"the worm uses Microsoft's Outlook to spread itself"
In this particular case Sobig.F has it's own SMTP engine.
Users that do not have Outlook at all, could still easily cause as much damage. Mozilla users that open the attached file could then infect their machines and server shares to get other computers on the network.
Which then start broadcasting the infected mail again.
Obviously, most average Joes DO use Outlook, but it is not necessary and there is no exploit the thing is using... it's just dumb people who have replaced their "computer security" slot with "patch windows" where it used to contain "don't click on stupid shit"
It does work as advertised, note however that you must do some trickery (regedit) to get it to work on every PC, or use Group Policies or other stuff. (Those things make it less useful for small networks that are not likely to be doing group polices, etc.)
With high bandwidth connections though, I found it easier to just sneak in and make it auto install the updates directly from MS.
Please note, with the inclusion of it's own SMTP engine, the header is likely static anyway. Adding "Outlook Express" is in that case an attempt to make it look normal. (i.e. look like most other emails out there)
I won't argue if you assert that Outlook has been 80% of the problem in the past, but for SoBig and Klez (i think) Outlook is not generating the infection attempts via email.
The part that is baffling to me, is why this outbreak is so sudden, almost like they (virus fighter guys) some function so far that spreads by other means. I mean, did the power outage cook the brains of all those NorthEasterners? So everybody suddenly forgot that clicking on random attachments is dangerous? Lots of viruses have required user intervention in the past, but NONE of them have slammed my mail servers so hard before.
Something's different about this one. Maybe it's that people have been thinking so much about MSblaster not requiring the user to do anything they forget other things. Users "security" slot is full with "patch" that they flushed "dont click on shit" from cache....
Around my workplace there is a set of rules, rule #1 is:
The world is a fucked up place, and people are the problem.
#2 is:
99.95% of people are not completely, utterly, astoundingly, stupid.
If you are not part of rules #1 and #2 you can do something about this. (There are other rules, but would be OT.)
Register to vote (vote or not), only registered voters are called for jury duty. When you are called up, go! Be honest, and do your part and you can torpedo this type of thing when it happens.
EVERY time there is some fiasco like this where one guy gets thrown in (FPMITAP) jail for 16 months and the next guy HS ex-football star-rapist gets 3 months of probation there is a jury there. THEY convict the person. Not the procecutor.
Get in there and do your moral/societal duty by particpiating in our judicial system. Judging by the news and articles I see, the cops, the lawyers, the judges, the clerks and the accused need someone that knows a little more stuff about tech stuff. In general, you may not get that trial, but you may get the next Skylarov...
I had the experience of spending an entire week in a DUI trial last year, and I tell you it is scary how much power the jury has, you can make a difference. We did.
It makes me wonder though, why they could not have built in logic on the system to check the difference in capacity across the exit/entry points on a real time basis.
That way, they could have a decision point "enough power to help" or "not enough power to help" tell the switch what to do in the event of a shutdown on the other side.
They are after all, already down, no sense in blowing oneself as well. The net result would be more frequent but smaller failures, depending on the tolerances involved it might not be a perceptible (by the public) difference.
Obviously, there would be tuning and more than a few CPU cycles involved to make the decisions, but it seems like they are using transistor ideas and not fuzzy logic ideas to get the problem solved.
The "Davy Crockett" is more accurately described as a portable recoilless rifle launched nuke. It's about the same size as a more modern TOW setup, can go on a tripod. It probably took 4 or 5 guys to carry all the stuff on foot, so it's not really a bazooka (an anti-tank weapon).
It had a "dial a yield" warhead from 10 to 250(1) Tons of TNT. The higher settings would cause almost certain death to the launch crew as the lethal radiation kill zone was much farther than the maximum range of even the biggest launcher (2 miles or so).
One of the new thingies or an old Davy Crockett might be a good device to wipe out a bunch of tanks out in a desert, but it's still a friggin huge weapon compared to the precision stuff used nowdays. (I doubt any army will be dumb enough to go head-to-head against the US Army in desert tank battle for a looonngg time. Even the Iraqis didn't try it a second time.)
The canal is a fixed width of 33 meters (the locks), it is narrower than aircraft carriers, some cruise liners, a bunch of cargo ships and many many oil tankers.
