Superworm seizes 9m PCs, 'stunned' researchers say

Downadup, the superworm that attacks a patched vulnerability in Microsoft Windows, is making exponential gains if estimates from researchers at F-Secure are accurate. They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million. The astronomical growth …

COMMENTS

  1. Keith T
    Black Helicopters

    Where is government? Where are the lawyers?

    We all know our various governments spy on various percentages of emails and other web traffic, especially those that cross national borders. And perhaps/probably this spying is excessive.

    For the cost to privacy of this major intrusion, it certainly does not seem to be helping national security or individual security in any meaningful way -- if it did the authors of this worm would be locked up right now.

    Why isn't protecting the public and the nation when the public can't protect itself the purpose of government?

    For example, why is proof of identification not required to register a domain name?

    A domain name on the internet is published, so it is public. I can see keeping the identification of the domain owner confidential between the registrar and the domain owner, but only until a valid court order is produced.

    So here we have an example of a simple non-intrusive security measure that would be effective: requiring valid personal identification. Does the fact it is non-intrusive make it unattractive to the law enforcement and the intelligence community?

    For nobody, not even the registrar, to know who the owner is, is an abdication of responsibility bordering on, and maybe surpassing, gross negligence.

    Such gross negligence on the parts of registrars and ISPs is causing us all to run more and more expensive (in terms of computer resources) anti-malware tools and operating systems. (Yes, invulnerable sections of code require more resources.)

    I'd really like to see some lawyer types in a major jurisdiction launch some class action lawsuits on this.

    I (and much of the public) malign lawyers and law enforcement, but this is a situation where they could easily step in, and where they should step in, because this worm and malware in general is a gross threat to the privacy of us all as individuals, and is a threat to economic and national security.

  2. Herby

    Why not...

    Have the "central control" send a message to self destruct. If the security guys know where it is going to connect, just have a domain name waiting that has the proper destruct sequence. Then add in a nice patch that inhibits further infection.

    Am I being too obvious here?

    If the security researchers understand the worm correctly, use it against itself. Hopefully sooner than later!

  3. Anonymous Coward
    Anonymous Coward

    'massive networks of infected Windows machines'

    Oh! didn't I say this in another thread?

  4. Jon
    Flame

    @Why not...

    > Have the "central control" send a message to self destruct.

    Because that would be hacking, which is illegal. I happen to believe that there should be exceptions in the law to allow trained Police officers to do that sort of thing (probably with judicial pre-approval for each specific case), but there currently isn't.

    Also, you rapidly run into jurisdictional issues (even if it's legal in the UK the person who does it might find themselves extradited to the USA & prosecuted there for disinfecting a PC in the USA; and IP-address-based geotargeting isn't perfect). There are also major liability issues for when it goes wrong (and writing bugfree software that runs under every version of Windows is impossible, so it will go wrong).

    Also, @Where is government? Where are the lawyers?:

    > why is proof of identification not required to register a domain name?

    Well you probably need at least a credit card. But it might be a stolen card. If I had a 9m-strong identity-stealing botnet, then providing a stolen ID to register a domain name would be kinda easy.

  5. Robert E A Harvey
    Gates Horns

    One in three?

    Those one in three who have not updated would not happen to be those who find Windows Genuine Armlock to be unfair and intrusive would they?

  6. Steven Knox
    Paris Hilton

    @Keith T

    "We all know our various governments spy on various percentages of emails and other web traffic, especially those that cross national borders. And perhaps/probably this spying is excessive."

    No, we don't all know that. Accepting the premise that some governments do monitor some communications (I do believe this is true) does nothing to indicate the scope of the monitoring, nor the quality of analysis.

    "For the cost to privacy of this major intrusion, it certainly does not seem to be helping national security or individual security in any meaningful way -- if it did the authors of this worm would be locked up right now."

    There are so many assumptions in this paragraph it's hard to know where to start. First of all, we don't know how "major" the communications monitoring is. For the sake of argument, however, I'll give you the benefit of the doubt. Let's say that each government has access to all international communications. The next assumption is that the government has the capability to analyze these communications in real-time (because if they couldn't the backlog would grow exponentially). But let's give that to you as well. We next have to assume that the perpetrators have in fact identified themselves and given away their locations in international communications. Then we have to assume that these worm authors are, in fact, high enough on the list of criminals exposed by this supreme analytical database for the government to allocate resources to apprehend them. Then we have to assume that the government has either a) some legal agreement with the government of the location where these individuals are residing, or b) the resources and the nerve to invade the sovereignty of another nation (okay, maybe I'll give you that -- but for a few worm-writers...?) Then we have to assume that the government would necessarily publicize its efforts, which I find highly unlikely given that such would likely expose illegal activity on the part of the government.

    "Why isn't protecting the public and the nation when the public can't protect itself the purpose of government?"

    1. The public CAN protect itself -- the patch has been available for THREE MONTHS. There are also antivirus programs, firewalls, alternative operating systems, just doing something else instead of using a computer...

    2. The purpose of government is to protect the interests of said government. Anything more is an assumption of your ideology.

    "For example, why is proof of identification not required to register a domain name?"

    Because it's worked so well in bars and at border crossings? For the record, contact information is necessary to register a domain name, but there's no easy way to prove identity. There is no such thing as a reliable proof of identification. All attempts at creating such a thing have met with strong opposition from privacy advocates, as it would require large amounts of personal information in the hands of those with questionable ability to protect it. In fact, I find it ironic that you bemoan governments' excessive monitoring of communications and yet propose a solution which would require an equal invasion of privacy. It's clearly not as "non-intrusive" as you think.

    "For nobody, not even the registrar, to know who the owner is, is an abdication of responsibility bordering on, and maybe surpassing, gross negligence."

    The owner of what? The worm-writers haven't registered any of the domains the worm is contacting. That's why the security professionals have been able to register them.

    "(Yes, invulnerable sections of code require more resources.)"

    Significantly more resources? Not likely. Not if your development is security-focused to begin with and if you develop on security-focused platforms.

    "I'd really like to see some lawyer types in a major jurisdiction launch some class action lawsuits on this."

    Against whom?

    "I (and much of the public) malign lawyers and law enforcement, but this is a situation where they could easily step in, and where they should step in, because this worm and malware in general is a gross threat to the privacy of us all as individuals, and is a threat to economic and national security."

    No, they could not easily step in. And no, this is not a reasonable prioritization of resources. Bringing these people into a court of law isn't going to fix the infected systems, or prevent anyone else from registering the domain names those systems will contact in future. It also will do nothing to stop the real crimes that are happening on a daily basis. The inconvenience of patching security flaws and using antivirus software is NOT on the same order of magnitude as the major financial scams and physical violence and exploitation, not to mention inefficient use of resources, global pollution, etc., which are going on in our lovely world. And if the lawyers and the government can't stop those, why do you expect them to be able to fix the IT world's minor boo-boos?

    Have some fairy cake and get yourself a sense of proportion.

  7. Alice Andretti
    Black Helicopters

    Maybe CIA could assassinate scumbags

    Steven Knox wrote:

    "Bringing these people into a court of law isn't going to fix the infected systems, or prevent anyone else from registering the domain names those systems will contact in future. It also will do nothing to stop the real crimes that are happening on a daily basis."

    Hi Steve. I understand what you're saying, and I agree with many of your points. You have a rational/realistic view of things.

    One has to wonder, though, if other steps might eventually be needed to combat this sort of thing - if it someday gets *really* out of hand to the point where it's threatening national security (or some other such serious-sounding thing like that, which would finally get the attention of the lawmakers etc.).

    I agree that bringing people into court isn't much of a deterrent these days (revolving door, at least here in the U.S.).

    However, if there should happen to be, say, a long string of gruesome unexplained *assassinations* of scumbag botmasters/spammers/etc., word would get around and it might start to have an effect, at least on new recruits. Being in the botmaster business might not seem like such an easy way to make money after all... having to watch their back all the time... wondering if they'd be next...

    Where's the CIA when you need them, anyway? ;) Aren't they supposed to be good at that sort of thing? Or NSA or whoever.

    (Okay, if one disagrees with the whole assassination idea as most civilized people probably would [at least publicly], then maybe just figure out some legal way to freeze the scumbags' financial assets - surely if humans can send a man to the moon ;) we ought to be able to find out where these miscreants are laundering their money and DO SOMETHING about it.)

    Just my two cents.

  8. jake Silver badge

    @Jon, by way of Herby

    >> Have the "central control" send a message to self destruct.

    >

    >Because that would be hacking, which is illegal.

    No, hacking is not illegal. In fact, I make a pretty good living hacking, and have done since roughly 1974. I'm in the open, I'm not hiding, you can find me in the 'phone book. Occasionally, even law enforcement and the court system asks me to help out with ... uh ... "stuff".

    The problem with the "central control" concept is that there isn't such an animal. It doesn't exist, at least not within the current iteration of what we call "the internet".

  9. N

    No surprises

    considering the lack of security offered from a PC

  10. Jeff
    Thumb Down

    Bill G's true legacy...

    An internet full of infected MS machines - his name shall live on forever - or at least until everybody does a clean install all at the same time.

  11. Roger Greenwood
    Go

    Non-patched machines

    As has been pointed out, if your windows machines have been patched in the last couple of months, then you have nothing to worry about.

    I then wonder why most of the currently affected machines appear to be in Russia, China, Brazil etc. Could they be (shock horror!) pirated copies and therefore not allowed to be patched by MS?? (the "genuine" crap mentioned previously?).

    As you sow, so shall you reap. My current favourite crop is Ubuntu.

  12. Charles

    @jake

    What you do is under the auspices of law enforcement, with their permission and against machines within their jurisdiction. Now, try applying this principle to millions of machines all around the world, across multiple jurisdictions, sets of laws, and relations with your home country.

  13. Roger Heathcote
    Flame

    Jesus you idiots...

    ...who are calling for the spooks to swoop in, draconian new international rules on domain ownership and even, yes, assassination would be the first to get pissy were any of your governments to try and do any of that. Get a grip Keith / Alice. It's just fucking data.

    I'm sure the govt would love to have a new raft of powers over a technology they seem incapable of understanding but at the end of the day you're dealing with an inter-fucking-national network and unless you can get your rules made law in every country in the world then you'll just get your ass hacked from somewhere else.

    This shit is a fact of life, these are problems that you can't wish or legislate away - they have to be fixed. If your bank lets some Russian teenager clean out your account your bank has failed, they need to sort _their_ shit out not send in a hit squad - I don't know if you've noticed but quite a few banks have started issuing secure tokens to their customers recently - that's a solution, installing your updates is a solution, being a bit more fucking careful is a solution, blaming the ISPs and the script kiddies is _not_ a solution.

  14. Toastan Buttar
    Linux

    @N

    "considering the lack of security offered from a PC"

    You can get versions of Linux, BSD and Solaris that run on a PC these days, you know.

  15. Anonymous Coward
    Boffin

    Patches

    There is a little more to this worm than is being made clear.

    Already patched machines do get infected, either via Windows shares or careless use of USB memory sticks.

    My fully patched machine was hit via a shared folder from a server in work. Both the server and laptop had a fully up to date version of CA antivirus.

    Even when infection has been cleaned the rootkit the worm installs simply makes it look like the patch was applied (in reality it hasn't been).

    Additionally the CA antivirus (for example) CAN'T fully disinfect Conficker; it requires several additional tools. In addition it appears that CA don't think that they will be able to include proper disinfection within their regular AV package.

    From other accounts Sophos didn't manage to clean machines particularly well either, so don't expect things to get better for a while.

    There are whole IT companies infected in the UK and I doubt that the rest of the world is any better in this respect.

    AC cos you never know who is watching

  16. Antony Riley
    Thumb Up

    Simple solution

    Publish the details and/or code required to self-destruct the bots, in some sort of kneecapped form, then wait for some white hat in a country where there are less laws to fix your code and run it.

    Does not involve any qualified government or police personnel (I seriously doubt their existence, most governments can't afford any qualified personnel these days), does not involve breaking any laws.

    I believe this is what happened to Storm.

  17. David Glasgow
    Joke

    Henny Penny...

    Henny Penny! The sky is falling!...

    So? Jaunty Jackalope and Hardy Heron are my friends.

    ;-)

  18. Anonymous Coward
    Thumb Down

    @ Roger Heathcote

    HEAR HEAR!!

    Less moaning minnie and more security patching action if you please!

    The reason these viruses proliferate is typically due to lax security and patching policies! Get your systems up to date and keep them up to date and where will the virus be able to go! Lazy sys admins are the root cause of the reasons for viruses spreading.

    What is it with the world today, I don't want the UK Gov responsible for wiping my ass! they'd use up too much loo roll and then charge me to flush it!

    Let them get on with whatever job it is they claim they do and let the rest of us mere mortals pull our fingers out and concentrate on keeping the planet spinning on its axle, tomorrow never comes to patch up today.

  19. jai

    numbers

    I think it was on the BBC site, they had a list of the estimated infected in countries - the UK and the US were the bottom of the list, only 3000 in the States and nearly 2000 in the UK. The majority of infected were in China and Eastern Europe.

    So while it seems that western users are making use of the security patches, it's the rest of the world that are at risk.

  20. Dave The Cardboard Box

    internet censorship only applies...

    ... if there's a 100,000-1 chance it could f*ck up YOUR computer

    I presume these guardians of our safety went through a huge number of legally acceptable steps to close down these sites

    Double standards only apply to people with double standards.

  21. Kanhef
    Stop

    Can we please

    have some coordination between the A/V outfits so there's only *one* name for every virus, not two or three? Even the Reg hacks haven't agreed on what to call it.

    Assuming what they found is a 'machines infected' counter, I think they're interpreting it the wrong way, given the discrepancy between counter totals and unique IPs seen. It could be counting the number of machines attacked, whether or not it's successful. Alternatively, the virus could attack a machine, then query it to confirm that it was successfully infected. If the target was already infected, it would still be counted as a successful attack. This would substantially over-count the number of infections as it spreads across a corporate network.

  22. Chris C

    Windows Updates

    Regarding the comment "Those one in three who have not updated would not happen to be those who find Windows Genuine Armlock to be unfair and intrusive would they?", either you don't understand Windows Updates, or you're just trolling. I can't stand WGA, and I explicitly recommend that nobody install it. Having said that, it does NOT block Windows Updates. It DOES block you from going to the Windows Update website. Yes, there is a difference. Without installing WGA, the systems I administer update perfectly fine when set to automatic updates or download-and-notify. If I think there's an update my system hasn't checked for, I'll go into the Windows Updates control and disable it, wait 30-60 seconds, then re-enable it, and it will go out and immediately check for updates. My system is fully patched, and I do not have WGA installed or use the Windows Updates website.

    Having said that, one reason people MAY not want to set Windows Updates to automatic is that as part of installation, it will automatically reboot your system no matter what. What's that, you say? You had something important open, or were running scientific simulations, Prime95, StressPrime2004, downloading a large file, etc? Too bad. It shows a dialog box that says it will reboot in 5 minutes, and if you don't click no, that's exactly what it will do, no matter what is open or what app is running. That's why I set my personal system to download-and-notify. Download-and-notify wouldn't be bad for most companies, either, as long as the users shut their systems down at the end of the day (and let Windows install the updates during shutdown).

  23. mario
    Linux

    update your systems

    load linux, bsd etc.

    I've loaded Fedora 10 on my laptop and it rocks. Easy to install, has all that I need and didn't face any issues. Right from wifi, to the webcam to bluetooth, everything works pretty much out of the box. And did I mention that performance wise it's blazingly fast?

    oh and no antivirus. don't need one. linux is secure by design.

  24. Anonymous Coward
    Anonymous Coward

    What are the ISPs doing?

    If they told the ISPs the pattern of the domains, then they could start blocking the connection of the infected PCs until they are cleaned by the users? Put these systems into a walled garden with limited access to patching and clean up tools sites.

    If the ISPs offer a clean up service they could also make a bob on helping clueless customers clean up their PCs.

  25. Kevin Bailey

    We have to solve the root problem

    Get clients over to Open Source. We know MS can not produce reliable software. No wonder all our development has been moved to the LAMP stack - now get the clients to use a browser via Ubuntu, Mac or similar.

    Let's solve the core problem, people - not chase tails over the symptoms.

  26. Mike Morris
    Alert

    Fully Patched is NOT fully protected

    MS patches up to date.

    AV definitions up to date.

    Behind corporate firewall - no idea if THAT means anything.

    Scenario: AV software detected 2 files, one quarantined, the other untouchable - oops.

    Requires a supershell to allow permissions changes to registry to even see where the services were hacked so that the bastard worm could be disabled and destroyed.

    Took several hours to clean all the machines in the office - most fully patched XP & 2000 boxes of the 2 different Downadup varieties we encountered.

  27. Andy Worth

    Re:update your systems

    "no antivirus. don't need one. linux is secure by design"

    Linux is "more" secure by design, there are also fewer viruses written for Linux than for Windows but that does not mean you can neglect to install an anti-virus. It almost sounds like you are new to Linux (because you seem almost surprised that it is so easy to use these days) - in which case I am guessing someone you know told you that you don't need an anti-virus on a Linux install.

    I've heard it all before and it's a common misconception that you "can't" get a virus on a Linux machine.

  28. Ash
    Unhappy

    Precedent

    I believe there was talk of a White-Hat pushing out destruction code for the MyDoom / Sasser worm half a decade ago. As I recall, the scanning algorithm was so efficient that it caused more network traffic than the original worm.

    Even with the best of intentions, sometimes they get it wrong.

  29. Mark

    @Chris C

    But these are the same people who, being unable to work icons under Ubuntu because they look different, are recommended to use Windows "because it is so easy".

    Someone that clueless about computers won't know that they don't have to go to the Website.

  30. Anonymous Coward
    Anonymous Coward

    It is the users

    They don't update, they don't upgrade, they run unverified executables, they don't reinstall, they don't know how.

    It really is not the OS, if the 'users' would jump to a different OS same story; it is their actions and their inability that enables malware to proliferate.

    There is no de-infect, there is no central control, there are just clueless users.

    Malware nowadays can adapt, can check for the presence of other running software. Check out corewars, that's the game http://www.corewars.org/ and a lot of malware uses a variant on the idea.

    The problem is a general purpose computer system is always going to be vulnerable, just by the nature of it being general purpose, there are ways to reduce vulnerability, but none are simple 1 dimensional ideas, at the base it requires constant monitoring and trusted sources.

  31. phil
    Linux

    advocacy

    >oh and no antivirus. don't need one. linux is secure by design.

    lol

  32. Rob Crawford

    STFU girls

    FFS grow up no one OS fits all, have you not learnt that by now.

    IF 90% of desktop machines were based on a single linux distribution you would be suffering the same as the windows crowd are now.

    Oh Mario, if you think you are secure why don't you have a go at posting a public address for your machine, and see how long it stays clean.

    Windows, Linux, BSD, Solaris, OSX, VMS or even VME they all have holes and always will, it's just weight of numbers means that it's windows machines that get all the attention paid to them.

    Grow up.

  33. Mark

    @Kevin Bailey

    I don't think it is that MS can't produce secure software.

    It's that they don't want to.

    Because such software would be harder to use and MS would have an OS that is on an equal footing with other OSes and therefore couldn't use their monopoly power to keep it number one.

  34. Huw Davies
    Flame

    @mario

    I'd gladly upgrade all the systems here - if it wasn't for one major point.

    $IMPORTANT_BIT_OF_BUSINESS_SOFTWARE does not run on anything other than Windows.

    If the developer was prepared to spend the £££ required to re-write this product so it would run on $INSERT_OS_OF_YOUR_CHOICE then I'd do so.

    But they can't/won't. So I'm stuck with it.

    And before anyone else starts, there is no comparable product that isn't also Windows only. Trust me, I've looked.

  35. TeeCee Gold badge
    Joke

    @Roger Greenwood

    I'm sure that the Russians, Chinese etc. would like to move to Ubuntu, but there's one thing stopping them.

    Where do they get the pirated version from?

  36. John Hughes
    Linux

    @Huw Davies - $IMPORTANT_BIT_OF_BUSINESS_SOFTWARE

    Tried Wine?

  37. Mike

    @update your systems

    >no antivirus. don't need one. linux is secure by design.

    hahahahahahahahahahahahaha............

    Viruses were born on OS's like Linux, (anyone guess what the "root" in rootkit originally meant?), I've seen many a Linux virus.

    Linux can be more secure than Windows, Windows can be more secure than Linux.

    Linux is very unpopular compared to Windows (this is purely a numerical fact), this is why there's not much effort trying to infect it, now if it was as popular as windows, it would not only have a much better selection of software available, but it would be worth the effort of Virus writers to attack it. OK it's not as simple as that, but run everything as root (like Lindows) or be complacent and you will have problems, have you noticed how similar UAC is to the default sudo in Ubuntu?

    Don't get me wrong, I love Linux, I have two systems running at home 24x7, one internet facing

    but I use Vista for general surfing, games and photo editing, if Counter-Strike:Source ran on Linux and Gimp was as good as Photoshop:CS2 then maybe I'd replace my desktop, but probably not, if there's something I want to do, I can do it easily on Windows, can't always expect that on Linux, and all too often on Linux I have to build a package from source.

    One day Linux might have the wealth of software of Windows that just works "out of the box", but when it does it will probably have a wealth of viruses too.

    OK, still not convinced? Just check all of the patches, revisions and security vulnerabilities in the LAMP stack over the last 2 years, now imagine that clever people wanted to take advantage of these vulnerabilities and took advantage of them before they were patched, and that's just in one, very open, well maintained, well written set of applications.

  38. Bumhug
    Thumb Down

    @John Hughes

    Tried getting support when an app goes wrong and it's running through Wine? Even if you are 99.999999999% certain it's an app-related problem rather than an OS-based problem they won't want to know.

  39. Craig
    Jobs Halo

    Happy

    I feel so left out, 18 virus free years on a mac, maybe there will be one this year we'll see....

  40. Anonymous Coward
    Flame

    ISPs failing in their duty

    ISPs should be detecting unpatched machines and then blocking their access until the user sorts it. Running a secured PC should be written into the contract with the user and enforced.

    We don't need governments to stick their beak in, we need ISPs to actually do the job they are paid to do.

  41. The Fuzzy Wotnot
    Linux

    Feel a little sympathy for MS but....

    MS are damned if they do damned if they don't!

    If you knock off Windows and you get "caught" you are denied updates necessary to protect the install, that natty little box in the corner and nice WWII blackout curtain backdrop. MS have every right to protect their product from unauthorised use, well MS I'm afraid this is the payback!

    Don't give me all that cack about "Well Windows is so widely used it is obviously going to get attacked!". Let me give you a one word argument to that old cods, APACHE.

    Apache runs 70%+ of the world's web servers and it manages to stay ahead of the game and not get infected, while IIS lags behind and is always under attack.

    MS write shonky code and release half-baked software, deal with it!

    ( Just slip into my flame-proof suit here! )

  42. Anonymous Coward
    Flame

    @mario

    >oh and no antivirus. don't need one. linux is secure by design.

    Pfft. Linux is only "secure" because it does not yet have enough penetration to warrant writing attacks that target its users (worms, trojans etc). Where it does have enough penetration, it can and does get attacked and hacked into.

    You can make Windows more secure (top tip: dinnae have your user account being an admin), but most people do not do this. Which is THEIR OWN STUPIDITY.

    Your attitude is *EXACTLY* what causes the kinds of problems we are seeing. I bet you log in as "root" because Linux is soooooo secure.

  43. Huw Davies

    @John Hughes

    Yup.

  44. Anonymous Coward
    Anonymous Coward

    hum..

    "Get clients over to Open Source. We know MS can not produce reliable software."

    *cough* debian SSH *cough*

    Anyway this is a patched vuln. So if all computers are patched it needs to get on the network by someone with admin privileges running the .exe or other file via the other methods.

    If this was linux/mac it would be the same thing, weakest point in pc security is the user, simple as.

    Stop blaming MS and the WGA, I seem to remember at the start when they brought it out they did block ALL updates to non verified users, but then there was a big fuss about it cause millions of pirate machines couldn't get security fixes.

    If you don't like WGA cause it phones home, fine. Install and edit hosts file etc to block access. If you don't like WGA cause it means you actually have to pay for software, grow up and see the real world.

  45. Fred
    Linux

    Yet more common sense reasons to dump windows

    Ha ha!

    Like lemmings off a cliff this will never stop until evolution replaces either windows or man-kind!

  46. Mike

    @The Fuzzy Wotnot

    >>Don't give me all that cack about "Well Windows is so widely used it is obviously going to get attacked!". Let me give you a one word argument to that old cods, APACHE.

    >>Apache runs 70%+ of the world's web servers and it manages to stay ahead of the game and not get infected, while IIS lags behind and is always under attack.

    Have a look at the vulnerabilities against 1.3/2.0/2.1/2.2 on the apache.org site - remember these are only the ones that have actually been fixed!

    Some of the highest profile web page defacements and root compromises have been due to Apache not patched to the latest level (and there are also zero day hacks too), which is actually a perfect example of when something becomes popular it gets attacked, so I guess your one word argument actually is more valid round the other way.

    The other thing to note is that if a server has Apache, you don't know what distro (or even OS) is behind it, could be windows, could be Solaris/Linux and a whole host* of others, otoh if a server has IIS, likely it's Windows on x86 so any compromise is far more likely to be predictable.

    *host.... gedit?

  47. Joe Montana
    Stop

    Monoculture

    This just goes to show how harmful the windows monoculture is...

    If windows had a smaller market share, say 30% with linux and mac also having 30% (and 10% of misc others), then the damage such a worm could do would be considerably less. And you would have something else to use while one system is unsafe to connect to the internet due to 0day bugs.

    Someone else mentioned Debian SSH... But that just goes to further illustrate how a monoculture is bad, if everyone was running Debian the SSH bug would have been far more damaging.. But instead, the Linux community is split between a number of major distributions as well as countless smaller ones... Those which were not Debian based had nothing to worry about. Windows only has one "distribution", and is therefore far more reliable to target.

  48. Mark

    re: Monoculture

    But monoculture doesn't make as much damage if the underlying system is secure.

    See, for example, Apache installs (60%). Fewer infection notices than IIS (30% or less).

    MS make their OS "easy to use". Which is also easy for the worms to use too.

  49. Mark
    Paris Hilton

    @Anonymous Coward

    Nope, wrong.

    Windows can install via Office problems. Why? Because IE is run as admin (some of it higher than that) and it is used in Office for rendering messages.

    Autorun is how this worm manages to propagate.

    No autorun on Linux.

    Therefore this vector CANNOT EXIST on Linux.

    Your statement is just wishful thinking and completely and utterly without any data that could suggest it may be true.

  50. Mark
    Paris Hilton

    re: hum..

    SSH is available for windows.

    This is an OS flaw. Not an application one.

    SSH is an application.

    Idiot.

  51. Rob Crawford

    @mark

    Do you want to try reading the worm description again ?

    No, the autorun feature is not the only attack vector.

    1: is an overflow compromise in windows

    2: by network shares

    3: autorun
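    For the removable-media vector listed above, an added defender's check (example code, not from anyone in this thread): it reads the AutoRun policy value and lists removable drives that carry an autorun.inf for inspection. It assumes a Windows host with PowerShell and the standard NoDriveTypeAutoRun policy key.

    ```powershell
    # Added example: audit whether AutoRun is disabled on this host and flag
    # removable drives that carry an autorun.inf worth inspecting.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policy = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $val = $policy.NoDriveTypeAutoRun

    if ($null -eq $val) {
        Write-Output "NoDriveTypeAutoRun not set: the OS default AutoRun behaviour applies"
    } elseif ($val -eq 0xFF) {
        Write-Output "AutoRun disabled for all drive types (0xFF)"
    } else {
        # Each bit in the mask disables AutoRun for one drive type; anything
        # below 0xFF leaves at least one drive type with AutoRun enabled.
        Write-Output ("AutoRun still enabled for some drive types: 0x{0:X2}" -f $val)
    }

    # DriveType 2 = removable disk. Report any autorun.inf present so an
    # administrator can review it rather than let Explorer act on it.
    Get-CimInstance Win32_LogicalDisk -Filter "DriveType=2" | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            Write-Output "autorun.inf found on $($_.DeviceID) - review before use"
        }
    }
    ```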

  52. Maliciously Crafted Packet

    And the most common line of bullshit is...

    If OS X/Linux had the same market share as Windows it would suffer the same amount of viruses and security threats.

    With OS X market share approaching 10% in the US. I need to ask where's our 10% share of viruses?

    In fact where's our 0.010% share of viruses, Eh?

  53. Anonymous Coward
    Thumb Up

    The funniest thing about this whole affair...

    ...is BBC news trying to explain it: http://news.bbc.co.uk/1/hi/technology/7832652.stm

    Scroll to the 'Method' section, and giggle.

  54. Tone

    @Maliciously Crafted Packet & John Hughes

    I thought the 10% was growth and not installed base and the figure is only for devices that have accessed any of Net Applications clients who log this information.

    There are probably millions of windows boxes that have never been seen by Net Applications, only Apple and Microsoft know the real numbers..

    "Wine is still under development, and it is not yet suitable for general use."

    http://www.winehq.org/about/

  55. William Old
    Gates Horns

    @Mike and Andy Worth...

    > I've heard it all before and it's a common misconception that you "can't" get a virus on a Linux machine.

    No, it's not. There are no Linux viruses, and never will be. However, shedloads of malware exist for all platforms, including Linux - trojans, worms, miscellaneous security vulnerabilities... the list is long.

    The problem is caused by the likes of Sophos, who will admit (in direct correspondence) that there is no such thing as a virus (executable malware that propagates through self-replication without user intervention) for Linux, but will then explain that, for marketing reasons (because they are selling their products mostly to non-techies) they now use the word "virus" instead of "malware" because (as is the way of the world) they sacrifice accuracy for the need to "dumb down" in talking to their customers. Presumably, such users are too stupid to understand the word "malware", but comprehension dawns if "virus" is used instead. Sigh.

    Language is designed to convey meaning, and so accuracy in the use of language (including the use of correct spelling and grammar) is important. Hence this post.

    So, in summary - lots of malware exists for all distributions of Linux. But there are no viruses for Linux. If you think you've found/invented one, use it to attack a properly-configured machine run by Eddie Bleasedale at NetProject, and thereby claim the prize of (whatever) thousands of pounds that he's been offering for years for this impressive task.

    And don't bother to post if you find advertisements for the "Linux anti-virus software" that actually runs on Linux to remove Windows viruses passing through in e-mail messages and attachments, and think that this proves the converse.

    Sigh. Again.

  56. Mark

    @Rob Crawford

    "No, the autorun feature is not the only attack vector."

    But if you patched Windows, the autorun feature is the only one that causes this problem to still exist.

    Buffer overflows mean that your malware runs as you, not root. Whereas malware for IE runs as system.

    Network shares are shared as user nfs and have no capability to run anything other than network shares except as user nfs and when there is an exploited bug (Which, since Linux is variable in character, is harder to exploit since it relies on certain versions to be installed which probably aren't).

  57. A J Stiles
    Alert

    And it's not going to go away

    Part of the problem is that you can never make a building secure by screwing on a lock from the outside -- because it can be *un*screwed from the outside. You have to screw the lock on from the inside.

    The other part of the problem is that the business activities going on in that building rely on all manner of tradespeople having access. Not only that but they have got used, over the years, to having full and unfettered access to the building -- and learned to take shortcuts through rooms to which they never really needed access. Although *most* of them are well-behaved and don't poke about in other people's drawers, anybody could wander in pretending to be on official business and wreak havoc. And *any* access restriction is going to affect people who have a legitimate reason to be there.

    Across the way, meanwhile, is another building. This one had locks fitted properly from the inside ever since it first opened for business; and any tradesperson who needs access has to have their own key, which only opens doors they actually need to use in order to go about their legitimate business. Occasionally, someone in that building leaves something unlocked and a malicious interloper gets in. But that building's blueprints are available in the library for anyone to look at; and nine times out of ten, a problem will be spotted by some responsible person who will inform the management rather than exploit it for their own ends.

  58. Anonymous Coward
    Paris Hilton

    @ Steven Knox

    The public can protect itself by learning to use a BSD/GNULinux otherwise they're in for tough times it would appear.

    And NO!! the ratio of effective attacks won't increase proportionately.

    Paris, because I know someone will say that the ratio of effective attacks won't increase proportionately.

  59. Rob Crawford

    @ mark

    We had several patched machines that were infected and it wasn't from removable media.

    Up till Monday we were still seeing the AV popping up every few hours saying that the infection had been cleaned. That's after the registry was fully cleaned and the patches were checked (yet again) though things have been sane since then

    You may want to disagree but it doesn't change reality
