Microsoft

Nimda To Strike Again

Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.

Update: 09/27 22:45 GMT by T: Temporal confusion -- that's 5:00 GMT, sorry :)

Update: 09/28 00:14 GMT by T: Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.

  • Again? (Score:2, Interesting)

    by Dimensio ( 311070 ) <darkstar@LISPiglou.com minus language> on Thursday September 27, 2001 @06:34PM (#2361082)
    What does this mean? I was under the impression that once Nimda infected a machine it would attempt to propagate indefinitely unless the machine were cleaned. What was the propagation time cycle for the first run?

    Mind you, I've not seen a significant dropoff in my firewall hits (hits doubled after Nimda first hit), but perhaps I've not been checking properly.
  • Thanks, guys (Score:1, Interesting)

    by ZaBu911 ( 520503 ) <.moc.liamg. .ta. .retskcaz.> on Thursday September 27, 2001 @06:35PM (#2361087) Homepage
    Well, once more I have to thank you guys at slashdot for the heads up.

    On another note, I think that these viruses totally justify Ashcroft's view as labeling "hackers" as terrorists...the virus writers are really wreaking havoc.

    -z
  • Not Me (Score:4, Interesting)

    by NitsujTPU ( 19263 ) on Thursday September 27, 2001 @06:37PM (#2361098)
    I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.

    Are you kidding?

    Legislation shows that people have a hard time differentiating what's a serious offence and what isn't.

    For one thing, taking this out on someone hard, would only lead to approval of laws like the proposed law to make a bunch of kids in HS "terrorists" for winnuking each other.

    We KNOW that these aren't hard to create, kids with no formal training can crank them out like they're nothing. To a 14 year old kid who needs to show off to his friends (and almost all of them do), it's IRRESISTIBLE. I can't picture throwing someone behind bars for more than a couple years just because their virus is effective.

    If anything, they need counseling to know WHY what they are doing is bad, that it affects other people and that it isn't just a game, but certainly making an example of these people sets a precedent for the treatment of all of us.

    In other words, turn some silly kid with a script for making viruses into a real criminal, when people are getting in trouble for stupid stuff like scanning someone's ports, and soon you'll see anybody without corporate backing thrown in jail for having a debugger.
  • by Anonymous Coward on Thursday September 27, 2001 @06:44PM (#2361144)
    Why is Windows suffering so many of these attacks recently (I know this is the same but I mean coupled with Code Red etc)? Is it because the exploits have only recently been found that enable them? This implies that fewer such exploits existed in older MSware - is this true?

    Is their widespreading mostly helped by the recent influx of cable/dsl users? Instead of the usual MS bash, could we try to explain some of the factors that make these stories so common on /. recently?

    Of course, we can't escape that it was Microsoft that published exploitable code but I'm sure their software has always been as bad so what else is behind the current surge?
  • by ncc74656 ( 45571 ) <scott@alfter.us> on Thursday September 27, 2001 @06:45PM (#2361154) Homepage Journal
    Ditto...I'm up to nearly 13k hits logged since Nimda began, vs. a bit under 10k Code Red hits. The weird bit is that the number of Nimda-infected hosts is much lower...400 vs. 3500 for Code Red. Maybe it spends so much time banging away at the same system that it doesn't spread itself as effectively as Code Red.
  • Math? (Score:5, Interesting)

    by sharkey ( 16670 ) on Thursday September 27, 2001 @06:46PM (#2361160)
    9pm GMT -04:00 (EDT) is 5pm EDT.
    9pm GMT -05:00 (EST) is 4pm EST.

    However, the time mentioned in the article is 1am ET. Hazard a guess that it is really EDT they are citing, making 5am GMT zero hour. It will be 12:00am (Midnight) EST.
  • by standards ( 461431 ) on Thursday September 27, 2001 @06:48PM (#2361169)
    My organization was hit hard by Nimda. Our poor Windows Administration staff ran around like crazy cleaning, patching, and upgrading hundreds of machines.

    Is this a Microsoft problem? You bet.

