MS05-039 Worm in the Wild
An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.
ClamAV (Score:5, Informative)
Re:ClamAV (Score:3, Informative)
Vulnerability (Score:5, Informative)
"Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon."
I think a lot of people were relieved to read this.
Re:Vulnerability (Score:5, Informative)
Re:Vulnerability (Score:2, Insightful)
That's... not really "defense in depth". That's the kind of basic, rudimentary security that no sane company would have ever released a product without in the first place.
Re:Vulnerability (Score:2)
Re:Vulnerability (Score:2)
crappy summary (Score:5, Informative)
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.
Re:crappy summary (Score:2)
Re:Must everything be handed to you? (Score:3, Insightful)
Re:Must everything be handed to you? (Score:2, Funny)
So next time it should read like this to make you happy:
This worm (a computer program that spreads from computer to computer) infects Windows (an operating system from Microsoft (an operating system is the software that allows access to the hardware and provides an environment for o
Re:crappy summary (Score:2)
http://www.microsoft.com/technet/security/Bulleti
Re:crappy summary (Score:3, Informative)
It wouldn't surprise me to see a second revision of this worm that fixes this limitation in some way.
Re:crappy summary (Score:2)
Re:crappy summary (Score:2)
Re:crappy summary (Score:4, Informative)
http://www.eweek.com/article2/0,1759,1847756,00.a
Re:crappy summary (Score:3, Funny)
Affects. What operating system this affects.
Re: :) (Score:2, Funny)
Get a browser with support for hyperlinks. Cool stuff.
Re:crappy summary (Score:5, Informative)
Yeah, and for grins, why is it you can't use a software firewall within Windows to block 445?
Hmmm...lessee here... Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up. w00t!
Re:crappy summary (Score:2)
Or patch your systems
Re:crappy summary (Score:4, Informative)
Just so you know, Windows domain and directory authentication is over tcp 389. As for 445, that is for file sharing via CIFS. CIFS is the next gen past SMB (which used 137, 138 and 139).
What drives people to do this... (Score:4, Insightful)
Re:What drives people to do this... (Score:5, Interesting)
As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here. Things that probably help:
- give more publicity to when these guys are caught and what they are sentenced to, rather than to how much damage they did
- make it harder to write worms in the first place. Many worm writers aren't extremely brilliant programmers, so chances are this would cause more worms to fail
- don't give them jobs after they are caught, unless they really deserve them! Just because they can write and release a worm, doesn't mean nobody else can. Better reward the people who can but don't, right?
- maybe apply the same punishment to minors that is applied to adults. If you're smart enough to put together a worm, you're smart enough to know you shouldn't release it.
Re:What drives people to do this... (Score:5, Interesting)
The rest of these are irrelevant, because they do not expect to get caught. Really. Even if the people around them are going down in flames, they don't expect to get caught.
About 15 years ago I was in the "hacker" scene (the ones breaking into computers, not the ones creating brilliant software). Getting caught never felt real, and never seemed to feel real for anybody else, either. My friends got busted left and right, yet - they'd always been careless about something, and I felt that *I* wouldn't be careless about that.
There's one other thing that could work: Break up the scene. The people need to be shown as ridiculous. And it needs to seem ridiculous to the people close to the scene.
For the tagging (graffiti) scene, it seems to have worked somewhat well here in Norway to use advertising to give them a new, ridiculous name and image.
I therefore humbly suggest we from now on call those that break into computers "Computer wankers".
Eivind.
Re:They were careless (Score:3, Insightful)
The question is where people get recruited to be computer wankers. A large amount of these are from the "scene", starting out with just doing it for fun and becoming more criminal with time. By removing the false glamour of the scene, fewer kids will start out as computer wankers, and there will overall be fewer wankers.
Of course there will be some le
In particular (Score:4, Interesting)
Actually, just-for-the-hell-of-it random crime in general is a lot harder to trace than motivated crime. Nothing short of Orwellian-level surveillance can reliably solve random, profit-less crime committed by smart criminals. Fortunately, these two things--random, profit-less crime and smart criminals--are very rarely connected.
Re:What drives people to do this... (Score:2)
Re:What drives people to do this... (Score:4, Insightful)
Worms are used to get zombies, who are used to send spam, who are used to lure suckers to spend money on junk.
Re:What drives people to do this... (Score:2)
Re:What drives people to do this... (Score:3, Informative)
Come to think of it, what it should have done was set up a BitTorrent-like environment and downloaded the patches via that
But as the poster who was (wrongly, IMO) modded down to -1 said, it's still illegal.
Re:What drives people to do this... (Score:3, Insightful)
There are 6 billion people on this planet, and it only takes one of them to launch a worm. With a sample that large, there's no way that a worm won't get written if a vulnerability exists and generally known. There's always going to be at least one crazy who'll do it regardless of any disincentives. Peoples' energy is better directed at eliminating the vulnerabilitie
Re:What drives people to do this... (Score:5, Insightful)
Re:What drives people to do this... (Score:2)
Re:What drives people to do this... (Score:2)
Re:What drives people to do this... (Score:2, Insightful)
Re:What drives people to do this... (Score:2)
Re:What drives people to do this... (Score:3, Insightful)
Re:What drives people to do this... (Score:2)
It'd be more interesting to know why people do harmful things and don't write a worm that patches your machine. It's the same effort, still people don't seem to like doing things that are good for others.
Re:What drives people to do this... (Score:2)
The ones who get caught should be punished, but I really see no gain in trying to discourage people from writing worms.
Virii and trojans are a slightly different thing, as they cannot be prevented by just using secure software.
Re:What drives people to do this... (Score:2, Interesting)
That can be said of any (non-victimless) crime really, and just about every crime out there is committed for money and/or passion (revenge, political/religious ideals, whatever). For the past couple years in the US, times have not been good for software engineers - the fortunate ones with jobs are often underpaid and overworked and considered dispensable. In Russia, where the mob has a rather large influence, there is money to be made of creat
Re:What drives people to do this... (Score:2)
Re:What drives people to do this... (Score:2)
These worms are often used to build armies of zombie PCs that criminals use to do mean things with. Most of your spam comes from virus infected machines. Don't believe me? Check the received headers.
Re:What drives people to do this... (Score:5, Interesting)
Back when I had learned to program in my early teens, I myself was quite fascinated by virii/trojans/etc. and wondered if I could create one. I probably could have written a moderately "successful" trojan by the standards of the time. It's not that hard.
Thankfully, I was responsible enough not to, but not everybody is. All it takes is one bad apple...
Re:What drives people to do this... (Score:2, Insightful)
Intellectual challenge? Yes. Somewhat.
However, most viruses/worms and such are created merely for an emotional high. When you have a company like Microsoft that believes there is no bug or hole until it's made public... there's a natural desire to rip through their "perfect" OS (perfection depending upon whether or not there is a KNOWN exploit out there today).
It's no different from the high that some get by building explosive devices or setting fire to things. There's a high
Re:What drives people to do this... (Score:2)
Psychopaths are manipulative, charming, glib, deceptive, parasitic, irresponsible, selfish, callous, promiscuous, impulsive, antisocial, and aggressive individuals who have no concern for the welfare of others, experience little remorse or guilt as a result of their injurious and antisocial behavior, do not tolerate delay of gratification,
Re:What drives people to do this... (Score:2)
Like their biological counterparts, viruses and worms propagate by clueless users, system holes, and the internet (if you need the human version: clueless people, holes, the outside world).
It fascinated me in the sense that just a few lines of code can cause such havoc and can spread so fast with such little effort.
Now days while I like taking apart worms I've caught from the wild (by choice; I'm not open like a clueless u
Re:What drives people to do this... (Score:3, Interesting)
Unsurprisingly, I decided to get a master's degree in AI
Re:What drives people to do this... (Score:2)
That would be the people writing them.
Re:What drives people to do this... (Score:2, Insightful)
I don't buy that argument simply because the vast majority of these worms hitting MS machines come out after MS identifies or fixes the hole. They're letting MS tell them which piece of code is vulnerable, and they're banking on the fact that so many windows users don't bother to patch regularly. I fail to see the heroism in that
Re:What drives people to do this... (Score:5, Funny)
Having some difficulties understanding the self-control aspects of the martial arts, are you?
Re:What drives people to do this... (Score:2)
miscategorised (Score:3, Insightful)
Re:miscategorised (Score:3, Funny)
Re:miscategorised (Score:4, Insightful)
Come to think of it, what do we know of the server security at any of the big name OSS-hosting sites and does anyone really peruse the source anymore? Given the difference between being C++ proficient and merely being able to administer a Linux system is like the difference between the average Windows user and a Windows programmer, I'm guessing not too many.
Re:miscategorised (Score:2)
Re:miscategorised (Score:3, Funny)
Re:miscategorised (Score:2)
And, as a matter of fact, I legitimately own two XP licenses and one computer.
Re:miscategorised (Score:2)
More Detail (Score:5, Informative)
http://www.f-secure.com/weblog/
Let's listen all the FUD... (Score:2)
I don't have $100 for an XP upgrade (Score:2)
Windows XP SP2 costs $100 for people whose computers came with Windows 98, Windows 2000, or Windows Millennium Edition.
Re:I don't have $100 for an XP upgrade (Score:2)
Oh, windows 98. ME.
Are you aware that windows 98 and ME are UNSUPPORTED at this time and no security fixes are being released for them?
Your argument is "Potatoes are too expensive, I'd rather die from hunger". Well, die then, it was your choice.
Re:I don't have $100 for an XP upgrade (Score:2, Informative)
Windows 98 still works. You can use it for Internet browsing, email, and word processing. You can run older games on it, too--there are even a fair number of recent games that will run on it--but if you have the money for the appropriate hardware, you'll upgrade Windows.
The point is, not everyone can afford $100 for a software upgrade that's not really necessary, especially if it will probably significantly decrease the speed of their computer.
The grandparent's argument was more like "My 1989 Buick g
Re:I don't have $100 for an XP upgrade (Score:2)
Windows 98 is unsupported, with known unfixed security flaws which aren't fixed just because MS isn't forced to do it- windows 98 is SEVEN years old.
Yeah, 50's cars can take you everywhere just like a 2000's car, right?
Windows 98 is still supported (Score:2, Interesting)
http://support.microsoft.com/default.aspx?pr=Life
Re:Windows 98 is still supported (Score:2)
Please note "PAID". If you don't have $100 to upgrade to XP SP2, I doubt you have the $$$ to pay for incident support.
Re:Windows 98 is still supported (Score:2)
"Critical security updates will be provided on the Windows Update site through June 30, 2006."
I guess if something like this is considered "critical" then it will be fixed through next year. If Microsoft does not consider it "critical" then you're up the creek.
Re:I don't have $100 for an XP upgrade (Score:2)
Running Win98/Me at this point is like running ancient versions of Linux, OpenSSH, Apache, Samba, etc... and complaining if your system gets exploited.
Re:I don't have $100 for an XP upgrade (Score:2)
Re:I don't have $100 for an XP upgrade (Score:2)
as for multibooting yes you can do it but it's a pita
Re:I don't have $100 for an XP upgrade (Score:2)
Running Win98/Me at this point is like running ancient versions of Linux, OpenSSH, Apache, Samba, etc... and complaining if your system gets exploited.
Except that the manufacturer does not expect me to pay them to fix problems that were present in the product at the time I purchased it.
Re:Let's listen all the FUD... (Score:2)
SP2 can and does make matters worse more often than not.
Re:Let's listen all the FUD... (Score:2)
You have a defective car which is known to crash randomly and kill the driver, the company offers you a fix and you reject it? Riiiight
Re:Let's listen all the FUD... (Score:2)
I know that a lot of XP home users who aren't tech savvy haven't upgraded to SP2. I know there are still a couple enterprise environments that have legacy software problems, and I know that high end sound engineers who are using Windows and not OSX(???) are having problems with some of the changes to the device driver security model... but why would you choose to not use SP2? A look at the security profile for the last year is proof that Service Pac
Better analysis (Score:4, Informative)
http://www.trendmicro.com/vinfo/secadvisories/def
You've already patched this, right? (Score:2, Informative)
Any logic in the nomenclature? (Score:2)
Re:Any logic in the nomenclature? (Score:2)
Re:Any logic in the nomenclature? (Score:3, Informative)
http://www.caro.org/tiki-index.php?page=CaroNamingScheme/
and the original conference paper for the naming scheme:
http://www.caro.org/tiki-read_article.php?articleId=1/
and there is a new naming convention being proposed as well, see:
http://www.caro.org/tiki-read_article.php?articleId=2/
It's actually really complicated, and pretty much none of the antivirus companies
Snort (Score:2, Informative)
All note the free IDS snort detects this worm.
alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)
alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_serv
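The port-445 rule above pins each content match to a fixed position: the SMB header magic plus the command byte at offset 4 with depth 5, the transaction setup opcode 0x0026 at offset 65 with depth 2, and a final byte pattern searched anywhere in the payload. The following is an added example, not code from the thread or from Snort, that reimplements just enough of Snort's content/offset/depth/nocase semantics to show why the rule fires on one constructed SMB transaction and not on two near-misses. The packets are constructed (the NetBIOS session length field and the SMB header fields between the command byte and the setup word are left zeroed), and only the subset of Snort keywords the rule uses is modelled; "depth" is treated as relative to "offset", as Snort does when both are given.

```python
"""Minimal re-implementation of the content checks in the MS05-039 Snort
rule quoted above (sid:1000130), to show which byte positions it keys on.

Added example. It models only content, offset, depth and nocase, with
depth measured from offset when both are present, and a content without
offset/depth searched over the whole payload. The SMB packets are
constructed for the demonstration and are not real captures.
"""


def parse_content(text):
    """Turn a Snort content string such as '|FF|SMB%' into bytes.

    Segments between '|' pairs are hex; everything else is literal text.
    """
    out = bytearray()
    for i, seg in enumerate(text.split("|")):
        if i % 2 == 1:               # odd segments sit inside |...|
            out += bytes.fromhex(seg)
        else:
            out += seg.encode("latin-1")
    return bytes(out)


def content_matches(payload, pattern, offset=None, depth=None, nocase=False):
    """True if `pattern` occurs inside payload[offset : offset+depth]."""
    start = offset or 0
    end = len(payload) if depth is None else start + depth
    region = payload[start:end]
    if nocase:
        region, pattern = region.lower(), pattern.lower()
    return pattern in region


# (content, offset, depth, nocase) exactly as in the quoted rule.
RULE_CONTENTS = [
    ("|FF|SMB%",    4,    5,    True),   # SMB magic + command 0x25 (Transaction)
    ("|2600|",      65,   2,    False),  # setup opcode 0x0026 at fixed offset
    ("|67157a76|",  None, None, False),  # searched anywhere in the payload
]


def rule_matches(payload, contents=RULE_CONTENTS):
    """Every content in the rule must match for the alert to fire."""
    return all(content_matches(payload, parse_content(c), off, dep, nc)
               for c, off, dep, nc in contents)


def build_smb_transaction(command=0x25, setup_op=b"\x26\x00", body=b""):
    """Constructed SMB-over-TCP packet: 4-byte NetBIOS header, then the SMB
    header starting at offset 4, zero padding up to offset 65 where the
    transaction setup word sits, then an arbitrary body."""
    pkt = bytearray(b"\x00\x00\x00\x00")          # NetBIOS session header
    pkt += b"\xffSMB" + bytes([command])          # offsets 4..8
    pkt += b"\x00" * (65 - len(pkt))              # header fields (zeroed)
    pkt += setup_op                               # offsets 65..66
    pkt += body
    return bytes(pkt)


MARKER = b"\x67\x15\x7a\x76"   # the rule's third content, placed in the body
TRIGGER = build_smb_transaction(body=b"\x00" * 20 + MARKER + b"\x00" * 8)
# Same shape but a different setup opcode: second content fails.
OTHER_OPCODE = build_smb_transaction(setup_op=b"\x25\x00",
                                     body=b"\x00" * 20 + MARKER)
# An ordinary Negotiate (command 0x72): first content fails at offset 4.
NEGOTIATE = build_smb_transaction(command=0x72, body=MARKER)


if __name__ == "__main__":
    for name, pkt in (("trigger", TRIGGER), ("other opcode", OTHER_OPCODE),
                      ("negotiate", NEGOTIATE)):
        print(f"{name:13s} -> alert={rule_matches(pkt)}")
```

Because the first two contents have depth equal to the pattern length, each can match at exactly one position, so the rule is effectively an exact check on bytes 4-8 and 65-66 followed by a free search for the last pattern; any traffic that shifts those fields (for example a different NetBIOS framing) slips past it, which is the usual caveat with offset-pinned signatures.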
tipping point (Score:2)
Sends chills (Score:2)
Firewalls offer limited protection only (Score:5, Insightful)
What's worse is that today is Sunday, so there's a greater chance of those laptops being used on an unprotected internet connection.
Shucks, the patch for this is only four days old. There goes my Sunday afternoon!
Re:Firewalls offer limited protection only (Score:3, Insightful)
Re:Firewalls offer limited protection only (Score:2)
Firewall required on employers computers & lap (Score:2)
Re:Firewalls offer limited protection only (Score:2)
All the wired connections have portsecurity, so if the MAC isn't on the access list for that port the port shuts down.
Of course, then we have the research vlan where a bunch of clueless grad students treat the machines like they're their home machines and click on everything.
Well, we try at least.
and variants will appear (Score:2)
Re:Firewalls offer limited protection only (Score:5, Interesting)
Visitors used to plug their laptops into our internal net, but we implemented 802.1x and it's no longer a problem. Locations that couldn't be updated to it due to various reasons are routed to a separate firewall interface (VLAN) and can access the corporate net (and internet) only thru VPN.
Printers and other devices that don't speak 802.1x are on separate VLANs that have no access to the corporate net or internet.
This is all very basic stuff that any decent admin should be able to implement easily. Everything can be done in a typical Active Directory + Win2000/XP/2003 environment without third-party software. Therefore implementing infrastructure like this is even cheap.
Since someone is going to ask how to limit outbound traffic with the Win2k/XP built-in firewall, here's the answer: Use either RAS filtering (per machine VBS) or IPSEC group-policies.
Because all internet traffic is forced thru proxies doing antivirus checks at HQ, those blocking rules aren't a problem. Users simply access the net using our main connection and their own is only used to tunnel everything via VPN. Users don't have local admin rights so they can't disable the firewall to bypass security.
The biggest drawback with this kind of implementation is WLAN access. Since many WLANs require login using a web browser and net access is denied unless VPN is active, they're unusable. There's no easy solution to this. The only good solution would be some very restricted and secure browser that's allowed to access ports 80/443. Preferably running in its own virtual machine/sandbox to protect the computer itself.
Re:Firewalls offer limited protection only (Score:2)
This is all very basic stuff that any decent employee could disable easily.
You're giving your implementation efforts way too much credit. Almost everyone I know that receives a laptop with a company image on it reimages it. A corporate laptop typically has barely enough ram and cpu to run the necessary apps WITHOUT all the extra overhead of all that extra necessary crap.
Sure, it's easy to say, "Oh well, they should
Not just laptops (Score:2)
Well (Score:2)
Who gave the people an OS with all ports open? (Score:2)
And they are quite hard to switch off or configure to react to localhost only, at least when you are not a sysadmin who spends his time figuring things out, but just a user trying to get work done.
Re:Who gave the people an OS with all ports open? (Score:2)
Well actually the firewall works pretty well, I just miss the fine grained control of exactly knowing which app is serving which port, most of the time it just ends up being LSASS, but you don't know which service
An attack on Win2000? (Score:5, Insightful)
"See, you have to upgrade to be safe, send us money"
Re:no subject really (Score:2)
It is the best OS out there but an out-of-the-box XP SP2 or win 2003 aren't affected and windows 2000 is? Well...
Re:no subject really (Score:2)
Just like Red Hat, Sun, Apple and everyone else who sells software, you mean ?
Re:no subject really (Score:5, Funny)
Re:no subject really (Score:2)
Re:While drives software companies to do this... (Score:3, Funny)