Forgot your password?
typodupeerror
Security The Internet

A Worm's Worm 345

Posted by michael
from the meta dept.
Carnildo writes "There's a new worm out, according to the Register, but one with a twist. This one, called 'Dabber', infects computers by exploiting a security hole in the Sasser worm."
This discussion has been archived. No new comments can be posted.

A Worm's Worm

Comments Filter:
  • Ugh... (Score:5, Funny)

    by c0dedude (587568) on Friday May 14, 2004 @08:00PM (#9158117)
    Jeez, they never fully test these worms before release. No wonder they'd have security issues.
    • Re:Ugh... (Score:5, Funny)

      by irokitt (663593) <archimandrites-iaur@yahoo. c o m> on Friday May 14, 2004 @08:09PM (#9158222)
      This is why every worm should be released under the GPL. Then independant worm enthusiasts can verify the security of worm code and contribute patches and improvements to the author.
      • Re:Ugh... (Score:5, Informative)

        by httptech (5553) on Friday May 14, 2004 @08:51PM (#9158484) Homepage
        This is already happening. Agobot is a GPLed malware project. Although it's not quite a worm, it can spread unattended once given the command to do so. Plenty of people are contributing to it (although some of them have been arrested in the past few days) and the feature list is quickly growing.
        • Re:Ugh... (Score:5, Funny)

          by jesser (77961) on Friday May 14, 2004 @09:48PM (#9158786) Homepage Journal
          So if I'm infected, I can demand a copy of the source code?
          • Re:Ugh... (Score:5, Interesting)

            by Rob Simpson (533360) on Friday May 14, 2004 @11:54PM (#9159330)
            Of course, and its a sad comment on the state of computing today that this is a unique case. Human viruses are thoughtfully provided with their source code - exceeding even the requirements of the GPL - so they can be compiled by your cells.

            Yay for Free Software! (Achoo!)

            • Re:Ugh... (Score:4, Interesting)

              by lostchicken (226656) on Saturday May 15, 2004 @04:05PM (#9162802)
              All binaries come with "source code", machine code. It's a language that most of us don't use, but it's still a language. My CPU uses this "source code" to create a different set of instructions that are executed by the core of the CPU. You can read the machine code and see what the app is doing. DNA and RNA are pretty much just machine code for cells.
          • Re:Ugh... (Score:4, Interesting)

            by ajs318 (655362) <sd_resp2 AT earthshod DOT co DOT uk> on Saturday May 15, 2004 @03:49AM (#9160050)
            You should try my personal favourite software licence:

            Copyright (c) yyyy, The Author and Contributors. All rights reserved until yyyy when this work will enter the Public Domain.

            Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
            • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
            • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Any redistribution of the software or derived work in binary form must be accompanied by an offer of the source code, to be valid until the lapse of copyright on the work in question. In case of default on this offer, any affected party may use reasonable force to obtain the source code.
            • The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
            • Modifications on such a scale that they are deemed by applicable local laws to constitute a whole new work are exempt from this licence.
            THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
            • Re:Ugh... (Score:3, Informative)

              by mabinogi (74033)
              You can't put restrictions on Public Domain.

              If it's in the public domain, then anyone can do anything they want with it - you are revoking all ownership so have no more right to impose restrictions such as copyright notices than the guy down the street does.
              • Re:Ugh... (Score:3, Informative)

                But he is not saying it is in the public domain. He is saying that from year YYYY until year YYYY(+X) he owns the copyright and can make demands as such. Once YYYY(+X), it becomes public domain and then, as such, can be done with as pleased. Until then, the demands as to copyright notice are his to make.
        • Re:Ugh... (Score:5, Interesting)

          by lommer (566164) on Friday May 14, 2004 @11:24PM (#9159228)
          I have a very serious suggestion, namely that Agobot, once it infects a host, should patch the host, remove spyware, and remove other virii, and then propogate itself a maximum of 10 times (to conserve bandwidth). Though you are still doing unauthorized stuff to other peoples' computers, if you're gonna make a virus, you may as well make it beneficial. Maybe that way fewe people would get arrested...

