Slashdot Mirror


Sharpei Virus Written In C#

josepha48 points to a CNET article on a new worm written in C# and partly aimed at the .Net framework, excerpting: "On Friday, antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework."

12 of 242 comments

  1. It's NOT a .NET virus! by Otis_INF · Score: 4, Informative

    It's a worm spread by mail via Outlook 2000 or earlier (Outlook XP strips executables) or Outlook Express that will overwrite some .NET core components (and only when the user is able to do that, thus has the right to overwrite the file).

    The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.

    --
    Never underestimate the relief of true separation of Religion and State.

    1. Re:It's NOT a .NET virus! by Masa · Score: 5, Informative

      > The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.

      Here is a description by F-Secure and it claims that one part of the virus is actually using .NET:

      http://www.fsecure.com/v-descs/blunt.shtml

  2. Read the technical details at Symantec by Carnage4Life · Score: 5, Informative

    I just looked at the Symantec write-up for W32.HLLP.Sharpei@mm and from what I read it's primarily just another social engineering email-with-executable-attachment worm ("Please run this MSFT update") which happens to use C# in some of the code it runs after it has 0wn3d your machine.

    The fact that the worm tries to run a C# executable after it has already compromised the machine is not much of a technical feat since it could run anything including a Perl script, Java program, Lisp code, etc. as long as the runtimes were available on the target machine.

    Disclaimer: The opinions expressed in this post are mine and mine alone and do not reflect the opinions, wishes, strategies or intentions of my employer.

  3. Re:What about Java virii? by InfoSec · Score: 5, Informative

    The problem is that the JRE has a security manager which, unless the user mucks it up, won't allow virii to access the local machine or resources (i.e. address book).

    --

    Wherever you go, there I am...

  4. Re:What about Java virii? by jaavaaguru · Score: 5, Informative

    The JRE lives in a directory where normal users don't have write permission. This is definitely the case in UNIX/Linux and our Win NT based machines at home are also set up this way. If someone installs something into a directory that is world writable, then they should be prepared for these kinds of things to happen. If an OS insists on putting important things in silly places, then maybe software manufacturers for that OS should make their users aware of this and possibly change the permissions on directories after their software has installed? If Windows XP treats users as dumbasses, why should these same users be expected to know anything about securing their system?
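The point made here, and in the first comment, is that a worm can only overwrite runtime components where the invoking user has write access to them, which is something an administrator can audit. The following Python script is an added example written for this page, not code from the thread or from any vendor: it walks an install tree on a POSIX system and reports every file or directory whose mode bits let group members or everyone write to it. The tree it audits is a constructed throwaway directory built by `build_demo_tree()`, so the script runs offline; the directory and file names in it are invented for the example.

```python
import os
import shutil
import stat
import tempfile

# Mode bits that let someone other than the file's owner modify it.
# A worm that overwrites runtime components can only do so where the
# invoking user (or every user, for world-writable paths) has write access.
LOOSE_WRITE_BITS = (
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IWGRP, "group-writable"),
)


def loose_write_bits(path):
    """Return the names of any write bits on `path` that reach beyond its owner."""
    mode = os.lstat(path).st_mode
    issues = [label for bit, label in LOOSE_WRITE_BITS if mode & bit]
    # A world-writable directory with the sticky bit set (like /tmp) still lets
    # anyone create files there; flag it, but mark it as the lesser problem.
    if stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and (mode & stat.S_ISVTX):
        issues = [i + " (sticky)" if i == "world-writable" else i for i in issues]
    return issues


def audit_tree(root):
    """Walk an install tree; return {relative path: [issues]} for every entry
    a non-owner could modify. An empty dict means the tree is owner-only."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for entry in entries:
            issues = loose_write_bits(entry)
            if issues:
                findings[os.path.relpath(entry, root)] = issues
    return findings


def build_demo_tree():
    """Create a throwaway tree that imitates a runtime install directory.
    Constructed sample data for this example, not a real framework layout."""
    root = tempfile.mkdtemp(prefix="runtime-audit-")
    os.chmod(root, 0o755)
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o755)
    # Correctly installed component: only the owner can write it.
    good = os.path.join(bindir, "core.dll")
    with open(good, "wb") as fh:
        fh.write(b"placeholder bytes")
    os.chmod(good, 0o644)
    # Mis-installed component: anyone on the machine could overwrite it.
    bad = os.path.join(bindir, "helper.dll")
    with open(bad, "wb") as fh:
        fh.write(b"placeholder bytes")
    os.chmod(bad, 0o666)
    # A plugin directory left world-writable: anyone can drop a file into it.
    plugins = os.path.join(root, "plugins")
    os.mkdir(plugins)
    os.chmod(plugins, 0o777)
    return root


def run_demo():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_demo_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, issues in sorted(run_demo().items()):
        print(f"{path}: {', '.join(issues)}")
```

Run against a real install directory by calling `audit_tree("/path/to/runtime")`; anything it reports is a location where a program running as an ordinary user could replace a component, which is exactly the precondition the thread describes. Ownership is deliberately not checked here, since a tree installed by root and left mode 0755 is the normal case the mode bits already cover.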

  5. Worm with a virus payload by prockcore · Score: 5, Informative

    This is actually a win32 worm, with a .net virus payload.

    "On PCs loaded with Windows XP and other .Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again."

    The .net half is a true virus, and spreads among .net executables.

  6. EICAR Virus Test file by fsmunoz · Score: 2, Informative

    Yes, I had the same need... in order to test a virus scanner I mailed BO2k to see how it worked.
    It wasn't necessary though; every virus scanner should react to the EICAR anti-virus test file (see here). So if any of you ever need to test a virus scanner and have some management guy breathing down your neck and raving about how using a real virus can compromise security, use the EICAR file. Just mail him the virus personally by another mail gateway after that just to prove your point :)

    fsm

  7. Security hole in PHP allows arbitrary code to exe! by Anonymous Coward · Score: 1, Informative

    Stefan Esser, who is also a member of the PHP team, found several flaws in the way PHP handles multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.

    For PHP3 the flaws consist of a broken boundary check and an arbitrary heap overflow. For PHP4 they consist of a broken boundary check and a heap off-by-one error.

    For the stable release of Debian these problems are fixed in version 3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4.

    For the unstable and testing release of Debian these problems are fixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4.

    There is no PHP4 in the stable and unstable distribution for the arm architecture due to a compiler error.

    We recommend that you upgrade your PHP packages immediately.

    Eat that, Microsoft haters.
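The advisory quoted above names the bug classes (a broken boundary check, a heap overflow, an off-by-one) without showing what a sound boundary check looks like. The following Python parser is an added example for this page, not PHP's upload code or any fix to it: it handles multipart/form-data the way RFC 1867 and RFC 2046 describe, enforces the RFC 2046 limit of 70 characters on the boundary, caps the body size, keeps every boundary search inside the buffer it was given, and refuses a body that lacks the closing delimiter instead of running past the end. `MAX_BODY_BYTES` is a hypothetical cap chosen for the example, and the request in `SAMPLE_BODY` is constructed, not captured traffic.

```python
import re

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters from a restricted set.
MAX_BOUNDARY_LEN = 70
BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,./:=?-]{1,70}$")
# Hypothetical size cap for this example; a real server would make it configurable.
MAX_BODY_BYTES = 1 << 20


class MultipartError(ValueError):
    """Raised for any malformed request; the caller answers 400 and stops."""


def parse_boundary(content_type):
    """Extract and validate the boundary parameter of a multipart/form-data header."""
    m = re.match(r'^multipart/form-data;\s*boundary="?([^";]+)"?\s*$', content_type)
    if not m:
        raise MultipartError("not multipart/form-data with a boundary parameter")
    boundary = m.group(1)
    if len(boundary) > MAX_BOUNDARY_LEN or not BOUNDARY_RE.match(boundary):
        raise MultipartError("boundary length or character set violates RFC 2046")
    return boundary.encode("ascii")


def parse_part(raw):
    """Split one part into its headers and data; require a Content-Disposition name."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise MultipartError("part lacks the blank line between headers and data")
    headers = {}
    for line in raw[:sep].split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if not colon:
            raise MultipartError("malformed part header line")
        headers[name.strip().lower()] = value.strip()
    disposition = headers.get(b"content-disposition", b"")
    field = re.search(rb'\bname="([^"]*)"', disposition)
    if not field:
        raise MultipartError("part has no form field name")
    filename = re.search(rb'\bfilename="([^"]*)"', disposition)
    return {
        "name": field.group(1).decode("utf-8", "replace"),
        "filename": filename.group(1).decode("utf-8", "replace") if filename else None,
        "content_type": headers.get(b"content-type"),
        "data": raw[sep + 4:],
    }


def parse_multipart(content_type, body):
    """Return the list of parts, or raise MultipartError. Every boundary search is
    bounded by len(body), and the loop ends only at an explicit closing delimiter."""
    if len(body) > MAX_BODY_BYTES:
        raise MultipartError("body exceeds the upload size cap")
    delimiter = b"--" + parse_boundary(content_type)
    pos = body.find(delimiter)
    if pos < 0:
        raise MultipartError("opening boundary not found in body")
    pos += len(delimiter)
    parts = []
    while True:
        if body.startswith(b"--", pos):
            return parts                      # "--boundary--": closing delimiter
        if not body.startswith(b"\r\n", pos):
            raise MultipartError("delimiter not followed by CRLF or '--'")
        pos += 2
        nxt = body.find(b"\r\n" + delimiter, pos)
        if nxt < 0:
            raise MultipartError("closing boundary missing (truncated upload)")
        parts.append(parse_part(body[pos:nxt]))
        pos = nxt + 2 + len(delimiter)


def reject_reason(content_type, body):
    """Convenience wrapper: None when the request parses, else the rejection message."""
    try:
        parse_multipart(content_type, body)
        return None
    except MultipartError as exc:
        return str(exc)


# Constructed sample request for this example (not captured traffic).
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=----ExampleBoundary1234"
SAMPLE_BODY = (
    b"------ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"------ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"line one\r\nline two\r\n"
    b"------ExampleBoundary1234--\r\n"
)

if __name__ == "__main__":
    for part in parse_multipart(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print(part["name"], part["filename"], len(part["data"]))
    print(reject_reason("multipart/form-data; boundary=" + "a" * 71, b""))
    print(reject_reason(SAMPLE_CONTENT_TYPE, SAMPLE_BODY[:-30]))
```

The design choice worth noticing is that the parser never computes a copy length from the boundary and then trusts it: `bytes.find` returns -1 rather than an address past the end, and each negative result is turned into a rejection. A C implementation of the same loop would need the equivalent explicit checks before every `memcpy`, which is precisely where the advisory says the PHP code went wrong.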

  8. Re:Another Outlook worm by gazbo · Score: 2, Informative

    Click the 'Advanced...' button, then click on view/edit for one of the users. You'll see the fine grained security there, with a lot of options including the old favorites, and some others such as 'read attributes', 'take ownership' etc.

  9. Re:Wording by frisket · Score: 3, Informative

    > Does anybody reading this actually have
    > friends who write emails like that?

    No, but I have 15,000 users who might.

    ///Peter

  10. it's a Trojan horse actually ... by Zero__Kelvin · Score: 4, Informative

    The article doesn't get any of the terminology right, so I wouldn't put too much stock in anything they say.

    It is neither a virus nor a worm, though they seem to think the two terms are interchangeable ...

    It is a trojan horse. As a point of education:

    1) A Virus attaches itself to a host program, and does not necessarily require user interaction to infect additional files (e.g. it may attach to an OS device driver or other system program.) It may be attached to an application, but no coaxing is done to get the user to run it. It simply waits for the user to do so, and then goes about its business.

    2) A Worm is a stand-alone program that makes its way through a system ... it isn't attached to anything.

    3) A Trojan horse is a program that is sent to an ignorant user, and requires them to run the program. It may appear to be a program of another sort - hiding its behaviour - or it may immediately and blatantly do its thing. Solicitation like the E-Mail body is always a component of a Trojan horse. The fact that it is an E-Mail attachment in no way makes this a virus. It spreads only with the help of user interaction and involves the direct solicitation of said action. It is fundamentally undifferentiated from an E-Mail asking someone to download an .exe and then run it. The fact that the downloading is performed via E-Mail attachment does not in any way change its status from that of a Trojan.

    Come on folks ... if the Slashdotters of the world can't get this, then how will anyone else?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  11. .NET Security by rabtech · Score: 4, Informative

    By default, the .NET framework will not run untrusted code and allow it to do anything of note.

    You will notice that the host EXE being sent over email is native x86 code, NOT MSIL. Therefore, it has no security permissions of note.

    If you were to attempt to write a pure-C# virus and mass-email it, you wouldn't get very far as the user would actually have to tell the framework to grant execute permissions to the downloaded code.

    I even have to grant permissions to the files I myself write with Visual Studio.NET; they won't execute by default.

    Lastly, Outlook 2000 w/security patches and Outlook XP both automatically prevent the user from downloading or executing EXE attachments, period. Unfortunately, this makes it a hassle having to ZIP all EXE files before sending them (and VBS files, etc.), but that's a small price to pay to protect us from idiot users. My only complaint with Outlook security is that Outlook Express does not do this by default.

    I think Microsoft is doing a better job these days; they still have things to address of course. Sometimes I think people just misunderstand though... calls for the removal of VBScript are like asking *nix distributors not to ship Perl with their installs; it's kind of silly.

    Fortunately, with XP Home, you don't have a bunch of home users running as Admin all the time; I think that's a big key right there.

    --
    Natural != (nontoxic || beneficial)