ZOTOB Not Quite as Bad as Expected?
GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows Operating systems, but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "
It is not a minimal risk for a Windows XP system to get infected. Not after Microsoft have changed their Windows Update program. I have a lot of friends struggling with properly securing their pirated version of XP.
Is that like h4cking teh gibson?
I want to delete my account but Slashdot doesn't allow it.
overblown? I think it all started at the Michelangelo virus, where the media was telling everyone to turn their computer off on Mikey's birthday? It's gotten worse since then.
Anybody got a torrent?
Our language is a wonderful thing. Please stop using it.
From all that I've read on the news lately, it looks like the various variants are battling each other... so they may be keeping their own numbers down.
Hmmm witty sig or funny sig? Maybe elitist techy sig!
Move along. No story here.
It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.
Everyone that disagrees with me is a paid shill
'The worm only spreads to systems running on Windows 2000, XP and Server 2003'
This seemed funny to me, as if somehow not a significant portion of computers run those OSes.
I would like to name August the official Worm month.
August 2003: Sobig
August 2004: Sasser
August 2005: Zotob
What's next?
Gaming and technology news in French. TC
On the whole, this is probably the best thing that has happened to Microsoft lately - it'll encourage clueless managers to order that their company's systems be upgraded, with a release of Vista around the corner. It's amazing just how many businesses still rely upon W2k.
This worm, while not as bad as some we've dealt with in the past (slammer/sapphire, code red, msblaster) is still a pain. It is still likely to cause huge spikes in network traffic for infected networks. I've already seen an instance where hundreds of machines seemed to be infected and only the mitigation in place at the edge routing devices was able to stem the flow of traffic outbound.
This type of traffic has the potential to knock over routers/firewalls. I've seen it before and I have seen it this time as well.
it is better to light a flame thrower than curse the darkness. -Terry Pratchett Men at Arms
Lucky Windows 3.0 users can be at ease.
It's been pretty hairy here, inside the walls of a Fortune 500 company. Probably because we have so many variations of Windows in our lab, it was all over the place. People who had kept up to date and patched weren't hit bad (I'm on XP SP1), but we were creating ad-hoc teams all afternoon yesterday trying to get things clean.
In some ways, this was a bigger deal than Sobig.
Tim
This worm is definitely a problem. Just ask all the IT support staff out there who have lost sleep for the past few days patching systems, updating anti-virus, and chasing down infected workstations. Granted the world did not implode on itself because of this virus, but I can guarantee that it will cost organizations quite a bit because of it.
They make no mention of Vista being susceptible...I think the only way to protect ourselves is to upgrade to the new version of SuperWindows!
yesterday on NPR they were going off about how it had infected ABC, CNN et al. and they had been reduced to writing their copy on typewriters.
I'm sure as far as the news outlets were concerned this is the worst virus since organized religion (Snow Crash reference)
Petyr Rahl
People who hate Windows write worms and viruses designed to discredit the operating system and cause mass chaos.
People who hate Microsoft pirate Windows (see the first reply to this article) or refuse to authenticate it in an effort to defy the M$ empire and therefore cannot utilize the patches designed to keep their system safe from other Microsoft haters.
So now honest companies and hard working individuals must spend time and money trying to protect their systems because of some anti-Microsoft zealots who are the same people complaining that they can't patch windows because they stole it?
The company I work help desk for got hit by Zotob on Monday morning, and by 7:20 it had taken down several servers and most of the computers in one section of the company. We are actually still patching and scanning systems, they shut off the wireless network when it started and just turned it back on today. They had turned off access to shared drives through VPN and are scanning all laptops that enter any of the buildings before they let them into the main area. I would like to know who it is that let this into the network and give them a nice punch in the nose. I am sure they hope no one finds out as it probably cost the company several millions in downtime.
-- Any comments seen here are not mine, but a mixture of alcohol and lack of sleep.
Zotob is affecting more than Windows machines. Case in point, the network is really slow (via the Windows garbage) which is making Slashdot load slow for me and I am running Solaris. Grr.
Yes! I listen to NYC Speedcore and do math at 3AM. I suggest you try it too.
Why in the world is this listed as a mitigating factor? Is there really that large of a 95/98/NT base left?
Computer users need to remain vigilant and take immediate measures to protect against this and other attacks.
If only there was a color coded alert system to warn us of when we should take these immediate measures!
A citizen of America will cross the ocean to fight for democracy, but won't cross the street to vote in an election.
Now the submission says "propagated on the internet", as it should have all along. Don't you subscribers point this stuff out to the 'editors' ?
I want to delete my account but Slashdot doesn't allow it.
When was the last time a big Windows-based worm went around that didn't already have a patch available? Some of the biggest (say, Blaster) had been patched months before!
What's happened is that the bad guys have gotten faster at exploiting the vulnerabilities once they're disclosed. Meanwhile, the vendors have been trying to convince everyone to update as quickly as possible. That's why it's hard to argue against automatic updates (or at least semi-automatic, as in timing it so that an admin is on hand to fix any problems that pop up).
The story here is that a worm zoomed across the net less than a week after the hole it uses was patched. It's not the extent (which the media overstated) but the speed.
What a joke! They apparently got hit badly. They had a big red box down in the crawl area and endless repetitive coverage like it was the London bombings or 9/11 all over again. Made it seem like the sky was falling. Ari Belshi stood next to his rebooting 2000 machine and lots of footage of their sweaty IT guy as he stood before an infected machine. I'm surprised they didn't cap it off with Lou Dobbs claiming this was just another symptom of our open borders. That few hours on CNN should go right up there with the VH-1/MTV coverage of Live 8 in the TV hall of shame.
Both the Symantec link and the F-Secure link state that only Windows 2000 machines were affected.
F-Secure Writes: "The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected."
The Witty worm spread much faster despite the very small base of susceptible hosts (only about 12,000 total that had some old version of some firewall software). Witty had a doubling time of only a couple minutes and nearly saturated (infected all susceptible hosts) in less than one hour.
A modern worm should be able to spread extremely quickly -- sending out hundreds of infectious packets per second if the payload is small (Witty's was only 637 bytes). If only 1 in 10,000 machines is susceptible, then a worm spewing 100 randomly addressed packets per second should double the number of infected machines every 100 seconds. I'd wager that the number of zotob-susceptible machines was much greater than only 1 in 10,000, so zotob should have spread faster. If anyone ever creates a worm that can infect even 1% of IP addys, it would double every second and saturate the net within the first minute or so.
Why didn't zotob spread faster?
Two wrongs don't make a right, but three lefts do.
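The doubling-time arithmetic in the comment above, worked through as an added example (this is not code from the thread or from any worm analysis): a random-scanning worm modelled as the logistic "random constant spread" equation, with a closed-form solution and a small time-stepped simulation for when you want to add patching or bandwidth limits. The scan rate, susceptible count and address-space size are illustrative parameters, not measured Zotob or Witty values. For the comment's numbers (100 probes/s, 1 host in 10,000 susceptible) the model gives an early doubling time of ln 2 / (rate x fraction), about 69 s, the same order as the 100 s figure.

```python
"""Random-scanning worm growth model (added example, not from the thread).

Assumptions (illustrative, not measured Zotob/Witty values):
  scan_rate        probes per second emitted by each infected host
  n_susceptible    number of hosts in the address space that can be infected
  address_space    size of the address space being scanned uniformly at random
  initial_infected hosts infected at t = 0
"""
import math


def growth_rate(scan_rate, n_susceptible, address_space):
    """Early-phase exponential rate k (per second).

    Each probe lands on a susceptible host with probability
    n_susceptible / address_space, so while few hosts are infected each
    infected host recruits scan_rate * that probability new hosts per second.
    """
    return scan_rate * n_susceptible / address_space


def doubling_time(scan_rate, n_susceptible, address_space):
    """Seconds for the infected population to double while growth is exponential."""
    return math.log(2) / growth_rate(scan_rate, n_susceptible, address_space)


def time_to_fraction(fraction, scan_rate, n_susceptible, address_space,
                     initial_infected=1):
    """Closed-form time until `fraction` of the susceptible hosts are infected.

    Model: dI/dt = k * I * (1 - I/N)  (logistic / random constant spread),
    solution I(t) = N / (1 + C * exp(-k t)) with C = (N - I0) / I0.
    Solving I(t) = fraction * N for t gives the expression below.
    """
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    k = growth_rate(scan_rate, n_susceptible, address_space)
    c = (n_susceptible - initial_infected) / initial_infected
    return math.log(c * fraction / (1 - fraction)) / k


def simulate(fraction, scan_rate, n_susceptible, address_space,
             initial_infected=1, dt=0.1, max_time=10**7):
    """Step the same model forward (Euler) until `fraction` of the susceptible
    hosts are infected; returns elapsed seconds.  Use this variant when you
    want effects the closed form cannot express, e.g. hosts being patched or
    cut off at some rate, or a scan rate that drops as links saturate.
    """
    k = growth_rate(scan_rate, n_susceptible, address_space)
    infected, t = float(initial_infected), 0.0
    target = fraction * n_susceptible
    while infected < target:
        if t > max_time:
            raise RuntimeError("did not reach target within max_time")
        # New infections this step: probes from infected hosts that land on a
        # still-uninfected susceptible host.
        infected += dt * k * infected * (1 - infected / n_susceptible)
        t += dt
    return t


if __name__ == "__main__":
    # The comment's scenario: 100 probes/s, 1 host in 10,000 susceptible
    # (address space and population sizes here are illustrative).
    A, N, R = 10**9, 10**5, 100
    print("doubling time : %.1f s" % doubling_time(R, N, A))
    print("time to 50%%   : %.0f s closed form / %.0f s simulated"
          % (time_to_fraction(0.5, R, N, A), simulate(0.5, R, N, A)))
    # The '1% of addresses susceptible' scenario from the same comment.
    print("1%% susceptible: doubles every %.2f s, 99%% infected after %.1f s"
          % (doubling_time(R, 10**7, A), time_to_fraction(0.99, R, 10**7, A)))
```

Two things the numbers make visible: the time to saturation is dominated by the slow early phase (getting from one host to a few thousand), which is why a worm with a head start of pre-seeded hosts, as Witty is believed to have had, saturates far sooner than a single-seed model predicts; and the saturation time scales with log(N), so even a 10x bigger susceptible population only adds a couple of doublings.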
Once we control the spice, we control the worm.
It's striking how nice the virus writers are to the antivirus companies. Most viruses do just enough damage to require ongoing spending for antivirus tools and upgrades, but not enough to make users switch to, say, Linux. There are exceptions, like the virus that encrypts data on the hard drive and demands payment in E-gold, but those are very rare. Few viruses erase data. Few do things that would make removal impossible without physically opening the computer, like modifying the BIOS so it can only boot from the hard drive. The mainstream viruses seem to be carefully tuned to optimize the revenue stream of antivirus and upgrade vendors.
Somewhere there's a reason for this.
Of course these lessons bring up another argument, over the last 10 years a lot of non-computer people or hobbyists/tinkerers have been put in admin positions. Therefore many of them do not understand the weaknesses of networks and the strengths of each OS out there until someone smacks them with a large chunk of data loss, network downtime, or company embarrassment. Now that they have learned this lesson, what will be the next one? And could this have been avoided had the companies not used the "buddy system" and hired competent professionals in the first place.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
This malware outbreak received disproportionate media coverage, because it hit media outlets first and hardest.
org.slashdot.post.SignatureNotFoundException: ewg
Given that you have to do such a big song and dance just to get the patches (yeah, yeah, it is at work for a legal copy), what are the chances of getting zapped while you are downloading everything?
The other big hassle with Win2K patches is that some of the patches (835732 -- the Sasser patch -- and 889293 and some others) bolex up IE from working. So I am supposed to switch to Mozilla or whatever, but d'ya suppose Microsoft would like me to still use IE? Patching this one W2K machine is this big sifting and winnowing process of endless reboots to load/remove patches to find out which patches I can take and which ones I cannot.
Funny thing is that I had the problem on one W2K machine, and the problem was not so much IE as some Explorer component that I couldn't start Control Panel without a crash, but it required an IE reinstall to roll back. That machine is now fully patched because MS, bless their black little hearts, must have patched the patches.
This other machine however only had a problem with IE crashing on startup if I installed some patches and has been a pain to maintain. I have virus checked and spy checked and registry checked the darn thing all up and down to see if some malware is involved to no avail. Currently I am afraid to switch this machine on, although it is behind a firewall and it is SP4.
Wow, you've been reading too much sci-fi. Lay off the crack.
:)
If there are factions, it's just a bunch of 14-year-old Windows users that prefix their IRC nick with their clan name, e.g. [VWF]h4x0r is a member of [V]irus [W]riters [F]orever. They can't offer you an "expert protectionism", whatever the fuck that is, because they're too dumb. Have you seen the code to some of these things? Crap.
Again, there aren't any "viral factions", you need to unsubscribe from the space channel, any MMORPGs or other online games you own, burn your scifi books and get some fresh air.
Cheers
Isn't that like saying, "AIDS only infects those people having sex, and the possibility is minimal?" Sorry, in Risk Management, a risk is still a risk that needs to be mitigated. We've all seen examples (whether in our workplaces or in the news) of times when users have had this lackadaisical attitude about viruses that have brought an organization's network down and clogged the internet.
Bottom line: patch your Windows environment.
It is not our abilities that show what we truly are... it is our choices.
San Diego County Government had 12,000 workstations crash.
People couldn't do ANYTHING connected to the county.
They had 3,000 systems up today.
Wonder if I can apply for the sysadmin job?
You can't talk about Wikipedia's flaws on Wikipedia
Kneel before ZOTOB!
"Made up/misattributed quote that makes me look smart. I am on
I don't know if it was "minimal" elsewhere, but it hit GE Transportation really hard. We had two sites go down completely (no network, no computers), including HQ in Cincinnati. The sites went completely offline around 3pm, and I can only assume the poor techies had to stay all night to patch each computer on campus manually (because they won't stay on, always rebooting). When I got to work the next day, we all had a specific set of instructions to do to complete the patching process. They really lost a fortune on this one.
Microsoft's decision to no longer patch pirated installations has a few unintended consequences. There is now a base of unpatched machines that any new worm will likely be able to exploit. If a greater fraction of machines are unpatched, a greater fraction of infection attempts will succeed, and the worm will spread faster. A faster-spreading infection means more legitimate Windows users will be infected before they patch (although the auto-updating feature of Service Pack 2 will help with this).
And of course, that population of never-patched machines affects everyone who uses the internet, regardless of their operating system.
Deletes the following registry values:
...
"MyWebSearch"
"WINDOWS SYSTEM"
"Zotob"
"MyWay"
"WeatherOnTray"
"Apropos"
"IBIS TB"
"TBPS"
"Toolbar"
"Hotbar"
"CMESys"
"NavExcel"
"ViewMgr"
"eZula"
"EbatesMoeMoneyMaker"
"Ebates"
"AutoUpdater"
"Gator"
"Trickler"
"QuickTime"
"GatorDownloader"
"eZmmod"
"Viewpoint"
"TkBellExe"
"180"
"WinTools"
"Real"
"QuickTime Task"
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
A stupid question: would a standard software firewall (say XP SP2 firewall) prevent this attack?
If so, why is there such a high risk. Surely everyone runs firewalls these days?
James
http://www.reeb.freeserve.co.uk
The article is wrong, zotob has variants that infect 9x thru 2003. You can look at the summaries on symantec. As a pc support person at a very large company (one of the ones mentioned on cnn when they talked about zotob), this is certainly the worst virus I've had to deal with.
Just the ones that 90% of people who use Windows use. Don't worry, your computers running DOS, Windows 3.1, 95, 98 and the wonderful ME cannot be infected.
How odd that this worm should attack W2K so severely, and W2K3/WXP not so severely, just as Microsoft is dropping sales of W2K, and urging W2K users to upgrade, including draconian herding techniques like discontinuing W2K automatic update support.
Now, even if MS hasn't created this worm, or released it into the wild, or deprioritized fixing bugs in W2K for it to exploit, or overhyped its danger to create "relief" that its favored W2K3/WXP products aren't at as much risk... don't you think the people over at the "W2K extinction department" in Redmond are very happy about this bad news? That's an incentive to neglect security. Like the sheepdog carpooling with the wolf.
--
make install -not war
Hard to feel sorry for the people still running windows, how many times does the car have to break down on the freeway before you trade the SOB in for something reliable?
what is it called when you continue the same behavior and expect different results?
All patch management issues aside, how hard would it be to simply:
- Firewall your networks, on *both* sides
- Limit access of portable computers
Worm exposure would be greatly mitigated by those things alone.
Throw in mail filtering/scanning/content quarantining, and virus risk is greatly reduced as well.
If you don't secure your networks, regardless of which systems you run, you'll regret it, eventually.
Personally, I'm more worried about machines that run fulltime, sometimes for weeks without being checked, in labs.
A few were infected here at the UW.
-- Tigger warning: This post may contain tiggers! --
Myself I ended up at work 20 hours on Monday this week patching servers. Given that we have about 500 servers in our environment with one person doing the patching this wasn't so bad.
We ended up with a lot of problem because of this worm... less because it actually caused problems with the machines but more because we could see machines constantly trying to infect one another. It wasn't pretty. Our workstations were most at risk, being the largest installed base but also running Windows 2000 SP3 (not SP4 unfortunately). No patch has been generally released for SP3 WS's, but a custom patch IS available from Microsoft if you request it. Due to other factors in play, we have elected to upgrade to SP4 and install the appropriate hotfixes. This is not going to be pretty over about 10,000 workstations.
See, what some people miss when they say that any infection may be due to bad administration is simply that we're dealing with huge numbers of machines, both servers and workstations that are potentially vulnerable. Due to application compatibility and tested standardized platforms we often don't even get the option to keep stuff up to date. The only reason we even have Windows 2003 servers in place today is because we forced the issue with our Corporate guys when we implemented Active Directory; we informed them that we had a need for functionality not provided by Windows 2000 AD (which was true). There is a project currently under way to test Windows XP for rollout, but honestly chances are that Vista will be shipping by the time we even reach 50% rollout mark.
So, why the rant? Well, it must be understood that jumping on the latest patches is not always an option in the corporate environment. Also, jumping on the operating system bandwagon is rarely an option because there's a lot of regression testing that has to be done. Hell, there are some instances where we're having to push the application vendors to support Windows 2003 Servers in our Citrix environment because they've never tested it. Welcome to the realities of Corporate IT.
Are there solutions? Sure! However, none of them are acceptable to most corporations. Linux is not an option, neither is OSX. In both cases we come back to the legacy support issue. Citrix to share the applications? Great... but you're only redirecting the problem to the server farms, not eliminating it. Real world Corporate IT is not as black and white as people would like it to be, myself included.
This virus gained traction because most corporations work this way. It wasn't helped by the fact that McAfee and Symantec both waited two days after the virus was discovered to release a signature update that recognized it.
One positive thing though; this virus is forcing the management to finally listen to my department's complaints that we need to be more proactive about patch management, and this time stuff might get done. We've got a long way to go, but this should be the start of something better.
The mitigating factor is that it attacks a code path that is disabled by default on Windows XP and Windows 2003. So you probably aren't vulnerable anyway.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
A virus could easily be extremely malicious, yet unlikely to be detected for days.
For example, it would be relatively simple to write a virus which had a database of common names, and rude words to replace them with. It would know enough about Word's file format to seek out Word documents and quietly switch the names. You could do the same with web pages.
Most businesses wouldn't notice, until someone sent a letter to a major client starting "Dear Dick Head..." or the press wondered why the CEO's web page called him "Fat Crook".
You could even make the substitute words the same length as the search words, so you wouldn't need to understand the file format and wouldn't need to rewrite files. Target the newest files first for maximum effect, or target the oldest files first for longest time before detection. You might even manage to hold out undetected for long enough that people's backups would be corrupted too.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
This is part of the first wave of "it's not so bad and it is the victim's fault anyway" press releases which will be followed shortly with the 'any operating system is vulnerable to viruses' wave of press releases, followed by the 'Windows Vista is much more secure and everybody should upgrade' press releases. The only amazing part is that Windows users never seem to catch on. Somebody who bought three Ford Pintos and somehow managed to survive when they all burst into flames would probably think long and hard before buying a fourth one. Windows users? Not a chance.
In addition to the Fortune 100 company I work for, it has had significant impact on GE, UPS and SBC. I know it has hit us harder than any other malware to date.
Microsoft is claiming that the impact is very limited. That alone should cause the contrarian Slashdot types to suspect this is a big problem.
Windows 2003 Server has a little something called 'Secure by Default'.
-IIS isn't installed by default. When it is, only static pages (by default) can be hosted
-Ports you don't use are turned off
-Share access defaults to 'Read Only'
-Enforcement of 'Strong' passwords
-Blank Passwords are forbidden
etc,etc..
Yeah, internal firewalling would be great, let's just block port 445 on the LAN-- it's not like Windows uses that port for anything. Oh, wait, it does.
Great solution, genius. Why even bother with internal firewalls when you could just take a pair of garden shears to the network cable on each workstation and get the same result?
Granted, I deal only with about 150 users, over about 6 companies, however, I haven't even had a reported case of this worm.
The only excuse for an administrator having a problem with this, is if the patch is incompatible with some or other software.
Any competent administrator knows:
WSUS works like a charm, you can tell it to check for updates every day, and then all clients on the network can be forced to apply the patches.
There are instances where WSUS cannot really help much:
It's called preventative maintenance, you can replace your brakes after they fail, but if you do it before they fail, it saves you having to repair the rest of your car as well.
In summary, all administrators from companies that run a domain controller, and have a reasonable amount of resources should NOT have experienced any major outbreak. So stop whining, clean up your mess, do your job properly now and avoid future problems.
Would you point me in the direction of a *nix that has NEVER had more than one security issue? I just want to run something absolutely perfect like you do...
Thanks
I read
rob-bot
What's next?
August 2006: Longhorn
Well, it will propagate itself through the internet.
Illegal? Samir, This is America.
Just a curious question:
Are there any systems that could be setup to locate clients (say in a LAN) attempting to propagate worm infections, and then pass on an autopatch or something similar to clean it out (using whatever exploits/backdoors the worm opens or got in with).
Alternately, how about something that would deny those machines access to the network, perhaps by having a master password on local routers and commands capable of directing traffic from infected machines (on infection ports at least) to the bit-bucket.
No it shouldn't!
If you don't know where you are going, you will wind up somewhere else.
It's been like firemen at an oilfire at a few GoA servers. My ministry hasn't been hit though, yet.
A couple days ago our IT director sent out an email saying: "Would you please refrain from using the Internet immediately until we have taken the appropriate actions to prevent the virus."
And today we've been asked not to download anything, don't use Messenger and to bring any laptops to them for worm inspection prior to connecting to the network.
So I took my iBook back to them and asked them to check for worms. :D
Sweetie, you talked me into it. Actually my ancient W2000 Server just finally croaked. It wouldn't even load explorer.exe so no desktop. The only thing running was a probably bogus update.exe. So I am going back to Linux. I am trying the Ubuntu distribution this time; I used to be a Red Hat user. I don't know if it was this virus or not. It doesn't matter. There is no reason for me to run Windoze at home any more. I support the more modern user at work.
The only reason it was a story at all was that it hit the media companies..
---- Booth was a patriot ----
here - they brag about having just one in 8 years. It IS possible to be fairly tight, but Msft has a long history of exploiting the right of not having any legal responsibility for whatever they slop out to customers. Why? They don't have to - it's the default os automatically bundled in with most computers whether the customer wants it or not.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Who the hell writes code that takes an *external* MIME encapsulated program and just runs it? WTF were the lame programmers over there thinking? Where do they get these guys, off the street?
What the hell purpose would it have? Letting Microsoft run any program it wants on your computer? WTF? And this MIME exploit is currently the "top" problem on the security lists.
Would it be so hard as a minimum to ask or warn the user twice before running it? Did anyone think of this when the programmed in that part?
And this plug and play thing, why the hell is it running on the ethernet port? I can understand it on USB or PCI.
And why is this thing spreading in this day and age when a firewall should be blocking almost every incoming port? This is a RPC port issue. Who the hell would be stupid enough to not be running a firewall that closes off all those damn RPC ports anyway?
Then the security companies say this thing has an IRC command that will "remove itself" if commanded from an IRC channel. So why don't the security people sit there on that IRC channel and send out that command and stop this now, today? Is there a profit motive to not stop this?
Yea, the whole thing makes me mad, it shouldn't be happening at all. Only beginning programmers would overlook simple things like this when creating an operating system, so Microsoft has no excuse and they are to blame for this.
If it wasn't for Linux coming along and making a threat, no one would even be bothering with fixes for this stuff. Even with that, why is this type of simple thing still happening after years of time that should have been used to find all of these problems?
> Any links to validate this "Turkey Virus"?
I've found that...
> isn't the CRT physically designed to spread the electron beams evenly as to display a picture?
No, it isn't a TV set. The VGA cable is really controlling the electron beam. Well, it was... now there is some embedded electronics to do some adjustments and avoid damaging the tube (for example, using too high refresh rates).
Try xvidtune under X,
check the modeline doc in linux/Documentation/fb,
read that link.
(Now assuming you've read the last link and understand porch times)
Your VGA cable basically sends five signals : red green and blue controlling the energy of the three beams, and two sync signals controlling "next line" and "next screen". Usually porch times are constant, so you're drawing in a rectangle somewhere.
Changing horizontal porch times will move the image to the left or right, or modify the image width.
Changing vertical porch times will move the image to the top or bottom, or modify the image height.
Constantly changing porch times result in waving effects (as reported in the first link).
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Who comes up with these names? ZOTOB sounds like some sort of new drug that treats heartburn, or allergies, or cholesterol or something.
"Ask your doctor if ZOTOB is right for you!"
Tired of FB/Google censorship? Visit UNCENSORED!
anyone remember the Wazzup virus? It attacked MS Word and would randomly place the word "wazzup" in your document when you saved it or printed it. God it was beautiful. So many book reports with "wazzups" circled in red ink....
People wazzup aren't creative like that anymore.
Why stick up for big business?
I can't RTFA, the site crashes Firefox instantly.
On rereading my post, I don't notice anywhere that I stated that all operating systems were 'perfect' w/r/t security, just as no car model is completely immune from the possibility of bursting into flames. What I was suggesting is that Microsoft spends significant amounts of money trying to persuade users that the degree of security problems that are present in Windows that can be automatically exploited is 'normal'. It is not. None of MacOS, OpenBSD, FreeBSD, Linux, Solaris, AIX, HP_UX, IRIX, Unixware, etc. have perfect security, however, they all have orders of magnitude better track records than Windows with regard to remote exploits.
Alright people, take notice:
A worm that moves to a computer, finds another target, and copies itself to the target computer.
What else does it do?
Uh.
Internet 1 | Humanity 0
This is why I am still running Windows NT.
Free virus protection!!!
NT is too old to be interesting to virus writers.
In a recent turn of events, it was found that the Microsoft Corporation was actually the creator of the ZOTOB worm. The monopolies intent: to push pirates to either buy the operating system (in order to recieve updates from the Genuine Advantage Program) they probably primarily play video games with or once and forall switch to the Linux operating enviroment, poluting the community with fools.
I know this has been hashed over a thousand times on /. already, but there are two relevant replies to this:
1. Microsoft apologists always try to blame the sysadmins. But one of Microsoft's marketing threads has always been along the lines of: "Unix and Linux are complicated and you need to pay a lot for experts who understand these arcane systems. Windows is so easy, even a trained monkey can administer it, which lowers your TCO!" So they encourage managers to devalue competent system administration, then turn around and say, "if something goes wrong, it's because your sysadmins aren't smart!"
2. How long was the patch available? Any Windows sysadmin (especially a smart one) knows you don't add patches to a large organization without thorough testing, because they have a history of breaking existing systems, especially those with a lot of third-party apps and/or custom configurations. (I'll give MS the benefit of the doubt and assume it's due to lack of adequate testing rather than deliberate.) A lot of MS shops are still testing SP2.
How come when I install all the updates to XP in order to keep my network safe from this new worm, it creates a new account called "ASP.NET something something blah blah" and forces users to a login screen that confuses the hell out of them on boot? Seems like a quick-fix workaround for some problem that MS decided they didn't really have time to fix properly, and it means I have to go around and delete the newly-created user from every machine.
Somebody who bought three Ford Pintos and somehow managed to survive when they all burst into flames would probably think long and hard before buying a fourth one.
The manufacturer told them they just had to change the oil regularly and it wouldn't catch on fire anymore, so they bought 10 more.
Standard apologist claim. But they never explain why Apache has three times the market share of IIS, but IIS has the worse security record.
Also... you have no credibility to say "but I don't have to go after M$ to discredit them" as you do go after them with your oh so clever use of the dollar sign.
OP was talking about people writing viruses to discredit MS. But hey, putting a dollar sign in an online comment is just as bad, right?
And if you leave off the dollar sign, aren't you then matching the common abbreviation of a certain crippling disease? (Some on /. might find that more appropriate, actually.)
> 'Contrary to many reports that the ZOTOB worms can infect Windows 95, 98, and ME, and NT, these platforms are not susceptible to the vulnerability.
Aha! I knew my persistence in continuing to run Windows 98 instead of XP would pay off some day!
I work at a small Canadian bank. The whole company uses w2k desktops. On Tuesday and Wednesday I spent my entire shifts playing poker while around us computers continuously rebooted. Without net access all kinds of rumours developed about how the worm was affecting the rest of the world. Our only communication with management was occasional typewritten faxes.
Of course at my office we have ZERO problems because a) we're all patched b) my antivirus is up to date and c) all my users run with only user level permission.
But ah, their home computers that I fix on my off time, they are GOLD!
Vote Quimby!
This worm exploits the MS05-039 vulnerability, which is a stack overflow in the Windows Plug and Play service. As the writeup of the exploit in the Metasploit Framework put it "[s]ince the PnP service runs inside the services.exe process, a failed exploit attempt will cause the system to automatically reboot."
Randy.Flood@RHCE2B.COM
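The reboot behaviour quoted above is the one symptom of this bug that an administrator can see from the event logs before any AV signature exists: a failed attempt crashes services.exe and the box restarts, and a host being hammered by scanners restarts over and over. The script below is an added example, not part of the thread, that triages a constructed CSV export of Windows event logs from several hosts. It flags a host that logged a services.exe crash (Event ID 1000) or three or more unexpected-shutdown records (Event ID 6008) inside any one-hour window. The host names, timestamps and message text are made up, and the column layout of the export is an assumption of the example.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: event log records exported from several Windows 2000/XP
# hosts into CSV.  Hosts, times and messages are made up; the column layout
# (host, time, event_id, source, message) is an assumption of this example.
SAMPLE_EVENTS = """\
host,time,event_id,source,message
ws-0412,2005-08-16 09:02:11,1000,Application Error,"Faulting application services.exe, faulting module unknown"
ws-0412,2005-08-16 09:03:40,6008,EventLog,The previous system shutdown at 9:02:31 AM on 8/16/2005 was unexpected.
ws-0412,2005-08-16 09:09:58,6008,EventLog,The previous system shutdown at 9:08:50 AM on 8/16/2005 was unexpected.
ws-0412,2005-08-16 09:17:03,6008,EventLog,The previous system shutdown at 9:15:55 AM on 8/16/2005 was unexpected.
ws-0199,2005-08-16 09:05:12,6008,EventLog,The previous system shutdown at 9:04:02 AM on 8/16/2005 was unexpected.
ws-0199,2005-08-16 13:41:30,1074,User32,The process winlogon.exe has initiated the restart of computer ws-0199 for the following reason: Planned
srv-file01,2005-08-16 09:06:44,7036,Service Control Manager,The Plug and Play service entered the running state.
"""

UNEXPECTED_SHUTDOWN = 6008   # EventLog: previous shutdown was unexpected
APP_CRASH = 1000             # Application Error: faulting application ...
WINDOW = timedelta(hours=1)
REBOOT_THRESHOLD = 3         # this many unexpected shutdowns per hour is a storm


def parse_events(text):
    """Read the CSV export into dicts with typed time and event_id fields."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any single window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_reboot_storms(events):
    """Map host -> reasons, for hosts that look like failed-exploit reboot victims."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        reasons = []
        crashes = [e for e in evs
                   if e["event_id"] == APP_CRASH and "services.exe" in e["message"]]
        if crashes:
            reasons.append(f"services.exe crashed {len(crashes)} time(s)")
        shutdowns = [e["time"] for e in evs if e["event_id"] == UNEXPECTED_SHUTDOWN]
        storm = max_in_window(shutdowns, WINDOW)
        if storm >= REBOOT_THRESHOLD:
            reasons.append(f"{storm} unexpected shutdowns within one hour")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_reboot_storms(parse_events(SAMPLE_EVENTS)).items():
        print(host, "->", "; ".join(reasons))
```

A planned restart (Event ID 1074, as on ws-0199) is deliberately ignored, and a single unexpected shutdown is not enough on its own; the sliding window is what separates a machine being scanned repeatedly from one that crashed once for an unrelated reason.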
Windows users? Not a chance.
Y'know, there's a fair few of us Windows users who have yet to catch a virus, or be infected with spyware, or get rooted.
Sure, I see others crashing and burning, but then I've known people knocked down and killed crossing the road; yet I still cross. I just take sensible precautions, and take my chances.
It's official. Most of you are morons.
I initially bought my PC for my children with the good intentions of helping them in school. I had no idea they would witness penetration of this magnitude. There was penetration of their PC, penetration in their friends' houses, and penetration of major corporations. Penetration was running rampant. This lawsuit will follow the righteous path set by Senator Clinton against the 'hot coffee' crack. If we don't draw the line in the sand to stop virus penetration in front of innocent children who will? Senator Clinton thinks of the children, so should you. Call you congressmen and congressional women to stop virus penetration today!
Actually they'd probably upgrade to a Ford Explorer 'cos the pinto isn't made anymore.
'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal. Nevertheless, despite the relatively low worldwide infection rate, this worm can, in theory, spread and infect computers extremely fast. Computer users need to remain vigilant and take immediate measures to protect against this and other attacks,' warned Kirouani
Talk about contradictions.
And what's with this thing where Ms. is 'warning' us several days in advance?
If I was to 'warn' someone that something bad was to happen to them, I'd be arrested for 'threatening' them.
I wish Eliot Spitzer (that lone prosecutor from the State of New York who defends 'Individual's' rights) would look into the how-why-where-when of Ms. being able to call catastrophes like these.
And while he's at it, find out if Ms. computers were affected by this worm, and if not, WHY NOT!!
As far as this virus not being a big deal, well even Comcast who rarely has down times or problems was off line quite a bit the following morning here in the West. Even if they weren't directly affected by it, it is possible they were 'making' sure that their systems were ok for the day ahead.
They seemed to be having problems down stream (from me, because I was online and linking, but was not able to get to ANY websites).
Of course I couldn't get any info outa comcast (you never can, they always claim you have the problem only).
I will gladly lose all of life's battles.. in order to win the war..
I've run windows as long as I've had computers, I am presently running Windows 2000 among other non-Windows OS's.
Never had any problems related to worms, viruses, or rootkits that were not trivial and harmless. How? This is how:
- I've disabled all services that are not needed (most)
- I always use a firewall (free) that does not reply to port-scans etc. There are firewalls both on the computer and the entrypoint to the LAN
- I always use active anti-virus scanning (free)
- I regularly patch with security updates (free)
- if I ever use IE it is because of WindowsUpdate but since there are other better ways to get security patches I seldom ever use IE at all
- IE, Outlook, and Outlook Express are banned from making connections by the firewall. To use IE I have to edit the firewall temporarily
- I regularly update my anti-virus (free) and do a complete thorough scan, at least weekly
- I less frequently scan for spyware and adware as well as updating the anti-spy/adware (free)
- I less frequently use anti-rootkit tools (free)
- I don't go clickety-click on everything "someone" offers be it through mail, web, or programs
- I choose F/OSS applications and protocols for Windows over proprietary ones as much as possible
- I rarely do any registry maintenance, mostly because there never has been any real need to do so (i.e. I do it for fun, yes fun, maybe one or two times a year - think of it as poking *.rc files out of interest on other systems)
These things aren't that hard to do if you have a minimal amount of knowledge (even the registry maintenance can be a gui-assisted nobrainer if you so wish), in fact they should be second nature for a Windows computer user.
I have no need for Snort, Tripwire or other NIDS and HIDS/HIPS but if I felt like I did have such a need I would run it.
Most of the above aren't especially OS-centric, whatever system I run I do most of these things in some way or another either manually, automatic or by the correct use of the inherent architecture of the OS (which is obviously the best).
The only breaches I've experienced are websites that push trojan downloads (immediately detected, acknowledged, denied, and deleted) independent of browser (IE/Opera/Firefox), and a few measly inactive trojans in p2p-downloads and jars (detected when doing regular pc housecleaning) - actually the latter has only happened three times in four years.
Yes, Windows has crappy security. Yes *nix-like OSes are slightly better with a few variants that are much better. The reasons Windows seems worse than it is are (in order of importance):
- clueless administrators who don't roll out in-depth defenses and lock down the system both from an inside-out as well as an outside-in perspective
- clueless users
- clueless 3rd party application programmers
- clumsy and slow Windows security patch making and handling
I will be switching from Windows 2000 as my main OS when I feel I know enough to achieve better security on a F/OSS OS, no, it is not likely to be a Linux flavour (so far OpenBSD is the leading contender).
My impression of the average penguinite (end-user) is that they are as clueless about security as the average windozer (end-user); the penguinites being somewhat saved by the Linux userland (although not always). What is worse is that a lot of the penguinites think they are safe without doing much of the aforementioned when in fact they're not. A massive increase in Linux use is more likely to lead to a rootkit galore than anything else (which is the direction Windows breaches are heading in as well).
From an AC that longs for the day when RO chroot/jailed/sandboxed kernel-&root-security is commonplace.
Holden (GM In Australia) lost $6 million AUD in production due to the virus.
http://www.abc.net.au/news/newsitems/200508/s1440
ONLY 2000 systems are affected.
I work at MS on the enterprise support security team. We have yet to see problems in 2k3.
I don't know about other packet-filtering software firewalls, but Sygate's does a CRC check on the process's EXE before granting it access. A process has to have (at least) the right EXE path, name, and CRC to get to the network. In this way, Sygate detects patches and updates, and should detect rootkit patches and EXE infections too.
It's true that naming a worm process "explorer.exe" or something would increase the worm's chances of obtaining a human's permission to get through a firewall, but it wouldn't be automatic or invisible.
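One way to build the path-plus-checksum rule described in the post, as an added example that is neither the poster's nor Sygate's code: a constructed stand-in for explorer.exe is allowlisted by full path and SHA-256, and the impostor that merely copies the name is refused. The second half shows the caveat a practitioner would want: CRC-32 is linear, not collision-resistant, so a worm that knows the CRC of the real binary (Windows binaries are public) can append four chosen bytes and match it, while the SHA-256 rule still rejects the padded file. The file contents, the path C:\WINNT\explorer.exe and all function names are assumptions of this example.

```python
import hashlib
import zlib

# Constructed stand-ins for the image bytes of the real explorer.exe and of a
# worm that renamed itself explorer.exe (made-up content, not real executables).
LEGIT_EXPLORER = b"MZ legitimate explorer.exe image " + bytes(range(64))
IMPOSTOR = b"MZ worm calling itself explorer.exe " + bytes(range(64, 128))


def fingerprint(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Per-application rule keyed on the full path; the value is the expected hash.
ALLOWLIST = {r"C:\WINNT\explorer.exe": fingerprint(LEGIT_EXPLORER)}


def may_connect(path: str, image: bytes) -> bool:
    """Grant network access only when both the path and the image hash match."""
    expected = ALLOWLIST.get(path)
    return expected is not None and fingerprint(image) == expected


# --- why a CRC is not enough -------------------------------------------------
# Standard reflected CRC-32 table (polynomial 0xEDB88320, as used by zlib).
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# The top byte of the table entries is a permutation of 0..255, so the top
# byte of a register identifies the table index used in the last CRC step.
INDEX_BY_TOP_BYTE = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}


def crc32_forge_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF     # CRC register after data (undo final xor)
    want = target ^ 0xFFFFFFFF              # register we need after four more bytes
    # Walk the four steps backwards from `want` to recover the table indices used.
    idx = [0] * 4
    state = want
    for k in range(3, -1, -1):
        idx[k] = INDEX_BY_TOP_BYTE[state >> 24]
        state = ((state ^ CRC_TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    # Replay forwards from a zero register to get the bytes those indices imply.
    # Feeding bytes b from `reg` gives the same result as feeding b ^ reg's
    # little-endian bytes from zero, so xor the register bytes back in.
    state = 0
    suffix = bytearray()
    for k in range(4):
        byte_from_zero = idx[k] ^ (state & 0xFF)
        state = (state >> 8) ^ CRC_TABLE[idx[k]]
        suffix.append(byte_from_zero ^ ((reg >> (8 * k)) & 0xFF))
    return bytes(suffix)


def forge_works(data: bytes, target: int) -> bool:
    """Check the forged suffix against zlib's own CRC-32 implementation."""
    return zlib.crc32(data + crc32_forge_suffix(data, target)) == target


def crc_check_is_fooled() -> bool:
    """True if a padded impostor passes a CRC-32 check but fails the SHA-256 rule."""
    forged = IMPOSTOR + crc32_forge_suffix(IMPOSTOR, zlib.crc32(LEGIT_EXPLORER))
    crc_matches = zlib.crc32(forged) == zlib.crc32(LEGIT_EXPLORER)
    return crc_matches and not may_connect(r"C:\WINNT\explorer.exe", forged)


if __name__ == "__main__":
    print("legit allowed:", may_connect(r"C:\WINNT\explorer.exe", LEGIT_EXPLORER))
    print("impostor allowed:", may_connect(r"C:\WINNT\explorer.exe", IMPOSTOR))
    print("CRC-32 check fooled, SHA-256 check not:", crc_check_is_fooled())
```

The path check still matters with a strong hash: a binary copied to another directory is a different rule, which is what stops a dropped copy of a legitimately signed tool from inheriting the original's permission.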
Is there any equivalent to the SEI CMM for System Administration? Are you aware of any references describing recommended tools and processes for a high maturity level for system administration?
It didn't get much press attention, but the researchers are all still very interested in The Witty Worm. It did something similar to your suggestion, and demonstrated that a worm can be destructive without limiting its propagation -- saturate first, then destroy. It also saturated a niche population of systems (much smaller than the Macintosh market, whose security record people incorrectly attribute to the smaller number of systems).
Modern worms can spread so rapidly that a small delay in the destruction, as you suggest, is all that's needed. If you saturate the entire target population in an hour, and start erasing random bits from the hard drive, tremendous damage could result. If a worm like Witty had exploited MS05-039, we would see a few hundred thousand wrecked systems today.
Why don't we see that? Because these worms are designed to build fleets of useful systems, gather information, steal identities, log keystrokes, collect passwords, and all manner of really nasty stuff.
The victims would be far, far better off if the worm merely waxed the hard drive.
These worms wouldn't be able to achieve their aims if they wrecked the C: drives. The "non-destructive" nature of these worms gets widely reported, because people don't understand that these systems are remotely controlled by hostile attackers from outside the corporate network from the early moments of the worm outbreak. Hey, the system still runs and users can still get their corporate email, so it can't be that bad, right? This remote control stuff is theoretical, right?
Wrong. This crop of worms is efficient, and very, very nasty. I have an IRC session log which shows literally hundreds of MB of files being stolen from infected computers, and many MB of files downloaded and executed on those same systems. Files that are not recognized by AntiVirus, files that don't get cleaned up with the magic bullet clean up tools. It also shows the bots responding when a firewall rule was put up to block the initial IRC connection. These bots are becoming smarter all the time, and these are definitely not "gentle peaceful worms" that seek only to spread from system to system.
If you mod me down, I shall become more powerful than you could possibly imagine.
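The saturate-first-then-destroy argument above can be put into numbers. The model below is an added example, not part of the thread, and uses assumed figures: 300,000 vulnerable hosts (the post's "few hundred thousand"), 1,000 probes per second from each live infected host, uniform random scanning of the IPv4 space, and a payload that wrecks the host a fixed number of seconds after infection. It shows both halves of the argument: a worm that wrecks its host before it has scanned for long starves itself of carriers, while one that waits an hour has saturated the population minutes after release, long before the payload fires.

```python
from collections import deque

ADDRESS_SPACE = 2 ** 32          # IPv4; a random scanner probes it uniformly


def simulate(vulnerable, scan_rate, payload_delay, horizon=3600, dt=1.0):
    """Deterministic model of a random-scanning worm (assumed figures, see lead-in).

    vulnerable:    exploitable hosts reachable on the internet
    scan_rate:     probes per second sent by each live infected host
    payload_delay: seconds an infected host keeps spreading before its own
                   payload wrecks it (0 = wrecked before the first probe)
    Returns (hosts_ever_infected, seconds_until_99_percent_or_None).
    """
    susceptible = float(vulnerable) - 1.0   # patient zero is already infected
    infected_total = 1.0
    scanning = 1.0                          # infected hosts still alive and probing
    cohorts = deque([(0.0, 1.0)])           # (time infected, how many), oldest first
    t99 = None
    t = 0.0
    for _ in range(int(horizon / dt)):
        # hosts whose payload has fired are wrecked and stop spreading
        while cohorts and t - cohorts[0][0] >= payload_delay:
            scanning -= cohorts.popleft()[1]
        # each probe hits a still-vulnerable host with probability susceptible / 2^32
        new = min(susceptible, scanning * scan_rate * dt * susceptible / ADDRESS_SPACE)
        if new > 0:
            susceptible -= new
            infected_total += new
            scanning += new
            cohorts.append((t, new))
        t += dt
        if t99 is None and infected_total >= 0.99 * vulnerable:
            t99 = t
    return infected_total, t99


def compare_delays(delays, vulnerable=300_000, scan_rate=1000):
    """Run the model once per payload delay and return {delay: (infected, t99)}."""
    return {d: simulate(vulnerable, scan_rate, d) for d in delays}


if __name__ == "__main__":
    for d, (n, t99) in compare_delays([0, 10, 60, 3600]).items():
        print(f"payload after {d:>5}s: {n:9.0f} hosts infected, 99% reached at {t99}")
```

With these figures each live host infects roughly 0.07 others per second, so a payload that fires after 10 seconds leaves each host fewer than one successor and the outbreak dies out within a handful of machines, whereas a 60-second or one-hour delay reaches essentially the whole population. The lesson for the defender is the one the post draws: the absence of visible damage in the first hours says nothing about what the worm is for.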
saying "I CANNOT support systems I do not control." This means that all workstations will be allowed to be patched at MY schedule. All workstations will have ONLY approved software installed and it will only be installed after it is tested and approved by the corporate team. No unapproved devices may be plugged into any corporate systems without approval. It might be war doing this, but it is the only way to make progress. Once you have that control, you can make exceptions for your developers and engineers, but you can also revoke that if they break the rules. The key is IT grants control of THEIR systems.
I don't know if this plug and play option is "featured" in NT or not. I noticed it is ominously missing from Microsoft's description of the patch. It's neither under the affected nor the unaffected systems.
Yes, for a time it was possible to instruct the video hardware of a PC to change the scan rate of the monitor to values high enough to damage the monitor. If your monitor is anything remotely new it has built in circuitry to protect it. I have a monitor that is over 5 years old with that feature--it cannot be broken in that fashion.
Furthermore, all cards older than super VGA have locked scan rates--IT IS TOTALLY IMPOSSIBLE to change the scan rates via software of any kind on original VGA or anything older than that (including old non-PC platforms, except maybe the Amiga but I doubt even that). The only way to do so would've been to swap the crystal on the card that ran the dot-clock and no virus could do that of course.
The original poster talking about "directing the beam" and starting a monitor on fire is completely full of sh1t. Unless someone had physically altered a system, there has never been a commercially available PC that was capable of such a feat through software. It is not possible to directly control the position of the electron beams of a monitor without disassembling it and messing with the circuitry to essentially turn it into a 3-beam oscilloscope.
The best you can do is set horizontal and vertical sync pulse timings--those are the only physical signal inputs to a monitor which control scan rates, otherwise the beam must follow the left-to-right/top-to-bottom raster pattern hard wired into the monitor. Also, setting the scan rate to zero would NOT cause the beam to stop on the picture tube and burn a hole in your display. The beam would reach the end of the scan line and the horizontal deflection circuit would wait for the horizontal sync pulse--past the right edge of the display area of the tube. If the sync does not arrive in a timely fashion the vertical and horizontal deflection circuitry resets entirely and the beams turn off--basically this turns off the monitor display entirely and this is how ALL VGA multisync monitors have always behaved--even the ones that could be ruined by "over clocking" could not be damaged by underclocking--once you got down lower than CGA level the sync pulses were too long and the whole display would shut off.
I just have to shake my head when I hear such nonsense in various virus hoaxes--like one that went around saying if you opened an email it would erase your hard drive (that friggin "good times" hoax--as if reading an email in PINE would kill your hard drive). I had to explain over and over again to people that no--it is IMPOSSIBLE to erase a hard drive or get a computer virus through simply reading email.
Then BillG and his crew had to prove me wrong and invent an email client so "innovative" to make the above assertion inaccurate. The f*ckers...
I replied before browsing all of the posts in this thread. After posting I thought "Doh, this is slashdot. I bet someone here already mentioned IPSEC". To my dismay not one fucking person even mentioned the possibility of using IPSEC.
What the fuck? Doesn't ANYONE know ANYTHING about Windows? I thought this was a site for nerds? Aren't nerds that partake in computer security discussions supposed to know about things like IPSEC? Hell, Windows has come with IPSEC built into in since Win2k. That's FIVE YEARS Windows has had this capability. I learned about it...FIVE YEARS AGO when I first got a copy of Win2k at work.
I watch idiots post all day on this site about how much Windows sucks, and how it can't be secured, yet they don't know one fucking thing about how Windows works, or about the methods available to secure it.
Jesus Christ people, get a fucking clue!
Oh, and excuse my foul language, I hope I didn't permanently damage the psyche of the numerous 12 year old Linux d00dz that are sure to be reading this.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
when it's in the best interests of those selling the 'cure' to blow it out of proportion.
and Microsoft has exponentially more market share than the operating systems you mention. When you have 93% of the market, I would think it's safe to say (at least) 93% of the idiots are trying to hack your products...
I read