Clever New Windows Worm

freakboy303 sent in linkage to a new worm that will no doubt be cluttering our inboxes soon. Clever bits include running its own SMTP service to increase chance of success, as well as using a bunch of spaces to disguise the true extension of the executable. No doubt countless copycats will soon follow and our inboxes will be cluttered by countless copies of the thing. Not that there's a problem with windows security.

When will we see the real worms?

[tuxlove]

Windows is so easy to write worms for that we see a constant influx of simple stuff. Simple VB scripts, etc., can do a great deal of damage, and worm authors don't seem motivated to try a harder because they don't have to. This new worm seems like a step in a scary direction, towards real sophistication. Depending on system services to propagate will not be easy forever, and I expect to see more worms with their own protocols (like SMTP) built-in.

The "optimal" worm is one in which all it needs is a thread of execution and access to basic OS APIs like sockets and elementary file access. You're not going to stop a worm from calling the most basic APIs, so the key to stopping worms (once all the fundamental holes are patched in Windows, if ever) seems to be not letting them have that thread of execution in the first place. Of course, there will always be lots of users willing to run unknown executables, but the less automatic, the better. Patching buffer overflows in IIS, etc., will only go so far because there will always be users ready and willing to execute email attachments. Until focus comes to bear on ways to keep unsophisticated users from doing this sort of thing, there will always be a cornucopia of devastating worms.

This is funny.

[JeremyYoung]

From the AP on Yahoo:

Just last week, Microsoft's corporate security officer, Howard Schmidt, expressed frustration about continuing threats from overflows. ``I'm still amazed that we allow these things to occur,'' he said at a conference of technology executives. Schmidt is expected soon to resign from Microsoft to work for President Bush's top computer security adviser.

Funny that SOMEONE at Microsoft is finally, publicly, admitting that there's a pattern to Microsoft vulnerabilites.

Quite a large list of offending extensions

[mclearn]

See here for a discussion on the experiments of a particular fellow on finding a list of offending Windows extensions that are not unhidden even if "Show all extensions" is used.

Okay... so we can't fix the software or the users.

[pi_rules]

It's still mind-boggling to me that companies don't have better policies in place for handling these situations. As another poster mentioned using mail filters to strip attachments w/ dangerous file types is nice and all, but it isn't going to be 100% effective. George Guninski released an example a while ago where filename.txt.{some big guid here} would look just like filename.txt on the desktop, but when opened you'd find it was HTML w/ an IE exploit inside. So... now you have to add a rule to your filter script to catch those, and hope that you knew about it before an expoit in the wild. Not 100% safe.

Why are companies letting people thrash the mail system inadvertantly and go on like nothing happened? This is a social problem, albeit one that has been made more prevalent by bad technology. So what if Outlook took out the double-click-run-and-destroy feature for attachments? Trojan's would get mailed along w/ instructions on how to safe to your disk and run the program. And some idiot would do it too.

I'd much rather see corporations making their employees responsible for breaking things on the network. If the admin fscks up the entire system he'd be up to his knees in shit -- but the "users" are allowed to do it because they can claim ignorance? No thanks. Draw up some strick hard-line rules for your employees and get this crap taken care of. My personal suggestions would be:

1. No using IE at work -- Netscape/Mozilla/Konq only. Far fewer vulnerabilities.
2. No Outlook/Outlook Express for mail. Use Outlook -only- for calendering functions. I'd personally like to see corps going back to how my old university did it. One Unix box w/ pine on it for users to read their mail. Use SMB to attach the user's /home dir to the Windows machine and let them save attachments that way. No HTML email viruses, no buffer overflows. Plain jane simple email.
3. Running an attachment sent via email should be punished just as if the user walked in w/ a virus on a disk and ran it from home. And make them -work- to get that attachment to run.
4. Forgo the use of the .doc format entirely. What's so bad with RTF? Do you -really- need to spend all this extra time authoring up nifty documents for internal use only? Sure, use .doc to interface with clients but keep it's use limited.

