Slashdot Mirror
The Next Generation of ILOVEYOU:The Porn Worm
Erik Green writes "I've been sent a new semi-benign ILOVEYOU variant - it's got a subject line of "Check this" and consists of a one-line message and an attachment named LINKS.VBS. Its only purpose other than self replication is to add a link to a XXX site to your desktop. The attachment is a self-replicating script that copies itself to all network drives and sends itself to everyone listed in outlook's address book. This variant is interesting since it's partially encrypted to obscure it's purpose. It's nice enough to ask if you want the shortcut added to your desktop, but it doesn't ask about replicating itself. It's basically a trojan advertisement. Fortunately, it doesn't delete any files.
Needless to say, only machines that run outlook and have visual basic scripting available are vulnerable.
"
A choice quote from the log: ('You' is the person giving the "help", and Oronde is the idiot)
You say "Type 'ls' and tell me what you see."
Oronde says "okay now what?"
Oronde pages: nothing...
You say "oops. I guess rm *is* the deleting files and 'del' isn't."
You say "Wow. What a mistake *I* made! I must have not read the manual!"
--
No more e-mail address game - see my user info. Time for revenge.
Win dain a lotica, en vai tu ri silota
damit the commerical world gets all the cool tools, the sound blaster live drivers where out first on Windows, and most of the new 3D cards are supported under windows, not to menation the cool automatic shutdown "blue screen of death" that is smart enough to turn it's self of and now this.
Dammit, I would like porn on my desktop, please please tell me this works under wine...
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Theoretically, I can see at least one good use of this stuff: remote administration.
A network admin/tech support department could save time by emailing auto-installing software updates to clueless users' machines, instead of having to trudge out to each users' machine to do the install..
Of course, this is just in theory - in reality, I've never seen it used, and I honestly think the *nix method (telnet/ssh/whatever) is less prone to abuse.. even telnet requires a PASSWORD to verify that the person attempting to to use the system is who they say they are..
All in all, it MIGHT have it's uses, if it were implemented in a more secure manner.
Yes, its true. Though it is far from a new thing - it's been around for about a year now.
So now Cyber Patrol will have to add the Windows Desktop to its blocked site list, right?
THAT should teach Microsoft to integrate its browser with its OS...
- Michael Cohn
-----
Go ahead, blame me... I voted for Nader!
I had the same thing happen to me with IRC. I didn't accept it because the person who was sending left a message in channel about the fact that they had some kind of weird virus. I didn't hear a thing about it after that.
I tried out the security update on one of the workstations at work. I think it was the best thing that ever happened for the user. She became so frustrated with the lack of functionality that they switched over to Netscape mail. Last one..........thankfully. As for seeing an end to the "worm" viruses, it won't happen until everyone learns the lesson of this user. Only took her a year of constant chaos.
"Share your knowledge. It's a way to achieve immortality." -- Dalai Lama
I'm going to write a worm that finds everybody that is transfering copyrighted material, then I'm going to sue them...oh wait, nevermind.
Only the condom commercials.
Wow, a free app that adds a shortcut to a porn site on my desktop and generiously tells all my friends coworkers. Thats not a bug!
Of course not. It's a feature.
Someday, you're going to die. Get over it.
Viruses, whatever...
Source code virus?
Say someone has an infected version of the Apache source; it has embedded within it a modified 'ls' or 'find' or 'grep' or something. When compiled, it also replaces ls. Apache, of course, is also infected; it is a way into and out of your computer, and would be used to spread information, primarily.
Now when you do your usual make, make install, the source is modified to look perfectly normal, but the damage is done. You have an infected ls, find, grep, etc, as well as Apache. What the modified program would do is look for Makefiles and configures; when it identifies a directory with a Makefile and/or configure script, it will actually modify the process to build another infected program. In this case, it would get the infected source from Apache! See, while the server has been up, it has serriptitiously been downloading bad source and sharing bad source with other infected computers, without logging it, and placing it in strange and not commonly visited places.
So when you actually do another source compile, you get another infected program; say, ftp gets modified. Or telnet. Or man. Whatever. Until you have lots of malicious programs. All waiting for a signal, a trigger, a date, whatever. Or for apache to do something!
Of course this is speculation on my part. Do wiser heads think this is impossible?
-AS
-AS
*Pikachu*
Since I don't keep any addresses in my Outlook Contacts List, it couldn't spread, no matter how much I prodded with it. The encryption was kinda cool, but the guy I got it from was apologizing profusely to all his clients.
This isn't new, it's not a LOVEBUG variant.
I'm sure I had heard about this one before...
BlackNova Traders
It is like a typo, only smaller.
"Trademarks are the heraldry of the new feudalism."
I was just thinking one could put a virus into a source tarball as an executable file, have the Makefile call it...
Perhaps it could make it's own version of ls, or ldconfig! After the "make install" by root the virus can do anything it wants. Imagine, everytime you call ldconfig it spreads further, it would be literally impossible to repair the damage at that point.
The downside: it wouldn't take long for people to find the virus, but most people don't even bother to watch the compile screens let alone go through all of the source code files.
P.S. it would be fun and easy to release the virus in RPM format...
P.S.S. Maybe one could modify pine or sendmail to spread the virus.
Devil Ducky
Devil Ducky
MY peers would get out of jury duty.
Actually thats not such an unusual Idea. I have often discussed this theory with a number of professionals always with the same sceptiscm. But consider it this way. Users ( the end user kind ) are notoriously inept at upgrading. If there were a way to write Upgrade software distributed in a virus vector it might reduce your work load. MIGHT that is.
... sigh !
I even played with the concept in my earlier code days. Having written a client/server app that passed patches between computers it could find on its network where the computer was running the client. And did not inform the user.
Still i suspect the whole concept is considered disgusting and not worthy
And thats why Firecrackers and kittens don't mix.
The short answer is that most flavours of Unix, including Linux, don't have much to worry about from the current crop of viruses. This may change in the future, but due to the architecture of Unix it is more difficult for viruses to propagate or to really damage a system.
The long answer is "it depends". Details as follows.
Viruses and trojans that are embedded in Word documents, Visual Basic scripts, or the like have no effect under Unix, because most Unix systems don't process Word macros or Visual Basic scripts. Thus, most of the crud that has been affecting Windows users has been completely unnoticed by Unix users.
If you are sent an executable, or fetch an executable yourself, and run it, it can modify anything that you have permission to modify, even under Unix. This means that a trojan executable, if you run it, could quite easily destroy all of your files - but not the files of anyone else using the machine, and not the operating system files. In principle, a trojan could also access any facilities that you have access to; this means that a sufficiently clever trojan could mail itself to other people from your account. However, it would have a harder time finding addresses to send itself to (maybe scan ~/mail and
A true virus is capable of infecting arbitrary executables, which themselves will contain the virus and infect other executables. While in principle this could be done under Unix, the virus would again be limited only to executables that you have permission to modify. System tools would not be affected - you couldn't infect "cp" or "ls", for instance. Distribution would also be curtailed, as you don't usually send executables to your friends; you send them a source tarball, or point them to where they can download an executable. So, while something like this could be done, it wouldn't be as devastating as it is under Windows or DOS.
Social engineering remains one of the biggest threats under Unix. It means, simply, convincing a user to do something harmful. In the case of email viruses, the virus must convince the user to open the attachment. Heaven help us when inexperienced users have root access; a virus could simply tell you to "su to root and run this install script" to have devastating impact. This will probably be one of the biggest threats in terms of viruses under Unix.
The idea of a Linux email worm is so interesting that I'm tempted to write one. Must... stay... good...
If they don't have outlook, the virus can no longer spread. So in a sense, they would be an endpoint for the virus. The virus uses mapi calls to outlook to replicate.
And yes, any windows version with WSH installed is vulnerable (well.. vulnerable is a shitty word. Of course any windows machien with WSH installed can run scripts...)
Man. I should write a program in C that formats your HD after mailing itself to everyone in your outlook address book, and then I could be a famous virus writer too!
The Turkish trojan. ;)
--
Not macro. Just an attached vbscript.
you gotta ask yourself here...is this such a bad thing? :)
if the links are quality...sure..why the hell not
There's another "legitimate" portal site called Go Hip! that also uses viral advertising.
