New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
Mutex Trapping (Score:5, Interesting)
Mutexes are named consistently enough under Windows that I wish somebody would make a program that simply caught all attempts at gaining a mutex and popped up a dialog window if the mutex hadn't been seen before. This would stop most any new software from running without first checking with the user. This is no good for a server of course, but ideal for a workstation.
This would also be great for catching spyware crap installs, as well as things like the RealPlayer toolbar that keeps popping up adverts by default. Simply tell the mutex checker to decline the requested mutex from then on and it would have the mutex always fail from then on -- then those programs could never be run again.
Re:Mutex Trapping (Score:3, Interesting)
Why can't we have something that protects the registry and pops up whenever something wants to go into software/microsoft/windows/run, /runonce, runonceex, etc? 3/4 of the stuff that goes in there, I end up ripping out later. It's dumb that it's so easy for programs to install things there.
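Added example, not code from the thread or any of its posters: a baseline-diff check for the autorun registry keys the comment above names (Run, RunOnce, RunOnceEx). Rather than hooking the registry live, it parses two snapshots in the text format `reg export` writes (.reg files) and reports entries that were not in an approved baseline, which is the alert the commenter asks for. Both snapshots, the value names and the paths in them are constructed sample data, not real registry contents.

```python
"""
Baseline-diff of Windows autorun keys from .reg exports (added example).
Assumes snapshots were taken with `reg export <key> <file>`; the two
snapshots below are constructed, not captured from a real machine.
"""
import re

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed "known good" snapshot (hypothetical entries).
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed later snapshot: two entries have appeared since the baseline.
CURRENT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ExampleToolbar"="C:\\Program Files\\ExampleToolbar\\tb.exe /autostart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"setup_cleanup"="C:\\WINDOWS\\TEMP\\cleanup.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files escape a quote as \" and a backslash as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for every key in a .reg export.
    String values ("name"="data") are decoded; other types (hex:, dword:)
    keep their raw text so a change in them still shows up in the diff."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            entries[current][name] = data
    return entries


def new_autoruns(baseline, current, keys=AUTORUN_KEYS):
    """Entries under the watched keys that are new in `current` or whose
    command line changed. Key and value names compare case-insensitively,
    as the registry itself does. Returns sorted (key, name, data, status)."""
    watched = {k.lower() for k in keys}
    base_lc = {k.lower(): {n.lower(): d for n, d in v.items()}
               for k, v in baseline.items()}
    findings = []
    for key, values in current.items():
        if key.lower() not in watched:
            continue
        old = base_lc.get(key.lower(), {})
        for name, data in values.items():
            prev = old.get(name.lower())
            if prev is None:
                findings.append((key, name, data, "new"))
            elif prev != data:
                findings.append((key, name, data, "changed"))
    return sorted(findings)


if __name__ == "__main__":
    for key, name, data, status in new_autoruns(parse_reg_export(BASELINE_REG),
                                                parse_reg_export(CURRENT_REG)):
        print(f"[{status}] {key}\\{name} = {data}")
```

Re-run the check after every software install you did approve and fold its entries into the baseline; anything that shows up between approved installs is exactly the kind of silent autorun the comment complains about.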
Blaster-style? Uh-oh. (Score:3, Interesting)
Re:I Use X Windows (Score:2, Interesting)
Dammit... (Score:4, Interesting)
This close to removing win2k... (Score:3, Interesting)
1) IE won't work (joking aside, it just doesn't work at all). This happened a long time ago, so I switched to Mozilla. I thank MS for this, 'cause Moz owns.
2) Add/Remove Programs: I can no longer see the text describing the program install. It's all grey. An icon shows, so I can uninstall that way. It's not the color scheme either; I tried the MS default and it still didn't work.
3) I was having problems with this latest worm, but patching fixed everything, so now we wait to see what broke.
All in all I'm getting extremely close to wiping the HDD and dual booting Slackware Linux (which has been on my laptop for over a year and I love it) and win98se for games. All the backups are current, and I'm waiting for the next problem to make the system more unusable. If I wasn't so damn lazy, this would have been done sooner.
Brendan
Re:Blaster-style? Uh-oh. (Score:4, Interesting)
Re:Removal Instructions (Score:2, Interesting)
Looks like they just cut and pasted that page. Found in source code html...
That's funny. (Score:3, Interesting)
I know linux is more secure, especially because of the multi-user system where root is only used for special reasons, and that many windows programs are integrated in the OS (IE, Outlook...), but how feasible WOULD it be to make worms for Linux? I really don't know. I do use Linux, and I love it. I only boot into windows for certain things such as Battlefield 1942...
Re:ah Nice, more work =) (Score:2, Interesting)
We had a lot of grief with this one last night. (I'm going to be rich next Friday, after seven hours of overtime. I'd rather have had seven hours of sleep.)
It seems to have some effects not attributed to Blaster - it appears to have flooded some of our own machines. (we're not windowsupdate.com!) For example, causing two SQL servers to reboot spontaneously at random intervals until we cut our connection to corporate HQ.
We then got to spend several hours trying to figure out how to get a couple of mission-critical applications working when they connect to outside vendors on "strange" ports - and corporate has decided to cut off any ports they're not familiar with. Thank God for saving obsolete satellite receivers and a few hundred feet of RS-232 cable.
A problem we had was proprietary applications whose vendors haven't qualified the patches.
-----
As for home users not patching...
It's easy to belittle those who don't keep their systems patched to the latest revision. IIRC the appropriate patches for this one run to roughly 10MB. For dialup users, that's the better part of an hour of downloading. Often, tying up one's only phone for that period.
IMHO there are some fundamental structural issues in Windows. At least, it should NEVER be possible for software to be installed on a system without the user's consent. It should NEVER be possible to add items to the startup sequence without the user's consent. Sure, fixing that won't stop worms (there are plenty of users who say "Yes" to anything...) but it'd sure help.
Re:Oh the irony (Score:2, Interesting)
I usually set people up with the free version of ZoneAlarm. It stops most of these worms. Several people I know don't have this patch yet, but ZoneAlarm stopped the worm.
Also, my gaming machine (my only one running windows) was fine because it was behind a linux firewall/router
This totally sucks. (Score:5, Interesting)
So for the past few days, I've had to live with part of my bandwidth getting chewed up by incoming packets that don't actually do anything but take up space. It effectively slowed the speed of downloads by about half. The rate of packets is starting to slow down now... finally (I guess as people patch their systems), but it still was highly annoying.
Anyways, I called my ISP when I first noticed it 3 days ago (after checking it with ethereal), and asked if they could help. They told me that this was caused by filesharing programs, which I knew wasn't the case because in fact the only port 445 stuff I've done is Windows filesharing, and I've secured the one and only Windows system on my LAN so that only other IP addresses on my LAN can access it. Needless to say, this answer did not impress me. Here I was, effectively being subjected to a DoS attack, and they are trying to tell me this is _my_ fault? Man, if I had any other choice for high speed internet, I'd be switching in a heartbeat.
Anyways, that's my story. Things like this totally bite because you can have a firewall and all the security precautions in the world, but worms like this still chew up your bandwidth.
Outside the firewall... (Score:5, Interesting)
Re:ah... (Score:5, Interesting)
1999, the year MS forgot what was said back in 90.
2003, the year of Microsoft's new security initiative.
2004, the year of the Windows worms.
XP SP2, the patch for mentioned "listening state" error.
Re:already feeling it on college campuses (Score:2, Interesting)
I got it today! (Score:2, Interesting)
Re:I Use X Windows (Score:3, Interesting)
All that "emerge" stuff breaks Gentoo, sooner or later, every time I've tried it.
Re:No brainer (Score:2, Interesting)
Considering how I only use Windows to play games and burn CDs, I don't really care what worm gets on it as long as it doesn't damage the hard disk. It is a bother to install an AV program when I spend so little time on Windows. btw, I am behind a firewall/router.
And AV isn't the only solution. My dad has had the same laptop for at least 7 years now and it never got a virus. I guess that it is still running win95 from when he bought it has something to do with it....
Re:Removal Instructions (Score:5, Interesting)
Do you create all your HTML documents from scratch?
This worm release is pretty cool, I think. This is the first time I've got to see the patch deployment process I built with a couple of other people from my group send out patches to the entire company and get pretty much everybody taken care of before the worm was released. We built it from SMS SUS and a bunch of in-house components. 11,000 workstations across the country patched in less than a week, and we could have done it even faster in an emergency.
Regular SUS took care of our servers a week ago.
Fine. (Score:1, Interesting)
But still, it's stupid to have any OS that has all these worms going around. I'd like to see Microsoft go through what they already have in their codebase and pull these little fuckers out, then patch 'em. Patch 'em good, patch 'em hard.
Yeah, it's not open source, less eyeballs on the code etc etc, but I'm sorry but if Microsoft, a corporation which is not only making in the region of several billion $PLURALCURRENCY a year but is a frickin' defense contractor, can't invest some money in poking through their code and going "nope, some script kiddie piece of shit is gonna 0wn that" then there's no hope for us all.
(Note: I have just moved to XP from Linux because of hardware not working. So far I haven't got Blaster or been cracked in any other way. I must be lucky or something. *g*)
Re:I was wondering... (Score:5, Interesting)
It sure is. The last worm [securityfocus.com] wouldn't have worked without one.
Re:ah... (Score:3, Interesting)
Boy, am I lame!
Re:Dammit... (Score:5, Interesting)
I use the "redirect" feature of the packet filter to do the equivalent of proxy transparency on ports 135,139,445,4444,9996 to local ports with a local listener.
The Sasser worm starts 128 scanning threads to pseudo-random destinations, and on a fast machine can really pump out the packets. If you give it something to talk to on ports 445 and 9996, that considerably slows the scanning behavior.
so that's why my /var/log/messages is so big today (Score:3, Interesting)
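Added example, not code from the thread or any poster: the detection side of what the comment above describes. A worm running many scanning threads against pseudo-random addresses shows up in a packet-filter log as one source hitting many distinct destinations on the same port within seconds, while a legitimate file-share client talks to one or two servers. The script parses iptables-style LOG lines and reports sources that exceed a distinct-target threshold inside a sliding window. The log lines are constructed, the hostname `gw` is hypothetical, and the addresses are documentation ranges (RFC 5737), not real hosts; the port list is the one the comment tarpits.

```python
"""
Worm-style scan detection over firewall log lines (added example).
Assumes iptables LOG format lines as found in /var/log/messages; the
sample below is constructed, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

# Ports the comment above redirects to a local listener.
WATCHED_PORTS = {135, 139, 445, 4444, 9996}

LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d).*?"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one host sweeps eight neighbours on 445/9996 in four
# seconds, one host talks to a single file server twice, one HTTP hit, one
# unrelated daemon line.
SAMPLE_LOG = """\
May  1 09:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1054 DPT=445 SYN
May  1 09:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.11 LEN=48 PROTO=TCP SPT=1055 DPT=445 SYN
May  1 09:12:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.12 LEN=48 PROTO=TCP SPT=1056 DPT=445 SYN
May  1 09:12:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.13 LEN=48 PROTO=TCP SPT=1057 DPT=445 SYN
May  1 09:12:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.14 LEN=48 PROTO=TCP SPT=1058 DPT=445 SYN
May  1 09:12:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.15 LEN=48 PROTO=TCP SPT=1059 DPT=445 SYN
May  1 09:12:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.16 LEN=48 PROTO=TCP SPT=1060 DPT=445 SYN
May  1 09:12:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.17 LEN=48 PROTO=TCP SPT=1061 DPT=9996 SYN
May  1 09:12:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3011 DPT=445 SYN
May  1 09:12:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3012 DPT=445 SYN
May  1 09:12:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=40000 DPT=80 SYN
May  1 09:12:11 gw dhcpd: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55 via eth1
"""


def parse_log_line(line, year=2004):
    """Return {ts, src, dst, proto, dpt} for an iptables LOG line, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def busiest_window(events, window_seconds):
    """Largest number of distinct destinations inside any window of
    `window_seconds` starting at one of the events. events: [(ts, dst)]."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        targets = set()
        for ts, dst in events[i:]:
            if (ts - start).total_seconds() > window_seconds:
                break
            targets.add(dst)
        best = max(best, len(targets))
    return best


def find_scanners(lines, ports=WATCHED_PORTS, min_targets=5, window_seconds=60):
    """Map source -> distinct targets in its busiest window, for sources that
    reached at least `min_targets` distinct hosts on a watched TCP port."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_log_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dpt"] not in ports:
            continue
        per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    return {src: n for src, evs in per_src.items()
            if (n := busiest_window(evs, window_seconds)) >= min_targets}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct targets on watched ports within 60s")
```

The distinct-destination count, not the raw packet count, is what separates a scanner from a chatty but legitimate client; tune `min_targets` to how many file servers a normal workstation on your network actually talks to.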
Re:Outside the firewall... (Score:2, Interesting)
At our school, although we are unfortunately a 99% m$ shop, we run all our stuff through a p166 running linux as a gateway. We actually have a cisco 2600 provided by the council, but as they refuse to give us admin access to it, we bypassed it.
Now, at the time of blaster we were absolutely fine. No infections. Yet the idiots in many other schools managed to saturate our shared net connection (fibre!) for 2 solid weeks!
So rather than chucking that old p166, use it for something useful. Don't trust Mr. Cisco provided by the council to work just fine protecting your 2K server - do it yourself.
Re:I Use X Windows (Score:2, Interesting)
After installing SP4 on my friend's Windows 2000 box, he had to reinstall just about every program he had, because they just stopped working.
To be fair to MS though, they really didn't expect him to be running any programs as a normal user instead of an administrator.
Grounded (Score:4, Interesting)
I have to wonder...
Re:ah... (Score:3, Interesting)
Re:I Use X Windows (Score:5, Interesting)
I don't use a Windows machine from the administrator account. When I need to run Update, I switch over and do it as the administrator. I read before I install, and I don't install nonapplicable updates. I don't trust anyone's automagic updaters.
When I've used Gentoo, it's been as a desktop machine. I've installed it 3, maybe 4, times, always building from the minimal install (the one that takes a day and a night, and most of the second day...). I don't muck about and I don't install "foreign" software. Every time I've used Gentoo, it goes belly up after I've installed some update or another.
Gentoo may have an excellent packaging system, but I don't have time or energy or purpose to become an expert on one more proprietary packaging and updating scheme.
Linux touts "choice" all the time, and rightly so. But the fact is that having a plethora of distribution-specific packaging schemes is a major pain that limits choice.
So long as the Linux community fails to agree to, implement, and use a single packaging and updating scheme, Linux will be a nonstarter outside the geek and corporate worlds.
Re:Grounded (Score:3, Interesting)
Re:Grounded (Score:1, Interesting)
It's not a security issue as nobody tried to hack into their systems *specifically* -- and it's not a safety issue (with the planes) as they were grounded and *can* keep track of them.
The fact remains though...
?
Re:Security Update Dates (Score:3, Interesting)
So the turnaround time on wrapping that public exploit code into this worm was far from 18 days.
Re:Linux is vunerable too (The anti-anti-windows F (Score:1, Interesting)
What you mean is that it's cheaper to hire somebody to fix a Windows box than a Linux box. There is a grain of truth in this. Windows often packs up for no apparent reason. Almost any unskilled monkey can "fix" a broken Windows box just by hoicking out the power lead, counting to ten and putting it back. Linux only ever misbehaves with a good reason, and requires someone who knows their arsehole from their earhole to fix it.
^^^^^^^^
I work in IT and we rarely see issues with software on our machines. It's always the hardware nowadays. Sure if you get hit with spyware and shit like that you may have problems but that's NOT a flaw in Windows. You'd get the same garbage if they targeted Linux.
With a little common sense Windows will not crash unless you're running poorly written software. Of course you'll still blame Microsoft when someone like Adobe hasn't patched their distiller software in 2 years.