Slashdot Mirror
Sharpei Virus Written In C#
josepha48 points to a CNET article on a new worm written in C# and partly aimed at the .Net framework, excerpting: "On Friday, antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework."
One would think that Microsoft would have learned by now...
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
.net isnt even done and it is going to start getting ripped apart by the media ;]
It's a worm spread by mail via Outlook 2000 or earlier (Outlook XP strips executables) or Outlook Express that will overwrite some .NET core components. (and only when the user is able to do that, thus has the right to overwrite the file).
.net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.
The virus is _NOT_ a
Never underestimate the relief of true separation of Religion and State.
A virus that tries to infect the .NET framework. Wow... Like we didn't see it coming, what with the hatred of Microsoft and all. Whoever wrote it could've thought of a better name though.
Just because you can't, doesn't mean you shouldn't.
As usual poor code/data seperation..
They will never learn untill their platform is smashed into little bits by some hacker..
If the attachment is opened, then the worm uses the Outlook address book to send messages--with a copy of the virus attached--to every address in the book. It then deletes the e-mails from the sent folder and removes the copy of itself.
.NET exe files won't run unless the framework is present. They are "dead" exes that do nothing when double clicked. So the question is... is the bulk mailer part native code or
On PCs loaded with Windows XP and other
This *additonal* behavior that affects
If you actually step outside of the 'yet another microsoft virus' mindset you might be frightened more by the concept, although simple. Why hasn't someone (or has some one) created a virus that attacks the JRE. You could pretty well attack a large number of people by either A) attacking/modifying the JRE or B) Piggybacking java bytecode into other applications. Wouldn't one of these be just as damaging and at the current time even more wide-spread in their effect? Just a couple of thoughts.
it AMAZES ME, that the security analysts who keep saying there is no such thing as a unhackable system heap laud and praise on every "unhackable *" released. the hypocrisy is not only unprofessional, but it's a grave disservice to people that look to them for direction in securing their networks. remember, there is no such thing as a perfectly secure system, we try, but we are human and thus we fail (And learn). as much as I hate to say it, to an extent the crackers do us a service by keeping us honest. and we do the world a service by trying to send them to jail.
a bit more about me http://www.advogato.org/person/trelane/ or my private page http://trelane.net
My ex had a half sharpei, half lasso apso. I never could tell which end it ate from.
A worm named after a breed of dogs, cute. Does it get you in the heart?
Desperation is a stinky cologne
Let's try your karma whoring strategy:
It's NOT a pink elephant!
Just trying to clear up a potential misunderstanding here: The Sharpei Virus is a worm spread by MAIL via Outlook. It has NOTHING to do with elephants, mammals in general, or any kind of pink lifeform. The virus may overwrite some files if the user has write access to them, but rest assured that you won't have to deal with 10,000 pounds of pink flesh suddenly appearing in your computer room.
I just looked at the Symantec write up for W32.HLLP.Sharpei@mm and from what I read its primarily just another social engineering email-with-executable-attachment worm ("Please run this MSFT update") which happens to use C# in some of the code it runs after it has 0wn3d your machine.
The fact that the worm tries to run a C# executable after it has already compromised the machine is not much of a technical feat since it could run anything including a Perl script, Java program, Lisp code, etc as long as the runtimes were available on the target machine.
Disclaimer: The opinions expressed in this post are mine and mine alone and do not reflect the opinions, wishes, strategies or intentions of my employer.
They take all of the power of Java and then throw in all of the security vulnerabilities of C/C++. It's only inevitable that C# is going to cuase all sorts of headaches for people like me (Security professionals).
Wherever you go, there I am...
They prefer the term "a few wrinkles here and there"
Ergonomica Auctorita Illico!
And guess what? It's implemented in C#. And when run, it will screw up other folders on the system. Imagine, if you will, a computer language, somewhere, that somehow, could not be used to write this virus. I'm drawing a blank, but I'm sure there will be lots of +5 funny responses.
Since my current sig just confuses everyone anyway, maybe I should change it to "$5 for a thousand pages of this!?" and save everyone the typing.
Go to sleep for gosh sakes. You've been posting since Noon yesterday.
