Current: Slammer
Author: Killer :
Source: PC Mikro

Slammer slowed the Internet down, but did not stop it
----------------------------------------------------------------------
A new computer worm launched its attack last Saturday, exploiting a known vulnerability in Microsoft's SQL 2000 Web servers, and considerably slowed or almost halted Internet traffic around the world, which led the companies tracking its spread to compare it with two other security threats that had earlier swept through the Net: Code Red and Nimda. As many as a dozen bulletins have been issued describing the worm, registered under the name W32/SQL Slammer or Sapphire. The worm floods the Net with packets by exploiting a vulnerability known as a buffer overflow, producing an effect similar to attacks that cause servers to refuse service because of an excessive number of requests. Network Associates' Anti-Virus Emergency Response Team (AVERT) estimates that 150,000 to 200,000 servers worldwide were infected. When the attack began (on Saturday at about 5:30 a.m. GMT), packet loss on the Internet rose to 20 percent, reported Matrix NetSystems, a Texas company that monitors network traffic. The usual percentage of lost packets rarely exceeds one percent. South Korea was hit hardest: most users of fixed and mobile connections there could not connect to the Internet for almost half a day. "The networks of South Korean Internet service providers were largely unavailable from 2:30 p.m. local time," said a technical assistant of the Korean computer emergency response team, headquartered in Seoul. "From then on, most people in South Korea could not use the Internet." Ten hours after the outbreak, traffic began to recover and the percentage of lost packets fell to five percent, Matrix NetSystems measured.
Recovering from the attack is simple, all security companies agree: installing Microsoft's recently released SQL Server 2000 Service Pack 3 solves the problem. There are also recommendations that system administrators block traffic arriving from unknown machines through port 1434. What they do not agree on is the seriousness of the threat. Trend Micro labels the worm "Destructive" and "High Risk," while Symantec considers the damage it can cause "low." Network Associates and eEye Digital Security, one of the first companies to register Slammer's appearance and analyze its code, issued warnings stating that it is a high-risk threat. Although defending against this worm is easy, a large number of systems are still unprotected and vulnerable. "The situation is currently probably worse than three or four hours ago, and it won't clear up that quickly," said AVERT vice president Vincent Gullotto roughly twelve hours after the attack began. "Slammer does not destroy, delete, steal or extract any data," said Tom Olson of Matrix NetSystems. "However, it is extremely aggressive when it comes to self-replication." Slammer's speed of spread is reminiscent of another plague that struck the Net in mid-2001 and infected hundreds of thousands of servers: the Code Red worm. Despite the existence of a patch, Code Red caused two billion dollars of damage, according to one research company. New infections kept spreading for a whole year after its appearance. "Slammer is similar to Code Red in its speed of spread, but it is nowhere near it in destructiveness," Olson believes. A representative of the US National Infrastructure Protection Center (NIPC) confirmed that the center is investigating the problem. NIPC has not posted any new warning regarding the vulnerability this worm exploits since Microsoft identified it in July 2002.
A spokesman for the Federal Bureau of Investigation (FBI) declined to comment in more detail on the latest problems on the Internet and only said "that the Bureau is aware of these attacks and is closely monitoring what is happening." "The worm contains no information about its author," said Denis Zenkin, spokesman for Moscow-based Kaspersky Labs. "It seems the author took great care over the size of the worm and tried to make it as small as possible. It is only 376 bytes, and adding any name would only make it bigger." "We have no concrete data, but I would say it originates from China," said Mikko Hyppönen, a manager at the Finnish company F-Secure. "It could be the same author who made the Lion worm for Linux, because he posted several messages in a discussion group discussing the theoretical foundations of Slammer." Its small size makes tracking harder because the worm travels very fast, Hyppönen added. "This is one of the smallest worms we have seen. The creator probably did not intend to congest the Internet, but obviously had no idea how fast it would travel either." The worm appeared just one day after the South Korean Ministry of Information and Communication published a warning about possible denial-of-service attacks, local media report. The ministry was reportedly tipped off that South Korean computers would be used as a springboard for attacks, the Yonhap news agency reports. Forty-eight hours after the first registered appearance, the spread of the worm has slowed and there are currently no reports of major outages or disruptions of the Internet. On Saturday there were between 200,000 and 300,000 attacks per hour, and on Sunday 9,000 to 10,000, which is about what Nimda causes on average per day. New attacks may flare up on Monday, when the new working week begins, if the staff responsible for computer network security did not take the necessary measures on Sunday.
Microsoft's security bulletin on the vulnerability is at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp . CERT published its advisory at http://www.cert.org/advisories/CA-2003-04.html . (M.V.)
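The article above gives a defender two concrete indicators (UDP port 1434 and a 376-byte worm body) and one network-side mitigation (block port 1434 from unknown machines). The following script is an added example, not from the PC Mikro article, Microsoft, or any vendor tool: it runs a Slammer-style triage over a constructed flow log, flags packets that match both indicators, flags sources that hit many distinct 1434 targets within one second (the self-replication pattern the article describes), and lists 1434 talkers that fall outside an assumed allowlist of trusted networks. The log format, the allowlist, the scan threshold and all addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SQL_RESOLUTION_PORT = 1434   # from the article: the UDP port the worm targets
SLAMMER_PAYLOAD_LEN = 376    # from the article: the worm is only 376 bytes
SCAN_THRESHOLD = 5           # assumed: distinct targets per source per second

# Constructed sample flow log (not captured data). One record per line:
#   <epoch_seconds> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <payload_bytes>
SAMPLE_LOG = """\
1043472600 udp 10.0.0.5:3381 10.0.1.1:1434 376
1043472600 udp 10.0.0.5:3381 10.0.1.2:1434 376
1043472600 udp 10.0.0.5:3381 10.0.1.3:1434 376
1043472600 udp 10.0.0.5:3381 10.0.1.4:1434 376
1043472600 udp 10.0.0.5:3381 10.0.1.5:1434 376
1043472600 udp 10.0.0.5:3381 203.0.113.9:1434 376
1043472601 udp 198.51.100.7:4021 10.0.1.50:1434 376
1043472601 tcp 10.0.0.9:51000 10.0.1.20:1433 120
1043472602 udp 10.0.0.12:4000 10.0.1.20:1434 24
1043472602 udp 10.0.0.12:4000 10.0.1.21:1434 24
garbage line that should be skipped
"""


def parse_flow(line):
    """Parse one flow-log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        src_ip, src_port = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return {
            "ts": int(parts[0]), "proto": parts[1].lower(),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "length": int(parts[4]),
        }
    except ValueError:
        return None


def is_slammer_like(rec):
    """Both article indicators at once: UDP to 1434 carrying exactly 376 bytes."""
    return (rec["proto"] == "udp"
            and rec["dport"] == SQL_RESOLUTION_PORT
            and rec["length"] == SLAMMER_PAYLOAD_LEN)


def is_trusted(ip, trusted_networks):
    """True if the address lies inside one of the allowlisted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted_networks)


def analyze(log_text, trusted_cidrs):
    """Triage a flow log: signature hits, fast scanners, and unknown 1434 talkers."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    hits = []
    targets_per_second = defaultdict(set)   # (src, second) -> distinct destinations
    unknown_sources = set()
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        if rec["proto"] == "udp" and rec["dport"] == SQL_RESOLUTION_PORT:
            targets_per_second[(rec["src"], rec["ts"])].add(rec["dst"])
            # Candidates for the "block 1434 from unknown machines" rule.
            if not is_trusted(rec["src"], trusted):
                unknown_sources.add(rec["src"])
        if is_slammer_like(rec):
            hits.append(rec)
    scanners = {}
    for (src, _second), dsts in targets_per_second.items():
        if len(dsts) >= SCAN_THRESHOLD:
            scanners[src] = max(scanners.get(src, 0), len(dsts))
    return {
        "slammer_hits": hits,
        "scanners": scanners,
        "unknown_1434_sources": unknown_sources,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, ["10.0.0.0/24"])   # assumed trusted network
    print("signature hits:", len(report["slammer_hits"]))
    print("scanning sources:", report["scanners"])
    print("1434 traffic from outside the allowlist:", sorted(report["unknown_1434_sources"]))
```

The trusted host 10.0.0.5 is still reported as a scanner, which is the point: the allowlist controls which machines may reach port 1434, while the per-second fan-out catches an infected machine inside the allowlist. The 24-byte queries from 10.0.0.12 show a normal SQL Server browser lookup that the signature check leaves alone.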
Author: Puky :
Source: Electronic news of Mikro magazine

Slow response to Slammer's attack put NIPC on the spot
----------------------------------------------------------------------
The FBI came under criticism on Monday because on Saturday it was "asleep on its feet" while the W32.Slammer computer worm spread around the world at rocket speed and infected hundreds of thousands of computers in the first few hours after it was noticed. It turned out that the slow response of the Federal Bureau of Investigation (FBI) to Saturday's appearance and lightning-fast spread of the new virulent computer worm named Slammer was a consequence of the recent reorganization of the US government, which created the new Department of Homeland Security, and of increased concern about cyberterrorism threats from other directions. The FBI's arm in charge of cyberterrorism, the National Infrastructure Protection Center (NIPC), stayed silent for most of Saturday, while well-known antivirus companies such as Internet Security Systems (ISS) and Network Associates' McAfee AVERT (Anti-Virus Emergency Response Team) immediately issued statements about Slammer's spread. Reporters who called the government agency looking for comment were told that NIPC was "monitoring the situation," but received no official bulletins. NIPC published its first advisory, titled "Worm Targets SQL Vulnerability," on its Web page only at 6:41 p.m. GMT, a full 13 hours after the worm appeared. By that time many organizations had already identified the danger and taken measures to protect themselves and prevent further spread.
In an Internet discussion organized by the non-profit SANS (SysAdmin, Audit, Networking and Security) Institute, with security experts and representatives of the federal government and Microsoft taking part, Marcus Sachs, director for communications infrastructure protection in the White House Office of Cyberspace Security, said that a combination of bad timing and the recent move of NIPC and other government security departments into the new Department of Homeland Security may have played the main role in the agency's clumsy response to Slammer's appearance. "The worm could not have picked a better time to appear," Sachs joked. The inauguration of the new department had been celebrated a day earlier, on Friday. In addition, NIPC staff had been coordinating their work with other staff responsible for the security of federal computer resources, but on a topic related to Iraq. The result was that most of NIPC's investigators were at home when Slammer set off on its campaign, and there were problems assembling the "right staff" to respond to Slammer's attack, Sachs explained. However, NIPC press representative Bill Murray denies there was any delay in responding to Slammer's spread. "NIPC issues warnings and advisories only when it is completely certain that the information is verified and complete." Murray declined to characterize NIPC's response on Saturday as slow or fast, and added that he has no intention of comparing himself with antivirus companies when it comes to publishing information about sudden network threats. "We believe NIPC did what it was obliged to do and what it is authorized to do. We analyzed the threat and published a precise warning," Murray stressed, adding that future responses would be assessed case by case.
Author: Puky :
Kaspersky Labs analyzes the consequences of the latest epidemic. The "Helkern" epidemic has become huge, not only in the number of infected servers (nearly 80,000), geographic coverage and its rate of spreading, but also in the consequences it has caused regarding the general functioning of the Internet. Never before has a malicious program threatened to tear apart the composite parts of the worldwide network and destroy communications between regions. "Helkern" has managed to disrupt the operation of, and temporarily shut down, Internet installations in the U.S., South Korea, Australia and New Zealand. According to Kaspersky Labs, "Helkern", at the peak of the epidemic (January 25, 2003), slowed the Internet's performance by 25%. This means that every 4th site was either unable to respond or was under duress. Similar manifestations were seen in other services using the Internet, such as email, FTP servers and Internet messaging, among others. Is "Helkern" an isolated event or unpremeditated attack? Or is it the next step for cyber-terrorists exposing network weaknesses that model the collapse of the Internet? What consequences will this epidemic have on the future of the Internet? These questions raise concerns for everyone who is in some way exposed to the Internet. It is essential to understand the real danger posed by "Helkern". It attacks only servers, so many Internet users may feel safe, as if a computer does not have the database management system Microsoft SQL Server installed, the worm is unable to inflict damage. However, the scale at which "Helkern" spreads and the consequence of exponential rises in Internet traffic could lead to an Internet outage. Therefore, all Internet users are at the least indirectly made to suffer. The future of the Internet is put in jeopardy not only by "Helkern" but by the application of technologies that can in a flash slow down networks.
More than likely, very soon, just after the source code of this worm appears on sites and forums dedicated to computer viruses, the computer underground will set to the task of cloning "Helkern". New modifications will be created that will distinguish themselves with even greater spreading capabilities and destructive payloads. The consequences of this developing event and the potential damages to the world economy are practically beyond placing a value on. The "Helkern" attack demonstrates the general vulnerability of the Internet. It graphically demonstrates one of the weakest points through which it is possible to, on the whole, halt network operation, namely vulnerabilities (breaches) in security systems that viruses can exploit unimpeded to penetrate computers. It would be hard to find a better example of this danger than the current circumstances involving "Helkern". It is well known that 100% protection of software does not exist. Each day up to 10 vulnerabilities are discovered in a myriad of operating systems and applications, for which their creators quickly release patches. Weak system kernels, as is often the case, are an unavoidable human factor. Making matters worse is that many system administrators infrequently install these patches, leaving their networks open to potential attack from new malicious programs. The "Helkern" experience has shown just how "productively" it is possible to take advantage of these shortcomings. The main threat lies in the fact that nothing can stop virus writers from continuing to create network worms targeting software vulnerabilities. Pandora's Box is open, and already there is nothing that can be done to rein in its destructive power. From another side, the amount of software vulnerabilities existing today is enough for the release of "Helkernesque" worms each and every day over several years.
Under such circumstances the Internet would fail as a means for business communications, entertainment or information searches. The danger posed by the abuse of software vulnerabilities was foreseen by Kaspersky Labs experts several years ago with the appearance of the first "stealth" worms ("BubbleBoy" and "KakWorm"), which penetrated computers via security system vulnerabilities. Until recently this information remained with a narrow circle of specialists who intentionally did not leak it to the public for fear of instigating a catastrophe. However, in August 2001 Nicholas Weaver of the University of Berkeley published research analyzing the technologies used to create the worm "Warhol" (a.k.a. "Flash-worm"), which over just fifteen minutes could manage to spread around the entire world. For this very reason the worm was given its moniker, as it was Andy Warhol who coined the phrase, "In the future everybody will have 15 minutes of fame". Today, this idea has been realized, and thus we can observe how virus authors have taken it to heart. This provokes the question of whether or not "Helkern" was created to "test the water" of the Internet in order to detect weak spots, only to later follow up with a full-scale attack. We are far from conspiracy thoughts, however; most likely this is just usual cyber hooliganism. Hooliganism in terms of approach, but when considering results, it is indeed terrorism. Usually the scale of the consequences differentiates these two terms. In this specific case, where there has been a deliberate attack on and violation of global communication systems, it is possible for it to be classified as a cyber-terrorist act. In our opinion, without urgent preventive and prophylactic measures in the nearest future this situation might go out of control and even cause us to question the Internet's existence. However, under current conditions, to dramatically alter how we approach preventative measures is almost impossible.
An effective system aimed at virus epidemic detection and prevention cannot rely on today's standards of identifying Internet users, which are now basically chaotic. When such an epidemic occurs it is almost impossible to locate its epicenter, with the exception of when the virus author by mistake gives himself away. In the event of the wide spread of a malicious program, in order to prevent it from spreading further, entire regions of the network must be disconnected and switched off. These measures are meaningless: you can endlessly patch the holes in a security system, but this won't prevent further attacks. Basically, today we are fixing consequences rather than the causes, while at the moment the sheer volume of "consequences" or symptoms has already reached such a level that it would be cheaper, faster and in the end more efficient to cure the problem at its roots. As was mentioned earlier, the reason it is so difficult to prevent virus attacks is Internet anarchy. It is much more tempting to abuse the network when one is sure he or she can't be tracked. On the other hand, to reform the Internet in order to fix this problem (to introduce personal IDs) appears to be almost impossible, as this process is confronted with extremely complex political and economic problems at an international level. The only possible and realistic solution would be if large multinational corporations, the "locomotives" of the modern economy, develop a parallel network where they concentrate all their business communications and limit this network's exposure to the Internet; doing this will allow the processing of new standards to happen faster and less painfully. To summarize, we must note that virus epidemics on the scale of "Helkern" will happen again and that the frequency of such epidemics will most likely only increase.
Eventually, using the Internet will become so inconvenient, with constant interruptions and malfunctions at the hands of viruses and hacker attacks, that users will be forced to switch to other means of communication. Naturally, "snail mail" and telephone communications do not offer the kinds of conveniences that the Internet does. Therefore the development of a parallel network that offers a high level of reliability and security is today a matter of high priority. Kaspersky Labs Corporate Communications