Domain: viruslist.com
Stories and comments across the archive that link to viruslist.com.
Comments · 56
-
Technical details here
The linked article is next to worthless. The real details are in this blog post.
-
infected computers
"The Zbot Trojan is believed to have infected and subsequently accessed personal information from tens of thousands of computers around the world"
What Operating System did this Zbot trojan run on?
-
Re:The head guy is from Microsoft
Anyway, do you have a reference for Yoran's statements on weak Windows security? I must have chosen the wrong keywords when I looked for them.
Read his congressional testimony here:
http://kyl.senate.gov/legis_center/subdocs/022404_yoran.pdf
Note the frequent mention of specific Windows threats, something you will find few government people doing. Many trade press publications will often mention a new threat without regard to specific OS dependencies (and 99% of the time it's Windows). The company goes to great lengths to make sure its names aren't taken in vain in public.
He has been associated with user groups that are critical of Windows, but my guess is that his true feelings on the subject are uttered mostly off the record.
http://www.viruslist.com/en/news?id=764
http://radsoft.net/rants/20090318,00.shtml
In any event, the hiring of a former Microsoftie is the main issue here. Is he required to divest his stock options? I don't see that spelled out.
-
They steal passwords from config files
Hi,
I'm Denis Sinegubko. The one quoted in this article.
I want to clarify one thing about how malware steals passwords from webmasters' computers.
TCP traffic sniffing was only one of the possible vectors.
However, now I have more proof that malicious programs just read configuration files and registry settings.
Just check how this trojan steals FTP, email and IM credentials:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=147349
I checked programs installed on my computer and indeed many of them store passwords in _plain text_, not encrypted. And those that encrypt passwords use very weak algorithms.
FileZilla stores FTP credentials (including passwords) in .xml files in plain text. And this is "by design"! Check this thread:
http://forum.filezilla-project.org/viewtopic.php?f=2&t=12280
So why would malware bother with sniffing traffic or key logging (this activity can be detected by antivirus), when it can simply read everything it needs from files and the Windows registry?
-
Re:SAD :(
Apple is now at the point where Microsoft was in 1998.
In 1998, there were tens of thousands of Windows viruses (I remember reading a number like over 40,000, but I can't find a source), while at the same time, MacOS 8 had 7 or so, all of which were protected against, free of charge, by the anti-virus program Disinfectant. While I can't find a direct source for my Windows numbers, here's an article that makes it look like 1998 was not a very good year for Windows viruses. Even if my memories are off by an order of magnitude or two, it still wasn't a good time for Windows and viruses.
Are you honestly saying that Apple is at that point right now? We have yet to see an actual MacOS X virus in the wild, and there have been how many Trojans in the wild so far? 4?
-
Re:Viruses Aren't a Problem in Linux
"Gee, you had to go back 8 years to find three issues. The first one isn't even malware, just bad programming by the vendor that reduces performance. The next two are specific to Apache web servers, NOT Linux." - by parodyca (890419)
on Friday June 12, @10:12AM (#28307657)
Does it matter how far back I had to go, & no, not all are from "8 yrs. ago", because below also shows otherwise!
So, to prove the subject-line is bullshit? I provided contrary evidence thereof...
However, it appears you need more proof then, apparently, so here you are / "ask & ye shall receive":
Linux RAMEN Worm:
http://service1.symantec.com/sarc/sarc.nsf/html/linux.ramen.worm.html
Net-Worm.Linux.Mighty:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=23864
DroneBL Security researchers warn of Linux Router worm (PsyB0t)
http://www.tcmagazine.com/comments.php?shownews=25399&catid=5
Linux ADORE Worm:
New Worm Targets Linux Web Service Holes:
http://www.eweek.com/c/a/Linux-and-Open-Source/New-Worm-Targets-Linux-Web-Service-Holes/
gicumz worm:
http://blogs.securiteam.com/index.php/archives/305
Linux malware list (37 Viruses, worms, & trojans on Linux):
http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses
(Want more?? I'll supply them... & they're not all "8 years back either", don't you OR can't you read & determine dates? Apparently not...)
APK
P.S.=> Better luck next time, because all of your "it's old news" b.s. propaganda doesn't matter, if your subject-line is absolute b.s. - gotta love the Linux Penguin crew around here, with their "straight outta pravda" 1/2 truths they spout... lol! apk
-
Re:Am I the only one...
There are people collecting this kind of malware and reading their descriptions for fun. F-Prot (for DOS) even had a special setting for them as "virus collection".
It is a work of professional evil genius, no issue on that. I know 2 more viruses that were particularly interesting and probably were written just because they could be. No kind of money involved.
They are MSDOS-GoldBug, which does amazing things like hiding in video card memory, and Win32.Hybris, which is state-of-the-art code that hopefully no virus/malware developer will ever achieve again. To give a clue about the complexity of the code, it didn't bother with the user's address book to grab new mail addresses; it basically watched the TCP stream of Windows for mail-like addresses.
BTW, here is the GoldBug description: http://www.textfiles.com/virus/gold-bug.txt . This is Hybris: http://www.viruslist.com/en/VirusList.html?page=0&mode=1&id=4112&key=00001000130000100044
-
Re:Did he pad the plaintext with a good RND?
Yeah, known-plaintext attacks work on it. The Gpcode author is generally really inexperienced, and is still making really basic mistakes (symmetric encryption, d'oh), but even persistent-but-dumb script kiddies are successful once in a while.
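An added illustration of the point in the comment above (example code written for this page, not Gpcode's own routine): a toy symmetric scheme that derives one keystream from a key and XORs it over every file. The key and the "victim" files are constructed for the example. The lesson is the one the comment gestures at: a single file for which the victim still holds an unencrypted copy (from a backup, say) yields the keystream, and with it every other file encrypted under the same key, up to the length of the known plaintext.

```python
"""Known-plaintext recovery against a reused symmetric keystream.

Added example for this page, not Gpcode's code. `toy_keystream` is a
constructed stand-in for the malware's cipher: one key, one keystream, XORed
over every file. Everything below (key, file contents) is made up.
"""
import hashlib
from typing import Tuple


def toy_keystream(key: bytes, length: int) -> bytes:
    """Constructed keystream: SHA-256(key || counter) blocks. Deterministic per key,
    so every file encrypted under the same key sees the same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """The 'ransomware' side: plaintext XOR keystream."""
    return xor_bytes(plaintext, toy_keystream(key, len(plaintext)))


def recover_keystream(known_plaintext: bytes, its_ciphertext: bytes) -> bytes:
    """One file the victim still has in clear exposes the keystream: ct XOR pt."""
    return xor_bytes(known_plaintext, its_ciphertext)


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> Tuple[bytes, int]:
    """Decrypt as far as the recovered keystream reaches; report bytes left unknown."""
    usable = min(len(keystream), len(ciphertext))
    return xor_bytes(ciphertext[:usable], keystream[:usable]), len(ciphertext) - usable


# Constructed victim data: the key itself never has to be found, only the keystream.
KEY = b"constructed-ransom-key"
BACKUP_COPY = b"%PDF-1.4\n% quarterly report, clean copy restored from backup\n" * 2
MEMO = b"Dear all,\nThe board meets on Friday.\nRegards\n"
BIG_FILE = b"A" * 150  # longer than the known plaintext

ENCRYPTED_REPORT = encrypt_file(KEY, BACKUP_COPY)
ENCRYPTED_MEMO = encrypt_file(KEY, MEMO)
ENCRYPTED_BIG = encrypt_file(KEY, BIG_FILE)


def recover_memo() -> Tuple[bytes, int]:
    """Full recovery: the memo is shorter than the file we know in clear."""
    ks = recover_keystream(BACKUP_COPY, ENCRYPTED_REPORT)
    return decrypt_with_keystream(ks, ENCRYPTED_MEMO)


def recover_big_file() -> Tuple[bytes, int]:
    """Partial recovery: only as many bytes as the known plaintext covers."""
    ks = recover_keystream(BACKUP_COPY, ENCRYPTED_REPORT)
    return decrypt_with_keystream(ks, ENCRYPTED_BIG)


if __name__ == "__main__":
    memo, missing = recover_memo()
    print(memo.decode(), "bytes missing:", missing)
    prefix, missing = recover_big_file()
    print(len(prefix), "bytes recovered,", missing, "still unknown")
```

The second function shows the limit of the method, and why analysts ask victims for the largest file they still have a clean copy of: recovery reaches exactly as far as the known plaintext does. The comment's "symmetric encryption, d'oh" is this property: the same key material covers every file, so one leak unlocks the rest.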
-
technical details ..
"The virus encrypts all user files with the extensions listed below"
Does it require administrator rights to function?
Does it run on Vista with User Account Control active?
-
Re:Prior Art
Very, very old idea. The first worm of this type was called "Reaper" and was created to kill the "Creeper" worm. http://www.viruslist.com/en/viruses/encyclopedia?chapter=153310937
-
Not new
This is not a new problem. There are viruses, for example, that encrypt a file system and demand a ransom for the key.
Gpcode-AI is one example.
-
Re:Lucky!
As a Finnish citizen, I feel so lucky that all my internet communications will be monitored by a country I cannot influence through voting!
-
Re:Less keystrokes
If Windows is so much easier to administer than Linux, why does it need Remote Assistance?
I don't know about the rest of you who serve as help-desk for a wide circle of family and friends, but the average user is completely lost if he clicks an icon and nothing happens. The only reason Linux isn't making inroads against MS on the desktop is that you can't go down to Best Buy and find computers with Linux pre-installed.
More than 60,000 Windows programs won't run on Linux. Partial List here.
-
The first virus? I do not think so.
Sorry, but Creeper beat that Apple II virus by about 10 years.
http://www.viruslist.com/en/viruses/encyclopedia?chapter=153310937
Furthermore http://www.viruslist.com/en/viruses/encyclopedia?chapter=153310910 states that such ideas and programs already started in the 40s and 50s.
-
Link to one-page story
-
Re:Also shows...
I've never heard of a real, self-propagating, OS X virus in the wild.
Neither have I, although a few worms have appeared recently.
One of the tricky things about viruses (i.e. self-propagating malware) is that they have much more trouble propagating if most of the systems they reach are immune to the attack. If the Windows installed base is estimated at roughly 90% of computers, versus 3% for Macs, you can imagine how much harder it is for a Mac virus to propagate. 97% of the machines it tries to attack will be immune, so the odds are it will fail to spread unless it can directly attack 33 machines or so, and even then, only one of the potential targets will be a Mac. In contrast, if a Windows machine can access even one other machine, odds are that machine will also be running Windows.
If some users keep their machines up to date with patches, the situation for minority platforms becomes even safer. E.g. if half of Windows and Mac systems contain patches neutralising a given exploit, that increases the number of machines a Mac virus has to be able to reach before the odds are in favour of it hitting one that isn't immune to about 67, whereas for Windows the number only increases to 2.
The only place that would really provide fertile ground for an OS X virus would be an organisation that primarily uses Macs, and so has a network on which most reachable systems will be running OS X. At the same time, organisations with large numbers of machines are more likely to keep their machines patched than, for example, home users.
On the whole, Macs are much safer from malware of all kinds than Windows, but this is primarily because of obscurity, not because of any architectural differences between the two OSes. Mac OS is better about restricting user privileges by default, but this typically only matters for attacks that require the user to run something, as opposed to self-propagating viruses. Moreover, you don't need anything beyond normal user privileges to steal user information, act as a zombie, propagate to other machines, etc. (The main reason running as a normal user reduces vulnerability to malware on Windows is simply that most malware authors expect the user will have Administrator privileges, and their poorly-written malware falls over when faced with an unexpected environment.) -
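A worked version of the arithmetic in the comment above, added here as an example and not part of the original post. The commenter's figures (about 33 contacts for a Mac worm at 3% share, 67 when half of the Macs are patched, and roughly 2 for Windows) are 1/p, the mean number of random contacts before the first vulnerable machine; the code computes that, and alongside it the smaller number of contacts after which the worm is more likely than not to have found one. The shares and patch rates are the comment's illustrative values, not measurements.

```python
"""Reach a self-propagating worm needs before it finds a vulnerable host.

Added example for this page (not from the original comment). Each contact is
modelled as an independent draw: the reached machine runs the target OS with
probability `market_share` and is unpatched with probability
`1 - patched_fraction`, so it is vulnerable with probability p = their product.
"""
import math


def vulnerable_fraction(market_share: float, patched_fraction: float = 0.0) -> float:
    """Probability that one randomly reached machine is exploitable."""
    for v in (market_share, patched_fraction):
        if not 0.0 <= v <= 1.0:
            raise ValueError("fractions must lie in [0, 1]")
    return market_share * (1.0 - patched_fraction)


def expected_contacts(market_share: float, patched_fraction: float = 0.0) -> float:
    """Mean number of contacts until the first vulnerable machine: 1/p (geometric).

    This is the figure the comment uses (33 for 3%, 67 for 3% with half patched).
    """
    p = vulnerable_fraction(market_share, patched_fraction)
    return math.inf if p == 0.0 else 1.0 / p


def contacts_for_majority(market_share: float, patched_fraction: float = 0.0) -> float:
    """Smallest n for which P(at least one vulnerable machine among n contacts) > 1/2.

    P(none in n) = (1-p)^n, so n > ln(1/2) / ln(1-p). Smaller than 1/p because
    the geometric distribution is skewed: its mean sits above its median.
    """
    p = vulnerable_fraction(market_share, patched_fraction)
    if p == 0.0:
        return math.inf
    if p == 1.0:
        return 1
    return math.ceil(math.log(0.5) / math.log(1.0 - p))


def scenario_table(patched_fraction: float = 0.0):
    """Rows for the comment's two platforms at the given patch rate."""
    rows = []
    for name, share in (("Windows", 0.90), ("Mac", 0.03)):  # the comment's estimates
        rows.append({
            "platform": name,
            "p_vulnerable": vulnerable_fraction(share, patched_fraction),
            "mean_contacts": expected_contacts(share, patched_fraction),
            "contacts_for_50pct": contacts_for_majority(share, patched_fraction),
        })
    return rows


if __name__ == "__main__":
    for patched in (0.0, 0.5):
        print(f"patched fraction {patched:.0%}")
        for row in scenario_table(patched):
            print(f"  {row['platform']:8s} p={row['p_vulnerable']:.3f} "
                  f"mean={row['mean_contacts']:6.1f} "
                  f"50%-after={row['contacts_for_50pct']}")
```

The model is deliberately the comment's own: uniform random contacts and a single exploit. It ignores the network clustering the comment raises in its next paragraph (a Mac-heavy organisation), which is exactly the case where p departs from the global share.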
Re:You just proved his point
You're already wrong.
There's not a description for any of those. Just because something has the words OSX doesn't imply it is an OSX virus. I'm not saying there aren't OSX viruses (although I strongly doubt it). However outside of a rather contrived trojan horse I've not seen any evidence for anything.
-
You just proved his point
No viruses, check.
You're already wrong.
Promoting the myth of invulnerability is not going to help anyone except Apple's PR department.
-
Re:Actual details on virus
Just found the entry in the Virus Encyclopedia here: http://www.viruslist.com/en/viruses/encyclopedia?virusid=123066 (although it hasn't been updated yet)
-
Actual details on virus
The article itself is light on details, which they promise to write up in their Virus Encyclopedia but apparently haven't yet.
TechWack has more though (without quoting a source):
Antivirus firm Kaspersky is calling the virus "Stardust". This virus is basically contained in a StarOffice document that uses macros and then infects a global template, which is used by the application to generate new documents. If a victim opens the file carrying this virus, Stardust copies itself into the global template, and all new documents generated by that copy of the software get infected by it.
-
A Marketing Campaign?
It's important for enterprises to be aware of such issues and implement anti-virus tools for protecting non-Windows operating systems if they haven't done so already, Ullrich said.
So is that the real intention of the entire article? The original report is at viruslist.com, which is again a Kaspersky owned site. So take a guess...
Also, at the end of the story on SANS they have put up an update saying that the virus will have to run as r00t to be able to do any real damage. Kinda like most proof-of-concept virii developed for *nix in the past, isn't it?
-
Viruslist.com
Description
Currently there is no description available for this program.
I look at Kaspersky and all Linux ones have the same information: NONE.
So how real is this? Will it be used mainly for FUD?
-
Go to the Source
SANS references Viruslist's report, but they forgot to include a link:
http://www.viruslist.com/en/weblog?weblogid=183651915
-
Fweep Fweep!!!!
We have a penalty for blatant ignorance. This results in a two year internet privilege suspension and an additional beating around the ears with an Internet for Total Fucking Dummies book. Please step away from the keyboard and assume the position!
Symantec Antivirus Center
Computer Associates Virus Information Center
McAfee Virus Library
Kaspersky Virus Encyclopedia
Panda Software Virus Encyclopedia
Sophos virus analyses
BitDefender Virus Encyclopedia
For those that will argue that these search engines do not behave as the article requested; it is simply a matter of searching for the right symptoms. If you accurately describe the behavior of the virus, all of these search engines give you the answer.
The fact of the matter is that the very best solution is simply to use a commercial antivirus solution. If you are infected with a 0-hour virus, simply wait an hour and run the update utility. Such a product will at least see the virus and tell you its name, even if it is unable to clean it. Worst case you have to use a bootable CD-ROM OS to catch/clean it.
-
Re:Try them out
I agree with you, and have had issues with this as well.
You can look *SOME* of them up under the CME numbers (http://cme.mitre.org/), and you can try the vendor sites, including Kaspersky Labs (http://viruslist.com/).
To answer your question: NO! There is no comprehensive list.
BTW: Don't try to create one; it'll be an exercise in futility!
-
Re:Problematic Signature Release Issue
Not very long ago, when the Kama Sutra (Nyxem.E, MyWife, whatever) worm was released to the world it seemed to take absolutely forever to find anyone with a solution for the removal or even the detection of the thing.
The virus is reported to have first emerged on the 16th January 2006. Sophos says they provided protection from 16:03:20 GMT on that day. So while it may have taken ages for you to find an anti-virus vendor with detection or removal, there *were* solutions on the same day. Trend Micro also says their pattern file was released on the 16th, and they give the time when the description on their website was written as 14:23:21 GMT, but they don't say what time their pattern file was released. McAfee even claims that they detected the virus from 2nd December 2005 - presumably since this was a variation of an existing worm that their existing detection happened to also detect. I don't know how many of the other AV vendors *also* detected it due to happenstance before it even existed.
There was also detection officially available from some other AV vendors on the 17th:
- Kaspersky (I think) - which seems to use GMT for their times,
- Symantec - I don't know what timezone they use.
-
Re:No, THIS is the first computer virus.
-
Re:first PC virus
Regarding first instances of worms, in the 1970's a program called "Creeper" was created and spread across networked computers running TENEX, spreading independently of user interaction. A second program called "Reaper" was then released to find copies of the first program and delete it. See VirusList.com and digitalcraft.org for more information.
That being said, the Morris worm was the first to get serious public attention, and a paper called "The Morris worm: a fifteen-year perspective" by Orman and Streak has an interesting analysis of it. Unfortunately it (appears) only to be available through IEEE so a subscription is required to view it.
-
100 hours of community service!
He will have to do 100 hours of community service, and apologize for the blog posts.
Here in Oz you have to prove you're a lowlife scum to get 100 hours community service.
That's also the same sentence given to the Author of the Sasser/Netsky worm.
So given this blogger got the same penalty - MAYBE THEY SHOULD HAVE LOCKED THE SCUMBAG UP! (</sarcasm>)
-
Re:What's wrong with...
It may not be enough.
From http://www.viruslist.com/en/weblog?discuss=176892530&return=1:
"... Going back to the wmf vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll... "
-
Firefox opens wma and wmv files...
I may be a bit paranoid but I'd like to turn off images and video for a few days until this ".wmf" issue is resolved.
".wma" and ".wmv" file extensions seem closer to the ".wmf" extension than ".jpg" or ".tif" extensions, so they may also be loaded by programs that open ".wmf" files only to read the internal label and execute the malicious code.
I unchecked the box called "load images" in Firefox, but animated web sites still come up. So I reinstalled Firefox (also deleting the directory) to try to return to Firefox's original default settings, but my settings were still active. Apparently, Firefox saves personal settings in the registry even after it is uninstalled.
Security web sites seem to be of little help:
Secunia, Kaspersky strongly caution against opening any untrusted *.wmf files
http://secunia.com/advisories/18255/
http://www.viruslist.com/en/alerts?alertid=176701669
VNUNet.com says Firefox will first ask the user before opening the file.
http://www.vnunet.com/vnunet/news/2147909/hackers-attack-zero-day-windows
Pete Lindstrom, research director for Spire Security LLC, said,
"There's no such thing as 'extremely critical' when user interaction is required. [...] That's just silly."
Lisa Vaas of eweek.com says "Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files, or to remove Google Desktop altogether."
http://www.eweek.com/article2/0,1895,1906177,00.asp
Jay Wrolstad at CIO-Today says, "Current exploits use the Windows Picture and Fax Viewer to attack any application that can handle Windows Metafiles. Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library".
http://www.cio-today.com/news/Flaw-Detected-in-Windows-Metafile/story.xhtml?story_id=131004IKPNAU
Alex Eckelberry, president of Sunbelt Software.
"There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."
http://www.eweek.com/article2/0,1895,1906489,00.asp
-
Quite a while ago...
...a class action suit against Toshiba for a fault in the floppy drives used in some of their laptops resulted in a decision that cost them over two billion dollars.
What's notable is that in the Toshiba case, not one person came forward to show that the fault had actually caused any data loss.
In this case, Sony is now responsible for every bit of malware that utilises their moronic rootkit to hide itself. It's worth noting that there's already one backdoor out there that does this... -
They keep flogging this outdated line of reasoning
From http://www.viruslist.com/en/analysis?pubid=168740859
Currently, malicious code for Windows is more common than for UNIX because Windows is the most widely used operating system. However, if UNIX starts to gain popularity, then the situation will naturally change; new rootkits for UNIX will be written, and new methods of combating them will be developed.
This has been refuted time and again yet the various Windows-friendly analysts continually trot this one out as a rationale for the ( admittedly much improved but still ) relatively weak security design of M$ Windows.
Newsflash for those who didn't get the memo: Windows leads by a huge margin ON THE DESKTOP. On the server side the disparity, if one exists is a completely different story. Also, since there are many open source versions of Unix, such as Linux, *BSD, and Solaris, some of which have been available for more than a decade, it should have been relatively easy for Windows-loving, Unix-hating programmers to have designed the Unix-slaying, self-propagating daemon years ago. To date, the only thing that has come close was the Morris worm way back in the late '80s.
So guys, nice try - your explanation ( or rationale ) is leaking badly. If Windows represents a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source but the open source Unices, which are fewer in number, SHOULD be an easier target.
It's time to focus on what the true flaws of each platform are - their relative prevalence is no longer relevant to the discussion ( aka flamefest ).
-
It is well commented..
Read the comments on their site. They say everything.
http://www.viruslist.com/en/weblog?discuss=170721577
The Viruslist is behaving really irresponsibly. The article is BS and should be removed.
1. Mozilla.org has nothing to do with it.
2. Looks like someone has deliberately planted an old virus to the source and put it on the server.
3. The "virus" is on the very lowest score on the "Threat Metrics" (Symantec) :
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
4. /bin-folder is not normally writeable in linux installation.
5. The virus is from 2002 and can not infect current distros.
Practically: the virus is not in the wild, cannot spread, is not dangerous, is easy to remove and prevent. It's a laboratory thing, made in order to create something difficult: a Linux virus.
-
Re:This just in...
That's because I was arguing a totally different point that Windows bigots argue, that since Windows is more popular, that it gets a proportional amount of viruses.
No, you weren't. Windows "bigots" argue that since Windows is more popular, it is subject to far more malware. Proportionality is your own creation, probably because it supports your argument. I have just shown why linear proportionality is an especially poor model, and I'm not the only one that has questioned your original assertion.
Sure, you can use Metcalfe's law. But then, where are the 186 viruses even using your formula?
Add up the numbers yourself:
http://www.viruslist.com/en/viruslistfind.html?fin dWhere=011&findTxt=linux
And no, we're talking about everything. You're complaining about obfuscated URLs, for God's sake. You pick viruses because Windows has automatic code execution (of course, so did MacOS prior to Mac OS X), but Linux and Unix service exploits are certainly automatable and common. Apache, Sendmail, BIND, inetd, and the list goes on and on. Either someone gets into your system and does damage or they do not. The particular method isn't of concern when you're tallying the damage.
No, rootkits don't count as they require hand-crafted attacks at single machines; not automated attacks, as in viruses and worms. There are only so many hours in the day for the black-hat hacker/script kiddie, and that's the biggest limiting factor right there.
That's plain ignorant.
http://www.spirit.com/Network/net0401.html
Automated exploitation and installation of a rootkit. Would you like even more examples, or are you sufficiently embarrassed as it is?
The fact is that automatic replication of code (viruses, trojans, and worms) requires more than a little bit of work from the user receiving such code. Indeed, email viruses are nonexistent on *nix (OS/X included) because propagation requires that the user save the file, chmod the execute bit to 1, and then run the file.
http://vil.mcafeesecurity.com/vil/content/v_100102.htm
"Because the exploit is fully contained in the message it is possible for a not vulnerable mail transport agent to forward the infected message to other systems."
Sounds like an email virus to me. It doesn't even require you to save a file and set a bit. Thanks for playing the game, but it's clear that you don't fully understand the rules.
On top of that, the little bundle of evil must also be binary compatible with the system that it discovers - in the *nix world, that's definitely not a given.
Yay! Grandma gets to attempt to COMPILE all her software before she can use it, she can't buy commercial software for her obscure configuration, and in exchange, she's completely immune from worms! Except, wait, there have been plenty of worms affecting UNIX and LINUX systems over the years, and your argument about binary incompatibility merely proves the Windows "bigots" right - the biggest bang for the least effort will attract the most collective effort. In the case of Linux, we can now further segregate that 5% into CPU families. The number of viruses predicted drops even further. It's now M versus 36M (2.5% share), or 72M (1.25% share), and 1/36^2, or 1/72^2. Better yet, it's security through obscurity, because the buffer overflow is still likely to be there, since it's a flaw in a high level language, not a CPU architecture. Pat yourself on the back for an own goal!
I think it's reasonable to use Metcalf's law to demonstrate virus propagation across a network populated with Windows machines as the machines really do have random connections between each other and that the barriers to propagation within the machines themselves are pretty low to b -
Re:Missing something fundamental
Cases where it's actually happened:
Slapper
Lion
Scalper
Those are just from a quick Google. Then there's the list of Linux and Mac OS X vulnerabilities (take a look around www.cert.org). How could you possibly claim that Linux and Mac OS X "don't get viruses" when any one of those vulnerabilities might be actively exploited. Just because a worm or virus doesn't make the news doesn't mean it's not out there.
I'll be here waiting
Hope I didn't keep you too long. I'm not sure why you're fighting this fight, particularly if you position yourself as someone knowledgeable on IT.
-
Operation Firewall
Here is an article about Operation Firewall. Interesting that wikipedia does not yet have an entry on it... http://www.viruslist.com/en/news?id=154205192
-
Re:An Alternative
Apparently the choir does need some preaching to. Last I checked here http://www.viruslist.com/en/viruslistfind?search_mode=virus&words=linux there were a couple of viruses out there for Linux and here http://www.icsalabs.com/html/communities/antivirus/macintosh/archives/macvirus/reference/viruses.html for Mac viruses. This is not saying that one OS is better than another, just saying don't be so naive. I run both Linux boxes and Windows boxes, and I know I have to be more careful about where I go with my M$ box.
-
Update and Clarification from the Horse's Mouth
-
Like these ?
A chart like this perhaps ?
or maybe these charts that you can proudly display on your website ?
or how about a complete industry website dedicated to charts and rankings
shall we keep looking or do you see a relationship evolving ?
-
Re:More damaging.
Why stop at corrupting data, when you can have way much more fun leaking it?
... someone thought about three years ago. How many internal office memos were delivered to your inbox by Sircam?
-
Re:As an Apple Aficionado, I'm delighted.
As far as I know there are no worms or viruses that attack Apache.
However a quick Google turns up at least 36 known viruses/worms that attack IIS. Here is a link to a small list.
The market share of the operating system has little bearing on the number of exploits the system has. That is a false myth that has been going around the net for years. Not sure who started it but it is clearly false.
-
Re:Is not the first time it happens
No, they both exploited the same holes in IIS.
Perhaps you are thinking of Welchia which exploited IIS but also removed Blaster.
-
Good like the lesser evil?
Other people are not happy that this guy was caught because you have to subtract the disappointment from the companies that profit from viruses, and adware, and spyware. Just another angle to look at.
I wonder if MS can keep up this effort and if we'll eventually start to see sponsored virii added to the real TCO for windows OS'. Oh wait.
-
Re:Good bit of social engineering
Never heard of a Linux virus?
Granted..it is a LOT more steps to go through to get it to do anything meaningful.
But, could you write a set of instructions that:
runs a keylogger
asks for admin rights and pops up the Admin pw box
Searches through all docs, and finds valid email addresses
Sends itself to those addresses
reports back to home base
and as an after thought, deletes all your /jpg files.
Sure you could.
The tricky part is getting the user to run it. And that's where this one is pretty good. It doesn't do anything that can't be done on another system. It just needs to convince the user that it is something else. -
Re:It's not a worm, it's a virus
Some people call it a worm-virus. It requires user intervention to execute, but once executing, does not require further user intervention to spread (like sending around infected files) -- it has its own mail transport code and will transmit itself to other computers.
-
Time to get a decent antivirus
I can recommend an excellent antivirus solution - AVP (AntiVirus Protection), a prize-winning and blah-blah-blah. It is a policy of the company that protecting the public from viruses is more important than maximizing their own profits, which is why they intentionally allow pirated copies of their program to download regular updates. Think which company would you rather trust the well-being of your PCs - Symantec that is willing to implement a potentially risky product activation or Kaspersky Lab? Don't forget, any product activation system may crash eventually, just like MS systems did, and you will not be able to enable your antivirus for hours or even days. It would be really helpful for writers of the NextBigVirus to DDoS Symantec product activation servers, not Windows Update...
BTW, the creators (Kaspersky Lab.) also maintain a great online virus encyclopedia.