Yet Another Windows Worm
kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computers' modems. Some of the worm's functions are designed to specially target financial institutions.' Yummy!"
I've already run into this with one of our banking customers... now if they'd only bought the firewall solution from us that stripped email attachments based on MIME type and/or file extension (why the hell any half-way reasonable person would double-click on a .pif file in their email is beyond me). If I'd only known 10 years ago (before I was legally an adult) the kind of security that existed at some of the small to medium sized banks, I probably would have made some very different career choices--I suppose it's better this way... (Posted anonymously for obvious reasons)
This one spread through my university like wildfire today! It even seems to fake Norton virus definition updating, such that the computer appears to be updating its virus definitions but isn't. It seemed to spread via hijacked messages that it attached itself to.
This virus has been hitting a bunch of people over here at Stanford since sometime yesterday. It takes random messages from your inbox and forwards them to random people in your contact list and spoofs the sender. I've received a lot of weird emails lately, but some of my neighbors have seen some pretty personal emails sent or received by their friends and acquaintances. People hitting on people, people asking their parents for money, rejection letters from companies... the whole works. Our SMTP server has been completely shut down to stop the spread!
Seems to me that would be the way to get these things fixed permanently. Make a worm that would call MS tech support on people's modems. Or any other MS 800 number. Until something costs them a LOT of money, these will continue to show up.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
They said that it attacked banks (it appears to be a backdoor bank heist worm). Someone said that US banks would probably not be affected, but a lot of third-world banks that do have a 56K could get hit.
On a related note, anti-virus programs is one place where I can actually see a potential useful application of "trusted computing" (no, not necessarily Palladium). If there could be some way to tell the OS "Look, I don't care if you're the administrator or not: the only programs that are allowed to terminate the anti-virus scanner process are the scanner itself, and, say, Task Manager". By using keys to prove their identity, it _might_ make it a lot harder for virii to terminate anti-virus programs. (Note to slashbots: I'm not saying Palladium is good because it will do this (I don't even know if it does). I'm saying this is one potential application of some as-yet-undeveloped implementation of "trusted computing".)
There is no sig, there is only Zuul.
Any readers in the UK with Sky Digital, switch to channel 268.
Overnight, the channel plays a Flash-based word game, where viewers SMS in answers. It's running on a Windows PC, and the screen currently being broadcast to 7 million homes is....
McAfee dialog box: 'bugbear.b High Virus Advisory....'
Hmmm.
(wandering OT - the channel, 'Friendly TV' is apparently being run by students on work experience. A nightly live-broadcast show is 'Girl Talk', where... girls... talk... about... things. Whatever comes into their heads. Oh, and they get progressively more drunk as the evening progresses, which no doubt helps.)
What's the frequency, Kenneth?
MSN Messenger normally connects to remote port 1863. It doesn't listen on any local ports, and the local port it connects from is usually random (and definitely not 1080).
you know..
for the longest time, i've been attempting to defend windows ever since 2k stopped being the 'absolute junk' syndrome. i read about this earlier in the day, and started ranting in irc.
well, since it's easier to bitch than act, i decided to act. i went directly to the local apple store and bought an ibook.
i have -never- been happier. this is literally the best of breed machine i have ever used. all the benefits of unix without the hassle of windows.
so, this is totally offtopic, but as a govt. employee who deals with this sort of thing every day, my old home pc is now strictly a local lan CF/oracle development box, and every damn machine i buy from now on will be apple.
Are you MORE than your SPINAL COLUMN?
Has anyone ever pondered this before?
Over the past few years, technology has advanced greatly in the area of computer security. There was a point in time not very long ago where the word "virii" was just another ancient, arcane computer term that gathered dust in the history books.
It was not long after that I noticed several companies like Norton and McAfee begin to develop and release extremely enhanced versions of their anti-virus products to the home and business PC market without any reason whatsoever.
A few months after that...BOOM!! The Internet was virtually TEEMING with all kinds of new, weird bugs the likes of which had not been seen before. Magically, the aforementioned companies Norton and McAfee had patches and updates that seemed to eradicate the problem.
Let's face it, it seems to me that the very source of virus activity today is the very companies that offer the solutions. Has anyone ever thought this before? -- companies that hire hackers, supply them with all the info they need to exploit well-known weaknesses in computer systems that the average hacker may not even know about, and then allow these same people to release their creations and allow them to go on a rampage for a few days before the corporation swoops in like Superman to save the day.
Think about it.
This worm does try hard to get on the 'net. Copied from Symantec.
Looks like they're trying to obtain passwords to bank specific systems. Has anyone else been getting TONS of e-mails with random subject lines lately claiming to be from "support@microsoft.com" containing (one assumes) some kind of virus in an SCR file?
What virus is that, anyway?
You can fix the OS, but you can't fix the users. People who get hit by this have nobody to blame but themselves (or their Windows administrator).
Microsoft fixed this vulnerability more than 2 years ago. Why do people not update their software?
According to Symantec, Bugbear.B "uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability".
"Can of worms? The can is open... the worms are everywhere."
Yes... Lots of things... My old school had an office macro worm spreading across all its computers (and I'd assume making its way to students' homes as well..) which only had the purpose of screwing up saves and saying some message on a certain day.
After getting hit by that worm personally I made my own beneficial worm to spread across the school's network... which would automagically spread and clean out the bad worm, alert the user of the problem being removed, and IIRC would automagically remove itself after a certain date so it wasn't too intrusive.
See, not all worms are for DDoS ;) Some are actually good things.
Shoot Pixels, Not People!
One interesting thing is it opens port 1080, which is normally used by MSN messenger
Sounds like you're using a Socks server to connect to MSN - 1080 is the default Socks proxy port, not MSN messenger.
... to reply to mi2g claims that Linux is more hacked than Windows. Now you have hundreds of Windows computers in your near vicinity waiting to be hacked through port 1080. I think that at the rate of infection of this last worm, in very few days (Sunday?) it will be the most widely distributed computer worm ever.
Microsoft is a shit company for putting out crappy insecure products in the first place, but my main beef is with the stupid fucking morons who use those Microsoft products and don't maintain their computers.
A patch for this hole was out two years ago.
Fixes for Nimda and Code Red have likewise been out for a long time.
Ditto fixes for SQL Slammer.
But guess what I still see in my firewall logs? Let's take a look at some excerpts, shall we?
6/3/03 3:24:04 Trigger IP Addr: 195.199.65.173 TCP Port: 80 Svc: Nimda 3600 secs
6/5/03 17:46:47 Trigger IP Addr: 66.117.200.191 TCP Port: 80 Svc: Code Red 3600 secs
6/5/03 22:04:55 Trigger IP Addr: 63.79.176.247 UDP Port: 1434 Svc: ms-sql-m 7200 secs
These are just the most recent occurrences, but my logs are jam-packed with them. 132 Slammer hits in just the last week. Still plenty of Nimda and Code Red. And I won't even mention the thousands upon thousands of hits in my log from machines looking for exposed Windows shares on port 137.
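The excerpts above are in a fixed "Trigger IP Addr ... Svc ... secs" format, so the per-worm counts the poster quotes (132 Slammer hits in a week, and so on) can be produced mechanically. The following is an added example, not code from the post or from any firewall vendor: it parses lines in that format, maps each hit to the worm family the post names by protocol and port (TCP/80 keeps the firewall's own Nimda/Code Red label, UDP/1434 is Slammer's SQL resolution service), and counts hits and distinct sources inside a time window. The sample log is constructed here; the "netbios-ns" service label for the port-137 share scans is an assumption, since the post mentions only the port number.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in the same layout as the firewall excerpts in the post.
# The port-137 line and its "netbios-ns" label are assumptions, not quoted from the post.
SAMPLE_LOG = """\
6/3/03 3:24:04 Trigger IP Addr: 195.199.65.173 TCP Port: 80 Svc: Nimda 3600 secs
6/5/03 17:46:47 Trigger IP Addr: 66.117.200.191 TCP Port: 80 Svc: Code Red 3600 secs
6/5/03 22:04:55 Trigger IP Addr: 63.79.176.247 UDP Port: 1434 Svc: ms-sql-m 7200 secs
6/6/03 1:12:09 Trigger IP Addr: 63.79.176.247 UDP Port: 1434 Svc: ms-sql-m 7200 secs
6/6/03 4:40:31 Trigger IP Addr: 10.0.0.5 UDP Port: 137 Svc: netbios-ns 3600 secs
some other record type the parser should ignore
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"Trigger IP Addr: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>TCP|UDP) Port: (?P<port>\d+) "
    r"Svc: (?P<svc>.+?) (?P<secs>\d+) secs$"
)


@dataclass
class Event:
    when: datetime
    src: str
    proto: str
    port: int
    svc: str
    block_secs: int  # how long the firewall blocked the source


def classify(ev: Event) -> str:
    """Map a blocked connection to the worm family discussed in the thread."""
    key = (ev.proto, ev.port)
    if key == ("TCP", 80):
        return ev.svc                # firewall already labels these Nimda / Code Red
    if key == ("UDP", 1434):
        return "Slammer"             # ms-sql-m = SQL Server resolution service, Slammer's target
    if ev.port == 137:
        return "NetBIOS share scan"  # hosts hunting for exposed Windows shares
    return "other"


def parse_log(text: str) -> list:
    """Parse every line that matches the trigger format; other record types are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        events.append(Event(when, m["ip"], m["proto"], int(m["port"]),
                            m["svc"], int(m["secs"])))
    return events


def summarize(events: list, since: datetime):
    """Hits per worm family and number of distinct source IPs, for events at or after `since`."""
    hits = Counter()
    sources = defaultdict(set)
    for ev in events:
        if ev.when < since:
            continue
        family = classify(ev)
        hits[family] += 1
        sources[family].add(ev.src)
    return hits, {family: len(ips) for family, ips in sources.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    counts, distinct = summarize(evs, datetime(2003, 6, 1))
    for family, n in counts.most_common():
        print(f"{family:20s} {n:4d} hits from {distinct[family]} source(s)")
```

Counting distinct sources matters as much as raw hits: two Slammer triggers from one address is one infected host re-scanning, not two, which is the difference between "my logs are jam-packed" and an estimate of how many unpatched machines are still out there.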
There are A LOT of worms out there that there are no patches for. Every time I go on IRC (zeerofuzion.net in particular) and I turn off my firewall I end up with a worm. Norton catches the worm dropping viruses/trojans, but obviously is unable to catch the worm itself. I am *fully* patched running win2k.
Religion is a gateway psychosis. -- Dave Foley
The entire physics department here got an email with the subject line "Re: hep-lat 020711 daily received" with the pif attachment.
hep-lat is the Los Alamos eprint Archive subject code for high energy physics on lattice models. The email refers to a paper on "A new proposal for the fermion doubling problem" which is supposedly attached (instead you get the .pif file)
The subject line is matched amazingly well to the recipient list. I thought "that looks interesting, I might have a look even though I probably wasn't supposed to get it."
:wq
Sorry but enterprise level and MS do not belong anywhere near each other despite what MS wants you to believe. I'm an MCSE and I can't imagine running critical services on the MS platform, user authentications, file sharing, and printing sure, but as an application platform windows server is just too bug ridden.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Strangely, our business can continue to operate without problems or delays even if the staff can't email screensavers to their friends.
I work at a local school district, where most of the teachers are appropriately computer literate. (By that I mean that they know how to do the things they need to do, but they don't have any burning need to spend a significant portion of their lives learning the inner workings of their computers.)
Most of them are using Windows, but there are a few who are still using their old Macs. When the ILOVEYOU virus was making the rounds, the email servers were crushed by the volume of mail generated by people who fell for the joke. Despite messages from the IT folks to not open attachments, people kept doing it. In fact at least one Mac user complained to the tech support group that they couldn't open the ILOVEYOU attachment in an email message.
After this fiasco, the IT folks were talking about having the email servers filter out ALL attachments. I successfully argued that they should only filter the types that have been exploited to carry malicious code. Since they implemented filtering the obvious file types, there hasn't been another infestation.
After that I was no longer sure which was worse: clueless end users or clueless IT people.
How about when "Mafiaboy" used thousands of slave Linux boxes to DDoS yahoo.com and ebay.com off the Internet for a couple days?
Before Up2date and similar tools, consumer Linux installs were the #1 hacker attack platform. Remember the t-shirt "My other computer is your Linux box"?
In contrast, right now my XP laptop is running login.scr as SYSTEM. Yup, a screen saver with system level privs.
What's your point? The login screen saver logs users in, so it makes sense that it has some sort of advanced privileges. (Maybe it doesn't need all of SYSTEM, true...)
And the screen saver is well protected in winnt, believe it or not. It runs in a separate secure desktop, just like the ctrl-alt-del desktop does.
Now I agree that the security architecture of windows has flaws, but c'mon, there's got to be a better example than login.scr...
The following sentence is true. The preceding sentence was false.
Crap. It broke my machine. I can't play GTA anymore!
Hurry! Go here to play your games with the new patch!
Windows is the same way. If people run with user rights (not admin) they are prevented from hitting anyone else. They can even be prevented from running software the admin didn't install, for that matter. Problem is, most people run as admin. It is their box after all, they'll do as they please.
You'd have the same problem with Linux. First you have brilliant distros like Lindows that run as root by default. Then you'll have tons of people who log in as root all the time for dumb reasons like "I get sick of changing users to do something" or "It's my system, I should be in complete control."
Linux does not have the ability to control stupid users, unfortunately. A good Linux system run by a competent admin sure can, but then so can any OS with good security controls. Problem is most home computers AREN'T run by a competent admin.
I disagreed with one point the article made.
BugBear then goes searching for a modem, enables it, then tries to get the computer to dial out, probably to reach the virus author. "He really wanted to get into those machines," Kuo said. U.S. financial institutions probably aren't at risk from this technique, Kuo said, because most don't have modems attached to their critical computers any more.
Today I was at Fry's Electronics, and I saw a Quickbooks POS (point of sale, not piece of shit) system on display for small to medium business. This started getting me thinking back to my earlier days of consulting.
One of the companies I did work for had a retail chain of mall stores. At night the registers would dump their management reports to our AS/400 machine and someone would make neat reports out of them. It wasn't a huge amount of data, so each store would just phone home on those really nice $300 courier modems.
Most of our store managers kept in touch with us via outlook/exchange server.
Now another interesting side note is VeriFone uses POTS lines for nearly 100% of their credit card processing. Tons of small stores have networks in them now, managers reading e-mail and such.
So which of these financial institutions has its shit so well together that they don't need modems? I just wanted to point out the author of the article is a stupidhead. Boo!
You'll see that the parent poster specifically said Desktop systems.
The point here is that we're urging people to switch their home computers over to Linux because it's "more secure." But it's still insecure enough that a common user would be vulnerable to things at least remotely like this if Linux was popular enough among home users to be worth the effort to target.
And in any case, your point isn't Linux-specific: if I was running a multi-user WinXP system and a user without admin privileges runs untrusted code, he can't mess up the other users' stuff either.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
If you're really interested -- here's my config. I have a Linksys firewall/router (BEFSX41) which I use connecting to an internal LAN. When I wanted to DCC, the Linksys box has an option called "DMZ" which will allow you to put one computer in front of the firewall.
In addition to the hardware firewall, my computer has a Kerio personal firewall and is set to only allow share access to my internal LAN (192.168.1.*). I have only the default administrative share "C$" and non-obvious passwords on default accounts.
In addition to these, I have Norton installed, Ad-aware running Ad-watch, and am running Win2k + SP3 + every update that was available up to yesterday (but not the new one that was issued today).
So what happens is, I leave the Linksys firewall open for a day or two (almost always forget to turn it off). I wake up in the morning and Norton has 100 warnings up about viruses just having appeared on my machine (keep in mind there was no one there to run programs or do something stupid). The last time it happened it tried to drop these trojans/viruses: "W32.HLLW.Nebiwo", "Backdoor.IRC.Flood.E", "W32.HLW.LOVGATE.G@MM", "W32.Pinfi".
If I reset the machine, the problem goes away and a virus scan reveals nothing! The first couple times it happened, I reinstalled my machine and I always had the same problem after being on IRC for a couple days.
Another interesting thing -- the worm couldn't/didn't infect any of the machines on my LAN, except a virtual (VMware) machine running under Linux. If the VMware machine was patched then the machine would just be infected; if the VMware machine was unpatched (I have several of them for testing) it actually crashed the Linux machine and caused a reboot.
Anyways, there could be some vulnerability on my box I'm not aware of, but it's not something dead-to-rights obvious. I am very open to alternate explanations. I suppose it doesn't have to be IRC either; someone could be randomly probing my subnet. But just the same, the room is #rareroms I have the problem with, and my nick is __odie. My solution was pretty simple: use port forwarding so I didn't have to turn the firewall off.
And! Thanks for being polite instead of telling me i'm an idiot like the other folks who replied :)
Religion is a gateway psychosis. -- Dave Foley
On Unix/Linux Desktop systems there is nothing on the system as important as the user's data in his home directory.
You can do a daily backup simply putting something like this in your crontab or in cron.daily:
tar -cjf /var/backup.tbz2 /home
But if someone get the root privileges, even the backup can be destroyed.
Moreover, root has more power than a simple user: he can set promiscuous mode, he can bind sockets on ports below 1024, he can use more resources, and so on, so if a worm / virus / trojan gets superuser powers, he can do more damage to the net, and not only to a single computer.
So, even if the computer is used as a desktop, you can limit the damage done by a virus simply by not logging in as root and being a little smart (doing backups).
I can look at some of my servers right now and see uptimes which are pushing a year.
So you are behind on how many critical patches which require a reboot? MS patches which affect SQL Server or IIS etc. and are labeled critical and have admin-level exploitation potential come out every couple of months. It's people who try to run MS boxes like they are UNIX machines that end up getting hit by Slammer or worms like this. You NEED to apply patches and reboot every couple of months at a minimum; uptimes of over 3 months usually mean there is some critical patch you missed which leaves you vulnerable.

You can have fine availability with a cluster most of the time, but some patches have to be applied to the whole cluster simultaneously because of the way they change things; the different parts of the cluster cannot be on differing patch levels or data corruption can occur.

Like I said, I have no problem with Windows for non-critical roles, and with Server 2003 maybe even for web serving (IIS 6 finally has a sane default install), but for things that are typically labeled enterprise applications (large DB, CRM, ERP, financials etc.) there is no way I would build them on the MS platforms; the alternatives are too stable to really even consider it.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.