Win32 Blaster Worm is on the Rise 1251
EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and
download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.
shutdown /a (Score:5, Informative)
shutdown
That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that trys to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)
Re:shutdown /a (Score:3, Funny)
You actually believe that reading
Re:shutdown /a (Score:4, Funny)
In some cases even THAT doesn't mean you'll see smart comments
(hell, look at MY 5 point comments sometime lol
Re:shutdown /a (Score:4, Funny)
Yeah, what do you think this is, a Holiday Inn Express [ichotelsgroup.com] or something?
Re:shutdown /a (Score:5, Informative)
I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.
Re:shutdown /a (Score:5, Funny)
Furthermore, Microsoft paid out $520M only yesterday due to patent infringement with a component in MSIE.
I mean, I'm all patched up, so I know I'm safe but.. oh shit.. the shutdown timer just popped up! Microsoft must be reading what I'm typing. If only I can do this thing quick enough. OH FUCK I have to wait 20 seconds from the time I hit the reply button til when I press submit and it's getting down near 1 nowwwww
Re:shutdown /a (Score:4, Interesting)
The box hadn't been on the internet for more than 15 minutes.
Re:shutdown /a (Score:5, Insightful)
Rule 2: See rule 1. Then do it.
FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????
Re:shutdown /a (Score:5, Interesting)
The largest ISP in Sweden, Telia, had 40 servers collapse from this virus and in effect prevented 16,000 users from logging on to their ADSL service. That gives you a great deal of confidence in an ISP, right?
Laptops (Score:5, Insightful)
Re:Laptops (Score:5, Informative)
Careful with Windows Update; it is notorius for falsely reporting that patches are installed properly.. See this discussion [ntbugtraq.com] about this very patch (MS03-026).
Re:shutdown /a (Score:5, Informative)
Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunatly all our laptops were either patched or left at work yesterday and patched this morning.
The other possible point of entry is VPN's which are also notorius for letting in computers that were infected via a different net connection.
THIS IS A SUREFIRE WAY TO STOP SHUTDOWNS (Score:5, Informative)
Regards/
JP
Re:shutdown /a (Score:4, Interesting)
Funny thing is I had her computer about a month ago, and I applied all of the available patches, followed the HOWTO's I could find on shutting off services to secure XP, and turned on the personal firewall on her dialup connection, and she *still* got hit. I guess RPC isn't in the list of services that you should disable... What freaks me out is that something turned off that firewall, though. I have no idea what. Does anyone know of any common Windows software that turns off XP's firewall?
Re:shutdown /a (Score:4, Funny)
Re:Remote Procedure Call (Score:5, Informative)
The only real solution in this case is a good firewall and keeping up with the endless stream of security patches; unfortunately, Microsoft in their infinite wisdom have decided that users can't turn off RPC's network functionality. While turning off services you don't need is good security practice, there are some exploitable services that the system needs and you can't just turn off. RPC falls into this category, and you can't do much besides firewall and patch it.
Re:shutdown /a (Score:3, Insightful)
Re:shutdown /a (Score:5, Informative)
I've Never trusted windows based firewalls due to the fact that firewall vendors rely on the hooks that MS provides - if the hooks are not in the right place, the damage can be done before the firewall software sees it at all. In linux / bsd, the hooks are right there in the kernel, and you can be SURE that they are in the right place, and that there is no path around them (since you can view the source.)
I always recommend that Windows users use an external (non-windows based) firewall. There are Lots of cheap ones out now. I think you can get a soho model for under a hundred dollars. Many soho "routers" have firewalls built in. Even one of my old DSL modems from 4 years ago had one (although it was really primitive.) Zone Alarm is a great second level of defense, as it helps deal with rogue software like some spyware, but I would not rely on it alone to protect you.
Re:shutdown /a (Score:5, Funny)
So in my opinion.... Don't patch it
ChiefArcher
Re:shutdown /a (Score:5, Funny)
Re:shutdown /a (Score:5, Funny)
Re:shutdown /a (Score:5, Funny)
Exactly! It's pretty easy, actually:
If that doesn't work, just send an email to support@microsoft.com
Actual Removal Instructions: (Score:4, Informative)
1: Enable Internet Connection Firewall (for once, it actually has a use!)
2: Download and install MS03-026
3: Remove the following registry key:
HKey_Local_Machine\SOFTWARE\Microsoft\Windo
4: search for and remove all files beginning with msblast.exe
Turns out aside from DDOS'ing Microsoft, this worm is pretty harmless.
Re:Actual Removal Instructions: (Score:4, Informative)
Actually to be technically accurate, it is the RPC overflow that reboots your computer. The worm worm on your computer is actually rebooting *other peoples' computers* every minute
Re:shutdown /a (Score:5, Informative)
Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes as they are called can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done with every copy of Windows I've owned since Windows 2000.
Re:shutdown /a (Score:5, Funny)
Perhaps he was meaning to suggest using a wireless access point. That way there is no physical medium for the virus to travel over.
Good timing... (Score:3, Interesting)
Re:Good timing... (Score:5, Interesting)
Just apply the exact patch and remove the msblast.exe from your windows/system32 directory.
Then run the tool afterwards to ensure it has
gone.
The exact patch needed is here
http://www.microsoft.com/technet/treeview/d
Re:Good timing... (Score:5, Funny)
Moral of the story: I'm an asshole.
(For the record, I then told him where to get the patch, and how to cancle a running shutdown.)
Wrong link (Score:5, Funny)
The Rise (Score:5, Funny)
DOOM-DOOM-DOOM-DOOM DOOM * PANG*
At 10:06 AM, August 12th, 2003, Skynet launched dah Win32 Blaster Wahm. It quickly seized contrahl of ahh computers on the Net and forced a mahndatory reboot.
OK this is getting old.....
I might not be speaking for everyone, but I say: (Score:5, Funny)
Honest question (Score:5, Insightful)
Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.
Re:Honest question (Score:3, Redundant)
To whom it may concern:
Why aren't you blocking stupid useless open ports from the Internet? There are freely available tools [zonelabs.com] if you insist on running Windows. Then again, most electronics stores sell standalone broadband firewall/routers. If you used one of those, you could take your time and patch whenever you feel like it...
I tell all those in my circle of influence: never connect to the Internet without a firewall in place. It makes no difference what your host OS is. At the least, y
Re:Honest question (Score:5, Insightful)
Most people:
What's a port?
Do I have any?
How can I check?
Re:Honest question (Score:5, Insightful)
Specifically, we were trying to figure out if a clients BOFH was a BOFH, a PFY or a PHB. We think he's a PHB since there's a lot of money (cash and obligations) sunk into a project that needs a port opened in their firewall and he won't/can't/hasn't opened it up yet.
This may still be better than the other (former) client who put two people in our office using VPN to connect to their home network... and then changed their proxy configuration without telling anyone (like their helpdesk). It took me a week of phone tag to get one of their network analysts to finally say "OK, try this". Then they sent her an XP laptop with that setting locked into the old-and-wrong setting. I think she had to ship it back since they wouldn't cut loose with the admin password. Neither would I, but the box would have worked before I sent it out. We aren't suing them for specifically "rampant idiocy", but that MUST be a factor. We're suing them, a spokesfigure was perp-walked recently and business is way down. I wonder how long they'll manage to stay out of Chapter 11.
Stupid people suffer.
Re:Honest question (Score:5, Funny)
Do I have any?
How can I check?
A place where ships are safe from storms. See also 'port of entry'.
You have an output port on your behind.
Do yoga.
Re:Honest question (Score:5, Insightful)
Yes yes, services use it, as Steve Gibson's sayin "impossible to close without firewall"
Don't blame people not using firewall, they are mostly newbies , e.g. XP home users. Ask the real question: Why you open a port outside World by default OS install?
Everyone knew port 135 would be exploited in a real bad way before, that was just a matter of time.
If os is a client only, do not turn on rpc listening on port 135... Its THAT hard?
Precisely (Score:5, Insightful)
All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.
If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...
Re:Precisely (Score:4, Insightful)
J.
Re:Precisely (Score:4, Interesting)
Your point is certainly valid, but what makes this particular problem frustrating is not that it was a widely publicized hole, but that Microsoft's tools (e.g. Windows Update) for checking patch status are wholly inadiquate. There has been a fair amount of discussion [ntbugtraq.com] on NTBugTraq on this point leading up to the worm discovery.
Also, 30 days to test an impliment a patch on mission-critical production systems is sometimes more difficult than it seems like it should be.
There are several reasons... (Score:5, Insightful)
Windows is easier to pick up, but just as hard, possibly harder, to maintain than *nix. So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day to day.
Combine that with the sheer number of sever and critical patches MS expects you to apply, each of which must go through regression testing before deployment, and you can see why sticking the ol' head in the sand looks appealing...
J.
Re:There are several reasons... (Score:5, Insightful)
How many of those Linux holes where in the core operating system (IE, kernel + GNU tools)? I'm willing to bet zero.
Does windows still have 2 holes once you factor in Exchage, Outlook Express, IIS, IE, Office, SQL Server etc?
