Klez, The Virus that Keeps on Giving

kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson." God bless microsoft email viruses. I'm on a modem for a few weeks and downloading countless megs of mail viruses is extremely frusterating. Course I'm still getting sircams.

Virus writers and spammers

[Vicegrip]

May they spend the rest of eternity having to listen to Oral Roberts sermons

Worse than porn spam from a priest...

[brooks_talley]

Try operating a legit, non-spamming adult site that's worked hard for years to get a decent reputation, only to have klez emails that appear to come from your customer support email address.

People are going to believe a priest when it's explained that it was a virus; nobody is going to believe a legit company that's operating in an industry where so much spam originates.

Argh.
-b

f-prot and perl solved my problems

[Nos.]

After getting infected with sircam (My mcafee wasn't updating or scanning properly for some reason) I decided to say screw it, and start scanning email on my server. Now, anything that comes in, gets scanned firts. If f-prot can't find anything, then it gets delivered, otherwise it never show up in my inbox. If you want a look at what I did, check out my scanner.

Re:f-prot and perl solved my problems

[ScoLgo]

After I got burned a few times by Norton coming out with an upgrade 2 hours AFTER I got infected, I stopped relying on it.

This is the whole problem with anti-virus software. Your best defense is your brain, not relying on someone else to write a defense program for you.

I have a novice friend who recently asked me about viruses. He runs Win98, IE5, OE5. I helped him with security settings and explained the significance of file extensions to him. Even my beginner buddy easily understood that having a secondary extension on an e-mail attachment is a red flag to not open that attachment. That knowledge, along with some logical security settings, (scripting host 'off', please), is your best defense against these viruses. My brother-in-law OTOH, opened a virus recently and is waiting for me to come over and clean it off for him. It's an 80-mile drive so I think I'll let him stew for a couple days. Hopefully, he's learned his lesson.

Sidebar - One of the biggest complaints I have about the default Windows install is that it hides extensions of known file types. Who was the genius at Microsoft that made that decision?

Save your bandwidth

[shepd]

telnet mail.xyz.com 110

user (username)
pass (password)
list
top (number of message to check) (kb to read)
dele (message to delete)
retr (number of message to read entirely)
quit

Quicker, cheaper, easier. This was one of the best tips I got from a friendly sysadmin. :)

Of course, I would ask why CmdrTaco didn't check the RFC, but hey, who am I to question slashdot's leader? ;)

Re:Save your bandwidth

[elefantstn]

Of course, I would ask why CmdrTaco didn't check the RFC...

Because it doesn't work if you spell all the commands wrong.

Re:Save your bandwidth

[rediguana]

If you want a pretty windoze gui for doing the same thing, and free as in 'beer' / nagware, try Mailwasher. The ability to bounce spam and delete virii from POP boxs before downloading, not to mention dickheads who send huge emails is very useful. It has saved me numerous times.

Re:Scripts

[grahamsz]

So targetted marketing campaigns can track which users look at what and for how long.

The average user?

[marekk]

From the Wired article:

"Anytime you have a virus that is not easily identifiable visually, it tends to linger," Rod Fewster, Australian representative for antiviral application NOD32, said. "SirCam and Klez both vary the subject lines of the e-mails they send, which makes it hard for the average user to spot."

Unfortunately, I'm sure the average user can't spot any e-mail viruses, let alone ones that change their subject line. While Outlook/Outlook Express greatly facilitates the spread of these viruses, a large part of the problem lies in the fact that too many people click on attachments and/or don't run proactive AntiVirus software on their system.

Really, how common are these things?

[Malc]

"Course I'm still getting sircams"

I've been working for 2.5 years for a company that uses Exchange and Outlook. Most of my friends and colleagues use Outlook or Outlook Express at work and home, although I still use Netscape for personal stuff. I've received 2 email viri ever, and neither of them were the "common" ones like Melissa or SirCam. It leaves me wondering if people are making a big fuss out of nothing, and being a bit sensationalist or simply an anti-Microsoft bigot.

Re: Really, how common are these things?

[ttyp0]

Quite common. If you just sit and post on slashdot all day, then no, you probably aren't much of a target for virii. However, I run 3 large websites, active on 10 mailing lists and send close to 50 emails a day. My email address is spread all over the Internet like a bad case of herpes. In return I get close to 30 - 40 infected emails a day. That was before I installed a virus scanner on my mail server.

Try qmail-scanner

[Havokmon]

Qmail Scanner uses the qmailqueue patch, supports your favortite virus scanner (FProt free for Linux), MIME decoding, and hacked up MS email.

Works wonders

Mailing-lists

[chrysalis]

The worst thing about that virus is that it has massively hit a lot of mailing-lists.

Interesting threads on mailing lists died because of this. People got insulted although they didn't send anything. A lot of people unsubscribed from mailing-lists due to this.

So people installed antivirus software, personal firewalls, etc. The result was that on mailing-list, instead of having tons of viruses, we got tons of "alert: you have sent a virus, it has been removed by our robot", that is as frustrating as the original virus.

Thanks a lot to Microsoft for being responsible of the most annoying viruses so far.

Re:Mailing-lists

[gwernol]

Thanks a lot to Microsoft for being responsible of the most annoying viruses so far.

Isn't that a bit like holding Napster responsible for all theft of music that happens on its systems, or the manufacturers of CD-RW drives for all software piracy done on their machines? That's the argument used by the supporters of DCMA and other nasty bills that outlaw fair use.

The scum-wad(s) who wrote the virus are responsible for its actions. Microsoft should do a better job of writing secure software, but the primary responsibility lies with the virus writer. Any responsibility born by Microsoft is equalled by the responsibility born by those users who don't apply security updates and don't run up-to-date firewall and virus checking software.

Just another reason...

[Gizzmonic]

to use a Mac.

Typical.

[scrytch]

The patch that prevents this has been out for over a year now. It's downloadable here. Microsoft included the patch with IE6 and IE5 SP2, so if you have either, you don't need it.

Good dose of blame goes all around here.

it's a boon for email farmers

[mo]

Klez passed through my work a ways back and ever since then we've all been getting all kinds of spam. From what we can figure, the virus replied to all kinds of spam with the From line set to everybody's email address, including mine. So even though I hardly ever give my email away except for work issues, i'm now inundated with spam. Makes me think that someday some spammer out there will write a virus solely to collect email addresses.

This thing is nasty

[stoolpigeon]

A week or so I start getting all these emails from different mailbox administrators, etc. informing me that emails I was trying to send had invalid addresses.

I'm looking at them and it shows my address in the from area and it was mostly spam for beastiality sites. My wife went ballistic.

I got tons of them back as undeliverable. How many made it through? And now people think I was sending them spam for a porn site.

They were coming back to my wife's WIN98 machine, so she called MS. The help desk chick tells her "Someone else has a virus and it is sending out emails w/your address" So my wife says "What do I do?" and they tell her to update her virus definitions. My wife said, "But you just told me that the virus is not on my computer, someone else has it. Is there nothing that I can do?" the girl says "Well download new virus definitions and check for service packs"

The whole thing was rather humorous.

.

Virii? What Virii?

[kindbud]

Ever since we stopped allowing people to receive executable attachments (thanks to MIMEdefang!), the virii have all but disappeared. There is no need to scan for virii on a mail server. Just get rid of executable attachments (there's a big list of them in MIMEdefang's example configuration). All these trojans use stupid Outlook auto-execute tricks/bugs/features to propagate. Executables shouldn't be sent as a direct attachment anyway. Either wrap it up in a zip file (the recipient has no excuse when he infects himself) or put it up on the ftp site and send a URL. This has got to be one of the basic elements of securing a network where Outlook users lurk - no executable attachments (picture Joan Crawford on a rampage).

MIMEdefang also gives us the ability to call Mail::Spamassassin from a sendmail Milter, something Spamassassin itself does not yet support. The latest version also supports the File::Scan module for writing virus scanners in perl.

