Free Republic
New Virus hitting hard and furious!!!
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html ^ | 08/11/03 | self

Posted on 08/11/2003 2:33:46 PM PDT by STFrancis

All,

Here's a scoop for Freepers, which is just now hitting us security pros.

There is a first vulnerability that uses the MS Bug that MS addressed with MS 03-026 two weeks ago.

It is calling itself MSBLAST.exe and is spreading in the wild unbelievably fast. http://isc.sans.org/diary.html?date=2003-08-11

A first advisory from McAfee has just been published: http://us.mcafee.com/virusInfo/defa...&virus_k=100547 Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

In other words we need to make sure port 4444 is blocked inbound AND outbound.

Of course this is in addition to the MS03-026 patch being installed, which Microsoft released two weeks ago (more info regarding the patch here: http://www.microsoft.com/technet/tr...n/MS03-026.asp).

Another advisory was JUST posted by Symantec: http://www.symantec.com/avcenter/ve...aster.worm.html

Just thought everyone ought to know.

Thanks...
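The post above describes a three-step pattern on the wire: a connection to the RPC service behind MS03-026 (135/tcp), a connection to the shell the exploit spawns on 4444/tcp, and then a tftp transfer to fetch the worm. As an added example (not from the original post or from any of the advisories linked), here is a small Python script that scans constructed firewall log lines for that sequence from the defender's side. The log format, IP addresses and the "three distinct targets" scanner threshold are all assumptions made for the example; the port numbers are the ones the post names plus tftp's well-known port 69/udp.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real traffic) in a netfilter-style
# format: a non-empty "IN=" means inbound, a non-empty "OUT=" means outbound.
SAMPLE_LOG = """\
Aug 11 14:31:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3345 DPT=135
Aug 11 14:31:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3346 DPT=4444
Aug 11 14:31:04 fw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=UDP SPT=1028 DPT=69
Aug 11 14:31:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=4201 DPT=80
Aug 11 14:31:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=3347 DPT=135
Aug 11 14:31:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=3348 DPT=135
"""

LINE_RE = re.compile(
    r"IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# The three ports in the sequence the post describes: 135/tcp is the RPC endpoint
# behind the MS03-026 bug, 4444/tcp is the shell the exploit spawns, and 69/udp
# is the well-known tftp port used to pull down the worm binary.
WATCH = {
    ("TCP", 135): "rpc-dcom-exploit-attempt",
    ("TCP", 4444): "blaster-shell-port",
    ("UDP", 69): "tftp-transfer",
}


def parse_line(line):
    """Return the fields we care about as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["spt"] = int(d["spt"])
    d["dpt"] = int(d["dpt"])
    d["direction"] = "in" if d["iface_in"] else "out"
    return d


def find_indicators(log_text):
    """Every parsed line whose protocol/destination port is on the watch list."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = WATCH.get((ev["proto"].upper(), ev["dpt"]))
        if label:
            hits.append({**ev, "label": label})
    return hits


def correlate(hits, scan_threshold=3):
    """Summarise per host: external sources probing 135/tcp on several machines
    (scanners), and internal hosts that took an inbound 4444/tcp connection and
    then made an outbound tftp request (likely already running the worm)."""
    targets_135 = defaultdict(set)
    shell_in = set()
    tftp_out = set()
    for h in hits:
        if h["label"] == "rpc-dcom-exploit-attempt" and h["direction"] == "in":
            targets_135[h["src"]].add(h["dst"])
        elif h["label"] == "blaster-shell-port" and h["direction"] == "in":
            shell_in.add(h["dst"])
        elif h["label"] == "tftp-transfer" and h["direction"] == "out":
            tftp_out.add(h["src"])
    scanners = sorted(s for s, t in targets_135.items() if len(t) >= scan_threshold)
    likely_infected = sorted(shell_in & tftp_out)
    return {"scanners": scanners, "likely_infected": likely_infected}


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for h in hits:
        print(f'{h["direction"]:>3} {h["src"]:>13} -> {h["dst"]:<13} {h["proto"]}/{h["dpt"]:<5} {h["label"]}')
    print(correlate(hits))
```

The single-port hits are noisy on their own (a lone 135/tcp connection can be legitimate RPC traffic), so the useful output is the correlated view: a source fanning out to many hosts on 135, and a host that had a 4444/tcp connection followed by an outbound tftp fetch. Those two findings are what decide whether to pull the cable and rebuild, as several of the replies below recommend.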


TOPICS: Breaking News; News/Current Events; Technical
KEYWORDS: blaster; computer; firewall; internet; macuserlist; microsoft; msblast; techindex; virus; vulnerability; worm
To: STFrancis
ANY operating system is inherently insecure unless it does B3 out of the box. Which according to reports Longhorn is supposed to do. Can't wait to see a finished version of it and hope *pray* MS doesn't screw it up. And IF (that's a caps IF there) they do it right Unix is going to have a HUGE challenge.

Conceptual mixing/matching. B3 is a feature set available within a certain environment. It gives you a description of security features in a perfect world. It doesn't tell you dick about how secure it is in the real world. There is something fishy about this in that any environment that would meet that classification would necessarily bludgeon the Windows APIs to death, meaning that you either 1) can't run your old XP software on Longhorn, or 2) one of the conditions for B3 constrains the core APIs you are allowed to use and probably invents new ones.

And as anyone can tell you, the BSD variants are among the most bullet-proof and hack-proof network server OSes in common use, and they don't even have a certification. What they do have is incredibly well-engineered and thoroughly reviewed/tested code. This is why so many of the major Internet sites run on FreeBSD even though it is not a common desktop OS.

I've managed all manner of OS on the Internet, and I for one would put my money on FreeBSD versus Longhorn for real-world security. And even though we have tons of Linux boxes running around here, they never have the security problems that the Windows boxes have in practice. If Windows ever became even AS secure as Linux (or even better, FreeBSD), it would really make the NOC guys happy because it would eliminate a lot of pain.

181 posted on 08/11/2003 11:13:02 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)

To: STFrancis
Soon as I logged into my server I got some update through Norton, hope that's it!
182 posted on 08/11/2003 11:24:41 PM PDT by JustPiper (Moving Sale: U.N. Going to Toronto!)

To: STFrancis
I just sprayed my computer with OFF! It contains DEET. That should do the trick.
183 posted on 08/11/2003 11:31:02 PM PDT by graycamel

To: ThinkPlease
My university has several computer labs, only one of which has Macs. Nobody touches those until the PCs fill up. At first I had trouble with them, but I have overcome that. I still don't see what's better about them. I guess possibly in gaming and graphics.
184 posted on 08/11/2003 11:34:08 PM PDT by graycamel

To: SengirV
Right click? Mac? Huh? Wow! I know even less than I THOUGHT I DID! LOL!
185 posted on 08/11/2003 11:45:42 PM PDT by kitkat

To: STFrancis
Finally back online after six hours.

Comcast has been MIA (no DNS) most of the night here in Oregon City. Coincidence? I doubt it, hope they spent some of the time shoring up their defenses.

Our machines are behind two firewalls and we're up to date with Microsoft and Norton updates so we apparently were not at risk, but we seem to have felt the effects here locally.
186 posted on 08/12/2003 12:10:47 AM PDT by LayoutGuru2 (Call me paranoid but finding '/*' inside this comment makes me suspicious)

To: Quick1
The fact that you knew that off the top of your head (or off the top of a quick google), boggles the mind.

You out-nerd me. ;)

No Google, just long-infected nerd.

My old C-64 -- my first computer -- along with a pair of 8514 drives, a cassette drive, and a 14" 40x25 monitor, are up in the attic to this day. I wrote just enough 6510 code to get the bug, badly enough to give up practicing law for writing code as soon as I got good enough to get a job at it -- one Kaypro and one Compaq later.

That was really cool, and I made a lot of money at it, until last December. I got canned right before Christmas, after nearly a decade with the company :-).

Of course, there aren't a lot of lawyer jobs available, either...

187 posted on 08/12/2003 12:11:24 AM PDT by umbagi (Will code for food -- C++, C, C#, Java, Delphi, Perl, PHP. God Bless!)

To: ThinkPlease
Seven. Powerbook G4, here.

No fair. You were already included in the original count.

188 posted on 08/12/2003 12:19:45 AM PDT by Jeff Gordon

To: Jeff Gordon
bump
189 posted on 08/12/2003 12:55:26 AM PDT by malia

To: STFrancis
Zone alarm pro is at work on my 'putor.
190 posted on 08/12/2003 2:40:52 AM PDT by exnavy

To: jbstrick; Salo; ThinkDifferent
Here are some things to take a look at. Remember, Apple is only at 3% market share, so when there is a security problem, it gets very little coverage. Here's a story (dated May 5, 2003) about a security flaw that was "caught" (when? What damage was done before it was "caught"? The article doesn't say. But if this were true in the MS world, there would be no end to the coverage): http://www.macnn.com/news/19343

Wired News reports that Apple fixed a security flaw at its online store late last week that could have enabled attackers to hijack customers' accounts and place fraudulent orders: "The flaw, discovered by an anonymous Canadian security researcher who uses the nickname "Null," potentially allowed malicious users to change Apple Store customers' passwords and gain control of the victims' account data."

Look at the comments when Apple releases a security update: http://www.versiontracker.com/dyn/moreinfo/macosx/15934&page=16

What you need to bear in mind is that all CERT advisories for UNIX (BSD) need to be considered for Apple OS X. Apple repeatedly will answer: "Does Not apply". Then 6 months or so will go by, before Apple will quietly release an "update" that will address the security issue they've previously claimed "does not apply". That's how Jaguar came out. Also, Apple, even though they technically "don't support" OS 9, still has OS 9 elements in Mac OS X and therefore there are ways to break into a system that way too.

The particular flaw discussed in http://www.pcw.vnunet.com/News/1133364 was in the OS X since the beginning and finally addressed by Apple about a year later. (Could Microsoft get away with ignoring an open security flaw for a year?) I’ve had personal experience with Apple ignoring flaws in the TCP/IP layer for more than a year – the OS was mis-negotiating the packet size.

It is possible to hijack an Apple system (it's just UNIX underneath). And if Mac users are conditioned not to administer their system, and get sloppy, and Apple denies that there is anything wrong when great flaws were there, then Apple will stay at 3% or less of the market.

No system is perfect. Windows is a big target. And the biggest problem with Windows is not so much the weird ways people can figure out malicious attacks against the systems, but the sloppy administration habits of Windows administrators. A fix was available for the Code Red worm, for example, very early when the vulnerability was found, but not enough people applied the update that was available for them. I guess I'd rather be with a company that makes updates available than with one that denies there is a problem. Macs have their uses, but not for serious administration given the current attitude of the Apple management.

191 posted on 08/12/2003 4:50:09 AM PDT by MrsEmmaPeel

To: brewer1516
I've a cousin who has been a major Mac user for years. A few months ago his wife persuaded him to get a new system... a PC... He went along with it, figuring it couldn't be that bad. He's cursing Gates big-time now. I suspect that after he goes through another month of pain, he'll be ready for the Ultimate Service Pack... Linux.
192 posted on 08/12/2003 6:02:04 AM PDT by zeugma (Hate pop-up ads? Here's the fix: http://www.mozilla.org/ Now Version 1.4!)

To: Iowa Granny
Bookmarking also, for my daughter who is more computer savvy than I. I know we have Norton but nothing else is in my computer-illiterate mind.
193 posted on 08/12/2003 6:07:13 AM PDT by upcountry miss

To: Knitebane; GoldMan
or you can get out your wallet and buy a supported copy of Windows.

By all means. Get the latest windows and still find yourself being hacked.

Or, next time your PC needs to be reloaded (which should be NOW, btw, if you got infected, because there is no way to tell how much damage was done), why not download a copy of RedHat, Mandrake, Debian, or SUSE Linux and install it instead of Windows. Use it for a few days to a week. If you find it doesn't suit the way you like to work with a computer, you can always simply reload Windows, and you're no worse off than you were before, but you will at least have tried to get off the Windows treadmill.

194 posted on 08/12/2003 6:32:27 AM PDT by zeugma (Hate pop-up ads? Here's the fix: http://www.mozilla.org/ Now Version 1.4!)

To: Ramius; Lloyd227
There should be a place where you can DENY all traffic by default, but have a list of allowed ports/protocols/hosts that ARE allowed to contact your network.

Excellent advice. The default policy on any firewall should be DENY ALL. Then, if you find you really need a specific port, you can open it up. It's even better if you can open up a specific port to a specific computer.

195 posted on 08/12/2003 6:42:12 AM PDT by zeugma (Hate pop-up ads? Here's the fix: http://www.mozilla.org/ Now Version 1.4!)
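To make the difference between the two approaches in this exchange concrete, here is an added example (not from any poster, and not a real firewall) in Python: a tiny first-match rule evaluator that puts a default-allow policy with a single blocked port next to a default-deny policy that opens one port to everyone and another port to one specific host. The addresses, ports and rule set are constructed for the example; the point is the policy shape, not the specific numbers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port
    src: str = "0.0.0.0/0"       # narrow this CIDR to open a port to one specific host only
    dst: str = "0.0.0.0/0"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


class Firewall:
    """First matching rule wins; if nothing matches, the default policy applies."""

    def __init__(self, default: str, rules: List[Rule]):
        self.default = default
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Policy A: default ALLOW with a blocklist of one port. This is what "just block
# 4444" amounts to: anything not explicitly listed, 135/tcp included, gets through.
BLOCKLIST_ONLY = Firewall("allow", [Rule("deny", "tcp", 4444)])

# Policy B: default DENY with an allowlist. The web port is opened to everyone;
# remote administration is opened to one constructed admin host only.
DEFAULT_DENY = Firewall("deny", [
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 22, src="198.51.100.5/32"),
])


def compare(pkt: Packet) -> dict:
    """Show what each policy does with the same packet."""
    return {"blocklist_only": BLOCKLIST_ONLY.decide(pkt),
            "default_deny": DEFAULT_DENY.decide(pkt)}


if __name__ == "__main__":
    # Constructed traffic: an RPC probe, a shell-port connect, web, and SSH from two hosts.
    for pkt in [
        Packet("tcp", "203.0.113.7", "192.0.2.10", 135),
        Packet("tcp", "203.0.113.7", "192.0.2.10", 4444),
        Packet("tcp", "203.0.113.9", "192.0.2.10", 80),
        Packet("tcp", "198.51.100.5", "192.0.2.10", 22),
        Packet("tcp", "203.0.113.9", "192.0.2.10", 22),
    ]:
        print(f"{pkt.proto}/{pkt.dport:<5} from {pkt.src:<13} -> {compare(pkt)}")
```

The 135/tcp probe is the interesting row: the blocklist policy passes it because nobody thought to list it, while the default-deny policy drops it without anyone having to know about MS03-026 in advance. That is the whole argument for DENY ALL as the starting point: the next worm's port is not on your blocklist either.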

To: GoldMan
Yes, for Win 98 also, you must close port 135. Go to www.grc.com and test your system.
196 posted on 08/12/2003 6:51:05 AM PDT by qwertyz

Comment #197 Removed by Moderator

To: bluefish
If y'all would just keep your flux capacitors calibrated, ya wouldn't have ta worry about no virus nonsense!

True, but post 9/11 it's been a lot harder to get plutonium...

198 posted on 08/12/2003 6:55:27 AM PDT by null and void

To: MrsEmmaPeel
I keep all of my systems patched up. Nothing is immune from bugs, security and otherwise. I had not heard of the bug you mentioned until you mentioned it. So I went to cert and checked out what they had. Thank you for bringing it to my attention.

As for poor Microsoft, they do get away with having open holes. In fact, it's almost comical to watch a disclosure tapdance around using the word "Microsoft." One virus alert I read listed the dozens of systems NOT affected without ever saying the only system affected was MS Windows X.

199 posted on 08/12/2003 6:56:07 AM PDT by Salo

To: LynnHam
I followed your instructions in post #17, and it worked perfectly. I started having this problem about 6:00 pm yesterday. I could do anything I wanted on my computer, except stay online. It would shut down within about 5 minutes, every time. My virus software detected nothing. Thank you so much!
200 posted on 08/12/2003 6:56:29 AM PDT by reaganite
