Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Worms Security

MS05-039 Worm in the Wild 252

An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.
This discussion has been archived. No new comments can be posted.

MS05-039 Worm in the Wild

Comments Filter:
  • ClamAV (Score:5, Informative)

    by slavemowgli ( 585321 ) on Sunday August 14, 2005 @11:18AM (#13316157) Homepage
    And it's detected by ClamAV already, too.
  • Vulnerability (Score:5, Informative)

    by Tiberius_Fel ( 770739 ) <fel@NoSpAm.empirereborn.net> on Sunday August 14, 2005 @11:18AM (#13316162)
    From TFA:

    "Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon."

    I think a lot of people were relieved to read this. :)
    • Re:Vulnerability (Score:5, Informative)

      by louarnkoz ( 805588 ) on Sunday August 14, 2005 @11:48AM (#13316291)
      The "valid logon" comment is misleading. On XP/SP2 and Windows 2003, the remote function can only be exploited by a logon with administrative privilege, the equivalent of root access. SP2 does not correct all bugs in Windows XP, but it includes a lot a system hardening. The guiding idea was "defense in depth", i.e. don't assume that the software is perfect, add multiple layers of protection. One of these defenses was requiring authentication for all RPC access. This "defense in depth" seems to be working, at least in this case.
      • Re:Vulnerability (Score:2, Insightful)

        by Anonymous Coward
        One of these defenses was requiring authentication for all RPC access

        That's... not really "defense in depth". That's the kind of basic, rudimentary security that no sane company would have ever released a product without in the first place.
      • This "defense in depth" seems to be working, at least in this case.
        It seems to me that the whole virus scene has been much quieter lately than at its peak 2 or 3 years ago when Outlook and IIS bugs were clogging up the Internet (and our inboxes). Either security improved, or the same people figured out it's easier to get the same effect by tricking people into installing spyware.
    • Even if it didn't need a valid login, doesn't the SP2 firewall block port 445?
  • crappy summary (Score:5, Informative)

    by smoondog ( 85133 ) on Sunday August 14, 2005 @11:19AM (#13316163)
    What a crappy summary, it doesn't even mention what operating system this effects (or how to patch for that matter). "Important facts" from the article:

    - Patch MS05-039 will protect you
    - Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
    - Blocking port 445 will protect you (but watch for internal infected systems)
    - The FTP server does not run on port 21. It appears to pick a random high port.

    • And it would have been nice to know what "MS05-039" is.
    • if it doesnt affect XP SP2, then why is there a patch ?
      http://www.microsoft.com/technet/security/Bulletin /MS05-039.mspx [microsoft.com]
      • Re:crappy summary (Score:3, Informative)

        by StarHeart ( 27290 ) *
        The patch fixes the vunerability that XP SP2/2003 still has. This worm depends on more than just the vunerability. It also needs a valid login, which it won't have in the case of XP SP2/2003.

        It wouldn't surprise me to see a second revision of this worm that fixes this limitation in some way.
        • but I work on XP Sp2 machines all the time with no administrator password. of course I try to convince the user to change that, but mostly they dont want the hassle
        • actually, on XP SP0/SP1 it needs a valid logon. On SP2 it needs a valid logon and, depending on whose reports you believe, either admin privileges or rights to log on locally. So it's hard to believe that SP2 systems will be compromised in the real world by this. I can see SP0/1 systems being hit through a dictionary attack, but it's more work than most worms will bother to do.
    • Re:crappy summary (Score:4, Informative)

      by sucker_muts ( 776572 ) <sucker_pvn@SLACK ... com minus distro> on Sunday August 14, 2005 @12:12PM (#13316385) Homepage Journal
      Another usefull article from eweek with even more info:

      http://www.eweek.com/article2/0,1759,1847756,00.as p?kc=EWRSS03119TX1K0000594 [eweek.com]
    • what operating system this effects

      Affects. What operating system this affects.

    • Re: :) (Score:2, Funny)

      by tveidt ( 726264 )
      > What a crappy summary

      Get a browser with support for hyperlinks. Cool stuff.
    • Re:crappy summary (Score:5, Informative)

      by numbski ( 515011 ) * <numbski&hksilver,net> on Sunday August 14, 2005 @03:15PM (#13317078) Homepage Journal
      Blocking port 445 will protect you (but watch for internal infected systems)

      Yeah, and for grins, why is it you can't use a software firewall within Windows to block 445?

