Merged: W32 Blaster Virus
Old 12-08-2003, 22:51   #91
hawkmoon
Inactive
 
Join Date: Jun 2003
Location: Harrow
Posts: 60
Don't get me wrong - I am not in the Windows is better than Linux camp, nor vice-versa.

My point is that all OS's have flaws, both minor and serious.

Already Linux is starting to see an increase in the number of viruses.

Even BSD-based OS's have their flaws and exploits. I remember one that related to a vulnerability with certain SSH installs, though I can't remember what the vulnerability was.

When more and more crackers and hackers turn their attention to Linux then I think you will see an increase in the number of vulnerabilities / exploits.

Nobody can anticipate every interaction that code can have under every situation and this is why vulnerabilities such as the RPC one can exist in an OS for years before coming to light.
Old 12-08-2003, 23:25   #92
BenH
Inactive
 
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by hawkmoon

As for the advisory in Samba - you can find it here. https://rhn.redhat.com/errata/RHSA-2003-137.html

Samba versions above 2.2.8 don't have this exploit.
Looks like it was RH only. SuSE have a similar advisory, but instead detail it to be a buffer overrun with the possibility that it might be publicly available. With a mention of the weak encryption generated by a VNC cookie that is well known.

Hardly an internet stopper, but something to keep an eye on.

Thanks,

Ben
Old 12-08-2003, 23:52   #93
BenH
Inactive
 
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by hawkmoon
My point is that all OS's have flaws, both minor and serious.
So you keep repeating, despite no one disagreeing with you.


Quote:
Already Linux is starting to see an increase in the number of viruses.
3 last year, none serious; the only one that was ever any trouble was Bliss back in '97, and that was only a threat until Alan Cox ripped it apart.

Linux represents a very unhealthy environment for any virus: there are no VB macros, no unlocked ports, separation of users and administrators and a lack of binary executables, let alone executables that run without permission.

For an interesting and accurate article on linux viruses, rather than speculation, try this:

http://librenix.com/?inode=21


Quote:
Even BSD-based OS's have their flaws and exploits. I remember one that related to a vulnerability with certain SSH installs, though I can't remember what the vulnerability was.
And then they are fixed as soon as they are uncovered, as opposed to being hidden. You are completely ignoring the tremendous difficulty in exploiting one of these flaws and the lack of technical knowledge within the cracker community that would be required to exploit them.

Quote:
When more and more crackers and hackers turn their attention to Linux then I think you will see an increase in the number of vulnerabilities / exploits.
1) Linux is a Hacker OS; its growth is in part due to this. 2) Hackers don't crack systems or write viruses _ever_. There's no challenge, no profit in destroying something bad when you can create something better and give it away. 3) Hackers despise crackers. Crackers are the lowest form of life, who believe that by exploiting some slight loophole they show how clever they are, when in fact it's been shown time and time again that they are nothing more than arrogant little ****s who have some very basic technical knowledge centred around VB and Microsoft. You show some ******* script kiddie some C and they fall apart.

The only ones that have the kind of skill needed to crack Linux or any other kind of Unix are usually far too busy running security companies or writing virus TK's to be used against windows due to some kind of beef they have against MS.

Even if they were to start writing viruses to be used against Linux, it would still be reliant on the user to do something truly stupid in order to allow the virus to propagate.

Quote:
Nobody can anticipate every interaction that code can have under every situation and this is why vulnerabilities such as the RPC one can exist in an OS for years before coming to light.
The problems with RPC have been known about for years. I seem to recall the CDC writing about the topic time and time again. This vulnerability is however new(ish); it is not the first RPC vulnerability, and it will be far from the last.

Ben
Old 13-08-2003, 00:12   #94
darant
Inactive
 
Join Date: Jul 2003
Location: Reading
Posts: 139
LOL.

Everything is open for exploitation whether it be Microsoft, Linux, Mac. Just cos Microsoft are the largest people think it shouldn't happen.
Old 13-08-2003, 08:31   #95
duncant403
Inactive
 
Join Date: Jun 2003
Location: Leeds
Posts: 96
It's probably also fair to say that people who run Linux are likely to keep up to date with all the patches and bug fixes that are released.
While some Windows users do, unfortunately a large proportion don't. This is the main reason why Windows virii propagate so well.
Old 13-08-2003, 09:15   #96
BenH
Inactive
 
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by duncant403
It's probably also fair to say that people who run Linux are likely to keep up to date with all the patches and bug fixes that are released.
While some Windows users do, unfortunately a large proportion don't. This is the main reason why Windows virii propagate so well.
The principal problem with Windows Update is the sheer number of patches you need to install. Broadband is practically a requirement for XP users.

SuSE however, well look here:

http://www.suse.co.uk/uk/private/sup...ity/index.html

There have been 9 updates in the last five months, 10 if you include the kernel patch I'm expecting sometime today and is already available via YaST.

What more do I need to say?

Regards,

Ben
Old 13-08-2003, 10:07   #97
distortal
Inactive
 
Join Date: Jun 2003
Posts: 48
Lightbulb Helping fight W32.Blaster.Worm

I'm sure you'll have seen in the news mention of the latest worm that's doing the rounds on the internet - W32.Blaster.Worm. This particular nasty will cause your machine to shut down and is designed to launch a DDoS attack against WindowsUpdate from the 16th. It is causing a whole lotta traffic on port 135 as the worm seeks to propagate itself.

We sat up late last night developing a small app that would use the port-forwarding abilities of a router firewall. Basically the incoming port 135 requests are routed to port 10000 before they reach the machine so that Windows ignores them, and the app sends out a Net Send message to the connecting IP advising them that they appear to be infected with W32.Blaster and would they please go to a webpage for more info.

It does have the side-effect of messaging back those Messenger spammers that lurk around the net as well, but that's only a plus in my opinion.

Most of the scans I get are from other NTL IPs, which indicates that the worm bases its scanning on the local machine's IP, but there have been a few others. As a guide to how bad it's getting, I received 20 scans this morning while I was in the bath, and I wasn't in there that long.

We may release the app when it's complete, but in the meantime check your firewall logs and let us know how many connection attempts you've had on port 135 over the past few days.
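The firewall-log check the post asks for, as an added example (not distortal's app, which was never posted here): it parses log lines in a constructed generic format, counts inbound TCP/135 connection attempts per clock hour, and reports how many came from the same /16 as the local address, the "other NTL IPs" pattern described above. The line format, the sample log lines and the /16 window for "nearby" sources are assumptions.

```python
"""Added example: count inbound TCP/135 attempts in a firewall log (not distortal's app).
Constructed generic line format: <ISO ts> <TCP|UDP> <src>:<sport> -> <dst>:<dport> <action>
"""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$")

# Constructed sample log (RFC 5737 addresses): four TCP/135 probes plus two unrelated lines.
SAMPLE_LOG = """\
2003-08-13T09:02:11 TCP 192.0.2.55:3421 -> 192.0.2.10:135 DROP
2003-08-13T09:15:40 TCP 192.0.7.8:1088 -> 192.0.2.10:135 DROP
2003-08-13T09:16:02 UDP 192.0.7.8:137 -> 192.0.2.10:137 DROP
2003-08-13T09:48:59 TCP 203.0.113.9:4455 -> 192.0.2.10:135 DROP
2003-08-13T10:05:30 TCP 192.0.9.200:2210 -> 192.0.2.10:135 DROP
2003-08-13T10:07:12 TCP 198.51.100.3:51000 -> 192.0.2.10:80 ACCEPT
""".splitlines()

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def blaster_probes(lines, local_ip, port=135, near_prefix=16):
    """Return (per_hour, same_net, total) for inbound TCP/<port> attempts.
    per_hour counts attempts per clock hour; same_net counts sources inside the local
    address's /near_prefix (assumed window for the "other NTL IPs" pattern in the thread).
    Lines that do not parse, or that are other traffic, are skipped."""
    near = ip_network(f"{local_ip}/{near_prefix}", strict=False)
    per_hour, same_net, total = Counter(), 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        total += 1
        per_hour[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
        if ip_address(rec["src"]) in near:
            same_net += 1
    return per_hour, same_net, total

def busiest_hour(per_hour):
    """(hour, count) for the hour with the most attempts, or None if there were none."""
    return max(per_hour.items(), key=lambda kv: kv[1]) if per_hour else None

if __name__ == "__main__":
    hours, near, total = blaster_probes(SAMPLE_LOG, "192.0.2.10")
    print(f"{total} TCP/135 attempts, {near} from the local /16; busiest hour: {busiest_hour(hours)}")
```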
Old 13-08-2003, 10:13   #98
timewarrior2001
Guest
 
Location: Teesside
Services: Evilness
Posts: n/a
It's great that people are developing ways to combat this worm. But I would hope people would be getting the security update from MS and running the MSblaster fix from Symantec. I personally fixed two machines last night this way.

One thing that surprised me was that when I closed MSBlaster.exe from the processes list, approx 3 mins later the machine still shut down; the command had restarted itself. This made removal of the virus a tad tricky... eventually though I got the machine to stay on long enough to remove the infection.

I don't know how many people would be interested in your application, I may be, but firstly I'd have to enquire who you work for

Keep up the good work
TW2001
Old 13-08-2003, 10:16   #99
Mark W
 
Join Date: Jun 2003
Location: Swansea
Age: 47
Posts: 620
Well, as of last night, this was the fix we were giving out last night.... version 5 I think

Quote:
Ntl:home customers may currently be experiencing problems with their PC arising from a Microsoft Windows vulnerability. The virus/worm in question which exploits this vulnerability is called W32.Blaster.Worm and it will affect Windows XP (all versions), Windows 2000 and Windows NT.

In order to prevent your machine from repeatedly rebooting please carry out the following:

1. (Broadband customers only) Unscrew CATV (Co-axial) cable at the rear of the cable modem or set-top box - this is normally a thick white cable (not required for dial-up)
2. Re-start PC.
3. Open Task Manager by holding down the CTRL and ALT keys and pressing the Delete key once.
4. Click on Process tab, and find Msblast.exe.
5. Highlight the file and click 'end process' at the bottom right
6. Say 'Yes' to the warning.
7. Now close Task Manager (by the cross in the top right)
8. Click on "Start" and choose "Find" or "Search", then choose files or folders.
9. In the "Look in" box choose "My Computer"
10. In the "Named" box type msblast.exe then click on "Find Now" or "Search"
11. If any items are found right click on these and choose delete.
12. If using Windows XP enable the in built firewall (see below)
13. (Broadband customers only) Screw the CATV cable back into the modem or set-top box, (not required for dial-up)
14. (Broadband customers only) Re-start Cable Modem or Set-Top Box, (not required for dial-up)
15. Re-start PC
16. Download the Microsoft Patch (from the link below) choosing "Save this program to disk"
17. In the "Save As" window choose "Desktop" from the dropdown "Save in" box
18. Open the file from your desktop and follow the on-screen instructions.
19. Restart your machine when requested to do so by the patch.

Microsoft Download Links

Windows XP (all versions)

Windows 2000

Windows NT

You should now find that your PC and connection are restored to a working state.

Enable the in built firewall in XP windows

1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and then click Properties.
3. On the Advanced tab, click the box to select the option to Protect my computer or network.
4. If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.

If you are not using Windows XP you may wish to visit
http://www.ntlworld.com/zonealarm/ to obtain advice on another firewall option.


For further information on this issue please see:

Ntl:home Server Status Page
or

Microsoft Knowledge Base

If you continue to experience problems of the same nature, please call the Technical Support Bureau on your relevant support number.
Old 13-08-2003, 10:27   #100
duncant403
Inactive
 
Join Date: Jun 2003
Location: Leeds
Posts: 96
Quote:
Originally posted by distortal
let us know how many connection attempts you've had on port 135 over the past few days.
I had 140 in the space of an hour...
Old 13-08-2003, 10:27   #101
distortal
Inactive
 
Join Date: Jun 2003
Posts: 48
Quote:
Originally posted by timewarrior2001
I dont know how many people would be interested in your application, I may be, but firstly I'd have to enquire who you work for
I run a website design company but, because it grew from a hobby, I also have an interest in PC Security. I get to play with nice pieces of kit at my company's expense and I currently lurk behind a D-Link DI-614+.

The program came about from a discussion with a friend of mine who writes shareware in VB and who was getting hammered as well. It started out as an intellectual exercise really, and once we found a way to get a message back to infected people then it kinda grew from there into a small app you can run on your desktop.

One thing to note: Most of the machines hitting us don't appear to be protected at all. You can access the drives remotely using 'backslash-backslash-ip' (eg: \\11.22.33.44) and most of them will show a list of shared directories, so it turns out that this worm is advertising open machines.

Just doing our part
Old 13-08-2003, 10:28   #102
Alan Waddington
Inactive
 
Join Date: Jun 2003
Location: Farnham
Posts: 503
I did consider 'net send'ing to folks during the worst of the Bugbear attacks, but refrained after having had a bad experience after replying to the sender of an email virus.

In that case, the recipient of my well-meaning note thought that I'd caused the virus infestation of his PC, rather than being the recipient of the virus email that he had sent. He thoughtfully copied his flame to the postmaster at my ISP. Fortunately my ISP had better sense than to get involved.

On a more positive note, the Messenger service displays your machine name rather than your IP address (I think), so Mr Angry would be unlikely to be in contact.

Yours cautiously,
Alan
Old 13-08-2003, 10:29   #103
distortal
Inactive
 
Join Date: Jun 2003
Posts: 48
Quote:
Originally posted by duncant403
I had 140 in the space of an hour...
Is that today? Yesterday was extremely busy but this morning I'm down to 43 in the last hour.
Old 13-08-2003, 10:37   #104
zoombini
Inactive
 
Join Date: Jun 2003
Location: England
Services: I no longer receive cable services, I blame the inept accounts dept for that.
Posts: 3,731
Quote:
Originally posted by distortal

One thing to note: Most of the machines hitting us don't appear to be protected at all. You can access the drives remotely using 'backslash-backslash-ip' (eg: \\11.22.33.44) and most of them will show a list of shared directories, so it turns out that this worm is advertising open machines.
Hmm, I can see plenty of wannabe hackers taking advantage of this then, going through their firewall logs and finding out whose PC they can visit.
Old 13-08-2003, 10:47   #105
BenH
Inactive
 
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by distortal
Is that today? Yesterday was extremely busy but this morning I'm down to 43 in the last hour.
I'm starting to feel a bit jealous, I've had none as of this morning. But then again I am behind layered firewalls beginning with a D-Link 614+ and ending with SuSE firewall.

Ah Well :-)

Regards,

Ben