Domain: nai.com
Stories and comments across the archive that link to nai.com.
Comments · 188
-
McAfee's standalone disinfector
I'd recommend McAfee's standalone disinfector Stinger to everybody. It's a small executable which detects and cleans the most common viruses. Version 1.9.7 disinfects this beast (needs a reboot).
-
Re:Finally!*Now* you tell me, I'd have kept the damn thing if I'd known (joke)! I've just finished updating my virus signatures after a copy of this sucker slipped by the set I only got this morning. If you are running McAfee on your Windows boxen the latest DAT/SDAT at time of writing (4318) is NOT sufficient! You also need the Extra.DAT file which you can grab from here:
http://vil.nai.com/vil/content/v_100983.htm
(Scroll down for the download links to the updates), or the 4319 DAT/SDAT when it becomes available.
-
Re:solution
According to Network Associates "at the time of writing the worm was unavailable from this URL".
-
What impact to ATMs, other than going offline?
There's no personal data stored in an ATM. It's just a dumb terminal.
And Nachi basically makes the machine unusable.
Without specific code that targets ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device.
Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen.
Hopefully those responsible have been sacked, and the new security llamas won't make the same mistakes. -
Yeah, yeah, "don't feed the troll"
it did NOT fit inside a udp packet, the command to retrieve the virus fit in the udp packet..
try learning about what you talk about....
if a virus is not written in assembler, it's from a poser wannabe.
Um, no. Wired has a surprisingly detailed article about slammer. If you're too lazy to read it, the poster you were disparaging was in fact completely correct.
Perhaps you're thinking of LoveSan, aka msblast?
As for the "assembly is the only real language, everyone else is a poser wannabe" comment, I do have to say that the first MSWord .doc-file viruses were a cool hack, even if they were written in a dumbed-down version of visual basic. -
Re:Not really...
Oh, puhhlleeeze:
Read the virus analysis before making untrue claims:
The worm sends a large amount of data to remote servers (port 80 and ICMP). The worm verifies that a connection is active by contacting www.google.com. If successful, an attack is initiated on the following domains:
* spews.org
* spamhaus.org
* spamcop.net
* www.spews.org
* www.spamhaus.org
* www.spamcop.net
-
AV Alternative - NAI?
At my place of business, we use Network Associates for our virus scanner (warning: PDF!). It is available with an enterprise control panel that other sites in my org enjoy. (I prefer to script out most of the deployment functions for my site.)
This, combined with good general IT practices, have kept us virus-free for quite some time. YMMV, of course :) -
W32/Mimail.e@mm attacking spamcop also
Network Associates is reporting an E variant that just came out of W32/Mimail that attacks the following domains:
spews.org
spamhaus.org
spamcop.net
www.spews.org
www.spamhaus.org
www.spamcop.net
Here is the link to the description:
Link to W32/Mimail.e@mm description
This might explain some of the other issues folks mentioned above like getting to Spamhaus, etc... I saw a few instances of W32/Mimail.c@mm on Friday in my day job. That one launched DoS against darkprofits.net besides sending itself to everyone in an address book.
bbh -
PDF virus exists
Look up VBS/PeachyPDF@MM
-
Re:My issues with this story
I started a point-by-point refutation of everything that you said, but then I realized that it would be pointless because you are just spreading FUD.
Actually I'm debunking FUD but let's carry on.
Most of it doesn't even make sense, as when you claim that hardware for Linux is free ("typical computing tasks? Linux can do all that too - for free"),
I didn't say hardware for Linux is free - that would be extremely silly now wouldn't it? There are certain things I think that we can take for granted, such as I'm 96.5% certain that readers here understand what Linux is and that computer hardware is not "free". Fair comment, one must always take the cost of the hardware into account, but it's the OS that we are talking about here.
...and how you claim that the author's statement that there are no Mac viruses in part because there aren't enough Macs is wrong, because there would be viruses if there were more Macs).
I said people attack the most prevalent system, which is presently Windows. If OS X was as prevalent as Windows is now, there would be more attacks targeted at it. The amount of attacks scales with popularity.
I don't believe you actually own a Mac, because you are about as hostile toward Macs as some of the most rabid Windows fanboys I've run into. If you do actually own an iBook, here's my suggestion: sell it. We don't need people like you spreading this sort of FUD.
Well I certainly do own an iBook and how you can call me hostile towards Macs I find quite frankly confusing (did you READ what I wrote? I like OSX). I like OS X a lot - (I certainly wouldn't have bought an iBook if I didn't, and I definitely would not be thinking about a G5) plus I do support (amongst other things) a 200 host Mac network complete with XServe (which I personally recommended & installed).
