Slashdot Mirror
US-CERT Says Microsoft's Advice On Downadup Worm Bogus
CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines are important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."
November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.
Sometimes they come out with something good....I think.
But they've always been completely screwed up on anything whatsoever to do with autorun.
It was a bad idea from the start, and it's just managed to get worse.
"City hall" in German is "Rathaus" Kinda explains a few things......
Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
There's a new sound, the newest sound around
The strangest sound that you have ever heard
Not like a wild boar or a jungle lion's roar
It isn't like the cry of any bird
But there's a new sound, it's deep down in the ground
And everyone who listens to it squirms
Because this new, new sound so deep under the ground
Is the sound that's made by worms
It makes me feel a bit dizzy every time I think that this "feature" is enabled by default. It's a feature in the same way that an online banking system might feature login without a password, "just type your name to instantly access your account!" It saves the user a tiny hassle against an opportunity for absolute catastrophe.
Autorun is high on my list of stuff to disable very shortly after installing a fresh copy of Windows.
And it's not like it's a secret that this is a vulnerability. There's a reason Apple abandoned this capability when it moved from OS 9 to OS X.
Microsoft deserves derision for continuing to offer and promote this feature.
If Microsoft can't be bothered by it, nor convinced it's a very, very, bad idea, then autorun should at be limited exclusively to CDs and DVDs. That would merely be a terrible idea, as opposed to a downright catastrophic one.
Does Windows Vista or Window 7 handle this differently than XP??
Comment removed based on user account deletion
"by taking advantage of Windows' Autorun and Autoplay features"
well no, not really.
Granted, they take advantage of the fact that...
1. there is an autorun feature. Is that so horrible? Probably not.
2. that the autorun feature pops up a display letting the user choose what to do (i.e. run the program, browse the drive, view pictures if it finds them, etc.). Again, not so bad.
3. that the autorun feature lets you customize the icon. Okay, things get a little hairy here - it's nice when the icon fits the program, but this malware uses the icon of... a folder. Just like the 'browse the disc/device' icon.
4. that the autorun feature does not have a -clear- distinction between what are autorun directives (run the program), and what are windows' built-in features (browse the drive).
The fourth is nearly inexcusable and if handled well, it would alleviate the third as well - just put a big red border around the darn thing (is one option, anyway).
In the end, though, it doesn't exploit 'autorun' directly - it exploits the fact that many users will think that the option with the folder icon with (misleading) description is the regular 'browse drive' option and click it carelessly.
Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector.
The "recommendation" referred to is almost two years old and has nothing to do with the worm. Article is a troll pretty much. One support article is for disabling Autorun on CD-ROMs, while the other is for Autoplay. Neither was created specifically to support Downadup as far as I can tell.
So no, not really suspicious at all. Bad on the "researchers" who have pointed to those articles for protection.
The problem is the Microsoft solution doesn't really disable autorun fully because they didn't think of all codepaths by which the behavior can be launched. The solution CERT gives is beautiful in its simplicity:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Basically it just associates autorun.inf with a NULL system function as the default handler.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Or you could, oh I don't know, not let morons near your computer? I'm typing this on a Win2K pro machine that has been hooked to the net and running non stop for almost 9 years. In that time I have gotten zero, zip, nada, squat on the virus front. Why? Because I don't let morons on this machine, that's why.
As a PC repairman I have noticed the PEBKAC problems with Windows can nearly always be traced to one of three types. One, the "anything my friend (insert name of girlfriend) sends me has to be okay." Those can usually be dealt with by installing a decent AV and having them use webmail instead of OE. Two, the "I will click on anything that'll get me teh hot lesbos!" guy. You can usually cut down on his rate of pwnage by giving a copy of Firefox loaded with bookmarks for places like Youporn and Redtube. And three, the "I click on everything I loads off the Kazaa!" types. These are usually dumbass teenagers looking for the latest horrible pop drivel and instead clicking on "lousy_tune.mp3.exe" thinking it is their pop drivel. Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick.
The point is blaming Windows for morons is like blaming the SUV manufacturers when some woman plows through a family of five because she ran a redlight while playing with her cell phone. Stupid people will find a way to break stuff, hence why we call them stupid. If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an .exe. It all comes back to the dancing bunny problem. The best we tech guys can do is educate where we can, and take steps like the ones listed above to minimize the damage they can do. Because I don't care which OS you give them PEBKAC problems will NEVER go away. After all this problem wouldn't exist in the first place if folks had actually bothered applying the patch the MSFT released in OCTOBER. Just further proof that they ain't exactly brain trusts we are talking about here.