Sure, it's a bit drastic. But is productivity really benefiting from wreckless use/abuse of insecure software? Must your employees use Outlook so they get that warm fuzzy feeling of being able to fiddle with all sorts of buttons on their screen? Why can't the computer be viewed like another other tool? If you don't know how to use it why in the world are you using it at work? I wouldn't dream of putting joe-schmoe on a fork life w/out some training, why put people w/ no training on a computer? If joe-schmoe runs the fork-lift into a wall you bet he'll get some heat for it. Run a virus though? Nah, everybody does that.. let it slide, let IT clean it up.

Credit Card Processing

A Credit Card Processor, CCBill has been hacked and credit cards were stolen. No mention of it on Slashdot. Is it because the site runs Apache/PHP?

Re:Okay... so we can't fix the software or the use

[leonbev]

You've never done corporate IT support, have you? Even if you could convince the pointy-haired bosses to accept these draconian security restrictions, the employees would attempt lynch you for it. Business people don't like being told what they CAN'T do! They aren't like apthetic college students, who usually care less about the rules (unless it affects their precious beer supply).

If a manager (Or a sales guy, or an accountant, whatever) is used to using IE at home and sending e-mails with pretty fonts and pictures attached, they'll demand that they can do it at work. They'll want to be able to read Word attachments from outside sources, and share files with their co-workers. If you say no, they'll just keep complaining louder to your manager and your manager's managers until someone forces you to cave in to their demands. Most of your changes will get shot down, and you'll put up with a lot of grief in the process.

Most users don't give a rats ass about security, they just want to be able to do their jobs as quickly and easily as possible. If you try to get in their way, they'll fight you on every change until you get frustrated and give up.

That's why it's important to make SMALL security improvements, and make them slowly. Start by blocking certain attachments on the server side, and continously remind people not to click on unknown files. Make sure that your virus software runs automatic scans, and updates itself automatically. The users aren't going to do it for themselves, or at least not until they are already infected. Warn constantly, but never try to FORCE anything on your users unless it's absolutely necessary. The nastier you get, the more that they'll start ignoring you.

no, knowledge to help.

[Erris]

Remember, the men behind /. are kids fresh out of school, without any business tact (not that I've shown much, but I'm not being paid to be here...).

Let's see, I'm 35 and work for a US national sized company. They have not fired me yet, so I must have some tact.

I'm interested in all the windows worms and I'm glad that Slashdot documents them. Here disasters that cost companies that trust M$ millions of $ are treated rather cooly, exept by folks like me. You see, here I get to scream my head off about how stupid, irresponsible and incompetent the exchange group is. You don't think I'd actually tell anythig to the moron "standardized" on Exchange then got clobbered by all this? I mean, they tried very hard. They spent all the company money on all the band-aid virus checkers, comercial mail filters and what not. Heck, they are still trying very hard to recover all the contacts, email, calender events, daily journals and what not that contained the characters "hi" in them? Nah, they might get their feelings hurt if they learned how badly the company they trusted let us all down. Here I can scream it all out loud, share laments with others who suffer and more important, learn exactly why such things happen and why they will always happen when you do things the M$ way. Slashdot is teaching me with good and bad expamples of how to do things. Shame on M$ for the way they do things. Here I can gloat and bitchslap trolls like you in a way that would get me shitcanned at work. When I'm finished learning good conceptes and taking out my frustration on loosers like you, I can gently suggest things to my co-workers that might improve the place I work. I don't have to gloat about new viruses, the NAV packs and viruses themselves do that for me.

Re:Okay... so we can't fix the software or the use

[freeweed]

If a manager (Or a sales guy, or an accountant, whatever) is used to using IE at home and sending e-mails with pretty fonts and pictures attached, they'll demand that they can do it at work.

If any of these employees wore a bathrobe to the office, and sat all day watching television, I'd fire their ass in no time flat. Yet they do this at home all the time.

I don't mean to come off as a flame, as I agree for the most part with your post, but employees are paid to do a job, and to do as *I* the employer says with *my* equipment. A huge problem with email viruses is that because they're computer related, we somehow feel we shouldn't be able to hold employees accountable for their actions. If an employee doesn't want to lock his house door, fine. If he leaves my office door unlocked after hours, he's gone. When I tell an employee "DO NOT open email attachments" and they do, I'm sorry, but the employee is at fault.