Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Microsoft The Internet

Worm vs. Worm Battle Slows Networks 559

joel_archer writes "According this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit was the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
This discussion has been archived. No new comments can be posted.

Worm vs. Worm Battle Slows Networks

Comments Filter:
  • by Pandora's Vox ( 231969 ) on Wednesday August 20, 2003 @01:21AM (#6741516) Homepage Journal
    MS exploit virus comes out.

    mysterious patching virus starts making the rounds. massive consequences.

    we should be doing this more often, kids.

    -Leigh
    • by Black Parrot ( 19622 ) on Wednesday August 20, 2003 @01:27AM (#6741550)


      > MS exploit virus comes out. mysterious patching virus starts making the rounds. massive consequences. we should be doing this more often, kids.

      Yeah, I'm working on a worm to kill off the worm that was supposed to fix Blaster, but I've been busy and haven't gotten it out yet. Look for it in your mailboxes tomorrow!

    • I agree (Score:3, Insightful)

      by kramer2718 ( 598033 )
      What kind of sick airline uses Windows servers to do check in and track flights/passengers. Is their IT department completely slow? They deserve what they get.

      (Disclaimer: I've flown Air Canada. The accomodations were very nice.)
      • by danielsfca2 ( 696792 ) on Wednesday August 20, 2003 @01:50AM (#6741665) Journal
        At Boston/Logan airport last Friday, I saw on a Delta departures/arrivals screen this Windows error dialog in front of the grid of flights:

        "At least one service failed to start..."

        I took a photo of it. I thought:

        - "I'm glad I don't run Windows." - "I'm glad I'm not flying Delta today."
        • Re:Windows servers (Score:3, Interesting)

          by media_whore ( 695970 )
          You should visit New Zealand some time. I can honestly say, I have never visited an international airport terminal here where there has not been at least one of the arrival/departure screens showing 'This program has performed an illegal operation'. And I visit a fair few international airports.
          • where there has not been at least one of the arrival/departure screens showing 'This program has performed an illegal operation'. And I visit a fair few international airports.

            Just because the displays use Windows doesn't mean anything. It was probably easier for whoever developed the system to develop it on Windows. For all you know it could be getting all of the data from a Linux server. I have seen other cases where Windows is only used as the front end. Banks, for example. PC Financial [pcfinancial.ca] uses Win2k
      • by Anarchofascist ( 4820 ) on Wednesday August 20, 2003 @04:44AM (#6742164) Homepage Journal
        My wife and I were going through Dublin airport when I noticed that a number of the airport schedule display screens were going through a reboot sequence. I showed it to her : "Hey, looks like that one crashed."

        She had to point out that a more alarming interpretation of the word "crashed" may have been made by some of the other people in the arrivals area.
    • by Mr. Bad Example ( 31092 ) on Wednesday August 20, 2003 @12:03PM (#6745648) Homepage
      MS exploit virus comes out.
      mysterious patching virus starts making the rounds. massive consequences.
      we should be doing this more often, kids.


      That's the worst haiku I've ever seen.

  • Hm... (Score:3, Insightful)

    by gooru ( 592512 ) on Wednesday August 20, 2003 @01:22AM (#6741522)
    So, the question I have is: do you think he was trying to be a good Samaritan and just wrote something that caused serious problems, or do you think he purposely wrote something that would cause problems but would spread wild due to the ostensible good it was trying to do?
    • Re:Hm... (Score:5, Insightful)

      by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Wednesday August 20, 2003 @01:47AM (#6741640) Homepage
      Personally, I'd have written a worm that enables automatic updates and XP's inbuilt firewall. If windowsupdate can't handle the load perhaps they shouldn't have designed it in a way that -purposely breaks- normal web caching.

      The current round of worms are clumsy and unimaginitive. I think it's only a matter of time before we see a worm that does some -real- damage.

  • This is exactly why (Score:5, Informative)

    by Magic Thread ( 692357 ) on Wednesday August 20, 2003 @01:22AM (#6741524) Homepage Journal
    "cleanup" worms are still bad. Since the original worm didn't do anything except attack a domain name that's no longer in use, the cleanup one may even be worse.
    • by admbws ( 600017 ) on Wednesday August 20, 2003 @01:44AM (#6741624) Homepage Journal
      It's a case of a lesser of two evils. The problem is, there are thousands of exploitable boxes and if nothing is done about it, in the long term, this is going to cause some serious problems. Many of the owners of these systems will never fix or patch them themselves.

