Worm vs. Worm Battle Slows Networks 559
joel_archer writes "According this article at the DrudgeReport, a worm, apparently designed to patch MSBlaster infected Win2K and XP machines, brings various Canadian networks to a crawl. Hardest hit was the 411 system, Air Canada, and Ontario hydro electric operations. Apparently this is causing more problems than MSBlaster itself."
hmm, i wonder. (Score:5, Funny)
mysterious patching virus starts making the rounds. massive consequences.
we should be doing this more often, kids.
-Leigh
Re: hmm, i wonder. (Score:5, Funny)
> MS exploit virus comes out. mysterious patching virus starts making the rounds. massive consequences. we should be doing this more often, kids.
Yeah, I'm working on a worm to kill off the worm that was supposed to fix Blaster, but I've been busy and haven't gotten it out yet. Look for it in your mailboxes tomorrow!
Re: hmm, i wonder. (Score:5, Funny)
21st century version of CoreWars (Score:5, Interesting)
MS Windows Virus Wars. Comming to a desktop near you. Let the evolution begin.
I agree (Score:3, Insightful)
(Disclaimer: I've flown Air Canada. The accomodations were very nice.)
Windows servers (Score:4, Funny)
"At least one service failed to start..."
I took a photo of it. I thought:
- "I'm glad I don't run Windows." - "I'm glad I'm not flying Delta today."
Re:Windows servers (Score:3, Interesting)
Re:Windows servers (Score:3, Informative)
Just because the displays use Windows doesn't mean anything. It was probably easier for whoever developed the system to develop it on Windows. For all you know it could be getting all of the data from a Linux server. I have seen other cases where Windows is only used as the front end. Banks, for example. PC Financial [pcfinancial.ca] uses Win2k
Re:Windows servers (Score:5, Informative)
Yeah. It's amazing where you'll find Windows. For the past few days, the local public education cable channel has had a Windows login prompt misdisplayed.
Airport FIDS (Flight Information Display Systems) tend to run Windows. I used to manage a system of a few thousand displays running a weird Continental Airlines and Infax proprietary protocol. There were two big reasons for using Windows, despite the suckage. One is that it's a hell of a lot easier to find programmers who can do custom work quickly in the Windows enviroment. The other is that Windows support for things like multi serial cards and stuff is a lot better; we often didn't have too much choice in the hardware we had to use (strange implementations of the old current loop, on 16 ports, for example... with only one supplier). Airports are very conservative, and with good reason. They really don't like change. Lots of serial cabling and repeaters where Ethernet would have done a great job.
How about this one: The Canadian government's Office Of Critical Infrastructure Protection and Emergency Preparedness [ocipep.gc.ca] runs IIS.
Why, given the nature of the department and (one would hope) its awareness of the threats, would they use IIS while more stable and more secure alternatives are still available?
This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.
Looking at that site and seeing the fragile infrastructure they're using, I can't help but feel proud to be a Canadian. Jesus wept.
Re:Windows servers (Score:4, Interesting)
Re:Windows servers (Score:5, Insightful)
In my hiatus from technical employment (over now after 18 long months) amongst other things I've worked as a baggage handler.
The clients for the baggage reconciliation system (BRS - ensures bags travel if and only if the passenger gets on the plane, implemented after Lockerbie) run on Windows 3.1!!!
First thing I thought is, what happens if someone wiretaps the network cable? I'd guess it wasn't encrypted, or if it is, it's a 10 yr old technology, How long would it take to crack it, learn protocols and be able to wreak havoc?
Must by archaic/vulnerable systems like that in key installations everywhere. Scary to think.
Re:Windows servers (Score:5, Interesting)
Because we wern't a paying customer, we were sent the company's test-mule where all the new developments were tried before going into production.
The machine used a lightly modified Windows 98 installation as it's OS. Security was non-existant, as any idiot (me) could go in and monkey with passwords, workgroup settings, and file locations. (I did this to get it to talk to our network for backup) I was concerned about this at first, until I realized that these devices
weren't used with mice or keyboards
and typically had armed guards nearby who took a dim view of people monkeying with the hardware
As far as the installation of windows, we used it for 3 months straight, with absolutely no crashes whatsoever. The only time it was rebooted was when it was shut down for the weekends.
Windows Emergency Services (Score:5, Interesting)
I'm not all that great on securing Windows boxes - but that sure didn't seem right. Considering this would be the first way (and for something like 5 minutes!) to warn the local emergency services of something - which could very well be a tunnel collapse/fire/whatever where 5 minutes easily can make a lot of difference in human lives. The program that was custom-made for emergency-reporting also seemed of pretty poor quality - most likely a case of lowest bidder with noone competent seeting intelligent rules for the bidders.
Re:Windows Emergency Services (Score:3, Insightful)
Granted, Win2k is prolly the best out for windows applications, but c'mon, unpatched/unstripped?
Are you suicidal?!
