Slashdot Mirror
Sharpei Virus Written In C#
josepha48 points to a CNET article on a new worm written in C# and partly aimed at the .Net framework, excerpting: "On Friday, antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework."
It's a worm spread by mail via Outlook 2000 or earlier (Outlook XP strips executables) or Outlook Express that will overwrite some .NET core components. (and only when the user is able to do that, thus has the right to overwrite the file).
.net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.
The virus is _NOT_ a
Never underestimate the relief of true separation of Religion and State.
Just because you can't, doesn't mean you shouldn't.
If the attachment is opened, then the worm uses the Outlook address book to send messages--with a copy of the virus attached--to every address in the book. It then deletes the e-mails from the sent folder and removes the copy of itself.
.NET exe files won't run unless the framework is present. They are "dead" exes that do nothing when double clicked. So the question is... is the bulk mailer part native code or
On PCs loaded with Windows XP and other
This *additonal* behavior that affects
If you actually step outside of the 'yet another microsoft virus' mindset you might be frightened more by the concept, although simple. Why hasn't someone (or has some one) created a virus that attacks the JRE. You could pretty well attack a large number of people by either A) attacking/modifying the JRE or B) Piggybacking java bytecode into other applications. Wouldn't one of these be just as damaging and at the current time even more wide-spread in their effect? Just a couple of thoughts.
Actually it is the AV researchers who give the name. Virus writers usually 'suggest' a name but this is almost never used. Usually we aim for a name that would piss off the writer.
Let's try your karma whoring strategy:
It's NOT a pink elephant!
Just trying to clear up a potential misunderstanding here: The Sharpei Virus is a worm spread by MAIL via Outlook. It has NOTHING to do with elephants, mammals in general, or any kind of pink lifeform. The virus may overwrite some files if the user has write access to them, but rest assured that you won't have to deal with 10,000 pounds of pink flesh suddenly appearing in your computer room.
I just looked at the Symantec write up for W32.HLLP.Sharpei@mm and from what I read its primarily just another social engineering email-with-executable-attachment worm ("Please run this MSFT update") which happens to use C# in some of the code it runs after it has 0wn3d your machine.
The fact that the worm tries to run a C# executable after it has already compromised the machine is not much of a technical feat since it could run anything including a Perl script, Java program, Lisp code, etc as long as the runtimes were available on the target machine.
Disclaimer: The opinions expressed in this post are mine and mine alone and do not reflect the opinions, wishes, strategies or intentions of my employer.
They prefer the term "a few wrinkles here and there"
Ergonomica Auctorita Illico!
And guess what? It's implemented in C#. And when run, it will screw up other folders on the system. Imagine, if you will, a computer language, somewhere, that somehow, could not be used to write this virus. I'm drawing a blank, but I'm sure there will be lots of +5 funny responses.
Since my current sig just confuses everyone anyway, maybe I should change it to "$5 for a thousand pages of this!?" and save everyone the typing.
Seems to me this is more like a proof of concept virus, like that one that was written in Flash a while back, demonstrating the kinds of things that COULD happen should Outlook's holes and bugs not be patched up.
The message body is actually a very misleading one though... I mean, who wouldn't wanna speed up Windows by 50% and make it more secure? We can't get that kind of update, even out of Microsoft!
There are only 10 kinds of people in this world... those who understand binary and those who don't
I worry about SSSCA.
If it goes through, virii would definitely fall under the category of 'interactive digital devices'.
It will be illegal to write or transmit a virus unless it contains 'approved security measures'.
Any attempt to circumvent a virus' protection mechanism, or communicate to others the nature of a virus or possible defences against it, will be a criminal offence punishable by law
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
This is actually a win32 worm, with a .net virus payload.
.Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again."
.net half is a true virus, and spreads among .net executables.
" On PCs loaded with Windows XP and other
The
Its a program designed to advertise the amazing new security features built into the incredible .net framework!
Similarly, LSD is capable of demonstrating the incredible new navigation (flight) features of Windows XP, and my assault rifle is useful to demonstrate windows new, millisecond speed shutdown procedure (along with security lock to ensure that no one who is not unauthorized won't be able to boot the machine).
Its the best, isn't it?
I should be on MS's marketing staff.
Mod me down and I will become more powerful than you can possibly imagine!
