Viruses - I feel your pain

re: Viruses - I feel your pain

Todd Spatafore — Fri, 18 Jun 2004 19:07:00 GMT

This is also a great example of why it is important that the firewall is enabled by default on SP2 even on a corporate LAN. People that are complaining and stating that they'll just disable the firewall are in for a world of hurt. Protect the LAN, Protect the Host, and Protect the Application should be drilled into everyone that uses a computer.

re: Viruses - I feel your pain

Scott — Fri, 18 Jun 2004 19:19:00 GMT

I got hit once at work. Instead of reading my web based email in FireFox(bird at the time) like I usually do I read it in IE. It just so happened that I was debugging an application at the time and had the task mangaer open watching the processes. I opened the email and bink, another process popped up in task manager. I didn't recognize it so I killed it. then I ran a scan and found a virus. Luckily it was just a VBScript virus that hadn't fully installed itself and was cleanable.

Now if you'll all open you copies of "Writing Secure Code version 2" to page 723 and cross ridiculous excuse # 6 off your list... ;)

re: Viruses - I feel your pain

Abiola Lapite — Fri, 18 Jun 2004 19:58:00 GMT

First of all, I have to ask why you were running as a member of the Administrator to begin with. Why didn't you log in as a member of the Users group and then use RunAs to launch the Service Pack install? Had you done this the worm wouldn't have been able to write itself to your %WINDIR% directory. One would think a Microsoft employee would know better ...

The second thing to point out is that your statement that "IMHO, once you’ve confirmed that you’re infected with a virus, you really have no choice but to wipe the machine since you have no way of knowing what’s been compromised" is strictly speaking false. There are in fact excellent ways of ascertaining that files haven't been tampered with, and some even <a href="http://www.tripwire.com/">run on Windows</a>, though you have to pay for them. It's too bad that Microsoft's own (unsupported) <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;841290">File Checksum Integrity Verifier</a> is such a limited application, as a tool with Tripwire-like functionality is sorely needed on the Windows platform.

re: Viruses - I feel your pain

Abiola Lapite — Fri, 18 Jun 2004 19:57:00 GMT

Arrgh! I take the time to enter in links and they get horribly munged by your weblogging app; .Text really needs preview functionality.

re: Viruses - I feel your pain

Larry Osterman — Fri, 18 Jun 2004 20:12:00 GMT

Abiola: I wasn't running as a member of the administrator group, it's one of the first things I do when I get a machine.

You're right that .text needs to support some form of bbtext or formatted links in it's comments, I've asked Scott about it :)

The worm didn't have to infect the %WINDIR% directory. I don't know what it infected, I just know the symptoms. It's entirely possible that I didn't even get infected it's just that there was a machine that was aggressively probing my machine. It didn't matter.

re: Viruses - I feel your pain

Derek Simon — Fri, 18 Jun 2004 20:21:00 GMT

The machine shouldn't have been plugged into the network in the first place. Until the operating system, firewall and anti-virus software are installed and updated, plugging into the Ethernet jack on the wall just isn't a good idea. If you have no choice but to perform a network install of a service pack, make sure that Windows XP's firewall (or another commercial firewall product) is on prior to doing so.

I do agree with you Larry on the "you really have no choice but to wipe the machine" principle.

re: Viruses - I feel your pain

Don Newman — Fri, 18 Jun 2004 20:56:00 GMT

I can understand getting the virus, happens to the best of us. The one thing I found odd is that a company the size of MS wouldn't have a hard drive image to just install that already had all current patches. At least for the OS since I imagine the apps used probably vary quite a bit between departments and even users (especially coders).

re: Viruses - I feel your pain

Larry Osterman — Fri, 18 Jun 2004 20:59:00 GMT

We do. I spaced originally and used the XP RTM CD I have in my office, but this morning I used RIS (Remote Installation Services) which installed the system over the net for me, with all the latest patches on it.

The thing about RIS installs is that they wipe the machine, and it wasn't until yesterday afternoon that I was willing to take the pain of reformatting the hard disk. Live and learn.

re: Viruses - I feel your pain

Cesar Eduardo Barros — Fri, 18 Jun 2004 21:02:00 GMT

Er... If there is a worm-infected machine somewhere in your network, shouldn't you tell the network administrators?

Then post here a story about how the worm got inside the firewall ;-)

re: Viruses - I feel your pain

Larry Osterman — Fri, 18 Jun 2004 21:06:00 GMT

Cesar: The worm probably got inside the firewall because someone took their laptop in from outside the firewall.

