Slashdot Mirror


ZOTOB Not Quite as Bad as Expected?

GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows Operating systems, but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "

33 of 407 comments

  1. really... by Megor1 · · Score: 2, Informative

    It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.

    --
    Everyone that disagrees with me is a paid shill
    1. Re:really... by Patoski · · Score: 4, Informative

      > It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.

      Actually Windows 2000 does have a firewall. It just doesn't have a purdy gui.
      http://online.securityfocus.com/infocus/1559

      Anyhow, how does a firewall help one when an infected machine gets in the building (like a laptop)? You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing.

      While we didn't get hit where I work I can sympathize with companies that did. When you're working in a large environment it can take some time to test patches to make sure they work as advertised (esp. on mission critical servers). One week lead time is really intense.

      --
      G. Washington on Government "it is force. Like fire, it is a dangerous servant and a fearful master."
    2. Re:really... by jwgoerlich · · Score: 4, Informative

      > I blame it more on crappy IT administration.

      And how! Almost all of my clients' machines are immune to this (though we patched anyways). Why? Because we disable anonymous connections (RestrictAnonymous registry key), which has been a recommended practice for YEARS.

      See the tech advisory: "Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users."

      http://support.microsoft.com/kb/q246261/

      http://www.microsoft.com/technet/security/advisory/899588.mspx

      The same thing happened with Slammer. The MSSQL servers we set up were immune out of the gate because they were set up properly from the get-go.

    3. Re:really... by Anonymous Coward · · Score: 1, Informative

      I assume that by "about to be" you mean "in five years."

  2. Perhaps not as bad, but it still is a problem. by marbike · · Score: 4, Informative

    This worm, while not as bad as some we've dealt with in the past (slammer/sapphire, code red, msblaster) is still a pain. It is still likely to cause huge spikes in network traffic for infected networks. I've already seen an instance where hundreds of machines seemed to be infected and only the mitigation in place at the edge routing devices was able to stem the flow of traffic outbound.

    This type of traffic has the potential to knock over routers/firewalls. I've seen it before and I have seen it this time as well.

    --
    it is better to light a flame thrower than curse the darkness. -Terry Pratchett Men at Arms
  3. Re:Flaw was patched days before the outbreak. by Trigun · · Score: 5, Informative

    Patch caused errors in 3rd party software. Not enough lead time to do proper regression testing. News at 11, if they get their computers fixed.

  4. Windows XP and Server 2003? by mranime · · Score: 4, Informative

    Both Symantec link and F-Secure link

    States that only Windows 2000 machines were affected.

    F-Secure Writes: "The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected."

  5. Re:not large penetration by dioscaido · · Score: 4, Informative

    The code used in the Zotob worm to exploit the Microsoft PnP vulnerability addressed in MS05-039 relies on NULL sessions to exploit the target system. Default installations of Windows XP SP2 and Windows 2003 do not have NULL sessions enabled, and thus are not affected by the worm.

  6. Re:Irony by Anonymous Coward · · Score: 1, Informative

    Amazing? 2000 is only one year older than XP.

  7. Re:August: Season of the crashes by DynamicBits · · Score: 2, Informative

    Guess what happens every year in August... Thousands of students return to school. A majority of them just had the summer off, which provided ample time to work on the next big worm. School starts and the creator has a new semi-anonymous internet connection to start propagation from.

  8. Re:I have yet to experience Zotob... by utopianfiat · · Score: 2, Informative

    already up on metasploit

    --
    +5, Truth
  9. Re:Did you see that ridiculous CNN coverage? by mhollis · · Score: 3, Informative

    The CNN coverage was probably due to CNN still using Windoze 2000, which we use here at NBC for all of our desktop computers.

    Mind you, we also have high end workstations running Avid Newscutters and the DS that are based on XP but for desktop use, it's strictly 2000.

    It is quite possible that news ops software, like Avid's iNews (a very necessary script-writing, show organizing and newswire access tool that almost every news organization uses) does not work or is not supported on XP. It may also be an issue that XP requires better hardware (highly likely) than 2000 and large, worldwide organizations like CNN, ABC, NBC, CBS, BBC and so on are highly dependent on that version of Microsoft's OS.

    So, at least in their case, the hysteria at CNN may have been warranted.

    --
    Gods don't kill people, people with gods kill people.
  10. Re:Irony by Knara · · Score: 2, Informative
    It's amazing that businesses rely on an OS that continues to do what they need it to do? Win2k is only half-way through its support life-cycle, you realize (scheduled to be EOL in 2010 if I recall).

    This was a problem with IT admins not maintaining secure environments through patching and firewall administration. Where I work has 400+ machines in a mix of 2000 and XP, and I'd be surprised if half a dozen of them got infected (I didn't hear about even one, personally).

  11. Pretty Bad Here by GizmoToy · · Score: 2, Informative

    I don't know if it was "minimal" elsewhere, but it hit GE Transportation really hard. We had two sites go down completely (no network, no computers), including HQ in Cincinnati. The sites went completely offline around 3pm, and I can only assume the poor techies had to stay all night to patch each computer on campus manually (because they won't stay on, always rebooting). When I got to work the next day, we all had a specific set of instructions to do to complete the patching process. They really lost a fortune on this one.

  12. Of course it's not as bad... by GillBates0 · · Score: 3, Informative
    It even removes your spyware for you, as several /. comments noted in the last Zotob story: http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html It could be that problems (reboots, etc) that people experienced were caused by inadequate testing rather than purely malicious intent... but then it's a worm, so it is implicitly malicious.

    Deletes the following registry values:
    "MyWebSearch"
    "WINDOWS SYSTEM"
    "Zotob"
    "MyWay"
    "WeatherOnTray"
    "Apropos"
    "IBIS TB"
    "TBPS"
    "Toolbar"
    "Hotbar"
    "CMESys"
    "NavExcel"
    "ViewMgr"
    "eZula"
    "EbatesMoeMoneyMaker"
    "Ebates"
    "AutoUpdater"
    "Gator"
    "Trickler"
    "QuickTime"
    "GatorDownloader"
    "eZmmod"
    "Viewpoint"
    "TkBellExe"
    "180"
    "WinTools"
    "Real"
    "QuickTime Task"
    ...

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  13. Re:unpatched machines? by sriram_2001 · · Score: 3, Informative

    Sorry - not true. Windows Genuine Advantage has nothing to do with security patches. All users will get security patches, without going through any checks.

  14. Re:This may not be an accident by DaHat · · Score: 4, Informative

    The reason that viruses are not as damaging today as they were long ago is because virus writers have learned, propagation is the goal, not destruction.

    Compare computer viruses to real world viruses and you'll see.

    Ebola, smallpox, take your pick from the fast acting, horrific and deadly viruses, very contagious and extremely deadly. With such a rap, why haven't they killed off everyone on earth yet? The answer why they haven't is simple: they kill their hosts before they have much of a chance to spread.

    That is why HIV is such an evil bug, it takes its time before killing its host, as well as taking plenty of time before an infection is apparent.

    Computer viruses are the same, one that destroys a PC or locks down files isn't going to get very far, while one whose sole job is reproduction will spread far and wide and cause havoc only because of its level of penetration and infection.

  15. article is wrong. by Suppafly · · Score: 2, Informative

    > but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "

    The article is wrong, zotob has variants that infect 9x thru 2003. You can look at the summaries on symantec. As a pc support person at a very large company (one of the ones mentioned on cnn when they talked about zotob), this is certainly the worst virus I've had to deal with.

  16. Re:not large penetration by jim_v2000 · · Score: 2, Informative

    It's not that they aren't affected, it's just that they can't be infected by the way it spreads...however, the worm will still run on XP/2003 machines.

    --
    Don't take life so seriously. No one makes it out alive.
  17. Re:Irony by Anonymous Coward · · Score: 2, Informative
    You must work at some little mom and pop shop.

    Any idea how many millions of $$ it takes to upgrade an entire company full of desktops, laptops, lab devices, servers, etc, when you have tens of thousands of people working for you all around the globe?

    Making sure that all your (hundreds of) applications function as expected on the new platform. Don't forget to test it on each and every language locale that will be in use for the company around the globe.

    Beginning to get the picture? This takes a HUGE amount of money, people, time and planning to pull off. It's a hell of a lot more than 1. Order CD, 2. Reboot, 3. Upgrade

  18. Re:Actually... by perdu · · Score: 2, Informative
    So you're saying you don't REQUIRE updates and patches at a fortune 500?
    We had trouble at my company's site because nearly all of our 5,000 users are on Windows 2000 SP3. The patch was only for SP4, so I guess it was decided not to risk upgrade to SP4 with the patch. But then we got shut down for the whole day!

    Let's see: 5,000 people x 1 day: wonder if our TCO is still lower with Windows?
    --
    You only use 2% of your DNA
  19. Re:not minimal by b0r1s · · Score: 4, Informative

    For the record:

    The reason the risk to XP and 2k3 is minimal is that they require authentication for the particular vulnerability to be exploited, where Win2k can be exploited using a NULL session.

    Setting RestrictAnonymous=2 in the registry will disable null sessions and prevent infection on Win2k systems.

    --
    Mooniacs for iOS and Android
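    The following is an added example, not code from any poster in this thread or from Microsoft: a PowerShell function that audits the RestrictAnonymous value named in the advisory quoted above (the jwgoerlich and b0r1s comments) and, on request, sets it to 2. It assumes a modern PowerShell host; the key path HKLM\SYSTEM\CurrentControlSet\Control\Lsa and the meaning of values 0, 1 and 2 follow KB246261, and a missing value is treated as 0 here.

```powershell
# Added example (not from the thread): audit, and optionally enforce, the
# RestrictAnonymous value the Microsoft advisory recommends for Windows 2000.
# Key path is the documented LSA location; value meanings follow KB246261.
function Get-RestrictAnonymousStatus {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Set RestrictAnonymous to 2 if it is not already (use -WhatIf to preview).
        [switch]$Enforce
    )

    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $meaning = @{
        0 = 'default: null sessions may enumerate accounts and shares'
        1 = 'enumeration of SAM accounts and share names blocked'
        2 = 'no access without explicit anonymous permissions (advisory setting)'
    }

    $item = Get-ItemProperty -Path $keyPath -Name RestrictAnonymous -ErrorAction SilentlyContinue
    # Assumption: an absent value is reported as the default, 0.
    $current = if ($null -eq $item) { 0 } else { [int]$item.RestrictAnonymous }

    if ($Enforce -and $current -ne 2) {
        if ($PSCmdlet.ShouldProcess("$keyPath\RestrictAnonymous", "Set to 2 (was $current)")) {
            Set-ItemProperty -Path $keyPath -Name RestrictAnonymous -Value 2 -Type DWord
            $current = 2
        }
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        RestrictAnonymous = $current
        Meaning           = $meaning[$current]
        NullSessionRisk   = ($current -lt 2)
    }
}

# Usage: a read-only audit, then a dry run of enforcement.
Get-RestrictAnonymousStatus
Get-RestrictAnonymousStatus -Enforce -WhatIf
```

    Run it without switches first; NullSessionRisk is $true whenever the value is below 2. The same KB documents that value 2 can interfere with domain trusts and network browsing on Windows 2000, so test it on a representative machine before rolling it out, which is the trade-off several posters above describe.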
  20. Re:unpatched machines? by arkhan_jg · · Score: 2, Informative

    > Sorry - not true. Windows Genuine Advantage has nothing to do with security patches. All users will get security patches, without going through any checks.

    That used to be the case. Now with the latest version of Windows Update, you must pass genuine advantage in order to download patches. I know this as I've one machine that fails to get past the check on windows update despite the valid licence number on it. I believe autoupdate is still working, but for how long?

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  21. Re:Patch available? by man_of_mr_e · · Score: 3, Informative

    I'll install the next service patch as soon as Microsoft lets me decide which browser to do it with. Where's the network install (aka downloadable) patch?

    Right here:

    http://www.microsoft.com/downloads/details.aspx?familyid=E39A3D96-1C37-47D2-82EF-0AC89905C88F&displaylang=en

  22. Re:Aren't all media reports of internet viruses by peculiarmethod · · Score: 4, Informative

    Hsync and vsync value hack in the early days of Hercules and CGA cards, initiated with ASM code. And all those moderators who modded overrated need to learn more about hardware.

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
  23. Non-issue for any competent admin by Mortimer82 · · Score: 2, Informative

    Granted, I deal only with about 150 users, over about 6 companies, however, I haven't even had a reported case of this worm.

    The only excuse for an administrator having a problem with this is if the patch is incompatible with some or other software.

    Any competent administrator knows:

    • When Microsoft is releasing their patches.
    • Uses either Software Update Services, or more recently they may be using Windows Server Update Services (WSUS).

    WSUS works like a charm, you can tell it to check for updates every day, and then all clients on the network can be forced to apply the patches.

    There are instances where WSUS cannot really help much:

    • Laptop users: These users may get infected from their home connection before they get to the office, however, this should not really be able to happen if they are running a personal firewall (such as Windows XP SP2's firewall), and even if they do get infected, the worst possible collateral should be a couple of other, as yet, unpatched laptops on the network.
    • 0 day worms: I would say that, reasonably, you are looking at about 24 hours for all desktop machines to get autopatched. Worms that get made in this time window may be able to sneak in.
    • Worms which target an unknown vulnerability: Short of ultra-strict firewall policies, as well as no laptop users, a worm like this is more than likely going to cause havoc.

    It's called preventative maintenance, you can replace your brakes after they fail, but if you do it before they fail, it saves you having to repair the rest of your car as well.

    In summary, all administrators from companies that run a domain controller, and have a reasonable amount of resources should NOT have experienced any major outbreak. So stop whining, clean up your mess, do your job properly now and avoid future problems.

  24. Re:Aren't all media reports of internet viruses by networkBoy · · Score: 2, Informative

    "Upgraded from 128 MB HDD to 1.3GB, spent all summer cutting grass for that sucker and less than a week after installing I started hearing this god-awful screeching, only to have it fail totally in a few minutes"

    Somehow I doubt that as all drives > 1g and many > 200 meg did not support the park command because they auto parked at powerdown. They would accept the park command and silently ignore it.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  25. Re:not minimal by Stone+Cold+Troll · · Score: 2, Informative

    But only through automatic updates. If you go to Windows Update manually, it tells you that you have to download the WGA verification utility in order to proceed. I was pretty pissed until I read a post on /. explaining it; I never would have thought to use automatic updates otherwise.

  26. Re:Depends a lot on your point of view by Thumper_SVX · · Score: 2, Informative

    In this case, no. Although we can't pinpoint it, it looks as though this worm actually came in on an infected laptop. There's almost nothing that can realistically be done to prevent this unless we also want to force everyone to use desktops. I know a lot of managers (and IT people... myself included) who often work from coffee shops on wireless connections when we need to. IT people like myself can be expected to be conscientious about using at least a software firewall; managers and project managers? Well, I'll leave that to you to fill in that blank :)

  27. "Turkey Virus" by alexhs · · Score: 5, Informative

    > Any links to validate this "Turkey Virus"?

    I've found that...

    > isn't the CRT physically designed to spread the electron beams evenly as to display a picture?

    No, it isn't a TV set. The VGA cable is really controlling the electron beam. Well, it was... now there is some embedded electronics to do some adjustments and avoid damaging the tube (for example, by using too high refresh rates).

    Try xvidtune under X,
    check the modeline doc in linux/Documentation/fb,
    read that link.

    (Now assuming you've read the last link and understand porch times)
    Your VGA cable basically sends five signals: red, green and blue controlling the energy of the three beams, and two sync signals controlling "next line" and "next screen". Usually porch times are constant, so you're drawing in a rectangle somewhere.
    Changing horizontal porch times will move the image to the left or right, or modify the image width.
    Changing vertical porch times will move the image to the top or bottom, or modify the image height.
    Constantly changing porch times result in waving effects (as reported in the first link).

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
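    The following is an added example, not code from alexhs or from the X project: a PowerShell function that takes an X modeline and works out the sync frequencies and porch times the comment above describes, then checks them against a monitor's HorizSync/VertRefresh limits before a mode is ever sent to the tube. The 1024x768 modeline is the standard VESA 60 Hz mode; the monitor limits and the doubled-clock mode are constructed values for the example.

```powershell
# Added example (not from the thread): derive sync rates and porch times from
# an X modeline and check them against a monitor's stated limits.
function Get-ModelineTiming {
    param(
        # Modeline in xorg.conf syntax: clock MHz, then hdisp hsyncstart hsyncend htotal, vdisp vsyncstart vsyncend vtotal.
        [Parameter(Mandatory)][string]$Modeline,
        # Monitor limits as they would appear in xorg.conf (constructed values for the example).
        [double]$HorizSyncMinKHz = 30.0, [double]$HorizSyncMaxKHz = 70.0,
        [double]$VertRefreshMinHz = 50.0, [double]$VertRefreshMaxHz = 100.0
    )

    # Drop the optional leading keyword and the quoted mode name, keep the nine numbers.
    $fields = ($Modeline -replace '^\s*Modeline\s*', '' -replace '"[^"]*"\s*', '') -split '\s+' | Where-Object { $_ -ne '' }
    if ($fields.Count -lt 9) { throw "Expected pixel clock plus eight timing values, got: $Modeline" }
    $clockMHz = [double]$fields[0]
    $h = $fields[1..4] | ForEach-Object { [int]$_ }   # hdisp hsyncstart hsyncend htotal
    $v = $fields[5..8] | ForEach-Object { [int]$_ }   # vdisp vsyncstart vsyncend vtotal

    $hsyncKHz   = $clockMHz * 1000 / $h[3]   # scanlines per second
    $vrefreshHz = $hsyncKHz * 1000 / $v[3]   # frames per second
    $usPerPixel = 1 / $clockMHz              # 1 / MHz gives microseconds

    [pscustomobject]@{
        Modeline         = $Modeline
        HSyncKHz         = [math]::Round($hsyncKHz, 2)
        VRefreshHz       = [math]::Round($vrefreshHz, 2)
        # Horizontal porch times in microseconds: the blanked gaps either side of the sync pulse.
        HFrontPorchUs    = [math]::Round(($h[1] - $h[0]) * $usPerPixel, 3)
        HSyncPulseUs     = [math]::Round(($h[2] - $h[1]) * $usPerPixel, 3)
        HBackPorchUs     = [math]::Round(($h[3] - $h[2]) * $usPerPixel, 3)
        # Vertical porch times in whole scanlines.
        VFrontPorchLines = $v[1] - $v[0]
        VSyncPulseLines  = $v[2] - $v[1]
        VBackPorchLines  = $v[3] - $v[2]
        WithinMonitorRange = ($hsyncKHz -ge $HorizSyncMinKHz -and $hsyncKHz -le $HorizSyncMaxKHz -and
                              $vrefreshHz -ge $VertRefreshMinHz -and $vrefreshHz -le $VertRefreshMaxHz)
    }
}

# Standard VESA mode: roughly 48.4 kHz / 60 Hz, inside the limits above.
Get-ModelineTiming 'Modeline "1024x768" 65.0 1024 1048 1184 1344 768 771 777 806'
# Same pixel counts with a doubled pixel clock: hsync jumps to roughly 96.7 kHz,
# the kind of out-of-range timing the comment says older tubes cannot tolerate.
Get-ModelineTiming 'Modeline "1024x768" 130.0 1024 1048 1184 1344 768 771 777 806'
```

    Shifting pixels between HFrontPorchUs and HBackPorchUs while keeping htotal fixed leaves HSyncKHz unchanged and moves the picture sideways, which is the effect the comment describes; changing htotal itself changes the sync rate, which is what the range check is there to catch.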
  28. Re:Depends a lot on your point of view by bitslinger_42 · · Score: 3, Informative

    Software firewalls can work. A company I work with has over 10k laptops in use, and nearly all of them run a standard firewall package. It has centralized logging, so we can tell when someone disables it and/or uninstalls it. Those users are warned once and then walked out the door if it happens again, even managers. Patch management is handled automatically, so when a user logs on, the patch is pushed to them. If the firewalls are configured intelligently (i.e. absolutely NO MS networking allowed when in an untrusted network), patches are maintained, and antivirus software is in place, the virus problem gets much more manageable. Add to that an IDS that has provisions to automatically identify propagating worms inside the company, interfaces with the trouble-ticketing system, and a process through which access control lists are applied to the appropriate routers within 15 minutes, and you have a method for dealing with viruses quickly and without a bunch of manpower. These days, a bad virus outbreak for me is 2-3 computers, and we've got well over 40k end users.
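    The following is an added example, not code from bitslinger_42 or from any IDS product: a PowerShell function that does the "automatically identify propagating worms" step over centralized firewall logs, by flagging any host that reaches many different machines on TCP/445 (the port Patoski notes zotob uses) inside a short window. The log lines are constructed here in the W3C layout Windows XP SP2 writes to pfirewall.log; the window and threshold are assumptions to tune for your own network.

```powershell
# Added example (not from the thread): flag hosts that connect to many distinct
# machines on TCP/445 in a short window, the on-the-wire shape of a worm sweep.
function Find-SmbScanners {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$WindowSeconds = 60,
        [int]$Threshold = 20     # distinct destinations within one window (assumed value)
    )

    # Keep only TCP/445 events; field order follows the #Fields header of the log.
    $events = @(foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    })

    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        $peak = 0
        # Slide a window forward from each event and count distinct targets inside it.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $distinct = @($inWindow.Dst | Select-Object -Unique).Count
            if ($distinct -gt $peak) { $peak = $distinct }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{ Source = $group.Name; PeakDistinctTargets = $peak; WindowSeconds = $WindowSeconds }
        }
    }
}

# Constructed sample log: one host sweeping 25 neighbours in 25 seconds,
# one host talking only to its usual file server. Not real traffic.
$sampleLog = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
foreach ($n in 1..25) {
    $sampleLog += ('2005-08-16 15:01:{0:d2} DROP TCP 10.0.0.7 10.0.1.{1} 1025 445 48 S 1 0 65535 - - - RECEIVE' -f $n, $n)
}
foreach ($n in 1..3) {
    $sampleLog += ('2005-08-16 15:02:{0:d2} OPEN TCP 10.0.0.9 10.0.1.50 1030 445 - - - - - - - - SEND' -f $n)
}

# Expected: 10.0.0.7 is reported with 25 distinct targets; 10.0.0.9 is not.
Find-SmbScanners -LogLines $sampleLog | Format-Table -AutoSize
# On a real XP SP2 host, feed it the live log instead:
#   Find-SmbScanners -LogLines (Get-Content "$env:windir\pfirewall.log")
```

    A file server legitimately sees many sources on 445 but a workstation rarely needs many destinations, so the count is per source; the output is what would be handed to the ticketing and router-ACL steps the comment describes.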

  29. Re:Actually... - it's the Microsoft Spin Machine by Tim+C · · Score: 2, Informative

    > Windows users? Not a chance.

    Y'know, there's a fair few of us Windows users who have yet to catch a virus, or be infected with spyware, or get rooted.

    Sure, I see others crashing and burning, but then I've known people knocked down and killed crossing the road; yet I still cross. I just take sensible precautions, and take my chances.

  30. Re:not minimal by Keeper · · Score: 3, Informative

    If you want to download and apply updates manually, go here: http://www.microsoft.com/technet/security/current.aspx