Seems to me this is more like a proof of concept virus, like that one that was written in Flash a while back, demonstrating the kinds of things that COULD happen should Outlook's holes and bugs not be patched up.
The message body is actually a very misleading one though... I mean, who wouldn't wanna speed up Windows by 50% and make it more secure? We can't get that kind of update, even out of Microsoft!
There are only 10 kinds of people in this world... those who understand binary and those who don't
I worry about SSSCA.
If it goes through, virii would definitely fall under the category of 'interactive digital devices'.
It will be illegal to write or transmit a virus unless it contains 'approved security measures'.
Any attempt to circumvent a virus' protection mechanism, or communicate to others the nature of a virus or possible defences against it, will be a criminal offence punishable by law
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
This is actually a win32 worm, with a .net virus payload.
.Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again."
.net half is a true virus, and spreads among .net executables.
" On PCs loaded with Windows XP and other
The
Its a program designed to advertise the amazing new security features built into the incredible .net framework!
Similarly, LSD is capable of demonstrating the incredible new navigation (flight) features of Windows XP, and my assault rifle is useful to demonstrate windows new, millisecond speed shutdown procedure (along with security lock to ensure that no one who is not unauthorized won't be able to boot the machine).
Its the best, isn't it?
I should be on MS's marketing staff.
Mod me down and I will become more powerful than you can possibly imagine!
Holy crap....you're right. I guess he never sleeps. Hey... job dedication I guess. Thats what we're going to be paying for, right?
A successful widespread virus attack proves that there are actually .NET users out there.
If no one attacks or cracks a software it's mostly not worth anything. To believe that it can't be successfully attacked is naive anyway.
Overall, viruses bring free publicity and prove the point that the product is a roaring success.
BTW: Who wants to be left out when all your friends have been hit by the new naughty Kournikova virus? There will be little left to discuss over a few beers.
A true test of the MS environment, at e-Week:8 &a=23115, 00.asp
http://www.eweek.com/article/0,3658,s=70
Yes, I had the same need... in order to test a virus scanner I mailed BO2k to see how it worked. :)
It wasn't necessary though; every virus scanner should react to the EICAR anti-virus test file (she here). So if any of you ever need to test a virus scanner and have some management guy brething in your neck and raving about how using a real virus can compromise security use the EICAR file. Just mail him the virus personally by another mail gateway after that just to prove your point
fsm
Don't click on executable attachments in your email.
Please. (Outlook team: Please don't execute everything I click on)
Also. Don't send me messages that are really just plain text in either html or word document format.
Coding Blog
Stefan Esser, who is also a member of the PHP team, found several flaws in the way PHP handles multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.
For PHP3 flaws contain a broken boundary check and an arbitrary heap overflow. For PHP4 they consist of a broken boundary check and a heap off by one error.
For the stable release of Debian these problems are fixed in version 3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4.
For the unstable and testing release of Debian these problems are fixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4.
There is no PHP4 in the stable and unstable distribution for the arm architecture due to a compiler error.
We recommend that you upgrade your PHP packages immediately.
Eat that, Microsoft haters.
hey, you took my advice! Thanks, friend!
it seems this is not a true .net virus but it does bring up some interesting possibilities regarding the gnome project. ximian has professed to wanting gnome 4 to use the .net framework. so either they'll code it in such a way to avoid all the security issues in microsoft's .net, or they'll have the same security issues.
.net implementation avoids security issues it's a pr disaster for microsoft. ditto if it has the same bugs as it will show a design flaw in .net.
in some ways either "wins." if the main linux
otoh it will "lose" - anti-virus companies will be against linux for taking away their product stream. and if the same security flaws show up then it removes a major distinguishing item from a linux desktop.
US Citizen living abroad? Register to vote!
Something about the wording suggests to me that this worm is intended to target only very stupid people. Does anybody reading this actually have friends who write emails like that?
Hrm. I don't seem to ever hear about any viruses for the Java platform, even though it would theoreticaly be possible.
And what about perl!?
autopr0n is like, down and stuff.
Outlook 2000 also strips those executables if you security patches that have been available for almost 2 years. This may be true of Outlook 98 as well. These patches also block the mass-mailers, so the only reason the mass-mailers exist is that people are running older versions of Outlook (97 and earlier) or not patching their current versions.
shell "FORMAT C:|Y"
When was the last time microsoft announced a security problem before there was a known exploit in the wild?
