Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand
reply to Link Logger

Re: Nachi the new champion bad boy

said by Link Logger:
You might want to look into DeepSight at Symantec which my partner and myself designed and built while at SecurityFocus (my partner stayed on so now he is a Symantec kind of guy). There is a free component that you can join (see »aris.securityfocus.com ) and there are all sorts of global reports and analysis available (most are in the $ side however, but still there is a lot that is free). The idea is you send your IDS logs (supported systems here »analyzer.symantec.com/requirements.asp ) to DeepSight and you can use DeepSight to create all sorts of reports and such.

Blake

I will assume that help will soon be on its way here.
--
oO^..^Oo oO^..^Oo


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA
Reviews:
·Comcast
reply to Link Logger

said by Link Logger -"I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?"

... my guess, virtually none - unless it's a small private shop that builds their own and helps customers get set up, and I don't know any of those around here ... I'm sure there are some, but not many ...

said by Boris - "Microsoft is still selling the Windows XP OS software to computer companies that don't have the MS updates?"

... hell yes ! ... you think they run off a few, re-tool the OS, then run off a few more? ... they burn the cd, ship it off, then hope the user updates ... did you really think H/P or Compaq or Dell or Gateway was gonna update the software for you ? ... if that were true I'd expect the Easter bunny to deliver my Sunday paper in a nice basket, with coffee and bagels ...

... f w i w ...

--
... "Sometimes you're the Bird ... sometimes you're the Windshield" ...


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to Link Logger

Re: Nachi

FYI,

I've noticed only a slight rise in 135 and 445 activity from around 20:00 UCT at one of my clients, a public sector entity located in Ohio. No problems deflecting same, only 3-6 per hour.
--
I hate jogging. It makes my beer foam up...


Maven
Premium
join:2002-03-12
Canada
reply to Link Logger

Re: Nachi the new champion bad boy

Are Windows 2000 and XP the only OSes targeted by this worm?


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to Sparrow

Re: Nachi - map link

Hi CS,

As for a map, I have this one on the ol' browser Links bar... Data gathered from Housecall scans.

»www.trendmicro.com/map/

I *definitely* agree end users need to be educated! I've attended several meetings where FBI agents, US Attorneys, Law enforcement and military representatives are eagerly encouraging private industry folks like myself to work with them. Their efforts are quite remarkable.

We can make a difference - I intend to use all the resources they provide to do my small piece to work to a more secure, private, reliable and functional global system of communications.

I'll post all that's appropriate for public forums here ... Any non-public or restricted items will have to be distributed through channels authorized for same.

HTH

EG
--
I hate jogging. It makes my beer foam up...


GotGhosts
Premium
join:2002-07-16
boo
reply to antiserious

Re: Nachi the new champion bad boy

said by antiserious - did you really think H/P or Compaq or Dell or Gateway was gonna update the software for you ? ...

I asked if Microsoft was still selling the "swiss cheese" operating systems to computer manufacturing companies.

The Microsoft updates are a fix for those security holes in the operating system. Why isn't Microsoft fixing the software before it leaves Microsoft? I suppose that would be a good question to ask Microsoft.

I wouldn't expect Dell, HP, or any other computer maker to do that. But if Microsoft updated their software before it got to the computer manufacturers that would be a huge help.


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA


Default Out-of-the-Box Settings for Automatic Updates
said by GotGhosts:
The Microsoft updates are a fix for those security holes in the operating system. Why isn't Microsoft fixing the software before it leaves Microsoft? I suppose that would be a good question to ask Microsoft.

Probably because the security issues come out after the live release of the XP operating system, or even after major upgrades such as Service Pack 1. If MS started issuing different CDs on a weekly basis, that would create chaos, as each CD would contain a different "mix" of security patches. The practical way, the way they're doing it, is to release XP SP1 {Windows XP, Service Pack 1} on all new machines and leave it to the user to install the security patches which keep changing dynamically as new issues arise. Out of the box, my XP Home Edition that I got with my new Compaq couple months ago, already had the automatic updating enabled by default {see pic}. All the user has to do is enable his {usually broadband} connection to the Net and the Windows Updates occur automagically in the background, with a SysTray Popup when downloaded and ready to install. The main thing, as Blake {LinkLogger} has emphasized, make sure to enable ICF the first thing, before your first connection to the Net, to prevent Nachi or MSBlaster infection.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)

qrkx
Premium
join:2003-04-26
Montreal, QC

1 recommendation

reply to Link Logger
said by Link Logger:
Comments, questions, abuse, this article is meant to create discussion as to what can be done to improve security on the internet.

If I were to throw my 50 cents in, I'd venture to say educating the IT people should be a start. Then - place some degree of responsibility on the vendors (for their claims). Educating the home user is utopian - imho.

Large ISPs should also be held liable for letting worms affect their infrastructures. With a minimum of competent staff, such outbursts can easily be controlled with ingress/egress filtering without any impact on end-user functionality.

I guess it all comes back to one thing: unless dedicated and trained personnel is at hand, there is little we can do to improve Internet security. No soft/hard vendor will ever do that. The answer could be found in having the allocated budgets to hire the necessary skilled security people to handle these things.

An analogy would be the health care system; do you start training people at home to self medicate (mmmm...self triple by-pass toolkit) or do you invest in trained professionals and relevant equipment?

How can we expect the end user to become "educated" if most - I repeat - most of the corporate IT infrastructure is largely ignorant with respect to security matters (not necessarily a fault of their own...but still)?

rgds.


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand
reply to EGeezer

Re: Nachi - map link

said by EGeezer:
Hi CS,

As for a map, I have this one on an ol' browser Links bar... Data gathered from Housecall scans.

»www.trendmicro.com/map/
...................

We can make a difference - I intend to use all the resources they provide to do my small piece to work to a more secure, private, reliable and functional global system of communications.

HTH
EG

Thank you for the link, EG. I was surprised to see that Asia is in third place. This is precisely why I like the idea of the maps. It is a good learning and teaching tool to show worldwide internet habits.

The computer is not just a toy, and although we can still have fun with it, end-users need to understand the necessity of safe computing. No matter what the extra-curricular activity one is involved in there are risks involved, and understanding what those risks are and how to avoid them are all part of playing the game. Sometimes the old clichés just fit.

I think the fact that Nachi was almost (or was) designed as a counter-attack against W32/Blaster-A requires some reading between the lines. Who knows what the creator of Nachi was thinking. They were even kind enough to apologize to Zhongli (perhaps the creator's wife?) in the hidden signature:

Once running, it will attempt to remove W32/Msblast.A from that system, as well as attempting to update the system with the security patch from Microsoft which addresses this vulnerability.

The worm contains the following string, never exposed to the end user:

"=========== I love my wife & baby ~~~ Welcome Chian~~~ Notice: 2004 will remove myself ~~ sorry zhongli~~~========== wins"
»www.f-prot.com/virusinfo/descrip···i_A.html
Hopefully we will all win in the end.

P.S. The smilies are part of the sig as well...
--
oO^..^Oo oO^..^Oo


CylonRed
Premium,MVM
join:2000-07-06
Bloom County
reply to Link Logger

Re: Nachi the new champion bad boy

Got nailed as an experiment when I rebuilt my hard drive and updated without a firewall in place - got infected with blaster within seconds of being online. When I did get my firewall I got several notices within a few seconds attacking port 135/139....

Amazing how fast this got into an unprotected system...
--
Brian
America's Army Forum Moderator and America's Army Beta Tester


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
The part that interests me is you got hit with MSBlast, which, given how effective (if you can call flooding the internet effective) Nachi/Welchia is at finding and nuking MSBlast installations, would lead me to think that the system that infected you is hiding behind a firewall and hence immune to Nachi attack, or your ISP is doing something which inhibits Nachi but not MSBlast, which would be interesting.

As you can imagine we don't have any MSBlast infected systems around here (or if there are they are extremely rare and hiding behind a firewall or short lived before Nachi gets them).

Blake


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA
said by Link Logger:
.. would lead me to think that the system that infected you is hiding behind a firewall and hence immune to Nachi attack ..
In which case, the obvious question would be: if that system was hiding behind a firewall and hence immune to Nachi attack, how did it become infected by MSBlaster? Both Worms use the same RPC Vulnerability that cannot be exploited when the MS Patch and/or a functioning firewall are in place. ;=)
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)


ObdH
Premium
join:2003-06-11
Abilene, TX
reply to Link Logger
tell me about it bro, nachi was on two of our michigan servers........

sucked...


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Randy Bell
said by Randy Bell:
In which case, the obvious question would be: if that system was hiding behind a firewall and hence immune to Nachi attack, how did it become infected by MSBlaster? Both Worms use the same RPC Vulnerability that cannot be exploited when the MS Patch and/or a functioning firewall are in place. ;=)
The most common way for this to happen is if someone connects an infected laptop to the 'protected' network, thereby infecting other systems on the network. Second, someone installed a firewall after the system was infected (i.e. someone hears about how evil the internet is and buys a firewall and installs it without checking to see if any of their systems are already 'evil'; more common with home users, this could also apply to enabling ICF on an infected XP box for example). There are other ways but these are the most common methods that I can think of right now.

Blake

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

1 edit
reply to Randy Bell
said by Randy Bell:
said by Link Logger:
.. would lead me to think that the system that infected you is hiding behind a firewall and hence immune to Nachi attack ..
In which case, the obvious question would be: if that system was hiding behind a firewall and hence immune to Nachi attack, how did it become infected by MSBlaster? Both Worms use the same RPC Vulnerability that cannot be exploited when the MS Patch and/or a functioning firewall are in place. ;=)

If pings are blocked but port 135 isn't, and your machine is unpatched, Nachi won't infect, since it didn't get a response to the ping, but Blaster will.

Also, maybe the machine was behind a firewall, but someone brought in a Blaster-infected machine and plugged it in to the LAN, behind the firewall, and infected the machines on the LAN.
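The distinction kpatz draws (Nachi pings a host before trying port 135, Blaster goes straight to port 135) can be turned into a simple log check for anyone watching a perimeter, and it also gives the per-hour tallies EGeezer quotes earlier in the thread. The Python below is an added example written for this thread, not code from any poster: the firewall log format, the field names, the 30-second pairing window and the sample log lines are all constructed assumptions, and the labels are a heuristic about scan behaviour, not a worm identification.

```python
"""Classify inbound TCP/135 attempts in a constructed firewall log by whether
the same source sent an ICMP echo request shortly beforehand.

Assumptions (not from the thread): one event per line in the form
    YYYY-MM-DD HH:MM:SS PROTO SRC -> DST[:DPORT] [INFO]
and a 30-second window for pairing a ping with a later port-135 attempt.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>ICMP|TCP) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
    r"(?::(?P<dport>\d+))?(?: (?P<info>.*))?$"
)
PING_WINDOW = timedelta(seconds=30)   # assumed pairing window
RPC_PORT = 135                        # the port both posts talk about

# Constructed sample log: RFC 5737 documentation addresses, no real hosts.
SAMPLE_LOG = """
2003-08-19 20:01:05 ICMP 192.0.2.10 -> 198.51.100.7 echo-request
2003-08-19 20:01:06 TCP 192.0.2.10 -> 198.51.100.7:135 SYN
2003-08-19 20:14:22 TCP 192.0.2.55 -> 198.51.100.7:135 SYN
2003-08-19 20:40:00 ICMP 192.0.2.77 -> 198.51.100.7 echo-request
2003-08-19 21:02:30 TCP 192.0.2.77 -> 198.51.100.7:135 SYN
2003-08-19 21:05:00 TCP 192.0.2.10 -> 198.51.100.7:445 SYN
""".strip().splitlines()


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def classify(lines, window=PING_WINDOW):
    """Return (verdicts, per_hour).

    verdicts maps each source that tried TCP/135 to 'ping-then-135' when an
    echo request from that source arrived within `window` before the attempt,
    else 'bare-135'.  per_hour counts TCP/135 attempts per clock hour.
    """
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_ping = {}                 # src -> time of its most recent echo request
    verdicts = {}
    per_hour = defaultdict(int)
    for e in events:
        if e["proto"] == "ICMP" and e["info"] == "echo-request":
            last_ping[e["src"]] = e["ts"]
        elif e["proto"] == "TCP" and e["dport"] == RPC_PORT:
            per_hour[e["ts"].strftime("%Y-%m-%d %H:00")] += 1
            pinged = (e["src"] in last_ping
                      and e["ts"] - last_ping[e["src"]] <= window)
            label = "ping-then-135" if pinged else "bare-135"
            # A source that ever shows the ping-first pattern keeps that label.
            if verdicts.get(e["src"]) != "ping-then-135":
                verdicts[e["src"]] = label
    return verdicts, dict(per_hour)


if __name__ == "__main__":
    v, h = classify(SAMPLE_LOG)
    for src, label in sorted(v.items()):
        print(f"{src:12} {label}")
    for hour, n in sorted(h.items()):
        print(f"{hour}  {n} attempt(s) on TCP/{RPC_PORT}")
```

On the constructed log, 192.0.2.10 is labelled `ping-then-135` (echo request one second before the SYN), 192.0.2.55 is `bare-135` (no ping at all), and 192.0.2.77 is also `bare-135` because its ping was 22 minutes earlier, outside the window; the TCP/445 line is ignored because only port 135 is tracked. The point of the window is exactly kpatz's observation: a source that reaches port 135 without a preceding echo reply is behaving like Blaster, and blocking ICMP alone would not have stopped it.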

vfpguy
Alias Dotnetguy

join:2001-07-21
Wayne, NJ
reply to Link Logger
said by Link Logger:
I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?
I do. I run MS's SUS Server on my network server. When I build a new computer I connect it to my network and redirect Automatic Updates to my server. I come back in 20 minutes and the new system is up to date.
--
"...a great, serene and peaceful future can slip from us quite as irrevocably by neglect, division and inaction, as by spectacular disaster." -- H. Truman, 6/21/56

hoyleysox
Premium
join:2003-11-07
Long Beach, CA
reply to Link Logger
Good thing Nachi is supposed to 'uninstall' itself 1/1/2004...

Nachi has hit broadband tech support hard. Customers finally get their fast-internet working and complain that the internet is slow, because their upstream bandwidth is maxed out.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
said by hoyleysox:
Good thing Nachi is supposed to 'uninstall' itself 1/1/2004...
That is the plan until some idiot takes a hex editor to the worm and changes the date to something like the year 3032 or something like they did with Code RedII. I think Nachi is going to be around for a long time.

Blake


CylonRed
Premium,MVM
join:2000-07-06
Bloom County
reply to Link Logger
The other thing I thought was odd - I never saw any of the typical symptoms. My Control Panel never went nuts and my PC never re-started itself.... I would have never known had I not seen the msblast.exe in the Processes...
--
Brian
America's Army Forum Moderator and America's Army Beta Tester

ghost16825
Use security metrics
Premium
join:2003-08-26

1 edit
reply to Link Logger
Worse, some of these patches don't patch it properly.
The blaster patch sometimes works and sometimes doesn't.
I "patched" a machine the other day and using the DCOMulator from grc it tells me it's unpatched.
The worrying thing about these machines is that they're free for the taking. That's thousands of machines with free processing power and free bandwidth.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Link Logger
I just got a new Dell and it came with ICF enabled so Dell is doing their part in this respect. I have XPSP1a. However, when I went to Windows Update, I found 13 critical updates waiting for me. It would not help for Microsoft to issue updates to the OEMs because at least Dell (I don't know about the others) doesn't even install XP as Microsoft sends it to them. Dell takes quite a bit of time to "tweak" XP for Dell computers and then finally installs it. The XP CD Dell sent me is not the same as the XP CD I would get if I bought XP in the store off the shelf. There is already a significant lag time from the time Microsoft sends an OS to the OEM before it gets on the OEM's new machines. Sending CDs with the latest patches would not solve a thing.
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning

anthrorules
Premium
join:2003-09-14
Rollinsville, CO

1 edit
That is one reason I bought a license of XP Professional from the store and upgraded my Dell computer.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
I would have done the same except my old W98SE box is not upgradeable to XP. So, I didn't have much of a choice. I also wanted W2000 Pro instead of XP Pro but again, unless I just fork out extra money now at the store, I have to live with XP.
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning