Botnet Herders Attack MS06-040 Worm Hole
Laljeetji writes "eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor."
If the hacker has to use IRC to command the bots, can't the entire virus be reverse-engineered to find out the IRC channel and then the hacker's IP address?
I would like to see these virus authors caught and publicly executed for once.
Fascism is the greatest political ideology ever conceived. Sorry.
Could be right out of a voyager episode or something.
I really hope they reverse their shield polarity when attacking that wormhole, or it could trigger a tachyon cascade....
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
from the analysis:
This variant of mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.
Do we actually know which is the more malicious variant?
liqbase
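A defender-side check for the persistence mechanism the quoted analysis describes (the WGA-lookalike display name, the lure description and wgareg.exe in the system directory). This is an added example, not code from LURHQ or from the thread; the service records are constructed, and the short service name "wgareg" is an assumption, since the analysis only gives the display name.

```python
"""Flag service records that match the mocbot persistence indicators quoted
from the LURHQ analysis.  Added example; records are constructed to resemble
what Get-Service / Win32_Service would return."""

# Indicators taken from the quoted analysis.
LURE_DISPLAY_PREFIX = "windows genuine advantage"
LURE_DESCRIPTION = "ensures that your copy of microsoft windows is genuine and registered."
LURE_BINARY = "wgareg.exe"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")

# Constructed sample: one legitimate service, one mocbot-style entry, and a
# look-alike dropped outside the system directory.
SAMPLE_SERVICES = [
    {"name": "Spooler", "display": "Print Spooler",
     "description": "Loads files to memory for later printing.",
     "path": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"name": "wgareg",  # short name is an assumption
     "display": "Windows Genuine Advantage Registration Service",
     "description": "Ensures that your copy of Microsoft Windows is genuine "
                    "and registered. Stopping or disabling this service will "
                    "result in system instability.",
     "path": r"C:\WINDOWS\system32\wgareg.exe"},
    {"name": "svc42", "display": "Windows Genuine Advantage Registration",
     "description": "",
     "path": r"C:\Documents and Settings\bob\wgareg.exe"},
]

def suspicious_reasons(svc):
    """Return the indicators a service record matches (empty list if clean)."""
    reasons = []
    path = svc["path"].strip('"').lower()
    exe = path.rsplit("\\", 1)[-1]
    if svc["display"].lower().startswith(LURE_DISPLAY_PREFIX):
        reasons.append("display name impersonates WGA")
    if LURE_DESCRIPTION in svc["description"].lower():
        reasons.append("description matches LURHQ lure text")
    if exe == LURE_BINARY:
        where = "system dir" if path.startswith(SYSTEM_DIRS) else "non-system dir"
        reasons.append(f"binary is {LURE_BINARY} in {where}")
    return reasons

def scan(services):
    """Map service name -> reasons, for every record with at least one hit."""
    return {s["name"]: r for s in services if (r := suspicious_reasons(s))}

if __name__ == "__main__":
    for name, why in scan(SAMPLE_SERVICES).items():
        print(f"{name}: {'; '.join(why)}")
```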
Notice: This worm cannot target Server 2003 or XP SP2; in fact, no exploit for them has been found. The basic flaw exists, but the stack guards used on all newer versions of Windows (post-security-push) trip all attacks attempted so far. To be really safe, however, make sure you update Server 2003 and XP SP2 machines anyway!
Find a way to make the average user patch software.
As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible. No product, be it OSS or commercial, is free of these banes. On the other hand, problems like this would nearly go away, if only users would patch the software. Whether it's a new exploit in Windows or Apache or phpBB, if you don't patch, you're going to get screwed. Yes, it seems like Microsoft products have more patches than average, but at least they have patches. Blaster and MyDoom? They'd have never hit the news if users were patched. Automatic Updates in XP is a great step forward, but it's still opt-in.
Some people seem amazed when I say I had no direct problems with Blaster or Welchia, and they don't seem to get it that these problems essentially always appear after a patch is released, which means there is no valid reason for their survival. Patch, patch, patch, patch, patch. Yes, slightly monotonous, but if users would simply do it, we'd stop seeing these equally monotonous news stories about Exploits of Doom.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
...to think some of this stuff is officially sanctioned, state sponsored or at least allowed to continue?
It would be almost as stupid for a company to deploy patches without testing them as it would be to never patch at all.
So there will be a delay between a patch being released and that patch being deployed on production systems.
And going into "crisis mode" for 2 weeks, starting the second Tuesday of every month is a bit much to expect of people.
It's interesting to note that the Microsoft Security Bulletin does not disclose the component of the "Server Service" that is subject to the vulnerability. In particular, one cannot simply disable the relevant service. Actually, I don't even know whether their software is built to make such things possible. The reason I'm suspicious is because they recommend blocking certain ports with a firewall rather than disabling the relevant component.
I'm completely unfamiliar with MS server software, but there seems to be a sharp contrast between this bulletin and standard Unix practice, where one can either edit inetd.conf and restart the daemon (kill -HUP) or use rc.d start/stop scripts, depending on the setup.
Does that mean that if someone reverse-engineers the bot command set, maybe we can send them all a command to shutdown the service?
I don't know the meaning of the word 'don't' - J
I know that the patching after you're infected may not do you much good, except to prevent reinfection after you clean your system, but why don't viruses and worms start doing things like pretending to be a firewall and blocking sites like microsoft.com, or monitor what you search for and prevent you from searching for its own name?
is that their patches generally involve strengthening not only system security for the user, but system security for use by ms against the user (e.g. DRM)
prime examples so far - bundling of windows genuine advantage with security patches and xbox 360 forced updates through live.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Suppose the bots all used AIM or MSN Messenger servers. Would you demand that those be taken down?
The weak point is not IRC or any other communications method. The weak point is software that's so easy to exploit it has new "critical" patches every month [insert tampon jokes here].
Friends don't help friends install M$ junk.
If you're running norton you've got bigger problems than this worm.
Is that true? I don't have any of these problems and would like to find out. Is there a Debian version of this Norton? What kinds of problems can I expect if I install it?
Friends don't help friends install M$ junk.
Find a way to make the average user patch software. As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible.
It's very easy with Debian's stable distribution:
That's it, all done and it never breaks anything.
If it were that easy to upgrade commercial software, users would do it, but it's not. Commercial software lacks both the resources to fix things and the ability to cooperate so that everything is in one place. Worse, some nameless companies in Redmond use their "patch" system to change EULAs and sabotage other people's software. It's unlikely the average user will ever bother to wade through the cesspool of monthly critical patches from every vendor to brave the very real risk of breakage of their holy, one and only PC. They are going to sit back and laugh at those who do when they too, just like M$ themselves, get broken.
Friends don't help friends install M$ junk.
MS06-040 is a vulnerability that allows an attacker to take over a PC whose only crime is running Windows while connected to the internet. No user action required.
It looks like the blog on technet calls the current attack "extremely small" and "extremely targeted" - to only those PCs running W2K, which as I understand it, is millions of bidniz PCs.
This is like calling 911 and having the dispatcher say "It can't be a very bad fire if it's only in the kitchen! Call us back when it gets to attic."
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
I just read the title and wondered if I woke up in the year 3000...
IRC botnets have been common for years. I have been blocking outgoing standard IRC ports for years as well on my home network, 6660-6669, 31337, and 5555 at least. I know a bot or person can connect on any port but my blocks have worked in the past. Am I wasting my time?
More info..
Default deny would be a better choice, but with one kid and myself PC gaming, that has been a major PITA. My other kid only gets 5190 to the world; http is handled by a transparent squid proxy locally, as is DNS. I solved our console gaming issues with a different subnet. The PSP, Xbox, PS2, WAP (with TKIP), and VOIP are the only things on that subnet; it has no connection to our main home network, and I deny my actual computers' MAC addresses to prevent accidentally plugging a computer into that network. That subnet has almost no filters. Okay, hack my PSP, big deal.
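An added example (not from the thread) that tests the point raised above: a port-only block on 6660-6669, 31337 and 5555 is compared with a check on the first client bytes of each flow for an IRC registration handshake (PASS/NICK/USER/JOIN, per RFC 2812), which catches a bot that joins its channel on a port such as 80. The flows are constructed.

```python
"""Classify constructed outbound TCP flows as IRC by destination port alone
versus by the IRC registration commands in the first client payload bytes.
Added example; nothing here is from the thread or from a real capture."""
import re

# Ports the comment above blocks.
BLOCKED_PORTS = set(range(6660, 6670)) | {31337, 5555}

# IRC client registration commands are CRLF-terminated lines "<CMD> <params>".
IRC_HANDSHAKE = re.compile(rb"^(PASS|NICK|USER|JOIN) [^\r\n]*\r\n", re.M)

# Constructed flows: (destination port, first client payload bytes)
SAMPLE_FLOWS = [
    (6667, b"NICK bot123\r\nUSER a 0 * :a\r\n"),                 # IRC on its usual port
    (80,   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),       # ordinary web
    (80,   b"NICK bot456\r\nUSER b 0 * :b\r\nJOIN #chan\r\n"),   # IRC tunnelled on 80
    (5555, b"\x16\x03\x01\x00\x2a"),                             # blocked port, not IRC
]

def by_port(port, _payload):
    """Port-based rule: anything to a blocked port counts as IRC."""
    return port in BLOCKED_PORTS

def by_payload(_port, payload):
    """Protocol-based rule: two or more registration commands up front."""
    return len(IRC_HANDSHAKE.findall(payload)) >= 2

def classify(flows):
    """Return (indexes flagged by port, indexes flagged by payload)."""
    port_hits = [i for i, (p, d) in enumerate(flows) if by_port(p, d)]
    payload_hits = [i for i, (p, d) in enumerate(flows) if by_payload(p, d)]
    return port_hits, payload_hits

if __name__ == "__main__":
    ports, payloads = classify(SAMPLE_FLOWS)
    print("flagged by port:   ", ports)
    print("flagged by payload:", payloads)
```

Flow 2 is the case the port list never sees, and flow 3 is a false positive the payload check avoids.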
Just yesterday you were modded down to -1 for attempting the same "joke".
So, you read my posts before you mod them? Great. Would you like to subscribe to my newsletter, Buggy?
Friends don't help friends install M$ junk.
Video of a real life worm hole ...
http://www.youtube.com/watch?v=c5MGfEVBs1s
The sad thing is that I could almost understand what you were saying!
I thought DS9 and a cluster of self-replicating mines was supposed to protect the MS06-040? Or is this a different worm hole? Are the "Botnet Herders" a Dominion force?
SIG: TAKE OFF EVERY 'CAPTAIN'!!
What's normal? American soldiers raping indigenous folk in whatever part of the world they are fucking up (Iraq)?
Stop being such an ignorant twat. The US also turns a blind eye to crimes far worse if they are a bit of an embarrassment overseas.
The US also point-blank refuses to allow their soldiers to be subject to any laws except their own when they are serving overseas. So why should any other nations hand criminals over to the US if they won't do the same in return?
I don't read
The point isn't to "Demand that the server be taken down," but rather for law enforcement personnel to go to the channel and find who is giving the botnet commands, then track that user down and prosecute him for what he is doing.
If true, that's hardly a problem unique to IRC. The root cause remains Windoze.
Friends don't help friends install M$ junk.
Firstly, the soldiers are going to be court-martialed.
Secondly, we don't have to play nicely. If you catch one of our folks on your turf fucking up then by all means grab them, but don't expect us to extradite just because you request it. You don't have a big enough stick with which to beat us or a big enough carrot with which to entice us to comply.
Thirdly, might makes right. Deal with it. If you don't hand them (criminals) over expect anything from economic and diplomatic retaliation to an armed response. The Chinese are going to do the same favor for us here in 10-20 years when they take over. And if you think the US plays hardball, you haven't seen anything yet.
The US, China, and Russia are in a unique club: they do not have to take shit off the rest of the world. Yeah, I'm talking to you Old Europe.
In my analogy, it's the INDUSTRY calling 911, not an individual. MS, when speaking on the technet blog, is describing the impact of the virus on the internet as a whole. In the analogy, the burning house represents the vulnerable systems on the internet, and the dispatcher (MS) is saying the fire (MS06-040) is unimportant because "only part of the kitchen is burning" == "only some vulnerable systems are being attacked". I do agree that MS products, in general, implement older technologies ("50 year old wiring"), and after MS's inspection of their own products, MS decides not to "update the wiring" except when forced by industry or circumstances (like Blaster). And I really don't think MS would ever suggest to the industry to "get out of the house" when "the house" is Windows. As to the other poster who described all the details of what's wrong that makes MS boxen easy targets, I would remind same poster that MS was pressured by the industry for years and several major releases of Windows to stop shipping the product with all the services on and ports open. The fact that the poster knows of industry response (hw coming with "MS Networking blocks option") shows that the poster should know it's MS that releases unprotected products that others have to react to.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
In all seriousness, couldn't the world community impose "Internet sanctions" on a country, cutting them off from the Internet at large until they take action against these sorts of people? We already impose trade sanctions for other offenses. Of course, somebody will invariably point out that no one entity owns the Internet, thus such sanctions would be hard to enforce; I don't buy that for a second. You may not be able to completely cut a country off from the Internet, but you could, say, have backbone servers and routers deny access to certain IP blocks.
You know, basically a "play nice or don't play at all" sort of rule.
Actually, the root cause is human nature. No matter what protocol/OS/browser becomes popular or available, someone will try to break it. Windows is popular now, so it would be the logical choice for which to develop an attack. If Windows falls out of favor when Vista is released as you have many times predicted here, and Linux becomes more mainstream, you can be assured that our less civilized members of society will be looking for a way to crack it. The wise old verse still holds true: "Seek, and ye shall find."
yeah, the US don't have to take shit "off" the rest of the world; they're being shat upon enough by their own government as it is, effing dimwit losers