Disney's Computers Are Down

njblackberry

njblackberry

New Member
peter11435 said:
Like Invero I am no expert on the subject, however I have always heard that 2000 is more bug free and secure than XP. That said I am currently running on XP with no problems, and their crashed.
Click to expand...
I'm a computer security manager. I have been working this since 5:30 this evening.

Windows XP is significantly more secure than Windows 2000. That having been said, the particular vulnerability here (outlined in too much detail by Microsoft last Tuesday as vulnerability MS05-039) affects both early versions of Windows XP and Windows 2000. A patch was released then, but it is REALLY HARD to get thousands of laptops, desktops and servers updated. It can take weeks. And this vulnerability was exploited very quickly.

This worm, which is NOT Zotob, but a new variant, attempts to spread and infect as many computers as possible, turning them into "zombies" awaiting their next command.

So.. Keep your anti virus software updates, turn on Windows Update and make sure you apply all Microsoft "Critical Patches" when they are released...

This is also a fairly easy worm to detect and clean up. There will be some sleepy admins around, but they should be able to clean up fairly quickly.
 
njblackberry

njblackberry

New Member
It's (unfortunately) the world we live in. This one got a lot of publicity because it hit CNN, ABC and the NY Times very early. So they get the word out. Then the Anti Virus companies got involved. It's a royal pain, and today it cost Disney some serious $$$.

And I'm still up at 12:22, but at least my folks in Europe are getting up now!
 
Woody13

Woody13

New Member
Worm Hits TV Networks, N.Y. Times




[size=-1]By Brian Krebs and Mike Musgrove
Washington Post Staff Writers
Wednesday, August 17, 2005; D04
[/size]

<NITF>A new Internet worm infected and disrupted computers and networks at CNN, ABC and the New York Times yesterday.

Security experts said the worm is a variant of Zotob, which first appeared on Sunday and does not limit its attack to media companies. Zotob infected computers running Microsoft Corp.'s Windows 2000 operating system. A spokeswoman for Microsoft said yesterday that the company does not know yet whether the new software, which it has named worm_rbot.ceq, is a version of that worm.

Ken Dunham, director of malicious code at the Reston-based computer security firm iDefense Inc., said his company had also seen networks for companies in the financial, medical and computer services industries compromised by the troublesome software.

If the new worm is related to Zotob, the malicious software takes advantage of a Windows security flaw that Microsoft first detailed and provided a fix for last week. Microsoft is posting the latest information it has on the outbreak, including the patch it released last week, at http://www.microsoft.com/security .

Though Microsoft issued the patch last Tuesday, hackers worked faster than the tech teams at some companies, Dunham said. Companies may find that infected networks will take "days, if not weeks, to repair," he said.

"If you aren't patched, you're going to get hit pretty hard," he said.

The worm, if successfully installed on a computer, could be used by hackers to gain remote access to a compromised computer, he said.

ABC News spokesman Jeffrey Schneider said the worm knocked out computers for two hours in the network's newsrooms on the East and West coasts.

"This was the first time I've seen writers at 'World News Tonight' banging away on electric typewriters," Schneider said.

On CNN yesterday afternoon, Wolf Blitzer reported that a computer worm had taken out many of the news networks' computer systems in Atlanta, New York and other bureaus around the country. The cable channel showed pictures of an infected CNN computer constantly rebooting.

Kathy Park, a spokeswoman for the New York Times, said the newspaper was battling a similar problem. She said the outage affected computers in news bureaus around the country that were connected to the New York office's network.

The Zotob worm was unleashed over the weekend, though it attracted little attention outside of computer-security circles. According to computer-security firm Trend Micro Inc., the original worm and a sequel compromised about 1,000 computers.
 
