
Selecter8

join:2003-11-23
Charles Town, WV
reply to underattack

Re: Blackice "Witty" Worm: source port 4000 UDP

Maybe some of these people will go buy a G5 so they can lessen their exposure to this crap by a factor of 10 or more. I'm sorry, but the Windows world got to be too dangerous for the likes of mere mortals, so I jumped ship last year. Best thing I ever did. I read these stories and shake my head. One day the first big OS X worm will come along, I'm sure, but that day's not here yet.

Sometimes I think I don't want the Mac platform to get any bigger - if it does, someone will surely write something.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to jeisenberg
said by jeisenberg:
In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.

I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.
What you really need here is a response from Link Logger, kpatz, or psloss, for example.

But, I can tell you that this is one of the reasons I haven't done this. I would want an old, cheap PC with absolutely nothing of consequence on it, and for which I could completely restore not only the hard drive image, but -- if necessary -- the hard drive itself before I'd try this. Well, I don't have one. (And I would also totally isolate it from machines behind the firewall or second router.)

There are people here (gkweb comes to mind), who routinely put machines up, let them get slaughtered, and then take them down and reconstitute them. (After a few repeats, one can pretty much automate this process, I suspect, but I'm not there yet.) This is inherently a dangerous process and I doubt you're going to see anyone publish directions on how to do it. It's not so much that some of these guys worry that they're going to miss something, so much as them worrying that someone might read the process they enumerate and then decide to do the same thing -- eliminating some of the steps in the process as being "unnecessary".
--
Regards, Joseph V. Morris


Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1
reply to justin
Using the philosophy base of George Carlin, except on airport security...

»www.humorcafe.com/humor/gems/geo···rlin.htm

said by main quote:
As far as I'm concerned, all of this airport security--the cameras, the questions, the screening, the searches--is just one more way of reducing your liberty and reminding you that they can fuck with you any time they want, as long as you're willing to put up with it. Which means, of course, any time they want. Because that's the way Americans are now. They're always willing to trade away a little of their freedom for the feeling, the illusion--of security.
The anti-viruses, the people who don't patch or switch OSes, yet who always complain when some super virus turns their computer to digital poop. Why? They have a weak defense system and they deserve it. Screw 'em.
You can defend something for so long before you have to fall back or get your ass handed to you in a doggy bag.

I'm going to state the obvious by saying nothing is unbreakable. Except, something is a larger target, and that's what appears to be getting hit the hardest. When you fix your OS, then you can fix mine. PS, I'm in Windows XP right now since I want to play BF 1942 after this post, so this IS my problem. I don't want my nazi killing machine to be a doorstop anytime soon, and I want all the idiots I shoot at to be there without a worry in their mind that the next virus is going to school them. I need things to shoot, damn it!

These little wimpy viruses so far are basically, "let's see how many people we can infect" like scouts. You run the numbers and compare to see how savvy people adapt to these new waves. Then when the numbers are in their range...

Then BLAM!

Virus writers can basically screw with millions of people anytime they want. There is no set public schedule to this at all, or at least none that I've seen.

Give us $40 and we'll protect your computer. False sense of security. Bull crap, how many people have an expired version of some AV (or fully patched AV) that didn't really work and they're screwed? It's a false sense of security. There will always be that idiot running outlook, msie, or some other piece of crap windows software with more holes than a Krispy Kreme factory that will keep the spread of this stuff going strong.

Like I tell people. Let someone get pissed off enough to write some super virus that will destroy 70% of the machines that are connected to the internet with some super-windows virus. I wonder how many of those 70% of people whine, and how many of those 70% reinstall the same system and have it killed nearly immediately because they reconnected a less patched version of the OS just because that's what came on the CD. I also wonder what the profit for Microsoft is going to be? After all the old versions of MS software are ripped in half, people will most likely go right back to the mothership for a brand new "more secure" target on their back because the old one was shot the hell apart.

I've heard this before: Windows 2000 is bug free. I guess that means Windows XP, 2003, or whatever the next monstrosity that comes out is even better, in that sequential order.

/fixed engrish, added something


jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON
reply to jvmorris
said by jvmorris:
(And I would also totally isolate it from machines behind the firewall or second router.)
Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to SYNACK
said by SYNACK:
I wonder why the author decided to keep the source port constant? Implementation of a random source port would have made this even nastier to track.
I was/am wondering that, too, but it occurred to me that it's probably faster to bind to a single port and then fire out 20000 packets than to both grab a new source port (indirectly via the OS) and send out the packet 20000 times. (Notice how I made the former sound faster... )

That's what I was speculating about with "performance" above.

I do agree that letting the OS pick an open ephemeral port would make this harder to track.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to jeisenberg
said by jeisenberg:
. . . Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.
When (and if) I do this, there's definitely going to be a second router/firewall inline.

As for using the software firewall (which I presume you're really using primarily for its logging function), I would point out that PhatBot, in particular, has a very extensive list of AV/AT/PSF applications that it will attempt to nullify -- and Witty, of these suckers, is the only one I've seen to date that tries to work by exploiting a vulnerability in a particular PSF; the others rely on social engineering to get 'on the box'.

In other words, I would always consider the box in the DMZ 'at risk' (regardless of what security applications are installed on it) and I certainly would not depend on software applications (residing on that box) to isolate it from the rest of my machines. (And it's gonna get worse out there, RSN.)
--
Regards, Joseph V. Morris

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to jvmorris
said by jvmorris:
said by jeisenberg:
In order to take part in myNetwatchman's service as a reporting node, I have had to set one of my PCs to run in the DMZ, then using a software firewall to catch and forward intrusion attempts. After seeing this "Witty" worm, I'm going to have to rethink that strategy.

I don't mind volunteering to fight against hacks and zombies, but I didn't bargain for being put in "real" harm's way.
What you really need here is a response from Link Logger, kpatz, or psloss, for example.
Here's a quickie, which is that at first blush I don't know that I can make as good an argument for leaving the system up vs. the argument that jeisenberg makes for taking it down.

Because the maliciousness of this malware is independent of how it infects the system. In other words, MyDoom could have just as easily added the gradual hard drive trashing code.

However, in the case of a security conscious person like jeisenberg, he still has his common sense to defend against something like MyDoom...whereas something like Witty or SQL Slammer may act quickly enough to defeat that type of common sense. (Or, well, make it largely irrelevant.)

I'm sure with more consideration there are likely better arguments...

As you noted in the rest of your post, one can better insulate against critical data loss by using either a "disposable" system or a system with disposable data.

That's what I'm doing here. I'm running custom network applications on a system with disposable data. There's no security software or security configurations on it. Which doesn't mean that it couldn't be brought down very quickly in a similar manner to this malware -- all it would take is someone finding and exploiting a similar issue with Pcap (for example).

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org



CableConvert
Premium
join:2003-12-05
Atlanta, GA
reply to underattack
I must say that I purchased Link Logger software a couple of months ago, and I'm glad I did. I'm amazed at how many times source port 4000 has come up in the last 2 days, and that it's coming from some of the same IPs mentioned in this thread.
Makes me a little less frustrated with the time my weekly backup takes on both of my systems.
I like OS X, but its day will come. The G5 is still a wee bit outside my budget (and if I'm gonna have a Mac... I want a dual G5... hey, I can dream).



keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB


reply to underattack

why few worms destructive

There is a reason why influenza is a far more successful virus, one that kills many times more people than Ebola.

Ebola victims are contagious for only a few hours or a day before they are incapacitated. And then they quickly die.

Influenza leaves most of its victims walking around contagious.

Another reason for the lack of "fatal" computer viruses is the motivations of different sorts of virus writers and distributors:

- Simply wanting to make other people's machines available for conversion to commercial spamming or pustro zombies.

- Out for publicity or recognition for having discovered a "serious exploit" or having "written a virus", but not wanting to do any real damage (not thinking about admins getting sacked, SOHOs going belly-up, or the shut-in elderly losing their computers). (If you want to impress me, write an AV tool or an OS.)

- Out for kicks, but afraid of hard jail time.

- Out for little rebellious kicks and too ignorant to realize the real damage viruses and trojans create (again not thinking about admins getting sacked, SOHOs going belly-up, or the shut-in elderly losing their computers).

- "Promoting security" but not wanting to spur true comprehensive security reform because it would result in a lot of security firms and departments closing up shop.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1
reply to psloss

Re: Blackice "Witty" Worm: source port 4000 UDP

Philip,
said by psloss:
... Because the maliciousness of this malware is independent of how it infects the system. In other words, MyDoom could have just as easily added the gradual hard drive trashing code.
Thanks for adding that. I didn't make that point terribly well. And, indeed, for almost three years now, people have been asking "Why's there no destructive code?" Well, now we've seen it (once again, after a long hiatus).
quote:
. . . . As you noted in the rest of your post, one can better insulate against critical data loss by using either a "disposable" system or a system with disposable data. . . . .
Yeah, I think to do this (in any prudent manner), you've got to have a box that you're willing to sacrifice completely if it comes to that -- because it may.
And, again, the box really needs to be totally isolated from one's operational machines (i.e., the machines that one really uses for getting things done on the 'net).
--
Regards, Joseph V. Morris

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to Mike
said by Mike:
These little wimpy viruses so far are basically, "let's see how many people we can infect" like scouts. You run the numbers and compare to see how savvy people adapt to these new waves. Then when the numbers are in their range...

Then BLAM!

Virus writers can basically screw with millions of people anytime they want. There is no set public schedule to this at all, or at least none that I've seen.
Why simply "screw with millions of people" when you can make lots of money (albeit illegal) by using their computers? That's what malware writers are doing today. In my opinion, it's not a game anymore, it's become big business in a very short time, and the way that these miscreants act has to be governed in part by the operating model of business they are currently in.

If they are willing to change that operating model, then they could screw up millions of systems just like that. But that doesn't make any business sense to me, because then they have to drastically change the way they do business. Much more than they do now -- gradual adaptation is still necessary, but it's much less time/expense consuming than (for example) radically altering attack mechanics.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
reply to keith2468

Re: why few worms destructive

An intriguing note from the writeup at eeye:

"It should be noted that the BlackICE/RealSecure engine listens for packets received on the broadcast interface. This allows the vulnerability to be exploited simultaneously across every vulnerable host within a targeted network by issuing a single, spoofed, UDP datagram."

I am curious how many other vulnerabilities can be exploited in this fashion.
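Two points in this thread make Witty unusually easy to spot in perimeter logs: psloss's observation that the worm binds once and fires every probe from the same UDP source port (4000) while the destination port varies, and SYNACK's note from the eEye writeup that a single datagram to a broadcast address can reach every vulnerable host on a segment. The script below is an added example, not code from the thread or from any of the products named in it (Link Logger, myNetwatchman, BlackICE). It runs over a few constructed log lines in a made-up NAT-router syslog layout (the field names `proto=`, `src=`, `dst=` and the subnet 203.0.113.0/24 are assumptions), flags UDP records whose source port is 4000, counts them per source with the spread of destination ports hit, and separately lists any such datagram aimed at the subnet or limited broadcast address:

```python
"""Flag Witty-style traffic in firewall logs (added example, not from the thread).

Witty's fingerprint as described in the thread: UDP, source port always 4000,
destination port random, many probes per infected source. The log format below
is a constructed, generic "proto=.. src=ip:port dst=ip:port" layout, not any
real product's output.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

WITTY_SRC_PORT = 4000

# Assumed log layout: one record per line with proto/src/dst fields.
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: three probes from one source, a TCP decoy on port 4000,
# a DNS reply whose *destination* port is 4000 (must not match), and two
# broadcast-directed probes from a second source.
SAMPLE_LOG = """\
2004-03-20 04:45:01 DROP proto=UDP src=198.51.100.7:4000 dst=203.0.113.10:17493
2004-03-20 04:45:01 DROP proto=UDP src=198.51.100.7:4000 dst=203.0.113.10:60122
2004-03-20 04:45:02 DROP proto=UDP src=198.51.100.7:4000 dst=203.0.113.10:2291
2004-03-20 04:45:02 DROP proto=TCP src=192.0.2.33:4000 dst=203.0.113.10:80
2004-03-20 04:45:03 DROP proto=UDP src=192.0.2.9:53 dst=203.0.113.10:4000
2004-03-20 04:45:04 DROP proto=UDP src=192.0.2.77:4000 dst=203.0.113.255:31000
2004-03-20 04:45:05 DROP proto=UDP src=192.0.2.77:4000 dst=255.255.255.255:5
"""

LOCAL_NET = ip_network("203.0.113.0/24")  # assumed local subnet behind the NAT box


def parse(line):
    """Return the proto/src/sport/dst/dport fields of one record, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "proto": m["proto"].upper(),
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def is_broadcast(dst, local_net):
    """True for the limited broadcast or the local subnet's directed broadcast."""
    addr = ip_address(dst)
    return addr == ip_address("255.255.255.255") or addr == local_net.broadcast_address


def analyse(log_text, local_net=LOCAL_NET):
    """Summarise UDP records with source port 4000.

    Returns per-source probe counts, the set of destination ports each source
    hit (a fixed source port with a wide spread of destination ports is the
    tell), and any probes aimed at a broadcast address.
    """
    per_source = Counter()
    dest_ports = defaultdict(set)
    broadcast_hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["proto"] != "UDP" or rec["sport"] != WITTY_SRC_PORT:
            continue  # only UDP *source* port 4000 counts; dport 4000 is noise
        per_source[rec["src"]] += 1
        dest_ports[rec["src"]].add(rec["dport"])
        if is_broadcast(rec["dst"], local_net):
            broadcast_hits.append((rec["src"], rec["dst"]))
    return {
        "per_source": dict(per_source),
        "dest_ports": {src: sorted(ports) for src, ports in dest_ports.items()},
        "broadcast_hits": broadcast_hits,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, n in sorted(report["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} probes, dest ports {report['dest_ports'][src]}")
    for src, dst in report["broadcast_hits"]:
        print(f"broadcast-directed probe: {src} -> {dst}")
```

The filter keys on the source port, not the destination, so a legitimate service answering from port 4000 over TCP, or an unrelated reply sent to port 4000, does not trip it; if Witty had let the OS pick an ephemeral source port, as psloss and SYNACK note, this signature would be gone and one would be left correlating on volume and destination-port spread alone.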


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
reply to jeisenberg

Re: Blackice "Witty" Worm: source port 4000 UDP

Jeisenberg, this really belongs in another thread, but what hardware firewall do you have?

MyNetWatchman can process the logs of many NAT routers and firewalls, including a few not directly mentioned here:

»www.mynetwatchman.com/setup.asp


techjoe
Premium
join:2004-02-20
Warrenville, IL
kudos:1
reply to underattack
This could spark the desire to create more of the virii of old -- wait until we start seeing more BIOS-flashing virii. CIH, anyone?


KF_PM

@192.97.x.x
reply to justin
6000 laptop users all used the unpatched version of Black Ice?
Give or take, yes. Sad, isn't it? I love it when companies lay off most of their IT department, get struck with an 8 million dollar debt and wonder what happened. Maybe if you just kept a few employees on the payroll, things like this wouldn't have been so destructive.

My particular company did not have trucks moving for over 24 hrs, huge impact. Maybe the CEOs will get the message. The conversation in the bridge call was kinda funny. One of the support guys was instantly given a new job and new title and was told to hire a team of people to keep on top of this stuff. Hmm... where did those other people go that got laid off?


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
reply to underattack
Several airlines, including Air Canada, had 747s, 737s and Airbuses sitting idle for 5 to 20 hours when the Nachi type viruses made their rounds.

Those who haven't worked in large enterprises may react with disbelief, but the impact of these little viruses can be mammoth.

6000 laptops is nothing if you have 30,000 laptops in your enterprise.

And in many companies, a few of those laptops are bound to be with salespeople wanting to make live presentations to customer executives on Monday morning in far-off countries with few technical resources, like Africa or Siberia.

Someone has to pay the price.

Will it be the CFO? The CIO? The Director of Small Systems? Or a couple of the PC System Admins?

The CFO, CIO, and Director of Small Systems will hold a meeting and decide, so you can guess the outcome.


New User

@uu.net
reply to underattack
...BlackICE Server Protection 3.6 cbz, ccd, ccf...

I have 3.6.ccb, so am I not vulnerable? My newly formatted Win 2003 did crash three times since the beginning of March with a BSOD "KERNEL_STACK_INPAGE_ERROR", and yesterday I changed some settings and this morning the machine was frozen but was still pingable. Anybody know if the BSODs are related to this worm?


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Yes BSOD is a sign. The worm scribbles over random sectors of the disk until the OS dies due to corrupt files.

on the other hand, if you are not vulnerable, you are not vulnerable. If you can reboot ok... well, I'd uninstall blackice and/or upgrade it immediately.


New User

@uu.net
I think that the worm probably couldn't get thru but was only able to crash the system and I was able to reboot. Anyone agree?


crypto7ogic

join:2001-08-29
Dayton, OH
reply to underattack
Yesterday was not fun. We have ~500 users on VPN, using the Nortel Contivity VPN client and blackd v 3.5.105 (at least, the version in Properties for the exe).

VPN users started calling early with various bluescreen situations due to this problem (about 50). We block port 4000 inside and to these users, so they were infected before they established a tunnel inside. The trojan does not drop any files to search for and writes 64K of junk (I think the compromised DLL) to a random location on the hard drive, sometimes (?) causing boot problems when the machine is rebooted. A reboot unloads it from memory. So I'm guessing there are more than 50 infected; these are just the ones who cannot reboot. So, we are watching for an update from McAfee, then I learn that McAfee Avert says McAfee DAT version 4340 addresses this - BUT it has a listed release date of 03-24-2004!

Avert also states: "[while] version 'BlackIce 3.6.ccf' is affected by this worm, the latest available version (BlackIce 3.6.ccg) as well as version 3.5 and prior are not. A patch for BlackIce products is available at: »blackice.iss.net/update_center/index.php."

So we implemented the 3.6.ecg (the web page lists the version incorrectly) patch at around 1545 ET to the server. Fortunately, the client sends out a heartbeat every 60 minutes to check for updates; it sends a heartbeat out when it first boots up as well. So subsequent VPN users pick up the new client when they heartbeat in. That, combined with the fact that we already block port 4000 should mean that no more machines are infected, however we still have to get DAT 4340 (or an extra.dat beforehand) to see how many are infected but still bootable, if any. And there are the 50 or so people who need PCs re-imaged, plus the ones who had crapulous VPN package installs in the first place, so the update fails (only 1 so far). I'm not going to be one of those users who states "this is why I use another operating system," because it is not the reason, however, I still happily accept another of the fortunate by-products of using a UNIX kernel (Darwin) on a RISC processor. In fact, I'd probably be unemployed were it not for Windoze sucking so badly.

Kiwi
Premium
join:2003-05-26
USA/MidWest
kudos:1
reply to underattack
I hate to be a party pooper, but I owned BI since its conception and used it right up till they got sold out! Cost me quite a few bucks too.

I hate takeovers, so never used it again. Though with reasonable consideration, if anyone is trying to dis them, perhaps they are trying; because only BlackHats try to kill protection, just a thought!

Still, I stick with:

~A good NAT box
~Adaware
~Spybot
~HijackThis
~CWShredder

In spite of all this, the internet is still a risky business, particularly for home users.

As for VPN I have seen Cisco Re-route Government systems, using their software to 'Keep' records. Essentially, recording traffic within the Federal government, outside of their contractual Rights.

BlackICE has become not just a target, but a risk...That's just my opinion.

Opinions are free, right?

Cheers
--
2.66g/533fsb Intel CPU @ 3.28g 512meg Twinmos PC3700~466 DDR @ 2.8v ATI 9500 Pro @ 9700 Pro@1.6vAMD ASUS A7N8X-E2500+@3200 ATI 9500 Pro, Corsair 512LL.

Bobcat79
Premium
join:2001-02-04


reply to crypto7ogic
said by crypto7ogic:
So, we are watching for an update from McAfee, then I learn that McAfee Avert says McAfee DAT version 4340 addresses this - BUT it has a listed release date of 03-24-2004!

however we still have to get DAT 4340 (or an extra.dat beforehand) to see how many are infected but still bootable, if any.
It probably won't do you much good. Read the following from »vil.nai.com/vil/content/v_101118.htm

"Rebooting an infected system removes the virus from memory and the virus will not be reloaded on system startup... As no files are dropped on the machine by the worm, detection in the 4340 DATs and later will be detection for the worm running in memory when the machine is infected... Damaged files need to be replaced from a backup - they can't be cleaned as they have been overwritten."

So, I guess the solution is to uninstall/upgrade the BlackIce products, then reboot the machines. If they work, you're OK. There's nothing you can do with an anti-virus scan.
--
"...Saddam Hussein still has chemical and biological weapons..."
» George W. Bush, October 7, 2002.


pcdebb
RIP lil hurricane
Premium
join:2000-12-03
Brandon, FL
kudos:5
reply to underattack
Really sux. Although I haven't used BlackICE in over three years, I think it's time I did a good backup of my system. Who's to say that another one isn't being written to go after users of other firewalls? I'm probably way off on that, but at this point anything is possible....
--
I want to die in my sleep like my grandfather...not screaming and yelling like the passengers in his car ... (posts) ... AIM ...

Kiwi
Premium
join:2003-05-26
USA/MidWest
kudos:1
reply to underattack
History, either in War or Peace ~Hardly few of the millions understand, basic concepts! McAfee -Go check Hx on who owned and operated and the following consequences, that goes way back -FOUR products! GuardDog et al. Anyone remember?

At one point I owned ALL their products, that was before I knew better! At a fairly large cost as well. Anything CA "Incorporated" I avoid, like the plague ~Having gone there in 1991; I know better.

Again just an opinion, with some experience! It's really called dumping good programmers, for profit!

Cheers
--
2.66g/533fsb Intel CPU @ 3.28g 512meg Twinmos PC3700~466 DDR @ 2.8v ATI 9500 Pro @ 9700 Pro@1.6vAMD ASUS A7N8X-E2500+@3200 ATI 9500 Pro, Corsair 512LL.


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
reply to underattack

The Value of Defense in Depth

With the software firewall (or IDS) layered behind a NAT box (or hardware firewall), when an exploit is found for one, the other is still able to provide protection.


Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3
reply to crypto7ogic

Re: Blackice "Witty" Worm: source port 4000 UDP

crypto7ogic, You don't really have to wait for version 4340. You can always use the daily updates here:

»vil.nai.com/vil/virus-4d.asp

The signatures are released immediately and daily. Once a week they are combined to one dat file. Once you manually update with the newest Daily, your dat version will show as 4100 but disregard that. They use a low number so the next automatic update will have a higher number to ensure your AV will pick it up.
--
You can catch the Devil, but you can't hold him long.


jig

join:2001-01-05
Hacienda Heights, CA


reply to underattack
Scary, a little, when you think about how this can collapse the range of protective software used. Imagine a one-two punch where first the BlackICE users are targeted, then a week later a similar exploit for the most recent version of ZoneAlarm is hit. With all the hoopla from the first worm, everyone updates their software to the latest (nervous paranoia reflex) and many switch from BlackICE (some percentage going straight to ZoneAlarm).

Also, you've mentioned that this worm is self-defeating in that it kills the host, but as far as I can understand, it only kills the host once there is a reboot. Considering how robust and long-lived Code Red has been (infection vector stopped with a reboot), I don't think you are necessarily 'killing the host' if the host can still function till a reboot. Because there seem to be plenty of hosts out there that aren't well managed or rebooted regularly, it is shrewd to assume that a high enough percentage of infection vectors will continue to function long enough to widely disperse the infection.

Consider further that the outgoing ports could be randomized and that possibly the source IP could be spoofed (easier with UDP?), maybe even intelligently, as if within the same subnet. I'm not sure what the trade-off is for source spoofing. I know that at least some hardware is set up to not pass unknown source IP traffic from LAN to WAN, but I'm thinking this feature is hardly ever used across random port traffic. An infection vector could stay active for a very long time.

Anyway, targeting a specific protective software product (immunity response) hits a little close to home, for once, though I don't use the particular product. I've pretty much stopped caring about all the new exploits for Outlook Express or even email in general. Oh well. Backups, ho!


jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON
The virus overwrites a 64K chunk of random disk memory every 20,000 attack cycles. Even without a user-initiated reboot, eventually the host machine will blue screen, forcing the reboot.


Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1
how long is an attack cycle?