Slashdot Mirror


Bugbear Windows Virus Making the Rounds

lysurgon writes "CNN.com is reporting that the "BugBear" virus (Windows/Outlook only) is spreading quickly. Unlike ILoveYou-type viri, instead of deleting files or just propagating itself, this animal disables firewall software and opens a port to receive remote commands. The article doesn't draw this conclusion, but this effectively sets up slave machines for DDoS uses. Also worth noting is the puzzlement of anti-virus guys as to why they haven't been able to make the virus spread in the lab. "One of the theories is that this requires an Internet connection in order to spread." Gee, you don't say?"

149 of 449 comments

  1. Can't make it work in the lab... by airrage · · Score: 4, Funny

    Probably coded to sit idle if its domain is symantec.com, etc.

    --
    "This isn't a study in computer science, it's a study in human behavior"
    1. Re:Can't make it work in the lab... by Lazar+Dobrescu · · Score: 4, Funny

      Yeah I mean even virus software developers are not immune to the "It works on my machine" syndrome...

    2. Re:Can't make it work in the lab... by quakeroatz · · Score: 2, Funny

      Probably coded to sit idle if its domain is symantec.com, etc.

      +5 Funny? I don't think this guy is joking.

    3. Re:Can't make it work in the lab... by Tony-A · · Score: 2

      Did anyone else who read this feel like they went a long way and got nowhere?
      Personally, I thought he made the point beautifully. And the point applies to both keeping production systems running and the propagation of viruses. It doesn't take much to trip up either.

  2. Removal tool by Anonymous Coward · · Score: 5, Informative

    Get it here

    1. Re:Removal tool by sharkey · · Score: 5, Funny

      A couple more:

      Lindows
      Red Hat

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:Removal tool by NineNine · · Score: 2

      So then, I guess that I can find the removal tool for the Slapper worm, currently going around Here?

    3. Re:Removal tool by dodobh · · Score: 2

      No. Here. Patch.

      --
      I can throw myself at the ground, and miss.
  3. There's a patch since March 2001 by swissmonkey · · Score: 4, Informative

    http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS01-020.asp

    Blame the admin

    1. Re:There's a patch since March 2001 by Inthewire · · Score: 2, Informative

      If you're an idiot, yeah.
      Slashcode inserts a space into long strings - this helps prevent page-widening posts. Notice the space in the URL? That needs to be removed in order for the link address to be properly resolved. True, the asshat who posted it could have taken an extra few seconds and made a clickable link, but the fault is not really his and it isn't really Microsoft's. It is the result of abusive (Klerck, I'm looking at you) or ignorant users. If people would refrain from posting long unbroken strings this particular mess could be avoided.
      Such is life.
      Have a Coke and a smile.

      --


      Writers imply. Readers infer.
    2. Re:There's a patch since March 2001 by taernim · · Score: 3, Informative

      404 -- file not found. Gee, that's a handy patch. I think you meant this.

      --
      "PC Load Letter? What the $@#% does that mean?!"
    3. Re:There's a patch since March 2001 by Cpt_Kirks · · Score: 4, Funny

      From the Things That Sound Dirty, But Aren't file:

      if they don't mind legally giving MS the right to root their box

    4. Re:There's a patch since March 2001 by Metrol · · Score: 2

      A direct quote from SARC...

      The email message can be composed with or without the use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to autoexecute on a vulnerable system. Please go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp for additional information.

      Patch or not, this bugger is gonna launch!

      --
      The line must be drawn here. This far. No further.
  4. Safe and secure by bytesmythe · · Score: 5, Funny
    this animal disables firewall software

    Whew! Good thing I don't use any firewall software!

    --
    bytesmythe
    Hypocrisy is the resin that holds the plywood of society together.
    -- Scott Meyer
    1. Re:Safe and secure by Peyna · · Score: 5, Funny

      I doubt it's going to ssh to my linux box and disable all my iptables rules..... That'd be the day.

      --
      What?
    2. Re:Safe and secure by electroniceric · · Score: 2

      I'd wait before being quite so sure. There could well be plenty ugly Linux worms before too long, and they may be able to do just that...not to mention that skript kiddies luv Linux as much as any other flavor.

    3. Re:Safe and secure by Dausha · · Score: 2, Funny

      You see it! That is exactly what we need. Somebody needs to write an Outlook-based virus that installs a high-quality firewall. Then you'll see the anti-virus companies scramble.

      Better still, have it replace Windows when nobody's looking

      --
      What those who want activist courts fear is rule by the people.
    4. Re:Safe and secure by Blkdeath · · Score: 2, Interesting
      Better still, have it replace Windows when nobody's looking
      Not so long ago, we almost had that very thing. A tarball and a UMSDOS filesystem and we're good to go.
      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    5. Re:Safe and secure by uberdave · · Score: 2

      Simply have your worm resolve attackdata.random.attackersdomain.com.

      Now if we only had some means of finding out where attackersdomain.com is, we could nail the suckers!

    6. Re:Safe and secure by sg_oneill · · Score: 2

      Holy cow does it ever.
      I .. somewhat stupidly decided to investigate the sucker by launching Zonealarm & clicking on the preview to examine the attachment.... in Outlook (9am coffee brain here) and then SLAMBO! The thing autolaunched outa the preview frame (IFRAME vulnerability) and instantly smacked Zonealarm down and started firing. Gah!
      Anyway, it took me all of about 20 seconds to kill it, but I tell ya, that was the first time I've been goofed by a virus since friggin' no_frills_dudley 10 years ago... Time to update those virus patterns I think!
      And yes, kick me. It was a stupid experiment, but I figured I wanted to know just what WAS the junk flooding my email server.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  5. What's the plural of virus? by thelenm · · Score: 4, Interesting

    Unlike ILoveYou-type viri,

    A bit off-topic, I know, but here's an interesting link about the word "viri", the alleged plural of "virus": What's the Plural of 'Virus'?

    --
    Use Ctrl-C instead of ESC in Vim!
    1. Re:What's the plural of virus? by Lxy · · Score: 2

      At the very least it's virii, or viruses.

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
    2. Re:What's the plural of virus? by iabervon · · Score: 5, Informative

      There are a number of bits of that page that make it clear that the author doesn't actually know Latin.

      And we certainly don't grab for genitive singulars for the plurals when we've started out with a nominative.

      Except that viri (from vir, mentioned just above) uses the same thing for the genitive singular and nominative plural, as do all regular 2nd declension masculine nouns that don't end in -ius. For that matter, spoken English doesn't normally distinguish the singular possessive from the nominative plural (written uses an apostrophe, which doesn't affect pronunciation).

      As far as how such a noun should work in the plural, there's a perfectly good example: cetus (whale) has a perfectly normal plural ceti, following the masculine pattern despite being neuter, just like virus.

      On the other hand, the plural of virus is not attested in any form. The logical conclusion of this fact is that virus is a word like "sheep" or "fish", which doesn't have a distinguished plural form. It makes more sense, anyway, because you're not generally dealing with individual copies; you're dealing with an infection as a whole.

      Of course, if you really want a plural that's obviously a plural and refers to multiple different entities, use "worms".

    3. Re:What's the plural of virus? by dillon_rinker · · Score: 2

      -en is a German pluralizer. Don't know what the derivation of "boxen" is, but that could be part of it.

    4. Re:What's the plural of virus? by heikkile · · Score: 5, Funny

      It is a Latin word, so it uses roman numerals:
      1 viri
      2 virii
      3 viriii
      4 viriv
      5 virv
      6 virvi
      7 virvii
      8 virviii
      9 virix
      10 virx

      --

      In Murphy We Turst

    5. Re:What's the plural of virus? by sydb · · Score: 2

      English and German have common ancestry. English was largely a Germanic language until the Norman conquest, and with the adoption of Latin as the lingua franca of the Old World.

      In Old and Middle English, which derive from the languages of the invading Angles, Saxons, Jutes, Frisians, etc. in the early centuries AD, plurals include the -n- suffix. Witness kine, plural of cow and oxen, plural of ox, as (archaic) modern remnants.

      The idea that Latin is the root of English is a false meme commonly upheld, though we must admit it is certainly a foster parent.

      Not that I'm a trained linguist or anything, but I did teach myself some Old English about fifteen years ago.

      --
      Yours Sincerely, Michael.
    6. Re:What's the plural of virus? by RedWizzard · · Score: 2
      If the common usage becomes "viri", no amount of hemming and hawing is going to stop it.
      Maybe so, but there's no evidence that "viri" is in common usage, except by geeks who want to sound 1337. It's certainly not the plural used by the medical community, who have been talking about viruses a lot longer than we have.
    7. Re:What's the plural of virus? by tuxedo-steve · · Score: 2

      ... with virix being the new Linux distribution that includes a full-featured Microsoft Outlook client?

      --
      - SMJ - (It's not just a name: it's a bad aftertaste.)
    8. Re:What's the plural of virus? by Dirtside · · Score: 2

      I would say that "boxen" is a nouveau technical term, specifically referring to multiple computer boxes, rather than box-like things in general. The main reason is that "boxen" is used by people who know that the plural of "box" is "boxes," but as a matter of linguistic playfulness pluralize it the same way that "ox" becomes "oxen." Anyway, I don't think it's wise to use the term "blasphemy" when it comes to language... language is not divinely inspired, it's merely a product of common social agreement ;)

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  6. labs... and social engineering by jukal · · Score: 5, Funny

    IMHO Bugbear's spreading relies solely on social engineering. Labs have nothing to do with social-anything. That's why you can reproduce it in there :))

  7. My client caught it, Strange symptoms by reezle · · Score: 5, Informative

    2 workstations at a client of mine caught this bug. The AV system kicked in shortly thereafter, and stopped the spread. (I had to manually clean the machines, though)
    Strange symptoms appeared just before we knew there was a virus: All of the printers in the network started printing garbage. I had to reload the print drivers from CD for all the server's printers to stop the effect.

    Anyone else seen the virus in a network? Anyone else seen similar print symptoms?

    1. Re:My client caught it, Strange symptoms by b0r1s · · Score: 5, Informative

      We've trapped a few in the email system (prior to infection), but I've been noticing a lot of port 137 activity that I believe is tied to the virus. The main difference between legitimate traffic and the viral traffic is the lack of a broadcast bit (real ms network traffic will be sent broadcast, the virus sends machine to machine), and a source port of 1024-1030 rather than 137.

      The junk from the printer is probably due to the random network traffic it sends out.

      Some stats for people who like numbers:

      1944 viruses ( 18 different strains ) found since Sat, 31 Aug 2002

      Virus: W32/Klez-H found 1603 times (82 %)
      Virus: W32/Yaha-E found 166 times (8 %)
      Virus: W32/Sircam-A found 93 times (4 %)
      Virus: W32/Bugbear-A found 23 times (1 %)
      Virus: W32/Magistr-B found 20 times (1 %)
      Virus: W32/Nimda-D found 7 times
      Virus: W95/CIH-10xx found 5 times
      Virus: W32/Yaha-D found 5 times
      Virus: W32/Klez-E found 5 times
      Virus: W32/Nimda-A found 4 times
      Virus: W32/Hybris-B found 4 times
      Virus: VBS/Redlof-A found 2 times
      Virus: W32/Cervivec-A found 1 times
      Virus: W32/Hybris-C found 1 times
      Virus: W32/Weird-10240 found 1 times
      Virus: W32/Klez-Fam found 1 times
      Virus: WM97/Marker-Fam found 1 times
      Virus: W32/Magistr-A found 1 times

      --
      Mooniacs for iOS and Android
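
The heuristic described in the comment above (traffic to port 137 with the broadcast flag clear and a source port of 1024-1030 instead of 137), written out as a triage filter. This is an added example, not part of the original comment; the record layout, the function names and the sample packets are constructed for illustration, and each payload holds only the 12-byte NetBIOS name service header.

```python
import struct
from collections import defaultdict

NBNS_PORT = 137
NBNS_FLAG_BROADCAST = 0x0010           # "B" bit of NM_FLAGS in the NetBIOS-NS header (RFC 1002)
SUSPECT_SRC_PORTS = range(1024, 1031)  # 1024-1030 inclusive, the range reported in the comment

# Constructed sample records (documentation address ranges). payload_hex is the
# NetBIOS-NS header only: id, flags, qdcount, ancount, nscount, arcount.
SAMPLE_PACKETS = [
    # Ordinary broadcast name query: source port 137, B flag set.
    {"src": "192.0.2.10", "sport": 137, "dst": "192.0.2.255", "dport": 137,
     "payload_hex": "0a0101100001000000000000"},
    # Unicast query to a name server: B flag clear, but source port is 137.
    {"src": "192.0.2.10", "sport": 137, "dst": "192.0.2.5", "dport": 137,
     "payload_hex": "0a0201000001000000000000"},
    # Machine-to-machine, B flag clear, low ephemeral source port: matches.
    {"src": "198.51.100.23", "sport": 1025, "dst": "192.0.2.40", "dport": 137,
     "payload_hex": "1f0100000001000000000000"},
    {"src": "198.51.100.23", "sport": 1027, "dst": "192.0.2.41", "dport": 137,
     "payload_hex": "1f0200000001000000000000"},
    # Source port in range but B flag set: does not match.
    {"src": "203.0.113.7", "sport": 1029, "dst": "192.0.2.255", "dport": 137,
     "payload_hex": "2b0101100001000000000000"},
    # B flag clear but source port outside 1024-1030: does not match.
    {"src": "192.0.2.77", "sport": 4431, "dst": "192.0.2.40", "dport": 137,
     "payload_hex": "3c0100000001000000000000"},
    # Truncated payload: cannot read the flags, so it is not counted.
    {"src": "198.51.100.99", "sport": 1026, "dst": "192.0.2.40", "dport": 137,
     "payload_hex": "1f03"},
]


def nbns_flags(payload: bytes):
    """Return the 16-bit flags word of a NetBIOS-NS header, or None if truncated."""
    if len(payload) < 12:
        return None
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    return flags


def matches_heuristic(pkt) -> bool:
    """True when a packet fits the pattern from the comment: udp/137 destination,
    broadcast flag clear, source port between 1024 and 1030."""
    if pkt["dport"] != NBNS_PORT:
        return False
    try:
        payload = bytes.fromhex(pkt["payload_hex"])
    except ValueError:
        return False
    flags = nbns_flags(payload)
    if flags is None:
        return False
    broadcast = bool(flags & NBNS_FLAG_BROADCAST)
    return (not broadcast) and pkt["sport"] in SUSPECT_SRC_PORTS


def suspect_sources(packets):
    """Group matching packets by source so a host probing many targets stands out."""
    hits = defaultdict(set)
    for pkt in packets:
        if matches_heuristic(pkt):
            hits[pkt["src"]].add(pkt["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in suspect_sources(SAMPLE_PACKETS).items():
        print(f"{src}: unicast NetBIOS-NS from low ephemeral port to {len(dsts)} host(s): {', '.join(dsts)}")
```

A match is a reason to look at the source host, not proof of infection; the count of distinct destinations per source is what separates a scanning machine from a one-off query.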
    2. Re:My client caught it, Strange symptoms by Theatetus · · Score: 5, Informative

      We had one get into our network. It didn't disable NAV on the machine and it was pretty easy to remove (just clear out the "Startup" folder in %root_drive%:\Documents and Settings\%username%\Start Menu\Programs, reboot and backup to a known-good registry. You keep a known-good registry backup, right?... If not, delete any keys in HKLM->Software->Microsoft->Windows->RunOnce)

      Also, run Task Manager and kill-9 (or whatever the Windows equivalent is) any random 3- or 4-letter processes after you've cleared the Run Once keys and Startup folder.

      I think the executable is printing its own binary when it tries to infect a printer.

      As always, patched machines should do OK; the one that got through only did because it was still running IE 5 without any updates. YMMV.

      --
      All's true that is mistrusted
    3. Re:My client caught it, Strange symptoms by tubabeat · · Score: 3, Informative

      According to the analysis by Sophos

      Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.

      Judging from the questions I've had over the past two days (from users, about incoming emails which have been 'disinfected') it's also worth noting...

      the worm can spoof the From and Reply To fields in the emails it sends. [Like Klez & YaHa do]

      We use MailScanner along with a Sophos engine to filter our incoming mail - and we've caught dozens of this worm in the last two days. Remembering the trouble from Nimda last year I'd recommend MailScanner to everyone, it's free & can be used with a variety of engines. [I'm not associated with the MailScanner project BTW]

      --
      "Linux is a serious competitor"
      - Steve Ballmer, Chief Executive Microsoft Corp.
    4. Re:My client caught it, Strange symptoms by sootman · · Score: 2

      I have, in my hand, 2 reams of garbage, starting with a few characters, then "This program cannot be run in DOS mode." 2 reams with 1-15 lines at the top of each page, some of it overprinted. At least my 10-year-old won't run out of drawing paper before college. (Don't know where it came from, it was just sitting by the printer this morning. It actually might not be BB, it's just my guess based on timing and what I've heard.)

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    5. Re:My client caught it, Strange symptoms by ninthwave · · Score: 5, Informative

      From what I have read on the virus, it does more than the CNN article goes into (quotes from the Symantec FAQ on the virus below). We have two machines isolated at work now that I have to check on Monday for this. Off network and turned off waiting for me to get through my weekend. It is a pretty interesting read on what it does. It seems to be a Klez variant with some extra functionality. So like Klez it tries to disable antivirus software and it has added more processes to kill (read Symantec's read on it). Though I believe sometimes Symantec overstates virus threats, this one seems to do a lot in a little package.

      The keyboard logging and the open port 80 make it very interesting to see if it is waiting for a cracker to come along or if it is waiting for other payload from another infected machine or from a variant.

      http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html

      "Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

      It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22."

      "The third thread that the worm creates is a backdoor routine. It opens port 36794 and listens for commands from the hacker. The commands permit the worm to perform the following actions:

      Delete files.
      Terminate processes.
      List processes and deliver the list to the hacker.
      Copy files.
      Start processes.
      List files and deliver the list to the hacker.
      Deliver intercepted keystrokes to the hacker (in an encrypted form). This may release confidential information that is typed on a computer (passwords, login details, and so on).
      Deliver the system information to the hacker in the following form:

      User:
      Processor:
      Windows version:
      Memory information:
      Local drives, their types (e.g., fixed/removable/RAM disk/CD-ROM/remote), and their physical characteristics

      List network resources and their types, and deliver the list to the hacker.

      If the operating system is Windows 95/98/Me, the worm attempts to obtain access to the password cache on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and others. This is done using an officially undocumented function--WNetEnumCachedPasswords--that exists only in Windows 95/98/Me versions of the Mpr.dll file.

      One of the commands permits the Trojan component to deliver data using HTTP port 80. The results of the backdoor activity may be represented in the form of HTML pages. This gives a hacker a convenient way to browse the compromised computer resources.

      The fourth worm thread replicates across the network. To do this, the worm lists all of the resources in the network. If it locates open administrator shares, it attempts to copy itself to the Startup folder of the remote computer. This leads to the infection of the compromised network computers as soon as they are restarted.

      Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality."

      --
      I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
    6. Re:My client caught it, Strange symptoms by sharkey · · Score: 5, Funny

      All of the printers in the network started printing garbage.

      Sure it was a virus? Maybe the Marketing department has a big project.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    7. Re:My client caught it, Strange symptoms by sw155kn1f3 · · Score: 5, Funny

      Did it print "Follow the white rabbit?" :)

      --
      - Arwen, I'm your father, Agent Smith.
      - Well, you're just Smith, but my father is Aerosmith!
    8. Re:My client caught it, Strange symptoms by Software · · Score: 2
      If not, delete any keys in HKLM->Software -> Microsoft -> Windows -> RunOnce

      Also, run Task Manager and kill-9 (or whatever the Windows equivalent is) any random 3- or 4-letter processes after you've cleared the Run Once keys and Startup folder.

      The reg key is ... -> Windows -> CurrentVersion -> RunOnce (sorry, had to nitpick).

      I disagree with your second recommendation. There are several services (smss.exe, for example) that run as part of a normal Windows installation. Killing them is ill-advised.

    9. Re:My client caught it, Strange symptoms by dildatron · · Score: 3, Funny

      Nah. If it were marketing, it would be on 11x17" paper in full color on the expensive color laser printer.

      --


      If you had nuts on your chin, would they be chin nuts?
    10. Re:My client caught it, Strange symptoms by Dausha · · Score: 4, Funny

      Hmm based on what it allows the remote user to do--are you sure this isn't actually a Microsoft Windows XP installer?

      --
      What those who want activist courts fear is rule by the people.
    11. Re:My client caught it, Strange symptoms by bmajik · · Score: 3, Informative

      haha

      if you succeed in killing smss.exe, the machine goes away :)

      similarly, if csrss.exe exits, smss.exe bluescreens the machine.

      lsass is the local security agent subsystem server. (I always read this as "ls ass")

      SMSS is the session management subsystem. it spawns Csrss.exe (Client Server Run Time SubSystem - the Win32 layer on top of NT)

      If you have a suitably old smss.exe, it also spawns the OS/2 1.x layer or the POSIX layer. If you have Services for UNIX, there is a new posix.exe layer and psxrun.exe servers that you'll also see.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    12. Re:My client caught it, Strange symptoms by sootman · · Score: 2

      So did ours-- out of 6 trays, only 1 has letter, it holds 1 ream, and there are at least 2 kinds of paper here. (Slightly different colors.) *sigh*

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    13. Re:My client caught it, Strange symptoms by ananke · · Score: 2, Informative

      According to Sophos, this virus/worm/whatever_you_want_to_call_it tries to spread itself over the network shares, etc. One of the things it does is it tries to connect to printers, and all you get is the bugbear trying to print out itself :)

      Anyway, kudos to Sophos. I use their anti-virus with MailScanner on our Linux e-mail server. We used the MailScanner's auto-update script, which we set to contact Sophos once an hour, and download the latest IDE's for our scanner. This way, when on September 30th I received an e-mail alert from Sophos about bugbear spreading like fire, I checked our server, and guess what - it already had the IDE files. Makes my life as a sys admin much easier :). As a side note, we didn't get any bugbear hits until October 4th.

      I know that scanning e-mail attachments, etc, is not the total protection [we also use AV software on each desktop], but it surely helps a lot. In addition to using Sophos to scan our e-mail, we use it to scan all the shared samba drives, which reside on another box. Overall, I can sleep better.

      ps) I think sophos also released some cleaning tool for bugbear.

      --
      --- d'oh
    14. Re:My client caught it, Strange symptoms by Lizard_King · · Score: 2

      it's been a while since a /. comment made me lol

      cheers

      --
      "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
    15. Re:My client caught it, Strange symptoms by Jetson · · Score: 2
      It opens port 36794 and listens for commands from the hacker.

      This I've gotta see.

    16. Re:My client caught it, Strange symptoms by mpe · · Score: 2

      The junk from the printer is probably due to the random network traffic it sends out.

      One of the methods it uses to spread is by copying to network shares. Presumably the programmer was not sure how to deal with printer shares.

    17. Re:My client caught it, Strange symptoms by mpe · · Score: 2

      Yup at around 11am the printer started to print garbage immediately I knew it was bug bear cause I sent an email Wednesday to all my users to update the corporate anti-virus software & I attached the update and I posted links to the various bugbear reports.

      Ideally corporate AV software would be updated centrally. But not all the anti-virus producers appear to have got a good handle on this.

  8. Virus that disables anti-virus software? by Christopher_G_Lewis · · Score: 4, Insightful

    It's pretty impressive that this virus disables anti-virus software, and covers quite a large list of AV/Firewall programs.

    tech details

    Have any other virii in the past done this, or is this a first?

    1. Re:Virus that disables anti-virus software? by afidel · · Score: 2

      been done for a long time, and I believe it's even in 2 of the more common virus creation kits roaming around.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Virus that disables anti-virus software? by rmadmin · · Score: 5, Funny

      Conspiracy theory here:
      Who would know how to disable AV/Firewall software better than AV/Firewall software makers??? Hrm... job security eh?

    3. Re:Virus that disables anti-virus software? by br0ck · · Score: 5, Informative

      Klez did this as well. Also, Melissa turned off Word's security protection.

  9. Re:hah by frodo+from+middle+ea · · Score: 2, Informative

    The last time I tried one of those BIG-NAME antivirus solutions (name withheld in fear of a defamation suit), it completely crashed my OS, my Hard Disk and my motherboard. If you want a much cleaner solution try a free Anti-virus from grisoft. Or better still use linux like I do :-) -- using linux with root account is more dangerous than using windows. don't believe me. just do "rm -rf /"

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  10. The relationship destroyer by Pedrito · · Score: 5, Funny

    Man, I'm terrified. My mother got this and now a whole series of e-mails I sent to her about 3 years ago are suddenly being sent to almost everyone she has ever e-mailed or received e-mail from. People who were CC:ed on things I sent her are receiving personal e-mails I sent to her.

    I'm waiting for the one where I said really terrible things about someone to land in the wrong hands and start causing all sorts of disasters. After this, I'm going to be a lot more careful about what I say in e-mails.

    My machine is relatively safe, but I can't vouch for the person I'm sending e-mails to. I wouldn't be surprised if a lot of relationships get screwed up before this is all over.

    1. Re:The relationship destroyer by Pedrito · · Score: 5, Interesting

      I just noticed the "Windows/Outlook Only" part of the post. Maybe Windows, but not Outlook only. My mother uses Netscape mail (at least a 3 year old version), and it's obviously quite compatible with the virus.

    2. Re:The relationship destroyer by Sloppy · · Score: 2

      Don't worry. As long as those other people don't have your mother's PGP key, everything will work out just fi-- what? You didn't encrypt? Well, sheesh, you were sharing your email with the whole world anyway.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    3. Re:The relationship destroyer by tag · · Score: 2, Insightful
      I'm waiting for the one where I said really terrible things about someone

      You need to learn what my dad drilled into us as kids:
      "Never put anything in writing you wouldn't want to read aloud in open court."

    4. Re:The relationship destroyer by Loligo · · Score: 2

      Don't most mail readers have a "delete" function?

      -l

  11. Why is anyone running outlook anymore? by RailGunner · · Score: 4, Interesting
    Unless your company forces you to connect to an Exchange Server, why would anyone purposely run Outlook or Outlook Express as their mail client? Especially when there's several free alternatives.

    Eudora - http://www.Eudora.com
    Opera Mail - http://www.opera.com
    Mozilla - http://www.mozilla.org
    Netscape - http://www.netscape.com

    I hate to sound callous, but if you're on a standard PPP or SLIP internet connection at home, and you're running Outlook or Outlook Express, then you get what you deserve. If your company is running Exchange Server, then your company is getting what it deserves.

    Fool me once, shame on you. Fool me twice, shame on me. Except between Melissa, ILoveYou, Sircam, Klez, and now this, it's what, fool me a dozen times? Do people just enjoy getting kicked in the teeth repeatedly?

    1. Re:Why is anyone running outlook anymore? by gblues · · Score: 5, Insightful

      Unfortunately, people who use MSN as their ISP are forced to use MS LookOut as their e-mail client because the SMTP servers require "Secure Password Authentication" support, and none of the clients you have listed support it.

      Score one for vendor lock-in!

      Nathan

    2. Re:Why is anyone running outlook anymore? by SirSlud · · Score: 4, Insightful

      I agree.

      People seem to dislike this attitude, but it's true. Why should anyone deserve sympathy for driving a car that's already rolled over 3 times ...

      Eventually it's up to the user to practice safe computing.

      --
      "Old man yells at systemd"
    3. Re:Why is anyone running outlook anymore? by RailGunner · · Score: 4, Interesting
      Well, I'd say that's a good reason not to use MSN. Though I could have sworn Eudora or Mozilla or both supported SPA..

      OK folks, any volunteers to add SPA support to Mozilla Mail? Let's free the MSN users from the shackles of Outlook.

    4. Re:Why is anyone running outlook anymore? by Osty · · Score: 5, Interesting

      why would anyone purposely run Outlook or Outlook Express as their mail client?

      I can't personally speak for OE, as I've not used it in years, but I use Outlook XP because it's the best mail client I've found. I've never been infected by a virus in Outlook XP, because by default it strips malicious attachments (no, I'm not confusing that with an Exchange or mail server stripping those attachments -- we do that at work, sure, but I use Outlook at home with my postfix setup, and I know I'm not stripping attachments there, yet Outlook XP still strips the dangerous attachments). Out of the box, Outlook XP requires you to screw around to shoot yourself in the foot -- it warns you when you try to open an attachment, it'll tell you when there's possibly malicious script in a message and not let you view it in the preview pane, and so on. In short, you actually have to take action to get infected by a virus if you're using Outlook XP.


      Just to clear up any possible misconceptions, Outlook and Outlook Express are two completely different products, with completely different codebases, developed by two completely different teams. The only thing they share is the word "Outlook".

    5. Re:Why is anyone running outlook anymore? by jfroot · · Score: 3, Interesting

      The reason we use Outlook 2002 is because it does IMAP and Extended MAPI. There are NO OTHER email clients that run on Windows, do IMAP and support extended MAPI. We need extended MAPI for integration into Maximizer (crm type thing).

    6. Re:Why is anyone running outlook anymore? by RailGunner · · Score: 2
      Nope, sorry, I hate to disappoint, but I'm not trolling, this is my honest opinion. I'm tired of my Inbox being flooded by a bunch of virus messages because morons are using Outlook and Outlook Express.

      And the easy solution to these Outlook Worms is to QUIT USING OUTLOOK.

    7. Re:Why is anyone running outlook anymore? by killmenow · · Score: 2

      Granted: Some people are morons.

      That aside, Outlook is not the real problem. (OE...maybe...)

      Our office uses Outlook because it's a nice e-mail system overall. The group calendar thing is still not there in the solutions you mention.

      At any rate, we use Outlook...and nobody here has been infected by this virus, NOR WILL THEY BE.

      How is it I can say this? Because of this nifty patch Microsoft put out oh...about two years ago, called the "Outlook Security Patch" that lets my server automatically block these attachments. You can't open them if you want to.

      The fact of the matter is, I've personally received the BugBear virus attached to more than one e-mail...so somebody I know has been hit. But I won't get the virus...because when I open it, there's this nifty little text at the top of the window that says "Outlook blocked access to the following potentially unsafe attachments: whatever.jpg.pif"

    8. Re:Why is anyone running outlook anymore? by Amazing+Quantum+Man · · Score: 2

      Tell that to my corporate IT department.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    9. Re:Why is anyone running outlook anymore? by huge · · Score: 2, Interesting
      And the easy solution to these Outlook Worms is to QUIT USING OUTLOOK.


      At home, pine is enough for me, but at the office it's a different thing.

      There are lots of companies out there who are using Outlook just because they are using MS Exchange. They are using exchange because it has 'nice' group calendar (which isn't that bad, though I cannot say the same about Exchange itself) and there aren't that many good mail/calendar solutions available.

      Agreed, part of the problem is IT managers who think the world is revolving around windows, and they cannot see any other non-M$ solutions.
      --
      -- Reality checks don't bounce.
    10. Re:Why is anyone running outlook anymore? by md17 · · Score: 3, Interesting

      What about Ximian Evolution as a secure Outlook replacement?

      It can even talk to Exchange servers.

      Oh-yeah, it runs on Linux, so I guess that rules it out as an Outlook replacement for you windows people.

    11. Re:Why is anyone running outlook anymore? by txsable · · Score: 3, Informative

      If Outlook and Outlook Express are so unrelated, why are you REQUIRED to have Outlook Express installed to run Outlook 2000?

      Been there, tried this. There is NO way around having to have OE installed to run Outlook2K.

      (The only reason I use any MS emailer is because my office uses it. I actually had to convince someone here that using OE to pop our one email account that is allowed to receive attachments was a Bad Idea, and finally got him to change to Eudora...)

    12. Re:Why is anyone running outlook anymore? by cscx · · Score: 2

      I don't see a regular user editing the registry. Unless you edit a key in the registry, you are not allowed to view executable (exe, bat, com, vbs, shs, etc) attachments. Period. It doesn't allow you access, unless you edit the registry. Want to send an executable? Tell the sender to ZIP it.
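
The attachment blocking that killmenow and cscx describe above keys on the file's last extension, which is why "whatever.jpg.pif" is stopped. An added sketch of that check (not part of the thread and not Outlook's code); the block list holds only the extensions named in these comments, and the message is constructed:

```python
from email import message_from_string

# Extensions named in the comments above: exe, bat, com, vbs, shs, and the
# .pif from "whatever.jpg.pif". Assumed list for this example only; it is
# not Outlook's real block list.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".com", ".vbs", ".shs", ".pif"}


def split_name(filename):
    """Return (stem, extension) the way Windows will treat the file."""
    # Windows ignores trailing dots and spaces, so "setup.exe. " runs as .exe.
    cleaned = filename.strip().rstrip(". ")
    stem, dot, ext = cleaned.rpartition(".")
    if not dot:
        return cleaned, ""
    return stem, "." + ext.lower()


def effective_extension(filename):
    """Lower-cased final extension, or "" when the name has none."""
    return split_name(filename)[1]


def scan_message(raw):
    """List attachments whose final extension is on the block list."""
    findings = []
    for part in message_from_string(raw).walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        filename = part.get_filename()
        if not filename:
            continue
        stem, ext = split_name(filename)
        if ext in BLOCKED_EXTENSIONS:
            findings.append({
                "filename": filename,
                "extension": ext,
                # An earlier dot means a decoy extension such as ".jpg".
                "double_extension": "." in stem,
            })
    return findings


# Constructed sample message: one disguised .pif, one harmless text file,
# and one executable named only through the Content-Type "name" parameter.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

body text
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="whatever.jpg.pif"
Content-Transfer-Encoding: base64

AAAA
--BOUND
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

hello
--BOUND
Content-Type: application/octet-stream; name="setup.EXE."
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

A check like this sees only the outer file name, so an executable inside a ZIP passes it, as cscx's comment implies.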

    13. Re:Why is anyone running outlook anymore? by cscx · · Score: 2

      Sorry, Mozilla developers are busy working on skinning and other worthless features (read: ChatZilla). They might want to work on an integrated spell checker first. I'll stick with Outlook XP, thanks.

    14. Re:Why is anyone running outlook anymore? by GarryOwen · · Score: 2, Informative

      Outlook 2k uses outlook express as the news client. It is possible to install outlook 2k with OE but it's a bitch. But you can always uninstall OE after the outlook 2k install.

    15. Re:Why is anyone running outlook anymore? by Dalcius · · Score: 2

      Sounds pretty restrictive and annoying to me.

      And no, I'm not being two faced...

      Writing a secure client beats putting pop-ups that warn you that the client is insecure.

      I'll admit I'm generalizing it a bit, but the point sticks...

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    16. Re:Why is anyone running outlook anymore? by Dalcius · · Score: 2

      Enjoying your new EULA? =)

      Oh, and BTW, just because you don't happen to have any friends (who have you in their mailing list -heh) who end up inadvertently sending you viruses doesn't mean your client isn't an insecure piece of trash.

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    17. Re:Why is anyone running outlook anymore? by Dalcius · · Score: 2

      I'm probably talking out of my ass here as I'm not exactly sure if it'll fit what you need, but the closest solution I've seen is Evolution from Ximian. It's very popular these days.

      IMO, sometimes being close and using Linux is better than being all the way and not.

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    18. Re:Why is anyone running outlook anymore? by Dalcius · · Score: 2

      I get a virus on my Linux system. It has permissions to my files, so it infects every file I have. My user gets b0rked, I log on as root and wipe my user.

      I get a virus on my Windows box, pre 2K or I'm logged on as admin (seems like most 'normal' users do this anyway). Oops, it has write access to my entire system. Bye bye!

      I get a virus on my Windows box post 2K. It has permissions to more than just my files and ends up infecting the majority of the system. How to clean it? I guess a $50 virus scanner.

      Yes, there is not a huge and drastic difference. But you can't assume because Linux isn't used by the masses that people who really pay attention can't predict how secure it is. Of course there will be things that are missed. Of course when (yes, when) a very large chunk of people switch to Linux there will be more bugs discovered more often.

      But to imply that this is all "normal" because outlook is used the most is ridiculous. There is a very legit reason to complain.

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    19. Re:Why is anyone running outlook anymore? by rnd() · · Score: 2

      Recent versions of OE are actually very strong and do the same things that you describe. The only oddity is that it thinks files that end in .zip are dangerous. :)

      --

      Amazing magic tricks

    20. Re:Why is anyone running outlook anymore? by SLot · · Score: 2

      I use Evolution when possible (ie, home) and I'd probably get more people in the office interested in switching to a different OS if it had all the functionality of the product they currently use.

      Lack of shared calendars is a *big* showstopper for them.

    21. Re:Why is anyone running outlook anymore? by twitter · · Score: 2, Troll
      I use Outlook XP because it's the best mail client I've found

      You need to keep looking.

      --

      Friends don't help friends install M$ junk.

    22. Re:Why is anyone running outlook anymore? by Znork · · Score: 2

      That's exactly why you should never ever use any mail client that encodes or archives mail in a nonstandard format, unless it can easily export it to mbox format or something.

      I've been using email for more than a decade, and 5 or 6 mail readers during that time, not to mention various automation tools that need to access the mail.

      I've never ever had to even think about 'converting' mail. My first received email ever is still in the same format as the one received ten minutes ago.

      It's much easier to avoid pain if you don't set yourself up for it in the first place.

    23. Re:Why is anyone running outlook anymore? by Dalcius · · Score: 2

      --I get a virus on my Linux system. It has permissions to my files, so it infects every file I have. My user gets b0rked, I log on as root and wipe my user.

      "You say that because you naturally assume that a linux user with any common sense won't surf web/read mail as root."


      True. However I find it easier to admin my box while still using my user name. Run an admin tool and it asks you for root password. Or just use 'su'. Or open up a nested window with an entirely new logon. In my experience, Windows isn't so friendly.

      ---
      --I get a virus on my Windows box, pre 2K or I'm logged on as admin (seems like most 'normal' users do this anyway). Oops, it has write access to my entire system. Bye bye!

      "Here you assume "most" "normal" windows users surf web/read mail as Administrator."


      Don't put words into my mouth. I said it seems like. And I'm not assuming what I've seen, either -- these are people I know in my personal life.

      ---
      "Though I have to agree they have no choice on 95-98-Me systems"

      That was the main point of that statement.

      ---
      "(NT4, which is pre-2K, already supported unprivileged users)"

      As a fun side note, this was also one of the buggiest and security problem prone OSes known to man.

      ---
      they don't have to do that on recent windows OSes.

      I understand this, that should have been obvious in my post.

      ---
      And they can be just as stupid and always use a linux system as root.

      Of course when you make a system idiot proof, they develop a new type of idiot. That's true. However, I find that during my RH install, it is well explained what "root" is and that you should use your own user. You're warned if you log onto the desktop as root that it can be very dangerous. While this won't prevent a determined user, it helps. Not to mention my above point that (to me), Linux seems easier to admin without initially logging on as root.

      ---
      So it's not really the superiority of the OS that is the culprit here, it's the common sense of the user.

      I'll agree again. However, just because the driver of a car determines how safe he is on the road, that doesn't mean that a faulty car is necessarily as safe as a well manufactured one. This goes for any tool. Comparing the history of the two operating systems (Windows and Linux) and their related tools, if you claim that Microsoft is just as good, you obviously don't know your history. This is not a biased threat or flame or troll -- this is historical and statistical fact. If you can't admit that, you don't deserve to debate about it. I'm being stern here, I'm not trying to be harsh.

      ---
      --I get a virus on my Windows box post 2K. It has permissions to more than just my files and ends up infecting the majority of the system. How to clean it? I guess a $50 virus scanner.

      "If it has (write) permissions to more than just your files, then :
      1) you're Administrator, and clearly you shouldn't, or
      2) the permissions of your filesystem are screwed."

      Now I could be wrong on this. I should have said this first-off. I am an ex-Windows user who still uses a partition running 98 (now 2K) for games. From everything I recall of my system, I have access to more than just files of my creation. I'm not referring to files in c:\winnt.

      ---
      My point is, everyone using linux knows letting /usr/bin writable by the users group is just plain silly. Why don't windows users consider the ramifications of having "Everyone" with "Full Control" access on \Progra~1 or \WINNT ? We're talking about common sense again here.

      I agree, however you have to look at the inherent security of a system. If the locks on your cars are faulty, who cares if you use them or not? If the car manufacturer makes it much easier to not use those locks, that's also a downside.

      ---
      Flame away,

      You take me for a troll?

      ---
      do consider that some ppl are just not ready to use *NIX systems, and to them Windows is just the right thing.

      I know plenty of them. I recommend 2K to folks who need Windows. I also know folks who like Linux who don't know much of anything about computers: my parents, family friends and personal friends alike.

      The bottom line is that, yes, user stupidity will always be the key factor until someone makes an OS in which the user is limited. I won't speculate on who that might be.

      However, it's between the tool and the user, and the slowest runner sets the pace. Some tools are just inherently better than others.

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    24. Re:Why is anyone running outlook anymore? by WNight · · Score: 2

      There's an even better Outlook patch, it's the only guaranteed one. Unplug the network cable. It's about as effective as the patch you mention. Unplug the power cable and Windows will stop crashing too!

      Fug, disabling the capability to send attachments instead of fixing the client to not be swiss-cheese. What a useless fix.

    25. Re:Why is anyone running outlook anymore? by Osty · · Score: 2

      Not a flame but.. I can't figure out why people would use POP instead of IMAP.. because if you're using IMAP you wouldn't be using Outlook but Pine, which is the greatest thing since sliced bread if you use IMAP and email a lot. Especially the remote config/address book files which allow you to use e-mail from anywhere without ever reconfiguring it. (except maybe smtp servers ;) )

      Funny. I use IMAP (over SSL, even), and I use Outlook. And things work! Oh my god!

  12. If you have to write a mailing virus... by vidnet · · Score: 2, Interesting
    In addition to the following list of subjects, the worm can create a new message as a reply to or forward of an existing message on the infected system.

    Get 8 FREE issues - no risk!
    Your Gift
    Get a FREE gift!
    150 FREE Bonus!
    25 merchants and rising
    New bonus in your cash account
    etc..

    If you have to write a mailing virus that relies on people opening it, why would you make it use spam-like subjects?

  13. Patch for KMail by croftj · · Score: 4, Funny

    Is there a patch for KMail? I'd hate to be caught off guard on this one!

    --
    -- Many men would appreciate a woman's mind more if they could fondle it
  14. Re:hah by Da+VinMan · · Score: 2

    Amen to that! I use the free version of AVG all the time, and it's done a nice job. It even plays well on my wife's older laptop. At 233Mhz, it doesn't have a lot of speed to spare. AVG hasn't caused problems even once yet.

    --
    Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
  15. Full marks for timeliness by Weasel+Boy · · Score: 4, Funny

    I learned about this virus *from my mom* an hour before it was posted on Slashdot. If that isn't a sign that this site has jumped the shark, I don't know what is. ;-)

  16. Crazy Printer by imevil · · Score: 2, Interesting

    The virus has a "bug": when it does its filthy things with window shares it also does something with shared printers, so if one morning you find a stack of paper on the printer with one line of gibberish per sheet (and something about a DOS program not being able to execute) it could be BearBug. Or someone who printed out an exe file from notepad.

    1. Re:Crazy Printer by Zakabog · · Score: 2

      Actually, that's because the virus looks for shares on the network. It finds a share and sends data to it something like this -

      Virus: Hey anyone out there shared?
      Printer: Yo
      Virus: Here's a copy of myself for you to run, too much work to check if you're actually a computer
      Printer: *starts printing the data getting sent to it*

      Most worms that spread over shares will print on shared printers because they don't check if it's a printer, only if it's shared.

  17. Disables firewall? Open ports? by Pac · · Score: 3

    My son received this beauty this afternoon, Norton got it without problems.

    But that is not the point. His machine resides in our home network, behind a Linux gateway/firewall. My Linux gateway/firewall, mind you. This lousy little Outlook inhabitant has zero chances of disabling our firewall or opening an arbitrary port somewhere. Anything going in or out has a name in rc.firewall. Anything not mentioned there is not going anywhere.

    Granted, I don't have much experience with "personal" firewalls and Windows firewall in general. Are they that easy to disable?

    1. Re:Disables firewall? Open ports? by electroniceric · · Score: 2

      Any firewall is easy to disable if you have adequate permission and knowhow- you either kill the process or unload the library. These days the knowhow is transmitted by the script, so that leaves the permission issue.

      Aside from the issue that XP users normally run as root, if you can root the box, then you can disable a firewall - on Linux or Windows, all of which leaves us back at the same weakest link problem as always.

    2. Re:Disables firewall? Open ports? by dasunt · · Score: 2

      You have to realize, everything on Win9x effectively runs as root. (As well as a lot of things on NT, but that's a different story). Last time I checked, IP Tables and any personal firewall software out there does port filtering/blocking, it doesn't try to prevent itself from being killed. No matter if its windows or linux, if its running on the machine with the right privileges, it can kill the firewall.

      Now there are a lot of viruses out there that will try to disable anti-virus software, and more than a few will try to evade it by using obscure methods of accessing the system. From what I understand of win32 'real-time' virus scanners, for performance and complexity reasons, they can't monitor all system activities. They try to monitor the most common and the most exploitable. There is also a method of attack that tries to introduce enough delay in the realtime scanning so that the virus can disable the AV software before the AV software realizes something is wrong. Therefore, we see viruses that tend to be rather effective at disabling AV software. (Solution, btw, is to boot off a floppy and run antivirus software that way - F-Prot works well for that purpose).

      Anyways, like the *Nix world, the solutions are not to run unneeded services, and to PATCH PATCH PATCH. AV shouldn't be your only line of defense.

    3. Re:Disables firewall? Open ports? by ColaMan · · Score: 2

      How is the second motherboard "running" if its BIOS socket is empty? How can you plug another flash chip in if the socket is already occupied?

      You boot the second motherboard, yank the chip and plug in the erased one. You can then reprogram the chip as per usual. The BIOS on a system is pretty much non-functional after boot.
      Just as long as it's not one of those PLCC chips that sit flush inside their socket; they are a pain to get out without shorting something if you don't have the proper tools.

      I *did* do this once with a Compaq Smart Array RAID controller, which got its bios scrambled from a buggy upgrade released by Compaq - with the card in its slot, the server wouldn't boot. Ring Compaq - "Hmmm. Better send that card in for repair. Oh, hang on - it's two months out of warranty - that'll be $500"

      Needless to say, you don't use your $10,000 server to do stunts like this - in my case I had another (faulty but bootable) RAID card and another (old) PC to plug it into.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    4. Re:Disables firewall? Open ports? by digitalsushi · · Score: 2

      Someday I'm sure there will be some default Samba using SWAT configuration that "just makes things easier" by doing a little "Administrator=root" alias (you can already do this). Someone will make yet another virus that respawns itself, and in the firewall deactivation, it'll have some clever SMB discovery tool with a list of default vendor configs, and that coupled with some obscure linux kernel bug, well... I just don't feel like it's TOO far a stretch that someone could take down a linux firewall protecting your LAN. The way I see it, if it's exploitable, accessible, and has a default configuration, you can make a virus that'll have a chance at hacking it. *shrug* A bit of a stretch but the point is to say merely "you never know".

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  18. Because the patch has been out for ALMOST 2 YEARS! by SlashChick · · Score: 5, Insightful

    The vulnerability that this exploits in Outlook and Outlook Express has been patched since March 29, 2001.

    If you run Apache and haven't patched since March 2001, you're vulnerable.

    If you run OpenSSL and haven't patched since March 2001, you're vulnerable.

    If you run WU-FTPd, Sendmail, or any other numerous programs with vulnerabilities and haven't patched since March 2001, you're vulnerable.

    At this point, there is no one left to blame but people who simply never update their computers. It's the same g&^damn hole that this exploits every single time, folks. Outlook 2000's patch has been out for well over a year. Outlook XP doesn't even HAVE this vulnerability!

    Stop whining about what programs other people choose to run, and encourage them to learn how to patch their systems. No matter what OS you run, patching it is going to be important. Windows XP, Mac OS X, Debian, and Red Hat all make it incredibly easy to patch your system. People spreading this crap around no longer have an excuse.

  19. To The Person Who Controls The Bugbear-ed Machines by JohnMunsch · · Score: 4, Funny

    While everybody else speculates about how to get rid of the virus, why it won't spread in the lab, etc. I'd like to address the person who shipped this in the first place.

    Have you taken the time to carefully consider your DDOS targets? For example, is the RIAA on your list (http://www.riaa.org/)? What about the MPAA (http://www.mpaa.org/)? Fritz Hollings, Senator from Disney (http://hollings.senate.gov/)? Adobe, Blizzard, or anyone else abusing the DMCA? Microsoft?

    When you've got a dangerous weapon in your hands, use it wisely...

    --
    Sigs are for people who started using the net _after_ '86.
  20. I've always wondered... by Schnapple · · Score: 2
    ...who is it that sends in these virus discoveries? I mean, I think we've all had weird things happen to us and most of my BSOD experiences I've chalked up to random occurrences. Sure, if I found my hard drive wiped out tomorrow I'd probably think a virus was afoot, but who is it that says "I think I have a virus" and is right?

    On the other side of the spectrum though have to be those who think everything that goes wrong is a virus. I can't find my document, it's a virus! (no it's not, you saved it somewhere else, doofus) I can't highlight this word in Excel - it's a virus! (no, you just need to RTFM) I'm getting spam, so I must have a virus! (sigh...)

    It's true - getting some people online is a Sisyphean ordeal. My parents bought a Dell because of the kid in the commercials...

    1. Re:I've always wondered... by TheLink · · Score: 2

      Anybody can.

      Once I got a suspicious attachment which was not flagged by my antivirus software (was fully updated). I looked at it in a hexeditor (hiew) and it looked very fishy, so I sent it to the antivirus vendor (they probably prefer it zipped and password protected).

      They'll take a look at it and update the signatures if necessary.

      And yeah it was a trojan/virus.

      --
  21. Damn users.... by Cervantes · · Score: 5, Funny

    It's been a bad day, so - ::begin true it-happened-to-me BOFH-style rant:: ::Sorry for the length, but I feel better now::

    Yanno, I've been telling my users for years now that the easiest way to stay safe is to keep updating. I even (choke cough sputter) turned on "Automatic Update" in Windows, just so it would keep them up-to-date. They disabled it, claiming "Every once in a while things would get slow for a bit, but now it's fine" or my favorite "I got funny messages". (PS: Also had to reimage 7 machines because somebody decided he was a geek and he could just copy his registry between machines).

    So I capitulated, and started sending everyone reminders by email when they had to update. I included the URL to windowsupdate and copious instructions. "It's too hard, I don't know what to do", they whined. I tried sending them the enterprise update exe's. They downloaded them, alright... put them right on their desktop, and forgot about them. I rewrote the reminder emails to include a script to do everything for them. It worked, for a bit... then I started noticing machines not being updated, and virii floating around that shouldn't. Turns out they'd started sending my emails right to the trash. "It didn't seem to do anything", they said, "it just popped up some box and then went away, so I figured I didn't need it." The box, of course, said "PERFORMING AN IMPORTANT UPDATE ON WINDOWS, PLEASE WAIT."

    Exasperated, I set up the NT login script to push the updates to the user (which I'd been avoiding, it involved actually getting the NT server working). It seemed to work fine, until one day I browsed the network by accident (hit the wrong button), and noticed that I had 65 computers in the group in an office of almost 200. Turns out some genius had found his way into Network properties and changed the setup to skip login to the NT server. "It was really annoying", they said, "I'd start up my computer in the morning, and then I'd have to wait for, like, a whole minute or two! Sometimes it wasn't even done when I got back from getting coffee! This is so much easier, we just hit 'escape' when the login screen comes up. Why didn't you do this in the first place?". It was at this point that I found out no-one was using the network drives either ("We have a network? Like an internetwork?"), thereby rendering pointless my copious virus scans and backups and RAID setup that I'd blown my monthly budget on. Fine, I say to myself, I'll show these buggers.

    So I set up a dummy machine, with which to do nothing but keep running perfectly and with all updates and latest drivers installed. I burned a bootable CD image from it, and whenever someone called in with a virus complaint, I'd go to their machine, pop in the CD, reboot, and go for an extended coffee break. The image had a boot virus scan to clean everything else up. Happy, was I, as I noticed the drop in virus calls. Soon, they dried up. I was actually starting to feel good, until one day the VP called me in to find out why we were sending no less than 9 different virii to our clients every day. Their excuse? "When you did that thingy with the thingy, it made all our games disappear, and I've almost gotten to the second level!" Yes, indeed, they were just ignoring the virii now, even though they were getting messages from the antivirus program. Seems they believed clicking "Quarantine" would mean that I'd take their computers away and lock them in the server (clean) room for a while.

    So I tried locking down with PolEdit and SysEdit. They brought in their own windows CD's and reinstalled, because "something was broken and it wasn't letting me do what it used to". I pulled the CD drives (no use for them here anyways, except for games), and came out of the IT room late one night to find one of the file clerks studiously pulling hard drives from the cases to reimage at home and return the next morning. I drilled holes in the side panels and put a padlock on them. The users started bringing in laptops to do their work on from home, which even made the problem worse. I screamed bloody murder, demanded to know what the source of these problems were. Everyone played dumb. I felt my brains rotting and leaking out of my ears.

    Then, salvation. The VP mentions that he's seen a lot of people emailing lately, and he wants to make sure that it's all company business. Would I monitor employee email usage, he asks? I try to suppress my snoopy-dance of joy as he gives me the escape clause from the moral dilemma I'd been facing about finding out what the problems were. I monitor, I read, I find out who's sleeping with who (including a schedule for a tryst in the closet behind my server room. I consider installing a hidden camera), but most importantly, I find out the source of my headaches. An industrious middle manager has discovered the joys of wholesale computer warehouses, and has been joyously selling the employees games to play at work, and later, the laptops they brought in. I wonder how exactly he managed to charge people $25 to "upgrade their L4 cache so their games go faster". I admire his ingenuity, but I know he must go. I feel good about this decision, mostly because I know he's screwing around with my computers, but also because I can justify it as "doing the best thing for the company". That, and productivity has gone in the tank, and everyone is blaming their computers, and at his direction, me. I'll make BOFH yet, I tell myself.

    That was a long time ago, at least in computer years. Once he left, things bounded back up to normal. People started doing what they should, not avoiding security so they could play games all day long. Why do I tell you this long story? Because that is my experience with users, and that is the pain that is caused when they don't do what they're told to. So, as someone who's told users for years to do their updates, I feel no sympathy for users hit by this particular (and moderately ingenious) virus. If they were good users, they would do their updates like their SysAdmin tells them to. They are bad users, users like the ones from above, and so I say "No PC for you!". I wouldn't feel like this, except the story specifically states that this virus takes advantage of known vulnerabilities. I don't see it as a bad thing, I see it as a chance to see who listens to me, and who'll get "upgraded" to a new 486 next month. I'm in a BOFH mood today, can you tell?

    In closing, I reflect on my outing of the middle manager. I printed out his more venomous emails regarding me, along with copies of invoices for illegally imported computer components and computer games charged to his expense account. I wrote a touching resignation letter for him to sign, explaining how he was leaving for "personal reasons". I left these on his desk as he was out to lunch, pointed his desklamp at them, turned it on, and turned off the room light. On top, I left a short note:

    It is dark.
    You are likely to be eaten by a grue.

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
    1. Re:Damn users.... by Dr+Caleb · · Score: 2
      ROFLMAO.

      If there is such a thing, I think you should be nominated for BOFH of the Month.

      And if you don't mind, I'm going to use a few of those tips...

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    2. Re:Damn users.... by Cervantes · · Score: 5, Funny

      I tried dumb terminals for the telephone POS team. It didn't work out, for a number of reasons, the most notable being that when their request for a monitor colour other than "amber" was denied, they started using coloured markers to make it interesting shades of baby-diaper brown ("The amber hurts my eyes."). When I put "goop" on it (an anonymous, 20 year old bottle of something, picked up from a high school, used to keep the kids from drawing on the screens. No ink sticks to this crap), they tried holding unshielded speakers to the monitor to get it to change colour ("It works at home!"). Even when I spent the time to explain the intricate details of CRT tubes and colour guns, they still tried again when I left.

      These are the same people who ***COMPLAINED**** when the latest drive image came with Clippy turned off. How frightening is that?

      I should be nice to them and mention that the previous sysadmin's stance was "If you don't like it, fix it yourself", and the only way for users to get service was for them to hammer their machines to the point where they didn't work anymore, and then complain to their supervisor. It was bad, really bad, but even their warnings to me when I took the job didn't scratch the surface of the evilness this place has.

      My current favorite user recently regaled me with the story of how her new TV's remote had died, and therefore she poured water down the back of it until it sparked. She was very sure to point out *HOW SMART!* she was to let the water dry before she returned it to the store to get an exchange, and she's very happy with her new, functional remote.

      The deep, stabbing pain in my head rose to new levels as I commented that it was odd for the batteries in a new remote to die that quickly, and she said "What batteries?"

      --
      If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moment's pause.
    3. Re:Damn users.... by molo · · Score: 2

      Dear god.

      Two BOFH rants in one day. You should make a website. You are officially on my Friends list. Keep writing!

      -molo

      --
      Using your sig line to advertise for friends is lame.
    4. Re:Damn users.... by gmhowell · · Score: 2

      The sad thing is, I don't know if you are just a funny guy, or telling the truth, or both.

      Not a single thing you mentioned is outside the realm of possibility.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  22. Re:Funny by The+Bungi · · Score: 2, Insightful
    Would that perhaps be because this one is a Windows exploit and the last two were Linux/Apache exploits, by any chance, just possibly?

    Of course not. This is Slashdot, after all.

    Oh, wait...

  23. Mantra: E-Mail is Data...Treat It As Such by EXTomar · · Score: 4, Insightful

    The big problem with MS's application is the idea that data can tell programs what to do. THIS IS A BAD BAD BAD IDEA.

    How foolish is this? How many people would open an email that said:

    Hey here is a perl script with my message in it. Go ahead and run it to see what I have to say.

    You'd be a fool on any system to execute whatever it really is, but MS wants this behavior by default. The moment you let data run the program you get this bad stuff. Word documents with macros that destroy files. A whole slew of Outlook nastiness. Heck, nearly all buffer overruns in networked programs are based on the idea of sending bad data to gain control.

    Why does MS continue to cling to this idea that they can make data behave like programs?? It just isn't sound...I wish they would abandon it.

    1. Re:Mantra: E-Mail is Data...Treat It As Such by GigsVT · · Score: 2, Insightful

      Yeah but Java/Javascript/ActiveX at least had some forethought about security. Hacking Outlook to execute VBS code seemed to be an incredibly stupid move, only something that a braindead company like MS would do.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  24. Bugbear Blues.... by Tsali · · Score: 3, Funny

    haiku

    my baby's left me,
    from secret lover email...
    Thanks, unpatched Outlook.

    /haiku

    --
    This space for rent.
  25. Re:Because the patch has been out for ALMOST 2 YEA by Tracy+Reed · · Score: 2, Informative

    Unless you run SE Linux. SE Linux will prevent the Apache/OpenSSL/WU-FTPd/Sendmail exploits from working.

  26. DDoS attacks it's not the only use. by TrixX · · Score: 4, Interesting

    The article doesn't draw this conclusion, but this effectively sets up slave machines for DDoS uses.

    This is only one possibility. Some warez communities use this kind of backdoor (especially Code Red) to install FTP servers on infected machines, and upload illegal software there. Then they distribute the IP addresses of these "stash" PCs.

    In that way, they have essentially a big farm of servers to provide content to their users. Obviously, the real owners of these servers don't know about that.

    Somebody showed me this some time ago. The guy was receiving warez access in exchange for doing some "work" for the warez admins. I talked to him and he didn't even know that this "IIS scanner" he was running for them was used for cracking into other PCs.

  27. Obligatory D&D Joke by dswensen · · Score: 3, Funny

    So is the Bugbear's frequency Common, then?

  28. Bugbears on the loose!?! by geekoid · · Score: 5, Funny

    well, I guess I need to dust off my +3 sword, call up my magic-user, and cleric friends, and go kick some ass.

    whew, I thought I'd be 8th level forever!

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  29. Lissen here, son by Maledictus · · Score: 4, Funny

    If I'd had kids when I was first married, my oldest child would be in college right now. I know women programmers who have grandchildren. So maybe it's getting so that it's not so unusual for mom to know best.

    "Son! Didn't I tell you to download the latest virus protection? Isn't that on your chore list? But you didn't, did you... Now your sister has to do it and furthermore, you're grounded!"

    --
    Consigned to flames of woe.
  30. Re:Internet connection. by Lionel+Hutts · · Score: 2

    That shocked me, too, but I'm pretty sure our correspondent's "this virii" was meant to be "these virii," not "this virus."

    --
    I Can't Believe It's A Law Firm, LLP does not necessarily endorse the contents of this message.
  31. Re:Funny by GigsVT · · Score: 5, Informative

    The OpenSSL exploit (and the slapper worm that used it) and the apache chunked exploit were all on the front page. Front page stories were run on Lion/Ramen/etc also.

    You apparently don't read Slashdot enough if you think they don't cover Linux worms in some attempt to make Linux look more secure than it is.

    Funny that pretty much any "bash slashdot" post can get modded up, even if it is completely (and provably) false.

    http://apache.slashdot.org/apache/02/06/28/181231.shtml?tid=148
    http://slashdot.org/article.pl?sid=02/09/25/1210247&mode=thread&tid=148
    http://apache.slashdot.org/article.pl?sid=02/09/13/2315246&mode=thread&tid=172
    http://developers.slashdot.org/article.pl?sid=02/07/30/1323226&mode=thread&tid=128

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  32. Security through Obscurity by zoombat · · Score: 3, Insightful

    I don't have anything to worry about, my computer is completely secure. I run linux with lynx. Who's going to write a virus for that?? That's too obscure, so I know I'm secure.

  33. Can't get it working.... by McCall · · Score: 2, Funny

    No matter what I do, I can't get it working. How do I get this thing to run under Wine?

    mccall@indigo:~> wine bugbear.exe
    wine: cannot find 'bugbear.exe'
    mccall@indigo:~>

    Nope, nothing....

  34. A funny one... by M1000 · · Score: 2, Insightful

    Some guy out there has his Outlook wrongly configured.

    I was infected, and the virus sent itself to MANY people... with a wrong email address in the FROM...

    not his address, but MINE. dammit...

    I'm now swimming in spam AND auto-replies from email scanning software and people telling me that I'm infected...

    So, don't think you're safe, even if you're running Linux as I am!

  35. Irony? Or something sinister? by Artifex · · Score: 3, Informative

    I first heard about this virus in the last few days in the form of spam that came to my box, proclaiming that Bugbear was a new virus on the loose.

    The fact that a spammer knows about this virus way before Slashdot indicates he's either very fast moving, or he may have some relationship with whoever created it. Unless, of course, Slashdot is just behind.

    --
    Get off my launchpad!
  36. Simple Fix by rossz · · Score: 2

    Run sendmail with the mime-filter (included with the commercial version, Sendmail Switch). Reject email with any file attachments of the dangerous type: exe, bat, scr, vbs, pif. Additional suggestion, filter html email (evil!) through a filter to convert it to standard email or reject it outright.

    --
    -- Will program for bandwidth
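
The gateway policy described in the comment above, sketched in Python's standard `email` package. This is an added example, not Sendmail's mime-filter and not code from the thread; the function names and sample messages are constructed here, and it goes slightly beyond the comment by judging double extensions on the final extension and by looking inside forwarded messages.

```python
import email
from email import policy
from email.message import EmailMessage

# File types named in the comment above.
BLOCKED_EXTENSIONS = {"exe", "bat", "scr", "vbs", "pif"}


def extension_of(filename):
    """Final extension, lower-cased; trailing dots and spaces are dropped first."""
    cleaned = filename.strip().rstrip(". ").lower()
    return cleaned.rsplit(".", 1)[1] if "." in cleaned else ""


def check_message(raw, reject_html=True):
    """Return a list of policy violations for one raw message (bytes).

    An empty list means the message passes. Only the final extension is
    checked, so "readme.doc.pif" is treated as a .pif file.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():  # walk() also descends into message/rfc822 parts
        filename = part.get_filename()
        if filename and extension_of(filename) in BLOCKED_EXTENSIONS:
            reasons.append("blocked attachment: " + filename)
        elif reject_html and not filename and part.get_content_type() == "text/html":
            reasons.append("html body part")
    return reasons


def build_sample(body="hello", html=False, attachment=None):
    """Constructed sample message; the attachment bytes are inert filler."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content(body, subtype="html" if html else "plain")
    if attachment:
        msg.add_attachment(b"not a real program", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


def forwarded(inner):
    """Wrap a message as a message/rfc822 attachment of a new plain-text mail."""
    outer = build_sample("see forwarded message")
    outer.add_attachment(inner)
    return outer


if __name__ == "__main__":
    samples = {
        "plain text": build_sample(),
        "text attachment": build_sample(attachment="notes.txt"),
        "double extension": build_sample(attachment="readme.doc.pif"),
        "html only": build_sample("<b>hi</b>", html=True),
        "forwarded script": forwarded(build_sample(attachment="x.vbs")),
    }
    for label, message in samples.items():
        verdict = check_message(bytes(message))
        print(label, "->", "REJECT " + "; ".join(verdict) if verdict else "accept")
```

A filename-based list is only a first layer: it says nothing about content whose name does not match, so it complements rather than replaces patching and scanning.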
  37. Re:Funny by Seclusion · · Score: 2, Flamebait

    I'll tell you why these stories should be on /. every time a new outbreak happens. So we the informed tech community remind the majority who run Windows to practice safe internet/pc habits. Meanwhile you may score some brownie points with friends/family/coworkers by guiding them toward the fixes they need.

  38. IT BOFHs forcing software upgrades badly by billstewart · · Score: 2

    My organization runs almost entirely on laptops, and while most people work in the office some of the time, we also work from home on dialup, from the road, etc. Often the IT Central Planners are good about making sure their upgrades that require more than 1-2MB only get run on fast connections, but not always. It's really annoying to be on a dialup connection and have your computer want to download 10MB of antivirus definitions, even when you're not out visiting a customer. You *have* to give the user a choice. Unfortunately, yes, this means you need to get creative with a lot of these things.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  39. PGP or GnuPG your mail by kaladorn · · Score: 2

    If your mail was encrypted, even if it got sent out to someone, they would not be able to decrypt it as they wouldn't have the key to do so.

    Another good argument for ubiquitous encryption.

    --
    -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
  40. There are some handy groupware features too by kaladorn · · Score: 2

    We use the common public folders to trigger all sorts of neat things - as a gateway to our PHP-wrapped software library, as a gateway to many intranet document repositories, as a gateway to our IT requesting system, etc.

    Outlook with Exchange has a lot of function that most people don't use (since they tend to just use mail and calendar).

    For the record, I use Opera and (not liking Opera Mail) Pegasus at home. I really don't _like_ Outlook, but every company I've worked at has used it.

    --
    -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
  41. Re:Internet connection. by Foogle · · Score: 2

    Still... It's pretty weird to use BOTH "viruses" and "virii" in the same post. At least pick one.

  42. Hmm. . . by stevarooski · · Score: 2

    Unlike ILovYou-type viri. . .

    Sounds suspiciously like we're talking about STDs. Just where has your computer been?

    --

    - - - - - - - -
    Don't worry, being eaten by a crocodile is just like going to sleep in a giant blender.
  43. Aha! But... by CyberDruid · · Score: 2

    Now, I'm not even a native English speaker, but isn't it true that when talking about several different species of fish, the plural is still "fishes"?
    Similarly, when "viri" is used, the plural form often denominates several kinds of viri, and not several copies of the same virus (or "one infection").
    The matter seems still unresolved to me.

    --

    Opinions stated are mine and do not reflect those of the Illuminati

    1. Re:Aha! But... by Myco · · Score: 2

      Close. It's actually "fishies."

    2. Re:Aha! But... by Alien+Being · · Score: 2

      It's actually "fishies."

      Did they teach you that in school?

    3. Re:Aha! But... by iabervon · · Score: 2

      Your example is good (I thought of it, but only a while later). The trick, though, is that Latin doesn't do this, which means that "virus" can only be pluralized in English, not in Latin. English words don't pluralize with the Latin rules (which is why the plural of "suffix" is not "suffices"); they can only be borrowed from Latin with both the singular and plural forms. In this case, you can only borrow the singular, so you'd get "viruses".

      Latin would probably use, for that situation, genera viri ("kinds of virus"), where viri is the singular genitive ("of virus"), not a plural; Latin tends to use extra words rather than the odd syntax we use in English, probably because it does so much with endings and it's hard to put on extra endings.

      Of course, since computer jargon uses the archaic Germanic plural ending "-en" (e.g. "Linux boxen"), there's no reason it shouldn't use archaic Latin endings as well. So the standard English plural of "virus" is "viruses", which applies to the biological but not the computer kind, just like "boxen" applies to the computer kind but no others (you don't say, "Why does software come in such large cardboard boxen?").

      (Note on "suffixes": "suffix" actually is from Latin, but the Latin word is actually suffixum, and its plural would be suffixa; having ditched the singular ending, English applies the English plural, not either the original Latin plural or the Latin plural which would go with the end of the English word.)

  44. Re:hah by Jucius+Maximus · · Score: 2
    "The last time I tried one of those BIG-NAME antivirus solutions. (name withheld in fear of a defamation suit), It completely crashed my OS, my Hard Disk and my motherboard."

    That would be the McAfee anti-virus, I believe. It's a pretty common story. I've rescued a few clients' machines that were hosed by that piece of junk.

    If you are looking for an anti-virus to pitch to your boss who believes that no-cost == no value then I suggest you look into F-Prot Antivirus which has detected Bugbear since 2002 Oct 03 and has FreeBSD, Linux, DOS and Windows versions. It is a non-lame anti-virus program that does NOT hose systems.

  45. Come on, be a little realistic. by theLOUDroom · · Score: 3, Insightful

    There are serious differences here.
    You can just act like every OS is as secure as the next.
    I'll take unpatched OpenBSD over unpatched Win2k any day.
    To make informed statements, you have to consider the severity of a security flaw. Ex: a buffer overflow, vs a string formatting error. One theoretically allows you access, if you are a skilled assembly programmer, the other makes it trivially easy to get access.
    Patching your boxes is important, but so is security by design.

    --
    Life is too short to proofread.
  46. Re:hah by AKAImBatman · · Score: 2

    NT uses del /s (/s means search).

  47. Re:Funny by _Sprocket_ · · Score: 2


    It doesn't matter if it's Slashcode or Apache or SSH.


    And this would be... because Slashcode is commonly bundled with Linux? Wait. No. It isn't. Huh.
  48. If it's that easy ... by twitter · · Score: 2
    ... why don't you have a handy dandy link to the patch? Is it that much easier to blame the user? You say:

    At this point, there is no one left to blame but people who simply never update their computers. It's the same g&^damn hole that this exploits every single time, folks. Outlook 2000's patch has been out for well over a year. Outlook XP doesn't even HAVE this vulnerability!

    XP, if it really is immune to this one, is sure to have a host of other problems. It was included in the Symantec list of exploitable platforms. What, didn't read the link? This virus is what you get when you patch up a userless security model and try attaching it to the internet. How many more demonstrations of M$ flaws do you need to see?

    The closed development model based on pushing adverts and upgrades does not work. What M$ has done is to try to force people to buy a new OS every 2 years. In case you did not notice support for Win95 has been dropped and 98, w2k, me etc are close to being dropped. So where are the stinking patches again? In the real world, users of these older OS do not feel like shelling out $250 for newer M$ O$ which are more restrictive and less useful to them. When their M$ machine meets its inevitable breaking point, the user puts the same old CD back into the drive and has the same old shit. Compare this to the free software world where any computer can be brought up from a year old CD with a few megs of downloads and two or three text line commands.

    apt-get update and upgrade work for me and it can work for you, up2date is more cumbersome for me. The windoze "smart update"? Yeah good luck.

    Who would trust an "updater" from a company that demands the ability to scan your computer for "copyright" infringing material, says you can't use their FrontPage editor to say bad things about them and has sent shell organizations to shake down public school systems? They've got the morals of drug dealers, leadership fit to run a Soviet, and code unsurpassed in failure.

    But you blame the user. The user is only at fault for using software from a proven monopolist. That monopolist has done everything in its power to make switching as painful as possible - from incompatible closed file formats to screwing hardware vendors into making hardware impossible to make drivers for.

    --

    Friends don't help friends install M$ junk.

  49. Re:This data is interesting. by LinuxHam · · Score: 2

    data is increasingly treated as a singular nown

    Dump your dictionary. It's wrong about "data" and it's definitely wrong about "nown". And what the HELL is "the data is from the forms from a keyboard"?? That doesn't even make sense!!

    --
    Intelligent Life on Earth
  50. rc.script IS NOT DATA by EXTomar · · Score: 2
    Right. That's why Unix-ish systems don't have rc scripts and such...


    Read my post again: scripts are "executable" and NOT DATA. Exactly what "data" are you hoping to store in rc scripts? None.
  51. Why DDoS? by Nishi-no-wan · · Score: 3, Insightful

    Why is it that whenever some new virus/worm sets up a backdoor to receive commands that everyone thinks they're for DDoS attacks? Judging by the huge number of formmail scans I get from computers that, according to DShield, appear to be infected, they're being used to scan for open formmail.[pl|cgi] relays and send spam.

    Viruses aren't just for script kiddies any more. The spam industry needs these infected machines to better cover their tracks in hopes of not getting sued into oblivion.

  52. I'm a windows user by forgoil · · Score: 2

    and a big fan. Yet I would never touch outlook. They need to put in a "I don't want anything but pure text emails and NO support for anything running on its own, thank you" checkmark for me.

    And, no, I would never be as dumb as to run or look at anything that comes from someone I don't know. After all, how many of you fellow pine users would save a file called big_tits.sh from an email and then happily run it? But it is a bit scary that it would be enough to look at (or even receive) the email to get code running. Bad Microsoft, bad bad bad!

  53. Why not an evolutionary virus? by Oestergaard · · Score: 2

    What just puzzles me, is why no one has yet written a truly evolutionary virus.

    Sometimes these "successful" viruses come up, people don't bother to patch the vulnerabilities that let them in, but the virus still dies because AV software catches up. I think (but may be wrong) that it should be simple for a virus to work around that.

    Let's say someone writes a virus. Now when the virus propagates, it copies itself (one way or another) to the new machines it infects. Why do viruses still make verbatim copies of themselves??

    If the virus is written in VB, it should be a fairly simple matter to include in the virus, a routine which transforms VB source code. It should not do an equivalent transform, rather it should take numbers and change them, routines or single lines of code and flip them around. It could exclude lines of code. Or take existing lines of code, transform them and insert them at random places.

    "But then some of the copies will not work" - yes, you are right. But if each virus spreads its transformed offspring to 10 other hosts, it doesn't matter if 5 of the "children" are not viable. All in all, the "predators" (the AV software) will not be able to recognize the offspring just a few generations down the line.

    Some of the offspring may stop propagating, or propagate more slowly. Some of it may propagate faster. Which is more beneficial, is something that will depend on how the AV software reacts to the spread.

    In fact, calling any software a virus before it has the most basic functionality of its biological equivalent is ridiculous in my opinion :)

    I gave an example in VB. But certainly this can hold for machine executable code as well. It's just a little more tricky to determine which transforms are "reasonable", so that one doesn't end up with 99% nonviable offspring.

    Just my 0.02 Euro on that one...

  54. Probably bad management. by TheLink · · Score: 3, Insightful

    Actually it's often a sign of bad management if something like this happens.

    Employees who repeatedly screw up company property should get verbal warnings, show cause letters, and if they still persist unfortunately they have to be sacked.

    It's a disciplinary and management issue. You should have backing from your management to enforce reasonable policies.

    If employees keep breaking the rules and getting away with it, it's bad management.

    If you don't get backing from management, then it's also bad management. It's bad to have responsibility without power. You get the blame, it's not your fault and you can't do anything about it.

    But if you did have management support, then it's probably your fault things went that way.

    Link.

    --
  55. mamas don't let your babies grow up to use windows by i0lanthe · · Score: 2

    Hm... I'm glad my mom uses pine. ;)

    --
    "The Crystal Wind is the Storm, and the Storm is Data, and the Data is Life"
  56. Re:This data is interesting - Still a fanatic. by LinuxHam · · Score: 2

    But what gives you the right to say this dictionary is wrong

    I happen to agree that the vernacular drives dictionaries' content, and not the other way around. Language is dynamic and dictionaries always have to change in order to stay current. But I still don't know anyone who uses "data" in the singular.. either as "data" or as "datum". Hence, the traditional definition stands.

    "Where's the data?" pl.
    "Send me the data." pl.
    "The data seems to imply...." pl.
    "Some of the data" pl.
    "Pieces of data" pl.

    Just in general..
    "the data" pl.

    Just one of /.'s many nit-wars (if you want to call it that) :)

    --
    Intelligent Life on Earth
  57. Re:Because the patch has been out for ALMOST 2 YEA by mpe · · Score: 2

    It is these damn people who never update a damn thing that spreads these viruses. Unfortunately, this seems to include the majority of home PC users.

    Updating software is not something home users are in the habit of doing. Most domestic appliances don't need anything similar, the likes of set top boxes and digital video recorders update automatically.
    Something like Windows Update requires a lot of user input. This can be just as much a problem in corporate settings.

  58. DON'T KNOCK CLIPPY! by sg_oneill · · Score: 2

    Hey man! I complained when I lost my clippy!
    Well.. kinda....
    I had the damn thing scripted up via a python Comm script to turn on @ 5pm And threaten to launch porn windows all over my screen if I didn't stop what I was doing, turn the machine off, go home and have a beer.
    On the other hand, Clippy did actually suck. I just kinda tweaked it to suck less.

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  59. Re:I doubt it by CyberDruid · · Score: 2

    English is indeed hard. In this case, for instance, you are simply wrong. "[T]he lake has nearly a dozen species of fish in it" is not proper English. Do a google search on "fishes".

    The first three matches:
    Coral Reef Fishes
    Division of Fishes - Ichthyology, Fish
    A CATALOG OF THE SPECIES OF FISHES

    --

    Opinions stated are mine and do not reflect those of the Illuminati

  60. Why the user needs control by billstewart · · Score: 3, Insightful
    I've been sysadmin and I've been a user. While it's important for sysadmins to occasionally bully users into doing things they're too lazy to do otherwise, it's also important to realize who works for whom, which is that the sysadmin works for the user. In some companies the relationship is close enough to be obvious, while in other companies it's indirect - the sysadmin works for the company, and the user works for the company, but the company hires the sysadmin to LET THE USERS GET THE USERS' WORK DONE. (I'm shouting because I've been in too many environments where this isn't obvious.)


    Virus updates are critical - the other posting by A.C. indicates that he sets up the machines on his net to update them frequently, and in a LAN-based environment, that's usually not a bad policy, though updating at boot time sometimes can interfere with what a developer is doing, or with somebody installing new hardware or software that requires reboots, or whatever. But I'm in a company that has people working out in the field, and while it may be important to get a virus update today, a 10 megabyte data file update on a 56kbps dialup line takes a long time - and if I'm out at a customer site trying to show their CIO how our really cool web site can help them make money, or I'm in the airport trying to send an important email before getting on a plane, I can't wait an hour for the latest virus update to download - that can wait till I'm back at the office.

    Microsoft Outlook's integration of calendar, incoming mail, and storage of old mail, all in one big system, makes this particularly critical. The other day I needed to get on a conference call, and had the phone number in my Outlook Calendar, and dialed up 15 minutes before the call to get any relevant emails (and my Palm Pilot battery had run out the other day so I hadn't copied the schedule to there.) Somebody in Marketing had decided to mail 10 MB of glossy viewgraphs to everybody, and while it was downloading, I couldn't access the old messages to find the website for the slides for the call. The older antivirus software used to have similar behaviour - it insisted on doing its updates at boot time, before anything else could run, whether the user needed it right then or not. The newer stuff is often sufficiently well-behaved that it just dogs down the network connection rather than totally preventing you from working, but it's still a problem.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  61. Re:Because the patch has been out for ALMOST 2 YEA by _Sprocket_ · · Score: 2


    The vulnerability that this exploits in Outlook and Outlook Express has been patched since March 29, 2001.



    Very true - and a good point. But it ignores one of the more underlying issues. Outlook is fundamentally flawed.

    One of the most infamous "email viruses" was the Good Times Virus. It was the first email virus to be more social than technical - the warning message being relayed time and time again being more a virus than what it supposedly warned against. Good Times played on the fears of a vast body of new users who weren't aware of how email worked. It warned against a virus that spread by messages entitled "Good Times" and that reading the message did harm to the user's system (if not spread the virus). At the time, the idea that simply reading a message was enough to activate malicious code was preposterous.

    Outlook has made this concept a reality.

    But this is not a reference to this one specific vulnerability. Outlook has been the subject of numerous previous vulnerabilities - many of which can be exploited by an email that is viewed either by opening the message or via the message preview panel. Sure, they have been patched too. But the same concept keeps surfacing.

    This doesn't even touch on how Outlook tends to hide the nature of file attachments, allowing malicious code to disguise code to appear as benign data. Microsoft's solution was not to make the nature of file attachments more defined... but to strip out "dangerous" types. Thus, they completely ignored the actual issue. While this is a minor point... it does show the mindset that has created an email client rife with security problems.



    Stop whining about what programs other people choose to run, and encourage them to learn how to patch their systems. No matter what OS you run, patching it is going to be important.


    More good advice. It has been said that bits don't rot. Software does not decay. But we have since found that over time, we discover mistakes in the creation of software. Thus we are faced with having to maintain the digital system with as much dedication as a mechanical system.

    But again, this misses an important point.

    Sometimes systems are created that have fundamental flaws. No matter how well maintained, these systems will always fail. And while even the best systems may fail eventually, these flawed systems will fail in spectacularly bad ways.

    It is wise to advocate constant maintenance. But it is also just as worthwhile to point out systems that are flawed.

    And Outlook IS flawed.
  62. Re:Because the patch has been out for ALMOST 2 YEA by WNight · · Score: 2

    Face it, he's got a point and you missed it.

    You can't blame an OS for the services a user installs on it. Windows comes with Outlook, it's standard. If there's a bug in outlook, there's a bug in *EVERY COPY OF WINDOWS* until it's fixed. Even after it's patched, broken systems are still around.

    I haven't patched Apache on Linux but I'm not vulnerable. Know why? Because I didn't enable it.

    Windows users don't have to enable Outlook (Express) or IE, they're there by default. A hole in one of those is a pretty big flaw.

    Had IIS never been installed by default, MS wouldn't have gotten half the flack for Code Red that it did. But most of the CR sources are some unpatched box in a closet, or on someone's desk, where nobody realizes it's running IIS.

    Half of the security flaw in MS products is the lousy code, the other half is MS themselves.

    btw, re your sig. You haven't got any idea what real usage numbers are. Right now I'm counting as a hit for IE6.0 in XP, but I'm really using Mozilla in Linux with the prefbar addon to spoof user-agents. Most Linux users do something like this because so many sites are intentionally crippled to look for IE specifically. And polls are notoriously stuffed by trolls like you who love to point out the results as if they meant any more than a Florida election.