Fog Creek Software
Discussion Board




Web Worm Hits Windows, Crashes Computers Worldwide

Tue August 12, 2003 05:01 PM ET
By Elinor Mills Abreu

http://www.reuters.com/newsArticle.jhtml;jsessionid=U2HFO1555KBQWCRBAE0CFEY?type=technologyNews&storyID=3266448

---------------------------------------------------------------------------
If I was the CEO of say Sun Microsystems (someone who happens to hate Microsoft) I would probably be secretly paying some of these virus writers.  Of course, I wouldn't pay them to write any old virus -- just ones that target Windows operating systems.  Seems to me to be the cheapest way to keep Microsoft out of the lucrative corporate enterprise market.

One Programmer's Opinion
Tuesday, August 12, 2003

This isn't some script kiddie either- this guy knew what he was doing:
http://www.eeye.com/html/Research/Advisories/AL20030811.html

I have to say it's actually rather elegant.  You almost have to admire the organic beauty of it all.

Ken
Tuesday, August 12, 2003

No, the cheapest way is to sit back and watch Microsoft flounder trying to write secure code.  Kind of like watching a beached whale trying to get back into the water.

Microsoft will keep themselves out of the datacenter.  Naming a version of their OS that is as close as they will ever come.

It is painfully obvious that the server version is the desktop version sans a few limitations.  They need a home edition that has pinball, media player, etc and a server version that doesn't have any of this bs.  You do realize that Windows 2003 has a service that will manage your mp3 rights with the devices you hook to it.  WHO was the f'ing genius that thought this belongs in a server class product?

Will
Tuesday, August 12, 2003

Let's see, we still have nimda on the web, and a few instances of slammer.  Those were more directed at servers.  This is directed at everyone.  The server people will fix it soon, the home users will run infected until they buy their next computer. 

Care to fathom a guess on how much bandwidth is wasted per day on the entire internet with these damn windows machines trying to infect the rest of us? 

I hope the ISPs just arbitrarily close every damn windows specific port there is and keep them closed.

Mike
Tuesday, August 12, 2003

>You almost have to admire the organic beauty of it all. <

...Rather like the organic beauty of the mushroom cloud over Hiroshima?  Or Al-Qaeda's masterwork?

Well, I suppose the destructive impulse *is* organic...

Horse of a different color
Tuesday, August 12, 2003

I hope Microsoft asks users to factor these incidents into the TCO of Windows.

http://www.washingtonpost.com/wp-dyn/articles/A46233-2003Aug11.html

Mike
Tuesday, August 12, 2003

Maybe it's just targeting the platform that everyone runs.

http://www.pcmag.com/article2/0,4149,1210067,00.asp


Tuesday, August 12, 2003

Yes a lot of people run windows.  But exploiting windows is like taking candy from a baby.  Exploiting ANY other commonly used OS is like taking candy from a biker.


Tuesday, August 12, 2003

Funny. There's a patch that fixes this vulnerability. It was posted a month ago, and the security bulletin came out at that time.

This worm didn't affect me, my four Windows systems, or the three Windows servers I babysit.

So apparently, since a lot of Windows users don't follow security bulletins and that makes Microsoft an evil company.

Should we have gotten rid of all the Vax boxen after the 1988 worm?

Philo

Philo
Tuesday, August 12, 2003

"Exploiting ANY other commonly used OS"

That's the point - there aren't any.

Philo

Philo
Tuesday, August 12, 2003

I believe the Vax thing was one time.  The windows things are like waves on the ocean.  ENDLESS!

"So apparently, since a lot of Windows users don't follow security bulletins and that makes Microsoft an evil company."
If you are going to tailor your product to the masses, you must update it for them.

""Exploiting ANY other commonly used OS"

That's the point - there aren't any."

Unix, and Linux, and Mac OSX are used commonly.  At least Microsoft sure seems to feel Linux is.


Tuesday, August 12, 2003

So is Windows a monopoly or isn't it?

If it's a monopoly, then of course virus writers are going to target the OS that is 90% of the desktop market and a significant portion of the installed server base.

