Win32 Blaster Worm is on the Rise
EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.
Honest question (Score:5, Insightful)
Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.
Re:Fscking Windows. (Score:3, Insightful)
Risky business (Score:2, Insightful)
"Back up all your hard drives, we are not responsible if this program breaks your entire computer. Do you Accept?"
Well, in the middle of a virus scare, nobody has time to back up every machine in the office. So that really doesn't make me feel comfortable. So far, so good though. No broken computers as of yet.
But another scary thought that crossed my mind while installing the patch... What if those smooth criminals had gotten into the Microsoft servers and put a virus into that patch installer? That would be a killer!
If you need to use Windows, you might as well use win98.
Re:shutdown /a (Score:1, Insightful)
Uh... why didn't he just unplug the net cable and install the patches?
I mean, that's how you're supposed to set up any operating system. No net connection until you've got all the necessary patches installed and firewalls set up. Don't give them even the smallest window of opportunity.
Re:shutdown /a (Score:3, Insightful)
on national television just a few minutes ago (Score:3, Insightful)
It was said that if you valued security, Microsoft wasn't the best solution. You'd be better off with Apple or Linux.
This could very well be a (another) turning point for Linux. Of course, by the time something like this happens to Linux, everybody is going to run the other way again, but it could give OS some inroads.
Precisely (Score:5, Insightful)
All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.
If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...
Re:shutdown /a (Score:5, Insightful)
Rule 2: See rule 1. Then do it.
FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????
There are several reasons... (Score:5, Insightful)
Windows is easier to pick up, but just as hard, possibly harder, to maintain than *nix. So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day-to-day.
Combine that with the sheer number of severe and critical patches MS expects you to apply, each of which must go through regression testing before deployment, and you can see why sticking the ol' head in the sand looks appealing...
J.
Also....... (Score:3, Insightful)
Nice twist of fate
Jaj
Re:In addition... (Score:3, Insightful)
I think that it would be sensible to have it enabled by default, but obviously Microsoft think otherwise. And yer-average punter won't even know what it is, let alone enable it. Shame, 'cos it works OK.
The Danger of Bug Complacency (Score:2, Insightful)
I've been trying to get relatives to fix the Windows DCOM security hole. At least two so far have said "oh! I didn't realize that was a security problem!" They thought the RPC service failing and causing a machine reboot was your everyday "bug", and since it just rebooted the machine (and even gave you 60 seconds to finish up what you were doing!), that it wasn't a big deal.
I think the 60 second thing is seen as a feature - along the lines of "see! Windows knows when it's going to crash and lets you save your work first. Like the computer on Star Trek telling you how many seconds until there is a hull breach."
All of them heard the news about a security problem. None of them connected it with the problems they were having.
Finally, to make matters worse, Microsoft's page talks about patching the system, but says nothing about removing the worm. This is problematic since, as noted above, it can sometimes be pretty hard to download the patch if your computer wants to reboot in the middle of the download.
Stop Blaming Users, Blame Microsoft (Score:5, Insightful)
Re:Coincidence (Score:1, Insightful)
Re:Honest question (Score:5, Insightful)
Most people:
What's a port?
Do I have any?
How can I check?
Re:There are several reasons... (Score:5, Insightful)
How many of those Linux holes were in the core operating system (i.e., kernel + GNU tools)? I'm willing to bet zero.
Does Windows still have 2 holes once you factor in Exchange, Outlook Express, IIS, IE, Office, SQL Server etc.?
Re:Honest question [Corporate Answer] (Score:4, Insightful)
We don't have a couple dozen Windows boxes. We have a couple hundred thousand. Patching is *painful*. We're not talking purely servers that are affected--standard workstations. Servers get patches at a much faster rate than the user desktops.
Even after the 4-6 months goes by and the patches get the official blessing for end-user install, users don't like watching the service packs run for half an hour when they login. Besides, who trusts the users to sit around and let them install without playing with stuff.
So....We filter internal site connections to try and contain infections, and work as quickly as possible to mitigate the risks of downtime for system updates vs. the risk of collateral damage (outages) caused by Microsoft's weak code and security practices (AKA bug).
After two years, we're almost done with the Windows 2000 conversion, but Microsoft has already been pushing for immediate XP deployment for a year...
Why aren't they all patched? Because nothing moves fast in large installation bases.
Re:There are several reasons... (Score:3, Insightful)
Anyway: Linux had nine? Bollocks. I'm sure various packages associated with Open Source had vulnerabilities, but the kernel? No. Prove me wrong.
J.
Re:Echoes (Score:1, Insightful)
Re:Shoot The messenger... (Score:2, Insightful)
Re:shutdown /a (Score:3, Insightful)
Ever thought that it's good practise to burn Service Packs and any critical patches on a CD-RW as they come by, using an already secured computer? Then you don't have to expose your new setup. I know it's folly to trust the default Windows installation, and don't fool yourself into thinking that a common distribution like RedHat 8/9 is secure out of the box.
Do not connect to the net until you've secured the box. Standard practise and pure common sense when you think about it.
NO (Score:3, Insightful)
I get enough junk mail as it is. I don't want to be reminded of people who are too stupid to patch their computer. Besides, it wouldn't work. Even though "the most clueless of windows users can click on a link and then click the 'Yes' button", remember that they DON'T. Windows Update comes by default set up to check for updates periodically...then the screen pops up and asks you if you want to update. Unfortunately, the screen also gives you the option to turn off Windows Update, and that's what the clueless people choose, because they don't want to be "annoyed" by it.
Instead of bothering me with e-mails, Microsoft should remove the option to disable Windows Update from the "first use" screen. If you can't figure out how to go to system properties and disable/reschedule your Windows Update, you're not supposed to have it disabled. I think that would maintain quite a few computers with up-to-date patches.
Re:Echoes (Score:3, Insightful)
People don't patch because, quite simply (not that it is true by any means), Windows is supposed to be perfect already, needing no further work. "Where do you want to go today" (besides offline)?
Also, I would hazard to guess that most broadband providers don't know the email addresses of their customers (would YOU give up your addy to Comcrap? Not ME, bub!). Broadband providers care not a bit about communicating with customers, unless it is to request payment for services rendered.
"You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail. "
Microsoft runs Hotmail. I have a Hotmail account, but I use an iMac, therefore it doesn't apply to me, so I would not want to get that message.
Besides... It would be just another message in my/your 'other Hotmail folder,' meaning it would be ignored as just another spam mail.
I agree with an earlier post, though. Everyone who says "Linux isn't ready for your grandma" should be forced to do community service cleaning this crap up. AND maybe doing weekly patches on all the Wintel machines in his/her neighborhood. AND maybe making sure certain ports are closed on those same PCs.
I could go on (but I won't).
Re:Honest question (Score:4, Insightful)
A lot of people shut that off after a patch awhile back that smoked JavaScript. (And guess what? It requires JavaScript to perform Automatic Updates, so they couldn't download the patch that fixed the patch.) I mean, when the first "visible" thing the Update does brings your system to its knees, and requires you to pay a tech to fix it, Joe Average User is going to be a little confused about exactly how it's supposed to *protect* you from a virus that brings your system to its knees, and requires you to pay a tech to fix it...
Re:Honest question (Score:2, Insightful)
Don't be ridiculous. For one thing it doesn't take that long to run Windows Update once a week, and for another you could just use auto update if you're that lazy. Have it run at 3am and download+update any new critical patches. Hopefully on newer versions of Windows they will make that the default so Mom and Pop don't have to even worry about it.
When your computer connects to the Internet it'll automatically download patches and apply them. In fact, you shouldn't have a choice whether it does it or not. Maybe make it a complicated registry hack to shut it off. Too many people are lazy or inept and don't apply patches which results in worms like this spreading.
Re:Precisely (Score:4, Insightful)
J.
Admins are not lazy (Score:2, Insightful)
Re:Just seen an ATM affected... (Score:5, Insightful)
Then try, really, really hard to stop laughing...
I don't know why I have to point this out, but that's NOT funny--it's freaking SCARY.
This is not FUD (Score:5, Insightful)
Suffice it to say that if a company is trying to sell you something based upon the FUD factor, treat the information as suspect. I agree, vendors whose software doesn't sell on its own laurels hype the hell out of the FUD factor and give the industry a bad reputation. But don't lump these vendors in with the security consultants that are trying to provide a free service and free advice based upon information that is going around in the security community.
When you get security information, consider the source. Is the security information provided with a sales pitch attached? If so, google the information to determine if it is FUD or legitimate. If it's legit, it'll pay to listen.
