Gnutella "Virus" Roams
An anonymous reader noted a CNN story about a
Gnutella "Virus" floating around. It only affects Windows, and it's actually more of a trojan than a virus, but once infected, it hijacks your Gnutella node to serve itself to other unsuspecting Gnutella users. I'm sure this is only the beginning.
When I first read this article, I thought, hey, no problem, doesn't everyone select "automatically hide exe, vbs files" during installation? But I have certainly seen this 8192 bug even though I have this option selected. What's up with this? Does the file hide itself as another file type?
Hopefully I didn't put any [] around my words.
"This is not a threat... it doesn't affect me anyway..." sounds like the canonical initial cry whenever a security hole the size of the Grand Canyon is revealed.
It may not affect you, but if it gives the network a bad reputation or screws up enough people who aren't you, it's your problem anyway.
First of all I would like to say that this is a proof-of-concept worm. It is written by Mandragore, a member of the Spanish-speaking virus-writing group 29A (666 in hex). If you look at all viruses/worms released by 29A, you would see that they are almost always proof-of-concept or very complex. :)
Secondly, this was released this weekend, why the story now? Also, regarding the post about viruses, why people write them, I would have to say that stories like this (on Slashdot, CNN, ZDNet or whatever) are probably what keeps the viruses coming. PUBLICITY!
Imagine being De Guzman (Loveletter author), 20 years old in the Philippines, knowing that you will never leave the place. Imagine writing a 50 line VBScript that does 3 rounds around the world in 1 hour. That's power, I guess.
Well actually, if someone finds a buffer overflow in Napster's parsing of an mp3 file header, then there will be a virus.
So there's actually plenty of danger with Napster.
On many Windows machines, a file named *.mp3.vbs will show up with an mp3 icon, yet when double-clicked by an unsuspecting user will run the Visual Basic Script it contains, so actually embedding viruses in mp3s isn't necessary.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
file a.out
'nuff said.
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
It is funny to see that this story appears after we heard lots about Napster issues with file marking.
I just wonder whether this story is FUD... After all, it is in Napster's interest to discourage their userbase from migrating to GNUtella.
Of course, there could also be a real bug somewhere....
--
Trolling using another account since 2005.
the same as this one?
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Burris
This is exactly like the previous VBS gnutella worm, except that it's an executable this time. See a June 2000 ZDnet story and this old Slashdot thread for more information.
I see lots of comments here about how easy it is to spot, it doesn't do much, etc. But don't forget that this is the first.
The Melissa virus was (I believe) the first major virus to take advantage of the vulnerabilities of having Windows Scripting Host running (read: Outlook), and while all it did was forward an attachment to everyone in your address book, it didn't 'do much', it just so happened to clog up mail servers. Just recently we had ILOVEYOU which did a lot of damage.
Virii development is getting more and more sophisticated and as it has been said, this is just the first. Look out for greater levels of sophistication as the virus developers learn what they can do with this new platform.
--
Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
First off there has been a .VBS running around GNUTELLA servers for as long as I can remember so this definitely isn't the first p2p virus. Secondly the anti-virus folks are ranting and raving again... Throwing around buzz words to scare the masses of winblows users. Napster won't allow you to send exe's, vbs', or any other executables. AFAIK there is no way to embed a virus in a win media file so Napster users are quite safe... Only the Gnutella users that are happy to download a 2k MP3 in the first place, then double-click this mp3 with the wrong icon, are susceptible to viri.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
PerES Encryption
i happen to be a gnutella user who runs a reasonable size server, under a windows client. i don't see how it won't affect me. :>
:)
people who follow basic internet security procedures (don't open unknown exe files, for instance) won't be affected, or indeed effected, by it. would you drive a car without learning what all those signs mean?
Military intelligence.
Microsoft Works.
Windows security.
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
You mean like a virus that installs Linux ;-) ?
BdosError
Complexity is Easy. Simplicity is Hard.
This looks like it's related to Windows' default 'simple mode' where it hides the extensions of 'known' file types (i.e. *.exe).. So if you call a file 'evilvirus.bmp.exe' Windows will hide the exe extension and to a luser it appears to be a graphic file. -Lovely, VB, etc.. etc.. Is there any way we could make Windows *more* virus/worm friendly?
--------------------------------------
Vices - what I lack in originality, I make up for in volume.
They think they got Napster beat, so now they are releasing their Winders virusus on Gnutella trying to keep users off. Obviously. Yes, that must be it. Of Course.
As I read earlier on this, it requires the user to be "stupid", to run it.. hence why it spreads so slow. Really, this could be any file from a FTP site, or something - it is really the same case as Outlook Viruses =P
-Stskeeps, http://unrealircd.com
You may be misunderestimating people's ability to be "stupid". Also, I've discovered in a rather painful way that stupidity runs downhill.
When my company infected itself with the 'AnnaKournikova' virus, it was only *after* I had sent out a general warning.
One of the VP's, who *does* know better, opened the message while he wasn't paying attention, clicked on the file, and sent it to everyone else. Everyone else, those who didn't figure it out, opened it because it was from the VP.
Your description is excellent. I would, however, view this first generation as more 'proof of concept' than anything else. Devising variants which return back variable sized documents or which return 'correct' sizes for a limited set of specific requests can't be long in coming. Likewise you may assume that future versions will examine the request strings and reply only to a subset and only some of the time. Counter measures will develop, of course, and so will the complexity of the trojan horses.
I think a bigger concern is the potential for this to undermine anonymous P2P networks. Inspired by the RIA, MPAA, hostile governments, etc., many efforts are being made to develop systems which fully hide the identity of the parties involved. It seems that this would also hide the origin of any trojans injected into the system. If users are no longer able to trust the content they receive, will they continue to use these systems?
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
Just loaded up BearShare and GNUtella and went searching for these files, haven't found any yet.. Even connecting to 100 hosts. Seems pretty localized, which is good. Let's hope it doesn't start going insane and end up on most people's computers. But then again, aren't the majority of GNUtella users *nix anyway?
----------------------------------
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
It conforms (mostly, it seems) to the spec for xferring data. That makes it a valid gnutella client. Without monitoring of the type of client sharing data, there is no fix.
In other words, this is as much a bug as typing:
and expecting the operating system to prevent attacks. It is not a software nor an implementation problem. Rather, it is an attack on the protocol that relies on human engineering to work. (i.e., Gnutella operates on a big fundamental flaw.. all clients are kind and good.) The way I see it, it was just a matter of time. Those who wish to transfer data anonymously should consider the source of the data. Fact is, unless you can authenticate the source, then expect garbage and get surprised from time to time.
In other words.. I double dog dare somebody to fix this in software. And even if they manage by some stroke of super-genius to fix it, it will not prevent similar attacks entirely.
PerES Encryption
It may be that Napster is immune, but I see a lot of weird stuff like *.mp3.mpg and *.mp3.vbs when I use the OpenNap servers.
I do not have a signature
It scared me a little. This was when I was first looking into Linux and did not know much better. At the same time, I figured he knew his friends. Looking around here, I see the same thing from time to time as this little beauty from message #33 by Fross (+5 interesting) "But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)". Nod nod, wink wink, not very funny.
Thankfully, nothing bad ever happened.
Friends don't help friends install M$ junk.
RIAA to put Napster in Crapster
"Lovable Lars" Fan Club
Cue James Earl Jones ...
Cue music ...
This...
is the Time-Warner Propaganda Network.
microsoftword.mp3 - it doesn't care that they're not words...
It's pretty easy to determine which Gnutella users are infected. Just do a search for 'nsdkjfnlnponf' or some other completely nonsense phrase. You'll get a bunch of matches, all files 8,192 bytes long. These are infected nodes.
--
Ummm.... you do realize it's the Open Source nature of this project that makes it so OPEN to this type of exploit, right?
I don't use GNUtella myself - while the project does sound interesting, I've had too many of my friends tell me they completely gave up on the system months ago because too many hacked clients were appearing and spamming the entire system.
I am not going to make the claim that making this project closed source is a viable solution to correcting this problem. HOWEVER, I won't make the rather insipid statement that the problem will go away because the project is Open Source, either.
Open Source is a great idea. BUT, it is not a magic bullet.
When questioned on whether this has anything to do with bad security in Windows Bill Gates replied:
"HA! Bad security in Windows? See the GNU at the beginning? That is what's causing this. Anything to do with GNU WILL cause harm to your computer, eat your filesystem, documents, grandma, etc... Besides the only ones getting affected are evil music thieves..."
Bill was later seen walking away with a bag with the words "RIAA Bribe money" over his shoulder.
"I think so Brain, but where are we going to find a rhinoceros in heat at this time of year?"
---
Erm, but if no one was attempting to exploit any weaknesses, why bother with security at all?
...j
What a load. Not worth attempting to rebut, since the main point seems to be to construct an Open Source zealotry windmill at which to tilt.
I do not have a signature
I've seen this over the last couple of weeks on Gnutella servers. There's been some other discussion about it, I believe on The Register, and i've done a bit of nosing round myself.
Ultimately this is not a threat. It is quite obvious to spot (if someone is searching for, for instance "chemical brothers" it'll return "chemical brothers.exe", which is an unexpected result, ie no track name and not an mp3 or so), though i have seen a variation that tries to disguise the fact that it is an exe (i've seen some spurious entries in "file type" entries under the Gnucleus client), and even if infected, your machine runs as a server for the virus - as far as i can tell, this won't make your machine run as a server when you're not running a gnutella client/server anyway, it'll simply return itself when someone's search hits your machine.
Many (sensible) clients already screen out several types of files, such as .vbs, and .exe - these won't be susceptible to the worm at all. All the worm does is replicate itself, nothing else. Though that's not to say someone else isn't going to use this mechanism to write something a lot nastier. But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)
/Fross
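The two detection tricks described in this thread (searching for a nonsense string and watching for 8,192-byte hits whose name just echoes the query, and the "chemical brothers.exe" / "*.mp3.vbs" / "evilvirus.bmp.exe" naming tells) are easy to turn into a client-side filter. The following is an added example written for this page, not code from any Gnutella client or from the posters; the host addresses and filenames are constructed sample data, and the set of extensions treated as executable beyond .exe and .vbs is an assumption of the example.

```python
"""Heuristics for spotting the Gnutella worm described in this thread from the
search results (QueryHits) a client receives.  Constructed example; not code
from any real Gnutella client."""
import re
from dataclasses import dataclass

# .exe and .vbs come from the thread; the rest are an assumption of this example.
EXECUTABLE_EXTS = {".exe", ".vbs", ".scr", ".pif", ".com", ".bat"}
WORM_SIZE = 8192  # the file size reported for the worm in this thread

# A trailing extension of 1-4 alphanumerics, e.g. ".mp3" or ".vbs"
_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}$")


@dataclass(frozen=True)
class QueryHit:
    host: str       # address the hit came from
    filename: str   # name as returned in the QueryHit
    size: int       # size in bytes as returned in the QueryHit


def split_extensions(filename):
    """Return (lower-cased stem, list of all trailing extensions).
    'great_song.mp3.vbs' -> ('great_song', ['.mp3', '.vbs'])"""
    name = filename.lower()
    exts = []
    while True:
        m = _EXT_RE.search(name)
        if not m or m.start() == 0:
            break
        exts.insert(0, m.group(0))
        name = name[: m.start()]
    return name, exts


def suspicious_reasons(query, hit):
    """List every heuristic from the thread that this hit trips."""
    stem, exts = split_extensions(hit.filename)
    final = exts[-1] if exts else ""
    reasons = []
    # The worm answers any query with the query text itself as the filename.
    if stem.strip() == query.strip().lower():
        reasons.append("filename echoes the search string")
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
    # Media-looking name with an executable tacked on (*.mp3.vbs, *.bmp.exe).
    if len(exts) >= 2 and final in EXECUTABLE_EXTS and exts[-2] not in EXECUTABLE_EXTS:
        reasons.append(f"double extension {exts[-2]}{final}")
    if hit.size == WORM_SIZE:
        reasons.append("reported size is 8192 bytes")
    return reasons


def looks_like_worm_hit(query, hit):
    """The nonsense-search probe: name echoes the query and the hit is an
    executable or exactly 8192 bytes."""
    stem, exts = split_extensions(hit.filename)
    final = exts[-1] if exts else ""
    echoes = stem.strip() == query.strip().lower()
    return echoes and (final in EXECUTABLE_EXTS or hit.size == WORM_SIZE)


def infected_hosts(query, hits):
    """Sorted hosts that answered a nonsense query with a worm-like hit."""
    return sorted({h.host for h in hits if looks_like_worm_hit(query, h)})


def screen_hits(hits):
    """What the 'sensible clients' in the thread do: drop executables outright."""
    return [h for h in hits if (split_extensions(h.filename)[1] or [""])[-1] not in EXECUTABLE_EXTS]


# Constructed sample QueryHits for a probe search of 'nsdkjfnlnponf'.
SAMPLE_HITS = [
    QueryHit("10.0.0.5", "nsdkjfnlnponf.exe", 8192),                           # worm, plain
    QueryHit("10.0.0.9", "nsdkjfnlnponf", 8192),                               # worm, hidden extension
    QueryHit("10.0.0.7", "Chemical Brothers - Block Rockin Beats.mp3", 5123456),  # ordinary share
    QueryHit("10.0.0.8", "great_song.mp3.vbs", 4096),                          # double-extension script
]

if __name__ == "__main__":
    print("probe hits from:", infected_hosts("nsdkjfnlnponf", SAMPLE_HITS))
    for h in SAMPLE_HITS:
        print(h.host, h.filename, suspicious_reasons("nsdkjfnlnponf", h))
```

The echo check is the one that matters for the probe: an honest node never has a file literally named after a random string, so every such hit identifies a node that is serving the worm, and a client can drop further messages from those addresses, as one poster in this thread describes doing by hand.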
I saw that a few IP addresses were returning "[search].exe" and "[search]" the other day on gnutella. Out of curiosity, I tried to download them, but was unsuccessful. Then I blocked these IP addresses and dropped all messages from them. It seems that the real reason this 'virus' will spread slowly is because it's nearly impossible to download anything from gnutella. The authors of this trojan must not have been too bright--they should have infected a P2P network with better throughput, like Napster.