The article I debunked is FUD - it makes contradictory points. For example, this paragraph:
So, if you're a Windows user, you could sit tight, apply all the patches, worry about all the viruses and hope that the spring's Service Pack will solve most of the security problems without breaking other key features of Windows or interfering with programs you use.
This is clearly putting the concept of patches in a negative light, and inserting FUD into the process by implying that applying a patch may cause problems. Some facts:
OS X needs patching, (as do all other current operating systems.)
Applying patches can be risky, however it's important to keep up to date. Apple suffered from this exact issue recently with the 10.2.8 update causing problems for many users.
So Apple are "guilty" of two of the alleged "crimes" of Windows.
It would be like an airline saying something like "So if you fly with our competitors, sit tight and hope there are no bombs or terrorists on the plane with you" while trying to sell plane tickets. It's ridiculous.
It says that Microsoft release patches and puts that in a negative light and later on says that Apple release patches but it's "ok" because they are less frequent!
It also says (correctly, unless the "switchback" "virus" isn't a hoax) that there are no viruses for OSX, yet you should still run antivirus. Sophos, Symantec and Network Associates all produce OS X antivirus, which you have to admit is a little strange. I suppose they are selling insurance against future incidents.
If I've posted anything factually incorrect, then please set the record straight.
What is it with all the anonymous postings anyway? Why are people afraid to put their names to their opinions? -
Re:I don't know what people want them to do.
Besides, every time I see an exploit, it's after Microsoft has already issued a patch.
This only helps against worms, DDoS etc, i.e. attacks where the attacker doesn't really care about who you are. It is likely that at least some of the vulnerabilities have been known and used by blackhats to break into systems they are specifically interested in, without making much noise. Additionally, your claim is simply false. There are many known vulnerabilities (and even more plain misbehaviours, like Outlook not following RFCs) for which no patches exist, nor is it likely that there will until massive, highly visible exploits start damaging Microsoft's image. One of them is currently being exploited in the wild.
Maybe they could design the stuff secure out of the box, but they'd be the first manufacturer to accomplish such a feat.
Any effort in this direction would help. Although even if they would succeed, there would still be worms and viruses - Swen for example didn't depend on the years-old bug it could exploit, most infections are probably due to social engineering. If stupid users will run each and every program they are told to by strangers, no technical solution will save you. -
Do you think when you scan Anthrax...
...you get Anthrax? (or maybe the less dangerous VBS/Anthrax?)
-
The installer looks genuine too
Network Associates has some screenshots of the installer http://vil.nai.com/vil/content/v_100662.htm
-
Think before you submit
Did you even look at that list?!
Variants in build or in NAME you troll!
I counted 7 on that page if you're willing to look at them closely.
I could probably find a couple more in the list if I tried.
Now it's my turn.
Let's look here NAI. They report that their database holds 71000!!!! viruses. OOOOHHHH, but you found 7 that affect vulnerabilities of applications that run on Linux.
I work with Microsoft products.
I study Microsoft products.
Microsoft's record with regards to viruses and vulnerabilities is indefensible! So stop trying.
Microsoft's OS's have had more root exploits, period. -
Re:Fixed hosts don't work, but...
What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123 [google.com]", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.
OK, let's see how you would do it...
The payload of the original virus would be a encrypted peer-to-peer daemon somewhat like Freenet, except that it would only allow uploads signed with a particular digital signature. The client would of course have to include the public key of that signature, but not the private key.
Once infected a machine would open a listening port and attempt to connect to machines chosen randomly but with a bias to its local class C (as with CodeRed). Once contact has been established the machines would exchange IPs so that each could recontact the other. Each machine would continue to probe for peers until it had found a certain number - say twenty - and then it would remain quiescent, just listening. Periodically (say weekly) it would handshake again with its known peers, and if any failed to handshake twice successively it would seek others until it had again reached quota.
Once the virus was widespread the author would send a signed file to one infected machine. The name of the file would be a unique string (for simplicity of exposition say a serial number, although any systematically unique string would do) so the first file the virus author injected might be 0001, the next 0002 and so on. The machine would accept the file as genuine because it could decrypt it with its local copy of the public key, and would pass it on unchanged to all the other infected nodes it knew about. If a machine had already received 0001 and was offered 0001 by a peer it would refuse it to save time and network congestion - not to be nice to other users, but because if the thing blocked up network bandwidth completely, it wouldn't be able to do its own dirty work.
