Sasser Worm Disruption Growing 999
thebra writes "Yet another virus is causing problems with Internet Explorer. "Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet."A removal tool can be found here."
Yeah..you're telling me... (Score:5, Interesting)
Capital punishment for worm writers!
Re:Yeah..you're telling me... (Score:5, Funny)
All the windows folks in the place are sat around talking and drinking coffee because everythings broken, but us unlucky users of openbsd servers and linux desktops are having to work hard as usual.
It seems there are hidden benefits to choosing Microsoft products.
Re:Yeah..you're telling me... (Score:5, Funny)
Re:Yeah..you're telling me... (Score:5, Funny)
It may actually be working hard if one is being paid to post misinformed bovine feces on slashdot.
Don't worry.... (Score:5, Insightful)
Seriously folks. Microsoft release the patch 21 days ago. If the worm came out before the patch I would be more critical but it didn't. Hopefully Microsoft decided to turn on automatic updates by default in service pack 2 for XP.
Auto updates and quick patches (Score:5, Informative)
It takes weeks to test a patch and push it out. Servers often can't be rebooted until weekends. Then there are users with special situations that require manual installs. It takes time to do hundreds of installs manually. It also takes time to get the patch onto the standard corporate "build" of Windows, so for a while new computers need the patch pushed out after logging into the network the first time, leaving a gaping hole for this virus to spread.
Re:Auto updates and quick patches (Score:4, Interesting)
True, auto updates aren't good for business critical machines. Microsoft gives you 2 ways to do the updates, you could use the automatic updater and put up a update server so you can control what is updated. Alternately, you could use SMS.
If it takes you weeks to do testing, you should consider a more standardized loadset. If you were using one, the 90% of the systems who can use that loadset could be tested in a few hours. If you have users requiring manual installs, there are options like patch management systems (I like HFNetChkPro by Shavlik) or putting the patch installer into the login script.
On adding to the corp. build, you need a leaner process, I can get it up in about a week.
For all of this, and the server reboots, let me remind you that the patch was 21 days before the worm.
Also, why does this article act like the worm is a new concept?
Re:Auto updates and quick patches (Score:5, Insightful)
In that case, you're just tough out of luck, because there have been plenty of exploitable Linux and OpenBSD patches in the last couple of years. In fact, if you're a server manager, you might look through Slashdot's history for the last year. Somewhere, there was an article pointing out that the majority of the actual server breakins were not on Windows servers. After all, how could they be since there are so few Windows servers. People breaking into servers are more than happy to encounter an unpatched Linux or OpenBSD machine.
I've got both Windows and Linux machines and have them both fully autoupdating. They only time I've ever had anything "break" due to autoupdating was when one of Microsoft's patches about a year ago caused machines running Norton Antivirus to slow down in some activities. Yes, 4 or 5 years ago when NT was the game, it was different and the patches tended to bite you. But it hasn't been that way for a long time.
Overall, I'd say the risk of a patch breaking something on your specific machine (as opposed to a few random thousand of the 100s of millions out there) is much lower than the risk of a virus hitting you while you're "testing" the patches.
I think that the real driver for people using your excuse for not patching is one of responsibility shifting. If you don't patch and get hit by a virus and its not an extreme case like taking more than a year to patch, you can whine about MS even though it was really your choice to bet the farm on 10:1 odds just because whining about Microsoft is a popular thing. If you do patch and you encounter that more rare condition that the patch busted you, you'll catch hell for patching without testing. So, not patching is the safer bet for you, patching is the safer bet for your machine.
If you don't believe me, Google around for articles about patches breaking machines versus articles about viruses breaking machines. I think you'll see that some of the latest viruses and worms hit in the many millions, whereas the problems experienced from patches hit in the many thousands or are not completely debilitating.
Re:Auto updates and quick patches (Score:4, Interesting)
That hasn't been our experience here. Less than a year ago we specifically put together a plan for staged rollouts of patches. It started with a get tough plan to make sure all servers were up to date, followed by several applications on all of our middletiers working erratically. It took a week for the programmers of the effected apps to get the problem fixed and working reliably. Things were starting to get a little ugly and users were not happy. Result, we have three stages of rollouts; test systems, first half production, last half production. None of which install automatically.
I wasn't effected on that case, but I have had MS 'fixes' break critical systems. A while back a 'fix' of the generic text printer driver caused it to eat the first character of each line. Barcode printers stopped working. And no barcodes, no shipping. Spent a day finding it, added a sacrificial space to each line, system is back online. A year later, MS fixes the 'fix' and the driver is working correctly again, but now the printers are choking on the extra space. Pull our fix for their 'fix', and our systems are back in a couple hours. But only because I remembered the previous problem and work around.
As to timeframe; it takes time to test complicated systems. Add to that the effects of the ecomony and companies are expecting more from fewer developers. So we have to balance our time between business requirements and testing MS patches. Being late installing a patch doesn't show up on my annual review, missing development deadlines does.
As far as getting hit; we don't get hit very often, today is the first case of an infected server that I can remember since code red hit our website. We have up-to-date scanning on our systems, SUS for desktop patches, email scanning, and properly configured firewalls.
