A Worm's Worm
Carnildo writes "There's a new worm out, according to the Register, but one with a twist. This one, called 'Dabber', infects computers by exploiting a security hole in the Sasser worm."
Ugh... (Score:5, Funny)
Re:Ugh... (Score:5, Funny)
Re:Ugh... (Score:5, Informative)
Re:Ugh... (Score:5, Funny)
Re:Ugh... (Score:5, Interesting)
Yay for Free Software! (Achoo!)
Re:Ugh... (Score:4, Interesting)
Re:Ugh... (Score:4, Interesting)
Copyright (c) yyyy, The Author and Contributors. All rights reserved until yyyy when this work will enter the Public Domain.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Re:Ugh... (Score:3, Informative)
If it's in the public domain, then anyone can do anything they want with it - you are revoking all ownership so have no more right to impose restrictions such as copyright notices than the guy down the street does.
Re:Ugh... (Score:3, Informative)
Re:Ugh... (Score:5, Funny)
Next time I'll read all of the comment, not just random words
Re:Ugh... (Score:3, Interesting)
Re:Ugh... (Score:5, Interesting)
Given that it's a GPL project, I can't imagine that it would be too hard to find a few dedicated coders who would be willing to work on such a fork.
Why not? (Score:4, Insightful)
If the outcome is gonna be the same, might as well be an asshole.
Re:Ugh... (Score:3, Interesting)
I ran into Welchia.B the other day which went after MyDoom (SCO) and downloaded 5 patches or so from MS and installed them on the system. Trouble is, that it's still a worm - nobody wants it on their system - it took me a couple hours to identify and remove it then get Windows running again.
Welchia.B was trying to run four different exploits on remote IPs - I sniffed all the
Re:Ugh... (Score:5, Funny)
--
New deal processing engine online: http://www.dealsites.net/livedeals.html [dealsites.net]
Re:Ugh... (Score:2, Interesting)
Re:Ugh... (Score:5, Insightful)
heh.. sure, right. God knows that unless you have a masters in CS your only chance to program something like code red, blaster, or sasser is by hacking "together code snippets [you] find on the web" Christ, 3 years into a CS major, and aside from the calculus I have yet to make any large leaps in knowledge over what I already knew several years ago.
Maybe that's what grad school is for?
Re:Ugh... (Score:2)
Re:Ugh... (Score:4, Insightful)
Re:Ugh... (Score:3, Interesting)
My former high school offered a Visual Basic course in grade 10... but that's VB.
However, there's a lot one can learn by teaching themselves from a book, and I think that's where a lot of the talented young programmers get their starts. It may be that writing annoying viruses and worms is just some kid's way of testing and/or p
Re:Ugh... (Score:2, Interesting)
But still... it is just getting younger and younger. During the summer my University hosts several computer camps, and I see 7, 8, 9 and 10 year old kids programming in C++ and other OO programming languages.
Crazy indeed
Re:Ugh... (Score:3, Insightful)
I'd say it's crazy. Dude, come on, C++ OO programming at 7? That's a little hard to believe unless you're a genius. At 7 you don't have the concepts needed to do advanced programming. Heck, most kids only learn to read at 6 or 7, and this is the bright kids. You can't say he's been alive for 7 years now, and C++ can be mastered in 2 years, so he should be a guru by now. It just doesn't work that way, you need to accumulate knowledge and develop the mind in a certain way.
Logo at 6 or 7 I can believe. Basic
Re:Ugh... (Score:3, Informative)
Re:Ugh... (Score:5, Insightful)
No, but the remainder of your undergraduate education will benefit if you continue to hope that this is true.
Every year in my EE and CS programs I figured that 'next year' would be the year I'd really learn something useful, but that day never arrived. Nonetheless I managed to graduate, get a high-paying job, and get laid off 20 months ago after 3 years of 15 hour days. Now I think about taking classes at the community college, welding maybe, but I just can't get up the energy to do it.
You see, you are wrong in assuming that calculus is the only thing you've learned so far. You've also learned The Secret a year earlier than most people.
You know those tests they do on rats, where they put them in a maze, and if they do the wrong thing they get an electric shock, but if they do the right thing they get the cheese?
The Secret is this:
You are the rat.
The electric shock is *always* on.
***There Is No Cheese***.
Re:Ugh... (Score:4, Insightful)
I learned lots of useful things in undergrad. I use them roughly 7-9 hours a day, doing a job I actually enjoy.
And I got an EE degree. Maybe it's because I'm not a programmer.
Maybe you just worked for a shitty company? (And before you get pissy about it, I work for a Fortune 100 company - it ain't just small companies that can be decent to work for.)
I dropped Comp Sci (Score:4, Insightful)
The fact is that if you challenge yourself you can learn everything you'd learn in college on your own for a lot less money. In the field of technology you have to be able to teach yourself anyway or you'll find you've become obsolete.
I switched to education because I think it'd be a more entertaining and fulfilling career than sitting behind a computer all day.
"Maybe that's what grad school is for?"
Save your money. If you want to learn how to program just buy the books and come up with projects.
The reason I know as many languages as I do is because I'm always coming up with ideas. I then figure out what language would be best to implement it and learn the language.
You're better off specializing in an area (like math or physics) and then learning how to program on the side so you can utilize that skill in your profession. You don't need a comp sci degree to write modeling programs for a chemistry application. You need a chemistry degree so you understand what the program needs to do. In programming knowing what you need to do is 90% of it. The other 10% can be learned as you build the program.
Think about it. Little kids can program. It's really not that hard. But little kids don't know enough about chemistry to use their programming skills to write chemistry programs.
If you don't understand chemistry nobody really cares if you can do magic in C++ because you don't have the knowledge to make your programs do what a chemistry program needs to do.
It's the same reason the FBI doesn't care if you were on a police force. An FBI agent needs to know things you can't learn being in the police force. And what you need to learn in the police force can easily be taught to you by the FBI.
Ben
Re:Ugh... (Score:3, Funny)
In place of English class, apparently.
Re:Ugh... (Score:5, Insightful)
DMCA violation? (Score:5, Funny)
I wonder if the author of Dabber has violated the DMCA by circumventing a copyright protection system [cornell.edu] -- i.e., the code to the Sasser worm.
More specifically, I wonder if the author of Sasser can sue the author of Dabber for statutory damages of up to "$2,500 per act of circumvention [cornell.edu]."
Re:DMCA violation? (Score:5, Insightful)
Re:DMCA violation? (Score:3, Interesting)
Both are illegal, both are prosecutable, but the "victim" burglar can't sue for loss of property from the 2nd burglar because the property belongs to the original owner.
I've had enough (Score:5, Funny)
Re:I've had enough (Score:5, Funny)
all new low (Score:5, Funny)
I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all a lot easier on us.
Actually sounds like somebody trying to fix things (Score:5, Interesting)
Actually, this sounds like somebody trying to make a disinfectant worm. Look at the description:
- It only infects infected systems, using a flaw in the previous infection.
- It cleans out the infection of the worm that it exploited, and several others.
It does open a new backdoor. But while that might be preparation for some future malicious action, it might also have been the author leaving himself a way to fix things if his initial worm got out with a destructive bug. (Of course it could be the worm cleaning up signs of previous infections in order to hide itself and thus head off other cleanups.)
I wouldn't be surprised to see, on further analysis, that it does other antimalware things (like fix the flaw the other worms used).
(Not to say that it IS somebody trying to fight virus with virus. But it might be interesting if it turns out that it is.)
I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all a lot easier on us.
Which is exactly what the military does with some of its really secure stuff.
Now if we can just get the Microsoft users to emulate them. B-)
Re:We've been down this road before (Score:3, Insightful)
It was a misguided attempt to stop msblast but it caused a lot of problems itself. We never had a problem with msblast but nachi essentially shut down a couple of our routers and cost us plenty in man-hours to clean up.
I doubt that Dabber is the same deal though. If it were you would expect it to have an expiration date.
Re:all new low (Score:5, Funny)
Maybe they can just run Norton AntiVirus - oh wait...
geez (Score:3, Insightful)
Not really surprising (Score:5, Insightful)
Re:geez (Score:5, Funny)
planned (Score:4, Interesting)
Re:planned (Score:4, Funny)
Coming soon....
http://www.sasser-plugins.com
This is why... (Score:5, Funny)
Re:This is why... (Score:3, Interesting)
Re:This is why... (Score:4, Funny)
Yes, that's it! Windows is a trojan horse designed to sneak windows updates onto your computer!
Tremble before my mighty logic!
Re:This is why... (Score:5, Funny)
Heh.
The Virus you're about to install has not passed Windows Logo testing to verify its compatibility with Windows XP.
Continue Anyway.
Spyware and others (Score:5, Interesting)
Re:Spyware and others (Score:5, Funny)
Re:Spyware and others (Score:5, Funny)
Gimme a sec.
Re:Spyware and others (Score:2)
Re:Spyware and others (Score:4, Informative)
Given this isn't exactly a code-level exploit, though it is annoying enough that I sent two people to the reformat doctors today because of it. Antivirus installed on the system beforehand, too.
Re:Spyware and others (Score:3, Interesting)
In fact.. thinking about it what's to stop me capturing requests for this crap on my proxies and redirecting them to an exe that removes gator? Hmm...
Is not the first time it happens (Score:4, Informative)
Not the same thing (Score:3, Informative)
Re:Is not the first time it happens (Score:5, Informative)
Perhaps you are thinking of Welchia [viruslist.com] which exploited IIS but also removed Blaster.
Antivirus! (Score:2, Interesting)
Sounds like it's doing some antivirus while it's at it. Good!
Just be sure to block off 9898.
-Grump
Re:Antivirus! (Score:2, Insightful)
Nah, let's not fool ourselves. This is probably just so that you can run a Sasser removal tool, find nothing and feel yourself at ease thinking your machine is clean :(
Re:Antivirus! (Score:3, Interesting)
Re:Antivirus! (Score:3, Funny)
Re:Antivirus! (Score:3, Funny)
Plug-in (Score:5, Funny)
Re:Plug-in (Score:5, Interesting)
Quite a bit of modern worms in this or that way provide just a generic backdoor to the infected machine without performing any extra malice. Some of them just open ports, some trick firewalls and actively "call home", which usually happens to be some random IRC server on some compromised machine (IRC seems to be preferred method for the virii writers for controlling worms, which just act as bots on the channel). Then the virii can upload a spamming software, a DDoS attack plugin, a keystroke logger, a file transfer thing, a tunneling/relay program to mask an attack, or whatever the twisted minds come up with.
So, naturalists observe, a flea... (Score:5, Insightful)
And these have smaller still to bite 'em;
And so proceed ad infinitum.
- Swift
um... (Score:5, Funny)
what Microsoft is thinking (Score:4, Insightful)
Re:what Microsoft is thinking (Score:4, Insightful)
It scanned for machines with the RPC blaster vulnerability or a webdav vulnerability, infected them, and then downloaded the RPC patch from windows update and installed. Next time the machine rebooted, you were secure. It also had a self kill on 1st jan 2004.
The perfect anti-worm, yes? Except it was very aggressive with the ping scanning, and a few infected machines on a network could end up crippling it. Add to that, if a machine got infected with nachi, yet windows update wasn't directly available (login proxy for example) then the amount of bandwidth consumed could be huge. From the ISP's point of view, welchia was a worse worm than blaster. From the manager's point of view, at least it was obvious if someone had blaster. With welchia, if you didn't have competent inhouse IT staff (and an awful lot of small companies don't) it was hard to find why your network was running rather slow.
In response to just turning on autoupdate, corporates often don't use windows update, but SUS or ghost or the like to roll out patches - once they've been fully tested. Don't forget, Microsoft patches regularly break other applications. LSASS (sasser) update, for example:
"According to the article problem may arise on Windows 2000 operating systems if any of three drivers (ipsecw2k.sys, imcide.sys, dlttape.sys) are loaded. People might experience lockups at boot time, the inability to log on, or 100% CPU utilization."
Antiworms are a possible solution, but as with this new one leaving a big backdoor, so far they've been as bad as the virus they supplant. What they should do, at most, is a popup every time you logon saying you are infected with virus bob, list the symptoms, and tell them they have to go to this location to get the patch and the removal tool.
It's ok... SP1 is coming soon (Score:5, Funny)
Re:It's ok... SP1 is coming soon (Score:5, Informative)
SP1 will be a while
Just like the Anti-HIV Virus! (Score:5, Insightful)
MS is on it... (Score:5, Funny)
Security Update for Microsoft Windows (93212)
Issued: May 14, 2004
Updated: May 14, 2004
Version: 1.0
Summary
Who should read this document: Customers who use the Sasser worm
Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers running the Sasser worm should apply the update immediately to be protected from Dabber.
Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.
Caveats: The security update is for Windows 2000, XP Pro and Home, and Windows 2003 server platforms. As a prerequisite, the security update requires your system be infected with Sasser.
To download the Sasser worm, please open Outlook Express or Outlook 2000/XP and execute any attachments you have received from unknown senders. If you are not using Sasser you do not need to install this update.
Once installed your system will be immune from being infected with Dabber which exploits a flaw in the widely popular Sasser worm.
Tested Software and Security Update Download Locations:
Affected Software:
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 - Download the update [albinoblacksheep.com]
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update [albinoblacksheep.com]
Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update [albinoblacksheep.com]
Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update [albinoblacksheep.com]
Microsoft Windows Server(TM) 2003 - Download the update [albinoblacksheep.com]
Microsoft Windows Server 2003 64-Bit Edition - Download the update [albinoblacksheep.com]
This is *almost* a wonderful thing (Score:5, Insightful)
Dabber then installs itself and deletes the registry keys of Sasser and other viruses.
This is fantastic! It is a virus, that infects only virus infected machines, and then removes all other virii. What a great solution to rapidly spreading worms.
If users are too lazy or ignorant (in the nice sense of the word) to patch their systems, then just release another virus to do it for them.
Except that...
It [then] creates a backdoor on infected machines on TCP port 9898 allowing hackers to download additional code...
They just couldn't stop at doing a good thing, could they...
Re:This is *almost* a wonderful thing (Score:2, Insightful)
Re:This is *almost* a wonderful thing (Score:4, Insightful)
Re:This is *almost* a wonderful thing (Score:4, Interesting)
Then again it should be easy to release this new work without the code that opens the backdoor so that it only does the removal part?
Seems Like (Score:2, Insightful)
A Quick Fix (Score:3, Funny)
Re:A Quick Fix (Score:3, Funny)
Dude, you forgot the following steps:
Why? BECAUSE YOU'RE TOO FUCKING STUPID TO USE A COMPUTER!!!
Re:A Quick Fix (Score:5, Funny)
Why yes, I have windows. I even have doors too. I typed "format C:" like you said but I just got a message saying "the page cannot be displayed".
This is doubly ironic! (Score:5, Informative)
Re:This is doubly ironic! (Score:2, Funny)
Remind Anyone of Blaster (Score:5, Interesting)
I'm tech support for Tremendously Large ISP. From down here this looks just like Blaster did. Customers calling in complaining that their machine is restarting without their consent. And now someone has a follow up virus that attacks the virus - as some may recall there was a Blaster variant that patched systems AGAINST Blaster. This was terrible - if you got this variant inside a corporate network not only would your bandwidth use skyrocket, but since NAT tends to fubar Windows Update, the variant never managed to patch a system. God that was hell . .
It's almost enough to make you want to write a virus in revenge . . .
Patch? (Score:5, Funny)
Sigh... (Score:5, Funny)
Re:Sigh... (Score:2)
It's amazing the harm one person can do... (Score:4, Interesting)
Exploit available on packetstorm (Score:5, Informative)
I'm reminded of the quote... (Score:2)
"Look how low we have become! Beggars! Begging from beggars!"
OS Popularity? (Score:5, Interesting)
Does this situation imply that the sum total of Sasser-infected machines outnumber Macs and Linux boxes?
Re:OS Popularity? (Score:3, Insightful)
On the other hand, though, I'd be utterly amazed if worm writers don't take apart existing worms when preparing to write a new one. Learn from what has gone before and all that. I'd expect that what's happened is not just that Sasser is so widespread that someone decided to exploit it, but that someone was studying it, noticed the exploit, and went for a quick and easy route to write a new worm.
Add it to nmap! (Score:5, Informative)
Add this line:
sasser 5554/tcp # Sasser worm FTP server
This way when you do a port scan of a host, you can tell if they've been infected with sasser
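A host-side counterpart to the nmap-services entry in the comment above, added here as an example and not part of the original post: it reads indicator ports from nmap-services style lines and flags matching listeners in Windows `netstat -an` output. The `dabber` entry (built from the TCP 9898 backdoor port mentioned elsewhere in this thread), the sample netstat text and all function names are constructed for illustration.

```python
# Indicator table in nmap-services format. The sasser line is the one quoted
# in the comment above; the dabber line is constructed here from the backdoor
# port (TCP 9898) mentioned elsewhere in this thread.
SERVICES_TEXT = """\
sasser 5554/tcp # Sasser worm FTP server
dabber 9898/tcp # Dabber backdoor (constructed entry)
"""

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        198.51.100.7:9898      ESTABLISHED
  UDP    0.0.0.0:5554           *:*
"""


def parse_services(text):
    """Parse nmap-services style lines into {(port, proto): (name, comment)}."""
    table = {}
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank line, pure comment, or malformed entry
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            table[(int(port), proto.lower())] = (fields[0], comment.strip())
    return table


def listening_sockets(netstat_text):
    """Yield (proto, local_port) for sockets that accept inbound traffic."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        proto = fields[0].lower()
        # TCP rows must be in LISTENING state; UDP rows have no state column.
        if proto == "tcp" and fields[-1] != "LISTENING":
            continue
        port = fields[1].rsplit(":", 1)[-1]  # rsplit also copes with [::]:5554
        if port.isdigit():
            yield proto, int(port)


def flag_worm_listeners(netstat_text, services_text=SERVICES_TEXT):
    """Return (name, port, proto, note) for each listener on an indicator port."""
    table = parse_services(services_text)
    hits = []
    for proto, port in listening_sockets(netstat_text):
        if (port, proto) in table:
            name, note = table[(port, proto)]
            hits.append((name, port, proto, note))
    return hits


if __name__ == "__main__":
    for hit in flag_worm_listeners(SAMPLE_NETSTAT):
        print("possible infection indicator:", hit)
```

A hit is only an indicator that something is listening on that port, so it needs confirming with a removal tool or a process listing; the outbound connection to a remote port 9898 and the UDP socket on 5554 in the sample are deliberately not flagged.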
Just goes to show you... (Score:3, Funny)
Geek jokes (Score:5, Funny)
Program code so advanced it travels through worm holes!
*rimshot*
Fun! (Score:5, Interesting)
It sat and watched a user's inbox for the big bug at the time and pretty much acted like a counteragent, the instant they showed up, it nuked them off the machine (inbox and all) and undid whatever they managed to do.
Send one copy to everybody in the office, and instantly watch outgoing network mail traffic DROP back down to normal levels and my phone stop ringing.
I seem to recall distinctly 'forgetting' to mail it to key people, however.. *cough*
Would be a real shame if some of the geek-prowess around the OSS world were to start doing such counter-bugs. A lot of these backdoors, trojans, and whatnot, have gaping flaws in them because..well, guess.
Just think:
Infect > Disinfect > Patch > Scan nearby machines (proceed life cycle)> Local Self-remove
Could be the next revolution. Don't bother patching or downloading, we bring the cure to YOU..
Phages? (Score:5, Insightful)
This goes on to remind me of that recent anti-HIV virus that's been in the news.
Is this a beginning of a new virus era....? (Score:3, Interesting)
Reminds me of a poem (Score:3, Funny)
Every flea has a flea
on his back to bite him.
And on that flea another flea
so ad infinitum.
MM
No sympathy to the victims (Score:3, Informative)
The fact is, this worm released relies on another worm that causes the computer to randomly shut down. Unlike the LSASS service, there is very little stability, therefore making it highly unlikely that a computer infected with the former worm will be hit by the latter.
Re:Same for my mac (Score:5, Funny)
Re:Clever (Score:5, Funny)
a post with the title "clever" and the text "very clever" in a story about a "worm's worm" moderated as "redundant".
It's like rain on a rainy day.
Re:Clever (Score:3, Funny)