Slashdot Mirror
SoBig: Worst is Yet to Come
bl8n8r writes "Experts say when vacationers get back to work
Monday, Inboxes will unleash the worms worst attacks.
Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems.
"
They named a virus after my penis.
If the majority of the cost comes from cleaning the system, I would recommend (in my professional opinion) simply letting the systems remain infected.
lysergically yours
IAALS.
It's an open source business model!
1: Write free software.
2: ?
3: Get inbox filled with worms and viruses.
4: Profit!
This article claims that time wasted will cost businesses tens on millions of dollars. It seems to me that no matter how much spam/virus flooding/crap you get in your inbox, you only do so much work everyday. If you take five extra minutes to clean out your inbox, that's five minutes less of surfing slashdot or screwing around. Deadlines don't change for viruses-- people still have to work as much real work as ever.
isn't the lesson here that people shouldn't go on vacation?
Arnie for Governor, Actors Speak Louder Than Words
2 worms (DCOM and Welchia) and a virus variant in less than two weeks.
This should tell investors that they are wasting their money.
This should tell companies that they are wasting their money.
Someone, somewhere, will hopefully get a clue.
Wait till infected laptops & workstations start moving back into the dorms!
Our computers aren't getting infected: between virus scan, ZoneAlarm, ancient e-mail client and knowing not to open the stupid attachments, we've not gotten infected.
.procmailrc file, put :0 B /dev/null
But >1000 100K e-mails per day to a single address were swamping our ability to do anything but download and delete.
It took two days of querying tech support at my ISP before they'd admit that procmail would work, and a quickie recipe dumps all the infected files. Yay. I should have just done it without checking tech support, for all they helped.
This was listed in a previous thread, but it's worth repeating:
In a
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr)"
This deletes any message with a pif, exe or scr attachment.
I'll get more sophisticated later once I learn more about procmail, but for now, this does the job, without having to worry about SHELL and PATH settings.
Design for Use, not Construction!
So far this week, I've received only seven actual copies of W32/Sobig. However, the number of messages from mailer-daemons and mail server virus scanners has exceeded this by a factor of ten. Some of these rejection messages actually include a copy of the infected .PIF file.
You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field. I didn't send it, my Mac is not infected. You're just annoying me. Please go away.
At best, this is collateral damage. At worst, these rejection messages are actually advertising the IP addresses of infected systems. Should a virus drop a back door payload, this would multiply the damage.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Don't complain.
With SoMany.IT.Workers unemployed, SoBig.And.ItsVariants have a strangely positive side effect...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Normally we don't block emails with specific attachments at our post office because it takes too long to scan them. Our company of 100 people averages 14,000 legit email per day in and out, but with this outbreak as bad as it is (and not peaked yet!) the blocking is being instated tonight.
While musing with a programmer here who just moved her daughter into college, we brought up an interesting thought: Hundreds of thousands of college kids are moving back into dorms with huge fat pipes and Outlook style email clients on computers that haven't been patched since April or May. Yikes!
-Shadow
...for two reasons: IT staff will have had just that many more days to upgrade safety systems, and there are actually fewer people on vacation (at least here in the US) this week of the year than last week. So, the worst is likely behind us...not that the coming weeks will be a picnic.
Okay... so it costs time and money to clean these random virus outbreaks from Windows machines. So did the last big virus problem before this, and the one before it, and so on.
Maybe I'm missing something here, but why do businesses and consumers put up with this stuff?
this is my sig
I can't say that I don't give a fuck. I've just run out of fuck to give.
Design for Use, not Construction!
did a statistically significant portion of the workforce on vacation this week?
that seems like a pretty weak overall premise for an expected resurgence.
now if he said that he expects a steady stream of continued activity into early next month, due to all the people who take vacations throughout august - he might have a point.
but to suggest that these 'vacationers' will unleash the same spam deluge monday that the rest of the unwashed have given us this past week, is a bit shaky.
// "Can't clowns and pirates just -try- to get along?"
You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field.
The situation is even worse than that: Most (all?) of the virus scanners sending me autoreplies correctly identified the virus as being Sobig -- which always uses spoofed source addresses.
Sending autoreplies is sometimes useful, but these scanners should at very least have a table which tells them, for each virus, whether an autoreply should be sent (ie, a table which specifies if a virus uses spoofed source addresses).
