Slashdot Mirror


Klez: a closer look

sheriff_p writes "Anyone receiving even a small amount of email is likely to have encountered Klez variants of some form in the last few months - Message Labs shows it as being the biggest email-transmitted virus of all time by some way. So just how boring is it? Virus Bulletin has an in-depth look at what makes Klez tick." And today alone, Klez virus e-mails were 90% of my e-mail by bytecount. YAY Outlook!

11 of 196 comments

  1. Nice article by stevenbee · Score: 5, Insightful
    I appreciate the fact that they acknowledge the role played by social engineering as a vector.
    As I have tried to explain to my more gullible user-friends, a little crankiness goes a long way
    towards virus protection!

    : )

    --
    Don't read this!
  2. More to do with admin set up. by CountBrass · Score: 5, Insightful

    We use Outlook and Exchange Server where I work. Never, ever, seen a virus in the two and a half years I've worked here. Why? Because the admins know what they're doing and catch all the viruses before they ever get anywhere near us delicate users. I'm not an especial fan of MS (I'm a bastion of Java in a sea of MS where I work) but all the sniping at Outlook is just bs. People target Outlook and other MS products because it's popular. I mean, why bother writing a virus that targets some system only a couple of geeks ever run? The key factor is competent admins, properly configuring and defending the systems they're responsible for.

    --
    Bad analogies are like waxing a monkey with a rainbow.
    1. Re:More to do with admin set up. by Sloppy · Score: 5, Insightful
      People target outlook and other MS products because it's popular.

      Outlook is targeted because it's the only email client that anyone has ever heard of (probably the only email client in the history of the world) that executed a script mailed to it, without user interaction. (Yes, that has been fixed, but it's still in people's heads.) It's also the only email client I've seen (though probably not the only one in history) that will allow a user to execute an attached script just by clicking on it. Traditionally, email clients aren't desktop shells; they might go to the trouble to display static attachments such as pictures, but executing scripts is way over the line. Traditionally, if you want to execute an attachment, you have to save it and execute it separately. A sane and responsible software designer would never entertain such an idea for more than a few seconds. Microsoft did.

      Outlook's reputation is deserved. You're lucky your mail is so well filtered by good Admins, because as an Outlook user, you would be in unusual danger without those Admins.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  3. Re:Stupid Address Books by Vanders · Score: 5, Insightful

    Well, yes they could do that. I'm sure everyone will feel safe for a couple of months, until the encryption is broken, or a loophole is discovered. Then it will be back to square one.

    It would appear that a more long-term solution would be to remove scripting! I have yet to see a use of scripting within an email that could not be done if Microsoft removed scripting from Outlook. The only thing anyone ever uses is the ability to add buttons to the top of the email. You do not need a Turing-complete scripting language that can open sockets and read the address book to do that.

    Then again, baubles and shiny things make managers with budgets happy, I guess.

  4. Hemos, CmdrTaco by Lxy · Score: 5, Insightful

    Silly question:

    Whenever Hemos or CmdrTaco posts about a Windows virus, they always end with "yadda yadda 90% of my e-mail yadda...". How is it that you can run the #1 geek news site and still have e-mail viruses infiltrating your inbox? Is it that much trouble to install MIMEDefang? If you'd like, I'll offer up my services as a consultant to install virus scanning software on your e-mail server, since you two obviously can't figure it out, but I hope that isn't necessary.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  5. Some geeks actually have jobs... by cnelzie · Score: 2, Insightful

    ...that require semi-regular contact with many people. Personally, I am the IT Manager and Corporate Buyer for the company that I work for.

    Small company, so I wear a few hats. Anyway, I have a fairly decent sized Address book that contains virtually all of the vendors that I have to deal with, business contacts at both client sites as well as my geek contacts that let me bounce ideas off of them.

    Sure, if you are a "house-geek" or a college geek, you probably only have a small number of people to E-mail. (Mostly your 3733t friends and such.) However, once you hit the "real" world you find that your boundless memory actually has a few boundaries.

    -.-

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  6. Re:Stupid Address Books by Anonymous Coward · Score: 1, Insightful

    If Microsoft would just do good encrypting on the address book, and update it every once in a while for new encryption, stuff like this wouldn't happen because the virii wouldn't be able to get the addresses of every person using Outlook. At the least, this would slow a virus down.

    Ummm... If anyone updated Outlook and IE within the last year or so this thing wouldn't spread at all. One of the primary vulnerabilities exploited was patched in March of last year, and Outlook itself filters out the worm if it's been updated to sp2 for Outlook2k or the default install for OutlookXP.

  7. The Difference In Receipt Rates Is In the User by RhettLivingston · Score: 3, Insightful

    My wife and I both use Outlook for all of our email. Neither of us has ever been infected by the virus because we've kept up with updates to Outlook that block you from opening programs (and we know better).

    She receives several copies a day of the Klez virus. I've never received it despite having about the same overall email traffic.

    I think that the difference lies in who we know. I'm a Computer Engineer and she's a counselor. Thus, the average individual with my email address is a lot more computer savvy than those with her email address.

  8. Re:Stupid Address Books by Vanders · Score: 3, Insightful

    Nearly. It doesn't go far enough, IMHO. Active Scripting is still there, but Microsoft have increased the security restrictions, and done some of the more obvious stuff (like adding warning dialog boxes under certain circumstances, stripping obviously infected attachments etc.)

    Scripting is still there, however. How much do you trust that there is not Yet Another Security Loophole in there somewhere?

    The fact remains that if there is no scripting at all in Outlook, it will make it impossible for worms to spread themselves via Outlook.

  9. Re:What would it take by SpelledBackwards · Score: 2, Insightful

    These are nicknamed "White Worms" (like white magic, which is a helpful form of magic), but the problem is that they're still viruses/worms that exploit security holes and waste companies' bandwidth (remember how Nimda and CodeRed really put a strain on lots of servers?) If you wrote one of these and spread it, companies would still try and sue you, and law enforcement agencies would still prosecute you.

  10. Re:Question by Your_Mom · Score: 3, Insightful
    Granted it is Microsoft's fault this stupid stupid exploit happened in the first place, but it's also interesting to note that the fix for 80% of these problems has been available for over a year virtually unnoticed.
    Oh, it has been noticed. But unfortunately, it breaks more than it fixes; 'normal' (as in /real/ normal, not this "open up the word document in the e-mail thing") attachment use is broken beyond belief. Attachments get randomly locked, certain file associations get wiped out across the system. The reason why no one downloads it is because it breaks more than it fixes. I rolled it out on two machines as a test run and they had nothing but complaints. Just to see how bad it was I downloaded it onto my machine and I nearly pulled all my hair out trying to repair what I had before that this nasty patch wiped out. Not fun. I had to reinstall Lookout on every machine that got it and applied their "lite" version of their patch included in the Office Service Pack which had most of the anal restrictions removed.
    --
    Objects in the blog are closer than they ap