Domain: f-secure.com
Stories and comments across the archive that link to f-secure.com.
Comments · 409
-
F-Secure Blacklight
F-Secure Blacklight is a rootkit scanner/detector in beta, free to download and use.
-
More Detail
Even though it's linked to in the article, the bit by F-Secure is a bit better written (and more informative):
http://www.f-secure.com/weblog/ -
Re:There is at least one worm active out there.
-
Re:There is at least one worm active out there.
-
Something is happening now
We just found a new worm using the 5-day old PnP exploit. Film at 11, more at http://www.f-secure.com/weblog/.
-
Re:Not enough
Let me get this straight.
You used dictionary.com to find out a technical definition of an acronym and came up short? Wow, apparently you couldn't get the MCSE either.
Esperanto & Mac.Simpsons are not OS X viruses, per f-secure:
http://www.f-secure.com/v-descs/esperant.shtml
http://www.f-secure.com/v-descs/macsimps.shtml
So you're wrong again there. Maybe if you could provide an actual link. You might need directions.
And Renopo was a shell script, not a virus, that was fixed with a security update from 2004:
http://www.lindqvist.com/index.php?ID=1735
And, no, there are still no viruses for OS X. But good luck trying! -
... never became [sic] a real-world problem ...
See this post on F-Secure's site:
"These proof-of-concept viruses will never became [sic] a real-world problem, but the case is interesting historically, as these are the first viruses for a totally new platform."
Is a virus a virus if it never is "a real-world problem"?
http://www.f-secure.com/weblog/archives/archive-08 2005.html#00000613 -
Re:Not a vulnerability
Look, pal, read the original posting before coming up with your smart comments.
And yeah, these viruses do not exploit any vulnerability in Monad. But very few of the most widespread viruses in the world rely on vulnerabilities. For example, email viruses are so common not because email clients would have tons of remote exploits - they are common because users are happy to execute random attachments.
Original posting on the whole thing at http://www.f-secure.com/weblog/
Mikko Hypponen
-
Aww, cut the crap
Sorry, folks. Saying *nix doesn't have viruses is just fan-boy. Believing it is ignorant. As a matter of fact, I run Windows and Linux. Windows does tend to get more, simply because it has more market share. However, I can say that the only virus/worm I've ever gotten that DESTROYED important data was on Linux. God damned phpBB worm that replaces *.html among other things.
Anyway, such generalizations are foolish anyway, since it's usually not the OPERATING SYSTEM level software getting the virus/worms. It's some badly written service.
Anyway... you get the point. But please, stop being slashdot zombies and claiming Linux is perfect.
Keith
-
there are many examples ...
Most direct disc access (antivirus) or "personal firewall" products install themselves as a driver between the physical and logical layer.
This leads to many problems like stuff found recently in almost all Computer Associates eTrust Antivirus products. Because Zonealarm licenced the same software, they were affected, too.
This is just one example of many:
So many well known enterprise Antivirus/Firewall companies create drivers that lead to security flaws and it is not limited to Windows....
-
Re:In other news...
No, but I've seen too many computer or cell phone users who click "Yes" to a series of damn clear messages just to have an alert go away.
The RFID system will have a moderate amount of false alarms, and guards will do anything to return to browsing Playboy and/or playing cards. -
Re:what i'm waiting for
The F-secure anti-virus team tested a Prius for bluetooth virus susceptibility. It wasn't interested.
-
Re:Film at 11
I used to read virus descriptions as entertainment - here's one: Tremor, "the first known polymorphic stealth virus."
-
Re:FUD
Oh boy, we will spend a long time for nothing.
Viruses exist for Symbian, they really spread. Nobody will come up and say "Hey, I had taken my nokia 7650 to service because my one of (install cool name here) program 10.000 cracked app cd "
You all go out once in a while, like big concerts, make your phone visible and see if it exist or not.
http://www.f-secure.com/corporate/intro.shtml
It really looks like they want to sell software to couple of symbian geeks and threatening their reputation since 1989, yea right.
-
Re:Remember when viruses were cool?
For people that don't get what you talk about, here is my favorite DOS.
http://www.f-secure.com/v-descs/goldbug.shtml
Respect, really :)
You should be glad the elite ones like below:
http://www.f-secure.com/v-descs/hybris.shtml
Was killed by their author I suppose. -
Re:Fear Is the Mind Killer
Don't count on that being the reason.
We have seen viruses where user needs to jump through many hoops:
1. open the .zip attachment
2. enter the password for the zip (following the instruction in the email, embedded as .gif semi-captcha to prevent the virus scanners from using the password to open the zip).