I've been having problems enough securing my Win2k machine securely, running only required (by me) services, and goddamn fully patched. Even though MS's patches break all my goddamn custom/low level apps.
Five minutes? If you're unware on an unpatched base Win2k install on an older service pack, it takes 5 seconds to hopelessly compromise a default Win2k install
Re:Windows Emergency Services (Score:4, Funny)
Re:Windows servers (Score:5, Insightful)
It's just their website, dude. It's not some mission-critical thing.
This is like a fire station which keeps the bin full of oily rags next to the Captain's personal collection of matchbooks from world-famous hotels.
No, it's as if a fire station's PR firm had the oily rags and matches. Well, if fire stations had PR firms, I mean.
Re:Windows servers (Score:5, Interesting)
I work at a gas station, and the computer that controls the gas pumps runs on windows. IOW, if windows crashes, nobody can pump gas, and nobody who has pumped gas already can pay for their gas. It hasn't crashed on us yet (AFAIK -- I've only worked there for a month, and the station has been in service for 2 years).
But, we have had some problems with it. One day, it kept popping up a stupid dialog saying that the computer is too hot and that if we don't cool it down fast then we'll have to shut it off. Yeah, like we're just going to turn off all our gas pumps in the middle of rush hour (the busiest time of day).
Later that same day, it popped up with a stupid message saying that had automatically downloaded and installed updates and patches for us. Seeing that message made me cringe, I was so worried that the patch might have broken something and rendered the entire gas station useless. *shudder*
Re:Windows servers (Score:5, Funny)
Please, please tell me that the pumps can't actually be controlled from the PC running the station...
Re:Windows servers (Score:4, Funny)
Re:Windows servers (Score:3, Funny)
Q.
Re:Windows servers (Score:5, Funny)
"Regular, midgrade, premium...CowboyNeal? The hell?"
Re:Windows servers (Score:4, Interesting)
What, would you rather it just packed up shop and died quietly?
Later that same day, it popped up with a stupid message saying that had automatically downloaded and installed updates and patches for us. Seeing that message made me cringe, I was so worried that the patch might have broken something and rendered the entire gas station useless. *shudder*
Since you're so worried about it, I hope you turned this feature off, then - but perhaps it's just as well, since it probably installed the RPC DCOM fix for you: right?
Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?
Re:Windows servers (Score:4, Funny)
So they can act swiftly and download patches :o)
Re:Windows servers (Score:4, Interesting)
Which leads me to wonder, as an earlier post did: why on earth is this system sitting connected to the Internet?
It might've installed the patch, if someone set it up that way. It's probably setup with 'net access for that reason. The clerk who seems to know better sounds like just a clerk though, and is probably (hopefully) locked out of administrative functions.
But then, probably not. Anyone who doesn't know by now not to just automagically update without warning or testing on a system you rely on is just too incompetant to be doing the job.
Re:Windows servers (Score:5, Funny)
[comic book guy voice] You would think that, but no, no they won't. [puts hands to face and continues to cry]
On a dead serious note, I have personally wasted 2 hours yesterday on this new strain of the worm (it took down a customer's network that one sub-project needs -- they are SOL). Add 10 hours for the original one and it's a big block of my time over the past week...so much so, that my contract has been extended at this site to deal with the backlog multiple departments are suffering with.
Here's the kicker; all *my* computers run Linux...yet, the network uses Windows, so the Linux systems become marginally useful even though they pur along fine by themselves.
Even though I'm not in the IS department on this project, I do get drafted because I know something...and the IS folks are not the cream of the crop here. Some are good, though they all do too much of the 'stand of one leg...no, server is still sick...stand on other leg...nope, is it time? OK, hit the lights and get the chicken while I light the candles.'.
You can bet that I've been pointing out that I have not had a single virus on my machines, though honestly that is a small value since most of what I do requires the damn network!
Re:Windows servers (Score:4, Insightful)
Indeed. My bank's ATMs have a cool touchscreen interface. Sometime ago, I was greeted by the usual window about "illegal operation", etc. The thing then rebooted, displaying what looked like a common PC BIOS, and booted Windows 2000.
This is a case where I think Windows is not too little, it is too much. One wonders how much this (Brazilian, once-public) bank spent with Microsoft licences and hardware when any small, light, specialized OS would do better.
Fortunately, this is changing. At least one [wikipedia.org] bank is already using Linux.
Windows on airport displays (Score:5, Funny)
She had to point out that a more alarming interpretation of the word "crashed" may have been made by some of the other people in the arrivals area.
Re:hmm, i wonder. (Score:5, Funny)
mysterious patching virus starts making the rounds. massive consequences.
we should be doing this more often, kids.
That's the worst haiku I've ever seen.
Hm... (Score:3, Insightful)
Re:Hm... (Score:5, Insightful)
The current round of worms are clumsy and unimaginitive. I think it's only a matter of time before we see a worm that does some -real- damage.
