The Origin Of Sobig (And Its Next Phase)
MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, has traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try and connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.
Please see the attached file for details.
Well....next time it will do something really bad, I swear!
Visualize the world of wine
Now if the computers hadn't been running Windows, they would have crashed anyway and wouldn't have been able to execute it. Oh wait, they were running Windows. I guess Windows (and any crashable OS) only crashes during important data writing.
The Television Wiki
An expiration date was actually coded into the worm? Seems pretty ironic.
How can the operation of code like this be so uncertain when it's relatively small and known? I assume the worm doesn't download keys as it runs to unlock further sections of code... How difficult is it to know what exactly these things do when they have a complete binary copy disassembled?
These worms amaze and worry me all at once. They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with cancer or AIDS as far as some people are concerned. It's major shock-horror time when one happens. That's not to say people should take them lightly though.
They worry me because of the fact they do all the above. These things are just a little power trip for all concerned. Microsoft's latest idea of forcing Windows Update could stop this - but only with the new versions of windows. We're going to have older versions kicking around for years to come.
Ultimately, could Microsoft be blamed for these viruses? After all, if they didn't miss these bugs, the viruses wouldn't have a mechanism to run on. But should we blame the guys producing Apache when a flaw is found in that? Personally, I think it's unfair to blame MS for all of this.
Am I the only one who's a little bummed that this virus may have been stopped dead in its tracks here? I mean, my inbox got slammed with crap just like everyone else's, but because nearly all of my systems are running relatively secure operating systems, I just kinda chuckle each time another dozen messages show up automatically routed to my "Junk/virii" folder.
It is pure, gleeful schadenfreude for me to think of all the hapless PHBs and MCSE CIOs who are finally being given a little hint as to just how vulnerable they've left their companies. In the short term yes, many people will be inconvenienced and possibly some critical systems knocked out. But these hapless companies and also the public sector will eventually be forced to learn, and that's ultimately a good thing for all of us.
The whole summary sounds like some Matricesque (sp?) movie with little plot twists thrown in there for good measure.
1) Right click the clock on your taskbar,
2) click adjust date and time,
3) set date to 11/09/2003, click OK
4) ???
5) No more worm! (Just have to use an external clock to keep track of the time until the REAL 11/09/2003 comes around)
Actually, "officials" were only able to take down thirteen of the twenty hosts targeted. Six were already down due to MS Blaster.
I want to know what 'officials' are doing about this alleged porn site that the computers are being aimed at. It may very well be just a random site that the author chose, but I would definitely look into the possibility of the site owners being in on this.
Furthermore, what is the address of this porn site? I think we net admins have a valid right to "research" this threat using the company broadband!
Celebrate Steak and a Blowjob Day!
How long till the straight marketeers catch on with worms to move hits over their sites?
In fact, why not have the virus download a patch that installs a daemon that periodically installs all MS patches. Anyone who is too dumb to deactivate it needs to have it installed. It's a self-selecting fix.
Some drink at the fountain of knowledge. Others just gargle.
They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with cancer or AIDS as far as some people are concerned.
How long until we see more organized worms that communicate with each other to achieve a goal (such as cracking an RSA key)? It seems that stealthy worms could already be out there, slowly infiltrating and lodging themselves into message handlers or whatnot...
BTW: Yes, I do think we can blame MS... Their software does make this stuff possible.
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
Direct users to an internet porn site? What? Tell that to our IT department and our DDoS'd network.
But willing to risk the flames for an answer that is not ten pages long.
What's the difference between a worm and a virus?
http://wwwi.reuters.com/images/sobig_virus_graphic.gif is a really stupid diagram that isn't correct and is ambiguous, probably causing many misconceptions in CNET readers and Reuters readers.
Its called "W32/SitePostedOnSlashdot"
It's been a busy week. I see a lot of people confusing the different worms/viruses running around.
SoBig.F - A virus. Exploits no vulnerability in the OS. It only executes when a user runs the attachment. It sends out emails to everyone in your address book and makes the source another address from your book. It runs its own mail server, so filter port 25 outbound.
Blaster - A worm. This exploits the Windows RPC bug and self-propagates to any unpatched system.
Welchia/Nachi - A worm. Also exploits the Windows RPC bug and attempts to clean machines infected by Blaster. Unfortunately, it tries to find other systems by doing random pings which can saturate a network.
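The three traffic patterns in the post above (a desktop talking SMTP to the world on its own, sequential TCP/135 probes, and an ICMP echo sweep) are easy to tell apart in a firewall log. The following is an added example, not code from the thread: it classifies source hosts from constructed log lines in an assumed "HH:MM:SS src dst proto dport" format, with an assumed site mail server address and assumed thresholds.

```python
"""Triage hosts by the traffic pattern each 2003 worm produces.
Added example, not code from the original thread. Log format, the
mail-server address and the thresholds are assumptions chosen for this
example; every log line below is constructed, not captured."""
from collections import defaultdict

MAIL_SERVER = "10.0.0.25"   # assumed: the only host allowed to speak SMTP outbound
MIN_DISTINCT_DESTS = 5      # assumed: distinct targets before a host is flagged

SOBIG = "sobig-like: desktop running its own SMTP engine (block TCP/25 egress)"
BLASTER = "blaster-like: scanning for Windows RPC on TCP/135"
WELCHIA = "welchia-like: ICMP echo-request sweep of the address space"


def build_sample_log() -> str:
    """Constructed firewall-style log (not a real capture).
    Last field is the TCP port, or the ICMP type for icmp lines."""
    lines = []
    for i in range(1, 9):      # infected desktop mailing many remote MXs directly
        lines.append(f"09:00:{i:02d} 10.0.1.7 64.12.0.{i} tcp 25")
    for i in range(1, 9):      # the site MX doing the same thing legitimately
        lines.append(f"09:01:{i:02d} {MAIL_SERVER} 64.12.0.{i} tcp 25")
    for i in range(1, 13):     # sequential RPC probes of a neighbouring subnet
        lines.append(f"09:02:{i:02d} 10.0.1.9 10.0.2.{i} tcp 135")
    for i in range(1, 16):     # ping sweep (ICMP type 8, echo request)
        lines.append(f"09:03:{i:02d} 10.0.1.11 10.0.3.{i} icmp 8")
    for i in range(1, 4):      # ordinary web browsing, must not be flagged
        lines.append(f"09:04:{i:02d} 10.0.1.20 93.184.216.{i} tcp 80")
    return "\n".join(lines)


def parse_log(text: str):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        yield {"ts": ts, "src": src, "dst": dst,
               "proto": proto.lower(), "port": int(port)}


def classify(text: str) -> dict:
    """Map each source host to the worm-like behaviours it exhibits.
    Counting *distinct* destinations keeps one chatty legitimate
    connection from tripping the thresholds."""
    smtp = defaultdict(set)   # src -> hosts it spoke SMTP to (MX excluded)
    rpc = defaultdict(set)    # src -> hosts it probed on TCP/135
    icmp = defaultdict(set)   # src -> hosts it sent echo requests to
    for ev in parse_log(text):
        if ev["proto"] == "tcp" and ev["port"] == 25 and ev["src"] != MAIL_SERVER:
            smtp[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "tcp" and ev["port"] == 135:
            rpc[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "icmp" and ev["port"] == 8:
            icmp[ev["src"]].add(ev["dst"])

    verdicts = defaultdict(list)
    for table, label in ((smtp, SOBIG), (rpc, BLASTER), (icmp, WELCHIA)):
        for host, dests in table.items():
            if len(dests) >= MIN_DISTINCT_DESTS:
                verdicts[host].append(label)
    return dict(verdicts)


if __name__ == "__main__":
    for host, labels in sorted(classify(build_sample_log()).items()):
        print(host, "->", "; ".join(labels))
```

The SMTP rule is the one the post recommends: nothing but the site MX should be opening outbound port 25, so any other host doing it to several destinations is running its own mail engine.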
Come on, if you're going to write a worm, do it right.
Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who infected you, and trade connections randomly).
Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.
Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).
In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.
Tarsnap: Online backups for the truly paranoid
I don't have any friends so I don't really get any e-mail.
As I understand it, SoBig was written by some spammers (this according to something I read a few days ago). If this is true, it only reinforces my belief that the Sobig worm was written for the purpose of weakening Bayesian filtering schemes for spam email, thus making it easier for spammers to send spam mail in the future.
How?
Simple. You are getting SoBig emails apparently (but probably not really) from people who you may ordinarily receive ham from. If you (as many of you will) flag the SoBig messages as spam, your Bayesian filter will remember that spam comes from trustedfriend@ham.com and lo and behold, false positives increase.
Think this is ridiculous? I began out of habit flagging my SoBig emails as spam before it dawned on me what I was doing. Yes, my filters caught the SoBig, but I did some tests soon after to find exactly the behaviour that I described.
This further underscores the FACT that spam is a SOCIAL, not a technological problem. No bullshit, just good legislation.
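The poisoning effect described in the post above can be reproduced with a toy Graham-style filter. This is an added example, not code from the thread: the ham and spam corpora, the worm text, the six-copy worm volume and the 0.5 decision threshold are all constructed assumptions, and the classifier is deliberately minimal (per-message token presence, tokens with no evidence ignored).

```python
"""Bayesian-filter poisoning by spoofed senders.
Added example, not code from the original thread. Corpora, worm text and
threshold are constructed assumptions; the filter is a simplified
Graham-style classifier."""
import re
from collections import Counter
from math import prod

# --- constructed corpora (assumptions for this example) -----------------
HAM = [
    ("alice@example.org", "lunch tomorrow", "are we still on for lunch tomorrow"),
    ("alice@example.org", "meeting notes", "notes from the meeting are attached"),
    ("alice@example.org", "weekend hike", "are you around this weekend for the hike"),
    ("bob@example.org", "march invoice", "the invoice for march is attached"),
    ("bob@example.org", "server reboot", "rebooting the server tonight"),
    ("bob@example.org", "beer", "beer after work on friday"),
    ("carol@example.org", "photos", "photos from the trip are attached"),
    ("carol@example.org", "thanks", "thanks for the help yesterday"),
]
SPAM = [
    ("pills@spam.example", "cheap meds", "buy cheap pills online now"),
    ("prize@spam.example", "you won", "claim your prize now click here"),
    ("loans@spam.example", "mortgage rates", "lowest mortgage rates apply now"),
]
# Six worm copies with From: forged to a real correspondent, the way the
# post describes; the user drags them all to the spam folder.
WORM = [("alice@example.org", "Thank you!",
         "Please see the attached file for details.")] * 6
# A genuine later mail from the same correspondent.
GENUINE = ("alice@example.org", "quick question", "can you call me later today")
THRESHOLD = 0.5   # assumed decision threshold


def tokens(msg):
    """Subject/body words plus a sender token, as one set (presence, not count)."""
    sender, subject, body = msg
    words = re.findall(r"[a-z']+", (subject + " " + body).lower())
    return set(words) | {"from:" + sender.lower()}


class BayesFilter:
    def __init__(self):
        self.ham, self.spam = Counter(), Counter()
        self.nham = self.nspam = 0

    def train(self, msg, is_spam):
        if is_spam:
            self.spam.update(tokens(msg)); self.nspam += 1
        else:
            self.ham.update(tokens(msg)); self.nham += 1

    def spamicity(self, tok):
        """P(spam | token) from the fraction of each class containing it."""
        g, b = self.ham[tok], self.spam[tok]
        if g + b == 0:
            return 0.5                       # never seen: no evidence
        ph = g / self.nham if self.nham else 0.0
        ps = b / self.nspam if self.nspam else 0.0
        return min(0.99, max(0.01, ps / (ph + ps)))

    def score(self, msg):
        """Combine the informative tokens (those away from 0.5)."""
        probs = [p for p in map(self.spamicity, tokens(msg)) if abs(p - 0.5) >= 0.1]
        if not probs:
            return 0.5
        a, b = prod(probs), prod(1 - p for p in probs)
        return a / (a + b)


def demo():
    """Score the genuine mail before and after the worm copies are trained as spam."""
    f = BayesFilter()
    for m in HAM:
        f.train(m, False)
    for m in SPAM:
        f.train(m, True)
    sender = "from:alice@example.org"
    before = {"score": f.score(GENUINE), "sender": f.spamicity(sender)}
    for m in WORM:
        f.train(m, True)
    after = {"score": f.score(GENUINE), "sender": f.spamicity(sender)}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before poisoning:", before)
    print("after poisoning: ", after)
```

Under these assumptions the sender token alone moves from strong ham evidence to spam evidence, and the genuine message crosses the threshold: exactly the false positive the post predicts. The fix on the filter side is the one the later comment in this thread describes (scan for viruses first and never feed worm mail to the spam classifier), since the From: line is the one thing the worm controls.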
I am a small businessperson with a legitimate web based business on the web now for 8 years. Three accounts now receive 4500 spam per day, or roughly the equivalent of one 56k modem whose full time job is to receive spam. While we have followed best practices with email addresses, over 8 years and thousands of customers, these things get around.
Antiviral software is virtually a must to avoid the myriad of malware that circulates the WWW. People who don't keep upgrading to the most recent version of Windows/related applications leave us all open via their vulnerability. A closer look is necessary at providing services like P2P and binary downloads via e-mail or Usenet, which are responsible for nine out of ten infections (the rest being worms that automatically exploit bugs in networked computers without user intervention).
At some point, all software should be vetted for buffer overflows and certified by a trusted entity before being permitted for use on an open network. Only then can we stem the tide of attacks on our greatest electronic resource from these malcontents.
They may eventually catch the moron(s) - it isn't clear from this article, since there _really_ isn't much info, except the interesting stolen credit card item.
But one of the lessons to be learned by people with all colours of hats from the sobig.* family is that the interface design of the virus is very effective.
It is subtle, in that the subject lines of the emails are rather muted. It has no other message than to tell people that the info is in the file, and it may appear to come from someone you know (and might trust). In short, it isn't very 'spam-like'. and of course it has a very effective mail engine.
I work in a university setting, and I can tell you that having a PhD will not save you from accidentally opening this virus. Email programs should make it _hard_ to open any file that is executable. How many times does it have to be said? Thanks to the internet gods that my users are on linux, and that the secretariat is staffed by savvy people.
I watched this puppy rise from category 'low' to 'high' in a space of 6 hours on nai.com on Tuesday. I am more than a bit surprised that it started at level 'low'; anybody else remember the earlier incarnation when the email appeared to come from 'support@microsoft.com'?
WARNING!!! (from zidane.cc.vt.edu)
The following message attachments were flagged by the antivirus scanner:
Attachment [2.2] application.pif, virus infected: W32/Sobig-F. Action taken: deleted
If nothing else, put together a script that will log the IPs of machines that connect for further instructions and send a message to their responsible ISP asking them to have the users clean up their system.
I've already got a prototype set of scripts if anybody's interested.
Free Software: Like love, it grows best when given away.
This is why worms need to be open source. Proprietary worms do a disservice to the worm community!
Which porn site was affected? I need to find out for er... damage control, yeah!
Hate me!
A worm is usually a standalone program (runs on its own) and is self-propagating. A virus is a much more general term. In fact, some might argue that a worm is a type of a virus. But in general, a virus infects other software (so it isn't necessarily standalone) and often requires some other application (or human) to transfer it from one location to another.
There's a good answer on Broadband Report Forum, or you could try Google.
Who said Freedom was Fair?
Compared to all the 'Thank you!', 'Wicked screensaver' and 'My details' messages I hardly notice the SPAM I get. Since I get a new virus e-mail about every 2 minutes at 100 kb apiece, I only hope I won't go over the monthly 5 Gigabyte transfer limit of my internet connection :-/
What I don't understand is all the 'Disallowed attachment', 'Mail delivery failed' and 'Failure notice' mails I get. Almost every virus spoofs the sender. Why would anti-virus software even bother to try to send a message back?
Worms are programs that make new copies of themselves and then destroy the originals. In essence, they move from place to place rather than spreading the way a virus would.
Of course, a lot of people have been confused over the last decade or so because of the Morris worm, which was intended to function like a virus 5% of the time (although it actually did so 95% of the time, due to a one character bug).
But we're SlashDot readers, and we aim to be tech-savvy, so let's get our terminology right, even if C|Net doesn't.
OK, I have a quick question. These worms and virii are hitting a ton of Microsoft vulnerabilities, and that's why they *exist*, but to me it seems like they only succeed because office workers, mom (my mom's comp was hit by Blaster), guy down the street, etc. *don't harden their computers*, or because they can't seem to stop clicking on attachments.
So if this gets worse and worse, and hypothetically more people start running linux or mac or whatever as their desktop OS (which I think could happen in dribs and drabs now -- a shitload of folks I know HATE microsoft right now), what's to stop them from ignoring system security all over again? You have the whole Lindows run-as-root thing still, for example. I know there aren't nearly as many worms and shit written to exploit non-MS OS's, but that doesn't mean folks won't start, and I'd just like to know what would/could happen, and what exploits would then be available, if they do.
I'm tired, and cranky, and I love Linux. But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update.
Don't put salt in your eyes.
I wonder who owns these sites. if they are privately owned then someone, maybe a slashdot person, could actually implement this by talking to the site owner.
of course an even more humourous outcome would be to have the downloaded patch simply install Lindows :-). again perfectly legal and ethical.
since the virus will keep going back for the rest of the month its not too late to implement this.
No, actually the mailservers at vt.edu scan for virii, they flagged it and deleted the attachment. I ran FixSobig-F.exe just to make sure, virus free.
Yeah, it's pretty ridiculous... Government agencies should get rid of Windows.
At work, the mail is scanned for viruses first, then it is handed off for classification as ham or spam.
Anyone who bothers to send a virus through a spam filter deserves whatever he gets.
Yeah, baby: YEAH!
It's time to wake up to a reality!!!
It's time to wake up to English grammar!!!
Nice spam, but I would argue that those Boeing 747s did not in fact bring the nation to its knees. It just pissed off some drunken rednecks and gave them an excuse to steal the rest of the world's oil and call anyone against their plot of world domination an unpatriotic yankee.
Whew! Aren't trolls usually posted anonymously?
Justin
Run properly, WinXP is just as secure as any of the OS's you mentioned. Like everyone else, I've been bombarded by virus-infected e-mails and attempts by worms to infiltrate my systems, but thanks to a hardware firewall, anti-virus software, and an appropriately cautious approach to file attachments, I got off without a scratch. In fact, I've NEVER had a virus or worm on any system I've controlled, going back to 1979.
Next stage will be when the sobig virus targets the stability software on oil tankers... and Angelina Jolie will rescue us with her superfast laptop running a huge *28.8 modem*...
Ahh... nostalgia for things that have only just happened - that's what I love about being a science fiction fan!
Is why any virus writers ever get caught.
Unless they're messing with the virus and accidentally release it (either completely accidentally or just prematurely, whatever) then they simply have to go down to their local library and/or cyber cafe wearing a wig and makeup, stick the floppy in, click, then leave, what's the problem?
Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
Justin baby. Are you the one who is trolling?
Could that expiration date (Sept. 10) have been chosen out of sheer respect for the incident that happened on September 11, 2001?
Touché!
Keep your Latin out of my American!
Is the address of the NTP server hardcoded? ^_^
Internet, and we'd all be better off if some degree of diligence was mandated legally or as a term of service by each ISP before it became possible to connect a system to everybody else's.
Why should this burden be on the individual users? A person can't get on the internet without the aid of an ISP, so why don't ISPs work to filter out obvious viruses from all email and block unneeded ports to the end user? Many viruses and other hacks/cracks would be halted by this practice. If you have need for a port, you can request that it be allowed.
Slashdot, home of supporters of free software, free music, and free speech. Except for moderators that disagree with you.
I was hoping there'd be a few more good viruses lying about preparing to nail other Windows systems. Give CEOs a month or two of grief and they'll begin to see it the Linux way.
We'll never know what the hacker's true intent was, however. It's suspicious that Blaster and the Sobig virus were thrown out almost one right after the other. It all may be a distraction. For all we know there could be another virus lurking around infecting machines slowly, 1 by 1 until a doomsday date at which they deliver their payload.
Candy-Coated Knowledge
Folks blame Microsoft for their failures to prevent the bugs that allow these virii and worms, and I don't disagree. However, there is a deeper root cause. C and C++ are poor tools for any programming above the level of device driver (and perhaps compiler construction). "Programming without a Net", indeed!! (sorry, couldn't find the original of that quote.)
Programming in C/C++ is directly equivalent to having to get out of your car to check the lugnuts at every red light. I mean - buffer overflows? Segfaults? Library conflicts? This is the stuff of the Dark Ages!! (with the possible exception of the libraries...) If Microsoft (along with everyone else) worked in an actually productive environment, these types of errors would be impossible in nearly all cases. (Of course, I'm not saying bugs in general would be impossible...)
I was fortunately able to work entirely without C for the last 10 years or so, and managed to go the entire time without a segfault, and was easily 10 times as productive as I ever have been in C. (Using myself as an example removes any programmer skill issue - one can presume same level, both cases.) This included some large projects, including a complete web-enabled GIS system with live maps and integration with corporate inventory & personnel databases.
Recently I had to return to the C++ environment, and was astonished at how painful, and inefficient the process is. And, of course, code written for one linux platform had to be modified for another, and then again for Solaris. In a simple 300 line program there is no common version that works on all three platforms, even though all used GCC. So I'm now faced with the prospect of building and testing three versions simultaneously or going through the meta-agony of setting up an autoconf build (tho I admire autoconf greatly - autoconf is arguably a key factor in the success of open source.)
And the various IDEs (for pretty much any language) are just glorified outliners, not engineering tools and certainly not CAD in any useful sense of the word. It is time for software to become engineering. Imagine designing a nuclear plant entirely using text - no drawings, no CAD, no piping analysis, no dynamic stress analysis. A large programming project has a similar complexity, yet we are still stuck writing prose - this is software literature, not software engineering! CAD has transformed every engineering discipline except one. Why do we insist on remaining stuck in the Dark Ages?
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Admit it.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
hehe- Couldn't resist: Today's userfriendly strip is perfect :)
But the remaining 95% of the computing world that had their desktops connected to the internet proceeded to generate millions of messages sent to their friends & family who were dumb enough to continue to read things sent to them even when they've been warned hundreds if not thousands of times....
As a rock-in-roll Physicist once said, No matter where you go, there you are.
I set up a rule filtering out .scr and .pif files last night at 10pm. Since then, under a 24 hour period, I have received 48 emails.
I have a mac so it is not really a problem but just annoying
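Filtering on .scr and .pif, as the post above does, stops this particular worm but not a renamed executable. The following is an added example, not code from the thread: it parses a constructed message (subject and body mimic the worm text quoted earlier in the thread, the sender is forged) with Python's standard email module and flags attachments by extension, by declared MIME type, and by the DOS/PE "MZ" header so that the name on the file no longer matters. The extension and MIME lists are assumptions.

```python
"""Reject mail carrying Windows executables as attachments.
Added example, not code from the original thread. The message is
constructed; the extension and MIME-type lists are assumptions."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; .pif and .scr are the two the
# post above filters (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-msdos-program"}


def build_sample_message() -> bytes:
    """Constructed worm-style message: forged From:, canned subject and body,
    one honestly named executable, one renamed to look like a picture, and
    one harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"       # forged, as the worm does
    msg["To"] = "me@example.net"
    msg["Subject"] = "Thank you!"
    msg.set_content("Please see the attached file for details.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60   # constructed DOS/PE header stub, not a real binary
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                       filename="application.pif")
    msg.add_attachment(pe_stub, maintype="image", subtype="jpeg",
                       filename="holiday.jpg")   # executable hiding behind a picture name
    msg.add_attachment(b"just some notes\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    return bytes(msg)


def scan_attachments(raw: bytes):
    """Return [(filename, [reasons])] for every attachment; empty reasons = clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(name.lower())[1]   # last extension, so x.txt.pif -> .pif
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if part.get_content_type() in EXECUTABLE_MIME:
            reasons.append(f"executable MIME type {part.get_content_type()}")
        if data[:2] == b"MZ":
            reasons.append("DOS/PE 'MZ' header: executable whatever the name says")
        findings.append((name, reasons))
    return findings


def should_reject(raw: bytes) -> bool:
    """Policy used by the gateway: any flagged attachment rejects the whole message."""
    return any(reasons for _, reasons in scan_attachments(raw))


if __name__ == "__main__":
    for name, reasons in scan_attachments(build_sample_message()):
        print(f"{name}: {'; '.join(reasons) or 'clean'}")
```

The content check is the part a mail-client extension rule cannot do: an executable renamed to holiday.jpg passes the extension list but still starts with "MZ". Archives are a separate problem; a .zip containing a .pif would need to be opened and each member run through the same checks.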
Yes! I listen to NYC Speedcore and do math at 3AM. I suggest you try it too.
Unfortunately I've since deleted it (It's an offence to knowingly possess viruses in the UK)
The message reference that it was in is [MPG.19ab40b72e8ed720989682@news.easynews.com] but google doesn't archive those groups.
Perhaps that was it???
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
My guess is that the virus-writer, realizing from the online news that his/her precious 20 IP numbers were being decoded and chased down, went around to all of those machines that were still online and switched in that porn-site target, to avoid disclosing further strategy.
With a lot of luck, maybe forensics on the first few machines taken offline will yield the real download address, and we can see what that clown was really up to.
Who cares? You got the point. It's not like we are writing the great american novel, it's slashdot. Do you check your post-it notes for grammar and spelling errors too?
Oh dear Jesus, who cares? You got the point. It's not like we are writing the great american novel, it's slashdot. Do you check your post-it notes for grammar and spelling errors too?
A sends mail to B
B gets SoBig
B send virus mail to C from A
In your scheme A is seen as the virus sender, subsequently deserving whatever he gets.
The only headers you can trust in SMTP mail are the ones your MX adds. These are usually the IP address of the machine making the SMTP connection to your MX. This IP won't necessarily be the IP address of the originator as mail, like other traffic, is routed.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
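Putting the post above into code: walk the Received: chain from the top, trust only the hops your own relays added, and stop as soon as a hop was added by something else, because everything below that point (including the From: line) was written by whoever handed you the message. This is an added example, not code from the thread; the relay names, addresses and the sample headers are constructed, including a forged bottom Received: line of the kind a worm could prepend.

```python
"""Recover the connecting IP from the Received: headers our own relays added.
Added example, not code from the original thread. Relay names, addresses
and the sample message are constructed."""
import email
import re
from email import policy

# Hosts we run, whose Received: lines we trust (assumption for this example).
OUR_RELAYS = {"mx.example.net", "mail.example.net"}

# Constructed message: two hops added by our relays on top of a Received:
# line forged to make the mail look as if it came from the spoofed
# sender's own mail server.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.5])
\tby mail.example.net with ESMTP id 17abc; Fri, 22 Aug 2003 09:12:00 -0400
Received: from friend-pc (cable-77.isp.example [203.0.113.77])
\tby mx.example.net with SMTP; Fri, 22 Aug 2003 09:11:58 -0400
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby friend-pc with SMTP; Fri, 22 Aug 2003 09:11:50 -0400
From: friend@example.org
To: me@example.net
Subject: Thank you!

Please see the attached file for details.
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value: str):
    """Split one Received: value into HELO name, reverse DNS, IP and 'by' host."""
    m = HOP_RE.search(value)
    if not m:
        return None
    paren = m.group("paren") or ""
    rdns = paren.split()[0] if paren and not paren.startswith("[") else None
    ip = IP_RE.search(paren)
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "by": m.group("by")}


def connecting_ip(raw: str, our_relays=OUR_RELAYS):
    """Return (claimed From:, IP that connected to our first relay).
    Headers are newest-first; stop trusting at the first hop not added by us."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = str(msg["From"])
    for value in msg.get_all("Received", []):
        hop = parse_hop(str(value))
        if hop is None or hop["by"].lower() not in our_relays:
            break            # below this point anyone could have written the headers
        if hop["helo"].lower() in our_relays or (hop["rdns"] or "").lower() in our_relays:
            continue         # internal relay-to-relay hop, keep walking down
        return claimed, hop["ip"]
    return claimed, None


if __name__ == "__main__":
    claimed, ip = connecting_ip(SAMPLE)
    print(f"From: claims {claimed}; the machine that actually connected was {ip}")
```

The forged hop naming mail.example.org never influences the answer, and if only mail.example.net were trusted the result would be mx.example.net's own address, which is the other half of the post's point: the trusted address is whatever connected to your edge, not necessarily the originator.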
YOU STOLE MY FLAME
> OK, I have a quick question. These worms and virii are hitting a ton of Microsoft vulnerabilities, and that's why they *exist*, but to me it seems like they only succeed because office workers, mom (my mom's comp was hit by Blaster), guy down the street, etc. *don't harden their computers*, or because they can't seem to stop clicking on attachments. [...] I'm tired, and cranky, and I love Linux. But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update.
At some point someone with a misguided sense of "ease of use" will write a *n*x e-mail client that executes attachments at a click, and then the fun will begin.
This is an engineering problem - a failure to account for the human element in the process. The whole point of engineering, in any discipline, is to take precautions against the predictable stuff that will fux0r your system. The relevant behavior here is fully predictable, ergo it is an engineering error.
I plead with FOSS developers not to make the same mistake.
Sheesh, evil *and* a jerk. -- Jade
i am curious how they figure out the sources of viruses WITHOUT VIOLATING THE FOURTH AMENDMENT...
It's only a matter of time before this butthead is detained indefinitely without trial
Ah, refreshing! :-)
Unselfish actions pay back better
Ok, I may be falling into a trolling trap, but take a look at the 4th amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures. How is it unreasonable to search the computer/network of an individual who is suspected of nearly bringing the Windows community to its knees? If you didn't write any malware then you have nothing to hide - it's not unreasonable to eliminate someone from a case by proving that they had no part in it, is it?
He should have had this virus download a copy of the linux kernel from the SCO web site and save it to the system. SCO would have loved this as they could have then sold a UnixWare license to the entire world. Oh hell, we could have even shown that SCO in fact distributed the linux kernel to every PC in the world.
Got Code?
Awwe...I was kinda hoping the smiley face would walk across the screen. :-/
Anyway...our mail server at this small public school system has blocked 7,998 copies of the virus since 10:43am Tuesday morning. I had updated the signature files at about 9:45am...so talk about a close call.
I don't know who created this virus (or any other evil virus for that matter), but I hope they are at least caught, tarred, and feathered.
The best thing we can do now is attempt to anticipate the next breed of mass-transfer virus.
From boot sectors, to exe files, to e-mail, to internet worm.
What's next?
I'm thinking nasty viruses/worms:
Examining ACLs for more privileged users to transfer to (mail, worm).
Navigate ExchangeServer's Organisation chart to target top 20 execs and send nasty e-mail on their behalf.
Break through the firewall! A lot of companies only secure the site perimeter using a firewall. With the growth of VPNs, Remote dial-ins, portable computers, it seems there might be more than just a firewall to secure. A virus could sit dormant until it detects a private network connection (192.168.x.x, 172.16-31.x.x etc..) and then activates. I really do wonder how many MS computers living in private subnets are patched further than standard SP on the CD.. It could be blaster all over again!
I think forced updates and WindowsUpdate Proxy server might be a good thing
Although Google doesn't archive those groups, they did archive this message posted by the virus author in alt.alt.test 9 minutes before the virus was posted elsewhere.
(You can compare to the message included here from easynews)
(2,3-Benzopyrrole)
I love how the caricature of the worm in that graphic is smiling and bug-eyed. Reminds me a bit of Clippy...
You neglected to mention the newsgroup was alt.binaries.erotica.fetish.wetandmessy.cary.coleman and the picture isn't even of Gary Coleman!
hehe none of the others were me
Those that did were merely redirected to a porn site, no damage done.
No damage done! My dear poor mother got redirected to goatse.cx! The psychiatry bills alone will cost a quarter of a million dollars.
A Government Is a Body of People, Usually Notably Ungoverned
The article mentions that the worm "spread from usenet", and was uploaded to usenet from an account obtained with a stolen credit card.
Here's what I don't get:
1. How does a worm "spread from usenet"? Are there really people who are savvy enough to use usenet and are willing to click on a .pif file in some random post?
2. Why bother with the stolen credit card thing? Can't you use Google News to make postings for free?
Why does Microsoft security and Windows Update keep coming up in this? This is an e-mail worm. People keep running the damned attachment like morons. It's their fault. Hell, my ISP doesn't even let .scr or any other sorts of files get through without specific permission from the user. Outlook won't run executables unless I tell it to.
"Sufferin' succotash."
Unfortunately, the headlines seem to vastly overstate the success of the investigation so far. "Tracing" the virus to a hacked computer and a stolen credit card does not really establish the real "Origin" of that virus.
I'll be satisfied with the investigation when I see a picture of the person who wrote it (preferably in a body bag, with the fingernails ripped out & a broom handle sticking from his/her ass).
This reminds me of the movie brazil where the "terrorists" broke into government systems and fixed them to work better, causing all sorts of confusion.
Makes perfect sense. Everyone (including myself) forgot that the web site wasn't in any of the 20 machines until the last moment. I expect SoBig.g to not make the same mistake.
So some of these infected machines have had proxies installed so that the people running the show can whore them out to spammers. They essentially gain the ability to resell access to computers that are infected. Cute.
Open proxies let a spammer connect in and use it as a puppet to create a TCP connection that's essentially anonymous. They connect to it, it connects to the victim's machine, and they pull the strings to make it deliver mail for them. That's simple enough.
My question is: why is it installing a proxy and not something more like a mail server? I'm sure the spammer would much rather connect to the compromised box, spew out the recipients and data, then disconnect. Let the infected system worry about connecting to the mail exchangers of the recipients. That leaves the spammers free to do other things rather than babysitting all those proxied TCP connections.
I guess these guys only know one thing: "we want more proxies!", and they never actually stop to think about what they're really doing. Duh.
I work in a (non-IT) dept of a satellite campus of a large Australasian university. That varsity's ITSS dept is currently being invaded and overrun by hordes of new, low-paid, low-skilled, all-but-no-experience Indian staff, most of whom are about to begin, or are actually in the midst of, MCSE courses.
They do almost nothing, and know even less, and it shows in the state of the systems and networks, e.g. we are running unpatched versions of IE 5.0 on most of the University's PCs. Naturally the network got hammered by the latest round of worms. None of these guys had bothered to patch any of the machines, including their own. Maybe they didn't even know how to. They did manage to issue one of my coworkers with a new M$ Outhouse password. It was the same as her login. No paranoia about security issues around here, dude, nyuh-uh.
Two of them came out to my dept to install SP4 on the win2k computers. We are off-campus, and connected via the World's Worst 2Mb WLAN link. We have been complaining about it to IT for a year. It falls over every 5-15 minutes and is down for an hour or so. Even when it's functioning, it crawls. So what do these two clowns do? They crash every machine by trying to upgrade them all simultaneously with the 132 MB patch over this shitty connection.
Earlier in the week another guy had been out to install a scanner driver. He spent two hours trying to do it. Apparently staring at a monitor with a 'duh!' expression for a long time will accomplish this. In the end he installed a scanner driver for Win98, then NT, then installed a Win 3.1 (!) version, before even trying the win2k driver. By then he'd made such a mess, he felt obliged to reformat and reinstall the OS. For some reason, he then decided he needed to do this on ALL our dept's PCs. So, in order to get a scanner working we are left with tons of lost data and no-longer-functioning apps.
Not too long after, another guy came out to install some extra RAM in our slowest machines. Why he needed to pull apart ALL the PCs in the building has still to be answered, but he mixed up the mouse and keyboard plugs/sockets on EVERY SINGLE PC. Of course, he never thought to check all was well -- or even finished -- before departing, so we had to do it for him. One result was that the only decent monitor in the place was damaged when it was dropped by a middle-aged female librarian when it slipped from her grasp.
Later this guy's boss (also Indian) called trying to locate him, as he was ignoring his pager and cellphone. We couldn't assist there, but we did hear later that the guy had left early to have a meeting with some other Indian IT cronies to discuss yet another of the get-rich-quick "eBusiness" ventures they were plotting.
I miss the days when IT was a geek calling, and not just a "good career move" for people with no talent for the work.
Well I reported this > 24hrs ago.
SCO, simply bitching
The fact is that the only criminals that get caught are the stupid ones. Hence, if you try to infer that criminals are stupid based only on the sample that were caught, you will come to the wrong conclusion. It's like proving that birds can't actually fly by counting only the ones you find on the ground. The smart criminals don't get caught, so you don't know they exist.
Some drink at the fountain of knowledge. Others just gargle.
I ranted on about SoBig being on steroids with a down and dirty analysis on what having Windows is costing someone along with concepts of SoBig disconnecting a backbone along with a program to test that concept
MoFscker
I totally disagree with your conclusions, although I agree with your initial statement.
The very idea of legally mandating some sort of level of Internet security is unworkable, and just a bad idea all around. For starters, you bring govt. dangerously close to taking the next logical step that comes after it - issuing Internet licenses. (Only a govt. licensed individual could run any type of Internet server, perhaps?) Scary thought....
But besides that, what sort of improvements would you visualize coming about from it? ISP's already have terms of service agreements that pretty well cover this. If you spam people or use their service to promote any sort of illegal activity, they can terminate your account. It doesn't mean they can magically stop these behaviors before they happen, a la "Minority Report". Same problem if you mandate some sort of degree of due diligence. People writing virii generally try to do so anonymously. They already know their actions break laws - but they're planning on not getting caught.
Forced Grid computing, hrrm.
What would be pretty cool would be if they used a virus to run the Protein Folding at Home project and use a Virus to help cure a Virus!
la la la.
still waiting for a genuinely destructive virus, randomly mailing out microsoft office files was probably one of the more interesting and malicious viruses of recent years.
In the beginning, it was barely detectable... ...then it became SoTiny... ...then SoDammSmall... ...then SoLittle... ...then SoAverage... ...then So-So... ...then SoUnusuallyGreat... ...then SoBig.
Wicked?? Is this virus writer from Boston or 1986?
You say self-important egomaniac like it's a bad thing. - Peter Dragon
Microsoft finally must return all license fees back to owners of all infected computers. It must be written in a way that it is not possible to be infected. Period. If the OS is written differently, then the OS vendor must return the money back to customers - Microsoft did not earn that money.
Another punishment would be good if all Microsoft products being sold in their cartoon boxes would have half of the box's (and CD's as well) face taken up by a yellow-red color warning: "The usage of this product may lose all your data, hurt other people, bring you to jail and even fail our whole national economy!". Exactly in the same way as many governments forced tobacco manufacturers to print on cigarette packs. I think that many people will think twice before buying such boxes. Unless they are physically addicted to Microsoft products...
Less is more !
There's really only one User Friendly comic
Heh. I love this. I can just imagine it. Two acne'd basement dwellers are waiting for an interview at the sign of the Golden Arches...
AC1: Of course, this isn't my real job. I'm just waiting for a gig as a sys admin to come along.
AC2: Hmm. I don't suppose you read Slashdot, do you?
AC1: Why yes, from time to time.
AC2: What account name do you post under?
AC2: Oh, I don't bother logging in...
AC1: Aieeeee! Die, motherfucker...
AS USUAL THE FUNNIEST FUCKING SHIT THAT IS HILARIOUS AS A MOFO IS NOT MODDED +5 FUNNY BUT IS SOME BIZARRE POST AT THE TOP IN THE TROLL ZONE OF THE COMMENTS.
FUNNIEST SHIT ON SLASHDOT IN A MINUTE WORD SON.
How did the FBI get the IP address of the computer that uploaded the virus when the privacy policy for Easynews specifically states that it should be impossible for such a thing to happen:
We do not keep HTTP access logs
We do not keep NNTP access logs
We do not use IP addresses to link to personally identifiable information. IP addresses are used for administrative purposes only to ensure the Web site is running smoothly.
Here's a link to the complete policy: Privacy Policy
Hee!!
However, as recently as the late 1980's COBOL was by an order of magnitude the most popular language in terms of lines written each year. And RPG, according to an article (somewhere) I read a month or so ago, is still the standard language for the small IBM hardware - evidently it's quite powerful and easy to use. I don't really know, for myself - I've avoided that world.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Subject: To-do list for your products:
This comment does not represent the views or opinions of the user.
Now if the computers hadn't been running windows and they would have crashed anyway and wouldnt have been able to execute it. Oh wait they were running windows. I guess windows(and any crashable OS) only crashes during important data writing.
Linux X applications by and large aren't as stable as Windows shareware (i.e. KMail silently dies when the disk is full, etc.). The Linux kernel *is* crashable - try hot-swapping an ISA card in an old clunker. [grin]
As for worms, well, once on my KDE box, I clicked on a virus while I was showing off Linux to a friend. "Look at how immune I am to e-mail virii... [click-click]... Oh shit... Look at how well Windows applications are supported!"
Red Hat 7.3, shipping with Windows binaries associated to Wine. Yup, I got my Linux box infected with a Windows e-mail virus. Dangerous default file associations are not a problem exclusive to Windows, and it's only a matter of popularity before e-mail virii are being written to exploit bugs in Linux apps.
Fire and Meat. Yummy.
For starters, you bring govt. dangerously close to taking the next logical step that comes after it - issuing Internet licenses. (Only a govt. licensed individual could run any type of Internet server, perhaps?) Scary thought....
While I agree with you, it's ironic to point out that prior to 1991, this was exactly the case. The NSF's acceptable use policy mandated that the then "Internet" (NSFNET) could only be used for academic and research purposes. Many people pine longingly for those days...
My Bayesian spam filter has caught every SoBig.F virus after the first one -- but it's not catching the 100-and-counting "Your email contained a virus!" autoresponses. I can't classify them as spam because bounces are usually important.
I should buy some cement.
Since everyone is updating their computers will there now be either one of two realities?:
-A long lag before another 'big' virus/worm
-Will the Internet now run more efficiently? There must be quite a few fixes that would improve network performance, and I'm sure that these virii/worms have been a low level hit for some time now. Since word is getting out, and everyone is fixing what has needed to be fixed for a while, shouldn't we eventually be better off than we were?
That's what I did. 100-200 viruses/hour now sit harmlessly in a directory, where they can be wiped every few days if no-one screams about recent lost mail. If every admin had done this, the problem would be gone hours after it appeared.
All this "brought down to its knees" bullshit => excuses from poor sysadmins, or from their CIO's not giving them room to do their job.
October 24 of last year ... now this ...
I think this is probe #2 of a 2-3 year viability study on Information Warfare.
Just imagine *WHEN* the worms are coded to do lookups on ARIN so that everything in a select region/industry/state/country alone gets nailed.
WE NEED TO WAKE UP. These are probes. And we're on the losing side of 'em.
Why not just wardrive around town, find an open network, then launch the virus. There is NO WAY you can get caught. Just wipe your drives with 0s five or more times, and nuke the wireless NIC you used (because of the traceable MAC address as evidence). It's not that hard. And if you do get caught, it's because you opened up your big fat flapping jaw for bragging rights.
Life is not for the lazy.
Person A is not an employee of my company.
Person B is not an employee of my company.
Person C is an employee of my company.
A sends mail to B.
B sends mail to A.
B sends mail to C.
C sends mail to B.
B becomes infected.
The virus sends mail from B's machine to C that appears to be from A.
That message is checked for viruses.
The virus is found.
The virus is removed.
Simple and proven effective in a real world environment (the office I work at).
Now, if I were to go back and grab all of those infected messages and then run them through SpamAssassin's learning function as spam, then I would deserve whatever I got. That is because I would have knowingly polluted my SpamAssassin system with non-spam.
The spam filtering system is not the same as the anti-virus system. Even though they run on the same box.
The suspected spam messages are not handled in the same fashion as the suspected virus messages. Even though they are handled on the same box.
Spam is not a virus.
A virus is not spam.
Do not confuse the two.
You mean to tell me that outlook express will open filename.jpg.exe and run it with image preview set on?? Not even realizing that it's not an image?
Sheesh..
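Tying together the virus-versus-spam separation argued in the A/B/C post above and the `filename.jpg.exe` question, here is an added example (not code from the thread, from SpamAssassin or from any antivirus product) of a mail gateway that flags executable and double-extension attachments, including the `.pif` files posters in this thread report on Sobig.F mail, and quarantines them before anything is fed to the spam learner. The messages, addresses and Message-IDs are constructed.

```python
"""Keep suspected virus mail away from the spam learner.

Added example: not code from the Slashdot thread, SpamAssassin or any
antivirus product. All messages below are constructed samples.
"""
from email import message_from_string
from email.message import Message
from typing import List, Optional

# Attachment types a Windows mail client of the time would run when opened.
# .pif is the one the thread's posters saw on Sobig.F messages.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# Extensions users expect to be harmless. "photo.jpg.exe" is the trick asked
# about above: the client hides the last extension and shows a picture icon.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".zip"}

# Constructed Sobig-style sample: short lure text plus a .pif attachment.
VIRUS_SAMPLE = """\
From: a@example.invalid
To: c@example.com
Subject: Re: Details
Message-ID: <constructed-virus@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed ordinary message with no attachment at all.
CLEAN_SAMPLE = """\
From: b@example.invalid
To: c@example.com
Subject: Meeting notes
Message-ID: <constructed-clean@example.invalid>

Notes from today are in the shared folder.
"""


def split_extensions(filename: str) -> List[str]:
    """'photo.jpg.exe' -> ['.jpg', '.exe'], lower-cased, left to right."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def attachment_risk(filename: str) -> Optional[str]:
    """Reason the attachment is dangerous, or None if it looks harmless."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
        return "double extension %s%s" % (exts[-2], exts[-1])
    return "executable attachment %s" % exts[-1]


def classify(msg: Message) -> str:
    """'virus' if any attachment is executable or deceptive, else 'mail'."""
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_risk(name):
            return "virus"
    return "mail"


class Gateway:
    """Virus check first; only what passes is handed to the spam learner."""

    def __init__(self) -> None:
        self.quarantined: List[str] = []  # stands in for the quarantine directory
        self.spam_corpus: List[str] = []  # stands in for the Bayesian training store

    def handle(self, raw: str) -> str:
        msg = message_from_string(raw)
        if classify(msg) == "virus":
            # Parked, not learned: feeding this to the spam learner would
            # pollute the corpus, which is the mistake the post above warns about.
            self.quarantined.append(msg.get("Message-ID", "<no-id>"))
            return "quarantined"
        self.spam_corpus.append(raw)
        return "delivered"


if __name__ == "__main__":
    gw = Gateway()
    for sample in (VIRUS_SAMPLE, CLEAN_SAMPLE):
        print(gw.handle(sample))
```

The filename check is deliberately independent of the MIME type, since a client that trusts the displayed extension is exactly the failure the question describes.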
Spoon not. Fork, or fork not. There is no spoon.
Mods?
A formatted computer is a dead computer (and an un-infected computer when it comes back to service, probably with current anti-virus software). An infected computer is a cracker proxy, a spam relay, a DDOS slave.
Also, for a lot of users, it's more damaging to leak information than to destroy the computer. Think of all the bank, credit card, and brokerage passwords that are available by logging the keystream. And, more relevantly, it's far more profitable to the virus writer to receive leaked information than to know that someone's drive was formatted.
Microsoft is producing defective products. The fantasy that the EULA prevents them from being taken to court is all that keeps them from being held responsible for the faulty products they sell. They will stop making defective products when they start having to pay up in legal actions from the bugs and crashes that people endure. Why do people think that an EULA is some magical spell that protects the vendor from the consequences of their actions?
Microsoft also has a history of producing service packs which install more bugs than they fix. Remember the rule of thumb that even-numbered service packs suck? That rule of thumb came from NT4. It holds so strongly that MS won't produce SP2, just things like SP1a.
The real issue is that all these viruses and worms are caused by the operating system monoculture we are stuck with.
My cable modem has been too slow to use for the last two days. I'm running Linux, have no viruses and never have.
Everybody else on this segment of cable seems to have something. As I've called Time Warner telling them about it, they said Sobig is saturating their network, causing slow Internet.
It's to the point that I can no longer access any site from my modem. I get lost packets to the closest router. Thankfully some friendly fellow left their wireless up on a different cable segment so I can beam this message directly to you.
Very insightful and interesting theory.
The government should be knocking at your door soon... hehehe ;-)
Nazi Germany killed over 50 million. 20+ million perished in the Soviet Union itself.
Operating System, Browser, Mail client all desperately want to hide the gory details from the EU.
End Users who dutifully believe that if they aren't seeing it it isn't happening.
Maybe I've just got better trained users. No anti-virus software. (Well, some that's rather old and unupdated that nobody bothers to run) I have to clean up something maybe once or twice a year. I mean seriously, look at them. They are booby traps designed to catch boobies.
If Internet did not exist, or if I lived in a country w/o internet, then I would have a ham license.
But as it stands, isn't ham radio kind of pointless?
The unofficial
What virus do you want today?
Don't believe the parent.
I'm wondering how long 'til such viruses use content-anonymizer networks like freenet to download malicious code (20 hardcoded IP addresses is hardly effective)
The Raven
If we know the 20 IPs, why not just put a version of the uninstall virus on each one? Modified to mitigate the other problems it's caused...
With a baseball mitt.
First they don't even care if they leave Windows vulnerable, then they screw up our power grid. What next, they might even stop buying our junky software anymore. Time to invade, this time they won't have enough Iroquois to stop us like in 1812! Take no prisoners.
OH THE SHAME I fell off the wagon and use sigs again!
I'm amazed that someone doesn't take the time to create a virus that would really go gung-ho. You know its possible.
Ya know, something that exploits as many vulnerabilities in as many operating systems as possible, manifests itself in hundreds of ways (replacing real data with itself), deletes important files, does everything it can to prevent its removal (overwriting a/v software,
blocking fix provider websites, disabling ways people get knowledge about it), spread itself like crazy (via every means possible), and then launch huge and frequent DDoS against as many targets as you can fit in a little black book. Not to mention, systematically downloading more UPDATED AND MORE DANGEROUS copies of itself via an unstoppable self-created P2P network using local, seed, and broadcast hosts.
These virus makers ain't shit! So far...
"Why does a mosquito bite your ear? And who cares. The answer is simple, call an exterminator."
In other words delete the damned thing and be done with it.
Zombies. Some ISPs couldn't be bothered.
Time to invade, this time they won't have enough Iroquois to stop us like in 1812!
Well they might not have any Iroquois but they can sure as hell find some willing Iraqis. =P
Ooh I know but I couldn't resist it.
What they mean by not keeping logs is logs of who READ an article, not who wrote it.
Most articles posted to usenet have the complete chain of every machine that forwarded the message on its path to you right there in the headers.
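As an added illustration of the point above (example code, not from the thread or from Easynews), here is how a defender would read a Usenet article's `Path:` and `NNTP-Posting-Host:` headers to find the server that accepted the posting and the client address it recorded. The article, host names and addresses are constructed placeholders.

```python
"""Recover the injection point of a Usenet article from its headers.

Added example (not part of the Slashdot thread or of Easynews' software).
The sample article below is constructed; host names are placeholders.
"""
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional

# Constructed sample: a posting as a downstream server might receive it.
# Every relaying host prepends its own name to Path:, so the leftmost
# element is the newest relay and the rightmost real host is the one
# that accepted the article from the poster.
SAMPLE_ARTICLE = """\
Path: news.example.edu!feeder.example.net!news.example-provider.invalid!not-for-mail
From: "someone" <someone@example.invalid>
Newsgroups: alt.binaries.example
Subject: (constructed) example posting
Message-ID: <constructed-1@news.example-provider.invalid>
NNTP-Posting-Host: 192.0.2.44
X-Trace: news.example-provider.invalid 1061410522 12345 192.0.2.44
Date: Wed, 20 Aug 2003 17:15:22 -0000

body text
"""

# Tail markers that are not host names (the RFC 1036 "not-for-mail"
# convention and common server additions); skipped when picking the origin.
PSEUDO_HOSTS = {"not-for-mail", "local", "nntp", "postnews"}


def parse_article(text: str) -> Message:
    """Parse raw article text (headers + body) into a Message object."""
    return message_from_string(text)


def path_hops(msg: Message) -> List[str]:
    """Path: elements in delivery order, newest relay first."""
    path = msg.get("Path", "")
    return [hop.strip() for hop in path.split("!") if hop.strip()]


def injection_host(msg: Message) -> Optional[str]:
    """Rightmost Path: element that names a real host.

    Caveat: the poster controls the initial Path: value, so anything to the
    right of the first server-added entry may be forged. Trust the hop added
    by a server you know, not the raw tail.
    """
    for hop in reversed(path_hops(msg)):
        if hop.lower() not in PSEUDO_HOSTS and not hop.isdigit():
            return hop
    return None


def posting_host(msg: Message) -> Optional[str]:
    """Client address recorded by the injecting server, if present.

    NNTP-Posting-Host is the usual header; many servers also repeat the
    address inside X-Trace, whose layout varies, so fall back to the last
    IPv4-looking token there.
    """
    host = msg.get("NNTP-Posting-Host")
    if host:
        return host.strip()
    for token in reversed(msg.get("X-Trace", "").split()):
        octets = token.split(".")
        if len(octets) == 4 and all(o.isdigit() for o in octets):
            return token
    return None


def trace_origin(text: str) -> Dict[str, object]:
    """Summarise what the headers say about where the article entered Usenet."""
    msg = parse_article(text)
    return {
        "relays": path_hops(msg),
        "injection_server": injection_host(msg),
        "posting_host": posting_host(msg),
    }


if __name__ == "__main__":
    summary = trace_origin(SAMPLE_ARTICLE)
    print("relay chain :", " -> ".join(summary["relays"]))
    print("injected at :", summary["injection_server"])
    print("posted from :", summary["posting_host"])
```

Only the hops prepended by servers you trust are reliable evidence; the recorded posting address identifies the machine that connected to the news server, which in the case described here was itself a compromised home PC.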
You will find that the zombies are mostly of the dot kind! And will defend Inet servers to the death with band-aid patches and ductape. Just like anywhere else that there are MS servers, with pimple faced newly certified sysadmins, running the show.
I read the article, and it really startled me. I live in BC and have an Easynews account, and I've been getting Sobig in the mail constantly for the last couple of weeks.
I never open those messages, natch, never use the preview pane, and have an active firewall, but I still had to check my Visa account to make sure.
I suspect that I'm not the only one who was scared by this, and that, in the final analysis, is a Good Thing.
www.kitchengeek.com -- Nosh for
Send a message to test.net@abuse.net and follow the instructions to sign up for the abuse.net service.
You can then send a message to swbell.net@abuse.net and they'll do a lookup of the best address to send spam complaints to (this would more or less qualify).
If you're not willing to do that, then you can always use the default of: abuse@swbell.net. Most sane domains will have some sort of response from abuse@thatdomain.com (it's specified in a couple of RFCs).
Free Software: Like love, it grows best when given away.
Microsoft writing their own software. Most of the software they put on the market is purchased. The only commercial code is "glue" to the various pieces of technology they've bought.
I Browse at +4 Flamebait
Open Source Sysadmin
I don't use antivirus software. I just go to work to find out what's out there, and what's roaming around the net. If there is a worm or a virus, someone within our company will open it, or it will get through whatever crap they use for a firewall. (I am a low level employee of a major tech company that is a spin off of another major tech company--think big merger within the last year for a clue). We have lost production a couple of times this year -Slammer, Blaster. If I can open my E-mail, my mailbox is usually full of the net's latest and greatest. See, it's fun to go to work for $11.00/hr. I am just glad we have 80k+ engineers at our company that can offset my antivirus costs.
I'm glad I didn't use slashdot tradition and use it as an excuse to insult you as well
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Well said, but perhaps this isn't about making a high quality lock, how would the anti-virus folks make any money if everyone had really good "locks"?
A massive outbreak of nasty worms and virii every couple months gives them tons of free advertising and must help out sales by a nice amount. Hell, it probably doesn't cost much to have a 'good' virus written, especially if your quarterly reports need a nice boost...
I don't even get any spam.
Radiation isn't a problem with current nukes...
In the past, there was a spammer who used our domain's name as a fake From: header to send some amounts of spam - he was shut down, but that fake mail address remained on thousands of computers. Then came Sobig.F, dug for addresses, and now we're getting about 2000 hits per hour from various MXs trying to deliver Sobig to this address. A few days ago I thought that spam filters could be the definitive solution to spam. Well, not really.
People who like this sort of sig will find this the sort of sig they like.
Is this the next "all your base" ?
"It is a good divine that follows his own instructions" - Portia, The Merchant of Venice
Ok, I'll say it, I'm proud of Sobig...well not really, really I'm pissed but I am impressed. This is the first one to get to my no-spam secret mailbox. I never get email from viruses, spammers, etc. because I've been very careful not to hand out my mail to anyone but friends and to only use it for personal correspondence. I then have a spam trap address that gets everything else. Sobig defiled me though and I now get 100 emails a day. Not only that but I get bounces from emails of SoBig that neither me nor any of my computers sent (I checked my poor work and games computer (the only wintel machines I've got) thoroughly after receiving them). So although I hate you whoever you are and think your license to life, liberty and the pursuit of happiness ought to be revoked even if you are Canadian, I am impressed by the sheer evilness of this bitch.
FLAG THIS as CONSPIRACY THEORY, but these worms are written so well, and do so many behind the scenes things, and the ANTIVIRUS programs stop them SO WELL....
Has anyone actually stopped and thought that maybe, JUST MAYBE, the antivirus software companies are WRITING, or playing a part in creating (i.e. hiring people willing to write the virus if they release the source code to the ANTIVIRUS software company beforehand) these worms, viruses, etc?
It occurs to me every time one comes out. Otherwise, what do people get out of this?
JIM: HAH! I brought the internet to its knees and caused countless IT people HOURS of work! THAT will teach my IT GUY to not let me have AIM installed on my WS!
MIKE: THAT'S NOTHING! I wrote a virus that sends itself to everyone in your address book! It should keep sending itself to infinity! THAT will teach little-girls.net to cancel my account!
I mean, unless the antivirus software companies are involved, it has to be SOMETHING pathetic like the conversation above....what do you get out of it?
Dude, you just scored +5 Flamebait, forget Darl, you're my new hero!
It's a bit like this URL, which represents a Google query returning 0 hits today, but after posting this message, the author of this message can dynamically change the action: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%2B%22Late+Binding+Virus%22&btnI=I%27m+Feeling+Lucky
-- The author
My thoughts about possible "improvements", from my yesterday's post:
Too bad for the virus that it depended on this list of servers to update. However, there are reports that it also contains a backdoor enabling updating it. Here is my worst case scenario for what could happen further:
1. The authors of the worm quickly release a new worm, which uses the same methods to propagate and whose main purpose would be to scan IPs for already infected computers and update them to the new version.
2. New versions of worm contain a strong encryption key to recognize next updates. They also contain a block of "secret", encrypted payload code, key to which is contained in update. This way this block can be instantly run right after getting key in update, without waiting to download whole update, speeding things up.
3. New versions do not depend on fixed port numbers for communications, which can be easily blocked in routers. Instead they listen on number of random ports and/or intercept commonly used ports which cannot well be blocked globally.
4. The IP of the previous computer in the infection chain is kept by the infected computer; it also actively scans ports for other infected hosts and keeps a list of found IPs. This list is also encrypted, with the key coming in the next update. When the next update comes, the list is decrypted and the update quickly forwarded to all computers in it with the previous version. This distributed network is similar to current p2p networks and makes global updates very, very fast and impossible to track beforehand.
5. New versions will continue to use email scams and windows security holes to continue spreading.
So now we have global network of infected computers that can be quickly updated by its controllers to stay ahead of any countermeasures that security people may think of, all continuing to spread and containing a secret payload which could be triggered even faster than update.
(cue final scenes from Terminator 3)
I don't think even most of the posters really get the GRAVE SERIOUSNESS of the current situation.
Because of nonexistent security in the most widespread OS used on computers, general cluelessness of its users and poor design of the Internet protocols themselves, we have a situation where a very large percentage of hosts on the Internet, essentially THE Internet, could be TOTALLY CONTROLLED by one person, and nothing to be done about it.
I'm saying it again, and I'm not an alarmist type of person - but these could be the LAST DAYS OF THE INTERNET as we know it.
The most dangerous attitude I've seen on the forums here is "I run Linux/BSD/Whatever and it does not affect me". Can't you realize that once this kind of control is gained on the net, IT DOES NOT MATTER which OS you run when the Internet itself will not run anymore?
This is the time for all of us who understand the problem to go and explain it to everyone we can, before propaganda from Microsoft irreversibly dooms the net by making automatic updates (read: obligatory security hole) a requirement in its OS.
Also strong pressure should be put on abandoning current email protocol and converting to some saner, more efficient and more secure system. There are several proposed.
That would make the virus writer much easier to track down, because he has to receive that data somehow. And with the hefty jail sentences being threatened, I think covering your trail is the #1 priority for any virus writer.
I would say the most damaging thing a virus can do is destroying the user's documents
...the frustration of working for a company whose IS department refuses to do a good job. Once in awhile I send them an e-mail about security concerns and the like...and I'm pretty much ignored... They don't even let us change the date/time on our computers...and they always miss daylight savings...
I just logged on and saw that I received three SOBIG viruses. The funny part was, one email didn't have the .PIF attachment, but was the SOBIG virus in every other way. One email was allegedly from major-domo@cert.org!
I don't make grammatical or spelling mistakes on my post-it notes, because I'm not an illiterate fuckwit. I do make typos on keyboards every so often, and so I check for them, because I take pride in what I write. My opinion is worth something, so I make it look like it's worth something.
The problem is that you'll be running the virus junk through the spam system and polluting your corpus.
If that's what you want to do, then you'll get what you deserve.
Actually, considering the antitrust trials, backstabbing of partners etc., they have probably stolen most of it, not bought it.
First geek to start on "Blame Canada" gets bitch slapped with an CAT5 patch cable...
im glad im not an American
i had a hollywood moment the other day.
at home i run a couple of apple machines, so i normally don't pay much attention when there's another "virus will end the world" news article, but i did read an article about blaster.
i was on a client site last week, sat with a customer working at her laptop when the "shutting down in 60 seconds" box popped up!
immediately, i started thinking about the article. "you've got blaster" i said, and tried to remember what the article said about stopping the shutdown. it was like one of those movies where the guy has to cut the right coloured wire against the clock! with about 10 seconds to go, i remembered what to do and popped up the command prompt and entered "shutdown /a" to abort the shutdown. i then googled for more info, found the critter and removed it from her machine.
of course, their admin guy blamed my (patched) laptop for infecting their network (which was totally beside the point that she'd had 4 viruses in the past 3 months and a guy in the next room had 2 in the week that i was there!)