By the end of WWII there were quite a few ships that could not get through.
The economies of large ships do not benefit from the canal, so a second way around in the north would help. (The US could get by with fewer carriers that way too, saving the US a bunch of money.)
... in addition, there will be HUGE economic benefits to having a year round navigable ocean up there too. Canada for one will become more wealthy and the economies of the isolated communities will be boosted.
Think about the difference between going around Canada and going around the southern tip of South America, there are quite a few boats that need to go the long way go get from one side to another. Shipping from Europe, Middle East, US, etc. to the Pacific will be cheaper and faster.
The "NorthWest Passage" thing has always been a big deal since Europeans first started sailing up and down the coast of the Americas.
It's easy to have great leaders and rise to great heights when your idea of achievement is fresh running water and a warm place to shit. (Not without great environmental cost as well, I might add...) The remaining things; longer life expectancy, larger population, higher standard of living may seem unnecessary to you, but believe me if you do not have those things they are really important. Doing the above things will come at an environmental cost, through pollution, wars, etc.
Voters have always been stupid, and they used to be much less educated overall. (And do not forget that women, minorities, non-land owners, etc. used to not be in the mix.)
People are dumb, foolish, and panicky whereas you can say you are smart and sensible as any individual might be. (misquoted, MIB) You are comparing you "person" with "people" and seeing a big gap. Of course!
Unfortunately the democratic process has to deal with "people", not "person". That is the simple truth.
You should be happy that there is enough knowledge out there that there is a fighting chance for concerned people to make a difference. I am sure the Romans (or pick your ancient culture that is now gone) would have liked to have known that irrigation can cause the soil to become too salty to plant crops, or the Incas might have benefitted by knowing certain parts of their culture were fatally self-destructive.
Do what you can, but know that whiny-pissing about it only turns people off to your point of view. Feel free to join the political arena and make a difference. I might even vote for you.
Well... if you use Windows there is a solution to that problem. Though, it'd be better to have a hardware dongle or something to make it non-operating system specific....
No. ONE of the patches was out for a while now. (And I would not consider less than 4 months a while, I seem to remember doing this one only several weeks ago.) For those people that waited, there was one patch. For those people that patched right away, there was yet, a second patch.
The hotfix to close the exploit was out before the appearance of the LovSan worm, and fixes were included in the new SP4 version too.
The hotfix to prevent the denial of service (RPC crashing when probed) was not out, because nobody knew about it until the worm started hammering at the RPC service trying to spread. So even if all the boxes on the network and DMZ were all patched, the internet connection could have provided the means for the worm to crash boxes anyway. Even if they were patched in advance.
An infected box can still crash a whole network of other boxes becase the hotfix prevented infection, it did not prevent RPC from crashing when repeatedly probed. So a second patch came out to fix that problem, AFTER THE WORM WAS RELEASED AND CAUSING PROBLEMS ALREADY.
If the person who wrote LovSAN (or whatever you want to call it) was intending on showing people they should patch, they did not wait long enough. Nobody in their right mind throws all the service packs and fixes onto a windows machine willy-nilly without trying it on one first and running a while. There will always be a gap between publishing of a patch and full implementation, even if by some magical means every user was a perfect admin of all the boxes they administer, and all boxes had such admins. Even if everybody became telepathically informed of all released patches on all software. There are good, valid and sensible reasons for waiting before patching. Ask around, you will find some people wait for service pack updates simply to allow the early adapters to find all the bugs and for MS to fix them.
Your understanding this worm and the RPC security problem is wrong.
[And who the fuck modded the parent post as "interesting"? Listen to Art Bell if you want self-righteous smuggery mmm'kay? You might think it is funny, but one persons ignorant cock-rubbing bullshit is not "interesting"]
While it is true that people should be patched; this worm can still damage stuff on patched servers.
If the server is not firewalled, but it is patched, the msbash.exe worm probing can crash the RPC service. Which then crashes Exchange, Some AD stuff, some windows explorer stuff, and other things (including windows update). It can still bring the DMZ servers to their knees EVEN IF THEY ARE PATCHED.
