Domain: f-secure.com
Stories and comments across the archive that link to f-secure.com.
Comments · 409
-
Re:Security
It was a Nokia 6600. Interesting phone. As I remember the hardware was very attractive but the UI was confusing. I remember it taking more time to figure out where the web browser was in the thing than to actually download and eradicate the virus.
Here's your proof that this virus exists:
http://www.f-secure.com/v-descs/commwarrior.shtml
You are clearly wrong that no phone virus causing monetary harm has ever existed. MMS messages cost money to send. This virus sent hundreds of them. I will admit I only have her word that the virus caused her a $300 phone bill. But I believe MMS messages cost about two Philippine pesos (at the time $ 0.20) to send. When she discovered the problem, her phone was continuously sluggish and so I have no problem thinking she might have sent a thousand or so messages, so close to $300 in MMS.
I am not an expert about virus propagation, but I suspect you need millions of users for it to be financially worthwhile to write a virus. Nokia/Symbian does have that critical mass. I do not believe there are enough jailbroken iPhones to be a sufficiently fertile market for a virus, but if you could do it on all iPhones it might be. Furthermore, if you jailbreak your iPhone, you and not Apple are responsible for your acts. So you could get a virus on your phone but Apple would not be liable in any way.
Curiously enough, the iPhone's third party software development is done through a model surprisingly similar to what we expect Apple to do. Installer.app is a centralized repository for iPhone software. I would certainly assume that if someone added a virus to installer.app's list of software it would be rapidly removed and the developer blacklisted. Most people are relying on installer.app instead of searching the Internet for software.
While the existing mechanism is probably very safe, I think Apple is right in being concerned about viruses, especially as adding software to the iPhone spreads from what is probably a community of a few hundred thousand at most to a community of millions.
Hope that was of interest.
D -
Re:Phorm
Anybody got any more dirt on them?
Kent Ertugrul, Phorm's Chairman and Chief Executive Officer, started PeopleOnPage (papers on admission to AIM, page 3) who produced the Apropos family of spyware according to reliable sources. Not the sort of people I want having access to my browsing data, be it anonymised or not. -
Comparing Vista to RHEL? WTF?
Am I the only one who finds it TOTALLY bizarre that MS compares their newest desktop operating system to a Linux server operating system?
And quoting an installed user base of less than 1% for desktop Linux as other people have done in this thread just mystifies me even more.
I think that there's just no way you can compare operating systems based on vulnerabilities in a meaningful way because they don't have the same number of users, they're not used for the same things, and they all include different programs that may or may not be counted alongside. Honestly, how many security vulnerabilities can there be in Notepad, Paint and Calc?
I think Jeff Jones is absolutely correct when he says that you should count what comes with the default install of a common, working setup. But you shouldn't count vulnerabilities, like he does.
The only way to get any kind of metric for how secure an operating system is, is by looking at how many of these vulnerabilities are actually exploited. So what if Ubuntu or RHEL has a vulnerability that could somehow, potentially let someone take over my computer under the right circumstances? If this vulnerability isn't even close to being exploited by shady types, what difference does it make to me, the user?
How about looking at how likely I am to be robbed of personal information, having my credit card number stolen, or being included in a botnet to do evil?
Although, with F-Secure's 2007 count of 500,000 pieces of malware for Windows (a doubling since 2006), maybe I'd stare real hard at meaningless statistics too if I were Jeff. -
F-Secure Deepguard 2.0
I'm not surprised that F-Secure did so well in the behavioural blocking test. F-Secure DeepGuard is amazing at recognizing malware application behavior even if it's not a known virus. Truly a nice advancement in virus prevention. Let's hope the competition gets as good as well.
-
Re:Great
How far are people willing to take the monoculture analogy? Nature doesn't have the ability to make iterative improvements to existing individuals, and the magic wand of software updates is a lot more magic than the magic wand of modern medicine.
Even if you posit that something like 100 different operating systems would make any sense, by the time you have 1 billion computers connected together, a flaw in any one of those operating systems gives you access to some big chunk of 10 million machines. That's still an awful lot of resources to be chasing after.
The economics of targeting Mac platforms have apparently become good enough:
http://www.f-secure.com/weblog/archives/00001312.html
so I don't think I'm way off base here.
User education is getting easier; people that have any sort of investment in their data and setup usually don't want to lose it a *second* time.
If networked computers didn't come with all the new problems that they come with, they would likely be awful boring to use; I'd bet that many of the security problems of today turn out, in hindsight, to be little more than growing pains. -
Re:crappy reporting, as usual
Well, yes and no. Yes, 'nothing is foolproof, because fools are ingenious', and social engineering is still the most effective way to breach security. But no Unix-type operating system is even close to being as porous as Windows. Windows is designed to welcome and execute untrusted code, and it finds a clear path directly into the guts of the operating system. Windows users find all kinds of barriers to actually doing anything useful, but hostile executables can dive right into the Registry, replace .dlls, and do whatever they want. The smartest Windows user in the world is still at risk through no fault of their own.
Unixes and Mac OS X require the user to jump through a few hoops to run any executable code; they can't just go "Cool! Free pr0n!" and activate it with a click, and even when they do something stupid there are a lot of built-in barriers to being totally pwned.
But now I'm remembering the Skype worm, which used the lamest social engineering in the solar system, and it still worked... this is a sample of the "clever chat" that got people to visit the infected web sites
http://www.f-secure.com/v-descs/im-worm_w32_skipi_a.shtml
# look what crazy photo Tiffany sent to me,looks cool
# matai :D
# now u populr
# oh sry not for u
# oops sorry please don't look there :S
# pala biski
# patinka?
# really funny
# this (happy) sexy one
# u happy ?
# what ur friend name wich is in photo ?
# where I put ur photo :D
# you checked ?
# your photos looks realy nice
I give up. Humanity is doomed. -
Re:Advantage of less advanced countries
Ironically, Hungary is known for some very good virus writers.
http://www.theregister.co.uk/2004/06/30/hungarian_vxer_escapes_jail/
http://www.f-secure.com/weblog/archives/archive-062004.html
Etc. And more from the early '90s and '80s. And as far as I remember, some of the early polymorphic virus engines etc.
I think every country with teenagers+computers got some of these kids who dream in assembly code. And some of them might be eager to earn some easy money. -
Re:Lovely
It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. F-Secure has complete details on it if you're really interested here
-
F-Secure info
-
Re:missing one thing
Remember what happened when Apple released the Airport Express with support for non-NAT'd IPv6?
I sure do. Apple screwed up an implementation and therefore no one else will ever be able to get it right.
Similarly, Nimda, Blaster, and SQLSlammer permanently ended the use of webservers, operating systems, and databases.
-
Re:Oh please...
How'd you want to create the "perfect" AV product?
Well, for starters, let's limit the attack surface significantly by blocking all executable code that is not on the guestlist (think "whitelist" or "default deny"). We'll certify apps we want on our systems and block everything else. That's the only way we can effectively eliminate all of the grayware and stop today's typical new virus variant (which, although not technically a zero-day, is similar in nature to the sysadmins since the AV signatures have to play catch up). An interesting by-product is increased adherence to strict change control practices. [Does the rate of new application adoption in your org have a curve like this?]
Second, let's have an OS that can separate data objects from executable objects in memory, thus preventing code insertion (buffer overruns). Not an optional kernel memory management function (nX), but a true requirement for all applications compiled to run on the platform.
Third, let's leave users in least privilege mode, so system-level malware is not possible. Again, the interesting by-product is better change control.
Fourth, let's use mandatory integrity levels (or something similar) to ensure that one application does not automatically affect other user-level data. This will prevent the threats that will happen as soon as the other 99% of sysadmins figure out the least privilege concept for their users-- malware will turn to exploiting userland processes and data.
Fifth, let's have applications (i.e. browsers) that follow the same principles the OS does and separate dynamic code objects from data objects as well as not allowing executable code from source A to run as if from source B (think XSS). While we're at it, make sure the applications are designed to not confuse data objects as executable code (think input sanitization).
Sixth, let's make sure the whole process from hardware init to boot up to userland apps is trustworthy. That probably means something along the lines of TPMs, and nixing the possibility of device drivers overwriting memory via DMA (think IOMMU or similar). [Why hasn't it been seen as a bad thing that your USB keyboard driver, regardless of whether it runs in kernel space, can overwrite kernel memory via DMA?]
Where does that leave us? Oh yeah ... that combination does not exist on any platform yet!!! My thought on the religious wars debate (which inevitably pops up whenever the topic of malware comes up): they all suck! Maybe MINIX with IOMMU has a chance (also not available today). -
LINK in the UK
Abbey National had a WAP mobile solution in 2000 that was simply a thin presentation veneer on their J2EE eBanking platform (that also served SKY Digital Satellite TV at the time). It was never very popular and has been switched off now - which is a pity because the guys working on this really struggled to get the interface to work on a 12x6 char screen!
Back in the day (1998), I designed a mobile banking product for the Palm Pilot for the consultancy I worked for - the idea was that you could sync the Palm Pilot using IR through the front windows of the high street bank securely. Needless to say, it never sold. For those that developed Palm apps: it uses the Palm prc identifier "BANK" !!!
The bank I'm working at now is going down the mobile banking route. Here in the UK the operator of one of the largest cash machine (ATM) networks LINK is producing a national white labelled system so that all banks can buy into it at low risk. One of the problems with this is that with some 2 factor authentication schemes using the mobile phone will end up losing "a factor" and will have to use other 2 factor schemes such as one time passcode schemes or the APACS CAP EMV Cards with a card reader.
The problem with the mobile devices is their security of static data - as much blogged by mikko at f-secure
rd
-
Very Often
Most of the malware is for IE, but it's quite frequent for an advertising network or such to be compromised and to send out infected ads. Plenty of websites and ad networks have been hacked for no apparent reason other than to infect people. It's far from the only way they trick people, of course. They like to require special software to use their smileys, screen savers, programs to download some site's crap (especially for porn, like the porn dialers from the days when modems were common), fake anti-virus and spyware tools, etc. If you have to download some special tool to use a site, and it's not a well-known thing like a common media codec or something to extract RARs, etc., it seems like it's almost certainly illegitimate.
That said, I personally have not been affected, but I use Firefox (which has the less critical holes) + NoScript (which completely blocks the holes in TFA, not to mention many others). And even if they did get the exploit to work and had it steal my cookies, there's hardly anything in there because all cookies get deleted when I log out. And I have Adblock Plus, so I'm not going to get hit by any compromised ad networks or whatever to begin with, especially because I'm incredibly mistrustful about what programs I install.
If you want a blog to read, try F-Secure's blog. -
Re:Probably not intentional
Of course it's not intentional. However, this is completely avoidable.
This is evidence that it's time to wave goodbye to signature based anti-virus methods. If we had anti-malware techniques that actually weren't anti-malware, but actually pro-goodware (bonware?), we would never have this problem. Essentially, in a production environment, we want to split all executable code into two categories: 1) Certified, and 2) Non-certified. If we had tools that would only allow certified code to execute, who cares about AV (or anti-spyware, anti-ransomware, anti-bloatware, anti-threat-du-jour-ware)?
This is starting to get insane. Look at F-Secure's latest rate of malware growth. The amount of bad software (non-Certified for the sake of consistency above) compared to good software is unreal. Essentially anti-virus software is the process of outsourcing the software inventory of one's environment for the purpose of determining trustworthiness, only we require our outsourcers (the AV vendors) to work backwards (defining bad, not good) and blind (guessing at what software lives on our systems). With this premise, it's no wonder these mistakes happen. AV Vendors, by their signature-nature, are forced to implement significant changes to our systems several times per day to maintain effectiveness. And when any changes on this level occur at this frequency, there are bound to be quality assurance issues like overlooking critical system files from alternate languages during the testing phases. -
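The "guestlist" / default-deny idea in the "perfect AV product" post above and the certified vs. non-certified split in this post describe the same control. The following is an added example written for this page, not code from any of the commenters or from F-Secure; the class names, the constructed byte strings standing in for executables and the temporary inventory file are all assumptions made for the illustration. It puts a hash-based allowlist side by side with a signature-style blocklist and shows where each one decides "allow" or "deny".

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helper and class names: illustrative only, not any vendor's product.


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable object."""
    return hashlib.sha256(data).hexdigest()


class AllowlistPolicy:
    """Default-deny: an object may execute only if its hash is on the certified list."""

    def __init__(self, certified_hashes):
        self.certified = set(certified_hashes)

    def decide(self, data: bytes) -> str:
        return "allow" if sha256_hex(data) in self.certified else "deny"


class SignaturePolicy:
    """Blocklist (signature AV) for comparison: it denies only what it already knows."""

    def __init__(self, bad_hashes):
        self.bad = set(bad_hashes)

    def decide(self, data: bytes) -> str:
        return "deny" if sha256_hex(data) in self.bad else "allow"


def allowlist_from_files(paths) -> set:
    """Build the certified set from an inventory of approved files (the change-control step)."""
    return {sha256_hex(Path(p).read_bytes()) for p in paths}


def compare_policies() -> dict:
    """Run both policies over constructed sample objects and return their decisions."""
    # Constructed samples: plain bytes standing in for binaries, not real programs.
    samples = {
        "certified_app": b"#!/bin/sh\necho payroll report\n",
        "known_bad": b"MZ sample-family-A-build-1",
        "new_variant": b"MZ sample-family-A-build-2",  # repacked build; no signature exists yet
        "uninventoried_tool": b"#!/bin/sh\necho helper nobody certified\n",
    }
    # The certified inventory is built from files on disk, as change control would do it.
    with tempfile.TemporaryDirectory() as tmp:
        app_path = Path(tmp) / "payroll.sh"
        app_path.write_bytes(samples["certified_app"])
        certified = allowlist_from_files([app_path])
    allowlist = AllowlistPolicy(certified)
    signatures = SignaturePolicy([sha256_hex(samples["known_bad"])])
    return {
        "allowlist": {name: allowlist.decide(data) for name, data in samples.items()},
        "signature": {name: signatures.decide(data) for name, data in samples.items()},
    }


if __name__ == "__main__":
    for policy, decisions in compare_policies().items():
        print(policy, decisions)
```

The allowlist denies the repacked variant without ever having seen it, which is the post's argument; it also denies the uninventoried helper, which is the cost the post alludes to with "strict change control": every approved file has to be inventoried and re-certified after each update. Production allowlisting products usually trust publisher signatures or paths rather than raw hashes for that reason.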
April Fool's joke perhaps?
Notice the date on the original article: http://www.f-secure.com/f-secure/pressroom/news/fs_news_20070329_1_eng.html
Could this be perhaps an April Fool's press release that just got released a few days early so the date did not scream "April 1, 2007"? -
Re:On Windows
Better method:
- 1. Disconnect network cable
- 2. Install Windows
- 3. Install F-Secure as firewall, get the 30 day trial from here: http://www.f-secure.com/small_businesses/evaluations/ . Use another computer for this.
- 4. Install patches, SP2, your programs, etc.
- 5. Now you can remove F-Secure, or buy a license. IMO F-Secure has the best price/quality ratio...
Just my 0.02 -
Re:Also in awe
I always wondered what would happen if the author of Hybris wanted to harm the systems. I also believe that virus was so advanced that it got its own "uninstall yourself" command from its master/creator.
http://news.com.com/2009-1017-250870.html
http://www.f-secure.com/v-descs/hybris.shtml
When you look in detail, it is much more advanced than this trojan which does amazing things such as finding out the e-mail addresses via watching the communications just like Ethereal.
The genius of old time DOS viruses is IMHO GoldBug, it did an amazing job as hiding itself to video memory.
http://www.f-secure.com/v-descs/goldbug.shtml (Mikko Hypponen's original analysis)
Now imagine if these guys decided to make money via trojans. -
Re:Idea
So, instead of having someone cause you few hours of trouble, you'd rather have an actual malicious virus writer infect all your users by including a client side exploit with such a worm? Yeah, making secure systems sucks, but had he not forced the fix to take place, we probably would've seen the worm install spam relays or ddos zombie bots to vulnerable end user computers. Heck, there have even been exploits to execute code that only needed the img tag to be used. Does your social networking site re-encode image files? It damn well should, as the files could contain pretty much anything. Heck, allowing external images also means users can track (ip address and browser info) who visits their pages and when. This can lead to identity discovery and allows targeted and direct attacks to be performed outside the site.
Allowing any HTML on social networking sites is like allowing any HTML in email message. You know what it did to Outlook in form of viruses and trouble, so why would you want to repeat the same experience?
Oh, and here's a tasty on-topic link to a source with a bit more authority than an anonymous coward: http://www.f-secure.com/weblog/archives/archive-072006.html#00000930 -
Re:Neither good nor bad. It's immaterial.
I'm not sure but I imagine the zombie PC's grab this text directly for themselves.
Not yet. Currently they seem to be fed by a web application:
http://www.f-secure.com/weblog/archives/archive-012007.html#00001085 -
Re:Stock scam spams - 3n14rge yur SC0X ...
The actual spam mails are sent by thousands of infected home PCs. Sending the emails doesn't cost the spammers anything. Investigating such a spam network, F-Secure downloaded 68 gigabytes of addresses from a distribution server so it's unlikely you'll be able to overload that end. Besides, if it became a bottleneck they'd just rejig their system to make it even more distributed and hard to catch.
-
Thank you Spamthru & Warezov
Not much on specifics in TFA, but apparently the major increase in spam (mainly those pump'n'dump stock scams) appears to be due to the Spamthru trojan which is being dropped by Warezov.
We've had a few stories on this before here and here. -
Re:Microsoft Recommends..
I'll use your only argument that OS X is secure (which I've already addressed over, and over), and replace "OS X" with "MS-DOS 6.22".
Which, of course, would be a strawman, given that OS X isn't MS-DOS 6.22.
Cite a single "remote vulnerability exploit in the wild" against MS-DOS 6.22. You can't, go ahead, I dare you. With Windows I have to worry about hackers writing remote exploits, but with MS-DOS 6.22 none exist at all. MS-DOS 6.22 is therefore more secure than Windows NT 5.x.
This argument is so incredibly stupid, because MS-DOS 6.22 is a dead operating system that hasn't been in use for over 10 years, while Mac OS X represents at least 15% of the world's computers with 18 million OS X users and growing, according to IDC. That's a very large segment of the population that you claim is vulnerable yet sees no viruses or trojans, even with no antivirus software and a firewall off by default. You are really getting desperate now.
By the way, cite a remote exploit for Windows XP SP2.
IE flaw puts Windows XP SP2 at risk
Windows Metafile Format vulnerability
XP SP2 Firewall bug
More Internet Explorer vulnerabilities that bypass SP2 security features
Hell, just do a Google search for "XP SP2 remote exploit," because I could go on and on and on here. It's pointless.
It's called an inbound firewall, and any OS with one, which isn't being used as a server, can't have a remote exploit in the sense you require.
What a stupid claim. A firewall means nothing if there's another vector of attack. For instance, a flaw in WMF or a zero-day exploit in Microsoft Word that owns your system just by opening a file.
This makes the number of remote exploits an absurd metric for desktop computer security. What about number of vulnerabilities / number of users? Who do you think would have the largest ratio out of Apple and Microsoft given this more sensible metric?
Well, according to the numbers, that would be Microsoft. But you're wrong in claiming exploits are an absurd metric (amusingly, after you spent so many posts focusing on them). The fact remains that OS X's inherent security model stops any security flaws from being exploited remotely and spreading to other users through the Internet.
I notice you ignored all other points I raised. I acknowledge your lack of counterarguments, and I suspect that next time, you'll do better research before you begin citing poor examples for your claims.
Next. -
Re:ill-advised comment, but not Apple's fault
From what's been announced, the disk duplication step of manufacturing was fine. Ironically, it sounds like the virus got onto the iPods at a post-manufacturing quality check where the manufacturer connected a few iPods to PCs to check them, and some of those iPods got infected from an infected PC. But this apparently affected a very small number of iPods.
To keep this in perspective, in 1995, the first Word macro virus -- now called Concept -- was massively distributed by Microsoft on a CD-ROM called Microsoft Windows 95 Software Compatibility Test. The shipment went to hundreds of companies in August 1995. And MS has distributed viruses on CD's to huge numbers of their customers numerous times. (http://www.soci.niu.edu/~crypt/other/onestop.htm, http://www.f-secure.com/v-descs/wazzu.shtml, http://pcworld.com/article/id,101930-page,1/articl e.html) So while I am sure that MS' quality control has gotten better, I think that MS isn't in much of a position to play "holier than thou" on the issue of distributing viruses in their products. -
Re:How is it Possible to be Elitest AND Stupid?
No it's exactly like McD's distributing virus-laden MP3 players. http://www.f-secure.com/weblog/archives/archive-102006.html#00000997 -
Re:This argument has NEVER made sense.
Sorry, but I need to answer this slightly in reverse :)
Well of course, but at no point was I ever talking about trojans, I was talking about viruses, right?
Trojans are categorized as viruses under anti-virus software (adware, spyware isn't though under the same software). Looking at the virus statistics of F-secure, I immediately see that it's e-mail Trojans/worm viruses at the top mostly...And where I live, over 70% of the population lives over the poverty line and are making more than ten times that much. So yes, spending a few hundred bucks for MANY people is nothing, unless your demographic are the very poor or those with next to no disposable income. That's a stretch.
I also recall reading a few articles (sorry, I don't have the links on me) that did claim many viruses or malware in general were written in countries like Russia. Which does not have such high living standards. Now, since I live in a country that at the moment seems to have a lot of similar economic issues (not as bad though), it would be plausible to think my 'demographic' would be closer to so called virus/malware writers. So, perhaps my reasoning does make sense in this particular case? -
Re:emusic is adware
I think the point was that they are a legitimate distributor that "plays for sure", since they distribute mp3s without DRM. But I must question your "spy/adware" comment...
First of all, there is a difference, between spyware and adware.
Secondly, I've been using their service for almost a year and have never had adware pushed on me. Frankly, the first site's description of the adware looked like shortcuts to sign up for their services. "Desktop and start menu links"? Come on...
I'm not even sure how accurate this information is. It was last updated almost a year ago. I do have an option to uninstall the eMusic download manager. And if you're concerned about your personal information being shared you can opt out. Most people do not seem to have a problem with it, as eMusic is the second largest legitimate download service.
Also, how do they "push" these files to you? Based on the links you provided it sounds more like Winamp and other free software are bundling these shortcuts to help support their business.
I will say that I hate spyware, adware, and malware as much as the next guy, but it sounds like you're mostly spreading FUD here. I like eMusic and haven't had any problems with adware from them. Do you work for Apple? -
Re:Application Problems
-
Re:Two Reactions
Linux/Bliss.
Now you've heard of one. There are more out there, too, if you bother to look. -
Re:Point of Sale Systems
You admittedly make some very good points, but I still disagree with other parts of your response. :-)
Doing what is required is not mutually exclusive of not doing things that you DON'T want it to do. The day your machine becomes a zombie and is packed with trojans and viruses, it may still do what is required but it is also doing other things that you don't want.
Dumb is assuming that just because it does what is required that it also isn't doing something you don't want it to do.
My older machines are relatively static. Very little new software is installed on those machines, and the new stuff I *do* install is obtained from trusted sources and then scanned anyway before it's installed (as well as when it is executed each time). I also pay some attention to my firewall logs, so things like new programs calling home are quite likely to be noticed (many things show up on my IPTRAF screens).
In other words, I don't make assumptions about the condition of my machines. Even my non-Windows machines at home are monitored quite carefully.
Now, I certainly realize that not everyone is as aware of the state of their machines. However, I would guess that most of the folks who are running an older OS are also not very likely to be installing new software on those machines, especially things like POS systems (which already do what the company needs to be done). That eliminates trojans and many traditional virus infections (file infectors), leaving only worms and macro viruses. I do acknowledge that those can represent real threats even on older platforms, but defenses still exist if one is aware of them (my F-Prot example is one of these), and systems like POS systems aren't really at risk.
Just because a product exists, doesn't mean it's up to date support. This product hasn't been up to date with current viruses for a LONG time. As I said, no one is writing virus UPDATES not virus software.
Dumb is assuming that just because you have a product, it is always going to be up to date.
F-Prot's virus and macrovirus signature files for the DOS and Win9x scanners are still updated daily by the program's author, and I have a wget runstream which updates my copies on a weekly basis. As you well know, it's those signature files which are most important when new viruses are discovered -- the scanning shell doesn't require updating in most cases.
F-Prot Antivirus for DOS
Latest F-Prot signature files
Dumb is assuming the end user knows what he's doing.
While true, many of the folks I know who are running older machines fall into three categories:
* Hobbyists like myself who are aware of the risks.
* Small business owners or corporate users who are aware of the risks.
* End users or businesses who are not aware of the risks, but who only tend to engage in low-risk activities on those older OSes such as e-mail, web surfing, or running one or more dedicated applications (e.g., POS systems).
For those folks, the problems encountered by more active (but ignorant) home users are somewhat minimized.
On proprietary systems where no one else is allowed to look at the code, modify the code, patch or update? I tend to think the proprietary vendors support is a very highly regarded commodity. And you know what else? Businesses and IT departments do as well. This has nothing to do with blindly applying patches... it has to do with patches being available when no one else can patch.
We're talking about Windows 9x, which received VERY few patches or free updates from Microsoft. Don't map their current patch release practices to the reality which existed 7-10 years ago. For Win95 systems it's mostly a nonissue, and the only way to update things was to pay to
-
Great news.
This gives us another tool that can be used to repair windows systems that have been hit by some of the newest rootkits that can hide from detection when windows is running. Can't hide from a Linux boot disk and with complete write support, now these can be cleaned and studied more effectively.
-
Re:spaces bad, special chars bad
Mime types could be encoded on-filesystem if FS designers chose to (Freedesktop.org has a specification for doing so in a cross-desktop fashion if you're using a UNIX with extended attributes). In any case, mapping files to file types by extension has issues to do with user training and multiple extensions (in particular, if I send you Important.jpg.vbs, which extension are you going to pick for the filetype, and which one is the system going to use? The wrong answer results in unexpected behaviour, which some Windows malware has exploited).
I agree that case-insensitivity is nice when working in English; however, in Arabic, short-vowel insensitivity would be more useful. In German, you have the complexity of ß versus SS versus ss. French requires you to ignore some accents. In short, the rules for each language are different, and on Windows 98, I had a few problems with foreign colleagues creating file names I couldn't handle (until we agreed on all-uppercase, English only names), because the two filenames were identical to Windows 98 English edition, but not to their foreign edition.
The point at which case sensitivity should be fixed is the point at which an application is prompting for a filename, not lower. If you're using tab-completion, I can do (locale-specific) processing to determine other plausible filenames, and print them for you to choose from. If you're using a GUI application (far more common), I can do case-insensitive handling of typed filenames, and highlight the file you've selected in a dialog box. I can even prompt you when you're creating two files with names that only differ in case, so that you can't do that accidentally. Any lower level, and you get into trouble with different languages having different case sensitivity rules.
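Two of the points in the post above lend themselves to a small check: the Important.jpg.vbs double-extension mismatch between what the user sees and what the system dispatches on, and the argument that case-insensitive matching belongs at the prompt, where locale rules can be applied, rather than in the filesystem. The code below is an added example written for this page, not the poster's code; the extension sets are illustrative assumptions, and the "hide known extensions" display model and the use of Unicode case folding (which, for example, folds German ß to ss) are choices made for the example rather than a description of any particular OS.

```python
import unicodedata
from pathlib import PurePosixPath

# Illustrative extension sets (assumptions for the example, not a complete list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
CONTENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def suffixes(name: str):
    """All dotted suffixes of a file name, lower-cased: 'Important.jpg.vbs' -> ['.jpg', '.vbs']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def dispatch_extension(name: str) -> str:
    """The extension the system actually dispatches on: the last one ('' if there is none)."""
    parts = suffixes(name)
    return parts[-1] if parts else ""


def displayed_name(name: str, hide_known: bool = True) -> str:
    """Model a file manager that hides the final extension when it is a known type.

    With that setting on, 'Important.jpg.vbs' is shown as 'Important.jpg', which is
    exactly the user-training problem the post describes.
    """
    ext = dispatch_extension(name)
    if hide_known and ext in EXECUTABLE_EXTS | CONTENT_EXTS:
        return name[: -len(ext)]
    return name


def is_deceptive_name(name: str) -> bool:
    """Flag names whose last extension is executable while an earlier one looks like content."""
    parts = suffixes(name)
    return (
        len(parts) >= 2
        and parts[-1] in EXECUTABLE_EXTS
        and any(p in CONTENT_EXTS for p in parts[:-1])
    )


def case_collisions(names):
    """Group names that a locale-aware, case-insensitive prompt should treat as the same file.

    Unicode normalisation plus full case folding is applied here, at the application
    layer, leaving the filesystem itself byte-exact as the post argues it should be.
    """
    groups, order = {}, []
    for n in names:
        key = unicodedata.normalize("NFC", n).casefold()
        if key not in groups:
            groups[key] = []
            order.append(key)
        groups[key].append(n)
    return [groups[k] for k in order if len(groups[k]) > 1]


if __name__ == "__main__":
    # Constructed sample names for the demonstration.
    for n in ["Important.jpg.vbs", "holiday.jpg", "setup.exe"]:
        print(n, "shown as", displayed_name(n), "runs as", dispatch_extension(n),
              "deceptive" if is_deceptive_name(n) else "ok")
    print(case_collisions(["Readme.txt", "README.TXT", "notes.txt", "Straße.txt", "STRASSE.TXT"]))
```

A mail gateway or upload handler would run `is_deceptive_name` on every attachment name; a file dialog would run `case_collisions` over the directory listing before letting the user create a second file that differs only in case or in a locale-specific folding.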
-
Re:Why I don't trust them at all
F-Secure's rootkit scanner detected Sony's rootkit as such from the very beginning, AFAIK. Also, Bruce Schneier said: "Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions."
-
From the makers of cell phone anti-virus software
Convenient findings from the makers of cell phone anti-virus software, no?
-Eric
-
Re:The sick with a virus ad...
This is the "screenshot" virus from a few months ago:
http://www.f-secure.com/v-descs/leap_a.shtml
It installs into an InputManagers directory that is writable by the default user.
-
Re:Another good reason
Time to switch to F-Secure. At least Finland is still a relatively sane place (from what I hear, anyway)...
-
As seen on their blog page...
This has been written about before on the F-Secure security blog. There's also a nice pic of what all the different parts of bagel look like and how they interact.
-
Yes, there is.
You should check out F-Secure , they have a very good, searchable database with descriptions of various viruses, worms, and spyware.
-
Re:Two questions that need to be asked
While I don't like Windows much either, I think you're missing the point. If there was no Windows, there might be fewer script kiddies (until good scripts came out), but hackers would then go after Linux. It's not that *nix is impervious to attacks, far from it. Go check out Slapper sometime.
This is merely a case of ease of use. If it's easy for someone to "0wn" a Windows machine, of which there are far more desktops, why go for anything else? That has no bearing on any other system being good, just that you can attack a majority of computers rather easily. Take away those computers, or make them "secure" (no such thing online, it's either security, or use, not both) and you'll get virii that target something else. Either a different OS, or a different way in.
On top of that, a lot of this is human error. The social aspect of worms is highly downplayed. How many of these virii do you think people get from clicking popups? Or on a link in someone's AIM profile? Or that attachment that says how much their significant other loves them? For that matter, if you got a letter from your would you suspect it first? Or open it up? What about on Valentine's Day, or your birthday? The point I'm trying to make is, even those who believe they're totally secure aren't. You can harden Windows all day, and if the user messes up once, it's all negated. You can do the same for *nix, Mac OS, or any other OS. To not acknowledge that is ignorance, and blind faith in computers.
Yes, worms spread without human intervention, but so many virii are passed out through human error that the OS almost doesn't matter. And if Windows was secure, or gone, another OS would be hit, whatever's easiest. Tell me, if there were a rash of *nix virii, would you decry its vulnerabilities? No, you'd probably praise how quickly a patch comes out.
Don't blindly trust any OS, and don't blindly hate any.
-
Re:It's not a virus... bzzt. Wrong Fanboi!
No, Leap.A does not "[replicate] itself into other executable code or documents". According to http://www.f-secure.com/v-descs/leap_a.shtml,
Leap.A installs a bundle to '~/InputManagers/apphook' that hooks certain iChat functions. When any of the user's buddies change their status, the worm initiates a file transfer and sends a copy of 'latestpics.tgz'. The file transfer is not visible to the user as the worm hides the transfer status information.
The worm enumerates all applications on the computer that were used during the last month. Leap.A replaces the main executable of those applications with itself and saves the original file to a resource fork with the same filename. When the application is opened the worm activates first, then it runs the original application from the resource fork.
-
Re:Trojan Man?
-
Re:Surely this isn't needed?
-
Mr. & Mrs. Smith DVD
Let's hope the industry learns soon. There are recent products shipping with rootkits on them, like the German release of Mr. and Mrs. Smith. http://www.f-secure.com/weblog/archives/archive-022006.html#00000810
-
Alternative: Superbar
You could just get Superbar which is an alternative.
-
Re:What? I don't understand....
According to the F-Secure entry "...the Municipality of Milan had many of their 10,000 machines infected by Nyxem.E and have chosen to switch off their network today."
Also see here (if you speak Italian)
Seems like having to have 10,000 computers shut down for a day is a big deal... We won't hear about the real impact until next week, I'm guessing.
-
Re:The big question remains
The people over at F-Secure seem to think it's too early for any real damage assessment. Their argument makes a lot of sense.
--
From the weblog:
So far today we haven't received any significant Nyxem damage reports.
The vast majority of the machines infected by Nyxem are home computers. Nothing will happen on them until people get home from work and boot up their machines. Half an hour later the damage starts. The user won't realise what's going on until an hour or two later, when it's already late Friday night.
The full scope of the problem won't come to light until during the weekend or early next week.
We'd like to think that the whole problem was avoided and everybody cleaned up their machines in time. But unfortunately that's probably not true.
-
Re:Maybe they should get involved...
It's not a patch, there is no patch. You can, however, get the update for Microsoft's security tools, which will remove it. Or, you can run one of the removal tools from the anti-virus vendors.
ftp://ftp.f-secure.com/anti-virus/tools/f-force.zip
-
Re:would this work?
Nope.
Nyxem/Blackmal/Kama Sutra hits .zip & .rar.
http://www.f-secure.com/v-descs/nyxem_e.shtml