|May the source be with you, but remember the KISS principle ;-)|
Three men have been arrested in the Netherlands on suspicion of controlling a vast illegal computer network made up of more than 100,000 "zombie" personal computers.
The colossal scale of the network indicates the growing sophistication of computer crooks, whose motivation is to make money via spam email, online extortion and identity theft.
The Dutch authorities accuse the three men of using a virus called W32.Toxbot, which was released in February 2005, to infect home computers with "bot" software in order to create a distributed "botnet" of machines all over the world.
"With 100,000 infected computers, the dismantled botnet is one of the largest ever seen," the Public Prosecution Service said in a statement.
Don't worry about defending your operating system—first, check your security software! Formerly, OSes were the victim of choice for cracker attacks. But on Monday, June 20, 2005, the Boston-based analyst firm Yankee Group released a study of industry vulnerability data that reveals an ironic new target—the very software used to shore up system security.
"It's not so much that vulnerabilities in and of themselves are a problem; the problem, of course, is the bad guys who use them to create packaged exploits, taking unprocessed uranium and making munitions out of them," Group Senior Analyst Andrew Jaquith told Software Development. "We don't want security software to become a preferred conduit for professionally designed malware."
The group's 15-month analysis of ICAT, the computer vulnerability database from the Computer Security Division at the National Institute of Standards and Technology, reveals 77 vulnerabilities affecting a range of security products, with the rate of increased attacks matching that of the growth of the industry itself.
What caused this shift from the system to the programs designed to protect it? The study posits three reasons: First, Windows' ongoing improvements in its most easily exploited security flaws, notably Windows XP, Service Pack 2. Second, due to a lack of third-party and media analysis, security companies may have grown lax in development, testing and repair of potential problems, turning their antivirus and host intrusion prevention products into an easy bull's-eye.
The new Microsoft Client Protection product will guard against threats such as spyware, viruses and rootkits, Microsoft said Thursday. The software will offer IT administrators central management capabilities and work with Microsoft's Active Directory and Windows Server Update Services patch management tool, the company said.
Microsoft did not say how much the new product will cost or when it will be available in final form. A "limited beta" is due out by the end of the year and Microsoft plans to share additional details on the new product in the coming months, it said in a statement.
... ... ...
Microsoft is already testing Windows OneCare, the consumer counterpart of the newly announced Client Protection product. On Thursday, Fry Wilson said the company plans to deliver the final version of OneCare sometime next year.
In addition to its plans to secure enterprise PCs and file servers, Microsoft on Thursday said it is preparing the release of Microsoft Antigen for Exchange. The antivirus software for e-mail servers is a fruit of the company’s acquisition of Sybari Software early this year. A test version is due in the first half of next year, Microsoft said.
Three other Microsoft-branded Antigen products will also be available in beta next year, Fry Wilson said. These are Microsoft Antigen for SMTP Gateways, Microsoft Antigen Spam Manager and Microsoft Antigen Enterprise Manager, the representative said.
... ... ...
Since launching its Trustworthy Computing Initiative three years ago, Microsoft has been building its security muscle.
The company has made several security-related acquisitions, including ID management company Alacris last month and hosted e-mail security provider FrontBridge in July. Analysts, however, have criticized Microsoft before for not having a clearer and more productive strategy.
"We have spent and invested two years in laying the groundwork. We are now moving into a new phase of focus where we will be offering new products and services to provide defense-in-depth technologies to help customers secure their networks and systems," Fry Wilson said.
The "groundwork," according to Fry Wilson, first and foremost was the delivery last year of Windows XP Service Pack 2, a security-focused update to the operating system. Other pieces, she said, include the beta of Windows AntiSpyware and the launch of a new patching service in June called Microsoft Update.
... ... ...
The main lesson of the initial Zotob infection (the worst infection of the year) is that it is impossible to secure a large PC network against network worms without an automated patch management system, and no amount of policies, procedures and meetings can change this simple fact. Application of patches should be automatic for probably 80% of our PC base and manual (user controlled) for the other 20% (PCs that contain a few applications that have proved to be highly "patch sensitive").
The absence of Windows Update Services (WUS) or an alternative (for example, a Tivoli patch deployment solution) in many current large enterprise IT infrastructures makes such an infrastructure a lucrative target for any new network worm that exploits a vulnerability for which Microsoft released a patch less than a couple of weeks earlier (worm authors disassemble the Microsoft patch and plug the vulnerability into an already written skeleton code that is common to several recent worms). Actually, enterprise users who used Microsoft update services in a guerrilla fashion fared best during the initial Zotob epidemic and were able to continue working without interruptions.
That is why, despite all the efforts to apply patch MS05-039 during the week of Sept. 15, we were slightly hit by a new variant of the same worm at the end of last week. This variant was better debugged than the previous one and preyed on corporate PCs that still did not have patch MS05-039 installed. Both variants use the same exploit: the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
Please note that some new strains of Zotob (Zotob.C) can spread via email, not just via the PnP exploit, although Zotob.E, which is discussed below, is strictly a network worm and does not use e-mail for propagation.
It looks like excessive centralization of IT, along with bureaucratization, creates a worm-friendly environment in many large corporations.
The key question in this story is why the secondary infection with the Bozori variant was successful in so many corporations that had already suffered from Zotob. As minor as it was, it means that despite the high visibility of the initial worm and the additional management effort spent on it, there were enough unpatched PCs for this new strain to infect an initial set of PCs and create the critical mass that permitted the worm to propagate.
If we assume that the patching that was performed for Zotob was the best possible with the current technology, then the results suggest that the technology is completely outdated and inadequate. We all, and especially management, need to wake up to this fact. The sooner, the better.
BTW, if the first wave of the worm had been destructive (as the Chernobyl virus of a few years ago was), the results would have been pretty grim. So far none was. But in the future things might change. Unfortunately, the possibility that a worm could one day be released by a terrorist group with the explicit aim of damaging as many corporate PCs as possible cannot be completely discounted.
Unless patching technology is dramatically improved and some more or less modern technology is implemented, large corporations, with their typically low pace of patching and huge volume of completely or partially unpatched PCs, will be a lucrative target for any new worm.
One simple solution would be to switch to using the Microsoft update site for up to 80% of PCs (users can join this list voluntarily; some already did :-) or to implement an internal automatic update site. I think that no corporation has more than 20% of "special" PCs which might be negatively affected by "blind" Microsoft updates.
The second thing is to improve the infrastructure that permits controlling PCs via an agent and mass distribution of patches and programs on request. Here such packages as Tivoli, Microsoft Systems Management Server 2003, LANDesk, etc. come to mind. Mass deployment of SFU 3.5 + ssh might be a cheap and very helpful addition in a crisis situation when you need to perform similar tasks on all or most PCs in a short period of time.
- General Info
- Manual Removal using the W32.Zotob Removal Tool
- Links to relevant information
- Brief Summary
This worm creates up to 300 threads to scan for infectable systems, generating random addresses in the class B range of the infected workstation. For each generated address the worm sends SYN packets to TCP port 445, trying to exploit the vulnerability.
When a vulnerable system is found, the buffer overflow and shell code are sent to the remote system, creating an FTP script (2pac.txt is the script file name) and launching FTP.EXE to download and execute the worm from the source system (the FTP connection is established via TCP port 33333, and haha.exe is fetched).
This is a burst-style, one-time process. After the worm is done with it, it generates almost no traffic. That is why most networks survived pretty well once the initial infection packets had all been generated.
Summary of ports used:
- Port 445 - The worm scans for systems vulnerable to PnP exploit through this port
- Port 33333 - FTP server port on infected systems
- Port 8888 - The command shell port opened by the exploit code
Administrators can scan their segments using nmap -p 8888,33333 <segment> to detect infected computers. Please note that ports 445, 8888 and 33333 are blocked on many enterprise routers, so you can get results only within your local network segment. Please do not scan more than one class C segment at a time.
Ports 8888 and 33333 should be blocked on all firewalls and routers.
Depends a lot on your point of view (Score:5, Interesting)
by Thumper_SVX (239525) on Thursday August 18, @01:00PM (#13348661)
Myself I ended up at work 20 hours on Monday this week patching servers. Given that we have about 500 servers in our environment with one person doing the patching this wasn't so bad.
We ended up with a lot of problems because of this worm... less because it actually caused problems with the machines but more because we could see machines constantly trying to infect one another. It wasn't pretty. Our workstations were most at risk, being the largest installed base but also running Windows 2000 SP3 (not SP4 unfortunately). No patch has been generally released for SP3 WS's, but a custom patch IS available from Microsoft if you request it. Due to other factors in play, we have elected to upgrade to SP4 and install the appropriate hotfixes. This is not going to be pretty over about 10,000 workstations.
See, what some people miss when they say that any infection may be due to bad administration is simply that we're dealing with huge numbers of machines, both servers and workstations that are potentially vulnerable. Due to application compatibility and tested standardized platforms we often don't even get the option to keep stuff up to date. The only reason we even have Windows 2003 servers in place today is because we forced the issue with our Corporate guys when we implemented Active Directory; we informed them that we had a need for functionality not provided by Windows 2000 AD (which was true). There is a project currently under way to test Windows XP for rollout, but honestly chances are that Vista will be shipping by the time we even reach 50% rollout mark.
So, why the rant? Well, it must be understood that jumping on the latest patches is not always an option in the corporate environment. Also, jumping on the operating system bandwagon is rarely an option because there's a lot of regression testing that has to be done. Hell, there are some instances where we're having to push the application vendors to support Windows 2003 Servers in our Citrix environment because they've never tested it. Welcome to the realities of Corporate IT.
Are there solutions? Sure! However, none of them are acceptable to most corporations. Linux is not an option, neither is OSX. In both cases we come back to the legacy support issue. Citrix to share the applications? Great... but you're only redirecting the problem to the server farms, not eliminating it. Real world Corporate IT is not as black and white as people would like it to be, myself included.
This virus gained traction because most corporations work this way. It wasn't helped by the fact that McAfee and Symantec both waited two days after the virus was discovered to release a signature update that recognized it.
One positive thing though; this virus is forcing the management to finally listen to my department's complaints that we need to be more proactive about patch management, and this time stuff might get done. We've got a long way to go, but this should be the start of something better.
Non-issue for any competent admin (Score:2, Informative)
by Mortimer82 (746766) on Thursday August 18, @01:17PM (#13348870)
Granted, I deal only with about 150 users, over about 6 companies, however, I haven't even had a reported case of this worm.
The only excuse for an administrator having a problem with this, is if the patch is incompatible with some or other software.
Any competent administrator knows:
- When Microsoft is releasing their patches.
- To use either Software Update Services or, more recently, Windows Server Update Services [microsoft.com] (WSUS).
WSUS works like a charm, you can tell it to check for updates every day, and then all clients on the network can be forced to apply the patches.
There are instances where WSUS cannot really help much:
- Laptop users: These users may get infected from their home connection before they get to the office, however, this should not really be able to happen if they are running a personal firewall (such as Windows XP SP2's firewall), and even if they do get infected, the worst possible collateral should be a couple of other, as yet, unpatched laptops on the network.
- 0 day worms: I would say that, reasonably, you are looking at about 24 hours for all desktop machines to get autopatched. Worms that get made in this time window may be able to sneak in.
- Worms which target an unknown vulnerability: Short of ultra-strict firewall policies, as well as no laptop users, a worm like this is more than likely going to cause havoc.
It's called preventative maintenance, you can replace your brakes after they fail, but if you do it before they fail, it saves you having to repair the rest of your car as well.
In summary, all administrators from companies that run a domain controller, and have a reasonable amount of resources, should NOT have experienced any major outbreak. So stop whining, clean up your mess, do your job properly now and avoid future problems.
Re:Non-issue for any competent admin (Score:1, Insightful)
by Anonymous Coward on Thursday August 18, @01:59PM (#13349297)
Hate to tell you this, bub, but you and your 150 machines are small-time, so you shouldn't go making broad pronouncements about who's competent or incompetent, based on your limited experience-- you're just a babe in the woods.
Any competent administrator of large entities of the sort that are getting hit with these worms knows to never roll out any Microsoft patches without first testing them thoroughly on non-production hardware to see if they break anything important.
Too many companies have gotten burned in the past by patches [desktoppipeline.com] that caused [systemsman...peline.com] worse problems [asp.net] than the worm infections they were supposed to prevent. Blindly rolling out a patch to production machines just because Microsoft says it's okay is pure folly.
Re:Non-issue for any competent admin (Score:2)
by Scorchio (177053) on Thursday August 18, @02:30PM (#13349609)
That's a fair point about testing any new patches first. I feel an anecdote coming on...
A couple of years ago, there was a Windows patch that somehow affected 3dsmax. Files saved from 3dsmax on a patched machine could only be read on other patched machines, while files from unpatched machines could be happily read on either. Much confusion ensued. I think it took a day or so to uncover what was really going on, but it caused us more problems than we'd ever had with viruses.
Quite what the patch or 3dsmax was doing to accomplish this feat, I don't know. Utterly brilliant.
Re:Non-issue for any competent admin (Score:1)
by Mortimer82 (746766) on Thursday August 18, @03:11PM (#13349988)
The only excuse for an administrator having a problem with this, is if the patch is incompatible with some or other software.
I fully understand that patches need to be tested. You know when the patches are about to be released and if 3 days is not good enough, then you need more IT staff, or more standardized hardware/software. In addition to that, allocate users/computers into update groups, and as you test one configuration, update that, test the next, and so on and so forth.
Security rollups and service packs don't need to be installed right away, to the best of my knowledge, Microsoft, at least initially, releases all security fixes individually as well.
If the company you work for isn't allocating the resources you need to roll out patches effectively, tell them, if they don't/can't give you what you need, they must accept it when a worm wreaks havoc on their network despite the IT departments best efforts.
Also "old man", I may be small fry in terms of number of users, but all too often I see so-called "trained" and "experienced" people going about their IT job not really having a clue. If you are indeed good at what you do (I really wouldn't know) you will know that the best people in IT are the ones that understand what they work on, as well as a lot of its inner workings. I never just click something because that's what I am told works; I click a button because I know where I am headed, and why that click takes me closer to that goal.
Provided they listen to us, all the clients my company consults for have almost completely trouble-free IT. And we haven't really had an unhappy customer, because when things do go wrong, it is inevitably because they specifically chose, for reasons normally related to cost, not to go for our recommendations, and as such they humbly accept the consequences.
Server/network-level blocking (Score:2)
by phorm (591458) on Thursday August 18, @01:28PM (#13348976)
(http://www.phormix.com/ | Last Journal: Monday May 19, @01:08PM)
Just a curious question:
Are there any systems that could be set up to locate clients (say in a LAN) attempting to propagate worm infections, and then pass on an autopatch or something similar to clean it out (using whatever exploits/backdoors the worm opens or got in with)?
Alternately, how about something that would deny those machines access to the network, perhaps by having a master password on local routers and commands capable of directing traffic from infected machines (on infection ports at least) to the bit-bucket.
Re:Server/network-level blocking (Score:0)
by Anonymous Coward on Thursday August 18, @03:14PM (#13350011)
#1. Snort + shell scripts.
Re:Server/network-level blocking (Score:0)
by Anonymous Coward on Thursday August 18, @03:54PM (#13350348)
Cisco has a product like that, called CSA. It detects odd machine behavior and shuts only the port. Say a workstation starts to massively send SMTP to anywhere; it will shut the SMTP port, because it's not the expected behavior for this workstation. So even if you're not patched against a virus or a worm, it will prevent it from propagating. It also scans and quarantines any new workstation and won't permit it to reach the rest of the network until it's compliant with the security policy inside the company.
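The LAN-level detection asked about in this thread, applied to the scanning pattern described in the worm summary above (a burst of SYNs to TCP port 445 towards many distinct addresses in the infected host's class B range), can be prototyped from flow records. The script below is an added example and is not code from the page, from Snort, or from Cisco CSA; the flow record format (epoch seconds, source, destination, destination port), the sample traffic and the thresholds are all constructed assumptions to be tuned per site. It flags sources whose peak number of distinct port-445 targets inside a sliding 60-second window exceeds a threshold and produces the candidate list a quarantine ACL would be built from:

```python
"""Sliding-window detector for burst-style SMB scanning (many SYNs to
TCP/445 across many distinct hosts in a short time).  Added example; the
flow record format "epoch_seconds src dst dport" is a constructed
simplification, not any product's real format."""
from collections import defaultdict


def parse_flows(text):
    """Parse constructed flow lines into (ts, src, dst, dport) tuples.
    Blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        rows.append((int(ts), src, dst, int(dport)))
    return rows


def find_scanners(flows, port=445, window=60, min_targets=20):
    """Return {src: peak_distinct_targets} for every source that contacted at
    least `min_targets` distinct destinations on `port` within any
    `window`-second interval.  Thresholds are assumptions to tune per site:
    a workstation talking to a handful of file servers stays well below
    them, a worm sweeping a class B range does not."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> hits inside the current window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events that fell out of the window [ts - window, ts]
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def quarantine_list(flagged):
    """Hosts to hand to the network team (or an ACL script) for isolation,
    most aggressive first."""
    return [src for src, _ in sorted(flagged.items(),
                                     key=lambda kv: (-kv[1], kv[0]))]


def build_sample_flows():
    """Constructed sample: one normal workstation and one scanning host."""
    base = 1124380800  # constructed timestamp
    flows = []
    # normal host: SMB to three file servers spread over 30 minutes, plus web
    for i, dst in enumerate(["10.1.2.3", "10.1.2.4", "10.1.2.5"]):
        flows.append((base + i * 900, "10.1.2.50", dst, 445))
    flows.append((base + 10, "10.1.2.50", "192.0.2.10", 80))
    # infected host: 45 distinct targets across its class B within 8 seconds
    for i in range(45):
        flows.append((base + 3600 + i % 8, "10.1.2.15",
                      f"10.1.{7 + i // 10}.{1 + i % 10}", 445))
    return flows


if __name__ == "__main__":
    hits = find_scanners(build_sample_flows())
    for src in quarantine_list(hits):
        print(f"{src}: {hits[src]} distinct targets on tcp/445 in 60 s")
```

The design point is that the signature is behavioural rather than content based: it needs no knowledge of the exploit payload, so it also catches the next variant, and it stays quiet for a host that legitimately talks SMB to a few servers because the distinct-target count, not the packet count, is what is thresholded. The output is a list of candidates for isolation, not an automatic block; the thread's suggestion of pushing a fix to the infected host is a separate decision.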
Here is the way to do it using XP’s built-in features. These are NOT images. They simply restore files. You can export the registry to a file but there is no way I know of to restore the registry from this file in the event of a disaster. To do so: Press the Windows & R keys > type regedit > highlight My Computer in the window > on the toolbar choose File > Export and choose a title and location for the file.
XP PRO (and XP HOME too!)
You use the Backup utility. Go to: START > PROGRAMS > ACCESSORIES > SYSTEM TOOLS > BACKUP. The wizard will launch, click next. Choose BACKUP FILES AND SETTINGS. Click next. Choose LET ME CHOOSE WHAT TO BACKUP. Click next. Expand the section for MY COMPUTER (click the minus sign next to it) and place a check mark in the box next to SYSTEM STATE DATA. (My advice is to also add the drive containing XP or at least the WINDOWS folder. However this does add considerable time and size to the backup.) Click next. Now choose a place to store the info and name it. (If you want to backup to a CD, go here to find out how: NTFAQ.com) Click next. At the next screen, most users should just click next. Advanced may want to choose a different type of backup by using the advanced tab.
Go to: START > PROGRAMS > ACCESSORIES > SYSTEM TOOLS > BACKUP. The wizard will launch, click on the ADVANCED button. Click on the RESTORE WIZARD (Advanced) button. Click next on the following screen. Choose the backup you want. Click next and follow the remaining screens. You are done.
You don’t see the Backup option in XP Home? You have it on the CD. It just isn’t part of the default installation. Put the XP CD in the drive and exit out of the screen that pops up. Go to My Computer > Right Click on the drive containing the XP CD > choose Explore. Now click on VALUEADD > MSFT > NTBACKUP > click the NTBACKUP Installer Icon.
- RepairIE4XP.reg [right-click and select: Save As]
Restores the IE search URLs, HTTP prefixes, and many others.
- RepairDefaultPrefix.reg [right-click and select: Save As]
Repairs the corrupted or altered (spyware) HTTP prefixes
Note: HijackThis can also repair the DefaultPrefix entry [more info]
- RepairTabs.reg [right-click and select: Save As]
1) Restores the missing Tabs in IE (usually spyware related)
2) Unlocks the grayed-out Home Page section
3) Removes the Administrator message in Internet Options
Note: HijackThis can also repair the "Missing Tabs" restriction [more info]
- UnlockNoBrowserOptions.reg [right-click and select: Save As]
Removes the Administrator message in Internet Options
SpyBot also has this option in the Immunize section [more info]
- EnableRegistryTools.reg [right-click and select: Save As]
Unlocks the "Disable Regedit" entry, or use HijackThis [more info]
- UnlockHomePage.reg [right-click and select: Save As]
Unlocks the grayed-out Home Page section on the General Tab
Tip: Prevent your "HomePage" setting from being Hijacked
To use: download - right-click and select: Edit to view in Notepad.
Right-click and select: Merge - to enter the info into the Registry, and reboot.
Note: always backup the Registry before making any changes. Also be aware these reg files are intended for stand-alone or home users. Corporate users are urged to check with their network supervisor before removing restrictions.
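Before merging one of these files, the sensible check is to see exactly which keys it would set and which it would delete, rather than trusting the file name. The dry-run parser below is an added example (it is not one of the files listed above and not written by their author); the embedded .reg text is a constructed sample modelled on what an IE-repair file of this kind typically contains, and the registry paths in it are my assumptions, not taken from the page's files. It understands the common value syntaxes (string, dword, hex with line continuation, and the "-" deletion marker), key deletion via a leading "-", and reports which operations touch a Policies branch:

```python
"""Dry-run auditor for .reg files: lists what a file would set or delete
before it is merged.  Added example; SAMPLE_REG is constructed and only
modelled on what an IE-repair file typically touches."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample, modelled on an IE-repair .reg file
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=-

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"Example"=hex:01,00,\
  02,00
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


def _decode_data(raw):
    """Map the textual value syntax to (type, python value)."""
    raw = raw.strip()
    if raw == "-":
        return "delete", None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if m:
        return "REG_DWORD", int(m.group(1), 16)
    m = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ",
                "7": "REG_MULTI_SZ"}.get(m.group(1), f"hex({m.group(1)})")
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return kind, data
    return "unknown", raw


def _join_continuations(text):
    """Hex values may span lines with a trailing backslash; stitch them."""
    joined, buf = [], ""
    for line in text.splitlines():
        buf += line.strip() if buf else line.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        joined.append(buf)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def parse_reg(text):
    """Return (header_ok, ops); each op is a dict with op/key/name/type/data."""
    lines = _join_continuations(text)
    header_ok = bool(lines) and lines[0].startswith(("Windows Registry Editor", "REGEDIT4"))
    ops, key = [], None
    for line in lines:
        s = line.strip()
        if not s or s.startswith(";") or s.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if s.startswith("[") and s.endswith("]"):
            path = s[1:-1]
            if path.startswith("-"):          # "[-KEY]" deletes the whole key
                ops.append({"op": "delete_key", "key": path[1:],
                            "name": None, "type": None, "data": None})
                key = None
            else:
                key = path
            continue
        m = _VALUE_RE.match(s)
        if key is None or not m:
            raise ValueError(f"unparseable line: {s!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        kind, data = _decode_data(m.group(2))
        op = "delete_value" if kind == "delete" else "set_value"
        ops.append({"op": op, "key": key, "name": name,
                    "type": None if op == "delete_value" else kind, "data": data})
    return header_ok, ops


def summarize(ops):
    """Counts plus the keys under a Policies branch, which are the ones that
    change lockdown state and deserve a second look before merging."""
    return {
        "sets": sum(o["op"] == "set_value" for o in ops),
        "deletes": sum(o["op"] in ("delete_key", "delete_value") for o in ops),
        "policy_keys": sorted({o["key"] for o in ops if "\\policies\\" in o["key"].lower()}),
    }


if __name__ == "__main__":
    ok, ops = parse_reg(SAMPLE_REG)
    print("header:", "ok" if ok else "MISSING")
    for o in ops:
        print(o["op"], o["key"], o["name"], o["type"], o["data"])
    print(summarize(ops))
```

When auditing a real file from disk, note that .reg files exported by XP's regedit (the "Version 5.00" header) are UTF-16 with a byte-order mark, so read them with open(path, encoding="utf-16"); the older REGEDIT4 format is plain 8-bit text. The same backup advice in the note above applies before any merge: export the affected keys first so the change can be reversed.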