Today we are fighting with a variant of a worm that isn't being detected by our scanners. But also doesn't appear to be using a vuln fixed by any patch. But that's a problem for Operations; developers are coding today, not chasing MS bugs.
Broken vs. rooted (Score:4, Interesting)
As a developer I can tell you when patch goes out that breaks an existing corporate app, execs get furious at the developers. If I write application X then any time X doesn't work it's my fault. No matter what, the apps have to work. The multi-billion dollar corporation comes to a halt if the fundamental custom apps aren't working. A problem caused by a patch from Microsoft can't always be resolved by adjusting code in our apps. Management cares a lot less if we're rooted because at least business can continue.
Of course I think Microsoft should be sued for some of the problems we have. I don't think everything in the EULA will hold up in court in every state. But it's not my decision. And I also agree management has no one to blame but themselves for sticking with Microsoft. They get what they deserve. All I can do is write the best apps I can and get paid for it.
Suing Microsoft for incompetence? (Score:5, Insightful)
Of course I think Microsoft should be sued for some of the problems we have. I don't think everything in the EULA will hold up in court in every state. But it's not my decision.
Okay. How about those people who don't even run Windows and therefore have no part in the EULA? Their networks are being ground to a halt because of flaws in Microsoft software and their patching process, as infected machines attack them.
Analogy: car company X builds cars with defective brakes. You didn't buy that car. Your wife and children are driving home from shopping and someone driving X's car runs through a red light because he can't stop, and plows into the side of your wife and kids. Now, not that I'm overly litigious, but there's a time and place for companies to be held responsible for the damage caused by their poor products and designs.
Who do you sue? The guy driving the car with defective brakes, or the company that has a pattern of time and time again making defective products?
in our case? a broken network. (Score:5, Interesting)
Re:in our case? a broken network. (Score:5, Interesting)
Re:Don't worry.... (Score:5, Interesting)
Those of us forced to work and support a Windows environment are caught between a rock and a hard place. We don't dare apply a brand-new patch on production servers, or roll it out across the enterprise, but if we wait too long, an exploit hits what the patch supposedly fixed, and we get smacked (plus raked over the coals on
I try to get new so-called critical patches applied within 7 days -- usually sooner, depending on when I can afford to take servers down, etc. But it won't be long before one of these wide-spread worms hits a vulnerability that's just been patched in the last day or two. Hell, I run several layers of AV protection that checks for updates hourly, and twice I've gotten hit by viruses before the updated signatures were available.
-
Re:Yeah..you're telling me... (Score:5, Insightful)
If after all the bullshit that companies went through with Blaster, they didn't sit down, get a team of smart IT people together and implement solutions to stop worms, then they don't deserve customers business.
Darwanism at work. Those who don't grow immune to the poison, die from it.
Re:Yeah..you're telling me... (Score:5, Funny)
Re:Yeah..you're telling me... (Score:5, Insightful)
We ran around frantically patching every $#%@#^ windows box at the company after the patches came out. Installing patches wastes users time, administrators time, everyones time. I know it can be automated, but its still a pain and you have to check every system anyway.
And whether or not you get a worm on your systems should not be the deciding factor of whether you deserve the customers business. Are you really saying that a record company that effectively blocked this worm deserves my business? Please don't start an oftopic rant about the RIAA, its just an example.
Re:Yeah..you're telling me... (Score:4, Insightful)
The difference is, that we could sit down, make a plan, inspect all PCs, have stickers for OK machines, etc.
And there were far less problems than with an average worm nowadays. Imagine if the Y2K problem would have been as big as a usual worm hit. (several middle to large companies affected for a couple of days)
Vajk
Re:Yeah..you're telling me... (Score:5, Insightful)
Or maybe, just maybe, computers are inherently insecure?
Re:Yeah..you're telling me... (Score:5, Informative)
Just an example. The ability for the police to do thier job in any capacity relies on the ability to get and share information. It's pretty rare that the cop actually witnesses the mugging, but a witness description, cross referenced with other reports from the head office, might lead to the ID of a suspect.
=Smidge=
Internet Explorer? (Score:5, Informative)
Slashdot Jumped the Shark (Score:5, Funny)
I have a question (Score:5, Interesting)
Usually, viruses have a goal, like collecting your personal information, DDOSing SCO, or SOMETHING...
What does this one actually do?
My theory is that someone wrote it to disable all the spamware-infested computers out there.
They can't be spamming us if they're rebooting constantly, can they?
And if the owner doesn't disinfect them and protect them from future attacks, they'll just start rebooting again...
Re:I have a question (Score:5, Informative)
Well, it also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.
It further makes copies of itself in the %Windows% directory.
Oh and finally, it causes LSASS.EXE to crash, and by default this causes your system to reboot. Repeatedly.
Re:I have a question (Score:5, Insightful)
Well, even though it's "just annoying" and "poorly written" according to F.Secure, it caused Sampo (a large bank in Finland) to shut down yesterday. Both computer networks and telephony systems were hurt. The same happened to If, a Norwegian / Swedish insurance company, and today another Norwegian insurance company had to halt operations (Vesta).
So even annoyances can stop entire operations, and thus we can say that it's a pretty serious problem until most (Windows) computers are patched.
