
Microsoft Bracing for Worm Attack

10010010 writes "A network worm attack targeting a critical Microsoft Windows vulnerability appears inevitable. The flaw is easy to exploit, as evidenced by the quick release of an exploit module for HD Moore's Metasploit Framework. Within hours of the Patch Day release Tuesday, two pen testing companies (Immunity and Core) created and released 'reliable exploits' for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1."


  • by Anonymous Coward on Friday August 11, 2006 @08:03AM (#15888368)
    This article mentions the 23 patches that Microsoft released. It then goes on to say:
    Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.
    And mentions that
    Aitel's company was able to reverse-engineer Microsoft's patch and create a working exploit in less than 24 hours.
    So are they saying that Microsoft is preparing for fall out from a new exploit that utilizes hastily written code from the latest series of patches? Is that what the pen companies reverse engineered? Or is Microsoft waiting for all the people who didn't patch their systems to be hit with what the DHS warned about and Microsoft fixed?

    I'm confused and I'd like to know if my building's Windows administrator needs to be put on suicide watch. He was up all night last night. From what it sounds like, he spent all that time trying to increase the security of our machines when he was really just altering the application so that the virus that came out 24 hours later would be able to attack the machines ... there is one non-Windows machine in my lab. I think I'll use that one today.
    • by Anonymous Coward on Friday August 11, 2006 @08:07AM (#15888384)
      you can get the patch for the patch here [ubuntu.com]
    • by Anonymous Coward on Friday August 11, 2006 @08:15AM (#15888439)
      It wasn't 23 patches: it was 12 patches that covered 23 vulnerabilities.

      Yes, it's worms exploiting the MS06-040 vulnerability that they're worried about.

      As long as you're properly firewalled from the rest of the world it can't get in but you should still get everything patched in case the worm gets inside your firewall e.g. as a trojan.
    • by Anonymous Coward on Friday August 11, 2006 @08:28AM (#15888516)
      They looked at the patch to find what is being patched, so now they know how to exploit the bug that is fixed by the patch. If your admin updated every Windows computer, you should be fine. The millions of unpatched systems on the internet however will most likely be wide open and added to botnets in a couple of days. Consequently even the users of well-administered Windows computers and other operating systems will feel the fallout of this vulnerability.
    • So are they saying that Microsoft is preparing for fall out from a new exploit that utilizes hastily written code from the latest series of patches? Is that what the pen companies reverse engineered?

      Wrong conclusion I think. More likely the reverse engineering is comparing the patched and unpatched code and actually working out what the exploit is, then writing the code to use it. (this is why the behaviour of the Rails team holding back details of their exploit is rather weird; especially when the sourc

    • by Anonymous Coward on Friday August 11, 2006 @08:34AM (#15888544)
      The fix for MS06-040 is KB921883, which is part of the recent batch of critical updates from Microsoft.
      TFA is confusing because it makes it appear as though the latest MS updates *cause* this vulnerability, while in actual fact they *fix* it.
    • Look, whatever the article says, it probably makes sense to ban all liquid or gel substances from any building that has Windows PCs, make all people stand in ridiculously long lines to have their pocketbooks and knapsacks security-checked for 8.5" floppy disks carrying said exploit, and even perhaps start a secret list of people who are banned by name from actually accessing a PC at all. I recommend the first name be John Smith, that bastard.

      Further, we should probably ban anyone that has dirt on their shoes, because I hear worms like dirt.

      Safety first, people. It may be an inconvenience, but it's all about your safety, and the safety of democracy across the world. We will prevail over the security-exploiters.
    • by TheGhostOfDerrida ( 953992 ) on Friday August 11, 2006 @09:34AM (#15888929)
      I tried to read the article, but it got a little confusing... is this a worm for a patch? A patch for a worm? A patch for a patch? A worm for a patch for a patch? a patch for a worm for a patch for a patch? A worm that patches? A patch that worms? Patches for worms? Does my dog (patches) have worms? I lost interest. And I think the TV is on...
    • Immunity RE'd the patch to find the original vulnerability. The exploit attacks unpatched machines. Sorry if you were being sarcastic or weird or something (I find it hard to tell the difference.) Anyway, CANVAS (which costs mucho dineros) is not the problem. I'd be more inclined to worry about the (free) Metasploit Framework [metasploit.org] exploit, by H D Moore - it only works on XP SP1, W2K3 SP0 and W2K, but there are probably still lots of machines out there in those categories. You may remember Mr Moore, he it was w
    • Todays Microsoft Update menu

      KB666123456 - Patch, Worm, Worm and Patch
      KB666456789 - Patch, Worm, Worm, Worm, Worm and Patch
      KB666666666* - Worm, Worm, Worm, Worm, Worm, Patch, Worm and Worm


      * May not contain patch
  • by $RANDOMLUSER ( 804576 ) on Friday August 11, 2006 @08:07AM (#15888382)
    From TFA:
    In most enterprises, Pescatore said the use of firewalls and the automatic blocking of TCP ports 139 and 445 should help mitigate the risk. However, he cautioned against IT administrators letting their guards down.
    If you have 139 or 445 exposed to the Internet, you've already been infected with something.
    • by 140Mandak262Jamuna ( 970587 ) on Friday August 11, 2006 @08:30AM (#15888530) Journal
      Well, in almost all companies and most homes the ports 137-139 and 445 are blocked at the firewall. But internally these ports are open, otherwise file sharing/printer sharing inside the network is impossible. True, it won't be serious as long as the firewall holds. But all it takes is one home user bringing an infected laptop to work and plugging it in, and all hell breaks loose. I had an old NT4.0 machine just to support old releases of our product and for debugging. A salesman from Taiwan came in, plugged his laptop in, and I was hosed. Worse, the worm was probing the rest of the corporate network so seriously that network traffic slowed to a crawl in the company. All the top management knew was that I had an unpatched old computer in the network and compromised the company intranet and lost half their work day.

      How easy is it to bring an infected laptop and plug it in behind the firewall? Our salesmen travel all over the world, plug into an untold number of hotel intranets and wi-fi cafes. They leave these two ports open when plugged into the company intranet. Do they always remember to close these ports when they work on an untrusted network connection? Chances of infection are great. Chances of them bringing the infection behind the firewall into the corporate network are great. I would not hastily dismiss it nonchalantly.

      • Yup, you're absolutely right. And as I said, if you've exposed those ports on an insecure network, you (your sales guys) are ALREADY infected...
      • by walt-sjc ( 145127 ) on Friday August 11, 2006 @08:49AM (#15888636)
        IMHO, you should not be blocking those ports at the firewall, but rather redirect them to a responder that floods the return path with copies of the Ubuntu ISO. Run QOS on your outbound and set it at a lower(est) priority than your normal traffic so it doesn't impact you.
        • Hmm. Got modded funny, but I was serious. If the ports are blocked on your firewall, the worms just move on. If enough people would respond back with a flood of garbage, it would be a reverse DoS. Instead of responding with an Ubuntu ISO, you could scan the attacker for open ports and flood those with SYN packets. Enough is enough. If we just do nothing about zombie attacks and machines, they will just continue. It's time to fight back and make zombie networks useless.
          • What? That's your solution? Flood the internet traffic even more! Besides a worm is spread by people who can't or don't know how to patch. You're not helping anything by doing that.
        • by g-san ( 93038 ) on Friday August 11, 2006 @01:35PM (#15890573)
          Nah.... tarpit. Put a listener on those ports (you windows users will have to reboot into linux for this. try it, you'll like it.) Open the connection, read from the channel, then just sit there until the remote end times out. If the worm is stupid enough it will connect back to your PC a few times. That slows them down, and doesn't cause any harm to the net. Or send back three bytes of data every 20 seconds or so... the remote end will buffer it expecting more to come and stretch the timeout even further.
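The tarpit described in the comment above, written out as an added example; this is not code from the original page or from the commenter. It binds an ephemeral loopback port by default because binding 139/445 needs privileges and would collide with a real file-sharing service; on a dedicated box you would pass those ports instead. The 20-second `interval` default follows the comment; the SMB-flavoured bytes in `FAKE_PROBE` and the `probe()` client are constructed for the demonstration and stand in for a naive scanner, not for any real worm's traffic.

```python
import socket
import threading
import time


class Tarpit:
    """Listener that accepts a connection, swallows the probe, then dribbles
    a few bytes at a time so the remote end keeps waiting for "the rest".
    A real deployment points this at TCP 139/445 on a host that does not
    otherwise speak SMB; port 0 (ephemeral loopback) is the demo default."""

    def __init__(self, host="127.0.0.1", port=0, drip=b"\x00\x00\x00",
                 interval=20.0, max_drips=None):
        self.drip = drip                # bytes sent per tick
        self.interval = interval        # seconds between ticks (20 s per the comment)
        self.max_drips = max_drips      # None: hold until the peer gives up
        self.connections = 0
        self.drips_sent = 0
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(128)
        self._srv.settimeout(0.5)       # lets the accept loop notice stop()
        self.address = self._srv.getsockname()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()
        return self.address             # (host, port actually bound)

    def stop(self):
        self._stop.set()
        self._srv.close()

    def stats(self):
        with self._lock:
            return {"connections": self.connections, "drips_sent": self.drips_sent}

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _peer = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:             # listener closed by stop()
                return
            with self._lock:
                self.connections += 1
            threading.Thread(target=self._hold, args=(conn,), daemon=True).start()

    def _hold(self, conn):
        try:
            # Read (and discard) the scanner's opening bytes; a silent peer is
            # not allowed to pin this thread forever, hence the timeout.
            conn.settimeout(self.interval)
            try:
                conn.recv(4096)
            except socket.timeout:
                pass
            # Each drip lands before the peer's read timeout fires, so it
            # buffers the bytes, assumes more is coming, and waits again.
            sent = 0
            while self.max_drips is None or sent < self.max_drips:
                time.sleep(self.interval)
                conn.sendall(self.drip)
                sent += 1
                with self._lock:
                    self.drips_sent += 1
        except OSError:
            pass                        # peer reset the connection: it gave up
        finally:
            conn.close()


# Constructed stand-in for a scanner's first packet (an SMB-looking header).
# It is not taken from any real exploit; the tarpit never parses it.
FAKE_PROBE = b"\x00\x00\x00\x2f\xffSMB\x72\x00\x00\x00\x00"


def probe(address, payload=FAKE_PROBE, timeout=5.0):
    """Behave like a naive scanner: connect, send the probe, keep reading
    until the other side closes.  Returns everything received."""
    with socket.create_connection(address, timeout=timeout) as conn:
        conn.sendall(payload)
        received = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return received
            received += chunk


if __name__ == "__main__":
    pit = Tarpit(interval=1.0, max_drips=5)
    addr = pit.start()
    print("tarpit on %s:%d" % addr)
    started = time.monotonic()
    data = probe(addr)
    print("scanner held %.1fs for %d bytes; stats=%s"
          % (time.monotonic() - started, len(data), pit.stats()))
    pit.stop()
```

Each held connection costs the scanner a socket and a timer while costing the tarpit nothing but a sleeping thread, and `stats()` shows how many probes you have held and for how many ticks. With `max_drips=None` the connection is held until the scanner's own timeout reaps it, which is the mode the comment describes; a busier deployment would replace thread-per-connection with `selectors`, but the mechanism is the same.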
      • This is why I make it my personal policy, and would (if I could) make it company policy, to never run Windows on a laptop. It's just a bad idea.
      • by mdarksbane ( 587589 ) on Friday August 11, 2006 @09:56AM (#15889104)
        Yep, the company I used to work for made a product to stop just that.

        One of the emerging areas in enterprise security is so-called "endpoint" security solutions, that will verify whether a user plugging into a corporate network has
        1) approved virus software with updated definitions.
        2) an approved firewall
        3) Any software updates that the techies have deemed required.

        If you don't, you get shunted off to a quarantined part of the network with instructions on how to obtain the software to make you compliant.

        On the one hand, it sounds like a pain to set up and annoying for the users (and as it usually requires DHCP enforcement it can be bypassed by someone who knows the network), and we didn't run it at our own company, but on the other hand I bet that if they had required it at the university I went to, the virus problem there would have been much more controlled.
        • My son is heading off to university in a month, and he just bought a Netgear NATing firewall to keep the personal equipment in his dorm room isolated from the rest of the worm-ridden idiots at the school. So that leads me to a question for you: How does your company's device handle non-Windows equipment hooking up to the network? Alternately, how could it verify the anti-virus software was present behind a hardware firewall? How does it deal with a Linux or Mac box hooking up? Or is the device made pri
        • My university does just that. It didn't work that well; in the semester or so while I had a Windows machine, there were periods in which I received virus notifications on an hourly basis, and I've been cleaning spyware out of that computer ever since.

          Now, of course, I don't use Windows, and consequently have no viruses. (It helps that my computer is in storage, too.)
      • How easy is it to bring an infected laptop and plug it in behind the firewall?

        It is pretty easy and even when it isn't there are plenty of droppers and trojans and multi-vector worms that can get past your firewall. Security at the network edge is all well and good, but if you're still vulnerable to this type of attack you might want to look into some internal hardening. The latest generation of IDS-like devices can really make a difference. They tell you something is spreading in your network, machines

      • IANANA (Network Admin) but can't you do something with DHCP and MAC identification? Via DHCP, any MAC not in the pool of known workstations gets shunted into a private subnet that's outside the firewall.

        In short, any laptop, by definition, is always outside the firewall.

        If they really need to print or email or mount shares, then they should be using whatever sort of technology (VPN, IMAP/SSL, etc) to do that outside the network. Or walk to a workstation.
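The posture check from the endpoint-security comment above, combined with the known-MAC idea from the DHCP comment, as an added example; it is not the product that commenter worked on and not code from this page. The policy thresholds, product names, MAC list and the three sample endpoint records are all constructed for the example; only KB921883 (the MS06-040 fix named earlier in the thread) comes from the page. The design point worth copying is that anything the endpoint does not report counts as non-compliant, so a client that simply omits a field cannot talk its way onto the production network.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy: every value here is an assumption for the example.
# KB921883 is the MS06-040 fix named in this thread.
POLICY = {
    "approved_av": {"Symantec AntiVirus", "McAfee VirusScan", "ClamWin"},
    "max_definition_age": timedelta(days=3),
    "approved_firewall": {"Windows Firewall", "ZoneAlarm"},
    "required_patches": {"KB921883"},
    "known_macs": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
}

# "Now" is pinned so the sample output is reproducible (constructed date).
NOW = datetime(2006, 8, 11, 12, 0, tzinfo=timezone.utc)

# Constructed endpoint reports, as an agent (or a DHCP lease) would present them.
SAMPLE_ENDPOINTS = {
    "desktop-ok": {
        "mac": "00:11:22:33:44:55",
        "av": {"product": "Symantec AntiVirus",
               "definitions_updated": NOW - timedelta(days=1)},
        "firewall": "Windows Firewall",
        "patches": ["KB921883", "KB917422"],
    },
    "sales-laptop": {            # back from a week of hotel networks
        "mac": "00:11:22:33:44:66",
        "av": {"product": "Symantec AntiVirus",
               "definitions_updated": NOW - timedelta(days=10)},
        "firewall": None,
        "patches": [],
    },
    "visitor": {"mac": "de:ad:be:ef:00:01"},   # reports nothing else
}


def classify(endpoint, policy=POLICY, now=None):
    """Return ("production" | "quarantine", [reasons]).
    Anything the endpoint fails to report counts against it: a client that
    omits a field is treated exactly like one that fails the check."""
    now = now or datetime.now(timezone.utc)
    reasons = []

    mac = (endpoint.get("mac") or "").lower()
    if mac not in policy["known_macs"]:
        reasons.append("unknown MAC %s" % (mac or "<none>"))

    av = endpoint.get("av") or {}
    if av.get("product") not in policy["approved_av"]:
        reasons.append("no approved AV")
    else:
        updated = av.get("definitions_updated")
        if updated is None or now - updated > policy["max_definition_age"]:
            reasons.append("AV definitions stale or unreported")

    if endpoint.get("firewall") not in policy["approved_firewall"]:
        reasons.append("no approved firewall")

    missing = policy["required_patches"] - set(endpoint.get("patches") or ())
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))

    return ("production" if not reasons else "quarantine", reasons)


def triage(endpoints=SAMPLE_ENDPOINTS, policy=POLICY, now=NOW):
    """Classify every endpoint; the result is what the DHCP server or switch
    would use to pick the production or quarantine VLAN for each client."""
    return {name: classify(ep, policy, now) for name, ep in endpoints.items()}


if __name__ == "__main__":
    for name, (verdict, why) in triage().items():
        print("%-13s %-11s %s" % (name, verdict, "; ".join(why) or "compliant"))
```

The reasons list is what the quarantine landing page would show the user ("update your definitions, install KB921883"). The DHCP bypass the first commenter mentions still applies: a host that configures a static address never asks for a lease and so never goes through this classification, which is why the decision ultimately has to be enforced at the switch port (802.1X or port-based VLAN assignment) rather than only in the DHCP server.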
    • by telchine ( 719345 ) on Friday August 11, 2006 @08:47AM (#15888623)
      I'm a Windows user.

      Can somebody please tell me what the hell a port is? :)
      • <troll>It's like a train station, but for ships.</troll>
      • by neo ( 4625 )
        "I'm a Windows user.

        Can somebody please tell me what the hell a port is? :)"

        A port is where software pirates come to collect their booty. In this case your pron. They sail in by using special software to "surf the web" and come into your port. Once in your port they have to fight with swords in order to capture the port (just like in the game Pirates by Sid Myers... it looks just like that.)

        Once they are in your port you're screwed, all the walls in the world wont stop them.
    • by Corbets ( 169101 ) on Friday August 11, 2006 @08:49AM (#15888639) Homepage
      Unfortunately, it's not that easy. You can (and most everyone does) block those ports at the firewall level. However, people that VPN in or connect via dialup, people who previously connected via the wireless at the local Panera, and either disabled their software firewall or just kept using their machine after that particular piece of software crashed.... they're infected, and when they VPN in, they go right through that precious firewall.

      Every.layer.Every.step.Every.machine.Must.be.secured.and.patched.

      It is, unfortunately, the only way.
      • Every.layer.Every.step.Every.machine.Must.be.secured.and.patched.

        William Shatner is a sysadmin?
  • It's been a while (Score:5, Insightful)

    by ronanbear ( 924575 ) on Friday August 11, 2006 @08:07AM (#15888389)
    Since there's been any worms attacking new exploits. I'd even begun hearing from some people that the days of Blaster style attacks are over.

    This should remind Windows users about complacency.

    • It is really funny. There are pundits out there that jump on the fact that OS X and Linux have been found with a possible security hole, so people are afraid of going to these OSes because of security, but they stay on Windows, which is a much higher risk.
      It is like saying I will just walk across the country because I heard of a person who died on an airplane.
    • Until after this theoretical worm takes over the planet?

      There are a lot of things in place today which weren't in place back with Blaster that allow IT depts to respond to these events... beyond just patching I mean.
  • by devnullkac ( 223246 ) on Friday August 11, 2006 @08:08AM (#15888398) Homepage

    OK, maybe I'm just missing an acronym/typo somewhere, but "pen testing?" Will the worms come through my Mont Blanc?

  • by krell ( 896769 ) on Friday August 11, 2006 @08:13AM (#15888429) Journal
    "The Cyber Gnome here. Denouncer of computer myths. Who needs to download security patches? I don't, and I've never had any prob%$#@@@@#^_@_#@ NO CARRIER"
  • by ericlondaits ( 32714 ) on Friday August 11, 2006 @08:13AM (#15888431) Homepage
    From TFA:
    A spokesperson for Microsoft said it is difficult to predict the motives and actions of attackers but insisted the company is "watching round-the-clock" and actively encouraging customers to download the update immediately.

    "We will mobilize if something does happen," the spokesperson said.
    They'll mobilize? Mobilize? As in "get the heck out of here"? Or are they calling the [GI]Joes?
  • The Patch (Score:3, Informative)

    by nherc ( 530930 ) on Friday August 11, 2006 @08:17AM (#15888454) Journal
    • I believe you meant to say "every *supported* version of Windows", as I see no patch for Windows 98 users. I'm not one of them, but unfortunately, some family members still are.

      Of course, these family members are also firewalled, so I'm not particularly frightened.
  • Not quite (Score:5, Informative)

    by jackmama ( 34455 ) on Friday August 11, 2006 @08:17AM (#15888455)
    which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1

    HD Moore posted a followup to the Daily Dave mailing list admitting defeat on those two platforms:

    Time to eat my words. The wcscpy() destination pointer trick doesn't seem
    doable on XP SP2 or 2003 SP1. I don't believe you can exploit this bug
    for more than a DoS on 2003 SP2/XP SP1. If you have information to the
    contrary, please share.


    All other Windows platforms remain easily exploitable, though.
  • by krell ( 896769 ) on Friday August 11, 2006 @08:17AM (#15888460) Journal
    Here's my suggestion for a new Microsoft Windows mascot [halcyon.com]. She's old enough to be public domain, she's tanned, she's rested, she's ready, and she's all patched to hell. All the better that Redmond is located in the vicinity of America's "Emerald City". Please, pay no attention to the borg behind the curtain.
  • FTFA it seems that my Windows 98 box is quite safe, thank you very much.
  • by Anonymous Coward
    From the title, I wondered if they were harvesting spice. "Wormsign! Is that wormsign?"
  • by brian23 ( 962399 ) on Friday August 11, 2006 @08:28AM (#15888520)
    So companies like Immunity reverse-engineer an identified Microsoft patched vulnerability, release an exploit and expect kudos? Impressive as it may sound, I would be more interested to hear of a company discovering a vulnerability and releasing it to Microsoft so it can be patched. If I can't create a virus/worm to wreak havoc on Windows machines, what makes these companies able to reverse-engineer and release the "0-day" exploit? It almost seems unethical. Also, it seems like Immunity and others are trying to make a name for themselves rather than being interested in user security.
    • by OriginalArlen ( 726444 ) on Friday August 11, 2006 @09:53AM (#15889063)
      So companies like Immunity reverse-engineer an identified Microsoft patched vulnerability, release an exploit and expect kudos?

      Nope, they do it to make money from selling the superb CANVAS product to penetration testers and other security professionals. They couldn't give a rat's ass what some random fucko on Slashdot thinks of it. Sorry to be the bearer of bad news... ;p

  • I wonder what the DHS has to say about this, having just the other day told us all to patch all our Windows systems [slashdot.org].
  • When I saw the list of patches my machine had downloaded the other day, I thought "this one's going to be trouble. Maybe we'll see a blaster-style worm based on this one."

    However, the vulnerability I was looking at was MS06-041 (remote buffer overflow in DNS client) [microsoft.com], not MS06-040 (remote buffer overflow in server) [microsoft.com] which I figured most people would have firewalled/disabled anyway.

    I mean, DNS client? The best the "mitigation" section of the advisory can say is that an attacker would have to make your machin
    • The DNS client vulnerability still puzzles me. From reading the advisory it appears as if the malicious party would have to be on a subnet between the DNS client and the DNS server. If this is the case exploiting this via the Internet might be a bit tough. But internally, a company that uses DNS could get rocked since the DNS clients and servers would likely be on the same LAN/WAN. Just thinking out loud...
  • by geobeck ( 924637 ) on Friday August 11, 2006 @09:04AM (#15888749) Homepage

    Emperor Shaddam Gates IV admitted today that the high rock formations that ring the city of Arredmond might not be able to repel a full-on attack by the Frehax0rz and their giant worms. Story at 11.

  • This would not have happened had Microsoft walked without rhythm.
  • So, everyone was saying "EEEEEvilllllllle Homeland Security is telling us to do something without releasing details! They must be up to something..."

    Yep, they were telling us that something like this was about to happen.
    • See now, the problem is that your tin foil hat isn't on tight enough, and the government brain wave monitors have got to you. The Eeeevil Homeland Security is obviously propagating these rumors of a worm just to make sure that everyone installs their little spyware patch.

      Geez, you probably believe all those news stories about that "foiled terror attack", too. That's obviously a conspiracy created by the folks who make those little travel bottles of shampoo to increase their sales once you get to your destina

  • This makes me long for the good old days, with Windows 98SE, where most ports were closed and exploits mostly came in through Outlook and IE.

    Running Thunderbird and Firefox would solve the Outlook and IE exploits today.
  • The Department of Homeland Security was on top of this. It seems like they are starting to understand what is going on. It makes you wonder if they are going to be proactive and raise the 'Terror Alert Level' when Vista is finally released.

    This signature was going to be a lot nicer but I had to cut a lot of features in order to get this post out without any further delays.

  • by mabu ( 178417 ) on Friday August 11, 2006 @12:11PM (#15890030)
    It's also worth noting that according to the reports, the now "un-supported" Win98/ME OS is not vulnerable to these exploits.
