
Why "MSblast" failed...


David Prahl
08-16-2003, 10:57 PM
Have you guys heard why the LoveSAN/MSblast worm failed to launch a decent DOS attack on Microsoft?

Most media sources are saying that Microsoft "thwarted" or "prevented" or even "stopped" the attack, but the real reason was outright stupidity by its author.

The worm was told to attack http://windowsupdate.com (a redirect), NOT http://windowsupdate.microsoft.com!
:jawdrop:

All Microsoft had to do was remove the re-direct to the correct page for a few hours, and the whole thing blew over.

My two cents:

One: I'm not a worm or virus writer, but I'd at least check to make sure the URL was correct if I was going to spend a long time writing something. :roll:

Two: Don't give microsoft all the credit. They lucked out this time!

ctmagnus
08-17-2003, 12:36 AM
I'm not a worm or virus writer, but I'd at least check to make sure the URL was correct if I was going to spend a long time writing something. :roll:

:duh: The work of a scr1pt k1dd13. They'll go to all the effort to orchestrate something like this and botch the URL they want to ddos. :rofl:

Janak Parekh
08-17-2003, 05:11 AM
Actually, it's a bit more sophisticated than that -- Microsoft could remove windowsupdate.microsoft.com and still have the site work -- Windows uses a redirection off of microsoft.com to determine what the "current" Windows Update URL is.

Instead, a DDoS against microsoft.com itself would have been more effective. But Blaster was a very buggy worm in any case; a better RPC-exploit worm would have caused much more damage.

--janak

ironguy
08-17-2003, 03:15 PM
This worm did many dollars' worth of damage, regardless of the idiocy of the author and the lack of hurting MS. My company got nailed big time. We have tens of thousands of PCs. If you calculate the hours involved in cleaning out this thing, the cost would run into the millions. One of our PCs in my local work area was in the process of receiving a Windows update when the worm hit it. The PC went into continuous reboot and had to be re-imaged. All data lost.

Granted the worm didn't achieve what the author wanted it to do, but it still hurt some.

davidspalding
08-17-2003, 05:43 PM
News on Wired was that Blaster infected all of about 300,000 PCs. "That's all?," I thought. That's hardly a news item. I say the media falsely hyped this "threat" to the internet like so many before. More silicone snake oil, more hype to distract consumers from real issues in the information age.

David Prahl
08-17-2003, 06:11 PM
More silicone snake oil, more hype to distract consumers from real issues in the information age.

AMEN!

What they really should be focusing on is how EXPENSIVE, UNSTABLE, and INSECURE Windows© is. For the cost of Windows XP Pro, you can build an entire computer. I'd like to know what the profit margin is on Office XP and Windows XP.

Windows 2000, however....MMM! That's an OS! :D

Steven Cedrone
08-17-2003, 07:16 PM
What they really should be focusing on is how EXPENSIVE, UNSTABLE, and INSECURE Windows© is.

If Windows was only on 1% of the machines out there and no virus writers were bothering to target it, enthusiasts would be touting Windows as being "incredibly secure"... :wink:

Steve

Janak Parekh
08-18-2003, 01:15 AM
News on Wired was that Blaster infected all of about 300,000 PCs. "That's all?," I thought. That's hardly a news item. I say the media falsely hyped this "threat" to the internet like so many before. More silicone snake oil, more hype to distract consumers from real issues in the information age.
I suspect it's a lot more than that, actually; and it's possible many organizations didn't report infection -- it often looks bad from a PR view.

--janak

Janak Parekh
08-18-2003, 01:17 AM
What they really should be focusing on is how EXPENSIVE, UNSTABLE, and INSECURE Windows© is.
If Windows was only on 1% of the machines out there and no virus writers were bothering to target it, enthusiasts would be touting Windows as being "incredibly secure"... :wink:
Absolutely -- and yet MS can and needs to do more to prevent buffer overflows. As a fundamental concept, buffer overflows are usually engendered by lazy programming. A more proactive sweep through legacy error-prone code is in order.

The (somewhat) good news is, Microsoft has finally been listening. If you install WS2k3, you'll notice a host of new security features to lock down the server with much less work. It would have been nice if they took it seriously from day 1. Let's see what happens over the next 6-12 months...

