Slashdot Mirror
Another Nasty Outlook Virus Strikes
Goldberg's Pants writes: "ZDNet and Wired are both reporting on a new virus that spreads via Outlook. Nothing particularly original there, except this virus is pretty unique both in how it operates, and what it does, such as emailing random documents from your harddrive to people in your address book, and hiding itself in the recycle bin which is rarely checked by virus scanners." I talked by phone with a user whose machine seemed determined to send me many megabytes of this virus 206k at a time; he was surprised to find that his machine was infected, as most people probably would be. The anti-virus makers have patches, if you are running an operating system which needs them.
> Why can't these virus writers do something cool?
You don't want virus writers with imagination. You *really* don't. A truly imaginative virus writer would likely devote all sorts of creative energy toward thinking up nasty things to do to your computer.
I'm still waiting for the trojan that silently installs itself, then once every day looks for spreadsheets on your system and randomly changes three numbers in every fifth file. Or perhaps it finds your Word documents and randomly removes the words "do not" from a few places. Or maybe it flips a few bits in your swap file, or munges your C++ compiler so that your programs randomly destroy the user's partition table one time out of a thousand. Maybe it sends death threats in your name to president@whitehouse.gov, or anonymously tells Microsoft that your company is pirating Windows.
No, I'm quite happy with the current crop of dull, stolid, entirely *un*imaginative virus writers, thank you very much!
So why doesn't Outlook do this automatically? Seriously - Outlook could set up a dummy user account at installation time and whenever an attachment is to be executed it could use the previously created dummy user to execute it. To all the posters who wrote that setting up a dummy user to execute attachments is too hard for most users, too cumbersome, or too inconvenient, what's the problem if this is built into Outlook and transparent to the user?
-----
Free P2P Backup, Windows & Linux
Ok, I have to respond to some of the folks here who believe that "Don't run Outlook" is an option. Well, pray tell, what should I do if I'm on a corporate Exchange server? With no other option? It's all well and good to suggest things, but the fact is, if the Exchange Admin won't use LDAP, you're out of luck, and quite stuck.
That said, the SP2 release of Office/Outlook prevents anything from accessing your address book, and will pop up a confirmation. It doesn't prevent idiots from opening the attachments, but it does create some thought beforehand.
I can appreciate the idealism of using Linux for everything (I'm a Debian developer for god's sake) but for my job, I have to use Outlook, so I do, because I like my job, and I'm not going to quit because of that minor inconvenience.
I suppose this qualifies as a rant, and possibly will be modded to "Flamebait" or "Troll" but let's try and tolerate some dissent on this board for a change.
----------------- "I have a bone to pick, and a few to break." - Refused -------------------
>This isn't a problem with Outlook, it's a problem with idiot users clicking on every damn thing they're emailed.
>>Furthermore, Outlook actually helps out the "idiot" users.
There is a principle in the Toyota Production System that goes something like this: "If a worker makes a mistake once, it may be the workers fault. If a worker makes a mistake twice, it is the supervisors fault. If a worker makes a mistake three times, it is management's fault".
Most human beings on the face of the earth are not technically minded and DO NOT WANT to understand the details of how the tools they use work. If every time Joe Homeowner flipped on a light switch there was a 1% chance of a nuclear power plant melting down, we wouldn't be using much electricity, now would we?
While Microsoft is to blame for creating insecure tools (keeping in mind that larger market share means more attaraction for attackers), responses along the line of "stupid users don't understand how to use e-mail" are not acceptable, either.
sPh
Seems like folks using a "Trojan" should be safe from getting a "Virus". :-)
--j
I'm a nature photographer.
Why can't these virus writers do something cool? Like install the SETI@home client on every infected machine? Or install something to DOS the RIAA/MPAA/Bad-guy-of-the-week (how about having the DOS daemon check Slashdot to determine who the current bad guy is)?
I'm sure that someone can come up with even more interesting things than this...