Re:I have a question (Score:4, Interesting)
But have you noticed, it can only infect computers that are not properly patched and up-to-date...
I read a while ago that 0-day exploits on Windows are mostly unheard of, while most viruses seem to come out a few weeks AFTER Microsoft has issued a patch, because the virus-writers wait for a patch to disassemble it and learn how to exploit the weakness, which is easier to do that figuring out how to exploit the vulnerability.
This hole was patched by Microsoft, when? A few weeks ago...
So other than annoying people with improperly-maintained machines, Sasser doesn't really seem to be more than a proof-of-concept, or as I believe, a virus crafted to SPECIFICALLY annoy people who's machines are not properly patched.
And let's face it; if your machine is not properly patched, it's probably already being used as a spam relay, so it's not the spammers who would want this.
Rather it feels like someone waging war ON THE SPAMMERS!
Re:I have a question (Score:5, Informative)
Weeks to patch (Score:5, Interesting)
In a corporate network environment, such as mine, a few weeks is barely enough time to get a patch onto every desktop. First a few days are spent testing it. Then it has to be pushed out to all of the users. Server patches often have to wait until weekends because they can't be down during the week. Then manual installs have to be done for all the "non-standard" setups.
Then there's the new computer I got yesterday with our standard corporate developer's build. Of course the build doesn't have the latest patches yet, so when I turn on the computer for the first time, immidately after logging in McAffee catches the virus. So then I have to hunt down the right patches from the right people and reboot repeatedly until I can log into the network without getting the virus.
So I lost all of yesterday fixing the problems on my two computers and my office is as up to date as possible with getting patches onto workstations. Machines go for weeks without new patches because it's impossible to distribute them when some break applications, and therefore require much testing.
I wrote a 70 page document explaining why we should switch from Windows to Linux. Management wouldn't even start to read it. This is what they get for their ignorance.
Re:Weeks to patch (Score:4, Insightful)
A new computer is like a new baby. You need to inocculate it or it'll get sick. If you're putting out in a wild environment without protection -- and a suitably large organization is almost as bad as the internet itself -- you're just asking for trouble. The best way to prevent this is to patch it up to a useful level behind a one way firewall. An even better way is to update your corporate ghost image once a month so you're never more than 30 days behind in your patches.
Furthermore, the days of agressively testing patches should be over for everything but servers. Let your employees run autoupdates and if one of them does break your machines, roll it back. Servers are a special case, because if you lose the TCP stack on your mail server it's much worse than if Ted from Marketing loses his.
Management doesn't want Linux because they don't want to lose days learning an alien operating system when they already have YOU to do the job of protecting them from viruses. What would you say if your plumber told you that to unclog a leak, you'd have to buy a new house?
Re:Weeks to patch (Score:5, Interesting)
I strongly disagree;
Firewalls don't protect jack if ports are open client side within your network that shouldn't be.
Infections can't be stopped by running virus scanners.
Testing is very much necessary, as are customizing the desktop so that it doesn't have exposed interfaces. (Run a port scan or better yet Nessus. Know what's running and in most cases TURN IT OFF.)
Baseline configuration is the way to go since you're at the mercy of the vendor's marketing team otherwise -- and marketing teams don't care about security, stability, or usefulness.
When done with this, go back and work on tuning firewall(s) and routers. Split the network into parts that are isolated by function using the router; accounting should not be directly accessable from development or development from production.
Re:Weeks to patch (Score:5, Insightful)
This is a very typical mistake. Management, especially senior management does not read 70 page long pamphlets about a topic that they most likely don't understand.
Write a very concise executive summary, comprising no more than two pages, outlining in an easy to understand language why switching to Linux will be beneficial to your organisation. Emphasise on cost and security and explain the interdependencies. Also explain the business freedom your organisation will gain (management decides when to make major changes to your infrastructure, not Microsoft etc.). Preferably get a colleague with an idea of management's language to help you with it.
It's like every business pitch: First you get them hooked with what they really want, then you get the stuff in that you want.
Re:I have a question (Score:4, Insightful)
So someone at Microsoft wrote this article and invented all the facts in it?
http://www.computerworld.com/printthis/2004/0,4
And you should know that I am NOT a Microsoft shill.
I'm not excusing Microsoft, I just think someone out there has an agenda that is different that the typical worm-writer's.
Re:I have a question (Score:5, Informative)
Re:I have a question (Score:5, Interesting)
You know what?
I think that yesterday, I received a LOT LESS spam than usual. I'm talking a fraction; instead of 200-300, I only received about 20.
So even if taking down all those spam-relays was just a side-effect, I'LL TAKE IT!
Re:I have a question (Score:5, Funny)
the enemy [virus writer] of my enemy [spammer], while being useful, is he still my enemy or my friend?
I'm confused.
Microsoft's "fixes" (Score:4, Funny)
Thanks guys...
Re:Microsoft's "fixes" (Score:5, Informative)
Removal tool (Score:5, Informative)
Decent firewall, regular updates & common sens (Score:3, Informative)
These are the three secret ingredients to a relatively secure system. Read them. Learn them. Understand them.
Don't blame Internet Explorer this time (Score:5, Informative)
See this [mitre.org] and this [microsoft.com] for more details.