Woody13

Woody13

New Member
Security Watch: New Worm Hits Windows Hole in Record Time
ARTICLE DATE: 08.15.05

By Larry Seltzer, eWEEK
The Watch

It didn't take long: less than a week after Microsoft revealed a serious vulnerability in the Plug and Play service, worms were out on the Internet exploiting it. See how to identify the worms in <ZIFFARTICLE id=158096 page="2">this week's Top Threat section</ZIFFARTICLE>.

Spam, worms, DDOS attacks and many of the other ills that plague us are perpetrated through botnets. Whose networks are these botnets on? We name names in <ZIFFARTICLE id=158096 page="3">the Top Botnets section</ZIFFARTICLE>.

The Plug and Play vulnerability was a biggie, but it wasn't the only big deal this week. See all the other problems you should be addressing in <ZIFFARTICLE id=158096 page="4">the Top 5 Vulnerabilities section</ZIFFARTICLE>.

When you get a text e-mail, you might feel secure about it because it doesn't have any of that HTML nonsense in it, but is it really text? Things are not always what they seem, as we demonstrate in <ZIFFARTICLE id=158096 page="5">this week's Top Phish</ZIFFARTICLE>.

How do you identify a phishing attack? One way is to take advantage of a feature your e-mail client probably has. See what it is and how to do it in <ZIFFARTICLE id=158096 page="6">this week's Security Tip</ZIFFARTICLE>.

Since it's the most feared of last week's disclosed Windows vulnerabilities, this week we take a more detailed look at the Plug and Play vulnerability in the Security Alerts and Updates section.

Large corporations, universities and ISPs all have an ASN assigned to them. Find out what it is in <ZIFFARTICLE id=158096 page="8">Jargon Watch</ZIFFARTICLE>.

A Florida man stole 1.5 billion data files. Find a news story about this and other topics in <ZIFFARTICLE id=158096 page="9">the Security Watch Story Feed</ZIFFARTICLE>.

<ZIFFPAGE title="Top Threat: Zotob.a, Zotob.b">Top Threat:Zotob.a, Zotob.b

Executive Summary
Name: Zotob.a, Zotob.b (Symantec)
Affects: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP, but Windows 2000 most seriously

What it does: Perhaps the most serious of the vulnerabilities that Microsoft announced last week, MS05-039 (Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege) affects Windows 2000 systems most seriously.

Zotob.a and Zotob.b are the first variants of a new worm which uses the MS05-039 vulnerability as a means of propagation. For more on this vulnerability, see <ZIFFARTICLE id=158096 page="7">the Security Alerts and Updates section</ZIFFARTICLE>.

When the worm executes, the first thing it does is to check for the existence of and then, if not found, create a mutex (also known as a semaphore) on the system named 'B-O-T-Z-O-R'. This prevents more than one copy of the worm from running at any one point.



Zotob.a then makes a copy of itself on the system named %System%\botzor.exe. Zotob.b copies itself as %System%\csm.exe. Then it adds the appropriate value to the
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersionRunServices
registry keys:

  • "WINDOWS SYSTEM" = "botzor.exe"
or

  • "csm Win Updates" = "csm.exe"



It then sets the value:
  • "Start" = "4"
in the registry key

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess
in order to disable Windows Shared Access service.



Now things get really nasty. The worms connect to IRC servers on TCP port 8080 to allow for unauthorized remote access to the system. Zotob.a and Zotob.b use different servers. For similar reasons it also opens an FTP server on TCP port 33333.

It now generates a random IP address in its subnet in order to attack computers at that address using the MS05-039 vulnerability. Once the system is compromised, it runs an FTP script named %System%\2pac.txt. This downloads (as %System%\haha.exe) and executes a copy of the worm from the attacking computer.



Finally, it adds a taunt to the HOSTS file, followed by entries meant to disable access to a number of security-related sites and other innocent victims, including eBay and PayPal:
 
peter11435

peter11435

Well-Known Member
njblackberry said:
I'm a computer security manager. I have been working this since 5:30 this evening.

