Another Nasty Outlook Virus Strikes
Goldberg's Pants writes: "ZDNet and Wired are both reporting on a new virus that spreads via Outlook. Nothing particularly original there, except this virus is pretty unique both in how it operates, and what it does, such as emailing random documents from your harddrive to people in your address book, and hiding itself in the recycle bin which is rarely checked by virus scanners." I talked by phone with a user whose machine seemed determined to send me many megabytes of this virus 206k at a time; he was surprised to find that his machine was infected, as most people probably would be. The anti-virus makers have patches, if you are running an operating system which needs them.
If microsoft cares so much about giving the users what they want, why don't they actually strive to create a situation where the users have what they want?
What i mean: Users want the ability to run email attachments indiscriminately. They do not currently have this ability, not safely.
Microsoft could make this safe. Microsoft could (at the LEAST, this could be done within the context of XP; create a user with no privileges?) throw together something that would run executables attached to email in a sandbox that couldn't touch the hard drive or do anything "evil". Then the users would be happy.
Hm. A secure sandbox that programs in emails or webpages can run inside of. You know what would be a good way to give the users this? Give them the ability to double click and run java applets from their email, then encourage joe cartoon and everyone to distribute their attachments as if for the java vm. Oh, wait, i just remembered-- Microsoft just struck java vm access from outlook for "security" reasons, didn't they? silly me. Well, i guess it's good to know that microsoft is doing something to send a signal that security is more important to them than the things the users frivolously want.
Perhaps you have no friends TO send you mail.
Any mailer that displays even plain HTML as soon as you view the message can be attacked, and ones that do Javascript are INSANE.
Don't be ridiculous here. How can you say that ANY MAILER that renders HTML is vulnerable to an attack? Does that apply to my browser accessing my webmail account?
Though Outlook may have some problems here, it is entirely acceptable to believe that a mailer can render HTML emails in a safe and protected way. And the same for Javascript - Javascript can be annoying, but the security holes it has introduced have not been severe. The security problems here are not inherent to HTML and Javascript, they are caused by poor mail clients. It is important to not confuse the problem.
yeah, there are NO viruses for outlook express. oh wait, i was thinking of netscape on macintosh, my bad!
--
F-Secure (the F-Prot people) have more information on One Half.
Alex Bischoff
HTML/CSS coder for hire
I have received the first email sent by that thing three days ago and reported some brief analysis to bugtraq, got a "rejected, send to incidents" response, sent to incidents, and apparently there is still nothing in the archives -- I have no idea why, incidents list posts all kinds of "I have seen a big spider hanging over my keyboard, I think he tried to hack me" stuff.
For everyone interested, messages with virus and extracted infected documents are here.
Contrary to the popular belief, there indeed is no God.
> Why can't these virus writers do something cool?
You don't want virus writers with imagination. You *really* don't. A truly imaginative virus writer would likely devote all sorts of creative energy toward thinking up nasty things to do to your computer.
I'm still waiting for the trojan that silently installs itself, then once every day looks for spreadsheets on your system and randomly changes three numbers in every fifth file. Or perhaps it finds your Word documents and randomly removes the words "do not" from a few places. Or maybe it flips a few bits in your swap file, or munges your C++ compiler so that your programs randomly destroy the user's partition table one time out of a thousand. Maybe it sends death threats in your name to president@whitehouse.gov, or anonymously tells Microsoft that your company is pirating Windows.
No, I'm quite happy with the current crop of dull, stolid, entirely *un*imaginative virus writers, thank you very much!
I'm on MacOS using _eudora_ and all these sorts of files are dead inanimate matter to me.
Almost a megabyte of dead inanimate matter over a 56K modem just since this afternoon alone...
I am _so_ _pissed_ _off_ at this crap. I've taken to spamcopping the victims, using this note to their postmasters (where applicable):
"Please suspend this user's account. They are propagating the SirCam worm, and that must stop directly.
-postmaster@airwindows.com"
I have it as a clipping ready to be dragged into the spamcop personalize box, which is what I do when I am so overloaded with spam that I can't get time to type, but not so overloaded that I just give up- which has been the case until recently and this is what brought me back into the fray. _I_ _hate_ _this_... can't we declare Outlook illegal or something? Classify it as a weapon for denial of service attacks.
Windows NT has had user level security for something like 8 years. Windows 2000 added the "runas" command which is a lot like "su" and some other improvements. What they both lack is sufficiently restricted permissions by default and don't discourage putting user accounts in the Administrators. Since Win2k, having an account in only the Users group and applying the Basic security template, makes it reasonably restricted.
So why doesn't Outlook do this automatically? Seriously - Outlook could set up a dummy user account at installation time and whenever an attachment is to be executed it could use the previously created dummy user to execute it. To all the posters who wrote that setting up a dummy user to execute attachments is too hard for most users, too cumbersome, or too inconvenient, what's the problem if this is built into Outlook and transparent to the user?
-----
Free P2P Backup, Windows & Linux
hawk
> be stopped is by making it socially unacceptable (improper netiquette)
> for anyone to send executables through email.
For crying out loud, we can't even get people not to send messages in html . . .
absolutely not. One of the things I learned practicing law is that the reason we're not in serious danger from the criminal element is because *criminals are stupid*. They don't draw the connection between crime and punishment. Their planning is lousy. I actually had one where five of them stole 70,000 (using my client's mother's car as a getaway vehicle), and each took their $5,000 share. It took the police ten minutes to get it through to them that the ringleader ripped them off.
Or the one that had to be rescued by the police after getting toasted, robbing a bar with a toy uzi, and then *going back in*, whereupon it was recognized and he was stabbed nearly to death . . .
If they had what we generally think of as "Average intelligence," we'd be in serious trouble (of course, this would in many cases keep them from criminal behavior, too).
virus writers are just another kind of criminal . . .
hawk, esq., etc.
Ok, I have to respond to some of the folks here who believe that "Don't run Outlook" is an option. Well, pray tell, what should I do if I'm on a corporate Exchange server? With no other option? It's all well and good to suggest things, but the fact is, if the Exchange Admin won't use LDAP, you're out of luck, and quite stuck.
That said, the SP2 release of Office/Outlook prevents anything from accessing your address book, and will pop up a confirmation. It doesn't prevent idiots from opening the attachments, but it does create some thought beforehand.
I can appreciate the idealism of using Linux for everything (I'm a Debian developer for god's sake) but for my job, I have to use Outlook, so I do, because I like my job, and I'm not going to quit because of that minor inconvenience.
I suppose this qualifies as a rant, and possibly will be modded to "Flamebait" or "Troll" but let's try and tolerate some dissent on this board for a change.
----------------- "I have a bone to pick, and a few to break." - Refused -------------------
Seems this one is pretty popular. I never got any I LOVE YOU mail or anything of that ilk, but I've had a couple of copies already today, both with attachments named after somebody's Excel spreadsheets.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
>This isn't a problem with Outlook, it's a problem with idiot users clicking on every damn thing they're emailed.
>>Furthermore, Outlook actually helps out the "idiot" users.
There is a principle in the Toyota Production System that goes something like this: "If a worker makes a mistake once, it may be the worker's fault. If a worker makes a mistake twice, it is the supervisor's fault. If a worker makes a mistake three times, it is management's fault".
Most human beings on the face of the earth are not technically minded and DO NOT WANT to understand the details of how the tools they use work. If every time Joe Homeowner flipped on a light switch there was a 1% chance of a nuclear power plant melting down, we wouldn't be using much electricity, now would we?
While Microsoft is to blame for creating insecure tools (keeping in mind that larger market share means more attraction for attackers), responses along the line of "stupid users don't understand how to use e-mail" are not acceptable, either.
sPh
Bynari Insight client/server
Lotus Notes
GroupWise
These all provide the same general functionality as Exchange/Outlook does.
Of them, Bynari works both on Windows and on Linux.
And, I'd beg to differ about the "hard to beat" since most companies can get the same functionality and most of them don't really use the thing to its fullest anyhow.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Please to note that many Linux distributions have done this for a long time, and not just a web server, either.
For my own stuff, I'm a fan of Eudora.
--j
I'm a nature photographer.
Seems like folks using a "Trojan" should be safe from getting a "Virus". :-)
--j
I'm a nature photographer.
Not available in Windows 2000. Care to give more details? BTW, I hate it when moderators decide to give points without checking the facts first.
___
If you think big enough, you'll never have to do it.
the two I received had the extension .pif but digging around with a hex editor just about convinced me they were a standard executable. I'm not sure how windows handles .pif files though, there are definitely some different things going on there.
Chris Cothrun
Curator of Chaos
Bleh!
Windows also brought up a different right click context menu with the file.
don't ask about accidentally double clicking the thing...
Chris Cothrun
Curator of Chaos
Bleh!
However, this brings up an interesting point that Robert Cringely wrote - if we all standardize to any given system, a single exploit could wipe everything out.
Many people really want all computers to be the same. However, it appears that variety may save us from the "one true exploit". If we didn't all run the same freaking programs, problems like this would have a much milder effect.
Engineering and the Ultimate
Agreed - it's not that bad. You'd have to deliberately run a binary executable to get infected. Which also means Netscape + all others on windoze can be afflicted.
But, technically, you can't *get* this virus on M$ Outlook, if you're reasonably up to date on patches. Outlook "protects" users from viruses by simply disallowing you to look at *.exe attachments. You can't even forward them to yourself through Outlook. Dumbest solution I've ever heard of.
--
#include <malloc.h>
free(your.mind);
I've been using Outlook for far too long and get far too much functionality out of it to switch to another app because macro viruses for it are spreading. I've got the ultimate in Outlook macro virus protection-- it's called a BRAIN.
First off, the only way to make macro capabilities even worth a damned was to include functionality that could also possibly be used for - *gasp* - viruses! Oh no! Shit man, big deal. Why is it that I can look at the attachments on my emails and plainly see an attachment that ends with .vbs, yet somehow others cannot? These viruses are the tamest you could ask for-- don't run the damned script file and you won't be infected! Oh wow! True genius, I know!
I certainly understand that these viruses are capable of creating better disguised files (such as spreadsheets with autorun macros), but every Office app has an option to NOT autorun macros. IIRC, this is the default option (at least on Office 2000-- haven't touched XP). And beyond that, that virus started off at some point as a script file. It took some jackass who wasn't paying attention to get it going.
As well, the only reason this is even an issue is because of the number of people that use Outlook. Say someone wrote a "macro virus" for some Linux GUI mail client which supported scripting of some kind (Python, for argument's sake). It could disguise itself into other files, send random files to random people and generally spread itself just like these Outlook ones do. The only reason we'd never see news about something like that is because there aren't the numbers of people using such clients that are using Outlook clients and as such, I imagine there aren't very many virus kiddies out there looking to target the Linux geeks of the world.
Now, don't get me wrong. I'm no GO MICROSOFT! guy or anything, but at the same time I realize that when it comes to them, many people on this site don't even give a second thought before finding them guilty of murder...
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Why can't these virus writers do something cool? Like install the SETI@home client on every infected machine? Or install something to DOS the RIAA/MPAA/Bad-guy-of-the-week (how about having the DOS daemon check Slashdot to determine who the current bad guy is)?
I'm sure that someone can come up with even more interesting things than this...
--
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Users want the ability to double-click on executable attachments in order to open them, and email software needs to honor that request to stay competitive.
And if that was all Microsoft did here to cause a problem, you'd probably be right.
But most users do not want the system to lie to them about a file's name, causing them to think it's NOT an executable file when it in fact is.
Most users do NOT want their email to be able to destroy their entire system, and thus would be perfectly happy if said executables ran in a "jail" that couldn't affect the rest of the filesystem without a prompt. "This program is attempting to delete c:\windows\SOMEFILE.EXE, should I allow it to do that? (OK/CANCEL)".
Most users do NOT want their email to be able to run scripts without them even having opened the message, much less clicked on something.
Microsoft themselves have admitted that a number of things have been included because exactly one large customer wanted it, that affect how everything else on the system is designed. This is more than likely one of those things.
-
The problem is people hate account security and won't use it. They don't like the bother of having to log out, closing everything they were doing, and log in as someone else just to install a new app. Heck, half the *linux* users I know log in as root all the time!
Be that as it may (and you certainly know a different breed of GNU/Linux users than I ... even my mother doesn't mind logging into her GNU/Linux box), it is no excuse for building a system which even the most conscientious user cannot secure because the design (or lack thereof) simply makes it impossible.
It is one thing for foolish users to undermine or gut existing security features. It is another to make the features non-existent, then blame the users with "well, it's what they would have done on their own anyway." People aren't generally as stupid as we like to think ... I've had numerous Windows users ask me how they can secure their system ("firewall" I tell them and, if they are serious, "switch to GNU/Linux or FreeBSD, because even a firewall can't effectively protect a system as ridden with exploits as Windows." You'd be surprised at how many of them fall over themselves to install and learn a new system.)
The Future of Human Evolution: Autonomy
I'm sure a lot of people here are going to go out and blame Microsoft for the Outlook-virus-of-the-week. But the fact is, Microsoft is just giving the user what they want.
Good Lord.
This reminds me, almost word for word, of statements typically made by rapists and child molesters. While the situation is vastly different (thankfully), the behavior of the guilty party, Microsoft, is appallingly similar: refuse responsibility for one's own actions and blame the victim.
The cause of these (now almost cliched) viruses is, quite simply, the appallingly lax security in the Microsoft Operating System and mail utilities, a lack of which is unequaled anywhere else in the computing world. Whether by design, negligence, or simple incompetence the fact remains: if you run any version of Windows, IIS, or Outlook, you are vulnerable to this sort of thing regardless of how savvy or cautious a user you are, and there is little or nothing you can do to protect yourself. Indeed, by the time you know of the exploit (assuming you are savvy enough to keep up on such things, which IMHO is asking far more of the user than simply learning a few basic commands a la GNU/Linux or DOS, much less a few GUI variations from with Windows paradigm a la Mac, KDE, or Gnome) chances are the malicious crackers have been exploiting it for weeks or even months.
Contrast this with the rest of the computing world, in which exploits are published and fixed as soon as they are found (and usually found by the product developers and/or testers before they are exploited), and in which the basic security paradigms allow one to secure the system in as paranoid a fashion as the situation requires, and the mind truly boggles at Microsoft's inability to at least match the quality of competing products such as Mac OS/X, the various *BSD flavors, and GNU/Linux.
It is bad enough that Microsoft appears incapable of building a secure system. It is even worse that they knowingly market an insecure and unstable system as though it were secure and stable (were there still any kind of "truth in advertising" requirements they would certainly be paying hefty fines for falsely marketing their products). It is unconscionable that they refuse to accept responsibility for their own engineering, choosing instead to blame the victims of its failure: their customers.
The Future of Human Evolution: Autonomy
Actually no, it's not.
you just set up your email server to automatically destroy any attachment that is not an accepted attachment.
and if your users whine, tell them to work at another place you aren't going to allow it.
Simple, to the point. and Voila... No more problems...
In fact I have my servers set to reject all html email. bouncing the message back to sender stating the fact why it's not allowed.
Works great, and as a gigantor corporation, we can get away with it.
Do not look at laser with remaining good eye.
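The server-side allowlist described in the comment above, as an added example (not code from the thread): it drops any attachment whose type is not accepted and calls out double extensions such as `.xls.pif`, where the displayed name hides a runnable file. The allowlist contents, the function names and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: this site's accepted attachment types (not taken from the thread).
ALLOWED = {".txt", ".pdf", ".png", ".jpg"}
# Types Windows runs on double-click; .pif, .vbs and .exe are the ones the thread names.
RUNNABLE = {".exe", ".pif", ".vbs", ".bat", ".com", ".scr", ".lnk"}


def classify(filename):
    """Return (verdict, reason) for one attachment file name."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]
    if ext in RUNNABLE and inner:
        return "drop", f"double extension {inner}{ext} hides a runnable file"
    if ext in RUNNABLE:
        return "drop", f"runnable type {ext}"
    if ext not in ALLOWED:
        return "drop", f"type {ext or '(none)'} is not on the allowlist"
    return "keep", "allowed type"


def _notice(name, reason):
    """Text part that takes the place of a removed attachment."""
    part = EmailMessage()
    part.set_content(f"[attachment {name!r} removed by mail filter: {reason}]\n")
    return part


def strip_parts(part, report):
    """Recursively replace rejected attachments with a text notice."""
    if not part.is_multipart():
        return part  # single-part bodies are returned unchanged
    kept = []
    for child in part.get_payload():
        name = child.get_filename()
        if name is None:  # body text or a nested container
            kept.append(strip_parts(child, report))
            continue
        verdict, reason = classify(name)
        report.append((name, verdict, reason))
        kept.append(child if verdict == "keep" else _notice(name, reason))
    part.set_payload(kept)
    return part


def filter_message(raw):
    """Parse raw message bytes; return (cleaned message, report)."""
    report = []
    msg = strip_parts(message_from_bytes(raw, policy=policy.default), report)
    return msg, report


def build_sample():
    """Constructed test message; the attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "jane@example.com"
    msg["To"] = "joe@example.com"
    msg["Subject"] = "budget"
    msg.set_content("See attached.\n")
    for name in ("notes.txt", "budget.xls.pif", "macro.vbs", "archive.zip"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def demo():
    """Filter the constructed sample; return (surviving names, report)."""
    cleaned, report = filter_message(build_sample())
    remaining = [p.get_filename() for p in cleaned.walk() if p.get_filename()]
    return remaining, report


if __name__ == "__main__":
    remaining, report = demo()
    for name, verdict, reason in report:
        print(f"{verdict:4} {name}: {reason}")
    print("delivered with:", remaining)
```

The decision is made on the file name the client will act on, so a renamed file with an allowed extension still passes; content inspection is a separate check.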
No, the problem is with the applications. NT is multiuser (even though everyone logs in as administrator anyway, since NT doesn't have a "su" command and logging out/in whenever you want to install something is too much trouble). Having the apps run scripts as a sandboxed user wouldn't be very hard to do. But Microsoft just doesn't care enough about the problem to actually bother doing it. (And since their apps are closed, no other party can add this feature, so what Microsoft cares about actually matters.)
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It is hard to get into the heads of virus writers, so this is mostly just speculation, but...
I suspect the reason we haven't seen any seriously malicious email viruses yet, is because the virus writers don't want the problem to get addressed. They are enjoying seeing their viruses spread. Right now, the industry tolerates the viruses and doesn't mind losing a few million dollars here, a few million dollars there, etc.
If a truly malicious virus appears on the scene, and the loss figures go into the billions of dollars area, then the industry will stop tolerating the viruses and the software that executes them. Outlook/Word/Excel/IE will get fixed or be replaced, and that will be the end of the virus writers' fun.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I've been getting this for about a week or so I think.. 4 copies today.. I thought it was just more porn spam at first..
.. :)
Cheers to mutt
BilldaCat
$ su
Password:
# useradd fred123
# passwd fred123
Changing password for user fred123
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
# cp suspicious.exe /home/fred123
# chown fred123.fred123 /home/fred123/*
# chmod 700 /home/fred123/*
# exit
$ su - fred123
Password:
fred123$ ./suspicious.exe
suspicious.exe: /etc/shadow: permission denied
Aha!
fred123$ exit
$ su
Password:
# userdel -r fred123
# exit
The problem here isn't even gullible users. It's the fact that under Win9x, you're running as god all the time, and can seriously hurt yourself. Under Linux, I can create a temporary user in about 30 seconds, go crap all over the resulting sandbox, and I *might* release a forkbomb or fill up /home... if I was being lazy. If I was really worried about it, I could ulimit the bejeezus out of the new userid, and whatever little surprises lay in that exe wouldn't get past first base.
And it's not just Linux, or other Unixes... VMS, NOS, NOS/VE, VM/CMS... IS there another OS out there that DOESN'T have proper ACL's and CPU/process limits? BeOS, MAYBE?
Yes, there are a lot of clueless Windows users. There is still no excuse for deliberate insecurity on the part of the OS. As for Microsoft "giving the users what they want"... As Norm Schwartzkopf would say, bovine scatology. See previous comment.
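The ulimit half of the approach in the comment above, as an added example (not code from the post): an untrusted program is started with hard caps on CPU time, file size and process count, and a stand-in that tries to fill the disk is stopped at the cap. The limit values, the `run_limited` helper and the stand-in script are assumptions constructed for illustration; the throwaway account itself needs root and is not reproduced here.

```python
import os
import resource
import subprocess
import sys
import tempfile

# Assumed caps for the untrusted child (illustrative values).
LIMITS = {
    resource.RLIMIT_CPU: 2,            # seconds of CPU time
    resource.RLIMIT_FSIZE: 64 * 1024,  # largest file the child may write, in bytes
    resource.RLIMIT_NPROC: 32,         # processes for this uid (not enforced for root)
}

# Constructed stand-in for "suspicious.exe": tries to write 1 MiB to disk.
STAND_IN = (
    "with open('fill.bin', 'wb') as f:\n"
    "    for _ in range(1024):\n"
    "        f.write(b'x' * 1024)\n"
    "        f.flush()\n"
)


def _apply_limits():
    """Runs in the child between fork and exec; lowers soft and hard limits."""
    for res, want in LIMITS.items():
        _, hard = resource.getrlimit(res)
        # An unprivileged process cannot raise a hard limit, so clamp to it.
        value = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(res, (value, value))


def run_limited(argv, workdir, timeout=10):
    """Run argv inside workdir under LIMITS; return (returncode, stderr text)."""
    proc = subprocess.run(
        argv,
        cwd=workdir,
        preexec_fn=_apply_limits,
        stdin=subprocess.DEVNULL,
        capture_output=True,
        timeout=timeout,
    )
    return proc.returncode, proc.stderr.decode(errors="replace")


def demo():
    """Run the stand-in in a scratch directory; return (returncode, bytes written)."""
    with tempfile.TemporaryDirectory() as box:
        code, _err = run_limited([sys.executable, "-c", STAND_IN], box)
        written = os.path.getsize(os.path.join(box, "fill.bin"))
    return code, written


if __name__ == "__main__":
    code, written = demo()
    print(f"child exit status {code}, wrote {written} bytes "
          f"(cap {LIMITS[resource.RLIMIT_FSIZE]})")
```

Resource limits bound CPU, file size and process count only; the separate account in the session is what produces the `permission denied` on other users' files.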
Simple solution - the virus should scan Wired for its name every hour. When it finds a match, the fun begins.
-sam
For me I just use...
mozilla.exe -mail
It's basically the old school Netscape Communicator email client with a dash of red lizard hehe.
I don't believe it has the email attachment flaws Outlook is prone to, but anyone who decides to see the attachments included deserve what they get. It should be common sense to not open anything remotely suspicious if you're on a Win32 platform.
Anyways, I like using Mozilla's mail client. Reminds me of the days when Netscape was decent.
----------
Check out my blackbox styles
Reformatting really isn't the worst thing that could happen. It'll hurt anyone who doesn't keep backups, but they're likely to get hit by a random non-virus windows bug anyways. Something that is really nasty would SLOWLY corrupt documents, so they get backed up and it will be months before the damage is realized and simply restoring the previous night's backup won't work, because you never know what's dangerous and what isn't and how far back it goes and what other payload is sitting around waiting.
-Restil
Play with my webcams and lights here
That said, I popped in to work this weekend to upgrade my servers AV protections (liveupdate refuses to work on my email servers. grr.) and, sure enough, I've been averaging one infected document every two hours. So it's possible we'll see a whole host of fun come Monday, 9am, when all those folks who got infected emails over the weekend open them up...
-EvilMagnus
Joe emails a rogue application to Jane, Jane runs the code which then emails itself (and an arbitrary document) to people in Jane's address book. Sounds like something that could be implemented on any OS, doesn't it?
The last point is untrue. Since in order for this to work you need mail software which treats emails as executable code. Something which is rather specific to Windows apps (and Windows itself.)
This is correct. So far, Outlook viruses have been mostly just an irritation. Nothing of any substance will be done by Microsoft or users in general until the shit really hits the fan. If half the PCs on Earth were suddenly wiped out, Microsoft would actually take some heat. Virus writers need to grow some balls!
You're either incorrect or a lucky recipient. The largest infected e-mail I've received so far had an attachment of 17.5MB.
Oh, I forgot, that's the average size of a Windows-binary.
Umm yea but if I got this virus in linux it would not affect me at all right?
War is necrophilia.
"If it were a Linux binary it would"
No it would not really. I know of no linux email readers which let you execute an attachment by clicking on it. Also there is no such thing as a "standard address book" in linux so the virus would not be able to spread itself so easily. BTW the same applies for eudora. If doubleclicked on a .VBS file with eudora the virus could not propagate.
The point is that windows and outlook have a myriad of security holes which are very easy to exploit by anybody who can hack out a few lines of VB. Other systems don't.
War is necrophilia.
But all that rebooting gives me time to leaf through my certifications.
This is relatively old news. There is a previous Wired article from Friday discussing this virus. I would say the only thing new is that all of the anti-virus houses have come to an agreement about its name, what it does, and how it does it.
I dunno about this virus, but the Magistr virus only mails out full documents with a certain (low) probability. I.e. most of this virus' mails will just use the title of the document, or small extracts as the mail subject, but every now and then, a full .doc attachment would be sent out. Probability of this happening is very low, but not zero.
The interesting thing about this is that it gives "cover" to disgruntled employees who wish to deliberately leak confidential stuff to suppliers or to competitors: as the virus exists, and its modus operandi is "well known", those people now have an easy excuse ready if they're caught. Quite a cunning move of the virus writer actually!
Actually, there is a simple cure to this, and it has even been used by Code Red: operate in two phases:
- A spreading phase, where you don't do anything malicious, except infect other machines. Best if done as low-key as possible: only attempt to infect those people that use Outlook (analyze headers of recently received mails), attach yourself to documents that the user sends, rather than making up documents of your own, etc.
- An active phase, where the fun really starts: DOS the whitehouse, mail out confidential .doc files, thrash the BIOS and hard disk, etc.
The difficult part of course is timing. If the active phase starts too early, you may not have enough of an "installed base" to really wreak havoc. And if it starts too late, a cure may already exist by then.
Good idea... but who assigns virus names? It was my understanding that the names under which a virus is known is usually not chosen by the author, but by the anti-virus community once it is "discovered". Thus, it would be rather hard to scan for its name, as it will not be known at the time of writing...
Are Macintosh running Outlook also vulnerable to these shits ?
-- Pure FTP server - Upgrade your FTP server to something simple and secure.
( ... ) is a subshell. The gunzip does nothing. If the ".gz" file isn't actually gzipped, it will be executed by the "source" command.
------
Not using outlook isn't quite enough to solve this problem. The long-term solution, is not to use anything from a company that's so bloody incompetent that they'll not only put a Turing-complete interpreter into all kinds of apps that don't need one (like mail clients, word processor apps, etc,) but having done so, they give the interpreter access to EVERYTHING.
The long and short of it is, that microsquish still fails to understand even the rudiments of multi-user systems, let alone networked systems that require serious security. MicroSquish apps and OS's are unsecure and unsecureable, and it's about fucking time that people started to get fired for buying this kind of shit.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
>I have Outlook running for my work email, even though it is the viral target of choice, becuase having it run is required for the Exchange Calendar system to work
Let's see... A mail-based calendaring system requires a particular client to work?
Back in 1986, I wrote a mail-based calendaring system (using NeXTSTEP as the GUI), which worked just fine with generic text-based mail clients if you didn't have NeXTMail to show you the spiffy 'RSVP' envelope icons.
If your company puts up with apps that force you to use particular other apps to get generic functionality (like, say, MicroSquish Exchange), then it has a serious management problem.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Yeah, or you could put ANSI codes in zip file headers to bind 'e' to format c:. (if they had ansi.sys loaded)
It isn't like MS invented this type of security hole, you would just think that after this many years, things would have gotten better, not worse. It used to be that when a problem like this was discovered, the author would do something about it: strip ANSI codes, etc. Instead, MS, dealing with an audience about 100 times less computer literate on average than the people above, insists on using user education, rather than the "right" solution of making a language and sandbox that lets people have dancing babies but not damage their system.
I don't mean to knock user education: I am all for it. But in this case, even if possible, user education can't solve this problem. There is *no* way for a user to determine if a file is safe to open, without actually doing so.
I really don't know how one company's "good" name can dissuade those with decision making power (read: IT departments) to not choose a more secure solution for their firms/companies/clients. I mean, it's kind of important.
Maybe this is the software equivalent of "it's not what you know, it's who you know."
(Btw, you really can't compare Communicator's mail program to Outlook in terms of features and functionality, unless you meant Outlook Express.)
---
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
Or, even better: every now and then, download the signature updates from McAfee, Norton, Symantec, Kaspersky, whatever, and as soon as its own signature appears, let the fun begin ;-)
Say no to software patents.
This isn't a problem with Outlook, it's a problem with idiot users clicking on every damn thing they're emailed.
Outlook Express, at least, has a horrible user interface for attachments. First, *any* attachment with *any* extension will trigger the dialog, which means users will ignore the dialog after seeing it several times. Second, it conveys the possible threat from the file type only by displaying the extension, and many users haven't memorized what extensions are safe and which aren't. Third, it only asks that you "be certain that [the] file is from a trustworthy source", which doesn't help much if the "trustworthy source" is infected by the same attachment.
The shareholder is always right.
If it were a Linux binary it would. And what if it is a CLR binary? If you want a reason to fear Mono/.NET, there it is.
This sort of trojan can theoretically be ported to any platform that has an email client and an address book.
It is exactly the same as if the user downloaded the trojan from an FTP site or through Gnutella, it's strictly an application. It doesn't rely on being received via email, all it needs is for the user to choose to execute it. Now if that application (trojan) happens to be a Linux executable, it's going to run when the user tells it to run. It's going to go ahead and read whatever address book it can find and spam everyone with a copy of itself.
It's naive to think this problem only affects Windows users. It's only a matter of time before someone creates a Mac or Linux port.
Of course, then the headline would have to be "Idiot Users Still Exist, Nobody Surprised" -- doesn't really have the same air of panic though, does it?
Joe emails a rogue application to Jane, Jane runs the code which then emails itself (and an arbitrary document) to people in Jane's address book. Sounds like something that could be implemented on any OS, doesn't it? You can't patch user stupidity.
Anyhoo, let the Microsoft bashing begin! Everyone get your pitchforks and flaming torches, but leave your dictionaries at home.
Right. They only have to understand how to use them, and that includes understanding possible consequences of using them incorrectly.
Moral: "Messer, Schere, Gabel, Licht, ist für kleine Kinder nicht." ("Knife, scissors, fork and light are not for small children.") Don't give someone who does not know how to use it, a tool that could become hazardous.
Just as an example: Today's internet is swamped by users who want to send e-mail "cuz its c00l" but probably don't know what an attachment is. They don't need to know - as long as their email client does not support attachments. As soon as they get the possibility to send attachments, they must learn
You don't give a 15-year old a 200mph racing car just because "everyone has one". Similarly, you don't give someone without training a gun. (Yes, I know it's different in the US. Does that make me wrong?)
Use the tool that does the job. And make sure the user is educated. Simple tool: simple education. Powerful, complex tool - detailed education. Simple as that.
(Yes, I know I'm dreaming. Please reply to slashdot at jensbenecke dot de if you are interested in serious discussion. I might miss you here.)
Yes, it's old news and yes it's been fixed but I think it illustrates quite well that you can never blindly trust your apps to be secure, no matter what platform you're on.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
This marked as flamebait is an abuse of moderation! Parent is reasonable, non offensive and should be reviewed.
Friends don't help friends install M$ junk.
Too bad they are like that.
So what do you do with the Boss's Word attachments? How do you keep him and his secretary from running comet cursor or some other more malicious trojaned piece of fluff off the web? Have you disabled Java in Netscape and MSIE?
If you are so big, you might make a real difference and run a real OS! Good luck if you don't.
OK, so you've shown that if a friend emails you a suspicious .exe, you create a phony account with no permissions then run it from that account. This is also possible in Win2K and Windows XP. So what's your point?
All you've shown is that you are an extremely paranoid person and not that your OS of choice is some fantastically secure manifestation of operating system design. Most Linux users I know would not go through all that trouble if mailed a perl script or executable (or heck, compiling some obfuscated source from someone's .sig).
And it's not just Linux, or other Unixes... VMS, NOS, NOS/VE, VM/CMS... IS there another OS out there that DOESN'T have proper ACL's and CPU/process limits?
Windows' ACL support has been more mature than Linux's for a long time. Because you don't know about it doesn't mean it doesn't exist.
--
Your imagination lags far behind reality. This is exactly how the first really widely spread virus, the Internet Worm spread in 1988.
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
One thing I've noticed is that it's always my work address that seems to get the viruses. In the 10+ years that I've had personal email addresses, I think I've only had maybe 2 even delivered to any account. (This includes free Outlook-enabled web accounts).
There's only a couple conclusions I could draw from this:
1) I am a supreme personal system administrator and do not let any common mundane virus issue affect the harmony of my smoothly oiled machine. (you do oil your computers, right?)
2a) All of my personal friends are apparently not as stupid as they look (this one is hard to believe).
2b) All of my work colleagues are definitely more stupid than they look (ok this one isn't so hard to believe). heh
3) There is some kind of shield made up of impervious virus-fighting smurfs that protect my personal computer 24 hours a day.
4) Karma (no not that kind)
or most probable:
5) Someone has been reading and deleting my personal email for years.
I use Outlook, every once in a while I hop on over to Windows Update and get the latest security patches. It's painless.
Guess what? I haven't been hit by SirCam or Code Red. I've gotten more than a few SirCam messages from people I don't even know (including one that was mailed to me by a stranger through my Slashdot sneakemail account).
An up-to-date and properly configured Outlook will not arbitrarily execute EXE/COM/BAT binaries. It won't even open HTML attachments without permission. Mine won't even let me see the attachment I was getting from SirCam victims. I had to ssh to my mail server, use Mutt to save the attachment and run "strings" on it to see what it was.
Not to mention, the really poor English in those SirCam messages is a dead giveaway.
--
"It relies on the user executing the attachment, it doesn't execute itself."
Unless, of course, it's something like Javascript code, or an unruly image tag. Exploits of this nature have been discussed on BUGTRAQ (more recently as an example of how poor PHP programming can cause security problems [duh!], so don't think I'm picking on Outlook here). Any mailer that displays even plain HTML as soon as you view the message can be attacked, and ones that do Javascript are INSANE.
Sotto la panca, la capra crepa
WMBC freeform/independent online radio.
Microsoft is a big ole' relational database. It will use all available RAM. When other programs request RAM, outlook will relinquish some. This is normal behaviour, it is by design, and my usual response is 'if you don't want your programs using that RAM, why is it in your box?'
Vintage computer games and RPG books available. Email me if you're interested.
However, our intrepid IT support person was also COMFORTABLE IN THE KNOWLEDGE THAT THEY WERE RUNNING A FUCKING VIRUS SCANNER ON THE MAIL SERVER, thus removing any and all possibility of users receiving nastiness through their email, or accidentally propagating it should it come in through another vector.
Holy CRAP I'm incoherent this morning. Microsoft EXCHANGE is a big ole' relational database (as opposed to being an OLE relational database) which will use all available RAM. When other programs want some, EXCHANGE will relinquish some.
The other thing to remember is that Exchange is NOT an email server. Exchange is a corporate groupware server. If you're not running a whack of people on an intranet who want to use Outlook for shared calendars, contacts, etc etc, you really don't want to use Exchange.
This file may be of use to all you network security guys wishing to investigate the stuff for yourselves. I do not recommend running it outside of a secured lan that has NO internet connectivity. You've been warned.
A valid URL to download this "worm"
that is going around right now in Outlook is:
http://206.106.0.240/~x-empt/FEDEX1.doc.com
x-empt
Ever need an online dictionary?
this virus has already been spreading actively since last thursday or something...
;)
anyway, one stupid thing is that all the reports call it "privacy" sensitive because it sends out personal documents from your drive... but from all the stuff I received over the weekend, I noticed it's just the name of the document it uses... the actual content is the virus itself; an executable disguised as a document...
of course, since lots of windows users use 50% of the document contents in the name of the file, it could be quite embarrassing if it picks the right document
...How long is it before the Chinese hackers sue eEye under the terms of the DMCA?
I think you're right. After all, this is precisely the prescription for a really deadly real-world disease.
For example, Ebola has very high mortality, but the onset is so fast the epidemic potential is limited. On the other hand, AIDS is awful because of its long dormancy; someone can transmit it for years before they realize they have it. The real nightmare would be a highly contagious form of AIDS-- that would pretty much end the human race. As you point out, there is no reason why one couldn't craft an analogous computer virus... and so someone probably will shortly.
It seems just about every damn virus nowadays spreads via Outlook or Outlook Express which is too bad
But has anybody (specially Timothy) actually paid any attention to the damn stories?
Nowhere in these stories is it claimed that Sircam uses Outlook to spread! Maybe Timothy got the idea from reading this CNN article.
Geez, people, do you believe everything that CNN says? It's not like I really expect CNN to get this right, but /. readers are supposed to be better than that!
In fact, the Wired news clearly says that the virus serves as its own SMTP client. A lot about this virus in fact resembles how the Judge Disemboweler virus operates.
The only thing that can be interpreted as using Outlook to spread itself is the fact that it takes its e-mail addresses from Windows Address Book files; however it will also try to get addresses from some files in the 'Temporary Internet Files' folder. This means it should be able to spread without any need for Outlook (just some e-mail client and a user naive enough to run the attachment) and without Windows Address Files.
All the usual sources of virus information seem to agree about this virus serving as its own SMTP client. Please check for yourselves:
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
http://www.sophos.com/virusinfo/analyses/w32sircama.html
http://www.europe.f-secure.com/v-descs/sircam.shtml
http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=FichaVirus&idVirusFicha=1911&pestanaFicha=1
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010
You know... maybe somebody should figure out how to send mail thru it. It could be used instead of MS Exchange... I bet this thing is smaller, quicker and uses much less resources than Exchange... ;>
---------------
I never wanted to go anywhere. I'm happy here...
The Sig, the sig
FWIW my mail server kicks back any message with an executable attachment. Only a few clueful friends use it so I don't have a security issue, but it was the Right Thing to Do. I hate attachments of all kinds, especially executables.
"Pretty much every consultant or author involved with Office seems to have slammed that one"
Note that Outlook XP ships with this functionality (or lack of), so the protests have not been effective.
(And I can understand why. Everyone can point fingers all day long, but the root issue is the culture of executables in mail, as someone pointed out above. Kill the kulture, kill the problem. Anything else MS did would just be papering over the root problem.)
When I hear the word 'innovation', I reach for my pistol.
also, the number of emails processed increases the probability of infection, spread, etc. for the above class of people, they spend much more time at work on a computer than they do at home.
----
Another Nasty Outlook Virus Strikes
Score: -1 (Redundant =)
-Kef
Surely that should be .pif?
For the record, I'd like to point out that not everyone did escape Code Red lightly. The contractor in the office next to ours came back from a holiday this morning to find a $US1500 ISP bill on his desk, which would usually have been about $US50 max for a month.
This bill might seem unusual to people in the states but in lots of non-US places, international traffic isn't cheap.
The irony is that he wasn't even running a web server. His Win2k install had put it on the system and set it up idle by default. Pretty silly if you ask me.
===
Of course, this isn't as bad as plain ol' human stupidity, like the folks who mail me M$ sex-sells spreadshits showing all their employees' personal info including SSNs...
And my cow-orkers wonder why I'm so cynical about humans.
--
Web based e-mail is a pretty good solution for some. However, Netscape Communicator will not stop you from being infected by this virus. It comes as a .COM file that will run on any windows system when you tell the computer to run it. If you get infected, it may choose to wipe out or fill up your hard drive. The virus only relies on the Outlook address book to find e-mail addresses. It would have been just as easy to program it to look at your Netscape address book, once you have run the .COM attachment. If you get an attachment, look at it and figure out what type of file it is. Some people have their computers set to hide file extensions. If none of your other files show extensions, but a certain attachment has an .XLS extension (for example), get the file's real extension. If it's .COM or .EXE, you may be about to open a virus. This is not rocket science. However, since the average user is not this smart, Outlook XP by default keeps you from running program attachments.
Donate background CPU time to fight cancer.
Yes it does. The "automatically delete" items option only works during the action of putting/moving files into the "recycle bin". This is the same process as manually copying the file (in a dos prompt) to the "recycle bin" folder location; the gui would not know about it.
I've Been using Netscape Communicator's E-mail program for years, without a problem.
As an added benefit, it stores all my e-mail as plain text (NOT like Outlook)
Ever heard of a Pine virus?
Nah. The closest I can think of is Dutch Elm Disease.
--
I would be a paid subscriber if Taco and Hemos weren't such cunts
I've used all the email clients, and irregardless of who makes it, Outlook has been the best to use overall. If you want to avoid viruses, just upgrade the client from office.microsoft.com to not allow any executable attachments. I deal with a ton of email every day, and it has not hampered anything. People that really need to receive an executable from someone can get it .zipped, or have the extension renamed to something benign.
"And like that
Users want the ability to double-click on executable attachments in order to open them, and email software needs to honor that request to stay competitive.
Gee, someone better tell Microsoft that, since Outlook 2002 (XP) is bolted down with the same patch that's been available for the other Outlook's for some time -- it disallows all executable attachments. That is most definitely the default (as it should be). I really don't know if there is a way to turn it off, either.
"And like that
It hooked the LPT printer interrupt and looked at the characters going by. Most of the time it didn't do anything. But if it noticed you were printing row after row of numbers (i.e. a spreadsheet), every now and then it would change one of them. Insidious.
Just a tad harsh. All windows is doing is hiding the ending of known filetypes (as set up in its configuration) because ... people asked for that option.
Microsoft have given the people what they want, it's hardly their fault that after it has been enabled, the users promptly go and forget that they've enabled it.
Not forgetting that they don't seem to spot that the icon is completely wrong.
--
Avantslash - View Slashdot cleanly on your mobile phone.
I am a moron. I admit it - I caught this last wed. Even had Norton running. It didn't blink. The email came from a client during the day. The attachment was an excel spreadsheet that I had sent her earlier. Yes, I should have read the email and then I would have been suspicious, yes Norton should have caught it, but I open maybe 15 excel spreadsheets a day sometimes from this client. I don't read every email - or I didn't.
My personal firewall blocked their smtp program from sending - but then it attached itself to ie and ran through IE's security area in my firewall. It is set to send thru the smtp server you have setup in your mail program. It sent thru my local email. The only reason I noticed was paranoia and running netstat.
This virus can and does attack more than just outlook. I run Pegasus. If it infects an outlook machine it sends to emails in their address book, in my case it went thru the cache of IE. I had to send apologies to a bunch of tribes players. It doesn't parse emails very well as I got 10-20 obviously broken emails bounced back.
Norton would not remove it and at that time there was no mention on any site or newsgroup so I was forced to remove it myself. Hiding in the recycle bin took me a second time to catch.
If you read your email from a web client you can still get infected and it can still send out depending on your setup.
If you run an email server - you can block this virus very easily as the text comes in two flavors an English and Spanish version. Here is the text:
I send you this file in order to have your advice
Espero me puedas ayudar con el archivo que te mando
Pretty embarrassing, but don't just dismiss this as another love bug virus hitting outlook.
Chet
Not just Outlook: I received a panicked call from a Eudora user who had been infected as well.
Karma: Chameleon (Mostly affected by the 1980s)
Blame the users. Every time a new trojan gets passed around, it's on the news, and every time they have a security expert from Symantec or McAfee on TV warning everybody to please for the love of God stop opening attachments you're not expecting, especially if you get a generic message like "Hey, open this, it's really cool!" And every time without fail they open it anyway.
Blame the ISPs. They ought to be running a filter on their SMTP servers, with signatures updated daily. If you can't send the trojan to other people, it effectively dies. Same goes for POP3. Incidentally they have the greatest incentive out of everybody to kill this sort of thing, since they're the ones paying for the bandwidth and rebooting the flooded mail servers, but from my experience surprisingly few actually run any type of filter at all on mail servers, and fewer keep it up to date.
Blame Microsoft. What were they thinking when they released a mail program that lets external programs silently read your address book? (I'm told recent versions of Outlook/OE warn users now, but that sort of thing should have been in the original version.) And AFAIK no version of Outlook/OE will tell the user that running executables attached to messages is risky, especially if you're not expecting them, so maybe you would like to reconsider? Instead Microsoft releases a brain-dead patch that simply prohibits you from running .EXE attachments at all and declares the problem solved. Trouble is, people are afraid that sometimes there might be a legitimate reason to run .EXE attachments, so they don't install the patch.
Now Microsoft isn't the party at the biggest fault here (IMHO the ISPs who don't run mail server filters are really dropping the ball here) but they're not blameless either.
Still would be laughable. You would have to upload a C compiler to use it effectively if it were to be cross platform... Actually you would have to upload several C compilers (one for each target hardware/OS combination).
"Hey John, why am I downloading 384 MB of material from your Mac?"
I said it as a joke. It is entirely impractical.
Sig: Tell all your friends NOT to download the Advanced Ebook Processor:
LedgerSMB: Open source Accounting/ERP
Actually, it is probably written in VBS, and I wouldn't mind taking a look at it if it comes my way. My employer naturally, probably already has screening up on our email ;) Though, when the Lovebug hit, most of the people in my building downloaded it and opened it in notepad in order to see how it worked... Funny, the people that got infected were mostly the management and a few non-technical people in my environment.
I don't know enough about it to determine the extent to which it can affect non-Outlook clients. I do know that, according to CNET, it does try other means of spreading as well.
Curiously, the virus resides in the recycle bin... If you don't run Windows, no worries ;)
A little off-topic but:
Now it would be harder to do, but imagine a worm written in C that would spread as source code and then recompile on various client computers, thereby appearing to be different viruses on different platforms...
For those unfamiliar with the Bliss Virus, it is/was a research virus written as a proof of concept (complete with all sorts of safety features, like an auto-removing feature) which eventually accidentally was released on the net. If the administrator ran:
bliss --disinfect-files-please
the virus would remove itself from the system (good responsible code design-- it cleans up after itself).
My point is that writing viruses != computer vandalism. They usually coincide but not always. This virus we are following is pretty clearly one covered under computer vandalism (who writes Outlook viruses as proof of concept anymore anyway-- it is too easy and would not do any good). ANY virus with a payload is malicious and probably a criminal offense in most countries. This worm carries a payload, so its intents are clear.
I guess he meant "nothing particularly original" as in "yet another Outlook virus that propagates itself by mailing people." Means different ends same.
Liberty in your lifetime
That's it! It does free me from any legal responsibility by using this virus to spread my personal creating of p0rns and MP3! (Hey I'm a victim!)
It's even better than Napster....Cool that's very useful!
I did finally move email client last week, tho - from Netscape 4.7 to mozilla; the mail+news client finally seems fast & stable enough for daily use (to me, YMMV)
--
"I'm not downloaded, I'm just loaded and down"
How long before one of these reformats its host after reproducing 500 times?
Rhetorical questions - I hope.
--
"I'm not downloaded, I'm just loaded and down"
Unfortunately, SARC is uncharacteristically vague on these virii with very little info beyond "NORTON Anti-virus catches this" Time to check McAfee's and CERT :)
Top Most Bizarre/Disturbing Error Messages
Any mailer that displays even plain HTML as soon as you view the message can be attacked
Errr, I'm still waiting to see any HTML attack against my mutt+w3m reader.
Now, be serious. The problem is not HTML nor JavaScript, but the bad programming skills used to create some mail readers.
Or simply plain stupidity, like Outlook running lots of things by itself.
The is that it is impossible (thank God) to create a computer program that is smarter than a human being (at least, smarter than us /. readers). So, if someone creates some kind of smart program that decides to do this or that by itself, you can be sure that someone will outwit the program and create a hell.
---
morcego
I did. There was a buffer overflow in Pine a year or two ago.
---
morcego
What about that fetchmail exploit that went by the other day?
Are you "up to date" on your distributions security patches?
Have you read http://project.honeynet.org/
I think we linuxers are too complacent and will suffer one day...
I think comparing computer viruses with real life viruses reveals a lot of similarities.
For the real life viruses the human body as defender is the "operating system"; it tries to keep itself clean from evil attackers. But it doesn't bother to spend energy on harmless intruders. There are dozens of harmless bacteria, even one or two harmless viruses, and some of these even help the human body. Especially I remember one virus that attacks and spreads only through "unwanted" bacteria. This virus is the human body's friend, and we all have thousands if not millions of this one on our body.
If an intruder seems to be harmful your body starts to attack it. It's a common trick for viruses/bacteria to trojan themselves into the human body: in the beginning they are nice and cute, and after some time, if they are strong enough, they suddenly start to be mean. Salmonella is such a bacterium, or AIDS, which lives quietly and hidden for 10 years or more. BTW, there are some brand new cures in evaluation building on this knowledge, "telling" the human body early that this intruder is evil.
So each virus goes a small path between being tolerated, surviving/spreading itself, and how much attention it will receive. Also a virus doesn't gain anything if its host dies; in history there were viruses which completely killed a whole population (I think there is some proof that it happened to some kinds of birds), and at the end the virus dies itself.
Okay, what has it to do with computer viruses? Take for example the "parityboot" virus in our capital city (Vienna): this virus was spread every some years ago, why? Because it didn't destroy any data. Yes, the parity boot errors were nasty if you didn't know the virus and that it was the cause, but once you knew it you just had to ignore that message and everything was fine. People knew it. However, to completely clean it from a company's net required scanning all discs, at that time the main medium, which of course would cost quite an amount and time, so many simply chose to live with that virus; it was even funny in some way. Same as the old 'gimma a cookie' virus: everybody found it so cute you were even happy if you got it.
However, the meaner a virus the harder it counter attacks. If for example I know I have a virus that bombs some IP address, I'll think yes, I'll clean it as soon as I have time, maybe tomorrow. If I know it might delete my data, I want it removed from my harddisk NOW! If I know it sends confidential data to my competitors/customers, I would consider completely wiping all infected harddisks. A virus being that mean, e.g. by altering files, will have no spreading; people will put all efforts into killing it quickly.
BTW: how many viruses for linux exist? ;o) And please don't come me with because nobody uses it. It's because all the programs run in an isolated sandbox by default, and have no possibility to alter any system files.
--
Karma 50, and all I got was this lousy T-Shirt.
Thanks to the wonders of Microsoft backward-compatibility, the darn things get treated as executables in the Win32 environment.
Even better, if you have a file with a double extension, such as .txt.pif, Outlook shows it as a .txt file, but the OS treats it as a .pif file. Microsoft makes things too easy for the virus creators, don't you think?
www.lucernesys.com Horizon: Calendar-based personal finance
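Two defensive checks come up in the comments above: rejecting mail at the server when the body carries one of the two fixed lines quoted for this worm, and judging an attachment by its last extension rather than the one the client displays (the `.txt.pif` case). The sketch below combines them; it is an added example, not code from the thread, and its function names, sample addresses and attachment names are constructed, with the runnable-extension set limited to types named in the discussion.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The two body lines quoted in the thread (English and Spanish variants).
BODY_MARKERS = (
    "i send you this file in order to have your advice",
    "espero me puedas ayudar con el archivo que te mando",
)
# Extensions the thread names as directly runnable on Windows.
RUNNABLE_EXTS = {"exe", "com", "bat", "pif"}


def _normalize(text):
    """Lower-case and collapse whitespace so line wrapping cannot split a marker."""
    return " ".join(text.lower().split())


def inspect_message(raw_bytes):
    """Return the reasons to reject a raw message; an empty list means pass."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # Only the LAST extension decides how the OS treats the file,
            # whatever name the mail client chooses to display.
            pieces = filename.strip().lower().split(".")
            if len(pieces) > 1 and pieces[-1] in RUNNABLE_EXTS:
                kind = "double-extension" if len(pieces) > 2 else "runnable"
                reasons.append(f"{kind} attachment: {filename}")
        elif part.get_content_maintype() == "text":
            try:
                text = part.get_content()
            except (LookupError, UnicodeError):
                # Unknown or broken charset: decode bytes one-to-one instead.
                text = part.get_payload(decode=True).decode("latin-1")
            body = _normalize(text)
            for marker in BODY_MARKERS:
                if marker in body:
                    reasons.append(f"known body text: {marker}")
    return reasons


def build_sample(body, attachment_name=None):
    """Constructed test message; the attachment bytes are inert placeholder data."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "quarterly numbers"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(
            b"placeholder bytes, not a real program",
            maintype="application",
            subtype="octet-stream",
            filename=attachment_name,
        )
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "clean": build_sample("Lunch at noon?"),
        "wrapped marker + double extension": build_sample(
            "Hi! How are you?\nI send you this file in order\nto have your advice\n",
            "budget.xls.pif",
        ),
        "plain text attachment": build_sample("see attached", "notes.txt"),
    }
    for label, raw in samples.items():
        print(label, "->", inspect_message(raw) or "accept")
```

Fixed-string body matching only catches this one variant; the last-extension check is the part that carries over to other mailers and other attachments.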
For whatever it's worth, the copy of the virus I got (I'm on a Mac so it did a whole lot of s**t-all), came as a 1.5MB .text file. Neither of the articles linked by this story list .text as one of the common extensions. Just one more thing to watch out for.
"Reality is merely an illusion, albeit a very persistent one " -Albert Einstein
...spread as source code and then recompile on various client computers, thereby appearing to be different viruses on different platforms...
Is this how java got so damn popular?
<-- You are here.
pr0n - keeping monitor glass spotless since 1981.
Ever heard of a Pine virus? Exactly.
Toronto-area transit rider? Rate your ride.
This will not be the last time we see a Slashdot headline of this nature (and I seem to recall that it's not the first either...)
I'll be good goddamned if I'll ever use Outlook again, simply because it is so easily picked and well susceptible to Vbasic script viruses etc.
Screw 3...
1. Click Start, Settings, Control Panel.
2. Click Add/Remove Programs
3. Select Outlook Express
4. Click Remove or Uninstall (depending on OS version).
5. Go get a copy of Pine compiled for Win32 and install it ASAUC (As soon as you can).
{awaiting the flame-bait}
The underlying problem here is that people have come to accept executable attachments as the norm. Years of silly Flash greeting cards, "snowball fight" games, and Joe Cartoon crap sent across offices since the mid-1990's have hooked Windows users on native-binary attachments. The only way that this sort of activity can be stopped is by making it socially unacceptable (improper netiquette) for anyone to send executables through email. Think about what would happen if one of your colleagues sent you a random Linux binary through email and claimed it was a greeting card - would you run it? Well, the drooling masses will run any .exe that a "known" source sends to them, and that is the crux of the problem.
Unfortunately, it is in content producers' best monetary interest not to change their distribution strategy to use a format that requires less trust (such as .swf or even .html). That would artificially limit the quality of their goods, and closes the door to including "value-added features" (like spyware) to their attachments. Therefore, the situation shows few signs of changing anytime soon, and users will simply work around any stopgap measures in their email software so that they can continue to play their "frog in the blender games" in perpetuity.
-all dead homiez
m00.
Nothing particularly original there, except this virus is pretty unique both in how it operates, and what it does
Hmm. It's unoriginal, yet totally new in how it operates and what it does.
Does this strike anyone else as contradictory?
-- Just your average guy, except with 2 heads and an eye stalk in my chest.
m00.
Uh... wakeup... You are thinking of the innocent days of viruses where it often required user intervention to infect the system via reboot (left floppy in drive A:) or run an EXE by mistake.
Thanks to Microsoft's innovation, and a few behind the scene flaws or features, a macro-virus can now infect the system without the user even knowing an infected letter had arrived. By then it's too late.
I've seen it where as soon as the letter arrived in the mailbox, the machine was infected. This was due to a buffer overrun which allowed the mail to automatically launch the attachment.
Heck you don't even need Outlook, just run ICQ and someone can drop a trojan on you so fast, you won't know what hit you - until that day you see "You Are Now Owned Asshole!".
Subseven and a few others are a real pain to get off a system. I saw a Win98 machine rendered totally useless, even so the format and rebooting did not work. I had to delete the partitions and then rebuild. I found 7 trojans on that system. All the person ran was ICQ!
So that line about Don't Run Attachments is kind of outdated... Users are held defenseless when the company that writes the OS... calls the shots.
I've just realised it doesn't matter what mailer I use. The fact that this virus/worm/whatever even exists means I'm gonna suffer!
With all this media attention my Mom's gonna start sending every freaking bogus virus warning on the planet (She scares very easily; The poor dear!).
I'd rather get the virus.
:)
I wish I used Outlook...
I completely missed out on that whole "Anna Kournikova" thing and now I can't even run this one...
It's either buy Outlook or hope Lotus Notes releases a "Microsoft Virus Enabler" patch
*sigh*