          Given that it's a GPL project, I can't imagine that it would be too hard to find a few dedicated coders who would be willing to work on such a fork.
          • Why not? (Score:4, Insightful)

            by r_j_prahad (309298) <r_j_prahad@@@hotmail...com> on Saturday May 15, 2004 @01:24AM (#9159634)
            Even if you try to be the good guy doing beneficial stuff like that, it'll still get you just as arrested, just as photographed, and just as incarcerated under existing law as if you had done the typical evil stuff.

            If the outcome is gonna be the same, might as well be an asshole.
          • Re:Ugh... (Score:3, Interesting)

            Welchia perhaps? It doesn't remove spyware and was designed to remove just one worm but that's kind of what you're on about I think.

            I ran into Welchia.B the other day which went after MyDoom (SCO) and downloaded 5 patches or so from MS and installed them on the system. Trouble is, that it's still a worm - nobody wants it on their system - it took me a couple hours to identify and remove it then get Windows running again.

            Welchia.B was trying to run four different exploits on remote IPs - I sniffed all the
    • Re:Ugh... (Score:5, Funny)

      by dealsites (746817) on Friday May 14, 2004 @08:09PM (#9158223) Homepage
      I imagine that most of these virus writers are not formally educated in programming, but able to hack together code snippets they find on the web. It's a wonder some of them work as well as they do. I doubt they do peer review or use a CVS to manage their code.

      --
      New deal processing engine online: http://www.dealsites.net/livedeals.html [dealsites.net]
      • Re:Ugh... (Score:2, Interesting)

        by Anonymous Coward
        Most virii are rather small in code size compared to a typical project using CVS or similar tools. That means a single person can easily manage and oversight the code.
      • Re:Ugh... (Score:5, Insightful)

        by inertialmatrix (675777) on Friday May 14, 2004 @08:28PM (#9158355)
        "most of these virus writers are not formally educated in programming, but able to hack together code snippets they find on the web. It's a wonder some of them work..."

        heh.. sure, right. God knows that unless you have a masters in CS your only chance to program something like code red, blaster, or sasser is by hacking "together code snippets [you] find on the web" Christ, 3 years into a CS major, and aside from the calculus I have yet to make any large leaps in knowledge over what I already knew several years ago.

        Maybe that's what grad school is for?
        • That is true... I guess I had the term "script kiddies" in my head and assumed that these were pre-college programmers. I'm getting a little older now, but I assume that they are probably teaching programming in high-school now. Does anyone know what grade the first introductory programming classes are now offered in?

          --
          New deal processing engine online: http://www.dealsites.net/livedeals.html [dealsites.net]
          • Re:Ugh... (Score:4, Insightful)

            by taped2thedesk (614051) * on Friday May 14, 2004 @08:36PM (#9158408)
            A lot of schools used to offer as a electives in high school, but thanks to constant budget cuts, the "leave every child behind" act, etc, many have had to drop these classes. Pretty sad.
          • Re:Ugh... (Score:3, Interesting)

            by drskrud (684409)
            That's something that really depends on the school. I remember my elementary school would have a class that consisted of Logo Writer / Microworlds that I took in the first grade...

            My former high school offered a Visual Basic course in grade 10... but that's VB.

            However, there's a lot one can learn by teaching themselves from a book, and I think that's where a lot of the talented young programmers get their starts. It may be that writing annoying viruses and worms are just some kid's way of testing and/or p
          • Re:Ugh... (Score:2, Interesting)

            Hrmmm... I think the first programming class I took in school was during 4th grade. I think it was LOGO, and then that summer my school started a computer camp that focused on BASIC.

            But still... it is just getting younger and younger. During the summer my University hosts several computer camps, and I see 7,8, 9 and 10 year old kids programming in C ++ and other OO programming languages.

            Crazy indeed
            • Re:Ugh... (Score:3, Insightful)

              by Crayon Kid (700279)

              I'd say it's crazy. Dude, come on, C++ OO programming at 7? That's a little hard to believe unless you're a genius. At 7 you don't have the concepts needed to do advanced programming. Heck, most kids only learn to read at 6 or 7, and this is the bright kids. You can't say he's been alive for 7 years now, and C++ can be mastered in 2 years, so he should be a guru by now. It just doesn't work that way, you need to accumulate knowledge and develop the mind in a certain way.

