Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×

Botnet Herders Attack MS06-040 Worm Hole 112

Posted by CmdrTaco from the worming-your-way-through-the-net dept.
Laljeetji writes "eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor."
This discussion has been archived. No new comments can be posted.

Botnet Herders Attack MS06-040 Worm Hole More

Botnet Herders Attack MS06-040 Worm Hole

Comments Filter:
  • If the hacker has to use IRC to command the bots, cant the entire virus be reverse-engineered to find out the IRC channel and then the hackers IP address?
    I would like to see these virus authors caught and publicly executed for once.

    • Re:IRC the weakpoint? (Score:5, Informative)

      by LiquidCoooled ( 634315 ) on Sunday August 13, 2006 @05:56PM (#15899624) Homepage Journal
      They know where its coming from, but the Chinese are still pissed at Jack Bauer so they won't shut it down.

      actually, they say its the same server thats been running for months:
      Amazingly, this new variant of Mocbot, still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low-profile it has held, but also may be due to the fact that the hostnames and ip addresses associated with the command-and-control servers are almost all located in China. Historically Chinese ISPs and government entities have been less-than-cooperative in taking action against malware hosted and controlled from within their networks.

      • Is it a stretch..... (Score:3, Interesting)

        by zogger ( 617870 )
        ...to think some of this stuff is officially sanctioned, state sponsored or at least allowed to continue?
      • I think it's time we "brought freedom" to China.

      • Internet the weakpoint? (Score:5, Insightful)

        by twitter ( 104583 ) on Sunday August 13, 2006 @06:58PM (#15899807) Homepage Journal

        Suppose the bots all used AIM or MSN Messenger servers. Would you demand that those be taken down?

        The weak point is not IRC or any other communications method. The weak point is software that's so easy to exploit it has new "critical" patches every month [insert tampon jokes here].


        • It's a lot harder to exploit now. I guess the patch that came before the last one must have done something to the updater itself, because when these critical updates came out, my laptop nagged me like a four-year-old every five minutes about rebooting until I finally gave in.

          I'm not really complaining. From now on, any new computer that Joe Average gets (or if he happens to update his current box) will make sure at least Windows is up to date. Now, if only Joe knew that AVs have to be updated...
        • Uhm... I would say that the weak point is the guy who writes this kind of stuff in the first place? No matter how unsecure an OS is, or how guilt-free the (supposedly) illegal usage of IRC servers get, still the blame lies with the malware writer.
          You're kinda saying that strong encryption is responsible for its illegal usage by criminals, or that the "easily exploitable" p2p networks are responsible for IP infringment: but the technology has no responsibility, it's always a human being who actually *breaks
        • The point isn't to "Demand that the server be taken down," but rather for law enforcement personnel to go to the channel and find who is giving the botnet commands, then track that user down and prosecute him for what he is doing.
          • The point isn't to "Demand that the server be taken down," but rather for law enforcement personnel to go to the channel and find who is giving the botnet commands, then track that user down and prosecute him for what he is doing.

            If true, that's hardly a problem unique to IRC. The root cause remains Windoze.

            • Actually, the root cause is human nature. No matter what protocol/OS/browser becomes popular or available, someone will try to break it. Windows is popular now, so it would be the logical choice for which to develop an attack. If Windows falls out of favor when Vista is released as you have many times predicted here, and Linux becomes more mainstream, you can be assured that our less civilized members of society will be looking for a way to crack it. The wise old verse still holds true: "Seek, and ye sh

    • Re:IRC the weakpoint? (Score:5, Insightful)

      by winkydink ( 650484 ) * <sv.dude@gmail.com> on Sunday August 13, 2006 @05:56PM (#15899625) Homepage Journal
      How are the IRC channel and the hacker's IP address related? Just because somebody visits some random IRC channel doesn't make them the bot author. Security researchers, for example, will also be found there.

      Also, most bot herdes are in eastern europe, brazil, or developing countries. Catching hackers isn't high on the list of law enforcement priorities in the countries (and, if the right amount has been paid to the right people, it's completely ignored).