Re:There are several reasons... (Score:4, Funny)
IE is not a core part of the core Linux operating system no matter what you've heard.
Re:There are several reasons... (Score:4, Insightful)
Re:Honest question [Corporate Answer] (Score:4, Insightful)
We don't have a couple dozen windows boxes. We have a couple hundred thousand. Patching is *painful*. We're not talking purely servers that are affected--standard workstations. Servers get patches at a much faster rate than the user desktops.
Even after the 4-6 months goes by and the patches get the official blessing for end-user install, users don't like watching the service packs run for half an hour when they login. Besides, who trusts the users to sit around and let them install without playing with stuff.
So....We filter internal site connections to try and contain infections, and work as quickly as possible to mitigate the risks of downtime for system updates vs. the risk of collateral damage (outages) caused by Microsoft's weak code and security practices (AKA bug).
After two years, we're almost done with the Windows2000 conversion, but Microsoft has already been pushing for immediate XP deployment for a year...
Why aren't they all patched? Because nothing moves fast in large installation bases.
Honest answer (Score:5, Interesting)
I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.
My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.
Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.
We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.
When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.
At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.
So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.
Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.
And we're lucky. All our boxes are at one location. I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.
The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequate test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.
Re:Honest answer (Score:4, Funny)
seriously, though, I, for one, thank you on the behalf of all us little peon users for testing before patching. I swear, the next time the sysadmin comes around an installs something on my computer that means I have to spend hours fixing my computer before I can do any more of my real work, I'm gonna kick him in the shins...
Re:Honest question (Score:4, Insightful)
A lot of people shut that off after a patch awhile back that smoked JavaScript. (And guess what? It requires JavaScript to perform Automatic Updates, so they couldn't download the patch that fixed the patch.) I mean, when the first "visible" thing the Update does brings your system to its knees, and requires you to pay a tech to fix it, Joe Average User is going to be a little confused about exactly how it's supposed to *protect* you from a virus that brings your system to its knees, and requires you to pay a tech to fix it...
Re:The problem with that is (Score:5, Interesting)
You just know you'll let auto-update run and one day it'll "disable" your MP3s because WMV offer so much more security, or something similar.
Nasty little bugger (Score:5, Informative)
Something else you might want to try is booting into safe mode (F8 right when Windows splashscreen pops). Deleting the registry entries, and the virus runprogram (msblast.exe). Also please... PLEASE patch your computer.
When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didnt even know about (Spybot.worm).
-Tim
Cancelling this problem (Score:5, Informative)
C:\WINDOWS>shutdown -a now
Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.
A BBC link (Score:3, Informative)
Virus (Score:5, Funny)
It is not easy, one stop! (Score:5, Informative)
Read more on SecurityFocus' mailing list [securityfocus.com].
RPC? (Score:4, Informative)
After doing a bit of research I discovered that at some point, microsoft decided that ACPI needs to behave differently, and forced all BIOS's to be upgraded to work with XP. After getting a new version of my BIOS, the problem disappeared... but the symptoms were identical to what is described with this bug... Bad timing I guess... But if you have this problem, check the event log, it may be your now non-compliant BIOS, rather than an infection/attack.
In addition... (Score:4, Informative)
also (Score:5, Informative)
Microsoft Bulletin [microsoft.com]
Note this is marked "Critical" now...
Nice touch. (Score:3, Informative)
If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."
With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?
Nahh....
A little something they left out... (Score:5, Informative)
Re:A little something they left out... (Score:5, Informative)
Right click on my computer, go to manage, in the services & apps tab, go to services, right click Remote Procedure Call (RPC), properties. In the recovery tab, change all the things that say "restart the computer" to "take no action"
Echoes (Score:4, Informative)
Re:Echoes (Score:5, Funny)
Actually, in my hotmail spam repository account I already do get tons of messages saying things like that. But, I don't think they're talking about computer security. =)
This thing hit our customers yesterday... (Score:5, Funny)
Just seen an ATM affected... (Score:5, Funny)
Then try, really, really hard to stop laughing...
Cheers,
Ian
Re:Just seen an ATM affected... (Score:5, Insightful)
Then try, really, really hard to stop laughing...
I don't know why I have to point this out, but that's NOT funny--it's freaking SCARY.
Re:Just seen an ATM affected... (Score:4, Insightful)
Some things are completely understandable. But this just makes me want to sit down with the IT guy who dempt this up and ask him what the hell he was thinking.
Re:Just seen an ATM affected... (Score:4, Insightful)
You're wrong--it's not scary that the ATM is running Windows. It's not even scary that the ATM is in a reboot loop. What's scary is the ATM is connected to a public network (or connected to machines connected to the public network) such that it was able to contract this virus.
