The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=56076
35 messages

Tech: Worm rampaging the net

25 Jan 03 - 11:32 AM (#874664)
Subject: Tech: Worm rampaging the net
From: GUEST,amergin

Electronic attack slows Internet
'SQL' worm like 'Code Red,' but not as serious
Saturday, January 25, 2003 Posted: 8:49 AM EST (1349 GMT)


WASHINGTON (CNN) -- A fast-moving computer worm slowed down Internet access Saturday for about 22,000 servers, according to the Internet security firm Symantec.

Oliver Friedrichs, a senior manager with Symantec, said the "SQL" worm was taking advantage of a vulnerability detected six months ago in Microsoft sequel servers, used mainly by companies to store information.

Friedrichs said businesses, rather than home users, would be affected by the worm, which was similar but not as serious as the "Code Red" worm. Code Red swept through hundreds of thousands of computers in a single day in July 2001.

"When we look at this threat compared to some of the other threats, it's not that significant," he said. "Not as many servers are affected as Code Red."

A computer worm is a program that reproduces by copying itself onto other machines, which then seek out other vulnerable computers.

Friedrichs said the SQL worm "breaks into the server and tries to spread."

"It really generates a lot of network traffic," he said. "It's really just going to slow down Internet performance."

Friedrichs said Microsoft issued "patches" to fix the vulnerabilities in its systems, which were detected in July 2001, but many companies did not install them, opening the door to the SQL worm.




as an aside....it should be a very slow day at work today....sigh....


25 Jan 03 - 12:19 PM (#874689)
Subject: RE: Tech: Worm rampaging the net
From: vindelis

I take it that this is not the same as the Sub Seven Trojan horse Worm, that has been blocked by my anti virus software, recently. I cannot find anything about it on the Symantec web site.


25 Jan 03 - 12:23 PM (#874693)
Subject: RE: Tech: Worm rampaging the net
From: gnu

I just tried Environment Canada Weather Services, which was fine a few hours ago, and got yesterday's forecast. A security measure? Something's got them upset.


25 Jan 03 - 12:56 PM (#874711)
Subject: RE: Tech: Worm rampaging the net
From: Noreen

hi amergin- you ok? not seen you around....


25 Jan 03 - 03:34 PM (#874792)
Subject: RE: Tech: Worm rampaging the net
From: JohnInKansas

I note that even the big guys get caught with "the fix was available, but many hadn't installed it."

Most of us - at least the ones who look at "worm" threads - are probably using at least some anti-virus; but I don't have the impression that many are using the available free upgrades for operating systems. There have been some significant (and some not-so-significant) fixes published within the last few weeks.

Windows users - probably the majority of us - can go to:

Microsoft Windows Update

I'd strongly urge that this address be bookmarked - added to favorites, so you can go back at least once a month.

The site will download a "manager" program that runs on your machine to determine whether you need anything, and then will give you a list of what's available. (Nothing that identifies you is sent back to Microsoft.) You can choose which, if any, fixes you want, and download and install them.

I will warn that some recent fixes are fairly large, and a few require "separate install and reboot," so if you're significantly outdated, you may have to go back to the page a couple of times.

You'll feel better once you've got it done.

John


25 Jan 03 - 03:59 PM (#874798)
Subject: RE: Tech: Worm rampaging the net
From: GUEST,amergin

some of those updates though have been causing problems with xp users....they install an update then suddenly cannot get to secure sites....even though the cipher strength is 128...a pain in the butt but we finally managed a fix here at work...

as for this worm...the isp i work for is basically down....so the lower tiers have been getting the brunt of it....as a tier three agent....I talked to four customers in a three hour time span....all less than five minutes long....then finally got sent home....


25 Jan 03 - 04:01 PM (#874800)
Subject: RE: Tech: Worm rampaging the net
From: Sorcha

What happened to your cookie, 'Gin? I need to send you a PM............


