Security Operating Systems Software Windows

New Windows Worm on the Loose

Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
  • Re:I Use X Windows (Score:2, Insightful)

    by squall14716 ( 734306 ) on Saturday May 01, 2004 @01:49PM (#9028417)
    Actually, I use:
    emerge -uD world
    ;)
  • by TheUnFounded ( 731123 ) on Saturday May 01, 2004 @01:50PM (#9028435)
    You know, normally these updates are available a good 3 or 4 months before the worm becomes available. This one was updated about 3 days ago. And MS claims to be beefing up their security efforts. ...
  • Re:ah... (Score:5, Insightful)

    by Anonymous Coward on Saturday May 01, 2004 @01:50PM (#9028437)
    > the luxury of being behind a nat box with all ports off and not having to deal with such nonsense

    Yeah... till your buddy comes over to play Counterstrike and plugs into your hub infecting your machine.

  • Re:Mutex Trapping (Score:3, Insightful)

    by SchnauzerGuy ( 647948 ) on Saturday May 01, 2004 @01:53PM (#9028449)
    Creating a mutex at startup is by no means universal, and in fact, I doubt that it's very common at all.

    If there was a mutex checker/blocker program developed, you would just see worm authors switch to a different method of determining if their worm was already running, or randomize the mutex name.
  • Re:Mutex Trapping (Score:2, Insightful)

    by eyeye ( 653962 ) on Saturday May 01, 2004 @01:55PM (#9028470) Homepage Journal
    Many modern firewalls already flag up applications running and allow you to block them.

    They don't rely on mutexes either.
  • by gnuman99 ( 746007 ) on Saturday May 01, 2004 @01:55PM (#9028479)
    Same old news about another worm. Nothing to see here, move along.

    Seriously, hasn't MS learnt anything about the Internet yet? Why do they keep insisting on keeping all of these ports open all the time? Why so many services running out of the box? Why can't people even close some of the listening ports?

    If MS was at all serious about security, they would have all ports closed by default. Or at least have a possibility of closing them down during install.

  • by Henk Poley ( 308046 ) on Saturday May 01, 2004 @02:05PM (#9028563) Homepage
    Don't these worm writers learn [berkeley.edu] anything?
  • Re:Mutex Trapping (Score:3, Insightful)

    by Mr. Darl McBride ( 704524 ) on Saturday May 01, 2004 @02:09PM (#9028585)
    > Worms and spyware will simply use a home-made mutex system if we start to block the windows one.
    >
    > In general, the idea of catching windows library calls is worthless, unless the library call is absolutely necessary to the worm and the functionality cannot be done in any other way (which is not the case in Mr. Darl McBride's example).

    Of course. They're going to work around any countermeasure if it goes into popular use. Once upon a time, all programs were allowed to write to the entire filesystem. Remember bootsector viruses? They finally reworked the filesystem and device layer so that user code couldn't touch that area anymore, and those kinds of infections went away. Remember Word macro viruses? New versions of Office warn you about macros that want to run on opening a doc, and those are rapidly vanishing as well.

    Similarly, short of reworking the way programs are installed and authorized, nothing is going to work as the long-term solution. That's why Longhorn and the .NET execution framework change these things exactly.

    The mutex check is merely one option which doesn't seem to be in wide-spread use yet. I'm sure there are many others, and yes -- any of them would eventually get worked around for new viruses and trojans.

  • by Anonymous Coward on Saturday May 01, 2004 @02:14PM (#9028638)
    When the first serious Windows worm struck,

    - users could have asked for their money back,
    - companies could have switched away from Windows en masse,
    - government could have banned using Windows in their offices,
    - there could have been a class-action lawsuit for gross negligence.

    To Microsoft's surprise and delight, none of this happened. That's why we're seeing a 379th worm today.

  • Re:HAHA (Score:5, Insightful)

    by yulek ( 202118 ) on Saturday May 01, 2004 @02:25PM (#9028719) Homepage Journal
    > A smile crept across my face after reading this story and then noticing a Microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!

    I realize you were mostly joking, but the fact is Windows Server cost of ownership IS lower because you don't need a smart person to run it. And since current viruses are not true malware, the fact that the machine is infected doesn't even matter to the cheap contractor admin "running" the box. As someone mentioned in another story's comment, it's time to make some REAL malware and wake these ijits up.
  • by Unknown Relic ( 544714 ) on Saturday May 01, 2004 @02:25PM (#9028723) Homepage
    Is that reduced timeline maybe an example of what this /. article [slashdot.org] from a couple months ago was talking about? Essentially it stated that a lot of the new worms are actually being caused by the reverse engineering of patches to easily find exploits. Some machines will of course be patched, but as we all know, a huge number of machines will remain unpatched and vulnerable for months to come. If this is the case, Microsoft can hardly be faulted for getting the patch out only a few days before the exploit, since it's the patch itself that potentially prompted its creation. The really interesting thing is that if this is the case and Microsoft is actually increasing their security efforts and releasing more patches, we could actually see more worms released targeting unpatched systems. For them, this really isn't a good situation to be in - the more they do correct problems with their operating systems, the more exploits hit the unpatched machines, making it look like their enhanced focus on security is a joke.
  • by rspress ( 623984 ) on Saturday May 01, 2004 @02:29PM (#9028751) Homepage
    I use the best anti-virus on the market! It is called a Mac! Actually I have both a Mac and a Windows XP Pro box with a router and firewall. Just to keep things clean my Windows machine is NEVER used for checking mail. All mail is handled through the Mac. If I have a need to send mail via the PC or need to check it from the PC for some reason then Eudora Pro is used. The Outlook variants are the biggest viri available for the PC....with Explorer coming in a close second.
  • by insecuritiez ( 606865 ) on Saturday May 01, 2004 @02:37PM (#9028807)
    Came out the 13th if I recall correctly. 17 Days is still a really fast turn around though.
  • Re:I Use X Windows (Score:5, Insightful)

    by SpectreGadget ( 465507 ) <jim.harryfamily@com> on Saturday May 01, 2004 @02:43PM (#9028858) Homepage
    oh yes:

    "emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"

    isn't kludgy in the least and very intuitive. I prefer "apt-get dist-upgrade" myself.
  • Terminology (Score:2, Insightful)

    by tritone ( 189506 ) on Saturday May 01, 2004 @02:55PM (#9028955) Homepage
    Of course, here on slashdot, it's common enough to correctly identify this sort of malware as a "windows worm," but if this terminology could make it into the more general media, it might raise the general consciousness to make people more aware of the alternatives to Windows. Maybe some informed and polite letters to your local newspaper might make a difference.
  • Re:HAHA (Score:5, Insightful)

    by Lothsahn ( 221388 ) <Lothsahn@@@SPAM_ ... tardsgooglmailcm> on Saturday May 01, 2004 @03:06PM (#9029033)
    Actually, current viruses are real malware, especially the ones that try to shut down virus scanners.

    They cause the computer to run really slowly and screw things up, including networking settings, killing IE, destroying the cryptography service so that you can't get updates, and the ability to repair the TCP/IP layer.

    When you get multiple viruses on a machine, they can cause it to not even start up, especially the ones that try to shut down virus scanners (Gaobot).

    I know they're not malware in the sense that they format your HD or anything, but when your server runs at 10% of its normal speed, that's enough to take down almost any operation.

  • by Radon Knight ( 684275 ) on Saturday May 01, 2004 @03:41PM (#9029263)
    > If I was in charge of a university's computer systems,
    > absolutely no proprietary, closed source software would be
    > allowed anywhere on my network, especially not the parts
    > accessible to students

    So, preventing your students from being unable to run Mathematica, Maple, Matlab, Visual Studio,... is educationally beneficial in what way?

    Yes, closed source software has problems. So does open source. An all-out ban either way helps no one and solves nothing.
  • > 1. Linux isn't as good as Windows, Windows has more accountability and support.

    Microsoft could withdraw support for Windows at any time. Linux has independent support from a community of users.

    > 2. If Linux was used as much as Windows then Viruses would be as common, instead of incredibly rare.

    Linux is secure by design. Privilege separation, memory protection and so forth. Most distributions force you to create a non-root user at installation time.

    > 3. Windows is cheaper than Linux even though Linux is free. It's a TCO type of thing.

    What you mean is that it's cheaper to hire somebody to fix a Windows box than a Linux box. There is a grain of truth in this. Windows often packs up for no apparent reason. Almost any unskilled monkey can "fix" a broken Windows box just by hoicking out the power lead, counting to ten and putting it back. Linux only ever misbehaves with a good reason, and requires someone who knows their arsehole from their earhole to fix it.

    > 4. Gimp sucks compared to Photoshop.

    This sounds like an ad hominem attack. At best it's a red herring. Photoshop is an Adobe product, nothing to do with Windows or Linux.

    > 5. Open source is insecure by default. Only by hiding your secrets are they kept safe.

    Thou smokest crack. If the security of your code depends on a secret that you hope an attacker will not discover, then as soon as an attacker discovers that secret then your code is insecure. The security of Linux does not depend on one big, centrally-kept secret. Cf. public key encryption.

    > 6. IE is better than Firefox because my kids can play shockwave games on Disney.com

    Then try the full version of Mozilla, which definitely supports the Flash player plugin {though I'm not convinced you aren't just lying, Firefox might well support plugins}. If you don't need Flash, but you would like tabbed browsing, pop-up blocking, a Javascript debugging console, cookie management and speed, then Firefox certainly does it.

    > 7. MS has Exchange, Linux doesn't.

    Linux has Sendmail. 'Nuff said.

    > 8. OO.org sucks compared to the usability of Office

    You haven't said how OO.o "sucks", nor even which release you are talking about, so I have to presume you are merely parroting.

    > 9. Linux isn't ready for the Desktop.

    You are merely parroting.

    > 10. Grandma can't install Linux.

    Awwwwk! Pieces of eight! Polly want a cracker! Grandma can't install Windows either.

    > 11. Can't play Everquest on Linux.

    Blame the makers of Everquest, or find another game to play. See also point 4.

    > 12. Users are the problem, Not Microsoft.

    Just goes to show ..... if you say enough things then at least one of them might turn out to be true. Many users need to get a clue, I'll agree. But I have to say that writing a mail client which treats unknown file types as "executable" -- and executes them without the user's consent -- sounds seriously like aiding and abetting virus propagation. Yeah, that was years ago. See also point 9.
  • Re:ah... (Score:5, Insightful)

    by Sj0 ( 472011 ) on Saturday May 01, 2004 @04:01PM (#9029386) Journal
    I just got hit with one of these lsass viruses a few weeks ago.

    Completely patched.

    My stupidity was DMZing my firewall. Stupid, STUPID.

    Friends don't let friends open their firewalls. Not even to play video games, no matter how many processes they have deactivated.

    I think the tragedy here is that most "regular power users" (ie. the folks who think that they're big shit because they can install antivirus software and change their windows desktop) probably don't realize that it's entirely possible to have a completely patched windows machine that can still get infected by a virus if you plug it right into the internet. I honestly think these things are reaching a critical mass. It'll be interesting to see exactly how that manifests.
  • Re:ah... (Score:3, Insightful)

    by Master of Transhuman ( 597628 ) on Saturday May 01, 2004 @04:09PM (#9029446) Homepage
    > 2003, the year of Microsoft's new security initiative.

    Ah, actually, Microsoft tried a "new security initiative" back in 2001 as well, IIRC.

    The 2003 one is the SECOND "new security initiative" - and seems to be shaping up as effective as the first, that is, nada, zip, zilch, useless, meaningless marketing bullshit.

    Nice timeline you had there, though, really shows the Microsoft competence in perspective.

  • Re:That's funny. (Score:2, Insightful)

    by logical1010 ( 561996 ) on Saturday May 01, 2004 @04:22PM (#9029538)
    Speaking of worms, how easily could worms spread if it were Linux that was popular and not windows?

    If Linux is now viable on the desktop as some think, (and I'm not gonna get into that right now) will it be used as securely by the computer illiterate that currently use windows? I think that people who don't have a clue will unintentionally employ improper security regardless of the capabilities of the technology. The OS, although a big part of the picture, is only a part. How many regular windows folk know how to configure a hardware firewall/router properly? I know mine came with poorly chosen settings.

    I guess what I'm saying is that if Linux was more popular than windows the average IQ would be quite a few digits higher, /. would be the most popular website, and chess would be a major sporting event. I believe it is the level of intelligence/competency of the user not the software that mostly affects the success of attacks like these.

  • Re:I Use X Windows (Score:3, Insightful)

    by bkhl ( 189311 ) <bkhl@elektrubadur.se> on Saturday May 01, 2004 @04:25PM (#9029558)
    No, you're not:

    "The X Consortium requests that the following names be used when referring to this software:

    X
    X Window System
    X Version 11
    X Window System, Version 11
    X11

    X Window System is a trademark of X Consortium, Inc. "
  • by Nevo ( 690791 ) on Saturday May 01, 2004 @04:47PM (#9029695)
    Actually, this particular attack cannot be mitigated by running as admin.

    It attacks a genuine hole in the operating system and is not dependent on anyone even being logged on to the machine at all. It 'hijacks' the LSASS process, which runs in the SYSTEM context. The operating system could not run if LSASS wasn't running as SYSTEM.

    Of course, the patch has been available for >2 weeks now, so all of this *should* be moot.
  • by Anonymous Coward on Saturday May 01, 2004 @05:12PM (#9029835)
    Here's a copy of a notice we've been sending to customers on this issue:

    There's another worm spreading across the Internet, called the "Sasser Worm".

    Vulnerable systems include: Windows 2000, Windows Server 2003, Windows XP

    See:
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125007
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

    Microsoft security bulletin on the vulnerability:
    http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

    Among other things, this worm installs an ftp server and a remote shell system to further propagate itself across Windows. It likely has the capability of giving remote users full access and control of the compromised machine, therefore any data on the system may be vulnerable.

    Once a machine is infected, it starts 128 instances of itself, trying to spread the worm to other Microsoft PCs. The worm also attempts to disable the ability to shut down or restart the computer/server. The worm may also compromise the "system restore" function under some versions of Windows, so trying to revert back to an older configuration setup might reinstate the compromise!

    As you might expect, our servers here are NOT directly affected or vulnerable. However, this is another "blaster" type worm which, once it infects a vulnerable Microsoft system, begins to randomly bombard other systems all around the Internet. The end result will be potentially severe denial-of-service attacks to all systems (in other words, services may be slow or unresponsive due to the traffic increase on the Internet from compromised systems).

    We're going to have to wait until Monday to probably see the full-effect of this worm. The ability it will have to disrupt major services online is going to depend upon whether or not people have been routinely running Windows Update (http://windowsupdate.microsoft.com/).

    If you are running a vulnerable system (Windows Server 2000/2003 and XP are vulnerable; Windows 95/98/ME are not vulnerable) and haven't run Windows Update in the last two weeks, there's a good chance you are vulnerable, if not infected if you are not behind a firewall and have been online for awhile.

    This is yet another annoyance for most of us with Windows on our client PCs. By now everyone should be in the habit of automating or running Windows Update every few days.

    The real problem is ISPs and web hosting companies that are using Microsoft NT/200x Server and XP for Internet based services. (And we don't do this but there are tons who do) This is particularly dangerous for e-commerce applications. The admins of these servers have to be forever diligent in making sure their systems are secure. Who knows what critical information (customer data, credit card numbers, etc.) is sitting around on these machines. It seems every week there's a new major vulnerability with Microsoft's servers. This is why we don't use MS products for e-commerce and critical services -- we don't want to risk the security of our clients. I urge everyone to be careful about providing e-commerce to systems running Microsoft servers - they have proven to be exponentially more vulnerable than Unix/Linux counterparts. (if you visit a web page and you see URLs with filenames like .ASP or .CFM, that's an indication the system may be running on a MS server and potentially more vulnerable).

    As usual, those of us that do run secure systems are now going to be hammered by infected systems so bear with us while we hold out to see if admins of Microsoft Servers can fix their problems fast before their machines spam the Internet with data and cripple everyone else.

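A defender's-side check for the escalation the notice above anticipates (and for the submitter's "a probe every 10 minutes" observation): this added Python script is not code from the post or its author; it counts dropped probes per hour in a constructed firewall log and flags hours where the rate jumps and the number of distinct sources grows. It assumes the simple log format shown and that the MS04-011 LSASS flaw is probed over SMB on TCP 445.

```python
"""Spot Blaster-style scan escalation in firewall drop logs.

Added example; the log format and the use of TCP 445 as the probed
port are assumptions, not facts taken from the Slashdot post."""
import re
from collections import Counter, defaultdict

# Constructed sample drop log (not real traffic): timestamp, source, port.
SAMPLE_LOG = """\
2004-05-01 13:40:12 DROP src=203.0.113.7 dport=445
2004-05-01 13:51:03 DROP src=198.51.100.23 dport=445
2004-05-01 14:02:44 DROP src=203.0.113.7 dport=445
2004-05-01 14:10:19 DROP src=198.51.100.99 dport=80
2004-05-01 14:31:20 DROP src=198.51.100.5 dport=445
2004-05-01 14:55:59 DROP src=203.0.113.88 dport=445
2004-05-01 15:00:01 DROP src=203.0.113.40 dport=445
2004-05-01 15:03:17 DROP src=198.51.100.61 dport=445
2004-05-01 15:06:42 DROP src=203.0.113.40 dport=445
2004-05-01 15:09:05 DROP src=198.51.100.12 dport=445
2004-05-01 15:12:30 DROP src=203.0.113.201 dport=445
2004-05-01 15:15:48 DROP src=198.51.100.77 dport=445
2004-05-01 15:18:11 DROP src=203.0.113.19 dport=445
2004-05-01 15:21:57 DROP src=198.51.100.150 dport=445
2004-05-01 15:24:33 DROP src=203.0.113.66 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} DROP "
    r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Return (hour_key, src, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (f"{m['day']} {m['hour']}", m["src"], int(m["dport"]))


def probes_per_hour(log_text, port=445):
    """Map each hour to (drops on `port`, distinct sources behind them)."""
    counts = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != port:
            continue
        hour, src, _ = rec
        counts[hour] += 1
        sources[hour].add(src)
    return {h: (counts[h], len(sources[h])) for h in sorted(counts)}


def escalation_hours(per_hour, factor=3, min_sources=5):
    """Hours whose probe count rose by `factor` over the previous hour and
    came from at least `min_sources` hosts: many fresh sources is the
    signature of a growing infected pool rather than one noisy scanner."""
    hours = sorted(per_hour)
    flagged = []
    for prev, cur in zip(hours, hours[1:]):
        prev_n, _ = per_hour[prev]
        cur_n, cur_src = per_hour[cur]
        if prev_n and cur_n >= factor * prev_n and cur_src >= min_sources:
            flagged.append(cur)
    return flagged


if __name__ == "__main__":
    stats = probes_per_hour(SAMPLE_LOG)
    for hour, (n, s) in stats.items():
        print(f"{hour}:00  {n} probes from {s} sources")
    print("escalation in:", escalation_hours(stats))
```

Run against a real log, the threshold and factor need tuning to the firewall's normal background noise on that port.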
  • by gorfie ( 700458 ) on Saturday May 01, 2004 @05:16PM (#9029859)
    > Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?

    Should read "Of course, all good Slashdotters patch their systems and have a firewall, don't you?".

    Running something other than Windows is not a good reason to ignore security.
  • Re:ah... (Score:5, Insightful)

    by hawkbug ( 94280 ) <psxNO@SPAMfimble.com> on Saturday May 01, 2004 @05:55PM (#9030109) Homepage
    And thank you for your lazy attitude - you're the reason spammers can control broadband connected zombie boxes to fill my inbox with massive amounts of shit.
  • Social engineering (Score:3, Insightful)

    by YrWrstNtmr ( 564987 ) on Saturday May 01, 2004 @06:18PM (#9030224)
    > ...but how feasible WOULD it be to make worms for Linux?

    "Here's your new screensaver!
    You will be prompted for the admin password so we can install this and set it up.
    [prompt] - Install screensaver|install [keylogger/SMTP/ZombieClient]
    Please enter your admin password again to verify the settings for security
    Thank you! We appreciate your business! Click here to send this to all your friends!"

    Currently, Linux is more secure because, among other things, its users are generally more clued up. Put the general Bonzi fan on Lindows, and you'd see much the same thing.
  • by Anonymous Coward on Saturday May 01, 2004 @06:32PM (#9030314)
    > 5. Open source is insecure by default. Only by hiding your secrets are they kept safe.

    Ah yes....then why is the NSA even bothering with Linux? Ever heard of SELinux? The NSA doesn't seem to think the openness is a problem.
  • Re:I Use X Windows (Score:3, Insightful)

    by pantherace ( 165052 ) on Saturday May 01, 2004 @06:48PM (#9030426)
    My point was not that NT was not technically a multi-user system (depending on definitions), but was that everyone seems to still consider it one at heart, and act as if it is.

    Could you point some of these programs out? I have searched for them, and honestly can't find them.

    And I don't disagree about Norton being overpriced.

  • Re:ah... (Score:4, Insightful)

    by Molina the Bofh ( 99621 ) on Saturday May 01, 2004 @08:28PM (#9031004) Homepage
    The problem is not being open to the world.

    For starters, sendmail and wu-ftpd should have been banned from Earth a long time ago. They have more holes than Swiss cheese. Telnetd should already have been deprecated by ssh, and should not be installed at all.
  • by smeenz ( 652345 ) on Saturday May 01, 2004 @08:51PM (#9031113) Homepage
    and... what's so funny about that ?

    http://pestpatrol.com/pestinfo/w/w32sup.asp [pestpatrol.com]

  • by toast0 ( 63707 ) <slashdotinducedspam@enslaves.us> on Saturday May 01, 2004 @08:57PM (#9031144)
    Actually, none of the affected ports for this attack are necessary.

    Useful public well known ports:

    22 ssh
    25 smtp
    80 http
    110 pop3
    123 ntp
    220 imap
    443 https

  • Yeah, but not everyone is as fastidious as you. In my line of work, I have experienced all sorts of idiots who shouldn't be allowed to use a pocket calculator, never mind the Internet. I've had to deal with people who don't know the difference between an e-mail address and a website URL, and even one person who didn't know the difference between an e-mail address and their own name! And the scary part is, these were the most tech-literate people working for their own companies. I've tried saying to people, "Get your IT person to set your Outlook Express {they always use that, despite the fact that anyone with half a brain knows how terrible it is} up with these parameters ....." and found that the clueless tosser on the other end was the IT person. {Even if our internal "no source, no sale" policy didn't forbid using Outlook Express our end, it would still be such a horrible buggy piece of software we wouldn't touch it with a barge pole; but these people insist on using it}. If they were running Linux, I could just get them to temporarily set a new root password, SSH into their box, set everything up for them, and that would be Job Done.

    Well-set-up Windows systems can be much more secure than badly-set-up Linux systems. The trouble is that Linux users tend to {have to} be more clued-up. Part of the problem is the way Windows is pre-installed on so many machines. The supplier has to keep everything as general-purpose as possible, because they don't know what requirements the user's ISP will place on them -- which, in practice, means rather permissive defaults. In turn, the fact that it just works at first, despite the unnecessary ports and services, leads users not to think about security until it's too late already. With Linux {some obsolete RedHat versions excepted}, everything starts off inactive -- you have to select only what you want to allow. But that probably would also happen if users had to install Windows for themselves; or, even if pre-installed Windows systems had to be configured up from a "deny-all" situation. It means you have to use your brain a little bit, but that's hardly a bad thing -- as harsh as this may sound, it's more important that the job should be done properly, for the sake of other Internet users, than easily and maybe badly.
