Forgot your password?
typodupeerror
Windows Operating Systems Software Security

LovSan Clone Let Loose 631

Posted by CowboyNeal
from the coming-around-again dept.
JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."
This discussion has been archived. No new comments can be posted.

LovSan Clone Let Loose

Comments Filter:
  • Cloning.. (Score:5, Funny)

    by Stalus (646102) on Thursday August 14, 2003 @08:19PM (#6701701)
    Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.
    • by Black Parrot (19622) on Thursday August 14, 2003 @08:21PM (#6701727)


      > Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

      The scary part is that if they mutate and interbreed we could end up with a virus with four asses.

  • by NanoGator (522640) on Thursday August 14, 2003 @08:19PM (#6701711) Homepage Journal
    "It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems."

    To be fair, the media's not going to be interested in reporting that it's not as bad as it seems.

    (Note: I'm not saying it's not that bad, I'm saying don't trust the media to tell is its dying.)
    • Maybe I'm confused, but how does "no real end in sight" indicate that the worm is dying?
  • gotta say it (Score:2, Interesting)

    by minus_273 (174041)
    Bill gates, why do you let this happen? any coincidence that the attack is exactly 1 month to the day that the hole was announced..
    • Re:gotta say it (Score:4, Interesting)

      by Overly Critical Guy (663429) on Thursday August 14, 2003 @09:34PM (#6702255)
      The 800kb patch has been out since last month. If you didn't patch, you know who to blame. Not Bill Gates.

      As a matter of fact, this has been the only vulnerability in Windows Server 2003 since its release, and it was a vulnerability that was inherent in the interprocess structure of the Win32 library itself and so affected all the products in the Windows line.

      I doubt we'll see any other holes in Windows Server 2003 for the rest of the year, especially since they're already working on the service pack (their plan is to phase in Blackcomb features). Microsoft's reputation is riding on this, and you better believe they were checking their code like crazy.
    • Re:gotta say it (Score:4, Insightful)

      by PhxBlue (562201) on Friday August 15, 2003 @12:59AM (#6703313) Homepage Journal

      Right, Bill Gates personally wrote this worm and released it into the wild.

      I'm no fan of Microsoft, but cut them some slack. They released a fix for this vulnerability two months ago. If people are still vulnerable, it's their own damned fault.

  • by Anonymous Coward on Thursday August 14, 2003 @08:20PM (#6701721)
    Kaspersky Labs, a leading expert in information security, has identified a new modification of the notorious Lovesan worm (also know as "Blaster").

    Kaspersky Labs' experts anticipate that in the short run a repeated outbreak of the global scale may occur. This is because the two versions of "Lovesan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovesan" will soon be attacked by its revamped versio," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, "Taking into consideration that the amount of infected systems is now reaching 300,000 the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web: just as it happened in January 2003 due to the "Slammer" worm.

    Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.

    Users of Kaspersky(R) Anti-Virus can be sure that this new worm will not harm to their computers. All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update.
  • by Exiler (589908) on Thursday August 14, 2003 @08:20PM (#6701723)
    that an antivirus lab announced that a new clone was on the way, not spreading but on the way.
    • Exactly. (Score:4, Interesting)

      by jpsowin (325530) on Thursday August 14, 2003 @08:41PM (#6701889) Homepage
      Yes, and notice that their anti-virus program detects both versions of the virus (the old and the "expectant" one) without even an UPDATE? Hmmmm... ;)
      • A little late (Score:3, Informative)

        by einhverfr (238914)
        Symantec lists *three* versions on their web site. One of which has its executable named penis32.exe (the B worm uses penis32.exe and the C worm uses teekids.exe)

        Source: http://www.sarc.com
    • It's not unthinkable that they would get a copy early, if one of their users sends it to them for analysis...
    • by WHudson (31692) on Thursday August 14, 2003 @08:56PM (#6702004)
      I always wondered if the anti-virus companies have some programmers in their payroll who work on developing viruses -- either to predict things before they hit, or to keep product updates coming and profitable.
    • by heli0 (659560) on Thursday August 14, 2003 @09:16PM (#6702138)
      The same warning about the new clone has been released by dozens of other groups including...

      http://www.f-secure.com/v-descs/msblast.shtml

      http://securityresponse.symantec.com/

      http://us.mcafee.com/virusInfo/default.asp

    • by morven2 (5718) * on Thursday August 14, 2003 @09:45PM (#6702303)
      While some companies in the AV industry have shown (ahem) questionable ethics in the past, I think it's stretching to say they WRITE the viruses, rather than just hype them.