Tarsnap: Online backups for the truly paranoid
String the last two 'default' headlines together and whaddaya get?
"New Longhorn Screenshots Leaked. Sobig. Worst Is Yet To Come."
Yep. That just about says it all!
This will be used by countless FUDmasters to con Joe Sixpack into things like:
Accepting DRM/TPCA (otherwise unsigned code can run)
Outlawing P2P
Port filtering by ISPs
Accepting blind AutoUpdates
[US]Cheering on the Patriot Act[/US]
'outlawing' Spam
All in the name of 'security'. Insert obligatory Franklin quote: Those who would trade freedom for security will lose both, and deserve neither.
I want to delete my account but Slashdot doesn't allow it.
Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems rather than the destruction of files or the opening of files to outsiders on the Internet, which can be problems with many computer viruses. Pescatore said that the cost of both technical support personnel and lost productivity by the computers' users can range from $500 to $1,000 per infected machine.
...
And who is Marc Sunner? he's the CTO of MessageLabs. And what does MessageLabs do, you ask? see for yourself, from the main page at messagelabs.com:
Email security today is a global issue which pervades whole organizations. Viruses, spam, pornographic material and other harmful or unwanted content represent a serious risk to your company. To combat these all too real threats, you need a total, proven and effective solution. Only MessageLabs can assure you of complete peace of mind from complete email security
$500 to $1000 to clean up each infected machine? Right, whatever Marc. And it's obvious you don't have *any* interest in propagating that baloney too. (on second thought, if you hire me to clean your machines, I'll do 5% discount off that price).
Another fine impartial article reposted by Slashdot. (By the way, the word you're looking for is "advertising")
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
According to the article, since SoBig is much more successful against servers that do not have very good spam filters, the excessive SoBig traffic has prevented a lot of spam from being sent since it's eating up the bandwidth usually used by spammers. I'll have to admit that while I've had a LOT of SoBig spam, I have seen a decrease in other spam over the past few days.
So is that the solution to spam? Maybe someone should write a worm that always has the same payload so it can be easily filtered. We never have to see the fake spam messages, the real spammers won't be able to send harder-to-filter messages, and the server owners of those loose servers will have an incentive to clean up their act with the worm eating up all of their bandwidth.
Actually, extending this, maybe the way to fight open machines is to cause the open machines to send themselves excessive traffic, rendering them fairly useless until their operators fix them, but not negatively impacting the rest of the net.
paintball
"Pescatore said that the cost of both technical support personnel and lost productivity by the computers' users can range from $500 to $1,000 per infected machine."
:)
How much does Windows cost?
I know it's not really Microsoft's fault, since they had a patch and it's not their fault that people try to get email and stuff... But my users are rather annoyed. We all run Macs and either Mac OS X or FreeBSD servers so we're not vulnerable to this virus, but it's getting annoying just deleting the things. I can't imagine having to worry about getting infected on top of having to run Windows
We got almost all of ours (150 to 5 addresses) from one local government office. I emailed them when we narrowed down what machine they were coming from and the flow has stopped. We didn't get a Thank You or anything, but maybe our little government office doesn't want to publicly admit to running insecure systems.
I wonder if this $500 - $1000 per computer will be in the budget next year.
What I find discouraging is that the lemmings are falling for it despite this being The Week of Teh Worm.
All the hopeful articles that have sited users claiming a new awareness of the risk of worms and virii seem to be pipe dreams.
Dumb users are dumb users and the more infectuous and persistant the virus, the more networks are going to get hammered. Why oh why aren't all pif, scr, exe, com, and vbs attachments just blocked by the MDA. There is no good reason for allowing an end user the huge complexity of choosing whether or not to click on the latest attachment that's come to them from "the internet".
If the lemmings are getting suckered this week... when every news medium is blathering on about viruses worming their way through nuclear reactors and motor vehicle registration offices, what hope is there for when the attention has settled?
So the "SoBig" worm is going to keep me from getting my penis enlarger product? Ironic that it would be called "SoBig"...
plus maybe 30 automated msgs saying _I'd_ sent out such nastiness/bloat.
