Slashdot Mirror


Microsoft Virus Spam: SoBig.F

If you're being barraged with Microsoft virus spam emails today, this story notes that it's a flare-up of an older Microsoft virus in a new, improved form. Yay for trustworthy computing.

27 of 557 comments

  1. Small Norway with largest outbreak by joeykiller · · Score: 5, Interesting

    Here in Norway it seems as if "everyone" has got SoBig.F or is getting annoyed with fake emails from someone who has it.

    This virus is just a little variation of an older virus, but it differed enough from the older iterations that anti-virus software didn't detect it.

    The virus provider Norman reckons that a big organization in Norway was hit early and that this caused the big numbers here: Norway accounts for 36% of the outbreaks of this virus in the world, which is exceptional when you know that only 4 million people live here.

    1. Re:Small Norway with largest outbreak by Arker · · Score: 2, Interesting

      I would, but I don't own them. Good news is the guy that does gives them away for free. He'll give you extra goodies if you pay.

      Bad news is, MS has been putting more and more effort into making his work impossible, so his release schedule definitely hasn't kept pace with theirs. So if you're running XP, or 2000 with current SPs applied, you'll have to pay even for a beta. The older version works great with 98, ME, or 2k if you are careful not to apply the wrong SP. Since ME sucks, my one remaining Windows box is on 98, using the explorer.exe from 95. It's not *nix stable, by any means, but it runs all the games and stuff, is stable enough (2 weeks+ uptimes on a regular basis) and runs lightning fast on hardware that was 'older' when I bought it... anyway I'm happy with it.

      Enough jawboning, here's the link you're looking for.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    2. Re:Small Norway with largest outbreak by Arker · · Score: 2, Interesting

      Surely there is something to what you say, but I would take it with a grain of salt.

      So far I've gotten, I think, 15 copies of the virus and 2 messages letting me know it spoofed me and the attachment was refused.

      On the other hand I get a lot of spam. A lot. Very likely because several of my addresses are relatively old. It's gotten to the point where I only bother to report the ones that slip through my filter, and I still send around 10 reports a day.

      I have no moral compunction about killing spammers. Torturing them to death in front of their children would be a service to the children, and to humanity.

      I'm only half joking.

      I've gotten a few dozen spamvertised websites removed in my career as a part-time BOFH, and my only regret is that the number isn't a lot higher.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    3. Re:Small Norway with largest outbreak by Zocalo · · Score: 3, Interesting

      Not for long I suspect! I've received over thirty from an IP block allocated to NASA in the last three hours, and a friend has just emailed to say he's had over two hundred from the same IP block, with over a thousand total. However, the email addresses from the NASA IPs do have a *lot* of .no domains in the email addresses. Hmmm. Maybe the "big organization in Norway" is a NASA observatory or something, it doesn't have to be a native Norwegian company after all...

      --
      UNIX? They're not even circumcised! Savages!
  2. Got hammered... by Vexler · · Score: 5, Interesting

    We certainly got hammered for a good part of today from a university down south who shall remain anonymous. Contacted their IT/infrastructure department and was told that one of their mail servers got used as a relay, and nobody found out about it until a few hours ago. If I were them I would have shut down their MTA and flushed the queue a long time ago, but that's just me...

  3. Editors need to be more honest. by mr_luc · · Score: 4, Interesting

    Look. I hate Microsoft, too.

    But what the fudge does this have to do with trustworthy computing? It's just another email worm, and it relies heavily on user stupidity, much more so than the msblaster worm.

    Let's be honest: Microsoft is an evil company, that forces an evil product on people, and some of us are going to cheer when Microsoft gets hurt and people get nudged towards other operating systems -- whether it's Microsoft's fault, or not.

    Could you just have written "Hey, anything that discourages Windows use!" after the story? I mean, Christ, that's exactly what probably a good 90% of people here are thinking when they read these stories.

  4. This one will probably spread real fast by Judg3 · · Score: 5, Interesting

    I just received one of these today from webmaster@match.com. But I received it on my Hotmail account.

    And seeing how Hotmail proudly proclaims on every message:
    "Notice: Attachments are automatically scanned for viruses using McAfee Security"
    we'll be getting a lot of Hotmail users opening it to take a peek.

    --
    Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
  5. It's a worm - blame the users! by ClubStew · · Score: 3, Interesting

    Let's not forget that this is a worm. It requires that a user launch the executable so it can infect the system. Let's also not forget that many users are using non-NOSs such as Windows Me (I'll admit that was a big mistake, however). Users that receive this worm must actually execute it and, since there is no concept of "administrator" on many flavors of Windows (or perhaps the user is the only user of, say, WinXP and is in the Administrators group), the worm can do whatever it wants - the user did, after all, execute it as an administrator.

    The point is - it's the user's fault! Not Microsoft's. Something like this could just as easily happen on a *nix box if the user has sufficient privileges.

    Several of the users at work on the network I manage have gotten such worms before, but because they didn't have sufficient privileges, the worms were ineffective. In most of those cases, the virus scanner picked it up anyway.

    So, if the user doesn't have sufficient privileges, some worms don't work. Sure, this one would because it runs in userland, but the user still executed it! Besides, they should have a virus scanner anyway. Again - it's their fault.

    When it comes down to it, a worm such as this (a trojan horse) requires a stupid user to execute it - so blame the user for once.

  6. Virus notifications are worse by RedHat+Rocky · · Score: 5, Interesting

    I'm not seeing very many messages with SOBIG, as they get filtered at the mail server.

    However, the large number of "Your message to xyz@zyx.com contained a virus" is filling my mail spool faster than any spammer. Seems one of my email addresses is a popular one to spoof.

    CALL TO ADMINS: Please turn off viral notifications to outside addresses. These days most of the envelope addresses are spoofed; you're not doing any good leaving the notification in place.

    And I thought joe-jobbing was bad.

    --
    Anything is possible given time and money.
    1. Re:Virus notifications are worse by damnnicks · · Score: 2, Interesting

      While I tend to assume that the administrators for the sites sending me incorrect "you are infected" messages are not very good at their job, I actually appreciate being told which IPs are forging my domain.

      That way I can at least report the infection to the correct abuse address - I've found that ISPs take virus complaints a lot more seriously than SPAM complaints.

      The end result is less virii ending up in my mailbox (those people know me too), and less damage to my company's reputation.

  7. this one's quick... by bob@dB.org · · Score: 3, Interesting

    I'm one of the moderators of the Personal Telco Project mailing list (the list is open to subscribers; non-subscriber posts are verified to limit spam/virus distribution). When I got up this morning (about 13:00 GMT) the moderation queue had 37 infected messages. It also seems to have knocked my ISP's (online.no) mail server over for large parts of the day. I didn't manage to get any mail out that way until this evening.

  8. huge outbreak here by skt · · Score: 4, Interesting

    There has been a very large outbreak here, inside the firewall, this morning. This is probably the largest that I can remember; since we do not use Outlook/Outlook Express we seem to dodge the big ones. I didn't even think this looked that bad at first glance, as it doesn't really try to exploit any security holes to infect the machine. What got us was that the virus scanners were just old enough not to catch this until it was too late. All it really took was one or two people opening the attachment. The new engine didn't get pushed until at least an hour after the first internal case was discovered. By then, though, it had spread so quickly that many other hosts had been infected.

  9. Feh. by American+AC+in+Paris · · Score: 4, Interesting
    I've got a bunch of un-munged addresses floating out there (a lot of my visitors aren't all that tech savvy) all pointing to one box. It's been hitting me since about 8:00 AM EST.

    Fortunately, I use Mail.app, so I can still check my mail with impunity.

    There's a spam/address verification message I saw the other day that was pretty clever, though. Some spammers sent a reasonably official-looking letter with Citibank headers, layout, and images telling people to click a link to view and accept a new ToS, or their checking account would be suspended. The link looked something like this:

    http://www.citibank.com:A78F...(random hex crap)...A812@127.0.0.1/cgi-bin/c.pl?user=youraddress@yourserver.com

    So they were logging you in as user www.citibank.com to server 127.0.0.1 (changed, obviously) and sending your email address to a verification script. Damn clever.

    --
    Obliteracy: Words with explosions

  10. Re:Thank you Spamassassin by vrone · · Score: 5, Interesting

    I wish Mozilla Mail had some setting for this too. Its statistical filtering is great after it's been trained, but it did me no good this morning. By the time I got to work, my inbox had over 5000 new messages. Sure, it's trained now, but I spent over an hour this morning deleting them since I didn't want to delete legit mail too.

    So how did I get 5000 new messages? I know I'm not in the address books of that many people who got infected, so this one must be doing dictionary addressing as well as address book addressing. Since my email address is of the format [first initial][lastname]@[a large company].com, and my last name is very common, I got pummelled. Maybe I should switch to a more obscure address. :)

  11. Bug? by Zog+The+Undeniable · · Score: 5, Interesting
    Shouldn't we have a new /. icon for viruses? They're not bugs, because they generally - Blaster DoS URL cock-up notwithstanding - do exactly what they're supposed to.

    OTOH, we could replace the Bill-as-Stephen-Hawking with the bug icon, and no-one would care ;-)

    --
    When I am king, you will be first against the wall.
  12. Re:Interesting Thing about Sobig... by joeykiller · · Score: 2, Interesting

    Just wondering... Why are viruses programmed to deactivate?

  13. Re:Interesting Thing about Sobig... by Jucius+Maximus · · Score: 5, Interesting
    "Just wondering... Why are viruses programmed to deactivate?"

    Built in obsolescence? Maybe the writer always wants you to have the latest version or something. This also reminds me of the recent musings of a software company we love to hate ;-)

  14. How about Trustworthy System Administration? by FilthPig · · Score: 4, Interesting

    Alright Michael! Way to blame MS for a user issue.

    Seriously, there are competent NT admins in the world.

    This should be a no-brainer, but if you run MS systems and you often have problems with worms or virii:

    1. Keep your virus definitions current. This goes double for any laptop users with broadband at home.
    2. More often than not, MS has already released a patch for a security hole before a worm or virus hits. Keep your systems up to date! Again, this goes double for laptop users with broadband.
    3. If you're behind a firewall, and you really should be, only allow outgoing SMTP from your mail server (this keeps the worm from spreading FROM your organization).
    4. If you think you don't have time to do these things, make time. You'll waste a lot more time putting out fires than you will doing some fireproofing.

    --
    We eat the pig and then together we BURN!!!
  15. I Use NAV For Gateways by opiatepipedream · · Score: 2, Interesting

    NAV for Gateways is an excellent program; if you set it up as your external mail relay it will scan and filter all e-mails before you shoot them through your firewall. Then, per your specifications, you can have the relay delete the attachments or the whole e-mail. You can also use it for file extension filtration. I've found the best setup to be one internal and one external, to pass all of your e-mail traffic through the firewall. It works well in high-traffic situations too; my organization has about 9000 users passing tens of thousands of e-mails daily. Anyway, just my two cents.

  16. Outlook is actually the answer by lseltzer · · Score: 3, Interesting

    I'm sure most people here assume the opposite, but Outlook 2002 and 98/2000 with the security update applied are completely immune to this attack. They automatically strip executable attachments. Very recent Outlook Express versions also do this, although I'm not sure this is the default setting.

    Think about how long it's been since there has been a large Outlook attack. It's been at least a couple of years. This tells me that the people spreading Sobig not only have no antivirus protection, they're using ancient and unpatched software.
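Comments 15 and 16 above both describe the same defence: dropping executable attachments by extension, at the gateway relay or in the mail client. This added example (not code from the thread, NAV or Outlook) parses a MIME message with Python's standard library, lists attachments whose final extension is on a blocklist, and rebuilds the message without them. The sample message, its sender and attachment names are constructed; the blocklist is an assumption that includes .pif, the extension the thread discusses.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist: extensions a relay should never pass through. .pif is
# the one this thread talks about; the rest are common executable types.
BLOCKED_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message():
    """Constructed worm-style mail: spoofed sender, one .pif, one PDF."""
    msg = EmailMessage()
    msg["From"] = "webmaster@example.com"     # spoofed, as in the thread
    msg["To"] = "you@example.net"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                       subtype="octet-stream", filename="your_details.pif")
    msg.add_attachment(b"%PDF-1.4 (constructed)", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def _is_blocked(part):
    """Check the final suffix so 'invoice.doc.PIF' is caught as well."""
    name = (part.get_filename() or "").lower()
    return part.is_attachment() and PurePosixPath(name).suffix in BLOCKED_EXT


def blocked_attachments(raw):
    """Return the filenames of attachments that the blocklist would drop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if _is_blocked(p)]


def strip_blocked(raw):
    """Return (cleaned_bytes, removed_names) with blocked parts removed;
    non-multipart messages have no attachments and pass through unchanged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if msg.is_multipart():
        keep = []
        for part in msg.iter_parts():
            if _is_blocked(part):
                removed.append(part.get_filename())
            else:
                keep.append(part)
        msg.set_payload(keep)          # rebuild the multipart body
    return msg.as_bytes(), removed


if __name__ == "__main__":
    raw = build_sample_message()
    print("blocked:", blocked_attachments(raw))
    cleaned, removed = strip_blocked(raw)
    print("removed:", removed, "remaining:", blocked_attachments(cleaned))
```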

  17. Thunderbird works perfectly for me by rokzy · · Score: 2, Interesting

    I'm using Thunderbird. I didn't need to train it or make any rules or anything. It's automatically taking care of lots of "mail contained virus" notifications.

    I tried SpamBayes a few days ago. I had to wait to build up a database of good and junk mail, and then it made a false-positive with a university email even though I'd trained it with several uni emails.

    Conclusion: Thunderbird is absolutely amazing. I'm going to recommend it to friends.

    Plus, having Firebird and Thunderbird icons in quick launch looks much better than IE and OE.

  18. Re:Unix History by gujo-odori · · Score: 3, Interesting

    Umm, no.

    1) BSD predates any 32-bit version of Windows; how do you think BSD code wound up in the first version of Windows NT?

    2) Microsoft had a UNIX license and sold its own proprietary version (Xenix) way before it embarked on any Windows project. Yes, before any Windows project, including the original Windows which ran on XT and AT-class PCs and was followed by Windows 286 and Windows 386.

    3) At that time, people who had never seen a line of Unix source were nevertheless writing code that was at least as secure as Unix and possibly more so, for a variety of platforms. Seeing Unix code is not a prerequisite to writing good code. The security problems that plague Windows mostly result from architectural decisions made by Microsoft, combined with (in some cases) poor coding practices and the inevitable slips that tend to happen in a code base that is both huge and not peer-reviewed.

  19. Re:1 every 10 seconds? by Doom+Ihl'+Varia · · Score: 2, Interesting

    Pif files are shortcuts to DOS executables, as opposed to the Lnk files used for shortcuts to Win32 executables in Windows. The only instance you would ever receive one is if somebody wanted to send you the tweaked settings to get a certain DOS program to work. Pif files have a bunch of settings such as what memory manager Windows should fake and what quantity of memory that. It can also change the look of the terminal the program runs in and disable shortcut keys and screensavers while the program is running. So.... When do I get my free beer? Oh, any of your users? Rats.

  20. Re:Ever get one of these... by cgreuter · · Score: 2, Interesting

    These same people decide when their PC is two years old that it's just "too screwed up" and go buy a brand-spanking-new one with the same flaws, which they will proceed to bugger up in a month and a half.

    Don't complain. Buy their old computers for twenty bucks each, then sell them to other such people as "reconditioned" systems for a couple of hundred (plus the old system as a trade-in.)

    I mean, if these people are going to throw their money away, they may as well send some of it your way.

    As an aside, a nearby computer store was, sometime back, charging CDN$50 a pop for virus removal.

    Really.

  21. Turn off the viral notifications. by Anonymous Coward · · Score: 1, Interesting

    Yes, please turn them off. For some reason my address is often spoofed. The "your message contained a virus" stuff is a waste of bandwidth.

    Nothing to add, only to say I agree. Let's keep repeating this and it might just happen ...

  22. Re:You miss the point. by ratfynk · · Score: 2, Interesting
    Yes, by delineating a protected mode from an install mode, and making surfing the web and using e-mail just that. Any web content that pops something up with "you need to install this to view, hear or save content" should be treated with contempt, and the .NET web authors and software writers should be shot. Why does MS not include a pdf reader? Because they are trying to .NET screw them! That last worm was ridiculous and a direct result of the windows UI .NET stupidity! Any kind of .exe file should not be allowed to run instantly if it addresses the registry and the windows core sys directories without authorisation, and hides itself.

    These rules could easily be incorporated into the Windows OS but are not, because MS is counting on Communist-style computing with the future processor-encoded web content controls! This will effectively be used to screw the Adobe Acrobat web content system and create a non-competitive web content creation advantage. Morons in businesses that post nothing but MS-encoded file formats to the web will rule the day permanently. All web content will eventually only be accessible and usable through the MS OS, completely defeating the real value of the net, unless you use Windows. That is the .NET strategy; just go to the MS web site and look at the hype and you will catch on.

    --
    OH THE SHAME I fell off the wagon and use sigs again!
  23. Re:irony. by Mr_Silver · · Score: 2, Interesting
    No one is immune to Microsoft pollution.

    The people actually causing the pollution are those that blindly open attachments without understanding what they are.

    Had you not used the words "Microsoft pollution" and used say, "the problems that Microsoft caused in trying to make PC's easy to use" then you'd have come across less like a raging anti-MS zealot and I'd have given you a mod point.

    However, Slashdot is full of people who blindly mod up anti-MS posts however incorrect, so you can count on them for your +5.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.