--
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
I'm sure a lot of people here are going to go out and blame Microsoft for the Outlook-virus-of-the-week. But the fact is, Microsoft is just giving the user what they want.
Good Lord.
This reminds me, almost word for word, of statements typically made by rapists and child molesters. While the situation is vastly different (thankfully), the behavior of the guilty party, Microsoft, is appallingly similar: refuse responsibility for one's own actions and blame the victim.
The cause of these (now almost cliched) viruses is, quite simply, the appallingly lax security in the Microsoft Operating System and mail utilities, a lack of which is unequaled anywhere else in the computing world. Whether by design, negligence, or simple incompetence the fact remains: if you run any version of Windows, IIS, or Outlook, you are vulnerable to this sort of thing regardless of how savvy or cautious a user you are, and there is little or nothing you can do to protect yourself. Indeed, by the time you know of the exploit (assuming you are savvy enough to keep up on such things, which IMHO is asking far more of the user than simply learning a few basic commands a la GNU/Linux or DOS, much less a few GUI variations from with Windows paradigm a la Mac, KDE, or Gnome) chances are the malicious crackers have been exploiting it for weeks or even months.
Contrast this with the rest of the computing world, in which exploits are published and fixed as soon as they are found (and usually found by the product developers and/or testers before they are exploited), and in which the basic security paradigms allow one to secure the system in as paranoid a fashion as the situation requires, and the mind truly boggles at Microsoft's inability to at least match the quality of competing products such as Mac OS/X, the various *BSD flavors, and GNU/Linux.
It is bad enough that Microsoft appears incapable of building a secure system. It is even worse that they knowingly market an insecure and unstable system as though it were secure and stable (were there still any kind of "truth in advertising" requirements they would certainly be paying hefty fines for falsly marketing their products). It is unconscionable that they refuse to accept responsibility for their own engineering, choosing instead to blame the victims of its failure: their customers.
The Future of Human Evolution: Autonomy
I've been getting this for about a week or so I think.. 4 copies today.. I thought it was just more porn spam at first..
.. :)
Cheers to mutt
BilldaCat
$ su /home/fred123 /home/fred123/* /home/fred123/* ./suspicious.exe
/etc/shadow: permission denied
Password:
# useradd fred123
# passwd fred123
Changing password for user fred123
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
# cp suspicious.exe
# chown fred123.fred123
# chmod 700
# exit
$ su - fred123
Password:
fred123$
suspicious.exe:
Aha!
fred123$ exit
$ su
Password:
# userdel -r fred123
# exit
The problem here isn't even gullible users. It's the fact that under Win9x, you're running as god all the time, and can seriously hurt yourself. Under Linux, I can create a temporary user in about 30 seconds, go crap all over the resulting sandbox, and I *might* release a forkbomb or fill up /home... if I was being lazy. If I was really worried about it, I could ulimit the bejeezus out of the new userid, and whatever little surprises lay in that exe wouldn't get past first base.
And it's not just Linux, or other Unixes... VMS, NOS, NOS/VE, VM/CMS... IS there another OS out there that DOESN'T have proper ACL's and CPU/process limits? BeOS, MAYBE?
Yes, there are a lot of clueless Windows users. There is still no excuse for deliberate insecurity on the part of the OS. As for Microsoft "giving the users what they want"... As Norm Schwartzkopf would say, bovine scatology. See previous comment.
Actually, there is a simple cure to this, and it has even been used by Code Red: operate in two phases:
- A spreading phase, where you don't do anything malicious, except infect other machines. Best if done as low-key as possible: only attempt to infect those people that use Outlook (analize headers of recently received mails), attach yourself to documents that the user sends, rather than making up documents of your own, etc.
- An active phase, where the fun really starts: DOS the withehouse, mail out confidential
.doc files, thrash the BIOS and hard disk, etc.
