

The new virus can infect USB storage devices, in addition to attacking over corporate Ethernet networks. While a patch from Microsoft will protect against the Ethernet attacks, there is currently no patch that stops the USB-side attacks; only antivirus software can block them.  (Source: IoCell)
New worm is very sophisticated and spreading fast

Last week the international community was hit by one of the worst viral internet attacks to take over the corporate world in recent years.  The worm -- which goes by the names Downadup, Conficker, or Kido -- had infected 8 million computers, almost all on corporate networks, by Friday.  As Mikko Hypponen, chief research officer at anti-virus firm F-Secure, describes it, "On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million.  It's getting worse, not better."

As of today, an estimated 8.9 million machines are infected with the virus.  The very sophisticated worm exploits multiple security flaws in Microsoft's Windows operating systems.  It injects itself into services.exe, a common system process, and creates a new DLL file in the Windows system folder with a random five-letter name.  It then makes registry edits that register this DLL as a service, so it is run automatically on restart.
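The persistence mechanism described above (a service whose ServiceDll points at a freshly created five-letter DLL in the system folder) gives a responder something concrete to look for. The PowerShell below is an added example, not code from the article or from any vendor: it walks the service registry tree, picks out svchost-hosted services whose ServiceDll lives in the system directory and matches a five-letter name, and reports whether the file carries a valid Authenticode signature. The name pattern is an assumption drawn from the article's description and will also match a few legitimate Windows DLLs, so the output is a triage list for an analyst, not a verdict.

```powershell
# Added example (not from the article): triage svchost-hosted services whose
# ServiceDll follows the short random-name pattern the article describes.
# Run from an elevated prompt on the machine under investigation.

function Get-SuspiciousServiceDll {
    param(
        # Assumption: five lowercase/uppercase letters plus .dll, as the article
        # describes. Legitimate DLLs such as ersvc.dll also match; review manually.
        [string] $NamePattern = '^[A-Za-z]{5}\.dll$'
    )
    $systemDir = [Environment]::SystemDirectory

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $paramsKey = Join-Path $_.PSPath 'Parameters'
        if (-not (Test-Path $paramsKey)) { return }

        # ServiceDll is the DLL svchost.exe loads for this service
        $dll = (Get-ItemProperty $paramsKey -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }

        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $leaf     = Split-Path $expanded -Leaf
        $folder   = Split-Path $expanded -Parent

        if ($leaf -match $NamePattern -and $folder -ieq $systemDir) {
            # A missing file or an unsigned/invalid signature is the interesting case;
            # Microsoft's own service DLLs are signed.
            $signature = if (Test-Path $expanded) {
                (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else {
                'FileMissing'
            }
            [pscustomobject]@{
                Service    = $_.PSChildName
                ServiceDll = $expanded
                Signature  = $signature
                Created    = if (Test-Path $expanded) { (Get-Item $expanded).CreationTime } else { $null }
            }
        }
    }
}

# Services with unsigned, invalid or missing DLLs sort to the top for review.
Get-SuspiciousServiceDll | Sort-Object Signature, Created | Format-Table -AutoSize
```

Run it on a known-clean build of the same Windows image first and keep that output as a baseline; anything that appears only on the suspect machine, or that was created recently and is not signed, is what to pull for analysis.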

Once it has its grip on the system, it creates an HTTP server and downloads malware onto the computer from hacker web sites.  It also wipes out System Restore by resetting it, making the system harder to recover.  While many viruses download malware from a handful of web sites, allowing the installed files to be removed easily, this one is much trickier.  Every day hundreds of dummy domain names are generated by an algorithm coded into the worm, with only one being the actual malware site.  This makes it extremely difficult to find exactly what is being installed each day.
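The domain-generation behaviour just described has a detectable side effect on the defender's side: a host that tries hundreds of generated names per day, only one of which resolves, produces a burst of NXDOMAIN answers for distinct, never-before-seen domains. The PowerShell below is an added example, not the article's or any vendor's code. It parses a small constructed DNS log in a simple "timestamp,client,query,rcode" CSV layout (an assumption; adapt the parser to your resolver's real log format) and flags clients whose distinct failed lookups exceed an illustrative threshold.

```powershell
# Added example (not from the article): flag clients whose DNS failures look like
# a domain-generation algorithm at work. Log lines below are constructed sample
# data in an assumed "timestamp,client,query,rcode" layout.

$SampleLog = @'
2009-01-19T08:00:01,10.0.5.23,www.example.com,NOERROR
2009-01-19T08:00:02,10.0.5.23,mail.example.com,NOERROR
2009-01-19T08:01:10,10.0.5.41,qwfkz.biz,NXDOMAIN
2009-01-19T08:01:11,10.0.5.41,mplrv.info,NXDOMAIN
2009-01-19T08:01:12,10.0.5.41,zzhtx.org,NXDOMAIN
2009-01-19T08:01:13,10.0.5.41,kdyrl.net,NXDOMAIN
2009-01-19T08:01:14,10.0.5.41,pwvqa.com,NOERROR
2009-01-19T08:01:15,10.0.5.41,ujtqn.biz,NXDOMAIN
2009-01-19T08:02:00,10.0.5.23,intranet.example.com,NOERROR
2009-01-19T08:02:30,10.0.5.23,typo-exmaple.com,NXDOMAIN
'@

function Find-DgaSuspects {
    param(
        [Parameter(Mandatory)] [string] $LogText,
        [int]    $MinDistinctNxDomain = 5,   # illustrative thresholds: tune per network
        [double] $MinFailureRatio     = 0.5
    )

    # Parse each CSV line into an object; queries are lower-cased so case
    # variants of one name are counted once.
    $rows = $LogText.Trim() -split "`r?`n" | ForEach-Object {
        $f = $_ -split ','
        [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Query = $f[2].ToLower(); RCode = $f[3] }
    }

    foreach ($group in ($rows | Group-Object Client)) {
        $failed = @($group.Group | Where-Object { $_.RCode -eq 'NXDOMAIN' })

        # Count DISTINCT failing names: one mistyped hostname retried many times
        # should not trip the rule, a stream of different names should.
        $distinct = @($failed | Select-Object -ExpandProperty Query -Unique).Count
        $ratio    = $distinct / $group.Count

        if ($distinct -ge $MinDistinctNxDomain -and $ratio -ge $MinFailureRatio) {
            [pscustomobject]@{
                Client           = $group.Name
                DistinctNxDomain = $distinct
                TotalQueries     = $group.Count
                FailureRatio     = [math]::Round($ratio, 2)
                Sample           = (@($failed | Select-Object -First 3 -ExpandProperty Query)) -join ', '
            }
        }
    }
}

# With the sample data only 10.0.5.41 is reported (5 distinct NXDOMAIN out of 6 queries);
# 10.0.5.23's single typo stays below both thresholds.
Find-DgaSuspects -LogText $SampleLog | Format-Table -AutoSize
```

In production the grouping window matters: the worm's list changes daily, so aggregate per client per day, and whitelist resolvers, proxies and monitoring hosts that legitimately generate failed lookups on behalf of others.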

The virus's main method of transmission is via local networks.  Once a computer on the network is infected, it scans for other computers on the network and then uses the aforementioned Windows security flaw to attempt to gain access to them.  While the computers are typically password protected, the virus can guess shorter passwords by brute force.  Once it finds the right password, it infects the next computer, which joins the attacking ranks.

Microsoft has a patch which protects against the Ethernet side of the attack -- MS08-067.  Companies are strongly recommended to get this patch as the virus is rapidly spreading across Europe, the United States, and Asia.

Graham Cluley, senior technology consultant with anti-virus firm Sophos, describes the situation: "Microsoft did a good job of updating people's home computers, but the virus continues to infect businesses that have ignored the patch update.  A shortage of IT staff during the holiday break didn't help, and rolling out a patch over a large number of computers isn't easy.  What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order."

However, while the patch may slow the spread of the virus, it may not be enough to stop it.  The most recent variant of the worm, released two weeks ago and responsible for the skyrocketing number of infections, can transmit itself via USB, an attack route that currently no Windows patch blocks.  While properly updated antivirus software may block the attack, relying on such a software block alone is a risky proposition.

Kaspersky Lab security analyst Eddy Willems describes the virus's nightmarish spread: "The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism."

Thus far the virus has only been used to inject malware into PCs.  But security experts warn that attackers could use their foothold on the system to start stealing users' and customers' credit card numbers and personal information.  It could also be used to completely hijack the computer, adding it to a botnet.

Ultimately the only current solution is for companies to patch their machines, quarantine and remove malware from infected machines, and disallow use of USB storage devices.



Comments

Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 3:58:16 PM , Rating: 4
Isn't it more reasonable to just disable Windows autorun feature? So that it won't start those autorun.inf files automatically when USB stick is inserted. Can it be done with a group policy at once for the whole corporate network?

I just don't get it why cut off the arm or leg instead of curing it by a simple bandaid or something... could someone with Windows network administration experience please explain?




RE: Disallow use of USB storage devices? Why?
By lantr on 1/19/2009 4:33:01 PM , Rating: 2
There are several places to disable autorun and it's kind of a pain. I found this interesting solution:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Here: http://www.windowssecrets.com/2007/11/08/02-One-qu...
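The registry snippet in the comment above can be applied and, more importantly, verified from PowerShell rather than by importing a .reg file by hand. The script below is an added example, not the commenter's or the linked article's code. It writes the same Autorun.inf IniFileMapping redirection quoted above, optionally sets the conventional NoDriveTypeAutoRun policy value alongside it, and returns an object showing the state of both so the check can be run across a fleet from a remote session. Run it elevated; the key paths and value names are the standard ones, and the "apply" functions are an assumption about how you would choose to deploy them.

```powershell
# Added example (not from the comment or the linked article): apply and verify
# the Autorun.inf mapping workaround from PowerShell. Requires an elevated prompt.

$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-AutorunInfBlocked {
    # Same effect as the REGEDIT4 snippet: every Autorun.inf lookup is redirected
    # to a registry location that does not exist, so no autorun entries are found.
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Set-AutoplayPolicyDisabled {
    # Conventional policy value behind the "Turn off Autoplay" group policy setting;
    # 0xFF disables it for all drive types. Kept as a separate control so each
    # can be verified on its own.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutorunHardening {
    # Read both settings without changing anything; suitable for Invoke-Command
    # against many machines, with the results collected centrally.
    $map = if (Test-Path $IniMapKey) { (Get-ItemProperty -Path $IniMapKey).'(default)' }
    $pol = if (Test-Path $PolicyKey) {
        (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AutorunInfMapped   = ($map -eq '@SYS:DoesNotExist')
        NoDriveTypeAutoRun = if ($null -ne $pol) { '0x{0:X2}' -f [int]$pol } else { 'not set' }
    }
}

# Typical use: apply both controls, then confirm.
Set-AutorunInfBlocked
Set-AutoplayPolicyDisabled
Test-AutorunHardening
```

Because the check is a plain function returning an object, it can be wrapped in Invoke-Command -ComputerName against a list of hosts and the results filtered for AutorunInfMapped -eq $false, which answers the thread's question of whether the whole network is covered without touching each machine by hand.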


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 4:40:46 PM , Rating: 3
So it's impossible to disable autorun feature for USB sticks through the domain group policy, for the whole corporate network at once. Great. That's another nice heavy stick to beat Windows/Microsoft zombies when they start babbling about so called "Vista security". Thanks for the link :-)


RE: Disallow use of USB storage devices? Why?
By Jonesd on 1/19/2009 4:45:16 PM , Rating: 2
You can stop autorun via group policy or disable USB devices or be selective, no thumb drives, only printers and mice etc. The trouble arrives from the format being .admx instead of .adm so quite a few admins who haven't yet sampled Svr2008 or the Vista 70-622 exam won't have a clue.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 5:07:29 PM , Rating: 2
quote:
You can stop autorun via group policy
Which doesn't help according to http://www.windowssecrets.com/2007/11/08/02-One-qu...


RE: Disallow use of USB storage devices? Why?
By gonks on 1/20/2009 1:29:54 AM , Rating: 2
Just create a folder named "Autorun.inf" on your usb stick if you don't want to disable autorun on other devices


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/20/2009 4:16:06 PM , Rating: 2
Like it's gonna help in a corporate environment with 1000s of PCs all equipped with USB :))) *LOL*


RE: Disallow use of USB storage devices? Why?
By lantr on 1/19/2009 4:53:31 PM , Rating: 4
How did you read that and turn it into a Vista bash? You sound a bit biased. You sound like an IT Zombie. BTW, please explain Apple or Linux Group policy. Not in regards this, just in general.. How do you configure 1000 boxes in a corporate environment??


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/09, Rating: -1
RE: Disallow use of USB storage devices? Why?
By chick0n on 1/20/2009 9:13:22 AM , Rating: 4
No holes in Mac OS ? ROFL !!!!!!!!!

HAHAHAHAHAHAHa

You just made my day.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/20/09, Rating: -1
RE: Disallow use of USB storage devices? Why?
By Etsp on 1/20/2009 7:55:34 PM , Rating: 3
Wow, you're actually so ignorant it's funny. You want to know why Macs get less detected infections? It's because no one wants to put the time in to writing viruses for Macs. There simply isn't a market for it.

Now, if we see a 2 year trend where Mac dominates the Corporate Marketplace, you can bet on Macs getting broken into, more often, and in worse ways than Windows based Machines do.

So, your biased and misinformed comment of
quote:
No holes in Mac OS? No holes like "autorun" hole in Windows.
is so untrue it's almost laughable. There are no popular exploits for Macs quite like this current virus, but that is by no means an indication that there isn't the potential for one.

Let's not forget their recent security hole in how they implemented DNS(granted, several other operating systems were also affected), which allowed for DNS poisoning. Now, other major operating systems patched that MAJOR SECURITY FLAW in days, while Mac took MONTHS to roll out a patch.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/20/09, Rating: 0
RE: Disallow use of USB storage devices? Why?
By mailtrust on 1/21/2009 1:06:04 AM , Rating: 2
How does OS X read a USB stick? And.. what is that fancy little thing that comes up on the desktop when you put in a USB stick in the drive?

Actually, can you go into exact detail of how OS X handles a USB stick? Heck, can you post the 'code' and all related handles with that? And.. can you give me some names of some large corporate companies that use OS X (besides Apple) as their main structure.. I'd like to be able to shoot that stuff around in my next visit to Apple store and i'm standing next to some bigshot executive.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/21/2009 5:25:04 PM , Rating: 1
quote:
can you give me some names of some large corporate companies that use OS X
"Large corporate companies" usually don't buy/lease Japanese or German luxury cars for their employees. They provide their employees with cheapo low quality American cars like Chevys. "Large corporate companies" save money by doing this. Got it?
quote:
How does OS X read a USB stick?
Mac OS X DOES NOT automatically execute any code from USB stick when it is inserted into the computer's USB port, but Windows DOES. End of story.


RE: Disallow use of USB storage devices? Why?
By wayout41 on 1/21/2009 5:42:29 PM , Rating: 2
Arg,

And how many luxury cars have the chassis of Hondas and engines made by Ford with huge bumped up profit margins and large price tags that make buyers feel superior. Some buyers even find the need to join clubs and openly show off about their expensive car. Some mistake the large price tag they paid for actual knowledge of cars when actually as it turns out they are fools.

But hey mac OS is really different to all that. The fact that at the last security convention it was the first to be cracked out of 3 (vista, linux, osx) is not an issue because you paid a lot and Apple aren't just getting rich they really care.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/21/09, Rating: 0
RE: Disallow use of USB storage devices? Why?
By nilepez on 1/21/2009 11:34:28 PM , Rating: 2
quote:
You just noted an important difference between Mac OS X and Windows - while Mac OS X is getting hacked at security conferences, Windows is getting hacked everywhere else ;-)


Of course not.
Let's say that you're in the business of Crime/malware.

Let's make the following assumptions:

X hours is spent on each of 2 attacks.

Attack 1 targets windows and successfully infects 20% of the user base.

Attack 2 targets OS X and successfully infects 80%

Which system would you attack?

If you answer anything other than Windows, then you fail Math 101.

It's a numbers game, and despite its growth in the past few years, Apple still doesn't have the numbers to justify the effort. Desktop Linux has even smaller numbers and a generally more knowledgeable user base, which is the key to preventing most attacks (though not this one).

Besides, the reason this attack was successful is because Admins didn't patch the machines.

In the 90's, Unix servers were attacked (which brought the internet, in many areas, to its knees). Why? Because admins hadn't patched known issues months after patches were issued.

In short, IT was too complacent about applying security patches. Some things never change, even if the OS that's attacked does.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/22/2009 2:32:54 PM , Rating: 1
quote:
the reason this attack was successful is because Admins didn't patch the machines
You forgot the main reason - the EXISTENCE of the autorun hole, created by brainless morons from Redmond. Hopefully they will be fired among the 5000 jobs MS has cut today. See how MS pays for its stupidity? Here's a tough lesson for you, Redmond. Be smarter next time and you won't need any job cuts like today :-P


RE: Disallow use of USB storage devices? Why?
By wayout41 on 1/22/2009 5:45:41 PM , Rating: 2
Wow, and I didn't think you could come across as more of an idiot. But then you throw in a binder like that one. You become inconsiderate as well. Did you think for a moment about the fact that these guys are now out of a job? That they can't pay bills? It's not something to use in an argument you're failing to make; it's actually people losing their jobs. No one wants that, apart from you apparently. Enjoy fighting your corner here, I'm out.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/22/09, Rating: 0
RE: Disallow use of USB storage devices? Why?
By digimob on 1/23/2009 8:11:18 AM , Rating: 2
Or alternatively they could completely bollocks up their OS and then just go buy someone else's... oh wait... Apple did that...

Let's be honest - Vista blows from some points of view, but then again, it's a completely different beast to OSX... It can't only be installed on one device with one spec sold by one vendor... but that's the apple business model and they are happy with it and it makes them lots of money... so good luck to them!

But neither of these issues have anything to do with this worm... which is caused by poor administration of networks... as they said in the article, it's not been an issue for home computers because they were updated automatically...


By Pirks on 1/23/2009 5:45:04 PM , Rating: 2
quote:
this worm is caused by poor administration of networks
Why did you conveniently forget the "autorun" hole that has not been EVER patched by MS in Windows XP?


By Jack Ripoff on 1/21/2009 2:18:22 PM , Rating: 2
On Linux and on most Unix systems, the most straightforward (and simple) way is to set up NFS shared /etc folders for your boxes. This works with n boxes, there is no theoretical upper limit. There are other vendor-specific ways to do this though (Novell, Mandriva, Red Hat, etc.).


RE: Disallow use of USB storage devices? Why?
By Jonesd on 1/19/2009 4:41:55 PM , Rating: 2
Usually admins take the quick route, especially new admins that want an MCSE result. They skip the 70-622 exam and head straight for the easy 70-620. If they'd take the 622, they'd realise that the .admx group policy updates cover all of this. Either way, what's an admin doing letting ANY portable USB drive onto the network?

It would literally take minutes to turn off autorun and usb drive access using group policy. Job done. Also takes minutes to initially configure and force all pcs to use Windows Software Update Services (WSUS). Lazy.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/09, Rating: 0
RE: Disallow use of USB storage devices? Why?
By RubberJohnny on 1/19/2009 6:40:01 PM , Rating: 2
quote:
It would literally take minutes to turn off autorun and usb drive access


Can you read? or did you stop after the word autorun cause it suits your argument?


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/09, Rating: 0
By amandahugnkiss on 1/19/2009 10:17:39 PM , Rating: 2
No one should have to disable USB drive access (I think Jason Mick should be the one to give you your answer, he's the one that put the comment into the article).

Any company that has halfway decent IT shouldn't have users running unpatched machines, or using accounts with weak passwords, and if possible not running as admins (though it is understood that some older apps require this). Had they met these conditions then they would not be in a position to even consider needing to disable USB.

The article states that they are using brute force attacks to gain access on machines with simple to guess passwords, anyone who doesn't practice using strong passwords pretty much deserves what they get as brute force attacks are about as simple as they get, and the most simple to circumvent as well.

The title of this article should read more like "Dumb IT Guys Refuse to Update Machines with Security Patches and Cause Widespread Infection by Worm".


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 11:08:56 PM , Rating: 1
quote:
No one should have to disable USB drive access
Exactly my point!

I just can't get it why one should disable a useful feature such as USB thumb drive access when the real solution is to plug a huge security hole created by braindead idiots from Redmond.

Would you heal a bruise on your arm or would you chop your arm off instead of healing it? ;-)


By amandahugnkiss on 1/20/2009 12:55:21 AM , Rating: 1
yawn.


RE: Disallow use of USB storage devices? Why?
By mailtrust on 1/21/2009 1:13:47 AM , Rating: 2
I will answer the question for you.. as well as anyone else who works in any corporation that has any sort of competition (lo and behold, even Apple).

You should disable USB drive access because... users [you know, the people who sit in front of the computer] can buy a cheap USB drive.. put it into the computer [because that's what you do with USB drives.. you plug them into computers].. and what do you think will happen next?

POP QUIZ!!
Any IT administrator will..
1) Assume the worst.
2) Smile and say go right ahead.
3) Look up what a USB drive does.

Here's a hint: Think disgruntled underpaid employee who is looking to be hired by the competition.


By Pirks on 1/21/2009 5:30:39 PM , Rating: 3
Remove all PCs and all the internet access from the company. Hint: think disgruntled, inventive and underpaid employee who is looking to be hired by the competition.


RE: Disallow use of USB storage devices? Why?
By Lord 666 on 1/19/2009 6:57:52 PM , Rating: 2
Sounds odd, but I thought 70-620 was a bit more challenging than anticipated for that level exam. Just cleared 70-625 as well and that was straightforward.

Before you form any opinions on me, I also have MCSA/MCSE 2000/2003, MCDBA 2000, CCVP, and now have to reschedule my CCIE Voice before July. In the process as well for updating to 2008 revs for MCP stuff.


RE: Disallow use of USB storage devices? Why?
By Jonesd on 1/20/2009 2:31:28 AM , Rating: 2
Hello. The 70-620 is a 'fixing a client pc' type exam so it's a quick and easier path to MCSE/SA. Nowhere near as hard as the 70-270 for xp. The 70-622 fills in the blank and reaches the 70-270 level.

Not trying to annoy anyone, it's just that Microsoft should have placed the 70-622 as a required exam as it's a valuable exam for admins. 70-620- Home Clients. 70-622- Enterprise

Recently visited a training company and the 6 general access pcs in the front of the building.. no SP3, no ie7, no new updates then.... ooopsss


By Lord 666 on 1/20/2009 3:12:57 AM , Rating: 2
Also took 70-270 long time ago and will disagree with you on that it is "harder than 70-620." Maybe it's the "newness" of Vista versus working with XP for so many years that threw me off.

Used both 70-620 and 70-625 as training elements for my helpdesk; after sitting for both myself to gauge complexity, had to revise the training schedule and push back the Vista one while they sat for the Hyper-V exam before the free exam expired 12/31.

However, will check out 70-622...


By blwest on 1/20/2009 6:03:45 PM , Rating: 2
Anyone who gets an MCS* loses credibility in my book.


RE: Disallow use of USB storage devices? Why?
By MrPoletski on 1/20/2009 7:20:32 AM , Rating: 2
It has to be said, the USB memory stick autorun virus trick is something that should have been killed ages ago.

I mean it's so rubbish even total n00b virus programmers use it. I had a 'virus' on a company PC once that banned you from loading firefox or about 5 websites, that's it. It didn't mask itself or anything, just a hidden folder with the executable and the bloody source code. When you fell foul to it, it just closed ie/firefox and played an mp3 of cackling laughter.

I mean what a crap virus, made by some joker with real basic virus experience probably.

So I guess this is the result of what happens when a dude who knows how to code a decent virus puts his mind to it.


The March of the Haters
By Smilin on 1/19/2009 12:05:27 PM , Rating: 5
For this worm to massacre your corporate network it's a five step process:

1. Do not apply an update that came out back in October of last year. You have to outright block it or MS will fix things for you.
2. Do not enforce any sort of strong passwords on your network so the brute force cracking of those passwords happens rapidly.
3. Do not block SMB and RPC on edge firewalls...don't use Windows defaults as these will protect you as well.
4. Do not deploy or update antivirus or Windows Defender that can detect this vulnerability should it come in by other means. Ignore that big red warning MS gives about not having antivirus.
5. Pick your nose like a retarded monkey instead of paying attention to security news telling you to fix steps 1-4 above.

It looks like MS already protected home users with the update but corporations are getting hit.

Where is the screaming mad outrage at MS? There is a worm right? Aren't we going to posse up and March to Redmond with pitchforks and torches?




RE: The March of the Haters
By William Gaatjes on 1/19/2009 1:20:33 PM , Rating: 1
Microsoft patches have a habit of breaking compatibility or crashing your system

(Compatibility breaking can happen by using undocumented features of the OS or error-prone documentation about win32 api functions or bad programming on the part of the 3rd party software writer).

It can happen that a 3rd party program that is used a lot in the company can not be used anymore after these updates. This can be an important program for business. Let's say the program does not function anymore after the MS-KB update. The writer of the program has to be informed. The writer of the program has to write an update and test it thoroughly because unless a large amount of people are hit by an MS update, microsoft is not going to solve it unless you are willing to pay a lot of money. Thus thorough testing of windows updates is very important (this also applies to other OS's too). That is 1 of the reasons why IT departments of companies do not or should not use auto update. Updates are applied of course but only after testing and the green light is given. Otherwise havoc can happen. You don't want to be an IT admin and find out that you have to solve the problems of for example 100 PCs.


RE: The March of the Haters
By Smilin on 1/19/2009 1:52:27 PM , Rating: 4
quote:
Microsoft patches have a habit of breaking compatibility or crashing your system

When root cause is determined rarely does an MS patch break compatibility or crash the system. When root cause is actually found it is so rare that MS was the true cause that I'm not sure how you can say "habit". By example there was a software firewall company last year whose software broke after an update. It was determined they were hooking directly into the memory space of a loaded DLL instead of calling the function properly. When the DLL's default load location in memory changed the app broke. No excuse.

quote:
The writer of the program has to write an update and test it thoroughly because unless a large amount of people are hit by an MS update, microsoft is not going to solve it unless you are willing to pay a lot of money.


First of all, Microsoft fixes bugs free of charge. It doesn't matter if it's a small number of users or large. If you pay to open a support case and it is determined the problem is due to an actual bug and not a misconfig then your support case continues but your money is refunded. This is policy.

Second, if the writer of the program has to fix his program then he has to fix his program. MS isn't going to QQ because you don't know how to write your app. You can't leave systems unsecured indefinitely while some craplication writer sorts HIS bug. For this particular update there are mitigations and workarounds available. It also is associated with using RPC without authentication which is horrible programming practice (and not even allowed in Vista/2008). In that DLL example above MS gave the developer a fix the SAME DAY he called (fix = here's a workaround to change dll location until you fix your crap).

quote:
That is 1 of the reasons why IT departments of companies do not or should not use auto update. Updates are applied of course but only after testing and the green light is given. Otherwise havoc can happen. You don't want to be an IT admin and find out that you have to solve the problems of for example 100 PCs.


100s? That's chump change. How about 100,0000? Regardless.. IT departments test before they apply. This update came out in October and is listed as a critical update. It is now January. If such an IT staff exists they should be fired. It's a tough economy and plenty of good admins are standing by to replace them.


RE: The March of the Haters
By William Gaatjes on 1/19/2009 2:24:36 PM , Rating: 1
quote:
quote: Microsoft patches have a habit of breaking compatibility or crashing your system When root cause is determined rarely does an MS patch break compatibility or crash the system. When root cause is actually found it is so rare that MS was the true cause that I'm not sure how you can say "habit". By example there was a software firewall company last year whose software broke after an update. It was determined they were hooking directly into the memory space of a loaded DLL instead of calling the function properly. When the DLL's default load location in memory changed the app broke. No excuse.


The patches can create problems no matter which software company caused the problem. As I have written in my post. But I can understand an admin does not want problems caused by updates to happen. Non IT people blame the IT department for failures they can only circumvent when using tight rules such as not blindly updating but testing for compatibility issues first. And I know that most of the compatibility issues are not caused by microsoft but they are microsoft related. Back in the days, microsoft had to patch windows numerous times to run badly written software. This software was used by many users that microsoft could not always keep faithful to design rules. Raymond Chen has some nice stories about that on his blog.

See these links or just search and read some stuff about backwards compatibility.

http://blogs.msdn.com/oldnewthing/archive/2003/10/...

http://www.joelonsoftware.com/articles/APIWar.html

quote:
First of all, Microsoft fixes bugs free of charge. It doesn't matter if it's a small number of users or large. If you pay to open a support case and it is determined the problem is due to an actual bug and not a misconfig then your support case continues but your money is refunded. This is policy.


That's good to know, thank you. But it will still take some time before the issue is resolved, does it not?

quote:
Second, if the writer of the program has to fix his program then he has to fix his program. MS isn't going to QQ because you don't know how to write your app. You can't leave systems unsecured indefinitely while some craplication writer sorts HIS bug. For this particular update there are mitigations and workarounds available. It also is associated with using RPC without authentication which is horrible programming practice (and not even allowed in Vista/2008). In that DLL example above MS gave the developer a fix the SAME DAY he called (fix = here's a workaround to change dll location until you fix your crap).


It's nice of you to give such a thorough explanation. But you forget that company x is making money with that craplication y and thus needs craplication y. That can be a reason not to update until the craplication becomes less crap. As I have posted above.

quote:
100s? That's chump change. How about 100,0000? Regardless.. IT departments test before they apply. This update came out in October and is listed as a critical update. It is now January. If such an IT staff exists they should be fired. It's a tough economy and plenty of good admins are standing by to replace them.


Please, keep your manhood in your pants. No need to start comparing sizes. I am not an admin and just gave an example. Although I am very capable of analyzing and solving problems with computers I do not enjoy nor do I want to be an IT specialist. But the good IT specialists have my respect.


RE: The March of the Haters
By Smilin on 1/19/2009 2:45:46 PM , Rating: 4
You're playing quite the devil's advocate here. Problems with updates are rare and I've not heard of any problems at all with this one. Furthermore we're talking about an October patch when it's January.

The only things that would be broken by this patch are those things that are using RPC directly (bypassing normal documented API calls) with no authentication. The fix would not be difficult. If someone's software breaks because they are:
1. Writing software badly like this to begin with.
2. Can't implement what would be an easy fix in 3 months time

..then I think you should look at replacing the software.

quote:
It's nice of you to give such a thorough explanation. But you forget that company x is making money with that craplication y and thus needs craplication y. That can be a reason not to update until the craplication becomes less crap. As I have posted above.


There are mitigating steps and workarounds for this particular vulnerability (not the least of which is to upgrade your 8 year old OS already). The vendor of the craplication has the same access to MS as an individual user. They also have access to MS Developer support who takes issues with security updates as serious as a heart attack.

quote:
Please, keep your manhood in your pants. No need to start comparing sizes. I am not an admin and just gave an example. Although I am very capable of analyzing and solving problems with computers I do not enjoy nor do I want to be an IT specialist. But the good IT specialists have my respect.


The point wasn't a comparison of my network size to yours. The point is that if a company with 100,000 machines and god knows how many custom apps can get the patch rolled out then there is no excuse for a company of 100. With a company that small and assuming the worst possible patch outcome (reboot loop) the two guys in the IT dept could still roll back the patch on every box by hand in a weekend.

My tolerance for excuses from sloppy IT staff just doesn't go very far. They are the keepers of the data and it's their sole duty to protect it. This particular worm hitting millions of machines is utterly intolerable.


RE: The March of the Haters
By William Gaatjes on 1/19/2009 3:15:05 PM , Rating: 1
quote:
You're playing quite the devil's advocate here.
And I do not know all the examples from memory but usually there is always a reason. The devil is in the details, so to say...

Thank you anyway, I always try to keep a broad view and look from different angles at the same problem to keep an open mind and not follow blindly what others say without confirmation.

quote:
My tolerance for excuses from sloppy IT staff just doesn't go very far. They are the keepers of the data and it's their sole duty to protect it. This particular worm hitting millions of machines is utterly intolerable.


Well, it is not a perfect world and only by pushing unwilling people we can sometimes make progress. But sometimes behaving unwilling is not always about being unwilling...


RE: The March of the Haters
By JediJeb on 1/19/2009 5:21:27 PM , Rating: 5
quote:
The only things that would be broken by this patch are those things that are using RPC directly (bypassing normal documented API calls) with no authentication. The fix would not be difficult. If someone's software breaks because they are:
1. Writing software badly like this to begin with.
2. Can't implement what would be an easy fix in 3 months time

..then I think you should look at replacing the software.


This is good only if there is other software to replace what is being used. In our small laboratory we are stuck with software that controls our analytical instruments that is written by the vendors. I still have a few boxes running Win95 because the instrument manufacturer never wrote newer software for it. I can't afford to replace a $100k piece of equipment that works flawlessly simply because the software is outdated; that would be like replacing your car because the oil needs changing.

With every new piece of equipment we buy, we get the newest computers available to help keep them as future-proof as possible, but when equipment lasts 20 years, it is inevitable that the computers are going to leave them behind.

With these problems it is very important we test every single patch and service pack, as any one of them could shut us down and cost us a fortune. We are already to the point of having to manually enter data from some instruments that used to be able to send it across the network to the servers, simply because the software on the servers will no longer talk to that on the instruments, and the server-side software had to be updated because it would not work on newer server hardware that came with newer versions of Windows. We just had to update to the newest version of Office because we have clients sending us spreadsheets in the newest version of Excel that we have to fill out, and our older version can't read them. There is nothing in the new version that enhances our work, as any version will handle putting in some numbers and doing simple calculations on them, but if we can't read what our clients send us then we lose clients.

I'm not against patching security flaws, but if they weren't there in the first place it would be so much better.


RE: The March of the Haters
By Smilin on 1/19/2009 6:14:18 PM , Rating: 3
quote:
I'm not against patching security flaws, but if they weren't there in the first place it would be so much better.


I guarantee the airbag sensors never fail on a '57 Chevy.

If all you need to do is a simple task, then take the Win95 box off of the network and let it do its thing. Patches aren't needed at all for such things. This isn't all that uncommon of a scenario. If hardware upgrades are needed (face it, 486s are getting rare) then use virtualization.

If for some reason what you are doing requires being on the network then you should expect the software vendor to update. Otherwise what did you really get for your $100k?

These are not insurmountable problems for a good IT dept. They should either patch the box, leave it off the network, secure it some other way or skip all of the above and go look for a different job.


RE: The March of the Haters
By Lord 666 on 1/19/2009 10:34:49 PM , Rating: 2
Any scanners for detecting this virus on a network? Could nmap be used to scan network ranges to find this http server?

Looking to either confirm or deny companies exposure to this problem.


RE: The March of the Haters
By SilthDraeth on 1/20/2009 1:47:37 AM , Rating: 2
I want to jump in and state that the companies hit by this worm will quickly find that the "potential cost of implementing the fix, and breaking compatibility of an essential piece of software" would have been far lower than the cost they are paying now with every computer they own being infected.

It is always best to fix the leak and patch the holes than wait for the dam to break and try to rebuild it in the middle of a flood.


RE: The March of the Haters
By TSS on 1/19/2009 11:31:58 PM , Rating: 4
from the source article:

quote:
Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.


Well, there's your problem. I think it has less to do with lazy IT staff, and more with legal Windows versions that can actually be updated.


RE: The March of the Haters
By Mortando on 1/19/2009 7:15:24 PM , Rating: 3
But... if I only did a whole lotta #5 I'm okay, right???


RE: The March of the Haters
By Denithor on 1/20/2009 10:23:12 AM , Rating: 2
1) Not done, we're still running SP2 on our corporate systems. And typical users are given limited access accounts so we cannot update for ourselves.
2) Passwords assigned by IT. Who picks regular full words, no numbers. Bright boys.
3) I'm not privy to this, cannot say.
4) We do run F-Secure so hopefully it's worth something.
5) Knowing our IT guys there is a high probability this is the most pursued activity all day.


RE: The March of the Haters
By SilthDraeth on 1/20/2009 5:43:48 PM , Rating: 2
Usually IT assigns you a password, that is TEMPORARY. It is up to you to create your own. But if they are using regular words, they aren't using any sort of strong password enforcement anyways.


RE: The March of the Haters
By Smilin on 1/20/2009 3:17:01 PM , Rating: 2
As default settings on Windows will stop this thing then actually yes.


admin/UAC?
By MadMan007 on 1/19/2009 10:38:14 AM , Rating: 2
So does this require an Admin account on XP to execute?

Does UAC catch it on Vista?




RE: admin/UAC?
By Lord 666 on 1/19/2009 11:05:27 AM , Rating: 2
Appears that the Vista based code (Vista and Server 2008) reduces the risk for the issue; its listed as important versus critical here

http://www.microsoft.com/technet/security/bulletin...

Seem to remember that UAC was listed as a reason for the reduced risk.


RE: admin/UAC?
By Josh7289 on 1/19/2009 1:37:42 PM , Rating: 2
It's hard to tell, but they don't say if the Windows 7 beta is affected or not.


RE: admin/UAC?
By BikeDude on 1/19/2009 2:34:46 PM , Rating: 2
A few weeks ago, after visiting an internet cafe, my USB key suddenly had a few new files on it. "autorun.inf" (of course) plus a hidden executable... (1+1 = trouble)

So, to answer your question: If Win7 makes it easy to execute autorun.inf, then it is vulnerable.

UAC will of course help, because running in regular user mode will make it much harder for the malware to disguise itself and spread further. Simply re-creating the user account will get rid of it.

And for those advocating antivirus software: in 2008 antivirus software caused more problems than it cured. Deleting system files important to Windows is something a virus rarely does, but antivirus software seemed to develop a knack for it.

If you have an unpatched hole, then no amount of antivirus software will help you. (with an unpatched hole, you are vulnerable to new variants of all malware -- your signature files may not update fast enough... I strongly suspect most of those infected this time HAD up to date signatures... Just like last time... And the time before that... etc...)

Much more important then is to run IE with DEP enabled. But to do that, you still have to disable Java VM (unless Sun fixed their old sins recently).

(Me? I am never infected. Sure, my USB memory stick got a broadside, but I noticed it immediately, and did of course not let autorun launch on my own computer)
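The "autorun.inf plus a hidden executable" pattern BikeDude describes can be checked without ever letting the volume autorun. The following is an added example, not code from any poster or from the article: it parses an autorun.inf the way Windows reads it (only the [autorun] section; open, shellexecute and shell\...\command directives launch something) and flags any directive whose launch target is an executable or a script host. The autorun.inf text at the bottom is a constructed sample, not a capture of the worm's file.

```python
"""Parse an autorun.inf and list the directives that would run code."""

# File types Windows runs directly; a launch target with one of these on
# removable media is the "autorun.inf + hidden executable" pattern.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js")
# Hosts that execute whatever follows them on the command line.
LAUNCH_HOSTS = ("cmd", "cmd.exe", "rundll32", "rundll32.exe",
                "wscript", "wscript.exe", "cscript", "cscript.exe")


def parse_autorun(text):
    """Return launch directives from the [autorun] section as (key, value) pairs.

    Keys are lowercased; ';' comments, blank lines and other sections are ignored.
    Only open=, shellexecute= and shell\\<verb>\\command= are kept, since those
    are the directives that start a program (icon= and label= do not).
    """
    directives = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        value = value.strip().strip('"')
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            directives.append((key, value))
    return directives


def launch_target(command):
    """First token of a command line (the program), without quotes, lowercased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    return command.split()[0].lower() if command else ""


def suspicious_directives(text):
    """Directives that would execute a file when the volume is inserted or opened."""
    flagged = []
    for key, value in parse_autorun(text):
        name = launch_target(value).rsplit("\\", 1)[-1]
        if name.endswith(EXECUTABLE_SUFFIXES) or name in LAUNCH_HOSTS:
            flagged.append((key, value))
    return flagged


# Constructed sample autorun.inf (not a real worm's file): a hidden RECYCLER
# folder is a common place to stash the executable, the icon= line is decoy.
SAMPLE_AUTORUN = """\
[autorun]
; constructed sample
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=rundll32.exe RECYCLER\\setup.dll,Install
label=USB DISK
"""

if __name__ == "__main__":
    for key, value in suspicious_directives(SAMPLE_AUTORUN):
        print(f"would run on insert/open: {key} = {value}")
```

Run it against the autorun.inf copied off the stick (open it from a machine with autorun disabled, or from a non-Windows box). Anything it flags is a program that would have started the moment the volume was opened; an icon= or label= line alone is harmless.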


RE: admin/UAC?
By Smilin on 1/19/2009 2:49:41 PM , Rating: 1
Executing autorun.inf is not itself a vulnerability. The user could just as easily double click something on the drive.

Taking that function out would detract from ease of use without enhancing security.

You still have to have admin rights to break a machine. With Windows 6+ you don't have this unless you are running as an admin and have also disabled UAC.

As for your USB stick getting infected...maybe you should rethink your advice about antivirus software. It would have saved your bacon here.


RE: admin/UAC?
By Smilin on 1/19/2009 2:52:32 PM , Rating: 2
Pretty sure Win7 has the october update included already.


RE: admin/UAC?
By bluemagic on 1/19/2009 5:15:07 PM , Rating: 2
1) Windows 7 is affected. (can't say for sure 100% that it is able to transmit commands though, but I reckon it does)
2) Windows Defender does not detect it
3) AVG does not detect it

Windows Vista would probably not stop it if you have UAC, because the user will already have opened the file, so most likely will just say go ahead to the UAC prompt. UAC is utterly pointless in most circumstances.

To my knowledge there is no known solution to it yet because every time you install it the file name and filesize and content is slightly different. At least in my limited experience with it.

One of THE best ways to defend against this and other attacks is to use VMware with a virtual copy of XP or whatever and install a monitoring programme like spy the spy which can detect whenever a file is modified or added to the windows system 32 folder for example.

This method detected this virus for me and I could go in and delete the .dll files it added to the windows 32 directory with no problems. Or indeed just delete XP and use a fresh copy of XP or Windows 7 in VMware.
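The approach bluemagic describes (watch the system folder for files that appear or change) is a file-integrity baseline, and it is easy to do without a third-party tool. The following is an added example, not code from the poster or from the article: it hashes every file under a directory, diffs a later snapshot against the baseline, and reports added or altered files that Windows would load as code (.dll, .exe, .sys, ...). The demo() function builds a throwaway temp directory standing in for system32, so the whole thing runs offline; the file names in it are constructed.

```python
"""Baseline a directory and report code files that were added or changed."""
import hashlib
import os
import tempfile

CODE_SUFFIXES = (".dll", ".exe", ".sys", ".ocx", ".drv")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Map of relative path -> (size, sha256) for every regular file under directory."""
    files = {}
    for root, _dirs, names in os.walk(directory):
        for name in names:
            full = os.path.join(root, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, directory)
            files[rel] = (os.path.getsize(full), sha256_of(full))
    return files


def diff_snapshots(before, after):
    """Paths added, removed, or whose size/hash changed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def new_code_files(before, after):
    """Added or modified files that Windows would load as code (added first)."""
    d = diff_snapshots(before, after)
    return [p for p in d["added"] + d["changed"] if p.lower().endswith(CODE_SUFFIXES)]


def demo():
    """Constructed scenario: a temp dir plays the role of %SystemRoot%\\system32."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in [("kernel32.dll", b"legit"), ("notepad.exe", b"legit too"),
                              ("readme.txt", b"docs")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        before = snapshot(d)
        # Simulated infection: a new DLL is dropped and an existing binary is altered.
        with open(os.path.join(d, "qwxzv.dll"), "wb") as f:
            f.write(b"dropped")
        with open(os.path.join(d, "notepad.exe"), "wb") as f:
            f.write(b"patched")
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"edited docs")  # changed, but not code: not reported
        return new_code_files(before, snapshot(d))


if __name__ == "__main__":
    print("new or altered code files:", demo())
```

Take the baseline on a known-clean machine (right after install and patching), store it somewhere the box cannot write to, and re-run snapshot() on a schedule or after any scare. A hash baseline only tells you that something changed, not what it does, but in a tightly controlled folder like system32 any unexplained new DLL is worth a look.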


RE: admin/UAC?
By Lord 666 on 1/19/2009 5:50:53 PM , Rating: 2
#3 - avg as in Avast?


RE: admin/UAC?
By 7Enigma on 1/20/2009 9:26:05 AM , Rating: 2
No AVG as in AVG antivirus, previously a very good free virus detecting software, no longer unfortunately (bloated, detects less). Avira Antivirus (also free) is the one I personally use as it is highly rated and frequently updated (practically on a daily basis). Avast is another one recommended frequently, but I prefer Avira.


Sounds like...
By cscpianoman on 1/19/2009 9:37:01 AM , Rating: 3
Sounds like we know which companies have a weak IT security policy.

I'm still amazed at how many companies still use passwords like, password, qwerty, topsecret, fluffy, bruno, fido123 or the names of their grandchildren. I worked for one IT company with access to the server being a three-letter word followed by two numbers. Ouch!




RE: Sounds like...
By TimberJon on 1/19/2009 12:01:34 PM , Rating: 2
haha.. I use passwords using factions or ships from different games with strings of numericals in between or substituting alphas. A majority of mine are 20+ long as a rule. I knew some people who used to write code for brute force or even patient password breakers, and all the vets said they didn't bother wasting cycles trying to crack passwords in excess of 7 digits. That was like 8 years ago though. Not sure how that has changed. Processing power certainly has, but so has security to a degree.


RE: Sounds like...
By wayout41 on 1/21/2009 5:36:50 PM , Rating: 2
Wikipedia ships in games:compile list, wikipedia factions in games:compile list, write script;

Where do you work again? :P
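cscpianoman's "three-letter word followed by two numbers" and wayout41's "compile list, write script" describe the same attack from both sides: a dictionary plus a short suffix is a tiny search space. The following is an added example, not code from either poster or from the article. It generates the candidate list an attacker would build (words, capitalisation and l33t variants, digit suffixes), counts how many guesses it takes to reach a given password, and compares that with the full keyspace of a long random password. The wordlist is a constructed stand-in for the scraped lists wayout41 mentions, and the guess rates passed to seconds_at() are assumed figures for illustration.

```python
"""Dictionary-plus-suffix candidate generation versus true keyspace."""
import itertools
import string

# Constructed mini wordlist; a real attacker scrapes game wikis, pet names, etc.
WORDLIST = ["password", "qwerty", "topsecret", "fluffy", "bruno", "fido", "cat", "dog", "sun"]

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word):
    """The word as typed, capitalised, and with a full l33t substitution."""
    yield word
    yield word.capitalize()
    yield "".join(LEET.get(c, c) for c in word)


def candidates(wordlist, max_digits=3):
    """Every variant of every word followed by 0..max_digits digits."""
    for word in wordlist:
        for variant in leet_variants(word):
            yield variant
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield variant + "".join(digits)


def guesses_until(target, wordlist=WORDLIST, max_digits=3):
    """Guess number at which the generator hits target, or None if it never does."""
    for i, guess in enumerate(candidates(wordlist, max_digits), 1):
        if guess == target:
            return i
    return None


def keyspace(length, alphabet_size):
    """Number of passwords of exactly `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def seconds_at(rate, length, alphabet_size):
    """Worst-case seconds to exhaust a keyspace at `rate` guesses per second (assumed rate)."""
    return keyspace(length, alphabet_size) / rate


def password_policy_ok(pw, min_len=12):
    """Minimal policy: length plus at least three character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    for pw in ("password", "fido123", "cat42", "Tr4nsl0c4tor-2187!"):
        print(f"{pw!r}: found after {guesses_until(pw)} guesses, policy ok={password_policy_ok(pw)}")
    # 5 lowercase letters vs 20 printable characters, at an assumed 1e9 guesses/s
    print("5 lowercase letters:", seconds_at(1e9, 5, 26), "s")
    print("20 printable chars: ", seconds_at(1e9, 20, 95), "s")
```

Every word in the list costs the attacker only a few thousand guesses even with digit suffixes and l33t spellings, so "cat42" or "fido123" falls in a fraction of a second at any realistic rate. A 20-character password drawn from the full printable set is not in any list and its keyspace is astronomically larger, which is the point TimberJon's 7-digit anecdote was getting at, now with much faster hardware on the attacker's side.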


RE: Sounds like...
By RamarC on 1/19/2009 12:47:21 PM , Rating: 2
Since the virus is running rampant in corporate environments and the patch was issued 10 weeks ago, it seems to me that corporate policy which prohibits Windows Update from automatically applying patches is also a culprit.


RE: Sounds like...
By bfellow on 1/19/2009 1:50:39 PM , Rating: 3
Stop giving away our corporate domain admin passwords!


RE: Sounds like...
By rdeegvainl on 1/21/2009 2:31:43 AM , Rating: 2
it wasn't "one23" by chance was it?


RE: Sounds like...
By cscpianoman on 1/21/2009 6:44:00 PM , Rating: 2
No, but you're in the right ballpark.


By amandahugnkiss on 1/19/2009 12:58:10 PM , Rating: 2
Is this an XP SP2 only attack or Vista only, or both? Seems like listing the targeted systems would be required info to have in an article that covers a virus attack. It is odd that anyone would omit such info.




By Lord 666 on 1/19/2009 1:00:41 PM , Rating: 3
quote:

Appears that the Vista based code (Vista and Server 2008) reduces the risk for the issue; its listed as important versus critical here

http://www.microsoft.com/technet/security/bulletin...

Seem to remember that UAC was listed as a reason for the reduced risk


By Smilin on 1/19/2009 2:05:54 PM , Rating: 2
Vista & 2008 don't allow unauthenticated RPC calls from the network.


The best way to protect yourself...
By greentech on 1/20/2009 12:03:45 AM , Rating: 2
Is to get a Mac. Or learn Linux. Better to spend the extra money or learning effort now than keep on paying for it forever.

I find this quote at the bottom of the site hilarious:

"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine." -- Bill Gates

Bill, what have you been smokin?




By Smilin on 1/20/2009 11:26:05 AM , Rating: 2
There is a goat on your bridge. Why don't you go harass him?


By blwest on 1/20/2009 6:05:18 PM , Rating: 2
By once a month, he really means once a minute.


Link
By L1011 on 1/19/2009 9:35:30 AM , Rating: 5
Good job posting the link to the patch from Microsoft. Much appreciation!




Good times!
By Motoman on 1/19/2009 9:29:38 AM , Rating: 2
...brings back memories of when I was in college...before teh intarweb really happened, the only way viruses spread was via floppy disk infection. Oh, those were the days! <sniff>




RE: Good times!
By wired00 on 1/19/2009 6:06:45 PM , Rating: 2
"Your PC is now Stoned." :D


Things like this...
By excrucio on 1/19/2009 9:46:32 AM , Rating: 2
Things like this is what makes me not lose my job.
PC repair is a job security, it'll never go away.

These IT guys, need to learn to keep up to date, if they aren't. It's a hassle to update every computer on the network, but if you gotta do it, you got to do it. Work overtime if necessary.

Bring it on!




RE: Things like this...
By Drexial on 1/19/2009 11:51:31 AM , Rating: 2
If only bureaucracy was as easy to update as PCs.... The IT industry would be a lot more efficient.


By Fenixgoon on 1/19/2009 10:22:29 AM , Rating: 2
and the standalone patch tells me it doesn't apply to my system. What gives?




By Fenixgoon on 1/19/2009 10:24:45 AM , Rating: 2
the patch was issued in October, so Windows update automatically grabbed it for me.


Not Good
By Jonesd on 1/19/2009 9:50:51 AM , Rating: 2
I know it's not as clean cut as people may think, but it's very, very easy to setup a WSUS (Windows Software Update Services) server and centrally distribute updates after testing.

There's no excuse for being sloppy. Test the damn updates and get them out to the darn pcs.




Here's de patch
By heffeque on 1/19/2009 11:13:31 AM , Rating: 2
Wow...
By FaceMaster on 1/19/2009 11:16:44 AM , Rating: 2
...the crafty bugger!




Was caught by it-
By nah on 1/19/2009 12:06:18 PM , Rating: 2
but nothing happened--d/led the patch + had ZoneAlarm and AntiVir updated, so no probs




For further reading ....
By The Irish Patient on 1/19/2009 5:46:50 PM , Rating: 2
and detection/disinfection tools, see this link to F-Secure, a company mentioned in the post.

http://www.f-secure.com/v-descs/worm_w32_downadup_...




This worm...
By Runner3001 on 1/19/2009 7:19:55 PM , Rating: 2
It's a lot older than just last week, it sprung up in the middle of November. I had a lot of fun dealing with it before any of the disinfection tools came about. We got nailed by it before there were proper antivirus definition files for it, the result was hundreds of blue screened computers, once they finally received the KB958644 update, it was wiping out system files. The worm itself will attack antivirus software as well as remote assistance tools. To make matters worse the update for this was pushed out before it was fully tested by MS, it has caused issues as well.

Frankly I'm surprised I haven't seen anything regarding this until today, this is a nasty little bugger.




By greentech on 1/22/2009 1:28:09 AM , Rating: 2
What could be better for business than having 1/3 of your competition be crippled? Oh but Windows is SO much more secure than Mac, right? Oh, so THAT explains why my computer still works.




Linux
By blwest on 1/20/2009 6:01:28 PM , Rating: 1
This, kids, is why you should run Linux.




Copyright 2014 DailyTech LLC.