Slashdot Mirror


Four Kids Confess to Goner Worm

imrdkl writes: "4 kids in Israel have confessed to writing and distributing the Goner worm, according to Fox." Yet another annoying worm comes and goes, wasting countless IT hours, to say nothing of bandwidth. The kids face up to five years -- of course since they aren't in the U.S., they might actually be punished.

15 of 539 comments

  1. Well blahs all around by GlassUser · · Score: 4, Insightful

    At work, we got it about 1100 EST. One user got it and ran it, and it cascaded. Our servers groaned for about 30 seconds, by that time, the mail admin had run into the server room and yanked the network cable to them. Honestly, I don't think the fault rests on these kids at all. Sure, I guess they should face punishment if they broke the law, but that's their country's problem. I don't blame them.

    If our users had listened to the rules, this wouldn't have been a problem. But within 30 seconds of the attachment entering our network, over 50 users had run it. Why can't someone hold the irresponsible user at fault? The instructions are easy - don't run attachments you weren't expecting. Instead of blaming some kids for playing around with code, why can't we find fault in the people that don't follow their instructions?

    Yeah, I'm ranting, but to make something constructive out of my waste of bandwidth, how can we get the users to listen? Anyone have effective tools? Yeah, I'm all for firing the ones that can't observe policy, but that would mean firing my boss too. And she's actually pretty decent, as far as managers go.

    1. Re:Well blahs all around by slackergod · · Score: 5, Insightful

      This is more like handing someone a hand grenade,
      with an attached note saying "pull this pin,"
      and that person then proceeding to pull it,
      even though they have been told OVER AND OVER
      that if they pull the pin on a hand grenade,
      it will hurt them.

      The virus is dormant, completely harmless
      UNTIL SOMEONE RUNS IT.
      The fact that someone wrote and engineered it
      to spread in this way, and convince people to run
      it, they (the writers) should be held accountable.

      But just because they are responsible doesn't
      mean every other person down the line
      isn't responsible as well.

      Makes me think of an episode of Space Ghost Coast To Coast (Snatch, I think..)
      which goes something like this:

      "The rays... It's... It's feeding on the rays!"
      "Then don't shoot it!"
      "But.. The rays... It's feeding on them! Ohh."

  2. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  3. Same old... by powerlinekid · · Score: 4, Interesting

    Ok, here's the basic cycle:

    script kiddie/cracker/whatever create worm

    worm gets out, spreading by point and click method

    IT goes on about how bad this one is

    Eventually worm dies and kids are caught

    Big deal made over last worm causes more copycat type worms

    Cycle restarts

    Ok, I mean that's pretty general, but goddamn if I'm not sick of all this. How about instead of going after the worm writers (they are not innocent but hear me out), why don't we try to at least educate the public into not opening things they don't know about. I mean what good does BlackICE and ZoneAlarm do if someone opens a file and turns them off? The technology isn't the problem (except with IIS but that's a whole different beast), it's the people. Maybe someone (I know I'll be flamed as a bastard for this) should create a worm that actually fucks over the people that open it. Instead of making it so they download some roll-back registry fix, how about you just wipe out the registry? Why not make it so IE and Outlook have popup ads with every page and email they view. What if the worm steals their emails and sends them to spammers list automatically? I mean obviously people aren't learning, or this crap wouldn't be happening over and over again. Yeah the people are victims blah blah blah... cry me a river. I've never had a worm, and never will. I'm not claiming I'm smart or anything, but it's common sense that an emailing "I'm asking for your advice" with a document that ends in scr or vbs is something that joe45@aol.com probably didn't mean to send me.

    --

    can't sleep slashdot will eat me

    1. Re:Same old... by Croaker · · Score: 4, Insightful

      Why not make it so IE and Outlook have popup ads with every page and email they view. What if the worm steals their emails and sends them to spammers list automatically? I mean obviously people aren't learning, or this crap wouldn't be happening over and over again. Yeah the people are victims blah blah blah... cry me a river.

      Ah yes. It's the user's fault. Damn them for actually using the features in their frigging e-mail clients. How dare they not go through arcane menu commands and figure out how to deactivate features. Let's shoot the slobs now, and totally ignore the fact that lazy-ass developers created all of these problems for the users to begin with.

      I've never had a worm, and never will. I'm not claiming I'm smart or anything, but it's common sense that an emailing "I'm asking for your advice" with a document that ends in scr or vbs is something that joe45@aol.com probably didn't mean to send me.

      Oh yeah. very common sense. Unless, perhaps you know joe45@aol.com. Which is the case in most of these "scan the user's address book and send a copy" schemes. That's why it's so successful... e-mails go to people who know, and perhaps trust, the person who launched the virus. Hell, a lot of the viruses are in the form of Word documents, which, believe it or not, are actually passed around via e-mail. See, e-mail is all about communication. People send people things. People open them up. 99.99% of the time, nothing bad happens. That's what e-mail is for. That's why we have attachments. If people aren't supposed to open them, what's the point of having that capability in e-mail clients?

      Do you actually expect people to know what the hell a .scr file is? Maybe you've got all of Windows' file extensions memorized. Most people I know have more important things to think about.

      No, if you want to code up a virus to "fix" this problem, code up one that goes out and downloads and installs an e-mail client that was written by someone with a clue about security. Perhaps install an operating system where something run in userland can't fuck with system files. Hell, write a virus with some AI that can seek out and destroy the source code to lousy e-mail clients, scripting systems that have no concept of security, and operating systems that have no security model to speak of.

      In the meantime, screeching at people that doing things that the e-mail clients were designed to do in the first place is grounds for a cyber-anal-raping is about as productive as screeching that they're a witch if they float in water. It may seem obvious to you, but you're not speaking their language.

  4. Fixing the staff problem by Anonymous+Brave+Guy · · Score: 5, Interesting

    I don't agree entirely with what you write, since I assign the blame for things like this almost entirely to those who write the stuff in the first place. I'm sure you'll get plenty of other replies saying the same.

    OTOH, you make a fair point about employee training. The small company where I work, a software development house, has had a few e-mail viruses mailed to it over the past year or two. It's interesting to note that these often get forwarded around the office, but invariably by non-technical staff. The developers and tech support guys and gals generally have the sense not to run blind attachments; the admin and management guys and gals are more trusting, and bite the bullet.

    Our IT support guys have long had a record kept of exactly when everyone runs the anti-virus update they mail round every month. Recently, they've instituted a "leader board", which is mailed to everyone, showing who ran it fastest. It's an amusing little game for those of us who are sitting in front of our PCs anyway, but the really telling thing is the people who don't appear on the list at all (which is typically mailed around the afternoon after the update), i.e., those people who still haven't updated their systems several hours later. Guess who they are...

    So, we have established that certain types of users are more vulnerable to this than others, and we know who they are. The next question, of course, is what to do about it. You can come up with any number of penalties, but how are you going to turn around and slap them on, say, the MD of your company (a repeated offender in our case)?

    Personally, I always liked the "drill" approach. The IT guys occasionally create a Hotmail account or some such, and mail something cool-looking to a few random accounts at the company. If you run the attachment, it pops up a simple message on your screen informing you that if this had been real, you'd just have cost everyone in the company a day's work/sent abusive mail to your most profitable client/whatever. This isn't publicly embarrassing, and it makes the point. It's certainly proven very successful in a couple of cases I know of.

    You could complement that with a "three strikes" sort of rule. Anyone who falls for it gets a couple more spams shortly thereafter. Anyone who falls for it repeatedly has maximum security settings imposed on their machine thereafter. It will cause them hassle if, for example, they have to send or receive a genuine executable attachment, but such is the price you pay for keeping your systems secure from your own users as well as people outside. Better that than watching offensive mail go to those top five clients...

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

    1. Re:Fixing the staff problem by Typingsux · · Score: 4, Redundant

      Well....

      At least in my company, the first person to send this out (company name to remain anonymous) was the CTO.

      This is not a lie or an exaggeration. Our company's CTO was the first damn fool to send it.

      I'll now read the rest of this thread to see other replies.

      --
      The above post is an editorial, the poster cannot and will not be held responsible for all or in part for its contents

  5. Attachment blocking at the server by bubblegoose · · Score: 5, Informative

    This virus wasted about 5 minutes of my time. I read an article about what it did, then the next day I deleted about 150 copies of this that got quarantined on our company's Exchange server.

    I use a virus scanner on the Exchange server capable of blocking attachments based on extension (Scanmail by TrendMicro works nicely for me). I always block:
    ade,adp,asx,bas,bat,chm,cmd,com,cpl,crt,exe,hlp,hta,inf,ins,isp,js,jse,lnk,mdb,mde,msc,msi,msp,mst,pcd,pif,reg,scr,sct,shs,url,vb,vbe,vbs,wsc,wsf,wsh

    Bingo - no e-mail virus problems :)

    I figure if my users really need them and the person sending the message is smart enough (and meant to send it) then they can zip it. If the sender wasn't smart enough to zip it, then I can always pull it out of the quarantine folder.

    --
    I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey

  6. This Is Bullshit by Lethyos · · Score: 4, Insightful

    The kids face up to five years, of course since they aren't in the US, they might actually be punished.

    Computer crimes are MORE than sufficiently punished in the US, thank you very much. I don't know where you get off implying that the US goes easy on computer "crime". I had a little incident during my freshman year of college. The FBI was very determined to get me jail time for a ridiculously minor offense. It was only through sheer wit and creativity of my lawyers that we got the offense down to a misdemeanor and a lousy 600$US fine. That was the most hellish time of my entire life and could have ruined my career forever. All over a tiny little deal (no damage was done).

    Imagine what these kids would get in the US for writing such a worm. It'd be a helluva lot worse than 5 years in prison. So put your pro-punishment attitudes away and get real. Remember what our government does to computer criminals.

    --
    Why bother.

  7. procmail filter by CodeMonky · · Score: 4, Interesting

    There is a nice procmail filter (ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html) that renames incoming attachments and makes them non-double clickable as well as pseudo scans office documents for dangerous macros.

    The extra level of 'abstraction' (the user having to rename the file to run it) has saved us from every major email-borne virus in the past two years while still allowing people to get their precious attachments if they are expecting them.

    --
    --"Karma is justice without the satisfaction"
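
The two server-side policies described in the comments above (bubblegoose's extension blocking with quarantine, and the attachment renaming done by the procmail filter CodeMonky mentions), sketched with Python's standard `email` package. This is an added example, not code from either poster or from the procmail filter; the `.blocked` suffix, the function names and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension block list as posted by bubblegoose above.
BLOCKED = frozenset(
    "ade,adp,asx,bas,bat,chm,cmd,com,cpl,crt,exe,hlp,hta,inf,ins,isp,js,jse,"
    "lnk,mdb,mde,msc,msi,msp,mst,pcd,pif,reg,scr,sct,shs,url,vb,vbe,vbs,wsc,"
    "wsf,wsh".split(","))

def blocked_ext(filename):
    """Return the blocked extension Windows would act on, or None."""
    # Windows ignores trailing dots/spaces ("a.scr. " opens as .scr), and only
    # the last extension counts ("photo.jpg.vbs" is a script, not an image).
    name = filename.strip().rstrip(". ").lower()
    ext = name.rpartition(".")[2] if "." in name else ""
    return ext if ext in BLOCKED else None

def filter_message(raw, mode="quarantine", suffix=".blocked"):
    """Return (verdict, blocked_names, message_bytes) for a raw message.
    "quarantine" holds the message; "defang" renames blocked attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() decodes RFC 2231 names and falls back to the legacy
        # Content-Type "name" parameter when Content-Disposition has none.
        name = part.get_filename()
        if not name or not blocked_ext(name):
            continue
        hits.append(name)
        if mode == "defang":
            safe = name.strip().rstrip(". ") + suffix  # assumed suffix
            if part.get_param("filename", header="content-disposition") is not None:
                part.set_param("filename", safe,
                               header="Content-Disposition", replace=True)
            if part.get_param("name") is not None:
                part.set_param("name", safe, replace=True)
    if not hits:
        return "deliver", hits, raw
    if mode == "quarantine":
        return "quarantine", hits, raw
    return "deliver-defanged", hits, msg.as_bytes()

def sample_message():
    """Constructed sample: one harmless and one blocked attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Hi"
    m.set_content("I'm asking for your advice")
    m.add_attachment(b"%PDF-", maintype="application", subtype="pdf",
                     filename="report.pdf")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="advice.jpg.scr")
    return m.as_bytes()
```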

  8. Don't worry too much. by Apuleius · · Score: 5, Insightful

    They're first time offenders who confessed. They're high school students who would otherwise be preparing to be drafted to the Israeli army soon, and the government will not want to disrupt that if it isn't necessary. Finally, they are from a town that is notorious for inducing boredom for its teenagers. They may get a few months, but I wouldn't count on it, and they'll get assigned to the Ma'asiahu prison, where conditions are very good (it's Israel's prison for first time offenders, and it's probably the only place in the world you could call a re-education camp without irony.)

    1. Re:Don't worry too much. by gnovos · · Score: 4, Troll

      They're first time offenders who confessed. They're high school students who would otherwise be preparing to be drafted to the Israeli army soon, and the government will not want to disrupt that if it isn't necessary. Finally, they are from a town that is notorious for inducing boredom for its teenagers.

      No, no, no! They are T E R R O R I S T S! Come on people, if you let terrorists like these kids off the hook, it's only a matter of time before they start bombing things and mailing anthrax, right? Gotta be tough.

      --
      "Your superior intellect is no match for our puny weapons!"

  9. Defense against information warfare by xiphosuran · · Score: 5, Interesting

    These virus writers are doing a public service. Serious problems with our communications infrastructure might not be fixed if it weren't for them.

    Imagine what could happen if the first exploits of these security flaws came, not piecemeal from a scattering of amateurs, but rather from some adversary who could call on the services of numbers of technically proficient individuals. A hostile government say, or a terrorist movement that drew in disaffected persons in many countries. What if the vast majority of business users had no idea of how vulnerable they were until the system suffered a massive failure?

    There is an enormous learning process going. People are finding out the hard way, what they would never otherwise have the time to focus on: computers can fail, for very subtle reasons, and we are more dependent on them every day.

  10. Re:they didn't do anything wrong. by crucini · · Score: 4, Insightful

    I guess you think the architects should have been held accountable for the twin towers not withstanding a plane hitting them.

    That's a bad analogy. It's more like four kids pressed a button on the outside of the WTC at street level, causing the towers to explode due to an engineering flaw. In other words, there is no way for a mail message to directly cause harm to your computer. It must be interpreted by a program which you trust (a traitor, in other words) which is willing to harm your computer at the command of an outside party.

    I hate M$'s practices as much as the next guy, but you can't hold them responsible when someone else knowingly takes advantage of a problem that they did address in hotfixes and patches!

    I absolutely can and do hold them responsible. Their decision to facilitate running programs that arrive in the mail without any kind of sandbox or access restrictions was an obviously dangerous one whose implications were immediately visible to people who understand computers. Microsoft spins their product as the omniscient gatekeeper to the internet and handholder to the clueless. They encourage the computer-illiterate to put their trust in Microsoft rather than learning how computers actually work. They created both the software and the culture that propagate malicious code. All of which means that they are greatly to blame for deliberately bringing into existence email viruses.

  11. We must now bomb Israel by Anonymous Coward · · Score: 4, Funny

    The new US Patriot Act (HR 3162) makes creating and spreading viruses and worms an act of terrorism. As such King George must require extradition of the offending youths and hold a military tribunal. If Israel refuses to give up these kids, then we must bomb Israel at a cost of $1 billion dollars per month to US taxpayers as punishment for harboring terrorists. We must make sure to hit any buildings with big red crosses on them and then deny it. We must kill many civilians and deny it and when US soldiers get killed, we must blame it on friendly fire.