Slashdot Mirror


New, More Destructive Love Bug Variant

Everyone and their brother wrote in to say that a new and more destructive version of the ILOVEYOU virus has hit the net. Instead of deleting only a few files, this one deletes every file not in use. And even more amusing, rather than using a hardcoded subject line, it uses the host's email archive to cause the subject to change while it propagates. Intelligent mail client users continue to be unaffected (although the ILOVEYOU sympathy virus has been annoying the heck out of us for days now... it works on the honor system: Please delete some files and mail to all your friends).

28 of 404 comments

  1. Re:virus vaccine by Anonymous Coward · · Score: 4

    could someone please alter this virus so that its payload turns off the registry setting that allows it to propagate, and end this mess once and for all? a self-vaccinating virus, what a concept. then we can safely ignore this problem (for a while).

  2. If you want to see something scary . . . by Straker+Skunk · · Score: 5

    . . . check out this file, on the Samhain project. This is basically a polymorphic-stealth worm system, that was developed as a proof-of-concept (and was never finished).

    It's cross-platform (as in, Unix and NON-Unix), it goes really far to evade detection and analysis (not to mention removal), and the freakiest part of it is, the whole system was designed to work in a distributed, intercommunicable fashion ("wormnet"). It's scary shit. Especially an observation the lead programmer makes near the end-- "sure, we didn't release this, but what if some other intelligent but deranged programmer out there has?"

    --
    iSKUNK!
    1. Re:If you want to see something scary . . . by Matts · · Score: 4
      Damn slashdot - many moons ago Extrans worked for links...

      Sorry I already debunked this virus when the details were posted to Linux Today. You can read my post at http://linuxtoday.com/news_story.php3?ltsn=2000-05-12-003-06-SC.

      If you don't want to click the link, the summary is this virus is stopped by firewalls. It would be dead in the water in the modern internet.

      --

      Matt. Want XML + Apache + Stylesheets? Get AxKit.
  3. Who will be the hero... by Wakko+Warner · · Score: 4
    ...who releases an email "virus" that shuts off the real virus -- VBScript -- after sending itself to everyone in the user's address book?

    - A.P. (seriously, folks, WHAT ELSE is VBscript for?!)
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:Who will be the hero... by Vanbo · · Score: 4

      > DEL C:\WINDOWS\SYSTEM\WSCRIPT.EXE
      > DEL C:\WINDOWS\SYSTEM\CSCRIPT.EXE

      This is really the solution if people refuse to switch from lookout. (I had switched everyone I could when I arrived at the company, but some refuse to leave "what they know.")

      So here is my solution in a Novell Netware environment.

      -Using NAL (Novell Application Launcher), create a new application object in NWAdmin. Don't have it launch any program, Name it something like "Remove VBS."

      -Modify the "Files" tab by adding "wscript.exe" and "cscript.exe" to be deleted (In other words click file, in target select those programs, and put the check in "Target to be deleted.")

      -Associate with everyone group with force run status

      Now everyone is going to be better off. Some would complain that now people can't write scripts in VB on their machines, but guess what, I never got any complaints. Maybe it has something to do with the fact that anyone writing scripts knows better than to open unknown attachments, or even to use Outlook.

      Note- This process could be done with the login script but NAL gives you more control. For instance I have used NAL to remove registry entries (or add), reset Netscape preferences, and similar to above, have NAL delete "normal.dot" every login to help prevent the spread of Macros. At my previous job, I even went so far as to have NAL rename the vbe folder in office to turn off macros all together, and created a NAL application called "Word with Macros, Excel with Macros" that would rename the directory before launching, and rename it at close, but alas, they use the macros in Excel at the current place...

      --
      VANBO
    2. Re:Who will be the hero... by ucblockhead · · Score: 5

      A less drastic action:

      (For those forced to do Windows/Outlook.)

      My Computer
      -Tools
      -Folder Options
      -File Types
      -VBScript Script File
      -Advanced
      -Click on "Edit" in the list box
      -Set Default

      After you do this, the default action for a VBS file is to edit it in notepad. (And you can still run it by right clicking and selecting "open" from the menu.)

      Repeat for any other dangerous filetypes.

      --
      The cake is a pie
  4. Here's a NEW idea: by paRcat · · Score: 5

    Why don't we start taking the usefulness of a virus back?

    What I mean is, why doesn't someone write a virus that does good? It could auto-run and disable all of the cheesy security holes that MS hasn't fixed yet. It could spread like a worm, and just go on a rampage fixing problems.

    Why must virii always be bad?

    1. Re:Here's a NEW idea: by Wanker · · Score: 5

      This topic comes up in virtually all intelligent virus discussions. In summary, it is not a good idea to use viral properties, even for something useful. I refer you to item F7 in the comp.virus FAQ (circa 1995):

      A very hotly debated topic that has flared-up dramatically several times in Virus-L/comp.virus. The answer to this is not simple and largely hinges on your definition or interpretation of the term computer virus.

      By definition (see B1), viruses do not have to do something "bad" (although many people argue that the uninvited "resource wasting" that is almost inherent in viral activity is necessarily bad). From this point (and based on his somewhat esoteric definition of the term computer virus) Fred Cohen has argued that "good" or "useful" computer viruses are a serious possibility. In fact, Dr. Cohen offered a reward of $1000 for the first clearly "useful" virus--despite several potential claimants, however, he hasn't paid up.

      Although there has never been a position that was widely agreed upon as a result of any of these discussions, many contributors to this forum believe that there are serious problems with the idea of implementing useful computing functionality through self-replicating programs. Vesselin Bontchev's paper originally delivered at the 1994 EICAR conference, titled "Are `Good' Computer Viruses Still a Bad Idea?", is available by anonymous FTP from ftp.informatik.uni-hamburg.de (IP = 134.100.4.42), as pub/virus/texts/viruses/goodvir.zip. *Anyone* wishing to raise this discussion in Virus-L/comp.virus again should read and carefully consider this paper before posting. It contains many strong arguments against the idea of "good computer viruses", and some prescriptions of how good viruses would have to be implemented and distributed to deserve the label "good". To date no strong arguments countering the points in this paper or otherwise arguing in favor of the concept of good viruses have been posted to the group.

      The summary of points made in this paper is:

      1. Lack of Control
        Even features such as defined lifetimes, central verification, etc. can't control self-replicating code perfectly. It is very easy for viruses to "get away". A great number of the viruses in the wild started out as merely research projects and were never intended to be released.
      2. Recognition Difficulty
        Allowing one program which has viral properties through one's defenses makes it easy for other programs to exploit the same hole. It's hard to tell when a "good" virus is doing its work versus a "bad" virus.
      3. Resource Wasting
        The process of infection will use up system resources-- what happens when the program hits a host that has few resources to spare?
      4. Bug Containment
        What happens if you discover a bug in the viral code? How do you update all the installed copies?
      5. Compatibility Problems
        The software could break certain systems while it works fine on others. This could make for difficult-to-track problems.
      6. Effectiveness
        There are always increased risks with viral code, and they can't do anything that nonviral code couldn't do with lower risks.

      Vesselin even goes so far as to describe some mechanisms to help mitigate the above problems, but the crux of the story is that it's still simpler and safer to rely on non-replicating code.

      There are some examples of failed attempts at "good" viruses in Vesselin's brief. They include The "Anti-Virus" Virus, The "File Compressor" Virus, The "Disk Encryptor" Virus, and The "Maintenance" Virus. Some of these same ideas have been brought up in this very Slashdot discussion.

      Amazing what history can teach. Damn, I'm starting to feel old...

  5. Re:Procmail filter to protect your users (tool) by skull · · Score: 4

    I'm surprised no one has mentioned this wonderful procmail setup/script that has been around for some time to protect against HTML or file attachments in email.

    I've been using it for some time and it has protected myself and my users against almost any macro viruses I have heard about.

    http://www.wolfenet.com/~jhardin/procmail-security.html

  6. Re:Linux is at fault here... by Matts · · Score: 4

    Funny yes, but people seem to be missing the fundamental reason why this happened.

    It has nothing to do with MS letting people run attachments without saving them first.

    This is all about mapping extensions to applications.

    This is a broken idea - totally. For starters it is quite simply dangerous, as the mappings happen everywhere. And installing an application might set up random mappings. But add onto that the fact that it's used to associate scripts with their executor, much like the shebang line, only worse - the file needs no execute privileges. If you like, every mapped file extension automatically sets execute privileges. It is this functionality that is broken - not the mail client. And this has been in existence since DOS days, IIRC. So removing or fixing this "feature" is next to impossible.

    Good luck MS fans - it's a rocky road ahead.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  7. Re:When will microsoft users learn? by mackga · · Score: 5

    You can get a freebie add-on from Nemx called Power Tools. It runs as a service under Exchange and allows stripping of attachments via extensions.

    --

    "shop smart:shop s-mart" ash

  8. Here's the real problem by HomerJ · · Score: 5

    The real problem here with these kinds of things isn't just Outlook. Or just moronic users.

    The whole security system in Win9x is flawed. Windows9x was never intended to be on a network. Win98 is just a rehashed version of Win95, which is just a rehashed Win 3.1. Single user OS's that had "root" access everywhere were fine in the early and mid '90s. That's not the case anymore. Now that everyone is hooked up to the internet, and other people have access to these single-user OS's such as Win9x. It didn't matter that you had "root" back in the day, you were the only one using the system. Now many people can run code on your computer. Be it a vbs, java, etc.

    A *nix variant doesn't have this problem. Unix was designed with networks and network security in mind for over 30 years. I couldn't, if I tried, screw up my system like these vbs files do to Windows computers.

    Even Win2k security is lax. For instance, how many times does a typical linux install (be it Redhat, Debian, or anything else) go "DON'T USE ROOT AS A USER!" and force you to make a regular user account? Now look at Win2k's installation, that gives you your user name with admin. privs.

    If Microsoft really wants to stop stuff like this, they need to update their entire network security model to the 21st century....or at least the 1970's. Windows9x was not designed to be on a network. That's the reason it has no security. "access zones" and what have you in programs like Outlook are just a cheap hack to hide the real problem of the Windows security model. The problem being, it wasn't designed to have one.

  9. Re:In theory. . . by Pig+Hogger · · Score: 4

    > and since Macintosh uses a less visible means of specifying file types,

    Macintrash files have, in fact, two invisible 4-character extensions.

    The filetype -- it contains the file type which says what kind of data is in the file.

    The creator -- which identifies the application that created the file, and which should be used to work with the file.

    Applications have a file type of 'APPL' and the creator field identifies the application; that is, it is what ends up in the "creator" field of files generated by this application.

    Additional trivia: Beige toaster files are, in fact, divided in two. There is a data fork, and a resource fork. The resource fork contains information that can be easily edited by a resource editor program, allowing one to change certain aspects of, say, an executable file, like the icons, fonts, sounds and strings it uses. The data fork contains, well... (drum roll) data... (In the case of an APPLication, it is the actual binary code. GUI details are in the resource fork). Either (or both) of those forks can be of zero length.

    It is not a bad system, except that it is totally shielded from lusers and, although it can prevent them from doing mayhem on their filesystems, it is a royal pain in the ass to change if you don't have the proper utilities.

    I suppose it could be desirable to have a filesystem that allows you to have as many forks on your files as you want (did I hear somewhere that Windoze NT has something like that? Or is it Novell?), but in my opinion, nothing beats the simplicity of a "flat file" filesystem such as we enjoy so much on Linux.

    However, I still don't dislike the concept of embedding file type information and whatnot within the directory entry/fdn.


    --
    Here's my mirror

  10. Re:I'm curious... by iCEBaLM · · Score: 5

    You can't possibly consider a virus writer to be an artist? I'm sure that some of the code they produce is elegant, or at least quite advanced and technical. But to call the result of that work 'art' is just fallacy.

    Unfortunately, destruction is creative.

    -- iCEBaLM

  11. I'm curious... by Psiren · · Score: 5

    Do any virus writers read Slashdot? And if so, would any of you care to explain *why* you do it? Ignoring the simple macro viruses, some stuff, especially the polymorphic ones, are incredibly clever pieces of code. Why put that talent to waste?


    Now weary traveller, rest your head. For just like me, you're utterly dead.

    1. Re:I'm curious... by segmond · · Score: 5

      You can not tell an artist that what he has produced is a waste just because you do not understand it or find it useful. There is some excitement in creating something that is sort of "alive". I have seen very smart virus writers, crackers and shit, and they are very clever, but don't think by putting them into a different environment, they will start cranking out really impressive code. Nah, they have the ability, but what drives them to write their viruses or crack a software is probably not what drives them to write "productive software". As a matter of fact, they probably feel that their viruses are a utilization of their talents.

      --
      ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
  12. Next Version by Anonymous Coward · · Score: 4

    The changing subject line helps its messages avoid being deleted by the Spam filters, but since the message does not change, the user is not likely to think that it actually came from the person it says it does. What these viruses need to do is examine the context of all of the messages in the user's Inbox that come from the individual who it is being sent to and generate a context-sensitive reply to that individual.

    In addition, these viruses will ultimately not be limited to VBA. A program could easily open the default Netscape inbox text file and scan for the @ character--extracting all e-mail addresses in the entire Inbox file. The virus could also discriminate against which users it destructively affects--deleting only the files of people whose identity says they are in the aol.com domain, for instance.

    I think that we have only seen the tip of the iceberg as far as intelligent viruses that are distributed by e-mail.

  13. Procmail filter to protect your users by qi3ber · · Score: 5

    I posted this filter up on freshmeat as well, but now that there is a more destructive version of this floating about, it should be distributed more. All you admins who are using procmail can add these two rules to your global procmailrc to prevent the execution of .vbs attachments to email messages. The email isn't deleted, just that the file's extension is changed so that it will not execute on the end user's system.

    # Filter (f) on the body (B); skip mail we have already rewritten,
    # which formail marks with the X-Loop header below.
    :0 Bf
    *!^X-Loop: viruscheck
    *^Content-Disposition:[ 	]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
    |/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\2/i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.vbs\(.*\)/name=\1.vbs.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: viruscheck"

    # Then deliver the (possibly rewritten) message as usual.
    :0:
    $ORGMAIL

    If you have any questions, please feel free to contact me about it.
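The procmail recipe above does its renaming with a sed regex over raw body lines, which is why it needs the `N;` trick for folded headers and a separate rule for `name=` and `filename=`. The block below is an added example, not the poster's filter: it does the same neutralization on the parsed MIME tree with Python's standard `email` module, so nested parts (a forwarded message carrying the attachment) and case variations are handled by the parser. The extension list beyond `.vbs`, the header name `X-Loop`/`viruscheck` reused from the recipe, and the sample message are all assumptions made here for the example.

```python
import email
from email.message import Message

# Assumption: the kinds of attachment a gateway in this setting would refuse to
# pass through unchanged.  The post only names .vbs; the others are the same
# sort of "runs when double-clicked" file and are listed as a generalization.
DANGEROUS_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                  ".scr", ".pif", ".bat", ".cmd", ".com", ".exe")
LOOP_HEADER = "X-Loop"
LOOP_VALUE = "viruscheck"      # same marker the procmail recipe sets

# Constructed sample message (not a real capture); the attachment body is
# just the base64 encoding of the word "test".
SAMPLE = """\
From: victim@example.com
To: friend@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached love letter coming from me.
--b1
Content-Type: application/octet-stream; name="greeting.TXT.VBS"
Content-Disposition: attachment; filename="greeting.TXT.VBS"
Content-Transfer-Encoding: base64

dGVzdA==
--b1--
"""


def is_dangerous(filename):
    """Case-insensitive extension check; parts without a filename are left alone."""
    return bool(filename) and filename.lower().endswith(DANGEROUS_EXTS)


def neutralize(msg: Message) -> int:
    """Append .txt to every attachment whose name ends in a dangerous extension.

    Both the Content-Disposition 'filename' and the Content-Type 'name'
    parameter are rewritten, as the sed rule does, because the mail client
    may use either one.  Returns the number of parts renamed; 0 if the loop
    marker shows the message was already processed.
    """
    if msg.get(LOOP_HEADER) == LOOP_VALUE:
        return 0
    renamed = 0
    for part in msg.walk():        # walk() also descends into forwarded message/rfc822 parts
        if part.is_multipart():
            continue
        name = part.get_filename() # decodes RFC 2231 names; checks filename= then name=
        if not is_dangerous(name):
            continue
        new_name = name + ".txt"
        # Only touch a parameter that exists: set_param() on a missing
        # Content-Disposition would create a header without "attachment".
        if part.get_param("filename", header="Content-Disposition") is not None:
            part.set_param("filename", new_name, header="Content-Disposition")
        if part.get_param("name", header="Content-Type") is not None:
            part.set_param("name", new_name, header="Content-Type")
        renamed += 1
    msg[LOOP_HEADER] = LOOP_VALUE
    return renamed


def sanitize_text(raw: str):
    """Filter entry point: raw message in, (rewritten message, parts renamed) out."""
    msg = email.message_from_string(raw)
    renamed = neutralize(msg)
    return msg.as_string(), renamed


def attachment_names(raw: str):
    """(Content-Disposition filename, Content-Type name) for every leaf part."""
    msg = email.message_from_string(raw)
    return [(p.get_param("filename", header="Content-Disposition"),
             p.get_param("name", header="Content-Type"))
            for p in msg.walk() if not p.is_multipart()]


if __name__ == "__main__":
    rewritten, count = sanitize_text(SAMPLE)
    print(count, "attachment(s) renamed")
    print(rewritten)
```

Run it as a pipe step the same way the procmail rule invokes sed: read the message on stdin, write `sanitize_text()`'s first return value to stdout. Because the loop marker is checked before any rewriting, a message that passes through the filter twice (a bounce, a list that re-delivers to the same server) is left untouched on the second pass.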

  14. Heh by CAIMLAS · · Score: 4
    Humorous how such things are called sympathy viruses in linux. I'd hash in the lot of stupid forwards as a type of sympathy virus - they 'delete', so to speak, bandwidth.

    I woke up this morning to my radio. (Which is unusual. It usually takes my alarm going off at full volume for about 10 minutes. The alarm goes off after 10 minutes of full-volume radio.) I heard the announcer state that there was a new strain of the ILOVEYOU virus released, much more deadly. I just rolled over and went to sleep. I pity the fool who subjects himself to such things.

    What type of real-life virus might computer viruses be comparable to? STD's? You 'sleep around' without protection, you'll get em. What might that make Microsoft products, then? :)

    -------
    CAIMLAS

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  15. Warning: ILOVEYOU virus spreads to Unix systems! by babbage · · Score: 5
    received in my mailbox recently:

    -- forwarded text begins --

    This is the Unix version of 'I Love You' which works on the honor system.

    If you receive this mail, you should delete a bunch of GIFs, MP3s and binaries from your home directory, then send a copy of this e-mail to everyone you know.

    -- forwarded text ends --
  16. Re:When will microsoft users learn? by Rico_Suave · · Score: 4
    Uh, I run a MS Exchange server for over 100 users. I simply filter out anything with a vbs attachment. Didn't have a problem two weeks ago, don't have a problem today.

    It has NOTHING to do with the OS used, and everything to do with the administrator.

    --

  17. We need more technological diversity... by jonr · · Score: 5

    If I may quote my favorite CEO: "Pursuing the biological simile, observers pointed out another problem caused by Microsoft's monopoly: the lack of genetic diversity in the PC ecosystem. Because PCs and their software are too similar, one noxious automaton can do much more damage than would occur if we had several alternative life forms.
    This argument deserves closer examination. True, BeOS, MacOS, and Linux users were not infected by the Love virus. Had each system had 25% market share, a single virus could only infect 25% of the population."

    The ILOVEYOU virus is kindergarten stuff compared to what a real programmer could really do if he/she put their mind to it; experienced programmers are (most of the time) fairly mature individuals, but it would only take one fairly good hacker to release a plague on the world...

  18. A certain amount of turbulence is good by gelfling · · Score: 4

    It helps to thin out the herd. What you want is a more or less constant nonzero low probability of catching and incurring damage from one worm/virus/trojan or another. This will serve to harden the resistance of the community and cull out the weaklings. Just like in the solid world, the most destructive virulent phages do not have the best longevity because they kill too many of their hosts too quickly. Ergo the likelihood of some super Marburg or Ebola with 97%+ mortality spreading all over the world is rather low. Of course the garden variety with 70%+ mortality is none too good either. OTOH, continual exposure to less virulent forms of other types of phages actually hardens both the individual and the community, leaving it better prepared to resist the next variant. Exhibit the indigenous peoples of the Americas in the 15th-16th C. exposed to Smallpox for the first time. Infected populations decreased by 90% in <10 years whereas the Europeans were already largely resistant and could survive even many epidemics with <25% mortality.

    So it is with a dynamic community of computers. Somebody who doesn't have a scanner will die. Somebody who rarely updates the sig files will die. Somebody who doesn't think it can happen to them will die. Someone who doesn't pay attention and goes on as normal will die. Somebody who is more thorough and less trusting or ignorant will survive. Remember not all of these screaming headlines are about viruses at all. They are simply a matter of behavior and social engineering. Do you think as many people would have been infected if the ILY worm had a heading that said "opening this note will destroy or damage your machine and the machines of everyone in your addressbook"? Of course not.

    Which leads me off on another tangent. How to get more people to open destructive messages since every day we're more jaded and suspicious? Well, if I was a bad guy what I'd do is use the message header to refer to some online purchase. Sure, if you didn't buy anything then you'd be less likely to open the message, but the people who did would probably open the message approaching 100%. So what is a poor website to do? It seems that one avenue that should be pursued for this and for eComm generally is a way to generate a CRC at the point of purchase and then send the confirmation/receipt with the CRC in the header so that before you do anything you manually cross check the numbers to ensure they match. Or something like that. I guess I'll stop blathering now.
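The cross-check sketched in the comment above, worked through as an added example (not the commenter's design): the shop shows the buyer a short code on the checkout page and repeats it in a header of the confirmation mail, and the buyer compares the two before trusting the message. The comment says "CRC"; this version derives the code with a keyed HMAC instead, because a CRC can be computed by anyone over a message they wrote themselves, while a keyed code can only be produced by whoever holds the shop's secret. The header name `X-Order-Receipt`, the secret, and the order fields are assumptions made for the example.

```python
import hashlib
import hmac

# Assumption: a per-shop secret kept server-side and never sent to the buyer.
# Constructed for the example; not a real key.
SHOP_SECRET = b"constructed-example-secret-not-a-real-key"


def receipt_code(secret: bytes, order_id: str, buyer: str, amount_cents: int) -> str:
    """Short code shown on the checkout page.

    Derived from the order fields with HMAC-SHA256 (in place of the comment's
    CRC), so the shop can recompute it later without storing it and a forger
    without the secret cannot produce a matching value.  Eight hex characters
    is short enough to compare by eye.
    """
    data = f"{order_id}|{buyer.strip().lower()}|{amount_cents}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:8].upper()


def confirmation_header(secret: bytes, order_id: str, buyer: str, amount_cents: int) -> str:
    """The header line the shop adds to the confirmation mail (name is assumed)."""
    code = receipt_code(secret, order_id, buyer, amount_cents)
    return f"X-Order-Receipt: {order_id}:{code}"


def matches_displayed_code(header_value: str, order_id: str, displayed_code: str) -> bool:
    """The buyer's check before opening anything: does the code in the mail
    match the one noted at checkout for this order?"""
    if ":" not in header_value:
        return False
    hdr_order, hdr_code = header_value.split(":", 1)
    hdr_code = hdr_code.strip().upper()
    if hdr_order.strip() != order_id or not hdr_code.isascii():
        return False
    # Constant-time comparison, so timing does not leak how many characters matched.
    return hmac.compare_digest(hdr_code, displayed_code.upper())


if __name__ == "__main__":
    shown = receipt_code(SHOP_SECRET, "A1001", "buyer@example.com", 4599)
    header = confirmation_header(SHOP_SECRET, "A1001", "buyer@example.com", 4599)
    print("shown at checkout:", shown)
    print("in the mail      :", header)
    print("buyer's check    :", matches_displayed_code(header.split(": ", 1)[1], "A1001", shown))
```

The check only helps if the buyer actually compares the two values; a mail that merely mentions the order number, which the attacker can often guess, will not carry a matching code.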

  19. You think that's bad. by basscomm · · Score: 5

    Check out the virus warning I recently came across:

    Pay close attention to this warning!

    If you receive an email entitled "Bad-times," delete it immediately. Do
    not open it. Apparently this one is pretty nasty. It will not only erase
    everything on your hard drive, but it will also delete anything on disks
    within 20 feet of your computer through the use of subspace field
    harmonics. It demagnetizes the stripes on ALL of your credit cards. It
    reprograms your ATM access code, screws up the tracking on your VCR and
    uses subspace field harmonics to scratch any CD's you attempt to play. It
    will program your phone auto dial to call only your mother-in-law's
    number. This virus will mix antifreeze into your fish tank. It will drink
    all your beer. (For God's sake man are you listening?) It will leave
    dirty socks on the coffee table when you are expecting company. It will
    replace your shampoo with Nair and your Nair with Rogaine, all the while
    dating your current boy/girlfriend behind your back and billing their
    hotel rendezvous to your Visa card. It will cause you to run with
    scissors and throw things in a way that is only fun until someone loses an
    eye. It will rewrite your backup files, changing all your active verbs to
    passive tense and incorporating undetectable misspellings, which grossly
    change the interpretations of key sentences. If the "Bad-times" message
    is opened in a Windows95/98 environment, it will leave the toilet seat up
    and leave your hair dryer plugged in dangerously close to a full bathtub.
    It will not only remove the forbidden tags from your mattresses and
    pillows; it will also refill your skim milk with whole milk.

    *********WARN AS MANY PEOPLE AS YOU CAN.*********

    Hope I don't get that one.

    --
    http://crummysocks.com
  20. Ah, the sweet symmetry of cross-pollination by jabber · · Score: 4

    I LIKE IT!

    We're genetically engineering bacteria to eat oil spills, and designing cancer cells to secrete insulin. We're cloning sheep and making real viruses to attack malignant tumors.

    Somehow, the symmetry of a worm that scours the Internet exploiting M$ security holes in an effort to fix them is.. poetic. Sort of like autonomous garbage collection.

    Arguably, any virus/worm that deletes Windows system files is already trying to do this; but in a very heavy-handed way. A lighter touch is called for. Disabling the registry settings that allow auto-invocation of scripts attached to email is one good way to make the world a better place.

    And hey! How could anyone (besides Micros~1) get upset over a benevolent virus?

    Maybe it could even open a pop-up on the screen every 20 minutes, to remind the user to stretch their hands to prevent RSI? :)

    Maybe it could replace the talking paper-clip with a talking Penguin? "I see you're trying to write a letter. Wouldn't you rather write it on actual paper, and add some humanity to your interpersonal communication?" "I noticed your key-stroke rate drop over the last hour. You seem tired. Shall I have some pizza delivered?"

    --

    -- What you do today will cost you a day of your life.
  21. It's a *worm*, not a virus! by dmuth · · Score: 4
    I hate to bitch, but I really wish people (namely the media) would get the terminology right when writing about these things. This isn't a virus, it's a worm.

    Viruses infect other executables, such that the original functionality is still there, but the viral code is executed when the program is first run, which gives it a chance to spread to other executables and/or become resident in memory.

    Worms, on the other paw, are self-contained programs which contain nothing but the worm itself.

    The definitions of these things are hardly new, they have been around for YEARS. I suggest reading section B2 of the comp.virus FAQ for more information.

  22. Re:These are great for Linux - we need more by SoftwareJanitor · · Score: 4

    As has been thoroughly hashed out in the threads of the articles following the last virus/worm outbreak, Linux isn't 100% immune from viruses/worms, but it is much more resistant due to a few reasons:

    First, executability is determined by access bits, not by file extension. This means that normally downloaded files like attachments get saved un-executable, meaning that users have to intentionally try to change the access bits on the files to execute them, not just click on them.

    Secondly, unless the root user is the one reading the email and running attachments, the virus/worm is limited by security/permissions rights to what it can do. While it can do damage to a single user's files, it can't very easily blast other users' files or system files. On Windows 9x, there is basically no security, so viruses/worms like ILOVEYOU are free to twink with the registry, etc.

    Thirdly, the homogeneous nature of the Windows world makes it a much easier and more attractive target for virus/worm authors. It is pretty safe to assume that virtually all Windows 9x clients will have Outlook and all the associated DLLs on their system. There is no single email client in the Linux world that is so ubiquitous. That makes it more difficult to write viruses/worms that will affect a large percentage of Linux users because the virus/worm creators can't make the kind of assumptions about how to read things like address books, etc. that they can under Windows. This is unlikely to change any time soon, because the Linux world is much more diverse than the Windows world.

    While you are right up to a point that in many ways it is the users that are stupid, Outlook and Windows make the problem worse by making it so much easier for the users to shoot themselves in the foot. And to a certain extent, Windows is plagued with a much higher percentage of stupid users because it intentionally caters to the least common denominator. To a certain extent, as Linux gets easier to use, it may start to see more of the semi-stupid users.

  23. Linux is at fault here... by finkployd · · Score: 5

    Hear me out. Linux is Microsoft's main competition right now. Because of this we are forcing them to "innovate", something they would usually avoid.

    Now if MS Bob has taught us anything, Microsoft is not a company that should be innovating. When they do, they don't come up with things like "better security" or "stability", they come back with "talking paperclips", and "throw in every useless feature we can think of, memory footprint be damned".

    Unfortunately, they also come up with the bright idea of executing email. Now MIME attachments aren't enough, they want you to be able to run/open attachments right when you get them (presumably to make sure you EXECUTE .exe files to make DAMN SURE you read any EULA contained within). This sounds like a good idea to people who believe renaming directories to folders made computing possible for the common man, but security wise it's like vigorously shaking a package from the Unabomber.

    So my friends, we are to blame. We pushed them into frantically trying to invent "necessary" features to stay on top, and look where it got us. Many of us are watching our beloved mail servers go down under the strain and rebuilding our company's PCs because of our pointless competition with Microsoft.

    I implore you all, please just drop this Linux thing before Microsoft innovates again.

    Finkployd