
Problem with MS blast? 2nd round coming up NOW

Posted: 2003-09-10 03:19pm
by Faram
Okay read this: Microsoft

Same info but for non-technical people Microsoft

DL the patch now!

And spread the word.

This is no scare the threat is real and urgent.

Transformed into an announcement - Phong

Posted: 2003-09-10 03:29pm
by Vertigo1
Just incase more problems arise...
HOW TO KILL MSBLAST:

1. Click start, select Run and type in CMD and hit the enter key. You only have 60 seconds to do this. When the command prompt comes up, type in "shutdown -a" (without quotes) to abort the shutdown.

2. Hit CTRL ALT DEL and kill the MSBLAST.exe process. You can end the process by right-clicking on MSBLAST.exe and selecting "End Process".

3. Click start, click on search and select "Files or Folders". Run a search for any copies of MSBLAST on your hard drive and delete them. Empty your recycle bin.

4. Goto Windows Update and download all the critical updates.

5. Kick yourself in the balls for being a dumbfuck by not keeping your operating system up-to-date like any responsible user would.
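
The manual steps above, as an added PowerShell example that is not part of the original post. It assumes the worm is running and on disk under the name MSBLAST.exe that the post gives, and that it is run from an elevated session on the affected machine; step 4 (Windows Update) is left to the user.

```powershell
# Added example, not from the thread: automates the cleanup steps listed above.
# Assumption: the process/file name is MSBLAST.exe as stated in the post.

function Stop-PendingShutdown {
    # Step 1: abort the 60-second shutdown countdown (same as "shutdown -a").
    & shutdown.exe -a 2>$null
    return $LASTEXITCODE
}

function Stop-MsBlastProcess {
    # Step 2: end every running MSBLAST.exe process; returns how many were killed.
    $procs = @(Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)
    foreach ($p in $procs) { Stop-Process -Id $p.Id -Force }
    return $procs.Count
}

function Find-MsBlastFiles {
    # Step 3: locate copies of msblast*.exe on every local filesystem drive.
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    $hits = foreach ($d in $drives) {
        Get-ChildItem -Path $d.Root -Recurse -Force -Filter 'msblast*.exe' -ErrorAction SilentlyContinue
    }
    return @($hits)
}

function Remove-MsBlastFiles {
    # Deletes the copies found; -WhatIf only lists what would be removed.
    param([switch]$WhatIf)
    $files = Find-MsBlastFiles
    foreach ($f in $files) {
        Remove-Item -LiteralPath $f.FullName -Force -WhatIf:$WhatIf
    }
    return @($files | ForEach-Object { $_.FullName })
}

Stop-PendingShutdown | Out-Null
"Processes killed: $(Stop-MsBlastProcess)"
"Files found: " + ((Remove-MsBlastFiles -WhatIf) -join ', ')
# Step 4: run Windows Update and install every critical update before reconnecting.
```

Run it once with -WhatIf (as written) to see the hits, then without it to delete them. Killing the process and deleting the file does not undo any autostart entry the malware may have added; a practitioner would also review the Run keys under HKLM and HKCU Software\Microsoft\Windows\CurrentVersion before trusting the machine.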

Posted: 2003-09-10 03:33pm
by Faram
Sorry for the misleading title.

This is the same attack type as MSblast used, but through a new vector.

The old patch for MSblast doesn't help against this one. A firewall or router that is correctly configured helps, but get the patch anyway.

More info from Yahoo:
Microsoft Admits New Windows Problem

By TED BRIDIS, AP Technology Writer

WASHINGTON - Just moments before a top Microsoft executive told Congress about efforts to improve security, the company warned customers Wednesday of serious new flaws that leave its flagship Windows software vulnerable to Internet attacks remarkably similar to the Blaster virus that infected hundreds of millions of computers last month.

Microsoft urged customers to immediately apply a free repairing patch from its Web site, www.microsoft.com. It cautioned that hackers could seize complete control over a victim's computer by attacking these flaws, which affect Windows technology that allows computers to communicate with others across a network.

Outside experts said the new flaws were nearly identical to problems that were exploited by the so-called Blaster infection, which spread last month with devastating damage. Computer users who applied an earlier patch in July to protect themselves still must install the new patch from Microsoft.

"They're as close as you can be without being the same," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., one of three research groups credited with discovering the new problems. "It's definitely a big oversight on Microsoft's part that they missed these."

The embarrassing disclosure by Microsoft came just moments before its senior security strategist, Phil Reitinger, told lawmakers on the House Government Reform technology subcommittee about the company's efforts to help consumers defend themselves against viruses and other Internet attacks.

"Microsoft is committed to continuing to strengthen our software to make it less vulnerable to attack," said Reitinger, a former deputy chief in the Justice Department's cybercrime division. Still, he acknowledged, "There is no such thing as completely secure software."

The July announcement from Microsoft about the earlier software flaw in the same Windows technology was deemed so serious it prompted separate warnings from the FBI and Department of Homeland Security. Roughly three weeks later, unidentified hackers unleashed the earliest version of the Blaster infection.

Posted: 2003-09-10 05:02pm
by EmperorMing
Jesus fucking christ!!! :evil: :evil:

Here we go again.

Since I work on a helpdesk, you can imagine why I am sooooooo upset at this.

Posted: 2003-09-10 05:13pm
by Einhander Sn0m4n
Why do I get the feeling there's gonna be a third, fourth, and fifth iteration of this shit?

IMHO Round 2 is worse, it doesn't kill your machine outright, it can run any code whoever's holding the other end of the stick wants!

Posted: 2003-09-10 05:53pm
by Vendetta
Now would be a good idea to go to GRC and run the DCOMbobulator.

The Distributed Component Object Model is the actual component of windows that these exploits target. (The Remote Procedure call is just the interface that allows the attacker to access DCOM and cause a buffer overrun in it)

Guess what? Nothing you have uses DCOM, it's a Microsoft Me-Too-Ware version of CORBA. Unless you're running network-aware programs that you've had custom written to use DCOM, you don't need it.

In fact, the only publicly released code that's ever used it is W32.Blaster.Worm.

Microsoft have handily given you this component, handily given it to you in an Always-on state, handily presented an internet interface to it in the form of the Remote Procedure Call service, and handily left in several critical vulnerabilities. As you may have recently found out.

They also provide a handy way to turn off Universal Plug and Play. Which is also something you don't need and will never use, (it's nothing to do with ordinary Plug and Play), which is also handily packaged in an always-on state, and is always listening on Port 5000 for TCP connections and Port 1900 for UDP connections. Are you running an internet server? If not, turn this fucker off as well, before someone does find and exploit a gaping hole in it.

Posted: 2003-09-10 05:55pm
by Vendetta
EmperorMing wrote:Jesus fucking christ!!! :evil: :evil:

Here we go again.

Since I work on a helpdesk, you can imagine why I am sooooooo upset at this.
So do I.

For the Public.

All of them.

(at least those in the UK who bought a PC from the largest electrical chain in the country).

Man the trenches!

Posted: 2003-09-10 06:36pm
by DarthBlight
ok, patch d/led, installed, computer restarted. Let's hope that does it. x_x

Posted: 2003-09-10 11:51pm
by EmperorMing
Vendetta wrote:
EmperorMing wrote:Jesus fucking christ!!! :evil: :evil:

Here we go again.

Since I work on a helpdesk, you can imagine why I am sooooooo upset at this.
So do I.

For the Public.

All of them.

(at least those in the UK who bought a PC from the largest electrical chain in the country).

Man the trenches!
I do corporate helpdesk and have seen *several* networks trashed because of this shit. Accordingly, my stress level has gone up... :evil:

Posted: 2003-09-10 11:53pm
by EmperorMing
And then you wonder why I still run 98SE... :wink:

Posted: 2003-09-11 01:24am
by Vertigo1
Vendetta, I can't believe any self-respecting techie actually pimped Steve Gibson's paranoia-inducing garbage. Don't bother running his useless programs. Just kill the unnecessary services and be done with it.

http://www.blkviper.com/WinXP/servicecfg.htm

I used a modified version of the "Safe" config and even that saved me about 40MB of RAM. While you're at it, you can kill ActiveDesktop by running MMC and plug yet another security hole just WAITING to be exploited.

That being said, DON'T RUN YOUR OS WITH YOUR ADMINISTRATOR ACCOUNT! Create a Power User account and use that instead!
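
A read-only check for the exposure Vendetta and Vertigo1 are arguing about, as an added example that is not part of either post. It reports the EnableDCOM registry value (the switch DCOMbobulator flips), the state of the two UPnP-related services, whether TCP 5000 and UDP 1900 are bound, and whether the current session holds Administrator rights. It assumes Windows 8 / Server 2012 or later for the Get-Net* cmdlets and PowerShell 5 or later for the StartType property.

```powershell
# Added example, not from the thread: reports DCOM/UPnP exposure and account rights.
# Assumptions: NetTCPIP cmdlets available (Win8+/2012+); service names SSDPSRV and
# upnphost are the UPnP services on Windows; HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
# holds 'Y' (enabled, the default) or 'N' (disabled).

function Get-DcomState {
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'unknown' }
    return $v.EnableDCOM
}

function Get-UpnpServiceState {
    # SSDPSRV = SSDP Discovery (UDP 1900), upnphost = UPnP Device Host
    Get-Service -Name 'SSDPSRV', 'upnphost' -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

function Get-UpnpListeners {
    # The two ports Vendetta names; true means something is bound to them.
    $tcp = @(Get-NetTCPConnection -LocalPort 5000 -State Listen -ErrorAction SilentlyContinue)
    $udp = @(Get-NetUDPEndpoint -LocalPort 1900 -ErrorAction SilentlyContinue)
    return [pscustomobject]@{ Tcp5000Listening = ($tcp.Count -gt 0); Udp1900Bound = ($udp.Count -gt 0) }
}

function Test-IsAdminSession {
    # True when the token running this script is in the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ExposureReport {
    [pscustomobject]@{
        DcomEnabled    = (Get-DcomState)
        UpnpServices   = (Get-UpnpServiceState)
        Listeners      = (Get-UpnpListeners)
        RunningAsAdmin = (Test-IsAdminSession)
    }
}

Get-ExposureReport | Format-List
```

The script changes nothing. To act on it, the UPnP services can be stopped and disabled with Set-Service -StartupType Disabled plus Stop-Service, and setting EnableDCOM to 'N' takes effect after a reboot; whichever route is chosen, the patch is still required, because the firewall/service changes only reduce exposure on the ports that happen to be blocked.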

Posted: 2003-09-11 02:58pm
by Vendetta
Whether you agree with the spin he puts on things or not, the fact remains that a lot of these components, like DCOM, should not be enabled by default, because they only provide any functionality to people who specifically write for them, and for the rest of the world, they just provide security messes.

Windows is a leaky bucket because the default configuration enables so much of this shit, which 99% of Windows users will never use, knowingly or unknowingly, either automatically, or on request.

Posted: 2003-09-19 12:29am
by Uraniun235
Patched on Sept. 10. 8)

Posted: 2003-09-21 01:35am
by TrailerParkJawa
It is funny, since I've been unemployed I don't keep up on the viruses. I keep my OS updated and firewalled. However, last week I spent 2 days straight helping a company patch, fix, and update remote users' laptops after the Welchia virus ran rampant on the corporate network.

After Nimda kicked my company's ass a year or two ago, I said never again. Even if it means I spend most of my time updating machines at work. I worked way too many hours that week. At least I was hourly.

Posted: 2003-09-21 02:54am
by phongn
Hrm. Well, today we have tools like SUS which greatly speed up deployment of patches.

Posted: 2003-09-21 01:05pm
by TrailerParkJawa
phongn wrote:Hrm. Well, today we have tools like SUS which greatly speed up deployment of patches.
Got any links for SUS? I'd like to automate anything I can. Although if it costs money, the business climate is such out here that no spending is approved.

Penny wise and pound foolish is quite common when it comes to IT budgets.

Posted: 2003-09-21 01:10pm
by Faram
TrailerParkJawa wrote:Got any links for SUS? I'd like to automate anything I can. Although if it costs money, the business climate is such out here that no spending is approved.

Penny wise and pound foolish is quite common when it comes to IT budgets.
It is a part of SMS server 2.0

Posted: 2003-09-21 01:47pm
by TrailerParkJawa
Faram wrote: It is a part of SMS server 2.0
Thanks guys. SUS also looks like it can be downloaded by itself from the Microsoft website, although it will not work with NT. The OS distribution at my last company was 25% Win98, 50% NT, 25% 2000, and no XP, so while it would have helped a bit, manual intervention would still be required. Or a purchase of a more complete system (SMS) would have been required.

Posted: 2003-09-21 02:08pm
by phongn
You could deploy a Group Policy login script that automatically runs patches in 'quiet mode' in the background.
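
A script of the kind phongn describes, as an added example that is not part of his post. It installs a hotfix package silently if the machine does not already report that KB as installed and records the outcome on a share. The KB number, the UNC path of the package and the log share are placeholders, not values from the thread; the /quiet and /norestart switches are those of Microsoft's update.exe-based hotfix packages.

```powershell
# Added example, not from the thread: a Group Policy startup/login script that
# applies a hotfix in quiet mode if it is missing.
# Placeholders (assumptions, replace before use): $KbId, $Installer, $LogDir.
param(
    [string]$KbId      = 'KB000000',                  # placeholder KB article ID of the patch
    [string]$Installer = '\\server\patches\patch.exe', # placeholder UNC path to the package
    [string]$LogDir    = '\\server\patches\logs'       # placeholder share for per-host results
)

function Test-HotfixInstalled {
    # Get-HotFix reads the same installed-update records Windows Update uses.
    param([string]$Id)
    return $null -ne (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Install-HotfixQuiet {
    # Returns a short status word so the caller (or the log) can see what happened.
    param([string]$Id, [string]$Path)
    if (Test-HotfixInstalled -Id $Id) { return 'already-installed' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'package-missing' }
    $proc = Start-Process -FilePath $Path -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'installed' }
        3010    { return 'installed-reboot-pending' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { return "failed-$($proc.ExitCode)" }
    }
}

function Write-Result {
    # One line per host per run, appended to the share; failures are kept, not hidden.
    param([string]$Id, [string]$Status, [string]$Dir)
    $line = '{0}`t{1}`t{2}`t{3}' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Id, $Status
    $file = Join-Path $Dir ('{0}.log' -f $env:COMPUTERNAME)
    Add-Content -LiteralPath $file -Value $line -ErrorAction SilentlyContinue
    return $line
}

$status = Install-HotfixQuiet -Id $KbId -Path $Installer
Write-Result -Id $KbId -Status $status -Dir $LogDir
```

Deploy it as a Computer Configuration startup script rather than a user login script: startup scripts run as LocalSystem, so the install succeeds even on machines where users are not administrators (which, as Vertigo1 says above, they should not be), and the share only needs to grant write access to the computer accounts.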

Posted: 2003-09-21 02:16pm
by TrailerParkJawa
phongn wrote:You could deploy a Group Policy login script that automatically runs patches in 'quiet mode' in the background.
I'd need to know how to do that! :lol: Seriously though, I know how to set up login scripts from the NT server; forgive me, but isn't a Group Policy login script part of an AD domain? Or does that option exist in an NT domain as well?

We pushed out Norton updates from Norton Server that were invisible to the user, as well as installing the help desk inventory/tracking software in quiet mode. But critical updates were done by hand. Basically every machine I touched for the day, for whatever reason, had critical updates run.

Posted: 2003-09-21 04:53pm
by phongn
IIRC, NT has group policies as well? I seem to remember that you could set security policies and login scripts via NT Server. There's also the AD client that you can install on NT4, IIRC.

Would it be possible for your team to get a license for Ghost Enterprise and push images out over the network?

Posted: 2003-09-21 05:43pm
by TrailerParkJawa
phongn wrote:IIRC, NT has group policies as well? I seem to remember that you could set security policies and login scripts via NT Server. There's also the AD client that you can install on NT4, IIRC.

Would it be possible for your team to get a license for Ghost Enterprise and push images out over the network?
I don't have a regular job anymore. I was laid off last October. I just use my previous regular job as an example. No, they would not go for a Ghost Enterprise license. Especially after I found a closet full of Ghost Personal Edition CDs. I built a .gho library for all our Dells but had to ghost machines one at a time. Enterprise edition just rocks, doesn't it?

Even if we had a license for Enterprise, pushing out images would only be useful if the user wanted their machine done clean. Far too many of them had lots of files or custom installs.

I'll dig out my NT Server book and look up group policies. I was the Desktop/Telecom guy at my last place. The Servers and Network were taken care of someone else.

Posted: 2003-09-22 01:11pm
by fgalkin2
Good thing I use Win 98. :P

Have a very nice day.
-fgalkin

Posted: 2003-09-26 08:38pm
by phongn
TrailerParkJawa wrote:I don't have a regular job anymore. I was laid off last October. I just use my previous regular job as an example. No, they would not go for a Ghost Enterprise license. Especially after I found a closet full of Ghost Personal Edition CDs. I built a .gho library for all our Dells but had to ghost machines one at a time. Enterprise edition just rocks, doesn't it?
From what I hear, Ghost EE is quite good, but I've never used it. However, I know a bunch of universities and schools use it to deploy images to fix computers - hell, some do it nightly or weekly to make sure that nothing's messed up on it.
Even if we had a license for Enterprise, pushing out images would only be useful if the user wanted their machine done clean. Far too many of them had lots of files or custom installs.
What? No offense, but shouldn't the workplace have as much of a homogeneous setup as possible?

Also...De-Announcing thread

Posted: 2003-09-26 08:52pm
by TrailerParkJawa
phongn wrote: From what I hear, Ghost EE is quite good, but I've never used it. However, I know a bunch of universities and schools use it to deploy images to fix computers - hell, some do it nightly or weekly to make sure that nothing's messed up on it.
I've used EE to help someone roll out 200 new computers with XP. It was great, we could image 16 machines at a time in 3-4 minutes.
What? No offense, but shouldn't the workplace have as much of a homogeneous setup as possible?

Also...De-Announcing thread
I totally agree. The computer fleet should be as homogeneous as possible. However, it is not uncommon in many companies for the IT dept to be underfunded and unsupported. Underfunded was not the issue for the first year in my last job. The issue then was growth problems related to being a small company and a CEO who wanted us to focus on customer service and not the integrity of the network.

The arrival of the Nimda virus helped us gain some control we should have had since the start. Also, 12 months of constant downsizing allowed us to spend the proper amount of time focusing on the network and not helping people with their Favorites folder.