Slashdot Mirror


User: Dynamoo

Dynamoo's activity in the archive.

Stories: 0
Comments: 398

Comments · 398

  1. Re:it's as pretty as a bitch, but on Sony-Ericsson P900 Released · · Score: 1
    Advertised as up to 16 hours talktime and 20 hours standby which is a LOT. It also takes the Sony Memory Stick Duo which is scarce but easy to use.

    Closest thing I've seen to the perfect phone/PDA/games machine/MP3 player yet. Looks like it has a much better screen than the N-Gage too.

  2. Re:Another rabid submitter gets it wrong on Yet Another Critical Windows Flaw · · Score: 1

    Definitely. In fact a curse on MS for making it so difficult for novice users to find.. every individual user should have a firewall before they go within 6 foot of an internet connection in my view ;)

  3. Re:Another rabid submitter gets it wrong on Yet Another Critical Windows Flaw · · Score: 1
    Wrong? Nope. There are two ways the potential worm can get through the firewall.

    Firstly, it can come through as a blended attack combining a traditional worm with a mass-emailing virus. Really it's just a question of putting together existing malware technologies.

    Secondly, all you need to really screw your network is for someone to use an unprotected laptop on their home ISP and then bring it into the office. The worm basically just walks past the firewall.

    This second one was a favorite infection vector for MSBlast and Nachi to get onto corporate networks. Large networks with many laptop users got hit repeatedly.

  4. Slimeware on Spyware Coming Under Scrutiny · · Score: 1
    Maybe that'll blow people like Slimeware Corporation out of the water who are remarkably up front about the payload their pretty worthless products have.

    Honestly.. these guys are UNBELIEVABLE. ;)

  5. Reminds me of Pets Warehouse on Suing Your Customers: Winning Business Strategy? · · Score: 4, Interesting
    Reminds me of the infamous Bob Novak of Pets Warehouse who decided to sue some unhappy customers who moaned about his company in a forum to the tune of $15,000,000.

    A Slashdot favorite, you can read about it here, here, here and a synopsis here and another one here.

    Basically, suing the customers backfired horribly and Mr Novak ended up being countersued and lost. A cautionary tale!

  6. So Verisign will "own" democracy? on VeriSign and Secure Internet Voting · · Score: 1
    Since Verisign thinks it owns the Internet (i.e. the Sitefinder/wildcard domain scandal) I assume that it will also assume it owns the democratic process and can change it as it sees fit.

    But hey, with an electoral system where the guy with the most votes loses (i.e. Al "Internet" Gore) then maybe it might even be an improvement. Hmmm.

  7. Re:Been there, done that... on Microsoft Identifies, Patches Another Critical RPC Hole · · Score: 1, Interesting

    Yeah we had some dumbass user run Windows Update on their Compaq Evo laptop, download all the critical updates (which was OK) and updated drivers (which was not). Result? Blue screen of death. Smart move.

  8. Forget your firewall.. on Microsoft Identifies, Patches Another Critical RPC Hole · · Score: 4, Insightful
    Forget your firewall, it's a useful tool, but a lot of outfits that got hit by MSBlast and Nachi had properly configured firewalls.

    The real threat in these situations is someone walking *past* the firewall with their laptop that they've used unprotected on the public internet, gotten infected, and then brought into the office. I've seen this happen, and then containment starts to become a nightmare.

    Patching is difficult too.. if you don't have software to push the updates, you have to visit. Users aren't always on the same site, or even the same country. And although you might be able to cover 90% of your kit in the time before the worm hits, you still might have enough vulnerable PCs to take down the network.

    Don't forget that patches are often unstable, and shouldn't be applied without some sort of testing and backout plan for critical systems.

    So yes, this all takes time, and the problem is the balance between the risk of rolling it out too quickly (without testing), and the risk of rolling it out too slowly. The risk of not rolling it out at all though is too great, 'cus it's just going to take that one user who wants to use their own ISP at home and you can kiss your backside goodbye.

  9. Slimeware.com on Judge OKs Competitive Pop-Up Ads · · Score: 1
    Never mind WhenU - there's a new parasiteware pusher on the block in the shape of Slimeware Corporation which seems to have the nastiest parasites riding on the back of some of the world's most useless utilities..

    ..perhaps :)

  10. Showing at.. on Film Distribution Comes To The Internet · · Score: 2, Informative
    Showing at..

    • The Other Cinema, 11 Rupert Street, London W1, Tel: 020 77341506
    • Watershed, 1 Canons Road, Bristol City Centre, Tel: 0117 9276444
    • The Showroom, Sheffield Media & Exhibition Centre, Sheffield City Centre, Tel: 0114 2763534
    • Cornerhouse, 70 Oxford Street, Manchester City Centre, Tel: 0161 2287621

    Can't find the other one.. but if you're interested in the film, why not go and see it on a lovely big cinema screen rather than a pokey little window on your PC? :)

  11. All I need is.. on NEC to Introduce 3D Laptop Next Year? · · Score: 3, Insightful
    All I need is to figure out a business justification for one now :)

    More impressive 3D spreadsheets? Awesome presentations? Hmmm...

  12. Self-removing on 1st Jan 2004 on RPC DCOM Cleanup Worm Appears · · Score: 4, Interesting

    NAI report that this is a self-removing worm after 1st January 2004.

  13. Re:Win2k SP4 already has this patch.... on Win32 Blaster Worm is on the Rise · · Score: 1

    You are dead wrong. SP4 doesn't have the patch, you need to apply 823980 (and probably 823559) on top of it. If you're relying on SP4 then you're going to be in awful trouble.

  14. Re:ISC Advisory on RPC DCOM Worm On The Loose · · Score: 1

    (Any chance of a mod up.. the ISC is having huge difficulties)

    --------

    Updated August 11th 2003 17:59 EDT
    RPC DCOM WORM (MSBLASTER)
    This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

    **********
    NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********

    Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

    In order to protect yourself, you need to :
    Close port 135 (if possible 135-139, 445 and 593)
    Apply Patches http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

    If you are infected:
    - disconnect machine from any network
    - delete msblast.exe
    - delete registry key starting msblast.exe
    - reboot.

    The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.

    The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

    Infection sequence:
    1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
    2. this causes a remote shell on port 4444 at the TARGET
    3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
    4. the target will now connect to the tftp server at the SOURCE.

    The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

    MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

    So far we found the following properties:

    - Scans sequentially for machines with open port 135, starting at a presumably random IP address
    - uses multiple TFTP servers to pull the binary
    - adds a registry key to start itself after reboot

    Name of registry key:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

    Strings of interest:

    msblast.exe
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    windowsupdate.com
    start %s
    tftp -i %s GET %s
    %d.%d.%d.%d
    %i.%i.%i.%i
    BILLY
    windows auto update
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c

  15. ISC Advisory on RPC DCOM Worm On The Loose · · Score: 4, Informative

    Internet Storm Center is getting hammered, so I attach their analysis.

    NOTE: the scanning is being done Code Red style, so it is concentrating on the class B pseudo-subnet, e.g. 123.123.x.x. If this gets inside your corporate firewall then you are screwed.

    I count about 1 scan every 10 seconds at present.

    --x8 Cut here ----

    This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

    **********
    NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********

    Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

    The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.

    The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

    Infection sequence:
    1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
    2. this causes a remote shell on port 4444 at the TARGET
    3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
    4. the target will now connect to the tftp server at the SOURCE.

    The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

    MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

    So far we found the following properties:

    - Scans sequentially for machines with open port 135, starting at a presumably random IP address
    - uses multiple TFTP servers to pull the binary
    - adds a registry key to start itself after reboot

    Name of registry key:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

    Strings of interest:

    msblast.exe
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    windowsupdate.com
    start %s
    tftp -i %s GET %s
    %d.%d.%d.%d
    %i.%i.%i.%i
    BILLY
    windows auto update
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c
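
The infection sequence and sequential port 135 scanning described in the advisory above, turned into detection logic over flow records. This is an added example, not part of the original posts or the ISC write-up; the flow-record layout, the 60-second window, the `min_run` threshold and the sample addresses are assumptions made for illustration (TFTP is taken as UDP port 69).

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records (not real traffic): (epoch_s, src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    (100, "10.1.1.5", "10.1.2.10", "tcp", 135),
    (101, "10.1.1.5", "10.1.2.11", "tcp", 135),
    (102, "10.1.1.5", "10.1.2.12", "tcp", 135),
    (103, "10.1.1.5", "10.1.2.13", "tcp", 135),
    (104, "10.1.1.5", "10.1.2.11", "tcp", 4444),
    (106, "10.1.2.11", "10.1.1.5", "udp", 69),
    (200, "10.1.3.7", "10.1.2.20", "tcp", 135),  # lone RPC connection
    (300, "10.1.2.30", "10.1.9.9", "udp", 69),   # TFTP with no 135/4444 before it
]

def find_infection_chains(flows, window=60):
    """(source, target) pairs that completed steps 1-4 within `window` seconds."""
    stage, hits = {}, []  # stage: (source, target) -> (last step seen, time)
    for ts, src, dst, proto, port in sorted(flows):
        if proto == "tcp" and port == 135:
            stage[(src, dst)] = (1, ts)
        elif proto == "tcp" and port == 4444:
            step, t0 = stage.get((src, dst), (0, 0))
            if step == 1 and ts - t0 <= window:
                stage[(src, dst)] = (2, ts)
        elif proto == "udp" and port == 69:
            # The TFTP fetch runs the other way: TARGET connects to SOURCE.
            step, t0 = stage.get((dst, src), (0, 0))
            if step == 2 and ts - t0 <= window:
                hits.append((dst, src))
                del stage[(dst, src)]
    return hits

def find_sequential_scanners(flows, min_run=4):
    """Sources that probed tcp/135 on `min_run` or more consecutive addresses."""
    targets = defaultdict(set)
    for _, src, dst, proto, port in flows:
        if proto == "tcp" and port == 135:
            targets[src].add(int(ip_address(dst)))
    scanners = []
    for src, addrs in targets.items():
        run, prev = 0, None
        for addr in sorted(addrs):
            run = run + 1 if prev is not None and addr == prev + 1 else 1
            prev = addr
            if run >= min_run:
                scanners.append(src)
                break
    return sorted(scanners)
```

On the constructed sample, only 10.1.1.5 is reported as a scanner and only the 10.1.1.5 to 10.1.2.11 pair as a completed chain; the lone port 135 connection and the unrelated TFTP transfer are ignored.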

  16. DoHS is anti-Internet anyway on HomeSec Warns Again About Microsoft's Insecurity · · Score: 1

    The Department of Homeland Security is dead against the internet anyway, as stated in this press release. ;)

  17. ODP on The Mozilla Foundation · · Score: 2, Interesting

    And how about it being the new home of the Open Directory Project too? Just a thought..

  18. I've seen the future.. on Writing Viruses for Fun and Profit · · Score: 5, Informative
    ..and it stinks. Last week there was a massive "joe job" attack on Doxdesk.com, a site detailing browser parasites, porn diallers and other nasty plugins. The aim of the joe job was to generate fake spam supposedly advertising the site so it would get shut down.

    The spam was being generated from multiple locations simultaneously, and from IP addresses that looked like standard ISP subscribers, mostly in the US and Western Europe. It looks suspiciously like the spam was being sent from Trojanised PCs.

    Bearing in mind that the people most likely to want to force Doxdesk.com off the web were browser parasite writers, it seems to me that there is a definite link now between these parasites, certain viruses/trojans/worms and spammers. Just another bit of proof that these people have no respect for the law.

  19. Alternate site on Top 500 Supercomputers Ranked · · Score: 4, Funny
    A similar presentation of the data can be found here cuz the main one has just gotten Slashdotted.

    Never mind Teraflops, we should have a measure of web server load called "Slashdots".

  20. Re:Go AOL! on AOL Sues Five Spam Companies · · Score: 1
    Yeah, I'm not a big fan of AOL simply because I'm not that kind of Internet user. I don't need handholding, exclusive content or parental controls. But some people do, which is a pretty good market to be in.

    AOL isn't just some ISP though. AOL Time Warner is a corporate leviathan, and according to AOL, the AOL legal department has over 60 lawyers worldwide, presumably plus anything they can pull in from the parent company.

    Spammers.. be afraid. Be very afraid. :)

  21. Re:I have a unique name on Power Laws, Weblogs, and Your Given Name · · Score: 1
    As far as I can tell, I am unique too. Not as though my name is too weird for words, it's just that my forename and surname are slightly unusual.

    First name Conrad.. a common name in Germany (2.2m Google matches). Second name, Longmore - a specific name originating from the English/Scots border (17,300 Google matches). Put them together in a string and you get 77 Google matches and they're all down to me or my cyberstalker.

    The trouble is with a cyberstalker people will assume that references to me are true. Such is life.

  22. What is the truth? on PATRIOT II Legislation Leaked · · Score: 1

    And again I suggest you compare that news with this news and try to tell which one is true. ;)

  23. Wow an actor and a coder on FreeBSD Core Developer Thrown Out · · Score: 5, Funny
    I guess his acting career interfered with his coding too much.

    Or maybe he admitted to owning a copy of Windows XP?

  24. This is only half the story... on Software Libre: DoHS Switches, Commerce Slights · · Score: 2, Funny

    This is only half the story.. the latest announcement from the Department of Homeland Security is basically a tax on web surfers and publishers. Goodbye the free internet :(

  25. Re:About half a cent on A Viable System for Micropayments? · · Score: 2
    Arrrgh stupid, stupid me. I needed to divide it by twelve giving about 0.04 to 0.08 cents per page.

    So, it should cost something between 0.01 cents to 0.1 cents per page.

    (Self-mods himself down for not checking his sums!)