--janak

JackTheTripper
08-18-2003, 05:05 PM
What if they used that URL on purpose, not to actually take MS down but as a warning of what could happen? What if they really didn't want to do any damage but did not know it would make some machines reboot constantly? If that didn't happen, your PC could be happily infected and you'd never know.

Just a thought.

othell
08-18-2003, 09:08 PM
A new variant of the worm actually plugs the security hole... So not all worms are bad! :roll:

Steven Cedrone
08-18-2003, 09:52 PM
A new variant of the worm actually plugs the security hole... So not all worms are bad! :roll:

The new worm exploits the DCOM RPC vulnerability described in MS03-026. This worm, called Nachi by Network Associates and Welchia by Symantec, will terminate any process named Msblast.exe and then delete the Msblast executable. It will attempt to connect to Microsoft's update site to download the MS03-026 patch, then reboot the PC. And yes, it will look for other vulnerable PCs. Details below...

http://vil.nai.com/vil/content/v_100559.htm

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Steve

Janak Parekh
08-19-2003, 12:14 AM
It's still evil, to some extent. You don't really want worms going around doing anything to your PC behind your back... OTOH, it's cool that someone got fed up with having to patch too many systems or anything. ;)

--janak

David Prahl
08-19-2003, 12:27 AM
What ever happened to all the "really bad" worms and viruses? When was the last time a major virus infected a few million computers and erased the HD?

Have all the really good virus writers grown up?

Janak Parekh
08-19-2003, 12:30 AM
Two reasons:

1. Nowadays, erasing isn't as interesting as collecting people's data;

2. By erasing the HD, you erase an infection vector for worms. In the old (floppy) days, the contents of the computer were irrelevant, as long as it was on the floppy you distributed. Today, by keeping the computer alive longer, it can infect more targets.

That said, I'm surprised someone hasn't written a truly stealthy and devious worm -- the greatest damage one could do is not erasure, but random changes (could you imagine your financials Excel spreadsheet with just a few tweaks? It's far worse than not having it at all, because you wouldn't know!). Either that, or we're all already infected... ;)

--janak

ctmagnus
08-19-2003, 05:11 AM
That said, I'm surprised someone hasn't written a truly stealthy and devious worm -- the greatest damage one could do is not erasure, but random changes. Either that, or we're all already infected... ;)

--janak

Which explains all the random garbage posted by my username at times.

(What?!? You think I'd do stuff like that? :shocked!: )

maximus
08-20-2003, 03:14 AM
Which explains all the random garbage posted by my username at times.

(What?!? You think I'd do stuff like that? :shocked!: )

He heh. Dave should add this on his pet peeves page (http://www.beauvais1.com/ppc/forum_pet_peeves.html): Users denying their own crazy posts.

Seriously, Ct, I personally find some of your posts to be very entertaining. Sometimes your posts give me chuckles during a bad office day. Keep up the good work Mr. Pocket PC Jester :p

Brad Adrian
08-20-2003, 04:04 AM
1...
2...
3. I think the antivirus software providers deserve some credit here, too, with helping stem the flow a bit. In addition, online communities are much stronger than they were even a year ago, so warnings and help get spread almost as quickly as the viruses and worms.

Dave Beauvais
08-20-2003, 04:42 AM
3. I think the antivirus software providers deserve some credit here, too, with helping stem the flow a bit. ...
Agreed. McAfee's Stinger (http://vil.nai.com/vil/stinger/) app and Symantec's FixBlast made it much easier and faster for me to remove the damned thing from clients' machines. I was faced with driving all over town to remove the thing from about thirty-five systems that had been hit with it. I copied Stinger to a location on the networks that all affected PCs could get to, patched the operating systems, and then started Stinger on each PC, moving to the next one while it was running.

Put about 125 miles on my car, though. :evil:

--Dave

ctmagnus
08-20-2003, 05:45 AM
Which explains all the random garbage posted by my username at times.

(What?!? You think I'd do stuff like that? :shocked!: )

He heh. Dave should add this on his pet peeves page (http://www.beauvais1.com/ppc/forum_pet_peeves.html): Users denying their own crazy posts.

He already has me there on an unrelated account. :mrgreen:

maximus
08-20-2003, 07:30 AM
He already has me there on an unrelated account. :mrgreen:

Yeah, the 'Currently 8 layers deep' post should be considered as 'classic'. Ha ha ha.