Slashdot Mirror


Gnutella "Virus" Roams

An anonymous reader noted a CNN story about a Gnutella "Virus" floating around. It only affects Windows, and it's actually more of a trojan than a virus, but once infected, it hijacks your Gnutella node to serve itself to other unsuspecting Gnutella users. I'm sure this is only the beginning.

11 of 125 comments

  1. Exe file? by Glowing Fish · Score: 3

    When I first read this article, I thought, hey, no problem, doesn't everyone select "automatically hide exe, vbs files" during installation? But I have certainly seen this 8192 bug even though I have this option selected. What's up with this? Does the file hide itself as another file type?

    --
    Hopefully I didn't put any [] around my words.
  2. proof-of-concept by muffen · Score: 4

    First of all I would like to say that this is a proof-of-concept worm. It is written by Mandragore, a member of the Spanish-speaking virus-writing group 29A (666 in hex). If you look at all viruses/worms released by 29A, you would see that they are almost always proof-of-concept or very complex.
    Secondly, this was released this weekend, why the story now? Also, regarding the post about viruses, why people write them, I would have to say that stories like this (on Slashdot, CNN, ZDNet or whatever) are probably what keeps the viruses coming. PUBLICITY!
    Imagine being De Guzman (Loveletter author), 20 years old in the Philippines, knowing that you will never leave the place. Imagine writing a 50-line VBScript that does 3 rounds around the world in 1 hour. That's power I guess :)

  3. Re:Absurd.. by BdosError · Score: 5
    Microsoft has an even better way hidden within this system. The .shs extension (ShellScrap) is executable as a .vbs is, and is never displayed, even if you turn off "hide extensions for known types". There's also an individual setting for each extension that you can set to always show extensions for this type of file, and that still won't make the .shs show up. Brilliant piece of work that. I believe that's how one of the early VBScript worms worked.

    BdosError

    --
    Complexity is Easy. Simplicity is Hard.
  4. Absurd.. by PHr0D · Score: 5

    This looks like it's related to Windows' default 'simple mode' where it hides the extensions of 'known' file types (i.e. *.exe).. So if you call a file 'evilvirus.bmp.exe' Windows will hide the exe extension and to a luser it appears to be a graphic file. -Lovely, VB, etc.. etc.. Is there any way we could make Windows *more* virus/worm friendly?


    --
    --------------------------------------
    Vices - what I lack in originality, I make up for in volume.
    1. Re:Absurd.. by KilobyteKnight · Score: 5

      Is there any way we could make Windows *more* virus/worm friendly?
      Top 10 ways to make Windows *more* virus/worm friendly:

      10. MS Virus SDK
      9. "START virus" button on task bar
      8. Paperclip with virus hints
      7. "Auto replicate and spread" option in Outlook
      6. WORM.CAB
      5. Bundle virus protection in Windows
      4. Require Windows virus updates be done via Hotmail
      3. Virus32.dll
      2. Tell Microsoft that people are giving away viruses for free in an "Un-American" way.
      1. Two words: DOT NET

      --
      When will Windows be ready for the desktop?
  5. RIAA on Gnutella by hakker · Score: 3

    They think they got Napster beat, so now they are releasing their Winders virusus on Gnutella trying to keep users off. Obviously. Yes, that must be it. Of Course.

  6. Stupid is as Stupid Does by Bonker · Score: 3

    You may be misunderestimating people's ability to be "stupid". Also, I've discovered in a rather painful way that stupidity runs downhill.

    When my company infected itself with the 'AnnaKournikova' virus, it was only *after* I had sent out a general warning.

    One of the VPs, who *does* know better, opened the message while he wasn't paying attention, clicked on the file, and sent it to everyone else. Everyone else, those who didn't figure it out, opened it because it was from the VP.

  7. Yes, in the first generation by First Person · Score: 5

    Your description is excellent. I would, however, view this first generation as more 'proof of concept' than anything else. Devising variants which return variable-sized documents or which return 'correct' sizes for a limited set of specific requests can't be long in coming. Likewise you may assume that future versions will examine the request strings and reply only to a subset and only some of the time. Countermeasures will develop, of course, and so will the complexity of the trojan horses.

    I think a bigger concern is the potential for this to undermine anonymous P2P networks. Inspired by the RIAA, MPAA, hostile governments, etc., many efforts are being made to develop systems which fully hide the identity of the parties involved. It seems that this would also hide the origin of any trojans injected into the system. If users are no longer able to trust the content they receive, will they continue to use these systems?

    --
    Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
  8. No hijacking here by Wonko42 · Score: 5
    CmdrTaco's statement is a little misleading. The trojan does not "hijack" your Gnutella node. When executed, it sniffs network traffic looking for Gnutella search requests. When it sees one, no matter what the request is for, it sends back a positive match to the request. If the remote user downloads the matched file (which is always 8,192 bytes in size), they'll get the trojan.

    It's pretty easy to determine which Gnutella users are infected. Just do a search for 'nsdkjfnlnponf' or some other completely nonsense phrase. You'll get a bunch of matches, all files 8,192 bytes long. These are infected nodes.


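The two mechanics the thread describes, the double-extension trick PHr0D and BdosError point at ('evilvirus.bmp.exe', the never-displayed .shs) and Wonko42's probe (search for a nonsense string, treat every 8,192-byte hit named after it as an infected node), can be combined into one detection pass over QueryHit replies. The following Python is an added example written for this page; it is not the worm, not any Gnutella client's code, and not part of the original thread. It assumes a simplified Gnutella 0.4 QueryHit payload layout (hit count, port, IP, speed, then index/size/name records, then a 16-byte servent ID, with the optional extended block omitted), constructs its own sample replies inline, and uses an extension list that is an assumption on my part rather than anything the thread enumerates.

```python
import struct
from dataclasses import dataclass

# Extensions Windows will run on double-click. ".shs" (Shell Scrap) is listed
# because, as BdosError notes, Explorer never displays it. List is an assumption.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "shs", "shb", "lnk", "hta",
}

# File size every copy of the worm reports, per Wonko42's comment.
MANDRAGORE_SIZE = 8192


@dataclass
class Hit:
    index: int
    size: int
    name: str


@dataclass
class QueryHit:
    host: str
    port: int
    hits: list


def true_extension(filename: str) -> str:
    """The final extension (lower-case, no dot), which is the one Windows acts
    on regardless of what Explorer shows: 'evilvirus.bmp.exe' -> 'exe'."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_executable_name(filename: str) -> bool:
    return true_extension(filename) in EXECUTABLE_EXTENSIONS


def build_query_hit(host: str, port: int, results) -> bytes:
    """Build a simplified QueryHit payload (constructed test data, assumed layout):
    hits(1) port(2 LE) ip(4) speed(4 LE) [index(4) size(4) name\\0\\0]* servent_id(16)."""
    ip = bytes(int(octet) for octet in host.split("."))
    out = struct.pack("<BH4sI", len(results), port, ip, 56)
    for index, size, name in results:
        out += struct.pack("<II", index, size) + name.encode("latin-1") + b"\x00\x00"
    return out + b"\x00" * 16  # servent identifier, ignored here


def parse_query_hit(payload: bytes) -> QueryHit:
    """Parse the layout built above back into host, port and result records."""
    count, port, ip, _speed = struct.unpack_from("<BH4sI", payload, 0)
    offset = 11
    hits = []
    for _ in range(count):
        index, size = struct.unpack_from("<II", payload, offset)
        offset += 8
        end = payload.index(b"\x00", offset)
        hits.append(Hit(index, size, payload[offset:end].decode("latin-1")))
        offset = end + 2  # skip the name terminator and the extra null
    return QueryHit(".".join(str(b) for b in ip), port, hits)


def suspicious_hits(query: str, qh: QueryHit) -> list:
    """Wonko42's test plus the extension check: flag a result that is exactly
    MANDRAGORE_SIZE bytes and merely echoes the query, or that would execute
    on Windows whatever decoy extension precedes the real one."""
    needle = query.lower()
    flagged = []
    for hit in qh.hits:
        echoes_query = hit.name.lower().startswith(needle)
        if (hit.size == MANDRAGORE_SIZE and echoes_query) or is_executable_name(hit.name):
            flagged.append(hit)
    return flagged


def infected_hosts(query: str, payloads) -> set:
    """host:port of every node whose reply to `query` contains a suspicious hit."""
    bad = set()
    for raw in payloads:
        qh = parse_query_hit(raw)
        if suspicious_hits(query, qh):
            bad.add(f"{qh.host}:{qh.port}")
    return bad


if __name__ == "__main__":
    probe = "nsdkjfnlnponf"  # nonsense string nothing legitimate should match
    replies = [  # constructed sample replies
        build_query_hit("10.0.0.5", 6346, [(1, 8192, "nsdkjfnlnponf.exe")]),
        build_query_hit("10.0.0.9", 6346, [(7, 4500000, "chemical brothers - block rockin beats.mp3")]),
        build_query_hit("10.0.0.12", 6347, [(3, 8192, "nsdkjfnlnponf.mp3.exe")]),
        build_query_hit("10.0.0.20", 6346, [(9, 20480, "invoice.txt.shs")]),
    ]
    for node in sorted(infected_hosts(probe, replies)):
        print("infected:", node)
```

The extension check deliberately ignores everything before the last dot, because that is what the shell does when the file is opened; a client that only rejects names ending in ".exe" still lets ".shs" or ".pif" through. The size-plus-echo rule is the cheap fingerprint for this particular worm, and, as First Person anticipates, a variant that varies its size or only answers some queries would need the extension rule alone.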
  9. Re:Thank GNU for Open Source by C64 · Score: 3

    Ummm.... you do realize it's the Open Source nature of this project that makes it so OPEN to this type of exploit, right?

    I don't use GNUtella myself - while the project does sound interesting, I've had too many of my friends tell me they completely gave up on the system months ago because too many hacked clients were appearing and spamming the entire system.

    I am not going to make the claim that making this project closed source is a viable solution to correcting this problem. HOWEVER, I won't make the rather insipid statement that the problem will go away because the project is Open Source, either.

    Open Source is a great idea. BUT, it is not a magic bullet.

  10. This is proof of concept, and not too dangerous by Fross · Score: 5

    I've seen this over the last couple of weeks on Gnutella servers. There's been some other discussion about it, I believe on The Register, and I've done a bit of nosing round myself.

    Ultimately this is not a threat. It is quite obvious to spot (if someone is searching for, for instance, "chemical brothers" it'll return "chemical brothers.exe", which is an unexpected result, i.e. no track name and not an mp3 or so), though I have seen a variation that tries to disguise the fact that it is an exe (I've seen some spurious entries in "file type" entries under the Gnucleus client). And even if infected, your machine runs as a server for the virus; as far as I can tell, this won't make your machine run as a server when you're not running a Gnutella client/server anyway, it'll simply return itself when someone's search hits your machine.

    Many (sensible) clients already screen out several types of files, such as .vbs and .exe; these won't be susceptible to the worm at all. All the worm does is replicate itself, nothing else. Though that's not to say someone else isn't going to use this mechanism to write something a lot nastier. But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)

    /Fross