Slashdot Mirror


Massive DDoS Attack Brewing?

Quite a number of people wrote in with the news that CNN is reporting that a Back Orifice-like program masquerading as a movie clip is infecting thousands of computers worldwide. The prediction is that it's being set up for a DDoS - but the technical details are, shall we say, "sketchy".

252 comments

  1. Re:Is it a criminal act to run this code? by Protocull · · Score: 1

    Now that is an interesting point. And a very good way to set up a DDOS, by creating such a file, would be to send it to all your friends and yourself, then when the attack commences you all say "oh, but someone sent it to me and it started itself". And, of course, send it to a few Government agencies (they're bound to download it) so they can all join in. Heh heh.

    --
    Put the blame on meme
  2. Re:I knew this would happen by finkployd · · Score: 2

    Just by the stats of guns vs gun violence I would say a pretty small percentage. Especially if we are just talking handguns.

    Finkployd

  3. Re:...sigh... by Vanders · · Score: 2

    Actually, this sounds more like a "Download this hot pr0n movie now!" type of thing. In theory it's damn simple, take one small pr0n movie, add a player with a BO trojan, stick it on a server(s) or Usenet somewhere, and you're set.

    Most people who are gonna download this thing are gonna be looking for porn, so they won't care if "it needs a special file player", they'll download it and run it so then can see the action.

    At least, that's my theory.

  4. Finding a Cable modem on the Internet by $nyper · · Score: 1

    Just start scanning the rr.com domain

    --
    "Help me Obi-/.-Kenobi,your my only hope!" -$
  5. Re:Since when were movies executed as code? by _xeno_ · · Score: 1

    Since I posted this, other people have posted explanations of how the file gets executed while appearing to be a movie. But you gotta love how Windows by default hides the actual extensions of your files...

    --
    You are in a maze of twisty little relative jumps, all alike.
  6. Re:Lack of security in the 'net by djrogers · · Score: 1

    What a load of crap. I pay my ISP for straight juice, no filtering, no caching, nothing but juice. If they started forcing me to use a filtered service, I'd be gone in a flash. Now, as an option - that might be nice for some users, but you can't just go around filtering ports at the ISP because they might be used by a trojan. All that'd do is make the authors use more common ports for their apps...

    --
    Think outside the... Hey, where'd the friggin' box go?
  7. Re:English lesson by dagoalieman · · Score: 1

    If we wanna be anal compulsive about this:

    it's means "it is", its is the possessive. Its a shame that you can't use it right. In this case, it also is unclear, but I don't give a damn.

    THE GROUP OF COMPUTERS combines into an unclear pronoun. Whatever that is.

    And your last sentence is a fragment.

    To hell with it though, cause I'm be a hick and I ain't here to speak english, and I'm be a tired of reading along and finding this crap.

    --
    We don't need no Net Explorer We don't need no Thought control
  8. Re:This sounds like a Tom Clancy novel by onepoint-o · · Score: 1

    Keep reading comments and you'll soon learn that it's an .exe file made to look like a movie to the untrained eye, e.g. pornmovie.mpg.exe

  9. Re:And this 'evil sleeper virus' affects Linux how by Ventilator · · Score: 1

    If you have a door that is insecure, this IS your fault. But what if someone goes into your apartment and turns on the gas at the stove to bomb the house? Is it your neighbour's fault too?

    It's the same thing with an insecure OS. If you have security holes in your OS and someone installs a trojan to destroy your data or so, this IS your fault.
    But let's say someone uses the security flaws of your OS to install a trojan that launches a DDoS attack against MY host, is it my fault too?

    I doubt that.

    --
    --- If OS were buildings, then the first woodpecker to come around would erase 95 % of civilization.
  10. Re:ASF as well as .EXE files by Epeeist · · Score: 1

    "the Register story you referenced"

    I didn't reference a Register story, I referenced a Linux Today story and the comments on it.

    I accept your correction on the ASF script files.

    I don't spread "rabid pro-Linux FUD". I simply reported on information I saw elsewhere.

  11. Re:I knew this would happen by FFFish · · Score: 2

    I'm not entirely sure that tobacco is "freely chosen." The tobacco companies do their damnedest to get children addicted. I'm not confident that many of these kids are mentally/emotionally mature enough to make free choices about a lot of their actions.

    Which isn't to say that it absolves them of the consequences of their actions. Not in the least.

    But to say that it's "free choice" and dismissing the causative role of the tobacco companies in creating a situation in which children wish to smoke is disingenuous at best.

    The tobacco companies manufacture a product that is harmfully addictive, and go out of their way to promote that product to populations that are poorly informed regarding the consequences of their peer- and self-worth influenced choices.

    They should not be let off the hook by the casual statement of "hey, free choice, man!" any more than any other company that creates hazardous situations for their workers, the general public or their specific consumers.

    --
    Don't like it? Respond with words, not karma.
  12. Re:DOS attack. Or solitaire, for that matter. by nemoc · · Score: 1

    well... my linux distro didn't come with solitaire, and rebooting is kinda a pain....

  13. Re:DOS attack. Or solitaire, for that matter. by Dr.+Sp0ng · · Score: 3

    I don't know, and chances are very few people know, but does the backdoor "phone home" to say it's ready and waiting?

    Apparently it puts the IP address of the machine it's running on in an IRC channel somewhere, where I'm sure there's a bot gathering the info. Pretty smart way of avoiding being traced :-)
    --

  14. If it is a DDOS brewing, we can do something. by Paul+Crowley · · Score: 2

    OK, so it's a trojan that opens a port to listen for arbitrary instructions, and broadcasts the port it's listening on on an IRC channel. Does it authenticate the instructions it receives with public key crypto?

    If not, what's to stop us listening on the channel as well, and connecting to each advertised IP address, sending instructions which deactivate the trojan? Raises interesting technical and ethical issues, but it seems to me like the ultimate in "white hat cracking"...
    --

  15. Re:Palmer says.... by Bob(TM) · · Score: 1

    Both of them.

    --

    The little guy just ain't getting it, is he?
  16. Re:No Threat, except to your bankaccount by neonsam · · Score: 1

    I'm going to have to say that Symantec may be playing this thing down, but they certainly aren't providing a wealth of detail why. It looks to me like the typical "if we didn't find it first, then it must not be a real threat" attitude that most anti-virus vendors take.

  17. Re:CNN ? by Booxbaum · · Score: 5

    The link to the advisory on www.netsec.net is here; it has more technical info than the CNN article.

    --
    --- Boox
  18. Killing of a subseven network... by GoNINzo · · Score: 4
    I recently killed around 250 nodes of a subseven network. Apparently, they thought my IRC server would be a good harbor. They all used the same username, and they all used similar names. After I found the bots, I put a sniffer on the bot master, grabbed his password, and then used that to gather the ports and passwords of the bots. Then, I used the 'remove server' option of the server to remove the bots from the people's machines.

    It was a huge project, took me around 8 hours to do, and was a huge pain in the ass. Subseven is a damn scary trojan; it only has limited flooding abilities, but it can gather a lot of information and can redirect most anything. This would allow a cracker to gather personal information, bounce a web request off of it to use a stolen credit card, or ping flood some IP.

    I hope to god they manage to catch these guys and that they don't pay much attention to the news.. heh.. I'm betting they are just using subseven to bounce off a client anyway, so their IP might be disguised. All I know is that 250 of these clients are no longer around because of me, and that makes me feel a little safer.

    If anyone is involved in the clean up of these clients, please get in contact with me. I might be able to provide you with operational knowledge.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
    1. Re:Killing of a subseven network... by GoNINzo · · Score: 3
      Two issues here, the time frame and the ability to script it.

      I was unable to script this setup because subseven uses a Windows-based GUI. I was unable to find a command line version that did what I needed it to do. Basically, a command line version that would log in, remove the server, and log out would be great, but right now no such tool exists. In theory, I should have then been able to pass it a list with all the IPs I knew. Yes, it would have been nice, but cut and paste into the GUI was all I had time for. I've spoken with people at CERT and NetSec and was told that something like this is in the works.

      The long time was because not all hosts are on at the same time. The bot net seemed mostly international, so at the time that people in Japan are turning their computers on, people in the UK are turning theirs off, etc. Hence, there was a constant flow of bots in and out of the channel. By grabbing the IP when they joined, I cut and pasted it into the subseven client program, and then removed the server. It was a REAL pain in the ass because the subseven server only allows IPs, not hostnames. Anyway, after around 8 hours of doing this, I felt that the botnet was permanently crippled, and left the rest. The guy is getting followed by several people, removing the rest of the clients.

      No, it wasn't the most elegant solution, and yes, it sucked. I should have packet sniffed the connections and recorded the output, so I could script the whole thing to automate it for this current botnet.

      --
      Gonzo Granzeau
      "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  19. Re:Consumer Security by narf · · Score: 1

    You can get things like that (i.e. Netopia), but it's much cheaper for the provider to use a bridge instead of an intelligent routing device. I got a 3Com "No Customer Maintenance" DSL bridge, but I use a BSD box for NAT and IPF.

  20. Re:I knew this would happen by mwillis · · Score: 1

    Ah, sarcasm.

    I like sarcasm. But raw text, devoid of subtle body language and foreknowledge of the author, has probability 1 of being misinterpreted. So if you care what people might say, one must be very careful with sarcasm on the internet.

    The polite thing to do seems to be to add a smiley for the humor-disabled, so as to aid their faulty recognition. That, or use HTML-like tags to indicate <SARCASM> and </SARCASM>. Except both of those seem to dumb down everything for the lowest common denominator, and generally ruin the joke.

    More illustrations of the dangers of sarcasm can be found in this article.

  21. Re:WTF? by Draoi · · Score: 1

    Duhh! They're not even MPEGs. Problem is, there are so many dumb people out there mindlessly clicking on any old .exe file that flies into their mailboxes.
    Pete C

    --
    Alison

    "It is a miracle that curiosity survives formal education." - Albert Einstein

  22. Re:DOS attack. Or solitaire, for that matter. by Vanders · · Score: 1

    I dunno, Solitaire can be pretty damn addictive. Why do you think Microsoft included it in Windows?...

  23. Re:WTF? by Rjcc · · Score: 1

    No, it's possible to embed an icon in a file, that's how windows displays icons for different exe's with the logo of said game or whatever. This is a common tactic for BO trojans.

    --
    "I'll be your huckleberry" - Doc Holliday - Tombstone
  24. Oh no by nharmon · · Score: 1

    The problem, detected by a security firm that works for the Justice Department

    NETSEC, founded by two alumni of the National Security Agency and Department of Defense, provides computer emergency services to the Justice Department.

    This is simply nothing more than a soft form of the word Echelon

    No but seriously. What we're seeing here is the Department of Defense working closely with the Justice Department. While you and some other people might think something along the lines of "big deal", I'd like to conjure up a few memories of each of these departments' histories.

    First of all, in the United States, the military is not to be used in the policing of Americans. Their resources are off limits to police agencies, and their personnel are prohibited from engaging in law enforcement activity outside the bounds of their property (i.e. Military Police on military bases).

    And for very good reason is this division. First of all, look at the Branch Davidian incident in Waco, Texas. This was a USDOJ/USDOD joint activity. We're just now beginning to realize to what extent the DoD was involved.

    I honestly think this is the beginning of a new policy where America's military will continue a mission of American policing. That is unacceptable, as the consequences are staggering.

    I mean, is it just me, or is Janet Reno REALLY going against what America has stood for in the past two hundred years?

    1. Re:Oh no by thesparkle · · Score: 1

      You are right, but you seem to be forgetting some things.

      First, there are the voters who are duped into believing that some issues are so urgent the Constitution and rule of law should be circumvented in order to solve the problem.

      Second, are the government officials in the Justice Department, federal and local law enforcement who are duped into believing they are really working on a specific problem, i.e. freeing Elian Gonzalez, getting guns from the hands of criminals. They get so caught up in their actions they forget what they are fighting for.

      Finally, are the people who are behind it and have the overall agenda. All plans revolve around total control, if not direct then indirectly. The motivation for their actions are "We know what is best for you (average joe) because you are too dumb to know what is best for you". This applies to guns, drugs, tobacco and a few other things today. Soon it will apply to nearly everything.

  25. This thing has been around for at least a month. by Anonymous Coward · · Score: 1

    Everyone says they knew it was coming; here's my tale of why I thought something was afoot. About 2-3 weeks ago, a friend of mine sends me a file called "blahblah.exe" and says "I found this running in the background? No idea where I got it". Running strings on it yielded that it was a combo IRC client/program launcher. For example, it connected to a certain "large popular IRC network" (yah.. that one). Once connected it checked if some other .exe(s) were available, then msg'd someone indicating one way or the other. I think it joined a channel and did some other nonsense once on IRC. It also used an .ini file containing 25-30 lines of encrypted text. You couldn't even tell which IRC server it was going to connect to. After nullrouting myself and running it, it attempted to connect to that "big IRC network" on multiple servers; thus shutting down its outbound route to modify itself is fairly tough because it isn't fixed on one point of download, it's got quite a few. Of course none of my win32 virus scanners cared about this "blahblah.exe" file either. It attempts multiple ports for IRC as well, so those that filter 6660-7 are still vulnerable. Antivirus companies routinely take credit for discovering viruses even though they were reported to them by someone like ourselves; that is why I saw no need to assist them in pointing out this new creature. This is also why I did not list the actual .exe or .ini file names and have been rather vague about all this; let them earn their supper like the rest of us. To make a long story short.. "I had a feeling this would happen".
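Two observations in this thread point at the same detection approach: the Anonymous Coward's note that the bot tries several IRC ports, so filtering 6660-6667 misses it, and GoNINzo's note (comment 18) that every bot registered with the same username. The block below is an added example, not code from any poster, that classifies outbound flows as IRC by the registration commands in the first bytes of the stream rather than by port, then flags off-port sessions and usernames shared by many client addresses. The flow records, addresses and names are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Ports a naive filter would block (the thread mentions 6660-6667).
STANDARD_IRC_PORTS = range(6660, 6668)


@dataclass
class Flow:
    src: str        # client address (constructed sample values below)
    dport: int      # server port the client connected to
    payload: bytes  # first bytes of the client-to-server stream


_VERB = re.compile(r"^([A-Z]+)(?:\s+(.*))?$")


def parse_irc_prefix(payload: bytes) -> dict:
    """Read the leading lines of a stream as IRC client commands.

    Returns the set of command verbs seen plus the NICK and USER values.
    RFC 1459 registration is 'NICK <nick>' and
    'USER <username> <hostname> <servername> <realname>'.
    """
    info = {"verbs": set(), "nick": None, "user": None}
    for raw in payload.split(b"\r\n")[:8]:
        line = raw.decode("ascii", errors="replace").strip()
        m = _VERB.match(line)
        if not m:
            continue
        verb, args = m.group(1), (m.group(2) or "")
        info["verbs"].add(verb)
        if verb == "NICK" and args:
            info["nick"] = args.split()[0]
        elif verb == "USER" and args:
            info["user"] = args.split()[0]
    return info


def is_irc_client(flow: Flow) -> bool:
    """An IRC client registers with both NICK and USER; requiring both
    avoids mistaking POP3 (USER/PASS only) or stray text for IRC."""
    return {"NICK", "USER"} <= parse_irc_prefix(flow.payload)["verbs"]


def classify(flows, shared_user_threshold=3):
    """Return (irc_flows, off_port_flows, shared_users).

    off_port_flows: IRC sessions outside 6660-6667, i.e. the ones a
    port-based filter would miss.
    shared_users: USER names seen from at least shared_user_threshold
    distinct client addresses, the 'same username on every bot' pattern.
    """
    irc = [f for f in flows if is_irc_client(f)]
    off_port = [f for f in irc if f.dport not in STANDARD_IRC_PORTS]
    by_user = defaultdict(set)
    for f in irc:
        user = parse_irc_prefix(f.payload)["user"]
        if user:
            by_user[user].add(f.src)
    shared = {u: sorted(s) for u, s in by_user.items()
              if len(s) >= shared_user_threshold}
    return irc, off_port, shared


# Constructed sample flows: one ordinary user, three look-alike bots on
# non-standard ports sharing a USER name, and two non-IRC sessions.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"),
    Flow("10.0.0.17", 7000, b"NICK bot7731\r\nUSER xyz 0 * :xyz\r\nJOIN #x\r\n"),
    Flow("10.0.0.23", 8080, b"NICK bot0148\r\nUSER xyz 0 * :xyz\r\nJOIN #x\r\n"),
    Flow("10.0.0.42", 443, b"NICK bot9902\r\nUSER xyz 0 * :xyz\r\nJOIN #x\r\n"),
    Flow("10.0.0.9", 110, b"USER mail\r\nPASS hunter2\r\n"),       # POP3, not IRC
    Flow("10.0.0.11", 80, b"GET / HTTP/1.0\r\nHost: example\r\n"),  # HTTP
]

if __name__ == "__main__":
    irc, off_port, shared = classify(SAMPLE_FLOWS)
    print(f"IRC sessions: {len(irc)}, off standard ports: {len(off_port)}")
    for user, hosts in shared.items():
        print(f"USER {user!r} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```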

  26. Re:Since when were movies executed as code? by mrfiddlehead · · Score: 1
    HOW a movie clip can contain a trojan horse.

    If the clip is repackaged as a .exe. Most Lusers have no clue about the difference between an .mpg, jpg, exe, doc, ...

    I work with profs who still don't ken the difference after working with these file extension associations for the past decade.

    --
    :wq
  27. Re:Lack of security in the 'net by electricmonk · · Score: 1
    That said, given that it's cable companies doing this, the login for administration would probably be: Login: admin

    Password: admin

    Oh yeah? Well, the password for @Home's support mode on their netdiag tool is:

    login: athome password: athome

    Just create a shortcut to the tool with the entry "netdiag.exe mode=support" at the end of the directory address.

    Have Fun!

    --
    Friends don't let friends use multiple inheritance.
  28. Inconsistencies by borg_1of0 · · Score: 1

    Maybe somebody can help me with this. I have been hearing it a lot from the media, but can find no technical basis for this. How does having Cable or DSL make you more vulnerable? I mean there are always users sharing their hard drives, but that is just the same on the modems.

    And a little note of caution ... the article mentions 'special software' that needs to be used to make your Cable modem secure. I am wondering if somebody is going to peddle something like Cybersitter or some other censorware that (now possibly that will filter out napster as well) under this excuse.

    And one more thing ... how could they possibly know the 'handles' of the people who probed them ?! This is CNN trying to get better ratings. "Hackers gathering their armies" to strike when you sleep. UGH ...

    1. Re:Inconsistencies by centaurc · · Score: 1

      >How does having Cable or DSL make you more vulnerable?

      I think what they are getting at is as follows (their points):
      1. You are connected 24/365 and so there is a longer opportunity for people to check out vulnerabilities.
      2. You have the same IP for a longer period of time, again like #1.
      3. You aren't on the machine the whole time so would be less likely to notice that something was going on and/or, you would not notice if something huge (or many small things) was sapping your bandwidth. :-)

    2. Re:Inconsistencies by shanek · · Score: 1

      Maybe somebody can help me with this. I have been hearing it a lot from the media, but can find no technical basis for this. How does having Cable or DSL make you more vulnerable? I mean there are always users sharing their hard drives, but that is just the same on the modems.

      The main difference is that Cable/DSL is much, much faster than a dial-up, and therefore doesn't take as long to perform your mischief.

      Another difference is the "always-on" nature of many Cable/DSL providers. I have ADSL through BellSouth, which allows you to connect/disconnect like a normal dial-up, and gives you a different IP address each time. That's a lot better than a 24/7 connection with the same IP address the whole time. I'm still vulnerable to a degree, but not as much so as others.

      And, of course, those with a 24/7 connection can always just disconnect the cable when they're not browsing. A little bit of effort will go a long way in this regard.

    3. Re:Inconsistencies by Carnage4Life · · Score: 1

      Maybe somebody can help me with this. I have been hearing it a lot from the media, but can find no technical basis for this. How does having Cable or DSL make you more vulnerable? I mean there are always users sharing their hard drives, but that is just the same on the modems.

      Cable or DSL are more attractive to crackers and script kiddies because the IP is static (or at least semi-static) and there is more bandwidth to play with. Therefore if I find a DSL/Cable box to crack, I can be pretty sure that it'll have the same IP next time I come around and also that it'll always be connected to the internet while for dialup IP addresses change on each connection to the net and even when connected are unstable anyway. This is also a concern since IP ranges for the net addresses of ISPs can be estimated given one or two and then random portscanning will find suitable candidates.


      And a little note of caution ... the article mentions 'special software' that needs to be used to make your Cable modem secure. I am wondering if somebody is going to peddle something like Cybersitter or some other censorware that (now possible that will filter out napster as well) under this excuse.

      Nope, they mean firewall software which can detect port scans and/or warn or stop programs on your machine from connecting to the Internet without your permission. If you have a permanent connection to the Net and use a Windows machine at home I suggest getting a firewall, you'd be surprised at the amount of portscans you'll get a week and may be shocked that you already have a trojan on your machine.

    4. Re:Inconsistencies by wolfgang_spangler · · Score: 1

      Maybe not more vulnerable but more attacked. If you were mounting a DDOS attack would you use a bunch of dial-up users? Wouldn't work that way; you would use people with fast, permanent connections to the net.

      It sounds like CNN BS to me also though :)

  29. I can relate by psi-k0 · · Score: 1

    My girlfriend and I watched a movie clip about a massive back orifice once. She denied me her services for a week and a half. which half? the top half.

    grunties, leave your inner ear alone.

    ow my eye.

  30. Re:I knew this would happen by Syberghost · · Score: 2

    I guess, then, the question would be - for an "average" gun, how many people is it used to injure (either on purpose or accidentally) during the course of its lifetime?

    Rounded to the nearest tenth of a percent?

    Zero.

    Even if you count military-owned weapons. Even if you just count handguns, or just count military-appearing semi-automatic weapons, or pretty much whatever anybody feels like banning this week.

    Hell, even if you just count handguns used by citizens in the actual prevention of an actual attempted crime, it is less than .1%.

    America's supposed gun violence problem is a myth, manufactured by the media for the purpose of scaring people; because scared people watch the news.

    Tobacco kills over 400,000 people a year. Guns kill about 35,000 Americans a year, and over 2/3 of those are drug traffickers killing each other.

    And as for accidental gun deaths; there are about 200 per year. That's less than three times as many as caused by lightning, and it's been going DOWN steadily (as a percentage) for decades.

    Hell, more people (302) die of falling down in the state of Colorado than die from gun accidents in the entire country!

    There are something like 2,500 deaths by drowning in the US every year. If you want to save lives, outlaw swimming pools.

    More people under 24 die in traffic accidents every year than the TOTAL of all ages who are killed by firearms, accidentally or on purpose. Make the legal driving age 24 and you'll save more lives than by outlawing guns, even if you could make all the guns disappear!

    If you take out drug-related murders, guns are used to kill about 11,550 people a year, plus another 200 that die by accident.

    11,750 people seems like a lot, but it's less than die from falling down in their homes! It's twice the number who die in workplace accidents, and we don't hear about an epidemic in that!

    And when you factor that against the number of times guns are used to prevent a crime, whether you accept 500,000 or 2 million for that number, one starts to wonder where exactly the hysteria is coming from?

    It's certainly not coming from the tens of thousands of women who protect themselves from rape each year with a handgun.

    A media facing declining ratings made the whole thing up.
    --

  31. Re:HOAX ? by haapi · · Score: 1

    The Conspiracy Theorist inside me that hasn't had his tea yet today says, "The Feds have implanted a controlling computer virus in Symantec's software, which will then be distributed world-wide in the mad rush to update virus checkers by every vulnerable user in the world."

    Must have tea. Mmmm. Tea.

    --
    Well, apparently, you only have to fool the majority of people for a little while.
  32. Question about this extension stuff by spitzak · · Score: 1
    If the user was mailed a *real* movie called foo.mov, isn't the extension hidden on them so the name they see is "foo"?

    If this is true, why aren't the files named "foo.exe" rather than "foo.mov.exe" so they look more like movies.

    (I think I know the answer, which a lot of people are not going to like: the answer is that "icons" are bunk, the letters ".mov" despite their cryptic nature, are far more compelling than any image to even novice users)

    But if anybody has any better answers please tell me.

    Also, are they able to make the icon an exact copy of the .mov icon by changing the icon embedded in the .exe? I recommend that MSoft at least show a generic .exe icon if this is the case.
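To make the question above concrete, here is an added example (not from the poster) that models Explorer's "hide extensions for known file types" display rule and flags names where the type a user sees differs from the real executable type. The set of "known" extensions is an assumption made for the example; on a real machine it comes from the registry.

```python
import os

# Assumed "known" extensions whose suffix Explorer hides by default,
# and the subset that Windows will execute. Real lists are registry-driven.
KNOWN_TYPES = {".mov", ".mpg", ".mpeg", ".avi", ".asf", ".jpg", ".doc",
               ".txt", ".exe", ".com", ".bat", ".pif", ".scr"}
EXECUTABLE = {".exe", ".com", ".bat", ".pif", ".scr"}


def real_type(filename: str) -> str:
    """Extension the shell actually acts on: the last one."""
    return os.path.splitext(filename)[1].strip().lower()


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Name as Explorer shows it: the final extension is dropped when it
    is a known type and hiding is on (the default setting)."""
    stem, ext = os.path.splitext(filename)
    if hide_known and ext.strip().lower() in KNOWN_TYPES:
        return stem
    return filename


def apparent_type(filename: str, hide_known: bool = True) -> str:
    """Type a user infers from the displayed name; '' if no extension
    is visible (then only the icon suggests a type)."""
    return os.path.splitext(displayed_name(filename, hide_known))[1].strip().lower()


def is_disguised_executable(filename: str, hide_known: bool = True) -> bool:
    """True when the file will execute but the visible name suggests a
    non-executable type: 'foo.mov.exe' is shown as 'foo.mov'.
    'foo.exe' shown as 'foo' is not flagged here: nothing in the name
    claims a type, which is the point the post makes about icons."""
    real = real_type(filename)
    shown = apparent_type(filename, hide_known)
    return real in EXECUTABLE and shown != "" and shown not in EXECUTABLE


def flag_disguised(filenames, hide_known: bool = True) -> list:
    """Return the names in a listing that pass as media or documents."""
    return [n for n in filenames if is_disguised_executable(n, hide_known)]


if __name__ == "__main__":
    # Constructed sample listing.
    for name in ["foo.mov", "foo.exe", "foo.mov.exe", "clip.mpg.exe", "setup.exe"]:
        print(f"{name:14} shown as {displayed_name(name):12} "
              f"disguised={is_disguised_executable(name)}")
```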

  33. Re:Stop it before it spreads by erpbridge · · Score: 1

    right, sure, we believe you!

  34. Re:Massive automobile recall by cyoon · · Score: 1

    Hmm ... so when they say that "drivers" of "cars" are affected by "gas" price hikes, are they slighting drivers of diesel-powered cars? Please. Car means to most people a gas powered automobile just like computer means to most people a desktop machine, which for most people runs Windows. Linux is still a third class operating system for most people. Quit your whining.

  35. Re:I knew this would happen by BadERA · · Score: 1

    Government intervention is obviously the solution. You are so correct -- what were all we free-thinking privacy advocates thinking? It should have been clear to us all along that there's less potential for harm with government intervention & control than with security-smart sysadmins doing their jobs the right way. Duh.

    --
    I am, therefore you think.
  36. Stop whining about the problem. Help fix it. by BigBlockMopar · · Score: 1
    As a security consultant for small and medium sized businesses, I'd like to personally thank you for putting food in my family's mouth and gas in the Mercedes.

    Okay. In reply to this and the earlier posting threatening to come after me with a hockey stick (re. NetBIOS comes back on with no provocation), I certainly agree with you all that Windows is a security problem, which is a big part of why I'm working my ass off to become familiar with Linux.

    I don't expect Linux to be easy to learn; but I do have enough cross-platform experience to feel that at least installing it should be easier than it is.

    There's no shortage of people who hate Microsoft and distrust their products. But there is a shortage of useable alternatives.

    It doesn't matter that the world's greatest webserver is available for Linux if an average user can't get through the installation. Shit, an average user is very unlikely to even try to install Apache.

    And let's face facts: high speed internet access appeals to us because we like computers, we play with them for fun, we administer networks at the office, we're in it because we like it. But most people just see it as a means to an end: they want the computer to hit ebay, to check out their e*trade portfolio.

    These users want applications with which they're familiar, running on an operating system that is stable and easy to install.

    Well, Windows isn't stable; just about anything beats it. Certainly the OS stability achieved through open-source development is incredibly impressive.

    That's the difficult part, and it's done. So, why not be a part of the solution and work instead at improving the installation sequence and building more apps to ensure a bigger user base?

    I hate to think this: I chose Red Hat 6.0 because it is, in my understanding, the best distribution for a new user. I researched it before I picked it up. It's got the best support, the best documentation, the best installer. And, while I lack the Linux/Unix skills that a lot of fellow Slashdotters have, I am a veteran assembly language programmer. That alone should be a testament to my comfort level with computers.

    Installation should have been a breeze for me. For anyone who expects things to work out of the box, it would simply have been impossible.

    If I only owned one machine, I would have formatted the drive, attempted to install Linux, then sworn off it with the hell I went through. While I like playing with computers, I also need them as tools, and if I didn't have the luxury of a spare (old) system, I would have been screwed. Sure, I could have repartitioned the drive and kept Windows up, but the LILO partition size bug would have still stopped me in my tracks. Expecting that new Linux users are going to try it out on old computers before migrating their main systems over, the support for older systems should be phenomenal. But it isn't.

    The problem is that, because it's open source and written on a voluntary basis and peer-reviewed, it's easy for those programming to forget how difficult installation can be. One doesn't code for a sophisticated operating system without having a detailed knowledge of that operating system, and the focus is therefore distracted from what should be of prime interest to all involved: getting this thing to be more of an accepted replacement for Windows.

    For all the bad things you can say about Microsoft, at least they actually get users (not programmers) to test the installation processes that their customers will have to endure after they stick that CD in the drive. Stick a Red Hat CD into an average user's hands, and watch what he goes through installing it. Take notes. Then start looking for solutions. Because you're not going to get alternatives to Windows out there unless they're installable.

    So, instead of bitching about it, fix it. Take proactive steps to reduce the numbers of high-speed Internet users who are, out of necessity, continuing to run an operating system that puts the entire Internet at risk.

    Or, sit back, do nothing, but don't blame me when it takes six months of diverting time away from my busy schedule to play with Linux before I can actually get the system to do something useful for me. And, be grateful that I'm trying to be a part of the solution.

    --
    Fire and Meat. Yummy.
    1. Re:Stop whining about the problem. Help fix it. by BigBlockMopar · · Score: 1
      Good points although the major Linux distributions (Corel, Caldera & Red Hat) have become no-brainers to install for semi-intelligent novices.

      I picked up my Red Hat 6.0 distribution enclosed with a magazine. It was current in November or so. Now, I realize, we're up to 6.2 or 6.3 (can't remember which, and it's late, I had a long day, and I have to pull the motor out of a Volvo tomorrow, so forgive me for not double-checking Red Hat's website).

      My skepticism remains. My install should have been a no-brainer. And, if I had known Linux very well, I'm sure it would have been quite easy. But I don't know it well enough to know how to partition the drive for a good install. And, even more irritatingly, no one can give clear and concise answers over how to properly do it. Asking someone on usenet will start a great flame-war. Not working to resolve this simple question of partitioning for a very basic install is a symptom of a lack of agreement and consistency over what makes a stable and secure system for a new user to learn about. And this serves as a roadblock to the usurpment of Windows.

      I didn't (at the time) know about the LILO problem with some BIOSes and larger hard drives. The installation of PCMCIA support after I specifically told it not to during the installation process was thoroughly frustrating, since it meant that I could only start the system up in single user mode. Which I could only do after booting from the rescue disk because of the LILO problem.

      Then, the distro didn't include the dhcpcd demon I needed to get a very basic networking feature running. (Yes, my Windows 95 firewall/gateway is also my home LAN's DHCP server.) That's another roadblock to someone who's installing on their main system and can now no longer access the Internet to download the client. I'd be digging out my Windows registration number again at that point. And it poses questions as to how well Linux is equipped to be the out-of-the-box networking solution that it claims to be.

      As I indicated, no intelligent prospective user of a new operating system is going to install first on his current system if he's got a replacement around. Stevie Wonder could see that. I'm not advocating that Linux should pander to the lowest common denominator, but I can't believe that I would be the first or only prospective new user to attempt a workstation install of RH6.0 on a 486DX2-66.

      I did notice something, however. It takes Gnome over half an hour to boot up on that system. So much for the commonly-broadcast myth that Linux/X is less resource-intensive than Windows 9x.

      I'm still working to learn Linux, because I like a challenge and because I believe in it. I'm still running Red Hat 6.0, but I have experimented with the UMSDOS ZipSlack distribution, and found it to be far easier to get it happily running. In fairness to Red Hat, it's significantly less sophisticated.

      But I rest my case: either start compiling, or stop bemoaning the compromised Internet security that millions of Windows boxes collectively represent. Be assured, after I'm familiar with my newly adopted OS, I'll be pulling my weight.

      --
      Fire and Meat. Yummy.
    2. Re:Stop whining about the problem. Help fix it. by teste_2000 · · Score: 1

      I recommend trying slackware, install a basic system without X etc., then reboot after installation using the CD, at the boot prompt type
      "vmlinuz root=/dev/hdaX load_ramdisk=0 initrd=" where "X" is your / partition. Go get the new LILO from freshmeat, run the installer and then LILO, and you should have next to no problems booting with a solid, command-line system. The folks at comp.os.slackware (I forget the exact name) are very helpful, laid back individuals who will almost always point you to the exact problem you're having. The system you wind up with will be 10X more secure than the magazine-rack Redhat you're currently trying to use (nothing against RH, but keep in mind that they are working towards being a general purpose, desktop distro. Slack still has the hobbyist in mind, and doesn't try to make things more convenient, which I find helpful.) Also it will be a little more difficult at first using only the command line, however by the time you're done you'll not only have a solid simple system, but the know-how to maintain it (not to mention that feeling of accomplishment!)

      For partitioning, I'd recommend using "cfdisk" (much more like the dos fdisk you're used to). Try a 1 gig partition for / a 500 meg for swap and maybe a partition or two for /home and /usr or /usr/local (conventional wisdom that if your root partition gets toasted you can reinstall and still have your user's apps and personal files) optional. Redhat and some of the based-on-RH get around the lilo problem by putting like a 10 meg partition at the beginning of the drive as /boot, although I've had much better luck just doing it the old-fashioned / way (no boot partition), as make bzlilo installs freshly compiled kernels neater that way.

      Anyway, just my two cents of advocacy :-) People may feel free to correct any factual errors or mistakes in my instructions, however flames will be ignored.

  37. Re:I knew this would happen by finkployd · · Score: 2

    The part about people jumping up and shooting a family member is right on the money.

    One thing that bothers me is when people hear stories about this kind of thing (however uncommon) they assume it is an indication of the dangers of guns, when it's simply a case of a misused tool by someone not trained properly. I can misuse plenty of common household tools and kill someone accidentally. That doesn't mean they are bad or that everyone misuses them.

    Finkployd

  38. Re:Better idea by Ventilator · · Score: 1

    1) Get modem and NIC manufacturers to modify the ports on their products so that they can eject a connecting wire under program control.

    Oh yeah. With a feature like this, DoS never has been easier to do.

    BTW: This exists already for some modems and is called "ath0ping". Some modems do not wait the obligatory second before and after the escape-code (+++) but return instantly to command-mode. So when you send the host a ICMP-Packet containing the string +++ATH0, it of course pongs this string. Due to this design-bug, the modem treats the string as a command and... (TADAA!) hangs up.
    This bug is mostly found in el-cheapo modems. My USR Sportster is invulnerable however.

    --
    --- If OS were buildings, then the first woodpecker to come around would erase 95 % of civilization.
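The ath0 ping described above, as an added example that is not part of the original thread: the ICMP echo request and the victim's echo reply, built by hand from the RFC 792 layout (type, code, checksum, identifier, sequence, data), so you can see that the reply copies the request data verbatim, which is exactly why a modem with no escape guard time sees the attacker's +++ATH0 come out of the victim's own serial line. Nothing is sent on the wire; the detector at the end is the check a packet filter or IDS would apply to ICMP data. The identifier value, the padding bytes and the regular expression are my assumptions for the example, not anything the commenter specified.

```python
import re
import struct

# The string from the comment: Hayes escape sequence followed by the hang-up command.
MODEM_HANGUP = b"+++ATH0"

# Detector pattern (my assumption): "+++", optional filler, then an AT command.
# Modems accept lower-case "at" as well, so the match is case-insensitive.
_ESCAPE_RE = re.compile(rb"\+\+\+\s*at", re.IGNORECASE)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer (local copy only)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1,
                    reply: bool = False) -> bytes:
    """ICMP echo request (type 8) or echo reply (type 0):
    type(1) code(1) checksum(2) identifier(2) sequence(2) data(n)."""
    icmp_type = 0 if reply else 8
    unchecked = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = inet_checksum(unchecked)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def checksum_ok(packet: bytes) -> bool:
    """A message whose checksum field is correct sums to zero."""
    return inet_checksum(packet) == 0


def echo_reply_for(request: bytes) -> bytes:
    """What the pinged host does: copy identifier, sequence and the data
    unchanged into a type-0 reply. The verbatim copy is the whole trick:
    the victim's TCP/IP stack writes the attacker's bytes to the modem."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
    if icmp_type != 8:
        raise ValueError("not an echo request")
    return build_icmp_echo(request[8:], ident, seq, reply=True)


def carries_modem_escape(packet: bytes) -> bool:
    """Filter/IDS check: does the ICMP data portion contain an escape + AT command?"""
    return _ESCAPE_RE.search(packet[8:]) is not None


if __name__ == "__main__":
    # Constructed sample: the hang-up string buried inside ordinary ping padding.
    request = build_icmp_echo(b"padding-" + MODEM_HANGUP + b"-padding")
    reply = echo_reply_for(request)
    print("reply type:", reply[0], "checksum ok:", checksum_ok(reply),
          "escape present in reply:", carries_modem_escape(reply))
```

Dropping matching ICMP at the border is only a patch; the real fix is on the modem side, where the escape sequence must be preceded and followed by a guard interval (the S12 register on Hayes-compatible modems) before it is treated as a command, which is why the poster's Sportster is unaffected.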
  39. Hype, Hype, Hooray by Phaid · · Score: 2

    This is more corporate and government sponsored hysteria. This NETSEC company wants attention, so they issue a big press release at a time when all the major media outlets just eat up virus and DDOS stories. And the government wants to exploit this hysteria to pass stupid anti-encryption laws and gain broad wiretapping powers. Two great tastes that taste great together...

    I dunno, maybe I'm too cynical but don't the names "Serbian" and "Badman" sound just a little corny? Almost like they were made up by someone who read a few glossy articles about the computer underground and then decided to write some FUD that would get people's dander up? Can anyone not involved in the promotion of this exciting story confirm that these guys really exist and that they're not more than a couple of kids being l33t on an irc channel?

    It just seems so convenient...

  40. Re:What they never say by CerebusUS · · Score: 1

    Why do you call it a virus when it's obviously a trojan?

    Answer: not everyone is 100% clued in about everything... yet we get along :-)

  41. Food for Thought by Mzilikazi · · Score: 1
    Many of the recent virus/internet security alerts have had fairly innocuous names thus far... "Melissa", "I Love You", or have been given technical names like "AutoStart Worm" or "DDOS"...

    I wonder what the news media would do with a really foul-named virus... Wouldn't you just love to hear Tom Brokaw reporting on the "**** You In The *** With A ******** and a ****" Virus? (Use your imagination!)

    Or if something used language that was not particularly vulgar but had a bad connotation when put together. "The Angry Shaved Gerbil" Virus... Hee hee...

    --
    Random Musings at Rum Smuggler
    1. Re:Food for Thought by killbill! · · Score: 1

      Just imagine if someone spread a polymorphic virus (inside the email) propagating like a worm and starting a DDOS attack on the domain where the email address is. Or a virus masquerading as an antivirus update... It'd be really the end of the Internet as we know it for a good week, wouldn't it?

  42. Re:Since when were movies executed as code? by Phroggy · · Score: 1
    The file name is something.mov.exe, and since Windows (by default) hides the file extension, all the user sees is something.mov, which they happily click on, and it probably plays a movie (I dunno, I haven't really been paying attention, but it probably does, to avoid suspicion).

    --

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  43. You're on to something here! by spiny+norman · · Score: 1

    In Canada the dangers of cigarette smoking have led to the legislation of very large and extremist 'warnings' covering roughly one-third of a cigarette package - perhaps what is required is a similar gov't-mandated warning on all shrinkwrap and clickwrap copies of M$ software: "Warning: Using this software makes you vulnerable to 17,000 different security holes, trojans, macro viruses, etc, etc. Use at your peril!"

  44. What we need by Jon+Erikson · · Score: 1

    Is for someone to do this, but instead of launching a DDoS attack, to set up people's firewalls to prevent this from happening again. Possibly the only good use of 0wning someone's box...


    ---
    Jon E. Erikson
    --

    Jon Erikson, IT guru

    1. Re:What we need by BigBlockMopar · · Score: 1
      I saw a neat firewall made by ZoneLabs that does application control (pops up a dialog when a program attempts to connect to the Internet), but that is much more user intrusive.

      Yeah. Okay. Don't flame me, I'm still a Linux newbie, but I'm working hard to learn it.

      While I'm learning, my proxy server and firewall to the Internet - for all my home LAN, including my Linux box - is a Windows 95 machine. And I'm running ZoneLabs ZoneAlarm for protection.

      I'm not sure what I think of it. I like the idea of allowing or disallowing communications by application, not by service or port. And it's really not that intrusive, since once you've told it that Eudora can use the Internet, it can save that information and always allow Eudora unrestricted access.

      It's nice, too: WinVN is my text-based newsreader, and AS-A1 is my binary newsrover. Since they both connect thru port 119, most firewalls wouldn't know the difference. But ZoneAlarm knows them apart.

      But, because you can't configure the ports allowed by certain apps, it's impossible to know for sure what ports your applications are using; a dishonest application or a hacked one could easily ooze information past the firewall.

      So, I guess it's a pretty easy drop-in better-than-nothing security solution for cable/DSL home users. But I want to actually be able to set it up on a port level.

      --
      Fire and Meat. Yummy.
    2. Re:What we need by demaria · · Score: 2

      Trojans are among the hardest things for a firewall to defend against. Is it a trojan, or just a normal Internet application?

      Even personal firewalls that do intrusion detection have problems with trojan programs. Plus, you're at the mercy of the frequency of signature updates. Or run BO on port 5000, that throws some policy files off.

      I saw a neat firewall made by ZoneLabs that does application control (pops up a dialog when a program attempts to connect to the Internet), but that is much more user intrusive.

      Blocking all outgoing ports is an interesting idea but still problematic. A fun test I do on firewalls I test is playing with UDP port 53 (that's DNS). You can also send a DOS attack over port TCP 80, and even use valid http syntax too. The only other choice is bandwidth controlling, but even that won't help tremendously in a DDOS attack.

      Anyone have any good ideas of how to defend against DOS and trojans, incoming and outgoing? The current firewall model is flawed with its implementation. However, I can't think of any solutions, if there even is one.

    3. Re:What we need by krogoth · · Score: 2

      Hey, I've got ZoneAlarm 2. You do have to allow each application to access the internet, but after all your apps have been added, it's not much trouble. I get a few alerts, but I never understand the logfile. You can lock internet access while allowing selected applications to get through, and you can stop all internet access. Is there any movie/exe name I should watch for?

      --

      They that quote Benjamin Franklin on liberty and safety deserve neither.
  45. Re:New Trogen Alert! by TheDarkener · · Score: 1

    win.com, you troll. =p~

    --
    It is pitch black. You are likely to be eaten by a grue.
  46. Re:I knew this would happen by Syberghost · · Score: 2

    I don't think a manufacturer of widgets that resulted in 1 out of 3 people being injured (or say, hypnotized against their will) would be allowed to sell their products for very long. Exceptions include: tobacco, guns, software... Why?

    Uhm, sorry; exceptions just include tobacco.

    Guns and software don't injure 1 out of 3 of their customers.

    Guns injure something like 1 out of 278,000 of their customers. For software, even Microsoft's crap, it's even lower.

    Bicycles have a worse "injures their owner" percentage than guns.

    --

  47. Re:Creepy? by Phroggy · · Score: 1
    And how the fsck do they know that the file is no longer available on the Internet?

    They're referring to the specific file that the virus is trying to download, http://www.lomag.net/~ryan1918/MySissy.mpg.exe. That's the file that's no longer available. Sure, somebody probably has it mirrored somewhere, but the virus isn't programmed to download it from other locations.

    --

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  48. Re:ASF as well as .EXE files - WMC SDK by GKlesczewski · · Score: 1
    Funny - I went to the site for the story, interesting. MS patents the file format, then claims IP rights to the format. This effectively performs a Legal end run around reverse engineering rights. And even more fun, there is a link to another story at LinuxToday about this that states:
    " A broken ASF file not accepted by the Microsoft parser would be lost; the patent would prevent anyone from writing a byte-level tool to recover the ASF file. A third-party Linux player wouldn't be legal, since there would be no way to legally extract the file data, even if third-party video and audio decoders were available. Attempting to transcode a compressed ASF to another format would be impossible with any Microsoft-licensed tools, even if you have the permission of the copyright owner, or even if you are the copyright owner, because the Windows Media Format SDK license requires programs to actively block this action. For instance, Microsoft compelled Nullsoft to disable DSP plugin support in WinAmp with Windows Media Audio content because the DSP interface could be used to transcode, even though DSP plugins normally just process the audio."
    Out of curiosity, I went into MSDN and tried to pull up the license for the Windows Media Components SDK. If I understand the pages right, you can't get the licenses without applying for the license... I would be most interested in seeing this license to see what it actually permits, and does not permit. Maybe it is time to separate this topic???
  49. Re:...sigh... by phil+reed · · Score: 2
    But I fail to understand the problem here. If the user is a moron and wants to run unsafe programs on their computer, why not let [him/her]?

    Don't let your elitism show quite so much. Most computer users probably fall into your "moron" class, and they really aren't "morons" if they don't know any better. Lots of people drive without knowing the fine details of their cars, and doing a good job of computer security requires a knowledge of computers at the same detailed level. What kind of computing education would you like to require?

    In the case of having mostly relatively uneducated users, it's not unreasonable to ask why the infrastructure doesn't do a better job of preventing unwanted security exposure. No, I won't accept a MSBob view of computing either, but we should be able to develop an approach that gives us security without compromising convenience. That includes not letting mail programs blindly execute programs that can directly modify the computing environment (both the mail program and the operating system are at fault here).


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  50. Stop it before it spreads by geoffeg · · Score: 5

    To prevent this DDoS from happening I think that everyone should start turning off their computers. Anyone that works at an ISP should go to the server room's and shut everything off. Not only will this stop *this* DDoS right in its tracks, it will save power.

    shutdown -h now damnit
    Geoff

    1. Re:Stop it before it spreads by MrDelSarto · · Score: 5

      don't worry ; i've written a small vbs file that will send everyone in your address book a message informing them they may unwittingly be part of a DDoS attack ...

    2. Re:Stop it before it spreads by fm6 · · Score: 1

      And while you're at it, unplug any clocks nobody is currently looking at!

    3. Re:Stop it before it spreads by Calamari+Indigo · · Score: 1

      Great idea!
      I'm doing that right n

  51. Technical merit? by Refrag · · Score: 2

    What technical reasons do they have for feeling that its purpose is going to be a DDoS? If it's a BackOrifice type program it's probably just for some script kiddies enjoyment...


    Refrag

    --
    I have a website. It's about Macs.
    1. Re:Technical merit? by Listerine · · Score: 1

      It did not say what the test run was. It seemed to me like the "test run" did not show anybody what it would do, just them accessed it briefly to see if it would respond.

    2. Re:Technical merit? by turg · · Score: 2
      What technical reasons do they have for feeling that its purpose is going to be a DDoS?

      Did you read the article? It says the crackers have already given it a test run.


      ========
      --
      <sig>Guvf vf abg n frperg zrffntr
    3. Re:Technical merit? by mtallgeier · · Score: 1

      Two issues:

      1. Those who quibble about the particular type of trojan that we found have missed the point and display their ignorance of network security and hacking techniques. A trojan is a tool. It's no more dangerous than the person who uses it. In this case, a *variation* of a known trojan was being used by at least two "hackers" to attack third parties from a distributed base of hundreds/thousands of infected machines. Those hackers are now shut down, at least temporarily, due to the press and the threat of an FBI investigation. So, who cares what type of Trojan it is?

      2. The naysayers here are the anti virus cartel who speculate without even bothering to gather fact (sorry to step on the toes of your little fraternity, guys.) This was proactive detection and prevention of an active attack before it caused major damage. What did companies like Network Associates and Symantec do to detect and prevent the last DDoS attacks BEFORE they caused millions in damage? The answer is: nothing.

      Thanks, Michael Allgeier mta@netsec.net

    4. Re:Technical merit? by Refrag · · Score: 1

      Thank you for proving my point. No one knows what the trojan was going to be used for, so it was merely scare tactics when it was 'reported' that it probably was being setup for a DDoS.


      Refrag

      --
      I have a website. It's about Macs.
  52. WTF? by cancerboy · · Score: 2

    If they're so sure that the movie file is a trojan horse, why didn't they name the file?

    1. Re:WTF? by EricWright · · Score: 2

      The problem is that, when Windows hands out icons, it only looks at the first extension and hides the rest of the filename (unless you specifically try to change it). I agree that the problem is people mindlessly clicking on whatever they get sent, but in this case, it looks like it's a movie. There's no harm in watching a movie clip, right ;o}

      Eric

    2. Re:WTF? by Listerine · · Score: 1

      Umm.. I don't quite understand how that is different than what it does now... and if you meant to say "first" extension, well I still don't see how that would help. I don't quite understand how having the extension determine how to open a file be a bad thing. It still needs the proper header to run it...

    3. Re:WTF? by toejam · · Score: 1

      The default behavior of windows is to hide the file extension.
      Quickflick.mpg.exe becomes quickflick.mpg as far as joe user is concerned. If the .exe has a plausible icon for an MPG movie then the average user would assume it's a harmless movie file.

    4. Re:WTF? by RCMD · · Score: 1

      Sorry, I meant to say 'Use the LAST file extension to associate the icon'.

    5. Re:WTF? by jbarnett · · Score: 2


      The Diablo 2 preview movie "trailer" that came out about a year ago was an .exe file, had the movie and an "internal viewer" all rolled up in one so the user didn't have to download a video player...

      they double clicked on it, it loaded the internal viewer and then loaded the internal movie

      then again, I got the file from http://www.blizzard.com and trusted it, if someone named "Bob" just emailed it to me in a chain letter I won't be so quick to run it. That and I would flame "Bob" for sending large data/programs over email...

      --

      "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
    6. Re:WTF? by JackVance · · Score: 1

      That's what they do.

      If you have a file called GreatSex.mp3.avi.exe it will:
      - Have an EXE icon unless it is set to use an embedded icon
      - Be identified as an Application in Detail view
      - Be identified as GreatSex.mp3.avi if you have the "Hide file extensions" turned on (default setting)
      - Be identified as GreatSex.mp3.avi.exe if you have the "Hide file extensions" turned off.

      --
      ~ I haven't lost my mind. It's backed up on tape somewhere.
    7. Re:WTF? by Sakke · · Score: 1

      hmmm ??? QuickFlick.mpg.exe or MySissy.mpg.exe

      most ppl will be clicking on these files because they don't see the .exe extension ('cause stupid windoze doesn't show them by default, which is kinda annoying)

      --
      ound the message used repetitively over and over still nothing grows silen
    8. Re:WTF? by generic-man · · Score: 2

      Remember that in Windows, you can select an icon for an EXE file when you build one. So you can select the standard Windows Media Player MPG icon (or something similar) and Joe User won't know the difference.

      --
      For more information, click here.
    9. Re:WTF? by Misch · · Score: 1

      No, at least for me, it looks at the last one, and assigns an icon accordingly. Then, if the particular extension is not set to "Always Show Extension", then the extension is not displayed.

      Example on my machine:
      "Misch.doc.txt" has the .txt extension and a Text File icon.
      "Misch.txt.doc" has the .doc extension and a Word Document icon.
      "Misch.txt.js" does not display the .js extension (in this example). It has a JavaScript icon.

      --

      --You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
    10. Re:WTF? by TheReverand · · Score: 1
      Uhhh no. If the file is called QuickFlick.mpg.exe, It will look like an exe. IF people have the Hide File Extensions For File Types which are registered option on, The file will say QuickFlick.mpg, but it will still look like an EXE.

      Marc

    11. Re:WTF? by EricWright · · Score: 1

      Really?? I'm not sitting in front of a Win box, but I *thought* that's how it works. Oh well, it's Friday. I'm allowed to be a bit stupid, right?

      Eric

    12. Re:WTF? by TheReverand · · Score: 1

      You're right I forgot about that. Oh well I just woke up. =)

    13. Re:WTF? by Shirotae · · Score: 2

      CNN also has a later version of the story which reports Network Associates and Symantec assessing this as "low risk". CNN still don't name the files, but Symantec have some details under the name Serbian.Trojan, but not really clear on how to remove it. They say it is also known as "downloader" and Network Associates (McAfee) have more details.

    14. Re:WTF? by mtallgeier · · Score: 1

      Two issues:

      1. Those who quibble about the particular type of trojan that we found have missed the point and display their ignorance of network security and hacking techniques. A trojan is a tool. It's no more dangerous than the person who uses it. In this case, a *variation* of a known trojan was being used by at least two "hackers" to attack third parties from a distributed base of hundreds/thousands of infected machines. Those hackers are now shut down, at least temporarily, due to the press and the threat of an FBI investigation. So, who cares what type of Trojan it is?

      2. The naysayers here are the anti virus cartel who speculate without even bothering to gather fact (sorry to step on the toes of your little fraternity, guys.) This was proactive detection and prevention of an active attack before it caused major damage. What did companies like Network Associates and Symantec do to detect and prevent the last DDoS attacks BEFORE they caused millions in damage? The answer is: nothing.

      Thanks, Michael Allgeier mta@netsec.net

    15. Re:WTF? by _SIGKILL_ · · Score: 1

      ...Network Associates [that they] think it's pretty much low risk

      These sound like famous last words.

    16. Re:WTF? by Mike1024 · · Score: 1

      Hey,

      Network Associates that they think it's pretty much low risk.

      Didn't they once say the Millenium Bug was a high risk? Never underestimate the lameness of Windows.

      Just my $0.02

      Michael Tandy



      --
      "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
    17. Re:WTF? by cancerboy · · Score: 5

      Actually MSNBC has a better story, including the reply from Network Associates that they think it's pretty much low risk.

      Also names the file which goes under two names

      QuickFlick.mpg.exe or MySissy.mpg.exe

    18. Re:WTF? by RCMD · · Score: 1

      If they insist on having such a sloppy security model (Associating file/programs via the file extension), why don't M$ use the LAST file extension, of a file that has multiple file extensions, to associate a program ? Joe User may not be protected, but it may give him a hint that something is up.

    19. Re:WTF? by Garpenlov · · Score: 3

      No, at least for me, it looks at the last one, and assigns an icon accordingly. Then, if the particular extension is not set to "Always Show Extension", then the extension is not displayed

      That is true, for explorer. However, in Outlook the icon displayed for a file is NOT dependent on the extension -- it's set by the person sending you the e-mail. (I get documents created in Word 2000 that have the Word 2000 icon depicting them -- despite the fact that I don't even have Office 2000 installed). Here's one way to do this:

      Open up Wordpad.

      Drag whatever file you want to send in there.

      Click on Edit ->Package Object ->Edit Package.

      Change the icon to whatever you want.

      Click Update, then close that window.

      Drag your new object into an email and send it.

      It's never as simple as it seems...

      --
      --- Where's my X.400 protocol decoder?
    20. Re:WTF? by NetJunkie · · Score: 2

      ABCNEWS.com did. They mentioned quickflick.mpg.exe and mysissy.mpg.exe. So if you are dumb enough to run a .exe like that....

  53. Could there be less details? by EricWright · · Score: 2
    They don't say how these guys got access to the computers, per se (not up to date firewall protection... ooo, that's informative). They don't say what the trojan is called so we can go looking for it. They don't say how 'xanim trojan-file' will cause anything other than an error to occur...:)

    I find all of this somewhat hard to swallow, given the lack of details given. Does anyone know of another article with cold, hard facts?

    Eric

    1. Re:Could there be less details? by panda · · Score: 3

      According to previous reports, the trojan was posted in an adult chat room. You had to download it from a web site. It was called something like MySissy.mpg.exe. It is an executable file.

      If, like most Windoze users, you don't change the default settings on your file viewer and you open most files by double clicking on document files, then once you had downloaded this file it would appear to be an ordinary file with the name MySissy. When you double-clicked on it, it would execute. I've not actually seen it in operation, but if the hackers were smart, they would have made it look like an MPG movie viewer and actually had it play a few minutes of a porn flick while it also did its dirty work.

      Something like this is trivial to implement.

      --
      Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
    2. Re:Could there be less details? by rtscts · · Score: 1

      it would appear to be an ordinary file with the name MySissy

      actually, if it was called MySissy.mpg.exe it would appear as MySissy.mpg as only the LAST period counts as the file extension.

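The extension-hiding behaviour argued over in the WTF thread above (toejam's quickflick.mpg.exe, JackVance's and Misch's lists, generic-man's point about embedded icons, RCMD's "use the LAST extension" suggestion) and rtscts's reply that only the last period counts, as an added example that is not taken from the thread: a small Python model of what Explorer shows for a given file name, followed by the double-extension check a mail gateway or download scanner would apply so that MySissy.mpg.exe is caught before a user ever sees it. The file-type table and icon names are constructed stand-ins for the registry's associations, the set of extensions treated as executable is my assumption, and which types carry the "Always show extension" flag varies per machine, so it is a parameter rather than a fixed list.

```python
from dataclasses import dataclass

# Constructed stand-in for the registry's file-type associations (assumption:
# the real table differs per machine; this is only enough to model the thread).
KNOWN_TYPES = {
    ".exe": ("Application", "application-icon"),
    ".com": ("MS-DOS Application", "application-icon"),
    ".scr": ("Screen Saver", "screensaver-icon"),
    ".vbs": ("VBScript Script File", "vbs-icon"),
    ".js":  ("JScript Script File", "js-icon"),
    ".mpg": ("Movie Clip (MPEG)", "mpeg-icon"),
    ".avi": ("Video Clip", "avi-icon"),
    ".mp3": ("MP3 audio", "mp3-icon"),
    ".txt": ("Text Document", "text-icon"),
    ".doc": ("Microsoft Word Document", "word-icon"),
}

# Extensions that run code when double-clicked (my assumption for the filter).
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class ExplorerEntry:
    displayed: str       # the name column the user actually reads
    type_name: str       # the Type column in Details view
    icon: str            # which icon is drawn
    true_extension: str  # what the shell really associates on


def last_extension(name: str) -> tuple:
    """Windows associates on the text after the LAST dot:
    'a.mpg.exe' -> ('a.mpg', '.exe'); a name with no dot has no extension."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return name, ""
    return base, "." + ext.lower()


def explorer_view(name: str, hide_known_extensions: bool = True,
                  always_show=frozenset(), embedded_icon: str = None) -> ExplorerEntry:
    """Model of an Explorer listing. hide_known_extensions is the default
    setting the thread complains about; always_show holds the per-type
    'Always show extension' flags; embedded_icon is an icon resource compiled
    into a .exe, which Explorer draws instead of the generic application icon."""
    base, ext = last_extension(name)
    type_name, icon = KNOWN_TYPES.get(ext, ("File", "generic-icon"))
    if ext == ".exe" and embedded_icon:
        icon = embedded_icon
    displayed = name
    if hide_known_extensions and ext in KNOWN_TYPES and ext not in always_show:
        displayed = base  # the .exe vanishes and 'QuickFlick.mpg' is all that is left
    return ExplorerEntry(displayed, type_name, icon, ext)


def looks_like_disguised_executable(name: str) -> bool:
    """Gateway check: the real (last) extension executes, but the name the user
    would see after hiding ends in a different, non-executable extension."""
    base, ext = last_extension(name)
    if ext not in EXECUTABLE:
        return False
    _, inner = last_extension(base)
    return bool(inner) and inner not in EXECUTABLE


if __name__ == "__main__":
    # Constructed sample names, including the two named in the MSNBC/ABC stories.
    for sample in ["QuickFlick.mpg.exe", "MySissy.mpg.exe", "GreatSex.mp3.avi.exe",
                   "Misch.doc.txt", "setup.exe"]:
        entry = explorer_view(sample, embedded_icon="mpeg-icon")
        print(f"{sample:24} shown as {entry.displayed:20} type={entry.type_name:18} "
              f"icon={entry.icon:16} suspicious={looks_like_disguised_executable(sample)}")
```

The model makes the two halves of the argument explicit: the shell is consistent (it always keys on the last extension, as Misch and rtscts say), and the user is still fooled, because the name column drops that extension and a custom icon resource removes the last visual hint. The filter at the end does not depend on either setting, which is why it belongs at the mail gateway rather than in the user's view options.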
  54. Consumer Security by NetJunkie · · Score: 1

    The articles mention DSL and cable setups which is a good topic. I think you'll see a huge boom in the security software (BlackIce) and hardware (NETGEAR and LinkSys NAT boxes) markets very soon, even larger than it is now. It just begs the question why aren't these companies doing this now? It wouldn't be hard to ship every cable/dsl modem with integrated NAT and have it enabled unless the customer specifically requested otherwise. It would be much more secure than just an open connection. People try to hit my cable modem ALL day long.

  55. Re:Since when were movies executed as code? by _xeno_ · · Score: 2
    Actually, Windows in a bid to look a little more like a Mac now actually HIDES the file extensions on a default setup. You then have to go into the view options and change it not to hide extensions on "recognized file types."

    With the extensions turned off, you're forced to rely on the icon to tell you what the file is...

    --
    You are in a maze of twisty little relative jumps, all alike.
  56. Massive automobile recall by Megasphaera+Elsdenii · · Score: 4

    Why on earth do these sources always talk about 'computers' without being more specific ? As if computer == 'a PC running DOS'. I smell a rat here (even though I'm sure CNN doesn't run their web servers under Mega$lob software, be that operating system-wise or application-wise)

    Imagine the following press release:

    REUTERS -- Somewhere.

    A major car company has decided to issue a callback on one of their models. Under certain conditions a particular safety-critical part of the car might fail. Although the total cost of the recall is purported to be high, officials at the company were confident that it would not influence their quarterly results, due at some point.

    1. Re:Massive automobile recall by dagoalieman · · Score: 1

      At first I just slightly agreed with this post. I mean, I understand what he said, but it wasn't that big of an issue. When on the news, many people can assume that it's a Macroshaft Winblows system that is being attacked, because that's all they know of. You'd be surprised how many people only know of MS Win NT, 95, or 98. Maybe 3.11. Dos is almost forgotten (even though I still love it.) Macs are known to those who use them, and us techies. Linux, as much as I hate to say it, is for us /.ers, techies, and college students. No one else uses the great operating system.

      I vaguely remember when a mac virus was released, they specified mac on the news. Melissa and Love bug, no OS or anything specified. Surprised? I'm not.

      But, then I saw the Reuters release, and what Megasphaera said carried more and more weight in my head's argument. How asinine is this stuff?? Half of these press releases that we get today barely mention the fact that it is on the computer (however when the internet is mentioned, one can assume..).

      Probably the worst of all things is, how many ever mention /.???

      --
      We don't need no Net Explorer We don't need no Thought control
    2. Re:Massive automobile recall by Vanders · · Score: 1

      I'm sure CNN doesn't run their web servers under Mega$lob software

      According to Netcraft, it's Netscape Enterprise 2.01 on Solaris. Good for them.

    3. Re:Massive automobile recall by fritter · · Score: 1

      Yes, but if 95% of the world drove a 1998 Yugo hatchback that article would likely make sense.

  57. What they never say by Salsaman · · Score: 1
    Again this is a *windows* virus, not a computer virus. Why do they never say that ?

    1. Re:What they never say by panda · · Score: 1

      'Cause computer == Intel-compatible PC running Windoze. That's why.

      Anything else isn't a computer. :-)

      --
      Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
    2. Re:What they never say by Vanders · · Score: 1

      Duh, like, because a Computer is Windows. Don't you know? Are you thick or something? ;)

  58. This is SOOOO easy to do by blakestah · · Score: 1

    This is a trivial maneuver.

    Make some neat looking cartoon like porno movie clip, distributed only in Windows executable format. When it executes, it sets up a DDoS client. You could easily have enough high bandwidth machines for a massive DDoS in a short period of time. It seems many Windows users do not even think about running untrusted binaries with their security model.

  59. Re:I knew this would happen by mOdQuArK! · · Score: 2

    Your statistics sound like you pasted them from some NRA info pamphlet. I notice that you didn't include statistics of suicide-by-firearms, which by the statistics @ http://www.suicidology.org/suicide_statistics.htm, account for 43,240 deaths in 1997 alone.

    I will grant that a big chunk of those people committing suicide by firearm would most likely have found another way of killing themselves if the firearm had not been available, however the fact that you did not include their deaths in your "statistics" makes your argument considerably less persuasive.

    BTW, I'm hardly an activist either way - I regard widespread gun use as the result of a "prisoner's dilemma"-type situation: I think the world would be better off if NO ONE had the ability to kill each other easily, but the moment at least one entity gains that ability, then the other members of the society will have to figure out how to nullify that power, either by defense (try to get back to no one having ability to kill each other easily) or offense (mutual assured destruction), in order to prevent that 1st entity from dominating the society. Unfortunately, game theory indicates that trends will tend toward the MAD scenario - and if everyone else has a gun, I certainly don't want to be the only person w/o one.

    I definitely know that I don't like BS, and your post smells of well-polished BS.

  60. Re:...sigh... by DustyHodges · · Score: 1

    I don't think you have to be a 37337 HaX0R to know not to click on an infected file... It's like saying that people shouldn't know better than to have unprotected sex, and are 'victimized' by AIDS. There's plenty of education in the media now.

    Maybe that's what we need! Public service announcements for AV programs, and 'scanning files'

    Remember. When you use someone's floppy, you're sleeping with every computer they slept with.

    -Dusty

  61. foo.avi a virus vehicle? by Cramer · · Score: 1

    So, has anyone explained exactly how an AVI is infecting people's machines? Assuming everyone is talking about windows, explorer uses the file's extension (.avi) to know to hand the file to some media player (which one wins the war is often unpredictable.) Check my spelling here, but avi's don't carry any executable code that a player would execute. Even if I renamed format.exe to foo.avi, clicking on it isn't going to run it.

    Has the media just "got it wrong" again? Or is the system infected in some known promiscuous way and then ends up with some virus/trojan lurking as a <randomly named>.avi?

  62. CNN: a checkup from the Spin Doctor by 0x0000 · · Score: 1
    The fact that the CNN stories chose not to say anything at all about affected platforms stinks.

    Are they so anxious to protect M$ from negative publicity that they can't even give a list of what platforms are vulnerable to this new "threat"?!

    I wasted almost 5 minutes tracking down the fact that only win machines are vulnerable. Even then it was not explicitly stated.

    A. That's shoddy reporting (nothing new, for CNN), and B. It's an obvious way to avoid saying yet again "Only computers running M$ software are vulnerable to this Trojan." I wonder how much Gates & Co. paid to keep that out of print this time (CNN was a unix shop, last I heard, btw).

    M$ is enabling these attacks. Hanging a Windoze box on a DSL line or cable modem should be a misdemeanor, punishable by not less than 6 months running MS-DOS 4.0 with no TCP/IP stack, and a fine of $1000.

    Spin, spin, spin.

    --
    "The Internet is made of cats."
  63. Re:DDos The worst thing that can be thought of now by Phroggy · · Score: 1
    I agree; very interesting. The reason is, Yahoo was taken down by a DDoS attack not long ago, but stealing credit card numbers is old news and nobody cares anymore.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  64. Re:I knew this would happen by rongen · · Score: 1

    Software: Like guns, can be used for good or evil. However, I doubt that 1 in three suffer any kind of injury (including financial) from their OS.

    But we do need immediate "government intervention into the Internet" right?

    --

    --8<--
  65. NEWSFLASH by zeusjr · · Score: 1

    NEWSFLASH!
    MODERATORS RELOCATE STASH!

    Today on slashdot.org, a popular web community, at least two moderators mistook a comment intended as jest as being informative. The comment suggested windows users search their hard drives for ????????.exe to find a "randomly named file". It was meant to be humorous, as such a search would turn up hundreds of files even in the most bare installations of microsoft windows. [Ed: Microsoft, MSFT, which creates microsoft windows, owns everything, including the original poster, this one, and the two moderators.] The moderators however thought it was "informative", likely since it has been years since they used any microsoft software and didn't know any better. A user known as "anonymous coward" argued that this was yet another reason to add the moderation "Safe, +1". Many others ranted about moderation in general. This happens because no one who uses slashdot likes slashdot.

    1. Re:NEWSFLASH by zeusjr · · Score: 1

      And hence the circle is complete!

  66. Re:I knew this would happen by rongen · · Score: 1

    Who's missing the sarcasm now? :)

    --

    --8<--
  67. Movie file? by zzen · · Score: 1

    I wonder - aren't the computers used in DDoS attack usually 24/7 connected computers? Even more likely, aren't they usually some small, old and left-over university department servers -- like an ex-secondary mailserver or a callback dialup server and such - but all in all usually a server?

    And how likely is a movie going to be played on that machine? It seems to me rather, that this trojan is directed at multimedia computers of porno-seeking perverts. This isn't likely the best platform for DDoS, I'd say...

  68. Re:Here's the beef by trcooper · · Score: 1

    Looks like it spread pretty much entirely over Usenet. Here's a report on QuickFlix.mpg.exe as it was identified as Spam. Looks like it is probably dead now. Deja News

  69. I know you like Minesweeper... but... jeeez by CrusadeR · · Score: 2

    http://download.cnet.com/downloads/0-10040-100-886616.html?tag=st.dl.10040_106_16.lst.td

    "Professional Minesweeper is the BEST product ever. really."

    Gonzo... please... say it ain't so!

    --
    :wq
    1. Re:I know you like Minesweeper... but... jeeez by GoNINzo · · Score: 1
      It's true.

      I am hopelessly addicted to professional minesweeper. and I'm damn good at it too.

      Try it out, see if you can beat diamond in under 150 seconds like i can. `8r)

      --
      Gonzo Granzeau
      "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  70. Re:Lack of security in the 'net by chrome · · Score: 1

    Yeah.

    How about, when you get a DSL link, they restrict inbound connects heavily by default.

    Then, if you play a game like Quake 3 and want to host a game, you just call them up or go to a support page and get them to open up that port.

    In my experience most users just want to be able to browse the web, ftp, chat on IRC and not much else. That only requires the ident port to be open.

    Feh, its asking too much isnt it?

  71. Ahoy there Sissy! by FatSean · · Score: 1

    Whatcha got in your mouth Sissy?

    - Earlmeyer the Butt Pirate.

    --
    Blar.
  72. Re:I knew this would happen by StoryMan · · Score: 1

    Since texts have a multiplicity of interpretations -- semiotics, the sign/signified stuff -- then I'd advocate a more rigorous reading method on the part of the reader rather than a more critical posting method on the part of the poster.

    It's up to the reader to determine what is and what isn't sarcastic. The reader must make that determination. I mean, what if, for example I say [sarcasm]I'm six feet tall[/sarcasm].

    What exactly does this mean? Does it mean I'm actually four feet tall? Does it mean I'm six feet tall and I'm tired of people saying I'm five foot nine inches?

    What's the context?

    Let's face it, if you're reading slashdot non-critically -- if you are, for example, a 'literal' reader -- then you're gonna get fooled by the presence of the [SARCASM][/SARCASM] tags, as well as their absence.

    So goddammit, just try a closer reading, okay?

  73. Re: Here's the mad cow by Steepe · · Score: 3

    Sure..
    do a find for
    ???????.exe
    and
    ????????.exe

    --
    Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
  74. Re:DOS attack. Or solitaire, for that matter. by radish · · Score: 1


    And also pretty common. Things like BackOrifice have been doing the irc thing for a while. The channels it broadcasts to are pretty busy with people going in to get details of open machines to play with!

    --

    ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

  75. HOW TO DETECT AND REMOVE SRVCP TROJAN! by rigor1 · · Score: 1

    The virus is being typically transported by some bots/people as:
    DIVX_3e.exe (Remember installing those drivers?)
    PSXCOPY.ZIP (bleh n64 r00lz)
    CDRWIN3.8f (cracked)

    If you've installed these lately, you're probably running the srvcp daemon (do a ctrl-alt-del task manager and look!) and you'll find srvcp.exe in /windows/system and gus.ini (gravis ultrasound rules! hehe) in /windows/system. Remove the files. Run regedit.exe and remove the service profile for srvcp (find srvcp, delete the entry for service_profile). Reboot. Trojan is gone.

    The bot will download files to your system, connect to efnet irc servers and will attack others and you'll eventually get your ip banned for running drones. bleh. lamers.

    rigor - http://sam.bytebandits.com

  76. Re:DOS attack. Or solitaire, for that matter. by titus-g · · Score: 1
    it would be except that the netsec report says that they are 'modified' irc servers, therefore probably running on machines owned or 0wn3d by the authors. getting these shut down would seem to be a start. netsec seem to know an awful lot about these servers though, like that they are modified & they have lists of the compromised systems as well... all a little strange.

    need to find the irc servers and post the ips here, put them out of action quite nicely

    --

    ~ppppppppö

  77. Re:Since when were movies executed as code? by mrfiddlehead · · Score: 1

    No, this is just another example of why they should take the Microsoft marketing twits, who decided that file extensions were too hard to use, out back and euthanize the lackwits to put them out of their misery. Ooops, too late.

    --
    :wq
  78. here we go again by BadERA · · Score: 1

    Sweet Jesus! Thank god for script kiddies -- else, what would the media have to hype up this week? Elian's over with, Timofonica isn't spreading beyond Spain, and Clinton's kept his dick in his pants, as far as the public knows ... so what better than a brand new DDoS that may or may not exist, and may or may not demolish the commercial Internet as we know it?

    --
    I am, therefore you think.
    1. Re:here we go again by Black+Parrot · · Score: 1

      > and Clinton's kept his dick in his pants, as far as the public knows

      Ok, now everyone knows that you haven't downloaded the movie.

      --
      Sheesh, evil *and* a jerk. -- Jade
  79. I think I've seen it. by shippo · · Score: 3
    Two months ago or so I saw on usenet a Windows .EXE of dubious content masquerading as both .AVI and .MPG files.

    They used the usual trick of naming the .EXE something like foo.AVI.EXE, and made sure that the embedded icon colour matched that of the associated fake file type.

    I dumped the file using 'strings', and it appeared to generate a fake error message regarding a missing codec, as well as a registry key to autorun a program at boot. I presume this trojan contained this code.

    1. Re:I think I've seen it. by finkployd · · Score: 1

      I presume this trojan contained this code.

      Well, I'm sure it does NOW! Way to give them ideas.

      :)

      Finkployd

    2. Re:I think I've seen it. by mrfiddlehead · · Score: 1

      You'd think that these little wieners would start encrypting their strings internally to prevent this. Even a simple XOR encryption would do the trick.

      --
      :wq
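Added example, not the trojan's code and not from anyone in the thread: what the single-byte XOR mrfiddlehead suggests does to `strings` output on a dump like shippo's, and why it barely slows an analyst down, because a known plaintext (here the Run registry path, which an autorun trojan can hardly avoid embedding) gives the key back with a 256-key search. The key 0xA5, the filler bytes and every string except the real Run key path are constructed for this example.

```python
"""Added example (not from the thread): a single-byte XOR keeps strings out of
`strings` output, yet a known-plaintext search over all 256 keys recovers them."""
import re

# Constructed strings of the kind shippo describes: the Run key is the real
# Windows autorun registry path; the codec message and host name are made up.
PLAINTEXT_STRINGS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"Error: required codec not installed.",
    b"irc.example.invalid",
]
KEY = 0xA5  # assumption: a key with the high bit set, so ASCII maps to bytes >= 0x80
SEPARATOR = b"\x00\xff\x00"  # constructed stand-in for non-string bytes between strings


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """What `strings` does: runs of at least min_len printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def build_sample_binary(strings_, key):
    """Constructed stand-in for a trojan's data section: each string XORed
    with `key`, preceded by non-printable filler."""
    out = bytearray()
    for s in strings_:
        out += SEPARATOR + xor_bytes(s, key)
    return bytes(out)


def xor_search(blob: bytes, needle: bytes) -> list:
    """Known-plaintext search under every single-byte key (the approach of
    tools such as xorsearch): (key, offset) pairs where needle^key occurs."""
    hits = []
    for key in range(256):
        pattern = xor_bytes(needle, key)
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            hits.append((key, idx))
            start = idx + 1
    return hits


def recover_strings(blob: bytes, needle: bytes) -> list:
    """Find the key via a string the author could not avoid embedding, then
    decode the whole blob and list the strings that fall out."""
    keys = {key for key, _ in xor_search(blob, needle)}
    recovered = []
    for key in sorted(keys):
        recovered.extend(extract_strings(xor_bytes(blob, key), 8))
    return recovered


SAMPLE_BINARY = build_sample_binary(PLAINTEXT_STRINGS, KEY)

if __name__ == "__main__":
    print("strings on obfuscated blob:", extract_strings(SAMPLE_BINARY))
    print("xorsearch for CurrentVersion:", xor_search(SAMPLE_BINARY, b"CurrentVersion"))
    print("recovered:", recover_strings(SAMPLE_BINARY, b"CurrentVersion"))
```

With a key whose high bit is set, `strings` sees nothing at all (every ASCII byte lands at or above 0x80); with a key below 0x80 it would print gibberish runs instead, which is just as useless to a reader and just as easy to search. Either way a single known substring pins the key and the whole blob decodes.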
  80. Re:Since when were movies executed as code? by Black+Parrot · · Score: 2

    > Actually, Windows in a bid to look a little more like a Mac now actually HIDES the file extensions on a default setup.

    Man. And I always thought mere hidden files were an insult to my intelligence.

    --
    Sheesh, evil *and* a jerk. -- Jade
  81. Re:HOAX ? by pvcf · · Score: 1

    Exactly!! Who is to say that this NETSEC found anything! Perhaps they're just reporting everything to make people feel safe; that there actually is someone watching out for them...

    They wouldn't need any proof. When nothing happens they just say, "Well, the perpetrators must have caught on to us and bailed. We'll get'em next time!"

    Then again, perhaps they really have something and are afraid to tip their hand too soon. They want to catch'em in the act.

    ....Paul

    --
    F U NE X N M? Son: "Dad... How do you spell 'hourly'?" Dad: "0 * * * *"
  82. Here's the beef by akey · · Score: 5

    A quick check of the Network Security Technologies website has a bit more info than the CNN article. Read their advisory here. Apparently, the Serbian Badman Trojan (as they're calling it) is using an IRC channel to report the compromised IP address, and then starts listening on a port -- this is why they think it could presumably be used for a DDoS attack.

    --
    "Go Metallica. Die RIAA." -- Linus Torvalds
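Added example, not code from the thread and not NETSEC's: the two observable halves of the behaviour akey summarises (the bot reports in over IRC, then starts listening on a port) written as a correlation over constructed data, which is what a network operator would want before believing or dismissing the advisory. The connection-log format, the IRC port list, the 10.0.0.0/24 "internal" range, the ten-minute window and the IRC capture text are all assumptions for this example; the channel name #Jaxn is the one given later in the thread.

```python
"""Added example (not from the thread): flag internal hosts that contact an IRC
server and shortly afterwards accept inbound connections on a new high port,
then corroborate with an ip:port check-in seen in the IRC channel."""
import re

IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumption: commonly used IRC ports
INTERNAL_PREFIX = "10.0.0."                  # assumption: the monitored /24
WINDOW_SECONDS = 600                         # assumption: listen within 10 min of IRC contact

# Constructed sample connection log: epoch seconds, source, destination, destination port.
# Assumption: every line is an accepted TCP connection (client -> server), so an
# inbound line to an internal host means that host was listening on that port.
CONN_LOG = """\
960100000 10.0.0.5 203.0.113.7 6667
960100020 198.51.100.9 10.0.0.5 31337
960100021 198.51.100.9 10.0.0.5 31337
960100100 10.0.0.8 203.0.113.7 6667
960100150 10.0.0.20 203.0.113.7 6667
960100200 198.51.100.9 10.0.0.20 443
960100900 10.0.0.11 192.0.2.40 80
960101000 192.0.2.44 10.0.0.11 31337
"""

# Constructed IRC capture in raw protocol form (nick, host and message text are
# made up; the channel name is the one given in the thread).
IRC_CAPTURE = """\
:zombie42!u@10.0.0.5 JOIN #Jaxn
:zombie42!u@10.0.0.5 PRIVMSG #Jaxn :10.0.0.5:31337 ready
:alice!a@10.0.0.8 PRIVMSG #linux :anyone seen the cnn story?
"""


def parse_conn_log(text):
    """Turn the constructed log into (ts, src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        rows.append((int(ts), src, dst, int(dport)))
    return rows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def find_report_then_listen(rows, window=WINDOW_SECONDS):
    """Internal hosts that contacted an IRC server and, within `window` seconds,
    accepted an inbound connection on an unprivileged port. Ordinary IRC users
    (10.0.0.8) and ordinary servers (10.0.0.20 on 443) are not flagged."""
    irc_contact = {}  # host -> (ts, server) of its first IRC connection
    for ts, src, dst, dport in sorted(rows):
        if is_internal(src) and not is_internal(dst) and dport in IRC_PORTS:
            irc_contact.setdefault(src, (ts, dst))
    suspects = {}
    for ts, src, dst, dport in sorted(rows):
        if not is_internal(dst) or dst not in irc_contact or dport < 1024:
            continue
        irc_ts, server = irc_contact[dst]
        if 0 <= ts - irc_ts <= window:
            suspects.setdefault(dst, {"irc_server": server,
                                      "listen_port": dport,
                                      "delay": ts - irc_ts})
    return suspects


REPORT_RE = re.compile(
    r"^:(?P<nick>[^!]+)!\S+ PRIVMSG (?P<chan>#\S+) "
    r":(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")


def extract_irc_reports(text):
    """Pull 'ip:port' check-ins posted to a channel out of a raw IRC capture."""
    reports = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            reports.append((m["chan"], m["nick"], m["ip"], int(m["port"])))
    return reports


def corroborate(suspects, reports):
    """Hosts whose IRC check-in names the very port the connection log shows them accepting."""
    announced = {(ip, port) for _, _, ip, port in reports}
    return sorted(h for h, d in suspects.items() if (h, d["listen_port"]) in announced)


if __name__ == "__main__":
    suspects = find_report_then_listen(parse_conn_log(CONN_LOG))
    reports = extract_irc_reports(IRC_CAPTURE)
    print(suspects, reports, corroborate(suspects, reports))
```

The correlation alone over-reports (any IRC user who also runs a game server trips it) and the channel capture alone under-reports (the check-in format is the author's choice), which is why the two are joined before a host is called a zombie.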
    1. Re:Here's the beef by doctorfaustus · · Score: 1

      Am I the only one who noticed that Symantec's stock price is currently (as of 12:15 pm, CST) up more than $3.00 per share?

  83. Re:DOS attack. Or solitaire, for that matter. by Refrag · · Score: 1

    I think the most likely use of the "zombie" machine is to pop its CD-ROM tray out. I know that is what most people that use BO like to do with it.


    Refrag

    --
    I have a website. It's about Macs.
  84. Bridging the Gap by GrayMouser_the_MCSE · · Score: 2

    We're finally reaching a point in technology where the line between techno-savvy administrator and computer end-user is being blurred - not in terms of their knowledge (that's wider than ever) - but in terms of what they are setting up and running.

    With tools like MS internet connection sharing and cheap networking cable, clueless users are now capable of setting up (almost setting up?) ethernet networks from the comfort of their recliners. Of course, this added ability does nothing to impart new information to the users.

    It is possible to set up secure MS networks (this is what I do...) but it's not easy, especially when the default settings for so many things are open access to everyone. Unless MS changes the settings (not very likely from what I've seen) or someone comes up with an easy and well publicized way for users to set up at least moderate security, these things will only continue to grow.

    Actually, one other thing that could help is for the ISP's to use short lease DNS and keep everyone's IP address changing. That would at least make things a little more difficult for crackers.

    I've helped check and set up connections for my friends and found that more than a few of them had permitted open file sharing with their computers when all they wanted to do was share a printer.

    Oh, and for people who think this is just a MS problem so linux users don't have to worry, if they get enough computers, they can start attacking backbone segments. Then everyone gets shut out.

    --
    Of course I use Microsoft. Setting up a stable unix network is no challenge ;p
    1. Re:Bridging the Gap by jazmataz23 · · Score: 1
      >Actually, one other thing that could help is for the ISP's to use short lease DNS and keep everyone's IP address changing.
      >That would at least make things a little more difficult for crackers.

      The trojan reports the port it's listening on to an IRC channel. What's to stop it broadcasting its current IP?

      >Oh, and for people who think this is just a MS problem so linux users don't have to worry, if they get enough computers,
      >they can start attacking backbone segments. Then everyone gets shut out.

      DDOS' suck for everyone, remember two weeks ago when we couldn't get onto /. because of a DDOS? I had to *gasp* work!
      To get back ontopic, some linux distros are almost as bad as Microsloth products as far as out-of-the-box security goes. I mean, there was a time when installing linux was *shocker* difficult. You actually had to do some *oh no!* reading. Now Joe Sixpack's a linux admin, and goes frolicking around /etc/inetd.conf removing all those ugly comment hashes. Course, the windoze code doesn't run, but there's such an assload of buffer overflow exploits some cracker can depants his machine fast.

      Clunk, Clunk, my $0.02
      jaz

      --
      Death to Argument by Slogan!! (This post twice-encrypted with ROT-13. Replies not using same will be ignored)
  85. Re: Here's the mad cow by superkorn · · Score: 1

    According to the articles I read, the file almost always resides in the Windows directory and is approximately 370k in size. Finding this file using windows find is a trivial exercise. Just search for *.exe and limit the search to only files of 350k or more and that were created in the past, say, month. There are barely any .exe's which are installed in the windows directory which meet all of those criteria so if anything pops up you will know to be suspicious. ROTFL indeed...make sure you know what you are talking about...

  86. Which is, of course... by Skid · · Score: 1

    ... why you turn the friggin' filename extensions on under Windoze. If I saw something like foo.avi.exe, you'd be damned sure I wouldn't try running it.

    --
    These are *MY* opinions.
    They will not be *YOUR* opinions until the Orbital Mind Control Lasers are operati
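Added example, not code from the thread: the three file checks behind superkorn's search recipe and Skid's advice above, plus the point Cramer and _xeno_ make elsewhere in the thread that Explorer dispatches on the extension while the icon is whatever the executable embeds, so only the file content can be trusted. The names QuickFlix.mpg.exe and srvcp.exe come from the thread; the sample files, the extension lists and the 350 KB / 30 day thresholds are constructed for this example. A PE renamed to .avi (trailer.avi below) will not run on a double-click, exactly as Cramer says, but the content check still reports it.

```python
"""Added example (not from the thread): spot "movie" files that are really
Windows executables by name, by content, and by superkorn's size/age heuristic.
All sample files are constructed here; none is real malware."""
import os
import tempfile
import time
from pathlib import Path

# Assumption: typical lists, not exhaustive.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
MEDIA_EXTS = {".avi", ".mpg", ".mpeg", ".asf", ".mov", ".jpg"}
KNOWN_EXTS = EXEC_EXTS | MEDIA_EXTS | {".txt"}  # registered types Explorer hides


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide file extensions for known file types' on:
    the last registered extension is dropped, so QuickFlix.mpg.exe reads as QuickFlix.mpg."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTS else filename


def double_extension(filename: str) -> bool:
    """Name check: a media-looking inner extension followed by an executable one."""
    stem, ext = os.path.splitext(filename)
    _, inner = os.path.splitext(stem)
    return ext.lower() in EXEC_EXTS and inner.lower() in MEDIA_EXTS


def looks_like_pe(path: Path) -> bool:
    """Content check: a Win32 executable starts with the 'MZ' DOS-stub signature,
    whatever the file name or icon claims."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_directory(root) -> dict:
    """Walk root and report which check each suspicious file tripped."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if double_extension(path.name):
            reasons.append("double-extension")
        if path.suffix.lower() not in EXEC_EXTS and looks_like_pe(path):
            reasons.append("pe-content-under-non-exe-name")
        if reasons:
            findings[path.name] = reasons
    return findings


def recent_large_executables(root, min_bytes=350_000, max_age_days=30) -> list:
    """superkorn's heuristic: *.exe of at least min_bytes modified in the last max_age_days."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for path in Path(root).rglob("*.exe"):
        st = path.stat()
        if st.st_size >= min_bytes and st.st_mtime >= cutoff:
            hits.append(path.name)
    return sorted(hits)


def make_sample_tree() -> str:
    """Constructed sample directory: a tiny PE stub with a double extension, the same
    stub renamed to .avi, a genuine-looking AVI, a text file, and a 400 KB 'srvcp.exe'
    beside a small 'notepad.exe' in a WINDOWS folder. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="masq-")
    pe_stub = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    (Path(root) / "QuickFlix.mpg.exe").write_bytes(pe_stub)
    (Path(root) / "trailer.avi").write_bytes(pe_stub)
    (Path(root) / "holiday.avi").write_bytes(b"RIFF\x00\x10\x00\x00AVI LIST")
    (Path(root) / "readme.txt").write_text("plain text")
    win = Path(root) / "WINDOWS"
    win.mkdir()
    (win / "srvcp.exe").write_bytes(pe_stub + b"\x00" * 400_000)
    (win / "notepad.exe").write_bytes(pe_stub)  # small: not caught by the size heuristic
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for name in ("QuickFlix.mpg.exe", "holiday.avi"):
        print(name, "is displayed as", displayed_name(name))
    print(scan_directory(root))
    print(recent_large_executables(root))
```

The size/age search finds srvcp.exe but says nothing about QuickFlix.mpg.exe, and the name and content checks find the masquerades but not a trojan that was installed under a plain executable name; the checks are complementary, not alternatives.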
  87. Re:a little ministry? by feck · · Score: 1

    some other guy managed to decipher some of SkinnyPuppy's lyrics a few page-ups up..

  88. Re:tell 'em to run ZoneAlarm by __aaedhn419 · · Score: 1

    Hear, hear! I started ZoneAlarm recently. At first I was scared stiff - I was getting at least one intrusion attempt every 10 minutes. Now I'm just happy the script kiddies are going home hungry.

  89. Re:Palmer says.... by ^chuck^ · · Score: 1
    Both of them
    And I completely agree. But my anger would stay longer with the builder if he continued to do the same, or if he failed to warn other owners of houses he built, while the anger at the (non-burglar) intruder would go away once I learnt of the problem and moved or changed the locks. And then what would happen if the builder claimed that it wasn't his fault, because he took measures to prevent illegal entry (under mat) and that the intruder should not do that anyways.
    Basically, it's my belief that if you leave your car door open and something gets stolen from inside, it's really your own bloody fault, even if the law says otherwise. But if the car comes with car locks that look like they work, but can be opened by lifting the handle for five seconds, then the responsibility rests with the assholes who sold you the car.

    Theft and illegal entry will happen[hell, what guy didn't try when he was 13/14?], but failing to prevent the obvious is just as bad a crime, if not worse.

    --

    Lemure, wtf! Don't you mean Lemur?
  90. It's all Bull$hit by mrBoB · · Score: 1

    The FBI is just trying to get more funding ;-) You all know that every executive enforcement agency is jockeying to be "The" internet defense agency. This is yet another installment of "Look at me, the FBI, I was first on site." I'll bet you the so-called "hackers" Serbian and Badman are actually working for NETSEC in one of those SecureRooms (tm). Keep in mind, like the article says, NETSEC was created by the NSA and DoD. Conspiracy, I think not.

    Bob

  91. And warn them about the BSoD when shutting down! by chickenmadrasplease · · Score: 1
    I reported this problem to the zonelabs dudes, and here's the response:
    Thank you for using ZoneAlarm and providing us with detailed information.

    There is a known issue with some Windows configurations not being able to shut down properly. This has to do with ZoneAlarm's TrueVector service not acknowledging the Windows request to shut down. To workaround this problem, close ZoneAlarm before you shut down your computer. You can do this by right-clicking on the ZoneAlarm system tray icon and selecting "Shutdown ZoneAlarm".

    Another possible workaround is to go to Start/Run and type c:\windows\system\zonelabs\vsmon -uninstall

    This will change the timing of the True Vector service. Best regards Zone Labs Support


    The funny thing about the BSoD is that it appears after the "its safe to switch off yer doze ridden junk" message!
  92. Re:HOAX ? by AnarchoFreak_00 · · Score: 1
    Why are people so hung up on wanting a file name? There might be one known name. But that doesn't stop people renaming it 1000 times does it?

  93. Re:...sigh... by Listerine · · Score: 1

    "Immediate execution of mail attachments" has nothing to do with Win95/98. That is purely up to the mail program. For instance, I have NSMail set to truncate any message over 12K, which nicely makes it so that I get less spam and shit like this.

    But I fail to understand the problem here. If the user is a moron and wants to run unsafe programs on their computer, why not let [him/her]? I don't want some sappy dialogue box popping up every time I run a new program warning me that it may have viruses, and I definitely don't want Windows to prevent me from working in the name of convenience.

    Education is necessary, not the dumbing down of the OS until it's just MS Bob all over again.

  94. Why are you Microsoft supporters so damn defensive? by BlueUnderwear · · Score: 1

    Is it the breakup, or what? Don't come and cry to us if you suddenly can't access your compressed partition because you mistook drvspace.exe for a virus.

    --
    Say no to software patents.
  95. Re:DOS attack. Or solitaire, for that matter. by Listerine · · Score: 1

    Apparently you never saw the "Compaq would like to present you with a free gift" program. It would pop out the CDROM drive and say "Here is your complimentary cupholder".

  96. No Imagination by StormyMonday · · Score: 2

    Great. Somebody is getting set to collect massive amounts of information from a gazillion PCs and install remote-control software, letting them do essentially anything.

    And the only threat that folks see is DDOS? Get real. Denial of service is about as exciting and useful as a traffic jam.

    Some crackers with a bit of subtlety could clean up. Let's see, we could:

    • Steal everybody's Quicken/TurboTax files and start cleaning out bank accounts
    • Scan for interesting trade secrets/blackmail info
    • Plant kiddie porn on people we don't like
    • Get in interactively and make some subtle changes in documents/spreadsheets/databases
    • Periodically ping a website to jack up the hit counters.

    I'm sure just about any /. poster could come up with enough "interesting" ideas to keep the nice people at the Justice Department awake for a long time.

    --
    Welcome to the Turing Tarpit, where everything is possible but nothing interesting is easy.
  97. They are on IRC network Newnet by steveargonman · · Score: 1

    They hangout on the Newnet IRC network. They use the channel #Jaxn on irc.jaxn.com

    :\

  98. Re:Yabut... by titus-g · · Score: 1
    joe sixpack isn't going to lash out the dosh for their recommended firewall i'd guess, also i guess if all they have are ip's/login etc it could be difficult to track individuals down, they should be notifying the isps though.

    erghh must sleep

    --

    ~ppppppppö

  99. Re:I knew this would happen by Nygard · · Score: 1
    Apparently the original poster's sarcasm was a little too subtle.

    At least, I really really hope he was being sarcastic...

    --
    "Genius may have its limitations, but stupidity is not thus handicapped." --Elbert Hubbard (1856-1915)
  100. Re:DOS attack. Or solitaire, for that matter. by iturbide · · Score: 1

    Pah.

    Honestly I don't know. I'd guess that the most efficient way to set up a dos attack on a wintel box is to use it to telnet to a decent platform and do the attack from there.

    I don't know, and chances are very few people know, but does the backdoor "phone home" to say it's ready and waiting?

    And don't underestimate solitaire. It's globally acknowledged as one of the most efficient productivity killers around.

  101. Even better... by Spirilis · · Score: 2

    Make a DOOM patch that lets you watch for excessive ICMP packets (in the form of those annoying yellow flying fireballs), and get your little brother in the server room 24/7! He'll have a ball!

    --
    the real at&t mix
    1. Re:Even better... by Refrag · · Score: 1

      That would be kick ass! Even better than the movie Hackers.

      No, I'm not being sarcastic.


      Refrag

      --
      I have a website. It's about Macs.
    2. Re:Even better... by eudas · · Score: 1

      it does if you are referring to several new things...

      eudas

      --
      Blessed is he who expects the worst, for he shall not be disappointed.
  102. ASF as well as .EXE files by Epeeist · · Score: 2

    It would seem that the wonderful (patented) file format MS ASF can contain script/executables of some kind. See this article in Linux Today.

    1. Re:ASF as well as .EXE files by JonK · · Score: 1

      And since Linux Today glommed their story from the Register, you'd better accept that correction too. And as for reporting on information you saw elsewhere, did it occur to you to check your facts? It's not that difficult - see here for details.
      --
      Cheers

      Jon
    2. Re:ASF as well as .EXE files by JonK · · Score: 1
      Does not compute - the Register story you referenced contains absolutely nothing about .asf files hosting script or executables: it says that Microsoft have exercised their IP rights.

      What you are referring to, I presume, are ASF script files. From the MSDN: "ASF script files are text files that contain information about ASF file properties, such as title, author, and copyright; markers, which can be used as chapter marks or indexes; and script commands, which can be used for URL flips and closed caption text."

      Or is this just more rabid pro-Linux FUD?
      --
      Cheers

      Jon
  103. Better idea by FascDot+Killed+My+Pr · · Score: 2

    Two step attack:

    1) Get modem and NIC manufacturers to modify the ports on their products so that they can eject a connecting wire under program control.

    2) Write a virus that does one thing and one thing only: Triggers the wire eject on the NIC and/or modem.

    This automatically removes virus-running morons from the 'net.

    ...you know, I wrote that in a (probably vain) attempt to be funny. But then I thought: you could actually do this. How about a virus that disabled Dialup Networking (yeah, yeah "it's called AOL 5.0")? Sure, they could just reinstall Windows, but maybe they'll learn something in the process.
    --
    Wanna hook MAPI clients to your Tru64/AIX/Linux server?

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Better idea by Imperator · · Score: 2

      Isn't that somewhat akin to leaving anthrax-filled candy on the street, and teaching people a lesson about eating food from untrusted sources? Hurting innocent users is not the best way to bring them out of their ignorance.

      --

      Gates' Law: Every 18 months, the speed of software halves.
    2. Re:Better idea by restless_ne'erdowell · · Score: 1
      "How about a virus that disabled Dialup Networking (yeah, yeah "it's called AOL 5.0")? Sure, they could just reinstall Windows, but maybe they'll learn something in the process."

      Trust me, nothing will be learned. They'll call their ISP because they can't get connected; the help desk will troubleshoot and walk them through uninstalling & reinstalling the corrupted DUN; the user will say "Thanks" and go on their merry way. DUN gets damaged far too often to always attribute it to a virus, and most users don't want to know why something happened; they're just glad it's fixed. That's pretty much true of anything that "breaks" on a computer.

    3. Re:Better idea by Roast+Beef · · Score: 1

      Interesting idea, but it couldn't spread. Like the Ebola virus, it kills the host too quickly to spread effectively.

  104. Re:Since when were movies executed as code? by _xeno_ · · Score: 1

    Yeah, icons are embedded in the executable. So yes, you can make your program have any icon you damn well please. Plus with some simple tools, you can actually take icons from other sources - instant accurate MPEG movie icon, for fake MPEG movie.

    --
    You are in a maze of twisty little relative jumps, all alike.
  105. Re:I knew this would happen by rongen · · Score: 1
    It's time to implement changes so that people can be traced and logged, encryption all has back doors that can be used against cyber terrorists, and we'll need to levy a tax on it to pay for this law enforcement.


    How about having a security certification for operating system configurations and networked applications?

    I don't think a manufacturer of widgets that resulted in 1 out of 3 people being injured (or say, hypnotized against their will) would be allowed to sell their products for very long. Probably a government standard would prevent this? Or at least "flag" the product somehow to allow consumers to make an informed decision. Exceptions include: tobacco, guns, software... Why?

    --

    --8<--
  106. Re:Interesting quote ... by wolfgang_spangler · · Score: 1

    Yah, the NETSEC guy, but the media is still clueless. It's not like they listened to that guy, they just reprinted his words.

  107. Re:I knew this would happen by finkployd · · Score: 2

    I don't think a manufacturer of widgets that resulted in 1 out of 3 people being injured (or say, hypnotized against their will)...

    ...Exceptions include: tobacco, guns, software... Why?


    Tobacco: It's not against their will. People freely choose to kill themselves with tobacco. If a critical mass of people decided to drink paint thinner, should it also be banned?

    Guns: I'm not going into a whole gun argument. The reasons for gun ownership have been presented before and if you don't believe in gun ownership then I'm not going to preach to you. However, remember that those who want to keep guns, have them. Those who want to ban guns don't. Who do you think is going to get their way?

    Software: Like guns, can be used for good or evil. However, I doubt that 1 in three suffer any kind of injury (including financial) from their OS.

    Finkployd

  108. No Threat, except to your bankaccount by Raindeer · · Score: 2
    This is the same thing as a couple of months ago where a company warned that keys could be found on a disk full of data. It made a Slashdot story somewhere, but since I have to go I won't look it up. NETSEC seems to want to get some high level attention. If you look at the data on this trojan on the Symantec site you can see that it is not a big threat.

    Quite simply, these guys want your money and they created a media hype to get it. No reason to flip. And now I am off.

  109. Next... by Black+Parrot · · Score: 3

    The next one won't set up any DDoS clients. It will just wait until Monday, and then send all your cow-orkers a message saying "I sat around and watched porno movies on my computer all weekend!"

    Then, when the news reports that the new exploit does in fact send that message, and is in fact borne by a porno flick, everyone in your address book will know that it really is true.

    Heh heh heh. Maybe it will even count and report which scenes you replayed, and how many times.

    --
    Sheesh, evil *and* a jerk. -- Jade
  110. Re:...sigh... by Listerine · · Score: 1

    : Lots of people drive without knowing the fine
    : details of their cars, and doing a good job of
    : computer security requires a knowledge of
    : computers at the same detailed level. What kind
    : of computing education would you like to
    : require?

    Still, most people wouldn't put sugar in their gas tank and expect the car to work perfectly, or just start sticking random modifications into their car. It's because cars cost a lot of money and people don't want to ruin them and have to have a professional fix them, but when it comes to computers a large amount of people feel that they know what they're doing when they don't (I feel this way because I worked for a year and a half at a place that had public access to computers, and I was constantly resetting network settings and fixing computers that some "bright" user fiddled with).

  111. Re:tell 'em to run ZoneAlarm by DHartung · · Score: 2

    Of course, the first Trinoo and TFN clients ran on what OS? The insecure consumer OS from Redmond ... or the free-beer hacker OS from Finland?

    Just giving them Linux isn't going to solve the problem. You actually have to teach them how to implement security. Have you ever tried to teach your non-techie friends how to implement ... their e-mail program? "Click there ... no, no, THERE, no, you just shut the program down." Don't fool yourself. Not everybody is cut out to be a computer security expert.
    ----

    --
    lake effect weblog
    {Network engineer in Chicago--looking for work!}
  112. Re:I knew this would happen by Syberghost · · Score: 2

    I notice that you didn't include statistics of suicide-by-firearms, which by the statistics @ http://www.suicidology.org/suicide_statistics.htm, account for 43,240 deaths in 1997 alone.

    I discount that statistic for the simple reason that the CDC says there were only 30,535 total suicides that year, so how could 43,240 of them have been by firearm?

    Also, statistics on places that have outlawed firearms shows that the effect is nearly zero; better than 99% of those who want to commit suicide will find a way, whether they have a gun or not.

    But I see it as a freedom thing; if you want to commit suicide, who am I to say you aren't allowed to? And how is society worse off if you use a gun to do it than if you use pills or jump off a bridge?

    Actually, society is probably better off if we don't have to fish you out of a river or repair the damage you cause to the bus when it hits you.

    However the fact that you did not include their deaths in your "statistics" makes your argument considerably less persuasive.

    Then what does the fact that the statistics you quote are nonsensical mean for your argument?

    This is in fact typical of the anti-gun arguments; they quote easily-disproven numbers that are completely out of whack with reality, and conglomerate them into official-sounding foundations like Suicidology.org so that nobody will look too closely at where they come from. I got most of my numbers from the Centers for Disease Control and the National Safety Council. Some come from the Justice Department. Not only did I not go anywhere near the NRA's web page, but I'm not even a member. (Although I certainly appreciate the central role they've taken in reducing childhood gun accidents this century, and will undoubtedly join soon.)

    All of the places I got my numbers from are run by an anti-gun Democrat Executive Branch, so if the numbers are off they're probably off in your favor, and they *STILL* support my argument.

    My favorite tactic of the anti-gun folks is that whenever they quote numbers regarding children, they include everyone under 25!

    And they count everybody killed in World War I, World War II, Korea, Vietnam, etc. in their "total American deaths by firearms" numbers. That one's priceless, because it means that even if civilians couldn't own firearms and criminals didn't own them, the numbers would hardly change.

    And that brings us to the bottom line; gun laws only affect people who follow laws. Criminals by definition don't follow laws.

    That's why *EVERY* state that has passed "shall-issue" concealed carry laws has seen an immediate drop in violent crime, greater than the national average drop. All of them.

    Those statistics are from the Justice Department; check them out yourself.

    --

  113. Re:No Updated Anti-Virus Software by Icebox · · Score: 1

    Damn straight. At the time most email virii do their damage there are no virus definitions available to screen for them.

    --
    Icebox
  114. IT IS A HOAX by FFFish · · Score: 2

    IT IS A HOAX

    The Register is reporting that this is a hoax.

    Yes, the video is a trojan -- but it is a known trojan and is not a DDoS threat.

    To summarize:
    ===========
    "NETSEC alerted the Internet community about BackDoor-G2 by calling it 'Serbian Badman Trojan (TSB Trojan)'. News stories suggest that the controlling Trojan which is downloaded is a new threat -- it is not. Although the Trojan known as "Downloader" is new, the file downloaded is a known Trojan."

    "In other words, NETSEC's discovery amounts to nothing more than a publicity stunt by an opportunistic security firm in quest of free advertising in the form of media attention."

    --
    Don't like it? Respond with words, not karma.
  115. Video Trojan is a Hoax by alanjstr · · Score: 1

    As reported by The Register, here, there's nothing new about the video trojan. "We now know that the video Trojan, which NETSEC dubbed 'Serbian Badman' (ooohh, how scary that sounds), is actually known by the tragically prosaic name 'Downloader' (aka Backdoor.ldr; Downloader.Kit; Trojan.Win32.Loder.WPW; W95/Loader; and WWWPW).

    It works by fetching, downloading and silently running another, and quite familiar, Trojan called 'Sub7', which consists of a remote server enabling a third party to control an infected computer.

    We are terribly disappointed to report that the Sub7 server is not capable of launching DDoS attacks, unless it has been updated radically since the last time we, em, 'evaluated' it. "

    This seems to have been a publicity stunt by a company called NETSEC.

  116. Here is a REALLY good deal on that product.. by SethJohnson · · Score: 1


    Speaking of the Linksys router, I just bought the same one you have, but without the 4 ports (I already have a hub). Supports the same features and is just $103 at buy.com. There should be a $20 coupon available on orders of $100 or more for first-time and returning customers, which drops the price down to $83.

    Sure, a linux router is a fun solution, but if you don't have the hardware to spare, this router does a great job.



    Seth
  117. proof-of-concept trojan and irc log files by jeremygaddis · · Score: 1

    someone was asking about the binaries for this. i got a trojan/virus the other day that does pretty much the same thing. connects to a remote irc server, joins a channel, and waits for commands from a remote user. all this without the users' knowledge. i tracked the trojan and found the person who gave it to me, then suckered him into talking to me and giving me a bunch of information about him and the trojan. full logs and a brief run through can be found at this page, including the trojan binary. be sure and read the irc logs where the 'culprit' states he uses it mostly for dos attacks. i got this about 2 days ago, before i'd heard anything on the news about this new so-far-unknown tool. -jg

  118. a little ministry? by chowda · · Score: 1

    Jesus built my race car. dang a dang dang....
    ------
    www.chowda.net
    ------

    --

    YouTube & Google Video -> podcast http://castcluster.blogspot.com/
  119. LOL the socially concious virus... by Anonymous Coward · · Score: 1

    That would be humorous...engineer a virus to 'SECURE' the victims box correctly then delete itself with a polite comment :)

  120. Re:Could you embed a Virus in a Codec? by J-Bone · · Score: 1

    Yes, I think this one could be an answer! I faced several times the request from Media Player to download a codec. And naturally I blindly clicked on the "yes" button...

  121. Re:Lack of security in the 'net by RTMFD · · Score: 1

    Hmm, maybe if software giants like Microsoft were legally liable for the software products they sold, this wouldn't happen. What would happen to Masterlock if they sold locks that simply unlocked after one sharp tug, or all had the same combination? Their collective ass would end up in court, that's what. Thanks to some of the recent laws passed in this country though, it looks like that might never happen to large companies selling crap software in the United States.

  122. Re:Inconsistencies by titus-g · · Score: 1
    there's definitely something that doesn't ring quite true about the whole thing. . .

    like in the ap article

    NETSEC employees have since monitored an Internet chat room set up by the hackers as the vandals identified victimized computers, discussed strategies and boasted of their work.

    ``When he thinks all of those clients are sleeping, one of them is really active and watching them,'' Waskelis explained.

    err so these h4x0rs can write vb trojans, get them onto 2000++ comps, but they don't understand the concept of lurking?? (2nd thoughts, maybe the client mentioned is meant to be the trojan)

    love this though, from their site

    "Search the hard drive for a .exe file with a random seven to eight character name. The file typically installs itself in /Windows directory." Now that advice is better than the trojan (the next step is to :)), even if you ignore the number of exe files on most pcs and that win95 doesn't show all cap filenames by default (?)

    anyway off to delete any 7/8 char exe files in my win dir to be on the safe side

    oo just a thought, anyone here work developing firewalls/etc? want to contact them to get a copy of the file to study in order to block it

    --

    ~ppppppppö

  123. This, of course, only affects Linux. Oh, wait! by Vandermar · · Score: 1

    It's funny how news companies in the past have tended to blame UNIX and OSs modeled after it for DDoS attacks. Now we have one in the form of a windows executable. Correct me if I'm wrong but doesn't Linux have the ability to bring network connections up and down even though it is still physically attached to something (eg dsl or cable modem). I'm sure others do too I just haven't used them yet. Wouldn't that be the safest thing? If you're not using your connection why leave it active?

  124. When will people learn? by soldack · · Score: 1

    No need for virus scanners...just don't run things you don't know. What is it with people's strange need to double click on every single thing that appears in front of them?!!
    This kind of stuff drives me nuts. You wouldn't talk to strangers but you will open up strange binaries from them? Ug...

    --
    -- soldack
  125. Job description by jovlinger · · Score: 1

    Ok, so they say they noticed this virus because it caused unexpected network traffic.

    That means that they actively go out and try to download software that might be infected, trying to find new viruses.

    imagine the job specification:

    "Candidates with at least 3 years experience in searching the 'net for pr0n are invited to apply to NETSEC as system infectors."

    So there's this guy sitting in their office, probably dressed in a suit and tie, tongue lolling in his mouth, downloading one exe after another, hoping that this one won't be a virus so that he gets to watch some more porn.

    You gotta grin.

    Reminds me of the visual-recognition people a few years ago who were using pr0n as input -- it turns out that skin is such a uniform color, it's easy to discriminate. So they were sending their program -- funded by darpa no doubt -- into their collection to find matches for "woman, bent over".

    It's all honest research. really.

  126. Other uses for a large network of computers? by Sangui5 · · Score: 1

    Maybe they want to increase their ranking on Distributed.net.

    Maybe it's an experiment that got out of control.

    Maybe pigs will fly.

  127. Palmer says.... by ^chuck^ · · Score: 2

    In the CNN interview:
    But if a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless?
    So let's continue the analogy. What if the builder of your house left a spare key to your house under the mat without telling you, but has been known by people in the industry to do this at every house he builds? Who would you be mad at? The person who got in without a challenge, or the person that gave him the opportunity?

    --

    Lemure, wtf! Don't you mean Lemur?
    1. Re:Palmer says.... by Bob(TM) · · Score: 1

      Basically, it's my belief that if you leave your car door open and something gets stolen from inside, it's really your own bloody fault, even if the law says otherwise.

      Actually, it's my irresponsibility (or, perhaps, naivete) that made it possible or easy, but I didn't commit a crime. Leaving a door unlocked is not illegal. The illegal act of theft is taking what does not belong to you, locked door notwithstanding. The fact that the door was left unlocked does not equate to an invitation to take what's inside.

      But if the car comes with car locks that look like they work, but can be opened by lifting the handle for five seconds, then the responsibility rests with ... who sold you the car.

      I agree with you here. In your example, the seller bears some responsibility for the situation, but as it relates to the implication of providing a defective lock, not to the resulting theft.

      I would further argue that even the thief who takes advantage of a situation is behaving irresponsibly. He could have taken responsibility for the situation and passed by (among other honorable actions) without opting to burden (or, unburden, as the case may be :) ) his neighbor.

      --

      The little guy just ain't getting it, is he?
    2. Re:Palmer says.... by rjamestaylor · · Score: 2
      if the builder of your house left a spare key to your house under the mat without telling you, but has been known by people in the industry to do this at every house he builds? Who would you be mad at? The person who got in without a challenge, or the person that gave him the opportunity.
      I don't know about being mad but I'd file a criminal complaint against the person who broke entry.

      And, I'd sue the pants off the builder for negligence (and whatever else a lawyer could throw at him).

      Oh, I almost forgot, since this post touched something related to the legal system I am required, as a good /. nerd, to add:

      IANAL
      Boy, do I hate I-A-N-A-L, as if we thought you were! (Sorry)
      --
      -- @rjamestaylor on Ello
  128. Re:Since when were movies executed as code? by BrianW · · Score: 2
    With the extensions turned off, you're forced to rely on the icon to tell you what the file is...

    Hmmm... Doesn't Windows use icons in .exe files? (It's been a while since I was near a Windows box) If so, even looking at the icon is no guarantee that the file is actually what it claims to be.

  129. Re:HOAX ? by Anonymous Coward · · Score: 1

    It's more or less described here: http://www.netsec.net/advisory.html Roughly: an .exe file with an avi icon and a random name, about 373 KB.
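
A triage scan for the two tell-tales this thread keeps returning to (an executable wearing a movie name or icon, and a random-looking 7-8 character .exe in the Windows directory), written as an added example for the discussion and not taken from NETSEC, Symantec or any poster. The sample files it builds are constructed stand-ins carrying only a PE "MZ" header, not the trojan, and the vowel-count heuristic for "random" names is my own assumption that will flag some legitimate names unless you feed it a baseline allowlist.

```python
"""Flag files that look like the disguised executable described in the thread."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

MEDIA_EXTS = {".avi", ".mpg", ".mpeg", ".mov", ".wmv", ".asf"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}
NAME_RE = re.compile(r"^[a-z0-9]{7,8}$", re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


@dataclass
class Finding:
    path: str
    reason: str


def is_pe(path: str) -> bool:
    """True if the file starts with the DOS 'MZ' stub every Windows PE image has."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 7-8 alphanumerics with a digit or very few vowels."""
    if not NAME_RE.match(stem):
        return False
    if any(c.isdigit() for c in stem):
        return True
    return sum(1 for c in stem if c in VOWELS) / len(stem) < 0.2


def check_file(path: str, in_windows_dir: bool,
               known: FrozenSet[str] = frozenset()) -> Optional[Finding]:
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    # 1. movie.avi.exe: with "hide extensions" on, Explorer shows this as movie.avi
    if ext in EXEC_EXTS and os.path.splitext(stem)[1].lower() in MEDIA_EXTS:
        return Finding(path, "executable extension hidden behind a media extension")
    # 2. clip.avi whose bytes are a PE image: the icon says movie, the header says program
    if ext in MEDIA_EXTS and is_pe(path):
        return Finding(path, "media extension but file starts with a PE 'MZ' header")
    # 3. the advisory's trait: a random 7-8 character .exe in the Windows directory
    if in_windows_dir and ext == ".exe" and name.lower() not in known and looks_random(stem):
        return Finding(path, "random-looking 7-8 character .exe in Windows directory")
    return None


def scan(root: str, windows_dir: Optional[str] = None,
         known: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Walk root and collect findings; windows_dir enables the random-name check."""
    findings: List[Finding] = []
    win = os.path.normcase(os.path.abspath(windows_dir)) if windows_dir else None
    for dirpath, _, files in os.walk(root):
        in_win = win is not None and os.path.normcase(os.path.abspath(dirpath)) == win
        for f in files:
            hit = check_file(os.path.join(dirpath, f), in_win, known)
            if hit:
                findings.append(hit)
    return findings


def build_sample_tree(base: str) -> str:
    """Construct a throwaway tree with the cases discussed; returns the fake Windows dir."""
    win = os.path.join(base, "Windows")
    os.makedirs(win, exist_ok=True)
    samples = {
        os.path.join(base, "holiday.avi.exe"): b"MZ" + b"\0" * 62,    # hidden .exe
        os.path.join(base, "clip.avi"): b"MZ" + b"\0" * 62,           # PE wearing .avi
        os.path.join(base, "real.avi"): b"RIFF\0\0\0\0AVI ",          # genuine AVI header
        os.path.join(win, "xk3q9zpw.exe"): b"MZ" + b"\0" * 62,       # random name
        os.path.join(win, "notepad.exe"): b"MZ" + b"\0" * 62,        # ordinary name
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return win


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in scan(tmp, windows_dir=build_sample_tree(tmp)):
            print(f"{hit.path}: {hit.reason}")
```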

  130. you're a genius, you should patent that by onepoint-o · · Score: 1

    Boy is that a novel idea. That is what everyone's talking about. Thanks for spelling it out so clearly. Now all we need is someone to implement your idea. Oh wait, that's right someone already did. Nevermind.

  131. Re:I knew this would happen by finkployd · · Score: 2

    It's funny, every time I use sarcasm, there is always one person who takes it seriously.

    Maybe I should include some kind of disclaimer in the sig from now on :)

    Finkployd

  132. Re:Lack of security in the 'net by jht · · Score: 3

    Good point. Though Windows has no security whatsoever, it'd be trivial for the cable companies and DSL providers to provide basic, network-level security for their users that could at least block most of these DDOS script kiddie tools from getting "go" signals.

    Ultimately, the responsibility falls on the user, but given the cluelessness of most home (and many office) users, and the inherent vulnerability of Windows, the network providers really need to step up and fill this gap soon.

    There's no reason why filtering couldn't be built into the cable modem (the same way many of them now block NetBIOS), and updated by central control at the head end to block new threats.

    That said, given that it's cable companies doing this, the login for administration would probably be:

    Login: admin
    Password: admin

    Scary, huh?

    - -Josh Turiel

    --
    -- Josh Turiel
    "2. Do not eat iPod Shuffle."
  133. I know how it works... by Anonymous Coward · · Score: 1
    It gets the users' machines to post a story to /. with the victim's site URL in it. For extra damage it says "they said Linux sucks" in the story ensuring that rabid Linux users flame the site for months to come.

    Be afraid.

  134. Re:HOAX ? by crazy_speeder · · Score: 1

    " This sounds rather hoax'sih to me. "

    maybe it is one of those mind Trojans. they prepare you for an attack, warn you of imminent doom, media alarms the world, there's hysteria, and then nothing happens. kinda like y2k.

  135. DDoS: The worst thing that can be thought of now? by FuzzyHairBall · · Score: 1

    It's interesting that the first thing someone thinks of as the use of taking control of 2000 computers (a very small number, I think) is a DDoS attack. Whatever happened to simply stealing credit card information or finding those nice cross-linked networks that never should have been linked in the first place? I mean, the article said something about trying out a network of taken computers; presumably this is how they found 2000 infected PCs. But it could be more like 200000 PCs, and those just weren't activated (this time). OK, I'm done babbling.

  136. Re:I knew this would happen by mOdQuArK! · · Score: 2
    I discount that statistic for the simple reason that the CDC says there were only 30,535 total suicides that year, so how could 43,240 of them have been by firearm?

    I label myself an idiot - I summed the entries in the suicide-by-firearm table @ http://www.suicidology.org w/o checking to see if they covered overlapping categories (which they do). Proper summation yields the 30,535 number you mentioned above.

    This is, of course, still ~30.5k more deaths due to firearms than you listed in your original message, a statistical modification which you conveniently dismiss as "their choice". You show a severe lack of understanding (or sympathy) on how depression can suppress critical thinking abilities & cause irrational behavior.

    Not only did I not go anywhere near the NRA's web page, but I'm not even a member. (Although I certainly appreciate the central role they've taken in reducing childhood gun accidents this century, and will undoubtedly join soon.)

    I certainly hope that, if there is no way to remove ALL guns from a society, then all gun-owners are thoroughly indoctrinated in safety. Unfortunately, that still doesn't remove the source of MY basic worry - as long as someone else has a gun, I have to worry about whether or not they're going to decide to shoot me (note that I don't distinguish between individuals or the "authorities" here). If they don't have a gun, then I don't have to worry about them shooting me - even if they're insane or really pissed off at me. All your statistics don't mean squat to me if you can't address that basic fear.

    My favorite tactic of the anti-gun folks is that whenever they quote numbers regarding children, they include everyone under 25!

    Children die when they get shot - why only include statistics for adults?

    And they count everybody killed in World War I, World War II, Korea, Vietnam, etc. in their "total American deaths by firearms" numbers. That one's priceless, because it means that even if civilians couldn't own firearms and criminals didn't own them, the numbers would hardly change.

    I don't think this was an issue with the statistics we were attempting to use (once I got my number right).

    And that brings us to the bottom line; gun laws only affect people who follow laws. Criminals by definition don't follow laws.

    Bullshit - if weapons were scarce, then even criminals wouldn't use them (since the criminals wouldn't have to worry about being shot, and since they would be damn expensive.) Since they aren't scarce (through the very diligent efforts of US arms manufacturers), to maintain a MAD (Mutual Assured Destruction)-type balance of power, suddenly EVERYONE needs to get a gun - and I no longer feel safe.

    That's why *EVERY* state that has passed "shall-issue" concealed carry laws has seen an immediate drop in violent crime, greater than the national average drop. All of them.

    Ah yes, the infamous correlation==causality argument - which is, of course, a classic logical fallacy.

    I doubt anything I can say is going to change your mind, and I don't think anyone is listening to us anymore, so I'm going to get back to work now.

  137. Re:IT IS A HOAX (that is incorrect) by mtallgeier · · Score: 1

    Two issues:

    1. Those who quibble about the particular type of trojan that we found have missed the point and display their ignorance of network security and hacking techniques. A trojan is a tool. It's no more dangerous than the person who uses it. In this case, a *variation* of a known trojan was being used by at least two "hackers" to attack third parties from a distributed base of hundreds of infected machines. Those hackers are now shut down, at least temporarily, due to the press and the threat of an FBI investigation. So, who cares what type of Trojan it is?

    2. The naysayers here are the anti-virus cartel who speculate without even bothering to gather fact (sorry to step on the toes of your little fraternity, guys.) This was proactive detection and prevention of an active attack before it caused major damage. What did companies like Network Associates and Symantec do to detect and prevent the last DDoS attacks BEFORE they caused millions in damage? The answer is: nothing.

    Thanks, Michael Allgeier mta@netsec.net

  138. Not a big surprise by Animol · · Score: 1

    Like someone mentioned in the article about the new cell-phone problem, it seems like there's been a HUGE proliferation recently of different types of infections for computers. Perhaps it's the damned Y2K bug, just a little late...
    Seriously, though, this all has to make one think about security. Unless one is broadcasting the news. Then, it tends to make one ask questions like, "What's slashdot?" and "How did you get your nickname?"

    --

    "I'm not even supposed to BE here today!"
  139. ...sigh... by fuzzcat · · Score: 1

    If only people weren't so stupid as to download everything that someone sends to them...

    --
    "The further I get from the things that I care about, the less I care about how much further away I get." -Robert Smith
    1. Re:...sigh... by phil+reed · · Score: 2
      People only see the convenience factor, not the dangers. It's the same reason that Win95/98 doesn't have a security model to speak of - that means increased complexity, and increased complexity means decreased convenience.

      The solution will involve multiple layers: improved security on the part of the operating system (no more immediate execution of mail attachments), improved configurations on the part of network providers (how to do this without strangling the two-way nature of the net is hard - I'd like to see people still be able to run servers from their bedroom), and improved education all around. I'm not hopeful.


      ...phil
      --
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
  140. It's exactly like that! Now you're catching on!

    I didn't say it was NICE, I just said it would WORK.
    --
    Wanna hook MAPI clients to your Tru64/AIX/Linux server?

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  141. Re:DOS attack. Or solitaire, for that matter. by mtallgeier · · Score: 1

    Two issues:

    1. Those who quibble about the particular type of trojan that we found have missed the point and display their ignorance of network security and hacking techniques. A trojan is a tool. It's no more dangerous than the person who uses it. In this case, a *variation* of a known trojan was being used by at least two "hackers" to attack third parties from a distributed base of hundreds/thousands of infected machines. Those hackers are now shut down, at least temporarily, due to the press and the threat of an FBI investigation. So, who cares what type of Trojan it is?

    2. The naysayers here are the anti-virus cartel who speculate without even bothering to gather fact (sorry to step on the toes of your little fraternity, guys.) This was proactive detection and prevention of an active attack before it caused major damage. What did companies like Network Associates and Symantec do to detect and prevent the last DDoS attacks BEFORE they caused millions in damage? The answer is: nothing.

    Thanks, Michael Allgeier mta@netsec.net

  142. Re:Interesting quote ... by Mawbid · · Score: 1

    Yeah, but they didn't get everything right. The (software) engineers I know generally aren't very firm.
    --
    Fuck the system? Nah, you might catch something.
  143. Is it a criminal act to run this code? by ikekrull · · Score: 2

    Is it considered a criminal act under current law to deliberately run this program on your computer?

    --
    I gots ta ding a ding dang my dang a long ling long
    1. Re:Is it a criminal act to run this code? by erpbridge · · Score: 1

      Only in Pennsylvania, so far. See this article from Slashdot, June 2nd.

  144. Re:I knew this would happen by gwalla · · Score: 1
    However, remember that those who want to keep guns, have them. Those who want to ban guns don't. Who do you think is going to get their way?

    Um, the ones who vote? Unless you're planning a coup d'etat...


    ---
    Zardoz has spoken!
    --
    Oper on the Nightstar
  145. DOS attack. Or solitaire, for that matter. by iturbide · · Score: 3

    Looks like the DOS attack was just dragged in for publicity's sake: "Once opened, the file infiltrates the computer, turns it into a "zombie" machine controlled by hackers. It can then be used to launch a denial-of-service assault."

    Yes of course. But then, it can also be used to launch solitaire. Sounds pretty upsetting to me.

    René

    1. Re:DOS attack. Or solitaire, for that matter. by John+Napkintosh · · Score: 1

      But what better way to prevent the worst (well, not really) than to scare people into thinking that this will happen, giving them time to do something about it? Soon enough DoS will be no big deal when enough people have taken measures to prevent being affected.

      --

      Long signatures suck.
    2. Re:DOS attack. Or solitaire, for that matter. by phil+reed · · Score: 3
      Given the two possibilities:
      • The hacked machine will be used for remote solitaire.
      • The hacked machine will be used for a DDoS attack
      Which do you honestly think will be more likely?


      ...phil
      --
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    3. Re:DOS attack. Or solitaire, for that matter. by Kingfox · · Score: 1

      Actually, a mailing list I used to be on distributed a version of this program. It would pop out the CDROM tray, and play the Coke jingle. Of course, I was running a virus shield at the time, and it detected the attachment as being dubious in nature. The moderator had to send out a second message explaining that he wasn't sending people virii.

      If you'd like to read more about this 'virii', click here. A little description of the faux 'trojan'.

    4. Re:DOS attack. Or solitaire, for that matter. by mcrbids · · Score: 1

      As the (now former) owner of a Computer Shop, I can say I'm surprised by the number of people who buy a computer --- and the killer app is Solitaire!

      Don't knock solitaire. My wife likes KDE soooo much more now that it includes "freecell"!

      Of course, I've always been somewhat partial to minesweeper...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    5. Re:DOS attack. Or solitaire, for that matter. by Stonehand · · Score: 1

      And SOL.EXE the only game in town,
      And every MPEG that he takes
      Takes Amazon down
      And later it's easy to pretend
      He'll never FTP again...

      -- with apologies to the Carpenters, 'natch.

      --
      Only the dead have seen the end of war.
  146. Re:Connecting a Windows box to the Internet is stu by BigBlockMopar · · Score: 1
    Running windows on any machine connected to the internet is equally stupid.

    I agree.

    And yet, oddly enough, my Linux box is on my home LAN, working as a client. My Proxy and Firewall, ironically, is running probably the second most insecure operating system on the planet: Windows 95.

    Now, I'm no dummy. File and print sharing was turned off. There's nothing of value on the hard drives of this server, either. All the latest service patches and things are installed. Going to http://grc.com doesn't show up any big holes on my system.

    But I want to run Linux as a proxy/firewall. Why? Well, because I like the security, I like the power, and I want the experience. And I'm working towards it.

    Why am I not running it?

    Well, I got a copy of Red Hat 6.0, and installed it onto that server. It's a 486DX2-66 with 24 megs of RAM, 600 megs hard disk space, an NEC Multisync 3 monochrome VGA monitor and a Vesa bus.

    First, the installer started up, and tried to detect the mono monitor for me. All my text became the same color as the background, and I couldn't read a damned thing. So I had to upset my main system and drag my color monitor off it. Installation was able to continue.

    I was asked how I wanted to set up my hard disk. I attempted to just click "okay" and be able to install default settings, but it didn't like it. Clicking on the help button told me how to install partitions, but didn't tell me the syntax for making a root partition, or how big they should be, or anything. Finally, just by playing around, I was able to get Disk Druid happy with my partitions.

    Then, I was asked if I wanted to install PCMCIA services. Well, this thing has Vesa architecture, therefore it's a desktop, therefore it probably doesn't have PCMCIA slots. I chose not to install PCMCIA services.

    So, it copied for a while, and got everything installed. I rebooted the computer at the end.

    "LI". Stall. LILO had died. I stuck my rescue disk into the drive, restarted the computer, and was able to get running again. I later found out that LILO had died because any boot partition bigger than 1024 cylinders, with some system BIOS, makes LILO unhappy. Even if the bug wasn't fixed, it would have been nice if Disk Druid (the "easy"-to-use alternative to fdisk) had warned of this possibility.

    So, I booted the system on floppy. The root filesystem was mounted onto my hard disk, and everything continued from there.

    Oops. What's this? We're stalling on starting PCMCIA. But I told it not to install PCMCIA support.

    In frustration at an install process even more buggy, inconsistent and difficult to use than even the worst Microsoft product, I shelved the Linux machine for a while. I'm back at it now, but even as an advanced user with some UNIX experience, and lots of Unix-like AmigaDOS experience, I really have not enjoyed my Linux experience yet. I keep plugging away because I want to like it, and I will like it, and I will become good at it.

    But, before you bash Windows users for the irresponsible act of hooking a Windows machine up to the Internet, consider that the Linux alternative is only there for the most advanced and dedicated users.

    About 70% of the time, a new computer user could install Windows 95 successfully, just following through the defaults and reading the prompts. The other 30% of the time some hardware would be detected wrong and the system wouldn't work.

    I consider myself to be an advanced user. I've been on the Internet since 1988. I got my first computer when I was nine years old, so I've accumulated 17 years of computer experience now, on a large variety of platforms and operating systems. I can think inside and outside the box. And I'll maintain that Red Hat 6.0 was the single most difficult piece of software I've ever installed on any computer system.

    I don't like Windows any more than you do. I'm pulling myself away from it more by the day. And I'm lucky, because it's within my skillset to get Linux running.

    So, perhaps this is the issue that needs to be addressed, not just another rant about how evil Windows users are. Instead, can you not sit down and help re-write the installation routines?

    You can bet money that as soon as I'm familiar enough with Linux, my first order of business will be to try to make the installer a little bit more useful.

    --
    Fire and Meat. Yummy.
  147. hidden file extensions... by way2slo · · Score: 2

    This obviously is yet another example of taking advantage of that little check box that says "Hide MS-DOS file extension for types that are registered", which can be found on a windows explorer menu under View --> Options and clicking on the View tab. Once that is checked, the .exe extensions are "hidden" from the user and the only way they have of knowing what kind of file they see is by the icon they see, which can be changed to be whatever the originator of the file wants. Naturally, they see an icon typically associated with an AVI file and think "cool, a movie...I wonder what it is..." and click on it to watch without ever suspecting that it is in fact not a video clip, but an EXE file. Most windows users don't even know about that checkbox and that it's usually checked for them by default. They just assume that the icon is true and run with it. Oh well...

  148. find it with gnutella? by dogshit · · Score: 1

    Did anyone go looking for the movies and find them?

    or is it more fud?

  149. DDoS via Movies? I do it everyday... by GodHead · · Score: 2

    I know I've wasted countless hours watching forwarded e-mails. Does this count as a DoS? And if I send it to all my techie buddies am I causing a DDoS?

    Look out Superfriends-"Wassup"-Guy! The DOJ will be coming after YOU!

    --
    Just wait till some crappy band steals your nic.
  150. Re:I knew this would happen by mOdQuArK! · · Score: 2

    I guess, then, the question would be - for an "average" gun, how many people is it used to injure (either on purpose or accidentally) during the course of its lifetime?

  151. This sounds like a Tom Clancy novel by Chitlenz · · Score: 1

    I think that CNN needs to lay off the sensationalism and provide more relevant facts. This sounds a little odd IMHO, as media streams are not technically executable binaries, but are instead associated with executables. Unless M$ started putting ActiveX garbage into Media Player, I don't see how that's doable. Sounds like either CNN or this would-be security firm is trumpeting themselves a bit much, and I'm sure we'll hear about day-saving when the attacks never come. Geez what weenies.

    --
    Imagination is the silver lining of Intelligence.
  152. Re:And this 'evil sleeper virus' affects Linux how by loccohombre · · Score: 1

    Congratulations!!!! You're the first weaner to hit the 'write predictable comment about how fantastic Linux is but no-one give a toss because it's off topic' button. You sad, sad individual.

    --
    "It's expensive, stupid, last only seconds - but makes your mouth hurt for days - it's BEE IN A BALLOON" - Kibo 3/1/95
  153. Lack of security in the 'net by Gorbie · · Score: 2

    The service providers really need to take some responsibility for these types of situations. The average user doesn't grok the concept that if they hook their computer directly up to a cable modem or DSL connection that they are inviting their computers to be messed with. There are ways to deal with this problem relatively inexpensively, but if people don't understand that there is a problem why would they look for a solution.

    I have a nice little cable router that does I.P. packet filtering and also doubles as a 4 port switch. It is made by Linksys and costs about $180. Hawking makes one that is just a router that costs in the $150 range. If the cable companies just told people they needed the hardware up front, people would buy or rent it and not complain...and be safer for it.

  154. Re:I knew this would happen by circuskid · · Score: 1

    Obviously we don't need government interference (especially not tracking everyone's moves across the net). If government is the solution to problems like this why didn't the FBI find it? Fact is, they didn't. It was found by a private company who informed the DOJ. Let's get real here, do you really trust your leaders and bureaucrats enough to let them know your every move on the net? "Hmmm... BadERA is pr0n surfing, how can we use this?" "The conventional view serves to protect us from the painful job of thinking." -John Kenneth Galbraith

    --
    sig this
  155. Re:This happens all of the time... by AsmodeusB · · Score: 1
    People should stop being so paranoid and just hire sys. admins that know a shred about security

    Or, *gasp* they could run Linux.


    Running linux is no guarantee against stupidity. There are a LOT of unsecured linux (and *nix in general) boxes around.

  156. Space us! by Jeff_NY · · Score: 1

    (from these reporters) The article comments that most home computers are vulnerable to these exploits because "most home users have fixed Internet addresses that are easily identified." Woah. Am I using the wrong ISP? I'd sure like to get one of them fixed IP addresses myself.

  157. Re:I knew this would happen by Steeltoe · · Score: 1

    You could just as well have been meaning it. It's a most valid argument and solution to the problem. IF you have no problem with trampling people's privacy and general rights.

    - Steeltoe

  158. No Updated Anti-Virus Software by nlaporte · · Score: 2

    Home users are especially susceptible because they do not have up-to-date antivirus software

    That's the same kind of BS Micro$oft has been spewing about the ILOVEYOU virus. It doesn't matter at all if the antivirus software is up to date, although that is a great idea, it doesn't protect against any of the newest worms, virii or trojans. That's the problem with all the major companies, they feel like instead of taking the blame for stuff like this, they have to blame it on the user for "not having virus software up to date". What they need to do is find the security hole and patch it, not blame the clueless user.

  159. tell 'em to run ZoneAlarm by Pfhreakaz0id · · Score: 4

    You should recommend to anyone (particularly not geeks) you hear is getting a DSL/Cable or any "always on" connection to go to www.zonelabs.com and get ZoneAlarm. It's free (beer) and it's really easy to use and it will alert you anytime any program tries to get out to the internet (in very easy to understand terms: "Program XXX is trying to contact the internet, do you want to let it?" -- along with a check box not to be bugged by that program again). Plus it does the blocking job of incoming probes too. Not an industrial-strength firewall, but fine for home use. Plus, the new version has a nice "mailsafe" feature for vbscript trojans.
    ---

  160. Re:I knew this would happen by Zak3056 · · Score: 1
    Guns: I'm not going into a whole gun argument. The reasons for gun ownership have been presented before and if you don't believe in gun ownership then I'm not going to preach to you. However, remember that those who want to keep guns, have them. Those who want to ban guns don't. Who do you think is going to get their way?

    I'm sorry to interject this into this thread, and I am sure I will be moderated down as offtopic (hey, because I am) but I couldn't let this statement pass without comment. Those who want to keep guns do not always have them (Have you been to New York City lately? You're more likely to make the US Olympic Team than qualify for a handgun permit) and those who want to ban them sometimes do. At one point in time, Dianne Feinstein had the ONLY legal concealed carry permit in the city of San Francisco, because she "felt a need to protect" herself, while consistently promoting an anti-rights agenda.

    Rosie O'Donnell, who spoke at the hundred thousand woman march, a woman who really has NO cause to fear crime (last time she did, she sold her house and moved to a nicer house in a better neighborhood) has a bodyguard who has applied for a carry permit in Greenwich, CT. Rosie, who once declared "Only police and the military should be allowed to have guns. If you own a gun, you should go to jail" is now in the position of being protected by an armed guard, and her stance is now, "If you're licensed, and registered, I have no problem with it."

    The problem with these people is they are so full of bullshit that it's amazing you can't smell them from a thousand yards away. There are countless "gun control - we need to save the children" types like those I posted above, and what it comes down to in the end is that they want to control PEOPLE, and the easiest way to do that is to take away their means of self-defense.

    You can call it an extremist stance if you want. I'm an NRA member, and a TFA member, after believing for years that groups like this were over the top, but look at the legal climate of the last few years. It's always called a "compromise" when someone proposes "sensible gun laws" and yet we never seem to get anything out of these compromises. That's why a lot of gun owners take an uncompromising stance, and end up getting labelled as nuts because of it.

    It's enough to make you sick. And you know what? From time to time, it really does.

    --
    What part of "shall not be infringed" is so hard to understand?
  161. Re:Why are you Microsft supporters so damn defensi by superkorn · · Score: 1
    Drvspace.exe would not come up unless you only had windows installed for a month. Read my post again I suggested limiting the search to recent times only so that the windows installed files would not come up.

    As for being a "defensive MS supporter" I don't feel as though that really describes me. I am not a linux/BSD zealot which maybe means you mistook me for an MS booster. I just wonder why you feel the need to put "espcially on windows" on your apparently mis-informed post claiming it was not possible to search for something random...if that makes me a defensive MS supporter then so be it I guess I am guilty as charged.

  162. Re:I knew this would happen by Syberghost · · Score: 2

    Bullshit - if weapons were scarce, then even criminals wouldn't use them (since the criminals wouldn't have to worry about being shot, and since they would be damn expensive.)

    Then why is gun crime increasing in the UK, and decreasing in the US?

    --

  163. What a sexist article! by cosmol · · Score: 1
    "They're gathering up their armies, and as that number increases, so will their testosterone level," said Todd Waskelis, a vice president at NETSEC.

    Haven't we learned anything?

  164. Bound to happen by dopolon · · Score: 2

    This kind of problem is bound to become more and more commonplace as DSL and cable (or more generally speaking, permanent and high speed connections) get democratized.
    I live in France and I am one of the first thousands of users who have had DSL and my linux firewall has been attacked several times by script kiddies, but the strong setup hasn't allowed anyone in.
    I remember an internet cable provider setting up its own firewall to protect its customers from nuke and stuff like that (and prevent them from sending any too) so that they don't have problems with their 24/7 connection.
    I guess the only solution would be that every home had its linux / freebsd box to act as a router, proxy (protecting kids from porn), and anti hack system.
    Hope everyone could be as lucky as I am...

    D.

    --
    "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
  165. HOAX ? by Tei'ehm+Teuw · · Score: 3

    Where's the beef? This sounds rather hoax-ish to me. I would believe that this could be done, but for all the press on radio and tv, someone would have come out with a real filename, or more information on what to look for if this was real. I have my doubts.

    1. Re:HOAX ? by Mike1024 · · Score: 1

      Hey,

      "Well, the perpetrators must have caught on to us and bailed. We'll get 'em next time!"

      Yeah... that New York Times article must have tipped them off...

      Michael Tandy


      --
      "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
  166. I knew this would happen by finkployd · · Score: 3

    This should be a wake up call for government intervention into the Internet. It's no longer a place of students and computer enthusiasts, it's a place of business. It needs to be protected from hackers, and there needs to be accountability. It's time to implement changes so that people can be traced and logged, encryption all has back doors that can be used against cyber terrorists, and we'll need to levy a tax on it to pay for this law enforcement.

    Or perhaps that is the point to this story.

    Finkployd

    1. Re:I knew this would happen by finkployd · · Score: 1

      No, if you are referring to an earlier post that I made, that is positively dripping with sarcasm. I'm sorry if it was too subtle.

      Finkployd

    2. Re:I knew this would happen by finkployd · · Score: 1

      Well, since the majority of voters own guns (actually the majority of American citizens), I'm not too worried about that either.

      Finkployd

    3. Re:I knew this would happen by finkployd · · Score: 2

      People, like me, want to regulate gun ownership so we can know where they are sold, and to whom, and to bust those people who sell illegally, or unsafely/irresponsibly store their guns.

      I do as well, which is why I support ENFORCEMENT of the current laws. By following them, we will know every gun that is sold. More laws are not the answer, since criminals have no problem breaking the current ones.

      The few cases of disreputable gun dealers alone is enough to regulate this trade a little further

      It is currently one of the most regulated industries in the country. Since vehicular homicide is many times more likely than gun homicide, why do we not push for stricter vehicle laws first? Seems that would affect more people.

      The NRA uses more money to fight gun control laws than to offer free gun safety classes, something that I feel to be a requirement before owning any type of gun (the NRA's class is very good by the way).

      First up, I'm glad they do. I disagree with the NRA constantly, but I'm glad there is a "radical" group on the right to bring balance to the "radical" on the left who advocate making it illegal to own any kind of firearm.
      I also support mandatory "gun control" classes (I just like calling them that :)

      I don't have any kind of irrational fear that the Dog Pound is going to come knocking on my door to take away my dog.

      As stated earlier, there are plenty of people speaking out to have guns made illegal. Rosie O'Donnell being one of the more recent ones. She publicly claimed that all gun owners should be sent to jail. Then she had her bodyguard apply for a carry permit.

      As to the guns being bought in other states and brought into DC, if the guns are purchased without checking ID, that is currently illegal. Again, enforcement of EXISTING laws comes into play.

      Not to mention, protection is hardly a valid argument.

      Your arguments are valid. However I'd point out that anyone with proper training (which I support) would know that they need 5 minutes from waking to effectively deal with that kind of situation. They would also know to check all family members before investigating. The facts remain that accidental shootings (while unfortunate) are very rare, certainly not common enough to disarm a public. Cars should be banned before guns, they do much more damage and killing.

      All this said, I agree with your position on most of what you wrote. However, the polls I've seen state that some 65% want current laws better enforced before adding new laws.

      Finkployd

    4. Re:I knew this would happen by finkployd · · Score: 2

      Who's missing the sarcasm now?

      Nygard. He's the one who suggested that you missed mine. However, it seemed that you were reacting to my sarcasm as though you believed I was serious and were countering with sarcasm of your own.

      Now my head hurts. :)

      Finkployd

  167. Yabut... by Anonymous Coward · · Score: 1

    Can you believe they know of infected computers and will only tell the commercial concerns? What about the individual citizens? Excuse me! Why warn the commercials and not Joe SixPack?

  168. Not only the extension by bockman · · Score: 1
    It is also, as said elsewhere in this thread, that you can embed in a file whatever icon you want, and that will be the icon shown by windoze. So you can have an executable looking like an AVI ( or JPEG or whatever ).

    The information carried by the icon is more prominent than the one carried by the extension, so many users would probably believe that a .exe file is an image or a movie, if it looks like one.

    --
    Ciao

    ----

    FB

  169. Re: Here's the mad cow by BlueUnderwear · · Score: 1
    Search the hard drive for a .exe file with a random seven to eight character name.

    Anybody know how to search for something random? Especially on Windows... ROTFL!

    --
    Say no to software patents.
  170. Re:Since when were movies executed as code? by mrfiddlehead · · Score: 1
    The problem isn't so much that Windoze has hidden files, but that their definition of a hidden file completely ignores the file attribute. As far as explorer is concerned, a hidden file is either hidden, system or dll. And there's no easy way to toggle display of these fscking files.

    How's that for off topic!

    --
    :wq
  171. Windows Firewall by FFFish · · Score: 2

    For those of you running Windows9x, you'll find that ZoneAlarm is a good firewall. Access Zone Labs here.

    Also protects against .vbs worms, it claims. That, I'm not so sure about. But it does appear to be effective against a number of attacks, holes, etcetera.

    Absolutely essential for anyone with a 24/7 connect.

    --
    Don't like it? Respond with words, not karma.
  172. So reduce the lethality... by FascDot+Killed+My+Pr · · Score: 1

    The virus keeps a counter. It kills DUN after 10 (or 100 or 500) more connections (reboots, etc). Or it mails itself, Melissa-style, to the addressbook and then kills DUN.
    --
    Wanna hook MAPI clients to your Tru64/AIX/Linux server?

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  173. Could you embed a Virus in a Codec? by Anonymous Coward · · Score: 2
    If you wrote (or modified) yourself a video Codec, and then distributed a VERY FUNNY video clip encoded using that Codec, you could in theory lure people into downloading the codec and viewing the video clip with it...

    Question to those people who know this sort of thing...

    does Video 4 Windows allow you to embed Codec download information into your video clip?

    If it does, that may explain how a video clip (or any other streaming media requiring a codec) may be used as a virus transmission vector.

    Just a thought......

  174. Movies not executed as code, but ASF's DO have URL by erpbridge · · Score: 1

    This particular one is a .MPG.exe. Now, as everyone knows, you don't care about anything except the three characters after the last dot (a carryover of the old DOS 8.3 format, except now it's 255.3.)

    Anyways, I know, and have seen, ASF's that can, toward the end of the page, redirect you to a webpage, usually the maker of the movie. However, you can make a quick 1 second, 5 second, whatever length you want, ASF, and have it redirect to a page that contains an ActiveX script, or Javascript. If you have those enabled on your browser, boom, instant run, and you don't even know about it!
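    The hidden-extension trick described in #147, the embedded-icon point in #168, the "search for a random seven-to-eight-character .exe" advice quoted in #169 (with the "recent files only" refinement from #161), and the `.MPG.exe` naming in #174 all come down to file-name checks a defender can script. The following is an added example, not code from this thread or from any vendor: it shows how Explorer's "hide extensions for known file types" turns `clip.mpg.exe` into `clip.mpg`, flags double-extension executables, and applies a deliberately crude "random-looking name" heuristic. The extension lists, the 7-8 character / digit-or-no-vowel rule, and every sample file name are assumptions constructed for the example.

```python
"""
Heuristics for the file-name tricks discussed in this thread (added example,
not code from the thread or from any vendor). All sample names are constructed.
"""
import os
import tempfile
import time

# Extensions Windows executes on double-click (assumed list for the example).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Extensions a user expects to be inert media or documents (assumed list).
DECOY_EXTS = {".mpg", ".mpeg", ".avi", ".asf", ".mov", ".jpg", ".jpeg", ".gif", ".txt"}
VOWELS = set("aeiouy")


def explorer_display_name(filename):
    """Name Explorer shows when 'hide extensions for known file types' is on:
    the final extension is dropped (all the extensions above are registered
    types), so the user sees only the decoy part of a double extension."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def is_double_extension_executable(filename):
    """True for 'name.<decoy>.<executable>', e.g. 'clip.mpg.exe'."""
    root, last = os.path.splitext(filename.lower())
    if last not in EXECUTABLE_EXTS:
        return False
    return os.path.splitext(root)[1] in DECOY_EXTS


def looks_random_exe_name(filename):
    """Crude answer to 'how do you search for a random name?': a 7-8 character
    alphanumeric executable name that mixes in digits or has no vowel at all.
    Ordinary names such as 'drvspace.exe' pass; 'xk7qz2pv.exe' is flagged.
    Thresholds are an assumption for this example, not a vendor rule."""
    root, ext = os.path.splitext(filename.lower())
    if ext not in EXECUTABLE_EXTS or not root.isalnum():
        return False
    if not 7 <= len(root) <= 8:
        return False
    has_digit = any(c.isdigit() for c in root)
    has_vowel = any(c in VOWELS for c in root)
    return has_digit or not has_vowel


def scan_tree(top, max_age_days=None, now=None):
    """Walk `top` and return (path, reason) pairs for suspicious executables.
    `max_age_days` limits the search to recently modified files, the
    refinement from #161 so long-installed OS files are not reported."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _, names in os.walk(top):
        for name in names:
            path = os.path.join(dirpath, name)
            if max_age_days is not None:
                age_days = (now - os.path.getmtime(path)) / 86400
                if age_days > max_age_days:
                    continue
            if is_double_extension_executable(name):
                hits.append((path, "double extension, shown as %r" % explorer_display_name(name)))
            elif looks_random_exe_name(name):
                hits.append((path, "random-looking executable name"))
    return hits


def demo():
    """Build a throwaway directory of constructed file names and scan it.
    Returns the sorted list of reasons; the aged file is filtered out."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("holiday.mpg.exe", "xk7qz2pv.exe", "drvspace.exe",
                     "q9w8e7r6.exe", "holiday.mpg", "readme.txt"):
            open(os.path.join(tmp, name), "w").close()
        # Age one random-looking file by 100 days so the recency filter drops it.
        old = os.path.join(tmp, "q9w8e7r6.exe")
        past = time.time() - 100 * 86400
        os.utime(old, (past, past))
        return sorted(reason for _, reason in scan_tree(tmp, max_age_days=30))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

    Run it against a user's profile or download directory rather than a whole system drive; the double-extension check is the reliable one, while the random-name rule is only a triage filter and will still miss anything named to look like an ordinary program.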

  175. We don't have anything to worry about by FascDot+Killed+My+Pr · · Score: 1

    I don't see what everyone is so worked up about. We already know you can't run DrDos with Windows.
    --
    Wanna hook MAPI clients to your Tru64/AIX/Linux server?

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  176. Interesting quote ... by Draoi · · Score: 5
    Interesting quote from the NETSEC guy:

    "We're all hackers, in the traditional sense of the word," Waskelis said. "If we find something like this, we want to pick it apart and see what it's doing."
    They're finally getting their terminology right ...

    Pete C
    --
    Alison

    "It is a miracle that curiosity survives formal education." - Albert Einstein

  177. Since when were movies executed as code? by _xeno_ · · Score: 1
    Last time I checked, movie files were digital streams of audio/visual information. When did they gain the power to run code on machines? It would seem to me that you would need to be rather foolish to run a movie file as a program. Or is this file just a shortcut under Windows?

    This story's seriously lacking in technical merit as mentioned in the blurb. This is missing such important details as the platforms that can be affected (Windows? Mac?) to HOW a movie clip can contain a trojan horse.

    --
    You are in a maze of twisty little relative jumps, all alike.
  178. Creepy? by mrfiddlehead · · Score: 3
    And yet this is the info found on symantec concerning the so-called Serbian.trojan.

    This trojan horse attempts to download a program file from the Internet and execute it. The intended program file is no longer available on the Internet, thus it currently poses no threat to users.

    This, in the context of the cnn report, I find to be a little bit creepy. And how the fsck do they know that the file is no longer available on the Internet? And then they go on,

    This trojan horse was originally posted to an adult Internet newsgroup on June 7, 2000. It was described as an adult movie file. However, it actually attempts to download the file http://www.lomag.net/~ryan1918/MySissy.mpg.exe from the Internet and launch it after it has been downloaded. It performs no other actions. The program file no longer exists at this Internet address, thus this trojan horse essentially does nothing and poses no threat to users.

    --
    :wq