Microsoft "Swen" Worm Squiggles Into Sight
greenhide writes "As forecast in this story, a new Microsoft worm has indeed wriggled to the surface. The W32.Swen's claim to fame is its professional looking email advertisement that pretends to be a fake Microsoft patch. Earlier viruses have made the claim, but none of them looked this good. It appears to have infected over 1.5 million machines. "
That's one hell of a virus.
I suggest all Windows users go to http://www.knoppix.net/ and burn the CD.
If you use Linux, please help development of Autopac
It's been flooding my mailbox for more than a day now. Grr...
of those machines seem to have sent it to me :(
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
After all these worms and virii are hitting MS boxen from every angle, there still aren't mentions of alternatives from major news sources. The Dallas Morning News, last week, had at least a casual glance by saying in one line "Macintosh users are unaffected".
Why aren't Linux and Macintosh turning this into a big propaganda opportunity? Both OS's can hold up the 'come to us, we've had our shots, we'll never get worms' flags and pray that the big media mentions it.
That's kind of funny, although it seems that this virus requires user interaction in order to spread, so we can't really blame M$ for this one :P
autopr0n is like, down and stuff.
At work, they have duped over 5 of my colleagues...even AFTER the email went out saying that it was going around. Well, make an OS that any idiot can use, and only idiots will use it, I guess...
My problem with all these worms is that it doesn't do anything after it propagates, so no one will really care except bandwidth-conscious IT people. It should send itself out, then erase all the FAT tables on a hard drive.
Or deltree the c:\winnt or c:\windows directory (or both).
That would REALLY piss people off, who would demand that they do something to make sure that not happen again...like...I dunno...Linux or OSX?
Just a thought...
All of the big internet 'epidemics' so to speak (I Love You, WBlast, and so forth) have completely missed my system. I've been a Windows user for a long, long time and I don't think I've ever received an email containing a virus. Maybe my ISP just has really good filtering... or maybe the viruses only go after American domains... Weird.
The fake update has made it to Windows Update itself. Here is the name: "Recommended Update for Windows Rights Management client 1.0."
Do not download, it's only there to own your system.
The virus needs user interaction to propagate. Hence it is an e-mail virus. Only programs that propagate automatically are worms. One cannot necessarily expect the Washington Post to get such technicalities right. However, it would be nice if at least /. used proper terminology.
Then again, if it did, it wouldn't be the /. we know anymore, would it...
On the bright side, deliveries of unrelated spam seem to have fallen due to the worm's load on the internet :-)
I was happy to get this e-mail from Microsoft so I could apply a cumulative patch. I'm usually so bad about patching my system in time, but this time they took the trouble to remind me personally!
No more worries for me!
I was wondering why Microsoft would send an update to me, a Linux user :p This has been crowding my inbox for the last few days
History will be kind to me, for I intend to write it - Sir Winston Churchill
Nobody at my work saw a single sobig email. However we don't run our mail server (not that anybody else did either actually). So now I can imagine yet another 2 weeks of sending and receiving only half of what is actually being transferred...
In fact just friday I received the tail end of email bounces from a week and a half before.
Five of 'em in one day. Of course, the rest will go into the trash automatically, but it was an interesting experience finally catching a taste of the "commoner" internet.
Hypothetical advertisement: "Hey, we're Macs, and we don't have viruses."
I guarantee you that every virus writer and his(/her?) grandmother would flock to OS X and start writing viruses with reckless abandon. Apple, Linux, Amiga, Commodore 64, and whatever other less-used operating system is probably perfectly happy to have its users sitting fat, dumb, and happy and not bragging about it.
"Diplomacy is something you do until you find a rock." --Richard Pound
I can't help but feel that people have accepted the fact that Computers in general get Viruses. People complain about Windows, but Windows, to most people, is the only solution. So for them, the concept that Windows gets hit with so many viruses means that users in general get hit. No matter the OS.
I was explaining the other day to one of my business partners not to install this virus, and to delete it right away if he gets it.
He asked me if my computer was infected, whereby I had to explain once again that running Linux, I generally don't have to worry about things like this.
But the point is, for him, computers just get viruses. And because of that, I believe that most people are thinking: "Hrm, my computer got a virus.", not "Windows let another Virus through."
So the majority of the people that aren't really computer illiterate (the majority), don't really know what to think when people tell them Linux is more secure.
Because for them, it's still running on their computer, and their 'computer' got a virus. It's just their mentality. Of course, this is simply my opinion.
Jason Lotito
You know that if the situation in Terminator 3 (virus spreads over majority of systems) were to ever happen, it would happen as a result of having a massively homogeneous computing environment. I really think that we should stop teaching kids how to use Word and Excel in middle school, and start teaching them how to install their own linux systems. We could create an army of informed computer users, something that Microsoft fears the most.
The Ro Factor - Jeep/Linux Weblog
I was waiting for a slashdot story to tell me why I found 500 'patch' emails in my inbox over the weekend.
Microsoft has such a marketshare and such control over the media that to most average people, Windows IS the PC. There is nothing else; if you tell them about Linux they will say "What's that?"
Kinda like how Apple was the PC in the 80s and no one knew about anything else.
If you use Linux, please help development of Autopac
well as long as you know that MS are greedy, you should notice that it's a fake mail, would a greedy company offer a patch or even a virus for two versions that it no longer supports (win 95 & 98) ;)
Solid Splash design
So, I have received a number of these (thank goodness I am running OS X) and it appears that the "notification" also contains html. So, examining the html, it appears that it actually references microsoft.com.
If I were microsoft, it appears there is a simple way to defeat this by inserting html in the referenced source that warns recipients of this sort of thing.
Visit Jonesblog and say hello.
Social Engineering + Professionalism + Virus = One Fun Monday Morning
Karma: Can only be portioned out by the Cosmos.
Please don't get me started....
I feel pretty damn safe under Linux, how do you feel worrying about when the next worm will take over your entire machine?
Gee, since I've never been infected by a virus or worm, and I've been using Windows since forever (both client and server side), I don't feel I have that much to worry about. Since I'm pretty confident I know how to use a computer and all its associated software properly, I don't think that Linux is that "magic snake oil" that will solve all my problems.
BTW, I don't use Zone Alarm.
I got a copy last night from 2 different senders; both were caught by my wonderful ISP who filters for viri and removed the attachments. Seeing how it couldn't affect me since I run Linux I was quite happy anyway they do that. The Microsoft email does look quite good BTW; I took a look before it hit the bit bucket. Both emails were from California (The Bay area.)
As you can see I don't care about my karma.
This is from the creators of Sobig. They are trying to get as many venues to send spam as possible. Once the login/password + smtp info is gathered, it is sent to them and they now have a massive list of credentials to bombard the rest of the world with.
....because they're noticed too quickly. If you destroy your host immediately you're not going to propagate too far, now are you?
Yes, you could make it a little more complex with time-outs or a way to select certain targets as hosts for more sending and others to destroy, but it wouldn't last and last like some of the recent worms, because its effects would be so noticeable.
This worm looks like a clever attempt at developing a new spam system.
It asks for the infected users name and email address. Great information for sending spam to.
It also asks for the users SMTP server, login name, and password. The spammer who developed this worm is looking for a way to use closed relays.
This worm is missing only 3 features, currently unreported, to be perfect. First, it should log this information and forward it in some anonymous manner (such as sending it to a few thousand people, one of whom is the desired recipient), second it should develop not only a list of email addresses, but also a map of who opens email sent to them by whom (so you can be sure the spam gets through), and third it should turn the compromised computer into a distributed SPAM network relay.
This type of trojan has been around for a while. I've been getting fake MS e-mails for almost a year now. Official Microsoft statement that we give people on the phone: "Microsoft never sends you files via e-mail unless you are on the phone with support personnel and they specifically say they are e-mailing you something." 99.99999999% of the time, if MS e-mails you it will only direct you to their site to READ about the purpose of the patch and then download it. Also all MS security bulletins are digitally signed.
I've gotten this over 80 times now. It has a few typos though, so falling for it would be dumb, to the point where if you did, you deserve it.
However, this is bad, because it is bogging down the mail servers and the 'net in general, as well as filling up the mailbox and possibly causing legitimate emails to be kicked back because of a full mailbox.
On a lighter note though, I'm using this as a means to judge how smart my relatives are.
Or he patched it when the vulnerability was originally released, OR he is behind NAT, or any other way the worm wouldn't have a clear shot at 135.
:)
Zone Alarm is not the be all and end all of worm prevention
I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.
Network Associates has some screenshots of the installer http://vil.nai.com/vil/content/v_100662.htm
It's a very good idea these days to just reject all executable attachments at "the gates" so to speak. I use postfix 1.1 so I added:

body_checks = pcre:/etc/postfix/mime_header_checks

to /etc/main.cf where the file referenced came from here:

http://www.securitysage.com/files/mime_header_checks

but there are many regular expression filters like this one. Note, with 2.x you need to use the 'mime_header_checks' directive rather than 'body_checks'.
If you want to send someone an executable, send it to them in a zip or tar.gz.
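As an added illustration of the gate the post above describes (this is example code written for this page, not the poster's postfix configuration and not the securitysage ruleset it links to), the following Python performs the same check the way a content filter would: it walks the MIME parts, takes the filename from either the Content-Disposition or the Content-Type header, and rejects the message if any attachment carries an executable extension. The extension list, the addresses and the sample messages are constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions rejected outright. This list is an assumption made for the example;
# it is not the securitysage pattern file referenced in the post.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".lnk", ".reg",
}


def attachment_filenames(raw):
    """Return the filename of every leaf MIME part that carries one.

    get_filename() consults both the Content-Disposition 'filename' and the
    Content-Type 'name' parameter, since mass mailers use either to name
    the payload.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def _is_executable_name(name):
    # Compare case-insensitively on the final extension, so "Update.EXE" and
    # the double-extension trick "patch.txt.pif" are both caught.
    _, ext = os.path.splitext(name.strip().lower())
    return ext in EXECUTABLE_EXTENSIONS


def executable_attachments(raw):
    """Names of the attachments that would trigger a reject."""
    return [n for n in attachment_filenames(raw) if _is_executable_name(n)]


def should_reject(raw):
    """Gate decision: True when the message carries any executable attachment."""
    return bool(executable_attachments(raw))


def _build_sample(filename, payload):
    # Constructed sample message for the demonstration; not real worm mail.
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Latest upgrade"
    msg.set_content("Please install the attached update.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLE_EXE = _build_sample("Update.EXE", b"MZ\x90\x00")
SAMPLE_PIF = _build_sample("patch.txt.pif", b"MZ\x90\x00")
SAMPLE_TXT = _build_sample("notes.txt", b"nothing to see here")

if __name__ == "__main__":
    for label, sample in (("exe", SAMPLE_EXE), ("pif", SAMPLE_PIF), ("txt", SAMPLE_TXT)):
        verdict = "reject" if should_reject(sample) else "accept"
        print(label, executable_attachments(sample), verdict)
```

The same decision can be wired into any MTA's content-filter hook; checking the parsed filename rather than a raw regex over the body also survives header folding and RFC 2047 encoding of the name, which a body_checks pattern can miss.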
that's how many of these emails i've gotten.... does it send one email to every alphanumeric combination?
Remember this as well most people don't run all that stuff. Also lots on that list are subject to "local" exploits not remote exploits. The ssh exploits are the current baddies. Servers that run console only don't usually install xfree at all certainly not Mahjong and kdebase. It's not like Microsoft where the kitchen sink is installed and it's all enabled.
As you can see I don't care about my karma.
off to microsoft update. i sure hope there's a... oh.
"There are no critical updates available at this time. However, Windows Update has found other updates for your computer. To browse through these updates and select the ones you want to install, click a category title in the list."
well, let's see here. "Microsoft Windows Journal Viewer", "Microsoft .NET Framework version 1.1", "Root Certificates Update", "Windows Media Player 9 Series*", "Update for Windows Rights Management client 1.0" and some update for "IPSec and L2TP/IPSec."
Well, as it turns out, i am either already patched against this new threat, or i'm hopelessly open to losing it all. yippy!
You are confusing me with someone who cares.
Um no. You could defend against the RPC worm a variety of ways.
1.) Applying the patch
2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion. But it isn't your only protection.
3.) Using a hardware firewall which blocks the RPC port anyway.
The only defense is to stay vigilant and be smart about computers. Just because someone is using linux doesn't make it secure. No matter what Operating System you are on, you have to be somewhat proactive in protecting your computer.
There goes my bandwidth ---- again.
Big Brother Bush is doubleplus ungood.
...Excusemeee? HellLOOO? Virus author guys? Remember the golden glory days of Jerusalem and Eddie/Dark Avenger? Back when the motto was "The smaller the better"? Back when anti-virus makers unceremoniously categorized everything above 8 kilobytes "huge and technically uninteresting"?
Me, here just went over severe headaches of Sobig with its interesting effects on my 50M quota on the mail server... It wasn't nice to delete 20 megabytes of virus spam twice a day. Sheesh.
*sigh* There it goes again. Let's see how many terabytes of this crap I find from my box this time and how many zillions of bogus bounces and "thoughtful" anti-virus failure notes this will generate.
Oh no, this multi-talented worm is:
But wait! There's MORE! It has its own SMTP engine. It attempts to halt anti-virus processes. It alters the registry AND THEN it even disables the ability to edit the registry!
Quite a nasty beasty really. And even for us nice safe Linux/BSD users there are issues. Clogged mailboxes are at least a nuisance, at worst a huge bandwidth cost. Those on dialup or limited broadband access where you pay for d/ls and uploads will notice it!
So even those of us cheerfully NOT patching frantically have consequences. The celebrations of yet another MS problem are a bit premature it seems to me. I'd rather see more outrage that such an inherently insecure and easily manipulated OS is costing ALL of us online.
Nothing - well thats something.
There are several reasons what you said was just plain wrong. There were a lot of ways to avoid the RPC (MSBlast) worm. First, you could have patched when the patch was first released. It pre-dated the worm by several weeks. Second, you could have been running the built-in XP firewall. Third, you could have been running a 3rd party software firewall such as ZoneAlarm. Fourth, you could have been behind a firewall on another box or behind a hardware firewall. Fifth, you could be behind a NAT box that is set not to pass incoming connect attempts to the LAN side (which is the default setting for the 3 home routers I have owned). Doing any one of these would have dropped the likelihood of getting the RPC worm to zero or near to it (e.g. it's perfect until an infected machine is hooked up behind the firewall). How are people who took one or several of these steps lucky? I have 3 Win boxen among the computers on my home network, none got infected. Though my router was catching about 5-8 infection attempts a second.
I'm sure there is an equivalent fix for sendmail. If you are running MS Exchange, the best way to fix your server is by taking a knife to its network cable.
-- Will program for bandwidth
The W32.Swen's claim to fame is its professional looking email advertisement that pretends to be a fake Microsoft patch.
So..if it pretends to be a fake MS patch, does that make it a real MS patch? Or does it pretend to be an MS patch which doesn't do what it's supposed to? Or...
Sorry, we have had to stop this live edition of talking crap, as Dave's head has exploded
Man, my email box is FULL of this shit. I feel like charging Billy Gates for the next excess bandwidth costs. Seriously, I've received HUNDREDS of these fucking things. The only consolation I can take is that it must be fucking SPAMMERS that are getting the virus, because I simply don't have this many friends :)
This has prompted me to uninstall exim, and install sendmail / mimedefang / spamassassin. Let's see the fuckers get through THAT!
Some guy tracked the hidden counter inside the virus and posted the numbers: http://smharr4.dnsalias.net/security/index.html Pretty neat.
And on another issue, where's the button in Windows Update that says, "I don't want to add this patch ever, so stop bothering me!"? Looks like as long as I use Windows Update in the future, I'm going to be stuck having to look at this offered DRM patch, and that I'll always have to remember to refuse it.
I'm generally "Interesting," "Insightful," and even "Funny" here. What the hell happens to me at parties?
Only few of these holes are remotely exploitable, moreover if you have a firewall, you will probably only suffer from ssh leaks, maybe also from apache/PHP leaks. Sendmail should - to my mind - be replaced by qmail/postfix except in certain, special circumstances.
Most linux holes are local exploits, that means, someone has to have already an account and can use these security holes to gain root privileges. For most users this is not that dangerous. But nevertheless patches for local exploits should be installed.
If you were using XP and you didn't get infected by the RPC worm you were lucky. The only way you could defend against it is Zone Alarm.
Lucky? Zone Alarm?? Well, at least you were able to show that you really don't know much about Windows (or at least not as much as you think you do).
-- Kircle
and it says it on the page as well... "Thank you for using Microsoft products". :):):):):)
I know...it's a little mean :) That's one reason i'm on a Mac.
I don't understand how people think this virus looks professional. The text is filled with typos and garbled and confusing to an experienced computer user like myself; it must come across as utterly incomprehensible to an inexperienced computer user. A prestigious software developer like Microsoft would never design such a crappy interface!
I motion that we start prefacing with the word "Microsoft" ALL worms and viruses that use Microsoft software vulnerabilities.
A little reading comprehension would help, guys. There's a big difference between an annoying virus that gives you lots of email and a worm that takes out the internet.
Seriously, I didn't get a single lovebug, or anything like that. The only thing I've ever got is one copy of sircam.
I've had 350 of this bugger though. So much for being unaffected running linux - 50MB in 24 hours is around 600 bytes per second. I feel for the dialup user.
Sure I can filter them, but only after they get to my inbox.
Mah-Jong? Somebody can take down my Linux box through Mah-Jong?
If you get all the retards that will install anything they receive by email onto Linux, it will happen there too, no different.
Give a man a fish, he'll eat for a day, but teach a man to phish...
Disable DCOM?.
But this thing is not a worm, but a virus. It can't survive without the naivete of the clueless user. That problem might be solved by providing a leaflet for buyers of new computers, which will contain information such as:
And it's not the first virus that fakes MS advisories. There was at least another one that I received. It looked like a real advisory and even included a link to the IE advisory page ("for more information..")
Slashdot community, please notice: I am looking for a girlfriend.
Nave H. Weiss
follow up with several clever FAKE bounced e-mails also containing it. I've been getting about 10 per day (total) for the last 3-4 days now, at an e-mail address I use to sell on eBay.
The "patch" e-mail looks very real, but of course I'm not stupid, and the e-mail address is obviously fake. I NEVER open e-mail any way but as straight ASCII text, no matter who it is from. And I NEVER open attachments, from ANYONE!
I wonder what the return IP address on the mail is... wouldn't users be able to see the SMTP headers so that they would know that M$ did not send it to them?
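An added example, not part of the original thread, that answers the question above in code. The From: address is just another header the worm's own SMTP engine can write, but every relay prepends a Received: line of its own, and the lines written by servers you control record the IP that actually connected. The script walks the Received: chain from the newest hop downward and stops at the first line not written by a trusted relay, so a forged Received: line planted at the bottom is ignored. All hostnames, addresses, IDs and the trusted-relay set are made up for the example.

```python
import re
import email
from email import policy

# Hosts whose Received: lines we believe. Assumption for the example; in
# practice this is your own MX and any internal relays behind it.
TRUSTED_RELAYS = {"mail.example.net", "mx.example.net"}

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
FROM_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample. The top two Received: lines were written by the
# recipient's own servers; the bottom one was forged by the sender, and the
# From: claims to be Microsoft. Nothing here is a real message.
SAMPLE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Thu, 18 Sep 2003 09:00:02 -0000
Received: from claims-to-be.microsoft.com (unknown [198.51.100.77])
\tby mx.example.net with SMTP id def456; Thu, 18 Sep 2003 09:00:01 -0000
Received: from mail.microsoft.com (mail.microsoft.com [203.0.113.5])
\tby smtp.microsoft.com with ESMTP id ghi789; Thu, 18 Sep 2003 08:59:00 -0000
From: "Microsoft Corporation Security Center" <security@microsoft.com>
To: victim@example.net
Subject: Latest Net Security Upgrade

Install the attached patch.
"""


def received_hops(raw):
    """(connecting_ip, receiving_host) for each Received: line, newest first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())      # undo header folding
        ip = FROM_IP.search(text)
        by = BY_HOST.search(text)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def originating_ip(raw, trusted=TRUSTED_RELAYS):
    """IP that connected to the outermost trusted relay.

    Walk down from the newest hop while the receiving host is one we trust;
    anything below the first untrusted line could have been typed in by the
    sender, so it is never consulted.
    """
    origin = None
    for ip, by in received_hops(raw):
        if by is None or by.lower() not in trusted:
            break
        if ip:
            origin = ip
    return origin


def claimed_sender(raw):
    """The address the message asserts in From:, for contrast."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].addr_spec


if __name__ == "__main__":
    print("claims to be from:", claimed_sender(SAMPLE))
    print("actually connected from:", originating_ip(SAMPLE))
    for ip, by in received_hops(SAMPLE):
        print("  hop:", ip, "->", by)
```

With the sample above the From: says security@microsoft.com while the connecting client recorded by mx.example.net is 198.51.100.77, and the forged bottom hop claiming 203.0.113.5 never influences the answer. Most mail clients can show these raw headers ("view source" or similar), so an end user can do the same check by eye.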
What about before the vulnerability was released? He was still vulnerable to it back then.
I'm not saying I've never been caught with my pants down, the recent ssh bug caught me with my pants down, I'm just saying patching is not a way to secure your machine, you need to do a bit more than that.
I've managed to not get hacked/infected even when I didn't patch in time because I know how to secure my machine in other ways.
If you use Linux, please help development of Autopac
So, what happens when the user gets an email that looks like it came from support@apple.com and it tells them to install a binary file?
Same damned thing.
You can't patch the vulnerability that sits between the keyboard and the chair.
Although Microsoft has tried. Anyone running a version of Outlook released in the past 2 years can't open the binary attachment that this worm sends. If that was attempted elsewhere people would be crying bloody murder.
Fortunately, I am covered on three accounts - I use OS X on the client, I use Linux as a mailserver, and I run SpamAssassin on that server.
Bloody irritating though.
Cheers,
Ian
In the last few hours I started receiving a new one I believe. This one attempts to autorun in outlook using the html view flaw.
Got Code?
The article said just viewing the email infects you.
Knowing Microsoft and their bugs in their mail client, the best way to secure your machine is to stop using Microsoft products. I don't use IE, I don't use anything Microsoft but their Windows OS itself. I remove as much of their junk as I can and I run my own stuff like Mozilla.
In Linux everything is open source so at least I can look at the code and know what software not to run; don't run poorly written software and don't run servers.
If you use Linux, please help development of Autopac
Has Linux based Virus scanner that can update itself to scan hard drives for known viruses. That way if Windows goes Wonky, boot to Knoppix and do a virus scan to see if you got infected.
That way you won't risk running an infected machine on the Internet and infect others.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
But this isn't exactly biological evolution we're talking about here; if one worm "goes extinct" by wiping the hard drives on its fifty million hosts, there will still be crackers waiting to use new code (or the same code patched for a new exploit) for the next worm.
And even if the theory that destructive worms wouldn't spread as fast as non-destructive worms is true, it's not an explanation for why we haven't been seeing non-destructive worms. It's not as if criminals initially tried to exploit the RPC hole with a destructive worm and failed; the non-destructive worm was the only one written to begin with. I'd be very curious to know why - system crackers with a conscience?
With operating systems as complex as they are today, I don't think it's necessarily fair to target Microsoft in the way many Slashdotters do. The major reason for viruses targeting Windows has to do with its dominance. Sure, MS often makes some boneheaded decisions, such as the data=program in email philosophy, but then the worm described today is based on social engineering, other than specific technical, as opposed to philosophical, bugs. If Red Hat, or SuSE, or Mandrake, or Gentoo, or Xenix, ever become the dominant OS, you can expect every mistake the FOSS community makes to be punished as much as Microsoft's.
You are not alone. This is not normal. None of this is normal.
But they claim that it is really a virus. So how can you differentiate between the two?
It depends on your security patches and whatnot -- Me, I open every email I get, and I haven't received a single virus infecting my Windoze box.
Maybe that's just me.
Give a man a fish, he'll eat for a day, but teach a man to phish...
..that pretends to be a fake Microsoft patch
:)
There's something patently wrong in this sentence, but I can't quite put my finger on it...
Maybe it just confuses me on so many levels
Bot Assisted Blogging
Gee, since I've never been infected by a virus or worm, and I've been using Windows since forever...
So what you're saying is that you've never connected a Windows machine to the Internet.
The cover letter is expertly crafted and damn convincing.
Please explain to me how someone new to Linux couldn't be successfully conned in much the same way.
"I feel pretty damn safe under Linux, how do you feel worrying about when the next worm will take over your entire machine? How do you feel about viruses, hows that Zone Alarm treating you?"
How do you feel when you walk into Electronics Boutique?
"Derp de derp."
"I feel pretty damn safe under Linux..."
You shouldn't. You have to keep it patched too. I built an Apache server and it was rooted within 2 weeks. (Note: I'm a Linux newb who didn't know any better.)
Persuade your ISP to use IMAP (or pay for the service yourself), and you don't need to download messages you don't care about. Plus, modern clients like Mozilla mail and KMail can even download partial messages, so attachments are not downloaded unless you actually open them.
as are those of you, who use somewhat intelligent clients.
...
I have one account that's on the receiving end of this worm, and I can only access it via webmail. A slow webmail. When I only have 20 messages (in all) it takes 35 seconds to load the page; when I have 472 unread messages it takes waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay too long to load the page.
Oh, yeah - it gets better. I actually need this account, as it's the main communication with the rest of the school. Oh, yeah - a bunch of administrators who don't give a rat's ass about this, and don't see the need to do a virus scan on the server - even though the university has 15,000 users, 5,000 computers (~4,000 running windows), hot spots in all buildings and gigabit internet. I can't wait for just one computer to get infected and set off a violent chain reaction.
Oh - just to spice things up - the university lent a helping hand in knocking the root servers off the internet a while back, but hey - that's okay - it's not a problem for the administrators, because "we're using unix, so we aren't in harm's way", which was an actual response, when I called and gave them a heads up yesterday morning, when I received 124 emails in an hour
We do not live in the 21st century. We live in the 20 second century.
W32.Swen is really aggravating me over here. In the past few days I've received over 1000 copies. And I'm not terribly happy about it. I'm probably averaging at least 100 per hour during the day, and about 300 at night (when my primary e-mail system is offline).
The really irritating part? My _entire_ network consists of one OS/2 box (the e-mail client machine), and three Linux boxes. Not a single one can be infected by this virus, and not a single one could propagate it (unless I explicitly wanted to do so, which I don't).
Now thankfully I'm on a pretty decent cable modem service here (really good speed), bogofilter was quickly trained to detect and toss these messages into a SPAM folder (where they quickly get deleted), and my mail client (PMMail/2) has a remote control feature that allows me to scan message titles on the server and delete the messages without downloading them.
But still -- imagine if this weren't an immune OS/2 machine, but one of the Windows machines that could be infected. I could very well be propagating these as well. But because of my good choices in OS's, I don't.
Thus, I think I'm doing a public service by _not_ running Windows and propagating these viruses, but instead act as a sink to prevent them from propagating. My machine is the end-of-the-line for these viruses -- even though getting thousands of e-mails is highly annoying, my machine (in effect) "kills" the ones I receive, causing their propagation lines to end.
I think Windows users on the Internet owe those of us who run other operating systems, and they owe us big. They can start paying up by PROPERLY PATCHING THEIR SYSTEMS!!! (Stopping sending me $^&*%^&!! hundreds of copies of W32.Swen would be really helpful as well).
Yaz.
Microsoft Ease + Linux Secure = Mac OSX
Apple should be advertising this!
-- As soon as I have an interesting sig, you'll be among the first to know!
No, it's not just you. Same here. Me too!!! I open every e-mail and run every attached executable, even if I don't know who it is from. And I've never had my computer affected with any virus or worm or trojan or whatever. Sure it crashes now and then, but all computers do, and sometimes I can't find my files... I probably didn't save them right in the first place or forgot where I put them. When it all gets really bad, the kid next door comes and fiddles with it, re-installs my system.. or something like that.. but that's just normal too.. windows has always been like this for me. And it's the best OS around, so thank god I don't have something worse.. like one of those hobby play operating systems!
For me, though, linux can't eliminate the big problem for me: my email inbox reaches its quota pretty fast, and it takes a while for POPfile to junk all the virus emails.
"Classified as a worm because of its ability to copy itself without infecting host files..."
What a bunch of morons!
Let's look at what distinguishes a Virus from a Worm:
A virus requires user interaction to spread. A virus can be a self-standing executable (such as Swen) or it can infect other files such as .exe and .doc files so that when they are launched or opened the virus will then spread further.
A Worm is self propagating and does not require any user interaction to spread. Worms rely on holes that exist in the underlying operating system to inject their code into applications already running in memory. Once they have infected the target machine, the worm will then self propagate to other similarly unpatched machines.
With this simple definition, where do they get off calling swen a worm, when the swen virus clearly requires some dumb schmoe to click on the executable file that is included as an attachment in an email? Once the genius launches the bogus.exe file, it then searches the newly infected machine to harvest email addresses to send itself to. There is no 'automatic execution' of code here.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Seems to me that certain moderators don't have any idea what security means.
Windows has a lot of viruses because it is so easy to execute a program and infect the operating system.
The more restrictions you put on that access, the more difficult you make it for a virus to spread.
Unless you're running as root, 99% of Linux users have nothing to worry about from viruses. The viruses cannot effectively spread themselves. That is why the "Linux viruses" you see are only in the labs of the anti-virus vendors.
It doesn't matter how many people are writing how many viruses.
All that matters is whether a virus can infect and spread.
A well designed operating system security model will prevent the infection.
If the infection is prevented, the virus cannot spread.
"After all these worms and virii are hitting MS boxen from every angle, there still aren't mentions of alternatives from major news sources."
It's not up to the news media to mention alternatives, they're supposed to report the facts. Likewise, when they report the recall of, say, Ford Explorers, they don't report Cheverolets and Hondas as alternative cars. They can mention alternatives in editorials, and last I looked, they do.
Dear Microsoft,
Thank you very much for sending me the patch by e-mail, it saved me having to download it. But I tried to install it and it didn't work. I even tried it as root, I saved the attachment to file and double clicked it, then I ran it from the shell, but I just got errors. A friend told me it's windows format, not linux format, so could you please re-send me the patch, but this time in linux format?
many thanks
The reason I want to get on my knees and send thanks to the almighty (bruce or whoever) is because I am sitting in front of my Mac Powerbook running OSX. I have been receiving on average one of these fucking Microshit fake things every five minutes, which my Mac has fortunately been a) immune to, and b) able to filter into the trash can after a couple of iterations.
I think there must have been about 300 to 400 of these messages in my trash before I deleted it. I can imagine the fun I would have been having if I'd still had my PC with Outlook (ya ya, I know, can be patched yadda yadda yadda)
Someone at Microsoft has a sense of humor. The correct title (as listed on windowsupdate.microsoft.com) is "Rights Management Services" (RMS).
A lot of people will blame it on "dumb" end-users. However, the scary thing is that just by an end-user clicking on the attachment in the email, they could hose their system. Even if an end user executed an attachment under Linux, it would only run as that user, not Administrator or root. The worst that would happen is the user's home directory being deleted. This is why MS Windows security is so bad IMO. Every user runs as Administrator out-of-the-box. This is the only reason ms windows is said to be "user friendly". Take a user out of Administrator mode and it is not any more user friendly than Linux. MS picked user friendly over security. Sure there are some tech savvy ms windows users that can secure their boxes much better than the masses. However, for the average user, MS gave them a friendlier environment to work in with no regard for the value of their data.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
If your mail server is *NIX based and you can log in and modify your .procmailrc file, this page will help you filter out all of those annoying ass emails. Click here.
Hope this helps.
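A filter of the kind the post above points at, written here as an added example rather than anything taken from the linked page or from any poster: it parses a message with Python's standard email module and quarantines it when an attachment either has a Windows-executable extension or begins with the MZ header that .exe files carry even after being renamed. The addresses, subject and attachment names are constructed for the demo, and the extension list is an assumption, not a complete one.

```python
# Added example (not from any poster): flag mail carrying Windows executables
# before it reaches a user, using only the Python standard library.
import os
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on a double-click; an assumed, deliberately short list.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def attachment_findings(raw):
    """Return [(filename, [reasons])] for every suspicious attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXEC_EXTENSIONS:
            reasons.append("executable extension " + ext)
        # A renamed .exe still starts with the DOS/PE "MZ" signature, so look at the bytes too.
        if payload[:2] == b"MZ":
            reasons.append("MZ executable header")
        if reasons:
            findings.append((name, reasons))
    return findings


def should_quarantine(raw):
    """True when at least one attachment looks like a Windows executable."""
    return bool(attachment_findings(raw))


def build_message(body, attachment_name=None, attachment_bytes=None):
    """Construct a sample message (constructed data, not a captured Swen mail)."""
    msg = EmailMessage()
    msg["From"] = "updates@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest security update"
    msg.set_content(body)
    if attachment_name is not None:
        msg.add_attachment(attachment_bytes, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: a fake "patch" with an .exe name, a harmless text note,
# and an executable renamed to look like a text file.
FAKE_PATCH = build_message("Install the attached patch.", "patch.exe", b"MZ\x90\x00" + b"\x00" * 60)
BENIGN = build_message("Meeting notes attached.", "notes.txt", b"Agenda: 1. status 2. plans\n")
DISGUISED = build_message("See attached.", "readme.txt", b"MZ\x90\x00" + b"\x00" * 60)

if __name__ == "__main__":
    for label, sample in (("fake patch", FAKE_PATCH), ("benign", BENIGN), ("disguised", DISGUISED)):
        verdict = "quarantine" if should_quarantine(sample) else "deliver"
        print(label, verdict, attachment_findings(sample))
```

In a procmail setup this would sit behind a recipe that pipes the message through the script; the MZ check is what catches a renamed executable that an extension-only rule would wave through.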
From the article, it seems that the worm:
1) Exploits a vulnerability in IE for which a patch was released 2 years ago
2) Tells the user to run an executable file
3) Asks the user to enter their EMAIL, and associated USERNAME and PASSWORD.
Well gee. I'm not going to be suspicious of any of that. After all, it's impossible for anyone other than Microsoft to make official-looking emails/alerts, right? Honestly, I can't imagine how this worm has any chance of spreading, and yet it has spread to more than 1.5 million systems. Anyone care to explain why?
I'm really hating Microsoft. I've never used Windows and my last and only Intel PC was a 286 running some version of MS-DOS 3. I've just always thought there was something better. If the Mac wasn't around, I'd be using Linux.
;o)
Anywho, I've always just shaken my head and wondered why people put up with MS shiite but it's never directly affected me (indirectly, yes) until now. I am simply sick of seeing virus infected emails, emails from my ISP saying I had an email with a virus, emails from friends warning me about the latest worm even though I don't use Windows and reading stories of Mac and Linux users losing services at universities because the staff is too busy patching f*ing Windows boxes.
As most of us do, at work we use Windows. I had a project that needed to go out this week and we were pulling files over the WAN. The bandwidth was nearly zero. IT eventually found out it was a bunch of desktops in a completely unrelated office that were SMSing the remote server I was accessing to death but they didn't have time to fix it because they were too busy fighting virii on the west coast. Project gets delayed.
I hate them. I want to see Linux kill Microsoft. Their ill-gotten reign must end. The Penguin must draw and quarter Bill & Co. and burn their remains. I am tired of having to be bothered by Windows and their sheep-like user-herds. I want to use my Mac without having it affected by the crap that spews out of Redmond. I want to know why people aren't looking at Macs and Linux more seriously. I want to know why Apple and IBM are seizing the moment and using this time to educate the masses. I want to know why the MCSE monkeys continue to be blind to the failure of their preferred OS.
BTW, as you know, I really want Linux to annihilate MS, just don't kill Apple in the process, I like them
So far, I estimate I've received a total of 2000 to 2500 of these swens...it's gotten to the point where I've had to set up a pre-fetch procmail session to run on the Linux box from which I fetchmail my mail (in addition to the one I run on my desktop Linux box to sort it into mailboxes) just to keep my download bandwidth from being swamped. Anyone who claims that Windows viruses "don't affect" Linux users is dead wrong in my book. They don't infect, maybe, but my bandwidth is definitely being affected.
And a brief side note: did anyone notice that those pictures of the virus mail were "copyright F-Prot"? As far as I know, under American copyright law, the copyright for a work resides with the creator unless he explicitly releases it. So F-Prot is actually infringing the virus author's copyright by claiming ownership.
(Not like the virus writer's going to come forward to claim infringement, but just thought it was amusing.)
Editor Emeritus and Senior Writer, TeleRead.org
No, because Linux by default does not put every user into the administrator group. If you run a malicious attachment, it will be pretty much harmless to the machine. It may be able to wipe out your home directory, but that is about it. Plus, I haven't heard of any Linux mailer that will execute an attachment for you; it usually only saves it for you, or maybe displays it if it is an image. If MS would not make every user an administrator by default, then most of these viruses would be stopped cold. However, the user friendliness of MS Windows would drop considerably and not be much easier to use than a Linux desktop.
6 months ago, my wife had the need of a laptop (she actually lives in a little town with no computer expertise; I can say that maybe she is the only person in that small town who has a computer; yes, it's a small town in a remote place in Oaxaca, Mexico).
I got her an iBook (she only uses it to surf the web and email me).
Thank god, thank god, thank god, because if for some dumb reason I had got a Windows based computer for her, oh god. I just imagine the problems.
BTW: I liked her iBook so much that I also bought one for me and it's the machine that I use today. (no windows here, 1 OS X laptop, 1 Linux server/gateway/nat, 1 FreeBSD squid server, life is good).
Unix is simple, but sometimes it takes a genius to understand the simplicity -- Dennis Ritchie
Woo hoo!!
This virus does not exploit any OS weakness. It exploits STUPID FUCKING USERS. The same STUPID FUCKING USERS would download an SSH patch from a random goatse.cx web server if someone on Slashdot told them to, as witnessed by last week's SSH hole.
All you assholes snickering about yet another Microsoft hole should take a good look in the mirror.
XP doesn't make users administrators by default, but alas, the system isn't user-friendly unless users have control over their own systems.
Give a man a fish, he'll eat for a day, but teach a man to phish...
This seems like a reasonably creative effort, but then again someone could try coding up something like this I think they overrate the real effectiveness of such a system in the description, but it certainly would be nasty if it actually coordinated its spread as effectively as they claim is possible.
Jedidiah
Craft Beer Programming T-shirts
No troll, I'm dead serious.
I wish people took more interest in the things that they use every day and take for granted. Everything is so completely fascinating. I think that there is no better pursuit in life than to learn the hell out of everything. The way people learn one thing and then get all arrogant about it is, in my opinion, the worst behavior of all.
There are tons of things that I don't know, I don't look down on people for not knowing things. It does bother me when they refuse to learn, though.
People do awful things to their computers and people do awful things to their cars (and their plumbing!). If people took a little more time to appreciate the things that they take for granted, many of our problems would be gone.
I didn't mean for this to end up all preachy, but I don't remember where I was going. If I hadn't already typed so damn much, I'd just quit now, but hell...
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
You have to open the attachment.
Microsoft never e-mails patches or provides a direct, embedded link to an upgrade or patch. Open Source projects like 7-Zip do, I received one this morning, so don't get too cocky, you could be sucked in real easy.
If popularity is what makes Windows insecure, then why is IIS being hit many more times than Apache even while Apache runs 60% of the websites out there?
He is Ollie, you are Swen.
"We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it." [CA-2002-28]
Dear $name:
We, at Microsoft, understand that the Internet is crowded with viruses and we'll help you to make it safer. You certainly have heard of a thing called "dll hell" -- it's called like that because most viruses disguise themselves as .dll files. Just follow these simple steps and enjoy safe surfing:
Do not forget to forward this message! Only knowledge will stop those heinous viruses!!!
Greetings. You have been infected with GNU/Swen, a worm brought to you by members of the linux community. In order to get this worm to infect your system properly, you will need to use wget to download gnuswen-config-2.4.6 from one of the usual mirrors. Be careful; this version of the worm is not compatible with versions of gnuswen-config prior to 2.4.4. After you have downloaded the config tools and issued the usual incantations (./config, make, make install), you can configure the worm from any directory simply by typing sudo gnuswen-config -ort [your login id] [full path to your email client]. If you have any questions, be sure to RTFM, the docs are installed at /usr/share/info/gnuswen and all your config files are stored at ~/.gnuswen.
Anyone else notice that? I'd downloaded the nightly build yesterday (2003091704), but hadn't bothered installing it yet. I middle clicked (open in new tab), and it spun for a bit then locked up hard. I went 'ooh, bug', installed the new one, and this time it locked up and crashed! I had to read it in IE. *sigh*
Can anyone else read that page in Mozilla? If it's just me I'll shaddup.
--Rob
Schlock Mercenary.
If the user isn't patched, they are screwed because the email will have the permissions necessary to mess up their system. If the user is patched and unclued enough to click on the attachment, it doesn't matter and they are screwed. Hmmmmmmmmm. At what point do people wake up and realize that it's a permissions problem?
For every annoying gentoo user, there are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
The kid down at the Radio Shack set me up to pay a whole $20 a month for this Intarweb Online Servar thingie or whatever so I naturally I did my part to help clean it up. You bet I turned on the upgrade right off.
I'm still waiting, though, because after 'xfs' rendered all the fonts required for ShowLetter.exe, 'top' shows that the process 'wine' just took up 100% cpu time for the last couple hours or so.
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
1005 dtm 14 0 1020 1020 844 R 4.3 1.2 0:00 top
768 dtm 14 0 22460 5612 2772 S 1.7 98 1:23 wine
$ killall -9 wine
$
The worm's cover letter is a con, a form of "social engineering," if you like. There is no fundamental reason why it couldn't be re-written and sent out under OpenOffice.org's logo or Mozilla's.
one stupid son-of-a-bitch to fall for that. I am amazed how stupid people can be about e-mails.
True. This can happen in Linux too, though. I seem to recall Lindows gives users root by default, and from my small experience with SuSE, they seem to have something similar with being able to "save" your run-as-root permissions for apps.
All's true that is mistrusted
He says that this attachment will prevent viruses from working on your computer. If it crashes your machine, it will, and that's thereby true, I suppose.
He says thanks for using Microsoft products. You're very welcome. Anything I could do to make your job easier.
The first Swen.A infected email arrived on my server at about 10:00 UTC0 on Thurs 18 Sept. About 4 hours later, F-prot released an updated AV database which included a signature for this virus, by which time another half-dozen instances had been received. The volume steadily increased with time, and by Thursday evening had reached about 60/hour. By Friday evening, the volume had peaked at around 120-150/hour.
I'm surprised that this story has not appeared on Slashdot until now, however as far as I can tell the main victims of this email-bombing (who were not necessarily infected by the virus) have been active posters to various Usenet newsgroups.
My Debian distro as well as my Mac laptop will be OK I think. The soul still burns.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
Let's be honest here, anyone dumb enough to think updates come in the mail (even on linux) would most likely happily comply when it spits out "you must be root to apply this patch."
I will agree with you that windows takes ease-of-use over security, though XP and 2003 have taken steps to prevent that. One thing that does cheese me off about windows though, is the fact that programs often have more power than the users that run them. Personally, I don't believe anything should have free run of the registry to dump any of its crap in there.
They need to learn to spoof email headers so it does not appear to come from a .ms domain.
It's a good thing symantec got a patch out before the virus started making its rounds. Kudos to them!
And I posted this fricking story yesterday. Grumble.
At ANY RATE, the file that came with the email was a simple .exe; even outlook doesn't automatically run executables. It might be able to infect other boxes once it's running (crawling the network share, etc), but as I am a) smart enough to be running linux and b) not dumb enough to double click any .exe that pops into my mailbox, I don't really know first hand what it does.
The email did look kick ass though. Doesn't surprise me that people are blissfully clicking away.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Download a virus on Linux
Download a virus on Windows
Click on them both.
See a difference? You need to mark a program as executable on Linux.
Besides which, as it's common to partition your hard drive with Linux anyway, it's pretty easy to set aside the home directory as a partition and mount it with noexec,nosuid . That in itself would make me feel a lot more secure. I'd say Linux by its nature is more secure, but it's up to the person setting up the system to decide how secure - which could easily be no security at all, but at least Linux makes it pretty simple to tighten a system with little effort.
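As an added example (not a poster's code): a check for the noexec,nosuid mounting the comment above recommends. It parses text in /proc/mounts layout, which /etc/fstab shares in its first four fields, and reports which of the required options a mount point lacks. The mount table excerpts are constructed, and the device names and the separate hda3 /home partition are assumptions. Bear in mind that noexec only stops the kernel from executing a file straight off that filesystem; a script handed to an interpreter is still run, so it raises the bar for a double-clicked attachment rather than removing the risk.

```python
# Added example (not from any poster): report missing hardening options on a
# mount point, given text in /proc/mounts (or /etc/fstab) layout.

REQUIRED_OPTS = ("noexec", "nosuid")


def parse_mount_table(text):
    """Map mount point -> set of mount options.

    Works on /proc/mounts and /etc/fstab alike, since both start each line with
    'device mountpoint fstype options'. Comments and blank lines are skipped.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts writes a space in a path as \040; undo that for the key.
        mountpoint = fields[1].replace("\\040", " ")
        table[mountpoint] = set(fields[3].split(","))
    return table


def missing_options(text, mountpoint, required=REQUIRED_OPTS):
    """Required options absent on mountpoint, or None if it is not a separate mount."""
    table = parse_mount_table(text)
    if mountpoint not in table:
        return None
    return [opt for opt in required if opt not in table[mountpoint]]


# Constructed /proc/mounts excerpts (assumed devices, not from a real machine).
HARDENED = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda3 /home ext3 rw,nosuid,noexec 0 0
"""
DEFAULT = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda3 /home ext3 rw 0 0
"""
NO_SEPARATE_HOME = "/dev/hda1 / ext3 rw 0 0\n"


def report(text, mountpoint="/home"):
    """Human-readable verdict for one mount table."""
    missing = missing_options(text, mountpoint)
    if missing is None:
        return f"{mountpoint}: not a separate mount, options cannot be applied to it alone"
    if not missing:
        return f"{mountpoint}: ok ({', '.join(REQUIRED_OPTS)} present)"
    return f"{mountpoint}: missing {', '.join(missing)}"


if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("default", DEFAULT), ("no /home", NO_SEPARATE_HOME)):
        print(label, "->", report(sample))
    # On a real Linux box the live table can be checked the same way:
    try:
        with open("/proc/mounts") as fh:
            print("live ->", report(fh.read()))
    except OSError:
        pass
```

The corresponding fstab line on the assumed layout would carry `defaults,nosuid,noexec` in its options field; the function reads either file because it only looks at the first four fields.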
Just because *you* have no regard for the content these people have on their computers doesn't mean they don't have it. Friends and Colleagues of mine have been infected with these virii that have years of data on systems - just because you think that they should be more computer savvy is a real shitty argument.
I mean, what if every time you got sick because you didn't wash your hands, the Medical solution was to amputate your arm so that you couldn't propagate infection? Don't be such an asshole.
Sheesh... How sad is it when someone on Slashdot, bastion of MS haters everywhere, is too much of a pussy to sign their name to a post bashing MS?
3000+ comments meta-modded. 0 mod points awarded.
Lesson for other meta-suckers: Don't believe the hype!
Seems like this is an attempt at creating a network of spam zombies. I mean, think about it... it asks for your email information and LOGS INTO YOUR ACCOUNT. (Symantec has a good writeup, with screenshots about it)
Maybe this is the culmination of all the "research" using SoBig? Aren't there rumors that those worms/viruses were used to "research" making a spam network? Interesting indeed...
And whoever wrote this one did a helluva job, it really looks authentic.
There are only 10 kinds of people in this world... those who understand binary and those who don't
I've gotten quite a few in my Yahoo/SBC account. What amazes me is that Yahoo has a Norton file scanner that you can run on files, but you have to manually. If you don't run it, you'd never know it was infected with a virus and it lets you happily download/execute the file!
If they have Norton and Norton knows it's infected, WHY DOES IT LET ME DOWNLOAD THE FILE!? At the very least you could argue that I still want to download it and try to disinfect it myself. Fine, but it would be nice if it would at least tell novices the damn file is infected!
And while I'm at it, who in their right mind runs a computer connected to the Internet without decent AV software and a firewall?! Apparently over 1.5 million people I guess.
Apparently, if you haven't patched explorer it CAN run itself. Windows is the filthy crack whore of the OS world. "Oooo, that program looks pretty, let me JACK IT INTO MY BRAIN!"
If you run an app and it does that, then it is a "trojan". No operating system will ever be free of trojans.
But trojans have trouble spreading themselves. Anyone can write a Linux trojan (cd ~ ; rm -R), but it will not spread far. While you may think that the damage is bad because it happened to your machine, you represent less than 1/10,000,000'th of the total.
More people will have lost data because of hard drive failure than lose data because of Linux viruses or trojans.
Yes, if a hole is found in pine or mutt or Evolution that allows email viruses such as you describe, then email viruses such as you describe can be written for that application.
But an exploit for pine would not affect someone running mutt or Evolution.
Linux has a better designed security system than Windows does.
A hole in one application will only affect those people running that application and it will have to find some way of spreading to those people.
Without the means of spreading, the virus will be contained.
Without the ability to infect machines it has contact with, the virus will be contained.
Which is why there aren't any Linux viruses in the wild. Not because people aren't writing them. But because they cannot spread the infection.
This morning, while feeding the kids their Saturday ration of mindless TV, we caught a rerun episode of Pokemon. Our hero Ash opened up a bunch of windows (like five or so) on his computer screen, and it crashed hard. His sidekicks ridiculed him for causing the crash.
Not that it would help, I pointed out to the kids (aged 3, 6, 9, and 12) that with any reasonable OS if you truly opened "too many" windows or otherwise exceeded a resource limit, it should simply refuse the request, not crash.
Yeah, it's just a dumb cartoon, but it shows how far Microsoft crap has infested pop culture. Everyone including little kids and cartoon writers assumes that computers just crash unpredictably and for no good reason. They assume random downtime is a fact of life. It's crazymaking for me--having been raised in a VMS shop, where they planned reboots weeks ahead of time and the guy who found a way to crash the VAX with a user-level program became a legend.
I, for one, welcome our new Windows overworms.
Escher was the first MC and Giger invented the HR department.
1.) Applying the patch
2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion.
But it isn't your only protection.
3.) Using a hardware firewall which blocks the RPC port anyway
4.) disable dcom with start -> run -> dcomcnfg
-- "of course thats just my opinion, I could be wrong." --Dennis Miller
The art of the con is to play on the familiar, the expected, the predictable response; how many times have you entered a password without giving it a second thought?
A window pops up saying that a function failed and it needs the root password or something like that?
That means that the file has already gotten to your machine.
How did it get there? Did you just launch a file that someone sent you?
That's a trojan. It requires that a person give it the root password.
Trojans will always be with us.
Linux viruses and worms are rare because of Linux's security system.
I got my first set of copies (7 different versions) a week ago. I tried looking on google and Symantec's web site to see if this was a virus. I ran strings against the binary, and it looked pretty good - but as a Linux ascii email user, I didn't get to see the pretty screen until later. I tried to report it to Symantec, but they don't have a way to report a virus :-(
In the last 48 hours, I've received over 500+ copies of the virus, and have filled my /var file system :-(
"Software is the difference between hardware and reality"
So the measure of the security of an OS is whether or not they make security patches available? Balderdash!
OS X, or any Unix-derived OS, is vastly more secure than Windows. Part of it's the design: you can't easily override the permissions inherent in a *nix system; with Windows, you're free to nuke or alter almost any file in the system. Part of it's the design of the applications: Outlook's ability to auto-open attachments for you, for example. How convenient!
Why try to kill the machine?
Rather, change a dozen or so random numbers in every Excel spreadsheet that can be reached.
Corrupt the data, leave the machine.
It could be years before some of the damage is noticed.
The other day I got a Linux email virus. It was this perfectly innocent looking message, with the subject line reading "Important!". So I opened it, and inside I found the following:
"This is an email virus for Linux users. It works on the honor system. Upon receipt of this message, you should manually forward it to everyone in your address book, then login as root and randomly delete a bunch of files. Thank you!"
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
Shilling for Zone Labs, I see.
After installing any system it's an excellent idea to use Norton Ghost (free with Soyo and possibly other MBs) to image the system. Then, if anything bad happens or if you just want to move the OS to a new drive, you just blast it over and 30 minutes later or less you're up and running as though nothing changed.
My 2000 system was on an old 2GB drive that was about to fail and with ghost I was up and running much faster on a 13GB drive in less than an hour. I also have an image of my web-server's OS/app drive in case it ever fails.
Knoppix and what I do is basically what prebuilt system manufacturers have been doing for years. It's just that HP, et al, add a lot of crap to the image.
Ben
Work Safe Porn
Greed, lies from anti-virus software vendors, lies from ISP, Slashdot hatred, ...
Again, nobody wants to point out that it's not the virus that is transmitted in the e-mail. It is an executable file, which gets transmitted in the email using any intermediate SMTP server to any e-mail client. I have received over 300 of these fake messages with exe attachments since Friday evening. My local ISP (Sympatico.ca) is telling me that they don't have the possibility to block messages with executable attachments.
I know that it is hard to believe, but it is possible to have a Windows machine connected to the internet without ever getting a virus. I've never had a virus infect my work PC, which has been connected to the internet since 1997. It's a matter of using common sense: Don't open email from people you don't know (mostly spam). Don't open email in a reader that will automagically execute whatever it opens (ie: unpatched outlook). Download files from trusted sources, don't run every app that comes your way, keep up to date on the patches, and run your computer behind a firewall. If you do that, you might not even need to have a virus scanner running all the time. (Though I don't recommend this if you're running any sort of business, or routinely let unknown computers connect to your network)
At home I don't have a virus scanner installed on any of my computers. Every once in a while, I'll download the latest dats from mcafee and run the command line scanner, but so far it's been a waste of time, as it hasn't caught anything yet. At work, I have the corporate mandated Norton, and have yet to receive an infected file, but the risk at work is more than at home, so it makes sense.
I do fully realize that I am running a risk at home, and with the latest round of viruses, I am tempted to get a virus checker going on the old home PCs, just to be on the safe side. Like most people I'm a firm believer in "it can't happen to me".
Three security updates since _JUNE_!?!? Red Hat up2date pestered me until I installed 3 (sets) of updates on the machines this WEEK.
That's one thing that has me thinking about the "dominant OS" argument. Even if one accepts it, and I think that is very arguable, how about the maxim that "The pioneer gets the arrows"? Linux can work out its security issues in greater obscurity.
Thanks, Microsoft, for being the 800 lb. target!
If it were a real Microsoft patch, it would have executed without you knowing about it. Only these rogue virii actually *ask* you to run it.
There's one revolutionary concept that windows hasn't yet caught: have one "account" called, for instance, "root", which will be the only one that can install things in the system. Have users run under "non-privileged" accounts. In this way, unskilled users will not be able to thrash the whole system. Simple, yet very effective. That's why there are no viruses or worms for the non-stupid systems, such as VMS or the many unix-like systems.
here's a little bit of info about the myth of Security through Obscurity
The reason OS X and other *nix OSes do not get attacked more often is not because of its low market share...
The worst that would happen is the users home directory being deleted.
That is always the worst thing that can happen. If a virus wipes out my System32 directory, big deal, I reinstall Windows. It's a pain but I haven't lost anything. If it wipes out my home directory, that has all of my financial data, electronic receipts, business invoices, contacts, etc.
Don't get me wrong, your email client shouldn't have admin privileges, but I consider my machine hosed when my home directory is hosed. Linux is no more secure in this regard.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Sorry, I guess I should have added or indicators. I know it's possible, but at the same time, it's seemingly rare.
Works under wine
Browse at -1, because trolls are often the most creative part of
Yes it does. When you do a new install and create user names, they are all in the administrators group, which gives you total control to the system.
I agree, I got this email about 10 times. Though I am on Linux, I still find it hard to believe that 1.5 million people would run the "update". These are probably the same AOL users that sent their credit card numbers over AIM because someone said they work for AOL.
The "Swen" worm arrives in an official-looking e-mail message that appears to be from Microsoft. Users whose PCs are not patched against the Microsoft flaw this worm exploits will be infected just by viewing the message, as will protected users who click on the e-mail attachment.
clearly requires some dumb schmoe to click on the executable file
No. "Requires some dumb schmoe to open up Outlook."
No capitalization and a missing article, both in the first sentence. Am I the only one for whom that spoils the illusion?
Share and Enjoy: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
I'm not sure if this still works, but about ten years ago I was developing a Motif program and found that if the paint callback was an infinite loop it would get all of the CPU. It seems that the callback was run at a rather high priority, regardless of the user.
And it's the best OS around, so thank god I don't have something worse.. like one of those hobby play operating systems!
What you described is already far worse than the system I use. I have used Red Hat Linux for four years, and I never had to reinstall. And your system crashes now and then. Mine was booted sep 1 when I got home from a vacation, which means it has been running for almost three weeks straight without crashes. The previous reboot was aug 21 when a new kernel was released. That actually means I never had any crash with the kernel version I'm using at the time. Thank god I'm not using one of those windows systems that some people need to play computer games and have to reinstall all the time. I know people reinstalling Windows more often than I reboot my computer.
Do you care about the security of your wireless mouse?
I'd guess many if not most legit OS patches would need to be installed as root.
Of course no legit OS patch would be sent unrequested via email, so in the end, I agree it's a user education issue.
Yup, Lindows is crap. Lindows would be open to all sorts of attacks if it ever became popular. As far as SuSE goes and Red Hat as well, they prompt you for the root password when you need to run certain programs as root. This doesn't work with just any program, only a few administrative type programs. It also does not "save" the root password, it caches that you successfully entered the password and won't prompt you again for 2-5 minutes, similar to sudo. Though again, this is only for a handful of administrative programs so a user can admin their PC without needing to log in as root.
Maybe microsoft should take the plunge and block this worm from hotmail - or do they not have any technology that can do this reliably?
I know they usually put the email I receive from workmates and relatives into the "junk mail" folder, so their filtering software is obviously rubbish.
Very true. Though I personally do not think it is a real security flaw to get a virus. I think it is a bad design choice on the part of MS. Very few apps should run as administrator/root. And the ones that do need to be carefully programmed. Under MS Windows, everything the user runs is running as administrator out-of-the-box, and it just opens up the possibility for all kinds of attacks.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
That statement is loaded. Linux isn't secure. The ptrace-kmod vulnerability is still present in the two most common kernel branches. The most common network services and applications likely to be moving data on the Internet all have had multiple, major vulnerabilities over the past couple of years. These include Apache, Sendmail, OpenSSH, OpenSSL, and PHP. You may not use one of these, but the majority of Linux sites serving up content do.
There may not be worms, but that isn't because it can't be done. There is sufficient automation in the existing crack tools for Linux. Someone need only take it to the next level and have the cracking tool upload and start a network scanning worm.
Fred
"A fool and his freedom are soon parted"
-RMS
What's wrong with Linux? Linux isn't the operating system with a new worm coming out for it every week.
Linux isn't the operating system with 95% of the users.
I feel pretty damn safe under Linux; how do you feel worrying about when the next worm will take over your entire machine? How do you feel about viruses? How's that Zone Alarm treating you?
8 years using Windows. 0 viruses and worms. No virus scanner, no firewall software. Just some common sense and WindowsUpdate set to notify me when there are critical updates.
And that's having used Outlook and IE up until Mozilla Firebird / Thunderbird came out.
Honestly, zealots love to say how awful Windows is, but most people get infected because of social engineering - like the one this article's about. You can't do anything about someone who compulsively opens all attachments - whether they're using Windows or Linux (barring banning them from attachments at the mail server, of course).
I can't stop laughing....
// file: mice.h
#include "frickin_lasers.h"
Saw this coming this morning. I don't even have to read CERT, or SANS, or /. anymore to know when the 'Microsoft Worm-O-The-Month' has hit the Windows boxen near me. My net connection slows to a crawl, I can no longer get to most of the sites I frequent, and I can't get to my IMAP server.
To add insult to injury I haven't run an MS OS since about 1998 - only Linux, OBSD, & OSX.
I've had to deal with the effects of *others'* carelessness and ignorance for *years* now. Lost productivity (I telecommute), the inconvenience, all my extra time having to tweak my firewall, all the bandwidth that was rightfully mine that was stolen, the load on my mail server. That times the 100M (or whatever it is) people on the net.
If Ford made a car that was this poorly made consumers could sue them. At the very least the Feds would step in and force a recall.
So why haven't the Feds forced a Microsoft recall? Why have there been no class action suits for repeatedly defective products?
If Windows really does have 92-95% of the desktop market then it's a critical resource and should be treated as such. The Feds would never allow a phone system to continue if it crashed every month, or a rail system that had a major accident every month. It goes against national security.
If MS has that much market-share then they should be treated as a critical system just like phones or rail and held to the same standards.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" - BF
With 1200 of these filling my inbox every day now, it's nice to get rid of them, adding the following to .procmailrc

:0 B
* ^Content.*(file)?name=.*\.(hta|vbs|exe|scr|pif|lnk|bat|com)
/dev/null

Does of course have the side effect of nuking every mail with an attachment that ends in one of hta|vbs|exe|scr|pif|lnk|bat|com, but I haven't found any use for such files in the past couple of years.
GET http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006 HTTP/1.0
ww2.fce.vutbr.cz
The first was a counter. At the time I checked it had well over a million hits and was going up FAST. At the time I'd been hit by about 20 copies of the virus. The next morning the counter was taken down and replaced with a warning. At that time I'd been "hit" over 70 times by the virus.
There seem to be variations in the emails that contain the virus. The main one is a 160K email that contains an attachment with a content type of Application/X-MSDOWNLOAD. The second is about 148K in size and the attachment has the content type of Audio/X-WAV. There are some emails that are 16K in size but the attachment is a zero length file. I've also been getting emails claiming to be "bounces" from Yahoo and other ISPs saying I'm trying to send a virus infected email to someone. But the Received lines show that the email is not from Yahoo. So far I've received over 170 of these damn things.
Then there are all of the real ISPs who are not helping the problem. I keep getting warnings claiming that someone I don't know tried to send me an email with a virus. Thank you, but your anti-virus software just sent out a useless email and just accomplished one of the goals of Swen, to clog up email servers. Send an email to the moron who is currently infected and stop sending out thousands of emails telling everyone else about it.
This may sound harsh, but I'm really hoping the next big Microsoft worm or virus will disable the infected computers.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
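The procmail recipe above and the Application/X-MSDOWNLOAD observation from the post just above are the same check written two ways: look at each MIME part's declared file name and content type and drop the message if either is on a block list. As an added example that is not part of any post in this thread, here is that check in Python's standard email module, with constructed sample messages (the "Qz.exe" name is taken from a Norton report quoted later in the thread; everything else is made up).

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions from the procmail recipe above; compared case-insensitively
# because Windows ignores case, so "QZ.EXE" runs just like "qz.exe".
BLOCKED_EXTENSIONS = frozenset({"hta", "vbs", "exe", "scr", "pif", "lnk", "bat", "com"})

# Content type the 160K Swen mails carry, as reported in the thread.
BLOCKED_CONTENT_TYPES = frozenset({"application/x-msdownload"})


def blocked_parts(raw: bytes) -> list[str]:
    """Return a reason string for every MIME part that would be dropped.

    Walks every leaf part of the message and checks two things, mirroring the
    procmail regex: the attachment file name (Content-Disposition filename= or
    Content-Type name=) and the declared content type.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # the multipart container itself carries no attachment
        name = part.get_filename()  # None when the part has no file name
        ctype = part.get_content_type().lower()
        if name:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"filename {name!r} has blocked extension .{ext}")
        if ctype in BLOCKED_CONTENT_TYPES:
            reasons.append(f"part {name or '<unnamed>'!r} has blocked content type {ctype}")
    return reasons


def should_discard(raw: bytes) -> bool:
    """True when the message would go to /dev/null under the rule above."""
    return bool(blocked_parts(raw))


def build_message(attachment_name, content_type=("application", "octet-stream")) -> bytes:
    """Constructed sample mail for testing; not a real Swen message."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    if attachment_name:
        maintype, subtype = content_type
        # 16 zero bytes stand in for the attachment body
        msg.add_attachment(b"\x00" * 16, maintype=maintype, subtype=subtype,
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (
        build_message("Qz.exe", ("application", "x-msdownload")),
        build_message("patch.SCR"),
        build_message("update.dat", ("application", "x-msdownload")),
        build_message("notes.txt"),
        build_message(None),
    ):
        print(should_discard(sample), blocked_parts(sample))
```

Like the procmail version, this drops every mail carrying such an attachment regardless of sender, so a legitimate .exe sent to you meets the same fate.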
one that looked like a returned sender address for a 140 kb midi file (exe extension ;P)
and an email from Microsoft with an "msn.net" address (I didn't know updates came from there)
I think the virus has an internal name too, looked at it in a hex viewer, it was either the name of the inventor or some shit, I forget the name now.. it had a beta symbol in it.
Thank god for linux, huh?
If you run a malicious attachment, it will be pretty much harmless to the machine. It may be able to wipe out your home directory, but that is about it.
/home is the most valuable part of the system! You can re-install Linux in under an hour, and recover /usr, /var, and pretty much everything else (with a slight exception of changes to /etc, but that's not important). If you lose /home, you are, simply put, FUCKED. Big time. Try reconstructing that data in under an hour. You can't. If you could back up *anything* on your system (assuming you had a choice), that choice should be /home.
That is the *biggest* crock of shit ever, but I hear it time and time again on Slashdot.
Why on earth would you care if your applications got borked? It's the data that's important.
I thought I'd point this out, because chances are even some people on slashdot don't know this:
Microsoft has never and never will issue security updates through email.
It's that simple. Anything that you get claiming to be from MS is some kind of fraud, worm, virus, spam, etc. I'm sure most of you around here knew that already, but I saw this asked on some mailing lists (e.g. Dshield) when these emails first started appearing.
Use this opportunity to remind anyone you know that may not be as computer illiterate as you. This worm, in addition to ANYTHING claiming to be updates from MS, is not real.
There is a Win95 livecd, but they're not sharing.
First, mailers under Linux do not auto-open attachments and run them. Second, even if a user saves the file and double-clicks it, nothing would happen; the file needs to be marked as an executable. Just because a file ends in .exe doesn't make it an executable as it does under MS Windows. I do agree that the email looks very official. Third, if the user saves it, marks it as an executable and runs it, it would only run as that user and NOT administrator/root, unless of course you use crappy Lindows and keep logging in as root. Then yes, it could do just as much damage.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
I have now received this worm 616 times since 9pm last night. That is 616 in one day, making this about ten times worse than any previous worm.
Seems the same machines go on, and on, and on. A number appear from the same machines (as shown by sending IP). This could be very very annoying.
I guess it has been said before... who has not patched their machine for two years? Grannies? They do not have broadband. Groan. Maybe we need a "PC license", like a "driving license".
Michael
---
BDOS ERR ON A:>
Mine was booted sep 1 when I got home from a vacation, which means it has been running for almost three weeks straight without crashes.
Current uptime on my XP box: six weeks.
Thank god I'm not using one of those windows systems that some people need to play computer games and have to reinstall all the time.
Uh, when I install a computer game I don't have to reinstall it after that. If you mean reboot - well, I just installed Homeworld 2 and it didn't even suggest a reboot.
Try using a recent version of Windows before you spout off about how awful it is.
You forgot to add Tiffany's pricing : )
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
See a difference? You need to mark a program as executable on Linux.
Maybe I'm misunderstanding you, but you've gotta do that on Windows too. Double clicking a virus renamed *.txt isn't going to infect your computer. It's gonna have to be an executable - *.exe, *.vbs, etc.
Even if an end user executed an attachment under Linux, it would only run as that user, not Administrator or root. The worst that would happen is the user's home directory being deleted.
First off, the home directory is the important thing. I could care less if gcc gets deleted - I'll just fix that. If some virus goes through and deletes all my e-mail, my documents, etc., though, I'm gonna be pissed.
Not only that, but I seem to remember a node on everything2 describing a couple steps to get root access on a Linux box. It's not impenetrable.
Not that you don't raise an excellent point (although it gets more to backup strategy than anything), but part of why this particular aspect of Linux security gets raised is the history of Linux as part of the Unix family. When you have more than one user on a machine, preventing any one user from trashing everyone's /home directory or a key system binary is vital. Even so, in a single user environment, you might be able to clobber a single user's data, but installing an undetectable rootkit? Not so easy. Now, which would you rather have (if you were a virus/worm writer): a few deleted letters to Mom and pictures of the dog or a vast army of zombie systems waiting to do your bidding?
I do not have a signature
Its really going to be funny when someone finds a vulnerability in the Windows Updater so that we can all have viruses automatically placed on our computers every 15 minutes.
I have been getting it since before the last /. news item about the "prediction" of the next Windows worm... It's annoying. I've gotten about 200 worm emails and 150 "undeliverable" emails in my inbox since then. Damned annoying.
There's never anything wrong with a desire to learn how to do more things! The fact is, though, not all of us are motivated by more than one or two things in life that really grab our attention and keep it.
I know myself, I like cars and have always been willing to spend a big chunk of my paychecks on them, relative to my other expenses. I really *tried* to learn how to be a decent mechanic, even taking the "power tech" classes offered in my high-school and joining several car clubs over the years since then.
Ultimately though, I've found it's just not the thing for me. Yes, I've upgraded a car or two to a higher performance cat-back exhaust, changed a set of spark plugs, and done some car stereo installations - but beyond that, I always find it unenjoyable, and too laborious. A job that seems to take other guys 20 minutes takes me a whole afternoon of fighting with stuck bolts that don't want to come loose, parts I can't get back together properly, and whatever.
So, too, with most home improvement/repair tasks. I've bought the books, and I've succeeded in doing some of the small things (fixing broken flushers on toilets, hanging new curtain rods for drapes, and even re-tiling a bathroom once, with some help from my wife). But ultimately, I again find this sort of work uninteresting, and usually tedious + frustrating. I'm not good at sawing things along straight lines. I'm horrible at painting without making a huge mess to clean up afterwards. It's just not for me.
Computers, however, I took to like a fish to water since I got my hands on my first one - a Timex/Sinclair 1000, years ago. I know I'm good at working with them, and they've held my interest continuously for over 12 years. Arrogance is never really a good trait, but hey - some folks do earn a right to it. I had one friend, in particular, who everyone immediately labeled as "pompous" and "arrogant" about computers and computer security, but you know what? He was almost never wrong when I heard him give advice or suggestions, review a piece of software or hardware, or troubleshoot problems.
Sort of like that line in one of Kid Rock's songs, "It ain't bragging if you can back it up!"
As things get more and more complex, there's also a real danger in becoming "jack of all trades, and master of none". I've met a lot of these people, who seem to know just enough to be dangerous at all sorts of trades and skills - but I'd never want to hire them for any of the things they claim to "know how to do".
However data files can be restored from the backups...you do back up don't you?
There are a lot more sinister things that viruses can do beyond deleting files, but to do those things higher privileges are generally required.
This is where Windows' (original) security model falls down. I have to admit that they are getting better with XP Pro and even XP Home...but running as a non-administrative account is still a pain for a lot of people in Windows due to some applications' poor design.
Anyways...just thought to point out that you have to think bigger than just deleted files.
"linux is only free if your time has no value" - Jamie Zawinski
After so many "outbreaks" like this, I wonder how MS could not have long ago updated Outlook with a built-in filter that displays a big red warning whenever any file with a .exe or other non-Big 3 extension shows up in an email message? (Whew mod -1 for run-on sentence)
With all the "We know how you should run your computer" couldn't they have a small DMZ/virtual machine that runs an .exe or .pif or whatever to judge what it wants to do? I guess this should be what anti-virus software does, but seems not to be.
Glad to be running OS X, fwiw.
the future is here, it is just not evenly distributed - w. gibson
That's because you rely on the pretty eye-candy junk MS provides for idiots. Dump XP Home in favor of XP Professional. Disable that stupidass welcome screen and use the Computer Management console to create your new users. Hell, forget disabling the welcome screen, just use the damn console and you can create users that AREN'T Administrators by default.
I said no operating system is secure, and that OS X, amongst others, isn't a perfect OS with a perfect track record either. I proved that by demonstrating that Apple has had to release at least three security related bug fixes in the last few months.
Now sure, you could argue that having released those three fixes, there are no more bugs. OS X is an entirely secure OS. OS X can no longer be compromised. Steve Jobs has personally found out how those bugs occurred, and has shot the programmers responsible. Not only shot them, but brutally and painfully tortured them too. OS X is hence bug free, it will never, ever, ever, again have a bug, still less a root level compromise bug.
Yeah right.
You've probably never used OS X, but actually OS X is pretty liberal on what you can do too. It's not as liberal as Windows, but permissions on, say, the equivalent of Program Files, and some of the major configuration files, are fairly open. I can install programs just by dragging them to a particular folder for the most part, but see below. Even so, it doesn't matter. All that's needed is either a root exploit, which is what two of the three above security updates dealt with (the other being a bug in the screensaver password box), or a social engineering exploit. And lo, it turns out the subject of this story is an example of both! Indeed, anyone fooled by the social engineering aspect of the current virus can and will run such a program as root, and do so easily, under OS X, given an equivalent that doesn't use a bug. Despite the lack of necessity, for the most part, of implementing it this way, many OS X installers can and do ask users for administrator rights to install the programs they're installing. This is exactly what you'd expect a "Security Patch from {Insert Vendor Here}" to ask for. So a social engineering exploit along the lines of Swen would indeed work under OS X.
Anyone who believes they're secure because they run a non-Microsoft OS needs their head examining. Both OS X and Linux, the latter having a disparate and non-standardized update mechanism, the former being vulnerable to social engineering and being not 100% secure (because such a thing is not possible) are vulnerable, and it's the fact that they're not on the majority of desktops that keeps them "secure". Security by obscurity is not, as time has constantly told us, a sure-fire system. Rather than advise people to switch OS to avoid viri, it is better to encourage prevention.
You are not alone. This is not normal. None of this is normal.
a) How many of my fellow infectees are getting your usenet contact addresses hammered, but not other accounts? I know that out of all of my accounts, only the two that I've used to post to the newsgroups are getting this crap.
b) What, if anything, did Verisign's asinine "added feature" have to do with not being able to filter this crap?
Come to the University of Mars! Classes starting soon!
I think email clients and web browsers should also temporarily change uid to "nobody" when processing the data received.
The problem is that you can't do that currently unless the email client itself is run as root (or has CAP_SETUID). Of course you may have the setuid bit set on the email client executable, but then local security becomes harder to manage, and much useful functionality (core dumping and LD_PRELOAD'ing, etc.) is lost. Maybe we should have a "trusted uid" idea, so that user "foo" can have another uid "foonobody" that has as little privilege as "foo" wants, and when the euid is "foo", "foonobody" is seen as the same user when determining privileges, so a program running as "foo" can access foonobody's files, do setuid(foonobody), chmod a file owned by foonobody, chown a file to foonobody (they are the same user, so the usual chown-as-root restrictions shouldn't apply), and so on (but not vice versa). Then an email client run by "foo" can setreuid to "foonobody" (according to a config file) when processing the HTML/attachment, and setreuid back when done (the real uid is still "foo" --- but the more secure solution is to end the thread after processing is finished).
One problem is left though. The attachment processing probably shouldn't be running in the same thread (otherwise malicious programs may corrupt the part owned by "foo"), and if the processing result needs to be communicated back to the email program, the email program will have to do a lot of verification. HTML renderers can be made to render in an X window directly though.
On my Linux system there is my /home and the /home for my wife. If my wife got hit with some Linux virus, then ONLY her data is borked, not mine. This is not the situation under MS Windows. Also, I do a simple backup of both home directories every night and put it in a directory ONLY readable/writable by root. So the data is safe. Since the virus did not wipe out the OS, I am back up and running with a simple rsync command. Again, this isn't the case under MS Windows where a virus can wipe out the data for ALL users AND destroy the OS.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
...but running as a non-administrative account is still a pain for alot of people in Windows due to some applications poor design.
Doesn't a similar problem exist w/Linux? Isn't this why Lindows runs as root or something almost as powerful?
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
I have been receiving dozens of copies of this virus in my inbox over the last two days. They look pretty in my kmail spam folder. I usually delete spam from the folder, but they are so pretty I have decided to archive a few of them...
I read many comments by windows users who say they have used it for so many years and never had a virus, because they are sensible users who patch their OS and never open attachments...
It may be they are lucky too...
My brother wrote me yesterday to tell me that his XP box got infected and that of my father too. With both computers, he tried to reinstall XP and go straight to download the patch but, so he tells me, with both computers he got re-infected within 3 minutes of reinstalling the OS. He never got a chance nor the time to download the patch...
I am sure that my brother didn't open any attachment with any fucking v***us (oops, I meant f***ing virus) within three minutes of installing XP.
There must be something right that virus writers are doing... and MS must be doing something wrong.
Meanwhile, POPFile carries on marking those nice looking emails as viruses which Kmail then happily filters out of my way...
http://www.masquilier.org/republic/election/ Condorcet, Plurality voting and alternative voting enabled bulletin board.
...and yet Slashdot is breathlessly announcing this as a new "Microsoft worm."
Right. An executable that the misinformed user is running is now a Microsoft worm.
"Sufferin' succotash."
It's very important not to assume that one bug in an OS makes it less secure than another. It doesn't matter how many remote root level exploits two OSes have; if both of them have at least one, they're equal. Remember, my response to Hanzo concerned his advice that everyone just switch to Linux. It will not work. If OpenBSD had been on 95% of desktops last year, we'd be moaning about the "bone headed" decision to put a powerful command line in the OS, and have it accessible via a daemon running on port 22 by default. And that's the most secure Unix we have.
You are not alone. This is not normal. None of this is normal.
It's not.
"Sufferin' succotash."
What's wrong with Linux? Linux isn't the operating system with a new worm coming out for it every week.
Remember that ssh vulnerability the other week? If Linux were the mainstream OS, there would have been a worm for that. I wonder if Slashdot would be breathlessly reporting about it as a new "Linux hole?"
This entire discussion is stupid considering the alleged new "Microsoft worm" is really a social engineering attachment users are running. What is Microsoft going to do, run door to door and slap people on the wrists? I've never seen such spin on Slashdot before.
Slashdot just needed another Microsoft-bashing article. It's sad so many people fall for it.
"Sufferin' succotash."
What the heck are you talking about? I didn't get infected by no stinkin' RPC garbage, and I don't use Zone Alarm or anything like it. It's called:
- Being up to date with WindowsUpdate
- Not allowing those ports access to the internet through the router
Please, Zone Alarm the only way? Riiiiight.
Maybe I should have elaborated. My home network runs only Linux. If my wife got hit with some Linux virus, her /home and ONLY her /home could be borked. My data and the OS are still fine. Next, I run a simple backup every night that just copies our files to another directory that is readable/writable by root ONLY. The data is now safe. A quick cp -a or rsync command and I am back in business. With MS Windows it is not even close. The virus can wipe out ALL users' data as well as the OS. That is the problem with having every Joe user running in the Administrator account. I am not trying to say that Linux is the best for security. Every OS will have holes because it is just impossible to design a computer system without them. I just think that Linux and Unix have a better security model to stop a virus from destroying all data and doing as much damage. I personally don't blame this latest virus entirely on MS. Part of it is their fault for a poor choice to sacrifice security for usability. While the other fault is because of the "AOL" type user that happily runs any crap they are sent. My grandfather-in-law has sent me tons of viruses without knowing. I bet he is one of the 1.5 million people that fell for this virus/trojan.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
That was actually my entire point. Thank you :)
You are not alone. This is not normal. None of this is normal.
I personally don't use any MS OS at my home. I am talking about the millions of average Joe users that will do it that way. You may have the technical know-how to not be in the Administrators group by default; however, the millions of people out there running XP Home or XP Professional or any version of MS OS will be part of the Administrators group by default.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
-install XP -ok
-reboot
-install SP1 and after patch -ok
-reboot
-install ATI all in wonder drivers -ok
-reboot
computer farked to death...
so:
-install XP -ok
-reboot
-setup the video driver to "standard vga adapter"
-install ATI All in Wonder drivers (ati version not microsoft)
-install SP1 and after patch -ok
-reboot
-update ATI all in wonder drivers -ok
-reboot
-install battlefield 1942
-update Battlefield
-install road to rome
-update road to rome
-install Thrustmaster tactical board driver
-reboot
-computer screwed...
go back to line one, change the order, ad vitam aeternam...
Maybe one day I will be able to play this game... seemed to be nice on the pictures of the box...
Actually I'm having a lot of fun with the GBA... insert cartridge... oops, remove cartridge, flip over and insert cartridge in the right direction, turn on, play... eat chips, drink coke, and watch TV at the same time...
By the way, having an uptime of six weeks on an XP box means you didn't patch it for 6 weeks, which is between irresponsibility and plain stupidity... have fun while you can, stop trolling and remove your keyboard from the TV, you're not funny anymore.
Ironically, out of the five or so email addresses that I use, only one of them has been hit -- and the one that is having problems is the one that I use for web communications. All the others are perfectly fine.
God bless Micro$oft
The views expressed are mine own and do not express the views of my employer.
So the virus is WINE-compatible?
How nice of the virus authors to remember those of us who don't totally bow to the Dark Lord.
(It's a joke, duh)
"Evil will always triumph because good is dumb." -- Dark Helmet
This is not the situation under MS Windows.
That's a false statement. I guess you haven't heard about the concept of NTFS file permissions, which have been around since, oh, 1993.
Again, this isn't the case under MS Windows where a virus can wipe out the data for ALL users AND destroy the OS.
Again, another false statement. Why do you, obviously good with Linux, automatically assume you know everything about Windows when it's pretty obvious you haven't a clue?
Windows is just as secure as Linux, as the reverse is true -- it all depends on who is securing the machine. (Do a chmod -R 777 /home and your whole security system has just gone down the tubes.)
You know what? People beaming with pride that their OS isn't affected is like praising your computerized toaster for also not being infected. You're not the major target of this worm, so of course you're just seeing side effects and not infection.
Give Linux the Windows marketshare and enjoy worms that exploit things like last week's ssh vulnerability.
"Sufferin' succotash."
I have been trying to get them to do something about this. I have Mozilla so I am ok in regards to infections but the damn emails keep coming...250 in one day. Earthlink has these Indian call center people who are completely clueless. Their people think "spaminator" will stop it. Spaminator only shunts it to the webmail box; it still fills up their 10MB capacity because their "suspect" emails count against capacity. I can control it while I am online because I've trained Mozilla to send all of those things to the junk box.
There is one way to control it somewhat. The Swen virus has a 150K payload; if you tell your computer to screen out all emails larger than 50K, that might do it.
Actually, I rather thought it pretended to be a REAL Microsoft patch.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Newsflash: if you shoot out the tires of any vehicle that is in motion, the car will go out of control.
I guess we should recall all cars, in that case.
Please stay off the internet.
-- 'The' Lord and Master Bitman On High, Master Of All
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
You might wanna check MSFT's Office update:
http://office.microsoft.com/OfficeUpdate/default.aspx
Except that in Linux a file name is neither needed nor sufficient to make a file executable. You need to set the permissions on it. By default all Windows files are executable. By default all Linux files are not executable.
That which is done from love exists beyond good and evil
I'm not so sure--if, for example, that user ever uses the root password (e.g., ever uses su--probably pretty common on a home machine that has only one or two users in practice), it'd be pretty trivial to get root access.
--Bruce Fields
see: chmod 755
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
A major problem is a bunch of programs only run correctly when you have administrative privileges when there is no reason other than not making an attempt at making it run for a normal user. See, that's the catch: if Microsoft made it so you're not administrator by default, that would make the usability go down big time for a large chunk of people.
No it wouldn't. The program would still need to crack the root password. Just because you ran su or sudo doesn't mean any program could then run as root.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
What the fuck are these people doing with their e-mail addresses, displaying them on the fucking jumbotron at the Super Bowl?
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
Here's an idea. How about someone writes a worm that actually will patch Windows systems with the latest patches (maybe even get the latest virus definitions) so all those people who are propagating these worms with unpatched machines stop wasting bandwidth, etc.
On the other hand, some people really are stupid. Some guys I know that got infected run pirated copies of some Windows OS. How likely is it that Microsoft sends patches to people that they don't have a contract with, that they don't even know about? And how likely is it that they'll send 30 mails with varying senders and subjects? (I had about 700 Swen mails when I first saw them, from about one day. I really think it's unlikely that anybody only has gotten one, although it could of course happen.)
Programming can be fun again. Film at 11.
I wonder why antivirus companies haven't produced updates for mail server antivirus programs that promptly stamp out any messages that contain the executable that spreads the virus. If that had been in place the propagation of this virus would have slowed down very quickly because email servers would reject any message that contains the specific executable file.
Yes the email looks perfect, but even if I believed it Norton comes to the rescue:
"Norton AntiVirus removed the attachment: Qz.exe.
The attachment was infected with the Worm.Automat.AHB virus."
Ho hum.
2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion. But it isn't your only protection.
Agreed. I have found that Kerio Personal Firewall has been great. It's also free for non-commercial use.. good stuff. Everyone should use a firewall as it really would protect them from just about every one of these worms.
But, if we are using Joe User as the example I will bet they end up running as root more often than you think. Why? Because they are Joe User. They will be lazy and not want to sudo to do things (or su). I've also seen posts to my local Linux User's Group mailing list stating that a handful of people run as root all the time, this from people who probably aren't even Joe User if they are bothering to hang out on a local LUG list.
So while you and I understand that running as local admin (or root) all of the time is not the best idea, Joe User doesn't. As Linux becomes more mainstream I am certain we will see similar issues of people running as root all the time.
Assuming you occasionally visit a Microsoft web site, receive an Office newsletter or run Windows Update, chances are you've been warned that Microsoft never distributes software directly via e-mail.
My e-mail server has been getting hit by this thing for the past couple of days now. Last count I had hundreds of these e-mails associated with e-mail rejection errors, all in reference to mail I didn't send. Depending on what time of the day it was, they were coming from .mx, .pl, .ro, .nl, ox.com and so on.
/.ed
The e-mail is very deceptive and looks like real e-mail sent from Microsoft. Other than being a pain in the ass it's almost as fun as being
"I bow to no man" - Riddick
I'd mod you up as funny if I had the points. But sadly, what you put isn't so far from the truth. I've personally seen several XP systems (full, not upgrade) get hosed just by installing SP1. Thank God for Knoppix so I can get at the user's data.
It's at the point where I won't install SP1. I don't want to take responsibility for it. And yes, I know that leaves vulnerabilites open, but at least *I* didn't hose the computer.
Yes, the virus scan happens at the smtp, so I don't generate bounce messages that hit an innocent bystander. Of course, the mta of a worm doesn't care that I send a 'bugger off' message back to it.
-- Will program for bandwidth
I started getting the worm in my mailbox Friday morning. By Friday night I had already copied CERT's incident notice to my company's network status web page. (Not that anyone is actually going to read it until after they have a problem.)
that I'll know when the slashdot "empire" has fallen when some unexplained computing anomaly (i.e. Verisign, weird entries in logs, bogus patents and CoD letters) goes unaddressed by the readership on the front page within a week on the frontpage (to allow for a slashback), or 5 days within someone's journal. Like the Roman post. Can I take this analogy any further? :-)
Whenever I see something that makes me go "hmmm...", I always come here first by instinct. Then, if I don't find anything, I try to muster up the courage to submit a story. I hardly ever get accepted, but I know it goes a long way in getting something noticed. It usually shows up the next day.
Fuck Beta. Fuck Dice
Hmmm....no mention on the front page.
Clicked the link on the front page for the security updates, no mention there.
Clicked the privacy policy link - no mention there.
The point is this - why would a first time user who just bought a brand new machine suddenly know that they need updates, should not open attachments on emails plausibly addressed from friends, or not trust email that purports quite plausibly to come from Microsoft?
After all, I never have to take a new car to the repair shop immediately after buying it, and the letters I subsequently get from the car dealership don't give me smallpox.
Why do we label quite reasonable new user behavior *stupidity*?
--
By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
Holy Christ of a flying goddamn crutch!
I've gotten at least four goddamn thousand copies of the fucking thing in the last 72 hours.
it really says something, when a post about raising an army of geeks to take on Microsoft is labeled 'Insightful'. Oh, what a world ;)
This is the IE 5 MIME header flaw which was patched two years ago.
.. never trust a Windows email that says it will improve your security.
Bitter and proud of it.
> YOUR OS IS NOT A FASHION STATEMENT.
It isn't?
> USE WHAT YOU WANT FOR TECHNICAL OR AESTHETIC REASONS.
Funny, that's what I do with clothes. Guess clothes aren't a fashion statement either. Nor cars. Nor really stupid, inane postings.
Your computer is what you want it to be, and what you use and how you use it reflects a lot about you, just as does the fact that you have a 15 volt cordless Makita instead of some piece-of-junk black-and-decker that cost 1/3 as much. For example. Or the fact that you choose to drive a Jaguar (costs a lot, amazingly failure-prone, but very, very pretty) or a Honda (mostly not especially pretty, costs a fair bit, amazingly reliable) or a Kia (you figure it out).
Get over yourself, man. You're not the first who had the 'you're not your computer' insight. It's one way of looking at the situation. Be bright enough to figure out that it's not the only way.
Sheesh.
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
If you, just as an amazingly simple example, installed an alias in that user's .blahrc file for 'su' and a file in their bin directory called 'su' which read in the password typed after the su, printed 'Incorrect password' or whatever, and then erased itself, you'd have the root password.
You think too much like a math geek and not enough like a psych geek.
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
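The alias trick described in the post above (a wrapper named `su` dropped into the user's rc file or bin directory to harvest the root password) is the kind of thing a quick audit can catch before it is typed into. The following is an added example, not code from any poster in this thread: it scans rc-file text for aliases or shell functions that redefine `su`/`sudo`, and walks `$PATH` for a same-named file in any directory searched before the system directories. The rc-file names, the `/bin` and `/usr/bin` system directories, and the `listing()` parameter (so the PATH check can run on constructed data) are assumptions of the example.

```python
import os
import re

# Commands a trojaned rc file would wrap to harvest the root password.
PRIV_CMDS = ("su", "sudo")

# Matches:  alias su='...'   |   su() { ... }   |   function su { ... }
ALIAS_RE = re.compile(r"^\s*alias\s+(\w+)=")
FUNC_RE = re.compile(r"^\s*(?:function\s+(\w+)\b|(\w+)\s*\(\))")


def shadowed_in_rc(rc_text):
    """Return (line_number, command) for every alias or shell function in
    rc_text that redefines one of PRIV_CMDS."""
    hits = []
    for lineno, line in enumerate(rc_text.splitlines(), start=1):
        m = ALIAS_RE.match(line)
        name = m.group(1) if m else None
        if name is None:
            m = FUNC_RE.match(line)
            if m:
                name = m.group(1) or m.group(2)
        if name in PRIV_CMDS:
            hits.append((lineno, name))
    return hits


def path_shadowing(path_env, listing, system_dirs=("/bin", "/usr/bin")):
    """Return (directory, command) for every PATH entry searched *before* the
    first system directory that contains a file named like one of PRIV_CMDS.
    listing(dir) returns the set of file names in dir; it is a parameter so
    the check can be exercised on constructed data instead of a live disk."""
    hits = []
    for entry in path_env.split(os.pathsep):
        if entry in system_dirs:
            break  # everything after this is searched later than the real su
        for cmd in PRIV_CMDS:
            if cmd in listing(entry):
                hits.append((entry, cmd))
    return hits


def audit_user(home, path_env=None):
    """Run both checks against a real account: its rc files and its PATH.
    Returns (location, line_number_or_None, command) triples."""
    findings = []
    for rc in (".bashrc", ".bash_profile", ".profile", ".zshrc"):  # assumed set
        path = os.path.join(home, rc)
        if os.path.isfile(path):
            with open(path, errors="replace") as f:
                findings += [(path, n, c) for n, c in shadowed_in_rc(f.read())]
    path_env = path_env or os.environ.get("PATH", "")

    def listing(directory):
        try:
            return set(os.listdir(directory))
        except OSError:
            return set()

    findings += [(d, None, c) for d, c in path_shadowing(path_env, listing)]
    return findings


if __name__ == "__main__":
    for finding in audit_user(os.path.expanduser("~")):
        print("suspicious:", finding)
```

`audit_user` reads the real rc files under the given home directory; `shadowed_in_rc` and `path_shadowing` are pure and can be pointed at any text or directory listing. Also note that `type su` at an interactive prompt reports whether `su` is currently an alias, a function or the file in `/bin`, which is the same check done by hand.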
Your opinion quite frankly is not very worthwhile. First, losing a home directory under any OS is a _Very_ bad thing. You can't reinstall your home directory from a CD.
Second, every user does not run as Administrator out of the box in 'MS Windows Security'.
In XP this isn't true, in Server 2003 this isn't true, in Windows 2000 this isn't true, in Windows NT this isn't true.
In MS-Dos this is true, in Windows 95 this is true. In windows 98 this is true, and in Windows ME this is true.
See a distinction? Ok, so let's consider you meant "in Windows ME". Fine, yes users run with full permission in ME. And those same users, if they were in Linux would not be using Linux. Because they couldn't figure out how to install it. If they did manage to get Linux on their box, and setup their mail client, I doubt they'd be much more secure. Why? Because _they_ are still the risk. They will execute the ".sh" file attached to the mail message. The script will alias some worthwhile commands and wait for the user to give it the root password. Or, it may just ask them, after all, the users ARE the WEAK link. So why not just pop up an important looking window (or console prompt) and say something like "fsck detected faulty partition data on ext2/blah/bah/bah at offset 00345678 code word DELTA. Please enter root password so that kernel.bot may correct this problem".
Get my point? It _IS_ the "dumb" user. Switching them to a different operating system won't protect them (unless of course you _Don't_ give them root access or password, and then that would be a trusted environment and they wouldn't be running Windows ME, they'd be running win2k or XP or 2003 or Linux or BSD or some other securable operating system).
hope that helps,
-malakai
-Malakai
A Dragon Lives in my Garage
It offers multiple modes of infection, including email and Usenet (as a trojan), but also as a self-propagating worm via fileshare, Kazaa, and IRC.
RTFVD
What part of "gestalt" don't you understand?
Half of the mail I got yesterday was the virus (and I'm on a Mac, so nyah) and the other half was Norton AntiVirus saying somebody I didn't know had tried to send me an infected email. I forwarded every one of them to abuse@symantec.com, telling them to fix their software to not do that.
Do you honestly believe that if one of these so called Joe Users decided to run Linux instead, that he wouldn't log on as root at all times? Really?
It's very simple. Put a Joe User in charge of a computer, that computer will have vulnerabilities. It doesn't really matter what OS he's running.
At least with XP, it's getting much better. Auto updates for security patches are great for that type of user. Also, the firewall is enabled by default if you answer the setup wizard questions correctly (ie. "are you connected directly to the internet, or do you have a home network?" if you choose directly, firewall is on).
I feel much safer having my mom using an XP box that I configured. I know it's always up to date on both critical updates and virus signatures, and she uses yahoo mail exclusively, which stops most email viruses before she even sees them. Guess what? Not a single issue with that computer in 2 years.
Carpe Cerevisi - Seize the Beer
Let me know if anybody wants a copy of this "patch" for further analysis.
... (GIFs and stuff) ...
---
FROM: "Program Security Division"
TO: "Customer"
SUBJECT: microsoft pack
MS Customer
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which eliminates
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to help protect your computer
from these vulnerabilities, the most serious of which could
allow an attacker to run code on your system.
This update includes the functionality of all previously released patches.
System requirements: Windows 95/98/Me/2000/NT/XP
This update applies to:
- MS Internet Explorer, version 4.01 and later
- MS Outlook, version 8.00 and later
- MS Outlook Express, version 4.01 and later
Recommendation: Customers should install the patch at the earliest opportunity.
How to install: Run attached file. Choose Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.
Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site.
http://support.microsoft.com/
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site
http://www.microsoft.com/security/
Thank you for using Microsoft products.
Please do not reply to this message.
It was sent from an unmonitored e-mail address and we are unable to respond to any replies.
The names of the actual companies and products mentioned herein are the trademarks of their respective owners.
Copyright 2003 Microsoft Corporation.
Content-Type: application/x-msdownload; name="update9352.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment
We've got an Exchange box running behind a firewall, with a machine (also behind the firewall, but with a couple open ports) that accepts mail, virus-checks it, spam-checks it, and then forwards it to the exchange box. And we've got a VPN set up so that people can get to the Exchange box to get their email.
A whole lot of work, just so that our CEO can use the 'shared calendar' function on Exchange, huh?
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
This guy has a filter for viruses. Pretty good, took out the Swen virus with some modifications (added bat and com extensions)
Je ne parle pas francais.
This virus does not exploit any OS weakness.
Firstly I must disagree about your first point. It does try to run itself automatically by presenting itself as a .wav file around half the time.
But you are quite right when you say:
It exploits STUPID FUCKING USERS.
I'm amazed just how dumb a lot of so called technical staff are. The fucking -security manager- where I work ran the attachment on the last fake microsoft mail -TWICE-. UNIX guys I work with were running it too! They said it was an attachment so they had to run it to see what it was. How do these people get through life when they are so easily conned??
OK, Ignorant office staff might run this thing, but technical staff? Security staff?
This is indeed a problem caused by -STUPID- -FUCKING- -USERS-.
Thanks for listening.
From: Linux
Subject: Install this OS for better security
This is the latest version of Linux kernel, the "September 2003, Cumulative Patch update" which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as four newly discovered vulnerabilities.
Install now to help protect your computer from these vulnerabilities, the most serious of which could allow an malicious user to run executable on your computer.
Recommendation: Customers should install the OS at the earliest opportunity.
How to install: Run attached file. Choose Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.
Thank you for using Linux products.
Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.
The names of the actual companies and products mentioned herein are the trademarks of their respective owners.
Copyright 2003 Linux International.
<<<attachment: qmdywb.exe>>>
The simplest way to harm much while not preventing the virus spread is to only destroy what is necessary for the system to boot (partition table is a good choice). Because the virus can spread as long as the system isn't turned off, but to turn it on again, you'll need the install CD. This means the virus would have one full day to spread on most typical home computers. And since mostly everything you install on windows forces you to reboot, there are chances that installing the AV software would be the last thing the computer does.
So I think that nowadays, windows users are REALLY LUCKY that virus writers are not vicious yet.
It's not a WORM, since it needs user interaction to spread. It's a VIRUS. A worm does not need any idiot to spread.
It might be a good idea to use an alternate OS (I use a Mac for email), but when nobody else does and I wind up getting about 400 of these little buggers a day, it's not really much use is it.
I got this in my webmail inbox - And I managed to run it using WINE (!!) i got the message box telling me my outlook box was damaged (hahahaha I don't even use that program!) and I had to re-enter my details. And it kept popping up every few seconds or so, until I finally killed the wineserver process. Of course, Linux is totally immune to this worm :)
-- Fuck Beta
The last two months have been bloody hell on the internet. Between SoBig, Blaster, this new one, VeriSlime it's just getting too much to fucking bear. What used to be fun and enjoyable is becoming a chore after worm after worm sprays gigabytes of malware at my system.
This latest one put 100MB in my mailspool in less than 24 hours. I was getting several of these worms _per minute_ at about 150K each. Since I run the MX, I put yet another anti-malware measure: not only do I have to waste time installing and keeping SpamAssassin up to date, I now have to add Exim system filters to reject all Windows executables (even though I can't run them) because the sheer level of traffic is getting overwhelming.
Email has become a useless burden.
The time has come for change. I think the following needs to be done.
1. All operators of mail exchangers - anyone who runs an MTA should be licensed.
2. MTAs should only accept mail from other MTAs being run by a licensed operator. Mail from unlicensed MTAs should be rejected. Instantly kills the problem of malware being spread by non-MTA computers.
3. The MTA operator should risk having their license suspended or revoked if they allow spam to be sent via their MTA.
4. Licensing should consist of a course of education in non-MTA specifics (i.e. the principles of running an MTA, the laws, what traffic you should allow, what traffic you should reject) rather than be courses for particular pieces of software. It will be up to the licensed MTA operator to figure out their particular software, just like it is up to a car owner to figure out their new car. The fact that they can lose their MTA license should mean that operators will be very careful about learning about their specific software and setting it up correctly.
5. It is the operator's sole responsibility to keep their MTA secure. Bug in sendmail and you didn't hear about it/patch it? Tough shit. Your MTA operator's license gets suspended. Your MTA is configured so it will let worms/viruses out from people at your ISP or your user group? You get your license suspended. That will be a good incentive for MTA opers to do everything in their power to stop malware and spam.
I admit that I don't know a good way to go around the implementation specifics (who is the licensing authority? National governments? The people in charge of the TLD you want to have an MX in?) but this free-for-all MUST end.
In the short term, it would be good if *all* ISPs blocked outbound port 25, and blocked Windows executable attachments at their MTA to slow this shit down. The Internet quite frankly has gone from being fun, and a medium where anyone can publish for pennies to a swirling cesspit of shite. These last two months have been the _worst_ I've ever seen since first being on the internet in 1991.
Oolite: Elite-like game. For Mac, Linux and Windows
It's because it's too hard to get anything done on a Windows box as a normal user.
Btw, 'run-as' is little more than a half-assed ripoff of 'su'. Try to install a program sometime using 'run-as'. Whose permissions does the installer use? Where do the registry settings go? Why doesn't anything work?
I, and many others, are tired of fighting with half-completed MS 'features' that don't live up to the hype. Maybe, one day, Windows will have finally managed to implement all of the useful features that were designed into the UNIX and Mac OSes. Then I might consider using it. At MS' current rate of ignoring basic functionality in lieu of marketing buzzwords, though, that day will never come.
"I assumed blithely that there were no elves out there in the darkness"
I think he was uh, being sarcastic.
I don't understand sarcasm that time of the day.... uh I mean night.
Do you care about the security of your wireless mouse?
Wrong. Wrong. More wrong.
Maybe you should try using a recent version of Linux before bashing it.
Most (RH, MDK, Debian) make you install a normal user account during install. All (except Lindows) include dire warnings about using the root account for normal activities.
Lots of programs refuse to work when run as root (as opposed to Windows programs, which won't run as anything *but* admin). Any KDE app that needs root access asks for a password; Joe User doesn't need to touch a command line. He does, however, need to know the importance of layered privileges enough to enter the root password when needed. Besides, *nothing* is easier than su, except maybe the link on my app menu that says "Terminal- Super User Mode".
Regarding the composition of LUG's, I wouldn't be surprised if they *are* Joe User. The local LUG is often the first place Joe User goes for help.
If anything, your entire post seems to fault Linux for bad user habits that are taught and reinforced by *Windows*.
"I assumed blithely that there were no elves out there in the darkness"
It is not safe to run these worms / viruses on wine.
http://www.winehq.org/hypermail/wine-devel/2003/08/0488.html:
That old mail is referring to sobig, but you can replace "sobig" in the text with "swen".
The only time getting a regular user account is different to getting root is when a box is cracked which is already secured with multi(untrusted)user access in mind, e.g. web host, which does not apply to most home boxes.
The point is that Linux (as well as Mac OS X) out-of-the-box has no users running as root
Unless you're running a default Mandrake install or similar.
and in linux e-mail viruses are useless, you can't execute anything directly from the e-mail
That which is done from love exists beyond good and evil
DOH! Now I get to spend three weeks fixing this motherfucker. And we're still digging out from under MSBLAST. Oh well, thank God they sold my job to India or I might have to care 4 months from now :)
I only post twice a year, who needs a sig?
While I agree that Microsoft really shouldn't have most users as Administrator by default, it's also in large the fault of the programmers that develop software for Windows that make Microsoft decide to keep it that way..
I work in a computer lab and try hard to lock everything on the drive down before letting students have at it. Ever try running MusicMatch (any version) without being administrator? I could only get version 5 to do it, and that took a serious amount of hacking to its registry settings + hex editing one of its data files, even then the program could only play music, not rip or burn. Photoshop 6.0? Worked but had issues. Almost all the pre-Macromedia MX software had issues and didn't quite function properly if you were not an administrator with full rights to the program files directory. Premiere 6 wouldn't even function if a user didn't have full rights to one preference file in the Adobe folder, and if they delete that file the program won't work because it can't recreate it (Delete inhibit works yes, but Premiere is one of those programs that suffers from constant preference corruption). After Effects up to version 5.0 required full rights to a folder in program files. All current AVID software is a great example of software not written properly to be used unless you're an Administrator, and as they've been trying to push themselves into education I have no idea why they haven't fixed this problem since version 2.5 of AVID DV.
Games requiring Administrator rights for anything unless you've got program files locked down is also beyond me. Only a few companies actually make their games properly as to not require Administrator rights, and I'm pretty sure it's the companies' own laziness and not Microsoft when some games like Quake and Unreal not only don't need administrator access, they can survive an OS reinstall and being moved between drives or computers without failing.
Hardware insecurity causes burning software to require administrator access *or* the software alters a few policy security settings (Roxio doesn't even tell you it's doing it, where Nero requires a separate tool to even activate non-administrator burning) allowing direct access to the SCSI/IDE chain, allowing arbitrary commands used just right to bypass Windows security and do small things like read files they shouldn't have access to or to just wipe out the file table. I believe this is more Intel's fault than Microsoft's, though, from the ways I've heard the issue described by Nero, but I could be wrong.
So while you can blame Microsoft for trying to keep compatibility with current software and for leaving stupid things on by default (file sharing/NetBIOS) and not having the built-in firewall on in XP/2003 Server, it is also the fault of programmers who write for Windows who can't figure out how to use the system designated user folders instead of their own random place on your drive. All of Adobe & Macromedia's software is finally working properly at most recent versions as a restricted user (though Macromedia Dreamweaver MX at least requires DLL launching access from user directories, blah).
Blame does live in Microsoft though when it comes to holes during installation. Unless you take time to learn how to script your own install and inject hot fixes manually into the CD, there is absolutely no way you can install XP/2003 on a machine while on a large LAN without risking someone or a virus breaking in through a hole that should not have been there at all before I choose to open that service. I was pretty amazed when I saw that 2003 Server didn't have netBIOS/IP sharing off and firewall on by default when that would have saved XP pre-sp1 (and now pre-sp2 with the recent RPC holes) from being taken over. Especially for a non-home targeted product, that was just backwards thinking.
K.
In the long run, the results of this virus and Windows Updates are the same, kerplunk.
Hmm.
Using Mandrake 8.0, I never had to set permissions on any executables that I can remember.
I'm aware of chmod, but the only time I've needed to do that is when installing CGI scripts on a remote web server.
When I untarred Mozilla to my home directory in Mandrake 8.0 it ran without any need to change permissions that I can remember.
MushMouth wrote: Then the plural would be vira, there is no second I to get the Nominative plural. Virii is wrong no matter what.
:)
http://www.perl.com/language/misc/virus.html discusses the question in more detail. Second-declension neuter in -um has a plural in -a, but it's far from undisputed that the same would apply to words in -us. In fact, according to that page, it's far from undisputed that virus was even second-declension. Classical writers were so inconsiderate not to leave us footnotes about that sort of thing.
But also from that page: Virii is still completely silly, so don't do that; otherwise, everyone will know you're just a blathering script kiddie. You won't find any disagreement from me there. The English plural is 'viruses', and that's the end of the matter, or should be. But you'll note that the (originally incorrect) plural 'octopi' *has* made it into dictionaries, which does give it some veneer of acceptability. It's possible that 'virii' could end up going the same way, though I do hope not. I'll still frown on both of them, but I doubt that'll change anything.
My, that's more Latin than I thought I'd remember.
when you install any kind of app (like an SMTP server) in OS X, the system won't let you do it unless there's user interaction. You have to enter a password. You have to be an admin to be able to install an app. Windows will run any script, even pre packaged executables without letting the user know it's gonna do it. attach it to an email and outlook runs it.
I've worked with several recent versions of Linux. You have missed my point. I never said that various distros didn't make you create a non-admin user account for the system. I SAID most Joe Users will end up running as root more than one thinks. Why? Because they will tire of typing passwords for sudo or su to do things on their system. This has nothing to do with whether a particular distro has you create a non-admin user or not.
And before you think I am bashing Linux (which I am not) I think su and sudo are great (as I think run as in Windows is great). They let you run as a normal user day to day while providing a facility to run administrator type tasks as needed.
Yeah, go ahead and lump ALL Windows programs together. The vast majority of users on my network are not local admins on their machines, yet they are fully productive workers for our company and able to run all the applications necessary to be productive.
Remember who we are talking about here, Joe User. Not you, not I or three quarters of the Slashdot crowd. Nothing easier than su, eh? These are the same people that can't grasp using Automatic Update to keep their machines updated.
This virus has been out for a few days now. I don't understand why the major ISPs haven't caught it. The messages could be easily filtered without affecting other mail. It seems most ISPs do little or nothing about spam anyway...
It doesn't need any of those privileges, but Linux has no mechanism to protect you on that level
Obligatory reference to LIDS. LIDS lets you specify exactly which users and applications have any combination of an extensive list of privileges, including read or write privileges at the file level and opening sockets. A common example would be hiding /etc/shadow from everyone (even root) *except* /bin/login, who has read-only access.
My old quote used to be "can't get root if there is no root", but you weren't claiming that Linux suffers from multiple privilege escalation vulnerabilities. All told, you are right about native Linux, but there is at least one fix.
Intelligent Life on Earth
This is all from runas
Old news. I've been getting 5-7 mails a day of it for days (3 or so) now. :/
It sucks and I wondered anyway why nothing was said about it anywhere.
bye
I didn't read mail saturday, Sunday my new mail file was over 270MB, too big for Emacs (my mail client) to read. I hadn't had that happen before.
I actually ended up using mailx (a good old command-line mailreader) to delete all the virus mail, just in order to be able to read the handful of non-virus mail.
You're not doing anything "better" than you would if you were completely computerless. Your machine is the end of the line? Your machine isn't even on the line! Oooh, so you happen to be one of the people in the infected person's mailbox, causing it to send out yet one more of these annoying mails. You're not in any way holding up the spread.
Based on the fact that this virus/worm/whatever has so much sophistication and polymorphs itself, does anyone have a good procmail rule that will catch these? I have tried egrepping the body for Patch[0-9][0-9][0-9][0-9].exe but I am worried that I may lose emails from security groups that I subscribe to. What's more, the filename may change.
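The Exim-filter post earlier in the thread and the procmail question just above both want the same thing: drop mail carrying a Windows executable, without relying on a filename pattern that the worm randomises. The block below is an added example, not code from any poster or from any MTA; it uses only Python's standard `email` package. It flags a MIME part as a Windows executable on any of three signals: a Content-Type that declares one, a filename with an executable extension, or the `MZ` signature at the start of the decoded body, which still fires when the part is mislabelled as `audio/x-wav` the way the `.wav` trick mentioned above works. The extension list, the 550 reply text, and the sample message (constructed to look like the Swen lure quoted in this thread, with a fake `MZ` stub rather than a real binary) are assumptions of the example.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Names Windows runs on a double-click. Swen's attachments were .exe with
# varying names, so the extension check alone is not enough (assumed list).
WINDOWS_EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs"}
# Content-Types that declare a Windows executable outright.
EXEC_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def executable_attachments(raw_message):
    """Return [(filename, [reasons])] for every MIME part that looks like a
    Windows executable, whatever Content-Type it claims to be."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        name = part.get_filename() or ""
        reasons = []
        ctype = part.get_content_type()
        if ctype in EXEC_MIME_TYPES:
            reasons.append("content-type " + ctype)
        ext = os.path.splitext(name.lower())[1]
        if ext in WINDOWS_EXEC_EXTS:
            reasons.append("extension " + ext)
        body = part.get_payload(decode=True) or b""  # base64/QP undone here
        if body[:2] == b"MZ":  # DOS/PE executable signature, survives renaming
            reasons.append("MZ header")
        if reasons:
            findings.append((name or "<unnamed>", reasons))
    return findings


def smtp_verdict(raw_message):
    """What an MTA content hook would return: a 5xx reject line so the sending
    side gets a permanent error at SMTP time (no bounce to a forged From), or
    None to accept the message."""
    found = executable_attachments(raw_message)
    if not found:
        return None
    name, reasons = found[0]
    return "550 5.7.1 Windows executable attachment rejected: %s (%s)" % (
        name, ", ".join(reasons))


def build_sample():
    """Constructed message shaped like the Swen lure quoted in this thread; not
    a real capture. The attachment is declared audio/x-wav but carries a
    (fake, two-byte-signature-only) Windows executable."""
    m = EmailMessage()
    m["From"] = '"Program Security Division" <noreply@example.invalid>'
    m["To"] = "customer@example.invalid"
    m["Subject"] = "microsoft pack"
    m.set_content("MS Customer, this is the latest version of security update ...")
    fake_pe = b"MZ" + b"\x90" * 30 + b"This program cannot be run in DOS mode"
    m.add_attachment(fake_pe, maintype="audio", subtype="x-wav",
                     filename="update9352.exe")
    m.add_attachment("Nothing to see here.", filename="readme.txt")
    return m.as_bytes()


if __name__ == "__main__":
    print(smtp_verdict(build_sample()))
```

Rejecting at SMTP time (the 550 path) rather than accepting and bouncing is what keeps a filter like this from becoming one more source of the backscatter several posters above are complaining about, since the worm forges its sender addresses.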
Why not forward all this shit to microsoft headquarters and jam THEIR goddamn mail system?
Why wouldn't it be under your home directory? If you have it anywhere else, then other people can access it... Ohhhh! You naughty boy! What's your IP address?
(Score: -1, Stupid)
Not if you installed the Outlook Security Patch from a touch over three years ago. And recent versions of Outlook Express allow you to prohibit access to dangerous attachments. (Tools | Options | Security)
;)
If this thing was patched, how did SoBig propagate and spread like wildfire? Some systems were never patched for one reason or another, so the patch didn't really do much, huh? Oh well, As long as your system is secure, that's great. It's one less system to spread viruses and trojans.
That is the *biggest* crock of shit ever, but I hear it time and time again on Slashdot. /home is the most valuable part of the system!
I suppose that losing /home is important, but I also suppose that it takes little effort to back up home to some other partition each evening. If my /home directory is trashed by some process with user privileges, then I still can restore it, since that process can't hose my backup.
Phiwum's law: anyone that names an obvious law after himself and then puts it in his own sig is just pathetic.
then you obviously don't write shell scripts. or save individual files off the internet. Tar can set permissions, as can install, the program that actually copies the files when you run make install. Files are not executable by default. something has to make them that way. you may be being confused though because cp often preserves permissions. try running vi myfile.sh and type up a shell script. it won't run unless you chmod it.
That which is done from love exists beyond good and evil
Disabling DCOM on Win2000 requires SP 3. If you don't want to edit the registry to manually create the key used to Enable/Disable it, use Steve Gibson's DCOMbobulator:
http://grc.com/dcom/
Pain is merely failure leaving the body
Tell me, are you the person responsible for the equally inane AC post I was responding to? If you aren't, shut your trap and move along, because it seems to me that this post just doesn't apply to you. The guy is acting like choosing an OS is some choice where what people will think about you should weigh highly in your mind when choosing. That's a load of trash. I took the opportunity to broaden it to send a message to every shmuck who thinks buying an AMD will make you a better person than buying an Intel, or buying an Nvidia will make you cooler than buying an ATI (or vice versa). If you make technical decisions like that, where stupidity like that can override a sound technical decision, perhaps you shouldn't be using computers. Maybe you should be collecting stuffed animals or something instead, so you don't have to suffer when you make a stupid decision because the alternative "isn't cool enough".
It's been a long time.
I see THREE different e-mails of the same virus, and NAV caught them all (daily updates are great for stopping stuff like this). NOT that I would be stupid enough to run it, AND it wouldn't have autoran anyway - I'm running Eudora.
*email*
"Hi! I'm your new patch!"
Do you see why this has worked so well?
Do you see why this is an absolutely fatal flaw, on the social engineering side? You simply cannot browbeat people to patch patch patch blindly and without asking questions, and expect them to be properly skeptical when a virus comes along that's really well disguised as a patch. It's hopeless. From this point on, the biggest viruses are likely to do two things:
Game over. That route is now useless, and it's counterproductive to harangue people to patch at this point- you're only setting them up to be exploited by a virus. The stronger their drive to patch, the more likely they are to slip up and try to do it in the wrong situation.
Look at Swen and what's happened. Call them idiots if that makes you feel better. Fine, you've called them a name. Now what?
Actually, I do have a solution, but I don't know if it's quite time for it- some people might object. On the bright side, it would work.
All mail transfer agents from now on are to auto-strip all, repeat all, attachments to email.
You wait- the time may come when the world does that. Practically, it would only require some backbones or maybe a quarter of the MTAs out there to be doing this to seriously clean up the state of affairs.
I would like to see it happen tomorrow.
At that time, PC viruses weren't so much of a problem. But as the home PC market exploded, viruses grew along with it, and there soon came a point where no one in their right mind so much as DIR'd a floppy without scanning it first.
Similarly, in the era when shared floppies were the primary infection vector, and the average PC ran plain old DOS, nearly all PC viruses targeted either the boot sector or ordinary DOS executables. Now, when hardly anyone uses floppies but everyone uses the net (mostly via vulnerable Windows apps/script engines), the internet has become the major transmission vector, while boot sector/file infector/DOS-based viruses have fallen out of fashion.
Point being, viruses are written primarily for mass-market platforms and utilize mass-market vectors, and it really doesn't matter what that platform or vector IS. Virus targets shift right along with the consumer market. After all, there is an ego factor involved: who wants to be known as the lamer who infected three XTs and a Mac, when they could be known as the [pejorative] superhacker [/pejorative] who infected 10 million PCs worldwide??
~REZ~ #43301. Who'd fake being me anyway?
This is NO different than a basic install of Red Hat. NO user is in the Administrator/root account. A default firewall is turned on, and automatic updates are downloaded through Red Hat's up2date RHN network. The one thing that makes the security tighter under Linux is that the user is NOT running in the Administrator account, whereas I bet your Mom is running a user that is part of the Administrator account, or do you have her running runas all the time to install software?
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
Umm no. Mandrake does NOT put you in the root account. There is only ONE root user. I know that Mandrake, SuSE and Red Hat do not have the user login as root. Most of them also change the background to some scary red image when you log in as root and also warn you when you first log in that it is not safe. The ONLY brain dead flavor of Linux I have heard of that does this is Lindows. And if Lindows ever gets big, they will pay dearly for it.
I agree 100%. It really is an industry problem. Though I feel that MS was the root cause of this problem by making things this way in the first place. However, now the industry expects things to be this way and when you do try to lock down an MS Windows desktop, the user friendly experience is gone. This is why Linux gets complaints that it is not as user friendly as MS Windows. I personally think this is a good thing because it forces all Linux users to at least know some BASIC computing skills. No one is saying you need to be an uber computer geek to use Linux. Just some basic skills like you need to su - to the root user to install software or change system wide config files. This is why at the fortune 500 company I work for the 1,000s of MS desktop users are given local admin to their PCs. It was a nightmare for the admins to constantly run around to install/uninstall and configure stuff for a restricted desktop. It is much easier to give the 1,000s of users a network share for personal files and just ghost a PC that gets too hosed. With the network segmented enough and plenty of firewalls, the internal network stays pretty clean.
As I stated before, I don't use MS Windows at all in my home network. However, at work, it was a nightmare to try to run 1,000s of desktops with restricted access. The vast majority of applications just WOULD NOT run. MS has always had the environment where users have total control and the vast majority of software out there takes that as a given. It has been far easier for the admins where I work to segment the network well, use plenty of firewalls, give each user their own network share for personal files, and to use ghost to fix any machine that gets too hosed than to try to configure 100s of applications to run in a locked down MS Windows 2000/XP desktop environment. Now, the Linux desktops run great in a locked down environment since that is how it has been under Linux since day one. Any user specific data is just handled in the user's $HOME directory and no root access is needed.
She's a regular user, and she doesn't (and can't) install software on her own. I either do it for her when I'm there, or I connect through remote assistance and do it that way.
Carpe Cerevisi - Seize the Beer
How many people are going to run what they think is a fake Microsoft patch?
bits and peace
Nicholas Daley
I just received an email from my mail server saying it had blocked an email containing "Worm.Gibe.F". :-)
It's got a text version of the exact update notice in this article.
Good to see that my server admin is keeping the virus sigs updated.
Err, that should be " or indicators".
Oops.
You can always slipstream your XP iso so that SP1 is already installed.
Ever heard of 'Enable VGA mode'? (when you've installed bad video drivers)
XP supports changing video drivers without restarting; I have no experience with ATI drivers, but the others I have used don't even ask for a restart when switching from 'Standard VGA.' It depends on the old driver being able to stop nicely.
You are including game updates in the Windows installation?
At the end of 2nd list, ever heard of 'Safe Mode'?
Patching doesn't always mean restarting.
There is little reason to patch if your system is secluded, at home, behind a good firewall.
> Gee, since I've never been infected by a virus or worm, and I've
> been using Windows since forever (both client and server side),
> I don't feel I have that much to worry about.
Well, 99% of all Windows worms aren't Windows worms per se, but worms
that impact software that only runs on Windows (usually Outlook, IIS,
or MS SQL Server, but sometimes it's something else). There are the
occasional worms that really do attack Windows itself, like the one a
couple weeks back (that attacked around the same time as SoBig; I
forget what it was called), but many of these can't infect you if you
are up-to-date on your security updates, and most of the rest will be
stopped by any half-decent firewall. So yeah, with safe computing
practices you can run a secure network with Windows systems. That
said, at work I just finished putting all the Windows systems behind
an IP Masq gateway, because it seemed easier than keeping track of all
the security measures I would have to take otherwise. (The NAT of
course does not protect against client vulnerabilities, but I don't
permit Outlook on my network, which helps a LOT; there are easily
ten times as many Outlook malwares as there are security exploits
for Windows itself. This latest is just the most recent.)
Cut that out, or I will ship you to Norilsk in a box.
Yeah, add this ACL to your profile, or better yet, to everything in 'Documents and Settings': Everyone - Execute File - Deny.
Linux execute flag = NT execute file privilege, only with ACLs you can be more specific about just who can run what.
Besides, compared to your steps, I won't suck up yet another partition on my hard drive.
> Don't open email in a reader that will automagicly execute whatever
> it opens (ie: unpatched outlook)
They say Outlook is patched for this. Yeah, whatever; a specific
case has been patched. It's been patched many times before, and it
will be patched again, and still it will automatically execute
certain types of attachments and *hope* the authors have now finally
thought of all the bad things such content could do and specifically
prevented each of them. Only, they obviously haven't yet because
the rate at which new ones are discovered has not diminished in the
slightest.
Bah. Save yourself a lot of trouble: don't use Outlook at all.
Cut that out, or I will ship you to Norilsk in a box.
The registry has ACLs too, and even defaults protect the local machine (as opposed to current user) registry from normal users. /etc.
Besides, apps are supposed to put all of their settings under \software\company name\program name. It's not Microsoft's fault if some third party designer doesn't follow the rules, and it's not any worse than programs dumping random config crap into
Um no. You could defend against the RPC worm a variety of ways.
Like hell Macintosh and Linux users are unaffected. I've been getting hundreds of copies of these little motherfuckers per day for the past few days. The spamassassin mailing list has been deluged with requests and suggestions of rules to block the damned things (along with the usual idealist whining that viruses/worms are not spam and therefore outside spamassassin's scope-- sorry guys, but it's both prodigious and unwanted, therefore it's spam, albeit not of a commercial nature).
F-Secure's detailed write-up of Gibe/Swen includes examples of several of the worm's canned subject lines and body phrases (not only does the worm pretend to be a security patch from Microsoft, it also pretends to be a message being 'returned' to you in other copies). Bah. Outlook must die.
Over the weekend, my work id received over 420 messages as a result of these worms. Each one was over 140k - the spam by itself was 58 meg. That's besides all the normal spam I get.
People who are stuck using yahoo, hotmail, and the other free mail accounts with 4, 6, 10 or whatever meg limits are finding that they no longer are able to get legit mail due to the swamping of mail boxes by this trash.
URL: http://xanga.com/lvirden > Quote: Saving the world before bedtime. Even if explicitly stated to the contrary, n
It's already illegal to write a malicious worm, you fucking idiot
-- 'The' Lord and Master Bitman On High, Master Of All
I actually infected my winblows machine with this out of curiosity. I had my backups in place and I was intrigued to find that Norton Antivirus didn't detect it. (yes, after updating definitions and a trip to Windows Update.) It came in a nice HTML email faking Microsoft's cartoony XP look and had links to Microsoft's site and everything. There was only one spelling mistake (not very joke, huyuyuyuyuy) and the email address came from a bogus address. Why they didn't forge that is beyond me.
Anyway, the virus runs a process, puts itself in your startup, messes with your registry so you can't edit it. It pops up this fake email error thing asking for your mail server, username, password, full name, etc. every 5 minutes. It also stops Norton Antivirus and Firewall from getting into memory once you reboot. And when you do shut down, it hangs a little while the hard drive churns... I'm not sure what it's doing back there.
Can anyone tell me if transgaming is any good? I'd love to replace my windows gaming machine with a Linux gaming machine.
Gee, since I've never been infected by a virus or worm, and I've been using Windows since forever
Amazing, you are the only one.
Have you got your LWN subscription yet?
I do fully realize that I am running a risk at home, and with the latest round of viruses, I am tempted to get a virus checker going on the old home PCs, just to be on the safe side. Like most people I'm a firm believer in it can't happen to me.
;-)
You are probably already trojaned, and being used as a mail relay
Have you got your LWN subscription yet?
You have to open the attachment.
No, you're wrong. This worm can use a two-year-old bug that lets the executable run whether or not you open the attachment
Have you got your LWN subscription yet?