Slashdot Mirror
Klez, The Virus that Keeps on Giving
kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson."
God bless microsoft email viruses. I'm on a modem for a few weeks and downloading
countless megs of mail viruses is extremely frusterating. Course I'm still
getting sircams.
May they spend the rest of eternity having to listen to Oral Roberts sermons
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
Hrm, I can't think of any practical uses of scripting in emails anyway. Can anyone help me out?
Try operating a legit, non-spamming adult site that's worked hard for years to get a decent reputation, only to have klez emails that appear to come from your customer support email address.
People are going to believe a priest when it's explained that it was a virus; nobody is going to believe a legit company that's operating in an industry where so much spam originates.
Argh.
-b
After getting infected with sircam (My mcafee wasn't updating or scanning properly for some reason) I decided to say screw it, and start scanning email on my server. Now, anything that comes in, gets scanned firts. If f-prot can't find anything, then it gets delivered, otherwise it never show up in my inbox. If you want a look at what I did, check out my scanner.
telnet mail.xyz.com 110
:)
;)
user (username)
pass (password)
list
top (number of message to check) (kb to read)
dele (message to delete)
retr (number of message to read entirely)
quit
Quicker, cheaper, easier. This was one of the best tips I got from a friendly sysadmin.
Of course, I would ask why CmdrTaco didn't check the RFC, but hey, who am I to question slashdot's leader?
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
They infect or have infected 7.2% of all computers. (more than any other virii)
A windows version for cleaning your pc of Klez. (and removes Nimbda, Melissa, etc.)
The number of virus alerts I get from my mail gateway has been inundated with Klez for the last week or so. Identifying remote infections was at least possible with Magistr variants, as it only did minor iterative changes to email addresses. Klez lives on an entirely different stratum of nuisance.
"Course I'm still getting sircams"
I've been working for 2.5 years for a company that uses Exchange and Outlook. Most of my friends and colleagues use Outlook or Outlook Express at work and home, although I still use Netscape for personal stuff. I've received 2 email viri ever, and neither of them were the "common" ones like Melissa or SirCam. It leaves me wondering if people are making a big fuss out of nothing, and being a bit sensationalist or simply an anti-Microsoft bigot.
Works wonders
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
The worst thing about that virus is that it has massively hit a lot of mailing-lists.
Interesting threads on mailing lists died because of this. People got insulted although they didn't send anything. A lot of people unsubscribed from mailing-lists due to this.
So people installed antivirus software, personal firewalls, etc. The result was that on mailing-list, instead of having tons of viruses, we got tons of "alert: you have sent a virus, it has been removed by our robot", that is as frustrating as the original virus.
Thanks a lot to Microsoft for being responsible of the most annoying viruses so far.
{{.sig}}
to use a Mac.
(-1, Raw and Uncut is the only way to read)
The patch that prevents this has been out for over a year now. It's downloadable here. Microsoft included the patch with IE6 and IE5 SP2, so if you have either, you don't need it.
Good dose of blame goes all around here.
I've finally had it: until slashdot gets article moderation, I am not coming back.
Klez passed through my work a ways back and ever since then we've all been getting all kinds of spam. From what we can figure, the virus replied to all kinds of spam with the From line set to everybody's email address, including mine. So even though I hardly ever give my email away except for work issues, i'm now inundated with spam. Makes me think that someday some spammer out there will write a virus solely to collect email addresses.
A week or so I start getting all these emails from different mailbox administrators, etc. informing me that emails I was trying to send had invalid addresses.
I'm looking at them and it shows my address in the from area and it was mostly spam for beastiality sites. My wife went ballistic.
I got tons of them back as undeliverable. How many made it through? And now people think I was sending them spam for a porn site.
They were coming back to my wife's WIN98 machine, so she called MS. The help desk chick tells her "Someone else has a virus and it is sending out emails w/your address" So my wife says "What do I do?" and they tell her to update her virus definitions. My wife said, "But you just told me that the virus is not on my computer, someone else has it. Is there nothing that I can do?" the girl says "Well download new virus definitions and check for service packs"
The whole thing was rather humorous.
