Slashdot Mirror


Yet Another Windows Worm

kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computers' modems. Some of the worm's functions are designed to specially target financial institutions.' Yummy!"

46 of 726 comments

  1. Frustratingly typical day in the life of Microsoft by dtolton · · Score: 5, Insightful

    It's frustrating how many viruses Windows keeps getting slammed with.
    There are some people that will point to a Linux worm or virus here
    or there, but I run both Windows and Linux servers and there is
    simply no comparison with the amount of worms Windows based machines
    receive. Some people say it's because Windows is much more prevalent
    than Linux, but there are a lot of servers running Linux now.

    The amount of work required to keep up with just doing updates has
    finally gotten to me. Last night I noticed my Windows server was
    sending packets like mad. Suspicious, I did a netstat -an; it was
    making connections to hundreds of other machines. Tired of this
    dance, I decided to just shut the windows server down. Maybe one day
    I'll patch it...then again, maybe I'll just leave it shut down for
    good.

    Interestingly, my GNU\Debian Linux box is happily sitting right next
    to it serving up pages. I haven't had to reboot it in ages, I imagine
    it will be running until a nifty new kernel comes out that I just
    have to have.

    See ya Microsoft.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
  2. Modem.. by JohnFluxx · · Score: 2, Insightful

    Can anyone tell me why it bothers to try connecting to the internet so hard?

    The article says that an infected machine will try to get on to the internet, and will try dialing the modem if it has to.

    Surely the most interesting machines are those with fast good connections - not people on crappy slow modems...

    This is from the assumption that the computers would be used for a DDoS.
    Has a worm ever been used for anything other than a DDoS?

    1. Re:Modem.. by General+Sherman · · Score: 2, Insightful

      You obviously just started using computers. Worms can be used for everything, in fact, this one doesn't DDoS, it sets up a keylogger to get your passwords and opens back doors, which while possibly for DDoS attacks, might not be.

      Worms are very good at sneaking around unnoticed until a certain time is hit, then they all do something at the same moment. Very bad for a company if it's infected most of the computers. It can also do more subtle things, such as get your online banking passwords, send them to the creator, and then delete itself, without you ever knowing.

      --
      - Sherman
  3. Re:and again by CausticWindow · · Score: 4, Insightful

    A much better solution than b), is to completely remove Outlook. Especially if you're only using it as a mail reader.

    --
    How small a thought it takes to fill a whole life
  4. Re:Frustratingly typical day in the life of Micros by TheGrayArea · · Score: 4, Insightful

    Give it time. As Linux permeates industry and business it will start getting more attention from the virus writers. It's all a matter of ROI. Right now, attacking windows has a very high ROI.

    --

    This space for rent.
  5. Conflict of interest... by c0dedude · · Score: 2, Insightful

    You know, we should get our information from a reputable and IT source like Symantec who provides details on how to remove it rather than a news source owned by the people who make windows, the vulnerable software.

    --
    Since when has this country used intellectual elite as a pejorative term?
    1. Re:Conflict of interest... by bstadil · · Score: 3, Insightful
      Well Symantec is not above Conflict of Interest.

      They consistently overplay the danger of computer infections, as the more scared people are the more biz they will make.

      Look at their ads and see what scare tactics they use.

      --
      Help fight continental drift.
  6. Re:Frustratingly typical day in the life of Micros by NanoGator · · Score: 1, Insightful

    "It's frustrating how many viruses Windows keeps getting slammed with."

    Just wait until:

    a.) Everybody decides to hate Linus.
    b.) Linux machines can be counted in the millions.

    The safest platform to be on is the obscure one with few people using it.

    --
    "Derp de derp."
  7. Commercial Idea by div_2n · · Score: 4, Insightful

    I am surprised Red Hat or some other company doesn't take advantage of heavy Windows worm activity.

    "Did you get hit by that new worm?"

    "No, I run Linux."

    1. Re:Commercial Idea by BWJones · · Score: 1, Insightful

      "Did you get hit by that new worm?"

      "No, I run OS X."

      --
      Visit Jonesblog and say hello.
  8. Re:Frustratingly typical day in the life of Micros by a_timid_mouse · · Score: 4, Insightful

    Yes, but as with any *NIX, the damage Joe Luser can cause is significantly curtailed to their own userspace. The virus would need to take advantage of a root-level vulnerability to infect an entire machine. Not so with most Windows default configs.

  9. Re:Frustratingly typical day in the life of Micros by spurious+cowherd · · Score: 5, Insightful

    *tweet*

    time out.

    any admin who sets production servers to be "automatically updated" deserves to be terminated with prejudice.

    you test all patches before deployment.

    --

    Time flies like an arrow, fruit flies like a banana.

  10. ugh by JanusFury · · Score: 2, Insightful

    Am I the only person who's tired of hearing about the latest way for idiots to screw up their computer and infect dozens of other computers used by similarly idiotic people? I mean, come on... Haven't there been patches and security measures around for years that prevent viruses like this one from infecting your PC?

    I guess it is helpful for admins to see virus warnings on slashdot though.

    --
    using namespace slashdot;
    troll::post();
  11. Re:Frustratingly typical day in the life of Micros by Anonymous Coward · · Score: 1, Insightful

    Not really a good comparison.

    On a server the vulnerability would have to target an exploit in a daemon that accepts network connections.

    On the desktop the vulnerability, more often than not, is the user's tendency to execute anything that claims to contain pr0n or similar. These viruses make up the bulk of Windows-targeting viruses. The virus gains entrance through the user and then runs amok from there.

    Proof of this is in the prevalence of viruses called "Amish viruses." These aren't actually viruses at all. They're simply chain letters that read something to the effect of, "hey, found this virus by the name of better delete it and pass this on to all of your friends!" And the user, not the CPU, carries out the malicious instructions.

    So, if Linux wishes to avoid this issue on the desktop, where users will both likely have permissions way too high (i.e. Lindows with root) and be willing to run arbitrary binaries, they better take notes now. They also better invest into antivirus technology. Sure, maybe you can keep up with the relevant patches to keep your server secure, but it's hard to make the desktop world foolproof when fools are so ingenious.

    Oh, and P.S., since you mentioned running Debian, have you made sure that you've patched all 87 security vulnerabilities announced so far for the year 2003?

  12. And again.... by NetJunkie · · Score: 2, Insightful

    If your company got hit go ask your network admin why they aren't blocking ANY executable email attachment. Then go ask their boss.

    IT'S NOT HARD PEOPLE.

  13. For some value of "interesting," maybe by Motherfucking+Shit · · Score: 4, Insightful
    The article says that an infected machine will try to get on to the internet, and will try dialing the modem if it has to. Surely the most interesting machines are those with fast good connections - not people on crappy slow modems...
    No, the most interesting machines are those which aren't connected to the public network at all. The servers at your bank which track your balance, those mysterious "power grid" servers that HomeSec keeps spreading cyberterror FUD about, military computers with Top Secret documents, etc.

    These machines are unlikely to be interfaced with a public net at all, especially not sitting on a fat pipe; but many of them have to network _somehow_. Regular modems, ISDN, etc. aren't quite dead yet.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  14. Educate the user by Anonymous Coward · · Score: 5, Insightful

    The people that open these attachments aren't system admins. They aren't network programmers. They aren't even computer literate half the time. Most of the time they treat the computer like a magical device that mysteriously allows them to type and send mail very fast. My mom doesn't even know what a zip/exe/jpg file is. I think it is hard for us to imagine not knowing what we know about computers, but the fact is, that most people using computers don't know a fraction as much as anyone reading slashdot. In fact, most of these "virus" are technically trojans. They are all exploiting the ignorance of the user to mass infect others. There is nothing any operating system can do to stop this. If we were all running Linux, more people would be tricked into running as a SuperUser or Root or some other exploit virus programmers would find. In the end, it's not which is it the right operating system, but have we educated the person behind the machine.

  15. MS irony.... by Vaughn+Anderson · · Score: 2, Insightful
    From the MSN report...

    In addition, it uses a particularly nasty flaw in Microsoft's Internet Explorer program and its implementation by Microsoft's Outlook e-mail reader that allows the virus to infect machines whenever a victim simply previews an e-mail message loaded with the program.

    Yet (as of this post) CNN mentions nothing of the fact that this is another virus that takes advantage of a Microsoft flaw...

    And at the bottom of the MSN page: "MSN - More Useful Everyday"

    ah the irony of having your own news company...

  16. Re:Frustratingly typical day in the life of Micros by Osty · · Score: 5, Insightful

    And if they didn't repel attacks, that would be almost good too.

    Because there's nothing quite like a 100,000 machine-strong DDoS network of Redhat machines on cable modems. I hope you meant that if machines are not repelling attacks, then that would prompt bug fixes. However, as you see in the Windows world, most attacks are targeted at already-fixed issues. The machines that get infected are the ones that didn't stay up to date (or in lots of cases a few years ago, were running software they shouldn't be running, like personal Redhat machines running BIND because it was installed and started by default in an "install everything" scenario, the installation option used by most newbies because they're afraid of missing something during the initial install and not knowing how to install it later).


    No, successful virus/worm/hax0r infections are never desired. Better for the issues to be found by competent and moral ("moral" being that they don't use the exploit maliciously) people before a major virus or worm is written. There are excellent patch distribution channels for both Windows and Linux these days. People really should use them. And for production servers that don't use them because they need to do validation before deploying the fix, they need to get off their asses and do the validation. There's no excuse for a 2 year old bug causing issues now. That's 1 year, 11 months, and 3 weeks of laziness (assuming it takes about a week to do a validation and deploy the fix and any resulting changes).

  17. Re:Frustratingly typical day in the life of Micros by Anonymous Coward · · Score: 1, Insightful

    a.) Everybody decides to hate Linus.

    Not likely to happen. Linus is a genuinely decent and nice person. While there will always be the odd person who hates everyone or who hates someone for some obscure reason, it's unlikely that a significant number of people will ever have a reason to hate Linus.

    b.) Linux machines can be counted in the millions.

    They already are, even if you just count the number of servers sitting out there attached to the internet.

    The difference is that Linux is generally more resistant to attack to begin with, especially in the default installs of recent versions. There are a number of inherent design flaws in Windows and a number of historical anachronisms endemic to the typical Windows environment which make it more prone to viruses, worms and trojans than a *nix like OS. Linux is also more likely to be installed and administered by people with a clue than Windows is, and that makes a huge difference. If a huge number of the typical lamers that mindlessly use Windows start using Linux, then it may start to have a few more problems, but I suspect still far less than Windows does.

    The safest platform to be on is the obscure one with few people using it.

    A bad assumption. Security through obscurity is not valid in practice. The platform still has to be secure even if it is obscure, because unless you are the only user of all the relevant code it runs, you can't depend on someone else not being able to find a weakness. Even that isn't a guarantee, since crackers could still probe from the outside and possibly find vulnerabilities.

  18. Re:Ya know by Anonymous Coward · · Score: 1, Insightful

    and yeah, it can be done.. what you all have now is a false sense of security through obscurity

    I'm sorry, you must be thinking of Windows.

  19. Re:Frustratingly typical day in the life of Micros by anotherone · · Score: 1, Insightful

    Well then, any admin who runs outlook (or any email client, or browser, or ANYTHING that could potentially be compromised) on a production server that absolutely can't stand to have any downtime needs to be terminated as well.

    --
    Username taken, please choose another one.
  20. Re:Blah, blah... by cookd · · Score: 2, Insightful

    If a user is running unpatched Outlook Express, they can get the virus by previewing the email. If they are running an updated (non-vulnerable) Outlook Express or another email reader, they can STILL get the virus by running the attachment.

    Exercise for the reader: Explain how this is due to Windows SUCKING. Explain how this would not happen under Linux (assuming the attachment were a Linux executable and not a Windows executable).

    --
    Time flies like an arrow. Fruit flies like a banana.
  21. In defense of the users. by U2BG · · Score: 2, Insightful

    I'm not going to defend Microsoft, but I will defend the users. This worm sends emails that look VERY much like ones that a user has sent or received. It really is a well designed "social engineering" virus.

    Since our users had not had a virus hit their desk for 2 years, thanks to NOD32, they were really not expecting this one!

    Cheers, Ben.

  22. Re:old bullshit. by nathanh · · Score: 4, Insightful
    Yet I don't see anything breaking down mutt, pine, balsa or even Mozilla's email client.

    Pine has had a number of problems with maliciously coded attachments. These were real-world exploits, not theoretical ones.

    Linux isn't immune from viruses - email or otherwise - even though in practise it suffers less. The troll before you was telling a half-truth when he claimed that Linux is safer because (a) everybody loves Linux even though (b) nobody uses it. Those two factors are real and they do contribute; it's silly to deny it. However there are dozens of other factors, eg:

    • Less integration between desktop apps means fewer unexpected side-effects. Expect this to change for the worse as KDE and GNOME add more features.
    • Better designed server apps: I believe that in general Linux (and UNIX) have server apps that were designed with security in mind. Though there are always exceptions.
    • Greater diversity in hardware and software platforms; makes it much harder to write a UNIX virus and it's much harder for a poorly written virus to spread.
    • ...

    Protecting Linux against viruses is one of those "eternal vigilance" things. Don't get smug because Linux is relatively free from problems today while Windows is copping a flogging. Yes, I think Microsoft brought most of it on themselves and yes, I think Linux (and UNIX) is more immune by design. However I think it's naive to think that things will stay like this forever. Linux viruses are on their way. Be ready to eat your words in 5 years time when Linux becomes more popular and Linux viruses become commonplace.

  23. Re:windows vs *nix by Parinioa · · Score: 3, Insightful

    The main reason why *nix boxes don't have anywhere near the number of virii infect them is because the average *nix user has had to set the box up themselves and had to go through the learning curve that is involved in that. Anyone who has got enough knowledge to set up a *nix box (and in reality most people that actually are able to install windows) have enough general computer sense to not catch virii. I personally hate virus scanners as they just take up my resources. Periodic scans let me know that I am not just overconfident that I am invulnerable, but in fact paying enough attention to what I do on a regular basis to delete the emails with attachments like 'happy99.exe' even though I don't in truth _know_ that it is in fact a virus. *nix isn't really a safer OS from virii, it just has a better trained user base.

  24. Re:windows vs *nix - un-informed is un-informed by Soko · · Score: 5, Insightful

    that's not really true though, since there are holes in windows that have been there since windows version 1. Sure there are holes in any program, but at least most of the unix/linux/macos viruses don't cause the computer to crash. In almost every case, unix/linux/bsd viruses are really just exploiting a single program.

    The point being...? Really, you have done nothing to assist our underinformed cyrax777. Let me help, please.

    First, causing the box to crash or not is irrelevant, as is what program allowed the compromise - a compromised machine is no longer yours. Time to re-install the whole machine.

    The reason *nix is much harder to infect in the first place is users run with user privileges, as do all the child processes that they create. Thus, the e-mail client cannot over-write any system files since it lacks the authority to do so. This is where "rooting" the box comes from - you need to elevate your normal privs to super user status in order to do any real damage. You can tell most *nixes that "This user account can never elevate its privileges", and it likely never will. System services, like say the Apache HTTP server, are usually set up to run as under-privileged users as well, so compromising them leads to even more difficulty controlling the whole machine - there's very few openings in the *nix security armour. In contrast, right now my XP laptop is running login.scr as SYSTEM. Yup, a screen saver with system level privs. IIS on NT/Win2K is the same way - out of the box it runs under the SYSTEM account. If one of these is compromised, it's not your machine anymore. Now you know where a lot of the issues with Windows security lie.

    This reflects one of the design philosophies of *nix: only give users the privileges they need, and have a huge, well defined wall between them and the system. Windows seems to come from the other end - give it all, and try to take away what's dangerous. IMHO, that's where Windows fails - miserably.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  25. Re:Frustratingly typical day in the life of Micros by SN74S181 · · Score: 5, Insightful

    Here's a secret you might not know:

    On Unix/Linux Desktop systems there is nothing on the system as important as the user's data in his home directory.

    So the whole notion that trojans/worms etc. can't hurt the systems that 'mere users' will be using as there is more and more of a push to Linux desktop systems is just plain nonsense. If it wipes out an employee's whole writeable diskspace, it's done all the damage it could possibly do. Nobody cares that everything that rolled off the Install CD is still there and might even be pristine.

  26. LookOut, end users, and mad cash. by Lord+Prox · · Score: 3, Insightful

    Note: Not a flame to parent post...

    now if they'd only bought the firewall solution from us that stripped email attachments based on mime type and/or file extension

    I have had it up to here (pointing to head) with all this BS with email worms/virii and the media. They are not email worms, they are Outlook worms. I could sell someone an attachment stripping solution but that is irritating. For every bug it strips out it will strip out a legitimate file as well.

    I just don't know what to do with people... Every time one of these god damn things comes out, my phone starts ringing off the damn hook, hell I can't even get a straight 8 hrs sleep... (one dis-advantage of home office) and every time I tell people the same damn thing. Outlook is a worm/virus magnet. Don't use it. There are many others. Bad people target Outlook for a reason, don't give them the opportunity to hit you. It's that simple. And always check attachments before running them regardless of what email client you are using or who it came from. But they just don't listen. Do they think I am full of BullSchnitt or is being used to infection and calling me easier than learning a new mail client.
    Does anyone have an idea of why end users use the software they use in the face of all the reasons/recommendations not to?

    Came with machine so it must be good?
    Everyone else uses it?
    What?!?!

    On The Other Hand..... I will be making lots of cash in the next week... so maybe I should not be complaining :)

    For every person that finds the silver lining of that cloud, there are 100 that just died from lightning

    1. Re:LookOut, end users, and mad cash. by dcmeserve · · Score: 4, Insightful
      It's always so entertaining to me when one of these things starts spreading around. I use a text-only email client (mutt) on a linux system. True, I do have to explicitly save attachments to files and then go view them with the appropriate separate program, but that's actually a rare occurrence. 99% of the time it's bare text anyways, and mutt is a really fast way to scan through them all -- no slogging around with a mouse. And I don't have to worry about looking at an email that might be spam either.

      Of course, I know the majority of people will never want to do this. Which means I can maintain my air of smug superiority indefinitely. Ha!

      --
      "Orthodoxy is unconsciousness" - Orwell
  27. Re:Frustratingly typical day in the life of Micros by Blkdeath · · Score: 2, Insightful
    Well then, any admin who runs outlook (or any email client, or browser, or ANYTHING that could potentially be compromised) on a production server that absolutely can't stand to have any downtime needs to be terminated as well.

    I think I've seen about enough of this particular strawman.

    Nobody has to run anything on these servers; all they require is network connectivity. These worms propagate via network shares as well as e-mail. All it takes is one infected machine with a persistent connection to any production server in a trust network to cause headaches.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  28. Re:Frustratingly typical day in the life of Micros by Blkdeath · · Score: 5, Insightful
    Give it time. As Linux permeates industry and business it will start getting more attention from the virus writers. It's all a matter of ROI. Right now, attacking windows has a very high ROI.

    Which is exactly why so many worms target Apache rather than IIS.

    Batting down strawmen for 12 years and counting ...

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  29. Re:Frustratingly typical day in the life of Micros by Blkdeath · · Score: 5, Insightful
    On Unix/Linux Desktop systems there is nothing on the system as important as the user's data in his home directory.

    I don't know about you, but I administer systems with hundreds or thousands of users. It's *their* data I wish to protect, not that of the irresponsible schmoe who ran untrusted binary code.

    <OBSIMON>
    But if they ask me nicely, maybe I'll keep that backup tape away from the degausser.
    </OBSIMON>

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  30. Re:Blah, blah... by ball-lightning · · Score: 2, Insightful

    If a user is running unpatched Outlook Express, they can get the virus by previewing the email. If they are running an updated (non-vulnerable) Outlook Express or another email reader, they can STILL get the virus by running the attachment.

    Exercise for the reader: Explain how this is due to Windows SUCKING. Explain how this would not happen under Linux (assuming the attachment were a Linux executable and not a Windows executable).


    I agree, I can't believe Microsoft actually thinks that the ability to "Execute" and "Open" files is a feature. Let's all switch to Linux, where opening data files and running programs are a thing of the past.


    Seriously now, if a User runs a trojan horse, that is in NO WAY the fault of the Operating System. As for the Outlook bug, yes, that was Microsoft's fault, which is what Microsoft Update is for (and don't tell me Linux doesn't need anything like that, either. Almost every day up2date is complaining about X Y Z patch I don't have).

  31. Re:Ya know by Anonymous+Struct · · Score: 2, Insightful

    The fact that the large majority of webservers out there are running Apache (many on linux) and have been for a long time suggests otherwise. Sure bugs exist and there will always be exploits for all platforms, but somehow the Apache team is dodging those problems far better than Microsoft. With even MS themselves admitting that their emphasis was never on security in the past, you're probably one of the few people left in the world trying to defend their record.

    So don't complain too much about the zealots around here -- you're just as much one as the rest of them, and one of the more vehement that I've seen.

  32. virgin control by More+Trouble · · Score: 2, Insightful
    Microsoft Service Packs break systems all the time. If you run ASP.NET and Sql Server code, you get bitch slapped everytime they release a service pack or "security fix". They consistently change functionality, without warning.

    Sounds to me like they don't use support branching in their revision control system. If they want to release a fix for old code, rather than branch at the release and make a fix, they give you all of the "goodness" that they've been working on in the meantime.

    So, add bad version control to buggy, insecure code...

    :w
  33. Re:Frustratingly typical day in the life of Micros by Darby · · Score: 1, Insightful

    Well then, any admin who runs outlook (or any email client, or browser, or ANYTHING that could potentially be compromised) on a production server that absolutely can't stand to have any downtime needs to be terminated as well.

    Perhaps you might be able to explain how to remove IE from windows then?
    Keep in mind, it loads at boot.

  34. Changing e-mail clients won't do anything. by Sycraft-fu · · Score: 2, Insightful

    This particular worm knows how to use other e-mail clients as well. However, suppose that suddenly everyone switched to Mozilla. Same stuff would happen. Why? Because if you send someone an executable and they run it, it will infect them regardless of the e-mail client they use. If a different client was the most popular, it would simply be the most popular target. When something like a worm relies primarily on user stupidity to spread, it will hit stupid people, regardless of what software they use.

  35. Re:windows vs *nix - un-informed is un-informed by bellings · · Score: 2, Insightful

    This reflects one of the design philosophies of *nix: only give users the privileges they need, and have a huge, well defined wall between them and the system.

    You're smoking a huge crack pipe, my friend. In unix, I need suid to change my password, 'fer christ's sake.

    I mean, it's painfully obvious that you have no unix experience whatsoever. It's just sad that you got modded up on a site like slashdot, which used to be moderated by geeks.

    --
    Slashdot is jumping the shark. I'm just driving the boat.
  36. Outlook is still badly designed by FCKGW · · Score: 2, Insightful

    As long as Outlook uses IE to render HTML mail, it will be vulnerable. This integration bullshit from Microsoft has made vulnerabilities in one program affect many others. If Outlook was secure, it would have an option to turn off HTML mail rendering. If it was turned on, it would only be able to format text and layout, and download and display images (while checking to make sure that they really are images and not viruses/worms/trojans). And images could be turned off. This all seems like common sense to me, but apparently it's not common sense at MSFT, which makes it easy for worms like this to spread.

    Sure, I use Windows. But it's the only MS product I use on a regular basis. I use Calypso 3.3 to read mail, which has HTML rendering turned off by default (and I keep it off). I'm typing this in Mozilla 1.3.1. They're both well designed programs that don't do stupid things like Outlook. Did I mention I've never gotten a virus? Well, I haven't. Ever. Sure, I've had the occasional Outlook worm mailed to me, but I'm not so dumb as to open the attachment (which has no way to auto-execute on my machine, by the way). Part of the virus/worm problem is stupid users, but another part is badly designed software, and most Microsoft software has historically been badly designed when it comes to security.

    --
    It's an operating system, not a religion.
  37. Re:Frustratingly typical day in the life of Micros by davesag · · Score: 2, Insightful
    Problem is most home computers AREN'T run by a competent admin.

    all the more reason to use a Mac :-)

    Seriously, as a Mac user since 1984 I have *never* had one of my macs infected with a software virus. I've seen other macs infected with the WDEF virus circa 1989, but that's about it. Even though Virex on OSX is total crap (why does it need to rescan all files - even ones that have not changed? takes hours and thus no-one bothers), I am yet to hear of anyone running OSX cop a virus. I get virus-spam that's annoying but I have not yet been infected. Not in almost 20 years.

    Macs are easy to admin, easy to keep up to date and Apple are damn good at releasing security patches in a timely manner.

    --
    I used to have a better sig than this, but I got tired of it
  38. Re:Alreay run into this... by Jedi+Alec · · Score: 2, Insightful

    The procedure now is slap the drive in a real computer, suck down her documents, dd the image back over to the old drive. Reboot, hook it to the cable modem and do the updates while marking every reboot. Once its stable, I copy her files back, mirror the disk over again.

    Ehmmm, ever considered using separate partitions for data and OS? Makes life a hell of a lot easier. And yes, you can tell Windows that D:\Stuff is where all the documents go...

    --

    People replying to my sig annoy me. That's why I change it all the time.
  39. Re:How to permanently disable HTML mail in Outlook by darien · · Score: 2, Insightful

    Yeah, except - when you actually browse to that registry branch, this entry isn't there! You have to create it before you can turn it on. Who knows what other useful things you might be able to do if you only knew what registry keys to create??

    So yes, you can often find a program's settings in the registry - but this is a lot less helpful than it sounds.

  40. Re:How to permanently disable HTML mail in Outlook by SiChemist · · Score: 2, Insightful



    At least, if I make a mistake editing one of those Linux text files I am unlikely to completely hose up the machine. Whose bright idea was it to make an OS (Windows) dependent on a single (easily corrupted) binary database to boot up? A database that is modified practically every time a setting is changed or a program is installed. A file that keeps growing the longer you own your computer and as a consequence slows your machine more and more.

  41. Re:Actachments by walt-sjc · · Score: 5, Insightful

    Why is this modded as a troll? It's the truth.

    I've been running a filter on email for about 5 years. Not ONCE has any of the email transmitted viruses / worms made it through, even to unpatched outlook and OE users.

    See John Hardin's procmail filter for a very good example of how to do this.

    If you are running a corporate email server and are not filtering for known executable extensions, you are a fucking idiot. Period. There is just no excuse to EVER allow unfiltered mail through. Would you put your corporate LAN on the internet with no firewall at all? Of course not, but by not filtering email, you have a hole the size of Yankee Stadium in your protection. It's like wearing a condom with the end cut off.

    The problem with anti-virus software is that it relies on the vendor to create and distribute filter definitions. It can take DAYS or WEEKS for vendors to identify a new virus, and create a definition, and for people to download the new rule set. This lag time is deadly. Antivirus software is a LAYER of security on email, but to rely on it alone is not enough.

    Security is a process, and a mindset. Everyone who knows anything at all about software knows that every program has bugs. All you can do is minimize exposure, and you do that with many layers of security. These layers don't have to be intrusive, but you need them to reduce your vulnerabilities.

    Hey, if you want to bury your head in the sand and refuse to participate in security, that's fine with me. I charge by the hour.
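
The extension filtering described in the comment above, shown as an added example in Python; it is not part of the original comment and is not John Hardin's procmail filter. The blocklist contents, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for illustration; a mail admin would maintain their own.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat",
                      ".cmd", ".vbs", ".js", ".lnk", ".hta"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filename of every MIME part that ends in a blocked extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # walk() visits every part, including parts of a forwarded message/rfc822.
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename, then Content-Type name.
        name = part.get_filename()
        if not name:
            continue
        # Only the final extension decides how Windows opens the file, so
        # "report.doc.scr" is a screensaver executable, not a document.
        cleaned = name.strip().rstrip(". ").lower()
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed sample message: one harmless part, two that should be blocked."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="report.doc.scr")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="Setup.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    found = blocked_attachments(build_sample())
    print("quarantine" if found else "deliver", found)
```

A filter like this acts on the declared filename only, so it works before any antivirus signature exists, which is the lag the comment describes; it does not inspect file contents or look inside archives.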

  42. Re:Frustratingly typical day in the life of Micros by Osty · · Score: 2, Insightful

    That's simply not true. If it were then I'd accuse windows newbies as well of doing the same thing by installing IIS.

    Except that newbies have done that as well. They installed Windows 2000, and for some reason installed IIS (because they were playing around in the optional components install, or something like that). Then, when Code Red, Nimda, et al hit big, they got hammered because they weren't up to date. They weren't up to date because they didn't know they were running IIS.


    Your problem is with newbies, not the mythical "everything install" that no newbie uses that I've ever seen.

    I hang out in EFnet's #Linux on occasion. I've been there for years. Several years back, it was quite common to see a newbie say, "I chose to install everything, because I didn't know what the other options did," or, "I didn't want to miss something, because I don't know how to install new software yet, so I chose to install everything." My problem isn't with newbies. They don't know any better. My problem is (well, "was" until some distros got their heads out of their asses) with distros that have stupid defaults. Something like BIND should only be started if it's specifically requested. The act of installing BIND is not necessarily a request to run it. (replace "BIND" with any other software that most people have no need to run, if you think I'm picking on BIND too much)