This is exactly why (Score:5, Informative)
Re:This is exactly why (Score:5, Insightful)
It's really a toss-up between a worm that temporarily slows down networks by spreading and patching the systems it infects, then automatically deleting itself after a set date, or a script kiddie scanning the entire internet, picking up these boxes and adding them to his DDoS network, which can slow down all or any network(s) (root DNS servers, anyone?) he or she chooses at a later date.
It is for this reason, IMHO, that these exploitable boxes are a threat to the integrity of the internet, and while writing a worm to automatically patch the systems might be rather militant, something has to be done about it.
Re:This is exactly why (Score:5, Insightful)
Yes, and the proper thing to do would be to contact the system administrator and let him/her know that their system is vulnerable. Releasing another worm to patch the first worm is just as morally wrong and illegal, since it is entering the system by unauthorized means.
Two wrongs do not make a right. Frankly, I hope they find both the guys that wrote those damnable things and throw them both in jail.
The moral of this story is: keep your damn hands off something that ain't yours.
Re:This is exactly why (Score:4, Informative)
Er... which system administrator would that be?
I get the impression the vast majority of systems that are still at risk belong to good old incompetent (through no fault of their own) home users. Contact and explain?... not likely to be very effective.
Re:This is exactly why (Score:4, Insightful)
Script kiddies are in fact way safer now than before this good samaritan, since most of the lazy users that have been compromised also by other means than the initial worm now will think everything's fine and leave the additional rootkit installed and running. If this second worm hadn't made things appear normal again, these users would have to reinstall their systems and thus get rid of e.g. the IRC drones that currently annoys most of the major IRC networks, including the one I admin a server on.
In addition, this worm wastes bandwidth on somewhat responsible users that do not trust something using an exploit for gaining access to keep their systems secure. Would you leave your box as is if this worm had "secured" you? Or would you be worried and prefer to reinstall and manually patch?
However good the intentions of this worm might be, it's just adding to the problem.
Re:This is exactly why (Score:3, Informative)
However, I'm our one man Hosting and Deployment department for our web-based apps, so I am pretty diligent about this stuff.
About a week after MS released the RPC patch, I had it tested and on all the servers used to deliver
yes (Score:2)
I think I'll take the bus (Score:3, Interesting)
The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.
Seriously though, that sounds more like the airline's standard crumby service than the latest Microsoft worm/virus is to blame.
Another article... (Score:5, Interesting)
Basically the same core facts, but also talks about the ethical issues with "good" worms.
Ultimately... (Score:5, Interesting)
Many ISPs already filter the standard windows NetBIOS ports (137-139, i think) because of possible attacks.
I think this opens an interesting problem. If people don't start taking their own computer's security seriously, other people will be forced to -- their ISPs. Will ISPs become liable then if attacks do take place?
Re:Ultimately... (Score:5, Insightful)
I see that as a good thing. What possible reason is there to have file and printer sharing open to the internet?
True, it shouldn't be the responsibility of the ISP, and no, I'm not exactly happy with the thought of port filtering becoming common place and extending to other ports (ftp, ssh, http, etc - after all, "it's a home connection, you shouldn't be running servers..."). As an interim measure, though, it at least does help to contain the problem.
If people don't start taking their own computer's security seriously
I think you have that wrong. People do take their computer's security seriously, they just don't know enough about it. They also, largely, expect to be able to just switch their computer on, and have it work, like everything else they use. TV, video, dvd, microwave, car, central heating - they're all made, installed or set up once, and then just work. If they break down, they're replaced, or a qualified engineer is called to fix them.
People aren't yet used to the idea that computers don't quite act like that. You and I may have been working closely with them for years, but most "ordinary" people haven't. So, they expect them to require the same amount of effort as everything else they use.
I think that PC manufacturers could go a long way to helping here - shipping with firewalls and virus scanners preinstalled and configured. Perhaps have a couple of big, impossible to miss buttons on the desktop - "click here if this machine is connecting directly to the internet", "click here if this machine will not connect to the internet, or will connect via another machine on the network", "click here if you don't know what that means", that configures the machine appropriately for its role. That way, the gateway can be secured, while the rest of the network can share files and printers. No, that's not a foolproof plan, but I think it would go a long way to helping solve the problem.
Don't just bitch and moan at the "clueless, irresponsible" users - teach them to know better, and help them while they're learning.
Re:Ultimately... (Score:3, Insightful)
What people need to realise is that a computer is not like their microwave or tv. A computer doesn't come with all those limits in what they can do. Therefore, a computer must also be more complicated to use.
Somehow, people that buy a computer must realise that it won't plug and play. They will have to read some documentation (Which should be supplied by the ma
Re:Ultimately... (Score:3, Interesting)
Because I want to.
Because I can.
Because it's easier than trying to nail up some IPSEC tunnel between my Win box and someone else's.
