Windows Virus Takes Out Gov't Agencies in MD, PA
Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.
Want to see the code? (Score:5, Informative)
have a look:
http://www.dslreports.com/forum/remark,7649146~
Their fault. (Score:3, Informative)
Philadelphia computer system. (Score:3, Informative)
As pissed as I am at the asshole who wrote the worm (it took nearly half an hour to schedule something that normally takes 2 minutes-- thank "Bob" that I was in Municipal Court, which is only starting to modernize from an old IBM mainframe setup, rather than in Common Pleas or Federal District Court, which are totally computerized-- and in the case of Common Pleas at least, running on Windows), this is, of course, another example of why governments, in the name of security, should go to more open-source solutions.
When are people going to wake up? (Score:5, Informative)
It took out more than MD and PA agencies (Score:1, Informative)
My section was not affected, because I took it upon myself to patch the computers I was responsible for. Hundreds of people in my building were unable to use their computers for half the day. My section had problems because the servers we rely on were infected.
I hope (in vain) that 'little' problems like this will teach system administrators to keep their machines up to date.
Re:3M Plant Shut Down (Score:5, Informative)
I suggest you take some factory tours, the majority of modern factories/plants use Windows for their control software. Unless the end product is something very critical or very expensive, plant designers and control software writers tend to stick with well documented commodity hardware (Win32).
Re:Thanks, Microsoft! (Score:5, Informative)
Re:Philadelphia computer system. (Score:3, Informative)
Philadelphia (Score:4, Informative)
I think the guy is right to be afraid for his job-- he's pretty damned incompetent to have not heard about this. This vulnerability was quite publicly announced weeks ago, and Microsoft's page with the patch is dated July 16. Even Homeland Security released a bulletin, [nipc.gov] and I'd hope that if nothing else those would get around in a city government that is supposed to maintain a level of disaster-preparedness.
Then again, this being Philadelphia, that guy likely got his job through patronage and wasn't qualified for it in the first place.
~Philly
Re:A good argument for... (Score:4, Informative)
Re:Want to see the code? (Score:3, Informative)
Here is the forum that matters:
http://www.dslreports.com/forum/remark,7652257~
Re:Yes (Score:5, Informative)
MY BAD: THE CODE IS HERE: (Score:4, Informative)
If you wanna look at the code it's HERE:
http://www.dslreports.com/forum/remark,7652257~
The grain of salt is that they are reverse engineering. But it still is there and interesting.
Again my apologies.
Re:Yes (Score:5, Informative)
"I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"
Doesn't mean there is an agenda but there could be.
Re:A good argument for... (Score:2, Informative)
Our system (Score:5, Informative)
My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.
It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that it crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (IE, the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)". Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would pop up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (there were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.
So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?
Re:When are people going to wake up? (Score:3, Informative)
The fact is that not only is OS X relatively insignificant on the market, but so is the CPU architecture that it runs on. AFAIK, there still hasn't been a virus or worm written for OS X.
And Apple has been good about making security patches available through Software Update. Good patches, that don't happen to unpatch previous security patches, like Microsoft's non-Service Pack patches have a tendency to do. (Something which was a problem when the Slammer worm hit.)
Guess I'm lucky.... (Score:3, Informative)
I have about 25 XP/98 machines to look after, but only 2 of them laptops (3 if I count my own). First thing I did when I was hired was grab both of the laptops and patch the hell out of them. Next was the 2K server, and lastly today I spent the whole day running around updating everything I could on the rest of the desktops. No programs got hosed in the update process either, which was a relief. We're behind a small NAT engine too, so I feel rather confident that we'll weather the storm.
My point is that businesses such as my current customer have no clue that an operating system (indeed, almost any program as well) needs to be taken care of. This is the issue that will keep biting Microsoft in the ass - until they make it plain as day that "You need to do regular maintenance to our products" people will run with security holes. If they can't see that it's broken, why would they fix it?
Another point - I'm looking into SUS so I don't have to worry nearly as much (or spend so much time waiting for WindowsUpdate) but I'll need another server to use it. The lone server my customer has is almost overloaded at the moment, running SBS with 256M of RAM. SUS requires 2k Server or above to run - why, I don't know. Just like Microsoft to turn a problem they've created into a marketing opportunity. No wonder they're having trouble stemming the Linux tide.
Soko
Actually, our hospital was hit pretty bad today (Score:5, Informative)
It was pretty freaky. My coworker was patching systems in the Emergency Department as patients started getting some long wait times. Downtime measures tend to be slow in comparison to what people are used to.
The patch isn't that great to begin with (Score:2, Informative)
Re:3M Plant Shut Down (Score:1, Informative)
I suggest that you know more about what you are talking about.
We still use good old fashioned PLC's for most of our control systems. The fault and downtime reporting goes to a computer in the sky, but it always has. We do have one system that is a mix of PLC and Windows, and ended up with a virus last night (second time in three months). The contractors say that we can't run virus scanners since they can't predict the results...
However I can pretty much predict what will happen once their stuff gets infected (the first time it caused it to crash and nearly destroyed two cars).
I can't speak about other plants, but by and large PLC's still rule.
For those of you that are new to this, check out http://www.plcs.net/ for a primer on the subject.
And as for "well documented commodity hardware", that would be a PLC. Natch
And as for tours, we run a tour bus through the place nearly every day. So stop by and give us a visit (if you are a hardware geek, we've got some realllyyy big iron)
And who am I? Just your average Saturn Controls Engineer goofing off at work
Philadelphia federal courts, too (Score:1, Informative)
Re:Want to see the code? (Score:5, Informative)
link to the article [dslreports.com]
Re:Yes (Score:2, Informative)
Re:Our system (Score:4, Informative)
Hopefully, the other worm you are seeing isn't a mutation.
You are an ignorant idiot. (Score:2, Informative)
Yeah, we know. (Score:3, Informative)
Who installed the logic module in your brain?
Re:Thanks, Microsoft! (Score:2, Informative)
Re:Yes (Score:4, Informative)
Text in the Virus (Score:3, Informative)
The worm contains the following text, which is never displayed:
So it seems the creator did have a point to prove.
Re:Apache is a brick (Score:3, Informative)
Secondly, most of those systems have versions which can use LDAP and/or a database as authentication sources, freeing it from the OS.
Thirdly, you've just annoyed people who have access to these different systems as they now have to change their password in 3 (or more?) different places.
Not all of us (Score:2, Informative)
I work for one of the largest health care systems in the US, and we didn't even hardly get touched by this new virus. We did have I think one office (NOT in a hospital, one of the 'corporate' ones) get hit by this, but it only affected a handful of users.
Then again, we are tortured by VMS and some Sun Mail programs...
Re:Speaking of Money (Score:3, Informative)
Windows: Unsafe at any speed.
Re:Windows Update and regular users (Score:5, Informative)
I just got back from visiting "the relatives" all of last week. Heartland area of the US. Farm-type folks that grow food many of you eat. Anyway, the parent poster's statement is correct. These people have a few PC's as a matter of modern necessity. One of these (win98) runs a payroll app, is connected via dialup to the internet, is connected via ethernet to two other "critical" systems running WFW3.11, and was running a *completely* unpatched version of IE4.0 / Outlook Express. Oddly, they didn't have near the problems one might expect for all this (impressively, ad-aware came up clean aside from cookies) but when I mentioned "Windows Update", which sits right there on the Start Menu plain as day, to my relative who runs the '98 box, all I got was "what's that?".
My early-teen cousin was running his family's 98 box similarly. Unpatched. Ad-aware found all manner of crap that might just have, with luck, woken him up. Still, I had to explain all this nonsense, including *what* windows update was, *how* to run it (click here, click here, look the list over, click this, wait. reboot. repeat until the list is empty), how spy-ware/ad-ware differs from virii/worms, etc.
These aren't stupid people. Ignorant of the complexity of things that we all here take for granted. (In fact, I'd wager we give "joe sixpack" too much credit, not that I'm calling dumb on the world or anything.) It is just that their priorities are differently aligned than the hobbyist/admin types here (or that of people who try to design software with these people in mind, even). It was an eye-opening experience.
Now, to the credit of my linux geek membership, I might be able to upgrade the WFW systems to hardware made inside this decade and run the critical software in dosemu or the like, put the dialup on a firewall, and other things before they get convinced to shell out $20,000 on software and hardware upgrades this time next year.
Re:Speaking of Money (Score:3, Informative)
BBC [bbc.co.uk] California-based IT consultancy Computer Economics estimated worldwide damage to be $2.6bn by the end of Thursday. It said that figure could soar to $10bn by next week.
USAToday [usatoday.com]
Lloyds of London put the estimate for Love Bug at $15 billion.
Melissa 1 Billion
USAToday [usatoday.com]
the economic damage from the Melissa virus in 1999 to be about $1 billion.
CodeRed 2.6 Billion
BizJournals.com [bizjournals.com]
"Code Red, which started in mid-July, so far has cost the U.S. economy $2.6 billion."
Klez 9 Billion
The Register [theregister.co.uk]
"The Klez virus last year cost businesses $9 billion worldwide in lost productivity,"
SirCAM 1 Billion
BSTPierre.org [bstpierre.org]
"SirCam", which also propagates through email, cost $1 billion.
TOTAL for these alone: at least 16.2 - 28.6 billion
MSBlaster Worm Symptoms and Remediation (Score:3, Informative)
MSBlast Symptoms:
Windows XP: Computer displays a message that the computer will shut down in 60 seconds.
Go to a command prompt and type "shutdown
This indicates that your computer is infected with the MSBlast worm.
Windows 2000: Computer displays an error message about "svchost.exe" fatal errors. Odd behavior follows, such as not being able to drag-and-drop certain items, Internet Explorer context menus (right click menus) don't work properly, and other bizarre behavior.
This _does_not_ necessarily mean that a computer has the worm, but the svchost.exe could be crashing as a result of the worm trying to get in. However, you should still run the removal tool to make sure.
Some people have associated this with the install of Service Pack 4, but it appears to be coincidental and not related to the SP4 install. However, SP4 does seem to have its own user-reported set of issues unrelated to this worm, as discussed here:
http://www.w2knews.com/anecdotes.htm
Windows ME/98/95: Unaffected by this worm.
Windows Update: Windows Update is running incredibly slowly.
You may or may not be able to get in to update your system. This is due to the fact that millions of people are all hitting the service at once trying to get the patch to stop this worm. If you keep trying, you will eventually get in, but it may take a number of tries and 5 minutes or so per try. Additionally, you may get an HTTP 1.1 Server Too Busy error message even after you are in. Just keep clicking on the "Review and Install Updates" link on the left side pane and it will eventually let you in. When it does make a connection, the window or system may appear to hang for up to a minute or two. Just wait it out and it will eventually wake back up with the Blindly-Accept-Our-New-License-Terms window. Read the license terms thoroughly and print out a copy for your files (sorry, couldn't resist) and then click "OK" and the updates will then download (slowly) the needed files and install them.
To make matters worse, the worm will start a Denial of Service attack against the Windows Update site on Saturday Aug 16, so if you think it's bad now, you ain't seen nothing yet.
Worm Trivia: The worm contains the following text, which is not displayed on the screen:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
If you experience either of the above symptoms on your PCs, you need to apply the appropriate patch from here immediately:
Windows XP Security Patch:
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
Windows 2000 Security Patch:
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
Windows NT 4.0 Security Patch:
http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
Windows NT 4.0 Terminal Server Edition Security Patch:
http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE
Windows Server 2003 Security Patch:
http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe
Then, run this program to scan your system for any remaining parts of the worm.
Removal Tool:
http://securityresponse.symantec.com/avcenter/Fix
Fix Info (Score:3, Informative)
I got to spend most of the day playing with this. Turns out this is msblast. The '60 seconds to reboot' thing only affects XP, not 2k. The reason we were getting these strange symptoms and nothing for the virus scanners to catch is that this is a failed msblast. The buffer overflow hit, but failed to download the payload through tftp. (Yes! Finally, an advantage to having your WAN links running at 750% of capacity - virus-induced TFTP transfers fail!) We found that installing MS03-026 on the system and rebooting cleared the weird behavior, and for one or two that did actually manage to download the actual virus file, Trend's newer virus defs find it and kill it mercilessly (even removing the registry entry). (Trend pattern file v606, released yesterday, supposedly found msblast, but we didn't see any actual detections until v608 came out today. Could have just been that none of the machines had downloaded it yet yesterday...)
Hope this helps the people who had similar symptoms.
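The spread pattern the "Our system" post and this "Fix Info" follow-up describe (one host sweeping neighbours on TCP/135, a compromised host then fetching the payload back over TFTP) is something a firewall log will show. The script below is an added detection example, not code from the thread: the log format, the addresses and every sample line are constructed, and the threshold and window are illustrative values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$")

# Constructed sample (not from the thread): 10.3.7.21 sweeps TCP/135 across a subnet,
# 10.3.8.3 then pulls a file back from it over TFTP; 10.3.7.40 is one ordinary RPC call.
SAMPLE_LOG = """\
2003-08-12T09:00:01 TCP 10.3.7.21:1041 -> 10.3.8.1:135 ALLOW
2003-08-12T09:00:01 TCP 10.3.7.21:1042 -> 10.3.8.2:135 ALLOW
2003-08-12T09:00:02 TCP 10.3.7.21:1043 -> 10.3.8.3:135 ALLOW
2003-08-12T09:00:02 TCP 10.3.7.21:1044 -> 10.3.8.4:135 DENY
2003-08-12T09:00:03 TCP 10.3.7.21:1045 -> 10.3.8.5:135 DENY
2003-08-12T09:00:05 UDP 10.3.8.3:1026 -> 10.3.7.21:69 ALLOW
2003-08-12T09:01:11 TCP 10.3.7.40:2202 -> 10.3.9.5:135 ALLOW
"""

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def find_rpc_scanners(events, threshold=5, window=timedelta(seconds=60)):
    """Map src -> hosts it probed on TCP/135, for sources touching at least `threshold`
    distinct hosts inside `window`. Denied probes count: a blocked probe is still a probe."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = defaultdict(set)
    for src, probes in per_src.items():
        probes.sort()
        for i, (ts, _) in enumerate(probes):
            recent = {d for t, d in probes[: i + 1] if ts - t <= window}
            if len(recent) >= threshold:
                flagged[src] |= recent
    return dict(flagged)

def find_tftp_pulls(events, scanners):
    """(victim, infector) pairs: a probed host later opening UDP/69 back to its prober."""
    return [(ev["src"], ev["dst"]) for ev in events
            if ev["proto"] == "UDP" and ev["dport"] == 69
            and ev["src"] in scanners.get(ev["dst"], ())]
```

On the sample, `find_rpc_scanners(parse_log(SAMPLE_LOG))` flags only 10.3.7.21, and `find_tftp_pulls` pairs 10.3.8.3 with it as the host that completed the payload fetch; the single RPC connection from 10.3.7.40 stays below the threshold.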