Re:Using open relays to boot

[trix_e]

Last thing is that I hate the Corporates assigning a value on a virus. 10 billion done by Melissa. OK. Show me the physical harm done to your computers.

it's not the *physical* harm... it's the freaking man-years of time that is wasted. IT departments are strapped enough as it is, but then lump on top of that all of the time spent chasing crap like this down, and it *is* a strain on resources (bandwidth, server drive space, and the valuable attention it takes to diagnose and resolve a particular problem). The cost is real. Whether it's $10B or not, I have no idea, but it certainly isn't trivial.

Re:Pornographic attachments from priests?

[xZAQx]

Pretty funny.

Keep in mind the hundreds of priests now being wrongfully prosecuted due to a stererotype that is spreading like wildfire. Bear in mind how it is ruining their lives.

I love how on slashdot, insults and slander made about religion are modded as funny, yet if I were to say, "Porn from black people? What was it, pictures of fried chicken?" I'd be modded as a troll. It's all ignorance; it's all slander; it's all hatred. Stop modding self-righteous science-worshipping trolls like the parent up.

Although, I'm sure that now I'll be modded as a troll. Whatever.

Dare to think for yourself.

Re:that is what

[MisterBlister]

You don't need to be infected by Klez to be spoofed. If you're simply in the contact lists of anyone who gets infected, people might get some odd spam that's 'from you'. So not only can you not run outlook but you have to make sure nobody that emails you or might add you to their email contact lists runs outlook...Good luck.

Unfortunately Microsoft can't take ALL the blame for the problems of Klez... The SMTP itself is inherently insecure to begin with and anyone can send mail that looks like it is from anyone else. Of course you can deduce that the mail is probably not from the source it says it is by tracing the SMTP headers back, but that's esoteric geek knowledge that not many people have relative to the total number of people who use email.

The real solution

[pmz]

is for the World to begin the arduous and expensive task of removing Microsoft software from their computers.

The first step is to eliminate Outlook for e-mail. There are other options, even Emacs, that really aren't too user unfriendly.

The second step is to eliminate Office for shared documents. There are other options, perhaps Open Office, that will be less prone to viruses and will be more maintainable over time.

The third step is to begin evaluating other operating systems besides Windows. This is harder, because it will be difficult to replace all the software that was useful in Windows. Over time, however, a fairly comprehensive list can be developed, and a plan can be made to make the switch to a non-Windows OS.

The fourth step is to take the plunge and dump Windows entirely. This may be the hardest step, because this is where the most learning needs to take place. But it is just a matter of time before users adapt to the new environment.

This is what I have been doing at home and know it isn't easy to make a full transition. However, I have found adequate replacements for nearly everything and am pretty satisfied with the results.

This doesn't have to be an all-Free-all-the-time solution, either, because there really is a way to mix open and closed software to meet your needs. It just takes research, time, and patience to find that Microsoft really doesn't rule the world at all--they just want us to think they do.

I'm impressed.

[EvilNight]

The person who wrote this spent some time thinking of the way to do the most damage. This virus nails you to the wall the instant it infects someone who just has your email address. That was some vicious thinking. The problems caused by this virus actually extend into social engineering. Pure genius.

Makes you wonder what else they'll come up with...

Maybe someday we'll have security, and patch this sort of thing...

Re:that is what

[damiam]

I also use Outlook, and I have had no viruses. I suspect the reason is that neither of us has any friends.

Re:that is what

[Surlyboi]

That is what happens when you don't use protection

Yes. Remember. when you have unsafe email with
someone, you're having email with all the
other people that person's had unsafe email with...

or something like that.

Another argument for CONFIRMING list subscribe

[Seth+Finkelstein]

Quoth the article:

People signing up for newsletters and mailing lists that they never subscribed to has been a major source of frustration for both users and the list owners.

If Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.

This is another reason why all lists should confirm subscriptions. I'm seeing the Klem-virus beating on my own mailing list, and I'm very glad I spent the time to get the software to do confirmations of subscriptions.

Sig: What Happened To The Censorware Project (censorware.org)

Re:MOD THIS UP

[S.Lemmon]

Yeah right - it's just a cut and paste job from sophos' web site and they didn't even get the right virus!

It's a description of badtrans not klez.

