Merged: W32 Blaster Virus
13-08-2003, 10:48
#106
Inactive
Join Date: Jun 2003
Location: Farnham
Posts: 503
Quote:
Originally posted by zoombini
Hmm, I can see plenty of wannabe hackers taking advantage of this then, going through their firewall logs and finding out whose PC they can visit.
I had hoped that people would have wised up after the Bugbear attacks.
13-08-2003, 10:51
#107
Guest
Location: Teesside
Services: Evilness
Posts: n/a
Quote:
Originally posted by distortal
I run a website design company but, because it grew from a hobby, I also have an interest in PC Security. I get to play with nice pieces of kit at my company's expense and I currently lurk behind a D-Link DI-614+.
The program came about from a discussion with a friend of mine who writes shareware in VB and who was getting hammered as well. It started out as an intellectual exercise really, and once we found a way to get a message back to infected people then it kinda grew from there into a small app you can run on your desktop.
One thing to note: most of the machines hitting us don't appear to be protected at all. You can access the drives remotely using 'backslash-backslash-ip' (eg: \\11.22.33.44) and most of them will show a list of shared directories, so it turns out that this worm is advertising open machines.
Just doing our part
Excellent, I have a few friends that are computer illiterate and think that a virus scanner and firewall are for paranoid people.
How I could have strangled them last night when they came screaming for help.
Your app may have come in handy, then they could sort it for themselves.
13-08-2003, 10:55
#108
Inactive
Join Date: Jun 2003
Posts: 48
I've just got a jump in port 4444 scans, and for some reason I'm getting a lot of port 3's from a single IP and 62002's from another - anyone else seeing this?
13-08-2003, 10:58
#109
Inactive
Join Date: Jun 2003
Posts: 48
Quote:
Originally posted by BenH
I'm starting to feel a bit jealous, I've had none as of this morning. But then again I am behind layered firewalls beginning with a D-Link 614+ and ending with SuSE firewall.
In the router config, go to the Status tab, click on Log and then the grey Log Settings button. Tick all the checkboxes, enter smtp.ntlworld.com as the SMTP server and an email address in the other box. You should receive an email every time the log fills up - which it will.
13-08-2003, 11:38
#110
Inactive
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by distortal
In the router config, go to the Status tab, click on Log and then the grey Log Settings button. Tick all the checkboxes, enter smtp.ntlworld.com as the SMTP server and an email address in the other box. You should receive an email every time the log fills up - which it will.
One of the first things I did when I got the router; the only activity is when I either ssh into my box or connect via my handheld. No activity on ports 135 or 4444 whatsoever.
Looks like I've beaten the odds so far on the probes, still I'll check again tonight and run netstat JIC
Regards,
Ben
13-08-2003, 12:45
#111
Inactive
Join Date: Jun 2003
Location: Harrow
Posts: 60
Quote:
Originally posted by BenH
The principal problem with Windows Update is the sheer number of patches you need to install. Broadband is practically a requirement for XP users.
SuSE however, well look here:
http://www.suse.co.uk/uk/private/sup...ity/index.html
There have been 9 updates in the last five months, 10 if you include the kernel patch I'm expecting sometime today and is already available via YaST.
What more do I need to say?
Regards,
Ben
Well that is funny - broadband was a requirement for both my Red Hat and Mandrake installs. After install, the first updates (security) added up to around 40 - 60Mb for each distro!
Fine if you want to sit back being complacent thinking it will never happen to me - so be it.
This is the last I am going to say on the matter as it is clear that you seem to think you are invulnerable to any exploit or virus!
13-08-2003, 12:45
#112
Inactive
Join Date: Jun 2003
Posts: 48
I'm responding to 135 and 4444 with the messages so they don't appear in the router logs, but I'm getting loads of scans on port 3 which, according to GRC.com, is "compressnet, Compression Process". I seem to get a block of scans/attempts all from the same IPs, currently 80.0.190.120 and 80.1.192.146 - what the...?
13-08-2003, 13:18
#113
Inactive
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by hawkmoon
Fine if you want to sit back being complacent thinking it will never happen to me - so be it.
This is the last I am going to say on the matter as it is clear that you seem to think you are invulnerable to any exploit or virus!
Now you're putting words into my mouth. At no point have I said that I am invulnerable to exploits and viruses, at no point have I said that I am complacent. I am anything but and have just spent the morning updating several SuSE Pro servers and one SLOX machine.
I have been saying that due to the nature by which Linux has been created and the security models used, it offers far, far superior protection against viruses and has far fewer actually useful exploits than its competitor. You have been responding with inane statements and worthless generalities, at no time countering the points I raised.
Edit: For the spectators: the 40 - 60 Meg downloads our helldesk slave is referring to include things such as an optimised kernel (20Megs easy), product updates (not security related), drivers that are not allowed to be commercially distributed (such as nVidia), font packs (such as MS's), a few additional programs that they would have liked to include on the disks but left off by mistake or due to lack of space, and updates and security patches for _every_ piece of software that the update manager can detect.
This doesn't even remotely compare with Windows Update which only offers critical fixes and MS-only product updates, complete with altered EULAs.
Regards,
Ben
13-08-2003, 13:19
#114
Inactive
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by distortal
I'm responding to 135 and 4444 with the messages so they don't appear in the router logs, but I'm getting loads of scans on port 3 which, according to GRC.com, is "compressnet, Compression Process". I seem to get a block of scans/attempts all from the same IPs, currently 80.0.190.120 and 80.1.192.146 - what the...?
Anybody else waiting for the scream?
Regards,
Ben
13-08-2003, 14:03
#115
Inactive
Join Date: Jun 2003
Location: Leeds
Posts: 96
Quote:
Originally posted by distortal
Is that today? Yesterday was extremely busy but this morning I'm down to 43 in the last hour.
No that was yesterday, between 1700 and 1800.
13-08-2003, 14:40
#116
Inactive
Join Date: Jun 2003
Posts: 6,064
Well between 14.36 and 15.36 I have had 56 on port 135 and I can't seem to get Kazaa Lite or Piolet to connect, but Overnet seems to work fine. Do you think it could be connected?
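An added example, not code from any poster or from the desktop app distortal describes: a small Python log reducer that does what several posts in this thread do by hand. It counts probes on TCP 135 and 4444 inside a one-hour window like the one in this post, and flags sources that hit both ports, which is the worm's exploit-then-shell sequence. The log line format and every address are constructed for the example (documentation ranges, not real hosts) and are not the DI-614+'s real log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
BLASTER_PORTS = {135, 4444}  # RPC/DCOM exploit attempt, then the remote shell
# Constructed sample lines in a generic firewall-log style (not the DI-614+'s
# real format); the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2003-08-13 14:36:02 DROP TCP 198.51.100.7:1052 -> 192.0.2.10:135
2003-08-13 14:36:05 DROP TCP 198.51.100.7:1053 -> 192.0.2.10:4444
2003-08-13 14:40:17 DROP TCP 198.51.100.23:3201 -> 192.0.2.10:135
2003-08-13 14:52:44 DROP TCP 203.0.113.9:2000 -> 192.0.2.10:3
2003-08-13 15:10:09 DROP TCP 198.51.100.23:3202 -> 192.0.2.10:4444
2003-08-13 15:30:31 DROP TCP 198.51.100.42:1111 -> 192.0.2.10:135
2003-08-13 15:37:00 DROP TCP 198.51.100.42:1112 -> 192.0.2.10:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def parse(text):
    """Yield (timestamp, proto, src_ip, dst_port); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["proto"], m["src"], int(m["dport"])

def probes_in_window(text, start, end):
    """Hits per Blaster port with start <= timestamp < end (times as log-style strings)."""
    lo, hi = (datetime.strptime(t, TS_FMT) for t in (start, end))
    counts = Counter()
    for ts, proto, _src, dport in parse(text):
        if proto == "TCP" and dport in BLASTER_PORTS and lo <= ts < hi:
            counts[dport] += 1
    return dict(counts)

def likely_infected_sources(text):
    """Sources that hit both 135 and 4444: the worm's exploit-then-shell pattern."""
    ports_by_src = defaultdict(set)
    for _ts, proto, src, dport in parse(text):
        if proto == "TCP" and dport in BLASTER_PORTS:
            ports_by_src[src].add(dport)
    return sorted(s for s, p in ports_by_src.items() if p == BLASTER_PORTS)

if __name__ == "__main__":
    print(probes_in_window(SAMPLE_LOG, "2003-08-13 14:36:00", "2003-08-13 15:36:00"))
    print(likely_infected_sources(SAMPLE_LOG))  # hosts that hit both ports
```

The port-3 line and the 15:37 line are there on purpose: the first is filtered out as not a Blaster port, the second falls just outside the window.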
13-08-2003, 14:48
#117
Inactive
Join Date: Jul 2003
Location: Southampton
Age: 42
Posts: 1,089
Well, I'm glad now that I'm with an ISP that knows what they are doing and not ntl. As soon as this virus started lurking its head, my ISP (Plusnet) blocked the two ports involved on their end so that even vulnerable machines won't get infected as no data can get through. They then let us know that they had done this and recommended getting the updates as well.
If anyone wants to move over to them now let me know as they do a referral scheme which gives you a discount off your bill for referring someone else to them :-)
K
PS: about Linux, the reason you don't see many updates for them is that they update entire distros frequently; SuSE 8.2 is only a few months old, 8.1 is less than a year old, etc.
13-08-2003, 16:38
#119
Inactive
Join Date: Jun 2003
Posts: 4,223
Quote:
Originally posted by distortal
Is that today? Yesterday was extremely busy but this morning I'm down to 43 in the last hour.
I've lost count of the number I've had - stopped counting at 50 (in 25 minutes). Have scanned my PC for viruses and it's OK, and have up-to-date McAfee - will that do?
13-08-2003, 16:48
#120
Inactive
Join Date: Jun 2003
Location: Harrow
Posts: 60
Quote:
Originally posted by BenH
Edit: For the spectators: the 40 - 60 Meg downloads our helldesk slave is referring to include things such as an optimised kernel (20Megs easy), product updates (not security related), drivers that are not allowed to be commercially distributed (such as nVidia), font packs (such as MS's), a few additional programs that they would have liked to include on the disks but left off by mistake or due to lack of space, and updates and security patches for _every_ piece of software that the update manager can detect.
If you take another read of what I wrote very carefully you will notice that I said that the 40-60Mb updates WERE SECURITY RELATED! The full update including non-security related came to over 150Mb! Oh, and there was no optimized kernel included in those downloads.
Just for the record I do not do helpdesk. Not all support analysts are helpdesk. I am actually part of system services which looks after servers - no user interaction at all.