    • Re:IRC the weakpoint? (Score:5, Informative)

      by httptech ( 5553 ) on Sunday August 13, 2006 @06:02PM (#15899651) Homepage
      Modern botnet command-and-control IRC servers don't give out information like who else is connected. In this Mocbot C&C, you join the channel, get an encrypted command (in the channel topic) which tells the bot to join another channel. In that channel, another encrypted command in the topic tells the bot to download and execute a trojan (which currently is detected by some AV as Trojan-Proxy.Win32.Ranky.fv).

      The reason for all this subterfuge is, if the AV companies aren't spying on the control channel, they have no way to know about the second-stage infection, unless they get lucky - so even if they do clean the Mocbot infection, the proxy trojan still resides on the machine.

    • Seeing as Tor has been brought up lately as a way to "secure" yourself... Whats to stop virus writers using a proxy?... Hell they could probably proxy through a compromised machine (if its security sucks badly enough)

      • Whats to stop virus writers using a proxy?

        Nothing. They are doing exactly that.

        Modern botnets are organized more like terrorist cells than anything else. What they're doing is opening encrypted channels only between the infecting and infected machines, and run as a peer-to-peer network. It's very much run like a Tor network.

        So now, there's no single IRC server. The botherder can connect to any infected machine and issue a command, and the command will propagate peer-to-peer. The communications

  • strange hadlines... (Score:3, Funny)

    by imsabbel ( 611519 ) on Sunday August 13, 2006 @05:51PM (#15899604)
    Could be right out of a voyager episode or something.
    I really hope they reverse their shield polarity when attackign that wormhole, or it could trigger a tachyon cascade....

  • Whats gonna happen when Norton removes WGA? (Score:5, Funny)

    by LiquidCoooled ( 634315 ) on Sunday August 13, 2006 @05:53PM (#15899614) Homepage Journal
    from the analysis:

    This variant of mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.

    Do we actually know which is the more malicious variant?

  • Update Server 2003 and XP SP2 as well (Score:4, Informative)

    by jiushao ( 898575 ) on Sunday August 13, 2006 @06:00PM (#15899642)
    Notice: This worm cannot target Server 2003 or XP SP2, in fact, no exploit for them has been found. The basic flaw exists, but the stack guards used on all newer versions of Windows (post-security-push) trips all as of yet attempted attacks. To be really safe however make sure you update Server 2003 and XP SP2 machines anyway!

  • A Solution... (Score:5, Insightful)

    by nmb3000 ( 741169 ) on Sunday August 13, 2006 @06:02PM (#15899648) Journal
    Find a way to make the average user patch software.

    As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible. No product, be it OSS or commercial, is free of these banes. On the other hand, problems like this would nearly go away, if only users would patch the software. Whether it's a new exploit in Windows or Apache or phpBB, if you don't patch, you're going to get screwed. Yes, it seems like Microsoft products have more patches than average, but at least they have patches. Blaster and MyDoom? They'd have never hit the news if users were patched. Automatic Updates in XP is a great step forward, but it's still opt-in.

    Some people seem amazed when I say I had no direct problems with Blaster or Welchia, and they don't seem to get it that these problems essentially always appear after a patch is release which means there is no valid reason for their survival. Patch, patch, patch, patch, patch. Yes, slightly monotonous, but if users would simple do it, we'd stop seeing these equally monotonous news stories about Exploits of Doom.

    • Re:A Solution... (Score:5, Insightful)

      by Ph33r th3 g(O)at ( 592622 ) on Sunday August 13, 2006 @06:11PM (#15899682)
      A good start would be for Microsoft to stop attaching new EULA conditions or spyware (e.g. WGA) as a prerequsite to getting patches conveniently.

    • The testing process. (Score:4, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday August 13, 2006 @06:22PM (#15899709)
      It would almost as stupid for a company to deploy patches without testing them as it would be to never patch at all.

      So there will be a delay between a patch being released and that patch being deployed on production systems.

      And going into "crisis mode" for 2 weeks, starting the second Tuesday of every month is a bit much to expect of people.