Re:Don't blame Internet Explorer this time (Score:5, Interesting)
One of my first questions when I laid hands on an XP box: "OK, so now that I've un-dumbed-down the thing as much as I can... WTF's this LSASS.EXE process running as SYSTEM, and WhyTF is it listening to port 445, and HowTF do I shut it down?"
Answer: "Some sort of weird Microsoft shit, I don't know, and there's no way to kill it - in that order."
Me: "Fuck it, then. Let's block inbound 445 at the router, and on my personal box, I'll try setting my third-party software 'Firewall' to deny all inbound and outbound traffic to it. If anything blows up, I can always permit my box to talk to whatever machines it needs to talk to".
Nothing blows up. Yet another Microsoft unnecessary service running with SYSTEM privs is forgotten about.
A year or two later: w00t!
Win9x may have been an unstable piece of shit masquerading as a graphical DOS shell, but as long as you didn't use Internet Exploiter and Outbreak Excess, you couldn't get pwn3d, because desktops that don't run any listening services are pretty fucking hard to compromise remotely.
Please wake up... (Score:3, Insightful)
This includes Linux boxes and Mac boxes as well.
Wake up and smell the damn coffee, it's not a problem exclusive to Microsoft, as much as some of the Linux rah-rah club would like to think.
Why is it OK for Linux to patch the hell outta itself but a damn near capital crime if Microsoft has to?
Grow up.
Microsoft released a patch, people did not install the patch. Who's fault is that? None of the 1000+ systems in my office were infected because I'm intelligent enough to have policies in place to prevent stuff like this from happening.
Re:Please wake up... (Score:5, Insightful)
Re:Please wake up... (Score:5, Insightful)
Also, on a Linux system there is no problem finding out what exactly runs, what it does and one can check the code quality.
In contrast, I have never even heard of the "subsystem" that is being used by this worm.
On a free system no one *has* to fix bugs for you, but you have the freedom to do it yourself (and configure the system anyway you like, so that, if you are not comfortable running sendmail, you use other software like exim or postfix).
On a black box system like Windows the company that makes it is responsible for getting each and every detail right because they do not let anyone else touch the contents.
Re:Please wake up... (Score:5, Interesting)
I find that comment funny and sad. Obviousally you run in a very tiny shop. we are still TESTING that patch because we are not stupid enough to trust microsoft. we have had many times a patch completely hose several of our critical apps. and when you are looking at around 500,000 desktops/ servers/ etc.. you can't do foolish things like installing patches willy nilly.
now let's add the fact that the company is too damned stupid to staff the security and virus team properly. we have 2 people... 2! and maybe 6 machines to test on... we really need about 5 and 20 machines and 2 servers to test on so we can roll this crap out in a timely manner.
So buddy, Grow Up.
Re:Please wake up... (Score:5, Funny)
I get it now. Microsoft isn't the bad guy after all! They're trying like mad to increase your company's staffing by 150%, not to mention the trickle-down effect of quadrupling your machine count.
Microsoft Windows: It's not a virus portal, it's an employment generator!
I'm glad Microsoft's doing something about the outsourcing issue.
(Caution: the above comment contains satire, an element determined by the State of California to cause cognitive dissonance in affected individuals)
Re:Please wake up... (Score:5, Interesting)
"Obviousally you run in a very tiny shop."
" 500,000 desktops/ servers/ etc."
Something about this exchange just struck me as really odd. So let's be generous and assume that the companies in question have 2 computers for every employee (unlikely). According to this page [census.gov], that would place the first company in the top 0.306% of businesses in the U.S. and and the second company in the very elite 0.016% of businesses in the U.S.! Tiny shop, my ass.
Re:Please wake up... (Score:4, Insightful)
1) All windows boxes use the same software and services which creates a good monoculture for viruses to spread in.
2) Why the fuck is that port turned on by default? What the heck is the service doing? Most users don't use that service so it should be turned off by default. sheesh!
3) When I last used Windows (a couple of years ago) it actively made it difficult for me to remove services I didn't want to use, like IE, IM, M$-media player, etc. There were many services that I didn't understand what they were doing, but I couldn't remove them. On Linux I do the opposite. I install a slim minimal server, and then add the services I want to use and understand. This is how it should be done.
Why all the talk about how Linux is not ready for the desktop (it is, it's what I use all the time) when the truth is that Windows is not ready for the internet. This is demonstrated monthly.
Interesting way of talking about it. (Score:4, Insightful)
Could Sasser possibly affect Linux? (Score:4, Interesting)
Re:Could Sasser possibly affect Linux? (Score:5, Informative)
The UK Coastguard has been hit. (Score:4, Interesting)
Not exactly a 0-day exploit (Score:5, Informative)
Everyone with a Windows machine should sign up for MS's monthly security e-mail or religiously check Windows Update on the second Tuesday of each month. I won't go as far as recommending automatic updates, though.
Re:Not exactly a 0-day exploit (Score:5, Informative)
This has caused many administrators to be hesitant to install it. Bugtraq had a discussion of the problems in April.
IE? (Score:5, Insightful)
If you're going to bash Microsoft, at least bash the right frickin' part...
firewall to the rescue (Score:5, Informative)
Roll on XP SP2 with the firewall on by default for everyone, then hopefully things like this will go away....
