Microsoft Virus Spam: SoBig.F
If you're being barraged with Microsoft virus spam emails today, this story notes that it's a flare-up of an older Microsoft virus in a new, improved form. Yay for trustworthy computing.
If you set your score for MICROSOFT_EXECUTABLE high enough, and these emails with their .pif attachments get sent right to /dev/null
I want to delete my account but Slashdot doesn't allow it.
'nuff said.
Just read about about it on the BBC
Here in Norway it seems as if "everyone" has got SoBig.F or is getting annoyed with fake emails from someone who has it.
This virus is just a little variation of an older virus, but it differed enough from the older iterations that anti-virus software didn't detect it.
The anti-virus vendor Norman reckons that a big organization in Norway was hit early and that this caused the big numbers here: Norway accounts for 36% of the outbreaks of this virus in the world, which is exceptional when you know that only 4 million people live here.
http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.html
NO MORE GOODTIMES!
There's a new virus that will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer. It will recalibrate your refrigerator's coolness setting so all your ice cream goes melty. It will demagnetize the strips on all your credit cards, screw up the tracking on your television and use subspace field harmonics to scratch any CD's you try to play.
It will give your ex-girl or boyfriend your new phone number. It will mix Kool-aid into your fishtank. It will drink all your wine and leave its socks out on the coffee table when there's company coming over. It will put a dead squirrel in the back pocket of your good pants and hide your car keys when you are late for work.
Goodtimes will make you fall in love with a penguin. It will give you nightmares about circus midgets. It will pour sugar in your gas tank and shave off both your eyebrows while dating your girl or boyfriend behind your back and billing the dinner and hotel room to your Discover card.
It will seduce your grandmother. It does not matter if she is dead; such is the power of Goodtimes. It reaches out beyond the grave to sully those things we hold most dear.
It moves your car randomly around parking lots so you can't find it. It will kick your dog. It will leave libidinous messages on your boss's voice mail in your voice! It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve.
Goodtimes will give you Dutch Elm disease. It will leave the toilet seat up. It will make a batch of Methamphetamine in your bathtub and then leave bacon cooking on the stove while it goes out to chase gradeschoolers with your new snowblower.
Goodtimes will prompt your mother to call on Friday and Saturday nights for two months after you make a new girlfriend/boyfriend. It will place your wallet and keys on an obscure shelf in the basement. It will emulate your face and stare into the neighbor's bathroom window.
Goodtimes has been linked to cancer in laboratory mice. 9 out of 10 dentists recommend Goodtimes.
Goodtimes will make your bloomers shrink two sizes, and it will make you gain 15 pounds. If this results in a wedgie, then Goodtimes will leave a nasty skid mark.
Buy Steampunk Clothing Online!
... there's an ad for MS Small Business Server 2003 at the top of the article.
It's like advertizing space on a blue screen.
This space for rent.
This thing is slamming my mail server. Some of them get stripped of the virus by the time they hit my machine, but having to deal w/ several hundred 100K messages an hour is slowing my machine down.
I should have mentioned this in my last post... if you've got the SoBig.F virus, FSecure has posted a free fix here.
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.e
We certainly got hammered for a good part of today from a university down south who shall remain anonymous. Contacted their IT/infrastructure department and was told that one of their mail servers got used as a relay, and nobody found out about it until a few hours ago. If I were them I would have shut down their MTA and flushed the queue a long time ago, but that's just me...
Look. I hate Microsoft, too.
But what the fudge does this have to do with trustworthy computing? It's just another email worm, and it relies heavily on user stupidity, much more so than the msblaster worm.
Let's be honest: Microsoft is an evil company, that forces an evil product on people, and some of us are going to cheer when Microsoft gets hurt and people get nudged towards other operating systems -- whether it's Microsoft's fault, or not.
Could you just have written "Hey, anything that discourages Windows use!" after the story? I mean, christ, that's exactly what probably a good 90% of people here are thinking when they read these stories.
into the worm see the network associates
Also: I remember a worm (maybe a year and a half ago) which ran directly through Outlook (by simply activating an email, without opening the file). Does anyone remember this? If so, please refresh my memory. Thanks.
"this is the gloaming"
radiohead
This is the first time that I've really been bothered by a Windows worm or virus. All servers here are FreeBSD and OS X, and everyone's primary workstation (41 employees) is running OS X 10.2.6 or OS 9.2.2.
/.
I used to laugh when all the M$ weenies had problems... but now it's a real problem when I get users here going bonkers about 50 e-mails from 20 people... and me having to go around blocking mail servers...
Here are some other articles around about it:
C-Net
BBC
Okay, I'm done ranting. Thanks
My name is Aaron Landry, and I approve this message.
I just received one of these today from webmaster@match.com. But I received it on my Hotmail account.
And seeing how Hotmail proudly proclaims on every message:
"Notice: Attachments are automatically scanned for viruses using McAfee Security"
we'll be getting a lot of Hotmail users opening it to take a peek.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
Let's not forget that this is a worm. It requires that a user launches the executable so it can infect the system. Let's also not forget that many users are using non-NOS's such as Windows Me (I'll admit that was a big mistake, however). Users that receive this worm must actually execute it and, since there is no concept of "administrator" on many flavors of Windows (or perhaps the users are the only user of, say, WinXP and are in the Administrators group), the worm can do whatever it wants - the user did, after all, execute it as an administrator.
The point is - it's the user's fault! Not Microsoft's. Something like this could just as easily happen on a *nix box if the user has sufficient privileges.
Several of the users at work on the network I manage have gotten such worms before, but because they didn't have sufficient privileges, the worms were ineffective. In most of those cases, the virus scanner picked it up anyway.
So, if the user doesn't have sufficient privileges, some worms don't work. Sure, this one would because it runs in userland, but the user still executed it! Besides, they should have a virus scanner anyway. Again - it's their fault.
When it comes down to it, a worm such as this (trojan horse) requires a stupid user to execute it - so blame the user for once.
I'm not seeing very many messages with SOBIG, as them get filtered at the mail server.
However, the large number of "Your message to xyz@zyx.com contained a virus" is filling my mail spool faster than any spammer. Seems one of my email addresses is a popular one to spoof.
CALL TO ADMINS: Please turn off viral notifications to outside addresses. These days most of the envelope addresses are spoofed, you're not doing any good leaving the notification in place.
And I thought joe-jobbing was bad.
Anything is possible given time and money.
I'm one of the moderators of the Personal Telco Project mailing list (the list is open to subscribers; non-subscriber posts are verified to limit spam/virus distribution). When I got up this morning (about 13:00 GMT) the moderation queue had 37 infected messages. It also seems to have knocked my ISP's (online.no) mail server over for large parts of the day. I didn't manage to get any mail out that way until this evening.
There has been a very large outbreak here, inside the firewall, this morning. This is probably the largest that I can remember; since we do not use Outlook/Outlook Express we seem to dodge the big ones. I didn't even think this looked that bad at first glance; it doesn't really try to exploit any security holes to infect the machine. What got us was that the virus scanners were just old enough not to catch this until it was too late. All it really took was one or two people opening the attachment. The new engine didn't get pushed until at least an hour after the first internal case was discovered. By then, though, it had spread so quickly that many other hosts had been infected.
I work for a small private university in the Midwest as a student helpdesk consultant. Our phones are ringing off the hook as faculty, staff, and students are getting upwards of 30 emails every few minutes of this worm. We're trying to contain it here, but of course people are always eager to open up email attachments from anyone they know... even if the filetype is unknown and there is no actual personal information in the email. Oh, the stupidity.
Fortunately, I use Mail.app, so I can still check my mail with impunity.
There's a spam/address verification message I saw the other day that was pretty clever, though. Some spammers sent a reasonably official-looking letter with Citibank headers, layout, and images telling people to click a link to view and accept a new ToS, or their checking account would be suspended. The link looked something like this:
http://www.citibank.com:A78F...(random hex crap)...A812@127.0.0.1/cgi-bin/c.pl?user=youraddress@yourserver.com
So they were logging you in as user www.citibank.com to server 127.0.0.1 (changed, obviously) and sending your email address to a verification script. Damn clever.
Obliteracy: Words with explosions
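The userinfo trick in the post above (everything before the "@" is a login name, the real host is what follows it) can be checked mechanically. The following is an added example, not code from the original post; the sample URL is a constructed stand-in with placeholder hex and the loopback address, as in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the link quoted above. The hex string and the
# loopback host are placeholders, not values taken from a real phishing message.
SAMPLE_URL = ("http://www.citibank.com:A78F0123DEADBEEFA812@127.0.0.1"
              "/cgi-bin/c.pl?user=youraddress@yourserver.com")


def real_host(url):
    """Host the browser actually connects to: the part after the '@'."""
    return urlsplit(url).hostname or ""


def displayed_name(url):
    """The 'user' portion that an inattentive reader takes for the site name."""
    return urlsplit(url).username or ""


def looks_spoofed(url):
    """Flag URLs whose userinfo is shaped like a hostname (contains a dot).

    Real userinfo in web links is rare and almost never dotted; a dotted
    login name sitting in front of a different host is exactly the pattern
    the post describes.
    """
    user = displayed_name(url)
    return "." in user and user.lower() != real_host(url).lower()


def tracked_address(url):
    """Email address the link carries back to the sender (address verification)."""
    query = parse_qs(urlsplit(url).query)
    return (query.get("user") or [""])[0]


def analyse(url):
    """Summary a mail filter or a curious user could log for a suspicious link."""
    return {
        "displayed": displayed_name(url),
        "actual_host": real_host(url),
        "tracked": tracked_address(url),
        "spoofed": looks_spoofed(url),
    }
```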
I have one machine I leave outside the firewall and never patch to serve as a virus cesspit! I've got quite a little ecosystem going on there!
I'm interested to see if is updated to include info on -f. the -e article was a good eye-opener.
In Soviet Russia...michael would be rotting in Siberia!
OTOH, we could replace the Bill-as-Stephen-Hawking with the bug icon, and no-one would care ;-)
When I am king, you will be first against the wall.
Your admins aren't worth the money they're being paid...
they should be pushing the updates out to your machines overnight using SUS [http://www.susserver.com/]
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
I know this is anti-Microsoft land but I have been searching all morning and have found nothing, so I'll ask you.
Is there any free software that will filter attachments in Exchange 5.5 and let me block emails with attachments such as *.vbs, *.pif and so on? I have not had much luck finding out how to do this without buying Norton or some other such thing and I can't afford to do that right now.
I know I could set up a relay / filtering box in front of it, but I don't have the time or resources to do that today and this latest virus outbreak is driving me nuts.
My company requires me to run an Exchange server, mainly because our execs love Outlook and the calendaring features. I have to run Exchange. I can't change it. I would love to run something else but I can't. Please don't suggest I do.
Thanks for any helpful answers you have.
Maybe you're the guy contributing the crappy code, seeing you type like your fingers are wrapped in chicken wire.
Sobig.B appeared on 2003 May 19 and was programmed to deactivate on May 31.
Sobig.C appeared on 2003 June 01 and was programmed to deactivate on June 08.
Sobig.D appeared on 2003 June 18 and was programmed to deactivate on July 02.
Sobig.E appeared on 2003 June 09 and was programmed to deactivate on July 14.
Sobig.F appeared on 2003 Aug 19 and was programmed to deactivate on Sept 10.
It seems like the Sobig release schedule is more consistent and on-time than ... well ... the software release schedules of a major company we love to hate ;-)
How does a virus with the name "SoBig" spread???
;)
Maybe I have a dirty mind, but I gotta think that most Spam filters would catch that one.
I find it funny that once again a virus is being blamed on Microsoft. The only way to spread this is to open the attachment and run it. How is Microsoft supposed to stop people from opening attachments? If you use MS Outlook you are actually immune to this virus, as Outlook blocks most executable attachments. Please explain to me why a user running a file (which then opens its own SMTP server and emails itself to people) is Microsoft's fault? This same thing could happen on Linux; there is nothing stopping a Linux user from running a file attachment. This isn't an MS problem, it is a user education problem.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Alright Michael! Way to blame MS for a user issue.
Seriously, there are competent NT admins in the world.
This should be a no-brainer, but if you run MS systems and you often have problems with worms or virii:
1. Keep your virus definitions current. This goes double for any laptop users with broadband at home.
2. More often than not, MS has already released a patch for a security hole before a worm or virus hits. Keep your systems up to date! Again, this goes double for laptop users with broadband.
3. If you're behind a firewall, and you really should be, only allow outgoing SMTP from your mail server (this keeps the worm from spreading FROM your organization).
4. If you think you don't have time to do these things, make time. You'll waste a lot more time putting out fires than you will doing some fireproofing.
We eat the pig and then together we BURN!!!
I'm sorry, that didn't make any sense at all. Could you please replace your keyboard with one that has periods and commas on it?
I got 436 hits this morning in 2 hrs for my company's email (~500 employees). I already had *.pif files blocked (I'll give any of my users a free beer if they could even tell me what a *.pif file was used for, let alone why they should be receiving one). In 2 hrs a dial-up ISP in California, the University of New Hampshire, the Indiana University of Pennsylvania, Piglet.DisneyOnline.com, a Verizon DSL node, and an Adelphia cable modem node had all been shut down and cleaned. As soon as I recognized what was coming in, I traced the source IPs, called the contacts, and talked to their IT people. With the exception of Disney, all were quite co-operative, had their machines down within minutes of notification, and back up after cleaning the virus.
... 'tart'
The nature of these Sobig virii/viruses is that they repeatedly hit the same addresses. Take a few seconds, look at the header, get the IP, look up the DNS, get the contact name, call and explain, and you'll save yourself (and countless others) a lot of unnecessary hell.
-Ab
ps. that also explains why some of my posts this morning were a little bit
Nothing fails quite like prayer.
I just got a bounce message (with the e-mail below attached) from an automated domain mail admin because it believed I was the sender of a so.big payload (to a user who has a full e-mailbox).
I don't use windows, so it's not coming from any of my boxes.
Here's the header and body text:
-----
Received: from HP ([141.154.241.155]) by mta02.mail.mel.aone.net.au
        with ESMTP
        id [20030819180952.SWCW5855.mta02.mail.mel.aone.net.au@HP]
        for [removed for /. post]; Wed, 20 Aug 2003 04:09:52 +1000
From: [removed for /. post -- it was my valid email address]
To: [likewise removed]
Subject: Re: That movie
Date: Tue, 19 Aug 2003 14:10:02 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="_NextPart_000_00FA8C46"
Message-Id:
This is a multipart message in MIME format
--_NextPart_000_00FA8C46
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Please see the attached file for details.
--_NextPart_000_00FA8C46
Content-Type: application/octet-stream;
        name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="your_document.pif"
-----
The your_document.pif was a binary of about 100k.
The best way to do is to be.
Here is HouseCall - Their online free virus scanner.
Anyone without an antivirus program seriously needs to get one:
McAfee
Symantec (Norton)
Trend Micro
Just to name a few...
"No I don't."
Because of course they're running anti-virus software. And of course the definitions have never ever been updated.
These same people decide when their PC is two years old that it's just "too screwed up" and go buy a brand-spanking-new one with the same flaws, which they will proceed to bugger up in a month and a half.
I wouldn't last a week in tech support.
NAV for Gateways is an excellent program. If you set it up as your external mail relay it will scan and filter all e-mails before you shoot them through your firewall. Then, per your specifications, you can have the relay delete the attachments or the whole e-mail. You can also use it for file extension filtering. I've found the best setup to be one internal and one external, to pass all of your e-mail traffic through the firewall. It works well in high traffic situations too; my organization has about 9000 users passing tens of thousands of e-mails daily. Anyway, just my two cents.
I don't get any of the viruses thanks to SpamAssassin and whatever else our fine Admins have put on the mailserver, but what I do end up getting is about 200 autoreplies from dumb MTAs who believe I have sent them a virus when in fact it's the virus/worm/whatever spoofing itself off as me.
Despite the fact that I didn't actually send a virus-infected email from mta3.someserver.pl to a nonexistent address, I still get the helpful autoreply that tells me that the user at that nonexistent address does indeed not exist.
...that just because you're not using Outlook or Outlook Express, you still may be vulnerable to worms or email viruses?
All it takes is one user to click the attachment who has an LDAP-enabled address book of the entire company, and poof! you're screwed.
The only sensible way to kill these worms is to block them at the mail server. If you block them at the mail server, you don't have to try to train people or keep hundreds of anti-virus clients up-to-date. Do yourself a favor and set up XWall if you have Exchange (this is about the coolest spam-blocker/email filter program I have ever used, BTW) or SpamAssassin/MailScanner if you have Linux/UNIX. This will save you a ton of headaches in the future, and won't require you to worry about hundreds of clients being up-to-date as much as focusing on whether a few email servers are up-to-date. (Block the standard Microsoft "bad executable" list and you should be fine.)
Seriously, in the year 2003, there's no excuse for "But my 400 clients weren't up-to-date!" Block these things at the server, which is something you as the network administrator should have complete control over, and which is where the worms should have been blocked to begin with.
Simpli - Your source for San Jose dedicated servers and colocation!
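The server-side attachment block the post above recommends amounts to walking the MIME parts and rejecting any declared filename whose extension is on a deny list. The following is an added example, not the poster's or XWall's code; the extension set and the sample message (built to mirror the SoBig.F headers quoted earlier on this page) are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension deny list. This particular set is an assumption standing in for the
# Microsoft "unsafe attachment" list the post refers to; extend it to taste.
BLOCKED_EXTENSIONS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js", "lnk"}


def attachment_names(raw):
    """Filenames of every non-multipart part that declares one.

    get_filename() consults both Content-Disposition filename= and the
    Content-Type name= parameter, which matters because the SoBig sample
    quoted on this page sets both.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def extension(name):
    """Last extension, lowercased; 'report.txt.pif' and 'x.pif.' both yield 'pif'."""
    name = name.strip().rstrip(".")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def blocked_attachments(raw, blocked=BLOCKED_EXTENSIONS):
    """Attachment names that would get this message rejected at the relay."""
    return [n for n in attachment_names(raw) if extension(n) in blocked]


def verdict(raw, blocked=BLOCKED_EXTENSIONS):
    """('reject', offending names) or ('accept', [])."""
    hits = blocked_attachments(raw, blocked)
    return ("reject", hits) if hits else ("accept", [])


def build_sample(filename="your_document.pif"):
    """Constructed message mirroring the SoBig.F headers quoted on this page."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: That movie"
    msg.set_content("Please see the attached file for details.")
    # Payload is a dummy 'MZ' marker plus zero bytes, not a real executable.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```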
And in other news... Microsoft announced today that, thanks to a Bill Gates Declaration From On High (tm), every line of code in every Microsoft product, dating back to the company's foundation, has magically, spontaneously, and retroactively fixed itself. This has rendered all of Microsoft's code absolutely secure and error-free. And thanks to the mystical nature of these fixes, end users and sysadmins don't have to patch their systems!
Grow up, Michael.
This sig intentionally left blank.
I'm sure most people here assume the opposite, but Outlook 2002 and 98/2000 with the security update applied are completely immune to this attack. They automatically strip executable attachments. Very recent Outlook Express versions also do this, although I'm not sure this is the default setting.
Think about how long it's been since there has been a large Outlook attack. It's been at least a couple of years. This tells me that the people spreading Sobig not only have no antivirus protection, they're using ancient and unpatched software.
I've gotten 320 infected messages today. I'm actually going to be looking forward to getting back to generic viagra ads in a couple of days when this dies down.
The Glass is Too Big: My Take on Things
Yay for trustworthy computing.
MS jokes aren't innovative, but can still be fun, but not as fun if they aren't trying to relate to the truth very much. Read up about trustworthy computing and learn how it is a process that has barely taken off today, but is an effort that will show up more in Longhorn, etc. DRM and NGSCB are two technologies that have a lot to do with trustworthy computing that aren't even implemented in today's versions of Windows.
At 2002, MS said:
"It may take us ten to 15 years to get there, both as an industry and as a society."
Trustworthy computing is in many ways only at the concept stage this far.
Sure, one might wonder what's making them think it will take a time period as long as an outrageous 15 years to get these things straight and one might think DRM is Bill Gates' worst idea ever, but then one should comment about this instead. This may seem that I'm defending Microsoft, although I'm in this case just being annoyed by a joke I've seen numerous times before, and that must have been made up by some uninformed person.
Beware: In C++, your friends can see your privates!
It's an executable that requires someone to run it. People need to learn to stop clicking on every damn executable they get in their email. Hell, Outlook even displays a warning that attachments can contain virii or have malicious intent, but people still click on them.
Have you ever been to a turkish prison?
Here is a decent procmail rule, probably not perfect.
# Outer recipe: only bother with messages in the SoBig size window that are
# multipart/mixed; everything else falls through untouched.
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
  # Inner recipe: B = match against the body, h = hand the header to the
  # filter, f = filter (headers are rewritten in place), i = ignore write errors.
  :0 B hfi
  * ^Please see the attached zip file for details.
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
  * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|document_Fa|thank|screensaver|movie)[0-9]*\.zip"?
  | formail -A "X-Content-Security: [$HOST] NOTIFY" \
    -A "X-Content-Security: [$HOST] QUARANTINE" \
    -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html"
}
I'm using Thunderbird. I didn't need to train it or make any rules or anything. It's automatically taking care of lots of "mail contained virus" notifications.
I tried SpamBayes a few days ago. I had to wait to build up a database of good and junk mail, and then it made a false-positive with a university email even though I'd trained it with several uni emails.
Conclusion: Thunderbird is absolutely amazing. I'm going to recommend it to friends.
Plus, having Firebird and Thunderbird icons in quick launch looks much better than IE and OE.
Programming can be fun again. Film at 11.
What does the F stand for? I can think of a few candidates that have exactly 4 letters.
It stands for the letter after 'e', dumbass.
Umm, no.
1) BSD predates any 32-bit version of Windows; how do you think BSD code wound up in the first version of Windows NT?
2) Microsoft had a UNIX license and sold its own proprietary version (Xenix) way before it embarked on any Windows project. Yes, before any Windows project, including the original Windows which ran on XT and AT-class PCs and was followed by Windows 286 and Windows 386.
3) At that time, people who had never seen a line of Unix source were nevertheless writing code that was at least as secure as Unix and possibly moreso, for a variety of platforms. Seeing Unix code is not a prerequisite to writing good code. The security problems that plague Windows mostly result from architectural decisions made by Microsoft, combined with (in some cases) poor coding practices and the inevitable slips that tend to happen in a code base that is both huge and not peer-reviewed.
Never, huh?
Basically, the last time that a major non-Windows worm threatened the stability of internet was back when the majority of computers on the Internet weren't running Windows. There have been numerous worms since then for UNIX & Linux, but their market penetration has been low enough not to seriously hurt the whole internet. This is not as good of a thing as you indicate.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
I may really be naive about this, but if MS was serious about "Trustworthy" computing, then you'd see "MS AntiVirus" on their products page.
... it looks like they're going to do it after all?
Then again... who'd use it? It'd let 1/2 the viruses through.
Haha. Then again... I spoke too soon... google: 'ms antivirus'
Friends don't help friends install M$ junk.
Wow, this must be an old virus if it is written in Fortran.
Instead of deleting them by hand, you can train the filter with several of them and then from menu bar -> Tools -> Run Junk Mail Controls on Folder.
Alternatively you can set up a message filter (from the Tools menu too) and then run it on your inbox.
Good luck.
Haven't actually seen the virus itself, but I've been getting barraged by notices from various server installations of "Declude Virus" telling me that my server sent them an infected e-mail. They then proceed to include the original headers, which clearly show the offending e-mail came from somewhere else. They suggest, "If this virus did originate from one of your users, you may want to consider adding virus protection to your mailserver." Uh, I won't be installing their software, that's for sure.
"Just wondering... Why are viruses programmed to deactivate?"
Built in obsolescence? Maybe the writer always wants you to have the latest version or something. This also reminds me of the recent musings of a software company we love to hate ;-)
Nope. Some government is behind this, either U.S. or China is my guess. The goal is to sharpen cyber warfare skills. Neither country wants to cause significant harm on the other unless there is a real war, in light of the fact that we are dependent on each other economically.
http://clamav.elektrapro.com/
Work for me, has for several months now...
When will the various mail server vendors get a clue? Allow honeypot checking to stop viruses. For example, in your company's global/LDAP/Exchange/Whatever address book put in random bogus (honeypot) addresses. One for every letter of the alphabet would be good.
Then have the mail server check every outgoing message to see if it is being sent to the honeypot addresses. If it is, the sender most likely has a virus. You have tried to send to a bogus account, so therefore I think you are infected with a virus. Automatically disable the account and send the account and email to contact IT ASAP because they probably have a virus. Worst case scenario is that 5% of your users get sent the virus before the honeypot was hit.
This would work on any virus, even new ones that the antivirus vendors haven't detected yet. Because now you are looking at behavior, not content.
You open source zealots our there listening? Put your talents where your mouth is and give us some good open source plugins for the various email daemons to do this! It's time for mail servers to start looking at behavior, not content.
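The honeypot-recipient check proposed above is mostly a recipient lookup on the outbound path: if any To/Cc/Bcc address is one of the decoy directory entries, hold the message and flag the sending account. The following is an added example, not an existing plugin for any mail daemon; the decoy addresses, sender and sample messages are all constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed decoy entries, one per initial as the post suggests. A real
# deployment would use names that blend into the directory; these are placeholders.
HONEYPOT_ADDRESSES = {f"{c}.decoy@example.com" for c in "abcdefghijklmnopqrstuvwxyz"}


def recipients(raw):
    """Every address in To/Cc/Bcc, lowercased for comparison."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for header in ("To", "Cc", "Bcc"):
        for _display, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append(addr.lower())
    return found


def honeypot_hits(raw, honeypots=HONEYPOT_ADDRESSES):
    """Decoy addresses this message is addressed to (sorted, deduplicated)."""
    traps = {h.lower() for h in honeypots}
    return sorted(set(recipients(raw)) & traps)


def outbound_verdict(raw, honeypots=HONEYPOT_ADDRESSES):
    """('hold', sender, hits) when a decoy is targeted, else ('deliver', sender, []).

    The sender is returned so the caller can disable that account and notify
    IT, which is the response the post describes. Behaviour, not content, is
    what is being judged: no signature for the worm is needed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From") or "").strip()
    hits = honeypot_hits(raw, honeypots)
    return ("hold", sender, hits) if hits else ("deliver", sender, [])


def build_outbound(to_list):
    """Constructed outbound message; an infected client mails its whole address book."""
    msg = EmailMessage()
    msg["From"] = "bob@example.com"
    msg["To"] = ", ".join(to_list)
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file for details.")
    return msg.as_bytes()
```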
These rules could easily be incorporated into the Windows OS but are not because MS is counting on Communist-style computing with the future processor-encoded web content controls! This will effectively be used to screw the Adobe Acrobat web content system and create a non-competitive web content creation advantage. Morons in businesses that post nothing but MS-encoded file formats to the web will rule the day permanently. All web content will eventually only be accessible and usable through the MS OS, completely defeating the real value of the net unless you use Windows. That is the .NET strategy; just go to the MS web site and look at the hype and you will catch on.
OH THE SHAME I fell off the wagon and use sigs again!
That's the difference though. Yes, you have permission to access your own files on a *nix system (at least a personal *nix system; in many cases I don't give users permissions to modify their home directory). But you cannot execute a file without knowing you're executing it. On Windows an uninformed user can execute a program without knowing the consequences and without knowing the difference between the executable and other types of files. On a *nix system these concepts are handled in such a way that there is a clear distinction.
The user who doesn't know the difference wouldn't be able to figure out HOW to execute it.