    • Re:A Solution... (Score:5, Insightful)

      by Jerf ( 17166 ) on Sunday August 13, 2006 @06:29PM (#15899730) Journal
      This is a complicated topic, and I don't have a pat answer. But let me give you two of the counterpoints:
      1. Corporate users can't do that; they need to test the patches first. Obviously, "corporate" users could then get an option to not auto-download the patches. But the corporations aren't conservative about patching because they like to drag their feet; technically it's easy to roll out a patch in a matter of hours, even minutes for small ones that don't require a reboot. The problem is that patches aren't perfect, and they will tend to break computers that used to work, and programs that used to work. Worst case scenario they can even destroy data.

        Corporations have trouble because they may well have thousands of configurations they need to support, so even if 1% of them fail, it's a major problem. Still, imagine if Microsoft forces a patch out, and they cause the machines that have Quicken version 6.3532 build 4 to completely destroy all financial records on their next startup. (Or even just render them unreadable, since we're assuming non-technical users.) Imagine the liability issues, which, frankly, probably terrify the executives at Microsoft already when they issue a patch. Forcing the patches on users makes those issues even worse.
      2. If Microsoft has the ability to force your machine to run an update, they literally own your machine. They can make it do anything, and you can't stop them. Already the activation stuff has caused some issues, and I've basically bailed on Windows as a result and consider it a good reason for everybody else to bail, too. The computer needs to belong to you, not your corporate overlords. (The term "corporate overlord" in this case is used without sarcasm, because at least in computing terms, they really are.)
      I think the problem boils down to the fact that it may not be possible to run a general-purpose computer in an incredibly hostile environment without a high degree of operator skill, and people in general, quite justifiably, do not wish to attain this high degree of skill, just so they can safely surf the web, send email, and use IM. Until a completely secure computer is built, or at least a far more secure one, I'm not sure what can be done about this.

      The worst part is, none of what I've said here contradicts anything you've said. It's all in play at once? So, which side dominates, and under what circumstances? I really couldn't tell you. However, I would think the empirical evidence at the moment is in your favor. But is the only/best solution really to cede control over your computer to Microsoft (which are the people who got you into this situation in the first place)?

      At least Open Source doesn't have that issue; since nobody is in charge and nobody is making money by controlling your computer (DRM, etc), the conflict of interest involved in creating a security situation where what seems to be the best solution is deeding your computer over to the same people doesn't come into play.
    • I am firmly against a vendor forcibly installing any patch or other software without the computer owner's consent. I will not install the Genuine Advanantage patch (or whatever it's called) on my XP box, and I believe that MS has no right to force me to install it (I am running legit OEM Windows).

      I agreee that some people are too stupid to be allowed to breed or own a computer, that does not not mean that they should be forcibly castrated or neutered, nor shoukd they should MS force them to install softwar
      • I won't install WGA either. I have a legit copy of Windows, but I'm running a pirate copy because of their stupid protection scheme--five hardware changes and you have to re-register. A lot of people I know won't install a legit copy of Windows for the same reason. I can do five hardware changes in five minutes if I'm testing hardware. I'll be damned if I'm going to contact Microsoft at 2:00 in the morning to ask them for permission to use MY computer--that's just stupid. Fortunately I'm heavily firewalled,
        • See, Activiation is a non-issue for Corporate Customers. They have Volume Licenses, with corresponding VLP Keys.

          Same goes for WGA. WGA Updates aren't even synced with WSUS (small-to-medium Business Patch Deployment Solution, Free), or SMS (medium-to-big Software Deployment / Patch Managment Solution, Costs money).

          So all this stuff isn't interesting for corporate users, because it doesn't concern them.

    • Re:A Solution... (Score:5, Interesting)

      by tymbow ( 725036 ) on Sunday August 13, 2006 @06:36PM (#15899748)

      Patches are one thing but if people just used a firewall (even the built in one in Windows XP) or even just turned off the Server service (most home users don't need it) most of these worms would not have anywhere to go.

