New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
Re:I Use X Windows (Score:2, Insightful)
Security Update Dates (Score:5, Insightful)
Re:ah... (Score:5, Insightful)
Yeah... till your buddy comes over to play Counterstrike and plugs into your hub infecting your machine.
Re:Mutex Trapping (Score:3, Insightful)
If there was a mutex checker/blocker program developed, you would just see worm authors switch to a different method of determining if their worm was already running, or randomize the mutex name.
Re:Mutex Trapping (Score:2, Insightful)
They don't rely on mutexes either.
Same old, same old.... (Score:5, Insightful)
Seriously, hasn't MS learnt anything about the Internet yet? Why do they keep insisting on keeping all of these ports open all the time? Why so many services running out of the box? Why can't people even close some of the listening ports?
If MS were at all serious about security, they would have all ports closed by default. Or at least have the possibility of closing them down during install.
Unoptimized algorithm... (Score:2, Insightful)
Re:Mutex Trapping (Score:3, Insightful)
Similarly, short of reworking the way programs are installed and authorized, nothing is going to work as the long-term solution. That's why Longhorn and the .NET execution framework change these things exactly.
The mutex check is merely one option which doesn't seem to be in wide-spread use yet. I'm sure there are many others, and yes -- any of them would eventually get worked around for new viruses and trojans.
Re:Same old, same old.... (Score:2, Insightful)
- users could have asked for their money back,
- companies could have switched away from Windows en masse,
- government could have banned using Windows in their offices,
- there could have been a class-action lawsuit for gross negligence.
To Microsoft's surprise and delight, none of this happened. That's why we're seeing a 379th worm today.
Re:HAHA (Score:5, Insightful)
i realize you were mostly joking, but the fact is windows server cost of ownership IS lower because you don't need a smart person to run it. and since current viruses are not true malware, the fact that the machine is infected doesn't even matter to the cheap contractor admin "running" the box. as someone mentioned in another story's comment, it's time to make some REAL malware and wake these ijits up.
Re:Security Update Dates (Score:5, Insightful)
I use the best anti virus on the market! (Score:4, Insightful)
Re:Security Update Dates (Score:3, Insightful)
Re:I Use X Windows (Score:5, Insightful)
"emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"
isn't kludgy in the least and very intuitive. I prefer "apt-get dist-upgrade" myself.
Terminology (Score:2, Insightful)
Re:HAHA (Score:5, Insightful)
They cause the computer to run really slow, and screw things up, including networking settings, killing IE, destroy the cryptography service, so that you can't get updates, and the ability to repair the TCP/IP layer.
When you get multiple viruses on a machine, they can cause it to not even startup--Especially the ones that try to shut down virus scanners (Gaobot).
I know they're not malware in the sense that they format your HD or anything, but when your server runs at 10% of its normal speed, that's enough to take down almost any operation.
Re:already feeling it on college campuses (Score:5, Insightful)
> absolutely no proprietary, closed source software would be
> allowed anywhere on my network, especially not the parts
> accessible to students
So, preventing your students from being able to run Mathematica, Maple, Matlab, Visual Studio,... is educationally beneficial in what way?
Yes, closed source software has problems. So does open source. An all-out ban either way helps no one and solves nothing.
Re:Linux is vulnerable too (The anti-anti-windows F (Score:5, Insightful)
Re:ah... (Score:5, Insightful)
Completely patched.
My stupidity was DMZing my firewall. Stupid, STUPID.
Friends don't let friends open their firewalls. Not even to play video games, no matter how many processes they have deactivated.
I think the tragedy here is that most "regular power users" (i.e. the folks who think that they're big shit because they can install antivirus software and change their windows desktop) probably don't realize that it's entirely possible to have a completely patched windows machine that can still get infected by a virus if you plug it right into the internet. I honestly think these things are reaching a critical mass. It'll be interesting to see exactly how that manifests.
Re:ah... (Score:3, Insightful)
Ah, actually, Microsoft tried a "new security initiative" back in 2001 as well, IIRC.
The 2003 one is the SECOND "new security initiative" - and seems to be shaping up as effective as the first, that is, nada, zip, zilch, useless, meaningless marketing bullshit.
Nice timeline you had there, though, really shows the Microsoft competence in perspective.
Re:That's funny. (Score:2, Insightful)
If Linux is now viable on the desktop as some think, (and I'm not gonna get into that right now) will it be used as securely by the computer illiterate that currently use windows? I think that people who don't have a clue will unintentionally employ improper security regardless of the capabilities of the technology. The OS, although a big part of the picture is only a part. How many regular windows folk know how to configure a hardware firewall/router properly? I know mine came with poorly chosen settings.
I guess what I'm saying is that if Linux was more popular than windows the average IQ would be quite a few digits higher, /. would be the most popular website, and chess would be a major sporting event. I believe it is the level of intelligence/competency of the user not the software that mostly affects the success of attacks like these.
Re:I Use X Windows (Score:3, Insightful)
"The X Consortium requests that the following names be used when referring to this software:
X
X Window System
X Version 11
X Window System, Version 11
X11
X Window System is a trademark of X Consortium, Inc. "
Re:windows users never fail to amaze me. (Score:4, Insightful)
It attacks a genuine hole in the operating system and is not dependent on anyone even being logged on to the machine at all. It 'hijacks' the LSASS process, which runs in the SYSTEM context. The operating system could not run if LSASS wasn't running as SYSTEM.
Of course, the patch has been available for >2 weeks now, so all of this *should* be moot.
notice to customers (Score:2, Insightful)
There's another worm spreading across the Internet, called the "Sasser Worm".
Vulnerable systems include: Windows 2000, Windows Server 2003, Windows XP
See:
http://us.mcafee.com/virusInfo/default.asp?id=des
http://securityresponse.symantec.com/avcenter/ven
Microsoft security bulletin on the vulnerability:
http://www.microsoft.com/technet/security/Bulleti
Among other things, this worm installs an ftp server and a remote shell system to further propagate itself across Windows. It likely has the capability of giving remote users full access and control of the compromised machine, therefore any data on the system may be vulnerable.
Once a machine is infected, it starts 128 instances of itself, trying to spread the worm to other Microsoft PCs. The worm also attempts to disable the ability to shut down or restart the computer/server. The worm may also compromise the "system restore" function under some versions of Windows, so trying to revert back to an older configuration setup might reinstate the compromise!
As you might expect, our servers here are NOT directly affected or vulnerable. However, this is another "blaster" type worm which, once it infects a vulnerable Microsoft system, begins to randomly bombard other systems all around the Internet. The end result will be potentially severe denial-of-service attacks to all systems (in other words, services may be slow or unresponsive due to the traffic increase on the Internet from compromised systems).
We're going to have to wait until Monday to probably see the full-effect of this worm. The ability it will have to disrupt major services online is going to depend upon whether or not people have been routinely running Windows Update (http://windowsupdate.microsoft.com/).
If you are running a vulnerable system (Windows Server 2000/2003 and XP are vulnerable; Windows 95/98/ME are not vulnerable) and haven't run Windows Update in the last two weeks, there's a good chance you are vulnerable, if not infected, if you are not behind a firewall and have been online for a while.
This is yet another annoyance for most of us with Windows on our client PCs. By now everyone should be in the habit of automating or running Windows Update every few days.
The real problem is ISPs and web hosting companies that are using Microsoft NT/200x Server and XP for Internet based services. (And we don't do this but there are tons who do) This is particularly dangerous for e-commerce applications. The admins of these servers have to be forever diligent in making sure their systems are secure. Who knows what critical information (customer data, credit card numbers, etc.) is sitting around on these machines. It seems every week there's a new major vulnerability with Microsoft's servers. This is why we don't use MS products for e-commerce and critical services -- we don't want to risk the security of our clients. I urge everyone to be careful about providing e-commerce to systems running Microsoft servers - they have proven to be exponentially more vulnerable than Unix/Linux counterparts. (if you visit a web page and you see URLs with filenames like
As usual, those of us that do run secure systems are now going to be hammered by infected systems so bear with us while we hold out to see if admins of Microsoft Servers can fix their problems fast before their machines spam the Internet with data and cripple everyone else.
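The probes Dynamoo sees on his firewall every ten minutes and the "random bombardment" the notice above describes are the same signal: one source touching many distinct destinations on one port in a short window, and freshly infected hosts being contacted on the worm's own backdoor ports. The following is an added example of that detection logic, not code from the original post, the ISC or any vendor write-up. Its log format is invented for the example, the sample lines are constructed, and the port numbers (TCP/445 for the LSASS probe, TCP/5554 and 9996 for the worm's FTP server and remote shell) are assumptions you should replace with the values from your vendor's advisory.

```python
"""Flag Blaster/Sasser-style random scanning in firewall logs.

Added example, not from the original post or any vendor write-up.
Assumptions (labelled): a simple constructed log format, and the worm's
port usage (TCP/445 scanned, TCP/5554 and 9996 listeners), which should be
taken from your vendor advisory rather than from this file.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SCAN_PORT = 445                 # assumption: the port the worm probes (SMB/LSASS)
BACKDOOR_PORTS = {5554, 9996}   # assumption: worm FTP server and remote shell

# Constructed log format: "<date> <time> <DROP|ACCEPT> <TCP|UDP> src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ACCEPT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": d["action"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def find_scanners(lines, window=timedelta(minutes=5), min_targets=20):
    """Return {src: peak distinct targets} for sources that hit SCAN_PORT on
    at least min_targets distinct hosts inside any time window of length `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["dport"] == SCAN_PORT:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()                      # time-ordered for the sliding window
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


def backdoor_contacts(lines):
    """Return {dst: {ports}} for hosts receiving TCP traffic on the worm's
    FTP/shell ports; such a host is likely already infected and serving the worm."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["dport"] in BACKDOOR_PORTS:
            hits[ev["dst"]].add(ev["dport"])
    return dict(hits)


def sample_log():
    """Constructed log lines (not real traffic) so the file runs stand-alone."""
    base = datetime(2004, 5, 1, 12, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # One source sweeping 25 distinct hosts on 445 in two minutes: the scan signature.
    for i in range(25):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts:{fmt}} DROP TCP 10.0.0.7:{1025 + i} -> 192.168.{i % 4}.{10 + i}:445")
    # An ordinary client talking to two file servers: should NOT be flagged.
    lines.append(f"{base:{fmt}} ACCEPT TCP 10.0.0.9:3200 -> 10.0.0.2:445")
    lines.append(f"{base:{fmt}} ACCEPT TCP 10.0.0.9:3201 -> 10.0.0.3:445")
    # The client pulling a file from the scanner's FTP port: the scanner is infected.
    lines.append(f"{base:{fmt}} ACCEPT TCP 10.0.0.9:3202 -> 10.0.0.7:5554")
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("scanning sources:", find_scanners(log))
    print("hosts contacted on backdoor ports:", backdoor_contacts(log))
```

The threshold and window are deliberately parameters: a file server legitimately answers on 445 for many clients, but a workstation initiating connections to twenty different hosts on 445 in five minutes has no business reason to do so, which is why the check keys on the source, not the destination.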
Patching / Firewalls (Score:5, Insightful)
Should read "Of course, all good Slashdotters patch their systems and have a firewall, don't you?".
Running something other than Windows is not a good reason to ignore security.
Re:ah... (Score:5, Insightful)
Social engineering (Score:3, Insightful)
"Here's your new screensaver!
You will be prompted for the admin password so we can install this and set it up.
[prompt] - Install screensaver|install [keylogger/SMTP/ZombieClient]
Please enter your admin password again to verify the settings for security
Thank you! We appreciate your business! Click here to send this to all your friends!"
Currently, Linux is more secure because, among other things, its users are generally more clued up. Put the general Bonzi fan on Lindows, and you'd see much the same thing.
Re:Linux is vulnerable too (The anti-anti-windows F (Score:1, Insightful)
Ah yes....then why is the NSA even bothering with Linux? Ever heard of SELinux? The NSA doesn't seem to think the openness is a problem.
Re:I Use X Windows (Score:3, Insightful)
Could you point some of these programs out? I have searched for them, and honestly can't find them.
And I don't disagree about Norton being overpriced.
Re:ah... (Score:4, Insightful)
For starters, sendmail and wu-ftpd should have been banned from Earth a long time ago. They have more holes than swiss cheese. Telnetd should already have been deprecated by ssh, and should not be installed at all.
Re:goodbye windows update (Score:3, Insightful)
http://pestpatrol.com/pestinfo/w/w32sup.asp [pestpatrol.com]
Re:Patching / Firewalls (Score:3, Insightful)
Useful public well-known ports:
22 ssh
25 smtp
80 http
110 pop3
123 ntp
220 imap
443 https
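An allowlist like the one above is only useful if something compares it against what the box actually exposes. The following is an added example, not code from the post or from any vendor, that parses the LISTEN lines of `netstat -an` output (Windows and Linux print similar columns) and reports every listener whose port is not on the allowlist. The allowlist is copied from the post as given; note that IANA assigns 143 to imap and 220 to imap3. The netstat text is constructed for the example, and the service names for the unlisted ports are the IANA registrations.

```python
"""Audit TCP listeners against an allowlist of expected ports.

Added example, not from the original post. Parses `netstat -an` style
output from Windows ("TCP ... LISTENING") and Linux ("tcp ... LISTEN").
The sample outputs below are constructed, not captured from a real host.
"""
import re

# Allowlist copied from the post above (port -> service), used as given.
ALLOWED = {22: "ssh", 25: "smtp", 80: "http", 110: "pop3",
           123: "ntp", 220: "imap", 443: "https"}

# IANA names for ports that commonly show up unexpectedly on a stock install.
KNOWN = {111: "sunrpc", 135: "epmap (DCE RPC endpoint mapper)",
         139: "netbios-ssn", 445: "microsoft-ds (SMB over TCP)"}

# Windows:  "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING"
WINDOWS_RE = re.compile(r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$")
# Linux:    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN"
LINUX_RE = re.compile(r"^\s*tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s*$")


def parse_listeners(netstat_text):
    """Return a set of (local_addr, port) for every TCP listener in the output."""
    found = set()
    for line in netstat_text.splitlines():
        m = WINDOWS_RE.match(line) or LINUX_RE.match(line)
        if m:
            found.add((m.group("addr"), int(m.group("port"))))
    return found


def unexpected_listeners(netstat_text, allowed=ALLOWED, loopback_ok=True):
    """Return [(port, addr, service)] for listeners not on the allowlist.
    Loopback-only binds are skipped by default: they are not reachable from
    the network, which is what the allowlist is guarding against."""
    out = []
    for addr, port in sorted(parse_listeners(netstat_text), key=lambda t: (t[1], t[0])):
        if port in allowed:
            continue
        if loopback_ok and addr in ("127.0.0.1", "::1"):
            continue
        out.append((port, addr, KNOWN.get(port, "unknown")))
    return out


# Constructed sample of a default Windows install (not a real capture).
SAMPLE_WINDOWS = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       192.168.1.9:2112       ESTABLISHED
"""

# Constructed sample of a Linux host (not a real capture).
SAMPLE_LINUX = """
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

if __name__ == "__main__":
    for name, text in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        for port, addr, service in unexpected_listeners(text):
            print(f"{name}: {addr}:{port} ({service}) is listening but not allowlisted")
```

To run it against a live host, pipe `netstat -an` into a file and pass its contents to `unexpected_listeners`; anything it reports is either a service to shut off or a port to add to the allowlist on purpose, which is the "deny-all and enable what you need" posture the thread is asking for.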
Re:Linux is vulnerable too (The anti-anti-windows F (Score:3, Insightful)
Well-set-up Windows systems can be much more secure than badly-set-up Linux systems. The trouble is that Linux users tend to {have to} be more clued-up. Part of the problem is the way Windows is pre-installed on so many machines. The supplier has to keep everything as general-purpose as possible, because they don't know what requirements the user's ISP will place on them -- which, in practice, means rather permissive defaults. In turn, the fact that it just works at first, despite the unnecessary ports and services, leads users not to think about security until it's too late already. With Linux {some obsolete RedHat versions excepted}, everything starts off inactive -- you have to select only what you want to allow. But that probably would also happen if users had to install Windows for themselves; or, even if pre-installed Windows systems had to be configured up from a "deny-all" situation. It means you have to use your brain a little bit, but that's hardly a bad thing -- as harsh as this may sound, it's more important that the job should be done properly, for the sake of other Internet users, than easily and maybe badly.