The signed files could contain
- a list of targets and a date/time. When the action date/time in the file was reached, the virus would mount a DDoS attack on the hosts listed in that file for twenty four hours and then delete the file.
- the URL of a file to load and then spam out in the same way the virus itself originally spread. Because this file doesn't have to be put up before the virus is launched it could be put up on any defaced site anywhere and need not be traceable back to the author.
- a hotfix patch to the virus itself, which would immediately be installed and run.
This would be incredibly difficult to defend against because
- in DDoS mode the hosts to be attacked wouldn't be known until the attack file began to propagate - and it could propagate very, very fast indeed, since the peer-to-peer network has connected itself in advance.
- It would be impossible to introduce 'white' payloads into the network because only the author would have the necessary private key.
- Because of the upgrade facility, as defences against the virus became available the author could inject into the network 'hot fixes' which would work around these defences.
- Because the author could inject new signed files into any infected node, it would be very difficult to track down where they were being injected.
Furthermore, the network could be used to launch several sequential attacks, which would not even need to have been planned at the time the virus was written. The author could, in effect, sell use of a flexible, massively distributed mass-UCE/DDoS attack engine to the highest bidder...
Hang on, hang on... just wait until I get a patent on that idea!
-
this is not good worm vs. bad worm.
this is a battle of bad worm vs. less obviously bad worm. i don't understand why nobody seems to realize that Nachi is also a threat. besides the fact that it's a worm, it leaves behind a pair of services, exposing the "repaired" computer to future exploitation, next time through a more convenient tftp interface.
is it really that much to ask people to read an advisory of how the worm works before cheering it on? -
for more Information...
into the worm see the network associates
also: I remember a worm (maybe a year and a half ago) which ran directly through outlook (by simply activating an email-without opening the file). Does anyone remember this? if so, please refresh my memory. Thanks. -
Self-removing on 1st Jan 2004
NAI report that this is a self-removing worm after 1st January 2004.
-
Re:McAfee has a removal tool
-
Re:The real question the judge should answer...
So, a virus would be legal so long as it had a click this EULA?
Probably. Remember that the Friend Greeting "worm" had an installer where you had to consent to its operation (ie sending itself to all your contacts). But it still gets detected as malware by eg McAfee
-
Virus Alert Notification
I've posted all the relevant information about this virus since 4pm on Tuesday, which beat out most of the major news outlets, except cnet. I've kept the info up to date with the list of virus vendors and latest virus news in the online media, and manual removal and automatic removal tools.
I would like to thank messagelabs, as they are always the first to notify about major virus outbreaks. Sophos is a close second and is good about notifying about everyday viruses. McAfee's alerts are good, but usually a little late, they only notify once it hits the news media. Symantec wants you to pay an outrageous price for their virus alerts, and I doubt they give you any earlier warning than messagelabs or sophos which provide the service for FREE. Symantec is becoming the Microsoft of Virus vendors, they're trying to spread out everywhere now in the security field, buying up companies left and right. Their quality of product is going down because they don't use a google.com like motto "do one thing and do it well" which they used to do. But their automated virus removal tools are still pretty good. IMHO
If you would like to sign up to messagelabs's great early warning notification service go here.
If you want Sophos' excellent everyday notification about all viruses go here.
If you would like to get McAfee's avertlabs notifications, go here.
or you can just checkout my virus posts on the security-forum.com, but I only post the major outbreaks because there are TOO MANY viruses out there to post every single one. ;) -
Re:Blah, blah...The patch for this was out 2 years ago. No excuse.
Uh... Patch for what? I was unaware I could apply a "patch" that would prevent me from getting viruses. It exploits a user vulnerability (stupidity), not an OS one. And McAfee seems to disagree with you about when this was discovered. See here
-
Re:Advantages.
> It will never catch on though.
>
I dunno what colour the sky is where you live, but believe it or not lots of people are ALREADY telecommuting, at least some of the time. I can't think of anywhere I've worked in the last ten years where SOME home working was the norm. Apart from a certain horrible US mega-corp, management tend to judge by results. 'Presenteeism', ie being in the office in body but absent in mind (for whatever reason) really doesn't work. Any decent employer should trust you to get the work done - if you do so, who cares where (or when) you did it?
-
McAfee Avert Stinger
I've found this utility really helpful in ridding computers of all known variants of W32/Fizzer@MM, W32/Lovgate@M, BackDoor-AQJ, W32/SQLSlammer, W32/Lirva, W32/Yaha@MM, W32/Bugbear@MM, W32/Elkern, W32/Klez, W32/Nimda@MM, W32/Sircam@MM, and W32/Funlove@MM.
-
Users pick bad passwords, sigh
It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.
I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.
In either case, to see how our Internet is currently faring check out the Internet Storm Center. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm. -
In case it gets Slashdotted...
Here's the article:
A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. OpenPGP, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less? They aren't paying for a pretty logo. The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.
Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollars price as to a generalized interest in privacy. Home and hobby users are not cut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal use version of the command-line version. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server) are really aiming at commercial and governmental datacenters, and for customers willing to accept a much higher pricetag.
Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.
The name is familiar
... The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAfee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do. And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation
... you could run the same perl scripts, the same command-line arguments."
If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition.
(Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.)
Both sides of that fence
And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product."
To look and not to sell
Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.
The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available through their source code page).
-
NAI's information about this worm.
NAI's AVERT Listing for this worm/virus/doomsday device/shark with laser beam.
Seems that there shouldn't exist "Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting." since the AV companies can detect and remove it.
Sheesh, what a crap article. -
Re:Fiction writing contest?
The virus does exist.
-
Re:Attention! You must have SP3 or MS039!!
Full description on NAI web site http://vil.nai.com/vil/content/v_99992.htm#Removal Instructions
Need both MS02-034 and MS02-039 MS02-034 must be included on SP3.
-
Re:Unpopular, but...
same here only its:
Messagelabs and Network associates.
No Viruses, Viri, virii or virus from e-mail since we implemented them. -
qpsmtpd + clamav
[Disclaimer: I work in AV]
If cost is even slightly an issue, I can recommend using qpsmtpd and clamav. The clamav team are pretty fast at adding new virus signatures to their database, and they catch most of the common viruses out there. I've written a qpsmtpd plugin for clamav which you can find here.
I can't honestly recommend Sophos for gateway scanning. They are better on the desktop. If you can I would go for NAI who have the best gateway scanning of the commercially available scanners (according to our live tests).
Alternatively, if a 100% guarantee appeals to you, the company I work for, MessageLabs will give you a 100% guarantee against letting through an email virus. We'll also do spam scanning for you. Yes, I'm biased. -
From a UK sysadmin's PoV
Speaking as a UK academic sysadmin, transparent bandwidth control is something I also do. Our academic link to the net is only 2Mbit at present and all it takes is a few bandwidth hogs trying to download warez or using P2P applications to really slow down access for legitimate users.
One thing I have done is limit bandwidth according to MIME type - download HTML and it runs at top speed. Download binary files from certain segments on the network and your bandwidth is limited. This I implemented after finding someone downloading a 600Mb RAR file (OfficeXP.rar - go figure - The only thing that is puzzling me is exactly what he was going to do with it - he didn't have access to a burner and so had no way of getting the data off the box.)
As for P2P applications, there is no way I would (or could) allow these things to run otherwise I'd be opening us up to all kinds of problems along with having FACT on my back. These guys visit me from time to time and ask what I'm doing to stop copyright infringement(!). Exactly how legal this is I'm not sure however if they suspect something they can arrange a search by the police which obviously could cause problems.
Quite frankly I'm surprised that UCI allow P2P at all, and suspect that in the near future this sort of thing will be getting blocked from the peer or be a condition of bandwidth provision. -
Rejected submission
The BBC and News.com reports. News.com in depth multi page thang.
This looks like it was compiled after extensive consultations with commercial inter^w^w leading experts. The
recommendations appear to boil down to "1. Use Symantec[tm] and Network Associates[tm] Products;
2. Encourage commercial software more secure, then sell it to *everyone*;
3. Train more experts". Am I too cynical, or are they missing
"4. Profit!" ? (Symantec and NAI are apparently doing product
releases to cash in?!) Where does Free software figure in these expert
recommendations? Oh, and privacy concerns have been quietly shelved.
Although... perhaps the news that BGP (the Internet's backbone routing
protocol) has vulnerabilities is news outside NANOG-l? -
Re:Nice boiler-plate advisory
Here you can find the antivirus Scanners for linux
Network Associates -
Re:The Dot Commie People
This one was Network Associates though... not to be confused with Network Solutions.
-
Weird...
I thought only huge megacorps like Network Associates could rip off Free software with impunity.
-
good for SYM
...inasmuch as Symantec are competitors of Network Associates, a fine corporation with a long history of upholding the values of freedom and good corporate governance,... I'm very happy for Symantec =)
-
Re:Possible for JPEGs to infect systems?