      It's really a toss-up between a worm that temporarily slows down networks by spreading and patching the systems it infects, then automatically deleting itself after a set date, or a script kiddie scanning the entire internet, picking up these boxes and adding them to his DDoS network, which can slow down all or any network(s) (root DNS servers, anyone?) he or she chooses at a later date.

      It is for this reason, IMHO, that these exploitable boxes are a threat to the integrity of the internet, and while writing a worm to automatically patch the systems might be rather militant, something has to be done about it.
      • by zangdesign ( 462534 ) on Wednesday August 20, 2003 @02:44AM (#6741868) Journal
        writing a worm to automatically patch the systems might be rather militant, something has to be done about it.

        Yes, and the proper thing to do would be to contact the system administrator and let him/her know that their system is vulnerable. Releasing another worm to patch the first worm is just as morally wrong and illegal, since it is entering the system by unauthorized means.

        Two wrongs do not make a right. Frankly, I hope they find both the guys that wrote those damnable things and throw them both in jail.

        The moral of this story is: keep your damn hands off something that ain't yours.
      • by sperling ( 524821 ) * on Wednesday August 20, 2003 @03:28AM (#6741974) Homepage
        This worm is just as bad, maybe even worse than the first.

        Script kiddies are in fact way safer now than before this good samaritan, since most of the lazy users that have been compromised also by other means than the initial worm now will think everything's fine and leave the additional rootkit installed and running. If this second worm hadn't made things appear normal again, these users would have to reinstall their systems and thus get rid of e.g. the IRC drones that currently annoys most of the major IRC networks, including the one I admin a server on.

        In addition, this worm wastes bandwidth on somewhat responsible users that do not trust something using an exploit for gaining access to keep their systems secure. Would you leave your box as is if this worm had "secured" you? Or would you be worried and prefer to reinstall and manually patch?

        However good the intentions of this worm might be, it's just adding to the problem.
      • by Anonymous Coward
        Let me say up front that the IT department at my company is not at all on top of things like massive exploits. The company LAN has suffered the wrath of Nimda (for several days because IT neglected to tell people to shut down Everyone shares), Code Red, and now MSBlast and MSBlast.D.

        However, I'm our one man Hosting and Deployment department for our web-based apps, so I am pretty diligent about this stuff.

        About a week after MS released the RPC patch, I had it tested and on all the servers used to deliver
  • of course it's causing more problems, because it's PREVENTING MSBlaster from causing the problems in the first place. any slowage at all would be considered more of a problem than no virus at all.
  • by evn ( 686927 ) on Wednesday August 20, 2003 @01:23AM (#6741527)
    Flying is hard enough - they tell you it's the safest way to travel. Now we find out it's run by a system famed for it's ability to crash?!

    The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.

    Seriously though, that sounds more like the airline's standard crumby service than the latest Microsoft worm/virus is to blame.
  • Another article... (Score:5, Interesting)

    by Dark Nexus ( 172808 ) on Wednesday August 20, 2003 @01:23AM (#6741529)
    The Register also has an article [theregister.co.uk] on this.

    Basically the same core facts, but also talks about the ethical issues with "good" worms.
  • Ultimately... (Score:5, Interesting)

    by metatruk ( 315048 ) on Wednesday August 20, 2003 @01:23AM (#6741531)
    ISPs are going to start firewalling off more and more ports because of the fact that Windows is insecure. But more importantly, customers don't care enough about the problems to deal with their own responsiblity: securing their own machines.

    Many ISPs already filter the standard windows NetBIOS ports (137-139, i think) because of possible attacks.

    I think this opens an interesting problem. If people don't start taking their own computer's security seriously, other people will be forced to -- their ISPs. Will ISPs become liable then if attacks do take place?
    • Re:Ultimately... (Score:5, Insightful)

      by Tim C ( 15259 ) on Wednesday August 20, 2003 @01:48AM (#6741649)
      Many ISPs already filter the standard windows NetBIOS ports (137-139, i think) because of possible attacks.

      I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?