You are only fully protected if you are both patched AND the 135/445 ports are shut off from the internet. (No naked DMZ stuff.)
I personally patched all the DMZ servers with the hotfix the day it came out, then some other servers with SP4 that included the exploit fix Only the SP4 ones are unaffected.
Note, I am talking about services available, none of the boxes in question actually got infected. The infection attempt caused the problem.
Naked un-firewalled computers are going to get this thing, and get it bad.
It will be interesting to see if that August 16th date pans out to be a dDOS or what...
[Note, auto update is fine for PCs, but is fucking dangerous for production servers. Sometimes the updates do not play nice with whatever is there, if it happens when so-and-so is on vacation there could be real trouble. Do what you gotta do, but I am never going to let MS put anything on my stuff. You'll probably see when someone figures out how to spoof that and gets all 375 of your boxes rooted due to Windows Update.]
When I speak or write words mean exactly what *I* intend them to mean. No more, no less. I use them because I intend to transfer an idea in a specific way. Sometimes I make allowances for what the dictionary says, sometimes I deliberately mangle meanings to get the other person to understand. ("Press the "eject" button on the hard drive and pull out the floppy disk, then reboot.")
If some fool mis-inteprets what I say when I did not intend to say it, it's their problem, not mine. Likewise, the confusion between 'hacker' and 'cracker' is yours.
Just because some weenie decides they want to change a word, that means diddly until others decide to use it that way. If the person said "hacker" and meant "someone who accessed a computer without permission" then the word is appropriate.
Feel free to use words as you like, however when it comes to dictating the language of others, STFU.
No more vigilantism than quarantining the kindergarten kid that gets scarlet fever. Sure it sucks to miss a lot of school and catch up later, but then having the whole class do the same is worse.
Sometimes the public good weighs on the conveneience of others, the wheelchair ramp outside the business might be costly, but its the right thing to do.
Closing up and otherwise paying attention to the devices one sticks on the internet should be no different.
Yup. Someone was posting about something called "FormFucker" which puts bogus, but seemingly real information in forms. So there is a tool out there to do that already.
Note, that this type of activity is just as legal as the RIAA or MadonnaWhore putting out fake MP3s.
[I work with banks as clients, and they sure are dumb about technology stuff most of the time, but they figure out when something hurts them financially pretty darned quick. I'd estimate the mortgage lead business would go away in less than 6 months if what the parent poster was proposing was actually implemented on a widespread basis.]
Of course, I doubt the leads pay as much as $20 a pop.... a few cents maybe....
It seems to me that in areas where S&R Ham is critical there are unlikely to be broadband carrying powerlines causing problems.
You guys don't help Mommy find Jr. who wandered from JC Penny into the mall itself do you?
Sure HAM has uses, but I bet the uses have a much smaller economic impact than broadband over power lines would.
In addition, there ARE alternatives to the uses you describe, satilite phones for example could fit that bill too. You said yourself coverage is spotty and you have to hope for a mountain top repeater, using a Sat phone would be no different.
In real emergency situations, power to run those broadband devices is gone, along with the lines and everything else. So your radio spectrum would be clear enough to be useful.
HAM users are going to end up fucked in one way or another like many other hobbies in the last few years; model rocketry, gun collecting, etc.
Check out www.shockwave.com . Among all the cruddy pool and golf games, they used to have a pretty decent version of Joust that was played in a browser program.
Really, putting all those games online (with banner ads for revenue) in shockwave or flash or DHTML or whatever would be a great way to both let the corporations make money as and let people play them on modern computers.
Slashdot Mirror
"the worm uses Microsoft's Outlook to spread itself"
In this particular case Sobig.F has it's own SMTP engine.
Users that do not have Outlook at all, could still easily cause as much damage. Mozilla users that open the attached file could then infect their machines and server shares to get other computers on the network.
Which then start broadcasting the infected mail again.
Obviously, most average Joes DO use Outlook, but it is not necessary and there is no exploit the thing is using... it's just dumb people who have replaced their "computer security" slot with "patch windows" where it used to contain "don't click on stupid shit"
"Software Update Service" it is called.
It does work as advertised, note however that you must do some trickery (regedit) to get it to work on every PC, or use Group Policies or other stuff. (Those things make it less useful for small networks that are not likely to be doing group polices, etc.)
