
W32.Blaster.Worm--Fun stuff!

Started by Chris Swingler, 2003-08-15T09:12:01-05:00 (Friday)

Chris Swingler

By now, I'm sure you've all heard about the news regarding W32.Blaster.Worm.  If you haven't updated Windows recently, it's quite likely you got infected too.  I brought my software firewall down for about 30 seconds last night--and that's all it took.  Amazing.  And since I don't have the time nor the bandwidth to run Windows Update, that's all I have to rely on.

Now, here comes the scary part.  We know that most of the students in the dorms don't have a clue on how to keep their Windows machine secure and virus/worm/etc-free.  I'm sure close to none have touched Windows Update in the entire life of their machine.  And with a worm that requires no user intervention to install (which is typical with most worms/trojans that distribute through email), it's going to be infecting a _lot_ of machines.

According to the Symantec Antivirus Research Center's security response for this worm, "The local subnet will become saturated with port 135 requests."  And it's true too.  Take a look at my firewall logs for when the worm was active (http://www.siue.edu/~chswing/msblast.log).
(I'm 67.28.38.4.  It's kind of odd that it used the IP that my ISP assigned me to do the attack on a LAN.)  Granted, even though it tried almost every possible computer on the 192.168 domain, there was only one active, at 192.168.0.27, and it's a FreeBSD box.  That's a lot of worthless packets.  Am I the only one who thinks that that may have an adverse effect on bandwidth in the dorms?  And is OIT planning on doing anything to enforce the clause in the "Policies of the Board of Trustees of SIU" that reads "The microcomputer user must be aware of computer viruses and other destructive computer programs, and take steps to avoid being either their victim or propagator by using up-to-date anti-virus software (3/13/03)."?
Christopher Swingler
CAOS Web Administrator

William Grim

I got infected too, but probably not from this virus since I didn't get an email attachment or anything.  I'm guessing my problem is an RPC assault.

What particularly makes me mad is that getting infected wasn't exactly my fault.  I had to take my system to work to get it ready for remote work, and a sticky enter key queued up some CRLFs that skipped on through and started formatting my drive that didn't need to be formatted.

So, I had to reinstall the OS at home last night and get it back up.  I was going to go to Windows Update soon after, but I realized I'd already been hit.  For one, someone tried to shut down my computer remotely, and after that, all my windows that deal with anything like "Properties" do not open.

Another thing that made me quite angry is that I tried to disable File/Printer sharing on the modem before connecting to the internet.  Now that I think about it, I disabled it on the NIC and not the modem.  So, what about MS being user-friendly?  I didn't bring the MS firewall software up because it has its own set of viruses that eat away at it.

Basically, you get a new Windows system, and you cannot connect without being infected.  Your system is now a "Trusted Computer" for virus infection.  While software recalls are not a viable option, something better needs to be done on MS' side to ensure I don't get infected before getting a chance to update my OS.  Perhaps offering even a direct-modem-dial toll-free number to do system updates would be good for home users.  I know I would have used it first.

Now I'm going to have to reinstall again, and I'm pretty pissed off.  I don't have anti-virus software, unless I can find some free demo versions.  Normally my system is up-to-date and behind my own firewall.  Plus, I don't run random crap off the Internet like lots of users do; so, a virus protection program is generally silly for me.

William Grim
IT Associate, Morgan Stanley

William Grim

One work-around to future virus infections in the dorms could be setting up our own alerts in the dorms.

I mean, it's not that viruses are any more malevolent than in the past; actually, I hear this virus is tame compared to some other recent ones, because it's supposedly poorly written, etc.

However, increasing Joe Blow's awareness of new predators on the Internet could help a lot.  Not only that, but we could put up a web site for them to go to and see how to upgrade their computer systems and hopefully prevent infection.  Also, we could place steps on the site to walk through steps to remove the infection, if that's possible.

Hmm, come to think of it, this would be a good volunteer opportunity for CAOS to give back to the community.  Not only technical people could benefit from this, but everyone on campus could.
William Grim
IT Associate, Morgan Stanley

Michael Kennedy

Quote: What particularly makes me mad is that getting infected wasn't exactly my fault.

I disagree with that statement.  I'm basically "in charge" of a great number of PCs that are owned by people who have either dialup, cable internet or have LAN access at a university.  All of the cable/LAN PCs have a hardware firewall that blocks out all of that garbage.  So, for less than $40 those people are protected.  Now, the dialup people are in a different spot, but since everyone runs Norton constantly, they've been fine.  And you STILL think running virus protection is "generally silly"?   :-)
"If it ain't busted, don't fix it" is a very sound principle and remains so despite the fact that I have slavishly ignored it all my life. --Douglas Adams, "Salmon of Doubt"

William Grim

Pretty much.  Good luck finding viruses on my computers.  Software I use comes from trusted sources, including companies and well known sites with good credibility.

I'm in charge of PCs as well, but how does me running PCs for other people relate to me?  Virus protection is good for a company, not necessarily for me.

I keep my systems well updated and haven't had a virus for years; so, yes, virus protection is generally silly.  I'm not getting my money's worth.  The ONLY reason I got this virus was from a sticky enter key formatting my hard drive by skipping through our company's tools and destroying the partition.  The only reason I'm infected is because I lost all my updates and personal protection measures I had in place.  So, yeah, it's not my fault.

I also have my own firewalls, but they are unable to be used on dialup during vacation time, away from school.
William Grim
IT Associate, Morgan Stanley

Kade P. Cole

SIUE has set up a webpage with the patches and a scanning tool that will help keep people safe. I agree that this was a Microsoft fault and good coding would have kept everyone safe. This is something to remember now in the future. You will have to keep a machine off the Internet as a whole until you have patched your machine when you first install Windows. SIUE has taken a proactive stance and tried to patch all campus machines and rid those infected machines of this worm to protect both those on campus and those that will be returning to campus. SIUE also will be educating as many students as possible to apply the patch and clean their machines before connecting them to the campus network. I hope this helps people feel safer now.

(The statements in this posting are the views of the poster and do not speak for the university or anyone other than the poster)

PS. Oh and I was safe cause I use a Mac!  :-D
Kade
--------------------------------------
Most people HAVE to use a PC.
I GET to use a MAC with OS X!

R. Andrew Lamonica

Quote: kcole wrote: PS. Oh and I was safe cause I use a Mac!  :-D

Yah, but so was my grandpa because his computer runs Windows 95.  :-P