Debate, and discuss, just dont Bore me.
Throw away the Key on these Clowns
Published on August 29, 2005 By Dr Guy In Personal Computing

Zotob was one of the fastest exploits of a Microsoft hole yet created.  In less than a week's time, these infantile idiots, Farid Essebar of Morocco, and Atilla Ekici of Turkey released what essentially was an aggravation (the worm did not destroy data, just crashed servers).  I am glad these juvenile delinquents were grabbed so fast as these clowns must be stopped before someone tries to outdo them in the future and release a deadly worm just as fast.

But I have to wonder about the so-called experts as well:

But experts said the damage probably wouldn't be substantial because most companies made the necessary software fixes quickly.

I don't know about these experts, but in our organization, with over 100 servers that need patches, even if we jumped right on them when a patch is released, it would still take 4 days to complete the patching.  And we don't like to do that.

We have been burned in the past with bad patches from Microsoft breaking the system or other applications, so we like to test the patch for at least 2 weeks on Test boxes and redundant boxes to make sure we do not detect any ill effects.  We did not have that luxury this time because of the release of the worm, but it still took us a week and 1/2 to get all the boxes patched. And we crossed our fingers the whole time hoping and praying that we were not doing more harm than good.

Don't get me wrong, we do have firewalls, and very few of our systems are even exposed to the internet (in a DMZ).  But in an organization of 11k users, there are a lot of laptops, and they can be used to circumvent those firewalls.  It has already happened once (but we were patched for that worm, just the user was not).

It is unrealistic to think that patching can be done overnight and the bug makers know this.  I wish I had more confidence in Microsoft and its patches, but I have been burned too many times in the past by a patch (only to have it re-released in 2-4 weeks).

These juvenile delinquents should be made to pay with both complete revocation of any computer use, and a fine so onerous that they never see themselves debt free.  For only making it a harsh and painful penalty will the other miscreants out there think twice before getting their jollies.


Comments (Page 1)
on Aug 29, 2005
Sadly Dr. Guy, at my place of work, we have found that the most recent round of Microsoft released patches breaks MS Office applications when users are writing to floppy disks. You can copy to floppy just fine, copy off of floppy just fine, but try saving Office application files to the floppy repeatedly and the system will hang (or at least the application will hang).

The problem is confirmed with Windows 2000, not certain with Windows XP. Again, only affects MS Office applications, but the problem definitely started when MS released their last round of patches.

Sadly, it seems that they have a history of this sort of patch -- fix the really bad security hole, but kill some functionality of the user in the process. Later they hopefully release a fix for the fix that takes care of the unintended consequence and gets stuff back in order.
on Aug 29, 2005
It also 'breaks' the drag and drop from untrusted sites, even if you are dragging TO the untrusted site (the other way around makes sense). But that's easily fixed by adding the sites as trusted.
on Aug 29, 2005

Sadly, it seems that they have a history of this sort of patch -- fix the really bad security hole, but kill some functionality of the user in the process. Later they hopefully release a fix for the fix that takes care of the unintended consequence and gets stuff back in order.

Fortunately, I am in charge of the servers, so I was not aware of that bug.  But even so, I always tell my users to save to HD and then copy to floppy.  I guess that is why I was unaware of this one.  Thanks for the tip tho!

on Aug 29, 2005

It also 'breaks' the drag and drop from untrusted sites, even if you are dragging TO the untrusted site (the other way around makes sense). But that's easily fixed by adding the sites as trusted.

I am going to have to start a Microsoft bug column a week!  Thanks for the 2 tips both of you!  Glad I am the server nerd, and not the desktop nerd!

on Aug 29, 2005
I work for a company that can not risk any of their applications having compatibility errors with the operating system. We have so many internally developed apps that patches take MONTHS to pass through Testing & Quality Control (TQC). The only thing that keeps us alive when these viruses go out is a draconian security infrastructure.

1. Internet access is off by default. You have to request a separate login/password to get through our Internet cache/firewall
2. All systems have centrally managed a/v software. Definitions get automatically pushed without user intervention.
3. Almost all servers are cut off from the external network. Only by going through the VPN can you get access to them if you're off-site.
4. Only company-provided laptops can connect to the VPN. All laptops come equipped with several firewall and access restriction tools, plus the user does not have admin rights to turn any services off. VPN login requires one of those RSA SecurID keyfob thingies with the changing numbers.

The only systems that are externally available are replicated account databases and web servers. No external system can connect to or modify an internal one (information gets PUSHED to the external boxes). Those get patched immediately, but only because they don't run business critical software.

The larger the corporation, the longer it takes for them to roll out patches. Patches change the OS, and OS changes can ruin app compatibility, and in a very large environment, it takes a lot of time to push out a patch, and even more time to roll a patch back. Here we deal with about 30k employees worldwide. It is a major task to update ANY software for the enterprise.

Hell, we JUST upgraded systems to WinXP within the past year and a half.... And we're resisting Service Pack 2 to the very end.
on Aug 29, 2005
They don't want what I would give them. I *HATE* virus checkers. I hate running them, they slow down your PC and take resources that could go elsewhere. The fact that literally billions of people have to slow down their computers because of a bunch of no-life geeks who supplement their flaccid, sexless lives with this kind of mayhem is a real crime.

I don't think any punishment is too harsh, honestly. I couldn't personally pull the switch, but if someone wanted to I wouldn't run over and stop them. Attacking the daily lives of billions of people, and causing companies to spend billions in time and labor to protect themselves is enough for at least life in prison, imho.
on Aug 29, 2005

Hell, we JUST upgraded systems to WinXP within the past year and a half.... And we're resisting Service Pack 2 to the very end.

Well, you are stricter than we are, but we do not require special permission to access the Internet.  However, the firewalls would prevent a bad bug (unless specifically downloaded) from entering.  Our AV is the same way, but the defs for Zotob did not come out until Tuesday, and the bug hit late Saturday. (Life Styles caught us the same way).

And you are wise to resist SP2 EXCEPT on the Laptops.  It helps there, but not on a regular desktop.

on Aug 29, 2005
We basically take the "Everything OFF unless an exception is needed" approach to security. Even if you have 'net access here, any scripts (Java, ActiveX, JavaScript etc...) are blocked unless an additional exception for that specific page is granted.

Things tightened up a lot after a user disabled NAV on their laptop this past winter and brought in one of those scan-and-replicate viruses to the main network. Our entire CT network as well as our primary corporate data center were taken offline for a full day. That cost us around $25 million in lost productivity and recovery costs. A small thing can be devastating for us here. It wasn't even a malicious virus, just one that flooded the network with scans and replication.

If a patch can't be certified for desktops it can't go to the laptops either because there's no real "zone" for laptop users. If you're a remote worker you probably do the same stuff someone at an office location would, and many office users have laptops too. Laptop use and desktop use is indistinguishable, so it's an all-or-nothing proposition with patches and the service pack.

You're the server geek, we've got a few desktop geeks... I'm becoming a security geek
on Aug 29, 2005

They don't want what I would give them. I *HATE* virus checkers. I hate running them, they slow down your PC and take resources that could go elsewhere. The fact that literally billions of people have to slow down their computers because of a bunch of no-life geeks who supplement their flaccid, sexless lives with this kind of mayhem is a real crime.

I could not agree more.  Unfortunately, since 1991, and NAV 1.0, we have had to run it on the desktops (we got Dark Avenger and it took our network down for 3 days).  It is at least better in the NT days as we are no longer constrained by the 640k (actually 1mb) limit, but it still dogs a system.

on Aug 29, 2005

You're the server geek, we've got a few desktop geeks... I'm becoming a security geek

We all are becoming those!  Trust me on that!

on Aug 29, 2005
don't think any punishment is too harsh, honestly


I agree. These bastards should be taken out to the woods, stripped and made to sit on a tree stump. Nail their sacks to it and push them over backwards.
Do that to a few of them and viruses will decrease. But Nooooooooooooooooooooooo, let's swat them on the back of the hands then offer them jobs as security experts. That will discourage them won't it!!
on Aug 29, 2005
agree. These bastards should be taken out to the woods, stripped and made to sit on a tree stump. Nail their sacks to it and push them over backwards.


I was trying to be civil and politically correct. However, that does not mean I am not open to suggestions. Yours and Baker's are welcome. I am not going to argue with them.
on Aug 29, 2005
civil and politically correct


Dr. I'm not one to be politically correct. As a matter of fact, that in itself is a HUGE pet peeve of mine. Sugar coating things does nothing but instigate whining, frivolous lawsuits (all because someone's feelings get hurt), and more rebellious behavior without fear of penalties.
on Aug 30, 2005
These juvenile delinquents should be made to pay with both complete revocation of any computer use, and a fine so onerous that they never see themselves debt free.


Not harsh enough....the removal of body parts essential to key tapping and button pushing....a lobotomy to prevent virus instruction.

at least life in prison
with enforced gender reassignment to attract the worst attentions of the vilest of prison miscreants.

Far from being politically correct, perhaps inhuman, but these parasites deserve no less than the worst for such ill intent.
on Aug 30, 2005
Dr. I'm not one to be politically correct. As a matter of fact, that in itself is a HUGE pet peeve of mine. Sugar coating things does nothing but instigate whining, frivolous lawsuits (all because someone's feelings get hurt), and more rebellious behavior without fear of penalties.


Normally, I hate PC as well. I guess I do here as well. I think the penalty should be severe, but one that can be held up so that others will think thrice before creating a bug. Death is too quick and easy.