Microsoft "Swen" Worm Squiggles Into Sight

greenhide writes "As forecast in this story, a new Microsoft worm has indeed wriggled to the surface. The W32.Swen's claim to fame is its professional looking email advertisement that pretends to be a fake Microsoft patch. Earlier viruses have made the claim, but none of them looked this good. It appears to have infected over 1.5 million machines. "

Wow

[HanzoSan]

Thats one hell of a virus.

I suggest all Windows users go to http://www.knoppix.net/ and burn the CD.

Re:Wow

[gl4ss]

dude, that knoppix cd will be useful when the windows installation gets kicked up a notch, it's really handy to have a cd like that to retrieve the really imporant data out there.

it's also good enough to keep you on 'net while you're trying to figure out wtf went wrong.

unless you got an as good a windows running livecd system?

Re:Wow

[NanoGator]

"I suggest all Windows users go to http://www.knoppix.net/ and burn the CD."

I know this is marked as funny, but Knoppix is pretty damn useful. I've never particularly liked Linux, but I can tell you that my respect for that OS went way up after trying Knoppix out. I burned a couple of copies to keep around the office in case something like a worm lays waste to the network.

On a side note, it'd be nice if other Linux distros paid more attention to how Knoppix works. It auto-detects everything and doesn't require an install. Just pop in the disc, have it copy a few files over as read-only, and reboot. System corrupt? No prob, just copy the disc over again.

Re:Wow

[binarybum]

??

In case you turned stupid and ran a fake patch that was emailed to you?

Re:Wow

[wang33]

actually the worm exploits an outlook security flaw to run itself. Thats how i got infected at work :-( damn outlook and your wonderful autopreview feature.

wang33

Re:Wow

[lseltzer]

You're referring to a flaw that was patched 2.5 years ago. What kind of moron is running a version of Outlook without this patch? That would be you I guess.

Re:Wow

[dakryx]

Would you believe that some people don't have administrative priveledges on their computers at work? That means they can't patch it themselves, don't go calling people names all willy nilly.

Re:Wow

[Geek+of+Tech]

> What kind of moron is running a version of Outlook without this patch?

Tell me 'bout it. Ever since I started using the patch I haven't even had a single craving to use OE. Yep, just stopped. Just put the patch on in the mornin and.....

oh wait, you mean a security patch....... right.....

Re:Wow

[Geek+of+Tech]

Thanks Overly Critical Guy (663429)!

+1 (Informative) for catching the goof in the summery.
-1 (Troll) for not reading the article. According to it (of course, they could be wrong)... "Swen represents a high level of sophistication in its ability to execute code automatically"... and "Users whose PCs are not patched against the Microsoft flaw this worm exploits will be infected just by viewing the message, as will protected users who click on the e-mail attachment"....

For an overall +/- 0.

Re:Wow

[lxs]

you are very cynical. Next you will tell me that penis enlargement pills do not work... ...Ahh I have no time for you! I hear the postman coming up out street and I'm expecting a cheque from that nice Nigerian gentleman.

Re:Wow

[lseltzer]

Like I said, 2.5 years. Somebody here isn't doing their job and blaming their problems on Microsoft.

I hate this virus

[Free+Bird]

It's been flooding my mailbox for more than a day now. Grr...

And all 1.5 million

[robochan]

of those machines seem to ahve sent it to me :(

Re:And all 1.5 million

[Merk]

I know how you feel. I was getting them at a rate of 1 or 2 every 10 minutes. Ugh. If you happen to be running SpamAssassin, I've got rules that seem to take care of it. Luckily for you, but unluckily for me, I was hit starting on Thursday, so I've had days to tweak the rules.

Check them out at my web site. Feel free to add comments and tweaks there. Oh, and in case you're using maildrop, you can apparently choose not to deliver the message by using if ($MAIL_IS_SPAM) { exit }

So now my own server is spam free, but unfortunately even though I use Linux at work, the mail server is an Exchange server so... *sigh*

Fascinating isn't it?

[Afrosheen]

After all these worms and virii are hitting MS boxen from every angle, there still aren't mentions of alternatives from major news sources. The Dallas Morning News, last week, had at least a causal glance by saying in one line "Macintosh users are unaffected".

Why isn't Linux and Macintosh turning this into a big propaganda opportunity? Both OS's can hold up the 'come to us, we've had our shots, we'll never get worms' flags and pray that the big media mentions it.

Re:Fascinating isn't it?

> After all these worms and virii ...

VIRUSES!

(Score:-1, Perpetuating Imaginary "Latin")

Re:Fascinating isn't it?

[ramzak2k]

and say what ?
"Use Mac have no viruses affect you " ?

The users will sue apple to glory when they do come across Mac worms. Lets face it, worms will exist as long as there are worm writers. Unless ofcourse Mac and Linux blocks all incoming attachments (which is what my outlook express coincidentally did after a patch) you can't guarantee anyone against worms and ignorant people that will open them. Now security flaws in windows - thats an entirely different subject.

Re:Fascinating isn't it?

[M.+Silver]

When is the last time your car mechanic told you that you couldn't drive your vehicle because you are an idiot? Does your plumber forbid you from using your faucets?

I can't speak to the plumber situation, but if you've ever listened to mechanics behind the scenes, they sound *exactly* like computer techs. Sometimes they really *do* wish they could tell people they shouldn't drive a vehicle because they're idiots. (I'm betting body shop folks do even more of that sort of griping...)

Re:Fascinating isn't it?

[arkanes]

Well, in at least one of the copies I recieved, the virus exe was a big scary looking demon head in my email client (no, not outlook). You'd think someone who spends the time crafting an email like this wouldn't put a demon head icon in the exe, but whatever.

Re:Fascinating isn't it?

[ProtonMotiveForce]

Hey, nerd. This is an email virus, hence it's not exploiting an OS bug.

If people mailed clueless Linux users and said "this is from Linus, run it" I'm sure people would be dumb enough to run it.

So here're a few hints for you:

1. Bugs that depend on the idiocy of the user don't have anything to do with your OS wars. People chose to use Microsoft because, umm, everyone runs a MS OS. Nobody (comparatively) runs Linux.

2. If you're going to make an OS issue, at least wait for a MS RPC bug or something. Then I can point to the litany of Mandrake/Debian/Redhat bugs for the week.

Re:Fascinating isn't it?

[NanoGator]

" Why isn't Linux and Macintosh turning this into a big propaganda opportunity? Both OS's can hold up the 'come to us, we've had our shots, we'll never get worms' flags and pray that the big media mentions it. "

The cost of switching for that reason alone isn't necessarily worth it on a massive scale. You switch because you're worried if your computer stops working, right? Well if the cost of the switch is that your games and some other apps stop working, then you've traded one failure for another.

I wouldn't call that a great marketing opportunity. It's one thing to draw attention to those OS's being 'virus free', it's another to urge people to switch over it. Besides, if somebody does cause that kind of havoc on either of those machines, then you'd have a lot of unhappy peeps.

