Botnet Herders Attack MS06-040 Worm Hole
Laljeetji writes "eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor."
If the hacker has to use IRC to command the bots, can't the entire virus be reverse-engineered to find out the IRC channel and then the hacker's IP address?
I would like to see these virus authors caught and publicly executed for once.
Fascism is the greatest political ideology ever conceived. Sorry.
Could be right out of a voyager episode or something.
I really hope they reverse their shield polarity when attacking that wormhole, or it could trigger a tachyon cascade....
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
from the analysis:
This variant of mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.
Do we actually know which is the more malicious variant?
liqbase
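The persistence described in that analysis (a service named "Windows Genuine Advantage Registration Service" running wgareg.exe from the system directory, with a description that warns against stopping it) is easy to hunt for from a defender's side. The following is an added example, not code from LURHQ or from this thread; it assumes a modern PowerShell with the CIM cmdlets, and the "not Microsoft-signed" check is a generic heuristic of mine, not something the analysis states.

```powershell
# Added example: look for the mocbot service persistence described in the
# LURHQ analysis quoted above. The three indicators below come from that
# analysis; the Authenticode check is an extra heuristic (assumption): a
# service that claims to be a Windows component but whose binary is not
# Microsoft-signed deserves a look even if the names have been changed.

$displayNameIoc = 'Windows Genuine Advantage Registration Service'
$binaryIoc      = 'wgareg.exe'
$descriptionIoc = 'Stopping or disabling this service will result in system instability'

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # PathName may be quoted and may carry arguments; keep only the executable.
    # (An unquoted path with spaces is left as-is, which is still fine for matching.)
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $reasons = @()

    if ($svc.DisplayName -eq $displayNameIoc) { $reasons += 'display name matches mocbot variant' }
    if ($exe -like "*\$binaryIoc")             { $reasons += 'binary name matches mocbot variant' }
    if ($svc.Description -like "*$descriptionIoc*") { $reasons += 'description matches mocbot variant' }

    # Heuristic: anything posing as a Windows/Microsoft service should be signed by Microsoft.
    if ($svc.DisplayName -match 'Windows|Microsoft' -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "claims to be a Windows service but binary is not Microsoft-signed ($($sig.Status))"
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Path        = $exe
            State       = $svc.State
            StartMode   = $svc.StartMode
            Reasons     = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No matching or suspicious services found.' }
```

Run it in an elevated session so service binary paths can be read; a hit on the signature heuristic alone is a lead to investigate, not proof of infection.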
Notice: This worm cannot target Server 2003 or XP SP2; in fact, no exploit for them has been found. The basic flaw exists, but the stack guards used on all newer versions of Windows (post-security-push) trip up all attacks attempted as of yet. To be really safe, however, make sure you update Server 2003 and XP SP2 machines anyway!
Find a way to make the average user patch software.
As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible. No product, be it OSS or commercial, is free of these banes. On the other hand, problems like this would nearly go away, if only users would patch the software. Whether it's a new exploit in Windows or Apache or phpBB, if you don't patch, you're going to get screwed. Yes, it seems like Microsoft products have more patches than average, but at least they have patches. Blaster and MyDoom? They'd have never hit the news if users were patched. Automatic Updates in XP is a great step forward, but it's still opt-in.
Some people seem amazed when I say I had no direct problems with Blaster or Welchia, and they don't seem to get it that these problems essentially always appear after a patch is released, which means there is no valid reason for their survival. Patch, patch, patch, patch, patch. Yes, slightly monotonous, but if users would simply do it, we'd stop seeing these equally monotonous news stories about Exploits of Doom.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
...to think some of this stuff is officially sanctioned, state sponsored or at least allowed to continue?
It would be almost as stupid for a company to deploy patches without testing them as it would be to never patch at all.
So there will be a delay between a patch being released and that patch being deployed on production systems.
And going into "crisis mode" for 2 weeks, starting the second Tuesday of every month is a bit much to expect of people.
Does that mean that if someone reverse-engineers the bot command set, maybe we can send them all a command to shutdown the service?
I don't know the meaning of the word 'don't' - J
I know that the patching after you're infected may not do you much good, except to prevent reinfection after you clean your system, but why don't viruses and worms start doing things like pretending to be a firewall and blocking sites like microsoft.com, or monitor what you search for and prevent you from searching for its own name?
is that their patches generally involve strengthening not only system security for the user, but system security for use by ms against the user (e.g. DRM)
prime examples so far - bundling of windows genuine advantage with security patches and xbox 360 forced updates through live.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
What are you talking about? The "Server" service is the component (handles file, printer, named pipe sharing, etc), and is very easily stopped or disabled.
Suppose the bots all used AIM or MSN Messenger servers. Would you demand that those be taken down?
The weak point is not IRC or any other communications method. The weak point is software that's so easy to exploit it has new "critical" patches every month [insert tampon jokes here].
Friends don't help friends install M$ junk.
If you're running norton you've got bigger problems than this worm.
Is that true? I don't have any of these problems and would like to find out. Is there a Debian version of this Norton? What kinds of problems can I expect if I install it?
Find a way to make the average user patch software. As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible.
It's very easy with Debian's stable distribution:
That's it, all done and it never breaks anything.
If it were that easy to upgrade commercial software, users would do it, but it's not. Commercial software lacks both the resources to fix things and the ability to cooperate so that everything is in one place. Worse, some nameless companies in Redmond use their "patch" system to change EULAs and sabotage other people's software. It's unlikely the average user will ever bother to wade through the cesspool of monthly critical patches from every vendor to brave the very real risk of breakage of their holy, one and only PC. They are going to sit back and laugh at those who do when they too, just like M$ themselves, get broken.
It's interesting to note that the Microsoft Security Bulletin [microsoft.com] does not disclose the component of the "Server Service" that is subject to the vulnerability.
Yes, actually, the bulletin does. The problem is within Netapi32.
MS06-040 is a vulnerability that allows an attacker to take over a PC whose only crime is running Windows while connected to the internet. No user action required.
It looks like the blog on technet calls the current attack "extremely small" and "extremely targeted" - to only those PCs running W2K, which as I understand it, is millions of bidniz PCs.
This is like calling 911 and having the dispatcher say "It can't be a very bad fire if it's only in the kitchen! Call us back when it gets to the attic."
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
I just read the title and wondered if I woke up in the year 3000...
Video of a real life worm hole ...
http://www.youtube.com/watch?v=c5MGfEVBs1s
Yes. Although stupid botnet 'herders' may have their botnet ircds listening on the default port (6667), anyone who is even a half wit is smart enough to change that to something utterly random.
Besides, why block IRC - IRC is so fun :)
The sad thing is that I could almost understand what you were saying!
Yes. Although stupid botnet 'herders' may have their botnet ircds listening on the default port (6667), anyone who is even a half wit is smart enough to change that to something utterly random.
Besides, why block IRC - IRC is so fun :)
Indeed, which is why some of us irc admins open up port 8080 so anyone has a fair chance at losing their job.
People replying to my sig annoy me. That's why I change it all the time.
I thought DS9 and a cluster of self-replicating mines was supposed to protect the MS06-040? Or is this a different worm hole? Are the "Botnet Herders" a Dominion force?
SIG: TAKE OFF EVERY 'CAPTAIN'!!
What's normal? American soldiers raping indigenous folk in whatever part of the world they are fucking up (Iraq)?
Stop being such an ignorant twat. The US also turns a blind eye to crimes far worse if they are a bit of an embarrassment overseas.
The US also point blank refuses to allow their soldiers to be subject to any laws except their own when they are serving overseas. So why should any other nations hand criminals over to the US if they won't do the same in return?
I don't read
The point isn't to "Demand that the server be taken down," but rather for law enforcement personnel to go to the channel and find who is giving the botnet commands, then track that user down and prosecute him for what he is doing.
If true, that's hardly a problem unique to IRC. The root cause remains Windoze.
In my analogy, it's the INDUSTRY calling 911, not an individual. MS, when speaking on the technet blog, is describing the impact of the virus on the internet as a whole. In the analogy, the burning house represents the vulnerable systems on the internet, and the dispatcher (MS) is saying the fire (MS06-040) is unimportant because "only part of the kitchen is burning" == "only some vulnerable systems are being attacked". I do agree that MS products, in general, implement older technologies ("50 year old wiring"), and after MS's inspection of their own products, MS decides not to "update the wiring" except when forced by industry or circumstances (like Blaster). And I really don't think MS would ever suggest to the industry to "get out of the house" when "the house" is Windows. As to the other poster who described all the details of what's wrong that makes MS boxen easy targets, I would remind same poster that MS was pressured by the industry for years and several major releases of Windows to stop shipping the product with all the services on and ports open. The fact that the poster knows of industry response (hw coming with "MS Networking blocks option") shows that the poster should know it's MS that releases unprotected products that others have to react to.
In all seriousness, couldn't the world community impose "Internet sanctions" on a country, cutting them off from the Internet at large until they take action against these sorts of people? We already impose trade sanctions for other offenses. Of course, somebody will invariably point out that no one entity owns the Internet, thus such sanctions would be hard to enforce; I don't buy that for a second. You may not be able to completely cut a country off from the Internet, but you could, say, have backbone servers and routers deny access to certain IP blocks.
You know, basically a "play nice or don't play at all" sort of rule.
Actually, the root cause is human nature. No matter what protocol/OS/browser becomes popular or available, someone will try to break it. Windows is popular now, so it would be the logical choice for which to develop an attack. If Windows falls out of favor when Vista is released as you have many times predicted here, and Linux becomes more mainstream, you can be assured that our less civilized members of society will be looking for a way to crack it. The wise old verse still holds true: "Seek, and ye shall find."