Slashdot Mirror


Building The Ubervirus

Johnath writes: "The HNN has a rather eye-opening article about a potential disaster dangling overhead. It's not so much that the ideas presented are revolutionary -- most /. readers would probably come up with a similar scheme, if called upon to design a killer net virus, but nevertheless, it pretty lucidly addresses the potential damage."

229 comments

  1. Second post! by Russ+Nelson · · Score: 2

    That is to say, this is the second time this article has been posted to slashdot. /me is too lazy to find a link to the first time it was posted. Search is your friend.
    -russ

    --
    Don't piss off The Angry Economist
    1. Re:Second post! by Russ+Nelson · · Score: 2

      I lied. Search is not your friend. The virus article is dated from last year, yet there's no way to get slashdot's search to sort its results by date. Heck, it doesn't even tell you what *year* it's returning the results from.

      --
      Don't piss off The Angry Economist
    2. Re:Second post! by axel+from+afkmn · · Score: 1
      i think that teh slashdot is not y2k compliant, or sometihgn ok bye.

      loev,

      --

      Axel
      mhm23x3, alt.fan.karl-malden.nose

    3. Re:Second post! by Russ+Nelson · · Score: 3

      Cool idea. Why doesn't Rob just re-post everything more than a year old, so we can have the same discussion over and over again?

      --
      Don't piss off The Angry Economist
    4. Re:Second post! by miracle69 · · Score: 1

      This is happening frequently enough that I can't help but wonder if this is a new troll technique. Every day, submit a post or two from a few months back and sit back and laugh as it gets rehashed all over again.

      Were I a troll, I'd use this.

      Heck, it might even incite some changes around here - like moderators being able to see submitted stories and rank them. Once a story hits a threshold, it makes the main page...

      --
      Linux - Because Mommy taught me to Share.
    5. Re:Second post! by jekk · · Score: 1
      > Why doesn't Rob just re-post everything more
      > than a year old, so we can have the same
      > discussion over and over again

      Wait.. isn't that how it works?

      ;-)

      -- Michael Chermside

    6. Re:Second post! by _Marvin_ · · Score: 1

      >Heck, it might even incite some changes around here -
      >like moderators being able to see submitted stories and rank them. Once
      > a story hits a threshold, it makes the main page...

      This is already reality. Look at Kuro5hin!

      --
      "We won't use guns, we won't use bombs, we'll use the one thing we've got more of and that's our minds" - Pulp
    7. Re:Second post! by synaptic-impulse · · Score: 1

      that is a really interesting idea - democratic media.

      but the problem is that you would have to rely on the good judgment of the moderators (which is, in effect, what we do with rob, taco et al)

      anyway - off topic I know ....

      but would be great to see how such a system would work. and what stories would make it to the front.

    8. Re:Second post! by _Marvin_ · · Score: 1

      As I said - look at Kuro5hin.

      > but the problem is that you would have to rely on the good judgment of the moderators (which is, in effect, what we do with rob, taco et al)

      Actually, at Kuro5hin there is no distinction between moderators and readers - anyone can vote!

      --
      "We won't use guns, we won't use bombs, we'll use the one thing we've got more of and that's our minds" - Pulp
  2. Aaaarrrgh! by mister7 · · Score: 1

    For the benefit of those trapped behind the berlin firewall (filter), could somebody mirror or paste the article contents here?

    Large corporate filters don't like us to visit seedy places like HNN.

    Mucho Thanks

    1. Re:Aaaarrrgh! by Saxton · · Score: 1

      Are you sure it's your firewall? Looks like it's /.'ed to me, and there's only 3 or so comments as I type this... Mirrors?!



      --
      My name is Aaron Landry, and I approve this message.
    2. Re:Aaaarrrgh! by mister7 · · Score: 1

      Yep, I got redirected to a page here telling me to stop slacking off and get back to work. "Restricted site" as I remember.

    3. Re:Aaaarrrgh! by Icebox · · Score: 1

      Indeed, I think the problem is on their end.

      --
      Icebox
    4. Re:Aaaarrrgh! by zaf · · Score: 1

      Wow, amazingly the site ISN'T blocked by my company. Thankfully, though, this is my last day here, and I'll be moving on to a company that doesn't filter information out.
      HNN's still bein slashdotted, so I can't read the article anyway.. bah

    5. Re:Aaaarrrgh! by mikpos · · Score: 1

      Well I hardly think it counts as "stealing" when the government gives it to you willingly.

      More like "steal it from the people, then give it to the people".

    6. Re:Aaaarrrgh! by Kev+Vance · · Score: 1

      The problem's on both ends. It's completely blocked by the corporate firewall over here, and from home (ah, ssh :) it's unresponsive.

      --
      F0 07 C7 C8
  3. Slashdotted. by sung · · Score: 1

    They were slashdotted by the slashdot effect!

    --
    hlag
  4. uber-virus - yeah right by warez_d00d · · Score: 2

    this exists already. It's called the dumb PR/HR employee, more interested in loveletters from strangers than in network security.
    Sadly they are also the type most likely to grow exponentially as the internet becomes even more KEWL.
    we're doomed *sigh*

    Da Warez D00d

  5. Not really news by Kondoor · · Score: 3

    Basically all these people have done is make a list of the parts of trojans, virii, hacks, that work the best and list some thoughts and figures on what they could do if someone actually spent some time to do a good distribution of a virus using IRC, FTP and user ignorance and then exploit the user ignorance factor to get it to spread like wild fire. It was a good read but not really news, I agree with the post, most any /. reader could come up with the same if they spent a couple minutes thinking about it.

  6. Isn't this, like, old? by Kaa · · Score: 1

    I've read this article at HNN at least half a year ago, maybe more. It's clearly interesting, but is this news?

    Kaa

    --

    Kaa
    Kaa's Law: In any sufficiently large group of people most are idiots.
  7. diversity = increased security? by Jeppe+Salvesen · · Score: 1

    in a networked environment, diversity = more applicable exploits. simple as that.

    --

    Stop the brainwash

  8. Phrack has discussed similar stuff by sTeF · · Score: 2

    in one of the recent phrack releases, an ubervirus with AI capabilities has been discussed, but the phrack website seems to be down at the moment. check it out, it was quite frightening stuff...

    1. Re:Phrack has discussed similar stuff by Wedman · · Score: 1

      But really, who is going to code something like this? I mean, if somebody has the time and know how to do something like create an awesome ubervirus, are they really going to do it?
      ...Wait a minute... I'm forgetting about the Unabomber.

      Anyway, what I was going to say is that it seems that most of these new, terrible viruses are created by people who have some know how, but for the most part, are pretty much idiots.

      It would have to take either a brilliant madman, or a corporate/government sponsored team of bright people to create something like that - not script kiddies and hacker wannabes (not even your typical /.'er). :P Besides, what incentive (I mean really) would these entities have to do so?


    2. Re:Phrack has discussed similar stuff by Peter+Dyck · · Score: 1
      I mean, if somebody has the time and know how to do something like create an awesome ubervirus, are they really going to do it?

      Yes. And why?

      "Why did you do it?"
      "Because I could."

      I still think that is the best and the most honest answer such a person with above average intelligence could give. Boredom and frustration combined with a chance for a worthy intellectual challenge. Add a political or a personal motivation (vengeance against a person/society/human race, for instance) to that and it suddenly becomes very tempting.

    3. Re:Phrack has discussed similar stuff by Wedman · · Score: 1
      ---
      "Why did you do it?" "Because I could." I still think that is the best and the most honest answer such a person with above average intelligence could give. Boredom and frustration combined with a chance for a worthy intellectual challenge. Add a political or a personal motivation (vengeance against a person/society/human race, for instance) to that and it suddenly becomes very tempting.
      ---

      Sure, but creating an ultimate virus with power to kill the internet... Compare that with weapons with the ability of wiping an entire country off the map. That's power that (I hope) people with 'above average intelligence' are smart enough not to mess with. For one, it threatens to destroy something that that person wouldn't want destroyed. Also, how many people would nuke a country simply because 'they could'?

      Yeah baby, that's tempting.

      When someone does something 'because they could', that person is probably not trying to be malicious on that grand of a scale.

      Intelligence and good moral sense grow in relation to each other - unless you're frickin' insane

    4. Re:Phrack has discussed similar stuff by _Marvin_ · · Score: 1

      Call me a freak, but I've been thinking (well, rather phantasizing) about writing that ubervirus.
      And I don't usually consider me an emotionally disturbed person (mind you, that may be why I
      only thought about it and didn't actually do it - it'd take a LOT of time).
      The point is, it's just VERY tempting for some amongst us to get in such a powerful position.
      That person probably wouldn't use it to destroy the internet, however, that example just serves
      to show just HOW powerful that position would be!

      --
      "We won't use guns, we won't use bombs, we'll use the one thing we've got more of and that's our minds" - Pulp
    5. Re:Phrack has discussed similar stuff by Wedman · · Score: 1
      ---
      Call me a freak, but I've been thinking (well, rather phantasizing) about writing that ubervirus.
      ---

      Then bring it on, code boy. Seriously, I'd like to see you try. I believe you'd have the guts to pull something like that off; Oh, and the 'know how' too! Really!

      Well, you know what? I've already coded the blasted thing! Yeah, that's right! However, because I'm such a nice super geek with sooper dooper coding ability with the power to bring the world to its knees...

      ...I've decided to destroy the code so it may never fall into the wrong hands



      Give me a freakin' break...

  9. More social engineering needed in viruses by ajm · · Score: 4

    Ok, people are doing some fine things with Outlook and other tools nowadays in the virus world but I think where they fall down is in the social engineering area :) I don't know whether this is technically feasible and I have no desire to find out (I take no responsibility etc....)

    Let's say the point of the virus is not to physically disrupt the mail system, but to mentally disrupt it. People should be afraid to open mail messages, and disbelieve the ones they do open, rather than have the mail server crash.

    So, step one is to send out the messages gradually so that people don't realise immediately that something is wrong. You don't want to make people wary at the beginning. After some interval when you've infected enough machines, then go for the full virus crash.

    Step two is to vary the subject. One way would be by making the subject be Re: of something already in the mailbox from the person you are sending the current message to. Make all others that you can't find messages to reply to start with Fwd:.

    Step three is to look in the mailbox to see if you can find an administrator of some sort. Look for system administrator or something similar in the title, or look for membership of the admin group or similar. If you manage to get on an administrator's machine then send out a virus alert message to everyone in the address book. Include in the alert a copy of the virus with instructions to double click to disinfect the machine. If you are not on an administrator's machine then send to one or two people in the address book a message that says in the subject Fwd: Virus loose (from admin name here) to see if you can fool people that way.

    Anyway don't try any of the above because they probably don't work, and I certainly don't want to be responsible if it does. I'd guess this is the sort of stuff that a professional/governmental virus would try to do. If you were China (for example) and wanted to disrupt email in the US (why I don't know) social engineering to produce a lack of trust in the system is more likely to be successful and effective than the sort of spam attacks we've been seeing lately.

    1. Re:More social engineering needed in viruses by Xzzy · · Score: 2

      The problem with this: People are stupid.

      I can't recall how many times people at my workplace (and at least one other; I could relate stories of one friend who suffers the same problems) CONTINUE to open up those damn Melissa-derivative virus emails. They'll even open different copies of the SAME virus.. multiple times!

      I tell them "if you see an email with a .vbs attachment in it, don't open it." What do they do? They open it. I tell them how to turn off the scripting foo that runs these scripts. What do they do? They ignore it.

      Basically, the ignorance of users would undermine any of the deviousness of your stated plan; it's too complicated for them.

      The only way to get the attention of a luser is to beat them over the head with something. Erase their hard drive, and THEN they start to wake up. It's not their problem until they suffer data loss.
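The advice in the comment above (do not open mail with a .vbs attachment) can be enforced at the mail gateway instead of being left to each user. The following is an added example, not part of the original thread: the extension lists, function names and sample messages are assumptions constructed for illustration.

```python
"""Gateway-side attachment check (added example; lists and names are assumptions)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script/executable extensions a gateway would quarantine (illustrative, not exhaustive).
BLOCKED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                ".exe", ".scr", ".pif", ".bat", ".com"}
# Harmless-looking extensions commonly placed in front of the real one.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}


def inspect_attachment(filename, content_type):
    """Return the reasons (possibly none) for quarantining one attachment."""
    reasons = []
    # Windows ignores trailing dots and spaces, so normalise before checking.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return reasons
    final = "." + parts[-1]
    if final not in BLOCKED_EXTS:
        return reasons
    reasons.append(f"blocked extension {final}")
    # "notes.txt.vbs" shows as "notes.txt" when known extensions are hidden.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        reasons.append(f"double extension .{parts[-2]}{final}")
    # A script declared as plain text or an image is a mislabelled part.
    if content_type == "text/plain" or content_type.startswith("image/"):
        reasons.append(f"declared type {content_type} does not match {final}")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message and map each flagged filename to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        filename = part.get_filename()  # also decodes RFC 2231 encoded names
        if not filename:
            continue
        reasons = inspect_attachment(filename, part.get_content_type())
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample(subject, filename, as_text):
    """Build a constructed test message with a single attachment."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("See attached.")
    if as_text:
        # Attached as text/plain, whatever the filename claims.
        m.add_attachment("constructed body", subtype="plain", filename=filename)
    else:
        m.add_attachment(b"constructed payload", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: a fake "virus alert" with a program attached, a reply
# carrying a disguised script, and an ordinary text attachment.
SAMPLES = [
    build_sample("Fwd: Virus alert", "disinfect.exe", as_text=False),
    build_sample("Re: quarterly numbers", "notes.txt.vbs", as_text=True),
    build_sample("Re: minutes", "minutes.txt", as_text=True),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        subject = message_from_bytes(raw, policy=policy.default)["Subject"]
        verdict = scan_message(raw)
        print(subject, "->", verdict if verdict else "deliver")
```

The check looks only at the filename and declared type, so it complements content scanning rather than replacing it.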

    2. Re:More social engineering needed in viruses by 11223 · · Score: 3
      Exactly - most current virii are doing a piss-poor job of social engineering. You could even make a .exe virus, with the proper engineering - simply have it pass itself along as a "Virus alert", describing some (made-up) worm, and then instruct the user to run the disinfector - voila! Instant dumb-user virus.

      Ever notice how most current worms aren't even in the best English? It seems that nobody in the US is writing worms, and so we get people with a bad knowledge of the language trying to fool people into clicking on the stuff.

      Hey, where's the "This is more informative" link-trap?

    3. Re:More social engineering needed in viruses by nstenz · · Score: 1

      For those people who are too stupid to listen to advice about those .VBS attachments, just write a little batch file or short program to rename their 'wscript.exe' (for Win98), or whatever the DLL used for scripting in Win95 is... Of course, if they're going to be stupid and open anything after you tell them not to, they're probably not going to open something from you... but you can try. There's probably a better chance of them opening it if you spoof the e-mail address to make it look like it's coming from one of their friends though... no one in the corporate world seems to give a shit what the sysadmin says, but that latest chain letter is vitally important to them.

      BTW... If you think work is bad, try dealing with 2 younger siblings... and parents who would go nuts if their kids started bitching because the computer wouldn't let them open any .EXE attachments... "But my friend so-and-so can open them! WAAAAAAAA!" Just shoot me now...

    4. Re:More social engineering needed in viruses by 11223 · · Score: 1
      Well, that's just fine for you, because you think about it, but I'm trying to get to the newbie moderators who just leave their settings on defaults - which are usually set to 'Highest Scores First' in an effort to see, well, the comments that are scored highest - and that's exactly what they're looking at when they moderate. That's why so many points are wasted unnecesarily (sp?!?) pushing +3 comments to +5 instead of finding comments at 1 that should be a +3.

      </offtopic rant>

    5. Re:More social engineering needed in viruses by slycer · · Score: 1

      Bah..
      I work for a large (30,000+) company on the help desk. Believe me, the majority of people are scared to open their mail as is, once we get the warnings out anyways.. next bunch of calls are people wanting to know whether they can even open mail.. and don't get me started on the godamned chain letters that warn about viruses.

      People are too stupid to be scared by anything subtle. Just having a title of "I Love you" (or whatever it was) is enough to get most people to open it, and after that they don't touch the mail for at least a couple of days.

    6. Re:More social engineering needed in viruses by _Marvin_ · · Score: 1

      That's "sentence", not "sentance", stupid.

      --
      "We won't use guns, we won't use bombs, we'll use the one thing we've got more of and that's our minds" - Pulp
  10. AOL to the rescue! by dmccarty · · Score: 3

    Don't worry! As soon as the virus/worm starts to spread we'll all be inundated with "DON'T OPEN [MELISSA/STACY/LISA/BELINDA] IT WILL ERASE YOUR COMPUTER!!!1!!" emails, which will spread faster than the worm itself.

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  11. Slashdotted? by cornette · · Score: 1

    I'm getting no response from the server.
    That was fast.

  12. how many supervirii are out there already? by axel+from+afkmn · · Score: 2
    i work for teh it at my university, and it seems liek every week there is teh ms outlook virus that uses built in vb scripting and teh gaping security flaws in windows to spread across the world in a matter of days. most of these do silly little things, and are easily detected because of it. what happens when some cracker decides to use these same old tricks to write a virus that spreads by ms outlook, but hides itself from detection and does something really really evil at a future preset date? how many virii like that are out there? care to venture a guess? ok bye.

    loev,

    --

    Axel
    mhm23x3, alt.fan.karl-malden.nose

    1. Re:how many supervirii are out there already? by Anonymous Coward · · Score: 1

      Nobody is doing this or we would have already witnessed a disruption. It would not be difficult for a really dedicated team to wreak havoc as you indicate, but unfortunately those with the talent are not inclined to use it to cause trouble for others.

      That is too bad because a war really is being waged by MS against the rest of the computing world. I consider it perfectly fair to counter with virii and trojans that are designed to disrupt MS networks and systems.

      To take it a step further, a really dedicated engineer could design a virus/trojan that speaks directly to the hardware (since almost all MS systems run only on x86) and cause rapid thrashing of the hard disk while also turning off the fans and sensors which monitor temperature. These would cause the boards to melt and possibly cause fires as well. Well, that could have serious, possibly fatal, consequences for persons nearby or who depend on the systems affected for critical services.

      It seems that these kinds of attacks are not being done for the same reasons that people don't start nuclear wars. Fear of retaliation and also very few persons are motivated to really be that destructive, even in terrorist organizations. It is one thing to think about it and quite another to follow through.

      However, if it comes down to a guerilla war of individualism against corporatism, which is a real possibility, these kinds of destructive attacks will become quite common, and also the penalties for getting caught will be severe. Possible death sentences are likely. When and if people who had high hopes for freedom and free enterprise on the internet feel that their freedom to even access the internet (and other systems) is in imminent danger of being taken away, then a real guerilla war is on, just like in the cyberpunk novels. We could all become involved and forced to choose sides whether we want to become involved or not.

      Nothing like a little drama...

    2. Re:how many supervirii are out there already? by DavidOgg · · Score: 1

      Do chills go up anyone else's spine when you see someone use the word "teh"?

      --
      Fear the government that fears your guns. Fear the government that fears your computers. Remove them from my email.
    3. Re:how many supervirii are out there already? by DavidOgg · · Score: 1

      May I axe you why? nm

      --
      Fear the government that fears your guns. Fear the government that fears your computers. Remove them from my email.
  13. waiting for... by GungaDan · · Score: 1

    Instantaneously slashdotted. Now get back to work already so I can read it.

    --
    Eloi are stupid, throw morlocks at them!
  14. Research being done? by FascDot+Killed+My+Pr · · Score: 2

    Is any research being done to compare computer virus/security hole propagation patterns? I'm sure the CDC (that's "center for disease control", not "cult of the dead cow") would have a lot of useful input on this "ubervirus" problem.

    I'm not an expert so I'm not going to try to defend the following statement, I'm just going to make it. I recently finished "Chaos" by James Gleick. He mentioned that one of the places you can find chaotic behavior was in the spread of an epidemic. In fact, efforts to step up vaccination (and other disease prevention techniques) actually caused an increase in the rate of infection (sometimes and short- to mid-term). Apparently this has something to do with perturbing an oscillating phenomena.

    I bring this up as a warning to those who think we should all immediately rush out and start locking things down. We might make it worse if we do. I know this statement sounds ridiculous--I'm just saying that maybe we should slow down and think before rushing off to act. Do the research, ask the questions.
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Research being done? by Luminous · · Score: 1
      I bring this up as a warning to those who think we should all immediately rush out and start locking things down. We might make it worse if we do. I know this statement sounds ridiculous--I'm just saying that maybe we should slow down and think before rushing off to act. Do the research, ask the questions.

      I strongly concur with this statement and it doesn't sound ridiculous to me at all. I cannot speak to the 'perturbing an oscillating phenomena' or even any underlying chaos theory. What I can speak to is how my parents, brothers, and sisters would react to the situation.

      Once they start hearing about new improved virii filters, improved protection from viral infections, they will stop taking the extra precautions they take now. Their confidence in the system will be increased without just cause. That is when they start downloading any ol' thing, not paying attention to what is being sent to them, and the like. Virii that aren't caught by traps and other protections suddenly run rampant.

      There is no panacea. We need to progress slowly, fully aware that we might miss something. I'm a paranoid user and I still got nailed by a Trojan Horse once. It was all my fault because it could have been easily avoided, but I felt confident in my 'virus protocol' to protect me. Too bad I failed to update the software for that month.

      --
      This is not the way to build a lasting empire.
    2. Re:Research being done? by roystgnr · · Score: 2

      I'm sure the CDC (that's "center for disease control", not "cult of the dead cow") would have a lot of useful input on this "ubervirus" problem.

      Not to knock the Center for Disease Control, but I think the other CDC would have a lot more useful input. In real life, "ubervirii" can't download DLLs with new 'sploits off the net, can't insert trojan kernel modules or wrapper DLLs to hide their own existence (Ok, I guess there are analogies for that), and can't insert a remote "backdoor" into your brainstem for the biowarfare script kiddies to play with.

      At least, I hope they can't...

    3. Re:Research being done? by gordon_schumway · · Score: 1
      Certainly knowledge about viruses spreading in (non-cyber) populations has application to viruses spreading in the cyber-world. For example, there are two keys to effective viruses: infectiousness and latency.

      A large latency period caused HIV to really take off (because people didn't know they had HIV much less that they were spreading it). In contrast, Ebola is horribly infectious but has almost no latency period (a few days) and so every "outbreak" of ebola has been confined to villages.

      I think this also makes sense in the computer virus world.

      --

      Ha! I kill me!

  15. Can anyone mirror it? by jjr · · Score: 1

    Can someone mirror this website please

  16. Shades of Shockwave Rider by georgeha · · Score: 3

    Brunner describes a similar scheme in Shockwave Rider, way back in 1975.

    Nick Halflinger (an uberhacker who can crack a system using a touchtone phone) travels the world coding a giant worm designed to be launched as a simultaneous, distributed attack from hundreds of different computers, quaintly visiting each site in person.

    Portions of the head of the worm are used for replication, other parts are used to detect and deter anti-virus attempts, the middle part breaks into secret archives, and the tail is the contents of the secret archives.

    I can't recommend this book highly enough.

    George

    1. Re:Shades of Shockwave Rider by AstroJetson · · Score: 1

      1. Ohhh, the bats are busy today. In what way was this post OT? Everytime I use my last mod point I see something like this. Stoopid, crack-smoking moderators....

      2. Funny you should bring this up. I just finished the book for the second time. I originally read it just after it came out (c. 1977, or so). I was surprised at how much of it I mis-remembered. I had the basic plot about right (just as you've outlined it), but many of the details I totally garbled. Damn memory...second thing that goes, eh? Anyway, it's a great read; I recommend it highly.

      --
      Admit nothing, deny everything and make counter-accusations.
  17. Virus = 1st real a-life? by exploder · · Score: 3

    Most (computer) viruses today are created with malicious intent. When you are infected, you know it. I was thinking the other day that if a virus were to arise "organically", i.e. not designed (or alternatively, mutated from a designed virus), that its best chance at survival is the exact opposite of what most viruses do. The best strategy would be to lie low, staying as much out of sight as possible, and continue reproducing when possible. Has a virus like this been seen? If so, then I wonder how many more have not been seen?

    --
    Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD
    1. Re:Virus = 1st real a-life? by Brew+Bird · · Score: 1

      It's called Windows, you may have heard of it? It spreads in a most insidious fashion, by using truly awe inspiring social engineering techniques to quietly invest all PCs that must share documents between themselves...

      The ultimate stealth virus. and people are even making money off it! One could argue that windows is not a virus because it is not self replicating, but I would say that it _is_ self replicating, just not via an electronic means.

    2. Re:Virus = 1st real a-life? by stevey · · Score: 1

      That was always one of the big "debates" .. back in the x86 assembly languages viruses:

      Back then there were two types of virus:

      • Fast Spreaders, which would try to spread themselves around rapidly. eg. Every time an infected program was run it would attempt to infect, say, 3 other programs.
      • Slow Spreaders, which would only try to infect another file, say, every other day.

      The fast spreaders were more prolific, but they did tend to get spotted more quickly. If I was the virus writing type of person I'd write a slow spreading one.


      Steve
      ---
    3. Re:Virus = 1st real a-life? by randombit · · Score: 1

      The best strategy would be to lie low, staying as much out of sight as possible, and continue reproducing when possible.

      And, if the writer was of malicious intent, wait a month (or whatever), then do a low level format of all local disks on a Sunday at 4 in the morning. Be interesting to wake up one morning and find out a third or half of all computers worldwide got wiped. Especially if it spread via multiple methods (ie, Outlook bugs, trojaned EXEs [little games or whatever], etc, and each method knew how to spread the others) - ie, someone downloads a trojan, and then when the next time they run Outlook it starts spreading itself through that, mailing itself to others. And polymorphic behaviour (ie, choosing from a few dozen different subjects/messages, not just "I LOVE YOU") would reduce the chance of discovery, giving it a chance to spread before detonating.

      And if the writer took a few psych classes (or has a gift for social engineering), oh, man, we'd be _so_ fscked. :)

    4. Re:Virus = 1st real a-life? by Pentagram · · Score: 1

      Sure, why not? After all, that's pretty much how viruses evolved in real life after all. The only difference is that mutation in electronic systems tend to be pretty small. I wouldn't be surprised if a few of the more simple viruses around were born in this way.

      And once you have viruses evolving, why can't they develop and exchange genes before evolving into higher beings and taking over the world? :) Sounds like a decent sci-fi film!

    5. Re:Virus = 1st real a-life? by exploder · · Score: 1

      wait a month (or whatever), then do a low level format of all local disks on a Sunday at 4 in the morning

      Aargh! What is it about computer viruses and malicious intent? It seems that they are inseparable. This is exactly the opposite of what I'm talking about. Format somebody's disk and you'll have the antivirus software after you before long. I'm wondering how long and how well a virus could survive and spread if those were its only goals. And especially if there were some mechanism for communication between different instances of the virus, you might see some very interesting results.

      --
      Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD
    6. Re:Virus = 1st real a-life? by DrEldarion · · Score: 2

      One could argue that windows is not a virus

      Reminds me of an old tagline from the days of QWKmail:

      Windows is not a virus. Viruses do something.

      -- Dr. Eldarion --

    7. Re:Virus = 1st real a-life? by randombit · · Score: 1

      I'm wondering how long and how well a virus could survive and spread if those were its only goals.

      If it really has no purpose, who cares? Except for curiosity, which IMHO is not worth the trouble of risking jail time (after all, you are probably still violating any virus-writing laws). And if they tried to communicate with each other I'm sure they would be found out quickly, as that matches the pattern of a DDOS system.

    8. Re:Virus = 1st real a-life? by Sodium+Attack · · Score: 1
      Excellent point, especially considering the analogy to biological viruses:

      Ebola virus is quite deadly, but kills in a matter of a few days. It may wipe out an entire village, but doesn't spread beyond that because it killed all its hosts too quickly.

      HIV is also quite deadly, but it takes 10 or more years to kill. Despite the fact that it's relatively hard to transmit (compared to most other viruses), there's tens of millions of people infected with HIV. It has plenty of time to spread itself to other hosts.

      --

      Never take moderation advice from sigs, including this one.

    9. Re:Virus = 1st real a-life? by Zan+Zu+from+Eridu · · Score: 1
      And if they tried to communicate with each other I'm sure they would be found out quickly, as that matches the pattern of a DDOS system.

      There are several ways of communication. What about a virus/worm that just tries to infect programs/systems, but when it successfully infects a program/system, it searches for other copies of itself within that program/system, and exchanges data with them. Next, new copies of the virus/worm are sent out with the new data.

      If we use a genetic algorithm, the data would be the "genome", and we would have viruses/worms not only changing each generation, but actually evolving into more effective ones (from the viewpoint of the virus/worm), spreading information by "mating".
      -><-
      Grand Reverence Zan Zu, AB, DD, KSC

    10. Re:Virus = 1st real a-life? by KjetilK · · Score: 1

      Yep. What I don't understand is that people are actually worried about viruses (or rather trojans), they should be concerned about the mechanisms that let them thrive. I mean, a trojan that attacks randomly and with a lot of kaboom is going to make people aware of it and act against it. A trojan for e.g. industrial espionage may use the same methods as e.g. the love-trojan to infect computers and make them send e-mail with sensitive information. E.g., spread a virus to Wall Street with a script that makes Excel send you (or just put it open on the web) the latest spreadsheets from everybody's computers. Silently. I'm not too into it, but I would be surprised if it couldn't be done. If it can be done, that's what they should be worried about.

      --
      Employee of Inrupt, Project Release Manager and Community Manager for Solid
    11. Re:Virus = 1st real a-life? by exploder · · Score: 1

      Exactly what I'm getting at. Fascinating prospect, isn't it?

      --
      Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD
    12. Re:Virus = 1st real a-life? by Zan+Zu+from+Eridu · · Score: 1
      Fascinating? Yes. Dangerous? Very.

      What is there to keep the virus/worm from evolving in such a way that it would no longer lay low (read: become more damaging)? Even a "harmless" virus/worm causes damage by using up resources like disk space, memory, cpu time and bandwidth.

      If it started out as a stealth-type, using minimal resources, chances are it would get nasty rather late in its evolution. It would evolve rather slowly until there were enough infected "victims" to speed up the breeding/mating process. Once this happened, our little critters would evolve to take advantage of their "power in numbers" in no time.
      -><-
      Grand Reverence Zan Zu, AB, DD, KSC

    13. Re:Virus = 1st real a-life? by exploder · · Score: 1

      Could it be that it's only a matter of time until what you describe happens?

      --
      Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD
    14. Re:Virus = 1st real a-life? by Zan+Zu+from+Eridu · · Score: 1
      It would be really hard to code such a virus/worm. You would need some kind of virtual machine (within the v/w itself) to run the "genome" on. Then you'd probably have to emulate that VM within the "genome" code, or build a more expressive VM in "genome" code. (Building a 2nd VM that is able to evolve might be very clever or eternally stupid, I'm not sure). Next you'd "genome" code the v/w itself to run on that 2nd VM.

      It may sound simple, but designing this would be very difficult. The main problem I see is what functionality to put in the VMs and what in the v/w code. Put too much in the VMs and it won't evolve much, or in repeating patterns. Put too much in the v/w code and it will produce mainly freaks.

      All in all a gigantic effort, I don't think we will see anything like this soon.
      -><-
      Grand Reverence Zan Zu, AB, DD, KSC

  18. Das Uebervirus by blueg3 · · Score: 3

    Oh, sure, it seems all-powerful, but doesn't it still suffer from the same problems that plague other worms? Namely, you have to a) be running an insecure system or b) be a sucker.

    I'd like to think that most people don't use the dummy settings of Outlook (or even use it at all), and that they scan files they download for viruses, and that they don't blindly accept (or auto-accept) DCC sends.

    Of course, I also think the susceptible masses don't really use IRC anyway. Now, if the virus could infiltrate various Instant Messenger networks...

    I guess it would be nice to think that worm viruses shouldn't work, but as we all know, this is not the case. So, I'll just sit here with my Mac, running Eudora, and wait for this new worm to come out, as it inevitably will, and not affect me.

    1. Re:Das Uebervirus by deefer · · Score: 1
      So, I'll just sit here with my Mac, running Eudora, and wait for this new worm to come out, as it inevitably will, and not affect me.
      Whilst it may not _directly_ affect you, don't you think your internet connection & mail delivery will be a tad slower, as a virus emails itself 2000 times from each infected machine, simultaneously? Routers, switches, firewalls... A certain sort of virus could, in effect, be aimed at one whole massive DoS, and not targeted at any particular site/piece of hardware. The fact is, if a massive net intensive virus decided at one point to start generating internet traffic internationally, with enough infected machines, you'd be lucky to see the internet again for at least a week...

      --

      Strong data typing is for those with weak minds.

    2. Re:Das Uebervirus by Cedric+C.+Girouard · · Score: 1
      So, I'll just sit here with my Mac, running Eudora, and wait for this new worm to come out, as it inevitably will, and not affect me.

      You say it will not affect you? I can tell you it will. If some or all of the recipients you are usually mailing to are infected. This reduces your efficiency at work, therefore affects you, and costs the company paying you in lost labor.

      We all get affected to some level, infected or not.

      --

      Marriage is considered capital punishment for the theft of a goat in some third world countries...

    3. Re:Das Uebervirus by blueg3 · · Score: 1

      I suppose. Fortunately, our network here at Clemson is relatively secure and almost completely Eudora-based. We also try to have relatively decent user awareness, and the computing department may even go as far as to identify and filter out e-mails that are known to contain viruses (before the user can receive them). With all of the worms recently, I can't recall a single problem on campus. (In fact, I don't think I ever received one copy of the Melissa, Happy99, or I Love You worms.)

    4. Re:Das Uebervirus by tbo · · Score: 2

      I've always wondered why Mac users get so goddamned high-and-mighty about email viruses. Macs are NOT immune to email viruses, just the current batch of Windows-centric ones. I, or anyone else experienced with AppleScript, could write an email virus that would duplicate most of the features of Melissa, I-Love-You, or other email viruses. Outlook Express, Eudora, and Claris Emailer are all scriptable.

      It's true that Mac users would probably have to decompress the attached virus and then double-click it, but that could easily be accomplished through basic social engineering. Also, there wouldn't be a file extension to give away the fact it was a script... (Just call it Pamela.jpg and give it a custom icon).

      About the only thing the Mac really has going for it to prevent such a catastrophe is a smaller userbase.

      If I was going to create a virus (which I'm not--I'm not evil, but it's fun thinking about it), it would parse IE's preferences to get your home address (from AutoFill), and use it to order pizza for you from Pizza Hut's online ordering site. With anchovies.

    5. Re:Das Uebervirus by lucius · · Score: 1

      If I was going to create a virus (which I'm not--I'm not evil, but it's fun thinking about it), it would parse IE's preferences to get your home address (from AutoFill), and use it to order pizza for you from Pizza Hut's online ordering site. With anchovies.

      anchovies???

      you evil bastard!!

    6. Re:Das Uebervirus by blueg3 · · Score: 1

      Well, Macs typically have fewer security holes than Windows. There have been a number of Mac viruses out, really -- but these days people are targeting the sucker programs that will let them run scripts without the user knowing and then cause all sorts of fun bad things to happen.

      Although it certainly would be possible to run said AppleScript, it would be pretty obvious that this was going on, if you were paying attention, and a number of more devastating actions are non-scriptable (although you could use the script to decode and run a second attachment).

      Really, it does all come down to social engineering -- as does pretty much every other scam on the books. It just so happens that most of these suckers also use Windows and Outlook -- because they come with the computer that everyone else uses.

  19. Killer Net Virus Can Happen Anytime by Carnage4Life · · Score: 4

    A killer net virus that would destroy the Net as we know it has been very easily in reach once the majority of computers on the Internet became homogenized Windows//MSFT Office//Outlook boxes.

    Whenever I read about a Melissa or an I Love You I smile to myself and think "I would have trashed their hard drives after spamming myself to all their friends." If Melissa or I Love You hadn't been content with simply bogging down net servers and had decided to set the file length of all .doc, .xls, .sys, .bat, .dll, .html and .jar to 0, I am sure corporations would probably be fuming about Trillions of dollars in irreparable damages (after all how much stuff is actually backed up or centrally stored in a Windows world).

    In my opinion the article is overkill, a virus doesn't have to be particularly clever or well designed to cause havoc anymore thanks to the beauty of MSFT operating systems. Any script kiddie or MSCE with a passable knowledge of Virus Building Script can bring it all toppling down.

    Of course, none of us will ever do it because we know it would do so much damage to the 'Net (government would step in hard) and also hurt many of us financially in some indirect way.


    WHY C SUCKS
    -----------
    int i =0;
    i = i + 1;

    1. Re:Killer Net Virus Can Happen Anytime by Jetifi · · Score: 1

      If I had written ILOVEYOU, it would have sent out copies of itself with the recipients' first name (from Outlook address book) as well, and reply to all e-mails in the inbox with "re:" + subject + something else.

    2. Re:Killer Net Virus Can Happen Anytime by cybercuzco · · Score: 1
      A bit OT, but you mention that any MSCE could create such a virus. An ad has been running in my area (DC) about computer training courses to become MSCE. The best line in the ad is "No computer knowledge required", which pretty much says it all ;-)

    3. Re:Killer Net Virus Can Happen Anytime by Captain+Derivative · · Score: 1

      In my opinion the article is overkill, a virus doesn't have to be particularly clever or well designed to cause havoc anymore thanks to the beauty of MSFT operating systems. Any script kiddie or MSCE with a passable knowledge of Virus Building Script can bring it all toppling down.

      <SARCASM>Yes! Since Microsoft has scripting support in their OS, that means they're to blame for script viruses! How dare they have scripts that run under Windows! Wait a minute...doesn't Linux also support scripts? Never mind that -- more MS bashing!</SARCASM>

      But seriously (read before moderating this as Troll or Flamebait), the reason that the e-mail script viruses we've seen all attack MS Outlook isn't because of how terrible Windows is. It's because most computers run Windows! They're targeted just because they're more common! If you wanted to write a malicious virus, would you target at a rarely-used platform or the most common?

      Like I said in the rant section of this post, Linux also allows scripts to be run. If Linux were to suddenly have 90% market saturation after MS is (finally!) broken up, we'd start seeing script kiddies targeting Linux users. So maybe they won't be e-mail viruses, but there's always r00tkits and other methods.

      Sure, I hate Microsoft as much as the next guy, but this is ridiculous. But I guess since Microsoft == evil, we on /. must always blame them 100% when someone uses Windows's capabilities maliciously.


      --
      "Better dead than smeg."

      --
      The real Captain Derivative has a Slashdot ID.

    4. Re:Killer Net Virus Can Happen Anytime by Carnage4Life · · Score: 2

      But seriously (read before moderating this as Troll or Flamebait), the reason that the e-mail script viruses we've seen all attack MS Outlook isn't because of how terrible Windows is. It's because most computers run Windows! They're targeted just because they're more common! If you wanted to write a malicious virus, would you target at a rarely-used platform or the most common?

      Obviously you do not have a *nix background. In Unixland there is this concept called security which implies that a user's email program would never be able to run as root. It is ludicrous to think that a script in an email can modify your registry... were the Outlook team drunk when they designed Outlook without any sort of sandbox?


      WHY C SUCKS
      -----------
      int i =0;
      i = i + 1;

    5. Re:Killer Net Virus Can Happen Anytime by pb · · Score: 1

      Um... no.

      Because Microsoft has no real *security* for their scripts, writes programs that can run them automatically when sent over e-mail, and refuses to fix the issue... Well, it's like running all your mail servers with Sendmail 4, and having everyone tell you there isn't really a problem.

      E-mail script viruses target Outlook because it is an easy target. If it wasn't so easy to exploit, less people would do it. Have you seen the source to ILOVEYOU? It's childish! I wrote trivial file-system crap like that in BASIC, that just called system commands. At least back then it didn't operate transparently over networks, though.

      Of course Linux allows scripts to be run. But not automatically upon receipt over e-mail. Also, every user is not root under Linux, as is the case on Windows '95/'98/whatever.

      I hate Microsoft because they foist bad software on people and refuse to fix it. They need to rewrite the Windows security model completely, and admit their mistake with Macros that they've been hiding since Word 6. Before Word 6, there was no such thing as a Macro virus; the GoodTimes Virus used to be a joke, but Microsoft made it a reality.

      Therefore, please moderate the parent post as either "Troll", or "Clueless", or reply explaining to me what he said that was actually correct.

      --
      pb Reply or e-mail; don't vaguely moderate.
    6. Re:Killer Net Virus Can Happen Anytime by tietokone-olmi · · Score: 1
      A killer net virus that would destroy the Net as we know it has been very easily in reach once the majority of computers on the Internet became homogenized Windows//MSFT Office//Outlook boxes.

      No no no no. It wouldn't destroy the 'net as we know it; the 'net as we know it still doesn't run on microshit/outhouse. Never will, either.

      The virus would only wipe out the least fit (i.e. microshaft/outhouse users), which is actually fine with me.

    7. Re:Killer Net Virus Can Happen Anytime by pnkfelix · · Score: 2

      You missed the point of Captain Derivative's post.

      Unix is not immune to viruses. Check out Communications of the ACM 32, 6 (June 1989) pages 678-687.

      The article dissects an Internet Worm from 1988 that spread across the Internet infecting Sun 3 and VAX machines running BSD 4.

      The point that Captain Derivative is making is that Windows is the most popular platform at this point and therefore the ideal target for exploiting security flaws.

      Yes, the flaws that exist there are braindead, but there are plenty of even less secure operating systems in existence; why not target them? Because it would be pointless, they aren't POPULAR.

      Unix programs still have plenty of security flaws. They aren't targeted as much because there's less bang for the buck in doing that.

      --
      arvind rulez
    8. Re:Killer Net Virus Can Happen Anytime by WNight · · Score: 2

      Nor should they worry. If a user deletes their own home directory, it's their choice. If they configure their email client to auto-execute scripts, they deserve it.

      All the admin needs to do is restore from the most recent set of backups. If the user refuses to listen to reason and does the same thing again, the admin still doesn't need to worry, untarring stuff is trivial, much easier than spending ten minutes talking to a clueless user.

      It'd be like if you properly maintained a Windows LAN, a local drive C with just the OS, apps remotely read from the server, and all data stored on a mapped drive D which the server backs up every night. The worst a virus could do would be force you to toss in a network recovery CD, ghost C and restore D from backup. But, few admins do this, I guess MSCEs don't teach practical methods.

    9. Re:Killer Net Virus Can Happen Anytime by Captain+Derivative · · Score: 2

      OK, I'll bite.

      Granted, it is pretty bad how Microsoft's scripting system will let an e-mailed script screw up anything and everything. I'm not disputing that.

      However, you can't blame the OS for everything. In the end, it's the user's fault for running those scripts. It doesn't matter how secure the OS is, if the user is going to do something incredibly stupid to compromise everything. Quick anecdote: where I work, one of the salesmen associated with the company ran the ILOVEYOU virus more than three weeks after all the news reports, warnings, and magazine articles about it! You have to use the security built into the OS for it to do anything.

      And yes, although I am only learning about *nix-type systems, it seems to me you don't have to be logged in as root to do damage. For example, ILOVEYOU didn't screw with any system files. It targeted data files like mp3s and jpegs. Maybe I'm just a newbie, but wouldn't it be possible to delete a user's mp3s and graphics files without logging in as root? It's still destructive, and sure, it doesn't bring the entire system down. But then, ILOVEYOU didn't cripple the computer itself either.

      Here we get back to a clueless user. Of course a networked *nix box will have some decent security on it. But if Joe user buys the latest version of Red Hat Linux and installs it on his machine, what's stopping him from always logging in as root? Sure it's a terrible idea, but he doesn't know that. For him, it lets him get into Linuxconf more easily, and it's the only way he knows how to mount his Windows volume. (OK, he's not a complete idiot, but being fresh from Windows, he isn't familiar with system security procedures.)

      Obviously, a script kiddie will choose the path of least resistance if he wants to damage a nameless person's computer. If Windows is the most open to attack, he'll use VBScript. But like I believe I mentioned before, script kiddies use r00tkits to hack into *nix machines, and they have about the same level of expertise as it takes to find a VBScript virus and send that.

      Finally, I know Linux mail programs don't allow scripts to run as root. But last time I checked, viruses existed before MS Outlook became the norm under Windows. VBScript might make them easier to write, but when that disappears, they'll target a less insecure platform.

      In conclusion, although Microsoft might^H^H^H^H OK, does make it easier for viruses to enter a system, you can't blame them for the entire problem. Someone still has to create the thing (no matter how easy or unsophisticated it is), and the user still has to run the script. My original post was in response to the dozen or so posts that did little more than say "It's all Microsoft's fault!" That's a sure-fire way to getting lax about safeguarding other platforms.


      --
      "Better dead than smeg."

      --
      The real Captain Derivative has a Slashdot ID.

    10. Re:Killer Net Virus Can Happen Anytime by Quietust · · Score: 1
      They need to rewrite the Windows security model completely, and admit their mistake with Macros that they've been hiding since Word 6
      I'm no expert, but I believe this is one of the ideas behind Windows NT. File system security in NT, as I have observed, is similar to that of Linux, so you would have to be logged in as Administrator in order to trash the system (or have a virus do it for you).
      The network, however, is a different story. And I do not believe Outlook needs administrator access to copy itself to network drives with full write access and email itself to everyone in your address book, though ILOVEYOU would only end up renaming/trashing YOUR files rather than everyone else's (as well as the system's).

      --
      Your friendly neighborhood mIRC scripter.
      if (ismoderator(reader)) hidemessage(this);
      --
      * Q
      P.S. If you don't get this note, let me know and I'll write you another.
    11. Re:Killer Net Virus Can Happen Anytime by Jeppe+Salvesen · · Score: 1

      Once code is actually executed (even in userspace), the number of possible exploits is multiplied by a factor of a lot. So - Linux is not that invulnerable. Luckily, it's actually tricky to activate a trojan in Linux. I think that's the real Linux user-level security model - make it harder to install new binaries.

      --

      Stop the brainwash

    12. Re:Killer Net Virus Can Happen Anytime by esnible · · Score: 1

      Why stop at truncating all of the files to nil?

      Many corporations do automated network backup. An Uberworm could attempt to start some of the more common backup programs.

      Many admins think they save money by not cycling the tapes very often. I don't know which would be worse: A virus that merely does a backup of empty files, or one that is good at getting itself safely backed up.

    13. Re:Killer Net Virus Can Happen Anytime by Mr.+Barky · · Score: 1

      I'm no expert, but I believe this is one of the ideas behind Windows NT. File system security in NT, as I have observed, is similar to that of Linux, so you would have to be logged in as Administrator in order to trash the system (or have a virus do it for you).

      Although this is strictly true, if you're doing development under NT and installing/uninstalling programs often or modifying system settings you'll realize it is a royal pain to restrict your own access. You need to completely log out, log in as administrator, log out, and log back in as yourself. Personally, I usually have about 10 programs open at a time. This means that I have to quit all those programs, do the admin stuff then open all those programs again. Forget it, I'll just log in as administrator the first time. On average (even if now and then my system gets trashed) I'll spend less time doing stuff.

      Unix does this better. You can just use su in an x-term to quickly change some settings - no need to quit everything else. I've heard that MacOS X will allow you to log in as su when having a control panel open, so you can modify system settings. Again, no need to log out and log back in again.

    14. Re:Killer Net Virus Can Happen Anytime by Twanfox · · Score: 1
      I'm going to relay a little notion here that I had when I was working in a Windows shop. We wanted to implement filesystem security because we were having users (in a school lab environment) install anything they wanted to. It was easy, Windows doesn't prevent any install program from running, not even in NT, not even as a normal user.

      Here's the tricky part. Half the programs that ran on those NT machines went about using their filesystem space very recklessly. Whereas with Unix, if you run a program and it needs config files or such, it writes them from a default world-readable but not world-writable batch into your user's filespace. On Windows, it's a different matter. There's one config file. The system's, unless it's smart enough to write it into the Windows Registry under the user's account. Most aren't, that I've seen.

      However, irregardless of the config files, they'll often create temporary files, or need to write into data directories within the normal program filesystem hierarchy. Can't just mask all programs directories as read-only, it broke the programs. So we had to start from 'more secure' read-only and soften the filesystem. We had to run the programs once, find out what files they created, and either let them write anything into that directory, or 'catch' the file in existence, and lock it as undeletable so the program doesn't have to create a new one each time.

      Needless to say, this became very tedious, and time consuming, and at my last check, it was still not implemented. I changed jobs before it was completed, and this project was months in the works.

      WindowsNT default file creation is for ANY user to be able to read and write to anywhere on the disk, with the caveat that maybe you can't uninstall something because you can't access the system registry settings. NT sets up no userspace, so it must permit C:\ to become a user's homespace, and with it, the ability to write to the disk. I have yet to see a successful filesystem security implementation for WindowsNT (so if someone can point me to one, it'd help).

    15. Re:Killer Net Virus Can Happen Anytime by hardcode · · Score: 1

      > Unix is not immune to viruses. Check out Communications of the ACM 32, 6 (June 1989) pages 678-687

      And a fine article it is too, but since then all the machines that were running the bugged finger and VERY insecure version of sendmail will have been patched (this is *NOT* 100% true I have seen a sendmail 4 box out there).

      > but there are plenty of even less secure operating systems in existence

      WHERE??

      > Unix programs still have plenty of security flaws.

      Agreed, however a decent installer for Linux and a little bit of common sense can result in a box infinitely more secure than anything MS could create.

      It would be interesting to see if the roles of MS and *nix were developed how the scripting would develop on the *nix side and how MS would fight back, do you think they COULD secure NT/98/2000?

      ...lets hope all your doughnuts look like Fannys'...
      - A badly chosen phrase livens up an early BBC cookery programme

    16. Re:Killer Net Virus Can Happen Anytime by hardcode · · Score: 1

      That should be...

      It would be interesting to see if the roles of MS and *nix were reversed how the scripting would develop on the *nix side and how MS would fight back, do you think they COULD secure NT/98/2000?

      hardcode (not enough caffeine yet)

      Punctuality: the virtue of the bored.

    17. Re:Killer Net Virus Can Happen Anytime by pb · · Score: 1

      That's true; ultimately, a stupid user can bypass the best security by clicking on a trojan.

      If you were on Linux, you got a suspicious script, unattached it, didn't read it, and ran it as a user, and it trashed your files, that's it. It trashes all the files owned by that user. (you did make backups, right? ;)

      However, if you ran that same script as root, (analogous to running it under Windows...) it could trash *all* your files.

      If Joe user buys the latest version of RedHat, it will *tell* him to make a user account, and use that to login. No, really. If he doesn't, well, again, that's his fault. If he wants to mount his Windows volume, make sure it's in fstab. Linuxconf should be able to do that. Then it'll be automatic. Or use autofs if you have to... Of course, there is a learning curve associated with jumping into a Unix system for the first time. :)

      I *can* blame Microsoft for all problems to do with Macro viruses. They started it, it was a dumb idea in the first place, and I'm still waiting for an apology. If they had made it more secure, or had never released it, we'd never have this problem. I'm not blaming them for all viruses, or all exploits, just for all Macro viruses. Note how I'm not blaming Sun for Java: they made it secure enough that virus writers aren't really targeting it, as attractive a platform as it may be...

      --
      pb Reply or e-mail; don't vaguely moderate.
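
The ownership argument running through this sub-thread (a script run as an ordinary user can only trash what that user is allowed to write, and directories left writable to everyone widen that) can be measured ahead of time. The following is an added example, not code from any poster: a POSIX-only audit that lists which files under a tree a given uid/gid set could overwrite or unlink, judged from mode bits alone. The function names, the made-up uid and the constructed demo tree are assumptions of this example.

```python
import os
import stat
import tempfile


def class_bits(st, uid, gids):
    """rwx triplet (0-7) the kernel would apply to this uid/gid set.

    Mode bits only: ACLs, capabilities and read-only mounts are ignored.
    """
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def blast_radius(root, uid, gids=frozenset()):
    """List regular files under root that a process running as uid could
    overwrite ("modify") or unlink ("delete"). Paths are relative to root."""
    modify, delete = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        dbits = 7 if uid == 0 else class_bits(dst, uid, gids)
        if not dbits & 1:          # no search (x) bit: nothing below is reachable
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)
            if not stat.S_ISREG(fst.st_mode):
                continue           # symlinks, sockets and devices are out of scope
            rel = os.path.relpath(path, root)
            if uid == 0 or class_bits(fst, uid, gids) & 2:
                modify.append(rel)
            # unlink needs w+x on the parent directory; a sticky parent also
            # requires owning the file or the directory
            sticky_ok = (not dst.st_mode & stat.S_ISVTX) or uid in (fst.st_uid, dst.st_uid)
            if uid == 0 or (dbits & 2 and sticky_ok):
                delete.append(rel)
    return {"modify": sorted(modify), "delete": sorted(delete)}


# Constructed sample layout: (directory, dir mode, file, file mode)
DEMO = [
    ("home", 0o755, "notes.txt", 0o644),      # sane home directory
    ("shared", 0o777, "report.doc", 0o644),   # world-writable dir, no sticky bit
    ("tmp", 0o1777, "scratch", 0o666),        # sticky scratch space
    ("web", 0o775, "index.html", 0o664),      # group-maintained web root
    ("private", 0o700, "key", 0o666),         # sloppy file mode, closed directory
]


def build_demo_tree(root):
    os.chmod(root, 0o755)
    for d, dmode, f, fmode in DEMO:
        full = os.path.join(root, d)
        os.mkdir(full)
        path = os.path.join(full, f)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, fmode)      # chmod explicitly so the umask cannot interfere
        os.chmod(full, dmode)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        st = os.lstat(os.path.join(root, "web"))
        stranger = st.st_uid + 12345   # made-up uid: neither the owner nor root
        outsider = blast_radius(root, stranger)
        webgroup = blast_radius(root, stranger, {st.st_gid})
    return outsider, webgroup


if __name__ == "__main__":
    for label, result in zip(("outsider", "web group member"), demo()):
        print(label, result)
```

In the demo, the world-writable `shared` directory lets an unrelated account delete a file it cannot even edit, while the closed `private` directory protects a file whose own mode is wide open.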
  20. Very scary NOT by Jetifi · · Score: 3

    It's a nice scaremongering document, but the hypothetical worm is a *worm*. We've already been bitten by vbs and StagesA, so the potential for a virus that self-replicates is, IMHO, diminished.

    As for having web-servers which relay instructions/receive data, the 'bot would have to know how to fill out registration forms/upload information, and even then the server would have to have some kind of handshake with the worm, which could be detected by the hosts of the web-site.(i.e. geocities)

    Why not have the server host misc. content, with the instructions embedded in the HTML?

    In any case, is it a good thing to have people publishing design documents for killer virii? The script kiddies which came up with ILOVEYOU weren't smart enough to design something really nasty, and HNN are just providing inspiration, which means they'd be liable in the event such a worm was released.

    1. Re:Very scary NOT by tringstad · · Score: 1

      In any case, is it a good thing to have people publishing design documents for killer virii?

      Isn't that what this post does? Or at the very least, builds on design for killer virii?

      The script kiddies which came up with ILOVEYOU weren't smart enough to design something really nasty,...

      How do you know that the opposite isn't true? Maybe they were smart enough to design something that wasn't really nasty? It certainly wouldn't have taken any amount of programming genius to delete those mp3s/jpgs rather than renaming them. It seems to me that ILOVEYOU was a gentle slap on the wrist, which certainly made a large quantity of the users I know, just the tiniest bit more security aware. Perhaps that was the intent, perhaps it wasn't, but underestimating your opponents has never won a battle.

      ... and HNN are just providing inspiration, which means they'd be liable in the event such a worm was released.

      Maybe we shouldn't post these kind of things, so that we can't debate the implications, or try to find ways to defend our systems before the script kiddies come up with something new. Then of course, people would be saying HNN was liable in the event that they knew such a thing was possible and they kept it to themselves.

      I prefer it the way it is.

      -Tommy

      --
      "I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
  21. So what? by Peter+Dyck · · Score: 1

    But so what? If a supervirus strikes, it will only affect single workstations ("Oh my. Something must be wrong with my Win98...") and shouldn't cripple any of the critical components of the net.

    1. Re:So what? by warez_d00d · · Score: 1

      Tell that to the user support people who have to deal with them "Oh my. Something must be wrong with my Win98..." - problems... :)

      Da Warez D00d

    2. Re:So what? by Peter+Dyck · · Score: 1
      Do businesses do any kind of "vulnerability analysis" of their IT systems?

      I mean, if you're doing business you should have at least some kind of a contingency plan for a partial or even total failure (whatever the reason) of your network connection. Fax, phones and the good old fashioned mail haven't gone anywhere. Use FedEx/UPS/DHL to ship critical documents and data on CD-ROM, DLT-tape or DVD-RAM if necessary. Isolate critical systems from the net physically, maintain a room of backup workstations to keep the priority work going on even in the case of a complete infection of the bulk of the workstations, etc.

      It would be plain silly should a company come to a grinding halt due to a virus, denial of service attack or any net related event.

    3. Re:So what? by Frank+T.+Lofaro+Jr. · · Score: 1

      If a really bad virus attack hits the world at large FedEx, etc may not be able to cope with the extra demand and/or their own problems due to the attack. Something to think about. Hopefully those companies take steps to protect against viruses, but even if they are unscathed, do you think they could handle a 1000% increase in demand? Or more?

      --
      Just because it CAN be done, doesn't mean it should!
    4. Re:So what? by Star*Dot · · Score: 2

      Yes, but i've seen setups where some of the server directories are writable to most users for changing websites etc. So you wouldn't be all that safe as you seem to think.

    5. Re:So what? by DrSkwid · · Score: 1

      ntl nottingham got shut down by ILOVEYOU

      they use NT for their networking

      :_)
      .oO0Oo.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  22. Viruses by deefer · · Score: 5
    I can remember when virus writing used to be _hard_. You had to be a bit 1337 to be able to write a TSR, or a boot block virus.
    Now look at the state of the virus world - ILOVEYOU.vbs (OK, it's a trojan, but still replicates like a virus) and the damage it caused. I'm not talking about the x billion the media claim it cost, just the panic in my IT department when virused email couldn't be deleted fast enough. Look at the code for ILOVEYOU.vbs - it is a doddle. No real inspiration involved - just patch 4 entries out of bugtraq together, and there you go.
    What we have now is a state of play where the entry level in writing malicious code is dropping rapidly as more and more people get into computers. Don't want to spend a few years learning to code? Hah, our whizbang COMActiveXCORBA plugin gives you the power on your desktop!!!
    Don't worry that your soft underbelly is now exposed because we can't give you the ease of use you want, without you knowing what you're doing!!! And you're too stupid to realise!!!
    So now that the learning curve has been removed, you will have people all over the net trying to write and run viruses, without a clue of the repercussions it may cause. Because they don't really understand what they are doing.

    --

    Strong data typing is for those with weak minds.

    1. Re:Viruses by shiftaling · · Score: 1

      yesterday at h2k in nyc there was a great presentation on virus writing (it was academic, not destructive). it was presented by V1RU5 (i don't happen to recall his real name). he basically summed all of this up. i was very impressed with his presentation.

      he outlined the types of viruses (basic stuff) and discussed the progression of virus writing from an actual skill to a 10 minute joke. he also discussed the future of *nix viruses. very informative. very cool guy too.

      --

      the real shiftaling has user number 5134
      Karma: -43 and DROPPING!!!
    2. Re:Viruses by deefer · · Score: 1
      Heh! I remember having some fun based on the fact MSDOS used to execute same-named files in the following order: .bat, .com, then .exe.
      So a directory in which there were 2 files, foo.exe and foo.bat, if you type foo, it would run the .bat by default... Had to run foo.exe to override this... Wonder if NT still carries this? :)

      --

      Strong data typing is for those with weak minds.

    3. Re:Viruses by ucblockhead · · Score: 2

      I just tried it. Under Windows 2000, the order seems to be .exe then .bat.

      --
      The cake is a pie
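A defender's check for the lookup-order behaviour discussed in the two comments above, as an added example that is not part of any poster's comment: it flags same-named files whose extension decides which one a bare command runs. The two orders are the posters' claims as stated, not verified here; the function names and the sample listing are constructed for illustration.

```python
"""Flag same-named files whose extension decides which one a bare command runs."""
import os
from collections import defaultdict

# Lookup orders as stated in the thread (the posters' claims, not verified here).
ORDER_DOS_AS_POSTED = [".bat", ".com", ".exe"]   # deefer's recollection of MS-DOS
ORDER_W2K_AS_POSTED = [".exe", ".bat"]           # ucblockhead's Windows 2000 test


def order_from_pathext(value):
    """Turn a PATHEXT-style string ('.COM;.EXE;.BAT') into a lowercase list."""
    return [ext.strip().lower() for ext in value.split(";") if ext.strip()]


def find_shadowed(filenames, order):
    """Group runnable files by base name; return {stem: (winner, [shadowed, ...])}.

    'winner' is the file a bare command name would resolve to under 'order';
    the shadowed files only run when typed with their extension.
    """
    rank = {ext.lower(): i for i, ext in enumerate(order)}
    groups = defaultdict(list)
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if ext.lower() in rank:
            groups[stem.lower()].append((rank[ext.lower()], name))
    report = {}
    for stem, entries in groups.items():
        if len(entries) > 1:
            entries.sort()  # lowest rank first, i.e. the extension tried first
            report[stem] = (entries[0][1], [name for _, name in entries[1:]])
    return report


def audit_directory(path, order):
    """Run find_shadowed over the regular files of one real directory."""
    names = [n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))]
    return find_shadowed(names, order)


# Constructed sample listing (not taken from any real system).
SAMPLE_LISTING = ["foo.exe", "FOO.BAT", "bar.com", "notes.txt", "setup.exe"]

if __name__ == "__main__":
    for label, order in (("DOS order as posted", ORDER_DOS_AS_POSTED),
                         ("W2K order as posted", ORDER_W2K_AS_POSTED)):
        for stem, (winner, hidden) in find_shadowed(SAMPLE_LISTING, order).items():
            print(f"{label}: '{stem}' runs {winner}, shadows {', '.join(hidden)}")
    # On Windows, the live order comes from the PATHEXT environment variable.
    pathext = os.environ.get("PATHEXT")
    if pathext:
        print(audit_directory(os.getcwd(), order_from_pathext(pathext)))
```

Any pair this reports is worth a look: a script sitting next to a binary of the same name is either a deliberate wrapper or something that should not be there.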
    4. Re:Viruses by Bongo · · Score: 2

      And you're too stupid to realise!!!

      I think the term you were looking for was "uninformed".

      Apart from that though, I have to agree with you. I don't think people should be put in jail for picking up stray banknotes off the bank entrance hall floor. It's the bank managers that need grabbing. Being open to attack from VBS is like the bank leaving its money in the street.

      If this sort of thing keeps happening, we may have to see legislation of 'professional negligence' like you see with doctors, engineers etc.

    5. Re:Viruses by Hard_Code · · Score: 2

      I know early versions of DOS played around with file extensions but if you are talking about batch files then I don't think that's on the same level. Installing interrupt vectors, relocating memory, altering pointers...all very complicated and confusing, at least to me. Perhaps it was because the original design of the x86 was so brain damaged to begin with.

      --

      It's 10 PM. Do you know if you're un-American?
    6. Re:Viruses by subuser · · Score: 1

      the ones who should be held accountable are the ones whose "trusted" programs open up security risks to people running the program as intended. when a massive virus flies who should take the real blame, the ones who made the cheese or the ones who said "this cheese has so many holes it's got to be swiss" and showed everyone else?

    7. Re:Viruses by spezz · · Score: 1
      I'm not pickin' a fight or nothin' but stuff randomly seems to go wrong in databases anyway. Users put in weird crap. There are bugs in the code, or at least artifacts of previous incarnations that cause weird crap to happen. Lots of stuff goes wrong anyway (jeez, I hope it's not just me).

      I agree this would be a nightmare but there are already error trapping (if you will) systems in place that catch input errors (and bugs) and I think these systems would catch such a virus.

      Something that could learn what your controls do and then remap the code (Save button now reformats hard drive). Then I'd buy a nice ranch...out west someplace.

    8. Re:Viruses by bit · · Score: 1
      "I can remember when virus writing used to be _hard_. You had to be a bit 1337 to be able to write a TSR, or a boot block virus."
      "What we have now is a state of play where the entry level in writing malicious code is dropping rapidly as more and more people get into computers."

      And they say computers aren't any easier to use now than some years ago :)

    9. Re:Viruses by Anonymous Coward · · Score: 1

      Install an interrupt vector:
      1) turn off interrupts.
      2) store the address of the old handler.
      3) put the address of your handler in the table.
      4) you're done.

      anyone with a PC internals book can do this.

      "Altering pointers?" have you ever written a line of code in your life?

      writing viruses is a skill on about the same level as writing buffer overrun exploits. all it takes is some basic assembler knowledge and a good debugger.

  23. slashed and dotted by nicky_d · · Score: 1

    Site appears to have baulked. I got as far as page 3, and then drew a blank. Give them air!

  24. /.ed by wishus · · Score: 2

    well, i read the first page before the server evidently got /.ed.. sounds like nothing new to me. ILOVEYOU cost, what, "billions of dollars?"

    people need to quit blindly trusting their computers and the benevolence of other internet users. it's like driving.. you don't have to know how your car works under the hood, but you MUST know how to operate it.

    Computers are the same way. You don't have to know what goes on inside the box, or how the kernel works, but you have to know how to operate your computer, and part of computer operation is security.

    having a computer is a responsibility just like having a car. if you use your computer carelessly, and by doing so your system gets compromised and used to attack other systems, are YOU not responsible for that? Just as if you failed to pay attention at the wheel and killed someone with your car?

    Ignorance is not an excuse for carelessness.

    wish

    ---

  25. Eye-opener? Maybe later. by gunne · · Score: 1

    What I fail to see is how this could be an eye-opener. Within the /. and HNN communities the facts presented in the article should be obvious. Disaster almost happened at least twice already (remember melissa? loveletter?), and the only reason things didn't turn out worse was because of either some kind of empathy and/or bad coding on the virus-programmers' side. Heck, most of us could modify loveletter's code in 5 minutes to make it 10 times more deadly to those windows boxen.
    I know people are going to yell "What disaster? These viruses affect only Micros~1!" but face it, that's where the majority of the money invested in information is.
    I _do_ think that should a larger newsprovider, like cnn, post these facts, albeit 'dumbed down', we would see a genuine eye-opening of the general public, PHB's included.
    That would be something!

  26. How a Ubervirus should work by beebware · · Score: 1
    To work efficiently, the virus would have to be fast spreading. To do this, it's no good delivering its payload straight away - sit on the user's system and send out 1 or 2 messages _per day_, with a timed payload in a month's time. Make the virus metamorphic to help reduce the anti-virus systems and nobody will know they've been infected until umpteen numbers have been distributed and the payload is delivered.

    Oh - it would be better if the virus could cope with as many different platforms as possible.

    An ideal method for 'mass distribution' would be a crack to put it in a MS Website upgrade patch, then release a mini-virus targetting against MS system to 'encourage' people to download the infected patch file. Obviously, you'll probably need someone inside Microsoft, but...


    Richy C.
    --
  27. Uber "Slashdot" Virus by edibleplastic · · Score: 3

    The uber virus already exists!!! Here's how to do it, in one quick easy step:

    1) Post an article on Slashdot referring to a particular web site

    Now sit back and watch the fun! The Slashdot Virus is guaranteed to take down ANY website within seconds!!!

  28. Can we be 100% virus free? by Flounder · · Score: 2
    Is it possible to build software that is 100% resistant to computer viruses? Can software be coded with no possible pathways for a virus to spread?

    Microsoft is the primary cause for the proliferation of viruses in the past few years. Scripting ability is a nice feature in software, but should it be defaulted to be active upon installation of the software? A vast majority of users don't need scripting in spreadsheets and word processors.

    But with all of the holes in older software (sendmail, etc), it seems that the problem is getting worse, not better.

    So, where does the problem lie? Programmers not willing to look back over their own code and eliminate such holes? Corporations that are pushing for release, regardless of the security issues (hmmm, could it be... M$!!!)? Users that blindly open attachments without looking to see what they are opening?

    --

    No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova

    1. Re:Can we be 100% virus free? by Anonymous Coward · · Score: 1

      yes and no.. yes- write software that has ridiculous restrictions (read uninteresting) I know of no LOGO virus. no- interesting software is a complex system--and with Hilbert's tenth problem answered fully, there is no way, in general, to see if software is malicious or not without running the software to completion. Humans are the weak link, then, since they are the ones tasked with choosing to run (directly or indirectly) the software. The only true secure system is one that has no IO, is turned off, put in the middle of a 6'x6'x6' block of concrete, buried 100 ft underground, on another planet, in some other universe, and, just so that no human can interface with it in any way, shape or form, made of anti-matter (I know the concrete is matter;). Otherwise, human mistakes (whether they be poor code in the OS or poor administration), will always allow a wonderful breeding ground for virii, trojans, worms, etc. There is no way to program a complex (algorithmic) system to detect all malicious programs, so they must be detected by humans. If humans fail, then the system is at risk. All viruses I know of rely on human stupidity to transmit. (This goes back to virii like Stoned through ones like Monkey, NYB, right through to Melissa and onwards). I have no knowledge of virii before Stoned so, I am making a broad generalization that seems to fit for the past 11 years of virii spread.

    2. Re:Can we be 100% virus free? by phil+reed · · Score: 2

      The IBM mainframe and AS/400 environments are incredibly hard to get a virus into. AS/400s have an object-oriented security model in which it's absolutely not possible for a text or data object to be executed.


      ...phil

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    3. Re:Can we be 100% virus free? by cybercuzco · · Score: 1
      Microsoft is the primary cause for the proliferation of viruses in the past few years.

      This is not necessarily true per se, the reason why Microsoft computers are most vulnerable is not just because they're Microsoft computers, but because everyone uses them. If everyone used Macs I would think that we would have the same problem. The only solution is to not have a computing monoculture, we need to have multiple different operating systems preferably non regional in nature, so that it's much harder to bring down the whole system. Here's the kicker: these operating systems cannot be significantly interoperable, if you can write once run anywhere, then you've defeated the purpose of the diversity. As long as only one os, or a system of interoperable oses are out there, there will be the risk for UberViruses like ILOVEYOU. It's the same problem in nature, something like 90% of the corn grown in America comes from a few genetically similar hybrids. If a virus or disease comes along that significantly affects a species, a huge amount of the corn crop can and will be wiped out. Humanity runs a fine line between prosperity and extinction.

      --

    4. Re:Can we be 100% virus free? by Phredrick+Dobbs · · Score: 1

      Yay for NYB, I remember that virus, I got it about 6 times about 3 years ago. Friends of mine and I apparently had quite a few infected floppies, and it is rather easy to accidentally leave a disk in the drive ;)

      --

      -Phredrick Dobbs
      Emperor of the Universe
      Grand and High Protector of Everything
    5. Re:Can we be 100% virus free? by jafac · · Score: 1

      If everyone used Macs, we'd be totally screwed. AppleScript can do lots of nasty stuff.

      if it ain't broke, then fix it 'till it is!

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    6. Re:Can we be 100% virus free? by spezz · · Score: 1
      I know I'm supposed to blame MS (and I'm supposed to use a "$" instead of an "S") but really I think the reason so many viruses pop up in Outlook and the whole office package (I'm honestly surprised there aren't more excel viruses, I used to code in VBA and a template replacement script was easily altered to delete entire directories on firing it up) is that currently it's the easiest way to write a far reaching virus.

      If the easiest viral language were a unix flavor, we would see more of that. If it were really easy to crack open apache servers that's where you'd find your attacks. Sure, MS is the wimpiest kid on the block security-wise but just because Bill (well, Steve) leaves the door unlocked, don't think that the rest of us live in vaults. So no, I don't think we'll ever be 100% free of viruses as their evolution will continue with computing's...Quantum Viruses, Holographic Viruses, all of it.

      But it will maintain the balance we have now, I think the security people and the virus kids (tomorrow's security people) will maintain much of the give and take they 'enjoy' now, each trying to outdo the other.

    7. Re:Can we be 100% virus free? by Bob+Uhl · · Score: 2

      This may actually be true, but somehow I doubt it. After all, what is to stop someone writing a programme which does certain things based on certain inputs? Is that not, after all, what _all_ programs do? So it is possible, by constructing certain inputs, to cause certain things to occur. From this, it is (in time and given the existence of bugs) possible to write a bootstrapper to then run a virus. Voila!

    8. Re:Can we be 100% virus free? by phil+reed · · Score: 2
      After all, what is to stop someone writing a programme which does certain things based on certain inputs?

      True, a virus is a program. What makes it a virus is the way it gets introduced into the system. Since the AS/400 has incredibly well thought out security that prevents any object introduced into the system from executing without a tightly controlled process, the normal methods of virus propagation will fail. Period.

      You have not described a virus, you've described a trojan horse.


      ...phil

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
  29. Spell Checker Blues? by CMiYC · · Score: 1

    Consider using other operating systems, like Line or BSD.

    Is this a case of an unenlightened spell checker, or is Line an operating system I've never heard of?

    ---

  30. Viruses by Signal+11 · · Score: 2

    I know of a virus which would be much worse than any of the current crop of viruses: Make one that randomly changes bits in a database. Just think about it for a little bit...

  31. Networks threatened... by don_carnage · · Score: 1
    You know, after working in communications for a large company for 4 years, I have learned a lot about what can take down a network.

    The network is always going to be vulnerable to some sort of attack -- be it DDS, electro-magnetic pulse, SYN Flood, email virus, spam or whatever. Some well placed, unexpected volume will even do the trick.

    Let's think outside the M$ box for a minute and consider what a 'virus' could do to routers and switches. Everything that carries configurable software is vulnerable to some sort of attack!
    --

    1. Re:Networks threatened... by eudas · · Score: 1

      actually i was just thinking earlier about a virus that targets cisco ios to do something like get into a router, make it dump its configs (erase them), and shut itself down.

      (note to the picky: no, i don't have a ccne. obviously.)

      this would be much more interesting than a(nother) m$ box virus.

      eudas

      --
      Blessed is he who expects the worst, for he shall not be disappointed.
  32. Trial Lawyers Will Save us All by YIAAL · · Score: 1

    By suing Microsoft, etc. for having such crappy software and security. Of course, that may be a cure worse than the disease.... Question: is the court system really like a computer that runs on people and paper? And are bogus lawsuits its version of a virus?

  33. ahh, but... by MenTaLguY · · Score: 2

    diversity also = smaller chance of finding a particular exploit, thus restricting (and in some cases stopping) the transmission of a particular virus that can only use a limited set of exploits.

    As a corollary to this, given sufficient diversity, it becomes impractical for a particular virus to carry the code necessary to infect all of the available machines.

    Putting all your eggs in one basket is never a good idea. You might be a smaller target, but if you do get hit (and it's foolish to think you're invulnerable), you're automatically 100% dead.

    Among other things, this is borne out by quite a few thousand years of agricultural experience.

    You'd be hard-pressed to find any farmers or biologists who would argue that monoculture is the best way to limit your vulnerability to crop diseases, just because there are fewer possible diseases that could infect your crops.

    --

    DNA just wants to be free...
    1. Re:ahh, but... by MenTaLguY · · Score: 2

      Putting all your eggs in one basket is never a good idea.

      You got that right. Yet another reason why a monolithic Linux-dominated IT world will be an unmitigated disaster, if we're ever unlucky enough to end up with it.

      But really, shouldn't we all just be slagging Microsoft here??

      I'd much rather not see monolithic anything (although Jeppe does make some good points in his reply, which I'll have to think about).

      Since you brought it up, though, if I was forced to choose a monolithic environment, I'm not sure that a Linux-dominated IT world would be worse than the current Windows-dominated one.

      Although I've seen some stupid things done on both sides, at least on the Linux/Unix side, you see coders actually bothering to do simple things like putting their VB implementations in security sandboxes (i.e. Gnome Basic).


      --

      DNA just wants to be free...
    2. Re:ahh, but... by Dirt+Road · · Score: 1
      A version-control system can go a long way toward preventing that kind of damage.
      1. Check out the files you're working on today.
      2. Contract a nasty virus... tell today's updates bye-bye.
      3. Virus attempts to wipe server... it can't because you don't have write access to the archive.

      So you end up losing a day's worth of work. Not good, but I've seen all my company's PCs shut down for a day -- twice -- to clean up Windows viruses. Meanwhile, the few Mac and Un*x users kept working.

      Multi-user projects should use some kind of source/version control anyway, regardless of the virus du jour. Having two people working on the same files, unknown to each other, can be nearly as bad. (Been there, done that.)

      -- Dirt Road

      --

      -- Dirt Road
      Improvise - Adapt - Overcome (unofficial USMC motto)

    3. Re:ahh, but... by Jeppe+Salvesen · · Score: 1

      I lie in the dirt.. Thanks for clearing up! BTW - what's a good revision control system that's free and works crossplatform? I think we could use one around here anyhow.. :)

      --

      Stop the brainwash

    4. Re:ahh, but... by Dirt+Road · · Score: 1
      I think RCS and CVS both might fit the bill.

      We're using a web-based commercial system at work.

      -- Dirt Road

      --

      -- Dirt Road
      Improvise - Adapt - Overcome (unofficial USMC motto)

    5. Re:ahh, but... by castanaveras · · Score: 1

      Go with CVS - it's network friendly.

      And you can configure it to use SSH as the transport mechanism.

  34. Mirror/cache of article on google! by philj · · Score: 1

    1st, 2nd, 3rd and 4th page, cached by Google.

  35. Offtopic????? by georgeha · · Score: 1

    Let's see, the /.'ed article talks about a worm/virus that coordinates its attacks through several web sites, and becomes unstoppable.

    I describe a book, in 1975, that had a very similar subject.

    This is offtopic?

    I could care less about the karma loss, I have tons, but really, is watching Barney and having the intellect of a 2 year old a prerequisite to be a moderator now?

    Let me try to shamelessly get my karma back now.

    Killer virus possible because of too many Windows.

    Use Linux to stop this.

    Linux good, Windows bad.

    George

    1. Re:Offtopic????? by deefer · · Score: 1
      I'm with you on this one...
      If only I hadn't spanked my mod points that I had this morning...
      [OT] I wonder if CT holds stats on moderators? Like, how long they hold on to them for, on average - do people splash all 5 on one story, a few stories, or eke them out until they would expire anyway? Is that a poll, or what? Where is PollMastuh when you need him? :)

      --

      Strong data typing is for those with weak minds.

    2. Re:Offtopic????? by georgeha · · Score: 2

      Thanks for the support.

      I don't worry about the loss of karma for myself, I have lots to spare, but I worry about,

      the children.

      What if a young child had posted here, a young child of little karma, eager to impress the moderators with a literary reference that they thought was directly relevant to the discussion.

      Instead, they get a -1 offtopic. Their spirits would be crushed, they would be disillusioned, they had played by the rules, tried to make /. a better place, and only got slapped down for it.

      A few, well adjusted children could shake that off, but some, well, some might feel angry and bitter, and give into the dark side, and start posting about grits, or Natalie Portman.

      Please, moderators, consider, when you mark down a poster as off-topic, they may rise up again as a troll.

      George

    3. Re:Offtopic????? by AstroJetson · · Score: 1

      Yep, good point. Next thing you know you've got another Columbine HS on your hands. Please, mod squad, think before you act.

      --
      Admit nothing, deny everything and make counter-accusations.
    4. Re:Offtopic????? by georgeha · · Score: 1

      Hmm, do you suppose Katz will write a column about oppressed /.'ers?

      Their views are a little too outside the mainstream of /., they get disenfranchised, discouraged and then bitchslapped.

      He could call it the Trollmouth series.

      George

    5. Re:Offtopic????? by AstroJetson · · Score: 1

      omg...just spewed coffee on my keyboard. You owe me a new one. That's funny as shit!

      --
      Admit nothing, deny everything and make counter-accusations.
    6. Re:Offtopic????? by DavidOgg · · Score: 1

      Yes, Moderators have been smoking crack for the past few months. I don't even try anymore. Moderation system needs an overhaul (sigh)

      --
      Fear the government that fears your guns. Fear the government that fears your computers. Remove them from my email.
  36. How are you looking at the problem? by dbthomas · · Score: 2

    Why does a virus get more attention here in the USA than the AIDS epidemic in Africa? Proximity. We here in the /. community are so close to the issue of viruses and virus-fighting that it is taking over our lives. If you take a step back from the monitor (remember in "Fight Club": you are not your job) you will see that non-MIS people saw Melissa, and other viral attacks on businesses, as a half-day off work and nothing more. Like most other problems in the USA it is going to take an epidemic to get the common man's attention. We are still living under the mid-20th Century pretense that the US is indestructible. Until a virus comes along that will wipe everything in its path and reach home computers (like an AOL instant message script) we are the only ones who are going to sit up and take notice. dbthomas

    --
    "These are the days that must happen to you." -Walt Whitman
    1. Re:How are you looking at the problem? by SEE · · Score: 2

      We here in the DirtBike community are so close to the issue of dirt bikes and bike modification that it is taking over our lives. If you take a step back from the monitor (remember in "Fight Club": you are not your job) you will see that non-biker people saw the K-Rad 7, and other 2000-model bikes, as a nice thing to ride on your half-day off work and nothing more.

      Steven E. Ehrbar

  37. Interesting problem by FascDot+Killed+My+Pr · · Score: 1

    "Is it possible to build software that is 100% resistant to computer viruses? Can software be coded with no possible pathways for a virus to spread?"

    Good question. To answer it, we'd need a rigorous definition of "virus", but let's take a whack without this: "An entity is a virus if it can induce a program to reproduce it."

    First, trivially, yes it is possible. Here's a program that does not spread viruses:

    int main(void) { return 0; }  /* takes no input, produces no output */

    So the real question is "can any interesting programs be made virus-free?" And what is interesting? Well, minimally, it needs to accept input and produce output. The input to a program (actually, to a function) is called the "domain". The output is called the "range". If there is no overlap between domain and range (say, you input an integer and it outputs a color) then you clearly cannot induce the program to reproduce the input in the output. But that doesn't put us in the clear. A pair of programs that complement each other such that the range of A overlaps the domain of B (and vice versa) could be induced to reproduce the virus.

    Note that domain/range overlap doesn't guarantee there exists a virus that can exploit the program. It is a necessary but not sufficient condition.
    --

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  38. A sucker is born every minute. by TwistedGreen · · Score: 1

    And that's all i have to say about that.

  39. If you want to create real havoc by Anonymous Coward · · Score: 1

    write a M$ Lookout!(tm) virus that not only uses the target's address book to find new targets...
    But also forwards everything in the targets in/out boxes to everyone in the address book...
    This should probably have some sort of time-delay "dribble" effect so that it covers the most distance...

    Just imagine the fun when some HR person or the CEO (with budget or payroll info) gets nailed by this. People quitting, people fired, death threats, arson, arsenic in the coffee pot.

    Then organizations will start taking security seriously. And rightfully slamming M$ for creating an environment that fosters such problems. oh, and...
    [91 days without being moderated!]

  40. In a word, YES. by jcr · · Score: 1

    Check out the Extremely Reliable Operating System. www.eros-os.org.

    If you do everything on a "least privilege" basis, then a virus is infeasible. There's no reason why anything in an incoming mail message (for example) should have access to your address lists, or your outgoing mail queue.

    In an EROS system, since there's no reason for a program to have write access to its own code space (let alone anyone else's!), the virus can't alter it.

    Remember, a virus is only half of the problem. The other half is the brain-dead children at MicroSquish who built a mail client with a turing-complete language, and full access to the whole goddamned machine.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  41. Re:/.ed (with added analogies) by Shyryly · · Score: 1
    having a computer is a responsibility just like having a car. if you use your computer carelessly, and by doing so your system gets compromised and used to attack other systems, are YOU not responsible for that? Just as if you failed to pay attention at the wheel and killed someone with your car?

    Good start to a bad analogy. You are responsible if you leave your car running, up on a wobbly jack, in front of a playground and someone gets hurt. You aren't responsible when someone steals your car and then commits a hit-and-run with it.

    The computers, and users (for the majority), involved in spreading this type of virus aren't being negligent. It's a fair analogy to describe the average net-user as the average drivers because they are likely the same people these days. They don't know the risks involved in just double-clicking attachments and launching them any more than they know the risks of getting into a friend's car and driving it around. "If it's my friend's car, it must be safe.", unless someone has sabotaged your friend's car, or car-jacked it that is...

    A better question might be to ask if the car manufacturer is to be held accountable when they don't install doorlocks and the car theft/hit-and-run occurs, or when they fail to make modifications that would prevent future events of this sort from occurring again in the future. The responses to-date from companies like M$ have been less-than-acceptable; the equivalent of (if I can continue to over-use the car analogy) like plating over the windows and welding the doors shut on the car to prevent future thefts.

  42. We need computer control now by DonkPunch · · Score: 5

    This just goes to prove the insanity of low-cost easily-accessible computers and software in the hands of everyone. Every day, hundreds, perhaps thousands of machines are infected with virus and trojan software. The cost in lost data and productivity is easily in the millions.

    We have to stop this madness now.

    Right now, computers are less regulated than lawnmowers or automobiles. We require drivers to pass a proficiency test, why not computer buyers? It's time we registered computers and performed background checks on people who buy them. This is the only way to keep computers out of the hands of children and criminals.

    I am proposing a Million Geek March. We will have speakers telling stories of how their lives were destroyed by computers. Let's send a message to Washington now: "We need to be safe from computers!" It is absurd that in the year 2000, I have to scan every attachment I receive and every program I download. We need to make our information infrastructure safe again.

    All of you who oppose my plan, I ask, "What do you have to fear?" We're not planning to take away your computers. We just want some common-sense legislation for the safety of all. It will be a tough fight -- the rich lobbyists from Dell and Microsoft will try to stop us. They'll claim that the right to access information cannot be restricted. They'll claim that computers aren't the problem. We know they're wrong. Modern computers make it easier than ever to create destructive programs. A computer in the home is a tragedy waiting to happen.

    Let's get some common-sense computer regulation now. Thank you.

    --

    Save the whales. Feed the hungry. Free the mallocs.
    1. Re:We need computer control now by generic-man · · Score: 2

      I am proposing a Million Geek March. We will have speakers telling stories of how their lives were destroyed by computers.

      And just how do you expect to get a million geeks out of their homes? Do you have any idea how much free beer, pizza, and pr0n you'll need?

      --
      For more information, click here.
    2. Re:We need computer control now by killbill · · Score: 2

      You forgot to mention more common sense legislation... Why would anyone ever need to buy more than one computing device in a month?

      Not to mention requiring a keyboard lock, it only costs a few pennies after all.

      And no one should be in such a hurry that they can't handle a 5 day cooling off period before picking up a new computer.

      And we REALLY need to do something about those high capacity hard drives, did you know one 20 gig drive can store tens of thousands of ILLEGALLY obtained MP3 files?

      And don't get started about "easily concealed computing devices" like the palm pilot, especially the inexpensive "saturday night special" variation, the Palm IIIe.

      Stop the insanity!

      Bill

      --
      Mathematically impossible requirements are technically not against policy.
    3. Re:We need computer control now by DrEldarion · · Score: 1

      And we REALLY need to do something about those high capacity hard drives, did you know one 20 gig drive can store tens of thousands of ILLEGALLY obtained MP3 files?

      Yeah, but what about people who want to run Windows? There's about 3/4ths of that space gone right there... ;)

      -- Dr. Eldarion --

    4. Re:We need computer control now by pendrake · · Score: 2
      The problem isn't the users - it's the OS vendors.

      We have regulations on our lawnmowers and automobiles (yes, seatbelts are a good thing!). Imagine if your car didn't come with brakes - or if they did, you had to install them yourself after spending hours upgrading your car to the latest version.

      This is like Microsoft asking you to upgrade your Exchange version to turn off a "feature" which should never have been the default in the first place. This is the class action lawsuit that should really be taking place - thousands of businesses suing Microsoft for the time lost due to monkey scripts for features they never wanted in the first place and couldn't turn off without a CS degree...

      Any OS vendor which provides an OS which connects to the Internet should have to have a default level of security that requires the level of knowledge for hacking to rise above kiddie scripting...
      --
      Windows 2000. Security and Stability from the company that brought you the "ILOVEYOU" virus and the Blue Screen of Death...

      :-)

    5. Re:We need computer control now by scott@b · · Score: 2
      And no one should be in such a hurry that they can't handle a 5 day cooling off period before picking up a new computer.

      Uh - won't that new computer just about be obsolete in 5 days ?

    6. Re:We need computer control now by Legion303 · · Score: 1
      Viruses don't kill computers; virus-writers kill computers. :P

      -Legion

    7. Re:We need computer control now by jesterzog · · Score: 2

      We require drivers to pass a proficiency test, why not computer buyers?

      Well I for one consider car drivers licenses a good thing. As long as I know everyone's up to a set standard of driving, I can be reasonably confident that the driver coming head on towards me at 100kph won't swerve across the centreline.

      I don't agree with computer buyers needing licenses. For the most part, it would only add inconvenience to the millions who just want computers. Owning a computer and not knowing how to use it is mostly a danger to yourself more than anyone else. If buyers decide not to learn about what they're doing with them, it's their own decision. As long as I know what I'm doing, it won't affect me one way or the other.

      If and when businesses need someone reliable, they can look for someone with a proper qualification. I think the biggest problem is that either businesses and organisations don't do this properly, or the qualifications aren't reliable qualifications. In the latter case, it's the education system that would need to be controlled - not the users and buyers.


      ===
  43. ahh, but... by Jeppe+Salvesen · · Score: 1

    But.. Let's say that I've got a diverse network. Some Macs, some MS boxes, some Linux boxes and a couple of solaris boxes for the fun of it. Now, we all work on the same project - say a web project. So - we all have shares from the file servers mounted on our workstations. It is now sufficient to find an open exploit on one of the four operating systems to hurt my business. See - this bug doesn't attack the plants - it attacks the soil itself (roughly speaking). So, the entire monoculture point becomes moot.

    Furthermore, it's not necessary for the virus to carry code for all operating systems. ILOVEYOU et al taught us that. If the virus infects one machine, that's enough to clean out all network shares, and start spreading itself randomly (or less than randomly.. it could look in the inbox, and check what emails originate from vulnerable systems). Voila.. A few thousand years of agricultural experience gone.

    --

    Stop the brainwash

  44. You could easily get much more nasty than that by tilly · · Score: 5

    Here is a clue.

    The Samba folks don't publicize it, but they have found a number of buffer overflows in the stacks of every single OS out there. (They patched the ones they found in Linux.:-) A truly nasty critter would be set up to transmit itself using those overflows.

    If done right you would get a worm or virus that can transmit from computer to computer without any manual intervention. There has to date been exactly one such on the internet. The Morris worm. It went out of its way to be nice, and it still shut down the Internet through sheer speed of reproduction.

    You see getting a human in the loop slows things down. If you want to be truly nasty, automate it from start to finish. Then the first people will hear about it is when their networks go down.

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
    1. Re:You could easily get much more nasty than that by Twanfox · · Score: 1
      You know, I came across this neat little library for Linux. libsafe, produced by Bell Labs. I haven't had a chance to test its effectiveness, but you know those functions that you use to exploit buffer overflows? Well, this thing, using the libc runtime linker, preloads this library before all others, and therefore, its implementations are the ones that remain resident for those insecure functions. As I hear it, it blocks any buffer overflow using those functions for that reason.

      I run the thing on my machine at home, and while I haven't had any hack attempts since my last using buffer overflows, it seems like a smart thing to me. Catch ALL buffer overflows by the OS itself, don't rely on the programs to have done everything right. This means, though, you have to secure the OS as much as possible, but there're tools for that. Seems like an ideal way to block buffer-overflowing viruses to me. :)

  45. ahh by mikpos · · Score: 1

    Nice to see that we have the first ever 100% bug-free piece of non-trivial software: it's EROS! I guess you just install that once and then forget about it? No security updates or anything like that?

    Not to knock you completely. Capabilities make for a very nice security system, but if you think that it will *ever* be completely secure, or completely impervious to malicious code, which is what the OP was asking, you're kidding yourself.

    So the answer is: NO.

    1. Re:ahh by randombit · · Score: 1

      Nice to see that we have the first ever 100% bug-free piece of non-trivial software: it's EROS! I guess you just install that once and then forget about it? No security updates or anything like that?

      Calm down guy. It's just a research OS. :)

      Not to knock you completely. Capabilities make for a very nice security system, but if you think that it will *ever* be completely secure, or completely impervious to malicious code, which is what the OP was asking, you're kidding yourself.

      Obviously not. OTOH, cap-based systems are more likely to be secure than uid/gid/ACL based systems. Which certainly is a start.

  46. Re:/.ed (with added analogies) by wishus · · Score: 1
    Yeah, all analogies break down when you start to push them. :) And I agree with you completely about the difference between the wobbly jack and the stolen car. It's just my opinion that doing certain things out of ignorance is more "wobbly jack" than "stolen car."

    For instance, if you have an e-mail program that the entire world knows has a gaping security flaw, it is your responsibility to remedy the situation. Now that doesn't mean you have to re-program the software, it means you need to find different, better software.

    I agree completely with your assessment of certain software companies also, but remember that those companies' software is used by choice of each user.

    To be blatant and to the point, and stretch that analogy a little more, running Microsoft Outlook is like leaving your car running, up on a wobbly jack, near a playground.

    wish
    ---

  47. This has been done - and succeeded by tylerh · · Score: 1

    The famous Robert Morris Internet worm of 1988 did precisely this.

    It worked beyond the author's wildest dreams - but the worm didn't do a good job "staying out of sight." Once on a machine, it did *nothing* except try to infect another machine. The problem was that it was too good of a cracker: The worm spread like wildfire, spamming the network and bringing many machines to a crawl by infecting them thousands of times. Read more here.

    --
    "one treats others with courtesy not because they are gentlemen or gentlewomen, but because you are" --G. Henrichs
  48. Just an idea... by dagoalieman · · Score: 1

    If a website doesn't meet those "requirements", instead of linking in the article, we could place an unlinked http address in the article. That way people interested can go ahead and see the article, and some lazy bastards won't try to get to the site. Just a few people less, and maybe some sites won't get slashdotted. Probably won't work, but what the hey???

    --
    We don't need no Net Explorer We don't need no Thought control
  49. evolver virus? by SparkMan · · Score: 2

    Many interesting ideas here about how to write viruses which are difficult to detect. But what if they are out there already? Would we know it? Seriously how difficult would it be to create an "evolver" virus which:

    1. reproduces without human intervention
    2. is harmless (doesn't try to crash anything)
    3. occasionally mutates itself at a random time

    We could have a whole virus ecosystem evolving out there right under our noses without us even having a clue. Part of their strategies for surviving would necessarily include not crashing the systems they were "living" on.

    In fact this sounds like one of those things that because it CAN happen, it MUST eventually happen. Eventually somebody will do it and there will be no way to undo it once done. Maybe the first Artificial Intelligence created on Earth will be an internet-dweller who has never even met a human being before.

    --

    -- laws are the opinions of politicians --

    1. Re:evolver virus? by Blue23 · · Score: 1
      Hidden virii that mutate? You know, this would explain much about Windoze.

      Think about it. An organism is much more likely to grow in an environment that provides its needs. This is why your bread gets moldy but your car usually doesn't. (And if it does, why I'm sorry for you). But getting back to the topic, say that Win32 has lots of nice little niches for virii. Not really a stretch of anyone's imagination. Now assume that a self mutating virus would spread there better than someplace without all of the problems.

      So now we have our Win32 petri dish. How do we test for it? Well, we can look for the virii themselves, but that may be hard, they are small. Let's look for some second order effect. Well, self-mutating virii would occasionally end up bad and crash either an app or the system. Hmm, check, windows has that. Some virii would mutate away from being able to save themselves to disk, so as time went on your system would get slower and slower from more virii, and rebooting would make things nicer for a time since all of those non-disk virii would go away. Windows - check.

      That's good enough for me. Windoze is really a petri dish for a new flavor of virtual life. Next the EPA will be getting an injunction against people rebooting NT servers.

      Save the virii!

      =Blue(23)

      --
      LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
    2. Re:evolver virus? by Quietust · · Score: 1

      I saw something similar to this described in a magazine article a long time ago, but it wasn't a virus. The scenario was as follows:
      1. Create a 'sandbox' in which programs can run without screwing up the rest of the system (a Virtual Machine(TM)).
      2. Write a small program that does nothing more than copy itself (i.e. reproduce). But give it a buggy copy routine that might remove, change, and/or add bytes to the output (similar to how radiation messes up DNA/RNA).
      3. Run a program a few times and then delete it (limited lifespan). Repeat for each program generated. Some programs generated will have changes that will break them (and they are subsequently removed from the 'gene pool'), some programs will have changes that have no effect on the functionality, and some programs will have changes that add functionality.
      If this were run at a high enough speed, theoretically, the programs would begin to show signs of evolution.

      --
      Your friendly neighborhood mIRC scripter.
      if (ismoderator(reader)) hidemessage(this);

      --
      * Q
      P.S. If you don't get this note, let me know and I'll write you another.
    3. Re:evolver virus? by Quietust · · Score: 1

      Should've previewed before I noticed something that didn't quite make sense the way I phrased it :P.
      "at a high enough speed" should read "enough times".

      --
      Your friendly neighborhood mIRC scripter.
      if (ismoderator(reader)) hidemessage(this);

      --
      * Q
      P.S. If you don't get this note, let me know and I'll write you another.
  50. Links, mirrors, etc. by Omniscient+Ferret · · Score: 1
    The oh-so-lovable Google has cached pages 1, 2, 3, and 4. You might want to turn off image loading first, because the page might not render without the images from the slashdotted site.

    Different scary attack thoughts: Samhain (mirrors - linux-list, Red Rock Eater, bugtraq).

  51. Security by obscurity is bad for your health by Pac · · Score: 4
    In any case, is it a good thing to have people publishing design documents for killer virii?

    One of the worst things that can happen is the information about virii and other security threats to be shared only among some selected few. You may have seen the story about a 3 year old AOL security hole this weekend. The only way to prevent this kind of problem from becoming a major problem is to publicize the risk to the maximum possible extent. It guarantees that every system administrator in the world will hear about it and take the necessary steps to protect his/her piece of the network.

    1. Re:Security by obscurity is bad for your health by eudas · · Score: 1

      rootshell.com used to do this, but i haven't seen their pages updated very much in a long long time.

      eudas

      --
      Blessed is he who expects the worst, for he shall not be disappointed.
  52. Re:How many hits by Anonymous Coward · · Score: 1
    How many hits does a page get from the slashdot post?

    One, two, three, --crack! We'll never know!

  53. Physically Dangerous Virus by mikeage · · Score: 2

    Has anyone ever thought of / heard of viruses that do physical damage? I'm talking about anything from the wasteful (printing 1 character per page on a printer, and then formfeeding it), to a virus that might cause actual permanent harm to a computer. They say (and I assume it's true) that if you tamper with the refresh rates of your monitor, and set them too high, it can hurt the machine. What if (and PLEASE don't try this) a virus tampered with these settings? Maybe billions in damages is possible after all...

    --
    -- Is "Sig" copyrighted by www.sig.com?
    1. Re:Physically Dangerous Virus by Denor · · Score: 2

      IIRC, the Chernobyl virus that went around a while back did something like flash your BIOS, so it wasn't even possible to reboot the machine.
      A nice idea, but it had the unfortunate timing of coming immediately after the Melissa virus, when people were still paranoid. It didn't make it very far.

      --
      -Denor
    2. Re:Physically Dangerous Virus by z4ce · · Score: 2

      I forget the virus name.. but I remember hearing of one that would slam your harddisk arm into the extended area over and over and over till it would break. No idea if it's true or not.

    3. Re:Physically Dangerous Virus by Anonymous Coward · · Score: 1

      Hmm... when I boot Windows with the printer on (it's an HP Deskjet), it prints "ê" at the top of the page...

    4. Re:Physically Dangerous Virus by Kronovohr · · Score: 1

      The refresh rate change was done already by the Hellraiser family of viruses. This program would reproduce quickly, and cause the monitor to cycle its refresh rates until the monitor smoked. There was a variant a few years ago that combined its normal principle with a time bomb; theoretically, that's why many of the newer monitors have some mechanism enabled to prompt you for changes of refresh rate.

    5. Re:Physically Dangerous Virus by F2F · · Score: 1

      There was a story not so long ago about viruses which insert the '25th frame' on your screen...

      you know, the kind you can't really see, but which has a psychological effect on you (fight club has a better explanation :)

  54. My dealings with an uber virus... by Anonymous Coward · · Score: 2

    Back in 1995 I used to monkey around with virus writing.

    My favorite was a little randomly mutating virus. I wrote the little bugger to duplicate twice and erase itself. On each duplication the virus could choose to mutate or not (50% chance), if it did mutate it could either randomly alter or add data to its data section, or randomly alter or add an opcode at any point in the instruction section. Also if there was a floppy in the floppy drive it would append itself to the largest executable file.

    I ran this on my 90Mhz Pentium running DOS and after about an hour my computer froze. I rebooted and nothing happened. I whipped out Norton Disk Utilities and looked at the contents of the drive. One of the little buggers copied itself into the MBR but didn't know how to boot.

    The lesson here is that the Uber virus could very well take very little planning and simply be a genetic mutation of a simple assembly program.

    If I were to write this program today, I would give it networking libraries, code to try the 10 most common sploits on target machines, binary formats to run on all the major platforms and maybe even a DB of opcodes for different architectures so it can translate itself from an x86 bug to an Alpha bug and so on.

    A virus like that would suck and I haven't touched Assembly for two years so I'm not going to code it up but somebody might...

    ...but I hope anybody with that much talent would rather do something constructive like make video games ;p

  55. a true infowar virus by entropy42 · · Score: 2
    I wasn't able to read the original article, either because the site is being slashslammed or because half the net seems unreachable, but...

    If someone wanted to write a virus to do really lasting damage, it wouldn't do boring stuff like delete files or steal credit card information. Come on, who cares.

    The road to immortality is to hack people, to change relationships permanently. So here's what you do: propagate like iloveyou, but with vastly more discretion. When launched on a new machine, take the following steps:

    1. Dig through all the places typical mail clients store mail. Build up a list of all the subject's correspondents.
    2. Send the virus along to various correspondents, but do so with a very plausible looking reply to their last email. If you really want to go to town, emulate the subject's writing style, but some brief nondescript text should be sufficient. Lots of optimizations here, all with the goal of getting the subject to execute the attached program.
    3. Now, after enough delay to get that thing propagating a bit, search all the mail looking for mentions of people in the third person. Then package it all up and send it anonymously over. Thus, every mail our subject "Foo" has ever received mentioning "Bar", or ever sent mentioning "Bar", is now in Bar's hands. Repeat for everyone else in their mail.
    It should be obvious how devastating this would be, especially at cutthroat companies. The effects of such a virus getting much propagation would be felt for a long, long, long time.

    Nobody should do this, of course!

    --
    -- Stop the violins!
  56. SlashDot effect = DDOS? by Alien54 · · Score: 2
    Considering everything, SlashDot becomes another way to take out a slow server on a site:

    submit a story that was interesting, but is slightly stale.
    Watch it make the front page
    watch the site get slash dotted.
    Presto chango! instant DDOS!

    the poor guys trying to run the site probably haven't even figured out what is going on yet - They just know it looks like legit traffic, and they likely have an account that charges big bucks for heavy traffic.

    so for them they are likely just standing back in awe at an attack that looks like it is coming in from maybe 100,000 sites.

    Imagine if the site is hosted on some kid's home machine?

    --
    "It is a greater offense to steal men's labor, than their clothes"
  57. Re:/.ed (with added analogies) by Shyryly · · Score: 1
    That's just it; I don't think the average Outlook user knows about its weaknesses. Also, I also know it's safe to say that the average Outlook user doesn't have a choice as to whether or not they use Outlook. Large corporations usually have software standards that are used throughout the company. My company uses Lotus Notes ubiquitously, so Outlook isn't a problem even if someone wanted to use it. You're not allowed. Period. The MIS police come and remove it and break your mouse fingers or something. If it happened to be Outlook (which it was at one point) then the whole company is wide-open when this sort of threat happens.

    As for home users with Outlook, well, ignorance is the only excuse I can find for them. I cannot believe the average net-user is aware that they're using an 'unsafe vehicle' for their email transportation and those that might know don't necessarily know of an alternative (my ISP distributes Eudora Lite to new members, thank God). [Good poll idea: what email software comes bundled from your ISP, if any?]

    So again it comes back to accountability. Let's enjoy the car-analogy a bit more. If the drivers can rightly claim ignorance as a defense (which most can I believe) and we don't want to go after the manufacturer, can the distributor be responsible? If I know I'm selling you a dangerous vehicle, am I accountable? I'd think so. Hrm. Any lawyers care to bite at this one?

  58. My idea for a virus by Anonymous Coward · · Score: 2

    Here's an idea for a virus that would really be killer. I'm not sure how it would be distributed, but this is what it would do: all RAM (SDRAM, and I believe RDRAM as well) has something called SPD data. There's a tiny EEPROM on the RAM module that holds information about the RAM: its CAS latency, the size, technology (64 Mbit, 128 Mbit, etc.), and other things. The BIOS reads this data to figure out what kind of ram is in the system (NOTE: some RAM does not have an SPD chip on it, and many BIOSes just run some algorithm to determine how much RAM you have... but this can't detect things like CAS latency so performance can be lost if you have good RAM and this is done). Anyway, the SPD data is read using SMBus... thing is, THIS DATA CAN ALSO BE WRITTEN OVER SMBUS. So the virus would just write fake data over the RAM's SPD data, telling the BIOS that the user either has far more or far less RAM, or that it runs at a greater speed/CL than it should, which will generate all kinds of errors when programs are run, or not let the system boot up at all. It would be deadly because not only would it not let the computer work, it would be very hard for the average person to get rid of. And info on programming SMBus and SPD data are readily available on the web...

  59. business idea by BeerHunter · · Score: 1

    Start a data recovery business, then set your l33+ hax0rz to the task of creating a "uber-virus" that will format/fdisk on a certain day whenever. There will be plenty of business for everyone, and lots of money to be made.

  60. Soft white underbelly by Anonymous Coward · · Score: 1

    oh yuck. There's some social engineering for you.
    Just target FedEx and UPS with a virus and watch as the go-go-go e-conomy grinds to a halt.

    1. Re:Soft white underbelly by _Marvin_ · · Score: 1

      a: Highly critical. Still not very vulnerable, because large parts even of the distribution chain haven't been e-something'd yet.

      b: Critical. But I think it's not very vulnerable, those systems usually aren't (yet?) connected to the internet to a degree where you could shut them down remotely.

      c: Well, critical to many companies, but not soooo critical for J.Average. Could be reduced back to the traditional communication channels (Phone, Snailmail,...)

      --
      "We won't use guns, we won't use bombs, we'll use the one thing we've got more of and that's our minds" - Pulp
  61. Hiding code for a trojan to execute by Bob+Ince · · Score: 2
    Why not have the server host misc. content, with the instructions embedded in the HTML?

    Bzzt bzzt!

    I still can't get to the HNN article, but I can tell you that such a virus is indeed possible, because I've written one.

    As well as trapping filing system calls to stealth the virus, it is possible to take the opportunity (while a file is being accessed, so the user wouldn't notice a slowdown) to scan through the file for magic words that cause embedded code to execute locally. You need a CRC to avoid executing random code of course, and a text encoding scheme (I used a 64-bit code starting at '?').

    Thus you can turn any non-executable piece of content (mail, web page, news posting) into a harbour for native executable code, something that up to now Microsoft have at least only been doing by accident. ;-) The advantage is that the client itself accesses the code; unlike BO and co., the virus supplier doesn't need to make a connection to the victim machine to execute things on it.

    Obviously I have no intention of letting this see the light of day, but it's also unlikely to take over the 'net since it doesn't run on Windows. I guess it'd be possible, but I don't have enough knowledge of Windows internals (shurely m4d sk1llz? -Ed.) to write it.

    Anyway, it'd have to be rewritten into a mail worm, since actual viruses are terribly out-of-fashion these days. <g>


    --
    This comment was brought to you by And Clover.
  62. Sigs by veldrane · · Score: 1

    And created a new sig for each person containing itself so the person could be sending it out with each new e-mail they sent.

  63. It wouldn't be "easy". by tietokone-olmi · · Score: 1

    The Morris worm only worked because the net, at the time, was rather homogenous. That kind of shit won't work today because there's at least four or five different processor architectures (OK, one might be able to get past that problem by using shell script or some such, but then there's the problem of reproduction across the network) and a big honking lot of different software configurations. Sure, the worm might be able to punch through the by default insecure ia32-redhat installs, but how many of these are being used in critical backbone-related tasks? Not a lot, I'd guess. There was even enough bandwidth in the US backbone for it not to go down because of Melissa, and that thing was HUGE.

    The internet's major strengths are redundancy and diversity. Let's hope that neither of those go away.

    1. Re:It wouldn't be "easy". by bgat · · Score: 1

      The internet's major strengths are redundancy and diversity. Let's hope that neither of those go away.

      ... which is precisely why I think my next workstation will be StrongARM-, Mips-, or Alpha-based. True they're more expensive than converting a Wintel box to Linux, but the value of the diversity to be gained isn't to be underestimated...

      b.g.

      --
      b.g.
    2. Re:It wouldn't be "easy". by Anonymous Coward · · Score: 1

      Unless diversity is extreme, you just need a few versions of the exploit, and have the propagation scanning phase detect the remote OS, and use the appropriate exploit and virus binary. Of course, each specialized binary would carry as data the binaries for the other platforms.

      The Sun+Digital+Intel+PPC+MIPS diversity is not nearly enough.

  64. I'm sick of hearing... by QuarterSauce · · Score: 2

    "But PLEASE don't do this."

    "Don't get me wrong; nobody should do this"

    "It would be really cool but please don't take me seriously"

    Uh...if you wanna talk about building viruses, fine. Free country, etc. But don't try to cover your shiny little butt with a little disclaimer at the end.

    "So here's the step-by-step procedure on how to steal 14 million dollars without getting caught...but, uh...please don't do it."

    Please.

    1. Re:I'm sick of hearing... by Alpha+State · · Score: 1
      "So here's the step-by-step procedure on how to steal 14 million dollars without getting caught...but, uh...please don't do it."

      Um... I don't suppose you could tell me where you heard this one?

  65. This was explored in the X-Files by groke · · Score: 1
    Not really adding anything, but this idea (the sentient virus thing) was explored in a season 5 episode of the X-Files.. the Gibson episode (2/15/1998).

    With my own content, the idea of a self-modifying virus seems.. abstract. The best virii are as compact as possible, although I could see something that randomly changes a footer or something to prevent antivirus detection. A sentient version though.. I don't know. I don't think that AI is impossible, or even improbable, but I kinda doubt that it could work as a virus. I'd think you'd need something more intelligent than the average human (or has some mechanism to fake it) to learn how to exploit systems. At least without any intervention.

    Then again, I could be speaking out of my ass.

  66. Someone should write a virus... by ODiV · · Score: 1

    (or trojan or worm or whatever) that gives hits to the hunger site.

    That would really kick ass.

    (oh, and I don't know how to do any of this stuff, so if it happens, it's not me.)

  67. Melissa, I Love You and derivatives are peanuts by Drashcan · · Score: 1
    I work in a corp. which imperatively standardises on Windo$$$e and MS Office crap.

    From time to time those corporate morons have their ass kicked by a sweet Windoze-only virus or hack.

    In our spare time we, *nix addicts and Mac faithful, think of a Win-only apocalypse.

    Here comes our version of the almost perfect Win virus (=Winrus?).

    Imagine a virus similar to I Love You but which replies to everyone who mailed the given Windows loser. Replying simply with the standard RE: [original subject] and in the body "Conclusions" or something similar. Every time another short body text (out of a range of possibilities) can be produced in order to make the simple protection by spreading the word not to open an attachment entitled X or Y or Z or etc. more difficult.
    Anyway you get the picture: those "Conclusions" or whatever are clickable and after spreading the word to other users wipe out some crucial registries or other files.

    Isn't Windows wonderful?

    The Singing Skunk

    --
    The nice thing about Windows is: it does not just crash; it displays a nice little dialog box and lets you press 'OK'
  68. Mutual Assured Destruction by sulli · · Score: 1
    Of course, none of us will ever do it because we know it would do so much damage to the 'Net (government would step in hard) and also hurt many of us financially in some indirect way.

    This is true as long as those with the virus-writing skills (a) have some stake in the Net as we know it and (b) are fairly rational about things. In this case, even though everyone has a loaded weapon at his/her disposal, it's not used, because the consequences are seen as too severe. (In the Cold War, we didn't have nuclear exchanges in large part because we and our adversaries acted rationally. Similarly, we don't have carnage on the highways, because people know that intentionally causing severe accidents could put them in the hospital and/or jail.)

    But one can imagine another world in which people did NOT have stakes in the continued utility of computing and the Net, and therefore had an incentive to do severe damage, just because they could. In this case we would be constantly in a war of destructive viruses vs. security tools, and many innocents would be severely damaged. (Think about Sierra Leone, for example, where almost total anarchy prevails.)

    Fortunately we are closer to the former condition. But it could change. If the economy severely tanked and several hundred thousand geeks suddenly became unemployable, for example...

    sulli

    --

    sulli
    RTFJ.
  69. you forgot something by Hollins · · Score: 2

    Background checks and proficiency requirements are a good thing. But what about the loose cannon out there who has nothing bad in his background but one day gets up in the morning and thinks "I'm gonna go out ta buy me one of them compewters and turn loose one helluva vearus!"

    Obviously, the only way to protect ourselves from these nuts is to also implement a mandatory five day waiting period to buy a computer.

    Also, what possible need does anyone have for more than a Pentium 166? It does word processing, email, web browsing and runs solitaire. Any more power can only be used by someone with dangerous intent. We need to start worrying about these assault-computers, namely those with 64-bit processors. The evil PC makers (such as Dell and Micron) are already planning to unleash these weapons on the consumer market. They need to be stopped now with sensible legislation that outlaws assault computers.

  70. Yes, it *IS* terrible... by SvnLyrBrto · · Score: 2
    >Yes! Since Microsoft has scripting
    >support in their OS, that means they're to blame
    >for script viruses! How dare they have scripts
    >that run under Windows! Wait a minute...doesn't
    >Linux also support scripts? Never mind that --
    >more MS bashing!

    >But seriously (read before moderating this as
    >Troll or Flamebait), the reason that the e-mail
    >script viruses we've seen all attack MS Outlook
    >isn't because of how terrible Windows is.

    Yes, windows *IS* terrible (ESPECIALLY from a security context). Or have you simply not been paying attention for the last year and a half?

    The DEFAULT configuration of the DEFAULT mail client will run a script with the windoze equivalent of root permissions when you open it. It is ridiculously STUPID to allow a user-space email client to run amok in system space. Absolutely poor design, and worse implementation.

    And worse, they have known about this for a good YEAR AND A HALF! Ever since Melissa, this has been a known flaw... but gates REFUSES to fix it!!!

    Now, since you complain that Linux includes scripting as well as windoze, let's look at the equivalent sequence of events that would have to happen for a malicious script to be a problem:

    Say that someone sends me a malicious perl script as an attachment to an email. Well, when I open up that attachment, pine DISPLAYS it as a TEXT file. It is NOT run by default when I open it. I have a chance to examine it BEFORE I let it run, if I run it at all (not bloody likely unless I'm about to switch distros and am already backed up). Now, in order for it to be run in such a way that it could trash my system, I would have to:

    1) Save it as virus.pl, or whatever
    2) su to root
    3) Run it by typing "perl virus.pl"

    Or, if I am doubtful as to whether it is harmful or not, I could run it in user space with NO CHANCE of it trashing anything important.

    Now... which security paradigm is better?

    Not that Linux (or any given xBSD or Unix) is PERFECT... but it is by all means hella-better than anything that hath spewed forth from redmond.

    john
    Resistance is NOT futile!!!

    Haiku:
    I am not a drone.
    Remove the collective if

    --
    Imagine all the people...
  71. You missed one or two... by davebooth · · Score: 3

    Ever hear of network.vbs? That one's sneaky but doesn't use buffer overflows or other sploits at all.. It just randomly scans IP addys for windows machines with drive C shared and no password on it. When it finds one it installs itself.

    If your firewall is getting hammered by UDP-netbios crap it's a fair bet that's where it's coming from. If you're a windows user just look for a file called NETWORK.VBS in your startup folder, in c:\windows\system and the root of drive C... if you got them, you got it and are portscanning other folks' networks whenever you are online.
    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

    --
    I had a .sig once. It got boring.
    1. Re:You missed one or two... by Anonymous Coward · · Score: 1
      If you're a windows user just look for a file called NETWORK.VBS in your startup folder, in c:\windows\system and the root of drive C...

      The share must be named "C" and set to "full access" for this to work. Also, the virus copies itself to "C:\Windows\Start Menu\Programs\Startup", which is not necessarily the startup directory (then again, people smart enough to change the startup directory are probably smart enough not to share their hard drive without a password).
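
The file check described in the two comments above, as an added example that is not part of either post: it looks for NETWORK.VBS in the three named locations on a mounted copy of a drive, matching names case-insensitively because a Windows volume mounted on a case-sensitive system can spell `Windows` or `Startup` in any case. The function names and the constructed sample tree are assumptions of this example.

```python
import os
import tempfile

# File name and locations are the ones named in the comments above;
# function names and the sample tree below are assumptions of this example.
TARGET_NAME = "network.vbs"
CANDIDATE_DIRS = [
    (),                                                # root of drive C
    ("windows", "system"),
    ("windows", "start menu", "programs", "startup"),
]


def _matches_ci(directory, wanted):
    """Entries of `directory` whose name equals `wanted` (lowercase), ignoring case."""
    try:
        names = os.listdir(directory)
    except OSError:
        return []  # unreadable or missing directory: nothing to report
    return [os.path.join(directory, n) for n in names if n.lower() == wanted]


def resolve_ci(root, parts):
    """Resolve a directory path case-insensitively.

    On a case-sensitive mount several directories can match one component
    (e.g. both 'Windows' and 'WINDOWS'), so a list is returned.
    """
    current = [root]
    for part in parts:
        current = [p for d in current
                   for p in _matches_ci(d, part) if os.path.isdir(p)]
    return current


def find_network_vbs(root):
    """Return root-relative paths of NETWORK.VBS found in the named locations."""
    hits = []
    for parts in CANDIDATE_DIRS:
        for directory in resolve_ci(root, parts):
            for path in _matches_ci(directory, TARGET_NAME):
                if os.path.isfile(path):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample layout: two hits and two decoys."""
    files = [
        "network.vbs",                                      # hit: drive root
        "WINDOWS/Start Menu/Programs/StartUp/NETWORK.VBS",  # hit: startup folder
        "WINDOWS/SYSTEM/network.vbs.txt",                   # decoy: different name
        "My Documents/network.vbs",                         # decoy: not a named location
    ]
    for rel in files:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("' constructed placeholder, not real script content\n")


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_network_vbs(base)


if __name__ == "__main__":
    for hit in demo():
        print("found:", hit)
```

A hit only says the file name is present in one of those locations; the share settings the reply mentions still have to be checked separately.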

  72. web-based worm by PotatoNO · · Score: 1

    Thanks to the miracle of Captive-X, it is already possible to make a web-based worm that executes upon viewing. Just look at all these delicious exploits. And since more and more windows apps (e-mail, newsreaders, etc) are using IE as the in-app browser then those are affected too. What is ridiculous is that the 'good times' virus is now a very real possibility.

    I don't have to worry about it as I use Linux (not that we don't have exploits) but if you're a windows user please turn ActiveX off. The uberworm will happen eventually, and next time maybe it'll delete *.DOC,*.XLS,*.MDB instead of just *.JPG and *.MP3. That's going to seriously break some corporations off.

  73. It's already been done! by Admiral+Burrito · · Score: 3

    Building a killer virus for fun and profit
    By Bill Gates

    1- Buy "Quick and Dirty Virus" from some other guy.

    2- License virus to a large company that manufactures chess grandmasters. This should provide a fruitful infection vector. And remember: 640k is enough for anyone, so don't worry if your virus does things that prevent access to the rest of memory, nobody will notice.

    3- When other, nicer looking viruses come along, copy the user interface, but make it quirky and inconsistent (this is a virus we're talking about here, so it has to be nasty in one way or another).

    4- When "dr-virus" threatens to replace our virus, spit out weird error messages to confuse and disorient the user, allowing our virus opportunity to re-establish control over the system. Viruses that are dependent on our virus, however, can be left free to roam.

    5- A web browser should be integrated into the virus. Everything integrates a web browser sooner or later so make sure its ours and not somebody else's. This will expose you to the feds, who love to go after virus writers, so be careful not to get caught.

    6- By this time the virus should have infected most of the world. For new challenges, create another virus (or several!) and start the process again. If the feds put a stop to our old virus we'll still have this new virus already spreading.

    7- And whatever you do, don't call it a virus!

    1. Re:It's already been done! by tooth · · Score: 1

      Windows isn't a virus, virii do something...
      :)
      --

  74. Net Virus by Hard_Code · · Score: 2

    Don't worry...just practice safe cybersex.

    --

    It's 10 PM. Do you know if you're un-American?
  75. HNN is old news too, these worms already exist. by kbonin · · Score: 2
    Take this specific (5/7/2000) article from BugTraq with as few or as many grains of salt as you want:

    "I don't think I really love you", or writting internet worms for fun and profit

    Anyone doing serious work in these fields could write this. It's just a matter of time before one is released into the wild. Genies, bottles, and all that.

    On a related note, the potential impact of this class of worm is probably responsible for funding approval to the new "Infrastructure Protection" the USGOV is deploying to protect us from ourselves. Amusing, considering that this is one class of worm that will likely evolve to a point where it can't be eradicated from the net, at least as long as a few insecure systems are still online.

  76. Die Ubervirus, Die by _SIGKILL_ · · Score: 1

    Why did you tattoo "Die Ubervirus, Die" to your chest?

    No, no. It's German for "The Ubervirus, The."

    Well, no one who speaks German could be an evil man.

  77. 1 Crackbrained Dolt Doth Not A Broken System Make by Tim+C. · · Score: 1

    Yes, this particular moderator was a nit. Either that, or he/she/it accidentally mis-moused in the drop-down box, clicking "Offtopic" instead of "The Greatest Damn Brilliant Piece Of Insight To Issue From The Human Mind Since Plato", and then moderating in blissful ignorance of the error.

    Humans are not infrequently A: stupid/destructive/confused twits or B: butterfingered. We should not act surprised when proof of this fact is, as here, made evident to us. Nor should we presume the fact that a system does not absolutely prevent all foolishness or error on the part of its moderators to be an indication that this deliberately subjective system is functioning in an unintended manner. That's what the multiplicity of moderators is for -- to (most often) sufficiently compensate for blunders like this.

  78. The Easy is Inevitable by Tim+C. · · Score: 1

    Nuclear weapons are really hard for the average person to make or get a hold of. Try it sometime and see. One needs, ideally, to run a government of a good-sized country for a number of years. Failing that, one generally needs lots of money, a huge amount of planning, a good number of friends/followers who share your plans, and a willingness to risk being apprehended and unpleasantly killed by agents of a concerned superpower.
    Virus-writing, however, has rather lower barriers to entry. Psychological stability is not one of them.

    1. Re:The Easy is Inevitable by Peter+Dyck · · Score: 1

      Or then you just go and buy one from Russia.

  79. SU-XXX by Sangui5 · · Score: 1

    There were a set of viruses (supposedly) written by people working for the Soviet Union that could physically damage your computer. One of them did do the monitor refresh rate thing. Another (supposedly) fiddled with the DAC on your video card to fsck it up royally.

    Of course, while a friend of mine did have some actual binaries claiming to be some of these viruses, he never tried them out. But then again, who would?

    I've also heard it rumoured that by poking the same register over and over and over again as fast as possible you can blow them out on some chips that were marginal so far as the specs went.

    You could also seriously mess up certain types of hard-drives by doing a 'low-level format'. The procedure used to be used to clear older drives and prepare them for an ordinary format. Some newer drives respond poorly to this sort of thing, and end up getting necessary information (sector coding + the like) wiped.

    Also, for BIOSes that support it (all new ones) you could (I suppose) have a boot virus that immediately causes a hard boot. Might possibly hurt the power supply if it happened unnoticed for long enough. You could do the same thing to the motor on the CD-ROM drive (or a hard-drive), by spinning it up and down repeatedly. Of course, if the user is sitting at the machine when this happens, it's a bit suspicious. But if you did it to a closeted server, you'd have hours to cause mechanical failures.

    This whole post is a bit vague, rumourish, and unconfirmed. Except the monitor-refresh thing. I've had a monitor die because of that (no virus, just a stupid shareware game poking the video card). The rest is just hearsay. But it's all plausible/probably hearsay.

  80. And another one. by Sangui5 · · Score: 1

    I forgot. I have heard of a (confirmed) virus that does physical damage. It pulled a neat hardware trick that on one of the original IBM-PC's, would cause the disk drive to make a little clicking noise. Perfectly harmless, and did it ~ once a month. No biggy.

    Thing is, that on later hardware, that harmless bit of code would fry the drive motor.

    I have no clue as to whether it damages modern floppy drives. Given that it was written for the IBM-PC, it may not even run properly anymore.

  81. bastard! by feck · · Score: 1

    that'll teach me to hover my damn links...

  82. Click of Death by Rix · · Score: 1

    There was a bug in Zip drives like this. A particular scratch on the magnetic surface would slightly dislodge the read/write head. If a fresh disk was put in, the dislodged head would replicate that scratch.
    Cheers,

    Rick Kirkland

  83. Re:If monoculture is a threat... by _Marvin_ · · Score: 1

    > Or do all TCP/IP exploits rely on knowing the target architecture (buffer overrunns need to inject machine code... etc).

    Nearly all of them, at least those that allow you to take over a machine.
    TCP/IP itself had(s?) some glitches that allow for DoS attacks of strict implementations thereof, but those do not allow you to write an ubervirus, or indeed any virus at all.

    --
    "We won't use guns, we won't use bombs, we'll use the one thing we've got more of and that's our minds" - Pulp
  84. Re:If monoculture is a threat... by _Marvin_ · · Score: 1

    ...and that's simply because TCP/IP itself hasn't got any mechanisms for transmitting and executing CODE.
    Forgot to say that...sorry...I'm pissed...

    --
    "We won't use guns, we won't use bombs, we'll use the one thing we've got more of and that's our minds" - Pulp
  85. Sexploitations and Windows for Whiners by Graymalkin · · Score: 2

    There is no perfect operating system which is immune to the maliciousness of certain individuals. If you have a computer you have something that can potentially run code that will fuck things up. This is a given and is true for any operating system. When I see people boast that they run Linux or Mac and are therefore immune to virii and exploits I just shake my head and usually sigh. I'm still waiting for one final thing from the virii and worm dudes. Virii as part of a business model.
    Just imagine a virus that spread as fast as Melissa (in the course of a weekend) that didn't do anything too terribly malicious but did replace your screensaver and bookmarks with some new internet start-up's advertisements. Or how about a worm that replaced your GUI libraries with logos and ads for some start-up. Maybe companies will get so bold as to unleash virii into competitor's computer systems. We're already at a point where taking out a business's infrastructure could cripple and/or destroy a company. Right now we're seeing lots of worms just floating about because someone was pissed off at the world because they were a loser who had no other form of expression. What will happen when malicious exploits hit the mainstream of business and are actually aimed at individual companies. Script kiddies can cause a company's servers to stumble for a day but that is all pretty meaningless when compared to a virus bootstrapping all of a company's office systems. It isn't the OS that you need to worry about or boast over, it is how much you'll be fucked if that system fails.

    --
    I'm a loner Dottie, a Rebel.
  86. Author of original article - few notes. by LocalH2O · · Score: 2
    Hi,

    The article on HNN appeared last year, round about August...I think. I wrote it. That was a while ago.

    The article was nothing *new* - no revolutionary concepts - it was, as the article suggests, a culmination of all the bad things out there, neatly packaged. The article was written before the outbreak of Outlook and MS based viri and as such this avenue was not even fully explored.

    The idea was basically just to give the readers an idea of what could be done - how the viri and worms that we were seeing back then were actually quite "harmless" in comparison with how they could have been. I still think that this statement is very relevant today.

    I have received many suggestions on how to further enhance the worm/virus, and many suggestions on how "easy" it could be stopped. Like I said in the conclusion - I am not the brightest person on the planet - I am sure that there are many ways to further "enhance" the thing, and just as many ways to try to stop it. The idea was just to see how bad such a thing could be - to toy and share the idea with others in the field.

    We would be blind to think that such a monster (or something more dreadful) cannot and will not be developed in the near future (or maybe even as we speak).

    My 2c,
    Roelof.

    PS: I have no idea how it got to /. after all this time...
    PPS: ...and yeah... the "Line" O/S...a case of an over eager spell checker, and some finger trouble :)

    -------------------------------------------
    Roelof W Temmingh
    SensePost IT security
    roelof@sensepost.com
    http://www.sensepost.com
    -------------------------------------------

  87. No talented virus authors by xixax · · Score: 1

    We discussed this some months ago and decided that it is damn lucky that no truly talented software authors have put their hand to writing virii. And that most virus authors have publicity closer to mind than virus longevity. By looking at virus ecology (there's a large body of literature on propagation strategies) and design, you could get results far more scary than anything we have seen so far.

    X.

    --
    "Everything is adjustable, provided you have the right tools"
  88. How about both! by cpeterso · · Score: 2

    I don't know which would be worse: A virus that merely does a backup of empty files, or one that is good at getting itself safely backed up.

    Let the virus sit idle for 1.5 weeks (assuming companies backup once a week?). Once the infected files have been "safely" backed up, then the virus awakens, zeros all files, then backs up the zeroed files. :-o


    1. Re:How about both! by superkorn · · Score: 1

      Then it would zero itself out too? Or if it didn't then it might be a little obvious which files are virus related since they will be the only ones left.

  89. HNN DDOS by cr@ckwhore · · Score: 1

    Hmm...kinda ironic that HNN's servers can't handle traffic.

    What kind of virus is this again? Think about it.

    --cr@ckwhore

    --
    Skiers and Riders -- http://www.snowjournal.com
  90. Mirror of article (single page, no fluff) by achurch · · Score: 1
  91. Cool: H a c k e r N e w s Slashdotted by VB · · Score: 1

    I couldn't get to it from any of my servers. Nice job, guys.


    Linux rocks!!! www.dedserius.com

    --
    www.dedserius.com
    VB != VisualBasic
  92. Re:Virus = 1st real a-life? Dashed off thoughts... by Keith_Beef · · Score: 1

    What you are suggesting here is akin to a description of a good parasite.

    A bad parasite is usually one living in a host other than its usual host, and doing too much damage. The point of a parasite is exactly to not do very much damage.

    A badly adapted parasite, for example a worm that lives happily in a pig without damaging the pig, can do a lot of damage if a human eats undercooked pork.

    Thus, the parasite kills its host. The well adapted parasite does not kill the host, lives long and prospers and reproduces more (which is its goal, if it can be said to have one).

    It follows that if the goal of the computer virus is to propagate itself as widely as possible, it should not do immediate crippling damage to its host system.

    There's absolutely nothing new even in the vocabulary used to discuss computer viruses...

  93. Viruses could easily do much more damage by orabidoo · · Score: 2
    As many posts have said before me, most computer users are too dumb (or uninformed, or uninterested) to worry about security *and do something about it* (i.e. not opening dubious attachments). So I don't think much social engineering is needed on the part of viruses; we *will* have more ILOVEYOUs.

    Anyway, what strikes me is that these email and msword viruses have on the whole been quite tame in their side-effects. The ILOVEYOU virus, aside from emailing itself to your whole addressbook, replaced all the .mp3 and .jpg files on your hard drive. Some graphics people may have lost actual work stored in .jpg files, but on the whole, I don't think much got destroyed aside from porn and mp3 collections. Yet, it would have been just as easy for the virus to erase all your data; just replace "mp3" with "doc" and see the *real* damage!

    And then there's another, more insidious way, in which an email virus could do very serious harm: by randomly forwarding your emails to people. Imagine a virus that forwards each email in your inbox to one random person in your addressbook. Whoops, there go most companies' secrets!

  94. Buffer Overflow by Lozzer · · Score: 1

    I just tried to connect to hackernews and got a buffer overflow error. Should I be scared? Or them? Or is it just their 404?

    --
    Special Relativity: The person in the other queue thinks yours is moving faster.
  95. Ever wondered about an unstoppable virus....? by vAMP · · Score: 1

    These 2 ideas I have wondered about for a while...

    1) Why do viruses attack machines they are on?? Isn't this giving incentive for the owner of the host to get rid of it? For example.. let's say a virus (call it x) is spread. Now as long as x is small and doesn't take much resources then how would people know they have it? Even if it is detected by scanners there are plenty of people without scanners who may be hosts. This is where x differs from other viruses. If x is attacking a remote system (for example a DOS attack) having a virus detection program won't help, and people won't be inspired to get rid of it.

    2) Why not model x on a real human virus!!! As silly as it sounds I believe it may work. My idea was to have a core unit of the virus which doesn't change. This unit duplicates the virus and makes random changes to the rest of the virus. Although most of the duplicates won't work there will be some which will work.

    Survival of the fittest!!

    Now let's say x has both of these characteristics.. it spreads mutants.. and let's say at a specified time (after it has spread) it begins a large DOS attack. The amount of traffic on the net and networks could become intolerable. As well how can it be cured?? ONLY by every person on the network (or internet) to scan for the virus..

    Basically I believe that a lot of viruses lately have failed because they harm the host.. What are your opinions? I'd be interested to know..

  96. Ü NOT U! by fforw · · Score: 1

    argh.. if you want to borrow some expression from Nietzsche then use the correct spelling :

    Übervirus - from German über mostly meaning above. (see this Dictionary entry for about 190 different meanings =)

    And if you have no 'Ü'-Key on your Keyboard - hey.. that's HTML here.. the correct character is just an &Uuml; away.

    --
    while (!asleep()) sheep++
  97. Beneficial Intent? by Nyarly · · Score: 1
    Claimer: this is response to replies to the article, not the story itself, but neither is it in response to any one post.

    What if you took the philosophy behind the Morris worm: that a virus could benefit from security heuristics, and extended that to the motives of the worm. Couldn't, for instance, a slowly spreading Windows trojan that exhibited some discretion (for instance, only spamming the first dozen email addresses lexicographically following its current host) and some polymorphism (pretending to reply to Inbox email) and known security glitches in windows (between vbs and that weird Windows scrap file thing) to patch said glitches? To basically rate the host system on some level of newbiedom and then make basic and fairly transparent security changes?

    Possibilities include:

    • Changing default settings of Outlook to disallow autorun of attachments, and especially of VBS stuff.
    • Installing a faceless McAfee ripoff (or better still, a Virex port) to do virus checking quietly for the user.
    • Change some default settings to foil simple scripts; like moving the Start Folder, or Sharing setups.

    Is there something wrong with this idea? My gut feeling is that any virus is wrong since it removes control of the machine from its user. But then again, if you targeted Windows, control over system was never a concern of those users.

    I guess the biological analogy would be to release a weakened influenza virus to inoculate a populace too ignorant (or "underinformed") to get vaccinated. Sure, some people are going to get very sick, and the weak, the sickly, the very young and the very old will exhibit casualties, but over all lives might be saved. Same deal here: the worst, closest to breaking systems will probably break, but everyone else should be better off, right?

    Ushers will eat latecomers.

    --
    IP is just rude.
    Is there any torture so subl
  98. Nobody ever cracked KeyKOS. by jcr · · Score: 1

    Look up the papers on EROS. It's provably secure. If you don't have a capability to a resource, you can't even DETECT its existence: it's not in your address space.

    The contention that no OS will ever be completely secure is a crock, and it's used over and over to excuse the half-assed security hacks that UNIX and NT layer over their broken kernels.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."