Microsoft

Nimda To Strike Again 523

Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants. Update: 09/27 22:45 GMT by T : Temporal confusion -- that's 5:00 GMT, sorry :) Update: 09/28 00:14 GMT by T : Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.
  • by 4of12 ( 97621 ) on Thursday September 27, 2001 @06:54PM (#2361203) Homepage Journal

    The usual punishment of:

    • a hosed server first thing in the morning, before coffee,
    • a stack o mail from other irate sysadmins that are getting hit on by the infected zombie to which your name is attached,
    • some urgent voicemails and pages from users and from your management asking what the !&%$ is happening.
    The usual...ho humm.

    Otherwise, Friday morning would have been relatively pleasant.

  • by ellem ( 147712 ) <ellem52@gmail.cDEGASom minus painter> on Thursday September 27, 2001 @07:02PM (#2361260) Homepage Journal
    I administer Notes, NT, Win9x and a Linux box, plus firewalls yadda, yadda.

    I work in a Corporate Travel Agency in NYC, they just decimated my entire staff and I have me and one other guy who has been relegated to inputting ticket refunds.

    I DON'T HAVE TIME FOR THIS! My lone IIS server has been patched since the first day. Lotus Notes doesn't care about these dumb ass viruses (virii) and my Norton's are all up to date.

    My USERS got this crap from infected web pages!

    We're losing a machine a day in the field b/c these bozos can't figure out how to click on a button called VIRUS_FIX on the corporate intranet.

    I am ready to frigging quit and become an English teacher; fuck the money! If the whole MS world can be brought to its knees every time some kid in Sweden has the day off then we're all fucked.

    CIOs who continue to use Outlook/IIS deserve whatever happens to them. (We HAD to use IIS for a 3rd party software app.) Microsoft SHOULD ABSOLUTELY BE PAYING ITS CUSTOMERS BACK FOR THIS! HOW DARE THEY GET READY TO RELEASE YET ANOTHER VIRUS RUNTIME OS.

    It is seriously time for the MCSE farms to be shut down and for corporate America to move to another OS. Fuck the users; guess what, they don't know all that much about the OS they are on, so switching them now will have no lasting impact.
  • by Minstrel78 ( 28344 ) on Thursday September 27, 2001 @07:03PM (#2361266)
    The reason that these widespread viruses aren't as destructive as one might imagine they could be is analogous to how viral outbreaks happen in nature, IMHO.

    Most successful viruses don't kill their hosts right away, or ever, as by doing so they destroy their own method of propagation. Even if they did no harm for some amount of time, you'd find that the number of vulnerable systems would be down very quickly once that timer hit on a large scale, whereas with non-destructive viruses, you're almost guaranteed to have repeat outbreaks because of lingering infections out there that never get cleaned up, or are left for long periods of time.

    In general, the more destructive a virus is, the shorter its overall lifespan, and the lesser the overall damage.
  • by Anonymous Coward on Thursday September 27, 2001 @07:13PM (#2361314)
    Now THAT was an Insightful comment. Too bad corporate America will keep twisting the rubber band around their arm every time M$ releases another version of their virusware.
  • by Anonymous Coward on Thursday September 27, 2001 @07:18PM (#2361342)
    A couple of useful links for your poor, overworked and probably clueless Windows admins:

    Knowledge of these would have saved your company time and money, assuming patches were applied within a month of being released and/or recommended practices were followed.

    Tools, and procedures [microsoft.com]

    email notification (any decent admin would already be subscribed to this):
    mailinglist [microsoft.com]

    Get the admins to visit those links soon, or MS will pointlessly reorganise their site again.
  • by alienmole ( 15522 ) on Thursday September 27, 2001 @07:44PM (#2361463)
    Did you read the Gartner report carefully? It said "enterprises hit by both Code Red and Nimda" should investigate alternatives. This implies that enterprises not hit by both worms don't need to switch.

    If a company wasn't hit by both, presumably their security policies and procedures are either already up to scratch, or capable of being improved sufficiently. But if a company was hit by both, their procedures are probably beyond repair, and they'd be better off with a server that's more secure by default.

    So I think Gartner was absolutely correct. Not only that, but people who didn't pick up that subtlety from the Gartner report are also more likely to need to switch servers, so the report works either way! :P

  • by bad-badtz-maru ( 119524 ) on Thursday September 27, 2001 @07:47PM (#2361469) Homepage

    Our organization didn't do squat because we spent five minutes researching commonly accepted practices for securing IIS and NT boxes before we ever put our first box on the net. We do the same for every piece of hardware and software; exploits are not an MS-exclusive thing. The simple act of unmapping unused extensions in IIS has saved us countless hours (or days) of agony on many occasions. I suspect your organization may not contain the level of security-consciousness necessary to properly maintain systems connected to the internet, since such security-awareness would have included remedial research into the securest method of presenting a piece of hardware or software to the internet. In other words, if your organization knew what they were doing, the issue you experienced would not have occurred. It's not an Apache/IIS issue, it's a poor administration issue that will plague your organization, unless corrected, regardless of what OS and web server software they choose to deploy.

    Hope this helps,
    maru
    www.mp3.com/pixal
  • by Sagarian ( 519668 ) <smiller&alum,mit,edu> on Thursday September 27, 2001 @07:51PM (#2361485)
    After Gartner's recommendation, thousands of PHB's and even sane people will rush to switch from IIS to Apache / IBM HTTP Server / whatever.

    Has anyone written a product yet to translate Active Server Pages (ASP) code to PHP, JSP, or some other format? Most of the basic scripting language concepts should translate pretty nicely.

    Even if someone has built their IIS / ASP application 'correctly' (cough cough) isolating middle-tier logic to MTS or something similar, wouldn't Perl / Java / whatever wrappers to those COM / COM+ services also be straightforward to write?

    Or has someone done this already? Isn't there (or wasn't there) a Chilisoft implementation of ASP that you could run on Apache and Linux?
  • Re:9 PM? (Score:1, Insightful)

    by Anonymous Coward on Thursday September 27, 2001 @07:54PM (#2361494)
    What do you mean 9AM? Tomorrow is Friday. Windows NT is so easy to administer that you don't even have to bother showing up for work on Friday! Let the secretary fix it if something should happen to go wrong.
  • Re:Not Me (Score:2, Insightful)

    by Drake42 ( 4074 ) on Thursday September 27, 2001 @07:56PM (#2361499) Homepage
    I bet you have security guards, fences and cameras to protect your buildings from 14 year old kids.

    Why don't you have a secure firewall to protect your servers?

    We are living in the time that 100 years from now people will look back and think we must not yet have evolved properly. They will look back and think, "Why did they put up with that idiocy? Were they just stupid back then?" And parents will shrug and grandparents will say "It was like the frontier!" and kids will think "Wow. Those guys were stupid."

    Don't bitch about the lack of government protection when all you have to do is install appropriate security which costs NOTHING. I don't want my taxes paying to protect you from your own laziness.

    25K lost? Serves you right.
  • Serves You Right. (Score:3, Insightful)

    by Drake42 ( 4074 ) on Thursday September 27, 2001 @08:04PM (#2361536) Homepage
    (I already made this as a reply to comment, but I'm irked about this enough that I want to post it to the main thread in hopes that people read it)

    I bet you have security guards, fences and cameras to protect your buildings from 14 year old kids.

    Why don't you have a secure firewall to protect your servers?

    We are living in the time that 100 years from now people will look back and think we must not yet have evolved properly. They will look back and think, "Why did they put up with that idiocy? Were they just stupid back then?" And parents will shrug and grandparents will say "It was like the frontier!" and kids will think "Wow. Those guys were stupid."

    Don't bitch about the lack of government protection when all you have to do is install appropriate security which costs NOTHING. I don't want my taxes paying to protect you from your own laziness.

    25K lost? Serves you right.
  • Re:Fight back (Score:2, Insightful)

    by Sagarian ( 519668 ) <smiller&alum,mit,edu> on Thursday September 27, 2001 @08:04PM (#2361543)
    Given the way that these viruses work, and given that your script fires a message to everyone who attempts to Code Red exploit a server running your script, and that there's no central registry of which servers / email addresses have been notified by your script :

    Wouldn't this script, if widely employed, bring forth massive tidal waves of email as well?

    Imagine an admin's joy at finding that not only are 20 of his servers infected and/or destroyed, but he has an inbox full of thousands of messages that are now swamping his mailserver.

    Given that the communication of the email is not secure, could a malicious party not monitor traffic for copies of your script's message, and thus know exactly which servers can be exploited?

    Perhaps a better solution would be a secure central registry / database of known-infected systems, which exposed a secure known-infected system reporting mechanism (even a simple XML message protocol via https for example). Just thinking on the fly here...

    Anyway, the intention is noble...
  • Re:Not Me (Score:4, Insightful)

    by technos ( 73414 ) on Thursday September 27, 2001 @08:18PM (#2361595) Homepage Journal
    Despite the fact that I thought we were patched and secured, the Nimda worm hit our servers.

    Oops indeed! All of Nimda's exploits were old. You had what? Five months? At a total cost of $25,000?? Damn, I hope you have some money put away, because if you were one of my employees, you'd be working at half pay to reimburse the company for your negligence. That's on a good day. On a bad day, you'd be fired, and I'd call Legal to have them sue your ass once it cleared the doorstep on your way to the unemployment line.

    Rule 1: If you're an NT admin, you have to stay on top of *EVERY* patch. You don't patch, your company loses money because of your negligence. If you don't patch, you deserve to lose your job.

    Now, if you're one of those companies that has lost a lot of 'good men' to rule 1, perhaps you should not use Microsoft products? Perhaps they're not everything the Microsoft rep told you they would be...
  • by SuiteSisterMary ( 123932 ) <slebrunNO@SPAMgmail.com> on Thursday September 27, 2001 @08:23PM (#2361629) Journal
    I'll point out that a firewall won't protect from this, as these are legitimate http requests. Your gateway anti-virus solution and/or intrusion detection system, on the other hand, should catch these. But this sort of thing is NOT what a firewall is supposed to stop.
  • Re:Hmmm (Score:1, Insightful)

    by Anonymous Coward on Thursday September 27, 2001 @09:01PM (#2361752)
    I don't want to use IIS. I don't want anyone else on my lan using it either. Anyone know of a tool to scan for rogue IIS machines?
  • by Anonymous Coward on Thursday September 27, 2001 @09:58PM (#2361897)
    1) You're assuming that the only possible "purpose" of a computer worm is to survive, which is hardly the case. Another possible purpose of a computer worm might be to propagate to as many computers as possible, then destroy them all at a predetermined time.

    2) It would be an easy proposition to program a worm to spread initially, go dormant for 10 days, then propagate again 10 days later, then finally destroy its hosts.

    3) Consider the timing of this worm. It was released into the wild concurrently with the WTC attack, when the FBI was, ahem, busy with other matters.

    Q: If you wanted to maximize the damage to the information infrastructure, when would you plan to trigger the virus payload?
    A: At the end of the month, after payrolls had been computed. Golly. It's the last weekday of the month.

    Make no mistake, I have absolutely no evidence of such a plan or motive. I am saying that the fact that these worms are out there and work illustrates a potential to destroy massive numbers of computers all at once, and potentially inflict economic damage to businesses on a scale similar to the economic damage done to the airlines on 9/11. If such an attack were to happen, it would cause many, many companies to have to restore from backups all at once, and a certain percentage of computers would not be able to be restored, and a large amount of data would be lost. Businesses would be disrupted. Losses would be enormous. Jobs would be lost. It would be a severe economic blow.

    I stand by my claim. The IIS and Outlook security holes constitute an enormous threat to the national, and world economy.
  • Re:Again? (Score:3, Insightful)

    by reverius ( 471142 ) on Thursday September 27, 2001 @10:49PM (#2362032) Homepage Journal
    That's not possible... any significantly large company that was going to change something like that would need an obscene amount of time to switch to "something less vulnerable"...

    somewhere around a year and a half. :)
  • Re:Not Me (Score:2, Insightful)

    by berzerke ( 319205 ) on Friday September 28, 2001 @12:52AM (#2362414) Homepage
    All of Nimda's exploits were old. You had what? Five months?

    You forget several things.

    1. Microsoft does not test their patches. The patch probably will fix the problem, but they are also known for introducing new problems. Patching from Microsoft is rather risky in and of itself.
    2. Security at many firms is a low priority, at least until there is a crisis. At a place I used to work, I actually got reprimanded (more than once) for "wasting time installing patches".
  • by Milalwi ( 134223 ) on Friday September 28, 2001 @03:42AM (#2362661)
    Unlike 'Code Red', Nimda does not spread by pushing the worm binary in the HTTP request. The worm uses HTTP to find a vulnerable IIS server, then causes the IIS server to make a TFTP request out to the attacking host to retrieve the ~64K binary.

    Most normal 'secure firewall' products aren't tuned to block outbound requests from the protected servers to internet hosts.

    I would hope that most firewall admins aren't allowing TFTP outbound!

    If you don't need the service, turn it off. Only allow what is required.

    Now if Nimda had used HTTP to retrieve the Admin.dll file, many more folks would have been infected, as most firewalls do need to allow HTTP outbound.

    Milalwi
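Two points in this thread fit together from a defender's side: SuiteSisterMary notes that the inbound request is ordinary HTTP, so a packet-filtering firewall passes it, and Milalwi notes that the exploited IIS server then opens an outbound TFTP connection to the attacking host to fetch Admin.dll, which a default-deny egress policy stops. The following is an added example, not code from the thread, from Microsoft or from any firewall vendor. It models that egress policy ("only allow what is required") and triages a firewall log for outbound TFTP attempts from the web-server segment: each such attempt names an internal server that has just been exploited and an external host that is already infected. The log line format, the 192.0.2.0/24 server segment and the addresses in the sample lines are constructed for the example.

```python
"""Egress policy check and firewall-log triage for the Nimda retrieval step.

Added example; the log format, subnet and addresses below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: the DMZ segment that holds the IIS servers.
SERVER_SEGMENT = ipaddress.ip_network("192.0.2.0/24")

# Egress allow-list for that segment: (protocol, destination port).
# Anything not listed is denied, which is what "only allow what is
# required" means in practice. UDP/69 (TFTP) is deliberately absent.
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}


def egress_allowed(src, proto, dport):
    """Default-deny egress for the server segment.

    Hosts outside the segment are not governed by this policy and are
    passed through unchanged (a real ruleset would have its own rules
    for them).
    """
    if ipaddress.ip_address(src) not in SERVER_SEGMENT:
        return True
    return (proto.lower(), int(dport)) in EGRESS_ALLOW


# Constructed log format: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def tftp_attempts(lines):
    """Map each server that tried to reach UDP/69 to the peers it tried.

    The action (ALLOW or DENY) is ignored on purpose: an allowed attempt
    means the retrieval probably succeeded and the server is now a source;
    a denied one means the policy held but the server was still hit by a
    request that an IDS should have flagged. Both need the admin's attention.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"].lower() == "udp" and rec["dport"] == 69
                and ipaddress.ip_address(rec["src"]) in SERVER_SEGMENT):
            hits[rec["src"]].add(rec["dst"])
    return {server: sorted(peers) for server, peers in hits.items()}


def infected_peers(lines):
    """Sorted list of external hosts that our servers were told to fetch from."""
    peers = set()
    for plist in tftp_attempts(lines).values():
        peers.update(plist)
    return sorted(peers)


# Constructed sample log: two servers are pushed toward TFTP by two different
# infected peers; ordinary HTTP and DNS traffic and a non-DMZ host are noise.
SAMPLE_LOG = [
    "2001-09-28T05:02:11Z ALLOW tcp 192.0.2.10:1034 -> 198.51.100.7:80",
    "2001-09-28T05:02:14Z DENY udp 192.0.2.10:1035 -> 203.0.113.44:69",
    "2001-09-28T05:02:15Z DENY udp 192.0.2.10:1036 -> 203.0.113.44:69",
    "2001-09-28T05:03:40Z DENY udp 192.0.2.12:1040 -> 203.0.113.9:69",
    "2001-09-28T05:04:01Z ALLOW udp 192.0.2.10:1041 -> 192.0.2.1:53",
    "2001-09-28T05:04:05Z DENY udp 10.0.0.5:2000 -> 203.0.113.44:69",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for server, peers in sorted(tftp_attempts(SAMPLE_LOG).items()):
        print(f"{server} attempted TFTP to {', '.join(peers)}")
    print("infected peers:", ", ".join(infected_peers(SAMPLE_LOG)))
```

The policy function is the part that would have saved Milalwi's hypothetical admin: with UDP/69 absent from the allow-list the retrieval fails even though the firewall passed the inbound HTTP request. The triage function is the follow-up, since a denied retrieval still means the server received the request and the source address belongs to an already-infected host.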
  • Re:Not Me (Score:5, Insightful)

    by Rogerborg ( 306625 ) on Friday September 28, 2001 @05:31AM (#2362813) Homepage
    • If you're an NT admin, you have to stay on top of *EVERY* patch. You don't patch, your company loses money because of your negligence. If you don't patch, you deserve to lose your job

    You apply SP6 to NT4 the day it comes out. Your company's Lotus Notes system falls on its arse. You lose your job.

    Admins have a hard enough job keeping a known, stable system running without applying day-0 patches every time Microsoft figure they're screwed up again. Applying patches immediately and automatically isn't a black and white issue, and all your sound and fury won't make it so.

  • by ethereal ( 13958 ) on Friday September 28, 2001 @09:49AM (#2363300) Journal

    So, if there are recommendations on how to set it up securely, why isn't that the default? Still sounds like a faulty product to me.

  • by NMerriam ( 15122 ) <NMerriam@artboy.org> on Friday September 28, 2001 @09:54AM (#2363311) Homepage
    Our organization didn't do squat because we spent five minutes researching commonly accepted practices for securing IIS and NT boxes before we ever put our first box on the net.

    Unfortunately Nimda spreads itself over shares, too -- so our server was well-maintained, but every shared directory on there was filled with the .dll and .eml files from Nimda, put there by users who had been infected on their desktops.

    All it took was a single person on our network who had disabled their antivirus to spread it all over every network drive in the place.