Yeah, I'll run that removal tool. (Score:5, Insightful)
Biggest Windows vulnerability ever, again. How many times have we said that this year? At work, it's begining to feel a bit like a duck and cover drill.
-Peter
From an IT guy (Score:5, Funny)
Down the hall are the MCSE's. I can hear them shouting at each other about why this and that system wasn't patched.
Even the network big wigs are in the room with them.
Ahhhh... the joys of *nix....
Back to my wonderful coffee....
Re:From an IT guy (Score:5, Insightful)
evolution? (Score:5, Interesting)
i'd like to know:
when is someone going to put a genetic algorithm into their virus/worm?
something that mutates the worm's parameters (ports, timing delays, ip-search stratgy, etc.) so that the most virulent parameters are found by "natural selection"?
seems like an ideal application for genetic algorithms.
K.
Re:evolution? (Score:4, Informative)
Anyway, by DEFINITION a genetic algorithm uses a population, and also by DEFINITION it uses sexual reproduction (see Thomas Bäck's excellent book comparing several evolutionary techniques, "Evolutionary Algorithms in Theory and Practice", 1996).
If you use pure mutation on a single solution, the term to use would be "Evolution Strategy".
If you want to exclude sexual reproduction, or use any evolutionary technique without bothering about definitions, use the term "evolutionary algorithm", which is an umbrella-name covering all evolutionary techniques.
I know that people are often a bit loose about what terms to use, but since this is one of my particular subjects of research, I am a bit anal about it.
Finally, AFAIK, there are already virusses and worms that mutate themselves. I don't have any definite examples, though.
Zonealarm Failure (Score:3, Interesting)
And yes there is AV on it, but it was infected before the updates had even come down.
Re:Zonealarm Failure (Score:5, Insightful)
Blocking port 445 from inbound traffic secures the computer against this worm.
Also the failure to install a critical patch that has been out for two weeks is called 'stupidity'. Using a windows box connected to the net is already something close to extreme sports. Doing so without regular windowsupdate visits is like extreme sports blindfolded without a helmet. You are *bound* to get hurt.
Our server's protected (Score:3, Informative)
A simple click on the "No" button stopped this worm in its tracks.
If more admins just installed firewalls and made sure all unnecessary services were blocked there'd be a lot less worm infections. (sure it won't protect people who need to use the Security Authority Subsystem, but I'm willing to bet a lot of the infected machines don't use it at all)
More removal toos here (Score:4, Funny)
Problems are with windows, not IE (Score:5, Informative)
Google cache of McAfee's page on the worm [216.239.41.104]
One of symantec's pages [symantec.com]
BEWARE NT4 TS + Citrix admins!! (Score:5, Informative)
just BSOD'ed my Citrix server.
YMMV
"/Dread"
Re:BEWARE NT4 TS + Citrix admins!! (Score:5, Informative)
I would hope that MS04-011 would check for the presence of the SRP, but who knows?
Once again, the writing is on the wall.... (Score:4, Insightful)
Microsoft, Linux, Apple - all platforms need to have this drilled into their brains, coding, and documentation repeatedly with much force! Microsoft is a target because they have angered so many with their *business* activities and sloppy coding. How long before Linux joins them?
I am an avid Linux user - The only windows machines I have are for client applications that I can not run on Linux.
Most of us (yes, me included) when we scratch an itch, make it work for ourselves, not for the world in general. If we are to produce Secure, Stable and Safe programs, then we need to have a tool set that allows us to build them without thinking about it, or we need to all think about it with each app released into the wild. Asking Joe User to know enough to run a secure platform is like asking all people to be able to self serve everything in their own cars, appliances and bodies (i.e., no mechanics, repairmen or doctors needed).
'It aint gonna happen!' All of these are way to complex and most are changing faster than most people can keep up with. So, it needs to fall back on our shoulders (the developers) to make this happen. The question today (as in so many other days past) is what can we Linux developers learn from Microsoft's mud? What are the issues that are allowing these things to happen and how can we prevent them? I hope everyone has heard this before.
And, more importantly, how do we get qualified people to itch this scratch to completion? It seems to me that the world in general would benefit most from a programming tool set that built these solutions in, and that is not going to be an easy task. Microsoft is trying to address that with .net, and is still not on target (or anywhere close from what I have seen). Java tried to answer that, but it has fallen far short of what is needed.
I really do not have any answers to this. One of my bet friends has explained to me the complexities of building compiler systems and writing your own languages. Those complexities alone are big issues. I would love to read what other /.ers have to say on this issue.
InnerWeb
Here's my favorite bit... (Score:4, Insightful)
That should make the writers happy... that their ineptitude made global news.
I am not impressed with the foo of these cut-and-paste virus coders. There was a time when it was actually difficult to code one of these things, but come on... they are open-source now.
No-kung-foo-required.
Built in XP firewall not effective (Score:5, Interesting)
I don't know about you guys, but the SASSER worm turned an otherwise boring Sunday into wickedly exciting day! Thankyou worm-guy!
-s
Dual boot works for me... (Score:4, Interesting)
I've found that the best solution to the problem of Microsoft's constant and ever more serious security holes is simple:
Dual boot with Linux. Linux for the network; Windows for the games.
Just use Linux as your network-enabled OS, and Windows for everything else. Log off the internet or disconnect your DSL or broadband before you reboot into Windows, and you'll be fine.
It is really that simple - I just disconnect my network connection when I'm running Windows. Let's face reality here:
So the solution is simple: Linux is your network OS, and Windows is your "friends and family" OS.
Two words.. Hardware Firewall (Score:5, Interesting)
How Come These Things Are Not REALLY Bad (Score:5, Insightful)
Other virus's do all sorts of nasty things, but they all seem to stop short of REALLY bad things. Search for files they can delete, look for a network drive and have their way, find interesting files and mail to random people, rename this or that to render the machine useless.....
To me this seems very strange. Is ther some kind of virus writers code that has some small bit of ethic? Is there some undergound society that meets the 3rd wednesday to discuss safe virus exploits? Does Microsoft create these things to get people to upgrade? Maybe McAfee and Norton are funding them and they just want a profitable year?
Now I am not asking for this kind of damage, but as my boss points out he has no reason to switch to anything more secure because nothing really bad happens.
Re:How Come These Things Are Not REALLY Bad (Score:4, Interesting)
Because virus writers are not subtle enough... (Score:4, Informative)
spread fast for the first few hours or days, until it saturated the vulnerable population, then cut way back on network traffic and hide.
not crash machines or trash all their files - instead, it would slowly and subtly modify user data files (see here [slashdot.org] for a few suggestions).
Imagine what would happen to modern business if they discovered that they couldn't trust any document that had ever touched a Windows machine... the world's economy would grind to a halt. Not even Microsoft has enough money to pay damages for an event like that, though the combined law firms of the world would try to get it from them.
Re:How Come These Things Are Not REALLY Bad (Score:5, Interesting)
Now imagine a real "virus industry". There would be serious R&D, business plans, virus development models, project management, the works. Probably even some code QA and testing. Why? Because there would be money in it. Don't know what the money would be, be if there were to be some then the "virus industry" would emerge overnight.
The idea that a virus could be stealthy (or clever) enough to avoid detection and just sit around on infected PCs is part of the transtition from hobby to a business. I've been noticing that already there is a sort of "dark Internet" of zombies that can do pretty much whatever someone needs them to do, enabled by viruses. Aside from spam, here are some other uses for those machines:
-- set up virtual casinos that dissolve instantly when the vice cops arrive.
-- set up distributed supercomputers for unlawful uses, like cracking access codes or breaking IPSec packets
-- have zombies not only monitor their users, but via something like ethereal monitor the broader Internet for traffic within their subnet. Imagine Carnivore on crack, and in the hands of the Mafia.
-- use zombies to launch focused, sustained DDoS attacks against adversary nations
-- use zombies as advanced positions to launch new rounds of virus outbreaks with split second timing and absolute accuracy, in this way overcoming most defensive responses in the first 15 seconds. Build a newer, stronger zombie network each time. slowly take over the Internet.
Profit
It's coming, people. You know it and I know it. Every habitat has its unseen underbelly, its fetid swamp, its decaying compost, and the Internet is about to get its own sewer system, full of rats and desease and decay.
Will we care? Nope. It will just be there and we'll eventually learn to live with it, or use it to our own purposes.
Trend Micro Damage Cleanup (Score:4, Interesting)
Trend Micro Damage Cleanup [trendmicro.com] is a free after-the-fact cleanup tool that will fix just about any virus (As long as the pattern file is downloaded...) It scans drives, registry, etc. The only drawback is that it's quite large (The pattern file is ~8.5MB and the Scanner is ~1.6MB).
It blows Norton's one-fix-per-virus tools away, except from a portability standpoint. Also helps make sure you don't leave other viruses behind. (Did I run the Netsky.QZX removal tool, but not the Netsky.ZZB one?)
Yesterday it found 530 copies of Agobot (3 Variants) and Sasser.B on one person's PC.
And (wait for it)...patch breaks the computer! (Score:5, Funny)
"[We] have learned of issues loading the Windows 2000 patch in MS04-011 when complying with [vulnerability ID].... systems can stop responding, users cannot log on to Windows, or CPU usage for the system process approaches 100 percent after installation of the security update. Additionally, [we] have heard that some systems may require a complete rebuild once the patch causes system to crash."
And the kicker, "Systems Administrators are advised to proceed with caution when patching Windows 2000 systems." Um, how exactly does one do that, with one hand on the power cord, or click the install button very slowly? Does applying the patch warn you "About to hose your system, proceed?"
Two huge gaping problems (Score:5, Informative)
1) Several groups were relying on SUS in order to get those patched distributed. If you go into SUS, the patches were 'approved' on one screen, not on the other. I wasn't alone in seeing this. Suffice to say, I was also a bit shocked when it started to blow through and none of my machines were protected.
2) When it installs (sasser.d) it writes itself to 'System Volume Information' - allowing it to not get caught by NAI's on demand scanner, and re-infect the box if you don't do a C drive scan manually.
--pete
Re:Another removal tool (Score:3, Informative)
Re:M$ - First Post? (Score:5, Insightful)
The Internet is great, broadband is great, computers are great. But as long as people are willing to give up their passwords for chocolate [slashdot.org] and have no clue what a firewall is or what it does, this problem will continue to plague everyone.
Nothing beats a good educated user.
Re:M$ - First Post? (Score:4, Insightful)
Re:M$ - First Post? (Score:4, Insightful)
You speak the truth. However, as always, the car:computer analogy fits here. If you think about what you need to know to use a car, it's not very complicated. There is a core set of knowledge that you need:
1. Operational (How to turn it on/off, put it into gear, brake, accelerate, speed, re-fuel, etc...)
2. Navigational (How to get from point A to point B. Understand traffic flow and direction. Read signs and street lights, etc...)
That is the bare minimum you need to drive a car. Many people these days seem to just barely know (or care) about any of that. In addition there is extended knowledge:
1. Maintenance (Get your oil and filters checked/changed. Tune-ups. Fluid checks. Cleaning.)
2. Enhancement (Learn more about your engine to get it performing to the best of it's abilities. Understanding the interaction between your car's tires, the road and aerodynamics to get the most out of your car)
3. Interior/Exterior Decor ("Trick Out" your car and add high performance with stickers, spoilers, tailfins and fartcans. Make sure your stereo can tip off Richter scales for miles around, etc...)
Very few people ever get to that level of knowledge. There really isn't any real reason for "Joe Average" to get there. But as far as the core knowledge goes, would you want someone out on the road who can't read directional signs, doesn't understand the concept of direction (N, E, S, W) or speed limits? Trust me, I see people on the road every day who appear to be lacking these basic skill sets and they are largely responsible for the accidents we see regularly.
Apply this to computers, and you can see that we are, indeed, in a sorry state by comparison. Again, there is a core skill set that a computer user SHOULD have to be fairly competent. But it's much more complex than what is required for driving a car:
1. File System - An understanding of how files are organized in an OS is very important at this point. It's a LOT like knowing how to read a map and get from point A to point B. Sadly, most users DO NOT have this skill set. In the interest of being "user friendly", applications like MS Office have attempted to abstract where files actually are located. This harms the user because if MS decides to change the location in a new version of the OS or program (My Documents has moved from where it was in NT 4.0 compared to Win2K and WinXP for example) then the user may think their documents are "gone". Tools like "Find Files" aren't any better at helping either because the user will ignore the path and just double click the file to have it open in Word. Or worse, there will be a "shortcut" in the "Recently Used" section of the Start Menu. I ask you, would you set up a physical filing cabinet this way with post-it notes in folders saying "This file is in Cabinet 35, Drawer B, Divider 2, Folder 12"? Shortucts (and sometimes symbolic links in Unix) are a BAD IDEA.
2. File Types - One of the worst things about most OSes (Macintosh pre and post OS X excepted) is the non-existence of standard file types. Part of this is due to the fact that file types and data types are a moving target. HTML files didn't exist in 1984, so a Macintosh from back then wouldnot have had a built in association with an application that could read them. In the Windows world, the association between application and file was (and can still be) manual procedure that will perplex most users. Considering how much data and file types come and go and change, I am still wondering why there is no DNS type of system for file types that any OS worth it's salt would hold to. Imagine... a central DNS like repository that holds a database that an OS queries: "I have a file with the following type: x-application-doc. What applications should I use?" The server responds to the OS: "mswin-winword.exe, mswin-soffice.exe -writer, generic-unix-soffice, linux-kword, multiosapp-abiword". Then the l
Re:Windows only (Score:3, Insightful)
You forgot to mention that "sasser" only infects windows machines.
It should be the default assumption that since it is a worm then it only infects windows (the same goes for virii of course). I would think that it would be worth mentioning if it infected anything besides windows boxes...
Microsoft: crime-ridden slums of computing (Score:3, Insightful)
Why people continue to choose Windows is beyond me. Linux and Mac OS X are more secure and more powerful. And oh yeah, cheaper. Sure you get Windows when you buy a new machine. But that's like offering a poke in the eye with a pointed stick with every purchase.
Re:Windows only (Score:5, Interesting)
Re:Windows only (Score:5, Informative)
That's because windows update installs via an ActiveX object. Only IE can run that. You probably downloaded the ActiveX object, but since it can't run without IE, it didn't download the update. If you need to download the update separately, check out the adminstrator section of windows update. MS provides all updates as a separate download that you can burn to a disk and install that way.
Re:Windows only (Score:3, Informative)
Re:Windows only (Score:4, Interesting)
I always see this posted and I think people get this mixed up. More web sites are hosted on Apache servers, but there are more physical boxes running Windows.
Example:
I just left a job working at one of the largest internet hosting companies. We hosted close to 300,000 web sites; both Windows and Linux. Our customer base was roughly 60% Linux and 40% Windows; hosted on a little over 5,000 servers.
If you were to know the number of servers we have and looked at a Netcraft scan you would assume the following:
3,000 servers running Linux web sites
2,000 servers running Windows web sites
But that would be incorrect. Most of our Linux sites are cheep little geek home pages where we have a couple hundred sites hosted on a server. Our dedicated sites, big e-commerce sites, are mostly running on Windows boxes. So we have some servers running hundreds of sites and others running 1+ sites.
