Domain: f-secure.com
Stories and comments across the archive that link to f-secure.com.
Comments · 409
-
Re:Virus Scanners
Hmm
There are some anti-virus companies which do not really work in any other areas of the software business. For example, F-Secure gets practically all its income from its Anti-Virus package. These kinds of companies do not have an option to sell out, because if their customers can't rely on their products to stop all malicious attacks, they don't have any customers very soon.
Also, F-Secure happens to be a Finnish company so it does not have to follow the US rules (as a matter of fact F-Secure / SSH Inc were both created more or less thanks to the crypto export regulations in the early 90s..)
And no, I don't work for them.. -
Re:A cold day in...
In this case, the real problem is that people didn't see the 1995 movie 'Hackers'. Doesn't everyone already know that the three most common passwords are "god", "sex", and "love"? It looks like those names are in the password list used by this virus ;-). That movie wasn't completely useless! (yes it was) -
Re:huh?
Interestingly, the register article says 'default', but the source they quote, http://www.f-secure.com/v-descs/deloader.shtml does not.
They cite 50 passwords that the worm tries:
Once a suitable machine is found, the worm tries to log on to the remote computer using login name Administrator and by trying 50 different passwords:
"" (empty)
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"admin"
"Admin"
"password"
"Password"
(you get the idea)
Nowhere does it claim that these are 'default' passwords in the sense that Windows installs leaving them set as default. The problem is that the person installing Windows picked a "weak" password. Seems a stretch to call this "default". (as in "Fred was too lazy to come up with a good password, so he picked some "default": I think it was '12345')
Your comment has too few characters per line (currently 17.0).
now I am obliged to add more crap to my post in order to reach this C/L threshold:
Deloder is a network worm infecting Windows machines which have set a weak password to the "Administrator" account. It also installs remote access tool VNC, opening the computer to the world.
no, that wasn't enough, here's more:
1) The combination to the Air Shield is ... one. 2) One! 3) One! 1) Two. 2) Two! 3) Two! 1) Three. 2) Three! 3) Three! 1) Four. 2) Four! 3) Four! *pause* 1) Five. 2) Five! 3) Five! 2) So the combination to the Air Shield is one two three four five!! 3) One two three four five!?! That's the stupidest combination I've ever heard!! That's the kind of combination some idiot would have on his luggage!! -
Re:What were those commons passwords in Hackers?
According to F-Secure, these are the passwords it tries:
[empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw
the pat / patrick is rather weird, eh? only name in the list. -
Re:Government Funding of Security/Virus Prevention
This works well for me.
-
Re:Government Funding of Security/Virus Prevention
I run a FreeBSD server for serving Windows users through Samba, and occasionally an infected Windows box drops malicious emails and exes all over my shared filesystem. You Unix zealots seem to brag about BSD not being as susceptible. Need I remind you of Slapper, which only infected Linux/Apache machines, but the same vulnerability existed on any system running Apache. What we (or at least, I) need is a Unix-based virus scanner that can prevent the spread of viruses for all platforms.
-
The year would not be complete without ....Another God Damn M$ worm to clog the internet, yaha.K. See:
for more details. Whee! 96 countries so far, but predominant in UK and Netherlands. Thanks for all the "security" work, M$, I can see how much you have improved. Surely the new total information awareness will have the foul criminals in jail before long, ha. Next year will be just like last year, but worse.
-
Virii Writers Guild Meeting
-
Information and live status about the worm
Hey all,
Ero Carrera at F-Secure.com asked that I post this for them:
"Information and live status about the worm can be found at http://www.f-secure.com/slapper/"
Inner Monologue I wonder if Ero is a guy or a chick? And if it's chick is she like looking, ya know what I mean? -
Re:Nimda
If you, for example, mean Slapper, scroll down on that page and look at how the worm was almost killed after 3 days. Although no system can ever be totally secure (except dead systems), it seems that Linux machines are much easier to clean up and patch than Windows machines.
-
Re:Nimda
See F-Secure for the current infection of the slapper worm, 5 days after discovery. Infected servers: < 14,000 total, according to them.
Now, this report from Sep. 21, 2001 reports 1.3 million infected NIMDA servers.
Help me out here.
Where is the comparison? I'm still wading through NIMDA/Code Red requests on my webservers, looking for any sign that those servers have been poked by slapper infected servers. No dice so far.
Slapper is generating panic because it's got a peer to peer network on the backend, not because it's actually been able to infect a lot of servers. Can you imagine what would happen if someone wanted to start a p2p network on the NIMDA/Code Red infected servers that are still online now? To say NOTHING of the 1.3 million and up that were infected originally.
Slapper is a silly excuse for some "Open Source Sucks" journalism, not a reason to head for the hills and unplug the router.
So here you go:
[chastise]
Oh, you lazy stupid 14,000 linux/apache admins! patch your servers!
[/chastise]
[screaming rant]
It's been a year! Get that "guy who knows computers" who put that shiatty NT server on the net for you to get back in your office and put some patches on it! Give him a beer for pete's sake!
[/screaming rant]
Thank you.
--mandi -
And what are we doing today?
One year after Nimda, we are fighting the Slapper worm. Did anyone say Deja vu?
Wonder what we are going to fight next year. -
Re:Worm Birthdays?
Of course not.
Why?
Because the fewer than 14,000 servers infected with slapper are nothing compared to the infection of NIMDA and its derivatives.
duh.
-
How will Palladium fend off viruses and worms?
I've yet to see an explanation (other than "It's Magic!") of how a Palladium/TCPA/Fritz-chipped computer will end up more secure against viruses and worms. For starters, note that the most prevalent viruses for the last several years have affected *macros*, and assume that the "worms" they talk about are things like Klez, SirCam and etc, basically Outlook viruses.
Certainly in a Fritzed Palladium computer, software like Word and Outlook will have "certification". I mean, MSFT will certify their own software, right? The Word macro virus just gets interpreted by the certified Word executable. Similarly, Klez would just cause the "certified" Outlook executable to do certain things.
Given that any computing system that is Turing-complete can support viruses, how does Palladium make a system resistant to them? Is a Palladium system just not Turing-complete? Will "certified" executables not have features like scripting languages, macros, etc built into them?
-
Re:It's an underrated approach
And, seeing as my mother can't figure out that clicking "update" on the liveupdate popup from Norton will update her antivirus and that it's a good thing, I guess I should be happy that she can't download.
:p
Although she does seem to keep on top of things like the teddy bear virus.
-Sara -
Re:If I am not mistaken.
Never let the facts get in the way of a good troll, eh?
The truth of the matter is that back in the early days of SSH, the world was entirely SSH.COM (now F-Secure). That's because there was no one else. SSH 1.x was all we had, and it was free (for non-commercial use, after 1.2.something).
It's profoundly clear that the large majority of businesses are switching to OpenSSH. The numbers prove it (check out OpenSSH's statistics, posted here several times). Why? Because the old SSH 1.x installations are steadily dying, and people are forced to perform a semi-major upgrade. It's clear they're choosing OpenSSH. If you read the statistics, in fact, it appears that the number of F-Secure installations is dropping (not counting F-Secure 1.x, which is dropping like a stone).
You may think "oh, big conservative companies want a commercial product". Take for example UBS Warburg. A mega-huge conservative financial institution. They use OpenSSH wherever possible ("as a matter of policy", to use your words). In fact, several of their employees are involved in OpenSSH development. I used to work for a hosting company, and there were other financial institutions that used OpenSSH. Of course not just banks liked OpenSSH. We had very few requests to support F-Secure.
They're by far not the only ones. Your "horse's mouth" argument is way off the mark, too. The vast majority of development is going on in the OpenSSH world, not the closed proprietary world of F-Secure. Oh, and F-Secure's SSH isn't without a recent hole either.
-
Lots of Options
There are several options for commercial SSH vendors. I found myself in a similar position a couple of years ago. I worked at a company that provided 24/7 security support to hundreds of companies, and _had_ to have a commercially supported SSH for both insurance and customer relation purposes. We started out using F-Secure, but the licensing and support was terrible. On top of that we found out that F-Secure simply licensed SSH.com's code and rebranded it. We worked a fantastic deal with ssh.com that allowed us to deploy SSH enterprise wide. On top of the good deal, we found the support to be excellent. At one point we needed some LDAP integration done and SSH.com had it done by the next release. I have also found SSH.com to be better security wise (since they do this to make money) than OpenSSH, check their track record. Anyhow, F-Secure, SSH.com and a couple of other companies offer SSH commercially. Good luck.
-
F-Secure
One of our software vendors recommended the use of F-Secure for their support dept. to get a remote connection to our AIX-based accounting system. We replied and asked them why we can't use OpenSSH, since f-secure's license is about $500. They replied they'll look into it, but it's not a high priority. Since SSH is a standard protocol, couldn't we just use OpenSSH despite whatever implementation of SSH they're using on their end? I know my boss doesn't care, his favorite phrase is, "We like free." (But we use Windows NT for everything but our accounting system... Go fig.)
-
Re:Start of a bad trend
Er, no, that's a result of a gnutella worm. That file is probably a something.jpg.vbs script and it propagates by being dl'd and executed by "morons" who don't look at file extensions.
--
-
Re:You mean . . .
This one seems pretty objective: http://www.f-secure.com/v-descs/perrun.shtml
-
Not exactly the first
This is not really the first win/linux virus. There was a cross platform virus over a year ago. Wired had an article on it, as did f-secure.com. This may be more malicious, but the first was GPL'd.
-
Fewer Lines!
Gee, if they had done it with .NET, they could have done it with fewer lines of code!
And left open security holes, and been vulnerable to virii. But, but, fewer lines of code!
-
Never mind Klez, hoaxes are the annoying viruses
Never mind the Klez virus, those elaborate virus hoaxes are far more annoying because you need to educate the person that emailed you about it that it is in fact a hoax. One only has to look at the latest hoax that tricks users into thinking jdbgmgr.exe, the Microsoft Debugger Registrar for Java, is a virus.
-
Re:Try qmail-scanner
Don't know if this will help you or not. Google returned this link that has detailed info on Hybris and suggestions for cleaning your system.
Good luck! -
Interoperability (Re:"Central Policy Server"...)
Interesting -- I wonder if they wrote their own policy server, or are OEM'ing someone else's stuff? There are several vendors who have products in this space: Zone Labs Integrity, Sygate Secure Enterprise, Symantec Enterprise Security Manager, F-Secure Policy Manager, and probably some others I've forgotten.
The tricky thing is writing a server that integrates well with existing back-end security and authentication infrastructure: having a bunch of standalone systems really sucks from a management point of view. Depending on how the client/agent/firewall (in software or firmware, as on a NIC) is structured, it may be possible to mix and match vendors in the future. (For example, another vendor's server monitoring these 3com NICs.)
The protocols themselves don't really need to be proprietary to the point of precluding interoperability: most are based on good solid Internet/IETF standards like IPSec, SSL, TCP, XML, etc. (Full disclosure: I was the system architect for Zone Labs Integrity.) If the protocols could be standardized, I could easily see ZLI serving policy to the various firewall-enabled gadgets out there, as the server is easily extensible.
I guess I just want to see things interoperate, but that's probably just because I'm an old Unix hacker....
-
the problem with windows based software
I don't like Windows based anti-virus software because it often requires infected parts of the OS to run. I have seen Norton not clean stuff up properly and outright miss things with the latest definitions.
Personally I use the free version of F-Prot from F-Secure. It runs in any version of Windows, is updated weekly, is free, and works. -
Another "Concept Virus" that you've heard about
Sounds like the vaporware phenomenon has extended to virii.
1. It's 'viruses'. ESR says so.
2. Concept Virus is also the name of the virus commonly known as Nimda.
-
Re:Blah
Are you referring to the post by Steen Larsen to NTBugTraq on 12/18/2001 in which he identified a worm making its way around that supposedly exploited the MS01-058 vulnerability? It turned out it exploits a DIFFERENT vulnerability (MS00-075); the guy misidentified it and retracted his statement the next day. See F-Secure's description.
If that's not what you were referring to, ignore me.
-
"Change to linux"
F-Secure's research manager, Mikko Hyppönen, advises people to "update virus scanners and change to Linux, if possible".
Quote taken and translated from a Finnish newspaper article.
- blwrd -
More information here
F-Secure have a page describing the W32.Goner.A@mm as well.
-
A couple of thoughts
- It would probably be illegal to target it abroad, but then again why would the feds care?
- If you're worried about the American AV firms being leaned on or something like that, I'd suggest F-Secure, Finnish high-tech AV detection, and they also have encryption products etc. Check it out.
- "Is Linux Safe?" has come up several times.. If you are really paranoid you should use OpenBSD. It's about as secure as an operating system gets AFAIK. Personally I'll stay with Linux as I have for a long time.
- It's really really scary to see the amount of reports of new laws on "anti-terrorism" and how the FBI etc is getting more and more authority. It's kind of a dark future we're moving into. I hope they realise what they are doing to basic freedom before it's too late.. I'm glad that Europe hasn't gone as far (yet?) though..
...H -
Re:AV software.
The link you provided goes to a German software reseller; the official site for F-Secure Anti-Virus (and the older F-Prot) is http://www.f-secure.com/products/anti-virus/
-
Re:Hey, how about a few more links?!
-
Re:no virus protection?
Then again, now that I think about it I can't think of a major anti-virus application for Linux. Can anyone suggest one?
Try the venerable F-SECURE: workstation and firewall products.
-
Re:here's more output
...including what looks like an attempt to exploit boxes still rooted by Code Red
Assuming that refers to this:
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
then that's an exploit for Code Red II infected machines, not the original Code Red.
-
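A defender-side check for the request quoted in the comment above, as an added example (not code from the post or from F-Secure): it parses web-server lines in common log format and counts, per source host, probes for the backdoor paths that Code Red II leaves on an infected IIS host. The log lines are constructed; the /d/ and /scripts/root.exe paths are assumed here as the other well-known Code Red II backdoor locations beyond the one quoted in the post.

```python
import re
from collections import Counter

# Apache/NCSA common log format: host ident user [time] "request" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a scanner requests when looking for the backdoor Code Red II leaves on
# an IIS host (cmd.exe copied under the /c and /d virtual roots, root.exe in
# /scripts). The first entry is the request quoted in the comment; the other
# two are assumed additional backdoor locations.
BACKDOOR_PROBES = (
    "/c/winnt/system32/cmd.exe",
    "/d/winnt/system32/cmd.exe",
    "/scripts/root.exe",
)


def parse_clf(line):
    """Return the fields of one common-log-format line, or None if it does not parse."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def is_codered2_probe(path):
    """True if the request path targets a Code Red II backdoor (case-insensitive, query ignored)."""
    p = path.split("?", 1)[0].lower()
    return any(p.endswith(probe) for probe in BACKDOOR_PROBES)


def find_probes(lines):
    """Return {source_host: count} for lines that probe for the Code Red II backdoor."""
    hits = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec and is_codered2_probe(rec["path"]):
            hits[rec["host"]] += 1
    return dict(hits)


# Constructed sample log lines (not real traffic) in common log format.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:10:15:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [19/Sep/2001:10:15:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '198.51.100.7 - - [19/Sep/2001:10:15:03 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '203.0.113.5 - - [19/Sep/2001:10:16:40 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 209',
    '192.0.2.10 - - [19/Sep/2001:10:17:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 5120',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, n in sorted(find_probes(SAMPLE_LOG).items()):
        print(f"{host}: {n} request(s) probing for a Code Red II backdoor")
```

On a non-IIS server these requests are noise, but the source hosts are worth reporting to their owners since they are scanning for an already-compromised machine.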
This reminds me of the Fish Virus....
The Fish virus, IIRC, would remove the Stoned/Michaelangelo virus if it was found, and then infect the machine itself.
Further info about the virus is found here from Datafellow's virus database.
-
Related story - You have been bearded...
A friend of mine was holding a very important 2 hour demo for an important customer in our office. The customer had sent several people, so he decided to hook up the demo machine to the projector, which created a 4 by 3 meter image of his screen.
As the demo was for several hours there was a 15 minute break in the middle. Being in our office he was connected to the network, and during the break he decided to check his email. At that time someone had sent him the "You have been bearded" exe. As he had several windows on his desktop he never saw the x-rated image that the program placed on his desktop.
Client reps return after the break. The demo progresses smoothly. After the demo finished he shut down all windows while he is talking about the work ethics and dedication of our programmers. After shutting down the last window his desktop (with the heavily bearded girl as the desktop image) is displayed in 4 by 3 meters in front of the customer.
There is a 10 second silence after which he discovers why all eyes are staring at the image. His first reaction is to close the lid on his laptop. As we all know this does not remove the 4 by 3 meter image produced by the projector. His next reaction is to remove all cables attached to the laptop which eventually removed the 4 by 3 meter x-rated image.
The customer was very satisfied with the demo. One guy even asked if he could borrow the demo computer back to his office...
-
Re:And your hardware is free?
> Is there anything else in your company that costs any money that could possibly be damaged by a disgruntled employee? Desks? Lamps? Chairs? Hard drives?
There is a big difference between intellectual property and physical goods. Let's take your example, lamps:
- You don't see lamp manufacturers actively encouraging disgruntled employees to break their desk lamps. Sure, it might boost sales, but lamp manufacturers are above such sleazy tactics.
- Lamps are actually useful, and if broken, it gets noticed pretty quickly. Whereas a missing license sticker on a PC might not get noticed for months... You'll never know for sure whether it was Joe who tore off the license of his computer before he left, or whether that computer was part of a batch which happened to have no sticker, or whether it was Paul who did it 3 months ago, before he left!
- Motivation is difficult to prove. Somebody might have torn off the sticker, not because he wanted to get his boss into trouble, but just because he considered it an eyesore. However, smashing a lamp is somewhat harder to justify. If the fluorescent lights in the office annoy you, you just leave them off. But you don't smash them.
- And most important: people never leave or get fired over their taste in desk lamps (well not usually, at least). You get that distinct "they slept with the dragon; they got eaten by the dragon" mentality that fosters poetic justice.
If this is company-owned IP, it will in most cases be only known by a handful of people. And if it tends to get leaked, it will thus be pretty easy to find out who did it (Who had access to it? Who had a motivation to do it? Where did the leaked info first turn up?). Of course, the rise of the Sircam and Magistr virii has changed the outlook on this issue (pun intended...) by providing enough plausible deniability, but this is a quite new phenomenon.
-
Re:How long?
F-Secure (the F-Prot people) have more information on One Half.
Alex Bischoff -
Re:These virus writers have no imagination...
Time to wake up, this is old news indeed. This bug attacks dBase files and corrupts them. dBase was quite a popular database in the late 80's, IIRC.
The nasty thing is that the bug is able to hide in memory and reverse the damage to the .dbf file when dBase loads it. Therefore file corruption is not noticed at once. An unsuspecting user will make proper backups of the damaged file. After a while the file is wasted, and the corrupted backups are good for nothing. -
Re:These virus writers have no imagination...
Well, there is a virus which installs the SETI client on infected machines. Its name is Hadra.
-
GET A DAMN CLUE PEOPLE!!!
It seems just about every damn virus nowadays spreads via Outlook or Outlook Express which is too bad
But has anybody (specially Timothy) actually paid any attention to the damn stories?
Nowhere in these stories is it claimed that Sircam uses Outlook to spread! Maybe Timothy got the idea from reading this CNN article.
Geez, people, do you believe everything that CNN says? It's not like I really expect CNN to get this right, but /. readers are supposed to be better than that!
In fact, the Wired news clearly says that the virus serves as its own SMTP client. A lot about this virus in fact resembles how the Judge Disemboweler virus operates.
The only thing that can be interpreted as using Outlook to spread itself is the fact that it takes its e-mail addresses from Windows Address Book files; however it will also try to get addresses from some files in the 'Temporary Internet Files' folder. This means it should be able to spread without any need for Outlook (just some e-mail client and a user naive enough to run the attachment) and without Windows Address Files.
All the usual sources of virus information seem to agree about this virus serving as its own SMTP client. Please check for yourselves:
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
http://www.sophos.com/virusinfo/analyses/w32sircama.html
http://www.europe.f-secure.com/v-descs/sircam.shtml
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010 -
Re:Cell phone worms...
-