Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:Anyone have a working copy?
Did NAV detect it as Bloodhound.Exploit.13?
What I find interesting is the next one in sequence, Bloodhound.Exploit.14. Looks like IE has problems parsing TIFFs, too. First time I've heard of this. Apparently, Microsoft hasn't acknowledged this one as there's no link on the Symantec site for further details like they do with all the previous ones in the Bloodhound.Exploit series.
-
Marketing 101
Symantec also said it expects more viruses and worms in the future to be written to attack systems that run on the Linux operating system and hand-held devices as they become more widely used.
Hmmm, Symantec sells virus protection for hand-helds and Linux. I sure hope that they believe there will be more virus/spam attacks against these systems. -
Uhm....
Yes.
That's just the first of 3237 search results for "Linux" at SARC.
-
Re:I just don't understand
targo says after a cheap shot at Slashdot, "...you actually have to open and run the attachment yourself in Outlook in order for it to do anything..."
That used to be the case, then those clever people figured out how to do it so you don't have to click on anything.
evil, evil world...
For maximum safety, if you must use Outlook for email, rename or carefully delete the Windows Scripting Host program.
As an alternative, you could use my approach to email which is unaffected by any kind of scripting exploit.
Please keep the above in mind while other antispam solutions get coverage on Slashdot and this post is (likely) moderated into oblivion for being an 'ad' and 'just like SpamAssassin'--I tried to offer a clearly effective antispam/antimalware solution to all interested parties.... -
Re:Before you Microsoft Bashers come out to play!
Maybe if you posted as a registered user and not a cowardly AC, you might get modded differently. Oh yeah, why don't you use your "secure" web browser to find out the worldwide dollar figure for all the Windows vulnerabilities. And here's one to add to your list:
Which operating system permitted a virus to destroy the data and BIOSes of over one million computers? -
Re:Right..
-
Re:Need one that does some damage
Is flashing the bios damaging enough for you?
-
Re:What if someone made a worm that just........
It's been done. See this writeup for the Welchia virus.
This thing actually caused more problems at my site in the form of network saturation than the blaster worm it was written to eradicate! -
Sounds like W32.IRCBot.H
At least from what I'm reading on Norton's site, this sounds like a match:
http://securityresponse.symantec.com/avcenter/venc/data/w32.ircbot.h.html -
Re:News for nerds, free stuff for the editors?
The referenced item from Intego was about a theoretical Trojan horse that no one appears to have actually taken advantage of to do evil (Symantec's take on it). Also a detailed look at the "security alert" can be found here.
Anyway yes any storage device could have a Trojan, etc. dropped onto it. Yet in the case of the iPod and other storage devices (at least under Mac OS X) just because such a beast exists on the storage device doesn't mean that once connected it spreads (no auto-run of code on mounted devices is supported on Mac OS X without third-party tools).
Not much can protect one from a Trojan if the victim cannot recognize it for what it is (sure virus scanners may hit on it if it is a known trojan).
Anyway the real issue is mostly about users dropping company data onto their iPod, etc. (likely unencrypted) and then walking out the door and possibly losing it... -
List of apps already exists
The list of apps that don't work on Linux has already been compiled here: http://securityresponse.symantec.com/avcenter/vinfodb.html -
not really Prior Art, but
"the concept of 'a process configured to run under an administrative privilege level' which, based on authorization information 'in a data store', may perform actions at administrative privilege on behalf of a 'user process'."
Hell, that sounds like Klez!
-
Trying too hard.
I used a win98 box as my game machine for a good while. Just through normal use, the damn thing would degrade over the course of a year and become sluggish and erratic. Grant you, I'm using it like a 15 dollar ho, but that's not acceptable. (I've still got the comp, and it's running RedHat8, and STILL getting slapped around, and it's got an uptime of 108 days (Power failure). Vive la différence.)
The secret is to keep a data drive and an OS drive, and when it ends up in the shitter (as it will, without a doubt), copy your data and reinstall. Sure, you can screw with the registry and a vast array of tools that claim they'll fix your computer...But trust me, they're a waste of time. A clean 98 install is good for 6 to 8 months of only minor suckitude.
Even better to make a ghost image of a good install, and then restore it whenever you need to. -
Re:A User's Impressions Of XP SP2
Their Windows Security Alerts interface isn't compatible with my corporate Norton I have from my work place. It isn't a big whoop, but I am surprised they don't work together.
As per
http://www.symantec.com/techsupp/enterprise/sp2/compatibility.html
Symantec Client Security 2.0 DOWNLOAD NOW
Symantec Client Security 2.0 Business Packs DOWNLOAD NOW
Symantec AntiVirus Corporate Edition 9.0 DOWNLOAD NOW
Symantec AntiVirus 9.0 Business Packs DOWNLOAD NOW
Symantec Client Security 1.1.1 August 18 - 31, 2004
Symantec Client Security 1.1.1 Small Business September 1 - 15, 2004
Symantec AntiVirus Corporate Edition 8.1.1 August 18 - 31, 2004
Symantec AntiVirus 8.1.1 Small Business September 1 - 15, 2004
Symantec Client Security 1.0.1 August 23 - September 6, 2004
Symantec AntiVirus Corporate Edition 8.0.1 August 23 - September 6, 2004
Norton AntiVirus Corporate Edition 7.61 September 7 - 21, 2004
So, current products are supported already. Older versions, Symantec will roll out patches for in the upcoming weeks. Sounds reasonable. Feel free to point this out to your administrator in case they're not aware of this patch requirement. -
Re:A User's Impressions Of XP SP2
Check out Symantec's FAQ on SP2.
-
Re:Not quite as I'd have thought.
According to Symantec, this virus was discovered on January 7th... Did it really take 7 mos. to get out to the wild/become a threat, or is the BBC just having a slow news day?
-
Re:firefox testimonial
Seriously, how hard can it be for MS to write an application as straightforward, yet secure as Firefox.
Perhaps lots of people, including Microsoft itself, have an interest in perpetuating the myth that software is inherently insecure. -
Since when did Novell become an AV vendor?
One really odd thing I noticed in the footnotes:
Footnote 2: It also has come to our attention that P2P file-sharing technology is being used as a means of transmitting computer viruses and worms because conventional virus protection programs, such as those marketed by Novell, do not scan files exchanged via such technology. If such is the case, then it would be incumbent upon your companies to warn your users of this risk.
Since when did Novell sell anti-virus products? I don't see any on their website. They do make a firewall called BorderManager (which arguably could be used to block a number of P2P services) but it's not an antivirus program.
I could be wrong, but even if Novell does make some AV program nobody's heard of, it's not a very good example, since nobody uses it. More likely they meant Norton, but it's hard to keep straight all those software vendors who have names starting with N.
Between that and the comments on your computer sharing files when it's off, one wonders why they can't find one person with a high-school level of technology expertise who can act as a consultant for the AG's. Probably because they can't find someone who knows anything about technology and is willing to bash P2P.
-
Re:I don't know.....
> have there actually been exploits for outlook that didn't involve social engineering?
One Word:
Bubbleboy
-
Okay, I googled it
And the first link tells me that W32.Welchia attacks the RPC DCOM vulnerability found in Windows {NT,2K,XP,2K3} and the WebDAV vulnerability found in IIS 5.0, but specifically lists Windows 98 among the "Systems Not Affected". Is there a different version which also attacks stock 9x installations?
-
Why not throw Symantec into the mix too?
It would seem that Symantec's LiveUpdate falls into the same category... see http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=/netahtml/search-bool.html&r=2&f=G&l=50&co1=AND&d=ptxt&s1=liveupdate&OS=liveupdate&RS=liveupdate. It would seem that Symantec was talking about this feature in 1996 http://www.symantec.com/press/1996/n960916b.html/, well before the filing date of 4/20/2000 for the patent in question. -
Actually, they did...
Windows Update is owned by microsoft - in fact, it is one of the URL's that the blaster worm DOS'ed.
According to this register article that someone posted, the website that the spammer registered was windowsupdateNOW.com
-
Re:Perfect Exploit
Maybe you're trying to be funny, but I don't think that's a good idea at all. If anything, Welchia showed us that well-intentioned unauthorized code execution can cause disaster.
A better, less intrusive and bandwidth-heavy solution might work, like leaving text documents or changing the homepage -- but even then, it's illegal and I wouldn't advocate doing that. We open source folk are supposed to be above that. -
Malware
This story comes at a perfect time for me. I'm a Mozilla diehard, and I just ran Ad Aware 6 to find that some malware bypassed security (even Norton Internet Security) to install itself. One of the progs I found was malware called Winfavorites, and although Symantec says this is detectable malware, I had run Norton Antivirus and it went undetected. Looks like it's smartest to run a combination of programs just in case!
I might add that I don't blame Mozilla for it. I blame the programmers who sell their soul for cash to these unscrupulous companies only looking to profit while hurting the systems they populate. -
Bluetooth spam
There already is bluetooth spam.
I wonder how long it will be before the first worms show up propagating via bluetooth interfaces, turning cellphones into bots sending out mass SMS spam...oh, wait a minute...Why only cell phones, why not as well printers or any other bluetooth device? Next thing you know, your printer starts printing all that pr0n spam!
-
W32.Beagle skews the numbers...
The latest variations of the W32.Beagle virus might be skewing the numbers here. These variants place copies of themselves in any folder on a Windows system that contains the string "shar" (from Symantec):
Attempts to spread across file-sharing networks, such as Kazaa and iMesh, by copying itself into folders that contain the string "shar" in their names. The worm uses the following file names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
If you count all of these infected systems that drop copies of the virus in "Shared" folders (and if my Inbox is any indication there are thousands), then you're not going to get an accurate count of actual software that's being traded on P2P networks.
k. -
Re:Uh
Have any stats to back that up?
sure...and type 'IIS' into the search field for worms and exploits affecting IIS.
And yes, I do remember them all getting hacked last year...do you remember MS products being hacked yesterday? the day before? the day before that?...
Nobody is saying that there is a magic server or os that can't be hacked. What I was pointing out is that just because you are popular doesn't mean that you are the easy target that receives all the attention.
Do you remember the article Slashdot posted that showed Linux was the most breached OS on the net?
Yes, and I also remember how that report was for directed attacks. That means that what was conveniently left out was the fact that nobody even bothers to direct an attack at a Windows box, you can just take them down wholesale. One attack, 10,000 machines...more bang for your buck.
-
Re:you forgot some
From Symantec Security Response:
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x
You are safe, for now. =) -
Better Versions
If you want the Symantec release re-written by someone who knows what they're talking about, look here.
And in the spirit of good journalism, wouldn't you think CoolTechZone would want to link to Symantec or directly to the advisory. And not just CoolTechZone, but CmdrTaco too. Was the news that CoolTechZone reported this, that Symantec reported this or that there's a new worm out? As the news spreads, so does the crummy reporting, this time from The Inquirer. They don't link to Symantec either & have winning lines like "If users are dumb enough to open the attachment".
"Evaman occupies a false email address" doesn't fill me with respect for CoolTechZone's credentials.
Okay, fine, users are dumb. How about we give them a slight break in this case? Failed deliveries are far enough out of most people's 'normal' e-mail experience that I can understand why they'd read the message. No it doesn't excuse opening anything with .scr, but txt.scr, html.scr, outlook.scrtxt.exe might dupe your avg users.
Anyways, here's a better article linked by McAfee and The Article That Started It All from the Sydney Morning Herald. Perusing the summaries off of Google News makes it seem like this will either be "unlikely to have a major impact on Australian businesses." or (now this is really crazy because it's from the same website, but a different article) "clog mail servers, cause severe slowdown and wreak financial damage as it spreads rapidly around the world when businesses return to work today"
I love that everyone can quote the Sydney Morning Herald to report that the sky is falling, or that things will mostly be okay. How do two journalists end up with such completely different viewpoints? They both quote Tim Hartman
"Tim Hartman, senior technical director at the security firm Symantec, said Evaman had the potential to be "every bit as bad as MyDoom. It's really shaping up like that. Mr Hartman estimated the virus would spread at an uncontrollable rate as people returned to work"
and/or
"We don't think it's going to be a major outbreak... most businesses had been able to filter out the affected emails" Mr Hartman said.
/Rant -
Re:So, windows is affected by a worm?
Again...can't we just start posting a weekly news post on /. to the effect of "Somewhere, someone created another virus for Windows?" Wouldn't that be equally effective, and still truthful?
Getting the news out in a timely manner is better than leaving people exposed. If you're not interested, you can always uncheck that slashbox labelled "security". After all, you're using Linux? Right?
Having said that, Symantec have the gory details. -
A clearer description of Evaman
Rather than reading a journalist's munged interpretation of what Symantec said, you can look at Symantec's original statement
-
Re:NTFS streams
Ditto the viruses.
Indeed.
That one's pretty harmless and easy to spot since it's proof of concept, but it's nevertheless a scary thought to have viruses that could hide themselves to pseudo-files that are not visible in any way if you don't know what to search for, and even then only enumerable by weird totally unrelated and/or undocumented functions... -
I'm surprised at everybody
The summary mentions pr0n and no one thinks of the obvious! Come on: filter MSN, closed-source, etc.
But no matter how hard you try, your kids will learn about these sins in the school playground and will most probably experiment with it to look cool in front of their friends. Pretty soon, they're stuck awaiting their next fix or two to help keep the monkey off their bootsector... err... back.
Unfortunately, I have quite a history with these things so I'd look like a hypocrite (hence: posting AC). Such is the dilemma. -
Snopes
The idea is to make people feel stupid for being a part of the chain letter, not to insult them.
This works for me as well. I usually refer them to the following hoax busting sites:
Snopes
Urban Legends
Symantec Hoax Warnings ("$800 from Microsoft" is listed first on this page!)
Hoaxbusters
VMyths
If more gullible journalists and people would think a little and do some simple, quick research before hitting the SEND button then we'd all be a lot better off. -
IRISH VIRUS!!!
See http://securityresponse.symantec.com/avcenter/venc/data/irish.virus.hoax.html for details, but my favorite hoax is as follows...
It's too bad that more hoax "victims" don't get this one...
> Greetings, You have just received the "IRISH VIRUS".
> As we don't have any programming experience, this Virus
> works on the honour system. Please delete all the files
> on your hard drive manually and forward this Virus to
> everyone on your mailing list. Thank you for your cooperation. -
Re:I'm very confused about the news!
A simple answer to this is found by checking Symantec's Site for one. I'm sure google would have coughed up the answer to this as well.
-
Re:So What?
I wasn't aware that this program installs itself, then replicates by copying itself into other programs.
That is the definition of worms, but virii can still be virii without duplicating itself. SDBot is definitely a virus, but it does not replicate itself, it tricks folk into running it (well, the creator has to somehow, simply emailing porn.scr should be simple enough)
-
Programs Broken by SP2
SP2 will de-emphasize backward compatibility with legacy systems and code for the sake of security
After installing this patch, I found that several of my existing programs ceased working, not that I need them for anything important - see the list below
-
eh
Burn a CD with the latest norton defs, windows service pack 1, all those little updates for the trojans, and a firewall (I personally like Kerio Personal Firewall), and install that before you even put the network cable back in.
-
Re:Where from?
That's not true, a worm needs no user intervention in order to infect a computer. Think Sasser.
-
Spyware awareness
If nothing else (it will be extremely difficult to police, after all), this bill will hopefully increase spyware awareness amongst the average n00b user. While most users are aware of the need for up-to-date antivirus packages, especially after the recent spate of high-profile hits, most are blissfully unaware of programs like Spybot Search and Destroy or Lavasoft AdAware, which I feel are just as critical a part of my security armoury as my firewall (ZoneAlarm) and my AV (NAV).
On a slight aside, Norton AV does include a certain amount of spyware scanning in their latest version (NAV 2004). -
Re:MS Windows Terminal Emulators?
HyperACCESS. HyperTerminal's big brother.
ProComm. Not just for BBS's anymore.
Feel free to search the web for more -
Proof of Concept?
From the Symantec site:
EPOC.Cabir is a proof-of-concept worm that replicates on Nokia Series 60 phones.
Uh, talk about coding your way to job security? -
We can do more.. are told to do less!
In the Symantec article (I could access it) it is suggested: "Turn off and remove unneeded services." I can't help but laugh. Buy a Bluetooth-enabled mobile phone, and turn off the Bluetooth stuff as soon as you have it out of the box... Or pay to have something removing the stuff you paid to get.
Hum... may I suggest not to get such a mobile phone?
By the way, turning off what I don't need, is something I do with my car, my house, my computer... That is why I have no viruses, no slow down, no whatever I don't want. It's a kind of breakthrough: don't use what you don't need, you'll have less problems. Ho peoples, I am in great shape today! -
K.I.S.S. - simplicity is key
I'd just like to say that this is why it's still nice to have a phone with relatively limited features - well, that and it's a Motorola (T720). I don't have to worry about the Bluetooth stuff, and I don't even have web access activated on it.
Also, according to the SARC article linked - this worm will attack any bluetooth device that it finds in its range - not just phones - SARC uses a printer as an example, but what about those nice bluetooth mice/keyboards and PDAs, etc?
They have an image of the phone with the message displayed on it too. -
Re:Not true
NAV Corporate 7.x (and probably 8.x) eats Mozilla inboxes. Very annoying.
Yes it does, if you have it set to scan ALL files, or if you fail to exclude the Mozilla inbox.
That's actually been a long-running problem since the Netscape 4.x days. It also affects MS Outlook Express users.
Here's the Symantec tech bulletin about NAV and Mozilla/Netscape mail. -
Re:Once again, I'll have to disagree with this.
In order for Linux to have the same infection rate as Windows, Linux would have to have the same (or similar) flaws. For example, the same email client installed, by default, upon every Linux machine and that email client would have to run executable content.
Umm same email client? Outlook doesn't let you run executables period. It doesn't even let you receive executables (.scr .bat .vbs .exe), this has been a security feature since Outlook XP (2002). New viruses zip their content and the user must open the zip file and run the executable. This is not a flaw in Outlook, Outlook Express, Eudora or any other mail program. It's a flaw of the user. -
Re:Worm vs Virus
It's kinda more complicated than that:
VIRUS: File infector, Self-Replicating
A virus will insert its own code into another _pre-existing_ file. It also replicates automatically every time it's run.
WORM: Self replicating
A worm self-replicates like a virus, but it does not infect pre-existing files. A worm will create a whole new file that is pure viral code (usually with a spoofed name like iexplorer.exe as opposed to the legit file iexplore.exe)
TROJAN:
A trojan is also its own file of pure viral code, but does not self-replicate (However, they frequently facilitate remote control of the Trojan that can be used to replicate it)
Symantec has a document on this, the link is... What is the difference between Viruses, Trojans and Worms?