Yeah, I've seen this too. And I *know* I'm not infected. I'm trying to figure out if the worm is making emails it sends look like bounced messages, or if it is spoofing my email address. Actually, I'd like to see some better research (or reporting) done on this. Initial reports I read made it sound like it would only spoof 'well-known' domain names such as ibm.com or microsoft.com. I have seen it coming from friends of mine (who may or may not have been infected), as well as places like halliburton.com. I've seen the 'Wicked Screensaver' variation more than anything else.
Maybe partying will help...
Actually, the thing that bugs me most about most of the automatically generated virus warnings that I'm seeing is that they almost never provide info on the originating IP address. If I at least have that, I can try to warn people if I recognize a particular address...
The idea is courtesy from the macosx forum
We haven't seen the virus. But then again, we're admins who know what we're doing...
That's right, we run $CO UnixWare. And since there are only 2 or 3 other copies of $CO UnixWare being used in the world, we don't have to worry about worms and viruses.
Karma: The shiznight, mostly because I am the Drizzle.
ln -s /bin/clue /dev/null
.sig
Aren't you lucky. Here's what our email server cought since Monday:
237 W32/Yaha-E
235 W32/Klez-H
009 W32/Sircam-A
004 W32/Bugbear-B
003 Dial/PecDial-B
002 W32/Yaha-K
002 Troj/Peido-B
001 W32/Sobig-F
001 W32/Klez-E
001 W32/Bugbear-Dam
Only one Sobig so far... But Klez and Yaha numbers have been high for months. Too many of our users have front-facing email addresses (posted on our corporate website).
Looks like in addition to all the garbage we've been getting as a result of this virus propagating (the virus itself, attachment-free e-mailings by the virus, mis-directed automated notifications that "Your mail server sent us a virus", bounces to people whose addresses were spoofed by the virus, probably etc.), we can expect the infected computers to start being used as relays for the sending of "normal" spam -- with the corresponding spike in spam volume that would bring.
According to this article:
And Symantec:
My ping times to www.mit.edu (my personal benchmark, as its on the next POP over and always up) are normally 25ms from home, they grew slowly from about 30 ms Monday morning to as high as 2600 ms yesterday with 2/3 packet drop. But today and especially in the last few hours it's fallen back to about 29 ms with 1/3 packet drop.
;)
There are still occasional storms, I guess as a new host gets infected nearby. But things are good compared to the last two days when I couldn't even listen to internet radio and plain old web browsing and e-mail were slow...
BTW I haven't seen any of the e-mails myself do to our spam filter but I have gotten some returned e-mail the virus sent and a non-tech friend who got this one and another friend (who's very non-tech) got last weeks virus. I usually don't personally know the people who get these things, it has been a good week for discussing an OS upgrade to Linux with non-techies
More annoying than the worm are all the "You are infected" warnings coming from clueless virus software. They make it through the spam filters.
I turned off Sender Notifications for virus stripping ages ago because these things spoof that reply-to. Now I am starting to block domains whose notification messages are clobbering my server. These notification messages are coming in by the thousands and only further confuse the issue. They also annoy my users who aren't at fault in the first place.
To: All Georgia Tech Students
.
The Office of Information Technology (OIT) has detected the following worms and viruses proliferating on the Georgia Tech campus network:
-MS Blaster worm
-DCOM (Nachi) worm
-W32/Sobig-F virus
Successful worm and virus outbreaks impair networks by blocking access or increasing the time it takes to transfer data across a network connection. It is imperative that everyone on campus take appropriate actions to secure their systems from current and future outbreaks.
Overall Risk to Georgia Tech
Infected systems must be cleaned to contain the worm or virus and prevent further proliferation. The time it takes to clean infected systems causes lost productivity throughout the campus community. If an outbreak is not contained, some network services will become unavailable due to "denial of service" events.
Any desktop and server computers with Windows (2000, NT 4.0, XP, and Server 2003) that connect to the Georgia Tech campus network and have not been patched are vulnerable to the MS Blaster and DCOM/Nachi worms. The Sobig-F virus can infect any Windows system (95, 98, NT 4.0, Me, 2000, and XP) via email attachment or Windows file sharing. These worms and the virus do not infect Macintosh computers.
Actions Taken by OIT
OIT has taken these steps to contain the current outbreaks:
-Blocked the ports vulnerable to these worms at the campus network border.