D.
Damian Conway wrote a piece of obfuscated code called SelfGOL that was several programs connected together. The primary one was the Game of Life, but among other tricks was it was a virus that could infect other Perl programs.
If you have basic technical skills you should now be able to find it, and extract the source-code. Figuring out how to get it to infect things might be harder, and figuring out the source-code is definitely harder.
However, respecting Damian's wishes, I will not explain any of these things on the Internet. He doesn't want a basic "proof of concept" turned into a real virus.
designed to infect computers loaded with the .Net framework."
.NET virus.
With the proper diligence, and a competent admin -- NO computer should ever be infected with the
Only a boob could ever allow such a thing to occur.
... heheh now this is a meme I like... if only i controlled the Media, I could infect billions with this simple mind-virus.
Muahahahahhahah
"Code Red"
The Sercurity Pacth was available in June. The Worm hit in August/September.
Let's see.
Code Red
Code Blue
Nimda
ILOVEYOU
Papa
BadTrans
Anna
And this list continues.
Sharpei exploits a "hole" in Outlook that was patched over two years ago. If you don't patch, you're still vulnerable, so what do you do short of driving across the country and cramming patches down people's throats? Do you think everyone in the world has already patched their PHP problems? Can you answer that question?
I had all my production servers, my home server, and my laptop patched within 30 minutes of reading about this PHP problem. That's the big difference between open source and closed source security. I don't have to wait six months for Microsoft to get around to fixing it (usually they get it right on the second or third patch).
Eat that, Microsoft loverslojack is to unix as an idling car in south central LA is to microsoft
Some might say "making things easy encourages mistakes." If any two bit script kiddie can jump in and write a powerful virus, than I would argue for making it harder to write code. It's not bad to make software engineers and developers stop to think carefully about how they are doing things. Maybe then management won't be as tempted to set unreal development schedules, thereby increasing the time for QA and producing higher quality applications. Using a tool that promotes itself as "super fast and easy" will only give management more reasons to shorten development cycles and make more bad code faster :)
At that point in time, they will con(vince) the government that virus-writers are terrorists, that terrorists are per default trying to kill people and destroy the economy and that as a result of that, that the government should invoke the death penalty for all virus writers.
Of course the upside of that, is that it only takes very little effort to prove, that Windows is a virus, and that every OS writer at Microsoft should be put against the wall and shot.
We do not live in the 21st century. We live in the 20 second century.
More successful virus writers use Microsoft compared to any other operating system. You too can be a successful virus writer. Get in on the cutting edge made by a company that knows how to mess with people.
[/sarcasm]
etc.
I just call all of these these Microsoft viruses. Makes life much easier.
"It is a greater offense to steal men's labor, than their clothes"
I sugguest you read Fletcher's "The Myth of Jury Nullification" (IIRC, that's the title).
Anarchy$ dd if=/dev/random of=~/.signature bs=120 count=1
Those security issues existed since PHP 3.0, no you didn't have to wait months, more like years.
Theres a difference between waiting for an update once the problem/hole is public and waiting for an update for a problem/hole nobody knows about....
:)
....you fucking idiot
The article doesn't get any of the terminology right, so I wouldn't put too much stalk in anything they say.
It is neither a virus or a worm, though they seem to think the two terms are interchangeable
It is a trojan horse. As a point of education:
1) A Virus attaches itself to a host program, and does not necessarily require user interaction to infect additional files (e.g. it may attach to an OS device driver or other system program.) It may be attached to an application, but no coaxing is done to get the user to run it. It simply waits for the user to do so, and then goes about it's business.
2) A Worm is a stand alone program that makes it's way through a system
3) A Trojan horse is a program that is sent to an ignorant user, and requires them to run the program. It may appear to be a program of another sort - hiding it's behaviour - or it may immediately and blatantly do it's thing. Solicitation like the E-Mail body is always a component of a Trojan horse. The fact that it is an E-Mail attachment in no way makes this a virus. It spreads only with the help of user interaction and involves the direct solicitation of said action. It is fundamentally undifferentiated from an E-Mail asking someone to download an
Come on folks
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
By default, the .NET framework will not run untrusted code and allow it to do anything of note.