      True, it shouldn't be the responsibility of the ISP, and no, I'm not exactly happy with the thought of port filtering becoming common place and extending to other ports (ftp, ssh, http, etc - after all, "it's a home connection, you shouldn't be running servers..."). As an interim measure, though, it at least does help to contain the problem.

      If people don't start taking their own computer's security seriously

      I think you have that wrong. People do take their computer's security seriously, they just don't know enough about it. They also, largely, expect to be able to just switch their computer on, and have it work, like everything else they use. TV, video, dvd, microwave, car, central heating - they're all made, installed or set up once, and then just work. If they break down, they're replaced, or a qualified engineer is called to fix them.

      People aren't yet used to the idea that computers don't quite act like that. You and I may have been working closely with them for years, but most "ordinary" people haven't. So, they expect them to require the same amount of effort as everything else they use.

      I think that PC manufacturers could go a long way to helping here - shipping with firewalls and virus scanners preinstalled and configured. Perhaps have a couple of big, impossible to miss buttons on the desktop - "click here if this machine is connecting directly to the internet", "click here if this machine will not connect to the internet, or will connect via another machine on the network", "click here if you don't know what that means", that configures the machine appropriately for its role. That way, the gateway can be secured, while the rest of the network can share files and printers. No, that's not a foolproof plan, but I think it would go a long way to helping solve the problem.

      Don't just bitch and moan at the "clueless, irresponsible" users - teach them to know better, and help them while they're learning.
      • Re:Ultimately... (Score:3, Insightful)

        by lightcycle ( 649999 )
        I don't think that impossible to miss buttons will help at all. People will click them and be none the wiser what they really do behind the scenes.
        What people need to realise is that a computer is not like their microwave or tv. A computer doesn't come with all those limits in what they can do. Therefore, a computer must also be more complicated to use.
        Somehow, people that buy a computer must realise that it won't plug and play. They will have to read some documentation (Which should be supplied by the ma
      • Re:Ultimately... (Score:3, Interesting)

        by Gothmolly ( 148874 )
        What possible reason is there to have file and printer sharing open to the internet?
        Because I want to.
        Because I can.
        Because it's easier than trying to nail up some IPSEC tunnel between my Win box and someone else's.
        ISPs ARE and SHOULD not become content producers, providers, or censors. It's connectivity, that's all. Otherwise, when do you stop?
      • I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?

        It's good and bad and something of a slippery slope. When I sign up with an ISP, I want IP service -- the ability to send and receive any and all IP datagrams, regardless of their type or subtype. If my ISP starts filtering my IP service based on the overflowing basket of potential IP-based vulnerabilities, I lose that IP service. That's bad.

        It's also something that "controllers" will
    • Re:Ultimately... (Score:5, Insightful)

      by iamacat ( 583406 ) on Wednesday August 20, 2003 @01:55AM (#6741683)
      Surely operating systems should be very secure by default, as in not accepting ANY incoming connections, no ActiveX, no executable e-mail attachments. One shouldn't have to install security patches every week just to read e-mail and browse the web.

      What we have here is one company's lack of responsibility and desire to make a quick buck without working on software quality. Its so fortunate they don't make cars.
    • Re:Ultimately... (Score:3, Insightful)

      by hdw ( 564237 )
      This is a discussion that I think most ISPs have had for many many years.

      Blocking dangerous ports would be a good thing for most ISPs, they want subscribers and online time, but preferrably as little traffic as possible.
      Even more so as broadband/always-on connections multiply.

      But all forms of ISP controlled blocks create two problems.

      Some people want those ports open, some because they use those ports, some because they se it as an invasion of privacy (it's _my_ port, and _my_ computer, _I_ decide if

  • Can't someone just right another worm to stop the worm stopping the worm?
    It's all getting a bit silly isn't it. The worse thing is that every incident like this is just another piece of ammunition for the pro-DRM companies.
    It also encourages the conspiracy theory people. After all why shouldn't Microsoft enjoy these worms so that people demand that their computers be locked down and be *safe* from the outside world
    • Can't someone just right another worm to stop the worm stopping the worm?

      Sure, but what happens when they left another worm?
  • Article text (Score:5, Informative)

    by Magic Thread ( 692357 ) on Wednesday August 20, 2003 @01:26AM (#6741545) Homepage Journal
    Since the article's filename is "flash1.html," I doubt it's staying in that location forever, so here is the text. Posting logged-in because of the insidious article text trolls that have been plaguing Slashdot recently.

    COMPUTER WORM THWARTS POWER SYSTEM REPAIR IN CANADA
    Tue Aug 19 2003 20:33:34 ET

    TORONTO (CP) - A computer worm designed to eliminate an earlier virus brought computer networks to a standstill Tuesday, hindering efforts in Ontario to recover from last week's power outage and forcing Air Canada to check passengers in manually across the country. Vancouver International Airport reported huge delays and long line ups in the international departures terminal as the virus slowed Air Canada's check-in computer system.

    Air Canada spokeswoman Laura Cooke said the virus affected the airline's call centre in Toronto and check-in systems across the country.

    ``It is causing delays in processing customers at airports,'' she said.

    The worm also slowed Ontario's efforts to repair the hydro system from last week's blackout.

    ``The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario,'' said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.

    Inside the terminal in Vancouver, passengers, some of whom have been stranded since the blackout-related problems of last Thursday, were frustrated.

    ``It's a nightmare,'' said one unidentified woman. ``The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.''

    The worm targets computers running Windows 2000 and Windows XP and infected with the blaster worm. Once it deletes the blaster worm, the computer attempts to download a patch of the Microsoft update site, installs the patch and reboots the computer.

    It searches for active computers by sending a signal across the Internet, which results in significant increases in traffic.

    Internet security firm Symantec identified over 600,000 computers on Tuesday afternoon that were affected by one of the two worms.

    Telus, the country's second-biggest phone company, saw operations for 411 operators slowed as the worm infected a number of internal systems at the company, while Corus Entertainment's Web site was down until the company was able to clean up its system.

    The worm snarled the network at the CBC, slowing the broadcaster's Web site.

    The Blaster worm also affected some computers of Ontario's emergency response system dealing with the aftermath of last week's huge blackout across a swath of the province and eight U.S. states.

    Dr. James Young, the Ontario commissioner of public safety, said the problem was ``making our job more difficult.''

    Symantec assessed the worm a ``Level 4'' threat, the second-highest, due to reports of severe disruptions on internal networks.

    ``Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,'' Vincent Weafer, senior director of Symantec Security Response, said.

    ``The worm is swamping network systems with traffic and causing denial of service to critical servers with organizations.''

    It was not known where either of the worms originated. However, blaster, also known as lovsan because of a note it left on vulnerable computers _ ``I just want to say LOVE YOU SAN!'' _ also carried a hidden message to taunt Microsoft's chairman: ``billy gates why do you make this possible? Stop making money and fix your software!''

    Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which fir
  • Re: (Score:2, Funny)

    Comment removed based on user account deletion

    • > My cable went out for about 2-3 hours earlier, and even before it went out everythings been slow, and still is.

      Yes, due to the state of emergency we'll all have to shoot for "second post" until this dies down, since the internet isn't physically fast enough to let anyone get a "first post" in right now.

  • by nacturation ( 646836 ) <nacturation@gmai l . c om> on Wednesday August 20, 2003 @01:30AM (#6741559) Journal
    From the article:
    ``The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario,'' said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.
    So basically they haven't yet learned how to block port 135 on their networks? And they refer to a worm as a virus. I'm glad I don't live in Ontario right about now.
    • by Black Parrot ( 19622 ) on Wednesday August 20, 2003 @01:35AM (#6741582)

      "The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario," said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.
      > So basically they haven't yet learned how to block port 135 on their networks? And they refer to a worm as a virus. I'm glad I don't live in Ontario right about now.

      One suspects that the power companies in that corner of the world are oh-so-glad to have any random excuse right now.

    • by WoTG ( 610710 ) on Wednesday August 20, 2003 @01:48AM (#6741645) Homepage Journal
      Or maybe some people actually have a local network that uses port 135! As much as I like to knock the things that go on at Air Canada, I can't really blame this one on them.

      You can't usually block port 135 to all local traffic, because it has legitimate uses on MS networks. So, if a brand new worm or virus comes out, few if any anti-virus programs will detect it. Virus scanners, by-and-large are reactionary. They can't (usually) scan for what they don't know exist. It sounds like this particular worm was written to spread extremely quickly, and few had a chance to develop or update their virus definitions.

      Given this environment, all it takes is one machine to get infected before the entire network gets hit.
  • by Anonymous Coward on Wednesday August 20, 2003 @01:31AM (#6741566)
    If it were a good samaritan worm, why would it exploit the WebDAV hole, too? Fact is, this is a sneaky worm, not a prophylactic.

    It doesn't just kill the other worm. It replaces it. It's several orders of magnitude better at scanning, persists after reboot just like Blaster, and leaves a backdoor open, just like Blaster.

    OTOH, if you set your DNS to spoof "download.microsoft.com" and point it to an unproxied web server which gives it a different executable file instead of the patch it tries to pull, it will run that executable just dandy. Interesting things you can do to a worm-infected system besides patching it and leaving the infection intact are legion.

  • It's not a bug, it's a feature.

    A feature MS wants you to patch and remove to optimize the feature's capability, really, I swear

    Don't you hate a linux geek that gloats >-)
  • Oh FFS! (Score:4, Funny)

    by marcushnk ( 90744 ) <senectus&gmail,com> on Wednesday August 20, 2003 @01:36AM (#6741586) Journal
    If they just made sure their bloody networks were patched and firewalled correctly they wouldn't have this issue..

    Frankly I think that anyone that complains about this needs a good hard leson in cause and effect.. oh hang on.. looks like they're getting that now!
    Lets hope they're bright enough to recognize it.
    • Re:Oh FFS! (Score:5, Insightful)

      by cbdavis ( 114685 ) on Wednesday August 20, 2003 @01:57AM (#6741698)
      We got this crap at work. Firewalls didnt help
      because someone in the office took his notebook
      home, got infected and then brought notebook
      into work. Silent infection. You can build
      multiple firewalls but it is worth nothing if
      your users dont protect their networks at home.
      • Re:Oh FFS! (Score:3, Insightful)

        by R.Caley ( 126968 )
        Firewalls didnt help because someone in the office took his notebook home, got infected and then brought notebook into work.

        If you let people plug random machines into your network, you, to all intents and purposes, don't have a firewall.

        Laptops which visit the outside world need to be treated as external machines, not internal ones.

  • And this is bad? (Score:5, Interesting)

    by rossz ( 67331 ) <ogre@NosPAm.geekbiker.net> on Wednesday August 20, 2003 @01:39AM (#6741596) Journal
    So the networks are brought to a crawl due to the large amount of traffic necessary to patch systems because incompetent MSCEs are too incompetent to do the job themselves?

    Well cry me a fucking river.

    With all the worm and virus activity in the last few months they have absolutely no damn excuse for not being on top of this. Since they are too stupid to do their job, someone found it necessary to do it for them. Personally, I would have considered a disk formatting worm to be fully justified.
    • by twitter ( 104583 ) on Wednesday August 20, 2003 @09:54AM (#6744176) Homepage Journal
      So the networks are brought to a crawl due to the large amount of traffic necessary to patch systems because incompetent MSCEs are too incompetent to do the job themselves?

      That's a little harsh, don't you think? People did apply patches, they just did not work. The only incompetent thing it to use or recomend Microsoft in the first place. It should be obvious by now that M$ has no place on a network. More than a year after Bill Gates made security job one, M$ still blows and it always will.

      I would have considered a disk formatting worm to be fully justified.

      Well, it would require fewer network services and people could get on with the rebuild job they need anyway. Face it, you can't trust a worm to do your job. If you get either of these, it's time to break out the CDs and rebuild the machine because you can't trust a worm to not be trojaned. That would be nicer than making it so no computer can use a network because these broken boxes are spewing their guts out trying to get M$ patches.

      The answer is to dump Microsoft all together. Free software is obviously superior by now and no one need to spend good money on bad Microsoft software anymore. Disasters like this just go to show the real TCO of that junk. The colatoral damage to people who don't run M$ at all is unaceptable as well.

      You have to wonder if businesses that don't use M$ anymore but were unable to use networks because of it can sue M$ and the dummies that still use them. Sounds like another billion dollar classaction lawsuit followed by thousands of individual suits to chip at the rapidly diminishing M$ pile of ill gotten cash.

  • by chill ( 34294 ) on Wednesday August 20, 2003 @01:42AM (#6741613) Journal
    Considering the original and first variant of the MSBlaster worm made major headlines, why were these systems still vulnerable?

    Are each of those systems equipped with a 9-volt battery and a cheap Somebody Else's Problem field?

    And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.
  • by sllim ( 95682 ) <achanceNO@SPAMearthlink.net> on Wednesday August 20, 2003 @01:45AM (#6741629)
    This new worm, it looks to me like it is being dubbed an anti-virus.

    Most of the time I learn about something and think it is new it is not. So I won't act shocked when some /.r comes forth and cites instances of anti-viruses in the past.

    However I personally have not come across this before.
    I predict that the anti-virus will never be as prevolent as the virus, but we can expect to see them from here on out.

  • I got this on pay-per-view last week and it was totally fixed. MS Blaster dove off the top rope onto MS Patcher, and then kept booting him, and rebooting him. MS Patcher was like, "Huh? What?" until his manager got in the ring and slapped him.

    You couldn't tell, but I used the freeze-frame on my Beowulf cluster of Tivos and saw that there was hidden IP in Blasters hand.

    I was so pissed, I called Fight Update to complain, but the lines were all busy.

    Never again will I pay $179 for a pay-per-view wrestling match...although the upcoming free-for-all cage match between SCO, Linux, IBM, Novell, Red Hat and FSF sounds pretty interesting. I bet that PanIP will make an appearance and beat the hell out of somebody too.

    Someone always gets in the cage at the last minute.

  • by mcc ( 14761 ) <amcclure@purdue.edu> on Wednesday August 20, 2003 @01:51AM (#6741670) Homepage
    ...of two huge monsters battling over Tokyo and knocking over buildings in their fight while the puny sysadmins in their tanks futilely try to hurl patches, and one of the huge monsters is Good and one of the huge monsters is Bad but no matter becuase even if the good one wins, Tokyo is getting stomped flat either way?

    Okay, I think I've just proven that I've been awake too long. Goodnight..
  • by skinfitz ( 564041 ) on Wednesday August 20, 2003 @02:02AM (#6741718) Journal
    Firstly during Code Red it got blamed for Internet slowdown, until someone realised that some major net cables were damaged in a train tunnel fire that later turned out to be the real reason [bbc.co.uk].

    Secondly, lots of people are (hopefully) going to be scrabbling for WindowsUpdate [microsoft.com] for patches which will also add to the bandwidth being consumed.
  • by CB-in-Tokyo ( 692617 ) on Wednesday August 20, 2003 @02:03AM (#6741720) Homepage
    So far, we rarely see a truly malicious worm or virus. Most of what we see are certainly annoying, can be expensive to clean, and cost businesses in terms of downtime, network slowdowns and data loss, however, they could be a whole lot worse. The worst one I remember is Chernobyl that would flash anything in your computer that was updateable from your video card to your Mainboard leaving you with a (figuratively) smoking lump of useless, twisted metal.

    We are always finding out about vulnerabilities. This one obviously existed since the beginning of time since it is exploitable on all post 3.1 versions of windows. If someone years ago had made a worm that infected systems slowly, so as not to draw attention, and then in a given time frame was really destructive such as chernobyl, we could end up having real problems on our hands.

    These worms that make us find and patch these holes, without wiping our systems out, are costly, yes, and annoying yes, but they are also protecting us from the really malicious ones, by making us all more aware, and ensuring that steps are taken to prevent. I am not just talking about the cleanup worm, but also MSblaster. It doesn't destroy anything, but it makes us protect ourselves, makes us develop an immune system.

    I am not saying I like them, and in my work I am the one responsible for protecting our offices, and cleaning up if something were to get through but I would rather be protecting from MSBlaster, than something really nasty.

    • Totally untrue! (Score:5, Interesting)

      by fireboy1919 ( 257783 ) <rustyp AT freeshell DOT org> on Wednesday August 20, 2003 @04:02AM (#6742073) Homepage Journal
      It's not the affending system that is attacked and destroyed, it's the systems that are attacked via DDOS through the hacked boxes using signal propagating viruses.

      Have you heard of Dalnet? The network that used to be the largest of the IRC networks? It isn't now. Four months of DDOS attacks against all it's servers brought that to a halt (and there were like 10 of them). It's come back up, but most people have moved to other networks.

      Maybe you didn't see this as a real problem because it didn't affect you, but four months can do more than merely wipe data or destroy hardware. They can take down businesses forever.

      I'd rather have the "malicious ones" destroy computers owned by users who are partially to blame for letting in viruses than destroy businesses that have no fault at all in the matter.

      On an interesting parallel: one of the most destructive viruses (real world) on the planet is Ebola. How do you think it's rate of spreading and death rate compare to AIDS? It's the slow, insideous viruses that you have to worry about, not the ones that are obvious. Not knowing that the virus is there is the best defense a virus has against innoculation or containment, which gives it more time to spread and wreak havok.
  • by htmlboy ( 31265 ) on Wednesday August 20, 2003 @02:06AM (#6741733)
    this is a battle of bad worm vs. less obviously bad worm. i don't understand why nobody seems to realize that naichi is also a threat. besides the fact that it's a worm, it leaves behind a pair of services, exposing the "repaired" computer to future exploitation, next time through a more convenient tftp interface.

    is it really that much to ask people to read an advisory of how the worm works [nai.com] before cheering it on?
  • iptables rules (Score:5, Informative)

    by dmeranda ( 120061 ) on Wednesday August 20, 2003 @02:09AM (#6741744) Homepage

    For those who run a Linux firewall between a network of Windows boxes and the Internet you should rate limit those IP echo (ping) packets. Refer to my previous posting [slashdot.org] where I showed some sample iptables rules.

    Of course my firewalls have port 135 (and a lot more) blocked. Still, it is very hard to keep out of a large network, it doesn't have to get through a firewall. But once inside it can quickly spread and then your firewall or border router will get flooded with pings. I was seeing well over 1 million pings per minute. At that rate my stateful Linux firewall was crawing on its knees as the connection tracking table filled up trying to remember all those echo requests so it could match them up with the echo responses. It didn't crash Linux, but it did render it near useless.

    The scariest thing with all these worms is thinking about what could have been. What if they actually did something much more serious? What if they throttled back on the network scanning just a bit so they didn't take the network completely down and it took longer to notice?

  • just why... (Score:3, Insightful)

    by mahhy ( 10505 ) on Wednesday August 20, 2003 @02:29AM (#6741822)
    Why would the "fix" worm be this much worse than the original? They do essentially the same thing, use the same exploit, transmit themselves the same way. The only different I can see is that the "fixer" reboots your PC once, whereas the original could continuosly reboot you PC. Why is the press making it sound (at least in this case) that this worm is worse than the original?!

    Perhaps its the worms attempt to download the patch from MS thats causing all the headaches, but the patch *IS* rather small, so I'm not very convinved on that point.

    Am I being paranoid, or overreacting or what?
    • Re:just why... (Score:3, Insightful)

      by NeuroManson ( 214835 )
      Well, if the number of users with unpatched systems range into the millions at the most, and are ALL downloading the 30-40Mb of patches from Microsoft, AND are all spreading the worm simultaneously, then the traffic use is more than likely in the range of several thousand mangnitudes, then yes, they would do much more damage to both windowsupdate.com and the ISPs the users are using.
  • by FireFury03 ( 653718 ) <slashdot@nexTIGERusuk.org minus cat> on Wednesday August 20, 2003 @04:22AM (#6742121) Homepage
    Worms are bad. Period. Even if the worm is supposed to be good then the damage it can do in terms of network usage, etc causes problems.

    However, vulnerable boxes do cause a lot of problems, so IMHO a better solution is for those people who care about such things to install a system on their firewall that responds to scans - if a machine scans your firewall then you look to see if you recognise the signature of the scan (i.e. the likes of Code Red, ete, have quite distinctive patterns of scanning) and then your firewall launches an exploit against that machine that is scanning you. Once exploited the system would take some action to close the vulnerability and remove the worm (i.e. turn on the auto update stuff, install whatever patches are needed, etc). After it's done that the software that you installed through the exploit would delete itself.
    This is a defense - the machine in question attacked your network so your network responded by fixing the compromised machine - no other (innocent) machines are affected by the problem.

    ISPs also need to do something to help the situation IMHO - there is no sane reason to use Netbios over the internet so this should be blocked by every ISP (I know some do already, but the vast majority still allow it).

