Microsoft Virus Spam: SoBig.F
If you're being barraged with Microsoft virus spam emails today, this story notes that it's a flare-up of an older Microsoft virus in a new, improved form. Yay for trustworthy computing.
If you set your score for MICROSOFT_EXECUTABLE high enough, these emails with their .pif attachments get sent right to /dev/null.
I want to delete my account but Slashdot doesn't allow it.
Hax0rs away!!!!!!!!
These things have been patched months, or years ago. Boo hoo for the people that don't patch their systems.
I am still getting 1 hit every 10 seconds, yet MS say they have "thwarted the virus".
you can now commence microsoft bashing below this line
_______________________________________________
Here's a virus, FREE PILLS included
'nuff said.
Just read about it on the BBC.
Here in Norway it seems as if "everyone" has got SoBig.F or is getting annoyed with fake emails from someone who has it.
This virus is just a little variation of an older virus, but it differed enough from the older iterations so that anti-virus software didn't detect it.
The virus provider Norman reckons that a big organization in Norway was hit early and that this caused the big numbers here: Norway accounts for 36% of the outbreaks of this virus in the world, which is exceptional when you know that only 4 million people live here.
Considering that when the Windows project was started at MS, Unix code was closed off to review and learning from, would it be too much to conclude that AT&T's efforts to close Unix (System V) code off so that people could not learn to write secure OS kernel code might have something to do with the major mistakes made in MS kernel code in the early 1980s that we are still experiencing?
Don't Tread on OpenSource
But postfix on debian running amavis doesn't seem to have any problems throwing them away for us...
http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.html
NO MORE GOODTIMES!
There's a new virus that will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer. It will recalibrate your refrigerator's coolness setting so all your ice cream goes melty. It will demagnetize the strips on all your credit cards, screw up the tracking on your television and use subspace field harmonics to scratch any CD's you try to play.
It will give your ex-girl or boyfriend your new phone number. It will mix Kool-aid into your fishtank. It will drink all your wine and leave its socks out on the coffee table when there's company coming over. It will put a dead squirrel in the back pocket of your good pants and hide your car keys when you are late for work.
Goodtimes will make you fall in love with a penguin. It will give you nightmares about circus midgets. It will pour sugar in your gas tank and shave off both your eyebrows while dating your girl or boyfriend behind your back and billing the dinner and hotel room to your Discover card.
It will seduce your grandmother. It does not matter if she is dead; such is the power of Goodtimes. It reaches out beyond the grave to sully those things we hold most dear.
It moves your car randomly around parking lots so you can't find it. It will kick your dog. It will leave libidinous messages on your boss's voice mail in your voice! It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve.
Goodtimes will give you Dutch Elm disease. It will leave the toilet seat up. It will make a batch of Methamphetamine in your bathtub and then leave bacon cooking on the stove while it goes out to chase gradeschoolers with your new snowblower.
Goodtimes will prompt your mother to call on Friday and Saturday nights for two months after you make a new girlfriend/boyfriend. It will place your wallet and keys on an obscure shelf in the basement. It will emulate your face and stare into the neighbor's bathroom window.
Goodtimes has been linked to cancer in laboratory mice. 9 out of 10 dentists recommend Goodtimes.
Goodtimes will make your bloomers shrink two sizes, and it will make you gain 15 pounds. If this results in a wedgie, then Goodtimes will leave a nasty skid mark.
Buy Steampunk Clothing Online!
with the Sobig virus. all quarantined. mostly from faked microsoft.com addresses.
got biv?
... there's an ad for MS Small Business Server 2003 at the top of the article.
It's like advertising space on a blue screen.
This space for rent.
and spamassassin.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
Anyone who is dumb enough to run an executable or script from an unknown source on their machine is a victim of social engineering, not decent virus coding.
Blaster was worthy of a mention because it exploited a hole, not the user, but if we're back to stories about MS email viruses again, it's a little sad. Surely there's something else to report on?
This thing is slamming my mail server. Some of them get stripped of the virus by the time they hit my machine, but having to deal w/ several hundred 100K messages an hour is slowing my machine down.
I should have mentioned this in my last post... if you've got the SoBig.F virus, FSecure has posted a free fix here.
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.e
Looks like i'll be dealing with lots of "broken e-mail machines".
We certainly got hammered for a good part of today from a university down south who shall remain anonymous. Contacted their IT/infrastructure department and was told that one of their mail servers got used as a relay, and nobody found out about it until a few hours ago. If I were them I would have shut down their MTA and flushed the queue a long time ago, but that's just me...
what does the F stand for? i can think of a few candidates that have exactly 4 letters.
I see SCO changed its strategy.
Now they are targeting MS.
Who took my tinfoil hat?
My email mailbox was full this morning. I was getting 100k attachments every 5 or 10 minutes or so. Like I said, my mailbox was full and it filled up quick. Now, if 20 phonecalls can deter a spammer, I'm sure that many will deter people and corporations from installing that infernal piece of flaming shit that Outlook Express is. Friends don't let friends run Outlook Express.
I've had about a dozen in the last half an hour.
At least now I know why I am getting so many, and why there seemed to be some new variety to the messages (and the attachment file names).
Come on michael. Your little quip, as usual, was anything but necessary. Please get back under the bridge.
At work at the moment. Haven't gotten a single valid email all day. Network admin is foaming at the mouth.
There has GOT to be a better way to get these security holes fixed. For chrissakes, this is unacceptable. Even that dubious white hat worm from the other day is a better alternative!
Auto-reply to ACs: "Truly, you have a dizzying intellect."
It seems that I'm missing this from my collection.
Can anybody please give me a nice spam server I can subscribe to so that I may join the fun?
(I like to run virii in VMs for entertainment + it looks like working to my non-IT coworkers!)
Retep
Look. I hate Microsoft, too.
But what the fudge does this have to do with trustworthy computing? It's just another email worm, and it relies heavily on user stupidity, much more so than the msblaster worm.
Let's be honest: Microsoft is an evil company, that forces an evil product on people, and some of us are going to cheer when Microsoft gets hurt and people get nudged towards other operating systems -- whether it's Microsoft's fault, or not.
Could you just have written "Hey, anything that discourages Windows use!" after the story? I mean, christ, that's exactly what probably a good 90% of people here are thinking when they read these stories.
into the worm see the network associates
also: I remember a worm (maybe a year and a half ago) which ran directly through Outlook (by simply activating an email, without opening the file). Does anyone remember this? If so, please refresh my memory. Thanks.
"this is the gloaming"
radiohead
Inundated. Not "barraged." dope.
This is the first time that I've really been bothered by a Windows worm or virus. All servers here are FreeBSD and OS X, and everyone's primary workstation (41 employees) is running OS X 10.2.6 or OS 9.2.2.
/.
I used to laugh when all the M$ weenies had problems... but now it's a real problem when I get users here going bonkers about 50 e-mails from 20 people... and me having to go around blocking mail servers...
Here are some other articles around about it:
C-Net
BBC
Okay, I'm done ranting. Thanks
My name is Aaron Landry, and I approve this message.
I just received one of these today from webmaster@match.com. But I received it on my Hotmail account.
And seeing how Hotmail proudly proclaims on every message:
"Notice: Attachments are automatically scanned for viruses using McAfee Security"
we'll be getting a lot of Hotmail users opening it to take a peek
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
Let's not forget that this is a worm. It requires that a user launches the executable so it can infect the system. Let's also not forget that many users are using non-NOSs such as Windows Me (I'll admit that was a big mistake, however). Users that receive this worm must actually execute it and, since there is no concept of "administrator" on many flavors of Windows (or perhaps the users are the only user of, say, WinXP and are in the Administrators group), the worm can do whatever it wants - the user did, after all, execute it as an administrator.
The point is - it's the user's fault! Not Microsoft's. Something like this could just as easily happen on a *nix box if the user has sufficient privileges.
Several of the users at work on the network I manage have gotten such worms before, but because they didn't have sufficient privileges, the worms were ineffective. In most of those cases, the virus scanner picked it up anyway.
So, if the user doesn't have sufficient privileges, some worms don't work. Sure, this one would because it runs in userland, but the user still executed it! Besides, they should have a virus scanner anyway. Again - it's their fault.
When it comes down to it, a worm such as this (trojan horse) requires a stupid user to execute it - so blame the user for once.
I'm not seeing very many messages with SOBIG, as they get filtered at the mail server.
However, the large number of "Your message to xyz@zyx.com contained a virus" is filling my mail spool faster than any spammer. Seems one of my email addresses is a popular one to spoof.
CALL TO ADMINS: Please turn off viral notifications to outside addresses. These days most of the envelope addresses are spoofed, you're not doing any good leaving the notification in place.
And I thought joe-jobbing was bad.
Anything is possible given time and money.
i'm one of the moderators of the personal telco project mailing list (list is open to subscribers, non-subscriber posts are verified to limit spam/virus distribution). when i got up this morning (about 13:00 gmt) the moderation queue had 37 infected messages. it also seems to have knocked my isps (online.no) mailserver over for large parts of the day. i didn't manage to get any mail out that way until this evening.
There has been a very large outbreak here, inside the firewall this morning.. This is probably the largest that I can remember, since we do not use Outlook/Outlook express we seem to dodge the big ones. I didn't even think this looked that bad at first glance, it doesn't really try to exploit any security holes to infect the machine. What got us was that the virus scanners were just old enough not to catch this until it was too late. All it really took was one or two people opening the attachment. The new engine didn't get pushed until at least an hour after the first internal case was discovered. By then though, it had spread so quickly that many other hosts had been infected.
What in the blue hell does this have to do with trustworthy computing, shit for brains?
Trustworthy computing doesnt exist yet, it's in development.
God I hate michael and his dipshit, uninformed comments. He does more to make this site look like 12 year old zealot idiocy than anyone else, and is worse than all the trolls and crapflooders combined.
Begin the Flaming now.
yay for unbiased slashdot!
The Only Person Willing to be Me is ME!
I work for a small private university in the midwest as a student helpdesk consultant. Our phones are ringing off the hook as faculty, staff, and students are getting upwards of 30 emails every few minutes of this worm. We're trying to contain it here, but of course people are always eager to open up email attachments from anyone they know... even if the filetype is unknown and there is no actual personal information in the email. Oh, the stupidity.
I'm sitting here reading this while I wait for Win 2000 SP4 to install, which takes forever. This is the 34th computer I've had to do this to today. Why? Because every person in my company who knows anything about computers has been drafted into Helpdesk today to fight Nachi and Welchia viruses that have brought our mega-corporation to its knees. My whole development team is on this today - that's a lot of 70-80K people being paid to run patches. Not like we aren't days behind schedule on our real life projects. Happy happy joy joy!
Vonnegut was right: Of all the words of mice and men, the saddest are, "It might have been."
Fortunately, I use Mail.app, so I can still check my mail with impunity.
There's a spam/address verification message I saw the other day that was pretty clever, though. Some spammers sent a reasonably official-looking letter with Citibank headers, layout, and images telling people to click a link to view and accept a new ToS, or their checking account would be suspended. The link looked something like this:
http://www.citibank.com:A78F...(random hex crap)...A812@127.0.0.1/cgi-bin/c.pl?user=youraddress@yourserver.com
So they were logging you in as user www.citibank.com to server 127.0.0.1 (changed, obviously) and sending your email address to a verification script. Damn clever.
Obliteracy: Words with explosions
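An added example, not from the poster, of how a defender can triage a link built like the one above: urllib.parse treats everything before the last '@' in the authority as userinfo, so the bank name is really a username and 127.0.0.1 is the host. The hex token and the addresses in SAMPLE_URL are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the link quoted in the post; the hex "password"
# is a placeholder, not the tracking token the spammers actually used.
SAMPLE_URL = ("http://www.citibank.com:A78F0000DEADBEEF0000A812@127.0.0.1"
              "/cgi-bin/c.pl?user=youraddress@yourserver.com")

# Something that reads like a DNS name: label.label.tld
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def _is_ip(host):
    """True when the real host is a bare IPv4/IPv6 address (common in phish links)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_link(url):
    """Explain where a link really goes and whether its authority is deceptive."""
    parts = urlsplit(url)
    displayed = parts.username or ""   # text before the first ':' or '@' (userinfo)
    real_host = parts.hostname or ""   # text after the last '@': where you really go
    # The trick in the post: a host-like userinfo in front of a different real host.
    deceptive = (bool(displayed) and bool(HOSTLIKE.fullmatch(displayed))
                 and displayed.lower() != real_host)
    # Recipients are tracked through query parameters, so surface them too.
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "displayed_name": displayed,
        "real_host": real_host,
        "host_is_ip": _is_ip(real_host),
        "deceptive": deceptive,
        "query": query,
        "leaks_address": any("@" in v for v in query.values()),
    }


if __name__ == "__main__":
    for key, value in triage_link(SAMPLE_URL).items():
        print(f"{key:15} {value}")
```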
I have one machine I leave outside the firewall and never patch to serve as a virus cesspit! I've got quite a little ecosystem going on there!
in the past 2 hours i've deleted about 100+ emails from my university account.
I'm interested to see if is updated to include info on -f. the -e article was a good eye-opener.
In Soviet Russia...michael would be rotting in Siberia!
I trust all my MS software to get worms. I expect no less of it.
Outdoor digital photography, mostly in New Engl
for a bit over an hour now. I just created a new rule in my OS X Mail.app, and I have them automatically transferred into my Trash file. I wish I had thought about that before. I think I received maybe 50 of them before I created the rule.
No matter where you go... there you are.
I'm just asking...
I know U Tenn has shut down their mail servers for the time being.
OTOH, we could replace the Bill-as-Stephen-Hawking with the bug icon, and no-one would care ;-)
When I am king, you will be first against the wall.
Another link, although they don't mention sobig.f by name.
http://www.fortwayne.com/mld/newssentinel/6568352.htm
I know this is anti-Microsoft land but I have been searching all morning and have found nothing, so I'll ask you.
Is there any free software that will filter attachments in Exchange 5.5 and let me block emails with attachments such as *.vbs, *.pif and so on? I have not had much luck finding out how to do this without buying Norton or some other such thing and I can't afford to do that right now.
I know I could set up a relay / filtering box in front of it, but I don't have the time or resources to do that today and this latest virus outbreak is driving me nuts.
My company requires me to run an Exchange server, mainly because our execs love Outlook and the calendaring features. I have to run Exchange. I can't change it. I would love to run something else but I can't. Please don't suggest I do.
Thanks for any helpful answers you have.
Sobig.B appeared on 2003 May 19 and was programmed to deactivate on May 31.
Sobig.C appeared on 2003 June 01 and was programmed to deactivate on June 08.
Sobig.D appeared on 2003 June 18 and was programmed to deactivate on July 02.
Sobig.E appeared on 2003 June 09 and was programmed to deactivate on July 14.
Sobig.F appeared on 2003 Aug 19 and was programmed to deactivate on Sept 10.
It seems like the Sobig release schedule is more consistent and on-time than ... well ... the software release schedules of a major company we love to hate ;-)
How does a virus with the name "SoBig" spread???
;)
Maybe I have a dirty mind, but I gotta think that most Spam filters would catch that one.
Now that's funny: I always thought KDE with its 30MB per application memory need and ugly I-wanna-look-like-a-windowsxp-n00b-themes was the environment that has ever since prevented Linux from being taken seriously on the desktop.
But thinking of Havoc Pennington, who is now actively trying to destroy Gnome, you could be right.
Yeah, so here you are sitting on your fat ass bitching about it on slashdot.
Have you tried Google News or blocking by subject(i.e. caldera)?
I am used to junk in my mailbox, I get about 200 spam per day.
This thing, however, is unbelievable. I get about 300 of them per hour. Granted, I have a bunch of email addresses all over the web, so I'm a prime target.
Funny thing is that when the flood started, our network admin glanced at the thousand or so specimens and said that since they all seem to originate from 10 to 20 infected computers, he'd simply block these on the mail server. Five minutes later the emails stopped. He wasn't finished patting himself on the back when a trickle started again, and 20 minutes after that it was worse than ever.
My spam filter has quickly learnt to filter this crap, but now I also have to deal with the whiplash: my email addresses are also used as spoofed senders, so I am getting a ton of helpful "message undeliverable", "you might be infected with a virus", "message rejected due to virus" emails from all over the Internet.
You would have thought people have learnt by now not to open these f*king attachments.
Well, I'm not questioning them. I'm encouraging them. The tagline they put after this latest SCO story was pretty great -- 'SCO is simply lying'. *POW!*
/. is, that's some pretty plain talkin'. ;)
More like *that*, man! More like THAT! For a news source as widely read as
I find it funny that once again a virus is being blamed on Microsoft. The only way to spread this is to open the attachment and run it. How is Microsoft supposed to stop people from opening attachments? If you use MS Outlook you are actually immune to this virus, as Outlook blocks most executable attachments. Please explain to me why a user running a file (which then opens its own SMTP server and emails itself to people) is Microsoft's fault? This same thing could happen on Linux, there is nothing stopping a Linux user from running a file attachment. This isn't a MS problem, it is a user education problem.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
The mail includes a .pif file around the size of 100k.
I got it 9 times from the same IP with different From: lines.
Nasty for I am a 56k dialupper.
Shouldn't the "Trustworthy" in '"Trustworthy" Computing' always appear in quotes, sort of like the "Organization" in 'Government "Organization"'?
Alright Michael! Way to blame MS for a user issue.
Seriously, there are competent NT admins in the world.
This should be a no-brainer, but if you run MS systems and you often have problems with worms or virii:
1. Keep your virus definitions current. This goes double for any laptop users with broadband at home.
2. More often than not, MS has already released a patch for a security hole before a worm or virus hits. Keep your systems up to date! Again, this goes double for laptop users with broadband.
3. If you're behind a firewall, and you really should be, only allow outgoing SMTP from your mail server (this keeps the worm from spreading FROM your organization).
4. If you think you don't have time to do these things, make time. You'll waste a lot more time putting out fires than you will doing some fireproofing.
We eat the pig and then together we BURN!!!
Re: Approved
Re: Wicked Screensaver
Re: That movie
Re: Details
Re: Your application
Re: Thank you!
Yikes, usually I never get spammed with these virus mails. Suddenly I have about 10 in my mailbox.
I got 436 hits this morning in 2 hrs for my company's email (~500 employees). I already had *.pif files blocked (I'll give any of my users a free beer if they could even tell me what a *.pif file was used for, much less why they should be receiving it). In 2 hrs a dial-up ISP in California, the University of New Hampshire, the Indiana University of Pennsylvania, Piglet.DisneyOnline.com, a Verizon DSL node, and an Adelphia cable modem node had all been shut down and cleaned. As soon as I recognized what was coming in, I traced the source IPs, called the contacts, and talked to their IT people. With the exception of Disney, all were quite co-operative, had their machines down within minutes of notification, and back up after cleaning the virus.
... 'tart'
The nature of these Sobig virii/viruses is that they repeatedly hit the same addresses. Take a few seconds, look at the header, get the IP, look up the DNS, get the contact name, call and explain, and you'll save yourself (and countless others) a lot of unnecessary hell.
-Ab
ps. that also explains why some of my posts this morning were a little bit
Nothing fails quite like prayer.
I just got a bounce message (with the e-mail below attached) from an automated domain mail admin because it believed I was the sender of a so.big payload (to a user who has a full e-mailbox).
I don't use windows, so it's not coming from any of my boxes.
Here's the header and body text:
-----
Received: from HP ([141.154.241.155]) by mta02.mail.mel.aone.net.au
with ESMTP
id [20030819180952.SWCW5855.mta02.mail.mel.aone.net.au@HP>
for [removed for /. post]; Wed, 20 Aug 2003 04:09:52 +1000
From: [removed for /.-- it was my valid email address]
To: [likewise removed]
Subject: Re: That movie
Date: Tue, 19 Aug 2003 14:10:02 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_00FA8C46"
Message-Id:
This is a multipart message in MIME format
--_NextPart_000_00FA8C46
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Please see the attached file for details.
--_NextPart_000_00FA8C46
Content-Type: application/octet-stream;
name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="your_document.pif"
-----
The your_document.pif was a binary of about 100k.
The best way to do is to be.
Counting all of them I think I've received over 3000 today...
Can anyone recommend a nice online service that filters emails through spam and virus filtering and then sends them back to a different mailbox?
I've been looking for something like this for a LONG time. Messagelabs seems nice, but they don't deal with one person.
- bram
Our support address is widely published and as such we've received about 40 of these viruses already today. And I suddenly thought all hell had broken loose.
Rus
Cheap UK and US VPS
Here is HouseCall - Their online free virus scanner.
Anyone without an antivirus program seriously needs to get one:
McAfee
Symantec (Norton)
Trend Micro
Just to name a few...
How does a virus with the name "SoBig" spread???
by users that are So.Stupid
If everyone ran linux they would still want email right?
You would still have all the idiots who click on every attachment right?
So this exact situation could happen on linux.
I didnt have any issues with blaster either because I keep my systems patched and firewalled.
Except that the current Windows kernel was started in conjunction with IBM, who had the rights to UNIX at that time.
Which means that Microsoft is not just a supporter of SCO -- they're also a potential target.
"No I don't."
Because of course they're running anti-virus software. And of course the definitions have never ever been updated.
These same people decide when their PC is two years old that it's just "too screwed up" and go buy a brand-spanking-new one with the same flaws, which they will proceed to bugger up in a month and a half.
I wouldn't last a week in tech support.
I have been spammed by microsoft itself...
I have been getting mails about "Important Security Update for the .NET Messenger Service" asking me to upgrade my MSN Messenger, all morning...
After many years of trying to make do with myself, I have also finally given up. Yes that's right, I've switched to Windows XP.
I find that so far I am easier to use, and now have more time for the lady kernels.
Let's go trollerize!
From the Symantec report the file extensions are just .pif and .scr. Filtering "executable" extensions at the mail server (i.e. renaming normal executables like exe to _exe.renamed and removing/putting in quarantine not-normal executable extensions like pif, scr, sys, etc.) in addition to scanning with antivirus (with a combination like Anomy Sanitizer and a good antivirus) saved me all of the trouble with this one.
On a lighter note, our whole University has been preoccupied with trying to shut this bitch down. Today I am reminded of why I am happy to NOT be IT.
Can I bum a sig?
NAV for gateways is an excellent program: if you set it up as your external mail relay, it will scan and filter all e-mails before you shoot them through your firewall. Then, per your specifications, you can have the relay delete the attachments or the whole e-mail. You can also use it for file extension filtration. I've found the best setup to be one internal and one external, to pass all of your e-mail traffic through the firewall. It works well in high-traffic situations too; my organization has about 9000 users passing tens of thousands of e-mails daily. Anyway, just my two cents.
ARRRRGGGHHH!!!! I don't even use Windows and Bill's shitty software still fucks me over...my inbox is filling up with viruses sent from other people, AND the virus is forging headers with my email address. The penalty for being a script kiddie really should be amputation of both hands.
Actually, I was trying to be Insightful, not Funny.
I don't get any of the viruses thanks to SpamAssassin and whatever else our fine Admins have put on the mailserver, but what I do end up getting is about 200 autoreplies from dumb MTAs who believe I have sent them a virus when in fact it's the virus/worm/whatever spoofing itself off as me.
Despite the fact that I didn't actually send a virus-infected email from mta3.someserver.pl to a nonexistent address, I still get the helpful autoreply that tells me that the user at that nonexistent address does indeed not exist.
China is banning Microsoft, and all other software that isn't home grown... maybe it will cut down on viruses for the Chinese?
PAYS to be a socially-inept hole dweller sometimes... only one email today, and that was already known to be coming anyways. ;)
.unsigged
So Big is from the children's book "Pat The Bunny"
How big are you?
SO BIG! (lifts hands in the air)
If you aren't part of the solution, there is good money to be made prolonging the problem
...that just because you're not using Outlook or Outlook Express, you still may be vulnerable to worms or email viruses?
All it takes is one user to click the attachment who has an LDAP-enabled address book of the entire company, and poof! you're screwed.
The only sensible way to kill these worms is to block them at the mail server. If you block them at the mail server, you don't have to try to train people or keep hundreds of anti-virus clients up-to-date. Do yourself a favor and set up XWall if you have Exchange (this is about the coolest spam-blocker/email filter program I have ever used, BTW) or SpamAssassin/MailScanner if you have Linux/UNIX. This will save you a ton of headaches in the future, and won't require you to worry about hundreds of clients being up-to-date as much as focusing on whether a few email servers are up-to-date. (Block the standard Microsoft "bad executable" list and you should be fine.)
Seriously, in the year 2003, there's no excuse for "But my 400 clients weren't up-to-date!" Block these things at the server, which is something you as the network administrator should have complete control over, and which is where the worms should have been blocked to begin with.
Simpli - Your source for San Jose dedicated servers and colocation!
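An added example (not code from any poster or product named in the thread) of the gateway-side approach described here and in the earlier post about renaming executables and quarantining .pif/.scr/.sys/.vbs attachments, combined with the advice to read the Received header for the originating IP so the sender's network contact can be called. SAMPLE_MESSAGE is constructed after the Sobig.F header quoted above; its addresses, IP and base64 body are placeholders.

```python
import email
import re
from email import policy

# Extensions the thread treats as never legitimate by mail (Sobig.F used .pif
# and .scr): dropped from the delivered copy and reported.
QUARANTINE_EXTENSIONS = {"pif", "scr", "sys", "vbs"}
# Ordinary executables are delivered but defanged: exe -> _exe.renamed.
# Only "exe" is taken from the thread; extend this set with your own list.
RENAME_EXTENSIONS = {"exe"}
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed test message modelled on the header quoted in the thread; the
# addresses, the IP (documentation range) and the base64 body are placeholders.
SAMPLE_MESSAGE = b"""Received: from HP ([192.0.2.10]) by mx.example.net with ESMTP id CONSTRUCTED for <victim@example.net>; Wed, 20 Aug 2003 04:09:52 +1000
From: spoofed.sender@example.org
To: victim@example.net
Subject: Re: That movie
Date: Tue, 19 Aug 2003 14:10:02 -0400
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_00FA8C46"
Message-Id: <constructed@example.org>

This is a multipart message in MIME format
--_NextPart_000_00FA8C46
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_00FA8C46
Content-Type: application/octet-stream; name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_document.pif"

bm90IGEgcmVhbCBiaW5hcnk=
--_NextPart_000_00FA8C46--
"""


def classify_attachment(filename):
    """Return 'quarantine', 'rename' or 'allow' from the final extension."""
    # Trailing dots and spaces are ignored by Windows when it picks a handler.
    name = filename.strip().rstrip(". ").lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in QUARANTINE_EXTENSIONS:
        return "quarantine"
    if ext in RENAME_EXTENSIONS:
        return "rename"
    return "allow"


def renamed_filename(filename):
    """setup.exe -> setup_exe.renamed, so a double-click no longer runs it."""
    stem, _, ext = filename.rpartition(".")
    return f"{stem}_{ext.lower()}.renamed"


def originating_ip(msg):
    """First-hop IP: Received headers are prepended, so the last one is earliest."""
    for header in reversed(msg.get_all("Received") or []):
        match = IPV4_IN_BRACKETS.search(str(header))
        if match:
            return match.group(1)
    return None


def _scrub(container, actions):
    """Recursively apply the policy to the children of a multipart part."""
    kept = []
    for child in container.get_payload():
        if child.is_multipart():
            _scrub(child, actions)
            kept.append(child)
            continue
        filename = child.get_filename()
        action = classify_attachment(filename) if filename else "allow"
        if filename:
            actions.append((filename, action))
        if action == "quarantine":
            continue  # dropped from the delivered copy
        if action == "rename":
            new_name = renamed_filename(filename)
            child.set_param("filename", new_name, header="Content-Disposition")
            child.set_param("name", new_name)
        kept.append(child)
    container.set_payload(kept)


def apply_policy(raw):
    """Parse a raw message, enforce the policy and report what was done."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    actions = []
    if msg.is_multipart():
        _scrub(msg, actions)
    return {"origin_ip": originating_ip(msg),  # whom to call, per the thread
            "actions": actions, "message": msg.as_bytes()}
```

Run apply_policy(SAMPLE_MESSAGE) to see the .pif part dropped and 192.0.2.10 reported as the first hop.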
The virus would be an itching or painful mass of dilated veins -- and Microsoft would be the swollen anal tissue.
Take it easy? I'll take it anyway I can get it . . .
You can be logged in as guest and still screw the system up if it was installed on a FAT32 drive (most of the people who upgrade to WinXP from 98.. etc.. end up keeping their stuff at fat32..) *shrug*
I don't think you can really compare that to a *nix box where users are "jailed" into keeping their files in their home..
Just when you make it idiotproof, some idiot builds a better idiot.
And in other news... Microsoft announced today that, thanks to a Bill Gates Declaration From On High (tm), every line of code in every Microsoft product, dating back to the company's foundation, has magically, spontaneously, and retroactively fixed itself. This has rendered all of Microsoft's code absolutely secure and error-free. And thanks to the mystical nature of these fixes, end users and sysadmins don't have to patch their systems!
Grow up, Michael.
This sig intentionally left blank.
Wow...longest run on sentence in Slashdot history...
But anyway, I don't know how much this closure of the code is to blame more than the "just barely good enough" practices of Microsoft's software development teams. I tend to put more stock in the latter...
Rule #1 -- Politics always trumps technology.
It seems like every day my company is posting flyers warning of virii, having us install patches.
Is this something we're just going to have to learn to live with on a daily basis, like:
1980's IRQ conflicts, MFM/RLL vs IDE
1990's hard drive partitioning, DOS/4Gw
2000's spam, popups, virii
i hate computers. but i love them.
https://www.accountkiller.com/removal-requested
How many millions of Mac boxes are connected to the internet?
How many millions of BSD boxes are connected to the internet?
How many millions of Unix boxes are connected to the internet?
When you combine all the viruses/worms/trojans/etc that can successfully attack those systems, how many times has a malware episode propagating from those operating systems effectively hurt the performance of the whole internet?
I'll tell you:
ZERO! Not once. Never.
Yet it happens to M$ crap every other week it seems.
that is so funny, please make more penis jokes
In other words, there's plenty of blame to go around.
I'm sure most people here assume the opposite, but Outlook 2002 and 98/2000 with the security update applied are completely immune to this attack. They automatically strip executable attachments. Very recent Outlook Express versions also do this, although I'm not sure this is the default setting.
Think about how long it's been since there has been a large Outlook attack. It's been at least a couple of years. This tells me that the people spreading Sobig not only have no antivirus protection, they're using ancient and unpatched software.
hostages.
.asps, the need for sympathy goes DOWn. although the kingdumb refers to recent onslaught of BugWear(tm) eXPloits, as a non-event, we wonder whois paying for the DOWntime, lost commerce, etc... not the hostages/end users/stock holders AGAIN?
we know that's a big angrIE crowd, but we honestly feel sorry for everIE won of you, up to a poiNT. as you appear to insist on leaving your headers up fuddles
back on task.
you gnu/hobbyist/software folks are to be commended. we'd be nearly doomed by now without y'all. the check's in the mail again.
meanwhile... for those yet to see the light.
don't come crying to us when there's only won channel/os left.
nothing has changed since the last phonIE ?pr? ?firm? generated 'news' brIEf. a lot of good folks/innocents are being killed/mutilated daily. if anything, the situations are continuing to deteriorate. you already know that.
the posterbouys for grand larcenIE/deception would include any & all of the walking dead who peddle phonIE stock markup payper to millions of hardworking conservative folks, & then after stealing/spending/disappearing the real dough, pretend that nothing ever happened. sound familiar robbIE? these fauxking corepirate nazi larcens, want us to pretend along with them, whilst they continue to squander yOUR "investmeNTs", on their soul DOWt craving for excess/ego gratification. yuk
no matter their ceaseless efforts to block the truth from you, the tasks (planet/population rescue) will be completed.
the lights are coming up now.
you can pretend all you want. our advise is to be as far away from the walking dead contingent as possible, when the big flash occurs. you wouldn't want to get any of that evile on you.
as to the free unlimited energy plan, as the lights come up, more&more folks will stop being misled into sucking up more&more of the infant killing barrolls of crudeness, & learn that it's more than ok to use newclear power generated by natural (hydro, solar, etc...) methods. of course more information about not wasting anything/behaving less frivolously is bound to show up, here&there.
cyphering how many babies it costs for a barroll of crudeness, we've decided to cut back, a lot, on wasteful things like giving monIE to felons, to help them destroy the planet/population.
no matter. the #1 task is planet/population rescue. the lights are coming up. we're in crisis mode. you can help.
the unlimited power (such as has never been seen before) is freely available to all, with the possible exception of the aforementioned walking dead.
consult with/trust in yOUR creator. more breathing. vote with yOUR wallet. seek others of non-aggressive intentions/behaviours. that's the spirit, moving you.
pay no heed/monIE to the greed/fear based walking dead.
each harmed innocent carries with it a bad toll. it will be repaid by you/us. the Godless felons will not be available to make reparations.
pay attention. that's definitely affordable, plus you might develop skills which could prevent you from being misled any further by phonIE ?pr? ?firm? generated misinformation.
good work so far. there's still much to be done. see you there. tell 'em robbIE.
Normally I get around 100 spams every day but I've been getting 30-50 every five minutes for the last six hours. I even installed MailWasher to deal with them because my other virus checker (Spam Weasel) had to either (a) download them to check if they were spam or not, or (b) just let them through. Not much good.
Note that I'm *assuming* these spams are a result of the virus discussed in the News.com story, although the subject lines and attachments are very different from the ones mentioned.
So what happens now? Does this thing just go on and on until September 10th? Right now my business and personal e-mail accounts are pretty much useless, and at 100k+ per spam, one of my mailboxes is in danger of filling up unless I sit here constantly deleting all the junk.
Trustworthy Computing has nothing to do with you trusting your computer or operating system!
Trustworthy Computing is about whether the operating system, vendor, media companies, etc. can trust YOU!
Reading Slashdot is ruining my spelling and grammar.
Everyone download and run SoBig.E again to immunize your computer against the new version. :)
I've gotten 320 infected messages today. I'm actually going to be looking forward to getting back to generic viagra ads in a couple of days when this dies down.
The Glass is Too Big: My Take on Things
Apparently they hit the Netherlands too. I get about 2 a minute. These are some of the subject lines:
Re : Approved
Re : My Details
Re : Thank you
Returned Mail: (quite a good one, actually)
oh, and besides the standard aol and hotmail accounts a lot seem to come from rutgers.edu (although they probably don't)
It's time to readjust those filters, I guess. Unfortunately, mine still works manually.
In either Mozilla or IE 6 on Win XP, it appears to just start the download of an exe file that you can save. Now whether you would want to do this or not is a different question.
The price of freedom is eternal litigation.
Yay for trustworthy computing.
MS jokes aren't innovative, but can still be fun, but not as fun if they aren't trying to relate to the truth very much. Read up about trustworthy computing and learn how it is a process that has barely taken off today, but is an effort that will show up more in Longhorn, etc. DRM and NGSCB are two technologies that have a lot to do with trustworthy computing that aren't even implemented in today's versions of Windows.
At 2002, MS said:
"It may take us ten to 15 years to get there, both as an industry and as a society."
Trustworthy computing is in many ways only at the concept stage this far.
Sure, one might wonder what's making them think it will take a time period as long as an outrageous 15 years to get these things straight and one might think DRM is Bill Gates' worst idea ever, but then one should comment about this instead. This may seem that I'm defending Microsoft, although I'm in this case just being annoyed by a joke I've seen numerous times before, and that must have been made up by some uninformed person.
Beware: In C++, your friends can see your privates!
It's an executable that requires someone to run it. People need to learn to stop clicking on every damn executable they get in their email. Hell, Outlook even displays a warning that attachments can contain virii or have malicious intent, but people still click on them.
Have you ever been to a turkish prison?
We're getting sent the worm every couple of minutes. First from one source, then a second. Really pissing me off. Tracking it down has convinced me that it's a relative of the boss's wife who's a primary source for us, but no one will return my f*cking messages so I can't get this crap brought down.
Hey, I'm staying on the clock until they call me back. Damaging or not, this is gonna be one expensive worm.
"You're never ready, just less unprepared."
Here is a decent procmail rule, probably not perfect.
# Outer recipe: only look at messages in the SoBig.E size window (100-120 KB)
# that are multipart/mixed, i.e. carry an attachment.
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
  # Inner recipe: B = match against the body (where the MIME part headers live),
  # h = hand the header to the filter, f = filter, i = ignore write errors.
  :0 B hfi
  * ^Please see the attached zip file for details.
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  # Either of the two scored conditions alone is enough to fire the recipe:
  # the attachment name must be one of the names SoBig.E uses, with an optional
  # numeric suffix and a .zip extension.
  * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
  * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|document_Fall|thank|screensaver|movie)[0-9]*\.zip"?
  # Tag the header so a later recipe (or the MUA) can quarantine and report it.
  | formail -A "X-Content-Security: [$HOST] NOTIFY" \
            -A "X-Content-Security: [$HOST] QUARANTINE" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html"
}
I'm using Thunderbird. I didn't need to train it or make any rules or anything. It's automatically taking care of lots of "mail contained virus" notifications.
I tried SpamBayes a few days ago. I had to wait to build up a database of good and junk mail, and then it made a false-positive with a university email even though I'd trained it with several uni emails.
Conclusion: Thunderbird is absolutely amazing. I'm going to recommend it to friends.
Plus, having Firebird and Thunderbird icons in quick launch looks much better than IE and OE.
The sender appears to be someone from a recognized domain name, such as ibm.com, zdnet.com or microsoft.com. The subject line typically says "Re: Details," "Resume" or "Thank you."
Oh yes, this is a good technique, because I often get emails from people at those domains.
("YEAH RIGHT")
Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
I haven't seen this virus in my mailbox, but my ping time went way up and bandwidth way down at home. I guess there are some Windows users sharing my ISP with me. It didn't happen with last weeks virus though. Is this one especially prolific at e-mailing?
Although I see that blaming MS directly for may not be appropriate. They have certainly contributed heavily to enabling the mechanisms of these worms/virii.
For e.g., not showing the extension of a file by default. If you could train users not to double-click attachments with suspicious extensions, most of these e-mail virii would be non-existent. Executing an attachment, when a user double-clicks it, is definitely a foolish idea. Allow attachments to be data, which can be read by external programs; require the user to change a configuration setting if the file itself has to be executed.
Ease of use you say? How many of the people spreading these virii, actually have a legitimate need to be sending each other executable files? In Evolution for e.g., you can open the attachment with an external program, but not run the attachment. I have never found this to be a problem.
Hiding files which MS 'thinks' need not be seen, is another irritation. I had a friend's Win 98 computer, which had a few hidden directories in Windows/Temp Files, having around 600MB of his browser cache. The only way of getting to those directories was to use the command line to list hidden directories, and then use the directory name to get there.
Sorry if this came off as a bit of a rant, but absolving MS of all blame, when clearly it would be much more difficult for virus writers if they hadn't made things so easy is ridiculous.
All bow to his Noodliness!! His Noodle Appendage has touched me!
What I keep wondering is how come there are no open source virus scanners? I'd like to add a simple procmail rule that scans incoming mail for viruses using a free program. There are plenty of tools out there but they all use commercial virus scanners on the backend.
:(
I guess the main problem is dealing with virus updates... I suppose it would be illegal to reverse engineer a NAV dat file for use in an open source program.
We got the first virus today at about 13:00 (MET +2) and we are now getting about 10 viruses every second:
I'd think all the major ISPs (AOL, MSN, Earthlink, Charter, etc.) could setup proxies and just filter all email traffic. I mean, isn't that the only realistic way to stop the madness?
I mean I guess it would cost them a lot of manhours and resources to do such a task, but it seems like it is the responsible thing to do.
As long as it's not abused of course. Strictly filter out viruses.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Never, huh?
Basically, the last time that a major non-Windows worm threatened the stability of internet was back when the majority of computers on the Internet weren't running Windows. There have been numerous worms since then for UNIX & Linux, but their market penetration has been low enough not to seriously hurt the whole internet. This is not as good of a thing as you indicate.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
... you insensitive clod!
paintball
Exactly what I thought when I read that sentence. Look, Microsoft is a convicted monopolist and I need no other reason to be displeased them as a company at this time. You may keep your quips to yourself, if you don't mind; they don't add anything to the newsworthiness of this story (or lack thereof).
Thank you.
- Leo
You don't use science to show that you're right, you use science to become right.
I'll give you that - if you're going to knock off a desktop theme, why in God's name would you do winXP? At least give gnome credit - knocking off MacOSX at least yields a more attractive result.
-Looking for a job as a materials chemist or multivariat
Most users who are victims of this VIRUS are not computer experts. They use computers at work or home, in the course of their job or recreational pursuits. They are not into computers, or computing. Their ability to configure depends on default installs and clicking "next." Therefore, if the default installs are open to security exploits, it is NOT their fault.
It is a software problem. Filter on x-mailer: outlook express and see if ONE SINGLE virus message is received. No other mail program seems to be affected.
Now. Tell me again how this is the fault of the user and not software?
Since the virus spoofs the address of the sender, who it says it comes from is probably not where it came from.
Just FYI.
Ceci n'est pas une pipe.
1980s: 640k, EMM386.EXE.
I may really be naive about this, but if MS was serious about "Trustworthy" computing, then you'd see "MS AntiVirus" on their products page.
... it looks like they're going to do it after all?
Then again... who'd use it? It'd let 1/2 the viruses through.
Haha. Then again... I spoke too soon... google: 'ms antivirus'
$20 fine added to your student accounts receivable everytime you open an attachment that screws with the network.
Education through the wallet always works better.
paintball
Friends don't help friends install M$ junk.
... ugh ... it's not Microsoft's fault that its users are too stupid to apply patches. It's as simple as loading up http://windowsupdate.microsoft.com/ and clicking scan... "problem" solved - woopyidydoo.
... idiots that have perfected the drama-queen act to a T.
Slashdot
Wow, this must be an old virus if it is written in Fortran.
Instead of deleting them by hand, you can train the filter with several of them and then from menu bar -> Tools -> Run Junk Mail Controls on Folder.
Alternatively you can set up a message filter (from the Tools menu too) and then run it on your inbox.
Good luck.
Haven't actually seen the virus itself, but I've been getting barraged by notices from various server installations of "Declude Virus" telling me that my server sent them an infected e-mail. They then proceed to include the original headers which clearly show the offending e-mail came from somewhere else. They suggest, "If this virus did originate from one of your users, you may want to consider adding virus protection to your mailserver." Uh, I won't be installing their software, that's for sure.
"Just wondering... Why are viruses programmed to deactivate?"
Built in obsolescence? Maybe the writer always wants you to have the latest version or something. This also reminds me of the recent musings of a software company we love to hate ;-)
Nope. Some government is behind this, either U.S. or China is my guess. The goal is to sharpen cyber warfare skills. Neither country wants to cause significant harm on the other unless there is a real war, in light of the fact that we are dependent on each other economically.
The only ones who will bitch if MS changed their OS are script kiddies, they would effectively be castrated. Now the solution that is coming with trusted computing is to not allow the user to make any critical choices. Typical MS treat people as stupid, then control their usage marketing. It will most likely work at first till someone cracks the processor encoding shit and starts to take down MS users big time! Do not fool yourself it will happen the more we think cyber attacks can be stopped by an encoding system the more the real crackers will work to whack it. The only way to protect ones self is to know how to hit stop buttons and be aware of the activity you and your computer are doing! Good example is hiding winipcfg in win 98, from users, then making people think that you need to go to your local MS crap/business college to learn how it works. Bullshit!
OH THE SHAME I fell off the wagon and use sigs again!
Nuff said!
Got Code?
... got the virus.
They've posted a free fix here: http://www.linuxiso.org
I work in IT for a large company and we have been cleaning this virus crap off our computers for a week now. Talk about job security at the lower level. Menacing work it is, but it's WORK. And it pays for overtime too.
Yes, please turn them off. For some reason my address is often spoofed. The "your message contained a virus" stuff is a waste of bandwidth.
...
Nothing to add, only to say I agree. Lets keep repeating this and it might just happen
If you use postfix, there is a nice feature that you can use to simply reject any mails originating from Outlook.
In main.cf look for "header_checks". That file is just filled with regular expressions and results. There is a sample in your /etc/postfix/ directory.
Tonight, after getting over 100 of these critters, I am very seriously contemplating using it.
According to a survey made by Made Up Company, Inc., 62.5% of all mails with the "X-Mailer: Microsoft Outlook.*" header are virus mails, 12.8% are spam, 7.3% are bullshit from morons nobody wants to talk to anyways, and 15.4% are from people who wouldn't use Outlook anyways if they had a choice (e.g. me at work). That leaves 2% mails you would miss, and they're from your grandma.
Our e-mail virus gateway has stopped 21189 of these messages today alone... there are infected computers all over the place... it's interesting to see where the computers are that are sending these.
People, listen up. If you wanna hate someone, fine, but do it for the right reasons.
1. MSBlaster is NOT microsoft's fault. They released the patch over 3 weeks ago and none of the users installed it. How many of you are running out of date RedHat boxes and don't have a CLUE how to update them? Microsoft has "Windows Update" on the startmenu, and it reminds you in the system tray... can't get much simpler than that.
2. "Trustworthy Computing" means that only media and programs that are digitally signed as being trustworthy can be used/viewed/ran. Trustworthy computing is not yet in place. If it were, all these virii would not be a big deal, as they are not trustworthy.
Trustworthy computing would FIX a lot of virii problems, but it would also cause a lot more problems than I think it's worth (ie: once you give them permission to control your media, controlling thoughts and actions isn't far off).
Cut it out with the fucking mindless MS bashes.
no comment
That would help other countries in this special case too.
We are Turing O-Machines. The Oracle is out there.
I've come to the conclusion, after dealing with several such outbreaks in the last four years, that people are dumb. You could send out an email with a subject of "New Virus," a body that reads "If you run the attached program it will set your computer on fire, destroy your corporate network, open a gaping black hole under your chair, mail itself to everyone in your address book, post a message on USENET saying you're an idiot, and finally download child porn to your computer and notify law enforcement that you're a child pornographer," and some dipshit is going to run it.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
...of this:
1. MS are consistent. About *what* is unfortunate, but they do have that going for them.
2. One should always appreciate nostalgia. Oh, SoBig, how we loved you so the first time. Maybe we can make like the horror movies and have a SoBig vs. Nimda thang.
3. In seriousness, it does provide an excellent test for the veracity of the MS "Trustworthy" computing initiative.
Imagine how bummed I am right now. My connection has seemed a little slow lately, come to think of it.
Mailsmith is so great.
Slapper, Adore, Lion and Ramen are all Linux-only.
Please do not confuse UNIX or GNU with Linux.
When will the various mail server vendors get a clue? Allow honeypot checking to stop viruses. For example, in your company's global/LDAP/Exchange/Whatever address book put in random bogus (honeypot) addresses. One for every letter of the alphabet would be good.
Then have the mail server check every outgoing message to see if it is being sent to the honeypot addresses. If it is, the sender most likely has a virus. You have tried to send to a bogus account, so therefore I think you are infected with a virus. Automatically disable the account and send the account and email to contact IT ASAP because they probably have a virus. Worst case scenario is that 5% of your users get sent the virus before the honeypot was hit.
This would work on any virus, even new ones that the antivirus vendors haven't detected yet. Because now you are looking at behavior, not content.
You open source zealots our there listening? Put your talents where your mouth is and give us some good open source plugins for the various email daemons to do this! It's time for mail servers to start looking at behavior, not content.
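The behavioural check the post above describes, as an added example (not code from the thread or from any mail server): outbound submissions are modelled as constructed Submission records, the decoy addresses and account names are made up, and the flagged party is the authenticated account or client IP rather than the forged sender address.

```python
"""Honeypot-recipient detection for an outbound mail server.

Added example illustrating the post above; not code from the thread or
from any mail server. Each outbound message is modelled as a Submission
record (constructed here, the data a submission server has at RCPT time).
An account whose mail is addressed to a decoy is flagged regardless of
what the message's envelope sender says, because SoBig forges that."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed decoy addresses seeded into the company address book. The post
# suggests one per letter so an alphabetical harvester hits one early.
HONEYPOTS = frozenset({
    "aaron.decoy@corp.example",
    "bianca.decoy@corp.example",
    "carl.decoy@corp.example",
})


@dataclass(frozen=True)
class Submission:
    auth_user: str            # SASL-authenticated account; "" if the client did not authenticate
    client_ip: str            # address the message was accepted from
    mail_from: str            # envelope sender; forged by SoBig, so never used for blame
    rcpt_to: Tuple[str, ...]  # envelope recipients


def honeypot_hits(sub: Submission, honeypots=HONEYPOTS) -> List[str]:
    """Decoy addresses among this message's recipients (case-insensitive)."""
    return sorted({r.strip().lower() for r in sub.rcpt_to} & honeypots)


def find_infected(submissions: Iterable[Submission], honeypots=HONEYPOTS) -> Dict[str, dict]:
    """Group decoy hits by the party that actually sent the mail.

    The key is the authenticated user when there is one, otherwise the client
    IP, so an unauthenticated LAN relay can still be identified and blocked."""
    flagged: Dict[str, dict] = {}
    for sub in submissions:
        hits = honeypot_hits(sub, honeypots)
        if not hits:
            continue
        key = sub.auth_user or sub.client_ip
        entry = flagged.setdefault(key, {"hits": set(), "messages": 0, "client_ips": set()})
        entry["hits"].update(hits)
        entry["messages"] += 1
        entry["client_ips"].add(sub.client_ip)
    # Freeze the sets into sorted lists so the result is stable and comparable.
    return {
        key: {"hits": sorted(e["hits"]), "messages": e["messages"], "client_ips": sorted(e["client_ips"])}
        for key, e in flagged.items()
    }


def response_actions(flagged: Dict[str, dict]) -> List[str]:
    """The post's policy: stop the account sending and get IT involved.

    Returned as plain action strings so a real hook could map them to a
    directory disable plus a helpdesk ticket; nothing is executed here."""
    actions = []
    for key, info in flagged.items():
        actions.append(f"disable submission for {key}")
        actions.append(
            f"notify IT: {key} sent {info['messages']} message(s) to decoy(s) "
            f"{', '.join(info['hits'])} from {', '.join(info['client_ips'])}"
        )
    return actions


# Constructed sample: alice is clean; jdoe's machine is harvesting the address
# book (and forging alice and the CEO as senders); 10.0.0.77 relays without auth.
SAMPLE_SUBMISSIONS = (
    Submission("alice", "10.0.0.5", "alice@corp.example", ("bob@corp.example",)),
    Submission("jdoe", "10.0.0.23", "ceo@corp.example", ("aaron.decoy@corp.example", "bob@corp.example")),
    Submission("jdoe", "10.0.0.23", "alice@corp.example", ("Carl.Decoy@corp.example",)),
    Submission("", "10.0.0.77", "someone@example.org", ("bianca.decoy@corp.example",)),
)

if __name__ == "__main__":
    for action in response_actions(find_infected(SAMPLE_SUBMISSIONS)):
        print(action)
```

Because the check keys on who authenticated, alice is not flagged even though two of the worm's messages carry her address as sender.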
"block this at the receiving server" only works if:
* the receiving mailserver can handle the inbound load generated by the virus well enough to scan each mail
* the virus doesn't fill the circuits into the receiving server
This stuff shouldn't be leaking out onto the public internet to start with.
We've got a T1 dedicated to mail service and it's full of virus bits. We can't even get them to the server to filter them.
Admins, get your acts together and act responsibly to help the community. Either fix your damn clients or block/filter outbound port 25 from your networks --- there's absolutely no good reason the average user's desktop can connect to port 25 on my mail server.
Just read through the new material and saw that you are right - the beta doesn't do what you want yet. :(
Still leaves me wondering whether or not you really have to have XP, and if so, it still sounds like he's only weeks away from having what you want, and the price will be a lot lower than the time to do it yourself is worth.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I'll admit ignorance here and ask what would probably amount to a really stupid question.
Would a regular (non-root) Linux user be affected by a similar worm or will the "inherent security" be enough to make sure it doesn't run wild querying nameservers and sending oodles of mail?
I guess what I'm getting at is the whole argument that Windows is targeted for maximum effect. If it could be demonstrated (at least in this instance) that Linux wouldn't have been affected by a similar attack (using linux binaries, of course), I'd have a better argument for when I discuss MS vs. Linux with other people.
While I'm at it, are there any good solid "Linux is more secure" articles that enumerate positives beyond "Linux users are generally more computer savvy" and "With many eyes all bugs are shallow?"
I have been blacklisting attachments based on extension with a procmail recipe, but now I'm thinking it would be easier just to create a whitelist of the few things I'd let it (images, zips, etc).
Any thoughts on what a whitelist of extensions should have besides those?
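An allowlist checker along the lines the post above asks for, as an added example (not code from the thread): the allowed and executable extension sets are my assumptions, the message is constructed in the block, and it also covers two cases raised elsewhere in the thread, a ".com" name that is really an MS-DOS executable and a .pif wrapped in a .zip as SoBig.E did.

```python
"""Attachment allowlist check (added example; not code from this thread).

Instead of blacklisting extensions, accept only a short list of data
formats, treat any Windows-executable extension anywhere in the name as
fatal, and look inside accepted zip files (SoBig.E shipped its .pif inside
a .zip). A name such as "Yahoo.com" is rejected because .com is an MS-DOS
executable extension. Python 3.6+ standard library only."""
import email
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed allowlist of data formats the user actually needs to receive.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"})
# Extensions Windows runs on double-click; a match anywhere in the name rejects.
EXECUTABLE_EXTENSIONS = frozenset({"pif", "scr", "com", "exe", "bat", "cmd", "vbs", "js", "lnk"})


def extensions(filename):
    """All dotted suffixes of a file name: 'details.txt.pif' -> ['txt', 'pif'].

    Backslashes are normalised so a Windows-style path cannot hide the base name."""
    base = posixpath.basename(filename.replace("\\", "/")).strip().lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(filename):
    """Return ('accept' | 'reject', reason) for a bare file name."""
    if not filename:
        return "reject", "attachment without a file name"
    exts = extensions(filename)
    if not exts:
        return "reject", "no extension"
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            return "reject", f"executable extension .{ext}"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return "reject", f".{exts[-1]} is not on the allowlist"
    return "accept", f".{exts[-1]} is allowlisted"


def classify_zip(payload):
    """Apply classify_name to every member of a zip; a single bad member rejects."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                verdict, reason = classify_name(member)
                if verdict == "reject":
                    return "reject", f"zip member {member!r}: {reason}"
    except zipfile.BadZipFile:
        return "reject", "declared .zip is not a valid zip archive"
    return "accept", "all zip members allowlisted"


def scan_message(raw):
    """Return [(filename, verdict, reason)] for every attachment of a raw message.

    get_filename() reads the Content-Disposition filename= parameter and falls
    back to Content-Type name=, so names given only in Content-Type are seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict, reason = classify_name(name or "")
        if verdict == "accept" and extensions(name)[-1] == "zip":
            verdict, reason = classify_zip(part.get_payload(decode=True))
        results.append((name, verdict, reason))
    return results


def build_sample_message():
    """Constructed test message with four attachments; the payloads are not programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"not-a-real-program")
    msg = EmailMessage()
    msg["From"] = "forged@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="details.pif")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="Yahoo.com")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="application.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample_message()):
        print(f"{name:16} {verdict:7} {reason}")
```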
the large print giveth and the small print taketh away
Hell, as I type this my email intray is getting blasted by this f'n virus. Fortunately, between Norton and Pegasus Mail, it's hard for the virus to affect me.
And based on the headers I'm seeing here, my bad karma list now includes a certain Mr S*****y at an unnamed Texas based university...
One impact, that strangely no one noticed here, is the amount of bandwidth this worm consumes from busy smtp servers. My company provides email support to hundreds of thousands of users, so our addresses are in their address books.
My 2 t1 connections were overloaded a few hours after the worm got in the wild! I had to work for about 10 hours to design a dynamic firewall filter to block infected systems from hammering my server, since these clients try to send their mail over and over to the same email addresses.
People interested in the filter description can find it in the postfix-users mailinglist - look for the messages "Battling SoBig.f induced bandwidth problems". I only pity those who do not have the flexibility of a good *Nix based mail server - no way you can do that with Exchange
The MS bashing is justified. Blaming admins for not keeping up with the patch/week is a non-starter. MS itself got hit with this. The MS patch download web server was itself compromised by the Code Red worm. If they can't afford the talent to get it done, the scope of the task is unreasonable.
They wrote shitty software, they implemented stupid designs. And we have to clean up after them. I have things I'd rather be doing, like furthering the goals of my employer.
Any html file loaded off a local drive is considered by IE to be in the "My Computer" security zone; the privileges on this zone cannot be changed and are sufficient to load unsigned ActiveX controls. Need I say more...
From my hm account (Spanish, means "important security update for the..."):
HealthyHelp Weekly N... Gain Length And Mass 19 ago 2k
.NET Messenger Servi... Actualizacion de seguridad importante para el... 19 ago 1k
(the same .NET Messenger line repeated many more times, dated 19 ago and 18 ago)
LOPARDO Look- penisenlargement pill that works 18 ago 2k
what is more annoying penis enlargement spam or M$ one??
And now for something completely different. A man with three buttocks!
I keep getting nailed with them, all to webmaster@_______.com. Guess that's what I get with a popular site and my email posted on there. At least they all end up filtered with PINE. Feel bad for the suckers using Outlook (no I don't actually, because it's their fault I'm getting all this crap).
Fucking brilliant. Well as /.'s credibility goes into the shithole and takes O.S. with it, I hope you really end up where you wanted to go...
I have not gotten a single one of these. (Mailscanner/f-secure?) My office mate however has been getting tons of them - they don't have the virus though - someone's machine has been scanning, cleaning, and then sending them on.
Hilarious.
I've had 4 infected emails in the last 10 minutes here in Sydney. The attachment is always "details.pif", but the spoofed sender is different each time.
It appears to contact our mail server directly, judging by the email headers.
Its 10:20ish now.. he usually gets home at 6:00 or 6:30... but tonite he's still trying to clean up their network. all because 1 person brought it in with 1 infected e-mail.
John Hancock
Power required: 1.21 gigawatts
Threshold velocity: 88 mph
- White Knight of the Order of Mihoshi Enthusiasts
How is this Offtopic, and the parent and other replies about trustworthy computing were interesting? I'm not saying it deserved an interesting, but it seems pretty on-topic.
Many people (even the dumb ones) might spot an .exe file but I wonder how many fail to realise that .com isn't just a generic commercial TLD but also the extension of an MS executable?
Attachment: Yahoo.com 74K
I opened a pif out of curiosity in my pet gvim, it appeared harmless .. i mean it didn't reboot me or anything .. what risk are you people talking about? :P
When a post becomes too insightful, it often becomes funny.
They're up to the f release - looks like it's evolving - they patch, they prod, the thing just gets better - I"ve gotten 30 e-mails from strangers.
Will there be people in 2100? Will they be real skinny? vote : the_real_38@yahoo.com
I did not quite get 5000, however I just came home to see over 180 messages. The real ironic/confusing thing is that *every* single one of them were to the address I use to post on slashdot. I get occasional spams by however spammers lift the address from this board, however I do not see how or why this virus would be sent to me so many times.
I have never received any emails from a human to my slashdot address (not even responses to my comments), so I don't see how my address would be in anyone's Outlook book. I wonder if a spammer got infected and their spam lists got used as a target.
I thought the email addresses associated with our profiles were hidden in some way to prevent spam harvesting. Quite confusing.
Cave, wreck, and deep diver.
All I know is that it got me out of work for a day, again.
Someone hates these cans.
Before being hammered by this virus, my sites were heavily scanned by a bot from hinet.net. Besides having virus attempts made to my lists (I have code that blocks it), I've gotten a few thousand sent to an address that exists ONLY as a hidden link on my webpages. Is there a connection? Was the bot collecting email addresses for the virus? How did the virus get an address that is not used by people.
The news.com article mentioned that the virus reads the cache. Does this mean it has a parsing engine that reads all the cached HTML pages that someone has visited for email addresses? If so, then the hinet.net scanning may be unrelated. Of course, others have seen the scanning as well and made the connection but it may just be two unrelated events.
Anyone have an informed comment?
Michael Dinowitz House of Fusion http://www.houseoffusion.com
"The virus grabs e-mail addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends e-mails to each one. The virus also forges the source of the message using a randomly selected e-mail address so that the infected message appears to come from someone else."
How long before this kind of shit happens in Inet content itself. I understand that 99.9% of web content created by trusted computing software users will be doing precisely what it purports to do. I am sure that your web content is not malicious. Can you tell me that in the future without having processor lock and key systems you will be safe on the net using Windows? Microsoft counts on the fact that very soon no one that doesn't use trusted computing tech keys and locks will be safe. This is the only way they will be able to implement secure computing, just that it can screw web content other than signed trusted stuff is an added bonus. Read between the lines of what they are really doing, it is just another monopoly ploy and has precious little to do with real security.
OH THE SHAME I fell off the wagon and use sigs again!
If you're reading this, why don't you send the next version of Sobig in a message that says something to the effect of "DO NOT OPEN THE ATTACHMENT, IT CONTAINS A VIRUS", with the virus itself named virus.EXE and contained in a file called virus.zip.
You have enough proxies as it is, surely you can "trow away" one batch. You know, just for the hell of it.
Ha! That's just Star Trek technobabble!
You almost had me fooled. :-)
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
I tried to run my copy of sobig.f, that the nice young man in Rhode Island was so kind enough to send me. But it won't run in Winex3. Damn.
mail2world cancelled my lifetime email account after the first hour or so (300 messages about evenly divided "from" me and "to" me). The account is/was a simple forwarding account... Hopefully they will restore it sometime.
Oh joy, so now the f'ing cause of this shit is going to become forever frozen in time! Sounds like Longhorn will be the only way to actually fix this bullshit. Well, you morons go out and pay the idiots that created this mess more money. My main box on moz in slack 9 is getting pounded with .pifs of this shit, all from x Outlook source. Interesting that some of the worst spam bot morons are now easy to track. Now I have a clean, certain record of the semi-pro spammers trying to sell me penis enlargement pills. Amazing some are stupid enough to use the auto address in MS Outlook, rather than the pro tools that you can hide with. But then again the tool would have to pay for the tools. So I guess some of the persistent spammers are not that smart after all. Watch out, you are about to find yourselves in DoS hell until you change ISPs again!
Will you please update your software so that it does not generate bounce messages when it finds instances of viruses that fake the sender's address? Why would you not have this feature in your software already?
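What this request amounts to in code, as an added example that is not from the thread or from any named mail product: a content-filter decision that discards worm mail without generating a bounce, and reports the host that actually delivered it rather than the forged From:. Because the worm forges the sender (see the Symantec quote above), the only trustworthy origin is the first Received: hop outside our own relays. The relay address in TRUSTED_HOPS, the extensions beyond .pif, and both sample messages are constructed assumptions.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Attachment extensions treated as Windows executables. ".pif" is the one the
# thread reports; the others are the same class of file (assumption: adjust to
# local policy).
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat"}

# Assumption: addresses of our own mail relays. Received: headers written by
# these hosts are trusted; the first hop from anywhere else is the machine that
# really handed us the message, whatever the From: line claims.
TRUSTED_HOPS = {"192.0.2.10"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def executable_attachments(msg: EmailMessage) -> list:
    """Return the file names of attachments carrying a blocked extension."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            found.append(name)
    return found


def originating_ip(msg: EmailMessage) -> Optional[str]:
    """Walk Received: headers (newest first) and return the first 'from' IP
    that is not one of our own relays, i.e. the host that connected to us."""
    for hop in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(str(hop))
        if match and match.group(1) not in TRUSTED_HOPS:
            return match.group(1)
    return None


def filter_decision(raw: bytes) -> dict:
    """Decide what the content filter does with one raw RFC 822 message.

    Worm mail forges From:, so a bounce (DSN) would only reach an uninvolved
    third party. Infected mail is dropped silently and the postmaster is told
    which host actually delivered it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bad = executable_attachments(msg)
    if not bad:
        return {"action": "deliver", "bounce_on_failure": True}
    return {
        "action": "discard",
        "bounce_on_failure": False,   # never notify the forged sender
        "notify": "postmaster",
        "attachments": bad,
        "claimed_sender": str(msg["From"]),
        "source_ip": originating_ip(msg),
    }


# Constructed sample, modelled on what the thread describes (a .pif attachment
# with a forged From:). Not a real worm capture.
INFECTED_RAW = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.org with ESMTP id A1; Tue, 19 Aug 2003 12:00:01 +0000
Received: from pc7.dialup.example.net (pc7.dialup.example.net [198.51.100.7])
    by mx.example.org with SMTP id B2; Tue, 19 Aug 2003 12:00:00 +0000
From: innocent.user@example.com
To: hidden-trap@example.org
Subject: Re: Your request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached file.
--sep
Content-Type: application/octet-stream; name="your_file.pif"
Content-Disposition: attachment; filename="your_file.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--sep--
"""

# Constructed clean message from the same dial-up host: delivered normally.
CLEAN_RAW = b"""Received: from pc7.dialup.example.net (pc7.dialup.example.net [198.51.100.7])
    by mx.example.org with SMTP id C3; Tue, 19 Aug 2003 12:05:00 +0000
From: real.person@example.net
To: list@example.org
Subject: Meeting notes
Content-Type: text/plain

Just text, no attachment.
"""

if __name__ == "__main__":
    print(filter_decision(INFECTED_RAW))
    print(filter_decision(CLEAN_RAW))
```

The point of `source_ip` is the one the thread keeps circling: the From: line on these messages names a bystander, so any complaint or block belongs to the connecting host, and any automatic reply to the From: address is itself a small flood.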
News sources are saying it's an indication that the writer of the virus knows what s/he is doing and is not planning on stopping releasing new versions soon.
$ echo "ceci n'est pas une pipe" | sed -Ee 's/(eci n|pas )//g'
Let's say that a user's computer gets infected with W32.Sobig.F@mm. Well, the worm starts sending
(See Symantec description.)
It's reading your "hidden" address from browser caches on infected machines of people who've visited your web pages.
Well, the sobig.f worm seems to have been contained; AV companies believe it could not connect to any of its list of 20 servers for an update.
They still don't know what the update was to be.
Too bad for the virus that it depended on this list of servers to update. However, there are reports that it also contains a backdoor enabling updating it. Here is my worst-case scenario of what could happen next:
1. The authors of the worm quickly release a new worm, which uses the same methods to propagate and whose main purpose would be to scan IPs for already infected computers and update them to the new version.
2. New versions of the worm contain a strong encryption key to recognize the next updates. They also contain a block of "secret", encrypted payload code, the key to which is contained in the update. This way the block can be run instantly right after getting the key in the update, without waiting to download the whole update, speeding things up.
3. New versions do not depend on fixed port numbers for communications, which can be easily blocked in routers. Instead they listen on a number of random ports and/or intercept commonly used ports which cannot easily be blocked globally.
4. The IP of the previous computer in the infection chain is kept by the infected computer; it also actively scans ports for other infected hosts and keeps a list of found IPs. This list is also encrypted, with the key coming in the next update. When the next update comes, the list is decrypted and the update quickly forwarded to all computers in it with the previous version. This distributed network is similar to current p2p networks and makes global updates very, very fast and impossible to track beforehand.
5. New versions will continue to use email scams and Windows security holes to keep spreading.
So now we have a global network of infected computers that can be quickly updated by its controllers to stay ahead of any countermeasures that security people may think of, all continuing to spread and containing a secret payload which could be triggered even faster than an update.
(cue final scenes from Terminator 3)