Slashdot Mirror
W32.Sobig.E@mm Worm Spreading Rapidly
mabu writes "Apparently there is another worm spreading online. Symantec has upgraded its severity to 'category 3.' This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th, and searches users' machines for select files containing e-mail addresses that it uses to propagate itself."
just kidding.
"This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th,"
Yuck. The only thing worse than worms are rotten worms.
I have an "early slashdot worm story alert system" built in to my DSL connection. I found out about this around midnight last night, when my DSL connection proceeded to crawl to a slow, and even google was returning results with considerable lag.
Anyone else so lucky to have a system such as mine? This works well on the UTA campus network, also. At least, a worm story has been reported w/in 24 hours of every noticable long slowdown of the net for me...
moox. for a new generation.
expiration date of July 14th
Well isn't this the french national holiday. Maybe somebody is angry because they didn't join the war against weapons of mass.. er, what was that war about again?
All it takes is for one of those spammers with 15 million email addresses to get infected...
"This worm appears to primarily affect Microsoft systems..."
What's this "primarily affect" business? It only affects Microsoft systems, just like every other friggin' virus on the face of the planet.
but can someone please write a good virus for once. :P. So, instead
I mean back in the day virii actually did stuff,
now they just email over and over. Remember when
your computer used to get "Stoned"
of bitching about virii, I just ask, if you're
gonna write one at least make it do something fun.
When these are known as Internet worms and not Microsoft worms........
"Because we are not employing at entry level, offshoring will kill our industry stone dead."
From: Cowboy Neal
To: Cowboy Neal
Subject: Re: Your Mail
Click the attached link - it's great...
Attached file:
www.yahoo.com
[application/octet-stream]
Yahoo! variant! of! Microsoft! support! worm! spreading! rapidly!
.scr and .pif files. Like its predecessors, Sobig-E has a built-in expiry date - in this case 14 July. Click on the infectious attachments and you catch the pox.
.wab, .dbx, .htm, .html, .eml, .txt. This trick is the likely reason behind the worm's rapid rise to prominence.
By John Leyden
Posted: 26/06/2003 at 10:22 GMT
Stop us if you've heard this before, but there's another prolific email worm loose on the Internet today.
Sobig-E differs from its predecessors, the Sobig-B (aka 'support@microsoft.com') and Sobig-C (aka 'bill@microsoft.com') worms, by spreading itself in the form of a ZIP file. This time around infectious emails sent out by Sobig-E pretend to come from support@yahoo.com or another spoofed email address.
The worm is spreading rapidly, with many vendors upgrading the severity ratings they attach to the worm this morning. At the time of writing, managed services firm MessageLabs has blocked 22,156 copies of the worm over the last 24 hours.
Sobig-E normally spreads via emails with randomised subject lines (such as Re: Documents and Re: Re: Movie) and . zip attachments containing infectious
As usual, the worm affects only Windows PCs. Linux and Mac users are immune.
On infected PCs Sobig-E sends email to addresses collected from files with the following extensions:
Sobig-E appears to also have the ability to spread via
network shares and uses its own SMTP mail engine for sending email to further propagate.
So what to do?
Don't run suspicious email attachments and update your AV signature files. Don't allow Rob Malda to have write access to your box. He *will* put illegal gay porn on it, trust me.
It's as simple as that really.
A write-ups of the varmint by Symantec provides more detailed information. ®
Q: Is this alert severe?
A: Yes, it is. Systems that connect to the internet using any Microsoft OS are vulnerable.
Q: When can I get a Service Pack for this?
A: When we include this bug..er, fix in the next Service Pack. We released SP4 yesterday. Six months more, atleast.
Q: Are there any mitigating factors?
A: Yes.. if you run Linux or GNU/Linux or NetBSD, you need not worry.
This bug will disappear by July 14th, and the replacement bug will be announced in Dec 22.
Contrary to Gartner reports, we know that millions of people use Linux on the desktop without much trouble. If you want a permanent solution, install Linux.
Q: How can I protect myself from further attacks?
A: Learn to use a Linux system. Contrary to what Aberdeen says, there are fewer bugs in Linux.
Q: What if I never connect my system to the Internet?
A: Then tell us your address, so we can send you the ServicePack and an invoice for $50.
Q: Are pirated copies of Windows more vulnerable?
A: We like you to think so, yes.
If you keep throwing chairs, one day you'll break windows....
> This worm appears to primarily affect Microsoft systems
<Nelson>
Ha - Haah!
