Slashdot Mirror
Bugbear Windows Virus Making the Rounds
lysurgon writes "CNN.com is reporting that the "BugBear" virus (Windows/Outlook only) is spreading quickly. Unlike ILovYou-type viri, instead of deleting files or just propagating itself, this animal disables firewall software and opens a port to receive remote commands. The article doesn't draw this conclusion, but this effectively sets up slave machines for DDoS uses. Also worth noting is the puzzlement of anti-virus guys as to why they haven't been able to make the virus spread in the lab. "One of the theories is that this requires an Internet connection in order to spread." Gee, you don't say?"
Probably coded to sit idle if it's domain is symantec.com, etc.
"This isn't a study in computer science, its a study in human behavior"
Get it here
http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS01-020.asp
Blame the admin
Whew! Good thing I don't use any firewall software!
bytesmythe
Hypocrisy is the resin that holds the plywood of society together.
-- Scott Meyer
Unlike ILovYou-type viri,
A bit off-topic, I know, but here's an interesting link about the word "viri", the alleged plural of "virus": What 's the Plural of 'Virus'?
Use Ctrl-C instead of ESC in Vim!
IMHO Bugbear's spreading relies solely on social engineer. Labs have nothing to do with social-anything. That's why you can reproduce it in there :))
2 workstations at a client of mine caught this bug. The AV system kicked in shortly thereafter, and stopped the spread. (I had to manually clean the machines, though)
Strange symptoms appeared just before we knew there was a virus: All of the printers in the network started printing garbage. I had to reload the print drivers from CD for all the server's printers to stop the effect.
Anyone else seen the virus in a network? Anyone else seen similar print symptoms?
It's pretty impressive that this virus disables anti-virus software, and covers quite a large list of AV/Firewall programs.
tech details
Have any other virii in the past done this, or is this a first?
www.christopherlewis.com
Man, I'm terrified. My mother got this and now a whole series of e-mails I sent to her about 3 years ago are suddenly being sent to almost everyone she has ever e-mailed or received e-mail from. People who were CC:ed on things I sent her are receiving personal e-mails I sent to her.
I'm waiting for the one where I said really terrible things about someone to land in the wrong hands and start causing all sorts of disasters. After this, I'm going to be a lot more careful about what I say in e-mails.
My machine is relatively safe, but I can't vouch for the person I'm sending e-mails to. I wouldn't be surprised if a lot of relationship get screwed up before this is all over.
Eudora - http://www.Eudora.com
Opera Mail - http://www.opera.com
Mozilla - http://www.mozilla.org
Netscape - http://www.netscape.com
I hate to sound callous, but if you're on a standard PPP or SLIP internet connection at home, and you're running Outlook or Outlook Express, then you get what you deserve. If your company is running Exchange Server, then your company is getting what it deserves.
Fool me once, shame on you. Fool me twice, shame on me. Except between Melissa, ILoveYou, Sircam, Klez, and now this, it's what, fool me a dozen times? Do people just enjoy getting kicked in the teeth repeatedly?
Is there a patch for KMail? I'd hate to be caught off guard on this one!
-- Many men would appreciate a woman's mind more if they could fondle it
I learned about this virus *from my mom* an hour before it was posted on Slashdot. If that isn't a sign that this site has jumped the shark, I don't know what is. ;-)
My son received this beauty this afternoon, Norton got it whitout problems.
But that is not the point. His machine resides in our home network, behind a Linux gateway/firewall. My Linux gateway/firewall, mind you. This lousy little Outlook inhabitant has zero chances of disabling our firewall or opening a arbitrary port somewhere. Anything going in or out has a name in rc.firewall. Anything not mentioned there is not going anywhere.
Granted, I don't have much experience with "personal" firewalls and Windows firewall in general. Are they that easy to disable?
The vulnerability that this exploits in Outlook and Outlook Express has been patched since March 29, 2001.
If you run Apache and haven't patched since March 2001, you're vulnerable.
If you run OpenSSL and haven't patched since March 2001, you're vulnerable.
If you run WU-FTPd, Sendmail, or any other numerous programs with vulnerabilities and haven't patched since March 2001, you're vulnerable.
At this point, there is no one left to blame but people who simply never update their computers. It's the same g&^damn hole that this exploits every single time, folks. Outlook 2000's patch has been out for well over a year. Outlook XP doesn't even HAVE this vulnerability!
Stop whining about what programs other people choose to run, and encourage them to learn how to patch their systems. No matter what OS you run, patching it is going to be important. Windows XP, Mac OS X, Debian, and Red Hat all make it incredibly easy to patch your system. People spreading this crap around no longer have an excuse.
Simpli - Your source for San Jose dedicated servers and colocation!
While everybody else speculates about how to get rid of the virus, why it won't spread in the lab, etc. I'd like to address the person who shipped this in the first place.
Have you taken the time to carefully consider your DDOS targets? For example, is the RIAA on your list (http://www.riaa.org/)? What about the MPAA (http://www.mpaa.org/)? Fritz Hollings, Senator from Disney (http://hollings.senate.gov/)? Adobe, Blizzard, or anyone else abusing the DMCA? Microsoft?
When you've got a dangerous weapon in your hands, use it wisely...
Sigs are for people who started using the net _after_ '86.
It's been a bad day, so - ::begin true it-happened-to-me BOFH-style rant:: ::Sorry for the length, but I feel better now::
Yanno, I've been telling my users for years now that the easiest way to stay safe is to keep updating. I even (choke cough sputter) turned on "Automatic Update" in Windows, just so it would keep them up-to-date. They disabled it, claiming "Every once in a while things would get slow for a bit, but now it's fine" or my favorite "I got funny messages". (PS: Also had to reimage 7 machines because somebody decided he was a geek and he could just copy his registry between machines).
So I capitulated, and started sending everyone reminders by email when they had to update. I included the URL to windowsupdate and copious instructions. "It's too hard, I don't know what to do", they whined. I tried sending them the enterprise update exe's. They downloaded them, alright... put them right on their desktop, and forgot about them. I rewrote the reminder emails to include a script to do everything for them. It worked, for a bit... then I started noticing machines not being updated, and virii floating around that shouldn't. Turns out they'd started sending my emails right to the trash. "It didn't seem to do anything", they said, "it just popped up some box and then went away, so I figured I didn't need it." The box, of course, said "PERFORMING AN IMPORTANT UPDATE ON WINDOWS, PLEASE WAIT."
Exasperated, I set up the NT login script to push the updates to the user (which I'd been avoiding, it involved actually getting the NT server working). It seemed to work fine, until one day I browsed the network by accident (hit the wrong button), and noticed that I had 65 computers in the group in an office of almost 200. Turns out some genius had found his way into Network properties and changed the setup to skip login to the NT server. "It was really annoying", they said, "I'd start up my computer in the morning, and then I'd have to wait for, like, a whole minute or two! Sometimes it wasn't even done when I got back from getting coffee! This is so much easier, we just hit 'escape' when the login screen comes up. Why didn't you do this in the first place?". It was at this point that I found out no-one was using the network drives either ("We have a network? Like an internetwork?"), thereby rendering pointless my copius virus scans and backups and RAID setup that I'd blown my monthly budget on. Fine, I say to myself, I'll show these buggers.
So I set up a dummy machine, with which to do nothing but keep running perfectly and with all updates and latest drivers installed. I burned a bootable CD image from it, and whenever someone called in with a virus complaint, I'd go to their machine, pop in the CD, reboot, and go for an extended coffee break. The image had a boot virus scan to clean everything else up. Happy, was I, as I noticed the drop in virus calls. Soon, they dried up. I was actually starting to feel good, untill one day the VP called me in to find out why we were sending no less than 9 different virii to our clients every day. Their excuse? "When you did that thingy with the thingy, it made all our games disappear, and I've almost gotten to the second level!" Yes, indeed, they were just ignoring the virii now, even though they were getting messages from the antivirus program. Seems they believed clicking "Quarantine" would mean that I'd take their computers away and lock them in the server (clean) room for a while.
So I tried locking down with PolEdit and SysEdit. They brought in their own windows CD's and reinstalled, because "something was broken and it wasn't letting me do what it used to". I pulled the CD drives (no use for them here anyways, except for games), and came out of the IT room late one night to find one of the file clerks studiously pulling hard drives from the cases to reimage at home and return the next morning. I drilled holes in the side panels and put a padlock on them. The users started bringing in laptops to do their work on from home, which even made the problem worse. I screamed bloody murder, demanded to know what the source of these problems were. Everyone played dumb. I felt my brains rotting and leaking out of my ears.
Then, salvation. The VP mentions that he's seen alot of people emailing lately, and he wants to make sure that it's all company business. Would I monitor employee email usage, he asks? I try to suppress my snoopy-dance of joy as he gives me the escape clause from the moral dilema I'd been facing about finding out what the problems were. I monitor, I read, I find out who's sleeping with who (including a schedule for a tryst in the closet behind my server room. I consider installing a hidden camera), but most importantly, I find out the source of my headaches. An industrious middle manager has discovered the joys of wholesale computer warehouses, and has been joyously selling the employees games to play at work, and later, the laptops they brought in. I wonder how exactly he managed to charge people $25 to "upgrade their L4 cache so their games go faster". I admire his inginuity, but I know he must go. I feel good about this decision, mostly because I know he's screwing around with my computers, but also because I can justify it as "doing the best thing for the company". That, and productivity has gone in the tank, and everyone is blaming their computers, and at his direction, me. I'll make BOFH yet, I tell myself.
That was a long time ago, at least in computer years. Once he left, things bounded back up to normal. People started doing what they should, not avoiding security so they could play games all day long. Why do I tell you this long story? Because that is my experience with users, and that is the pain that is caused when they don't do what they're told to. So, as someone who's told users for years to do their updates, I feel no sympathy for users hit by this particular (and moderately ingenious) virus. If they were good users, they would do their updates like their SysAdmin tells them to. They are bad users, users like the ones from above, and so I say "No PC for you!". I wouldn't feel like this, except the story specifically states that this virus takes advantage of known vulnerabilities. I don't see it as a bad thing, I see it as a chance to see who listens to me, and who'll get "upgraded" to a new 486 next month. I'm in a BOFH mood today, can you tell?
In closing, I reflect on my outing of the middle manager. I printed out his more venemous emails regarding me, along with copies of invoices for illegally imported computer components and computer games charged to his expense account. I wrote a touching resignation letter for him to sign, explaining how he was leaving for "personal reasons". I left these on his desk as he was out to lunch, pointed his desklamp at them, turned it on, and turned off the room light. On top, I left a short note:
It is dark.
You are likely to be eatten by a grue.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
The big problem with MS's application is the idea that data can tell programs what do to. THIS IS A BAD BAD BAD IDEA.
How foolish is this? How many people would open an email that said:
Hey here is a perl script with my message in it. Go ahead and run it to see what I have to say.
You'd be a fool on any system to execute what ever it really is but MS wants this behavior by default. The moment you let data run the program you get this bad stuff. Word document with macros that destroy files. A whole slew of Outlook nastiness. Heck nearly all buffer overruns in networked programs are based on the idea that sending bad data to gain control.
Why does MS continue to cling to this idea that they can make data behave like programs?? It just isn't sound...I wish they would abandon it.
haiku
/haiku
my baby's left me,
from secret lover email...
Thanks, unpatched Outlook.
This space for rent.
The article doesn't draw this conclusion, but this effectively sets up slave machines for DDoS uses.
This is only one possibility. Some warez communities use this kind of backdoors (specially code red) to install FTP servers in infected machines, and upload illegal software there. Then they distribute the IP addresses of this "stash" PCs.
In that way, they have essentially a big farm of servers to provide content to their users. Obviously, the real owners of this servers don't know about that.
Somebody showed me this some time ago. The guy was receiving warez access in exchange for doing some "work" for the warez admins. I talked to him and he didn't even know that this "IIS scanner" he was running for them was used for cracking into other PCs.
So is the Bugbear's frequency Common, then?
well, I gues I need to dust off my +3 sword, call up my magic-user, and cleric friends, and go kick some ass.
whew, I thought I'd be 8th level forever!
The Kruger Dunning explains most post on
If I'd had kids when I was first married, my oldest child would be in college right now. I know women programmers who have grandchildren. So maybe it's getting so that it's not so unusual for mom to know best.