It may not be worth drawing attention to that aspect of those machines. All you need is for an inexplicably popular app to have an exploit in it, and millions of people using it. (Kazaa, ICQ, Winamp, you name it.) There's not a bean that Linux or Mac can do to stop that.

(Note: Please don't read that as "Kazaa, ICQ, and Winamp have exploits." I just meant that they're really popular.)

Re:Fascinating isn't it?

[Afrosheen]

Your point is invalid.

The fact that Windows is so exploitable is the reason it's exploited, not the fact that it's the most widespread.

Free/OpenBSD and linux/unix have been around for quite awhile, and both are getting more usage daily. Both are on the net all over the place. Yet they're still not a target or at the very least, an unsuccessful target. Why? Security and built-in holes are kept to a minimum and usually patched in a timely manner. Some people get rooted once in awhile but it's usually their own fault or the fault of the admin that forgot to apt-get a new fixed daemon or library.

Just face it, Windows was never designed with security in mind, and all the patching in the world may never make it more secure. Once again let me reiterate: Windows is a target because it's too easy.

Re:Fascinating isn't it?

[mraymer]

Pretty much everyone has their own area of expertise, but elitists in any field should not be tolerated...

It's a lot easier to get an elitist attitude than it is to be patient with others, but understand this: while a person may look like an idiot to you for not knowing this isn't a legit update, that same person might think you are an idiot in is world of expertise, and you very well might be.

Ralph Waldo Emerson once said, "In my walks, every man I meet is my superior in some way, and in that I learn from him."

If this was true for him, isn't it a thousand times more true for the rest of us?

Heh

[autopr0n]

That's kind of funny, although it seems that this virus requires user interaction in order to spread, so we can't really blame M$ for this one :P

Re:Heh

[ctid]

That's kind of funny, although it seems that this virus requires user interaction in order to spread, so we can't really blame M$ for this one :P

Why not? Why make an email system that allows an unskilled user to run an untrusted executable? Seems bizarre to me.

Re:Heh

[Moridineas]

So you're saying you WANT trusted computing from microsoft?? ;)

Oh yeah...

[JoeLinux]

At work, they have duped over 5 of my collegues...even AFTER the email went out saying that it was going around. Well, Make an OS that any idiot can use, and only idiots will use it, I guess...

My problem with all these worms is that it doesn't do anything after it propogates, so no one will really care except bandwidth-concious IT people. It should send itself out, then erase all the FAT tables on a hard drive.

Or deltree the c:\winnt or c:\windows directory (or both).

That would REALLY piss people off, who would demand that they do something to make sure that not happen again...like...I dunno...Linux or OSX?

Just a thought...

Whew!

[dupper]

That's one good looking worm. Great UI and user friendly, too! There goes the whole 'Linux advocates create these worms to embarass MS' arguments.

/troll

Weird

[Tidal+Flame]

All of the big internet 'epidemics' so to speak (I Love You, WBlast, and so forth) have completly missed my system. I've been a Windows user for a long, long time and I don't think I've ever received an email containing a virus. Maybe my ISP just has really good filtering... or maybe the viruses only go after American domains... Weird.

Virus Warning

[Henry+V+.009]

The fake update has made it to Windows Update itself. Here is the name: "Recommended Update for Windows Rights Management client 1.0."

Do not download, it's only there to own your system.

It's not a worm, it's a virus

[Telcontar]

The virus needs user interaction to propagate. Hence it is an e-mail virus. Only programs that propagate automatically are worms. One cannot necessarily expect the Washington Post to get such technicalities right. However, it would be nice if at least /. used proper terminology.

Then again, if it did, it wouldn't be the /. we known anymore, would it...

Re:It's not a worm, it's a virus

[prandal]

It uses the exploit described in MS01-020. Reading it or viewing in in Outlook's "Preview Pane" will execute it on vulnerable systems. I've had about 20 copies reach my home email address - that's the worst I've ever seen.

Worm Load

[m.dillon]

There were over 4500 attempted deliveries of this 150K+ worm through my mail server overnight, and they are still coming. Easy to filter, but this is by far the worst worm load I've seen to date on my little server.

On the bright side, deliveries of unrelated spam seem to have fallen due to the worm's load on the internet :-)

Sweet!

[endeitzslash]

I was happy to get this e-mail from Microsoft so I could apply a cumulative patch. I'm usually so bad about patching my system in time, but this time they took the trouble to remind me personally!

No more worries for me!

it also mines usenet

[poptones]

I have never had a virus sent to my home machine because I jealously protect my email domain (every individual gets an email address and if it leaks they never hear from me again). Most commercial sites even seem to respect this. But I made a "junk" address for groups.google.com and, although I have only posted through there a couple of times many months ago, the virus found this address. Apparently it is also crawling usenet, or at least the groups served by google.

Five of'em in one day. Of course, the rest will go into the trash automatically, but it was an interesting experience finally catching a taste of the "commoner" internet.

...Not a Good Idea (R)

[thermopile]

I should think it would be exceedingly hard for a marketing community to market its 'immunity' to virii -- even a marketing staff as highly trained as whatever Apple hires -- without setting itself up as the next target.

Hypothetical advertisement: "Hey, we're Macs, and we don't have viruses."

I guarantee you that every virus writer and his(/her?) grandmother would flock to OS X and start writing viruses with reckless abandon. Apple, Linux, Amiga, Commodore 64, and whatever other less-used operating system is probably perfectly happy to have its users sitting fat, dumb, and happy and not bragging about it.

Accepted as the norm now?

[thenextpresident]

I can't help but feel that people have accepted the fact that Computers in general get Viruses. People complain about Windows, but Windows, to most people, is the only solution. So for them, the concept that Windows gets hit with so many viruses means that users in general get hit. No matter the OS.

I was explaining the other day to one of my business partners not to install this virus, and to delete it right away if he gets it.

He asked me if my computer was infected, whereby I had to explain once again that running Linux, I generally don't have to worry about things like this.

But the point is, for him, computers just get viruses. And because of that, I believe that most people are thinking: "Hrm, my computer got a virus.", not "Windows let another Virus through."

So the majority of the people that aren't really computer illeterate (the majority), don't really know what to think when people tell them Linux is more secure.

Because for them, it's still running on their computer, and their 'computer' got a virus. It's just their mentality. Of course, this is simply my opinion.

Skynet is here

[JonnyRo88]

You know that if the situation in Terminator 3 (virus spreads over majority of systems) were to ever happen, it would happen as a result of having a massively homogenous computing environment. I really think that we should stop teaching kids how to use Word and Excel in middle school, and start teaching them how to install their own linux systems. We could create an army of informed computer users, something that Microsoft fears the most.

Re:Skynet is here

[Llurien]

It's interesting to draw a parallel to the biological world. When you are growing monoculture crops, and one disease comes along that really likes the stuff you are growing, then your entire crop might be lost. Same goes for our current habit of breeding livestock that often originates from only one or a few successful parents. Here in Europe for instance we've had pig's plague, bird's plague, mad cow disease, all in the past couple of years. Each of those caused massive damage. Secondly, it's also interesting to observe that the most successful computer viruses are those that do relatively little damage to the host system. Obviously, thats because they go unnoticed longer, and when noticed, less effort is taken to eliminate them, because "it's not really doing any harm". This is strangely similar to real life, where the most successful virus ever may be the common cold. It does just enough to make you sneeze copies of the virus all over the place, but not enough to make you stay at home.

Finally

[CGP314]

I was waiting for a slashdot story to tell my why I found 500 'patch' emails in my inbox over the weekend.

html

[BWJones]

So, I have recieved a number of these (thank goodness I am running OS X) and it appears that the "notification" also contains html. So, examining the html, it appears that it actually references microsoft.com.

If I were microsoft, it appears there is a simple way to defeat this by inserting html in the referenced source that warns recipients of this sort of thing.

Wow.

[Nexzus]

Social Engineering + Professionalism + Virus = One Fun Monday Morning

Re:Huh?

[cscx]

Please don't get me started....

I feel pretty damn safe under Linux, how do you feel worrying about when the next worm will take over your entire machine?

Gee, since I've never been infected by a virus or worm, and I've been using Windows since forever (both client and server side), I don't feel I have that much to worry about. Since I'm pretty confident I know how to use a computer and all its associated software properly, I don't think that Linux is that "magic snake oil" that will solve all my problems.

BTW, I don't use Zone Alarm.

Sobig

[dr+ttol]

This is from the creators of Sobig. They are trying to get as many venues to send spam as possible. Once the login/password + smtp info is gathered, it is sent to them and they now have a massive list of credentials to bombard the rest of the world with.

Vicious worms don't survive

[IncohereD]

....because they're noticed too quickly. If you destroy your host immediately you're not going to propogate too far, now are you?

Yes, you could make it a little more complex with time-outs or a way to select certain targets as hosts for more sending and others to destroy, but it wouldn't last and last like some of the recent worms, because it's effects would be so noticeable.

The SPAM Connection

[CedgeS]

This worm looks like a clever attempt at developing a new spam system.

It asks for the infected users name and email address. Great information for sending spam to.

It also asks for the users SMTP server, login name, and password. The spammer who developed this worm is looking for a way to used closed relays.

This worm is missing only 3 features, currently unreported, to be perfect. First, it should log this information and forward it in some anonymous manner (such as sending it to a few thousand people, one of whom is the desired recipient), second, second it should develop not only a list of email addresses, but also a map of who opens email sent to them by whom (so you can be sure the spam gets through), and third it should turn the comprimised computer into a distributed SPAM network relay.

Old idea new spin

[Stonent1]

This type of trojan has been around for a while. I've been getting fake MS e-mails for almost a year now. Official Microsoft statement that we give people on the phone "Microsoft never sends you files via e-mail unless you are on the phone with support personel and they specifically say they are e-mailing you something" 99.99999999% of the time, if MS e-mails you it will only direct you to their site to READ about the purpose of the patch and then download it. Also all MS security bulletins are digitally signed.

80+

[craig2787]

I've gotten this over 80 times now. It has a few typos though, so falling for it would be dumb, to the point where if you did, you deserve it.

Re:Huh?

[revmoo]

Or he patched it when the vulnerability was originally released, OR he is behind NAT, or any other way the worm wouldn't have a clear shot at 135.

Zone Alarm is not the be all and end all of worm prevention :)

The installer looks genuine too

[Stonent1]

Network Assocaites has some screenshots of the installer http://vil.nai.com/vil/content/v_100662.htm

Reject Executable Attachements

[KidSock]

It's a very good idea these days to just reject all executable attachments at "the gates" so to speak. I use postfix 1.1 so I added:

body_checks = pcre:/etc/postfix/mime_header_checks

to /etc/main.cf where the file referenced came from here:

http://www.securitysage.com/files/mime_header_chec ks

but there are many regular expression filters like this one. Note, with 2.x you need to use the 'mime_header_checks' directive rather than 'body_checks'.

If you want to send someone an executable, send it to them in a zip or tar.gz.

Re:Reject Executable Attachements

[ummit]

It's a very good idea these days to just reject all executable attachments...
If you want to send someone an executable, send it to them in a zip or tar.gz.

All this does is moves the problem around. It's not a very good idea at all (though unfortunately it's a compelling one).

1. Soon enough, executable malware will shroud itself in a .zip wrapper (some of it already does), and at the same time, "for convenience", new idiot-aligned (made by and for) email software will make it easy to open attachments inside zip attachments.

2. Meanwhile, it becomes harder and harder for the rest of us to use e-mail at all, as the number of proscribed message attributes grows and grows. I'm a Unix user, I want to send a fellow Unix user a script which I've placed in a file which I unthinkingly gave a name ending in ".scr", and though the file is not dangerous to me or my recipient or anyone else, it's filtered out on behalf of people who use an operating system which neither I nor my recipient use. Bleah.

The referenced header checks disallow 53 different filename extensions, all of which I now presumably have to remember to avoid using. (The problem is of course exacerbated by Windows' stubborn insistence that extension === file type.)

Re:Huh?

[WhiteBandit]

Um no. You could defend against the RPC worm a variety of ways.

1.) Applying the patch
2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion. But it isn't your only protection.
3.) Using a hardware firewall which blocks the RPC port anyway.

The only defense is to stay vigilant and be smart about computers. Just because someone is using linux doesn't make it secure. No matter what Operating System you are on, you have to be somewhat proactive in protecting your computer.

Its not just an email worm!

[timelady]

Oh no, this multi talented worm is:

• Mailing itself to recipients extracted from the victim's machine
• Copying itself over network shares (mapped drives)
• Sharing itself over the KaZaa P2P network
• Sending itself via IRC

But wait! Theres MORE! It has its own SMTP engine. It attempts to halt anti-virus processes. It alters the registry AND THEN it even disables the ability to edit the registry!

Quite a nasty beasty really. And even for us nice safe Linux/BSD users there are issues. Clogged mailboxes are at least, a nuisance, at worse, a huge bandwidth cost. Those on dialup or liimited broadband access where you pay for d/ls and uploads will notice it!

So even those of us cheerfully NOT patching frantically have consequences. The celebrations of yet another MS problem are a bit premature it seems to me. I'd rather see more outrage that such an inherently insecure and easily manipulated OS is costing ALL of us online.

Learn First, Post Second

[DonnarsHmr]

The only way you could defend against it is Zone Alarm.

There are several reasons what you said was just plain wrong. There were a lot of ways to avoid the RPC (MSBlast) worm. First, you could have patched when the patch was first released. It pre-dated the worm by several weeks. Second, you could have been running the built-in XP firewall. Third, you could have been running a 3rd party software firewall such as ZoneAlarm. Fourth, you could have been behind a firewall on another box or behind a hardware firewall. Fith, you could be behind a NAT box that is set not to pass incoming connect attempts to LAN side (which is the default setting for the 3 home routers I have owned). Doing any one of these would have dropped the likelyhood of getting the RPC worm to zero or near to it (e.g. it's perfect until and infected machine is hooked up behind the firewall). How are people who took one or several of these steps lucky? I have 3 Win boxen among the computers on my home network, none got infected. Though my router was catching about 5-8 infection attempts a second.

Don't allow dangerous attachments

[rossz]

If you are running Exim 4.x, get the Exiscan patch and configure it to refuse (at the connection) dangerous attachments. Here's what to add to your acl_smtp_data section:

# First unpack MIME containers and reject serious errors.
deny message = This message contains a MIME error ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}

# Reject typically wormish file extensions. There is almost no
# sense in sending such files by email.
deny message = This message contains an unwanted file extension ($found_extension) that is commonly used to send viruses and worms. If this file is expected and desired by the receipient, you must put it in a zip or other standard archive format.
demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp\
:hta :inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst\
:pcd:pif:reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:ws f:wsh

The advantage to refusing attachments here is you won't generate a bounce message that will almost always end up going to an innocent third party since the viruses/worms usually forge the headers.

I'm sure there is an equilvent fix for sendmail. If you are running MS Exchange, the best way to fix your server is by taking a knife to its network cable.

W32Swen infection rate

Some guy tracked the hidden counter inside the virus and posted the numbers: http://smharr4.dnsalias.net/security/index.html Pretty neat.

Lucky?

[Kircle]

If you were using XP and you didnt get infected by the RPC worm you were lucky. The only way you could defend against it is Zone Alarm.

Lucky? Zone Alarm?? Well, at least you were able to show that you really don't know much about Windows (or at least not as much as you think you do).

What do you mean professional?

[GabrielF]

I don't understand how people think this virus looks professional. The text is filled with typos and garbled and confusing to an experienced computer user like myself, it must come across as utterly incomprehesible to an inexperienced computer user. A presitgious software developer like Microsoft would never design such a crappy interface!

Uhh, this was *NOT* forecast

[menscher]

The story was forecasting a worm that would infect Windoze boxen via a second RPC DCOM vulnerability. Swen is an email virus, and, while nasty, is nothing like the worm that was being forcasted.

A little reading comprehension would help, guys. There's a big difference between an annoying virus that gives you lots of email and a worm that takes out the internet.

Re:Huh?

[riscthis]

Disable DCOM?.

Re:Notice they aren't calling it DRM

[StarHeart]

In classic Microsoft style it is hidden under a non-obvious name. Try Personalize Windows Updates. I just learned about it the other day from a co-worker.

Re:Huh?

[HanzoSan]

The article said just viewing the email infects you.

Knowing Microsoft and their bugs in their mail client, the best way to secure your machine is to stop using Microsoft products. I dont use IE, I dont use anything Microsoft but their Windows OS itself. I remove as much of their junk as I can and I run my own stuff like Mozilla.

In Linux everything is open source so at least I can look at the code and know what software not to run, dont run poorly written software and dont run servers.

Re:Notice they aren't calling it DRM

[dissy]

> And on another issue, where's the button in Windows Update that says, "I don't
> want to add this patch ever, so stop bothering me!"?

On the windows update page after it scans for files to download, on the left hand side is a link called "Personalize windows update"
In there it lists all patches not yet installed but listed.
Turn off the checkbox for any of them you dont want to see.

Have fun.

Special Knoppix Boot CD needed

[Orion+Blastar]

Has Linux based Virus scanner that can update itself to scan hard drives for known viruses. That way if Windows goes Wonky, boot to Knoppix and do a virus scan to see if you got infected.

That way you won't risk running an infected machine on the Internet and infect others.

Re:Special Knoppix Boot CD needed

[jonadab]

> NTFS, which has readonly support

Indeed. IMO, read/write support for NTFS is one of the top three most
overdue features the Linux kernel needs. A versioned filesystem (a la
what VMS has, but built from the ground up for Linux) is another. I'm
sure there's a third feature as long overdue as these two, but I don't
know what it is.

Re:Huh?

[squiggleslash]

Linux is secure for the same reason as Mac OS X is secure: it's not the dominant OS. I feel pretty happy that my Mac isn't going to get hit by a virus or worm any time soon, but not because the OS itself is any more secure: I've had to download three security updates since June:

Thursday, June 26, 2003 19:19:26 US/Eastern: Installed "Security Update 2003-06-09" (2.0)
Wednesday, July 16, 2003 21:00:41 US/Eastern: Installed "Security Update 2003-07-14" (1.0)
Wednesday, August 20, 2003 21:49:47 US/Eastern: Installed "Security Update 2003-08-14" (1.0)

I also run GNU/Linux, and know that ease of update is entirely distribution dependent. It's a good OS, but nothing is secure.

With operating systems as complex as they are today, I don't think it's necessarily fair to target Microsoft in the way many Slashdotters do. The major reason for viruses targetting Windows has to do with its dominance. Sure, MS often makes some boneheaded decisions, such as the data=program in email philosophy, but then the worm described today is based on social engineering, other than specific technical, as opposed to philosophical, bugs. If Red Hat, or SuSE, or Mandrake, or Gentoo, or Xenix, ever become the dominant OS, you can expect every mistake the FOSS community makes to be punished as much as Microsoft's.

It Appears to be a MS Patch Update

[Herkum01]

But they claim that it is really a virus. So how can you differentiate between the two?

Re:The Viruses Will Follow

[IshanCaspian]

Yeah, but a virus running as root (e.g. any application on windows) is going to do a helluva lot more damage than something running at user level.

Windows users owe the alternative OS "sinks" big.

[Yaztromo]

W32.Swen is really aggrevating me over here. In the past few days I've received over 1000 copies. And I'm not terribly happy about it. I'm probably averaging at least 100 per hour during the day, and about 300 at night (when my primary e-mail system is offline).

The really irritating part? My _entire_ network consists of one OS/2 box (the e-mail client machine), and three Linux boxes. Not a single one can be infected by this virus, and not a single one could propogate it (unless I explicitly wanted to do so, which I don't).

Now thankfully I'm on a pretty decent cable modem service here (really good speed), bogofilter was quickly trained to detect and toss these messages into a SPAM folder (where they quickly get deleted), and my mail client (PMMail/2) has a remote control feature that allows me to scan message titles on the server and delete the messages without downloading them.

But still -- imagine if this weren't an immune OS/2 machine, but one of the Windows machines that could be infected. I could very well be propogating these as well. But because of my good choices in OS's, I don't.

Thus, I think I'm doing a public service by _not_ running Windows and propogating these viruses, but instead act as a sink to prevent them from propogating. My machine is the end-of-the-line for these viruses -- even though getting thousands of e-mail is highly annoying, my machine (in effect) "kills" the ones I receive, causing their propogation lines to end.

I think Windows users on the Internet owe those of us who run other operating systems, and they owe us big. They can start paying up by PROPERLY PATCHING THEIR SYSTEMS!!! (Stopping sending me $^&*%^&!! hundreds of copies of W32.Swen would be really helpful as well).

Yaz.

Re:Huh?

[azzy]

No, it's not just you. Same here. Me too!!! I open every e-mail and run every attached executable, even if I don't know who it is from. And I've never had my computer affected with any virus or worm or trojan or whatever. Sure it crashes now and then, but all computers do, and sometimes I can't find my files... I probably didn't save them right in the first place or forgot where I put them. When it all gets really bad, the kid next door comes and fiddles with it, re-installs my system.. or something like that.. but that's just normal too.. windows has always been like this for me. And it's the best OS around, so thank god I don't have something worse.. like one of those hobby play operating systems!

Swen is NOT A WORM

[JRHelgeson]

From the article:
"Classified as a worm because of its ability to copy itself without infecting host files..."

What a bunch of morons!

Lets look at what distinguishes a Virus from a Worm:
A virus requires user interaction to spread. A virus can be a self standing executable (such as Swen) or it can infect other files such as .exe and .doc files so that when they are launched or opened the virus will then spread further.

A Worm is self propagating and does not require any user interaction to spread. Worms rely on holes that exist in the underlying operating system to inject their code into applications already running in memory. Once they have infected the target machine, the worm will then self propagate to other similarly unpatched machines.

With this simple definition, where do they get off calling swen a worm, when the swen virus clearly requires some dumb schmoe to click on the executable file that is included as an attachment in an email? Once the genius launches the bogus.exe file, it then searches the newly infected machine to harvest email addresses to send itself to. There is no 'automatic execution' of code here.

How did that get mod'ed "insightful"?

[Population]

Seems to me that certain moderators don't have any idea what security means.

Windows has a lot of viruses because it is so easy to execute a program and infect the operating system.

The more restrictions you put on that access, the more difficult you make it for a virus to spread.

Unless you're running a root, 99% of Linux users have nothing to worry about from viruses. The viruses cannot effectively spread themselves. That is why the "Linux viruses" you see are only in the labs of the anti-virus vendors.

It doesn't matter how many people are writing how many viruses.

All that matters is whether a virus can infect and spread.

A well designed operating system security model will prevent the infection.

If the infection is prevented, the virus cannot spread.

Re:How did that get mod'ed "insightful"?

[Patrick]

Unless you're running a root, 99% of Linux users have nothing to worry about from viruses. The viruses cannot effectively spread themselves.

I've heard that argument before, but it's still wrong. A program running as you has the ability to delete your email and data files and the ability to send out email to propagate itself. Who cares if it can mangle /bin/ls? I care much more that it can mangle /home/patrick/important_document.tex. Being root has nothing to do with anything.

That is why the "Linux viruses" you see are only in the labs of the anti-virus vendors.

No, that's because most virus writers and most victims are running Windows. Why write viruses for a desktop that only 1% of end users (and the 1% most likely to keep their systems patched) are running?

A well designed operating system security model will prevent the infection.

Your statement is true. Your implication that Linux's security model is well designed is not. Your email program can, if hijacked, execute programs, open network sockets to arbitrary hosts, and delete files. It doesn't need any of those privileges, but Linux has no mechanism to protect you on that level. All Linux can do is keep your email client from mangling /bin/ls -- so what?

Linux isn't prone to floppy-borne, executable-modifying viruses. But it certainly could be prone to email viruses if anyone finds a buffer overflow in pine, mutt, or Evolution.

Re:How did that get mod'ed "insightful"?

[pod]

A well designed worm (or a virus for that matter) can pop up an important looking window saying something bad has happened on the system, please supply the root password to fix it. Haw many casual Linux users (if there are an?) do you think would fall for that? When you're running KDE or Gnome as a regular user, you'll get prompted for the root password when performing many system-type tasks. A smart worm could even wait for you to click on something before popping up, so that it doesn't appear as if it came out of nowhere.

No system is immune by design. Stupid or careless users are always crafty enough to bypass even the best security.

Re:How did that get mod'ed "insightful"?

[Vellmont]

In a proper environment a virus can't delete your email on the IMAP server. It can try to connect, but it doesn't know the password; and the MUA isn't scriptable for this very reason.

That's true of any environment. If a windows computer uses IMAP and doesn't store the password locally it can't delete your mail either.

The virus also can't email itself because the SMTP host on the network requires TLS and authorization to do that, and the virus is not in posession of the login credentials.

Who said you had to use the SMTP host on the network? Any old program that knows how can speak SMTP and mail itself out to the next victim. In fact from what the article says this virus knows how to speak SMTP. For an external MTA it's pretty hard for it to only accept SMTP sesions that use TLS as TLS is poorly supported across the internet. I know all my machines running an MTA don't have secure SMTP setup (I really don't like paying the $100 a year blood money to the damn certificate authorities).

I will agree that unix machines tend to be better administered, and are more likely to be patched better simply because the OS is less tied together and inter-dependant like windows is (and thus the huge service packs MS puts out). Take the latest openSSH patch for example. The changes were all back-ported to the version of OpenSSH running on a distribution+version. We also know exactly what changed (2 or 3 lines of code), and they're fairly simple changes. Vigourous testing of the patches isn't as pertinent as it is in the case of MS products, so patches will be applied more often.

It's not the news media's job

[bug-eyed+monster]

"After all these worms and virii are hitting MS boxen from every angle, there still aren't mentions of alternatives from major news sources."

It's not up to the news media to mention alternatives, they're supposed to report the facts. Likewise, when they report the recall of, say, Ford Explorers, they don't report Cheverolets and Hondas as alternative cars. They can mention alternatives in editorials, and last I looked, they do.

Re:Huh?

[AstroDrabb]

A lot of people wil blame it on "dumb" end-users. However, the scary thing is that just by an end-user clicking on the attachment in the email, they could hose their system. Even if an end user executed an attachement under Linux, it would only run as an that user, not Administrator or root. The worst that would happen is the users home directory being deleted. This is why MS Windows security is so bad IMO. Every user runs as Administrator out-of-the-box. This is the only reason ms windows is said to be "user friendly". Take a user out of Administrator mode and it is not any more user friendly then Linux. MS picked user friendly over security. Sure there are some tech savvy ms windows users that can secure their boxes much better then the masses. However, for the average user, MS gave them a friendlier environment to work in with no regards to the value of their data.

Linux and OS X users get shafted too

[wazzzup]

I'm really hating Microsoft. I've never used Windows and my last and only Intel PC was a 286 runinng some version of MS-DOS 3. I've just always thought there was something better. If the Mac wasn't around, I'd be using Linux.

Anywho, I've always just shook my head and wondered why people put up with MS shiite but it's never directly affected me (indirectly, yes) until now. I am simply sick of seeing virus infected emails, emails from my ISP saying I had an email with a virus, emails from friends warning me about the latest worm even though I don't use Windows and reading stories of Mac and Linux users losing services at universities because the staff is too busy patching f*ing Windows boxes.

As most of us do, at work we use Windows. I had a project that needed to go out this week and we were pulling files over the WAN. The bandwidth was nearly zero. IT eventually found out it was a bunch of desktops in a completely unrelated office that were SMSing the remote server I was accessing to death but they didn't have time to fix it because they were too busy fighting virii on the west coast. Project gets delayed.

I hate them. I want to see Linux kill Microsoft. Their ill-gotten reign must end. The Penguin must draw and quarter Bill & Co. and burn their remains. I am tired of having to be bothered by Windows and their sheep-like user-herds. I want to use my Mac without having it affected by the crap that spews out of Redmond. I want to know why people aren't looking at Macs and Linux more seriously. I want to know why Apple and IBM are siezing the moment and using this time to educate the masses. I want to know why the MCSE monkeys continue to be blind to the failure of thier preferred OS.

BTW, as you know, I really want Linux to annihilate MS, just don't kill Apple in the process, I like them ;o)

Re:Huh?

[AstroDrabb]

No, because Linux by default does not put every user into the administrator group. If you run a malicious attachment, it will be pretty much harmless to the machine. It may be able to wipe out your home directory, but that is about it. Plus, I haven't heard of any Linux mailer that will execute an attachment for you, it usually only saves it for you, or maybe display it if it is an image. If MS would not make every user an administrator by default, then most of these viruses would be stopped cold. However, the user friendliness of MS Widnows would drop considerably and not be much easier to use then a Linux desktop.

Uninterested?

[chihowa]

I'm a mechanic (ASE and all that crap) as well as a computer dork. I can (and do) fix my own plumbing, do my own carpentry, and am learning to adequately use a loom (which I made) to make clothes. I grow a substantial amount of my own food. I'm posting this from a browser that I wrote myself.

No troll, I'm dead serious.

I wish people took more interest in the things that they use every day and take for granted. Everything is so completely fascinating. I think that there is no better pursuit in life than to learn the hell out of everything. The way people learn one thing and then get all arrogant about it is, in my opinion, the worst behavior of all.

There are tons of things that I don't know, I don't look down on people for not knowing things. It does bother me when they refuse to learn, though.

People do awful things to their computers and people do awful things to their cars (and their plumbing!). If people took a little more time to appreciate the things that they take for granted, many of our problems would be gone.

I didn't mean for this to end up all preachy, but I don't remember where I was going. If I hadn't already typed so damn much, I'd just quit now, but hell...

Re:Huh?

[westlake]

The article said just viewing the email infects you

You have to open the attachment.

Microsoft never e-mails patches or provides a direct, embedded link to an upgrade or patch. Open Source projects like 7-Zip do, I received one this morning, so don't get too cocky, you could be sucked in real easy.

That's absurd.

[Alethes]

If popularity is what makes Windows insecure, then why is IIS being hit many more times than Apache even while Apache runs 60% of the websites out there?

Re:That's absurd.

[squiggleslash]

Because webservers are not the dominant platform either. Clients are. You might just as well ask why AmigaDOS isn't being targetted, given it's the most popular OS for Amigas.

Windows is the most "popular" OS, period. If the majority of Windows users ran Apache, but everything else stayed the same, you'd see more viri for Apache than IIS. You wouldn't, however, see that same viri for Linux (unless it was chronically easy to do)

the Linux version

[commodoresloat]

Greetings. You have been infected with GNU/Swen, a worm brought to you by members of the linux community. In order to get this worm to infect your system properly, you will need to use wget to download gnuswen-config-2.4.6 from one of the usual mirrors. Be careful; this version of the worm is not compatible with versions of gnuswen-config prior to 2.4.4. After you have downloaded the config tools and issued the usual incantations (./config, make, make install), you can configure the worm from any directory simply by typing sudo gnuswen-config -ort [your login id] [full path to your email client]. If you have any questions, be sure to RTFM, the docs are installed at /usr/share/info/gnuswen and all your config files are stored at ~/.gnuswen.

Re:the Linux version

[glenstar]

I think you are being too easy. The virus would come as as a shar file, require you to install kde-libs (and all dependencies), recompile your kernel (don't forget to apply the latest patches from kernel.org!), and reboot. Luckily, FreeBSD users can cvsup their ports and do a sudo make install -f /usr/ports/virii/swen, gentoo users can do emerge virii/swen and debian users can do apt-get swen, whereas the Hurd user (yes, singular) must fire up emacs, type in 1500 lines of code, and compile.

Re:Huh?

[Theatetus]

MS picked user friendly over security.

True. This can happen in Linux too, though. I seem to recall Lindows gives users root by default, and from my small experience with SuSE, they seem to have something similar with being able to "save" your run-as-root permissions for apps.

Re:Huh?

[Poofat]

Lets be honest here, anyone dumb enough to think updates come in the mail (even on linux) would most likley happily comply when it spits out "you must be root to apply this patch."

I will agree with you that windows takes ease-of-use over security, though XP and 2003 have taken steps to prevent that. One thing that does cheese me off about windows though, is the fact that programs often have more power than the users that run them. Personally, I don't believe anything should have free run of the registry to dump any of its crap in there.

That is a "trojan".

[Population]

If you run an app and it does that, then it is a "trojan". No operating system will ever be free of trojans.

But trojans have trouble spreading themselves. Anyone can write a Linux trojan (cd ~ ; rm -R), but it will not spread far. While you may think that the damage is bad because it happened to your machine, you represent less than 1/10,000,000'th of the total.

More people will have lost data because of hard drive failure than lose data because of Linux viruses or trojans.

Yes, if a hole is found in pine or mutt or Evolution that allows email viruses such as you describe is found, then email viruses such as you describe can be written for that application.

But an exploit for pine would not affect someone running mutt or Evolution.

Linux has a better designed security system than Windows does.

A hole in one application will only affect those people running that application and it will have to find some way of spreading to those people.

Without the means of spreading, the virus will be contained.

Without the ability to infect machines it has contact with, the virus will be contained.

Which is why there aren't any Linux viruses in the wild. Not because people aren't writing them. But because they cannot spread the infection.

Re:Huh?

[Pros_n_Cons]

1.) Applying the patch
2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion.
But it isn't your only protection.
3.) Using a hardware firewall which blocks the RPC port anyway

4.) disable dcom with start -> run -> dcomcnfg

Linux virus

[Kazymyr]

The other day I got a Linux email virus. It was this perfectly innocent looking message, with the subject line reading "Important!". So I opened it, and inside I found the following:

"This is an email virus for Linux users. It works on the honor system. Upon receipt of this message, you should manually forward it to everyone in your address book, then login as root and randomly delete a bunch of files. Thank you!"

Norton Ghost

[KalvinB]

After installing any system it's an excellent idea to use Norton Ghost (free with Soyo and possibly other MBs) to image the system. Then, if anything bad happens or if you just want to move the OS to a new drive, you just blast it over and 30 minutes later or less you're up and running as though nothing changed.

My 2000 system was on an old 2GB drive that was about to fail and with ghost I was up and running much faster on a 13GB drive in less than an hour. I also have an image of my web-server's OS/app drive in case it ever fails.

Knoppix and what I do is basically what prebuilt system manufacturers have been doing for years. It's just that HP, et al, add a lot of crap to the image.

Ben

Re:Norton Ghost

[berzerke]

Norton Ghost is not Free Software. Are there not any OSS alternatives to Ghost??

Well, there is partimage. However, I still find I prefer a tar gz ball. This way different partition sizes don't matter as they do with ghost and partimage. More work on the setup though. BTW, ghost has the same NTFS problems partimage does. Knoppix includes partimage.

Re:Huh?

[A+Naughty+Moose]

So what you're saying is that you've never connected a Windows machine to the Internet.

