Push that patch! (and best card trick)
Be afraid. Be very afraid. It's IT Blogwatch, in which malware spreads, but Windows Update is broken. Not to mention the best magic card trick in the world...
The ISC's Swa Frantzen warns of new malware:
Over the weekend there was a botnet doing fairly wide scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory ... Be on the lookout for:
- laptops that might have been infected returning to the inside of your perimeter.
- infected machines scanning the rest of the network
- infections flaring up due to the above
Preventive actions to take:
- If you have not done so yet:
- Roll out the MS06-040 patches ASAP.
- Do not forget to reboot those machines after patching!
- Check that all machines have been patched and rebooted; we have confirmations that the patches are effective in stopping the initial attack.
- Update anti-virus signatures: They might not be in the mainstream signature yet, so check manually what your vendor has to say.
- While at it, install filtering wherever possible for ports 135-139 and 445. E.g. enabling personal firewall on laptops is very smart in future-proofing your machines against this kind of attack.
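The ISC's lookout list above asks you to watch for infected machines scanning the rest of the network on the same ports it tells you to filter. The following Python is an added example, not code from the ISC or from this column: it reads firewall log lines in an assumed format (constructed sample below, not real traffic) and flags any source that fans out to many distinct hosts on 135-139 or 445, the sweep pattern of a bot probing for unpatched MS06-040 hosts, while ignoring ordinary clients that talk repeatedly to one file server.

```python
import re
from collections import defaultdict

# Constructed sample firewall/flow log (assumed format, not from the post):
# "<timestamp> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> <flag>"
SAMPLE_LOG = """\
2006-08-14T09:00:01 SRC=10.1.5.23 DST=10.1.5.24 PROTO=TCP DPT=445 SYN
2006-08-14T09:00:01 SRC=10.1.5.23 DST=10.1.5.25 PROTO=TCP DPT=445 SYN
2006-08-14T09:00:01 SRC=10.1.5.23 DST=10.1.5.26 PROTO=TCP DPT=139 SYN
2006-08-14T09:00:02 SRC=10.1.5.23 DST=10.1.5.27 PROTO=TCP DPT=445 SYN
2006-08-14T09:00:02 SRC=10.1.5.23 DST=10.1.5.28 PROTO=TCP DPT=135 SYN
2006-08-14T09:00:02 SRC=10.1.5.23 DST=10.1.5.29 PROTO=TCP DPT=445 SYN
2006-08-14T09:00:05 SRC=10.1.5.40 DST=10.1.5.2 PROTO=TCP DPT=445 SYN
2006-08-14T09:00:06 SRC=10.1.5.40 DST=10.1.5.2 PROTO=TCP DPT=445 SYN
2006-08-14T09:00:07 SRC=10.1.5.41 DST=10.1.5.24 PROTO=TCP DPT=80 SYN
"""

# The ports the ISC advice says to filter: RPC/NetBIOS (135-139) and SMB (445).
WATCHED_PORTS = set(range(135, 140)) | {445}

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")


def parse_flows(text):
    """Yield (src, dst, dport) for every line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def find_scanners(text, threshold=5):
    """Return {src: sorted list of distinct dsts} for sources that reached at
    least `threshold` distinct hosts on the watched ports. Fan-out across many
    hosts is the sweep signature; repeated hits on one host (a file server) is not."""
    targets = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport in WATCHED_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} hosts on SMB/NetBIOS ports: {', '.join(dsts)}")
```

Tune `threshold` to your subnet size; on a real log, also key the count by time window so a slow sweep over a day is not hidden by a low per-hour count.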
But Microsoft's Adrian Stone sees no reason to panic:
this is rated as a low threat and doesn’t at this time replicate automatically from machine to machine. So its impact in terms of infection base appears to be extremely small. We’ve updated the security advisory related to MS06-040. What we know right now is that the attack affects specifically Windows 2000 computers that have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions. We urge everyone to apply the update however, and should the situation change we will post more information and guidance as it becomes available.
Ed Bott is very, very worried:
MS06-040 ... Department of Homeland Security issued an urgent news release recommending that all Windows users apply this security patch as soon as possible ... supposed to be released via Automatic Updates and automatically delivered to computers that have the Automatic Updates service turned on. They’re also available via Windows Update ... Microsoft’s update servers have apparently collapsed under the load ... I’m not the only person experiencing problems ... In the past, I’ve never had to wait more than 48 hours to receive updates. A four-day wait is simply inexcusable ... Microsoft needs to explain exactly what’s going on here. What’s the problem with Windows Update, and when will it be fixed?
Me too. It's bad enough that you can't use Windows Update manually via Firefox. And it's bad enough that both Zone Alarm and Norton Antivirus (last year's model for the reasons stated here, which is soon to be uninstalled forever as I move to the stupidly named but generally well received Windows Live OneCare) can trip up the Windows installer program and make it hard to install updates. But now it seems the Windows Update servers are having problems of their own. I have had a constant yellow updates available icon in my system tray for the past week, and updates often either don't work or seem to work, only to be followed by the immediate reappearance of the yellow update icon. This problem, while a mild annoyance for desktops that are always connected to the internet, is a royal pain for laptops that are updated periodically. I haven't been able to successfully install any updates on my Thinkpad in over a week.
Many millions of people are contacting [the Windows Update servers] this weekend, so even a 0.0001% failure rate would still produce many reports, but Ed does raise a solid question here. He also has personal observations on machines whose auto-update has still not triggered. I'm on a Mac here at home, but after reading this, I'm going to doublecheck my Windows machine as soon as I get in the office Monday.
Slashdotters discuss the botnet's command & control mechanism:
Progman3K: Does that mean that if someone reverse-engineers the bot command set, maybe we can send them all a command to shutdown the service?
httptech: Yes, actually there is a remove command built in to Mocbot. However, you have to issue the command from the proper user@host mask; something you can't do unless you have admin access to the IRC server. An alternative is to use DNS to redirect the bots to a blackhole IRC server where the remove command can be executed. Of course, this only works if you have control over the DNS (e.g. an ISP redirecting their own users). Getting someone responsible for the authoritative DNS server is not likely to happen given the Chinese origin.
winkydink: How are the IRC channel and the hacker's IP address related? Just because somebody visits some random IRC channel doesn't make them the bot author. Security researchers, for example, will also be found there.
httptech: Modern botnet command-and-control IRC servers don't give out information like who else is connected. In this Mocbot C&C, you join the channel, get an encrypted command (in the channel topic) which tells the bot to join another channel. In that channel, another encrypted command in the topic tells the bot to download and execute a trojan (which currently is detected by some AV as Trojan-Proxy.Win32.Ranky.fv). The reason for all this subterfuge is, if the AV companies aren't spying on the control channel, they have no way to know about the second-stage infection, unless they get lucky - so even if they do clean the Mocbot infection, the proxy trojan still resides on the machine.
Buffer overflow:
Around the Net
- Ray Beckerman: RIAA Wants to Depose Dead Defendant's Children; But Will Allow them 60 Days to "Grieve"
- Tim O'Reilly: Blackboard E-Learning Patent
- DrunkenData: ILM and ITIL: The Perfect Storm
- Bram Cohen: Ergonomic Keyboards
- Mobile Technology: China Mobile Now Largest Mobile Operator
- Om Malik: Best of Both Worlds, PC on a Mac
- Nathan Weinberg: Windows Live Writer: First Impressions
- Ben Rockwood: WTF Dept: Brocade Acquiring McData
- Eric Bangeman: AOL data leak may give data retention bill new life
Around Computerworld
- Michael R. Farnum: OpenOffice Security: Benefit or harm?
- C. J. Kelly: QOTD (Question of the Day): What's wrong with all-in-one security appliances?
- Frank Hayes: Making good business
- Jerri Ledford: It won't be long now ...
- Shark Tank: See? He got the impending doom right after all
- Martin MC Brown: DTrace on OS X
- Martin McKeay: Is your bank responsible for protecting you from key loggers?
- SaaS Revolution: Forrester rates the on-demand office productivity suites
- Douglas Schweitzer: The laptop luggage conundrum
And finally... Only the best magic card trick in the world!
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.