-Notified the technical support community on what to do regarding these worms.
-Temporarily blocked the ports vulnerable to these worms at the ResNet and EastNet routers to prevent un-patched systems of arriving students from damaging the rest of the campus. The effect of this will be that certain services such as file sharing will not be possible from within Resnet/EastNet to the rest of campus. These changes will not prevent access to mail, internet or other campus services.
We are currently working very closely with the ResNet manager to repair ResNet's infected student machines. You can help us by following these actions immediately:
Actions for Students to Take
If your system is currently infected, you must make sure it gets disinfected.
Get assistance from one of the technical support staff members, obtain the fix CD from your RTA, or download the appropriate software tools from the web.
To remove the Blaster worm, obtain the Stinger tool:
http://vil.nai.com/vil/averttools.asp#sting er
Immediately update your computer's security software.
All computers that use the Georgia Tech network should have up-to-date anti-virus and personal firewall software installed. To protect your system from future worms and viruses:
-Download and configure anti-virus (VirusScan) and personal firewall (ZoneAlarm) software from the OIT software distribution web page (http://www.oit.gatech.edu/software/ ).
-Do not open any email attachments from senders you do not recognize.
-Since some viruses and worms send infected messages that appear to come from email addresses that may be known to you, care should be taken before opening attachments that you are not expecting. More information and guidelines can be found at http://www.security.gatech.edu/
If you are running Windows and have not installed the current patches, please go to the Microsoft website and download the Blaster worm security patch.
WinXP:
http://www.microsoft.com/downloads/detai ls.aspx?Fa milyID=2354406c-c5b6-44ac-9532-3de40f69c074&displa ylang=en
Win2000:
http://www.microsoft.com/downloads/det ails.aspx?Fa milyID=c8b8a846-f541-4c15-8c9f-220354449117&displa ylang=en
Win2003:
http://www.microsoft.com/downloads/det ails.aspx?Fa milyID=f8e0ff3a-9f4c-4061-9009-3a212458e92e&displa ylang=en
If you need assistance from the ResNet technical staff:
ResNet site (http://www.res
http://almostsmart.com
Also keep in mind that refilling the washer fluid in your car will not prevent you from getting a flat tire.
Just this morning I changed a flat tire on a car that had a full tank of washer fluid and discovered this.
Honestly why would a user run a PIF attachment anyways? Would you use unknown medication? Why would you run unknown attachments? Simple solution: Server.CreateFilter(attachments, PIF)
-=[ Who Is John Galt? ]=-
Applying the patch will also not prevent you from spewing Dr. Pepper all over your laptop keyboard. I have just discovered this.
who are those slashdot people? they swept over like Mongol-Tartars.
SO why wasn't getting a properly managed virus scanning client on every workstation part of your departments 'MSBlaster Clean-sweep'? Why are reports on windows worms still getting on the front page... its a waste of our time. We all know windows is continually going to have vulnerabilities to atack by malicious hackers/script kiddies and virii. We all also know that following best practice as an administrator will turn the possibility of attack into a moot point. So Jucius, was the failure to prepare your machines for the next round of attack your fault or the short-sightedness of your manager?
Fnord.sig
If you're a company and it's going to cost you the money to clean worms, get a mail scanner. We haven't been infected with a single email worm for as long as I've been here at the company. (2 years) and we have 1400 users. I think a kink in the budget for scanmail once was a kickass investment in that we have been immune to every single worm (we actually patched everyone in time for the d-com worm as well, so we didn't get that one) If you're going to use windows, get a mail scanner, and deploy your patches via Group Policy before you hear about the exploits. And no, we don't have windows automatic updates enabled either, that's definately not the answer to anyone's problems, at least not in the corporate world. It may be good for people at home, unless they have dialup, then they're f'd, and shouldn't be trusting their computers to microsoft software. May I suggest a preventative approach: NTBUGTRAQ.com has a nice mailing list that seems to keep at least a few days ahead of the exploits. Russ Cooper has saved us more than once.
Speak for yourself.
You don't need to wonder -- just read the news:
It's long overdue for law enforcement to prosecute spammers for cracking (evasion of antispam filters, relay-raping, disseminating viruses to create zombie spamboxes, etc). Many of the people that do get prosecuted for cracking do less damage and target fewer victims (by several orders of magnitude) than the typical spammer./. If the government wants us to respect the law, it should set a better example.
