Blaster worm: difference between revisions
Neversay.misher (talk | contribs): content expansion
No edit summary
(49 intermediate revisions by 30 users not shown)
The diff table compares two wikitext revisions of the article. The previous revision consisted of a one-line Chinese stub ("Blaster (Worm.Blaster) is a worm virus.") followed by the untranslated English Wikipedia text. That English text also stated that Parson was from Hopkins, Minnesota, that he admitted responsibility and was sentenced in January 2005, that the damage to Microsoft from the SYN flood was minimal because windowsupdate.com was only a redirect to windowsupdate.microsoft.com, and that the DCOM RPC patch had been released one month earlier in MS03-026 and later in MS03-039.

The current revision replaces the English text with the Chinese translation (its rendered form appears below under "Latest revision"), adds the maintenance templates {{Multiple issues}}, {{Expand language|en}}, {{Unreferenced}} and {{noteTA}}, and fills in the {{Computer virus}} infobox.
==External links==
* [http://www.cert.org/advisories/CA-2003-20.html CERT Advisory CA-2003-20] {{Wayback|url=http://www.cert.org/advisories/CA-2003-20.html |date=20141017130853 }}
* [https://web.archive.org/web/20060421220623/http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html Security Response site from Symantec]
* [https://web.archive.org/web/20070927195105/http://www.vnunet.com/vnunet/news/2123165/fbi-arrests-stupid-blaster-b-suspect Article from Vnunet]

==See also==
*[[知名病毒及蠕蟲的歷史年表|Timeline of notable computer viruses and worms]]
*[[被逮捕的黑客|Crackers (convicted)]]

{{compu-soft-stub}}

[[Category:电脑病毒]]
[[Category:蠕虫病毒]]

[[de:W32.Blaster]]
[[en:Blaster (computer worm)]]
[[fa:کرم بلستر]]
[[fr:Blaster]]
[[it:Blaster]]
[[sv:Blaster]]
Latest revision as of 04:46, 6 November 2024 (Wednesday)

Field | Value |
---|---|
Technical name | Blaster |
Aliases | Blaster worm (衝擊波蠕蟲) |
Family | M.Blaster family |
Classification | Computer worm |
Affected systems | Windows |
Date discovered | 11 August 2003 |
Origin | Minnesota, United States |
Author | Jeffrey Lee Parson |

The Blaster worm (English: Worm.Blaster or Lovesan; also translated as 「疾風病毒」) is a computer worm that spread on the Microsoft operating systems Windows XP and Windows 2000 and broke out in August 2003.

The worm was first noticed, and began spreading like wildfire, on 11 August 2003. It kept replicating and infecting until infections peaked on 13 August; afterwards, filtering by ISPs and the removal instructions circulated online curbed its spread.

On 29 August 2003, Jeffrey Lee Parson, an 18-year-old from Minnesota, United States, was arrested for creating the Blaster.B variant; in 2005 he was sentenced to eighteen months' imprisonment.

Mode of impact

The worm attempted to launch a SYN flood on 15 August against port 80 of windowsupdate.com (archived copy at the Internet Archive), thereby mounting a distributed denial-of-service (DDoS) attack on the site. Because the worm targeted windowsupdate.com (Microsoft's redirect domain) rather than windowsupdate.microsoft.com (the actual Windows Update site), Microsoft temporarily shut down the targeted site to reduce the worm's possible impact on it.

The worm spread on the affected operating systems by exploiting a buffer overflow vulnerability in the DCOM Remote Procedure Call (RPC) service. Patches for this vulnerability had been published a month earlier in MS03-026 and MS03-039.
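The two behaviours described above, a host probing many peers on the RPC port to propagate and a host sending a burst of bare SYNs to port 80 of one web server, are both visible in ordinary firewall or flow logs. The following is an added example, not code from the article or from any vendor, showing how a defender could flag each pattern. It assumes a simplified, constructed log format of "timestamp src dst dport flags" (real firewall formats differ), the thresholds are assumptions, and it watches TCP 445 (named on the page) together with TCP 135, the RPC endpoint-mapper port, which the page does not mention. The sample log lines are constructed, and 198.51.100.10 is a documentation address standing in for the flood target.

```python
from collections import defaultdict

# Constructed sample firewall log, one record per line: "timestamp src dst dport flags".
# 10.0.0.5 behaves like a propagating host (SYNs to many peers on the RPC ports),
# 10.0.0.7 behaves like a DDoS participant (a burst of SYNs to one web server),
# 10.0.0.9 is ordinary traffic. None of this is real captured data.
SAMPLE_LOG = "\n".join(
    [f"2003-08-11T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 135 S" for i in range(1, 31)]
    + [f"2003-08-15T00:00:{i % 60:02d} 10.0.0.7 198.51.100.10 80 S" for i in range(100)]
    + [
        "2003-08-11T10:05:00 10.0.0.9 10.0.1.1 80 S",
        "2003-08-11T10:05:01 10.0.0.9 10.0.1.1 80 A",
        "2003-08-11T10:05:02 10.0.0.9 10.0.1.3 445 S",
    ]
)

# 445 is the port named on the page; 135 (RPC endpoint mapper) is an added assumption.
RPC_PORTS = {135, 445}


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport, flags); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, flags = parts
    return ts, src, dst, int(dport), flags


def find_rpc_scanners(log, ports=RPC_PORTS, min_targets=20):
    """Sources that sent SYNs to at least min_targets distinct hosts on the RPC ports.

    A single host opening RPC connections to dozens of peers is the propagation
    pattern; the threshold is an assumption and should be tuned per network.
    """
    targets = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than abort the whole scan
        _, src, dst, dport, flags = rec
        if dport in ports and flags == "S":
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_syn_flood_pairs(log, dst_port=80, min_syns=50):
    """(src, dst) pairs with at least min_syns bare SYNs to dst_port and no ACK seen.

    A flood participant sends SYNs without ever completing the handshake, so a
    pair that also shows ACK traffic is treated as a normal client and dropped.
    """
    syns = defaultdict(int)
    acked = set()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, dport, flags = rec
        if dport != dst_port:
            continue
        if flags == "S":
            syns[(src, dst)] += 1
        elif "A" in flags:
            acked.add((src, dst))
    return {pair for pair, n in syns.items() if n >= min_syns and pair not in acked}


if __name__ == "__main__":
    print("Hosts scanning the RPC ports:", find_rpc_scanners(SAMPLE_LOG))
    print("SYN-flood (src, dst) pairs:", find_syn_flood_pairs(SAMPLE_LOG))
```

Both checks work on the same parsed records, so in practice they would share one pass over the log; they are kept separate here so that each pattern reads on its own. The ACK exclusion in the flood check is what keeps a busy but legitimate client from being reported.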
The worm hides two messages in its code. The first is:

    "I just want to say LOVE YOU SAN!!"

It is because of this line that the worm is also called the Lovesan worm.

The second:

    "billy gates why do you make this possible ? Stop making money and fix your software!!"

is a message to Bill Gates (the founder of Microsoft, and the worm's target): why does Bill Gates make this (vulnerability) possible? Stop just chasing money and hurry up and patch the software!!
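Strings embedded in a worm's binary, like the two quoted above, are the simplest kind of signature an analyst or anti-virus engine looks for. The following is an added example, not code from the article or from any anti-virus product, that extracts printable strings from a byte buffer the way the `strings` tool does and checks them against the two messages quoted on the page. The sample "files" are constructed bytes, not real samples; the second message is deliberately stored with a line break inside it, as the earlier revision of the article shows it, to demonstrate that matching should normalize whitespace. Matching these strings is only one indicator: a repacked or modified variant would not carry them verbatim.

```python
import re

# The two messages quoted on the page, used here as string signatures.
BLASTER_STRINGS = (
    "I just want to say LOVE YOU SAN!!",
    "billy gates why do you make this possible ? Stop making money and fix your software!!",
)

# Constructed sample buffers (not real malware): a fake PE-like header, some
# filler bytes, and the two messages, the second split across a CRLF.
SAMPLE_INFECTED = (
    b"MZ\x90\x00" + bytes(range(64))
    + b"billy gates why do you make this possible ? Stop making money\r\n"
    + b"and fix your software!!\x00" + b"\x00" * 16
    + b"I just want to say LOVE YOU SAN!!\x00"
)
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 32 + b"Hello, world!\x00"


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def _normalize(text: str) -> str:
    """Collapse any run of whitespace to a single space."""
    return " ".join(text.split())


def match_signatures(data: bytes, signatures=BLASTER_STRINGS):
    """Return the signatures present in data, in signature order.

    The extracted strings are joined and whitespace-normalized first, so a message
    that the binary stores across a line break (two separate printable runs) still
    matches the single-line form quoted on the page.
    """
    haystack = _normalize(" ".join(extract_strings(data)))
    return [sig for sig in signatures if _normalize(sig) in haystack]


if __name__ == "__main__":
    for name, blob in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(f"{name}: {match_signatures(blob)}")
```

Joining the extracted runs before matching is what handles the split message; the cost is that two unrelated strings that happen to sit next to each other could also concatenate, which is acceptable for long, distinctive signatures like these but would be a false-positive source for short ones.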
Signs of infection

Although the worm can only spread on Windows 2000 and XP, it can also destabilize operating systems running RPC such as Windows NT, Windows XP (64-bit) and Windows Server 2003. Once the worm detects a network connection (dial-up or broadband alike), it destabilizes the system, which displays the following message and restarts within one minute:

    "Windows must now restart because the Remote Procedure Call (RPC) Service terminated unexpectedly."

Remedy

The Windows error message and the restart can be avoided by changing the service's recovery (restart) settings, which gives the user enough time to remove the Blaster virus and install the patch for the vulnerability. The steps are:
- Go to Start -> Run
- Type "services.msc" and press Enter
- Find the "Remote Procedure Call" service (not RPC Locator), right-click it and choose Properties
- Select the Recovery tab and set the failure actions to "Take no action"
- Click OK

Because RPC is a built-in component of Windows, the failure actions should be set back to "Restart the Computer" as soon as Blaster has been removed.

Another way to stop the computer from restarting is:
- Go to Start -> Run
- Type "shutdown -a" and press Enter

If you are logged in as an administrator, this stops the reboot (-a stands for Abort).

The above must be completed within the time limit shown once the restart message appears. The shutdown.exe file is not directly available on Windows 2000 and must be extracted from the Windows 2000 Resource Kit.

In addition, systems running the Open Software Foundation's Distributed Computing Environment may be affected by the traffic the worm generates. The packets the worm produces cause a DDoS against DCE and can also make DCE crash.

The best practice for Microsoft Windows users is to visit Microsoft Update regularly, keep the system up to date, and keep anti-virus software updated. Windows Update is especially important because malware such as Blaster often exploits recently discovered vulnerabilities, for which many users have not yet had time to apply the fix.

Trivia

After close examination of Blaster's code, researchers found Parson's name embedded in the source, which led the police to arrest him.[citation needed]