RPC DCOM Worm On The Loose
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
Re:I have already patched my entire network. (Score:5, Insightful)
A complete solution includes patching your systems and deploying IDS systems. Still, this is only part of a complete security solution.
Re:Firewalls *may* not protect you here (Score:2, Insightful)
Honestly though, if you've taken the time to put firewall rules in place on each individual box, why not just patch each one while you're at it?
Egress Filtering (Score:4, Insightful)
While there is no excuse for not updating your systems, some people can't do so because of business policy reasons (non-tested patches against business critical systems).
EVERYONE with a server on the internet should also have Egress filtering in place. 486 machines are cheap. Unix/Linux firewalls are free. On the off chance you do get the M$ IS$ Worm of the week, at least your server can't initiate an outgoing connection to download more code and move on to the next system.
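The story summary gives the worm's three steps (exploit over RPC DCOM on 135/tcp, a shell on 4444/tcp, then a tftp fetch of the worm body), and this comment argues that egress filtering breaks the last step. The following added example, which is not from the thread or the Internet Storm Center, ties the two together as a defender would: it parses a constructed, simplified connection log, tracks each peer through the three steps in order, and then re-runs the detection on the same log with a default-deny egress policy applied, showing that the worm's payload download is blocked while the inbound shell activity is still flagged. The log format, the IP addresses and the egress allow-list are all constructed for the example; only the port numbers come from the page.

```python
import re
from dataclasses import dataclass

# Ports named in the Internet Storm Center description quoted in the story:
# the exploit goes in over RPC/DCOM (135/tcp), the worm opens a shell on
# 4444/tcp, and the infected host fetches the worm body over tftp (69/udp).
RPC_PORT = 135
SHELL_PORT = 4444
TFTP_PORT = 69

# Constructed, simplified firewall/connection log format, one flow per line:
#   <timestamp> <IN|OUT> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<direction>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    direction: str  # IN = towards the monitored host, OUT = initiated by it
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(lines):
    """Parse constructed log lines into Flow records; unparseable lines are skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            g = m.groupdict()
            flows.append(Flow(g["ts"], g["direction"], g["proto"], g["src"],
                              int(g["sport"]), g["dst"], int(g["dport"])))
    return flows


STAGES = {1: "rpc_probe", 2: "shell", 3: "download"}


def find_infection_chains(flows):
    """Track each (attacker, victim) pair through the worm's three steps in order.

    Returns {(attacker, victim): furthest_stage_name} for pairs that reached at
    least the shell stage; a lone 135/tcp hit is too noisy to report on its own.
    """
    stage = {}
    for f in flows:
        if f.direction == "IN" and f.proto == "TCP" and f.dport == RPC_PORT:
            key = (f.src, f.dst)
            stage[key] = max(stage.get(key, 0), 1)
        elif f.direction == "IN" and f.proto == "TCP" and f.dport == SHELL_PORT:
            key = (f.src, f.dst)
            if stage.get(key, 0) >= 1:
                stage[key] = max(stage[key], 2)
        elif f.direction == "OUT" and f.proto == "UDP" and f.dport == TFTP_PORT:
            key = (f.dst, f.src)  # the victim connects back to the attacker
            if stage.get(key, 0) >= 2:
                stage[key] = 3
    return {k: STAGES[v] for k, v in stage.items() if v >= 2}


# Default-deny egress policy for a server: only these (proto, port) pairs may be
# initiated outbound. This allow-list is constructed for the example.
DEFAULT_EGRESS_ALLOW = {("TCP", 80), ("TCP", 443), ("UDP", 53)}


def apply_egress_policy(flows, allowed=DEFAULT_EGRESS_ALLOW):
    """Split flows into (permitted, denied) under the egress policy.

    Inbound flows are not the concern of egress filtering and pass through unchanged.
    """
    permitted, denied = [], []
    for f in flows:
        if f.direction == "OUT" and (f.proto, f.dport) not in allowed:
            denied.append(f)
        else:
            permitted.append(f)
    return permitted, denied


# Constructed sample: 10.0.0.5 completes all three steps against 192.0.2.10,
# 10.0.0.7 only probes port 135, and the last two lines are normal server traffic.
CONSTRUCTED_LOG = """\
2003-08-11T14:02:01 IN TCP 10.0.0.5:1038 -> 192.0.2.10:135
2003-08-11T14:02:02 IN TCP 10.0.0.5:1039 -> 192.0.2.10:4444
2003-08-11T14:02:03 OUT UDP 192.0.2.10:1040 -> 10.0.0.5:69
2003-08-11T14:05:00 IN TCP 10.0.0.7:2000 -> 192.0.2.10:135
2003-08-11T14:06:00 OUT TCP 192.0.2.10:1050 -> 198.51.100.20:443
2003-08-11T14:07:00 OUT UDP 192.0.2.10:1051 -> 198.51.100.53:53
"""

if __name__ == "__main__":
    flows = parse_log(CONSTRUCTED_LOG.splitlines())
    print("without egress filtering:", find_infection_chains(flows))
    permitted, denied = apply_egress_policy(flows)
    print("egress-denied flows:", [(f.dst, f.dport) for f in denied])
    print("with egress filtering:", find_infection_chains(permitted))
```

Run as-is, the unfiltered log reports the 10.0.0.5 pair at the "download" stage; with the egress policy applied, the tftp flow is the only one denied and the same pair is reported at the "shell" stage, which is the point of the comment above: filtering does not stop the host being hit, but it stops the host fetching the worm body and becoming the next propagator, and the inbound shell traffic still gives you something to alert on.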
Re:I have already patched my entire network. (Score:2, Insightful)
I've seen MS-based sysadmins click through warnings and error messages like it's all acceptable. Then when things go boom, they come up with something like "the system is down for routine maintenance." And management takes it at face value because the servers go down more times than (insert crude comment here)...well, you get the picture.
There are plumbers and there are diplomats. I wouldn't be surprised if MCSE's have to pass a test on spin-doctoring.
Re:On the way? (Score:4, Insightful)
You should have had auto-updates turned on for your boxes and/or been using SUS server to push these kinds of updates out. We had autoupdates on, and then when the free scanner tool from eeye.com came out last week, we used that to scan the rest of our machines to identify any that didn't get the patch yet (not everyone has been migrated into our domain yet, and there are some rogue NT 4 boxes around still).
As a result, we had everything reasonably secure last Monday, and AFAIK there are no vulnerable machines on any of our subnets, according to my scans.
So, uh, what were you other Windows admins doing when you should have been doing your job?
Good (Score:1, Insightful)
Can't imagine how many more packets would be flying around if all those crashing machines were spamming the worm right now....
firewall = good (Score:2, Insightful)
The fact that people are getting hit with this worm indicates that there is simply not enough education about computer security out there, or that there is too much laziness from both consumers and software licensing companies.
This worm is not an issue for people with the correct closed ports...
Re:users being hit hard (Score:5, Insightful)
I think it's pretty irresponsible of them not to allow the autoupdate really...
That's like stealing a car, bringing it back to the car dealership to get a warranty issue fixed, and then acting all miffed when they call the cops on you.
If you steal something, don't expect the company you stole from to treat you like a customer.
Re:I have already patched my entire network. (Score:5, Insightful)
Firewall != security.
Re:users being hit hard (Score:2, Insightful)
A thief is a thief. They're responsible for their own actions. You can make all of the arguments you want about how software should be free, or how overpriced it is, or whatever -- but at the end of the day you've still got a person who decided to steal it instead of pay for it.
One of the consequences of that action is that they now have a machine they can't patch, which poses a risk to all of the other unpatched machines in existence. I feel no pity for the thief, and very little pity for the person who didn't keep their system up to date (which takes no effort with the way Windows Update works these days).
Re:On the way? (Score:5, Insightful)
"the Sysadmins need to be
"You should have had auto-updates turned on for your boxes"
"We had autoupdates on,"
Reasonable border security, strict firewall rules, roll-over security, implementing patches and updates after they've been tested within a "sandbox" or other non-production machine, and constant security/threat analysis - these are the building blocks to a secure and operational infrastructure; not turning on "auto-update" for all your Windows boxes. That's absolutely ridiculous. Next time a faulty patch comes down the line, it's going to take down some, most, or even all of your machines. I can remember Microsoft security patches causing anything from network connection problems to out-right system corruption requiring repair/reinstallation of the OS. Be very careful throwing stones at other admins when your own procedures are just plain laughable.
"So, uh, what were you other Windows admins doing when you should have been doing your job?"
Where was I? Reviewing the procedures I have in place to ensure that this type of vulnerability never touches anything that would be vulnerable to it, and ensuring that all critical systems are buffered in case of internal infection through user stupidity. Where was I? Doing my job, correctly.
Re:On the way? (Score:2, Insightful)
As for auto-updates, ideally you're going to want to use SUS, (which I also mentioned in my reply, and you ignored in an attempt to make me look dumb) but the reality is a lot of Universities and small-businesses don't even have a Domain in place for their users, much less something as sophisticated as SUS or SMS. I'd much rather take my chance on some patch causing some minor problems, than have machines sit for YEARS without any patches being applied, as is the case without auto-update. Use SUS for machines in a domain, where you can actually start applying group policy, but if you've got a machine stuck in some dark, damp, grad student office in the basement, that you maybe will see once every 2-3 years, at least try to get Auto-Update turned on.
As for AutoUpdates breaking things, sure, it could happen. But I'd rather suffer a random broken application than be rooted. I'd much rather have machines booted off the network from a borked net driver than being used for a DDoS attack.
Please provide for me an example of a Microsoft patch provided in the Critical Updates section of Windows Update that has rendered 100% of systems inoperable or required a reinstallation of the OS at any time in the last 18 months.
And, I was referring to the Sysadmins who hadn't done ANYTHING, and there are several. I asked my wife if they'd done anything at the Ad Agency she works at. They haven't. There are a large number of posts on Slashdot from people running Windows who didn't even know that the vulnerability existed before today. Those are the people I take issue with, people who said "Oh, the firewall will protect us" or "Oh, I'll run WindowsUpdate the next time I happen to be at one of those machines" or "I don't feel like installing those patches that the system tray is telling me to install right now".
Re:Great (Score:2, Insightful)
A friend of mine in San Antonio--also not a computer wizard--who works from home over a cable modem also was hit early in the day. Her computer was rebooting every 5 minutes or so. She couldn't even stay online long enough to get an IM conversation--she eventually called me on the phone and asked what I thought. I hadn't heard about the virus yet so I told her that her Windows had either gone unstable and she'd probably have to reinstall Windows, or she had been hit by a virus and also might have to reinstall Windows.
Then I read about this. So I don't know exactly who is or isn't affected, nor if there's some other way the worm can get loose in a local network (I assume the university in Mexico has a firewall!), but it's definitely causing problems for many mortals. :)
I am happily running Linux behind a firewall, though, so I just get to watch and grin at the hidden message left by the virus writer. "Billy gates why do you let this happen? Stop making money and fix your software." :)
Can businesses afford to deploy Linux with the SCO "threat"? My question is: Can't they afford NOT to? :)
Re:firewall = good (Score:3, Insightful)
If your answer is "they don't", then you've effectively taken away the reason for having a network in the first place. If your answer is VPN, then you've left a gaping tunnel from the outside, through your firewall.
My point is not that firewalls are only one piece of the security plan, but they cannot solve everything.