RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
that's cute (Score:5, Funny)
Re:that's cute (Score:5, Funny)
Something along the lines of:
Who do I now need to pay $699 to?
strangely enough (Score:5, Funny)
IN SOVIET RUSSIA, worm fixes YOU! (I am not laughing, are you?)
Re:that's cute (Score:5, Interesting)
You actually don't need a worm for that. Most users aren't savvy enough to know what an ActiveX installer is so they simply "click yes". We wouldn't have the Gator [gator.com] problem that exists if users were just a bit more educated (or MS software wasn't so exploitable).
If you could create a distro that installed and co-existed on an NTFS partition, you'd have a winner. Heck, you could even give users the option to "remove my windows partition" once they started using it.
IMHO - Linux on NTFS is the first step to widespread adoption. Users would be able to install it through Windows via a regular InstallShield or whatever...
Re:that's cute (Score:3, Insightful)
See, I would tend to disagree. Being a long-time Mac user, I've struggled to figure out why the MacOS, which I consider to be clearly superior to Windows, hasn't done better. I finally realised: people are lazy and unlikely to vary from what they're used to.
Sure, the learning curve to switch from Windows to Mac, and the Mac experience is easier to use, more stable, less virus-prone etc etc, but people assu
Re:that's cute (Score:3, Funny)
Re:that's cute (Score:5, Funny)
That wouldn't work too well. You would have to download the virus yourself, make sure the virus was compatible with your hardware, make sure you had all the necessary dependencies for the virus to run properly, then you would have to modify the virus source code to work with your particular setup, then go out on newsgroups seeking help when you can't get it to work, and in the end you would end up giving up, re-installing Windows, then posting an article on Slashdot about how Linux "isn't quite ready for the masses yet."
Re:that's cute (Score:3, Informative)
About a year ago I installed RedHat 7.2. It was my first Linux install and after getting it up and running, I spent about an hour playing around with it before downloading all the patches (there were *a lot*). In that short time, a vulnerability in wu-ftp was exploited and my machine compromised.
Call me stupid (and I'm sure you will), but for a "boxed, off the shelf" consumer product, that doesn't sound
Re:that's cute (Score:3, Insightful)
Coolness.... (Score:4, Funny)
Re:Coolness.... (Score:4, Insightful)
On a more practical side, though, perhaps we need more of these, enough people seem to not patch their systems themselves...
Speaking of which... (Score:2)
Re:Speaking of which... (Score:5, Informative)
Basically, No. Nothing happened.
Re:Speaking of which... (Score:5, Informative)
Re:Speaking of which... (Score:5, Funny)
Did anyone else read this with the tune of "video killed the radio star" playing in their head?
Re:Speaking of which... (Score:3, Funny)
GNU/Linux: for when it actually has to work!
This could go on for a while... (Score:5, Funny)
Re:This could go on for a while... (Score:5, Interesting)
Neat nonetheless.
Re:This could go on for a while... (Score:3, Interesting)
It would be interesting if technology like this were used by administrators to distribute patches to people whose machines have become infected with other viruses...
Since people never bother to install patches when told to but ALWAYS "install" the latest versions of viruses, this may be an interesting new way to distribute p
Re:This could go on for a while... (Score:5, Insightful)
I see a new arms race coming up. "White hat" virus/worm writers vs "Black Hat" virus/worm writers.
Or perhaps it was just that one of them finally realized that to make headlines (and get the attention that these guys seem to crave) it had to be different from the rest. Since worms usually cause damage, what better way to be different than by fixing damage?
Or perhaps it's simply Microsoft's latest patch distribution strategy. "We use our holes to patch our holes". (So they're not bugs, just an update distribution feature)
Re:This could go on for a while... (Score:5, Interesting)
But since it's gotten into a "host" a new way, the W32/Nachi worm is of little concern since it's trying to kill the old worm.
But what this will do is make leet hackers try to industrialize their worms. Such things as taking more control over the system, disabling all traffic to Microsoft, attacking virus protection, or even closing the door themselves so that cleaner worms or "copy-cat" worms can't get in.
The evolution of the "worm" has begun.
The other question I have is whether or not the W32/Nachi worm cleans up itself if it cannot find a host to spread to. The "cure" may turn out to be no better than msblaster if it generates massive network traffic looking for new hosts.
Re:This could go on for a while... (Score:3, Insightful)
The evolution of the "worm" has begun.
Hey, it's more fun than CoreWars! (to people of a certain mentality.) Once a vulnerability is discovered, the contest is on to see who can write the best worm to take over the larg
Re:This could go on for a while... (Score:5, Insightful)
You know, a really cool way to get around this is have the worm only trigger an infection when a Slammer infection attempt is detected. This way, you'll only hit infected machines. Then, coupled with an expiry time, this thing could be relatively benign (well, other than the whole "break into computers and install software without permission" thing).
Re:This could go on for a while... (Score:5, Interesting)
The end is near. So download Linux!
Re:This could go on for a while... (Score:3, Informative)
RTFA has never been more relevant.
Obligatory Semi-Relevant Simpsons Quote (Score:5, Funny)
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
Re:This could go on for a while... (Score:5, Insightful)
[starts coding furiously on a anti-Gator worm]
So cool! (Score:5, Interesting)
Re:So cool! (Score:5, Insightful)
Re:So cool! (Score:3, Insightful)
The question is, have you popped someone else's? (Score:3, Insightful)
Re:So cool! (Score:3, Insightful)
!(not a single one has not seen) == everyone has seen
That would have been soo much easier to read.
Re:So cool! (Score:5, Informative)
But, notice that this worm self un-installs at a certain date. It's quite a way away, but even so. The fact it opens port 707 sounds a bit worrying though.
Re:So cool! (Score:4, Insightful)
Except in an autoimmune disorder.
Maybe, but not likely. (Score:5, Insightful)
Or, put another way, if there were no "white-hat" worm that might also up traffic for a while, there will probably be a black-hat one that WILL up traffic for a while, AND format a few hard drives to boot. Erm, not boot.
Re:So cool! (Score:5, Insightful)
Re:So cool! (Score:5, Insightful)
You seem to be confusing innocence with willful ignorance. If you want to own and use a computer, especially one connected to the internet, you have an implied obligation to make sure you know how to use and care for it properly. Just like when you own a car. When your ignorance begins to impact and harm other people, any claim of innocence gets tossed right out.
Re:So cool! (Score:4, Insightful)
Great, so YOU go explain to my mom how to. I live 1300 miles away, I get my sister to when possible, and I do when I visit, but she's 67, and has no hope of being L33+. "Obligation" is a bit harsh. We want everyone on the internet (it made it cheaper) and we talk about being inclusive, but then we talk shit about how superior we are and people who get confused about updates should not be on the net.
The problem isn't my mom. The problem is the dickholes who write very bad OS software that must be patched weekly. And no, she wasn't infected. I had been down visiting and updated her.
Re:So cool! (Score:3, Interesting)
Re:So cool! (Score:3, Insightful)
Someone has entered your house through an unlocked back door and installed a device which disrupts yours (and other peoples') wireless networks. You're not only the victim of a crime, but by being a victim (and leaving your door unlocked) you're causing harm to others (in the case of the virus, it's spreading to others, being used in a DOS attack, etc.) Someone then comes in through this still-unloc
oh shut up (Score:5, Insightful)
Re:So cool! It's just like getting "cow pox" (Score:3, Insightful)
Sounds like Windows Media Player (Score:3, Funny)
Or Gator.
Time till first lawsuit (Score:5, Insightful)
Re:Time till first lawsuit (Score:5, Interesting)
Plus, it just so happens that good people are not as paranoid and don't tend to hide themselves as well...
Re:Time till first lawsuit (Score:5, Interesting)
cleaner worms (Score:2, Insightful)
They will never allow this to grow (Score:4, Insightful)
Re:They will never allow this to grow (Score:4, Insightful)
Re:They will never allow this to grow (Score:5, Interesting)
Re:They will never allow this to grow (Score:3, Insightful)
People may be mad, but the fact is that their unpatched machines are a menace to everybody else on the internet (much moreso than an unlocked car). It's got to stop somehow, and until Microsoft ships Windows with a built-in enabled automatic firewall on all of these ports that shouldn't (by any rights) be inte
That's hysterical... (Score:5, Interesting)
An even better twist of fate would be for that individual to get arrested for creating a worm! (it's a DMCA violation to use that hack...)
it needs a EULA (Score:5, Funny)
Re:That's hysterical... (Score:3, Insightful)
Who's going to pay for your bandwidth when the real worm gets out of hand? Better a pre-emptive strike from a beneficial source with minor inconveniences than a serious problem from a malicious source which would cause even more traffic problems.
If only I had the knowhow... (Score:3, Interesting)
Bravo.
Scanning my users (Score:5, Interesting)
Re:Scanning my users (Score:5, Informative)
For those Windows sysadmins that don't know, you can use SUS [microsoft.com] (free from Microsoft) on a local server to distribute updates via Automatic Updates. The clients need to be configured, through Group Policy (or manually, if you wish), to use your server instead of Microsoft's, but it can scale quite easily to enterprise level.
It needs IIS to run, but it runs the IIS Lockdown Tool [microsoft.com] at the same time.
Helping lazy admins (Score:4, Funny)
Where was this worm last week? (Score:5, Funny)
I did wonder (Score:3, Interesting)
This could be something we see more of in the future, almost like a battle between the two groups, taking place on machines throughout the world while the majority of users are completely unaware.
It could be pretty interesting to see the whole thing unfold!
I feel very comfortable ... (Score:5, Funny)
Pretty cool (Score:5, Interesting)
Re:Pretty cool (Score:5, Insightful)
Sure... but when was the last time a nurse jabbed you in the ass with a vaccine while you were walking down the street stuffing your mouth with donuts?
Even vaccines are voluntary things that have risks...
MadCow.
Internet Robin Hood (Score:5, Insightful)
D
Re:Internet Robin Hood (Score:5, Funny)
Let's just hope that jingle-detection algorithm is perfect, and the purse-cutting knife is sharp and true. Otherwise Sherwood is going to have a lot of pissed-off, penniless eunuchs.
Vigilantism is a dangerous game. Innocent victims do get hurt. This worm is a very bad idea.
Core wars (Score:5, Interesting)
Something about this seems like a global scale Core Wars game. How scary, horrible and cool at the same time.
And guess who'll get caught (Score:5, Insightful)
Wow, I called this last Thursday! (Score:5, Insightful)
Apparently the answer is 'Four days at most...'
The extent to which the Internet recapitulates evolution and biological systems is astounding!
Re:Wow, I called this last Thursday! (Score:3, Funny)
Yeah, now all we need is a type of cancer that attacks cancer cells and turns them back into normal cells.
And one that turns people who don't patch their machines into people who DO patch their machines! Oh yeah, that'd be sweet...
I can hear it now... (Score:4, Insightful)
Predicted a long time ago, and very far away. (Score:5, Funny)
the next few weeks... (Score:5, Interesting)
Unsecured university networks could unleash a new wave of worm-infected machines on the Net. This could be fun to watch, for those of us who aren't uni sysadmins...
--joedoe
Bad Idea (Score:5, Insightful)
Does it magically boot the system off known good media to check for rootkits/backdoors/trojans/[insert favorite evil here]???
No.
Does it magically monitor the traffic to and from the machine for a reasonable period of time to ensure that nothing is amiss???
No.
Does it reinstall the host OS from the original media and restore the last known good backup???
No.
So...what does it do?
It patches the hole and wipes out the worm if present, then deletes itself in 2004. Great...except, MSBlaster wasn't the only thing that took advantage of the RPC/DCOM exploit. Oops. Now the system administrator has no cause to take any of the above steps because from his view, sitting in his office running the latest eEye scanner, the machine was never vulnerable.
When will folks figure out that these so called "good worms" are not a good thing? The failure of the author to take note of such fundamental flaws in his or her logic suggests that they have no business doing anything, much less volunteering to correct the world's problems. Of course, this could be a deliberate cover-up...but somehow I think it's just another security cowboy trying to save the world.
This happened to Linux first (Score:3, Informative)
Self-removing on 1st Jan 2004 (Score:5, Interesting)
A good worm is a dead worm... (Score:5, Interesting)
I guess that explains my firewall activity (Score:5, Insightful)
Where do they get these names from? (Score:3, Interesting)
read the advisory -- this is evil (Score:4, Interesting)
COMING SOON (Score:5, Funny)
- W32/PSCheezRemove.AutoTrojanMurderWorm: Attaches to exposed port 5555, downloads GOODTASTE.EXE from a predefined HTTP server, which it then executes. Scans Hard discs for PSD files that employ garish glows, drop shadows, and procedural 2D fire effects, and replaces those layers with a text layer containing the URLs of several reputable visual arts schools.
- Existence/DrawerClean.Intruder: Waits until you leave for work, jimmies your bedroom window, and illegally enters your home. If he/she finds an underwear drawer, he/she folds and neatly stacks the contents of the drawer, quicksorting by color, then leaves. Symantec is reporting a variant, DrawerClean/FourStar, which leaves a mint on your pillow on the 16th of each month.
one possible author (Score:5, Funny)
Think about it. No average sysadmin would do it to clean up his systems - there's too much liability under DMCA. Idiot home users don't care. Non-Microsoft people are glad that they were to be attacked on Saturday. Who's left? The punk kids who write all the viruses? Why would they care about this? The only other possibility would be some security company like eEye trying to gain reputation - but again, the DMCA issues would prevent them from disclosing that they ever wrote it.
Hm... whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!
Re:one possible author (Score:3, Funny)
No, I disagree.
I can assure you that there are Microsoft zealots who are every bit as zealous as open source people. Perhaps even more so. Even worse, they claim that they are "unbiased". I know at least one.
Microsoft could probably get into trouble for this. It is very unlikely that this is anything that the corporation has officially done. It might have been a Microsoft employee
Depressing thoughts (Score:5, Insightful)
There are probably thousands of programmers out there that could have written the blaster worm. Most did not want to do it. Of those that would, most seem to be content to write prankster-style worms. One individual decided to write an anti-worm-worm.
What if one had decided to write a *really* malicious worm? In my mind, it is a 99% certainty that eventually some pissed off malcontent will do so. And they do not even have to be in the country.
Imagine a malicious government, with 100 dedicated programmers.
Or a well funded terrorist or anarchist.
Imagine, multiple simultaneously spreading worms, helping each other by opening backdoors, targeting Windows systems, Apache web servers, hardware routers, telephone switchboards, and whatever else they can find. And the payload? Designed to inflict the most economical damage. Perhaps even a smokescreen to illicitly gain access to systems that manage power, water, electricity, and actually cause physical damage too.
Governments need to sit up and take notice, this is serious stuff.
They did (Score:3, Informative)
The government warned people TWICE to install the patch last month.
Re:Depressing thoughts (Score:3, Insightful)
Way, way more than that.
Consider it this way (Score:5, Insightful)
If Blaster wasn't in the wild, Nachi would be abhorrent. But the thing is, Blaster is in the wild. It's folly to pretend otherwise.
I can see the pragmatic value of this form of worm, as long as it follows the rule that it should under no circumstances do more damage than the worm that it blocks. Sure, I'd still like to kick the crap out of whoever released it, but I'd shake his hand first.
Worms: The good, the bad, and windows update (Score:5, Interesting)
Well, of course there is a slight difference. With windows update, you ask for the update to happen. That is not the same as knowing what is really being changed. For example, the most recent windows update broke IE when it tries to talk to Squid. Also, I do not really know what is being updated by windows update, I just have to hope for the best.
So, is leaving a port open any more of a security risk than pressing the "Windows Update" button? Either way I am giving people who I do not know and probably don't trust access to my computer.
On the flip side, is a worm that improves my computer in some way any better than one that degrades my computer? Would it be ok for Microsoft to release a worm that automatically upgrades IE? I think most right-thinking people would agree that it is wrong, even if it's for the right reasons. The end does not justify the means.
Somewhere there is a line between right and wrong here. The problem of course is that there are so many people who do not understand what a worm or an update is, how can they possibly do the right thing? Does a fix-it worm make sysadmins lazy?
Maybe. Does it help the little old lady who just wants to find out about her genealogy and does not know or care how her computer works? Absolutely. It also helps those of us who have to help this little old lady out because she is our mother.
Someday, the computer will be as easy to use as a microwave. Until then, I will take all the help I can get.
Internet chatter about a Good Worm (Score:3, Interesting)
There was some talk on the Full Disclosure lists of releasing a worm such as this. Now it appears that someone has done it. Kudos to them. Now the question becomes: Do we let this worm just run freely out there? Do we try to stop it?
Past worms haven't been able to load updates like this simply because the vulnerabilities weren't as big as the RPC/DCOM vulnerability that is being used on this exploit/patch.
The whole internet worm thing has become rather boring. The security community has already learned the lesson to be taught: patch your machines. It looks like there is now something new to take notice of with the Nachi worm.
Now we need to come up with phrases such as: Are you a good worm, or a bad worm? Or White worms vs. Black worms.
The Big Question (Score:5, Interesting)
...is how good a job this worm does of
I've often thought that this is the proper way to clean up machines where sysadmins fail to do their own patching after a decent interval.
In fact, if I were MS, I'd have someone do this, but disclaim any and all connection, for the obvious reason of legal liability.
[But considering the extra powers authorities have in the case of human infection - witness the recent SARS outbreak - having a net Doctor authorized to release a vaccine for such a serious vulnerability as this RPC/DCOM, at some point after the general notification, seems reasonable to me.]
I wrote a virus like this once (Score:5, Interesting)
Some history:
Waaay back in the mists of time (1988) I was a 1st-year undergrad in Physics. Together with a couple of friends, I wrote a virus, just to see if we could, and let it loose on just one of the networked machines in the year-1 lab.
I guess I should say that the virus was completely harmless, it just prepended 'Copyright (c) 1988 The Virus' to the start of directory listings. It was written for Acorn Archimedes/BBC micros (the lab hadn't got onto PCs by this time, and the Acorn range had loads of ports, which physics labs like
It spread like wildfire. People would come in, log into the network, and become infected because the last person to use their current computer was infected. It would then infect their account, so wherever they logged on in future would also infect the computer they were using then. A couple of hours later, and most of the lab was infected.
You have to remember that virii in those days weren't really networked. They came on floppy disks for Atari STs and Amigas. I witnessed people logging onto the same computer "to see if they were infected too". Of course, the act of logging in would infect them...
Of course "authority" was not amused. Actually they were seriously unamused, not that they caught us. They shut down the year-1,2,3 network and disinfected all the accounts on the network server by hand. Ouch.
There were basically 3 ways the virus could be activated:
We hadn't really counted on just how effective this was. Within a few days of the virus being cleansed (and everyone settling back to normal), it suddenly made a re-appearance again, racing through the network once more within an hour or two. Someone had put the virus onto their floppy disk (by typing *. on the floppy rather than the network) and had then brought the disk back into college and re-infected the network.
If we thought authority was unamused last time, this time they held a meeting for the entire department, and calmly said the culprit when found would be expelled. Excrement and fans came to mind. Of course, they thought we'd just re-released it, but in fact it was just too successful for comfort...
Since we had "shot our bolt", owning up didn't seem like a good idea. The only solution we came up with was to write another (silent, this time
We had actually built in a kill-switch to the original virus, which would disable and remove it - we didn't want to be infected ourselves (at the start). Of course, it became a matter of self-preservation to be infected later on in the saga - 3 accounts unaccountably (pun intended
So, everyone was happy. Infected with the counter-virus, but happy. "Authority" thought they'd laid down the law, and been taken seriously (oh if they knew...) and we'd not been expelled. Everyone else lost their infections within a few months
Anyway. I've never written anything remotely like a virus since [grin]
Simon.
A quick note (Score:4, Insightful)
Re:A quick note (Score:3, Insightful)
Article in Seattle P-I (Score:3, Interesting)
Less aggressive idea (Score:3, Interesting)
This has the benefit of lowering the overall amount of traffic that is broadcast, and /.'ers would be happy to run these servers and eventually the viruses spread would logarithmically decay.
I am assuming that there is some way to re-infect an already infected machine with new code. This may or may not be possible.
WTF? (Score:3)
Exactly what kind of cracker writes stuff like this?
Why does the anti-worm have to spread the same way (Score:3, Interesting)
If it did that, eventually it would self-kill all infected hosts until the few that remained can't find anyone else to infect.
Might make a good math exercise. As a host is cleaned and listens for attacks, it cleans other hosts, then those hosts also assume the vigilante role. Eventually you'd have fewer and fewer infected hosts searching for victims and more and more former victims waiting to be found. I would expect the count of infected hosts to reach zero at some point, given that the method to find new hosts is random enough. Question is, how many events would have to occur to reach zero!
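A simulation of the "passive cleaner" model sketched in the post above, added here as an example and not code from the thread or from any worm. It assumes a random-scanning bad worm, a cleaner that only reacts to hosts that scan it (the cleaned attacker then also listens), and constructed address-space and host counts; it reports how many scan events it takes for the infected count to hit zero.

```python
import random
from dataclasses import dataclass

# Host states in the constructed address space (most addresses are EMPTY,
# since a worm's random scans mostly hit nothing).
EMPTY, VULNERABLE, INFECTED, VIGILANTE = range(4)


@dataclass
class Outcome:
    events: int       # scan attempts made until the last infected host was cleaned
    infected: int     # infected hosts remaining (0 when finished)
    vulnerable: int   # unpatched hosts the bad worm never reached
    vigilante: int    # cleaned hosts listening for attackers
    finished: bool    # False if max_events ran out first


def simulate(space_size, n_infected, n_vulnerable, n_vigilante, seed=0,
             max_events=5_000_000):
    """Run the passive-cleaner model until no infected host remains.

    Each event: one infected host scans one random address.  A VULNERABLE
    target becomes INFECTED; a VIGILANTE target cleans the attacker, which
    then becomes a VIGILANTE itself; any other target is a wasted scan.
    """
    assert n_infected + n_vulnerable + n_vigilante <= space_size
    rng = random.Random(seed)
    addrs = list(range(space_size))
    rng.shuffle(addrs)                      # hosts sit at random addresses
    state = [EMPTY] * space_size
    infected = addrs[:n_infected]           # kept as a list for O(1) swap-remove
    for a in infected:
        state[a] = INFECTED
    lo, hi = n_infected, n_infected + n_vulnerable
    for a in addrs[lo:hi]:
        state[a] = VULNERABLE
    for a in addrs[hi:hi + n_vigilante]:
        state[a] = VIGILANTE
    vulnerable, vigilante = n_vulnerable, n_vigilante

    events = 0
    while infected and events < max_events:
        events += 1
        i = rng.randrange(len(infected))
        attacker = infected[i]
        target = rng.randrange(space_size)
        t = state[target]
        if t == VULNERABLE:                 # the bad worm spreads
            state[target] = INFECTED
            infected.append(target)
            vulnerable -= 1
        elif t == VIGILANTE:                # the attacker gets cleaned
            state[attacker] = VIGILANTE
            infected[i] = infected[-1]
            infected.pop()
            vigilante += 1
        # INFECTED or EMPTY target: nothing changes, only traffic was generated
    return Outcome(events, len(infected), vulnerable, vigilante, not infected)


def mean_events(runs, **kwargs):
    """Average event count over several seeds: the post's 'how many events' question."""
    total = 0
    for seed in range(runs):
        out = simulate(seed=seed, **kwargs)
        if not out.finished:
            raise RuntimeError("run did not terminate within max_events")
        total += out.events
    return total / runs


if __name__ == "__main__":
    params = dict(space_size=65536, n_infected=500, n_vulnerable=2000, n_vigilante=100)
    print(simulate(**params))
    print("mean events over 5 runs:", mean_events(5, **params))
```

With no vigilantes at all the infected count can only grow, so the run stops at `max_events` with `finished=False`; that is the "random enough" caveat from the post made explicit.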
Re:It's the first time.. (Score:4, Insightful)
I've made a better car alarm: it makes an even LOUDER sound, thus drowning out the original car alarm for everybody's protection.
It's the first time I see a car alarm that actually does something good!
Re:Traffic Rubber Band Effect (Score:4, Insightful)
For the rest of the people out there who would never even know they have this, I'd much rather have them infected with this version.
I would hope after a certain amount of time, it stops trying to find other infected machines. My previous post is based on this assumption.
-Pete
Re:SuperWorms (Score:3, Insightful)
Sorry you have such contempt for others that don't choose the same OS as you do.
In response to your comments about super worms...
One thing that is coming from Microsoft is a Layer 7 filter with a simple user
Try 1,300,000 pings per minute! (Score:4, Interesting)
On my linux firewall guarding a company network I was seeing way over 1 million ping packets per minute at one point! I'd call that a DDoS attack! From the inside out.
For those with Linux firewalls, try the following iptables rules to rate limit those ping packets: