Hello guys, first of all, let me describe my situation. I live in a pretty big dorm; it features a LAN with about 1200 computers, and of course most of them run Windows and their users don't know how to update the system. Various worms (most notably Blaster, Welchia, Sasser and Agobot) regularly flood the LAN, and at the beginning of an outbreak they usually knock out our internet access several times before the administrators find out what's going on. The user also almost never knows (s)he is vulnerable/infected. Also, there are no "real" administrators here, just some students doing this as a part-time job, so there is no hope of some strong action.

Last Saturday I finally got fed up with the worms and wrote a perl script. There is nothing special about it, I write perl scripts almost every day. But this one actually worked :-) and also had such a tremendous impact and showed so much potential that I realized I shouldn't keep this to myself.

What does the script do?

- it binds to UDP port 138 and listens for NMB host and lmb announcements.
- if it detects one, it checks when it contacted the sender IP last time, and if it was at least an hour ago, it makes a connection to the sender's TCP port 445 and checks whether the "sasser patch" (KB835732) is applied (I got this check from nessus-plugins and ported it to perl, so I don't pretend to understand how it works, but it really does :-))
- if an unpatched version is detected, it uses smbclient to send a WinPopup with the text: "Your computer is vulnerable to the Sasser Worm. Please visit http://windowsupdate.microsoft.com and update your system."
- if a patched version is detected on an IP that was previously vulnerable, it sends another WinPopup with the message "Thank you for updating your system and keeping our network safe.\r\nThis free security service is brought to you by shurdeek."
(yeah, advertising myself isn't such a bad idea)
- data is stored in a tied GDBM hash, so it isn't lost when the script crashes (which unfortunately happens from time to time, so I check it from cron)
- every 5 minutes a website is generated with a complete status list

As the more experienced of you can see, this has very low requirements on everything (CPU, RAM, disk, net; I run it on a Pentium 75MHz/32MB with barely noticeable load), behaves very politely and still inspires the user to update the damn thing. Moreover, it only detects those who actually run the server, and if one has a vulnerable open version, one almost surely will receive the WinPopup as well. Also, unlike most of the available solutions, it is a preventive action (it is the vulnerability that is detected, not an infection or an infection attempt).

At the beginning of the tests I found out a guy living next door was vulnerable, so I walked over and talked to him. He thought the message came from the system directly, and when I told him that it was me who sent it he thanked me and told me he'd update (some time later, the computer was indeed updated). So I decided to keep the program running.

The results are simply amazing. During the about 4 days it has been running now, about 49% of the vulnerable users actually updated their systems (123 of 251). As not all the users use their computers constantly and we have internet connection problems at the moment, I assume this number will rise even more. I don't think it will ever reach 100% (as you may know, sometimes Windows is so fscked up that WindowsUpdate doesn't work, and some have "badly stolen" XP on which you can't install SP1). Nevertheless, the IPs are on the website and available to the administrators, who can take action whenever they decide it necessary.
I recommended that they block Internet access to the machines (except for *.microsoft.com) after 2 days of being vulnerable, and also modified the script so that after 2 days of continuous vulnerability it changes the formulation to a somewhat stricter one, like "if you don't update soon, the computer administration will block your internet access".

In summary, this project is IMHO a big success, and I decided to add more features when I find the time (checks for Blaster/Sasser/Agobot infection, checks for weak passwords just as Agobot does, etc).

Right now I was browsing the web and found out that yet some more articles came out today about how the worms are bad and crashed this and overloaded that, with a lot of experienced computer users in their posts blaming the poor "never update" guys. But I realized no one actually DOES anything to help (well, antivirus vendors sell their programs :-)). This got me thinking: hey, perhaps this script can be used to help on a global level. This would happen if a substantial number of "good guys" installed it on machines with a public IP, preferably in various topological locations. That way a LOT of people with vulnerable or infected machines will be bugged until they update. I would also like to point out that at the moment the script is only running inside a LAN with no access from the outside, so "live internet tests" will have to be done.

However, I would like to avoid the current antivirus situation. As just about everyone knows, there are thousands of old and/or incorrectly configured antivirus mail filters that notify a faked sender (which unfortunately some hundred times a day happens to be me). As is clearly evident, it is not enough when a bugfixed antivirus version is available from the vendor later; the lame admins keep using the buggy one (and don't read abuse@/postmaster@). So, I would like to prevent a similar situation from happening to my script in advance, before I publish it (under GPLv2 of course :-)).
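The per-host notification policy described above (one-hour rescan interval, the warning, the stricter wording after 2 days of continuous vulnerability, and a one-time thank-you once the host is patched), written out as an added Python example; this is not the author's perl script, which is not included in the mail. It assumes a dbm file in place of the tied GDBM hash, and a placeholder LAN range (10.0.0.0/16) as a guard so the script never contacts hosts outside its own network; the SMB patch check and the smbclient call are outside this snippet.

```python
import dbm          # persistent file store, standing in for the tied GDBM hash
import ipaddress
import json
import time

RESCAN_INTERVAL = 3600        # contact a host at most once per hour
STRICT_AFTER = 2 * 24 * 3600  # stricter wording after 2 days of continuous vulnerability
LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")  # placeholder: the dorm LAN's own range
MSG_WARN = ("Your computer is vulnerable to the Sasser Worm. Please visit "
            "http://windowsupdate.microsoft.com and update your system.")
MSG_STRICT = (MSG_WARN + " If you don't update soon, the computer administration "
              "will block your internet access.")
MSG_THANKS = "Thank you for updating your system and keeping our network safe."

def in_scope(ip):
    """Never contact anything outside our own LAN, whatever the announcement says."""
    return ipaddress.ip_address(ip) in LOCAL_NET

def load(store, ip):
    """Host record as a dict, or None. Works with a dbm object (bytes) or a dict."""
    raw = store.get(ip)
    return None if raw is None else json.loads(raw)

def due_for_check(store, ip, now):
    """True if the sender was never checked or the last check is >= 1 hour old."""
    rec = load(store, ip)
    return rec is None or now - rec["last_check"] >= RESCAN_INTERVAL

def record_result(store, ip, vulnerable, now):
    """Persist the check result; return the WinPopup text to send (None = quiet)."""
    rec = load(store, ip) or {"first_vuln": None, "was_vuln": False}
    rec["last_check"] = now
    msg = None
    if vulnerable:
        if rec["first_vuln"] is None:
            rec["first_vuln"] = now   # start of the continuous-vulnerability window
        rec["was_vuln"] = True
        msg = MSG_STRICT if now - rec["first_vuln"] >= STRICT_AFTER else MSG_WARN
    else:
        if rec["was_vuln"]:
            msg = MSG_THANKS          # patched since we last nagged: thank once
        rec["first_vuln"], rec["was_vuln"] = None, False
    store[ip] = json.dumps(rec)       # dbm only accepts str/bytes values
    return msg

if __name__ == "__main__":
    with dbm.open("nagger.db", "c") as store:   # survives script crashes like GDBM
        ip, now = "10.0.1.5", time.time()       # constructed sample sender
        if in_scope(ip) and due_for_check(store, ip, now):
            print(record_result(store, ip, True, now))   # assumes the check said "vulnerable"
```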
So, concluding my email, I would like to ask my fellow Bugtraqers the following:

- is a global deployment of such a program a good thing?
- how to program it so that misbehaviour is a priori prevented? I tried my best, but no one is perfect, so maybe I'm missing something.
- what are the "right" values for waiting for rescan/update_windows_now_message? Now it is at least 1 hour and only happens when the remote machine sends a NMB announcement (I could perhaps add a faked server that would detect an infection attempt and act on that as well).

Happy to be hearing from you soon,

Peter Surda (Shurdeek) <shurdeek@xxxxxxxxxxxx>, ICQ 10236103, +436505122023

--
To understand recursion, one must first understand recursion.