.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Ever since we stopped allowing people to receive executable attachments (thanks to MIMEdefang!), the virii have all but disappeared. There is no need to scan for virii on a mail server. Just get rid of executable attachments (there's a big list of them in MIMEdefang's example configuration). All these trojans use stupid Outlook auto-execute tricks/bugs/features to propagate. Executables shouldn't be sent as a direct attachment anyway. Either wrap it up in a zip file (the recipient has no excuse when he infects himself) or put it up on the ftp site and send a URL. This has got to be one of the basic elements of securing a network where Outlook users lurk - no executable attachments (picture Joan Crawford on a rampage).
MIMEdefang also gives us the ability to call Mail::Spamassassin from a sendmail Milter, something Spamassassin itself does not yet support. The latest version also supports the File::Scan module for writing virus scanners in perl.
Edith Keeler Must Die
http://www.ultrafunk.com/products/popcorn/ is the website for the program.
I have nothing to do with the program or its development, I'm just a happy user.
it's not the *physical* harm... it's the freaking man-years of time that is wasted. IT departments are strapped enough as it is, but then lump on top of that all of the time spent chasing crap like this down, and it *is* a strain on resources (bandwidth, server drive space, and the valuable attention it takes to diagnose and resolve a particular problem). The cost is real. Whether it's $10B or not, I have no idea, but it certainly isn't trivial.
No man is an island, but Gary is a city in Indiana.
We got hit by Klez (AMG; allmusic.com). Let me tell you, it SUCKED. This was a really potent virus. It got in through our video department (somebody opened an email...) and from there, it spread through some shared network apps. Within an hour or so, virtually everyone was toasted.
Since this one spread through exe's, and since it was one strain of like 20 different Klez variants, cleaning was a real bitch. Luckily, I'm in programming, so I didn't have to do much of the visit-everyone's-machine thing. I did have to format my box, tho, as all my applications (including system apps) were hosed.
mike feldkamp
Pretty funny.
Keep in mind the hundreds of priests now being wrongfully prosecuted due to a stererotype that is spreading like wildfire. Bear in mind how it is ruining their lives.
I love how on slashdot, insults and slander made about religion are modded as funny, yet if I were to say, "Porn from black people? What was it, pictures of fried chicken?" I'd be modded as a troll. It's all ignorance; it's all slander; it's all hatred. Stop modding self-righteous science-worshipping trolls like the parent up.
Although, I'm sure that now I'll be modded as a troll. Whatever.
Dare to think for yourself.
We dance to all the wrong songs.
--Refused.
Unfortunately Microsoft can't take ALL the blame for the problems of Klez... The SMTP itself is inherently insecure to begin with and anyone can send mail that looks like it is from anyone else. Of course you can deduce that the mail is probably not from the source it says it is by tracing the SMTP headers back, but that's esoteric geek knowledge that not many people have relative to the total number of people who use email.
is for the World to begin the arduous and expensive task of removing Microsoft software from their computers.
The first step is to eliminate Outlook for e-mail. There are other options, even Emacs, that really aren't too user unfriendly.
The second step is to eliminate Office for shared documents. There are other options, perhaps Open Office, that will be less prone to viruses and will be more maintainable over time.
The third step is to begin evaluating other operating systems besides Windows. This is harder, because it will be difficult to replace all the software that was useful in Windows. Over time, however, a fairly comprehensive list can be developed, and a plan can be made to make the switch to a non-Windows OS.
The fourth step is to take the plunge and dump Windows entirely. This may be the hardest step, because this is where the most learning needs to take place. But it is just a matter of time before users adapt to the new environment.
This is what I have been doing at home and know it isn't easy to make a full transition. However, I have found adequate replacements for nearly everything and am pretty satisfied with the results.
This doesn't have to be an all-Free-all-the-time solution, either, because there really is a way to mix open and closed software to meet your needs. It just takes research, time, and patience to find that Microsoft really doesn't rule the world at all--they just want us to think they do.
Healthcare article at Kuro5hin
hmmm, that web interface look suspiciously like squirrelmail.
n +maildirs and all mail problems tend to disappear.