25 Jan 03 - 04:39 PM (#874819)
Subject: RE: Tech: Worm rampaging the net
From: *daylia*

"Most of us - at least the ones who look at "worm" threads"

John I do have Norton anti-virus, but would you mind explaining "worm threads"? I think I should know if I'm looking at one ...

Thanks - daylia


25 Jan 03 - 05:06 PM (#874830)
Subject: RE: Tech: Worm rampaging the net
From: GUEST

Got to agree with taking advantages of the updates, John. I've not got this installed yet on my new Win2K set up but I had something, I think called "critical update" on Win 98 that used to check and inform me of new security patches.

daylia, I suspect John means any threads on viruses and other nasties we can get. A "worm" is one type but I'll leave John to explain.

Jon


25 Jan 03 - 06:13 PM (#874857)
Subject: RE: Tech: Worm rampaging the net
From: *daylia*

Thanks Jon - I thought maybe the links on some threads were suspicious, and those were what John meant by "worm threads".

daylia


25 Jan 03 - 07:36 PM (#874903)
Subject: RE: Tech: Worm rampaging the net
From: McGrath of Harlow

Anyone written a computer age update of the Lambton Worm yet?


25 Jan 03 - 09:52 PM (#874967)
Subject: RE: Tech: Worm rampaging the net
From: JohnInKansas

Quite a few people set up their 'cat browsing to filter out BS and Tech threads. My reference to "worm threads" was just to those that talk about worms, viruses, etc, and to those of us who go there.

And I'd have to agree with Amergin that sometimes getting up to date can make you readjust old settings that were apparently working fine. They say it's "for our own good," and they're probably not lying too much there, but it can be rather a trial when fixing something seems like it breaks something else.

To clarify a little - a first visit to the site will usually ask if you want to download the "manager" program - which you pretty much have to do in order to get much use out of the site. The program that you download will then look at what you already have installed, and will prepare a list of what's available - that you might need.

A "Critical Update" is something that they believe you really really really really should install, because it protects against someone's nasty stuff. You may also be offered "optional" items that you can pick and choose. A few of these (especially if you're XP or 2K) only apply if you're running server software, but you might find a couple of handy ones - like updates to Multimedia Player and such.

John


25 Jan 03 - 09:55 PM (#874968)
Subject: RE: Tech: Worm rampaging the net
From: Stilly River Sage

from the Associated Press:

Virus Overwhelms Global Internet Systems

January 25, 2003 06:15 PM EST

WASHINGTON - A fast-spreading, virus-like infection dramatically slowed Internet traffic Saturday, overwhelming the world's digital pipelines and interfering with Web browsing and e-mail delivery.

Monitors reported detecting at least 39,000 infected computers, which transmitted floods of spurious signals disrupting hundreds of thousands of other systems worldwide. Sites monitoring the health of the Internet reported significant slowdowns, although recovery efforts appeared to be succeeding.

"Everything is starting to come back online," said Bill Murray, a spokesman for the FBI's National Infrastructure Protection Center. "We know what the issue was and how to mitigate it, and we're just imploring systems administrators to apply the patches that will prevent this from propagating again."

Bank of America Corp., one of the nation's largest banks, said many customers could not withdraw money from its 13,000 ATM machines because of technical problems caused by the attack. A spokeswoman, Lisa Gagnon, said the bank restored service to nearly all ATMs by late Saturday afternoon and that customers' money and personal information had not been at risk.

Millions of Internet users in South Korea were stranded when computers at Korea Telecom Freetel and SK Telecom failed. Service was restored but remained slow, officials said. In Japan, NHK television reported heavy data traffic swamped some of the country's Internet connections, and Finnish phone company TeliaSonera reported some problems.

"It's not debilitating," said Howard Schmidt, President Bush's No. 2 cybersecurity adviser. "Everybody seems to be getting it under control." Schmidt said the FBI's cybersecurity unit and experts at the federally funded CERT Coordination Center were monitoring the attack and offering technical advice to computer administrators on how to protect against it.

"We as a technical group are getting better at identifying these things and putting filters in place in a timely manner," said Marty Lindner of the CERT Coordination Center.

