Domain: nai.com
Stories and comments across the archive that link to nai.com.
Comments · 188
-
So what was your first?
I never encountered Brain (the virus, dammit!). The first (and only!) virus I've had infecting one of my computers was the Ripper virus. Damned annoying, especially being unaware of it for probably a year or more, and this during the time of zipping files across multiple (I think our record was 17 or so) floppy disks. At least one disk out of a set would always be "dead". Made it really annoying to share doom^h^h^h^h ultima7^h^h^h^h^h^h^h data with friends. Ah, the good ol' days. I did finally get rid of it, but I also dumped all my floppies - too much hassle to check each one of them.
-
Re:MacOS X itself?
Proof of concept exploit: http://news.zdnet.com/2100-3513_22-5189335.html?tag=zdfd.newsfeed
Yep, Mac OS X can be hit with a Trojan, not a big surprise there. Symantec has some info on this 'MP3Concept Trojan Horse', which is benign. It does use a neat trick to embed the code in an MP3, but other than that it isn't that special. Tricking someone into running your program isn't really something that we will ever make impossible under every circumstance, but I will admit that using filename extensions to identify file types is one very stupid thing that Mac OS X copied from Windows, and then hiding them by default only compounds the stupidity.
Exploit, infections from not known: http://www.macintouch.com/opener.html
But "opener" requires a previously compromised system. A "rootkit" without a viable delivery mechanism isn't really a "virus" or "worm" or even a "trojan". According to McAfee: "This threat does not make use of an exploit, so to have the script run successfully on a system and make changes, the user account from which the script is run must have sufficient rights. If no superuser/root/admin access is available many of the subroutines will fail and generate errors." I don't know why McAfee classifies it as a virus/worm since it doesn't seem to have any propagation abilities.
In Wild exploit, known infections: http://news.zdnet.co.uk/internet/security/0,39020375,39155837,00.htm
True, the exploit mentioned is a tricky thing (potentially allowing code that was downloaded to be run as trusted), however I don't know if any was ever found in the wild - and even then it would still require an administrator's password to do system damage. The "hole" was supposedly patched by Apple's Security Update 2004-06-07 according to Unsanity, who had released a little application to guard against the exploit.
If those are the only ones you've found, you haven't really shown any "exploit[s] for a Mac OS X vulnerability", although the MP3Concept Trojan I guess uses some "social hacking" types of tricks that would also work in Windows by hiding that it is an application rather than an mp3 file. Even if we accept a count of 3 (or ten or twenty), Mac OS X would still be comparatively malware-free.
-
Re:well, here's the problem...
In Wild, known Infections: http://www.macintouch.com/opener.html
But "opener" requires a previously compromised system. A "rootkit" without a viable delivery mechanism isn't really a "virus" or "worm" or even a "trojan". According to McAfee: "This threat does not make use of an exploit, so to have the script run successfully on a system and make changes, the user account from which the script is run must have sufficient rights. If no superuser/root/admin access is available many of the subroutines will fail and generate errors." I don't know why McAfee classifies it as a virus/worm since it doesn't seem to have any propagation abilities.
Exploit, unknown level of infections: http://news.zdnet.co.uk/internet/security/0,39020375,39155837,00.htm
True, the exploit mentioned is a tricky thing (potentially allowing code that was downloaded to be run as trusted), however I don't know if any was ever found in the wild - and even then it would still require an administrator's password to do system damage. The "hole" was supposedly patched by Apple's Security Update 2004-06-07 according to Unsanity, who had released a little application to guard against the exploit.
If those are the only two you've found, you haven't really shown any "In Wild, known Infections" in my opinion.
-
McAffee?
I think you mean Network Associates, who bought McAfee years ago. Just after they'd bought Dr Solomon's, in turn, as it happens.
-
Re: Economic benefits by sending billions to U.S??
How do underdeveloped countries benefit themselves by sending millions of dollars to the US and feeding the super-rich software companies that effectively prevent any small company in these countries from flourishing?
They send viruses instead ;) (the original Brain virus was written in Pakistan to spite Westerners who could afford a trip to Pakistan to buy pirated copies of software, but were too cheap to pay full price for software, even though full price software would have cost less than the flight... Pakistanis (who didn't have the money), would get "genuine" pirated copies of Lotus 1-2-3, WordStar, WordPerfect or whatever, while the Westerners would get the "infected" version, as a punishment)
Next up, the BSA will attempt to prove that black is white, and then get run down on the next zebra crossing. -
Re:Proof of Concept
Same thing here, except no Asian characters. Using IE6. When On-Access Scan was running, McAfee picked up:
bug[1].htm - JS/Exploit-BO.gen - deleted
fillmem[1].htm - JS/Exploit-BO.gen - deleted
fillmem[2].htm - JS/Exploit-BO.gen - deleted
Script executed by iexplore.exe - JS/Exploit-BO.gen - script execution blocked.
It simply crashed Firefox 1.5RC3.
McAfee's AVERT Website says:This detection was modified to cover a 0-day "Window()" remote code execution exploit. The change is represented in the 4633 DAT release. This is a non-specific, generic, detection of script code that intends to exploit various buffer overflow vulnerabilities (such as those that are known to exist in Microsoft Internet Explorer). Due to the fact that Internet Explorer executes script prior to writing it to disk (IE Cache), McAfee VirusScan's ScriptScan must be enabled in order to block this exploit prior to execution on the desktop with the On Access Scanner.
Source: http://vil.nai.com/vil/content/v_130621.htm DAT 4639 is the newest DAT. -
Re:Thats because this virus was nasty as hell.
Microsoft is only removing XCP, not the DRM. I haven't been able to find any statements from Microsoft regarding the DRM at all.
-
Re:CONTINUE:
Would you accept the same excuse for IIS?
FTA, I don't see where it's a Linux worm, or even an Apache worm; it's primarily attacking PHP scripts, and even then it's only capable of attacking PHP scripts on servers that are configured with two very well-known security configuration flaws and one setting that's recommended against. NOTE the Windows ME-XP instructions on the page. -
Please Rate This Worm Info!!
http://vil.nai.com/vil/RateThisPage.asp
Let McAfee know how well they're trolling. -
Old News
SDBot is certainly not 'breaking news'; variants have been out for more than 4 months! (http://vil.nai.com/vil/content/v_134563.htm)
People choosing to run executables from IMs (while logged in as administrators) get what they deserve. -
Good Old Day.... With Virii like The Ripper.....
Ripper was one of the first virii I saw in the wild, and that was back in the 8086 days
:) It killed the MBR & BIOS, fucking up data being written to the disc at random....
Unlike all these pussy WinBlowz & Macro Virus that are going around...
-
A couple hundred . . . .
Check it out:
EPOC OS
Symbian OS
WinCE -
Re:on that 'removing spyware' note...
The worm doesn't remove any spyware properly - it deletes some files and reg keys, but doesn't do a proper job.
Also, a tool similar to the one you've described is Stinger. It removes viruses, not spyware though. -
And McAfee's info
McAfee also has detected this issue since 2003, see http://vil.nai.com/vil/content/v_100716.htm
This one was tougher to find. I had to go to McAfee's site and use their virus information database search tool instead of google.
-
Re:Fun to be had by all...
Now if hackers break in, this will bring new life to the zombie virus.
Jim -
Re: 40 mothers agree: Cleaning Windows is a PITA
More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine:
Tools required:
Process Explorer(procexp) from http://www.sysinternals.com/
autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/
Any good virus scanner (McAfee's Enterprise scanner is decent). Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will generally be faster and simpler.
Ad-Aware from http://www.lavasoft.de/
LSPFix from http://www.cexx.org/lspfix.htm/
Updated Stinger from McAfee http://vil.nai.com/vil/stinger/
Experience enough to know valid windows processes and files.
Have all of this on a USB drive or CD. Will probably fit on a 64mb drive, unless your virus package is bulky.
Boot to safe mode
Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of windows. You could go to Control Panels:Admin Tools:Services and stop all services first, this will narrow the field.
Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan.
Run Ad-Aware, do the same. Just trying to ditch bad things that are actually running.
If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape. Dump all temp files, c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items
Update virus definitions and do a full scan. Latest SuperDAT from McAfee or Definitions from Symantec or whoever you use, should also be put on the USB drive or CD.
So, virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me, if those are hosed just wipe it clean and move to XP home for $99-199
Run HiJackthis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs(Browser Helper Objects aka evil Internet Explorer plugins)
Add/Remove programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . . .
Now for the real manual part . . .
Run lspfix and check for foreign entries. There are normally 2-4 LSP's present. I usually only do this if there are persistent network failures.
Check Hosts file at c:\winnt(windows)\system32\drivers\etc\hosts There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with hijackthis
Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension. Do the same for c:\winnt(windows)\system32 This can be a bit trickier, there are way more files in system32 than winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.
Do the same for c:\program files Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove programs, so hack and slash the folders that you don't think belong.
In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a .dll that is registered and can't be removed. Never fear! Write down the .d -
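The manual checks in the procedure above (hosts file, recently modified files under the Windows directory and System32, BHOs, startup entries, processes that don't belong) can be automated as a read-only triage pass. The following PowerShell is an added example, not the poster's own tooling; it assumes PowerShell 3.0 or later on an elevated prompt, and the 90-day cutoff and the "running from a Temp directory" heuristic are illustrative choices. It only reports, so the decision to kill or delete still rests with the person at the keyboard.

```powershell
# Added example, not code from the original post: a read-only triage pass that automates
# the manual checks above (hosts file, recently modified system files, BHOs, Run keys,
# running processes). It only reports; nothing is deleted or killed.
# Assumptions: PowerShell 3.0 or later, elevated prompt, Windows booted into Safe Mode.
# The 90-day threshold and the Temp-path heuristic are illustrative choices.

param([int]$SuspiciousDays = 90)

$cutoff = (Get-Date).AddDays(-$SuspiciousDays)
$win    = $env:SystemRoot
$sys32  = Join-Path $win 'System32'

# 1. Hosts file: the only expected entries map localhost (127.0.0.1, and ::1 on Vista and later).
$hostsPath = Join-Path $sys32 'drivers\etc\hosts'
$oddHosts  = Get-Content -LiteralPath $hostsPath |
    Where-Object { $_ -notmatch '^\s*(#|$)' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
"=== Hosts entries other than localhost: $(@($oddHosts).Count) ==="
$oddHosts

# 2. Files modified recently directly under %SystemRoot% and System32.
#    Log and text files are noise; files without an extension are kept on purpose.
"=== Files modified after $($cutoff.ToShortDateString()) in $win and System32 ==="
foreach ($dir in @($win, $sys32)) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -and $_.Extension -notin @('.log', '.txt') } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

# 3. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL Internet Explorer loads.
"=== Browser Helper Objects ==="
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InprocServer32>' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
    }
}

# 4. Run / RunOnce autostart entries for the machine and the current user.
"=== Run/RunOnce autostart entries ==="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # skip PowerShell's own PSPath/PSParentPath etc.
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}

# 5. Running processes whose image is unsigned or lives under a Temp directory.
"=== Running processes with an unsigned image or a Temp path ==="
foreach ($p in Get-Process) {
    $path = $null
    try { $path = $p.Path } catch { }               # image path of some processes is not readable
    if (-not $path) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $path -match '\\Temp\\') {
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $path; Signature = $sig.Status }
    }
}
```

Run it from the same USB stick as the other tools and redirect the output to a file (`.\triage.ps1 | Out-File triage.txt`) so there is a record of what the box looked like before anything was removed. An unsigned image is not proof of malware, and a valid signature is not proof of innocence; the point is to shrink the list that still has to be judged by eye.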
This sucks...
Two years ago I noted in my blog how Pakistan's entire bandwidth depends on this one undersea connection (SMW3) and how 'little' it is when compared to what ordinary consumers have in the developed world.
Since then, Pakistan has leased a Hughes HGS-3 satellite and is using it for various purposes, including telecommunications. Apparently now, all internet traffic is going through that and other satellite links... and from what I can tell even the country's biggest ISP Brain.NET (known for its founders' famous DOS virus of the same name) site is taking forever to load. (Damn 6 second lags!)
Obviously, this is bad for the country's outsourcing ambitions, especially with a recent spike in interest in this sector due to rising costs in Bangalore.
Repost due to errors in original. Damn no edit rule!
-
Re:reminds me of the 'jackpot' virus
That virus was known as Casino.2330.
-
Re:Finally!
What the hell took so long for this to happen?
It didn't take that long! The first virus to take files hostage that I can think of is the Casino virus discovered in 1991. (It wasn't the only one; paper dated 1995.) Also there was a worm more recently that attached itself to random files and then mailed them around. Some private files got very public this way.
-
Re:Hmm
ru 741kin 4B0u7 7|-|15?
http://vil.nai.com/vil/content/v_128617.htm -
DNS blackhole them
If you have control over their DHCP, remove their default gateway and set the offending machine's DNS servers to one that you set up that points everything to a web page (that you also set up) that tells them that they have a virus, please download free scanner/remover here (like McAfee's Stinger) and update your Windows, (you'd have to set up a mirror or proxy), please email me when your machine is clean.
Add lots of dire warnings about how "YOUR virus-infected machine is ruining things for everyone".
There's absolutely no point in cleaning the virus off if the user doesn't patch the system. At the height of the Nachi outbreak, a machine would be reinfected before Stinger was finished checking it. Your users will pass the virus back and forth between themselves continuously. If you can't make them patch, then you are, as has been mentioned often above, doomed.
This arrangement is a lot of work to set up, but it might be worth it in your situation. It would look good on your resume, if nothing else
:-) -
Re:Native ports now!
"Yes, I demand that there be open source native Linux ports of all Windows viruses!"
They're native Linux rather than ports, but you can get details of some Linux viruses here. It's got about 3-4 pages of results for a search on "linux".
I would compare that to the number of results for "W32" in the virus list, but I've left the results page loading for about 3 minutes now and it's only got to S... -
stinger was here..
it could be something more than a non-event if stinger wasn't available for a long time and didn't remove more malware..
-
It's not that interesting
Wonder what the antivirus companies think about this
Probably very little...
McAfee already publishes a similar tool called Stinger which is periodically updated to cover new worms. -
Antivirus and Firewall First
You insensitive clod, not all people want NT 4 SP2 on their win 98 boxes.
Seriously though, the first thing which goes on is the latest McAfee Stinger. When that's wiped out most of the viruses, I uninstall their out-of-date Norton - so many people don't realise that the major antivirus vendors are on a rental model and just buy the product and expect it to last forever. Then Avast! Personal Edition goes on, and the PC is fully scanned. After that comes Spybot and Ad-Aware. I use both because each product has its strengths and weaknesses. All of this is done from a CD burnt with the latest patterns so no internet connectivity happens until their PC has been cleaned. And then Sygate Personal Firewall completes the mix of security products.
After that comes Thunderbird and Firefox, The GIMP and Audacity (if they are into that sort of thing). And of course we mustn't forget IrfanView. -
Housecall
Bah. I'm surprised no one has mentioned HouseCall yet:
http://housecall.antivirus.com
HouseCall is a web-based virus scanner that, since it is loaded anew every time, always has the latest virus definitions. Since it installs nothing but temporary cache files, you don't have to worry about it slowing down your machine.
Because of the nature of the application it can't always clean the offending virii/malware, but it will at least alert you to their presence and give you their names so that you can manually remove them. When combined with Stinger, Spybot and Google it's an excellent choice for on-site calls to machines without AV or for your old boxen that just can't afford the extra cycles for full-time AV bloat.
If you prefer to do the offline thing, try the Knoppix anti-virus distribution (weak link I know). Once again it isn't a permanently installed application and since the OS isn't running it can slap down bugs before they're loaded into memory.
Cheers! -
who profits?
Google announces pricing details of IPO this morning.
http://money.cnn.com/2004/07/26/technology/google/index.htm
Fake DNS registration for google.com by gandi.net.
http://slashdot.org/comments.pl?sid=115798&cid=9803037
Email worm Mydoom.o breaks out infecting Windows boxes across the planet. Part of the payload are searches against Google, Lycos, Yahoo, and Altavista (but not Microsoft) for email addresses from an infected domain.
http://vil.nai.com/vil/content/v_127033.htm
Internet users report google.com hit hard by virus activity. Google starts blocking searches from infected domains/regions. Users also report that other search engines like Yahoo have significantly degraded performance.
http://www.webmasterworld.com/forum3/25010.htm
Mainstream press picks up the news of Google's issues.
http://money.cnn.com/2004/07/26/technology/google_site/index.htm?cnn=yes
You can't buy this kind of competitor slamming and market cornering on Internet searching in one day... or can you?
-
Nothing new
Viruses which could detect that they are being run in a debugger were common 10 years ago when I used to work for an anti-virus company. For example, One-Half is such a virus.
-
Low Profile According to McAfee...
Some good additional available here
-
Not so closely coupled
Judging by the links the Wheaton student included, the College appears to be using ZENworks, which is a separate product with its own client. Does Sophos use its own update client as McAfee does? If so, that's another, separate client. MBSA I've never used except as a local app.
My main security concern would be that these folks use Patchlink, which seems to require Active Directory -- are these folks integrating Novell's eDirectory and Active Directory? That can be chancy, as anyone knows who's seen a cracker leapfrog from a Windoze system to a connected server.
I use ZENworks and Active Directory, though not together [shudder], and I administer networks on multiple campuses for a commuter college; these measures seem reasonably less than draconian.
A valid question might be: What exactly are students worried about? Is the concern over authorities seeing their porn stashes, pirated software or MP3 and MPEG collections? Hey, you takes your chances when you connect to any network.
-
A Good Login Script Is Your Friend
We got hit by Nachi/Welchia at the end of August 2003 while I was on holiday with my daughter.
I came back to work to find the place in chaos (the volume of traffic that critter produced on our network was astounding).
I knocked up a KiXtart script which, when run remotely with Administrator credentials using Sysinternals.com's PSExec detected the presence of the worm, killed the process if it was running, ran McAfee's Stinger and patched the workstation.
A modified version of that script which detects over 100 common viruses is now run on every workstation when the users log in.
In my experience, there's a residual 2 to 3 percent of workstations which, for a variety of reasons, refuse to be patched remotely (usually no ADMIN$ share, sometimes in need of a service pack).
Every month I use the same techniques to push out critical patches to our 2000+ desktop PCs.
It's amazing what you can do with free software. -
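The detect / kill / scan / patch-check loop the post describes (KiXtart pushed with PSExec in 2003) looks like this when written for PowerShell Remoting today. This is an added example, not the poster's script: it assumes PowerShell 5.0 or later on the admin box, WinRM enabled on the targets, local Administrator rights on them, a hostname list in `workstations.txt`, and Stinger sitting on a file share. The service and file names are the W32/Nachi (Welchia) indicators as given in public write-ups, and the Stinger switches are assumed (check `stinger.exe --help` for the current ones). Hosts that cannot be reached are recorded rather than silently skipped, which is the residual few percent the post talks about.

```powershell
# Added example, not the original KiXtart/PSExec script: the same detect / kill / scan /
# patch-check loop rewritten for PowerShell Remoting. Assumptions: PowerShell 5.0+ on the
# admin box, WinRM enabled on the targets, the caller is a local Administrator on them, and
# Stinger is available on a share. Service and file names are the W32/Nachi (Welchia)
# indicators from public write-ups; Stinger's switches are assumed, check `stinger.exe --help`.

param(
    [string[]]$ComputerName   = (Get-Content .\workstations.txt),   # one hostname per line
    [string]  $StingerPath    = '\\fileserver\tools\stinger.exe',
    [string]  $RequiredHotfix = 'KB823980'   # MS03-026, the RPC/DCOM hole Nachi exploited
)

# Indicators: Nachi registers two services and drops its binaries under System32\Wins.
$wormServices = @('RpcTftpd', 'RpcPatch')
$wormFiles    = @('Wins\dllhost.exe', 'Wins\svchost.exe')     # relative to System32
$remoteStinger = 'C:\Windows\Temp\stinger.exe'                # assumed drop location on targets

$remediate = {
    param([string[]]$services, [string[]]$relFiles, [string]$stinger, [string]$kb)

    $sys = Join-Path $env:SystemRoot 'System32'
    $r   = [ordered]@{ Host = $env:COMPUTERNAME; Infected = $false; Killed = @(); Patched = $false; Note = '' }

    # Detect
    $foundSvc  = @(Get-Service | Where-Object { $services -contains $_.Name })
    $foundFile = @($relFiles | ForEach-Object { Join-Path $sys $_ } | Where-Object { Test-Path -LiteralPath $_ })
    $r.Infected = ($foundSvc.Count -gt 0) -or ($foundFile.Count -gt 0)

    if ($r.Infected) {
        # Kill: services first (so they do not respawn the process), then processes, then files.
        foreach ($svc in $foundSvc) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            sc.exe delete $svc.Name | Out-Null
            $r.Killed += "service:$($svc.Name)"
        }
        foreach ($p in Get-Process) {
            $path = $null
            try { $path = $p.Path } catch { }
            if ($path -and $path -like "$sys\Wins\*") {
                Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
                $r.Killed += "pid:$($p.Id)"
            }
        }
        foreach ($f in $foundFile) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }

        # Scan: Stinger was copied into the session beforehand, because running it straight
        # from a UNC path inside a remote session hits the second-hop credential problem.
        if (Test-Path -LiteralPath $stinger) {
            & $stinger --GO --SILENT --REPORTPATH="$env:TEMP" | Out-Null    # switches assumed
        }
    }

    # Patch check: cleaning without patching just means reinfection.
    $r.Patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    if (-not $r.Patched) { $r.Note = "$kb missing; push the patch before this host goes back on the wire" }
    $r.Killed = $r.Killed -join ';'
    [pscustomobject]$r
}

$report = foreach ($pc in $ComputerName) {
    try {
        $s = New-PSSession -ComputerName $pc -ErrorAction Stop
        Copy-Item -LiteralPath $StingerPath -Destination $remoteStinger -ToSession $s -ErrorAction Stop
        Invoke-Command -Session $s -ScriptBlock $remediate `
            -ArgumentList $wormServices, $wormFiles, $remoteStinger, $RequiredHotfix
        Remove-PSSession $s
    } catch {
        # The residual few percent: WinRM off, off the network, no admin rights. Queue for a visit.
        [pscustomobject]@{ Host = $pc; Infected = $null; Killed = ''; Patched = $null
                           Note = "unreachable: $($_.Exception.Message)" }
    }
}

$report | Format-Table Host, Infected, Killed, Patched, Note -AutoSize
$report | Export-Csv -NoTypeInformation -Path ".\nachi-sweep-$(Get-Date -Format yyyyMMdd).csv"
```

The ordering inside the remote block matters: deleting the service before killing the process stops the service control manager from restarting it, and the patch status is checked on every host, infected or not, because a clean but unpatched box is the next victim. The CSV is the list of machines that still need hands-on attention.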
Like The Old Joke Says...
PATIENT (raising his arm): Doctor! It hurts when I do this. What should I do?
DOCTOR: Don't do that!
My partner and I carry CDs with the latest patches (Blaster, Sasser, etc.), Stinger, Spybot, AdAware and CWShredder.
The XP machine doesn't connect to the network--router or not--until all the patches are on, anti-spyware measures are installed and the built-in firewall is configured. No exceptions. -
Now make the CD Autorun
I've been doing the same for my family members, but with an extra touch. Same type of software (plus the latest stinger) but create an autorun menu driven cd. Something like AMenu for CDs works just fine for me. Or you can search google for some nice cd autorun apps.
-
It's sad...
McAfee has a free tool named Stinger that can remove Sasser and various other worms, yet people don't bother to download it (only 770 KB) so it can scan their computers.
-
Removal tool
Another removal tool made by Network ASSociates can be found at: http://vil.nai.com/vil/stinger/ I've used it on a number of machines with no problem. It only scans files (no registry). It fits on a floppy and it's free. It'll even run on machines that already have virus protection, good if someone hasn't updated their definitions and can't get on the internet. It's updated anytime a new baddy comes out, but you have to redownload the EXE file since it doesn't check for updates.
-
Re:sensitivity in the virus scan
I guess if you had taken a peek at the link to the McAfee site you would have seen the pictures demonstrating how corporate users and retail users can turn on detection for non-viral programs that are listed in the McAfee database.
-
Re:Oh boy
That supposes that Microsoft will offer updates this time around. Even in the days of MS-DOS 6.22 there were plenty of ways they could have distributed updates (magazine floppies for example or Simtel CDs) but never once bothered as far as I can recall. If McAfee managed it (and remember it was small fry shareware at the time), then I'm sure a monopoly like Microsoft could have.
What's to say the situation has changed? And even if they did are we more likely to see something akin to Stinger which fixes a handful of virii but allows any 'below the radar' to molest your machine with impunity?
I wonder how long before this virus checker becomes the target of attacks itself. It happened in MS DOS, so I don't see any reason it shouldn't happen again. A crafted virus could probably lobotomize the virus checker but still give it the semblance that it is functioning correctly.
-
Re:virus writers dream
Once the virus writers get a hold of this viruses will be much harder to catch, unless anti-virus writers start looking more for virus-like activity.
Of course, virus writers have been using this since the early 1990s. One particular virus called Ontario III (there might be others before it) used this trick. An interesting part from the virus writeup: "The Ontario III virus uses a very complex form of encryption with no more than two bytes remaining constant in replicated samples." -
Hey, it had a EULA...
the buddylinks spyware that the OP refers to actually pops up a box, complete with a link to a EULA, to accept or stop the install.
The text of the EULA lists all the stuff that it does - send ads out to other people on your buddy list with no action on your part. And yet people agreed to it. And in general, shrink wrap/click wrap licenses have been held as legal.
The problem is once again human nature - people are used to clicking yes on those boxes because they were originally for stuff you actually needed to view a webpage (Windows Update, Shockwave and Flash plugins, etc.). People don't bother reading them, just click yes, and wind up installing toolbars, Gator, WeatherBug, BonziBuddy, and the rest of that crap.
-
Re:Enlighten me on JPEG trojans, please...
I'm pretty sure, from the way others have posted on this article, and from the tech skills of the reporter, that it was a double-extension trojan, i.e. "file.jpg" was actually "file.jpg.bat" or whatever.
Although this is most likely the virus that is created by this program, it is also possible to write a program that pretends to be a JPEG, with the way Windows handles extensions. -
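The double-extension trick the two comments above describe only works because Explorer hides known extensions by default, so "photo.jpg.exe" displays as "photo.jpg" with whatever icon the executable carries. The following PowerShell is an added example, not anything from the original thread: it reports that Explorer setting for the current user and sweeps the usual download locations for files whose final extension is executable but whose name is dressed up as a document or image. The decoy and executable extension lists and the directories searched are illustrative assumptions.

```powershell
# Added example, not code from the original comments: find "file.jpg.exe"-style double
# extensions and report whether Explorer is hiding known extensions, which is what makes
# the trick work. Assumptions: run as the user whose profile is being checked (PowerShell 3+);
# the extension lists and search roots are illustrative.

# A "decoy" extension a user expects to be harmless, followed by something Windows will execute.
$decoyExt = 'jpg','jpeg','gif','png','bmp','txt','doc','pdf','mp3','zip'
$execExt  = 'exe','bat','cmd','com','scr','pif','vbs','vbe','js','jse','wsf','hta','lnk'
$pattern  = '\.(' + ($decoyExt -join '|') + ')\.(' + ($execExt -join '|') + ')$'

function Find-DoubleExtension {
    param([string[]]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $pattern } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-HideFileExtSetting {
    # 1 = hide extensions of known file types (the default), 0 = show them.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($null -eq $v) { 1 } else { [int]$v }     # absent value means Windows' default: hidden
}

$roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)
$hits  = @(Find-DoubleExtension -Root $roots)

$hide = Get-HideFileExtSetting
"Explorer HideFileExt = $hide  (1 means 'photo.jpg.exe' is shown to the user as 'photo.jpg')"
if ($hide -eq 1) {
    "Fix: Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -Value 0, then restart Explorer"
}
"Double-extension files found under $($roots -join ', '): $($hits.Count)"
$hits | Format-Table -AutoSize
```

The regex is anchored on the last extension on purpose: "report.pdf.txt" is noise, "report.pdf.exe" is the thing to look at. Showing extensions is the lasting fix; the sweep just tells you whether the trick has already been used on this box.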
Re:My solution:
The main problem I have with the percentage-of-market-dominance argument is that if the market leader is a purchased OS, wouldn't you expect that part of your purchase price went to cover the cost of security? In the case of MS, this amount of money (based on volume of sales) should lead to a very secure product (which has gotten better, but slowly in my opinion).
If we look at web servers, why then does a search of the virus library at Network Associates show more viruses for IIS than Apache? I did the search with Apache and IIS as the search words and found the following (word - count):
Apache - 1
IIS - 14
I don't have stats on this, but I've seen many people indicate that Apache holds a large share of the webserver installations. If your argument of popularity and virus writer choice were accurate, why then do we find less in this case?
I also did the search using these keywords too, just out of curiosity (word - count):
UNIX - 26
MacOS - 24 (tried just on Mac, but that returned too many MS Office macro exploits)
Linux - 62
Win32 - 496
Win - 628
Granted that some of the viruses on the Win32 platform are indirect to the OS (caused by flaws in an application), but the ultimate problem appears to be bad system architecture of the OS. Why, as a user on the system, should I be able to screw up the system? Even without administrator rights, a user can still take on greater permissions through exploits of the OS (the bad architecture).
Mac may not be a big target for virus writers, but even if it did dominate the market, I don't think it would experience nearly the number of exploits you see with MS Win32 systems.
Jim -
Standalone DisInfector!!!!
I know, but ClamAV got it anyhow - impressive!
Stinger 1.9.9, McAfee's standalone disinfector for this and the other most common "out there" viruses is now out. -
Re:Let's hope for Media Player removal
"(Stolen sig) Remember: it's a "Microsoft virus", not an "email virus", a "Microsoft worm", not a "computer worm"
Go to vil.nai.com
Enter "Linux" in the search box. Click "Search"
Try again with "BSD", "MacOS" and "Unix"
Think up your own sig, and make sure it's not blatantly fucking false.