Win32 Blaster Worm is on the Rise 1251

Posted by CmdrTaco
from the i-can't-hold-her-together-any-longer-captain dept.
EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.
  • shutdown /a (Score:5, Informative)

    by mjmalone (677326) * on Tuesday August 12, 2003 @10:06AM (#6674769) Homepage
    My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

    shutdown /a

    That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that tries to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)
    • by Pionar (620916)
      >Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.

      You actually believe that reading /. makes you smart? Apparently, you never read comments below 5.
    • Re:shutdown /a (Score:5, Informative)

      by Anonymous Coward on Tuesday August 12, 2003 @10:14AM (#6674883)
      You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

      I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

      • by inKubus (199753) on Tuesday August 12, 2003 @04:13PM (#6678952) Homepage Journal
        Sorry to whore this out here, but has anyone actually looked at the patch? I mean, this affects a rather important part of the Windows operating system. RPC is used for interprocess communication, named pipes, etc. Couldn't the CIA or something put a bug in it that will forward everything you cut and paste, type, send, etc. to some other entity? And what better way to get the masses to install it than a little worm to exploit a hole they purposely left open?

        Furthermore, Microsoft paid out $520M only yesterday due to patent infringement with a component in MSIE.

        I mean, I'm all patched up, so I know I'm safe but.. oh shit.. the shutdown timer just popped up! Microsoft must be reading what I'm typing. If only I can do this thing quick enough. OH FUCK I have to wait 20 seconds from the time I hit the reply button til when I press submit and it's getting down near 1 nowwwww
    • Re:shutdown /a (Score:4, Interesting)

      by TedCheshireAcad (311748) <ted&fc,rit,edu> on Tuesday August 12, 2003 @10:17AM (#6674914) Homepage
      How creepy. I was setting up a relative's DSL modem yesterday, when I saw that the RPC service was shutting down the machine. Thought it was just Windows XP being retarded, but I guess it's time for a new visit.

      The box hadn't been on the internet for more than 15 minutes.
      • Re:shutdown /a (Score:5, Insightful)

        by Tony Hoyle (11698) <tmh@nodomain.org> on Tuesday August 12, 2003 @10:21AM (#6674965) Homepage
        Rule 1: The first thing you do when putting any system on the net is make sure it's behind a firewall.
        Rule 2: See rule 1. Then do it.

        FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????
        • Re:shutdown /a (Score:5, Interesting)

          by Jugalator (259273) on Tuesday August 12, 2003 @10:43AM (#6675186) Journal
          Home users, maybe but businesses????

          The largest ISP in Sweden, Telia, had 40 servers collapse from this virus and in effect prevented 16,000 users from logging on to their ADSL service. That gives you a great deal of confidence in an ISP, right? ;-)
        • Laptops (Score:5, Insightful)

          by mrscott (548097) on Tuesday August 12, 2003 @11:05AM (#6675436)
          Think about this scenario: a perfectly competent administrator has a properly configured firewall which blocks the problem. The "road warrior" brings his laptop from 3 weeks on the road and had used a bunch of hotel access points where he got the worm. He connects it to his docking station in the office, effectively bringing the problem behind the firewall.
        • Re:shutdown /a (Score:5, Informative)

          by zoombat (513570) on Tuesday August 12, 2003 @11:08AM (#6675473)
          FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

          Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunately all our laptops were either patched or left at work yesterday and patched this morning.

          The other possible point of entry is VPNs, which are also notorious for letting in computers that were infected via a different net connection.

    • by kunsan (189020) on Tuesday August 12, 2003 @10:31AM (#6675056)
      I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to do that. I just pushed the date back one year, and the shutdown is postponed a year! Then you can run a full system virus scan and repair tools.

      Regards/
      JP
    • Re:shutdown /a (Score:4, Interesting)

      by MSG (12810) on Tuesday August 12, 2003 @10:56AM (#6675317)
      You can also turn on the firewall in Windows XP and download the patches. That's what I did on my girlfriend's PC.

      Funny thing is I had her computer about a month ago, and I applied all of the available patches, followed the HOWTO's I could find on shutting off services to secure XP, and turned on the personal firewall on her dialup connection, and she *still* got hit. I guess RPC isn't in the list of services that you should disable... What freaks me out is that something turned off that firewall, though. I have no idea what. Does anyone know of any common Windows software that turns off XP's firewall?
      • by Anonymous Coward on Tuesday August 12, 2003 @11:09AM (#6675495)
        your_girlfriend.exe
  • Good timing... (Score:3, Interesting)

    by tbase (666607) on Tuesday August 12, 2003 @10:07AM (#6674776)
    Someone in my office just gave me a screen shot of a shutdown timer on their computer at home. Anyone used the removal tool yet and had any luck with it?
    • Re:Good timing... (Score:5, Interesting)

      by brejc8 (223089) * on Tuesday August 12, 2003 @10:11AM (#6674846) Homepage Journal
      The removal tool takes several minutes to run.
      Just apply the exact patch and remove the msblast.exe from your windows/system32 directory.
      Then run the tool afterwards to ensure it has
      gone.
      The exact patch needed is here
      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
    • by irc.goatse.cx troll (593289) on Tuesday August 12, 2003 @10:36AM (#6675104) Journal
      Something similar happened to me yesterday. A friend of mine IMed me saying his computer kept saying it had 60 seconds to reboot, and something about rpc crashing. So I responded with a screenshot of dir c:\ running on his machine.
      Moral of the story: I'm an asshole.
      (For the record, I then told him where to get the patch, and how to cancel a running shutdown.)
  • Wrong link (Score:5, Funny)

    by JPelzer (202626) * on Tuesday August 12, 2003 @10:07AM (#6674783)
    Shouldn't the "Removal Tool" link point to a Linux ISO download site or something? I mean, this is slashdot... :-)
  • The Rise (Score:5, Funny)

    by mao che minh (611166) * on Tuesday August 12, 2003 @10:07AM (#6674784) Journal
    DOOM-DOOM-DOOM-DOOM DOOM *PANG*
    DOOM-DOOM-DOOM-DOOM DOOM *PANG*

    At 10:06 AM, August 12th, 2003, Skynet launched dah Win32 Blaster Wahm. It quickly seized contrahl of ahh computers on the Net and forced a mahndatory reboot.

    OK this is getting old.....

  • Honest question (Score:5, Insightful)

    by lseltzer (311306) on Tuesday August 12, 2003 @10:09AM (#6674806)
    Dear all of you who are being hit by this attack:

    Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.
    • by killmenow (184444)
      (Better yet)

      To whom it may concern:
      Why aren't you blocking stupid useless open ports from the Internet? There are freely available tools [zonelabs.com] if you insist on running Windows. Then again, most electronics stores sell standalone broadband firewall/routers. If you used one of those, you could take your time and patch whenever you feel like it...

      I tell all those in my circle of influence: never connect to the Internet without a firewall in place. It makes no difference what your host OS is. At the least, y
      • Re:Honest question (Score:5, Insightful)

        by caluml (551744) <slashdot&spamgoeshere,calum,org> on Tuesday August 12, 2003 @10:36AM (#6675107) Homepage
        Why aren't you blocking stupid useless open ports from the Internet?

        Most people:
        What's a port?
        Do I have any?
        How can I check?

        • Re:Honest question (Score:5, Insightful)

          by Maserati (8679) on Tuesday August 12, 2003 @11:07AM (#6675466) Homepage Journal
          I had to explain ports and firewalls to one of our Account Services people yesterday. My analogy was a company with one main number and everyone else on extensions behind that number. So if calling their number (IP address) and asking for extension 80 (port) lets you talk to Janie (900.69.69.69:69) then that's just like connecting to a web server at an address:port combination.

          Specifically, we were trying to figure out if a client's BOFH was a BOFH, a PFY or a PHB. We think he's a PHB since there's a lot of money (cash and obligations) sunk into a project that needs a port opened in their firewall and he won't/can't/hasn't opened it up yet.

          This may still be better than the other (former) client who put two people in our office using VPN to connect to their home network... and then changed their proxy configuration without telling anyone (like their helpdesk). It took me a week of phone tag to get one of their network analysts to finally say "OK, try this". Then they sent her an XP laptop with that setting locked into the old-and-wrong setting. I think she had to ship it back since they wouldn't cut loose with the admin password. Neither would I, but the box would have worked before I sent it out. We aren't suing them for specifically "rampant idiocy", but that MUST be a factor. We're suing them, a spokesfigure was perp-walked recently and business is way down. I wonder how long they'll manage to stay out of Chapter 11.

          Stupid people suffer.
        • by wfrp01 (82831) on Tuesday August 12, 2003 @11:34AM (#6675785) Journal
          What's a port?
          Do I have any?
          How can I check?


          A place where ships are safe from storms. See also 'port of entry'.
          You have an output port on your behind.
          Do yoga.
      • Re:Honest question (Score:5, Insightful)

        by Ilgaz (86384) on Tuesday August 12, 2003 @11:27AM (#6675692) Homepage
        Well, I wonder why MS opens RPC (135) to outside World.

        Yes yes, services use it, as Steve Gibson's saying "impossible to close without firewall" ...

        Don't blame people not using a firewall, they are mostly newbies, e.g. XP home users. Ask the real question: Why do you open a port to the outside world in a default OS install?

        Everyone knew port 135 would be exploited in a real bad way before, that was just a matter of time.

        If the OS is a client only, do not turn on RPC listening on port 135... Is it THAT hard?
    • Precisely (Score:5, Insightful)

      by Overly Critical Guy (663429) on Tuesday August 12, 2003 @10:21AM (#6674964)
      There was even a Slashdot article about the exploit. It was such a big deal because it was the first and only vulnerability for Windows Server 2003 so far.

      All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.

      If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...
      • Re:Precisely (Score:4, Insightful)

        by aug24 (38229) on Tuesday August 12, 2003 @10:57AM (#6675340) Homepage
        I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.
        Did you merrily click past the EULA that said if it destroyed your system and data it wasn't MS's fault or responsibility? Did you install on one box and then do a complete round of System Test, or did you just blindly trust MS?

        J.

      • Re:Precisely (Score:4, Interesting)

        by zoombat (513570) on Tuesday August 12, 2003 @11:20AM (#6675617)
        I can't think of any reason why someone shouldn't be doing the same to their Windows network

        Your point is certainly valid, but what makes this particular problem frustrating is not that it was a widely publicized hole, but that Microsoft's tools (e.g. Windows Update) for checking patch status are wholly inadequate. There has been a fair amount of discussion [ntbugtraq.com] on NTBugTraq on this point leading up to the worm discovery.

        Also, 30 days to test and implement a patch on mission-critical production systems is sometimes more difficult than it seems like it should be.

    • by aug24 (38229) on Tuesday August 12, 2003 @10:21AM (#6674970) Homepage
      Have you met many people who are MS sysadmins? A good proportion of those that I have met are Joe User types who have knowledge of how to set up, auto-reboot and backup machines, and not a lot more.

      Windows is easier to pick up, but just as hard, possibly harder, to maintain than *nix. So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day to day.

      Combine that with the sheer number of severe and critical patches MS expects you to apply, each of which must go through regression testing before deployment, and you can see why sticking the ol' head in the sand looks appealing...

      J.

    • by Anonymous Coward on Tuesday August 12, 2003 @10:37AM (#6675121)
      Welcome to the corporate world. All things, including service packs, must be tested on all platforms with all applications before being deployed into the environment.

      We don't have a couple dozen windows boxes. We have a couple hundred thousand. Patching is *painful*. We're not talking purely servers that are affected--standard workstations. Servers get patches at a much faster rate than the user desktops.

      Even after the 4-6 months goes by and the patches get the official blessing for end-user install, users don't like watching the service packs run for half an hour when they login. Besides, who trusts the users to sit around and let them install without playing with stuff.

      So....We filter internal site connections to try and contain infections, and work as quickly as possible to mitigate the risks of downtime for system updates vs. the risk of collateral damage (outages) caused by Microsoft's weak code and security practices (AKA bug).

      After two years, we're almost done with the Windows2000 conversion, but Microsoft has already been pushing for immediate XP deployment for a year...

      Why aren't they all patched? Because nothing moves fast in large installation bases.
    • Honest answer (Score:5, Interesting)

      by djembe2k (604598) on Tuesday August 12, 2003 @11:02AM (#6675401)
      OK, maybe I'm not really who you are aiming this question at, but probably those folks aren't going to answer, or give the serious and honest answer you're looking for, so I'm what you are going to get.

      I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.

      My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.

      Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.

      We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.

      When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.

      At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.

      So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.

      Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.

      And we're lucky. All our boxes are at one location. I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.

      The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequately test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.

      • by allism (457899) <alice DOT harrison AT gmail DOT com> on Tuesday August 12, 2003 @12:13PM (#6676268) Journal
        Monitoring slashdot...I need to remember that phrase if I ever get reprimanded for excessive internet activity...

        seriously, though, I, for one, thank you on the behalf of all us little peon users for testing before patching. I swear, the next time the sysadmin comes around and installs something on my computer that means I have to spend hours fixing my computer before I can do any more of my real work, I'm gonna kick him in the shins...
  • Nasty little bugger (Score:5, Informative)

    by snack (71224) on Tuesday August 12, 2003 @10:09AM (#6674812) Journal
    I've been helping my friends get this NASTINESS off of their machines too.

    Something else you might want to try is booting into safe mode (F8 right when Windows splashscreen pops). Deleting the registry entries, and the virus runprogram (msblast.exe). Also please... PLEASE patch your computer.

    When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didn't even know about (Spybot.worm).

    -Tim
  • by UnassumingLocalGuy (660007) on Tuesday August 12, 2003 @10:09AM (#6674818) Homepage Journal
    Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

    C:\WINDOWS>shutdown -a now

    Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.
  • A BBC link (Score:3, Informative)

    by azzy (86427) on Tuesday August 12, 2003 @10:10AM (#6674825) Journal
    Another article here [bbc.co.uk]
  • Virus (Score:5, Funny)

    by Anonymous Coward on Tuesday August 12, 2003 @10:10AM (#6674827)
    If this thing wouldn't keep crashing computers, it would be spreading like greased wildfire.
  • by Eric Ass Raymond (662593) on Tuesday August 12, 2003 @10:10AM (#6674829) Journal
    The patch does not appear to work properly.

    Read more on SecurityFocus' mailing list [securityfocus.com].

  • RPC? (Score:4, Informative)

    by Quasar1999 (520073) on Tuesday August 12, 2003 @10:10AM (#6674834) Journal
    Funny, a few days ago I had my XP system exhibit the same problem (after using windowsupdate)... but I checked the event log and it told me that 0x70/0x71 was accessed by the BIOS unexpectedly.

    After doing a bit of research I discovered that at some point, microsoft decided that ACPI needs to behave differently, and forced all BIOS's to be upgraded to work with XP. After getting a new version of my BIOS, the problem disappeared... but the symptoms were identical to what is described with this bug... Bad timing I guess... But if you have this problem, check the event log, it may be your now non-compliant BIOS, rather than an infection/attack.
  • In addition... (Score:4, Informative)

    by OrthodonticJake (624565) <[[OrthodonticJak ... ail]}{[,][[com]]> on Tuesday August 12, 2003 @10:11AM (#6674840) Homepage Journal
    My friends and I discovered that turning on your windows firewall (Windows XP) also stops the shutdowns. (Wish I had known that BEFORE I formatted my computer) Unfortunately, I told my parents about this 'epidemic' of computer error (I heard about it from my cousin in Kansas before it happened to me, and then some friends here got it at the same time), and I'm sure that now whenever something is wrong with the computer my parents will get a big serious face and say "You know, it's probably an epidemic".
  • also (Score:5, Informative)

    by BigBir3d (454486) on Tuesday August 12, 2003 @10:11AM (#6674844) Journal
    Internet Storm Center [sans.org]

    Microsoft Bulletin [microsoft.com]

    Note this is marked "Critical" now...

  • Nice touch. (Score:3, Informative)

    by bbum (28021) on Tuesday August 12, 2003 @10:12AM (#6674862) Homepage
    From Symantec's analysis:

    If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

    With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.


    Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?

    Nahh....
  • by EvilNight (11001) on Tuesday August 12, 2003 @10:13AM (#6674874)
    If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.
  • Echoes (Score:4, Informative)

    by saskwach (589702) on Tuesday August 12, 2003 @10:15AM (#6674893) Homepage Journal
    Why-oh-why can't people patch? Shouldn't broadband providers be sending emails to their clients with a link in them? You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail. Even the most clueless of windows users can click on a link and then click the "Yes" button. I can see my logs filling with failed attempts to bring down my machine already...
    • Re:Echoes (Score:5, Funny)

      by fishbert42 (588754) on Tuesday August 12, 2003 @10:44AM (#6675194)
      'You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail.'

      Actually, in my hotmail spam repository account I already do get tons of messages saying things like that. But, I don't think they're talking about computer security. =)
  • by Snarfangel (203258) on Tuesday August 12, 2003 @10:16AM (#6674904) Homepage
    I work at an ISP, and over half of our tech support calls yesterday were because of this worm. You wouldn't believe the number of people who thought we were somehow going into their computer and not only kicking them off the internet, but rebooting their computers. (Yes, sir, the tech support staff feels horribly underworked today, so we thought we'd make things more exciting and pi** off a few customers in the process.) I hope they find the person involved and perform medical experiments on him.

  • by mccalli (323026) on Tuesday August 12, 2003 @10:17AM (#6674922) Homepage
    Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Canon Street and Poultry.

    Then try, really, really hard to stop laughing...

    Cheers,
    Ian

    • by Zak3056 (69287) on Tuesday August 12, 2003 @11:02AM (#6675406) Journal
      Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Canon Street and Poultry.
      Then try, really, really hard to stop laughing...


      I don't know why I have to point this out, but that's NOT funny--it's freaking SCARY.
      • by Dalcius (587481) <chrism3413+slashdotNO@SPAMgmail.com> on Tuesday August 12, 2003 @03:09PM (#6678318)
        An ATM running an open and unpatched SMB on a network that, directly or not, is exposed to the internet...

        Some things are completely understandable. But this just makes me want to sit down with the IT guy who dreamt this up and ask him what the hell he was thinking.
  • by Basje (26968) <bas@bloemsaat.org> on Tuesday August 12, 2003 @10:19AM (#6674941) Homepage
    RTL Z (national television, all day business news), the Netherlands, this afternoon:

    It was said that if you valued security, Microsoft wasn't the best solution. You'd be better off with Apple or Linux.

    This could very well be a (another) turning point for linux. Of course, by the time something like this happens to Linux, everybody is going to run the other way again, but it could give OS some inroads.
  • by daun3507 (116384) on Tuesday August 12, 2003 @10:21AM (#6674962)
    While you should have the MS03-010 [microsoft.com] patch installed, it is the wrong one for this worm. Make sure you use MS03-026 [microsoft.com]. This is the patch that it links to in the removal tool [symantec.com] link.
  • by j0se_p0inter0 (631566) on Tuesday August 12, 2003 @10:23AM (#6674983)
    Start\Settings\Control Panel - Administrative Tools. Services. right-click "Remote Procedure Call (RPC)" hit Properties. click the Recovery tab. set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". that will keep it from trying to reboot as you clean. good luck.
  • by Eudial (590661) on Tuesday August 12, 2003 @10:28AM (#6675032)
    All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

    To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened on)

    Now you can actually *see* when the worm tries its futile attack on your superior OS.
    // begin mblaster_l.c
    // Listen on TCP 135, log who connects and what they send. Bytes that are
    // not printable ASCII are shown as '.' so that a binary payload cannot
    // garble the terminal. Needs root to bind a port below 1024.
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <ctype.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #define PORT 135

    int main(void)
    {
        int sock_f;
        struct sockaddr_in sockaddr_l;
        socklen_t len_s;
        struct sockaddr_in remote_a;
        unsigned char buffer[4096];
        int remote_p;
        ssize_t n, i;

        sock_f = socket(AF_INET, SOCK_STREAM, 0);
        if (sock_f < 0) { perror("Could not create socket"); return 1; }

        memset(&sockaddr_l, 0, sizeof(sockaddr_l));
        sockaddr_l.sin_family = AF_INET;
        sockaddr_l.sin_port = htons(PORT);
        sockaddr_l.sin_addr.s_addr = INADDR_ANY;
        if (bind(sock_f, (struct sockaddr *)&sockaddr_l, sizeof(sockaddr_l)) == -1)
        { perror("Could not bind socket"); return 1; }

        if (listen(sock_f, 30) == -1) { perror("Could not listen on socket"); return 1; }
        while (1)
        {
            /* accept() treats len_s as in/out, so reset it on every call */
            len_s = sizeof(remote_a);
            if ((remote_p = accept(sock_f, (struct sockaddr *)&remote_a, &len_s)) == -1) continue;
            /* recv() returns a byte count; the data is not a NUL-terminated string */
            n = recv(remote_p, buffer, sizeof(buffer), 0);
            if (n > 0)
            {
                printf("Received %zd bytes from %s\n", n, inet_ntoa(remote_a.sin_addr));
                for (i = 0; i < n; i++)
                    putchar(isprint(buffer[i]) ? buffer[i] : '.');
                putchar('\n');
                fflush(stdout);
            }
            close(remote_p);
        }
    }

    // end mblaster_l.c
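    Added example, not from Eudial's post or anyone else in the thread: a Python triage script for the output of a port-135 listener like the one above. The log lines are constructed; the script accepts the posted "Received data from <ip>" format and a "Received N bytes from <ip>" variant, counts attempts per source, and flags RFC1918 sources, which in the scenario several posters describe (laptops infected on the road, reconnected inside the firewall) are the internal hosts to unplug and patch first.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample output from a port-135 listener; mixes both line formats
# and one junk line that the parser must skip.
SAMPLE_LOG = """\
Received data from 192.168.1.23
Received 1024 bytes from 203.0.113.7
Received data from 192.168.1.23
Received data from 192.168.1.23
Received data from 10.0.5.9
Received 4096 bytes from 203.0.113.7
Received data from 192.168.1.23
garbage line that should be ignored
"""

LINE_RE = re.compile(r"^Received (?:data|\d+ bytes) from (\S+)")

# RFC1918 ranges: anything here came from inside the perimeter, i.e. a host
# that got past the firewall some other way (laptop, VPN).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if ip lies in one of the RFC1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_sources(log_text):
    """Count connection attempts per source address in listener output."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # malformed address, skip the line
            continue
        hits[str(ip)] += 1
    return hits


def triage(log_text, threshold=3):
    """Per source: hit count, internal or not, and whether it crossed the
    scan threshold (repeated hits on 135 from one host is worm behaviour)."""
    report = {}
    for ip, n in parse_sources(log_text).items():
        report[ip] = {"hits": n, "internal": is_internal(ip),
                      "flagged": n >= threshold}
    return report


def internal_suspects(log_text, threshold=3):
    """Sorted internal addresses over threshold: pull these off the network
    and patch them before they reach the servers."""
    return sorted(ip for ip, r in triage(log_text, threshold).items()
                  if r["internal"] and r["flagged"])


if __name__ == "__main__":
    for ip, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} hits={r['hits']:3} internal={r['internal']} "
              f"flagged={r['flagged']}")
    print("internal suspects:", internal_suspects(SAMPLE_LOG))
```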
    • by Junks Jerzey (54586) on Tuesday August 12, 2003 @11:06AM (#6675449)
      All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

      Sigh. The Windows exploit is essentially a buffer overrun. Microsoft knew about this and released a patch *before* this worm was even written. So it comes down to two things:

      1. It's a common problem caused by people writing OS-level services in languages that are prone to these types of problems. Windows and Linux are in the same boat here. Many such exploits have been found in both OSes, and more will be found in the future.

      2. It doesn't matter how fast a patch is released if people don't download and install the patches. Again, both Windows and Linux are identical in this respect.

      If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG.
  • by mizidymizark (669232) on Tuesday August 12, 2003 @10:31AM (#6675057) Homepage
    I know this is Slashdot and all the Linux users need their daily affirmation that they are right, but guys, lay off the common user. To expect someone over dialup to have Windows XP patched with the 200 MB of updates since XP came out is rather harsh. I know this hits more broadband users, but working in tech support, we have seen a fair amount of dialup users get hit as well. So before telling the everyday user to switch to Linux for their home machine, maybe we should get Microsoft to check their product for problems before shipping it out.
  • by FunWithHeadlines (644929) on Tuesday August 12, 2003 @10:42AM (#6675180) Homepage
    I heard about this latest virus scare on the radio, and I noticed it was called a "Windows virus" this time, and not the usual "computer virus." It seems even non-techies are finally catching on that these are Windows problems being exploited, and if you run non-Windows machines you are unaffected.

    Yes, yes, I know, this is /. and we all know this. My point is that the mainstream press is starting to make the distinction now.

  • by unfortunateson (527551) on Tuesday August 12, 2003 @11:00AM (#6675375) Journal
    Yeah, it's stupid, but there's a lot of machines that won't get patched:
    • Dialup -- those patches are big
    • FUD about Windows Update watching your machine for bootleg licenses
    • but most of all, warnings from folks such as Brian Livingston [briansbuzz.com] and Woody Leonhard about flawed patches prompt folks like me to delay installation of just about any patch for at least a week, to see if they'll patch the patches.

    Now, I didn't get hit -- between the firewall, ZoneAlarm and the patches, I think I'm Ok.
  • This is not FUD (Score:5, Insightful)

    by JRHelgeson (576325) on Tuesday August 12, 2003 @11:04AM (#6675420) Homepage Journal
    The security community has been saying for nearly a month that people needed to update their machines. We watched as the hacker community perfected their code for the RPC/DCOM vulnerability and posted their work on hacker sites and discussion groups. Yet the more we begged and pleaded people to update their machines, the more I heard "Aw, they're just hyping the FUD factor."

    Let it suffice to say that if a company is trying to sell you something based upon the FUD factor, treat the information as suspect. I agree, vendors whose software doesn't sell on its own laurels hype the hell out of the FUD factor and give the industry a bad reputation. But don't lump these vendors in with the security consultants that are trying to provide a free service and free advice based upon information that is going around in the security community.

    When you get security information, consider the source. Is the security information provided with a sales pitch attached? If so, google the information to determine if it is FUD or legitimate. If it's legit, it'll pay to listen.

    Regardless, people, patch your *#&($*@& machines!

  • by g8oz (144003) on Tuesday August 12, 2003 @11:04AM (#6675425)
    All these crappy Microsoft net-enabled 'features' turned on by default are a menace to the average user and the Internet in general.

    Please block TCP/UDP NetBIOS ports 135-139, as well as SMB over TCP (port 445), RPC over HTTP (port 593), and the MS-SQL port the Slammer worm used (port 1434).

    And I am sure there are many, many more.
  • Micro$haft says: [microsoft.com]

    Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.

    Well, we patched what we could, and moved most critical services to Linux, but there's still one or two machines running NT. And it's only a matter of time before some luser slips a copy of this worm past our firewall....

    Considering the amount of infrastructure that depends on NT4, doesn't this intentionally put the US at greater-than-necessary risk? It'd be fun to see M$ tried under the new anti-terrorism laws.....

  • by four12 (129324) on Tuesday August 12, 2003 @11:30AM (#6675737)
    I was experimenting with nessus [nessus.org] several months ago. I unchecked the "safe checks only" option and ran it against a series of internal Windows systems and crashed RPC. I thought "wow, this could be really dangerous if nessus'd a range of public IPs."
  • by dtfinch (661405) * on Tuesday August 12, 2003 @11:41AM (#6675864) Journal
    From the Microsoft security bulletin on the vulnerability:

    "This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine."
  • by UrGeek (577204) on Tuesday August 12, 2003 @12:17PM (#6676310)
    Then "no soup for you!" Microsoft has not and (at this time says) will not provide a fix for this. They claim that "the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future." WHAT HORSESHIT! So all of the Windows NT 4.0 machines of the world are open doors to this (and other) attacks. Oh, they do recommend that you put it behind a firewall and block port 135. And if you happen to be using 135, well, you gotta recode and recompile any and all programs that do. Don't have the source code? Well, how good are you at reverse engineering? And be careful, it may be illegal where you live. AND you gotta trust everyone behind that firewall to not crack your machine!

    Now, the karmic debt in all of this - Microsoft's Windows Update will get attacked by WinNT 4.0 every month. Mmmm. So, everyone else gets fixed and the ones that MICROSOFT want you to upgrade become easily identified as problems on the net.

    Sure, one P.-off muther-F. may have written this worm to get at Microsoft. Or maybe it came from somewhere in Washington state. So, what is next? All "obsolete" versions of Microsoft products get infected with worms that will install a gigabyte of child porno and then email the police? I guarantee with publicity like this, evildoers will be using WinNT as a platform for all kinds of crap from now on. Thanks a lot, Microsoft, the Crackers' Best Friend!

    Here's the Microsoft spin on this from the FAQ in Microsoft Security Bulletin MS03-010 (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-010.asp):

    "If Windows NT 4.0 is listed as an affected product, why is Microsoft not issuing a patch for it?"

    "During the development of Windows 2000, significant enhancements were made to the underlying architecture of RPC. In some areas these changes involved making fundamental changes to the way the RPC server software was built. The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system."

    "Microsoft strongly recommends that customers still using Windows NT 4.0 protect those systems by placing them behind a firewall which is filtering traffic on Port 135. Such a firewall will block attacks attempting to exploit this vulnerability, as discussed in the workarounds section below."

    "Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?"

    "Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."

    The moral is upgrade. Upgrade and get people like Microsoft who abandon you out of your life. Upgrade to Linux.
  • by Jugalator (259273) on Tuesday August 12, 2003 @12:19PM (#6676330) Journal
    A new version of Blaster has started spreading. The new version is called RPCsdbot.A by Trend Micro and appears to be more stable and can also open a backdoor to IRC.

    RPCsdbot.A Information [trendmicro.com]
  • Wow (Score:4, Insightful)

    by autopr0n (534291) on Tuesday August 12, 2003 @12:26PM (#6676392) Homepage Journal
    I wonder when someone will release a virus for an exploit that they just found, one that they didn't tell Microsoft about. If they found one for IIS it would basically kill the entire windows internet (since you couldn't just firewall off the port).

    And of course the same thing could happen with Linux. There have been security holes in Apache and especially in various distros.

    I guess we're lucky that people finding holes so far have been benign. (or at least more interested in having access than causing chaos...)
  • by mortisnoir (645829) on Tuesday August 12, 2003 @01:16PM (#6677056) Homepage
    Since the shutdown tends to occur the moment you access the internet, do the following:

    1. Unplug internet connection
    2. Enable Win XP firewall on all valid connections
    3. Connect internet connection
    4. Download and install the patch from MS
    5. Update anti-virus or download and run the removal tool

    Good Luck!
  • by jgaynor (205453) <jon AT gaynor DOT org> on Tuesday August 12, 2003 @01:25PM (#6677165) Homepage
    Just got this from the Abilene (Internet 2) Operations Center. Apparently this is significantly affecting at least the .edu side of the network:

    Abilene Connectors and Participants,

    As you're all probably painfully aware by now, a worm exploit of the Microsoft
    DCOM RPC vulnerability, W32/Blaster, was unleashed on Monday August 11. Details
    regarding the vulnerability and exploit can be found at the references provided
    below.

    Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the
    network. We're performing an analysis of Abilene netflow data, and early this
    afternoon will provide a private communication to sites that are sourcing a
    large amount of worm traffic.

    Recommendations for network border filtering are included in the CERT W32/Blaster
    advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be
    defined as input and output - to protect yourselves and to protect from
    infecting others.

    Abilene Connectors, please pass this communication on to your Participants.

    References:

    Microsoft DCOM RPC:
    http://www.cert.org/advisories/CA-2003-16.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

    W32/Blaster:
    http://www.cert.org/advisories/CA-2003-20.html

    Regards,

    XXXX XXXXXXX
    Director, REN-ISAC
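
    Two pieces of advice in this thread, g8oz's list of ports to filter and the REN-ISAC note about analysing netflow data to find sites sourcing a lot of worm traffic, fit together as one small detector. The C program below is an added example, not code from this thread or from REN-ISAC: it reads constructed records of the form "src dst proto dport" (a stand-in for netflow; Abilene's real export format is not reproduced), counts how many distinct hosts each source has touched on the listed ports, and flags sources whose fan-out passes a threshold. The threshold (5), the function and variable names, the table sizes and the sample addresses are all assumptions made up for the example.

```c
/* Added example for this thread, not code posted by anyone above: flags
 * sources that fan out to many hosts on the ports g8oz listed, the kind of
 * netflow analysis the REN-ISAC note describes. The "src dst proto dport"
 * record format and the sample flows are constructed, not real Abilene data. */
#include <stdio.h>
#include <string.h>

#define MAX_SRC  64    /* distinct sources tracked (assumed size) */
#define MAX_DST  256   /* distinct targets remembered per source (assumed size) */
#define ADDR_LEN 16    /* dotted-quad IPv4 plus NUL */
#define FANOUT_THRESHOLD 5  /* targets on a worm port before a source is flagged (assumed) */

typedef struct { char src[ADDR_LEN]; char dsts[MAX_DST][ADDR_LEN]; int ndst; } src_stat;
static src_stat stats[MAX_SRC];
static int nstats;

/* Ports from the filtering list above: NetBIOS/RPC 135-139 (tcp and udp),
 * SMB 445/tcp, RPC over HTTP 593/tcp, and the MS-SQL port Slammer used, 1434/udp. */
int worm_port(const char *proto, int dport)
{
    int tcp = strcmp(proto, "tcp") == 0, udp = strcmp(proto, "udp") == 0;
    if ((tcp || udp) && dport >= 135 && dport <= 139) return 1;
    if (tcp && (dport == 445 || dport == 593)) return 1;
    return udp && dport == 1434;
}

/* Look a source up in the table, optionally adding it; NULL if absent or the table is full. */
static src_stat *find_src(const char *src, int add)
{
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].src, src) == 0) return &stats[i];
    if (!add || nstats == MAX_SRC) return NULL;   /* full: drop the flow, never overflow */
    src_stat *s = &stats[nstats++];
    snprintf(s->src, ADDR_LEN, "%s", src);
    s->ndst = 0;
    return s;
}

/* Parse one "src dst proto dport" record. Returns 1 if the flow was counted,
 * 0 if it was malformed or not aimed at a worm port. A repeated target does
 * not raise the source's fan-out, only a new one does. */
int ingest_flow(const char *line)
{
    char src[ADDR_LEN], dst[ADDR_LEN], proto[8];
    int dport;
    if (sscanf(line, "%15s %15s %7s %d", src, dst, proto, &dport) != 4) return 0;
    if (!worm_port(proto, dport)) return 0;
    src_stat *s = find_src(src, 1);
    if (!s) return 0;
    for (int i = 0; i < s->ndst; i++)
        if (strcmp(s->dsts[i], dst) == 0) return 1;
    if (s->ndst < MAX_DST) snprintf(s->dsts[s->ndst++], ADDR_LEN, "%s", dst);
    return 1;
}

/* Distinct worm-port targets seen from src (0 if never seen). */
int fanout(const char *src)
{
    src_stat *s = find_src(src, 0);
    return s ? s->ndst : 0;
}

int is_flagged(const char *src) { return fanout(src) > FANOUT_THRESHOLD; }

/* Number of flagged sources; up to max of their addresses are written to out[]. */
int flagged_sources(const char **out, int max)
{
    int n = 0;
    for (int i = 0; i < nstats; i++)
        if (stats[i].ndst > FANOUT_THRESHOLD) { if (n < max) out[n] = stats[i].src; n++; }
    return n;
}

/* Constructed sample records, not real Abilene data. */
const char *SAMPLE_FLOWS[] = {
    "10.1.2.3 192.0.2.10 tcp 135", "10.1.2.3 192.0.2.11 tcp 135",
    "10.1.2.3 192.0.2.12 tcp 135", "10.1.2.3 192.0.2.13 tcp 135",
    "10.1.2.3 192.0.2.14 tcp 135", "10.1.2.3 192.0.2.15 tcp 135",
    "10.1.2.3 192.0.2.15 tcp 135",   /* repeat target, not a new one */
    "10.1.9.9 192.0.2.20 tcp 445", "10.1.9.9 192.0.2.21 tcp 445",
    "10.1.9.9 192.0.2.22 tcp 80",    /* not a worm port, ignored */
    "10.1.7.7 192.0.2.30 udp 1434",  /* Slammer port, single target */
    "garbage line",                  /* malformed, ignored */
};
const int N_SAMPLE_FLOWS = sizeof SAMPLE_FLOWS / sizeof SAMPLE_FLOWS[0];

/* Start from an empty table, ingest the sample set, return the flows counted. */
int load_sample(void)
{
    int counted = 0;
    nstats = 0;
    for (int i = 0; i < N_SAMPLE_FLOWS; i++) counted += ingest_flow(SAMPLE_FLOWS[i]);
    return counted;
}

int main(void)
{
    const char *hot[MAX_SRC];
    int counted = load_sample(), n = flagged_sources(hot, MAX_SRC);
    printf("%d worm-port flows counted, %d source(s) over threshold\n", counted, n);
    for (int i = 0; i < n; i++) printf("  %s -> %d distinct targets\n", hot[i], fanout(hot[i]));
    return 0;
}
```

    Fan-out per source is the signal here because a worm tries many hosts on one port while a legitimate client talks to a few; on the sample set only 10.1.2.3 crosses the threshold, 10.1.9.9's two SMB targets and 10.1.7.7's single Slammer-port packet do not. The same counting applies in both directions, which is why the CERT advice to filter on input and output matters: a site wants to know which of its own hosts are scanning out as much as which outside hosts are scanning in.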

  • by dark-br (473115) on Tuesday August 12, 2003 @01:33PM (#6677245) Homepage
    for analysis here [trustmatta.com]

    Also some cool screenshots of the beast in action here [baxter2.com], and here [baxter2.com]

  • by Embedded Geek (532893) on Tuesday August 12, 2003 @08:00PM (#6681130) Homepage
    Jonathan Shapiro of the Johns Hopkins University Information Security Institute recently posted [jhu.edu] a commentary on the fact that Windows 2000 (with service pack 3) has been assigned a Common Criteria certification Evaluation Assurance Level (EAL) level of 4. In response to the question "What does this mean?", he replies:

    Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.

    (Originally taken from rec.humor.funny [netfunny.com]).
