Botnet Herders Attack MS06-040 Worm Hole 112
Laljeetji writes "eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor."
IRC the weakpoint? (Score:2, Insightful)
I would like to see these virus authors caught and publicly executed for once.
Re:IRC the weakpoint? (Score:5, Insightful)
Also, most bot herdes are in eastern europe, brazil, or developing countries. Catching hackers isn't high on the list of law enforcement priorities in the countries (and, if the right amount has been paid to the right people, it's completely ignored).
A Solution... (Score:5, Insightful)
As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible. No product, be it OSS or commercial, is free of these banes. On the other hand, problems like this would nearly go away, if only users would patch the software. Whether it's a new exploit in Windows or Apache or phpBB, if you don't patch, you're going to get screwed. Yes, it seems like Microsoft products have more patches than average, but at least they have patches. Blaster and MyDoom? They'd have never hit the news if users were patched. Automatic Updates in XP is a great step forward, but it's still opt-in.
Some people seem amazed when I say I had no direct problems with Blaster or Welchia, and they don't seem to get it that these problems essentially always appear after a patch is release which means there is no valid reason for their survival. Patch, patch, patch, patch, patch. Yes, slightly monotonous, but if users would simple do it, we'd stop seeing these equally monotonous news stories about Exploits of Doom.
Re:A Solution... (Score:5, Insightful)
The testing process. (Score:4, Insightful)
So there will be a delay between a patch being released and that patch being deployed on production systems.
And going into "crisis mode" for 2 weeks, starting the second Tuesday of every month is a bit much to expect of people.
Re:A Solution... (Score:5, Insightful)
Corporations have trouble because they may well have thousands of configurations they need to support, so even if 1% of them fail, it's a major problem. Still, imagine if Microsoft forces a patch out, and they cause the machines that have Quicken version 6.3532 build 4 to completely destroy all financial records on their next startup. (Or even just render them unreadable, since we're assuming non-technical users.) Imagine the liability issues, which, frankly, probably terrify the executives at Microsoft already when they issue a patch. Forcing the patches on users makes those issues even worse.
The worst part is, none of what I've said here contradicts anything you've said. It's all in play at once? So, which side dominates, and under what circumstances? I really couldn't tell you. However, I would think the empirical evidence at the moment is in your favor. But is the only/best solution really to cede control over your computer to Microsoft (which are the people who got you into this situation in the first place)?
At least Open Source doesn't have that issue; since nobody is in charge and nobody is making money by controlling your computer (DRM, etc), the conflict of interest involved in creating a security situation where what seems to be the best solution is deeding your computer over to the same people doesn't come into play.
Re:A Solution... (Score:2, Insightful)
Re:Whats gonna happen when Norton removes WGA? (Score:3, Insightful)
Re:A Solution... (Score:2, Insightful)
Correct me if I'm wrong, but isn't a patch software?
KFG
The problem with that assertion.. (Score:2, Insightful)
prime examples so far - bundling of windows genuine advantage with security patches and xbox 360 forced updates through live.
Internet the weakpoint? (Score:5, Insightful)
Suppose the bots all used AIM or MSN Messenger servers. Would you demand that those be taken down?
The weak point is not IRC or any other communications method. The weak point is software that's so easy to exploit it has new "critical" patches every month [insert tampon jokes here].
Re:A Solution... (Score:3, Insightful)
Re:A Solution... (Score:2, Insightful)
Re:make them use free software. (Score:4, Insightful)
We need a best of both worlds solution here. Windows Update is an excellent concept. But the execution sucks for the reasons you specified - EULA changes, WGA, poor/untested/damaging patches. It needs work. But in the long run, it'll be a lot more successful and helpful than any apt-get command, or anything else that's not entirely automatic beyond authorizing changes.
Re:A Solution... (Score:4, Insightful)
So when the next Blaster/Welchia-like worm hits, they haven't downloaded the patch 'cause they listened to me... and then I get to go back out and clean the virus off their system, and explain how they got the virus (worm, really, but I usually get that glazed-eye look when I explain the difference), and what they could've done to prevent it. Then I get to charge them, and explain why I'm charging them. See a pattern here?
End result: the client (end-user) is the one left hanging. If he blindly patches, he runs into problems. He blindly ignores the patches, he runs into problems. If we could only raise his level of computer literacy, he might actually have a chance to understand what the patch does, what might interfere with it, and possibly even solve the problem on his own if it occurs.
Seeing as that's very unlikely to occur, the system breaks down. Something's gotta give. Something's gotta change. Until it does, the end-user gets left hanging.