Slashdot Mirror
Clever New Windows Worm
freakboy303 sent in linkage to a new worm
that will no doubt be cluttering our inboxes soon. Clever bits include running its own SMTP
service to increase chance of success, as well as using a bunch of spaces
to disguise the true extension of the executable. No doubt countless copycats
will soon follow and our inboxes will be cluttered by countless copies
of the thing. Not that there's a problem with windows security.
We were all talking about this a week or two ago, but I'm too busy trying to get this pinball machine on eBay, so no time to search through old articles.
woof.
Mail worms/virii/sausage - whatever - can be unbelievably contained with a simple attachment checking process - after Melissa, I implemented Mail Essentials (www.gfi.com) at my company - one server - 200k+ messages a day capacity - extention filtering ON.
.procmail GUI. Works with any SMTP server.
Since then, we got hit with evey major email worm, but got infected by none - 1,000's of messages per incident blocked at the server - none made it to the internal Exchange box... they all get blocked at the "mailman" (block EXE, VBS, PIF, whetever)
The sender gets a "kindly" message saying "Sorry, we don't accept this extention type - try again".
It'll even scan for uncertified macros in Office Docs, filter spam (i.e. GREP searches), autorespond, basically a nice
It's amazing how a small company like us can spend the $1,500 to protect our mail system, while larger ones (i.e. employers of my roommates) would rather lose 4 hours of mail to one of these buggers.
It makes no sense NOT to use a simple filter - when will people learn. Until then, I'll just laugh.
Umm no only root can bind to low numbered ports (of which port 25 is a member)
Contrary to popular belief - and it's really, really prevalent on Slashdot nowadays, of all places - you don't need an SMTP server to send an email. You just need a client.
All you need to do is open a connection to port 25 on an existing SMTP server to send an email to an address it assumes is its own, and send off a bunch of commands: HELO, MAIL FROM, RCPT TO, DATA, and QUIT.
Try it sometime. Telnet to a mail server on port 25, and type the following commands, without using the backspace key:
HELO heaven.gov
MAIL FROM: god@heaven.gov
RCPT TO: <actual email address>
DATA
I've been watching you. Your fly is down.
.
QUIT
Make sure the email address domain is one that the mail server will answer for, otherwise you'll get an error saying it won't relay for you. (Usually.) And make sure the user is a valid user on that domain. If those two requirements are met, you've sent an email - without needing an SMTP server, I might add.
So if you don't need a server, you don't need to bind a port, and a worm like this could spread through Linux systems the way it spreads through Windows systems.
I got my Linux laptop at System76.
Have a read of this article at Wired entitled "The Great MS Patch Nobody Uses". (brief extract below).
A free, downloadable update that transforms Microsoft's Outlook into a significantly more secure e-mail application has languished virtually ignored on Microsoft's website for more than a year.
Although the majority of recent viral attacks have come compliments of worms that don't rely only on e-mail to spread, the Outlook E-mail Security Update (OESU) can stop or greatly lessen the impact of most malicious code, such as BadTrans and SirCam, if only people would download and install it.
OESU blocks the receipt and transmission of most of the e-mail attachments that typically can contain virus or worm code. The update also stops malicious code from spreading by blocking unauthorized access to Outlook and its address book. Many viruses and worms spread by surreptitiously e-mailing themselves to e-mail addresses culled from an infected computer's system files.
Funny how if the other 99% of people had this patch then virus spreading would drop drastically.
Avantslash - View Slashdot cleanly on your mobile phone.