Did you read the article? They send an executable file, and ask the recipient to execute it. WTF are Microsoft going to do about that, short of hooking in a virus scanner by default into Outlook that auto-updates behind the user's back every time they connect to the Internet, and refuses to display mails that have a virus?
Oh, and before you say that they *should* do this, firstly think about people who may have a legitimate reason to want to download a virus[1] and secondly, think of the accusations of monopolistic practices - I can't see Norton, McAffee et al taking that without a fight.
Back to the subject, what else can Microsoft do about blatant user stupidity in the face of so much publicity about email viruses over the past year?
[1] I wrote a website that allowed users to upload documents available for public download. Being a community spirited sort of chap I included a server side virus scan, and needed a copy of a virus in order to test it was working. I was sent a copy of I Love You in the end by a friend. See, I really did mean there are legitimate reasons.
Go to sleep for gosh sakes. You've been posting since Noon yesterday.
My god you're right! Timothy has has less than 3.5 hrs between posts for the past 24 hrs! A quick breakdown of Timothy's postings:
March 03 3:15 AM
March 03 6:47 AM
March 03 8:29 AM
March 03 11:59 AM
March 03 12:22 PM
March 03 12:57 PM
March 03 2:16 PM
March 03 3:56 PM
March 03 5:19 PM
March 03 5:35 PM
March 03 5:46 PM
March 03 7:47 PM
March 03 10:35 PM
March 03 11:11 PM
March 04 3:17 AM
I say go for another 24 and then see what happens, turn it into a sort of geeky endurance test or something.
The future isn't what it used to be.
what else can Microsoft do about blatant user stupidity
1. sandbox any executable
2. introduce an executable bit into the file system so that downloades CANT auto execute
that's 2 things off the top of my head.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Yes, I had the same need... in order to test a virus scanner I mailed BO2k to see how it worked. :)
It wasn't necessary though; every virus scanner should react to the EICAR anti-virus test file (she here). So if any of you ever need to test a virus scanner and have some management guy brething in your neck and raving about how using a real virus can compromise security use the EICAR file. Just mail him the virus personally by another mail gateway after that just to prove your point
fsm
It's not a single click to execute attachments, it's double click; ergo you need to be twice as stupid as some to run an executable attachment sent to you unannounced.
PGP KeyId: 0x08D63965
You have quotes and references to the same security analysts making both of these claims?
it seems this is not a true .net virus but it does bring up some interesting possibilities regarding the gnome project. ximian has professed to wanting gnome 4 to use the .net framework. so either they'll code it in such a way to avoid all the security issues in microsoft's .net, or they'll have the same security issues.
.net implementation avoids security issues it's a pr disaster for microsoft. ditto if it has the same bugs as it will show a design flaw in .net.
in some ways either "wins." if the main linux
otoh it will "lose" - anti-virus companies will be against linux for taking away their product stream. and if the same security flaws show up then it removes a major distinguishing item from a linux desktop.
US Citizen living abroad? Register to vote!
Something about the wording suggests to me that this worm is intended to target only very stupid people. Does anybody reading this actually have friends who write emails like that?
You're shitting me... there are .NET users?
Wow.
yeah, that's the reality. Of course the poster was suggesting that Microsoft can do nothing. This is obviously bunk.
I feel slightly sorry for Microsoft. I used their products in a LAN environment and these features did actually come in handy. They've been exposed by a transition from (relatively) trusted clients to untrusted clients which is a massive paradigm shift. Unix, oth, has had untrusted clients in mind since not long after it's inception (that security was not in mind at the start still reveals itself and plenty of situations).
Of course MS are hobbled by being a desktop OS provider. Thin clients booting across a network where real file permissions and a sensible built in backup procedure protect the time sharing device from malicious clients make the most security sense I think.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Click the 'Advanced...' button, then click on view/edit for one of the users. You'll see the fine grained security there, with a lot of options including the old favorites, and some others such as 'read attributes', 'take ownership' etc.
designed to infect computers loaded with the .Net framework."
.NET virus.
With the proper diligence, and a competent admin -- NO computer should ever be infected with the
Only a boob could ever allow such a thing to occur.
... heheh now this is a meme I like... if only i controlled the Media, I could infect billions with this simple mind-virus.
Muahahahahhahah
At that point in time, they will con(vince) the government that virus-writers are terrorists, that terrorists are per default trying to kill people and destroy the economy and that as a result of that, that the government should invoke the death penalty for all virus writers.
