I now know of some that have survived the BLASTER, and have totally fallen
to NACHIA.

WRT the laptop / unmanaged machine issue - we shouldn't trivialize this
totally; even in cases where you are allowed to require patches, there are
cases where there are 250+ users in a building for every tech support rep,
and it's not like they weren't busy before ... Having said that, I still think
they should be patched and 'supervised' :).


For those curious about NACHIA, the short version is:
        Attempts to patch machine (ms03-026)
        Attempts to remove BLASTER
        Generates a tremendous amount of ICMP traffic, to the point that 
                just a few compromised hosts seem to be sufficient to hammer
                networks down.

The longer versions:
Symantec        http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html

Sophos          http://sophos.com/virusinfo/analyses/w32nachia.html 
Network Assoc.  http://vil.nai.com/vil/content/v_100559.htm 
SANS            http://isc.sans.org/diary.html?date=2003-08-18 





Truly amazing.
Thanks!
TJ
[EMAIL PROTECTED]   
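
The ICMP volume described in the short version above is the symptom a network team is most likely to notice first. As an added example, not part of this thread, here is a small Python detector that reads a constructed firewall-log format (the log format, the host addresses, the time window and the thresholds are all assumptions for illustration) and flags sources whose echo requests within a short window are both numerous and spread across many distinct destinations, which is what separates a sweeping host from an ordinary ping:

```python
"""Flag hosts generating sweep-like ICMP echo-request volume.

Added example, not code from the mailing-list thread. The log line format
used here is constructed for the example:
    "<epoch-seconds> ICMP <src> -> <dst> type=<n> code=<n>"
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format (assumption): one ICMP packet per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) ICMP (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"type=(?P<type>\d+) code=(?P<code>\d+)$"
)
ECHO_REQUEST = 8  # ICMP type 8 = echo request; type 0 = echo reply


@dataclass(frozen=True)
class EchoRequest:
    ts: int
    src: str
    dst: str


def constructed_log() -> list[str]:
    """Build constructed sample lines: one sweeping host, one normal host."""
    lines = []
    # Sweeping host (constructed): one echo request per second to 60
    # consecutive addresses on a neighbouring subnet.
    for i in range(60):
        lines.append(f"{1061238000 + i} ICMP 10.0.0.5 -> 10.0.1.{i + 1} type=8 code=0")
    # Normal host (constructed): three pings to its gateway, replies come back.
    for i in range(3):
        lines.append(f"{1061238000 + i} ICMP 10.0.0.9 -> 10.0.0.1 type=8 code=0")
        lines.append(f"{1061238000 + i} ICMP 10.0.0.1 -> 10.0.0.9 type=0 code=0")
    return lines


def parse_echo_requests(lines: list[str]) -> list[EchoRequest]:
    """Keep only well-formed echo-request lines; replies and junk are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["type"]) != ECHO_REQUEST:
            continue
        out.append(EchoRequest(int(m["ts"]), m["src"], m["dst"]))
    return out


def find_sweepers(
    requests: list[EchoRequest],
    window_s: int = 60,
    min_requests: int = 50,
    min_distinct_dsts: int = 32,
) -> dict[str, tuple[int, int]]:
    """Return {src: (requests, distinct destinations)} for each source whose
    echo requests in some window of window_s seconds reach both thresholds.

    Both thresholds are assumptions to be tuned per site; requiring many
    distinct destinations keeps a host that pings one monitor target
    repeatedly from being flagged.
    """
    by_src: dict[str, list[EchoRequest]] = defaultdict(list)
    for r in requests:
        by_src[r.src].append(r)

    flagged: dict[str, tuple[int, int]] = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans < window_s seconds.
            while reqs[end].ts - reqs[start].ts >= window_s:
                start += 1
            window = reqs[start:end + 1]
            distinct = len({r.dst for r in window})
            if len(window) >= min_requests and distinct >= min_distinct_dsts:
                # Record the first window that crosses both thresholds.
                flagged[src] = (len(window), distinct)
                break
    return flagged


if __name__ == "__main__":
    hits = find_sweepers(parse_echo_requests(constructed_log()))
    for src, (count, distinct) in hits.items():
        print(f"{src}: {count} echo requests to {distinct} distinct hosts in one window")
```

Run against the constructed sample, only 10.0.0.5 is reported; the gateway pings from 10.0.0.9 stay well under both thresholds. The same two-threshold idea applies to flow records from a router or switch, which is usually where a few noisy hosts show up before anyone looks at the end systems.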


-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 18, 2003 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: OT Microsoft worm [7:74045]

Evans, Timothy R (BearingPoint) wrote:
> 
> I know of several organizations in the Washington / NoVa / MD area that were
> affected - the MD Motor Vehicle Administration was offline for quite some
> time, for example.
> 
> 
> Sadly - too many people, many who should know better, assumed that as long
> as the "edge" was secured then all was good.  Unfortunately it only takes
> one laptop (for ex) to break that theory :).

Makes me wonder about people's security policies. Bringing in a laptop that
isn't running software approved by IT shouldn't be allowed. This software
should include patched OSs, anti-virus, and personal firewall.

Of course, enforcing that is difficult.

Friday night I was walking by a local bank and noticed that the lights were
still on. I had to chuckle when I looked inside and noticed IT guys hunched
over PCs at the tellers' stations. I'm pretty sure I know what they were
doing. And yes, IT guys are easy to recognize. You know who you are. :-)

Today I went to my favorite local coffee shop. The public Internet access
PC was turned off with a sign that said, "Not in service due to virus. Bye,
bye Miss American Pie." Ah, the day the music died.

This blaster thing is yet another wake-up call. The big one is still coming.
We are lucky that so far it's been benign tricksters attacking our networks.
Sorry for the dire warning, but I truly predict a huge failure at some
point. Argh....

> 
> 
> Luckily - this was/is a very sloppy worm:
>       Noisy enough to easily trace down
>       Poor propagation method
>       Limited vectors of attack
>       No destructive payload 
> (don't get me wrong - having a backdoor is bad, but let's say it wiped data
> from hard drives 8 hours after infecting them, or performed some other
> non-random act of data destruction)
> ...   and, to top it all off, its attempted DoS was to the wrong URL and
> was easily sidestepped, although some people caused local RST floods on
> their network by attempting to mitigate it incorrectly :)

It's not just Microsoft that has software bugs! Getting the wrong URL was an
amazingly stupid bug, but benign. A lot of the infamous worms of the past
spread unintentionally like wildfire because of software bugs.

Why is software so hard to get right? Well, I know why. But this has gotta
change....

Priscilla


> 
> 
> 
> Thanks!
> TJ
> ... not all Windows admins are incompetent
> ... and some are network admins as well :)
> 
> -----Original Message-----
> From: Reimer, Fred [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, August 16, 2003 4:23 PM
> To: [EMAIL PROTECTED]
> Subject: RE: OT Microsoft worm [7:74045]
> 
> For reasons of confidentiality I won't and can't name any names, but I am
> aware of several hospitals that were affected pretty seriously.  Everyone
> here knows that Cisco Call Manager runs on Windows, so imagine what happens
> to your entire phone infrastructure if you are running VoIP.  Network grinds
> to a halt and admitting can't access the applications to admit people in the
> ER.  Lab orders don't go through, so meds can't be dispersed based on the
> results of tests.  Everything goes back to a paper fall-back scheme until
> the Windows administrators patch the systems like they should have done
> weeks ago.
> 
> So no, don't assume that even large organizations have a handle on things.
> Especially hospitals which are notoriously on the low end as far as
> adequately staffing, at the right levels, their IT staff.
> 
> One thing I sincerely hope is changed in our lexicon is calling Windows
> administrators "network administrators."  It makes me physically ill,
> because those folks don't "administer" the "network," if anything they
> actually do can be classified as competent administration.  They should be
> called what they are "systems administrators," or, if you want to be more
> specific, "Windows administrators."  I personally think they deserve a
> classification of their own.
> 
> All I can say is that the Windows systems that our group has to use and is
> responsible for were patched long ago, and did not exhibit any issues.
> 
> Fred Reimer - CCNA
> 
> 
> Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA
> 30338
> Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050
> 
> 
> NOTICE; This email contains confidential or proprietary information which
> may be legally privileged. It is intended only for the named recipient(s).
> If an addressing or transmission error has misdirected the email, please
> notify the author by replying to this message. If you are not the named
> recipient, you are not authorized to use, disclose, distribute, copy, print
> or rely on this email, and should immediately delete it from your computer.
> 
> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, August 16, 2003 1:22 PM
> To: [EMAIL PROTECTED]
> Subject: OT Microsoft worm [7:74045]
> 
> Just wondering, is this new LOVSAN msblast worm as big as it seems to be?
> I've been helping lots of Windows users clean up their machines. They all
> had the worm. These are mostly home users. I can't believe they would use
> broadband, "always-on" access and not have a firewall, but they didn't!
> 
> What are you all seeing? Is this a big one? I suppose enterprise networks
> are much better protected (hopefully) than the home networks I've been
> helping out with.
> 
> One has to wonder if the huge power outage could be related. I can imagine a
> Windows computer somewhere in Ohio that played a surprisingly important role
> in keeping the grid working and had been infected..... But I read a lot of
> science fiction. :-)
> 
> By the way, the stupid worm is attacking the wrong Microsoft URL! So that
> aspect of it isn't going to be as bad as once thought.
> 
> Comments?
> 
> Priscilla
> **Please support GroupStudy by purchasing from the GroupStudy
> Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> 
> 
> ******************************************************************************
> The information in this email is confidential and may be legally
> privileged.  Access to this email by anyone other than the
> intended addressee is unauthorized.  If you are not the intended
> recipient of this message, any review, disclosure, copying,
> distribution, retention, or any action taken or omitted to be taken
> in reliance on it is prohibited and may be unlawful.  If you are not
> the intended recipient, please reply to or forward a copy of this
> message to the sender and delete the message, any attachments,
> and any copies thereof from your system.
> ******************************************************************************






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74127&t=74045