And if it's not a monopoly, then the Linux community can STFU. [grin]

Philo

Philo
Tuesday, August 12, 2003

They have a monopoly on the desktop. Operating systems are used in most computers.

Eric Debois
Tuesday, August 12, 2003

Whatever.  It is, once again, egg on Microsoft's face.

Maybe one day we'll look back at how stupid we were letting one company ruin the internet.


Tuesday, August 12, 2003

"Exploiting ANY other commonly used OS is like taking candy from a biker"

well...in all fairness to MS, the vast majority of problems are caused by users going "oh look, an attachment, let's run it....hey cool, it wants the admin password, it must be a security thing..."

and there is _no_ operating system out there which can protect against that.

The rest, like this latest, are a different story of course but even then there are not a lot of operating systems that receive the kind of scrutiny and continuous attacking effort that windows does.

As a rule the other operating systems are so seldom affected because they are less used by a big margin and therefore pretty much never targeted.

Certainly I'm not convinced that many operating systems out there would fare much better if they were to come under a similar level of scrutiny and attack.

FullNameRequired
Tuesday, August 12, 2003

BTW Philo, patching isn't easy. It is on your home machine, but not if you have a lot of machines. And autopatching isn't always wise, since you still need to reboot the machines for some reason. And patches also have a tendency to break unrelated things, so people have learned to NOT apply them.

mb
Tuesday, August 12, 2003

Mb hit it on the head for corporate America.  We have more than 4 machines to admin.  If you are giant, maybe you buy Tivoli or similar.  If you are 400 seats, life with Windows is hell.  Patch, patch, patch, patch, patch.  Plus on old NT servers maybe you have a special fca controller that doesn't have an updated sp6 driver.  How do you install a patch requiring sp6?  Things like this make Windows a poor enterprise operating system.

Mike
Tuesday, August 12, 2003

Well, it would appear Road Runner is highly infected.  Here are my firewall logs.

Mike
Tuesday, August 12, 2003

I fail to see how having to manually update 400 Windows machines is any different from having to manually update 400 [insert OS here] machines.  Why aren't these machines behind a firewall in the first place?

SomeBody
Tuesday, August 12, 2003

Yes, they are behind a firewall.  Think about VPN though....  Sales guy who hasn't been updated dials his ISP, gets infected and then starts vpn.  Guess who's infected now?

"I fail to see how having to manually update 400 Windows machines is any different from having to manually update 400 [insert OS here]"

For one, there are arguably fewer patches to install for Solaris than Windows.  Second, doing anything with windows remotely sucks compared to Unix.  Third, as someone mentioned, quality control issues with Microsoft don't give admins the warm fuzzies about applying them.  We all know how well that XP patch that left 600,000 users without internet access went over.  Fourth, Windows sucks to script.  WSH - great, install it, then all your machines are vulnerable to every vb script ever.  It is a no win situation.

Mike
Tuesday, August 12, 2003

<philo>
So is Windows a monopoly or isn't it?

If it's a monopoly, then of course virus writers are going to target the OS that is 90% of the desktop market and a significant portion of the installed server base.

And if it's not a monopoly, then the Linux community can STFU.
</philo>

Game Set and Match :)

Damian
Tuesday, August 12, 2003

"Game Set and Match :) "

Hey that describes what happens when joe user meets a virus or worm while running windows.

Mike
Tuesday, August 12, 2003

"For one there are arguably fewer patches to install for Solaris than Windows."

In the past 24 hours there have been five errata issued by Redhat. Ten in August.

Solaris' August patch report for Solaris 9 has 15 patches for the past month.

Microsoft had ten patches since July 1 for WinXP.

Again, I believe the issue seems to be that Microsoft patches get more press because they're in broader distribution (and I wouldn't be surprised if a lot of *nix patches are blown off because it's not a big juicy target)

Philo

Philo
Tuesday, August 12, 2003

"Hey that describes what happens when joe user meets a virus or worm while running windows. "

Of course, this wouldn't happen if joe user had bought Linux, 'cause he wouldn't be able to get it running.

We can go on all night. Give it a rest.

Philo

Philo
Tuesday, August 12, 2003

I would never recommend joe user buy Linux.  If Windows is beyond his comprehension Linux is unfathomable.  OS X might be a decent choice though.  I have no real love of Linux, in fact I think they are too zealous.  I am more pragmatic.  But after you see the same bridge fall down eventually you have to blame the engineers.

Good night.

Mike
Tuesday, August 12, 2003

"I have no real love of Linux, in fact I think they are too zealous"

are they? too zealous?  all of them? how dreadful....

is it _really_ so difficult for people to be specific about things?  a generalised comment like that is about as useful as a bug report that states:  "the program wouldn't run"

<sigh> I've just finished hearing from my nephew that 'they' (americans) are an evil twisted empire of greed and....well....evil....
I can still recall the talk my grandfather gave me when I was 12 about 'them' (japanese) biding their time after the war, deliberately becoming an economic giant in order to conquer the world after being stymied during the war.

6 months ago I was given a lecture by some uneducated twat of an admin about the importance of not allowing 'them' (as far as I could tell, anyone who emailed him) to steal his personal info (which he, of course, stored in a plain text file on his desktop...)


I'm sick of it, it's genuine evidence of mental laziness and/or outrageous stupidity.

the next person to tell me about 'them' is going to be hunted down by an outraged programmer armed with an ipod.

FullNameRequired
Tuesday, August 12, 2003

Joe User never gets any OS running.  The hardware vendor preinstalls it for him.  In this world, that usually means Windows.

peter f.
Wednesday, August 13, 2003

That's funny.  Must be some kind of dns error routing discuss.fogcreek.com to slashdot.org.  Interesting.


Wednesday, August 13, 2003

It is interesting, how Microsoft and Slashdot are both metaphors for shoddy quality.  Undeservedly, I think.

peter f.
Wednesday, August 13, 2003

This says it all.  From the worm:

"I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!"


Wednesday, August 13, 2003

How should Bill Gates fix his software? By releasing patches that fix the problem? Tried that, not everyone downloads them. Perhaps by releasing a new version of Windows that is more secure? That takes time and not everyone will upgrade.

What do you suggest?

John Topley (www.johntopley.com)
Wednesday, August 13, 2003

Next version of Windows users agree to mandatory, automatic behind the scenes security updates.  Part of product activation.  If they want to activate, but not the updates, the network capability should be disabled.

How many more times does this same scenario have to play out before MS gets smart enough to make security happen by taking a proactive approach?  Not just better code.  The programmers are human and using languages where buffer overflows are as common as the curly braces that enclose them.  Auto install of all security patches is what is required.


Wednesday, August 13, 2003

Microsoft usually get criticised for doing things automatically without the user knowing. I turned off automatic updating in Windows XP because I'm still on a dial-up connection and I'll decide what my limited bandwidth is used for, thank you.

And what happens if a bad patch gets auto-installed?

John Topley (www.johntopley.com)
Wednesday, August 13, 2003

A few points/questions:
1)  The errata from RedHat might not be comparable to the required XP updates because the redhat service downloads patches or upgrade for all the software which comes with RedHat- not just the operating system
2)  I have Windows 2000 and when I tried to install the last service pack (3 I think) it ruined my computer to the point I had to reinstall the OS.  Since then I have been afraid to run any updates.  I just hope my external firewall and virus protection hold up
3)  Yes Microsoft posted a patch for this in July, but I think the criticism is still valid because this is a buffer overflow in the RPC server (right?) and it exists in multiple versions of the OS spanning many years.  Perhaps one of you C++ mavens can correct me if I am wrong, but isn't there software out there to help ferret out buffer overflows?  If not, shouldn't code review have found it before the next version of the OS was released?

Name withheld out of cowardice
Wednesday, August 13, 2003

It certainly undermines the whole "full disclosure" idea.
Never before has there been so much warning about a coming attack. Remedies were available well before the actual strike and yet we still see poor adoption, as always.

The weakest link in the security chain is the people, not the systems.

Just me (Sir to you)
Wednesday, August 13, 2003

Redhat Errata...

I'm looking at the RH9 errata page right now. In the last month, there have been 12 entries. Of those, 8 are for optional software that I never installed.

