Domain: nai.com
Stories and comments across the archive that link to nai.com.
Comments · 188
-
Re:McAfee
There's Winux which infects PE and ELF format files on Linux and Windows. Fortunately, according to the description, it doesn't work very well.
-
Re:Infoworld
Specifically it's about creative.exe
-
Old news
Here is a better article on the same virus. A must read, contains much more info than the linked article.
-
McAfee
McAfee information is here
Looks like it isn't very likely to succeed - it needs Windows NT and the stand alone version of the flash player.
Just proof of concept really. -
Re:Availability
Newly Updated Info from Network Associates. Time to run the DAT file scripts.... -
Re:story is wrong
And for those of you who prefer to play with these things yourself ("strings virus.xxx" always turns up something interesting...), I posted a copy (which happened to come from two people on the FreeBSD security mailing list), here (standard disclaimer: it's not my fault if you run it instead of saving it, blah blah blah). On a slightly related note, I especially like the popup message displayed when you run the virus
... obviously a virus, right? Then why have I gotten multiple copies from the same person, obviously someone who tried to run it two or three times? -
Re:159 Bytes? Not!
Wow! almost... A quick search on vil.nai.com for "Tiny" turns up several small Virii. The smallest being Tiny Di with 94-110 Bytes.
But I think that is only possible because .com (the only files those virii infect) are much simpler in design than .exe (not to speak of .exe-files running in win32) and those virii had no way of spreading over a network on themselves (they depended on some person to distribute the infected file in some way). Aliz has the ability to distribute via the network and is much smaller than Goner (just 4098 Bytes).
All those Virii definitely don't come out of a Virus-Construction-Set (yet).
-
Non-destructive.... Read Again
I think you need to read your descriptions again. Linked right off Network Associates' (McAfee's parent company) front page, this notification says that under Win9x/ME, this virus searches for various processes (processee?) for known names, such as ZoneAlarm, Norton Antivirus, Norton Firewall (those are the only names I recognize in the list).
Finds those processes, kills them, and tries to clear those directories. I'd call that destructive.
-
Re:Is There a Difference?
Odd ... messagelabs reports an outbreak of BadTrans.b.
The only company which currently detects badtrans.b? NAI/McAfee.
Check your mailboxes on Monday morning while you're waiting for your AV vendor to catch up. -
Re:Mac virus
-
It's a pain, but...
I must get warnings for "Wobbler" and "All Seeing Eye" sent to me by my [L]users all the time, but you know what? It's a fair cop.
I set up filters, I block the sending and receiving of all .vbs files, I warn. And most of all, I know that many here will cringe when they read this, I actively encourage my [L]users to forward me all the warnings they get sent to them.
Know why? After the 4th one I send back to them with a URL and a "Thanks, but that one was a hoax", they start to catch on (well... many of them do). Some also start to forward any and all messages with attached files to me if they weren't expecting them. Again, many here may cringe, my email box is huge and I spend hours each day weeding through false alarms sometimes. But IMHO it's worth it.
Do you know how many actual FULL outbreaks this company has seen in the last year? One. Back in November of last year. It was Navidad and it was sent to a Hispanic employee (the CFO actually... hehehehe) from a relative, and since it was near Xmas, well, I forgave him. AFTER I made HIM clean out his own machine and then lambasted him in front of the entire company. But when people first saw the SIRCAM virus come in, even users who had not read my warnings yet spotted it instantly and sent it to me. This was before I'd set our mail server to send all messages with "I hope you like the file that I sendo you" in the body to /dev/null.
All things considered, though, seeing as this office is almost entirely Windows, I think my methods work. Yes, it's time consuming. Yes, it can be annoying. BUT, I rarely have to restore from backup, and we haven't had any major outbreaks.
-
Re:Closed source
This is a bad blow for SSH the company. Didn't someone there quit a while ago since he disagreed about the decision to not provide source code to customers?
That was Phil Zimmermann, author of PGP, who quit working for Network Associates.
-
Windows
On the windows platform, Network Associates did a pretty good job with their PGP implementation for Outlook/Netscape Communicator/Eudora.... I think it's really easy to use so there shouldn't be a reason for not using it. I think the only problem is that most people are unaware of things like PGP. I think there are two solutions for the problem:
1. Huge software giants (Microsoft, AOL, Yahoo) need to put PGP in their e-mail clients AND their webmail programs.
2. Popular news sources (computer magazines, business magazines, ...) need to publish clear articles about it with an easy step-by-step guide so anyone knows about it!
(I still think nr.1 is the most important) -
Re:Patents == bad, but Symantec == good!
I don't really disagree with what you say, but NAI have a pretty good online database, open to the public. NAI used to be McAfee, and so is the other big AV company. Unless they got bought by Symantec as well (which is possible - I find it impossible to keep up!).
And regarding virii not found in the wild...(a) where do they get them from?? and (b) there are plenty of rumors that some (if not most) of these virii which never get seen by the public either don't exist, or are created by the labs (directly or indirectly) to keep the business ticking over. I have no evidence whatsoever that this is the case, but it's an interesting idea...
-
NAI
McAfee has a linux scanner that uses the same dat files as the windows version. I've been using it for a while and it does a good job. It's even caught a few viruses for me:
http://www.nai.com/asp_set/buy_try/try/products_evals.asp
If you are looking for an email scanner check this out, it is a great email scanner:
-
Re:WTF?
CNN also has a later version of the story which reports Network Associates and Symantec assessing this as "low risk". CNN still don't name the files, but Symantec have some details under the name Serbian.Trojan, but not really clear on how to remove it. They say it is also known as "downloader" and Network Associates (McAfee) have more details.
-
Network Associates Worm Tech Info...
Here's a link to Network Associates' (makers of Dr Solomons' and McAfee VirusScan) technical info on the Gnutella Worm, which also contains a complete listing of all the filenames created by the worm. Eerily, it's virus number 98666 on their database.
-
Re:Hmmmm... We Love You, Too, Microsoft!
The press release from McAfee's site estimates damages of $2.61 Billion as of yesterday from the ILoveYou bug.
http://www.nai.com/asp_set/about_nai/press/releases/pr_template.asp?PR=/PressMedia/05052000.asp&Sel=751
Someone wanna send an email to CmdrTaco so he can update the table? (Of course, billions are made up of millions -- not much concern to Ballmer.) -
Re:Only for Windows (IE 5 and Media Player)
Since only one event has occurred, yes a trend inference cannot be validly drawn. However, one might guess that future instances of d/l-able films at this level may follow the same format as the present instance (particularly if it is successful). That being said, Windows Media Player sucks shit. I would be willing to download/pay for the film (being a John Cleese fan and pretentious first-adopter) if the film were available in any other format (providing VHS or better quality). I do not like Microsoft and I do not support Microsoft, so I do not use their closed operating system or media player.
I do feel sorry for the many Windows users who are being told I Love You because MS refused to fix a glaring security bug in their product which has been exploited before in the same media-attention-grabbing fashion. Only a monopolist could ignore such a flaw and still retain their market position. Do Melissa and I Love You establish a trend regarding Microsoft's inability to defend against viral infection? -
A couple of useful files:
Tripwire: [Description] Tripwire is a system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including those that were added or deleted. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remains free of unauthorized modifications if Tripwire reports no changes.
lsof: [Description] Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system.
and
CASL: [Description] Custom Auditing Scripting Language (CASL) implements a packet shell environment for the Custom Auditing Scripting Language that is the basis for the Cybercop(tm) line of products by Network Associates. The CASL environment provides an extremely high performance environment for sending and receiving any normal and/or morbid packet stream to firewalls, networking stacks and network intrusion detection systems, as well as being a sufficiently rich language to write honeypots, virtual firewalls, surfer hotels, phantom networks and jails.
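The Tripwire description in this comment (baseline database, later comparison, report of changed, added and deleted files) as an added, self-contained example in Python. This is not Tripwire's own code or database format, just the same idea in miniature; the file tree, names such as bin/login and etc/sudoers, and the tampering steps in demo() are constructed for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile

# Added example, not Tripwire's code: a minimal integrity checker. A baseline
# database pins properties of each regular file; a later scan is compared
# against it and every added, deleted or changed file is reported together
# with the property that moved (size, permission bits, mtime, content hash).


def file_record(path):
    """Properties worth pinning for one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only, e.g. 0o4755
        "mtime": int(st.st_mtime),
        "sha256": digest.hexdigest(),
    }


def build_baseline(root):
    """Walk root and record every regular file, keyed by its path relative to root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                db[rel] = file_record(full)
    return db


def compare(baseline, current):
    """Report added, deleted and changed files; for changed ones, which properties differ."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "deleted": deleted, "changed": changed}


def save_baseline(db, path):
    # The database is only as trustworthy as its storage: keep it somewhere an
    # intruder on the scanned host cannot rewrite (read-only media, a remote host).
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data, mode=0o644):
    """Create a file under root with the given content and permission bits (constructed data)."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)
    return full


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/login", b"#!/bin/sh\necho original login\n", 0o755)
        _write(root, "etc/sudoers", b"root ALL=(ALL) ALL\n", 0o440)
        _write(root, "etc/motd", b"welcome\n")
        db_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db_path)

        # Four kinds of tampering the baseline should expose:
        _write(root, "bin/login", b"#!/bin/sh\necho modified login!\n", 0o755)  # content swap
        os.chmod(os.path.join(root, "etc", "sudoers"), 0o640)                  # permissions widened
        os.remove(os.path.join(root, "etc", "motd"))                           # file removed
        _write(root, "tmp/.hidden", b"dropped\n")                              # file planted

        return compare(load_baseline(db_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report for the scenario lists tmp/.hidden as added, etc/motd as deleted, etc/sudoers changed in mode only, and bin/login changed in size and sha256 (mtime too if the clock ticked). Hashing content rather than trusting size and mtime alone is what catches a replacement padded to the same length with its timestamp reset.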
-
Blame NAI
Check this paragraph out from a press release out from NAI, parent of myCIO.com:
"Currently, most DDoS Zombie code is written for the Linux operating system. However, agents will likely be written for other operating systems in the near future. With the widespread availability of other malicious code such as Back Orifice, McAfee recommends users scan regularly for abnormal behavior on any platform. If a DDoS or other agent is discovered, McAfee VirusScan is able to automatically remove the file in most cases; in others, the product assists with cleaning by naming the files to be deleted by command line. Regular scans can help ensure systems run at peak performance and stay malicious-code free."
Wonder where myCIO got the idea? And I used to respect NAI too... -
Re:Just what we need
-
Open source == bugfixes two years later ?
I was pretty shocked by the following article that an OpenBSD user showed me. (I'm a Linux user, thank you). You can read it here.
From: Theo de Raadt
comp.unix.bsd.openbsd.misc...
> I'm just
> curious to know if anyone has broken into an open source system because it
> was open source.
Linux is the best example of this, there are many examples. As the
system being attacked, that is -- even if their source was not being
analyzed earlier. Funny thing is, (especially around two years ago)
it was a case of _us_ finding the holes, fixing them in OpenBSD,
telling the BUGTRAQ mailing list, and then crackers writing exploits
and using them on _other_ operating systems. (I guess that is
distributed and applied ;-)
Sometimes, as in the case of the recent RedHat lpd security report,
years elapse. Let's look closer at what happened:
http://www.progressive-comp.com/Lists/?l=bugtraq&m=94755071730474&w=2
http://www.progressive-comp.com/Lists/?l=bugtraq&m=94731014106560&w=2
http://www.progressive-comp.com/Lists/?l=bugtraq&m=94755201131570&w=2
And then read
http://www.progressive-comp.com/Lists/?l=bugtraq&m=94769938208989&w=2
And pay special attention to the original bug report. That's October
of '97.
http://www.nai.com/nai_labs/asp_set/advisory/20_bsd_lpd_adv.asp
-
Re:seperate parts of messages
The post office analogy is not really very accurate when you really look closely at the problem. The program that dumps the headers out for you (an MTA: Mail Transfer Agent, such as sendmail) already accesses and parses the whole message... it HAS to. Said same program can pipe a copy of the headers to a file, thereby keeping the "contaminated" part of the process (the one that reads your mail) in the program and the "prying eyes" part of the process (the postmaster trying to fix her network) separate. (This of course assumes morals, competency and a whole bunch of other stuff.....)
A much better analogy is the telegram (don't laugh!) operated by the old school telegraph operators that could tap out a message without reading it... or better yet, an illiterate operator! If all you know how to do is transpose '---' to 'O' and vice-versa then it doesn't matter if I'm sending a love letter or a credit card number.
The biggest refrain in this though is that if you want privacy you must encrypt. GnuPG or PGPi or if you must have someone to sue if it breaks... PGP. -
No big deal... ?
It doesn't seem that Dell is at fault here. If they applied a virus pattern file update last Thursday (Nov-11) and detected the virus, it makes complete sense. The virus was added to Network Associates' (McAfee's) list on Nov-9. Which means that two days after the virus was identified by the anti-virus community (and probably the very next pattern file update), Dell found it in their systems. Per the page at NAI, the virus is detected by the pattern file due out today.
This doesn't seem to be something we can blame Dell for.
-
Re:Superiority, gloating
Sorry for the repost; forgot to include the link...
One nitpick on an otherwise very insightful comment:
Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem.
Actually, Win2000 *does* have this problem, according to the advisory that was up at Network Associates' website (even though the McAfee page referenced here says it's Win98 only...hmm), because it shares Win98's use of IE 5 and Windows Scripting Host. Or, at least, Win2000 Beta 3 has this problem; of course, the final version will obviously include the patch for this exploit, which as noted earlier, has been out for about a month now.
So...either NA's advisory was wrong, and Win2000 doesn't have this hole even though it has all the components which enable it installed (IE 5 and WSH), or Win2000's security model has a big strike against it from the beginning. As you noted, that's completely to be expected with any new operating system, and *nix has certainly been there before. Still, it does make you wonder how long it will take before we can trust W2k... -
on NT...
From what I read on Microsoft's advisory on this bug, the same bug exists in NT.
I guess that Bubbleboy isn't exploiting it for NT, though.
NAI's page on Bubbleboy is here.
I read a news story which said that the author emailed the worm to Antivirus companies. So I guess that it was more of a demonstration of a serious problem than something malicous.
-
Mozilla needs to parse all HTML that IE does.
An important ability with Mozilla is to parse all the HTML that IE does, no matter how illegal it might be.
As an example, check out Network Associates McAfee Virus products for Unix. Click any of the "Try" links, and you'll find the form it takes you to is incorrect, and Netscape can't deal with it.
What's happened is their "ACTION='URL_HERE'" section has the URL_HERE word-wrapped. IE deals with it fine, Netscape results in a 404.
This (main topic) is an exceedingly important issue, but it's not the only one.
-
Letters to Phil
I already unloaded most of my comments on the subject in a hasty reply, but I thought I should point this out.
Over the past few years, human rights workers in extremely dangerous environments have written various letters to Phil Zimmermann. Not only do those letters thank him, but they essentially say that PGP -- and its availability abroad -- has saved lives. Strong PGP encryption in foreign countries has sometimes been the only barrier preventing perfectly good people from being murdered, raped, and otherwise hassled rather badly.
Now, of course, some of those human rights workers are indeed dissidents against their governments. Where they are, they break the law; they subvert the area governments' abilities to slaughter and suppress at will. But that's another discussion altogether.
-- Rene --
-
Looks official to me!
Try this press release on for size.
As for you not knowing much, well, Po Bronson points out that there are clear lines between who gets to know stuff about IPOs; of course, it has to do with securities laws in the end, but the practical effect is to make certain things very secret, even from the people whose lives are materially affected by the outcome.
As to how it works, "Mcafee.com" can easily be a stock-issuing subsidiary to another corporation. It happens in the other direction all the time: one corporation investing in another by buying, say, 10% of its stock. In this case, the subsidiary is in a substantially-enough different business from the main corporation that they want to give investors the ability to "track" its success separately. This can be done by a special class of stock, or as a semi-public subsidiary.
Since the prospectus isn't available yet (that I can find), it's hard to tell how much stock is being made public and how much NAI is still going to own. -
Re:PGP
Network Associates' PGP 6.02 (which is the US Export controlled version, btw (www.pgpi.com for the REAL version)) does not integrate with Netscape Mail, according to their webpage.
-
Re:ftp.khaos.org - why keep it in the USA?
However, how can you guarantee that it is "made in the USA"?
If you're talking about export regs, that question is irrelevant. If you have strong crypto code within the US, it is illegal to export it even if it was imported. The place of origin is irrelevant.
BTW, NAI has a neat way of dealing with it. All these export regs do not apply to source code in the form of a printed book. Publish, scan, and compile. And, voila! Legally exported code. NAI does this to ship their code to their international site in the Netherlands.
-
Send them this
Gullibility Virus Warning Posted as a Public Service by Robert Harris
Southern California College
Version Date: February 27, 1998
___________________________________
Forwarded Message
Subj.: Virus Warning!
From: HOONOZE
To: All@msn.com
To: Jake5551212@aol.com
To: President@whitehouse.gov
To: Pope@vatican.va
To: 007@MI5.com
To: Flounder@fish.net
To: Etal@etc.com
*****************************************************************
WARNING, CAUTION, DANGER, AND BEWARE!
Gullibility Virus Spreading over the Internet!
*****************************************************************
WASHINGTON, D.C.--The Institute for the Investigation of Irregular Internet Phenomena announced today that many Internet users are becoming infected by a new virus that causes them to believe without question every groundless story, legend, and dire warning that shows up in their inbox or on their browser. The Gullibility Virus, as it is called, apparently makes people believe and forward copies of silly hoaxes relating to cookie recipes, email viruses, taxes on modems, and get-rich-quick schemes.
"These are not just readers of tabloids or people who buy lottery tickets based on fortune cookie numbers," a spokesman said. "Most are otherwise normal people, who would laugh at the same stories if told to them by a stranger on a street corner." However, once these same people become infected with the Gullibility Virus, they believe anything they read on the Internet.
"My immunity to tall tales and bizarre claims is all gone," reported one weeping victim. "I believe every warning message and sick child story my friends forward to me, even though most of the messages are anonymous."
Another victim, now in remission, added, "When I first heard about Good Times, I just accepted it without question. After all, there were dozens of other recipients on the mail header, so I thought the virus must be true." It was a long time, the victim said, before she could stand up at a Hoaxees Anonymous meeting and state, "My name is Jane, and I've been hoaxed." Now, however, she is spreading the word. "Challenge and check whatever you read," she says.
Internet users are urged to examine themselves for symptoms of the virus, which include the following:
- the willingness to believe improbable stories without thinking
- the urge to forward multiple copies of such stories to others
- a lack of desire to take three minutes to check to see if a story is true
T. C. is an example of someone recently infected. He told one reporter, "I read on the Net that the major ingredient in almost all shampoos makes your hair fall out, so I've stopped using shampoo." When told about the Gullibility Virus, T. C. said he would stop reading email, so that he would not become infected.
Anyone with symptoms like these is urged to seek help immediately. Experts recommend that at the first feelings of gullibility, Internet users rush to their favorite search engine and look up the item tempting them to thoughtless credence. Most hoaxes, legends, and tall tales have been widely discussed and exposed by the Internet community.
Courses in critical thinking are also widely available, and there is online help from many sources, including
- Department of Energy Computer Incident Advisory Capability at http://ciac.llnl.gov/ciac/CIACHoaxes.html
- Computer Virus Myths page at http://www.kumite.com/myths
- IBM's Hype Alert web site at http://www.av.ibm.com/BreakingNews/HypeAlert
- Symantec Anti Virus Research Center Hoax Page at http://www.symantec.com/avcenter/hoax.html
- Network Associates Virus Hoax Listing at http://www.nai.com/services/support/hoax/hoax.asp
- Dr. Solomons Hoax Page at http://www.drsolomon.com/vircen/vanalyse/va005.html
- The Urban Legends Web Site at http://www.urbanlegends.com
- Urban Legends Reference Pages at http://www.snopes.com
- Mining Company Urban Legends Page at http://urbanlegends.miningco.com
- Datafellows Hoax Warnings at http://www.Europe.Datafellows.com/news/hoax.htm
Those people who are still symptom free can help inoculate themselves against the Gullibility Virus by reading some good material on evaluating sources, such as
- Evaluating Internet Research Sources at http://www.sccu.edu/faculty/R_Harris/evalu8it.htm
- Evaluation of Information Sources at http://www.vuw.ac.nz/~agsmith/evaln/evaln.htm
- Bibliography on Evaluating Internet Resources at http://refserver.lib.vt.edu/libinst/critTHINK.HTM
Lastly, as a public service, Internet users can help stamp out the Gullibility Virus by sending copies of this message to anyone who forwards them a hoax.
*****************************************************************
This message is so important, we're sending it anonymously! Forward it to all your friends right away! Don't think about it! This is not a chain letter! This story is true! Don't check it out! This story is so timely, there is no date on it! This story is so important, we're using lots of exclamation points! For every message you forward to some unsuspecting person, the Home for the Hopelessly Gullible will donate ten cents to itself. (If you wonder how the Home will know you are forwarding these messages all over creation, you're obviously thinking too much.)
*****************************************************************
ACT NOW! DON'T DELAY! LIMITED TIME! NOT SOLD IN ANY STORE!
Robert Harris is Professor of English at Southern California College. RHarris@sccu.edu
I keep it around for just this purpose
Mark