August 25th, 2003
|jimbojones||05:21 pm - The road to hell is paved with well-meaning retards|
Okay, by now, unless you live under a bigger rock than vyacheslav, you've already heard of (and possibly had to get rid of) the MS-Blast worm. And if you keep abreast of the field, you'll also have heard of Nachi, a variant which the drooling retard of an author intended as a sort of "white knight" to patch machines against the vulnerability that MS-Blast exploits.
Unfortunately, said drooling retard never bothered to think about how ABUSIVE the worm is to network resources. And as it turns out, if a machine behind a home or small business router starts trying to portscan out through the router as fast as the worm tries to, the router gets overloaded and completely quits responding to ANYTHING in seconds. So in the name of "helpfully closing off the vulnerability" by exploiting it the same way that MS-Blast would, it also kills your network just as fucking dead. Actually, I think deader. I've seen plenty of ACTUAL MS-Blast infections in the past couple of weeks, and none of THEM actually brought their entire local network down.
And if that wasn't irritating enough already, the drooling retard also thought that he would demonstrate his "cleverness" by doing a far, far better job of hiding his "Good Guy" version of the worm than the original author did. The original worm simply runs from the "Run" key in the registry, and is very easily found and dealt with. But Dipshit McClueless that wrote the "Good Guy" version decided that he'd make HIS version install itself as a service, and mimic the WINS service closely enough that it took me a solid hour of poking around at an infected system before I could figure out what the HELL was running on it and DOS'ing the router.
Now, if Nachi was supposed to be a Good Guy thing, and it was just supposed to apply the patch to machines whose admins were too clueless to know how, why the fuck would it need to HIDE better than the original does, hmm? Shouldn't we be presuming that the act of inspecting the registry for rogue keys would, in and of itself, signify that the machine was getting the attention it needed, and that Nachi could/should be removed? It doesn't really matter, in the long run. Because the long and the short of it is, whatever cowboy-ass motherfucker wrote this thing has caused my customers more havoc than MS-Blast itself could ever HOPED to have done, and if I got the chance I'd string him up by his shriveled little dick and use his nutsack for a pinata.
Current Mood: pissed off
Current Music: Amon Tobin - Verbal (ft MC Decimal R)
| ||From: lauracroft|
Date: August 26th, 2003 - 05:31 am
Re: I did it, too
Jimbo, thought you'd be interested in the following excerpt from an email received from the network security team here at work. Mind you, My departments users aren't having problems 'cause we're all patched up (=D) but less than half of the 21,000 employees here are supported by my department.
I wanted to make sure everybody understood what we are identifying now in the network as far as the current virus/worm activity. There are two major strains of worm that we are currently fighting:
Blaster.A (Lovsan, Welchia/Nachia/Walachia, Blaster.D) -
This worm infects MS-Windows systems that are vulnerable to the RPC-DCOM exploit(7/16). The worm identifies an exploitable system, installs itself and attempts to contact the worm's creator with information about the PC infected. The (Welchia/Walachia/Nachia) Blaster.D variant tries to infects MS-Windows systems as above, but copies and installs the Windows update fix for the RPC and then reboots the PC. It then uses the subnet it is running on to look for other systems to infect. It uses an ICMP ping to find other exploitable systems and the result is general network slowness due to the high volume of pinging generated by the infected system.
What we have done: The perimeter firewall ports used to transfer the worm have been blocked for almost all locations. We have also used the IDS, combined with network scans to identify infected systems and block them, then contact the owners of the PC so it can be cleaned. In the event we do not have information on a particular IP Address, the IP address is sent to the ICSC for help in identifying the system.