ACs don't waste your time replying, your posts are never seen by me.
Seriously, what are you talking about? I see a lot of "Vista's evil DRM," tossed around, and very little in the way of specifics to back up what it does, which of course leads me to think the people doing the talking don't know what they are talking about.
So what DRM do you want to see disabled? Are you talking about HDCP, the DVI encryption? That's not MS's standard, by the way, DVD and Blu-ray players are where that's from. However, it is one of those things that you don't have to use if you don't want to. I have a Vista system connected to a monitor which has HDCP turned off (professional monitor, you can change the state manually). Means if the system required HDCP, I'd get no image. But it works fine. Reason is, HDCP is only required by Blu-ray playback software. Now you could disable it on the system, I suppose, but that'd gain you nothing. The software would just refuse to play. It wasn't as though MS said "Let's include this to fuck people." Rather it is required if you want to license Blu-ray playback.
So again, what DRM are you talking about? I'm tired of all this bitching from people who don't know what they are saying. If there is something in particular you object to, let's here what and why. Otherwise, please stop going on about thing you don't understand.
Did nothing?? What planet were you on?
The machine took out more than a lot of mail servers, bringing them to a grinding halt for the duration.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
The 1 step guide to getting cheap mod points on Slashdot
1) Mention DRM
Comment removed based on user account deletion
Thanks for pulling up that Gem from 20 + years ago. You and my wife must be related!
My name is Inigo Montoya. You killed my Father! Prepare to die!
Perhaps it's more accurate to say that the Morris Worm did not carry a destructive payload. It's true that it brought down more than a few servers, but that was only because it spread so rampantly without -- as with many modern worms -- any kind of rate-limiting logic.
um, what are you talking about? if there is a worm going around that exploits the AutoRun, then naturally the thing to do would be to disable AutoRun. so why is it bad on the researchers for advising people to disable a feature that makes their system more vulnerable to an ongoing security threat. and how is US-CERT or ComputerWorld "trolling" by pointing out that Microsoft's instructions for "disabling AutoRun" doesn't actually disable AutoRun?
Microsoft is the one who created a feature that is now an active malware infection vector. they are the ones who set this feature to be enabled by default. and they are the ones who made it near impossible to turn off (without downloading additional software). and to make things worse, they release inaccurate advice on how to "disable" this feature, which could potentially lull users into a false sense of security.
"Or you could, oh I don't know, not let morons near your computer?"
.exe."
.mozilla/ folder a different context. Sure, you can create such a security policy in Windows, but it is not done by default.
Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.
"Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."
When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.
"If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the
Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.
Palm trees and 8
The system was designed to be open by default... not secure. Security was ALWAYS an afterthought.
I don't think I'd say it was an afterthought, that implies they believed it was important to address, once discovered late.
The closer reality seems to be that they acknowledged the issue and determined it made a better feature than vulnerability.
Like the windows autorun on media insert that's making Downadup so successful as of lately. Amazing they STILL haven't axed that. This isn't a case of them being late with a fix, this is a case of them refusing to fix it.
I work for the Department of Redundancy Department.
SELinux goes a long way toward containing viruses, as long as the distro maintains decent default policies. For example, only files from the Mozilla packages should be able to modify ~/.mozilla/ or any files in that directory, and Fedora's SELinux policy puts those files in their own context. A virus attempting to install some sort of keylogger in Firefox is forced to attack through Firefox (or another Mozilla program); compare with malware in Windows, that could attack through specially crafted music file and install a keylogger in IE.
Palm trees and 8
If you put these types on OSX or Linux they would break just as much as they do on Windows.
You had me up to that line. I have managed 4 desktop computers at a youth drop-in center for a year and a half now. We have all three of your types using these machines on a nightly basis.
On my first day all four computers ran xp Home with the youth using just the guest account. All four computers were heavily infested with you-name-it. The hard drives never stopped churning and the router lights never stopped blinking, 30 minutes after logging out.
I spent that first evening exorcising the demons on what appeared to be the worst of the four stations. I gave it a clean bill of health, tightened up security here and there, and called it a night. I decided that night that I would clean out one machine per week.
I went back for round 2 a week later and the one I had cleaned the week previous was back to its original state.
I spoke to the management and obtained permission and funds to do some minor hardware upgrades on the office computer. All the hard drives got pulled from the youth computers and assembled into a RAID on the office computer, on which I did a fresh default install of Ubuntu and ltsp. I created an account for every youth that wanted one and told them to have fun. I even installed limewire and showed some of them how to grab torrents using deluge and transmission.
