to vic102482
Re: Blackice "Witty" Worm: source port 4000 UDP
I'm using a Linksys BEFSX41 followed by BlackIce V3.6ccg and I have yet to see anything get past the Linky, (BID is Silent) and BID is cranked up all the way (Paranoid, with audible & visual alerts at max sensitivity)...
So far nothing here..... But today's UDP 4000 probes are directed at my Local 46657
keith2468 Premium Member join:2001-02-03 Winnipeg, MB
to underattack
first totally harmful virus in a while
Worth noting that:
1. This corrupts the hard drive of the infected computer, usually meaning total data loss.
2. That AV products may not warn of it because it isn't written to disk.
3. The ISC recommendation that systems running BlackIce be removed from the Internet until the patch is installed.
4. That a patch to prevent this has been available for over a week.
» iss.custhelp.com/cgi-bin ··· **&p_li=
» xforce.iss.net/xforce/al ··· s/id/167
quote: Witty Worm Remediation Information:
This information applies to customers currently using an impacted ISS product as detailed in X-Force Alert Article 167, which is referenced above. Consult this article for determining if a system is currently infected.
For systems that are NOT infected with the Witty worm:
- Update your ISS software to the latest version. The latest version of every ISS product is not impacted by the Witty worm.
For systems that are infected with the Witty worm:
- Power off the infected machine immediately.
- Since the worm overwrites random sectors of the hard drive as it executes within memory, customers should recover any available hard drive data using a noncompromised operating system.
- Customers should reload a working system image from backup using normal restore procedures. If reinstalling the ISS software is necessary, customers should update to the latest version.
Further questions should be directed to ISS Technical Support.
quote: ISS network customers have been protected from this potential threat for more than a week prior to the release of the worm, removing any threat before impact. The fix was delivered as a maintenance update before eEye publicly disclosed the vulnerability. Before any worm could be developed 'in the wild', ISS customers were protected automatically via a simple update that shielded the vulnerability from attack.
jeisenberg (New Year's Eve) join:2001-07-06 Windsor, ON
to Jan Janowski
Re: Blackice "Witty" Worm: source port 4000 UDP
In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.
I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.
psloss Premium Member join:2002-02-24
to justin
said by justin: But then, in the real world, a virus that kills the host is not a winning strategy. This is one that kills shortly after and hopefully after infecting a few more, like Ebola. Spectacular but short lived.
Same idea, I would speculate, with malware that acts in an overt way versus malware that acts more covertly. Exploit-based malware that scans like mad (high packet rates and broad IP address space "coverage") draws more attention to multiple aspects of the scanning (not just the ports, but also things like the "exploit"). And it will likely provoke a higher/escalated response to address the scanning -- usually involving an escalation of traffic filtering and patching. (Blaster being an example, I believe.) E-mail based malware is a more complicated situation, I believe (more factors). In this case, I don't think the author of this thing cares as much about the level of response -- other than striking at a time which allows for a perhaps two-day headstart -- since the "average" response time is still so long that a good portion of the infected systems will have crashed before someone gets to them. Philip Sloss
to vic102482
said by vic102482: How would this affect hardware firewalls:(
It doesn't. I'm glad I have a NAT router instead of some buggy firewall software.
jeisenberg (New Year's Eve) join:2001-07-06 Windsor, ON
to justin
said by justin: Perhaps the witty virus is authored by someone who does not have any financial interest direct or indirect in using infected machines. Or perhaps just a disgruntled employee of ISS.
I agree that a disgruntled employee is a good place to start for the author of the worm. Another source might be an overzealous employee of a competitor, trying to drive sales toward their own product. Whatever the motivation, it would be naive to believe that copycat virii / worms are not just around the corner. And I'd expect to see random source ports to begin shortly as well, further disguising and confounding attempts to head off this threat.
DoesItMatter (Now What??) Premium Member join:2002-02-18 Mount Vernon, NY
to justin
I agree with Justin, the "good ole days" where viruses destroyed the system they were on may be back, and I had thought the same thing. Can't destroy the PC you are on if you want to use it, but it also has contributed to the general apathy, I think, of most people. They hear about pop-ups (or get them and think it is part of the net) or they hear about a friend who got a virus, but no big deal, because there were no consequences really (they weren't inconvenienced).
Some people are in for a rude surprise. And they will also be the ones screaming loudest.
psloss Premium Member join:2002-02-24, 2004-Mar-21 12:27 pm
to DoesItMatter
said by DoesItMatter: Can't destroy the PC you are on if you want to use it, but it also has contributed to the general apathy, I think, of most people. They hear about pop-ups (or get them and think it is part of the net) or they hear about a friend who got a virus, but no big deal, because there were no consequences really (they weren't inconvenienced).
This factors into the miscreants' "strategy", though, too. Apathy is good for them, and of course the opposite isn't. Dead PCs are just as bad for those miscreants as they are for their owners -- for completely different reasons. Philip Sloss
to jeisenberg
That is one of the things that made this worm unique, in that the source port is usually dynamic and the destination port is static (but this was reversed in the Witty worm). Now certainly this is somewhat unique to ISS products and I would think that it was meant as a security measure to vary the ports used between installations, but if it is coded it can be cracked, it just takes some time (cracking code is like trying to figure out where a train goes when you're standing on the tracks, it just takes some time).
Given that this worm is clearly malicious/criminal and has 'real' damage associated directly to it, if they ever catch who is responsible I can see real jail time and such in their future, not to mention pretty well endless civil suits. I would also hope that eEye and ISS worked together in harmony on this.
A week might not be long enough to patch 6000 laptops considering some might be used by remote users (for example traveling sales dudes who have been out of town for longer than a week). This exploit didn't take very long to hit the streets so either they were working on it independently (most likely), or they were totally tipped off by the eEye announcement, which would be bad as then we might have to rethink delays between patch releases and announcements of vuls.
Blake
SYNACK (Just Firewall It) Mod join:2001-03-05 Venice, CA
to DoesItMatter
It is ironic how in this case running a "security product" makes you actually more vulnerable.
This is just a reminder that computer security is never a "set-it-and-forget-it" process.
I wonder why the author decided to keep the source port constant? Implementation of a random source port would have made this even nastier to track.
to underattack
Maybe some of these people will go buy a G5 so they can lessen their exposure to this crap by a factor of 10 or more. I'm sorry, but the Windows world got to be too dangerous for the likes of mere mortals so I jumped ship last year. Best thing I ever did. I read these stories and shake my head. One day the first big OS X worm will come along, I'm sure, but that day's not here yet.
Sometimes I think I don't want the Mac platform to get any bigger - if it does someone will surely write something.
jvmorris (I Am The Man Who Was Not There.) MVM join:2001-04-03 Reston, VA
to jeisenberg
said by jeisenberg: In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.
I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.
What you really need here is a response from Link Logger, kpatz, or psloss, for example. But, I can tell you that this is one of the reasons I haven't done this. I would want an old, cheap PC with absolutely nothing of consequence on it, and for which I could completely restore not only the hard drive image, but -- if necessary -- the hard drive itself before I'd try this. Well, I don't have one. (And I would also totally isolate it from machines behind the firewall or second router.) There are people here (gkweb comes to mind), who routinely put machines up, let them get slaughtered, and then take them down and reconstitute them. (After a few repeats, one can pretty much automate this process, I suspect, but I'm not there yet.) This is inherently a dangerous process and I doubt you're going to see anyone publish directions on how to do it. It's not so much that some of these guys worry that they're going to miss something, so much as them worrying that someone might read the process they enumerate and then decide to do the same thing -- eliminating some of the steps in the process as being "unnecessary".
Mike Mod join:2000-09-17 Pittsburgh, PA
to justin
Using the philosophy base of George Carlin, except on airport security... » www.humorcafe.com/humor/ ··· rlin.htm
said by main quote: As far as I'm concerned, all of this airport security--the cameras, the questions, the screening, the searches--is just one more way of reducing your liberty and reminding you that they can fuck with you any time they want, as long as you're willing to put up with it. Which means, of course, any time they want. Because that's the way Americans are now. They're always willing to trade away a little of their freedom for the feeling, the illusion--of security.
The anti-viruses, the people who don't patch, nor switch OSes yet who always complain when some super virus turns their computer to digital poop. Why? They have a weak defense system and they deserve it. Screw 'em. You can defend something for so long before you have to fall back or get your ass handed to you in a doggy bag. I'm going to state the obvious by saying nothing is unbreakable. Except, something is a larger target and that's what appears to be getting hit the hardest. When you fix your OS, then you can fix mine. PS, I'm in Windows XP right now since I want to play BF 1942 after this post so this IS my problem. I don't want my nazi killing machine to be a doorstop anytime soon and I want all the idiots I shoot at to be there without a worry in their mind that the next virus is going to school them. I need things to shoot damn it! These little wimpy viruses so far are basically, "let's see how many people we can infect" like scouts. You run the numbers and compare to see how savvy people adapt to these new waves. Then when the numbers are in their range... Then BLAM! Virus writers can basically screw with millions of people anytime they want. There is no set public schedule to this at all, or at least none that I've seen. Give us $40 and we'll protect your computer. False sense of security. Bull crap, how many people have an expired version of some AV (or fully patched AV) that didn't really work and they're screwed? It's a false sense of security. There will always be that idiot running outlook, msie, or some other piece of crap windows software with more holes than a Krispy Kreme factory that will keep the spread of this stuff going strong. Like I tell people. Let someone get pissed off enough to write some super virus that will destroy 70% of the machines that are connected to the internet with some super-windows virus.
I wonder how many of those 70% of people whine and those 70% reinstall the same system and have it killed nearly immediately because they reconnected a less patched version of the OS just because that's what came on the CD. I also wonder what the profit for Microsoft is going to be? After all the old versions of MS software are ripped in half, people will most likely go right back to the mothership for a brand new "more secure" target on their back because the old one was shot the hell apart. I've heard this before, Windows 2000 is bug free. I guess that means Windows XP, 2003, or whatever the next monstrosity that comes out is even better in that sequential order. /fixed engrish, added something
jeisenberg (New Year's Eve) join:2001-07-06 Windsor, ON
to jvmorris
said by jvmorris: (And I would also totally isolate it from machines behind the firewall or second router.)
Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.
psloss Premium Member join:2002-02-24
to SYNACK
said by SYNACK: I wonder why the author decided to keep the source port constant? Implementation of a random source port would have made this even nastier to track.
I was/am wondering that, too, but it occurred to me that it's probably faster to bind to a single port and then fire out 20000 packets than to both grab a new source port (indirectly via the OS) and send out the packet 20000 times. (Notice how I made the former sound faster... ) That's what I was speculating about with "performance" above. I do agree that letting the OS pick an open ephemeral port would make this harder to track. Philip Sloss
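The fixed source port that SYNACK and psloss discuss above is exactly what a defender can key on: a normal UDP service answers one peer on a stable port, whereas this worm sends from UDP/4000 to a spray of hosts and random destination ports. The following is an added example, not code from the thread and not Link Logger's or ISS's tooling; it assumes a hypothetical one-line-per-packet firewall log format ("time proto src:sport -> dst:dport") and uses constructed sample entries to flag sources that fit that pattern while leaving ordinary fixed-port UDP chatter alone.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "time proto src:sport -> dst:dport"
# format. This is not the real output format of Link Logger, BlackICE or any router.
# 203.0.113.7 sprays many hosts/ports from UDP/4000 (the pattern described in the
# thread); 192.0.2.5 talks to a single peer on port 4000, which is ordinary traffic.
SAMPLE_LOG = """\
2004-03-20T04:45:01 UDP 203.0.113.7:4000 -> 198.51.100.10:46657
2004-03-20T04:45:01 UDP 203.0.113.7:4000 -> 198.51.100.23:12001
2004-03-20T04:45:02 UDP 203.0.113.7:4000 -> 198.51.100.88:61002
2004-03-20T04:45:02 UDP 203.0.113.7:4000 -> 198.51.100.91:3040
2004-03-20T04:45:03 UDP 192.0.2.5:4000 -> 198.51.100.10:4000
2004-03-20T04:45:03 UDP 192.0.2.5:4000 -> 198.51.100.10:4000
2004-03-20T04:45:04 TCP 192.0.2.9:33012 -> 198.51.100.10:80
2004-03-20T04:45:05 UDP 192.0.2.12:53 -> 198.51.100.10:51234
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def witty_suspects(log_text, src_port=4000, min_targets=3):
    """Group UDP packets by source IP and report sources whose source port is
    fixed at src_port while the (destination IP, destination port) pairs vary.

    Returns {src_ip: (packet_count, distinct_target_count)} for every source
    that hit at least min_targets distinct targets. A host exchanging packets
    with one peer on a fixed port stays below the threshold and is not reported.
    """
    per_src = defaultdict(lambda: {"packets": 0, "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["sport"] != src_port:
            continue
        entry = per_src[rec["src"]]
        entry["packets"] += 1
        entry["targets"].add((rec["dst"], rec["dport"]))
    return {
        src: (e["packets"], len(e["targets"]))
        for src, e in per_src.items()
        if len(e["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, (pkts, targets) in witty_suspects(SAMPLE_LOG).items():
        print(f"{src}: {pkts} packets from UDP/{4000} to {targets} distinct targets")
```

The threshold on distinct targets rather than on packet count is what keeps a legitimate fixed-port UDP application from being flagged; on a real log you would also want a time window, since the worm's spray happens in seconds while a chatty service spreads its traffic over hours.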
jvmorris (I Am The Man Who Was Not There.) MVM join:2001-04-03 Reston, VA
to jeisenberg
said by jeisenberg: . . . Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.
When (and if) I do this, there's definitely going to be a second router/firewall inline. As for using the software firewall (which I presume you're really using primarily for its logging function), I would point out that PhatBot, in particular, has a very extensive list of AV/AT/PSF applications that it will attempt to nullify -- and Witty is the only one of these suckers I've seen to date that tries to work by exploiting a vulnerability in a particular PSF; the others rely on social engineering to get 'on the box'. In other words, I would always consider the box in the DMZ 'at risk' (regardless of what security applications are installed on it) and I certainly would not depend on software applications (residing on that box) to isolate it from the rest of my machines. (And it's gonna get worse out there, RSN.)
psloss Premium Member join:2002-02-24
to jvmorris
said by jvmorris:
said by jeisenberg: In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.
I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.
What you really need here is a response from Link Logger, kpatz, or psloss, for example.
Here's a quickie, which is that at first blush I don't know that I can make as good an argument for leaving the system up vs. the argument that jeisenberg makes for taking it down. Because the maliciousness of this malware is independent of how it infects the system. In other words, MyDoom could have just as easily added the gradual hard drive trashing code. However, in the case of a security conscious person like jeisenberg, he still has his common sense to defend against something like MyDoom...whereas something like Witty or SQL Slammer may act quickly enough to defeat that type of common sense. (Or, well, make it largely irrelevant.) I'm sure with more consideration there are likely better arguments... As you noted in the rest of your post, one can better insulate against critical data loss by using either a "disposable" system or a system with disposable data. That's what I'm doing here. I'm running custom network applications on a system with disposable data. There's no security software or security configurations on it. Which doesn't mean that it couldn't be brought down very quickly in a similar manner to this malware -- all it would take is someone finding and exploiting a similar issue with Pcap (for example). Philip Sloss
to underattack
I must say that I purchased Link Logger software a couple of months ago, and I'm glad I did. I'm amazed at how many times source port 4000 has come up the last 2 days, and that it's coming from some of the same IPs mentioned in this thread. Makes me a little less frustrated with the time my weekly Backup takes on both of my systems. I like OS X, but its day will come. The G5 is still a wee bit outside my budget (and if I'm gonna have a Mac...I want a dual G5...hey, I can dream)
CableConvert
to underattack
keith2468 Premium Member join:2001-02-03 Winnipeg, MB
to underattack
why few worms destructive
There is a reason why influenza is a far more successful virus that kills many times more people than ebola.
Ebola victims are contagious for only a few hours or a day before they are incapacitated. And then they quickly die.
Influenza leaves most of its victims walking around contagious.
Another reason for the lack of "fatal" computer viruses are the motivations of different sorts of virus writers and distributers:
- Simply wanting to make other people's machines available for conversion to commercial spamming or pustro zombies.
- Out for publicity or recognition for having discovered a "serious exploit" or having "written a virus", but not wanting to do any real damage (not thinking about admins getting sacked, SOHOs going belly-up, or the shut-in elderly losing their computers). (If you want to impress me, write an AV tool or an OS.)
- Out for kicks, but afraid of hard jail time
- Out for little rebellious kicks and too ignorant to realize the real damage viruses and trojans create (again not thinking about admins getting sacked, SOHOs going belly-up, or the shut-in elderly losing their computers).
- "Promoting security" but not wanting to spur true comprehensive security reform because it would result in a lot of security firms and departments closing up shop.
jvmorris (I Am The Man Who Was Not There.) MVM join:2001-04-03 Reston, VA
to psloss
Re: Blackice "Witty" Worm: source port 4000 UDP
Philip, said by psloss: ... Because the maliciousness of this malware is independent of how it infects the system. In other words, MyDoom could have just as easily added the gradual hard drive trashing code.
Thanks for adding that. I didn't make that point terribly well. And, indeed, for almost three years now, people have been asking "Why's there no destructive code?" Well, now we've seen it (once again, after a long hiatus). quote: . . . . As you noted in the rest of your post, one can better insulate against critical data loss by using either a "disposable" system or a system with disposable data. . . . .
Yeah, I think to do this (in any prudent manner), you've got to have a box that you're willing to sacrifice completely if it comes to that -- because it may. And, again, the box really needs to be totally isolated from one's operational machines (i.e., the machines that one really uses for getting things done on the 'net).
psloss Premium Member join:2002-02-24
to Mike
said by Mike: These little wimpy viruses so far are basically, "let's see how many people we can infect" like scouts. You run the numbers and compare to see how savvy people adapt to these new waves. Then when the numbers are in their range...
Then BLAM!
Virus writers can basically screw with millions of people anytime they want. There is no set public schedule to this at all, or at least none that I've seen.
Why simply "screw with millions of people" when you can make lots of money (albeit illegal) by using their computers? That's what malware writers are doing today. In my opinion, it's not a game anymore, it's become big business in a very short time, and the way that these miscreants act has to be governed in part by the operating model of business they are currently in. If they are willing to change that operating model, then they could screw up millions of systems just like that. But that doesn't make any business sense to me, because then they have to drastically change the way they do business. Much more than they do now -- gradual adaptation is still necessary, but it's much less time/expense consuming than (for example) radically altering attack mechanics. Philip Sloss
SYNACK (Just Firewall It) Mod join:2001-03-05 Venice, CA
to keith2468
Re: why few worms destructive
An intriguing note from the writeup at eeye: "It should be noted that the BlackICE/RealSecure engine listens for packets received on the broadcast interface. This allows the vulnerability to be exploited simultaneously across every vulnerable host within a targeted network by issuing a single, spoofed, UDP datagram."
I am curious how many other vulnerabilities can be exploited in this fashion.
keith2468 Premium Member join:2001-02-03 Winnipeg, MB
to jeisenberg
Re: Blackice "Witty" Worm: source port 4000 UDP
Jeisenberg, this really belongs in another thread, but what hardware firewall do you have? MyNetWatchman can process the logs of many NAT routers and firewalls, including a few not directly mentioned here: » www.mynetwatchman.com/setup.asp
techjoe Premium Member join:2004-02-20 Lombard, IL
to underattack
This could spark the desire to create more of the virii of old -- Wait until we start seeing more bios-flashing virii. CIH anyone?
KF_PM Anon, 2004-Mar-21 4:03 pm
to justin
6000 laptop users all used the unpatched version of black ice? Give or take, yes. Sad isn't it? I love it when companies lay off most of their IT department, get struck with an 8 million dollar debt and wonder what happened. Maybe if you just kept a few employees on the payroll, things like this wouldn't have been so destructive. My particular company did not have trucks moving for over 24hrs, huge impact. Maybe the CEO's will get the message. The conversation in the bridge call was kinda funny. One of the support guys was instantly given a new job and new title and was told to hire a team of people to keep on top of this stuff. Hmm... where did those other people go that got laid off?
keith2468 Premium Member join:2001-02-03 Winnipeg, MB
to underattack
Several airlines, including Air Canada, had 747s, 737s and Airbuses sitting idle for 5 to 20 hours when the Nachi type viruses made their rounds.
Those who haven't worked in large enterprises may react with disbelief, but the impact of these little viruses can be mammoth.
6000 laptops is nothing if you have 30,000 laptops in your enterprise.
And in many companies, a few of those laptops are bound to be with salespeople wanting to make live presentations to customer executives on Monday morning in far-off countries with few technical resources, like Africa or Siberia.
Someone has to pay the price.
Will it be the CFO? The CIO? The Director of Small Systems? Or a couple of the PC System Admins?
The CFO, CIO, and Director of Small Systems will hold a meeting and decide, so you can guess the outcome.
to underattack
...BlackICE Server Protection 3.6 cbz, ccd, ccf...
I have 3.6.ccb so I am not vulnerable? My newly formatted Win 2003 did crash three times since the beginning of March with a BSOD "KERNEL_STACK_INPAGE_ERROR" and yesterday I changed some settings and this morning the machine was frozen but was still pingable. Anybody know if the BSODs are related to this worm?
justin (..needs sleep) Mod join:1999-05-28, 2004-Mar-21 4:35 pm
Yes BSOD is a sign. The worm scribbles over random sectors of the disk until the OS dies due to corrupt files.
On the other hand, if you are not vulnerable, you are not vulnerable. If you can reboot ok... well, I'd uninstall blackice and/or upgrade it immediately.
New User Anon, 2004-Mar-21 4:54 pm
I think that the worm probably couldn't get through but was only able to crash the system and I was able to reboot. Anyone agree?