What's more interesting is (a) why it apparently was able to spread inside the firewall, given that our IT department mandates (and enforces) that we be running the most recent patches and (b) our IT department aggresively scans for machines trying to spread the worm.

I've got some emails out about that but I'm not holding a lot of hope out for figuring out what happened.

Derek: The problem is: How do I get the patches for the machine without plugging it into the net (where the patches are). The machine has no floppy (it's a laptop) and I have no CD burner available. I get the software on the machine from the net. It's a horrid chick and egg problem caused by ubiquitous networking. The good news is that the RIS install above worked.

re: Viruses - I feel your pain

Drew — Fri, 18 Jun 2004 21:06:00 GMT

Probably one of the sasser variants. Pre-SP2, there is a window for the worm to hit before the firewall comes up (if it's turned on at all). SP2 has the MS04-011 fix and also has a better firewall that should block the worm regardless.
If this was a test machine, you might want to consider using Virtual PC. You can configure the VPCs to use NAT, so they don't catch any of the nasties that run loose on corpnet. It's how I've been testing upgrade/uninstall variations with old unpatched OS's.

re: Viruses - I feel your pain

Pavel Lebedinsky — Fri, 18 Jun 2004 21:29:00 GMT

Abiola Lapite wrote:

> First of all, I have to ask why you were running as a member of the Administrator to begin with...

First of all, you need to realize that running as administrator vs. regular user is totally irrelevant here. LSASS is a system service so if at any time you have an unpatched version of LSASS running while connected to network, you are vulnerable. You don't even need to log on to be infected.

re: Viruses - I feel your pain

Larry Osterman — Fri, 18 Jun 2004 21:48:00 GMT

Thank you Pavel :) This is absolutely accurate.

This is the difference between a trojan horse and a worm - a worm affects a system service and can infect your system regardless of the user logged into the console. A trojan can only mess with the user's data.

Running as a non admin fixes the trojan horse problem but it does nothing to fix the worm problem.

That's why so much effort is being expended to reduce the number of services that run as LocalSystem in XP.

re: Viruses - I feel your pain

Abiola Lapite — Fri, 18 Jun 2004 23:57:00 GMT

Pavel,

I actually did do my homework before posting. The fact is that all five variants of Sasser identified thus far rely on the ability to write to %WINDIR% as well as [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
Follow the links to, say, Symantec or Trend Micro's bulletins from http://www.microsoft.com/technet/security/alerts/sasser.mspx if you doubt I'm correct.

The worst that SASSER variants can do on machines which haven't been patched for the LSASS vulnerability is download themselves locally and cause a system crash - they can't even run themselves after a reboot, as none of them even bother to write an entry into [HKCU] to run on startup.

re: Viruses - I feel your pain

Random Reader — Sat, 19 Jun 2004 02:17:00 GMT

Abiola,

You don't understand. Sasser _has_ the ability to write to those locations. Why? Because it's executing in the security context of LSASS. The currently logged on users, if any, are completely and utterly irrelevant.

In regard to TripWire-style solutions, "rootkits" et al exist that are capable of avoiding even them. There are published methods of A) loading arbitrary code into kernel space and B) using that code to filter and report false information to apps querying such things as file sizes and data.

TripWire-style things are good for auditing and forensic analysis, but not for guaranteeing integrity.

re: Viruses - I feel your pain

Abiola Lapite — Sat, 19 Jun 2004 03:17:00 GMT

"You don't understand. Sasser _has_ the ability to write to those locations. Why? Because it's executing in the security context of LSASS. The currently logged on users, if any, are completely and utterly irrelevant."

Ah, I get what you're driving at. Mea culpa.

"In regard to TripWire-style solutions, "rootkits" et al exist that are capable of avoiding even them."

Not if you create a database for all the critical system files while in a known good state. Run tripwire and record all the information it generates to a write-once medium like CD-R; then all you have to do even in the case where a rootkit's been installed is boot up another operating system which can read the NTFS filesystem but can't execute Windows binaries (like, oh, I dunno, Linux?) and compare the files on the hard drive to the information on your CD. A system compromise need *not* mean a total wipe and reinstall, though in Larry's case the efforts involved in following the alternative route I've suggested probably wasn't worth it.

re: Viruses - I feel your pain

same Random Reader — Sat, 19 Jun 2004 05:54:00 GMT

That's a good point -- I was looking only from the perspective of scheduled checks running under the same system. An offline comparison would of course work great.

re: Viruses - I feel your pain

Saurabh Jain — Sat, 19 Jun 2004 10:33:00 GMT

Larry,

You dont have to reformat the harddisk to reinstall using RIS. Just uncheck that "Automatic Format" option.