</Nelson>
And now...
<Hanz&Franz>
Once again, ha haa! I lauugh at you silly foolz, with your flabby Windowz and your buuggy virus-baiiting Outlook email reader. I sit here with my puuumped-up Linux system, and my maanly Mutt text-only mail reader, and I open up my spam and virus emails and lauugh again because they cannot haarm me!
Ha Haaaah!
</Hanz&Franz>
"Orthodoxy is unconsciousness" - Orwell
This is just another nail in the coffin for email.
.zip attachments being declined by many mail server admins, just as it did with .exe files.
.zip files too...
It will inevitably lead to email with
It will soon be impossible to guarantee that any attachment you put on an email will be received, which so many of us rely on.
Just as your average users are finally starting to understand
A slashdotting - you get the stick first and then the carrot !
Ok, this is a serious question, not an attempt to start a flame war or anything, but why does this always happen to MS systems? I use a Mac and have only had to work with Windows at my college and a few other times here and there. I've NEVER seen a live Mac trojan or worm and have only ever encountered one virus (the 666 one) that wasn't really malicious and only added some extra resources labeled "(Box thingy)666" in an application's resource fork that caused an application to run a little slower. And that was 4 or 5 years ago in OS 7.5 or 8.
Now, I understand the "security through obscurity" theory that basically says Mac's have far fewer virii problems than PCs because not nearly as many people use Macs, but that's sort of a dead idea nowadays. While we don't have nearly the numbers of any MS OS, by Apple's numbers, there are 7 million users of OS X, which makes the current number of users in the OS X community about as large as the populations of Hong Kong (7,303,334) or Switzerland (7,301,994), and about 1 million more people than the pop. of Israel (6,029,529). (Go on, check my numbers.) And just for good measure, add to that the fact we now have a more or less Unix based OS and therefore must have some common ground with numerous other OSes. It's not like we're a tiny little niche to go after, or one that no one knows how to program for. Hell, Apple even gives away developer tools to write out and compile programs. So why don't we ever see any worm, trojan, or virus outbreaks for OS X?
Request: ECM unit, 1000 km fullerene cable, 1 tactical nuclear weapon. Reason: Birthday party for foreign dignitary.
I can't really see how it's microsofts fault. Reading about it, it comes in a zip file, the user has to get the zip, extract it and then execute the payload.
Is it just me or is this more like social engineering than a real problem with the system?
My blog [.net, rants, general IT]
"Linux and Mac users are immune."
:)
If you were writing a virus and wanted to do some harm, why would you even bother trying to infect mac and linux users?
I mean, people make a big deal on "windows is so insecure that's why this happens blah blah".. but in reality it's just because it's so much more popular...
Not that windows isn't insecure and not that microsoft isn't an evilbad company et cetera.. just wanted to make that point..
"Mac and Linux users are immune"
I want to see a really intuitive and effective worm for OS X... all these mac users thinking they are immune.. it could be a problem.. (More likely to click on attatchments) Not that it would make a big impact
Excuse me, I don't mean to impose, but I am the ocean
Wasn't there just a Windows worm story last week?
So, this virus has no payload. It does basically nothing except spreading, and, how sweeet of him, it will stop spreading on July 14th.
Am I the only one to think that the only people getting benefits from such a virus are people selling anti-virus ?
I mean, why would all virus writers suddenly become so nice ? Most of the virus nowadays are doing almost no damage. I can hardly remember a virus back in the 90 that would not at least erase a little file here or there from your system.
I have been trying to do my own retrospective predection :) based on the data available at Internet Traffic Report
As far as I can make out, all the US routers are doing fine (green). The response time seems to have gone up a tad at 2am MST, but other than that I don't see anything unusual.
When I look at Asia, 5 out of the 21 routers are down (red) and the packet loss is up 2%. Does that mean, that the worm has hit Asia hard? I know this worm should clog up mainly mail servers, but I wonder how feasible it is to predict worm arrival/origin/etc based on this easily available information, assuming ofcourse that it's available realtime.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
just set your clock back to May and the virus won't have been released yet!
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Be it Linux, Mac or BeOS.. you can run but you cant hide.
The thing that scares me is that because of Microsoft's ongoing disregard to basic security concepts all of the internet is in danger, to say so. Spam, worms, viruses - all those things take their toll. Resources are wasted: bandwidth, sysadmins time and so on.
Requires Postfix be built with PCRE support and is for Postfix 2.x versions. For Postfix 1.x versions you'll have to put that in body_checks.
Disclaimer: Use at your own risk. I *believe* this'll work, but, strangely enough, I haven't received any to be rejected yet!
ok, it seems that many of you put out your argument against microsft again...
but, before you do so, think twice, is this worm (or others) really have to do with microsoft? i mean, is the fault lies in microsoft? My opinion on this is that the fault lies on user this time, it is because the worm does not use exploit or other bugs in the OS itself, but exploit the lack of knowledge which normal computer users suffer from.
If the fault is on the user side, why should we blame Microsoft on this? If all a sudden Linux become so accessible to user that all people on this planet knows how to use it, and then they received a email with a shell script containing rm -rf / (assuming the user runs as root :)), should we blame on Linux?
I think we should take more effort to educate more computer user than to blame microsoft everytime. (yea, I know sometimes we should blame on Microsoft, but not everytime)
Sobig.E first hit Wednesday, a couple of copies got in before I warned the huddled masses to not open any .ZIP attachments until CA got their act together which they did a couple of hours later. A full scan of the Exchange store cleaned everything off and anything new is getting cleaned on the way in.
NOW, late this afternoon I get a couple of emails from the lawyers say they are appearing again, just as one pops up in my Inbox.
CA did update their signature again late in the day which opens up two possibilities:
1) The latest signature broke the ability of CA's software to catch Sobig.E or
2) This is a new variant (Sobig.F?)
If you don't want to repeat the past, stop living in it.
As the parent poster said, a malicious person trying to do maximum damage would write for Windows. The Mac is the next best choice because, like Windows, you don't have big binary compatability problems.
Linux is tougher to write this kind of thing for because it would require that the user perform so many steps. First the user would have to extract the tar file from the gzip file. Then he would have to expand the tar archive onto his hard drive, which would put the source there. Then the user would cd to the location where the source extracted. Then he would probably have to set various environment variables. Then he would have to run gmake. Then he would need to interpret the error messages to determine why the build didn't work. Then he would have to find and add various development tools and libraries to his system, adding any environment variables that they needed. Then he could try building again. When he finally got the build to work, he could then run the resulting executable, which would tell him to to type "man {trojan/worm name}. The man page would show various command line switches for specifying the e-mail client being used and various network options. Then the user would construct the proper command line to run the program and WHAM! Just like that, his system is infected.
I may have left out a few steps or so, but you get the idea...
The mathematics of the spread of viruses is the same as the mathematics of the spread of disease or the mathematics of a nuclear fission chain reaction - if the expected value of the number of hosts any given infected host can infect is greater than one, the reaction will go supercritical. If the expected value is one, the reaction will be critical and will continue. If the expected value is less than one, the reaction will damp out.
Filtering viruses at the servers is like lacing a reactor with cadmium - the servers with scanners absorb the "neutrons" (infected emails) and prevent hosts from being infected.
However, too damn many sites refuse to deploy virus scanners on their email servers. I have been receiving a constant stream of viruses from Israel's main ISP, Netvision (netvision.net.il) as well as the University of Durban-Westville in South Africa. I have repeatly contacted both sites. Neither has done anything about this - they don't want to install virus scanners because it will cost THEM cycles on their mail server (ignoring the cycles that handling a flood of viruses costs).
And of course, when you try to go to their upstream providers, the upstreams do a fine Sgt. Schultz impression - they see nothing, NOTHING! And since usually the upstreams are Bastard Backbone Baboons, there is little you can do about it.
Were ISPs to be held accountable for taking action - were continuing to allow infected mails to be sent grounds for getting port 25 blocked at their upstream, and IF failing to institute such a block were legally actionable (since that is the only way to force a BBB to take action), then the rate at which these infections would drop to close to zero. And with there being no egobo to writing this crap, the trolls^Wvirus writers would get bored and go find some other way to increase the entropy of the universe.
www.eFax.com are spammers
1. There are far less Mac's out there in the world than PC's with Windows on them. Therefore when you're writing a worm which has the sole goal of infecting as many people as possible (which is what writers aim for these days) then you go for the majority.
This argument is a myth, and has been used by Microsofties to try and downplay the vastly superior security of both *BSD and GNU/Linux. Mac OS X is a FreeBSD derivative in many respects, and vastly better designed from the ground up than Microsoft windows, for whom things like networking and security were afterthoughts cobbled together in an ad-hoc frenzy of featuritis and catch-up. Such an ad-hoc approach to design will never yield acceptable security, as Microsoft's shoddy products have demonstrated so dramatically in recent years, time and time again...and once again today, with this irritating worm.
Why is the numerical argument a myth? Because the truth is that, on the internet backbone, more than half the servers are a variant of Linux, *BSD, or Unix. And servers are the real prize for system crackers looking to take control of a system or cause significant harm. Yet these systems, which present a far more tempting target in terms of power and potential harm, and their derivatives (such as Mac OS X), remain unaffected by the plethora of worms that strike the internet. These worms are almost always exclusively Microsoft worms, affecting Microsoft operating systems exclusively. Not because there are more Microsoft desktops than anything else (for, once again, servers are the real prize, and most of them are not Microsoft), but because Microsoft's operating system design is so rife with security issues that it makes a profoundly easy target, and a decent chunk of servers can be affected with very little effort on the part of the malicious cracker.
It isn't about numbers. It is about design, and everyone in the industry, with the exception of Microsoft, has taken security seriously and designed their systems appropriately.
[Excellent examples of poor design by Microsoft leading to security issues removed for brevity]
4. Generally there are far more tech savvy people using OS X or Linux than Windows who don't blindly open unknown attachments.
This is true for GNU/Linux and *BSD. It isn't true for OS X (unless the knowledge to avoid Microsoft's shoddy products is considered being "tech savvy", an argument you could make that I wouldn't dispute, except to say that (a) I don't think that is what was meant and (b) most people understand something a little more comprehensive when defining someone as more "tech savvy", so while I might grant you that point on a technicality, I would dispute the implication). A lot of OS X users are as capable, and incapable, as their Microsoft using counterparts. They do click on unknown attachments, they do download plugins without a thought, etc. BUT, they have the good fortune of using a relatively secure and very well designed system, and are thus protected from their foolishness in ways Microsoft, even with its competition-destroying Palladium, will likely never achieve.
Contratry to popular Slashdot belief, the fact that it's easy to get details of your contacts in your address book is not a major reason why worms propogate so frequently. I can write a perl script to extract the details from Pine or most other UNIX mail programs just as easily - the actual problem is getting the virus launched on the victims PC in the first place.
Absolutely right. And as you describe so well, doing so is trivial on Microsoft systems, and difficult or impossible on virtually every other system.
The Future of Human Evolution: Autonomy
1) Had an e-mail from a ".mil" domain (forget the actual address)
2) Having recently mailed some questions to some government research agencies, I assumed this was a response to one of them, so, I opened the e-mail (I use Mozilla).
3) No message in the e-mail, just an attachment called "your_application.zip". This was a tad suspicious so I copied the file and scanned it with a corporate edition of Norton Anti-Virus last updated on June 18th.
4) Virus scan came up clean so I opened the file. After seeing that it was only a ".pif" file, I started to get concerned, tried to edit the file by right-clicking and the edit option didn't show. At this point, I'm pretty sure it's a virus.
5) Examined the header information from the e-mail and discoverd that it actually originated from another office computer and the "from" address was spoofed. Now, I'm all but certain it's a virus.
6) Went to the Symantec website and, sure enough, the virus information is there along with notification that the patch was only available since June 25th.
7) Downloaded their fix tool and checked all computers in our office for evidence of infection. Was able to clean them all.
So, even though I was relatively careful, I was still able to get infected. Primarily because:
a) The "From" address was an expected source.
b) I do occasionally get legitimate e-mails that are only an attachment with no text.
c) This particular virus was so new that my virus scanner was not sufficiently up to date.
FYI, I guess...
A goal is a dream with a deadline
Why be subtle about it?
I went to a seminar yesterday wherein a security guy from Microsoft (stop laughing, its not funny yet) extolled the virtures of Windows Server 2003. They have learned their lesson about security and ease-of-use being the only development consideration... guess where they learned it from? All the best practices they have implemented for Server 2003 comes from Linux, Unix, and the Open Source world. "Free How-Tos"! What an innovation!
Now if only someone can teach the MS admins and users to apply the goddamn patches that Microsoft releases! (for an example of what I'm talking about, see anything about the SQL Slammer specifically)
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
I'm starting to think of these worms and virii as a form of QA for Microsoft. As a developer, if I found a horrible buffer overrun or general API bug with Microsoft's products, and I wanted it fixed, I could
a) Pay $300 to have someone look at it and, eventually, tell me it's not really a bug
b) Write a worm, and make sure it gets fixed within a few days.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.