You will notice that the host EXE being sent over email is native x86 code, NOT MSIL. Therefore, it has no security permissions of note.
If you were to attempt to write a pure-C# virus and mass-email it, you wouldn't get very far as the user would actually have to tell the framework to grant execute permissions to the downloaded code.
I even have to grant permissions to the files I myself write with Visual Studio.NET; they won't execute by default.
Lastly, Outlook 2000 w/security patches and Outlook XP both automatically disallow the user to download or execute EXE attatchments, period. Unfortunately, this makes it a hassle having to ZIP all EXE files before sending them (and VBS files, etc.), but that's a small price to pay to protect us from idiot users. My only complaint with Outlook security is that Outlook Express does not do this by default.
I think Microsoft is doing a better job these days; they still have things to address of course. Sometimes I think people just misunderstand though... calls for the removal of VBScript are like asking *nix distributors not to ship Perl with their installs; its kind of silly.
Fortunately, with XP Home, you don't have a bunch of home users running as Admin all the time; I think that's a big key right there.
Natural != (nontoxic || beneficial)
Still doesn't work with Mozilla, twerp.
This is totally dumb. The SSSCA is certainly a bad idea, but it's meant to force copy control mechanisms in hardware. It has nothing to do with this!
What do you mean biblical?
Fire and brimstone raining down from the sky
40 days of darkness
Earthquakes, floods
Cats and dogs living together, mass hysteria
;)
Gratuitous but obligatory ghostbusters moment to get your Monday* off to a good start...
*Okay, in the name of Geek Correctness, feel free to adjust the local, horribly provincial, time reference to match your currently preferred time/space coordinates.
My point was that the basic philosophy of Microsoft to security is that a security hole is not a problem until there is an exploit. Thus the previous authors comment about PHP, and the announcement of a security issue with no known exploit in the wild, in fact pointed to a strength in Open Source development rather than a weakness.
D.
Outlook2000 has a patch entitled "Fix stupid user", which prevents users from opening attachments. Outlook XP ships this way by default.
.EXE, the patch pops up when things connect to the Outlook COM objects and says "Hey, this thing is trying to send email.. is that ok dummy?"
Granted, the patch also does some useful things like changing the profile under which email is viewed to Restricted Sites Zone, thus disabling active scripting, etc.
And if some user still insists on running that
Wrong. CodeRed and others replicated through a security error in IIS, not in outlook (sorry to say, guy, you dont have a clue). The patch for IIS administrators was our a long time before Code Red hit. And wonder what? Code Red still tries to infect web servers all around the country. The number of idiots on this planet is monumental.
Bookmark this silly comment and watch the fun.
Fact: This is no exploit for the PHP bug mentioned by the author to which I responded
My Opinion: This points to a strength in Open Source development in that it demonstrates a willing to address security issues in a rapid and timely manner. Something that I find lacking in Microsoft.
Frankly, I don't a shit how many idoit sys admins are still infected by CodeRed. My point was to point out that the original author threw out as an insult of the open source development model something that sane people would consider a strength.
D.
if an external program (including any of these mass-mailer scripts) tries to send mail you are prompted to allow or deny the operation. After some period if you don't respond it times out and denies the mailing.
Of course, .NET support in GNU/Linux would make it that much easier to port a .NET virus when one finally is made...
I'm just glad to hear that C# is flexible enough to write viruses in. My job was considering not using C# due to flexibility concerns, but this virus has put all of our fears to rest. Haha.
lojack is to unix as an idling car in south central LA is to microsoft
That makes no sense. Car theft and security have no direct logical relationships with computer operating systems. Your analogy is twisted out of shape. You should have said
"unix is to microsoft as lojack is to idling a car in south central LA."
But are .NET virus's really a bad thing? Okay, so this isn't a virus, and the fact that it is related to .NET might not even be saying anything about.NET itself (it being an attachment worm), but, would someone please, or many people, start exploiting .NET, so that it doesn't get popular.
