So in that particular situation I made a scene and got everyone to complete the actual analysis. It took several months and we finally ended up recommending a 3rd party product. It was successfully accepted by the CTO and staff.

      I think that there are a lot of people out there that are too afraid to stand up for something they know is right. This mentality has to end.

      If you don't make decisions for yourself, somebody else will.

    7. Re:People are still using Windows? by veganopolis · · Score: 1

      Just wanted to add this. A new client of mine, with a couple thousand internal users, has just blocked all access to outside webmail.

      Now, hmmm think about that logic. Webmail services like Gmail, Hotmail, or Yahoo! have serious virus scanning / filtering. These guys are waiting until they "patch" all the machines before they unblock webmail access.

      I understand their goal, but get real. If anything, the internal users would be better off using external webmail than the internal exchange servers until these systems are patched...

  48. Not enough! by mrchaotica · · Score: 1

    Unfortunately, people are too stupid to realize it's Microsoft's fault and that better options exist.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    1. Re:Not enough! by Ilgaz · · Score: 1

      It's not Microsoft's fault. The update is there, free. It's the moron admin or (as people say) suits not allowing him to update without paperwork.

      Yesterday there was a huge security update for OS X; I applied right away as my system is setup to get every critical update without asking to me. I just wonder how many other OS X users did? Don't forget the myth of security all end users are brainwashed with too...

  49. left out again by wardk · · Score: 1

    this is getting ridiculous.

    when are non-windows users going to get in on the fun?

    or is the fun actually in watching the knuckleheads fix their boxes, share their stories, re-infect each other, etc?

  50. What you should remember by jiushao · · Score: 1
    One thing that really should be pointed out again (it is around on the news also) is that this is an exploit for an already patched exploit. The exploit is in fact most likely constructed by disassembling the Microsoft patch to discover the flaw. I know that I am a bit of a Microsoft apologist on Slashdot, but that really is because the Microsoft bashing is often ill-founded.

    In this case Microsoft have really done everything any vendor can ever do in this kind of situation. They got the patch out there before any exploits were made, they have a complete patch system to distribute it (bordering on obnoxious when it nags you to reboot after updates). No open-source software could have done better, and despite all this the infection is apparently rampant.

    Now if only the patching system had been in place when Windows 2000 was first released (on the other hand, how many OS's had automatic patch checks in 1999?) things might have turned out better. Or if the userbase (at least on a bigtime news network that really should have a big staff of system administrators) would actually get the patch system, or at least the patches. But it is just not meant to be I guess.

    1. Re:What you should remember by Anonymous Coward · · Score: 0

      anyone with zenworks would have been able to automate a rollout of this patch back then.. remember M$ is 95% of the time behind the 8 ball. If you think they did something first, double check your findings as you're most likely wrong.

    2. Re:What you should remember by jiushao · · Score: 1

      Oh, they clearly did not do it first. The security push was very late in fact. Just pointing out that for Windows 2000 it was not that strange that it did not ship with automatic updating (few systems at the time did). On the other hand Microsoft has made a huge effort to rectify the situation, so it mostly comes down to the system administrators being the ones to blame for this.

    3. Re:What you should remember by NullProg · · Score: 1

      In this case Microsoft have really done everything any vendor can ever do in this kind of situation.

      I disagree. Obviously they knew it was a security hole because this feature has been disabled/removed in XP. Once it was disabled in one product, it should have been back patched for previous versions (Note that XP was released before the support ran out for 2k).

      We won't even discuss the merit of having PnP available as a network service.

      Enjoy,

      --
      It's just the normal noises in here.
    4. Re:What you should remember by jiushao · · Score: 1
      This might have been an interesting argument if it was disabled/removed from XP. Which it is not (checked two different machines and installations of XP SP2, the service is present and running on both). Microsoft released a patch for the problem targeting XP, 2000 and 2003 Server earlier this month.

      So I maintain my position that Microsoft has handled security in an appropriate manner when it comes to this issue (and most issues as of late).

    5. Re:What you should remember by NullProg · · Score: 1

      The original MS05-39 stated that it only impacted Win2000. Since last Tuesday, the Microsoft bulletin has changed to include XP, and 2003 Server.

      So I maintain my position that Microsoft has handled security in an appropriate manner when it comes to this issue (and most issues as of late).

      I maintain that it's still Microsoft's fault for turning on network PnP, by default, to begin with.

      I'm a programmer, but in our small shop, I'm the one who understands and is in charge of network security. I just spent the better part of four hours (missed dinner with the wife and kids) patching our lab computers. I didn't appreciate the extra work for no reason. 2k/XP I understand, but 2003 Server? So much for Microsoft's security team.

      Thanks for the response,
      Enjoy.

      --
      It's just the normal noises in here.
    6. Re:What you should remember by Randseed · · Score: 1
      they have complete patch system to distribute it (bordering on obnoxious when it nags you to reboot after updates).

      That's your opinion, which you're clearly entitled to. A lot of people (God only knows the proportion) find this to be highly obnoxious, however. First off, they could probably fix a lot of these bugs without requiring a reboot in the first place. But the fact that it nags users and doesn't play nice at all, coupled with requiring a full reboot, encourages many people to turn off the auto-install option. At that point, it might as well not be there at all.

      I have a Windows machine sitting somewhere right now where this has been turned off for this reason. It's probably not been updated since at least last Monday or so, for two reasons. First, the annoyance feature which hoses all sorts of applications and generally annoy the hell out of the users. Second, the machine dual-boots into Linux, and boots into Linux by default. A random reboot without user intervention results in the machine rebooting into Linux. This is done because Linux runs the 'mission critical' crap that the machine does sometimes, and the Linux installation will recover from anything weird that happens. (This isn't a big problem at all, obviously. The catch is that I can therefore tell when Windows decides to spontaneously reboot itself, for whatever reason. Windows was rebooting and killing processes right and left in the process. Linux hasn't failed yet, except when there was a power issue; I don't know if someone tripped over the cord or what.)

      So now you have a machine which runs largely unattended much of the time, with something crunching away, and which can't deal with a bullshit reboot because of what it does. This thing was doing stuff like rebooting during lunch and killing whatever was running in the process and that kind of thing, in addition to the annoyance factor and the fact that Update will start patching at some random time and shoot system performance all to hell. So the feature was turned off.

      Luckily, the firewall and IDS keeps us from being burned by crap like this, at least so far. I don't know of a better way to handle it, given various applications' crappy fault tolerance. (They aren't designed for it. Consumer crap.)

      For reference, on the Linux side, installing a software update usually involves just terminating and restarting the service without any problems. The only things that really require a reboot are glibc updates, kernel updates, and updates to the init process. Those are few and far between. So an equivalent exploit on the Linux machines would be transparently and automatically fixed at the time of release.

      Microsoft has a really bad job to do here, but it's at least partially due to their own mistakes of the past. Because some machines may run unattended because their user is on vacation or whatever, and poor design requires reboots for every system update, they had to make a decision, and the logical one to make was just to reboot the unattended machines and install the update. Since just rebooting the machine while the user is sitting there is, well, stupid and annoying, they have the nag screen with the countdown. Unfortunately, because this is annoying, many situations encourage the auto-update system to be disabled, which then results in "critical update" patches like this not being done. On at least a laptop, the most logical way to probably do this is to have an option that installs the update based on system load values (nice 19 the thing), and disables the nag screen. Then when the laptop _reboots_ the next time (NOT when it's turned off, when the user wants to get out of Dodge), install the update. Since laptops don't normally sit on all the time, this works. A desktop is a pain in the ass from their perspective.

      Like I said, a bad situation for Microsoft to be in. It's a mess.

  51. It's not really that bad.. by Scaz7 · · Score: 2, Interesting

    It's not totally bad... I mean at least it is trying to do the average joe some kind of favour:

    Kind of anyway:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html

    Searches for the following files and folders to delete the files and the contents of folders:

    %SYSTEM%\pnpsrv.exe
    %SYSTEM%\winpnp.exe
    %SYSTEM%\csm.exe
    %SYSTEM%\botzor.exe
    %PROGRAMFILES%\MyWebSearch
    %PROGRAMFILES%\MyWebSearch\*.exe
    %PROGRAMFILES%\Hotbar
    %PROGRAMFILES%\Hotbar\*.exe
    %PROGRAMFILES%\MyWay
    %PROGRAMFILES%\MyWay\*.exe
    %PROGRAMFILES%\180Solutions
    %PROGRAMFILES%\180Solutions\*.exe
    %PROGRAMFILES%\Common Files\WinTools
    %PROGRAMFILES%\Common Files\WinTools\*.exe
    %PROGRAMFILES%\Toolbar
    %PROGRAMFILES%\Toolbar\*.exe
    %PROGRAMFILES%\CxtPls
    %PROGRAMFILES%\NavExcel
    %PROGRAMFILES%\AutoUpdate
    %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
    %PROGRAMFILES%\EbatesMoeMoneyMaker
    %PROGRAMFILES%\eZula
    %PROGRAMFILES%\eZula\mmod.exe
    %PROGRAMFILES%\Common Files\GMT
    %PROGRAMFILES%\Common Files\GMT\GMT.exe
    %PROGRAMFILES%\Common Files\CMEII

  52. 15 by mnemonic_ · · Score: 1

    Like, fifteen.

  53. Is it just me... by rootedgimp · · Score: 5, Interesting
    Or does it seem like this new worm proves that there is a digital advertising war going on? Bear with me a second...

    Previously (well, like early-mid 90s) when a site got hacked or a virus was running rampant, there was usually some sort of political message along with it, like a US Gov website getting hacked by a Mexican / Chinese hacker group that would deface the main index.html to say 'oh these people are doing some bad shit, now we're going to tell you what it is since they won't'
    Notice you don't see that anymore? Like, ever? The new world of commonly noticed 'hackers' seems to be a world of mostly spyware / virus infections targeted at data mining and reselling the information gathered to advertisers. Now, with that in mind, from Symantec's description of what the worm does, look at the following:

    9. Deletes the following registry values:
    "Windows PNP Server" "Windows PNP" "csm Win Updates" "MyWebSearch" "WINDOWS SYSTEM" "Zotob" "MyWay" "WeatherOnTray" "Apropos" "IBIS TB" "TBPS" "Toolbar" "Hotbar" "CMESys" "NavExcel" "ViewMgr" "eZula" "EbatesMoeMoneyMaker" "Ebates" "AutoUpdater" "Gator" "Trickler" "QuickTime" "GatorDownloader" "eZmmod" "Viewpoint" "TkBellExe" "180" "WinTools" "Real" "QuickTime Task" "sais" "msbb" "saie" "180ax" "lgbibsn" "tov"

    from the following subkeys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\RunOnce

    10. Searches for the following files and folders to delete the files and the contents of folders:
    * %SYSTEM%\pnpsrv.exe
    * %SYSTEM%\winpnp.exe
    * %SYSTEM%\csm.exe
    * %SYSTEM%\botzor.exe
    * %PROGRAMFILES%\MyWebSearch
    * %PROGRAMFILES%\MyWebSearch\*.exe
    * %PROGRAMFILES%\Hotbar
    * %PROGRAMFILES%\Hotbar\*.exe
    * %PROGRAMFILES%\MyWay
    * %PROGRAMFILES%\MyWay\*.exe
    * %PROGRAMFILES%\180Solutions
    * %PROGRAMFILES%\180Solutions\*.exe
    * %PROGRAMFILES%\Common Files\WinTools
    * %PROGRAMFILES%\Common Files\WinTools\*.exe
    * %PROGRAMFILES%\Toolbar
    * %PROGRAMFILES%\Toolbar\*.exe
    * %PROGRAMFILES%\CxtPls
    * %PROGRAMFILES%\NavExcel
    * %PROGRAMFILES%\AutoUpdate
    * %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
    * %PROGRAMFILES%\EbatesMoeMoneyMaker
    * %PROGRAMFILES%\eZula
    * %PROGRAMFILES%\eZula\mmod.exe
    * %PROGRAMFILES%\Common Files\GMT
    * %PROGRAMFILES%\Common Files\GMT\GMT.exe
    * %PROGRAMFILES%\CommonFiles\CMEII


    Ever heard of a virus removing spyware for you? What reasons can we think of for a worm to do this? The one that comes to my mind seems far fetched, but assume that the spyware being removed by this virus was engineered by competitors to whoever made this virus. So maybe now we will see turf battles over drone zombified boxen? What other reasons can the /. community present for this virus removing spyware?
  54. Is this supported in Wine? by OrangeTide · · Score: 1

    Does Wine support this worm yet?

    --
    “Common sense is not so common.” — Voltaire
  55. Re:I feel left out me too My IP is 127.65.42.121 by Anonymous Coward · · Score: 0

    I would really appreciate as much pain and frustration as possible.
    Don't hold back.

    I really mean it no pain no gain.
    Consider this legal permission to deliver your worst.

    Thanks and best wishes.

    No IM gonna wait at my keyboard till my machine smokes. Don't make me wait ya noob haxxors!

  56. MOD PARENT UP ! by paranoidgeek · · Score: 2

    I never thought about the fact that if a trusted but infected 2k machine comes into the LAN it will infect XP machines.

    --
    Lima India November Uniform X-ray
  57. Why doesn't Microsoft release fixes? by frostman · · Score: 1

    Leaving aside any questions about monopolies and anti-virus software and so on....

    Why doesn't Microsoft release a scanner/fixer/patch combination when this sort of thing hits?

    I know there are a lot of actual "whys" but it seems like the logical thing to do...

    --

    This Like That - fun with words!

    1. Re:Why doesn't Microsoft release fixes? by Tony+Hoyle · · Score: 1

      They released the fix 2 days ago at least.. and pushed it as a priority update on Windows Update.

      I'm not sure what more you're expecting them to do...

  58. Re:Apparently they didn't read the EULA by vertinox · · Score: 1

    And I quote from the C:\windows\system32\eula.txt

    12. DISCLAIMER OF WARRANTIES. The Limited
            Warranty that appears above is the only express warranty
            made to you and is provided in lieu of any other express
            warranties (if any) created by any documentation,
            packaging, or other communications. Except for the Limited
            Warranty and to the maximum extent permitted by applicable
            law, Microsoft and its suppliers provide the Product and
            support services (if any) AS IS AND WITH ALL FAULTS, and
            hereby disclaim all other warranties and conditions, either
            express, implied or statutory, including, but not limited
            to, any (if any) implied warranties, duties or conditions
            of merchantability, of fitness for a particular purpose,
            of reliability or availability, of accuracy or completeness
            of responses, of results, of workmanlike effort, of lack
            of viruses, and of lack of negligence, all with regard to
            the Product, and the provision of or failure to provide
            support or other services, information, software, and
            related content through the Product or otherwise arising
            out of the use of the Product. ALSO, THERE IS NO WARRANTY
            OR CONDITION OF TITLE, QUIET ENJOYMENT,
            QUIET POSSESSION, CORRESPONDENCE TO
            DESCRIPTION OR NON-INFRINGEMENT WITH
            REGARD TO THE PRODUCT.


    So "lack of viruses" is not covered in the warranty ;)

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  59. Obviously Low Impact by netnomad · · Score: 2, Funny

    It's obviously a low impact worm. It invaded the CNN network and Miles O'Brien is still on the air.

  60. SBC by Widowwolf · · Score: 4, Interesting

    Well, all I can tell you is SBC is down (that's right, the phone company SBC)... company wide! (Cingular is not down at this moment)

    --
    ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
    1. Re:SBC by Anonymous Coward · · Score: 0

      If what you heard is that SBC has gone down, well, that is another thing altogether. All SBC customers already knew this.

    2. Re:SBC by Widowwolf · · Score: 1

      woot i finally got a post moderated!...Finally..and its all because of this stupid damn company I work for...!Figures

      --
      ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
    3. Re:SBC by Widowwolf · · Score: 1

      No, not what I heard; what I know is that a great percentage of the business computers that SBC uses received the malicious file. I was not meaning that the phone lines went down, but that their internal business systems went down

      --
      ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
  61. Yep, it's live by Anonymous Coward · · Score: 0

    My gf (yes I have one) had her company fairly shut down by this today. She works for a major drug manufacturer, which makes you wonder :)

    1. Re:Yep, it's live by Anonymous Coward · · Score: 0

      >>major drug manufacturer

      I'll bet I know which one it is.

      The SMS push did not get to me before the virus did.

      Dammit.

      I amused myself by showing off Ubuntu Linux on my personal laptop. "See? If we were all fooking running this, we'd still be running."

  62. Fastest spreading ever? Probably not. by Gary+W.+Longsine · · Score: 5, Informative
    There are other possible infection vectors, but that one is most likely. Corporations would never expose Windows systems directly on the internet, but they buy laptops by the truckload, allow users to take them anywhere, then bring them back into the office and hook them up as though they were not any different than your nice safely-protected behind the firewall chained to the desktop system -- as though they hadn't been handed over to organized crime for a few days, for example. It's really not rational, but it's almost universal practice.
    ABC News on the worm
    "CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."
    We have seen this at a government client this week. It appears that the worm authors didn't test on Windows 2000 SP3. Several variants cause the target system to reboot when they attempt to exploit the MS05-039 defect on systems older than Windows 2000 SP4, apparently without infecting the target. The issue could be more subtle than that, perhaps systems running a particular hotfix or something like that, but I haven't had a chance to dig deeper on this point.

    People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal (depending on patch level and usage pattern). The first assumption they tend to make is that the crashing computers were infected, but in this case that doesn't seem to be happening. A different worm on a different day, of course, might very well crash them after a successful infection, rather than before, so best not to get too cozy because of a small bit of luck.

    It hasn't received much publicity, but if you're a network administrator battling this problem, you may have trouble patching your systems because they crash too quickly. You might want to disable NULL sessions on the Windows 2000 systems which haven't been patched yet. It appears that this will prevent an infection of an unpatched Windows 2000 system, allowing you more time to patch. (Patches being larger and the systems not staying up long enough to distribute a large package and whatnot.) I haven't yet been able to determine if the UPnP vulnerability could be exploited with NULL sessions disabled, but apparently the current crop of worms and bots all rely on it.
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  63. One of the SLOWEST spreading infections in history by menscher · · Score: 2
    Come on... let's be serious here. Has Trend Micro never heard of SQL Slammer? The worm that melted the internet in 15 minutes? Meanwhile, several DAYS after this worm was released, it's just barely starting to make the news, and that only because the news agencies themselves got hit.

    Or perhaps the story summary is just making up stuff. The links provided have no quote from TM saying such silliness.

  64. Notebooks and viruses at my work by acomj · · Score: 4, Funny

    Where I work, we have classes. And the instructor takes his notebook out and hooks into the network, pulls his powerpoint. During the class a window pops up... Oh, he says, it's just a virus, it pops up from time to time, and proceeds to reboot and keep going.

    After class the computer goes back in the bag for a month, as he has a desktop in his office. The virus hibernates....

    Our IT folks must love this..

  65. We need to re-think Linux by Anonymous Coward · · Score: 0

    "The answer is that Microsoft security patches have a reputation for causing things to break. "

    Unlike Linux patches that just give weird behaviour that requires a geek to fix.

  66. MOD PARENT DOWN by Anonymous Coward · · Score: 0

    No, goober. MS05-039 works on Win2K as well as XP, so Win 2000 is still covered. The correct phrase is, "You have have patched."

  67. HAH! Looks like it cleans out spyware! by doormat · · Score: 4, Interesting

    Zotob might be what most people need to clean up their spyware.....

    # Searches for the following files and folders to delete the files and the contents of folders:
      * %SYSTEM%\pnpsrv.exe
      * %SYSTEM%\winpnp.exe
      * %SYSTEM%\csm.exe
      * %SYSTEM%\botzor.exe
      * %PROGRAMFILES%\MyWebSearch
      * %PROGRAMFILES%\MyWebSearch\*.exe
      * %PROGRAMFILES%\Hotbar
      * %PROGRAMFILES%\Hotbar\*.exe
      * %PROGRAMFILES%\MyWay
      * %PROGRAMFILES%\MyWay\*.exe
      * %PROGRAMFILES%\180Solutions
      * %PROGRAMFILES%\180Solutions\*.exe
      * %PROGRAMFILES%\Common Files\WinTools
      * %PROGRAMFILES%\Common Files\WinTools\*.exe
      * %PROGRAMFILES%\Toolbar
      * %PROGRAMFILES%\Toolbar\*.exe
      * %PROGRAMFILES%\CxtPls
      * %PROGRAMFILES%\NavExcel
      * %PROGRAMFILES%\AutoUpdate
      * %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
      * %PROGRAMFILES%\EbatesMoeMoneyMaker
      * %PROGRAMFILES%\eZula
      * %PROGRAMFILES%\eZula\mmod.exe
      * %PROGRAMFILES%\Common Files\GMT
      * %PROGRAMFILES%\Common Files\GMT\GMT.exe
      * %PROGRAMFILES%\Common Files\CMEII

    --
    The Doormat

    If you're not outraged, then you're not paying attention.
    1. Re:HAH! Looks like it cleans out spyware! by PetoskeyGuy · · Score: 2, Insightful

      Zotob might be what most people need to clean up their spyware.....
      That was my first thought too. Although it probably will end up to BE spyware that's just eliminating the competition.

    2. Re:HAH! Looks like it cleans out spyware! by guruevi · · Score: 1

      Don't forget explorer.exe and wmp.exe (or whatever it is called in Windows) - /me uses linux for long time, forgot about Windhowls

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  68. RTFM by radish · · Score: 0, Redundant

    From MS:

    "If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants."

    Windows XP is NOT Windows 2000.

    --

    ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    1. Re:RTFM by Fortran+IV · · Score: 2, Informative

      However, the MS05-39 vulnerability being exploited by Zotob exists in XP systems up to and including SP2, so it probably won't be long before a cousin of Zotob attacks XP.

      --
      I figure by 2030 or so my 6-digit UID will be something to brag about.
  69. Re:I wonder...funny by acomj · · Score: 1

    Where are my mod points when I need them?

  70. Re:FUD? None for me, how about you? by securitas · · Score: 1

    Microsoft says this virus has medium impact, not low as the submitter says. Is the submitter perhaps spreading some FUD of his own or did MS upgrade the threat?

    I leave the FUD to others. Before accusing someone, check your facts.

  71. Catch 22 by Gary+W.+Longsine · · Score: 1

    That's so funny, it's almost worthy of its own number... maybe Catch 22.314159265 or something impossible to remember.

    Another client of ours experienced some small amount of decision-making and communication chaos early in this worm outbreak. Some division managers instructed (many thousands of) users to unplug their computers from the network to prevent infection. This is a reasonable enough strategy, I suppose, but now they are struggling with the question of how to get these people to connect back to the network when they can't... wait for it... check their email!

    They are working up phone trees -- an old-fashioned technique employed today mostly by blue-hair bridge clubs, terrorist cells, and desperate IT managers, I gather.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  72. Symantec slow on virus pattern updates? by WarmNoodles · · Score: 2, Informative

    Today is Tuesday Aug 16, 2005 8:50 EST
    From securityresponse.symantec.com, the threat assessment included when patterns were released.

    Zotob.A Aug 14 http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
    Zotob.B Aug 14 http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html

    Visit this link --> Zotob.D Aug 17 http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html
    Note the
      Virus Definitions (Intelligent Updater) *
      August 17, 2005

      Virus Definitions (LiveUpdate(TM)) **
      August 17, 2005

    Zotob.E Aug 16 http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html

    Well Hmm... is Zotob D scheduled for release tomorrow.

    Perhaps Symantec should invest in some of those Desk calendars to schedule the virus releases.

    Seriously,
    for the suxxors who rely on Symantec Live update, they will have to wait another day to get virus patterns for viruses out TODAY.
    While anyone with smarts enough to manually download the so called intelligent updater can have today's patterns.

    Just why Symantec waits, I suppose is so Press consumer pain can and is generated about infections which only boost sales. Or presuming no ulterior motives, it's because their download servers are weak and can't update same day scheduled over the whole day for their paying user base. I seem to remember AOL being sued (and end users winning) for over selling service lines and having over loaded networks.

    Don't know why this came out as Symantec bashing, just the way the note was written.
    By the way after replacing NIS 2003 with 2005 with anti spam, my advertising is %1000 more of a pain in the ass and the Ad trash can is missing from the product.

    Guess the ad's spam and missing ad trash can is why this came out as Symantec bashing, guess Symantec's bad karma's just making the rounds.

    1. Re:Symantec slow on virus pattern updates? by mabu · · Score: 1

      I know better than to use Symantec AV now. Perhaps this latest bout of negligence may help convince others to jump that sinking ship.

      I'm also noticing that instead of commentary from Symantec, you have Trend Micro people being consulted to comment on this worm.

      It's obvious Symantec is too slow to be effective in dealing with these things. Time and time again, I find that AVG catches things that Symantec doesn't even recognize. Buh Bye Norton.

  73. the real news story is by Indy1 · · Score: 4, Insightful

    Major media corp IT depts badly behind in patching their systems, news at 11!

    Honestly Zotob is a joke. I work IT for a major university that's 95% win 2k and xp, and so far we've had 0 zotob infections. I wouldn't be surprised if we eventually got 1 or 2 here and there with old boxes that aren't tied into the domain, but the vast majority of the workstations auto update themselves and hence this is a non issue for any properly run network.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:the real news story is by kcbrown · · Score: 2, Funny
      Honestly Zotob is a joke. I work IT for a major university that's 95% win 2k and xp, and so far we've had 0 zotob infections.

      Yeah, no kidding. Obviously the guys who wrote zotob don't know what they're doing, because we haven't seen a single infec@#@)!!)@$ NO CARRIER

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
    2. Re:the real news story is by Anonymous Coward · · Score: 0

      I am honestly surprised at many of the posts here. To say that their network admins suck or that they are badly behind on patches is very shortsighted.
      Microsoft released the patch on Tuesday the 9th.
      The virus hit on Sunday the 14th.
      That means they had roughly 4 days to patch all their systems. Antivirus companies didn't even detect the thing until the 15th so no help there.
      I guess a "properly run network" means that any patch is rolled to every computer without ANY testing and just see what happens.
      No one here has ever seen a patch released that breaks something or bluescreens a computer eh? No patches have been re-released to fix the bugs in the patch either...
      I'm glad you're not responsible for all the computers at my company... what a mess you'd make.

  74. Re:Fastest spreading ever? Probably not. by cmacb · · Score: 1

    "People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal (depending on patch level and usage pattern)."

    I don't know if this was intended to be funny, but it cracked me up. I guess I've been out of the industry so long that I forget that Windows admins take hourly or daily crashes for granted. What a sad sad world it must be.

  75. Actually...Re:SANS/ISC's take on the CNN infection by alexandreracine · · Score: 1

    Actually, it's because CNN, ABC and NYTimes got a couple of journalists spying on each other to get the news first! So they connect to other networks.

    But... they are running windows... pff.

    --
    No sig for now.
  76. Anti-annoyanceware virus? by phorm · · Score: 2, Interesting

    From Symantec, it almost sounds like the worm is trying to decrudify your system. It attempts to kill the realplayer, quicktime, gator, and many spyware/malware/adware toolbars. It also cleans them out of the registry, and deletes their files.

    Too bad it also opens an FTP, IRC connection, and many others, but I do wonder if it's a variant on code originally intended to clean rather than infest?

    I also quite like how MS directs you to complain to the Internet Fraud Complaint Center Web site, I'm sure they really appreciate all the extra phonecalls about infected operating systems...

    1. Re:Anti-annoyanceware virus? by angrist · · Score: 1

      Quicktime is now grouped with "spyware/malware/adware" ?

    2. Re:Anti-annoyanceware virus? by phorm · · Score: 1

      No, it's grouped with the stuff that's removed. The quicktime taskbar is annoying though, as it tends to automatically reassert itself whenever quicktime runs - whether you want it to do so or not.

  77. there was a 7.2 earthquake in Japan yesterday by artifex2004 · · Score: 2, Insightful

    and for hours, only the international edition of CNN carried it on the front page. The US edition didn't. Actually, BBC wasn't much better, with just a small link on the side at the top of its news page.

    I'm not really surprised, just sad. Celebrities hold more interest in the US than most other news stories, and forget international news, unless it involves (some of the many) ongoing wars.

    1. Re:there was a 7.2 earthquake in Japan yesterday by DigiShaman · · Score: 1

      The well known term for this is called Infotainment. In fact, here is the Wiki link to its very definition...

      http://en.wikipedia.org/wiki/Infotainment

      --
      Life is not for the lazy.
  78. Fortune 500 Company by Anonymous Coward · · Score: 0

    I work at a Fortune 500 Health Care company.

    We have been brought to our knees by this thing.

    When I left work there were very few computers still working.

    1. Re:Fortune 500 Company by Halvy · · Score: 0

      I usually don't support corporations..

      But i am truly sorry to hear your concern about the seriousness of this at your company.

      :(

      --
      I will gladly loose all of life's battles.. in order to win the war..
  79. LATE BREAKING NEWS on CNN Right Now by mexicangeek · · Score: 5, Funny

    "CNN's network admins suck."

    1. Re:LATE BREAKING NEWS on CNN Right Now by Nintendork · · Score: 1

      Either that or the IT department isn't large enough for them to do everything.

    2. Re:LATE BREAKING NEWS on CNN Right Now by Anonymous Coward · · Score: 1, Interesting

      Well, have you ever seen their idiot tech reporter, Daniel Sieburg (or whatever)?

      If their tech department is anything like HIM they are lucky they can even get their computer turned on in the morning! No one in their tech reporting department has ever heard of a computer other than a PC running windows.

      They are just idiots... plain corporation-worshiping idiots.

    3. Re:LATE BREAKING NEWS on CNN Right Now by Anonymous Coward · · Score: 0
      "CNN's network admins suck."

      Finally something more newsworthy than Aruba!
  80. This is way overblown... by Anonymous Coward · · Score: 0

    Checking my firewall logs, I have zero portscans on port 445.

    1. Re:This is way overblown... by Halvy · · Score: 0

      NO BILL!

      This new ZoTob enhancement only 'works' on your WinDoze (remember?)

      You have DEBIAN!!

      So your okies mahhhhn. :)

      --
      I will gladly loose all of life's battles.. in order to win the war..
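
The firewall-log check comment 80 describes, generalized here to flag any source that opens TCP/445 connections to many distinct hosts within a short window, which is also how an infected laptop brought back inside the firewall (comment 62) would show up. This is an added example, not code from any commenter; the log layout, addresses, thresholds and function names are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified, hypothetical firewall log layout.
# Adapt LINE_RE to whatever your firewall actually writes.
SAMPLE_LOG = """\
2005-08-16T09:00:00 ALLOW PROTO=TCP SRC=10.1.4.23 DST=10.1.4.1 SPT=1501 DPT=445 FLAGS=SYN
2005-08-16T09:00:02 ALLOW PROTO=TCP SRC=10.1.9.9 DST=10.1.9.20 SPT=1200 DPT=445 FLAGS=SYN
2005-08-16T09:00:05 ALLOW PROTO=TCP SRC=10.1.4.23 DST=192.0.2.80 SPT=1502 DPT=80 FLAGS=SYN
2005-08-16T09:00:10 ALLOW PROTO=TCP SRC=10.1.7.50 DST=10.1.7.51 SPT=3001 DPT=445 FLAGS=SYN
2005-08-16T09:00:12 ALLOW PROTO=TCP SRC=10.1.7.50 DST=10.1.7.52 SPT=3002 DPT=445 FLAGS=SYN
2005-08-16T09:00:14 ALLOW PROTO=TCP SRC=10.1.7.50 DST=10.1.7.53 SPT=3003 DPT=445 FLAGS=SYN
2005-08-16T09:00:16 ALLOW PROTO=TCP SRC=10.1.7.50 DST=10.1.7.54 SPT=3004 DPT=445 FLAGS=SYN
2005-08-16T09:00:18 ALLOW PROTO=TCP SRC=10.1.7.50 DST=10.1.7.55 SPT=3005 DPT=445 FLAGS=SYN
2005-08-16T09:00:20 ALLOW PROTO=TCP SRC=10.1.7.50 DST=10.1.7.56 SPT=3006 DPT=445 FLAGS=SYN
2005-08-16T09:00:30 ALLOW PROTO=TCP SRC=10.1.4.23 DST=10.1.4.1 SPT=1503 DPT=445 FLAGS=SYN
this line is truncated garbage
2005-08-16T09:01:00 DROP PROTO=TCP SRC=203.0.113.9 DST=198.51.100.10 SPT=4000 DPT=445 FLAGS=SYN
2005-08-16T09:01:05 DROP PROTO=TCP SRC=203.0.113.9 DST=198.51.100.11 SPT=4001 DPT=445 FLAGS=SYN
2005-08-16T09:01:09 DROP PROTO=TCP SRC=203.0.113.9 DST=198.51.100.12 SPT=4002 DPT=445 FLAGS=SYN
2005-08-16T09:02:02 ALLOW PROTO=TCP SRC=10.1.9.9 DST=10.1.9.21 SPT=1201 DPT=445 FLAGS=SYN
2005-08-16T09:04:02 ALLOW PROTO=TCP SRC=10.1.9.9 DST=10.1.9.22 SPT=1202 DPT=445 FLAGS=SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ PROTO=(?P<proto>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: site address plan


def find_445_fanout(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {src: {"peak_targets": n, "internal": bool}} for sources whose
    TCP/445 connection attempts reach >= min_targets distinct hosts in `window`."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines instead of failing
        if m["proto"] != "TCP" or m["dpt"] != "445" or m["flags"] != "SYN":
            continue  # only new connection attempts to SMB over TCP
        try:
            ts = datetime.fromisoformat(m["ts"])
            ipaddress.ip_address(m["src"])
            ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # unparsable timestamp or address
        events[m["src"]].append((ts, m["dst"]))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # destination -> hits inside the sliding window
        start = peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that have aged out of the window ending at `ts`.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            addr = ipaddress.ip_address(src)
            findings[src] = {
                "peak_targets": peak,
                "internal": any(addr in net for net in INTERNAL_NETS),
            }
    return findings


if __name__ == "__main__":
    for src, info in sorted(find_445_fanout(SAMPLE_LOG.splitlines()).items()):
        where = "internal host, isolate and patch" if info["internal"] else "external source"
        print(f"{src}: {info['peak_targets']} distinct TCP/445 targets in 60s ({where})")
```

A client that repeatedly opens port 445 to the same file server never trips the threshold, because only distinct destinations inside the window are counted.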
  81. CNN is heavy Mac... by Anonymous Coward · · Score: 0

    ... and will get more so as all the Mac users laugh their asses off at the stupid WinPC users they still have left.

    FUCK MICROSOFT JUST REFUSE TO USE THEIR SHIT

  82. MS authored? by saddino · · Score: 3, Insightful

    So, MS, who desperately wants the 50% or so of entrenched businesses still on 2000 to upgrade, claims this worm is "low impact" hmm?

    Clearly, MS is implying the solution is to upgrade to XP. From their site: If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants.

    How convenient! Really, why do I think the first answer to Bill's brainstorming marketing session on "How do we get people to move off 2000?" was some smart-ass saying "Well, we could always write a virus or worm for it."

    After all, any notion of "irreparable harm" from security threats has vanished in the onslaught on the Windows hegemony. One little, "not so bad" worm wouldn't really hurt the Windows reputation any more than it already has been, and it sure would be a nice kick-in-the-pants for those businesses sitting on the 2000 fence.

    Just saying^H^H^H^H^H^Hpostulating.

    1. Re:MS authored? by Anonymous Coward · · Score: 0

      Those Windows 2000 machines should be upgraded by throwing away the hard drives and running a Linux Live CD. The workstation would then be impossible to infect - and the apps could save their work on a network share, or use the web browser for browser based apps. So the TCO for a Linux based solution after deployment - $0.00. TCO for an ongoing struggle with keeping Windows updated, protected and upgraded --- more than $0.00.

    2. Re:MS authored? by weicco · · Score: 1
      Clearly, MS is implying the solution is to upgrade to XP
      Or installing security fix...
      --
      You don't know what you don't know.
  83. karma trawling... by Gary+W.+Longsine · · Score: 1

    I may have been sub-consciously trawling for funny mods.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  84. Re:FUD? None for me, how about you? by Call+Me+Black+Cloud · · Score: 1


    Accusation? RTFP. I asked (a) or (b). Others already answered (b). No need for you to jump in.

  85. My friend... by wmaker · · Score: 1

    works at a call center in Oklahoma for Farmers Insurance, they had all 2000 workstations in their call center rebooting every 60 seconds today.

    1. Re:My friend... by dtfinch · · Score: 1

      Does this happen every time a new worm comes out?

  86. Convenient by Anonymous Coward · · Score: 0

    Convenient for this to hit when Microsoft tries to get everyone to switch to Windows XP.

    I know MS is just sitting in a room saying, I told you so!

    I know it's unlikely, but what if MS is the author of the worm? They have the source so they know how to infect things quickly. Kind of makes me wonder... Is MS preparing for a world takeover?

    1. Re:Convenient by Halvy · · Score: 0

      I know it's unlikely, but what if MS is the author of the worm? They have the source so they know how to infect things quickly. Kind of makes me wonder... Is MS preparing for a world takeover?

      No, but they may be preparing to goto jail.

      Remember they are still probably preddy big hedded about pulling the wool over the Doj's recently.

      And this worm (if reports are true) has hit the Capitol Building in Washington, DC.

      That is considered terrorism.

      And there is MORE than enuff proof from the past-- to see that Bill Gaffs is demented enuff to try this to the extreme extent-- that this worm seems to be damaging things.

      --
      I will gladly loose all of life's battles.. in order to win the war..
  87. hahah. by deep44 · · Score: 1
    Ken Dunham, senior engineer with VeriSign iDefense, said that this weekend his group eavesdropped on conversations about a Visual Basic script tool that would let attackers scan for vulnerable PCs.
    Anybody else catch this?

    Ken, my friend: you're not listening in on the right group of "hackers" if they're talking about scanners written in VB script. You would have probably had better luck in #metasploit "eavesdropping" on all the people asking about Windows-related compiler errors..
  88. brief flirtations with the other color by Gary+W.+Longsine · · Score: 1

    Well, strictly speaking not forever. They do dabble about with orange now and again.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  89. Step 3: Profit! by Gary+W.+Longsine · · Score: 1

    Well, a botnet could certainly be used to perform some Google queries, and simulate clicks on google ads, generating revenue. A relatively small botnet, given relatively subtle enough instructions, might not even trip the Google fraud alarms.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  90. Me also... by Anonymous Coward · · Score: 0

    No, you're not dreaming. I got the same message when Mozy Suite tried to connect.

  91. Re:Fastest spreading ever? Probably not. by Anonymous Coward · · Score: 0

    The fact that CNN and other companies with large computer networks became infected due to a known exploit should only serve as an embarrassment for their IT organizations' failures to apply regular security patches and/or employ adequate security measures (e.g. up-to-date anti-virus products on all client machines, regular security patch deployments to client devices, etc.). In other words, these companies should be asking their IT directors why they failed to deploy security updates that ultimately end up costing significant amounts of money in time and resources which would otherwise be productive on other tasks.

  92. Pirate install of XP fosters viri growth by DigiShaman · · Score: 2, Insightful

    Basically, the subject says it all.

    Now that Microsoft is checking PCs for valid installation keys before you can get security updates, it won't be long before pirated installs of XP become a host for all sorts of nasty shit. And because it's pirated, they will not be able to prevent further revisions of this virus from infecting their PC and thus spreading it around perpetually.

    Fuck, there goes my low ping rate for multi-player gaming due to the increase in traffic...so I would imagine.

    --
    Life is not for the lazy.
    1. Re:Pirate install of XP fosters viri growth by Anonymous Coward · · Score: 0

      You don't need Windows Update. You can use Bigfix.com to download the patches. Not that there hasn't been a hundred different ways to disable the Advantage stuff posted on the net.

    2. Re:Pirate install of XP fosters viri growth by holiggan · · Score: 1

      I think that a way around the validation will be found, and at least a part of the XP boxes around will be updated, by people that know a little about these things and actually understand that updates are important. The boxes that will stay "outdated" are probably owned by someone that either doesn't know / doesn't care about updates in the first place, so there is no guarantee that they would update the boxes even if their Windows copy was legit.

      --
      "A sysadmin is a cross between a detective, a police officer, a gardener, a doctor and a fireman"
    3. Re:Pirate install of XP fosters viri growth by Keeper · · Score: 1

      You can also find them here: http://www.microsoft.com/technet/security/current.aspx

      Additionally, if you tell your computer to download and install the updates automatically (the "automatic updates" tab found in the system properties dialog), you'll get them as well.

    4. Re:Pirate install of XP fosters viri growth by WhatAmIDoingHere · · Score: 1

      Wrong. Security updates can be downloaded even if you have a pirated copy of XP. And the people who installed pirated copies themselves know how to stop the check on the windows update site.

      --
      Not a Twitter sockpuppet... but I wish I was.
    5. Re:Pirate install of XP fosters viri growth by Anonymous Coward · · Score: 0

      Or you can use Auto Patcher and not even go to Winblows uphate.

      http://www.softpedia.com/get/Tweak/System-Tweak/AutoPatcher-XP.shtml

  93. FUD alert.... by Khyber · · Score: 2, Interesting

    DISCLAIMER:This comment may be FUD...

    Seeing as Microsoft stopped supporting Windows 2000, wouldn't this seem like a nice co-incidental way of "encouraging" users to upgrade to Windows XP??

    Of course, one could always go to a pirated version of XP... Why pay for a simple security upgrade, after all?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:FUD alert.... by Lxy · · Score: 1

      XP is just as vulnerable, take off your tinfoil hat and move along.

      Props to Shavlik Technologies on this one. I got an e-mail last Tues when the patch was released:

      "Both the 05-039 and 05-043 exploits stand a good chance of becoming Internet worms in the near future. These worms could act in a manner similar to the Blaster worm. Shavlik recommends testing and installing these patches as soon as possible to prevent exploitation via these vulnerabilities."

      That's the first time I've seen wording that strong from Shavlik, good call guys!

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
  94. Foresight vs Response by tfcdesign · · Score: 1

    No argument here. But we were talking about a virus. Apple is not releasing patches because it has been attacked, but rather because they (or someone) are testing and debugging their own work. It's quite a different circumstance than running around the planet trying to reboot crashed machines or prevent an immediate threat from crashing your machines. Are Apples perfect? Of course not. It was just a joke... Someday someone will feel the need to write an Apple virus. It's inevitable.

    1. Re:Foresight vs Response by Ilgaz · · Score: 1

      Virus writers are reading slashdot etc too.

      In current environment if OS X virus/worm ships it will be a huge disaster. They will shoot the messenger (whoever finds it first) repeatedly until some newspapers arrive 12 pm instead of 5 am to stores.

      Remember Intego and what happened to them when they released their finder exploit to public (with stupid PR language). If I were them, I would think 1000 times before going to public when some threat is detected.

      If you see what's fixed with security updates, they aren't so theoretical threats at all. It's just lack of popularity of OS X among these worm/virus writing lamers.

    2. Re:Foresight vs Response by tfcdesign · · Score: 1

      It's just lack of popularity of OS X among these worm/virus writing lamers.

      Yep. I think I implied that with the "inevitable" comment. I have also said twice before I was joking. Sorry. I hope the Linux users don't have you too riled.

  95. For all we know by WindBourne · · Score: 1

    this virus was developed by MS to encourage just that action.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  96. Removes spyware? by gargan · · Score: 3, Interesting

    Has anyone else noticed that according to the Symantec security response page, this virus removes several common spyware files? kills process, removes registry entry, and deletes. I suppose it does this so that it will have the machine's internet connection mostly to itself, but I find that fascinating.

    --
    Emory: Uh..we're still..beta testing that.
    Oglethorpe: What you're testing is me and my patience!
    1. Re:Removes spyware? by mabu · · Score: 4, Insightful

      It makes perfect sense.

      All these worms are written by spammers who want to turn the machines into zombied SMTP servers. They want to disable other exploitive processes.

      If all major ISPs filtered port 25 traffic (like AOL does) from anyplace other than their in-house SMTP gateways, you'd see worm activity drop to almost nothing. It's all about spamming. And the feds don't seem to care. Sooner or later, the major broadband providers will act responsibly and stop their clients from becoming spam zombies, then there won't be much of a need for these worms to be released. That's what they're all about: spamming.

    2. Re:Removes spyware? by Hungry+Admin · · Score: 1

      Disabling other parasitic processes accomplishes several goals beneficial to the invading organism.

      1) All available resources are made available to the invading worm.

      2) The user is less likely to notice the infection due to poor performance of the system.

      3) There is less opportunity for one of the other worms to interfere with the intended operation of the worm.

      This is just another step in the evolution of viruses... just like in the biological world, initial versions tend to kill the host rapidly. As they evolve, they become better able to make use of the host without killing it off.

      --
      Be who you are and say what you feel, because the people who mind don't matter, and the people who matter don't mind.
    3. Re:Removes spyware? by MikeBabcock · · Score: 1

      Port 25 connections aren't the issue, authenticated smtp is.

      If ISPs used SMTP AUTH instead of unauthenticated SMTP, they'd be much better off.

      You *have* to support port 25 connections for other mail servers to send your customers mail anyway.

      --
      - Michael T. Babcock (Yes, I blog)
    4. Re:Removes spyware? by crabpeople · · Score: 1

      well having been on gay ISPs that filter incoming port 80, 25, 23, 53 etc i will kindly ask you to STFU. you know how god damn annoying it is to be trying to run a small in house network with those kinds of restrictions? oh you want to run your own mailserver? upgrade to the business package for 300$ more a month. not faster or anything, just you get the ports unblocked.

      fuck that. i'd rather have open spam relays that i can block in my sendmail config, or at the firewall level, than be forced to use my ISP's buggy DNS and mail servers. when you have 1 hour delays on mail in peak times, maybe you would agree.

      also mod down for suggesting that AOL has *any* practices that should be applied to any other isp. you need your hand held? fine. some of us know what the fuck we are doing thanks.

      --
      I'll just use my special getting high powers one more time...
    5. Re:Removes spyware? by mabu · · Score: 1

      Yes, *legitimate* mail servers have to be listening on port 25, but IP space where there shouldn't be rogue SMTP traffic doesn't need to be routing port 25.

      The thing that really gets me is that every major ISP can usually tell within a few minutes, if a client has turned into a spam zombie. It's not a stretch to easily identify a dramatically different pattern from a host and notify the customer that their computer might be compromised. I keep waiting for some ISP to automate such a system. It would be a huge competitive advantage.
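
The kind of automated check the comment above describes, as an added example that is not part of the original thread or any ISP's actual system: it counts, per customer address and five-minute window, the distinct destinations contacted directly on port 25, and flags a window that is far above that host's own earlier windows. The flow-record format, addresses, thresholds and function names are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from statistics import median

WINDOW_SECONDS = 300                  # assumed aggregation window
ISP_SMTP_GATEWAYS = {"192.0.2.25"}    # constructed: the ISP's in-house relay
MIN_DISTINCT = 20                     # assumed floor: ignore small fan-out
BASELINE_FACTOR = 10                  # assumed multiple of the host's baseline


def parse_flow(line):
    """Parse one constructed flow record: '<epoch> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def smtp_fanout(flows, port=25):
    """Map src -> window index -> set of destinations contacted on `port`.

    Mail handed to the ISP's own gateway is normal customer behaviour and
    is not counted; only direct connections to other hosts are.
    """
    per_host = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport in flows:
        if dport != port or dst in ISP_SMTP_GATEWAYS:
            continue
        per_host[src][ts // WINDOW_SECONDS].add(dst)
    return per_host


def find_suspects(lines, port=25):
    """Return (src, window_start, distinct_dsts, baseline) for each window
    in which a host's fan-out is both above the floor and far above the
    median of its earlier, unflagged windows."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    if not flows:
        return []
    first = min(f[0] for f in flows) // WINDOW_SECONDS
    last = max(f[0] for f in flows) // WINDOW_SECONDS
    fanout = smtp_fanout(flows, port)
    alerts = []
    for src in sorted(fanout):
        history = []                  # per-window counts seen so far
        for w in range(first, last + 1):
            count = len(fanout[src].get(w, ()))
            baseline = median(history) if history else 0
            if (count >= MIN_DISTINCT
                    and count >= BASELINE_FACTOR * max(baseline, 1)):
                alerts.append((src, w * WINDOW_SECONDS, count, baseline))
            else:
                # Flagged windows are kept out of the baseline so a long
                # burst cannot become the host's new "normal".
                history.append(count)
    return alerts


def build_sample_lines():
    """Constructed sample: three customers over five windows."""
    lines = []
    for w in range(5):
        t = w * WINDOW_SECONDS
        # Ordinary customer: mail via the ISP gateway, plus some web traffic.
        lines.append(f"{t + 5} 198.51.100.10 192.0.2.25 25")
        lines.append(f"{t + 9} 198.51.100.10 203.0.113.200 80")
        # Customer running a small mail server: steady, low fan-out.
        for i in range(3):
            lines.append(f"{t + 20 + i} 198.51.100.20 203.0.113.{210 + i} 25")
    # Previously silent customer that suddenly contacts 60 hosts per window.
    for w in (3, 4):
        for i in range(60):
            dst = f"203.0.113.{(w - 3) * 60 + i + 1}"
            lines.append(f"{w * WINDOW_SECONDS + i} 198.51.100.30 {dst} 25")
    return lines


if __name__ == "__main__":
    for src, start, count, baseline in find_suspects(build_sample_lines()):
        print(f"{src}: {count} distinct SMTP peers in window starting "
              f"t={start} (baseline {baseline})")
```

The small self-hosted mail server in the sample is never flagged, because its fan-out stays under the floor and matches its own history.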

    6. Re:Removes spyware? by sploxx · · Score: 1

      It makes perfect sense.

      All these worms are written by spammers who want to turn the machines into zombied SMTP servers. They want to disable other exploitive processes.

      Maybe this view is outdated, but I still see my PC as a tool and not a virtual biotope where every kind of artificial life grows :-)

  97. The Worm is doing a bit of good by tmonkey · · Score: 2, Interesting

    anyone notice it is deleting these files;
    %PROGRAMFILES%\MyWebSearch
    %PROGRAMFILES%\MyWebSearch\*.exe
    %PROGRAMFILES%\Hotbar
    %PROGRAMFILES%\Hotbar\*.exe
    %PROGRAMFILES%\MyWay
    %PROGRAMFILES%\MyWay\*.exe
    %PROGRAMFILES%\180Solutions
    %PROGRAMFILES%\180Solutions\*.exe
    %PROGRAMFILES%\EbatesMoeMoneyMaker
    as per http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html. Now if it just wouldn't reboot the computer.

  98. Let me know by ArchieBunker · · Score: 1

    When linux runs all of my windows games flawlessly, has support for any $20 802.11g card, and lets me use my sound card without dealing with .diff files and make config(menuconfig)(xconfig) etc.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Let me know by smash · · Score: 1
      You can fix that problem to a large extent:

      Instead of your $300AU windows license, buy a copy of Cedega (no it doesn't support *every* game, but a lot of good ones), and a wireless card that works.

      Pocket the change, and go buy something nice :D

      That's what I just did recently, when I finally stopped multi-booting :)

      smash.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:Let me know by wolverine1999 · · Score: 1

      My 802.11g card works under Linux with no problems!

  99. Internal firewalling! by redelm · · Score: 1
    Worms like this one just make the case for internal firewalls. Instead of "mostly open" internally, routers can be set to only pass certain ports. If a corp still wants to be mostly open, it can set up tripwires and even autoport shutdowns.

  100. Actually it's TWAT by Anonymous Coward · · Score: 0

    The War Against Terror.

  101. Win2k users, like banks, trusts, securities firms by crovira · · Score: 2, Insightful

    and the like are all in a hard place.

    As much as they would like very much to have a stable OS (OS X, Linux, BSD. any stable OS, dag nabbit,) they have developed software on their own for their own purposes (Microsoft doesn't make everything, ya kno',) and their budgets don't allow for the kinds of redeployment costs associated with a new OS or even a new version of an old OS. (The roll out costs to Microsoft's clients dwarf the cost of the OS. If only it wasn't a POS.)

    I was working at a client's who were heart-broken when WinNT got end-of-lifed. They had to gear up for deployment of 20 or 30 THOUSAND systems to Win2K...

    And poor ol' Microsoft can't upgrade the APIs like they need to because of clients like mine. (Which is why also Linux is having a hard time getting in. It has to WORK from the 'get go.')

    Fuck the GUI, it's the APIs that are the hold up.

    And as long as Windows can't change the APIs they don't have the latitude to change the OS so stupid shit like this worm can't happen.

    If Linux can deliver APIs that are the same as Windows, it's got it made. Until then, it's out in the cold.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  102. Re: Differences by The+Patient · · Score: 1
    Hell yeah!

    Sincerely,

    The People Who Also Care About The Difference Between Theft And Copyright Infringement and The Difference Between Rollerblades(tm) And Inline Skates

  103. Re:Fastest spreading ever? Probably not. by the_Bionic_lemming · · Score: 0, Troll

    I don't know if this was intended to be funny, but it cracked me up. I guess I've been out of the industry so long that I forget that Windows admins take hourly or daily crashes for granted. What a sad sad world it must be.

    Really? If my PC had crashed anytime within the last three years I'd have been pissed.

    win 2k and win xp properly maintained don't crash.
    anyone who says otherwise is spreading fud.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  104. If you developed any software for your own co. by crovira · · Score: 1

    you know why they go with old tech.

    It's not just that they're cheap bastards (though they probably are). It's the APIs.

    If you can get Linux systems that can implement those same APIs, they're in. Microsoft isn't everybody's darlin' by a long shot.

    And I'm sure the Chief of the Boat who got stopped dead in the water by the divide by zero error in WinNT would disagree with your last statement. :-)

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  105. Yes, it may be: 'just you'.. by Halvy · · Score: 0

    I mean, if what you're saying is true, it does not make ANY sense that the corporation behind this would do it to the extent that it is.

    People from fortune 500 companies, major media outlets and the capitol were hit hard today.. and it's spreading.

    There is NO benefit to the attackers (if they are corporate related).

    They (when/if found) will have a black mark on nearly everyone's mind, because the attack goes BEYOND removing silly spyware.

    Machines are being brought down en masse and the publicity is NOT good.

    Maybe you're still right though, after all, marketing companies have not always been known to be the brightest chocolates in the boxen ;)

    --
    I will gladly lose all of life's battles.. in order to win the war..
  106. Anti-Adware by Wizarth · · Score: 1

    After reading one of the Symantec links, I noticed it appears to remove/disable a number of ad-ware programs.

    So, you can tell if your computer is infected by it starts running cleaner!

    And does this explain this virus writer's rationale? The end justifies the means?

  107. Sweet by DroopyStonx · · Score: 1

    I love these worms - I really do.

    Just goes to show you all the stupid people out there that don't patch their systems :)

    Plus it's good to watch the media get in a big frenzy about it... not to mention all the monetary costs this will incur!

    This is what I call entertainment.

    --
    We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
  108. Spoken like somebody by crovira · · Score: 1

    who hasn't looked at the price in years and who thinks his time is worth nothing.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
    1. Re:Spoken like somebody by brettper · · Score: 1

      It's a joke

      Laugh

  109. Typical liberals by Brian+Stretch · · Score: 2, Funny

    Microsoft, a few days ago: "Worms are coming. Here's the patch. Secure your systems."

    NYT/CNN/ABC: "Yawn. We don't see any worms. Stop trying to scare us. It's acceptable to lose a few LANs so we don't have our right to pr0n infringed, or something."

    Today: Worm hits.

    NYT/CNN/ABC: "It's Karl Rove's fault!"

    FOX: "Our networks are fine. Who's the dumbass now?"

    Microsoft: "Good thing people too stupid to run Windows Update are also too stupid to run Linux."

  110. Sony was hit by Anonymous Coward · · Score: 0

    Well, the virus knocked out a significant part of the Sony Electronics intranet today. I'm just finishing a 16 hour day because of it.

  111. Actually, the millions who run windoz.. by Halvy · · Score: 0

    need to 'deal with it'.

    I think he runs Linux :)

    sooooo, i guess you 'need to deal with it'.. too.

    --
    I will gladly lose all of life's battles.. in order to win the war..
  112. Maybe killed IBM too? by Anonymous Coward · · Score: 0

    I don't know if this was the cause, but all the internet access at IBM was dead from about noon today. This is rare. I think maybe they killed the firewall systems until they had a good ruleset.

  113. Oh yes there is!! by Halvy · · Score: 0

    There is no ..santa clause..

    Or do you want to be the one to tell ALL THOSE PARENTS that there isn't one?! ;)

    --
    I will gladly lose all of life's battles.. in order to win the war..
  114. Re:One of the SLOWEST spreading infections in hist by sjudd · · Score: 1

    May be referring to the release time difference between the vulnerability announcement (and patch) to the exploiting code.

    Slammer exploited MS02-039 which had been available 185 days.
    Zotob exploits MS05-039 which has been out 4 days...

    --
    All women want is honesty, if you can fake that, you're in.
  115. Re:Fastest spreading ever? Probably not. by ozmanjusri · · Score: 1

    win 2k and win xp properly maintained don't crash. anyone who says otherwise is spreading fud.

    Rubbish. Anyone who uses 2000/XP for video editing or other high load applications will tell you it often has problems, crashes and lockups under heavy CPU/RAM utilisation. Likewise, there are plenty of applications, including MS Office, that can take down the OS when they fail.

    Anyone who says otherwise is astroturfing.

    --
    "I've got more toys than Teruhisa Kitahara."
  116. To increase the website hit of this virus creator by Amitz+Sekali · · Score: 1

    Making queries to google? Sounds like a very round-about way to search google. What is the purpose of this?

    To increase the website hit of this virus creator?

    --
    If you delay pleasure infinitely, the pleasure will be infinite. (YM)
  117. Anyone having problems with Firefox freezing... by Anonymous Coward · · Score: 0

    on the informationweek.com site? I get an error message box with random error messages each time I try the site. When I close the box Firefox locks up. One error message was about SSL not running and the other was an 'incorrect message or error' from their server.

  118. It ain't a white-hat worm, I'm pretty sure by freeweed · · Score: 2, Interesting

    My first thought was that this was another foolhardy attempt at a white-hat worm, where the intention is to help clean a victim's machine, maybe of a lot of malware...

    But having just spent an all-nighter in the office cleaning up the B variant, this new D doesn't do nearly enough to actually fix the damage.

    What really pisses me off about Windows, is that this worm somehow has enough permissions to delete other worms in %SYSTEM%, but I, as an Administrator, don't.

    Microsoft: please, for the love of god, implement KILL -9. Without a reboot. Thanks.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    1. Re:It ain't a white-hat worm, I'm pretty sure by Anonymous Coward · · Score: 0

      I'm not entirely sure of the underlying mechanism, but there are certain things that task manager itself won't let you kill. It's not a permissions thing, but rather a flag of some sort that taskman seems to honor. Get a third-party process viewer (a very good one is available for free at prcview.com) and you can kill anything. This is a total guess on my part as to how things actually work, based solely on the fact that I can't kill some worms in taskman but I can in prcview.

    2. Re:It ain't a white-hat worm, I'm pretty sure by davegust · · Score: 2, Interesting

      One undocumented trick that works to kill any process on an NT box is "drwtsn32 -p xxx" where xxx is the process number. Technically what you are doing is attaching the debugger (drwtsn32) and terminating the process that way. I found this by looking over the source for an old version of Dr. Watson.

    3. Re:It ain't a white-hat worm, I'm pretty sure by RangerRick98 · · Score: 1

      Try Process Explorer from http://www.sysinternals.com/

      --
      "You're older than you've ever been, and now you're even older."
    4. Re:It ain't a white-hat worm, I'm pretty sure by The+Wicked+Priest · · Score: 1

      I've found to my distress that even kill -9 sometimes doesn't work in Linux. I don't remember it being this way years ago; only in more recent versions. It seems to happen when the hardware fails to respond -- in my case, mainly my DVD+R.

      --
      Share and Enjoy: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    5. Re:It ain't a white-hat worm, I'm pretty sure by slartibart · · Score: 1
      Microsoft: please, for the love of god, implement KILL -9. Without a reboot. Thanks.

      This is at least one step closer to kill -9. Try pskill.exe from sysinternals.com. It can kill a lot of processes that in Task Manager tell you "Access Denied".

      There are a few processes it won't kill (and I don't mean critical OS processes - it WILL allow you to kill those). But the same is true for 'kill -9'.

    6. Re:It ain't a white-hat worm, I'm pretty sure by Lost+Race · · Score: 1

      Killing a process without permission (which usually means "owned by a different user") requires elevated privileges. The "Administrator" user has most privileges available but by default not enabled. Task Manager does not attempt to enable the necessary privileges before attempting to kill processes.

  119. haha isnt it funny... by temi · · Score: 1
    that this only affects win2000 so that the only people heavily affected as a group are big corporations (like CNN ironically) that have too hard of a time migrating to new OS's so they are always a step or two behind the normal consumer (of Windows at least).

    So now there is this mad dash by the news corporations because they are probably feeling it worse than the people they are reporting to.

    I mean sheesh I just saw Anderson Cooper and he was gripping the table white-knuckled and looking way frazzled.

  120. Been using NT4, W2k, WXP, since '99, NO crash ever by Anonymous Coward · · Score: 0

    Been using NT4, W2k, WXP, since '99, NO crash ever. I don't know what bozo does to crash his box, but if you know these types of people, it says more about you than anything.

  121. Time to move out of the basement by freeweed · · Score: 1

    the vast majority of the workstations auto update themselves and hence this is a non issue for any properly run network.

    Ha.

    HAHA.

    Let me repeat: HAHAHAHAHAHA.

    Here in the business world, we have these machines called servers. They, like your workstations, often run Windows. However, unlike a university workstation, they cannot just be rebooted willy-nilly because of an "auto-update". These servers will actually be used, 7x24, by other people, and in order to take them offline to apply a patch, you need to actually co-ordinate this, or you could potentially lose huge amounts of data.

    There's also the issue of OS patches breaking applications, which happens a good 3-4 times a year. Sometimes it's no big deal, other times the company can lose tens of thousands of dollars a day in lost productivity. Hence, we need to actually test these patches manually, on many differing systems, in order to know we're safe to roll with it.

    For the record, the time between patch and worm was 5 days. 3 of those working days. You have a very bizarre sense of "badly behind in patching".

    The real news story is: you work at a university. It matters very little if your shit breaks, which is why this is a non-issue for you. However, in the real world, it matters. It matters a lot. Which is why you're seeing news about it.

    Of course, why anyone would run critical systems on Windows is beyond me, but then again, I don't pay the bills. I just write them up :)

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    1. Re:Time to move out of the basement by Indy1 · · Score: 1

      we run a mixed environment of unix and windows because our clients use unix and windows. Yes windows sucks because you have to reboot it for every damn patch. That's why you run MULTIPLE domain controllers. Patch one, reboot it, test and verify it works fine, then patch and reboot the others. It's not so damn hard if you take windows's weak points into consideration. And while you're busy slamming a university network as non critical, the engineering dept I directly support receives over 50 million dollars a year in NSF grants for scientific research, so don't tell me it's not important the network works properly.

      --
      Lawyers, MBA's, RIAA? A jedi fears not these things!
    2. Re:Time to move out of the basement by xt0rt187 · · Score: 1
      Domain controllers are not the end-all be-all of the server world. It is important to avoid downing a server that provides a service to another server within the collective system. If one server out of this collective doesn't take the patch well your entire system/application may be down.

      Had this happen with our db server, without this server running _nothing_ works, DC or not.

    3. Re:Time to move out of the basement by Randseed · · Score: 1
      I brought this up a few weeks ago in another thread. The problem with Windows Update as currently implemented is that it is not a very good desktop citizen. It will download the patch (good), and then if you set it to auto-apply the patches (which we're talking about here) it will go apply the patch without any regard for the load on the machine, thus bringing any intensive applications to a screeching halt. After it does that, it goes off and repeatedly annoys the hell out of the user to reboot the machine. This crashes some applications which don't handle having the desktop yanked from them well, while at the same time causing a problem if this happens when, say, the user is at lunch with a bunch of stuff open.

      This is good in theory, and I'm sure that Microsoft had good intentions. However, they need to have it install patches with some respect for load (just install them at the Windows equivalent of 'nice 19'.) They also need to do something about the nag feature. As it stands now, I think many people just turn the auto-install feature off, which results in the patch just sitting there much of the time. Further, the requirement for a reboot in the first place (which many times is superfluous, unless that's changed in later Windows versions) interrupts work, and further discourages people from installing it.

      So now you have a bunch of patches being downloaded, but requiring manual installation of some sort, and only when the user has the time to mess with it and isn't actively using the machine at the time.

      Then again, the only thing my Windows machines are used for is playing games and the occasional hotsync of Palm software that has some Windows-dependent desktop component. Anything mission critical already runs on Linux or, in one case, OpenBSD.

  122. Re:To increase the website hit of this virus creat by Anonymous Coward · · Score: 0

    Ah, the rarely seen autoslashdot effect...

  123. Is it a worm or a virus? by RPoet · · Score: 1

    "The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm"

    Make up your minds already.

    --
    "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
  124. Re:Fastest spreading ever? Probably not. by Anonymous Coward · · Score: 0

    HO HO. Nice fucking bullshit. Maybe if you just use your computer every once in a while and don't install hardly anything. But no doubt you're the hard core power user, and you just happen to be the elite windows fixer upper, and yes, your computer has never malfunctioned in the LAST 3 YEARS. But I call fucking bullshit. How's come I don't know 1 single person who runs Windows XP that has been as lucky as you and others like you with similar claims? Sure, some people I know started off claiming things like that, but as they realized that I wasn't buying it and as I was up front with them about my operating system's flaws, they too became a little more honest. Nice BULLSHIT, though!!!!!!

  125. CNN by SpaceAdmiral · · Score: 1

    I was watching CNN Headline News about this, and, although they didn't out-and-out lie, they sure made it sound like Microsoft had released the patch today. Of course, the patch has been out since the 9th.

    Anyone dumb enough to run Windows should be smart enough to check for updates daily. . . . wait, does that make sense?

  126. Really good advice by interstellar_donkey · · Score: 4, Funny

    From Microsoft's info page:

    Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site.

    Ummm...

    "Hello, FBI? Yeah, hi. This is Pat. Listen, I've noticed my computer has been running a little slow lately. Yeah, more so than usual... Well, I heard about this new worm virus on the news... Yeah, I know I should run a virus scanner... Yes, I'm aware that the FBI does not troubleshoot and provide support for PCs... No, I don't expect you to launch a huge investigation because I suspect I *might* have been infected... Of course I'm aware that even if I was infected, there's really nothing the FBI can do about my particular case. . . . What do you mean 'Why am I calling you'?? Microsoft said I should!!"

    --
    The Internet is generally stupid
    1. Re:Really good advice by Anonymous Coward · · Score: 1, Interesting

      From Microsoft's info page:

      Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site.

      More like: "Hello, FBI? Yeah, hi. This is Pat. Listen, I'd like to report some serious fraud. Microsoft sold me this operating system, and they said it was secure and stuff, but I just got totally pwned by another worm. When I asked them for my money back because their software didn't live up to their promises, they told me, 'Tough shit, the EULA says it's your problem and we get to keep your money. Neener, neener, neener!'"

  127. pardon the tin foil hat, by Anonymous Coward · · Score: 0

    but think of it: a worm that hit media sites running older versions of Windows, with lots of exposure, which might cause users to feel compelled to switch to a newer, shinier MS OS. Wonder who released this into the wild?

  128. Why Isn't MicroSoft Effected by this virus(es)??! by Halvy · · Score: 0


    As if we don't know that answer.

    --
    I will gladly lose all of life's battles.. in order to win the war..
  129. UPS affected by worm by Anonymous Coward · · Score: 0

    I work at UPS processing international packages. Today I was not able to enter invoice data into the computer. The program called "UPS Mainframe" was inaccessible. I could not get the UPS website from my work computer. I could not print tracking labels to stick them on invoices. I could use a scanner to image invoices for customs, but the images would not upload to the server. I had to fax my invoices to a bigger hub so that they would enter them there. They told me just to fax the express invoices, not 2nd day air or ground. Other people at UPS also had problems all day because of this. I am not a programmer so I don't know that much about computers, but I know enough.

  130. Re:Fastest spreading ever? Probably not. by Jimmy+The+Leper · · Score: 1

    You might want to run memtest86 on that machine... Every time I've had stability problems with WinXP it's been bad hardware.

    --
    -You're only as clean as your towel.
  131. Re:Fastest spreading ever? Probably not. by Cylix · · Score: 1

    Do you know how long it took me to get my video editing box's stable.

    Not even just system tweaking, proper drivers that don't flip out, but just nixing the heat issues.

    So yeah, I have fairly stable prem pro 1.5 systems with canopus dvstorm2 cards. It's possible sure, but it takes some planning and work because the load will bring out bugs faster than a workstation that uses word all day.

    Haven't yet dived into building HD editing stations, but I'll let the solutions mature (and cheapen) a bit before that.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  132. Lame tech reporting != lame tech support staff by Nonesuch · · Score: 1
    Well have you ever seen their idiot tech reporter, Daniel Sieburg (or whatever).
    Daniel Sieberg, their "technology correspondent", has no formal technology training. (Since Dan claims to read Slashdot, maybe he can prove me wrong here)
    If their tech department is anything like HIM they are lucky they can even get their computer turned on in the morning! No one in their tech reporting department has ever heard of a computer other than a PC running windows.
    And surely CNN's technical infrastructure staff cringe every time these reporters open their mouths on the air.

    Odds are that the "real" techies aren't photogenic enough to put them on the air, or capable of writing plain enough English that CNN could at least give them a pass at their scripts before giving the script to Daniel to read.

    If I had to hazard a guess, I'd say the support staff pushed to deploy at least the critical patches to all of CNN shortly after the patches and public exploit code were released (Tuesday and Thursday of last week), but got pushback on any sort of "hasty" deployment of patches to systems "critical to broadcast operations".

    CNN is a 24-hour product, so if they couldn't schedule downtime in the past couple of years to migrate off Windows 2000, why expect that they would be able to take an outage in the past week to install patches?

  133. Worm epidemiology? by Nonesuch · · Score: 1
    eericson wrote
    To quote directly from the handler:
    "Speculating: The fact that CNN, ABC and the NYTimes got it may be as simple as reporters from these organizations visiting the same event and connecting to an infected network. While a firewall may have protected their office network up to now, these infected laptops were able to take out the network from the inside once they connected back to it."
    Funny, ISC has since edited the diary to remove this text?

    This is a good point -- looking at network traffic right now, the Zotob variants all target primarily (only?) hosts in the same /8 or /16 network as the infected workstation.

    This means that once somebody brings an infected laptop into a mid-to-large sized organization that is built on just one or two highly-populated network ranges, the worm will swiftly infect all available targets in that network.

    I could almost speculate that the target generation code is written intentionally to make this a slow-spreading low-impact worm on the Internet overall, but much more effective once it gets inside a target-rich corner of the network (private or public). Almost.
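An added example, not part of the comment above or of any tool named in this thread: a Python detector for the locality-biased spreading comment 133 describes, run over connection records. The record format, the thresholds, and the choice of TCP 445 (the SMB port through which the MS05-039 flaw is reachable, which the thread does not name) are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: "<seconds> <src> <dst> <dport>". Not real traffic.
SAMPLE_FLOWS = """
# ts  src         dst           dport
0     10.20.3.4   10.20.0.10    445
1     10.20.7.15  10.20.7.16    445
2     10.20.7.15  10.20.7.17    445
3     10.20.7.15  10.20.12.201  445
4     10.20.7.15  10.20.44.9    445
5     10.20.7.15  10.20.101.3   445
6     10.20.7.15  10.20.200.77  445
7     10.20.3.4   10.20.0.10    445
10    10.20.9.9   10.20.1.1     445
130   10.20.9.9   10.20.1.2     445
260   10.20.9.9   10.20.1.3     445
390   10.20.9.9   10.20.1.4     445
520   10.20.9.9   10.20.1.5     445
11    10.20.8.8   192.0.2.10    445
12    10.20.8.8   192.0.2.11    445
13    10.20.8.8   192.0.2.12    445
14    10.20.8.8   192.0.2.13    445
15    10.20.8.8   192.0.2.14    445
16    10.20.7.15  10.20.7.16    80
"""


def parse_flows(text):
    """Yield (ts, src, dst, dport) from whitespace-separated records."""
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        yield float(ts), src, dst, int(dport)


def same_prefix(src, dst, prefix_len):
    """True if dst lies in the /prefix_len network that contains src."""
    net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    return ipaddress.ip_address(dst) in net


def find_local_sweepers(flows, port=445, prefix_len=16,
                        window=60.0, min_targets=5):
    """Return {src: peak} for hosts that contacted at least min_targets
    distinct neighbours (same /prefix_len) on `port` within any `window`
    seconds. A client talking to one file server never reaches the
    threshold; a host walking its own address range does."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port and same_prefix(src, dst, prefix_len):
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> hits inside current window
        start = 0                      # index of oldest event still in window
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have aged out of the sliding window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    for host, peak in sorted(find_local_sweepers(flows).items()):
        print(f"{host}: {peak} distinct same-/16 targets on 445 within 60s")
```

Because the rule only counts destinations inside the source's own prefix, it has to run on internal flow data (switch or router exports); a perimeter firewall never sees this traffic, which is the point the comment makes about laptops carried inside.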

  134. Re:Fastest spreading ever? Probably not. by Anonymous Coward · · Score: 1, Funny

    "Do you know how long it took me to get my video editing box's stable"

    You keep your video editing box in a stable?

  135. Corporations and windows by Nice2Cats · · Score: 1
    Corporations would never expose Windows systems directly on the internet

    You work at a university, right?

    1. Re:Corporations and windows by Gary+W.+Longsine · · Score: 1

      Sorry, I was a little less specific than I should have been. I was thinking specifically about larger corporations like those listed in the news articles about the MS05-039 worms. There probably isn't a single Fortune 100 company, probably not even a single Fortune 500 company, that allows desktop Windows systems to be knowingly exposed to the internet while connected to the corporate LAN. They are behind firewalls. (Yes, I know that's not sufficient protection, but it's a good first step). Small companies often don't have the sophistication or talent in their IT departments and you're right, sometimes their entire network is more or less directly exposed to the internet. This is particularly true of very small companies, which may have a DSL connection shared by a small LAN, with all systems exposed.

      By contrast, nearly every Fortune 500 company allows laptops to come and go, willy nilly. That's often how worms get into their networks.

      --
      If you mod me down, I shall become more powerful than you could possibly imagine.
  136. No patch available for Windows 2000 SP3 by edxwelch · · Score: 1

    There is only a patch available for Windows 2000 SP4, and everybody knows SP4 has many problems that were never resolved.

  137. Low Impact my ass! by McDoobie · · Score: 1

    It knocked out United Parcel Service's Data Acquisition system nationwide.

    If your packages arrive late tomorrow, that's why.

  138. Re:Fastest spreading ever? Probably not. by Anonymous Coward · · Score: 0

    "How's come I don't know 1 single person who runs Windows XP that has been as lucky as you?" Because you don't have many friends? Or maybe because everyone you know buys the same crap hardware as you? My home PC only ever reboots when I tell it to, and the uptime is fantastic. Maybe not 3 years, but that's just a retarded thing to say. But then this is /.

  139. Re:Been using NT4, W2k, WXP, since '99, NO crash e by Emporerx · · Score: 1

    No offense intended, but, did you ever turn these machines on?

  140. Thanks for 100% uptime? Dream on. by SgtChaireBourne · · Score: 1
    Our IT folks must love this..
    I'm sure they do. Otherwise, they'd force an iBook on him.

    Think about it. It gives them a sense of purpose and a familiar task to deal with. What's more they're heroes for then working extra to put out the MS-viruses. What's not to like? If they had chosen a system that was immune or at least resistant, then they'd have none of that satisfaction or recognition. How many IT folk hear a thanks for 100% uptime on servers OR workstations?

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  141. Not enough by rctay · · Score: 1

    It needs to bring Fox news down also. Of course they will declare it the first round of a new jihad aimed at American values.

  142. such a friendly virus by NuShrike · · Score: 1

    Wow, what a friendly virus. Looks like it also tries to clean up some spyware for you.

  143. TinFoil hats on Everyone! by Anonymous Coward · · Score: 0

    some smart-ass saying "Well, we could always write a virus or worm for it."

    You left out the critical part on the cutting-room floor:

    some smart-ass saying "Well, we could always write a virus or worm for it." Bill turns to face the guy who made the suggestion, affectionately known in this InnerCircle as WHiteyHat, and nods and winks almost imperceptibly while saying, "Aren't you supposed to be making a PowerPoint presentation for one of your clients?"

    At this point, everybody turns to look at the guy, who still doesn't get it, until the light bulb lights up. Bill raises both eyebrows as if to say, "Well?", and the guy leaves the meeting...

  144. kill -9 vs Task manager by rduke15 · · Score: 1

    this worm somehow has enough permissions to delete other worms in %SYSTEM%, but I, as an Administrator, don't.

    Usually, when I could not kill a task, it was because another one was watching it, and restarting it if it was killed. Rebooting in safe mode and removing the tasks from the registry (HKLM/..../Run) worked.

    Microsoft: please, for the love of god, implement KILL -9. Without a reboot. Thanks.

    I also prefer ps and kill to the Task manager, but that is just personal preference and cosmetics. In such a case it wouldn't make a difference. In Unix too, if inittab keeps re-spawning a process, kill -9 doesn't help until inittab is fixed.

  145. Re:Fastest spreading ever? Probably not. by GORby_ · · Score: 2, Insightful

    I guess I've been out of the industry so long that I forget that Windows admins take hourly or daily crashes for granted.

    Sorry, but the companies where that happens should really hire competent people instead of letting the secretary manage their IT infrastructure. We use winxp, but crashes are extremely rare (say... 1 per year or so). Severely restricting users' privileges to mess with the system helps a lot of course...

    If you use decent hardware, and install the OS + software correctly, windows XP can be rock stable too, just like linux (although the latter one tends to be a bit more forgiving in certain circumstances).

    (OK, now mod me down with this if you're a linux zealot)

  146. An end to this madness by brian6string · · Score: 1

    I spent the weekend helping a friend remove various viruses and spyware from her (Windows) machine. A common theme in these is that they write values to the HKLM\Software\Micro$oft\Windows\Run or RunServices entries of the Registry.

    Some of these even have background processes that will restore their original entry to the registry if you try to delete it. (Of course, once you end the background process, you are able to modify the registry).

    My question is: Why isn't writing to the Run or RunServices a restricted privilege? Like when my firewall software detects an unknown process trying to write to a port...a Registry Firewall could warn me about it and let me choose whether to allow such an action or not.

  147. weird by Viriatus · · Score: 0

    Well i have Windows XP and i wasn't infected. I just update my Windows regularly and don't have such problems. My only real problem is spyware which is a real plague. But last night before i heard the news about this new virus i had a problem with my computer. I was running emule in windows during all day but later when i rebooted my computer to go to kubuntu i had no internet! My ethernet card died. Luckily i had a spare one. Maybe it was the heat that fucked up my card, i don't know.

    1. Re:weird by WhatAmIDoingHere · · Score: 1

      This isn't your fucking blog, nobody here gives a shit about your NIC.

      --
      Not a Twitter sockpuppet... but I wish I was.
    2. Re:weird by Viriatus · · Score: 0

      vai para o caralho seu filho da puta

    3. Re:weird by WhatAmIDoingHere · · Score: 1

      I speak 2 languages. English and 1337. If you wish to communicate, you're going to have to use a real language. Not some taco-land bullshit.

      --
      Not a Twitter sockpuppet... but I wish I was.
  148. Incredible that port 25 filtering is effective by Oestergaard · · Score: 1

    What you're saying is probably close to true - and a *lot* of ISPs do filter outgoing port 25 traffic.

    However, it is beyond me why this is effective. Everyone and their dog will have their e-mail client (for most probably outlook/-express) configured to properly send all outgoing e-mail via. the ISP provided SMTP relay.

    If a program uses the standard mail API in windows, those settings will be used and a mail will be transmitted properly through any defined relays. For some reason, the worms choose to implement their own SMTP layer directly atop of the socket layer, rather than saving the work and using the standard API. And *this* alone causes port 25 filtering to be effective.

    The first worm that simply utilises the standard mail API will effectively bypass any port 25 blocking.

    Why they don't do this already, is beyond me.

    1. Re:Incredible that port 25 filtering is effective by The+Wicked+Priest · · Score: 1

      I can think of several reasons. The ISP's outgoing mail server may do filtering, so it won't pass on as much spam. Even more likely, outgoing mail will be limited in some way (number of messages or total bytes per user over some interval of time) -- spammers want to send millions of messages. Finally, by sending large volumes of spam through the ISP's relay, you call attention to yourself more quickly than by sending directly. A non-relaying bot thus stays up longer, on average.

      --
      Share and Enjoy: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    2. Re:Incredible that port 25 filtering is effective by Skapare · · Score: 1

      The previous reply does cover the reasons well. But despite that, I have in fact gotten spam that was relayed from a major ISP customer machine through the ISP mail servers. So either some zombies are doing this, or the customer is a spammer. But a very distinct possibility (I haven't seen it yet ... I do check my logs for this) is that a zombie would detect being blocked via the direct SMTP connection, and fallback to inserting the spam via the ISP mail server. Lots of networks are isolating end-customer addresses (whether they are real mail servers or not) and refusing email from them. I do that on the basis of the ISP's reverse DNS name strategy (so in my case, I don't refuse email from a customer with valid reverse DNS not in the ISP's customer naming strategy).

      Many ISPs do block port 25. But the big telco/cable ones don't and that seems to be where most of the spam is coming through these days. The smaller ISPs (more numerous) seem to be doing "the right thing" in a greater percentage.

      --
      now we need to go OSS in diesel cars
    3. Re:Incredible that port 25 filtering is effective by mabu · · Score: 1

      The first worm that simply utilises the standard mail API will effectively bypass any port 25 blocking.

      The first major worm that does this will probably expose its author very quickly.

      There are many reasons why worms don't use the standard SMTP path:

      1. They need to operate in previously unknown IP space to get around RBLs.

      2. If they routed through known SMTP gateways, their presence would be more critically logged, making it easy to track the injection point for the worm, and thus catch the author.

      3. Routing through a standard SMTP gateway means they will get the ISP's attention much quicker, and if the ISP has a main mail server RBL'd, they're going to be much more proactive in keeping these things from happening in the future.

      4. Most ISPs have systems in place to throttle mass-mailing through their servers. Spammers want to send mail out faster than an ISP's standard server will allow.

      5. ISPs are often filtering mail going through their servers. It's possible an attempt by a worm to propagate via the SMTP API might trigger alarms and have the e-mail stripped of its payload.

  149. Just in ... Slashdot community arrogant, clueless by jacksdl · · Score: 1

    I'm in a Fortune 100 company that was crippled by this thing all day on Monday -- we've got security stopping laptop toting people at the door this morning to clean and patch (the laptops, not the people).

    If your organization wasn't affected, it may mean that you have top, top IT staff that never miss a thing -- or maybe you just got lucky this time.

    At this point it is fairly obvious to me that this is bigger than the Slashdot crowd seems to admit.


    clever and amusing sig

  150. Re:Fastest spreading ever? Probably not. by mdarksbane · · Score: 1

    Yep, the company I intern at makes its entire business by selling "solutions" to that problem.

    Any laptop or desktop logging in without up-to-date virus software and other protections doesn't get access to the network, except for maybe an update server so they can fix themselves.

      www.endforce.com

    It seems like an interesting concept, at least. I know if they'd required it at my university it would have certainly helped the "plug in and everyone else on the campus attacks you within seconds" problem.

  151. CNN (ding! ) Be The First To Know !!! by Anonymous Coward · · Score: 0

    were the mobiles spared ?

  152. is that a trick question? by Gary+W.+Longsine · · Score: 1
    What other reasons can the /. community present for this virus removing spyware?
    Perhaps it's the work of a convicted spammer, performing court-ordered community service whilst on probation.
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  153. This Just In by djfray · · Score: 0, Troll

    -If Apple were as popular as Windows, the worm-writers would be writing their worms for Apple
    -If Linux were as popular as Windows, the worm-writers would be writing their worms for Linux
    -Arrogance isn't funny

    --
    This sig is o Unfunny o Funny
  154. I'm laughing by wodeh · · Score: 1

    Wise man say: "Today is a good day to be using a Macintosh..."

    Enjoy your endless punishment, you crazy Winblows users, god created viruses specifically to torture you! It's written in the Bible somewhere. (Big Idiotic Book of Ludicrous Events)

    --
    Gadgetoid.com - Gadgets & Games Journalism
  155. Re:Fastest spreading ever? Probably not. by Calyth · · Score: 1

    Yeah I can attest to the fact that laptops aren't treated differently than desktops.
    I'm currently on the last 2 weeks of work at a small business, but we already have a handful of laptops around, and there has been at least one case where my boss specifically asked a user with a laptop not to plug his laptop in because of a suspected worm infection, and the user still did anyway, causing an infection throughout the office.
    Superficially, it's the (malicious/dangerously negligent) user's fault. He had done something contrary to what he was instructed to do. But I think the blame should also rest on the sysadmin aka my boss because he should've made sure that laptop users don't have direct communication with the desktops, so even if he did plug it in, it's harder for the worms to spread. For crying out loud, we do have managed switches here that could've done that job.
    Sometimes I wonder how many worm infections it takes for a sysadmin to have a somewhat secure setup.

  156. Re:Fastest spreading ever? Probably not. by cmacb · · Score: 1

    I agree with you here. My personal W2000 system rarely crashed either (because I acted as my own administrator) however other people were often having trouble with their machines and the "official" admins were usually at a loss for what to do, other than replace the person's computer (and when they did that they often forgot to backup/restore the user's data resulting in weeks of aggravation). Keep in mind these were people with MCSE certifications who SHOULD have known how to manage these systems better.

    My thinking is that the Windows mindset lends itself to sloppy work on the part of the admins. Anything that they can't do with a few clicks seems like too much work for them, and the atmosphere created by existing and past flaws in Windows allows them to often escape responsibility for their poor workmanship... just blame it on hardware or Windows.

    To make matters worse, as some of these admins finally DO begin to standardize these systems around a more secure Windows set-up they are often unable to adapt to exceptions. As I've kept in touch with my former colleagues I hear that they often run into situations where the network administrators will centralize controls that prevent them from replacing their own application (i.e. applications that they are being paid to work on) and they treat every user as though the only thing they have the rights to do is open Word or Excel documents. In short, the admins, although there seem to be hundreds of them in a large organization, are total idiots.

    This situation, of needing so many admins (because so many of the functions are on thousands of users' desktops rather than centralized) and therefore looking for CHEAP admins, is one thing that goes into making TCO for distributed PC systems as high or higher than for the old mainframe systems (especially where the old mainframe has been replaced with a modern equivalent). I think that ultimately much of what we do with PCs will in one way or another be centralized again, whether it is by using something like Citrix. Or, better yet, a non-Windows solution like LTSP where this concept is more natural.

    In the environment I came from, where (1) we were writing our own applications from scratch, (2) security was a BIG concern, and (3) there were tens of thousands of desktops involved, something like Linux using a set of central systems with thin clients for most of the desktops would have been not only a much cheaper solution, but a much more secure and reliable one. One reason I left that line of work was that no matter how many high-priced consultants told them that Windows was the wrong solution they continued to stay with it, always leading me to speculate that something "funny" was going on behind the scenes. Now I can just watch these systems fail from a distance (it usually makes the news) and laugh.

  157. Re:Just in ... Slashdot community arrogant, cluele by Indy1 · · Score: 1

    it may be bigger in some networks, and not so big in others. I think it just depends how militant your organization is on pushing patches out. We're very militant in that aspect, and it seems that policy has saved our asses from zotob. Some of the writeups on zotob indicate that if you're running win xp sp2, you're pretty much immune already. I'd say about 95% of our boxes here are XP sp2, 4% win 2k, and 1% the odd random professor with an unpatched xp sp1 notebook (that eventually i'll have to hunt down and update).

    http://www.f-secure.com/v-descs/zotob_a.shtml

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  158. Re:Fastest spreading ever? Probably not. by Dare+nMc · · Score: 1

    > Anyone who uses 2000/XP for video editing
    I agree it's a configuration problem ;)
    I use windows for the gui, then dump the actual processing to ffmpeg in a X-window I have open from the linux box with the proper config.

  159. It wasn't that sudden at all by Calyth · · Score: 1

    Kinda funny that because CNN's IT folks are inept and lazy, CNN goes out on a limb and publicizes this stuff. Had they got a more responsible sysadmin (eg the parent poster), I doubt we'd be hearing this stuff from them.
    But yeah, the bug was reported on SecurityFocus 8 days ago, and I recall that by Friday, IT news channels were already reporting that this bug could become a worm (I went and downloaded the patch. I don't think this was part of Windows Update...). There should've been plenty of time for the admins to respond.

  160. What I find interesting... by skyggen · · Score: 1

    The reason for the fast hacker turn-around, said Ullrich, is that attackers are sharing more and more information. "Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground," Ullrich said. "The only way we can keep up with this development is by sharing information as efficiently." Read Carefully. The reason hackers develop code quicker than MS is because they share code. Hmmm.. That sounds oddly familiar. ;)

  161. Re:Fastest spreading ever? Probably not. by mwood · · Score: 1

    They still have NULL sessions enabled? They still have UPnP enabled? Wow. Next you'll tell me they don't have a policy instructing all domain members to take updates from their SUS/WSUS server everyday.

    It's like my plane was diverted to Bizarro World or something.

  162. Re:Just in ... Slashdot community arrogant, cluele by Anonymous Coward · · Score: 0

    Or, you don't run Windows 2000. We run Windows 98! muhahahahahaha (financial institutions move slow, and most of our lusers don't know a computer from a hole in the ground ....) Might have something to do with us bein a union shop, too. Luckily I'm not.

  163. Psh. by Fantastic+Lad · · Score: 1
    I still use Win98.

    It's called, "Living under the Radar."


    -FL

  164. Re:Thanks for 100% uptime? Dream on. by mwood · · Score: 1

    If you're in IT for recognition from end users, you have the wrong job. You know you've done well when hardly anybody speaks to you.

    Me, I have things to do which are a lot more fun than sponging viruses out of workstations, so I do all I can to keep them from getting in.

  165. Sick of it all. by Anonymous Coward · · Score: 0

    Taking my etch-a-sketch and going to hang out in the bathroom till my legs fall asleep.

  166. Perhaps, but... by Richard+Steiner · · Score: 1

    ...the combination of more technically experienced users and less stupidly-designed mail and web clients would make those systems somewhat harder targets, I think.

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
    1. Re:Perhaps, but... by djfray · · Score: 1

      That applies to windows as well.

      --
      This sig is o Unfunny o Funny
    2. Re:Perhaps, but... by techmeltz · · Score: 1

      Wow, there are other slashdotters from mableton! and I thought it was just blue haired old ladies and day laborers! Slashdotter from stone mountain, previously from mableton

      --
      [This space for rent]
  167. It's Just You by SkiifGeek · · Score: 1

    In less than a month, my company has notified over 600 sites that they have been defaced by 'Internet Hackers', and the majority do leave a political message. The flavour of the month seems to be Turkish hackers badmouthing AUS, UK, US and the 'War on Terrorism'.

    The remainder are just the equivalent of 'I was here', or 'Our group R0xx0rs'. I think that the reason it has changed is that Internet defacements do not really reach out and touch people like worms do.

  168. Re:Been using NT4, W2k, WXP, since '99, NO crash e by pixelpusher220 · · Score: 1

    Nice...care to pass the "coke-off-monitor" clean up tools?

    Thanks for the laugh!


    --
    People in cars cause accidents....accidents in cars cause people :-D
  169. Re:Thanks for 100% uptime? Dream on. by Grishnakh · · Score: 1

    If you're in IT for recognition from end users, you have the wrong job. You know you've done well when hardly anybody speaks to you.

    Wrong. In my corporation, the people who do the best are the ones with the most "visibility". Those without a lot of visibility get very poor reviews at the end of the year. IT people who spend all their time fighting the weekly virus outbreak get tons of visibility, because they can claim they're heroes for working diligently to apply the latest patches and prevent a total catastrophe. They then get awards for this work at quarterly meetings, and usually people who get a lot of awards also get big raises.

    Running Linux in this organization would be terrible: the admins wouldn't get any visibility because everything would work smoothly and no one would pay attention. These admins would then get poor reviews because they didn't have any visibility, and would then look for greener pastures outside the company.

  170. MS patching woes by Anonymous Coward · · Score: 0

    It's been a rough two weeks to be using Microsoft Windows 2000. Here is a quick breakdown of the common problems that have surfaced in the last two weeks.

    Server: Windows 2000 SP3 with APC PowerChute software 6.x installed.

    Issue One: MS05-039.
    You have to be SP4 or greater to install. We'll get back to this issue when we're done with everything else that happens if the Fates hate you and you happen to install SP4.

    Issue Two: APC Powerchute 6.x
    After installing SP4 you reboot...and now you can't reach the desktop. The certificate that lets the powerchute software launch expired on the 27th of last month. Time to boot to recovery console and disable the APC services. Now you can boot to the desktop again (and update the software later. See APC's website).

    Issue Three: Post SP4 security rollup 1
    http://support.microsoft.com/kb/891861/
    Trying to save time after updating to SP4 you install the rollup to apply several hotfixes in one go. Take a read of the article...there are several things that can happen. My favorite one experienced to date has been the system drive letter changing from C to something else every other reboot. But then again I told the client to not use dynamic disks on the system volume. Anyway, the normal remedy is to uninstall the rollup and wait for the new release (no ETA). So now you're out an hour more time and installing the hotfixes again.

    Issue Four: MS Genuine Advantage
    For any of the hotfixes you don't have downloaded locally you can always use Microsoft Update, at least if you don't have a pirated version of the OS. To prove this you have another reboot coming to install the latest version of Microsoft update and the Genuine Advantage tool. You haven't done this already for the same reason you're still on SP3. Moving on...

    Back to Issue One: you can now install MS05-039 and be secured against the worms.

    It's a fair amount of work, but then again the premise is either a) you've been lazy or b) the client never got around to testing/validating the software on SP4. Sorry, mainline support stopped a few months ago. That was a wakeup call before the worms appeared.

    Just my 2 cents (added to the hourly fee)

  171. Agreed. Let's Streamline the language by FreeUser · · Score: 1

    Yes, I know the difference. I typically don't make a huge deal to differentiate between the two because they are virtually identical in the PUBLIC consciousness. I guess I just slip into that mode since I deal with non-IT folk all the time.

    I agree. Let's streamline the language, since the dumbed down public can't grasp much anyway.

    I suggest we refer to all worms, trojans, and viruses collectively as "marklar". I furthermore suggest we refer to those who install, create, use, benefit from, are harmed by, or unaffected by, said "marklar" "marklar" as well. I would furthermore expand the definition to include all actions by said "marklar" as "marklar", as well (thereby streamlining cause, effect, action, and milieu as one all encompassing, comprehensive concept: "marklar").

    Thus, quoting you:


    Marklar, Marklar marklar the marklar. Marklar marklar marklar marklar a marklar to marklar marklar the marklar because marklar marklar marklar in the MARKLAR marklar. Marklar marklar Marklar marklar markar marklar marklar Marklar marklar with marklar marklar marklar marklar.


    Terminology should always be dictated by, and pandered to, the least common denominator persons discussing the topic they know nothing about. To do otherwise may be to do the unthinkable: educate the ignorant.

    --
    The Future of Human Evolution: Autonomy
  172. Re:Fastest spreading ever? Probably not. by delus10n0 · · Score: 1

    That's probably the most generic and incorrect statement I've ever heard.

    Want to put a huge strain on your system's components? Go play a first person shooter, like Doom3 or Battlefield2. This is going to tax your system more than video editing will. And if that crashes or locks up, you can take your pick from the typical problems:

    1) Cheapo power supplies. Sorry, a $15 power supply is crap. You get what you pay for.

    2) Custom cases with little/no ventilation. You need a fan pulling in cool air, at the bare minimum, in combination with your power supply fan exhausting hot air. If you've got a billion hard drives and the latest video cards, you probably should have more fans.

    3) Overclocking (CPU, GPU, Memory). Retarded. Enough said.

    4) "Enhanced" drivers, or non-WHQL drivers. While WHQL drivers aren't "perfect" (thanks to dishonest companies) they do ensure that the drivers have met a certain quality level. The tweaked/enhanced driver sets that people install don't have to go through these checks, and do all sorts of stupid things (see overclocking above.)

    --
    Not All Who Wander Are Lost
  173. Re:Win2k users, like banks, trusts, securities fir by EvilTwinSkippy · · Score: 1
    Windows is in a pickle of its own making. To cut the throats of competitors, they buried what should be application code into the guts of the OS and knitted things like "Spell Check", "Program Scripting", and "Contact Lists" into the API. As a result, the API is overly complex. It is also confused about when something is working on the hardware, OS, Application, or User level. A call that is designed to retrieve an address from an address book can, with a little hacking, access the registry or even the file system.

    If anything Windows will be out in the cold. To secure their system they are going to have to start from scratch with the API. A lot of companies that write custom software, forced to migrate their software no matter what, will migrate to Unix-like systems because the API has more or less been set in stone for 20 years, and will remain so for the future.

    And should a new API break your code, you can keep running on the old API. It will be supported as long as someone has a copy of the code.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  174. HA HA by Anonymous Coward · · Score: 0

    Boy am I glad I still run Windows NT 4.0. :)

  175. I've only been here since July 1st. by Richard+Steiner · · Score: 1

    We saw some fairly nice areas in both Smyrna and Mableton, and since I work near the Cumberland Mall, they both seemed like a logical place to look for a house.

    In the end, Mableton won. :-)

    I'm just south of the EW Connector on Cooper Lake Road. Not in the big new fancy houses, though.

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  176. Conflict of interest for you /.ers? LOL by Anonymous Coward · · Score: 0
    It could have done us all a favor, and infected Fox's network.

    Oh yeah, let's infect Linux, considering that FOX is smart enough to use that. Or do most /.ers here have a conflict of interest between their views on OSS and politics? Oh yeah, this is /.

    Sorry guys, can't have your cake and eat it too (unless you're a conservative who supports OSS, like me.) :)

  177. Big Brother ISPs by gargonia · · Score: 1

    I agree with your sentiment here. It really bugs me that I can't run my own mail server without having to channel everything through my ISP's mail server just because other people can't handle properly configuring their computers so as to avoid being used as spam launching stations. I purchase internet access, but I don't get internet access... I get a filtered connection that allows me to operate on ports the ISP determines are safe for me to have access to. What comes next? Will my ISP determine what websites are appropriate for me to access, what hours I should be allowed to access, what OS I can use, etc.? I don't like this paternalistic regulating of my bandwidth, I don't think it's necessary, and I think ISPs that do so should be liable for theft of services, but, alas, the only way you can get the bandwidth is to pay what they ask, sign their TOSes, shut up and like it.

    --

    -- Gargonia
    Never play leapfrog with a unicorn.

  178. Everyone should be using XP? Ha! by Anonymous Coward · · Score: 0
    Microsoft is calling this threat "low-impact" or "moderate" is that they consider Windows 2000 to be a second-tier operating system at this point and that everyone (and I mean everyone and his dog or penguin) should be using XP.

    Hmm, they're the same company that thinks everyone should be using Internet Explorer. Suuuuurrrree, I'll take their advice. Oh wait my versions of Windows do not have Internet Explorer, let alone any trace of XP. Oh and I don't get infected. Ever. Hmm....

  179. Re:Fastest spreading ever? Probably not. by Gary+W.+Longsine · · Score: 1

    I thought I saw you when we boarded. That was me wearing the Viva La Relativity! T-Shirt.

    Yes, not all clients are rational.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  180. Re:Agreed. Let's Streamline the language by Anonymous Coward · · Score: 0

    Now THAT was funny.

  181. Re:Fastest spreading ever? Probably not. by ozmanjusri · · Score: 1

    That's probably the most generic and incorrect statement I've ever heard.

    Um, yeah sure.
    Look, I'm sure you mean well, but I've been around video long enough to have played with one of the first Fairlight CVIs to come out. I have nine Windows boxes, two Linux servers and a G4 Mac around the office and edit suite. "Cheapo power supplies", custom cases etc aren't part of this world and neither are FPS games.

    Still, since you say so, I'll believe there's some wonderful parallel universe where a magical combination of hardware and configuration settings will let Win 2K/XP work without crashing, and recover cleanly from heavy loads. Trouble is, that world is a long way from this one, where I and my clients spend a great deal of time, money and effort keeping these and other Windows machines up and running.

    --
    "I've got more toys than Teruhisa Kitahara."
  182. Re:Fastest spreading ever? Probably not. by delus10n0 · · Score: 1

    Can you be more specific about crashing/heavy loads? Like I said, an FPS is going to strain your machine more than any video or audio editing is going to.

    Most of the time, when you are dealing with add-in video or audio cards, the companies that make them cut corners in hardware or driver design, or worse, design strictly for Mac (with PC being an afterthought.) This leads to terrible non-WHQL'd drivers, which cause crashes/blue screens/other fun things, and leads people to blame Microsoft when they shouldn't.

    --
    Not All Who Wander Are Lost
  183. Re:One of the SLOWEST spreading infections in hist by Randseed · · Score: 1

    Worse, my network IDS still catches the various Mickeysoft SQL worms' attempts to propagate. A year later.

  184. Re:Fastest spreading ever? Probably not. by ozmanjusri · · Score: 1

    Like I said, an FPS is going to strain your machine more than any video or audio editing is going to.

    Look, it sounds like you're a young bloke, so no offense, but if you think a few hours playing an FPS is even remotely similar CPU loading to rendering video streams, I'm afraid you don't know what you're talking about.

    If you're genuinely interested, there's bound to be a jobbing video pro in your area who wouldn't mind you having a look around - they're generally not too precious about hardware. Just a tip though, try not to be so patronising. We're not all novices out here...

    --
    "I've got more toys than Teruhisa Kitahara."
  185. Re:Fastest spreading ever? Probably not. by mwood · · Score: 1

    To be fair, crummy third-party software often makes it difficult to run an MS Windows setup properly. And I'm not talking about Sid's Storm Doors and Software Ltd.; I'm talking about well-known products from well-respected companies. Some of them are only well-respected because nobody listens to sysadmin.s anymore.

    The world is still lousy with products that have obviously never ever been loaded on a halfway secure box, because when you do, they upchuck and die instantly. Products that have no notion of multiple users. Products that demand world write access to the directories where the program lives, or want everybody to be a member of Administrators. You'd think these people had never seen a modern computer installation.

    Windows Installer has been in the field for, what, about *six years* now, and there are still many many big-name products that either don't use it or use it stupidly, making managed installation difficult to impossible. I'm working up a repackage now of a *very* popular product whose latest kitting might have been designed as an example of how *not* to deploy software.

    I've taken the approach that our MS Windows setup will be secure *first*, and then the app.s are made to work. We haven't had much instability or many infections, but it's amazing the number of products that won't work out-of-the-box when you set up the platform properly. (It's also amazing the number of tech-support people who will swear up and down that their company's product can't work in an environment like ours, after I've already made it work.)

    Bottom line: MS Windows can be stabilized and secured, but when you have a hundred standard app.s stability and security don't just happen; it takes a lot of hard work, a lot of investigation and experiment, and a lot of shouting at suppliers, and it never ends.

  186. Re:Fastest spreading ever? Probably not. by Cylix · · Score: 1

    I don't know why I keep doing that with the apostrophe lately. I know it shouldn't be there. Damn me. Damn me to hell.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  187. Is there a "botwar" going on by Madas · · Score: 1

    This article on SC Magazine Apparently there is a war between virus writers and they are all trying to delete each other's viruses. Mikko has provided a lovely diagram to illustrate the point.

    --
    The latest gadget news and reviews. www.absolutegadget.com
  188. Re:Fastest spreading ever? Probably not. by Feztaa · · Score: 1

    Heh, yeah. I remember when I lived on campus, at times there'd be warnings not to connect to the internet because you'd get a worm from the other infected hosts on the network. Being a linux user, I just laughed at them.

  189. Re:Fastest spreading ever? Probably not. by jcr · · Score: 1

    People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal

    That's hilarious, in a sad-but-true kind of way. I talk to people all the time who've made the windoze-to-mac switch within the last year, and they marvel at the stability. It's amazing just how low the expectations are among the general population.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."