      I'm amazed at the number of PCs that are are still blindly connected to the Internet with no firewall. Crank up NMap and run it over your ISPs dyanmic address range and have a look.

      • There would be no need for a firewall if only Microsoft didn't by default enable services that no one needs. A home user's box doesn't need to export ANY services.

    • Re:A Solution... (Score:2, Insightful)

      by kfg ( 145172 ) *
      As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible.

      Correct me if I'm wrong, but isn't a patch software?

      KFG
    • is that their patches generally involve strengthening not only system security for the user, but system security for use by ms against the user (e.g. DRM)

      prime examples so far - bundling of windows genuine advantage with security patches and xbox 360 forced updates through live.
      • I just thought I'd take a moment out of my busy day to inform you that you don't need to install WGA if you don't want to. You can still continue patching your machine. Why, just the other day I got the latest security updates from Microsoft. WGA isn't being forced on anyone who is savvy enough to know that they don't want it.

    • Re:A Solution... (Score:4, Interesting)

      by the_bard17 ( 626642 ) <theluckyone17@gmail.com> on Sunday August 13, 2006 @06:45PM (#15899774)
      This is a great idea, right until a patch breaks something. I can't remember the exact patch, but back in April MS released a patch that messed with IE's ability to automatically correct a URL's format. Id est, "google.com" doesn't get changed to "http://www.google.com". The patch conflicted with some HP software (Share-To-Web or something like that), and broke the URL correction.

      I had a couple clients (residential, not commercial, mind you) who had me correct the problem. One of these clients had ben prior customer... and I had stressed updating Windows on a regular basis. Let me tell you... that was a fun conversation. "Yes, an update to Windows broke your system. Yes, I do have to charge you for this service. Yes, I realize I told you a few months ago to make sure you updated Windows regularly. No, unfortunately I cannot fix this for free since Microsoft screwed up the patch."

      Danged if you do, darned if you don't...
      • Hmmm, I wonder if that former customer could find a lawyer who could find you responsible for instructing them to blindly install a patch that broke their system. Even if they don't win the suit - you loose, and who knows; they might get a good lawyer and luck out with a judge who finds you responsible for telling them to blindly install patches as soon as they are released. It is MS's fault that the patch wass are screwed up, it was your fault that the your customer installed it.

        • Re:A Solution... (Score:1, Flamebait)

          by real_b0fh ( 557599 )
          if he gets his ass sued into oblivion, that will teach him to not touch that crap even with an 20-inch stick.

          'supporting' windoze, besides making your work life a living hell, does not do anyone any good. Let them windows lusers get screwed to the point they will get sufficiently pissed of at microsoft to do something to rid themselves of that misery.

          as long as there is a nerd-bitch to 'fix your windows box for some bucks', this crap will go on endlessly. I, for one, plainly refuse to do anything on any fam
          • How is this flamebait modded insightful? The moderators defy logic sometimes...

            If you can answer how using Windows makes my work difficult or establish any criterion for what "good" for me is, then maybe it might be insightful. Could you explain who "he" is? Not to be pedantic or anything. I'm only asking because your attitude pisses me off.
            • 'he' is the guy (or gal) above who instructed a client to 'always keep windows updated, always apply the paches ASAP' (which is good), but one of the patches from redmond that the client applied broke some critical application of said client (heh, newsflash...), and 'he' had to charge the client for the support to fix it, because it was MSFT's fault, not his, yada, yada. Given that, the parent post to my mild flame said that the client had grounds to sue 'him'. Then, my 'flamebait' post.

              My attitude may piss
        • If that were the case, I suspect the consultant could then successfully sue Microsoft. Before someone mentions it, I know Microsoft's EULA says they're not responsible for damages to their system, but I'd like to point out that it's likely the consultant has some sort of escape clause in his contract as well. (In other words, if you proposed that the company sue the consultant, ignoring that escape clause, then why not also ignore the Microsoft EULA escape clause?)

