Slashdot Mirror


ZOTOB Not Quite as Bad as Expected?

GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows Operating systems, but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "

10 of 407 comments

  1. Perhaps not as bad, but it still is a problem. by marbike · · Score: 4, Informative

    This worm, while not as bad as some we've dealt with in the past (slammer/sapphire, code red, msblaster) is still a pain. It is still likely to cause huge spikes in network traffic for infected networks. I've already seen an instance where hundreds of machines seemed to be infected and only the mitigation in place at the edge routing devices was able to stem the flow of traffic outbound.

    This type of traffic has the potential to knock over routers/firewalls. I've seen it before and I have seen it this time as well.

    --
    it is better to light a flame thrower than curse the darkness. -Terry Pratchett Men at Arms
  2. Re:Flaw was patched days before the outbreak. by Trigun · · Score: 5, Informative

    Patch caused errors in 3rd party software. Not enough lead time to do proper regression testing. News at 11, if they get their computers fixed.

  3. Windows XP and Server 2003? by mranime · · Score: 4, Informative

    Both Symantec link and F-Secure link

    state that only Windows 2000 machines were affected.

    F-Secure Writes: "The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected."

  4. Re:not large penetration by dioscaido · · Score: 4, Informative

    The code used in the Zotob worm to exploit the Microsoft PnP vulnerability addresses in MS05-039 relies on NULL sessions to exploit the target system. Default installations of Windows XP SP2 and Windows 2003 do not have NULL sessions enabled, and thus are not affected by the worm.

  5. Re:really... by Patoski · · Score: 4, Informative

    It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.

    Actually Windows 2000 does have a firewall. It just doesn't have a purdy gui.
    http://online.securityfocus.com/infocus/1559

    Anyhow, how does a firewall help one when an infected machine gets in the building (like a laptop)? You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing.

    While we didn't get hit where I work I can sympathize with companies that did. When you're working in a large environment it can take some time to test patches to make sure they work as advertised (esp. on mission critical servers). One week lead time is really intense.

    --
    G. Washington on Government "it is force. Like fire, it is a dangerous servant and a fearful master."
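
The traffic symptom described in comments 1 and 5 (a worm sweeping neighbours on TCP/445, which cannot simply be blocked inside a Windows network) is something a defender can detect rather than block. The following is an added example, not code from any of the posts: a small Python detector that reads generic "key=value" firewall log lines (the format and the sample data are constructed for the example) and flags any source that reaches an unusual number of distinct hosts on port 445 inside a short window. Ordinary clients talk to one or two file servers; a spreading worm fans out to dozens.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example: a generic "key=value" firewall/netflow
# export, not any particular vendor's syntax.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
    }


def find_fanout(lines, port=445, window=timedelta(seconds=60), threshold=20):
    """Flag sources that contact at least `threshold` distinct hosts on `port`
    within any interval of length `window`.

    Returns {src: max_distinct_targets_in_one_window} for flagged sources.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == port:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        # Sliding window anchored at each event; O(n^2) per source is fine here.
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[src] = best
    return flagged


def sample_log():
    """Constructed sample: one host sweeping 40 neighbours on TCP/445 in 20 s,
    plus three clients doing ordinary file sharing to a single server."""
    base = datetime(2005, 8, 16, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = base + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} src=10.1.2.50 dst=10.1.3.{i + 1} "
                     f"proto=tcp dport=445 action=deny")
    for i, client in enumerate(("10.1.2.11", "10.1.2.12", "10.1.2.13")):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} src={client} dst=10.1.2.10 "
                     f"proto=tcp dport=445 action=allow")
    lines.append("not a log line")  # exercised to show malformed input is skipped
    return lines


if __name__ == "__main__":
    for src, n in find_fanout(sample_log()).items():
        print(f"{src}: {n} distinct TCP/445 targets inside one window")
```

On the constructed sample only 10.1.2.50 is reported (40 targets); the three clients touch one server each and stay below the threshold. The threshold and window are site-specific knobs; a management host that legitimately polls many machines on 445 needs an allow-list.
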
  6. Re:This may not be an accident by DaHat · · Score: 4, Informative

    The reason that viruses are not as damaging today as they were long ago is because virus writers have learned, propagation is the goal, not destruction.

    Compare computer viruses to real world viruses and you'll see.

    Ebola, smallpox take your pick from the fast acting, horrific and deadly viruses, very contagious and extremely deadly. With such a rap, why haven't they killed off everyone on earth yet? The answer why they haven't is simple, they kill their hosts before they have much of a chance to spread.

    That is why HIV is such an evil bug, it takes its time before killing its host, as well as taking plenty of time before an infection is apparent.

    Computer viruses are the same, one that destroys a PC or locks down files isn't going to get very far, while one whose sole job is reproduction will spread far and wide and cause havoc only because of its level of penetration and infection.

  7. Re:not minimal by b0r1s · · Score: 4, Informative

    For the record:

    The reason the risk to XP and 2k3 are minimal is that they require authentication for the particular vulnerability to be exploited, where Win2k can be exploited using a NULL session.

    Setting RestrictAnonymous=2 in the registry will disable null sessions and prevent infection on Win2k systems.

    --
    Mooniacs for iOS and Android
  8. Re:really... by jwgoerlich · · Score: 4, Informative

    I blame it more on crappy IT administration.

    And how! Almost all of my clients' machines are immune to this (though we patched anyways). Why? Because we disable anonymous connections (RestrictAnonymous registry key), which has been a recommended practice for YEARS.

    See the tech advisory: "Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users."

    http://support.microsoft.com/kb/q246261/

    http://www.microsoft.com/technet/security/advisory/899588.mspx

    The same thing happened with Slammer. The MSSQL servers we setup were immune out of the gate because they were setup properly from the get-go.
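
Comments 7 and 8 give the whole decision rule for this worm: MS05-039 installed means not affected; Windows 2000 with RestrictAnonymous=2 (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, as KB246261 documents) is not remotely exploitable by anonymous users; Windows 2000 without either is exposed over a NULL session; XP and Server 2003 require the attacker to already hold credentials. The following is an added example, not code from the posts or from Microsoft: it parses the output of a `reg query` of the Lsa key (the sample output and its column layout are constructed; real reg.exe spacing varies by Windows version) and applies that rule across an inventory so an administrator can see which hosts still need attention.

```python
import re

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` output.
# Assumption: the "name  type  value" column layout of reg.exe; exact spacing varies.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x2
    LmCompatibilityLevel    REG_DWORD    0x3
"""

VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_DWORD\s+(?P<value>0x[0-9a-fA-F]+|\d+)\s*$")

IN_SCOPE = ("Windows 2000", "Windows XP", "Windows Server 2003")


def parse_reg_dwords(text):
    """Map REG_DWORD value names to integers from reg.exe query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m["name"]] = int(m["value"], 0)  # base 0 accepts 0x.. and decimal
    return values


def assess_host(os_name, lsa_values, ms05_039_installed):
    """Apply the advisory's logic as quoted in the thread.

    Returns (severity, reason) with severity in {"ok", "low", "high"}.
    """
    if os_name not in IN_SCOPE:
        return "ok", "OS not in MS05-039 scope"
    if ms05_039_installed:
        return "ok", "MS05-039 installed"
    restrict = lsa_values.get("RestrictAnonymous", 0)  # absent value behaves as 0
    if os_name == "Windows 2000":
        if restrict == 2:
            return "low", "unpatched, but RestrictAnonymous=2 blocks anonymous access"
        return "high", f"unpatched and NULL sessions allowed (RestrictAnonymous={restrict})"
    return "low", "unpatched; exploitation requires authenticated access"


def triage(inventory):
    """inventory: iterable of (hostname, os_name, reg_query_text, ms05_039_installed).
    Returns {hostname: (severity, reason)}."""
    return {
        host: assess_host(os_name, parse_reg_dwords(reg_text), patched)
        for host, os_name, reg_text, patched in inventory
    }


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    hosts = [
        ("w2k-file01", "Windows 2000", SAMPLE_REG_OUTPUT, False),
        ("w2k-print02", "Windows 2000", "RestrictAnonymous    REG_DWORD    0x0", False),
        ("xp-desk17", "Windows XP", "", False),
        ("w2k-dc01", "Windows 2000", "", True),
    ]
    for host, (sev, why) in triage(hosts).items():
        print(f"{host:12} {sev:5} {why}")
```

The point of the "absent value behaves as 0" line is that a host whose query returned nothing for RestrictAnonymous is treated as exposed, not as unknown; that is the conservative reading and the one you want in a triage list.
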

  9. Re:Aren't all media reports of internet viruses by peculiarmethod · · Score: 4, Informative

    hsync and vsync value hack in the early days of Hercules and CGA cards, initiated with ASM code. and all those moderators who modded overrated need to learn more about hardware.

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
  10. "Turkey Virus" by alexhs · · Score: 5, Informative

    > Any links to validate this "Turkey Virus"?

    I've found that...

    > isn't the CRT physically designed to spread the electron beams evenly as to display a picture?

    No, it isn't a TV set. The VGA cable is really controlling the electron beam. Well, it was... now there is some embedded electronics to make adjustments and avoid damaging the tube (for example, using too high refresh rates).

    Try xvidtune under X,
    check the modeline doc in linux/Documentation/fb,
    read that link.

    (Now assuming you've read the last link and understand porch times)
    Your VGA cable basically sends five signals: red, green and blue controlling the energy of the three beams, and two sync signals controlling "next line" and "next screen". Usually porch times are constant, so you're drawing in a rectangle somewhere.
    Changing horizontal porch times will move the image to the left or right, or modify the image width.
    Changing vertical porch times will move the image to the top or bottom, or modify the image height.
    Constantly changing porch times result in waving effects (as reported in the first link).

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
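
The porch arithmetic in comment 10 can be made concrete with an X-style modeline. The following is an added example, not code from the post or from xvidtune: it parses the `Modeline "name" clock hdisp hsyncstart hsyncend htotal vdisp vsyncstart vsyncend vtotal` syntax, derives the line and frame rates and the porch widths, and shows the "move image left" operation as a change to the sync position only (which leaves htotal, and therefore the frequencies the monitor sees, unchanged). The 1024x768 timing used as sample input is the common VESA 60 Hz mode.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Modeline:
    name: str
    clock_mhz: float      # pixel clock
    hdisp: int            # visible pixels per line
    hsync_start: int      # end of horizontal front porch
    hsync_end: int        # end of hsync pulse
    htotal: int           # pixels per line including blanking
    vdisp: int            # visible lines per frame
    vsync_start: int
    vsync_end: int
    vtotal: int


def parse_modeline(text):
    """Parse an xorg.conf-style Modeline; trailing flags (-hsync etc.) are ignored."""
    tok = text.split()
    if not tok or tok[0].lower() != "modeline":
        raise ValueError("not a Modeline")
    nums = [int(x) for x in tok[3:11]]
    if len(nums) != 8:
        raise ValueError("expected 8 timing numbers")
    return Modeline(tok[1].strip('"'), float(tok[2]), *nums)


def timings(m):
    """Line/frame rates and the three blanking segments in each direction."""
    hfreq = m.clock_mhz * 1e6 / m.htotal      # lines per second
    vfreq = hfreq / m.vtotal                   # frames per second
    return {
        "hfreq_khz": hfreq / 1e3,
        "vfreq_hz": vfreq,
        "h_front_porch": m.hsync_start - m.hdisp,
        "h_sync_width": m.hsync_end - m.hsync_start,
        "h_back_porch": m.htotal - m.hsync_end,
        "v_front_porch": m.vsync_start - m.vdisp,
        "v_sync_width": m.vsync_end - m.vsync_start,
        "v_back_porch": m.vtotal - m.vsync_end,
    }


def shift_left(m, pixels):
    """Move the picture left by `pixels` (negative moves right).

    The visible pixels start a fixed time after the sync pulse, so delaying the
    pulse (bigger front porch, smaller back porch) makes the picture appear
    earlier relative to it, i.e. further left.  htotal is untouched.
    """
    new_start, new_end = m.hsync_start + pixels, m.hsync_end + pixels
    if new_start < m.hdisp or new_end > m.htotal:
        raise ValueError("sync pulse would leave the blanking interval")
    return replace(m, hsync_start=new_start, hsync_end=new_end)


def shift_up(m, lines):
    """Vertical counterpart: delay vsync to move the picture up."""
    new_start, new_end = m.vsync_start + lines, m.vsync_end + lines
    if new_start < m.vdisp or new_end > m.vtotal:
        raise ValueError("vsync pulse would leave the vertical blanking interval")
    return replace(m, vsync_start=new_start, vsync_end=new_end)


if __name__ == "__main__":
    m = parse_modeline('Modeline "1024x768" 65.0 1024 1048 1184 1344 768 771 777 806 -hsync -vsync')
    for k, v in timings(m).items():
        print(f"{k:14} {v:.3f}" if isinstance(v, float) else f"{k:14} {v}")
    print(timings(shift_left(m, 8)))
```

Front porch, sync width and back porch for that mode come out as 24, 136 and 160 pixels; shifting left by 8 pixels moves those to 32, 136 and 152 while the 48.4 kHz / 60 Hz rates stay the same. The range checks are what the comment alludes to with "embedded electronics": a sync pulse pushed outside the blanking interval is exactly the kind of out-of-spec timing a modern monitor refuses.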