3. saving .exe in zipfile
4. running the .exe
I thought the file was safe since it was password protected
Tell me, how is this different from a virus telling user to save an ELF attachment, chmod a+x it and run it?
Viruses rarely anymore exploit software flaws - they exploit the weakest link: user, via automated social engineering.
Apart from disabling users' ability to execute arbitrary binaries and perl/python/shell scripts, the only alternative I see is chopping a finger from the infected user every time they get themselves a virus.
Unfortunately the first one creates practical problems and the second one legal. -
Symantec? That was yesterday...
-
Obvious? No.
It is obvious that this guy should have had an anti-virus package active
No, it's not obvious. Virus scanners are only currently needed for those who run Windows and maybe MacOS, and then only if the machines in question are actually at risk of getting hit with viruses. If a *nix box runs a virus scanner, it's only to protect Windows and MacOS machines that use it as a server, not to protect itself.
My Linux box certainly doesn't have or need a virus scanner, and the Windows box I have has no virus scanner and I've not had a windows virus or worm on it or any other box of mine in I think fourteen years. (This is the last virus I got. Downloaded it from a BBS from a disk usage program. du.exe.)
It's all a matter of being smart about what you run and disabling services that you don't need. And keeping up to date on patches doesn't hurt, and neither does doing most of my Internet stuff on my Linux box. (The Windows box is mostly for games, and the occasional program my wife needs.)
I'd hate for the banks to start requiring that their electronic banking users have virus scanners installed in a knee-jerk reaction to this sort of incident.
-
Symbian and Cabir Virus
Cabir is transmitted as an SIS file (Symbian distribution file), disguised to be a Caribe Security Manager utility. If the infected file is launched, the telephone screen will display the inscription "Caribe".
The worm penetrates the system and will then be activated each time the phone is started. Cabir scans for all accessible phones using Bluetooth technology, and sends a copy of itself to the first one found.
Here is a link Caribe
Anti-virus companies have been warning for some time that mobile networks could be the next targets of virus authors. Mikko Hyppönen, director of anti-virus research at F-Secure, said several months ago that there was a danger of viruses spreading into GPRS networks through USB ports, and that pocket-PC devices would be easy targets for virus coders.
-
Re:PHP
Oh, using PHP will make sure the sites are in sync.
Seriously, why one language over another? The guy was asking about application technology. It sounds like he wants something that works, and dammit right now. He doesn't need a programming task on top of all the other sh*t he has to get done. Think of the children. -
Not very beneficial
Is reporting that they don't know if the worm actually patches it successfully. For all we know, it could be infecting the System. When searching, only 3 results came up.
-
I get so tired by this kind of stuff
I run Windows. I didn't use to. Between 1993 and 2001 I ran Linux almost exclusively. When Windows 2000 was established I switched on the simple basis of that it was better.
I don't run anti-virus. I don't have a firewall. I don't run spyware-removals under normal circumstances. If I feel the computer is feeling odd I download and run F-Prot's free DOS version followed by running Adaware 6. On some single occasion I've run Norton Anti-virus just to be on the safe side.
I'm not alone in using this computer, my not quite so computer-literate girlfriend does too. I often download shareware games and freeware programs, not to mention warez every now and then.
Despite all this - I have never (*knock on wood*) been virus-infected. I have never gotten any spyware.
So I have to ask myself, what do all these people do to get their computers so messed up? Why isn't it happening to me, when I run the same Windows without any protection? Is it really Windows' fault?
-
Re:Personally a bit of a shame
You are drawing conclusions. f-secure didn't say that the meta tag was FOLLOWED by lycos client, merely that spammers added a meta refresh tag. In fact, it was debunked on their weblog:
Update on 4th of December, 2004: Lycos has confirmed to us that their screensaver does not follow Meta Refresh tags, so this attempt by spammers will fail. --Mikko -
They've already done #2
According to this it's already happened:
Spammers fight back Posted by Alexey @ 09:37 GMT
In an interesting twist, apparently one of the spam sites under attack from Lycos' "Make Love not Spam" operation has turned the tables. The front page of a spammer site called www.moretgage.info (which used to sell cheap mortgage loans) has been changed to contain a Meta Refresh tag, redirecting all web traffic to...www.makelovenotspam.com.
As an end result, depending on how the Lycos client works, the screen savers downloaded from makelovenotspam.com might be attacking the download site itself. -
Actually...
It's according to Netcraft. Their story is Spam Sites Crippled by Lycos Screensaver DDoS, followed by Lycos Screensaver Site Blocked by Internet Backbones and Lycos Screensaver Site Changed, Now Says "Stay Tuned". F-Secure also says spammers are beginning to fight back by redirecting traffic back to Lycos.
Come on people, primary sources! This isn't elementary school. -
It was W32/Netsky.P
It was W32/Netsky.P
The only new thing about the email that I got was the subject line. -
Of course they support Free Software
India's political commitment to free software is second only to Brazil's
Well, it stands to reason. In the Indian sub-continent (which includes Pakistan and Bangladesh) where they have railed against high software prices for decades (and incidentally Pakistan produced the first virus - apparently aimed deliberately at foreigners who could afford to fly in to buy cheap copies of pirate software), then "Free and legal" is better than "Free, 'cos it's pirated" -
responsibility
This idea has been floating around for years, I saw it discussed online during the first wave of .DOC viruses.
I guess the motivation for writing these things has changed or something. I don't understand the mentality, but apparently it's not about being destructive these days. There were some truly evil old-school MSDOS viruses, i.e. fumble and dbase.
Maybe all the "talented" guys are actually making money from their spambots, and don't want to kill the goose that lays the golden egg or something. Still, it would only take one anarchist, I'm amazed it hasn't happened yet.
-
Re:A few points
There was a destructive internet worm recently.
It attacked PC's via a hole in BlackICE firewall.
After reproducing for a little while, it began randomly overwriting sectors on the HD. Eventually your OS (and probably a lot of data) would be fubar.
URL: http://www.f-secure.com/v-descs/witty.shtml -
Re:This just in...
wasn't hard to find at all.
http://www.f-secure.com/v-descs/monkey.shtml -
Not the first..
Subseven achieved this level of intrusion, offering it as a convenient menu option!
-
There by design ...
From The Register.
Mosquitos smartphone 'Trojan' there by design
By John Leyden
Published Wednesday 11th August 2004 13:31 GMT
The Mosquitos Symbian dialler Trojan is not really a Trojan horse after all.
Many news outlets, including ourselves, reported that a trojanised version of Mosquitos game for Symbian Series 60 smartphones was circulating online and across P2P networks. Cracked versions of the game secretly sends SMS messages to premium rate numbers, according to reports on various online forums.
Illegal copies of the game display the following message on start-up: This version has been cracked by SODDOM BIN LOADER No rights reserved. Pirate copies are illegal and offenders will have lotz of phun!!!
Yesterday Symbian put out a statement which contributed to the impression that malign code was inserted into 'cracked' versions of the game by members of the computer underground. However it turns out that the hidden SMS functionality, along with a message written in the best vernacular VXer speak, was put in the game from the beginning by the original games publisher Ojom.
In an advisory, AV firm F-Secure explains: This functionality was intended to be a copy-protecting technique - it didn't work as planned and the whole functionality backfired.
The premium rate contracts for the phone numbers have been terminated, so although old versions of the game still send hidden SMS messages, it only costs the nominal fee of sending the message itself. Current versions of this game no longer have this hidden functionality, but 'cracked' versions of Mosquitos still float in P2P network - and they still send these messages, it adds.
So what appeared to be a Trojan is actually a rather sneaky and somewhat ineffective copy-protection technique. Proof that even if something looks like a duck, talks like a duck and walks like a duck it isn't necessarily Anas platyrhynchos.
Although the Mosquitos saga turns out to be an urban myth, the recent discovery of the first malware capable of infecting smartphones shatters the comforting belief the mobile phones are safe from viral infection. The threat is very low at present but shouldn't be completely discounted. ®
-
Sure thing, fungi.
You don't have to be an idiot to get viruses on Windoze, you have to be a fucking genius to avoid them.
Here's a post with a little thought in it. It's not the user, it's M$'s crappy software. The long and complicated steps you talk about are not found in fsecure's description, so I have no idea what user intervention you are talking about. I'm also used to the variants boing full auto more than I'm used to them depending on some poor hapless user pulling ROT13.
So enlighten us. How would you have handled this in your hypothetical email client that engineers user stupidity away. I'll even let you pick the OS you'll be running it on so you don't have to be saddled by the deficiencies of "Windoze".
Users trained to click things all day are not stupid, their software is. Kmail on any OS only hands files to clients for viewing. The long chain of exploits are missing there and you don't know what client my users have for a given file type. Files are never saved with executable permission turned on. There is no system wide registry for you to hide in. The list of dumb stuff M$ did to make this possible goes on. The most important thing is that my users are not conditioned to click things without reading them. Free software users don't see many "I submit" buttons and stupid workarounds to Windoze's core inability to easily share work.
How's that for a ray of sunshine? You need to get out more.
-
take out the responsible party, please.
Admin, heal thyself. It would be much easier to fix your software than your users. How many years do you have to wait before you realize that M$ is not going to fix its problems? Pull your head out of Bill Gates' little propaganda bubble, please, and breathe the free air.
Witness the marvel of the Windoze desktop. First, there's the plethora of technical BS admins try to cram into their user's heads via ... popup messages that must be clicked "OK" for the user to do even simple tasks. The average corporate user also suffers a veritable flood of "communist propaganda" to their inboxes, which must be read for fear of missing something important, much of it attachments. The company and M$ has trained them to click without reading, so you are surprised how? Then there's double extensions, extension hiding and all the dozens of "executable" extensions to keep up with! Even users with a clue have a hard time. Between that environment and the stupid way Outlook runs as root and can write to system folders, you get MyDoom internet storms. You don't have to be an idiot to get viruses on Windoze, you have to be a fucking genius to avoid them.
Fsecure is still up and has a reasonable description of how this M$ carried disease gets around. It's a little dated and for this one menace there are dozens of versions that have gone full auto by taking advantage of other holes, like download.ject did. Oh well.
The real idiots are administrators who still recommend the same platform for their place of work that's caused them all of these problems. How many times are YOU going to be fooled? It's not convincing your users.
-
Re:I'm surprised we haven't seen Palm viruses.
There already are PalmOS viruses. See here for an example. The key difference is that PalmOS has only recently gotten any sort of wireless connectivity. So these viruses all spread via human interaction (i.e. Hotsync of an infected file, or IR beam of an infected file).
Give it time and there will be ones that spread via bluetooth or WiFi. -
Re:geez!
Not as flawed as this (page renders like shit in moz - scroll to the bottom...) How did this one get around?
NAME: Simpsons
ALIAS: Trojan.BAT.Simpsons
This is a simple BAT trojan that deletes all files on C:, A:, B: and D: drives. The trojan uses 'DELTREE /Y' DOS command to delete the files. The trojan then tries to delete SIMPSONS.* files, but there are no more files on affected drives after the DELTREE command.
The trojan is distributed as a self-extracting WinZip package that displays standard WinZip message after being run and then extracts the trojan and spawns it.
This trojan was reported to be in the wild in late June, 2000. However, it does not seem to be significantly widespread (as it does not replicate further by itself).
[Eugene Kaspersky, KL] -
Re:Ah... good old hoaxes...
I can assure you it doesn't restore it in the 9x series. Both 2000 and XP come with some autorecovery functionality (if you've ever installed UltraEdit as a drop in replacement for Notepad, you have to turn that feature off for a while)
The bear thing is not important at all. There was a similar hoax that was related to long filenames in Win9x, which was sometimes a bit more troublesome.
-
Re:MSN Search is infected
it's actually this trojan (upx packed)
has built in mailserver/proxy so that is confirmation its spam related -
The exploit installs fun stuff
http://www.f-secure.com/v-descs/padodorw.shtml
Seems like a nice keylogger. It also installs another trojan. Virus vendors seem to be getting on the ball. Also the site which distributes the payload is currently dying under the load. The virus is apparently a bit too successful for its own good. -
Mobile antivirus already available
F-Secure states in their description of the Cabir worm that they already have a solution against Series 60 malware:
F-Secure Anti-Virus for Symbian 60 series will detect the Cabir and delete the worm components.
There's not much information about the software on their site though - only that it is a part of the F-Secure Mobile Services platform they announced in October last year. -
More info:
This is my original attempt to post this story, it got rejected, but now that someone else brought it up, I will post my version. Primarily because there are some cool links in it that should be seen:
Yesterday InfoWorld reported a new first for viruses. Believed to be the work of international group 29a, Cabir is the first worm to infect mobile phones! Cabir is a proof of concept worm infecting Symbian mobile phone operating system by Symbian Ltd, used by Nokia. Cabir does not include a malicious payload. -
Re:Sempron...
It wouldn't be so damn bad if the new chip name had a ring to it.
Take "Athlon" for example: The "Ath" part of the name reminds me of Athens, Greece. You know, home of the Roman empire, which was a powerful force in its day. The "ion" part of it reminds me of the word "marathon" which says to me it can keep going and going. Kind of a powerful runner if you will...
Now take "Duron", the "Dur" part reminds me of "endurance" which means it's not running for speed, it's an endurance runner. The "on" part still reminds me of marathons.
These to me, seem like very fitting names. However, I'm not sure what to think of Sempron. Excluding the obvious porn reference, it does remind me of the Sampo Virus though.
-
Not Exactly...
F-Secure Weblog says Korgo doesn't install a key logger by default, but that the "cracker team" uses Korgo's backdoor to do so. So, you won't necessarily have the key logger installed if you have any of the Korgo variants. At least, none up to this point...
-
Re:Could Sasser possibly affect Linux?