Slashdot Mirror


ZOTOB Not Quite as Bad as Expected?

GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows operating systems, but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "

16 of 407 comments

  1. not minimal by plarsen · · Score: 5, Funny

    It is not a minimal risk for a Windows XP system to get infected. Not after Microsoft have changed their Windows Update program. I have a lot of friends struggling with properly securing their pirated version of XP.

    1. Re:not minimal by op12 · · Score: 5, Funny

      Dear plarsen,

      Send me a list of your friends names and addresses, and I will get the problem resolved immediately.

      -Bill G.

    2. Re:not minimal by damiangerous · · Score: 5, Funny

      Sheesh, cut the guy a little slack.

  2. Aren't all media reports of internet viruses by Trigun · · Score: 5, Interesting

    overblown? I think it all started at the Michaelangelo virus, where the media was telling everyone to turn their computer off on Mikey's birthday? It's gotten worse since then.

    1. Re:Aren't all media reports of internet viruses by Trigun · · Score: 5, Funny

      Ahh, another old-skooler. I got stoned in the eighties, and I've seen Jerusalem.

      In fact, Jerusalem-b was my favourite virus. Sheer genius what a measly few hundred bytes of code can do. Virus writers don't know how good they have it today!

    2. Re:Aren't all media reports of internet viruses by peculiarmethod · · Score: 5, Interesting

      Nothing compared to the Turkey Virus.. did a report on it in the early 90s. In the eighties it showed a pretty picture of a turkey while focusing most of the cathode rays at a central point, causing the tube to burn out, and in several instances, catch fire. There was even a deadly house fire attributed to it. Deadly computer virus in the 80s.. beat that.

      --
      ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk

  3. August: Season of the crashes by Destoo · · Score: 5, Interesting

    I would like to name August the official Worm month.

    August 2003: Sobig
    August 2004: Sasser
    August 2005: Zotob

    What's next?

    --
    Game and technology news in French. TC

    1. Re:August: Season of the crashes by cperciva · · Score: 5, Funny

      > August 2003: Sobig
      > August 2004: Sasser
      > August 2005: Zotob
      >
      > What's next?

      I'm just guessing here, but... could "August 2006" be next?

    2. Re:August: Season of the crashes by Mille+Mots · · Score: 5, Funny

      > What's next?

      August 2006: Longhorn

  4. Re:Flaw was patched days before the outbreak. by Trigun · · Score: 5, Informative

    Patch caused errors in 3rd party software. Not enough lead time to do proper regression testing. News at 11, if they get their computers fixed.

  5. Patch available? by Kelson · · Score: 5, Insightful

    When was the last time a big Windows-based worm went around that didn't already have a patch available? Some of the biggest (say, Blaster) had been patched months before!

    What's happened is that the bad guys have gotten faster at exploiting the vulnerabilities once they're disclosed. Meanwhile, the vendors have been trying to convince everyone to update as quickly as possible. That's why it's hard to argue against automatic updates (or at least semi-automatic, as in timing it so that an admin is on hand to fix any problems that pop up).

    The story here is that a worm zoomed across the net less than a week after the hole it uses was patched. It's not the extent (which the media overstated) but the speed.

  6. Surprisingly slow spread by G4from128k · · Score: 5, Interesting

    The Witty worm spread much faster despite the very small base of susceptible hosts (only about 12,000 total that had some old version of some firewall software). Witty had a doubling time of only a couple minutes and nearly saturated (infected all susceptible hosts) in less than one hour.

    A modern worm should be able to spread extremely quickly -- sending out hundreds of infectious packets per second if the payload is small (Witty's was only 637 bytes). If only 1 in 10,000 machines is susceptible, then a worm spewing 100 randomly addressed packets per second should double the number of infected machines every 100 seconds. I'd wager that the number of zotob-susceptible machines was much greater than only 1 in 10,000, so zotob should have spread faster. If anyone ever creates a worm that can infect even 1% of IP addys, it would double every second and saturate the net within the first minute or so.

    Why didn't zotob spread faster?

    --
    Two wrongs don't make a right, but three lefts do.

    1. Re:Surprisingly slow spread by Forseti · · Score: 5, Insightful

      > Why didn't zotob spread faster?
      I'll tell you why: NAT and RFC1918.

      The worm (reportedly) only tries to spread to addresses with the same first 2 octets as the current machine. Even if it hit a machine through a static NATed public IP, once infected, it would detect only the private address of that host, and spread only within the company. It was poorly written to be able to spread quickly. It almost needs to be moved to another network manually! Witty went random, that's much smarter.

      In fact, we're generally lucky that most virus writers are inept. Otherwise, we would have seen some MUCH WORSE infections already.

      --
      Delay is preferable to error. (Thomas Jefferson)

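
The two comments above (G4from128k's doubling-time arithmetic and Forseti's point that a worm locked to its own address prefix stays inside one NAT'd network) can both be checked with a small model. The code below is an added example, not something posted in this thread: the first two functions are the textbook exponential and logistic spread model with G4from128k's parameters (100 probes per second, 1 susceptible host per 10,000 addresses), and `simulate_scan` runs a Monte Carlo over a constructed toy address space to compare prefix-local scanning with uniform random scanning. The function names, the toy population sizes and the seed are all my choices. The practical use for a defender is the time budget: the closed-form model says how many minutes elapse between first infection and near-saturation, which is the window in which blocking the port or pushing the patch still matters. Note that the continuous model gives a doubling time of about 69 s rather than the 100 s of the back-of-the-envelope linear estimate, because new infections start scanning as soon as they happen.

```python
import math
import random


def early_doubling_time(scan_rate, susceptible_fraction):
    """Seconds for the infected population to double while nearly all
    susceptible hosts are still clean.

    Each infected host finds a new victim at rate beta = scan_rate *
    susceptible_fraction, so I(t) = I0 * exp(beta * t) and doubling takes
    ln(2) / beta seconds.
    """
    beta = scan_rate * susceptible_fraction
    return math.log(2) / beta


def time_to_fraction(frac, n_susceptible, scan_rate, susceptible_fraction, i0=1):
    """Seconds until `frac` of the susceptible population is infected.

    Uses the logistic solution I(t) = N / (1 + (N/I0 - 1) * exp(-beta * t)),
    which accounts for probes wasted on hosts that are already infected.
    """
    beta = scan_rate * susceptible_fraction
    return math.log((n_susceptible / i0 - 1) * frac / (1 - frac)) / beta


def simulate_scan(nets, hosts_per_net, susceptible_prob, probes_per_tick,
                  local_only, ticks, seed=1):
    """Discrete-time Monte Carlo over a constructed toy address space of
    `nets` networks with `hosts_per_net` hosts each (hypothetical sizes).

    local_only=True probes only the infected host's own network (the
    'same first octets' behaviour discussed above); False probes addresses
    uniformly at random across the whole space.  Returns
    (infected hosts, distinct networks reached, total susceptible hosts).
    """
    rng = random.Random(seed)
    susceptible = {(n, h) for n in range(nets) for h in range(hosts_per_net)
                   if rng.random() < susceptible_prob}
    infected = {min(susceptible)}  # patient zero: the lowest susceptible address
    for _ in range(ticks):
        newly_infected = set()
        for net, _host in infected:
            for _ in range(probes_per_tick):
                target_net = net if local_only else rng.randrange(nets)
                target = (target_net, rng.randrange(hosts_per_net))
                if target in susceptible and target not in infected:
                    newly_infected.add(target)
        infected |= newly_infected
        if len(infected) == len(susceptible):
            break
    return len(infected), len({n for n, _ in infected}), len(susceptible)


def compare_strategies(seed=1):
    """Run both scanning strategies against the same toy population."""
    params = dict(nets=64, hosts_per_net=256, susceptible_prob=0.05,
                  probes_per_tick=20, ticks=30, seed=seed)
    return {"local": simulate_scan(local_only=True, **params),
            "random": simulate_scan(local_only=False, **params)}


if __name__ == "__main__":
    print("doubling time, 100 probes/s, 1 in 10,000 susceptible: %.0f s"
          % early_doubling_time(100, 1e-4))
    print("doubling time, 100 probes/s, 1 in 100 susceptible: %.2f s"
          % early_doubling_time(100, 1e-2))
    print("time to 99%% of 12,000 hosts at the slower rate: %.0f s"
          % time_to_fraction(0.99, 12_000, 100, 1e-4))
    for name, (hosts, nets, total) in compare_strategies().items():
        print(f"{name:6s}: {hosts}/{total} susceptible hosts, {nets} networks reached")
```

With the same seed both runs share one susceptible population, so the comparison is fair: the prefix-local scanner never leaves the network it started in, while the random scanner reaches most of the 64 networks within a few dozen ticks.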
  7. it's okay, guys by kwoff · · Score: 5, Funny

    Once we control the spice, we control the worm.

  8. Depends a lot on your point of view by Thumper_SVX · · Score: 5, Interesting

    Myself I ended up at work 20 hours on Monday this week patching servers. Given that we have about 500 servers in our environment with one person doing the patching this wasn't so bad.

    We ended up with a lot of problems because of this worm... less because it actually caused problems with the machines but more because we could see machines constantly trying to infect one another. It wasn't pretty. Our workstations were most at risk, being the largest installed base but also running Windows 2000 SP3 (not SP4 unfortunately). No patch has been generally released for SP3 WS's, but a custom patch IS available from Microsoft if you request it. Due to other factors in play, we have elected to upgrade to SP4 and install the appropriate hotfixes. This is not going to be pretty over about 10,000 workstations.

    See, what some people miss when they say that any infection may be due to bad administration is simply that we're dealing with huge numbers of machines, both servers and workstations that are potentially vulnerable. Due to application compatibility and tested standardized platforms we often don't even get the option to keep stuff up to date. The only reason we even have Windows 2003 servers in place today is because we forced the issue with our Corporate guys when we implemented Active Directory; we informed them that we had a need for functionality not provided by Windows 2000 AD (which was true). There is a project currently under way to test Windows XP for rollout, but honestly chances are that Vista will be shipping by the time we even reach 50% rollout mark.

    So, why the rant? Well, it must be understood that jumping on the latest patches is not always an option in the corporate environment. Also, jumping on the operating system bandwagon is rarely an option because there's a lot of regression testing that has to be done. Hell, there are some instances where we're having to push the application vendors to support Windows 2003 Servers in our Citrix environment because they've never tested it. Welcome to the realities of Corporate IT.

    Are there solutions? Sure! However, none of them are acceptable to most corporations. Linux is not an option, neither is OSX. In both cases we come back to the legacy support issue. Citrix to share the applications? Great... but you're only redirecting the problem to the server farms, not eliminating it. Real world Corporate IT is not as black and white as people would like it to be, myself included.

    This virus gained traction because most corporations work this way. It wasn't helped by the fact that McAfee and Symantec both waited two days after the virus was discovered to release a signature update that recognized it.

    One positive thing though; this virus is forcing the management to finally listen to my department's complaints that we need to be more proactive about patch management, and this time stuff might get done. We've got a long way to go, but this should be the start of something better.

  9. "Turkey Virus" by alexhs · · Score: 5, Informative

    > Any links to validate this "Turkey Virus"?

    I've found that...

    > isn't the CRT physically designed to spread the electron beams evenly as to display a picture?

    No, it isn't a TV set. The VGA cable is really controlling the electron beam. Well, it was... now there is some embedded electronics to do some adjustments and avoid damaging the tube (for example, by using too high refresh rates).

    Try xvidtune under X,
    check the modeline doc in linux/Documentation/fb,
    read that link.

    (Now assuming you've read the last link and understand porch times)
    Your VGA cable basically sends five signals: red, green and blue controlling the energy of the three beams, and two sync signals controlling "next line" and "next screen". Usually porch times are constant, so you're drawing in a rectangle somewhere.
    Changing horizontal porch times will move the image to the left or right, or modify the image width.
    Changing vertical porch times will move the image to the top or bottom, or modify the image height.
    Constantly changing porch times results in waving effects (as reported in the first link).

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
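
The porch and sync timings alexhs describes are exactly what an X11 Modeline encodes, so here is an added example (mine, not part of the thread or of any X.org code) that parses a Modeline, derives the line rate and refresh rate from it, reports the porch widths, and checks the mode against a monitor's advertised sync ranges, which is the guard that keeps a driver from programming timings an old tube could not survive. `shift_horizontal` demonstrates the poster's point that trading front porch for back porch moves the picture without changing the line or refresh rate. All function and class names are my own; the sample line is the common VESA 1024x768 at 60 Hz modeline, embedded here as constructed input.

```python
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Modeline:
    name: str
    clock_mhz: float          # pixel clock
    hdisp: int                # visible pixels per line
    hsync_start: int          # end of the horizontal front porch
    hsync_end: int            # end of the horizontal sync pulse
    htotal: int               # pixels per line including the back porch
    vdisp: int                # visible lines per frame
    vsync_start: int          # end of the vertical front porch
    vsync_end: int            # end of the vertical sync pulse
    vtotal: int               # lines per frame including the back porch
    flags: tuple              # e.g. ('-hsync', '-vsync', 'interlace')


_HEAD = re.compile(r'\s*Modeline\s+"([^"]+)"\s+(.*)$', re.IGNORECASE)


def parse_modeline(line):
    """Parse an X11 Modeline string, rejecting inconsistent timing values."""
    m = _HEAD.match(line)
    if not m:
        raise ValueError(f"not a Modeline: {line!r}")
    name, fields = m.group(1), m.group(2).split()
    if len(fields) < 9:
        raise ValueError("a Modeline needs the clock plus 8 timing values")
    clock = float(fields[0])
    hd, hss, hse, ht, vd, vss, vse, vt = (int(x) for x in fields[1:9])
    # sync pulses must lie inside the blanking interval after the visible area
    if not (0 < hd < hss < hse <= ht and 0 < vd < vss < vse <= vt):
        raise ValueError("timings must satisfy display < sync start < sync end <= total")
    return Modeline(name, clock, hd, hss, hse, ht, vd, vss, vse, vt,
                    tuple(f.lower() for f in fields[9:]))


def is_valid_modeline(line):
    try:
        parse_modeline(line)
        return True
    except ValueError:
        return False


def horizontal_khz(m):
    """Line rate: how many lines per second the beam draws."""
    return m.clock_mhz * 1000.0 / m.htotal


def vertical_hz(m):
    """Refresh (field) rate; an interlaced mode scans two fields per frame."""
    hz = horizontal_khz(m) * 1000.0 / m.vtotal
    return hz * 2 if "interlace" in m.flags else hz


def porches(m):
    """Front porch, sync width and back porch, in pixels (h) and lines (v)."""
    return {"h_front": m.hsync_start - m.hdisp, "h_sync": m.hsync_end - m.hsync_start,
            "h_back": m.htotal - m.hsync_end,
            "v_front": m.vsync_start - m.vdisp, "v_sync": m.vsync_end - m.vsync_start,
            "v_back": m.vtotal - m.vsync_end}


def shift_horizontal(m, pixels):
    """Move the picture sideways by trading front porch for back porch.
    htotal is unchanged, so the line and refresh rates stay the same."""
    moved = replace(m, hsync_start=m.hsync_start + pixels, hsync_end=m.hsync_end + pixels)
    if not (moved.hdisp < moved.hsync_start < moved.hsync_end <= moved.htotal):
        raise ValueError("shift would push the sync pulse outside the blanking interval")
    return moved


def within_limits(m, hsync_khz, vrefresh_hz):
    """True if the mode falls inside the monitor's horizontal sync (kHz) and
    vertical refresh (Hz) ranges; a mode outside them must not be programmed."""
    return (hsync_khz[0] <= horizontal_khz(m) <= hsync_khz[1]
            and vrefresh_hz[0] <= vertical_hz(m) <= vrefresh_hz[1])


# Constructed sample input: the usual VESA 1024x768 at 60 Hz modeline.
SAMPLE_MODELINE = 'Modeline "1024x768" 65.00 1024 1048 1184 1344 768 771 777 806 -hsync -vsync'

if __name__ == "__main__":
    mode = parse_modeline(SAMPLE_MODELINE)
    print(f"{mode.name}: {horizontal_khz(mode):.2f} kHz, {vertical_hz(mode):.2f} Hz, {porches(mode)}")
    print("ok for a 30-82 kHz / 50-75 Hz monitor:", within_limits(mode, (30, 82), (50, 75)))
```

The sample mode works out to a 48.36 kHz line rate and a 60.0 Hz refresh; feeding the same parser a mode whose sync start precedes the visible area, or one whose line rate exceeds the monitor's range, is rejected before any timing is applied.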