Sunday, May 2, 2004

The various anti-virus and security sites are worried about two major threats to networks, the "Sasser" and "Gaobot" worms. Both of them exploit the hole that Microsoft patched with the April patches, released 4/13/04. Now it's the second day of June (er, May), and there are lots of systems that aren't patched.

These new worms have the potential to be "Blaster/Nachi" in their activity. The early ones are not quite as virulent, but they will cause problems on your network. They also have the potential to 'own' a computer, running commands that are sent to it. If your system is infected or vulnerable, you could experience reboots, become a spam 'host' or a p0rn file host, or damage or lose data.

There's lots of information about this problem. You could start with a look at the Internet Storm Center's "Handler Diaries". That link is for today's status report, and has lots of links to places to get the worm removed, and info about the "Sasser" and "Gaobot" worms. You can look at previous day's notes to see other warnings and information. Note that the Internet Storm Center has raised the alert level to "yellow", their second-highest alert level.

Microsoft has already supplied the patches for this problem. And on their web pages, they have a scanner/removal tool for the worm. Your favorite anti-virus site also has specialized removal and detection tools. Most anti-virus vendors have released special updates this weekend, so make sure that you update your anti-virus program.

Note that Sasser and Gaobot are 'worms', not viruses. A worm will get into your system without any action on your part (especially your inaction in installing updates). A virus needs the user to do something to infect a system, such as opening an email attachment. A worm will get into your system all by itself.

So, once again I am the "Man of the Mantra". The mantra is "update". Now. Then "Tell a Friend" -- and help them update.

Enough of that.

I was a bit busy yesterday. After getting Stacy to the airport at 5am, we came back here to get a couple more hours of sleep. Then it was over to the mother-in-law's house to meet a guy (named "Guy") who wanted to look at the Kubota tractor. He spent about an hour looking at it and all the attachments, and even took it for a short test drive. He finally decided to buy it, and we'll do all the final payments on Tuesday. It will take a while to get it all loaded on the trailer, but it will be nice to get that piece sold.

We put an ad in the local paper for the travel trailer. The ad started on Friday, but we haven't gotten any calls yet. You can look at it (and all the other stuff I need to sell) here.

After he left, I decided to work on the sprinkler system again. There was one 3/4" pipe sticking up at the corner of the lawn. I assumed that there needed to be a sprinkler head there. So all that was needed was a quick cut of the pipe, and glue in a fitting, and screw in the sprinkler head.

Bad assumption.

If you have worked with plastic sprinkler pipe, there is a neat little ratchet-cutter that looks like a pair of pliers or a hand garden trimmer. It makes a nice clean cut, and is much faster than a hacksaw.

So, I used that pipe cutter to cut off the top of the pipe (it had a cap on the end). And was immediately drenched with a 15 foot stream of water shooting up into the air.

Yep, it was supply pipe. Directly hooked to the main water supply. About 60 pounds of pressure. It was quite impressive to watch. And it was a bit cold.

So, when you are faced with a spouting pipe, the first step is to shut off the main water supply. The house is on a couple of acres, so it's not like a residential area where there is a meter box at the sidewalk. So I looked around the house first, and found one shut-off valve, but that was for the house. So I looked for the sprinkler system 'manifold', which is a place *usually" where all of the sprinkler controls are located. No joy.

I wandered around the house, looking for other shut-off valves. And found a blue flag, which marked a water meter. So I opened that up, dug out all the extra dirt, and closed the main valve. Then, back around to the front of the house.

Where I saw the 15 foot water fountain, still spouting. Which means that I just shut off the neighbor's water. Luckily, they weren't home at the time.

So, on to plan two. I'll find a hose clamp and a rag, and temporarily clamp the rag over the end of the pipe to reduce the water flow. Which I did. And got quite wet while the water sprayed everywhere. But I got the flow reduced a bit.

So, off to the local hardware store, just about five minutes away. I got a compression fitting, a couple more fittings, and some screw-in plugs.

Back to the fountain, still merrily gurgling through the rag clamped on the pipe. Took it off (sprinkler work is quite refreshing, what with all the cold water spraying on you). I slipped the screw bushing over the end of the pipe (water spraying everywhere), then the rubber compression sleeve (more water spraying), then the pipe, screwing it all together (yeah, more water spraying).

