
LovSan Clone Let Loose

JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."
  • gotta say it (Score:2, Interesting)

    by minus_273 ( 174041 ) <{aaaaa} {at} {SPAM.yahoo.com}> on Thursday August 14, 2003 @08:19PM (#6701713) Journal
    Bill Gates, why do you let this happen? Any coincidence that the attack is exactly one month to the day after the hole was announced?
  • Ugh, lazy patchings (Score:5, Interesting)

    by AEton ( 654737 ) on Thursday August 14, 2003 @08:21PM (#6701728)

    The RPC vulnerability this worm exploits was patched at least three weeks ago. Maybe if people would get it through their skulls that Windows ships with a BIG WINDOWS UPDATE LINK [microsoft.com] in the Start Menu for a REASON, and maybe if people would at least check for new, fun things weekly, these viruses wouldn't spread quite so far. The news outlets that focus on the "horrific" damage instead of the easy fix are doing their subscribers a disservice.

    Besides, even if you don't care about security, you must at least admit it's fun to see a new "This vulnerability could allow an attacker to execute malicious code"-patch every week. I wonder what'll happen when Microsoft's numbering system overflows...

  • by Doppler00 ( 534739 ) on Thursday August 14, 2003 @08:24PM (#6701763) Homepage Journal
    Actually, I'm wondering why the heck the RPC service is allowed to be exposed on the internet interface in the first place. There is absolutely no good reason for Microsoft to design it this way. Sure, I could understand it being useful for corporate networks, but to leave it on and not allow you to turn it off is ridiculous.

    This isn't so much about security as it is poor design on the part of Microsoft, leaving so many useless services exposed to the internet.
  • MS Worm & Power Cuts (Score:5, Interesting)

    by Anonymous Coward on Thursday August 14, 2003 @08:25PM (#6701771)
    OK you'd have to be a cyber terrorism nut to believe the power blackouts were caused by the virus but some friends at Con-Ed have told me the virus isn't totally innocent, apparently the trouble ticketing / work management system some of the affected power companies are using is running on a load of windows servers and not all of them managed to get patched in time. So the recovery operation is being hampered a bit by the worm.
    And I thought those guys were just exaggerating things.
  • bleh (Score:2, Interesting)

    by Solikawa ( 604301 ) <.moc.liamg. .ta. .devlove.keeg.> on Thursday August 14, 2003 @08:33PM (#6701829) Journal
    I think it's funny that I've had the patch since it's been out and almost everybody in the US doesn't have their boxes patched. It kinda pisses me off, though, that M$ is not getting blamed for having the vulnerability. Yes, nobody is perfect; I'm sure Linux and MacOS have exploits that can do the same things, except they don't make $498,324,059,872,309 a minute. The world needs to realise that's all Bill wants to do: make money from idiots.
  • by Anonymous Coward on Thursday August 14, 2003 @08:35PM (#6701846)
    Point taken, but badly stated. The FSF cracking incident was due to an application that runs on Linux, and does not ship with most Linux distributions--it has to be intentionally downloaded and installed.

    So are we going to start adding all securities in third-party apps that run on Windows to the "Windows vulnerability" list? That's crazy.

    Linux is a kernel, yes. But the fact that it's available in that form if that's all you want is an advantage, not a technicality. Try getting Windows without a GUI, or SMB.
  • by mraymer ( 516227 ) <mraymer@nOsPaM.centurytel.net> on Thursday August 14, 2003 @08:37PM (#6701861) Homepage Journal
    First, let me say that in Soviet Russia, the file sends YOU to have MY advice!

    Yeah that sucked. Anyway, I find it interesting to note the common public reactions to these outbreaks of exploits.

    For example, this link [cnn.com] shows a CNN poll where "Doing Nothing" about the worm is tied with "already downloaded a patch" -- this is kind of interesting, since CNN would be a more "general user" audience than tech savvy folk here.

    I wonder why no one seems to really care about computer security until it hits them with data loss, or worse.

    Patches and backups are things people always promise to do "later" -- and, luckily for data recovery companies, later seldom comes.

    I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems? Would you trace them to user negligence, or Microsoft software, or perhaps a combination of the two? Perhaps it's some other factor, such as the "dumbing-down" of computers by the media leading to common misconceptions?

    Sometimes, as reports of Windows exploits become a daily news item, I often wonder when people will, en masse, decide they've simply had enough and switch?

  • by ecalkin ( 468811 ) on Thursday August 14, 2003 @08:39PM (#6701874)
    I was wondering about the motivations of the person(s) that wrote this. They seemed to have a mad-on against Microsoft. What seemed weird was that if this had been a 'quiet' worm that spread, there would have been a lot more machines infected on D-day. MS being hit by a large number of zombies and having to *beg* people to clean up their systems would have been pretty funny.

    I saw the news about the second (and third) versions and I just wondered if these (all three) were just a distraction. I wonder how many people looked for an awfully obvious process and, if they didn't see it, well, that was the end of the story?

    Something smells here.

    eric
  • by Larthallor ( 623891 ) on Thursday August 14, 2003 @08:40PM (#6701881)
    I'm surprised someone doesn't write a worm to patch the vulnerability and clean the system, if already compromised. After all, if you don't mind leaving yourself open to attack by a malicious worm, how can you complain about getting repaired by one that is beneficial?
  • Exactly. (Score:4, Interesting)

    by jpsowin ( 325530 ) on Thursday August 14, 2003 @08:41PM (#6701889) Homepage
    Yes, and notice that their anti-virus program detects both versions of the virus (the old and the "expectant" one) without even an UPDATE? Hmmmm... ;)
  • Re:Let's see here (Score:3, Interesting)

    by Frenchy_2001 ( 659163 ) on Thursday August 14, 2003 @08:42PM (#6701900)
    There is also a difference of scale in the sheer number of computers running the infected software. Outside of /., what is the percentage of people running anything other than Windows on their desktop? Moreover, what are the technical competencies of those people? M$ tried to make the update process as painless as possible through their Windows Update website, but it seems to me that it is STILL a failure. 300k+ computers already infected? I can't believe this is ONLY NT4 machines with no auto updates...
  • Benevolent Virii (Score:4, Interesting)

    by pavon ( 30274 ) on Thursday August 14, 2003 @08:44PM (#6701920)
    You know, here's a cool idea, seeing as the biggest problem with virii is that people don't keep their systems up-to-date.

    When someone finds out about an exploit, they tell the company about it (aka MS) and give them time to come up with a patch. Then, after sufficient time has passed for security-conscious people to patch their systems, a virus is released that takes advantage of the exploit to either inform the user that their system is vulnerable and that they should install the patch, or simply install the patch for them.

    A lot of times it seems to take a big attack for busy system admins to roll out a system-wide update. I have talked to people whose work computers have been hit pretty hard by virii and I just wonder what would have happened had they been hit by a truly malicious virus, not just these annoying but easily recoverable ones. It scares me.
  • culpability (Score:5, Interesting)

    by negacao ( 522115 ) * <dfgdsfg@asdasdasd.net> on Thursday August 14, 2003 @08:45PM (#6701923)
    This is getting extremely annoying - I'm still getting hits daily from Code Red & Nimda. I'd like to personally line up each person who hasn't patched their system and slap them.

    Along with the idiots at Microsoft who don't make updates for IIS available through Windows Update (in my experience, ymmv). C'mon, it's shipped with the OS, you've got automatic updates on by default, so make them patch the goddamn webserver.

  • by Black Parrot ( 19622 ) on Thursday August 14, 2003 @08:54PM (#6701990)


    > I saw the news about the second (and third) versions and I just wondered if these (all three) were just a distraction. I wonder how many people looked for an awfully obvious process and, if they didn't see it, well, that was the end of the story? Something smells here.

    I've always wondered whether someone planning a criminal break-in somewhere might not release a virus as a cover, so that the victim would shrug off any anomalies on their system as side effects of the virus, and think the virus fix was end-of-story.

  • by WHudson ( 31692 ) on Thursday August 14, 2003 @08:56PM (#6702004)
    I always wondered if the anti-virus companies have some programmers on their payroll who work on developing viruses -- either to predict things before they hit, or to keep product updates coming and profitable.
  • Net slowdowns... (Score:4, Interesting)

    by antdude ( 79039 ) on Thursday August 14, 2003 @08:57PM (#6702008) Homepage Journal
    This might be off-topic. I have a question on "Net slowdowns are expected over the weekend when both versions of the virus start their attack."

    Is this why slashdot.org feels slow/not responding and has missing images? All other Web sites seem fine. I noticed this at work, home, etc. with Mozilla v1.4.
  • Re: Cloning.. (Score:5, Interesting)

    by Henry V .009 ( 518000 ) on Thursday August 14, 2003 @08:57PM (#6702009) Journal
    Is there some reason that virus writers don't create their viruses to modify themselves automatically? It would be easy to defeat a checksum automatically. If you wanted to get really fancy, you could have it completely rewrite the code randomly by substituting different assembly sequences that are mathematically equivalent.
  • Re: Cloning.. (Score:5, Interesting)

    by Black Parrot ( 19622 ) on Thursday August 14, 2003 @09:07PM (#6702075)


    > Is there some reason that virus writers don't create their viruses to modify themselves automatically? It would be easy to defeat a checksum automatically.

    Maybe some of them do do that, and the A-V firms haven't caught on yet.

    Seriously, IMO the kind of worms we've seen so far are child's play compared to what we can expect when someone wants to do some serious damage. In the future we'll have stealth worms that just flip a few bits on your system and then erase themselves after propagating to another computer or two, worms that work as a genetic algorithm to optimize effectiveness and continually feed new variants into new "ecological niches" of the internet, worms that are mathematically optimized for the fastest spread, or conversely for the broadest under-the-radar spread, etc.

    The future is bleak, IMO.

  • Re:Feeling left out (Score:5, Interesting)

    by anubi ( 640541 ) on Thursday August 14, 2003 @09:09PM (#6702087) Journal
    Oooh man, tell me about it. I don't know what I'm missing, I suppose.

    I had been working on my CAD system on my home machine running WIN95 and DOS. I wasn't even aware anything was amiss until I logged onto Slashdot to see what's new. I was wondering why it was so slow. My firewall responded in a bit and told me I was getting a helluva lot of connect attempts on port 135. So, I go look up the log file and it looked like SQL Slammer all over again. Almost a megabyte of infection attempts. I wondered at first if I had made an enemy on a dialup??? In 4 hours??? Why did the whole world seem determined to wax me off the web? Damn, it seemed like everyone in the world was wanting my port 135.

    Ok.. so I continue to read Slashdot and the story finally loads about this new LovSan virus making the rounds. Hmmm. When I think of how much work would have been lost had something come in and messed up my machine, I shudder. But then, I don't run my machine wide open to the net. I try to practice secure techniques - such as never allowing any programs to run whose intentions I have not verified, and not running anything that allows embedded executables ( read: javascript and later things post DMCA that haven't been "cleared" by what I consider trusted groups - which are mostly the groups the DMCA was aimed at in the first place. )

    Sure, there are a lot of websites that I can no longer see. I can not even access the Southern California Edison site, nor many business sites - as they require these embedded-executable technologies as a requisite to viewing their content.

    So, I sit here, with a pretty fast system, as it's pretty simple. I have no virus scanning going on, as I am not running just anything I get in. I do have an integrity monitor running, which does a quickie on startup to see if any critical files are amiss ( it just calculates an MD5 on my key executables and compares to what they should be. ).. if so, booting to GUI is aborted and I drop to DOS to straighten it out - but it's never happened outside a test situation.

    I keep getting all these people telling me I should upgrade and be current with the times. I would gladly upgrade if the later stuff was actually better and more robust than the earlier stuff - but that's not what I see.

    Oh yes, the "presentation skills" are definitely better on the new stuff, but I see the new systems much like a stunningly beautiful secretary that I can't trust, and spends a helluva lot of time doing her makeup.

    I try to tell these business people what they are getting into by running software that hasn't been verified for trustworthiness, but they seem happy to go ahead and do it anyway as long as there is someone else to blame if things go amiss. I hoot till I'm blue in the face about these businessmen who put content on the web that can only be viewed with proprietary readers, whose underlying trojan motives, if any, can no longer be legally ascertained as a result of the DMCA.

    I am especially puzzled by business's perception of proper etiquette. Would they hire a sales rep that constantly interrupted a customer in mid-question with comments on his grammar or spelling? Or worse yet, rudely hangs up on customers if they don't understand something? Is not a corporate web-site their sales-rep in cyberspace? Why would a business hire such rude representatives that coin their own protocols and chide the customers relentlessly for not adhering to their latest incarnations of the communications protocol "standard"?

    At the risk of redundancy, I'll say it again. I do not like these proprietary unverifiable protocols. I consider them very risky - to me. I really don't care if YOU get hit with a virus, but I don't want any part of it.

    Ok.. I just had to get this off my chest. It might cost me a bit of karma, but I had to say it in public in the hopes that someone in management that makes the decisions will hear my plea.
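The startup check the post above describes (hash the key executables, compare against a known-good list, refuse to boot the GUI on any mismatch), written out as an added example; it is not the commenter's tool. It uses SHA-256 instead of MD5, because MD5 collisions are practical and an attacker who knows the baseline can craft a replacement with a matching MD5. The sample "executables" are created in a temporary directory so the example runs offline; the file names, the baseline format and the abort rule are assumptions.

```python
"""Added example: a minimal boot-time file integrity check.

Not the commenter's monitor. File names, baseline layout and the
"abort if anything deviates" policy are assumptions for illustration.
"""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record the known-good digest of each monitored file (taken on a clean system)."""
    return {p: file_digest(p) for p in paths}


def check_integrity(baseline: dict) -> dict:
    """Return {path: 'ok' | 'modified' | 'missing'} for every baselined file."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digest(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def should_boot(report: dict) -> bool:
    """The commenter's rule: any deviation aborts the GUI boot."""
    return all(status == "ok" for status in report.values())


def demo() -> dict:
    """Constructed scenario: three 'executables'; one gets bytes appended, one is deleted."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("a.exe", "b.exe", "c.exe")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    baseline = build_baseline(paths)
    with open(paths[1], "ab") as f:      # tamper with b.exe
        f.write(b"\x90")
    os.remove(paths[2])                  # c.exe disappears
    report = check_integrity(baseline)
    return {os.path.basename(p): s for p, s in report.items()}


if __name__ == "__main__":
    r = demo()
    print(r, "boot allowed:", should_boot(r))
```

The check is only as trustworthy as the baseline and the checker themselves: both have to live somewhere the code being checked cannot rewrite (read-only media, or a baseline under a signature verified at startup), otherwise anything that can replace an executable can also update the list of "correct" digests.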

  • by PhoenixK7 ( 244984 ) on Thursday August 14, 2003 @09:18PM (#6702155)
    It is certainly evident that either Windows was not originally designed to be secure, or that those who coded it were fairly sloppy in implementing the design (perhaps a little of both).

    The fact that nobody patches their systems is an indication that the delivery method is flawed. It must be that the patching system has one or more of the following problems:

    1. Too complicated, or too flaky to make updates simple
    2. The importance of patching is not impressed on the user at install time
    3. Patches are too flaky to have automated installations done without even bugging the user

    The thing is, all of the above are true on some level. Windows Update is flaky; patches don't always install properly. And on top of that it doesn't keep good track of what updates are installed. It doesn't check library versions, or versions of actually installed files; it checks some database that IT generates. Regarding the second point, it's too damn easy to switch off automated updates altogether. No reason to bug the user more than once, but use some bold type in there noting that they could get r00ted and their files could magically disappear. The last point is valid as well. If I recall correctly, a patch for a recent worm, in its original incarnation, conflicted with another patch or broke certain pieces of software.

    I just don't understand why people put up with this. After you've lost as much money to downtime as it would cost to replace those Windows boxen with some other solution (Linux, Mac OS X, or anything else; this applies especially to systems where doing remote updates is easy and free. Microsoft charges for tools to deploy plugs for all the holes in their operating system on a large scale. Linux and Mac OS X updates can be performed via the command line, so you could script updates to network machines)
  • by bruthasj ( 175228 ) <bruthasj@@@yahoo...com> on Thursday August 14, 2003 @09:26PM (#6702196) Homepage Journal
    One major manufacturing facility in Taiwan that I work with had its internal network hit including control devices running on Windows NT. It probably caused between 1 to 2 million dollars in damage because of production delays.

    I had to stay up till 12am trying to figure what the crap was going on with my equipment when it was communicating with those stupid NT servers. We're running Redhat and I was sitting there using tcpdump trying to figure out what was wrong with the packets.

    It looks normal from the Redhat side, but you'll get no responses from the Application layer on the NT side. It must flood the send pipe in the TCP/IP socket layer on the NT side.

    WARNING: If you're running Linux in the Enterprise and you're interfacing NT, you'll be blamed first. Just know it ain't your fault.
  • Re: Cloning.. (Score:5, Interesting)

    by DeadMeat (TM) ( 233768 ) on Thursday August 14, 2003 @09:33PM (#6702252) Homepage
    Self-mutating viruses have been around for over a decade. They're called polymorphic viruses, and they usually work by reordering instructions, randomly inserting useless instructions (like NOP or OR AX, AX), or encrypting the virus against a varying table of keys and then decrypting the virus at runtime.
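What "encrypting the virus against a varying table of keys" does to a checksum-based scanner, as an added example that is not from the thread or any real sample: the body is an inert text string constructed here, each generated instance XOR-encodes it under a different key and prepends a variable run of filler bytes (the NOP-padding trick from the comment), so every instance has a different hash while decoding to identical bytes. The header layout, key length and filler byte are assumptions made for the demonstration.

```python
"""Added example: why a whole-file hash signature fails against polymorphism.

The 'payload' is inert text, not code. Header layout (key length byte,
key, 2-byte filler length) and the 0x90 filler byte are assumptions.
"""
import hashlib
import os

PAYLOAD = b"CONSTRUCTED-INERT-PAYLOAD: this is just text, not code"
FILLER = b"\x90"  # x86 NOP opcode, used here purely as inert padding


def make_instance(key: bytes, filler_len: int) -> bytes:
    """Build one instance: header(key, lengths) + filler + XOR-encoded body."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(PAYLOAD))
    header = bytes([len(key)]) + key + filler_len.to_bytes(2, "big")
    return header + FILLER * filler_len + body


def decode_instance(blob: bytes) -> bytes:
    """The decryptor stub every instance carries: parse header, recover the body."""
    klen = blob[0]
    key = blob[1:1 + klen]
    filler_len = int.from_bytes(blob[1 + klen:3 + klen], "big")
    body = blob[3 + klen + filler_len:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def random_instance() -> bytes:
    """Fresh key and filler length per copy, as a polymorphic engine would do."""
    return make_instance(os.urandom(8), int.from_bytes(os.urandom(1), "big"))


def fingerprint(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def signature_match(blob: bytes, known_digest: str) -> bool:
    """Naive scanner: whole-file hash compare. This is the check polymorphism defeats."""
    return fingerprint(blob) == known_digest


def behaviour_match(blob: bytes) -> bool:
    """What a scanner must do instead: run the decoder and inspect what comes out."""
    return decode_instance(blob) == PAYLOAD


if __name__ == "__main__":
    a, b = random_instance(), random_instance()
    print("same digest? ", fingerprint(a) == fingerprint(b))       # almost surely False
    print("same payload?", decode_instance(a) == decode_instance(b))  # True
```

The only part common to every instance is the small decoder, which is why scanners moved from whole-file checksums to matching the decryptor stub or emulating it and scanning the decrypted body.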
  • Re:gotta say it (Score:4, Interesting)

    by Overly Critical Guy ( 663429 ) on Thursday August 14, 2003 @09:34PM (#6702255)
    The 800kb patch has been out since last month. If you didn't patch, you know who to blame. Not Bill Gates.

    As a matter of fact, this has been the only vulnerability in Windows Server 2003 since its release, and it was a vulnerability that was inherent in the interprocess structure of the Win32 library itself and so affected all the products in the Windows line.

    I doubt we'll see any other holes in Windows Server 2003 for the rest of the year, especially since they're already working on the service pack (their plan is to phase in Blackcomb features). Microsoft's reputation is riding on this, and you better believe they were checking their code like crazy.
  • by mAineAc ( 580334 ) <mAineAc_____&hotmail,com> on Thursday August 14, 2003 @10:00PM (#6702424) Homepage
    What was it, a month or two ago, that Microsoft said they were going to start charging for updates? If they were to start doing that tomorrow, Microsoft would become richer and more powerful because everyone will remember this and start paying for the updates because they don't want to see this happen to their system again. Very few people even realize there are other options out there for operating systems. I hope people start waking up soon.
  • by Anonymous Coward on Thursday August 14, 2003 @10:06PM (#6702462)
    To be fair, the media's not going to be interested in reporting that it's not as bad as it seems.

    (Note: I'm not saying it's not that bad, I'm saying don't trust the media to tell us it's dying.)


    Well, to be honest, if it didn't sell, the media wouldn't report it that way. People LOVE catastrophe and doomsday predictions, for some odd reason.
  • Re: Cloning.. (Score:5, Interesting)

    by J.J. ( 27067 ) on Thursday August 14, 2003 @10:42PM (#6702679)
    In my opinion, you have three classes of people that are capable of writing a worm:

    The curious amateur

    This guy has a couple clever ideas, few scruples, and a lot of spare time. All the wide-spread (and well-covered) worms, to date, have come from this kind of guy.

    The white-hat professional

    These are your security researchers and other security professionals. These are the guys that get paid to work in this field every day. They're smart, they understand the details of the security business, and they're fully aware of the extreme vulnerability of the Internet. Like you, they know how bad a "real worm" could be.

    The black-hat professional

    These are your security researchers and security professionals. These are the guys whose job is security. They're smart, they understand the details of the security business, and they develop tools (including worms, trojans and viruses) to take advantage of these vulnerabilities. These tools are developed for a specific purpose: to further the objectives of their employer. You don't hear about them, because their tools are low-n-slow and their impact is very targeted and controlled.

    The difference between a white-hat and a black-hat is a matter of perspective. The world is a big place. Certain governments do not have the same morals as others. Read The Economist [economist.com]. The French intelligence services work very closely with French businesses. The Chinese have equally questionable practices.

    The future is not that bleak. The worms that are designed and released for wide-spread, global impact are the modern-day equivalent of graffiti on billboards. It's an ego trip, nothing more. The ones to worry about are the ones who don't have an ego, and have a specific purpose.

    Hope you're checking your logs, and I hope you notice when he hacks your systems.

    J.J.
  • Re: Cloning.. (Score:3, Interesting)

    by nolife ( 233813 ) on Thursday August 14, 2003 @11:14PM (#6702825) Homepage Journal
    I know it is the "in" thing to rag on script kiddies, but it does not matter who did the damage. Why someone has more or less respect for a root kit user or an exploit writer because it was easy or hard to implement is beyond me. It would not matter to me if my systems were cracked by Solar Designer, Linus, or a t33n gamer. My claiming I was only cracked by a script kiddie does not make it any better; the damage is still the same. If it was something I could have patched but did not, I'd blame myself first.

    IMHO (probably not a popular one), someone who writes a virus that replicates by seeking out other victims through sockets is not what I consider to be a script kiddie [google.com]. Code Red and Slapper were similar. Regardless of how poorly you think it is written, it has taken down [infoworld.com] between 250,000-500,000 internet users in only three days.
  • Re: Cloning.. (Score:3, Interesting)

    by Shanep ( 68243 ) on Thursday August 14, 2003 @11:40PM (#6702947) Homepage
    I'm waiting for the day when something as effective as these worms brings a payload that writes pseudo-random data to all your hard drives and even the firmware (motherboard, modem, hdd, etc.) of popular devices.

  • by harmanjd ( 414263 ) on Friday August 15, 2003 @12:57AM (#6703300)
    Well that and many home users are just barely computer literate and don't know how to update their computers. If they buy one that doesn't have the automatic update feature already turned on, then they have no idea how or where to get the updates. My parents got the worm mostly because they didn't know there were updates, and secondly they didn't know how to do the update.
  • Re: Cloning.. (Score:3, Interesting)

    by Firehawke ( 50498 ) on Friday August 15, 2003 @09:15AM (#6704837) Journal
    They already exist. Chernobyl trashes the BIOS when it detonates, and there are old old virii from the 80s that could destroy monitors and video cards by forcing them to send bad signals. There was also at least one virus which would destroy hard drives back in the day by forcing the drive to overstep its bounds on each side, essentially beating the head against each end of the disk at high speed until it was destroyed.
  • Poorly Written Worm? (Score:4, Interesting)

    by MrIcee ( 550834 ) on Friday August 15, 2003 @11:17AM (#6705559) Homepage
    Yesterday we received a call from our COLO who said he was monitoring unusual activity on our SUN servers. He said we were getting constant port scans solid for the last 12 hours.

    I asked if he could determine where the scans were coming from and he said that this was unusual and he was looking into it. He pointed out that there was no damage being done, but was curious as to who would be doing 12 hours of constant port scanning.

    After an hour he called back and said that the scans were coming from just about everywhere, and that they were scanning only the port used by the Worm. His conclusion (and mine as well) was that a fault in the random number generation method used by the worm caused it to pick our Class C address block more than other ones, and thus we were getting the scans.

    No damage is being done... so I guess we merely wait until (hahahahah) all these lusers patch their systems - but really, can the script kiddies out there PLEASE learn how to write GOOD code before releasing their worms? (or did this come straight out of microsoft labs itself - seems their typical crap coding style).

    Perhaps they should have used the SGI LAVA RANDOM NUMBER GENERATOR.
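A triage pass over firewall logs for the port 135 probes described in this thread (the dialup firewall log a few comments up and the colo port scans above), written as an added example that is not taken from the thread. The log lines are constructed here in an iptables-style format using RFC 5737 documentation addresses, and the thresholds that separate an Internet-wide sweep from a targeted scan are assumptions.

```python
"""Added example: count and classify inbound probes to a port from firewall logs.

Log format is iptables-style (constructed here); addresses are RFC 5737
documentation ranges; the sweep/targeted thresholds are assumptions.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample: several unrelated sources each knocking once or twice on 135/tcp.
SAMPLE_LOG = """\
Aug 14 20:31:02 gw kernel: DROP IN=ppp0 SRC=192.0.2.17 DST=198.51.100.5 PROTO=TCP SPT=3321 DPT=135
Aug 14 20:31:02 gw kernel: DROP IN=ppp0 SRC=192.0.2.17 DST=198.51.100.6 PROTO=TCP SPT=3322 DPT=135
Aug 14 20:31:05 gw kernel: DROP IN=ppp0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=1044 DPT=135
Aug 14 20:31:09 gw kernel: DROP IN=ppp0 SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=4011 DPT=135
Aug 14 20:31:11 gw kernel: ACCEPT IN=ppp0 SRC=192.0.2.40 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80
Aug 14 20:31:15 gw kernel: DROP IN=ppp0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=UDP SPT=1026 DPT=135
Aug 14 20:31:20 gw kernel: DROP IN=ppp0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=22
this line is not a firewall record
"""


def parse_line(line: str):
    """Return the 5-tuple fields of one log line, or None if it is not a firewall record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def probes_to_port(log: str, port: int, proto: str = "TCP"):
    """Return (hits per source, hits per destination) for probes to `port`/`proto`."""
    by_src, by_dst = Counter(), Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["dpt"] == port and rec["proto"] == proto:
            by_src[rec["src"]] += 1
            by_dst[rec["dst"]] += 1
    return by_src, by_dst


def classify(by_src, min_sources: int = 3, max_hits_per_source: int = 10) -> str:
    """'sweep': many sources, few hits each (worm scanning the whole net, as in the
    colo report above); 'targeted': few sources hammering; 'quiet': nothing seen."""
    if not by_src:
        return "quiet"
    if len(by_src) >= min_sources and max(by_src.values()) <= max_hits_per_source:
        return "sweep"
    return "targeted"


if __name__ == "__main__":
    src, dst = probes_to_port(SAMPLE_LOG, 135)
    print("per source:", dict(src))
    print("per destination:", dict(dst))
    print("verdict:", classify(src))
```

The per-source/per-destination split is what lets you tell the two situations in the thread apart: a dialup host seeing a megabyte of attempts from scattered addresses is background worm noise, while one source walking every address in a block is someone who chose you.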

  • by Anonymous Coward on Friday August 15, 2003 @11:29AM (#6705637)
    Lucky for everyone the Blaster worm is just annoying enough that people are now aware of the security flaw in Windows XP and patching it. I work tech support; since Tuesday morning we have been getting a steady stream of users bitching about how they could get a virus just by being connected to the internet.

    If Blaster had not come out, think of all the trojan DDoS viruses that would be spreading to all these XP and 2K machines and people would never know they had been compromised.

    Sure it's a pain in the ass for me to fix everyone's PC, but it should have been done in the first place and once again people are starting to realize that if you are running Microsoft software you better keep your critical updates, umm, up-to-date.

    -nayr
  • by yomamasbooty ( 598640 ) on Friday August 15, 2003 @03:14PM (#6707278)

    We played with the worm at work in order to try and limit its damage. We found (like a lot of other companies) that if we poisoned our internal DNS by returning a null value for a DNS query for 'windowsupdate.com' that the worm stays in its propagation mode, and does not enable the SYN flood mode.

    If you do a lookup on 'windowsupdate.com' today you'll notice there is no A record entry. So the magnitude of the coming SYN flood will be minimal. Granted there may be some hosts out there with the entry cached, but their effect should be minimal. Although I would have loved to see MicroSoft get blasted this weekend (and next week when all the returning people turn on their infected workstations at work), I really did not want to see our WAN links and firewalls get flooded.

    I don't know about anyone else, but MicroSoft's help on this from a corporate standpoint was piss poor. I am a security engineer in a Fortune 100 company with 30,000+ employees. Despite all the millions we blow on M$ products every year, we were unable to get a dedicated M$ resource for this event. Any questions we had were forwarded to a "representative", and answered hours later with the answer usually being "patch your boxes". Gee thanks for the obvious answer M$, now how about some guidance from a holistic standpoint. They were unable to share any real analysis of their exploit, or what to expect. I can only imagine what little help smaller companies, and consumers, received.

    M$, take note: If you are going to produce the most easily exploitable code on the planet, then you better damn well get a dedicated security staff and make them available for events like these. Especially for large companies that have been fooled into thinking that M$ products are "enterprise ready" and that patch management for them is a no-brainer. Since things only seem to be getting worse for you (and the rest of us), I would also suggest you ramp up on the number of resources you make available. It's time to get serious.

    One other interesting point is that although the SYN flood has been averted, the worm author was still successful in DoSing windowsupdate.com by forcing them to take it down. It will be interesting to see how long the DNS entry is missing. Knowing how ineffective patching is, I don't expect to see 'windowsupdate.com' anytime soon.
