Jump to content
SAU Community

Recommended Posts

  • Replies 52
  • Created
  • Last Reply

Top Posters In This Topic

yeah, my computers been reb00ting for the last few days, do you think it could be this worm?

And YAY! we've got a new RONIN! I see why you had to change that name now. I just checked and "tush" is still available.

  • 2 weeks later...

I don't know how many may know this but this is a bit of an interesting twist to the whole thing...

or maybe I've just been living under a rock for the last week.... haha

New variant of Blaster worm 'fixes' infected systems

Blast.D patches security hole

Story by Paul Roberts

AUGUST 18, 2003 ( IDG NEWS SERVICE ) - Microsoft Corp. Windows users whose systems were infected last week by the W32.Blaster worm might appreciate the attention of a new version of that worm that cleans corrupted systems and then installs a software patch to prevent future infections.

The worm, variously referred to as Worm_MSBLAST.D and Nachi, appeared today and spreads by exploiting the same Windows security hole as the original Blaster worm, according to advisories published by leading antivirus companies.

Antivirus companies disagreed on whether the new worm was a version of the original Blaster or a new worm type. Some, like Trend Micro Inc., consider it a Blaster variant, naming it Worm_MSBLAST.D. Others, declaring the worm a new type, named it W32.Nachi-A.

One thing is certain: Unlike the original Blaster worm, Blaster-D/Nachi is more concerned with fixing systems than exploiting their weaknesses.

After infecting vulnerable Windows 2000 or Window XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft that closes the security hole used by the worm, according to antivirus companies.

The new worm hides behind a different file name from the Blaster worm, Dllhost.exe, which allows it to bypass antivirus software configured to detect and stop Blaster, according to Ian Hameroff, security strategist at Computer Associates International Inc.

While they disagree about the new worm's name, antivirus companies spoke as one in telling users to remove Blaster-D/Nachi.

"Anything that does something without the end user's approval or even knowledge is not good," Hameroff said. "It's like having a seasoned criminal break into your house and then, if he succeeds, install an alarm system."

Blaster-D/Nachi doesn't distinguish between infected and healthy systems, either. Instead, the worm spreads like Blaster by identifying unpatched Windows 2000 and XP systems, then infecting them, according to Hameroff.

Traffic from infected systems can also clog up computer networks and create denial-of-service problems on computer networks if many infected computers attempt to download the Microsoft Windows patch at the same time, according to David Perry, global director of education at Trend Micro Inc., which has North American headquarters in Cupertino, Calif.

However, for patched systems and machines that were not infected by Blaster, Blaster-D/Nachi is programmed to remove itself after a set amount of time passes, Hameroff said. CA is still analyzing the new worm and could not provide details or say how long Nachi will stay on systems before removing itself, he said.

There is no evidence that the worm installs Trojan horse programs or other kinds of snooping "spyware" on infected systems, Perry said.

Islandia, N.Y.-based Computer Associates rated Blaster-D/Nachi a "medium" threat, indicating only a few reports from CA's customers.

However, Trend Micro said the new worm is spreading rapidly in China and South Korea, prompting that company to issue a "red alert" to its customers in Asia, Perry said.

While the worm may ultimately benefit the Internet community by patching some of the loosely managed computer systems that are breeding grounds for viruses, organizations and individuals should not rely on Blaster-D/Nachi to take care of their patching problem, security experts agreed.

Do-gooder worms are no substitute for timely and responsible patching by systems administrators, experts said.

"It's not the same as having the end user apply the appropriate patches as they're going along," Hameroff said. "This [worm] isn't the ointment you apply to rid yourself of your wounds."

Its a nightmare eh Tosh.

On a thur/fri i normally do around 15-18 calls each day. Last thur/fri i did around 40ea day.

I had steam coming out my ears haha. Not only that but some of our Wireless users became infected with it and it chewed through our pipe to the world and made things hell slow I nearly thought I was in a passenger in a Commonwhore for a second or 6.

We got a firewall at work. And I heard about blaster and how it transmitted itself, so I went to block a few ports... Pricks in the U.K. offices had given us the read-only password to it. 7k worth of firewall that did jack shit, compared to my freebie at home that blocked it all... U.K's still not blocking those friggin ports!

