Sharpei Virus Written In C#
josepha48 points to a CNET article on a new worm written in C# and partly aimed at the .Net framework, excerpting: "On Friday, antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework."
It's a worm spread by mail via Outlook 2000 or earlier (Outlook XP strips executables) or Outlook Express that will overwrite some .NET core components (and only when the user is able to do that, i.e. has the right to overwrite the file).
The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.
Never underestimate the relief of true separation of Religion and State.
Just because you can't, doesn't mean you shouldn't.
If the attachment is opened, then the worm uses the Outlook address book to send messages--with a copy of the virus attached--to every address in the book. It then deletes the e-mails from the sent folder and removes the copy of itself.
.NET exe files won't run unless the framework is present. They are "dead" exes that do nothing when double clicked. So the question is... is the bulk mailer part native code or
On PCs loaded with Windows XP and other
This *additional* behavior that affects
If you actually step outside of the 'yet another microsoft virus' mindset you might be frightened more by the concept, although simple. Why hasn't someone (or has some one) created a virus that attacks the JRE. You could pretty well attack a large number of people by either A) attacking/modifying the JRE or B) Piggybacking java bytecode into other applications. Wouldn't one of these be just as damaging and at the current time even more wide-spread in their effect? Just a couple of thoughts.
it AMAZES ME, that the security analysts who keep saying there is no such thing as an unhackable system heap laud and praise on every "unhackable *" released. the hypocrisy is not only unprofessional, but it's a grave disservice to people that look to them for direction in securing their networks. remember, there is no such thing as a perfectly secure system, we try, but we are human and thus we fail (and learn). as much as I hate to say it, to an extent the crackers do us a service by keeping us honest. and we do the world a service by trying to send them to jail.
a bit more about me http://www.advogato.org/person/trelane/ or my private page http://trelane.net
My ex had a half sharpei, half lasso apso. I never could tell which end it ate from.
A worm named after a breed of dogs, cute. Does it get you in the heart?
Desperation is a stinky cologne
Actually it is the AV researchers who give the name. Virus writers usually 'suggest' a name but this is almost never used. Usually we aim for a name that would piss off the writer.
Let's try your karma whoring strategy:
It's NOT a pink elephant!
Just trying to clear up a potential misunderstanding here: The Sharpei Virus is a worm spread by MAIL via Outlook. It has NOTHING to do with elephants, mammals in general, or any kind of pink lifeform. The virus may overwrite some files if the user has write access to them, but rest assured that you won't have to deal with 10,000 pounds of pink flesh suddenly appearing in your computer room.
I just looked at the Symantec write up for W32.HLLP.Sharpei@mm and from what I read it's primarily just another social engineering email-with-executable-attachment worm ("Please run this MSFT update") which happens to use C# in some of the code it runs after it has 0wn3d your machine.
The fact that the worm tries to run a C# executable after it has already compromised the machine is not much of a technical feat since it could run anything including a Perl script, Java program, Lisp code, etc as long as the runtimes were available on the target machine.
Disclaimer: The opinions expressed in this post are mine and mine alone and do not reflect the opinions, wishes, strategies or intentions of my employer.
They take all of the power of Java and then throw in all of the security vulnerabilities of C/C++. It's only inevitable that C# is going to cause all sorts of headaches for people like me (security professionals).
Wherever you go, there I am...
They prefer the term "a few wrinkles here and there"
Ergonomica Auctorita Illico!
And guess what? It's implemented in C#. And when run, it will screw up other folders on the system. Imagine, if you will, a computer language, somewhere, that somehow, could not be used to write this virus. I'm drawing a blank, but I'm sure there will be lots of +5 funny responses.
Since my current sig just confuses everyone anyway, maybe I should change it to "$5 for a thousand pages of this!?" and save everyone the typing.
Seems to me this is more like a proof of concept virus, like that one that was written in Flash a while back, demonstrating the kinds of things that COULD happen should Outlook's holes and bugs not be patched up.
The message body is actually a very misleading one though... I mean, who wouldn't wanna speed up Windows by 50% and make it more secure? We can't get that kind of update, even out of Microsoft!
There are only 10 kinds of people in this world... those who understand binary and those who don't
I worry about SSSCA.
If it goes through, virii would definitely fall under the category of 'interactive digital devices'.
It will be illegal to write or transmit a virus unless it contains 'approved security measures'.
Any attempt to circumvent a virus' protection mechanism, or communicate to others the nature of a virus or possible defences against it, will be a criminal offence punishable by law
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
This is actually a win32 worm, with a .net virus payload.
"On PCs loaded with Windows XP and other .Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again."
The .net half is a true virus, and spreads among .net executables.
It's a program designed to advertise the amazing new security features built into the incredible .net framework!
Similarly, LSD is capable of demonstrating the incredible new navigation (flight) features of Windows XP, and my assault rifle is useful to demonstrate windows new, millisecond speed shutdown procedure (along with security lock to ensure that no one who is not unauthorized won't be able to boot the machine).
It's the best, isn't it?
I should be on MS's marketing staff.
Mod me down and I will become more powerful than you can possibly imagine!
Did you read the article? They send an executable file, and ask the recipient to execute it. WTF are Microsoft going to do about that, short of hooking in a virus scanner by default into Outlook that auto-updates behind the user's back every time they connect to the Internet, and refuses to display mails that have a virus?
Oh, and before you say that they *should* do this, firstly think about people who may have a legitimate reason to want to download a virus[1] and secondly, think of the accusations of monopolistic practices - I can't see Norton, McAfee et al taking that without a fight.
Back to the subject, what else can Microsoft do about blatant user stupidity in the face of so much publicity about email viruses over the past year?
[1] I wrote a website that allowed users to upload documents available for public download. Being a community spirited sort of chap I included a server side virus scan, and needed a copy of a virus in order to test it was working. I was sent a copy of I Love You in the end by a friend. See, I really did mean there are legitimate reasons.
A successful widespread virus attack proves that there are actually .NET users out there.
If no one attacks or cracks a piece of software, it's mostly not worth anything. To believe that it can't be successfully attacked is naive anyway.
Overall, viruses bring free publicity and prove the point that the product is a roaring success.
BTW: Who wants to be left out when all your friends have been hit by the new naughty Kournikova virus? There will be little left to discuss over a few beers.
Go to sleep for gosh sakes. You've been posting since Noon yesterday.
My god you're right! Timothy has had less than 3.5 hrs between posts for the past 24 hrs! A quick breakdown of Timothy's postings:
March 03 3:15 AM
March 03 6:47 AM
March 03 8:29 AM
March 03 11:59 AM
March 03 12:22 PM
March 03 12:57 PM
March 03 2:16 PM
March 03 3:56 PM
March 03 5:19 PM
March 03 5:35 PM
March 03 5:46 PM
March 03 7:47 PM
March 03 10:35 PM
March 03 11:11 PM
March 04 3:17 AM
I say go for another 24 and then see what happens, turn it into a sort of geeky endurance test or something.
The future isn't what it used to be.
what else can Microsoft do about blatant user stupidity
1. sandbox any executable
2. introduce an executable bit into the file system so that downloads CAN'T auto execute
that's 2 things off the top of my head.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Yes, I had the same need... in order to test a virus scanner I mailed BO2k to see how it worked. :)
It wasn't necessary though; every virus scanner should react to the EICAR anti-virus test file (see here). So if any of you ever need to test a virus scanner and have some management guy breathing down your neck and raving about how using a real virus can compromise security, use the EICAR file. Just mail him the virus personally by another mail gateway after that just to prove your point
fsm
Very nice ideas (a little unix oriented, but that shouldn't be the issue). Unfortunately they both suffer the same problem:
If a user receives an executable and it won't run either because it is in a sandbox, or it is flagged as non-executable (when you open an attachment in Outlook it gives a warning and the option to save it or run it, default being run. Wouldn't this be the same as just greying out the Run option in effect, if not implementation?) then the user will simply save it, then execute it with full permissions. Remember, these are the users who are still sending requests for my linux box's cmd.exe webpage, who open files asking for their advice, and who try several times to look at Anna Kournikova's breasts before giving up.
You can either make it impossible for a user to run an attachment (and lose functionality) or let them burn themselves, and unfortunately others. I used to think the third option was to educate the users, but I've given up on that one.
Don't click on executable attachments in your email.
Please. (Outlook team: Please don't execute everything I click on)
Also. Don't send me messages that are really just plain text in either html or word document format.
Coding Blog
Stefan Esser, who is also a member of the PHP team, found several flaws in the way PHP handles multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.
For PHP3 the flaws consist of a broken boundary check and an arbitrary heap overflow. For PHP4 they consist of a broken boundary check and a heap off-by-one error.
For the stable release of Debian these problems are fixed in version 3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4.
For the unstable and testing release of Debian these problems are fixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4.
There is no PHP4 in the stable and unstable distribution for the arm architecture due to a compiler error.
We recommend that you upgrade your PHP packages immediately.
Eat that, Microsoft haters.
it seems this is not a true .net virus but it does bring up some interesting possibilities regarding the gnome project. ximian has professed to wanting gnome 4 to use the .net framework. so either they'll code it in such a way to avoid all the security issues in microsoft's .net, or they'll have the same security issues.
in some ways either "wins." if the main linux .net implementation avoids security issues it's a pr disaster for microsoft. ditto if it has the same bugs as it will show a design flaw in .net.
otoh it will "lose" - anti-virus companies will be against linux for taking away their product stream. and if the same security flaws show up then it removes a major distinguishing item from a linux desktop.
US Citizen living abroad? Register to vote!
Something about the wording suggests to me that this worm is intended to target only very stupid people. Does anybody reading this actually have friends who write emails like that?
Hrm. I don't seem to ever hear about any viruses for the Java platform, even though it would theoretically be possible.
And what about perl!?
autopr0n is like, down and stuff.
yeah, that's the reality. Of course the poster was suggesting that Microsoft can do nothing. This is obviously bunk.
I feel slightly sorry for Microsoft. I used their products in a LAN environment and these features did actually come in handy. They've been exposed by a transition from (relatively) trusted clients to untrusted clients which is a massive paradigm shift. Unix, otoh, has had untrusted clients in mind since not long after its inception (that security was not in mind at the start still reveals itself in plenty of situations).
Of course MS are hobbled by being a desktop OS provider. Thin clients booting across a network where real file permissions and a sensible built in backup procedure protect the time sharing device from malicious clients make the most security sense I think.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Click the 'Advanced...' button, then click on view/edit for one of the users. You'll see the fine grained security there, with a lot of options including the old favorites, and some others such as 'read attributes', 'take ownership' etc.
Outlook 2000 also strips those executables if you apply the security patches that have been available for almost 2 years. This may be true of Outlook 98 as well. These patches also block the mass-mailers, so the only reason the mass-mailers exist is that people are running older versions of Outlook (97 and earlier) or not patching their current versions.
As for contributing to the distribution, it goes something like this:
Points to note include the fact the virus was not sent in executable form, and could not have been executed unless the key was compromised. Also, that the virus never left a linux server. It was chmod 000 and only myself or root could change that. It only existed on my system for as long as it took to perform the test. Also, the very first action taken by the web page if a virus was found was to unlink the file in the tmp directory. Not set a flag, display an error, but delete the file from the server, and then carry on.
Actually, I think I should labour a point here: It never existed on a platform that could execute it
The only safer way would have been to use the test file which the helpful other poster provided a link to.
PS. As for being in the user base, I'd rather not, I like being paid large sums of money for being a developer thank you.
PPS. It wasn't a community website, the community can rarely afford this sort of site.
PPPS. IHBT?
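The upload-scanning workflow this post describes (temp file, mode 000, unlink on detection before anything else) together with the EICAR test file recommended earlier in the thread, as an added Python example that is not the poster's own site code: is_eicar() applies the published EICAR match rule and stands in for a real engine, and handle_upload() quarantines the upload before scanning it. The directory arguments, the scan_bytes() stub and the file contents are assumptions constructed for the demo.

```python
import os
import shutil
import tempfile

# The EICAR test string (68 bytes). It is assembled from fragments so that this
# source file is not itself quarantined by a scanner; joined, it is exactly the
# standard string every AV engine is expected to detect.
EICAR = b"".join([
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    b"!$H+H*",
])


def is_eicar(data: bytes) -> bool:
    """EICAR match rule: the 68-byte string first, at most 128 bytes in total,
    and nothing but whitespace after it."""
    return (len(data) <= 128
            and data[:68] == EICAR
            and data[68:].strip() == b"")


def scan_bytes(data: bytes) -> bool:
    """Stand-in for a real scanner: True means 'infected'. A real deployment
    would hand the quarantined file to an AV daemon here (assumption)."""
    return is_eicar(data)


def handle_upload(name: str, data: bytes, tmp_dir: str, public_dir: str) -> str:
    """Store an upload in a mode-000 temp file, scan it, and either delete it
    immediately or release it to the public download directory.
    Returns "deleted" or the final path of the released file."""
    tmp_path = os.path.join(tmp_dir, os.path.basename(name) + ".upload")
    # Create with mode 000 so nobody but root can open the file while it waits
    # to be scanned; the descriptor we already hold keeps working regardless.
    fd = os.open(tmp_path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o000)
    try:
        os.write(fd, data)
        os.lseek(fd, 0, os.SEEK_SET)
        on_disk = os.read(fd, len(data) + 1)  # scan what actually landed on disk
    finally:
        os.close(fd)
    if scan_bytes(on_disk):
        # Detection: unlink first, before any logging or error page, so the
        # sample never outlives the check.
        os.unlink(tmp_path)
        return "deleted"
    final_path = os.path.join(public_dir, os.path.basename(name))
    os.chmod(tmp_path, 0o644)  # clean: now safe to make readable
    shutil.move(tmp_path, final_path)
    return final_path


def demo() -> dict:
    """Run one clean upload and one EICAR upload through handle_upload()."""
    tmp_dir, public_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        clean = handle_upload("notes.txt", b"quarterly report\n", tmp_dir, public_dir)
        with open(clean, "rb") as f:
            clean_ok = f.read() == b"quarterly report\n"
        bad = handle_upload("update.exe", EICAR + b"\r\n", tmp_dir, public_dir)
        return {"clean": os.path.basename(clean), "clean_ok": clean_ok,
                "eicar": bad, "tmp_left": os.listdir(tmp_dir)}
    finally:
        shutil.rmtree(tmp_dir)
        shutil.rmtree(public_dir)


if __name__ == "__main__":
    print(demo())
```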
When was the last time microsoft announced a security problem before there was a known exploit in the wild?
D.
designed to infect computers loaded with the .Net framework."
With the proper diligence, and a competent admin -- NO computer should ever be infected with the .NET virus.
Only a boob could ever allow such a thing to occur.
... heheh now this is a meme I like... if only i controlled the Media, I could infect billions with this simple mind-virus.
Muahahahahhahah
Let's see.
Code Red
Code Blue
Nimda
ILOVEYOU
Papa
BadTrans
Anna
And this list continues.
Sharpei exploits a "hole" in Outlook that was patched over two years ago. If you don't patch, you're still vulnerable, so what do you do short of driving across the country and cramming patches down people's throats? Do you think everyone in the world has already patched their PHP problems? Can you answer that question?
I had all my production servers, my home server, and my laptop patched within 30 minutes of reading about this PHP problem. That's the big difference between open source and closed source security. I don't have to wait six months for Microsoft to get around to fixing it (usually they get it right on the second or third patch).
Eat that, Microsoft lovers
lojack is to unix as an idling car in south central LA is to microsoft
Some might say "making things easy encourages mistakes." If any two bit script kiddie can jump in and write a powerful virus, then I would argue for making it harder to write code. It's not bad to make software engineers and developers stop to think carefully about how they are doing things. Maybe then management won't be as tempted to set unreal development schedules, thereby increasing the time for QA and producing higher quality applications. Using a tool that promotes itself as "super fast and easy" will only give management more reasons to shorten development cycles and make more bad code faster :)
At that point in time, they will con(vince) the government that virus-writers are terrorists, that terrorists are by default trying to kill people and destroy the economy and that as a result of that, the government should invoke the death penalty for all virus writers.
Of course the upside of that, is that it only takes very little effort to prove, that Windows is a virus, and that every OS writer at Microsoft should be put against the wall and shot.
We do not live in the 21st century. We live in the 20 second century.
More successful virus writers use Microsoft compared to any other operating system. You too can be a successful virus writer. Get in on the cutting edge made by a company that knows how to mess with people.
[/sarcasm]
etc.
I just call all of these Microsoft viruses. Makes life much easier.
"It is a greater offense to steal men's labor, than their clothes"
I sugguest you read Fletcher's "The Myth of Jury Nullification" (IIRC, that's the title).
Anarchy$ dd if=/dev/random of=~/.signature bs=120 count=1
Those security issues existed since PHP 3.0, no you didn't have to wait months, more like years.
The article doesn't get any of the terminology right, so I wouldn't put too much stock in anything they say.
It is neither a virus nor a worm, though they seem to think the two terms are interchangeable
It is a trojan horse. As a point of education:
1) A Virus attaches itself to a host program, and does not necessarily require user interaction to infect additional files (e.g. it may attach to an OS device driver or other system program.) It may be attached to an application, but no coaxing is done to get the user to run it. It simply waits for the user to do so, and then goes about its business.
2) A Worm is a stand alone program that makes its way through a system
3) A Trojan horse is a program that is sent to an ignorant user, and requires them to run the program. It may appear to be a program of another sort - hiding its behaviour - or it may immediately and blatantly do its thing. Solicitation like the E-Mail body is always a component of a Trojan horse. The fact that it is an E-Mail attachment in no way makes this a virus. It spreads only with the help of user interaction and involves the direct solicitation of said action. It is fundamentally undifferentiated from an E-Mail asking someone to download an
Come on folks
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
By default, the .NET framework will not run untrusted code and allow it to do anything of note.
You will notice that the host EXE being sent over email is native x86 code, NOT MSIL. Therefore, it has no security permissions of note.
If you were to attempt to write a pure-C# virus and mass-email it, you wouldn't get very far as the user would actually have to tell the framework to grant execute permissions to the downloaded code.
I even have to grant permissions to the files I myself write with Visual Studio.NET; they won't execute by default.
Lastly, Outlook 2000 w/security patches and Outlook XP both automatically prevent the user from downloading or executing EXE attachments, period. Unfortunately, this makes it a hassle having to ZIP all EXE files before sending them (and VBS files, etc.), but that's a small price to pay to protect us from idiot users. My only complaint with Outlook security is that Outlook Express does not do this by default.
I think Microsoft is doing a better job these days; they still have things to address of course. Sometimes I think people just misunderstand though... calls for the removal of VBScript are like asking *nix distributors not to ship Perl with their installs; it's kind of silly.
Fortunately, with XP Home, you don't have a bunch of home users running as Admin all the time; I think that's a big key right there.
Natural != (nontoxic || beneficial)
This is totally dumb. The SSSCA is certainly a bad idea, but it's meant to force copy control mechanisms in hardware. It has nothing to do with this!
My point was that the basic philosophy of Microsoft to security is that a security hole is not a problem until there is an exploit. Thus the previous author's comment about PHP, and the announcement of a security issue with no known exploit in the wild, in fact pointed to a strength in Open Source development rather than a weakness.
D.
Outlook2000 has a patch entitled "Fix stupid user", which prevents users from opening attachments. Outlook XP ships this way by default.
And if some user still insists on running that .EXE, the patch pops up when things connect to the Outlook COM objects and says "Hey, this thing is trying to send email.. is that ok dummy?"
Granted, the patch also does some useful things like changing the profile under which email is viewed to Restricted Sites Zone, thus disabling active scripting, etc.
Don't file permissions only work on shared folders on drives formatted with NTFS? I just tried to set permissions on executables in an unshared folder on a FAT partition in XP Professional and there was no place to do that. I can only set permissions on shared files, as far as I can see, and that's what I remember from the documentation as well.
right. That's why you shouldn't use FAT. using FAT on an NT/2000/XP kernel-based Windows and you throw security out the window. It's strictly a legacy thing.
DO NOT DISTURB THE SE
Fact: There is no exploit for the PHP bug mentioned by the author to which I responded
My Opinion: This points to a strength in Open Source development in that it demonstrates a willingness to address security issues in a rapid and timely manner. Something that I find lacking in Microsoft.
Frankly, I don't give a shit how many idiot sys admins are still infected by CodeRed. My point was to point out that the original author threw out as an insult of the open source development model something that sane people would consider a strength.
D.
if an external program (including any of these mass-mailer scripts) tries to send mail you are prompted to allow or deny the operation. After some period if you don't respond it times out and denies the mailing.
Of course, .NET support in GNU/Linux would make it that much easier to port a .NET virus when one finally is made...
I'm just glad to hear that C# is flexible enough to write viruses in. My job was considering not using C# due to flexibility concerns, but this virus has put all of our fears to rest. Haha.
lojack is to unix as an idling car in south central LA is to microsoft
That makes no sense. Car theft and security have no direct logical relationships with computer operating systems. Your analogy is twisted out of shape. You should have said
"unix is to microsoft as lojack is to idling a car in south central LA."
Do we continue to change Microsoft's favorite slogan: "1 degree of separation"? Which starts to sound like "less protection"...and if it's really so easy to use...well...might make people wish for the old days with non-standard standards ;)
What is your Slash Rating?
From reading the article, it seems that this is a win32 worm that patches security components in the .NET runtime before running a damaging .NET application. A program similar to this written in Java would have several disadvantages:
1. It has no natural vector. Outlook serves well as a vehicle for socially engineered worms/viruses because it automates the execution of mobile code that arrives in attachments. The recipient only has to click on an attachment, and there is no way to know what it does unless you already know what it is. People using non-MS mail clients have to save an .EXE to disk and then manually run it.
2. The JRE doesn't have Microsoft's assistance in getting onto every shmoe's machine out there. While XP doesn't currently have .NET support, this situation won't last long. Soon everyone will have a .NET runtime on their machine whether they're aware of it or not. And, these will be the same machines that are running Outlook.
3. The security concerns surrounding Java and C# are quite similar. Either runtime can have a patch applied by wily native code. However, the average target machine will not have a JRE simply because it's a non-MS technology- it's not "part of the OS". (You won't find the old MS JVM on an XP machine.) If it does have a JRE, it will be deployed in the arbitrary directory that the user installed it into, which is unknown to the worm code unless it scans the disk. IIRC Microsoft puts the .NET runtime components in well-known places so this isn't a problem when making hostile C# patches. A worm written in Java would probably have to lug around its patched JRE with it- making it too heavy to spread very far.
4. The people who write worms won't pay any attention to Java as long as C# is around.
:)
Of course, if the executable is running with no security manager in place, you can do whatever you want even if the runtime isn't patched. I can write a Java class that does a Runtime.exec() of anything I want, and send it to you. If you execute it as an application, it has no problems. I don't know personally what security constraints are placed on C# arriving in an Outlook attachment, but I can imagine they would be roughly similar to the constraints browsers place on applets. The fact that security constraints can't easily be placed on incoming native code, and the fact that the .NET runtime is so easy to patch using a little native code, means that MS has to seriously rethink its strategy of what types of mobile code are allowed to run.
2. introduce an executable bit into the file system so that downloads CAN'T auto execute
Just one problem: What kind of files would *not* have this bit set? Actually the only one I can think of would be plain text and graphics...
Just disable the ability to open any attachments would probably be much simpler.
duh,
you have the bit set off for all attachments
you have to manually set it to make it run
it's how unix executables "work"
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
how does one pronounce that? Is it C-pound? C-number? C-two sets of lines at near-right angles?
This is an example of an increasing bias in Cnet and Zdnet reporting - the desire to push out information as fast as possible and as loosely checked as possible grows daily.
But I have to take the /. team to task a little - a small amount of research would have seen that the virus may be the first written in C# but it's not designed to attack .NET. It makes use of some .NET framework components to spread but it's simply a mass mailing worm and an exe file to boot, it creates a VBS.
Now to look at that in another way.
1. Systems vulnerable to this are 2 years behind the curve - if you still allow .exe and .vbs into your environment in any form you're not qualified to work in it.
2. Not keeping virus scanners up to date is asking for it
3. These guys simply did the inevitable and made a virus in the new language - it's been done with every language and OS platform since computers began and will no doubt continue.
I don't want to attack anyone but I would suggest that we might all be benefited by spending 5 minutes researching before we comment (and to the anti MS crowd - if you can't be bothered finding out the truth don't comment - to be honest the attacks on every mention of microsoft are getting tedious and pointless and I suspect are driving people away from open source - enough is enough - you don't like MS - they are evil - we know so don't keep telling us)
It depresses me that the level of technical discussion of anything non-linux on here is lower than a snake's arse - I wish we could see the same passion that is applied to Kernel Updates applied to other areas.
Editors - check your sources please !!
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
What took them so long? I mean... really.
-iie1195
"Audaces fortuna juvat"
InfoWorld reports that M$ alerted that a flaw in its jvm could allow an outsider to view user information while they are surfing the Web. The jvm allows applications written in Java to run on any computer regardless of the operating system. Outsiders can exploit the flaw only when information passes through a proxy server. i think the matter with .NET seems to be similar to this incident?
If these virus writers were really against MS, they would have named the virus .Net, which really would mess with the heads of corporate management teams. I could imagine something like that slowing down the adoption of .Net in the corporate world.
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet