[News] Sasser net worm disruption grows...

Tech Zero

Story from BBC http://news.bbc.co.uk/go/pr/fr/-/2/hi/business/3679511.stm


Disruption caused by a new internet virus known as Sasser is showing
signs of worsening.

In two separate cases, companies in Taiwan and Finland reported the
worm had disrupted their computers.

Sasser, unlike a virus which travels through e-mails and attachments,
spreads directly from the internet.

It attacks recent versions of Microsoft's Windows causing the computer
to shut down. Experts believe millions of computers may be infected.

Shut down

Taiwan's national post office said a third of its offices had been
paralysed by the virus.

The company said it had started to receive complaints from around 10:00
(03:00 BST) that computers in its offices were shutting down and
rebooting automatically.

The disruption left customers queuing in long lines at many of the
company's offices, according to television reports.

Meanwhile, Finnish bancassurer Sampo said it had temporarily closed all
of its 130 branch offices as a precaution against Sasser.

In Moscow a computer security firm warned of a possible major epidemic.

Microsoft has acknowledged that the worm is spreading but played down
the threat.

"It seems to me an exaggeration to say that millions of computers have
been affected," said Bernard Ourghanlian, Microsoft's technical
director in France.

Software

Microsoft has made available a software update to fix the flaw and
offers a guide to those afflicted on its website page
www.microsoft.com/security.

Sasser attacks recent versions of Windows 2000, Windows Server 2003 and
Windows XP.

The computer has to be rebooted several times but appears to suffer no
lasting damage.

"Worst affected will be small and medium-sized businesses that don't
have the resources to update their anti-virus software," said Mark
Grady, principal consultant at IT consultants Intraliant.

"Large corporations have the time and money and will have updated their
patches," Mr Grady said.

A Microsoft patch was released on 13 April and revised on 28 April.

Internet users have been warned that they are more likely to get the
virus the more they surf the web.

The virus is picked up by clicking on any one of a number of sites.

The worm is the third major internet infection after Mydoom in January
and Bagle in February but computer experts are saying that unlike
previous ones it does not appear to damage the hard drive.
 
optikl

Tech said:
> "Worst affected will be small and medium-sized businesses that don't
> have the resources to update their anti-virus software," said Mark
> Grady, principal consultant at IT consultants Intraliant.
>
> "Large corporations have the time and money and will have updated their
> patches," Mr Grady said.

Ha! That's funny. He shouldn't count on that. I work for a very large
corporation, with many "divisions". Yesterday morning, my firewall
detected SASSER.A trying to make contact with my system (laptop) on my
company's LAN. The computer was another IP address assigned to our
corporate network. I reported this, but my report wasn't taken
seriously. Yesterday PM, I reported another attempt by another computer.
Again, I reported this, but it wasn't until several systems began
rebooting that anyone took this seriously. Since I'm one of the "few"
with any kind of network firewalling protection, I suspect this thing to
become very widespread. Yesterday afternoon, our IT people began remote
scanning of systems to see which were vulnerable so that patches could
be pushed to the appropriate systems. Sort of pathetic....
 
Dave Budd

Anybody observed Sasser uninstalling itself?
Amid the chaos, I've looked at one machine where it simply disappeared
once I went into Safe Mode.
 
imbsysop

> [snip]
> with any kind of network firewalling protection, I suspect this thing to
> become very widespread. Yesterday afternoon, our IT people began remote
> scanning of systems to see which were vulnerable so that patches could
> be pushed to the appropriate systems. Sort of pathetic....

... especially if one considers that the patch was released by MS on
April 13th ... we already installed it on April 15th .. so maybe you
should better boot up yr IT responsibles :)
 
Mal

imbsysop wrote:

> .. especially if one considers that the patch was released by MS on
> April 13th ... we already installed it on April 15th .. so maybe you
> should better boot up yr IT responsibles :)


Unless you only have 10 desktops and 2 servers, any Microsoft patch
needs time to be tested, packaged, piloted and then rolled out to the
entire environment.

Unfortunately while big companies have lots of IT staff, it also means
the systems they look after tend to be more complex, more numerous and
have more impact when they fail.


I agree though that patching needs to happen quicker and that there are
some pretty slack IT staff out there.. but that even with 18 days a lot
of companies would struggle to meet that patching deadline.
 
Dave Budd

imbsysop wrote:

> Unless you only have 10 desktops and 2 servers, any Microsoft patch
> needs time to be tested, packaged, piloted and then rolled out to the
> entire environment.

If you have more than that, and you don't make them stick rigidly to
some software image, then you effectively have no way to test so you may
as well not bother.
And if they're using a proper image, there's only one to test.

....and all the MS patches come with uninstallers.
 
Mal

Dave Budd wrote:

> If you have more than that, and you don't make them stick rigidly to
> some software image, then you effectively have no way to test so you may
> as well not bother.
> And if they're using a proper image, there's only one to test.
>
> ...and all the MS patches come with uninstallers.

Even with one corporate image for servers, and one for desktops you have
a lot more to test.

Sure you have the same base image and the same standard apps, but what
about custom apps, off the shelf apps that are only used in one division
etc etc etc.

How about your software vendors that only support eg W2K for their
server apps, when your standard is W2k3.

This is OT for this newsgroup, but patching a large enterprise really
isn't as easy as some people make it out to be.
 
Dave Budd

Dave Budd wrote:

> Even with one corporate image for servers, and one for desktops you have
> a lot more to test.
>
> Sure you have the same base image and the same standard apps, but what
> about custom apps, off the shelf apps that are only used in one division
> etc etc etc.
>
> How about your software vendors that only support eg W2K for their
> server apps, when your standard is W2k3.
>
> This is OT for this newsgroup, but patching a large enterprise really
> isn't as easy as some people make it out to be.

Tell me about it. Which is why I say, basically, you may as well not
bother testing.
 
Gabriele Neukam

On that special day, Tech Zero, ([email protected]) said...

> "It seems to me an exaggeration to say that millions of computers have
> been affected," said Bernard Ourghanlian, Microsoft's technical
> director in France.

He'll be talking otherwise within 48 hours, I bet.

> The computer has to be rebooted several times but appears to suffer no
> lasting damage.

"Has to be"? Or "does", each time the wrong exploit has been tried? And
a backdoor established by Sasser probably isn't deemed to be "damage",
eh?

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.d.html
says:

"Degrades performance: Generates significant network traffic.
....
Compromises security settings: Opens an FTP server on port 5554, and a
backdoor on port 9995."

> "Worst affected will be small and medium-sized businesses that don't
> have the resources to update their anti-virus software," said Mark
> Grady, principal consultant at IT consultants Intraliant.

Worst affected are those who didn't take their time to patch their
machines with the MS04-011 patch, no matter how large or small the
"company" is. A virus scanner can only mop up after the infection has
occurred. And as long as the machine isn't patched, it will be
reinfected within seconds, as long as it is online.

> "Large corporations have the time and money and will have updated their
> patches," Mr Grady said.

Really? That does very much depend on the internal security policy, I
suppose.

> The virus is picked up by clicking on any one of a number of sites.

Bruhahaha. Heh, it comes from the neighbour machine, not from a
trojanized site. If you connect, you are already in the line of fire, a
shower of pings is trying to find your machine, even before you have
started fetching your mail, or chatting, or sharing files, or listening
to a web radio, or retrieving the headers from Usenet.

> The worm is the third major internet infection after Mydoom in January
> and Bagle in February but computer experts are saying that unlike
> previous ones it does not appear to damage the hard drive.

<cough>
You probably mean in *this* year. And that year isn't even half over...
</cough>


Gabriele Neukam

(e-mail address removed)
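The two things this post describes (an infected neighbour sweeping the LAN before you have even fetched your mail, and the FTP server on port 5554 plus the backdoor on port 9995 that the Symantec write-up lists) are exactly what a firewall log would show. As an added illustration, not part of this thread or of Symantec's write-up, the Python below runs those two checks over a few constructed log lines; the log format, the fan-out threshold and the addresses are assumptions.

```python
"""Flag Sasser-style activity in firewall connection logs.

Added example: the log format and the thresholds are assumptions, not
anything from the thread. Indicators are the ones the post quotes from
Symantec (FTP server on TCP 5554, backdoor on TCP 9995) plus the
"shower of pings" sweep that precedes infection.
"""
from collections import defaultdict

SASSER_LISTENER_PORTS = {5554, 9995}   # from the quoted Symantec write-up
SCAN_FANOUT_THRESHOLD = 20              # assumed: distinct targets per source

def parse_line(line):
    """Parse 'ts src=IP dst=IP dport=N proto=tcp' (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"]), fields["proto"]

def analyse(lines):
    """Return {host_ip: set(reasons)} for hosts worth isolating or checking."""
    targets = defaultdict(set)   # src -> distinct dst hosts contacted
    findings = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        src, dst, dport, proto = parse_line(line)
        targets[src].add(dst)
        # A connection to 5554/9995 means the *destination* is already serving
        # the worm; the source is most likely pulling the worm body from it.
        if proto == "tcp" and dport in SASSER_LISTENER_PORTS:
            findings[dst].add(f"listener on tcp/{dport}")
            findings[src].add(f"contacted worm port tcp/{dport} on {dst}")
    # Fan-out check (unwindowed here; a real deployment would bucket by time).
    for src, dsts in targets.items():
        if len(dsts) >= SCAN_FANOUT_THRESHOLD:
            findings[src].add(f"scanned {len(dsts)} hosts")
    return dict(findings)

# Constructed sample: 10.0.0.7 sweeps 25 neighbours on tcp/445, then 10.0.0.9
# pulls from 10.0.0.7's FTP server on 5554; 10.0.0.50 is ordinary web traffic.
SAMPLE_LOG = [
    f"2004-05-03T10:00:{i:02d} src=10.0.0.7 dst=10.0.0.{100 + i} dport=445 proto=tcp"
    for i in range(25)
] + [
    "2004-05-03T10:01:00 src=10.0.0.9 dst=10.0.0.7 dport=5554 proto=tcp",
    "2004-05-03T10:01:05 src=10.0.0.50 dst=192.0.2.10 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for host, reasons in sorted(analyse(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(sorted(reasons)))
```

A host flagged for the listener ports is already infected and needs the MS04-011 patch before it goes back online, or it is reinfected within seconds, as the post says.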
 
* * Chas

Dave Budd said:
> (e-mail address removed) says...
>
> If you have more than that, and you don't make them stick rigidly to
> some software image, then you effectively have no way to test so you may
> as well not bother.
> And if they're using a proper image, there's only one to
> test.

A friend runs a 72 location WAN for a regional fire
district. All of the PCs on the network are mission
critical. No one is allowed to make any changes to the local
PCs, surf the web or store personal files on them. If the
firemen want to play games or surf the web they are supposed
to do it on their own PCs.

These guys have a lot of time on their hands and sometimes
are able to hack their station's PC.
My buddy carries a stack of freshly cloned hard drives with
him when he visits the fire stations. Any changes to a local
system and he just swaps out the hard drive!

Chas.
 
Conor

Dave Budd wrote:

> Even with one corporate image for servers, and one for desktops you have
> a lot more to test.
>
> Sure you have the same base image and the same standard apps, but what
> about custom apps, off the shelf apps that are only used in one division
> etc etc etc.

Bit pointless testing then isn't it?

By the time you get round to testing all possible configurations, the
latest malware has come screaming through your firewall and trashed the
LAN.
 
GSV Three Minds in a Can

Bitstring <[email protected]>, from the
wonderful person "cquirke (MVP Win9x)" <[email protected]>
said

> 2) So you should swallow "code of the day" as soon as it comes out,
> even if there's no way to uninstall it

There is =always= a way to un-install it, that is what backups are for.
With XP/Me you also have system restore, and there are copious 3rd party
products which provide the same functionality.

Failing to install an MS security related patch these days is just
asking for trouble shortly thereafter.
 
cquirke (MVP Win9x)

> Tell me about it. Which is why I say, basically, you may as well not
> bother testing.

Well, think what it's like for stand-alone users who don't have the
luxury of disk images, spare PCs to test on, etc. You have ONE PC
that has to work all the time. Patch or not patch? Wait and see if
anyone has problems on the 'net, then patch if OK after 14 days?
Well, that might be waiting too long...

Think about the logic:

1) Patching is required because even after months of intensive
development, in-house testing, wide-beta testing, software carved into
thousands to millions of CDs may still be defective.

2) So you should swallow "code of the day" as soon as it comes out,
even if there's no way to uninstall it and you are installing onto a
working system that has diverged from the initial clean-slate install.

See the problem?


------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
 
cquirke (MVP Win9x)

Bitstring <[email protected]>, from the
wonderful person "cquirke (MVP Win9x)" <[email protected]>

> There is =always= a way to un-install it, that is what backups are for.

"full system backups" are a myth for most folks - they aren't possible
to do, and they aren't always restorable when done.

> With XP/Me you also have system restore, and there are copious 3rd party
> products which provide the same functionality.

More flakware to rely on. Every month.

> Failing to install an MS security related patch these days is just
> asking for trouble shortly thereafter.

I'm leaning the same way, i.e. towards patching immediately, even if
only the critical ones. But even if that's the lesser evil, it's
still an evil. Any code changes can blow up in your face, and for
many businesses, month-end is a really bad time for that.


-------------------- ----- ---- --- -- - - - -
Trsut me, I won't make a mistake!
 
imbsysop

imbsysop wrote:

> Unless you only have 10 desktops and 2 servers, any Microsoft patch
> needs time to be tested, packaged, piloted and then rolled out to the
> entire environment.

I'm running a lot more than 10 machines in the node I manage but it
boils down to taking a calculated risk .. wanting to apply MS patches
blindly or spending nights debugging machines and/or shutting down
network services in order to remove sasser or agobot ... or worse ..
 
Dave Budd

> Well, think what it's like for stand-alone users who don't have the
> luxury of disk images, spare PCs to test on, etc. You have ONE PC
> that has to work all the time. Patch or not patch? Wait and see if
> anyone has problems on the 'net, then patch if OK after 14 days?
> Well, that might be waiting too long...

Run Linux.

> Think about the logic:
>
> 1) Patching is required because even after months of intensive
> development, in-house testing, wide-beta testing, software carved into
> thousands to millions of CDs may still be defective.
>
> 2) So you should swallow "code of the day" as soon as it comes out,
> even if there's no way to uninstall it and you are installing onto a
> working system that has diverged from the initial clean-slate install.
>
> See the problem?

Every day.
(a) Proper backups, so you can be back to where you were at end of
business the previous day within a couple of hours tops.
(b) What's a "mission critical" machine doing running the worst OS in
history? If you must, and it really is _that_ critical, you have _two_
machines.
(c) Does nobody actually USE system restore? [rhetorical - none of the
users who come to me for de-virusing have set restore points, ever]
(d) For machines that are mission critical, you surely have some plan
for recovering from a catastrophic hardware failure (like when my HDD
failed a few weeks back)? The same plan can surely cover deciding you're
not happy with the latest patch?
 