          However I doubt the company would sue the

          • Re:A Solution... (Score:3, Insightful)

            by Secrity ( 742221 )
            MS has deeper pockets and can afford more expensive layers and iron clad EULAs. A consultant is less likely to be able to afford an expensive lawer and is also more likely to have a contract that a can be shredded by a competent lawyer. A jury is likely to be more sympathetic to a user suing a computer consultant than a computer consultant suing MS.

        • Re:A Solution... (Score:4, Insightful)

          by the_bard17 ( 626642 ) <theluckyone17@gmail.com> on Monday August 14, 2006 @12:26AM (#15900798)
          So let's play the other side: I tell the client not to install any patch without explicitly finding out what the patch corrects and ensuring that it will not damage his computer (with regards to software, not that many of my clients would be able to tell the difference). Most of my clients do not have the patience nor the time to research each patch. Of those that do, most would not be able to understand exactly what the patch does. Following that, most of my clients will not install the patches.

          So when the next Blaster/Welchia-like worm hits, they haven't downloaded the patch 'cause they listened to me... and then I get to go back out and clean the virus off their system, and explain how they got the virus (worm, really, but I usually get that glazed-eye look when I explain the difference), and what they could've done to prevent it. Then I get to charge them, and explain why I'm charging them. See a pattern here?

          End result: the client (end-user) is the one left hanging. If he blindly patches, he runs into problems. He blindly ignores the patches, he runs into problems. If we could only raise his level of computer literacy, he might actually have a chance to understand what the patch does, what might interfere with it, and possibly even solve the problem on his own if it occurs.

          Seeing as that's very unlikely to occur, the system breaks down. Something's gotta give. Something's gotta change. Until it does, the end-user gets left hanging.

          • Re:A Solution... (Score:3, Informative)

            by Secrity ( 742221 )
            This all goes back to the two main problem with computer security: 1.) People who are barely technically proficient to safely operate a toaster are operating computers that require a considerable amount of technical knowlege to safely operate. 2.) The vendor that provides the vast majority of the OS and office suite patches has a less than stellar track record at producing bug-free patches (the patch process has also has been known to introduce what some people consider to be malware masquerading as criti

            • These computer end-users are the same people that have to be told:
              Do not operate toaster outdoors in a wet location.
              Do not insert fork or other metal object into toaster slots.
              Do not operate toaster while any part is under water.

              • Most users don't even know that there is a major difference between a toaster and a computer. Personal computer users in general either need to be educated or the computers that they use need to be made as safe as a toaster. Electricity is still a mystery to many people. I had a person attempt to give me serious grief because I had put a plastic fork along with my food into a microwave oven -- she pointed to a "NO SILVERWARE IN MICROWAVE" sign. She had no idea that there was a difference between putting
    • >>Find a way to make the average user patch software.

      Preachin' to the choir there. We just started getting a new crop of students in our graduate college(so these are mostly people who spent at least the last 4 years as undergrads) and so far about 2 of the students were still on XP SP1 and the rest had about 3 reboots worth of updates to pull down on average. That's why we have classes where all we do is walk them through how to update Windows, anti-virus, and anti-spyware software. The number of

    • Find a way to make the average user patch software. As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible.

      It's very easy with Debian's stable distribution:

      1. point to security.debian.org
      2. apt-get update
      3. apt-get upgrade

      That's it, all done and it never breaks anything.

      If it were that easy to upgrade commercial software, users would do it but it's not. Commercial software lacks both the resources to fix things and the ability to co o

      • It's very easy with Debian's stable distribution:

        It's even easier with Windows - it's called Automatic Update (SP1 or later) and it does it all itself and the only part you have to worry about is when it asks you to reboot, and you click Restart Now. Alternatively, you can follow these steps:

        1. Go to Start->All Programs->Microsoft Update.
        2. Click the button labelled Express (if you're not the Joe Average sort and you want more options, you can click Custom).
        3. If there are new updates, I think you click Inst
        • Can you provide proof that they actually sabotage [reference.com] (as in deliberately subvert) other software?

          No, it takes a court of law to prove something like that. All I can do is point you to the DRDos and Netscape trails, where your government used M$ internal emails to prove sabotage and other nasty behavior. You will have trouble finding the DRDOS case because M$ and SCO had it shredded.

          • No 'twitter', the OP is asking you to provide proof of your claims. Even a link with some "OMFG my app is being sabotaged by Microsoft" proof would help. Please provide specific examples of your claim. Otherwise all you have is a bunch of "M$ Windoze is teh suxx" bullshit that everyone with half a brain has problems taking seriously.

            Oh, and the OP took his time to reply to your post point by point - it would be nice for your credibility if instead of just doing some selective quoting you could reply with

      • Re:make them use free software. (Score:4, Insightful)

        by Firehed ( 942385 ) on Sunday August 13, 2006 @10:39PM (#15900480) Homepage
        Any updating system that requires users to type in commands, especially any commands not written in plain English ("Patch my computer.[return]"), will fail miserably among the mainstream users. Let's face facts here - Windows Update is *easier* than that. Safer? No. Forces EULA changes? Yep. But it's automatic and requires absolutely NO thinking on the part of the end-user. An update system that requires the user to do pretty much anything besides clicking 'OK' at the automatic installation prompt isn't going to work.

        We need a best of both worlds solution here. Windows Update is an excellent concept. But the execution sucks for the reasons you specified - EULA changes, WGA, poor/untested/damaging patches. It needs work. But in the long run, it'll be a lot more successful and helpful than any apt-get command, or anything else that's not entirely automatic beyond authorizing changes.
    • Patch, wow that's easy enough, I wish I would have known. But first, if you could please talk to my third party vendors and make sure my MS patch won't break something else. It's sooo simple to say patch, but some 90% of the time that single patch breaks third party software. Normally costing me hours of play before I can get everything back up. What's worse? When a patch says you must shutdown a service for a specified period of time...(BES server wanted the service down for 20 minutes. Nobody could send o
    • A good way to check your computer or your Windows machines on your local network for basic security problems and patches is with the MS Baseline Security Analyzer. The download [microsoft.com] is free.
    • > Automatic Updates in XP is a great step forward, but it's still opt-in.

      If it's anything like it's on 2k, it's like having a funnel right through your mouth straight through to your stomach shoving stuff down and calling that opting-in to eat dinner.

  • It's interesting to note that the Microsoft Security Bulletin [microsoft.com] does not disclose the component of the "Server Service" that is subject to the vulnerability. In particular, one cannot simply disable the relevant service. Actually, I don't even know whether their software is built to make such things possible. The reason I'm suspicious is because they recommend blocking certaing ports with a firewall rather than disabling the relevant component.

    I'm completely unfamiliar with MS server software, but there

    • Re:Compartmentalization and openness (Score:1, Informative)

      by Anonymous Coward
      What are you talking about? The "Server" service is the component (handles file, printer, named pipe sharing, etc), and is very easily stopped or disabled.

    • Re:Compartmentalization and openness (Score:2, Informative)

      by Anonymous Coward
      It's interesting to note that the Microsoft Security Bulletin [microsoft.com] does not disclose the component of the "Server Service" that is subject to the vulnerability. Yes, actually, the bulletin does. The problem is within Netapi32.

  • Wondering... (Score:5, Interesting)

    by Progman3K ( 515744 ) on Sunday August 13, 2006 @06:40PM (#15899762)
    Does that mean that if someone reverse-engineers the bot command set, maybe we can send them all a command to shutdown the service?

    • Re:Wondering... (Score:5, Informative)

      by httptech ( 5553 ) on Sunday August 13, 2006 @07:03PM (#15899818) Homepage
      Yes, actually there is a remove command built in to Mocbot. However, you have to issue the command from the proper user@host mask; something you can't do unless you have admin access to the IRC server.

      An alternative is to use DNS to redirect the bots to a blackhole IRC server where the remove command can be executed. Of course, this only works if you have control over the DNS (e.g. an ISP redirecting their own users). Getting someone responsible for the authoritative DNS server is not likely to happen given the Chinese origin.
  • I know that the patching after you're infected may not do you much good, except to prevent reinfection after you clean your system, but why don't viruses and worms start doing things like pretending to be a firewall and blocking sites like microsoft.com, or monitor what you search for and prevent you from searching for its own name?

