Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Dasher" Worm Brings Christmas Keylogger

Posted by CowboyNeal on from the sneaking-in-through-the-chimney dept.

An anonymous reader writes "A worm called 'Dasher' is exploiting a flaw in Windows that Microsoft issued a patch for in October, dropping keyloggers on infected machines, according to F-Secure. The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. It appears from the Microsoft advisory that Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Update: 12/17 17:20 GMT by Z : Fixed link to SANS center.

9 of 114 comments (clear)

  1. Impractical amount of data? by PurifyYourMind · · Score: 3, Interesting

    Wouldn't sifting through data from potentially hundreds of thousands of machines (for popular viruses/worms) be difficult-to-impossible? Or maybe there's a way to determine which account are, e.g. admins on large IRC servers or otherwise useful.

    1. Re:Impractical amount of data? by Kijori · · Score: 3, Interesting

      That depends on the resources of the group behind the attack. If this is an individul importing all the data into a database, then yes, it would be nearly impossible for them to make any real headway. If, however, it is a government faction running a pseudo-AI program to sift out useless data before passing it onto a few hundred minimum-wage key pounders, then very large scale breaches are not only possible, but likely. Of course, the programming errors alluded to in the summary suggest the former over the latter, but even so we need to consider the possibilities of a well-funded group using a virus like this to hold large companies to randsom or just to disrupt the internet. Should help drive people to Linux though, so there is a good side.

    2. Re:Impractical amount of data? by Xarius · · Score: 3, Interesting

      You think Linux is somehow immune to keyloggers?

      --
      C17H21NO4
  2. Convenient? by Jynx97 · · Score: 5, Interesting

    Didn't I just read somewhere that Microsoft was upset with the penetration of SP2 for Winxp?

    The next day an article comes out saying that only SP2 will save you!

  3. It just hit me by Stan+Vassilev · · Score: 5, Interesting

    Looks like viruses (spread by infecting exe files) are mostly non-existant today, replaced by network-propagated worms..

    And it just hit me that we'd never get any of this if we were not on-line all the time.. Few years ago when the first internet worms were appearing I was like "ahah, just don't stay connected all the time you idiots".

    Now I and the majority of folks around the world are "converted" and hopelessly tied to on-line, making us vulnerable to those attacks.

    How many minutes can you spend offline, before the reflex kicks in and you try to google up some info you need?

  4. Re:Could be worse...Is worse than u think... by RealisticCanadian · · Score: 4, Interesting


    While this still could be worse, you are correct on one thing: Win2k in schools.

    Spent the summer working at a local university. There was superfluous opportunity to embezzle a lot of money; as we were instituting their absolutely awful new HR software--which also meant I got to see how much all the bigwigs and upper-administrators (read: idiots puffed full of their own self importance) made off of hard-working students. (I was brought on as a Data Technician; not support or PC repair or what-have-you)

    When the machines in our semi-secret office (All W2K) were infected with a virus (Don't ask me, I no longer remember, but I went & read the writeup @ symanted then, which told me it was able to cross-propogate through the network once it landed on one machine) I of course decided to quarantine the bastard myself first... I then realized what I had most feared--that these machines were all set up to Track who was using them; but not to actually restrict Anyone from Anything. Thats right, Joe Schmoe user could do anything he wanted; from registry-hacking to whatever your heart desired.

    So; I managed to isolate this guy and the three other viruses that were wandering through the War-Room (thats what we called it); but I didn't purge, at this point I was too intrigued, so I summoned the IT guys.

    4 hours later ONE guy (who looks like a plumber, and not even Mario) shows up, and begins, well, piddling (there's no other word for it.... he threw in an admin password and started checking completely unnecessary settings, then attempting to read the reports that their Tracking software creates, presumably to get to the root of the problem) with the machines after pretending he doesn't need me to tell him what I've done so far. His expression gets more and more bored, and after about another hour and a half, he tells my boss (one of them aforementioned admin-types) that he can't find anything wrong, and she should watch 'that new guy'.

