ZOTOB Not Quite as Bad as Expected?
GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows operating systems, but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "
It is not a minimal risk for a Windows XP system to get infected. Not after Microsoft have changed their Windows Update program. I have a lot of friends struggling with properly securing their pirated version of XP.
Is that like h4cking teh gibson?
I want to delete my account but Slashdot doesn't allow it.
overblown? I think it all started at the Michaelangelo virus, where the media was telling everyone to turn their computer off on Mikey's birthday? It's gotten worse since then.
Anybody got a torrent?
Our language is a wonderful thing. Please stop using it.
From all that I've read on the news lately, it looks like the various variants are battling each other... so they may be keeping their own numbers down.
Hmmm, witty sig or funny sig? Maybe elitist techy sig!
It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.
Everyone that disagrees with me is a paid shill
'The worm only spreads to systems running on Windows 2000, XP and Server 2003'
This seemed funny to me, as if somehow not a significant portion of computers run those OSes.
I would like to name August the official Worm month.
August 2003: Sobig
August 2004: Sasser
August 2005: Zotob
What's next?
Nouvelles de jeux et technologies en français. TC
On the whole, this is probably the best thing that has happened to Microsoft lately - it'll encourage clueless managers to order that their company's systems be upgraded, with a release of Vista around the corner. It's amazing just how many businesses still rely upon W2k.
This worm, while not as bad as some we've dealt with in the past (Slammer/Sapphire, Code Red, MSBlaster), is still a pain. It is still likely to cause huge spikes in network traffic for infected networks. I've already seen an instance where hundreds of machines seemed to be infected and only the mitigation in place at the edge routing devices was able to stem the flow of traffic outbound.
This type of traffic has the potential to knock over routers/firewalls. I've seen it before and I have seen it this time as well.
it is better to light a flame thrower than curse the darkness. -Terry Pratchett Men at Arms
Lucky Windows 3.0 users can be at ease.
It's been pretty hairy here, inside the walls of a Fortune 500 company. Probably because we have so many variations of Windows in our lab, it was all over the place. People who had kept up to date and patched weren't hit bad (I'm on XP SP1), but we were creating ad-hoc teams all afternoon yesterday trying to get things clean.
In some ways, this was a bigger deal than Sobig.
Tim
This worm is definitely a problem. Just ask all the IT support staff out there who have lost sleep for the past few days patching systems, updating anti-virus, and chasing down infected workstations. Granted the world did not implode on itself because of this virus, but I can guarantee that it will cost organizations quite a bit because of it.
Patch caused errors in 3rd party software. Not enough lead time to do proper regression testing. News at 11, if they get their computers fixed.
They make no mention of Vista being susceptible...I think the only way to protect ourselves is to upgrade to the new version of SuperWindows!
yesterday on NPR they were going off about how it had infected ABC, CNN et al. and they had been reduced to writing their copy on typewriters.
I'm sure as far as the news outlets were concerned this is the worst virus since organized religion (Snow Crash reference)
Petyr Rahl
People who hate Windows write worms and viruses designed to discredit the operating system and cause mass chaos.
People who hate Microsoft pirate Windows (see the first reply to this article) or refuse to authenticate it in an effort to defy the M$ empire and therefore cannot utilize the patches designed to keep their system safe from other Microsoft haters.
So now honest companies and hard working individuals must spend time and money trying to protect their systems because of some anti-Microsoft zealots who are the same people complaining that they can't patch Windows 'cause they stole it?
The company I work help desk for got hit by Zotob on Monday Morning, and by 7:20 it had taken down several servers and most of the computers in one section of the company. We are actually still patching and scanning systems, they shut off the wireless network when it started and just turned it back on today. They had turned off access to shared drives through VPN and are scanning all laptops that enter any of the buildings before they let them into the main area. I would like to know who it is that let this into the network and give them a nice punch in the nose. I am sure they hope no one finds out as it probably cost the company several millions in downtime.
-- Any comments seen here are not mine, but a mixture of alcohol and lack of sleep.
Zotob is affecting more than Windows machines. Case in point: the network is really slow (via the Windows garbage), which is making Slashdot load slow for me, and I am running Solaris. Grr.
Yes! I listen to NYC Speedcore and do math at 3AM. I suggest you try it too.
Why in the world is this listed as a mitigating factor? Is there really that large of an 95/98/NT base left?
Now the submission says "propagated on the internet", as it should have all along. Don't you subscribers point this stuff out to the 'editors' ?
I want to delete my account but Slashdot doesn't allow it.
When was the last time a big Windows-based worm went around that didn't already have a patch available? Some of the biggest (say, Blaster) had been patched months before!
What's happened is that the bad guys have gotten faster at exploiting the vulnerabilities once they're disclosed. Meanwhile, the vendors have been trying to convince everyone to update as quickly as possible. That's why it's hard to argue against automatic updates (or at least semi-automatic, as in timing it so that an admin is on hand to fix any problems that pop up).
The story here is that a worm zoomed across the net less than a week after the hole it uses was patched. It's not the extent (which the media overstated) but the speed.
Both the Symantec link and the F-Secure link state that only Windows 2000 machines were affected.
F-Secure Writes: "The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected."
The Witty worm spread much faster despite the very small base of susceptible hosts (only about 12,000 total that had some old version of some firewall software). Witty had a doubling time of only a couple minutes and nearly saturated (infected all susceptible hosts) in less than one hour.
A modern worm should be able to spread extremely quickly -- sending out hundreds of infectious packets per second if the payload is small (Witty's was only 637 bytes). If only 1 in 10,000 machines is susceptible, then a worm spewing 100 randomly addressed packets per second should double the number of infected machines every 100 seconds. I'd wager that the number of Zotob-susceptible machines was much greater than only 1 in 10,000, so Zotob should have spread faster. If anyone ever creates a worm that can infect even 1% of IP addys, it would double every second and saturate the net within the first minute or so.
Why didn't zotob spread faster?
Two wrongs don't make a right, but three lefts do.
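The doubling-time reasoning in the post above can be made concrete with a small random-scanning worm model. This is an added example, not code from the post or from any vendor write-up; it assumes uniform random scanning of an address space of `address_space` hosts of which `susceptible` are vulnerable, and it uses the post's illustrative numbers (100 probes per second, 1 in 10,000 susceptible) only as sample inputs.

```python
import math


def growth_rate(scan_rate, susceptible_fraction):
    """Expected new infections per second per infected host early in the outbreak.

    With uniform random scanning, each probe lands on a susceptible host with
    probability susceptible_fraction, so an infected host producing scan_rate
    probes/s yields scan_rate * susceptible_fraction new infections per second.
    """
    rate = scan_rate * susceptible_fraction
    if rate <= 0:
        raise ValueError("scan rate and susceptible fraction must be positive")
    return rate


def doubling_time(scan_rate, susceptible_fraction):
    """Seconds for the infected population to double while nearly every
    susceptible host is still clean (exponential phase)."""
    return math.log(2) / growth_rate(scan_rate, susceptible_fraction)


def seconds_to_saturation(scan_rate, susceptible, address_space,
                          initial=1, target=0.99, dt=1.0, max_seconds=10**6):
    """Deterministic logistic simulation of the outbreak.

    Each step, every infected host sends scan_rate*dt probes; a probe converts
    a host only if it hits one of the (susceptible - infected) still-clean
    vulnerable hosts, which happens with probability
    (susceptible - infected) / address_space.  Returns the simulated seconds
    until `target` of the susceptible population is infected, or None if the
    outbreak has not reached that point within max_seconds.
    """
    infected = float(initial)
    t = 0.0
    while infected < target * susceptible:
        if t > max_seconds:
            return None
        clean_fraction = (susceptible - infected) / address_space
        new = infected * scan_rate * dt * clean_fraction
        infected = min(float(susceptible), infected + new)
        t += dt
    return t


if __name__ == "__main__":
    # Sample inputs (constructed from the post's illustration, not measured data).
    print("1 in 10,000 susceptible, 100 probes/s: doubling every "
          f"{doubling_time(100, 1e-4):.1f} s")
    print("1% susceptible, 100 probes/s: doubling every "
          f"{doubling_time(100, 1e-2):.2f} s")
    print("Time to 99% of 10,000 hosts in a 100M address space: "
          f"{seconds_to_saturation(100, 10_000, 100_000_000):.0f} s")
```

The exponential-phase doubling time comes out at ln 2 / (scan rate x susceptible fraction), about 69 s for the post's 1-in-10,000 case rather than the 100 s the back-of-envelope estimate gives, because new infections start scanning immediately rather than at the end of each 100-second interval. The logistic simulation also shows why a small susceptible population (as with Witty) still saturates quickly once the scan rate is high: the time to saturation grows only with the logarithm of the population size.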
Once we control the spice, we control the worm.
It's striking how nice the virus writers are to the antivirus companies. Most viruses do just enough damage to require ongoing spending for antivirus tools and upgrades, but not enough to make users switch to, say, Linux. There are exceptions, like the virus that encrypts data on the hard drive and demands payment in E-gold, but those are very rare. Few viruses erase data. Few do things that would make removal impossible without physically opening the computer, like modifying the BIOS so it can only boot from the hard drive. The mainstream viruses seem to be carefully tuned to optimize the revenue stream of antivirus and upgrade vendors.
Somewhere there's a reason for this.
Of course these lessons bring up another argument: over the last 10 years a lot of non-computer people or hobbyists/tinkerers have been put in admin positions. Therefore many of them do not understand the weaknesses of networks and the strengths of each OS out there until someone smacks them with a large chunk of data loss, network downtime, or company embarrassment. Now that they have learned this lesson, what will be the next one? And could this have been avoided had the companies not used the "buddy system" and hired competent professionals in the first place?
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
This malware outbreak received disproportionate media coverage, because it hit media outlets first and hardest.
org.slashdot.post.SignatureNotFoundException: ewg
Given that you have to do such a big song and dance just to get the patches (yeah, yeah, it is at work at for a legal copy), what are the chances of getting zapped while you are downloading everything?
The other big hassle with Win2K patches is that some of the patches (835732 -- the Sasser patch -- and 889293 and some others) bolex up IE from working. So I am supposed to switch to Mozilla or whatever, but d'ya suppose Microsoft would like me to still use IE? Patching this one W2K machine is this big sifting and winnowing process of endless reboots to load/remove patches to find out which patches I can take and which ones I cannot.
Funny thing is that I had the problem on one W2K machine, and the problem was not so much IE as some Explorer component that I couldn't start Control Panel without a crash, but it required an IE reinstall to roll back. That machine is now fully patched because MS, bless their black little hearts, must have patched the patches.
This other machine however only had a problem with IE crashing on startup if I installed some patches and has been a pain to maintain. I have virus checked and spy checked and registry checked the darn thing all up and down to see if some malware is involved, to no avail. Currently I am afraid to switch this machine on, although it is behind a firewall and it is SP4.
Wow, you've been reading too much sci-fi. Lay off the crack.
:)
If there are factions, it's just a bunch of 14-year-old Windows users that prefix their IRC nick with their clan name, e.g. [VWF]h4x0r is a member of [V]irus [W]riters [F]orever. They can't offer you an "expert protectionism", whatever the fuck that is, because they're too dumb. Have you seen the code to some of these things? Crap.
Again, there aren't any "viral factions"; you need to unsubscribe from the space channel, any MMORPGs or other online games you own, burn your sci-fi books and get some fresh air.
Cheers
The CNN coverage was probably due to CNN still using Windoze 2000, which we use here at NBC for all of our desktop computers.
Mind you, we also have high end workstations running Avid Newscutters and the DS that are based on XP but for desktop use, it's strictly 2000.
It is quite possible that news ops software, like Avid's iNews (a very necessary script-writing, show organizing and newswire access tool that almost every news organization uses) does not work or is not supported on XP. It may also be an issue that XP requires better hardware (highly likely) than 2000 and large, worldwide organizations like CNN, ABC, NBC, CBS, BBC and so on are highly dependent on that version of Microsoft's OS.
So, at least in their case, the hysteria at CNN may have been warranted.
Gods don't kill people, people with gods kill people.
Isn't that like saying, "AIDS only infects those people having sex, and the possibility is minimal?" Sorry, in Risk Management, a risk is still a risk that needs to be mitigated. We've all seen examples (whether in our workplaces or in the news) of times when users have had this lackadaisical attitude about viruses that have brought an organization's network down and clogged the internet.
Bottom line: patch your Windows environment.
It is not our abilities that show what we truly are... it is our choices.
San Diego County Government had 12,000 workstations crash.
People couldn't do ANYTHING connected to the county.
They had 3,000 systems up today.
Wonder if I can apply for the sysadmin job?
You can't talk about Wikipedia's flaws on Wikipedia
Kneel before ZOTOB!
"Made up/misattributed quote that makes me look smart. I am on
I don't know if it was "minimal" elsewhere, but it hit GE Transportation really hard. We had two sites go down completely (no network, no computers), including HQ in Cincinnati. The sites went completely offline around 3pm, and I can only assume the poor techies had to stay all night to patch each computer on campus manually (because they won't stay on, always rebooting). When I got to work the next day, we all had a specific set of instructions to do to complete the patching process. They really lost a fortune on this one.
Microsoft's decision to no longer patch pirated installations has a few unintended consequences. There is now a base of unpatched machines that any new worm will likely be able to exploit. If a greater fraction of machines are unpatched, a greater fraction of infection attempts will succeed, and the worm will spread faster. A faster-spreading infection means more legitimate Windows users will be infected before they patch (although the auto-updating feature of Service Patch 2 will help with this).
And of course, that population of never-patched machines affects everyone who uses the internet, regardless of their operating system.
Deletes the following registry values:
.
.
.
"MyWebSearch"
"WINDOWS SYSTEM"
"Zotob"
"MyWay"
"WeatherOnTray"
"Apropos"
"IBIS TB"
"TBPS"
"Toolbar"
"Hotbar"
"CMESys"
"NavExcel"
"ViewMgr"
"eZula"
"EbatesMoeMoneyMaker"
"Ebates"
"AutoUpdater"
"Gator"
"Trickler"
"QuickTime"
"GatorDownloader"
"eZmmod"
"Viewpoint"
"TkBellExe"
"180"
"WinTools"
"Real"
"QuickTime Task"
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
A stupid question: would a standard software firewall (say XP SP2 firewall) prevent this attack?
If so, why is there such a high risk. Surely everyone runs firewalls these days?
James
http://www.reeb.freeserve.co.uk
but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "
The article is wrong; Zotob has variants that infect 9x thru 2003. You can look at the summaries on Symantec. As a PC support person at a very large company (one of the ones mentioned on CNN when they talked about Zotob), this is certainly the worst virus I've had to deal with.
Just the ones that 90% of people who use Windows use. Don't worry, your computers running DOS, Windows 3.1, 95, 98 and the wonderful ME cannot be infected.
How odd that this worm should attack W2K so severely, and W2K3/WXP not so severely, just as Microsoft is dropping sales of W2K, and urging W2K users to upgrade, including draconian herding techniques like discontinuing W2K automatic update support.
Now, even if MS hasn't created this worm, or released it into the wild, or deprioritized fixing bugs in W2K for it to exploit, or overhyped its danger to create "relief" that its favored W2K3/WXP products aren't at as much risk... don't you think the people over at the "W2K extinction department" in Redmond are very happy about this bad news? That's an incentive to neglect security. Like the sheepdog carpooling with the wolf.
--
make install -not war
hard to feel sorry for the people still running windows, how many times does the car have to break down on the freeway before you trade the SOB in for something reliable?
what is it called when you continue the same behavior and expect different results?
All patch management issues aside, how hard would it be to simply:
- Firewall your networks, on *both* sides
- Limit access of portable computers
Worm exposure would be greatly mitigated by those things alone.
Throw in mail filtering/scanning/content quarantining, and virus risk is greatly reduced as well.
If you don't secure your networks, regardless of which systems you run, you'll regret it, eventually.
Personally, I'm more worried about machines that run full-time, sometimes for weeks without being checked, in labs.
A few were infected here at the UW.
-- Tigger warning: This post may contain tiggers! --
Myself I ended up at work 20 hours on Monday this week patching servers. Given that we have about 500 servers in our environment with one person doing the patching this wasn't so bad.
We ended up with a lot of problems because of this worm... less because it actually caused problems with the machines but more because we could see machines constantly trying to infect one another. It wasn't pretty. Our workstations were most at risk, being the largest installed base but also running Windows 2000 SP3 (not SP4 unfortunately). No patch has been generally released for SP3 WSs, but a custom patch IS available from Microsoft if you request it. Due to other factors in play, we have elected to upgrade to SP4 and install the appropriate hotfixes. This is not going to be pretty over about 10,000 workstations.
See, what some people miss when they say that any infection may be due to bad administration is simply that we're dealing with huge numbers of machines, both servers and workstations that are potentially vulnerable. Due to application compatibility and tested standardized platforms we often don't even get the option to keep stuff up to date. The only reason we even have Windows 2003 servers in place today is because we forced the issue with our Corporate guys when we implemented Active Directory; we informed them that we had a need for functionality not provided by Windows 2000 AD (which was true). There is a project currently under way to test Windows XP for rollout, but honestly chances are that Vista will be shipping by the time we even reach 50% rollout mark.
So, why the rant? Well, it must be understood that jumping on the latest patches is not always an option in the corporate environment. Also, jumping on the operating system bandwagon is rarely an option because there's a lot of regression testing that has to be done. Hell, there are some instances where we're having to push the application vendors to support Windows 2003 Servers in our Citrix environment because they've never tested it. Welcome to the realities of Corporate IT.
Are there solutions? Sure! However, none of them are acceptable to most corporations. Linux is not an option, neither is OSX. In both cases we come back to the legacy support issue. Citrix to share the applications? Great... but you're only redirecting the problem to the server farms, not eliminating it. Real world Corporate IT is not as black and white as people would like it to be, myself included.
This virus gained traction because most corporations work this way. It wasn't helped by the fact that McAfee and Symantec both waited two days after the virus was discovered to release a signature update that recognized it.
One positive thing though; this virus is forcing the management to finally listen to my department's complaints that we need to be more proactive about patch management, and this time stuff might get done. We've got a long way to go, but this should be the start of something better.
The mitigating factor is that it attacks a code path that is disabled by default on Windows XP and Windows 2003. So you probably aren't vulnerable anyway.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
A virus could easily be extremely malicious, yet unlikely to be detected for days.
For example, it would be relatively simple to write a virus which had a database of common names, and rude words to replace them with. It would know enough about Word's file format to seek out Word documents and quietly switch the names. You could do the same with web pages.
Most businesses wouldn't notice, until someone sent a letter to a major client starting "Dear Dick Head..." or the press wondered why the CEO's web page called him "Fat Crook".
You could even make the substitute words the same length as the search words, so you wouldn't need to understand the file format and wouldn't need to rewrite files. Target the newest files first for maximum effect, or target the oldest files first for longest time before detection. You might even manage to hold out undetected for long enough that people's backups would be corrupted too.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
This is part of the first wave of "it's not so bad and it is the victim's fault anyway" press releases, which will be followed shortly with the 'any operating system is vulnerable to viruses' wave of press releases, followed by the 'Windows Vista is much more secure and everybody should upgrade' press releases. The only amazing part is that Windows users never seem to catch on. Somebody who bought three Ford Pintos and somehow managed to survive when they all burst into flames would probably think long and hard before buying a fourth one. Windows users? Not a chance.
In addition to the Fortune 100 company I work for, it has had significant impact on GE, UPS and SBC. I know it has hit us harder than any other malware to date.
Microsoft is claiming that the impact is very limited. That alone should cause the contrarian Slashdot types to suspect this is a big problem.
iNews - It runs on XP - perfectly. Running 2.1.1.2 with no problem (I personally prefer other systems, but hey)
(Back to coding some stuff against the iNews API - later)
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
Granted, I deal only with about 150 users, over about 6 companies, however, I haven't even had a reported case of this worm.
The only excuse for an administrator having a problem with this, is if the patch is incompatible with some or other software.
Any competent administrator knows:
WSUS works like a charm, you can tell it to check for updates every day, and then all clients on the network can be forced to apply the patches.
There are instances where WSUS cannot really help much:
It's called preventative maintenance, you can replace your brakes after they fail, but if you do it before they fail, it saves you having to repair the rest of your car as well.
In summary, all administrators from companies that run a domain controller, and have a reasonable amount of resources, should NOT have experienced any major outbreak. So stop whining, clean up your mess, do your job properly now and avoid future problems.
Would you point me in the direction of a *nix that has NEVER had more than one security issue? I just want to run something absolutely perfect like you do...
Thanks
I read
rob-bot
Actually, what I've suggested is blocking tcp port 445 to *public* networks, not the lan.
I thought that much was obvious. Guess I was wrong.
Thanks for pointing that out, genius.
Why didn't MS include that little feature in a W2K SP or other patch years ago?
--
make install -not war
What's next?
August 2006: Longhorn
Well, it will propagate itself through the internet.
Illegal? Samir, This is America.
Just some anecdotal evidence from the dshield mailing list. The patch appears to either restrict COM access or reset permissions that the admin had put in place. Veritas backup was mentioned, as well as a lot of custom COM apps. I didn't see anything about COM issues in their tech bulletin.
Just a curious question:
Are there any systems that could be set up to locate clients (say in a LAN) attempting to propagate worm infections, and then pass on an autopatch or something similar to clean it out (using whatever exploits/backdoors the worm opens or got in with)?
Alternately, how about something that would deny those machines access to the network, perhaps by having a master password on local routers and commands capable of directing traffic from infected machines (on infection ports at least) to the bit-bucket.
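Locating hosts that are trying to propagate, as the question above asks, is the detection half of that idea, and it needs no knowledge of the worm's code: a host that is attempting to spread SYNs to many distinct neighbours on the same service port in a short window, which no ordinary workstation does. The block below is an added example, not code from this thread or from any product; it runs a sliding-window scan detector over constructed flow records (timestamp, source, destination, destination port, TCP flag) and uses TCP/445, the port mentioned elsewhere in this thread, as its sample port. The threshold and window are assumptions to be tuned per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line):
    """Parse one constructed flow record: '<ISO timestamp> <src> <dst> <dport> <flag>'."""
    ts, src, dst, dport, flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flag


def find_scanners(lines, port=445, window=timedelta(seconds=60), threshold=20):
    """Return {src: max_distinct_targets} for every source that sent SYNs to at
    least `threshold` distinct destinations on `port` inside any `window`.

    Repeated connections to the same destination (a client talking to its file
    server) never count more than once, so they do not trip the detector.
    """
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, flag = parse_flow(line)
        if dport == port and flag == "S":
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # advance the window start until the window is at most `window` long
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def _constructed_sample():
    """Constructed flow records (not captured traffic) with one sweeping host,
    one chatty but benign file-server client, and a few background flows."""
    base = datetime(2005, 8, 16, 7, 12, 0)
    lines = []
    # sweeping host: one SYN to each of 40 neighbours within 20 seconds
    for i in range(40):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()} 10.1.4.23 10.1.9.{i + 1} 445 S")
    # benign client: 30 connections to the same file server
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.1.4.50 10.1.2.10 445 S")
    # workstation browsing a handful of shares, below threshold
    for i in range(5):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 10.1.4.51 10.1.2.{11 + i} 445 S")
    # unrelated web traffic on another port
    lines.append(f"{base.isoformat()} 10.1.4.52 10.1.3.1 80 S")
    return lines


SAMPLE_FLOWS = _constructed_sample()


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: SYNs to {n} distinct hosts on tcp/445 within 60 s")
```

The dictionary this returns is the input to the second half of the suggestion: an operator (or an automated job) can feed the flagged sources into whatever access control the switches or routers already offer, rather than attempting to clean hosts over the network. Counting distinct destinations per source, instead of raw connection counts, is what keeps a busy but legitimate file-server client from being cut off along with the infected machines.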
No it shouldn't!
If you don't know where you are going, you will wind up somewhere else.
It's been like firemen at an oil fire at a few GoA servers. My ministry hasn't been hit though, yet.
A couple days ago our IT director sent out an email saying: "Would you please refrain from using the Internet immediately until we have taken the appropriate actions to prevent the virus."
And today we've been asked not to download anything, don't use Messenger and to bring any laptops to them for worm inspection prior to connecting to the network.
So I took my iBook back to them and asked them to check for worms. :D
Sweetie, you talked me into it. Actually my ancient W2000 Server just finally croaked. It wouldn't even load explorer.exe so no desktop. The only thing running was a probably bogus update.exe. So I am going back to Linux. I am trying the Ubuntu distribution this time; I used to be a Red Hat user. I don't know if it was this virus or not. It doesn't matter. There is no reason for me to run Windoze at home any more. I support the more modern user at work.
The only reason it was a story at all was that it hit the media companies..
---- Booth was a patriot ----
here - they brag about having just one in 8 years. It IS possible to be fairly tight, but Msft has a long history of exploiting the right of not having any legal responsibility for whatever they slop out to customers. Why? They don't have to - it's the default os automatically bundled in with most computers whether the customer wants it or not.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Interesting, though...is this a case where security through obscurity would have worked better? The way it is going, even if a patch is ready to be deployed the instant a vulnerability is disclosed, it is still massively exploitable in the window of time between announcement and disclosure. Perhaps if "mystery patches" were deployed and then the vulnerability disclosed later...but the whole public disclosure thing sure doesn't seem to be enhancing security in these cases.
If you don't know where you are going, you will wind up somewhere else.
> Any links to validate this "Turkey Virus"?
I've found that...
> isn't the CRT physically designed to spread the electron beams evenly as to display a picture?
No, it isn't a TV set. The VGA cable is really controlling the electron beam. Well, it was... now there are some embedded electronics to do some adjustments and avoid damaging the tube (for example, by using too high refresh rates).
Try xvidtune under X,
check the modeline doc in linux/Documentation/fb,
read that link.
(Now assuming you've read the last link and understand porch times)
Your VGA cable basically sends five signals: red, green and blue controlling the energy of the three beams, and two sync signals controlling "next line" and "next screen". Usually porch times are constant, so you're drawing in a rectangle somewhere.
Changing horizontal porch times will move the image to the left or right, or modify the image width.
Changing vertical porch times will move the image to the top or bottom, or modify the image height.
Constantly changing porch times result in waving effects (as reported in the first link).
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Who comes up with these names? ZOTOB sounds like some sort of new drug that treats heartburn, or allergies, or cholesterol or something.
"Ask your doctor if ZOTOB is right for you!"
Tired of FB/Google censorship? Visit UNCENSORED!
Then I would suggest my second idea, which is these companies have rolled out so many Windoze 2000 computers that won't run XP well that they're now depending on that OS.
Else there is a different application that is problematic that we rely on. Heck, within this organization, I cannot set up a computer to print to an area Canon printer without calling IT. And our printers are pretty close to "unfindable" as they're named things like "\\LA12PNEWSNBCGE\NN536S Producer - HP 4050" instead of something that is easy to remember.
Gods don't kill people, people with gods kill people.
Yeah - I'd say your 2nd idea is on the money - see a lot of PII-233s running around with 256meg memory, including in places like control rooms.
I also think there is a lot of "if the user does not ask for, and make a business case for an upgrade, why should we change it"
and as for bad printer names, the one down the hall has a name listing it 3 buildings over, on another floor, and as the wrong type!
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
anyone remember the Wazzup virus? It attacked MS Word and would randomly place the word "wazzup" in your document when you saved it or printed it. God it was beautiful. So many book reports with "wazzups" circled in red ink....
People wazzup aren't creative like that anymore.
Why stick up for big business?
On rereading my post, I don't notice anywhere that I stated that all operating systems were 'perfect' w/r/t to security, just as no car model is completely immune from the possibility of bursting into flames. What I was suggesting is that Microsoft spends significant amounts of money trying to persuade users that the degree of security problems that are present in Windows that can be automatically exploited is 'normal'. It is not. None of MacOS, OpenBSD, FreeBSD, Linux, Solaris, AIX, HP_UX, IRIX, Unixware, etc. have perfect security, however, they all have orders of magnitude better track records than Windows with regard to remote exploits.
Sure, it mighta been a pain in the ass, but much less than cleaning up tons of infected desktops/laptops.
In a recent turn of events, it was found that the Microsoft Corporation was actually the creator of the ZOTOB worm. The monopoly's intent: to push pirates to either buy the operating system (in order to receive updates from the Genuine Advantage Program) they probably primarily play video games with, or once and for all switch to the Linux operating environment, polluting the community with fools.
I know this has been hashed over a thousand times on /. already, but there are two relevant replies to this:
1. Microsoft apologists always try to blame the sysadmins. But one of Microsoft's marketing threads has always been along the lines of: "Unix and Linux are complicated and you need to pay a lot for experts who understand these arcane systems. Windows is so easy, even a trained monkey can administer it, which lowers your TCO!" So they encourage managers to devalue competent system administration, then turn around and say, "if something goes wrong, it's because your sysadmins aren't smart!"
2. How long was the patch available? Any Windows sysadmin (especially a smart one) knows you don't add patches to a large organization without thorough testing, because they have a history of breaking existing systems, especially those with a lot of third-party apps and/or custom configurations. (I'll give MS the benefit of the doubt and assume it's due to lack of adequate testing rather than deliberate.) A lot of MS shops are still testing SP2.
How come when I install all the updates to XP in order to keep my network safe from this new worm, it creates a new account called "ASP.NET something something blah blah" and forces users to a login screen that confuses the hell out of them on boot? Seems like a quick-fix workaround for some problem that MS decided they didn't really have time to fix properly, and it means I have to go around and delete the newly-created user from every machine.
Somebody who bought three Ford Pintos and somehow managed to survive when they all burst into flames would probably think long and hard before buying a fourth one.
The manufacturer told them they just had to change the oil regularly and it wouldn't catch on fire anymore, so they bought 10 more.
Standard apologist claim. But they never explain why Apache has three times the market share of IIS, but IIS has the worse security record.
Also... you have no credibility to say "but I don't have to go after M$ to discredit them" as you do go after them with your oh so clever use of the dollar sign.
OP was talking about people writing viruses to discredit MS. But hey, putting a dollar sign in an online comment is just as bad, right?
And if you leave off the dollar sign, aren't you then matching the common abbreviation of a certain crippling disease? (Some on /. might find that more appropriate, actually.)
> 'Contrary to many reports that the ZOTOB worms can infect Windows 95, 98, and ME, and NT, these platforms are not susceptible to the vulnerability.
Aha! I knew my persistence in continuing to run Windows 98 instead of XP would pay off some day!
Also consider the number of laptops that media outlets use. That's the primary infection vector for these worms.
Conformity is the jailer of freedom and enemy of growth. -JFK
I work at a small Canadian bank. The whole company uses w2k desktops. On Tuesday and Wednesday I spent my entire shifts playing poker while around us computers continuously rebooted. Without net access all kinds of rumours developed about how the worm was affecting the rest of the world. Our only communication with management was occasional typewritten faxes.
Of course at my office we have ZERO problems because a) we're all patched b) my antivirus is up to date and c) all my users run with only user level permission.
But ah, their home computers that I fix on my off time, they are GOLD!
Vote Quimby!
This worm exploits the MS05-039 vulnerability, which is a stack overflow in the Windows Plug and Play service. As the writeup of the exploit in the Metasploit Framework put it "[s]ince the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot."
Randy.Flood@RHCE2B.COM
Windows users? Not a chance.
Y'know, there's a fair few of us Windows users who have yet to catch a virus, or be infected with spyware, or get rooted.
Sure, I see others crashing and burning, but then I've known people knocked down and killed crossing the road; yet I still cross. I just take sensible precautions, and take my chances.
It's official. Most of you are morons.
I initially bought my PC for my children with the good intentions of helping them in school. I had no idea they would witness penetration of this magnitude. There was penetration of their PC, penetration in their friends' houses, and penetration of major corporations. Penetration was running rampant. This lawsuit will follow the righteous path set by Senator Clinton against the 'hot coffee' crack. If we don't draw the line in the sand to stop virus penetration in front of innocent children who will? Senator Clinton thinks of the children, so should you. Call your congressmen and congressional women to stop virus penetration today!
Actually they'd probably upgrade to a Ford Explorer 'cos the pinto isn't made anymore.
I don't know about other packet-filtering software firewalls, but Sygate's does a CRC check on the process's EXE before granting it access. A process has to have (at least) the right EXE path, name, and CRC to get to the network. In this way, Sygate detects patches and updates, and should detect rootkit patches and EXE infections too.
It's true that naming a worm process "explorer.exe" or something would increase the worm's chances of obtaining a human's permission to get through a firewall, but it wouldn't be automatic or invisible.
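The check the comment above describes (path, name and checksum must all match before a process gets network access) is easy to reproduce in a few lines. The block below is an added example written for this page, not Sygate's code or anything posted in the thread; it uses SHA-256 instead of a CRC, and the file names, directories and program bytes are constructed for the demonstration.

```python
"""Added example (not from the thread): a per-process network allowlist that,
like the Sygate check described above, requires the executable's path, name
and a checksum to match before the process is allowed out. SHA-256 is used
rather than a CRC so a modified binary cannot be made to collide cheaply."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    path: str    # absolute path the rule was created for
    name: str    # file name, what a user sees in the firewall prompt
    sha256: str  # digest of the file contents at approval time


def fingerprint(path):
    """Hash the executable on disk in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_rule(path):
    """Record the rule the way a firewall would when the user clicks 'allow'."""
    return AllowRule(os.path.abspath(path), os.path.basename(path), fingerprint(path))


def check_process(rules, exe_path):
    """Return (allowed, reason). Name, path and hash must all agree with one rule."""
    abs_path = os.path.abspath(exe_path)
    name = os.path.basename(exe_path)
    by_name = [r for r in rules if r.name == name]
    if not by_name:
        return False, "no rule for this program name"
    rule = next((r for r in by_name if r.path == abs_path), None)
    if rule is None:
        # Same file name, different location: the "call it explorer.exe" trick.
        return False, "name matches but path differs (possible impersonation)"
    if fingerprint(abs_path) != rule.sha256:
        # Legitimate patch, update, or an infected/trojaned binary: either way, re-prompt.
        return False, "executable changed since the rule was created"
    return True, "ok"


def demo():
    """Constructed scenario: approve one program, then plant an impostor and modify the original."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "app", "editor.exe")       # constructed path
        os.makedirs(os.path.dirname(good))
        with open(good, "wb") as f:
            f.write(b"MZ original program bytes")          # constructed contents
        rules = [make_rule(good)]
        results["unchanged"] = check_process(rules, good)[0]

        impostor = os.path.join(d, "tmp", "editor.exe")   # same name, other directory
        os.makedirs(os.path.dirname(impostor))
        with open(impostor, "wb") as f:
            f.write(b"MZ something else using the same name")
        results["same_name_other_path"] = check_process(rules, impostor)[0]

        with open(good, "ab") as f:                       # original binary altered in place
            f.write(b" appended bytes")
        results["modified_in_place"] = check_process(rules, good)[0]

        results["unknown"] = check_process(rules, os.path.join(d, "app", "other.exe"))[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The point the comment makes survives here: a process that merely borrows a trusted name still fails on path, and one that patches the trusted binary in place still fails on the digest, so the user gets prompted again instead of the connection going out silently.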
It didn't get much press attention, but the researchers are all still very interested in The Witty Worm. It did something similar to your suggestion, and demonstrated that a worm can be destructive without limiting its propagation -- saturate first, then destroy. It also saturated a niche population of systems (much smaller than the Macintosh market, whose security record people incorrectly attribute to the smaller number of systems).
Modern worms can spread so rapidly that a small delay in the destruction, as you suggest, is all that's needed. If you saturate the entire target population in an hour, and start erasing random bits from the hard drive, tremendous damage could result. If a worm like Witty had exploited MS05-039, we would see a few hundred thousand wrecked systems today.
Why don't we see that? Because these worms are designed to build fleets of useful systems, gather information, steal identities, log keystrokes, collect passwords, and all manner of really nasty stuff.
The victims would be far, far better off if the worm merely waxed the hard drive.
These worms wouldn't be able to achieve their aims if they wrecked the C: drives. The "non-destructive" nature of these worms gets widely reported, because people don't understand that these systems are remotely controlled by hostile attackers from outside the corporate network from the early moments of the worm outbreak. Hey, the system still runs and users can still get their corporate email, so it can't be that bad, right? This remote control stuff is theoretical, right?
Wrong. This crop of worms is efficient, and very, very nasty. I have an IRC session log which shows literally hundreds of MB of files being stolen from infected computers, and many MB of files downloaded and executed on those same systems. Files that are not recognized by AntiVirus, files that don't get cleaned up with the magic bullet clean up tools. It also shows the bots responding when a firewall rule was put up to block the initial IRC connection. These bots are becoming smarter all the time, and these are definitely not "gentle peaceful worms" that seek only to spread from system to system.
If you mod me down, I shall become more powerful than you could possibly imagine.
Yes, for a time it was possible to instruct the video hardware of a PC to change the scan rate of the monitor to values high enough to damage the monitor. If your monitor is anything remotely new it has built in circuitry to protect it. I have a monitor that is over 5 years old with that feature--it cannot be broken in that fashion.
Furthermore, all cards older than super VGA have locked scan rates--IT IS TOTALLY IMPOSSIBLE to change the scan rates via software of any kind on original VGA or anything older than that (including old non-PC platforms, except maybe the Amiga but I doubt even that). The only way to do so would've been to swap the crystal on the card that ran the dot-clock and no virus could do that of course.
The original poster talking about "directing the beam" and starting a monitor on fire is completely full of sh1t. Unless someone had physically altered a system, there has never been a commercially available PC that was capable of such a feat through software. It is not possible to directly control the position of the electron beams of a monitor without disassembling it and messing with the circuitry to essentially turn it into a 3-beam oscilloscope.
The best you can do is set horizontal and vertical sync pulse timings--those are the only physical signal inputs to a monitor which control scan rates, otherwise the beam must follow the left-to-right/top-to-bottom raster pattern hard wired into the monitor. Also, setting the scan rate to zero would NOT cause the beam to stop on the picture tube and burn a hole in your display. The beam would reach the end of the scan line and the horizontal deflection circuit would wait for the horizontal sync pulse--past the right edge of the display area of the tube. If the sync does not arrive in a timely fashion the vertical and horizontal deflection circuitry resets entirely and the beams turn off--basically this turns off the monitor display entirely and this is how ALL VGA multisync monitors have always behaved--even the ones that could be ruined by "over clocking" could not be damaged by underclocking--once you got down lower than CGA level the sync pulses were too long and the whole display would shut off.
I just have to shake my head when I hear such nonsense in various virus hoaxes--like one that went around saying if you opened an email it would erase your hard drive (that friggin "good times" hoax--as if reading an email in PINE would kill your hard drive). I had to explain over and over again to people that no--it is IMPOSSIBLE to erase a hard drive or get a computer virus through simply reading email.
Then BillG and his crew had to prove me wrong and invent an email client so "innovative" to make the above assertion inaccurate. The f*ckers...
I replied before browsing all of the posts in this thread. After posting I thought "Doh, this is slashdot. I bet someone here already mentioned IPSEC". To my dismay not one fucking person even mentioned the possibility of using IPSEC.
What the fuck? Doesn't ANYONE know ANYTHING about Windows? I thought this was a site for nerds? Aren't nerds that partake in computer security discussions supposed to know about things like IPSEC? Hell, Windows has come with IPSEC built in since Win2k. That's FIVE YEARS Windows has had this capability. I learned about it...FIVE YEARS AGO when I first got a copy of Win2k at work.
I watch idiots post all day on this site about how much Windows sucks, and how it can't be secured, yet they don't know one fucking thing about how Windows works, or about the methods available to secure it.
Jesus Christ people, get a fucking clue!
Oh, and excuse my foul language, I hope I didn't permanently damage the psyche of the numerous 12 year old Linux d00dz that are sure to be reading this.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
when it's in the best interests of those selling the 'cure' to blow it out of proportion.
I cannot see how a laptop would be more of a vector than the desktops. Our desktops are connected to the Internet all of the time. Laptops are connected to the Internet some of the time. Unless the worm, virus or other malware specifically targets WiFi or laptops, it's all the same.
Of course we have producers who edit in the field with laptops, either using Final Cut Pro (since they're on Macintosh computers they're more resistant to malware and 100% resistant to Windows viruses) or Avid's pee-cee-based Mini-DV cutter (which is not). I have not yet heard of a laptop editing operation that missed air due to a virus issue though.
Gods don't kill people, people with gods kill people.
Our IT department did "push" a patch to all of the possible machines that could be infected and I cannot say whether or not CNN's IT people did. But on at least one machine that I regularly use, the patch didn't work. The computer booted up and had an error message, saying that something was corrupted in the installation, so I had to call IT to have them manually patch the machine.
I was told that many of the pee cees around here did not accept the patch correctly, due to idiosyncratic configurations.
Multiply that into a worldwide news organization and you have a pretty massive IT headache, hence CNN's on-air hysteria.
I would note that the AP wires are currently reporting that one airline infected with the worm had problems booking passengers.
Gods don't kill people, people with gods kill people.
The Zotob worm mostly targets IP addresses on the same /16 network as the host. That makes Zotob jump networks slower.
Also, patch management for laptops is hard, and Zotob was nearly a zero-day worm.
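The same-/16 targeting the comment above describes is also what makes the worm easy to spot from the inside: one host suddenly fans out to many distinct neighbours in its own /16 on a single port. The block below is an added example written for this page (not from the thread and not from any product), applying that check to a few constructed flow records. The addresses and the three-column "src dst dport" format are made up for the demonstration; port 445 is an assumption based on the PnP service being reached over SMB, and the threshold of 10 distinct targets is an arbitrary tuning value.

```python
"""Added example (not from the thread): flag hosts that fan out to many distinct
addresses inside their own /16 on one port. Log format, addresses and the
threshold are constructed for this example; port 445 is an assumption."""
import ipaddress
from collections import defaultdict

# Constructed flow records: "source destination destination_port".
# 10.20.1.15 behaves like a scanning host; 10.20.2.40 is ordinary file-server traffic.
SAMPLE_FLOWS = """\
10.20.1.15 10.20.3.7 445
10.20.1.15 10.20.3.8 445
10.20.1.15 10.20.9.200 445
10.20.1.15 10.20.44.1 445
10.20.1.15 10.20.0.33 445
10.20.1.15 10.20.77.9 445
10.20.1.15 10.20.120.4 445
10.20.1.15 10.20.200.5 445
10.20.1.15 10.20.5.5 445
10.20.1.15 10.20.6.6 445
10.20.1.15 10.20.8.8 445
10.20.1.15 10.20.10.10 445
10.20.2.40 10.20.2.1 445
10.20.2.40 10.20.2.1 445
10.20.2.40 10.20.2.2 445
10.20.2.40 10.50.1.1 80
10.20.5.5 10.20.1.15 139
"""


def parse_flows(text):
    """Turn the constructed log text into (src, dst, port) tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return flows


def find_local_scanners(flows, port=445, threshold=10, prefix=16):
    """Return {source: distinct targets} for sources that reached at least
    `threshold` distinct addresses on `port` inside their own /`prefix`."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport != port:
            continue
        local_net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if dst in local_net:           # only count neighbours in the host's own /16
            targets[src].add(dst)
    return {str(s): len(t) for s, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for host, count in find_local_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host} contacted {count} distinct hosts in its /16 on 445: investigate")
```

Repeated connections to the same neighbour (the file-server pattern) collapse into one entry because targets are kept as a set, so a busy but legitimate client does not trip the rule; a host walking through its /16 does. On a real network the threshold and window would be tuned against a baseline of normal SMB fan-out.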
I was thinking more in terms of reporters or travelling workers logging in at hotels/starbucks/etc and logging in remotely. I noticed that even locally media outlets and insurance companies (which tend to have a lot of desktops) got hit harder.
Conformity is the jailer of freedom and enemy of growth. -JFK
and Microsoft has exponentially more market share than the operating systems you mention. When you have 93% of the market, I would think it's safe to say (at least) 93% of the idiots are trying to hack your products...
I read