Regardless, people, patch your *#&($*@& machines!
Laptops (Score:5, Insightful)
Re:shutdown /a (Score:1, Insightful)
Re:Linux people: Rejoice! (Score:5, Insightful)
Sigh. The Windows exploit is essentially a buffer overrun. Microsoft knew about this and released a patch *before* this worm was even written. So it comes down to two things:
1. It's a common problem caused by people writing OS-level services in languages that are prone to these types of problems. Windows and Linux are in the same boat here. Many such exploits have been found in both OSes, and more will be found in the future.
2. It doesn't matter how fast a patch is released if people don't download and install the patches. Again, both Windows and Linux are identical in this respect.
If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG.
Re:Honest question (Score:5, Insightful)
Specifically, we were trying to figure out if a client's BOFH was a BOFH, a PFY or a PHB. We think he's a PHB since there's a lot of money (cash and obligations) sunk into a project that needs a port opened in their firewall and he won't/can't/hasn't opened it up yet.
This may still be better than the other (former) client who put two people in our office using VPN to connect to their home network... and then changed their proxy configuration without telling anyone (like their helpdesk). It took me a week of phone tag to get one of their network analysts to finally say "OK, try this". Then they sent her an XP laptop with that setting locked into the old-and-wrong setting. I think she had to ship it back since they wouldn't cut loose with the admin password. Neither would I, but the box would have worked before I sent it out. We aren't suing them for specifically "rampant idiocy", but that MUST be a factor. We're suing them, a spokesfigure was perp-walked recently and business is way down. I wonder how long they'll manage to stay out of Chapter 11.
Stupid people suffer.
Re:There are several reasons... (Score:4, Insightful)
Re:Precisely (Score:3, Insightful)
Because MS patches are often just as poorly written as their base software is? Patches take time to roll out on production servers because they have been known to break things.
Re:Sad really (Score:3, Insightful)
In a rational world, Windows should have been tossed out of the business door two years ago as a piece of junk product.
I'll just keep reading all this panic and scrambling from the quiet comfort of my OS X machine.
Re:shutdown /a (Score:2, Insightful)
I admit the default security of a fresh Windows installation is (or, after Windows 2003 Server: has been) abysmal. That's why every self-respecting administrator either has the new setups behind a proper firewall or he/she has stacks of CDs with all the relevant Service Packs and critical patches on them.
I don't see how something like a default Redhat 7.2 or 8.0 installation would be different. Every conceivable exploit is known not only to the real pros but to script kiddies (or actually their root kits) too.
Re:shutdown /a (Score:3, Insightful)
Re:Automatic updates (Score:3, Insightful)
Everyone who gets bit by this deserves it.
Re:Nice touch. (Score:3, Insightful)
In the form you described, yes.
It is a significantly more gray area if you were to listen for attempts on your machine and, after receiving an active probe (not just a SYN packet, because single SYNs are very fakeable), hit the attacking machine with something that used this vulnerability to wipe out the virus.
If you want to stretch things, it might even be acceptable to then download and install the Microsoft security patch (although that's pushing things a bit). Maybe. Much more acceptable would be to replace the worm with something that looked sufficiently like the worm to prevent re-infection, but did nothing.
However, creating and releasing a "beneficial virus" is just flat out illegal and dangerous. Have you ever written code that worked exactly as it was supposed to, on systems you've never seen? Have you ever gotten a piece of code bug-free before the first large test? Have you ever created a binary that someone could look at and easily verify behaved exactly as advertised?
The idea is that so long as you are disarming a machine that has directly attacked one of your machines, you are on defensible moral (IANAL, so I won't talk about legal) ground. However, forcing an update on a third party, or even doing more than the minimum necessary to disarm the machine attacking you, places you in the same category as the original virus writer - you cannot know all the effects of your actions, therefore doing more than the absolute minimum necessary is irresponsible.
Re:Honest question (Score:5, Insightful)
Yes yes, services use it, as Steve Gibson's saying, "impossible to close without firewall".
Don't blame people for not using a firewall, they are mostly newbies, e.g. XP home users. Ask the real question: Why do you open a port to the outside world by default in the OS install?
Everyone knew port 135 would be exploited in a real bad way before, it was just a matter of time.
If the OS is a client only, do not turn on RPC listening on port 135... Is it THAT hard?
