Friday, May 07, 2004

Bloody Sasser

Yep... you guessed it, I walked into work this week and one school is completely infested with the Sasser virus. Anyway... turned out okay because I was officially told to leave someone else to clean up the virus mess... RM networks are marvellous... can't install a Microsoft patch because each PC has its state built from packages on a central server which, apparently, is fine at doing connection sharing but hasn't got a firewall on it, hence the virus being present.

This package system works by making everything that goes onto a machine into Microsoft Installer .msi files, a marvellous idea which ensures easy software distribution, easy recovery should the individual client PCs go muppet, but unfortunately a pain in the arse when it comes to installing anything at all.

Hence, I wasn't going to mess about making an MSI for the Microsoft patch, which can take forever with RM's buggy software, so I phoned the bod in charge of the borough's networks and he said he'd sort it out because RM have specially built-packages, which makes me wonder even more about how far RM are actually in bed with Microsoft, not to mention their Word-97-with-buggy-macros which they sell as RM Talking First Word.

Anyway, I had the staff on me from the second I walked in... not blaming me (not my responsibility, I didn't install the servers) but asking for help with their home PCs. Printed out a step-by-step plan for them, mainly so that they don't bring it back in to the network until it can be patched... believe it or not, this network's only pencilled in for patching sometime this or next week... nothing like being up-to-date.

Got asked lots of questions about Sasser, and one of the top ones is if I'd got it at home. Unfortunately, I'm only using a router (which blocks the virus without me having to touch any settings), another firewall (which blocks the virus without me having to touch any settings), Zonealarm Pro (which blocks the virus without me having to touch any settings), and a poor, decrepit, obsolete operating system which I've been told to replace hundreds of times and never been given a definitive reason to upgrade. Oh, and in case you're wondering, it's my Windows 98SE that isn't affected by the virus.

Sadly, though, the complete lack of any anti-virus software on my machine was absolutely no problem whatsoever and never has been. I've cleaned viruses off of uncountable machines but have personally "caught" precisely one in all the years I've been using PCs, and that came from a PC magazine's demo copy of Sin (that ancient 3D game). It caused me no damage, was cleaned within an hour of infection and detected because it had modified critical files, for which I just so happen to have a tiny little self-made Visual Basic program that double-checks their MD5 hashes.
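The hash-checking idea described above is a file-integrity baseline: record a digest of each critical file while the machine is known-clean, then re-hash later and flag anything modified or missing. The following is an added example written here, not the author's Visual Basic program. It assumes a JSON baseline file mapping path to digest, uses SHA-256 rather than MD5 (MD5 is no longer collision-resistant, so a deliberate modification could be hidden from it), and builds its own constructed "system files" in a temporary directory so it runs offline.

```python
"""File-integrity baseline and check (example code added here, not the
post author's tool). Assumptions: a JSON baseline file keeps path -> digest,
and SHA-256 stands in for the MD5 the post mentions."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB blocks so large binaries need not fit in memory


def file_digest(path: Path) -> str:
    """Hex SHA-256 of a file's contents, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths, baseline_file: Path) -> dict:
    """Record the current digest of every watched file and save it as JSON.
    Run this only on a machine you believe to be clean; the baseline is
    only as trustworthy as the files were when it was taken."""
    baseline = {str(p): file_digest(Path(p)) for p in paths}
    baseline_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline


def verify(baseline_file: Path) -> dict:
    """Compare watched files against the saved baseline.
    Returns {"ok": [...], "modified": [...], "missing": [...]} so a caller
    can act on each class of change separately."""
    baseline = json.loads(baseline_file.read_text())
    report = {"ok": [], "modified": [], "missing": []}
    for path, expected in sorted(baseline.items()):
        p = Path(path)
        if not p.exists():
            report["missing"].append(path)
        elif file_digest(p) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo() -> dict:
    """Constructed scenario: three stand-in 'system files' in a temp dir,
    a baseline, then one file is altered and one deleted before the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample contents, not real system files
            "kernel32.dll": b"original kernel32 bytes",
            "user32.dll": b"original user32 bytes",
            "win.ini": b"[windows]\nload=\n",
        }
        for name, data in files.items():
            (root / name).write_bytes(data)
        baseline_file = root / "baseline.json"
        build_baseline([root / n for n in files], baseline_file)

        # Simulate the effect of an infection: one file changed, one removed.
        (root / "win.ini").write_bytes(b"[windows]\nload=changed.exe\n")
        (root / "user32.dll").unlink()

        report = verify(baseline_file)
        # Report basenames so the result does not depend on the temp path.
        return {k: [Path(p).name for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline file itself is the weak point: anything that can alter the watched files can usually alter `baseline.json` too, so in practice it belongs on read-only media or a separate machine, which is also why the check catches a change only when compared against a copy taken while the system was clean.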

If I ever have a suspicion of a virus on a file or I want to run untrusted floppies or executables I just visit Trend Micro's Housecall service which can detect viruses for free... manual removal instructions are always available for free on the internet and I personally prefer to delete viruses myself because then I know they have gone and exactly what they've damaged. Not that AV software would have helped at all, something which people seem to think it will. By the time the average person has bothered to update their anti-virus software and run a full scan, they've probably had one copy of every virus that had been released that month slip into their machines, not to mention spyware.

I've been waiting for Sasser... it's the natural evolution of a virus and they are getting better all the time. I love the way it can infect without any manual intervention. I also love the way it can do it to a base install of Windows, which ensures it'll circulate for several years at least because people will be reinstalling and putting unpatched Windows XP machines straight on the internet to get the patches from Windows Update.

I love the way that 90% of the people who need to install this patch will do so over the internet... the virus' main point of entry. And if you clean the virus but don't know of the patch (which is quite possible among ordinary home users) then you've wasted your time because it'll just come back on. And how many machines are there which are not on the internet yet, but will be put on at a later date, without the patches? Even BugBear, MyDoom and other ancient viruses are still circulating... proven by the fact that one laptop I cleaned for the school also had both of the above without anyone ever noticing.

Sasser is just the start. I'm still waiting for some super-virus to come along and give AV software companies and companies like Microsoft a kick up the arse in the security department. Hopefully then we'll get some decently programmed software with well-thought-out defaults.