    Microsoft OSs do not have a complete, common set of system administration tools built in. This results in haphazard machine administration.

    Microsoft and other companies sell useful administration tools, but these are high priced tools that only do a piece of the job. And since they aren't included with the OS, very few sysadmins have expertise with them.

    So Microsoft, get on the ball. If you want to sell an OS, it should be ready for the enterprise.... including enterprise administration.

    In the meantime, we're porting our apps from IIS to Apache. Yay!
  • Dangerous Viruses?? (Score:5, Interesting)

    by dragons_flight ( 515217 ) on Thursday September 27, 2001 @06:50PM (#2361180) Homepage
    Whatever happened to all the "3v1|_ h4x0r5"(TM)??

    We've seen a number of highly infectious viruses in the last year (Sircam, Code Red, Nimda, etc), but none of these were actually very destructive. Sure they are a pain to get rid of, and may spread a little information around, eat up bandwidth, or compel you to reformat just to be sure, but they aren't flattening people's systems.

    Whatever happened to the anarchists out to destroy the system? Now admittedly I don't want to encourage people to be more destructive, but it seems almost trivial to think of ways that viruses and worms could easily be made more destructive. For instance, upon infection, delete everything in the "My Documents" folder. Or, change default web page to a share of the whole computer. Or even wait a couple days and then wipe the person's hard drive.

    I haven't been vulnerable to anything to come along lately, and I'm glad, but I'm also glad to note that the truly skilled black hats out there seem to have moderated how much damage they actually intend to do. I wonder if they are scared what the law might do to them if their attack truly was evil.
  • Terrorists? (Score:4, Interesting)

    by Ghoser777 ( 113623 ) <fahrenba@@@mac...com> on Thursday September 27, 2001 @06:58PM (#2361229) Homepage
    Here's what most terrorists do. At least this is what I've heard/seen done by past terrorists:
    1. They take hostages
    2. They kill people
    3. They make demands
    4. They invoke terror in their victims

    In no way do these "hackers" fit the description of a terrorist except for maybe #4. These are generally just people who find a hole in security and take advantage of it. They can be really annoying, and people who make these types of viruses should be tried for damages, but I don't think they fit the description of a terrorist.

    But more important, I think Ashcroft isn't talking about virus-writing hackers, but any type of hacker. Essentially, if you mess with a system at all, then you're a terrorist according to Ashcroft.

    Boy, my parents must be disappointed in me now, raising a terrorist..

    F-bacher
  • Re:Not Me (Score:3, Interesting)

    by rgmoore ( 133276 ) <glandauer@charter.net> on Thursday September 27, 2001 @07:01PM (#2361250) Homepage
    We KNOW that these aren't hard to create, kids with no formal training can crank them out like they're nothing. To a 14 year old kid who needs to show off to his friends (and almost all of them do), it's IRRESISTIBLE. I can't picture throwing someone behind bars for more than a couple years just because their virus is effective.

    But this is really an argument in favor of different sentencing for juveniles than for adults (an idea that I support, and feel that recent laws are incredibly stupid to ignore) not against heavy potential penalties for writing viruses. IMO, writing a virus is the ethical equivalent of starting a fire, and deliberately releasing one is the moral equivalent of arson. Like a fire, a virus has the potential to spread completely out of the control of its originator and cause tremendous damage along the way. Little kids are not generally sent to prison when their playing with matches burns something down, but adults who do so are- and deserve to be- treated quite harshly. IMO any person who is legally competent to understand the consequences of releasing a virus and does so anyway deserves a nice long vacation at Club Fed.

  • Re:Not Me (Score:5, Interesting)

    by sphealey ( 2855 ) on Thursday September 27, 2001 @07:11PM (#2361305)
    "Legislation shows that people have a hard time differentiating what's a serious offence and what isn't"

    Despite the fact that I thought we were patched and secured, the Nimda worm hit our servers. Oops - missed one of those MS security bulletins. My bad.

    The cost in real dollars (not "gartner dollars" or "TCO dollars") to clean it up was around $25,000. For one small manufacturing company.

