Nimda To Strike Again (523 comments)

Posted by timothy
from the and-again-and-again dept.
Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.

Update: 09/27 22:45 GMT by T: Temporal confusion -- that's 5:00 GMT, sorry :)

Update: 09/28 00:14 GMT by T: Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.

  • 9 PM? (Score:3, Flamebait)

    by SpanishInquisition (127269) on Thursday September 27, 2001 @06:34PM (#2361079) Homepage Journal
    All NT admins leave at 4:50 PM, too bad for them.
  • Again? (Score:2, Interesting)

    by Dimensio (311070)
    What does this mean? I was under the impression that once Nimda infected a machine it would attempt to propagate indefinitely unless the machine were cleaned. What was the propagation time cycle for the first run?

    Mind you, I've not seen a significant dropoff in my firewall hits (hits doubled after Nimda first hit), but perhaps I've not been checking properly.
    • Re:Again? (Score:3, Informative)

      by Pathwalker (103)
      I saw a sudden dropoff in Nimda infection attempts a while ago.
      It's quite obvious if you look at the graph I have here [ofdoom.com].
      One moment, the nimda hit count is heading straight up, the next, a sharp bend to the right as the rate of new hits drops to almost nothing...
      • That's probably from many, many PHBs reacting immediately to the Gartner Group's recommendation to replace their IIS PCs with $SOMETHING_LESS_VULNERABLE. Once they had turned 'em off, hits would have to drop.
        • Re:Again? (Score:3, Insightful)

          by reverius (471142)
          That's not possible... any significantly large company that was going to change something like that would need an obscene amount of time to switch to "something less vulnerable"...

          somewhere around a year and a half. :)
  • by jiheison (468171) on Thursday September 27, 2001 @06:36PM (#2361090) Homepage
    I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.

    Maybe just corn syrup and regular ants for the admins who still haven't patched their servers.

    • The usual punishment of:

      • a hosed server first thing in the morning, before coffee,
      • a stack o mail from other irate sysadmins that are getting hit on by the infected zombie to which your name is attached,
      • some urgent voicemails and pages from users and from your management asking what the !&%$ is happening.
      The usual...ho humm.

      Otherwise, Friday morning would have been relatively pleasant.

    • by DrSkwid (118965) on Friday September 28, 2001 @04:30AM (#2362730) Homepage Journal
      I've gone through my logs and found quite a few

      What I do is go connect to the offending box via smb

      Usually they have a printer attached to it so I print out a page of A4 with:
      "YOU ARE INFECTED WITH NIMDA, SORT IT OUT
      here's how : http://www.antivirus.com"

      on it in 72 point text

      it's working so far

      if they don't have a printer then they usually have an open share that's world writable so I leave text files called

      you are infected with nimda.txt

      and put the url inside them

      that's closed a couple too

      (I also found a keygen I'd been looking for so that was a bonus)

      I'm not sure if nimda resets the passwords but which might not lead to a surprise of how far you can go with

      un : adminsitrator
      pw :

      have fun

    • by Rogerborg (306625) on Friday September 28, 2001 @05:24AM (#2362800) Homepage
      • I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants

      I'd recommend 25 years of indentured servitude at Microsoft. Possible outcomes:

      • Microsoft learn how to think and code defensively.
      • Microsoft learn that bigger isn't necessarily better.
      • The s'kiddies have the will to code sucked out of them.

      Either way, we win.

  • Not Me (Score:4, Interesting)

    by NitsujTPU (19263) on Thursday September 27, 2001 @06:37PM (#2361098)
    I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.

    Are you kidding?

    Legislation shows that people have a hard time differentiating what's a serious offence and what isn't.

    For one thing, taking this out on someone hard, would only lead to approval of laws like the proposed law to make a bunch of kids in HS "terrorists" for winnuking each other.

    We KNOW that these aren't hard to create, kids with no formal training can crank them out like they're nothing. To a 14 year old kid who needs to show off to his friends (and almost all of them do), it's IRRESISTIBLE. I can't picture throwing someone behind bars for more than a couple years just because their virus is effective.

    If anything, they need counseling to know WHY what they are doing is bad, that it affects other people and that it isn't just a game, but certainly making an example of these people sets a precedent for the treatment of all of us.

    In other words, turn some silly kid with a script for making viruses into a real criminal, when people are getting in trouble for stupid stuff like scanning someone's ports, and soon you'll see anybody without corporate backing thrown in jail for having a debugger.
    • Re:Not Me (Score:3, Interesting)

      by rgmoore (133276)
      We KNOW that these aren't hard to create, kids with no formal training can crank them out like they're nothing. To a 14 year old kid who needs to show off to his friends (and almost all of them do), it's IRRESISTIBLE. I can't picture throwing someone behind bars for more than a couple years just because their virus is effective.

      But this is really an argument in favor of different sentencing for juveniles than for adults (an idea that I support, and feel that recent laws are incredibly stupid to ignore), not against heavy potential penalties for writing viruses. IMO, writing a virus is the ethical equivalent of starting a fire, and deliberately releasing one is the moral equivalent of arson. Like a fire, a virus has the potential to spread completely out of the control of its originator and cause tremendous damage along the way. Little kids are not generally sent to prison when their playing with matches burns something down, but adults who do so are, and deserve to be, treated quite harshly. IMO any person who is legally competent to understand the consequences of releasing a virus and does so anyway deserves a nice long vacation at Club Fed.

    • Re:Not Me (Score:5, Interesting)

      by sphealey (2855) on Thursday September 27, 2001 @07:11PM (#2361305)
      "Legislation shows that people have a hard time differentiating what's a serious offence and what isn't"

      Despite the fact that I thought we were patched and secured, the Nimda worm hit our servers. Oops - missed one of those MS security bulletins. My bad.

      The cost in real dollars (not "gartner dollars" or "TCO dollars") to clean it up was around $25,000. For one small manufacturing company.

      If a naughty kid threw a rock through our window and did $100 of damage, the police would yell at him and call his parents to pick him up. If he threw a bottle of gasoline through the window and did $25k of damage, he would be prosecuted for a felony.

      So exactly how is this Nimda bomb not a "serious offense"?

      sPh
      • The cost in real dollars (not "gartner dollars" or "TCO dollars") to clean it up was around $25,000. For one small manufacturing company.

        I've always been curious - exactly how was this value arrived at?

        I know that one of the major factors that goes into the usual "damage" estimates is actually people's time, but if you have a sysadmin on staff, it's not costing anything real, it's just changing his tasks for the day (to arguably do something he should have done already).

        Not meaning to flame you, I've missed my share of security bulletins too. I'm just honestly interested in where that figure comes from. I understand if you don't want to mention specifics due to corporate interest, but even a rough breakdown would be enlightening.
        • Re:Not Me (Score:4, Informative)

          by ptomblin (1378) <ptomblin@xcski.com> on Thursday September 27, 2001 @07:42PM (#2361457) Homepage Journal
          but if you have a sysadmin on staff, it's not costing anything real

          Maybe this isn't the case where you work, but where I work people use the computers to get useful work done rather than just to provide employment for a sysadmin. If a virus or worm causes down time, or the DDoS-equivalent of all those scans causes people to be unable to reach the internet to do their jobs, then everybody in the company sits there twiddling their thumbs doing nothing. That costs money. So do lost orders because people attempting to reach your web site get a defacement message and probably a copy of the worm instead of your orders page.
          • I hate to ask, but are you assuming that everyone who was unable to reach your site never came back to complete the interrupted transaction? If so, I don't believe I would take the numbers themselves quite as seriously. It's unreasonable to assume that based on the average amount of business time a given site remains offline due to local problems, that people haven't learned "gee, maybe I should come back in 5 minutes". It's kind of a new "internet-ism".

            People posting damage estimates should include some indication of how they were arrived at: it's just a part of gaining credibility. 50 different companies are going to estimate it 50 different ways, and everyone from consultants to law enforcement will have their own definition.

        • Re:Not Me (Score:3, Informative)

          by sphealey (2855)
          "Not meaning to flame you, I've missed my share of security bulletins too. I'm just honestly interested in where that figure comes from. I understand if you don't want to mention specifics due to corporate interest, but even a rough breakdown would be enlightening."

          Well, I'm a bit busy at the moment :-(, but a rough breakdown goes like this:

          We are in the middle of an ERP implementation. I (who serve as the IS Director, IT Manager, business analyst, and project manager) am six weeks behind on some critical tasks. Fixing the worm took 5 days of my time (about 100 hours - but I won't charge for the lost sleep). I had to bring in several temps to key data that couldn't be pulled from our reports server, bring in our networking consultant on short notice from out of town, pay overtime to the other members of my staff to assist in the cleanup, buy two additional machines to use as recovery servers. We missed several customer shipments because part of the shipment processing system was down, for which we will probably have to pay penalties. We had to pay our EDI vendor to fax us transactions that should have EDI'd in, and Customer Service and Accounting people overtime to key them in manually. We may be charged penalties by the customer for not completing the EDI transactions. And so on.

          There are real dollars involved when business processes fail. Normally I am not the most even-tempered person in the world, but this time, every time I started to get angry I thought to myself: "and how do the sysadmins on Wall Street feel?", making my problems not seem as critical. But it was a very ugly week.

          sPh
      • Re:Not Me (Score:2, Insightful)

        by Drake42 (4074)
        I bet you have security guards, fences and cameras to protect your buildings from 14 year old kids.

        Why don't you have a secure firewall to protect your servers?

        We are living in the time that 100 years from now people will look back and think we must not yet have evolved properly. They will look back and think, "Why did they put up with that idiocy? Were they just stupid back then?" And parents will shrug and grandparents will say "It was like the frontier!" and kids will think "Wow. Those guys were stupid."

        Don't bitch about the lack of government protection when all you have to do is install appropriate security which costs NOTHING. I don't want my taxes paying to protect you from your own laziness.

        25K lost? Serves you right.
        • "I bet you have security guards, fences and cameras to protect your buildings from 14 year old kids.

          Why don't you have a secure firewall to protect your servers? "

          There's something to that argument, and I have already abased myself in front of the owners of the company.

          OTOH, we DO (and did) have a firewall and virus scanners of reasonable strength. I also own a house on a fairly heavily travelled street. Should I have to put up 3m walls with razor wire and install bullet-proof glass, as they do in Jo-burg? Is that a pleasant way to live? And what about personal responsibility on the part of the felon who did, in fact, actually cause the damage?

          sPh
      • Re:Not Me (Score:4, Insightful)

        by technos (73414) on Thursday September 27, 2001 @08:18PM (#2361595) Homepage Journal
        Despite the fact that I thought we were patched and secured, the Nimda worm hit our servers.

        Oops indeed! All of Nimda's exploits were old. You had what? Five months? At a total cost of $25,000?? Damn, I hope you have some money put away, because if you were one of my employees, you'd be working at half pay to reimburse the company for your negligence. That's on a good day. On a bad day, you'd be fired, and I'd call Legal to have them sue your ass once it cleared the doorstep on your way to the unemployment line.

        Rule 1: If you're an NT admin, you have to stay on top of *EVERY* patch. You don't patch, your company loses money because of your negligence. If you don't patch, you deserve to lose your job.

        Now, if you're one of those companies that has lost a lot of 'good men' to rule 1, perhaps you should not use Microsoft products? Perhaps they're not everything the Microsoft rep told you they would be...
        • Good luck finding work in the real world. I am afraid the days of 600-man data processing departments went out with the 1960s. And while we do have security guards around our physical facilities, we don't have a detachment of 200 ex-SAS blokes with night vision and sniper rifles, either.

          sPh
        • "Oops indeed! All of Nimda's exploits were old. You had what? Five months?"

          You are assuming that you, and the security vendors, fully understand Nimda and all its vectors. I am not quite so sure myself.

          sPh
        • Re:Not Me (Score:5, Insightful)

          by Rogerborg (306625) on Friday September 28, 2001 @05:31AM (#2362813) Homepage
          • If you're an NT admin, you have to stay on top of *EVERY* patch. You don't patch, your company loses money because of your negligence. If you don't patch, you deserve to lose your job

          You apply SP6 to NT4 the day it comes out. Your company's Lotus Notes system falls on its arse. You lose your job.

          Admins have a hard enough job keeping a known, stable system running without applying day-0 patches every time Microsoft figure they've screwed up again. Applying patches immediately and automatically isn't a black and white issue, and all your sound and fury won't make it so.

        • Re:Not Me (Score:3, Funny)

          by psin psycle (118560)
          If he threw a bottle of gasoline through the window and did $25k of damage, he would be prosecuted for a felony.

          We've known about these exploits for many many years. There are even patches for them, fire retardant materials and bullet proof glass. For some strange reason though, it is still the bottle thrower who is at fault and punished, and not the poor facilities guy who didn't upgrade the bits that make up the windows to something that cannot be attacked.

          Why the double standard? In the 'real world' good-enough security is, well, good enough. In the computer world, good-enough security gets laughed at and scorned.

    • We KNOW that these aren't hard to create, kids with no formal training can crank them out like they're nothing. To a 14 year old kid who needs to show off to his friends (and almost all of them do), it's IRRESISTIBLE. I can't picture throwing someone behind bars for more than a couple years just because their virus is effective.

      For the most part, yes. However, Nimda behaves in some very strange ways indeed and I think may have been the work of a pro. I have seen it spread through 2 methods which are completely undocumented and through software which is supposed to be immune, such as IE 5.5 SP2 or IE6.

      I saw it write to a share which had write permission denied to everybody. Furthermore, it somehow executes itself through that share. So we have one patch which was supposed to work and another vulnerability for which there is no patch. That makes me suspect that the virus uses 2 previously unknown vulnerabilities.

      FWIW, I did the following to secure my system at work (unfortunately MS OS) and have not had problems since:

      1: Remove the following groups from NTFS permissions: Authenticated Users, Everyone.

      2: In the security tab of IE, click custom and either disable javascript, or file downloads...
  • What? (Score:4, Funny)

    by jpinnix (220884) on Thursday September 27, 2001 @06:38PM (#2361108) Homepage
    No double stockade and fireants for the IIS creators?
    • Re:What? (Score:2, Funny)

      by chromatic (9471)

      Presumably they already have to attend Microsoft pep rallies, where Steve Ballmer may dance again. Haven't they suffered enough?
  • by cOdEgUru (181536)
    Gosh! It would be interesting to see if any more servers turn up affected after so much patching and screaming and thrashing. I would normally expect every one of those admins to patch their boxes by now, but at the same time, there would be some more, either ignorant or out on vacation, who are bound to get hit.

    And when shit hits the fan, the management is sure to turn around and bite, yelling "But we all knew about it..Why didn't you do it ?" .. Err..well..

    Patch those boxes up..and do so in a routine manner. Sure it's pathetic and time consuming. but it's your data and your hardware..

    • by Roofus (15591) on Thursday September 27, 2001 @07:12PM (#2361312) Homepage
      Heh, I work with a guy who isn't the brightest at times. He's been setting up a 2000 Server that's been hit twice with nimda in the last week. He reinstalled the server from scratch after each infection. His response?

      "I put the computer on the network to install Norton, and it keeps getting infected before I can get the updates"

      Ok, TWO THINGS:

      1) If you're going to install IIS, do not plug it into the network until you've shut down IIS. Then go download the updates.

      2) Norton isn't going to stop you from getting infected, it will only warn you about it during a routine check. If you want your machine to stay healthy, PATCH YOUR GODDAMN SYSTEM.

      Seriously, Microsoft has a little utility called HFNetChk that will scan any local or remote system and will tell you what patches need to be applied. This includes the system, IIS, SQL Server, and IE.

      Not all updates are listed on the little automatic update website.

      Sigh...
      • by q-soe (466472)
        We use HFNetChk and it works like a charm - the problem we had with Nimda was that the SAP servers connected to our network but maintained by the provider (we are in month 3 of an Enterprise Rollout) were unsecured and not running any virus protection, we got slammed by nimda - it did not hit any of our servers in the front door thru IIS but spread to boxes not running IIS but connected to the SAP system and to desktops from there.

        That's the thing that really pisses me off, we spend the time to lock down and secure our networks, hours patching systems and making sure virus scanners are up to date and then we get slammed by servers we have no access to or control over - yet we are the IT dept.

        If we can't maintain it and guarantee it's safe then it should not be on my network dammit !
    • "Gosh! It would be interesting to see if any more servers turn up affected after so much patching and screaming and thrashing. I would normally expect every one of those admins to patch their boxes by now, but at the same time, there would be some more, either ignorant or out on vacation, who are bound to get hit."

      You are assuming, of course, that all the vectors of infection are known, all the behaviours of the worm are understood, and that patches exist for all of them.

      It's typical terrorist tactics to hit the same target twice 20 minutes apart. That way you get all the rescue workers and gawkers too. The IRA figured that out years ago - the WTC killers just perfected the idea.

      So perhaps Nimda was designed to throw a scare into everyone, cause them to run around and download lots of patches, expend lots of effort - and then 10 days later do its real dirty work.

      sPh
  • by BIGJIMSLATE (314762) on Thursday September 27, 2001 @06:40PM (#2361120)
    I believe this Wired article applies in this case (as many machines are still left unpatched), as well as an idea of what some ISP's are considering/doing if their subscribers don't have a clue.

    (Plain-text link):
    http://www.wired.com/news/business/0,1367,47037,00.html
    • After I heard about the Gartner report calling for a rewrite of IIS, I couldn't help wondering how a company that is supposed to be full of analysts can miss the mark by such a great deal. The problem with IIS isn't that it needs a rewrite, because a rewritten version will probably still have bugs since it will be a non-trivial piece of software and all software has bugs, but that
      1. Microsoft needs a better way of getting patches out to people. Preferably something as simple as the apt-get/cron combination.

      2. IIS admins are typically inexperienced and unknowledgeable about security and thus never get around to installing a patch even though it was released almost a year ago.

      3. IIS patches need to be on the Windows Update [microsoft.com] website.
      • by alienmole (15522) on Thursday September 27, 2001 @07:44PM (#2361463)
        Did you read the Gartner report carefully? It said "enterprises hit by both Code Red and Nimda" should investigate alternatives. This implies that enterprises not hit by both worms don't need to switch.

        If a company wasn't hit by both, presumably their security policies and procedures are either already up to scratch, or capable of being improved sufficiently. But if a company was hit by both, their procedures are probably beyond repair, and they'd be better off with a server that's more secure by default.

        So I think Gartner was absolutely correct. Not only that, but people who didn't pick up that subtlety from the Gartner report are also more likely to need to switch servers, so the report works either way! :P

  • by edrugtrader (442064) on Thursday September 27, 2001 @06:41PM (#2361129) Homepage
    a video game i wrote 10 years ago in Qbasic was just emailed to me today via sircam...

    that means that someone actually had it on their computer, and that made me feel all fuzzy.

    god bless sircam, and its glorious resurrection and distribution of great software titles.
  • Fight back (Score:5, Informative)

    by Anonymous Coward on Thursday September 27, 2001 @06:43PM (#2361136)
    Check out my script [cheapnet.net]! If you're running Apache, it'll monitor the logfile and send mail to the Administrator of the infected server!

    • Re:Fight back (Score:2, Insightful)

      by Sagarian (519668)
      Given the way that these viruses work, and given that your script fires a message to everyone who attempts to Code Red exploit a server running your script, and that there's no central registry of which servers / email addresses have been notified by your script:

      Wouldn't this script, if widely employed, bring forth massive tidal waves of email as well?

      Imagine an admin's joy at finding that not only are 20 of his servers infected and/or destroyed, but he has an inbox full of thousands of messages that are now swamping his mailserver.

      Given that the communication of the email is not secure, could a malicious party not monitor traffic for copies of your script's message, and thus know exactly which servers can be exploited?

      Perhaps a better solution would be a secure central registry / database of known-infected systems, which exposed a secure known-infected system reporting mechanism (even a simple XML message protocol via https for example). Just thinking on the fly here...

      Anyway, the intention is noble...
      • Wouldn't this script, if widely employed, bring forth massive tidal waves of email as well?

        Please! As a patched NT admin, let the unpatched be DOS'ed off the face of the planet.
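
The "Fight back" script linked above is not reproduced on this page, so here is an added example (my own code, not the poster's script) of the same idea written from the defender's side: it parses Apache access-log lines, flags the IIS-directory probe requests that this family of worms sends to every web server it finds, aggregates them per source host, and only emits one notice per host per cooldown period. That last part answers Sagarian's objection: without de-duplication every probe would generate a mail, and one infected box can send thousands. The probe signatures are a short illustrative list taken from the public CERT advisory for Nimda and should be treated as assumed here; the log lines are constructed for the example, and actually sending the notice (e.g. to the abuse contact from whois) is left to the operator.

```python
"""Detect worm-style IIS probes in Apache access logs and build a
de-duplicated notification list (one notice per probing host).

Added example for this thread, not the linked 'Fight back' script.
Signatures and log lines are constructed/assumed for illustration.
"""
import re
from datetime import datetime, timedelta

# Apache common/combined log line: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative probe signatures (assumed here, from the public Nimda
# advisory); replace with your IDS vendor's current list in practice.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"/scripts/root\.exe",            # backdoor left by Code Red II
        r"/msadc/root\.exe",
        r"/winnt/system32/cmd\.exe",      # direct or traversal path to cmd.exe
        r"\.\.%(?:c0%af|c1%1c|255c)",     # overlong / double-encoded traversal
    )
]

# Constructed sample log: one noisy prober, one normal client, one single
# probe, and one garbage line that the parser must skip.
SAMPLE_LOG = """\
10.0.0.7 - - [27/Sep/2001:18:43:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 207 "-" "-"
10.0.0.7 - - [27/Sep/2001:18:43:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 207 "-" "-"
10.0.0.7 - - [27/Sep/2001:18:43:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207 "-" "-"
10.0.0.7 - - [27/Sep/2001:18:43:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207 "-" "-"
192.168.5.20 - - [27/Sep/2001:18:44:10 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.168.5.20 - - [27/Sep/2001:18:44:12 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
172.16.9.3 - - [27/Sep/2001:18:45:00 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207 "-" "-"
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "time": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def is_probe(path):
    """True if the request path matches any worm probe signature."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def scan_log(lines):
    """Aggregate probes per source host: count, first/last seen, sample path."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        h = hits.setdefault(rec["host"], {"count": 0, "first": rec["time"],
                                          "last": rec["time"], "sample": rec["path"]})
        h["count"] += 1
        h["first"] = min(h["first"], rec["time"])
        h["last"] = max(h["last"], rec["time"])
    return hits


def select_notifications(hits, notified, cooldown=timedelta(hours=24)):
    """Choose hosts to notify now. `notified` maps host -> time of the last
    notice and is updated in place, so a host is contacted at most once per
    cooldown however many probes it sends (the mail-flood concern above)."""
    to_notify = []
    for host, h in sorted(hits.items()):
        last = notified.get(host)
        if last is not None and h["last"] - last < cooldown:
            continue
        notified[host] = h["last"]
        to_notify.append(host)
    return to_notify


def compose_notice(host, h):
    """Plain-text body of the notice for one host."""
    return (f"Host {host} sent {h['count']} IIS-worm-style probe(s) between "
            f"{h['first'].isoformat()} and {h['last'].isoformat()}; "
            f"example request: {h['sample']}. It is probably infected; "
            "please patch and clean it.")


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    state = {}  # persist this between runs (a file or database) in real use
    for host in select_notifications(hits, state):
        print(compose_notice(host, hits[host]))
```

The `notified` state is what the thread's "central registry" suggestion amounts to at the scale of one site: persist it between runs (or share it among your servers) and a noisy infected host gets one message a day instead of one per probe. Matching on the raw path rather than the decoded one is deliberate, since the double-encoded traversal strings are themselves the signature.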

  • by Anonymous Coward on Thursday September 27, 2001 @06:44PM (#2361144)
    Why is windows suffering so many of these attacks recently (I know this is the same but I mean coupled with Code Red etc)? Is it because the exploits have only recently been found that enable them? This implies that fewer such exploits existed in older MSware - is this true?

    Is their wide spread mostly helped by the recent influx of cable/dsl users? Instead of the usual MS bash, could we try to explain some of the factors that make these stories so common on /. recently?

    Of course, we can't escape that it was Microsoft that published exploitable code but I'm sure their software has always been as bad so what else is behind the current surge?
  • by irix (22687)
    I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.

    I'd like to see some fireants for the server admins who still haven't patched for this thing. What kind of rock do you have to be living under not to have heard of this by now?

  • Math? (Score:5, Interesting)

    by sharkey (16670) on Thursday September 27, 2001 @06:46PM (#2361160)
    9pm GMT -04:00 (EDT) is 5pm EDT.
    9pm GMT -05:00 (EST) is 4pm EST.

    However, the time mentioned in the article is 1am ET. Hazard a guess that it is really EDT they are citing, making 5am GMT zero hour. It will be 12:00am (Midnight) EST.
  • by standards (461431) on Thursday September 27, 2001 @06:48PM (#2361169)
    My organization was hit hard by Nimda. Our poor Windows Administration staff ran around like crazy cleaning, patching, and upgrading hundreds of machines.

    Is this a Microsoft problem? You bet.

    Microsoft OSs do not have a complete, common set of system administration tools built in. This results in haphazard machine administration.

    Microsoft and other companies sell useful administration tools, but these are high priced tools that only do a piece of the job. And since they aren't included with the OS, very few sysadmins have expertise with them.

    So Microsoft, get on the ball. If you want to sell an OS, it should be ready for the enterprise.... including enterprise administration.

    In the meantime, we're porting our apps from IIS to Apache. Yay!
    • by bad-badtz-maru (119524) on Thursday September 27, 2001 @07:47PM (#2361469) Homepage

      Our organization didn't do squat because we spent five minutes researching commonly accepted practices for securing IIS and NT boxes before we ever put our first box on the net. We do the same for every piece of hardware and software, exploits are not an MS-exclusive thing. The simple act of unmapping unused extensions in IIS has saved us countless hours (or days) of agony on many occasions. I suspect your organization may not contain the level of security-consciousness necessary to properly maintain systems connected to the internet since such security-awareness would have included remedial research into the securest method of presenting a piece of hardware or software to the internet. In other words, if your organization knew what they were doing, the issue you experienced would not have occurred. It's not an apache/IIS issue, it's a poor administration issue that will plague your organization, unless corrected, regardless of what OS and web server software they choose to deploy.

      Hope this helps,
      maru
      www.mp3.com/pixal
      • by NMerriam (15122) <NMerriam@artboy.org> on Friday September 28, 2001 @09:54AM (#2363311) Homepage
        Our organization didn't do squat because we spent five minutes researching commonly accepted practices for securing IIS and NT boxes before we ever put our first box on the net.

        Unfortunately Nimda spreads itself over shares, too -- so our server was well-maintained, but every shared directory on there was filled with the .dll and .eml files from Nimda, from users who had been infected on their desktops.

        All it took was a single person on our network who had disabled their antivirus to spread it all over every network drive in the place.
  • Dangerous Viruses?? (Score:5, Interesting)

    by dragons_flight (515217) on Thursday September 27, 2001 @06:50PM (#2361180) Homepage
    Whatever happened to all the "3v1|_ h4x0r5"(TM)??

    We've seen a number of highly infectious viruses in the last year (Sircam, Code Red, Nimda, etc), but none of these were actually very destructive. Sure they are a pain to get rid of, and may spread a little information around, eat up bandwidth, or compel you to reformat just to be sure, but they aren't flattening people's systems.

    Whatever happened to the anarchists out to destroy the system? Now admittedly I don't want to encourage people to be more destructive, but it seems almost trivial to think of ways that viruses and worms could easily be made more destructive. For instance, upon infection, delete everything in the "My Documents" folder. Or, change default web page to a share of the whole computer. Or even wait a couple days and then wipe the person's hard drive.

    I haven't been vulnerable to anything to come along lately, and I'm glad, but I'm also glad to note that the truly skilled black hats out there seem to have moderated how much damage they actually intend to do. I wonder if they are scared what the law might do to them if their attack truly was evil.
    • The reason that these widespread viruses aren't as destructive as one might imagine they could be is analogous to how viral outbreaks happen in nature, IMHO.

      Most successful viruses don't kill their hosts right away, or ever, as by doing so they destroy their own method of propagation. Even if they did no harm for some amount of time, you'd find that the number of vulnerable systems would be down very quickly once that timer hit on a large scale, whereas with non-destructive viruses, you're almost guaranteed to have repeat outbreaks because of lingering infections out there that never get cleaned up, or are left for long periods of time.

      In general, the more destructive a virus is, the shorter its overall lifespan, and the lesser the overall damage.
      • I don't buy it.

        Viruses in nature are developed through evolution and mutation and thus long term survivability makes sense. Computer viruses are intentional creations of people, and it doesn't seem to me that virus writers would neccesarily focus on making them last in the wild for a long time. There are people who just like destroying stuff right? And depending on what you destroy or how you do it, it isn't neccesarily immediately obvious to the user, or going to stop the worm from seeking new hosts.

        Also with the IIS worms, they tend to just about saturate all vulnerable machines within the first few days if not hours. Once you've got 98% of what's available to get, then shutting all those down doesn't cause much loss in total reach. Especially since after a point the infection rate goes down due to patching faster than it increases from finding still uninfected machines.

        Some people say they write viruses to demonstrate vulnerabilities, well it doesn't seem like a huge leap, by that logic, to decide to start taking out vulnerable software.
    • by desertfool (21262)
      My first day at a computer related job (helping users) in '94 I found a computer with NATAS. That was one nasty virus. A real bitch to get rid of. And the computer had to be completely cleaned and re-installed. Then, upon scanning, I found several more that also had been infected, but it hadn't popped up and decimated the .exe and .com files yet. What a mess.

      The new worm/virus phenomena is more of an annoyance. I keep my servers patched and protected, but I get 20+ emails a day from my users (all properly paranoid) about the new virus they heard about while driving in to work. That is the worst part.

  • by none2222 (161746) on Thursday September 27, 2001 @06:54PM (#2361204)
    . . . running Win2k and IIS on my dorm computer. Am I at risk?


    To put it mildly, YES! While it's true that Microsoft products are no less secure than those of other vendors, Microsoft's position as market leader makes them a prime target for hackers, virus writers, and other internet terrorists. You really have no business running a web server until you learn something about security. You can start by reading up on Nimda here [microsoft.com].
    • While it's true that Microsoft products are no less secure than those of other vendors...

      You're Trolling, right? It's been over 3 years since the last remote root exploit in Apache, and IIS has had several this year!

      If you're not Trolling and you actually believe what you just said, you'd better do some research.
    • YES! While it's true that Microsoft products are no less secure than those of other vendors, Microsoft's position as market leader makes them a prime target for hackers, virus writers, and other internet terrorists. You really have no business running a web server until you learn something about security.

      Market leader?? If that was it, I think that Apache would be three times the can of worms that IIS is. You must admit that the default installation of Apache is MUCH more secure than the default installation of IIS.

      IIS has the same design flaw that Sendmail does, and it has enough market share to be a viable target. It is also true that many other vendors make the same mistake (including Red Hat and IBM) but lack the market share to be reasonable targets.

      Moral of the story: If you want to use IIS, tell it only to listen to IP address 127.0.0.1. If you can't figure out how to do this, please install Apache instead. (www.apache.org)
  • I'd like to see a nice double stockade for the writers of Sircam and Nimda ...

    I'd like to see something similar for the IIS developers along with other selected members of Microsoft.

    ... or maybe a class action lawsuit against Microsoft for using their monopoly to propagate such insecure code?

  • I'd like to see a nice double stockade for the writers of Sircam and
    Nimda, and maybe some fireants.


    Yes, and a special one for those who roll out vulnerable server software. Ideally, with all the attacks, IIS should get stronger, as a body's immune system does with constant testing, however, it would indeed be a sad body which has been so patched. Make Frankenstein's monster look like George Clooney.

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday September 27, 2001 @06:59PM (#2361239) Homepage Journal

    Then you're not vulnerable to either.

    Good practice in this case means keeping your systems updated to the latest patches, not having open shares at all, and updating software to the latest version. It also includes not using software known to be not only a security risk, but basically an open door to "hackers". Note the quotes, please. They indicate sarcasm.

    If you have patched Win2k to SP2, are running IE6 final, and do not use Outlook, you have protected yourself from every vector these worms use, except for the "Web Folder Traversal" issue. That's a minor quick fix, though it shouldn't have been necessary.

    Why am I willing to specify not using Outlook and not specify not using IIS? Because it became abundantly clear that Outlook was unsafe well over a year ago, whereas IIS could have been termed "more or less okay" until recently. Also, you just can't walk away from NT/IIS webservers and jump on the *[iu]x bandwagon right away, because there's all that ASP code lying around.

    Until M$ rewrites outlook, outlook express, and IIS from the ground up, you should immediately (or as close to immediately as you can get) stop using them. Given that IIS sucks anyway, you might as well stop using it permanently. I understand the allure of outlook, and the interoperation between it and exchange, but consider a web-based scheduling/collaboration system. Exchange is pretty lousy anyway, for a whole bunch of reasons I won't bother going into here.

    And finally, this is not anti-microsoft FUD, this is all based on reality. I'm not against microsoft on the desktop, or microsoft servers to serve microsoft clients. But we've seen time and time again how running microsoft windows of any flavor as a web server platform incurs a much higher cost than unix, because unix just doesn't tend to break as often -- Or be compromised. While this is not an OS-level bug, you really only have one choice as far as performance and support goes for a webserver on windows, and it's not a very good choice.

    • by Spy Hunter (317220) on Thursday September 27, 2001 @07:33PM (#2361416) Journal
      WARNING to IE6 users or people without Outlook installed: You are not invulnerable! A virus file on your system can still easily be executed. I recently got infected, and it was the dumbest thing ever. Some time ago I had to reinstall Windows (gdi.exe was corrupted!?!), so I backed my files up to my friend's computer over the network. To get them back I made an open share on my computer (should have had a password) and sent them over. When I was done I noticed that some *.eml files had been inserted into my open share. "Hey, that's the virus I read about on Slashdot," I thought. So I went to delete it. I simply selected the file to delete it (I didn't run it) but Explorer, in its infinite stupidity, ran the file in the preview pane! Simply by the act of selecting the file I had run it inadvertently! This on a system running IE6 without Outlook installed!

      Fortunately I was able to boot into Linux and delete all those .eml files, then download a virus remover from McAfee or someplace. But let this be a warning: Before deleting a .eml file, TURN FILE PREVIEWS OFF!

      • This is correct. Also, if you have the authenticated users group listed in the share or NTFS permission areas, even if write access is denied, the virus can still write itself to your hard drive (had this happen, but fortunately caught it in the act...).

        The IE6 issue can be prevented by disabling file downloading in the security settings, and the share issue can be resolved by removing the everyone and authenticated users groups from the share and NTFS permissions of shares.
    • Not hackers, crackers dammit!!!!

      What's sarcasm?
    • That's simply not true.

      I run w2k pro sp2 with IE6 at home (dual-booted with slackware), with all of the various MS patches installed, behind a firewall - I know the dangers of IIS.

      Last week, I was browsing through some UK web agencies, and one of them had been infected with Nimda. Unlike most other people who got hit by Nimda, when I hit that IIS server, I didn't get a "save as..." dialogue. My firewall didn't notice anything amiss either.

      All that happened was :

      My desktop background changed to a cheesy pic of a skeleton over a forest background.
      My machine started grinding away like hell.
      I muttered "Oh fuck." under my breath and whipped the cable out of my ethernet card so my girlfriend's machine didn't get affected, as far as I could manage.

      I'm no sysadmin guru, but I'm a pretty savvy user, and had patched my system up fully, and I still got dicked. Yes, it wouldn't have happened if I was under *nix, but I do a lot of work with Shockwave and Flash, so 9 times out of 10 I'm running win32 rather than linux.

      It blows.
    • The boss of my boss of my boss (his rank is somewhere around a full bird) asked me personally and the rest of the staff in earshot to encourage the entire enterprise (around 20,000 white-collar workers) to get off IIS. Although all MY web servers are Apache, most at the Enterprise are M$. We have never used Outlook and never will.

      Well, I suggest that we go farther. We already block harmful and suspect viruses at our perimeter and throughout the enterprise. Why not instruct our routers, firewalls, and proxies to block any packets that indicate the content is coming from IIS - and block any M$ Internet Explorer browser? Just drop the packets?

      OK. I'm speaking tongue in cheek, but I could actually make a justifiable argument that such use has PROVEN twice in a month that those tools are demonstrated security risks and should be defined as dangerous activity.

  • by ellem (147712) <ellem52@gmai[ ]om ['l.c' in gap]> on Thursday September 27, 2001 @07:02PM (#2361260) Homepage Journal
    I administer Notes, NT, Win9x and a Linux box, plus firewalls yadda, yadda.

    I work in a Corporate Travel Agency in NYC, they just decimated my entire staff and I have me and one other guy who has been relegated to inputting ticket refunds.

    I DON'T HAVE TIME FOR THIS! My lone IIS server has been patched since the first day. Lotus Notes doesn't care about these dumb ass viruses (virii) and my Norton's are all up to date.

    My USERS got this crap from infected web pages!

    We're losing a machine a day in the field b/c these bozos can't figure out how to click on a button called VIRUS_FIX on the corporate intranet.

    I am ready to frigging quit and become an English Teacher, fuck the money! If the whole MS world can be brought to its knees every time some kid in Sweden has the day off then we're all fucked.

    CIOs who continue to use Outlook/IIS deserve whatever happens to them. (We HAD to use IIS for a 3rd party software app.) Microsoft SHOULD ABSOLUTELY BE PAYING ITS CUSTOMERS BACK FOR THIS! HOW DARE THEY GET READY TO RELEASE YET ANOTHER VIRUS RUNTIME OS.

    It is seriously time for the MCSE farms to be shut down and for corporate America to move to another OS. Fuck the users; guess what, they don't know all that much about the OS they are on, so switching them now will have no lasting impact.
  • Sorry to be nitpicky - stockades aren't much of a punishment, really just a jail. I think you mean stocks or a pillory.
    Take a look here: Stocks and Pillories [geocities.com]
  • ...especially considering that the IIS patch has been available on WINDOWS UPDATE for the last THREE MONTHS. Fireants for any worthless tech who hasn't figured this out yet.

    -Jayde
  • Okay, so they checked the code. But did they test it out? Has somebody changed the time on a server [isolating it first] and seen if it really starts flinging bad bits?
  • by Anonymous Coward on Thursday September 27, 2001 @07:19PM (#2361347)
    If there's anything surprising about the entire worm phenomenon, it's that the payloads have been so benign. There's absolutely no reason why that has to be the case though, and sooner or later some little shit is going to slip in something like:

    FORMAT C:

    as the ultimate payload of a nimda-like worm, and all hell, and I truly mean all hell is going to break loose.

    I think that it's absolutely shocking that no one knew until right now that the damn thing is going to start up again tomorrow. What else don't we know about the program? I certainly hope that the experts who are now giving us some six hours notice (at night!) that the damn thing is about to restart haven't missed any other little details of the worm's operation.

    The entire IIS/Outlook security situation is absolutely shameful. Microsoft has been fucking around for years piling on layer after layer of buggy, insecure active this and executable that into the Windows mail system, and pretending that it doesn't matter, and the result, today, right now, today, is an internet that's about as secure as an airport with no guards, and half the locks in the terminals and on the planes flat out nonfunctional.

    Someone is responsible for this mess, and it ain't the folks who wrote the RFCs!
  • I was helping a friend install Win2KPro on his home machine to do some development work (for work, of course). I'm not a big Win guy, but I've done the point-click install before.

    Anyway, as soon as we were done (installing while his home network was live), we tried getting to windowsupdate.microsoft.com to install patches. However, we soon discovered that we were already infected! Two freaking minutes after installation!!

    If you don't install behind a firewall, how the hell are you supposed to get updates to all of Win2kPro's problems without getting infected?
  • Administration tools (Score:3, Informative)

    by fahrvergnugen (228539) <fahrv.hotmail@com> on Thursday September 27, 2001 @07:33PM (#2361418) Homepage
    The sad truth is that patches to protect yourself from these worms were released well ahead of the worms themselves. Getting hit by it is irresponsible, but Microsoft's current patching procedures are such a mishmash that getting the right information ahead of time is a total bitch.

    Those who are forced by circumstance to be responsible for administering IIS and other microsoft software should look at St. Bernard Software's UpdateExpert. It's a little pricey, but it doesn't cost nearly as much as even one full day of nimda / CodeRed / etc. infection.

    It simply keeps a list of all patches released on the Microsoft support site, and lets you roll them out to machines on your network without the users knowing about it. It's saved my bacon a few times now.
  • by Sagarian (519668) <smiller AT alum DOT mit DOT edu> on Thursday September 27, 2001 @07:51PM (#2361485)
    After Gartner's recommendation, thousands of PHB's and even sane people will rush to switch from IIS to Apache / IBM HTTP Server / whatever.

    Has anyone written a product yet to translate Active Server Pages (ASP) code to PHP, JSP, or some other format? Most of the basic scripting language concepts should translate pretty nicely.

    Even if someone has built their IIS / ASP application 'correctly' (cough cough) isolating middle-tier logic to MTS or something similar, wouldn't Perl / Java / whatever wrappers to those COM / COM+ services also be straightforward to write?

    Or has someone done this already? Isn't there (or wasn't there) a Chilisoft implementation of ASP that you could run on Apache and Linux?
  • killer app (Score:2, Funny)

    by Anonymous Coward
    nimda and its ilk are the killer apps that will spark the next information revolution.

    I'm looking forward to Microsoft's first foray into creating actual worms, instead of just providing the infrastructure.

    One day we will all look forward to the next MS worm with all the enthusiasm that we now share for the next Windows.
  • I have been monitoring my logs, and most of the hits I get are from Cable/DSL users. I bet a lot of these people are unaware that they are even running IIS, let alone that they need to install a security patch.
    I have not used W2k much (set up a test server at work, and reboot it now and then when it fails mysteriously), so I guess by default there is no automatic "Your Software needs updating" dialog that pesters you. If MS had their SW configured to do a weekly check and let users know that updates were available it would help. I know that Mac OS 9 and Mac OS X do this and it is useful for making sure systems stay current, and I wrote a few scripts that run as a cron job on my Debian box at home that do apt-get update weekly, and mail me if there is a security update.
    Maybe something like this is already there in W2K (though if it is it should be surprising), and I just have never seen it. I apologize if I speak from ignorance, but if there is not, then MS needs to get on the ball. Their software is causing a lot of problems, and they need to be more active in making sure that their boxes get updated.
    • Yep. You are right. Most of the ones I saw were new installations of IIS, and not on any large corporate network.

      I myself have helped at least five people uninstall IIS. None of them even knew what it was. One person asked me if they would still be able to view pages on the internet, like Yahoo... No I am not kidding.
  • Serves You Right. (Score:3, Insightful)

    by Drake42 (4074) on Thursday September 27, 2001 @08:04PM (#2361536) Homepage
    (I already made this as a reply to comment, but I'm irked about this enough that I want to post it to the main thread in hopes that people read it)

    I bet you have security guards, fences and cameras to protect your buildings from 14 year old kids.

    Why don't you have a secure firewall to protect your servers?

    We are living in the time that 100 years from now people will look back and think we must not yet have evolved properly. They will look back and think, "Why did they put up with that idiocy? Were they just stupid back then?" And parents will shrug and grandparents will say "It was like the frontier!" and kids will think "Wow. Those guys were stupid."

    Don't bitch about the lack of government protection when all you have to do is install appropriate security which costs NOTHING. I don't want my taxes paying to protect you from your own laziness.

    25K lost? Serves you right.
    • by SuiteSisterMary (123932) <slebrunNO@SPAMgmail.com> on Thursday September 27, 2001 @08:23PM (#2361629) Journal
      I'll point out that a firewall won't protect from this, as these are legitimate http requests. Your gateway anti-virus solution and/or intrusion detection system, on the other hand, should catch these. But this sort of thing is NOT what a firewall is supposed to stop.
    • Nimda is a complicated beast [neohapsis.com].

      Unlike 'Code Red', Nimda does not spread by pushing the worm binary in the HTTP request. The worm uses HTTP to find a vulnerable IIS server, then causes the IIS server to make a TFTP request out to the attacking host to retrieve the ~64K binary.

      Most normal 'secure firewall' products aren't tuned to block outbound requests from the protected servers to internet hosts. Mine are, but that only gave me about 72 hours of lead time before it came in another way...

      Even when firewalls block the IIS scanning, Nimda spreads by email, file shares, and by putting a copy of 'README.EXE' in the root of the IIS server and adding Javascript to all web pages on the server, pushing the worm at users of the infected web site server.

      My firewalls block _all_ UDP packets, but my network still got hit hard, and probably incurred more like $60K in 'paper losses' -- lost productivity, bandwidth, overtime, etc.

      We haven't found 'patient zero', but we have two good suspects, in both cases a user with a laptop that did not have updated anti-virus software and that got infected from one of these routes:

      1. User took the laptop home and connected to an infected network/file shares.
      2. User accessed 'hotmail' or a similar site and downloaded an attachment.
      3. User visited an infected web site (probably at home) and ran README.EXE when prompted.

      The common thread here is user error.

      The best firewall is no protection against malicious, or just plain ignorant, users. Blame also falls on local admins for failing to push virus signature updates and keep up with system patches.

      I've only ever seen around a dozen inside hosts from which the worm was actively scanning HTTP, but the worm traffic from those dozen machines alone was enough to severely degrade WAN and firewall performance.

  • by manon (112081)
    Let's make some profit out of Nimda :)

    Like T-shirts...
    "I've been attacked by Nimda and all I got was this T-shirt"
    "Chicks dig Nimda"
    "(front:)IIS (back:) you are dumb"

    Or posters...
    "Internet map of Nimda infected domains"
    New 'Inc DeMotivators' poster :"Suicidal" with a kind of Nimda showing.

    We should inform Thinkgeek [thinkgeek.com] of this nifty plan :)))
  • by rayvd (155635) on Thursday September 27, 2001 @08:47PM (#2361702) Homepage Journal
    If you run Apache and hate looking at the hundreds of annoying attacks by the Code Red and Nimda worms, try adding these to your httpd.conf:

    SetEnvIf Request_URI "^/default.ida" attacks # For Code Red
    SetEnvIf Request_URI "^/scripts" attacks # For nimda
    SetEnvIf Request_URI "^/c/winnt" attacks # ... ditto all the way down
    SetEnvIf Request_URI "^/_mem_bin" attacks
    SetEnvIf Request_URI "^/_vti_bin" attacks
    SetEnvIf Request_URI "^/MSADC" attacks
    SetEnvIf Request_URI "^/msadc" attacks
    SetEnvIf Request_URI "^/d/winnt" attacks

    CustomLog /var/log/access_log combined env=!attacks
    CustomLog /var/log/attack_log combined env=attacks

    This will dump all the "attacks" into a file called attack_log and leave your normal logfile clutter free.
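The same split can be done offline over an existing access_log, which is handy when the worm hits predate the config change. The following is an added example, not rayvd's code: it applies the Request_URI prefixes from the httpd.conf snippet above to constructed combined-format log lines, sorts them into the "attack" and "clean" piles the two CustomLog directives would produce, and counts hits per source host. Note that, like SetEnvIf Request_URI, it matches the path only (query string stripped), and that the bare `^/scripts` prefix also catches paths such as `/scripts.html`.

```python
import re

# Request_URI prefixes from the httpd.conf snippet, with the worm each one belongs to.
ATTACK_PATTERNS = [
    (re.compile(r"^/default\.ida"), "Code Red"),
    (re.compile(r"^/scripts"), "Nimda"),
    (re.compile(r"^/c/winnt"), "Nimda"),
    (re.compile(r"^/_mem_bin"), "Nimda"),
    (re.compile(r"^/_vti_bin"), "Nimda"),
    (re.compile(r"^/MSADC"), "Nimda"),
    (re.compile(r"^/msadc"), "Nimda"),
    (re.compile(r"^/d/winnt"), "Nimda"),
]

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic); the last one is a legitimate page
# whose path happens to start with "/scripts" and therefore also trips the prefix rule.
SAMPLE_LOG = [
    '10.0.0.7 - - [27/Sep/2001:21:05:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"',
    '10.0.0.7 - - [27/Sep/2001:21:05:12 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"',
    '10.0.0.9 - - [27/Sep/2001:21:06:30 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 279 "-" "-"',
    '192.0.2.5 - - [27/Sep/2001:21:07:02 +0000] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/4.0"',
    '192.0.2.6 - - [27/Sep/2001:21:07:10 +0000] "GET /scripts.html HTTP/1.1" 200 800 "-" "Mozilla/4.0"',
]


def classify_path(path):
    """Return the worm family whose prefix matches the URI path, or None."""
    for pattern, family in ATTACK_PATTERNS:
        if pattern.match(path):
            return family
    return None


def classify_line(line):
    """Parse one combined-format line and classify its request path.

    SetEnvIf Request_URI sees only the path, so the query string is dropped
    before matching. Lines that do not parse are treated as clean.
    """
    m = COMBINED_RE.match(line)
    if not m:
        return None
    path = m.group("uri").split("?", 1)[0]
    return classify_path(path)


def split_log(lines):
    """Mirror the two CustomLog directives: (attack_lines, clean_lines)."""
    attacks, clean = [], []
    for line in lines:
        (attacks if classify_line(line) else clean).append(line)
    return attacks, clean


def count_by_source(lines):
    """Attack hits per source host: a quick way to spot the noisiest infected neighbours."""
    counts = {}
    for line in lines:
        m = COMBINED_RE.match(line)
        if m and classify_line(line):
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


if __name__ == "__main__":
    attacks, clean = split_log(SAMPLE_LOG)
    print(f"{len(attacks)} attack lines, {len(clean)} clean lines")
    for host, n in sorted(count_by_source(SAMPLE_LOG).items()):
        print(f"{host}: {n}")
```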
  • by hypergreatthing (254983) on Thursday September 27, 2001 @11:28PM (#2362190)
    There shouldn't be security holes that allow these viruses to exist in the first place. Don't blame the kids who wrote this, but rather blame Microsoft. I'm sure you can use the excuse that Microsoft can't be held responsible for everything their software causes, but this is ridiculous. Why did it take tons of viruses for Microsoft to even patch this? Why wasn't this patched before, or caught before and addressed? It's simply because Microsoft can't afford to make their software secure until it's demanded, and that's just wrong for a company like Microsoft.
