Slashdot Mirror
ZOTOB Not Quite as Bad as Expected?
GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows Operating systems, but accorning to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "
It is not a minimal risk for a Windows XP system to get infected. Not after Microsoft have changed their Windows Update program. I have alot of friends struggling with properly secureing their pirated version of XP.
Is that like h4cking teh gibson?
I want to delete my account but Slashdot doesn't allow it.
overblown? I think it all started at the Michaelangelo virus, where the media was telling everyone to turn their computer off on Mikey's birthday? It's gotten worse since then.
Anybody got a torrent?
Our language is a wonderful thing. Please stop using it.
From all that I've read on the news lately, it looks like the various variants are battle each other... so they may be keeping their own numbers down.
Hmmm witty sig or funny sig? Maybe elitest techy sig!
It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.
Everyone that disagrees with me is a paid shill
'The worm only spreads to systems running on Windows 2000, XP and Server 2003'
this seemed funny to me. as if somehow not a significant portion of computers run those OSes
I would like to name August the official Worm month.
August 2003: Sobig
August 2004: Sasser
August 2005: Zotob
What's next?
Nouvelles de jeux et technologies en français. TC
This worm, while not as bad as some we've dealt with in the past (slammer/sapphire, code red, msblaster) is still a pain. It is still likely to cause huge spikes in network traffic for infected networks. I've already seen an intstance where hundreds of machines seemed to be infected and only the mitigation in place at the edge routing devices was able to stem the flow of traffic outbound.
This type of traffic has the potential to knock over routers/firewalls. I've seen it before and I have seen it this time as well.
it is better to light a flame thrower than curse the darkness. -Terry Pratchett Men at Arms
Lucky Windows 3.0 users can be at ease.
It's been pretty hairy here, inside the walls of a Fortune 500 company. Probably because we have so many variations of Windows in our lab, it was all over the place. People who had kept up to date and patched weren't hit bad (I'm on XP SP1), but we were creating ad-hoc teams all afternoon yesterday trying to get things clean.
In some ways, this was a bigger deal than Sobig.
Tim
Patch caused errors in 3rd party software. Not enough lead time to do proper regression testing. News at 11, if they get their computers fixed.
Zotob is affecting more than Windows machines. Case and point, the network is really slow (via the Windows garbage) which is making Slashdot load slow for me and I am running Solaris. Grr.
Yes! I listen to NYC Speedcore and do math at 3AM. I suggest you try it too.
When was the last time a big Windows-based worm went around that didn't already have a patch available? Some of the biggest (say, Blaster) had been patched months before!
What's happened is that the bad guys have gotten faster at exploiting the vulnerabilities once they're disclosed. Meanwhile, the vendors have been trying to convince everyone to update as quickly as possible. That's why it's hard to argue against automatic updates (or at least semi-automatic, as in timing it so that an admin is on hand to fix any problems that pop up).
The story here is that a worm zoomed across the next less than a week after the hole it uses was patched. It's not the extent (which the media overstated) but the speed.
Both Symantec link and F-Secure link
States that only Windows 2000 machines were affected.
F-Secure Writes: "The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected."
The Witty worm spread much faster despite the very small base of susceptible hosts (only about 12,000 total that had some old version of some firewall software). Witty had a doubling time of only a couple minutes and nearly saturated (infected all susceptible hosts) in less than one hour.
A modern worm should be able to spread extremely quickly -- sending out hundreds of infectious packets per second if the payload is small (Witty's was only 637 bytes). If only 1 in 10,000 machine is susceptible, then a worm spewing 100 randomly addressed packets per second should double the number of infected machines every 100 seconds. I'd wager that the number of zotob-susceptible machines was much greater than only 1 in 10,000, so zotob should have spread faster. If anyone ever creates a worm that can infect even 1% of IP addys, it would double every second and saturate the net within the first minute or so.
Why didn't zotob spread faster?
Two wrongs don't make a right, but three lefts do.
Once we control the spice, we control the worm.
It's striking how nice the virus writers are to the antivirus companies. Most viruses do just enough damage to require ongoing spending for antivirus tools and upgrades, but not enough to make users switch to, say, Linux. There are exceptions, like the virus that encrypts data on the hard drive and demands payment in E-gold, but those are very rare. Few viruses erase data. Few do things that would make removal impossible without physically opening the computer, like modifying the BIOS so it can only boot from the hard drive. The mainstream viruses seem to be carefully tuned to optimize the revenue stream of antivirus and upgrade vendors.
Somewhere there's a reason for this.
This malware outbreak received disproportionate media coverage, because it hit media outlets first and hardest.
org.slashdot.post.SignatureNotFoundException: ewg
Wow, you've been reading to much sci-fi. Lay off the crack.
:)
If there are factions, its just a bunch of 14year windows users that prefix their IRC nick with their clan name , e.g. [VWF]h4x0r is a member of [V]irus [W]riters [F]orever. They can't offer you an "expert protectionism", whatever the fuck that is, because they're too dumb. Have you seen the code to some of these things? Crap.
