MSBlaster: Is the worst yet to come?

self

[Rodney King]

You sure? I thought that the ip between the wireless and my computer was different than over the cable line. Or something like that.

[Billthedrill]

Infected computers will attempt to effect a Denial of Service (DoS) attack by sending 50 packets a second to www.windowsupdate.com. Sorry if this looks like gibberish, it isn't, trust me. This is from the latest Symantec security bulletin:

DoS traffic has the following characteristics:
Is a SYN flood on port 80 of windowsupdate.com.
Tries to send 50 HTTP packets every second.
Each packet is 40 bytes in length.

Some fixed characteristics of the TCP and IP headers are:
IP identification = 256
Time to Live = 128 Destination IP address = dns resolution of "windowsupdate.com"
TCP Source port is between 1000 and 1999
TCP Destination port = 80
TCP Sequence number always has the two low bytes set to 0; the 2 high bytes are random.
TCP Window size = 16384

Because of this Microsoft has taken the site with that URL down. It could still mess up people's internal networks with excess packets, though.

[Chad Fairbanks]

True. I also always lock down any ports, and use firewalls, too. I'd do the same if I was using Linux or a Mac or any other OS - Good Security just makes good sense.

[Rodney King]

How do you lock down ports?

[IpaqMan]

This particular attack only requires the proper version of Windows and an internet connection. If you do not have a "patched/fixed" system or a firewall, you will be infected.

Staying away from your email will not stop the attack. Bypassing attachments will protect you from other viruses but not from this "worm".

Turning on your computer and connecting to the internet will allow it to be infected.

[Neets]

You are absolutely correct about what OS's it affects.

We have to down load critical updates every two weeks now because of these things.

[Rodney King]

Fascinating. I don't have the patch. I also don't have the virus I don't think because I have had no problems, and I am running McAfee VirusScan online and am fully updated, plus I just ran a check and am all clear. I guess it comes down to whether or not I need a firewall for my Dell wireless setup. I think it was the dell people who told me that the wirless unit was its own firewall, but then again I don't really trust them.

[IpaqMan]

You lock down ports with a firewall. You can use Zonealarm. There is a free version. Or if you have XP, you can turn on the firewall option. I don't use XP, so I don't have the exact procedure.

[IpaqMan]

If you have a wireless "router" such as the Linksys wireless four port router, you have a built-in firewall.

[Rodney King]

OK, thanks.

[IpaqMan]

BTW, I believe that the easiest way to find out if you have been infected is to bring up the task manager with CTL ALT DEL. If you find MSBLASTER as one of the tasks, you have been infected.

[Chad Fairbanks]

Hardware and Software Firewalls, usually - as an added measure, under the advanced section of the TCP/IP Properties you can specify only those ports you want open...

But for most people, a Router or software such as ZoneAlarm are the best bet...

[glock rocks]

fwiw... some stuff I picked up at work, and a new news release from microsoft here...

how you know you've got the virus (worm, actually) is if your PC reboots itself every few minutes.

ha ha... looks like the worm author screwed up... he wanted it to cause a flood of connections (denial of service) to the microsoft update site, but used the WRONG URL! ... so microsoft disabled the invalid address (they'd been redirecting traffic to the real site). from AP just in the last hour:

The worm caused computers to reboot frequently or disrupted users' browsing the Internet. But it also packed a second punch: starting at midnight local time on Aug. 16, infected computers that have not cleaned up the virus will in effect turn into a legion of zombies instructed to repeatedly call up a Microsoft Web site that houses the software patch. With so much traffic flooding the network, the site could be unreachable and computer users would be unable to access the patch.

But there's a flaw. The worm instructed computers to call up http://windowsupdate.com — which is an incorrect address for reaching the actual Microsoft Web site that houses the software patch. Although Microsoft has long redirected those who visited that incorrect address to the real site — http://windowsupdate.microsoft.com — the company disabled the automatic redirection Thursday in preparation for the onslaught of infected computers.

Microsoft's real Web site should still be accessible to users, said Microsoft spokesman Sean Sundwall. However, those who don't know the correct address may be confused and believe that the so-called "denial of service" attack worked. The company is taking other measures to keep its site up and running, he said, although he declined to give specifics.

[IpaqMan]

A plus for a software firewall like ZoneAlarm is stopping zombie-bots. Those are little programs that an outsider puts on your PC via attachments or "click here" items. These bots sit in the background and listen to the internet for remote commands such as initiating a denial-of-service attack. This allows an attacker to work anonymously because he is using your computer to do the attack.

ZoneAlarm can be configured to prompt you when a program on your PC wants to connect to the internet like IE, Netscape, Outlook, etc. If a zombie-bot tries to connect to the internet, you will see ZoneAlarm prompt for permission for this specific program. Please note that some zombie-bots have been named netscape.exe. ZoneAlarm can distinguish between programs named netscape.exe. If you are already running Netscape (prompted and confirmed) and ZoneAlarm later prompts you for netscape.exe, you can be sure that this is not the same netscape.exe. This warrants further investigation.

Many zombie-bots are relatively harmless. They are simply tools for an outside hacker to act anonymously using your PC.

[Squantos]

Kewl ! I keep my AVG, Zone alarm and Ad-Aware pretty much up to date. If I get a virus then I just dump, format and load my old backup CD . I have a really good "home built" desktop yet only use it for graphics, music and home editing of documents, photos ect ect. I use an old Compaq presario 12XL500 laptop that I surf the net with.....so far the shit filters seem to work pretty good. At least in one direction .......:o)

Ya'll Stay Safe !

[glock rocks]

i've got ad-aware and zone alarm.

there's a free cleaner called "search and destroy" that's very similar to ad-aware, but finds stuff it doesn't too... I use both once a week. good stuff.

[Squantos]

Do ya have a link for search and destroy ?

Stay Safe !

[glock rocks]

yep. good stuff.

http://www.pcworld.com/downloads/file_description/0,fid,22262,00.asp

[Squantos]

Got it dooooood ! Thank Yew ! Will download and give it a try !

Stay Safe !

[glock rocks]

cool. gotta ping my bro... he's lookin over my shoulder while we watch nascar qualifying... he wants it too for when he gets home.