SoBig: Worst is Yet to Come
bl8n8r writes "Experts say when vacationers get back to work Monday, inboxes will unleash the worm's worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
They named a virus after my penis.
If the majority of the cost comes from cleaning the system, I would recommend (in my professional opinion) simply letting the systems remain infected.
lysergically yours
IAALS.
The past 3 days, I've had over 300 Sobig.F messages in my Junk folder (filtered by Mozilla Mail). Other co-workers with Eudora are less fortunate, since they spend better than an hour clearing out all those emails.
-Cyc
/.'s 10 Millionth
I'm so glad that my computer is running Windows 2003, no viruses can affect this system since Microsoft's promise to completely make it secure. ... ...... .. DOH!
It's an open source business model!
1: Write free software.
2: ?
3: Get inbox filled with worms and viruses.
4: Profit!
This article claims that time wasted will cost businesses tens of millions of dollars. It seems to me that no matter how much spam/virus flooding/crap you get in your inbox, you only do so much work every day. If you take five extra minutes to clean out your inbox, that's five minutes less of surfing Slashdot or screwing around. Deadlines don't change for viruses -- people still have to do as much real work as ever.
isn't the lesson here that people shouldn't go on vacation?
Arnie for Governor, Actors Speak Louder Than Words
2 worms (DCOM and Welchia) and a virus variant in less than two weeks.
This should tell investors that they are wasting their money.
This should tell companies that they are wasting their money.
Someone, somewhere, will hopefully get a clue.
FYI-- MacOSXHints.com published a set of filter instructions that would filter out this crap. I prefer some of the strategies in the comments, but for non-vulnerable machines, I guess this is the only thing to do.
SoBig is the worst email virus I've seen -- BY FAR.
Normally, I get about 30 spams per day and a few viruses. Not much harm to a Linux system running `mutt` as an MUA! Yesterday, I received about 150 SoBig, plus maybe 30 automated msgs saying _I'd_ sent out such nastiness/bloat.
Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems.
No, most of the problems caused by SoBig involve shitty software.
Karma: The shiznight, mostly because I am the Drizzle.
Wait till infected laptops & workstations start moving back into the dorms!
Our computers aren't getting infected: between virus scan, ZoneAlarm, ancient e-mail client and knowing not to open the stupid attachments, we've not gotten infected.
But >1000 100K e-mails per day to a single address were swamping our ability to do anything but download and delete.
It took two days of querying tech support at my ISP before they'd admit that procmail would work, and a quickie recipe dumps all the infected files. Yay. I should have just done it without checking tech support, for all they helped.
This was listed in a previous thread, but it's worth repeating:
In a .procmailrc file, put

:0 B
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr)"
/dev/null

This deletes any message with a pif, exe or scr attachment.
I'll get more sophisticated later once I learn more about procmail, but for now, this does the job, without having to worry about SHELL and PATH settings.
Design for Use, not Construction!
did anyone see cmdrtaco post "lunis says SCO is smoking crack!"?
So far this week, I've received only seven actual copies of W32/Sobig. However, the number of messages from mailer-daemons and mail server virus scanners has exceeded this by a factor of ten. Some of these rejection messages actually include a copy of the infected .PIF file.
You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field. I didn't send it, my Mac is not infected. You're just annoying me. Please go away.
At best, this is collateral damage. At worst, these rejection messages are actually advertising the IP addresses of infected systems. Should a virus drop a back door payload, this would multiply the damage.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
...how is this different than getting rid of all that damn spam in my inbox every day? Would I even notice what the worm does to my inbox?
Be excellent to each other. And... PARTY ON, DUDES!
Only 5 more days until I stop receiving 500 "Returned mail" messages a day in my inbox courtesy of that little header spoofing bastard. Who says Windows viruses don't affect us Linux users?
(Score:-1, Wrong)
Don't complain.
With SoMany.IT.Workers unemployed, SoBig.And.ItsVariants have a strangely positive side effect...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Normally we don't block emails with specific attachments at our post office because it takes too long to scan them. Our company of 100 people averages 14,000 legit emails per day in and out, but with this outbreak as bad as it is (and not peaked yet!) the blocking is being instated tonight.
While musing with a programmer here who just moved her daughter into college, we brought up an interesting thought: Hundreds of thousands of college kids are moving back into dorms with huge fat pipes and Outlook style email clients on computers that haven't been patched since April or May. Yikes!
-Shadow
What... more than 50% of email users were on vacation last week?
what 'experts' claim this?
wtfever
...for two reasons: IT staff will have had just that many more days to upgrade safety systems, and there are actually fewer people on vacation (at least here in the US) this week of the year than last week. So, the worst is likely behind us...not that the coming weeks will be a picnic.
Okay... so it costs time and money to clean these random virus outbreaks from Windows machines. So did the last big virus problem before this, and the one before it, and so on.
Maybe I'm missing something here, but why do businesses and consumers put up with this stuff?
this is my sig
ok, my turn
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
For those who'd like to see a beowulf cluster of those, just wait until next morning.
I bet there is a conspiracy with virus writers trying to make Microsoft plummet to their death...
Design for Use, not Construction!
was a statistically significant portion of the workforce on vacation this week?
that seems like a pretty weak overall premise for an expected resurgence.
now if he said that he expects a steady stream of continued activity into early next month, due to all the people who take vacations throughout august - he might have a point.
but to suggest that these 'vacationers' will unleash the same spam deluge monday that the rest of the unwashed have given us this past week, is a bit shaky.
// "Can't clowns and pirates just -try- to get along?"
SoBig!!!
Ugh...I hate this virus.
In nine years of sending and receiving email, I've only seen one virus, Klez.
I guess it goes to show how wildly unpopular I am.
--
the strongest word is still the word "free"
You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field.
The situation is even worse than that: Most (all?) of the virus scanners sending me autoreplies correctly identified the virus as being Sobig -- which always uses spoofed source addresses.
Sending autoreplies is sometimes useful, but these scanners should at very least have a table which tells them, for each virus, whether an autoreply should be sent (ie, a table which specifies if a virus uses spoofed source addresses).
Tarsnap: Online backups for the truly paranoid
I seem to be getting thousands of "automatically generated Delivery Status Notification" messages for emails never sent by "us".
Could everyone please nuke the bounces for these emails? They're more annoying than the worm itself; at least I can nuke the worm in my filters, but these DSNs are coming in with all kinds of formats and they are harder to filter because we really do want the legitimate ones.
Ferris Research estimates that spam will cost U.S. businesses more than $10 billion in 2003, and that spam accounts for 15% to 20% of inbound e-mail at U.S.-based corporate organizations.
ATTN: SPAMMERGOD2000
I humbly appeal to you on behalf of the entire internet family to save us from starvation, poverty and strangulation by assisting us to move this money from its location back into our nominated bank accounts where it will be safe, since i cannot read my email now due to the spam imposed on the internet family and i seek your assistance to clear this spam for investment advice as i need your co-operation please.
I watched C-beams glitter in the dark near the Tannhauser gate.
String the last two 'default' headlines together and whaddaya get?
"New Longhorn Screenshots Leaked. Sobig. Worst Is Yet To Come."
Yep. That just about says it all!
This will be used by countless FUDmasters to con Joe Sixpack into things like:
Accepting DRM/TPCA (otherwise unsigned code can run)
Outlawing P2P
Port filtering by ISPs
Accepting blind AutoUpdates
[US]Cheering on the Patriot Act[/US]
'outlawing' Spam
All in the name of 'security'. Insert obligatory Franklin quote: Those who would trade freedom for security will lose both, and deserve neither.
I want to delete my account but Slashdot doesn't allow it.
Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems rather than the destruction of files or the opening of files to outsiders on the Internet, which can be problems with many computer viruses. Pescatore said that the cost of both technical support personnel and lost productivity by the computers' users can range from $500 to $1,000 per infected machine.
...
And who is Marc Sunner? He's the CTO of MessageLabs. And what does MessageLabs do, you ask? See for yourself, from the main page at messagelabs.com:
Email security today is a global issue which pervades whole organizations. Viruses, spam, pornographic material and other harmful or unwanted content represent a serious risk to your company. To combat these all too real threats, you need a total, proven and effective solution. Only MessageLabs can assure you of complete peace of mind from complete email security.
$500 to $1000 to clean up each infected machine? Right, whatever Marc. And it's obvious you don't have *any* interest in propagating that baloney too. (on second thought, if you hire me to clean your machines, I'll do 5% discount off that price).
Another fine impartial article reposted by Slashdot. (By the way, the word you're looking for is "advertising")
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
She still forwards, still uses AOL, etc. The same applies for my users at work. I mean what the Hell, these people ask me every week about this stuff. Over and over again. I'm getting to the point where I don't even TRY to explain things anymore. I'm just a broken record saying "delete the e-mail". I'm going to start screaming "LART!!!" before long and I won't be gentle >:)
"Even if SoBig comes in well below that, at $100 per machine, that's probably going to be $50 million," Pescatore said, using an estimate that 500,000 computers may have been infected already.
Where did he get $100 per computer from? Did SCO dream up a stupid number like that for him? DOLT! All you have to do is download a patch and keep working. Maybe even run Norton if you're using Windows. That costs NOTHING except max an hour of tech time to clean it up - and given the tech work I've done, I never make $100/hr!
Sig & Below
Yuck Fou
According to the article, since SoBig is much more successful against servers that do not have very good spam filters, the excessive SoBig traffic has prevented a lot of spam from being sent since it's eating up the bandwidth usually used by spammers. I'll have to admit that while I've had a LOT of SoBig spam, I have seen a decrease in other spam over the past few days.
So is that the solution to spam? Maybe someone should write a worm that always has the same payload so it can be easily filtered. We never have to see the fake spam messages, the real spammers won't be able to send harder-to-filter messages, and the server owners of those loose servers will have an incentive to clean up their act with the worm eating up all of their bandwidth.
Actually, extending this, maybe the way to fight open machines is to cause the open machines to send themselves excessive traffic, rendering them fairly useless until their operators fix them, but not negatively impacting the rest of the net.
paintball
"Pescatore said that the cost of both technical support personnel and lost productivity by the computers' users can range from $500 to $1,000 per infected machine."
:)
How much does Windows cost?
I know it's not really Microsoft's fault, since they had a patch and it's not their fault that people try to get email and stuff... But my users are rather annoyed. We all run Macs and either Mac OS X or FreeBSD servers so we're not vulnerable to this virus, but it's getting annoying just deleting the things. I can't imagine having to worry about getting infected on top of having to run Windows
We got almost all of ours (150 to 5 addresses) from one local government office. I emailed them when we narrowed down what machine they were coming from and the flow has stopped. We didn't get a Thank You or anything, but maybe our little government office doesn't want to publicly admit to running insecure systems.
I wonder if this $500 - $1000 per computer will be in the budget next year.
"Experts say".... I don't think that there exist any experts for "predicting the time and place that virii will be most destructive".
I predict that people will have a little more common sense before opening a file that's been all over the news.
Once again, I will ask...
How much longer until governments and businesses decide "This will no longer happen", and start turning their backs on Microsoft Windows?
This is costing them untold time and money.
I'm not expecting an immediate embrace of Linux from end to end, but if they would start looking at all the alternatives, be it Linux, BSD, Apple, Sun, IBM....
Surely the money they spend on *any* migration would be made up in a year or two of lesser IT infrastructure woes.
Disclaimer: Yes, I understand that they'll still get lambasted and their bandwidth clogged by crap from the outside, but at least they won't have to worry about it hurting them as much.
do() || do_not();
It's odd. I use Thunderbird, so I know I'm not infected, but I keep getting messages bounced back to me... and the strange thing is, the mail was sent from what are essentially honeypot addresses for spammers. So, is some spammer infected and sending out mail with me (my domain) in the From header?
I am receiving SoBig shit at a rate of 3 to 4 per friggin' hour right now, and you say it will get worse? I am surprised it has not crashed the whole net yet! It is time to isolate Microsoft users from the rest of the net! HA HA HA they are a frigging menace.
OH THE SHAME I fell off the wagon and use sigs again!
What I find discouraging is that the lemmings are falling for it despite this being The Week of Teh Worm.
All the hopeful articles that have cited users claiming a new awareness of the risk of worms and virii seem to be pipe dreams.
Dumb users are dumb users, and the more infectious and persistent the virus, the more networks are going to get hammered. Why oh why aren't all pif, scr, exe, com, and vbs attachments just blocked by the MDA? There is no good reason for allowing an end user the huge complexity of choosing whether or not to click on the latest attachment that's come to them from "the internet".
If the lemmings are getting suckered this week... when every news medium is blathering on about viruses worming their way through nuclear reactors and motor vehicle registration offices, what hope is there for when the attention has settled?
Watching the recent virii, email and network slowdowns, this is a pretty good example of why one person or one company should never rely on one method of communication.
It sounds like a simple lesson, but for those of us in IT, it's an important one to relay. DON'T just count on email. Count on phone, pager, etc. Occasionally you may look dumb calling someone to see if they got a vital email, or calling up someone who is just finishing an email to you, but it's worth the risk, especially when one is unsure of technical reliability.
I've always tried to cultivate the habit of dropping by and seeing people I work with face-to-face if I need to talk to them. It keeps me from being overly reliant on phone messages and email and keeps lines of communication open. Having seen people overly dependent on email, etc., I figure it's a good habit to maintain.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
If these companies are dumb enough to not have something on the front-end keeping these viruses from reaching their employees' inboxes then they deserve to lose money. We've made it a policy in our department to not allow messages with .pif or .exe attachments through (they can zip the attachment up if they really need to send any executables around).
-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
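As an added example (not code from any poster above), here is a Python sketch of the MDA-side policy several comments describe: drop messages carrying .pif/.exe/.scr/.com/.vbs attachments, let .zip through, and consult a per-signature table before sending any notification so that worms which spoof the From: address never trigger a bounce to an uninvolved third party. The signature names in the table, the addresses and the sample messages are all constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions several comments want blocked at the MDA. .zip is deliberately
# not listed, matching the "zip it if you really must send an executable" rule.
BLOCKED_EXTENSIONS = {"pif", "exe", "scr", "com", "vbs"}

# Constructed per-signature table (hypothetical names): does this worm forge
# the sender? If it does, a bounce or "you are infected" notice only lands on
# an uninvolved third party whose address was harvested, so we stay silent.
SPOOFS_SENDER = {
    "W32/Sobig-F": True,
    "W32/Klez": True,
    "Hypothetical/HonestMailer": False,
}

# Last extension of a declared filename, tolerating trailing whitespace.
_EXT_RE = re.compile(r"\.([A-Za-z0-9]+)\s*$")


def attachment_names(msg):
    """Yield every filename declared on a leaf part (Content-Disposition
    filename= or Content-Type name=), walking nested multiparts."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def blocked_attachments(msg):
    """Return declared filenames whose final extension is on the block list.
    Matching is case-insensitive, like procmail's default regex matching."""
    bad = []
    for name in attachment_names(msg):
        m = _EXT_RE.search(name)
        if m and m.group(1).lower() in BLOCKED_EXTENSIONS:
            bad.append(name)
    return bad


def decide(raw_bytes, detected_as=None):
    """Filter one raw RFC 822 message.

    Returns (action, notify_sender): action is "deliver" or "drop", and
    notify_sender is True only when the message is dropped AND the detected
    signature is known not to spoof the sender. Unknown signatures are treated
    as spoofing, so the default for a brand-new worm is to drop quietly.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if not blocked_attachments(msg):
        return "deliver", False
    spoofs = SPOOFS_SENDER.get(detected_as, True)
    return "drop", not spoofs


def build_sample(filename):
    """Constructed test message: a short note with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "harvested-victim@example.org"  # constructed; stands in for a forged sender
    msg["To"] = "postmaster@example.net"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, sig in [("details.pif", "W32/Sobig-F"), ("Notes.ZIP", None),
                      ("tool.exe", "Hypothetical/HonestMailer")]:
        print(name, decide(build_sample(name), sig))
```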
As of this morning, someone's computer has been sending me a 100 KB SoBig.F every half hour exactly. That's almost 5 MB a day.
Postmaster errors, bounces, virus scanners... they all tell me that my email address is being used as the "from" address by dozens of helpless Windows users' virus-ridden computers. Sigh. I'm deleting about 20-50 messages a minute, and just barely keeping up.
How bloody difficult is it to patch your system? Yeah, Microsoft does keep coming up with patches all the time.. That's why the automatic update utility is available. It tells you when new patches are available. And how bloody difficult is it to not open attachments in "My Resume" or some other bullshit subject email? Software is bound to have holes (Microsoft has a lot more holes than the rest) and this has been demonstrated repeatedly. Even a basic software firewall like ZoneAlarm can prevent most infections. There are various options available to protect yourselves. I wish everyone would just stop whining about worms and viruses and trojans and just take a few basic measures to prevent infections.
So the "SoBig" worm is going to keep me from getting my penis enlarger product? Ironic that it would be called "SoBig"...
Go to Walmart and buy batteries and ham radios 'cause next Monday, all the power plants of the USA will shut down ;)
Who modded this redundant?
It was posted 3 freakin' minutes since the story went live, and nobody above has expressed a similar sentiment.
I M2ed something just like this earlier today.
Did mods figure out that it is a pain in the ass to M2 a redundant mod?
What could your company possibly do that has everyone from the CEO to the temps reading and responding to on average 140 emails per day?
Other than a spammer, I can't imagine what sort of business would have that kind of per capita email volume. Not trolling or flaming, just curious...
Worst is Yet to Come
Sounds like the title of a black metal album.
The idea is courtesy of the macosx forum
There are quite a large number of college students coming back to school starting next week. The number of unpatched machines will most certainly be a very large percentage of that number.
The management at my place of business has gone so far as to decommission the staff mailing list as a result of the Merry-Go-Round messages that SoBig is causing.
That's the ticket, security through avoidance...don't bother to update those virus definitions, just get rid of the e-mail's target.
The virii have won!
-R
We haven't seen the virus. But then again, we're admins who know what we're doing...
That's right, we run $CO UnixWare. And since there are only 2 or 3 other copies of $CO UnixWare being used in the world, we don't have to worry about worms and viruses.
Karma: The shiznight, mostly because I am the Drizzle.
ln -s /bin/clue /dev/null
.sig
Looks like in addition to all the garbage we've been getting as a result of this virus propagating (the virus itself, attachment-free e-mailings by the virus, mis-directed automated notifications that "Your mail server sent us a virus", bounces to people whose addresses were spoofed by the virus, probably etc.), we can expect the infected computers to start being used as relays for the sending of "normal" spam -- with the corresponding spike in spam volume that would bring.
According to this article:
And Symantec:
Hi, this site is all about Sobig, REAL Sobig. This site is awesome. My name is Robert and I can't stop thinking about Sobig. Sobig is cool; and by cool, I mean totally sweet.
One has to wonder what impact spammers have on viral activity. Here, we have a virus that scans your hard drive for any emails it can find... meanwhile, spammers are collecting email addresses on their hard drives by the tens of thousands, and may be causing viruses like SoBig to spread much more quickly.
Another reason to hate spammers, I suppose....
Does anyone know how to make Mail.app disregard emails based on attachment filenames?
There are no trails. There are no trees out here.
My ping times to www.mit.edu (my personal benchmark, as it's on the next POP over and always up) are normally 25 ms from home; they grew slowly from about 30 ms Monday morning to as high as 2600 ms yesterday with 2/3 packet drop. But today, and especially in the last few hours, it's fallen back to about 29 ms with 1/3 packet drop.
;)
There are still occasional storms, I guess as a new host gets infected nearby. But things are good compared to the last two days when I couldn't even listen to internet radio and plain old web browsing and e-mail were slow...
BTW I haven't seen any of the e-mails myself due to our spam filter, but I have gotten some returned e-mail the virus sent, and a non-tech friend got this one and another friend (who's very non-tech) got last week's virus. I usually don't personally know the people who get these things; it has been a good week for discussing an OS upgrade to Linux with non-techies.
Just a few hours ago I cleaned sobig.F from one machine that was already patched in our 'MSBlaster Clean-sweep' and discovered this.
More annoying than the worm are all the "You are infected" warnings coming from clueless virus software. They make it through the spam filters.
I turned off Sender Notifications for virus stripping ages ago because these things spoof that reply-to. Now I am starting to block domains whose notification messages are clobbering my server. These notification messages are coming in by the thousands and only further confuse the issue. They also annoy my users who aren't at fault in the first place.
To: All Georgia Tech Students
The Office of Information Technology (OIT) has detected the following worms and viruses proliferating on the Georgia Tech campus network:
-MS Blaster worm
-DCOM (Nachi) worm
-W32/Sobig-F virus
Successful worm and virus outbreaks impair networks by blocking access or increasing the time it takes to transfer data across a network connection. It is imperative that everyone on campus take appropriate actions to secure their systems from current and future outbreaks.
Overall Risk to Georgia Tech
Infected systems must be cleaned to contain the worm or virus and prevent further proliferation. The time it takes to clean infected systems causes lost productivity throughout the campus community. If an outbreak is not contained, some network services will become unavailable due to "denial of service" events.
Any desktop and server computers with Windows (2000, NT 4.0, XP, and Server 2003) that connect to the Georgia Tech campus network and have not been patched are vulnerable to the MS Blaster and DCOM/Nachi worms. The Sobig-F virus can infect any Windows system (95, 98, NT 4.0, Me, 2000, and XP) via email attachment or Windows file sharing. These worms and the virus do not infect Macintosh computers.
Actions Taken by OIT
OIT has taken these steps to contain the current outbreaks:
-Blocked the ports vulnerable to these worms at the campus network border.
-Notified the technical support community on what to do regarding these worms.
-Temporarily blocked the ports vulnerable to these worms at the ResNet and EastNet routers to prevent un-patched systems of arriving students from damaging the rest of the campus. The effect of this will be that certain services such as file sharing will not be possible from within Resnet/EastNet to the rest of campus. These changes will not prevent access to mail, internet or other campus services.
We are currently working very closely with the ResNet manager to repair ResNet's infected student machines. You can help us by following these actions immediately:
Actions for Students to Take
If your system is currently infected, you must make sure it gets disinfected.
Get assistance from one of the technical support staff members, obtain the fix CD from your RTA, or download the appropriate software tools from the web.
To remove the Blaster worm, obtain the Stinger tool:
http://vil.nai.com/vil/averttools.asp#stinger
Immediately update your computer's security software.
All computers that use the Georgia Tech network should have up-to-date anti-virus and personal firewall software installed. To protect your system from future worms and viruses:
-Download and configure anti-virus (VirusScan) and personal firewall (ZoneAlarm) software from the OIT software distribution web page (http://www.oit.gatech.edu/software/ ).
-Do not open any email attachments from senders you do not recognize.
-Since some viruses and worms send infected messages that appear to come from email addresses that may be known to you, care should be taken before opening attachments that you are not expecting. More information and guidelines can be found at http://www.security.gatech.edu/
If you are running Windows and have not installed the current patches, please go to the Microsoft website and download the Blaster worm security patch.
WinXP:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
Win2000:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
Win2003:
http://www.microsoft.com/downloads/details.aspx?FamilyID=f8e0ff3a-9f4c-4061-9009-3a212458e92e&displaylang=en
If you need assistance from the ResNet technical staff:
ResNet site (http://www.res
http://almostsmart.com
The title of this article sounds like it should be the name of a pr0n flick.
-=-=-=-=-=--=-=-=-=-=-=-
What would Yossarian do?
!!!UOY ot liame dnes sesuriV
This is the first time our W2K servers got smashed. Seems our employees weren't smart enough (or trained enough) to know NOT to click on strange unexpected emails. Now we're contemplating blocking ALL internet access to our thin clients to prevent this. Our Linux box and filtering hasn't let a single whippersnapper in yaaay!
Shame on Symantec for not releasing a critical definition that all clients would auto download the night of discovery.
Virii is not a word
Viruses on the other hand is
He may be huge, but his website is fucked up.
I haven't got ONE SoBig worm mail. Not one.
Boo hoo. Someone send me one, please, I feel left out.
And was it just me, or did that article just wander all over the place? I mean, one paragraph it's talking about the SoBig email worm, in the next Blaster, and in the next the overall cost of spam: three completely unrelated items, but put together they gave the impression that this email worm was stopping trains from running and costing billions?
I don't need no instructions to know how to rock!!!!
DCOM was patched over a month ago.
This worm is another attachment thing. Not Microsoft's fault. More clueless users.
"Sufferin' succotash."
Am I missing something? What is so important about this week that "so many people are on vacation?"
Honestly why would a user run a PIF attachment anyways? Would you use unknown medication? Why would you run unknown attachments? Simple solution: Server.CreateFilter(attachments, PIF)
-=[ Who Is John Galt? ]=-
I haven't got a single SoBig e-mail yet. I guess our FreeBSD mail server is smacking all those messages down, which means I have to... get... to... work...
Sigh
Are the voices in my head bothering you?
Sobigf / MSBlast on Steroids
MoFscker
puck:~> grep MDLOG /var/log/maillog | grep bad_filename | wc -l
1408
puck:~> grep MDLOG /var/log/maillog.Wed | grep bad_filename | wc -l
1606
puck:~> grep MDLOG /var/log/maillog.Tue | grep bad_filename | wc -l
1561
puck:~> grep MDLOG /var/log/maillog.Mon | grep bad_filename | wc -l
0
Slashdot's usually one of the first places I stop by in a day, but I generally check my e-mail first. Today my account was (again) over-quota due to good old SoBig's messages. I used to only check once a day but if I want to actually get any messages I've had to do it a bit more often. So today as I was going through the cleanup, I thought to myself "Oh well, at least it'll be over soon."
Then I went to Slashdot. Front page, first story there - "The Worst is Yet to Come".
Thanks Slashdot. You really know how to lighten up someone's day.
-Denor
On one end you have Microsoft, building and selling software like crazy.
Right underneath them, you have developers who don't give a shit about what they build and let in bugs like crazy..
Right next to them, you have the marketing goons spread FUD like crazy
On another end, you have companies/people buying Microsoft software like crazy..even after they read day in and day out of worms/bugs/critical flaws and what not..
On this end, you have Sys Admins who do give a fuck and try patching their systems like crazy and still goes under the barrage of worms/viruses
On the other end, you have script kiddies/idiots and people who seriously need to fucking stop and have a life, spewing out nastier and nastier worms/viruses every week
On another end, you have people like us who wish someone somewhere would sue the fuck out of software firms like MS to be held accountable for the tripe they churn out every year
And in another corner, I stand with a big fuckin baseball bat ready..waiting for the next script kiddie and the next spammer coming to ravage my tiny XP boxen tidily hidden behind me..
When would this shit stop?
Rapid Nirvana
"Worst is Yet to Come"..."Inboxes will unleash the worm's worst attacks"
Oh yeah? So neither bl8n8r nor taco actually *read* the article?
yeah i know, it's just /., but dangit guys..
I had a user that called me because he actually got a copy of SoBig in his inbox. Usually our mail scanners are really good at filtering out even the newest viruses. What I didn't realize is that our AutoUpdate had failed that day, so it didn't have the SoBig update. So I asked him, "Well how the heck did you get SoBig?" and he answered, "From eating so many sandwiches."
Do the virus writers name the virii or is it Antivirus companies?
In any event... Whoever named this doozy has a real... Inferiority Complex. If you get my meaning...
You might say he... Is trying to make up for something... If you get my meaning.
You might even go as far as to say... He has a small penis and named the virus sobig because he is ashamed of it....
Wait...
Maybe I went too far...
Yoho
Would it be a good idea to have consumer pc boxes equipped with cheap builtin hardware firewall/nat?
It could, of course, be turned off by corporate IT folk who don't want to have it, or by the intrepid home user who knows what they are doing, but for the unwashed masses, would just 'be there'.
Anyway, would this provide any actual protection? And could it pass the UI test for the standard user?
Laugh while you can, monkey-boy!
Why are so many mailservers detecting the virus and then bouncing them?
I am receiving almost as many bounce reply emails as I receive actual viruses (of course our open source virus scanner already stripped the executables, so no problem, except to delete them)
The real "Libtards" are the Libertarians!
I just got out of a meeting about this virus and how it's affecting corporate messaging/email. Everyone started whining about their home PC's and of course I had to interject about my virus-free Mac OSX Power Mac at home.
They just looked at me with their open mouths and vacant stare. Meeting adjourned.
The thing I like the most in those "worm reports" is that they say every time that the worm spreads through mail, but never point out that there is only one email client that allows that kind of stuff and that there are alternatives.
Why can't someone come up with something intelligent and say "the worm uses Microsoft's Outlook to spread itself"?
I've got 693 SoBig spams to my obfuscated address: 'web-slashdot@NOSPAM.rangat.org' (I've since updated my DNS to serve an MX for nospam.rangat.org to 127.0.0.1, but it hasn't propagated yet. ) Almost all were from one IP: "Received: from cs24174102-171.houston.rr.com (HELO MARK-TRQBH52QXQ) (24.174.102.171) by bluesky.thille.org with SMTP; 21 Aug 2003 19:59:41 -0000"
Not sure if he's a spammer that got infected, but the 'from' addresses are coming from a huge number of unique and seemingly 'real' addresses.
I finally just setup my mail server to drop connections from that IP.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
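The comment above makes the practical point: the From: addresses are forged, so the only trustworthy fact about a SoBig message is the peer IP recorded in the Received line that your own MTA wrote. The following is an added example (not code from the thread) that extracts that IP and tallies it across a mailbox so you can decide which hosts to drop. It assumes the trusted MTA is named bluesky.thille.org, as in the header quoted above; the three sample messages are constructed, with their Received lines modelled on that header, and the iptables syntax in the last function is an assumed target.

```python
"""Attribute SoBig traffic to the machine that actually handed it to our MTA.

Added example, not code from the thread. Assumes our MTA is
bluesky.thille.org; the sample messages below are constructed.
"""
import re
from collections import Counter
from email import message_from_string
from typing import Iterable, List, Optional, Tuple

TRUSTED_MTAS = {"bluesky.thille.org"}   # hosts whose Received lines we wrote ourselves
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def submitting_ip(raw_message: str) -> Optional[str]:
    """Peer IP from the topmost Received line written by a trusted MTA.

    MTAs prepend Received lines, so the first one is ours; everything below
    it (and the From: header) was supplied by the sending machine and may be
    forged. If the first hop is not ours we give up rather than guess.
    """
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        received = " ".join(received.split())          # unfold continuation lines
        head, sep, tail = received.partition(" by ")
        parts = tail.split()
        if not sep or not parts:
            continue
        by_host = parts[0].lower().rstrip(";")
        if by_host in TRUSTED_MTAS:
            ips = _IPV4.findall(head)                   # qmail writes "(ip)", sendmail "[ip]"
            return ips[-1] if ips else None
        return None
    return None


def tally_origins(messages: Iterable[str], threshold: int = 2) -> List[Tuple[str, int]]:
    """Submitting IPs seen at least `threshold` times, busiest first."""
    counts = Counter(ip for ip in map(submitting_ip, messages) if ip)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def deny_rules(origins: Iterable[Tuple[str, int]]) -> List[str]:
    """Render firewall rules (iptables syntax assumed) dropping SMTP from each origin."""
    return [f"iptables -A INPUT -p tcp --dport 25 -s {ip} -j DROP" for ip, _ in origins]


# Constructed samples. Two come from the Houston cable address quoted in the
# comment, with different forged From: lines; the third comes from a
# documentation-range IP and carries an extra, sender-supplied Received line
# that must be ignored.
SAMPLES = [
    "Received: from cs24174102-171.houston.rr.com (HELO MARK-TRQBH52QXQ) (24.174.102.171)\n"
    "  by bluesky.thille.org with SMTP; 21 Aug 2003 19:59:41 -0000\n"
    "From: cmdrtaco@slashdot.org\n"
    "Subject: Your details\n"
    "\n"
    "See the attached file for details\n",

    "Received: from cs24174102-171.houston.rr.com (HELO MARK-TRQBH52QXQ) (24.174.102.171)\n"
    "  by bluesky.thille.org with SMTP; 21 Aug 2003 20:14:02 -0000\n"
    "From: someone.else@example.org\n"
    "Subject: Re: Wicked screensaver\n"
    "\n"
    "See the attached file for details\n",

    "Received: from dsl-45.example.net (dsl-45.example.net [192.0.2.45])\n"
    "  by bluesky.thille.org (8.12.9/8.12.9) with ESMTP; Thu, 21 Aug 2003 20:30:11 -0000\n"
    "Received: from mail.example.com (mail.example.com [198.51.100.7])\n"
    "  by relay.example.com with ESMTP; Thu, 21 Aug 2003 20:29:00 -0000\n"
    "From: cmdrtaco@slashdot.org\n"
    "Subject: Your details\n"
    "\n"
    "See the attached file for details\n",
]

if __name__ == "__main__":
    for ip, n in tally_origins(SAMPLES, threshold=1):
        print(f"{ip:16} {n} message(s)")
    print("\n".join(deny_rules(tally_origins(SAMPLES))))
```

Only the first Received line is trusted: a worm or spammer can put any number of plausible-looking Received lines into the message it submits, and they all sit below the one your server adds.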
Linux during a virus epidemic, it's like being out of the country during the blackout.
Your message
;p=avnet;l=AMER100308211910QX6K85V7. html for details. $Revision: 1.134 $Date: 2002-04-21 16:30:40-07
To: [email deleted]
Subject: Your details
Sent: Thu, 21 Aug 2003 08:10:59 -0700
did not reach the following recipient(s):
[email deleted] on Thu, 21 Aug 2003 12:10:13 -0700
The recipient name is not recognized
The MTS-ID of the original message is: c=us;a=
MSEXCH:IMS:Avnet:AMER:AMER10 0 (000C05A6) Unknown Recipient
Message-ID:
From: cmdrtaco@slashdot.org
To: [email deleted]
Subject: Your details
Date: Thu, 21 Aug 2003 08:10:59 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2656.59)
X-MS-Embedded-Report:
X-Security: MIME headers sanitized on mail.slashdot.org See http://www.impsec.org/email-tools/sanitizer-intro
Content-Type: text/plain; charset="us-ascii"
X-Converted-To-Plain-Text: from multipart/mixed by demime 0.98d
X-Converted-To-Plain-Text: Alternative section used was text/plain
See the attached file for details
Network Associates WebShield SMTP V4.5 MR1a on amer06 detected virus W32/Sobig.f@MM
in attachment details.pif from and it was Deleted and Quarantined.
Just like each copied CD is worth $100 in revenue to the record industry, each infected computer costs $1000 to fix (which, oddly, is more than it would cost to throw out the entire machine!).
And Linux is $700 a throw too.
This week alone our entire department has been thrown around, manually patching EVERY box on the network. That's around 50,000 computers. Today alone I ran across probably 10 Windows NT boxes that were still running THE FIRST SERVICE PACK!
My point is, I do NOT feel sorry in the least when companies like 3M lose millions of dollars because they don't hire a competent IT department. Hell, out of the 20 guys I work with, only myself and two others graduated from a 4 year college. Whatever. For the last four days when full-timers have been bitching at me while I upgrade their PC because their order-tracking software won't work, I just smile and tell them "you get what you pay for. Tell your bosses to hire a competent IT department and you'll never have this problem again." Then I walk away and sigh because I know it'll never happen. Guess paying a contracting firm $40/hr so they can turn around and pay me $13/hr while they get to save themselves from paying benefits is worth the millions of dollars in downtime.
"Hell hath no fury like a woman scorned for SEGA. ..."
I got like 20 of those emails in the past couple days, most of them this morning. I've never really got that many copies of the viruses that have been floating around.
autopr0n is like, down and stuff.
Your message
;p=GMD;o=Lima;dda:SMTP=cmdrtaco@slashdot.org; on Thu, 21 Aug 2003 ;p=gmd;l=GMDPRBDEX010308211852Q06WV7RQ. html for details. $Revision: 1.134 $Date: 2002-04-21 16:30:40-07
. pif.txt]
To: cmdrtaco@slashdot.org
Subject: Re: Wicked screensaver
Sent: Thu, 21 Aug 2003 08:51:59 -0500
did not reach the following recipient(s):
c=PE;a=
13:52:47 -0500
The recipient name is not recognized
The MTS-ID of the original message is: c=pe;a=
MSEXCH:IMS:GMD:Lima:GMDPRBDEX01 0 (000C05A6) Unknown Recipient
From: cmdrtaco@slashdot.org
To: cmdrtaco@slashdot.org
Subject: Re: Wicked screensaver
Date: Thu, 21 Aug 2003 08:51:59 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
X-Security: MIME headers sanitized on mail.slashdot.org See http://www.impsec.org/email-tools/sanitizer-intro
Content-Type: text/plain; charset="us-ascii"
X-Converted-To-Plain-Text: from multipart/mixed by demime 0.98d
X-Converted-To-Plain-Text: Alternative section used was text/plain
See the attached file for details
[demime 0.98d removed an attachment of type application/octet-stream which had a name of alert_OA951_1061491967_GMDPRBDEX01_3#document_all
1 million dollars per employee? Where are you working at, 'cause I sure wanna get in on this cash cow ;)
And so we go, on with our lives
We know the truth, but prefer lies
Lies are simple, simple is bliss
With the MSBlast worm running rampant right next to the recent re-release of the SoBig virus, it's hard not to be involved in the removal and sanitization of a computer system, especially for the majority of /. readers and participants.
Face it, most of us are in a technical position of some sort, and are looked upon for assistance because of the knowledge we possess.
My question is this: Who pays for our time? Is YOUR company expected to "eat" the costs of paying you for your time to sanitize their network from this malicious traversing code? Should it be the company's fault for utilizing software so prone to public vulnerabilities? Should the creators of the vulnerable software be held liable and accountable for their obvious flaws? Of course, tracking down the creators of the viruses is left up to the law enforcement officials and the persons charged with solving crimes. But, the viruses would not have existed if the vulnerabilities did not exist and were not exploited accordingly.
I understand that the Glock company cannot be held accountable if some person used their weapon to terminate somebody's life. However, in the act of homicide, there is a definitive exchange of decisions. In the case of the virus, the infected party neither intended to receive the virus, nor wanted the problems associated.
Hmm... Nowhere does the article say that only Windows machines are infected by and propagate the worm.
The SoBig worm is the latest in an outbreak that began 10 days ago with the so-called "Blaster" or "LovSan" worm which, by some estimates, infected more than 500,000 computers running the latest version of Microsoft Windows, the world's dominant operating system.
That's the only place Windows is mentioned, with regards only to Blaster.
xox,
Dead Nancy
Wal-Mart doesn't sell ham radios, you insensitive clod.
*sigh*. Nobody pays helpdesk people 74k in the US unless they have money to burn. If they do, let me know where; I'll stop coding and start working helpdesk. All you need is a level 1 helpdesk "dude" who makes about $10 an hour running around with a disk and the fix on it. Never mind if you applied the patch over a network. I have a mixed environment at work of Macs and PC's (and work on both) and the Macs are no less crash prone than the PC's.
The only advantage to a Mac is you don't have to worry about viruses for it because its market share is so small that no virus writer would bother writing one. It makes more sense to hire a network admin who is halfway decent, updates virus protection etc. than to change over to Mac. Not to mention the costs involved with retraining people to use a Mac.
If everyone followed your plan and switched over, do you really think that you wouldn't see more viruses and worms on the mac? I think mac users are a bit naive to assume they don't get worms/viruses because "mac is better". It's because virus writers for the most part don't know and don't care about mac.
If a virus is from known spoofing virus then the autoreply to the sender is NOT sent. Now if everyone had a decent virus scanner at their server...
The scariest part is that CSX is using windows to run the trains.
What if the viruses do what you do? The viruses will just zip up their files and send them along, except now it will have more of an impact upon newbie users. All the (decently) smart newbie users have been told not to open .exe files, then suddenly, they'll see a .zip file and think "Doh, well that's not harmful" and they'll go open up the zip file and open up a can of worms.
Absolutely no sign of ANY of the MS viruses in the past few weeks.
AND, did I mention, I'm on the LARGEST (300,000+)windows network/domain in the world ?
don't know how they did it.
Reading the review of sobig.f, it doesn't match what i'm seeing right now in my inbox...
Subject: I Love You ^_^ I sent you a beautiful Love Card
application/x-msdownload attachment (BlueMountaineCard.pif)
The greatest costs of this virus are most likely not incurred by IT departments, but by the tens of millions of non-technical workers who have to take the time out of their work day to clean their inboxes out.
On the bottom of the /. screen is this quote from the day:
"A few hours grace before the madness begins again. "
How very very true...
So rise up, all ye lost ones, as one, we'll claw the clouds.
With a reference to So Big, worst to come and windows, all in one article, I was sure that it was referring to the previous article about Longhorn :)
First Falcon-1 to orbit, then Falcon-9. Then I can die a happy man.
Sux don't it!
No, they'll patch their server and leave the relay open. We're talking about morons here.
Religion is the opium of the people. Evolution is the opium of scientists.
2003 is the Year of the Sheep.
;)
Sheep, for all those people still running windows
*ducks*
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
So why don't you ban M$ computers? Surely, you have better things to do with your time and school money than support Microsoft's broken shit. With the kind of time and resources you have, you could have every one of those computers running Debian in a week. Yes, I imagine one person can sit over 3 or 4 hand installs an hour, just like I can. Practice makes perfect and you are sure to get better than that. Oh well, good luck.
Friends don't help friends install M$ junk.
Actually, you would think that after all the trouble people keep having with Microsoft shit, that people would dump Microsoft. Wall Street did and others are too. We can only hope that upper management everywhere gets the message: M$ is broke and it is not getting better.
Friends don't help friends install M$ junk.
Here is a compelling argument for diversity of systems. The impact of these viruses would be much less by the simple fact of people using different operating systems. Never mind issues of which has better security; just the fact that there are a variety of systems in use.
I see the situation as rather similar to a population relying on one type of potato to feed the whole population. Get a bug in the tattie and the whole of Ireland starves...
How about mandating that critical systems (such as Nuclear Power alarm systems) have back-ups on completely separate platforms?
-- Free software on every PC on every desk
Of course, why would anyone do that. It would require cross-platform server abilities, no CALs, and MS to "push" the security updates rather than leaving users and admins wasting time hunting for them. It would reduce MS POWER & CONTROL, what Bill's buying with his $$$. MS won't release such a monster for FREE to clean up THEIR mess, and the OSS people could care less because it makes MS look even worse--why help them out!
Actually, I don't understand this statement. From what I know, the SoBig virus has its own SMTP code (multi-threaded) and sends the emails directly. How is it using bandwidth on any open relays if this is the case?
The fact that the infected PC sends the emails is how we tracked down some of them in other parts of our overall network.
radio:/usr/exim/exiscan/virusmails# ls -l | grep Aug | wc -l
5853
When can I get some sleep?
I've identified one of the computers that has been sending me the virus.
I think they still owe me money for a programming job I did a couple years ago.
After having gone around to all of our Windows machines, installing latest service packs, IE, hotfixes, Spybot S&D, etc., the rotten sodding buggers at Microsoft release an IE hotfix yesterday. Now I got to do it all over again! Bastards!!
I propose we bill Microsoft for our time wasted screwing around with their crappy software. Would make us rich and them totally broke.
The highest company costs for me is the time it takes explaining to people who are getting "undeliverable message - may be infected..." that no, they are not infected, the virus forges the email address. Then there are other companies that are too stupid to look at the header info of the messages and yell at me for infecting their systems when mine are all patched and virus free.
---
Lousy rotten karmic retribution.
It's a virus, still. Notice how they misspelled Mountain (there's no ending "e" in the word mountain) The real company wouldn't have done that.
I've already had to help a few people remove SoBig from their systems and found that SARC has a removal tool that cleans up SoBig quickly and effortlessly by: 1. Terminating the W32.Sobig.F@mm viral processes. 2. Deleting the W32.Sobig.F@mm files. 3. Deleting the dropped files. 4. Deleting the registry values that the worm added. For those who need it it can be found at http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html
I put together a new computer last night and between the time I installed Outlook, imported my old pst files, and did my first email check, I had apparently been infected with SoBig and had gotten 5 replies from mail servers saying they blocked some emails with the virus in it.
I was like, whoa, that was fast
Yeah, real insightful. The best way to fight spam would be to not use email. If spam mail won't get through, how many legitimate emails do you never get? Wasting lots of bandwidth is not the way to fight spam.
It's the bandwidth usage that is the real problem with spam; any OK email client should catch most of the penis extending email anyway.
Interesting...spoof a bunch of e-mails to the postmaster@ address on the open relay, that are also *from* the postmaster@ address, send enough to fill the mailbox, then they would get into an infinite bounce loop of trying to e-mail postmaster@, finding a full mailbox, bouncing back to postmaster@, finding a full mailbox...
According to a Swedish newspaper (I'm sure others run the story as well by now), anti-virus programmers have now finally cracked the 20 IP addresses SoBig will get its updates from this weekend. It's now a race against time to shut those IP addresses down. The IP addresses are located in USA and Canada.
The reason it took this long to get the IP addresses was because they were heavily encrypted in the code and they couldn't do the usual "dump memory" trick when the virus was active, since the IP addresses were only stored in memory just when they were needed, then the memory was freed.
The anti-virus guys at F-Secure don't know what will happen if they don't shut down the 20 addresses in time, only that something might happen if they don't take down all addresses.
Unusually clever actually, since I usually find viruses to be rather poorly coded and much like a hack job, like the Blaster virus, which shouldn't have crashed the Windows computers; it would have gone unnoticed much more efficiently. Anti-virus developers have also noticed this about SoBig, and it is not very exhibitionistic either, like viruses usually are. These signs suggest that it's more professional work than usual.
Beware: In C++, your friends can see your privates!
On a somewhat related note, Microsoft gives out software for use on your own servers to act as a mirror of WindowsUpdate. You can configure the clients to automatically connect to that mirror and download updates from there. Look for Software Update Services on their website.
--
hecubas
Hecubas
In addition to what this article covers, in the next 3 weeks there will be massive influx of freshmen across the country, many who have new computers, never had their machine on the internet before, or were infected and never noticed.
I think the only way this mess will get the general public's attention is if one of these variants includes a partition scribbler or other malware. Clearly few apply patches to either the OS or the virus signatures. They use insecure mail apps and click on attachments.
If you had a million PC's drop off the net one week with destroyed partition tables I would wager the general public might be curious as to why that happens and what they can do to prevent it.
Hedley
In SOVIET RUSSIA You infect the worm!
You sir have exhibited good judgement and stated an logical point of view. This will not be tolerated. Please turn off your computer and kill yourself.
Thanks, and have a nice day!
Unfortunately I've since deleted it (It's an offence to knowingly possess viruses in the UK)
perhaps this is how the new one got launched into the wild???
if anyone's interested, the message reference that it was in is [MPG.19ab40b72e8ed720989682@news.easynews.com] but google doesn't archive those groups. This might help those trying to trace the culprit though. If anyone needs more info, I've archived a copy of the warning I sent out in reply to it.
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
I'm currently being hammered with ICMP echo requests; out of the last 400 packets dropped, 339 of them were echo requests. Surprisingly, over 100 of them had the same sequence number 6193 and another 100 had the sequence number 5937. The majority of requests are from my local ISP network.
Is there any current virus that attempts to find hosts using echo requests before attempting infection?
Frankly, I'm amazed at how many people receive these. While I know a lot of computer illiterate people, and receive on the border of 10 to 15 pieces of spam each day on my ISP email address, I never received a single email containing the "I love You", SoBig or any other virus from people I know or don't. And I'm not a social recluse either, so my email is in a lot of address books. Funny thing is, I have always been wondering why I never received these viruses by email. After all, I'm a pretty easy target. I run Outlook Express and when I started roaming the web 8 years ago, people didn't really mind giving their ISP email address for anything from Amazon.com to Real Media to Microsoft back then, and I didn't mind either. Since then I've been burned by some of these companies, and they must have sold my email address to some penis enlargement company or porn site.
So just to be sure, I have Norton Antivirus fully updated, and it has flagged only one or two pieces of mail in the past month as having a virus in them and while I try to keep up with the recent virus outbreaks, the name didn't ring a bell, so it must have been pretty benign or rare.
So, the question is, what did you people do to get these? I should be the one receiving them, and I never got a single high-profile virus. As for the obvious answer how NOT to receive these, well there is none, since even if you do run Linux, you'll still receive them, even though they won't affect you at all.
I guess just an idea (that seems useful and maybe I'll think about more later) is why not actively hunt virii. There was this big collective effort with SETI a few years back, why couldn't there be some big servers hunting for the cracks on the backbone. Maybe just a group of people, or a coalition to produce a virus in the wild that goes after viruses. Maybe try to infect servers clandestinely with patches if it becomes known that a user is spouting out bad email. Why not actively hunt spammers too? It seems like that was sort of the code of the hackers.. Or at least the myth back in the old days (94-96) when I was keeping track of things more (or at least listening to people rant on usenet about such things as kookery). What are the big time hackers (or is it crackers or some other new term nowadays) doing? Are they being anonymous, or testing the waters before something "big" is put out. Maybe I'm just blowing steam, but considering the power a virus can harness to replicate itself and search for new ports to infect.. It seems that the government/military or rogue hackers/(paramilitary) could make more of a presence on the scene than seems viewable from the public eye. Are virii the only big claim to fame to people who know how to mess with big systems? Couldn't we have avenging angels against spam/virii instead? Well just my 4 cents.
At most places, it's time to pack your bags when things go this way.
Friends don't help friends install M$ junk.
Here is the actual proof.
From excellent karma to terrible karma with a single +5 funny post...
We run a mixed shop... about half of our boxen are linux, and half are winblows. And yet still, we have never had a virus/worm problem unless it was a stupid user that brought a diskette from home that was infected.
We use iptables firewalls. We watch traffic on the outside and in the DMZ with snort. We FORBID the use of Outlook, Outlook Express, and all other similar email clients on our internal machines. We lock down absolutely everything other than those services we have a business need to permit to enter our DMZ.
Maybe we are just very lucky... but I don't think so. I think that company networks that go down with these problems (there have been 2 VERY LARGE corporations near by me with serious issues today), go down just simply because of stupidity. Those that get the virii deserve what they get. It is the law of consequences... if you sleep around, don't blame somebody else if you get an STD.
Even if the world at large would only just take Outlook, and throw it out the window (pun intended), cyberspace would be so much better for it.
Is it really that tough of a decision??????? Unprotected computer use can kill your box.
********
Reality is Relative
i'm a current student at Carnegie Mellon Univ. and about a week before everyone's slated to return, computing services sent out a letter saying that they were scanning the network for this worm and if found were removing machines from the network. If your machine has been removed, you gotta patch it and request it be re-allowed.
it seems like a pretty good way to go about preventing it from spreading, and even non-techies at my school will jump on the patch once they read the part about getting kicked off the net (read: AIM/Kazaa/email)
Also, a .pif is that goofy file Microsoft created so you could give DOS programs running under Windows 3.1 their own environment.
Seems to me that pretty much any .pif file remaining these days is bad and oughta be deleted. Maybe MS will remove .pif support at some point in the future? I mean, who's still running 16-bit DOS apps? and why?
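The two points above (a .pif is executable and has no business arriving by mail, and the earlier worry that the next worm will simply ship its .pif inside a .zip so that "not .exe" looks safe) amount to one filter rule: reject a message if any attachment, or any member of a zip attachment, carries an executable extension. The following is an added example of such a gateway check, not code from the thread or from any product named in it. The extension list is an assumption; the filename details.pif, the Content-Type application/x-msdownload and the subject lines are the ones quoted earlier in the thread, and the sample messages are constructed here.

```python
"""Reject mail carrying executable attachments, including ones wrapped in a .zip.

Added example, not code from the thread. The extension list is assumed;
the sample messages are constructed.
"""
import io
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List

# Extensions Windows will execute on double-click (assumed list, extend as needed).
EXEC_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}
EXEC_MIME_TYPES = {"application/x-msdownload"}
ZIP_MIME_TYPES = {"application/zip", "application/x-zip-compressed"}


def _suspicious_name(name) -> bool:
    """Judge by the final extension only: 'readme.txt.pif' runs as a .pif."""
    name = (name or "").lower()
    return any(name.endswith(ext) for ext in EXEC_EXTENSIONS)


def reasons_to_reject(raw: bytes) -> List[str]:
    """Return a list of reasons; an empty list means the message may pass."""
    msg = message_from_bytes(raw)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        ctype = part.get_content_type()
        if ctype in EXEC_MIME_TYPES:
            reasons.append(f"executable content-type {ctype} ({name})")
        elif _suspicious_name(name):
            reasons.append(f"executable attachment {name}")
        elif (name or "").lower().endswith(".zip") or ctype in ZIP_MIME_TYPES:
            # Look inside the archive: a zipped .pif is still a .pif once opened.
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _suspicious_name(member):
                            reasons.append(f"executable {member} inside {name}")
            except zipfile.BadZipFile:
                reasons.append(f"unreadable zip attachment {name}")
    return reasons


# --- constructed samples -------------------------------------------------
def _mail(subject: str, attachment_name: str, payload: bytes, subtype: str) -> bytes:
    m = MIMEMultipart()
    m["From"] = "cmdrtaco@slashdot.org"        # forged sender, as in the bounces quoted above
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.attach(MIMEText("See the attached file for details"))
    att = MIMEApplication(payload, _subtype=subtype)
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    m.attach(att)
    return m.as_bytes()


def _zip_bytes(inner_name: str, data: bytes = b"MZ fake executable") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


SAMPLES = {
    "pif": _mail("Your details", "details.pif", b"MZ fake executable", "x-msdownload"),
    "zipped": _mail("Re: Wicked screensaver", "wicked_scr.zip", _zip_bytes("wicked_scr.pif"), "zip"),
    "clean": _mail("Re: lunch", "notes.txt", b"just text", "octet-stream"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", reasons_to_reject(raw) or "accept")
```

A filter like this stops the delivery, but it should not generate a "you sent us a virus" reply: with SoBig the From: address is forged, so the reply would land on an innocent third party.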
Either you don't have a real job, or you are Astroturfing. The time wasted is rebuilding a computer that no longer works. You are right about deadlines though, they don't change. That means many people will be spending that much more overtime. This is bad for businesses that actually pay overtime, bad for people who don't get paid for it or have better things to do and bad for everyone with work to do.
Friends don't help friends install M$ junk.
Sobig is not really Microsoft's fault. I mean that if 90% of people used Linux and Mozilla instead of Windows and IE, Sobig would still be a problem. If someone is foolish enough to execute an attached file, that file could still replicate itself, read web caches and address books, and spoof addresses even under Linux. The key problem is that people are opening these attachments. That's just foolish.
300 is nothing. I've received over 3,500! And it's not slowing down at all! It's a damned good thing my ISP runs a virus/spam filter or I'd be up to my eyeballs in this crap.
Boobies never hurt anyone. - Sherry Glaser.
Exactly. There probably are admins who "coulda dunnit" but didn't, but I think there are a lot of us folks out there who can't install the latest patches because of corporate policy (sometimes it's even a good reason). Likewise, I'm not sure I know many (or even any) "IT guy" paid $74k/year to clean up this mess. I know I sure get paid a lot less than that.
Well, I hope that all good CTO's are doing
their jobs and factoring the cost of all this cleaning up into the TCO of their chosen computer system.
- Muggins
The evil side in me says machines like that should all be wiped by the worm on a certain date, and then display a message to the user in every language to secure their damn computers.
Nothing to see here; Move along.
Um, what is this thing you call "vacation"? I keep hearing people talk about going on "vacation" but I've yet to experience this phenomenon.
We can argue until we're blue in the face about responsibility but frankly it doesn't matter. Make anyone vaguely connected (and catchable) responsible and the problem will be solved. Make MS responsible and they'll tighten up their OSes. Make users responsible for sending viruses from their computers and they'll soon put pressure on MS for better OSes and keep their virus checkers up-to-date. Make the PC vendors responsible and I'm sure we'll get improvements too. But as it is we have a situation where nobody is held accountable and that means it's simply never going to be fixed.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
I did the same about my Win2k Pro machine at home...Troll
Everybody dies frustrated and sad and that is beautiful
http://www.f-secure.com/v-descs/sobig_f.shtml "The worm will also attempt to download additional components when certain conditions are met. The condition, in this case, is that the time which is obtained from one the NTP servers (which addresses it has hard-coded inside its code) is Friday or Sunday (regardless of the week) between 19:00 and 22:00 UTC time. The worm will perform this test every hour. When the condition meets, it will attempt to retrieve further information from a predefined list of 20 master hosts. "
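The F-Secure description quoted above gives a precise trigger: the worm asks an NTP server for the time, and only on a Friday or Sunday between 19:00 and 22:00 UTC does it try the 20 master hosts. The following is an added example (not from F-Secure or the thread) that turns that rule into something an admin can act on: a check for whether a given moment falls in the window, and a list of the windows in a date range so outbound blocks can be scheduled. It assumes the window is half-open, [19:00, 22:00), since the description does not say whether 22:00 itself counts, and it takes the weekday in UTC, which is what NTP time gives the worm.

```python
"""When does Sobig.F's download routine fire? Derived from the F-Secure text above.

Added example, not F-Secure code. Assumes a half-open [19:00, 22:00) UTC window.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

FRIDAY, SUNDAY = 4, 6                  # datetime.weekday(): Monday == 0
WINDOW_START, WINDOW_END = 19, 22      # hours, UTC
UTC = timezone.utc


def in_download_window(when: datetime) -> bool:
    """True if the worm's hourly test would pass at `when`.

    Any timezone is accepted; the weekday and hour are taken after converting
    to UTC, because the worm reads NTP time rather than the local clock.
    """
    if when.tzinfo is None:
        raise ValueError("need an aware datetime: the worm uses NTP (UTC) time")
    utc = when.astimezone(UTC)
    return utc.weekday() in (FRIDAY, SUNDAY) and WINDOW_START <= utc.hour < WINDOW_END


def download_windows(start: datetime, end: datetime) -> List[Tuple[datetime, datetime]]:
    """All (open, close) UTC windows that overlap [start, end)."""
    start, end = start.astimezone(UTC), end.astimezone(UTC)
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    windows = []
    while day < end:
        if day.weekday() in (FRIDAY, SUNDAY):
            open_, close = day.replace(hour=WINDOW_START), day.replace(hour=WINDOW_END)
            if close > start and open_ < end:
                windows.append((open_, close))
        day += timedelta(days=1)
    return windows


if __name__ == "__main__":
    # The weekend the thread is worrying about: Fri 22 Aug to Mon 25 Aug 2003.
    weekend = (datetime(2003, 8, 22, tzinfo=UTC), datetime(2003, 8, 25, tzinfo=UTC))
    for open_, close in download_windows(*weekend):
        print(open_.strftime("%a %Y-%m-%d %H:%M"), "to", close.strftime("%H:%M"), "UTC")
```

Because the worm re-tests every hour, an outbound block on the 20 hosts needs to be in place before 19:00 UTC, not at it; and a site in, say, US Central Daylight Time sees the Friday window as 14:00 to 17:00 local.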
Most corporate systems have filtering through subject lines or if they don't the client end sure does. Here are the subject lines you need to filter. A good admin can take care of this in very little time. No need to throw out the baby with the filthy virus infected bathwater.
One of my coworkers "fixed" an infected computer twice. Both times, the network connection was shut back off. I sit down at the computer, find blast and welchia both active (not SoBig, at least), the antivirus definitions a week old, and the RPC vuln. patch installed. I don't understand how you forget steps one and two in removing this thing, but remember to apply the patch...
Linux: The world's best text-adventure game.
Sounds like a hot breakfast cereal.
I have to deal with this with my IBM AS400. It can't run viruses or worms, but all my users store files on it. Thru the wonders of Mapped drives lovely worms still write their naughties to it and it happily accepts them. So you still have to clean it up with something or reinfect the whole shop again.
It would be really cool/horrible if someone could create a true cross-platform bug via tcp/http calls or maybe java, php, or perl that all the big unices have. Not that I'm for the virus writers, but from a purely academic POV it would be cool...but only just once.
What I would be keen to know is how many government "experts" spotted these problems under their suppa duppa shared source programs? It's not like the code is new, hell, looks like most of it comes from Win3.1 or before, so please post (anonymously if you wish) if you personally protected your government from these viruses.
-- Free software on every PC on every desk
Today is the day you should unsubscribe from all mailing lists if you know what is good for you. see attached file for details. I'll give you details you dirty #$%@^!
Meet new people, and kill them.
This is definitely not good at all. My server is being bombarded pretty heavily now, hard to imagine what is to come.
Funny Pics
I have some ideas on how we might be able to track down the source of these things..
* E-mail honey pots
You set up a vast array of e-mail boxes with their addresses well publicized in various forms. You collect data on the virus/worm propagation.
Encourage people to donate old domains to the honey pot project. Publish instructions on remapping the MX record for domains that are no longer used. Direct them to various nodes in the honey pot array.
* Collect information on earliest occurrences of the viruses/worms in order to track the source. Publish a web site which lists the earliest known date/time of the worm propagation to encourage others to beat it with their own submissions. Offer some incentive to whoever provides the evidence that leads to the author.
The thing is, this type of service should not be managed by any company in the virus/worm removal industry. Companies like McAfee and Symantec, while being in the ideal position to collect details, have an inherent conflict of interest due to the fact that the more the viruses/worms spread, the more money they make.
One thing that could really expedite the trapping of the viruses/worms is to get Microsoft to add a specific entry to the address book of all new installations of Outlook. Normally the e-mail wouldn't be used or even visible, but would be accessible to worm programs that seek Outlook's address book for propagation sources. I'm sure there's a way of obfuscating the entry to thwart smarter worms that avoid using the honey pot e-mail entry.
And the amount of virus warning everybody's gotten is enough to reduce the percentage who click on the stupid attachment from 10% to 1% so the thing won't propagate as fast.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
This won't always work, depending on the hardware - sometimes you'll need to use a different disk and type in "LILO".
And if an "Unhappy Mac" icon appears on the screen when you boot, then remove the duct tape and the Knoppix disk, and rebooting will work just fine too.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
My experience with this virus may be abnormal, but I have to completely disagree with that statement. As a dispatch tech for a large state university, I've been up to my eyes in emails related to the virus, but have only found However, the amount of email traffic on campus has been mind-boggling -- it even took down our mail servers a few times. And less than 10% of the emails were from the virus. Most of them were f*cking auto-notification emails from other servers that someone had sent the damn virus, which thanks to the spoofing feature, was almost never true. Why don't server admins turn off such notifications when dealing with a mass-mailer/spoofer virus? All these assorted servers managed to do was clog up our mail server with these meaningless "you have sent us a virus" emails that do nothing but contribute to any damage the virus does!!
IMHO, the REAL cost of dealing with this virus was bearing the burden of 100,000 stupid auto-generated emails that other servers were sending us, in response to emails that didn't even come from us.
Sorry for posting again, but another thought just hit me. When anti-virus programs send their auto-notification junk emails, is there something common to all of them so the servers could filter them out? Like, is there a special flag that is set up?
I'm really kind of new to web servers.
No.
It should read:
You may want to consider installing OpenBSD on your computer to help you avoid this problem in the future.
Damn Linux goons...
That idea isn't politically correct, but it may be the ONLY way to get people to pay attention to the fact that their computer can cause huge amounts of problems if it's neglected.
In some states, if you leave a firearm unlocked and someone steals it and uses it to commit a crime, you can be charged with the crime of "Failure to Secure a Firearm."
For example, Massachusetts General laws Chapter 140-131L requires that firearms MUST be secured in a locked container or equipped with a tamper resistant mechanical lock. Failure to secure a large capacity weapon is a felony with a minimum of one year imprisonment and/or $1000 fine. Failure to secure a non-large capacity firearm is misdemeanor.
Granted, we're not talking about life/death stakes here, but such unprotected systems can cause HUGE damages through denial of service attacks, as well as points of launch for worms and e-mail viruses. The lost time and productivity around the globe usually adds up to a significant amount of $$. That alone should be worth at LEAST a misdemeanor or citation with a fine!
The points above are well taken: I intend on spiffing up my procmail recipes, but only as I am able to understand them.
The enhancements suggested above are simple to implement, but are still crude band aids. While I doubt I would ever *really* want to receive an executable attachment (heck -- most places won't even let me SEND it, let alone receive it), I might want to
(a) log it
(b) bounce a 'hey stoopid' message back to legit senders to tell them that if they need to send me something, it shouldn't be an executable (that's why god made ZIP)
There are some more complex procmail filters out there that specifically target certain worms. Is that more effective? I don't know. I can't understand them yet. I will soon. None of the procmail FAQs and "getting started" docs describe all those messy flags and things. I've got some more reading to do.
Meanwhile, this one lets me get work done other than downloading and deleting SOBIG messages. A few other worms will slip through, but at least it's manageable.
Design for Use, not Construction!
I am, so fuck you. I use the VDM to run old Infocom text adventures, and occasionally WordPerfect 5.
The file isn't really a "PIF", btw -- the file extension is just to fake Windows into running it.
Heh - just wait. If you read a description of Sobig.F, you'll see that all the Sobig variants are capable of running arbitrary code after receiving instructions via UDP. This has most often been used to set up proxy servers on users' machines.
Spam is going to get worse very soon, because this worm was /written/ by spamming criminals and their ethics-free paid crackers.
We do this... as soon as the first packet with the signature of a known worm is transmitted from a computer, the IP that it originated from is blocked at the main router and very shortly after the port of the switch it is plugged into is shut off... it is amazing how fast a user responds when they have ZERO net access...
Here's an idea - just send the open machines MSBlaster, that will make them crash and take them off-line, but isn't that what has been happening anyway?
Oh well, what the hell...
of the type "your message could not be delivered", obviously related to Sobig. Does this mean the guy who signed me up to all those stupid mailing lists got infected, or is this the next stage of the virus? (most send back the attachment, a great way to clog a mailserver).
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
"Software Update Service" it is called.
It does work as advertised, note however that you must do some trickery (regedit) to get it to work on every PC, or use Group Policies or other stuff. (Those things make it less useful for small networks that are not likely to be doing group policies, etc.)
With high bandwidth connections though, I found it easier to just sneak in and make it auto install the updates directly from MS.
But I think Windows users paying for it now should smile when they remember that they saved $200 instead of buying the rock solid Mac with OS X. A small irritation such as SoBig has to be worth the money saved, don't you think?
Hmm, at my work (big bank) 8 people getting paid $25,000/year cover 13 buildings with over 5000 desktops.
Then again, we run virus-protection at the gateways, and the whole LAN is proxied-out, and we can push software updates to the users with ZenWorks instead of running out to machines manually.
If you're paying techs $70K+/year, they should have deployed patches and virus updates WAY before anything broke out. Seriously, I could script up something to do that in 15 minutes, and I work for $19,500/year!
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
Now I'm no Windows guru but all the .pif files I've seen are about 1kB in size. This virus tells Outlook that it's got a 78kB .pif and Outlook thinks that it's cool to run it. Is there no bounds checking at all going on here? SCO isn't the only software company smoking crack.
-- I have a private email server in my basement.
This is where procmail comes to the rescue! Add this rule:
# Ignore W32/Sobig.f@MM
:0 B
* ^vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujH
/dev/null
This matches the worm on a base64 encoded line from its body. This is on the current variant I got flooded with; redirect the suckers to /dev/null. And if you get a NEW strain, just take an encoded body sample from it and make a new rule!
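The procmail recipe above and the earlier comment about wanting to log executable attachments rather than just drop them both come down to the same two checks on a raw message. Here is an added example (not code from either poster) that does both with Python's standard email library: the base64 signature check is the procmail ':0 B' plus '* ^sig' match (signature at the start of a body line), and any other directly executable attachment is logged and quarantined instead of bounced, because the From: address on these messages is spoofed and a bounce only hits an innocent third party. The sample messages, the extension list and the function names are all my own constructions; the signature string is the one quoted in the recipe.

```python
"""Mail-body signature and executable-attachment checks (added example).

Not from the original posts. Reproduces the procmail recipe's match with the
standard 'email' library and adds logging/quarantine of other executable
attachments. All sample messages below are constructed for this example.
"""
import email
import logging
from email import policy

log = logging.getLogger("mailfilter")

# Base64 body line quoted in the procmail recipe above (W32/Sobig.f@MM).
SOBIG_F_BODY_SIG = "vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujH"

# Extensions Windows runs directly; illustrative list, not exhaustive.
EXECUTABLE_EXTS = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs")


def body_has_signature(raw: bytes, sig: str) -> bool:
    """procmail ':0 B' with '* ^sig': does any line after the headers start with sig?"""
    text = raw.replace(b"\r\n", b"\n")
    _headers, _sep, body = text.partition(b"\n\n")   # body = everything after the first blank line
    needle = sig.encode("ascii")
    return any(line.startswith(needle) for line in body.split(b"\n"))


def executable_attachments(raw: bytes) -> list[str]:
    """Names of attachments whose final extension is directly executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the last extension matters: "report.doc.scr" is still a .scr.
        if name.lower().endswith(EXECUTABLE_EXTS):
            found.append(name)
    return found


def classify(raw: bytes) -> str:
    """'discard' for a known worm body, 'quarantine' for any other executable
    attachment (logged, never bounced: the sender address is untrustworthy),
    'deliver' otherwise."""
    if body_has_signature(raw, SOBIG_F_BODY_SIG):
        return "discard"
    names = executable_attachments(raw)
    if names:
        log.warning("quarantined executable attachment(s): %s", ", ".join(names))
        return "quarantine"
    return "deliver"


# Constructed sample: a message carrying the quoted signature line.
SAMPLE_WORM = b"""\
From: someone@example.net
To: you@example.org
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xx"

--xx
Content-Type: text/plain

See the attached file for details.
--xx
Content-Type: application/octet-stream; name="your_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_details.pif"

vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujH
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--xx--
"""

# Constructed sample: no known signature, but a double-extension executable.
SAMPLE_UNKNOWN_EXE = b"""\
From: colleague@example.net
To: you@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="yy"

--yy
Content-Type: text/plain

Please see the report.
--yy
Content-Type: application/octet-stream; name="report.doc.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.doc.scr"

TVqQAAMAAAAEAAAA
--yy--
"""

# Constructed sample: plain text, nothing attached.
SAMPLE_CLEAN = b"""\
From: friend@example.net
To: you@example.org
Subject: lunch?
Content-Type: text/plain

Noon at the usual place?
"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for label, raw in (("worm", SAMPLE_WORM), ("unknown", SAMPLE_UNKNOWN_EXE), ("clean", SAMPLE_CLEAN)):
        print(f"{label}: {classify(raw)}")
```

The signature match is deliberately anchored at the start of a body line, exactly as the recipe's '^' is, so a new strain needs a fresh sample line just as the post says. The quarantine path only logs; it never replies to the sender, which is the behaviour the university admin further up the thread was asking other sites to adopt.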
Microsoft e-mailed me a patch yesterday, and again today. It contained an attachment called patch.exe, and the following message:
Subject: Use this patch immediately!
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
The return address was security@microsoft.com, so I know this patch is safe. I'm so glad Microsoft security is looking out for me!
Switch to Lotus Notes EMail! In addition to bomb-proof security you'll also get an excellent platform for developing web and groupware applications. Domino supports a wide range of industry standards for COM to Java.
Why won't somebody write a virus that runs through Outlook and destroys the entire address book, turns off address learning, and thus eliminates 98% of the spam fired off by the next worm ???
Any OS that allows root (administrator) to be hacked from a visible hash table is security junkware. With Windows XP it is as simple as a script which will trigger esc-p, do not know if anybody has written an effective escape macro yet but like 'fdisk /mbr' it will get out of the bag. Security through obscure secrets is just plain stupid and MS has got to learn this. That is why I refuse to run anything past Win98 or NT4, if it gets trashed who gives a shit. Just reinstall my complete clean backup and run it till the next big Windows scare. I am not going to pay for insecure junkware. I only use Linux for e-mail and I hose and clean my Windows C partition whenever they get covered in bug shit! Symantec and MS can go to hell.
OH THE SHAME I fell off the wagon and use sigs again!
Are you referring to ANSI macro exploits? If so, you should be aware that they affect several UNIX terminal programs as well! See for example this story Getting Hacked Through Your Terminal
I'm not here to apologize for Microsoft's security gaffes, only to warn you that Linux has its own set of security issues. You must keep up with the patches and security fixes on a Linux box just as surely as if you were running a Windows box.
So, let the games begin. How many messages did you receive? I'll double dare you! My personal records stand at :
1.5 per minute for 24 consecutive hours (on Wednesday)
and
1 per second in the last half an hour (!)
Today I'll be leaving for a few days, but I won't dare to power off my computer, since my ISP's emailbox will become flooded in a few hours this way... aargh
(oh, and I use linux, so no, it is not my own fault). My ISP does have a spambox, but they don't delete attachments, so what's the use?
Thanks for the info. I do treat Slackware as a disposable OS install, I guess I have gotten too good at installing and configuring OSs. Come to mention it I once did get an email with an .exe that I was suspicious of so I checked it out in Wine rather than MS. Funny as hell it crashed my X server in Redhat 8! I checked to see if it had done anything else to the kernel but the diff came up clean so that was not the reason. Turned out it just made a funny call to the X server that caused a crash. I use e-mail for just that and nothing else, I know better. Yes I do keep Slackware up with the latest patches, but I do not worry as my inet logs tell me if there is any unusual shit going on. It is sure nice to take a pico at my pinging ports wonderland logs without using X first. That's why I dumped Redhat, I never just boot into X!
Why? Because I wrote a particular piece of open-source software.
See www.ka9q.net/worm for the gory details. There are some interesting plots at the end.
Outlook/OE can't open or save ".doc" files. Does anyone know a decent word-processor that saves files in a format suitable for attaching to email?
And even if you check preferences to say show all file extensions, Windows still hides a couple of executable extensions (for shell scrap objects). You have to delve deep into the registry to say "show all file extensions. Including that one. Yes and that one too."
Y'know, it's smug assholes like you that make me want to pick up a few books on OS X and write a virus for it. Were the whole world running OS X, most people would still be exploited by viruses, as that's the most common denominator. People who have been taught good security practices, on the other hand, will be unaffected, regardless of the platform they're running. My cousin, for example, is a computer novice, but at the same time, has been taught to check for security updates regularly, and more importantly, to treat all links and attachments as suspect and not to view them. If it's not worth creating as a webpage, it's not worth propagating.
Marxism is the opiate of dumbasses
Even with OpenBSD, you are still fcked if every other packet thrown at you by your ISP is an attempted exploit. The attack may not get further but it won't help your connection!!!
See my journal, I write things there
A new patch out from MS? Can we just stick it on? Nope. We need to test in depth, we need to formally do a performance qualification, and we need to document all this to the nth degree: this is medical data, and you can't take chances that a patch might affect it.
Result? You don't rush out and patch stuff.
After this a lot of sites will just start blocking all external email including any attachment.
Many will start blocking MIME encoded emails.
It's a lot simpler than dealing with each new email problem as it arises.
How about that?
Sorry about mucking up the thread with a correction, but I didn't want to give undue credit
Speak for yourself.
I know there's more than computers, but it strikes me odd that the boss of a company actually opens attachments that are not safe and then fires the IT staff? Then again in the beginning there was this IT-staff briefing for all employees telling them about pros and cons of attachments and which are safe and which not ... no idea. So the boss has competence to hire and fire but has to trust the guy he hires for his computer-protection ... something/weird.
I wonder how much more damage it will bring to any major national economy, like the US one, until a government will bring Microsoft to court for a class action?
Let's face it. In many countries half of the cigarette pack face is taken up by the warning about a potential death from smoking. Where is such a warning on the face of every Microsoft product box warning that the use of any Microsoft products may bring the whole economy down?
Less is more !
...This is Slashdot, nobody RTFAs so no advertising. ;)
http://tinyurl.com/ku3u
August 22, 2003 07:38 AM US Eastern Timezone
A Potentially Massive Internet Attack Starts Today; Sobig.F Downloads and Executes a Mysterious Program on Friday at 19:00 UTC
SAN JOSE, Calif.--(BUSINESS WIRE)--Aug. 22, 2003--F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today.
Windows e-mail worm Sobig.F, which is currently the most widespread worm in the world, has created massive e-mail outages globally since it was found on Tuesday the 18th of August -- four days ago. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. Total amount of infected e-mails seen in the Internet since this attack started is close to 100 million.
However, the Sobig.F worm has a surprise attack in its sleeve. All the infected computers are entering a second phase today, on Friday the 22nd of August, 2003. These computers are using atom clocks to synchronize the activation to start exactly at the same time around the world: at 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).
At this moment, the worm starts to connect to machines found from an encrypted list hidden in the virus body. The list contains the address of 20 computers located in USA, Canada and South Korea.
"These 20 machines seem to be typical home PCs, connected to the Internet with always-on DSL connections," says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "Most likely the party behind Sobig.F has broken into these computers and they are now being misused to be part of this attack."
The worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a web address. Infected machines download a program from this address -- and run it. At this moment it is completely unknown what this mystery program will do.
F-Secure has been able to break into this system and crack the encryption, but currently the web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyse it and come up with countermeasures," says Hypponen. "So apparently their plan is to change the web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."
Right now, nobody knows what this program does. It could do damage, like deleting files or unleash network attacks. Earlier versions of Sobig have executed similar but simpler routines. With Sobig.E, the worm downloaded a program which removed the virus itself (to hide its tracks), and then started to steal users network and web passwords. After this the worm installed a hidden email proxy, which has been used by various spammers to send their bulk commercial emails through these machines without the owners of the computers knowing anything about it. Sobig.F might do something similar -- but we won't know until 19:00 UTC today.
"As soon as we were able to crack the encryption used by the worm to hide the list of the 20 machines, we've been trying to close them down," explains Mikko Hypponen. F-Secure has been working with officials, authorities and various CERT organizations to disconnect these machines from the Internet. "Unfortunately, the writers of this virus have been waiting for this move too." These 20 machines are chosen from the networks of different operators, making it quite likely that there won't be enough time to take them all down by 19:00 UTC. Even if just one stays up, it will be enough for the worm.
The advanced techniques used by the worm make it quite obvious it's not written by a typical teenage virus writer. The fact that previous Sobig variants were used by spammers on a large scale adds an element of financial gain. Who's behind all this? "Looks like organized crime to me," comments Mikko Hypponen.
F-Secure is monitoring the
Now I gotta go home.
But thanks. That was fucking hilarious!
McAfee has a great tool for their AV. I set one PC [any PC with McAfee AV!] to "mirror" the files to a location daily, then point the updaters on the rest of the PCs to that location and they get what they need. Nice and simple--but no McAfee control over my shoulder every time!
The worst is yet to come. I work at a college and next week is when all professors will return back for the fall semester. Not only do we at computer services have to worry about (more) staff getting infected with the sobig virus, but we also have to worry about the older virii that have been waiting for them on our mail server for the past few months.
Nice flame, dipshit. I've got a BA and a BS I can show you, but I'd rather fold them into sharp corners and ... well, you know. I also know that trolls like you generally recommend restrictions on student computing. Well, when you are not filling up the world with useless Israeli/Palestinian posts.
College. Students. They don't give a fuck about Linux. Why is it so hard for you to understand that some people like Windows?
People who don't care generally can't tell the difference between Windoze and KDE. Very few people actually like Microsoft. Most people put up with it because that's what their PC came with. Anyone who's used free software for any length of time knows windoze blows.
Friends don't help friends install M$ junk.