Slashdot Mirror


Sharpei Virus Written In C#

josepha48 points to a CNET article on a new worm written in C# and partly aimed at the .Net framework, excerpting: "On Friday, antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework."

31 of 242 comments

  1. It's NOT a .NET virus! by Otis_INF · · Score: 4, Informative

    It's a worm spread by mail via Outlook 2000 or earlier (Outlook XP strips executables) or Outlook Express that will overwrite some .NET core components. (and only when the user is able to do that, thus has the right to overwrite the file).

    The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.

    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:It's NOT a .NET virus! by rjamestaylor · · Score: 5, Funny
      • The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.
      So, it's a .NOT virus...
      --
      -- @rjamestaylor on Ello
    2. Re:It's NOT a .NET virus! by Masa · · Score: 5, Informative
      The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.

      Here is a description by F-Secure and it claims that one part of the virus is actually using .NET:

      http://www.fsecure.com/v-descs/blunt.shtml

  2. social engineering by hiroko · · Score: 5, Funny
    You've got to love the message in the email:
    Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
    --
    Just because you can't, doesn't mean you shouldn't.
    1. Re:social engineering by Shiny+Metal+S. · · Score: 5, Funny
      This is nothing! Have you heard about the "Don't F***ing Open Me!" Virus?
      E-mail inboxes were flooded with messages this morning as a new virus quickly spread around the world. Dubbed "Don't Fucking Open Me" by anti-virus researchers, the infected e-mail follows a similar course to other viruses and replicates by sending itself out to everyone in the infected computer's Outlook and Outlook Express address book. The virus also contains two different payloads: one version formats the hard drive and displays the message "This is for your own good"; the other payload creates random Power Point presentations in the "My Documents" folder.

      Savvy users can spot the virus by its subject which is "Don't Fucking Open Me" or by the attachment which is entitled "Don't_Fucking_Open_Me.exe".

      "This virus tricks the user with an old psychological tactic called reverse psychology. Apparently the curiosity created by the message has been too much for thousands of users," said anti-virus researcher Bob Atibop. According to Atibop, this isn't the first time reverse psychology has been used. In 1998, the "Don't Pee on Your Keyboard" worm caused a flood of damage.

      Researchers have seen large infection among AOL users and middle managers, the two largest concentrations of naive and inept computer users.

      Claudia Hawkins who was infected by the virus said, "My son told me not to open attachments, but.... I mean my MOM sent it! What if she was hurt?!?"

      Another infected user too embarrassed to reveal his name said, "I thought that there was no way that this could be a virus. What kind of stupid idiot virus writer would put a dumb title on it like that? No one would ever open something that says not to open it. The virus would never spread defeating the whole purpose of it."

      Experts advise extreme caution when opening messages entitled "Don't Fucking Open Me" or "Click Here for Cash and Virus Infection".

      --

      ~shiny
      WILL HACK FOR $$$

  3. Not sure I'd call this a .NET virus by wadetemp · · Score: 5, Interesting


    If the attachment is opened, then the worm uses the Outlook address book to send messages--with a copy of the virus attached--to every address in the book. It then deletes the e-mails from the sent folder and removes the copy of itself.


    .NET exe files won't run unless the framework is present. They are "dead" exes that do nothing when double clicked. So the question is... is the bulk mailer part native code or .NET code? Read on...


    On PCs loaded with Windows XP and other .Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again.

    This *additional* behavior that affects .NET enabled computers is the part that could possibly be written in C#, and it looks like it's not responsible for any of the bulk emailing... it just runs the native executable portion again, which does the bulk mailing. And by the way, XP is not .NET enabled. I think this is either a hoax or a very misunderstood virus.

    1. Re:Not sure I'd call this a .NET virus by muffen · · Score: 5, Insightful

      This *additional* behavior that affects .NET enabled computers is the part that could possibly be written in C#, and it looks like it's not responsible for any of the bulk emailing...

      You are correct, this is the only part that is written in .NET compiled down to MSIL. Here's a cut from the Symantec writeup: The replication code of the virus is written in C# and compiled to MSIL...

      The emailing routine is done by dropping a VBS file that enumerates the Outlook address book, sending an email to everyone in there.

      This is said to be the second virus that infects .NET files. The first one was W32.Donut (even though W32.Donut doesn't actually infect the MSIL part of the executable, but the one containing the normal X86 code).

      In my opinion, we still haven't seen the first *true* .NET virus. When there is a virus that infects the MSIL (Microsoft Intermediate Language) code, then I think it qualifies as a .NET virus. All the .NET viruses we have seen so far appear to be attempts by virus writers to get media attention, and as we can see, it worked :-/

  4. Who said it was a .NET virus? by Anonymous Coward · · Score: 4, Funny

    Let's try your karma whoring strategy:

    It's NOT a pink elephant!

    Just trying to clear up a potential misunderstanding here: The Sharpei Virus is a worm spread by MAIL via Outlook. It has NOTHING to do with elephants, mammals in general, or any kind of pink lifeform. The virus may overwrite some files if the user has write access to them, but rest assured that you won't have to deal with 10,000 pounds of pink flesh suddenly appearing in your computer room.

    1. Re:Who said it was a .NET virus? by saintlupus · · Score: 3, Funny

      rest assured that you won't have to deal with 10,000 pounds of pink flesh suddenly appearing in your computer room.

      Ah, so the admin found his pants, then?

      --saint

  5. Read the technical details at Symantec by Carnage4Life · · Score: 5, Informative

    I just looked at the Symantec write up for W32.HLLP.Sharpei@mm and from what I read it's primarily just another social engineering email-with-executable-attachment worm ("Please run this MSFT update") which happens to use C# in some of the code it runs after it has 0wn3d your machine.

    The fact that the worm tries to run a C# executable after it has already compromised the machine is not much of a technical feat since it could run anything including a Perl script, Java program, Lisp code, etc as long as the runtimes were available on the target machine.

    Disclaimer: The opinions expressed in this post are mine and mine alone and do not reflect the opinions, wishes, strategies or intentions of my employer.

  6. Re:What about Java virii? by InfoSec · · Score: 5, Informative

    The problem is that the JRE has a security manager which, unless the user mucks it up, won't allow virii to access the local machine or resources (i.e. address book).

    --

    Wherever you go, there I am...
  7. M$ doesn't call Sharpei a worm by Ilan+Volow · · Score: 5, Funny

    They prefer the term "a few wrinkles here and there"

    --
    Ergonomica Auctorita Illico!
  8. Re:What about Java virii? by jaavaaguru · · Score: 5, Informative

    The JRE lives in a directory that normal users don't have write permission to. This is definitely the case in UNIX/Linux and our Win NT based machines at home are also set up this way. If someone installs something into a directory that is world writable, then they should be prepared for these kinds of things to happen. If an OS insists on putting important things in silly places, then maybe software manufacturers for that OS should make their users aware of this and possibly change the permissions on directories after their software has installed? If Windows XP treats users as dumbasses, why should these same users be expected to know anything about securing their system?

  9. Virus in attachment by Henry+V+.009 · · Score: 3, Insightful
    This is simply the old virus as attachment trick.

    And guess what? It's implemented in C#. And when run, it will screw up other folders on the system. Imagine, if you will, a computer language, somewhere, that somehow, could not be used to write this virus. I'm drawing a blank, but I'm sure there will be lots of +5 funny responses.

    Since my current sig just confuses everyone anyway, maybe I should change it to "$5 for a thousand pages of this!?" and save everyone the typing.

  10. Proof of concept? by Alizarin+Erythrosin · · Score: 5, Interesting

    Seems to me this is more like a proof of concept virus, like that one that was written in Flash a while back, demonstrating the kinds of things that COULD happen should Outlook's holes and bugs not be patched up.

    The message body is actually a very misleading one though... I mean, who wouldn't wanna speed up Windows by 50% and make it more secure? We can't get that kind of update, even out of Microsoft!

    --
    There are only 10 kinds of people in this world... those who understand binary and those who don't
  11. SSSCA Impact on Viruses by heretic108 · · Score: 4, Funny

    I worry about SSSCA.
    If it goes through, virii would definitely fall under the category of 'interactive digital devices'.
    It will be illegal to write or transmit a virus unless it contains 'approved security measures'.
    Any attempt to circumvent a virus' protection mechanism, or communicate to others the nature of a virus or possible defences against it, will be a criminal offence punishable by law.

    --
    -- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
    1. Re:SSSCA Impact on Viruses by edhall · · Score: 4, Interesting
      virii would definitely fall under the category of 'interactive digital devices'

      That makes no sense whatsoever. An "interactive digital device" is a piece of hardware, as defined by the SSSCA. Unless you know something about computer viruses that I don't, they hardly qualify as such.

      Even as software, they are highly unlikely to contain the likely-to-be mandated digital signature. And that's the scary part: Microsoft is promoting digital rights management as an anti-virus solution (among other things). Part of the .NET infrastructure is providing the ability of each software component to be signed. Thus the SSSCA dovetails quite nicely with Microsoft's need for better security. And it gives them the opportunity to get even more leverage over non-Microsoft software (not just viruses). Who do you think will control the certification process necessary to get a signature?

      -Ed
  12. Worm with a virus payload by prockcore · · Score: 5, Informative

    This is actually a win32 worm, with a .net virus payload.

    " On PCs loaded with Windows XP and other .Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again."

    The .net half is a true virus, and spreads among .net executables.

  13. Re:Another Outlook worm by gazbo · · Score: 5, Insightful

    Did you read the article? They send an executable file, and ask the recipient to execute it. WTF are Microsoft going to do about that, short of hooking in a virus scanner by default into Outlook that auto-updates behind the user's back every time they connect to the Internet, and refuses to display mails that have a virus?

    Oh, and before you say that they *should* do this, firstly think about people who may have a legitimate reason to want to download a virus[1] and secondly, think of the accusations of monopolistic practices - I can't see Norton, McAfee et al taking that without a fight.

    Back to the subject, what else can Microsoft do about blatant user stupidity in the face of so much publicity about email viruses over the past year?

    [1] I wrote a website that allowed users to upload documents available for public download. Being a community spirited sort of chap I included a server side virus scan, and needed a copy of a virus in order to test it was working. I was sent a copy of I Love You in the end by a friend. See, I really did mean there are legitimate reasons.

  14. Re:Go to sleep Timothy by MiTEG · · Score: 3, Funny

    Go to sleep for gosh sakes. You've been posting since Noon yesterday.
    My god you're right! Timothy has had less than 3.5 hrs between posts for the past 24 hrs! A quick breakdown of Timothy's postings:

    March 03 3:15 AM
    March 03 6:47 AM
    March 03 8:29 AM
    March 03 11:59 AM
    March 03 12:22 PM
    March 03 12:57 PM
    March 03 2:16 PM
    March 03 3:56 PM
    March 03 5:19 PM
    March 03 5:35 PM
    March 03 5:46 PM
    March 03 7:47 PM
    March 03 10:35 PM
    March 03 11:11 PM
    March 04 3:17 AM

    I say go for another 24 and then see what happens, turn it into a sort of geeky endurance test or something.

    --
    The future isn't what it used to be.
  15. Re:Another Outlook worm by DrSkwid · · Score: 3, Insightful

    what else can Microsoft do about blatant user stupidity

    1. sandbox any executable
    2. introduce an executable bit into the file system so that downloads CAN'T auto execute

    that's 2 things off the top of my head.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  16. Re:yet another unhackable system by _Sprocket_ · · Score: 3, Insightful


    it AMAZES ME, that the security analysts who keep saying there is no such thing as an unhackable system heap laud and praise on every "unhackable *" released.


    You have quotes and references to the same security analysts making both of these claims?
  17. .net and gnome... by kevin+lyda · · Score: 3, Insightful

    it seems this is not a true .net virus but it does bring up some interesting possibilities regarding the gnome project. ximian has professed to wanting gnome 4 to use the .net framework. so either they'll code it in such a way to avoid all the security issues in microsoft's .net, or they'll have the same security issues.

    in some ways either "wins." if the main linux .net implementation avoids security issues it's a pr disaster for microsoft. ditto if it has the same bugs as it will show a design flaw in .net.

    otoh it will "lose" - anti-virus companies will be against linux for taking away their product stream. and if the same security flaws show up then it removes a major distinguishing item from a linux desktop.

    --
    US Citizen living abroad? Register to vote!
  18. Wording by GSV+NegotiableEthics · · Score: 4, Funny
    Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.

    Something about the wording suggests to me that this worm is intended to target only very stupid people. Does anybody reading this actually have friends who write emails like that?

    1. Re:Wording by frisket · · Score: 3, Informative
      > Does anybody reading this actually have
      > friends who write emails like that?

      No, but I have 15,000 users who might.

      ///Peter

  19. Re:Great Advertising by Tony+Hoyle · · Score: 3, Funny

    You're shitting me... there are .NET users?

    Wow.

  20. That won't work either by Hektor_Troy · · Score: 3, Insightful

    At that point in time, they will con(vince) the government that virus-writers are terrorists, that terrorists are per default trying to kill people and destroy the economy and that as a result of that, that the government should invoke the death penalty for all virus writers.

    Of course the upside of that, is that it only takes very little effort to prove, that Windows is a virus, and that every OS writer at Microsoft should be put against the wall and shot.

    --
    We do not live in the 21st century. We live in the 20 second century.
  21. MS: Favorite OS of Criminals Everywhere by Alien54 · · Score: 4, Insightful
    Get Microsoft C# today. Be on the cutting edge of Microsoft Virus spreading technology.

    More successful virus writers use Microsoft compared to any other operating system. You too can be a successful virus writer. Get in on the cutting edge made by a company that knows how to mess with people.

    [/sarcasm]

    etc.

    I just call all of these Microsoft viruses. Makes life much easier.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  22. it's a Trojan horse actually ... by Zero__Kelvin · · Score: 4, Informative


    The article doesn't get any of the terminology right, so I wouldn't put too much stock in anything they say.

    It is neither a virus nor a worm, though they seem to think the two terms are interchangeable ...

    It is a trojan horse. As a point of education:

    1) A Virus attaches itself to a host program, and does not necessarily require user interaction to infect additional files (e.g. it may attach to an OS device driver or other system program.) It may be attached to an application, but no coaxing is done to get the user to run it. It simply waits for the user to do so, and then goes about its business.

    2) A Worm is a stand-alone program that makes its way through a system ... it isn't attached to anything.

    3) A Trojan horse is a program that is sent to an ignorant user, and requires them to run the program. It may appear to be a program of another sort - hiding its behaviour - or it may immediately and blatantly do its thing. Solicitation like the E-Mail body is always a component of a Trojan horse. The fact that it is an E-Mail attachment in no way makes this a virus. It spreads only with the help of user interaction and involves the direct solicitation of said action. It is fundamentally undifferentiated from an E-Mail asking someone to download an .exe and then run it. The fact that the downloading is performed via E-Mail attachment does not in any way change its status from that of a Trojan.

    Come on folks ... if the Slashdotters of the world can't get this, then how will anyone else?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  23. .NET Security by rabtech · · Score: 4, Informative

    By default, the .NET framework will not run untrusted code and allow it to do anything of note.

    You will notice that the host EXE being sent over email is native x86 code, NOT MSIL. Therefore, it has no security permissions of note.

    If you were to attempt to write a pure-C# virus and mass-email it, you wouldn't get very far as the user would actually have to tell the framework to grant execute permissions to the downloaded code.

    I even have to grant permissions to the files I myself write with Visual Studio.NET; they won't execute by default.

    Lastly, Outlook 2000 w/security patches and Outlook XP both automatically disallow the user to download or execute EXE attachments, period. Unfortunately, this makes it a hassle having to ZIP all EXE files before sending them (and VBS files, etc.), but that's a small price to pay to protect us from idiot users. My only complaint with Outlook security is that Outlook Express does not do this by default.

    I think Microsoft is doing a better job these days; they still have things to address of course. Sometimes I think people just misunderstand though... calls for the removal of VBScript are like asking *nix distributors not to ship Perl with their installs; it's kind of silly.

    Fortunately, with XP Home, you don't have a bunch of home users running as Admin all the time; I think that's a big key right there.

    --
    Natural != (nontoxic || beneficial)
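
The native x86 versus MSIL distinction that muffen's and rabtech's comments turn on can be checked from a file's PE headers: a managed assembly carries a non-empty CLR runtime header entry (data directory 14). The following triage check is an added example, not part of the thread or of any vendor write-up; `classify_pe` and `build_sample` are hypothetical names, and the sample inputs are constructed header-only byte strings, not real executables.

```python
import struct

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)


def classify_pe(data: bytes) -> str:
    """Return 'not-pe', 'native' or 'managed' for the raw bytes of a file."""
    try:
        if data[:2] != b"MZ":
            return "not-pe"
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return "not-pe"
        (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
        opt = pe_off + 24                                     # optional header start
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:        # PE32
            dirs = 96
        elif magic == 0x20B:      # PE32+
            dirs = 112
        else:
            return "not-pe"
        (count,) = struct.unpack_from("<I", data, opt + dirs - 4)
        entry = dirs + 8 * CLR_DIR_INDEX
        if count <= CLR_DIR_INDEX or entry + 8 > opt_size:
            return "native"       # no slot for a CLR header at all
        rva, size = struct.unpack_from("<II", data, opt + entry)
    except struct.error:          # truncated or malformed headers
        return "not-pe"
    # A non-empty entry means the file declares managed metadata; a
    # mixed-mode image can still contain native code as well.
    return "managed" if rva and size else "native"


def build_sample(clr_rva: int, clr_size: int, pe32_plus: bool = False) -> bytes:
    """Constructed test input: DOS + PE headers only, no sections, not loadable."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    dirs = 112 if pe32_plus else 96
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<I", opt, dirs - 4, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * CLR_DIR_INDEX, clr_rva, clr_size)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "constructed native header": build_sample(0, 0),
        "constructed managed header": build_sample(0x2008, 72),
        "constructed script text": b"MsgBox 1\r\n",
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_pe(blob)}")
```

A mail gateway or analyst can apply the same check to an attachment's bytes to see which runtime it targets before deciding how to examine it.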
  24. Already happened by sheldon · · Score: 3, Funny

    Outlook 2000 has a patch entitled "Fix stupid user", which prevents users from opening attachments. Outlook XP ships this way by default.

    Granted, the patch also does some useful things like changing the profile under which email is viewed to Restricted Sites Zone, thus disabling active scripting, etc.

    And if some user still insists on running that .EXE, the patch pops up when things connect to the Outlook COM objects and says "Hey, this thing is trying to send email.. is that ok dummy?"