Yet Another Windows Worm
kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computers' modems. Some of the worm's functions are designed to specially target financial institutions.' Yummy!"
I've already run into this with one of our banking customers... now if they'd only bought the firewall solution from us that stripped email attachments based on mime type and/or file extension (why the hell any half-way reasonable person would double-click on a .pif file in their email is beyond me). If I'd only known 10 years ago (before I was legally an adult) the kind of security that existed at some of the small to medium sized banks, I probably would have made some very different career choices--I suppose it's better this way... (Posted anonymously for obvious reasons)
The patch for this was out 2 years ago. No excuse.
The virus comes in as a .exe file. You should block that. No excuse.
AV dat files have been updated already. No excuse.
We've been filtering this all day.... It's not that hard to protect yourself.
It's frustrating how many viruses Windows keeps getting slammed with. There are some people that will point to a Linux worm or virus here or there, but I run both Windows and Linux servers and there is simply no comparison with the amount of worms Windows-based machines receive. Some people say it's because Windows is much more prevalent than Linux, but there are a lot of servers running Linux now.
The amount of work required to keep up with just doing updates has finally gotten to me. Last night I noticed my Windows server was sending packets like mad. Suspicious, I did a netstat -an; it was making connections to hundreds of other machines. Tired of this dance, I decided to just shut the Windows server down. Maybe one day I'll patch it... then again, maybe I'll just leave it shut down for good.
Interestingly, my GNU\Debian Linux box is happily sitting right next to it serving up pages. I haven't had to reboot it in ages; I imagine it will be running until a nifty new kernel comes out that I just have to have.
See ya Microsoft.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
This one spread through my university like wildfire today! It even seems to fake Norton virus definition updating, such that the computer appears to be updating its virus definitions but isn't. It seemed to spread via hijacked messages that it attached itself to.
I never have a problem with these worms. I downloaded Windows Robin(TM) a long time ago!
Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
This virus has been hitting a bunch of people over here at Stanford since sometime yesterday. It takes random messages from your inbox and forwards them to random people in your contact list and spoofs the sender. I've received a lot of weird emails lately, but some of my neighbors have seen some pretty personal emails sent or received by their friends and acquaintances. People hitting on people, people asking their parents for money, rejection letters from companies... the whole works. Our SMTP server has been completely shut down to stop the spread!
This sucker ripped through our campus like nothing. Heuristics missed it, and the definitions weren't updated until a few hours after a few hundred machines got nailed.
The annoying part is that as complex as you can make software, you can't fix the people who are morons, which is where the real problem lies.
oh well.
It's time to face the facts: Windows just isn't ready for the desktop.
Seems to me that would be the way to get these things fixed permanently. Make a worm that would call MS tech support on people's modems. Or any other MS 800 number. Until something costs them a LOT of money, these will continue to show up.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
A much better solution than b), is to completely remove Outlook. Especially if you're only using it as a mail reader.
How small a thought it takes to fill a whole life
Give it time. As Linux permeates industry and business it will start getting more attention from the virus writers. It's all a matter of ROI. Right now, attacking windows has a very high ROI.
This space for rent.
They said that it attacked banks (it appears to be a backdoor bank heist worm). Someone said that US banks would probably not be affected, but a lot of third-world banks that do have a 56K could get hit.
Quick, get your patch here
Yeah, because it's a lot of work to set windows to do updates automatically. Just a troll, nothing to see here.
You obviously don't administer servers with Enterprise Level Code. If you did, you'd know that with Microsoft you can't simply use automatic updates. Microsoft Service Packs break systems all the time. If you run ASP.NET and Sql Server code, you get bitch slapped every time they release a service pack or "security fix". They consistently change functionality, without warning. Then they just post on their website (three months later) that the service pack changed the way some undocumented feature worked, but you weren't supposed to use it that way anyway, so tough shit.
Ha!! Automatic updates my ass.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
I am surprised Red Hat or some other company doesn't take advantage of heavy Windows worm activity.
"Did you get hit by that new worm?"
"No, I run Linux."
Yes, but as with any *NIX, the damage Joe Luser can cause is significantly curtailed to their own userspace. The virus would need to take advantage of a root-level vulnerability to infect an entire machine. Not so with most Windows default configs.
*tweet*
time out.
any admin who sets production servers to be "automatically updated" deserves to be terminated with prejudice.
you test all patches before deployment.
Time flies like an arrow, fruit flies like a banana.
On a related note, anti-virus programs is one place where I can actually see a potential useful application of "trusted computing" (no, not necessarily Palladium). If there could be some way to tell the OS "Look, I don't care if you're the administrator or not: the only programs that are allowed to terminate the anti-virus scanner process are the scanner itself, and, say, Task Manager". By using keys to prove their identity, it _might_ make it a lot harder for virii to terminate anti-virus programs. (Note to slashbots: I'm not saying Palladium is good because it will do this (I don't even know if it does). I'm saying this is one potential application of some as-yet-undeveloped implementation of "trusted computing".)
There is no sig, there is only Zuul.
Any readers in the UK with Sky Digital, switch to channel 268.
Overnight, the channel plays a Flash-based word game, where viewers SMS in answers. It's running on a Windows PC, and the screen currently being broadcast to 7 million homes is....
McAfee dialog box: 'bugbear.b High Virus Advisory....'
Hmmm.
(wandering OT - the channel, 'Friendly TV' is apparently being run by students on work experience. A nightly live-broadcast show is 'Girl Talk', where... girls... talk... about... things. Whatever comes into their heads. Oh, and they get progressively more drunk as the evening progresses, which no doubt helps.)
What's the frequency, Kenneth?
you know..
for the longest time, i've been attempting to defend windows ever since 2k stopped being the 'absolute junk' syndrome. i read about this earlier in the day, and started ranting in irc.
well, since it's easier to bitch than act, i decided to act. i went directly to the local apple store and bought an ibook.
i have -never- been happier. this is literally the best of breed machine i have ever used. all the benefits of unix without the hassle of windows.
so, this is totally offtopic, but as a govt. employee who deals with this sort of thing every day, my old home pc is now strictly a local lan CF/oracle development box, and every damn machine i buy from now on will be apple.
Are you MORE than your SPINAL COLUMN?
These machines are unlikely to be interfaced with a public net at all, especially not sitting on a fat pipe; but many of them have to network _somehow_. Regular modems, ISDN, etc. aren't quite dead yet.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
The people that open these attachments aren't system admins. They aren't network programmers. They aren't even computer literate half the time. Most of the time they treat the computer like a magical device that mysteriously allows them to type and send mail very fast. My mom doesn't even know what a zip/exe/jpg file is. I think it is hard for us to imagine not knowing what we know about computers, but the fact is, that most people using computers don't know a fraction as much as anyone reading slashdot. In fact, most of these "viruses" are technically trojans. They are all exploiting the ignorance of the user to mass infect others. There is nothing any operating system can do to stop this. If we were all running Linux, more people would be tricked into running as a SuperUser or Root or some other exploit virus programmers would find. In the end, it's not which is the right operating system, but whether we have educated the person behind the machine.
What do you mean? Linux is my sex life!
...is one involving how it handles MIME types, especially within IFRAMEs. What happens is, the message headers will say it's one type, such as audio/x-midi, while the payload is really an EXE file, sometimes misidentified as a .bat or a .pif. The unpatched Outlook or OE thinks, "Ah, a MIDI file! Let's play it!" and blithely passes it to the OS, which thinks, "Ah, an executable! Let's run it!".
One more example of why HTML doesn't belong in email, aside from web bugs and other BS.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Because there's nothing quite like a 100,000 machine-strong DDoS network of Redhat machines on cable modems. I hope you meant that if machines are not repelling attacks, then that would prompt bug fixes. However, as you see in the Windows world, most attacks are targeted at already-fixed issues. The machines that get infected are the ones that didn't stay up to date (or in lots of cases a few years ago, were running software they shouldn't be running, like personal Redhat machines running BIND because it was installed and started by default in an "install everything" scenario, the installation option used by most newbies because they're afraid of missing something during the initial install and not knowing how to install it later).
No, successful virus/worm/hax0r infections are never desired. Better for the issues to be found by competent and moral ("moral" being that they don't use the exploit maliciously) people before a major virus or worm is written. There are excellent patch distribution channels for both Windows and Linux these days. People really should use them. And for production servers that don't use them because they need to do validation before deploying the fix, they need to get off their asses and do the validation. There's no excuse for a 2 year old bug causing issues now. That's 1 year, 11 months, and 3 weeks of laziness (assuming it takes about a week to do a validation and deploy the fix and any resulting changes).
They consistently overplay the danger of computer infections, as the more scared people are the more biz they will make.
Look at their adds and see what scare tactics they use.
Help fight continental drift.
This worm does try hard to get on the 'net. Copied from Symantec.
Looks like they're trying to obtain passwords to bank specific systems.You can fix the OS, but you can't fix the users. People who get hit by this have nobody to blame but themselves (or their Windows administrator).
Microsoft fixed this vulnerability more then 2 years ago. Why do people not update their software?
According to Symantec, Bugbear.B "uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability".
"Can of worms? The can is open... the worms are everywhere."
One interesting thing is it opens port 1080, which is normally used by MSN messenger
Sounds like you're using a Socks server to connect to MSN - 1080 is the default Socks proxy port, not MSN messenger.
download the removal utility.
Just wait until:
a.) Everybody decides to hate Linus.
b.) Linux machines can be counted in the millions.
a. is unlikely. How can anyone hate free software? Oh yeah, it's putting you out of business. Microsoft does an admirable job of astroturfing congressmen and Slashdot, but they have yet to put out a good free software worm. The intersection of people with the skill to write free software worms and the number of people who hate free software is vanishingly small. Competent people like free software, get used to it. Windoze on the other hand is just about universally hated and just as easy to break.
b. Linux machines can be counted in the millions. Desktop machines. If you figure 10% of US desktops are running some form of free software, you get millions of computers. The rest of the world has plenty of free computers as well. Yet I don't see anything breaking down mutt, pine, balsa or even Mozilla's email client. AOL's windowze messenger once had a problem but only on Microsoft platforms. GAIM and others had no problems at all.
To sum it all up for you, nothing is as bad as the Microsoft monoculture of poor quality software. Free software is more diverse, of better quality and is universally loved.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
And once again, those of us who know how to configure our windows systems and aren't stupid enough to (a) have open network shares with no passwords and (b) open random email attachments are safe. (emphasis mine)
Please read the fucking article. Not only is the email attachment not random, because it pretends to be a reply to an email that you've recently sent to an infected person (among other tricks), but it also doesn't have to be opened, because it uses an IE exploit to run itself as soon as it shows up in Outlook's preview window.
Our University is being hit hard, especially because almost all classes and departments have these massive listservs and the listserv software is so archaic that it doesn't have viral replication blocking. Oh well, at least I get the personal enjoyment of reading other people's e-mails that get cloned. So far I've got 2 that involve people talking about me behind my back. There's always a golden lining people.
It's not stupid. It's advanced.
Yeah, just imagine if something like Apache gets popular, imagine the havoc people could cause with uptimes on those OS's.
Yes, the server community is different from userland and every piece of software will have its flaws, but popularity is not proportional to the amount of worms and viruses, lack of quality is.
Bad boys rape our young girls but Violet gives willingly.
The entire physics department here got an email with the subject line "Re: hep-lat 020711 daily received" with the pif attachment.
hep-lat is the Los Alamos eprint Archive subject code for high energy physics on lattice models. The email refers to a paper on "A new proposal for the fermion doubling problem" which is supposedly attached (instead you get the .pif file)
The subject line is matched amazingly well to the recipient list. I thought "that looks interesting, I might have a look even though I probably wasn't supposed to get it."
:wq
handy little solution that has been around for a while.. (jpeg image file)
+++ David Watts 5495 0.0 0.5 1888 884
The main reason why *nix boxes don't have anywhere near the number of virii infect them is because the average *nix user has had to set the box up themselves and had to go through the learning curve that is involved in that. Anyone who has got enough knowledge to set up a *nix box (and in reality most people that actually are able to install windows) have enough general computer sense to not catch virii. I personally hate virus scanners as they just take up my resources. Periodic scans let me know that I am not just overconfident that I am invulnerable, but in fact paying enough attention to what I do on a regular basis to delete the emails with attachments like 'happy99.exe' even though I don't in truth _know_ that it is in fact a virus. *nix isn't really a safer OS from virii, it just has a better trained user base.
that's not really true though, since there are holes in windows that have been there since windows version 1. Sure there are holes in any program, but at least most of the unix/linux/macos viruses don't cause the computer to crash. In almost every case, unix/linux/bsd viruses are really just exploiting a single program.
The point being...? Really, you have done nothing to assist our underinformed cyrax777. Let me help, please.
First, causing the box to crash or not is irrelevant, as is what program allowed the compromise - a compromised machine is no longer yours. Time to re-install the whole machine.
The reason *nix is much harder to infect in the first place is users run with user privileges, as do all the child processes that they create. Thus, the e-mail client cannot over-write any system files since it lacks the authority to do so. This is where "rooting" the box comes from - you need to elevate your normal privs to super user status in order to do any real damage. You can tell most *nixes that "This user account can never elevate its privileges", and it likely never will. System services, like say the Apache HTTP server, are usually set up to run as under-privileged users as well, so compromising them leads to even more difficulty controlling the whole machine - there's very few openings in the *nix security armour. In contrast, right now my XP laptop is running login.scr as SYSTEM. Yup, a screen saver with system level privs. IIS on NT/Win2K is the same way - out of the box it runs under the SYSTEM account. If one of these is compromised, it's not your machine anymore. Now you know where a lot of the issues with Windows security lie.
This reflects one of the design philosophies of *nix: only give users the privileges they need, and have a huge, well defined wall between them and the system. Windows seems to come from the other end - give it all, and try to take away what's dangerous. IMHO, that's where Windows fails - miserably.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
Sorry but enterprise level and MS do not belong anywhere near each other despite what MS wants you to believe. I'm an MCSE and I can't imagine running critical services on the MS platform, user authentications, file sharing, and printing sure, but as an application platform windows server is just too bug ridden.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Here's a secret you might not know:
On Unix/Linux Desktop systems there is nothing on the system as important as the user's data in his home directory.
So the whole notion that trojans/worms etc. can't hurt the systems that 'mere users' will be using as there is more and more of a push to Linux desktop systems is just plain nonsense. If it wipes out an employee's whole writeable diskspace, it's done all the damage it could possibly do. Nobody cares that everything that rolled off the Install CD is still there and might even be pristine.
Strangely, our business can continue to operate without problems or delays even if the staff can't email screensavers to their friends.
Note: Not a flame to parent post...
:)
now if they'd only bought the firewall solution from us that stripped email attatchments based on mime type and/or file extension
I have had it up to here (pointing to head) with all this BS with email worms/virii and the media. They are not email worms, they are Outlook worms. I could sell someone an attachment stripping solution but that is irritating. For every bug it strips out it will strip out a legitimate file as well.
I just don't know what to do with people... Every time one of these god damn things comes out, my phone starts ringing off the damn hook, hell I can't even get a straight 8 hrs sleep... (one disadvantage of home office) and every time I tell people the same damn thing. Outlook is a worm/virus magnet. Don't use it. There are many others. Bad people target Outlook for a reason, don't give them the opportunity to hit you. Its that simple. And always check attachments before running them regardless of what email client you are using or who it came from. But they just don't listen. Do they think I am full of BullSchnitt or is being used to infection and calling me easier than learning a new mail client.
Does anyone have an idea of why end users use the software they use in the face of all the reasons/recommendations not to?
Came with machine so it must be good?
Everyone else uses it?
What?!?!
On The Other Hand..... I will be making lots of cash in the next week... so maybe I should not be complaining
For every person that finds the silver lining of that cloud, there are 100 that just died from lightning
Backdoor routine
The worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:
First, run Office Update so you have at least Outlook SP1 (SP2 has been out for a while, in fact). Next, add the following value to the registry:
HKCU/Software/Microsoft/Office/10.0/Outlook/Options/Mail
REG_DWORD: ReadAsPlain = 0x01
Outlook will convert all HTML to plain text before rendering it, and turn all embedded images, etc into attachments.
Thought I'd share that little tidbit.
In contrast, right now my XP laptop is running login.scr as SYSTEM. Yup, a screen saver with system level privs.
What's your point? The login screen saver logs users in, so it makes sense that it has some sort of advanced privileges. (Maybe it doesn't need all of SYSTEM, true...)
And the screen saver is well protected in winnt, believe it or not. It runs in a separate secure desktop, just like the ctrl-alt-del desktop does.
Now I agree that the security architecture of windows has flaws, but c'mon, there's got to be a better example than login.scr...
The following sentence is true. The preceding sentence was false.
Which is exactly why so many worms target Apache rather than IIS.
Batting down strawmen for 12 years and counting ...
BD Phone Home!
Shameless plug. Like you weren't expecting it.
I don't know about you, but I administer systems with hundreds or thousands of users. It's *their* data I wish to protect, not that of the irresponsible schmoe who ran untrusted binary code.
<OBSIMOM>
But if they ask me nicely, maybe I'll keep that backup tape away from the degausser.
</OBSIMON>
BD Phone Home!
Shameless plug. Like you weren't expecting it.
In recent Mozilla versions, from the View menu while in Messenger, you can choose Message Body As/Plain Text. Works like a charm...
Oh, no! You have walked into the slavering fangs of a lurking grue!
add the following value to the registry:
HKCU/Software/Microsoft/Office/10.0/Outlook/Options/Mail
REG_DWORD: ReadAsPlain = 0x01
Outlook will convert all HTML to plain text before rendering it, and turn all embedded images, etc into attachments.
And people claim that Linux (UNIX, whatever) is hard to handle.
I disagreed with one point the article made.
BugBear then goes searching for a modem, enables it, then tries to get the computer to dial out, probably to reach the virus author. "He really wanted to get into those machines," Kuo said. U.S. financial institutions probably aren't at risk from this technique, Kuo said, because most don't have modems attached to their critical computers any more.
Today I was at Fry's Electronics, and I saw a Quickbooks POS (point of sale, not piece of shit) system on display for small to medium business. This started getting me thinking back to my earlier days of consulting.
One of the companies I did work for had a retail chain of mall stores. At night the registers would dump their management reports to our AS/400 machine and someone would make neat reports out of them. It wasn't a huge amount of data, so each store would just phone home on those really nice $300 courier modems.
Most of our store managers kept in touch with us via outlook/exchange server.
Now another interesting side note is VeriFone uses POTS lines for nearly 100% of their credit card processing. Tons of small stores have networks in them now, managers reading e-mail and such.
So which of these financial institutions has its shit so well together that they don't need modems? I just wanted to point out the author of the article is a stupidhead. Boo!
>Please read the fucking article
:-)
You must be new here! Welcome to Slashdot
In this case, other sites that covered this week's pair of Microsoft worms first -- and they'll cover next week's first, and so on. ZDNet, eWeek, Infoworld, Reuters, the Register and others covered it first. ZDNet has the bad habit however of sliding stories that reflect badly on MS quickly off the top pages and into obscurity.
Worms like sobig and bugbear only affect products with design flaws. Brian Valentine, senior vice president in charge of Microsoft's Windows development, said it best:
In short, there's nothing you can do to improve your security except upgrade to a different client: Mozilla or Opera instead of MSIE, Eudora or others instead of OutLook, OpenOffice.org or WordPerfect instead of MS-Office. Usually by upgrading you get better functionality, ease of use in addition to stability.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
That's bullshit. You'll notice these things don't just use any old extension, they use executable extensions. If you set up your mailserver to strip .pif, .scr, .vbs etc you'll be in a much better world.
When was the last time you got a legitimate email with a .pif attachment? Never, that's when. I set this up on all of my clients' networks and have yet to have grabbed a single legit email.
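As an added example (not code from the thread, Symantec, or any gateway product), here is a Python mail-gateway check that implements both things described in this thread: the declared-MIME-type-versus-payload mismatch that the Outlook/IE bug abused (an audio/x-midi part that is really a Windows executable) and stripping attachments by executable extension as the poster above does. The sample message, filenames and extension blocklist are constructed for the demo; the subject line is the one quoted earlier in the thread.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions a gateway strips outright (assumed typical blocklist; adjust to local policy).
BLOCKED_EXTS = {".pif", ".scr", ".vbs", ".exe", ".bat", ".com"}

# Declared types that never legitimately carry a Windows executable.
PASSIVE_TYPES = {"audio/x-midi", "audio/midi", "audio/x-wav",
                 "image/jpeg", "image/gif", "text/plain"}


def looks_like_pe(data: bytes) -> bool:
    """Windows PE executables (.exe/.scr and the stubs shipped as .pif) start with 'MZ'."""
    return data[:2] == b"MZ"


def _find_bad_parts(msg):
    """Yield (part, filename, reason) for each leaf part that should be stripped."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTS:
            yield part, filename, f"blocked extension {ext}"
        # The Outlook bug: header says a passive type, payload is an executable.
        if ctype in PASSIVE_TYPES and looks_like_pe(payload):
            yield part, filename, f"declared {ctype} but payload is a PE executable"


def inspect_message(raw: bytes) -> list:
    """Return (filename, reason) pairs for every attachment the gateway would strip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(fn, why) for _, fn, why in _find_bad_parts(msg)]


def strip_attachments(raw: bytes) -> bytes:
    """Replace each flagged part with a plain-text notice; everything else is kept."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part, fn, _ in list(_find_bad_parts(msg)):
        # set_content() clears the old Content-* headers, so the part becomes text/plain.
        part.set_content(f"[attachment {fn} removed by mail gateway]")
    return msg.as_bytes()


def build_sample() -> bytes:
    """Constructed demo message (not a real worm sample): one genuine MIDI file and
    one attachment whose declared MIDI type hides a PE executable stub."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "physics-list@example.org"
    msg["Subject"] = "Re: hep-lat 020711 daily received"
    msg.set_content("See attached.")
    # Real MIDI data begins with the 'MThd' chunk tag; only the magic is needed here.
    msg.add_attachment(b"MThd\x00\x00\x00\x06", maintype="audio",
                       subtype="x-midi", filename="tune.mid")
    # Fake PE stub: 'MZ' magic plus padding, labelled as MIDI but named .pif.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="audio",
                       subtype="x-midi", filename="fermion_doubling.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    for fn, why in inspect_message(build_sample()):
        print(f"{fn}: {why}")
```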
How is this insightful? Last I checked Mozilla's mail client (and many others) don't have any kind of scripting enabled by default. You have to click attachments to get them to do anything, and by default it asks you to Save rather than open. So even if someone clicks on it and then Clicks OK, they just saved it somewhere.
Even cookies are off by default in the mail client. And you can turn off images.
So yeah I suppose people could "try" and target mozilla but I honestly don't think there is a whole lot of damage they could be allowed to do. The stuff that could potentially cause harm is off by default and the people smart enough to turn it on are smart enough not to execute worms and viruses!
The Anti-Blog