I had a user that called me because he actually got a copy of SoBig in his inbox. Usually our mail scanners are really good at filtering out even the newest viruses. What I didn't realize is that our AutoUpdate had failed that day, so it didn't have the SoBig update. So I asked him, "Well how the heck did you get SoBig?" and he answered, "From eating so many sandwiches."
Would it be a good idea to have consumer pc boxes equipped with cheap builtin hardware firewall/nat?
It could, of course, be turned off by corporate IT folk who don't want to have it, or by the intrepid home user who knows what they are doing, but for the unwashed masses, would just 'be there'.
Anyway, would this provide any actual protection? And could it pass the UI test for the standard user?
Laugh while you can, monkey-boy!
The thing I like the most in those "worm reports" it's they say everytime that the worm spread throught mail, but never cite that there is only one email client that allow that kind of stuff and that there are alternatives.
Why can't someone come with something inteligent and say "the worm uses Microsoft's Outlook to spread itself"?
I've got 693 SoBig spams to my obfuscated address: 'web-slashdot@NOSPAM.rangat.org' (I've since updated my DNS to serve an MX for nospam.rangat.org to 127.0.0.1, but it hasn't propagated yet. ) Almost all were from one IP: "Received: from cs24174102-171.houston.rr.com (HELO MARK-TRQBH52QXQ) (24.174.102.171) by bluesky.thille.org with SMTP; 21 Aug 2003 19:59:41 -0000"
Not sure if he's a spammer that got infected, but the 'from' addresses are coming from a huge number of unique and seemingly 'real' addresses.
I finally just setup my mail server to drop connections from that IP.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Linux during a virus epidemic, it's like being out of the country during the blackout.
This week alone our entire department has been thrown around, manually patching EVERY box on the network. That's around 50,000 computers. Today alone I ran across probably 10 Windows NT boxes that were still running THE FIRST SERVICE PACK!
My point is, I do NOT feel sorry in the least when companies like 3M lose millions of dollars because they don't hire a competent IT department. Hell, out of the 20 guys I work with, only myself and two others graduated from a 4 year college. Whatever. For the last four days when full-timers have been bitching at me while I upgrade their PC because their order-tracking software won't work, I just smile and tell them "you get what you pay for. Tell your bosses to hire a competent IT department and you'll never have this problem again." Then I walk away and sigh because I know it'll never happen. Guess paying a contracting firm $40/hr so they can turn around and pay me $13/hr while they get to save themselves from paying benefits is worth the millions of dollars in downtime.
"Hell hath no fury like a woman scorned for SEGA. ..."
1 million dollars per employee? Where are you working at, 'cause I sure wanna get in on this cash cow ;)
And so we go, on with our lives
We know the truth, but prefer lies
Lies are simple, simple is bliss
With the MSBlast worm running rampant right next to the recent re-release of the SoBig virus, it's hard not to be involved in the removal and sanitization of a computer system, especially for the majority of /. readers and participants.
Face it, most of us are in a technical position of some sort, and are looked upon for assistance because of the knowledge we possess.
My question is this: Who pays for our time? Is YOUR company expected to "eat" the costs of paying you for your time to sanitize their network from this malicious traversing code? Should it be the company's fault for utilizing software so prone to public vulnerabilities? Should the creators of the vulnerable software be held liable and accountable for their obvious flaws? Of course, tracking down the creators of the viruses is left up to the law enforcement officials and the persons charged with solving crimes. But, the viruses would not have existed if the vulnerabilities did not exist and were not exploited accordingly.
I understand that the Glock company cannot be held accountable if some person used their weapon to terminate somebody's life. However, in the act of homicide, there is a definitive exchange of decisions. In the case of the virus, the infected party neither intended to receive the virus, nor wanted the problems associated.
Hmm... Nowhere does the article say the only Windows machines are infeccted by and propagate the worm.
The SoBig worm is the latest in an outbreak that began 10 days ago with the so-called "Blaster" or "LovSan" worm which, by some estimates, infected more than 500,000 computers running the latest version of Microsoft Windows, the world's dominant operating system.