              Logo at 6 or 7 I can believe. Basic

          • Re:Ugh... (Score:3, Informative)

            by pyite (140350)
            When I was a sophomore, my school was just starting to offer AP Computer Science A (C++) to juniors and seniors. I petitioned and got in the class. Out of roughly forty students only I and one other student got a 5 on the exam. Due to the obvious lack of preparation of most of the kids entering the course, I encouraged my teacher to try to start an intro. class. Surprisingly, he listened, and even listened to my language recommendation of Scheme. That summer he went to a Scheme teacher's workshop type thing
        • Re:Ugh... (Score:5, Insightful)

          by foobario (546215) on Saturday May 15, 2004 @01:06AM (#9159570) Homepage
          >Maybe that's what grad school is for?

          No, but the remainder of your undergraduate education will benefit if you continue to hope that this is true.

          Every year in my EE and CS programs I figured that 'next year' would be the year I'd really learn something useful, but that day never arrived. Nonetheless I managed to graduate, get a high-paying job, and get laid off 20 months ago after 3 years of 15 hour days. Now I think about taking classes at the community college, welding maybe, but I just can't get up the energy to do it.

          You see, you are wrong in assuming that calculus is the only thing you've learned so far. You've also learned The Secret a year earlier than most people.

          You know those tests they do on rats, where they put them in a maze, and if they do the wrong thing they get an electric shock, but if they do the right thing they get the cheese?

          The Secret is this:

          You are the rat.
          The electric shock is *always* on.
          ***There Is No Cheese***.
          • Re:Ugh... (Score:4, Insightful)

            by Kiryat Malachi (177258) on Saturday May 15, 2004 @03:22AM (#9159981) Journal
            Funny.

            I learned lots of useful things in undergrad. I use them roughly 7-9 hours a day, doing a job I actually enjoy.

            And I got an EE degree. Maybe it's because I'm not a programmer.

            Maybe you just worked for a shitty company? (And before you get pissy about it, I work for a Fortune 100 company - it ain't just small company's that can be decent to work for.)
        • I dropped Comp Sci (Score:4, Insightful)

          by KalvinB (205500) on Saturday May 15, 2004 @03:25AM (#9159993) Homepage
          After two years I've given up on it. I spent two years studying philosophy and didn't bother trying to get a degree for the same reason I'm switching majors now (secondary education). I got ahead of my math classes. I've always been ahead of the programming classes. And I can't stand physics (which I'm done with finally).

          The fact is that if you challenge yourself you can learn everything you'd learn in college on your own for a lot less money. In the field of technology you have to be able to teach yourself anyway or you'll find you've become obsolete.

          I switched to education because I think it'd be a more entertaining and fulfilling career than sitting behind a computer all day.

          "Maybe that's what grad school is for?"

          Save your money. If you want to learn how to program just buy the books and come up with projects.

          The reason I know as many languages as I do is because I'm always coming up with ideas. I then figure out what language would be best to implement it and learn the language.

          You're better off specializing in an area (like math or physics) and then learning how to program on the side so you can utilize that skill in your profession. You don't need a comp sci degree to write modeling programs for a chemistry application. You need a chemistry degree so you understand what the program needs to do. In programming knowing what you need to do is 90% of it. The other 10% can be learned as you build the program.

          Think about it. Little kids can program. It's really not that hard. But little kids don't know enough about chemistry to use their programming skills to write chemistry programs.

          If you don't understand chemistry nobody really cares if you can do magic in C++ because you don't have the knowledge to make your programs do what a chemistry program needs to do.

          It's the same reason the FBI doesn't care if you were on a police force. An FBI agent needs to know things you can't learn being in the police force. And what you need to learn in the police force can easily be taught to you by the FBI.

          Ben
      • Re:Ugh... (Score:5, Insightful)

        by John Hasler (414242) on Friday May 14, 2004 @09:09PM (#9158572) Homepage
        I imagine that many of these virus writers are professionals, well-paid by their spammer employers.
    • by David Hume (200499) on Friday May 14, 2004 @08:28PM (#9158356) Homepage

      Jeez, they never fully test these worms before release. No wonder they'd have security issues.


      I wonder if the author of the author of Dabber has violated the DMCA by circumventing a copyright protection system [cornell.edu] -- i.e., the code to the Sasser worm.

      More specifically, I wonder if the author of Sasser can sue the author of Dabber for statutory damages of up to "$2,500 per act of circumvention [cornell.edu]." ;)

      • Re:DMCA violation? (Score:5, Insightful)

        by spectre_240sx (720999) on Friday May 14, 2004 @08:55PM (#9158506) Homepage
        You jest, but I wouldn't be surprised if it was possible. Don't forget, this is the country where a buglar can sue his victims if he breaks his leg while breaking into their house and win.
        • Re:DMCA violation? (Score:3, Interesting)

          by Jahf (21968)
          There's a little difference ... if you want to use a burglar analogy, then use the analogy of a burglar stealing property from another burglar that stole it from the owners.

          Both are illegal, both are prosecutable, but the "victim" burglar can't sue for loss of property from the 2nd burglar because the property belongs to the original owner.
  • by KevinKnSC (744603) * on Friday May 14, 2004 @08:00PM (#9158119)
    Worm writers have got to start taking security more seriously.
  • all new low (Score:5, Funny)

    by ResQuad (243184) <`moc.ketelosnok' `ta' `todhsals'> on Friday May 14, 2004 @08:00PM (#9158123) Homepage
    This is an all new low. Now virus programmers will have to make their virus's better so they dont get infected by another virus.

    I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all alot easier on us.
    • by Ungrounded Lightning (62228) on Friday May 14, 2004 @08:38PM (#9158416) Journal
      This is an all new low. Now virus programmers will have to make their virus's better so they dont get infected by another virus.

      Actually, this sounds like somebody trying to make a disinfectant worm. Look at the description:

      - It only infects infected systems, using a flaw in the previous infection.

      - It cleans out the infection of the worm that it exploited, and several others.

      It does open a new backdoor. But while that might be preparation for some future malicious action, it might also have been the author leaving himself a way to fix things if his initial worm got out with a destructive bug. (Of course it could be the worm cleaning up signs of previous infections in order to hide itself and thus head off other cleanups.)

      I wouldn't be surprised to see, on further analysis, that it does other antimalware things (like fix the flaw the other worms used).

      (Not to say that it IS somebody trying to fight virus with virus. But it might be interesting if it turns out that it is.)

      I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all alot easier on us.

      Which is exactly what the military does with some of its really secure stuff.

      Now if we can just get the Microsoft users to emulate them. B-)
    • by Anonymous Coward on Friday May 14, 2004 @08:47PM (#9158461)
      Now virus programmers will have to make their virus's better so they dont get infected by another virus.

      Maybe they can just run Norton AntiVirus - oh wait...
  • geez (Score:3, Insightful)

    by killerface (573659) on Friday May 14, 2004 @08:01PM (#9158133) Homepage
    You know this seems at first to be really creative . But think he/she is just riding on sassers coattails
  • planned (Score:4, Interesting)

    by name773 (696972) on Friday May 14, 2004 @08:01PM (#9158134)
    did the sasser writer make it expandable on purpose? this isn't the first time a thing like this has happened.
  • by boffy_b (699458) on Friday May 14, 2004 @08:02PM (#9158141) Homepage
    ...we need to stop relying on thrid-party worms, we need Micro-Soft certified worms to ensure our securtity....
    • Re:This is why... (Score:3, Interesting)

      by wmspringer (569211)
      You mean like IE? I've certainly had enough programs try to get me to install that on my computer..
      • by duffel (779835) on Friday May 14, 2004 @08:30PM (#9158371)
        ...we need to stop relying on thrid-party worms, we need Micro-Soft certified worms to ensure our securtity....
        You mean like IE? I've certainly had enough programs try to get me to install that on my computer..
        Wouldn't that be a trojan horse rather than a worm? Worms are more like those automatic updates, burrowing into your system... Although that program that downloads them would be more like a trojan horse, and the downloading of updates the payload...

        Yes, that's it! Windows is a trojan horse designed to sneek windows updates onto your computer!

        Tremble before my mighty logic!
    • by writermike (57327) on Friday May 14, 2004 @08:51PM (#9158486)
      ...we need to stop relying on thrid-party worms, we need Micro-Soft certified worms to ensure our securtity....

      Heh.

      The Virus you're about to install has not passed Windows Logo testing to verify its compatibility with Windows XP.

      Continue Anyway.
  • Spyware and others (Score:5, Interesting)

    by r.jimenezz (737542) <rjimenezh@g[ ]l.com ['mai' in gap]> on Friday May 14, 2004 @08:02PM (#9158142)
    Just thought about this... With the huge number of machines out there "infected" by spyware, adware and similar programs (and many of them without their users even knowing), how long will it be until a worm is written that exploits a vulnerability in one of these programs?
    • by MrRuslan (767128) on Friday May 14, 2004 @08:13PM (#9158264)
      Something like a rear entry into bonzi buddies behind?
    • by clambake (37702) on Friday May 14, 2004 @08:34PM (#9158394) Homepage
      Just thought about this... With the huge number of machines out there "infected" by spyware, adware and similar programs (and many of them without their users even knowing), how long will it be until a worm is written that exploits a vulnerability in one of these programs?

      Gimme a sec.
    • Here's an interesting idea: If someone writes a worm that exploits a flaw in a spyware, would be spyware company be legally responsible for the damage? Even if not, the resulting uproar could bring much needed attention to spywares.
    • by nukey56 (455639) on Saturday May 15, 2004 @01:17AM (#9159610)
      As an antivirus tech at one of the bigger anti-virus companies, I can say that I see this all the time. Real simple example:
      1. Hacker breaks into adware web server, replaces lots_of_banners_here.html with omg_olol_teh_hax.html
      2. said adware gets on a user's computer
      3. said adware tries to get its banner ads, and BAM, user now has redlof.A


      Given this isn't exactly a code-level exploit, though it is annoying enough that I sent two people to the reformat docters today because of it. Antivirus installed on the system beforehand, too.
    • by skinfitz (564041)
      I'm just waiting for someone to root Gator's..oops - sorry Claria's [claria.com] download servers and replace "precisiontime.exe" and so on with trojaned alternatives.

      In fact.. thinking about it what's to stop me capturing requests for this crap on my proxies and redirecting them to an exe that removes gator? Hmm...
  • by gmuslera (3436) on Friday May 14, 2004 @08:03PM (#9158152) Homepage Journal
    I think the Nimda worm exploited vulnerabilities created by CodeRed a few years ago.
  • Antivirus! (Score:2, Interesting)

    by ForestGrump (644805)
    "Dabber then installs itself and deletes the registry keys of Sasser and other viruses. It creates a backdoor on infected machines on TCP port 9898 allowing hackers to download additional code, which might be far more malicious than Dabber itself."

    sounds like its doing some antivirus while its at it. Good!

    Just be sure to block off 9898.
    -Grump
    • Re:Antivirus! (Score:2, Insightful)

      by r.jimenezz (737542)
      sounds like its doing some antivirus while its at it. Good!

      Nah, let's not fool ourselves. This is probably just so that you can run a Sasser removal tool, find nothing and feel yourself at ease thinking your machine is clean :(

    • Re:Antivirus! (Score:3, Interesting)

      by c0dedude (587568)
      Do you really think those infected with sasser will know how to block off a TCP port, much less what TCP is?
      • by spun (1352)
        A TCP port is any port through which they ship the illegal drug TCP, of course. Everyone knows that.
    • by Jedi Alec (258881)
      yeah, kinda like a dictator being replaced by one that's even worse. i can just feel the revolution on my harddisk taking place...
  • Plug-in (Score:5, Funny)

    by StateOfTheUnion (762194) on Friday May 14, 2004 @08:04PM (#9158166) Homepage
    So now worms come with hooks for third party plug-in's?
    • Re:Plug-in (Score:5, Interesting)

      by SharpFang (651121) on Friday May 14, 2004 @08:17PM (#9158295) Homepage Journal
      Yes, for quite a while.

      Quite a bit of modern worms in this or that way provide just a generic backdoor to the infected machine without performing any extra malice. Some of them just open oprts, some trick firewalls and actively "call home", which usually happens to be some random IRC server on some compromised machine (IRC seems to be preferred method for the virii writers for controlling worms, which just act as bots on the channel). Then the virii can upload a spamming software, a DDoS attack plugin, a keystroke logger, a file transfer thing, a tunneling/relay program to mask an attack, or whatever the twisted minds come up with.
  • by jbuhler (489) on Friday May 14, 2004 @08:04PM (#9158167) Homepage
    Hath smaller fleas that on him prey;
    And these have smaller still to bite 'em;
    And so proceed ad infinitum.

    - Swift
  • um... (Score:5, Funny)

    by Anonymous Coward on Friday May 14, 2004 @08:05PM (#9158177)
    Would that make the security flaw a ::cough:: "Wormhole"?
  • by Anonymous Coward on Friday May 14, 2004 @08:05PM (#9158179)
    maybe we should make a virus that causes everyone to hit up Windows Update and maybe we'll be alright.
  • by licamell (778753) on Friday May 14, 2004 @08:06PM (#9158186)
    The author in response to the news announce that he will be releasing Service Pack 1 within the next week. Make sure to set up your computer to get updates automatically from update.sasser.com.
  • by Cyberherbalist (731257) * on Friday May 14, 2004 @08:06PM (#9158191) Homepage
    There was something on /. the other day about a team of biologists who built a virus based on HIV, that goes out to destroy HIV ability to turn to AIDS. Apparently, the Dabber developer took a page from that book --- in a twisted sort of way.
  • by wo1verin3 (473094) on Friday May 14, 2004 @08:07PM (#9158202) Homepage
    Microsoft Security Bulletin MS05-014
    Security Update for Microsoft Windows (93212)

    Issued: May 14, 2004
    Updated: May 14, 2004
    Version: 1.0

    Summary
    Who should read this document: Customers who use the Sasser worm

    Impact of vulnerability: Remote Code Execution

    Maximum Severity Rating: Critical

    Recommendation: Customers running the Sasser worm should apply the update immediately to be protected from Dabber.

    Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

    Caveats: The security update is for Windows 2000, XP Pro and Home, and Windows 2003 server platforms. As a prerequisite, the security update requires your system be infected with Sasser.

    To download the Sasser worm, please open Outlook Express or Outlook 2000/XP and execute any attachements you have recieved from unknown senders. If you are not using Sasser you do not need to install this update.

    Once installed your system will be immune from being infected with Dabber which exploits a flaw in the widely popular Sasser worm.

    Tested Software and Security Update Download Locations:

    Affected Software:

    Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 - Download the update [albinoblacksheep.com]

    Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update [albinoblacksheep.com]

    Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update [albinoblacksheep.com]

    Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update [albinoblacksheep.com]

    Microsoft Windows Server(TM) 2003 - Download the update [albinoblacksheep.com]

    Microsoft Windows Server 2003 64-Bit Edition - Download the update [albinoblacksheep.com]
  • by Gribflex (177733) on Friday May 14, 2004 @08:08PM (#9158207) Homepage

    Dabber than installs itself and deletes the registry keys of Sasser and other viruses.

    This is fantastic! It is a virus, that infects only virus infected machines, and then removes all other virii. What a great solution to rapidly spreading worms.

    If users are too lazy or ignorant (in the nice sense of the word) to patch their systems, then just relase another virus to do it for them.

    Except that...

    It [then] creates a backdoor on infected machines on TCP port 9898 allowing hackers to download additional code...

    They just couldn't stop at doing a good thing, could they...

    • The thing about an infected system is that it's absolutely NO GOOD to anybody except the person who's infected it. So when you infect a machine, you want to make sure it's a CLEAN machine, so that you can use it. There's nothing benevolent about destroying the OTHER invading forces so that you can own the land.
    • by Reivec (607341) on Friday May 14, 2004 @08:46PM (#9158457)
      You are missing a big point here. The worms effect us all in a much more annoying way. Internet traffic clogging up my connection speed. Why do I care if stupid people can't use their computer? If there was an "Anti-Worm" it would still cause tons of traffic scanning the networks and even if it helped infected people, I don't give a damn. They were too stupid and didn't protect their systems or use something besides windows, not my fault. So basically in my book, the cure would be just as bad as the problem.
    • by alonsoac (180192) * on Friday May 14, 2004 @09:10PM (#9158575) Homepage Journal
      This was never about doing a good thing. It's plain competition. Any decent worm should be able to remove all other worms and viruses from the system in order to have complete control over it. I bet this will only get more common.

      Then again it should be easy to release this new work without the code that opens the backdoor so that it only does the removal part?
  • Seems Like (Score:2, Insightful)

    by MrRuslan (767128)
    the windows RPC implimintation and the LSASS share some similar quilities with worms and back doors, One has to wonder how much more of windows has the same charictaristics of a virus.
  • A Quick Fix (Score:3, Funny)

    by magefile (776388) on Friday May 14, 2004 @08:11PM (#9158246)
    Everyone:
    • if you have windows, type, "format C:"
    • if you have linux, or Mac OSX, type "su if you have a pre-OSX Mac, get someone to translate the above commands for you
    That'll take care of the folks who don't patch or use a firewall or AV. I figure anyone smart enough to do that won't run the commands ... and anyone running a different OS won't have virus issues anyway (and will probably be smart enough to firewall, too!).
    • That'll take care of the folks who don't patch or use a firewall or AV.

      Dude, you forgot the following steps:
      • Unplug the computer from the walls
      • Detach peripherials from computer
      • Put computer back in box
      • Ship it back out

      Why? BECAUSE YOU'RE TOO FUCKING STUPID TO USE A COMPUTER!!! ;)
    • by rjshields (719665) on Friday May 14, 2004 @08:28PM (#9158360)
      if you have windows, type, "format C:"

      Why yes, I have windows. I even have doors too. I typed "format C:" like you said but I just got a message saying "the page cannot be displayed".
  • by erikharrison (633719) on Friday May 14, 2004 @08:17PM (#9158293)
    Gosh, this whole mess looks just like Blaster from down here in the trenches.

    I'm tech support for Tremendously Large ISP. From down here this looks just like Blaster did. Customers calling in complaining that their machine is restarting without their consent. And now someone has a follow up virus that attacks the virus - as some may recall there was a Blaster variant that patched systems AGAINST Blaster. This was terrible - if you got this variant inside a corporate network not only would your bandwidth use skyrocket, but since NAT tends to fubar Windows Update, the variant never managed to patch a system. God that was hell . . .

    It's almost enough to make you want to write a virus in revenge . . .
  • Patch? (Score:5, Funny)

    by durtbag (694991) on Friday May 14, 2004 @08:20PM (#9158318)
    So where do I doenload the patch so my Sasser isn't vulnerable?
  • Sigh... (Score:5, Funny)

    by ike6116 (602143) * on Friday May 14, 2004 @08:24PM (#9158339) Homepage Journal
    I told you not to try Sasser, it's a gateway worm! IT LEADS TO HARDER, MORE DANGEROUS WORMS!
    • Ha, my brother and his friends actually used to do something called Sassafras, kind of similar. Anyway, Sassafras I believe is derived from a root and is hallucinogenic.
  • by exp(pi*sqrt(163)) (613870) on Friday May 14, 2004 @08:26PM (#9158346) Journal
    ...with some software with the ability to self-replicate. God help the rest of the universe when life finally manages to get off this planet.
  • by Anonymous Coward on Friday May 14, 2004 @08:30PM (#9158375)
    The mentioned code, which is used in Dabber, can be found at http://packetstormsecurity.nl/0405-exploits/sasser ftpd.c [packetstormsecurity.nl]
  • ...from History of the World Part one [imdb.com]:

    "Look how low we have become! Beggars! Begging from beggars!"
  • OS Popularity? (Score:5, Interesting)

    by One Louder (595430) on Friday May 14, 2004 @08:41PM (#9158430)
    The tired argument is that Mac OS X and Linux are too unpopular to build worms and viruses for - but apparently it's worth writing worms just for Windows machines infected by a single strain of worm.

    Does this situation imply that the sum total of Sasser-infected machines outnumber Macs and Linux boxes?

    • Re:OS Popularity? (Score:3, Insightful)

      by Tim C (15259)
      To be honest, I wouldn't be surprised if that was the case.

      On the other hand, though, I'd be utterly amazed if worm writers don't take apart existing worms when preparing to write a new one. Learn from what has gone before and all that. I'd expect that what's happened is not just that Sasser is so widespread that someone decided to exploit it, but that someone was studying it, noticed the exploit, and went for a quick and easy route to write a new worm.
  • Add it to nmap! (Score:5, Informative)

    by JThundley (631154) on Friday May 14, 2004 @08:49PM (#9158478) Homepage
    Add the sasser FTP server to your nmap-services file. I run Gentoo, mines in /usr/share/nmap.

    Add this line:
    sasser 5554/tcp # Sasser worm FTP server

    This way when you do a port scan of a host, you can tell if they've been infected with sasser :)
  • by Anonymous Coward on Friday May 14, 2004 @09:13PM (#9158595)
    Only use worms that are Microsoft Security Hole Certified!
  • Geek jokes (Score:5, Funny)

    by Tokerat (150341) on Friday May 14, 2004 @09:40PM (#9158742) Journal

    Program code so advanced it travels through worm holes!

    *rimshot*
  • Fun! (Score:5, Interesting)

    by Ketnar (415489) <{gro.rantek} {ta} {ranteK}> on Friday May 14, 2004 @09:46PM (#9158775) Homepage
    This sort of reminds me when I wrote a counter-bug to combat an email worm that had infested an office building I was contracting to. Worked through the ever-so-lovely 'You don't have to really click the attachment for it to go off on you' bug in an older version of outlook.

    It sat and watched a users inbox for the big bug at the time and pretty much acted like a counteragent, the instant they showed up, it nuked them off the machine (inbox and all) and undid whatver they managed to do.

    Send one copy to everybody in the office, and instantly watch outgoing network mail traffic DROP back down to normal levels and my phone stop ringing.

    I seem to recall distinctly 'forgetting' to mail it to key people, however.. *cough* :)

    Would be a real shame if some of the geek-prowess around the OSS world were to start doing such counter-bugs. Alot of these backdoors, trojans, and whatnot, have gaping flaws in them because..well, guess. :P

    Just think:
    Infect > Disinfect > Patch > Scan nearby machines (proceed life cycle)> Local Self-remove

    Could be the next revolution. Don't bother patching or downloading, we bring the cure to YOU.. :)
  • Phages? (Score:5, Insightful)

    by Wtcher (312395) <wtcher@gmail.com> on Friday May 14, 2004 @10:00PM (#9158864) Homepage
    ...it reminds me of the phage/bacteriophage, actually. If I recall, those viruses kill bacteria(judging from the name...) by infecting them.

    This goes on to remind me of that recent anti-HIV virus that's been in the news.
  • by standing_still (772809) on Saturday May 15, 2004 @12:55AM (#9159527)
    Is this a beginning of a new virus era? I can see virus programmers making holes in their code on purpose just to release a second virus to take advantage of it. virus 'a' is programmed with a hole - virus 'b' takes advantage of it! A fine case of hit them when they are down!
  • by mamba-mamba (445365) on Saturday May 15, 2004 @02:04AM (#9159747)
    This reminds me of a poem I heard when I was a kid. I'm not sure who the original author is.

    Every flea has a flea
    on his back to bite him.
    And on that flea another flea
    so ad infinitum.

    MM
    --
  • by tokachu(k) (780007) on Saturday May 15, 2004 @04:14AM (#9160119) Journal
    ...and no sympathy to the kids who release them. The vulnerability was shown well before the worm's release.

    The fact is, this worm released relies on another worm that causes the computer to randomly shut down. Unlike the LSASS service, there is very little stability, therefore making it highly unlikely that a computer infected with the former worm will be hit by the latter.

Save the whales. Collect the whole set.

Working...