With high bandwidth connections though, I found it easier to just sneak in and make it auto install the updates directly from MS.
Please note, with the inclusion of it's own SMTP engine, the header is likely static anyway. Adding "Outlook Express" is in that case an attempt to make it look normal. (i.e. look like most other emails out there)
I won't argue if you assert that Outlook has been 80% of the problem in the past, but for SoBig and Klez (i think) Outlook is not generating the infection attempts via email.
The part that is baffling to me, is why this outbreak is so sudden, almost like they (virus fighter guys) some function so far that spreads by other means. I mean, did the power outage cook the brains of all those NorthEasterners? So everybody suddenly forgot that clicking on random attachments is dangerous? Lots of viruses have required user intervention in the past, but NONE of them have slammed my mail servers so hard before.
Something's different about this one. Maybe it's that people have been thinking so much about MSblaster not requiring the user to do anything they forget other things. Users "security" slot is full with "patch" that they flushed "dont click on shit" from cache....
Around my workplace there is a set of rules, rule #1 is:
...
The world is a fucked up place, and people are the problem.
#2 is:
99.95% of people are not completely, utterly, astoundingly, stupid.
If you are not part of rules #1 and #2 you can do something about this. (There are other rules, but would be OT.)
Register to vote (vote or not), only registered voters are called for jury duty. When you are called up, go! Be honest, and do your part and you can torpedo this type of thing when it happens.
EVERY time there is some fiasco like this where one guy gets thrown in (FPMITAP) jail for 16 months and the next guy HS ex-football star-rapist gets 3 months of probation there is a jury there. THEY convict the person. Not the procecutor.
Get in there and do your moral/societal duty by particpiating in our judicial system. Judging by the news and articles I see, the cops, the lawyers, the judges, the clerks and the accused need someone that knows a little more stuff about tech stuff. In general, you may not get that trial, but you may get the next Skylarov
I had the experience of spending an entire week in a DUI trial last year, and I tell you it is scary how much power the jury has, you can make a difference. We did.
Do it.
{Sorry if I spelled Sklarov wrong.)
Ytterby, Sweden has four elements named after it.
Erbium, Terbium, Ytterbium, Yttrium; all rare earths that were first discovered there.
I think his name was "Powdered Toast Man".
I have no recollection if they ever explained in the show why his waist down blurred like that during flight, or how he flew.
Good information.
It makes me wonder though, why they could not have built in logic on the system to check the difference in capacity across the exit/entry points on a real time basis.
That way, they could have a decision point "enough power to help" or "not enough power to help" tell the switch what to do in the event of a shutdown on the other side.
They are after all, already down, no sense in blowing oneself as well. The net result would be more frequent but smaller failures, depending on the tolerances involved it might not be a perceptible (by the public) difference.
Obviously, there would be tuning and more than a few CPU cycles involved to make the decisions, but it seems like they are using transistor ideas and not fuzzy logic ideas to get the problem solved.
Uhm... You have a directional antenna in your attic and you don't know what it's doing there?
Check for web cams in your toilet bowl yet?
Verizon probably has new stuff in the area, generators and backup lines and so on.... Didn't a bunch of their stuff get destroyed on 9/11?
Hey! That's the combination on my luggage!
The "Davy Crockett" is more accurately described as a portable recoilless rifle launched nuke. It's about the same size as a more modern TOW setup, can go on a tripod. It probably took 4 or 5 guys to carry all the stuff on foot, so it's not really a bazooka (an anti-tank weapon).
e ar_device)
It had a "dial a yield" warhead from 10 to 250(1) Tons of TNT. The higher settings would cause almost certain death to the launch crew as the lethal radiation kill zone was much farther than the maximum range of even the biggest launcher (2 miles or so).
One of the new thingies or an old Davy Crockett might be a good device to wipe out a bunch of tanks out in a desert, but it's still a friggin huge weapon compared to the precision stuff used nowdays. (I doubt any army will be dumb enough to go head-to-head against the US Army in desert tank battle for a looonngg time. Even the Iraqis didn't try it a second time.)
