Gnutella "Virus" Roams
An anonymous reader noted a CNN story about a
Gnutella "Virus" floating around. It only affects Windows, and it's actually
more of a trojan than a virus, but once infected, it hijacks your Gnutella node to serve itself to other unsuspecting Gnutella users. I'm sure this is only the beginning.
Let's say Adobe (being probably one of the most pirated companies out there) decided to write a trojan that spread through a P2P network and, once on a user's system, searched for pirated Adobe software. Then, once they had the info, they could better target their anti-piracy efforts.
Before someone says that once it was known that Adobe was doing that... blah blah, bad PR blah blah... say it was a "black" project and done in a closed non-Adobe environment. How would you tell?
Remember it, write it down, take a picture, I dont give a fsck!
When I first read this article, I thought, hey, no problem, doesn't everyone select "automatically hide exe, vbs files" during installation? But I have certainly seen this 8192 bug even though I have this option selected. What's up with this? Does the file hide itself as another file type?
Hopefully I didn't put any [] around my words.
Of course, being open source, this bug will be fixed quickly. (Unlike certain other things **cough**cough**outlook**cough**cough)
Reality has a liberal bias
Is this just another way to talk about Napster again?
Executables are not traded on Napster, and mp3 files are not executed by an mp3 player, so there isn't any danger of a Napster virus.
Can I run it under wine?
"I've seen plays that were more exciting than this.
Honest to god... Plays!" Homer Simpson
"This is not a threat... it doesn't effect me anyway..." sounds like the canonical initial cry whenever a security hole the size of the grand canyon is revealed.
It may not effect you, but if it gives the network a bad reputation or screws up enough people who aren't you it's your problem anyway.
You can set Windows to show extensions of known file types; just go into your Explorer window settings and you should be able to find it from there. Still doesn't stop people from creating a zip file with the install files for an app, renaming the virus to setup.exe and placing it in the zip file. Only a decent anti-virus program will detect that; even then, users will most likely turn the AV program off to install the app! People never learn......
No sig here...
First of all I would like to say that this is a proof-of-concept worm. It is written by Mandragore, a member of the Spanish-speaking virus-writing group 29A (666 in hex). If you look at all the viruses/worms released by 29A, you would see that they are almost always proof-of-concept or very complex. :)
Secondly, this was released this weekend, why the story now? Also, regarding the post about viruses and why people write them, I would have to say that stories like this (on Slashdot, CNN, ZDNet or whatever) are probably what keeps the viruses coming. PUBLICITY!
Imagine being De Guzman (Loveletter author), 20 years old in the Philippines, knowing that you will never leave the place. Imagine writing a 50-line VBScript that does 3 rounds around the world in 1 hour. That's power, I guess.
I keep getting "nsdkjfnlnponf.htm"...who is generating those?
Skip ------ See the latest from http://www.anArchyFortWorth.com
I hate to break it to you, but this is a peer-to-peer network. When you download a file, you don't download it through something; you're getting it directly from the person who replied to your search query. Also, there are two reasons this is spreading slowly: the first has already been addressed, you have to be dumb to download and execute this virus. The second is simply that the virus answers all search queries it gets, and that slows the user's node down to a crawl.
Well actually, if someone finds a buffer overflow in Napster's parsing of an mp3 file header, then there will be a virus.
So there's actually plenty of danger with Napster.
It is not the first.
On many Windows machines, a file named *.mp3.vbs will show up with an mp3 icon, yet when double-clicked on by an unsuspecting user will run the Visual Basic Script it contains, so actually embedding viruses in mp3s isn't necessary.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Before that happened, I think they'd have to find a way to insert viruses in most media files (or can they do that already?) such as MP3 or MPEGs etc... since that's what most people look for. I mean knowing NOT to run an executable from a computer you don't know SHOULD be common sense no?
"I'm not a procrastinator, I'm temporally challenged"
file a.out
'nuff said.
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
Si[plastic] 6 % ls -l /usr/bin/false
-r-xr-xr-x  1 root  wheel  2932 Jan 16 17:53 /usr/bin/false
... no visual cue indeed.
Si
PS: I thought Microsoft only employed smart people 8-)
Can you be more specific? I really don't think this is the case - if I remember correctly, the ILOVEYOU virus used an attachment name like ILOVEYOU.TXT.VBS and was displayed as ILOVEYOU.TXT with a VBScript icon (a wavy scroll that looks similar to Notepad's icon but not the icon for text files). Perhaps you're thinking of the EXPLORE.ZIP virus? That was an executable with an attachment name like EXPLORE.ZIP.EXE, and executables can contain their own icons; it used WinZip's icon for Zip files.
As long as that's allowed:

 Volume in drive C has no label.
 Volume Serial Number is 1C8B-5434

 Directory of C:\projects\meef

01/17/2001  01:58p      <DIR>          .
01/17/2001  01:58p      <DIR>          ..
11/29/2000  05:22p               1,144 Form1.frm
01/15/2001  05:01p              20,480 meef.exe
01/17/2001  01:58p               1,408 meef.frm
01/17/2001  01:58p                 740 meef.vbp
01/17/2001  04:20p                  50 meef.vbw
01/15/2001  05:52p               3,964 meef_pure.log
01/07/2001  11:04p                 335 MSSCCPRJ.SCC
11/29/2000  05:22p                 749 Project1.vbp
12/07/2000  06:11p                  50 Project1.vbw
That's with "Hide Extensions of Known Types" turned on. Looks like both operating systems are doing things just fine.
What's gravi? Perhaps you meant something like "aviation" ? Or "Feliz Navidad" ? But who wants to watch movies of planes with guys singing "Merry Christmas" in Spanish?
Not I.
kickin' science like no one else can,
my dick is twice as long as my attention span.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Under bash, executable files are green with dircolors turned on, so yes, there can be a visual cue if you decide that suits your fancy.
It is funny to see that this story appears after we heard lots about Napster's issues with file marking.
I just wonder whether this story is FUD... After all, it is in Napster's interest to discourage their user base from migrating to Gnutella.
Of course, there could also be a real bug somewhere....
--
Trolling using another account since 2005.
I suppose that every virus writer has his/her own reasons for writing their virus. Whatever their reasons, virus writers should get some credit for making networks more secure. Can you imagine how insecure computers would be if there were nobody attempting to exploit their weaknesses? For security to evolve, so must the efforts of destructive code writers.
My Blog
Sure.. We know what it would do.. If you ran it it would delete all your MP3's, or other files, so you best not use any dirty file-sharing software, hint hint, nudge nudge.
--------------------------------------
--------------------------------------
Vices - what I lack in originality, I make up for in volume.
The same as this one?
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Burris
but what happens when .sh or .pl files start popping up? (-=
You Like Science?
You Like bottomquark.
man ls
This is exactly like the previous VBS gnutella worm, except that it's an executable this time. See a June 2000 ZDnet story and this old Slashdot thread for more information.
Pretty much everything you download with gnutella is "an unknown file from an unknown source". Your solution isn't much of one.
I love going down to the elementary school, watching all the kids jump and shout, but they dont know I'm using blanks.
I see lots of comments here about how easy it is to spot, it doesn't do much, etc. But don't forget that this is the first.
The Melissa virus was (I believe) the first major virus to take advantage of the vulnerabilities of having Windows Scripting Host running (read: Outlook), and while all it did was forward an attachment to everyone in your address book, it didn't 'do much', it just so happened to clog up mail servers. Just recently we had ILOVEYOU which did a lot of damage.
Virii development is getting more and more sophisticated and as it has been said, this is just the first. Look out for greater levels of sophistication as the virus developers learn what they can do with this new platform.
--
Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
I don't think you would find too many companies willing to tie their product/service to a virus.
Later...
KangarooBox - We make IT simple!
First off, there has been a .VBS running around Gnutella servers for as long as I can remember, so this definitely isn't the first P2P virus. Secondly, the anti-virus folks are ranting and raving again... throwing around buzzwords to scare the masses of winblows users. Napster won't allow you to send exe's, vbs's, or any other executables. AFAIK there is no way to embed a virus in a win media file, so Napster users are quite safe... Only the Gnutella users that are happy to download a 2k MP3 in the first place, then double-click this mp3 with the wrong icon, are susceptible to viri.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
A lot more people use Windows than use Unix, therefore it only seems natural to have more virii spread this way.
-
I happen to be a Gnutella user who runs a reasonable-size server under a Windows client. I don't see how it won't affect me. :>
:)
People who follow basic internet security procedures (don't open unknown exe files, for instance) won't be affected, or indeed effected, by it. Would you drive a car without learning what all those signs mean?
Military intelligence.
Microsoft Works.
Windows security.
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
You mean like a virus that installs Linux ;-) ?
The only thing being proven here is that people who download unknown executables and actually run them will have bad things happen to them. Gnutella, like Napster is useful for sharing data files, but not executables or vbs's etc. The real weakness being shown here is the crappy OS which allows file type to be hidden, enables auto-running of VBS scripts, etc. The extensions to the gnutella protocol which were discussed at P2P will enable new tools to protect users from some hazards but there is no way to protect someone who hands over control of his machine to an anonymous stranger. There never has been and there never will be.
You are not vulnerable. .EXE files don't run (in a straightforward way) under Linux.
So yes, thank GNU and Linus for Open Source!
From the looks of it, this is definitely more of a trojan... maybe I'm wrong, but it seems as though you have to actually download AND execute this thing manually in order for it to infect your client. If this is the case, I have a good anti-virii solution: don't execute unknown files from unknown sources (duh?).
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Most of these problems are solved with a little thinking.
The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin
Guess I should've seen this one coming...
--
Todd's Law: All things being equal, you lose!
BdosError
Complexity is Easy. Simplicity is Hard.
Use either Furi or LimeWire. Both can be found under the clones at http://www.zeropaid.com.
Javascript + Nintendo DSi = DSiCade
This looks like it's related to Windows' default 'simple mode' where it hides the extensions of 'known' file types (i.e. *.exe). So if you call a file 'evilvirus.bmp.exe' Windows will hide the exe extension and to a luser it appears to be a graphic file. Lovely. VB, etc. etc. Is there any way we could make Windows *more* virus/worm friendly?
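The "hidden extension" trick discussed in the posts above (a name like evilvirus.bmp.exe or ILOVEYOU.TXT.VBS shown without its real extension) is easy to screen for before a file is ever opened. The following check is an added example, not code from the original thread or from any Gnutella client; the two extension lists are this example's own assumptions, not a complete catalogue, and the sample names are constructed.

```python
# Added example: classify downloaded filenames for the hidden-extension trick.
# Windows with "Hide extensions for known file types" shows a name only up to
# its last dot, so "evilvirus.bmp.exe" is displayed as "evilvirus.bmp".
# Extension sets below are assumptions for this example, not an exhaustive list.
from typing import Optional, Tuple

EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif",
                   "vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Data types an attacker would hide an executable behind.
DECOY_EXTS = {"mp3", "jpg", "jpeg", "gif", "bmp", "txt", "zip",
              "avi", "mpg", "mpeg", "doc"}


def displayed_name(filename: str) -> str:
    """Name Explorer shows when extensions are hidden: strip the last extension.
    Names with no extension (README) or only a leading dot (.profile) are unchanged."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename
    return stem


def executable_extension(filename: str) -> Optional[str]:
    """The real (last) extension if it is one Windows will execute, else None."""
    ext = filename.rpartition(".")[2].lower()
    return ext if ext in EXECUTABLE_EXTS else None


def is_deceptive(filename: str) -> bool:
    """True when an executable hides behind a data-file name, e.g. song.mp3.exe."""
    if executable_extension(filename) is None:
        return False
    shown = displayed_name(filename)
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    return shown_ext in DECOY_EXTS


def classify(filename: str) -> Tuple[str, str]:
    """Return (name_as_displayed, verdict): data, executable or deceptive-executable."""
    shown = displayed_name(filename)
    if executable_extension(filename) is None:
        return shown, "data"
    if is_deceptive(filename):
        return shown, "deceptive-executable"
    return shown, "executable"


# Constructed sample names, including the two cases the thread describes.
SAMPLE_NAMES = [
    "The Chemical Brothers - Block Rockin' Beats.mp3",
    "chemical brothers.mp3.exe",
    "ILOVEYOU.TXT.VBS",
    "setup.exe",
    "README",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        shown, verdict = classify(name)
        print(f"{name!r:50} shown as {shown!r:35} -> {verdict}")
```

The check looks only at the real trailing extension, so a plain setup.exe is reported as an executable rather than as deceptive; the point is to catch names whose displayed form lies about what a double-click will do.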
That wavy scroll is Windows for 'I don't know what this thing is'
Notepad's icon is, oddly enough, a little notepad...
They think they got Napster beat, so now they are releasing their Winders virusus on Gnutella trying to keep users off. Obviously. Yes, that must be it. Of Course.
As I read earlier on this, it requires the user to be "stupid" to run it, hence why it spreads so slowly. Really, this could be any file from an FTP site, or something; it is really the same case as Outlook viruses =P
-Stskeeps, http://unrealircd.com
Maybe humankind can be blessed with a new virus to be hidden in one of the chain friends/good luck/other junk e-mails. When the message is forwarded to the requisite number of friends the forward function of the sender's mail client is disabled. The creator of this would get my vote for Commander of the Universe and Master of Time and Space.
RIAA may be behind it.
I ran into this worm when I did a search on my own name for hahas. Imagine my surprise when I found several files out there that were named after me! I downloaded one and opened it with a hex viewer. After seeing the name "Mandragore" I was able to look it up and find out what was going on.
To see who has the worm, do a search on Gnutella for a long nonsense string like "apuqoierk;afiekda". When you find an exact match you can see which nodes have been infected.
The Moore-Murphy Law: The number of things that will go wrong will double every 2 years.
You may be misunderestimating people's ability to be "stupid". Also, I've discovered in a rather painful way that stupidity runs downhill.
When my company infected itself with the 'AnnaKournikova' virus, it was only *after* I had sent out a general warning.
One of the VP's, who *does* know better, opened the message while he wasn't paying attention, clicked on the file, and sent it to everyone else. Everyone else, those who didn't figure it out, opened it because it was from the VP.
Your description is excellent. I would, however, view this first generation as more 'proof of concept' than anything else. Devising variants which return variable-sized documents or which return 'correct' sizes for a limited set of specific requests can't be long in coming. Likewise you may assume that future versions will examine the request strings and reply only to a subset, and only some of the time. Countermeasures will develop, of course, and so will the complexity of the trojan horses.
I think a bigger concern is the potential for this to undermine anonymous P2P networks. Inspired by the RIAA, MPAA, hostile governments, etc., many efforts are being made to develop systems which fully hide the identity of the parties involved. It seems that this would also hide the origin of any trojans injected into the system. If users are no longer able to trust the content they receive, will they continue to use these systems?
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
I found this story on infoworld when I went there 'cause I couldn't get through to ./ . So later when I could get through to ./ and submitted it, I added a blurb that it was probably only a matter of time before it gets married to linsniffer or whatever...there seemed to be a large number of submissions before me when I submitted, so anonymous must have been in that group. Makes me wonder what was with /. that made everyone so busy...
People who advocate the linux model underestimate how much real-world users won't follow the implicit or explicit security rules. Even me, using it for a number of years (slackware, redhat, a few others), and following the virus news groups off and on for a decade, I got hacked recently 'cause I just don't have the time or inclination to spend all my non-work hours patching stoopidass security holes. I have a real computer job, after all. Fortunately not much damage was done because I had so much half-configured crap on there.
But I gotta say, people who blame the user for being vulnerable, ought to be mugged.
By the way, I'm not reading email until I get around to reinstalling an OS again. It seems the first thing you need to do when your unix gets hacked is get off the net.
Oracle and unix guy.
Just loaded up BearShare and Gnutella and went searching for these files, haven't found any yet, even connecting to 100 hosts. Seems pretty localized, which is good. Let's hope it doesn't start going insane and end up on most people's computers. But then again, aren't the majority of Gnutella users *nix anyway?
----------------------------------
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
Nice Troll. YHBC. YHL. HAND.
---
It certainly won't effect him, since he's already come into being. It might affect him, though.
I may be wrong, but wasn't there something similar to this with Napster? A re-hashed version of the prog that forced serving... I know there are/were a few of these for IRC clients. Honestly, this SHOULDN'T be that hard to take care of.
if you mod me down, Darth, i shall become more powerfull than you can possibly imagine.. f33r |\/|1 |\|3g4+v C4r|\/|4
I know that there are some virii/worms/whatever that infect *nix systems... the DNS worm of the late '80s comes to mind. But why are there so many more 'virii' that infect Windows systems? Is it easier to develop them? Is it a security thing? Is it that most l337 d00dz are anti-Windows, hence Windows virii? Just wondering...
It scared me a little. This was when I was first looking into Linux and did not know much better. At the same time, I figured he knew his friends. Looking around here, I see the same thing from time to time as this little beauty from message #33 by Fross (+5 interesting) "But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)". Nod nod, wink wink, not very funny.
Thankfully, nothing bad ever happened.
Friends don't help friends install M$ junk.
Windows what? Windows 3.1? 95? 98? ME? NT 3.51? NT 4.0? 2000? If you're going to Troll, at least be more specific.
As for the universal search matching capability, that's nothing new. Remember Flatplanet?
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
RIAA to put Napster in Crapster
"Lovable Lars" Fan Club
Cue James Earl Jones ...
Cue music ...
This...
is the Time-Warner Propaganda Network.
microsoftword.mp3 - it doesn't care that they're not words...
But people are stupid. See the subject line. This is how a typical virus is initially spread. And yes, there are plenty of people stupid enough to download and run stuff like this. Curious kids who don't know better. People using computers that aren't theirs (e.g., school computers) so they don't care if they get infected. AOL users, etc.
I actually find it interesting to download these and run them through 'strings' to see what's there. Silly messages, "Ha ha ha ha!", long lists of IP addresses and hostnames and port numbers. Then probe the sites to see what I can find there.
It's written in Java and compatible with the Gnutella protocol, so it's impervious to windoze viruses: http://www.jps.net/williamw/furi/
-- javaDragon is an instance of JavaDragon.
It's pretty easy to determine which Gnutella users are infected. Just do a search for 'nsdkjfnlnponf' or some other completely nonsense phrase. You'll get a bunch of matches, all files 8,192 bytes long. These are infected nodes.
--
Agreed, as most people seem to use BearShare, EXEs get filtered out anyway. The thing is that not that many newbies use Gnutella anyway, so the penetration of a virus of this nature is very limited.
When questioned on whether this has anything to do with bad security in Windows, Bill Gates replied:
"HA! Bad security in Windows? See the GNU at the beginning? That is what's causing this. Anything to do with GNU WILL cause harm to your computer, eat your filesystem, documents, grandma, etc... Besides, the only ones getting affected are evil music thieves..."
Bill was later seen walking away with a bag with the words "RIAA Bribe money" over his shoulder.
This kind of thing could be a boon to non-Windows OSes. More virii, please!
Do domain names matter?
"I think so Brain, but where are we going to find a rhinoceros in heat at this time of year?"
---
...a file sharing project, written by a bunch of rookies whose only interest is in illegally copying files, has a security hole? Is this the part where we're supposed to act surprised?
Yeah a really effective virus is one that is half there... much like most of the half mp3's on napster!!
napster sucks... well at least most of the people serving up the mp3's suck!
moo.
I want to make a SETI@Home virus...
Besides the fact that I doubt they're going to find anything.. you'd certainly get closer to taking over the world than they would to finding something worthwhile, with all of their computing. Even if they can say that they're not wasting unclaimed processor cycles.
Insert mind here.
The same thing that's wrong with idjits here on /. with nothing better to say than "First Post!" Some people just delight in making trouble, just because they can.
--
Ooh, moderator points! Five more idjits go to Minus One Hell!
Delenda est Windoze
Ooh, moderator points! Five more idjits go to Minus One Hell!
Delendae sunt RIAA, MPAA et Windoze
If you execute an EXE from any file sharing service, you run the risk of getting a virus. If you're inclined to think the EXE is a virus, virus scan it! Or don't run it! And never run a .mp3.exe file, that's just plain stupid! If you are stupid enough to do that, you deserve to get a virus!
It might be a nice way to increase your effective bandwidth for poorly linked places like .ru, etc.
Maybe this virus model could have beneficial use for something like that? Instead of your data taking (mainly) one route, it takes many routes through your distant friends in chunks to find you more quickly?
/muerte
Let the conspiracy theorists go on this one.
Isn't it obvious that the MPAA and the DoD are in on this? And do you really think that Norton will come up with a solution? =) heheh
If all these smart people writing these virii, etc. would just download Linux or something, they could use their skills to write some cool software.
My theory is that these elite groups use Windows, don't know anything else is out there (or are too snobbish to use anything else) and get bored when they realize the only cool thing they can do with it is 'hack' the registry.
Look at it this way - all you ever see on C|net about doing cool stuff to windows to speed it up is really gay.
Open source is the cure because when these guys (kids) get bored they can hack the kernel or something.
I got it - why not a damn virus that partitions your hard drive and puts Linux on it, but then it wouldn't really be a virus; more of an anti virus.
Get your Unix fortune now!
I guess the RIAA is hard at work
I've seen this over the last couple of weeks on Gnutella servers. There's been some other discussion about it, I believe on The Register, and I've done a bit of nosing round myself.
Many (sensible) clients already screen out several types of files, such as .vbs and .exe; these won't be susceptible to the worm at all. All the worm does is replicate itself, nothing else. Though that's not to say someone else isn't going to use this mechanism to write something a lot nastier. But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)
Ultimately this is not a threat. It is quite obvious to spot (if someone is searching for, for instance, "chemical brothers" it'll return "chemical brothers.exe", which is an unexpected result, i.e. no track name and not an mp3 or so), though I have seen a variation that tries to disguise the fact that it is an exe (I've seen some spurious entries in "file type" entries under the Gnucleus client), and even if infected, your machine runs as a server for the virus. As far as I can tell, this won't make your machine run as a server when you're not running a Gnutella client/server anyway; it'll simply return itself when someone's search hits your machine.
/Fross
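Several posts above (the "nsdkjfnlnponf" search, the 8,192-byte hits, and Fross's "chemical brothers.exe" observation) describe the same detection method: the worm answers every query with a file named after the query itself, so a nonsense query that gets exact matches identifies infected nodes. The code below is an added example of that check, not Mandragore's code and not part of any Gnutella client; the QueryHit record layout, field names and sample hits are constructed for the example, and the 8192-byte size is taken from the thread.

```python
# Added example: flag Gnutella nodes that behave like the worm described in
# the thread. Signature (from the posts above, assumed here): the returned
# filename is the query string, with or without ".exe", and the file is
# always 8,192 bytes. Record layout and sample data are constructed.
from dataclasses import dataclass
from typing import Iterable, List
import secrets
import string

WORM_SIZE = 8192  # size every post in the thread reports for the worm


@dataclass(frozen=True)
class QueryHit:
    """One search result as a client would receive it (constructed layout)."""
    host: str
    port: int
    filename: str
    size: int


def nonsense_query(length: int = 16) -> str:
    """A random lowercase string no real shared file should match.
    Any node returning an exact hit for it is echoing the query back."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def looks_like_worm_hit(query: str, hit: QueryHit) -> bool:
    """True when the hit echoes the query as its filename and has the worm's size."""
    name = hit.filename.lower()
    q = query.lower()
    echoed = name == q or name == q + ".exe"
    return echoed and hit.size == WORM_SIZE


def infected_hosts(query: str, hits: Iterable[QueryHit]) -> List[str]:
    """Sorted, de-duplicated host:port list of nodes whose hits match the signature."""
    return sorted({f"{h.host}:{h.port}" for h in hits if looks_like_worm_hit(query, h)})


# Constructed sample hits for the query "chemical brothers".
SAMPLE_QUERY = "chemical brothers"
SAMPLE_HITS = [
    QueryHit("10.0.0.5", 6346, "The Chemical Brothers - Block Rockin' Beats.mp3", 4_812_331),
    QueryHit("10.0.0.9", 6346, "chemical brothers.exe", 8192),     # worm
    QueryHit("10.0.0.23", 6347, "Chemical Brothers.exe", 8192),    # worm, case differs
    QueryHit("10.0.0.42", 6346, "chemical brothers", 8192),        # worm, no extension
    QueryHit("10.0.0.77", 6346, "chemical brothers.exe", 20480),   # wrong size, not flagged
]

if __name__ == "__main__":
    print("infected:", infected_hosts(SAMPLE_QUERY, SAMPLE_HITS))
    probe = nonsense_query()
    print("probe query:", probe)
```

Because the size test is strict, the variants another post anticipates (replies with varying sizes, or only to some queries) would slip past it; the nonsense-query probe is the more durable part of the check, since a legitimate share almost never has a filename equal to an arbitrary random string.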
What's wrong with these jerks that keep spreading viruses/trojans around. Just because you know how to write something to do this destructive/dos/whatever crap, doesn't mean that you should unleash it on the world...why not use the talent to create something helpful instead of harmful?
terradot, growing awareness
I saw that a few IP addresses were returning "[search].exe" and "[search]" the other day on Gnutella. Out of curiosity, I tried to download them, but was unsuccessful. Then I blocked these IP addresses and dropped all messages from them. It seems that the real reason this 'virus' will spread slowly is because it's nearly impossible to download anything from Gnutella. The authors of this trojan must not have been too bright; they should have infected a P2P network with better throughput, like Napster.