Again, there isn't any "viral factions", you need to unsubscribe to the space channel, any MMORPG's or other online games you own, burn your scifi books and get some fresh air.
Cheers
The CNN coverage was probably due to CNN still using Windoze 2000, which we use here at NBC for all of our desktop computers.
Mind you, we also have high end workstations running Avid Newscutters and the DS that are based on XP but for desktop use, it's strictly 2000.
It is quite possible that news ops software, like Avid's iNews (a very necessary script-writing, show organizing and newswire access tool that almost every news organization uses) does not work or is not supported on XP. It may also be an issue that XP requires better hardware (highly likely) than 2000 and large, worldwide organizations like CNN, ABC, NBC, CBS, BBC and so on are highly dependent on that version of Microsoft's OS.
So, at least in their case, the hysteria at CNN may have been warranted.
Gods don't kill people, people with gods kill people.
This was a problem with IT admins not maintaining secure environments through patching and firewall administration. Where I work has 400+ machines in a mix of 2000 and XP, and I'd be surprised if half a dozen of them got infected (I didn't hear about even one, personally).
San Diego County Government had 12,000 workstations crash.
People couldn't do ANYTHING connected to the county.
They had 3,000 systems up today.
Wonder if I can apply for the sysadmin job?
You can't talk about Wikipedia's flaws on Wikipedia
Kneel before ZOTOB!
"Made up/misattributed quote that makes me look smart. I am on
I don't know if it was "minimal" elsewhere, but it hit GE Transportation really hard. We had two sites go down completely (no network, no computers), including HQ in Cincinnati. The sites went completely offline around 3pm, and I can only assume the poor techies had to stay all night to patch each computer on campus manually (because they won't stay on, always rebooting). When I got to work the next day, we all had a specific set of instructions to do to complete the patching process. They really lost a fortune on this one.
Deletes the following registry values:
.
.
.
"MyWebSearch"
"WINDOWS SYSTEM"
"Zotob"
"MyWay"
"WeatherOnTray"
"Apropos"
"IBIS TB"
"TBPS"
"Toolbar"
"Hotbar"
"CMESys"
"NavExcel"
"ViewMgr"
"eZula"
"EbatesMoeMoneyMaker"
"Ebates"
"AutoUpdater"
"Gator"
"Trickler"
"QuickTime"
"GatorDownloader"
"eZmmod"
"Viewpoint"
"TkBellExe"
"180"
"WinTools"
"Real"
"QuickTime Task"
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Sorry - not true. Windows Genuine Advantage has nothing to do with security patches. All users will get security patches, without going through any checks
but accorning to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "
The article is wrong, zotob has variants that infect 9x thru 2003. You can look at the summaries on symantec. As a pc support person at a very large company (one of the ones mentioned on cnn when they talked about zotob), this is certainly the worse virus I've had to deal with.
just the ones that 90% of people that use windows, use. dont worry your computers running DOS, Windows 3.1, 95, 98 and the wonderful ME, cannot be infected.
Any idea how many millions of $$ it takes to upgrade an entire company full of desktops, laptops, lab devices, servers, etc, when you have tens of thousands of people working for you all around the globe?
Making sure that all your (hundreds of) applications function as expected on the new platform. Don't forget to test it on each and every language locale that will be in use for the company around the globe.
Beginning to get the picture? This takes a HUGE amount of money, people, time and planning to pull off. It's a hell of a lot more than 1. Order CD, 2. Reboot, 3. Upgrade
How odd that this worm should attack W2K so severely, and W2K3/WXP not so severely, just as Microsoft is dropping sales of W2K, and urging W2K users to upgrade, including draconian herding techniques like discontinuing W2K automatic update support.
Now, even if MS hasn't created this worm, or released it into the wild, or deprioritized fixing bugs in W2K for it to exploit, or overhyped its danger to create "relief" that its favored W2K3/WXP products aren't at as much risk... don't you think the people over at the "W2K extinction department" in Redmond are very happy about this bad news? That's an incentive to neglect security. Like the sheepdog carpooling with the wolf.
--
make install -not war
Take a big company with several thousand Win 2000 machines.
Take an idiot user with a laptop and Win 2000.
Idiot user gets infected off their home internet connection, takes laptop into work, connects it to the network and infects every other machine within minutes.
hard to feel sorry for the people still running windows, how many times does the car have to break down on the freeway before you trade the SOB in for something reliable?
what is it called when you continue the same behavior and expect different results?
Myself I ended up at work 20 hours on Monday this week patching servers. Given that we have about 500 servers in our environment with one person doing the patching this wasn't so bad.
We ended up with a lot of problem because of this worm... less because it actually caused problems with the machines but more because we could see machines constantly trying to infect one another. It wasn't pretty. Our workstations were most at risk, being the largest installed base but also running Windows 2000 SP3 (not SP4 unfortunately). No patch has been generally released for SP3 WS's, but a custom patch IS available from Microsoft if you request it. Due to other factors in play, we have elected to upgrade to SP4 and install the appropriate hotfixes. This is not going to be pretty over about 10,000 workstations.