IMAP Rules, plain and simple. Take an old PC, throw Debian on it, and use courier+postfix+squirrelmail+procmail+spamassassi
The person who wrote this spent some time thinking of the way to do the most damage. This virus nails you to the wall the instant it infects someone who just has your email address. That was some vicious thinking. The problems caused by this virus actually extend into social engineering. Pure genius.
Makes you wonder what else they'll come up with...
Maybe someday we'll have security, and patch this sort of thing...
Hell is being intelligent in a world full of idiots.
The real problem is that Klez is emailing itself from an infected machine to a flood of people using your and my email address in the From: line. Not only does this cause a ton of people to respond to you and me saying "you must have a virus" or thinking that we really think that this penis enlargement solution works (or that we need one) -- but, it distributes your email address to others who may potentially get infected themselves, who may in turn infect others. Next thing you know, your email address that you've been so diligent about keeping somewhat private is inundated with spam and viruses.
I also use Outlook, and I have had no viruses. I suspect the reason is that neither of us has any friends.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
That is what happens when you don't use protection
Yes. Remember. when you have unsafe email with
someone, you're having email with all the
other people that person's had unsafe email with...
or something like that.
Mod me down and I will become more powerful than you can possibly imagine...
Sig: What Happened To The Censorware Project (censorware.org)
Unfortunately Microsoft can't take ALL the blame for the problems of Klez... The SMTP itself is inherently insecure to begin with and anyone can send mail that looks like it is from anyone else.
But only Microsoft provides a hands off and automagic way for somebody to take advantage of the insecurities in SMTP with little trouble.
Thats what is so bad about these little episodes. SMTP has existed since the early 70's, yet e-mail born viruses that take advantage of the SMTP header spoofing have only existed a few years.
Hmm.....
Do you have Linux and a DotPal? Click here now!
It's a description of badtrans not klez.
OT I guess, but... a headline I saw recently:
Priests Decry Witch Hunt
All I could think was "What comes around..."
Ok, I know that many worms have been propagated through MS LookOut, etc, through the years, and I've been on the sysadmin end of shutting them down and cleaning them up. But, you can't blame MS quite so much for this one. For one thing, the vulnerability has been patched for an entire year, so anybody who is still vulnerable isn't really trying at all to stop it. For another thing, the security settings in Outlook XP (and I think 2K, IIRC) are much stricter by default. I've actually opened these klez emails, but Outlook won't display them. It says something about having HTML that it won't display, or something to that effect. It also won't do .exes, .mdbs, etc without a registry modification, which has annoyed me on occasion, but is doubtless much safer than the previous way of doing things.
Let the flames begin.
IMAP would allow to get all the email, minus the atachments. You can pick which attachments you want. People, read the IMAP spec. It offers so much that ppl dont take advantage of.
Many ATMs and cash registers run OS/2, but you don't hear about it because there is no problem.
Fight Spammers!
I got tired of dealing with my users' virus problems a long time ago. So I wrote batemail. It's a Perl script that you slip between your MTA (e.g. Sendmail) and your local mailer (e.g. Procmail) that filters out ALL executable attachments.
I've been using it in my production environment for over a year now and it works like a charm. And it's open source, too!
> I'm afraid that the original poster is correct, the only place you'll find an adult site's reputation being seen as good is at their colocation (bling bling) and a pedophile convention.
Why would pedophiles care about an adult site?
Virg
I got sick of all the spam, all the chain letters and all of the virus's. So I decided to run my own small mail server. I changed my email address and only gave it to people that would not open foolish attachment, and would not forward crap on to me.
:-)
Running linux the virus's aren't a problem, but downloading and the wadding through hundreds of emails sucked.
I then use procmail along with spam assassion. Now when I check my email there is usually one or two messages, and they are relivent.
Even the mailing lists I'm subsribed to get put in a sepereate folder.
I can't complain at all anymore.
What about those less the brillent friends that are still affected? Well I leave icq and aim running so they can just leave me a message that way.
Hey if my mother can avoid getting infected with these stupid virus's so can you!
I am the network administrator for the Absentee Shawnee Tribe of Oklahoma, recently we were assaulted by no less than 5 variants of the klez worm. Klez.C,E,F,G, and H... WATCH OUT FOR Klez.H!!! It is stinking creepy smart! Not only does it play the normal irritating klez crack games with your email system, it also knows how to delete your antivirus software (I've observed it doing this to Norton, McAfee, and InoculateIT), but worst of all, given time it actually knows how to write into motherboard and video card bios space on reboot with win9x! (it does this even if the stupid "boot virus protection" is enabled in the bios and bios flashability is TURNED OFF! This is NOT a joke or a prank, this thing is freaking dangerous. I've already sent emails to Computer Associates, Norton, and McAfee... be careful people, be bloody careful
-----------------------------------------
Remove the Greed which plagues mankind.
I finaly printed my address book out on paper. I put the address on it as a barcode. Now I e-mail people and put in addresses in via the free scanner provided by Radio Shack. Now if everyone would delete their electronic address books, much of the MS spread security problems would go away.
Not many people would drop the convience so I don't see this as working. Too many users just can't be bothered to keep up on security and are way too willing to run an attachment sent to them that is supposed to keep them from getting a virus. It's OK to send me a virus warning. Don't send me an attachment to fix it. I'll check the usual trusted sources for the description and measures to fix it. Too many viruses are spread via social engineering.
The truth shall set you free!
No, the plural of virus is Microsoft.
I'm a sysadmin at an ISP, and we have been filtering Klez inbound and outbound for 13 days, and the load basically hasn't tapered off at all. Since we started the Klez filter (thank you, Exim!) the number of bounces in our postmaster box doubled and show no real signs of slowing up.
That is a lot of bounces because we also filter on SirCam (still see some of those everyday), use several RBLs, and have extensive local spam filters and reject lists, as well as optional spam filters for Korean-encoded and Chinese-encoded mail (just rolled them out and over 800 customers have started using them already).
The cost of this is a lot of wasted bandwidth consumed by spam, worms, and viruses, in hardware (we run 4 MXes where two would otherwise suffice, because of the filtering load), and the countless hours we spend each week on defending our mail system and our customers from all this crap.
Besides the usual suspects (MS for their security holes, users for their laxness on applying updates, and the virus writers themselves), I also have to blame a lot of adminstrators for this. Mail admins, listen up! You KNOW Klez is out there and you KNOW it's going through your systems. You probably have a ton of captive specimens of it. Start filtering it inbound and outbound. You're not only helping other admins to control this problem, you're helping yourself.
And let's all be thankful that virus writers and spamware writers come from two camps that aren't likely to like each other, because if they got together and wrote a worm that silently propagated itself and turned Windows boxes into selectively open relays for use by the spammer/authors, that would be a real problem. The scary part is that it wouldn't be all that hard. The worms already have their own SMTP engines these days. The leap is small. Let's hope they don't make it, but let's think about how we're going to control it when they do.
Line of defense number 1: ISPs - if you don't already block port 25 in/out from your dial pools (requiring your dial users to smarthost through your outbound SMTP or send through it directly), start NOW. The ass you save will be your own. If we all do this (my employer has done this for years) we will cut off spam.
And you don't remember any religious persecution going on during World War II? None? I dare say, without his anti-Semitic rhetoric, Hitler might never have come to power. And the Japanese believed in the divinity of their emperor, too--the word "kamikaze" means "divine wind."
At least part of the Arab-Israeli conflict is religious in nature. You just don't see a lot of atheist suicide bombers. A lot of "ethnic cleansing" is done along religious lines as well.
The expansion of European nations into the Americas was often justified under the aegis of "divine right."
That's not to mention the religious rhetoric that's used to get men to go to war. Ever hear the song "Onward Christian Soldiers?"
So the original poster might be a little bold about his statistics...but don't fool yourself into thinking religions have their hands clean, even today.
"Hardly used" will not fetch you a better price for your brain.
I wonder how many responses to Klez emails bounce back with an "address unknown" error?