A war of the worms is being waged on computers, as a newly released beast attempts to slither into unprotected systems and pluck last week's worm from infected machines.
After removing its predecessor MSBlaster, the new worm, which -- just to add to the confusion -- has been dubbed WORM_MSBLAST.D, Nachi and Welchia by various security and antivirus firms, then politely patches the machine against the vulnerability that MSBlaster exploited.
Despite the worm's seemingly helpful nature, some security experts are not amused.
"Presumably this was a well-intentioned action, but where does it all end?" wondered Mike Fergamo, a systems administrator. "Next week will we have an antiworm for the antiworm's antiworm?"
But some users welcomed the worm.
"My computer hasn't been right since it was infected last week," said Nadine Lovell, a Manhattan textile designer. "This afternoon it's working perfectly again."
A scan of Lovell's system confirmed her machine had indeed been infected with the new Blaster variant.
"Thank you, worm!" said Lovell.
Despite solving the woes of some worm-infested computers, AntiMSBlaster is not benign, experts warn.
A significant spike in worm-generated Internet traffic was reported late Monday, resulting in much the same effect on networks as the original MSBlaster worm had.
"Some may call this a good worm, but it can cause all sorts of problems when patches are applied to a computer unbeknownst to the administrator of a network or the owner of that computer," said Ken Dunham, malicious code intelligence manager for iDefense.
Dunham also warned that the new variant of MSBlaster could leave computers open to possible hack attacks down the line.
Some security experts were puzzled as to why users couldn't seem to deworm their own machines. MSBlaster is not especially difficult to remove.
But some users said that it was difficult to find any understandable information about removing MSBlaster.
"These virus and worm removal advice I see are obviously written by nerds for nerds," said Paul Pacifico, a beauty supply salesman in Brooklyn. "Most of the time I can't ever figure out what the hell they're on about."
Pacifico also said his computer was running perfectly today, and a scan shows that it, too, was infected with the new worm.
"Between the blackout and last week's worm attack, my computer was in rough shape," Pacifico said. "Now, it's apparently been healed. This worm works better than Windows Update does. It just showed up and dealt with the problem, no muss no fuss."
The AntiMSBlaster worm arrives the same way that MSBlaster did, through a network connection instead of as an e-mail attachment. It only affects Windows 2000 and Windows XP computers, and possibly Windows 2003 servers, that have not been patched for the RPC DCOM buffer overflow security flaw.
According to analysis by Trend Micro, AntiMSBlaster contains the following text strings in its code.
"I love my wife & baby ~~~ Welcome Chian~~~ Notice: 2004 will remove myself:-)~~ sorry zhongli~~~=========== wins"
The original version of Blaster contained this message:
"I just want to say LOVE YOU SAN!! billy gates why do you make this possible? Stop making money and fix your software!!"
MSBlaster first appeared Aug. 11. By Aug. 15 the worm had spread to more than 423,000 systems, according to Symantec's statistics.
It was a particularly annoying worm, because it often caused infected machines to reboot incessantly.
MSBlaster had also been programmed to use the infected computers to launch a denial-of-service attack against Microsoft's Windows Update website on Aug. 16. The site is used by millions of Microsoft customers each week to update their computers with the latest patches.
But Blaster's creator made a mistake. The URL specified in the worm's code, windowsupdate.com, only forwards users to the actual Windows update site, which is windowsupdate.microsoft.com.
On Aug. 14, Microsoft pulled the windowsupdate.com domain name offline, effectively blocking the attack, which could have taken down its security update site.
MSBlaster did cause some damage. Maryland's motor vehicle agency was forced to close for the day after the worm invaded agency computers, and some Swedish Internet users reported problems with their service on Tuesday night.
Others, like Florida's Orange County Sheriff's Office, opted to shut down their networks to protect their computers, according to a report by Local6.com and the Associated Press.
Orange County Sheriff's Office spokesman Perry Pierce told reporters about signs that "the worm was creeping into the network, and if the terminals remained on, the worm could have worked computer chaos.... It would have been a month before our guys could repair and clean all of the PCs in the sheriff's office."
"Basic computer maintenance can go a long way toward preventing such last-minute pull-the-plug hysteria," said systems administrator Fergamo. "But it's obvious Microsoft needs to figure out better ways to inform their users of problems and deliver these patches."
Some users complain that every time they visit the Windows update site, they are confronted with a cavalcade of patches and updates.
"I check Windows Update every couple of weeks," said Chicago art director Neil Golen. "And there's always a couple of dozen huge files that they want me to download. Can't they just have a special emergency section for the truly essential stuff?"
Stephen Toulouse, a security program manager with Microsoft, said the company is working on better ways to deliver patches and security information.
Last week Microsoft published a seemingly clear explanation of how computer users could protect themselves from MSBlaster on the front page of Microsoft.com.
"Hard to miss it, and it's worded in such a way that it should be totally understandable," said network administrator Jeff Godell of the new Microsoft warning.
"But I actually had one of our secretaries tell me today, after I warned the staff about this antiworm, that she'd rather let the new worm fix her home machine than to 'have to fuss with all this security stuff.'"
"I didn't know whether to laugh or cry," confessed Godell.
The AntiMSBlaster worm will remove itself from computers in early 2004.
Hopefully by then most Windows 2000 and XP users will have actually gotten around to patching their machines.
Are you a Good or Bad Worm?
http://www.wired.com/news/infostructure ... 81,00.html
That's the wrong way to tickle Mary, that's the wrong way to kiss!
Don't you know that, over here lad, they like it best like this!
Hooray, pour les français! Farewell, Angleterre!
We didn't know how to tickle Mary, but we learnt how, over there!