McAfee Manufactures Virus Threat
The latest "news" to come out of the AV industry is New Virus Infects Picture Files. McAfee put up their description and made sure to issue a wide-spread press release to stir up some interest. McAfee's spokesdrone fans the flames:
"Potentially no file type could be safe."
That evolution should make computer users think twice about sending pictures or any other media over the Internet, Gullotto said.
"Going forward, we may have to rethink about distributing JPGs."
Now, if you know much about computing, you may be a little suspicious of this. JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed. A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter, because the programs that display JPEGs don't read them with an eye toward executing the code. An image file is just data to be displayed. The line between "data" and "code" is a little bit fuzzy - often particular characters or a particular file can be both data and code, depending on the context of how other code handles it. Or a particular file can include both data and code separately, like a Microsoft Word file that includes data (your text) and code (some macro designed to be executed by Word when the document is opened).
But for JPEGs there's a well-designed standard, and it doesn't include executing code of any sort. If a JPEG-handling program doesn't like the data it sees, it should just stop trying to display the image, not decide to start executing code from the image. JPEGs are mostly harmless.
McAfee's claim of a virus spread through JPEGs requires one essential element: you have to have already been infected by ANOTHER virus transmitted by some actual executable code. What it comes down to is:
Once you're infected with a virus, the virus can set you up to be infected by other viruses.
No shit, Sherlock. Once you have enemy code running on your system, you're toast. A virus could alter Microsoft Word so that opening any Word document at all would erase every file on your hard drive, making every single Word document in existence a deadly threat -- to you, and to you alone. But this isn't a new virus threat of any sort. It isn't a breakthrough. It's a consequence of being infected, not a new method of being infected.
Two weeks ago, we ran a story about a cross-platform virus. Like this one, it didn't really exist in the wild. Like this one, it was mainly a PR ploy (by Symantec, in that case). But we thought it had at least some minimal technical interest as a bit of code that would run under Windows or Linux.
McAfee and Symantec (and all the other AV vendors out there) are waging a PR war to "discover" ever more news-worthy viruses to defend against. To get maximum coverage, your new virus needs to do something unique or different -- make your computer turn green, or infect something previously uninfectable, or whatever it might be. Compare this to Klez, a very basic virus similar in most ways to viruses that have gone before, which is still out there looting and pillaging tens of thousands of computers every day, but isn't ideal for AV vendors because they don't have a monopoly on the cure.
The press is catching on, to some tiny extent at least, that most virus alerts are fictitious and just designed to drum up business for the vendors. But it's far easier to repurpose a vendor's press release and call it a story than to dig into real threats that exist on the Internet, and the causes of those threats. Today, like last year and the year before and five years ago, there are major email-borne virus threats out there. (There are still old-school viruses out there too, transmitted by sneaker-net or by downloading suspicious software, but email is clearly the way to go for the discriminating virus creator.) All the real email virus threats share a few distinguishing characteristics:
- They only affect Microsoft Windows. If you aren't running Windows, you are safe.
- They're usually transmitted by email. If you know enough on your own, or you've had a half-hour class in "Email 101", you should be able to avoid executing random files received by email.
- They auto-execute in Microsoft Outlook or Outlook Express. Microsoft has finally made some progress, after many years, in reducing the vulnerability of their flagship email programs. So if you have a recent or fully-updated version of these programs, you may not be as vulnerable as people running older versions. Nevertheless, this was (and still is, since so many people don't have recent or fully-updated versions) a primary vector.
And that's really it. If you don't run Windows, you're safe. If you have basic email skills, you're safe. If you don't run Outlook, you're safe. That's the story of modern viruses, and fortunately or un-, it's a pretty boring one.
McAfee, and Symantec, and everyone else involved in the anti-virus FUD business: lay off. I mean that literally, as in, "Lay off the people you employ for the purpose of drumming up new virus threats." Lay off the public relations people you employ to say things like, "We may have to rethink about distributing JPGs." Lay off the BS. There's a real market for your product, people who (for whatever reason) are using Windows and/or Outlook, and haven't received the half-hour training course necessary to avoid viruses. You can market to them based on your fast responses to real virus threats - you don't need to manufacture any more.
. . . that all this time, the satire about the virus development divisions of anti-virus software companies actually contained a kernel of truth? Who woulda thunk it?
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
I use AVG from Grisoft and just updated the signature file. I am SOOooo glad I use a freeware/shareware product that keeps up with REAL viruses and not marketing. As they say here in the U.S. "There ought to be a law..."
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
Attention, AV companies:
You could make some money offering training classes on how to avoid common viruses.
Against misinforming the public via the news channels? I understand they want business, but using FUD techniques will only backfire and cause major distrust among the public.
Would you want to use a product from an entity you don't quite trust?
I am the evil aardvark!
When I first heard about this yesterday, I was thinking "So what? This is the same kind of Windows&Outlook-only virus problem that's been painfully well documented and explained". I saw no point in the FUD coming from the anti-virus people. Good to see someone else makes those observations, and in such a public forum.
-----
Apple hardware still too expensive for you? How about a raffle ticket?
Come to the University of Mars! Classes starting soon!
It's pretty simple to stay safe, and I have repeated this many many times to customers when I worked at an ISP. If you are using Windows or Outlook, do not open an attachment if you don't know what it is. It's very simple. I don't care if it says "This is very important, Bob and you must open this now." Unless you know specifically what it is and you were expecting it, don't open it. There is no need to, and you aren't going to miss out on much.
Of course, in the case of stupid users, there are some steps you can take on the server side to filter some viruses, but it's not perfect. In the end, patch Outlook, and educate your users. You could probably pretty easily drop any potentially executable attachments before they even got to Outlook (which drops many of them on its own).
What?
They only affect Microsoft Windows. If you aren't running Windows, you are safe...
No you are not. It's not what fscking OS you are running, it's about what OS and applications are running on the system to which you gave your credit card number and your SSN. It's about what OS your company runs to store the employee databases. You can hide your head in sand and pretend that you are safe of course...
Shows what you know. You Linux lusers don't even have Microsoft ActiveJPEG Technology yet?!?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I am sure I can prevent my computer from being infected just by using common sense (don't open unexpected attachments, download only from trustworthy sites, etc). Even if I did get infected, I could just re-ghost my drive and be done with it. Sure I have to make current ghost images, but I do that anyway and storage is cheap these days. On the up side, I don't have to take the performance hit of running AV software, and I don't have to deal with constant updates.
A friend of mine who's into conspiracy theories thinks that the anti-virus companies like McAfee also have people writing the viruses - so they can sell "subscriptions" to keep the definitions updated.
I'm reserving judgement on that one until a virus is actually tracked back to an author who's affiliated with an anti-virus company.
But I *do* wish they cut out the FUD. It's bad enough getting my weekly dose of "Delete jdbgmgr.exe from your system! It's a virus!" from my friends and relatives, who then get dutifully pointed to www.snopes.com to read "Inboxer Rebellion," without having people who supposedly know better promoting the same kind of crap.
Specialization is for insects. - R.A.H.
I'm running Windows and Outlook, and I haven't been infected with a virus yet. It's just common sense... "MY WIFE NUDE.JPG.exe" probably isn't something I want to open. The real anti-virus software is common sense, but there don't seem to be many available copies out there. :-/
Say an attacker knows you use a certain program to view JPEGs, or other data/multimedia files. This attacker knows that certain program contains a buffer overflow, and how to exploit it. The attacker can assemble a specially formed file that exploits the overflow and opens a backdoor on your machine, granting himself some level of access to your computer (most likely user level access). Combined with knowledge of a local root hole, the attacker now has root access to your machine (ie, he 0wns j00). The attacker delivers this specially formed file to you in some manner (email, webpage, etc).
Suddenly, this "data" file is now containing a virus, isn't it?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Someone should make a special program to detect and turn off Virus programs! I get a lot of calls from family members complaining about their slow computers, I check it out and they have the de facto McAfee install which checks all email, boot sector and floppy on boot, and (the worst one) EVERY exe before it starts. This causes a horrible delay every time you do anything! I refuse to install any AV software on my computer simply because I am not stupid enough to open any of these files, and I consider the AV software itself to be a performance-affecting Virus.
There was a Charlie Chaplin movie, silent, made in 1926? that was about a glazier (Charlie) who needed to drum up some business, so he employed a small boy to run around town, breaking windows. The victims of this nefarious window breaking were then offered "discounts" if they purchased Charlie's services. Odd, how history seems to repeat itself....
Stupid Humans.....
Intelligence is my anti-virus. I have been running Windows for a long time now, and have never been infected with a virus. Why? Because I am careful about what I allow to run on my computer. Linux or Windows, it doesn't matter. If you don't have some common sense, you are going to get burned.
The world moves for love. It kneels before it in awe.
... unless you're using a Mac. Oops.
Not Windows = Linux, right?
Or maybe they are being written by Linux fanatics :->.
Seriously, the rise of Unix-like OSes, a full ten years after they were supposed to be dead (Byte, July 1992, anyone else remember? - be a good slashdot posting now the anniversary is coming up) must be a real threat. I am sure we can expect to see lots more FUD-inducing "cross platform" nonsense shortly.
Just because an image file consists of data, if a poorly designed decoder has been written, then if the data is corrupted, you could end up spewing data over stack or even main memory.
If you had some control over what data is written, then you could get the decoder to write out what amounts to a virus, and then get the decoder to execute it (by trashing the stack).
I won't use JPEG as an example, but some lossless compression, such as GIF. Instead of having the image compressed, you could have your program compressed. Decompressing the data would effectively copy the code into some memory location. The difficult bit would be getting the decoder to actually execute it.
Don't forget that such a virus doesn't actually need to spread itself in images; it could be a simple bootstrap loader in the images that downloads a larger virus with its own payloads.
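The behaviour the article asks for (a decoder that stops as soon as the file's own length fields disagree with the bytes present) and the failure this comment describes (a decoder that trusts those fields and writes past its buffer) are illustrated by this added Python example; it is not code from the article or from any commenter. It walks the marker segments of a JPEG with every length checked against the buffer, and the byte strings at the end are constructed skeletons, not real images.

```python
# Added example: a bounds-checked walk over JPEG marker segments.
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


class MalformedJpeg(ValueError):
    """Raised when a length field or marker disagrees with the bytes present."""


def iter_segments(data: bytes):
    """Yield (marker, payload) for each segment of a JPEG byte string.

    Every length field is compared with the bytes that actually remain, so a
    file whose header claims more data than exists makes the walker stop with
    MalformedJpeg instead of reading (or, in a C decoder, copying) past the
    end of the buffer."""
    if data[:2] != SOI:
        raise MalformedJpeg("missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise MalformedJpeg(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # fill bytes are allowed
            pos += 1
        if pos >= len(data):
            raise MalformedJpeg("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == 0x00:
            raise MalformedJpeg("stuffed byte where a marker was expected")
        if marker == 0xD9:                              # EOI: done
            yield marker, b""
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length
            yield marker, b""
            continue
        if pos + 2 > len(data):
            raise MalformedJpeg("truncated length field")
        length = int.from_bytes(data[pos:pos + 2], "big")  # counts the 2 length bytes too
        if length < 2:
            raise MalformedJpeg("segment length below minimum")
        if pos + length > len(data):
            raise MalformedJpeg(
                f"segment 0x{marker:02X} claims {length} bytes, {len(data) - pos} remain")
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            while True:                                 # skip to the next real marker
                nxt = data.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(data):
                    raise MalformedJpeg("scan data not terminated by a marker")
                following = data[nxt + 1]
                if following == 0x00 or 0xD0 <= following <= 0xD7:  # stuffed 0xFF / RSTn
                    pos = nxt + 2
                    continue
                pos = nxt
                break
    raise MalformedJpeg("missing EOI marker")


def validate(data: bytes):
    """Return the list of marker codes if the file is structurally sound, or
    None when a decoder should refuse it rather than keep going."""
    try:
        return [marker for marker, _ in iter_segments(data)]
    except MalformedJpeg:
        return None


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field (for the samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (not real images): a minimal well-formed skeleton, one
# whose APP0 length field lies, and one cut off inside the scan data.
GOOD = (SOI + segment(0xE0, b"JFIF\x00")
        + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34" + EOI)
LYING_LENGTH = SOI + b"\xff\xe0\x7f\xff" + b"JFIF\x00" + EOI
TRUNCATED = GOOD[:-3]

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("lying length", LYING_LENGTH),
                         ("truncated", TRUNCATED)]:
        print(f"{name:13s}: {validate(sample)}")
```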
I would rather throw out Windows out of the computer...
abstraction. Virus companies must PROMOTE their product for the good of everyone.
These companies make money by making sure you don't notice any interruption in the use of your computer.
Think, if the average computer user never noticed an interruption, wouldn't they one day say "why am I spending this much on an anti-virus package that doesn't do anything for me"
Any computer that has a virus can potentially be part of a DoS attack. All of a sudden you're not only losing money on the customers that don't have anti-virus packages but on those that get hit by DoS attacks (despite having anti-virus SW)
It is in ALL of our best interests that everyone has an anti-virus package. And it is a RESPONSIBILITY of these companies to make sure that they promote knowledge of how much damage a virus can do.
If Symantec et al. make money in the process SFW ... we need them ... more than you realize
http://www.pulse24.com/News/Top_Story/20020613-008 / age.asp
You can't handle the truth.
One statement of yours needs modification:
They only affect Microsoft Windows. If you aren't running Windows, you are safe.
There have been macro viruses which have inadvertently worked on the Mac versions of Word and Excel. I would correct the statement to:
They only affect Microsoft products, primarily Windows. If you aren't running Windows, you are almost entirely safe.
Check out this spam email a bunch of people in my office got yesterday:
-=-=-=-=-
Return-Path: postmaster@salisbury.net
Received: from salisbury.net (12.152.4.9) by myoffice.com with ESMTP (Eudora
Internet Mail Server 3.0.3); Wed, 12 Jun 2002 23:08:21 -0400
Date: Wed, 12 Jun 2002 23:09:46 -0400
Message-Id: 200206122309.AA2564817116@salisbury.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "postmaster " postmaster@salisbury.net
Reply-To: postmaster@salisbury.net
To: people in my office
Subject: WARNING: YOU WERE SENT A VIRUS
X-Mailer:
X-Mozilla-Status2: 00000000
On 06/12/2002 at 23:09:45 Our special virus software on our servers at salisbury.net
reported that your were sent an Email Virus containing the Unknown Virus in the Unknown File attachment.
The subject of the E-mail was "L Specifies the length". The E-mail containing the virus from kbndl@salisbury.net has been quarantined on our servers to prevent further damage. The virus never made it to your mailbox. (emphasis mine)
Internet Of Salisbury, Inc. provides this service free to our customers while other providers charge
a monthly fee. Though this software should catch up to 99 percent of viruses, a new virus could make it in.
If you are not running Anti-Virus software you should ASAP!
Please Contact N-Techsolutions @ 704-638-2422 or visit their website at:
http://www.n-techsolutions.com Look for the Norton Anti Virus Special! (emphasis mine)
Please do not call Internet Of Salisbury, Inc.
-=-=-=-=-
Not that there was ever any question about sleazy spammers being out there, but this one takes the cake.
Now, if you know much about computing, you may be a little suspicious of this. JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed. A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter, because the programs that display JPEGs don't read them with an eye toward executing the code
.exe files. In Windows 98/2k you can be infected simply by clicking on a file once (because of the little preview window thing). Holes in Word, Outlook, IE, IIS, and even Windows Explorer have made things completely ridiculous.
No, and HTML readers don't download HTML with an expectation to run the code natively, but it can happen thanks to bugs in IE.
Just like Outlook, the program you deride for its ubiquity, a huge, huge number of jpegs are viewed through the Microsoft libraries. If a hole was discovered in that library, it could be used as a vector for viruses.
The truth of the matter is that if you run Windows, there is a real risk of getting a virus from things other than just running
Also, your list of things not to do to catch a virus reminds me of avoiding pregnancy via the 'pull out' method. Sure it might improve your chances, but it won't 'protect' you in any real sense.
I don't think viruses on Linux have any real future, due to the fact that the most obvious holes would get fixed quickly, but if you run windows you really should get some Anti virus software.
autopr0n is like, down and stuff.
It's been more-or-less common knowledge that McAfee has done this since the Michelangelo scare in 1993.
I recommend going to vmyths.com to read their "rantings" section.
Let me predict that about 50% of the replies in this thread will consist of arguments like "Well even if we did get rid of MSFT products we'd still have a virus problem: look at Staog or Bliss or Ramen or the '88 Internet worm."
Those replies are guilty of a flaw called The Excluded Middle where one argues that a situation that in reality has a spectrum of situations only has the 2 extreme cases. In this case the replies will say that even Linux has viruses and worms (true and probably inescapable for a Turing-complete computer) so doing away with the source of 99.44% of viruses and worms won't solve the problem.
Of course this is crap. I'm still getting hits from Code Red I v2 nearly 10 months after it was released. When was the last time you got a sadmind/IIS hit? The problem isn't to eliminate 100% of all worms, chain mails and viruses; the problem is to keep worms, chain mails and viruses from ramping up the exponential part of the logistic curve.
Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
Years ago - early 90s, the AV vendors had cash 'awards' for new virus discoveries.
Therefore, this story is not a big surprise.
a steady stream of new threats. There was another model for anti-virus software. One that didn't have a patch model, but it was ignored because profit driven companies require "revenue streams".
Rather than having a program that removes a virus from your system after you've been infected or which requires an "inoculation" to recognize viruses, the other system looks at program activities.
The actions taken by a virus are painfully obvious when you look at them from a macro point of view (no pun intended). While not a trivial coding task, it's possible to monitor for these types of action and freeze a program that would take them. Moreover, with an ample supply of RAM and CPU, new programs could be tested in a "Safe Zone" the first time they are run, ensuring that problem programs would be caught in the act.
Unfortunately this type of protection doesn't require incremental upgrades from Anti-Virus companies and so we're stuck with something that can make profits rather than something that works proactively. Thus is the basic flaw of capitalism.
I'm lead tech at a small computer store. The massive onslaught of Klez in the wild makes us techs more money per day than a good, strong lightning storm will in a week with modem replacements. People in the general public that aren't in the "know" on computers are deathly afraid of viruses, and generally have no idea how to protect themselves.
Most of the John Q Publics out there buy a cheap computer from *.mart that has MS Windows pre-loaded on it that has virus protection software that will expire in 3 months, or require the end user to manually update the definitions. Most of them have no idea that their protection will run out, or that they need to update their software in order to keep it up to date and protecting them from the latest greatest virus.
So these folks turn to their cousin's brother who knows a bit about computers, and ends up screwing the computer up worse, or finds that they are unable to remove the virus from the computer. That's when they turn to us, and other techs. And they're generally willing to pay good money to get rid of the virus, have up to date protection that actually works installed, and be shown how to keep it up to date for a very long period of time, not to mention given a quick tutorial on what to open in their email and what to delete immediately.
In a perfect world un-educated folk wouldn't be given the option to purchase un-educated software, but until that time comes they need to rely on people that do know something about computers, and on software that can help protect them from their own lack of knowledge.
Duris MUD - The best pkill MUD. Ever.
Things like this are what happen when the news media are owned by giant corporations. They do not care about truly informing the public, they care about selling papers, ads, etc. And what's the best way to do that? Scary headlines.
50% of the news nowadays is reprinted press releases from companies. There should be some kind of accountability, both for the misleading/false statements coming out of these corporations, and for the idiot reporter that took this "news release" off the fax and submitted it for print without any kind of fact checking.
-Just my $.02
Wulfhere
-- Sent from a computer.
I'm just gonna start ranting and hopefully a point will come out of this somehow ;). Anyway, who cares? Seriously... I haven't had a virus since I was 15 or so and know better now. If this "marketing hype" is to just sell virus scanners but scares the public into being more secure then that's fine with me. Potentially means less code red in my logfiles and less klez complaints to deal with. Look, yeah hyping something up that's bad so you can sell a cure sucks and is rather unethical, but the vast majority of computer users have no clue on why they get viruses besides some vague knowledge that it has to do with the internet. So, again... whatever. Calm down. Take some deep breaths. Do some pushups. Go conspire about something that matters. Now some additional things because well goddamn it, this is my post and I'll say what I want and you'll listen. Please spare the +5 funny "what virus? i use linux" and "windows, by definition it is a virus" post. Please Please Please. Please follow the directions I gave above before posting them. As for linux and viruses... soon my pretty... you will have your virus. Yeah yeah, root blah... blah... doesn't mean your home directory can't get wiped and doesn't mean some sad bastards out there don't run linux as root. Anyway I'd like to close this with a little Simpsons quote:
Actually can't remember it, but it had something to do with flu shots and flanders and not believing in them and it was funny. Just trust me it had some relevance to all this.
can't sleep slashdot will eat me
If you have basic email skills, you're safe.
Unfortunately, this is not entirely true. Quite a few of these viruses are happy to infect non-email files once they get on a network via the email vector. We haven't seen many where I work, but we have seen a few that will infect various system files. Then, when a user logs into that system, the virus-infected system will gleefully infect any exes on the network that that user has write access to. Log into a machine like this as a domain administrator, and the chances of it getting to every machine on the network without them opening any email message is quite good.
Some of them will replace .jpg and mp3 files with dummy executables that Explorer will foolishly make look like the original files. So common MP3 shares and such make a pretty good vector for crossing the network, as well.
Ever checked for spyware?
autopr0n is like, down and stuff.
I run Windows (as well as linux) because of software I must use that is only available for windows. I use Outlook because it is the ONLY program available that does everything it does and syncs so nicely with my Palm. I know there are horrendous security holes. And guess what, I have never been sent an email virus. Every time my computer catches viruses it is off of other people's removable media, or, from a malicious web page trying to infect me. No, I'm not going to turn off scripting, or activeX, or anything else because then my web browsing experience is limited.
Anti-virus makers are in the business of letting people use their computers with the freedom and expectations they were designed for. Not just to protect the uninformed. I've noticed the uninformed are the ones who never update their virus profiles, and never let the full scan go through....and then are even more surprised and frustrated when a virus infects their machines.
I'm out of my mind right now, but feel free to leave a message.....
I mean really; so what? A company tries to drum up business. To Ma and Pa MidAmerica viruses are a scary thing.
Windows isn't going away, neither are bored teens and so we can conclude that viruses (virii if you like) aren't either. McAfee and Symantec have the most popular AV systems at the moment and of course they are trying to come up with something interesting to talk about.
We all use *nix, I assume we all avoid Outlook like the plague (that it is) and so why are we "supposed" to get angry about this?
I would assume that the Windows machines we own (for gaming, or to keep our SOs off of our OS X boxes) are locked down tight and more than likely using either NAV or MAV so how pissed can we really get about this?
Be thankful there are viruses to fight. It's probably a big part of your job.
This
BS. Lusers are called lusers for a reason. I'm not talking about every Windows user here, but all it takes is one to be a problem.
With some people, You can tell them to their face "Do not open emails from people you do not know", print it out in 124 point font banners hung over their cubicles, show them pict-o-grams of evil viruses destroying their data, bring Special Guest Star Burt Lancaster to reinforce the point, and drop by daily with the message written in icing on delicious chocolate cake. The minute you turn your back, they're off checking out the cool new Shakira screen saver someone sent them. The point is, it's still a problem, and it's not a problem you can completely solve with "30 minute training courses".
And please don't lay this all on Windows and Outlook either. Yes, there are some questionable design decisions in these programs. But if the whole world was running Linux or something similar, people would be causing problems running everything as root, or whatever other stupid things you can do to get yourself in trouble.
Do McAfee and Symantec sometimes go overboard with their warnings to sell more copies of their software? Of course they do. What company doesn't? Or did you think it was absolutely, positively necessary to see your doctor about Prilosec?
The next question is does such an exploit exist and does it affect enough users that it could gain critical mass? The answer is probably no. Every piece of image software, emailer, browser uses its own implementation of jpeg. This is true even on Windows where there was no way to read a jpeg file via Win32 until recently. Even apps that just use libjpeg will use different versions, might be customized and compiled with different flags. So the landscape is too heterogeneous to favour a virus.
If I had to lay money down, I would say this is McAfee playing up a threat (just like Ashcroft and dirty bombs) for their own interests.
Besides the obvious 'don't run random executables', keep in mind that by default, Windows has 'Hide File Extensions Of Known File Types' enabled. So, Joe End User thinks he's opening BritneySpearsNaked.jpg, when he's really running BritneySpearsNaked.jpg.exe. Never mind the fact that Joe End User doesn't realize that this 'jpg' doesn't have the normal .jpg icon.
I believe this is one of the worst Windows offenses, yet gets zero press.
Plus... rather than delete all attachments in a panic, it's fairly easy to save to disk, then scan with your favorite AV software prior to opening/running/etc.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
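The hidden-extension trick this comment describes, and the server-side dropping of executable attachments suggested earlier in the thread, can both be checked mechanically. The Python below is an added example (not code from the page): it reconstructs what Explorer would display with extensions hidden, flags a runnable extension hiding behind a media one, and compares the claimed type with the file's leading magic bytes. The extension and magic-byte tables and the sample attachments are constructed for the demo and are not exhaustive.

```python
# Added example: classify an e-mail attachment before it ever reaches the
# mail client, from its name and its first bytes.

# Leading bytes a file with this extension must start with (constructed table).
MEDIA_MAGIC = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "mp3":  (b"ID3", b"\xff\xfb"),
}
# Extensions Windows treats as directly runnable (constructed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide file extensions for known file types' on:
    the final extension is dropped, so 'cat.jpg.exe' is displayed as 'cat.jpg'."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def attachment_verdict(filename: str, content: bytes) -> str:
    """Classify an attachment. Returns one of:
      'executable'            final extension is runnable
      'disguised-executable'  runnable extension hidden behind a media one
      'executable-content'    name claims media, bytes are a DOS/PE binary
      'content-mismatch'      name claims media, bytes are something else
      'ok'                    name and content agree
    """
    exts = filename.lower().split(".")[1:]      # every extension after the first dot
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in MEDIA_MAGIC:
            return "disguised-executable"
        return "executable"
    if content[:2] == b"MZ":                    # DOS/PE header, whatever the name says
        return "executable-content"
    if last in MEDIA_MAGIC and not content.startswith(MEDIA_MAGIC[last]):
        return "content-mismatch"
    return "ok"


def filter_attachments(attachments):
    """Gateway policy: keep only attachments whose name and content agree.
    Returns (kept, dropped), each a list of (name, verdict) pairs."""
    kept, dropped = [], []
    for name, content in attachments:
        verdict = attachment_verdict(name, content)
        (kept if verdict == "ok" else dropped).append((name, verdict))
    return kept, dropped


# Constructed sample attachments (byte strings made up for this demo).
SAMPLES = [
    ("cat.jpg",              b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("MY WIFE NUDE.JPG.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("song.mp3",             b"MZ\x90\x00\x03\x00\x00\x00"),
    ("holiday.gif",          b"<html><body>"),
    ("setup.exe",            b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        shown = displayed_name(name)
        print(f"{name:22s} (shown as {shown!r:20s}) -> {attachment_verdict(name, content)}")
```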
What's next? By using your computer while you have a cold you could hose your hard drive? But, for only $9.95 McAfee makes these plastic covers to keep YOU from infecting your computer...
In all seriousness, does anybody dispute that at least some percentage of our remaining "tech" economy is held up by victimizing the ooh-aah/Joe Sixpack crowd into paying $2500 for an $800 box, and other such silly "what the market will bear" injustices?
I predict another shakeout in a few years when the kids who are becoming experts in grade school become the consumers and not their tech-phobic baby boomer parents who think high price == high quality and service. Guess what? The next generation doesn't think that way.
Even my 11 year old cousin knows that inexpensive Dell gear blows, and he figured it out without an indoctrination from me...
Who did what now?
How many of these virii are written by the anti-virus software writers. Doesn't it seem really strange that updates to detect, fix or remove these virii are almost immediately available? It just seems to me that someone can't really analyze what these things do and write a fix that fast. I mean, the software writers have the most to gain.
I'm surprised that McAfee's consultant (they admit that they received the virus from the author; they didn't deny hiring him) didn't create a real JPEG virus. It shouldn't be too difficult; just select an application that is widely-used to view image files, and then look for a buffer-overflow bug that can be exploited with a non-standard file.
Suppose you found a bug in IE that let you execute code packaged in a JPEG. With some clever coding, it would still display normally, but it would alter all other JPEGs on the system. When a web developer gets infected, his web site will spread the virus. It could spread quite widely.
Open-source anti-virus would be very cool, but it's really labor intensive and the signature databases are the vendor's crown jewels.. as it were.
The Virus Bulletin's VB100 test rates AVG fairly low. Do other tests rate it higher?
In fact, if the file name say "MY WIFE NUDE.JPG", I don't recommend opening it. (Well, ok, if it was MY wife, no problem. Quite the cutie. But I know some people's wife who.... *SHUDDER*)
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
...saying a lot of what we all knew. I read the article on CNN about the "JPG virus", and it was obvious that they'd either got it totally wrong, or were trying to hype it.
/. should follow suit and do the same thing. Unless, of course, michael does some actual investigative research and finds out something *new* and *exciting* or *revealing* and then has something to tell us.
One of my favorite quotes was:
Until now, viruses infected program files -- files that can be run on their own. Data files, like movies, music, text and pictures, were safe from infection. While earlier viruses deleted or modified data files, Perrun is the first to infect them.
Uhm... see. I had always thought that Word documents were data files (text). And I remember them being particularly responsible for a whole lot of annoying macro virii.
But on the Katzian subject, at least it was obvious that michael knew more about the subject than the people who wrote (and were interviewed) for the article I quoted. And it was nice to see an article that presented a bigger picture.
However, just because every other news outlet in the world spends all their time trying to expose shocking stories about conspiracy, etc, etc -- all of which could probably be titled something like "capitalists still trying to make money off of consumers" -- doesn't mean that
What's my point? Well - Slashdot already links to other stories from other news sources. We don't need to steal their shitty journalism too. We already have our own style of shitty journalism.
Jake
Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
True, it helps, but dropping Outlook (Express) for any other mail program of your choice will have largely the same effect.
Actually I think they farm this out to their overseas operations in Bulgravia or someplace similar. Keeps it better for the bean counters. Plausible denial, etc.
Although I can see the scandal if it was found that they actually do have virus writers on payroll someplace.
"It is a greater offense to steal men's labor, than their clothes"
Ever hear of calligraphy? It's a process of hiding data in pictures, and lots of it.
Calligraphy? I thought it involved writing fancy-shmancy letters with a special pen or brush.
Do you mean, perhaps, "steganography"?
Programs like Apple's Mail.app or Mozilla's built in browser, or Ximian's Evolution client aren't as badly written from a security viewpoint, so it would never have reached the repeatedly epidemic proportions we have seen in recent years.
(And the same goes for IIS vs Apache, and IE versus Mozilla, and Microsoft Office vs OpenOffice, AbiWord, StarOffice, KOffice, or Corel's Office Suite!)
So I agree, the target would shift, but the results would most certainly not be similar, or even comparable.
Except that Klez will go right by mcafee and AV programs tend to make people let their guard down.
It's funny but where I work the systems with AV installed get infected by klez more often.
...Yes, it's time to take on the anti-virus software vendors.
It looks like your whole point is that anti-virus companies are using media sensationalism to further their agenda (increase profits). I can only guess what your agenda is. Are you trying to foster a 'without us the whole world would be corrupt' image? Or is it a slow news day?
Not to say I don't agree that virus companies are corrupt. There was a case a few years back when a virus author sent one copy to a certain well-known anti-virus company for academic purposes. Soon after it was found in the wild. But this story is a good example of the Slashdot opinionated stories that preach to the choir. I am personally very wary of the motives of anyone that preaches any type of message to the already converted.
_______
2B1ASK1
On reading this article, it occurs to me that I run this utility every week or two (mostly to get a chance to drink my coffee) and it downloads on the order of 200K of data.
Does anyone have any evidence that they might be "padding" the downloads to make sure there is often something to download, or that the download is large, to ensure that people think "Oh, there's a lot of bad stuff out there, I better keep my subscription!"?
Just a paranoid thought.
It's not wasting time, I'm educating myself.
Michael used this article to exploit paranoia of large companies who exploit paranoia. Clever. Would he prefer that McAfee, having found a vulnerability, inform only the manufacturers of JPEG readers of the problem, and not release information to the public (as a certain OS manufacturer suggests of those who find security flaws in its product)? Would he prefer that people ignore security holes that are only "theoretical vulnerabilities"?
Fire Michael. Fire Katz too.
Toronto-area transit rider? Rate your ride.
I have done in-home computer service, often removing viruses from clients' machines.
I explain to them that they could avoid this trouble in the future by purchasing McAfee or Norton Anti-Virus for $40 from the local computer shop or even WalMart if they're desperate ($20 when it's on sale). Anti-Virus software is simple to install -- these people were able to download Kazaa and make it work, they can get their favourite AV software to install.
I'm more often than not called back for another unrelated problem a month or two later, and lo and behold, they didn't buy the anti-virus software.
I have to question why people do this... I really think its about time I buy a supply of boxed AV software so I can resell it on the spot!
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
I wouldn't say it's because no one uses it. By even the most cautious estimates, there are more Linux users than Mac users. Add to that the fact that much of the internet (web/ftp/etc sites) is powered by Linux and you see that Linux is indeed a big target.
But with Linux we will never see the same level of email virus type threats that we see on Windows, because Linux users are encouraged to not run as root (the system administrator). Non-root users can do little more than destroy their own personal files. They will not be able to take down the system or do any real damage to the OS (unless, as I said, they are logged in as root).
With Linux the threat is more in the sense of exploits: either as a worm type virii that exploits some known problem in a large number of Linux systems (eg those Lion variants from several years back) or from some cracker out there who knows the exploits and uses them to gain malicious access to your system.
So, just like Windows, as a Linux user you still have to be careful... keep up on the latest patches for your distro/software you use, and be paranoid... It's just that the threat is different, and in many ways, not as easy to neglect.
I've used Linux as my primary OS for some 6-7 years now. I've never gotten a virii or worm of any sort. I browse the web comfortably, and read mail without worry. However, I have had problems. About a year and a half ago I had someone break into my home system and use it to launch attacks on other systems. This person used some exploit I didn't know about, gave themselves an administrative account, and then proceeded to install and setup various cracking utilities. I'm not really certain what (if anything) they did with my system, because shortly after this happened, I rebuilt my desktop (switched from RedHat to Debian), and it was only when I was restoring my /home directories that I discovered one for a user I never added... But I do know I had been compromised.
So the moral of the story is that you are never completely secure or safe. But with Linux, you do start out more secure than you otherwise would on Windows.
BTW, the way I now handle security is I just have an external firewall and router that protects my private home network. I have an old 486 running Coyote Linux that sits between me and the rest of the internet. It's still not Fort Knox... but it is very very close.
Until a virus comes out that seeks out Linux boxes, uses several well known vulnerabilities to attempt to get root only to then set itself up on that box and seek out other boxes to infect.
What? You think that everyone who runs Linux as a server keeps it fully up to date with all the latest patches?
Face it, if you're connected to the internet -you're stupid to assume you're safe.
So, to correct you: If you don't run Windows you're safer .
Avantslash - View Slashdot cleanly on your mobile phone.
I give it 45 minutes before the storm of emails from family, friends, etc., arrives warning about this one.
All caps, of course.
::sigh::
I won't dance in a club like this...All the girls are slags, and the beer tastes just like piss! -The Specials
Seriously, as cynical as it sounds, this happens every day in security marketing. I've had sales reps look me in the eye and straight-out lie about their products. When caught, they'll back off frantically, or try to talk their way out of it, but never admit that they lied.
The main problem these days is that security software sales are driven not by business decisions, but by fear. Fear of virii, 3v1l h4ck3rz, etc. Once you're buying something out of fear, it's really easy for the sales folks to play off that to make their product sound like it's the ultimate safety blanket.
I hate it. Not just because it's unethical, but also because it makes my job of evaluating products much harder. I can't even trust the feature lists in deciding which products to evaluate, since some of those are full of lies & vaporware. I keep wanting to explain the Tragedy of the Commons to the sales folks that try this c*$p, but they're always too stupid to understand it.
sigh.
Go out and get FRISK Software's F-Prot antivirus instead. It is competently written with timely updates. I have relied on it since before I ever heard of the internet. There are DOS, Windows (network or standalone) and ($free) Linux versions. They do not generate hype or nasty bloated programs. They do generate a good antivirus product.
I do not work for this company. I am just a satisfied customer. You can get free trials on their site. Prices: US$25/yr for single private license, US$2/machine for corporate or educational ($40min) and there are extra educational discounts.
http://www.sophos.com/virusinfo/articles/perrun.html
Picture this: a virus in a JPEG
Sophos advises on threat posed by new .JPG virus, and urges anti-virus companies to exercise restraint
Sophos, a world leader in corporate anti-virus protection, today called for the anti-virus industry to act responsibly in light of the discovery of the first virus capable of infecting JPEG graphic files.
The virus, known as W32/Perrun-A, was sent directly to the anti-virus community by its author and is considered to be a "proof of concept". It spreads in the form of a traditional Win32 executable virus (usually called proof.exe), making changes to the Registry to mean that JPEG (.JPG) graphic files are examined by an extractor (called EXTRK.EXE) before they can be viewed. If the extractor finds viral code inside the graphic file it is executed.
"Some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Not only is this virus not in the wild, but also graphic files infected by this virus are completely and utterly harmless, unless they can find an already infected machine to assist them. It's like a cold only being capable of making people who already have runny noses feel ill."
"The virus relies entirely upon you running an infected EXE file, which is hardly rocket science," said Paul Ducklin, Head of Global Support for Sophos Anti-Virus. "Yet we are already seeing reports suggesting that this virus could spread via websites containing so-called 'infectious' images. This sounds like scare-mongering about image files to me."
Sophos has issued protection against W32/Perrun-A to customers concerned by the media reports and alerts from other anti-virus vendors.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
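The Perrun mechanism in the Sophos text above, a registry change that routes .JPG files through an extractor before the real viewer runs, is something a defender can audit rather than just read about. The script below is an added example, not Sophos's, McAfee's or the thread's code: it parses a constructed .reg export of the HKCR file-association keys and flags a shell open command whose executable is not a known viewer. Modelling the hijack as a rewritten shell\open\command is an assumption; only the EXTRK.EXE name comes from the press release.

```python
"""Audit a Windows .JPG file association for a 'pre-viewer' hijack.

Added example, not code from the thread or from any AV vendor.  It models the
Perrun technique described by Sophos (a registry change so .JPG files pass
through an extractor, EXTRK.EXE, before the viewer) as a rewritten
HKCR\\<progid>\\shell\\open\\command; which keys the real virus touched is an
assumption.  Input is a .reg export, handled here in its text form.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed .reg exports (not real captures).  Real exports are UTF-16;
# decode them first if reading from disk.
HIJACKED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="\"C:\\WINDOWS\\EXTRK.EXE\" \"%1\""
"""

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="\"C:\\WINDOWS\\System32\\mspaint.exe\" \"%1\""
"""

# Executables a .jpg association is allowed to point at (site policy; adjust).
KNOWN_VIEWERS = {"mspaint.exe", "rundll32.exe", "iexplore.exe"}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-cased): {value name: string value}}.

    Only REG_SZ string values are kept; that is all a shell command needs.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            value = m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = _unescape(value[1:-1])
            keys[current][name.lower()] = value
    return keys


def command_executable(command: str) -> str:
    """Extract the program path from a shell open command such as '"C:\\x.exe" "%1"'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def resolve_open_command(reg: Dict[str, Dict[str, str]], ext: str) -> Optional[str]:
    """Follow extension -> ProgID -> shell\\open\\command, as Explorer does."""
    progid = reg.get(f"hkey_classes_root\\{ext.lower()}", {}).get("@")
    if not progid:
        return None
    cmd_key = f"hkey_classes_root\\{progid.lower()}\\shell\\open\\command"
    return reg.get(cmd_key, {}).get("@")


def audit_extension(reg: Dict[str, Dict[str, str]], ext: str,
                    known=KNOWN_VIEWERS) -> Tuple[str, str]:
    """Return ('ok' | 'suspect' | 'unresolved', executable path)."""
    cmd = resolve_open_command(reg, ext)
    if cmd is None:
        return ("unresolved", "")
    exe = command_executable(cmd)
    basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ("ok" if basename in known else "suspect", exe)


if __name__ == "__main__":
    for label, text in (("hijacked", HIJACKED_REG), ("clean", CLEAN_REG)):
        print(label, audit_extension(parse_reg(text), ".jpg"))
```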
Do any of you remember the double free zlib bug?
Very wicked, but you had to a) know the type of system and b) the viewer the person was using. This sort of technique, using data to act as code, is clever and quite real. In fact, there is nothing different between this and those URL hacks for IIS; data appears where it wouldn't normally be expected and it can be leveraged into code space and executed.
However, in the case of JPEG, considering its block oriented format it would be quite difficult to engineer a buffer overflow condition.
Black holes are where the Matrix raised SIGFPE
"The best way to protect yourself from this virus is to defenestrate your computer and install GNU/Linux.
If you can't throw the Windows out of your computer, throw your computer out the window!" - from here.
(This came from an internal MIT mailing list and was forwarded all over academia about a year ago.)
McAfee's claim of a virus spread through JPEGs requires one essential element: you have to have already been infected by ANOTHER virus transmitted by some actual executable code.
That's technically not true. Although I've never seen it done with JPEGs, it's entirely possible that there could be a potential buffer overflow in the image viewer's decoding algorithm. This wouldn't be a JPG virus per se, because it would only be specific to a certain viewer. And the virus would only have the rights that the image viewer had. But it's still possible.
For this to be used effectively it would require that a large number of people use the same image viewer - which is not entirely impossible in today's Microsoft monoculture.
This onion-like story may have been prescient:
Anti-Virus Software Pop-Up Reminders Behave Much Like Virus
Yes, it's possible. In fact, I think there was once talk about a possible MP3 buffer overflow in the ID3 code. It was found and fixed quickly.
Nonetheless, it's impossible for a "universal" JPEG virus to ever exist. It would affect one or two specific viewer programs, at most.
Also, since the JPEG format has a very specific rigidly predefined algorithm, it should be easy to check the code for buffer overflow vulnerabilities.
retrorocket.o not found, launch anyway?
...implementations from Intel, LeadTools and Pegasus. and, i think Adobe has their own implementation, too.
-c
I have discovered a truly remarkable proof which this margin is too small to contain.
"A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter"
;-)
Obviously you haven't read Snow Crash
The image could be infecting you, of course!
(to those who wonder: in Snow Crash there is a virus which is transmitted to the programmer via a visual image that looks like white noise).
Integrate Keynote and LaTeX
Well, let's be fair. Once upon a time, there was no such thing as an email virus, and a great way to have some fun was to email someone with a message saying, "If you're reading this, you've been infected with a virus!" or some such. Then, Microsoft discovered the internet and wrote an email client, and now the old-fashioned method of spreading viruses by infecting a file and uploading it for public consumption is completely defunct. All viruses that make the news are spread by email attachments.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
It's precisely crap like this that resets any trust a user has in a knowledgeable IT person. We desperately try to simplify the concepts enough to be understood, but not so much that it creates a security risk.
The problem is this type of press discredits experts who have been saying JPGs are harmless for years, by suggesting we all have been overlooking this huge hole.
We always knew about this scenario with JPEGs or any other benign file type. The reason we never discussed it is because spreading viruses via JPEGs isn't very effective because you need to infect the computer with ANOTHER virus first!
It's one of those defeats-the-purpose scenarios.
This is also an obvious attempt to hijack credible sources of information, so they can replace it with their "amazing tales that defy conventional wisdom and common sense" source of information.
"Communism is like having one [local] phone company " - Lenny Bruce
I realize the list was abbreviated, but after writing "x on any platform" so many times, you should have included "NetBSD on, literally, any platform."
This sig is xenon coated, and will glow red when in the presence of aliens
McAfee, and Symantec, and Norton, and everyone else involved in the anti-virus FUD business: lay off.
Why would they lay these people off when they are tricking everyday people into thinking there are real threats? That is their *job*, and they're doing pretty well at it if they can convince a lot of people that there really is an insane virus threat.
On a side note, Symantec and Norton are the same company.
On another side note, this article should be modded -1, Troll/Flamebait.
void women (int money, time_t time);
I used AVG for quite a while, but I very VERY rarely get viruses. I thought AVG was great. Then my brother got Nimda, so I recommended he download it and clean his machine. And it didn't work. New infected files kept being detected by AVG until eventually he went and bought Norton which fixed the problem right away. Freeware may be good, but not great.
Netscape 4 on linux had an exploitable hole in their JPEG decoder. That is, a specially crafted JPEG could be used to execute arbitrary code on the target's machine. Could that code then "infect" other JPEGs? Sure. Would it actually spread? No, but if there were a similar bug in the default windows JPEG viewer, it wouldn't be surprising at all to see a similar worm spread.
http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt
(I recall that this bug was successfully exploited; that advisory seems more tentative..)
I'm really kind of surprised by the comments in this thread. It's almost like nobody remembers the fairly recent JPEG comment heap overflow problem in Netscape. I can't find the Slashdot comment right off-hand, but do a netsearch for more information. This issue is not that far-fetched, folks.
http://online.securityfocus.com/bid/1503
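Two points in this thread meet in one piece of code: that the JPEG format is rigidly segment-based, so a decoder's handling of it can be checked, and that the Netscape comment-marker overflow came from trusting what a segment said about itself. The block below is an added example, not code from the thread, from Netscape or from any JPEG library: a marker walker that refuses a declared segment length below 2 or one that runs past the end of the file, so a decoder behind it never sees either. The sample byte strings are constructed inline.

```python
"""Defensive JPEG segment walker.

Added example, not code from the thread or from any JPEG library.  It walks
the marker segments of a JPEG and refuses to trust a declared segment length:
the length field counts its own two bytes, so a value of 0 or 1 underflows a
naive 'length - 2' payload size, and a length past end of file means a read
beyond the buffer.  Both are rejected here.  Sample bytes are constructed.
"""
import struct
from typing import List, Tuple

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


class MalformedJpeg(ValueError):
    pass


def _skip_entropy(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data to the next real marker.

    Inside scan data 0xFF is followed by 0x00 (byte stuffing) or by an RSTn;
    any other following byte means a real marker starts here.
    """
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    raise MalformedJpeg("entropy-coded data runs off the end of the file")


def walk_segments(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (marker, offset of its 0xFF, payload length) for every segment.

    Raises MalformedJpeg instead of handing a bad length to a caller.
    """
    if data[:2] != b"\xff\xd8":
        raise MalformedJpeg("file does not start with SOI")
    segs = [(SOI, 0, 0)]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise MalformedJpeg(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise MalformedJpeg("file ends inside a marker")
        marker, start = data[pos], pos - 1
        pos += 1
        if marker in STANDALONE:
            segs.append((marker, start, 0))
            if marker == EOI:
                return segs
            continue
        if pos + 2 > len(data):
            raise MalformedJpeg(f"marker {marker:02X} has no length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise MalformedJpeg(f"marker {marker:02X} declares length {length}, below the 2-byte minimum")
        if pos + length > len(data):
            raise MalformedJpeg(f"marker {marker:02X} length {length} runs past end of file")
        segs.append((marker, start, length - 2))
        pos += length
        if marker == SOS:
            pos = _skip_entropy(data, pos)
    raise MalformedJpeg("no EOI marker")


def comments(data: bytes) -> List[str]:
    """Decode every COM segment, one place free-form bytes ride along in a JPEG."""
    return [data[off + 4:off + 4 + plen].decode("latin-1")
            for marker, off, plen in walk_segments(data) if marker == COM]


def validate(data: bytes) -> Tuple[bool, str]:
    """(True, 'ok') for well-framed input, else (False, reason)."""
    try:
        walk_segments(data)
        return (True, "ok")
    except MalformedJpeg as exc:
        return (False, str(exc))


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed: SOI, a comment, a minimal SOS header, a few scan bytes with an
# 0xFF00 stuffing pair, then EOI.  Valid framing, not a decodable image.
SAMPLE_OK = (b"\xff\xd8" + _seg(COM, b"hello")
             + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34" + b"\xff\xd9")
# Constructed: COM marker whose length field says 1 (the underflow case).
SAMPLE_SHORT_LEN = b"\xff\xd8\xff\xfe\x00\x01\xff\xd9"
# Constructed: COM marker claiming 64 bytes in a file that has 2 left.
SAMPLE_TRUNCATED = b"\xff\xd8\xff\xfe\x00\x40hi"

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_SHORT_LEN", "SAMPLE_TRUNCATED"):
        print(name, validate(globals()[name]))
```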
A virus could alter Microsoft Word so that opening any Word document at all would erase every file on your hard drive, making every single Word document in existence a deadly threat -- to you, and to you alone.
:/
This is an excellent example of why you shouldn't do actual work and day to day tasks while logged in with the super user/administrator account. If you're not using an OS that allows user specific file access, change to NT (or its derivative MS Windows X Professional series), or Linux.
When you need super user access to install new software globally, or to change system settings, quickly log in, do your work, log out. This way any potentially dangerous software you execute can only access the files that you have read/write/change/delete access to. This is EXACTLY why I maintain a few different logins with my Linux box. Depending on what I'm doing on the system, I log in as a different user, who can only access the specific files associated with the task at hand. (examples; Browsing, Authoring, Coding, and Work)
This is one of those classic lessons you either learn when you first start using computers, or it seems ridiculous.. right up until one of your pals decides it'd be real funny to hop in front of your machine and do an rm -rf (Comp Sci majors are funny when they're drunk and bored.. no.. REALLY!)
-GiH
No thanks, I don't smoke.
They covered the fact that Microsoft was the most vulnerable to email viruses earlier. The little comment just makes michael look like a small small man.
Brant
Argle. Bargle.
If "Show Preview Pane" is checked (don't know if it's the default), an Outlook virus can run.
With W32.Klez.E@mm, the message itself, and not the attachment, causes the infection. With all this focus on "don't open the attachment!", some people will forget the better "don't even read it!".
Many people have long theorized that a number of the virii out there are actually invented in the AV companies' labs. They all employ "virus experts", who in the process of virus defense research can and do write real viruses themselves. It's in the companies' and employees' best interests to anonymously infect the world with their research creations in order to further the business model.
I know for a fact that many viruses indeed come from the wild, from little cracker-wannabes. But consider that probably 80%+ of "new" viruses are obviously script-kiddie chop-up jobs of other peoples' virus code found on the net, and begin to see a pattern of a very small handful of very talented programmers who actually innovate the new viruses that end up plaguing us. What percentage of those talented programmers with intimate knowledge of and obsession about virii work at AV companies in the research lab?
Inquiring minds want to know...
11*43+456^2
the signature virus?
You know the one, it's a signature that says: "Hi, I'm a signature virus. Copy me into your .sig file" or something.
Seriously though, I always get pissed when I open an avi, asf or quicktime movie with a URL embedded in it, so you are sent to some website after viewing your favorite pr0n/movie/music video. This could also run commands on your local machine.
Ok, you should get a "do you want to execute this command" warning, but chances are it's possible to exploit this.
So jpeg no, but I wouldn't be surprised by an avi/mov virus.
Be wary of any facts that confirm your opinion.
Appreciate the reference... I have a new copy of McAfee AV 6.0 at home, but, well, it sucks. It locked up both my computer and my wife's computer repeatedly. She finally removed it. I finally blew away Windows and installed Linux.
What's particularly interesting, however, is for anyone who remembers the origin of McAfee -- they started out as a shareware/freeware shop. Corporations "had" to pay, individuals were "encouraged" to pay, and educational (and possibly non-profit) were totally free to use it at no cost.
They've long since abandoned that license and even abandoned free updates. You have to pay for support every 12 months, which I dislike. Particularly since at irregular intervals they change their core engine and render all older versions of the software incompatible with new updates.
Seriously, I can only recall seeing two or three viruses in the wild in the 15 or so years that I've been using computers seriously. One of them was in high school, in a public computer lab, another was in college, in a machine that had dozens of students using it.
... if you take a few easy precautions, it's pretty safe.
Antivirus companies thrive on hysteria. Computing is just like sex
Of course, these days "easy precautions" include not running any Microsoft applications, but you shouldn't be having unprotected sex in bathhouses, either. High-risk behavior.
This morning I heard the host of the morning show talking about the McAfee story. My first thought was, "Damn, did something happen overnight? This didn't look like a big enough deal last night to make the regular news." Then he went into a pitch for a local computer consulting company, explaining how they could help keep you up to date with virus protection.
Magazines and TV have to clearly label advertisements as such. Are there no such laws for radio?
Nope, no sig
Experts have been telling people that it's safe to view attachments like JPGs and GIFs. A press release like this aims to discredit experts who have desperately tried to explain some basic precautions, so users can try new things without fearing they'll delete everything or activate a virus.
This sort of nasty press gets picked up for the sole purpose of changing people's behavior and discrediting any other credible source of information that isn't the mainstream media.
"Communism is like having one [local] phone company " - Lenny Bruce
Loading a virus scanner on an already infected machine is likely to fail. I've found however, with a little help, AVG will clean Klez. First, boot in safe mode and delete the wink-something.exe file. Then reboot and install AVG. Then update (I have it downloaded already and just use the download file to do the update). Then scan. Seems to clean rather well. To test, I then added the harddrive as a slave to a clean machine with Norton already installed. Scanned with Norton and it came back clean.
I didn't try this with Nimda, but I suspect the process is the same. If you don't clean out the running virus executable BEFORE attempting to load and clean, you won't clean.
With some virii (Klez) actively attacking Norton, and McAfee being trouble (I've lost count of how many boot up problems I've traced directly to McAfee, and then this JPG nonsense), maybe there is room for a smaller player. Certainly the price of AVG, free for home use, will offer many people better protection than nothing, which is what they would otherwise have (too cheap to buy Norton or something else).
I beg to differ.
That picture of Cowboy Neal and the penguin hat is perfectly safe for your computer system.
Your eyes, however, may not survive a prolonged viewing.
How can you expect them to fund their research efforts without some sort of recurring income? If they are public, they are also doing the 12 month license thing so they can give some sort of future projections so their stock price doesn't ride a roller coaster. I agree that releasing FUD press releases is sleazy, but the recurring license thing lets them employ good people in stable jobs. Unfortunately, life in commercial software is not as simple as it is for open source software. Sure, you can get paid writing OS software, but some people don't like the idea of living with 5 other roommates and eating cold pizza for breakfast every day. If they are actively updating their virus definitions, then the cost should be worth it.
Now if MSFT made a virus cleaner, you would probably have to wait 3 months for a patch. From what I've seen, the AV companies tend to come out with fixes fairly quickly. Having people available to do that type of work on short notice takes some money.
... and at one time there was.
... corporate rights to lie are not (unless more than an average number of justices have been smoking crack of late).
... i.e. the only way there will ever be a remote chance for the free market to work as intended (and as it is advocated to supposedly work).
It was called "truth in advertising," which has gone completely by the wayside. Corporate speech is not the same as individual speech, and is NOT entitled to the same constitutional protections.
Individuals' rights to lie may be constitutionally protected
I am not normally one to advocate new legislation, but in this particular case it is sorely needed.
We need firm, explicit, unequivocal laws requiring truth in advertising and marketing (and yes, that includes press releases), with real punishments, involving real sums of money (and/or real jail time) for those who violate the law. It is the only way corporate entities like McAfee will ever be forced to modify that sort of behavior, and the only way consumers will ever have even a remote chance of making an informed purchase.
The Future of Human Evolution: Autonomy
I used to do that - it's not a big deal. Abstract the user data away from the system data and use a ghost multicasting to reinstall the standard OS image. You might lose about an hour or two of your time to manually reimage 100 machines, most of which is spent rebooting. Automatic re-images on Sunday evening would save even that time. :)
I know, but it's fun to be a smartass once in a while.
I got a response later that day: No, even a file that ends in .jpg could contain a virus. Don't open any attachments.
I was amazed that somebody would actually make such a statement, and was going to make a reply but I realized I probably wouldn't be able to convince him if he was just making blanket statements without any reasoning to back it up. Now, after doing a search for the original article, I see that my letter was posted to the site. Maybe it did some good. Or maybe they just pointed and laughed at me. Whatever, I refuse to care if the staff of Wired doesn't like me.
Give people simple advice if that's all they want, but don't make sweeping generalizations (such as ""). The people who took the article seriously are going to be laughed at if they make those statements in the company of knowledgable IT people.
I really hate signatures, but go to my website.
Back a decade or so, there was a similar "scare" involving the possibility of putting executable code in the generally-unused comment field of GIF files.
While it was demonstrated to be doable, it never occurred in the wild.
The hitch being that GIFs aren't self-executing files. To be executed, the virus code would need to be extracted and run by whatever program is viewing the GIF. Relying on the chance of some 3rd party app doing just what you need it to do is a lousy way to propagate viruses. So while it was an interesting concept, it never went anywhere because it simply wasn't practical.
~REZ~ #43301. Who'd fake being me anyway?
Someone posted a link on IRC to a JPEG image min_tjej.jpg, that's my_girlfriend.jpg for those who aren't familiar with Swedish.
It contained the following code, which was instantly executed by IE 6.
var pik;
var temp;
function test(temp) {
pik = temp * 100
setTimeout("window.location.href='telnet://www.gay.com:80'",pik);
}
for (i=0;i<1000;i++) test(i); // the end of this line was lost in extraction; the call to test(i) is reconstructed from context
1000, how thoughtful to not make an endless loop.
A link to the code, edited to only run once.
http://peterj.freeshell.org/code.jpg
I don't know the reason for a web browser to execute code in a file that ends with JPG. Maybe it's a way for IE to work even if a user has put the wrong file ending.
Still I think IE is the best web-browser and i would use it on all platforms if it was available.
W3C's web-browser Amaya
will not execute code in JPEGs, but then http://www.w3.org/ is one of the few pages that will display correctly in that browser.
I would be much more surprised to hear about a buffer overflow in libjpeg than I would in a hand coded jpeg routine from w00tb0y embedded in some random RPM somewhere.
WinXP is not comparable because it's closed source.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Did anyone think that perhaps the viruses they think can be transmitted by jpg's are the en from Snow Crash?
:)
Makes ya think.
Travis
Be sure to look out for the new halitosis worm!
In case you don't get the allusion, Listerine invented a disease called halitosis and claimed that Listerine cured it--very much like what today's anti-virus industry is doing.
Now, they use it as a scientific-sounding term for bad breath
any sort.
However, if you know of bugs in the jpeg decoder (and on Windows it should be built-in to the system, so you only have to find a bug in a single decoder), then you could craft a jpeg such that the decoder chokes on it, overruns some buffer, and get it execute code that way (same method as with any other buffer overflow really). I'm sure Michael meant well, but they say that jpegs are by definition safe is just too naive.
"Researching" is a joke. It's merely a tech support thing of "Hey, you found a new virus. Neat...give it to us and we'll put it in the definition file." Nevermind CLEANING the virus; the only solution for every virus problem nowadays is deleting the file. Virus cleaning used to be sort of an artform, but now they are too lazy for their own high-paying jobs.
Zodiac Survey
Your assertion is effectively nullified by the fact that much smaller niche operating systems have had their share of viruses. If a system is fundamentally insecure, SOMEONE will start writing virii for it.
It doesn't really matter how widespread the platform is.
A Pirate and a Puritan look the same on a balance sheet.
Alright, everyone might be just slinging it at the commercial AV developers... - but WHO NEEDS THEM?
There used to be a cooperative movement for AV software called Safe Hex International, and they were responsible for collecting examples of viri from volunteers; methods for identifying them were also developed by volunteers. AFAIK, Amiga AV S/W was relying on the efforts of that particular group of people. However, it seems to have dissolved since 1998.
However, right now there is another thing called Virus Help Denmark (http://home4.inet.tele.dk/vht-dk/) - I am not sure if there is another cooperative effort such as this. - oh, well...
I miss my rubber keyboard.(Homepage)
>>3) Throw your computer out the window!
;-)
Alternatively, let a moving truck do it for you.
A while back, I read this story (don't remember where -- I think it may have been 'Computer Stupidities' on rinkworks.com or some such place) about a fellow who wanted to network his PC with that of a friend who lived in an apartment directly across the street from his window.
They ran a regular 10Base-T crossover cable from one computer, out the window and across the street, straight into the friend's window and then into their computer. I guess they thought they were high enough up, floor-wise, that vehicle traffic in the street below would not be a problem.
They were soon proved very wrong. The setup worked just fine until, one day, this guy's computer literally flew straight out the window in mid-type (his friend's computer was saved when the network cable snapped). It seems that a good-sized truck, with a nice tall exhaust stack, had passed by and snagged the network cable as neatly as any fighter jet's arresting hook would snag the braking cable on an aircraft carrier.
Is that taking 'mobile computing' just a bit far, or what?
Bruce Lane, KC7GR,
Blue Feather Technologies
Disinfection is accomplished by sending ninja technical support people to the homes of all the recipients and deleting the offending messages before the recipient gets infected.
I'd be curious to see the programmatic solution, though.
P.S. So what if it's off topic!
--- Jason Olshefsky
Karma: Poser (mostly affected by adding this line long after everyone else did)
Most AV software already has a scan option called a "heuristic scan" - a scan that checks executable code on your computer for programs that look like they might be viruses, since virii usually do well-defined actions related to infecting and causing damage. I know Norton Anti-Virus does; they call it "Bloodhound". I'd be very surprised if McAfee doesn't, since Dr. Solomon's did, and they own that now.
As for running programs in a "safe area," that sounds like something that the operating system should be doing, not some anti-virus pack. A capabilities system in essence does that - it sets what actions a user/program can take. So a user can be created with very basic permissions such as "access the screen" (i.e., connect to the X server/call API functions in the GDI), but not more complicated things like "access the file system."
Of course, as far as I know, capabilities are not widespread yet, although I believe there is work to try and implement them in the upcoming Linux 2.6/3.0 using the new pluggable security model.
So basically, the features you ask for either already exist and are turned on by default, or aren't part of what an AV program should be doing and are part of the operating system's tasks.
You are in a maze of twisty little relative jumps, all alike.
Nigerian email scams,
the dying boy who wants to make a chain letter,
Bill Gates' request for your help with his new email software,
the little girl who has been missing for "weeks now",
the party where you wake up in the bathtub with no kidneys,
That game kids are playing with the flaming thing in car windows,
and all the fake virus warnings as well. (would they have to include this most recent warning?)
I bet this could be a pretty hot product, too - the app would scan for hoaxes, and offer to send a polite message informing the sender that it is a hoax (and plugging the filtering software as well). I wouldn't buy it because I use Google to search for key phrases I find in suspect messages (and then I email a link of google results back to the sender), but a lot of people I know could use it. Sourceforge anyone? (I'm not much of a programmer but if anybody else wants to work on it I'll help where I can)
I really hate signatures, but go to my website.
Funny thing about that, Linux and other Unix OSes actually had the biggest GIF/JPEG vulnerability to date. It was in all Netscape versions prior to 4.77, and it allowed JavaScript to be embedded in comments of GIF89a/JPEG and executed.
GIF/JPEG comment vulnerability in Netscape
Good thing this wasn't widely deployed around the world, or bought by millions during Christmas time. Having a small marketshare does offer a lot of "protection". Most virii writers are going for a large impact.
-Malakai
A Dragon Lives in my Garage
Unless you'd love to be DDoS port-scanned 100 times a second by a million Micro$oft IIS boxes infected with Code Red, be quiet and let the AV vendors do what they want. If all AV vendors go bust, then a worm that propagates via CVS app buffer overruns gets released, what will you do then?
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
You need to read the comp.basilisk FAQ.
Apparently their "advanced streaming format" can carry the codec, which gets auto-installed into Media Player with little or no user intervention. Not sure if there's a major security hole lurking there, but it seems rather dangerous.
PJRC: Electronic Projects, 8051 Microcontroller Tools
That's a lot of i's for the end of a word that looks a lot like cactus or octopus or rebus or syllabus in its singular form. Oddly enough, like those others, the plural of virus doesn't have all those i's at the end. It's just plain "viruses", man.
I could see where it might be "viri", maybe; cacti and octopi both set that precedent. But not "virii". That's just nasty. Can you imagine someone using "rebii" or "cactii"? Or maybe even "trojii" and "worii", while we're adding i's to everything that can infect your PC.
Anyway, I don't mean to harp on you, necessarily. It's just that "virii" is the literary equivalent of fingernails on a blackboard. I'm not the only one with this hangup either, although I have mixed feelings about being in the same boat as Tom Christiansen on any issue...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Reading email recently I had a good laugh. There was a .sig at the bottom that said
"Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com)."
But there wasn't a message digest, a pgp signature, or anything. What's to stop me from taking that signature and appending it to my email, especially just before I send out an infected file? Or if I were a virus writer, having my virus include this in some of its email payloads?
AVG's message is training people to trust a message (and all attachments) based on a simple text sig. What could be more easily faked?
Seems like a backwards step in security, to me.
there are other places to put stuff in a JPEG file besides the image. there are the 15 (count ?) JPG_APPx markers where EXIF and IPTC data, among others, live, and then there's the JPEG_COM marker, too. you can store up to 64K in each of these and they have no effect on the image. if a buffer overrun exploit was found in code that uses these, there's a lot of potential for harm. but, it's still not a "virus".
-c
I have discovered a truly remarkable proof which this margin is too small to contain.
Paying money is no guarantee that software will work as expected.
Sorry, but I'm tired of hearing this piece of crap "solution".
Anyone who works in an outward-facing business capacity (read: not most IT people, but most everyone else at the company) generally receives email from people they don't know, and they don't have the luxury of simply trashing it. If you work in customer service, marketing, accounting, sales, you have to check out these emails and see if they are for real. Fine, not the ones that are obviously spam, but the spammers are getting smarter and disguising their spam as legitimate email. Just because the address is unfamiliar doesn't mean that it can be trashed.
Any IT person who thinks they can issue the "Don't open emails from people you don't know" edict and then just crawl back into their cubicle with a smug little CYA attitude is living in a fantasy world. Stop making such an unrealistic demand of your "lusers" (who, BTW generate the business needed to pay your paycheck, process the invoices needed to get you your latest gadgets and do all those things you hate so that you can stay happily employed.)
Instead, treat them with either a) respect or b) a grade school mentality. In either case, please assume that they are really not sitting at their cubicles trying to think up the best way to make your life hell. Assume that they just want to do their job, and the computer is one of the tools they need to do it. Just as most of them don't know how to program their speed dial or change the copier's toner, they don't know or care about the inner workings of the computer. That's YOUR job. Make it foolproof if needed. Explain as necessary. Give them a reason to trust that you are not simply trying to make THEIR job more difficult. That distrust works both ways; if a "luser" thinks you are just making unrealistic demands that make them unable to do their job, they're going to ignore you and do what they need to do to get their job done, and you're left with cleanup duty when something goes wrong.
And above all, work with them. Understand what their needs are (do they receive unsolicited business mail? does it have attachments that they have to read? so what are they supposed to do?) and then help them understand the consequences that viruses can have and minimize their risk of catching and spreading one. Yeah, sure, that means actually pulling yourself away from Slashdot and Doom tournaments for a while, but that's the way it goes when the company pays you money to do your job.
A new virus has been released which is spreading through a network of cats. When your cat goes out hunting it is likely to be infected. The virus rewrites part of the cat's brain to add a 'trigger' which will force the cat, when it spots a computer, to attempt to delete information from the computer. Within seconds most of the text on the screen will be deleted, and if the cat is not removed it may eventually erase all data from your hard drive, network drive, and any other drive currently accessible. It is also possible for the keyboard to become damaged beyond repair.
Weenie gets notified by Firewall. Weenie starts sending snotty threatening emails to me. I explain very calmly and correctly what had happened, what the output of his Firewall actually meant and how it was all a mistake and even if it wasn't there was nothing at all to be concerned about.
Weenie continues slinging accusations around and threatening all sorts. I lose my rag and tell him to (in a slightly less polite way) sod the hell off unless he had some real evidence (as it was, his 'evidence' would mean that not only had our systems been owned or that I was trying to crack his computer, but so were a number of the University's email systems, and if so the whole uni admin staff would be quite anxious to know about it, thank you very much, yer useless, jumped-up f***wit...etc). Weenie finally shuts up.
We don't need this hassle for sure and if he'd known *anything* about networking or if his firewall hadn't been so bloody minded and overzealous it wouldn't have happened. The thing is, especially with dialup, you get loads of connections flying around that are pure mistakes (using the IP of someone that's logged off and someone else has dialled in and got it, an ip quad with one digit out, spelling mistake etc), harmless probes or plain malicious but won't harm your machine (eg Code Red if you don't run IIS). You'll probably get far more attempted connections at a firewall than you can possibly deal with and it's only really worth going for the really persistent ones. Thing is if it's showing up on your firewall then you're generally not being hurt by it.
The connections that really hurt are the ones that aren't in your firewall logs.
Frink
"Don't get mad, get a monkey!"
There was another one called Gatekeeper that was a bit more advanced. It had a set of actions, and you'd tell it what could or could not be done, and from which programs. An impressive piece of software.
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
Now, I won't disagree that it is possible, but then this wouldn't really be a virus, would it? From my understanding, if you imagine each data block as looking like this:
...
10 01 01 01 01 44 44 44 44 88 88 88 88 CC CC CC CC 00
Where that first byte is the length (hex 10, or 16 bytes) and then there are 16 bytes following it, followed by '00' to signal the next header is coming up. The specially-constructed one might look like
10 01 01 01 01 44 44 44 44 88 88 88 88 CC CC CC CC 15 24 5A C8
And those last four bytes overrun the buffer, and are executed as code. Yes I know it's extremely simplified, but this (AFAIK) is the basic premise of the buffer overflow. A proper JPG viewer should crap out at this point, but the MS product starts executing it as code. It sounds more like there is a vulnerability in the MS (surprise surprise) fax and image viewer, and a specially formed JPEG file could exploit that vulnerability. That's a problem with the viewer, not the input file.
Calling the vulnerability-exploiting JPEG a virus will lead to some interesting conclusions. What if, for example, a similar vulnerability existed in a Linux viewer application? I might make my specially-constructed jpeg (named hole.jpg) but leave off the executable code. Then, I'd make a simple program in C (called yes_oncrack) that fills /dev/hda with the character 'y'. Last but not least, I'd pipe the output of `cat hole.jpg yes_oncrack` to the viewing program.
If the jpeg is the virus in your example, then what is the virus in my example: hole.jpg, yes_oncrack, cat, "|", or stdin?
I'm not trying to be a jerk about it because I see where you're coming from, but calling the jpeg a virus is inaccurate since it is merely the exploit for a vulnerability.
I really hate signatures, but go to my website.
I'm not an expert on exactly how and when a file's MIME information gets parsed, but I know enough that I don't totally discount the possibility of a trojan or virus masquerading as a JPG.
For instance, if I take an animated GIF, rename it to image.jpg, and link it on my website, the server (or browser) is still smart enough to know it's really a GIF and display it as intended.
I've seen people use similar tactics on free web hosts which don't allow external image linking. They link the file as "image.txt" (the web hosts do allow external linking of text files), but it shows up as an image just fine.
If tactics like this could be used maliciously, I don't think it'd be a trivial task -- after all, if I click on link.jpg and the browser tells me it wants to fire off an .exe, I'll know something is amiss. And I DO think the major AV vendors are some of the worst FUD mongers out there. But I also think it pays to be cautious, and not shrug off the possibility of a threat entirely just because it is couched in a lot of overblown hype.
Now you can catch *real* viruses from looking at internet pr0n!
No shit!
This happened 4 years ago to me. However, it all happened on a W95 box. McAfee fscked up my box so badly W95 wouldn't boot, unless in safe mode. Uninstalled McAfee while in safe mode, then went out, bought NAV, and never looked back.
The punchline to this story is that I kept my copy of McAfee Anti Virus until the next Spring Internet World. I brought the boxed software to the Network Associates booth, where I ceremoniously and with much indignation presented it to one of the NA people. I got emails for months after that from the McAfee division of NA making me offers to switch me back to their product from Norton. Bwahahaha!
I'm seriously looking at Kaspersky because Norton 2002 only gives you three months of free updates instead of a whole year like earlier versions. Lousy bastards.
Oh yeah: best anti-virus move of all? Get your email only on your Linux or MacOS box. Don't even touch email on a Windozer. Works for me.
Knowledge is power. Knowledge shared is power multiplied.
"They only affect Microsoft Windows. If you aren't running Windows, you are safe. "
This speaks for itself....
"That's Tron. He fights for the Users."
If you truly think that a global switch from Microsoft OS'es to Linux would prevent viruses, you've isolated yourself from the common user.
Linux viruses would be prevalent because of 1) a multitude of Linux boxes, 2) uneducated users, 3) weak or broken security systems (if I log in as root, everything still works), and 4) a lack of updates. In my experience, people open up all attachments, will always try to run with the highest security privilege they can get, will try to use servers as workstations, and will never do updates.
Just my $.02
Surely it is sensible to be defending against potential threats before you are actually exposed to them? In other words, if a threat actually exists in the wild, it will be too late for a lot of people to download the right updates. Especially with this "Warhol Worm" idea going around.
If there was a security hole in a server and the vendor said "this hasn't been exploited in the wild", surely that would be a sign of the vendor's incompetence?
My favorite bit:
The virus still needs modifications to become dangerous, because it arrives as a program file that can be attached to an e-mail. Security experts always warn against opening programs sent as e-mail attachments.
So... explain something to me McAfee... how will they make it so that the JPEG itself can become more dangerous? I'm sorry, but there is no possible way a JPEG can be dangerous unless there is some other program executing code from it. If that were the case, then the other program is the virus, not the JPEG... sheesh.
IBM used to sell the excellent IBM Antivirus program. They also had a webpage that explained viruses. But IBM was too honest for their own good. Their website had articles about how you can't catch a virus from a jpeg, tips on how to avoid viruses, and a diatribe from Gibson on how virus writers weren't evil geniuses but malcontent dumbnuts.
All in all, the IBM website was very informative, very honest, and killed their antivirus business. Oh well. I guess McAfee, Norton and all the rest think dentists are stupid for telling their customers to brush their teeth.
A Government Is a Body of People, Usually Notably Ungoverned
With some people, You can tell them to their face "Do not open emails from people you do not know", print it out in 124 point font banners hung over their cubicles...
The problem with that advice is, e-mail viruses come from (the computers of) PEOPLE YOU KNOW. The virus found your e-mail in the address book of the last computer it took over. It will apparently come from the owner of that computer. Probably they aren't a complete stranger. So if someone is following your advice, he'll think that Shakira screen saver from his buddy Joe Luser is just fine.
What you have to do is find out whether your buddy Joe KNOWS he sent you a Shakira screen saver, before you touch that attachment. Or have the brains to figure out that Joe is more likely to send you a virus than anything worth downloading... Or have enough system knowledge to tell executables from non-executables, enough sense to thoroughly check the bona fides of any executables, and (if in Windows) enough paranoia to make damned sure the non-executables are really non-executable in spite of M$'s efforts to hide such details, and to open the semi-executables like Word or HTML in a mode that won't allow their scripts to run.
It's not all Windows and Outlook, in fact it is mostly stupid users, but M$ has made the stupid user problem worse by hiding file types by default, creating more than a dozen different executable file types, and allowing scripts to run in all sorts of places where simple text was all that anyone really needed. True, put the same lusers on Linux boxes and they'll have remote login to root enabled with their cat's name "Fluffy" as the password. But their e-mail tool won't be running script viruses before they've even opened the message because Linux e-mail tools don't do HTML, let alone allow scripts embedded in it to run wild.
Followup: Check here for an old-fashioned email virus hoax. Even more here. The attitudes of the posters are telling...they bluntly dismiss the idea that an email could ever spread a virus in the same way that one would dismiss any well-known urban legend.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Here's what I see, based on reading our support email.
First, there are plenty of real viruses out there. The big companies are stupid to try to spread FUD...the real viruses are scary enough already.
Second, there are a lot of people out there who really do just use their computer as an appliance, for email and web and games and music. They aren't technical at all, at least when it comes to computers. They can get through an install wizard, but after that, they pretty much run with default settings.
Third, the ability to write simple English sentences with anything approximating correct spelling and grammar is a dying art.
Fourth, the one word that comes to mind to describe many of the people who ask for help is "innocent" (in the sense of childlike or pure, not in the sense of there wasn't enough evidence to convict them :-)). It pisses me off to see so many innocent people getting hurt by Microsoft's stupidity. If life was an MMORPG, Microsoft would be deep in a dungeon somewhere.
Spreading FUD without regard to reality is easy with M$ products.
...
I wonder what kind of a sweetheart Linus had to work out with the Anti Virus guys to make M$'s shit sound so fuckin' insecure.
I think that Tom Ridge's new department will definitely be using Linux now. (Remember, statistically speaking, he's no brighter than the average PC owner.)
Would YOU trust the fate of the country and its citizens to a sieve? (Might as well build a center for disease control next to a rat infested landfill. You'll certainly have a lot of diseases. Not sure about control though.)
I can sleep easier at night thinking that
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Perhaps somebody has discovered some kind of buffer overruns in some popular library functions used to process the JPEG data.
That has urban legend written all over it.
And that's really it. If you don't run Windows, you're safe. If you have basic email skills, you're safe. If you don't run Outlook, you're safe. That's the story of modern viruses, and fortunately or un-, it's a pretty boring one.
I do not run outlook, I run mozilla's client. I do not open garbage attachments. I do run windows though.
The guy next to me at work runs outlook and likes opening attachments "MY WIFE NUDE.JPG.exe" everyday.
Both of us have a share on one of the fileservers mounted; this share has a bunch of executable files (like winzip, acrobat reader install, etc. for times when you do a bi-monthly windows reinstall).
Now, if a virus can propagate both through email and conventional means (infecting executables), which probably exists now, or at least is very trivial to make, then I am toast despite all my good email practices and not using Outlook.
Doh:(
Jobs? Which jobs?
This article really shows the importance the Open Source Community should have in the AV field. Information, Systems and Networks Security should be a field spearheaded by entities which are essentially free from any direct interest in any profit making.
It should be a consortium of geeks from varied industries who get together and build firewall and anti-virus software for every known platform out there. A significant focus of such entity should be on novice users.
In the end, we all get affected by viruses and worms (peek at my journal for tips on coping with nimda), it's guna be up to us to effectively edjookate and protect ppl.
or something.
Extraordinary Vacations. Exceptional Prices
I submitted something along these lines over a year ago:
2001-04-25 22:54:29 Anti-virus software anti-motivated? (askslashdot,money) (rejected)
I guess if a Slashdot author writes it then it's OK.
AVG is ICSA Certified. Period.
I used to work for the International Computer Security Association, now TruSecure. Go to the Labs, Anti-Virus links to find certified products. They do AV Software testing. I've seen how the testing labs are run and read the certification requirements (very stringent). If a product earns an ICSA certification, it's as good as the rest of the certified products. Everything else between certified brands of AV products is just user oriented bells and whistles.
I buy the cheapest ICSA certified AV product I can find because I know it's as protective as the more expensive ones.
Instead, you went for the "everyone on /. always posts exactly the same thing all the time" ploy.
And now I'm going for the "criticizing people who point out that everyone on /. say the exact same thing all the time".
Indeed, it is like clockwork.
The enemies of Democracy are
...calligraphy? (sic) Its a process of hiding data into pictures, and lots of it.
You'll be really pissed off when the unassuming 500k browser-cached picture off the Internet quietly hides a MEGA virus that will toast your entire machine, innocently awakened by a harmless worm you mistakenly opened up elsewhere.
As I read the McAfee press release, it didn't give the virus a severity, just an "FYI" stuff like this will be happening down the road (which it will). I guarantee we will see a virus like this eventually, given the massive amount of images on the web.
No, steganography could not be used to transmit a virus. Viruses can't be secret. A program designed to view the "correct" data must be unaware of the steganography or it has failed.
Let's say I have an old-fashioned bitmap image and I use the least significant bit of every byte to encode one bit of code or text. My bitmap viewer will display an image that looks almost exactly like the image prior to steganography. Then I widely distribute my bitmap, but only people who know where to look (every 8th bit) will be able to extract the hidden message. When certain people read the file using their Secret Decoder Programs they'll know what the message was.
Steganography is a sophisticated form of security by obscurity for data, not a method for transmitting mobile code.
It doesn't make sense to distribute a virus in two parts. A virus doesn't need to be 30K to be really malicious or destructive. And you'd still have to get the decoder in somehow and have the steganographic data already downloaded. A steganographic encoder or decoder for lossy formats like JPEG or MP3 is rather large by itself. The initial virus would have to include a decoder for the steganographic data, which would probably exceed the size of the code it could hide. It just isn't very feasible.
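The LSB scheme this post describes (one bit of text or code in the least significant bit of every byte of a bitmap, recoverable only by a reader that knows where to look), as an added Python example that is not from the thread. The grayscale carrier and the message are constructed here, and the 2-byte length prefix is this example's own convention, not part of the post.

```python
"""Least-significant-bit steganography in a raw 8-bit grayscale bitmap.

Constructed for this discussion; not code from the thread.  One message bit goes
into the LSB of each pixel byte, so a viewer shows an image that differs from the
original by at most one grey level per pixel, and only a reader that knows the
scheme (and runs a decoder) gets the message back.
"""


def make_carrier(width=64, height=64, seed=12345):
    """Constructed carrier: deterministic pseudo-random 8-bit pixels (LCG, not crypto)."""
    pixels = bytearray()
    state = seed
    for _ in range(width * height):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        pixels.append((state >> 16) & 0xFF)
    return bytes(pixels)


def capacity_bytes(carrier):
    """Message bytes a carrier can hold: one bit per pixel, minus the 2-byte length prefix."""
    return len(carrier) // 8 - 2


def embed_lsb(carrier, message):
    """Return a copy of carrier whose pixel LSBs spell out len(message) || message."""
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small: %d pixels needed" % (len(payload) * 8))
    stego = bytearray(carrier)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1   # MSB first within each byte
        stego[i] = (stego[i] & 0xFE) | bit             # clear the LSB, then set it
    return bytes(stego)


def _read_bytes(stego, first_pixel, count):
    """Rebuild count bytes from the LSBs of the pixels starting at first_pixel."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_pixel + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego):
    """The 'Secret Decoder Program': read the length prefix, then that many bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 2), "big")
    if length > capacity_bytes(stego):
        raise ValueError("length prefix exceeds carrier capacity; no valid message")
    return _read_bytes(stego, 16, length)


def max_pixel_delta(original, stego):
    """Largest per-pixel change introduced by embedding (at most 1 for LSB encoding)."""
    return max(abs(a - b) for a, b in zip(original, stego))


CARRIER = make_carrier()
MESSAGE = b"the viewer never sees this; only the decoder does"

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, MESSAGE)
    print(capacity_bytes(CARRIER), max_pixel_delta(CARRIER, stego), extract_lsb(stego))
```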
Now what makes you think all those programmers working for IBM, Yahoo, etc and working on OS projects are so poorly paid that they can't afford their own apartments? You're kinda weird. Especially for knocking cold pizza for breakfast.
That being said, AV software is *exactly* the sort of thing that OS is not good for, because AV software is not really a product, it's a service. Services need to get paid for.
Expanding a vast wasteland since 1996.
I think I read somewhere that most of the new virus defs are submitted by the "whitehat" virus writers (you know, the ones that write them for educational purposes and the virus is usually one step away from being actually functional). In addition, I'd be shocked & amazed if the AV ppl didn't have some programmers writing new virii. As a preemptive measure (but good for FUD, too).
jred
I'm not a mechanic but I play one in my garage...
Think about it. McAfee and Symantec LIVE on FUD. While I believe they do offer a useful product, they profit greatly on inflating the danger level and inflaming the imagination. Marketing 101, not Email 101, teaches that principle. Create a Need, Sell a Product.
Even more importantly, I believe their FUDmongering (maybe I should patent that word...) only creates a "market" for all the virus-writers. If viruses didn't get the hype and attention, there would be far fewer scriptkiddies out there hacking away.
--Brandon / Split Infinity Music
If you are using Windows or Outlook
... then stop using Outlook. No, I'm not kidding. Outlook uses the same HTML rendering code that Internet Explorer does, doesn't it? That makes it vulnerable to many of the frequently discovered, slowly patched security holes that IE has run across over the last few years.
People need to be taught not to run untrusted executable files, true... but what good does that do when they can be vulnerable to a system compromise by just looking at the preview pane of an infected email?
Yeah, I'm running AVG also. I'm much happier with it since the latest update though. The previous version I tried seemed a little "rough around the edges" with the way it popped into a DOS screen to perform some of the scanning and then brought you back into a Windows GUI at every boot-up.
A program with an unchecked buffer can be exploited by maliciously crafted data. Yes, this is true. But this is a problem with the program, not the data format. The program is not supposed to interpret the data as code, but because of a bug in the program, it did. So while this exploit of a program bug may result in becoming infected with a virus, I would not call it a virus itself, from the standpoint that this is something you fix not with anti-virus software, but by patching the buggy program. But regardless, this is a tangential issue to the article.
This release is claiming that jpegs themselves are dangerous. Without mentioning a single program containing a vulnerability that might be exploitable by an "infected" image file. Saying a jpeg can infect you with a virus is as idiotic as saying that reading email can infect you with a virus -- until such time as some idiot decides jpegs/emails should be able to contain code.
When it is discovered that IE has a buffer overflow exploitable by a malformed URL, does the press release say "Internet URLs contain viruses; AV vendors promise updates soon" No, it says "IE Vulnerability discovered, MS promises update soon".
This is nothing more than the Good Times hoax, propagated by a supposedly (and formerly, as far as I'm concerned) respectable software vendor.
McAfee Manufactures Virus Threat
And that's really it. If you don't run Windows, you're safe
You people really DON'T review these submissions anymore, do you? This article claims that these companies are purposely manufacturing fear. That there is no legitimate threat out there. This guy is an uninformed idiot. How soon the first cross-platform virus is forgotten. Or maybe you don't know how many machines I get to fix are infected with Klez.
"Potentially no file type could be safe" -Is there anything NOT true in this statement? Given the tenacity of some of the crap out there, it's not only true, but the fear IS FULLY JUSTIFIED.
"That evolution should make computer users think twice about sending pictures or any other media over the Internet, Gullotto said." -This is not sensasionalism!!! It's the damn truth! Ask any Admin whether they want you playing around with attatchments on an unsecure system!
"They're usually transmitted by email. If you know enough on your own, or you've had a half-hour class in "Email 101", you should be able to avoid executing random files received by email." -How many people are AOL users? That alone should tell you there are people who simply DON'T know anything about email, hacking or viruses. The Novices and viruses exist and THAT is why companies like McAfee exist. If everybody was a pro like this person thinks everybody should be, they would have gone bankrupt years ago. It's like that guy down the hall who is the resident SQL Server pro and therefore expects everybody to have his level of knowledge.
In the end, this guy is right, it is fear driving the market. But it's legitimate; for that one day one of your users will somehow (and it always happens) circumvent your safeties and download a virus. It's a need driving the market, not unfounded fear, you dumbass.
You need a FREE iPod Nano
You've not found a flaw in capitalism, my friend. You've found a business opportunity.
I had something similar show up at home a few days ago. IIRC, Klez grabs the subject line for its mail from a random (?) message in your inbox, so it must've gotten lucky to go out identifying itself as something that'd remove itself. (I think my copy called itself a Nimda removal tool.)
(Of course, I run qmail and mutt instead of Exchange and Lookout, so Klez has been little more than an inbox-filling annoyance for me.)
20 January 2017: the End of an Error.
Actually, there was an interesting thread on one of the SecurityFocus mailing lists a few days ago (forget exactly which list). The thread was about 'spoofing' PGP/GPG signatures on messages.
Basically, the core of the argument was that most people don't bother to verify the signature, either because they don't have PGP/GPG, or because 'it looks authentic'. Essentially, it's quite easy to social engineer ANY message so that it looks 'authentic' (whether you're faking PGP signatures, or a virus-scan message, etc).
This is all just a (potential) advanced form of social engineering.
- Jester
On the Mac a decade or so ago there was an anti-virus application, don't remember its name. It vetted each application that ran against a set of actions that it was allowed to do. Who chose which program had what rights? Why the user did.
If you made a dangerous choice, it would warn you, but it would also allow you to proceed anyway. Worked pretty well, and took up a lot less of the CPU cycles than a scan everything before you open it virus checker does now.
So resedit, e.g., was allowed to change anything, but I had it set to read only, and only the user was allowed to alter that setting.
I think the guy may have a valid point. This process was later replaced by inoculations, which were a bit faster, and still pretty secure. (inoculations: Checksum the application at a time when it is known to be good. Checksum the application again whenever you run the program.)
Now, a lot of this used the Mac's resource fork, so it would need to be adapted for use on a file system that didn't have one. But that doesn't seem to me to be a difficult thing to emulate.
I think we've pushed this "anyone can grow up to be president" thing too far.
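The inoculation scheme described in the post above (hash a program while it is known to be clean, hash it again before every run, refuse on mismatch), as an added example that is not the poster's tool or any product's code. The file names and contents in `demo()` are constructed; it works on ordinary files rather than a resource fork.

```python
"""Inoculation-style integrity check for executables (added example)."""
import hashlib
import hmac
import os
import tempfile


def digest_file(path: str) -> str:
    """SHA-256 of a file, streamed so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inoculate(paths) -> dict:
    """Record baseline digests at a time the programs are known to be good.
    Only the user (not any program) should be allowed to refresh this table."""
    return {os.path.abspath(p): digest_file(p) for p in paths}


def check_before_run(baseline: dict, path: str) -> str:
    """Verdict for a program about to be launched:
    'ok'       digest matches the inoculated baseline
    'modified' digest differs (e.g. a virus appended itself) -> do not run
    'missing'  inoculated file no longer exists
    'unknown'  never inoculated -> treat like any new, untrusted binary"""
    key = os.path.abspath(path)
    if key not in baseline:
        return "unknown"
    if not os.path.exists(path):
        return "missing"
    # compare_digest avoids leaking the position of the first differing byte
    if hmac.compare_digest(digest_file(path), baseline[key]):
        return "ok"
    return "modified"


def demo():
    """Constructed scenario: inoculate a clean program, then infect it."""
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "editor.exe")
        stray = os.path.join(d, "screensaver.scr")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)      # stand-in for a clean program
        baseline = inoculate([app])
        before = check_before_run(baseline, app)
        with open(app, "ab") as f:
            f.write(b"APPENDED-PAYLOAD")        # stand-in for an appending infector
        after = check_before_run(baseline, app)
        with open(stray, "wb") as f:
            f.write(b"MZ")                     # a binary nobody inoculated
        unknown = check_before_run(baseline, stray)
        return before, after, unknown


if __name__ == "__main__":
    print(demo())
```

A legitimate update changes the digest too, so the table must be re-inoculated by the user after each update; a checker that re-inoculates automatically would also bless an infection.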
It's been said before, but if you look at Exchange and Outlook as just being an email server and client, you're missing the point. Of course, most people who run Exchange and Outlook never use the other stuff, but that's not the fault of the programs.
The .H variant of Klez doesn't use other subjects...it has a list of subject structures, some of which are indeed designed to trick the user into thinking it is a protection/removal tool.
What I think is great is the sender address spoofing...I've got a journalist friend who, by nature of his work, has his email address plastered on a lot of his articles. He gets 15-20 automated messages a day, telling him that he sent a Klez-infected message. The downsides of (not very big) fame, I suppose...
"That's Tron. He fights for the Users."
Yes, the L stands for Language, a markup language, not a programming language. English is a language too, but that doesn't mean it will run on a computer
Even with ECMA script, a web site should never be able to execute native code on the system, but sometimes they can due to software bugs.
It's true that JPEGs don't contain any code to execute, but if there were a bug in a jpeg rendering library, then it might be possible to create a virus using this bug.
autopr0n is like, down and stuff.
You know, not all viruses will damage your system, some are just intent on spreading, and stay hidden from the user.
And I disagree that it's like using a condom. A condom is a physical thing that actively prevents anything from going through. Actually, antivirus software is more like spermicide. Anyway
"pull out before cumming" or "only do it after your wife was on the rag" are general practices you can follow for not getting a woman pregnant, just like Michael's general practices for avoiding a virus. It might lower the risk, but it won't actually stop a virus that works around those
There could be viruses for Linux out there, someone could find a hole in Eudora; a virus could come with 'regular' software (look at the vs.net article above), etc. None of those things would help you if you came across such a virus.
autopr0n is like, down and stuff.
Memory fades over time. So I might have this wrong - feel free to correct me if so. But as I remember it...
McAfee is one of those success stories that would have been unlikely without the Internet. They offered their AV product for a free download. However, if you wished to get updates, you had to subscribe. The Internet allowed widespread downloads (and easy updates). And McAfee managed to add a new twist to the "razor and blades" model to make anti-virus more a service than product.
At least, that's what got them going. They grew. They were bought out. They changed.
Of course, this means that all your desktop icons will have .lnk extensions, but so what?
Tech Public Policy stuff
Here's a better solution: Only open attachments that you are EXPECTING. If Accounting from the San Diego office sends you an earnings report every week, fine. But if someone sends you a screensaver from out of the blue saying "I expect you would like it," then guess what...it's a fucking virus!
But if you are a copywriter and someone sends you an email out of the blue with a Word attachment saying "Please send back comments by the end of the day."? You may work with a few different client companies' marketing/PR firms and don't recognize the name. You can't tell if it's legit or not. You're not EXPECTING it but heck, you get 5-10 attachments per day that you don't expect and have to deal with as part of your job. If you had to call and leave a voice mail to check the validity (because no one ever answers the phone) of each attachment you'd never get your job done. And what if it's a virus that fakes the sender and it IS from someone you know? It's virus time, and please don't try to blame the user (or anyone except for the virus writer) in this situation.
2 ounces of common sense, and, yes, as you mentioned, good, updated virus protection will solve a lot of the virus problems. But not all.
My point is only that it's impossible to make hard and fast "Don't open" rules when it comes to random emails and attachments. And it bugs the heck out of me when those types of rock solid edicts come out of the IT department with a "and if you open them even after we told you not to, it's all your fault, don't come crying to us!" closing. It just burns my butt and smacks of a cover-your-ass mentality. Life goes on- business goes on- and things happen. Minimize the problems by working with the users and realizing what they have to do LEGITIMATELY with unsolicited emails and attachments to get their job done.
And string the rest of the dopey users who can't resist the screensaver, joke and bowling elves emails up on a wall as an example to all...
According to the McAfee entry, you need not only the payload in the jpeg file (that sounds reasonable) but an extractor to be on the computer already (also reasonable). But it's also ridiculous design. All the payloads in the world will be useless without the extractor, and that's the 'real' virus here - as long as you protect / remove the extractor, the payloaded jpegs will lie there just being slightly stranger jpegs. Nobody's said so far if the jpegs are simply inserted, meshed, or even one-bit stego'd with the payload - that would render a slightly - maybe imperceptibly - altered jpeg - the entry says the jpegs they saw were 11K bloated with the payload. I remember basically not being able to discern a pretty substantial stash of data in PICT files with the old Stego program on the Mac.
I still have a question with them seeming to have a harem of virus authors who send them stuff - hoping this is a collection of trusted white hats. But if you wanted to employ a stable of kiddies who can think up some pretty far-fetched schemes like this one to keep you rolling in definition updates, it would look a lot like this.
Sure, jpegs are all over the place in the web, but that's negated by the sheer number of different images - the reliability of getting a particular jpeg to deliver your particular payload is astronomical, and without doing the math, the delivery method can seem very close to moot. IMHO this is a real stretch in terms of eventual effectiveness as a virus. But it's late on a Friday - braver souls might do the math and correct all these conjectures.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
BMP format is so simple that you wouldn't normally look for a vulnerability there. But there's a BMP subformat which contains run-length-encoded 8-bit color mapped images. The decoder is in the NT kernel (dumb), and can be induced to do a kernel level buffer overflow.
I reported this years ago; I don't know if it's still in NT 4 or later Microsoft operating systems.
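A bounds-checked RLE8 decoder of the kind the post above says the kernel lacked, as an added example (not the NT code, and not from the poster). It implements the standard BMP RLE8 escapes (end of line, end of bitmap, delta, absolute mode); the two sample streams are constructed, and the hostile one simply declares a run longer than the row, which is exactly what an unchecked decoder would write past the pixel buffer.

```python
"""Bounds-checked BMP RLE8 decoder (added example)."""


def decode_rle8(data: bytes, width: int, height: int) -> bytearray:
    """Decode an RLE8 pixel stream into width*height palette indices.
    Every write goes through put(), so a run count, absolute-mode length
    or delta that points past the row or the image raises ValueError
    instead of writing outside the buffer."""
    if width <= 0 or height <= 0 or width * height > (1 << 28):
        raise ValueError("unreasonable image dimensions")
    out = bytearray(width * height)
    x = y = i = 0
    n = len(data)

    def put(pixels: bytes) -> None:
        nonlocal x
        if y >= height or x + len(pixels) > width:
            raise ValueError(f"run of {len(pixels)} overflows row at ({x},{y})")
        start = y * width + x
        out[start:start + len(pixels)] = pixels
        x += len(pixels)

    while True:
        if i + 2 > n:
            raise ValueError("truncated stream (no end-of-bitmap marker)")
        count, val = data[i], data[i + 1]
        i += 2
        if count > 0:                       # encoded mode: count copies of val
            put(bytes([val]) * count)
        elif val == 0:                      # escape 0: end of line
            x, y = 0, y + 1
        elif val == 1:                      # escape 1: end of bitmap
            return out
        elif val == 2:                      # escape 2: delta (dx, dy)
            if i + 2 > n:
                raise ValueError("truncated delta")
            dx, dy = data[i], data[i + 1]
            i += 2
            if x + dx > width or y + dy >= height:
                raise ValueError("delta moves cursor outside the image")
            x, y = x + dx, y + dy
        else:                               # escape n>=3: n literal pixels
            if i + val > n:
                raise ValueError("truncated absolute run")
            put(data[i:i + val])
            i += val + (val & 1)            # absolute runs are padded to 16 bits


def is_rejected(data: bytes, width: int, height: int) -> bool:
    """True if the decoder refuses the stream rather than decoding it."""
    try:
        decode_rle8(data, width, height)
        return False
    except ValueError:
        return True


# Constructed 4x2 image: row 0 = 3 x 0xAA then 1 x 0xBB; row 1 = four
# literal pixels in absolute mode; then end-of-bitmap.
GOOD_STREAM = bytes([0x03, 0xAA, 0x01, 0xBB, 0x00, 0x00,
                     0x00, 0x04, 0x11, 0x22, 0x33, 0x44, 0x00, 0x01])
# Constructed hostile stream: a 255-pixel run on a 4-pixel-wide row.
BAD_STREAM = bytes([0xFF, 0xAA, 0x00, 0x01])
```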
IMHO, it offers an AFAIK new method of supplying instructions to a trojan/backdoor like program, and using the viral aspect of infecting other (generally unsuspected and un-inspected) images, as a worm-like method of distributing your instructions. All it needs is the trojan (here called "the extractor"), which would do nothing more than executing the code that some image provides.
Looking at it that way, then yes, the extractor is the weak point, the point to intercept and disable this thing. But we all know that there will always be machines that can be infected. And the infected machines then offer a general entry point for different sets of malicious instructions. It may be different code for each infected image you receive, it only needs one well crafted 'extractor'.
I do realise that this is not a very efficient way of doing evil things. There is no guarantee if or when your commands will be executed. There is still the task of getting your infected image file to enough systems that you can be reasonably sure that some of them will have been infected with the extractor. But... for some evil things there is no need for immediate results, for some things this method might not be very efficient, but only just efficient enough.
Is it revolutionary? No, I think not. There is still the extractor executable to intercept, which would be just another entry to the virus signature database. But the virus/trojan/worm combination possibility is at least interesting. Discuss.
karma capped
It's simpler than that, don't use Outlook. Try Balsa, Pine, Mutt, Mozilla or exim. They all do the job.
I resent your presumption and the way you blame the user. At work I've had several Outlook viruses autoexecute with NO ACTION ON MY PART. Would you call me a stupid user? In fact, you should never call any user stupid because their software screwed them. It's the program's fault that it can be broken, not the user's. The programmer should consider all possible user actions and have well defined error code responses to them, especially when they are going to sell the silly code as a non modifiable binary.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
So what's your point?
You need a FREE iPod Nano
I've never heard of a virus company, much less had one do anything nice for me. Come to think of it, I've never had any commercial software company do anything for me.
You do understand the nature of AV makers and the futility of bothering them. Telling Norton, McGaffe, and who ever to behave is about as good as telling M$ to stop making buggy code.
Your appreciation of makers of obsolete garbage, however, is mystifying. No one needs windows, so no one needs anti virus software. I don't need Windows, nor does my wife. If we can get along without it, anyone can. Advertising dollars spent promoting Windoze and the AV it requires are pure waste, the last thrashing of a dinosaur that's evolved in all the wrong ways.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
What do you mean "Darn... and I just updated my anti-virus software"?? You should be doing it every day -- sometimes twice a day. At work we're hooked into F-secure's auto-update with a server/client system running. At home, my PC automatically checks for updates every time I dial into my ISP. Updating is a constant process, not one you only bother about when someone issues a press release.
And this is the precise problem I have with AV companies. They're reactive.
Every day a new virus will come out and slip through the AV nets until a new definition is released. It should be the case that the virus software could recognise a virus before it's known.
In the olden days a lot of heuristic engines were developed to do this; but they tended to be poor because they couldn't deal with highly polymorphic assembly language very well.
Whilst I accept that recognising a code is equivalent to the halting problem it should be reasonably trivial to recognise one of these modern day 'mail viruses'. After all it should be just a case of looking for applications which contain their own SMTP server.
Perhaps you could cobble together a quick n dirty (tm;) AV program just by adding some rules to one of the freeware firewall applications which are common under windows. Remove the GUI and just recognise a virus as something which does nslookups + port 25 connections ...
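The rule the post above sketches (flag a process that does name lookups and then opens outbound port 25 connections, unless it is a known mail client), run over a constructed log, as an added example that is not any firewall's rule syntax. The log format, process names, addresses and the whitelist are all assumptions.

```python
"""Self-mailer heuristic over per-process connection events (added example)."""
import re
from collections import defaultdict

# Constructed sample of events a host firewall might log:
# "<pid> <image> <proto> <destination> <port>"
SAMPLE_EVENTS = """\
412 outlook.exe tcp 10.0.0.5 25
412 outlook.exe udp 10.0.0.2 53
777 picture.jpg.pif udp 10.0.0.2 53
777 picture.jpg.pif tcp 203.0.113.10 25
777 picture.jpg.pif tcp 198.51.100.7 25
901 iexplore.exe udp 10.0.0.2 53
901 iexplore.exe tcp 93.184.216.34 80
"""

# Assumed whitelist of programs expected to speak SMTP themselves.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "mutt"}

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\S+)\s+(\d+)$")


def parse_events(text: str):
    """Yield (pid, image, proto, dst, port) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield int(m[1]), m[2], m[3], m[4], int(m[5])


def find_self_mailers(text: str, min_smtp_peers: int = 1) -> list:
    """Return (pid, image) for processes that resolved names (UDP/53) and
    connected out to at least min_smtp_peers distinct hosts on TCP/25,
    excluding whitelisted mail clients."""
    did_dns = set()
    smtp_peers = defaultdict(set)
    for pid, image, proto, dst, port in parse_events(text):
        key = (pid, image)
        if proto == "udp" and port == 53:
            did_dns.add(key)
        elif proto == "tcp" and port == 25:
            smtp_peers[key].add(dst)
    return sorted(
        key for key, peers in smtp_peers.items()
        if key in did_dns
        and len(peers) >= min_smtp_peers
        and key[1].lower() not in KNOWN_MAIL_CLIENTS
    )


if __name__ == "__main__":
    print(find_self_mailers(SAMPLE_EVENTS))
```

Whitelisting by image name is the weak spot: a worm can call its file outlook.exe, so a real deployment would key the whitelist on a verified hash or path rather than the name alone.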
This is NOT a hoax, or FUD. There IS FUD in the A/V industry, but this isn't it. The press release does a bad job of explaining why the JPEG virus is a big deal. However it DOES say (clearly) that this virus is not a danger in itself - it's a proof of concept. Without going into more detail than would be prudent, *please* believe me when I say that there are significant reasons (a) why this PoC virus is significant, and (b) why virus writers will be exploiting concepts from this virus to make Very Bad Malware. Hey , why should it bother me, I run Linux! Well *i* run Linux too, in fact I develop my code on Linux; it will affect us when the world's NSP backbones are choked with worm scans, ARP requests and buffer-overflowing HTTP requests. This IS going to happen. And, whatever Sophos would like you to believe, this is NOT a case of NAI/McAfee whipping up a hype over nothing. I can't say anything more, but I'm going to take the chance of losing my job by not posting anonymously in order to emphasise how much I mean this.
It's sooooooo frustrating knowing things about this and not being able to talk about it...
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Who give these events the most credibility... They're the ones who run every attachment in e-mail, and don't even know how to enable the "show known extensions" feature in their folder properties, and often run attachments with hidden shortcut properties (such as picture.jpg.pif, et al, which executes the viral code)... The antivirus folks are capitalizing on this, of course...
Frankly, it's getting to the point where requiring people to take a one year course and get a license to operate a computer seems all the more feasible and even necessary...
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
As we know Unix based systems are basically virus resistant.
As it is this leaves Windows and Palm OS. Take the precaution of turning off the IR on your Palm and you're reasonably safe. Leaving Windows on desktop, PDA and server the only virus security risk.
Microsoft will eventually have to address the problem rather than ignore it...
Probably with some silly half considered system.
But viruses aren't the unstoppable all powerful programs pretended to be in TV shows and movies. Even a sloppy effort is good enough.
Chances are Microsoft already has this system laid out. They aren't in any hurry as it's not a big concern right now.
But they know it could be.
Big anti-virus companies however don't have it so easy. If Unix systems dominate the market or if Microsoft kills the viruses on the Windows family they are out of business.
I don't actually exist.
...and much more effective than any certification.
Got time? Spend some of it coding or testing
I run Linux. I forwarded a copy of a virus message to a (Linux) mailing list one day - the text was amusing - and forgot to strip off the infected attachments. Needless to say, the fact that the message `originated' from a non-virus-running Linux box didn't help the 4 or 5 Windows users who didn't have up-to-date virus scanners running at the time.
Got time? Spend some of it coding or testing
LindowsOS runs as root and is now being sold with some WalMart computers. Oops.
Got time? Spend some of it coding or testing
It's been said before, but if you look at Exchange and Outlook as just being an email server and client, you're missing the point. Of course, most people who run Exchange and Outlook never use the other stuff, but that's not the fault of the programs.
If all you need are an email server and client, then that's sort of the point.
And if all you need are an email server and a client, then you're better off getting tools that do one job and do it well.
Luckily I haven't been exposed to Bloats apart from horror stories.
As a techdesk monkey at like local college, I can say that Klez is a bitch to get rid of.
Actually, www.sarc.com provides a free klez removal tool, which will fix all executables, etc. which were infected by klez.