I know that it is hard to believe, but it is possible to have a Windows machine connected to the internet without ever getting a virus. I've never had a virus infect my work PC, which has been connected to the internet since 1997. It's a matter of using common sense: Don't open email from people you don't know (mostly spam). Don't open email in a reader that will automagicly execute whatever it opens (ie: unpatched outlook). Download files from trusted sources, don't run every app that comes your way, keep up to date on the patches, and run your computer behind a firewall. If you do that, you might not even need to have a virus scanner running all the time. (Though I don't recommend this if your running any sort of business, or routinely let unknown computers connect to your network)

At home I don't have a virus scanner installed on any of my computers. Every once in a while, I'll download the latest dats from mcafee and run the command line scanner, but so far its been a waste of time, as it hasn't caught anything yet. At work, I have the corporate mandated Norton, and have yet to receive an infected file, but the risk at work is more then at home, so it makes sense.

I do fully realize that I am running a risk at home, and with the latest round of viruses, I am tempted to get a virus checker going on the old home PCs, just to be on the safe side. Like most people I'm a firm believer in it can't happen to me ;)

Re:Huh?

[tshak]

The worst that would happen is the users home directory being deleted.

That is always the worst thing that can happen. If a virus wipes out my System32 directory, big deal, I reinstall Windows. It's a pain but I haven't lost anything. If it wipes out my home directory, that has all of my financial data, electronic reciepts, business invoices, contacts, etc.

Don't get me wrong, your email client shouldn't have admin privilages, but I consider my machine hosed when my home directory is hosed. Linux is no more secure in this regard.

Re:Huh?

[AstroDrabb]

Yup, Lindows is crap. Lindows would be open to all sorts of attacks if it ever became popular. As far as SuSE goes and Red Hat as well, they prompt you for the root password when you need to run certain programs as root. This doesn't work with just any program, only a few administrative type programs. It also does not "save" the root password, it caches that you successuflly entered the password and won't prompt you again for 2-5 minutes, similar to sudo. Though agian, this is only for a handful of administrative programs so a user can admin their PC without needing to log in as root.

Sigh. Alright, where are the Feds?

[Jack+Auf]

Saw this coming this morning. I don't even have to read CERT, or SANS, or /. anymore to know when the 'Microsoft Worm-O-The-Month' has hit the Windows boxen near me. My net connection slows to a crawl, I can no longer get to most of the sites I frequent, and I can't get to my IMAP server.

To add insult to injury I haven't run an MS OS since about 1998 - only Linux, OBSD, & OSX.

I've had to deal with the effects of *others* carelessness and ignorance for *years* now. Lost productivity (I telecommute), the inconvenience, all my extra time having to tweak my firewall, and all the bandwidth that was rightfully mine that was stolen, the load on my mail server. That times the 100M (or whatever it is) people on the net.

If Ford made a car that was this poorly made consumers could sue them. At the very least the Feds would step in and force a recall.

So why haven't the Feds forced a Microsoft recall? Why have there been no class action suits for repeatedly defective products?

If Windows really does have 92-95% of the desktop market then it's a critical resource and should be treated as such. The Feds would never allow a phone system to continue if it crashed every month, or a rail system that had a major accident every month. It goes against national security.

If MS has that much market-share then they should be treated as a critical system just like phones or rail and held to the same standards.

Re:I actually got that stupid email

[cscx]

Actually the latest Outlook doesn't even allow you to save an .exe unless you turn the filtering off (setting in the registry).

Swen

[tiny69]

I first saw the virus on the evening of the 18th. Running 'strings' on the attachment turned up two URL's.

GET http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacil lus&width=6&set=cnt006 HTTP/ 1.0
ww2.fce.vutbr.cz

The first was a counter. At the time I checked it had well over a million hits and was going up FAST. At the time I'd been hit by about 20 copies of the virus. The next morning the counter was taken down and replaced with a warning. At that time I'd been "hit" over 70 times by the virus.

There seems to be variations to the emails that contain the virus. The main one is a 160K email that contains an attachmentwith a content type of Application/X-MSDOWNLOAD. The second is about 148K is size and the attachment has the content type of Audio/X-WAV. There are some emails that are 16K in size but the attachment is a zero length file. I've also been getting emails claiming to be "bounces" from Yahoo and other ISP's saying I'm trying to send a virus infected email to someone. But the Received lines show the the email is not from Yahoo. So far I've received over 170 of these damn things.

Then there are all of the real ISP's who are not helping the problem. I keep getting warnings claiming that someone I don't know tried to send me an email with a virus. Thank you, but your anti-virus software just sent out a useless email and just accomplished one of the goals of swen, to clog up email servers. Send an email to the moron who is currently infected and stop sending out thousands of emails telling everyone else about it.

This may sound harsh, but I'm really hoping the next big Microsoft worm or virus will disable the infected comupters.

Re:Huh?

[cscx]

If you run a malicious attachment, it will be pretty much harmless to the machine. It may be able to wipe out your home directory, but that is about it.

That is the *biggest* crock of shit ever, but I hear it time and time again on Slashdot. /home is the most valuable part of the system! You can re-install Linux in under an hour, and recover /usr, /var, and pretty much everything else (with a slight exception of changed to /etc, but that's not important). If you lose /home, you are, simply put, FUCKED. Big time. Try reconstructing that data in under an hour. You can't. If you could back up *anything* on your system (assuming you had a choice), that choice should be /home.

Why on earth would would you care if your applications got borked? It's the data that's important.

Re:Swen IS TOO a worm

[JRHelgeson]

I did RTFA! I also Wrote TFA on Swen alerting our customers to the Swen VIRUS. Would you like to see Swen's source code?

Swen runs as a program, a malicious program. That is what makes it a virus.

Swen does not rely on a vulnerability to spread. It does not require Microsoft Outlook to spread, (although outlook certainly helps), as it spreads just as well if you're using Outlook, Eudora, Netscape, Hotmail, Yahoo, WHATEVER!

All you must be doing is running an MS operating system.

There is no patch for stupidity.

Swen is a virus that relies on user stupidity to spread. The fact that this virus spreads to network shares is typical virus activity. If it copies itself to a startup folder, or modifies a registry string to launch the virus when a computer reboots, it is launching as an APPLICATION, a malicious application - which means virus to the slo folk and reporters that are reading this.

If Swen were to make a direct connection to a persons IP on port whatever, performs a buffer overflow which injects code into a running application thereby opening up a backdoor by which the worm can then infect the machine - THEN it would be a worm.

Re: Microsoft Ease + Linux Secure = ???

[AstroDrabb]

You forgot to add Tiffany's pricing : )

Re:Huh?

[squiggleslash]

So the measure of the security of an OS is whether or not they make security patches available?

Er, no. You'd have to a complete ------- ----- to read that into my message.

I said no operating system is secure, and that OS X, amongst others, isn't a perfect OS with a perfect trackrecord either. I proved that by demonstrating that Apple has had to release at least three security related bug fixes in the last few months.

