Free Republic
News/Activism

New Virus hitting hard and furious!!!
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html | 08/11/03 | self

Posted on 08/11/2003 2:33:46 PM PDT by STFrancis

All,

Here's a scoop for Freepers which is just now hitting us security pros.

There is a first vulnerability that uses the MS Bug that MS addressed with MS 03-026 two weeks ago.

It is calling itself MSBLAST.exe and is spreading in the wild unbelievably fast. http://isc.sans.org/diary.html?date=2003-08-11

A first advisory from McAfee has just been published: http://us.mcafee.com/virusInfo/defa...&virus_k=100547 Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

In other words we need to make sure port 4444 is blocked inbound AND outbound.

Of course this is in addition to the MS03-026 patch being installed which Microsoft released two weeks ago (more info regarding the patch here: http://www.microsoft.com/technet/tr...n/MS03-026.asp).

Another advisory was JUST posted by Symantec: http://www.symantec.com/avcenter/ve...aster.worm.html

Just thought everyone ought to know.

Thanks...


TOPICS: Breaking News; News/Current Events; Technical
KEYWORDS: blaster; computer; firewall; internet; macuserlist; microsoft; msblast; techindex; virus; vulnerability; worm
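
The behaviour described in the post above (a shell on port 4444, then a tftp download), turned into a log triage check. This is an added example, not part of the original post; the log format, addresses and function names are constructed for illustration, and it assumes the tftp request (UDP port 69) goes from the newly hit machine back to the host that connected to its port 4444.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical format and addresses).
SAMPLE_LOG = """\
2003-08-11T14:01:02 SRC=192.0.2.10 DST=10.0.0.9 PROTO=TCP DPT=4444 ACTION=ALLOW
2003-08-11T14:01:05 SRC=10.0.0.9 DST=192.0.2.10 PROTO=UDP DPT=69 ACTION=ALLOW
2003-08-11T14:02:00 SRC=10.0.0.7 DST=198.51.100.3 PROTO=TCP DPT=80 ACTION=ALLOW
2003-08-11T14:03:10 SRC=192.0.2.10 DST=10.0.0.8 PROTO=TCP DPT=4444 ACTION=DENY
2003-08-11T14:09:00 SRC=10.0.0.7 DST=192.0.2.44 PROTO=UDP DPT=69 ACTION=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dpt>\d+) ACTION=(?P<action>ALLOW|DENY)$"
)

def parse(log_text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
            e["dpt"] = int(e["dpt"])
            events.append(e)
    return events

def triage(events, window=timedelta(seconds=60)):
    """Return (likely_infected, blocked): hosts that accepted a TCP 4444
    connection and then made a tftp (UDP 69) request to the same peer
    within `window`, and hosts where the firewall denied TCP 4444."""
    shells = [e for e in events if e["proto"] == "TCP" and e["dpt"] == 4444]
    tftp = [e for e in events
            if e["proto"] == "UDP" and e["dpt"] == 69 and e["action"] == "ALLOW"]
    infected, blocked = set(), set()
    for s in shells:
        if s["action"] == "DENY":
            blocked.add(s["dst"])
            continue
        for t in tftp:
            same_pair = (t["src"], t["dst"]) == (s["dst"], s["src"])
            if same_pair and timedelta(0) <= t["ts"] - s["ts"] <= window:
                infected.add(s["dst"])
    return sorted(infected), sorted(blocked)

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

A lone tftp request (10.0.0.7 in the sample) is not flagged; only the 4444-then-tftp pairing between the same two hosts is.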
To: expatguy
Well, it's not a virus... But the sheeple won't understand any other terminology...
161 posted on 08/11/2003 10:17:09 PM PDT by STFrancis
[ Post Reply | Private Reply | To 135 | View Replies]

To: Dimensio
Port blocking varies from package to package, so you should check the documentation for the software that you use.

Cool. Figured it out, thanks.

162 posted on 08/11/2003 10:17:16 PM PDT by Luke Skyfreeper
[ Post Reply | Private Reply | To 149 | View Replies]

To: Ramius
Totally agree... There are lots of people doing lots of things and when you actually start watching ZoneAlarm too closely you COULD get paranoid...
163 posted on 08/11/2003 10:18:16 PM PDT by STFrancis
[ Post Reply | Private Reply | To 133 | View Replies]

To: Ramius
This one would have been somewhat nastier, methinks, if the writer hadn't been so arrogant as to make his presence so clearly known on an infected machine. From what I understand so far, this malware propagates on its own to any machine with the unpatched vulnerability. The user could be infected without ever knowing that they had gotten it, except that the writer intentionally makes the system barf and reboot over and over.

What if it was NOT meant to hurt anything..??? But just a grey-hat wanting to get people's attention to this *serious* windows flaw? This way everyone HAS to get their systems patched. Basically he is offering a stick instead of the carrot. Don't agree with the method being used but that's what my hunch is on this. Anyone smart enough to write an exploit for this NEW vuln should know how to code their way out of a paper sack....
164 posted on 08/11/2003 10:21:39 PM PDT by STFrancis
[ Post Reply | Private Reply | To 131 | View Replies]

To: Ramius
In my world though, I hide everything behind really good firewalls (I dig PIX) and get pretty jealous of what I let through. I also strip off any executables (among others) from e-mail messages. I have for years. It's saved me a lot of grief waiting for AV providers to update files when a new pattern needs to be released.

That's a good start. However, if you are running any serious network you should know that 80% of the hacks are coming from the inside... The fortress/moat model is outdated... You need to treat every server like a bastion. Not just the system in the DMZ etc... Even though you are safer than prolly 80%+ out there..
165 posted on 08/11/2003 10:24:44 PM PDT by STFrancis
[ Post Reply | Private Reply | To 128 | View Replies]

To: livius
Thank you. I have a slow dial up and the virus kept shutting down my computer before I could even read the helpful posts (the others were so frustrating because I had to read fast.) It shuts down in one minute.
How does one get this virus?
Thanks again,
LL
166 posted on 08/11/2003 10:25:47 PM PDT by Lighthouse Lady
[ Post Reply | Private Reply | To 78 | View Replies]

To: avenir
Go and follow the instructions from Symantec. Make sure you clean your registry etc..
167 posted on 08/11/2003 10:26:18 PM PDT by STFrancis
[ Post Reply | Private Reply | To 107 | View Replies]

To: ASA Vet
I just upgraded to this nice Commadore 64. I never had virus problems with my VIC-20. Should I be concerned?

No.

Your TCP/IP stack, in optimized 6510 Assembly, still takes 38,511 of the 38,711 bytes available on your machine after the OS is loaded.

This worm can't get it up in 200 bytes.

Relax.

168 posted on 08/11/2003 10:31:43 PM PDT by umbagi (**** TAGLINE VIRUS L32.FR4x **** STEAL ME, DONATE SAVED TIME TO GOOD GUYS ****)
[ Post Reply | Private Reply | To 160 | View Replies]

To: STFrancis
I've been telling everyone to get a Mac. Macs don't get viruses as most viruses are .exe files... .exe files can't run on Macs.
169 posted on 08/11/2003 10:35:06 PM PDT by sonserae
[ Post Reply | Private Reply | To 1 | View Replies]

To: umbagi
Thank you. I really was concerned and considered going back to the VIC.
I do like this hugh RAM available on the 64 though.
That's some series computing power.
170 posted on 08/11/2003 10:35:55 PM PDT by ASA Vet ("Those who know, don't talk. Those who talk, don't know." (I'm in the Sgt Schultz group))
[ Post Reply | Private Reply | To 168 | View Replies]

To: Lighthouse Lady
How does one get this virus?

By using a Microsoft Windows operating system.

171 posted on 08/11/2003 10:37:08 PM PDT by HAL9000
[ Post Reply | Private Reply | To 166 | View Replies]

To: ASA Vet
That's some series computing power.

Simple enough for dumbies, too.

172 posted on 08/11/2003 10:42:32 PM PDT by umbagi (**** TAGLINE VIRUS L32.FR4x **** STEAL ME, DONATE SAVED TIME TO GOOD GUYS ****)
[ Post Reply | Private Reply | To 170 | View Replies]

To: amigatec
There is an easier way. Download a copy of your favorite Linux distro, burn to cd, put cd in drive, push the reset button on front of computer, follow instructions on screen. In about 10 minutes you will have a virus free system.

While I get quite sick over the win vs. lin/unix debate the statement above is so stupid it's almost DANGEROUS. There are so many viruses/exploits for unix out that are released every day it's not even funny. While I like both OS systems (they both have their place) crowing like this is just plain stupid. Hope you got this one fixed: http://www.securityfocus.com/bid/8315

There is a reason some Win Security guys out there drive around with the Bumper Sticker:

"My next workstation is YOUR linux box".

ANY operating system is inherently insecure unless it does B3 out of the box. Which according to reports Longhorn is supposed to do. Can't wait to see a finished version of it and hope *pray* MS doesn't screw it up. And IF (that's a caps IF there) they do it right Unix is going to have a HUGE challenge.

And unlike popular belief MS is doing a 180 when it comes to security and they have made GREAT progress. Am actually astounded at some of their initiatives and outreach to the community. They still have a long way to go though...

And to the Mac guys out there... You know who one of the biggest Mac shareholders is, right..??? and who bailed Mac out when they almost became toast???

Sorry for jumping on my soap box for a sec... But I just hate arguing over OS'es... they ALL have their time and place..
173 posted on 08/11/2003 10:47:00 PM PDT by STFrancis
[ Post Reply | Private Reply | To 83 | View Replies]

To: ASA Vet
Those were the times.... I miss my blazing WAY COOL but hugely EXPENSIVE 1541.... And the output of my MP803 is just simply AMAZING....

(I actually have an emulator running the C-64 stuff and two actual units in the attic... )
174 posted on 08/11/2003 10:50:53 PM PDT by STFrancis
[ Post Reply | Private Reply | To 170 | View Replies]

To: STFrancis
Learned Ones:

I had this "virus" happen today (Monday), but got through it like everyone else with the patch. Now, when I finally got into my e-mail, I found a ton of "returned" messages purporting to be from me (never sent them, don't know the recipients).

These messages purport to be from my system's "mail administrator", but who knows. I've had some of these before, but never a whole bunch like this. Is this a weird other virus that seizes one's address book and sends out mail? Or just SPAM of some sort that pretends to be returned mail?

Any info would help, thanks!

175 posted on 08/11/2003 10:53:55 PM PDT by Mjaye
[ Post Reply | Private Reply | To 1 | View Replies]

To: STFrancis
Just to add a couple for the Apple folks that think they are completely immune (as Apple would like for them to think):

http://www.securityfocus.com/bid/8266

http://www.securityfocus.com/bid/8293

http://www.securityfocus.com/bid/6884
176 posted on 08/11/2003 10:59:27 PM PDT by STFrancis
[ Post Reply | Private Reply | To 173 | View Replies]

To: Mjaye
Without more info I would like to think that this is another form of virus/worm at work here. Download and install the latest version of McAfee or Symantec etc.. Load the latest definition and see what you come up with.

Also, give ad-aware at www.lavasoftusa.com (Ping to the Germans) and spybot a shot.

Hope that helps...
177 posted on 08/11/2003 11:01:38 PM PDT by STFrancis
[ Post Reply | Private Reply | To 175 | View Replies]

To: umbagi
The fact that you knew that off the top of your head (or off the top of a quick google), boggles the mind.

You out-nerd me. ;)
178 posted on 08/11/2003 11:05:56 PM PDT by Quick1
[ Post Reply | Private Reply | To 168 | View Replies]

To: STFrancis
Thanks! I did download Norton's latest updates earlier today and did a complete virus scan after I patched up the Microsoft .exe problem. Nothing was detected, nothing quarantined. This "returned mail" thing really bugs me, I hope to heck nothing weird is going out to anyone in my address book in my name.

I correspond with bosses from home and would NOT want them to receive weird mail allegedly from me. So far, none of these returned items were to anyone I ever heard of.

179 posted on 08/11/2003 11:08:43 PM PDT by Mjaye
[ Post Reply | Private Reply | To 177 | View Replies]

To: kitkat
Double that number in my house. BTW, do you find Macs to be an improvement?
180 posted on 08/11/2003 11:12:47 PM PDT by baseballfanjm
[ Post Reply | Private Reply | To 25 | View Replies]