At this point (for those of you still following along), we've got the compression fitting on, with the other end still open, water still spraying out of the top (although not as much). I built a pipe plug (slip by thread union, short pipe, cap), gluing it together. Waited a minute for the glue to dry. Put on my glasses (it keeps the water from spraying directly into my eyes), and screwed the plug pipe into the compression fitting (more soaking, of course). And that was that. The fountain is closed.

And I am basically soaked.

Just a few more things to do. Like turn on the neighbor's water. Turn on the water supply to the house. And as I did that last part, I turned around.

About 15 feet away towards the fence and the edge of the property, is the water meter for the house. And the main shut-off valve.

Sigh.

So that was my Saturday. A bit damp, but the temps were warm (low 90's), so it was refreshing. Sort of.

Sunday was typical. Church administrative meetings in the morning, church meeting in the afternoon, dinner with the family (BBQ chicken, fresh fruit salad, french bread, corn on the cob), and relaxing in the evening (after the grandkids leave).

Tomorrow (and the week) should be interesting. We'll see how we fare with Sasser and Gaobot.

Monday, May 3, 2004

Let's get the Sasser news out of the way. Here's what the Internet Storm Center said today (emphasis added):

The Sasser worm outbreak that began early Saturday morning continues. There have been at least 4 distinct variants noted so far. The primary difference between the first 3 was in the name of the file installed and increasing the number of scanning threads from 100 to 1000. The fourth variant, Sasser.d, which started appearing this morning also added a component to use pings (ICMP echo requests) to scan for other hosts to infect. It can generate more than 30 packets/sec with no payload. On a network with many unpatched systems, this could lead to network congestion similar to what was seen when Nachi came out last August. Also, because it will scan multicast addresses, there have been some reports that some routers which route multicast traffic have become unstable as a result of Sasser infections. A reminder, that systems patched against the issues described in MS04-011 are not vulnerable to this worm. If you haven't patched yet, do so immediately.

Although there is some concern with this one, I think the corporate side will be a bit more protected than the home side. There were reports of university systems having significant problems, which is to be expected. And I think that we'll see more home systems get it, since they tend to be less-patched.

So, get your patches installed.

Brian B reports that my proofreading skills are less than perfect. My regular readers (yes, both of you) already know that. So, if you were to wander up to yesterday's post, you'll see a minor correction.

"Time flies like an arrow, fruit flies like bananas."

Tuesday, May 4, 2004

I (as Mike Barkman, fellow Daynoter, would say -- I think) am 'whacked'. It's been a busy day.

First off, some numbers about Sasser that I found on the Internet Storm Center:

According Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.
The Internet Storm Center numbers are close to Microsoft:
500k [downloads] on May 1st, 700k on May 2nd

There is a lot of Sasser traffic out there, most of it infecting home users, who aren't usually the fastest to protect themselves. Conventional wisdom says that dial-up users are less likely to be infected by worms, since they are not usually on-line as long as broadband (cable/DSL/etc), and each time they dial in they get a different IP address. But the amount of Sasser traffic out there is such that dial-up users are getting infected also. Some aquaintenances I know got it.

Here's how to fix the Sasser infection. You'll know you have it when you see an error message from "LSASS", and your system will shut down and restart after a delay (two minutes, I think). (Later...some changes to the procedure are below.) If you see that message, immediately do a Start, Run of "SHUTDOWN -A". That will abort the shutdown process. Then disconnect from the Internet, turn on the Windows firewall, reconnect, and try to download the patches. You'll also need to run the Sasser removal tool (available from Microsoft or your favorite anti-virus vendor), disconnect from the 'net, restart, then run a full anti-virus scan on the computer (after ensuring that is up to date). Restart the computer again, don't connect to the Internet, and run the full anti-virus scan again. Then before reconnecting, set up for automatic download and install of the Microsoft Updates. Do the Windows Update thing manually one more time to ensure all the patches were installed properly. Set up your anti-virus update check to run at least once a day. Then you can relax until the next one.

I took the afternoon off to go over to my mother-in-law's. I had a guy what wanted to look at the travel trailer. And then Guy came over to get the Kubota tractor. That took a couple of hours to get loaded with all the attachments. I had to put one of them in my truck, so I followed him to his place, which is about a half-hour drive away. We got everything unloaded, then the trip back to my house. And here I am. All tuckered out (er, 'whacked').