ISPs ARE and SHOULD not become content producers, providers, or censors. It's connectivity, that's all. Otherwise, when do you stop?
Good and bad, and a slippery slope (Score:3, Interesting)
It's good and bad and something of a slippery slope. When I sign up with an ISP, I want IP service -- the ability to send and receive any and all IP datagrams, regardless of their type or subtype. If my ISP starts filtering my IP service based on the overflowing basket of potential IP-based vulnerabilities, I lose that IP service. That's bad.
It's also something that "controllers" will
Re:Ultimately... (Score:5, Insightful)
What we have here is one company's lack of responsibility and desire to make a quick buck without working on software quality. Its so fortunate they don't make cars.
Re:Ultimately... (Score:3, Insightful)
Blocking dangerous ports would be a good thing for most ISPs, they want subscribers and online time, but preferrably as little traffic as possible.
Even more so as broadband/always-on connections multiply.
But all forms of ISP controlled blocks create two problems.
Some people want those ports open, some because they use those ports, some because they se it as an invasion of privacy (it's _my_ port, and _my_ computer, _I_ decide if
that's alright (Score:2)
It's all getting a bit silly isn't it. The worse thing is that every incident like this is just another piece of ammunition for the pro-DRM companies.
It also encourages the conspiracy theory people. After all why shouldn't Microsoft enjoy these worms so that people demand that their computers be locked down and be *safe* from the outside world
Re:that's alright (Score:2)
Sure, but what happens when they left another worm?
Re:that's alright (Score:3, Informative)
Article text (Score:5, Informative)
COMPUTER WORM THWARTS POWER SYSTEM REPAIR IN CANADA
Tue Aug 19 2003 20:33:34 ET
TORONTO (CP) - A computer worm designed to eliminate an earlier virus brought computer networks to a standstill Tuesday, hindering efforts in Ontario to recover from last week's power outage and forcing Air Canada to check passengers in manually across the country. Vancouver International Airport reported huge delays and long line ups in the international departures terminal as the virus slowed Air Canada's check-in computer system.
Air Canada spokeswoman Laura Cooke said the virus affected the airline's call centre in Toronto and check-in systems across the country.
``It is causing delays in processing customers at airports,'' she said.
The worm also slowed Ontario's efforts to repair the hydro system from last week's blackout.
``The system is under attack from the virus, and we've had more problems with this particular virus this afternoon than any other previous virus in Ontario,'' said Terry Young, a spokesman for the Ontario's Independent Electricity Market Operator.
Inside the terminal in Vancouver, passengers, some of whom have been stranded since the blackout-related problems of last Thursday, were frustrated.
``It's a nightmare,'' said one unidentified woman. ``The service is so bad; the management was so bad. The system is just a mess, just a mess. I had my luggage delivered to Toronto, I was told on Saturday, so I don't have anything.''
The worm targets computers running Windows 2000 and Windows XP and infected with the blaster worm. Once it deletes the blaster worm, the computer attempts to download a patch of the Microsoft update site, installs the patch and reboots the computer.
It searches for active computers by sending a signal across the Internet, which results in significant increases in traffic.
Internet security firm Symantec identified over 600,000 computers on Tuesday afternoon that were affected by one of the two worms.
Telus, the country's second-biggest phone company, saw operations for 411 operators slowed as the worm infected a number of internal systems at the company, while Corus Entertainment's Web site was down until the company was able to clean up its system.
The worm snarled the network at the CBC, slowing the broadcaster's Web site.
The Blaster worm also affected some computers of Ontario's emergency response system dealing with the aftermath of last week's huge blackout across a swath of the province and eight U.S. states.
Dr. James Young, the Ontario commissioner of public safety, said the problem was ``making our job more difficult.''
Symantec assessed the worm a ``Level 4'' threat, the second-highest, due to reports of severe disruptions on internal networks.
``Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,'' Vincent Weafer, senior director of Symantec Security Response, said.
``The worm is swamping network systems with traffic and causing denial of service to critical servers with organizations.''
It was not known where either of the worms originated. However, blaster, also known as lovsan because of a note it left on vulnerable computers _ ``I just want to say LOVE YOU SAN!'' _ also carried a hidden message to taunt Microsoft's chairman: ``billy gates why do you make this possible? Stop making money and fix your software!''
Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which fir
Re: (Score:2, Funny)
Re:My connection sucks (Score:3, Funny)
> My cable went out for about 2-3 hours earlier, and even before it went out everythings been slow, and still is.
Yes, due to the state of emergency we'll all have to shoot for "second post" until this dies down, since the internet isn't physically fast enough to let anyone get a "first post" in right now.
Re:My connection sucks (Score:4, Insightful)
How lame is their IT department? (Score:5, Insightful)
Re: How lame is their IT department? (Score:5, Funny)
One suspects that the power companies in that corner of the world are oh-so-glad to have any random excuse right now.
