Slashdot Mirror


Klez: a closer look

sheriff_p writes "Anyone receiving even a small amount of email is likely to have encountered Klez variants of some form in the last few months - Message Labs shows it as being the biggest email-transmitted virus of all time by some way. So just how boring is it? Virus Bulletin has an in-depth look at what makes Klez tick." And today alone, Klez virus e-mails were 90% of my e-mail by bytecount. YAY Outlook!

15 of 196 comments

  1. Nice article by stevenbee · Score: 5, Insightful
    I appreciate the fact that they acknowledge the role played by social engineering as a vector.
    As I have tried to explain to my more gullible user-friends, a little crankiness goes a long way
    towards virus protection!

    : )

    --
    Don't read this!
  2. Follow the Yellow Klez road. by tcd004 · Score: 5, Interesting

    Klez has been great for my company! We just classify every copy of Klez we receive as "corporate acquisition of capital" and assign it a monetary value. We've got 6.2 billion in Klez inventory baby!

    But seriously...127K seems to be the magic number for Klez.
    So couldn't a filter simply be set up to block all emails 127k in size?

    tcd004

    1. Re:Follow the Yellow Klez road. by jandrese · Score: 4, Interesting

      Maybe we should start doing that for all mail trojans? I know I'd be thrilled to discover that mail of various random sizes might disappear at my mail filter because it just happens to be the same size as a worm. Seems to me it'd be better just to block the worm directly...oops, many companies already do this.

      --

      I read the internet for the articles.
    2. Re:Follow the Yellow Klez road. by jd142 · Score: 4, Interesting

      Um, that sort of security is just stupid and provides a false sense of security. If you were being sarcastic, I missed it. What happens when Klez mutates into a slightly different size?

      True story: I was helping a user send out emails to a group of students. Her subject was "Important message about your scholarship." She kept getting messages back that the mail was infected with the Melissa virus. Well, she wasn't sending any attachments, so I thought we had a variant that piggybacked on outgoing mail messages. I searched her machine. I moved her to a different machine and searched it. Same thing. I re-imaged a machine. Same thing.

      I also couldn't figure out where it was being caught. The message wasn't coming from our server because the infected message wasn't the same.

      I traced it back to the main university's mail servers. So I called them up and told them that their anti-virus software was catching a virus that we couldn't find and could they tell us what they were using. They said they weren't using anti-virus scanning software.

      Turns out some bright bulb had written a perl script that flagged every outgoing message with a subject that contained "Important message" as being infected with the Melissa virus.

      A half a day wasted trying to track down a non-existent virus. And as soon as the Melissa virus changed its subject line, the script would let it through. What a joke.

  3. More to do with admin set up. by CountBrass · Score: 5, Insightful

    We use Outlook and Exchange Server where I work. Never, ever, seen a virus in the two and a half years I've worked here. Why? Because the admins know what they're doing and catch all the viruses before they ever get anywhere near us delicate users. I'm not an especial fan of MS (I'm a bastion of Java in a sea of MS where I work) but all the sniping at Outlook is just bs. People target Outlook and other MS products because it's popular. I mean, why bother writing a virus that targets some system only a couple of geeks ever run? The key factor is competent admins, properly configuring and defending the systems they're responsible for.

    --
    Bad analogies are like waxing a monkey with a rainbow.
    1. Re:More to do with admin set up. by autechre · Score: 5, Informative

      Not all of the complaints about Outlook are "bs". Certainly, a lot of people seem to like the interface. This is one point that has probably kept it on users' desktops.

      However, it will randomly refuse to work with perfectly functional IMAP servers. Some people have had it delete everything in their inbox. And many aspects of its design make it an easy target for virus writers. Up until recently, even if you knew what you were doing and wanted to, you couldn't prevent Outlook from displaying HTML (and everything associated with it, such as Javascript and Web bugs). It's gotten a bit more difficult to have it automatically execute attachments, but apparently not difficult enough. (In all fairness, it should be pointed out that a large section of the population would simply execute those attachments themselves anyway).

      It's easy to say that you're safe at work. You're sitting behind various filters set up by competent administrators. But many people at home don't have that option. If an ISP started filtering out attachments by file type, many would doubtless scream bloody murder. Home users are the main problem here (not that it's necessarily their fault). In an unprotected environment, Outlook still makes it too easy for virus writers, and while I would love to be in a world where everyone was shielded by competent admins (hello big job market for me!), we currently aren't.

      --
      WMBC freeform/independent online radio.
    2. Re:More to do with admin set up. by Sloppy · Score: 5, Insightful
      People target outlook and other MS products because it's popular.

      Outlook is targeted because it's the only email client that anyone has ever heard of (probably the only email client in the history of the world) that executed a script mailed to it, without user interaction. (Yes, that has been fixed, but it's still in people's heads.) It's also the only email client I've seen (though probably not the only one in history) that will allow a user to execute an attached script just by clicking on it. Traditionally, email clients aren't desktop shells; they might go to the trouble to display static attachments such as pictures, but executing scripts is way over the line. Traditionally, if you want to execute an attachment, you have to save it and execute it separately. A sane and responsible software designer would never entertain such an idea for more than a few seconds. Microsoft did.

      Outlook's reputation is deserved. You're lucky your mail is so well filtered by good Admins, because as an Outlook user, you would be in unusual danger without those Admins.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  4. Good way to filter UCE by Anonymous Coward · Score: 4, Informative

    Set up an E-Mail address at your domain, called something like:

    ignoreme@example.net

    and publish it on your webpage, as an address for UCE only, and ask people not to send correspondence to it.

    Then, filter all E-Mail received in your other mail boxes, against all of the mail received by ignoreme, and any that matches, delete.
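
    One way to implement the comparison described above, as an added example that is not part of the original post: each message seen at the trap address is fingerprinted by its text body (whitespace collapsed, case folded) and inbox mail with the same fingerprint is dropped. The addresses and messages are constructed; an exact fingerprint only catches bulk mail whose body is identical per recipient, so real deployments need a fuzzier match.

```python
import hashlib
import re
from email import message_from_string

# Constructed sample: one message caught by the trap address, two inbox messages.
TRAP_MAIL = """From: promo@bulk.example.com
To: ignoreme@example.net
Subject: Act now!!!

Buy our   product today,
visit http://bulk.example.com/offer
"""

INBOX_MAIL = [
    """From: promo@bulk.example.com
To: alice@example.net
Subject: Act now!!!

Buy our product today,
visit http://bulk.example.com/offer
""",
    """From: bob@example.org
To: alice@example.net
Subject: lunch

Are we still on for 12:30?
""",
]


def fingerprint(raw: str) -> str:
    """Hash the text body after collapsing whitespace and case, so that
    trivial per-recipient formatting differences do not defeat the match."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        body = "".join(
            p.get_payload(decode=True).decode("utf-8", errors="replace")
            for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()


def build_trap_set(trap_messages):
    """Fingerprints of everything delivered to the trap address."""
    return {fingerprint(m) for m in trap_messages}


def filter_inbox(messages, trap_set):
    """Split inbox mail into (kept, dropped); dropped bodies were also seen at the trap."""
    kept, dropped = [], []
    for m in messages:
        (dropped if fingerprint(m) in trap_set else kept).append(m)
    return kept, dropped
```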

  5. Re:Stupid Address Books by Vanders · Score: 5, Insightful

    Well, yes they could do that. I'm sure everyone will feel safe for a couple of months, until the encryption is broken, or a loophole is discovered. Then it will be back to square one.

    It would appear that a more long term solution would be to remove scripting! I have yet to see a use of scripting used within an email that could not be done if Microsoft removed scripting from Outlook. The only thing anyone ever uses is the ability to add buttons to the top of the email. You do not need a Turing complete scripting language that can open sockets and read the address book to do that.

    Then again, baubles and shiny things make managers with budgets happy, I guess.

  6. Definition of unpopular... by karot · Score: 5, Funny

    ...is when even viruses don't send you mail :-(

    Steve ;-)

    --
    Enjoy Y2K? Roll-on Year 2037!
  7. Hemos, CmdrTaco by Lxy · Score: 5, Insightful

    Silly question:

    Whenever Hemos or CmdrTaco posts about a Windows virus, they always end with "yadda yadda 90% of my e-mail yadda...". How is it that you can run the #1 geek news site and still have e-mail viruses infiltrating your inbox? Is it that much trouble to install MIMEDefang? If you'd like, I'll offer up my services as a consultant to install virus scanning software on your e-mail server, since you two obviously can't figure it out, but I hope that isn't necessary.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
    1. Re:Hemos, CmdrTaco by _xeno_ · Score: 5, Informative
      They still have to download the crap before they can filter it, right? How do you know that they aren't filtering it all out and aren't looking at a report that says "Filtered e-mail: 90% Klez, 9% Spam, 0.45% Troll, 0.45% Flamebait, 0.05% Stupid, 0.04% Real, 0.02% Complaints About Slashdot Math"?

      Maybe Hemos came up with the figure by checking his e-mail and watching as 90% of it was filtered into the bitbucket. Maybe he still filters it by hand - regardless, when a massive collection of your inbox is junk, you still have to watch it go through the filter. (Well, OK, not always - there are filter setups where you don't see it, but let's not get too technical, alright?)

      The bottom line is this: they may filter it, but they still have to deal with the incoming bytes in some way. The "90%" figure probably comes from either a filter report, or from watching the data be filtered if they're using client-based filtering. Just because they know that 90% of their incoming e-mail is crap doesn't mean they manually sort it.

      --
      You are in a maze of twisty little relative jumps, all alike.
  8. Question by Mr_Silver · Score: 5, Informative
    Unless I'm misreading this, isn't the major thing about this virus that it runs automatically using an IE exploit?

    I mean, that the whole going through your contacts/sent items list and mailing them is all very well, but I can write some perl that does that with your Pine folders easily enough.

    I posted an article a while ago on this but it was rejected. It's a Wired article entitled "The Great MS Patch Nobody Uses". Granted it is Microsoft's fault this stupid stupid exploit happened in the first place, but it's also interesting to note that the fix for 80% of these problems has been available for over a year virtually unnoticed.

    And finally, if you're running procmail then:

    # B: match the conditions against the message body (MIME part headers
    # live there); procmail matching is case-insensitive by default
    :0 B
    * Content-Disposition: attachment
    * name=.*\.(com|exe|pif|scr|bat|lnk|shf|vbs)
    {
    # Stick it somewhere (trailing ':' takes a lock file while writing)
    :0 B:
    /home/accountname/mail/viruses
    }

    does a pretty good job of filtering out that sort of junk.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
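
    The same check done on the parsed MIME structure rather than with a body regex, as an added example that is not part of the original post: it walks every part, reads the declared filename, and compares only the final extension (so a double-extension name like readme.txt.pif is still caught). The message is constructed and the blocked list is the one from the procmail recipe.

```python
from email import message_from_string
from email.message import Message

# Extensions from the procmail recipe in the post.
BLOCKED_EXTENSIONS = {"com", "exe", "pif", "scr", "bat", "lnk", "shf", "vbs"}

# Constructed sample message with a double-extension, mixed-case attachment name.
SAMPLE = """From: friend@example.org
To: you@example.net
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Readme.TXT.PiF"

MZ...
--b1--
"""


def dangerous_attachments(msg: Message):
    """Return filenames of attachments whose final extension is blocked.
    Case-insensitive, like procmail's default matching, but based on the
    parsed Content-Disposition/Content-Type filename, not raw body text."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name or "." not in name:
            continue
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def classify(raw: str) -> str:
    """Mirror the recipe's two outcomes: the quarantine folder or the normal inbox."""
    return "viruses" if dangerous_attachments(message_from_string(raw)) else "inbox"
```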
  9. the forged From: line makes all the difference by frankie · Score: 4, Informative

    Klez is not really such a smart virus, compared to some of the earlier Outlook scripts that would grab a real document off the luser's HD and send it. The thing that makes it a major PITA is the forgery.

    The only way to track down a Klez sender is to follow the Received: headers back to the ISP, and ask them to search their RADIUS &/or DHCP logs to figure out which user was at that address at the time the message was sent. Most ISPs that I've contacted would rather not bother, so the infected PCs remain blissfully ignorant.

    Alternately, the ISP could require authenticated SMTP, and attach the real user ID to every message in some way. Or install a virus filter on the outbound connection. But once again, they don't want to bother. It's the tragedy of the commons.
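
    Walking the Received: chain as the post describes, as an added example that is not part of the original post: headers are prepended by each hop, so the walk goes newest-first and stops at the first hop written by one of your own servers whose sending host is not yours; anything below that line was written by the sender and can be forged just like From:. The message, hosts and addresses are constructed.

```python
import re
from email import message_from_string

# Constructed Klez-style sample: the From: is forged, so only the Received:
# chain says where the message actually came from.
SAMPLE = """Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.net with ESMTP; Tue, 02 Jul 2002 10:03:00 -0400
Received: from Sdsfkl (dialup-77.isp.example [198.51.100.77])
    by mx.example.net with SMTP; Tue, 02 Jul 2002 10:02:58 -0400
From: innocent-bystander@example.org
To: you@example.net
Subject: Hi

(worm body omitted)
"""

# Hosts we operate, and therefore trust to write honest Received: lines.
TRUSTED_HOSTS = {"mail.example.net", "mx.example.net"}

RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[([0-9.]+)\]\)\s+by\s+(\S+)", re.S)


def parse_received(msg):
    """Return (helo_name, reverse_dns, ip, by_host) per hop, newest first."""
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(header)
        if m:
            hops.append(m.groups())
    return hops


def originating_ip(msg):
    """First hop received by one of our hosts from a host that is not ours:
    that is the handoff from the outside, and the only IP worth reporting."""
    for helo, _rdns, ip, by_host in parse_received(msg):
        if by_host in TRUSTED_HOSTS and helo not in TRUSTED_HOSTS:
            return ip
    return None


def from_matches_chain(msg):
    """Heuristic: does the From: domain appear anywhere in the reverse DNS
    of the chain? For a forged Klez sender it does not."""
    domain = msg["From"].rsplit("@", 1)[-1].strip()
    return any(rdns.endswith(domain) for _, rdns, _, _ in parse_received(msg))
```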

  10. New poll! by Webmoth · Score: 5, Funny

    The virus I've had the hardest time getting rid of:

    [ ] Nimda
    [ ] Klez
    [ ] ILoveYou
    [ ] Sircam
    [ ] Hybris
    [ ] Whatever CowboyNeal has

    --
    Give me my freedom, and I'll take care of my own security, thank you.