Wednesday, May 5, 2004

After a bit more research, I came across a more complete way to remove the Sasser worm. Slight differences depending on whether you have WinXP or Win2K. (Source was Microsoft: http://www.microsoft.com/security/incident/sasser/asp ) You might want to print out their instructions (they have links to other information), or print out these instructions.

• Disconnect from the Internet (pull out the cable, hang up the phone).
• If you have WinXP, do a Start, Run of "shutdown.exe -a" to abort the restart process.
• Start, Run, "cmd.exe". Then run this command echo dcpromo > %systemroot%\debug\dcpromo.log , press Enter. Then run this command attrib +R %systemroot%\debug\dcpromo.log and press Enter.
• If things seem real slow, then get into the Task Manger (Ctrl+Alt+Delete), and end these tasks (all of them):
  • any task ending with _up.exe
  • any task starting with avserve
  • any task starting with avserve2
  • any task starting with skynetave
  • hkey.exe
  • msiwin84.exe
  • wmiprvsw.exe
• Enable a firewall.
  • On Win2K, you'll need to get one (ZoneAlarm is free, or get one from Norton, McAfee, Tiny Personal Firewall. Yeah, you'll need to download one, and you don't really want to do that from an infected computer. If you do, you might get reinfected and you have to start all over. You should have a firewall already, anyhow, so "Nike" (Just Do It!).
  • For WinXP, enable the built-in firewall (as a minimum). Instructions are in the WinXP Help Files, just search for "firewall". You can put in one of the other firewall products later if you wish.
• Now you can reconnect to the Internet. Get the MS04-011 update first. You can use the Windows Update process, and then just install that one patch (you'll get the others later).
• After the update is installed, you can remove the Sasser worm. Microsoft and others have a removal tool (see the Microsoft link). But you have to do the above steps before you remove the worm, otherwise it will reappear).'
• Update your anti-virus program.
• Disconnect from the 'net.
• Run a full anti-virus scan of your computer -- all files. Then restart your computer. Then run the full anti-virus scan again. Delete any infected files, don't try to save them. Repeat until the virus scan doesn't find anything.
• If all is well, then reconnect to the Internet. Get the rest of the Windows Updates. Install them.
• Then set up the Windows Automatic Updates process (full instructions at www.microsoft.com/protect ). Specify 'automatically download and install' setting. Then make sure that you anti-virus program is set up for daily update checks.

Now, you are protected. Go forth and make sure that your family and friends do their part.

(later...)

There are some that would say that if you get infected with a worm like "Sasser", you should just reinstall everything, including the operating system. Their theory is that since Sasser got into your system with by the 'back door', then other similar exploits may also be in there. Removal instructions are exploit-specific. It is quite easy for one version of Sasser to infect you differently than another version. Anti-virus detections are also exploit-specific. A slight variation of the exploit may allow it to be undetected by your anti-virus program. So if you remove Sasser.d, there may be other problems lurking into your system.

At a corporate level, it is useful to have a 'standard build' of your systems. If there is a problem with the computer, you just reinstall the build. It would be like using your 'restore' CD that came with your home system. You do have to be careful with that, though. You must make sure that your standard build (restore CD) is safe.

Or, you could do like Google. They have thousands of computers. When they get a new one, they just plug it into the rack with their standard build. And if one breaks, they don't bother to fix it. The just replace it. They may even leave the broken system in the rack until they need that slot.

So you could buy a new computer. But that computer out of the box may not be protected. They are often not patched to current levels. And if you connect to the 'net to get things updates, you might be infected (just like my test system was infected with Sasser after only one-half hour on line).

But there is a way to be a bit safer. Take a look at "Windows XP: Surviving the First Day". (Lots of other good info at that site.) Backup your data often (CD writers are a good way to backup data). Firewalls, updates, anti-virus, backups.

Thursday, May 6, 2004

Not much tonight. I've been working on another project. You'll hear about it when it's ready. Because of that project, and another one right after it, posts may be sporadic until the following weekend (May 17th).

If anything urgent comes up, I'll try to get something up here.

... more later ...
Last Week	Next Week	Prior Weeks	mail	bookmark	The Digital Choke story