    And remembering that 90% of home windows uses are completely clueless when it comes to security, they need to be forced into fixing their systems. The best way I can see of doing that is for all ISPs to look for scans coming from their customers - if a machine is making a lot of scans to lots of hosts all over the internet that matches the signature of a known worm, the ISP should pull the customer's entire internet connection. Infact it wouldn't be too hard for the ISP to intercept all web requests and redirect them to a website with all the patches on it. This is damage limitation - if a machine is compromised and is attempting to compromise other machines then it is essential that machine is taken off the network ASAP. If all the ISPs followed these steps then the spread of worms would be severely reduced.
  • Not just in Canada (Score:3, Informative)

    by BigBadBri ( 595126 ) on Wednesday August 20, 2003 @04:26AM (#6742126)
    Lockheed Martin [fortwayne.com] and possibly the US Navy [computerworld.com.au] (they may have mistaken Patcher for BLaster) are reported to have been hit too.

  • by Rogerborg ( 306625 ) on Wednesday August 20, 2003 @05:31AM (#6742315) Homepage

    There is absolutely no evidence that Welchia is worse than Blaster, as a cursory reading of the linked article would reveal to anyone who passed the fourth grade.

    If you're unpatched, you either get Welchia, or you get Blaster. They both hose your network. If you're too stupid to block the ports and apply the patches, then you're going to get one or the other.

    Go on, pick one. Not that it makes any difference. Welchia isn't worse than Blaster. Sure, it opens a port, and everyone is assuming (why?) that this is a back door, but as long as you're unpatched and your 135 port is open, arbitrary code can be run on your box anyway, so how does Welchia make that worse?

    Lies, damn lies, statistics, Slashdot reporting.

  • W2K Service Pack 2 (Score:4, Insightful)

    by b1t r0t ( 216468 ) on Wednesday August 20, 2003 @07:56AM (#6743060)
    The patch for this exploit under Windows 2000 requires Service Pack 2 be installed first. I know that all the downloading for the patch is causing these network problems, but just assume for a moment that the patcher worm gets to a W2K system that has never had a Service Pack upgrade. If it's not perfectly written, it'll download the patch, try to install it, then reboot the computer, right?

    So what if it's sitting there saying "This patch requires Service Pack 2", and the worm reboots? The result: a still unpatched system! Even if the worm were to consider its work done, after reboot the computer can be re-infected. Which means another download of the patch gets started! Can you say "Sorcerer's Apprentice"?

    Even if the worm were smart enough to download a service pack, we're talking over 100 megabytes. That can take a while if you don't have good broadband, and meanwhile it's providing a nice accidental DDoS against microsoft.com.

  • Worm (Score:3, Funny)

    by Eviscero ( 675126 ) on Wednesday August 20, 2003 @09:03AM (#6743686) Journal
    I'm going to develop a worm, that mutates into two different worms...one will be the democrats, the other will be the republicans.

    On the first Tuesday in November, one of them will activate and fill your computer, television and radio with loads of bullshit.
  • by RALE007 ( 445837 ) on Wednesday August 20, 2003 @11:10AM (#6745033)
    After reading the article, I had a haunting feeling of deja vu, most notably to the paragraph:

    "...Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which first started hitting computers around the world on Monday. ..."

    I could have sworn I had read the exact same statement in a different article a few days ago. The statement had stuck in my head because it implied the worm problem was completely users fault for not installing the patch. Since it seemed so familiar, I googled [google.com] the phrase "Although Microsoft posted a software patch to fix the flaw" (google limits you to ten words or less). Lo and behold, hundreds of hits for individual separate articles from "different" news sources with the exact same paragraph, completely verbatim. I am aware that information is shared through the associated press, but personally I find it unsettling that all of these news authors do little more than cut and paste another authors words (and voice), instead of writing an article on the same subject with different points of view or ways of expressing the facts. It is especially concerning when the statement in this example seems to slant blame away from a responsible party, Microsoft, in a serious situation that they are largely (IMO) accountable for.

    Perhaps I am off topic, but I felt obliged to point out my discovery. I didn't think it was possible, but my level of trust in the quality of information in the media has dropped yet another rung.

"A mind is a terrible thing to have leaking out your ears." -- The League of Sadistic Telepaths

Working...