
A Worm's Worm

Carnildo writes "There's a new worm out, according to the Register, but one with a twist. This one, called 'Dabber', infects computers by exploiting a security hole in the Sasser worm."
  • by gmuslera ( 3436 ) on Friday May 14, 2004 @08:03PM (#9158152) Homepage Journal
    I think the Nimda worm exploited vulnerabilities created by CodeRed a few years ago.
  • Not the same thing (Score:3, Informative)

    by Dog and Pony ( 521538 ) on Friday May 14, 2004 @08:07PM (#9158199)
    That used the backdoor left by the other virus, not a flaw in the virus itself.
  • by grunthos ( 574421 ) on Friday May 14, 2004 @08:09PM (#9158225) Homepage
    No, they both exploited the same holes in IIS.

    Perhaps you are thinking of Welchia [viruslist.com] which exploited IIS but also removed Blaster.

  • by Anonymous Coward on Friday May 14, 2004 @08:30PM (#9158375)
    The mentioned code, which is used in Dabber, can be found at http://packetstormsecurity.nl/0405-exploits/sasser ftpd.c [packetstormsecurity.nl]
  • by Anonymous Coward on Friday May 14, 2004 @08:34PM (#9158397)
    While this is really funny, IE users should be warned that clicking the albinoblacksheep.com links can cause multiple spawning windows.

    I know, I am an idiot, but I thought the flash demo might be funny also. The post was funny, but the web site was not.
  • by int2str ( 619733 ) on Friday May 14, 2004 @08:37PM (#9158410)
    Nope, the Sasser author is going to jail (http://www.heise.de/newsticker/meldung/47205 - sorry, in German).
    SP1 will be a while ;)
  • Add it to nmap! (Score:5, Informative)

    by JThundley ( 631154 ) on Friday May 14, 2004 @08:49PM (#9158478)
    Add the sasser FTP server to your nmap-services file. I run Gentoo, mine's in /usr/share/nmap.

    Add this line:
    sasser 5554/tcp # Sasser worm FTP server

    This way when you do a port scan of a host, you can tell if they've been infected with sasser :)
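
An added example, not part of the comment above: a shell sketch that appends the suggested `5554/tcp` entry to an nmap-services file only if it is missing, and picks hosts with that port open out of nmap's grepable (`-oG`) output. The function names are hypothetical, and the file path is passed in rather than assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original thread).

# Append the service entry unless 5554/tcp is already defined.
# $1 = path to an nmap-services file (the comment mentions /usr/share/nmap).
add_sasser_service() {
    services_file=$1
    if grep -Eq '^[^#[:space:]]+[[:space:]]+5554/tcp([[:space:]]|$)' "$services_file"; then
        return 0    # entry already present, leave the file unchanged
    fi
    printf 'sasser\t5554/tcp\t# Sasser worm FTP server\n' >> "$services_file"
}

# Read grepable nmap output on stdin and print each host with 5554/tcp open.
# Each port field has the form: port/state/protocol/owner/service/...
# Typical use on a range you administer:
#   nmap -p 5554 -oG - <range> | hosts_with_sasser_ftpd
hosts_with_sasser_ftpd() {
    awk '
        /^Host: / && /Ports: / {
            host = $2                 # address follows the "Host:" label
            sub(/^.*Ports: /, "")     # keep only the port list
            sub(/\t.*$/, "")          # drop trailing tab-separated fields
            n = split($0, ports, /, */)
            for (i = 1; i <= n; i++) {
                split(ports[i], f, "/")
                # closed or filtered states are not reported
                if (f[1] == "5554" && f[2] == "open" && f[3] == "tcp") {
                    print host
                    break
                }
            }
        }'
}
```

Matching on the `open` state rather than the bare port number keeps hosts that merely answered with a closed or filtered 5554/tcp out of the result.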
  • Re:Ugh... (Score:5, Informative)

    by httptech ( 5553 ) on Friday May 14, 2004 @08:51PM (#9158484) Homepage
    This is already happening. Agobot is a GPLed malware project. Although it's not quite a worm, it can spread unattended once given the command to do so. Plenty of people are contributing to it (although some of them have been arrested in the past few days) and the feature list is quickly growing.
  • Re:Ugh... (Score:3, Informative)

    by pyite ( 140350 ) on Friday May 14, 2004 @09:53PM (#9158818)
    When I was a sophomore, my school was just starting to offer AP Computer Science A (C++) to juniors and seniors. I petitioned and got in the class. Out of roughly forty students only I and one other student got a 5 on the exam. Due to the obvious lack of preparation of most of the kids entering the course, I encouraged my teacher to try to start an intro. class. Surprisingly, he listened, and even listened to my language recommendation of Scheme. That summer he went to a Scheme teacher's workshop type thing geared to starting courses in Scheme. Sure enough, the following fall, a semester course called Introduction to Computer Programming was being taught using Scheme to grades 10 and above. High schools can be decent places to learn coding, if you have faculty that is motivated to teach it. I even managed to start a chapter of the American Computer Science League in my school. That kind of failed since we were all seniors who were far past giving a damn. It was still a good idea though.
  • by Anonymous Coward on Friday May 14, 2004 @10:36PM (#9159027)
    Many of the nasty adware/spyware out there disable your security settings and open backdoors. We were having problems with adware overwriting content at one of the dot coms I worked at and I seriously considered using the disabled security to write a remover for the adware.

    It was decided that it wasn't worth it since once we knew a machine was infected with some adware, all bets are off as to the stability of the machine.

    Code which might work perfectly in QA would likely cause crashes in the wild due to multiple infections. So we went with detect and warn rather than using backdoors to fix.
  • by nukey56 ( 455639 ) on Saturday May 15, 2004 @01:17AM (#9159610)
    As an antivirus tech at one of the bigger anti-virus companies, I can say that I see this all the time. Real simple example:
    1. Hacker breaks into adware web server, replaces lots_of_banners_here.html with omg_olol_teh_hax.html
    2. said adware gets on a user's computer
    3. said adware tries to get its banner ads, and BAM, user now has redlof.A

    Given this isn't exactly a code-level exploit, though it is annoying enough that I sent two people to the reformat doctors today because of it. Antivirus installed on the system beforehand, too.
  • by tokachu(k) ( 780007 ) on Saturday May 15, 2004 @04:14AM (#9160119) Journal
    ...and no sympathy to the kids who release them. The vulnerability was shown well before the worm's release.

    The fact is, this worm released relies on another worm that causes the computer to randomly shut down. Unlike the LSASS service, there is very little stability, therefore making it highly unlikely that a computer infected with the former worm will be hit by the latter.
  • Re:Ugh... (Score:3, Informative)

    by mabinogi ( 74033 ) on Saturday May 15, 2004 @06:43AM (#9160365) Homepage
    You can't put restrictions on Public Domain.

    If it's in the public domain, then anyone can do anything they want with it - you are revoking all ownership so have no more right to impose restrictions such as copyright notices than the guy down the street does.
  • Re:Ugh... (Score:3, Informative)

    by Anarke_Incarnate ( 733529 ) on Saturday May 15, 2004 @07:39AM (#9160452)
    But he is not saying it is in the public domain. He is saying that from year YYYY until year YYYY(+X) he owns the copyright and can make demands as such. Once YYYY(+X), it becomes public domain and then, as such, can be done with as pleased. Until then, the demands as to copyright notice are his to make.