Windows XP is significantly more secure than Windows 2000. That having been said, the particular vulnerability here (outlined in too much detail by Microsoft last Tuesday as vulnerability MS05-039) affects both early versions of Windows XP and Windows 2000. A patch was released then, but it is REALLY HARD to get thousands of laptops, desktops and servers updated. It can take weeks. And this vulnerability was exploited very quickly.

This worm, which is NOT Zotob, but a new variant, attempts to spread and infect as many computers as possible, turning them into "zombies" awaiting their next command.

So.. Keep your anti virus software updates, turn on Windows Update and make sure you apply all Microsoft "Critical Patches" when they are released...

This is also a fairly easy worm to detect and clean up. There will be some sleepy admins around, but they should be able to clean up fairly quickly.
Click to expand...
Thanks, like I said. Im not expert.
 
wdwmagic

wdwmagic

Administrator
Moderator
Premium Member
wdwprincess03 said:
Anyone think the funny thing is that Disney and the other companies still runs on Windows 2000.....not XP?....
Click to expand...

Windows XP is a desktop operating system. The impact on major systems will be affecting Windows 2000 Server. Windows 2000 Server runs major systems, Windows XP just runs things on a desktop, like word processors and web browsers. Much of the worlds major servers use 2000, its very standard. Windows Server 2003 is the replacement for Windows 2000 Server.
 
njblackberry

njblackberry

New Member
It is only a huge event because the news media (particularly CNN) was hit. At 6PM they put up a big red banner on their home page announcing "Windows 2000 computers worldwide hit by virus" - meaning THEY got it :)

This worm didn't do any significant damage - it clogged up computer networks as it tried to spread. It spread PC to PC to PC to Server to PC eating up bandwidth. Fortunately it wasn't more destructive. That would have been the big one.

And it was probably only a sample of what's next.

Patch away people....
 
CoffeeJedi

CoffeeJedi

Active Member
njblackberry said:
It is only a huge event because the news media (particularly CNN) was hit. At 6PM they put up a big red banner on their home page announcing "Windows 2000 computers worldwide hit by virus" - meaning THEY got it :)
Click to expand...
my dad was freaking out on me last night, thinking he was "helping" by telling me what he had heard on CNN, then got upset when i laughed about it. the only reason why CNN said anything was because they got it :lol:
when i had heard that ABC got hit, i put 2 and 2 together and figured that's what happened to Disney yesterday

i came in this morning and found out that Software Update Service had happily downloaded the patch and distributed it to my remaining Win2k boxen A WEEK AGO. i chuckled to myself and logged onto to WDWMagic, happy that i wouldn't spend the day chasing virii
 
wannab@dis

wannab@dis

Well-Known Member
wdwmagic said:
Windows XP is a desktop operating system. The impact on major systems will be affecting Windows 2000 Server. Windows 2000 Server runs major systems, Windows XP just runs things on a desktop, like word processors and web browsers. Much of the worlds major servers use 2000, its very standard. Windows Server 2003 is the replacement for Windows 2000 Server.
Click to expand...

Thanks for posting this. I was fixing to do the same thing until I saw your post. This is a popular misconception that many people have. There are two lines of products -- one is for desktops and one is for servers. All the servers in our office are 2003 except the domain controller which is still 2000. We didn't seem to have any problems since our patches are up to date.
 
wdwmagic

wdwmagic

Administrator
Moderator
Premium Member
wannab@dis said:
Extremely slow. I'm sure it's the traffic generated by the worm.
Click to expand...

Yes it is, internet traffic as a whole is crawling due to all the garbage traffic being created by the worms attempting to seek out hosts.
 
DanStat

DanStat

Well-Known Member
All the news...that's fit to print...

The newsroom where I intern had problems. Too bad not everyone is using a Mac! If they were - they wouldn't be affected. :)
 

Register on WDWMAGIC. This sidebar will go away, and you'll see fewer ads.

Back
Top Bottom