      For one thing, there are plenty of idiots out there quite willing to write a virus for free.

      For another, if the viruses/worms/trojans were written by the AV firms, they'd be MUCH better. My co-workers and I would regularly discuss how one could, hypothetically, write the ultimate virus ... some of our ideas would have been quite evil indeed. And most of us were pretty good programmers.

      Contrast that with the true nature of most successful 'in the wild' viruses -- most of which aren't that well written ...
  • by cesman (74566) on Thursday August 14, 2003 @08:20PM (#6701724) Homepage
    I'm starting to feel left out.. Maybe I'll install Windows on a box and join the fun.
    • christ, right after i wander over to symantec's website to see what this thing really is. the few friends of mine that i've talked to about this, they told me it was some kind of security breaching attack against a system, and that msblast.exe is the program that a hacker can use to remotely control a pc, perhaps to host an ftp server or some other hoopla. then i received some distressful emails from the ITS department at my university, saying many of the computers have been infected but are now isolated in
    • by alonsoac (180192) * on Thursday August 14, 2003 @08:42PM (#6701899) Homepage Journal
      No seriously, I once was regarded by friends and family as the guy who could fix their computers. Now they call like crazy saying their PC is rebooting and I don't know what the hell they are talking about. Then I read about the virus and tell them what to do but of course I wouldn't know if it will work (or why it didn't work) since I dont have an infected machine to try it. This has made me look like an idiot plus I'm here working all day while my friends enjoy a couple days of forced vacations while someone has time to fix their machines. Grrrr..

    • Re:Feeling left out (Score:5, Interesting)

      by anubi (640541) on Thursday August 14, 2003 @09:09PM (#6702087) Journal
      Oooh man, tell me about it. I don't know what I'm missing, I suppose.

      I had been working on my CAD system on my home machine running WIN95 and DOS. I wasn't even aware anything was amiss until I logged onto Slashdot to see whats new. I was wondering why it was so slow. My firewall responded in a bit and told me I was getting a helluva lot of connect attempts on port135. So, I go look up the log file and it looked like SQL slammer all over again. Almost a megabyte of infection attempts. I wondered at first if I had made an enemy on a dialup??? In 4 hours??? Why did the whole world seem determined to wax me off the web? Damm, it seemed like everyone in the world was wanting my port135.

      Ok.. so I continue to read Slashdot and the story finally loads about this new LoveSan virus making the rounds. Hmmm. When I think of how much work would have been lost had something came in and messed up my machine, I shudder. But then, I don't run my machine wide open to the net. I try to practice secure techniques - such as never allowing any programs to run that I have not verified their intentions, and don't run anything that allows embedded executables ( read: javascript and later things post DMCA that haven't been "cleared" by what I consider trusted groups - which are mostly the groups the DMCA was aimed at in the first place. )

      Sure, there are a lot of websites that I can no longer see. I can not even access the Southern California Edison site, nor many business sites - as they require these embedded-executable technologies as a requisite to viewing their content.

      So, I sit here, with a pretty fast system, as its pretty simple. I have no virus scanning going on, as I am not running just anything I get in. I do have an integrity monitor running, which does a quickie on startup to see if any critical files are amiss ( it just calculates an MD5 on my key executables and compares to what they should be. ).. if so, booting to GUI is aborted and I drop to DOS to straighten it out - but its never happened outside a test situation.

      I keep getting all these people telling me I should upgrade and be current with the times. I would gladly upgrade if the later stuff was actually better and more robust than the earlier stuff - but thats not what I see.

