Fog Creek Software
Discussion Board

MSBlast - I don't understand what the fuss is!

I have defended myself quite successfully from the MSBlast worm using the free version of Zone Alarm and the paid-for version of McAfee antivirus.

ZoneAlarm really stops the worm - it can't infect the PC.

However, yesterday I stopped ZoneAlarm by mistake for about 20 minutes, and got infected.

McAfee immediately detected the virus, in spite of the fact that I didn't update the signature. It detected the virus as something generic (DCOM/RPC exploit), and said that it's a possible scanning attempt by the Retina security scanner.

I immediately sent the virus to McAfee, and they immediately responded with the precise identification of the virus, and told me to update the McAfee scanner, which I did, then removed the virus.

Since then I kept ZoneAlarm up and did not get infected.

It's really a good firewall software.

I have just applied the patch an hour ago.


So, I don't understand what the great fuss is.

If you are using a PC, then you NEED an antivirus AND a firewall.

If you didn't have these, then it's your mistake for inadequately protecting your computer.

I agree, though, that in corporations, the system administrator should have installed these.

Gigi Duru
Thursday, August 14, 2003

Why were you not on the patch?

Just me (Sir to you)
Thursday, August 14, 2003

At the risk of feeding the troll ...

My Mom got the Blaster worm yesterday.  Could not have happened to a more computer illiterate person.  Took me an hour to walk her through installing TightVNC so I could log on to her machine and fix the bloody thing.

She doesn't want to worry about whether her antivirus and firewall are properly installed.  She doesn't even know what a firewall IS.  Bottom line, she doesn't want to jump through hoops to be able to use her machine in a secure fashion.  And she shouldn't have to.

Relying on user vigilance is the security measure of last resort.

Fortunately Blaster was fairly benign.  The next one may not be.

Alyosha`
Thursday, August 14, 2003

How is the worm distributed? Is it by visiting a web-site on an infected server? Or by email?

The news releases were not very clear on that.

Tasha M
Thursday, August 14, 2003

It spreads directly from host to host. All you need is to be connected to the internet.

Eric Debois
Thursday, August 14, 2003

It exploits a buffer overrun in the RPC code. The only thing you need to get infected is having port 135 (TCP or UDP, not sure whether one or both) open to the net. No active action on your part is required.

Of course, anybody without a firewall is just begging for trouble.

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, August 14, 2003

Tasha: this is the layman's version that I've been telling folks:

A worm is a program that exploits security flaws in internet services (such as web servers on port 80, file transfer servers on port 21, mail servers on port 25, and, in the case of blaster, the more obscure RPC server on port 135).

It's different than a virus, which is a program that relies on trickery to get people to run it (i.e., as an email attachment, or by attaching itself to a legitimate program).

To protect oneself from a worm, there are many things you can do.  You can disable the vulnerable service on your computer, you can download a fix (or patch) for that service, or you could replace the program that provides that service (for example, replacing IIS with Apache).

You can also install a firewall, which is a program (such as ZoneAlarm) or piece of hardware (such as a DSL router) that monitors all connections from and to your computer and (if set up correctly) denies most of them according to a strict policy.

Alyosha`
Thursday, August 14, 2003

Alyosha` nailed it.

Yeah, it's easy to say "Well, you should have your system patched." And if you are a developer or IT person then you should have.

But what about the *scads* of non-technical users out there who haven't the foggiest notion of firewalls or ports and acronyms such as DCOM scare them silly.

I know it's just pointless bitching, but this vulnerability - and the hundreds just like it - should not have existed in the first place. I make a living with MS software so I'm not in the anti-MS crowd, but I am fed up with this constant cycle of release-patch-release-patch while Redmond works to crank out more and more products.

What if this virus had been destructive?? What if it had zapped the hard drive? It's scary to think that it could have. It had full control of millions of machines worldwide.

I have to admit that I agree with the sentiment of the author of MSBlast: Microsoft, why do you let this happen??

Mark Hoffman
Thursday, August 14, 2003

>>
She doesn't want to worry about whether her antivirus and firewall is properly installed.
<<

Then she either shouldn't be using a computer connected to the internet or she shouldn't be upset when it gets screwed up by something like this.  That's like saying someone who lives in a house shouldn't have to worry about locks. 

If someone knows how to click things with a mouse then they can click to agree when Microsoft sends an automatic update notification.  If she did this, MSBlast wouldn't be an issue. 

A firewall only needs to be set up once to work.  Windows XP ships with a rudimentary software firewall.  Assuming someone doesn't deliberately disable this firewall, you're safe from MSBlast on XP. 

Likewise, a virus scanner only needs to be set up once and can be configured to automatically update.  I'm assuming someone set up the computer for her.  Why didn't they install a virus scanner?

My mother is one of the most computer illiterate people that I know.  MSBlast wasn't an issue for her.  One reason it wasn't an issue is because we put her behind a hardware firewall when we (family members) set her PC and internet connection up.  Another reason it wasn't an issue is because she pays enough attention to the news to have seen the constant alerts for the past month about this and insisted that we update her PC with the patch. 

Ultimately, it's the fault of the losers who have nothing better to do with their time than write viruses and worms.  However, users have to have some sort of personal responsibility in the matter or they are going to continue to be affected by these things.  If you think you can design a system that is 100% free of all holes, please do so.  While you're at it, please design a car that's accident proof and doesn't require locks or alarms to be protected from theft.

Yes, I realize my car and locks analogies aren't perfect.  I'm hoping that JOS readers are intelligent enough to get the point.

Blaming Microsoft for this is a joke and once again suggests that a large portion of JOS readers aren't really in software development but like to pretend they are. 

SomeBody
Thursday, August 14, 2003

Assigning blame is always a fruitless activity.

Yeah, Microsoft should have caught that flaw before it went out the door.  Yeah, Microsoft should have a more aggressive remote updater for serious security flaws.  Yeah, everyone should buy an antivirus and a firewall.  Yeah, people shouldn't be mean and write worms in the first place.

So much shouldawouldacoulda.  It happened.  Deal with it and move on.

. . .

Actually, when I think about it, the guy that wrote MSBlaster should be considered a hero.

Think about it.  The patch was available for a month and not many people installed it.  It really took a real exploit to motivate businesses and individuals to patch up their systems.

The guy did the world a favor by writing a fairly benign (although somewhat annoying) worm.  It's a good thing he did it before a more malicious hacker got around to it.

Alyosha`
Thursday, August 14, 2003

I don't blame non-technical users for not being prepared for this sort of thing. I think the example, posted earlier, of the mom who paid attention to the news and insisted on getting the patch, is a rare exception in the world of home users, most of whom just want to read news or get mail or game.

But give me a break ... how many businesses, with full time systems administrators, were hit? I'm not talking about small businesses either ... major companies were affected. Why is that? How come I, whose job is not to maintain PCs but to write software, was patched up and had a virus scanner and firewall up and running, while the sys admins who are paid solely to administer PCs and networks didn't take those same basic steps?

I'll go further and say that people who write this stuff rely on the failure of sys admins to protect themselves. I suspect that, if there was no realistic chance of bringing down a major company -- if my best hope at fame was to mess with the minds of a bunch of home users -- a lot fewer people would be writing these things.

It feels like there are a lot of holes in Windows, but it's painless to patch them as the patches are released. In this job market, how can you make the mistake of not doing that?

Zahid
Thursday, August 14, 2003

I think it's hard to recommend a software-based firewall like ZoneAlarm for the non-geek population.  I think a simple SOHO router (e.g., Linksys) with a basic port-blocking firewall is a much better solution for most people.

It's ironic that Gigi claimed that ZoneAlarm worked great, until he mistakenly disabled it.  If Gigi -- who probably has more computer savvy than 99% of the population -- can't get it to work consistently, how can Mom and Dad Wal-Mart be expected to rely on it for their security?

Zone Alarm works great when it's configured properly, but requires fairly sophisticated knowledge and frequent user intervention.  (I found the constant "Do you want Program X to have access to the Internet" interruptions to be more annoying than Clippy.  <g>)

Robert Jacobson
Thursday, August 14, 2003

> It's ironic that Gigi claimed that ZoneAlarm worked
> great, until he mistakenly disabled it.  If Gigi --
> who probably has more computer savvy than 99% of
> the population -- can't get it to work consistently,
> how can Mom and Dad Wal-Mart be expected to rely
> on it for their security?

I have now purchased the Zone Alarm Pro version and set an option to ask for a password for shutting down.

This way, I will never accidentally turn it off.


> Zone Alarm works great when it's configured
> properly, but requires fairly sophisticated knowledge
> and frequent user intervention.  (I found the
> constant "Do you want Program X to have access
> to the Internet" interruptions to be more annoying
> than Clippy.  <g>)

Here I think you are wrong.

The alternative is a firewall which follows a fixed set of rules. What happens then?

It's simple - when you install GeeWizApp, it won't work, because the firewall is not configured to allow connections to the ports GeeWizApp uses.

This is why Zone Alarm (or Armor2Net, or Tiny Personal Firewall, or Sygate) are GREAT: they ask you if you want to allow GeeWizApp to behave as a UDP server, for example.

Gigi Duru
Thursday, August 14, 2003

<<The alternative is a firewall which follows a fixed set of rules. What happens then?>>

Actually, the option that I suggested -- a hardware-based firewall -- works by blocking all unsolicited incoming traffic.  Unless you need to use your computer as a server (e.g., web hosting or hosting certain online games), you never need to change those settings.

The trade-off is that it doesn't block outgoing traffic if your computer becomes infected.  If you have a decent antivirus program installed, though, it will detect any infections and prevent malicious outgoing traffic.  (Plus the incoming firewall should prevent most infections in the first place.)

Don't get me wrong -- I think ZoneAlarm is a great product for users who want advanced control over their firewall settings.  I just think that it's overkill for the typical home user.  It's better to have a product with install-it-and-forget-it simplicity (like a SOHO hardware firewall), than a software product that may confuse many users and end up being configured improperly or disabled.

According to a newspaper article this morning, many home users didn't install the current patch because they didn't understand how Windows Update worked.  (They thought that the automatic downloading was itself some sort of virus attack, and so declined to install the patch.)  Better for these people to have a good basic firewall than nothing at all.

Robert Jacobson
Thursday, August 14, 2003

> Don't get me wrong -- I think ZoneAlarm is a
> great product for users who want advanced
> control over their firewall settings.  I just think
> that it's overkill for the typical home user.  It's
> better to have a product with
> install-it-and-forget-it simplicity (like a SOHO
> hardware firewall), than a software product that
> may confuse many users and end up being
> configured improperly or disabled.

The problem is, the so-called "install it and forget it" firewalls are in fact "install it, forget it, and then simply accept that some Internet related programs don't work".

For example, many times the ICQ chat client wants to be a server...

:-(

Gigi Duru
Thursday, August 14, 2003
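The three positions above (Alyosha`'s "denies most connections according to a strict policy", Robert Jacobson's router that "blocks all unsolicited incoming traffic" but not outgoing, and Gigi Duru's complaint that a fixed-rule firewall breaks any program that wants to act as a server) can be shown in one small model. The following Python is an added illustration, not code from the thread or from any of the products named in it; the packet filter, the addresses, the port numbers and the "GeeWizApp" UDP port 4000 are all constructed for the example. It implements a default-deny stateful filter: outbound packets are allowed and their flow remembered, inbound packets are accepted only as replies to a remembered flow or through an explicit allow rule.

```python
"""Toy stateful packet filter (added illustration, not from the thread).

Models the SOHO-router policy: anything the PC initiates is allowed and
remembered; packets arriving from the Internet are accepted only if they
answer a remembered flow or match an explicit allow rule. All hosts and
ports below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives from the Internet side


class StatefulFirewall:
    """Default-deny for unsolicited inbound; all outbound allowed and tracked."""

    def __init__(self, allow_inbound=()):
        # explicit (proto, port) holes, e.g. for a game or chat program acting as a server
        self.allow_inbound = set(allow_inbound)
        # flows seen leaving the PC: (proto, local_ip, local_port, remote_ip, remote_port)
        self.flows = set()
        self.log = []

    def filter(self, pkt):
        if not pkt.inbound:
            # outbound: allowed, and remembered so the reply can come back in
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # inbound: is this a reply to something the PC asked for?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        # inbound: is the port deliberately published?
        if (pkt.proto, pkt.dport) in self.allow_inbound:
            return "allow"
        self.log.append(f"DROP unsolicited {pkt.proto}/{pkt.dport} from {pkt.src}")
        return "drop"


# constructed sample hosts (documentation address ranges)
PC, WEB, SCANNER, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.7", "198.51.100.9"


def run_demo(publish_udp_server=False):
    """Return the filter's decision for each sample packet plus the drop log."""
    rules = {("udp", 4000)} if publish_udp_server else ()
    fw = StatefulFirewall(allow_inbound=rules)
    d = {}
    # ordinary browsing: request goes out, reply comes back in
    d["http_request"] = fw.filter(Packet("tcp", PC, 51000, WEB, 80, inbound=False))
    d["http_reply"] = fw.filter(Packet("tcp", WEB, 80, PC, 51000, inbound=True))
    # unsolicited connection to the RPC port: the path the thread is about
    d["rpc_probe"] = fw.filter(Packet("tcp", SCANNER, 40000, PC, 135, inbound=True))
    # "GeeWizApp" expecting to receive UDP on 4000 without having sent first
    d["udp_to_app"] = fw.filter(Packet("udp", PEER, 5000, PC, 4000, inbound=True))
    # Robert's trade-off: the PC itself connecting out to 135 is not stopped
    d["outbound_135"] = fw.filter(Packet("tcp", PC, 52000, PEER, 135, inbound=False))
    return d, list(fw.log)


if __name__ == "__main__":
    for published in (False, True):
        decisions, log = run_demo(published)
        print(f"UDP 4000 published: {published}")
        for name, verdict in decisions.items():
            print(f"  {name:14} {verdict}")
        for line in log:
            print("  " + line)
```

With the default policy the inbound port 135 probe and the inbound UDP packet for "GeeWizApp" are both dropped, which is exactly why an install-it-and-forget-it router protects the box and also why a program that wants to be a server stops working until someone adds the allow rule; the outbound connection to port 135 passes, which is the gap Robert Jacobson leaves to the antivirus.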

"Blaming Microsoft for this is a joke and once again suggests that a large portion of JOS readers aren't really in software development but like to pretend they are. "

Or many here have their heads too far up Redmond's ass and think stuff like this affects all operating systems.  Please name the worm that infected millions of hosts on ANY other operating system in the last 5 years.

why do you let this happen
Thursday, August 14, 2003

>Or many here have their heads to far up redmond's ass and think stuff like this affects all operating systems.  Please name the worm that infected millions of hosts on ANY other operating system in the last 5 years.

Name an operating system that has a user-base of "millions of hosts" that would have such a far reaching effect.  You can't.

The main problem is not that Windows isn't the most secure OS, it is that it is the most widely used OS and most likely OS to not be maintained & updated as it should be.  In other words, it is an OS that a layman can set up & use.

It's just like anything else in life.  I know people who didn't know they were supposed to change their brake pads on their cars until they rear-ended someone. 

GiorgioG
Thursday, August 14, 2003

http://www.cio.com/archive/010103/tl_security.html

This incident wasn't the first virus to hit Linux, and it certainly won't be the last. "As the installed base of Linux grows, we expect to see more such incidents," says Kevin Haley, group product manager at antivirus software maker Symantec in Cupertino, Calif. And because the Linux community has reached a critical mass of millions, Linux.Slapper.Worm spells Linux's coming of age as a security target.

In fairness:
"Linux is built around the Unix security model, which is a relatively uninhabitable place for viruses," he says. Linux and its accompanying Apache Web server "have been exposed, attacked and patched for a much longer time than comparable Microsoft products," he says.

Philo

Philo
Thursday, August 14, 2003

With security like this, you don't need a worm:
http://ftp.gnu.org/MISSING-FILES.README
http://news.com.com/2100-1001-961311.html
http://news.com.com/2100-1001_3-857265.html
http://news.com.com/2100-1002-994711.html
http://news.com.com/2100-1001-239696.html

I seem to recall a worm (sendmail related, if I'm remembering correctly) that made its way around a bunch of Linux servers a couple of years ago.  However, searching for Linux security flaws returns way too many hits to easily find any particular one.

SomeBody
Thursday, August 14, 2003

Of course to us uber-geeks this worm was a puny nuisance (or none at all), but to the millions of brain dead AOLers connecting to the Internet via dialup, this was a major inconvenience.

Out of the kindness of my own heart (OK, I’m a loser and I didn’t have anything better to do), I spent a couple of hours on Wednesday sitting in an AOL chatroom on my father’s computer helping people patch their system and remove the worm.

To get an idea of their level of computer familiarity, not one knew how to open up the Services Console to prevent the RPC Service from restarting the system on failure.  Very few even knew how to adjust the system date/time so that they would have longer than 30 seconds before their computer started.  Even fewer knew what a command prompt was or how to get to one to abort the system shutdown.  I didn't bother recommending to turn on XP's included firewall, because I would have had to explain what a firewall was.

For the most part, they were familiar with powering on the PC, opening a web browser and clicking back, forward and typing in the occasional URL.

If these frustrated people had another OS choice, many of them probably would have plunked down their cash at that moment and voted with their checkbooks.  Lucky for Microsoft it has a monopoly.

Guy Incognito
Thursday, August 14, 2003

>If these frustrated people had another OS choice, many of them probably would have plunked down their cash at that moment and voted with their checkbooks.  Lucky for Microsoft it has a monopoly.

They do have a choice.  It's called Apple.  They still won't go there.  Why?  Because it isn't that big of a deal 99% of the time.

GiorgioG
Thursday, August 14, 2003

"If these frustrated people had another OS choice, many of them probably would have plunked down their cash at that moment and voted with their checkbooks.  Lucky for Microsoft it has a monopoly."

They *do* have a choice - an AWESOME choice! A choice so great that Microsoft has to break the law to keep it in check!

It's called Linux, and it's the wave of the future!

And those people you were helping out in the chat rooms sound like tomorrow's linux rpm dependency checkers/ kernel recompilers to me!!!

Philo

Philo
Friday, August 15, 2003

Why aren't all these moms on automatic update? Might it be because of their geek nephews scaring them into believing the "Micro$oft will scan your computer and know all your dirty little secrets" or "your machine will get a bad patch and fry" FUD stories?

Just me (Sir to you)
Friday, August 15, 2003

Oh, it's always fun/pathetic to see a Microsoft zealot trying to bash Linux zealots. The moms aren't using automatic update because they have no idea what it is. Did you read the above posts? Normal home users hardly know anything beyond what they do regularly with their PCs. A girl I know couldn't even change her password in hotmail, and had to ask me to help her...

BC
Friday, August 15, 2003

Windows XP comes with automatic update enabled, so, if they don't have automatic update, someone must have disabled it.

Also, somehow, we expect people with very little training to be able to operate a computer, and - get this - when they can't operate it properly, it's the fault of the OS manufacturer!

What if the same mentality was applied to cars?

Gigi Duru
Friday, August 15, 2003

What about if we assign the blame more equitably:

33% of the fault is by the users

33% by the OS manufacturers

33% by the assh#le who wrote the worm

Gigi Duru
Friday, August 15, 2003

The goal of Microsoft is to push Windows to everyone's desktop.  Therefore blaming the users only gets so far, since Windows is positioned for everyone.

Security trades off with usability.  It's a hard problem.  OpenBSD's default install is orders of magnitude more secure than Windows/Linux, but people don't rally around it.

anonymous
Friday, August 15, 2003

Macs are an option, but not for everyone.  Most Macs are more expensive.  I can walk into my local retailer and find a much larger selection of HPs, Compaqs, Sonys, and cheaper budget systems.  Not to mention, more than 75% of the store's software is for the IBM PC.

As for Linux... how many computers that you can buy at your local big box retailer come preinstalled with Linux?  I can't imagine my father installing a new OS out of the box.  He still can't tell the difference between an email address and a web address.  It took him forever to master the double-click.  The list could go on...  And this is a man who's been using computers since his first home computer (the Osborne running CP/M) in the early 80s.  The level of complexity has multiplied since those days and for your average user (who America keeps telling us can't program his/her VCR) expecting them to protect themselves with a never ending stream of patches is wishful thinking at best.

I understand trying to use an analogy with software and any other purchased good is often difficult, but at what point would you return your problematic new Ford Focus to the dealer for a full refund after one too many factory recalls or trips to the service center?

Guy Incognito
Friday, August 15, 2003

"What if the same mentality was applied to cars? "

That's a cute analogy, but it falls apart pretty quickly for one simple reason: You have to be licensed to operate a car. It's silly to compare operating a motor vehicle to operating a computer.

Some of you people amaze me....You sit there so high and mighty and say "All these idiots that didn't patch! Ha! They are subhumans who don't deserve to live! Are they stupid or what?! Can't open control panel!? Idiots!!"

Get over yourselves.

Lots of people that use computers every day have no clue how to secure them. And before you blast them for being idiots, remember...Many of them are buying your software you morons.

So many arrogant techies who haven't the basic business sense...

Get Over Yourself.
Friday, August 15, 2003

A company where the operational procedure for critical computing facilities does not allow them to react to the highest level security warning in a month's time has a serious operational problem. They should carefully review what kept them from reacting in time and mend the process.

Private persons and small business entities that run computer systems should make use of the facilities provided out of the box. Unless they know very well what they are doing they should be on automatic update. This is the very reason for the existence of this facility.

Just me (Sir to you)
Friday, August 15, 2003

another auto-update problem:
the user only uses AOL to check their email. they log on for half an hour once a week over a 56k modem on a bad phone line.

autoupdate is set to download everything. how long (in weeks) before everything actually gets downloaded? let's say 1 per patch?

btw, according to another post here this hole was reported in 1991.

mb
Friday, August 15, 2003

Well, autoupdate will not cover all fringe cases.
If you do not have the accumulated spare bandwidth to download the critical patches, well, you're not going to get them unless you take effective action, like leaving the machine on for an extra half hour every Sunday, but if you were informed enough to take action, you would not even need autoupdate ... hmmm

Just me (Sir to you)
Friday, August 15, 2003

But if you aren't online for longer than a half hour a week, you probably aren't going to get hit by a worm!  How much more circular can we get? 

SomeBody
Friday, August 15, 2003

"btw, according to another post here this hole was reported in 1991."

And thoroughly debunked. Those who repeat Cringley will often get what they deserve. That man is a buffoon.

Brad Wilson (dotnetguy.techieswithcats.com)
Friday, August 15, 2003

I'm quoting Zahid, because the original message is far above in scrollbar-space:

"But give me a break ... how many businesses, with full time systems administrators, were hit? I'm not talking about small businesses either ... major companies were affected. Why is that? How come I, whose job is not to maintain PCs but to write software, was patched up and had a virus scanner and firewall up and running, while the sys admins who are paid solely to administer PCs and networks didn't take those same basic steps?"

I couldn't agree more!!!!  Never mind about your average consumer.  Why can't the pros do their job???  My 500-person biotech company, with a 10-person fulltime IT staff, just got hit by this worm yesterday because some of our desktop PCs weren't patched.  If they don't want to install every patch MS recommends, well, I think it's stupid in a commercial setting but there are reasons.  But the worm hit the news MONDAY and by THURSDAY they still hadn't patched???

Gross negligence.  Incompetence.  If I wrote code and analyzed data the way they "maintain" our PC network, I'd be fired in a heartbeat.

Actually we just had 25% of our biology R&D staff laid off this week, including 4 programmer-scientists in my dept.  But no IT staff got fired.  Ha!

Biotech coder
Friday, August 15, 2003

These worms, viri and their variants are not symptomatic of a poorly written operating system, as many Mac-heads and Linux enthusiasts might argue.  Windows is fine; the mere march of progress and the public's demand for an OS that is all things to all people mean that as time goes on, flaws will be found and new patches will be released to plug the holes.

The Internet has grown exponentially over the last 10 years, as has the number of users.  The effect has been paradoxical; as more users 'log on', the ratio of those who know what they're doing to those who don't have a clue becomes larger and larger.  Worms like Blaster and Sasser don't prey upon Windows vulnerabilities, they prey upon users' ignorance.  The phrase "there's a sucker born every minute" may have been coined in the 1800's, but it is oh so cogent in this day and age of ubiquitous computer use.  Those who manage to get their computers infected repeatedly utterly befuddle me.  They're told time and time again to use antivirus software and a software or hardware firewall, to keep Windows updated often, and still they get stung.  Why?  Complacency and ignorance - they take their computers and the people who keep fixing them for granted, and don't follow the sound advice given them.  If you kept stepping on the same rake in the same place in the back yard and each time it whacked you in the face, surely you would eventually move it or go around it.  If you don't then you deserve to be whacked doubly hard each time you step on the rake.  Odd analogy, perhaps, but my point is that the people who keep opening up suspicious attachments, those who refuse to use antivirus software and firewalls, and those who refuse to update Windows for whatever reason, deserve whatever fate befalls them.

As a person in the IT industry, ignorant users and the virus writers who prey upon them represent my bread and butter.  Blaster and Sasser have generated so many service dollars in my store that it's almost unreal.  Let's hear it for suckers!

Rick Salt
Thursday, May 06, 2004