Slashdot Mirror


Microsoft Virus Spam: SoBig.F

If you're being barraged with Microsoft virus spam emails today, this story notes that it's a flare-up of an older Microsoft virus in a new, improved form. Yay for trustworthy computing.

30 of 557 comments

  1. Re:Yay, michael's a tool by Anonymous Coward · · Score: 0, Insightful

    Michael troll? Never. Everything he says is fair and balanced.

    As for the concept of "fair and balanced," in practice this means, "whatever supports my views." Conservatives don't like CNN or the New York Times because they are mainly liberal; Fox News is mainly conservative, which seems to conservatives fair and balanced. National Public Radio, which is mainly liberal, seems fair and balanced to liberals. If there were a revanchist krypto-Trotskyite anti-cosmopolitan news channel, and it ran a report saying that secret councils of European bankers ruled the world, all revanchist krypto-Trotskyite anti-cosmopolitan viewers would consider that fair and balanced.

    So, Michael is fair and balanced to most slashbots.

  2. Non-Windows Problems by Saxton · · Score: 2, Insightful

    This is the first time that I've really been bothered by a Windows worm or virus. All servers here are FreeBSD and OS X, and everyone's primary workstation (41 employees) is running OS X 10.2.6 or OS 9.2.2.

    I used to laugh when all the M$ weenies had problems... but now it's a real problem when I get users here going bonkers about 50 e-mails from 20 people... and me having to go around blocking mail servers...

    Here are some other articles around about it:

    C-Net
    BBC

    Okay, I'm done ranting. Thanks /.

    --
    My name is Aaron Landry, and I approve this message.
  3. University getting hit hard by Hammerikaner · · Score: 2, Insightful

    I work for a small private university in the midwest as a student helpdesk consultant. Our phones are ringing off the hook as faculty, staff, and students are getting upwards of 30 emails every few minutes of this worm. We're trying to contain it here, but of course people are always eager to open up email attachments from anyone they know... even if the filetype is unknown and there is no actual personal information in the email. Oh, the stupidity.

  4. Re:Mail server getting pounded here by Anonymous Coward · · Score: 1, Insightful

    And just what security hole is it exactly?

    There isn't a hole in Outlook if you've patched, and it can be set up to not run scripts. The root of the problem in your case is not patching. If you get this version, chances are you were also still vulnerable to other SoBig variants; the difference is in the mailing engine being multithreaded, not the way the virus attacks.

    The problem with email viruses is a social one; if an executable got dumped to any computer system with a note saying click me, some dumb user - Windows, Linux, OSX or otherwise - would fire it up. At that point, it isn't about holes, it's about a valid, running program that's spewing out emails all over the goddamn place.

  5. Re:Oh great - more good news by advocate_one · · Score: 2, Insightful

    Your admins aren't worth the money they're being paid...

    they should be pushing the updates out to your machines overnight using SUS [http://www.susserver.com/]

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  6. Re:Translation by Anonymous Coward · · Score: 1, Insightful

    Yeah, so here you are sitting on your fat ass bitching about it on slashdot.

    Have you tried Google News or blocking by subject (i.e. caldera)?

  7. How are stupid users MS's fault? by dirk · · Score: 4, Insightful

    I find it funny that once again a virus is being blamed on Microsoft. The only way to spread this is to open the attachment and run it. How is Microsoft supposed to stop people from opening attachments? If you use MS Outlook you are actually immune to this virus, as Outlook blocks most executable attachments. Please explain to me why a user running a file (which then opens its own SMTP server and emails itself to people) is Microsoft's fault? This same thing could happen on Linux, there is nothing stopping a Linux user from running a file attachment. This isn't a MS problem, it is a user education problem.

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
  8. Re:It's a worm - blame the users! by gl4ss · · Score: 2, Insightful

    the user is under the impression it is not an executable.

    --
    world was created 5 seconds before this post as it is.
  9. Ever get one of these... by Synesthesiatic · · Score: 5, Insightful
    and try to tell your semi-computer-illiterate ("But I know how to use MSN and Kazaa!") friends that they've got a virus? I don't even bother anymore because the only response I ever get is

    "No I don't."

    Because of course they're running anti-virus software. And of course the definitions have never ever been updated.

    These same people decide when their PC is two years old that it's just "too screwed up" and go buy a brand-spanking-new one with the same flaws which they will proceed to bugger up in a month and a half.

    I wouldn't last a week in tech support.

  10. Not the viruses, it's the autoreplies... by edashofy · · Score: 2, Insightful

    I don't get any of the viruses thanks to SpamAssassin and whatever else our fine Admins have put on the mailserver, but what I do end up getting is about 200 autoreplies from dumb MTAs who believe I have sent them a virus when in fact it's the virus/worm/whatever spoofing itself off as me.

    Despite the fact that I didn't actually send a virus-infected email from mta3.someserver.pl to a nonexistent address, I still get the helpful autoreply that tells me that the user at that nonexistent address does indeed not exist.

  11. Re:Snowcrash? by jazman_777 · · Score: 5, Insightful
    > I'd really like to see an initiative to educate the typical 'dumb Microsoft user'.

    Won't work. Dumb people are incapable of a realistic self-evaluation. Here's why.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  12. When will you people learn.... by SlashChick · · Score: 5, Insightful

    ...that just because you're not using Outlook or Outlook Express, you still may be vulnerable to worms or email viruses?

    All it takes is one user to click the attachment who has an LDAP-enabled address book of the entire company, and poof! you're screwed.

    The only sensible way to kill these worms is to block them at the mail server. If you block them at the mail server, you don't have to try to train people or keep hundreds of anti-virus clients up-to-date. Do yourself a favor and set up XWall if you have Exchange (this is about the coolest spam-blocker/email filter program I have ever used, BTW) or SpamAssassin/MailScanner if you have Linux/UNIX. This will save you a ton of headaches in the future, and won't require you to worry about hundreds of clients being up-to-date as much as focusing on whether a few email servers are up-to-date. (Block the standard Microsoft "bad executable" list and you should be fine.)

    Seriously, in the year 2003, there's no excuse for "But my 400 clients weren't up-to-date!" Block these things at the server, which is something you as the network administrator should have complete control over, and which is where the worms should have been blocked to begin with.

  13. Re:It's a worm - blame the users! by gl4ss · · Score: 5, Insightful

    that's just the thing.

    this, like others, uses an extension other than .exe so the user doesn't expect it to be an executable because as you say 'but users are used to the whole 8.3 format where executables end with ".exe"'. some even use holes to hide the payload in files that wouldn't normally have executable code at all.

    showing the mimetypes/what the email reader is going to _do_ with it would be much more useful than just displaying the name of the file and telling the user to click on it.

    they're educated usually alright, mis-educated.

    --
    world was created 5 seconds before this post as it is.
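
Added example, not part of any comment in the thread: a server-side attachment check of the kind comments 12 and 13 argue for, flagging blocked extensions, decoy double extensions, and a declared MIME type that disagrees with the extension. The extension lists, function names and sample messages are constructed assumptions, not the "bad executable" list the comment refers to.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed sample lists for illustration only.
BLOCKED_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "lnk"}
DECOY_EXTS = {"jpg", "gif", "txt", "doc", "pdf", "zip"}
INERT_TYPES = ("image/", "text/", "audio/", "video/")

def normalize(name):
    # Windows ignores trailing dots and spaces, so "a.pif. " still opens as .pif.
    return name.strip().rstrip(". ").lower()

def inspect_attachments(msg):
    """Return (filename, declared_type, reasons) for every attachment to reject."""
    findings = []
    for part in msg.walk():
        raw = part.get_filename()
        if not raw:
            continue  # body parts and unnamed parts are out of scope here
        pieces = normalize(raw).split(".")
        if len(pieces) < 2 or pieces[-1] not in BLOCKED_EXTS:
            continue
        reasons = ["blocked-extension"]
        # "photo.jpg.scr": the visible middle extension is there to mislead.
        if len(pieces) > 2 and pieces[-2] in DECOY_EXTS:
            reasons.append("double-extension")
        # The sender's label says "picture", the OS will treat it as a program.
        declared = part.get_content_type()
        if declared.startswith(INERT_TYPES):
            reasons.append("declared-type-mismatch")
        findings.append((raw, declared, reasons))
    return findings

def sample(filename, maintype, subtype):
    """Build a constructed test message and round-trip it through the parser."""
    m = EmailMessage()
    m["From"] = "sender@corp.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "constructed sample"
    m.set_content("See the attached file.")
    m.add_attachment(b"constructed bytes", maintype=maintype,
                     subtype=subtype, filename=filename)
    return message_from_bytes(m.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for args in [("your_details.pif", "application", "octet-stream"),
                 ("photo.jpg.scr", "image", "jpeg"),
                 ("report.pdf", "application", "pdf")]:
        print(args[0], inspect_attachments(sample(*args)))
```
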
  14. Re:Editors need to be more honest. by weston · · Score: 4, Insightful

    But what the fudge does this have to do with trustworthy computing?

    Everything. Aside from the concerns that trustworthy computing is doublespeak for restricted computing, even if you assume that MS is talking about the *right* kind of trustworthy computing, this virus is the latest in a well-populated freakin' pantheon of examples of their failure to be able to provide anything of the sort.

    In other words, this is one more chance to ask yourself: why should you trust microsoft?

    Side note: I've had several acquaintances attempt to commiserate with me in the last week about various windows viruses. But I don't feel the pain. I'm using Win XP, but a good firewall helps with most of the problems, and you know, Thunderbird is a good email client and a nice way to avoid the Outlook viruses that people erroneously call email viruses.

  15. How is this microsoft's fault? by ad0gg · · Score: 4, Insightful

    It's an executable that requires someone to run it. People need to learn to stop clicking on every damn executable they get in their email. Hell Outlook even displays a warning that attachments can contain virii or have malicious intent, but people still click on them.

    --

    Have you ever been to a turkish prison?

    1. Re:How is this microsoft's fault? by EXTomar · · Score: 5, Insightful

      In their zeal to sell the house, MS gave the keys away.

      No application scripting language should be able to perform in an "untrusted" mode. There is no reason for it, but due to functional designs someone at MS came up with, it has to be there. Someone demanded that Office documents integrate into Outlook seamlessly and this is what you get.

      No one in any Unix environment will believe this message:

      Attached is a perl script with my message in it. Please extract and run it to read it.

      However MS has made a business of making people believe using a computer is as easy and as safe as using a toaster. So you get hackers who can apply a little social engineering to cause a disaster chain of events. Users are more than happy to click click click away when instructed.

    2. Re:How is this microsoft's fault? by dotgain · · Score: 2, Insightful
      > Hell Outlook even displays a warning that attachments can contain virii or have malicious intent, but people still click on them.

      True, but most of the Outlook users I can speak for have a pretty simple philosophy about network security. It goes like this:

      • If it says "forward this to everyone in your address book", do that.
      • If you have to click on a button that says "OK" to proceed, do that then.
      • case default: {call(support)}
      None of them want to miss out on a joke, and rather than refrain from opening exe's in case they're malicious, they open everything they see save missing out on some cute kitten picture.

      And of course, it's never their fault when a worm brings their system down. For some reason they believe that the world of computing is not particularly unique or special, and that it's not free from criminals, con artists and general vandals. The rapists and murderers get such a break from them whenever a *shock* computer virus is doing the rounds.

      Imagine if people went about life the way they worked computers.

    3. Re: How is this microsoft's fault? by Black Parrot · · Score: 2, Insightful


      > It's an executable that requires someone to run it. People need to learn to stop clicking on every damn executable they get in their email. Hell Outlook even displays a warning that attachments can contain virii or have malicious intent, but people still click on them.

      That's exactly why we think it's Microsoft's fault: their pursuit of their shallowly conceived "ease of use" philosophy has led them to design software that incorporates "ease of use" features that very obviously are malapropos for the popular user base.

      The reason you don't have this particular kind of virus/worm/whatsit on certain other OSes has nothing to do with the bugginess of the product; rather, it is because the people who design software for those other systems haven't tried to incorporate a "one-click EDI" function into their mail clients. EDI is serious business, and involves some significant issues of security and trust that simply aren't available in user-space internet.

      If a company was so foolish as to provide a feature that lets you bypass your password by typing esc-p, wouldn't you recognize it as a huge security headache resulting from bad design, even though it's just an ease-of-use feature?

      --
      Sheesh, evil *and* a jerk. -- Jade
  16. Re:Editors need to be more honest. by Keeper · · Score: 2, Insightful

    MS was found to have a monopoly in the OS market. It is not illegal to have a monopoly. They were found guilty of violating anti-trust laws which only a company that has a monopoly can violate. There is no such thing as "monopolistic business practices." If MS had performed any of the actions they were found guilty of while not being a monopoly it would have been perfectly legal. Get it straight.

  17. UNIX Worms by Valdrax · · Score: 2, Insightful

    Never, huh?

    Basically, the last time that a major non-Windows worm threatened the stability of the internet was back when the majority of computers on the Internet weren't running Windows. There have been numerous worms since then for UNIX & Linux, but their market penetration has been low enough not to seriously hurt the whole internet. This is not as good of a thing as you indicate.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  18. Trustworthy Computing(tm) by malus · · Score: 2, Insightful

    I may really be naive about this, but if MS was serious about "Trustworthy" computing, then you'd see "MS AntiVirus" on their products page.

    Then again... who'd use it? It'd let 1/2 the viruses through.

    Haha. Then again... I spoke too soon... google: 'ms antivirus' ... it looks like they're going to do it after all?

  19. irony. by twitter · · Score: 5, Insightful
    It's funny how many people post here saying they are immune to the thing, yet everyone is getting them in their mailbox. The web is slow here today and DNS seems shaky. No one is immune to Microsoft pollution.

    --

    Friends don't help friends install M$ junk.

  20. Re:Editors need to be more honest. by JMZero · · Score: 4, Insightful

    > using Win XP, but a good firewall helps with most of the problems

    Your firewall helps with this? What, by blocking the mail port? Or does your firewall parse SMTP and block viruses (hint: if it did, it might be called a mail filter or something)?

    > Thunderbird is a good email client and a nice way to avoid the Outlook viruses that people erroneously call email viruses.

    This one has nothing to do with an Outlook vulnerability. It's an e-mail trojan horse. Unless your mail client is unable to receive files with certain extensions, virus checks them, or executes them under a different permission level (unlikely under Windows), then it's vulnerable.

    You represent the most dangerous class of computer users - confident and uninformed.

    --
    Let's not stir that bag of worms...
  21. barrage of Declude Virus software notices by jdunlevy · · Score: 3, Insightful

    Haven't actually seen the virus itself, but I've been getting barraged by notices from various server installations of "Declude Virus" telling me that my server sent them an infected e-mail. They then proceed to include the original headers which clearly show the offending e-mail came from somewhere else. They suggest, "If this virus did originate from one of your users, you may want to consider adding virus protection to your mailserver." Uh, I won't be installing their software, that's for sure.

  22. Re:Thank you Spamassassin by timbck2 · · Score: 2, Insightful

    I'm a firm believer in security through obscurity, USED AS PART OF A SECURITY PARADIGM. (sorry for all the shouting)

    I do agree that security through obscurity ALONE is nearly worthless.

    --
    Absurdity: A statement or belief manifestly inconsistent with one's own opinion. -- Ambrose Bierce
  23. Re:Virus notifications are worse by tbase · · Score: 3, Insightful

    We occasionally get an important message with an executable attached. We can either let executables through and hope nobody clicks on them, or send a message back to the supposed sender letting them know it didn't go through. Deleting a message without telling anyone is not an option, even though most of those notifications aren't going to valid addresses, whether it's from Spam or Viruses.

    Those notifications are just a way for a company to save themselves a lot of work, at the expense of others. So, we take the risk so we don't have to pollute the 'net with (almost always) useless notifications. So I would say the call to admins should be tweak your filters and educate your users, and then turn off the notifications. Because you know the first important message to an officer of the corp that gets deleted without any notification is going to get someone fired, and they're not going to take that risk.

    I feel your pain - I'm getting swamped myself. But at least I'm getting an idea of how many viruses are going out in my name.

    As far as I'm concerned, you can blame all of this on the spammers. Look at the schedule of these SoBig releases and deactivations. I believe this is a response to more and more open relays getting shut down. These viruses are the new open relays, and the only way to stop them is to stop Spam itself - by beating the living crap out of anyone you know who buys anything from a spammer :-)

    --

    666-607: 6th floor apartment of the beast
  24. Re:Small norway with largest outbreak by Xerithane · · Score: 2, Insightful

    I got a dozen, here in Portland. It seems like everyone and their goddamn kid brother has it.

    I've only received 2 bounce messages from it, which is a first. I usually get several coming in. I have family who works in the internet based customer support business, they woke to 12,000 viruses waiting and several thousand bounces. I'm in Portland, too, and apparently it decided to pass me over for the most part.

    In typical webizen fashion, I warned everyone about it via blog, and told them not to use Outlook for a while.

    I gave up trying to get people to not use Outlook. When Mozilla popup blocker came out, a few people listened and said, "Hey... email.. woo" but most people just don't care. Unless the virus destroys their computer, they don't give a damn.

    --
    Dacels Jewelers can't be trusted.
  25. Set Up a Honeypot by TheBillGates · · Score: 2, Insightful

    When will the various mail server vendors get a clue? Allow honeypot checking to stop viruses. For example, in your company's global/LDAP/Exchange/Whatever address book put in random bogus (honeypot) addresses. One for every letter of the alphabet would be good.

    Then have the mail server check every outgoing message to see if it is being sent to the honeypot addresses. If it is, the sender most likely has a virus. You have tried to send to a bogus account, so therefore I think you are infected with a virus. Automatically disable the account and send the account an email to contact IT ASAP because they probably have a virus. Worst case scenario is that 5% of your users get sent the virus before the honeypot was hit.

    This would work on any virus, even new ones that the antivirus vendors haven't detected yet. Because now you are looking at behavior, not content.

    You open source zealots out there listening? Put your talents where your mouth is and give us some good open source plugins for the various email daemons to do this! It's time for mail servers to start looking at behavior, not content.
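
Added example, not part of the comment above and not code from any mail server: a sketch of the outgoing-mail honeypot check it proposes, where a message addressed to a decoy address-book entry disables the sending account and raises an alert. The class, function names, decoy addresses and the replayed submission log are all constructed assumptions.

```python
from email.utils import getaddresses

# Constructed decoy entries seeded into the address book (subset shown).
HONEYPOTS = {"aaron.decoy@corp.example", "mabel.decoy@corp.example",
             "zed.decoy@corp.example"}

def canon(addr):
    """Reduce 'Name <A@B>' or 'a@b' to a lower-cased bare address."""
    pairs = getaddresses([addr])
    return pairs[0][1].strip().lower() if pairs else ""

class HoneypotGate:
    def __init__(self, honeypots):
        self.honeypots = {canon(h) for h in honeypots}
        self.disabled = {}   # sender -> decoy address that tripped the gate
        self.alerts = []     # messages for the help desk / the account owner

    def submit(self, sender, recipients):
        """Decide 'deliver' or 'reject' for one outgoing message."""
        s = canon(sender)
        if s in self.disabled:
            return "reject"  # account stays blocked until IT clears it
        hits = sorted({canon(r) for r in recipients} & self.honeypots)
        if hits:
            self.disabled[s] = hits[0]
            self.alerts.append(
                f"{s}: outgoing mail to decoy {hits[0]}; "
                "account disabled, contact IT")
            return "reject"
        return "deliver"

def replay(gate, log):
    """Run a list of (sender, recipients) submissions through the gate in order."""
    return [(canon(s), gate.submit(s, r)) for s, r in log]

# Constructed submission log: bob's machine starts walking the address book.
SAMPLE_LOG = [
    ("alice@corp.example", ["carol@corp.example"]),
    ("bob@corp.example", ["Carol <carol@corp.example>"]),   # sent before any hit
    ("Bob <BOB@corp.example>", ["Aaron.Decoy@CORP.example", "dave@corp.example"]),
    ("bob@corp.example", ["erin@corp.example"]),            # already disabled
    ("alice@corp.example", ["dave@corp.example"]),
]

if __name__ == "__main__":
    gate = HoneypotGate(HONEYPOTS)
    for sender, verdict in replay(gate, SAMPLE_LOG):
        print(sender, verdict)
    print(gate.alerts)
```

The gate only sees mail submitted through the server; a worm that carries its own SMTP engine, as described earlier in the thread, is covered only if outbound port 25 from workstations is restricted to the mail server.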

  26. Re:Elitism by shaitand · · Score: 2, Insightful

    That's the difference though. Yes you have permission to access your own files on a *nix system (at least a personal *nix system, in many cases I don't give users permissions to modify their home directory). But you cannot execute a file without knowing you're executing it. On windows an uninformed user can execute a program without knowing the consequences and without knowing the difference between the executable and other types of files. On a *nix system these concepts are handled in such a way that there is a clear distinction.

    The user who doesn't know the difference wouldn't be able to figure out HOW to execute it.

  27. Re:Thank you Spamassassin by rjamestaylor · · Score: 3, Insightful
    • most of these would be surprising to me to find in an email.
      • DO* Word Documents and Templates
      • URL Internet Shortcut (Uniform Resource Locator)
      • POT PowerPoint Templates
      • PPT PowerPoint Files
      • XL* Excel Files and Templates
    Yeah, who'd ever expect to receive one of those as an attachment?
    --
    -- @rjamestaylor on Ello