A year and a half later and not a single breakage. No pop-ups, no churning disks, no dead family of five. I'm effectively unemployed with this organization.
Go ahead and tell me that Windows can be made secure. Yeah, I know. I work in 3 schools and it's all Windows or nothing, and the IT people (not me) have done a great job of locking things down and generally keeping things ticking. But that's far from default configuration.
no, "these types", the same ones who had 4 xp desks in a perpetually broken state, even with AV and limited accounts, haven't broken a default linux install yet.
I am literally 3000 tokens away from the chaotic crossbow --Stephen
I remember the days pre-Windows when UNIX vendors were cursed and sworn at because they didn't patch the latest bugs quickly.
People will attack whatever operating system gives them the most bots for the buck. If the predominant OS is a UNIX, then it will be invisible .ko/.kext modules that will be the sysadmin's bane.
Right now, there are two main attack vectors other than the PEBKAC "hole" and social engineering. The first, a direct attack on a machine, can be mitigated by a solid firewalling router, so an attacker has to deal with a hardened attack surface before touching the more chewy machines behind it.
The second attack vector is the Web browser. It is in constant contact with untrusted code. To secure this beast takes more than just good defensive programming because even with a solid browser, a third party plugin might cause issues. It takes cooperation on multiple levels, where the OS has hooks to run the browser in a sandbox, but yet allow it to have upload/download functionality that users want. Vista's protected mode of IE7 is a great start, but all Web browsers need this protection, whether it be done by SELinux type profiles that exist in various Linux distros, or actual virtual machines that completely roll back all changes except to the bookmarks when the user is done and closes the browser session. Solving this problem will close a lot of potential security threats.
Finally, autorun just needs to go, and be replaced by a different, more secure system. Autoplay can stay, but it should never run anything other than showing the root of a CD or DVD, or pulling up a media player if a CD or DVD is inserted. In no way should an executable ever be automatically executed by default. Its just too easy these days to make a U3 flash drive with a bogus CD partition with malware present.
chkrootkit, tripwire, clamav, shorewall, john-the-ripper, and snort run on a lot of systems considered super secure by their users.
Some people consider their systems super secure because they know they are not they guess they are.
The question on freebsd-security a few years ago was what was the best way to avoid denial of service attacks if you are logging to lpr. (one of the obvious suggestions is do not log repeated messages, just the number of times the message has repeated. this will increase the work required to kill your server by running through all the paper and hanging until more boxes of paper are fed to the printers.)
That was the same list that made me realize that you should not have passwords on multiuser systems, or servers in general.
Do you really think that people use passwords like this
makepasswd --char=32 --count=10
CLWwBsm1c15IFadg4KTjrHhCBjFP8RNI -- for slashdot
RLQaXqSEfRHgLnwjjbgoJU5y4Uya2hM6 -- for gmail
NebgFMATH990vB8US8CE4zMgeR7uum02 -- for Administrator
SFa0qT5nIQuLYtTsq44I8336ghEBApiD -- for user account
smcruMr8rzE6PFHzus8AmPcIoKNFy0Rh -- for facebook
L6wynpgAHoINdQm2CWwXdfSiJrBzQ8YG -- for myspace
Q3D1JBVXtgPNNo4bm16WAcKPMhox8s6C -- for banking
L1hEhuisoFcnoyGEYxPYqW8Hq4Qs2EmY -- for retirement account
2RqaobNEKyQIIoUVoFPty6EruLQhVE0F -- for work login
s0zJFsLiWCSN0e5fCEvpi48GV4D0PjyH -- for paypal
Phishing sites are one of the best ways to effectively get the information and tools needed to illicitly act on behalf of someone else.
At some point public key logins via ssl will become the norm, until then, passwords will be the week point in most systems.
Realize that even though debian had the ultra limp ssl keys generated it was still seems to be more productive to use password guessing than trying to try brute forcing an almost known key. Passwords suck that bad.
I would not be surprised if a sizable number of systems (more than 10%) in Arizona could be broken into this week with a dictionary attack of:
cardinals
cardina1s
Cardina1s
For those that want an analogy, imagine zoning laws that required NORAD style doors on all buildings and twenty percent of the population deciding that it is stupid and refusing to lock their doors. You would have a situation similar to the computer landscape today.
Work bio at MMWD
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable.
There was an outbreak of malware a while back that required users to open a password-protected zip file, and execute the contents within.
You really think having to set a file +x, or running it from a commandline with 'bash file.sh' is really going to slow them down ?