      Oh yes, the "presentation skills" are definitely better on the new stuff, but I see the new systems much like a stunningly beautiful secretary that I can't trust, and spends a helluva lot of time doing her makeup.

      I try to tell these business people what they are getting into by running software that hasn't been verified for trustworthiness, but they seem happy to go ahead and do it anyway as long as there is someone else to blame if things go amiss. I hoot till I'm blue in the face about these businessmen who put content on the web that can only be viewed with proprietary readers, whose underlying trojan motives, if any, can no longer be legally ascertained as a result of the DMCA.

      I am especially puzzled by business's perception of proper etiquette. Would they hire a sales rep that constantly interrupted a customer in mid-question with comments on his grammar or spelling? Or worse yet, rudely hangs up on customers if they don't understand something? Is not a corporate web-site their sales-rep in cyberspace? Why would a business hire such rude representatives that coin their own protocols and chide the customers relentlessly for not adhering to their latest incarnations of the communications protocol "standard"?

      At the risk of redundancy, I'll say it again. I do not like these proprietary unverifiable protocols. I consider them very risky - to me. I really don't care if YOU get hit with a virus, but I don't want any part of it.

      Ok.. I just had to get this off my chest. It might cost me a bit of karma, but I had to say it in public in the hopes that someone in management that makes the decisions will hear my plea.

      • by radish (98371)
        I keep getting all these people telling me I should upgrade and be current with the times. I would gladly upgrade if the later stuff was actually better and more robust than the earlier stuff - but thats not what I see.

        Believe me, there are many things which are more robust than win95. Whilst your paranoia is your business, saying you run win95 because it's more stable than say, w2k, flies in the face of the evidence. And that's not even going into the realm of things like Linux/BSD, which I assume you ca
    • by Nucleon500 (628631) <tcfelker@example.com> on Thursday August 14, 2003 @09:42PM (#6702287) Homepage
      I'm told it works in Wine.
    • All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

      To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and needs root permission to be listened to)

      Now you can actually *see* when the worm tries it's futile attack on your superior OS.

      // begin mblaster_l.c

      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <arpa/inet.h>
      #include <stdio.h>
      #i

    • Me too - none of my 3 windows machines (including the one at work) were affected at all :(.
  • Ugh, lazy patchings (Score:5, Interesting)

    by AEton (654737) on Thursday August 14, 2003 @08:21PM (#6701728)

    The RPC vulnerability this worm exploits was patched at least three weeks ago. Maybe if people would get it through their skulls that Windows ships with a BIG WINDOWS UPDATE LINK [microsoft.com] in the Start Menu for a REASON, and maybe if people would at least check for new, fun things weekly, these viruses wouldn't spread quite so far. The news outlets that focus on the "horrific" damage instead of the easy fix are doing their subscribers a disservice.

    Besides, even if you don't care about security, you must at least admit it's fun to see a new "This vulnerability could allow an attacker to execute malicious code"-patch every week. I wonder what'll happen when Microsoft's numbering system overflows...

    • by Doppler00 (534739) on Thursday August 14, 2003 @08:24PM (#6701763) Homepage Journal
      Actually, I'm wondered why the heck RPC service is allowed to be exposed to the internet interface in the first place. There is absolutely no good reason for Microsoft to design it this way. Sure, I could understand it being useful for corporate networks, but to leave it on and not allow you to turn it off is ridiculous.

      This isn't so much about security as it is poor design on the part of microsoft leaving so many useless services exposed to the internet.
      • We were infected by someone dialing in to (of all places, MSN) and opening an *authorized* VPN tunnel to our network.

        Users will not patch their machines, even if there's a bright icon in their start menu. Even if it reminds you all the damn time. If it doesn't automagically download and install, they're not going to do it.

        Should they have to? No. No one should have to patch as often as they do. Especially not desktops. Home users, for the most part, are technically savvy enough to plug in a USB device and

      • They leave all those ports open and services running so that when someone on the outside tries to access a feature that hasn't been enabled yet, it'll be able send back "Access Denied" in a friendly fashion rather than just refusing the connection.