Now sure, you could argue that having released those three fixes, there are no more bugs. OS X is an entirely secure OS. OS X can no longer be compromised. Steve Jobs has personally found out how those bugs occured, and has shot the programmers responsible. Not only shot them, but brutally and painfully tortured them too. OS X is hence bug free, it will never, ever, ever, again have a bug, still less a root level compromise bug.

Yeah right.

OS X, or any Unix-derived OS, is vastly more secure than Windows. Part of it's the design: you can't easily override the permissions inherent in a *nix system; with Windows; you're free to nuke or alter almost any file in the system.

You've probably never used OS X, but actually OS X is pretty liberal on what you can do too. It's not as liberal as Windows, but permissions on, say, the equivalent of Program Files, and some of the major configuration files, are fairly open. I can install programs just by dragging them to a particular folder for the most part, but see below.

Even so, it doesn't matter. All that's needed is either a root exploit, which is what two of the three above security updates dealt with (the other being a bug in the screensaver password box), or a social engineering exploit. And lo, it turns out the subject of this story is an example of both! Indeed, anyone fooled by the social engineering aspect of the current virus can and will run such a program as root, and do so easily, under OS X, given an equivalent that doesn't use a bug. Despite the lack of necessity, for the most part, of implementing it this way, many OS X installers can and do ask users for administrator rights to install the programs they're installing. This is exactly what you'd expect a "Security Path from {Insert Vendor Here}" to ask for. So a social engineering exploit along the lines of Swen would indeed work under OS X.

Anyone who believes they're secure because they run a non-Microsoft OS needs their head examining. Both OS X and Linux, the latter having a disparate and non-standardized update mechanism, the former being vulnerable to social engineering and being not 100% secure (because such a thing is not possible) are vulnerable, and it's the fact that they're not on the majority of desktops that keeps them "secure". Security by obscurity is not, as time has constantly told us, a sure-fire system. Rather than advise people to switch OS to avoid viri, it is better to encourage prevention.

Re:Huh?

[mad+flyer]

-install XP -ok
-reboot
-install SP1 and after patch -ok
-reboot
-install ATI all in wonder drivers -ok
-reboot
computer farked to death...

so:

-install XP -ok
-reboot
-setup the video driver to "standard vga adapter"
-install ATI All in Wonder drivers (ati version not microsoft)
-install SP1 and after patch -ok
-reboot
-update ATI all in wonder drivers -ok
-reboot
-install battlefield 1942
-update battelfield
-install road to rome
-update road to rome
-install Thrustmaster tactical board driver
-reboot
-computer screwed...

go back to line one, changed order advitam eternam...
Maybe one day I will be able to play this game... seemed to be nice on the pictures of the box...
Actually i'm having a lot of fun with the GBA... insert cartdrigde... oups, remove cartdridge flip over and insert cartdridge in the good direction, turn on, play... eat chips, drink coke, and watch tv at the same time...

By the way, having an uptime of six weeks on an XP box means you didn't patch it for 6 weeks, which is between irresponsability and plain stupidity... have fun while you can, stop trolling and remove your keyboard from the TV, you're not funny anymore.

Huh?

[sharkey]

its professional looking email advertisement that pretends to be a fake Microsoft patch

Actually, I rather thought it pretended to be a REAL Microsoft patch.

Re:Huh?

[IceCat]

excerpt from your link... So a virus like SoBig can infect a Windows machine and e-mail itself out, to everyone in the user's address book, without the user realizing it. No Mac e-mail program allows this, so Mac users would have to spread a virus like SoBig manually by intentionally mailing it other users -- not a likely scenario.

The guy doesn't even understand how SoBig worked and I am supposed to believe him when he says OS X is more secure? Viruses haven't used the old email everybody in your address book for quite some time. They are now come pre-packaged with their own SMTP server and scan the file system for email addresses. How is OS X not allowing this?

Big Deal. Norton Handles It Fine

[serutan]

Yes the email looks perfect, but even if I believed it Norton comes to the rescue:

"Norton AntiVirus removed the attachment: Qz.exe.
The attachment was infected with the Worm.Automat.AHB virus."

Ho hum.

Re:Big Deal. Norton Handles It Fine

[taustin]

Now click that "OK" button four thousand times.

Ho hum.

Re:Huh?

[DJayC]

2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion. But it isn't your only protection.

Agreed. I have found that Kerio Personal Firewall has been great. It's also free for non-commercial use.. good stuff. Everyone should use a firewall as it really would protect them from just about every one of these worms.

My e-mail server

[Nonillion]

My e-mail server has been getting hit by this thing for the past couple of days now. Last count I had hundreds of these e-mails associated with e-mail rejection errors, all in reference to mail I didn't send. Depending on what time of the day it was they were either are comming .mx .pl .ro .nl ox.com and so on.

The e-mail is very deceptive and looks like real e-mail sent from Microsoft. Other than being a pain in the ass it's almost as fun as being /.ed

Senior Programmer Analyst?

[malakai]

The worst that would happen is the users home directory being deleted. This is why MS Windows security is so bad IMO. Every user runs as Administrator out-of-the-box

Your opinion quite frankly is not very worthwhile. First, losing a home directory under any OS is a _Very_ bad thing. You can't reinstall your home directory from a CD.

Second, every user does not run as Administrator out of the box in 'MS Windows Security'.

In XP this isn't true, in Server 2003 this isn't true, in Windows 2000 this isn't truee, in Windows NT this isn't true.

In MS-Dos this is true, in Windows 95 this is true. In windows 98 this is true, and in Windows ME this is true.

See a distinction? Ok, so lets consider you meant "in Windows ME". Fine, yes users run with full permission in ME. And those same users, if they were in Linux would not be using Linux. Because they couldn't figure out how to install it. If they did manage to get Linux on their box, and setup their mail client, I doubt they'd be much more secure. Why? Because _they_ are still the risk. They will execute the ".sh" file attached to the mail message. The script will alias some worthwhile commands and wait for the user to give it the root password. Or, it may just ask them, after all, the users ARE the WEAK link. So why not just pop up an important looking window (or console prompt) and say something like "fsck detected faulty partition data on ext2/blah/bah/bah at offest 00345678 code word DELTA. Please enter root password so that kernel.bot may correct this problem".

Get my point? It _IS_ the "dumb" user. Switching them to a different operating system won't protect them (unless of course you _Don't_ give them root access or password, and then that would be a trusted environment and they wouldn't be running Windows ME, they'dbe running win2k or XP or 2003 or Linux or BSD or some other securable operating system).

hope that helps,
-malakai

Re:Huh?

[benjamindees]

It's because it's too hard to get anything done on a Windows box as a normal user.

Btw, 'run-as' is little more than a half-assed ripoff of 'su'. Try to install a program sometime using 'run-as'. Whose permissions does the installer use? Where do the registry settings go? Why doesn't anything work?

I, and many others, are tired of fighting with half-completed MS 'features' that don't live up to the hype. Maybe, one day, Windows will have finally managed to implement all of the useful features that were designed into the UNIX and Mac OSes. Then I might consider using it. At MS' current rate of ignoring basic functionality in lieu of marketing buzzwords, though, that day will never come.