Slashdot Mirror


User: LinuxHam

LinuxHam's activity in the archive.

Stories: 0
Comments: 989

Comments · 989

  1. Re:Gnu/Sircam? on Code Red II: Shells for the Taking · · Score: 1

    The tough part is getting a remote machine to execute code without knowledge of the machine owner. Cheesy email viruses are usually scripts embedded in documents and spreadsheets that automatically execute when the user opens the attachment. Hence the daily feeding of, "never open attachments you weren't expecting."

    The better email virii cause the end users' machines to execute code as soon as the email is received. That's a huge problem with Outlook. Think about the millions of office workers who never exit Outlook, even when going home for the weekend, and those with cable modems who leave Outlook up all day. Yes, you can make Outlook automatically dial up to retrieve email, but I doubt many people actually do that.

    AFAIK, no GNU mail readers support automatically executing scripts stored in email. Can anyone vouch for Netscape? One would think that would be the closest risk to the same problems, but it would find so few users in the world.

  2. these will do.. on Code Red II: Shells for the Taking · · Score: 1

    net stop iiswww

    route delete 0.0.0.0

    (the equivalent of) ifconfig eth0 down

    and I saw something like 'iisreset /y' go by before..

  3. Re:Help track this: submit your logs to dshield! on Code Red II: Shells for the Taking · · Score: 4, Informative

    It uses libpcap to sniff all packets that the interface receives. And if you configure snort to use promiscuous mode, then it'll even track attacks that aren't directed towards your machine.

    I'm on 56k ppp dialup, so I shouldn't see any attacks (let alone packets) not destined for my machine. Now that you know that, you should also know that I was rejecting all connections to port 80 with ipchains. Therefore, since the worm couldn't connect, it wouldn't transmit the HTTP request that snort is watching for.

    By hanging netcat on port 80 with a 3 second connect limit using xinetd, all inbound port 80 probes get connections. They send their payload, snort alerts on it, netcat routes it directly to /dev/null, and then closes the connection. No huge apache logs, or whatever minimal risks are associated with apache.

    I shunt the payloads directly to /dev/null just so snort can actually watch them coming in. I literally asked for a "dummy listener" on the snort list, and they pointed me to netcat at l0pht.

  4. Re:They deserve it on Code Red II: Shells for the Taking · · Score: 1

    same exploit over a couple of weeks

    Weeks.. heck, months. Some are saying that CRII is reusing the "copy cmd.exe to \scripts" trick that first appeared with the Sadmind/IIS worm... BACK IN MAY!!

    Now THAT is insane! :)

  5. zero day nirvana on Code Red II: Shells for the Taking · · Score: 1

    Think about what CRII is going to do for the zero day lists!! Hey.. how about a gnutella hack that automatically accepts uploads and shares 'em right back out??

  6. Re:Anyone still consider this a Microsoft problem? on Code Red II: Shells for the Taking · · Score: 1

    now are either workstations with IIS installed and the user doesn't know/remember

    A friend of mine is a cable modem user who got infected. He said on or about the 1st, his cable modem light suddenly became maxed out. He's usually good with his system administration, but he recently switched back from RH to Win2k server. He checked and checked and found out that some Windows Media Server had been installed and was running its own copy of IIS, which had been infected.

    The next day he installed Apache Win32.

  7. Re:Help track this: submit your logs to dshield! on Code Red II: Shells for the Taking · · Score: 1

    Too bad they don't take snort logs. I route all traffic coming in on port 80 to /dev/null just so snort can keep an eye on the attacks as they're coming in.

  8. Finger of God on Code Red II: Shells for the Taking · · Score: 2, Funny

    Time the long-awaited "Finger of God" script. Fdisk 'em!

  9. Re:Hmm... on RedHat 7.2 Beta: Roswell · · Score: 3, Insightful

    I guess I won't even make a snide comment about what an asshole Rob is, then

    Seriously, that was pretty fuckin' uncalled for. I don't care how insecure RH may be out of the box compared to some other distros, but shit, Linux is Linux, right? You have to secure every distro, and AFAIK, none of them ship with a chrooted apache, bind, and sendmail (or better yet, qmail or postfix). Gimme a break.

    Granted, I haven't used it yet, but I have yet to see or hear any evidence as to why apt-get is so much better than rpm -Fvh. Particularly when no commercial apps ship as .deb's. (And yes, some of us have *jobs* where we're well-regarded for specifying closed-source commercial apps for Linux.)

    Some people will always find something to bitch about. Case in point.

  10. Re:I go to school with that guy on Code Red Back For More · · Score: 1

    I can't believe we haven't /.ed his guestbook!! I was expecting to find about 400 entries saying, "you do realize the entire Internet knows you're a complete moron by now, don't you??"

  11. Re:Only attempts IPs running web servers? on Code Red Back For More · · Score: 1

    I'll try to take this one...

    Snort has to inspect traffic as its coming in. If a machine on your subnet doesn't have port 80 open, then the initial connection will be refused.. therefore the GET request will never be sent, and snort cannot log the attempt.

    Snort isn't going to report ALL connection attempts to port 80 on your subnet, only CodeRed infection attempts, which can ONLY occur after a connection to port 80 was successfully made.. get it?

    I opened port 80 on my firewall, but used xinetd to route all incoming connections to netcat, a program that just routes all incoming data to /dev/null. That way, the request will actually come into my firewall (and go directly to /dev/null) so that snort will be able to watch that data as it comes in.

    CodeRed can't send the infection attempt until it connects to port 80. Clear enough for you?

  12. Re:Hypothesis on Code Red Back For More · · Score: 1

    Oh hell yeah, without a doubt.

  13. Re:Broken random number generator (again!) on Code Red Back For More · · Score: 1

    I've been thinking about this.. We ran a very tight routing configuration at my last job (not vouching for the software).. using PIX we severely locked down inbound traffic flow, but had to manage inbound email and Websphere access to mainframe databases.

    I wonder about much smaller organizations that might dual-home an NT box with 192.168 on one side and their registered address on the other. Granted, a Linksys would go a long way, but I'm sure many of these tiny firms don't have someone to go to for little tidbits like that.

    I almost feel bad for those entities. You would think a small business may not be able to pay extravagant fees for software, but instead of going with free software (which is certainly more difficult to configure) they instead choose to pirate the shoddy MS garbageware. Now they're suffering greatly as a direct result of the choices they made.

    The way I see it, though, is kinda like feeling bad for West Virginians who rebuild their homes in the same place after the last one was washed away by a flood. I just can't feel bad for their own stupidity.

  14. Re:Why don't they... on Code Red Back For More · · Score: 1

    This was mentioned about 75 posts ago.. create a small army of Apache hosts that automatically respond to CRII attacks with a reverse attack that forces the host to patch and reboot itself.

    I think the army should execute "net stop www" or "route delete 0.0.0.0" on CRII-infected hosts. There are better ways to (semi) permanently "cleanse" the Internet of unprotected hosts, but that's the nicest way I can think of. All it takes is a little psychological reprogramming of the sysadmins. Like having their server entirely blown away with the announcement of each new system-level exploit. They will eventually break down and change their ways.

  15. Re:To see them live on Code Red Back For More · · Score: 1

    I actually *opened* port 80 on my firewall and hung netcat off it with xinetd, just so snort would have some packets to watch.

    Then, to watch it live, I

    tail -vf /var/log/messages | grep snort

    instead of seeing the whole attack on each line, I get a neat little snort alert like this:

    Aug 5 04:57:24 ast snort[27858]: [1:0:0] CodeRed IDA Overflow: 65.68.10.178:1119 -> 64.20.132.92:80

    which reminds me.. I have to go check out snort.org and see if anyone published a rule to detect CRv2.. gotta go!
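    The "dummy listener" setup described in comments 3, 11 and 15 (netcat hung off port 80 via xinetd with a 3-second limit, payload discarded, snort alerting on the request, alerts watched with tail | grep), as an added example that is not code from the original comments: a stand-alone Python sink that accepts every port-80 probe, reads for a bounded time, discards the bytes and closes, plus a classifier for what arrived and a parser for snort syslog alert lines in the shape quoted above. The .ida signature (long run of N or X padding after /default.ida?), the root.exe backdoor path names and the function names are assumptions, not quoted from the thread; the sample log lines in the usage are constructed.

```python
"""Port-80 sink plus Code Red request classifier and snort syslog parser.

Added example, not code from the original comments. The poster hung netcat
off port 80 via xinetd with a 3-second limit so every probe got a connection,
sent its payload (discarded to /dev/null) and was logged by snort. This
stand-alone sink does the same job, tags what arrived, and parses the syslog
alert lines the poster watched with `tail -f /var/log/messages | grep snort`.
Signature strings and backdoor path names are assumptions, not quoted text.
"""
import re
import socket
import threading
from collections import Counter

# Assumed worm request shape: the Index Server ISAPI (.ida) URL followed by a
# long run of padding bytes ('N' in the first Code Red, 'X' in Code Red II).
IDA_RE = re.compile(rb"^GET /default\.ida\?([NX]{100,})")
# Assumed request path for the "cmd.exe copied to \scripts" backdoor.
BACKDOOR_RE = re.compile(rb"^GET /(scripts|msadc)/root\.exe\?", re.I)
# Syslog line shape shown in the thread:
#   "... snort[pid]: [gid:sid:rev] <msg>: <src>:<sport> -> <dst>:<dport>"
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def classify_request(payload: bytes) -> str:
    """Tag the first request line of a captured payload."""
    first = payload.split(b"\n", 1)[0].rstrip(b"\r")
    m = IDA_RE.match(first)
    if m:
        return "CodeRedII-ida" if m.group(1).startswith(b"X") else "CodeRed-ida"
    if BACKDOOR_RE.match(first):
        return "root.exe-backdoor"
    return "other"


def parse_snort_alert(line: str):
    """Return a dict for a snort syslog alert line, or None for any other line."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def top_sources(lines, n=5):
    """Alerts per source address, the kind of summary a dshield report carries."""
    c = Counter(r["src"] for r in map(parse_snort_alert, lines) if r)
    return c.most_common(n)


def _drain(conn, peer, hold_seconds, log):
    # Read whatever the probe sends; give up after hold_seconds of silence
    # (netcat -w semantics), then discard the bytes and close the socket.
    conn.settimeout(hold_seconds)
    buf = b""
    try:
        while len(buf) < 65536:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    finally:
        conn.close()
    log(f"{peer[0]}:{peer[1]} {classify_request(buf)} ({len(buf)} bytes discarded)")


def run_sink(port=8080, hold_seconds=3.0, max_connections=None, log=print):
    """Accept connections and hand each to _drain in a thread. Port 80 needs root."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(64)
    seen = 0
    try:
        while max_connections is None or seen < max_connections:
            conn, peer = srv.accept()
            seen += 1
            threading.Thread(target=_drain, args=(conn, peer, hold_seconds, log),
                             daemon=True).start()
    finally:
        srv.close()


if __name__ == "__main__":
    run_sink()  # run as root with port=80 to stand in for the xinetd+netcat pair
```

    The per-recv timeout is what keeps a half-open or slow probe from pinning a thread forever, which is the same reason the original setup put a 3-second limit on netcat; the sink never answers, so nothing it receives is ever acted on, and the classifier only reads the first request line.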

  16. Re:Anything suitable for an mp3 player? on Little Linux Systems For Whatever Ails Ya · · Score: 1

    Check out cajun.sourceforge.net. Cajun == Car Audio Jukebox using Unix

    The site is actually just for some perl software that allows you to remote control a linux pc-based mp3 player. The key is that the site includes plans for assembling a small LCD text panel with buttons on the sides, all powered off the pc's serial port. Very cool stuff, and you'll find endless links to hardware, and hundreds of pictures, particularly if you keep following the MP3 Car ring.

    Building one of these was supposed to be my summer project, but I gave myself too many of those, it seems..

    Enjoy!

  17. Microsoft will SAVE us?!? on Code Red Reporting That Doesn't Suck · · Score: 1

    Exactly.. I can't believe how many 'general press' outlets are playing up this concept that Microsoft will save the Internet. One would think since the press likes to focus so much on negativism, that they would actually say something along the lines of "after 25 years of the Internet, Microsoft threatens its existence 15 times in six years". Particularly since AOL/TW *is* so much of the press.

  18. Re:Shame Shame, Dell Builds, BIOS fraud and More on Dell Drops Linux on Desktops and Laptops · · Score: 1
    >>it just makes the day when that company folds all the more enjoyable.

    >Don't hold your breath on that one.

    Oh, I don't know. They may have perfected the mail order PC business, but they're not holding it together all that well. I've said it before.. services, services, services. In the land of microthin margins, product alone doesn't float your company. Yes, I do work for IBM, and we support and provide consulting for Linux on every class of hardware we make, from Internet appliances for kiosks to z390's running 10,000 copies of Linux in a 19" rack. When users start paying annual fees for XP, and have to buy replacement licenses because they replaced their dead hard drive, Dell's going to wish they had an alternative to offer their customers. "I'm sorry, that's all we offer, sir. Yes, you do have to buy another copy of XP. It was only licensed for your original hard drive."

    Dell closed up $1.25 today at $28.43. IBM closed up $1.74 today at $108.80. Whenever there's a "downturn in PC orders", we suffer a $30 drop in our stock price. Dell doesn't have $30 a share to lose. First stop Cisco's share price, next stop Lucent's.
    --
    Steve Jackson

  19. God, not again. on Sony Sells Defective, Damaging CDs in Eastern Europe · · Score: 2

    I am getting so sick and tired of typical /. sensationalistic and baseless posts.

    Aren't there laws in the US about selling intentionally defective goods and not advertising the fact that they have been made defective?

    The original CDs are not defective. Stop making it seem like someone needs to contact the Consumer Protection Center, like it's "Johnny Switchblade" or something (might be too old for you to remember).

    having to face questions about their product quality and safety

    What questions about quality and safety?? The CD's don't damage a fucking thing! God I can't believe I'm letting such a troll get under my skin.

    the CD's can damage equipment

    *No*they*can't!* If you COPY the CD's then the COPY can damage your equipment. Has anyone thought that perhaps this technology is being released in countries that do not require the buyer to be able to make a backup copy?? Sheesh.
    --
    Steve Jackson

  20. Infection is slowing down?? on Code Red Goes The Way Of Y2K · · Score: 1

    Look at the dramatic slowdown in infections from 10am to 5pm ET at incidents.org!

    New hourly infections were roughly 9,000, 10,000, 9,000, 7,000, 4,000, 1,000, and then 300?!?

    I wonder what's the story. Out of an estimated 6 million vulnerable hosts, Microsoft claiming 1 million recent patch downloads, and just 2,000 misconfigured systems continuing to spread the worm throughout the dormancy period, could we really be done at just 127,000 new infections?? Perhaps the data collection method is flawed. They collect logs from dshield right? I wonder if many firewalls are slow to report or something..

    something just doesn't seem right here.. We'll never get to a million infected hosts at a rate of 300 per hour!!

  21. Re:I don't know about you on Code Red Goes The Way Of Y2K · · Score: 1

    but I don't think the issue with clocks is that the worm will "reawaken", but rather that on some machines with significantly slow clocks (a couple weeks slow) which still think the date is around the middle of July, the worm is still in spread mode

    Yes, we are in agreement. I read early on that the worm was programmed to restart its infection phase on the 1st of each month. So, I sounded the alarm about that on the 23rd. Of course that theory was dethroned around the 30th when several security firms realized that the worm will not indeed return to the infection phase on the 1st of the month.

    My original reply was to a poster who hadn't learned yet that the worm will not return to the infection phase on the first of each month. And yes, you are correct about the clocks. There were some 2,000 infected hosts with misconfigured clocks causing the worm to still be in the infection phase throughout the dormancy period, and all too happy to infect *new*, vulnerable and heretofore uninfected hosts.

    I just wish the worm was a bit more destructive, to the point of clearing the net of the vulnerable servers and leaving it free for the rest of us. Note to worm writers: don't DDoS the net, just spread to a few other hosts, and wipe out the servers when you're done! Please!

  22. Re:My question is... on DirecTV to Pursue Pirates · · Score: 1

    DirectTV is using public airwaves

    They're not public airwaves. They paid many millions of dollars for the right to transmit on those airwaves. The public does not own them.

    Amateur Radio operators have the right to transmit on 500MHz of spectrum from 10.0GHz to 10.5GHz (which the government gave to U.S. hams), and DirecTV paid huge sums of money for the right to transmit on the same exact spectrum allocation only 500MHz higher, extending from 10.5GHz to 11.0GHz. And our first (AFAIK) 10GHz satellite, AO-40, recently failed its first 10GHz test, due to the post-launch anomaly.

    Now if the FCC would allow us hams to use higher bandwidth modes, maybe we'll have our own DirecTV ham equivalent. I'm not holding my breath.

  23. Re:Can't be that bad on DirecTV to Pursue Pirates · · Score: 1

    There's always land-line cable

    No there isn't always landline cable. My uncle bought a house in a newly-expanding area of Southwest Florida (Charlotte County), and the cable company didn't come down his street for about three years. They had to wait until they had critical mass. So he bought a Dish Network dish in the meantime.

    Now cable showed up a year ago, and cable modems a couple weeks later, and I've been waiting for my cable modem for **four** years through three different owners -- T/W, AT&T and now Comcast..

    Seems like you have to be wealthy in *rural* areas to get the latest technology.

  24. Re:Premature Announcement...much? on Code Red Goes The Way Of Y2K · · Score: 1

    I dunno why the Washington Post, et. al. were making a so-called 8:00pm deadline...considering it wasn't supposed to start until the 1st anyway--not the 31st

    8:00PM on 7/31 in Washington DC is the same as 12:00AM 8/1 in London. Instead of having the worm (I won't say reactivate).. become willing to start spreading at midnight local time (like the "24 hours of y2k" we got to enjoy), the worm writer settled on midnight London time -- aka GMT Greenwich Mean Time, aka UTC Coordinated Universal Time (acronym fucked up by the French, again) -- so we would have the pleasure of the worm starting to spread from all points around the globe simultaneously.

  25. Re:That's a bit premature on Code Red Goes The Way Of Y2K · · Score: 1

    However, *someone* re-introduced the worm to the wild, and the spread has started again.

    It is thought that it was reintroduced by infected servers with misconfigured clocks showing it was still time to spread the worm. There were an estimated 2,000 such servers around the world, and when the other 99.999% of the world clicked over to 00:00 UTC, those 2,000 servers finally started getting results from their infection attempts.

    My thing is the admins who got infected between the 28th and the 31st got a permanently sleeping worm, and may have thought "phew! glad I escaped that one!" Next reboot.. vulnerable all over again.