        Or at least that how I imagine they would try to explain it.

        Today I noticed that every morning our couple XP computers at work send out a few uPnP related packets to 239.255.255.250:1900. They're going beyond our lan and out through our gateway to the internet.
        • by wfberg (24378) on Thursday August 14, 2003 @09:16PM (#6702135)
          Today I noticed that every morning our couple XP computers at work send out a few uPnP related packets to 239.255.255.250:1900. They're going beyond our lan and out through our gateway to the internet. It's probably not worth the effort to investigate further and correct, but it bugs me a little.

          Your network is misconfigure. 239.255.0.0/16 is a local scope multicast address. (RFC2365) The message sent is to let other uPNP devices know your computer is there.
    • >> I wonder what'll happen when Microsoft's numbering system overflows...

      Credit MS with a little bit of insight. They increase the data type for the numbering to a double a long time ago. ;)
    • Even just TURNING ON THE FIREWALL BUILT INTO XP would prevent 90% of the machines out there being infected. I know my g/f and her roommate haven't been infected yet even though her roommate's system (which is unpatched) is the ICS "server".
    • by Pompatus (642396) on Thursday August 14, 2003 @09:02PM (#6702041) Journal
      I agree that everyone should at least check out windowsupdate.com every once in awhile, but I am always hesitant to update my windows box. Windows Media Player 9??? Don't need it, don't want DRM. What about SP1 deactivating xp installs with pirate serial numbers? I've had DirectX updates that actually crashed previously working games (not lately though, gotta say that's getting better).

      I like to wait to update my box for about a week or so to see if there is any outcry about some nasty thing Microsoft slips into the update. I'll bet I am not alone. As far as Blaster is concerned, I rely on independant firewall and antivirus applications to deal with these threats. IMHO it works better than relying on MS to secure their OS.
  • Phew (Score:4, Funny)

    by tarquin_fim_bim (649994) on Thursday August 14, 2003 @08:22PM (#6701742)
    "All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update."

    Guess they were just damned lucky there.
    • Re:Phew (Score:3, Informative)

      If past performance is any indication, it's because Kaspersky takes multiple strings from harder to modify areas and also supports wildcards - the guy who started it (Eugene Kaspersky) is a badass at assembler and has generally produced some of the best virus analysis in the industry. I use and recommend F-Secure [datafellows.com], which uses a combination of his engine and Fridrik Skulason's for scanning - that way you get the advantage of having two sets of seperately picked virus signatures plus different heuristical sca
  • by Black Parrot (19622) on Thursday August 14, 2003 @08:23PM (#6701750)


    If we're lucky the power will be out and the worms won't be able to carry out their attack.

  • Nothing really changed other than the exe filenames and registry keys as far as I know. It doesn't even look like updated functionality from the author, just copycats.
    • The executable compression scheme used has changed too, as the article states.
      They also state that their software detects both without an update. Thats interesting- I always figured (and never bothered to educate myself and discover otherwise) that virus definitions were less flexible than that- like md5 sums or something. Or is Kaspersky ahead of the game?
      • A lot of antivirus packages have been able to 'see through' lousy encryption schemes and packing techniques for a long time. The polymorphic viruses (viruses with a pseudo-random encryptor/decryptor around them) and high level language viruses forced that back in the early 90's. A few have pretty serious processor emulation built in for heuristics to detect unknown viruses, although others use code signatures for the same purpose.

        Most of the good AV packages do perform a hash of some sort on the unchang

  • by blair1q (305137) on Thursday August 14, 2003 @08:23PM (#6701756) Journal
    How many times do people need to be told this?
    • That is a blanket statement that has little truth to it. The internet is made of the computers that connect to it. Many computers that make the internet are not secure. A fully patched system, be it Linux, Unix, or Windows is for all intensive purposes, secure -- for the time being. What people don't get is that security is not a constant thing. It has to be kept up with. How many times do people need to be told to patch their system? But the model and structure of the internet as a decentralized sy
  • by 3seas (184403) on Thursday August 14, 2003 @08:25PM (#6701770) Journal
    Those in the US north east and south east Canada.....