What you said is theoretically possible, however if you read the alert, you'll see that this virus just hides code inside jpegs and needs a trojan program (included in the virus) to actually extract and execute the virus. It also says the virus can't spread itself on uninfected computers.
Sarcasm: Oh yeah, this virus will spread like wildfire!
-
Unix is behind the times again!
Windows has had batch file viruses for ages.
-
Not the first
This is not the first cross-platform Win/Linux virus: http://vil.nai.com/vil/content/v_99060.htm.
It is the first to use pretty much the same injection code routines for both, though. The previous virus I referenced had two separate infection routines for PE and ELF files. -
McAfee
McAfee's description. The AV vendors are calling it Spida, instead of snake.
-
Re:$200 per 1 mile does not add up.
> you cannot string cat-5 to your neighbor's because of ground problems.
Twisted-pair ethernet uses differential signaling (a transmitted "one" bit is sent out as a positive pulse on the TX+ line and a negative pulse on the TX- line). There is no requirement for a common ground.
> It is entirely possible for your computer to be at 100 volts relative to your neighbors.
No, because the ground on both computers is plugged into, well, the ground.
> it will destroy your computers.
-
Not overhyped this week...
Monday I ran into W32/Klez.h@MM which was no big deal by itself, but the W95/Elkern.cav.c nailed two computers so bad that they needed to be reinstalled.
So far at work we have been lucky and never gotten any of the "Hyped" viruses, just all the hoaxes; however, we tend to get the viruses that are not hyped and make small messes.
I wish that in this case that Klez was all hyped up since then McAfee would have released the DAT file that would detect Elkern. McAfee's website says that DAT 4198 will detect the virus, but they have only released 4198 today!
-
Re:The virus ecosystem
The anti-virus industry depends on the continued introduction of new viruses
Not totally true. Look at April's wild list. Form.A is on the list and has existed for over 10 years.
They don't generally stop improper behavior by all possibly-hostile content
Because behavior blocking doesn't work. It is difficult to distinguish between malicious behavior and things that users want and need to do. Too many false alarms => software disabled. -
Other ad scams
Over at mcafee's website, this image leads to this site. I've seen these fake search windows on other sites, but mcafee is one of the main places people go to check out virus hoaxes etc. That site caters to the end user, as mcafee has another domain for the pros (nai.com or mcafeeb2b.com). I just think it's pretty shady to set up a site for users and then use tricky ads.
-
Companies using PGP (OpenPGP), applications
It took me a while to understand and be able to explain the differences/roles of PGP (the product), OpenPGP (the standard, as PZ renamed it), OpenPGP (the alliance), and NAI (the Empire ? :). I needed a short path through this story for customers and friends who I wanted to start using this, so I prepared a summary on Thawte X.509 certificates and OpenPGP Encryption. While doing this, I discovered that quite a few companies do support OpenPGP but it's our job to continue this effort in 2 ways:
- Educating others about it
- Participating in development efforts (and this also means bug reporting, translation and documentation, stuff that even I can do!)
For a sample of companies supporting OpenPGP "movement" as Salon calls it, see:
http://www.openpgp.org/members/
It's a shame that the Salon article totally ignored to mention at least two of the easier (although not easiest) ways to use OpenPGP: Enigmail (for Mozilla/Netscape) and WinPT (for Windows/clipboard-based), among others.
They also fail to mention that GnuPG really is the command line application/libraries, and then there's a layer of front end or integration to other products. A thorough visit of GnuPG.org will reveal this.
Finally, for the webmail-oriented crowd, there's also Hush Mail (which is, BTW, a company that PZ joined after leaving NAI). What's so technically difficult about using this ?
-
LINKS #dmsetup give from time to time
I work with a virus removal group on the undernet that works from the channel #dmsetup. We often locate new stuff all the time. Below I'm pasting all my links I usually give out to users. Included are keepers of the gates of hell (stuff you use before you get infected) and some stuff that gets you out of hell (what you use after your girlfriend opened that attachment)
Cleaners and virus scanner suites
Housecall online antivirus scanner
PC-Cillin virus scanner suite
Central command Virus Scanner Suite
Puppet's Cleaner
Puppet's Cleaner Alternate Site
Mcafee virus removal suite
Norton Antivirus, virus removal suite
Frisk software's f-prot antivirus suite for windows dos and linux
Firewall software
Zone Alarm Firewall
Conseal Firewall
Various tools used to get out of hell or figure out what hell you are in.
-
Re:Are you sure
Goodtimes is cross-platform.