Re:How lame is their IT department? (Score:5, Insightful)
You can't usually block port 135 to all local traffic, because it has legitimate uses on MS networks. So, if a brand new worm or virus comes out, few if any anti-virus programs will detect it. Virus scanners, by-and-large are reactionary. They can't (usually) scan for what they don't know exist. It sounds like this particular worm was written to spread extremely quickly, and few had a chance to develop or update their virus definitions.
Given this environment, all it takes is one machine to get infected before the entire network gets hit.
Not a good samaritan worm (Score:5, Interesting)
It doesn't just kill the other worm. It replaces it. It's several orders of magnitude better at scanning, persists after reboot just like Blaster, and leaves a backdoor open, just like Blaster.
OTOH, if you set your DNS to spoof "download.microsoft.com" and point it to an unproxied web server which gives it a different executable file instead of the patch it tries to pull, it will run that executable just dandy. Interesting things you can do to a worm-infected system besides patching it and leaving the infection intact are legion.
But, really! (Score:2)
A feature MS wants you to patch and remove to optimize the feature's capability, really, I swear
Don't you hate a linux geek that gloats >-)
Oh FFS! (Score:4, Funny)
Frankly I think that anyone that complains about this needs a good hard leson in cause and effect.. oh hang on.. looks like they're getting that now!
Lets hope they're bright enough to recognize it.
Re:Oh FFS! (Score:5, Insightful)
because someone in the office took his notebook
home, got infected and then brought notebook
into work. Silent infection. You can build
multiple firewalls but it is worth nothing if
your users dont protect their networks at home.
Re:Oh FFS! (Score:3, Insightful)
If you let people plug random machines into your network, you, to all intents and purposes, don't have a firewall.
Laptops which visit the outside world need to be treated as external machines, not internal ones.
And this is bad? (Score:5, Interesting)
Well cry me a fucking river.
With all the worm and virus activity in the last few months they have absolutely no damn excuse for not being on top of this. Since they are too stupid to do their job, someone found it necessary to do it for them. Personally, I would have considered a disk formatting worm to be fully justified.
disk formatting would be better. (Score:4, Informative)
That's a little harsh, don't you think? People did apply patches, they just did not work. The only incompetent thing it to use or recomend Microsoft in the first place. It should be obvious by now that M$ has no place on a network. More than a year after Bill Gates made security job one, M$ still blows and it always will.
I would have considered a disk formatting worm to be fully justified.
Well, it would require fewer network services and people could get on with the rebuild job they need anyway. Face it, you can't trust a worm to do your job. If you get either of these, it's time to break out the CDs and rebuild the machine because you can't trust a worm to not be trojaned. That would be nicer than making it so no computer can use a network because these broken boxes are spewing their guts out trying to get M$ patches.
The answer is to dump Microsoft all together. Free software is obviously superior by now and no one need to spend good money on bad Microsoft software anymore. Disasters like this just go to show the real TCO of that junk. The colatoral damage to people who don't run M$ at all is unaceptable as well.
You have to wonder if businesses that don't use M$ anymore but were unable to use networks because of it can sue M$ and the dummies that still use them. Sounds like another billion dollar classaction lawsuit followed by thousands of individual suits to chip at the rapidly diminishing M$ pile of ill gotten cash.
Why weren't these systems patched? (Score:5, Interesting)
Are each of those systems equipped with a 9-volt battery and a cheap Somebody Else's Problem field?
And don't give me that shit about airline computers having to be 24x7. If that were the case, they wouldn't be running Windows in the first place.
Re:Why weren't these systems patched? (Score:3, Informative)
Try patchin 75,000 workstations and servers in a month with 100 IT staffers who have jobs to do besides patching MS shit.
I predict that we haven't seen the last of this... (Score:4, Insightful)
Most of the time I learn about something and think it is new it is not. So I won't act shocked when some
However I personally have not come across this before.
I predict that the anti-virus will never be as prevolent as the virus, but we can expect to see them from here on out.
Worm vs. Worm - It's a Ripoff! (Score:5, Funny)
You couldn't tell, but I used the freeze-frame on my Beowulf cluster of Tivos and saw that there was hidden IP in Blasters hand.
I was so pissed, I called Fight Update to complain, but the lines were all busy.
Never again will I pay $179 for a pay-per-view wrestling match...although the upcoming free-for-all cage match between SCO, Linux, IBM, Novell, Red Hat and FSF sounds pretty interesting. I bet that PanIP will make an appearance and beat the hell out of somebody too.
Someone always gets in the cage at the last minute.
Is anyone else getting the mental image (Score:5, Funny)
Okay, I think I've just proven that I've been awake too long. Goodnight..
Couple of things - train crashes etc. (Score:5, Interesting)
Secondly, lots of people are (hopefully) going to be scrabbling for WindowsUpdate [microsoft.com] for patches which will also add to the bandwidth being consumed.