Re:Honest question (Score:3, Insightful)
Because it's not always that easy. Have you ever tried convincing very busy people to apply a patch when Windows Update has completely screwed their machine twice before? They'd rather risk spending an hour cleaning up after than risk another full day reinstalling and reconfiguring their machines. Having seen what happened the last time, I can understand their point of view (even if I don't agree myself).
Re:Just seen an ATM affected... (Score:2, Insightful)
If it was just out on the net and got hit by that I would be pulling all my money from that bank rather quickly.
Re:Echoes (Score:2, Insightful)
Now how is the ISP going to keep track of what their customers run? How are we supposed to get in touch with them? Looking at our mail logs (I admin a small, 13K or so ISP), half of our customers don't even check the e-mail we provide them; their boxes just sit and collect spam until they hit quota. So it would be for naught. Even when we do send out e-mails, most people ignore them anyway. Or call tech support to ask what they have to do.
Enough babbling out of me. I guess I need a lot more sleep; the 2 hours last night is nowhere near enough.
Re:Will it halt the Internet? (Score:3, Insightful)
It seems that the only machines inside that have this are portables, which probably picked it up from the outside, and some departments who run their own servers for testing and development (and often have under-the-radar links to the outside so the dept. admins can play with them). InfoSec is pulling the plug on anything that shows symptoms, which means that servers keep disappearing and reappearing. The PC-support work queue in Rhode Island usually has 3-10 items in it, and I'm counting 40 right now.
I'm also getting calls from remote sites connected through frame-relays that are saying they can't access anything reliably if it's off their LAN.
I'm quite thankful for our InfoSec folks, and the fact that we use Novell for most servers, I'll be sad to see it go to XP/2003 in the fall...
Re:I suppose it's too much (Score:3, Insightful)
I think you mean lazy and incompetent admins, plus thousands upon thousands of home users who have no idea what a patch is, or what a firewall is, or what ports are in this context. It appears that you'd want nearly all home users of Windows XP to be "stoned, burned, crucified, sterilized and beheaded". That seems a bit extreme to me.
The reason I am gloating (I can't speak for other slashdotters) is that I'm sick of reading that Linux is not ready for the desktop because it's too difficult to use. I'm looking forward to the many many accounts of normal Windows users who are able to successfully patch their systems in the sixty seconds they have before it shuts itself down again.
If ATMs, then what else? (Score:2, Insightful)
And will these problems again be explained as "user error"? (think Florida '00)
Re:Calling it what it is: A "Windows" virus (Score:3, Insightful)
I think you may be right. If the worm spread itself solely due to a flaw in Microsoft Outlook (I know, perish the thought!), then would the mainstream press have labeled it as an "e-mail virus" or a "Microsoft Outlook virus"? My guess is that it would be the former with the real culprit mentioned as an afterthought.
Re:There are several reasons... (Score:3, Insightful)
Use Windows NT 4.0? (Score:4, Insightful)
Now, the karmic debt in all of this - Microsoft's Windows Update will get attacked by WinNT 4.0 every month. Mmmm. So, everyone else gets fixed and the ones that MICROSOFT want you to upgrade become easily identified as problems on the net.
Sure, one P.-off muther-F. may have written this worm to get at Microsoft. Or maybe it came from somewhere in Washington state. So, what is next? All "obsolete" versions of Microsoft products get infected with worms that will install a gigabyte of child porn and then email the police? I guarantee with publicity like this, evildoers will be using WinNT as a platform for all kinds of crap from now on. Thanks a lot, Microsoft, the Crackers' Best Friend!
Here's the Microsoft spin on this from the FAQ in Microsoft Security Bulletin MS03-010 (http://www.microsoft.com/technet/treeview/defaul
"If Windows NT 4.0 is listed as an affected product, why is Microsoft not issuing a patch for it?"
"During the development of Windows 2000, significant enhancements were made to the underlying architecture of RPC. In some areas these changes involved making fundamental changes to the way the RPC server software was built. The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture. Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system."
"Microsoft strongly recommends that customers still using Windows NT 4.0 protect those systems by placing them behind a firewall which is filtering traffic on Port 135. Such a firewall will block attacks attempting to exploit this vulnerability, as discussed in the workarounds section below."
"Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?"
"Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."
The moral is upgrade. Upgrade and get people like Microsoft who abandon you out of your life. Upgrade to Linux.
