Slashdot Mirror


Clever New Windows Worm

freakboy303 sent in linkage to a new worm that will no doubt be cluttering our inboxes soon. Clever bits include running its own SMTP service to increase chance of success, as well as using a bunch of spaces to disguise the true extension of the executable. No doubt countless copycats will soon follow and our inboxes will be cluttered by countless copies of the thing. Not that there's a problem with Windows security.

27 of 621 comments

  1. More Slashdot demagoguery? by Wire Tap · · Score: 3, Interesting

    Not that there's a problem with windows security.

    Why do the editors of Slashdot ALWAYS put their unproductive, derogatory, flaming, two cents at the end of _every_ story regarding something "AWFUL" Microsoft has done? Either they are really insecure about "their Linux," and can't get fulfillment from any other means than bashing the competition, or they really don't believe in what they advocate so much. I'm sick and tired of hearing it! Come ON Slashdot! There are countless posts in previous stories that sound just like this one - all in response to the crap you guys put in the Microsoft stories. Get the picture: no one wants your bias. Bias makes for unreliable, untruthful, and slanted news.

    With that being said, of course there are problems with Windows security. There are security problems in EVERY OS. Stop pointing the relentless finger at Microsoft every chance you get.

    --

    Man is born free; and everywhere he is in chains.

    1. Re:More Slashdot demagoguery? by dachshund · · Score: 2, Interesting

      But editors in the respected news firms of the world do not say things as unproductive as those who edit on Slashdot. As editors, they have a RESPONSIBILITY to get _news_ to us, not their own biased point of view.

      I can't tell you how annoyed I get every time I read a [insert major newspaper here] article about the latest worm that's wreaked "hundreds of millions of dollars" of damage upon American businesses.

      A lot of people are blamed, heads are called for (usually some dumb teenager in Kenosha or the Philippines, wherever.) But in not one single instance have I read an article that pointed out the key fact-- that not one of those millions of dollars would have been lost had Microsoft simply built a product with a better security architecture.

      So while I appreciate your quest for accurate news reporting, I don't find it in the major news outlets. The fact of the matter is that Microsoft bears a great deal of responsibility for the existence of these worms. Preventing the execution of potentially dangerous code should be a priority. These issues are not new with Windows, but even by the standards of recent Microsoft history they're old hat. How long ago was it that Microsoft Word was first infested by macro viruses, and how many products and OS designs have made the same mistakes (on a grander scale) since then?

      I'll take the opinionated rantings of the Slashdot editors (with the subsequent opinionated rantings of the pro-MS lobby) over the non-news I see in the "respected" sources.

    2. Re:More Slashdot demagoguery? by LinuxHam · · Score: 3, Interesting

      I'd prefer it if they just wouldn't post anything about MS unless it's related to Linux. Fact is, bad publicity is still publicity.

      I, and I would think others, don't mind reading about Windows vulnerabilities here. I just see through the biased statements. One thing's for damn sure, I'm not about to start reading some Windows site for good details on the hole-of-the-week.

      If you don't want to read about Microsoft here, just turn it off in your preferences.

      --
      Intelligent Life on Earth

    3. Re:More Slashdot demagoguery? by muffen · · Score: 2, Interesting

      This whole thread should be marked OFF TOPIC!!!

      I do however think it's time for an article about Slashdot on Slashdot, so maybe the editors can learn about what people think about Slashdot and what can be done to make it better.

      Guess I have an offtopic mod coming towards me...

  2. So Yet Another MSTD by White Roses · · Score: 2, Interesting

    Chances are that this has already had a patch released, I am sure. Chances are also that there are an awful lot of unpatched machines out there. I have to say the social engineering on this one is pretty clever. Who hasn't gotten a message like that? I mean in Outlook.

    Now for the usual run of blame: hackers for writing it, MS for releasing Outlook, users for not patching. For the real solution, see my sig.

    --
    Do not touch -Willie

  3. You know.... by Erik Hollensbe · · Score: 2, Interesting

    .. Windows' handling of this pisses me off and all that, but if these were ELF executables being tossed around that did the same thing (all of which is possible through a normal user account on most Unix machines), I doubt that we would be laughing so much. Especially those of you who administer 1000+ users with shell accounts...

    Just my $.02

  4. Availability by wishus · · Score: 1, Interesting

    Anyone know how widespread this is?

  5. Am I the only one...? by Wakko Warner · · Score: 2, Interesting

    ... who hasn't gotten a single one of these worms? I think the only one I got was the "I send you this file in order to have your advice" thing like 6 months ago. No Nimda for me, no Sircam, no other elite macro viruses. Are the people I converse with in email just cooler/smarter than everyone else, or is this whole email virus thing more hype than reality?

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"

  6. Windows == spammer? by pdqlamb · · Score: 2, Interesting

    Since this installs its own SMTP, does this mean any Windows machine can now become an open relay for some random spammer?

    Gag, I hope I didn't understand that correctly...

  7. I'm bracing for the big one. by JMZero · · Score: 2, Interesting

    These mail viruses have all been evolutionary steps. The big one will run straight from the preview pane, will send e-mails with no real signature, and will mimic other emails sent by that user.

    As a simpler step, these viruses should be hiding themselves within attached .EML files. That would get around the filters many companies have set up.

    --
    Let's not stir that bag of worms...

  8. When will we see the real worms? by tuxlove · · Score: 5, Interesting

    Windows is so easy to write worms for that we see a constant influx of simple stuff. Simple VB scripts, etc., can do a great deal of damage, and worm authors don't seem motivated to try harder because they don't have to. This new worm seems like a step in a scary direction, towards real sophistication. Depending on system services to propagate will not be easy forever, and I expect to see more worms with their own protocols (like SMTP) built in.

    The "optimal" worm is one in which all it needs is a thread of execution and access to basic OS APIs like sockets and elementary file access. You're not going to stop a worm from calling the most basic APIs, so the key to stopping worms (once all the fundamental holes are patched in Windows, if ever) seems to be not letting them have that thread of execution in the first place. Of course, there will always be lots of users willing to run unknown executables, but the less automatic, the better. Patching buffer overflows in IIS, etc., will only go so far because there will always be users ready and willing to execute email attachments. Until focus comes to bear on ways to keep unsophisticated users from doing this sort of thing, there will always be a cornucopia of devastating worms.

  9. This is funny. by JeremyYoung · · Score: 4, Interesting

    From the AP on Yahoo:

    Just last week, Microsoft's corporate security officer, Howard Schmidt, expressed frustration about continuing threats from overflows. ``I'm still amazed that we allow these things to occur,'' he said at a conference of technology executives. Schmidt is expected soon to resign from Microsoft to work for President Bush's top computer security adviser.

    Funny that SOMEONE at Microsoft is finally, publicly, admitting that there's a pattern to Microsoft vulnerabilities.

    --
    Go Lakers!

  10. Re:You don't get it by cscx · · Score: 2, Interesting

    IIS IS secure.

    It just ships in a default configuration that is about as tight as a gay man's asshole.

    IIS is an excellent piece of software. I've used it before, and I'll use it again. Remember Code Red, et cetera? Guess what? I didn't have to patch my servers because they were IMMUNE. IIS "flaws" are NOT part of IIS itself, but part of different add-on modules that should be easily removed by any knowledgeable sysadmin. Anyone knows that running script modules for everything in the world that you're not using is asking for trouble. IIS just ships that way for ease of use for the consumer. I can easily make IIS just as secure as Apache --- it takes about the same knowledge required to set up Apache.

    So quit the FUD.

  11. Quite a large list of offending extensions by mclearn · · Score: 5, Interesting

    See here for a discussion on the experiments of a particular fellow on finding a list of offending Windows extensions that are not unhidden even if "Show all extensions" is used.

  12. Built-in server virii by josquint · · Score: 1, Interesting

    Slick idea.. building in SMTP so it doesn't need an email client... one reason for making your SMTP server require a logon! Geez, I thought LAN hoppers like Nimda and the like spread quick...

    Anyone thought of a lightweight FTP server built into the virus? That would prove more interesting than CodeRed, everyone's machine would be a wide open anonymous FTP server. That random file sending crap's for the birds, let everyone see all your files!

    Er... what am I thinking? You don't need a virus for that, you need XP! :)

  13. Okay... so we can't fix the software or the users. by pi_rules · · Score: 5, Interesting

    It's still mind-boggling to me that companies don't have better policies in place for handling these situations. As another poster mentioned, using mail filters to strip attachments w/ dangerous file types is nice and all, but it isn't going to be 100% effective. Georgi Guninski released an example a while ago where filename.txt.{some big guid here} would look just like filename.txt on the desktop, but when opened you'd find it was HTML w/ an IE exploit inside. So... now you have to add a rule to your filter script to catch those, and hope that you knew about it before an exploit in the wild. Not 100% safe.

    Why are companies letting people thrash the mail system inadvertently and go on like nothing happened? This is a social problem, albeit one that has been made more prevalent by bad technology. So what if Outlook took out the double-click-run-and-destroy feature for attachments? Trojans would get mailed along w/ instructions on how to save to your disk and run the program. And some idiot would do it too.

    I'd much rather see corporations making their employees responsible for breaking things on the network. If the admin fscks up the entire system he'd be up to his knees in shit -- but the "users" are allowed to do it because they can claim ignorance? No thanks. Draw up some strict hard-line rules for your employees and get this crap taken care of. My personal suggestions would be:
    1. No using IE at work -- Netscape/Mozilla/Konq only. Far fewer vulnerabilities.
    2. No Outlook/Outlook Express for mail. Use Outlook -only- for calendaring functions. I'd personally like to see corps going back to how my old university did it. One Unix box w/ pine on it for users to read their mail. Use SMB to attach the user's /home dir to the Windows machine and let them save attachments that way. No HTML email viruses, no buffer overflows. Plain jane simple email.
    3. Running an attachment sent via email should be punished just as if the user walked in w/ a virus on a disk and ran it from home. And make them -work- to get that attachment to run.
    4. Forgo the use of the .doc format entirely. What's so bad with RTF? Do you -really- need to spend all this extra time authoring up nifty documents for internal use only? Sure, use .doc to interface with clients but keep its use limited.

    Sure, it's a bit drastic. But is productivity really benefiting from reckless use/abuse of insecure software? Must your employees use Outlook so they get that warm fuzzy feeling of being able to fiddle with all sorts of buttons on their screen? Why can't the computer be viewed like any other tool? If you don't know how to use it why in the world are you using it at work? I wouldn't dream of putting joe-schmoe on a forklift w/out some training, why put people w/ no training on a computer? If joe-schmoe runs the forklift into a wall you bet he'll get some heat for it. Run a virus though? Nah, everybody does that.. let it slide, let IT clean it up.
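    The two disguises raised in this thread, the run of spaces in the story summary and the filename.txt.{guid} trick in the comment above, both work on what the user sees rather than on what the shell will actually execute. The following is an added example, not code from Slashdot or from any poster, of the kind of gateway check a filter script could apply to attachment names: it reconstructs the effective extension after stripping the padding and the hidden CLSID suffix. The extension lists, the padding threshold and the GUID in the sample are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Extensions Windows will run directly when double-clicked (constructed list; tune for your site).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta"}
# Harmless-looking extensions that usually form the visible half of a double extension.
DECOY_EXTS = {"txt", "doc", "rtf", "pdf", "jpg", "gif", "bmp", "mp3", "htm", "html", "zip"}

# ".{GUID}" at the very end of a name: Explorer hides it and shows the name as if it ended earlier.
CLSID_RE = re.compile(
    r"\.\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# A run of blanks long enough to push the real extension out of view (threshold is an assumption).
PAD_RE = re.compile(r"[ \t]{4,}")


@dataclass
class Verdict:
    filename: str
    effective_ext: str   # what the shell acts on, not what the user sees
    reasons: list


def analyze_attachment_name(name: str) -> Verdict:
    """Work out the effective extension of an attachment name and list every disguise found."""
    reasons = []
    work = name
    m = CLSID_RE.search(work)
    if m:
        reasons.append("clsid-suffix")
        work = work[:m.start()]   # the visible part; the CLSID decides how the file is opened
    if PAD_RE.search(work):
        reasons.append("whitespace-padding")
    # Drop all blanks so "photo.jpg      .exe" is judged as "photo.jpg.exe".
    parts = re.sub(r"\s+", "", work).lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            reasons.append("double-extension")
    return Verdict(name, "clsid" if m else ext, reasons)


def should_quarantine(name: str) -> bool:
    """Gateway policy: hold anything executable or dressed up to look like it is not."""
    return bool(analyze_attachment_name(name).reasons)


if __name__ == "__main__":
    # Constructed sample names; the GUID is made up and is deliberately not a real CLSID.
    samples = [
        "minutes.txt",
        "photo.jpg" + " " * 60 + ".exe",
        "readme.txt.{12345678-abcd-ef01-2345-6789abcdef01}",
        "setup.exe",
    ]
    for s in samples:
        v = analyze_attachment_name(s)
        print(repr(s[:30]), v.effective_ext, should_quarantine(s), v.reasons)
```

    The check is deliberately conservative: a name is held as soon as any one trick is present, because the point of both tricks is that the displayed name tells the user nothing reliable.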
  14. Re:SMTP service? by mikey504 · · Score: 2, Interesting

    I haven't seen the source, but I'll take a stab:

    I believe that for a given mail address, bob@foo.com, the infected machine attempts to connect directly to the foo.com mailhost on port 25. This is what similar viruses have done in the past.

    I block and log outgoing connections to that port (among others) from our local network, so if something like this does get loose, we can at least be saved the embarrassment of having it go back out to our clients.

    So, for the inbound side, does anyone know of a free procmail-esque mail filtering solution for Exchange? I would LOVE to throw the Exchange server in the river, but it seems to have grown roots here what with the gee-whiz outlook integration, global address book and Schedule+ stuff.

    I don't like the "deny all of them" approach taken by the last security patch and we don't have the cash for one of the commercial filtering solutions.

    I hope to move us to IMAP + LDAP + CGI (for the calendar and scheduling stuff) in the near future.
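    The egress policy described in this comment (block and log outgoing port 25 from the LAN so that a worm with its own SMTP engine, or the open relay pdqlamb worried about above, cannot talk to the outside) produces a log that is worth reading, not just writing. The following is an added example, not code from Slashdot or from any poster, that reads constructed iptables-style LOG lines and singles out workstations fanning out to many mail hosts directly instead of through the site relay. The log format, the relay address and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of iptables-style LOG lines for TCP SYNs leaving the LAN through the gateway.
# Addresses come from documentation ranges; nothing here is a real capture.
SAMPLE_LOG = """\
Dec  1 09:14:02 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=1034 DPT=25 SYN
Dec  1 09:14:05 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=1035 DPT=80 SYN
Dec  1 09:15:11 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.20 PROTO=TCP SPT=2201 DPT=25 SYN
Dec  1 09:15:11 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.21 PROTO=TCP SPT=2202 DPT=25 SYN
Dec  1 09:15:12 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.44 PROTO=TCP SPT=2203 DPT=25 SYN
Dec  1 09:15:12 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.45 PROTO=TCP SPT=2204 DPT=25 SYN
Dec  1 09:15:13 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.20 PROTO=TCP SPT=2205 DPT=25 SYN
Dec  1 09:16:40 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=3301 DPT=25 SYN
Dec  1 09:17:02 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=3302 DPT=443 SYN
"""

MAIL_RELAY = "10.0.0.2"   # the only host that should speak SMTP to the outside (assumption)

FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one LOG line as a dict, or None if it is not a LOG line."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    fields["SPT"] = int(fields["SPT"])
    fields["DPT"] = int(fields["DPT"])
    return fields


def direct_smtp_attempts(log_text, relay=MAIL_RELAY):
    """Map each internal source to the distinct hosts it tried on port 25 while bypassing the relay."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["PROTO"] == "TCP" and f["DPT"] == 25 and f["DST"] != relay:
            attempts[f["SRC"]].add(f["DST"])
    return {src: sorted(dsts) for src, dsts in attempts.items()}


def suspected_mass_mailers(log_text, relay=MAIL_RELAY, min_targets=3):
    """A workstation fanning out to several mail hosts on its own looks like a built-in SMTP engine."""
    fanout = direct_smtp_attempts(log_text, relay)
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src, dsts in direct_smtp_attempts(SAMPLE_LOG).items():
        print(src, "->", ", ".join(dsts))
    print("suspects:", suspected_mass_mailers(SAMPLE_LOG))
```

    On a Linux gateway the lines above would come from a rule of the assumed form `iptables -A FORWARD -p tcp --dport 25 ! -d 10.0.0.2 -j LOG --log-prefix "EGRESS "` followed by the same match with `-j DROP`; a single host that reaches one outside mail server (10.0.0.9 here) is a policy question for its owner, while a host that tries four different mail hosts in two seconds is the one to pull off the network first.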

  15. Re:Visual Basic? by snake_dad · · Score: 3, Interesting

      It's funny all right. However there is an explanation that 5 years ago this was less feasible.

    Earlier we used to be suspicious only of very small executable attachments. Often that would be a virus. If someone mailed you a large executable attachment it would probably be a legitimate file. However after all the legitimate funny files that are sent to friends (you know, those cartoon like programs, or sheep floating on your desktop) nobody is surprised anymore about a rather large attachment.

      There have been so many 'harmless' funny files that people don't believe you anymore when you say "never open executable files!". Not to mention the fact that it's always "safe, because a friend sent it to me". Oh well...

    --
      karma capped .sig seeking available Slashdot poster for long-term relationship.

  16. That's why I don't use Windows! by Adrian Voinea · · Score: 2, Interesting

    My office is now 100% Window-less as of about 6 months ago, but we're instead 100% Mac OS X (currently 10.1). It's great. I don't miss Windows at all, and the myth that you "can't get applications for the Mac" is such a load of cr@p.
    In fact, the new Office for Mac OS X is, in my opinion, much BETTER than the Windows version.
    Networking has been faster, too, and that's important to us. You'd never believe it, but it's cheaper too. No more calling for technical support or having someone on duty to fix problems with our systems. You just don't need it with a Mac because the hardware and software is so well integrated.
    The machines themselves have been CHEAPER for us. $1199 iMacs as clients and G4s to handle some of the heavier loads. It's worked great.
    And by the way... that 22" Apple flat screen is not only beautiful for working with, but it impresses customers too. I know it seems like a detail, but people have gotten the impression we're an upscale successful business because they see those screens and comment on them.
    I know I seem like a troll ranting about this or that, but I just want to get the word out, because I'm a very pleased Apple customer... and I'm laughing at myself for ever having used Windows for so long.

  17. All that has already been done!!!!!!!! by Mr 44 · · Score: 2, Interesting

    1. Stop auto-execution of content within Outlook. Ideally, make it impossible to execute content from a mail reader.
    Done. With the (free) Outlook Security Update, or Office XP, all executable (exe, vbs, etc) attachments are hidden by the client.
    2. Stop designing operating systems where the default user account has write access to system binaries. Make it easy enough to do basic administration without formal administrator access that users don't run with administrator access by default (NT, W2K, XP desktop use).
    Done. Win2k and XP both have System File Protection, which prevents system binaries from being overwritten. And XP makes it much easier to set up non-admin user accounts. The "runas" command makes doing occasional admin tasks really easy.
    3. Build bounds checking into Visual C++, at least as an option. Require programs under development to be tested with bounds checking on in order to detect buffer overflows.
    Done! Look up the -GS option on Visual Studio.net
  18. Credit Card Processing by Anonymous Coward · · Score: 4, Interesting

    A Credit Card Processor, CCBill has been hacked and credit cards were stolen. No mention of it on Slashdot. Is it because the site runs Apache/PHP?

  19. Re:Okay... so we can't fix the software or the use by leonbev · · Score: 5, Interesting

    You've never done corporate IT support, have you? Even if you could convince the pointy-haired bosses to accept these draconian security restrictions, the employees would attempt to lynch you for it. Business people don't like being told what they CAN'T do! They aren't like apathetic college students, who usually care less about the rules (unless it affects their precious beer supply).

    If a manager (Or a sales guy, or an accountant, whatever) is used to using IE at home and sending e-mails with pretty fonts and pictures attached, they'll demand that they can do it at work. They'll want to be able to read Word attachments from outside sources, and share files with their co-workers. If you say no, they'll just keep complaining louder to your manager and your manager's managers until someone forces you to cave in to their demands. Most of your changes will get shot down, and you'll put up with a lot of grief in the process.

    Most users don't give a rat's ass about security, they just want to be able to do their jobs as quickly and easily as possible. If you try to get in their way, they'll fight you on every change until you get frustrated and give up.

    That's why it's important to make SMALL security improvements, and make them slowly. Start by blocking certain attachments on the server side, and continuously remind people not to click on unknown files. Make sure that your virus software runs automatic scans, and updates itself automatically. The users aren't going to do it for themselves, or at least not until they are already infected. Warn constantly, but never try to FORCE anything on your users unless it's absolutely necessary. The nastier you get, the more that they'll start ignoring you.

  20. no, knowledge to help. by Erris · · Score: 4, Interesting

    Remember, the men behind /. are kids fresh out of school, without any business tact (not that I've shown much, but I'm not being paid to be here...).

    Let's see, I'm 35 and work for a US national sized company. They have not fired me yet, so I must have some tact.

    I'm interested in all the Windows worms and I'm glad that Slashdot documents them. Here disasters that cost companies that trust M$ millions of $ are treated rather coolly, except by folks like me. You see, here I get to scream my head off about how stupid, irresponsible and incompetent the Exchange group is. You don't think I'd actually tell anything to the moron who "standardized" on Exchange then got clobbered by all this? I mean, they tried very hard. They spent all the company money on all the band-aid virus checkers, commercial mail filters and what not. Heck, they are still trying very hard to recover all the contacts, email, calendar events, daily journals and what not that contained the characters "hi" in them? Nah, they might get their feelings hurt if they learned how badly the company they trusted let us all down. Here I can scream it all out loud, share laments with others who suffer and more importantly, learn exactly why such things happen and why they will always happen when you do things the M$ way. Slashdot is teaching me with good and bad examples of how to do things. Shame on M$ for the way they do things. Here I can gloat and bitchslap trolls like you in a way that would get me shitcanned at work. When I'm finished learning good concepts and taking out my frustration on losers like you, I can gently suggest things to my co-workers that might improve the place I work. I don't have to gloat about new viruses, the NAV packs and viruses themselves do that for me.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.

  21. Slashcode another victim? by SilentChris · · Score: 3, Interesting

    "as well as using a bunch of spaces to disguise the true extension of the executable"

    You mean the same way some trolls are now hiding Goatsex links by putting a popular site in the front of the url (like Yahoo), having it show [yahoo.com] on Slashdot, then redirecting the user to Goatsex?

    Windows isn't the only one with flaws...

  22. Re:Okay... so we can't fix the software or the use by freeweed · · Score: 4, Interesting

    If a manager (Or a sales guy, or an accountant, whatever) is used to using IE at home and sending e-mails with pretty fonts and pictures attached, they'll demand that they can do it at work.

    If any of these employees wore a bathrobe to the office, and sat all day watching television, I'd fire their ass in no time flat. Yet they do this at home all the time.

    I don't mean to come off as a flame, as I agree for the most part with your post, but employees are paid to do a job, and to do as *I* the employer says with *my* equipment. A huge problem with email viruses is that because they're computer related, we somehow feel we shouldn't be able to hold employees accountable for their actions. If an employee doesn't want to lock his house door, fine. If he leaves my office door unlocked after hours, he's gone. When I tell an employee "DO NOT open email attachments" and they do, I'm sorry, but the employee is at fault.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.

  23. Outrageous by Anonymous Coward · · Score: 1, Interesting

    When I read this article I couldn't believe I was reading Slashdot. I didn't think some bad non-threat virus warning article would ever be posted to Slashdot.

    As a starter I can say that I work for an antivirus company as a virus analyzer. I have analyzed and written detection/repair for at least a few hundred viruses/worms/trojans.

    In regards to this article, I have to start by pointing out the fact that NOTHING in this worm is new. In fact, this worm is something I consider a non-threat.
    Secondly, this worm is written in VB. In other words, if you don't have MSVBVM60.DLL, the worm is not going to work.

    Clever bits include running its own SMTP service...
    Do you have any idea what it means to have its own SMTP service?? It takes roughly 40 lines of code to get your own "SMTP Service". It's so simple that it's hardly worth mentioning.

    No doubt countless copycats will soon follow...
    THIS IS A COPYCAT. Sircam for one has its own SMTP services, and Nimda uses the IFRAME exploit (and so do at least 20 worms released BEFORE this one).

    This is a copycat worm, written in Visual Basic, that introduces nothing new and will not spread.

    Sorry for posting anonymously, but I figured that was the safest thing to do...

  24. Picking out Microsoft software for my company. by synq · · Score: 2, Interesting

    In 1997 (I think; it could have been 1998 though) the company I work for, Delft Hydraulics, used Z-mail as the Windows platform e-mail client (they used popmail, a text-based e-mail client, on DOS).

    I was presented with the task of picking out a browser and an e-mail client for the Windows 95 platform we were preparing to roll out (about 400 computers used by the people that design dykes and harbours for places all over the world).

    I knew some software but to be fair I started looking around for all kinds of e-mail packages and browsers. Z-mail was not really an option because it was unstable and required a lot of RAM. After playing around with some five or six different e-mail packages the choices became evident.

    The advantage of having a browser e-mail combination ruled out all of the separate e-mail programs, not that I found a lot of great ones. (Pegasus, Z-mail, pine, IMC and Eudora were all missing some functionality I wished for our company.)

    So the choice was between Microsoft's Internet Explorer in combination with Outlook Express (I never considered Outlook an option since we use sendmail for mail exchange from the early beginnings of the internet in the 80's) or Netscape Communicator (including Navigator, Mail, Calendar and some more stuff).

    I summed up the advantages and disadvantages for all products and stated that the software of my choice was the Netscape package.

    But, my superiors ruled out Netscape. They did not want to pay $50,- per computer for 'just a browser and an e-mail package' when they could get Internet Explorer and Outlook Express for 'free'. Back then I was in no position to tell them the $50,- was really worth not using all software of one vendor. Today I could, but not back then. So am I to blame for getting Outlook Express into the company?

    1 month after we started to roll out Windows 95 everywhere the Netscape Communicator package was suddenly available at no cost. But by then Netscape had lost and Microsoft had put its monopoly foot deep into our company.

    We are still using Windows 95 with Microsoft Office and Internet Explorer and Outlook Express to this very day. All email virus and worm checking is performed by our e-mail server, and a strong firewall in combination with PC virus-checking software should keep browser viruses out.

    --
    sig not found