      Hmmm...lessee here...
      [erwin:~] numbski% cat /etc/services | grep 445
      microsoft-ds 445/udp # Microsoft-DS
      microsoft-ds 445/tcp # Microsoft-DS
      Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up. w00t! :\
      • >>So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up.

        Or patch your systems
      • Re:crappy summary (Score:4, Informative)

        by totallygeek ( 263191 ) <sellis@totallygeek.com> on Sunday August 14, 2005 @08:34PM (#13318531) Homepage
        Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up.


        Just so you know, Windows domain and directory authentication is over tcp 389. As for 445, that is for file sharing via CIFS. CIFS is the next gen past SMB (which used 137, 138 and 139).

  • by cameronk ( 187272 ) on Sunday August 14, 2005 @11:19AM (#13316164) Homepage
    Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things. What can we do to provide more disincentives to keep them from being jerks?
    • by RAMMS+EIN ( 578166 ) on Sunday August 14, 2005 @11:34AM (#13316227) Homepage Journal
      What drives them is probably a sense of achievement. By creating a working worm they can prove something to themselves, their friends, and/or the world. And it seems to work, some people got security jobs because of the exploits they made.

      As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here. Things that probably help:

        - give more publicity to when these guys are caught and what they are sentenced to, rather than to how much damage they did
        - make it harder to write worms in the first place. Many worm writers aren't extremely brilliant programmers, so chances are this would cause more worms to fail
        - don't give them jobs after they are caught, unless they really deserve them! Just because they can write and release a worm, doesn't mean nobody else can. Better reward the people who can but don't, right?
        - maybe apply the same punishment to minors that is applied to adults. If you're smart enough to put together a worm, you're smart enough to know you shouldn't release it.
      • by Eivind Eklund ( 5161 ) on Sunday August 14, 2005 @01:37PM (#13316725) Journal
        Making it harder could work.

        The rest of these are irrelevant, because they do not expect to get caught. Really. Even if the people around them are going down in flames, they don't expect to get caught.

        About 15 years ago I was in the "hacker" scene (the ones breaking into computers, not the ones creating brilliant software). Getting caught never felt real, and never seemed to feel real for anybody else, either. My friends got busted left and right, yet - they'd always been careless about something, and I felt that *I* wouldn't be careless about that.

        There's one other thing that could work: Break up the scene. The people need to be shown as ridicilous. And it needs to seem ridicilous to the people close to the scene.

        For the tagging (grafitti) scene, it seems to have worked somewhat well here in Norway to use advertising to give them a new, ridicilous name and image.

        I therefore humbly suggest we from now on call those that break into computers "Computer wankers".

        Eivind.

    • by a_n_d_e_r_s ( 136412 ) on Sunday August 14, 2005 @11:36AM (#13316231) Homepage Journal
      Mostly money.

      Worms are used to get zombies, who are used to send spam, who are used to lure suckers to spend money on junk.

    • I always wished the first worm to come out would be one that patched the systems. Maybe make it check for others infections dl avg to their system etc and clean that pc up using free software.
      • Nachia did this during the peak of the LovSan virus. I remember hearing that it DDoSed Windows update or something of that nature because it was trying to download patches on all machines that it infected.

        Come to think of it, what it should have done was set up a BitTorrent-like environment and downloaded the patches via that :)

        But as the poster who was (wrongly, IMO) modded down to -1 said, it's still illegal.
    • I ask myself what drives the sick people who create such things. What can we do to provide more disincentives to keep them from being jerks?

      There are 6 billion people on this planet, and it only takes one of them to launch a worm. With a sample that large, there's no way that a worm won't get written if a vulnerability exists and generally known. There's always going to be at least one crazy who'll do it regardless of any disincentives. Peoples' energy is better directed at eliminating the vulnerabilitie

    • I'm not sure, but I think free ponies for everyone would go a long way. Let's ask Colin Powell what he thinks... Colin?
    • Another issue is that it is often not that hard. The current situation is that a security risk for a given bug does not exist unless there is working code to exploit the bug. Therefore one has to supply code that exploits the bug if one expects the bug to be fixed. This leads to the zero day exploit in which some kids uses that code, combines it with other code from old exploits, and generates a new problem. It would be better if the powers that be did not require exploit code, but were able to work fro
    • While I don't know about this worm, but at least SOME worms at least have the perception of being written as a way to drive people off windows. One worm included text like "billy gates why do you make this possible? Stop making money and fix your software!"
    • Boredom. Plus sticking it to MS. Just think if someone could easily hack all the bsd/linux servers in the wild, they would cause much more havoc. However it is non-trivial to hack compared to reverse engineering the MS patches and comparing the old and new code.
    • Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things.

      It'd be more interesting to know why people does harmful things and don't write a worm that patches your machine. It's the same effort, still people don't seem to like doing things that are good for others.
    • There are a lot of people in the world. If there is an easily exploitable hole, someone will make a worm.

      The ones who get caught should be punished, but I really see no gain in trying to discourage people from writing worms.

      Virii and trojans is a slightly different thing, as they cannot be prevented by just using secure software.
    • I ask myself what drives the sick people who create such things

      That can be said of any (non-victimless) crime really, and just about every crime out there is committed for money and/or passion (revenge, political/religious ideals, whatever). For the past couple years in the US, times have not been good for software engineers - the fortunate ones with jobs are often underpaid and overworked and considered dispensable. In Russia, where the mob has a rather large influence, there is money to be made of creat
    • These worms are usually pretty small, must they all have been created by people? What are the odds of a worm "created" by random copying errors? Are we talking, "bigger than a universe of universes" or "likely every day given the world's data transfer rate"
    • Botnets, phishing, spamming, ddos.

      These worms are often used to build armies of zombie PCs that criminals use to do mean things with. Most of your spam comes from virus infected machines. Don't believe me? Check the received headers.
  • miscategorised (Score:3, Insightful)

    by hungrygrue ( 872970 ) on Sunday August 14, 2005 @11:20AM (#13316169) Homepage
    Why is this under "worms" and "security" but not under "Windows" and "Microsoft".
    • Because it would be horribly redundant?
      • Re:miscategorised (Score:4, Insightful)

        by suitepotato ( 863945 ) on Sunday August 14, 2005 @12:03PM (#13316345)
        It is only horribly redundant because the average malware scumbag writer is taking the easy way out and going after Windows machines, taking advantage of end-user naivete and Windows' openness to infection. If they had any guts and were truly 1337, they'd try to get into a source repository on sourceforge and slip their own modded source in to get Linux people to infect their machines or something equally hard and nasty.

        Come to think of it, what do we know of the server security at any of the big name OSS-hosting sites and does anyone really peruse the source anymore? Given the difference between being C++ proficient and merely being able to administer a Linux system is like the difference between the average Windows user and a Windows programmer, I'm guessing not too many.
    • The submitter didn't bother finding out which OS the worm was for, or anything, and hell will freeze over before a slashdot editor actually checks something like that.
    • don't worry, the repost will be.
  • More Detail (Score:5, Informative)

    by Tiberius_Fel ( 770739 ) <fel@NoSpAm.empirereborn.net> on Sunday August 14, 2005 @11:21AM (#13316177)
    Even though it's linked to in the article, the bit by F-Secure is a bit better written (and more informative):
    http://www.f-secure.com/weblog/ [f-secure.com]
  • ..despite of the fact that SP2 is not affected and everyone should be running it since it was released in August 2004...
    • ..despite of the fact that SP2 is not affected and everyone should be running it since it was released in August 2004...

      Windows XP SP2 costs $100 for people whose computers came with Windows 98, Windows 2000, or Windows Millennium Edition.

    • Half the PC users I know that have half a clue are not running SP2. Instead they are hiding behind routers.

      SP2 can and does make matters worse more often than not.
  • Better analasys (Score:4, Informative)

    by Barny ( 103770 ) on Sunday August 14, 2005 @11:38AM (#13316244) Journal
  • by Anonymous Coward
    If you haven't patched yet, the update for this vuln is at http://www.microsoft.com/technet/security/bulletin /ms05-039.mspx [microsoft.com].
  • Is there any nomenclature in the particular way these worms/viruses are given names? In windows, *.exe files are executable, *.sys files are system files. In Unix, *.conf files are configuration files. I have heard of Backdoor.Nibu.N and we now have Zotob.A. Is there a way to know more information on a virus by the format of its name?
  • Snort (Score:2, Informative)

    by cyberkahn ( 398201 )


    All note the free IDS snort detects this worm.

    alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; dept h:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|";reference:url,www.microsoft.c om/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)

    alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_serv
  • Thats the first time i've seen the internet storm center at "yellow" ... yikes!
  • by Dynamoo ( 527749 ) on Sunday August 14, 2005 @12:15PM (#13316399) Homepage
    Remember folks - if you work for any large organisation, your external firewall will ONLY protect you as long as some freaking idiot doesn't bring an infected laptop in. From my experience a perimiter firewall will maybe buy you 1-2 days MAXIMUM in this situation if you have a large number of mobile users. In our case, we do not allow users to connect laptops to non-company networks at all.. but they still do.

    What's worse is that today is Sunday, so there's a greater chance of those laptops being used on an unprotected internet connection.

    Shucks, the patch for this is only four days old. There goes my Sunday afternoon!

    • And home users getting in through a VPN. Of course they want working all Microsoft services too. And it still is your fault, not theirs.
    • That is why my employer's IT department enforces its firewall software (blocks incoming and outgoing stuff) on everyone's computers and laptops. Also, critical Windows Updates are enforced when approved after a day or so. They are annoying, but they keep the situations (e.g., outbreaks) more controlled.
    • Where I work laptops are only allowed on the wireless network, which is on its own vlan, which has all Windows related ports firewalled off from the rest of the network.

      All the wired connections have portsecurity, so if the MAC isn't on the access list for that port the port shuts down.

      Of course, then we have the research vlan where a bunch of clueless grad students treat the machines like they're their home machines and click on everything.

      Well, we try at least.
    • There will probably be variants within a few days. Some of those will undoubtedly email copies around. Perimeter defense is necessary but not sufficient.
    • by johu ( 55313 ) on Sunday August 14, 2005 @02:19PM (#13316867)
      We have all workstations configured with local firewall rules that prohibit most outbound traffic unless IP address is from our intranet address range. If it's not only DHCP client, DNS client, AV updates and VPN to corporate network is allowed. Inbound traffic is completely blocked when plugged to foreign network. Even when within our network there's strict rules blocking everything as default and only allowing limited set of ports if traffic is coming from subnet used by helpdesk.

      Visitors used to plug their laptops to our internal net, but we implemented 802.1x and it's no longer problem. Locations that couldn't be updated to it due various reasons are routed to separate firewall interface (VLAN) and can access corporate net (and internet) only thru VPN.

      Printers and other devices that don't speak 802.1x are on separate VLANs that have no access to corporate net or internet.

      This is all very basic stuff that any decent admin should be able to implement easily. Everything can be done in typical Active Directory + Win2000/XP/2003 environment without third-party software. Therefore implementing infrastucture like this is even cheap.

      Since someone is going to ask how to limit outbound traffic with Win2k/XP built-in firewall here's answer: Use either RAS filtering (per machine VBS) or IPSEC group-policies.

      Because all internet traffic is forced thru proxies doing antivirus checks at HQ those blocking rules aren't problem. Users simply access net using our main connection and their own is only used to tunnel everything via VPN. Users don't have local admin rights so they can't disable firewall to bypass security.

      Biggest drawback with this kind of implementation is WLAN access. Since many WLANs require login using web browser and net access is denied unless VPN is active they're unusable. There's no easy solution to this. Only good solution would be some very restricted and secure browser that's allowed to access 80/443 ports. Preferrably running in own virtualmachine/sandbox to protect computer itself.

      • This is all very basic stuff that any decent admin should be able to implement easily.

        This is all very basic stuff that any decent employee could disable easily.

        Your giving your implimentation efforts way too much credit. Almost everyone I know that receives a laptop with a company image on it reimages it. A corporate laptop typically has barely enough ram and cpu to run the necessary apps WITHOUT all the extra overhead of all that extra necessary crap.

        Sure, it's easy to say, "Oh well, they should

    • Dont forget VPN and dialup clients too..
  • If people are stupid enough to leave port 445 open, then they deserve to get infected.
    • Well, I'm not good at this, but I believe Windows has quite a lot of funky services open once the firewall is deactivated.

      And they are quite hard to switch off or configure to react to localhost only, at least when you are not a sysadmin who spends his time figuring things out, but just a user trying to get work done.
  • by nurb432 ( 527695 ) on Sunday August 14, 2005 @03:38PM (#13317170) Homepage Journal
    I bet microsoft secretly loves this, to get at all those people that wont upgrade to XP/2003.

    "See, you have to upgrade to be safe, send us money"

"You know, we've won awards for this crap." -- David Letterman

Working...