Wow (Score:4, Insightful)
And of course the same thing could happen with Linux. There have been security holes in Apache and especially in various distros.
I guess we're lucky that the people finding holes so far have been benign. (Or at least more interested in having access than in causing chaos...)
Re:Precisely (Score:3, Insightful)
Call me incompetent if you want. It's incompetent not to install "critical" updates from the company who made your freaking operating system. My network went 100% untouched. You're the one whining.
Re:Just seen an ATM affected... (Score:2, Insightful)
Re:you think MS is going to go down easy? (Score:2, Insightful)
If Linux has as many security problems as Windows I really doubt you can name too many of them since you're not even aware of general facts.
Reformatting, reinstalling, and patching in the long run will save time versus trying to find needles in the haystack of which files were modified, deleted, or otherwise compromised if you were hit by this RPC exploit. Weeks later you'd be hunting around for incorrect files or would have IRC bots screwing you up. Penny wise, pound foolish.
Re:Sad really (Score:5, Insightful)
Apple's versioning is as follows:
So, 10.1 was full price. 10.1.1 was free. 10.2 was full price. 10.2.6 was free. 10.3 is full price. 10.3.x will be free. 10.4 will be full price, etc.
Apple does not sell upgrade CDs. You buy a full install. This means you don't need to have any previous version of OS X on the machine. So compare the right things. Let's put this in terms the Microsoft Marketing Influenced(TM) can understand.
I paid $129 for the full version of OS X. You paid $299 for the full version of Windows 2000 Professional.
I paid $129 for the full version of Jaguar. You paid $399 for the full version of Windows XP Professional.
I will pay $129 for the full version of Panther. You will pay >$399 for the full version of Longhorn Professional.
Now who should we laugh at?
For all the ranting slashdotters do on how stupid the non-tech/geek person is, I find it hilarious that such a logical, programmer-centric versioning system totally confuses said slashdotter.
I guess MS was pretty smart to call WinNT 5 Windows 2000, and WinNT 5.1 Windows XP, or you'd all be screaming about that $399 "upgrade" as well.
Re:Just seen an ATM affected... (Score:4, Insightful)
Some things are completely understandable. But this just makes me want to sit down with the IT guy who dreamt this up and ask him what the hell he was thinking.
Re:Just seen an ATM affected... (Score:4, Insightful)
You're wrong--it's not scary that the ATM is running Windows. It's not even scary that the ATM is in a reboot loop. What's scary is the ATM is connected to a public network (or connected to machines connected to the public network) such that it was able to contract this virus.
Inconvenience has NOTHING to do with it.
No, But You May Get Locked Out Anyway (Score:2, Insightful)
Re:Precisely (Score:3, Insightful)
Heh. Not only can MS updates break things, there are other factors that come into play here. We have an HTTP uploading control that we use in conjunction with a web application. It relied upon IIS's willingness to accept malformed HTTP headers (there was an extra null character appended to the end). It was a bug that went uncaught, because IIS accepted those headers.
MS released a patch about a month ago that tightened the security of IIS. I've got no problem with that. Instead of accepting malformed headers, it denied all of them. This broke the control that we were using, causing downtime for our production application.
It probably cost us a bit of money. It was not directly caused by an MS patch; I'm more inclined to blame the company that produced the control. The fact of the matter, however, was that an MS patch was applied without being tested in a production environment. Something broke. It's best to do some QA on your systems before updating, even if MS isn't the one at fault. It's just good practice, and can save your butt in the long run.
Re:Remote Procedure Call (Score:3, Insightful)
Actually, it's possible to close all ports in Windows, but it's harder than it should be. Just close all those services that nobody needs and run dcomcnfg.exe and remove all remote DCOM/COM+/whatever support. If you know that you need those, you obviously shouldn't do this. But if you know that you need those protocols, you probably work for Microsoft anyway. Dinkumware's fport helps you to find out which programs keep all those ports open.
Yes, the default settings from Redmond are brain-dead at best - what else is new?
I don't run a firewall on my Windows workstation, but on the other hand it doesn't have any ports open, other than those opened by Mozilla to browse the web and those opened by Miranda. Having a firewall doesn't help with those ports. Obviously, running a firewall could help catch software that's trying to call home, but I don't run every random piece of software I can get my hands on. If somebody can still crash a Windows box that doesn't have a single port open, you're fucked anyway.