Of course the upside of that, is that it only takes very little effort to prove, that Windows is a virus, and that every OS writer at Microsoft should be put against the wall and shot.
We do not live in the 21st century. We live in the 20 second century.
More successful virus writers use Microsoft compared to any other operating system. You too can be a successful virus writer. Get in on the cutting edge made by a company that knows how to mess with people.
[/sarcasm]
etc.
I just call all of these these Microsoft viruses. Makes life much easier.
"It is a greater offense to steal men's labor, than their clothes"
These patches also block the mass-mailers, so the only reason the mass-mailers exist is that people are running older versions of Outlook
<sarcasm>Must be the new AI feature that automagically separates spam from legitimate mail.</sarcasm>
This last is a pretty broad claim. Seriously, though, what is this and how does it work? Spammers may be the only group on the planet that I hate more than MS (in the 'technical' arena, anyhow).
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Those security issues existed since PHP 3.0, no you didn't have to wait months, more like years.
The article doesn't get any of the terminology right, so I wouldn't put too much stalk in anything they say.
It is neither a virus or a worm, though they seem to think the two terms are interchangeable
It is a trojan horse. As a point of education:
1) A Virus attaches itself to a host program, and does not necessarily require user interaction to infect additional files (e.g. it may attach to an OS device driver or other system program.) It may be attached to an application, but no coaxing is done to get the user to run it. It simply waits for the user to do so, and then goes about it's business.
2) A Worm is a stand alone program that makes it's way through a system
3) A Trojan horse is a program that is sent to an ignorant user, and requires them to run the program. It may appear to be a program of another sort - hiding it's behaviour - or it may immediately and blatantly do it's thing. Solicitation like the E-Mail body is always a component of a Trojan horse. The fact that it is an E-Mail attachment in no way makes this a virus. It spreads only with the help of user interaction and involves the direct solicitation of said action. It is fundamentally undifferentiated from an E-Mail asking someone to download an
Come on folks
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Looks like you need to read the story more carefully -- if you get all your information from Slashdot's misleading headlines, you're going to be pretty misinformed!
.NET). It's just a regular e-mail worm that happens to also have a .NET payload, part of which is written in C#.
This worm really has nothing to do with C# (or even
By default, the .NET framework will not run untrusted code and allow it to do anything of note.
You will notice that the host EXE being sent over email is native x86 code, NOT MSIL. Therefore, it has no security permissions of note.
If you were to attempt to write a pure-C# virus and mass-email it, you wouldn't get very far as the user would actually have to tell the framework to grant execute permissions to the downloaded code.
I even have to grant permissions to the files I myself write with Visual Studio.NET; they won't execute by default.
Lastly, Outlook 2000 w/security patches and Outlook XP both automatically disallow the user to download or execute EXE attatchments, period. Unfortunately, this makes it a hassle having to ZIP all EXE files before sending them (and VBS files, etc.), but that's a small price to pay to protect us from idiot users. My only complaint with Outlook security is that Outlook Express does not do this by default.
I think Microsoft is doing a better job these days; they still have things to address of course. Sometimes I think people just misunderstand though... calls for the removal of VBScript are like asking *nix distributors not to ship Perl with their installs; its kind of silly.
Fortunately, with XP Home, you don't have a bunch of home users running as Admin all the time; I think that's a big key right there.
Natural != (nontoxic || beneficial)
Outlook2000 has a patch entitled "Fix stupid user", which prevents users from opening attachments. Outlook XP ships this way by default.
.EXE, the patch pops up when things connect to the Outlook COM objects and says "Hey, this thing is trying to send email.. is that ok dummy?"
Granted, the patch also does some useful things like changing the profile under which email is viewed to Restricted Sites Zone, thus disabling active scripting, etc.
And if some user still insists on running that
Don't file permissions only work on shared folders on drives formatted with NTFS? I just tried to set permissions on executables in an unshared folder on a FAT partition in XP Professional and there was no place to do that. I can only set permissions on shared files, as far as I can see, and that's what I remember from the documentation as well.
right. That's why you shouldn't use FAT. using FAT on an NT/2000/XP kernel-based Windows and you throw security out the window. It's strictly a legacy thing.
DO NOT DISTURB THE SE
How is it that someone calling themselves a security professional can't be bothered to take the time to actually research a topic before injecting their opinion?