That's the only place Windows is mentioned, with regards only to Blaster.
xox,
Dead Nancy
*sigh*. Nobody pays helpdesk people 74k in the US unless they have money to burn. If they do, let me know where I'll stop coding and start working helpdesk. All you need is a level 1 heldesk "dude" who makes about $10 an hour running around with a disk and the fix on it. Never mind if you applied the patch over a network. I have a mixed environment at work of Macs and PC's (and work on both) and the macs are no less crash prone than the PC's.
The only advantage to a mac is you don't have to worry about viruses for it because it's market share is so small no virus writer would be bothered with writing one. It makes more sense to hire a network admin who is halfway decent, updates virus protection etc than to change over to mac. Not to mention the costs involved with retraining people to use a mac.
If everyone followed your plan and switched over, do you really think that you wouldn't see more viruses and worms on the mac? I think mac users are a bit naive to assume they don't get worms/viruses because "mac is better". It's because virus writers for the most part don't know and don't care about mac.
If they've got 100 employees and they're producing 14,000 messages a day, they're a pretty ineffective spamhaus. :)
Why?
I've already had to help a few people remove SoBig from thier systems and found that SARC has a removal tool that cleans up SoBig quickly and effortlessly by: 1. Terminating the W32.Sobig.F@mm viral processes. 2. Deleting the W32.Sobig.F@mm files. 3. Deleting the dropped files. 4. Deleting the registry values that the worm added. For those who need it it can be found at http://www.sarc.com/avcenter/venc/data/w32.sobig.f @mm.removal.tool.html
According to a swedish newspaper (I'm sure others run the story as well by now), anti-virus programmers have now finally cracked the 20 IP addresses SoBig will get its updates from this weekend. It's now a race against time to shut those IP addresses down. The IP addresses are located in USA and Canada.
The reason it took this long to get the IP addresses were because they were heavily encrypted in the code and they couldn't to the usual "dump memory" trick when the virus was active since the IP addresses were only stored in memory just when they were needed, then the memory was freed.
The anti-virus guys at F-Secure don't know what will happen if they don't shut down the 20 addresses in time, only that something might happen if they don't take down all addresses.
Unusually clever actually, since I usually find viruses to be rather poorly coded and much like a hack job, like the Blaster virus that shouldn't have crashed the Windows computers much more efficiently go unnoticed. Anti-virus developers have also noticed this about SoBig and it is not very exhibitionistic either, like viruses usually are. These signs suggest that it's a more professional work than usual.
Beware: In C++, your friends can see your privates!
On a somewhat related note, Microsoft gives out software for use on your own servers to act as a mirror of WindowsUpdate. You can configure the clients to automatically connect to that mirror and download updates from there. Look for Software Update Services on their website.
--
hecubas
Hecubas
I guess just an idea (that seems useful and maybe I'll think about more later) is why not actively hunt virii. There was this big collective effort with SETI a few years back, why couldn't there be some big servers hunting for the cracks on the backbone. Maybe just a group of people, or a coalition to produce a virus in the wild that goes after viruses. Maybe try to infect servers clandestinely with patches if it becomes known that a user is spouting out bad email. Why niot actively hunt spammers too? It seem like that was sort of the code of the hackers.. Or at least the myth back in the old days (94-96) when I was keeping track of things more (or at least listening to people rant on usenet about such things as kookery). What are the big time hackers (or is it crckes or some other new term nowadays) doing? Are they being anonymous, or testing the waters before something "big" is put out. Maybe I'm just blowing steam, but considering the power a virus can harness to replicate itself and search for new ports to infect.. It seems that the government/military or rogue hackers/(paramilitary) could make more of presence on the scene than seems viewable from the public eye. Are virii the only big claim to fame to people who know how to mess with big systems? Couldn't we have avanging angels against spam/virii instead? Well just my 4 cents.
i'm a current student at Carnegie Mellon Univ. and about a week before everyone's slated to return, computing services sent out a letter saying that they were scanning the network for this worm and if found were removing machines from the network. If your machine has been removed, you gotta patch it and request it be re-allowed.
it seems like a pretty good way to go about preventing it from spreading, and even non-techies at my school will jump on the patch once they read the part about getting kicked off the net (read: AIM/Kazaa/email)
Um, what is this thing you call "vacation"? I keep hearing people talk about going on "vacation" but I've yet to experience this phenomenon.
We can argue until we're blue in the face about responsibility but frankly it doesn't matter. Make anyone vaguely connected (and catchable) responsible and the problem will be solved. Make MS responsible and they'll tighten up their OSes. Make users responsible for sending viruses from their computers and they'll soon put pressure on MS for better OSes and keep their virus checkers up-to-date. Make the PC vendors responsible and I'm sure we'll get imporvements too. But as it is we have a situation where nobody is held accountable and that means it's simply never going to be fixed.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
So why don't you ban M$ computers? Surely, you have better things to do with your time and school money than support Microsoft's broken shit.
Because they are students computers. When you start going to college, you'll understand this.
With the kind of time and resources you have, you could have every one of those computers running Debian in a week. Yes, I imagine one peroson can sit over 3 or 4 hand installs an hour, just like I can. Practice makes perfect and you are sure to get better than that. Oh well, good luck.
College. Students. They don't give a fuck about Linux. Why is it so hard for you to understand that some people like Windows?
Dacels Jewelers can't be trusted.
"Microsoft has pushed the idea that not only can you be an idiot and own a computer, that you should be one, too. That they will handle everything for you, and you should just be click-happy. It is this atmosphere that is most damaging."
'Scuse me? And you're saying Macs are better?
Isn't this philosophy exactly why people buy Macs (Windows machines are too complex, so buy a Mac instead?).
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
Why the hell would I use wine to open e-mail under linux? Linux is not spreading this shit the MS UI is. Get your facts strait. The fault is entirely MS they are counting on this kaos so that they can step forward with the ultra secure win 2003 server and then the Longhorny security solutions. Your are spreading fluff and fud! Yes everyone is going to rush and secure their computers with Longhorny. But as Ben Franklin said "Those who sacrifice freedom for security will gain neither."
OH THE SHAME I fell off the wagon and use sigs again!
Hmm, here's my numbers... this on a site that pushes about 9,000,000 messages/month. Oh, these numbers are since the 18th, and only include the ones for which any significant numbers have been recieved.
91673 | W32/Sobig-F
1460 | Bad File Pattern
1062 | Very Bad Header Pattern
1039 | W32/Sircam-A
960 | W32/Yaha-P
365 | W32/Bugbear-B
280 | W32/Klez-H
240 | W32/Mimail-A
223 | W32/Yaha-K
124 | W32/Bugbear-Dam
122 | W32/Dumaru-A
14 | W32/Magistr-B
9 | W32/Yaha-A
Recently experienced a corporate "upgrade" to Exchange.
By default, every folder had "Preview Pane" enabled (1st bad sign).
All new folders have "Preview Pane" enabled by default (2nd bad sign).
No global control for "Preview Pane" to be disabled (3rd bad sign).
Coworker has 60 virus-laden e-mails this morning.
Friday shutdown because of Blaster.
The switch is going to save us how much????
"Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
My experience with this virus may be abnormal, but I have to completely disagree with that statement. As a dispatch tech for a large state university, I've been up to my eyes in emails related to the virus, but have only found However, the amount of email traffic on campus has been mind-boggling -- it even took down our mail servers a few times. And less than 10% of the emails were from the virus. Most of them were f*cking auto-notification emails from other servers that someone had sent the damn virus, which thanks to the spoofing feature, was almost never true. Why don't server admins turn off such notifications when dealing with a mass-mailer/spoofer virus? All these assorted servers managed to do was clog up our mail server with these meaningless "you have sent us a virus" emails that do nothing but contribute to any damage the does!!
IMHO, the REAL cost of dealing with this virus was bearing the burden of 100,000 stupid auto-generated emails that other servers were sending us, in response to emails that didn't even come from us.
The points above are well taken: I intend on spiffing up my procmail recipes, but only as I am able to understand them.
The enhancements suggested above are simple to implement, but are still crude band aids. While I doubt I would ever *really* want to receive an executable attachment (heck -- most places won't even let me SEND it, let alone receive it), I might want to
(a) log it
(b) bounce a 'hey stoopid' message back a legit senders to tell them that if they need to send me something, it shouldn't be an executable (that's why god made ZIP)
There are some more complex procmail filters out there that specifically target certain worms. Is that more effective? I don't know. I can't understand them yet. I will soon. None of the procmail FAQs and "getting started" docs describe all those messy flags and things. I've got some more reading to do.
Meanwhile, this one lets me get work done other than downloading and deleting SOBIG messages. A few other worms will slip through, but at least it's manageable.
Design for Use, not Construction!
Well, as long as you're going to go the BSD route, you may as well just spring for a shiny new Mac with OS X and be done with it. Although we Mac owners are certainly not immune to virii and their broader effects, we are certainly less frequently directly infected. This is one instance where small market share proves beneficial.
Incidentally, the first infection I ever had on a Mac was the old Macro Virus which appeared shortly after I first welcomed Microsoft (via Office) onto my machine. Ah Microsoft!
"...all the labours of the ages, all the devotion, all the inspiration, all the noonday brightness..." yada yada
The price of security is eternal vigilance, and it's a pain in the neck.
This is where procmail comes to the rescue! Add this rule:
N
/dev/null. And if you get a NEW strain, just take an encoded body sample from it and make a new rule!
# Ignore W32/Sobig.f@MM
:0 B
* ^vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujH
/dev/null
This matches the worm on a base64 encoded line from its body. This is on the current variant I got flooded with; redirect the suckers to
A new patch out from MS? Can we just stick it on? Nope. We need to test in depth, we need to formally do a performance qualification, and we need to document all this to the nth degree: this is medical data, and you can't take chances that a patch might affect it.
Result? You don't rush out and patch stuff.
http://tinyurl.com/ku3u
August 22, 2003 07:38 AM US Eastern Timezone
A Potentially Massive Internet Attack Starts Today; Sobig.F Downloads and Executes a Mysterious Program on Friday at 19:00 UTC
SAN JOSE, Calif.--(BUSINESS WIRE)--Aug. 22, 2003--F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today.
Windows e-mail worm Sobig.F, which is currently the most widespread worm in the world, has created massive e-mail outages globally since it was found on Tuesday the 18th of August -- four days ago. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. Total amount of infected e-mails seen in the Internet since this attack started is close to 100 million.
However, the Sobig.F worm has a surprise attack in its sleeve. All the infected computers are entering a second phase today, on Friday the 22nd of August, 2003. These computers are using atom clocks to synchronize the activation to start exactly at the same time around the world: at 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).
On this moment, the worm starts to connect to machines found from an encrypted list hidden in the virus body. The list contains the address of 20 computers located in USA, Canada and South Korea.
"These 20 machines seem to be typical home PCs, connected to the Internet with always-on DSL connections," says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "Most likely the party behind Sobig.F has broken into these computers and they are now being misused to be part of this attack."
The worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a web address. Infected machines download a program from this address -- and run it. At this moment it is completely unknown what this mystery program will do.
F-Secure has been able to break into this system and crack the encryption, but currently the web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyse it and come up with countermeasures," says Hypponen. "So apparently their plan is to change the web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."
Right now, nobody knows what this program does. It could do damage, like deleting files or unleash network attacks. Earlier versions of Sobig have executed similar but simpler routines. With Sobig.E, the worm downloaded a program which removed the virus itself (to hide its tracks), and then started to steal users network and web passwords. After this the worm installed a hidden email proxy, which has been used by various spammers to send their bulk commercial emails through these machines without the owners of the computers knowing anything about it. Sobig.F might do something similar -- but we won't know until 19:00 UTC today.
"As soon as we were able to crack the encryption used by the worm to hide the list of the 20 machines, we've been trying to close them down," explains Mikko Hypponen. F-Secure has been working with officials, authorities and various CERT organizations to disconnect these machines from the Internet. "Unfortunately, the writers of this virus have been waiting for this move too." These 20 machines are chosen from the networks of different operators, making it quite likely that there won't be enough time to take them all down by 19:00 UTC. Even if just one stays up, it will be enough for the worm.
The advanced techniques used by the worm make it quite obvious it's not written by a typical teenage virus writer. The fact that previous Sobig variants we're used by spammers on a large scale adds an element of financial gain. Who's behind all this? "Looks like organized crime to me," comments Mikko Hypponen.
F-Secure is monitoring the