"Son! Didn't I tell you to download the latest virus protection? Isn't that on your chore list? But you didn't, did you... Now your sister has to do it and furthermore, you're grounded!"
Consigned to flames of woe.
The OpenSSL exploit (and the slapper worm that used it) and the apache chunked exploit were all on the front page. Front page stories were run on Lion/Ramen/etc also.
3 1. shtml?tid=148= 02/09/25/121024 7&mode=thread&tid=148/ article.pl?sid=02/09/13 /2315246&mode=thread&tid=172l ashdot.org/article.pl?sid=02/0 7/30/1323226&mode=thread&tid=128
You apparently don't read Slashdot enough if you think they don't cover Linux worms in some attempt to make Linux look more secure than it is.
Funny that pretty much any "bash slashdot" post can get modded up, even if it is completely (and provably) false.
http://apache.slashdot.org/apache/02/06/28/1812
http://slashdot.org/article.pl?sid
http://apache.slashdot.org
http://developers.s
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I don't have anything to worry about, my computer is completely secure. I run linux with lynx. Who's going to write a virus for that?? That's too obscure, so I know I'm secure.
I first heard about this virus in the last few days in the form of spam that came to my box, proclaiming that Bugbear was a new virus on the loose.
The fact that a spammer knows about this virus way before Slashdot indicates he's either very fast moving, or he may have some relationship with whoever created it. Unless, of course, Slashdot is just behind.
Get off my launchpad!
There are serious differences here.
You can just act like every OS is as secure as then next.
I'll take unpatched OpenBSD over unpatched Win2k any day.
To make informed statements, you have to conside the severity of a security flaw. Ex: a buffer overflow, vs a string formatting error. One theoretically allows you access, if you are a skilled assembly programmer, the othermakes it trivially easy to get access.
Patching your boxes is important, but so is security by design.
Life is too short to proofread.
Why is it that whenever some new virus/worm sets up a backdoor to receive commands that everyone thinks they're for DDoS attacks? Judging by the huge number of formmail scans I get from computers that, according to DShild, appear to be infected, they're being used to scan for open formmail.[pl|cgi] relays and send spam.
Viruses aren't just for script kiddies any more. The spam industry needs these infected machines to better cover their tracks in hopes of not getting sued into oblivion.
Actually it's often a sign of bad management if something like this happens.
Employees who repeatedly screw up company property should get verbal warnings, show cause letters, and if they still persist unfortunately they have to be sacked.
It's a disciplinary and management issue. You should have backing from your management to enforce reasonable policies.
If employees keep breaking the rules and getting away with it, it's bad management.
If you don't get backing from management, then it's also bad management. It's bad to have responsibility without power. You get the blame, it's not your fault and you can't do anything about it.
But if you did have management support, then it's probably your fault things things went that way.
Link.
Virus updates are critical - the other posting by A.C. indicates that he sets up the machines on his net to update them frequently, and in a LAN-based environment, that's usually not a bad policy, though updating at boot time sometimes can interfere with what a developer is doing, or with somebody installing new hardware or software that requires reboots, or whatever. But I'm in a company that has people working out in the field, and while it may be important to get a virus update today, a 10 megabyte data file update on a 56kbps dialup line takes a long time - and if I'm out at a customer site trying to show their CIO how our really cool web site can help them make money, or I'm in the airport trying to send an important email before getting on a plane, I can't wait an hour for the latest virus update to download - that can wait till I'm back at the office.
Microsoft Outlook's integration of calendar, incoming mail, and storage of old mail, all in one big system, makes this particularly critical. The other day I needed to get on a conference call, and had the phone number in my Outlook Calendar, and dialed up 15 minutes before the call to get any relevant emails (and my Palm Pilot battery had run out the other day so I hadn't copied the schedule to there.) Somebody in Marketing had decided to mail 10 MB of glossy viewgraphs to everybody, and while it was downloading, I couldn't access the old messages to find the website for the slides for the call. The older antivirus software used to have similar behaviour - it insisted on doing its updates at boot time, before anything else could run, whether the user needed it right then or not. The newer stuff is often sufficiently well-behaved that it just dogs down the network connection rather than totally preventing you from working, but it's still a problem.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks