Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
If SPAM is so bad..
-
W32.Sobig.F@mm worm uses NTP Servers
From the virus description of W32.Sobig.F@mm found here: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html it reads:
"Sobig.F obtains the UTC time through the NTP protocol, by contacting one of several possible servers on port 123/udp (the NTP port)."
I would then expect the following scenario: very likely most Netgear router users have used its nifty built-in DHCP server. Cisco also has such embedded DHCP servers, and so does SMC Barricade. So far nothing special. However, if the embedded DHCP server of the Netgear router also has the DHCP option "option ntp-servers ip-address" configured, using the UWisc time server IP number, then the following most probably has happened:
W32.Sobig.F@mm is released on the Internet and hits hard. It spreads through email. Upon storing itself on the NT4, win2k, winxp PC, it asks for UTC time through the NTP protocol. If the DHCP client already has an NTP server configured through DHCP, that one (the UWisc one) will be used. Only if no NTP server is configured will the virus try to reach the NTP servers listed in the Symantec Security Response description for W32.Sobig.F@mm.
Robert
-
Uninformed discussion is so entertaining
It would appear that few here have bothered to go look at Symantec's web site to see what they have to say about activation. Some of the things people have complained about, based solely on reading the Slashdot blurb, have no basis.
Interesting points are:
- You get 15 days after first install to activate
- You can activate over the phone
- You can transfer to an upgraded or new PC without repurchase
As a commercial software developer myself, I can understand why Symantec is doing this, though I too am amused at the "for your protection" approach that is so common. I also see activation is becoming more common (PowerQuest's new DriveImage 7 has it too), especially in products that people tend to buy once and install on multiple systems.
If formal and informal piracy wasn't so pandemic, such things would not be necessary. But it seems so many people believe that it's their RIGHT to steal software (or music), if they don't feel like paying for it. I know this is heresy for Slashdot, but there it is....
-
Re:.... WTF?
I'm not at all convinced that expiration dates are "clearly" an indication of spam being the goal of this effort. Expiry dates are a simple and effective way of ensuring that future improved versions don't compete with the old one. If getting the highest threat rating from Symantec is the goal, putting experimental versions in the wild and analysing comments and reactions is a great way to go.
Loading arbitrary code from somewhere is a great way to leave flexibility in the system and also demonstrate destructive capability without actually having to resort to it. What does that have to do with spam?
The worm definitely does not create open relays; it can be used to create them through the backdoor it presents. The same backdoor can be used to run seti (hmm, there's a thought), delete files or any other annoying activity.
Yes, the payload download feature could be used for anything, including spam, but I find it hardly likely that a spammer is behind this, for the reasons listed in the grandparent.
Occam's Razor is telling me that this article and the ones referenced by it are most likely unintentional FUD written by people that benefit from it (Symantec et al. sell anti-virus protection, while journalists sell papers, magazines or page impressions). While I wouldn't put it past Symantec and peers to intentionally spread FUD, I don't see journalists doing anything other than repeating what Symantec is publicising. Don't ascribe to malice what you can explain with incompetence. :-)
Occam's Razor also indicates that you'll have better chances in life if you brush up on your spelling. :-)
-
Re:Methods used to obfuscate worm code
"But whoever wrote this virus will no doubt learn from this, which was likely the whole point of the exercise, and do something even sneakier, or just bigger (more than 20 hosts), next time."
According to the Symantec write-up, the worm had at least one more trick up its sleeve with regard to the 20 hosts. It seems that if an infected machine receives a properly signed packet on UDP ports 995-999, it'll update the list of 20 hosts.
Of course the trick is finding a way to get that update out to all the infected machines. But really, all the virus writer has to do is update one machine (say by spamming a few IP ranges with likely victims *cough*homeDSLusers*cough*). The updated IP list will point to hosts that refer the infected machine to download an executable that causes the infected machine to start spamming out the master list update to random IP addresses. After that, the update should spread similar to a typical non-email network worm.
-
Re:Related to SoBig perhaps?
Then why does Symantec offer a program to remove the virus from a computer, for free?
-
Re:What a nice guy though
If anyone is interested, here's a "release history"
:-P
SoBig.A
- Copies itself over network shares to shared start up folders on other computers.
- Sends a message to an address on pagers.icq.com.
- Uses a separate thread to download contents from a specific web site to %windir%\dwn.dat, and later executes it. (later reported to be "Backdoor.Lala")
- Looks for e-mail addresses to send mails to in the files with these extensions txt, eml, html, htm, dbx, wab.
- Stores sent messages in the file %Windir%\Sntmls.dat.
- Uses 4 random subject lines.
- Uses 4 random attachment names.
- Always uses big@boss.com in the "From" field in the mails sent.
- Size: 65,536 bytes
SoBig.B
Changes from SoBig.A:
- Always uses support@microsoft.com in the "From" field in the mails sent.
- Uses 9 random subject lines.
- Uses 9 random attachment names.
- Uses a deactivation date.
- Attempts to download data from four different GeoCities Web pages. The addresses of these Web pages are stored in various .ini files.
- Size: 52,898 bytes
SoBig.C
Changes from SoBig.B:
- Always uses bill@microsoft.com in the "From" field in the mails sent.
- Uses 7 random subject lines.
- Uses 8 random attachment names.
- Size: ~ 59 KB
SoBig.D
Changes from SoBig.C:
- Very few infections noticed (0-49 listed at Symantec). Changes unknown due to low infection rate.
SoBig.E
Changes from SoBig.D:
- Always uses support@yahoo.com in the "From" field in the mails sent.
- Uses 18 random subject lines.
- Uses 5 random attachment names.
- Size: 82,195 bytes (zip file), 86,528 bytes (executable)
- Sobig.E can download arbitrary files to infected computers and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers. This functionality may also be used as a worm self-update feature. Under the correct conditions, Sobig.E attempts to contact one of the list of master servers, which the author of the worm controls. Then, the worm retrieves a URL that it uses to determine where to get the Trojan file, downloads the Trojan file to the local computer, and then executes it. The day of the week must be Monday or Friday. The time of the day must be between 19:00:00 UTC and 23:59:59 UTC. Sobig.E obtains the UTC time through the NTP protocol, by contacting one of several possible servers on port 123/udp (the NTP port). The worm starts the download attempt by sending a probe to port 8998/udp of the master server. Then, the server replies with a URL, where the worm can download the file to execute.
- Sobig.E opens the following ports: 995/udp, 996/udp, 997/udp, 998/udp, 999/udp, and it listens for any incoming UDP datagrams on these ports. Incoming datagrams are parsed, and upon receiving a datagram with the proper signature, the master server list of the worm may be updated.
SoBig.F
Changes from SoBig.E:
- Size: about 72,000 bytes
- Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.
- The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server
-
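The Sobig.E behaviour listed above (NTP lookup first, a probe to the master server on 8998/udp only on Monday or Friday between 19:00:00 and 23:59:59 UTC, and a listener on 995-999/udp for list updates) can be turned into simple flow-log detection logic. This is an added Python example, not code from the post or from Symantec; the flow-record format, the sample records and the 10.0.0.0/8 "internal" range are constructed assumptions.

```python
"""Flag flow records that match the Sobig.E/F network behaviour quoted above.

Constructed example: the record format and the sample flows below are made up
for illustration and are not Symantec's data or any real capture.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

MASTER_PROBE_PORT = 8998                 # worm -> master server probe, 8998/udp (from the write-up)
UPDATE_LISTEN_PORTS = range(995, 1000)   # worm listens on 995-999/udp for list updates
NTP_PORT = 123                           # worm fetches UTC time over NTP before probing
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: our own address space
NTP_CORRELATION = timedelta(seconds=120)               # assumed: NTP query "just before" a probe

# Constructed sample flows: "<ISO-8601 UTC> <proto> <src>:<sport> -> <dst>:<dport>"
# 2003-08-21 was a Thursday (outside the window); 2003-08-22 a Friday (inside it).
SAMPLE_FLOWS = """\
2003-08-22T19:05:10Z udp 10.0.0.5:1045 -> 203.0.113.7:8998
2003-08-22T19:05:09Z udp 10.0.0.5:1044 -> 198.51.100.2:123
2003-08-21T10:15:00Z udp 10.0.0.5:1050 -> 203.0.113.7:8998
2003-08-22T19:06:00Z udp 192.0.2.9:40000 -> 10.0.0.5:997
2003-08-22T19:07:00Z tcp 10.0.0.5:1060 -> 198.51.100.8:25
"""


@dataclass
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ts(iso_ts: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flow(line: str) -> Flow:
    ts_s, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(parse_ts(ts_s), proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_activation_window(ts: datetime) -> bool:
    """Sobig.E download window: Monday or Friday, 19:00:00 through 23:59:59 UTC."""
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() in (0, 4) and 19 <= ts.hour <= 23


def window_active_at(iso_ts: str) -> bool:
    return in_activation_window(parse_ts(iso_ts))


def scan_flows(text: str) -> List[dict]:
    """Return one hit per flow that looks like Sobig C2 traffic, oldest first."""
    flows = sorted((parse_flow(l) for l in text.splitlines() if l.strip()), key=lambda f: f.ts)
    hits = []
    for i, f in enumerate(flows):
        if f.proto != "udp":
            continue
        if f.dport == MASTER_PROBE_PORT and is_internal(f.src):
            # Did the same host query an NTP server shortly before the probe, as the worm does?
            ntp_first = any(
                g.src == f.src and g.proto == "udp" and g.dport == NTP_PORT
                and f.ts - g.ts <= NTP_CORRELATION
                for g in flows[:i]
            )
            hits.append({"host": f.src, "ts": f.ts,
                         "reason": "probe to master-server port 8998/udp",
                         "in_window": in_activation_window(f.ts),
                         "ntp_query_first": ntp_first})
        elif f.dport in UPDATE_LISTEN_PORTS and is_internal(f.dst):
            hits.append({"host": f.dst, "ts": f.ts,
                         "reason": f"inbound datagram to update-listener port {f.dport}/udp",
                         "in_window": in_activation_window(f.ts),
                         "ntp_query_first": False})
    return hits


if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
```

A probe outside the Monday/Friday evening window still merits a look: the page describes the window as the worm's behaviour, not as a guarantee that nothing else will ever talk to 8998/udp.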
Re:Damn...
It is pure, gleeful schadenfreude for me to think of all the hapless PHBs and MSCSE CIOs who are finally being given a little hint as to just how vulnerable they've left their companies.
Look, you don't have to be a pretentious dick about it. Worms can hit any platform including your relatively secure operating systems. People in glass houses shouldn't throw stones, and frankly, major Linux distributions have more than their fair share of major security vulnerabilities. The only saving grace of Linux is that it's a relatively obscure OS compared to other major operating systems like Windows or MacOS. I count 41 security vulnerabilities in Red Hat 9 alone since late March. Many of those could've been exploited by a worm or malicious trojan and spread if as many people used Linux as they do Windows.
So get off your high horse and realize that every one of those operating systems you're pointing out was affected by major security vulnerabilities in the last year. Even OpenBSD, that bastion of secure operating systems, had a MAJOR remote root exploit in the default install (OpenSSH). Nobody is immune to bad programming and just bad luck. Shit happens, that's why there are patches. The problem is lazy incompetent system administration and not patching systems when they become available.
*rant* And for Christ's sake people, SHUT OFF DAEMONS YOU DON'T USE! Does your Solaris box REALLY need to be running ANY of that shit in /etc/inetd.conf that comes enabled by default? The answer is NO. Solaris works just peachy with everything in inetd.conf disabled, RPC disabled, and practically every other daemon started in the init scripts disabled. I'm sick of coming upon workstations with all this shit turned on and trying to figure out why they're running it on a desktop. */rant*
-
Re:Instructions to cure worm.
I also heard that one of the "features" of Sobig is that it will copy itself to any visible network shares. Fortunately, due to some bug(s) in the programming, this does not work.
Ah, I read it here.
-
Re:How many for Linux?
-
use a virus like id
id didn't create this.. hmm...
-
coming spike in old-fashioned spam
Looks like in addition to all the garbage we've been getting as a result of this virus propagating (the virus itself, attachment-free e-mailings by the virus, mis-directed automated notifications that "Your mail server sent us a virus", bounces to people whose addresses were spoofed by the virus, probably etc.), we can expect the infected computers to start being used as relays for the sending of "normal" spam -- with the corresponding spike in spam volume that would bring.
According to this article:
After examining two month's worth of junk e-mail earlier this year, New York City-based e-mail security company MessageLabs found that roughly 65 percent of spam originated from computers running proxy servers. More than 75 percent of those servers appeared to be installed on PCs that showed signs of being infected with Sobig and similar viruses.
And Symantec:
Sobig.F can download arbitrary files to an infected computer and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers.
-
browser cache
The point though is this: even if your e-mail address is a "hidden" link on a web page, it is still part of that html file. So, when somebody surfs to your web site, odds are that page -- "hidden" link and all -- is getting saved as an html file to that user's local browser cache.
Let's say that user's computer gets infected with W32.Sobig.F@mm. Well, the worm starts sending itself to all the email addresses it finds in the files that have the following extensions:
* .dbx
* .eml
* .hlp
* .htm
* .html
* .mht
* .wab
* .txt
(See Symantec description.)
It's reading your "hidden" address from browser caches on infected machines of people who've visited your web pages.
-
Re:I predict that we haven't seen the last of this
Just as I posted in the first thread about Welchia:
The Cheese worm did this on compromised Linux systems a few years back. The antivirus industry, in accordance with Linux sysadmins everywhere, added detection for the worm. A virus is a virus, and any unauthorized access to a computer is a Bad Thing.
It amazes me how many people in that thread regarded this as a clever, useful thing to do, while in this one it is universally declared an obvious problem.
-
Here's Trend Micro's article
Description of SOBIG_F
Here is HouseCall - Their online free virus scanner.
Anyone without an antivirus program seriously needs to get one:
Just to name a few...
-
Re:Security is a Myth.
There was an AppleScript worm. I suppose you could call it 'the applescript worm'. Of course, it required a Microsoft mailer to propagate.
-
W32.Welchia.Worm
And I thought they already released this feature [that is, Symantec AntiVirus Center].
(har har.)
-
This happened to Linux first
The Cheese worm did this on compromised Linux systems a few years back. The antivirus industry, in accordance with Linux sysadmins everywhere, added detection for the worm. A virus is a virus, and any unauthorized access to a computer is a Bad Thing.
-
Dangerous in the wrong hands?
If a private citizen were to show the interconnections of the power grid on their website, what would happen? How long would it be before the government ordered him/her to remove that information in the interest of "National Security"? Why is it that CNN can show it freely? A similar map was being broadcast on TV all morning.
And as for how the software works, it would be interesting to know just what OS the power company computers were running. Not to sound like a conspiracy theorist (well, ok, that's exactly what I'm trying to sound like ;) ) as soon as there were variants on the Blaster worm, a large section of the power went out? Hhhmmm...
-
fixblast.exe
if you don't already know, head on over to Symantec's blaster removal site to fix any systems that have already been infected.
there are many systems infected on our apartment network, and everyone is looking at me to fix them.
i think i will wait until sometime next week. i mean, how many times can you legally DOS microsoft?
this should be fun...
-
If you need a commercial product with 24x7 support
Check out Symantec's ManHunt. Besides getting great support, this uses open source software (snort) and now runs on Red Hat Linux!
-
Re:Patches were *not* available on the update page
Successful Wednesday, July 16, 2003 Security Update for Windows XP (823980) Web site
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
W32.Blaster.worm
-
Text in the Virus
According to the Symantec page regarding the worm:
The worm contains the following text, which is never displayed:
I just want to say LOVE YOU SAN!!
So it seems the creator did have a point to prove.
billy gates why do you make this possible ? Stop making money and fix your software!!
-
Re:Our system
Or perhaps W32.Randex.E which exploits the same DCOM RPC vulnerability as MSBlaster.
I'm gonna stick to the Backdoor.irc.Cirebot theory just because I think this one has been more widespread.
See MS03-026
-
Re:Our system
If the other worm you are talking about is hitting port 445 it is probably the Backdoor.irc.Cirebot trojan. It targets port 445 (vs 135), and opens up a backdoor. It's still an RPC attack though...
Hopefully, the other worm you are seeing isn't a mutation.
-
great patent idea
-
You got the wrong security bulletin
While you should have the MS03-010 patch installed, it is the wrong one for this worm. Make sure you use MS03-026. This is the patch that it links to in the removal tool link.
-
W32.Blaster.Worm Removal Tool
Here's the homepage for Symantec's tool which removes this worm.
-
Re:On the way?
>It's been hitting efnet for the past week
Uh, I think the lame trojan backdoor.irc.cirebot is a different thing to the worm that this story is about. It used the same hole to install a backdoor but didn't spread on its own.
Some irc networks make your ip address visible to others, I suspect kids were manually launching cirebot at people.
The blaster worm which this story is about doesn't seem to be anywhere near the scale of code red. Yet. I'm seeing a couple of incoming connection attempts an hour to 135 and 445 which is normal.
-
More Information
SecurityFocus has an analysis for the worm here.
-
Symantec's analysis
here. Includes snort signature etc.
-
Confirmed some details
Just FYI, I've confirmed on my system that at least some of the parent's information is true. I got hit around 2pm Dallas time, and I've now got a file called msblast.exe in c:\winnt\system32 with a file length of 6176 bytes.
After the "to say LOVE YOU SAN!!" string, I find these words: bill gates you make hi possi. And before it, it looks like it says "I ju wan to say" (with control characters that may or may not be of interest).
Sure enough, Symantec has some info now, too (just sent by someone in my co.).
Timing sucks on this one -- I'm right in the middle of coding for 3rd quarter tax changes. Crap!
-
Some evidence for you..
> Please provide evidence that replying to spam actually puts you on a high value list.
How about this?
according to the Federal Trade Commission (FTC) [...] responding to spam may actually result in even more unsolicited email as these responses confirm to spammers the accuracy of the targeted email address. In fact, the FTC recently conducted a study wherein the Commission and law enforcement partners tested whether "remove me" or "unsubscribe" options in spam were being honored. Their findings showed that 63 percent of the removal requests were not honored.
-
Re:Where is coverage for security issues?
Next time there's a thunderstorm warning in your area, watch your front door. When somebody from the National Weather Service arrives to personally inform you of the warning, you be sure to let us know, OK?
And don't forget that, long before Outlook existed, malware writers were tricking unsuspecting users into falling for trojans and hoaxes by claiming to be from Microsoft.
-
Re:Why are they running Windows then?
Judging by the amount of traffic the machine in question is going to deal with, a "point, click and go" solution isn't going to cut it. It needs to be reliable, stable, and not vulnerable.
Unfortunately, Microsoft can't keep my web browser from being constantly attacked by unscrupulous websites and other bits of malicious code. Why should anyone trust them to build a stable webserver?
-
Also, make a backup!
Before upgrading to SP4, make a backup! I will on my workstations. Use drive image software like Norton Ghost. If SP4 is bad, then restore the image(s). These utilities are life savers.
:)
-
Re:Difference between FAT32 and NTFS
> What exactly do you call a stream in that context?
Symantec, NTFS Streams primer
Carvey, "The Dark Side of NTFS"
more...
BTW, two PC forensics packages we looked at recently didn't know about NTFS streams...
-
NTFS gaping security holes
I know there is at least one gaping security hole in NTFS. By now, however, it is probably a class of vulnerabilities.
-
Re:Later in the discussion...
I can Ghost an 80 gig drive in under 10 minutes. There are other commercial products.
I have far too many other projects that could use 6-7 hours...
//cow
-
This should be standard on mice...
so anyone who opens an attachment in Outlook without first saving and scanning it gets immediate "Don't ever do that again" feedback.
We could also implement a freedb-like data base for virus hoaxes. Anyone who tries to forward a known virus hoax gets zapped and IE opens a hoax explanation page so they learn to check first.
Imagine how much safer the Internet could be!
-
Re:Possible addition to Exchange?
Good probability
... although Symantec currently has a great product for corporate use, (see it here) including Exchange mail filtering/virus scanning (Symantec AVF), and server/client management utilities that are great (Symantec AV Corporate Edition) that have proven very useful to our business in the past. I think Microsoft would be in for some tough competition, unless of course they bully Symantec out of the job.
-
Re:Symantec?
i'm sorry, this page certainly doesn't seem like "refusing complaints" to me.