Slashdot Mirror


Clever New Windows Worm

freakboy303 sent in linkage to a new worm that will no doubt be cluttering our inboxes soon. Clever bits include running its own SMTP service to increase chance of success, as well as using a bunch of spaces to disguise the true extension of the executable. No doubt countless copycats will soon follow and our inboxes will be cluttered by countless copies of the thing. Not that there's a problem with Windows security.

10 of 621 comments

  1. Re:problem with the users by Wire Tap · · Score: 5, Insightful

    just like the rep AOL gets, the more users you have the more dumb users you have.

    Do you know what that means? It means the system needs to be engineered to handle those users. It does NOT mean we should shout and flame about how stupid those users are. Guess what: Everyone who uses an online service (or the Internet, for that matter) is NOT a Computer Science or Engineering major, and they should NOT be expected to act accordingly. They are there for their own purposes, to accomplish their own ends. The systems should be designed accordingly, with error prevention and correction built in, to catch things that would otherwise hurt users or administrators.

    --

    Man is born free; and everywhere he is in chains.

  2. I wonder how long it will be before... by mrroot · · Score: 5, Insightful

    Viruses get sophisticated enough that they look at subject lines in your current "Sent Items" folder and use the same subject and text, just adding the attachment, or if they find an email you previously sent that had an attachment and replace it and re-send the message.

    It's only a matter of time. It's amazing how even a dumb virus can fool so many people.

    --
    I Heart Sorting Networks
  3. Not a bad virus... by Pete (big-pete) · · Score: 5, Insightful

    Most sensible organisations will already be blocking .pif files in mail - this virus is already known by McAfee as W32/Shoho@MM and they have detailed it as a LOW risk worm.

    On another note, I hope Slashdot isn't going to run a story on every new virus that gets released...

    -- Pete.

  4. Re:Am I the only one...? by ethereal · · Score: 5, Insightful

    That's the idiot that picked Outlook/Exchange for the corporate messaging system, right? Sorry, I'm not ranting at you, but I hear this a lot at work and want to set the record straight.

    I don't think it's fair to blame the user for not knowing that ".txt.pif" is a magic extension that can hurt their computer, or just to tell them "don't open email from someone you don't know". The fact of the matter is that it's wrong for your email client or your web browser to execute code from an unknown source, and the user should have to take positive steps (more than one) to execute such things. Microsoft's email tools are fundamentally broken, even to the point where they betray their supposed ease of use by requiring the user to puzzle over which emails are safe and which aren't.

    So no, I don't really blame the marketing guy for not knowing that ".txt" is OK but ".txt.pif" isn't OK - it's not his job to know. It's the job of the tools Mr. Marketing is given to tell the difference for him and not automatically or easily do something dangerous. And it's the job of corporate IT purchasers to make sure that the right tools are being given to Mr. Marketing. More than anything, the repeated Microsoft virus and worm attacks point to a fundamental failure to learn from past IT purchasing mistakes.

    Don't get me started on my company's new internal IM system that only works from Windows - thanks for nothing there, guys.

    --

    Your right to not believe: Americans United for Separation of Church and
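Added example, not part of the thread or of any product mentioned in it: a mail-gateway style check for the two things the story and comments 3 and 4 describe, a blocked final extension such as `.pif` and a run of spaces hiding it behind a decoy like `.txt`. The block list, the padding threshold and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed gateway block list; .pif is the only extension the thread itself names.
BLOCKED_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".vbs"}
# Assumed threshold: a whitespace run this long pushes the real extension out of view.
PADDING = re.compile(r"\s{5,}")
# A short alphanumeric extension at the end of the stem counts as a decoy.
DECOY = re.compile(r"\.[A-Za-z0-9]{1,4}$")

def inspect_filename(name):
    """Return the reasons an attachment name is suspicious (empty list = clean)."""
    reasons = []
    stripped = name.strip()
    dot = stripped.rfind(".")
    final_ext = stripped[dot:].lower() if dot > 0 else ""
    if final_ext in BLOCKED_EXTS:
        reasons.append(f"blocked extension {final_ext}")
    if PADDING.search(stripped):
        reasons.append("whitespace padding in name")
    # Decoy check: a harmless-looking extension sitting before the real one.
    stem = stripped[:dot].rstrip() if dot > 0 else stripped
    decoy = DECOY.search(stem)
    if final_ext in BLOCKED_EXTS and decoy:
        reasons.append(f"decoy extension {decoy.group().lower()}")
    return reasons

def scan_message(raw_bytes):
    """Map each named MIME part of a raw message to its findings."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        if name and (hits := inspect_filename(name)):
            findings[name] = hits
    return findings

def constructed_sample():
    """Constructed test message: harmless bytes under a padded double-extension name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="octet-stream", filename="readme.txt" + " " * 12 + ".pif")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, hits in scan_message(constructed_sample()).items():
        print(repr(name), "->", "; ".join(hits))
```

The decision is made on the name as the receiving client would see it, so the user never has to tell ".txt" from ".txt.pif" by eye.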

  5. You don't get it by Frank Sullivan · · Score: 5, Insightful

    Apache has a veto-proof majority of the web servers out there. Where are the Apache worms? Why is IIS, with far less market share, getting them? It's because Apache is secure and IIS is not, period.

    Linux and OSX are both based on the Unix security model, a fundamentally sound design refined by two decades of real-world practice (dating back to the RTM worm in the early 1980s). It's not a matter of the virus writers aren't looking... it's a matter of a lack of exploitable holes. Name ONE Unix email client stupid enough to auto-execute code. Just one!

    Yes, there are still exploitable holes here and there in Unix/Linux. But they generally require real mastery to find. Windows macro viruses can be written by 14 year old boys. My wife, a technical writer, doesn't know enough programming to write heapsort (do you?), but she knows enough to write a macro virus in VBA.

    Get it through your head... the number of viruses and worms today is not a function of popularity or attention. It is a function of poor design and poor implementation, combined with security by obscurity (a technique discredited everywhere but Microsoft).

    Really, learn about it. Don't just whine because Microsoft is getting a richly deserved spanking, and you don't want to hear how bad your favorite OS sucks.

    --
    Hand me that airplane glue and I'll tell you another story.
    1. Re:You don't get it by rlp · · Score: 5, Insightful

      I agree with your basic thesis. However, it should be noted that Unix design and Windows design started with different premises. Unix was derived from Multics which was an early time-sharing system designed to be (relatively) secure. As a multi-user system, mechanisms had to be built-in to protect a user's environment from other users. Windows is descended from DOS (and CP/M) and came from an environment that assumed one machine / one user. Hence there were no protections built in.

      Unix was built by developers for developers. In many cases the system administrators were also the system programmers. System administration problems tended to be solved by code. For example, in the early 80's Unix did not limit the number of processes per user. At Bell Labs, whenever the Intro. to Unix Programming class got around to the 'fork()' system call, machines started crashing. This was soon fixed by a kernel change. Linux has continued (and expanded) on this tradition.

      In contrast, Microsoft has focused on ease of use for the average user. This focus has been rewarded with market share. Security has been an afterthought. Prior to mass adoption of the Internet - this was not an unreasonable approach. Now, of course, it's a disaster.

      --
      [Insert pithy quote here]
  6. Re:More Slashdot demagoguery? by Hormonal · · Score: 5, Insightful
    It's unfortunate, as Slashdot is one of the best places on the Internet to go for news, and heady, informed discussion.

    OK, I come here for news, and for discussion. I read the headlines, generally the blurbs, and I poke around in the discussion until I can't stand it any more.

    I don't use this site as a basis for generating opinions regarding what company is bad, what company is good, or what text editor I should use. I have my own methods for said exercise.

    Surely, you realize that this site is coded, maintained, and read by geeks. I find it quite unlikely that a reader of this site hasn't formed an opinion one way or another regarding Microsoft. We don't thaw out cavemen, and then teach them to read, using Slashdot (boy, that'd be an exercise in futility, with the l33t speak, and the horrific grammar and spelling.)

    Bottom line is this, and I know it's been said many times in the past: This is not a real news site. It's just a weblog, and it happens to have a lot of people who like it. The Slashdot editors are under no obligation to be fair, or unbiased. If you don't like it, create your own site. Buh-bye.

  7. Re:Is this slashdot or a Windows bug tracker? by Frank Sullivan · · Score: 5, Insightful

    The XP exploit, at least, is an entirely new class of security hole, not seen before, and every last one of the 10M+ XP boxes shipped is vulnerable to total control from the outside.

    If that ain't news, what is?

    As for the worm... well, it's mildly technically interesting. But if Microsoft worms have become so common that they are no longer news... well, I think that's news, too!

    --
    Hand me that airplane glue and I'll tell you another story.
  8. Re:More Slashdot demagoguery? by JabberWokky · · Score: 5, Insightful
    But editors in the respected news firms of the world do not say things as unproductive as those who edit on Slashdot. As editors, they have a RESPONSIBILITY to get _news_ to us, not their own biased point of view.

    Bullshit. If Slashdot wanted to be a "respected news firm", then that would make sense. However, it's run by some guys who liked Legos, Star Wars and KDE on Debian. They post links to stuff they think is nifty around the web, and a community grew around it. Now most links are submitted by readers and we all chat in the discussion board under each story. But at the heart, it's *still* just a website run by some guys who think legos (now mindstorms) Star Wars (now the pre-trilogy) and... well, CmdrTaco still uses KDE on Debian at any rate.

    Think about what influence Slashdot has over a very large proportion of the "geek community" and other technical and scientific groups.

    It's opinion. People have them, and some people make theirs very public. It's part of human nature. I'm sure your office has a guy who goes off about how great some type of coffee is, or some woman who will tell anybody who will listen the plot of last night's TV show that she loves. Well, remember how I said that this is *not* a news site, but a site run by some guys who like geeky stuff? Their opinions are that Microsoft generally sucks (and it's shared by quite a few people). I may not agree (in fact I don't - and I run Linux on server and desktop), but I don't bitch about them stating their opinion on the site they run.

    Dear Ghod - do you write in to Art Bell and bitch that he shouldn't have weirdos on his show? Do you write in to Howard Stern and tell him he should be more compassionate? Do you write in to Rush Limbaugh and tell him that he should stop expressing his opinions on political issues? No - they (and two of those three I can't stand listening to), are great radio *because* they are opinionated bastards that put weird, occasionally informative crap up on their show.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  9. Proper Egress Filtering by Gothmolly · · Score: 5, Insightful

    Egress filtering at the firewall will block the spread of this. Simply don't allow anything but the mail server to make SMTP connections out. Done. Same thing with all of those "home firewall" products.

    --
    I want to delete my account but Slashdot doesn't allow it.
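Added example, not part of the thread: a check that the egress rule from comment 9 is actually in force, run over firewall flow logs. It lists internal hosts other than the mail server that tried to open outbound SMTP sessions, which is what a worm with its own SMTP engine produces. The addresses, the policy constants and the key=value log layout are assumptions constructed for illustration, not any vendor's format.

```python
import ipaddress
from collections import defaultdict

# Assumed site policy (hypothetical addresses): only these hosts may send SMTP outbound.
MAIL_SERVERS = {ipaddress.ip_address("10.0.0.25")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SMTP_PORTS = {25}

# Constructed log lines in a generic key=value layout.
SAMPLE_LOG = """\
2024-01-01T09:14:02 action=allow proto=tcp src=10.0.0.25 dst=192.0.2.10 dport=25
2024-01-01T09:14:07 action=allow proto=tcp src=10.0.3.41 dst=198.51.100.7 dport=25
2024-01-01T09:14:07 action=allow proto=tcp src=10.0.3.41 dst=203.0.113.9 dport=25
2024-01-01T09:14:09 action=allow proto=tcp src=10.0.3.41 dst=192.0.2.10 dport=80
2024-01-01T09:15:30 action=deny proto=tcp src=10.0.7.12 dst=198.51.100.7 dport=25
2024-01-01T09:15:31 action=allow proto=tcp src=10.0.0.25 dst=10.0.3.41 dport=25
malformed line without fields
""".splitlines()

def parse(line):
    """Return the key=value fields of one log line, or None if it is not a flow record."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"action", "proto", "src", "dst", "dport"} <= fields.keys():
        return None
    return fields

def smtp_egress_violations(lines):
    """Group outbound SMTP attempts made by hosts that are not sanctioned mail servers."""
    report = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "tcp" or not rec["dport"].isdigit():
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # skip records with unparseable addresses
        outbound = src in INTERNAL_NET and dst not in INTERNAL_NET
        if int(rec["dport"]) in SMTP_PORTS and outbound and src not in MAIL_SERVERS:
            bucket = "allowed" if rec["action"] == "allow" else "denied"
            report[str(src)][bucket].add(str(dst))
    return dict(report)

if __name__ == "__main__":
    for host, seen in sorted(smtp_egress_violations(SAMPLE_LOG).items()):
        print(host, "allowed:", sorted(seen["allowed"]), "denied:", sorted(seen["denied"]))
```

A host under "allowed" means the firewall rule is missing for it; a host under "denied" means the rule held and that machine is the one to investigate.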