The difficult part of course is timing. If the active phase starts too early, you may not have enough of an "installed base" to really wreak havoc. And if it starts too late, a cure may already exist by then.Good idea... but who assigns virus names? It was my understanding that the names under which a virus is known is usually not chosen by the author, but by the anti-virus community once it is "discovered". Thus, it would be rather hard to scan for its name, as it will not be known at the time of writing...
This isn't a problem with Outlook, it's a problem with idiot users clicking on every damn thing they're emailed.
Outlook Express, at least, has a horrible user interface for attachments. First, *any* attachment with *any* extension will trigger the dialog, which means users will ignore the dialog after seeing it several times. Second, it conveys the possible threat from the file type only by displaying the extension, and many users haven't memorized what extensions are safe and which aren't. Third, it only asks that you "be certain that [the] file is from a trustworthy source", which doesn't help much if the "trustworthy source" is infected by the same attachment.
The shareholder is always right.
It is exactly the same as if the user downloaded the trojan from an FTP site or through Gnutella, it's strictly an application. It doesn't rely on being received via email, all it needs is for the user to choose to execute it. Now if that application (trojan) happens to be a Linux executable, it's going to run when the user tells it to run. It's going to go ahead and read whatever address book it can find and spam everyone with a copy of itself.
It's naive to think this problem only affects Windows users. It's only a matter of time before someone creates a Mac or Linux port.
Of course, then the headline would have to be "Idiot Users Still Exist, Nobody Surprised" -- doesn't really have the same aire of panic though, does it?
Joe emails a rogue application to Jane, Jane runs the code which then emails itself (and an arbitrary document) to people in Jane's address book. Sounds like something that could be implemented on any OS, doesn't it? You can't patch user stupidity.
Anyhoo, let the Microsoft bashing begin! Everyone get your pitchforks and flaming torches, but leave your dictionaries at home.
OK, so you've shown that if a friend emails you a suspicious .exe, you create a phony account with no permissions then run it from that account. This is also possible in Win2K and Windows XP. So what's your point?
.sig).
All you've shown is that you are an extremely paranoid person and not that your OS of choice is some fantastically secure manifestation of operating system design. Most Linux users I know would not go through all that trouble if mailed a perl script or executable (or heck, compiling some obsfucated source from someones
And it's not just Linux, or other Unixes... VMS, NOS, NOS/VE, VM/CMS... IS there another OS out there that DOESN'T have proper ACL's and CPU/process limits?
Windows' ACL support has been more mature than Linux's for a long time. Because you don't know about it doesn't mean it doesn't exist.
--
One thing I've noticed is that it's always my work address that seems to get the viruses. In the 10+ years that I've had personal email addresses, I think I've only had maybe 2 even delivered to any account. (This includes free Outlook-enabled web accounts).
There's only a couple conclusions I could draw from this:
1) I am a supreme personal system administrator and do not let any common mundane virus issue affect the harmony of my smoothly oiled machine. (you do you oil computers, right?)
2a) All of my personal friends are apparently not as stupid as they look (this one is hard to believe).
2b) All of my work collegues are definately more stupid than they look (ok this one isn't so hard to believe). heh
3) There is some kind of shield made up of impervious virus-fighting smurfs that protect my personal computer 24 hours a day.
4) Karma (no not that kind)
or most probable:
5) Someone has been reading and deleting my personal email for years.
"It relies on the user executing the attachment, it doesn't execute itself."
Unless, of course, it's something like Javascript code, or an unruly image tag. Exploits of this nature have been discussed on BUGTRAQ (more recently as an example of how poor PHP programming can cause security problems [duh!], so don't think I'm picking on Outlook here). Any mailer that displays even plain HTML as soon as you view the message can be attacked, and ones that do Javascript are INSANE.
Sotto la panca, la capra crepa
WMBC freeform/independent online radio.
It seems just about every damn virus nowadays spreads via Outlook or Outlook Express which is too bad
But has anybody (specially Timothy) actually paid any attention to the damn stories?
Nowhere in these stories is it claimed that Sircam uses Outlook to spread! Maybe Timothy got the idea from reading this CNN article.
Geez, people, do you believe everything that CNN says? It's not like I really expect CNN to get this right, but /. readers are supposed to be better than that!
In fact, the Wired news clearly says that the virus serves as it's own SMTP client. A lot about this virus in fact resembles how the Judge Disemboweler virus operates.
The only thing that can be interpreted as using Outlook to spread itself is the fact that it takes its e-mail addresses from Windows Address Book files; however it will also try to get addresses from some files in the 'Temporary Internet Files' folder. This means it should be able to spread without any need for Outlook (just some e-mail client and a user naive enough to run the attachment) and without Windows Address Files.
All the usual sources of virus information seem to agree about this virus serving as its own SMTP client. Please check for yourselves:
http://www.symantec.com/avcenter/venc/data/w32.sir cam.worm@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A
http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A
http://www.sophos.com/virusinfo/analyses/w32sircam a.html
http://www.europe.f-secure.com/v-descs/sircam.shtm l
http://service.pandasoftware.es/servlet/panda.pand aInternet.EntradaDatosInternet?operacion=FichaViru s&idVirusFicha=1911&pestanaFicha=1
http://support.centralcommand.com/cgi-bin/command. cfg/php/enduser/std_adp.php?p_refno=010718-000010
You know... maybe somebody should figure out how to send mail thru it. It could be used instead of MS Exchange... I bet this thing is smaller, qucker and uses much less resources than Exchange... ;>
---------------
I never wanted to go anywhere. I'm happy here...
The Sig, the sig
also, the number of emails processed increases the probability of infection, spread, etc. for the above class of people, they spend much more time at work on a computer than they do at home.
----
Another Nasty Outlook Virus Strikes
Score: -1 (Redundant =)
-Kef
Who would bother writing a virus that will affect 11 people ?
Learn to Improvise
How long before one of these reformats it's host after reproducing 500 times?
Rhetorical questions - I hope.
--
"I'm not downloaded, I'm just loaded and down"
...spread as source code and then recompile on various client computers, thereby appearing to be different viruses on different platforms...
Is this how java got so damn popular?
<-- You are here.
pr0n - keeping monitor glass spotless since 1981.
This will not be the last time we see a Slashdot headline of this nature (and I seem to recall that it's not the first either...)
The underlying problem here is that people have come to accept executable attachments as the norm. Years of silly Flash greeting cards, "snowball fight" games, and Joe Cartoon crap sent across offices since the mid-1990's have hooked Windows users on native-binary attachments. The only way that this sort of activity can be stopped is by making it socially unacceptable (improper netiquette) for anyone to send executables through email. Think about what would happen if one of your colleagues sent you a random Linux binary through email and claimed it was a greeting card - would you run it? Well, the drooling masses will run any .exe that a "known" source sends to them, and that is the crux of the problem.
Unfortunately, it is in content producers' best monetary interest not to change their distribution strategy to use a format that requires less trust (such as .swf or even .html). That would artificially limit the quality of their goods, and closes the door to including "value-added features" (like spyware) to their attachments. Therefore, the situation shows few signs of changing anytime soon, and users will simple work around any stopgap measures in their email software so that they can continue to play their "frog in the blender games" in perpetuity.
-all dead homiez
I've just realised it doesn't matter what mailer I use. The fact that this virus/worm/whatever even exists means I'm gonna suffer!
With all this media attention my Mom's gonna start sending every freaking bogus virus warning on the planet (She scares very easily; The poor dear!).
I'd rather get the virus.
:)
I wish I used Outlook...
I completely missed out on that whole "Anna Kournikova" thing and now I can't even run this one...
It's either buy Outlook or hope Lotus Notes releases a "Microsoft Virus Enabler" patch
*sigh*