re: Viruses - I feel your pain

Larry Osterman — Sat, 19 Jun 2004 14:44:00 GMT

Didn't realize that Saurabh. Doesn't matter though, the machine had already been reformatted, and it had to be reformatted because of the worm :)

But good to know if I need to reinstall XP again.

re: Viruses - I feel your pain

Florian — Sat, 19 Jun 2004 15:47:00 GMT

I know that nowadays nobody cares about the differences between virii, worms and trojans anymore (and in some cases they're getting blurred) and they get used interchangeably. But could you at least stick to one term after picking it? =)

re: Viruses - I feel your pain

Larry Osterman — Sat, 19 Jun 2004 17:43:00 GMT

Fair 'nuf Florian. Here's what I'll use from now on:

Worm: Self replicating piece of code exploiting a vulnerability in a network facing component. It does NOT require user intervention to run.

Virus: Self replicating piece of code that attaches itself to an executable and modifies that code. Different from a worm because the virus requires user intervention (typically by launching an infected program).

Trojan: piece of code that replicates using social engineering. A trojan usually is a program that masquerades as one utility in an attempt to trick the user into downloading the program. Once downloaded it does not typically spread. In many cases, spyware is a trojan (IMHO, even addware like Gator which is spread intentionally by the distributor (like DivX)).

And the reason I (and others) aren't precise is because the line is very vague. Often times (ILOVEYOU for example), a virus spreads via the mechanisms normally associated with a trojan - ILOVEYOU required social engineering to get the offending code to run, but once the program was launched, it propogated itself like a virus).

re: Viruses - I feel your pain

Cesar Eduardo Barros — Sat, 19 Jun 2004 18:06:00 GMT

Wasn't ILOVEYOU a worm? I don't recall it infecting binaries.

re: Viruses - I feel your pain

Larry Osterman — Sat, 19 Jun 2004 18:20:00 GMT

Nope - it required user intervention to activate. It didn't attack binaries though, you're right.

Ok, so what was ILOVEYOU. It required user intervention to activate. It spread itself. It didn't modify executables. But it wasn't autonomous.

Sasser and MS-Blaster (and SQL-Slammer) were all clearly worms because they were autonomous.

As Florian said - it's complicated :)

re: Viruses - I feel your pain

Random Reader — Sun, 20 Jun 2004 03:39:00 GMT

In the classic definitions I remember, the key difference between "virus" and "worm" is that a worm is capable of spreading itself over a network. A virus is not network-aware.

As far as ILOVEYOU, TechNet called it a virus, while most of the AV vendors say it's a worm. Since CERT also says it's a worm, I'd probably go with that.

I couldn't find any formal definitions on CERT's site, but this page has some hints (see 6.4.4.3): http://www.cert.org/research/JHThesis/Chapter6.html

That "autonomous" definition differs from your own; going by the quotes on that page, ILOVEYOU is classed autonomous (as are all viruses).

Anyway, yes, very fuzzy lines :)

re: Viruses - I feel your pain

Dennis T Cheung — Sun, 20 Jun 2004 06:18:00 GMT

Blue badger here. I followed the RC2 instructions to a T, and uninstalled RC1. Was prompty infected with Korgo. Bummer. I guess I need to reformat as well :(

re: Viruses - I feel your pain

Florian — Sun, 20 Jun 2004 09:03:00 GMT

I know the lines have gotten blurry. I am not the one to jump on people for not using the technically correct term, so my comment was a little tongue-in-cheek. Unless you're in the business of computer security or anti-virus software the difference doesn't really matter anyway. It sure doesn't for grandma. It just tends to bug me a little when different terms are used for the same thing in one thread/article/sentence by well-respected, tech savy people who have been in the industry long enough to understand the difference (note: not necessarily know, but understand). =)

Also it seems that we have forgotten what the original definitions were. I noticed that my definitions differ from both Larry's and Random's.

re: Viruses - I feel your pain

Cesar Eduardo Barros — Sun, 20 Jun 2004 14:26:00 GMT

http://www.catb.org/~esr/jargon/html/W/worm.html
http://www.catb.org/~esr/jargon/html/V/virus.html
http://www.catb.org/~esr/jargon/html/T/Trojan-horse.html

Looks like it's really in the twilight zone between virus and worm.

But I really think we should stop this subthread now.

re: Viruses - I feel your pain

Centaur — Mon, 21 Jun 2004 05:55:00 GMT

> I followed the RC2 instructions to a T, and
> uninstalled RC1. Was prompty infected with
> Korgo.

So here’s what I would have done:
* Download the standalone, so-called full cab version.
* Unplug the network cable, physically.
* Uninstall the previous SP or whatever is necessary.
* Install the new SP from the full cab version.
* Plug the cable back.

This way, you are not exposed to the aggressive environment while your protection is down.

re: Viruses - I feel your pain

Scott — Mon, 21 Jun 2004 13:11:00 GMT

Looks like Slashdot feels your pain too Larry.

http://slashdot.org/article.pl?sid=04/06/21/0024208

One of the more interesting ideas, using a live Linux distro to download the patches and burn them to a CD before installing Windows. That would be an interesting idea. Maybe Microsoft could change the install process and use a special runtime/ftp process that downloads the patches and places them in a folder on the hard drive. Then the install can take the network down, finish installing the OS, and then install any patches necessary. After all that, then bring up the network.

Of course that would only work on future products. :( You're still screwed if you are re-installing.

re: Viruses - I feel your pain

Larry Osterman — Mon, 21 Jun 2004 14:45:00 GMT

Yeah Scott, I noticed that yesterday. It was an interesting synergy.

Actually if RIS as deployed at Microsoft has the ability to avoid reformatting the hard disk, then it might be an option.

Also, don't forget that for XP SP2 and beyond, the firewall is on from the get-go, which means that if you've got an SP2 slipstream CD, then you're good to go. It didn't help me, but...

My personal recommendation for the /. crowd is the DI-604 btw. The best $45 I ever spent.

re: Viruses - I feel your pain

Derek Simon — Mon, 21 Jun 2004 16:46:00 GMT

"Derek: The problem is: How do I get the patches for the machine without plugging it into the net (where the patches are). The machine has no floppy (it's a laptop) and I have no CD burner available. I get the software on the machine from the net. It's a horrid chick and egg problem caused by ubiquitous networking."

If the network can't be trusted, then don't trust it. It's that simple. Download the updates/patches to an alternate machine, along with Microsoft Baseline Security Analyzer and the latest "mssecure.cab". Then transfer the files to the fresh installation (via a USB drive, network cable, etc.), run the command-line version of MBSA specifying the local copy of "mssecure.cab" and apply the updates/patches as need be. After that, make sure ICF is enabled and then, and only then, connect the computer to the network.

Of course this method requires a secondary machine, but we've been using the method successfully for months with no problems whatsoever. Granted the procedure is a bit lengthier than the more direct (but security prone) route, but doing something half-assed is just that-- half-assed.

re: Viruses - I feel your pain

Don Newman — Mon, 21 Jun 2004 17:48:00 GMT

The other option is employ a cheap DSL/Cable router using NAT. I'm sure the boys over in IT would have had one for you kicking around (if not somebody at home).

Here is an odd question. For a company like Microsoft, how do you differentiate between IT and the rest of the staff? Do you ever find yourself explaining that you work in IT but not in the IT dept?

re: Viruses - I feel your pain

Larry Osterman — Mon, 21 Jun 2004 17:52:00 GMT

Don: I work in development, not in IT. IT runs the network, development makes the products.

Actually humorously enough, I have a DI-604 in my office, I'm using it to manage a private network for my Fjord work (http://blogs.msdn.com/larryosterman/archive/2004/06/21/161532.aspx).

But there are issues with NAT boxes and our internal deployment of IPSEC from what I understand - effectively I can't firewall my office from the corp net :(

Larry got infected by a Virus, the aftermath...

Larry Osterman's WebLog — Thu, 24 Jun 2004 20:56:00 GMT

It is not possible to keep a real big network 100% virus free

Sergey Simakov blog — Fri, 25 Jun 2004 14:10:00 GMT

re: It is not possible to keep a real big network 100% virus free

hxx — Thu, 01 Jul 2004 21:56:00 GMT

It's possible just unplugged all your network from Internet, or another Lan. And crash all floppies and CD-ROM drives. =D

re: Viruses - I feel your pain

Larry Osterman — Thu, 01 Jul 2004 22:03:00 GMT

As long as you allow computers to enter or leave the network, it doesn't work any more.

Which makes things kind-of hard on the sales guys - they kinda like having laptops to do work when they're out of the office.

Every programmer should know assembly language - part two

Larry Osterman's WebLog — Wed, 21 Jul 2004 20:35:00 GMT

Despues de zero | hilpers

Despues de zero | hilpers — Tue, 20 Jan 2009 22:41:00 GMT

PingBack from http://www.hilpers-esp.com/358136-despues-de-zero