
"Witty" Worm Wrecks Computers

timothy posted more than 10 years ago | from the your-ruse-your-clever-trick dept.

Security 587

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually unbootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually discovered the worm on the 8th of March, and came up with a fix the next day.


Stick to hardware routers and firewalls... (4, Insightful)

berniecase (20853) | more than 10 years ago | (#8623915)

Although they ain't perfect, at least they're not running on your computer. Yikes.

Re:Stick to hardware routers and firewalls... (5, Insightful)

U.I.D 754625 (754625) | more than 10 years ago | (#8623964)

Windows software firewalls have a shoddy history anyway. I remember BlackICE exploits from years ago. I don't see anything wrong with Linux's Netfilter or OpenBSD's packet filter. This is code that the security experts use to secure their own machines, and is probably running on hardware firewalls anyway (like Cisco).

Re:Stick to hardware routers and firewalls... (5, Funny)

Frambooz (555784) | more than 10 years ago | (#8623970)

"Although they ain't perfect, at least they're not running on your computer. Yikes."

People would be much better off with hardware versions of Internet Explorer and Outlook (Express) in that respect. Yikes.

Re:Stick to hardware routers and firewalls... (1)

Etcetera (14711) | more than 10 years ago | (#8624022)


People would be much better off with hardware versions of Internet Explorer and Outlook (Express) in that respect. Yikes.

Wouldn't that basically be an embedded system [embeddingwindows.com] , running on non-volatile or read-only memory?

Re:Stick to hardware routers and firewalls... (2, Informative)

slash-tard (689130) | more than 10 years ago | (#8623991)

I agree, except in some colo/hosted environments it's not practical or cost effective to have each customer on its own isolated firewall interface. In this environment a local firewall is better than nothing. Security should be applied in layers.

Re:Stick to hardware routers and firewalls... (3, Insightful)

JPriest (547211) | more than 10 years ago | (#8623997)

They call it security software and have services in listening state? Nobody seems to get it.

Re:Stick to hardware routers and firewalls... (5, Insightful)

hendridm (302246) | more than 10 years ago | (#8624025)

Ehh, customers of BlackICE are probably used to annoying software being installed on their computers anyway. The loss of data is probably on par with the annoyances BlackICE's notifications create for both the user and the poor soul(s) at the call center of his/her choice.

luser: "It says someone might be trying to break into my computer! How can I stop them?"
Me: "Um, it's just a port scan. You probably get scanned hundreds of times a day. It's normal."
luser: "But BlackICE says it might be an attack!"
Me: "Try clearing your Internet Explorer cache and rebooting. Call back if problems persist."

For the love of GOD, please don't install BlackICE or similarly annoying firewalls on your parents' or novice friends' computers! Spend the $30 and get them a hardware solution, or at least use something that is less of a PITA.

Re:Stick to hardware routers and firewalls... (4, Insightful)

Nogami_Saeko (466595) | more than 10 years ago | (#8624093)

Well, blackice should probably default to logging, but not alerting about the most common scans and such, but it's certainly useful for detecting a large number of attacks coming from specific addresses or blocks.

I think it's a pretty good piece of software myself as far as protection for novices goes, but I don't work in ISP tech support, and have no desire to :)

I've used it in combination with a hardware firewall for years. The hardware firewall catches 99% of the crap as far as scans and such, and blackice catches server-attacks such as badly formatted HTTP requests, DNS hacks, FTP exploit attempts, and such.

N.

Re:Stick to hardware routers and firewalls... (3, Insightful)

Zocalo (252965) | more than 10 years ago | (#8624047)

Stick to hardware routers and firewalls

And when the hardware box has a 0-day exploit and a worm gets loose before the patch, what then? All of your boxes are potentially vulnerable instead, that's what. Trusting your security to a single product, hardware or software, is a disaster waiting to happen, and for some of ISS's customers it's probably happening right now.

Pretty much all SOHO routers have a firewall capability these days, and there are free "personal" firewall systems for all major OSs. If you are connected to the net and have a clue about security, you'll be using both and monitoring both white and blackhat security sites daily. That all patches are applied as soon as prudent goes without saying of course...

Re:Stick to hardware routers and firewalls... (2, Insightful)

berniecase (20853) | more than 10 years ago | (#8624103)

And when the hardware box has a 0-day exploit and a worm gets loose before the patch, what then?

I'd rather my hardware firewall be exploited and/or DoS'd because it doesn't have GB upon GB of data on it that could potentially be lost. And yes, I back up my data. A lot of users don't, though.

First Post! (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8623916)

Dammit, lucky I run LuNicKs!

Bear! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8623917)

Jennifer, I am in love with you.

One question (4, Funny)

slash-tard (689130) | more than 10 years ago | (#8623919)

How can we blame M$ for this?

Re:One question (1)

FireBird615 (524539) | more than 10 years ago | (#8623941)

Don't think we can, since it's only affecting (or appears to be - I'm sure it'll mutate soon) users of certain software - that's not made by M$..

Re:One question (0)

Anonymous Coward | more than 10 years ago | (#8624006)

It's easy to blame M$ because they designed the breeding grounds for worms. The worms are merely thriving in their natural habitat: Microsoft Windows.

Re:One question (2, Interesting)

CodeMaster (28069) | more than 10 years ago | (#8624014)

How about: by generating the need to create a patchwork of protections on your OS...

For crying out loud - it's supposed to _protect_ your computer - not be a target for an attack... And an ISS product of all... yikes.

I think I'm going to stick to my debian / iptables. Never had a problem (3 years same install and still counting), and it does not thrash my HD ;-)

One answer: (0, Insightful)

Anonymous Coward | more than 10 years ago | (#8624075)

The Witty worm only infects specific builds of PAM listed below, and can only infect Win32 systems [iss.net] .

You could say this was Microsoft's fault for making a crappy, userless don't-manage-memory-well kernel, for having inadequate file systems that lack permission bits, and the list goes on and on. Why else did the poor suckers have to BUY a third party firewall? Because Microsoft is a toy OS that has no place on the internet, that's why. There are many other good reasons this is Microsoft's fault, I'll leave them to others. That would be funny if it were not true.

Liability? (0)

Anonymous Coward | more than 10 years ago | (#8623931)

Ouch. Is the company liable for the backdoor used?

Re:Liability? (5, Interesting)

wo1verin3 (473094) | more than 10 years ago | (#8623954)

I was just thinking about this, can the company be held liable for their software allowing others to basically destroy all data on the computer?

Then I got to thinking, what about Microsoft, whose OSes and products have cost millions and millions of dollars.... while some of them require user interaction, others have effectively shut down the internet for wide areas for short periods of time.. remember the SQL one? :)

Re:Liability? (1)

Dan East (318230) | more than 10 years ago | (#8624065)

I would say not, especially in this case. According to Internet Security Software:

certain ISS products were targeted with a malicious worm based on a known vulnerability. All ISS products have had protection in place prior to the vulnerability being publicly disclosed and prior to a worm being developed in the wild.

So in other words, the ones that are being hit by this worm didn't patch their software. Of course this still reflects very poorly on ISS for a number of reasons, which would almost certainly hurt their sales.

Dan East

Read the User agreement Re:Liability? (2, Informative)

Bruha (412869) | more than 10 years ago | (#8624097)

Most if not all user agreements for any software, anti-virus, Windows and its related software usually contain:

In no way can you hold us responsible for loss of data, damage to your system bla bla bla.. basically use at your own risk.

where are all the virus's that do real damage? (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8623932)

Glad to see viruses doing some real damage now, I'm tired of these stupid viruses that just send out emails.. how weak. If we had more viruses that would wipe out entire systems then there would be some more pressure on software companies to fix things.

Re:where are all the virus's that do real damage? (4, Insightful)

aenea (34844) | more than 10 years ago | (#8624007)

And more pressure on users to keep their systems patched up. It's a rare virus/worm that comes in through an unknown exploit.

If someone wrote a destructive netsky/bagle variant the email traffic on the Internet would probably drop in half overnight as infected machines got taken out.

Re:where are all the virus's that do real damage? (1)

draziw (7737) | more than 10 years ago | (#8624079)

Yup - and if that happened people would have no choice but to patch. Now a bunch of non computer people with computers have no idea they are screwing everyone else..

--
+1 for low user ID and love for SCO

Re:where are all the virus's that do real damage? (4, Interesting)

JPriest (547211) | more than 10 years ago | (#8624063)

Why is this modded troll, it is a good point. If they wipe the disk clean they force the USER to police their own system, rather than forcing admins to try and police the mess of traffic caused by users that don't give a shit.

Users are not going to remove all the worms from their PCs, maybe it is a good thing to have a worm that cleans the PC for them every 6 months or so.

Re:where are all the virus's that do real damage? (0)

Anonymous Coward | more than 10 years ago | (#8624119)

Many people have been on the same Windows install for 3 or 4 years and the machines are infested with viruses, worms, and spyware. Starting from scratch might be good for them and the people they share the internet with.

FP (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8623933)

FP by GNAA!!!

Nasty flaw (5, Insightful)

BlueLightning (442320) | more than 10 years ago | (#8623937)

It's a shame when the very piece of software you set up to protect your system turns out to be your system's destruction :(

Back in my day... (5, Interesting)

Anonymous Coward | more than 10 years ago | (#8623944)


Worms and Viruses caused DATA LOSS!

It's nice to see a worm that actually damages your disk once again. Perhaps people will begin to see them as more than a nuisance.

Thats what you get (3, Insightful)

MajorDick (735308) | more than 10 years ago | (#8623946)

I mean seriously, whoever thought it was a good idea to run a firewall on the actual computer connected to the net? I mean you can buy an appliance router/firewall that is GOOD for what, 29 bucks? That's what I just paid for my Netgear wireless router. I have never understood why you would want to run the firewall on the actual connected system. Guess they can't say it's better than running nothing anymore.

Re:Thats what you get (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8623974)

I mean seriously, whoever thought it was a good idea to run a firewall on the actual computer connected to the net? I mean you can buy an appliance router/firewall that is GOOD for what, 29 bucks? That's what I just paid for my Netgear wireless router.

Three words: application access privileges.

Re:Thats what you get (2, Insightful)

jhoger (519683) | more than 10 years ago | (#8624098)

Well the disconnect is that most people think of firewalls as what protects them from the Internet. You are more interested in protecting your network from your users. That is a worthy goal.

You should still have a separate box to run the firewall on the edge of the network. But if you have stupid users or strict policies for use, you could run local software firewalls.

They are independent issues...

Re:Thats what you get (1)

Stinking Pig (45860) | more than 10 years ago | (#8624113)

Reasons:

a) you know what you're doing and want a lot of control. Of course, since you're running *nix of some sort, it's fairly safe.

b) You don't want a lot of boxes on your desktop.

c) It's just another thing to buy, and my nephew got me this software thing for free.

Oh no (-1, Redundant)

KingDaveRa (620784) | more than 10 years ago | (#8623951)

This is bad
This represents the first major internet worm which actually does cause REAL damage. Blaster disabled a system, but it was fixable. This one can make a total mess. I get the feeling we're going to see more of these. Buckle up people.
Or buy a Mac.

Re:Oh no (4, Informative)

delta407 (518868) | more than 10 years ago | (#8624044)

Blaster disabled a system, but it was fixable. This one can make a total mess.
Oh, whatever.

Several months ago, Microsoft CHKDSK effectively destroyed one of my NTFS partitions -- it managed to screw up $MFT (which points to the location of the Master File Table) and the copy of $MFT within $MFTMirr (which is supposed to be used if $MFT is broken). Anyway, long story short, I spent a couple weeks staring at hex dumps and printouts of the Linux-NTFS project's NTFS documentation [sourceforge.net] . After consuming inordinate amounts of caffeine, I came up with SalvageNTFS, an open-source NTFS data recovery tool [salvagentfs.com] that got back all the data I wanted. Assuming the physical media is intact (as in, all read requests to the disk are successful), SalvageNTFS can retrieve data if there is even a single record of the MFT intact.

If the first few sectors of the disk are overwritten, you'll lose the MBR, the partition table, and maybe the boot sector of your first partition. However, the filesystem of that partition is likely to be largely or completely intact. Think: in a few weeks with no prior knowledge of NTFS internals, I created a tool that can continue to operate in this environment. I'd hardly call that a "total mess".

Come on.... (4, Funny)

karlm (158591) | more than 10 years ago | (#8623952)

Do you really expect us to believe more than ten people worldwide run Windows on their firewalls? ;-)

Say it With Me Now, Folks... (0, Funny)

shadowcabbit (466253) | more than 10 years ago | (#8623959)

FUCK!

I just now (10 min ago) plugged my laptop into my brand new DSL modem... Now I have to install the antivirus program before rebooting... Shit shit shit...

I propose we introduce the death penalty on the sick motherfucker who wrote this fucking piece of shit virus. FUCK!

(And no, I haven't watched any Tarantino films lately)

Re:Say it With Me Now, Folks... (1, Funny)

Anonymous Coward | more than 10 years ago | (#8623994)

Homer: Kids, would you step outside for a second?
[the kids run out]
[standing up] F --
[a church organ plays a chord; birds fly away; everything stops]
Ned: Dear Lord! That's the loudest profanity I've ever heard.

Re:Say it With Me Now, Folks... (1)

JPriest (547211) | more than 10 years ago | (#8624028)

Actually the answer here would be to REMOVE norton before rebooting.

Re:Say it With Me Now, Folks... (0)

Anonymous Coward | more than 10 years ago | (#8624032)

Stay right where you are.

You have committed multiple violations of the FCC perversion code.

A white van with antenna will be along shortly to re-program your speech patterns.

Re:Say it With Me Now, Folks... (1)

CodeMaster (28069) | more than 10 years ago | (#8624042)

Or maybe to the developers who created such a piece of shit of an OS that you can't even connect to the internet without a day's worth of patching and protecting.

(or use the quick n' dirty protection - put a condom on your RJ45 ethernet plug before ya' stick it in ;-)

ok (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8623965)

I can see the fun in doing stuff like attacking Microsoft or so etc, you're using people's computers against a big target, though this isn't right, of course.

but to actually destroy the computer is outright mean, what's the point in that? it's like graffiting a train and blowing up a train, people get hurt.

OK that was a terrible analogy but you get the idea. THIS IS WRONG.

Imprecise! (1, Flamebait)

Knights who say 'INT (708612) | more than 10 years ago | (#8623966)

"All computers", you sure?

Don'tcha mean "Windows computers"?

Me and my Quantian box are browsing safely and recklessly.

On a less triumphant note, I'll eventually get called to fix Windows machines that suffer from that worm. How can you recover someone's data from an unbootable HD?

Re:Imprecise! (1, Informative)

Anonymous Coward | more than 10 years ago | (#8623988)

Presumably by sticking it into a machine that has a different boot disk. Or using a boot CD.

"all computers" (1)

cgenman (325138) | more than 10 years ago | (#8624020)

"All computers", you sure?

Well, any computer running BlackICE under Linux is screwed too, though for different reasons.

Re:Imprecise! (2, Insightful)

djupedal (584558) | more than 10 years ago | (#8624026)

How can you recover someone's data from an unbootable HD?

Bolt it into a G4 Mac tower and pull files to your heart's delight.

Re:Imprecise! (2, Informative)

orkysoft (93727) | more than 10 years ago | (#8624037)

If it destroys just the first sector, and the disk had just one big partition, you can use fdisk to fix the mess.

If it had more partitions, use gpart to find the partitions. It's not perfect, so watch what you're doing.

If it destroys more than just the first sector, it'll (on FAT filesystems) destroy the partition boot sector, the directory, and the FATs. Which means you have to recover the data from backups.
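The recovery that orkysoft describes gpart doing, and that delta407's NTFS post relies on (the filesystem behind a lost partition table is usually intact), as an added example that is not code from the thread, from gpart or from SalvageNTFS: scan a disk image sector by sector for FAT32 and NTFS boot sectors and rebuild a partition table from what is found. Every disk byte below is constructed in memory, the partition type codes 0x0C and 0x07 are assumed for the rebuilt entries, and nothing touches a real device.

```python
"""Find partitions behind a wiped MBR by scanning for filesystem boot sectors.

Added example (not from the thread, gpart or SalvageNTFS). All disk contents
are constructed in memory; partition types 0x0C (FAT32 LBA) and 0x07 (NTFS)
are assumed for the rebuilt table.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"      # shared by the MBR and by FAT/NTFS boot sectors
PART_TABLE = 446            # offset of the four 16-byte MBR partition entries
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, size


def make_fat32_boot_sector(total_sectors):
    """Constructed FAT32 boot sector carrying only the fields the scanner reads."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"                       # x86 jump over the BPB
    bs[3:11] = b"MSWIN4.1"                          # OEM name
    struct.pack_into("<H", bs, 11, SECTOR)          # bytes per sector
    struct.pack_into("<I", bs, 32, total_sectors)   # 32-bit total sector count
    bs[82:90] = b"FAT32   "                         # filesystem type string
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def make_ntfs_boot_sector(total_sectors):
    """Constructed NTFS boot sector; NTFS stores the count minus the backup boot sector."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "                          # NTFS OEM ID
    struct.pack_into("<H", bs, 11, SECTOR)
    struct.pack_into("<Q", bs, 40, total_sectors - 1)
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def make_mbr(entries):
    """Build an MBR from (type, lba_start, sectors) tuples; CHS fields are filled with 0xFF."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, size) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE + 16 * i,
                         0x80 if i == 0 else 0x00, b"\xFF" * 3, ptype, b"\xFF" * 3, lba, size)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(sector):
    """Return the populated partition entries, or None when the MBR signature is gone."""
    if sector[510:512] != BOOT_SIG:
        return None
    entries = []
    for i in range(4):
        _st, _chs0, ptype, _chs1, lba, size = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        if ptype and size:
            entries.append((ptype, lba, size))
    return entries


def identify_boot_sector(sector):
    """Return (partition_type, size_in_sectors) for a FAT32 or NTFS boot sector, else None."""
    if len(sector) < SECTOR or sector[510:512] != BOOT_SIG:
        return None
    if struct.unpack_from("<H", sector, 11)[0] != SECTOR:   # sanity: bytes per sector
        return None
    if sector[3:11] == b"NTFS    ":
        return 0x07, struct.unpack_from("<Q", sector, 40)[0] + 1
    if sector[82:90] == b"FAT32   ":
        return 0x0C, struct.unpack_from("<I", sector, 32)[0]
    return None


def scan_for_partitions(image):
    """Walk the image from sector 1; skip over each partition once its boot sector is found."""
    found, lba, total = [], 1, len(image) // SECTOR
    while lba < total:
        hit = identify_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
        if hit:
            found.append((hit[0], lba, hit[1]))
            lba += hit[1]           # a partition's boot sector sits at its first sector
        else:
            lba += 1
    return found


def rebuild_mbr(image):
    """A replacement first sector for an image whose original MBR was overwritten."""
    return make_mbr(scan_for_partitions(image))


def build_demo_image():
    """Constructed ~2 MiB image: MBR, 62-sector gap, a FAT32 partition, then an NTFS one."""
    fat_start, fat_size = 63, 2048
    ntfs_start, ntfs_size = fat_start + fat_size, 2048
    img = bytearray((ntfs_start + ntfs_size) * SECTOR)
    img[0:SECTOR] = make_mbr([(0x0C, fat_start, fat_size), (0x07, ntfs_start, ntfs_size)])
    img[fat_start * SECTOR:(fat_start + 1) * SECTOR] = make_fat32_boot_sector(fat_size)
    img[ntfs_start * SECTOR:(ntfs_start + 1) * SECTOR] = make_ntfs_boot_sector(ntfs_size)
    return bytes(img)


def wipe_first_sectors(image, n=1):
    """Simulate the worm: overwrite the first n sectors with junk that carries no 55 AA."""
    return b"\xDE\xAD" * (n * SECTOR // 2) + image[n * SECTOR:]
```

The scanner trusts only three things about a candidate sector: the 55 AA signature, a bytes-per-sector field of 512, and a recognisable OEM or filesystem type string; on a real disk you would also sanity-check that the recovered sizes do not overlap or run past the end of the device before writing the rebuilt table back, and you would write it to a copy of the image, never the original.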

Re:Imprecise! (1)

Anonymous Coward | more than 10 years ago | (#8624039)

"How can you recover someone's data from an unbootable HD?"

what a luser

Re:Imprecise! (2, Funny)

Stinking Pig (45860) | more than 10 years ago | (#8624060)

I'm sorry that you read so poorly. Here, let me help by quoting the relevant sentence for you:

"all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure,"

Google tells me Quantian is Knoppix/Debian.

http://www.iss.net/products_services/blackice.php

While there are RealSecure sensor nodes for Linux, the desktop software being referred to here is also a Windows product.

In other words, BZZZT! Thanks for playing the troll today.

Re:Imprecise! (1)

secolactico (519805) | more than 10 years ago | (#8624100)

How can you recover someone's data from an unbootable HD?

I dunno what gets erased, but, can't it be fixed with a boot floppy and "fdisk /mbr"?

Or if NTFS, you can try to boot with Win2k or WinXP in recovery console and FIXBOOT/FIXMBR.

What's the problem (1)

tgraupmann (679996) | more than 10 years ago | (#8623968)

So who is responsible? Is it the MSFT developers for making the exploit, or is it the hard drive manufacturers for making those sectors readable?

Re:What's the problem (2, Insightful)

kormoc (122955) | more than 10 years ago | (#8624016)

The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually ubootable and potentially destroying much - if not all - of the victim's data.

Well, from this, it just overwrites the boot sector, so just booting off of a floppy and running fdisk /mbr would fix it, as well as just booting and reinstalling Windows. No data is destroyed permanently, no major problems this time...

Is it the MSFT developers for making the exploit, or is it the hard drive manufacturers for making those sectors readable?

If they aren't readable, well, what good are they?

Ooh, I bet you meant writable. Well, if they weren't writable, then you couldn't boot anything that the hard drive didn't intend you to. That's not a good idea in my opinion.

Now that's powerful (4, Funny)

CGP314 (672613) | more than 10 years ago | (#8623969)

Most infected computers will have to be rebuilt from scratch unless their owners instead decide to buy new ones

I didn't know worms were so powerful now that they could melt a computer into a pile of toxic sludge. : /


-Colin [colingregorypalmer.net]

Worst of the worst (0)

Anonymous Coward | more than 10 years ago | (#8623978)

OS bugs are bad enough, but this flaw is totally confined to the very code that was purposely added to protect you. I had a few customers on this product, but got all of them behind cheapo linksys routers long ago. Someone is surely going to get sued over this.

This is crazy (0, Redundant)

Stevyn (691306) | more than 10 years ago | (#8623979)

Seriously, I was working on removing Blaster from my friend's computer less than an hour ago.

I don't get this shit on my computer because I use a firewall and PC-Cillin updates daily. It's a shame because as linux becomes popular, viruses will exist for it too. True, they may not exploit holes known publicly for months, but they'll still exist.

not crazy (0)

Anonymous Coward | more than 10 years ago | (#8624117)

It's a shame because as linux becomes popular, viruses will exist for it too. True, they may not exploit holes known publicly for months, but they'll still exist.

Bill Gates will pay you good money if you can write such a thing. Gooooooood Luck. Ha.

This is a perfect time to promote the expression (5, Funny)

Eudial (590661) | more than 10 years ago | (#8623980)

"FGTRGDI" (Feels good to run GNU/Linux, doesn't it?)

More cryptic acronyms to the people!

Re:This is a perfect time to promote the expressio (1)

VargrX (104404) | more than 10 years ago | (#8624054)

More cryptic acronyms to the people!

well, you did ask....:

'FRTBRaBDI'
=Feels Righteous to be running a BSD, Doesn't it=

'FRGTBUABMSDI'
=Feels real good to be using anything but MS, doesn't it= (ok, this one's a bit much, I think...)

'IARGFTNHTWAVAWSMIT'
=It's a real good feeling to not have to worry about viruses and worms so much, Isn't it?=

'NIKWIUU!'
=Now I know why I use Unix!=

'W!IHTIUAM!'
=Wow! I'm happy that I use a MAC!=

--- ok, that's enough, need more beer.

have fun!

Re:This is a perfect time to promote the expressio (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8624067)

"FGTRGDI" (Fucken Great Twat Randa Get Dick Inya)

More Perversity to the people!

Re:This is a perfect time to promote the expressio (0)

Anonymous Coward | more than 10 years ago | (#8624087)

Elitist Mac-Using Fuck, And Proud Of It...
Did I Mention I Never Get Windows Viruses

EMUFAPOIDIMINGWV

It's the catch phrase that's sweeping the nation! Okay, okay, that's "You're Fired" but this one is gonna be hot next year!

Ughhhhh (-1, Offtopic)

Otter (3800) | more than 10 years ago | (#8623982)

Meanwhile, I just checked a POP account for the first time in maybe 48 hours. Over 3200 mails, of which maybe 6 are going to be meaningful. The rest is a mix of worms, spam and bounces from worms and the scumbags forging my domain in their spam.

Yeah, POPFile catches 99% of it and since I've stopped job hunting, I'll just delete everything it catches (screw my friends if it gets their mail by mistake) but that's 3000 mails to get over dialup before I can read my mail. As I keep saying here, something will get done to fix this mess because it absolutely has to. There's no way MS and AOL are going to let this get even worse.

(Meanwhile, in the 30 seconds I spend typing this, I miss the end of both the Stanford-Alabama and Syracuse-Maryland games! WTF? It's been a rough week for Stanford, between the worm that checks available bandwidth by saturating stanford.edu and now this. Woah, I even stayed on topic!)

Avoiding Viruses and Trojans (4, Funny)

RGautier (749908) | more than 10 years ago | (#8623985)

Now that you've got yourself a computer system at home, you'll want to protect it from the evils of the Internet. Because Operating Systems are chock full of holes just waiting to be exploited, you should, at a minimum, take the following steps... Step 1. Go out and buy a firewall product for your machine. Also pick up some virus protection software. Step 2. Ok, now install the firewall software... Oh......Damn It!

More Steps! (0)

Anonymous Coward | more than 10 years ago | (#8624076)

you forgot Step 1.5 "buy another Firewall/AV product" and Step 1.75 "Follow 'Scotty's guide to backup systems' "

two striking things... (4, Interesting)

psycho_tinman (313601) | more than 10 years ago | (#8623987)

First, the speed at which the exploit was translated from advisory to a malicious worm.. Second, this is one of the few old-school "do as much damage as you can" worms. At least it makes a change from the monotony of the mass mailing attachment exploit variety of viruses..Not a welcome change for the people who got hit by it of course :(

By the way, in case you get prompted for registration and your principles don't allow you to give out your email address, use Bugme Not [bugmenot.com] to find a login. Click here [bugmenot.com]

how do you lose the data? (4, Interesting)

Sivaram_Velauthapill (693619) | more than 10 years ago | (#8623989)

How would overwriting the first few sectors result in loss of all data? Wouldn't that just overwrite the boot sector only? Can't you still retrieve your data?

Sivaram Velauthapillai

Re:how do you lose the data? (0)

Anonymous Coward | more than 10 years ago | (#8624030)

It writes 72 bytes (iirc) to random sectors.

Re:how do you lose the data? (4, Informative)

Stinking Pig (45860) | more than 10 years ago | (#8624089)

If it's a FAT16 or FAT32 partition, the primary FAT table will be wiped. While there is a second copy at the end of the partition, finding and restoring it will not be trivial.

Very sad. (4, Insightful)

lazy_arabica (750133) | more than 10 years ago | (#8623990)

Now, every windows user aware of this will believe a firewall is a great danger for his computer.

Oh... After all, what will it change ?

How does this thing spread? (2, Interesting)

cmacb (547347) | more than 10 years ago | (#8624000)

If the only thing this does is wipe out the hard drive, how does it spread to other systems? Is there a dormant version of this, or does it postpone doing the damage for a certain number of hours? The articles didn't explain.

Re:How does this thing spread? (1)

voxel (70407) | more than 10 years ago | (#8624034)

It only wipes the hard disk out if you have a specific firewall software package installed. So, this means the whole world helps spread it, and those with the firewall software get to stop booting their computer...

Infection (1, Offtopic)

CGP314 (672613) | more than 10 years ago | (#8624003)

"With all these hard drive problems, the infection rates are going to shrink pretty quickly as all these affected machines grind themselves to a halt," Stewart said.

Well thanks Stewart. I'm glad to know I won't have to worry about the infection rate of AIDS once most people have AIDS.


-Colin [colingregorypalmer.net]

This is an interesting one, almost biological (5, Informative)

myowntrueself (607117) | more than 10 years ago | (#8624015)

From LURHQ [lurhq.com]

"This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."

Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.

It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. It's like a true disease, a terminal illness for computers (pun not intended).

I think this will be with us for a while, particularly when mutations start showing up.

Worthless govt agency (5, Interesting)

EvilStein (414640) | more than 10 years ago | (#8624027)

It's a weekend, why should they care about putting out their timely alerts, eh?

"Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment."

Start time of the infection (0)

Anonymous Coward | more than 10 years ago | (#8624046)

This infection started as early as 9:00pm central time.

How... (1)

}InFuZeD{ (52430) | more than 10 years ago | (#8624050)

Why does Windows allow writing to a part of the hard drive that would permanently corrupt it?

Or are they just blowing the whole story out of proportion when it in fact just erases your boot sector?

This is why I use double firewalls (0)

Anonymous Coward | more than 10 years ago | (#8624056)

IPCop for a router/firewall, then Kerio Personal Firewall on each Windows machine.

Hardware FireWalls (2, Insightful)

Bruha (412869) | more than 10 years ago | (#8624062)

I'd advise anyone who depends on any kind of software firewall to go out and buy some sort of hardware firewall.

I recommend Linksys.

Those who depend on Windows firewalling should beware also.. in fact I'm surprised it wasn't that firewall that was exploited in the first place.

Serves 'em right. (3, Funny)

ljavelin (41345) | more than 10 years ago | (#8624068)

Hey, serves these folks right! I mean who'd be stupid enough to have a Windows machine on the internet without any kind of firewa...

err, never mind.

Snort Detection (3, Interesting)

Leme (303299) | more than 10 years ago | (#8624074)

Installed a snort rule this morning using:

alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)

Found via http://isc.incidents.org/diary.html?date=2004-03-20 [incidents.org] .

After running it for about 10 minutes and seeing 1,000's of matches, I decided it was better to delete the rule since it was logging to a MySQL database for fear of overloading the disk, and go back to bed.
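An added example, not code from the thread, from Snort or from the ISC diary, of what the rule above actually tests: it decodes the rule's |hex| content notation into bytes (which turns out to be the tail of the worm's "(^.^)      insert witty message here      (^.^)" string), then runs the same case-sensitive substring check plus the 4000:5000 source-port predicate over a handful of UDP payloads. The sample packets and their ports are constructed for the demonstration and are not captured traffic.

```python
"""Offline replay of the Witty Snort content match.

Added example (not from the thread, Snort or the ISC diary). The sample
payloads below are constructed, not captured.
"""

RULE_CONTENT = "|29202020202020696e73657274207769747479206d6573736167652068657265|"
RULE_SRC_PORTS = (4000, 5000)   # the "4000:5000" source-port range in the rule


def content_to_bytes(pattern):
    """Decode Snort content syntax: text outside |...| is literal, hex inside it.

    Backslash escapes are not handled; the Witty rule does not use them.
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                        # odd pieces sit between a pair of pipes
            out += bytes.fromhex(part)   # fromhex ignores embedded whitespace
        else:
            out += part.encode("latin-1")
    return bytes(out)


WITTY_SIGNATURE = content_to_bytes(RULE_CONTENT)


def matches_rule(src_port, payload):
    """True when both the port predicate and the case-sensitive content match hold."""
    lo, hi = RULE_SRC_PORTS
    return lo <= src_port <= hi and WITTY_SIGNATURE in payload


# Constructed sample traffic: (label, UDP source port, payload bytes).
WITTY_TEXT = b"(^.^)      insert witty message here      (^.^)"
SAMPLES = [
    ("witty-like", 4000, b"\x90" * 16 + WITTY_TEXT + b"\xCC" * 8),
    ("wrong-port", 80, WITTY_TEXT),                      # same bytes, outside 4000:5000
    ("case-changed", 4000, WITTY_TEXT.upper()),          # no nocase in the rule
    ("dns-query", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                      b"\x07example\x03com\x00\x00\x01\x00\x01"),
]


def scan(samples):
    """Return the labels of the samples the rule would alert on."""
    return [label for label, port, payload in samples if matches_rule(port, payload)]
```

Decoding the content string is worth doing before deploying any such rule: it makes the match text reviewable, and it shows that a variant that changes the banner or upper-cases it would slip past this signature, which is why the poster's "1,000s of matches" says more about the worm's scanning rate than about the rule's precision.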

First Hand Experience (4, Informative)

tuckericj (658475) | more than 10 years ago | (#8624083)

This is indeed a particularly nasty worm. Several other divisions of my company are battling infections. The master boot record on an infected host is almost certainly destroyed by this little dandy and any host which might have been rebooted before an infection is detected is inoperable. Thankfully it is only the relatively recent versions of the software packages that are affected. The divine combination of wisdom and laziness has found this systems administrator blessedly behind the times. The decision to stop upgrading our ISS tools in favor of a push towards OSS now seems all the more prescient. For those in the community who expect big businesses to flop over to OSS immediately, don't hold your breath. Nothing happens overnight because big business is slow, no matter how fast the company's advert department declares them to be. We've been actively switching systems over to Linux and OSS for two years now, but the average depreciation cycle means that it takes a minimum of 5 years to switch over an environment, and that only if you put a stake in the ground. Realistically it takes 7 to 10 years to switch over an IT environment in a company which judges IT investment solely on Cost Benefit Analysis.

Thats why I don't use Windows! (-1, Troll)

haxor.dk (463614) | more than 10 years ago | (#8624090)

I don't see Macs or Linux boxen having "features" like this.

And no, that is most certainly not a troll, it's a statement of fact. If you were thinking of modding me down, you're just pissed that I'm right.

Release information process (1)

KingJoshi (615691) | more than 10 years ago | (#8624096)

eEye Digital Security supposedly found the flaw last Wednesday. Did they publish the information last Wednesday after giving Internet Security Systems plenty of time to fix it? Or did they release it without ample time? If the former, how much more liable would ISS be? If the latter, wouldn't that be irresponsible?

wait, nevermind.. The ISS download site says they released the patch on the 9th. So I guess people had about a week to update the firewall?

My personal theory (3, Funny)

PacoTaco (577292) | more than 10 years ago | (#8624110)

I bet this worm was written by a disgruntled network administrator sick of those "I'm being attacked" emails.