We have yet to see a bad one! (Score:3, Insightful)
We are always finding out about vulnerabilities. This one obviously existed since the beginning of time since it is exploitable on all post 3.1 versions of windows. If someone years ago had made a worm that infected systems slowly, so as not to draw attention, and then in a given time frame was really destructive such as chernobyl, we could end up having real problems on our hands.
These worms that make us find and patch these holes, without wiping our systems out, are costly, yes, and annoying yes, but they are also protecting us from the really malicious ones, by making us all more aware, and ensuring that steps are taken to prevent. I am not just talking about the cleanup worm, but also MSblaster. It doesn't destroy anything, but it makes us protect ourselves, makes us develop an immune system.
I am not saying I like them, and in my work I am the one responsible for protecting our offices, and cleaning up if something were to get through but I would rather be protecting from MSBlaster, than something really nasty.
Totally untrue! (Score:5, Interesting)
Have you heard of Dalnet? The network that used to be the largest of the IRC networks? It isn't now. Four months of DDOS attacks against all it's servers brought that to a halt (and there were like 10 of them). It's come back up, but most people have moved to other networks.
Maybe you didn't see this as a real problem because it didn't affect you, but four months can do more than merely wipe data or destroy hardware. They can take down businesses forever.
I'd rather have the "malicious ones" destroy computers owned by users who are partially to blame for letting in viruses than destroy businesses that have no fault at all in the matter.
On an interesting parallel: one of the most destructive viruses (real world) on the planet is Ebola. How do you think it's rate of spreading and death rate compare to AIDS? It's the slow, insideous viruses that you have to worry about, not the ones that are obvious. Not knowing that the virus is there is the best defense a virus has against innoculation or containment, which gives it more time to spread and wreak havok.
this is not good worm vs. bad worm. (Score:5, Informative)
is it really that much to ask people to read an advisory of how the worm works [nai.com] before cheering it on?
iptables rules (Score:5, Informative)
For those who run a Linux firewall between a network of Windows boxes and the Internet you should rate limit those IP echo (ping) packets. Refer to my previous posting [slashdot.org] where I showed some sample iptables rules.
Of course my firewalls have port 135 (and a lot more) blocked. Still, it is very hard to keep out of a large network, it doesn't have to get through a firewall. But once inside it can quickly spread and then your firewall or border router will get flooded with pings. I was seeing well over 1 million pings per minute. At that rate my stateful Linux firewall was crawing on its knees as the connection tracking table filled up trying to remember all those echo requests so it could match them up with the echo responses. It didn't crash Linux, but it did render it near useless.
The scariest thing with all these worms is thinking about what could have been. What if they actually did something much more serious? What if they throttled back on the network scanning just a bit so they didn't take the network completely down and it took longer to notice?
Re:iptables rules (Score:3, Informative)
>Sure, traceroute is nice, but things like this mean it's just not worth the ICMP overhead.
Dropping all ICMP traffic is a bad habit to get into . ICMP is necessary for ip fragmentation and path maximum transmission unit discovery [cisco.com] to work properly. You will break [merit.edu] things [merit.edu] if you drop it.
just why... (Score:3, Insightful)
Perhaps its the worms attempt to download the patch from MS thats causing all the headaches, but the patch *IS* rather small, so I'm not very convinved on that point.
Am I being paranoid, or overreacting or what?
Re:just why... (Score:3, Insightful)
Re:just why... (Score:3, Informative)
It's just a good thing that the worm wasn't patched in SP1 for WinXP, or else Microsoft itself could conceivably nuke thousands of warezed copies without even trying.
PS: Microsoft, if you're reading this, you better give me a cut for the idea.;)
Worms are bad, but... (Score:3, Interesting)
However, vulnerable boxes do cause a lot of problems, so IMHO a better solution is for those people who care about such things to install a system on their firewall that responds to scans - if a machine scans your firewall then you look to see if you recognise the signature of the scan (i.e. the likes of Code Red, ete, have quite distinctive patterns of scanning) and then your firewall launches an exploit against that machine that is scanning you. Once exploited the system would take some action to close the vulnerability and remove the worm (i.e. turn on the auto update stuff, install whatever patches are needed, etc). After it's done that the software that you installed through the exploit would delete itself.
This is a defense - the machine in question attacked your network so your network responded by fixing the compromised machine - no other (innocent) machines are affected by the problem.
ISPs also need to do something to help the situation IMHO - there is no sane reason to use Netbios over the internet so this should be blocked by every ISP (I know some do already, but the vast majority still allow it).
And remembering that 90% of home windows uses are completely clueless when it comes to security, they need to be forced into fixing their systems. The best way I can see of doing that is for all ISPs to look for scans coming from their customers - if a machine is making a lot of scans to lots of hosts all over the internet that matches the signature of a known worm, the ISP should pull the customer's entire internet connection. Infact it wouldn't be too hard for the ISP to intercept all web requests and redirect them to a website with all the patches on it. This is damage limitation - if a machine is compromised and is attempting to compromise other machines then it is essential that machine is taken off the network ASAP. If all the ISPs followed these steps then the spread of worms would be severely reduced.
