Gnutella VBS Worm
TRingstad writes: "ZDNet has an article about a new worm infecting Gnutella users. The worm changes the gnutella.ini file to accept VBS files and places 23 Trojan files in the Gnutella download directory so that others on the network may find them. It then creates a 'victim' file with some statistics on what generation of the worm infected the user and on what date. Finally, it copies a warning, 'If I was a naughty boy, I could use scripting to get name, email, whatever file I want.'"
I agree with the user in this situation. I should be able to open any e-mail I receive, and my mail reader sure as hell shouldn't be executing any code in that email without asking me first.
I receive unsolicited e-mail all the time, and I feel free to open it in mutt, because I know that embedded executables are not going to be run.
The user in this situation is absolutely correct. They're running under the assumption that just *looking* at an email should never be dangerous. They're assuming not only that nobody would write a mail reader stupid enough to execute code without asking, but that if anybody did happen to write such a stupid program, the tech support department where they work would never allow such a program to be loaded on everybody's machine.
In a sane world, that would be a good assumption...
This could easily have been a lot worse -- the author could have trashed the systems of victims. However, it is simply a warning created to illustrate a serious security hole. Kudos! This is the ethical side of hacking that was always encouraged by the community as I was learning.
And spare the "hacker v. cracker" definition wars -- IMO, crackers are malevolent, and the author of this worm is certainly not.
--
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
Is it an underground effort by the Linux zealots to undermine Windows? Is it a cunning ploy by Micro$lop to get people to buy W2K?
Or is it the anti-virus vendors drumming up sales?
Or am I just paranoid, and it's all coincidence?
Strong data typing is for those with weak minds.
I have developed a simple test to check your virus and computer IQ. You get entered into a drawing for a $1000 bill, just for entering.
To take the test, press Alt+F4, now.
-- What you do today will cost you a day of your life.
PamelaAndersonMovie.mov, collegesex.zip, MetallicaMP3crack.zip
To quote the article, it is in files marked "Pamela Anderson movie listing.vbs, collegesex.vbs, Battlefield Earth.vbs, Napster Metallica Crack.vbs and NSync.vbs"
Because of the way Windows works, you may see something like "PamelaAndersonMovie.mov.vbs", much like the ILOVEYOU virus had. But more often, Windows defaults to not showing the extension on .vbs files.
Gnutella though, will show the .vbs extension before you download. And think about it... would a good movie be only a few thousand bytes long???
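The two checks the comment above suggests (look at the real extension, and distrust a "movie" that is only a few thousand bytes long) are easy to automate on the receiving side. The following is an added example, not code from the article or from any Gnutella client: it reconstructs the full extension chain of a file name, shows what Windows would display with "hide extensions for known file types" turned on, and flags script extensions, media-plus-script double extensions, and implausibly small media files. The extension lists, the 1 MB size threshold and the sample listing are assumptions constructed for the example.

```python
"""Flag suspicious Gnutella downloads by file name and size.

Added example, not from the article or any Gnutella client. The extension
sets, the size threshold and SAMPLE_LISTING are assumptions for illustration.
"""
import os

# Extensions Windows will execute on double-click (assumed list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                     ".bat", ".cmd", ".exe", ".scr", ".pif", ".com"}
# Extensions a user expects for media/archives (assumed list).
MEDIA_EXTENSIONS = {".mov", ".avi", ".mpg", ".mpeg", ".mp3", ".zip", ".jpg"}
# Anything calling itself a movie below this size is suspicious (assumption).
MIN_PLAUSIBLE_MEDIA_BYTES = 1_000_000


def split_extensions(name):
    """Return the lowercase extension chain of a name, e.g. ['.mov', '.vbs']."""
    base = os.path.basename(name)
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def displayed_name(name):
    """What Explorer shows when known extensions are hidden: the final
    extension is dropped, so 'movie.mov.vbs' is displayed as 'movie.mov'."""
    return os.path.splitext(os.path.basename(name))[0]


def classify_download(name, size_bytes):
    """Return the reasons a download looks suspicious (empty list == nothing noticed)."""
    reasons = []
    exts = split_extensions(name)
    if not exts:
        return reasons
    true_ext = exts[-1]
    if true_ext in SCRIPT_EXTENSIONS:
        reasons.append(f"real extension {true_ext} is executable; Windows may "
                       f"display it as '{displayed_name(name)}'")
    if len(exts) >= 2 and exts[-2] in MEDIA_EXTENSIONS and true_ext in SCRIPT_EXTENSIONS:
        reasons.append(f"double extension {exts[-2]}{true_ext} disguises a script as media")
    if any(e in MEDIA_EXTENSIONS for e in exts) and size_bytes < MIN_PLAUSIBLE_MEDIA_BYTES:
        reasons.append(f"{size_bytes} bytes is implausibly small for a media file")
    return reasons


def scan_listing(listing):
    """Map each flagged (name, size) entry to its list of reasons."""
    flagged = {}
    for name, size in listing:
        reasons = classify_download(name, size)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed directory listing: the .vbs names are the ones the article
# quotes; the sizes and the two benign files are made up for the example.
SAMPLE_LISTING = [
    ("Pamela Anderson movie listing.vbs", 4_212),
    ("PamelaAndersonMovie.mov.vbs", 4_212),
    ("Battlefield Earth.vbs", 4_212),
    ("holiday.mov", 48_000_000),
    ("readme.txt", 1_024),
]

if __name__ == "__main__":
    for name, reasons in scan_listing(SAMPLE_LISTING).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The point of `displayed_name` is to show the gap the double-extension trick exploits: the name the user sees in Explorer and the name the loader acts on differ, so a check has to be run on the real name, exactly as the comment says Gnutella itself does.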
The problem is that the amount of common sense in the universe is a constant, however, the population keeps rising. This particular one can only really hit your system if you download and run it.
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
They say don't download/run anything from a source you don't trust ... the question is, why develop a client to interact on a GLOBAL, utterly anonymous peer to peer file sharing network if you can only download stuff from people you KNOW and TRUST?
It's kinda like saying
... "use this product to get access to files you never would have dreamed of, but don't ever download or run anything you can't get from a local friend."
Kinda defeats the purpose doesn't it? Rather, it illustrates the inherent weakness in this whole system and how people's desire to steal software overrides their common sense of not dealing with anonymous users you can't trust.
If someone on the street offered you an opened Coca-Cola, who would be stupid enough to drink it? Change the Coca-Cola to Mad Dog 20/20 and almost any alcoholic would drink it, showing that common sense is often thrown out the window to get what we think we want/need but which in a lot of cases is not good for us and puts us (and in this case, our computers) at serious risk of harm.
No, the first big MS Word virus, way back in 95 or so, was exactly like this. It caused no damage, it just propagated itself to try to make people aware of the huge security hole in Word. The payload said something like "Now I think I've proved my point".
MS ignored it of course, and even released a new version of Word about a year later that opened the hole even further. Melissa, et al. followed long after that.
Second, be very grateful the author was nice enough to make this a benign bug... it could have had CIH as its payload.
I am not turning this into a whole OS security model vs stupid user war.
If my grandparents get infected with a virus, worm or buggy program, guess who gets to clean up the mess? Me. I am trying to put some basic sense in their heads so I don't have to go over there and restore it.
If they were running Unix or anything else I would say "Hey when someone says try `rm -rf
I don't know or really care if it is the fault of the user or the security model of the OS, the only thing I know is that I don't like restoring a computer from OS up when it could be prevented with a few precautions (in this case informing the user).
Me sending them that program is my way to "test" them, you know those fire drills you had in school? That is what I am trying to do, it is interesting to see users' reactions, but that isn't the point.
The point is, when they have a fire in their house they will make it out alive, err I mean when there is a virus in their house they, the point was, as I was stating, is so that they know how to use fire to kill any virii that may be infecting their house due to biological warfare started by malicious computer users...
As with any system (strong security policy or not), you have to inform the users of the strengths and weaknesses of the system. Even if you have an extremely secure system, if you post the username and password to anyone, it becomes as secure as an overweight high school girl going to a dance...
I am trying to stay away from the "stupid user vs insecure OS" war going on, but I think both sides agree that the user needs to be informed of basic security measures. A Unix system can be secure till Bob posts the root password on irc...
To test this theory someone please post their root password and ip on slashdot.
(technically if it was behind a firewall and had tcpwrappers installed and telnet/ftp/etc disabled it still could be considered secure)
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
And I quote, from the Gnutella home page:
"Some reports have been circulating in some of the online press about a 'Gnutella Worm'. This 'worm' does not exploit any weaknesses in gnutella itself, but rather weaknesses in the Windows operating system and more importantly, the user. This 'worm' will not affect anyone who doesn't manually download it, and subsequently manually run it. Gnutella does not execute any files it downloads. Be smart, don't run anything from an untrusted source without checking it first. This is an exploit of human gullibility and a weak operating system, nothing more."
Gnutella powerful, humans weak. Grunt, grunt.
John S. Rhodes
WebWord.com (Usability Vortal)
This is a really clever infection mechanism but it is hardly the worst problem facing Gnutella. Many servers simply house large numbers of files (with appropriate names) that redirect users to the owner's porn site or place a desktop link to said porn site. Many novice users will not think to check the file size and will end up with just porn advertising instead of what they were looking for.
I think this low signal/noise ratio is what is going to hurt Gnutella. Napster avoids this problem by only allowing MP3 files. If it is a worthless file, it will only open in an MP3 player and be found to be an invalid file. On Gnutella, the user could execute a file in the appropriate program--making novices all the more vulnerable to viruses and advertising.
This is not a Gnutella issue. It's a weakness in Windows, one that has been exploited time and time again via email. This 'trojan' just happens to propagate via Gnutella.
Oh, yeah. Kudos to the author. Novel delivery mechanism! Better than ILUVYOU and its attempt to spread via IRC!
.sig: Now legally binding!
This is a UNIX email virus. It works on the honor system:
If you're running a variant of unix , please forward this message to
everyone you know and delete a bunch of your files at random.
Thank you for your cooperation.
< snip >
The only thing this Gnutella trojan can prey upon is an idiot user and there really isn't much one can do to protect against that.
carlos
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
Conscience is the inner voice which warns us that someone may be looking.
-- H. L. Mencken
There was something more interesting, though, that I discovered. Somewhere, someone figured out a way to take the search words that get sent out, and automatically create an HTML file from it. If you download it (as I have, a couple of times), thinking maybe it's an HTML file linking to some place that may have what you want, you'll find it's something else totally unrelated - somewhat akin to getting the xxx sites when searching for completely innocuous topics because they manipulated the search engines. Nonetheless, an unscrupulous user (relatively speaking, given the nature of Gnutella, and because after all, who would complain?) could link to a site full of banner advertising or some such to get hits.
Back in my day we didn't have any scripting language to code virii/worms in, we had to do it in hard code ASM, by hand, without an assembler, in the middle of winter, without power in the middle of a frozen lake. Back then, there wasn't "documentation", we had to reverse engineer the processor to get the correct op codes, then write our own assembler.
Then when we wanted to run the file, we had to transfer it via 340K 5 1/4 floppy disk, we didn't have networks, the Internet or fancy hard drives.
Then once the floppy was in the user's machine, we had to call up and have the user run 4 different executables, this took a lot of social engineering.
Seriously though, who says Microsoft isn't innovative? If you wanted to write a virii/worm for DOS you needed ASM or C/C++, which is difficult for the typical script kiddie to understand. Hand someone a Visual Basic for Dummies book and within a week they have a worm that can propagate around the Internet within a matter of days. Thank you Microsoft for your weak security permissions and easy to use high power octane scripting language.
Seriously though, if Microsoft wanted to make it more secure, give it user permissions like Unix, but if they want to keep it easy to use, have a popup box when something (program/script/command) wanted to access/write/read another user's file and say "This program needs to run at a different user level: level foo, are you sure you want to run this?" and when they click "ok" it gives them a popup box to enter username/password for level foo and if they are entered correctly it runs the program with higher permissions. Easy to use and somewhat secure. Just have Unix or Unix-like permissions, with the ease of use of Microsoft's pop up and dialog boxes, the user won't even have to touch the command line (btw command.com sucks compared to bash, and edit is pathetic compared to vi, I wouldn't wish Microsoft's command line interface on my worst enemy)
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
I don't believe you'll find a less security-aware company on the face of the planet. If they did port Office to Linux I have no doubt in my mind that it'll need root privs, and include all the happy horseshit that's been getting Windows users infected for years.
You can keep MS and the viruses that come with them.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I just tested this, I emailed my grandparents and told them to NEVER execute an attachment. I told them it was probably a worm or virus, went into the whole anti-virus/Windows propaganda and told them not to even click on executables from people they know and exchange email with regularly and even trust. They understood it pretty well.
I wrote a quick, "Hello World" command line program in C, emailed it to them, and guess what, they ran it. I just told them 5 minutes ago that it would probably be a virus, did they question it? No, they ran it blindly.
It just printed the string "some one just told you not to double click on executables, if I virus or worm, you would have to restore from backup, do you even have a backup. Glad I like your mug"
They emailed me back saying "opps". I think they better understand now, the real test is when I email them here in a couple weeks and see if they remember then.
They aren't computer savvy, they chat with old army buddies via email and view cooking guides on the web, they are "normal users" and don't really have a concept of virii or malicious users, even when it is clearly explained to them. Sure they understand it, but do they practice it?
I am going to wait a couple weeks then email the same program from an unknown (at least to them) hotmail or yahoo email account and see if it "stuck" with them
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG