Full Version: Blaster
/\/ephaestous
Have you been affected by the W32.Blaster.Worm virus?
Just curious, because 7% of my country is...
kl33per
I installed the patch for XP as soon as it was out, so no virus for me.

Edit: I know lots of people who have had it though.
M
No, but if you are unsure whether you might be affected, there is a very easy way to check (and remove the program, if you have it) described here.

- M.
The_Cisco_Kid
not at all - have always been paranoid and have been using dual firewalls (router and the excellent anti-hacker SW) for some time now.
Pio2001
I misvoted null while it should have been "no". Kerio Personal Firewall blocked it. Two of my MSN contacts (among about 10 regulars) had it.

EDIT : by the way, did you like it ?

"1 : No, I think these stupid things are due to braindead people that should get a life instead of messing with others' computers"
"2 : Yes, I think it was a rather harmless warning for all of us who don't think about running Windows update, and a reminder of Windows' vulnerability"

I choose the answer 2. Imagine what would have happened if the code said "Format C:" or "xxflash" instead of "reboot". Any hacker could have done this just before Blaster was out. I think that the Blaster Worm saved our asses from a worldwide mess. Now most computers are patched against this security hole.
nyarlathotep
I voted NO.
Because my OS is Windows98 and nobody, not even hackers, seems to be interested in it anymore.
Anyway, my firewall (Kerio) would probably have blocked it (hopefully).
dev0
To all you people, who feel secure with Software Firewall please read this. It would have been a matter of just some lines of code to get all those people, too.

dev0
The_Cisco_Kid
QUOTE(dev0 @ Aug 16 2003, 03:30 AM)
To all you people, who feel secure with Software Firewall please read this. It would have been a matter of just some lines of code to get all those people, too.

dev0

the main reason I have a SW firewall running is to know what is trying to make an outgoing connection - having the ports stealthed is just a bonus in my opinion.
I know better than to think that a firewall will magically protect me from gaping holes in the OS itself - I place more value in my router firewall than the SW side.
Pio2001
The percentage of answers should be compared to the percentage of users running Windows XP / 2k, since the worm only affects these two OS.
The_Cisco_Kid
running winXP Pro Corporate and win2k pro here. My Mandy 9.1 box is seldom on, and would not apply here in any event.
fewtch
QUOTE(nyarlathotep @ Aug 16 2003, 03:01 AM)
I voted NO.
Because my OS is Windows98 and nobody, not even hackers, seems to be interested in it anymore.
Anyway, my firewall (Kerio) would probably have blocked it (hopefully).

I'm interested in it -- I have the same OS! (98SE).

It's interesting that I've had the same install running since 06 Sept 2001, and without a single memorable crash. I'm still hearing too often about crashes and issues with XP (and despite the fact it looks like a child's kindergarten concept of a user interface in the default configuration). Those audio-related issues... soon Microsoft will have the "secure audio pathway" installed through Windows Update, and XP users won't be able to play certain files anymore or rip certain CD's, or burn certain files, or listen to certain songs, or run certain programs...

*nix, here I come (soon)...
music_man_mpc
QUOTE(Pio2001 @ Aug 16 2003, 12:27 AM)
I choose the answer 2. Imagine what would have happened if the code said "Format C:"

One of many reasons why C:\ is only my boot partition. Now if it said "format I:\" . . . that would not be cool.
music_man_mpc
QUOTE(fewtch @ Aug 16 2003, 04:05 AM)
. . . soon Microsoft will have the "secure audio pathway" installed through Windows Update, and XP users won't be able to play certain files anymore or rip certain CD's, or burn certain files, or listen to certain songs, or run certain programs . . .

I wonder how long it will take before there are a million hacks for that update.
phong
I don't know how Microsoft justifies having the computer running so many services and listening on so many ports BY DEFAULT. Most people should have zero services running (the ones that listen for internet connections anyhow.) They never use them. Why the hell is that stupid windows messenger spam receiving thing on by default? Why is Windows listening on those RPC ports? Are they actually something that is critical for the operation of all Windows machines?

To be fair, a big part of the reason these become so widespread is because of the homogeneity of the internet. Windows machines comprise an overwhelming majority of end-user machines. However, web servers running IIS do not represent a majority, and they're to blame for the IMO worst worm (codered) in modern times. There hasn't been a huge disastrous Apache worm, even though it runs on the majority of web servers.

I think part of the blame really needs to go to system administrators (and yes, end users). The hole has been known about for a couple months. The patch has been available for a couple weeks. A big warning about it has been in the headlines for at least as long. Yes, I understand that in corporate environments, it is hard to roll out a patch that quickly since it has the potential to break things. But I think it's been demonstrated time and time again that it's necessary. If you don't have a system for patching things QUICKLY, you need to get one, both for your benefit and the benefit of the millions who share the Internet with you.

The most interesting worm IMO is of course the first:
http://world.std.com/~franl/worm.html

And if somebody wrote one like this attacking a previously unknown vulnerability we'd be in deep doo-doo:
http://www.cs.berkeley.edu/~nweaver/warhol.html
AstralStorm
QUOTE(dev0 @ Aug 16 2003, 01:30 PM)
To all you people, who feel secure with Software Firewall please read this. It would have been a matter of just some lines of code to get all those people, too.

dev0

That Zaweg targets only a specific firewall - and it wouldn't do anything at all,
as ZA blocks unknown connections if its administration program is off.
Software firewall should be a driver, operating at nearly lowest level of network architecture (below protocols).
(Most of them are services nowadays, which is just PLAIN STUPID.)
Trying to kill a running driver in NT/2k/XP is a no-go - result: BSOD.

/EDIT\
Fragment from the website:
QUOTE
You don't have the source code for the operating system or for the new piece of software, so it is impossible to verify that it does anything at all, let alone improve security.

So why should you install anything untrusted?
It is possible to check if it does anything, that's why the tests are written.
And you can always capture the output with another machine (or machines).
(That's how GRC detected that BlackICE Defender is crap.)

I wasn't affected by the worm, because my machine is quadruple-protected:
1. Machine running NAT & Firewall from copy-protected floppy - Linux-based.
2. Newest security (not all) patches from MS.
3. Local personal firewall to block outgoing connections with MD5 support (Kerio).
4. Constantly updated antivirus program.
\EDIT/
CiTay
A friend was affected, he was away for a week and his second PC is always on, so when he came back, it constantly rebooted for two or three days already, hehe... but me and most of my friends usually install any new patch from Windowsupdate immediately. Oh, and having a hardware and a software firewall sure helps, too.
vinu
I voted no, but I'm not sure if my vote counts... using linux here
sphoid
I'm running windows 2003 which is said to be vulnerable, however my machine hides behind a linux server running iptables so my windows machine is more or less inaccessible for these kinds of things. At least until someone comes up with a bug smart enough to compromise NAT based networks.
AtaqueEG
QUOTE(M @ Aug 15 2003, 11:25 PM)
No, but if you are unsure whether you might be affected, there is a very easy way to check (and remove the program, if you have it) described here.

    - M.

Thank you for the info.
I usually pay no attention to the "epidemics" that break out every now and then. I used to think that, for as long as you pay attention to the files you received and kept up on your machine's maintenance this kind of thing would not affect you.
But then a computer-savvy friend of mine told me that this was "different".
I decided to check your link, and it was very helpful.

I think I will stop being so naive.
JensRex
QUOTE(AstralStorm @ Aug 16 2003, 04:42 PM)
(That's how GRC detected that BlackICE Defender is crap.)

I would take anything Mr. Steve Gibson says with a grain of salt.

Read around GRCsucks.com a bit, and you'll find out why.

Specifically related to BlackICE Defender are:
kotrtim
Horrible, I just got that yesterday
For months I didn't upgrade my Norton Virus Def.
And Norton can't identify the worm!

It's so annoying, the blaster keeps on terminating a windows service that forces me to shut down

And I've 3MB of def. to download from Norton
Before the comp. shuts down I could only manage to download ~1MB coz I'm using 56k dial up.

So I finished downloading all the def. after 3 times of restarting! Then, I removed it successfully coz now Norton can identify it after def. upgrade

Who wrote that "blaster" worm
sld
QUOTE(kotrtim @ Aug 17 2003, 02:03 PM)
Who wrote that "blaster" worm

Well part of his idea was to get users to buck up about system security.
It seems here that he failed.

We shouldn't be needing worms and viruses to get us proactive in protecting our computers from the Internet.
AstralStorm
QUOTE(JensRex @ Aug 17 2003, 02:28 AM)
QUOTE(AstralStorm @ Aug 16 2003, 04:42 PM)
(That's how GRC detected that BlackICE Defender is crap.)

I would take anything the Mr. Steve Gibson says with a grain of salt.

I've always taken Steve's words with a bucketful of salt and I know about these pages.

BlackICE Defender isn't a firewall (it's an IDS) and doesn't block outgoing connections.

Modern hybrid protection systems (like Kerio 4.0.0 RC3 or Sygate) have both IDS and packet filter.
yourtallness
A friend's pc was infected. We got rid of it with the fixblast (found it on
www.filemirrors.com) prog and installed the patch afterwards. Before
the removal of the worm all kinds of Windows routines kept crashing
(e.g. Remote Procedure Call) making it impossible to do simple stuff like
copy/paste or open a new explorer window (weird...).

QUOTE
It's so annoying, the blaster keeps on terminating a windows service that forces me to shut down

And I've 3MB of def. to download from Norton
Before the comp. shuts down I could only manage to download ~1MB coz I'm using 56k dial up.


You could have prevented shut-downs by changing the attributes of some routines
(by running services.msc). That's what I did, 'cos the flippin' machine kept shutting
down.

What I need to know is: could there be any permanent damage on my friend's pc?
JensRex
QUOTE(AstralStorm @ Aug 17 2003, 01:45 PM)
BlackICE Defender isn't a firewall (it's an IDS) and doesn't block outgoing connections.

What do you mean it isn't a firewall?

QUOTE(AstralStorm @ Aug 17 2003, 01:45 PM)
Modern hybrid protection systems (like Kerio 4.0.0 RC3 or Sygate) have both IDS and packet filter.

I got sick of that popup asking me all the time if some program could access the Internet. I'm careful what I download, and I don't run spyware-ridden software.

Now that sort of program would be better for my mom's PC, although I've taught her to never open any attachments from anyone. But she wouldn't know what to respond to a popup like that. Try teaching her about TCP/IP. So I'm going to install BlackICE on her computer as well.

BlackICE just seems like better software to me. It reports in great detail what's going on instead of dumbing it down, or not reporting it at all.
AstralStorm
Yes, it's good at what it's doing. (though not as good as Snort I think)
Anyway, it's quite easy to teach someone to use a packet filter, especially after initial configuration.
- read program's name to not confuse it with something else
- place a checkmark in 'create a rule' or something similar
- if you're running a new program, allow access
- check if it's 'Modified software notification' or something like that and you didn't install new/old version of the program, block it
- if it's 'Server access notification' and the program is messenger, IRC DCC, Peer2Peer or network game, allow it

BlackICE is not a firewall, because it doesn't hide unused ports
and only blocks connection if it thinks it's a known attack (like trojan).
It will not protect you from unknown attack, unlike a good firewall,
e.g. not recently updated Defender won't protect you from RPC exploit.
eltoder
QUOTE(AstralStorm @ Aug 16 2003, 09:42 PM)
Software firewall should be a driver, operating at nearly lowest level of network architecture (below protocols).
(Most of them are services nowadays, which is just PLAIN STUPID.)
Trying to kill a running driver in NT/2k/XP is a no-go - result: BSOD.

Surely they are network filter drivers, otherwise they would be unable to operate. They need a service part to provide user interface, because a driver can't do that.

Also "killing" a driver is impossible, because it's not a process. But stopping and unloading a driver is often pretty easy.

-Eugene
Sachankara
Hardware firewall + software firewall = relatively safe...
Niwatori
Got it 2 times..
Not bad I don't have anti-virus software....

More people around me got it too... ( I don't know why is that... )

( I think have some people don't know what happen to his/her pc ? )

nin...
Artemis3
I use an old machine to act as gateway using the FreeBSD OS (which also does NAT+firewalling+bandwidth management+dns cache+web cache+content filtering) to connect the win2k machine to the net. And I absolutely don't open weird attachments or use Outlook at all. Oh and the long ago released patches for win2k were installed promptly as well.

And the AVG Antivirus is up to date too. Is this much to ask to users? I guess so, they are too busy tuning their XP skins or their MSN6 emoticons.
mobius
My internet machine is wide open on a cable modem and STILL hasn't been infected. However, a friend on a crappy earthlink dialup was. Strange.




mobius
deej_1977
QUOTE(AstralStorm @ Aug 17 2003, 09:20 PM)
BlackICE is not a firewall, because it doesn't hide unused ports
and only blocks connection if it thinks it's a known attack (like trojan). It will not protect you from unknown attack, unlike a good firewall, e.g. not recently updated Defender won't protect you from RPC exploit.

I disagree. BlackIce was a personal firewall and limited HIDS in one. Now it contains a lot of ISS' code (who bought BlackIce) and is bundled as "RealSecure Desktop Protector". BlackIce was well ahead of its time.

Anyway, a good firewall should BY DEFAULT block incoming traffic from the internet to your pc if the connection was not initiated by you (such a technique is called Stateful Inspection and was pioneered by Check Point). This means if someone would do a port sweep on your system everything is automatically dropped, since the firewall keeps a "state table" of all the active connections on your machine and does not allow connections to be initiated from the outside.

Anyway, firewalls and IDS (or IDP(revention)) systems are merging more and more until they will inspect traffic at all layers, not just Layer 3 and 4, even for unknown attacks. This is a trend in the network security space - a good one I might add.
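
Added example (not part of the thread and not any poster's or vendor's code): a minimal Python sketch of the "state table" behaviour described in the last post, where inbound packets pass only if they match a connection the local host opened. The class and function names, the simplified TCP handling (no timeouts or FIN tracking) and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})

class StatefulFilter:
    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.state = {}  # (local_port, remote_ip, remote_port) -> state name

    def handle(self, p):
        if p.src == self.local_ip:  # outbound: always allowed, may create state
            key = (p.sport, p.dst, p.dport)
            if p.flags == {"SYN"}:
                self.state[key] = "SYN_SENT"
            elif "RST" in p.flags:
                self.state.pop(key, None)
            return "ALLOW"
        key = (p.dport, p.src, p.sport)  # inbound: must match an entry
        st = self.state.get(key)
        if st is None:
            return "DROP"  # nothing local initiated this, e.g. a port sweep
        if "RST" in p.flags:
            del self.state[key]
            return "ALLOW"
        if st == "SYN_SENT":
            if p.flags != {"SYN", "ACK"}:
                return "DROP"  # only the handshake reply is valid here
            self.state[key] = "ESTABLISHED"
        return "ALLOW"

def run_demo():
    # Constructed traffic; all addresses are RFC 5737 documentation ranges.
    me, web, scanner = "192.0.2.10", "198.51.100.7", "203.0.113.50"
    f = frozenset
    fw = StatefulFilter(me)
    packets = [
        Packet(me, 49152, web, 80, f({"SYN"})),         # we open a connection
        Packet(web, 80, me, 49152, f({"SYN", "ACK"})),  # matching reply
        Packet(scanner, 4444, me, 135, f({"SYN"})),     # unsolicited probe of an RPC port
        Packet(web, 80, me, 49153, f({"ACK"})),         # right host, wrong local port
        Packet(web, 80, me, 49152, f({"ACK", "PSH"})),  # data on our connection
    ]
    return [fw.handle(p) for p in packets]
```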