Yet Another Windows Worm

kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computers' modems. Some of the worm's functions are designed to specially target financial institutions.' Yummy!"


  1. Alreay run into this... by Anonymous Coward · · Score: 5, Interesting

    I've already run into this with one of our banking customers... now if they'd only bought the firewall solution from us that stripped email attachments based on mime type and/or file extension (why the hell any half-way reasonable person would double-click on a .pif file in their email is beyond me). If I'd only known 10 years ago (before I was legally an adult) the kind of security that existed at some of the small to medium sized banks, I probably would have made some very different career choices--I suppose it's better this way... (Posted anonymously for obvious reasons)

    1. Re:Alreay run into this... by damiam · · Score: 3, Informative
      (why the hell any half-way reasonable person would double-click on a .pif file in their email is beyond me)

      You don't have to double-click it. It opens automatically when you preview.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    2. Re:Alreay run into this... by Anonymous Coward · · Score: 5, Informative

      Only if you are 2 years behind in your patches.

      http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

    3. Re:Alreay run into this... by Anonymous Coward · · Score: 2, Funny

      (Posted anonymously for obvious reasons)

      What, your lack of cut-and-paste skills?

    4. Re:Alreay run into this... by malia8888 · · Score: 2, Funny
      "You don't have to double-click it. It open automatically when you preview."

      We close the preview pane option on all of our computer repair customers' mail applications to keep the viruses from coming in this way.

      Then, we explain this beautiful "preview" feature works with viruses like poking holes in your son's condoms. None of them are too keen on viruses in their computers or in becoming grandparents.

      --
      Harpo Tunnel Syndrome--my wrist feels funny.
    5. Re:Alreay run into this... by Thing+1 · · Score: 5, Informative
      Here's an article on disabling windows script hosting.

      Pretty simple really; for Windows 2000:

      * Open "My Computer"
      * Select "Tools/Folder Options"
      * Click on File Types tab
      * Find VBScript Script File
      * Select Delete
      * Click OK
      For other versions of Windows, click on the link (it has instructions for 95, 98, NT and 2K; I'd imagine XP is similar to 2K but it was written in 2001 prior to XP's existence).

      I'm trying to find instructions for modifying the security in Outlook 2000 as well, so it doesn't do anything automatically without a) my approval at the very least, or b) me asking it to run an attachment.

      If anyone has pointers/links to articles on Outlook security, please post. Thanks!

      --
      I feel fantastic, and I'm still alive.
    6. Re:Alreay run into this... by LiquidCoooled · · Score: 5, Interesting

      there are plenty of people out there who are using windows 98 on a modem.
      Over the last 2 years they have allowed windows update to drip the updates to them.
      Last week Joe's hard drive crashed and he reinstalled.

      I can't see him sitting there for the next 8 hours downloading patches - sure, he will run windows update if we are lucky, but he's likely to be getting his other more important (to him) stuff set up to be worrying about critical updates.
      Waiting for a mail about college?
      Waiting for his girlfriend to get back to him?

      Whatever it is, his thoughts at best would be "I'll just quickly check my mails..........."

      I don't think it's entirely stupidity, it's human nature.

      --
      liqbase :: faster than paper
    7. Re:Alreay run into this... by Anonymous Coward · · Score: 5, Funny

      Waiting for his girlfriend to get back to him?

      This is why Linux users are less susceptible to worms...

    8. Re:Alreay run into this... by pokka · · Score: 2, Interesting

      there are plenty of people out there who are using windows 98 on a modem. Over the last 2 years they have allowed windows update to drip the updates to them. Last week Joe's hard drive crashed and he reinstalled.

      So what? That's Joe's problem. I guarantee you that if I pull out my old Redhat 6.2 discs and do a fresh install, the machine will be cracked before I have time to download the patches. And the same can be said for almost any version of any old, unpatched OS.

      The problem here is not the software, it's a person who thinks he's computer literate when he's not. If Joe doesn't know how to properly install software, he should pay someone who's qualified to do so.

    9. Re:Alreay run into this... by thogard · · Score: 2, Interesting

      I have a friend that has a pc that she brings over for me to "fix" when it gets broken. This tends to happen way too often and years ago after the 2nd or third time I rebooted it, I started a "reboot sheet" that hides inside it. Every time I reboot it while fixing it, I put a mark down. The procedure now is slap the drive in a real computer, suck down her documents, dd the image back over to the old drive. Reboot, hook it to the cable modem and do the updates while marking every reboot. Once it's stable, I copy her files back, mirror the disk over again.

      I've rebooted that thing over 200 times. How many people are going to keep doing "windows update" when they have to reboot, run it again, reboot again? Over dial out that would take hours. When I'm fixing it, it's in my lab and it may take a day or two to get it back running but the real world where people count on these things is a real mess.

      Next time it comes in, it's getting a new OS. I wonder if she'll notice.

    10. Re:Alreay run into this... by darien · · Score: 5, Funny

      This is an EXE, not a VBScript.

      That's OK. Just go into the registry and delete this branch:

      My Computer\HKEY_CLASSES_ROOT\.exe

      Reboot, and I guarantee that computer won't have a problem with rogue .exe files again.

    11. Re:Alreay run into this... by Jedi+Alec · · Score: 2, Insightful

      The procedure now is slap the drive in a real computer, suck down her documents, dd the image back over to the old drive. Reboot, hook it to the cable modem and do the updates while marking every reboot. Once it's stable, I copy her files back, mirror the disk over again.

      Ehmmm, ever considered using separate partitions for data and OS? Makes life a hell of a lot easier. And yes, you can tell Windows that D:\Stuff is where all the documents go...

      --

      People replying to my sig annoy me. That's why I change it all the time.
    12. Re:Alreay run into this... by taxman_10m · · Score: 4, Funny

      And crabs.

    13. Re:Alreay run into this... by (54)T-Dub · · Score: 2, Interesting

      I don't understand why windows doesn't make a "Update Everything" feature. When I do a fresh install, I'd like to be able to hit a button and walk away. Let the stupid thing reboot 15 times.

      I know they do this with the install procedure if you run the install from the command line, I wonder if you can do the same thing with windows update.

      --

      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    14. Re:Alreay run into this... by Cromac · · Score: 2, Informative
      Most users don't see a ".pif" extension, because Windows (at least, for a while) shipped with "hide extensions of known file types" turned on by default. All they see is "documents" (not "documents.pif"), which they probably assume is a ".zip" file or maybe a ".doc" file. In fact, they don't care what it is, they usually don't have to when there's no visible extension.

      It's actually far worse than that. Windows will still hide the .pif extension even with file extensions turned on. It's one of a few, 4 or 5 I forget how many, file types that Windows WILL NOT show the extension for.

      Try it yourself, turn on show extensions and add a .pif extension to a text file. It won't show the .pif but will change the icon to a shortcut.

    15. Re:Alreay run into this... by Darby · · Score: 2, Funny

      What's your CU's IP? I'll double check your bro's work.

      295.261.301.955

      Thanks, I really appreciate it.

  2. Blah, blah... by NetJunkie · · Score: 3, Informative

    The patch for this was out 2 years ago. No excuse.

    The virus comes in as a .exe file. You should block that. No excuse.

    AV dat files have been updated already. No excuse.

    We've been filtering this all day.... It's not that hard to protect yourself.

    1. Re:Blah, blah... by deadsaijinx* · · Score: 4, Informative

      I don't know too much about this particular virus, but I have my doubts that it's contained in an exe : "In addition, it uses a particularly nasty flaw in Microsoft's Internet Explorer program and its implementation by Microsoft's Outlook e-mail reader that allows the virus to infect machines whenever a victim simply previews an e-mail message loaded with the program." Maybe I'm wrong, but an exe isn't executed when you just preview the email, but what do I know.

      My question, Is Eudora safe?

      --
      YOU SUCK BALLS!
    2. Re:Blah, blah... by jdreed1024 · · Score: 5, Informative
      The patch for this was out 2 years ago. No excuse.

      Uh... Patch for what? I was unaware I could apply a "patch" that would prevent me from getting viruses. It exploits a user vulnerability (stupidity), not an OS one. And McAfee seems to disagree with you about when this was discovered. See here

      --
      There is no sig, there is only Zuul.
    3. Re:Blah, blah... by cookd · · Score: 3, Informative

      Well, there are some ways that a malformed header in an email can make the email reader do something stupid automatically, without requiring any action on the part of the user (i.e. execute the attachment). If the user has patched that problem, then they have to actively do something stupid (double click on the attachment and select "Run").

      --
      Time flies like an arrow. Fruit flies like a banana.
    4. Re:Blah, blah... by LucidityZero · · Score: 4, Informative

      I'm sorry, you guys are all wrong. This exploits the relatively new (Well - from November of 2002 - not 2 years in any case) iframe vulnerability in IE.

      --
      Sig.
    5. Re:Blah, blah... by repetty · · Score: 4, Funny

      "Uh... Patch for what? I was unaware I could apply a "patch" that would prevent me from getting viruses."

      Actually, there are a lot of patches for this problem... Mozilla, Evolution, Safari...

      --Richard

    6. Re:Blah, blah... by stefanlasiewski · · Score: 5, Informative

      Patch for what? ... It exploits a user vulnerability (stupidity), not an OS one.

      Patch, for the exploit in IE.

      According to Symantec and McAfee, Bugbear.B uses an IE exploit that was fixed over 2 years ago : "Outgoing messages look to make use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020)".

      --
      "Can of worms? The can is open... the worms are everywhere."
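
The gateway-side check described in the thread, as an added example (mine, not code from the thread, Symantec, McAfee or any vendor product): it strips attachments by extension, the way the first poster's firewall product did, walks every extension of the filename because Cromac notes Windows hides a trailing .pif, and flags the MS01-020 pattern stefanlasiewski quotes, where an executable attachment carries a passive (audio/image/text) MIME type. The message, filenames and payloads are constructed for the example.

```python
import email
import email.policy

# Extensions Windows runs directly when "opened". .pif and .scr are the ones the thread
# mentions; the rest are common additions to a gateway block list (assumption, not from the page).
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Major MIME types a mail reader may treat as harmless to open inline. An executable labelled
# with one of these is the MS01-020 "Incorrect MIME Header" pattern quoted in the thread.
PASSIVE_TYPES = {"audio", "image", "text", "video"}

# Constructed sample: one real attachment, one .pif mislabelled as audio, one .scr.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attached.
--b1
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

Item 1: budget.
--b1
Content-Type: audio/x-wav; name="documents.doc.pif"
Content-Disposition: attachment; filename="documents.doc.pif"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1
Content-Type: application/octet-stream; name="notes.scr"
Content-Disposition: attachment; filename="notes.scr"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""


def filename_extensions(filename):
    """All lowercase extensions of a filename: 'documents.doc.pif' -> ['.doc', '.pif'].
    Trailing dots are stripped first (Windows drops them, so 'evil.exe.' still runs)."""
    parts = filename.strip().rstrip(".").lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(part):
    """Return the reasons this MIME part should be stripped (empty list means keep it)."""
    reasons = []
    exts = filename_extensions(part.get_filename() or "")
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
        # The extension decides; the mislabelled type is reported as a second reason
        # because it marks a message crafted to exploit auto-open readers.
        if part.get_content_maintype() in PASSIVE_TYPES:
            reasons.append("labelled " + part.get_content_type() + " (MIME header mismatch)")
    return reasons


def strip_dangerous_attachments(raw_message):
    """Parse an RFC 822 message, drop matching parts, return (cleaned message, removal log)."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    removed = []
    if msg.is_multipart():
        kept = []
        for part in msg.iter_parts():
            reasons = classify_attachment(part)
            if reasons:
                removed.append((part.get_filename(), reasons))
            else:
                kept.append(part)
        msg.set_payload(kept)  # replace the subpart list with the surviving parts
    return msg, removed


if __name__ == "__main__":
    cleaned, log = strip_dangerous_attachments(SAMPLE_MESSAGE)
    for name, why in log:
        print("stripped", name, "->", "; ".join(why))
    print("parts kept:", len(list(cleaned.iter_parts())))
```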
    7. Re:Blah, blah... by cookd · · Score: 2, Insightful

      If a user is running unpatched Outlook Express, they can get the virus by previewing the email. If they are running an updated (non-vulnerable) Outlook Express or another email reader, they can STILL get the virus by running the attachment.

      Exercise for the reader: Explain how this is due to Windows SUCKING. Explain how this would not happen under Linux (assuming the attachment were a Linux executable and not a Windows executable).

      --
      Time flies like an arrow. Fruit flies like a banana.
    8. Re:Blah, blah... by Zork+the+Almighty · · Score: 3, Funny

      They should make a category for this, "Yet Another Windows Nasty", since they're not all worms [ahem].

      --

      In Soviet America the banks rob you!
    9. Re:Blah, blah... by Monkelectric · · Score: 2, Interesting

      There are A LOT of worms out there that there are no patches for. Every time I go on IRC (zeerofuzion.net in particular) and I turn off my firewall I end up with a worm. Norton catches the worm dropping viruses/trojans, but obviously is unable to catch the worm itself. I am *fully* patched running win2k.

      --

      Religion is a gateway psychosis. -- Dave Foley

    10. Re:Blah, blah... by Deathlizard · · Score: 2, Informative

      Just to add to the "No Excuse" list, If you don't have a virus scanner because it costs money, or your current Virus Scanner is asking you for money to update, uninstall it and get AVG. It's Free and it works.

      If you have a PC running windows, Especially XP with all of its Virus Friendly Features built in, The Question Isn't IF you will get a virus but WHEN

    11. Re:Blah, blah... by Zork+the+Almighty · · Score: 2, Funny

      I was thinking more in line with a trashcan, as in, "this is not news, it's more like the weather, it happens every god damn day".

      --

      In Soviet America the banks rob you!
    12. Re:Blah, blah... by ball-lightning · · Score: 2, Insightful

      If a user is running unpatched Outlook Express, they can get the virus by previewing the email. If they are running an updated (non-vulnerable) Outlook Express or another email reader, they can STILL get the virus by running the attachment.

      Exercise for the reader: Explain how this is due to Windows SUCKING. Explain how this would not happen under Linux (assuming the attachment were a Linux executable and not a Windows executable).


      I agree, I can't believe Microsoft actually thinks that the ability to "Execute" and "Open" files is a feature. Let's all switch to Linux, where opening data files and running programs are a thing of the past.


      Seriously now, if a User runs a trojan horse, that is in NO WAY the fault of the Operating System. As for the Outlook bug, yes, that was Microsoft's fault, which is what Microsoft Update is for (and don't tell me Linux doesn't need anything like that, either. Almost every day up2date is complaining about X Y Z patch I don't have).

    13. Re:Blah, blah... by Ashtead · · Score: 2, Funny
      "Yet Another Windows Nasty" abbreviated "YAWN".

      I'm all for that.

      Otherwise I think a picture of a trashcan with the legend "This is not a trashcan" would do nicely as a logo.

      --
      SIGBUS @ NO-07.308
    14. Re:Blah, blah... by Monkelectric · · Score: 2, Interesting
      Well, I am not an *expert*, but I know my stuff pretty well ... I have all the certs and the degrees, and was a sysadmin at a major university for 2.5 years (and I dealt with this kind of shit every day).

      If you're really interested -- here's my config. I have a linksys firewall/router (befsx41) which I use connecting to an internal lan. When I wanted to DCC, the linksys box has an option called "DMZ" which will allow you to put one computer in front of the firewall.

      In addition to the hardware firewall, my computer has a kerio personal firewall and is set to only allow share access to my internal lan (192.168.1.*). I have only the default administrative share "C$" and non-obvious passwords on default accounts.

      In addition to these, I have norton installed, Ad-aware running ad-watch, and am running Win2k + SP3 + every update that was available up to yesterday (but not the new one that was issued today).

      So what happens is, I leave the linksys firewall open for a day or two (almost always forget to turn it off). I wake up in the morning and norton has 100 warnings up about viruses just having appeared on my machine (keep in mind there was no one there to run programs or do something stupid). The last time it happened it tried to drop these trojans/viruses "W32.HLLW.Nebiwo", "Backdoor.IRC.Flood.E", "W32.HLW.LOVGATE.G@MM", "W32.Pinfi".

      If I reset the machine, the problem goes away and a virus scan reveals nothing! The first couple times it happened, I reinstalled my machine and I always had the same problem after being on IRC for a couple days.

      Another interesting thing -- the worm couldn't/didn't infect any of the machines on my lan, except a virtual (vmware) machine running under Linux. If the VMWARE machine was patched then the machine would just be infected, if the VMWARE machine was unpatched (I have several of them for testing) it actually crashed the linux machine and caused a reboot.

      Anyways, there could be some vulnerability on my box I'm not aware of, but its not something dead to rights obvious. I am very open to alternate explanations. I suppose it doesn't have to be IRC either, someone could be randomly probing my subnet. But just the same the room is #rareroms I have the problem with, and my nick is __odie. My solution was pretty simple, use port forwarding so I didn't have to turn the firewall off.

      And! Thanks for being polite instead of telling me i'm an idiot like the other folks who replied :)

      --

      Religion is a gateway psychosis. -- Dave Foley

    15. Re:Blah, blah... by Alioth · · Score: 2, Informative

      They could be exploits against your IRC client, especially if you're running a ubiquitous, scriptable one (can you say mIRC?)

      Try a different IRC client, such as XChat for Windows, and see if it keeps happening. If it magically goes away you've found the culprit.

  3. Frustratingly typical day in the life of Microsoft by dtolton · · Score: 5, Insightful

    It's frustrating how many viruses Windows keeps getting slammed with.
    There are some people that will point to a Linux worm or virus here
    or there, but I run both Windows and Linux servers and there is
    simply no comparison with the amount of worms Windows based machines
    receive. Some people say it's because Windows is much more prevalent
    than the Linux, but there are a lot of servers running Linux now.

    The amount of work required to keep up with just doing updates has
    finally gotten to me. Last night I noticed my Windows server was
    sending packets like mad, suspicious I did a netstat -an, it was
    making connections to hundreds of other machines. Tired of this
    dance, I decided to just shut the windows server down. Maybe one day
    I'll patch it...then again, maybe I'll just leave it shut down for
    good.

    Interestingly, my GNU\Debian Linux box is happily sitting right next
    to it serving up pages. I haven't had to reboot it in ages, I imagine
    it will be running until a nifty new kernel comes out that I just
    have to have.

    See ya Microsoft.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
  4. it's a good one! by thomasmd · · Score: 5, Interesting

    This one spread through my university like wildfire today! It even seems to fake Norton virus definition updating, such that the computer appears to be updating its virus definitions but isn't. It seemed to spread via hijacked messages that it attached itself to.

    1. Re:it's a good one! by Cruciform · · Score: 2, Interesting

      It hit us with email showing a fake error response from our Wiki. Only a couple of people got infected, which is typical for our office. Most people have learned not to open attachments they don't recognize.

      The scary thing is how much it looked like a valid bug report, combining an infected user's previous submission with falsified info that fit the context.

      Freakish.

      The antivirus software accompanying MDaemon (Win32) didn't catch it, so if you're running that try doing an independent scan with something else.

    2. Re:it's a good one! by Megane · · Score: 2, Interesting
      I got a bunch of these today too. Looks like it goes through the victim's stored e-mail, picks a message at random, using the headers and a couple hundred bytes of the body, then spits it out with a copy of the worm attached. One of them that I got used the "Welcome to Outlook Express" message that appears in a fresh install of Outhouse.

      This is a great way for the worm to get likely seeming messages to fool more victims.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  5. New M$ initiative by Strudelkugel · · Score: 4, Funny

    I never have a problem with these worms. I downloaded Windows Robin(TM) a long time ago!

    --
    Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
  6. It's a fun one. by offpath3 · · Score: 4, Interesting

    This virus has been hitting a bunch of people over here at Stanford since sometime yesterday. It takes random messages from your inbox and forwards them to random people in your contact list and spoofs the sender. I've received a lot of weird emails lately, but some of my neighbors have seen some pretty personal emails sent or received by their friends and acquaintances. People hitting on people, people asking their parents for money, rejection letters from companies... the whole works. Our SMTP server has been completely shut down to stop the spread!

    1. Re:It's a fun one. by ejaw5 · · Score: 4, Informative

      This is precisely the reason why I PGP digitally sign all my email. Almost a year ago, someone on a mailing list for one of my University groups got a virus on their computer sending out spoofed email and/or virus. One of them happened to have my name (email address only) on it. I was lucky to not lose any face from it, but it was very unsettling for me. Now I can say if it doesn't have a signature, it ain't mine

      --

      $cat /dev/random > Sig
  7. Tell me about it. by Alcimedes · · Score: 4, Informative

    This sucker ripped through our campus like nothing. Heuristics missed it, and the definitions weren't updated until a few hours after a few hundred machines got nailed.

    the annoying part is that as complex as you can make software, you can't fix the people who are morons, which is where the real problem lies.

    oh well.

  8. Poor Windows.... by Dr.+Photo · · Score: 5, Funny

    It's time to face the facts: Windows just isn't ready for the desktop.

  9. How to Fix MS Software by MBCook · · Score: 5, Interesting
    ... and in some cases even attempts to control infected computers' modems.

    Seems to me that would be the way to get these things fixed permanently. Make a worm that would call MS tech support on peoples modems. Or any other MS 800 number. Until something costs them a LOT of money, these will continue to show up.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:How to Fix MS Software by parkanoid · · Score: 3, Interesting

      No, it's like suing ford because the doors in your car don't lock factory-standard, and fixing them requires a professional mechanic and a pile of manuals, and any further repairs to the car might break the door again. And did I mention the gigantic neon sign on the roof stating "ROB ME PLEASE!"?

  10. Modem.. by JohnFluxx · · Score: 2, Insightful

    Can anyone tell me why it bothers to try connecting to the internet so hard?

    The article says that an infected machine will try to get on to the internet, and will try dialing the modem if it has to.

    Surely the most interesting machines are those with fast good connections - not people on crappy slow modems...

    This is from the assumption that the computers would be used for a DDoS.
    Has a worm ever been used for anything other than a DDoS?

    1. Re:Modem.. by CausticWindow · · Score: 2, Informative

      If some program tries to open a socket through the Windows TCP/IP stack, and you have configured it (in Internet Options) to dial when needed, Winsock will do so.

      This has got nothing to do with this particular worm. It doesn't know whether the line is a t1 or a 33.6 modem line.

      --
      How small a thought it takes to fill a whole life
    2. Re:Modem.. by bhtooefr · · Score: 3, Interesting

      They said that it attacked banks (it appears to be a backdoor bank heist worm). Someone said that US banks would probably not be affected, but a lot of third-world banks that do have a 56K could get hit.

    3. Re:Modem.. by General+Sherman · · Score: 2, Insightful

      You obviously just started using computers. Worms can be used for everything, in fact, this one doesn't DDos, it sets up a keylogger to get your passwords and opens back doors, which while possibly for DDos attacks, might not be.

      Worms are very good at sneaking around unnoticed until a certain time is hit, then they all do something at the same moment. Very bad for a company if it's infected most of the computers. It can also do more subtle things, such as get your online banking passwords, send them to the creator, and then delete itself, without you ever knowing.

      --
      - Sherman
    4. Re:Modem.. by dorko · · Score: 5, Interesting
      Bzzt. Wrong. Thanks for playing.

      This worm does try hard to get on the 'net. Copied from Symantec.

      If W32.Bugbear.B determines that the default e-mail address for the local system belongs to a banking company, it enables auto-dialing through the registry.
      This is accomplished by setting the following value:
      "EnableAutodial"="0000001"
      in the registry key

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
      The worm contains a large list (over one thousand) of targeted bank domain names from around the world. This is likely in an attempt to steal passwords more effectively. Therefore, banking institutions may be considered to be more at risk.
      Looks like they're trying to obtain passwords to bank specific systems.
    5. Re:Modem.. by Drakonite · · Score: 2, Interesting
      Has a worm ever been used for anything other than a DDoS?

      Yes... Lots of things... My old school had an office macro worm spreading across all its computers (and I'd assume making its way to students' homes as well..) which only had the purpose of screwing up saves and saying some message on a certain day.

      After getting hit by that worm personally I made my own beneficial worm to spread across the school's network... which would automagically spread and clean out the bad worm, alert the user of the problem being removed, and IIRC would automagically remove itself after a certain date so it wasn't too intrusive.

      See, not all worms are for DDoS ;) Some are actually good things.

      --
      Shoot Pixels, Not People!
  11. Re:and again by CausticWindow · · Score: 4, Insightful

    A much better solution than b), is to completely remove Outlook. Especially if you're only using it as a mail reader.

    --
    How small a thought it takes to fill a whole life
  12. Re:Frustratingly typical day in the life of Micros by TheGrayArea · · Score: 4, Insightful

    Give it time. As Linux permeates industry and business it will start getting more attention from the virus writers. It's all a matter of ROI. Right now, attacking windows has a very high ROI.

    --

    This space for rent.
  13. Patch Available by Eberlin · · Score: 5, Funny

    Quick, get your patch here

    1. Re:Patch Available by NanoGator · · Score: 4, Funny

      "Quick, get your patch here"

      Crap. It broke my machine. I can't play GTA anymore!

      --
      "Derp de derp."
    2. Re:Patch Available by damiam · · Score: 5, Informative
      Crap. It broke my machine. I can't play GTA anymore!

      Sure you can.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    3. Re:Patch Available by Kashif+Shaikh · · Score: 2, Interesting

      Crap. It broke my machine. I can't play GTA anymore!

      Hurry! Go here to play your games with the new patch!

  14. Conflict of intrest... by c0dedude · · Score: 2, Insightful

    You know, we should get our information from a reputable and IT source like symantec who provides details on how to remove it rather than a news source owned by the people who make windows, the vulnerable software.

    --
    Since when has this country used intellectual elite as a pejorative term?
    1. Re:Conflict of intrest... by bstadil · · Score: 3, Insightful
      Well Symantec is not above Conflict of Interest.

      They consistently overplay the danger of computer infections, as the more scared people are the more biz they will make.

      Look at their ads and see what scare tactics they use.

      --
      Help fight continental drift.
  15. Re:Frustratingly typical day in the life of Micros by dtolton · · Score: 5, Informative

    Yeah, because it's a lot of work to set windows to do updates automatically. Just a troll, nothing to see here.

    You obviously don't administer servers with Enterprise Level Code. If you did, you'd know that with Microsoft you can't simply use automatic updates. Microsoft Service Packs break systems all the time. If you run ASP.NET and Sql Server code, you get bitch slapped every time they release a service pack or "security fix". They consistently change functionality, without warning. Then they just post on their website (three months later) that the service pack changed the way some undocumented feature worked, but you weren't supposed to use it that way anyway, so tough shit.

    Ha!! Automatic updates my ass.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
  16. Commercial Idea by div_2n · · Score: 4, Insightful

    I am surprised Red Hat or some other company doesn't take advantage of heavy Windows worm activity.

    "Did you get hit by that new worm?"

    "No, I run Linux."

    1. Re:Commercial Idea by NanoGator · · Score: 4, Funny
      "Did you get hit by that new worm?"

      "No, I run Linux."


      "Do you read PC Gamer?"

      "No, I run Linux."
      --
      "Derp de derp."
    2. Re:Commercial Idea by clowe · · Score: 4, Funny

      "Do you have a sex life?"

      "No, I run Linux."

    3. Re:Commercial Idea by Dr.+Photo · · Score: 4, Funny

      "Do you read PC Gamer?"

      "No, I run Linux."


      Y'know, the money you save by not buying Windows and Office will more than pay for your 2 game consoles of choice. Or, if your two consoles of choice are out of stock, you could just get an X-box.

    4. Re:Commercial Idea by _Sprocket_ · · Score: 5, Funny

      Close. I believe the quote actually goes...

      "Do you have a sex life?"

      "No, I read PC Gamer."

    5. Re:Commercial Idea by overbom · · Score: 2, Funny

      "Do you have a sex life?"

      "Does porn count?"

  17. This went through my workplace like wildfire today by Chyeburashka · · Score: 2, Informative
    I don't know the damage yet, but hundreds of PCs running that other OS were infected. One interesting thing is it opens port 1080, which is normally used by MSN messenger. Try this on your network:

    nmap -sN -p 1080 AAA.BBB.CCC.*
    and
    nmap -sT -p 1080 AAA.BBB.CCC.*

    Check out the machines with port 1080 open. Then switch to a less infectious OS.

  18. Re:Frustratingly typical day in the life of Micros by a_timid_mouse · · Score: 4, Insightful

    Yes, but as with any *NIX, the damage Joe Luser can cause is significantly curtailed to their own userspace. The virus would need to take advantage of a root-level vulnerability to infect an entire machine. Not so with most Windows default configs.

  19. Re:Frustratingly typical day in the life of Micros by spurious+cowherd · · Score: 5, Insightful

    *tweet*

    time out.

    any admin who sets production servers to be "automatically updated" deserves to be terminated with prejudice.

    you test all patches before deployment.

    --

    Time flies like an arrow, fruit flies like a banana.

  20. It's a nasty one by jdreed1024 · · Score: 5, Interesting
    This hit MIT starting this morning. It's quite clever about where it gets the addresses and e-mails from. It knows how to scan the mailbox formats of many common e-mail clients, not just Outlook. It sends itself as an attachment to actual messages from the infected user's inbox. So the body is not something obvious ("I send you this file to have your advice"). I actually thought several of the messages I received were real, since they pertained to recent business around campus. (I didn't open the attachments, of course, seeing the .scr extension - not that it does much to an OS X box). Its backdoor runs on a fairly standard port (1080) that's used for plenty of legitimate apps (proxy servers) so scanning your network for open ports won't necessarily find it for you (as opposed to scanning and seeing that port 31337 is open, or something like that, which is obviously "wrong"). The keylogger component is quite scary too. It's one of the more advanced viruses I've seen recently...

    On a related note, anti-virus programs is one place where I can actually see a potential useful application of "trusted computing" (no, not necessarily Palladium). If there could be some way to tell the OS "Look, I don't care if you're the administrator or not: the only programs that are allowed to terminate the anti-virus scanner process are the scanner itself, and, say, Task Manager". By using keys to prove their identity, it _might_ make it a lot harder for virii to terminate anti-virus programs. (Note to slashbots: I'm not saying Palladium is good because it will do this (I don't even know if it does). I'm saying this is one potential application of some as-yet-undeveloped implementation of "trusted computing".)

    --
    There is no sig, there is only Zuul.
    1. Re:It's a nasty one by karlm · · Score: 4, Informative
      Your proposal is doable on any standard hardware that offers memory protection, no cryptographic keys needed.

      If a program was able to tell the OS that it could be shut down by programs signed by keys A, B, and C, that would suffice. You modify the PE or Elf format to include signatures. Mandatory Access Controls can also prevent one program run by user D from killing another program run by user D.

      Making users non-administrators and running virus checkers as separate users would also prevent some potential problems. Mail clients could use IPC to pass emails to the virus checkers and get a thumbs-up or thumbs-down.

      Now, as far as Palladium goes, I think there's a pretty simple alternative.

      Really what I'd like to see is L4 or another nanokernel and a few low-level drivers in the firmware along with a Forth interpreter for OpenFirmware. Your firmware would be a viable but minimalist OS, where before booting you could edit the fingerprints of PKs allowed to sign kernels. Booting would simply be playing two-kernel-monte with the firmware kernel and a signed kernel off the HD. 1 MB and 2 MB EEPROMs are cheap enough that putting a viable OS in the firmware is looking quite attractive. Imagine having a rescue floppy built into your mobo. The QNX demo floppy shows you can do a hell of a lot in 1,440 KB.

      My SGI Indy firmware loads the Linux kernel directly off the HD and directly executes it. The firmware doesn't have a fully functional kernel like LinuxBIOS, but it suffices for a bootloader in firmware. It would be easy to add signature checking to the process, along with a small menu for entering/deleting PK fingerprints. If you ship with the fingerprints from the dozen most common OS vendors, 99.99% of people will not touch the settings or know they're even there, but you still get all of the integrity guarantees of Palladium. You would of course make NVRAM locked out at a hardware level during the boot process, which could only be undone by triggering a POST. This solution requires no new hardware besides the NVRAM lockout, and the NVRAM lockout really isn't that important if you can assume the OS will prevent writing to NVRAM. The NVRAM lockout could be skipped in the first generation for the sake of easing adoption.

      Like I said earlier, my SGI firmware already does most of what's needed, as does LinuxBIOS. Apple and Sun firmware is already quite advanced and I don't imagine adding the required functionality would be that hard. Really the only advantage Palladium adds over current hardware with a BIOS upgrade is DRM. Palladium also carries a lot of baggage. I would love to see AMD come out with an improved x86-64 BIOS that includes most of the bootloader along with signature checking, if not a full nanokernel OS in firmware. Hardware NVRAM locking would also be nice.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  21. Fools! by displaced80 · · Score: 5, Interesting

    Any readers in the UK with Sky Digital, switch to channel 268.

    Overnight, the channel plays a Flash-based word game, where viewers SMS in answers. It's running on a Windows PC, and the screen currently being broadcast to 7 million homes is....

    McAfee dialog box: 'bugbear.b High Virus Advisory....'

    Hmmm.

    (wandering OT - the channel, 'Friendly TV' is apparently being run by students on work experience. A nightly live-broadcast show is 'Girl Talk', where... girls... talk... about... things. Whatever comes into their heads. Oh, and they get progressively more drunk as the evening progresses, which no doubt helps.)

    --
    What's the frequency, Kenneth?
  22. ugh by JanusFury · · Score: 2, Insightful

    Am I the only person who's tired of hearing about the latest way for idiots to screw up their computer and infect dozens of other computers used by similarly idiotic people? I mean, come on... Haven't there been patches and security measures around for years that prevent viruses like this one from infecting your PC?

    I guess it is helpful for admins to see virus warnings on slashdot though.

    --
    using namespace slashdot;
    troll::post();
  23. Re:This went through my workplace like wildfire to by i+am+lose+cannon!! · · Score: 2, Interesting

    MSN Messenger normally connects to remote port 1863. It doesn't listen on any local ports, and the local port it connects from is usually random (and definitely not 1080).

  24. this is why.. by cfscript · · Score: 3, Interesting

    you know..

    for the longest time, i've been attempting to defend windows ever since 2k stopped being the 'absolute junk' syndrome. i read about this earlier in the day, and started ranting in irc.

    well, since it's easier to bitch than act, i decided to act. i went directly to the local apple store and bought an ibook.

    i have -never- been happier. this is literally the best of breed machine i have ever used. all the benefits of unix without the hassle of windows.

    so, this is totally offtopic, but as a govt. employee who deals with this sort of thing every day, my old home pc is now strictly a local lan CF/oracle development box, and every damn machine i buy from now on will be apple.

    --
    Are you MORE than your SPINAL COLUMN?
    1. Re:this is why.. by zuhl · · Score: 2, Informative


      Welcome to the Land of "Everything Just Works"

      You know, it's interesting, I bought my wife a Canon S400 digital camera for her birthday last month and after we had used it for about a week, she came downstairs with the box and a disk or two in it. She said, "Did you already install this software on the iMac?" I said, "Nope, didn't need to."

      Which got me thinking. Having been a Mac guy for a long time, I have come to expect things like digital cameras and whatnot to "just work" without much fuss or muss. My wife said, "so you mean you just plugged in the camera and it worked?" Me, "Yep." She, "Amazing." Certainly Windows has software like iMovie and iPhoto, but nothing seems to beat what Apple has churned out in the last few years.

      Apple is NOT the savior of the universe, by any means. Be prepared to be somewhat exasperated on occasion, but mostly they make nice hardware and have a set of software on the machine that really is great. Thousands of great mainstream apps (Photoshop, MS Office, a "smattering" of games, etc.) + amazing development environment a free download away + UNIXy goodness is a great combo. You'll never look back. Promise.

  25. And again.... by NetJunkie · · Score: 2, Insightful

    If your company got hit go ask your network admin why they aren't blocking ANY executable email attachment. Then go ask their boss.

    IT'S NOT HARD PEOPLE.

  26. For some value of "interesting," maybe by Motherfucking+Shit · · Score: 4, Insightful
    The article says that an infected machine will try to get on to the internet, and will try dialing the modem if it has to. Surely the most interesting machines are those with fast good connections - not people on crappy slow modems...
    No, the most interesting machines are those which aren't connected to the public network at all. The servers at your bank which track your balance, those mysterious "power grid" servers that HomeSec keeps spreading cyberterror FUD about, military computers with Top Secret documents, etc.

    These machines are unlikely to be interfaced with a public net at all, especially not sitting on a fat pipe; but many of them have to network _somehow_. Regular modems, ISDN, etc. aren't quite dead yet.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  27. Educate the user by Anonymous Coward · · Score: 5, Insightful

    The people that open these attachments aren't system admins. They aren't network programmers. They aren't even computer literate half the time. Most of the time they treat the computer like a magical device that mysteriously allows them to type and send mail very fast. My mom doesn't even know what a zip/exe/jpg file is. I think it is hard for us to imagine not knowing what we know about computers, but the fact is, that most people using computers don't know a fraction as much as anyone reading slashdot. In fact, most of these "virus" are technically trojans. They are all exploiting the ignorance of the user to mass infect others. There is nothing any operating system can do to stop this. If we were all running Linux, more people would be tricked into running as a SuperUser or Root or some other exploit virus programmers would find. In the end, it's not which is it the right operating system, but have we educated the person behind the machine.

    1. Re:Educate the user by Thomas+Wendell · · Score: 2, Interesting

      I work at a local school district, where most of the teachers are appropriately computer literate. (By that I mean that they know how to do the things they need to do, but they don't have any burning need to spend a significant portion of their lives learning the inner workings of their computers.)

      Most of them are using Windows, but there are a few who are still using their old Macs. When the ILOVEYOU virus was making the rounds, the email servers were crushed by the volume of mail generated by people who fell for the joke. Despite messages from the IT folks to not open attachments, people kept doing it. In fact at least one Mac user complained to the tech support group that they couldn't open the ILOVEYOU attachment in an email message.

      After this fiasco, the IT folks were talking about having the email servers filter out ALL attachments. I successfully argued that they should only filter the types that have been exploited to carry malicious code. Since they implemented filtering the obvious file types, there hasn't been another infestation.

      After that I was no longer sure which was worse: clueless end users or clueless IT people.

  28. MS irony.... by Vaughn+Anderson · · Score: 2, Insightful
    From the MSN report...

    In addition, it uses a particularly nasty flaw in Microsoft's Internet Explorer program and its implementation by Microsoft's Outlook e-mail reader that allows the virus to infect machines whenever a victim simply previews an e-mail message loaded with the program.

    Yet (as of this post) CNN mentions nothing of the fact that this is another virus that takes advantage of a Microsoft flaw...

    And at the bottom of the MSN page: "MSN - More Useful Everyday"

    ah the irony of having your own news company...

  29. Once you've gone hack, you'll never go back by Phronesis · · Score: 3, Funny

    What do you mean? Linux is my sex life!

  30. The Outlook exploit... by SIGBUS · · Score: 5, Informative

    ...is one involving how it handles MIME types, especially within IFRAMEs. What happens is, the message headers will say it's one type, such as audio/x-midi, while the payload is really an EXE file, sometimes misidentified as a .bat or a .pif. The unpatched Outlook or OE thinks, "Ah, a MIDI file! Let's play it!" and blithely passes it to the OS, which thinks, "Ah, an executable! Let's run it!".

    One more example of why HTML doesn't belong in email, aside from web bugs and other BS.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
  31. Re:Frustratingly typical day in the life of Micros by Osty · · Score: 5, Insightful

    And if they didn't repel attacks, that would be almost good too.

    Because there's nothing quite like a 100,000 machine-strong DDoS network of Redhat machines on cable modems. I hope you meant that if machines are not repelling attacks, then that would prompt bug fixes. However, as you see in the Windows world, most attacks are targeted at already-fixed issues. The machines that get infected are the ones that didn't stay up to date (or in lots of cases a few years ago, were running software they shouldn't be running, like personal Redhat machines running BIND because it was installed and started by default in an "install everything" scenario, the installation option used by most newbies because they're afraid of missing something during the initial install and not knowing how to install it later).


    No, successful virus/worm/hax0r infections are never desired. Better for the issues to be found by competent and moral ("moral" being that they don't use the exploit maliciously) people before a major virus or worm is written. There are excellent patch distribution channels for both Windows and Linux these days. People really should use them. And for production servers that don't use them because they need to do validation before deploying the fix, they need to get off their asses and do the validation. There's no excuse for a 2 year old bug causing issues now. That's 1 year, 11 months, and 3 weeks of laziness (assuming it takes about a week to do a validation and deploy the fix and any resulting changes).

  32. JDBGMGR!!!!! by simetra · · Score: 2, Funny

    I knew that damn little teddy bear icon in my windows directory was up to no good!!!!!

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  33. Come on people, patch your OS's by stefanlasiewski · · Score: 4, Interesting

    You can fix the OS, but you can't fix the users. People who get hit by this have nobody to blame but themselves (or their Windows administrator).

    Microsoft fixed this vulnerability more than 2 years ago. Why do people not update their software?

    According to Symantec, Bugbear.B "uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability".

    --
    "Can of worms? The can is open... the worms are everywhere."
  34. Re:This went through my workplace like wildfire to by MeanMF · · Score: 4, Interesting

    One interesting thing is it opens port 1080, which is normally used by MSN messenger

    Sounds like you're using a Socks server to connect to MSN - 1080 is the default Socks proxy port, not MSN messenger.

  35. Just in time... by gmuslera · · Score: 2, Interesting

    ... to reply to mi2g claims that Linux is more hacked than Windows. Now you have hundreds of windows computers in your near vicinity waiting to be hacked thru port 1080. I think that at the rate of infection of this last worm, in very few days (Sunday?) it will be the most widely distributed computer worm ever.

  36. Re:Woah.... by mrjohnson · · Score: 3, Funny

    download the removal utility.

  37. Re:Reread that again. by jdreed1024 · · Score: 2, Informative

    Um, this virus does not require the IE hole to spread. Having the IE hole certainly helps it to spread, but patching the hole won't kill the spread of this virus. All it requires is a client that is stupid about downloading and executing attachments. Or a user that does the same thing. I know of at least 3 people who use Eudora who got infected by this.

    --
    There is no sig, there is only Zuul.
  38. old bullshit. by Erris · · Score: 4, Informative
    Ah, there's no troll like an old troll, "Free software does not get worms because no one uses it and no one hates it." As you phrased it,

    Just wait until:
    a.) Everybody decides to hate Linus.
    b.) Linux machines can be counted in the millions.

    a. is unlikely. How can anyone hate free software? Oh yeah, it's putting you out of business. Microsoft does an admirable job of astroturfing congressmen and Slashdot, but they have yet to put out a good free software worm. The intersection of people with the skill to write free software worms and the number of people who hate free software is vanishingly small. Competent people like free software, get used to it. Windoze on the other hand is just about universally hated and just as easy to break.

    b. Linux machines can be counted in the millions. Desktop machines. If you figure 10% of US desktops are running some form of free software, you get millions of computers. The rest of the world has plenty of free computers as well. Yet I don't see anything breaking down mutt, pine, balsa or even Mozilla's email client. AOL's windowze messenger once had a problem but only on Microsoft platforms. GAIM and others had no problems at all.

    To sum it all up for you, nothing is as bad as the Microsoft monoculture of poor quality software. Free software is more diverse, of better quality and is universally loved.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:old bullshit. by nathanh · · Score: 4, Insightful
      Yet I don't see anything breaking down mutt, pine, balsa or even Mozilla's email client.

      Pine has had a number of problems with maliciously coded attachments. These were real-world exploits, not theoretical ones.

      Linux isn't immune from viruses - email or otherwise - even though in practise it suffers less. The troll before you was telling a half-truth when he claimed that Linux is safer because (a) everybody loves Linux even though (b) nobody uses it. Those two factors are real and they do contribute; it's silly to deny it. However there are dozens of other factors, eg:

      • Less integration between desktop apps means fewer unexpected side-effects. Expect this to change for the worse as KDE and GNOME add more features.
      • Better designed server apps: I believe that in general Linux (and UNIX) have server apps that were designed with security in mind. Though there are always exceptions.
      • Greater diversity in hardware and software platforms; makes it much harder to write a UNIX virus and it's much harder for a poorly written virus to spread.
      • ...

      Protecting Linux against viruses is one of those "eternal vigilance" things. Don't get smug because Linux is relatively free from problems today while Windows is copping a flogging. Yes, I think Microsoft brought most of it on themselves and yes, I think Linux (and UNIX) is more immune by design. However I think it's naive to think that things will stay like this forever. Linux viruses are on their way. Be ready to eat your words in 5 years time when Linux becomes more popular and Linux viruses become commonplace.

  39. Re:Frustratingly typical day in the life of Micros by LiquidCoooled · · Score: 2, Informative

    this virus attempts to spread via the LAN.
    it is not soley email borne.

    --
    liqbase :: faster than paper
  40. Re:and again by DarkZero · · Score: 3, Informative

    And once again, those of us who know how to configure our windows systems and aren't stupid enough to (a) have open network shares with no passwords and (b) open random email attachments are safe. (emphasis mine)

    Please read the fucking article. Not only is the email attachment not random, because it pretends to be a reply to an email that you've recently sent to an infected person (among other tricks), but it also doesn't have to be opened, because it uses an IE exploit to run itself as soon as it shows up in Outlook's preview window.

  41. Re:Not just a .exe by gmuslera · · Score: 2, Informative

    At my work I filter email viruses with Anomy Sanitizer, scanning them with an antivirus and, even if it doesn't detect a virus, renaming executable extensions like those ones, defusing active html and dangerous mime types and more. Anyway, today I received copies of Bugbear at a rate that I thought would be possible only with an internal infection, and it made me doubt how well it was working. But after checking mail logs, it turned out to be just mail coming from outside. I wonder what will happen in the next few days, but in some places it could make the internet unusable.

  42. The Fun Of Reading Other People's E-Mail by KU_Fletch · · Score: 5, Funny

    Our University is being hit hard, especially because almost all classes and departments have these massive listservs and the listserv software is so archaic that it doesn't have viral replication blocking. Oh well, at least I get the personal enjoyment of reading other people's e-mails that get cloned. So far I've got 2 that involve people talking about me behind my back. There's always a golden lining people.

    --
    It's not stupid. It's advanced.
    1. Re:The Fun Of Reading Other People's E-Mail by Anonymous Coward · · Score: 2, Funny

      That's not exactly golden; Sounds like a consensus is forming that you are a shit.

  43. Re:Frustratingly typical day in the life of Micros by nolife · · Score: 5, Informative

    Yeah, just imagine if something like Apache gets popular, imagine the havoc people could cause with uptimes on those OS's.

    Yes, the server community is different from userland and every piece of software will have its flaws, but popularity is not proportional to the amount of worms and viruses, lack of quality is.

    --
    Bad boys rape our young girls but Violet gives willingly.
  44. In defense of the users. by U2BG · · Score: 2, Insightful

    I'm not going to defend Microsoft, but I will defend the users. This worm sends emails that look VERY much like ones that a user has sent or received. It really is a well designed "social engineering" virus.

    Since our users had not had a virus hit their desk for 2 years, thanks to NOD32, they were really not expecting this one!

    Cheers, Ben.

  45. This is amazing by nihilogos · · Score: 4, Interesting

    The entire physics department here got an email with the subject line "Re: hep-lat 020711 daily received" with the pif attachment.

    hep-lat is the Los Alamos eprint Archive subject code for high energy physics on lattice models. The email refers to a paper on "A new proposal for the fermion doubling problem" which is supposedly attached (instead you get the .pif file)

    The subject line is matched amazingly well to the recipient list. I thought "that looks interesting, I might have a look even though I probably wasn't supposed to get it."

    --
    :wq
  46. An Idea? by eonblueye · · Score: 3, Funny

    handy little solution that has been around for a while.. (jpeg image file)

    --
    +++ David Watts 5495 0.0 0.5 1888 884
  47. Re:windows vs *nix by Parinioa · · Score: 3, Insightful

    The main reason why *nix boxes don't have anywhere near the number of virii infect them is because the average *nix user has had to set the box up themselves and had to go through the learning curve that is involved in that. Anyone who has got enough knowledge to set up a *nix box (and in reality most people that actually are able to install windows) have enough general computer sense to not catch virii. I personally hate virus scanners as they just take up my resources. Periodic scans let me know that I am not just overconfident that I am invulnerable, but in fact paying enough attention to what I do on a regular basis to delete the emails with attachments like 'happy99.exe' even though I don't in truth _know_ that it is in fact a virus. *nix isn't really a safer OS from virii, it just has a better trained user base.

  48. Re:windows vs *nix - un-informed is un-informed by Soko · · Score: 5, Insightful

    that's not really true though, since there are holes in windows that have been there since windows version 1. Sure there are holes in any program, but at least most of the unix/linux/macos viruses don't cause the computer to crash. In almost every case, unix/linux/bsd viruses are really just exploiting a single program.

    The point being...? Really, you have done nothing to assist our underinformed cyrax777. Let me help, please.

    First, causing the box to crash or not is irrelevant, as is what program allowed the compromise - a compromised machine is no longer yours. Time to re-install the whole machine.

    The reason *nix is much harder to infect in the first place is users run with user privileges, as do all the child processes that they create. Thus, the e-mail client cannot over-write any system files since it lacks the authority to do so. This is where "rooting" the box comes from - you need to elevate your normal privs to super user status in order to do any real damage. You can tell most *nixes that "This user account can never elevate its privileges", and it likely never will. System services, like say the Apache HTTP server, are usually set up to run as under-privileged users as well, so compromising them leads to even more difficulty controlling the whole machine - there's very few openings in the *nix security armour. In contrast, right now my XP laptop is running login.scr as SYSTEM. Yup, a screen saver with system level privs. IIS on NT/Win2K is the same way - out of the box it runs under the SYSTEM account. If one of these is compromised, it's not your machine anymore. Now you know where a lot of the issues with Windows security lie.

    This reflects one of the design philosophies of *nix: only give users the privileges they need, and have a huge, well defined wall between them and the system. Windows seems to come from the other end - give it all, and try to take away what's dangerous. IMHO, that's where Windows fails - miserably.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  49. Re:Frustratingly typical day in the life of Micros by afidel · · Score: 4, Interesting

    Sorry but enterprise level and MS do not belong anywhere near each other despite what MS wants you to believe. I'm an MCSE and I can't imagine running critical services on the MS platform, user authentications, file sharing, and printing sure, but as an application platform windows server is just too bug ridden.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  50. Re:Frustratingly typical day in the life of Micros by SN74S181 · · Score: 5, Insightful

    Here's a secret you might not know:

    On Unix/Linux Desktop systems there is nothing on the system as important as the user's data in his home directory.

    So the whole notion that trojans/worms etc. can't hurt the systems that 'mere users' will be using as there is more and more of a push to Linux desktop systems is just plain nonsense. If it wipes out an employee's whole writeable diskspace, it's done all the damage it could possibly do. Nobody cares that everything that rolled off the Install CD is still there and might even be pristine.

  51. Re:and that will work how? by Kris_J · · Score: 4, Interesting
    do the users know that openme.doc.scr is more likely to be a virus than flowerbox.scr?
    Which is why all .pif, .scr, .exe files are blocked at the email server, in or out. And why anything with double-barreled extensions (.doc.pdf) are also killed, or anything with heaps of whitespace in the name. The message is in place of the attachment.

    Strangely, our business can continue to operate without problems or delays even if the staff can't email screensavers to their friends.
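    An added example, written for this thread and not code from any poster or from Anomy Sanitizer: a small Python gateway-side check that flags the tricks described in item 30 (an executable payload declared as a harmless type, plus an IFRAME pointing at it by Content-ID) and the attachment rules from item 51 (blocked extensions, double-barreled extensions, whitespace-padded names). The sample messages are constructed, the extension list is an assumption, and the worm's real messages are not reproduced.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Extensions the thread recommends blocking outright at the mail server (assumed list).
BLOCKED_EXT = {".pif", ".scr", ".exe", ".bat", ".com", ".vbs", ".cmd"}
# Types a mail client hands to a passive viewer/player; an executable declared as one
# of these is the "audio/x-midi header, EXE payload" trick described in item 30.
PASSIVE_TYPES = ("audio/", "image/", "video/", "text/")
PE_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable
IFRAME_CID = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:", re.IGNORECASE)


def attachment_findings(filename, ctype, payload):
    """Return a list of human-readable findings for one attachment."""
    findings = []
    name = filename or "<unnamed>"
    pieces = name.lower().split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    if ext in BLOCKED_EXT:
        findings.append(f"{name}: blocked extension {ext}")
    if len(pieces) >= 3:
        findings.append(f"{name}: double-barreled extension")
    if re.search(r"\s{3,}", name):
        findings.append(f"{name}: whitespace run hides the real extension")
    if payload.startswith(PE_MAGIC) and ctype.startswith(PASSIVE_TYPES):
        findings.append(f"{name}: declared {ctype} but payload is a PE executable")
    return findings


def check_message(raw):
    """Walk every MIME part of a raw RFC 822 message and collect findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # An IFRAME whose source is an attachment's Content-ID auto-loads that
        # attachment when the message is merely previewed.
        if ctype == "text/html" and IFRAME_CID.search(payload.decode("utf-8", "replace")):
            findings.append("HTML body: IFRAME loads an attachment by Content-ID")
        if part.get_filename() or part.get_content_disposition() == "attachment":
            findings.extend(attachment_findings(part.get_filename(), ctype, payload))
    return findings


def build_sample():
    """Constructed message imitating the tricks from the thread (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Re: hep-lat daily"
    msg.set_content('<html><body><iframe src="cid:payload" width=0 height=0>'
                    '</iframe></body></html>', subtype="html")
    # Declared as a MIDI file, named with a double extension, but starts with "MZ".
    msg.add_attachment(PE_MAGIC + b"\x90\x00" + b"\x00" * 60, maintype="audio",
                       subtype="x-midi", filename="paper.doc.pif", cid="<payload>")
    return msg.as_bytes()


def build_clean():
    """Constructed benign message: plain text plus a PDF attachment."""
    msg = EmailMessage()
    msg["Subject"] = "lunch"
    msg.set_content("See you at noon.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in check_message(build_sample()):
        print("FLAG:", line)
    print("clean message findings:", check_message(build_clean()))
```

    The checks are independent, so a message that only fails the magic-byte test is still flagged even when its name passes an extension filter; the reverse (a renamed executable with a harmless declared type) is caught by the extension rules.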

  52. LookOut, end users, and mad cash. by Lord+Prox · · Score: 3, Insightful

    Note: Not a flame to parent post...

    now if they'd only bought the firewall solution from us that stripped email attatchments based on mime type and/or file extension

    I have had it up to here (pointing to head) with all this BS with email worms/virii and the media. They are not email worms, they are Outlook worms. I could sell someone an attachment stripping solution but that is irritating. For every bug it strips out it will strip out a legitimate file as well.

    I just don't know what to do with people... Every time one of these god damn things comes out, my phone starts ringing off the damn hook, hell I can't even get a straight 8 hrs sleep... (one disadvantage of home office) and every time I tell people the same damn thing. Outlook is a worm/virus magnet. Don't use it. There are many others. Bad people target Outlook for a reason, don't give them the opportunity to hit you. It's that simple. And always check attachments before running them regardless of what email client you are using or who it came from. But they just don't listen. Do they think I am full of BullSchnitt or is being used to infection and calling me easier than learning a new mail client?
    Does anyone have an idea of why end users use the software they use in the face of all the reasons/recommendations not to?

    Came with machine so it must be good?
    Everyone else uses it?
    What?!?!

    On The Other Hand..... I will be making lots of cash in the next week... so maybe I should not be complaining :)

    For every person that finds the silver lining of that cloud, there are 100 that just died from lightning

    1. Re:LookOut, end users, and mad cash. by dcmeserve · · Score: 4, Insightful
      It's always so entertaining to me when one of these things starts spreading around. I use a text-only email client (mutt) on a linux system. True, I do have to explicitly save attachments to files and then go view them with the appropriate separate program, but that's actually a rare occurrence. 99% of the time it's bare text anyways, and mutt is a really fast way to scan through them all -- no slogging around with a mouse. And I don't have to worry about looking at an email that might be spam either.

      Of course, I know the majority of people will never want to do this. Which means I can maintain my air of smug superiority indefinitely. Ha!

      --
      "Orthodoxy is unconsciousness" - Orwell
  53. SOCK server (or Bugbear.B) on port 1080 by Chyeburashka · · Score: 4, Informative
    OK, maybe you're right, but according to symantec:

    Backdoor routine
    The worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:

    • Delete files.
    • Terminate processes.
    • List processes and deliver the list to the hacker.
    • Copy files.
    • Start processes.
    • List files and deliver the list to the hacker.
    • Deliver intercepted keystrokes to the hacker in an encrypted form. This action could release confidential information typed on a computer (passwords, login details, and so on).
    • Deliver the system information to the worm's creator in the following form:
      • User: <user name>
      • Processor: <type of processor used>
      • Windows version: <Windows version, build number>
      • Memory information: <Memory available, and so on>
      • Local drives, their types (for example, fixed/removable/RAM disk/CD-ROM/remote), as well as their physical characteristics.
    • List the network resources and their types, and deliver the list to the worm's creator.

  54. How to permanently disable HTML mail in Outlook XP by cscx · · Score: 5, Informative

    First, run Office Update so you have at least Outlook SP1 (SP2 has been out for a while, in fact). Next, add the following value to the registry:

    HKCU/Software/Microsoft/Office/10.0/Outlook/Options/Mail

    REG_DWORD: ReadAsPlain = 0x01

    Outlook will convert all HTML to plain text before rendering it, and turn all embedded images, etc into attachments.

    Thought I'd share that little tidbit.

  55. Re:Frustratingly typical day in the life of Micros by Blkdeath · · Score: 2, Insightful
    Well then, any admin who runs outlook (or any email client, or browser, or ANYTHING that could potentially be compromised) on a production server that absolutely can't stand to have any downtime needs to be terminated as well.

    I think I've seen about enough of this particular strawman.

    Nobody has to run anything on these servers; all they require is network connectivity. These worms propagate via network shares as well as e-mail. All it takes is one infected machine with a persistent connection to any production server in a trust network to cause headaches.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  56. Re:windows vs *nix - un-informed is un-informed by PenguiN42 · · Score: 4, Interesting

    In contrast, right now my XP laptop is running login.scr as SYSTEM. Yup, a screen saver with system level privs.

    What's your point? The login screen saver logs users in, so it makes sense that it has some sort of advanced privileges. (Maybe it doesn't need all of SYSTEM, true...)

    And the screen saver is well protected in winnt, believe it or not. It runs in a separate secure desktop, just like the ctrl-alt-del desktop does.

    Now I agree that the security architecture of windows has flaws, but c'mon, there's got to be a better example than login.scr...

    --
    The following sentence is true. The preceding sentence was false.
  57. Re:Frustratingly typical day in the life of Micros by Blkdeath · · Score: 5, Insightful
    Give it time. As Linux permeates industry and business it will start getting more attention from the virus writers. It's all a matter of ROI. Right now, attacking windows has a very high ROI.

    Which is exactly why so many worms target Apache rather than IIS.

    Batting down strawmen for 12 years and counting ...

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  58. Re:Frustratingly typical day in the life of Micros by Blkdeath · · Score: 5, Insightful
    On Unix/Linux Desktop systems there is nothing on the system as important as the user's data in his home directory.

    I don't know about you, but I administer systems with hundreds or thousands of users. It's *their* data I wish to protect, not that of the irresponsible schmoe who ran untrusted binary code.

    <OBSIMOM>
    But if they ask me nicely, maybe I'll keep that backup tape away from the degausser.
    </OBSIMON>

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  59. Re:Ya know by Anonymous+Struct · · Score: 2, Insightful

    The fact that the large majority of webservers out there are running Apache (many on linux) and have been for a long time suggests otherwise. Sure bugs exist and there will always be exploits for all platforms, but somehow the Apache team is dodging those problems far better than Microsoft. With even MS themselves admitting that their emphasis was never on security in the past, you're probably one of the few people left in the world trying to defend their record.

    So don't complain too much about the zealots around here -- you're just as much one as the rest of them, and one of the more vehement that I've seen.

  60. Even simpler in Mozilla by SIGBUS · · Score: 3, Informative

    In recent Mozilla versions, from the View menu while in Messenger, you can choose Message Body As/Plain Text. Works like a charm...

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
  61. virgin control by More+Trouble · · Score: 2, Insightful
    Microsoft Service Packs break systems all the time. If you run ASP.NET and Sql Server code, you get bitch slapped every time they release a service pack or "security fix". They consistently change functionality, without warning.

    Sounds to me like they don't use support branching in their revision control system. If they want to release a fix for old code, rather than branch at the release and make a fix, they give you all of the "goodness" that they've been working on in the meantime.

    So, add bad version control to buggy, insecure code...

    :w
  62. Re:How to permanently disable HTML mail in Outlook by Darby · · Score: 5, Funny

    add the following value to the registry:

    HKCU/Software/Microsoft/Office/10.0/Outlook/Options/Mail

    REG_DWORD: ReadAsPlain = 0x01

    Outlook will convert all HTML to plain text before rendering it, and turn all embedded images, etc into attachments.

    And people claim that Linux (UNIX, whatever) is hard to handle.

  63. MS Security Chief:Highlights advances in TCI by symbolset · · Score: 2, Informative
    The report on MSNBC is truly insightful.
    This patch for 2-month-old Windows Server 2003 "to fix a vulnerability that could let malicious sites run damaging code on the server."

    Hilarious excerpt: "ALTHOUGH SECURITY EXPERTS -- even those at Microsoft itself -- had pointed to the company's latest server OS as the first test of the software giant's massive Trustworthy Computing initiative, representatives maintained that the patch did not mean the release had been a failure in its security practices. 'It actually highlights positive progress in trustworthy computing,' said Microsoft's U.K. security chief, Stuart Okin, explaining that Server 2003 is significantly hardened in comparison to previous versions of Windows."

    It begs some questions: if this is progress... if this is hardened... what's he smoking?

    --
    Help stamp out iliturcy.
  64. Changing e-mail clients won't do anything. by Sycraft-fu · · Score: 2, Insightful

    This particular worm knows how to use other e-mail clients as well. However, suppose that suddenly everyone switched to Mozilla. Same stuff would happen. Why? Because if you send someone an executable and they run it, it will infect them regardless of the e-mail client they use. IF a different client was the most popular, it would simply be the most popular target. When something like a worm relies primarily on user stupidity to spread, it will hit stupid people, regardless of what software they use.

    1. Re:Changing e-mail clients won't do anything. by Christianfreak · · Score: 4, Informative

      How is this insightful? Last I checked Mozilla's mail client (and many others) don't have any kind of scripting enabled by default. You have to click attachments to get them to do anything, and by default it asks you to Save rather than open. So even if someone clicks on it and then Clicks OK, they just saved it somewhere.

      Even cookies are off by default in the mail client. And you can turn off images.

      So yeah I suppose people could "try" and target mozilla but I honestly don't think there is a whole lot of damage they could be allowed to do. The stuff that could potentially cause harm is off by default and people smart enough to turn it on are smart enough not to execute worms and viruses!

  65. Re:Frustratingly typical day in the life of Micros by Sycraft-fu · · Score: 2, Interesting

    Windows is the same way. IF people run with user rights (not admin) they are prevented from hitting anyone else. They can even be prevented from running software the admin didn't install for that matter. Problem is, most people run as admin. It is their box after all, they'll do as they please.

    You'd have the same problem with Linux. First you have brilliant distros like Lindows that run as root by default. Then you'll have tons of people who log in as root all the time for dumb reasons like "I get sick of changing users to do something" or "It's my system, I should be in complete control."

    Linux does not have the ability to control stupid users, unfortunately. A good Linux system run by a competent admin sure can, but then so can any OS with good security controls. Problem is most home computers AREN'T run by a competent admin.

  66. BugBear then goes searching for a modem by t0qer · · Score: 3, Interesting

    I disagreed with one point the article made.

    BugBear then goes searching for a modem, enables it, then tries to get the computer to dial out, probably to reach the virus author. "He really wanted to get into those machines," Kuo said. U.S. financial institutions probably aren't at risk from this technique, Kuo said, because most don't have modems attached to their critical computers any more.

    Today I was at Fry's Electronics, and I saw a Quickbooks POS (point of sale, not piece of shit) system on display for small to medium business. This started getting me thinking back to my earlier days of consulting.

    One of the companies I did work for had a retail chain of mall stores. At night the registers would dump their management reports to our AS/400 machine and someone would make neat reports out of them. It wasn't a huge amount of data, so each store would just phone home on those really nice $300 courier modems.

    Most of our store managers kept in touch with us via outlook/exchange server.

    Now another interesting side note is VeriFone uses POTS lines for nearly 100% of their credit card processing. Tons of small stores have networks in them now, managers reading e-mail and such.

    So which of these financial institutions has its shit so well together that they don't need modems? I just wanted to point out the author of the article is a stupidhead. Boo!

  67. Re:Patches…Oh Patches by cujo_1111 · · Score: 2, Funny

    If you truly want to be worm-free, the same advice goes for all E-mail clients: Be well-informed, and update often.

    Or don't connect to the internet... Some people forget that it is a real option, maybe not for slashdotters though :)

    --
    If I point out that you are incorrect, making me a foe does not make you any more correct.
  68. Re:windows vs *nix - un-informed is un-informed by bellings · · Score: 2, Insightful

    This reflects one of the design philosophies of *nix: only give users the privileges they need, and have a huge, well defined wall between them and the system.

    You're smoking a huge crack pipe, my friend. In unix, I need suid to change my password, 'fer christ's sake.

    I mean, it's painfully obvious that you have no unix experience whatsoever. It's just sad that you got modded up on a site like slashdot, which used to be moderated by geeks.

    --
    Slashdot is jumping the shark. I'm just driving the boat.
  69. Outlook is still badly designed by FCKGW · · Score: 2, Insightful

    As long as Outlook uses IE to render HTML mail, it will be vulnerable. This integration bullshit from Microsoft has made vulnerabilities in one program affect many others. If Outlook was secure, it would have an option to turn off HTML mail rendering. If it was turned on, it would only be able to format text and layout, and download and display images (while checking to make sure that they really are images and not viruses/worms/trojans). And images could be turned off. This all seems like common sense to me, but apparently it's not common sense at MSFT, which makes it easy for worms like this to spread.

    Sure, I use Windows. But it's the only MS product I use on a regular basis. I use Calypso 3.3 to read mail, which has HTML rendering turned off by default (and I keep it off). I'm typing this in Mozilla 1.3.1. They're both well designed programs that don't do stupid things like Outlook. Did I mention I've never gotten a virus? Well, I haven't. Ever. Sure, I've had the occasional Outlook worm mailed to me, but I'm not so dumb as to open the attachment (which has no way to auto-execute on my machine, by the way). Part of the virus/worm problem is stupid users, but another part is badly designed software, and most Microsoft software has historically been badly designed when it comes to security.

    --
    It's an operating system, not a religion.
  70. however by Trepidity · · Score: 2, Interesting

    You'll see that the parent poster specifically said Desktop systems.

    The point here is that we're urging people to switch their home computers over to Linux because it's "more secure." But it's still insecure enough that a common user would be vulnerable to things at least remotely like this if Linux was popular enough among home users to be worth the effort to target.

    And in any case, your point isn't Linux-specific: if I was running a multi-user WinXP system and a user without admin privileges runs untrusted code, he can't mess up the other users' stuff either.

  71. Re:Frustratingly typical day in the life of Micros by davesag · · Score: 2, Insightful
    Problem is most home computers AREN'T run by a competent admin.

    all the more reason to use a Mac :-)

    Seriously, as a Mac user since 1984 I have *never* had one of my macs infected with a software virus. I've seen other macs infected with the WDEF virus circa 1989, but that's about it. Even though Virex on OSX is total crap (why does it need to rescan all files - even ones that have not changed? takes hours and thus no-one bothers), I am yet to hear on anyone running OSX cop a virus. I get virus-spam that's annoying but I have not yet been infected. Not in almost 20 years.

    Macs are easy to admin, easy to keep up to date and Apple are damn good at releasing security patches in a timely manner.

    --
    I used to have a better sig than this, but I got tired of it
  72. Re:Woah.... by Jugalator · · Score: 2, Informative

    How does one go about removing Outlook Express from XP?

    I'll try to not be "witty" and post something about a Linux distribution that's NOT what you were asking for.

    This is the best I could find to help. The article is for 2000, but since XP is essentially just a revised 2000 with a new look, it could apply to XP as well. Especially since it's about the same software (Outlook Express 6).

    The usual about being careful with the registry editing applies. :-)

    --
    Beware: In C++, your friends can see your privates!
  73. Re:and again by Beryllium+Sphere(tm) · · Score: 3, Funny

    >Please read the fucking article

    You must be new here! Welcome to Slashdot :-)

  74. Good sources instead of product placement by SgtChaireBourne · · Score: 5, Informative
    I realize the editors are obligated to plug MS, including MSNBC, in any way, shape, or form that they can, but that only lends them credibility. Most of the articles are edited from wire feeds like Reuters, API, UP, AFP (usch), BBC, and so on. Please use those.

    In this case, other sites that covered this week's pair of Microsoft worms first -- and they'll cover next week's first, and so on. ZDNet, eWeek, Infoworld, Reuters, the Register and others covered it first. ZDNet has the bad habit however of sliding stories that reflect badly on MS quickly off the top pages and into obscurity.

    Worms like sobig and bugbear only affect products with design flaws. Brian Valentine, senior vice president in charge of Microsoft's Windows development, said it best:

    Our products just aren't engineered for security.
    In short, there's nothing you can do to improve your security except upgrade to a different client: Mozilla or Opera instead of MSIE, Eudora or others instead of Outlook, OpenOffice.org or WordPerfect instead of MS-Office. Usually by upgrading you get better functionality and ease of use in addition to stability.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  75. Attachments by 0xA · · Score: 5, Informative
    For every bug it strips out it will strip out a legitimate file as well.

    That's bullshit. You'll notice these things don't just use any old extension, they use executable extensions. If you setup your mailserver to strip .pif, .scr, .vbs etc you'll be in a much better world.

    When was the last time you got a legitimate email with a .pif attachment? Never, that's when. I setup this on all of my clients networks and have yet to have grabbed a single legit email.

    1. Re:Attachments by walt-sjc · · Score: 5, Insightful

      Why is this modded as a troll? It's the truth.

      I've been running a filter on email for about 5 years. Not ONCE has any of the email transmitted viruses / worms made it through, even to unpatched outlook and OE users.

      See John Hardin's procmail filter for a Very good example of how to do this.

      If you are running a corporate mail server and are not filtering for known executable extensions, you are a fucking idiot. Period. There is just no excuse to EVER allow unfiltered mail through. Would you put your corporate LAN on the internet with no firewall at all? Of course not, but by not filtering email, you have a hole the size of Yankee Stadium in your protection. It's like wearing a condom with the end cut off.

      The problem with anti-virus software is that it relies on the vendor to create and distribute filter definitions. It can take DAYS or WEEKS for vendors to identify a new virus, and create a definition, and for people to download the new rule set. This lag time is deadly. Antivirus software is a LAYER of security on email, but to rely on it alone is not enough.

      Security is a process, and a mindset. Everyone who knows anything at all about software knows that every program has bugs. All you can do is minimize exposure, and you do that with many layers of security. These layers don't have to be intrusive, but you need them to reduce your vulnerabilities.

      Hey, if you want to bury your head in the sand and refuse to participate in security, that's fine with me. I charge by the hour.

  76. Re:Why does Outlook allows to open executable file by pe1chl · · Score: 2, Informative

    The answer is quite simple: because the operating system allows it. In the explorer, when you click on an exe, it runs. So in a mailer, when you click on an exe, it runs. That is the same handler.

    Of course, it is insecure. So in later versions, extra checks are installed that at least present some dialogue box (or in even later versions completely prevent running executables from mail).

    Unfortunately, the whole mapping from "type of file" to "handler" in Windows is a big mess, and thus many bugs have existed in this area.
    (the most famous one is the specification of an audio file in the mime-type and then passing a .exe file as the data. the mailer checks, it is an audio file, so fine, pass it to the OS, this sees the extension, knows it is a program not an audio file, and just runs it. BOOM!!)
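    A mail-gateway filter of the kind 0xA and walt-sjc describe, extended with a check for the MIME-type trick pe1chl describes (declared audio, executable extension or bytes). This is an added example, not John Hardin's procmail filter or any poster's code; the message it scans is constructed for the example.

```python
"""Attachment policy check for a mail gateway (added example, not any poster's
code).  Two checks from the thread: block attachments named with a known
executable extension whatever the declared MIME type says (0xA / walt-sjc),
and flag parts whose declared type (e.g. audio/*) does not match the file
name or the bytes, the trick pe1chl describes.  SAMPLE_MESSAGE is constructed."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the thread names plus other classic Windows auto-run types.
EXECUTABLE_EXTENSIONS = frozenset({".pif", ".scr", ".vbs", ".exe", ".com",
                                   ".bat", ".cmd", ".js", ".lnk", ".hta"})
# Major types under which an executable never legitimately travels.
PASSIVE_MAJOR_TYPES = frozenset({"audio", "image", "video", "text"})
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/Windows PE executable


def attachment_name(part: EmailMessage) -> str:
    """File name from Content-Disposition (or Content-Type name=), with any
    path components stripped; the header value is attacker-controlled."""
    name = part.get_filename() or ""
    return PurePosixPath(name.replace("\\", "/")).name


def inspect_attachment(part: EmailMessage) -> list[str]:
    """Return the policy violations for one MIME part (empty list = allowed)."""
    name = attachment_name(part)
    ext = PurePosixPath(name).suffix.lower()
    payload = part.get_payload(decode=True) or b""
    looks_executable = payload.startswith(MZ_MAGIC)
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext!r} in {name!r}")
    if looks_executable and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name!r} has a PE/MZ header despite its extension")
    if part.get_content_maintype() in PASSIVE_MAJOR_TYPES and (
        ext in EXECUTABLE_EXTENSIONS or looks_executable
    ):
        findings.append(f"declared {part.get_content_type()} but carries a program")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message; return {attachment name: violations} for
    every attachment that violates the policy (empty dict = deliver as-is)."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        if part.is_multipart() or not attachment_name(part):
            continue  # skip containers and body text that has no file name
        findings = inspect_attachment(part)
        if findings:
            report[attachment_name(part)] = findings
    return report


# Constructed sample: a clean PDF, the audio-type/.exe trick, a .pif, and a
# renamed executable posing as a JPEG ("TVqQ..." decodes to an MZ header).
SAMPLE_MESSAGE = b"""Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: audio/x-wav; name="song.exe"
Content-Disposition: attachment; filename="song.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: application/octet-stream; name="readme.pif"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1
Content-Type: image/jpeg; name="photo.jpg"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
```

    Calling `scan_message(SAMPLE_MESSAGE)` flags song.exe, readme.pif and photo.jpg and passes report.pdf; in a gateway the non-empty report is the signal to strip or quarantine before delivery.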

  77. Re:Frustratingly typical day in the life of Micros by cfan · · Score: 2, Interesting

    On Unix/Linux Desktop systems there is nothing on the system as important as the user's data in his home directory.

    You can do a daily backup simply putting something like this in your crontab or in cron.daily:

    tar -cjf /var/backup.tbz2 /home

    But if someone gets root privileges, even the backup can be destroyed.

    Moreover, root has more power than a simple user: he can set promiscuous mode, he can bind sockets on ports below 1024, he can use more resources, and so on, so if a worm / virus / trojan gets superuser powers, he can do more damage to the net, and not only to a single computer.

    So, even if the computer is used as a desktop, you can limit the damage done by a virus, simply by not logging in as root and being a little smart (doing backups).

  78. Re:How to permanently disable HTML mail in Outlook by darien · · Score: 2, Insightful

    Yeah, except - when you actually browse to that registry branch, this entry isn't there! You have to create it before you can turn it on. Who knows what other useful things you might be able to do if you only knew what registry keys to create??

    So yes, you can often find a program's settings in the registry - but this is a lot less helpful than it sounds.

  79. Re:How to permanently disable HTML mail in Outlook by SiChemist · · Score: 2, Insightful

    At least, if I make a mistake editing one of those Linux text files I am unlikely to completely hose up the machine. Whose bright idea was it to make an OS (Windows) dependent on a single (easily corrupted) binary database to boot up? A database that is modified practically every time a setting is changed or a program is installed. A file that keeps growing the longer you own your computer and as a consequence slows your machine more and more.

  80. Re:Frustratingly typical day in the life of Micros by kiwimate · · Score: 2, Informative

    Sorry but enterprise level and MS do not belong anywhere near each other despite what MS wants you to believe. I'm an MCSE and I can't imagine running critical services on the MS platform...as an application platform windows server is just too bug ridden.

    So either you've bought into all the FUD or you're speaking from experience, in which case I call PEBCAK (Problem Exists Between Chair And Keyboard). Either way, you don't know what you're doing.

    We have (at last count) approximately 270 Windows Servers (as well as all our Linux and AIX servers), including DCs, file servers, print servers, etc., etc., and many application servers. We are a 24x7x365 operation, and the vast majority of those servers have been up for months or years. Most of our unplanned outages are due to hardware errors -- blown motherboards, generally, as we have redundant hardware wherever possible.

    I can look at some of my servers right now and see uptimes which are pushing a year. Some of my servers are in constant use by 700 users during the day and 30 to 50 users during the night. Up until March, they had 100% availability. In March the application hung due to a bug in the vendor's application -- totally unrelated to running on MS. (Incidentally, it was fixed by restarting a service -- no need to reboot the server.)

    We use firewalls and virus protection software and patch our servers (carefully -- some MS patches can break things), and don't get hit by these problems. Want to know why? Because we are expected to keep things going so we do, and we know what we're doing! If stuff breaks, people get fired. So we build servers the right way the first time, and then, remarkably, they seem to be rather robust.

    We wouldn't be nearly so happy if we had to keep running to the server room all day, by the way. NT 4 was a lot more difficult to manage, but Windows 2000 allows me to do virtually everything from my desk, which is efficient and just all-round desirable. So don't believe the FUD that you can't remotely manage a Windows server, either.

    For what it's worth, I'm also an MCSE. I got mine because I'd been working with MS products for several years and knew how they worked, what was wrong with them, and how to fix them. Some of my colleagues in the past have been paper MCSEs. Guess whose servers tend to be flakier?

    I know what's wrong with MS products -- they're by no means a magical company, and I've learned the hard way (NT 4 service packs that broke and also modified the SAM, or horribly painful Exchange 4.0 information store recoveries, and on and on). Hey, maybe that's got something to do with it -- I worked my way up, I gained my technical knowledge by fixing things when they borked and building systems from the ground up, and in the process became intimately familiar with the products' strengths and weaknesses. What do you think?

  81. Re:Frustratingly typical day in the life of Micros by afidel · · Score: 2, Interesting

    I can look at some of my servers right now and see uptimes which are pushing a year.

    So you are behind on how many critical patches which require a reboot?? MS patches which affect SQL server or IIS etc and are labeled critical and have admin level exploitation potential come out every couple of months. It's people who try to run MS boxes like they are UNIX machines that end up getting hit by slammer or worms like this. You NEED to apply patches and reboot every couple of months at a minimum, uptimes of over 3 months usually mean there is some critical patch you missed which leaves you vulnerable. You can have fine availability with a cluster most of the time, but some patches have to be applied to the whole cluster simultaneously because of the way they change things, the different parts of the cluster can not be on differing patch levels or data corruption can occur. Like I said I have no problem with windows for non-critical roles, and with server 2003 maybe even for web serving (IIS 6 finally has a sane default install), but for things that are typically labeled enterprise applications (large DB, CRM, ERP, financials etc) there is no way I would build them on the MS platforms, the alternatives are too stable to really even consider it.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  82. Re:Frustratingly typical day in the life of Micros by Osty · · Score: 2, Insightful

    That's simply not true. If it were then I'd accuse windows newbies as well of doing the same thing by installing IIS.

    Except that newbies have done that as well. They installed Windows 2000, and for some reason installed IIS (because they were playing around in the optional components install, or something like that). Then, when Code Red, Nimda, et al hit big, they got hammered because they weren't up to date. They weren't up to date because they didn't know they were running IIS.

    Your problem is with newbies, not the mythical "everything install" that no newbie uses that I've ever seen.

    I hang out in EFnet's #Linux on occasion. I've been there for years. Several years back, it was quite common to see a newbie say, "I chose to install everything, because I didn't know what the other options did," or, "I didn't want to miss something, because I don't know how to install new software yet, so I chose to install everything." My problem isn't with newbies. They don't know any better. My problem is (well, "was" until some distros got their heads out of their asses) with distros that have stupid defaults. Something like BIND should only be started if it's specifically requested. The act of installing BIND is not necessarily a request to run it. (replace "BIND" with any other software that most people have no need to run, if you think I'm picking on BIND too much)