    If a naughty kid threw a rock through our window and did $100 of damage, the police would yell at him and call his parents to pick him up. If he threw a bottle of gasoline through the window and did $25k of damage, he would be prosecuted for a felony.

    So exactly how is this Nimda bomb not a "serious offense"?

    sPh
  • by desertfool ( 21262 ) on Thursday September 27, 2001 @07:19PM (#2361346) Homepage
    My first day at a computer related job (helping users) in '94 I found a computer with NATAS. That was one nasty virus. A real bitch to get rid of. And the computer had to be completely cleaned and re-installed. Then, upon scanning, I found several more that also had been infected, but it hadn't popped up and decimated the .exe and .com files yet. What a mess.

    The new worm/virus phenomenon is more of an annoyance. I keep my servers patched and protected, but I get 20+ emails a day from my users (all properly paranoid) about the new virus they heard about while driving in to work. That is the worst part.

  • by Anonymous Coward on Thursday September 27, 2001 @07:19PM (#2361347)
    If there's anything surprising about the entire worm phenomenon, it's that the payloads have been so benign. There's absolutely no reason why that has to be the case though, and sooner or later some little shit is going to slip in something like:

    FORMAT C:

    as the ultimate payload of a nimda-like worm, and all hell, and I truly mean all hell is going to break loose.

    I think that it's absolutely shocking that no one knew until right now that the damn thing is going to start up again tomorrow. What else don't we know about the program? I certainly hope that the experts who are now giving us some six hours notice (at night!) that the damn thing is about to restart haven't missed any other little details of the worm's operation.

    The entire IIS/Outlook security situation is absolutely shameful. Microsoft has been fucking around for years piling on layer after layer of buggy, insecure active this and executable that into the Windows mail system, and pretending that it doesn't matter, and the result, today, right now, today, is an internet that's about as secure as an airport with no guards, and half the locks in the terminals and on the planes flat out nonfunctional.

    Someone is responsible for this mess, and it ain't the folks who wrote the RFCs!
  • by jvj24601 ( 178471 ) on Thursday September 27, 2001 @07:20PM (#2361350)
    I was helping a friend install Win2KPro on his home machine to do some development work (for work, of course). I'm not a big Win guy, but I've done the point-click install before.

    Anyway, as soon as we were done (installing while his home network was live), we tried getting to windowsupdate.microsoft.com to install patches. However, we soon discovered that we were already infected! Two freaking minutes after installation!!

    If you don't install behind a firewall, how the hell are you supposed to get updates to all of Win2kPro's problems without getting infected?
  • by Carnage4Life ( 106069 ) on Thursday September 27, 2001 @07:37PM (#2361432) Homepage Journal
    If a piece of software requires regular patches for serious security problems, that's probably a sign that its basic approach to security is flawed.

    But does IIS really need patches as frequently as you imply? Code Red, Code Blue, Nimda et al exploit the same security hole that is almost a year old. The problem is that for every security hole, there are several waves of worms because IIS admins simply never patch their boxes.

    If you disbelieve me check out Netcraft's security survey [netcraft.com] which shows how long several IIS boxes have gone unpatched and that about 12% of SSL sites (meaning they are probably eCommerce related) running IIS have been "rooted".
  • by Anonymous Coward on Thursday September 27, 2001 @08:30PM (#2361652)
    A while back some practical jokers burst in on a couple of people I knew from high school, while they were buck naked and fucking.

    The resulting picture got sent out to a bunch of people from the school and since then I've encountered it twice randomly over the internet. Once while looking through a humour website, and another time it was part of an email forward sent to my college roommate (who wasn't from my high school).
  • by curunir ( 98273 ) on Thursday September 27, 2001 @08:32PM (#2361658) Homepage Journal
    It's not going to matter what o/s it is if someone can write a virus, root kit, whatever for it.

    From the OpenBSD website: "Four years without a remote hole in the default install!"