Just curious. I take it the GISSP is like the MCSE, it only requires memorization skills?
You might want to look into GIAC.
Oops, sorry. I meant CISSP. My memorization skills aren't that good.
UNLESS you have Windows set to "single click to execute stuff". Yes, there is such a setting, and I've met crazy users who have it turned on. Eeeep!
~REZ~ #43301. Who'd fake being me anyway?
lojack is to unix as an idling car in south central LA is to microsoft
That makes no sense. Car theft and security have no direct logical relationships with computer operating systems. Your analogy is twisted out of shape. You should have said
"unix is to microsoft as lojack is to idling a car in south central LA."
From reading the article, it seems that this is a win32 worm that patches security components in the .NET runtime before running a damaging .NET application. A program similar to this written in Java would have several disadvantages:
.EXE to disk and then manually run it.
.NET support, this situation won't last long. Soon everyone will have a .NET runtime on their machine whether they're aware of it or not. And, these will be the same machines that are running Outlook.
.NET runtime components in well-known places so this isn't a problem when making hostile C# patches. A worm written in Java would probably have to lug around its patched JRE with it- making it too heavy to spread very far.
:)
.NET runtime is so easy to patch using a little native code, means that MS has to seriously rethink its strategy of what types of mobile code are allowed to run.
1. It has no natural vector. Outlook serves well as a vehicle for socially engineered worms/viruses because it automates the execution of mobile code that arrives in attachments. The recipient only has to click on an attachment, and there is no way to know what it does unless you already know what it is. People using non-MS mail clients have to save an
2. The JRE doesn't have Microsoft's assistance in getting onto every shmoe's machine out there. While XP doesn't currently have
3. The security concerns surrounding Java and C# are quite similar. Either runtime can have a patch applied by wily native code. However, the average target machine will not have a JRE simply because it's a non-MS technology- it's not "part of the OS". (You won't find the old MS JVM on an XP machine.) If it does have a JRE, it will be deployed in the arbitrary directory that the user installed it into, which is unknown to the worm code unless it scans the disk. IIRC Microsoft puts the
4. The people who write worms won't pay any attention to Java as long as C# is around.
Of course, if the executable is running with no security manager in place, you can do whatever you want even if the runtime isn't patched. I can write a Java class that does a Runtime.exec() of anything I want, and send it to you. If you execute it as an application, it has no problems. I don't know personally what security constraints are placed on C# arriving in an Outlook attachment, but I can imagine they would be roughly similar to the constraints browsers place on applets. The fact that security constraints can't easily be placed on incoming native code, and the fact that the
OK, by mass-mailer you mean a virus. I thought mass-malier was referring to spammers. "Never mind." ;-)
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
This is an example of an increasing bias in Cnet and Zdnet reporting - the desire to push out information as fast as possible and as loosely checked as possible grows daily.
/. team to task a little - a small amount of research would have seen that the virus may be the first written in C# but its not designed to attack .NET. It makes use of some .NET frameworks components to spread but its simply a mass mailing worm and an exe file to boot, it creates a VBS.
.exe and .vbs into your environment in any form your not qualified to work in it.
But i have to take the
Now to look at at that in another way.
1. Systems vulnerable to this are 2 years behind the curve - if you still allow
2. Not keeping virus scanners up to date is asking for it
3. These guys simply did the invitable and made a virus in the new language - its been done with every language and OS platform since computers began and will no doubt continue.
I dont want to attack anyone but i would suggest that we might all be benefited by spending 5 minutes researching before we comment (and to the anti MS crowd - if you cant be bothere finding out the truth dont comment - to be honest the attacks on every mention of microsoft is getting tedious and pointless and i suspect is driving people away from open source - enough is enough - you dont like MS - they are evil - we know so dont keep telling us)
It depresses me that the level of technical discussion of anything non linux on here is lower than a snakes arse - i wish we could see the same passion that is applied to Kernal Updates applied to other areas.
Editors - check your sources please !!
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
how does one pronounce that? Is it C-pound? C-number? C-two sets of lines at near-right angles?
C-sharp. Or the enharmonic equivalent, D-flat.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
If these virus writers were really against MS, they would have named the virus .Net, which reallyl would mess with the heads of corporate management teams. I could imagine something like that slowing down the adoption of .Net in the corporate world.
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet