Usenet weather phenomenon - the worm and the fool

Discussion in 'Computer Security' started by toro, Aug 13, 2003.

  1. toro

    toro Guest

    Isn't this beautiful ?

    One in two threads in this NG since 11/08 has to do with one of
    Usenet's most ridiculous persons, the infamous hunter of all hackers,
    the fruitcake avenger, Debbie the Tracker-whacker. Meanwhile, a big
    worm has gone wild and approximately 188,000 (today's estimate)
    computers have been hit by the Blaster worm and in this NG there is
    only ONE (1) thread for this subject. Come on people, am I the only
    individual who is annoyed by this picture ?

    O.K. so I've also flamed this delusional whacko in the past like other
    people do. I've also made fun of this person's writings when I should
    ignore them instead. I've stopped though, and I think it's one easy
    thing to do. Is it so hard to stop feeding the seasonal trolls ? One
    warning should be enough, there's really no need for additional
    comments, corrections or remarks.

    I am bringing this up out of respect to people like Don, Jim, Lord
    Shaolin and a few others who are the reasons I lurk here. In an
    attempt to raise the level of the group a little bit, what do you
    think of the worm so far ? What are your experiences for the past few
    days ? Do you think the net was more prepared this time or M$ lost
    more customers with this ?

    --
    ____________________________________________________
    \___fwtis AT cha /__ / ACK and thou_______/
    \______DOT forthnet / / shall receive_____/
    \____DOT gr /_/ RLU#306453______/
    toro, Aug 13, 2003
    #1

  2. toro

    Lord Shaolin Guest

    toro <> randomly produced:

    :: Isn't this beautiful ?
    ::
    :: One in two threads in this NG since 11/08 has to do with one of
    :: Usenet's most ridiculous persons, the infamous hunter of all hackers,
    :: the fruitcake avenger, Debbie the Tracker-whacker. Meanwhile, a big
    :: worm has gone wild and approximately 188,000 (today's estimate)
    :: computers have been hit by the Blaster worm and in this NG there is
    :: only ONE (1) thread for this subject. Come on people, am I the only
    :: individual who is annoyed by this picture ?
    ::

    I agree. KF the trolls don't feed them but well people just don't learn.

    If you follow my habits you'll probably be aware of where I reside now :)

    Full worm info here:

    http://www.security-forums.com/forum/viewtopic.php?t=7474

    Discussion here:

    http://www.security-forums.com/forum/viewtopic.php?t=7266 (With Snort sig)

    &

    http://www.security-forums.com/forum/viewtopic.php?t=7105


    Analysis of the exploit here:

    http://www.security-forums.com/forum/viewtopic.php?t=7341

    As for the worm?

    I think it's a badly coded kiddy attempt at something that could have easily
    overtaken everything that has EVER been before.

    It doesn't patch nor disable the exploitable calls nor block the port nor
    disable DCOM.

    The effect being that once a machine is exploited, it will exploit those in
    its local subnet (40% of the time) thus it will keep getting re-infected
    and will keep crashing.

    This means any machine vulnerable to this worm within a couple of minutes of
    being online will just constantly crash.

    This in itself will prompt people to find out WTF is wrong with their
    machine and fix it.

    Especially with XP as the default behaviour is for it to shut down in 60
    seconds.

    It wouldn't have been hard to make this worm fairly silent.

    How many machines do you think will be stable enough and still unpatched by
    the 16th? Not many..

    Just my 2c :)

    ST

    --


    ..: http://www.security-forums.com :.

    Share your knowledge
    It's a way to achieve
    Immortality.
    Lord Shaolin, Aug 13, 2003
    #2

  3. toro

    Bit Twister Guest

    On Wed, 13 Aug 2003 17:53:53 +0100, Lord Shaolin wrote:
    >
    > I agree. KF the trolls don't feed them but well people just don't learn.


    I mentioned that awhile back and a very good point was brought to my
    attention. Someone has to warn the newbie about Tracker.

    Toro is correct, one newbie warning followup and let it go.
    Bit Twister, Aug 13, 2003
    #3
  4. toro

    donut Guest

    toro <> wrote in
    news::

    > Isn't this beautiful ?
    >
    > One in two threads in this NG since 11/08 has to do with one of
    > Usenet's most ridiculous persons, the infamous hunter of all hackers,
    > the fruitcake avenger, Debbie the Tracker-whacker. Meanwhile, a big
    > worm has gone wild and approximately 188,000 (today's estimate)
    > computers have been hit by the Blaster worm and in this NG there is
    > only ONE (1) thread for this subject. Come on people, am I the only
    > individual who is annoyed by this picture ?


    Traffic as a whole seems to be down in this newsgroup over say, a year ago.
    Is that my perception only?

    >
    > O.K. so I've also flamed this delusional whacko in the past like other
    > people do. I've also made fun of this person's writings when I should
    > ignore them instead. I've stopped though, and I think it's one easy
    > thing to do. Is it so hard to stop feeding the seasonal trolls ? One
    > warning should be enough, there's really no need for additional
    > comments, corrections or remarks.


    I've always wondered why Debbie inspires such a rush of hatred here. Aside
    from the fact that she may actually mislead somebody, she seems harmless
    enough and is actually kind of humorous in an offbeat, twisted way.


    >
    > I am bringing this up out of respect to people like Don, Jim, Lord
    > Shaolin and a few others who are the reasons I lurk here. In an
    > attempt to raise the level of the group a little bit, what do you
    > think of the worm so far ? What are your experiences for the past few
    > days ? Do you think the net was more prepared this time or M$ lost
    > more customers with this ?
    >
    > --


    For once, it's actually GOOD to be running Win9x rather than any of the NT
    flavors, which I am so often told are "so much better as far as security."
    HAH! ;)

    I went to Windows Update yesterday (not for this purpose, but just to see
    if anything new was released for ME) and it worked, but was it ever slow!

    Still, no complacency here. I defined new rules in Kerio yesterday
    specifically blocking ports 135 - 139, 445 & 593, both directions. That in
    addition to the already existing rules blocking RPCSS.EXE and DCOM.EXE. I
    can't see how it hurts anything, so why not?

    Funny - I remember people in different places saying that these are fairly
    harmless programs and not to worry about them. I was even called paranoid
    by a few because I blocked them. Well, where Microsoft is concerned,
    paranoia is a healthy thing, it seems.

    Now, I'm being taken to task (elsewhere) for even suggesting that Windows
    Media Player 9 should be avoided, and .wma type files as well, because the
    potential for TCPA and Palladium type behavior is built into them.

    If anybody really understands what Microsoft's goal is, they wouldn't have
    any trouble believing any of this.
    donut, Aug 13, 2003
    #4
  5. toro

    Lord Shaolin Guest

    donut <> randomly produced:

    ::
    :: Still, no complacency here. I defined new rules in Kerio yesterday
    :: specifically blocking ports 135 - 139, 445 & 593, both directions.
    :: That in addition to the already existing rules blocking RPCSS.EXE
    :: and DCOM.EXE. I can't see how it hurts anything, so why not?

    Actually you are going about this the wrong way.

    As someone recently called it "Shaolin's Firewall Mantra"

    "Block everything apart from what you explicitly require."

    You should have a rule at the bottom, block everything, all protocols, all
    ports in all directions and LOG it.

    Everything else you should allow on a per application basis for only the
    ports and IP addresses it requires, e.g. port 53 only to your primary and
    secondary DNS servers, your mail client only to port 110 for POP on your
    mail server, 25 on your SMTP server, 119 to your news server etc etc.

    HTH

    Shaolin

    --


    ..: http://www.security-forums.com :.

    Share your knowledge
    It's a way to achieve
    Immortality.
    Lord Shaolin, Aug 13, 2003
    #5
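
Added example, not part of the original posts: a small Python model that contrasts a port block-list taken on its own with the default-deny ruleset described in post #5 (per-application allows, then a final block-and-log rule). The application names, server addresses, port 6000 and the sample traffic are constructed for illustration.

```python
# Added example: both rule sets and all traffic below are constructed.
# 192.0.2.x / 198.51.100.x are documentation-range placeholder addresses.

# Per-application allows: (application, protocol, remote port, permitted servers)
ALLOW_RULES = [
    ("resolver",   "udp", 53,  {"192.0.2.53", "192.0.2.54"}),  # primary/secondary DNS
    ("mailclient", "tcp", 110, {"192.0.2.110"}),               # POP server
    ("mailclient", "tcp", 25,  {"192.0.2.25"}),                # SMTP server
    ("newsreader", "tcp", 119, {"192.0.2.119"}),               # news server
]

# Port block-list with the ports named earlier in the thread
BLOCKED_PORTS = set(range(135, 140)) | {445, 593}


def port_blocklist(conn):
    """Block only listed ports, in either direction; everything else passes."""
    return "block" if conn["port"] in BLOCKED_PORTS else "allow"


def default_deny(conn, log):
    """Allow outbound traffic matching a rule; block and log everything else."""
    for app, proto, port, servers in ALLOW_RULES:
        if (conn["dir"] == "out"
                and (conn["app"], conn["proto"], conn["port"]) == (app, proto, port)
                and conn["remote"] in servers):
            return "allow"
    log.append(conn)  # the bottom rule: block all protocols/ports/directions, LOG
    return "block"


SAMPLE_TRAFFIC = [  # constructed connections
    {"app": "resolver", "dir": "out", "proto": "udp", "port": 53, "remote": "192.0.2.53"},
    {"app": "mailclient", "dir": "out", "proto": "tcp", "port": 110, "remote": "198.51.100.7"},
    {"app": "rpc-service", "dir": "in", "proto": "tcp", "port": 135, "remote": "198.51.100.9"},
    {"app": "unknown", "dir": "in", "proto": "tcp", "port": 6000, "remote": "198.51.100.9"},
]


def compare(traffic):
    """Return (port, block-list verdict, default-deny verdict) rows and the log."""
    log = []
    rows = [(c["port"], port_blocklist(c), default_deny(c, log)) for c in traffic]
    return rows, log


if __name__ == "__main__":
    rows, log = compare(SAMPLE_TRAFFIC)
    for port, listed, denied in rows:
        print(f"port {port:>5}: block-list={listed:<5} default-deny={denied}")
    print(f"{len(log)} connections hit the final block-and-log rule")
```

The rows where the two verdicts differ (the mail client talking to an unlisted server, and the inbound connection on an unlisted port) are the traffic a block-list alone lets through and the final rule records.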
  6. toro

    Caz Guest

    "donut" <> wrote in message
    news:Xns93D67CF55B712donut@216.102.43.227...
    > toro <> wrote in
    > news::
    >

    <snip>
    > If anybody really understands what Microsoft's goal is, they wouldn't have
    > any trouble believing any of this.


    May I ask you to expand on "Microsoft's goal"?

    TIA
    Caz
    Caz, Aug 14, 2003
    #6
  7. toro

    donut Guest

    "Lord Shaolin" <abuse@127.0.0.1> wrote in
    news:gxy_a.3289$9.net:

    > You should have a rule at the bottom, block everything, all protocols,
    > all ports in all directions and LOG it.


    Of course I have such a rule.
    donut, Aug 14, 2003
    #7
  8. toro

    donut Guest

    donut, Aug 14, 2003
    #8
  9. toro

    toro Guest

    On Wed, 13 Aug 2003 17:53:53 +0100, "Lord Shaolin" <abuse@127.0.0.1>
    wrote:

    >If you follow my habits you'll probably be aware of where I reside now :)


    Believe me, I'm glad I do :)

    >As for the worm?
    >
    >I think it's a badly coded kiddy attempt at something that could have easily
    >overtaken everything that has EVER been before.


    I agree. I expected more damage from a worm that exploits a
    vulnerability present in all Windows platforms, and the
    construction/effects of which had been discussed so intensely for the
    past weeks.
    I had tested the exploit when it was first published against my own
    machines, and the results are identical. IMHO it looks as if somebody
    packed the published exploit in a worm costume and released it into
    the public, just to satisfy the demanding need for this worm.

    >Especially with XP as the default behaviour is for it to shut down in 60
    >seconds.


    Oh, you mean that I'm not accidentally shutting them off each time ?
    Thanks, now I know I'm not clumsy ;)

    --
    ____________________________________________________
    \___fwtis AT cha /__ / ACK and thou_______/
    \______DOT forthnet / / shall receive_____/
    \____DOT gr /_/ RLU#306453______/
    toro, Aug 14, 2003
    #9