Inconvenience has NOTHING to do with it.
on national television just a few minutes ago (Score:3, Insightful)
It was said that if you valued security, Microsoft wasn't the best solution. You'd be better off with Apple or Linux.
This could very well be a (another) turning point for linux. Of course, by the time something like this happens to Linux, everybody is going to run the other way again, but it could give OS some inroads.
You got the wrong security bulletin (Score:5, Informative)
to disable the forced shutdowns...(XP) (Score:5, Informative)
screenshots on msblast (Score:5, Informative)
Linux people: Rejoice! (Score:5, Informative)
To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and needs root permission to be listened to)
Now you can actually *see* when the worm tries it's futile attack on your superior OS.
Re:Linux people: Rejoice! (Score:5, Insightful)
Sigh. The Windows exploit is essentially a buffer overrun. Microsoft knew about this and released a patch *before* this worm was even written. So it comes down to two things:
1. It's a common problem caused by people writing OS-level services in languages that are prone to these types of problems. Windows and Linux are in the same boat here. Many such exploits have been found in boths OSes, and more will be found in the future.
2. It doesn't matter how fast a patch is released if people don't download and install the patches. Again, both Windows and Linux are identical in this respect.
If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG.
Stop Blaming Users, Blame Microsoft (Score:5, Insightful)
Calling it what it is: A "Windows" virus (Score:5, Interesting)
Yes, yes, I know, this is /. and we all know this. My point is that the mainstream press is starting to make the distinction now.
Excuses not to be patched (Score:5, Interesting)
Now, I didn't get hit -- between the firewall, ZoneAlarm and the patches, I think I'm Ok.
This is not FUD (Score:5, Insightful)
Let it be suffice to say that if a company is trying to sell you something based upon the FUD factor, treat the information as suspect. I agree, vendors whose software doesn't sell on its own laurels hype the hell out of the FUD factor and give the industry a bad reputation. But don't lump these vendors in with the security consultants that are trying to provide a free service and free advise based upon information that is going around in the security community.
When you get security information, consider the source. Is the security information provided with a sales pitch attached? If so, google the information to determine if it is FUD or legetimate. If it's legit, it'll pay to listen.
Regardless, people, patch your *#&($*@& machines!
RPC, NetBios etc are a menace (Score:4, Informative)
Please block TCP/UDP Netbios ports 135-139, as well as SMB over TCP(port 445), RPC over HTTP (port 593), the MS-SQL port the Slammer worm used (port 1434).
And I am sure there are many, many more.
No patch for NT4 --- Thanks M$ ! (Score:4, Interesting)
Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.
Well, we patched what we could, and moved most critical services to Linux, but there's still one or two machines running NT. And it's only a matter of time before some luser slips a copy of this worm past our firewall....
Considering the amount if infrastructure that depends on NT4, doesn't this intentionally put the US at greater-than-necessary risk? I'd be fun to see M$ tried under the new anti-terrorism laws.....
Nessus did this attack months ago (Score:4, Informative)
Famous last words (Score:4, Funny)
"This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine."
Use Windows NT 4.0? (Score:4, Insightful)
Now, the karmaic debt in all of this - Microsoft's Windows Update will get attacked by WinNT 4.0 every month. Mmmm. So, everyone else gets fixed and the ones that MICROSOFT want you to upgrade become easily identified as problems on the net.
Sure, one P.-off muther-F. may have written this worm to get at Microsoft. Or maybe it came from somewhere in Washington state. So, what is next? All "obsolete" versions of Microsoft products get infected with worms that will install a gigabyte of child prono and then email the police? I guarantee with publicity like this, evildoers will be using WinNT as a platform for all kind of crap for now on. Thanks a lot, Microsoft, the Crackers Best Friend!
Here's the Microsoft spin on this from the FAQ in Microsoft Security Bulletin MS03-010 (http://www.microsoft.com/technet/treeview/defaul
"If Windows NT 4.0 is listed as an affected product, why is Microsoft not issuing a patch for it?"
"During the development of Windows 2000, significant enhancements were made to the underlying architecture of RPC. In some areas these changes involved making fundamental changes to the way the RPC server software was built. The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system."
"Microsoft strongly recommends that customers still using Windows NT 4.0 protect those systems by placing them behind a firewall which is filtering traffic on Port 135. Such a firewall will block attacks attempting to exploit this vulnerability, as discussed in the workarounds section below."
"Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?"
"Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."
