
Windows Virus Takes Out Gov't Agencies in MD, PA

  • Newsflash! (Score:5, Funny)

    by ackthpt (218170) * on Tuesday August 12, 2003 @10:58PM (#6682111) Homepage Journal
    Government officials for the first time discover computers infected with Windows.

    C'mon, this is getting so old ... but I guess that's the real pity, isn't it? Gives cities like Munich the last laugh.

  • by Anonymous Coward on Tuesday August 12, 2003 @11:00PM (#6682120)
    The person who created this worm did so to show that Microsoft's software was insecure. Their methods are bad, but they've shown that no matter how good WinXP sounds compared with Win9.x, it is still made by Microsoft. If you don't want this kind of rubbish, don't use Microsoft.
    • by Anonymous Coward
      blah blah, if anything they are showing how many people use MS products.

      There could be this kind of problem w/Linux but no one would ever know because a) Linux/Unix users are more clueful than Windows users and b) there are FAR fewer Linux/Unix machines out there.

      Blah blah, don't use MS, blah blah. That's just not an option for 90% of the world.
    • by wwest4 (183559) on Tuesday August 12, 2003 @11:37PM (#6682417)
      you're assuming too much about their intentions. based on the maturity level apparent in the strings in the executable, i'd say that anti-ms bashing and ostensibly noble intentions are just a convenient excuse for script-kiddie vandalism.

      if it weren't, they'd post an exploit in a public forum and/or notify ms, not write a worm and release it into the wild.

      i'm personally annoyed at all of the extra work this fscking thing cost me today - never mind that both my ISPs seem to be slower than shit and my iptables log grew 10 megs this week.

      to the author - grow up and put a grey or white hat on if you want to play with the rest of us.

  • by westyvw (653833) on Tuesday August 12, 2003 @11:00PM (#6682124)
    DSL reports has a security forum that has been taking this sucker apart and giving us the code:

    have a look:

    http://www.dslreports.com/forum/remark,7649146~root=security,1~mode=flat
  • by raider_red (156642) on Tuesday August 12, 2003 @11:01PM (#6682131) Journal
    Bringing down the DMV may be the best use anyone's ever found for a virus.
  • We Got Hit (Score:5, Funny)

    by Snoopy77 (229731) on Tuesday August 12, 2003 @11:01PM (#6682132) Homepage
    We discovered we got hit when our Sonicwall connections hit the limit every 10 minutes. It took us two tries to clean it all up.

    And who was it who brought it into the office? The CEO. He thought he had a virus but connected to the network anyway. Mod that funny if you will but try being part of our network support team.
    • by Kenja (541830) on Tuesday August 12, 2003 @11:15PM (#6682251)
      I keep 13 inches of sharp folded steel in a glass case above my desk with a sign that reads "break in the event of user error". I never have those kind of problems.
    • Re:We Got Hit (Score:5, Interesting)

      by PetoskeyGuy (648788) on Tuesday August 12, 2003 @11:20PM (#6682294)
      Preaching to the choir.

      I remember the Klez virus kept infecting our system. I put antivirus on all the machines and wiped and cleaned them several times. Still my boss had his computer go down several times and started to suggest I was incompetent.

      Turns out he got a fake email on his AOL account with the virus attached from a potential client who he has been trying to sell to for a long time. He loaded the virus from his laptop and ignored and disabled the antivirus warnings desperately trying to see what this guy was sending him. For those that don't know, Klez emails itself to any email addresses it can find.

      Problem finally solved. I was not to mention this matter to anyone else. Yeah Right. :)
      • Re:We Got Hit (Score:5, Insightful)

        by larien (5608) on Wednesday August 13, 2003 @04:53AM (#6683729) Homepage Journal
        > ignored and disabled the antivirus warnings
        Ah, there's your problem; you let users disable AV software. AV software should be mandatory and it should immediately and automatically clean and/or quarantine all suspicious files without allowing anything less than an administrator to override it. Make it part of company IT policy and wave it in front of anyone who complains.

        Like it or not, Windows systems need a solid antivirus policy in place; even if you filter at the firewall/mail gateway/web proxy, viruses will still find a way into your network.

  • Thanks, Microsoft! (Score:5, Insightful)

    by imag0 (605684) on Tuesday August 12, 2003 @11:01PM (#6682134) Homepage
    Looks like viruses like this may help speed adoption of alternate operating systems (like Linux, OS X, et al.) on the desktop quicker than a dozen ESRs with geek infantry in tow.

    Spoke with both sides of the family this evening, going on about how messed up their computers were acting and all they had to go through to get it patched up. I listened and informed them how well my iBook works and the relative merits of UN*X and they listened...

    Thanks again, Bill!
    • by Juanvaldes (544895) on Tuesday August 12, 2003 @11:13PM (#6682237)
      and how many switched after Code Red? ILoveYou? the countless others? Those who got infected either had someone take care of it or just reinstalled the system. This is what they are trained to do and expect it with computers.
  • by green pizza (159161) on Tuesday August 12, 2003 @11:02PM (#6682137) Homepage
    ... Windows Update once every couple weeks.

    I know there'll be dozens of "they shouldda been using un*x" posts, but in defense of Windows, there has been a patch for this on Windows Update since July 16. Even I had enough time to test the patch on a non-production system between then and now. Every platform gets its 'sploits throughout its lifetime, it's just a matter of learning about them and applying the proper patches in a reasonable amount of time... especially on mission-critical machines. (DMV computers, etc...)
    • by MeanMF (631837) * on Tuesday August 12, 2003 @11:10PM (#6682206) Homepage
      > I know there'll be dozens of "they shouldda been using un*x" posts, but in defense of Windows, there has been a patch for this on Windows Update since July 16. Even I had enough time to test the patch on a non-production system between then and now. Every platform gets its 'sploits throughout its lifetime, it's just a matter of learning about them and applying the proper patches in a reasonable amount of time... especially on mission-critical machines. (DMV computers, etc...)

      Yeah, but it's not like the Department of Homeland Security put out a notice telling people they should install the patch. Oh wait, yes they did [dhs.gov]. Maybe that's why a group of us worked late on Friday 8/1 making sure the patch was installed on all of our servers and workstations.
    • by thomas.galvin (551471) <.moc.nivlag-samoht. .ta. .todhsals.> on Tuesday August 12, 2003 @11:21PM (#6682295) Homepage
      Which has only been labeled 'critical' very recently, and, as far as I can tell, isn't on the suggested list of patches when Windows Update runs. I spent a good part of last night putting together a web page for my friends telling them what was wrong and how to fix it.

      The fact is, quite simply, that they should have been running a *nix. It amazes me how much MS can get away with; debit cards weren't working at the local Price Chopper today because of this, some guy posted that at least one ATM in the UK was down, which suggests that a lot more followed suit, the DMV, the IRS, etc, etc. Yes, the people responsible for this virus are to blame, and yes, the people that left their boxes exposed and flapping in the breeze are to blame, but the Windows culture also has a big part to play in it. Need a computer? Toss up a windows box, and you're all set.

      I think a big part of it is just that people expect Unix administration to be tough, and hire someone competent, whereas the Windows boxes get Joe MCSE.
    • by bricriu (184334) on Tuesday August 12, 2003 @11:27PM (#6682339) Homepage
      According to the DSLReports thread posted/linked above, people who were up to date with their Windows Update or had Windows Auto-Update on still got hit. :-/
    • by KalvinB (205500) on Wednesday August 13, 2003 @12:49AM (#6682821) Homepage
      Getting hit by this worm demands complete apathy towards patching your system. One faculty member at the University I do tech for was complaining about doing patches. It's so hard to open IE, go to Tools and then Windows Update, and click a couple of buttons. If that. We tend to set Windows to automatically download and install critical patches and then cross our fingers and hope the users are too lazy to disable it.

      In my case I just run a $50 router with NAT that blocks everything I don't need which makes the entire house network of around 10 computers immune from this worm regardless if they're patched or not.

      This worm doesn't prove anything. Linux users need to be patching their systems as well and when it becomes mainstream it'll be the target of script kiddies as well. It's just pointing out what techs all know: people are lazy and don't care until it's a problem.

      Ben
  • Worm (Score:5, Insightful)

    by aligma (682744) on Tuesday August 12, 2003 @11:02PM (#6682139)
    Are you, by any chance talking about MS Blaster Worm?
    It's good for us to keep using the correct terminology ... Maybe then the media will get the idea too!

    Ok, time to get modded down. :/
  • Patch! (Score:5, Insightful)

    by focitrixilous P (690813) on Tuesday August 12, 2003 @11:02PM (#6682146) Journal
    I can forgive stupid home users, but shouldn't mission critical things like these patch every now and then? The hype surrounding this has been huge, and if you run unpatched microsoft stuff, well, good luck fixing it now. It will take a long time, but at least this worm can be fixed with little damage. Maybe this worm will get people to pay attention to security, but then again people said that about the last dozen MS worms.

    STUPID!!
  • Their fault. (Score:3, Informative)

    by man_ls (248470) on Tuesday August 12, 2003 @11:03PM (#6682155)
    Their fault-the patch was released over a month ago, before there were any known exploits for it.
  • by apc (193970) on Tuesday August 12, 2003 @11:05PM (#6682167)
    Interesting. I had noticed when I stopped by Municipal Court to schedule a trial date that the computers were down. I was told by an employee that it was due to the power outage [philly.com], a comment that didn't make sense considering that I knew for a fact that the server farm was a floor above us...

    As pissed as I am at the asshole who wrote the worm (it took nearly half an hour to schedule something that normally takes 2 minutes-- thank "Bob" that I was in Municipal Court, which is only starting to modernize from an old IBM mainframe setup, rather than in Common Pleas or Federal District Court, which are totally computerized-- and in the case of Common Pleas at least, running on Windows), this is, of course, another example of why governments, in the name of security, should go to more open-source solutions.
  • by BWJones (18351) on Tuesday August 12, 2003 @11:05PM (#6682169) Homepage Journal
    My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them. I guess a few computers were infected with this worm and they wanted to ensure things were taken care of. So, here's the deal: I figure that today alone, due to lost productivity, salaries, benefits etc.... this company lost $250k from this worm. So, I ask: When are companies going to wake up and realize that the fundamental foundations that Windows are built on are flawed when it comes to security? There have got to be studies out there examining total cost of ownership of the various platforms. For instance, I spent a couple days of my time updating our remaining Wintel systems to guard against this virus and am soooo happy 95% of my work is done on OS X.

    • Of course, if 95% of people used OS X instead of Windows, more virii and what not would be written for OS X and more vulnerabilities would be discovered, etc.

      If only 1 person drove a Pinto, we might have never found out the problems with it. Since so many people drove them, the serious problems quickly became evident. It's the same kinda thing with operating systems. The more they're used, the easier it is to find vulnerabilities.
    • by Black Parrot (19622) on Tuesday August 12, 2003 @11:35PM (#6682406)


      > My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them.

      Where I work they just kicked everyone with an exposed system off the network as soon as the DoHS warning came out 2-3 weeks ago, and let them back on the network when they could demonstrate that their system was fixed.

      Call it "opt-in security", if you will.

  • by Da Penguin (122065) on Tuesday August 12, 2003 @11:06PM (#6682174)
    I keep hearing that windows 2k3 is the most secure windows, but (and I'm truly asking), what makes people say so? I'm using it at home. Evidence for: logs changes, logs every reboot and needs you to enter a reason, insists that every site (including google) has a security issue, comes with almost everything disabled, doesn't let users use shockwave et al without permission, probably some bug fixes. Evidence against: see the article above. At least it informed me afterwards that the computer unexpectedly rebooted . . .

    PS: Please don't mod me for flaming, I'm really wondering what inner changes there are, other than the ones above that give the impression of security.
      > I'm really wondering what inner changes there are, other than the ones above that give the impression of security

      Besides the default-lockdown mode, they supposedly did a review of the entire operating system looking for potential security holes like buffer overruns. There's an awful lot of code in Windows though, and it's hard to know exactly how thorough that review was - especially since they missed this one. Time will tell.
    • by westyvw (653833) on Tuesday August 12, 2003 @11:16PM (#6682257)
      Well, everything off is a good idea for a server. YOU should make the choices to turn anything on, and YOU should know why you did. The port this worm attacked has no justification for the home user. This is the same port that annoys most users of Win XP, but they don't know it. The only reason MS should have allowed this to be turned on was for administration on a LOCAL network.

      By the way, I can make Win 2003 Server crash in minutes if I am allowed to be a user on it. Shame, it's not that much better, but leaving ports closed is a good idea, and a long time coming.
    • by Anonymous Coward
      It installs with just about everything turned off, instead of turned on.

      It is also the first version of Windows that had teams of programmers whose sole purpose is to audit code and check it for security problems. Sweeps for coding patterns that lend themselves to exploitable bugs were done. Utilities were written to help flag suspicious bits of code. And so on ... time will tell how effective the changes were.
  • Monoculture (Score:5, Insightful)

    by the eric conspiracy (20178) on Tuesday August 12, 2003 @11:07PM (#6682182)
    One of the downsides to having just one type of OS is that it makes you very vulnerable to this sort of thing.

    As far as blaming people who haven't patched their computer, I can't see it. This thing is hitting home dialup users fer crying out loud - my friend had to drive over to his dad's house to disinfect a machine. You can't expect everybody's grandmother to behave as a professional sysadmin.

    • Re: Monoculture (Score:5, Insightful)

      by Black Parrot (19622) on Tuesday August 12, 2003 @11:29PM (#6682354)


      > One of the downsides to having just one type of OS is that it makes you very vulnerable to this sort of thing.

      Everyone says that, but does it really? If all OSes and their associated software had easy exploits, would it really be that hard to write a polymorphic worm?

      > As far as blaming people who haven't patched their computer, I can't see it. This thing is hitting home dialup users fer crying out loud - my friend had to drive over to his dad's house to disinfect a machine. You can't expect everybody's grandmother to behave as a professional sysadmin.

      So true. That's why it's important to design OSes and user software for safety rather than for a faux ease-of-use. I hope the GNOME and KDE hackers and other FOSS writers are seeing the right message in this.

  • Philadelphia (Score:4, Informative)

    by phillymjs (234426) <slashdot.stango@org> on Tuesday August 12, 2003 @11:23PM (#6682314) Homepage Journal
    The 10pm news here in Philly interviewed one of the city's IT guys. He stuttered and stammered his way through the whole thing, and looked to me like a man afraid for his job as he claimed that there was "no warning and no way to be prepared for this"-- not a verbatim quote, but close enough.

    I think the guy is right to be afraid for his job-- he's pretty damned incompetent to have not heard about this. This vulnerability was quite publicly announced weeks ago, and Microsoft's page with the patch is dated July 16. Even Homeland Security released a bulletin, [nipc.gov] and I'd hope that if nothing else those would get around in a city government that is supposed to maintain a level of disaster-preparedness.

    Then again, this being Philadelphia, that guy likely got his job through patronage and wasn't qualified for it in the first place.

    ~Philly
  • by Phoenix (2762) on Tuesday August 12, 2003 @11:30PM (#6682361)
    And I know this for a fact. I had a machine that I re-loaded XP on for a customer since he was upgrading his motherboard. Friday I finished the Windows load and installed all the patches available on the update page. Ran it once to get the first 80MB of patches, ran it to get Media Player 9, ran it again to get the security patch for Media Player 9.

    That's everything on the update page.

    Installed Norton AV 2003 and got all the updates available as of last Friday. After doing that one would have a reasonable expectation of being safe against a problem, especially since the problem was discovered a full month ago.

    Monday the customer called with the machine giving a 60 second countdown and rebooting.

    Now even if the people at the MVA and other places *did* the updates from the updates page, they'd still be screwed.

    All I want is these virus programmers, their fingers, a ball-peen hammer and 5 minutes...it's all the time I'd need
  • by westyvw (653833) on Tuesday August 12, 2003 @11:31PM (#6682367)
    My bad. I made a bad link that wasn't what I wanted:
    If you wanna look at the code its HERE:

    http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat

    The grain of salt is that they are reverse engineering. But it still is there and interesting.

    Again my apologies.
  • by LibertineR (591918) on Tuesday August 12, 2003 @11:34PM (#6682398)
    This virus is the result of companies putting idiots in charge of setting up and administering Windows-based networks. There are so many Windows-based organizations, that only a small percentage of idiot admins will create enough insecure systems for a virus to do damage large enough to get noticed.

    The fact is, there is no 'secure' operating system, but there are enough things that can be done to prevent virus infections that any large company stricken by this virus should fire their IT staff TODAY.

    What company does NOT demand auto-updating anti-virus software on every system connecting to their corporate network? What company does not have a person in charge of installing MS patches within 24-48 hours of their availability? Don't give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.

    Viruses are a reality for Windows networks, and companies without policies and recovery plans to deal with them should fire their staffs and get competent people in place. Businesses need to understand that competency costs MONEY, so if your IT people are paid dirt wages, your network is a sitting duck, trust me. Can your MCSE who can't tell you what circular logging does on an Exchange installation. Fire the fool who told you to build trusts between multiple AD forests, I don't care how reasonable his explanation was. I see this shit every day, because 80% of Windows admins suck monkey dick. Microsoft is on their 3rd round of creating a certification program. Maybe they should consider taking the aftermarket PROFIT out of it, and stop caring about pass/fail rates long enough to get a core group of people who know what the fuck they are doing?

    There is no excuse for this shit anymore. A virus attack on a company running Windows these days should mean an instant termination of the staff that let it happen.

    • by Zarquil (187770) on Wednesday August 13, 2003 @12:27AM (#6682735)

      > Don't give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.


      No way!

      If one of my clients happened to have mission critical software that was taken down because I applied a patch, then I'd deserve to get turfed. I agree that patches breaking other software is used far too much as an excuse for laziness, but testing your patches before you go live is still critically important.

      If I ended up costing a company a $10,000 gig (say I couldn't recover a database - or maybe just had so much downtime the company missed a deadline) I'm not going to last long enough to point the finger and say, "It's Microsoft's fault!" I'd likely have my ass grinding over the welcome mat on my way out the door. And in the small businesses that I deal with, losing more than one or two shows will bring the company down anyways.

      Part of competency is understanding risk management. If I have the time to test patches before applying them, there is no excuse to patch blindly. If it's a nice standard shop that doesn't have anything exotic, then yeah I'll let auto-update take care of it. But you better understand the business and what kind of tolerance they have to down time or broken patches!

      For the record, all of the systems have been clean and, knock on wood, I'll drop by the last of my clients this weekend and check theirs in person (I haven't got a complaint call yet, so I'm hoping things are as I left them.)

      - Zarquil
  • Our system (Score:5, Informative)

    by Jade E. 2 (313290) <slashdot@perlsBLUEtorm.net minus berry> on Tuesday August 12, 2003 @11:44PM (#6682460) Homepage
    I'm an admin for a local County department. While our network was mostly unaffected (I'll get to that in a second), the county's Central IS department, that runs the county backbone from which we get our internet feed, had their exchange 5.5 box (on nt4 - not patchable) go down sometime really early this morning.

    My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.

    It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that it crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (IE, the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)". Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would pop up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (There were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.

    So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?
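    Two posts in this thread describe the same symptom from the firewall side: wwest4 above watched an iptables log grow by 10 MB in a week, and this post watched a dial-in client walk through the department's address block and then move on to 5.69.x on port 135. The block below is an added example (not code from either poster) that pulls TCP/135 sweeps out of iptables LOG lines by counting how many distinct destination hosts each source probed. It assumes the default iptables LOG field names (SRC=, DST=, PROTO=, DPT=) and works on a handful of constructed log lines embedded in the file; the five-target threshold is an assumption you would tune to your own network, where a normal client talks RPC to one or two servers, not to every address in a /24.

```python
import re
from collections import defaultdict

# Default iptables LOG fields (the sample lines below are trimmed: MAC=, LEN=,
# TTL= and friends are omitted, the regex only needs SRC/DST/PROTO/DPT).
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?PROTO=(?P<proto>[A-Z]+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample input: 10.0.0.5 sweeps six neighbours on TCP/135,
# 172.16.3.3 sweeps five, 10.0.0.9 is an ordinary client talking to one
# server, and one UDP/135 line must not count toward a TCP sweep.
SAMPLE_LOG = """\
Aug 12 22:58:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP SPT=1044 DPT=135 SYN
Aug 12 22:58:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.2 PROTO=TCP SPT=1045 DPT=135 SYN
Aug 12 22:58:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.3 PROTO=TCP SPT=1046 DPT=135 SYN
Aug 12 22:58:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.4 PROTO=TCP SPT=1047 DPT=135 SYN
Aug 12 22:58:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.5 PROTO=TCP SPT=1048 DPT=135 SYN
Aug 12 22:58:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.6 PROTO=TCP SPT=1049 DPT=135 SYN
Aug 12 22:58:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.50 PROTO=UDP SPT=1050 DPT=135
Aug 12 22:58:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.7 PROTO=TCP SPT=3021 DPT=135 SYN
Aug 12 22:58:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.7 PROTO=TCP SPT=3022 DPT=80 SYN
Aug 12 22:58:04 gw kernel: IN=eth0 OUT= SRC=172.16.3.3 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=135 SYN
Aug 12 22:58:04 gw kernel: IN=eth0 OUT= SRC=172.16.3.3 DST=192.0.2.11 PROTO=TCP SPT=2002 DPT=135 SYN
Aug 12 22:58:04 gw kernel: IN=eth0 OUT= SRC=172.16.3.3 DST=192.0.2.12 PROTO=TCP SPT=2003 DPT=135 SYN
Aug 12 22:58:05 gw kernel: IN=eth0 OUT= SRC=172.16.3.3 DST=192.0.2.13 PROTO=TCP SPT=2004 DPT=135 SYN
Aug 12 22:58:05 gw kernel: IN=eth0 OUT= SRC=172.16.3.3 DST=192.0.2.14 PROTO=TCP SPT=2005 DPT=135 SYN
"""


def find_sweepers(log_text, port=135, min_targets=5):
    """Return [(src, distinct_targets)] for every source that opened TCP
    connections to `port` on at least `min_targets` different hosts,
    busiest source first. Non-TCP lines and other ports are ignored."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue
        targets[m["src"]].add(m["dst"])
    hits = [(src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= min_targets]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


if __name__ == "__main__":
    # Feed a real file with: python sweep135.py < /var/log/kern.log (hypothetical name)
    for src, n in find_sweepers(SAMPLE_LOG):
        print(f"{src} probed TCP/135 on {n} distinct hosts: pull it off the network")
```

    Counting distinct destinations rather than raw packets is what separates a sweep from a busy but legitimate client; the same function with port=445 covers the variant Antitorgo mentions further down the thread.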

    • More info (Score:4, Interesting)

      by Jade E. 2 (313290) <slashdot@perlsBLUEtorm.net minus berry> on Wednesday August 13, 2003 @12:08AM (#6682621) Homepage
      Yeah, yeah, it's bad form to reply to yourself. But I'm leaving for the night so I figured I'd post a few more details I remember in case it helps anybody else.

      If the worm we got autostarts anything, it uses one of the sneakier methods. I didn't check the ini files, but I did check out both run and both runonce keys and there was nothing unexpected in any of them. File sizes and dates on the files that were there matched a clean system (although that's not a guarantee, I didn't run checksums). The damage to explorer, IE, and Word did survive a reboot, however, so it modifies something on the system. We had the system up for the better part of an hour on the network, watching ethereal on the switch's mirror port, and didn't see any strange traffic, so I don't know what triggers its spread. The dial-in client that was one of the original vectors had been connected for something like 8 hours when it started scanning, and we are its internet access so it couldn't have been (easily) infected from outside today without us seeing it (we were monitoring after central's exchange server went boom), so I strongly suspect it's got a timer or trigger to start scanning. (Maybe idle time? It started roughly half an hour after they closed for the night, hence us kicking them off and revoking their dial-in privileges instead of just calling them.) I didn't catch any actual infections in the packet dumps, only scans after the vulnerable machines had already been hit, so I don't have a network dump, but I'll hook an infected machine to the test network in the morning and try to get one. If I can talk the manager into leaving me alone for long enough I'll try to get it to infect a dummy machine I've imaged and see exactly what changes it makes. Anyways, good luck to anyone still playing with these things.
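      The poster's caveat that matching file sizes and dates "is not a guarantee" without checksums is the whole point of the added example below (not the poster's code). It builds two manifests of a directory tree, one keyed on size and mtime and one on SHA-256, then replaces a stand-in DLL with one of identical length and puts the original timestamp back. The size-and-date comparison reports nothing changed; the hash comparison catches the swap, and both report the dropped file. The tree and its contents are constructed in a temporary directory for the demo; against a real box you would take the baseline from a known-clean image, which is exactly the "dummy machine I've imaged" plan in the post.

```python
import hashlib
import os
import tempfile


def _walk(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def stat_manifest(root):
    """The 'sizes and dates match' check: relative path -> (size, mtime_ns)."""
    out = {}
    for rel, path in _walk(root):
        st = os.stat(path)
        out[rel] = (st.st_size, st.st_mtime_ns)
    return out


def hash_manifest(root):
    """Content check: relative path -> SHA-256 of the file's bytes."""
    out = {}
    for rel, path in _walk(root):
        with open(path, "rb") as fh:
            out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_manifests(baseline, current):
    """Files added, removed and changed relative to the baseline manifest."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed scenario: same-length, same-timestamp DLL swap plus a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        # Stand-ins for system files on a known-clean image (contents are made up).
        dll = _write(root, "system32/shell32.dll", b"CLEAN shell32 build 2195")
        _write(root, "system32/ole32.dll", b"CLEAN ole32 build 2195")
        _write(root, "win.ini", b"[windows]\nrun=\n")
        clean_stat = os.stat(dll)
        baseline_stat = stat_manifest(root)
        baseline_hash = hash_manifest(root)

        # Simulate the infection: replace the DLL with one of identical length,
        # restore its old timestamp, and drop a new executable next to it.
        _write(root, "system32/shell32.dll", b"DIRTY shell32 build 2195")
        os.utime(dll, ns=(clean_stat.st_atime_ns, clean_stat.st_mtime_ns))
        _write(root, "system32/dropped.exe", b"MZ...")

        return {
            "by_stat": diff_manifests(baseline_stat, stat_manifest(root)),
            "by_hash": diff_manifests(baseline_hash, hash_manifest(root)),
        }


if __name__ == "__main__":
    for method, result in demo().items():
        print(method, result)
```

      The baseline has to come from somewhere the worm never touched (an image or install media), and the comparison has to be run from a clean host or boot medium: a hashing tool that runs on the infected system is reading through whatever that system's DLLs now do.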

    • Re:Our system (Score:4, Informative)

      by Antitorgo (171155) on Wednesday August 13, 2003 @01:57AM (#6683125)
      If the other worm you are talking about is hitting port 445 it is probably the Backdoor.irc.Cirebot [symantec.com] trojan. It targets port 445 (vs 135), and opens up a backdoor. Its still an RPC attack though...

      Hopefully, the other worm you are seeing isn't a mutation.
    • Re:Our system (Score:4, Interesting)

      by pavera (320634) on Wednesday August 13, 2003 @04:35AM (#6683674) Homepage Journal
      I saw this exact same problem today at one of my client's sites. I do work for a few small businesses, and one of them had this exact same problem, it wasn't msblast (that process wasn't running, and nothing was found by virus scan or the symantec remover) but we showed the exact same problems, the only fix we found (In nearly 8 hours of trying) was to completely reformat and reinstall...)

      Hopefully someone will find out what this new virus is and create a removal tool for it, however I think this one might be pretty nasty, it completely hosed word/outlook and norton av on one system and trashed the windows installer service on another causing office and norton av to think they weren't installed, and making it impossible to reinstall them.

      We also did not see it scanning, and it seemed to be infecting slowly (the client has 30+ machines all win2k, and after 8 hours only 3 had been infected, those 3 were pulled from the net then but they had many hours to infect the rest of the hosts on the network and didn't).

      Any info on this new strain would be greatly appreciated.
  • by RALE007 (445837) on Tuesday August 12, 2003 @11:47PM (#6682486)
    > "It's likely that people who have not turned on their computers yet will discover that they have already been infected if they do not have the Microsoft patch, a firewall of some sort or anti- virus program installed,"

    How could one already be infected if their computer hasn't been running? Maybe he's implying "as soon as you turn on your computer you'll be infected", I don't know.

    > Millions of unprotected personal computers remain vulnerable to the worm, which can infect any machine connected to the Internet, experts said Tuesday.

    Really? I thought it was only Win2k, XP, and 03, not every computer on the planet. But experts said so, so I guess it must be true.

    > The worm attacks computers through a flaw in the part of Windows that allows computers to share files and control Internet traffic. Four versions of Windows operating systems are targeted: Windows NT, Windows 2000, Windows XP and Windows Server 2003.

    Oh you are aware it doesn't affect every computer on the planet. That's good because five paragraphs before you said it did and now you're contradicting yourself. Wonderful

    > "This is certainly a capable person who did this," Sundwall said. "In most cases, it takes about six to nine months for a worm to appear after a patch is released. This is certainly something that did occur quicker than we are accustomed to."

    Because it is just so hard to create a self replicating buffer overflow program. It's not like this is down to a science. The statement implies a team of developers would have to sit down for a year to create something this "sophisticated". It couldn't be that MS products are inherently insecure and easily exploitable. There are thousands if not millions of people "capable" of this, just not immature enough.

    You'll notice some of my excerpts are quotes from within the article, and not necessarily the words of the author. The author still chose to include this malformed crap.

    I would recommend seeing this older Slashdot article [slashdot.org] concerning the worm or going to google to find better written information on the matter. The facts within the new article are interesting, but so blatantly misrepresented it's annoying and I would view an alternative source.

  • Virus? (Score:4, Funny)

    by Flakeloaf (321975) on Wednesday August 13, 2003 @12:09AM (#6682634) Homepage
    No problem, Sir. We'll just switch our AI on and squash this thing. Skynet is ready to go live.
  • by rediguana (104664) on Wednesday August 13, 2003 @12:44AM (#6682803)

    I was at the gym for the 3pm NZST news today, and Microsoft took a hammering. Only Microsoft Systems are affected... MSFT this, MSFT that - I'd like to see what Microsoft New Bliss-Land [microsoft.com] do to spin this.

    I've just checked their NZ home page [microsoft.com] and they are soliciting feedback on customer feelings towards MSFT today, and have some obvious customer advice in big, bright colours. Microsoft US [microsoft.com] doesn't seem to care in comparison.

    The feedback form has three cute faces with various different states, from happy to angry, on them. Perhaps you may want to give them some feedback too ;)

  • by Splat (9175) on Wednesday August 13, 2003 @01:49AM (#6683095)
    So, as a Philadelphia area resident can anyone get me a list of infected business/departments so I can fill the positions of the soon-to-be-fired IT Staff?

    Yes - I am partly serious.
  • by 26199 (577806) * on Wednesday August 13, 2003 @04:42AM (#6683694) Homepage

    "I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."

    How about downloading security patches, too?

  • by hondo_san (565908) on Wednesday August 13, 2003 @07:10AM (#6684055)
    I can imagine the ire that l33t haXors/crackers are voicing about this. The worm infects. The worm is easily removed. The patch is applied. For most systems, if not all, this fixes it. (Disclaimer: I have not yet removed this from a system. I have only talked to colleagues that have, and customers who have been affected.)

    Let's try to imagine if it carried a Chernobyl-like payload, or the feared root name server DDoS. Man, that's scary. So, the first one with an exploit ruins it for the rest, as at least some of the world finally realizes that it needs to patch, rendering the real killer-virus less effective, should it ever see the light of day.

    I guess in that context, we should be grateful. It's kinda like if you're walking down the street in a bad neighborhood. Wouldn't you rather have some a**hole just slap you in the face, rather than said person walking up and shooting you?

  • by digrieze (519725) on Wednesday August 13, 2003 @09:10AM (#6684737)
    I know /. is the place to bash the microsofties, but don't let it get to your head. Remember, anything with the name Microsoft gets instant press, outside the techies the public thinks "apache" is the old movie name for a First Nations tribe.

    I regularly do security audits of all kinds of systems. When I walk into a Microsoft shop I can immediately tell how it goes. If the sysop says "I don't trust the patches, I test them, but they're not deployed unless there's a REAL problem", it won't go well; those guys usually don't update virus files either. On the other hand, if the sysop is using patch management practices he can often go out in real time and check the current status of a server, workstation, and active version of the virus definition file (they usually have good WRITTEN policies on unauthorized (untested) soft/hardware with sanctioned backup). I haven't found malware in any of the latter cases.

    I've yet to find a good *.nix shop. They often have good processes and procedures that SHOULD avoid problems, but the truth is it's easier to sign a piece of paper that says source code was patched and applied than to actually do it. Things look great on paper. Check the source or decompile sendmail (one of my favorite targets) and it's another story. I'm still finding the same hole T. Morris used years ago on active servers. The excuse is always the same: "that was the way it came, shouldn't that have been fixed in the distro by now?" (i.e. too lazy to look, just signed the paper). Many don't even check SANS or CERT regularly. At least Windows will notify you when critical updates are available, and all you have to do to apply it is run the .exe. Even then you get guys like this story highlights:

    "I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."

    (How did this guy get his position or experience? Even "end-users" successfully use critical updates with relatively NO technical experience or fiscal responsibility.)

    Any sysadmin that can't keep a system patched, or falsifies patch records should be punished up to and including dismissal as far as I'm concerned.

    Incidentally, just so you know, my audit document is the CERT advisories on securing systems. If you want a great basic book, try O'Reilly's "Practical Unix and Internet Security".

    Has anyone figured out yet that, as far as I'm concerned, the problem is NOT theoretical design differences in OSs as much as the incompetence of the people running them?