  • MS Worm & Power Cuts (Score:5, Interesting)

    by Anonymous Coward on Thursday August 14, 2003 @08:25PM (#6701771)
    OK you'd have to be a cyber terrorism nut to believe the power blackouts were caused by the virus but some friends at Con-Ed have told me the virus isn't totally innocent, apparently the trouble ticketing / work management system some of the affected power companies are using is running on a load of windows servers and not all of them managed to get patched in time. So the recovery operation is being hampered a bit by the worm.
    And I thought those guys were just exagerrating things.
  • News Flash (Score:5, Funny)

    by ReyTFox (676839) on Thursday August 14, 2003 @08:27PM (#6701778)
    SCO declares that it holds the copyrights to LoveSan and demands that all clones pay a $1500 licensing fee.
  • The new version targets power generating stations running Win2k and leaves the following line in the event log:

    The Continue Generating Power For Most Of North America Server service failed to start due to the following error: The system cannot find the file specified.

  • by SimplexO (537908) on Thursday August 14, 2003 @08:30PM (#6701803) Homepage
    This post is about what Symantec [sarc.com] calls W32.Blaster.C.Worm [sarc.com]. Don't forget that there is also a W32.Blaster.B.Worm [sarc.com].

    B:
    Adds the value:
    "windows auto update"="penis32.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run so that the worm runs when you start Windows.


    C:
    Adds the value:
    "Microsoft Inet Xp.."="teekids.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run so that the worm runs when you start Windows.


    The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant.
  • by sgtsanity (568914) on Thursday August 14, 2003 @08:31PM (#6701810)

    This uses the same vulnerability as before. Which means that if you were hit by but recovered from blaster, you'll be safe from this one. That said, this is a more virulent form, and will screw over unprotected networks even faster. But it won't be nearly as damaging as the original. This is just an example of an anti-virus software producer hyping up a virus to sell their product.

  • bleh (Score:2, Interesting)

    by Solikawa (604301)
    I think it's funny that I've had the patch since it's been out and almost everybody in the US doesn't have their boxes patched. It kinda pisses me off though, that M$ is not getting blamed for having the vulerability. Yes, nobody is perfect, I'm sure Linux and MacOS have exploits that can do the same things, except they don't make $498,324,059,872,309 a minute. The world needs to realise thats all bill wants to do: make money from idiots
    • Re:bleh (Score:3, Insightful)

      Honestly, that was a silly rant. What does making money have to do with it? Why do you suddenly end with a rant about what Bill wants to do, as if you know?

      I guess I'm just curious how this became "+4 Interesting." Yes, we know Microsoft tries to make money.

      Why should "M$" (that always-clever dollar sign that never stops being incredibly amusing and funny) take the blame for what you started out saying--people who don't patch their boxes are getting hit?
  • by MacrosTheBlack (169299) on Thursday August 14, 2003 @08:34PM (#6701842)
    Microsoft have released a tool to scan your local network (or the whole net if u really wanted to).
    Download [microsoft.com]
    Network admins have fun.
  • by mraymer (516227) <mraymer@@@centurytel...net> on Thursday August 14, 2003 @08:37PM (#6701861) Homepage Journal
    First, let me say that in Soviet Russia, the file sends YOU to have MY advice!

    Yeah that sucked. Anyway, I find it interesting to note the common public reactions to these outbreaks of exploits.

    For example, this link [cnn.com] shows a CNN poll where "Doing Nothing" about the worm is tied with "already downloaded a patch" -- this is kind of interesting, since CNN would be a more "general user" audience than tech savvy folk here.

    I wonder why no one seems to really care about computer security until it hits them with data loss, or worse.

    Patches and backups are things people always promise to do "later" -- and, luckily for data recovery companies, later seldom comes.

    I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems? Would you trace them to user negligence, or Microsoft software, or perhaps a combination of the two? Perhaps it's some other factor, such as the "dumbing-down" of computers by the media leading to common misconceptions?

    Sometimes, as reports of Windows exploits become a daily news item, I often wonder when people will, en masse, decide they've simply had enough and switch?

    • by Un pobre guey (593801) on Thursday August 14, 2003 @08:56PM (#6701995) Homepage
      I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems?

      Most common "problem" I have seen is that people do the following:

      1)Get a computer, with OS and some software installed

      2)Use the computer

      3)If buy commercial software, install it, hitting OK every time it appears

      4)If download arbitrary software from the net, install it, hitting OK every time it appears

      5) If computer seems sluggish or something seems wrong, do one or more of the following:

      • Go to the Program Files directory (of course it's Windows) and delete one or more directories containing programs you recall having installed recently
      • Hunt around the hard disk and delete things that don't look right
      • Buy software that supposedly fixes your system, and run it several times consecutively, choosing different options each time
      • Reboot
      • Re-install the operating system
      6) Go to 2)

      This algorithm is run continuously for several years.

  • by thanjee (263266) on Thursday August 14, 2003 @08:37PM (#6701863) Journal
    Lovsan is a proprietry product of SCO. All users who are running Lovsan on their computers without a lisense will face charges of $5,000.
    Lisensing fees start at $699 for home users.
  • by ecalkin (468811) on Thursday August 14, 2003 @08:39PM (#6701874)
    i was wondering about the motivations of the person(s) that wrote this. they seemed to have a mad-on against microsoft. what seemed weird was that if this had been a 'quiet' worm that spread, there would have been a lot more machines that were infected on dday. ms being hit by a large number of zombies and having to *beg* people to clean up their systems would have been pretty funny.

    i saw the news about the second (and third) versions and i just wondered if these (all three) we just a distraction. i wonder how many people looked for an awfully obvious process and if they did't see it, well, that was the end of the story?

    somethings smells here.

    eric
    • by Black Parrot (19622) on Thursday August 14, 2003 @08:54PM (#6701990)


      > i saw the news about the second (and third) versions and i just wondered if these (all three) we just a distraction. i wonder how many people looked for an awfully obvious process and if they did't see it, well, that was the end of the story? somethings smells here.

      I've always wondered whether someone planning a criminal break-in somewhere might not release a virus as a cover, so that the victim would shrug off any anomalies on their system as side effects of the virus, and think the virus fix was end-of-story.

  • I'm surprised someone doesn't write a worm to patch the vulnerability and clean the system, if already compromised. After all, if you don't mind leaving yourself open to attack by a malicious worm, how can you complain about getting repaired by one that is beneficial?
    • Probably a troll - but a really *bad* idea. It's been done in the past. Problem being - the follow up virus caused more damage than the original, and infected a lot of uninfected user's machines. In the worm world (worm = nonparasitic network-based), it would still cause heavy traffic with the scans, even if it didn't infect anyone but already infected machines.

      Ever written a complex low-level program that ran on millions of machines without a single user ever finding a bug in it? printf("Hello world!"

  • Benevolent Virii (Score:4, Interesting)

    by pavon (30274) on Thursday August 14, 2003 @08:44PM (#6701920)
    You know here's an cool idea, seeing as the biggest problem with virii is that people don't keep their systems up-to-date.

    When someone finds out about an exploit, they tell the company about it (aka MS) and give them time to come up with a patch. Then after sufficient time has passed for security concience people to patch their systems, a virus is released that takes advantage of the exploit to either inform the user that their system is vulnerable and that they should install the patch, or simply install the patch for them.

    Alot of times it seems to take a big attack for busy system admins to roll out a system wide update. I have talked to people whose work computers have been hit pretty hard by virii and I just wonder what would have happened had they been hit by a truely malicious virus, not just these annoying but easily recoverable ones. It scares me.
  • culpability (Score:5, Interesting)

    by negacao (522115) * <dfgdsfg@asdasdasd.net> on Thursday August 14, 2003 @08:45PM (#6701923)
    This is getting extremely annoying - I'm still getting hits daily from Code Red & Nimda. I'd like to personally line up each person who hasn't patched thier system and slap them.

