Yet Another Windows Worm
kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computers' modems. Some of the worm's functions are designed to specially target financial institutions.' Yummy!"
The patch for this was out 2 years ago. No excuse.
The virus comes in as a .exe file. You should block that. No excuse.
AV dat files have been updated already. No excuse.
We've been filtering this all day.... It's not that hard to protect yourself.
This sucker ripped through our campus like nothing. Heuristics missed it, and the definitions weren't updated until a few hours after a few hundred machines got nailed.
the annoying part is that as complex as you can make software, you can't fix the people who are morons, which is where the real problem lies.
oh well.
If some program tries to open a socket through the Windows TCP/IP stack, and you have configured it (in Internet Options) to dial when needed, Winsock will do so.
This has got nothing to do with this particular worm. It doesn't know whether the line is a T1 or a 33.6 modem line.
How small a thought it takes to fill a whole life
Yeah, because it's a lot of work to set windows to do updates automatically. Just a troll, nothing to see here.
You obviously don't administer servers with Enterprise Level Code. If you did, you'd know that with Microsoft you can't simply use automatic updates. Microsoft Service Packs break systems all the time. If you run ASP.NET and Sql Server code, you get bitch slapped every time they release a service pack or "security fix". They consistently change functionality, without warning. Then they just post on their website (three months later) that the service pack changed the way some undocumented feature worked, but you weren't supposed to use it that way anyway, so tough shit.
Ha!! Automatic updates my ass.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
nmap -sN -p 1080 AAA.BBB.CCC.*
and
nmap -sT -p 1080 AAA.BBB.CCC.*
Check out the machines with port 1080 open. Then switch to a less infectious OS.
No. A worm is a stand-alone executable, while a virus attaches itself to a pre-existing program. (By analogy: worms are free-living organisms, but viruses hijack the machinery of a cell to reproduce themselves).
The vector is mostly immaterial to the definition.
You don't have to double-click it. It opens automatically when you preview.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
Sure you can.
Only if you are 2 years behind in your patches.
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
...is one involving how it handles MIME types, especially within IFRAMEs. What happens is, the message headers will say it's one type, such as audio/x-midi, while the payload is really an EXE file, sometimes misidentified as a .bat or a .pif. The unpatched Outlook or OE thinks, "Ah, a MIDI file! Let's play it!" and blithely passes it to the OS, which thinks, "Ah, an executable! Let's run it!".
One more example of why HTML doesn't belong in email, aside from web bugs and other BS.
Oh, no! You have walked into the slavering fangs of a lurking grue!
They patched the outlook bug that this virus uses 2 years ago. Anyone who isn't retarded has already patched their system, and anyone who runs outlook (or ANY email client) on a production server is off their rocker anyway.
Username taken, please choose another one.
This is precisely the reason why I PGP digitally sign all my email. Almost a year ago, someone on a mailing list for one of my University groups got a virus on their computer sending out spoofed email and/or virus. One of them happened to have my name (email address only) on it. I was lucky to not lose any face from it, but it was very unsettling for me. Now I can say if it doesn't have a signature, it ain't mine.
$cat
Um, this virus does not require the IE hole to spread. Having the IE hole certainly helps it to spread, but patching the hole won't kill the spread of this virus. All it requires is a client that is stupid about downloading and executing attachments. Or a user that does the same thing. I know of at least 3 people who use Eudora who got infected by this.
There is no sig, there is only Zuul.
Just wait until:
a.) Everybody decides to hate Linus.
b.) Linux machines can be counted in the millions.
a. is unlikely. How can anyone hate free software? Oh yeah, it's putting you out of business. Microsoft does an admirable job of astroturfing congressmen and Slashdot, but they have yet to put out a good free software worm. The intersection of people with the skill to write free software worms and the number of people who hate free software is vanishingly small. Competent people like free software, get used to it. Windoze on the other hand is just about universally hated and just as easy to break.
b. Linux machines can be counted in the millions. Desktop machines. If you figure 10% of US desktops are running some form of free software, you get millions of computers. The rest of the world has plenty of free computers as well. Yet I don't see anything breaking down mutt, pine, balsa or even Mozilla's email client. AOL's windowze messenger once had a problem but only on Microsoft platforms. GAIM and others had no problems at all.
To sum it all up for you, nothing is as bad as the Microsoft monoculture of poor quality software. Free software is more diverse, of better quality and is universally loved.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
this virus attempts to spread via the LAN.
it is not soley email borne.
liqbase
And once again, those of us who know how to configure our windows systems and aren't stupid enough to (a) have open network shares with no passwords and (b) open random email attachments are safe. (emphasis mine)
Please read the fucking article. Not only is the email attachment not random, because it pretends to be a reply to an email that you've recently sent to an infected person (among other tricks), but it also doesn't have to be opened, because it uses an IE exploit to run itself as soon as it shows up in Outlook's preview window.
At my work I filter email viruses with Anomy Sanitizer, scanning them with an antivirus and, even if it doesn't detect a virus, renaming executable extensions like those ones, defusing active HTML and dangerous MIME types, and more. Anyway, today I received copies of Bugbear at a rate that I only thought would be possible with an internal infection, which made me doubt how well it was working. But after checking the mail logs, it turned out to be just mail coming from outside. I wonder what will happen in the next few days, but in some places it could make the internet unusable.
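The header/payload mismatch described in the MS01-020 post above (an audio/x-midi header wrapped around an EXE) and the sanitizer approach in this post, as an added example that is not code from the thread and not Anomy Sanitizer's own code: a small Python checker that walks a MIME message, sniffs each part's bytes for an executable magic number regardless of the declared Content-Type, flags executable extensions (including .pif, which Windows hides even with extensions turned on), and flags HTML bodies carrying IFRAME/SCRIPT elements. The sample message, the extension list and the neutralise_name helper are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that Windows (or the Outlook handler it hands the file to) will run.
# Constructed starting list for the example; a production filter keeps a longer one.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# Magic bytes that identify an executable whatever the Content-Type header claims.
MAGIC = {b"MZ": "DOS/Windows PE executable", b"\x7fELF": "ELF executable"}

# Elements that make an HTML body "active" enough to launch a part on preview.
ACTIVE_HTML = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def sniff_executable(payload: bytes):
    """Return a description if the payload starts with an executable magic number."""
    for magic, description in MAGIC.items():
        if payload.startswith(magic):
            return description
    return None


def neutralise_name(name: str) -> str:
    """Rename an executable attachment so a double-click no longer runs it
    (hypothetical helper; suffix() also catches report.txt.pif)."""
    if PurePosixPath(name).suffix.lower() in EXECUTABLE_EXTS:
        return name + ".txt"
    return name


def check_message(raw: bytes):
    """Walk every leaf part and return (filename, content_type, reason) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""

        # 1. Trust the bytes, not the header: an audio/x-midi part carrying an
        #    MZ header is exactly the MS01-020 trick.
        kind = sniff_executable(payload)
        if kind:
            findings.append((name, ctype, f"payload is {kind} but declared {ctype}"))
            continue

        # 2. Executable extension, including .pif which Windows never displays.
        ext = PurePosixPath(name).suffix.lower()
        if ext in EXECUTABLE_EXTS:
            findings.append((name, ctype, f"executable extension {ext}"))
            continue

        # 3. Active HTML in the body is what auto-launches a part in the preview pane.
        if ctype == "text/html":
            text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
            match = ACTIVE_HTML.search(text)
            if match:
                findings.append((name, ctype, f"active HTML element <{match.group(1).lower()}>"))
    return findings


def build_sample() -> bytes:
    """Constructed message: HTML body with an IFRAME, a 'MIDI' part that is really
    a PE file, a .pif attachment, and one harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Re: your message"
    msg.set_content('<html><body><iframe src="cid:song"></iframe></body></html>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00fake-pe-header-for-the-example",
                       maintype="audio", subtype="x-midi", filename="song.mid")
    msg.add_attachment(b"just bytes, not a program",
                       maintype="application", subtype="octet-stream", filename="readme.pif")
    msg.add_attachment(b"plain notes", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, reason in check_message(build_sample()):
        print(f"{name or '(body)':12} {ctype:26} {reason}")
```

Run it and the three findings print in walk order: the HTML body, song.mid (declared audio/x-midi, really MZ) and readme.pif; notes.txt passes. The magic-number check runs before the extension check on purpose, since the MS01-020 trick is exactly the case where the name and header are both lies.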
Yeah, just imagine if something like Apache gets popular, imagine the havoc people could cause with uptimes on those OS's.
Yes, the server community is different from userland and every piece of software will have its flaws, but popularity is not proportional to the amount of worms and viruses, lack of quality is.
Bad boys rape our young girls but Violet gives willingly.
Pretty simple really; for Windows 2000:
For other versions of Windows, click on the link (it has instructions for 95, 98, NT and 2K; I'd imagine XP is similar to 2K but it was written in 2001 prior to XP's existence). I'm trying to find instructions for modifying the security in Outlook 2000 as well, so it doesn't do anything automatically without a) my approval at the very least, or b) me asking it to run an attachment.
If anyone has pointers/links to articles on Outlook security, please post. Thanks!
I feel fantastic, and I'm still alive.
Backdoor routine
The worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:
If a program was able to tell the OS that it could be shut down by programs signed by keys A, B, and C, that would suffice. You modify the PE or Elf format to include signatures. Mandatory Access Controls can also prevent one program run by user D from killing another program run by user D.
Making users non-administrators and running virus checkers as separate users would also prevent some potential problems. Mail clients could use IPC to pass emails to the virus checkers and get a thumbs-up or thumbs-down.
Now, as far as Palladium goes, I think there's a pretty simple alternative.
Really what I'd like to see is L4 or another nanokernel and a few low-level drivers in the firmware along with a Forth interpreter for OpenFirmware. Your firmware would be a viable but minimalist OS, where before booting you could edit the fingerprints of PKs allowed to sign kernels. Booting would simply be playing two-kernel-monte with the firmware kernel and a signed kernel off the HD. 1 MB and 2 MB EEPROMs are cheap enough that putting a viable OS in the firmware is looking quite attractive. Imagine having a rescue floppy built into your mobo. The QNX demo floppy shows you can do a hell of a lot in 1,440 KB.
My SGI Indy firmware loads the Linux kernel directly off the HD and directly executes it. The firmware doesn't have a fully functional kernel like LinuxBIOS, but it suffices for a bootloader in firmware. It would be easy to add signature checking to the process, along with a small menu for entering/deleting PK fingerprints. If you ship with the fingerprints from the dozen most common OS vendors, 99.99% of people will not touch the settings or know they're even there, but you still get all of the integrity guarantees of Palladium. You would of course make NVRAM locked out at a hardware level during the boot process, which could only be undone by triggering a POST. This solution requires no new hardware besides the NVRAM lockout, and the NVRAM lockout really isn't that important if you can assume the OS will prevent writing to NVRAM. The NVRAM lockout could be skipped in the first generation for the sake of easing adoption.
Like I said earlier, my SGI firmware already does most of what's needed, as does LinuxBIOS. Apple and Sun firmware is already quite advanced and I don't imagine adding the required functionality would be that hard. Really the only advantage Palladium adds over current hardware with a BIOS upgrade is DRM. Palladium also carries a lot of baggage. I would love to see AMD come out with an improved x86-64 BIOS that includes most of the bootloader along with signature checking, if not a full nanokernel OS in firmware. Hardware NVRAM locking would also be nice.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
First, run Office Update so you have at least Outlook SP1 (SP2 has been out for a while, in fact). Next, add the following value to the registry:
HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail
REG_DWORD: ReadAsPlain = 0x01
Outlook will convert all HTML to plain text before rendering it, and turn all embedded images, etc into attachments.
Thought I'd share that little tidbit.
The whole root-user argument is completely irrelevant when you're talking about a consumer (read: single-user) install. In many ways I think it might even be a worse situation than Windows on the desktop because obviously it lulls certain people who don't think about the situation deeply enough into a false sense of security.
Who gives a flying crap if your /etc directory remains untouched when ~ (where the irreplacable files are) has been wiped out?
Wrong.
Sorry to break it to Your Wrongness, but Mozilla and Eudora are no less susceptible to this worm than a fully patched Outlook. It knows how to read many different mailbox formats and comes with its own SMTP server.
Welcome to the Land of "Everything Just Works"
You know, it's interesting, I bought my wife a Canon S400 digital camera for her birthday last month and after we had used it for about a week, she came downstairs with the box and a disk or two in it. She said, "Did you already install this software on the iMac." I said, "Nope, didn't need to."
Which got me thinking. Having been a Mac guy for a long time, I have come to expect things like digital cameras and whatnot to "just work" without much fuss or muss. My wife said, "so you mean you just plugged in the camera and it worked?" Me, "Yep." She, "Amazing." Certainly Windows has software like iMovie and iPhoto, but nothing seems to beat what Apple has churned out in the last few years.
Apple is NOT the savior of the universe, by any means. Be prepared to be somewhat exasperated on occasion, but mostly they make nice hardware and have a set of software on the machine that really is great. Thousands of great mainstream apps (Photoshop, MS Office, a "smattering" of games, etc.) + amazing development environment a free download away + UNIXy goodness is a great combo. You'll never look back. Promise.
In recent Mozilla versions, from the View menu while in Messenger, you can choose Message Body As/Plain Text. Works like a charm...
So many of you are way off on your understanding of this worm.
I ran into this early today. I recognized it as a bugbear virus but inoculateit wouldn't detect it as anything. I reimaged the machine and then loaded up a web browser and noticed an article on yahoo about a bugbear variant running wild..
To get this you do not need to open an attachment. Opening the message is enough. Supposedly there is a patch that was out 2 years ago that should have fixed that bug. I decided to test it with an image running the latest patches on office/outlook 98 and win 98.. It also had the latest of all the windows update patches. Still it was able to autorun. Anyone know what's going on and if there is really any truth to a working patch existing?
Some people were saying to block attachments of those types. Sure, blocking scr files may not be a bad idea but a lot of people send exe files, at least in the windows world. It's useful. Of course we could rename files but why do that? We have a virus scanner that should be watching out for these problems.
Some people also tried saying nobody should use outlook. Welcome to the real world. Outlook with its calendar sharing, tasks, email, etc is a standard that many people expect. Nobody likes change. We are stuck with it. I'd get rid of it and all the windows servers if I could, but that's not going to happen any time soon.
I should note inoculateit/CA finally released new definitions a few hours after I got infected today.. At least that should solve the problem for the future.
Some people were saying that nobody should be stupid enough to have unpassworded shares. You've never been an NT admin in the real world. A lot of older DB applications require shares to be writeable by everyone. Access is granted based on appropriate domain account access without any extra passwords. Unpassworded file shares are commonly required..
I tried to bait this virus with a samba system with debugging on level 2 to watch what it would do. I set up a mini network, mapped the drive, copied files back and forth, let it sit, rebooted, etc.. The infected machine never once connected on its own.
Does anyone have any real technical details about this worm? I'm tired of all the crap going around. It seems to me like a lot of things are being blown out of proportion.. It's time to look at some actual code or a real technical article rather than listening to non-technical people try to regurgitate some information that they don't even understand.
This patch for 2-month-old Windows Server 2003 "to fix a vulnerability that could let malicious sites run damaging code on the server."
Hilarious excerpt: "ALTHOUGH SECURITY EXPERTS -- even those at Microsoft itself -- had pointed to the company's latest server OS as the first test of the software giant's massive Trustworthy Computing initiative, representatives maintained that the patch did not mean the release had been a failure in its security practices. 'It actually highlights positive progress in trustworthy computing,' said Microsoft's U.K. security chief, Stuart Okin, explaining that Server 2003 is significantly hardened in comparison to previous versions of Windows."
It begs some questions: if this is progress... if this is hardened... what's he smoking?
Help stamp out iliturcy.
How does one go about removing Outlook Express from XP?
:-)
I'll try to not be "witty" and post something about a Linux distribution that's NOT what you were asking for.
This is the best I could find to help. The article is for 2000, but since XP is essentially just a revised 2000 with a new look, it could apply to XP as well. Especially since it's about the same software (Outlook Express 6).
The usual about being careful with the registry editing applies.
Beware: In C++, your friends can see your privates!
In this case, other sites that covered this week's pair of Microsoft worms first -- and they'll cover next week's first, and so on. ZDNet, eWeek, Infoworld, Reuters, the Register and others covered it first. ZDNet has the bad habit however of sliding stories that reflect badly on MS quickly off the top pages and into obscurity.
Worms like sobig and bugbear only affect products with design flaws. Brian Valentine, senior vice president in charge of Microsoft's Windows development, said it best:
In short, there's nothing you can do to improve your security except upgrade to a different client: Mozilla or Opera instead of MSIE, Eudora or others instead of OutLook, OpenOffice.org or WordPerfect instead of MS-Office. Usually by upgrading you get better functionality, ease of use in addition to stability.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
That's bullshit. You'll notice these things don't just use any old extension, they use executable extensions. If you setup your mailserver to strip .pif, .scr, .vbs etc you'll be in a much better world.
When was the last time you got a legitimate email with a .pif attachment? Never, that's when. I setup this on all of my clients networks and have yet to have grabbed a single legit email.
The answer is quite simple: because the operating system allows it. In the explorer, when you click on an exe, it runs. So in a mailer, when you click on an exe, it runs. That is the same handler.
Of course, it is insecure. So in later versions, extra checks are installed that at least present some dialogue box (or in even later versions completely prevent running executables from mail).
Unfortunately, the whole mapping from "type of file" to "handler" in Windows is a big mess, and thus many bugs have existed in this area.
(the most famous one is the specification of an audio file in the mime-type and then passing a .exe file as the data. the mailer checks, it is an audio file, so fine, pass it to the OS, this sees the extension, knows it is a program not an audio file, and just runs it. BOOM!!)
"Nobody cares that everything that rolled off the Install CD is still there and might even be pristine"
I care. I care A LOT when my backup utilities still work. So I can restore the BACKUPS I made of USER DIRECTORIES!
Sorry but enterprise level and MS do not belong anywhere near each other despite what MS wants you to believe. I'm an MCSE and I can't imagine running critical services on the MS platform...as an application platform windows server is just too bug ridden.
So either you've bought into all the FUD or you're speaking from experience, in which case I call PEBCAK (Problem Exists Between Chair And Keyboard). Either way, you don't know what you're doing.
We have (at last count) approximately 270 Windows Servers (as well as all our Linux and AIX servers), including DCs, file servers, print servers, etc., etc., and many application servers. We are a 24x7x365 operation, and the vast majority of those servers have been up for months or years. Most of our unplanned outages are due to hardware errors -- blown motherboards, generally, as we have redundant hardware where ever possible.
I can look at some of my servers right now and see uptimes which are pushing a year. Some of my servers are in constant use by 700 users during the day and 30 to 50 users during the night. Up until March, they had 100% availability. In March the application hung due to a bug in the vendor's application -- totally unrelated to running on MS. (Incidentally, it was fixed by restarting a service -- no need to reboot the server.)
We use firewalls and virus protection software and patch our servers (carefully -- some MS patches can break things), and don't get hit by these problems. Want to know why? Because we are expected to keep things going so we do, and we know what we're doing! If stuff breaks, people get fired. So we build servers the right way the first time, and then, remarkably, they seem to be rather robust.
We wouldn't be nearly so happy if we had to keep running to the server room all day, by the way. NT 4 was a lot more difficult to manage, but Windows 2000 allows me to do virtually everything from my desk, which is efficient and just all-round desirable. So don't believe the FUD that you can't remotely manage a Windows server, either.
For what it's worth, I'm also an MCSE. I got mine because I'd been working with MS products for several years and knew how they worked, what was wrong with them, and how to fix them. Some of my colleagues in the past have been paper MCSEs. Guess whose servers tend to be flakier?
I know what's wrong with MS products -- they're by no means a magical company, and I've learned the hard way (NT 4 service packs that broke and also modified the SAM, or horribly painful Exchange 4.0 information store recoveries, and on and on). Hey, maybe that's got something to do with it -- I worked my way up, I gained my technical knowledge by fixing things when they borked and building systems from the ground up, and in the process became intimately familiar with the products' strengths and weaknesses. What do you think?
How is this insightful? Last I checked Mozilla's mail client (and many others) don't have any kind of scripting enabled by default. You have to click attachments to get them to do anything, and by default it asks you to Save rather than open. So even if someone clicks on it and then Clicks OK, they just saved it somewhere.
Even cookies are off by default in the mail client. And you can turn off images.
So yeah I suppose people could "try" and target mozilla but I honestly don't think there is a whole lot of damage they could be allowed to do. The stuff that could potentially cause harm is off by default, and the people smart enough to turn it on are smart enough not to execute worms and viruses!
The Anti-Blog
It's actually far worse than that. Windows will still hide the .pif extension even with file extensions turned on. It's one of a few, 4 or 5 I forget how many, file types that Windows WILL NOT show the extension for.
Try it yourself, turn on show extensions and add a .pif extension to a text file. It won't show the .pif but will change the icon to a shortcut.