Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Actually, I'd say you got lots of decent ideas
1. Transparently blacklist generalized/malicious junk like double click, gator, web bugs, various other advert networks and drive-by downloaders.
2. Offer different proxies with multiple levels of popup/junk filtering that your savvy customers can opt-into.
3. Send out a CD with free versions of Ad-Aware, Spybot S&D, and so on. Or point them to links like the online version of X-Cleaner or one of many online virus scans.
4. You could also be a real saint and figure out how to put most of the important Windows Updates on CD for your dial-up users and have it automatically do its thang. At a minimum, the Service Packs and Security Rollups will make you their hero.
5. ???
6. Profit!!!
We know there isn't a quick fix solution, but 1 and 2 are eminently doable. I personally use a proggie called AdMuncher(.com) and since Dec. 25th it's blocked 13,100 ads/popups/etc and supposedly saved me around 102MB of bandwidth. It ain't free, but goddamn it's good (and only 157K).
-
Re:why is MS always the target?
AIM and YIM have been around a lot longer and no one ever wrote a "worm" (debatable label in this case) for those...
There are worms for ICQ, AIM and MSN. Yahoo IM is the only one that doesn't have a worm right now.
MSN worms have been around for a while now. This isn't news in any way. The worm relied on a website that is now shut, so the worm is effectively disabled.
If you want to know about IM spreading worms, read this or this -
Re:why is MS always the target?
-
Re:why is MS always the target?
-
Re:why is MS always the target?
-
Re:You have been rooted, welcome to BSD
-
Re:HA
I have several locations with the Symantec 200 routers (pdf link) with dual WAN ports.
I would love to replace them with an IPCop type of open source / flashdisk / bootable CD / etc firewall that supports dual WAN ports.
Would be nice with a DMZ as well, so that would be 4 NICs total: 2 WAN with failover, DMZ, and LAN.
-
Re:Email2Fax
A while back I received the SirCam virus via text message to my cellphone.
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
Daniel -
Symantec: condemned out of their own mouths
See Symantec's Spamwatch site as an example.
So I did; and what I found there was:
"What you should look out for: Warning Signs"
And clicking on that I found this, from which I quote:
"Users should exercise caution in the following circumstances:
If the bottom of the browser window is intentionally hidden."
Now try clicking on the thumbnails at the bottom and see how many of their examples appear to be from evil spammers, based on Symantec's own advice.
-
Re:Spam: BSA as a tool?
Nearly all the software advertised in spam is counterfeit, so you can forward spam that advertises software to the BSA. Selling illegal copies of software is something that law-enforcement takes more seriously than spam itself.
A few software companies actually ask you to forward them spam that advertises their products. See Symantec's Spamwatch site as an example. -
Re:What proof do they have?
Like another post said, the fact that infected machines try to DoS anti-spam services is a pretty strong indication. Also see the recent Sobig worm that installed a mail proxy on infected machines. The sole purpose of this worm is to create proxy servers to relay spam through. This has been well-documented.
-
Re:Economic incentive?
Actually, some jerkoff in his garage has either:
1) Made 1000 pirate copies of Norton and is selling them via spam.
or 2) Is willing to accept your credit card information and not send you anything.
Virtually all spam offers are bogus.
See Symantec -
Re:Problem with Optiplex GX 270 & Ghost
you need this switch -fni
ice
Here's a list of switches -
Re:Isn't Microsoft culpable in this mess?
-
Experiences with Norton Ghost
As far as a new machine goes, I always recommend installing a fresh copy of 2000 or XP if you are installing to just a single machine. This way everything is nice and clean, no old drivers can crud up the system, any and all resident spyware and viruses are gone. XP even has the Files & Settings Transfer Wizard to move everything over to a new machine and it has always been a good tool in my experience.
As for multiple machines, I've always gone with Norton Ghost Enterprise. Where I work, we recently got a new shipment of 120 Dell Dimension GX270 desktops, P4 2.8GHz, 120GB disks, top of the line machines. However since we are a government agency we have certain security policies that must be in place on each machine regarding user logins, domains, file permissions and network access. Setting this up on 120 machines would be an impossible chore. So I set up a spare Dell server running Windows 2000 Advanced Server with Norton Ghost Enterprise. We then took one of the new Dells, reinstalled Windows XP from scratch and began applying all security measures and end-user programs to the install. Next, a Microsoft program called System Preparation Tool was run to prepare the system for the end-user, and the machine was shut down and booted off a Norton Ghost rescue disk with drivers for the onboard ethernet. Then the machine was connected to the Ghost server and an image of the hard disk was dumped. From there the only remaining work was to boot a dozen or so new machines at a time and point them to our Ghost server and have them image the drives, then we repackaged them and delivered them to the users. The whole process took about 2 weeks from when we got the first machine to when the last one was delivered to the user.
Norton Ghost is great for rolling out images to identical machines, but it's hit-or-miss with machines that differ on hardware. And it certainly helps to have corporate editions of the Microsoft software to avoid activation issues. -
Re:Security at last?
Could this mean that Microsoft are, at long long last, taking security seriously?
Hahahaha! Tell me another one! That was GREAT.
Come on. "Trustworthy Computing" was supposed to be Microsoft's stab at taking security seriously - an initiative that, in two months, will be two years old. Not much has changed.
Trustworthy Computing was the launch of some kind of supposed effort by Microsoft to tighten down security in their products. That obviously failed. So now, rather than stomp out the bugs in their products, they figure they might have better success by simply eliminating those who exploit the bugs.
-
Re:The choice is the consumer's
If you install it you are giving the software the consent it needs to do this. It doesn't seem to be a hidden "feature" but a function as any other inside the application.
The feature clearly states that it blocks ads in its personal firewall application.
NEW! A Web assistant lets you block ads and access other program options from Microsoft(R) Internet Explorer.
Disable it and watch ads as I do! I even click on banners and browse around on the sites the ads link to.
Ok, I disable popups whenever I can, those are annoying....
;) -
Been there done that
Just like to mention that it's not Norton Antivirus, but Norton Internet Security and Norton Personal Firewall that seems to have this feature.
And what's more: NIS/NPF 2003 had this last year. I used it for a while, and it worked great. But to be honest, I've never been bothered by ads, so I turned it off (I'd rather have less taking up memory/CPU time than some piece of software block a few ads).
Now, pop up blocking? That's a different story... I'll definitely leave that setting in Firebird for that one. -
NAV2004 Does Not Have Ad Blocking Feature
NAV2004
It is part of Norton Personal Firewall 2004.
NEW! A Web assistant lets you block ads and access other program options from Microsoft(R) Internet Explorer.
-
Re:No, it's *not*
From the manual for Norton Internet Security 2004 (the product in question), page 161:
"There are two ways to restrict Web site access:
- Block Web sites by category
Specify which categories of sites users can and cannot access. You can also add or remove specific sites to or from the list of blocked sites in a category. Use this option to restrict users from visiting specific types of Web sites, but to allow everything else.
- Create a list of websites that can be visited.
Specify the Web sites that all users can visit. Use this option to strictly control users' Internet activities, regardless of users' account types."
What was that about it not being configurable?
-
Re:Who?
probably this dude.
http://www.symantec.com/corporate/ceo.html -
Re:Interesting comment from Bill
And when their work computers get infested with the latest virus and their kids say, "Don't worry, Dad, we don't need Norton Anti-Virus because we have a Mac," the wheels will turn some more.
If he were a smart dad, he'd wonder why it was on sale then. -
How I dealt with Welchia
We got caught out by Welchia by someone kindly connecting an infected laptop directly into the network behind the firewalling. Ironically this was possible due to a mistake in SMS package deployment (was done hastily - my fault).
My solution was to deploy honeypot windows machines running snort which reported into a central SQL server database.
Using Windows Scripting Host, I then wrote a script that ran periodically on a network management workstation which queried the database, creamed off the last machine that was an infector and, using the wonderful free PsTools from Sysinternals, automatically determined what OS the machine was running (PsInfo), updated its antivirus signatures (PsExec), de-wormed the machine using the Symantec "FixWelch" utility (again using PsExec), decided if the machine was up to service pack spec (data from PsInfo) and if not service packed it (PsExec), then applied the patches to prevent re-infection (PsExec).
All worked a treat.
I'm kind of glad we got hit because as a result I can now insist machines get patched (previously people would complain about a "box on the screen" (SMS installer)) while also being able to remove machine admin rights across the board and ban any machines that are not ours from being connected on pain of a disciplinary offence.
A lot of work but ultimately, I WIN. MOO HAR HAR!! -
Re:One word...GATOR
I forget the name of this particular gem but it modified the HOSTS file to redirect websites to *other* sites.
That sounds like Trojan.QHosts. -
Re:weird google override
It's probably this. Likely your hosts file has been hijacked, and quite possibly moved to a different folder (try c:\windows\help\hosts). The link has a removal tool.
-
Re:My issues with this story
I started a point-by-point refutation of everything that you said, but then I realized that it would be pointless because you are just spreading FUD.
Actually I'm debunking FUD, but let's carry on.
Most of it doesn't even make sense, as when you claim that hardware for Linux is free ("typical computing tasks? Linux can do all that too - for free"),
I didn't say hardware for Linux is free - that would be extremely silly now wouldn't it? There are certain things I think that we can take for granted, such as I'm 96.5% certain that readers here understand what Linux is and that computer hardware is not "free". Fair comment one must always take the cost of the hardware into account but its the OS that we are talking about here.
...and how you claim that the author's statement that there are no Mac viruses in part because there aren't enough Macs is wrong, because there would be viruses if there were more Macs).
I said people attack the most prevalent system, which is presently Windows. If OS X was as prevalent as Windows is now, there would be more attacks targeted at it. The number of attacks scales with popularity.
I don't believe you actually own a Mac, because you are about as hostile toward Macs as some of the most rabid Windows fanboys I've run into. If you do actually own an iBook, here's my suggestion: sell it. We don't need people like you spreading this sort of FUD.
Well I certainly do own an iBook and how you can call me hostile towards Macs I find quite frankly confusing (did you READ what I wrote? I like OSX). I like OS X a lot - (I certainly wouldn't have bought an iBook if I didn't, and I definitely would not be thinking about a G5) plus I do support (amongst other things) a 200 host Mac network complete with XServe (which I personally recommended & installed).
The article I debunked is FUD - it makes contradictory points. For example, this paragraph:
So, if you're a Windows user, you could sit tight, apply all the patches, worry about all the viruses and hope that the spring's Service Pack will solve most of the security problems without breaking other key features of Windows or interfering with programs you use.
This is clearly putting the concept of patches in a negative light, and inserting FUD into the process by implying that applying a patch may cause problems. Some facts:
OS X needs patching, (as do all other current operating systems.)
Applying patches can be risky, however it's important to keep up to date. Apple suffered from this exact issue recently with the 10.2.8 update causing problems for many users.
So Apple are "guilty" of two of the alleged "crimes" of Windows.
It would be like an airline saying something like "So if you fly with our competitors, sit tight and hope there are no bombs or terrorists on the plane with you" while trying to sell plane tickets. It's ridiculous.
It says that Microsoft release patches and puts that in a negative light and later on says that Apple release patches but it's "ok" because they are less frequent!
It also says (correctly, unless the "switchback" "virus" isn't a hoax) that there are no viruses for OSX, yet you should still run antivirus. Sophos, Symantec and Network Associates all produce OS X antivirus, which you have to admit is a little strange. I suppose they are selling insurance against future incidents.
If I've posted anything factually incorrect, then please set the record straight.
What is it with all the anonymous postings anyway? Why are people afraid to put their names to their opinions? -
Closer to what?
We're getting closer...
Hmm... I like them being fined, and california needs the money, that's for sure.
However, I wouldn't jump too high right now. I think we are just changing the game, not winning it. Here's an example of what spammers are doing now.
I believe whitelisting is one of the only way to go about stopping spam, but it has obvious problems associated.
Ah well, at least the government is doing something... 5 years too late. -
Re:MS viri on the Mac
I wasn't intending it to be a troll or a flame. I'm a little confused over why that was labeled a flame.
I was trying to point out that while Macs can get Word/Excel/PowerPoint-based viruses, there really aren't that many being produced anymore. If you look at Symantec's Latest Virus Threats list (W32.Marque@mm is the newest listed), there are only two that use Word/Excel/PowerPoint as their carrier: W97M.Rochitz.C and W97M.Tabi.Trojan. W97M.Rochitz.C doesn't do anything but spread. W97M.Tabi.Trojan downloads an EXE file which won't work on a Mac.
I had forgotten about the OS 9 Office package. I switched to OS X and haven't looked back.
-
Re:Headline is an overreacting attention grabber
Maybe you're new here, but "white hat" hacking is dangerous. Just look at the Welchia worm. Someone tried to fix computers infected with Blaster, but their "white hat" hacking worm only made things worse.
Good intentions don't always mean you let it slide when someone breaks the law. -
Symantec does product activation too.
Take a look at their 2004 consumer products. It seems every company is doing it these days. Most people have no problems with Symantec's activation since it is not as bad as Intuit's (based on MBR).
-
Re:all spamming at the same time?
-
Re:Why haven't you tried replacing the powersupply
Actually, the CIH virus a while back did kill motherboards. It wasn't "frying" it, but it would corrupt the flash BIOS and therefore make the motherboard not boot up at all.
-
Re:his worst argument...
I think parent means Slapper, rather than Slammer. Slammer was an evil, ISP-crippling MS SQL malady which was far more widespread than 14,000. That number could be about right for Slapper, though Symantec puts it around 3,500.
-
hosts location
Ya, both my roommates got this, but QHosts wrote a hosts file in c:\windows\help (not in its usual location at drivers\etc) which threw me for a loop cuz I wasn't aware that Windows would look there for a hosts file (or even that you could have 2 in the first place).
QHosts also adds stuff to your registry, check here for info on what it does and how to undo the changes in your registry.
then reboot (or maybe just re-login might work?), and you should be fine, and google won't be dead anymore (along with altavista, yahoo, msn, ask.com, lycos, hotbot...). -
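The two posts above describe the same hijack: a hosts file (possibly a second copy under c:\windows\help) that points search-engine names at some other address. The check below is an added example, not code from any poster or from Symantec; the watched domain list, the candidate hosts-file paths and the sample hosts text are constructed for the example.

```python
import ipaddress
import os

# Constructed watch list: the names the posts above say stopped resolving properly.
WATCHED_DOMAINS = {"google.com", "altavista.com", "yahoo.com", "msn.com",
                   "ask.com", "lycos.com", "hotbot.com"}

# The usual hosts location plus the alternate folder the posts mention (constructed paths).
HOSTS_CANDIDATES = [r"C:\Windows\System32\drivers\etc\hosts", r"C:\Windows\Help\hosts"]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def _base_domain(hostname):
    """'www.google.com' -> 'google.com' so subdomains match the watch list."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_hijacked(text):
    """Flag watched domains mapped to anything other than a loopback address."""
    suspicious = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            suspicious.append((ip, name, "unparseable address"))
            continue
        if _base_domain(name) in WATCHED_DOMAINS and not addr.is_loopback:
            suspicious.append((ip, name, "watched domain redirected"))
    return suspicious


def find_extra_hosts_files(candidates=HOSTS_CANDIDATES):
    """List every candidate hosts path that exists; more than one is a red flag."""
    return [p for p in candidates if os.path.isfile(p)]


# Constructed sample: one normal entry, two hijack-style entries, one harmless ad block.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # hijack-style entry
192.0.2.10      www.yahoo.com
0.0.0.0         ads.example.net             # deliberate ad block, not watched
"""

if __name__ == "__main__":
    for ip, name, why in find_hijacked(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {why}")
    for path in find_extra_hosts_files():
        print("hosts file present at", path)
```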
Re:Google is dead : /
Hehe. I didn't think about the whole goatse thing when I posted the link. It is fine, it's Google's IP addy.
It sounds a lot like Trojan.QHosts causing the problem. Check out Symantec for some info about it. -
Welchia...an aggressive system patcher
I don't run Windows, but reading Symantec's description of the Welchia virus sounds like it's at least trying to be helpful:
- Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
- Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
- Attempts to remove W32.Blaster.Worm.
/. or something. -
a plan of attack
I see the problem coming when the unknowing masses start downloading this patch and thus making all of our "it's just an optional patch" hand-waving seem like inaction. So here's my advice: start sending those stupid f**king "I've given you a virus!" emails to people, like the one about jdbgmgr.exe (the teddybear icon). Except instead of being aimed at system lint, say it's this new patch's executable. The brainless masses will eat this up as they usually do, and all of /.'s readers will get it filtered out of their masterfully protected inboxes anyway. Maybe DRM is an argument for technical know-how haves and have-nots, in the end: If you care to share, figure it out. Otherwise, DRM you to hell :) -
Re:Swen IS TOO a worm
Ok. I've thought about this, and here's what I think:
Agreed, that the general behavior of "Swen" is that of a virus.
However, I still stand by my statement that using a vulnerability in Outlook to auto-execute is like the behavior of a worm. So is running in the background and sending out e-mails of itself (as defined here).
The SirCam worm also behaved like Swen, in that it arrived as an attachment or was copied to a network share, played with the registry, etc.
And I didn't mean to say it required Outlook. I meant that "all it takes is for some guy to open Outlook," meaning that the minimum user interaction level would be if you open Outlook, and the worm is the topmost message, bam, it gets previewed and executed if you're not all patched up.
In addition, Symantec is classifying it as a worm. So you'd better go try to explain to them why they're wrong, too.
----
On a lighter note, WTFA (Wrote The FA) could be a humorous comeback to "RTFA".
Someone:
/makes a comment
Slashdotter: RTFA!
Someone: WTFA! And I'm right! -
Re:It's not a worm, it's a virus
Actually, if you'd bothered to read the description of the worm, you'd know that users can infect their machines - if they do not have the 2 1/2 year old IE patch installed - just by viewing the e-mail in an IE-friendly e-mail client that has HTML enabled by default. This is directly from Symantec's description of the WORM: "This worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message." Outlook would do the job nicely.
-
Re:Wow
Actually the worm exploits an Outlook security flaw to run itself. That's how I got infected at work
:-( damn outlook and your wonderful autopreview feature.
wang33 -
Spam zombies?
Seems like this is an attempt at creating a network of spam zombies. I mean, think about it... it asks for your email information and LOGS INTO YOUR ACCOUNT. (Symantec has a good writeup, with screenshots about it)
Maybe this is the culmination of all the "research" using SoBig? Aren't there rumors that those worms/viruses were used to "research" making a spam network? Interesting indeed...
And whoever wrote this one did a helluva job, it really looks authentic. -
Re:And all 1.5 million
-
Re:And all 1.5 million
-
Re:Heh
That isn't fully true. The virus also exploits unpatched versions of Outlook Express so it can spread itself. See this page for information. It's pretty close to the top of the page.
I've had about 4 or 5 copies come in to my computer today (I use Mozilla Thunderbird). All together, I've received about 3 that look like failure notices from a qmail server and probably a dozen that look like that stupid fake MS security patch.
-
Re:The bottom line - cost
1 XP Admin with $40,000 annual salary
Are you serious? The average IT technician is paid more like $14000 in the average UK academic institution. What's more, a $14000 a year tech can clean up a Windows XP machine unlike the $40000 you would need to pay a *NIX expert.
Again, I agree, it would be a bad idea. The poor overworked XP Admins I know are starting to ask for Linux training.
And I suppose worms are impossible on Linux are they?
*cough* Ramen *cough*
Simple fact - a worm is feasible on ANY moderately sophisticated OS. If most of the world used Linux, then we would see more Linux worms. If the whole world changed to Sun's desktop, I guarantee you that we would see malware targeted at that. -
Symantec AV just found this on my system
Bloodhound.Exploit.1
Which according to Symantec is "likely to be a new worm or Trojan that makes use of the DCOM RPC vulnerability".
I'm pretty sure it's a false positive as the machine is patched, firewalled, and the file was found in the offline file cache (I've seen a few false positives in that directory).
For a minute or two I thought the worm we are all expecting RSN had been released. -
Related?
Not sure if it's related, but I've gotten this freaking thing about 10 times today. It's brand new and claims to be a Windows patch. I can easily see how a n00b would open it.
Only the latest virus definitions catch this thing.
-
Re:The right decision
Worms, of course, have not as yet been polite enough to ask for permission before installing themselves. Thus the legal difference.
Actually, some worms do ask for permission.
For example, the Repad worm will terminate if you click 'No' on the 'Do you wish to continue?' box. Of course they're not quite there because the yes/no box isn't a click-through licence per se, but it's pretty close.
-
Re:Best fix so far....
In the case of SoBig, you've got an advantage that you don't necessarily get from other worms.
According to Symantec, SoBig uses its own SMTP engine to propagate. And according to my analyses of the headers, it appears that it attempts direct-to-MX sending.
This gives you two advantages.
First off, it means that the first Received: header in the mail will contain the IP address of the infected machine. This will give you enough information to inform the ISP (who can then inform his customer) if you're so inclined. Or at minimum, you have an address you can temporarily block until the storm dies down.
The second advantage is that you can keep it from spreading beyond your own network if you block your customers from port 25 (and force them to send all mail through your mail server.) While this may annoy a few customers, most probably won't even notice, and it will keep any infected customers from spreading the virus to the rest of the world.
Unfortunately, there's nothing you can do about all the bounces caused by other people that are spewing the virus with forged headers. I found that (for myself, anyway), the easiest way is to mark the bounces as spam with Mozilla, and let the Bayesian filtering move them out of my way. But this doesn't do much good if you're looking to protect a mail server.
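The post above relies on one fact about direct-to-MX delivery: the only Received: header you can trust is the one your own MX wrote, and its bracketed address is the machine that opened the connection. The helper below is an added example, not code from the poster; the MX name mx.example.net and the sample message are constructed.

```python
import email
import ipaddress
import re
from email import policy

# Constructed: the receiving MX whose Received: line we wrote ourselves and therefore trust.
OUR_MX = "mx.example.net"

# Constructed sample of a direct-to-MX delivery: a single Received: header, ours,
# with a claimed HELO name and the address actually observed on the TCP connection.
SAMPLE_MESSAGE = """\
Received: from smtp.example.com (unknown [192.0.2.45])
\tby mx.example.net (Postfix) with SMTP id 3F2A1
\tfor <user@example.net>; Mon, 25 Aug 2003 10:12:33 -0400
From: "Spoofed Sender" <someone@example.org>
To: user@example.net
Subject: Re: Details

body
"""

_IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def parse_received(raw_message):
    """Received: headers top to bottom (newest hop first), folded lines joined."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def connecting_ip(raw_message, our_mx=OUR_MX):
    """Address that opened the SMTP session to our MX, read only from our own header.

    The HELO name after 'from' is whatever the client claimed and is ignored;
    the bracketed address is what the MX saw on the connection.
    """
    received = parse_received(raw_message)
    if not received:
        return None
    top = received[0]
    if f"by {our_mx}" not in top:
        return None  # newest hop is not ours, so nothing here can be trusted
    match = _IP_IN_BRACKETS.search(top.split(" by ", 1)[0])
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None


def is_direct_to_mx(raw_message, our_mx=OUR_MX):
    """True when our header is the only hop: the sender connected straight to the MX."""
    received = parse_received(raw_message)
    return len(received) == 1 and f"by {our_mx}" in received[0]


if __name__ == "__main__":
    print("direct-to-MX:", is_direct_to_mx(SAMPLE_MESSAGE))
    print("connecting IP:", connecting_ip(SAMPLE_MESSAGE))
```

The returned address is what you would report to the owning ISP or temporarily block, as the post suggests; a message whose newest hop is not your MX yields None rather than a guess.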