    Along with the idiots at microsoft who don't make updates for IIS available though windowsupdate. (in my experience, ymmv.) C'mon, it's shipped with the OS, you've got automatic updates on by default, so make them patch the goddamn webserver.

  • Net slowdowns... (Score:4, Interesting)

    by antdude (79039) on Thursday August 14, 2003 @08:57PM (#6702008) Homepage Journal
    This might be off-topic. I have a question on "Net slowdowns are expected over the weekend when both versions of the virus start their attack."

    Is this why slashdot.org feels slow/not responding and have missing images? All other Web sites seem fine. I noticed this at work, home, etc. with Mozilla v1.4.
  • by jprupp (697660) on Thursday August 14, 2003 @09:01PM (#6702037)
    Hey AV experts, just wait till the 17th to post a fix, please?, in the meantime, have fun, enjoy the beach, watch windowsupdate.com as it goes DoSed, what a wonderful life!. At last a virus that goes to the source of the problem. hehehe I think I'll get some Karma for saying this, well, some Karma is not too bad!.
    • by abcxyz (142455) *
      Actually the DDOS attempt should have be to windowsupdate.microsoft.com. Windowsupdate.com is not the correct alias and currently does a redirect to the correct website. I suspect they will make sure that the DNS settings are modified so that any hits from the worm don't impact their website.
  • by FuzzyDaddy (584528) on Thursday August 14, 2003 @09:09PM (#6702086) Journal
    Given the size of the vulnerability (all windows systems connected to the internet, regardless of whether you're running any applications), we should be thankful this worm came out so everyone will get out and patch their system.

    If this worm didn't exist, the systems would remain unpatched until some much more destructive exploit was distibuted (say, deleting all your files).

    Think of it as vaccination - a mild form to shore up our defenses, so a killer form doesn't get us.

  • by bruthasj (175228) <.moc.oohay. .ta. .jsahturb.> on Thursday August 14, 2003 @09:26PM (#6702196) Homepage Journal
    One major manufacturing facility in Taiwan that I work with had its internal network hit including control devices running on Windows NT. It probably caused between 1 to 2 million dollars in damage because of production delays.

    I had to stay up till 12am trying to figure what the crap was going on with my equipment when it was communicating with those stupid NT servers. We're running Redhat and I was sitting there using tcpdump trying to figure out what was wrong with the packets.

    It looks normal from the Redhat side, but you'll get no responses from the Application layer on the NT side. It must flood the send pipe in the TCP/IP socket layer on the NT side.

    WARNING: If you're running Linux in the Enterprise and you're interfacing NT, you'll be blamed first. Just know it ain't your fault.
  • by codepunk (167897) on Thursday August 14, 2003 @09:27PM (#6702205)
    Damn if you are going to write a worm make it do some damage. You back hats are really starting to bore the shit out of me.

    For instance take this worm and add the ability for it to seek the network for every single excel spread sheet it can find and randomly mix up a couple of cell values. Then have it set the access time back to the original.

    Hell just write a few bytes to a random location in any file you can access.

    Come on black hats, quit boring me!
  • by sanx (696287) on Thursday August 14, 2003 @10:18PM (#6702547) Homepage
    OK - maybe this is a -5 Flamebait here, but here's a couple of my thoughts.

    The desktop world is ruled (by numbers, anyway) by Microsoft. Any potential malware s'kiddie can knock together some malware in a few hours, dump it into some unsuspecting newsgroup somewhere or email it to his Outlook-using mates and start an epidemic relatively easily. The sheer number of vulnerable machines makes that easy.

    The installed base of Windows boxes also means that, despite MS not opening up their code to anyone (except governments and universities willing to sign away their first-born as insurance against breaking the NDA), large numbers of people spend vast tracts of time throwing McValue Meal-sized URLs at web-servers and mutant packets at RPC interfaces.

    Lots of people x Lots of time x Lots of machines = lots of vulnerabilities found...

    Now consider *nix. It has a number of advantages straight off the block:

    1. It's open source. Code that finds its way into the kernel goes through the best peer-review system available; public scrutiny.
    2. Generally, the people who run *nix are more tech-savvy than an average Joe Blow.
    3. Any vulnerabilities that are found get acknowledged and fixed very quickly.
    But what would happen if *nix had the sort of desktop penetration that Windows does? How quickly would the kind of person that thinks a computer case is called a 'hard drive' apply a *nix security patch? If *nix was that popular, how many more people would devote vast tracts of time to finding obscure security holes and vulnerabilities?

    Just a thought. Now flame away ;)

  • by seattlenerd (688404) on Thursday August 14, 2003 @11:10PM (#6702805) Homepage
    Just in case others got misled by the general press reports: The MSBlast (and its two known variants) worm attack against WindowsUpdate.com will really start at 4 a.m. Pacific Friday (Redmond time). As noted in this News.com piece [news.com] the widely-reported "midnight" is really "when a PC clock shows midnight" -- whenever Friday becomes Saturday, starting across the International Date Line [timeanddate.com] in Anadyr, Russia. Set your TiVos accordingly, assuming you have power.
  • by mgpeter (132079) on Thursday August 14, 2003 @11:42PM (#6702957) Homepage
    I was updating a couple computers tonight, and at 10:20 Central Time, windows update worked great. At 10:30 windows update and microsoft.com website is unaccessible.

    Nothing, Nada.

    I guess in a weird sort of way, its ironic.
  • by steveoc (2661) on Thursday August 14, 2003 @11:55PM (#6703016)
    There are massive legal rammifications to this.

    Firstly, the second strain of the virus is clearly derived from
    the first strain. This is blatant piracy, and a violation of the
    cherished IP of the original authors.

    The original author of the virus is now in a position to reap a windfall, by :
    - Suing the second author to the tune of $3Bn for having blatantly stolen their code.
    - Suing the thousands of owners of infected machines because they may be running pirated code in violation of the DMCA.
    - Offering infected users a $699 licence fee for running the derived virus, which will protect them from any further legal action.

    What the authors of the second, derived virus have done is abominable, and shows a callous disregard for the IP rights of the original authors. They are nothing but pirates, and a threat to the wholesome values of benign free-trade capitalism.

    -----------------------
  • by billsf (34378) <billsf&cuba,calyx,nl> on Friday August 15, 2003 @05:30AM (#6704112) Homepage Journal
    Perhaps to not be redundant, most appear to view this as a comedy issue. Maybe all future Microsoft security issues, worms and trojans should be filed under the comic section?

    It is certainly redundant to state the simple solution is to abandon all Microsoft products. There must be hundreds of exploits 'widely known among hackers' but not known to Microsoft and/or published. Any 'hacker' worth his salt can get into any NT type server with a minimal effort and can certainly get to clients and install servers. The truth of he matter is us old hacks are really bored with Microsoft.
  • Poorly Written Worm? (Score:4, Interesting)

    by MrIcee (550834) on Friday August 15, 2003 @11:17AM (#6705559) Homepage
    Yesterday we received a call from our COLO who said he was monitoring unusual activity on our SUN servers. He said we were getting constant port scans solid for the last 12 hours.

    I asked if he could determine where the scans were coming from and he said that this was unusual and he was looking into it. He pointed out that there was no damage being done, but was curious as to who would be doing 12 hours of constant port scanning.

    After an hour he called back and said that the scans were coming from just about everywhere, and that they were scanning only the port used by the Worm. His conclusion (and mine as well) was that a fault in the random number generation method used by the worm caused it to pick our Class C address block more than other ones, and thus we were getting the scans.

    No damage is being done... so I guess we merely wait until (hahahahah) all these lusers patch their systems - but really, can the script kiddies out there PLEASE learn how to write GOOD code before releasing their worms? (or did this come straight out of microsoft labs itself - seems their typical crap coding style).

    Perhaps they should have used the SGI LAVA RANDOM NUMBER GENERATOR.

Two is not equal to three, even for large values of two.

Working...