    Now, with the resources that M$ has, there's no reason why they shouldn't be able to say the same. The simple fact is that they've determined that they can make the public believe that they are not at fault, so it is more cost effective to add another "feature" to the os. If general motors didn't put airbags into their cars so that they could put in extra cup holders, would they be at fault? After all, it is the other car that actually caused the fatalities, right?
  • by q-soe ( 466472 ) on Thursday September 27, 2001 @09:41PM (#2361860) Homepage
    We use netchek and it works like a charm - the problem we had with Nimda was that the SAP servers connected to our network but maintained by the provider (we are in month 3 of an Enterprise Rollout) were unsecured and not running any virus protection, we got slammed by nimda - it did not hit any of our servers in the front door thru IIS but spread to boxes not running IIS but connected to the SAP system and to desktops from there.

    That's the thing that really pisses me off, we spend the time to lock down and secure our networks, hours patching systems and making sure virus scanners are up to date and then we get slammed by servers we have no access to or control over - yet we are the IT dept.

    If we can't maintain it and guarantee it safe then it should not be on my network dammit !
  • Windows Update?! (Score:2, Interesting)

    by dimer0 ( 461593 ) on Thursday September 27, 2001 @10:19PM (#2361955)
    Since I heard about Code Red, and Nimda, I've been hitting Windows update every day or so just to make sure I'm still up to date with all their security patches.. I've gone there before, downloaded security updates, and regularly make the rounds.

    For the past month or so, all that's been there are IE6 and Microsoft Messenger 3.6. Whoopie.

    So, I'm safe. Nothing can touch me.

    UNTIL I SEE THIS STORY ON SLASHDOT. That "command line tool" (hfnetchk) showed that I had 8 security patches I needed to apply, one of them had a WARNING next to it.

    Uh, hello Microsoft? Is Windows Update NOT for security updates? Just a place to peddle your frickin MSN Messenger!? I'm sure there's thousands of people like me who think that since Microsoft doesn't have any security updates posted under the CRITICAL heading on Windows Update, that we're free and clear. Geeze.

  • by hypergreatthing ( 254983 ) on Thursday September 27, 2001 @11:28PM (#2362190)
    There shouldn't be security holes that allow these viruses to exist in the first place. Don't blame the kids who wrote this, but rather blame microsoft. I'm sure you can use the excuses that microsoft can't be held responsible for everything their software causes, but this is ridiculous. Why did it take tons of viruses for microsoft to even patch this?.. Why wasn't this patched before, or caught before and addressed? It's simply because microsoft can't afford to make their software secure until it's demanded, and that's just wrong for a company like microsoft.
  • by avel599 ( 413285 ) on Friday September 28, 2001 @06:35AM (#2362889)
    OK, let's say there's an intranet with all sorts of Windows boxes, which uses a masquerade (IPCHAINS) Debian Linux box to connect to the Internet.

    How can I use the Linux firewall to protect all the machines inside it from those evil viruses? Any ideas/URLs? There *must* be something!
  • Re:9 PM? (Score:2, Interesting)

    by ethereal ( 13958 ) on Friday September 28, 2001 @09:28AM (#2363227) Journal

    Except the user was right, of course - if you guys weren't using NT, or possibly just kept up on the patches from Microsoft and hoped that those patches didn't hose something else that was important, the Internet wouldn't be broken (or at least the only brokenness would be coming from machines outside of your site, which you could at least firewall off). Heaven forbid a user point out that you guys can't keep it together. The fact that you had to work really hard and still couldn't get things back up in a timely fashion doesn't fill me with sympathy at all, it just makes me wonder when you'll finally come to your senses and use a technology that doesn't let you down so badly. I'm guessing not too soon, though.

    - ethereal, who bitches all the time about the Microsoftening of his workplace, because the IT team deserves to hear exactly how their "solutions" are working out. "Not well" is the answer.

  • by eth1 ( 94901 ) on Friday September 28, 2001 @10:18AM (#2363403)
    They would work just like a driver's license.
    Class A: You can administer high-bandwidth connections (ISPs)
    Class B: You can get broadband
    Class C: 56k dialup max
    Class D: 28.8 AOL for you!