If you use Outlook and Explorer, the virus will add another "toolbar" to your browser (which only contains banner ads), and attaches an advertisement for itself onto the end of every email you send out. The program does all of this without the users knowledge or permission.
I would normally call this just merely annoying except for the fact that it is impossible to uninstall it via any normal means. I removed it from my registry, but it just copied itself back. The only way to remove it is to dig deep in Go Hip!'s customer service page and run a "remove" utility.
"Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao
The second point, the install base, removes one of the major incentives of the perpetraitors: notoriety. Lack of familiarity might also play a part.
THe third (and maybe biggest?) factor is: Unix users are generally much more educated in computer use, and knowledgeable about it. And with all the M$ targeted viruses about, they will know not to run random binaries from unknown sources. So again, a succesrate limiter, reducing the chance of notoriety.
That are in my estimate the main reasons we haven't seen much abuse in the @Unix so far. The only notorious exception being Morris, who wormed himself rather more succesfully than intended through sendmail holes.
Stefan.
<B5>There is a hole in your mind.</B5>
The truth shall make you fret. (Ankh-Morpork tImes motto)
Wow, a free app that adds a shortcut to a porn site on my desktop and generiously tells all my friends coworkers. Thats not a bug!
Geoff
Links.vbs predates ILOVEYOU. It scans net blocks looking for open shares and replicating, and was out there in early 2000 at the latest.
I can remember someone trying to send me a file on mirc... called links.vbs, about 6 months ago. I never accepted it, but anybody know what i'm talking about?
Hopefully we will see an end to these e-mail "worm" virus. An article at Network World Fusion describes how Microsoft has released a security update for Outlook, which among other things, blocks 38 different file types, like exe, vbs, bat, and others. The funny thing is, scripting is STILL ACTIVATED, unless turned off. Personally, I think scripting is useful, but, for the average user, I feel it should be left off unelss the user turns it on. It does, although, prevent scripts from accessing the address book.
Its funny, "It's a feature, not a bug", yet they issued a patch for it...
They don't bother us in the slightest, other than the fact that we have to read the stupid news articles. These virii are incapable of bothering us. In fact.. they aren't even really virii. They require the manual intervention of a user to consciously run them.
Given how easy this would be to implement by modifying the ILOVEYOU virus, even if it started as a hoax, how long would it be before someone, given the suggestion, implemented it?
Reality immitates fiction immitates reality.
These concepts are probably patented. You shouldn't even be discussing them w/o licensing the technology from the patent holders.
Well then, instead of accomodating this virus, why not take control of your desktop with an alternative shell (like a Window Manager). The main one I use is Litestep
You should never take life too seriously - You'll never get out of it alive.
Deep in the code of every variant of UNIX and Linux sits a very well hidden easter egg! /*".
;)
Log in as root on any *N*X machine and run "rm -rf
I can't spoil the easter egg, but after it's done running I'm sure you will be very suprised!
--
Note: If you were stupid enough to actually do this, I think we're better off without you in the *N*X world.
You didn't, by chance, click on the "download browser enhancement" link, did you?
I've got IE5 and Outlook2k on my Win2k box... and nothing happened by just looking at the site. Are your IE security settings set to "bend me over again"?
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
alter the virus to make the porn site the default page for the browser, not just add a desktop link.
Maybe if Bill gets his default page set to "Naughty Barnyard Nyphos" a few times he will pay more attention to security.
"Trademarks are the heraldry of the new feudalism."
I played with the concept as well, albeit less viral in final form. Had a wee little VB client sitting on a port that just did nothing more than report a patch number when queried. An admin script on a *NIX box would, based on patch number, mail out wrapped updates to responsible users and complain if they weren't installing them in a timely fashion. (Rechecked the patch # in one hour, mail a complaint to the user, and if unchanged in 12 it would mail a notice to me) When executed, the update wrapper would query all of the machines in that segment, ask the server if they had been bothered, and mail itself to them too if required. (Only needed to 'seed' a list of fifty users this way; The BSD box was WAY underpowered too.)
.sig: Now legally binding!
...but rather a precursor. It's almost a year old. Details here.