Microsoft's security site is a little confusing, but I think they have three updates, not to mention the massive worm problem.

As far as number of security updates that apply to me, they seem about the same.

Of course, I don't trust anything other than Linux behind an OpenBSD firewall for my systems.

Gorkon
Wednesday, August 13, 2003

Apparently it is not only Windows admins that do not apply patches:

http://developers.slashdot.org/developers/03/08/13/1530239.shtml?tid=117&tid=126&tid=172&tid=99

Just me (Sir to you)
Wednesday, August 13, 2003

Given the level of vitriol on this topic, I am resistant to reply. What the heck...

My sister called me in a panic last night. She had this worm and she was pissed. She thought that someone should have sent her an email warning her of the worm. I told her that the little icon on the taskbar was her warning. She told me that she just ignores them. Also, her PC is directly connected to the net via a cable modem. No anti-virus, no nothing.

This is an educated person.

I don't think the problem is the OS per se. It's how they are configured and how non-techie people use them. I bet she won't have this problem again.

Now, if the worm writer didn't cause the client machines to crash, the vast majority of users wouldn't even have known they were part of the coming DOS attack.

pdq
Wednesday, August 13, 2003

I don't understand why people are making such a big deal out of this worm. It would only hit people who *still* haven't put their machines behind a firewall, or, even more incredibly, poked a hole through their firewall for MS-RPC.

I guess some poor home users are going to be inconvenienced but companies will largely be unaffected, unless their system is grossly insecure to begin with -- in which case this is their 3rd or 4th wake-up call.

Nate Silva
Wednesday, August 13, 2003

Nate,

What about an employee who takes his Windows XP laptop on the road, dials in and gets infected.  The next time he comes into the office, he plugs in his laptop and begins infecting the rest of the office. 

GuyIncognito
Wednesday, August 13, 2003

That the GNU/FSF ftp site got hacked in March (see link a few posts above this one) and the amazing GNU/FSF admins just figured it out _now_ I think is just hilarious.  It was an OS exploit that let the bad guys in, and they didn't realize it for FIVE MONTHS!

Oh yes, they are running the mighty un-hackable Linux! 

What a joke
Wednesday, August 13, 2003

"Oh yes, they are running the mighty un-hackable Linux! "

???  why did you think Linux was unhackable?

FullNameRequired
Wednesday, August 13, 2003

It's funny how when an exploit comes out for Linux that has already been patched, all the zealots scream about how getting infected is your own fault for not patching.  When the same thing happens on Windows, MS gets the blame for writing crappy software.

Mike McNertney
Wednesday, August 13, 2003

It's funny how when an exploit comes out for Microsoft that has already been patched, all the zealots scream about how getting infected is your own fault for not patching.  When the same thing happens on Linux, OSS gets the blame for writing crappy software.

It's amazing :)  That sentence represents a truth however you write it...

FullNameRequired
Wednesday, August 13, 2003

Fullname, what are we without our Religions?  Stop that.

I was finally pushed into watching that Life of Brian movie.  "Judean People's Front, whatta load o' tossers!"  That actually happens with bureaucrats, when you're in a catch-22 and one of the offices laughs that it's the fault of the idiots in the other office.

Computer platform jokes are still funny, but we can also be a bit silly and funny too when we take ourselves seriously I guess...

anonymous
Wednesday, August 13, 2003

"If it's a monopoly, then of course virus writers are going to target the OS that is 90% of the desktop market and a significant portion of the installed server base."

Windows has a minority (i.e. < 50%) of the server market, but they still have the majority of security exploits.

T. Norman
Wednesday, August 13, 2003

"Windows has a minority (i.e. < 50%) of the server market, but they still have the majority of security exploits."

Prove it, or STFU.

What a joke part 10
Wednesday, August 13, 2003

I can prove it, but I won't respond to F'ing comments like that.

T. Norman
Wednesday, August 13, 2003

> Windows users agree to mandatory, automatic behind the scenes security updates

1. This is often against the law... Certain places like the gov't & banks cannot send anything over their network that they're not explicitly aware of.

2. This sounds like a giant hole waiting to be exploited.

www.marktaw.com
Thursday, August 14, 2003