Tiffany Olson, spokeswoman for the President's Critical Infrastructure Protection Board, said the White House may not determine the scope of damage "for at least a couple of days, and we may not know the full impact of this attack at all." She said companies often don't report such damage to the government.

The virus-like attack, which began about 12:30 a.m. EST, sought out vulnerable computers on the Internet to infect using a known flaw in popular database software from Microsoft Corp. called "SQL Server 2000." The attacking software was scanning for victim computers so randomly and so aggressively, sending out thousands of probes a second, that it saturated many Internet data pipelines.

Most home users did not need to take any protective measures.

The FBI was searching for the origin of the attack, which experts variously dubbed "sapphire," "slammer" or "SQ hell." Some security researchers noted that software unleashed in Saturday's attack bore striking resemblance to blueprints for computer code published weeks ago on a Chinese hacking Web site by a virus author known as "Lion." An FBI spokesman said he couldn't confirm that.

Tracing the attack, which appeared to strike first in the United States, might be impossible because it used a transmission method that made it unusually easy to falsify its digital trail, experts said. Mysterious scans that could have been a precursor to Saturday's attack have been detected by Internet sensors since last year, searching out vulnerable computers.

"Scanning has been going on for months and months," said Chris Wysopal of AtStake Inc., a security firm in Cambridge, Mass. "This person probably launched this attack at hundreds of machines all at once."

The attack resembled the "Code Red" virus that struck the Internet during the summer of 2001.

"This is like Code Red all over again," said Marc Maiffret, an executive with eEye Digital Security, whose engineers were among the earliest to study samples of the attack software. "The sheer number of attacks is eating up so much bandwidth that normal operations can't take place."

Schmidt said disruption within the U.S. government was minimal, partly because the attack occurred early on a weekend. The departments of State, Agriculture, Commerce and some units of the Defense Department appeared hardest hit among federal agencies, according to Matrix NetSystems Inc., a monitoring firm in Austin, Texas.

Some Associated Press news services were affected but were restored by morning.

The attack temporarily interfered with the computer network at The Atlanta Journal-Constitution, delaying publication of Sunday's first edition, normally delivered to newsstands Saturday afternoon, and delaying updates on the newspaper's Web site, http://www.ajc.com.

The world's largest Internet provider, America Online, reported no problems. "We remain on alert and continue to closely monitor this situation," spokesman Nicholas Graham said.

The attack sought to exploit a software flaw discovered by researchers in July 2002 that permits hackers to seize control of corporate database servers. Microsoft deemed the flaw to be critical and offered a free repairing patch, but it was impossible to know how many computer administrators applied the fix.

The latest attack could revive debate within the technology industry about the need for an Internet-wide monitoring center, which the Bush administration has proposed.

During the Code Red attack in July 2001, about 300,000 mostly corporate server computers were infected and programmed to launch a simultaneous attack against the Web site for the White House, which U.S. officials were able to defend successfully.

Unlike that episode, the malicious software used in this latest attack did not appear to do anything other than try to spread its own infection, experts said.

---

AP technology writers Anick Jesdanun and Frank Bajak contributed to this story from New York.

---

On the Net:

Technical details: http://www.eeye.com/html/Research/Flash/AL20030125.html

More details:

http://www.iss.net/security_center/static/10031.php

Microsoft fix:

http://www.microsoft.com/technet/security/bulletin/MS02-039.asp


26 Jan 03 - 06:18 AM (#875063)
Subject: RE: Tech: Worm rampaging the net
From: Mr Red

that the Sub Seven Trojan horse Worm is worrying - I pride myself on updating regularly. Norton would lose a lot of trade if they didn't keep their integrity - are they that stupid or incompetent? Nothing is impossible. But........


26 Jan 03 - 08:46 AM (#875118)
Subject: RE: Tech: Worm rampaging the net
From: GUEST

Have just read a bit about subSeven. It seems that there have been quite a number of variations. Perhaps Vindelis got a new one before Norton had a signature file to deal with it. That could happen with any AV software (at least of that type, there are ways of monitoring systems for suspicious behaviour, e.g. my BIOS monitors attempts to write to the boot sector), the companies are constantly playing "catch up". The message is to regularly update but be aware that things can get through so be cautious.