Do we continue to chang Microsoft's favorite slogan: "1 degree of separation"? Which starts to sound like "less protection"...and if it's really so easy to use...well...might make people wish for the old days with non-standard standards ;)
What is your Slash Rating?
what's a preview button anyway?
What is your Slash Rating?
From reading the article, it seems that this is a win32 worm that patches security components in the .NET runtime before running a damaging .NET application. A program similar to this written in Java would have several disadvantages:
.EXE to disk and then manually run it.
.NET support, this situation won't last long. Soon everyone will have a .NET runtime on their machine whether they're aware of it or not. And, these will be the same machines that are running Outlook.
.NET runtime components in well-known places so this isn't a problem when making hostile C# patches. A worm written in Java would probably have to lug around its patched JRE with it- making it too heavy to spread very far.
:)
.NET runtime is so easy to patch using a little native code, means that MS has to seriously rethink its strategy of what types of mobile code are allowed to run.
1. It has no natural vector. Outlook serves well as a vehicle for socially engineered worms/viruses because it automates the execution of mobile code that arrives in attachments. The recipient only has to click on an attachment, and there is no way to know what it does unless you already know what it is. People using non-MS mail clients have to save an
2. The JRE doesn't have Microsoft's assistance in getting onto every shmoe's machine out there. While XP doesn't currently have
3. The security concerns surrounding Java and C# are quite similar. Either runtime can have a patch applied by wily native code. However, the average target machine will not have a JRE simply because it's a non-MS technology- it's not "part of the OS". (You won't find the old MS JVM on an XP machine.) If it does have a JRE, it will be deployed in the arbitrary directory that the user installed it into, which is unknown to the worm code unless it scans the disk. IIRC Microsoft puts the
4. The people who write worms won't pay any attention to Java as long as C# is around.
Of course, if the executable is running with no security manager in place, you can do whatever you want even if the runtime isn't patched. I can write a Java class that does a Runtime.exec() of anything I want, and send it to you. If you execute it as an application, it has no problems. I don't know personally what security constraints are placed on C# arriving in an Outlook attachment, but I can imagine they would be roughly similar to the constraints browsers place on applets. The fact that security constraints can't easily be placed on incoming native code, and the fact that the
how does one pronounce that? Is it C-pound? C-number? C-two sets of lines at near-right angles?
This is an example of an increasing bias in Cnet and Zdnet reporting - the desire to push out information as fast as possible and as loosely checked as possible grows daily.
/. team to task a little - a small amount of research would have seen that the virus may be the first written in C# but its not designed to attack .NET. It makes use of some .NET frameworks components to spread but its simply a mass mailing worm and an exe file to boot, it creates a VBS.
.exe and .vbs into your environment in any form your not qualified to work in it.
But i have to take the
Now to look at at that in another way.
1. Systems vulnerable to this are 2 years behind the curve - if you still allow
2. Not keeping virus scanners up to date is asking for it
3. These guys simply did the invitable and made a virus in the new language - its been done with every language and OS platform since computers began and will no doubt continue.
I dont want to attack anyone but i would suggest that we might all be benefited by spending 5 minutes researching before we comment (and to the anti MS crowd - if you cant be bothere finding out the truth dont comment - to be honest the attacks on every mention of microsoft is getting tedious and pointless and i suspect is driving people away from open source - enough is enough - you dont like MS - they are evil - we know so dont keep telling us)
It depresses me that the level of technical discussion of anything non linux on here is lower than a snakes arse - i wish we could see the same passion that is applied to Kernal Updates applied to other areas.
Editors - check your sources please !!
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
What took them so long? I mean... really.
-iie1195
"Audaces fortuna juvat"
In a situation where the user's op sysytem is unknown, VBscript is far more efficient. It cannot mess with .net framework, howvwer it can essentially do the same job.
(ex. Plancolumbia and Iloveyou)
lol, i don't think so!
If these virus writers were really against MS, they would have named the virus .Net, which reallyl would mess with the heads of corporate management teams. I could imagine something like that slowing down the adoption of .Net in the corporate world.
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
ARIEL!!!!!!!!!!!
(what?)
KURUZZZZzzzzzzzZzZZZzzzzz!!!!!
Well, sorry guys, I'm testing something.. oh, and I'm looking for a girlfriend. For more information: CooK4Me