Here's some links with pictures:
http://www.wikipedia.org/wiki/Davy_Crockett_(nucl
http://www.guntruck.com/DavyCrockett.html
The canal is a fixed width of 33 meters (the locks), it is narrower than aircraft carriers, some cruise liners, a bunch of cargo ships and many many oil tankers.
By the end of WWII there were quite a few ships that could not get through.
The economies of large ships do not benefit from the canal, so a second way around in the north would help. (The US could get by with fewer carriers that way too, saving the US a bunch of money.)
... in addition, there will be HUGE economic benefits to having a year round navigable ocean up there too. Canada for one will become more wealthy and the economies of the isolated communities will be boosted.
Think about the difference between going around Canada and going around the southern tip of South America, there are quite a few boats that need to go the long way go get from one side to another. Shipping from Europe, Middle East, US, etc. to the Pacific will be cheaper and faster.
The "NorthWest Passage" thing has always been a big deal since Europeans first started sailing up and down the coast of the Americas.
It's easy to have great leaders and rise to great heights when your idea of achievement is fresh running water and a warm place to shit. (Not without great environmental cost as well, I might add...) The remaining things; longer life expectancy, larger population, higher standard of living may seem unnecessary to you, but believe me if you do not have those things they are really important. Doing the above things will come at an environmental cost, through pollution, wars, etc.
Voters have always been stupid, and they used to be much less educated overall. (And do not forget that women, minorities, non-land owners, etc. used to not be in the mix.)
People are dumb, foolish, and panicky whereas you can say you are smart and sensible as any individual might be. (misquoted, MIB) You are comparing you "person" with "people" and seeing a big gap. Of course!
Unfortunately the democratic process has to deal with "people", not "person". That is the simple truth.
You should be happy that there is enough knowledge out there that there is a fighting chance for concerned people to make a difference. I am sure the Romans (or pick your ancient culture that is now gone) would have liked to have known that irrigation can cause the soil to become too salty to plant crops, or the Incas might have benefitted by knowing certain parts of their culture were fatally self-destructive.
Do what you can, but know that whiny-pissing about it only turns people off to your point of view. Feel free to join the political arena and make a difference. I might even vote for you.
Well... if you use Windows there is a solution to that problem. Though, it'd be better to have a hardware dongle or something to make it non-operating system specific....
No. ONE of the patches was out for a while now. (And I would not consider less than 4 months a while, I seem to remember doing this one only several weeks ago.) For those people that waited, there was one patch. For those people that patched right away, there was yet, a second patch.
The hotfix to close the exploit was out before the appearance of the LovSan worm, and fixes were included in the new SP4 version too.
The hotfix to prevent the denial of service (RPC crashing when probed) was not out, because nobody knew about it until the worm started hammering at the RPC service trying to spread. So even if all the boxes on the network and DMZ were all patched, the internet connection could have provided the means for the worm to crash boxes anyway. Even if they were patched in advance.
An infected box can still crash a whole network of other boxes becase the hotfix prevented infection, it did not prevent RPC from crashing when repeatedly probed. So a second patch came out to fix that problem, AFTER THE WORM WAS RELEASED AND CAUSING PROBLEMS ALREADY.
If the person who wrote LovSAN (or whatever you want to call it) was intending on showing people they should patch, they did not wait long enough. Nobody in their right mind throws all the service packs and fixes onto a windows machine willy-nilly without trying it on one first and running a while. There will always be a gap between publishing of a patch and full implementation, even if by some magical means every user was a perfect admin of all the boxes they administer, and all boxes had such admins. Even if everybody became telepathically informed of all released patches on all software. There are good, valid and sensible reasons for waiting before patching. Ask around, you will find some people wait for service pack updates simply to allow the early adapters to find all the bugs and for MS to fix them.
Your understanding this worm and the RPC security problem is wrong.
[And who the fuck modded the parent post as "interesting"? Listen to Art Bell if you want self-righteous smuggery mmm'kay? You might think it is funny, but one persons ignorant cock-rubbing bullshit is not "interesting"]
Not that I know anything about it (still playing with Knopppix) but there is Debian based Knoppix like thing that lets you customize the CDs first.
Again, not that I have tried it. Here's a link:
Morphix
While it is true that people should be patched; this worm can still damage stuff on patched servers.
If the server is not firewalled, but it is patched, the msbash.exe worm probing can crash the RPC service. Which then crashes Exchange, Some AD stuff, some windows explorer stuff, and other things (including windows update). It can still bring the DMZ servers to their knees EVEN IF THEY ARE PATCHED.
You are only fully protected if you are both patched AND the 135/445 ports are shut off from the internet. (No naked DMZ stuff.)
I personally patched all the DMZ servers with the hotfix the day it came out, then some other servers with SP4 that included the exploit fix Only the SP4 ones are unaffected.
Note, I am talking about services available, none of the boxes in question actually got infected. The infection attempt caused the problem.
Naked un-firewalled computers are going to get this thing, and get it bad.
It will be interesting to see if that August 16th date pans out to be a dDOS or what...
[Note, auto update is fine for PCs, but is fucking dangerous for production servers. Sometimes the updates do not play nice with whatever is there, if it happens when so-and-so is on vacation there could be real trouble. Do what you gotta do, but I am never going to let MS put anything on my stuff. You'll probably see when someone figures out how to spoof that and gets all 375 of your boxes rooted due to Windows Update.]
No.
When I speak or write words mean exactly what *I* intend them to mean. No more, no less. I use them because I intend to transfer an idea in a specific way. Sometimes I make allowances for what the dictionary says, sometimes I deliberately mangle meanings to get the other person to understand. ("Press the "eject" button on the hard drive and pull out the floppy disk, then reboot.")
If some fool mis-inteprets what I say when I did not intend to say it, it's their problem, not mine. Likewise, the confusion between 'hacker' and 'cracker' is yours.
Just because some weenie decides they want to change a word, that means diddly until others decide to use it that way. If the person said "hacker" and meant "someone who accessed a computer without permission" then the word is appropriate.
Feel free to use words as you like, however when it comes to dictating the language of others, STFU.
No more vigilantism than quarantining the kindergarten kid that gets scarlet fever. Sure it sucks to miss a lot of school and catch up later, but then having the whole class do the same is worse.
Sometimes the public good weighs on the conveneience of others, the wheelchair ramp outside the business might be costly, but its the right thing to do.
Closing up and otherwise paying attention to the devices one sticks on the internet should be no different.
Yup. Someone was posting about something called "FormFucker" which puts bogus, but seemingly real information in forms. So there is a tool out there to do that already.
Note, that this type of activity is just as legal as the RIAA or MadonnaWhore putting out fake MP3s.
[I work with banks as clients, and they sure are dumb about technology stuff most of the time, but they figure out when something hurts them financially pretty darned quick. I'd estimate the mortgage lead business would go away in less than 6 months if what the parent poster was proposing was actually implemented on a widespread basis.]
Of course, I doubt the leads pay as much as $20 a pop.... a few cents maybe....
Boo fucking hoo.
They started the stinking War, street justice is the only thing they deserve.
If I were in charge, they would be *DEAD*.
It seems to me that in areas where S&R Ham is critical there are unlikely to be broadband carrying powerlines causing problems.
You guys don't help Mommy find Jr. who wandered from JC Penny into the mall itself do you?
Sure HAM has uses, but I bet the uses have a much smaller economic impact than broadband over power lines would.
In addition, there ARE alternatives to the uses you describe, satilite phones for example could fit that bill too. You said yourself coverage is spotty and you have to hope for a mountain top repeater, using a Sat phone would be no different.
In real emergency situations, power to run those broadband devices is gone, along with the lines and everything else. So your radio spectrum would be clear enough to be useful.
HAM users are going to end up fucked in one way or another like many other hobbies in the last few years; model rocketry, gun collecting, etc.
Check out www.shockwave.com . Among all the cruddy pool and golf games, they used to have a pretty decent version of Joust that was played in a browser program.
Really, putting all those games online (with banner ads for revenue) in shockwave or flash or DHTML or whatever would be a great way to both let the corporations make money as and let people play them on modern computers.
Too bad banner ads don't work.
The ones who file charges are just being a little frisky - call it "hard to get." Some even call it foreplay.
What? Like the Lakers?