    I'm pretty sure they heard my jaw hit the floor on the other side of campus. A week later I had recieved the job offer I'd been counting on from the local cable service provider; and I headed for the hills, washing my hands of the whole situation, and terribly glad the only records tying my name to the lpace were strictly paper-based.

    I checked in on it with a friend of mine who's a student there. He moved here from China, and is still a little unpolished with his english, but I heard this loud and clear: "Oh my FUCKING GOD man! Half the computers on campus are FUCKED!"

    I can only assume that Mr. Plumber did not get anyone to look into the virus.

    I have no idea how much that mistake cost the University; but I do know that once it was cleaned out, nothing changed. They are merrily running the exact same sytems setup the exact same way; probably every one of em mapped off the mirror sitting in the IT department.

    So yes, I do believe that this could have MUCH wider-effect than you believe.

    --
    A couple fans told me that my last journal entry was mint; give it a shot. Hope you like.
  5. Irony by TeknoHog · · Score: 2, Interesting

    You're safe from keyloggers if you use Dasher.

    --
    Escher was the first MC and Giger invented the HR department.
  6. OK... by Skiron · · Score: 2, Interesting
    Have a laugh...
    http://support.microsoft.com/kb/905915

    WTF?

    Update rollup 905915 includes the cumulative security fixes that are documented in security bulletin MS05-054. The update rollup also includes hotfixes for Microsoft Internet Explorer that were released after the release of security bulletin MS04-004 and of security bulletin MS04-038.
    If update rollup 873377, update rollup 889669, or an Internet Explorer hotfix that was released after security bulletin MS04-038 are not installed, and if you want to install the hotfixes that are included in update rollup 905915, you must follow the instructions in Microsoft Knowledge Base article 897225. Otherwise, all Internet Explorer hotfixes that you have installed are removed.
    897225 How to install hotfixes that are included in cumulative security updates for Internet Explorer 6 Service Pack 1
    The update rollup 905915 installer verifies whether one or more of the files that are being updated on the computer have previously been updated by an Internet Explorer hotfix. However, the installer detects only hotfixes that were released after security bulletin MS04-038, after update rollup 873377, or after update rollup 889669. Therefore, if you have installed update rollup 873377, update rollup 889669, or an Internet Explorer hotfix that was released after update rollup 873377, the update rollup 905915 installer automatically installs the hotfixes and the security updates that are included in update rollup 905915.


    As I said, no wonder people don't apply patches.
  7. Patch bundling by Craig+Ringer · · Score: 2, Interesting

    I hear people claim that MS bundle up multiple fixes and updates in patches, and I'm yet to see evidence of it. In fairness, I haven't really gone looking, but it also doesn't seem logical.

    If MS was to bundle other (security) fixes in a patch, they would quickly be identified by reverse engineering the patch and used to exploit as-yet-unpatched systems. There are people who look over these patches in extreme detail, both "white hat" and "black hat" types.

    If they bundled other fixes / changes, their business customers would get really, really pissed in a major hurry. Microsoft does NOT want to piss these people off, even with the lock they have on the market. Remember that Microsoft's whole sales pitch right now is about "total cost of ownership."

    Given this, I'm inclined to belive the "MS bundles other crap with patches" rumour to be most likely outdated. It could also be something that grew out of a misunderstanding of the difference between security patches, hotfixes, and service packs. I'm more inclined to attribute breakage to a combination of (a) imperfect patch QA and (b) badly written software / malware replacing or patching system DLLs/installing drivers that end up being incompatible with "clean" versions of some of those DLLs installed by a patch. Breakage also used to be common causes of breakage in win9x ... which was a horrific mess you could break by looking at it funny.

    I've personally never had issues patching an NT-derived system. I ensure they're clean before patching, and I don't use shoddy software ( in so far as is possible ). In fairness, my only Windows server is NT4 (ugh); I'm speaking mostly about the XP desktops I admin at work and the older win2k machines I've run.

    That's not to say that things don't go wrong for anybody, of couse... just that in my own experience they don't tend to do so. Perhaps I'm just lucky not to use $BLAH_POPULAR_DATABASE that likes to patch ntfs.sys, or whatever other ghastly hack people might perpetrate.