Re:Pornographic attachments from priests?

[weatherbee]

Keep in mind the hundreds of priests now being wrongfully prosecuted due to a stererotype that is spreading like wildfire. Bear in mind how it is ruining their lives.

OT I guess, but... a headline I saw recently:

Priests Decry Witch Hunt

All I could think was "What comes around..."

Fool! use IMAP

[benploni]

IMAP would allow to get all the email, minus the atachments. You can pick which attachments you want. People, read the IMAP spec. It offers so much that ppl dont take advantage of.

Umm...

[virg_mattes]

> I'm afraid that the original poster is correct, the only place you'll find an adult site's reputation being seen as good is at their colocation (bling bling) and a pedophile convention.

Why would pedophiles care about an adult site?

Virg

Re:My OSS plug... (Not off-topic though)

[JoshuaDFranklin]

Dude... just use Procmail's built-in capabilities.
No need to put an interpreted script in between
your MTA and MDA. Out of the goodness of my heart,
here's some actual working stuff to put in your /etc/procmailrc that dumps all email with
executable attachments in /var/virusdump/:
#/etc/procmailrc
VIRUSLOG=/var/ virusdump/viruslog

:0 # Use procmail match feature
* ^To:\/.*
{
HTO = "$MATCH"
}

:0 # Use procmail match feature
* ^From:\/.*
{
HFR = "$MATCH"
}

NL="
"

:0
*.for virususer;.*
/var/virusdump/virususer

:0
*^Content-type:.*
{
:0 HB
*name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|bat|js )"
{
:0c
! virususer

:0 fhw
| (/usr/bin/formail -r; \
echo -e "This is an auto-generated message on behalf of${HTO}:\n\
\n\
The email referenced above, which was sent from your address, \n\
had a virus-vulnerable attachement (such as .EXE, .VBS, .PIF, etc).\n\n\
This mail server no longer accepts mail with virus-vulnerable \n\
attachments and the email has been quarantined.\n\
Please try resending your attachment in a safe format such as ZIP. \n\
Contact support@iocc.com if you have any questions")\
| mail -s "Possible virus deleted" "${HFR}"

:0
| echo "VIRUS From:${HFR} To:${HTO}" >> $VIRUSLOG

:0
/dev/null
}
}

The cost of viruses, worms, and spam

[gujo-odori]

I'm a sysadmin at an ISP, and we have been filtering Klez inbound and outbound for 13 days, and the load basically hasn't tapered off at all. Since we started the Klez filter (thank you, Exim!) the number of bounces in our postmaster box doubled and show no real signs of slowing up.

That is a lot of bounces because we also filter on SirCam (still see some of those everyday), use several RBLs, and have extensive local spam filters and reject lists, as well as optional spam filters for Korean-encoded and Chinese-encoded mail (just rolled them out and over 800 customers have started using them already).

The cost of this is a lot of wasted bandwidth consumed by spam, worms, and viruses, in hardware (we run 4 MXes where two would otherwise suffice, because of the filtering load), and the countless hours we spend each week on defending our mail system and our customers from all this crap.

Besides the usual suspects (MS for their security holes, users for their laxness on applying updates, and the virus writers themselves), I also have to blame a lot of adminstrators for this. Mail admins, listen up! You KNOW Klez is out there and you KNOW it's going through your systems. You probably have a ton of captive specimens of it. Start filtering it inbound and outbound. You're not only helping other admins to control this problem, you're helping yourself.

And let's all be thankful that virus writers and spamware writers come from two camps that aren't likely to like each other, because if they got together and wrote a worm that silently propagated itself and turned Windows boxes into selectively open relays for use by the spammer/authors, that would be a real problem. The scary part is that it wouldn't be all that hard. The worms already have their own SMTP engines these days. The leap is small. Let's hope they don't make it, but let's think about how we're going to control it when they do.

Line of defense number 1: ISPs - if you don't already block port 25 in/out from your dial pools (requiring your dial users to smarthost through your outbound SMTP or send through it directly), start NOW. The ass you save will be your own. If we all do this (my employer has done this for years) we will cut off spam.