/plays world's smallest Violin for Ben

I took 111 in 1 day with that shit......

yeh we had a day when it was slow as, the connect, optus and paradox networks were experiencing shocking packet loss, at one stage paradox got upto 89% packet loss, connect upto 54% and optus in the 50's as well... was ridiculous

Tosh, Ben - Interested to know if 'Blaster traffic' is billable by your organisations ? I'm trying to find out form Telstra.......???

PS - Smoothwall is the shit ! Works great - free - no probs ! :D

Ha ha - yeah yeah !

User's fault or Microsoft's fault ?

ISP's & software providers have an obligations - Internet is a service, Software as a product should work - This Blaster thing is causing such high packet loss on the net - Currently, I am not getting the service I signed up for. - I don't have Blaster cause my firewall stopped it and I patched straight away - But my 'Internet Service' sucks ass ATM - Not my fault, Not My ISP's fault. Who's getting away with it ??

That's the bit that shits me !

Not much I can do about it - but if the whole internet community did - different story.

:D

B-Man its just considered normal data usage as far as we are concerned. Infact it could be a -very- nice month for 'excess' usage (although the old guy with the new ADSL connection whom left KaZaa open and discovered 40gb of -excess- usage afew months back probably takes the cake) :D

I sit and watch the MRTG graphs all day (shows data in/out from all routers etc) and it was literally flat-lined for all of thursday and friday. Then for the last 4 days its been back to normal with spikes now and then as customers connect and we identify them (before disabling their connection entirely).

Probably created an extra oooh 300 Support calls for us in the last 7 days (keeping in mind that we are a small ISP).

Isn't everything Microsofts fault? But then again... where would we be without Microsoft these days? Can't live with them... can't live without them !

It's the same story with all these different virus types out in the last year or 2. We can't live with them but we need them to increase security in software and the internet.

Most servers around the world use Cisco hardware (I wish my parents bought shares in Cisco for me when I was born) and they have sent around instructions on how to minimise the impact of the W32.SoBig virus and W32.Blaster virus by disabling ICMP packets and other various services.

This almost immediately reduced alot of the abnormal usage. The rest now is up to the end user to protect themselves.

You wouldn't believe how many calls I get along the lines of "I left my PC switched off for the last week while this virus is going around. My PC isn't protected but if I switch it back on now I should be protected right?" Errrr No!

Hey,

Imagine this:

You buy a new Ford XR6 Turbo (of course) 2005 model Falcon. (ie. analogy is PC P7 5 Ghz with Windows 2005).

You drive your XR6 around and everything is great. Goes strong, fuel economy is OK - all performing to specification (analogy is you play a few games on the PC for a month - fantastic)

Then one day you fill up with petrol - you might be say, on holidays in central Australia. (Analogy - you subscribe to an ISP for internet access)

At first - the car goes well - same as normal - you travel around Australia a bit more - you fill up at the same Chain of Petrol Station all the time cause they offer you the best deal. ( You download lots of pRon cause it is good and cheap)

All of a sudden - Your car is consumimg petrol at 10 litres per kilometer - and the car is going really bad. (eg Blaster) ( the pRon downloads are costing heaps more than before)

You take your car to the nearest dealer (ring your ISP) 200kms away & it costs you $180 in petrol (Internet charges) (and 6 hours on the phone with Ben or Tosh cause you are a shmuck when it comes to the internet)

Car dealer (ISP/Petrol company) finds that the problem was that the settings for the fuel line were bad thus fuel was being wasted all over the place - common problem - all 2005 XR6's do that - Ford (Microsoft) admitted it (eg Microsoft vulerability that causes Blaster to eat bandwith - Microsoft admitted the vulverability cause they released a patch)

You get the car fixed for free (you download the patch) (BTW it's not really free cause you gotta pay your ISP for the bandwidth)

Then you ask the Ford for the $180 you spent in petrol - (Internet bandwidth)

Will they (Ford/Microsoft) give it to you ???

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now



×
×
  • Create New...