What's my point? In reality it's more like 1,500 servers running Linux (Apache) and 3,500 running Windows (IIS). I've worked at a couple large hosting companies and it's the same at all of them. So when you see the Netcraft report stating that 65% of the web is running on Apache, that doesn't mean there's more physical servers out there running Apache than IIS; just Apache servers are hosting more sites due to the small, cheap nature of a lot of Linux hosted sites. So, in reality, there is a larger install base of IIS machines. Of course Apache is pretty secure, because if they attacked an Apache box at a hosting company they could take down a lot more sites, causing more havok.
Re:Windows only (Score:5, Insightful)
1: There ARE more web servers out there running Apache than anything else. So, why is it that there is an unbalanced proportion of these boxes remaining intact and and with 99% (sic) uptime than the Windows boxes?
2: Apache runs properly with fewer system resources, hardware and preventative maintenance than Windows. Set & forget, to a great extent.
3: One of the main reasons that many corporate/commercial servers are still running IIS is because of the ease of use in integrating MS SQL and specific data export services from what the desktop is running: Windows. If from your average net admin's perspective, they could easliy and definitively state to their bosses that they could run a given database server on Apache for X dollars instead of on MS for XXX dollars, they would do it. It is difficult for the admins on two fronts: a) persuading their employers that a free product could possibly outrun what the so called market leader has provided, and b) if something goes wrong, fewer heads will roll if they're using MS instead of a "free", "open-source" product that, in the eyes of their employers was a gamble to start with.
This will all change VERY soon.
It's all a mind game....
Re:Windows only (Score:5, Informative)
Here is a link [counterpane.com]
Of course, worms like that are few and far between, especially when compared to the number of Windows worms going about lately, but to claim a system is "worm free by nature"? I think that's more than a little premature.
Re:Direct? (Score:5, Informative)
An exploit connecting directly to port 445 of a host and not requiring any user-intervention to become infected.
Re:Direct? (Score:5, Informative)
In the case of the Sasser worm, it is using an open port to crawl directly into your computer when you connect to the internet. There is no action required on the part of the user and no infected file to load. Windows simple accepts the connection and installs the worm.
That's why worms are "more directly from the internet" than email-based viruses.
re: Late... (Score:3, Informative)
Re:Heard of a firewall? (Score:5, Insightful)
B. Plugs laptop into phone-line / uses internet
C. Gets infected
D. Takes his laptop back to the job
E. Infects the entire LAN *FROM THE INSIDE* while the firewall hapilly keeps the fire "IN" (instead of out).
If you fire anyone, please fire the laptop-owner.
Re:Heard of a firewall? (Score:5, Insightful)
A. Guy takes home corporate laptop.
B. Plugs laptop into phone-line / uses internet
C. Gets infected
D. Takes his laptop back to the job
E. Infects the entire LAN *FROM THE INSIDE* while the firewall hapilly keeps the fire "IN" (instead of out).
This actually happend to us last year.
If you fire anyone, please fire the laptop-owner.
Uh, problem being that it's good odds that the laptop owner is the boss of the people wanting to fire someone.
Re:If Im totally up to date with my MS Security st (Score:3, Insightful)
Sasser exploits a hole in Windows. A patch for this hole has been out for about three weeks.
Moral of the story: Keep aware of the Critical Updates. You may not need to apply every single one of them, but at least be aware of what they are, and what problems they are designed to fix.
Re:What ARE Win98SE users supposed to do? (Score:5, Informative)
This was months ago that I read this. I called into the Microsoft PCSAFETY toll free number and a tech indeed acknowledged that Windows 98 and ME PC's were vulnerable. And they e-mailed me a link to download the patch (not one of the hoax e-mails either, so no jokes!!). Since then I deployed it to all of my Windows 98 PC's and know that they are at the same standard as the Windows 2000 and XP machines.
What kind of company releases patches and leaves out some client versions that are still safe from the EOL cycle? That's what Microsoft did with the ASN.1 patch.
And what kind of company releases patches that obviously weren't tested on clients that were running USB storage, DLT storage, and IPSec agents? Look at the KB835732 patch. It broke all of these driver loads, leaving patched PC's running at 99% CPU utilitization after rebooting.
Nice, really nice. Risk stability and compatibility issues versus being exposed to an Internet-borne worm. I'm not blaming Microsoft for having vulnerabilities. All OS'es do to one degree or another. But I am blaming them for leaving our client versions and not thoroughly testing code they should've been working on for 5 months.
Re:Sassier *is* a virus (Score:5, Informative)
No, that's inaccurate.
Worms [snowplow.org] can spread to other machines on their own. Viruses require some external intervention (such as file sharing or e-mail) to spread to other machines. See this entry in the Jargon File [catb.org] for a more verbose answer.
Now, many of the latest e-mail "worms" would be better classified as viruses or trojan horses, as they are incapable of infecting other hosts without direct user intervention (i.e., opening an attachment.) They've been (IMHO) mis-labeled as worms because they display worm-like behavior once they've infected a machine--that is, they mail copies of themselves as trojan-style attachments to other users.
So yes, the Sasser worm is a bona-fide worm. It transmits itself to other systems without any external help.