"Dasher" Worm Brings Christmas Keylogger

An anonymous reader writes "A worm called 'Dasher' is exploiting a flaw in Windows that Microsoft issued a patch for in October, dropping keyloggers on infected machines, according to F-Secure. The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. It appears from the Microsoft advisory that Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Update: 12/17 17:20 GMT by Z : Fixed link to SANS center.

It could always be worse...

[Ruff_ilb]

Most of the desktops that I know that run Win2k are run by schools, universities, etc. I haven't seen someone's PC running win2k yet. Also, these desktops (the ones run by schools, at the library, etc) are usually either (A) very secure or (B) no one expects them to be secure. So this could be worse, I think.

This could be a major problem if it infected SP2 computers.

Re:Impractical amount of data?

[tpgp]

Wouldn't sifting through data from potentially hundreds of thousands of machines (for popular viruses/worms) be difficult-to-impossible? Or maybe there's a way to determine which account are, e.g. admins on large IRC servers or otherwise useful.

I think it would be trivial to write a script to go through the data looking for email addresses & credit card / bank account details.

I'm sure thats what the author is after....

Of course...

[Skiron]

... the big question is why haven't people patched?

Well I will tell you. They don't as Microsoft NEVER EVER release just a `fix' patch. It is bundled with other patches that break lots of things. So people either:

a) Can't as it fubars their system.

or

b) Too scared what it breaks. [I still get very nervy at work when applying these patches to servers - you never know - nor guarantee - if it will ever come back up again or just get BSOD.]

It is about time MS started to just issue a patch to fix ONE of their flaws instead of loading it with other `upgrades' the users doesn't want or need - or even just do 'one at a time'.

What am I missing?

[lip_spork]

The worm posts data collected to a specific server. Isn't that kind of evidence that could be used to determine who's responsible for it?

Re:My answer to Key loggers

[JackDW]

vi is the only surviving editor that has a protocol instead of a user interface. The datastream moving from your brain to the file on disk is about as compressed as it can be. All the commands are minimalist (most are single-key), you never need to use the mouse, there's built-in regex support... No wonder programmers like it: the editor doesn't require you to switch context.

Unfortunately the datastream produced by vi is very easy to examine - just pipe it into another copy of vi, and there you go. Easier than examining the keystrokes of someone typing in a lesser editor, anyway, as their editing will be punctuated by mouse-clicks and menu events, making analysis tricky.

Fortunately, if you're able to use vi, you are perfectly able to (a) patch your OS, or (b) use a sensible OS, or (c) both, so who cares?

Re:Impractical amount of data?

[toadlife]

"The more people use it, the better it gets?" I don't get that train of thought. There are only so many people that can hack on Linux code, and most vulnerabilities in any platform are completely unrelated to the kernel anyway. If a bunch of ignorant people used Linux, it seems to me it would only make Linux what Windows is today - a platform with a huge bullseye on it.