Sobig.F attack expected 3:00pm to 6:00pm EST today [Friday 22]

  • Thread starter Karl Levinson [x y] mvp

Alun Jones [MS MVP]

Jonathan Maltz said:
If every user had a good firewall and AV, then this, and many other, worms
wouldn't spread. In this case, it connected to other servers (well, it was
supposed to) so a good firewall would've blocked that. In the case of
Blaster, that spread by connecting to other computers, so that would've been
stopped as well.

If every user had the good sense not to go wildly clicking on attachments
they didn't ask for, then this worm wouldn't spread, either.

After a year or so of trying to get the point across, I've finally convinced
myself that if he receives an attachment out of the blue, even if it's from
someone he knows, he shouldn't open it. He should call the person first,
and say "did you send me this file?"

Attachments that are not part of your usual email traffic - don't open them.
No! Never!!!! BAD!

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 

Alun Jones [MS MVP]

"Bill Sanderson" said:
XP is the only Microsoft OS which includes firewall functionality.

The firewall is not turned on by default. This may change with future OS
versions, and even future SP's on XP, I suspect.

Turning on the firewall in a service pack would be quite an issue.
F'rinstance, in any small office like mine, that'd result in the instant
curtailing of LAN activities. We've already got a firewall between us and
the rest of the world. Putting an extra one between me and my wife would
be a bad move.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 

J Shoemaker

dolt> They have a balloon that says "we downloaded updates now
dolt> click to install them" already by default. If they just
dolt> sporadically rebooted users machines, then they'd be yelled
dolt> at, and it seems if they _don't_ reboot user's machines,
dolt> then they get screamed at as well, catch 22

dolt> -- --Jonathan Maltz [Microsoft MVP - Windows Server]
dolt> http://www.imbored.biz - A Windows Server 2003 visual,
dolt> step-by-step tutorial site :) Only reply by newsgroup. If
dolt> I see an email I didn't ask for, it will be deleted without
dolt> reading.

[...]

Afraid to even read your email? You post here enough that
people would think you're a security expert, yet you're unable
to think of a better solution than to be terrified of email?

Why on earth did you quote 785 lines only to top-post and not
even reference any of the quoted material?!
 

Super_Geek

Hi.

The worm wouldn't even run if the user didn't open the received attachment
in the first place.

Actually FYI, the worm uses an exploit in the remote procedure call to
install itself to. A faked request is sent which causes a buffer
overflow and allows the attacker to do his stuff.
So with or without using Email you can be infected.
 

Jonathan Maltz [MS-MVP]

Alun Jones said:
wrote:
dolt> -- --Jonathan Maltz [Microsoft MVP - Windows Server]
dolt> http://www.imbored.biz - A Windows Server 2003 visual,
dolt> step-by-step tutorial site :) Only reply by newsgroup. If
dolt> I see an email I didn't ask for, it will be deleted without
dolt> reading.

[...]

Afraid to even read your email? You post here enough that
people would think you're a security expert, yet you're unable
to think of a better solution than to be terrified of email?

Where on earth did you read that? Jonathan's sig seems to suggest more that
he's just getting way too much unsolicited "help me please" emails, and
doesn't do those for free. He provides free support in newsgroups, so that
many people can learn from his advice - free support by email would be
one-on-one, and somewhat of a waste of effort, since he'd be answering the
same questions over and over.

Exactly. I'm not "afraid" to read my email, I just don't want "please help
me with ___" then I answer, then I get the same question from someone else a
day later.
Even the best of posters can hit the "send" button too early once in a while.
I'm sure Jonathan knows to trim quoted material - right, Jonathan?

Yup, I actually forgot how much would be quoted, and hit send before the
trim. Sorry if I offended anyone.
Alun.
~~~~

[...]


--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.
 

Bill Sanderson

Mike Simone said:
"Bill Sanderson" <[email protected]> wrote in message
<snip>

There's also a problem with MSBA - sometimes even if you apply the
patches it recommends the same vulnerability shows up the next time you
run the tool. That makes it hard to trust the MSBA, since if it gives
false weaknesses, why wouldn't it give false securities as well?

(Did I say it was perfect?)

Frankly, I tend to trust MBSA because the patch-detection code comes in the
form of HFNETCHK from a third-party. I've observed the public newsgroup
interactions between Microsoft, who publish the XML file whose details are
used by Shavlik and other third-parties to produce added-value tools, and
Shavlik and other interested members of the public. Mistakes are made in
the XML files, and they are caught by interested 3rd parties, and corrected.
Shavlik also enhances the information in the XML files and republishes their
own versions. I can use Shavlik's tools to second guess Microsoft's and I
can get good support and answers to questions about why/how certain messages
are generated on a given machine, in the public newsgroups.

I've been generally impressed over time with the candid answers and speed of
response to issues with the underlying technology of patch detection.

If you get a "patch not installed" from MBSA after installing the patch, I
would recommend going to the KB article associated with the patch and
checking the file date and size details manually on a given sample machine.
I would think the chances are rather high that it isn't in fact
installed--the patch installers, for a variety of reasons, I'm sure, don't
always give accurate indication of the success of a given install.

Those groups are:
(on msnews.microsoft.com)
microsoft.public.security.baseline_analyzer
microsoft.public.security.hfnetchk

(on news.shavlik.com)
shavlik.hfnetchk
shavlik.hfnetchklt
 

Mike Simone

(Did I say it was perfect?)

No, you sure didn't. Sorry if I offended you - I assure you it was
not my intent. I need to make sure I'm not too far in caffeine
withdrawal before I post in the morning - nobody likes an incoherent
cranky guy.
Frankly, I tend to trust MBSA because the patch-detection code comes in the
form of HFNETCHK from a third-party. I've observed the public newsgroup
interactions between Microsoft, who publish the XML file whose details are
used by Shavlik and other third-parties to produce added-value tools, and
Shavlik and other interested members of the public. Mistakes are made in
the XML files, and they are caught by interested 3rd parties, and corrected.

Very interesting and good to know.

If you get a "patch not installed" from MBSA after installing the patch, I
would recommend going to the KB article associated with the patch and
checking the file date and size details manually on a given sample machine.
I would think the chances are rather high that it isn't in fact
installed--the patch installers, for a variety of reasons, I'm sure, don't
always give accurate indication of the success of a given install.

Ah, so I would probably get a more accurate result from the MBSA if I
ran it now.
Those groups are:
(on msnews.microsoft.com)
microsoft.public.security.baseline_analyzer
microsoft.public.security.hfnetchk

(on news.shavlik.com)
shavlik.hfnetchk
shavlik.hfnetchklt

Thanks for the info, and again, sorry if I came across poorly in my
original post.

Sincerely,

Mike Simone
 

Super_Geek

Super_Geek
asks a question to do with PCs, Super_Geek dives in and tries to help:
Actually FYI, the worm uses an exploit in the remote procedure call to
install itself to. A faked request is sent which causes a buffer
overflow and allows the attacker to do his stuff.

Hang on, we're talking about SoBig not Blaster, so this does not apply.
I'll just shutup now. But yeah, so many ppl just run email attachments
wildly it's insane. At least they are providing work for people in AV
firms.
 

svaardt

Simple question.

Why can't MS as part of their MS Upgrade service do a MS validation service
? Surely MD5 checksums are possible on binaries and if they don't match the
agreed patch level then a warning should be issued ?

MS Baseline tool security checker? Doesn't seem to help here ...
why not add a very simple check:

For example:

%WINDIR% <directory>/ {[directory]/...} [filename] {[checksum]...}

simple enough..... perhaps too so for their MIT trained folks... (talking of
which if you've met people from good universities... MIT/Oxbridge,etc.....
in general they try to talk down to you - make you feel small and them feel
important... in my experience those types of people are just as insecure as
the rest of us, and probably more danger than good... the really good ones
are those who can contribute back to no matter what level! -- so those MS
Employees who send responses to this group, I say good on you!).. okay back
to my ideas:

ALL known MS files should be checked and validated

3rd party files, could be validated - but that's up to the 3rd party -
they'd have to (a) register their checksum file with MS so that it becomes a
known file and (b) release their checksum file independently to the client -
thereby ensuring double-source checking.

Any files that aren't known about should be flagged as such and alerted to
the user - stuck into a DB of unknown files and if needs be erased or moved
somewhere out of the search path.



Now back to this virus, the fellow who wrote it has apparently been
identified (almost) and the FBI are homing in on him. Personally, I think he
did us a service - sure he distributed a non-destructive worm around our
systems and it caused downtime... BUT, and here's where you have to take a
deep breath, let's just say someone with a grudge against the U.S....
(topical), wanted to go one step further, they could have done the same
thing and made consequences a lot worse.... And where would Microsoft's
Indemnity clause get you... ?
Sorry ain't our software/responsibility/etc. etc... So in my view this guy,
deserves a kick in the balls, and be put to good community service - namely
fixing problems he has identified and others in order to save his ass.

Taking things further, why not setup a centralised group on non-destructive
hackers, to find weaknesses in whatever system they choose - exploit it, and
develop something that becomes an annoyance, but to package it with a
solution advising the administrators anonymously of the fix. A right to
hack - sure, but who's going to stop some-one with a grudge doing the same
thing on the quiet... timebombs, etc, etc... and worse an enemy of the
state...

911 is coming up soon, another year. I just hope these new fangled
in-flight computer hookups to the internet are run on completely... and I
mean.. completely separate nets internally to the computers used by the
flight control systems. Otherwise who knows, we wont need terrorists to be
on board the doomed flight... merely the virtual terrorist who downloads a
virus to take control of the systems and play MS Flight Sim as well as i
do... but with the real thing - who's going to identify this before it
happens, the corporate wanting to make money or a state/world sponsored
group of intellectual hackers conforming to a code of conduct ?

Views ?

Anyone worried yet ? I'd start to be, guess you wouldn't have thought a
simple computer program could transmit itself unattended from one machine to
another on the same OS... all we need now is a heterogeneous virus... it's
probably on the cards right now - how many of us want to make our logins
easy to achieve to Unix boxes, etc. Exceed, .rhosts files, etc... nice
one....

Anyways, we've all been given a kick in the butt, we all know MS can't keep
up with the latest loop holes in the sieve - and indeed given MS's practices
it's hardly surprising, so it's up to us to be on alert, to be careful, to
spread the word of common sense - wear a condom when interfacing with
others... etc...

Views .... ?



Steve
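Steve's proposal above (a checksum manifest of known files, with anything not in it flagged as unknown) and Bill Sanderson's advice earlier in the thread (when MBSA says "patch not installed", confirm the file's size and date on the machine by hand) describe the same defensive technique: compare what is on disk against a known-good record. The script below is an added example written for this thread, not code from any poster or from Microsoft's tools. File names such as `system32/netlib.dll` and `dropped.exe` are constructed for the demo, and it uses SHA-256 rather than the MD5 Steve mentions, since MD5 collisions are practical and an integrity manifest should not rely on it. The `demo()` function deliberately tampers with one file without changing its size, to show why a size-only check of the kind one does by hand against a KB article can pass a file that a hash check catches.

```python
"""File-integrity baseline check (added example, not from the thread):
hash every file under a directory, compare against a known-good manifest,
and report modified, unknown and missing files."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path -> {sha256, size} for every file under root.
    This is the 'known file' database the poster proposes; here it is built
    from a trusted tree rather than published by the vendor."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return manifest


def verify_tree(root, manifest):
    """Compare the tree under root against manifest by hash.
    Returns sorted lists under the keys ok, modified, unknown, missing."""
    current = build_manifest(root)
    ok, modified, unknown = [], [], []
    for rel, info in current.items():
        known = manifest.get(rel)
        if known is None:
            unknown.append(rel)          # not in the manifest: flag for review
        elif known["sha256"] != info["sha256"]:
            modified.append(rel)         # content changed since baseline
        else:
            ok.append(rel)
    missing = [rel for rel in manifest if rel not in current]
    return {"ok": sorted(ok), "modified": sorted(modified),
            "unknown": sorted(unknown), "missing": sorted(missing)}


def size_only_mismatches(root, manifest):
    """Weaker check: files present in both that differ only by size.
    Mirrors checking size against a KB article by hand; it misses same-size edits."""
    current = build_manifest(root)
    return sorted(rel for rel, info in current.items()
                  if rel in manifest and manifest[rel]["size"] != info["size"])


def demo():
    """Constructed scenario: baseline three files, then tamper, add and delete.
    Returns both the hash-based and the size-only findings."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = os.path.join(root, "system32")
        os.makedirs(sys_dir)
        baseline = {
            os.path.join(sys_dir, "netlib.dll"): b"original library bytes",
            os.path.join(sys_dir, "svc.exe"): b"service binary",
            os.path.join(root, "readme.txt"): b"notes",
        }
        for path, data in baseline.items():
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root)

        # Tamper with netlib.dll while keeping its size identical.
        lib = os.path.join(sys_dir, "netlib.dll")
        with open(lib, "wb") as f:
            f.write(baseline[lib][:-1] + b"?")
        # Drop an unknown file and remove a known one.
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"not in manifest")
        os.remove(os.path.join(root, "readme.txt"))

        return {"hash": verify_tree(root, manifest),
                "size_only_modified": size_only_mismatches(root, manifest)}


if __name__ == "__main__":
    result = demo()
    for key, paths in result["hash"].items():
        print(f"{key:9s} {paths}")
    print("size-only", result["size_only_modified"])
```

The 3rd-party "double-source checking" Steve describes would be a manifest signed by the vendor and fetched separately from the binaries; this example only covers the local comparison step, which is the part an administrator can run today.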
 