See, what some people miss when they say that any infection may be due to bad administration is simply that we're dealing with huge numbers of machines, both servers and workstations that are potentially vulnerable. Due to application compatibility and tested standardized platforms we often don't even get the option to keep stuff up to date. The only reason we even have Windows 2003 servers in place today is because we forced the issue with our Corporate guys when we implemented Active Directory; we informed them that we had a need for functionality not provided by Windows 2000 AD (which was true). There is a project currently under way to test Windows XP for rollout, but honestly chances are that Vista will be shipping by the time we even reach 50% rollout mark.
So, why the rant? Well, it must be understood that jumping on the latest patches is not always an option in the corporate environment. Also, jumping on the operating system bandwagon is rarely an option because there's a lot of regression testing that has to be done. Hell, there are some instances where we're having to push the application vendors to support Windows 2003 Servers in our Citrix environment because they've never tested it. Welcome to the realities of Corporate IT.
Are there solutions? Sure! However, none of them are acceptable to most corporations. Linux is not an option, neither is OSX. In both cases we come back to the legacy support issue. Citrix to share the applications? Great... but you're only redirecting the problem to the server farms, not eliminating it. Real world Corporate IT is not as black and white as people would like it to be, myself included.
This virus gained traction because most corporations work this way. It wasn't helped by the fact that McAfee and Symantec both waited two days after the virus was discovered to release a signature update that recognized it.
One positive thing though; this virus is forcing the management to finally listen to my department's complaints that we need to be more proactive about patch management, and this time stuff might get done. We've got a long way to go, but this should be the start of something better.
This is part of the first wave of "it's not so bad and it is the victim's fauly anyway" press releases which will be followed shortly with the 'any operating system is vulnerable to viruses' wave of press releases, followed by the 'Windows Vista is much more secure and everybody should upgrade' press releases. The only amazing part is that Windows users never seem to catch on. Somebody who bought three Ford Pintos and somehow manage to survive when they all burst into flames would probably think long and hard before buying a fourth one. Windows users? Not a chance.
Sorry - not true. Windows Genuine Advantage has nothing to do with security patches. All users will get security patches, without going through any checks
That used to be the case. Now with the latest version of Windows Update, you must pass genuine advantage in order to download patches. I know this as I've one machine that fails to get past the check on windows update despite the valid licence number on it. I believe autoupdate is still working, but for how long?
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
Granted, I deal only with about 150 users, over about 6 companies, however, I haven't even had a reported case of this worm.
The only excuse for an administrator having a problem with this, is if the patch is incompatible with some or other software.
Any competent administrator knows:
WSUS works like a charm, you can tell it to check for updates every day, and then all clients on the network can be forced to apply the patches.
There are instances where WSUS cannot really help much:
It's called preventative maintenance, you can replace your brakes after they fail, but if you do it before they fail, it saves you having to repair the rest of your car as well.
In summary, all administrators from companies that that run a domain controller, and have a reasonable amount of resources should NOT have experienced any major outbreak. So stop whining, clean up your mess, do your job properly now and avoid future problems.
What's next?
August 2006: Longhorn
Well, it will propagate itself through the internet.
Illegal? Samir, This is America.
It's been like firemen at an oilfire at a few GoA servers. My ministry hasn't been hit though, yet.
A couple days ago our IT director sent out an email saying: "Would you please refrain from using the Internet immediately until we have taken the appropriate actions to prevent the virus."
And today we've been asked not to download anything, don't use Messenger and to bring any laptops to them for worm inspection prior to connecting to the network.
So I took my iBook back to them and asked them to check for worms. :D
> Any links to validate this "Turkey Virus"?
I've found that...
> isn't the CRT physically designed to spread the electron beams evenly as to display a picture?
No, it isn't a TV set. The VGA cable is really controlling the electron beam. Well, it was... now there is some embedded electronic to do some adjustments and avoid to damage the tube (for example, using too high refresh rates).
Try xvidtune under X,
check the modeline doc in linux/Documentation/fb,
read that link.
(Now assuming you've read the last link and understand porch times)
Your VGA cable basically sends five signals : red green and blue controlling the energy of the three beams, and two sync signals controlling "next line" and "next screen". Usually porch times are constant, so you're drawing in a rectangle somewhere.
Changing horizontal porch times will move the image to the left or right, or modify the image width.
Changing vertical porch times will move the image to the top or bottom, or modify the image height.
Constantly changing porch times result in waving effects (as reported in the first link).
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
anyone remember the Wazzup virus? It attacked MS Word and would randomly place the word "wazzup" in your document when you saved it or printed it. God it was beautiful. So many book reports with "wazzups" circled in red ink....
People wazzup arent creative like that anymore.
Why stick up for big business?
Windows users? Not a chance.
Y'know, there's a fair few of us Windows users who have yet to catch a virus, or be infected with spyware, or get rooted.
Sure, I see others crashing and burning, but then I've known people knocked down and killed crossing the road; yet I still cross. I just take sensible precautions, and take my chances.
It's official. Most of you are morons.