LovSan Clone Let Loose

JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."

23 of 631 comments

  1. Cloning.. by Stalus · · Score: 5, Funny

    Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

    1. Re: Cloning.. by Black+Parrot · · Score: 5, Funny


      > Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

      The scary part is that if they mutate and interbreed we could end up with a virus with four asses.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re: Cloning.. by couch_potato · · Score: 5, Funny

      > I think we all agree that outside of a research environment, virus/worm writing is the lowest form of geekery.

      Wrong. It's still a step above Star Trek conventions.

    3. Re: Cloning.. by Black+Parrot · · Score: 5, Interesting


      > Is there some reason that virus writers don't create their viruses to modify themselves automatically? It would be easy to defeat a checksum automatically.

      Maybe some of them do do that, and the A-V firms haven't caught on yet.

      Seriously, IMO the kind of worms we've seen so far are child's play compared to what we can expect when someone wants to do some serious damage. In the future we'll have stealth worms that just flip a few bits on your system and then erase themselves after propagating to another computer or two, worms that work as a genetic algorithm to optimize effectiveness and continually feed new variants into new "ecological niches" of the internet, worms that are mathematically optimized for the fastest spread, or conversely for the broadest under-the-radar spread, etc.

      The future is bleak, IMO.

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re: Cloning.. by Satan's+Librarian · · Score: 5, Informative
      Uhm - they've been doing that for years. Early types were called polymorphism, an idea pioneered by the 'Dark Avenger'. Search for "MtE Dark Avenger" on the net. Old stuff.

      Basically, the concept is that an encryptor is built up in memory randomly, while the inverted code (e.g. add vs. sub, rol vs. ror) is built up in reverse. The virus is encrypted with the encryptor, and the decryptor is prepended.

      There were a ton of them in the early 90's. There are polymorphic Word viruses that use different techniques - running their script through a randomizer for variable names and such. Some viruses have also mutated their own opcodes as you suggest, although it's less common - but it's been done.

      Detecting such viruses is challenging, but usually there are static bytes with known (although possibly variable) distances between them. One can also run an interpreter over a file and pseudo-execute it until it can be proven that it is or is not a virus, or just blast any existing crypto around the body and look to see what's there. If the virus just flips between equivalent opcodes, then just scan with a regular expression that includes each equivalent as an alternative. Another method is analysing the opcodes - if an exe's entry point is at the end of the file where you have a 1k decryptor right before 2k of garbage, and all the decryptor's opcodes fall within what one virus can produce, chances are....

      There are a lot more complex and hybrid techniques for it - those are just a few that can be described quickly.
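
The two detection heuristics described in this comment, as an added example that is not part of the original thread: a byte signature whose middle opcode is an alternation over equivalent instructions (x86 ADD 0x01 / SUB 0x29) with variable gaps, and a check for an entry point at the tail of the file followed by a short stub and a high-entropy blob. The sample images are constructed here (not real malware); the chosen fixed bytes, window sizes and entropy threshold are assumptions.

```python
import math
import random
import re

# Signature in the style the comment describes: fixed bytes (XOR r/m32,r32 = 0x31,
# LOOP rel8 = 0xE2) at variable distances, with ADD (0x01) or SUB (0x29) as
# alternatives for the opcode a mutating virus flips between. Constructed here.
DECRYPTOR_SIG = re.compile(rb"\x31.{0,8}?[\x01\x29].{0,8}?\xe2.", re.DOTALL)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 indicate encrypted/compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_polymorphic(image: bytes, entry: int, body_len: int = 512) -> bool:
    """Heuristic from the comment: entry point near the end of the file, a decryptor
    stub whose opcodes match the known generator, then a high-entropy body."""
    if entry < 0.9 * len(image):            # entry point is not at the tail
        return False
    m = DECRYPTOR_SIG.search(image, entry, entry + 64)   # stub within 64 bytes
    if m is None:
        return False
    body = image[m.end(): m.end() + body_len]
    return len(body) >= body_len // 2 and shannon_entropy(body) > 7.0


# --- constructed sample images (assumed layout, not real malware) ---
_rng = random.Random(2003)
ENCRYPTED_BODY = bytes(_rng.getrandbits(8) for _ in range(512))   # stands in for the encrypted body
BENIGN_PREFIX = b"This program cannot be run in DOS mode.\r\n" * 200  # low-entropy filler

STUB_A = b"\x31\xc0\x01\xd8\xe2\xfa"                 # XOR, ADD, LOOP
STUB_B = b"\x31\xc0\x90\x90\x29\xd8\x90\xe2\xf8"     # XOR, NOPs, SUB, NOP, LOOP (mutated form)

VARIANT_A = BENIGN_PREFIX + STUB_A + ENCRYPTED_BODY
VARIANT_B = BENIGN_PREFIX + STUB_B + ENCRYPTED_BODY
CLEAN = BENIGN_PREFIX + b"\x31\xc0\xc3"               # tail code, but no decryptor/body

if __name__ == "__main__":
    for name, img in (("A", VARIANT_A), ("B", VARIANT_B), ("clean", CLEAN)):
        print(name, looks_like_polymorphic(img, len(BENIGN_PREFIX)))
```

Both variants match the same signature because the ADD/SUB flip is an alternative rather than a literal byte, while the clean tail fails the signature before entropy is even computed.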

    5. Re: Cloning.. by Doomdark · · Score: 5, Informative
      The French intelligence services work very closely with French businesses.

      And, to be fair, the US intelligence services occasionally work closely with US corporations (there were some cases related to the airplane industry where the EU was investigating how come a US company had found out what some European company was bidding).

      Point being that perspective certainly matters, like you say, but also that few government agencies if any are completely above using illegal and/or immoral practices to help "their" companies, anywhere in the world.

      Open democracies, and especially a free press, lessen the likelihood of such stunts (by retroactively uncovering them, usually leading to scandals... which act as a deterrent in the long run). Unfortunately those 'antidotes' are being threatened especially in the US, by the latest legislation (from the "Patriot" act to the DMCA).

      --
      I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes
  2. Feeling left out by cesman · · Score: 5, Funny

    I'm starting to feel left out.. Maybe I'll install Windows on a box and join the fun.

    --
    When the source is open, the possibilities are endless.
    1. Re:Feeling left out by alonsoac · · Score: 5, Funny

      No seriously, I once was regarded by friends and family as the guy who could fix their computers. Now they call like crazy saying their PC is rebooting and I don't know what the hell they are talking about. Then I read about the virus and tell them what to do but of course I wouldn't know if it will work (or why it didn't work) since I don't have an infected machine to try it. This has made me look like an idiot plus I'm here working all day while my friends enjoy a couple days of forced vacations while someone has time to fix their machines. Grrrr..

    2. Re:Feeling left out by anubi · · Score: 5, Interesting
      Oooh man, tell me about it. I don't know what I'm missing, I suppose.

      I had been working on my CAD system on my home machine running WIN95 and DOS. I wasn't even aware anything was amiss until I logged onto Slashdot to see what's new. I was wondering why it was so slow. My firewall responded in a bit and told me I was getting a helluva lot of connect attempts on port 135. So, I go look up the log file and it looked like SQL Slammer all over again. Almost a megabyte of infection attempts. I wondered at first if I had made an enemy on a dialup??? In 4 hours??? Why did the whole world seem determined to wax me off the web? Damn, it seemed like everyone in the world was wanting my port 135.

      Ok.. so I continue to read Slashdot and the story finally loads about this new LoveSan virus making the rounds. Hmmm. When I think of how much work would have been lost had something come in and messed up my machine, I shudder. But then, I don't run my machine wide open to the net. I try to practice secure techniques - such as never allowing any programs to run that I have not verified their intentions, and don't run anything that allows embedded executables ( read: javascript and later things post DMCA that haven't been "cleared" by what I consider trusted groups - which are mostly the groups the DMCA was aimed at in the first place. )

      Sure, there are a lot of websites that I can no longer see. I can not even access the Southern California Edison site, nor many business sites - as they require these embedded-executable technologies as a requisite to viewing their content.

      So, I sit here, with a pretty fast system, as it's pretty simple. I have no virus scanning going on, as I am not running just anything I get in. I do have an integrity monitor running, which does a quickie on startup to see if any critical files are amiss ( it just calculates an MD5 on my key executables and compares to what they should be. ).. if so, booting to GUI is aborted and I drop to DOS to straighten it out - but it's never happened outside a test situation.

      I keep getting all these people telling me I should upgrade and be current with the times. I would gladly upgrade if the later stuff was actually better and more robust than the earlier stuff - but that's not what I see.

      Oh yes, the "presentation skills" are definitely better on the new stuff, but I see the new systems much like a stunningly beautiful secretary that I can't trust, and spends a helluva lot of time doing her makeup.

      I try to tell these business people what they are getting into by running software that hasn't been verified for trustworthiness, but they seem happy to go ahead and do it anyway as long as there is someone else to blame if things go amiss. I hoot till I'm blue in the face about these businessmen who put content on the web that can only be viewed with proprietary readers, whose underlying trojan motives, if any, can no longer be legally ascertained as a result of the DMCA.

      I am especially puzzled by business's perception of proper etiquette. Would they hire a sales rep that constantly interrupted a customer in mid-question with comments on his grammar or spelling? Or worse yet, rudely hangs up on customers if they don't understand something? Is not a corporate web-site their sales-rep in cyberspace? Why would a business hire such rude representatives that coin their own protocols and chide the customers relentlessly for not adhering to their latest incarnations of the communications protocol "standard"?

      At the risk of redundancy, I'll say it again. I do not like these proprietary unverifiable protocols. I consider them very risky - to me. I really don't care if YOU get hit with a virus, but I don't want any part of it.

      Ok.. I just had to get this off my chest. It might cost me a bit of karma, but I had to say it in public in the hopes that someone in management that makes the decisions will hear my plea.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

    3. Re:Feeling left out by Steve+G+Swine · · Score: 5, Funny
      People who store pornography on their computers deserve to get their data wiped.
      And in some cases, their keyboards.
      --
      "Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
  3. Re:And while you all get easy 5, funnies. by NanoGator · · Score: 5, Insightful

    "Linux has its own problems. But you mod them -1 under the rug until the fsf site gets hax0red. troll but true. "

    That was true like a year or two ago, but since this has come up I've been amazed at how things have changed here. It's not that it's turning pro-Microsoft, but the "Everything Linux does is perfect" attitude has settled back down to realistic levels.

    I agree with you, though, Linux is a root password away from being ssh'd to hell.

    --
    "Derp de derp."
  4. Re:Ugh, lazy patchings by Doppler00 · · Score: 5, Interesting

    Actually, I'm wondering why the heck the RPC service is allowed to be exposed to the internet interface in the first place. There is absolutely no good reason for Microsoft to design it this way. Sure, I could understand it being useful for corporate networks, but to leave it on and not allow you to turn it off is ridiculous.

    This isn't so much about security as it is poor design on the part of Microsoft leaving so many useless services exposed to the internet.

  5. Well some are safe from it... by 3seas · · Score: 5, Funny

    Those in the US north east and south east Canada.....

  6. MS Worm & Power Cuts by Anonymous Coward · · Score: 5, Interesting

    OK you'd have to be a cyber terrorism nut to believe the power blackouts were caused by the virus but some friends at Con-Ed have told me the virus isn't totally innocent, apparently the trouble ticketing / work management system some of the affected power companies are using is running on a load of windows servers and not all of them managed to get patched in time. So the recovery operation is being hampered a bit by the worm.
    And I thought those guys were just exaggerating things.

  7. News Flash by ReyTFox · · Score: 5, Funny

    SCO declares that it holds the copyrights to LoveSan and demands that all clones pay a $1500 licensing fee.

  8. MS Releases Network Scanning Tool by MacrosTheBlack · · Score: 5, Informative

    Microsoft have released a tool to scan your local network (or the whole net if you really wanted to).
    Network admins have fun.

  9. Re:And while you all get easy 5, funnies. by Anonymous Coward · · Score: 5, Interesting

    Point taken, but badly stated. The FSF cracking incident was due to an application that runs on Linux, and does not ship with most Linux distributions--it has to be intentionally downloaded and installed.

    So are we going to start adding all securities in third-party apps that run on Windows to the "Windows vulnerability" list? That's crazy.

    Linux is a kernel, yes. But the fact that it's available in that form if that's all you want is an advantage, not a technicality. Try getting Windows without a GUI, or SMB.

  10. culpability by negacao · · Score: 5, Interesting

    This is getting extremely annoying - I'm still getting hits daily from Code Red & Nimda. I'd like to personally line up each person who hasn't patched their system and slap them.

    Along with the idiots at Microsoft who don't make updates for IIS available through windowsupdate. (in my experience, ymmv.) C'mon, it's shipped with the OS, you've got automatic updates on by default, so make them patch the goddamn webserver.

  11. Re: a deep dark thought.... by Black+Parrot · · Score: 5, Interesting


    > i saw the news about the second (and third) versions and i just wondered if these (all three) were just a distraction. i wonder how many people looked for an awfully obvious process and if they didn't see it, well, that was the end of the story? something smells here.

    I've always wondered whether someone planning a criminal break-in somewhere might not release a virus as a cover, so that the victim would shrug off any anomalies on their system as side effects of the virus, and think the virus fix was end-of-story.

    --
    Sheesh, evil *and* a jerk. -- Jade
  12. Re:the average user reaction... by Un+pobre+guey · · Score: 5, Funny
    > I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems?

    Most common "problem" I have seen is that people do the following:

    1) Get a computer, with OS and some software installed

    2) Use the computer

    3) If you buy commercial software, install it, hitting OK every time it appears

    4) If you download arbitrary software from the net, install it, hitting OK every time it appears

    5) If the computer seems sluggish or something seems wrong, do one or more of the following:

    • Go to the Program Files directory (of course it's Windows) and delete one or more directories containing programs you recall having installed recently
    • Hunt around the hard disk and delete things that don't look right
    • Buy software that supposedly fixes your system, and run it several times consecutively, choosing different options each time
    • Reboot
    • Re-install the operating system

    6) Go to 2)

    This algorithm is run continuously for several years.

  13. Re:It's a little fishy by WHudson · · Score: 5, Interesting

    I always wondered if the anti-virus companies have some programmers in their payroll who work on developing viruses -- either to predict things before they hit, or to keep product updates coming and profitable.

  14. Is *nix that much more secure? by sanx · · Score: 5, Insightful
    OK - maybe this is a -5 Flamebait here, but here's a couple of my thoughts.

    The desktop world is ruled (by numbers, anyway) by Microsoft. Any potential malware s'kiddie can knock together some malware in a few hours, dump it into some unsuspecting newsgroup somewhere or email it to his Outlook-using mates and start an epidemic relatively easily. The sheer number of vulnerable machines makes that easy.

    The installed base of Windows boxes also means that, despite MS not opening up their code to anyone (except governments and universities willing to sign away their first-born as insurance against breaking the NDA), large numbers of people spend vast tracts of time throwing McValue Meal-sized URLs at web-servers and mutant packets at RPC interfaces.

    Lots of people x Lots of time x Lots of machines = lots of vulnerabilities found...

    Now consider *nix. It has a number of advantages straight off the block:

    1. It's open source. Code that finds its way into the kernel goes through the best peer-review system available: public scrutiny.
    2. Generally, the people who run *nix are more tech-savvy than an average Joe Blow.
    3. Any vulnerabilities that are found get acknowledged and fixed very quickly.

    But what would happen if *nix had the sort of desktop penetration that Windows does? How quickly would the kind of person that thinks a computer case is called a 'hard drive' apply a *nix security patch? If *nix was that popular, how many more people would devote vast tracts of time to finding obscure security holes and vulnerabilities?

    Just a thought. Now flame away ;)

  15. Re:That's media reporting for ya by Pharmboy · · Score: 5, Insightful

    Well, to be honest, if it didn't sell, the media wouldn't report it that way. People LOVE catastrophe and doomsday predictions, for some odd reason.

    On a similar note, I am witnessing TV hype a disaster right now. All the power is out in NY, and people have been calmly walking down the street to leave town. Others are "volunteering" to direct traffic, and people are obeying. People are out together in the street with candles, checking on neighbors, almost everyone is calm, even tho with the power out, getting news in was slow and difficult (like 9-11, but much milder). Sure, some will take advantage of the situation, but burglaries happen every night. On the whole, I am pleasantly surprised at how well organized it is, and how well it's going so far. It's a success story on dealing, again.

    Yet the news channels are TRYING to make it out to be worse than it is. They are saying how people are mad and want to know why this happened, but they can't SHOW someone saying that, they just report that it's true. fox/cnn all the same.

    The real irony is how calm everyone is, how they seem to have an "oh well, can't help it, no reason to freak out" attitude even while the news reporters are almost trying to get them to.

    --
    Tequila: It's not just for breakfast anymore!