The moral is upgrade. Upgrade and get people like Microsoft who abandon you out of your life. Upgrade to Linux.
New version of Blaster is starting to appear (Score:4, Informative)
RPCsdbot.A Information [trendmicro.com]
Wow (Score:4, Insightful)
And of course the same thing could happen with Linux. There have been security holes in Apache and especially in various distros.
I guess we're lucky that people finding holes so far have been benign. (or at least more interested in having access then causing chaos...)
Correct method to circumvent the virus (Score:4, Informative)
1. Unplug internet connection
2. Enable Win XP firewall on all valid connections
3. Connect internet connection
4. Download and install the patch from MS
5. Update anti-virus or download and run the removal tool
Good Luck!
Internet 2 Ops letter regarding Blaster traffic (Score:4, Informative)
Abilene Connectors and Participants,
As you're all probably painfully aware by now, a worm exploit of the Microsoft
DCOM RPC vulnerability, W32/Blaster, was unleased on Monday August 11. Details
regarding the vulnerability and exploit can be found at the references provided
below.
Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the
network. We're performing an analysis of Abilene netflow data, and early this
afternoon will provide a private communication to sites that are sourcing a
large amount of worm traffic.
Recommendations for network border filtering are included the CERT W32/Blaster
advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be
defined as input and output - to protect yourselves and to protect from
infecting others.
Abilene Connectors, please pass this communication on to your Participants.
References:
Microsoft DCOM RPC:
http://www.cert.org/advisories/CA-2003-16.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN
W32/Blaster:
http://www.cert.org/advisories/CA-2003-20.html
Regards,
XXXX XXXXXXX
Director, REN-ISAC
msblast.exe available... (Score:5, Informative)
Also some cool screenshots of the beast in action here [baxter2.com], and here [baxter2.com]
Understanding Win2K Security Rating (mildly OT) (Score:4, Funny)
Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.
(Originally taken from rec.humor.funny [netfunny.com]).
Re:Fscking Windows. (Score:3, Insightful)
Re:Fscking Windows. (Score:3, Informative)
Yeah... nothing like that.
Other of course than the multitude of root kits out there, sendmail holes, bind holes, apache holes, anything else holes.
And yeah. Linux 7.2 - guess you havn't been around long enough to remember.
Will it halt the Internet? (Score:4, Informative)
Re:Much better removal tool.. (Score:3, Funny)
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.
C:\>fdisk
'FDISK' is not recognized as an internal or external command,
operable program or batch file.
C:\>format
Required parameter missing -
C:\>install FreeBSD
C:\>WTF !!!
Virus, not starring Jamie Lee Curtis. (Score:3, Funny)
Re:Sad really (Score:5, Funny)
Too bad that this "check daily, patch, reboot" procedures never get mentioned in any MS-paid TCO-analysis.
Re:Sad really (Score:5, Insightful)
Apple's versioning is as follows:
So, 10.1 was full price. 10.1.1 was free. 10.2 was full price. 10.2.6 was free. 10.3 is full price. 10.3.x will be free. 10.4 will be full price, etc.
Apple does not sell upgrade CDs. You buy a full install. This means you don't need to have any previous version of OS X on the machine. So compate the right things. So let's put this in terms the Microsoft Marketing Influenced(TM) can understand.
I paid $129 for the full version of OS X. You paid $299 for the full version of Windows2000 Professional.
I paid $129 for the full version of Jaguar. You paid $399 for the full version of WindowsXP Professional.
I will pay $129 for the full version of Panther. You will pay >$399 for the full version of Longhorn Professional.
Now who should we laugh at?
For all the ranting slashdotters do on how stupid the non-tech/geek person is, I find it hilarious that such a logical, programmer-centric versioning system totally confuses said slashdotter.
I guess MS was pretty smart to call Winnt 5 Windows 2000, and Winnt 5.1 Windows XP, or you'd all be screaming about that $399 "upgrade" as well.
Re:Windows Update slashdotted? (Score:5, Funny)
Re:A sure fire method to solve this RPC exploit (Score:4, Funny)
Threaten to not paddle her - that might make her change.
(She might be darker than you think!)
Re:60 second timer (Score:4, Funny)
A nasty work is quickly spreading across the internet forcing about 90 percent of the connected computers to become inoperable. Thousands of phones are ringing at IT desks all over the world. On the other ends of those phones are screaming, panicky users crying because their computers won't work. Management is calling because now you're the bottleneck causing inefficiency in the team, and you might need to start looking for a new job if this isn't taken care of. And then you trip over a network cable.
I think getting hammered is the best thing to do right now.
Re:Gimme A Chance!! (Score:4, Funny)