  • As I understand it... (Score:3, Interesting)

    by JetScootr ( 319545 ) on Sunday August 13, 2006 @08:02PM (#15900003) Journal
    MS06-040 is a vulnerability that allows an attacker to take over a PC whose only crime is running Windows while connected to the internet. No user action required.
    It looks like the blog on technet calls the current attack "extremely small" and "extremely targeted" - to only those PCs running W2K, which as I understand it, is millions of bidniz PCs.
    This is like calling 911 and having the dispatcher say "It can't be a very bad fire if it's only in the kitchen! Call us back when it gets to attic."

    • Re:As I understand it... (Score:4, Informative)

      by gregarican ( 694358 ) on Sunday August 13, 2006 @09:16PM (#15900245) Homepage
      ...a PC whose only crime is running Windows while connected to the internet...

      Actually it's a PC who is running Windows with open Microsoft Networking ports open while connected to the Internet. Big difference. There are many holes over the years that have been exposed with the NT LAN Manager networking stack that have led to these ports being blocked at the firewall as standard practice. Going back to 1997 from what I recall someone could open up an anonymous IPC$ pipe with an NT box and create their own admin account. Things have improved since then, but anyone who has these ports up and listening on the Internet is an idiot. Back in 2000 my company got its first DSL router for Internet acccess. Even that hardware came with an option just called "Microsoft Networking" blocks. Of course patch your boxes. Keep them updated. This would avoid some local host getting something propagated through your LAN/WAN. But as for the Internet aspect, God knows people should have learned. Ports 137, 138, 139, and 445 should be nowhere to be found from the Internet!

    • This is like calling 911 and having the dispatcher say "It can't be a very bad fire if it's only in the kitchen! Call us back when it gets to attic."

      If you're going to use bad analogies, it's closer to, "Your house burned down because you were using 50 year old wiring that wasn't up to code. We inspected your house and even offered to update all of your wiring for free, and you declined. Now your house is on fire, and we can send out a fire truck, but there's really nothing more we can do as it'll be

      • Wish I had mod points. +1 fo shizzle...
      • In my analogy, it's the INDUSTRY calling 911, not an individual. MS, when speaking on the technet blog, is describing the impact of the virus on the internet as a whole. In the analogy, the burning house represents the vulnerable systems on the internet, and the dispatcher (MS) is saying the fire (MS06-040) is unimportant because "only part of the kitchen is burning" == "only some vulnerable systems are being attacked". I do agree that MS products, in general, implement older technologies ("50 year old wir

        • I do agree that MS products, in general, implement older technologies ("50 year old wiring"), and after MS's inspection of their own products, MS decides not to "update the wiring" except when forced by industry or circumstances (like Blaster). And I really don't think MS would ever suggest to the industry to "get out of the house" when "the house" is Windows.

          If you're going to claim I misunderstood your analogy, you should at least try to understand mine. I wasn't saying that Microsoft implements olde

  • I just read the title and wondered if I woke up in the year 3000...
  • Video of a real life worm hole ... http://www.youtube.com/watch?v=c5MGfEVBs1s [youtube.com]
    • You probably already know this but the video shows a missile launch from Vandenberg AFB, CA. Something the folks of SoCal are very familiar with and which can be a bit disconcerting when viewed for the first time as evidenced by the tone of the woman's voice in the video.
  • I thought DS9 and a cluster of self-replicating mines was supposed to protect the MS06-040? Or is this a different worm hole? Are the "Botnet Herders" a Dominion force?

  • In all seriousness, couldn't the world community impose "Internet sanctions" on a country, cutting them off from the Internet at large until they take action against these sorts of people? We already impose trade sanctions for other offenses. Of course, somebody will invariably point out that no one entity owns the Internet, thus such sanctions would be hard to enforce; I don't buy that for a second. You may not be able to completely cut a country off from the Internet, but you could, say, have backbone

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close