BLaster/Lovesan has a sibling now.

[Thermodyne]

What is occurring here is a form of terrorism. Sure its probably bored kids, but they are putting people’s lives at risk. At my work the patch was installed on the test network the first week it came out, then on the servers shortly there after. Desktops were ignored, a) because we don’t have the bodies to address them, b) because Citrix shields them from the outside world. But when the DMV went down, the situation was reevaluated and we began to patch. So far, nothing has been found on any systems. There was a false alarm, but it was a bad power strip.

The main reason that these people can get away with this stuff is the current IP/TCP system we use. NAT makes it hard to trace events back to the source, but without NAT we would have to disconnect most of the world. Also, many of these attacks originate outside of the US, and are not subject to our laws. IPv6 will help the problem a lot, and implementation has been pushed up. The second thing that needs to happen is this: people need to be responsible for the systems they own. On my wan subnet there are about 60 systems, about 25 of them are infected and 4 of them constantly sniff data and test my firewall. If I catch it in my server logs, I know Comcast does. But Comcast refuses to take any action on the problem. People that unknowingly have infected systems need to be disconnected and referred to professional repair sources. People that knowingly hack and probe need to be prosecuted. The law allows for stiff penalties for gaining unauthorized entry into a protected network. But they do not do much to deter the attacks.

We need to develop a package of laws that address the illegal activity on the internet, and then apply minimum sentencing rules to those who break them. They should cover Sniffing, Unauthorized Access of all types, including the insertion of software (viruses and worms along with ad and spy ware) and the unlogged forwarding of email. Then we should remind the world that America gave them the internet and that we can also disconnect them. With that said we should ask them to sign a convention adopting the same rules. The states and nations that refuse (Nigeria, Iran, China come to mind) should then have there connectivity terminated. When I use my satellite, fully 1/3 of the background activity is probing by the Asian Pacific Network. Anyone care to guess who they are? They know about this on the hill, but I guess there is not enough money to be made from the law and order side of this problem.

This particular attack was aimed directly at MS, it looks for a folder that is only present on some MS systems and then goes to work. So the Authors had an axe to grind with MS. And they probably will brag about it sooner or later. I only hope that they are caught and severely punished. And if they are kids, I hope that the injured parties line up and sue their parent’s right out of their homes. If they did it at school, then the school should pay the damages, they are supposed to be supervising what happens on their systems. If the rumor about them hacking a backbone switch to insert the worm is true, then I hope the company that owns the switch has been in compliance as for as logging goes.