It sounds as if a firewall will help with SubSeven. It is a backdoor trojan - one that allows someone else control over your computer.

Jon


26 Jan 03 - 11:21 AM (#875194)
Subject: RE: Tech: Worm rampaging the net
From: *daylia*

Thanks so much for the info/link John, SRS et al

daylia (the computer neophyte)


26 Jan 03 - 12:20 PM (#875223)
Subject: RE: Tech: Worm rampaging the net
From: Stilly River Sage

I have DSL now, and a firewall, but I intend one of these days to put in a router, which will further shield the computer(s) behind it. And for added peace of mind, I manually turn off the power supply when I turn off the computer, so there isn't any turning itself on in the wee hours and following viral commands.

SRS


27 Jan 03 - 01:02 AM (#875564)
Subject: RE: Tech: Worm rampaging the net
From: Mark Cohen

I have Norton Internet Security and it frequently picks up access attempts by SubSeven. At least, I think that's what keeps popping up. Haven't seen it in a while so I'm not certain. But the phrase "backdoor trojan" sounds familiar, whatever it means. I also run Norton's LiveUpdate once a week, which updates both AntiVirus and Internet Security. (There's no wood on my computer, so I'm not going to say "It's worked so far.")

Aloha,
Mark

PS Was this attack the kind that Steve Gibson predicted would happen when XP came out? I still can't figure out whether he's a genius or a nut.


27 Jan 03 - 01:33 AM (#875571)
Subject: RE: Tech: Worm rampaging the net
From: mg

OK folks...can one of you tell me what is happening to my computer? I have a Mac, and never really believed they were virus proof and they aren't..but I just used shareware..now I got Norton and scanned everything and found no viruses (maybe I did it wrong). I had to take it off again because i froze up my computer. I really don't have anyone local I can ask about this...I talked to my ISP and they said it doesn't seem to be a virus, but I have been unsubbed from 3 lists (one that I run) for full mailbox, bouncing messages etc. I have had several messages in the last few weeks from places I have never heard of saying I can't subscribe to their lists. I have gotten messages saying that I had a virus or a worm and messages I never sent could not go through (thank heavens). I got some weird message from congress. A lot of my mail is not coming through. I know Pacifier was having problems themselves so that might explain some of it but not all. I have had people on other ends scan me for incoming viruses and they say I am clean..or my computer is anyway. So what could this be? They at Pacifier, and this was my thought, said it might not be a virus. I thought someone got hold of my address, either personally or a computer, and is using my address to do other things with. I know I have to change my address right away. Can I still keep my old email?

What else?

mg


27 Jan 03 - 02:26 AM (#875580)
Subject: RE: Tech: Worm rampaging the net
From: JohnInKansas

mary g -

There are several nasties that infect a machine, read the address book on that machine, and then "fake" sender's address using names picked at random from the address book.

It is quite possible that you're getting a lot of flak just because your email addy was in the book on someone else's machine that got infected.

If it were not for all the SPAM, a conscientious ISP could check whether the "return address" was real, but they're snowed under so if it says it's from you, they block you.

Mark Cohen -

Ten years or so ago, Steve Gibson was one of the "wunderkind" of the PC (and general computing world). His "signature" program was called "SpinRite." In the old days, hard drives had a tendency to "drift" off the track, and lose the ability to read cleanly. The standard procedure was to reformat the drive, to move the tracks to where the heads happened to be, and then reinstall everything. SpinRite made it possible, in essence, to "reformat" the drive without moving the data. It amazed nearly everybody.

Better drives have made it less necessary, and the "Windows Protection Layer" pretty much prevents the kind of direct hardware access to the drive that the program used.

Steve seems to be devoting his efforts now almost exclusively to hacker/antihacker and antivirus stuff, and you're not likely to see him "sparkle" at what he does unless you get "into the inside" of that world; but based on his past performance, if he says it - believe it (with a small safety net just in case).

I'd doubt that he specifically predicted this particular "hole" when XP came out, but he has been pretty good at making both general long term and pretty specific shorter term predictions of where the next problems are likely to pop up. And his criticisms are usually specific enough to be helpful, rather than just a bunch of whining like some others.

John


27 Jan 03 - 10:27 AM (#875752)
Subject: RE: Tech: Worm rampaging the net
From: Stilly River Sage

Mary,

I've started using Eudora mail, and it seems to have a subscription spam filter (you can test it free for a month). I'm not sure how that one works, if your mail goes through Qualcomm somehow, or if it just adds to filters resident on your computer any time you identify something as spam. You can set up filters yourself if you want, all of these programs have them. I use Earthlink as my provider, and their Spaminator is free and catches a heck of a lot of the stuff while it's on their servers. I dump it regularly (daily! as many as 20 a day!).

The other answers were correct, about your address in someone else's book and infected computer being used to "fake out" recipients. I also received an email from some congressional looking location--now I KNOW that was spam! No way in hell anyone would offer me an appointment in the Bush administration! The man doesn't have the intelligence to think his way past all of the ideology that was programmed into him. . .but I digress. . .since you're on a Mac, you should have fewer problems, but don't assume you lead a charmed life because of the Mac. I'd go ahead and put the Norton back on. I think you just happened to be in the path of that worm that sent out all of the junk email this weekend.

SRS


27 Jan 03 - 10:56 AM (#875774)
Subject: RE: Tech: Worm rampaging the net
From: *daylia*

click here for related info in the news this morning. (Click on the story "Vicious Internet Worm May Strike Again Today").


27 Jan 03 - 12:42 PM (#875857)
Subject: RE: Tech: Worm rampaging the net
From: Stilly River Sage

Here's a more stable link to that story.


27 Jan 03 - 06:02 PM (#876104)
Subject: RE: Tech: Worm rampaging the net
From: Mr Red

Thankx GUEST for the reassurance. I read about the BugBear here the day after I got an attachment that slipped through - I have a policy never to open attachments immediately and if I don't understand the extension I wait a day or two. I updated Norton immediately after. You have to update daily to reduce the risk but it's all about percentages - you can't be faster than the AV s/w house.


27 Jan 03 - 06:03 PM (#876107)
Subject: RE: Tech: Worm rampaging the net
From: Jeri

I have received worms (eeew!) from what appeared to be Mudcatter e-mail addresses. (2 or 3 of the messages) These didn't come from the folks it said they came from, but my guess is someone on somebody-or-other's huge mailing list got infected. At least it was somebody with a lot of Mudcatters' addresses.

I've also been getting spam with other Mudcat names in the "To" or "CC" headers. Some spammer has harvested these from either an e-mail, Mudcat (but other folks would be getting the spam too) or someone's computer through a back-door virus.

What it means is that if you use Microsoft Outlook (usually it's that program) and don't have adequate protection, you're putting everyone in your address book at risk.


27 Jan 03 - 06:13 PM (#876120)
Subject: RE: Tech: Worm rampaging the net
From: SINSULL

Just got my computer back after it finally crashed. I had a "techie" wipe the slate clean and re-install my software. I lost almost everything in the crash which was somehow related to a virus that blocked access to any anti-virus websites. I will be very careful from now on. Meantime, PM me your email addresses if you haven't heard from me recently. As I said - I lost almost everything. BACK UP! BACK UP! BACK UP!


27 Jan 03 - 06:48 PM (#876144)
Subject: RE: Tech: Worm rampaging the net
From: Bill D

I really hope no one here gets hit with any of these new attacks by idiots! (I suspect that anyone who had lost most of their data would consider the death penalty too good for whoever thinks it is 'fun' to loose these things)

frustrating though it is, Microsoft products are hated so much by some, that I have no doubt that there are virus writers making special efforts to discover and exploit any weakness in MS programs to discredit MS, thus Outlook Express users need to take extra care.

When I discovered this, I tried other programs and found out I actually liked the interfaces of several other programs better anyway! (Eudora, Calypso, Pegasus...or even the email part of Agent newsreader) I even like other browsers better than IE, and use 4 others regularly. (Opera, Mozilla (and its smaller first cousin, Phoenix) and K-Meleon.) So far, there have been only two things I HAD to use IE for.

But, I still use filters for spam, an anti-virus program (AVG) and 'usually' look at my mail in a mail checking program before even downloading it....thus, we have had only one virus attack of note in 6 years, and it was caught just fine.


27 Jan 03 - 08:26 PM (#876221)
Subject: RE: Tech: Worm rampaging the net
From: NicoleC

The latest worm is unlikely to affect any home users, except that your email and such may be slowed down. Of course, I'm staying late tonight to patch up my SQL Servers (uninfected... we have the additional layer of "obscurity" to our security system...).

Of course, I hadn't installed Service Pack 3. It came out 10 days ago fercrissake... and about 25% of the time when you install a brand spanking new MS patch, it makes something else stop working. MS *IS* getting better about bug-testing their bug-fixes though.


27 Jan 03 - 09:19 PM (#876243)
Subject: RE: Tech: Worm rampaging the net
From: JohnInKansas

The Microsoft "fix" for the current worm has been posted there since July - so I guess we know now that all those system administrators were caught asleep at the switch????

Unfortunately, news of this sort always seems to wake up other dormant crud. We've had 4 emails (so far) today that Norton blocked for the Klez32 virus. One was "faked" back to CowPie, and the others all appeared to come from a porn-SPAM distributor.

Ambivalent feelings about a spammer getting a virus, I guess. Unfortunately, they're set up to spread it.

John


27 Jan 03 - 09:26 PM (#876244)
Subject: RE: Tech: Worm rampaging the net
From: GUEST

Our history with MS SP3 for win 2000

Killed Folkinfo for a while, ended up writing some simple PHP script to show what was happening...

Jon


27 Jan 03 - 09:34 PM (#876251)
Subject: RE: Tech: Worm rampaging the net
From: Jeri

Bill, I've used Agent for something like 6 years. I think they upgraded it once in all that time, probably because it's simple and they got it right from the start. I've used Outlook. While I liked some of the business-related things I could do with it, I don't think all the bells and whistles are worth the amount of space it takes up or the virus risks.

I've noticed there are Linux server viruses now, so they aren't being ignored.

I don't know how many people have ISPs that check for viruses, but several recent e-mails have had a notice that a virus/worm had been removed. The only bad thing was that it never said which virus or worm it zapped.

I use EZTrust at https://www.my-etrust.com/services/ipe_support. I used the InoculateIT for free for over a year and when they started to charge for the EZTrust, I figured 1) I liked it, and 2) you can't beat $19.95. They seem to update their signature files as fast as anyone and I find it very easy to download them.


27 Jan 03 - 09:44 PM (#876257)
Subject: RE: Tech: Worm rampaging the net
From: NicoleC

Right you are, John. Turns out I had the fix installed already, but I *did* have a couple of other things to catch up on. These little incidents do act as good reminders :)


06 Feb 03 - 02:06 PM (#884170)
Subject: RE: Tech: Worm rampaging the net
From: Stilly River Sage

I heard a report on the news yesterday that this worm spread around the world in only 10 minutes. It was due to the aggressive way it searched for computers without Microsoft's patch. Am I alone in feeling that this was just a test or a precursor?

SRS


06 Feb 03 - 02:08 PM (#884173)
Subject: RE: Tech: Worm rampaging the net
From: MMario

10 minutes is a LONG time - *grin*


06 Feb 03 - 04:47 PM (#884259)
Subject: RE: Tech: Worm rampaging the net
From: Stilly River Sage

A long time for what? *BG*

Since it went through servers and didn't have to go through email (thus waiting for people to open it and become infected), it could go quite rapidly. Maybe it took this long because a few people had put in the proper patches.