Computer Security - Usenet weather phenomenon - the worm and the fool
#1

Isn't this beautiful ?

One in two threads in this NG since 11/08 has to do with one of Usenet's most ridiculous persons, the infamous hunter of all hackers, the fruitcake avenger, Debbie the Tracker-whacker. Meanwhile, a big worm has gone wild and approximately 188,000 (today's estimate) computers have been hit by the Blaster worm and in this NG there is only ONE (1) thread for this subject. Come on people, am I the only individual who is annoyed by this picture ?

O.K. so I've also flamed this delusional whacko in the past like other people do. I've also made fun of this person's writings when I should ignore them instead. I've stopped though, and I think it's one easy thing to do. Is it so hard to stop feeding the seasonal trolls ? One warning should be enough, there's really no need for additional comments, corrections or remarks.

I am bringing this up out of respect to people like Don, Jim, Lord Shaolin and a few others who are the reasons I lurk here. In an attempt to raise the level of the group a little bit, what do you think of the worm so far ? What are your experiences for the past few days ? Do you think the net was more prepared this time or M$ lost more customers with this ?

--
__________________________________________________ __
\___fwtis AT cha /__ / ACK and thou_______/
\______DOT forthnet / / shall receive_____/
\____DOT gr /_/ RLU#306453______/

toro

#2

toro <> randomly produced:
:: Isn't this beautiful ?
::
:: One in two threads in this NG since 11/08 has to do with one of
:: Usenet's most ridiculous persons, the infamous hunter of all hackers,
:: the fruitcake avenger, Debbie the Tracker-whacker. Meanwhile, a big
:: worm has gone wild and approximately 188,000 (today's estimate)
:: computers have been hit by the Blaster worm and in this NG there is
:: only ONE (1) thread for this subject. Come on people, am I the only
:: individual who is annoyed by this picture ?
::

I agree. KF the trolls don't feed them but well people just don't learn.

If you follow my habits you'll probably be aware of where I reside now

Full worm info here:
http://www.security-forums.com/forum...pic.php?t=7474

Discussion here:
http://www.security-forums.com/forum...pic.php?t=7266 (With Snort sig) &
http://www.security-forums.com/forum...pic.php?t=7105

Analysis of the exploit here:
http://www.security-forums.com/forum...pic.php?t=7341

As for the worm?

I think it's a badly coded kiddy attempt at something that could have easily overtaken everything that has EVER been before.

It doesn't patch nor disable the exploitable calls nor block the port nor disable DCOM. The effect being that once a machine is exploited, it will exploit those in its local subnet (40% of the time) thus it will keep getting re-infected and will keep crashing.

This means any machine vulnerable to this worm within a couple of minutes of being online will just constantly crash. This in itself will prompt people to find out WTF is wrong with their machine and fix it. Especially with XP as the default behaviour is for it to shutdown in 60 seconds.

It wouldn't have been hard to make this worm fairly silent.

How many machines do you think will be stable enough and still unpatched by the 16th? Not many..

Just my 2c

ST

--
..: http://www.security-forums.com :.
Share your knowledge It's a way to achieve Immortality.

Lord Shaolin

#3

On Wed, 13 Aug 2003 17:53:53 +0100, Lord Shaolin wrote:
>
> I agree. KF the trolls don't feed them but well people just don't learn.

I mentioned that awhile back and a very good point was brought to my attention. Someone has to warn the newbie about Tracker.

Toro is correct, one newbie warning followup and let it go.

Bit Twister

#4

toro <> wrote in news:::
> Isn't this beautiful ?
>
> One in two threads in this NG since 11/08 has to do with one of
> Usenet's most ridiculous persons, the infamous hunter of all hackers,
> the fruitcake avenger, Debbie the Tracker-whacker. Meanwhile, a big
> worm has gone wild and aproximately 188,000 (today's estimate)
> computers have been hit by the Blaster worm and in this NG there is
> only ONE (1) thread for this subject. Come on people, am I the only
> individual who is annoyed by this picture ?

Traffic as a whole seems to be down in this newsgroup over say, a year ago. Is that my perception only?

>
> O.K. so I've also flamed this delusional whacko in the past like other
> people do. I've also made fun of this person's writings when I should
> ignore them instead. I've stopped though, and I think it's one easy
> thing to do. Is it so hard to stop feeding the seasonal trolls ? One
> warning should be enough, there's really no need for additional
> comments, corrections or remarks.

I've always wondered why Debbie inspires such a rush of hatred here. Aside from the fact that she may actually mislead somebody, she seems harmless enough and is actually kind of humorous in an offbeat, twisted way.

>
> I am bringing this up out of respect to people like Don, Jim, Lord
> Shaolin and a few others who are the reasons I lurk here. In an
> attempt to raise the level of the group a little bit, what do you
> think of the worm so far ? What are your experiences for the past few
> days ? Do you think the net was more prepared this time or M$ lost
> more customers with this ?
>
> --

For once, it's actually GOOD to be running Win9x rather than any of the NT flavors, which I am so often told are "so much better as far as security." HAH!

I went to Windows Update yesterday (not for this purpose, but just to see if anything new was released for ME) and it worked, but was it ever slow!

Still, no complacency here. I defined new rules in Kerio yesterday specifically blocking ports 135 - 139, 445 & 593, both directions. That in addition to the already existing rules blocking RPCSS.EXE and DCOM.EXE. I can't see how it hurts anything, so why not?

Funny - I remember people in different places saying that these are fairly harmless programs and not to worry about them. I was even called paranoid by a few because I blocked them. Well, where Microsoft is concerned, paranoia is a healthy thing, it seems.

Now, I'm being taken to task (elsewhere) for even suggesting that Windows Media Player 9 should be avoided, and .wma type files as well, because the potential for TCPA and Palladium type behavior is built into them. If anybody really understands what Microsoft's goal is, they wouldn't have any trouble believing any of this.

donut

#5

donut <> randomly produced:
::
:: Still, no complacency here. I defined new rules in Kerio yesterday
:: specifically blocking ports 135 - 139, 445 & 593, both directions.
:: That in addition to the already existing rules blocking RPCSS.EXE
:: and DCOM.EXE. I can't see how it hurts anything, so why not?

Actually you are going about this the wrong way. As someone recently called it "Shaolin's Firewall Mantra"

"Block everything apart from what you explicitly require."

You should have a rule at the bottom, block everything, all protocols, all ports in all directions and LOG it.

Everything else you should allow on a per application basis for only the ports and IP addresses it requires, e.g. port 53 only to your primary and secondary DNS servers, your mail client only to port 110 for POP on your mail server, 25 on your SMTP server, 119 to your news server etc etc.

HTH

Shaolin

--
..: http://www.security-forums.com :.
Share your knowledge It's a way to achieve Immortality.

Lord Shaolin
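
A small model of the two rule layouts discussed in posts #4 and #5, as an added example that is not part of the original thread: a list made only of the named port blocks versus per-application allows with a block-and-log rule at the bottom. It matches on application, remote address and port only; the application names, the 192.0.2.x addresses and the pass-through of unmatched traffic are assumptions of this sketch, not Kerio behaviour.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                                # "allow" or "block"
    app: Optional[str] = None                  # None = any application
    ports: Optional[Tuple[int, ...]] = None    # None = any port
    remotes: Optional[Tuple[str, ...]] = None  # None = any remote address
    log: bool = False

    def matches(self, app, remote, port):
        return ((self.app is None or self.app == app)
                and (self.ports is None or port in self.ports)
                and (self.remotes is None or remote in self.remotes))

def evaluate(rules, conn, log):
    """Return the action of the first rule matching conn=(app, remote, port)."""
    for rule in rules:
        if rule.matches(*conn):
            if rule.log:
                log.append((rule.action,) + conn)
            return rule.action
    return "allow"  # assumption of this model: unmatched traffic passes

# Ruleset A: only the port blocks named in the thread, nothing underneath.
PORT_BLOCKS = [Rule("block", ports=tuple(range(135, 140)) + (445, 593))]

# Ruleset B: per-application allows, then block-everything-and-log at the bottom.
# Application names and 192.0.2.x server addresses are constructed placeholders.
DEFAULT_DENY = [
    Rule("allow", app="resolver", ports=(53,), remotes=("192.0.2.53", "192.0.2.54")),
    Rule("allow", app="mailclient", ports=(110,), remotes=("192.0.2.110",)),
    Rule("allow", app="mailclient", ports=(25,), remotes=("192.0.2.25",)),
    Rule("allow", app="newsreader", ports=(119,), remotes=("192.0.2.119",)),
    Rule("block", log=True),
]

# Constructed sample connections: (application, remote address, port).
SAMPLE = [
    ("mailclient", "192.0.2.110", 110),     # expected mail traffic
    ("mailclient", "198.51.100.7", 25),     # mail client, unlisted SMTP server
    ("unknown.exe", "198.51.100.7", 8080),  # unlisted program and port
    ("unknown.exe", "198.51.100.7", 135),   # port covered by the block list
]

def compare(conns):
    """Evaluate each connection under both rulesets; collect bottom-rule log entries."""
    log = []
    rows = [(c, evaluate(PORT_BLOCKS, c, []), evaluate(DEFAULT_DENY, c, log)) for c in conns]
    return rows, log

if __name__ == "__main__":
    rows, log = compare(SAMPLE)
    for conn, a, b in rows:
        print(f"{conn!s:45} port-blocks={a:5} default-deny={b}")
    print("logged by bottom rule:", log)
```

The log entries produced by the bottom rule are the part worth reading afterwards: they list every program and destination that no allow rule anticipated.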

#6

"donut" <> wrote in message news:Xns93D67CF55B712donut@216.102.43.227...
> toro <> wrote in
> news::
> <snip>
> If anybody really understands what Microsoft's goal is, they wouldn't have
> any trouble believing any of this.

May I ask you to expand on "Microsoft's goal"?

TIA
Caz

Caz

#7

"Lord Shaolin" <abuse@127.0.0.1> wrote in news:gxy_a.3289$:
> You should have a rule at the bottom, block everything, all protocols,
> all ports in all directions and LOG it.

Of course I have such a rule.

donut

#8

"Caz" <nospam@allthanx> wrote in news:::
> May I ask you to expand on "Microsoft's goal"?

Read this:

http://www.againsttcpa.com/tcpa-faq-en.html

Does any of this come as a surprise?

donut

#9

On Wed, 13 Aug 2003 17:53:53 +0100, "Lord Shaolin" <abuse@127.0.0.1> wrote:
>If you follow my habits you'll probably be aware of where I reside now

Believe me, I'm glad I do

>As for the worm?
>
>I think it's a badly coded kiddy attempt at something that could have easily
>overtaken everything that has EVER been before.

I agree. I expected more damage from a worm that exploits a vulnerability present in all Windows platforms, and the construction/effects of which had been discussed so intensely for the past weeks. I had tested the exploit when it was first published against my own machines, and the results are identical. IMHO it looks as if somebody packed the published exploit in a worm costume and released it into the public, just to satisfy the demanding need for this worm.

>Especially with XP as the default behaviour is for it to shutdown in 60
>seconds.

Oh, you mean that I'm not accidentally shutting them off each time ? Thanks, now I know I'm not clumsy

--
__________________________________________________ __
\___fwtis AT cha /__ / ACK and thou_______/
\______DOT forthnet / / shall receive_____/
\____DOT gr /_/ RLU#306453______/

toro