Not just in Canada (Score:3, Informative)
Usual high standard of reporting, I see (Score:3, Insightful)
There is absolutely no evidence that Welchia is worse than Blaster, as a cursory reading of the linked article would reveal to anyone who passed the fourth grade.
If you're unpatched, you either get Welchia, or you get Blaster. They both hose your network. If you're too stupid to block the ports and apply the patches, then you're going to get one or the other.
Go on, pick one. Not that it makes any difference. Welchia isn't worse than Blaster. Sure, it opens a port, and everyone is assuming (why?) that this is a back door, but as long as you're unpatched and your 135 port is open, arbitrary code can be run on your box anyway, so how does Welchia make that worse?
Lies, damn lies, statistics, Slashdot reporting.
W2K Service Pack 2 (Score:4, Insightful)
So what if it's sitting there saying "This patch requires Service Pack 2", and the worm reboots? The result: a still unpatched system! Even if the worm were to consider its work done, after reboot the computer can be re-infected. Which means another download of the patch gets started! Can you say "Sorcerer's Apprentice"?
Even if the worm were smart enough to download a service pack, we're talking over 100 megabytes. That can take a while if you don't have good broadband, and meanwhile it's providing a nice accidental DDoS against microsoft.com.
Worm (Score:3, Funny)
On the first Tuesday in November, one of them will activate and fill your computer, television and radio with loads of bullshit.
Plagarism alive and well... (Score:3, Interesting)
"...Blaster exploited a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download the patch, leaving them vulnerable to the worm, which first started hitting computers around the world on Monday. ..."
I could have sworn I had read the exact same statement in a different article a few days ago. The statement had stuck in my head because it implied the worm problem was completely users fault for not installing the patch. Since it seemed so familiar, I googled [google.com] the phrase "Although Microsoft posted a software patch to fix the flaw" (google limits you to ten words or less). Lo and behold, hundreds of hits for individual separate articles from "different" news sources with the exact same paragraph, completely verbatim. I am aware that information is shared through the associated press, but personally I find it unsettling that all of these news authors do little more than cut and paste another authors words (and voice), instead of writing an article on the same subject with different points of view or ways of expressing the facts. It is especially concerning when the statement in this example seems to slant blame away from a responsible party, Microsoft, in a serious situation that they are largely (IMO) accountable for.
Perhaps I am off topic, but I felt obliged to point out my discovery. I didn't think it was possible, but my level of trust in the quality of information in the media has dropped yet another rung.
Re:So? (Score:5, Interesting)
Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
If this theory is right I guess 50 million americans without power cares whether incompetent admins can't keep their networks up.
Re: So? (Score:5, Interesting)
> Well, according to an article I read yesterday the MSBlast theory of the power blackout in the US and Canada isn't dead just yet. They don't think MSBlast was the reason of the blackout anymore, but that the worm slowed down and crashed monitoring systems. In that way the worm worsened the problem and didn't stop it where it could have been stopped.
Supposedly there are "thousands" of people/organizations already working up lawsuits against that one energy company that's starting to pick up the stink. If it turns out that Blaster had anything to do with it at all, someone's going to get creamed for it.
And you can bet that they'll go after $omebody with deeper pocket$ than whatever punk-ass kiddie it was who released it. With 50,000,000 people inconvenienced and a reported $6,000,000,000 dent in business, we're talking about a sum that would be a concern even to $DEEPPOCKETS.
Re: Imminent death of the net predicted (Score:3, Funny)
> Every time I hear about a huge new worm, I wonder how long until someone finds some huge exploit or something that will wreak major havoc over the entire 'net. What would the effects of that be, in the end? Seems like that would have a major effect on world economy.
Yeah, people would start getting their work done out of sheer boredom.
Comment removed (Score:5, Insightful)
Re:I applaud the idea. (Score:5, Insightful)
The original anti-virus virus was probably DenZuk, created to kill the Brain virus. They were both bootsector viruses. Problem is, later on a new format of floppy got introduced - DenZuk trashed users' data when it encountered them. And there wasn't a damned thing the original author could do about it, because it was self replicating, and therefore by definition not under his control.
If you've gotta go vigilante, don't go viral. Do something you can control. Scan all the machines on the net and patch them, or just patch everything that bounces off your firewall - fine. It's likely to get you in legal hot water, and it is on questionable ethical grounds, but at least you aren't trashing random machines with self replicating code that you can no longer STOP, no matter how much you might want to.
Any experienced programmer will know well that code that works on one machine is not going to always work on every other machine - no matter how good of a coder you are. Any smart and experienced programmer will also know that almost any complex program is going to run into a situation it wasn't designed for eventually and create an unexpected and probably very unpleasant result. Spend some time and think about it before acting.
Re:I applaud the idea. (Score:3, Interesting)
* Only infect machines already sick with w32.Blaster
* Stop these machines from restarting due to the RPC process being terminated.
* Stop these machines from causing network slowdown by scanning.
Even if there was a problem with the code, it would still do more good than harm, because every machine patched would be one less flooding the 'net searching for machines to infect. It would not increase the traffic, because machines unpatched but uninfected would not b
Re:I applaud the idea. (Score:3, Interesting)
Not complex? You're downloading a bloody Microsoft Patch and running it! Have you seen how many people - competent administrators - have been saying all along that they have the automatic updates turned off because the patches keep breaking their machines? Ever written a buffer exploit? That's usually not simple code either, and it is very system and application specific - if the underlying cod
Re:But, but, but.. (Score:2, Insightful)
1. Gain access via the same vulnerability. 2. Do something to block port 135 completely (without generating network traffic). 3. Go to the next vulnerable system.
Re:But, but, but.. (Score:5, Insightful)
1) Once on a box, clean and patch said box.
2) Sit and listen to port 135, waiting for Blaster to rear its ugly pulsing-zit-like head.
3) In response to Blaster probe, install itself on Blaster-infested machine and start over at 1).
4) On some set date in future, or when number of Blaster-probes remains 0 for a predetermined time (say 1 month), remove itself from system.
By only loading itself onto machines which first probe it (trying to spread Blaster), it completely eliminates the stupid network scans. In that way, it only attempts contact with machines which have shown themselves to be Blaster-infested, while leaving the rest of the internet alone.
Re:But, but, but.. (Score:5, Insightful)
Perhaps have a stage in there where the "Good Samaritan" worm pop up and explain to the user how it got there, the implications of the security issue, and ask the user if they want to fix their system.
It's not THAT good. (Score:5, Informative)
No, I don't know why, I guess its because windows update URL has changed? All the machines that we've found with this virus have not been patched and had to have the patch applied anyway.
2) It tries to ping every machine on it's local network as fast as it can, repeatedly. It doesn't just do a single scan then shut up til 2004 (it's expiry date) - oh no, it continually scans. Thats ok if you have 2 machines on your LAN, but when you have a huge switched lan with a few hundred or thousand hosts on a
I see LOTS of ARP traffic from the machines doing the scanning to hosts on the local network, and I see loads of ICMP echo-request destined for outside our network. Which I filter now.
3) It runs as a service that isn't detected by many virus scanners, for some reason Nortons didn't find it though McAffee did. Again I have no idea why.
The thing did a LOT of collateral damage on our network with a couple of hundred machines. I shudder to think about what kind of damage it is doing to large networks at universities etc.
Re:Reinstall (Score:3, Insightful)
Re:But, but, but.. (Score:5, Insightful)
Re:But, but, but.. (Score:3, Informative)
I actually rebuilt my server the other day onto a new machine,
Re:Welcome to the WORM wars (Score:3, Funny)
> Send a worm to kill a worm!
Two worms enter, one worm leaves!
Re:DRM (Score:5, Insightful)
But can DRM truly be the solution to prevent exploits and worms? I doubt it. I expect that it will be trivial to exploit a program that's already been verified and make it do something it shouldn't even with fairly well implemented DRM.
Email viruses may be halted in their tracks - but most exploits will most likely not be. You say the Palladium implementation of DRM is sophisticated enough to detect a code change during runtime from a stack overwrite? I doubt it, but if so - just change the data instead. Same effect. It raises the bar, but viruses share a characteristic there with open source - the bar only has to be hurdled once before the flood. See the recent rash of RPC hole worms and exploits - one guy did it, now everyone and their 12 year old can.
And licensing a piece of software for $1000-$2000 so that it could run in the first place is ridiculous. Do you like freeware, shareware, or open source? It'd kill it on that platform. Might be great for the competing platforms, but not the one it's on.
I think the real threat with DRM though is that it'll be used in the ways we've already seen, only more expansive. Wanna play a DVD you bought on an unauthorized operating system? Pay the fee, or, if the owners are too lazy to write software for your OS, just forget about it. And don't even think about writing a program to play it for you if you value your freedom.
If left unchecked, CD's will become that way. Downloadable audio has already started to. Tried to download an mp3 from iTunes on Linux? Find anywhere else you can get the same tunes legally? For now - yes, just buy the CD. For now. Hopefully consumers will be upset enough as use of such copy protection schemes increase to purchase alternatives. I subscribe to E-Music [emusic.com] myself - no DRM, but I'm paying for the industry to create more, and mostly to smaller lables (mainly Napalm, if they keep track - bands like Tristania, The Sins of Thy Beloved, etc).
Re:Wasn't this (Score:4, Informative)
Virus history is a bit different if you follow the definition of viruses parasitically infecting files, whereas worms are self-contained and actively spread via network. Here's a paper [claws-and-paws.com] that covers the early history of both to some degree.