'Bagle' Worm Heading For A Windows PC Near You
mrSinclair writes "the 'Bagle' or 'Beagle' worm is expected to hit the U.S. by midweek, probably Tuesday as many employees return from a three-day weekend." He points to this Washington Post story (via Yahoo!), which describes the Windows mass-mailing worm as being transmitted via email as an .exe attachment and as installing "a program that lets attackers connect to infected machines, install malicious software or steal files." The article says Bagle has been detected in more than 100 countries. Other readers have sent in links to coverage at the BBC and at SearchSecurity.com.
So far, I've submitted copies of this to Symantec, and ClamAV, both of which did not detect it in the latest definitions. If anyone else has submitted this to an A/V manufacturer, or knows of an A/V that currently detects this, please post.
Contact Me (got tired of viruses emailing me).
The article says Bagle has been detected in more than 100 countries.
Are you saying that this new worm knows no geographical boundaries? Heaven forfend!
BTW: two fixes are already available for this virus:
Note to developers, developers, developers, developers:
everyone from the home user to big business wants OFF OF WINDOWS, and not just because of the viruses. Please,
stop catering to the (dying) status quo, and port your apps to Unix so we can switch over completely.
We've already received two of these at work, one as early as 8am yesterday morning, local time. Fortunately our server-based anti-virus filter is on the ball: "Executable DOS/Windows programs are dangerous in email (kraencha.exe)"
Are those idiots still running .exe attachments? They deserve to be infected for two reasons: 1) running Windows, PERIOD, and 2) being stupid enough to run any .exe attachments after the last billion e-mail worms. Let it spread. Let only the strong (or in this case, smart) survive.
My beagle has tape worms.. when is a patch expected? If my dog had been using Linux, this would never have happened!!
More appropriately "stop running attachments".
moo
"They attributed the worm's high infection rate to curious home and small office computer users who could not resist clicking on the attachment." -You would think by now even the person with the lowest possible computer knowledge would have picked up on this. Good to see people are getting right on the reporting of this though... now we just have to hope people will update their virus definitions! -olo
If I were using linux, and someone would send me an executable file in an attachment, and I would run it, I would get infected. This is not windows fault - it's just ignorence (and bad email clients).
I guess this means Beagle has made contact with Earth after all. Perhaps it has to do with Martian hackers who don't like Linux? They can't spell too well though.
As the article text states: "We really thought it was never going to spread because it's so stupid," said Mikko Hypponen, manager of antivirus research for F-Secure. "But people seem to be clicking on it." Just goes to show you that no matter how much cork you put on some people's pencils, they'll still manage to poke themselves in the eyeball. Honestly, who out there is so dumb that they'll run an .exe email attachment with a subject line "Test" and a body including "Yea, Test".
Mandatory computer usage licenses, anyone? ;)
I use windows, why? because my computer time is mostly spent gaming. However I have been virus free for around 3 years, I just dl the security patches, and keep my virus scanner/firewall up to date. People get viruses out of stupidity, and ignorance, not windows.
Why is this one unique? It's just the next worm.
And it replicates by *emailing* itself...
No remote root/admin exploits, no network-clogging mass scanning, no nothing.
Maybe just a few misconfigured mailservers going down, that's it.
yawn, wake me up when we're at threatcom 4
I realize that there are a lot of uneducated computer users out there, but I kind of wonder if a "simple" worm such as this poses that much of a threat nowadays. (By "simple", I mean it requires a lot of work on the part of the recipient.)
Most computer users have been bombarded with messages about "don't click on attachments unless you're expecting them" and so on. Especially people in work environments.
I suspect this won't be as bad as similar worms in the past. I hope I'm right.
Why don't ISPs and mail providers perform quick checks of attachments to see if they compare with known viruses (similar file sizes would be a quick initial check) and then filter out (or at least alert the recipient about) any attachments that they successfully determine are viral attacks, such as this one?
Do any such ISPs or mail providers offer such a service? If not, why not? Surely it's in their interest? After all, these viruses (especially the ones that send themselves on to everyone in the infected machine's address book) just add unnecessary traffic to their systems, hurt their users and hurt the reputations of both parties too. Shouldn't ISPs and mail providers be looking to implement such safeguards?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
For Christ's sake, it's the users, stupid.
Not that Windows is blameless here, mind you, but I seriously suspect that I could concoct a shellscript that could do something similar (at least in terms of self-propagating) and send it to all my friends who run UNIX. And then you'd see! Oh, wait, THEY KNOW BETTER THAN TO RUN UNKNOWN CODE.
I've got two windows boxen at home. They've never been infected. My virus scanner doesn't save me -- running them behind a firewall and not executing random content on them does. It's not Windows that's the problem -- it's those damned Windows users.
Now, excuse me while I call my parents to have them update their virus definitions...
Come on! Outlook hasn't allowed these to be run for years now? How do these things still spread? Little old ladies stuck on Eudora 3.0 or something?
I got it this morning, spoofed from a SecurityFocus security mailing list I subscribe to, ironically enough. Current Norton sigs didn't detect it, and it didn't match my spam filters...but Outlook's updated features automatically blocked access to the exe file (not like I would have clicked on it anyways...but it was interesting to see something from Microsoft be the only barricade to stay standing).
For your security, this post has been encrypted with ROT-13, twice.
It looks like the writers of the virus DOS'ed themselves (from the aforementioned Yahoo! article):
:)
Bagle also tries to download an unknown program from one of more than 30 Web sites located mostly in Germany and Russia. None of those Web sites was reachable as of Monday afternoon.
Or is it more likely that these servers in Russia and Germany were also hacked and were just being used?
At any rate, this doesn't look so bad. The searchsecurity.com article says that "Removing the worm manually is just a matter of killing "bbeagle.exe" in the Task Manager. The registry keys created by the worm also need to be removed." Hopefully this one won't be as bad as Sobig.
My blog
Then people will turn to writing viruses for linux, which despite most people's ignorance does contain security flaws. The reason why not many are about now is because most of the (comparatively few) linux users are clued up as to how to protect themselves.
Internet Security, PC-Cillin, whatever they are calling things these days.
I keep double clicking on the file, "thisisavirus", but it just brings up weird letters! How am I supposed to get infected?
You can't judge a book by the way it wears its hair.
Fix the vehicles using a recall? Pay people with out of court settlements? They elected to do the less costly scenario. Now we have computers: Educate every employee who has access to email? Just grin and bear it? *This is why these worms will never stop.
1888 Franklin St.
Not that Windows is blameless here, mind you, but I seriously suspect that I could concoct a shellscript that could do something similar (at least in terms of self-propagating) and send it to all my friends who run UNIX.
Oh, I've done this. Countless times.. and you're right. Stupid is stupid. Your operating system can only protect you so much.
Sorry, it's just ironic: ignorence, try ignorance. BTW, I modded you up because your statement was nonetheless true.
Anyone who whines about being modded down should be.
"The computer security community recommends that home computer owners never click on attachments unless they are expecting them from a trusted source. They also recommend that PC owners install and run up-to-date anti-virus programs to scan for computer infections".
They could stop sucking up to M$ and also recommend that home users consider another OS.
Or alternatively, when will people learn?
DON'T RUN EXECUTABLES UNLESS YOU KNOW WHAT THEY ARE
The problem is user education. Social engineering, such as that used by virus creators, will be a problem on any OS until users learn of the dangers.
Remember the Slashdot crowd are not typical computer users. We tend to be more computer savvy and literate, and as a consequence more wary of potential problems. It is our job to help educate people about the dangers of the worm and the virus, and how best to minimise the threat.
Seems that this thing fakes e-mail addresses as well. Got several complaints that I was sending viruses, but of course that's absurd, as I am running GNU/Linux. I can only guess that it picks an e-mail address at random from some list (address book, mayhaps?) and says it comes from there.
#define DRM chmod 000
I didn't find the worm in my bagle until I was halfway through with it. If I'd patronised a linux coffeehouse, I'd have gotten a fresher one.
Why are people still opening attachments?!!
People always wonder why I filter large attachments off at the server level so as to avoid clogging up my machine and connection. So far I've never seen the virus payload hit my Inbox; being on Linux means it won't hurt, but it's still annoying. Of course with Wine it might be a different story. Rus
CPanel + Root from $35/mo - 10% off with discount code SLASHDOT
It's pretty fucking sad when you now have forecasted virii.
Weather channel, look out!
You can download the free PQREMOVE application from Panda Software's web site: http://www.pandasoftware.com/download/utilities/.
Virus infects both Windows and Linux!
If everyone stops using Windows and starts using Linux and OSX, the viruses will be designed for them. Let the rabble use unpatched and open Windows and we can stay safe behind our firewalls and different OSes.
We tend to become like the worst in those we oppose. --Bene Gesserit Coda--
1. Don't open any attachments that are potential virus, (.exe, .vbs, .com, etc.)
2. Disable your email client's automatic message preview pane. This makes exploit viruses a little easier on you, as you can select the message and delete it without having to preview it instantaneously.
3. Download a mail proxy program (I use MailWasher), it'll filter out spam, and allow you to see a text version of the message, without downloading the attachment.
4. Have your AV update its definitions religiously. Of course, this only helps if your AV company updates its definitions religiously as well.
Of course, the first 3 don't require a virus scanner at all, just common sense. As a gamer, I hated having NAV or McAfee VirusScan hog up 30MB of my memory, so I removed it. I make smart and conscious decisions, and have never had a virus on my computer for several years.
Trend's pc-cillin displayed a popup of this several hours ago. This is why I use pc-cillin, windows needs a condom.
Oh yes they are! Microsoft chose to store the "executable flag" metadata right in the filename. In the *nix world, you can't simply execute a foreign binary by double clicking because this metadata is not transmitted via email attachment or simple file transfer.
I'm the resident geek in my dorm, and have spent the last 24 hours getting rid of it on computers of anyone and everyone. The particular strain we saw came in an email with the subject of simply "Hi" and contained (basically) the following text.
Hi!
This is a test.
(random string of letters)
Testy test.
The attached file was a modified version of the Windows calculator which (according to the Symantec site) "Emails all the contacts it can find inside files with the extensions .wab, .htm, .html, and .txt"
It's interesting because apparently that's ALL it does. It doesn't screw with files or settings, or run malicious code (outside the actual act of reproducing itself). It's annoying, however, because it sends emails to people who are NOT in your address book, but merely mentioned in text files somewhere on your computer. In the last 24 hours I've gotten emails with the virus from friends, random people in my university, at least one university email address that should have been run by someone who knew better, and a couple random friends-of-friends.
Also, according to Symantec, it dies on the 28th.
It was really interesting to see the spread at my college. For us, it began around 1 AM Monday morning, peaked around 2, and was already slacking off by 3 AM. I know this from my own inbox, people in my dorm, and talking to people elsewhere.
I do find it curious the virus didn't DO anything. Is it just someone screwing around, a test for a future release or (as some of the more paranoid people in my dorm are suggesting) a released virus by the anti-virus companies to keep people in enough fear to demand their products.
As a side note, I also spent hours cleaning the assorted spyware and adware that builds up when people don't know how to properly use their computers....more than one person could literally not do work because of the porn popups that plagued their computer.
-Trillian
and crash and burn.
Can I get an eye poke?
Dog House Forum
glad I'm not in the Windows paddock
Oh yes,
Like if everyone stopped running IIS and started using Apache then Apache will see more server exploits.....
... according to Symantec's Security Response (since 1/18/2004).
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I can see it now... millions of linux pre-installed PCs all configured to run as root by default with just about every unnecessary service turned on and without any warning to the user that they must actually maintain their system. Replace "linux" with "windows" in the above... the world wouldn't be so different... It would have more money in its pockets, yeah, but it would still get screwed by stupid users.
Trusted computing will fix this when longhorn debuts in 200X. People will buy it thinking their computer is safe and they won't be in the position they are now to fuck their computer up with the click of the mouse.
I just spent hours running ad-aware and pc-cillin on my roommate's computer to remove dozens of spyware programs. I have no idea how they got on there and it would do me no good to ask him. Face it, not everyone cares enough to learn how to protect their computer from this shit. They won't care and we should just accept it instead of trying to force good habits on them. Think of all those old english ladies that just gave up years ago to make the rest of us sensible human beings.
I know that the only attachments I click on are ones I get at work. If I can't trust my admin to block this stuff off (and, obviously, I do) who can I trust?
I know this has been mentioned about a thousand times but if you're a sysadmin, do yourself a favor and block executables, scripts, or any other file type that can execute. If someone needs an executable to be sent in-bound, set up either an FTP server or a dummy account outside your company's mail system. I have a domain set up just for this purpose where only the admins have rights to the mail accounts. If someone needs a file, the employees just send a request to have an admin check the mailbox for a specific filename from a specific user. We'll even ask for file sizes just to make sure. While checking the mailbox might take about 3-5 minutes out of my day, this method saves me the many headaches of removing viruses all week.
The virus uses exe files, company mail server is setup to block all executable attachments. Any emails that make it through that are then scanned. Easy solution.
When new viruses comes out, me not worried.
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
This "new" method of spreading by scanning all kinds of documents for e-mails makes it look like it might be yet another test for "new ways to spam even more people by being even more annoying".
Opus: the Swiss army knife of audio codec
Personally, I am waiting for the Hurd to be stable enough. When I move to free software, I am gonna go all the way.
NTFS has an executable flag -- but it's set to ON by default for virtually the entire hard drive!
This would actually be a very easy issue for Microsoft to fix.
Thank you, I totally agree, and *I* use Linux. That doesn't give me unrealistic expectations though. Just IMHO the greatest security gains to be had there will be in the apps, and sane defaults for newbies.
C|N>K
Already old news here. Been dealing with it for a couple of days...
The Subject: is actually more applicable to the spammers, who really are waging all out war on the utility of email. This one is more like a hit-and-run attack.
Still, the similarity is that they are hoping to find a few "good" suckers to click on their links. This one is actually an interesting combination. Partly it seems to be testing the efficiency of a propagation mechanism, which seems to result in greater "apparent locality" of the email, with higher odds that it seems to have come from someone you know. However, it also seems to be ready to launch some more insidious payload that was to be downloaded from some Web sites.
Right now all of those Web sites seem to have been taken off the net--or maybe they're waiting to pop them onto the net once the thing has propagated sufficiently. That part of the Trojan apparently tries to check in every 10 minutes to announce itself.
The thing that bothers me about this combination malware is that the anti-virus people could easily miss something. For example, in this case, what if the thing included a new variation on the email backchannel for the harvested email addresses. Or maybe a well-concealed bit of code to suddenly mung the URLs to point to live sites somewhere else? However, whatever it is hasn't triggered yet, and the anti-virus people perhaps have only detected the distractor HTTP-channel. If that were the case, they could still get a massive harvest of email addresses. (Yes, I still think the spammers are probably really the people behind this one--spamming just naturally attracts the lowest life forms. It's a question of the crudest motivations for the crudest acts.)
By the way, has anyone seen the reason for the bagle/beagle confusion here? Trying to incriminate the Israelis? Or the dogs? Or both?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
they inherited the "executable" syntax from CP/M and QDOS.
Use Pine, be happy. A good *text* based MTA is the right way to enjoy active content.
Hedley
PS: Of course I am sure no
...since yesterday, apparently. Good to see Grisoft keeping AVG up to date.
Oh, and they've got a little blurb on the virus too.
with the exec[1] flag set. That has nothing to do with the permissions of individual files.
[1]actually, you'd normally see that only in reverse: a drive mounted noexec, meaning nothing can execute from that drive.
And the damned thing has run a riot out here..
:-\
:-P
Worse hit were the CA "Etrust" users who couldn't get an update till way after the virus pounded several of our customers.. for some reason CA were about 12-18 hours behind having an update available on the web, even bloody mcCrappy had an update out way before them
On the up side.. it uninstalls itself in a few weeks.. and does bugger all damage because it was written so poorly.. lots of bugs in the backdoor code..
The only thing it does well is self replicate..
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
"They could stop sucking up to M$ and also recommend that home users consider another OS." Yes, because obviously a different OS would stop a user from manually executing something they shouldn't.
Someone who considers installing an antivirus "wasting time" (which is most windows users I know) is SERIOUSLY not going to install a new OS. Particularly not a text-based one like Linux.
So, the security industry makes recommendations that are more realistic. And it's more realistic to ask someone to *not* do something than it is to ask them to go far, far out of their way (which installing and running linux would be).
Hmmm.... the Beagle worm... surely it can't do that much damage... it probably just crashes on entry....
There are reasons why viruses will not spread as rampantly with Linux and OS X. The fact that only people who know what they're doing run as root is the biggest one. I have to explain to my girlfriend the difference between her hard drive and her gigabytes, but her XP laptop runs under Administrator. This is not to mention protected memory, kernel space, and the fact that there are no Linux mail clients that automatically run attachments, that I know of.
I mod down pyramid schemes in sigs.
There will always be a certain percentage of the population that
#1. Really just accidentally clicked on the executable
#2. Clicked on it on purpose because it was from someone they knew or had a nice subject or whatever.
The only real option ('cause dumb people will be with us forever) is to configure the technology to make it harder to run apps from email. Either run them in a sandbox or require the user supply the root password to install the new application (this is why I believe Linux would be safer).
99% of the people could follow the correct precautions and we would still see massive virus transmissions. It's one of the problems with a software mono-culture. And I don't see Windows users even getting to that 99% mark.
This Bagel won't get through my Lox!
-- You are in a maze of little, twisty passages, all different... --
> installing "a program that lets attackers connect to infected machines, install malicious software or steal files."
Doesn't Windows already have to be installed?
Sheesh, evil *and* a jerk. -- Jade
Information on the worm can be found here and here, and removal tools can be found here and here
...to spoof SMTP with. Or it takes addresses from infected users' address books and spoofs with those. There's no other explanation why someone I've never heard of got this email from what appeared to be my address. A Win32 worm is incapable of running on my hardware. PowerPC chips don't take too kindly to Intel machine code.
I mod down pyramid schemes in sigs.
We had the same executable attachment problem back when I was in school in the late '80s. Our VM Mainframe E-Mail system got shut down because of some Christmas card program that remailed itself to everyone in your address book. Sound familiar?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
grep From: $MAIL | cut -f2 -d\ | { while read addr; do uuencode virus.sh | mail $addr -s "Here's a cool shell script I wrote" ; done }
I don't know whether it applies to that one, but a _very_ efficient way to avoid the annoyance of Windows email worms is to use your firewall to block all incoming traffic from a Windows machine to port 25.
On OpenBSD, the following line is enough:
block drop in log quick proto tcp from any os Windows to any port smtp
There is really not a lot of legacy mail exchangers running Windows so it doesn't hurt.
However, it blocks most worms that are trying to directly send mail.
{{.sig}}
What, is the worm's creator going to come forward and sue the antivirus companies for trademark infringement?
Or is this a "nyaa nyaa we're not going to call it what you wanted us to call it" thing?
Just click here to solve all your windows vulnerabilities
So people who have the brains to study at a university are sufficiently stupid to start an executable attachment advertised by a text like "This is a test"?
;-)
Wow. I scrap my opinion of "reading and writing skills required to attend university"
If anyone wants to send anyone inside the company an executable, said person is instructed to rename it to .bin prior to sending.
The .bin file makes it through the scanner and the recipient can save it to his/her local drive, rename it to .exe or .com or .bat or whatever and then run it.
Anyone who cannot follow these simple directions does not receive executable files.
No email viruses have been able to traverse these simple precautions.
We had about a couple of hundred in the last 2 Years..
-NULL Sig Exception, end of post -- 1337poll.tk - check it out!
..at least this beagle works ;)
Quick. Man the Life Boats.
Everyone update with SP2 beta asap.
Women and children first!
I don't know whether it applies to that one, but a _very_ efficient way to avoid the annoyance of Windows email worms is to use your firewall to block all incoming traffic from a Windows machine to port 25.
On OpenBSD, the following line is enough:
block drop in log quick proto tcp from any os Windows to any port smtp
There is really not a lot of legacy mail exchangers running Windows so it doesn't hurt.
However, it blocks most worms that are trying to directly send mail.
Yes, but you also blocked access for your users to send email to their regular SMTP relay.
Think carefully about firewall rules.
No, because there's a pass in quick for the local network interface before.
{{.sig}}
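As an added illustration (not from any poster in this thread) of the rule ordering the two replies above argue over: a minimal pf.conf fragment where the LAN's path to its own relay is passed quick before the Windows-fingerprint block, so the block only catches hosts mailing remote MXes directly. The interface name, LAN prefix and relay address are assumed placeholders.

```pf
# Added example, not from the thread. Interface, network and relay are assumed.
int_if = "em1"
lan    = "192.168.1.0/24"
relay  = "192.168.1.25"

# 1. Let LAN hosts reach the designated relay. "quick" ends evaluation here,
#    so the block rule below never sees this traffic; without this line the
#    block would also cut users off from their regular SMTP relay.
pass in quick on $int_if proto tcp from $lan to $relay port smtp

# 2. Anything else from a host that pf's passive OS fingerprinting tags as
#    Windows may not open SMTP anywhere: a worm mailing itself straight to
#    remote MXes is logged and dropped. The fingerprint is a heuristic (the
#    list is shown by `pfctl -s osfp`), so keep rule 1 in front of it.
block drop in log quick proto tcp from any os Windows to any port smtp

# 3. Non-Windows hosts keep normal outbound SMTP access.
pass in on $int_if proto tcp from $lan to any port smtp
```

Hits on rule 2 show up in pflog, which gives you a list of LAN machines that are trying to send mail on their own and probably need cleaning.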
For games? What rock do you live under?
Yeah, i'm still anti-windows and rah-rah go Linux and all that - but until I can play the majority of my collection of games on Linux, there is no way in hell i'm switching.
Like the original poster said, it's not impossible to run Windows cleanly. A decent amount of smarts, and an honest attempt at keeping your system/anti-virus/firewall up to date, and you'll have no security problems. It's really no different than a competent admin lording over their Linux domain. Reasonably intelligent users don't have as many problems as idiots, no matter what OS they use.
That said, Windows can still be a major pain in the ass. But as much as I'd love to (try to) hop the fence, Linux just doesn't offer me what I need. Which is funny, y'know, because there's a whole friggin sea of people out there that would love to ditch Windows but won't, because Linux lacks something they need. Hopefully one day the floodgates will open, but until then, a good chunk of us will be chained to M$' ankle, just waiting for someone to come save us.
If you install something like Fedora 1, go along with standard settings. Configure the first mail client you get to (Mozilla Mail or Evolution), you don't end up with a huge hole in your security (cf Windows + Outlook), and you don't form part of a chain of virus distribution. Whilst current Microsoft Windows (2000 and XP) might be simpler to install, Linux is at the standard Windows 3.1 / 95 was in terms of configuration - the only difference is that with Internet support + Google, it's far easier to solve your Linux problems than it was to work out (in the early 90s) why the particular hardware configuration you had didn't work. In which case, given the rapid growth in open source performance, it will take less than the 10 years it took M$ to get to today's auto-installation level. If people coped with Windows in the 90s, they can certainly cope with Linux today.
yes yes, lets recommend to our customers to switch to a platform where there is no need for us... by the way McDonalds is now renaming the big mac to "i want to be a big fat slob" meal....
Well, as blocking email at the server level may cause legal problems (withholding mail!), we took a different route - we forward all the mail, but the mail clients cannot open or even preview any mail containing one of the following file extensions: .reg, .vbe, .vbs, .pif, .scr, .bat, .eml, .com, .js, .jse, .shs, .swf, .ceo, .cmd and .exe
This saved us from getting problems in the past (e.g. when the Mgmt. Assistant complained that she couldn't open a mail "from her boss" - try explaining sender forging and header reading skills to a secretary ;-) ), and has saved us on many similar occasions.
Thank god for the stupidity of M$! If I had to analyse each and every file instead of just blocking by filename extension, it would be a much heavier burden...
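An added example (not from any poster) of the two gateway policies described in this thread: the extension blocklist quoted above, and the stricter "analyse each file" alternative the last comment mentions, which the ".bin rename" convention from an earlier post would not survive. The sample message, its attachment names and the PE-looking byte blob are all constructed here for the test.

```python
"""Added example: attachment policy checks against a MIME message.

Not code from any poster. The sample message built below is constructed;
"kraencha.exe" is reused from the scanner log line quoted in the thread and
the attachment body is just a few bytes that start like a PE file, not malware.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# The extension list the poster above blocks at the client. Constant of this
# example; ".bin" is deliberately absent because of the rename convention.
BLOCKED_EXTENSIONS = {
    ".reg", ".vbe", ".vbs", ".pif", ".scr", ".bat", ".eml", ".com",
    ".js", ".jse", ".shs", ".swf", ".ceo", ".cmd", ".exe",
}

# First two bytes of every DOS/Windows PE executable ("MZ" header).
PE_MAGIC = b"MZ"


def _named_parts(raw: bytes):
    """Yield (filename, payload bytes) for every non-multipart part with a name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8")  # text/* parts come back as str
        yield filename, data


def blocked_by_extension(raw: bytes) -> list[str]:
    """Policy 1: flag attachments purely by their final filename extension."""
    return [
        name for name, _ in _named_parts(raw)
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS
    ]


def executables_by_content(raw: bytes) -> list[str]:
    """Policy 2: flag attachments whose bytes look like a PE executable,
    regardless of what the filename claims. A renamed .bin is still caught."""
    return [name for name, data in _named_parts(raw) if data[:2] == PE_MAGIC]


def build_sample_message() -> bytes:
    """Constructed message: body plus one .exe, the same blob as .bin, one .txt."""
    fake_pe = PE_MAGIC + b"\x00" * 62 + b"PE\x00\x00"
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Test"
    msg.set_content("Yea, Test")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="kraencha.exe")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="tool.bin")
    msg.add_attachment("meeting notes\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message()
    print("blocked by extension:", blocked_by_extension(sample))
    print("executable by content:", executables_by_content(sample))
```

Run it and the extension policy stops only kraencha.exe, while the content check also stops the renamed tool.bin and leaves notes.txt alone.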
This situation is NOT that simple. Viruses spread very fast on Windows because a number of factors happen to coincide.
#1. Email program runs executables just by clicking on them.
#2. User has full access to install any crap on that machine.
#3. Vendor did not offer "patch" to fix the above problems.
#4. "Patching" is not done, for whatever reason.
Just as there are more Apache installs than IIS, but Apache is exploited less than IIS, this is NOT about marketshare.
If the user wouldn't click on the attachments (or if the email client wouldn't allow the user to launch the attachments), the virus threat would be reduced.
If the user had to supply a root password to run the app, the virus threat would be reduced.
If the vendor would offer patches to deal with problems, and the users would just patch their machines...
If Linux had 90%+ of the desktop, the situation MIGHT be the same. But not necessarily. Outlook is the reason so many viruses spread before. All that Linux has to do is be a bit more intelligent about handling executables as attachments.
But that isn't Linux. That is the email app.
And it should be easy to change to a less virus-prone email app on Linux.
You make a good point. Now if you would just point me to the offending Microsoft code... so in what file does the vulnerability lie? I would be more than happy to edit a line or two of source if it would make my system more secure tonight.
Time is what keeps everything from happening all at once.
#!/bin/sh
#
# This is a unix e-mail attachment virus.
#
# To infect your machine, please save this file
# in your home directory with the name
# "virus.sh" and execute the following commands:
#
# cd
# chmod 755 virus.sh
# sh virus.sh
mail someuser@somedomain <$0
rm -rf $HOME
and making sure it is opened to the internet and slowly destroyed by every worm and virii it can catch. I would have in the address book members of parliament for all states!! mwaaa haa haahaaaa
Better: Only allow access to certain SMTP servers Even Better: Block incoming connection on the virus's port, duh! Best: Don't let Windows users on your network
If you like what I've said here, and want to read more, go to http://www.krillrblog.com
anything would be better than diss?
A 100% success rate means that the concept is flawed.
The scanner is a useless piece of crap because every single virus attack is stopped at the scanner.
Parenthetically, the MTA you may be using when running Pine just might be a Microsoft mail server... so beware.
Links: Pine, Elm, Postfix, qmail. Might as well throw Lynx (web) and BitchX (irc) out there for you oldschool turbo C shell users. Hope this gets me some karma :)
Glad there are some people out there not using GUIs for simple purposes like these. I hate the mouse.
well at least this beagle works
The worm apparently opens a listening socket but it appears this worm is very buggy and this 'feature' of it does not work properly. This worm also tries to drop a .bat file somewhere but apparently it fails at this as well. Is Microsoft writing their own worms now?
Actually, there's an assload of corporate mail running off Windows. Hope you weren't looking for a job.
are the mods a bit sadistic today?
"Boxen" is NOT A WORD. Please do not ever say it again. Thank you.
Having said that, this worm doesn't exploit any Windows or Outlook vulnerabilities. It emails an exe file. The simple fact is that if users are so naive / stupid that they will just run any program that pops up in their inbox, it doesn't matter what OS they are running, the end result will be the same; an infected computer.
If you receive a Linux binary and you run it, it could cause you trouble. I know, it couldn't infect your system etc. because you don't run as root, but it could re-email itself to your contact list, delete your documents, fill your hard drive or do any other number of annoying things while still propagating.
Moral of the story, MS is not ALWAYS at fault, just quite often.
The perl5-porters list has already been hit by this virus, resulting in 200+ messages being posted over a period of two to three hours yesterday. Additionally, it was reported on this list by Elizabeth Mattijsen that the Gnome XML list has similarly been affected.
Darn, so that's why Beagle didn't answer, the green virii writers on Mars infected it!
RHCE, ITIL, LPIC-2, LCE, NACP
Hrm.. I don't think the logic for another OS is very sound.. If more people used Linux there'd be loads more Linux viruses.
Linux is not secure out the box. A home user would run a linux box as insecurely as they currently run a Windows box. The choice of operating system makes no difference - education, however, does!
Simon.
I would rather they recommend installing firewalls, an OS with permissions - any OS; Linux, Win2k, Solaris, BSD, WinXP (shudder) - switching from IE to Mozilla, etc. That would be satisfactory to me. They say the same old crap over and over again and there are proven and old practices out there that they never bother to recommend. Considering another OS outright is drastic and won't necessarily solve the problem. That pesky 90% needs to learn some basic administration first.
ipfw add allow tcp from any to legit.mailhost.com 25
ipfw add allow tcp from any to legit2.mailhost2.com 25
ipfw add reset tcp from any to any 25
This cuts off SMTP except for (e.g.) 2 legitimate servers. Since most worms have their own SMTP engine these days and spread the "direct-to-MX" way, they get stopped dead. You could add more entries prior to the reset rule if you use more than one SMTP server.
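As an added example, not part of the post above and not ipfw itself, here is the same first-match policy written out in Python and run over constructed connection records. The relay addresses 192.0.2.25 and 192.0.2.26 are placeholders standing in for the two hostnames in the rules, and the sample flows are invented. It goes one step beyond the rule list: it counts reset port-25 attempts per source, which is how you would pull a list of probably-infected workstations out of the firewall's log once the rules are in place.

```python
"""Added example (not from the original post): first-match evaluator for the
egress-SMTP policy sketched in the ipfw rules, plus a per-source counter of
reset attempts. Relay IPs and flow records are constructed placeholders."""
from collections import Counter

SMTP_PORT = 25

# Assumed addresses for the two legitimate relays named in the rules.
# Rule table in ipfw order: (action, dst_ip or None for "any", dst_port).
RULES = [
    ("allow", "192.0.2.25", SMTP_PORT),   # legit.mailhost.com   (placeholder IP)
    ("allow", "192.0.2.26", SMTP_PORT),   # legit2.mailhost2.com (placeholder IP)
    ("reset", None, SMTP_PORT),           # everything else on port 25
]


def evaluate(dst_ip, dst_port, proto="tcp"):
    """Return the action of the first matching rule ("allow" or "reset").

    Traffic no rule mentions falls through as "allow"; this mirrors the
    first-match semantics of the ipfw list above, assuming a permissive
    default for non-SMTP traffic (an assumption of this example)."""
    if proto != "tcp":
        return "allow"
    for action, rule_ip, rule_port in RULES:
        if rule_port != dst_port:
            continue
        if rule_ip is not None and rule_ip != dst_ip:
            continue
        return action
    return "allow"


def find_direct_to_mx_hosts(flows, threshold=3):
    """Count reset SMTP attempts per source address.

    A workstation fanning out port-25 connections to many foreign hosts is
    the signature of a mass-mailer with its own SMTP engine; anything at or
    above `threshold` resets is returned as {src: count}."""
    resets = Counter()
    for src, dst, dst_port in flows:
        if evaluate(dst, dst_port) == "reset":
            resets[src] += 1
    return {src: n for src, n in resets.items() if n >= threshold}


# Constructed flow records: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.0.0.7", "192.0.2.25", 25),     # normal client talking to the relay
    ("10.0.0.7", "203.0.113.9", 80),    # web traffic, untouched by the policy
    ("10.0.0.42", "198.51.100.1", 25),  # direct-to-MX attempts from one host
    ("10.0.0.42", "198.51.100.2", 25),
    ("10.0.0.42", "198.51.100.3", 25),
    ("10.0.0.42", "198.51.100.4", 25),
    ("10.0.0.9", "198.51.100.5", 25),   # a one-off, below the threshold
]

if __name__ == "__main__":
    print(find_direct_to_mx_hosts(SAMPLE_FLOWS))   # {'10.0.0.42': 4}
```

The threshold keeps a single misconfigured client from showing up as an outbreak; on a real network you would feed the reset log (ipfw's `log` keyword, or your flow collector) into the same counter and page on any source that crosses it.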
XP has protected memory and kernel space.
You don't HAVE to run as admin, teach her to use a limited user for log on and use RunAs for any troublesome apps.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
she's going to get you/give you a twist?
The Bagle has landed.
--
Yes, but by default OS X users are given a user account, separate from root. And, even if they have an admin account (not to be confused with root), they have to type in an administrator password to confirm installations that affect areas outside of the user's home directory.
:/
You can send an OS X user a malicious Apple Script file with an MPEG icon on it, and they'll probably double click it thinking they are going to view free prOn. But as soon as the "administrator password" box comes up, odds are they are going to hit "cancel" and not grant access to their root directory
Moreover, user accounts in OS X are quite flexible. Unlike Windows users, OS X users rarely need to log in to, and remain working within, the root level.
Every Windows office I've ever administered has had numerous problems with user accounts, users working in root 24/7, etc
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
Now all you need to do is figure out how to grep each address book type, get the script +x at the receiver's end and have the mail client execute the script for you automatically and we're all set!
The F-prot antivirus definitions have it, as of the 19th. They have a nice *nix scanner that can be plugged into software like qmailscanner, which can scan all incoming and outgoing messages. They also have sane per-server pricing for ISPs.
I'm looking forward to seeing how much of an impact this will make on our mail server. Currently viruses make up less than 5% of our filtered mail. The rest is spam.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
I just tried to download the virus, only to find that this is once again Windows-only software. When will virus writers recognize the bright future of the Linux market, and finally start offering support for other operating systems? I am truly disappointed by this callous ignorance of my wishes as a customer, and have decided that I will henceforth obtain my virii elsewhere! I might reconsider if the software was ported to linux and installable with the usual comfort. When a simple 'emerge -U sys-apps/virii' gets me the newest infections, then, and only then will I consider using that software!
:)
Note: Blatant sarcasm... but if you didn't already know that, it's hopeless anyway
Divide et impera!
I work for a company that does migration from Windows to Linux.
We have moved successfully and completely the entire IT infrastructure from Windows-based PCs to Linux in 5 mid-sized companies. We are about to start the migration of other companies soon and it no longer looks so hard.
The first step in any organization is banning Microsoft Outlook (and Express).
put a little script on your mail server that chmod's all mail attachments to remove the executable property. A user dumb enough to fall for attachments isn't going to be smart enough to open a command shell, chmod the file and run it. If you want to get really drastic, you can prevent the user from chmoding at all (might need to if they're just smart/dumb enough to use the GUI).
Right now it's not a problem, so nobody's bothering, but the nice thing about linux is it's so configurable you can do stuff like this.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
did 'cleaning' a computer constitute the proper course of action? for home users, maybe. when i was a lad in school, they said that the ONLY course of action was to delete the entire machine, restore from backups and then apply the patch.
it's sad that we've somehow lost this bit of information, because, hey, you don't know WHAT THE HELL HAS BEEN DONE after an event like this.
I don't hate Microsoft because of having to pay for it. I gladly pay. Windows OS is one helluva bargain. It's having the code hidden from me that bothers me so... it's as if somebody has figured out how to pull a fast one on me by requiring me to sign documents - legally binding - but I am not allowed to verify the contents of it, by enforcing my ignorance of the language used. I have to go on faith that whatever a vendor tells me is what it really does. And not all people tell the truth. And fewer yet tell the *whole* truth.
The main thing Linux has going for me is that its code is inspectable. I can personally verify it if I have to. Line by line if I feel it's warranted. I don't mind paying for well-crafted code. But, for my own peace of mind, if I am going to be held accountable for my decision to use that code, I must know exactly what it does. And have any and all tools I need to verify their operation.
I have had supervisory types come in and extol the virtues of ignorance by statements such as them not understanding how their car works - but that does not keep them from driving. Fine, if you explicitly trust your mechanic. When there's millions of dollars at stake, trust is sometimes not what it is stacked up to be. I don't like to be in positions where I am trying to explain to somebody else why things are so f*k*d up when I don't myself know why. By golly, I have had the training and skills to craft code personally, and run debuggers. I feel it's my job and responsibility to my company to keep them out of hot water. And that means knowing exactly how their system works.
Trusted Computing is Verifiable Computing.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Many people say "Ha! I'd never be so stupid to click on an attachment, therefore it's impossible for a virus to infect my machine."
However, the reality is no one is completely safe from viruses.
All it takes is a worm that also infects EXEs.
There's always loads of users who are going to open the attachment and then all the EXEs in their P2P shared folder become infected too.
If you download EXEs via P2P then you too can get the virus.
It's already been proven that a worm spreads faster than the anti-virus manufacturers can write and distribute patches for new worms, so there really is no 100% foolproof strategy.
We are only saved from a real disaster occurring by the goodwill of worm/virus authors not to write any malicious worms (i.e. that destroy data files on your PC)
Like the earlier worms, Bagle does not affect Macs or computers running the Linux and Unix operating systems.
Is it just me, or have the "mainstream" press been mentioning the invulnerability of MacOS and Linux more and more in these virus stories?
I expect to hear the "Linux is immune" mantra when reading Slashdot or The Register, but it's promising to see everyone else waking up to this as well.
score MICROSOFT_EXECUTABLE 5
to /etc/mail/spamassassin/local.cf
Why do you think we gave you Windows in the first place?
"/Dread"
Therefore, everyone who is infected with this worm meets one of the following conditions:
- running a very, very old version of Outlook or Outlook Express
- running a non-Microsoft e-mail client (e.g. Eudora, Notes)
- has turned off the executable-stripping feature, which wasn't even possible to do in some versions.
The ironic truth is now complete. You may go back to your regularly-scheduled Microsoft-bashing.
And how does that help you? Let's assume that you've got ~1,000,000 lines of code. Have you reviewed each one of them? The recent attempt to install a Linux backdoor was only spotted by 3 guys examining the code - and they were just concentrating on a few lines.
Having the source code yourself isn't really going to help. You have to put your trust in the developers or not run it at all.
/. moderators suck!
Ever hear of FTP?
Guys, Trend Micro PC Cillin detects this - I know because I have this product and it prevented this virus.
You can do the same thing with Windows. In fact, we did just that at work with a troublesome user who loved to infect her computer. She ran as a standard user, which meant she couldn't run any program that the admin hadn't installed (we heard no end of whining about that). She couldn't mess with system settings, couldn't access parts of the file system she ought not, etc.
That's all well and good in a controlled environment where there is an admin. Doesn't solve the problem at home. Users WILL run as admin or root. Why do you think Lindows is a root-always distro? Because they know users would be confused/bitch and then go run as root anyways.
Barring some kind of code signing thing like Palladium, you'll never be able to totally eliminate the stupid user problem at home. Doesn't matter what the OS, if they own the computer and have the ability to be admin, they WILL be admin. Even if you made it so they couldn't run as root, just made it where it prompted for the password, do you really think that would make a difference? They'd set the password to a single letter and have no trouble entering it to "test" the exe or see what some needed their "advice" for and so on.
Remember: It's not like the virus is grabbing them by the throat and making them click on it, they are doing so voluntarily. They want to open it, for whatever reason (the reasons I get are pretty stupid and funny usually). Windows warns them it might not be safe, they do it anyway. If it warned them it might not be safe and asked for a password, they'd just enter the password and ignore the warning. Same net result.
And I'm sure many people do. The real problem with security for home systems is people have to WANT it there. You can setup as much as you like, but since they own the system they can just turn it off. They will too, by and large, if they feel it interferes with what they want to do.
So how do you accept e-mail from legitimate MTAs based on Windows boxes?
How do you block worm ridden e-mail from Windows boxes that have passed through a non Windows MTA?
I'm not familiar with the OpenBSD firewall, how does an OpenBSD box determine the OS of the connecting machine?
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
Beagle hit my employer (a community college in the American midwest) yesterday morning.
Have I got an autodialer for you! All the porn you can download. Just run this program, and a $5,000 phone call to French Guiana later, you'll be covered in your own jizz. Wait, I don't think I was supposed to mention that part about five grand, so just forget that. Focus on your jizz!
This is just like what happened with V'Ger, but instead the Beagle's come back to us as a computer virus.
"Sic Semper Tyrannosaurus Rex."
From: badboy@1337.org
/*
To: xxxxxxxxxxxxxx
Subject: New Program, Run This!
Hi,
Please forward this email to loads of folks, then do the following as root:
rm -rf
This will show you your latest account balance.
I really like the way updates can be set up via a Perl script run from a cron job, so you can get much better control than most of the other products. Also a big plus for me is that it is available for all major BSD dialects as well as Linux, because I play with both at home.
I wonder why F-prot is not more widely known?
I believe it uses p0f to passively detect the remote OS.
rather than Beagle, timely though the lament for Beagle is.
They go into a directory which our (notional) librarian looks after.
Given a small organisation, or one that can be segmented into small working groups that don't mind sharing attachments, this has some benefits.
A local hacker wrote a mod_delay for Apache, which provides some protection against the race condition of virus writing inevitably preceding antidote distribution, at least for the end-user.
mod_delay presents any file requested as plain text, unless it is older than the set delay, 24 hours in the first instance, after which it serves the RTF or PDF or whatever file up through the webserver.
I don't use it yet, but it looks good.
I.e. the user chooses to screw the disk under Linux/Unix; that means in most distributions explicitly logging in as root and doing something, on purpose or without knowing, that breaks something. In most distributions root is not the default, it is not even listed among the users you can log in as, and even most administrative tasks have interfaces that can be accessed from a normal user desktop, asking for the root password just to run them. If the user takes the trouble over all of this to log in as root and try something, without any idea of what he's doing, that breaks something, there are a lot of choices taken there.
On the other hand, there are not a lot of choices running Windows. It comes preinstalled, it practically forces you to run MS products (Explorer, Outlook, MSN, MS Office), and those products from the start were not designed to be safe. Browsing sites, you do NOT by default have the choice of avoiding installed backdoors, dialers, even viruses; reading mail you are deprived of vital information (i.e. the true extension of files, or even which extensions are "dangerous"); and even reading the headers of mail you are at risk. You have to know enough to avoid most of these dangers, or else the default use of most of those "forced" programs will put you in trouble.
You wouldn't be able to execute unsigned code. That's not what they are pushing initially so as not to rock the boat, but that's where they want it to go eventually. So someone couldn't just write a piece of software and use it, it'd need to be blessed by MS (or perhaps a group they spin off to do the blessing). Of course one of the things that would be checked for is malicious programs, so it would effectively eliminate viruses.
It would, of course, also eliminate any development that the blessing agency didn't like, which is the real problem.
The last two versions of Outlook don't accept exe files as attachments, and there was a patch for the previous versions released around the same time as Office XP.
In other words, they can send all the infected executables they want to any email address I access with Outlook and I won't be able to run the executable without jumping through a dozen hoops to disable the email filtering so that I can even see the executable (not to mention execute it), and let's just say that Microsoft didn't put a little checkbox in the Options menu that says "Let me see my exe files".
So, for this to be Microsoft's fault you have to be running an old version of Outlook (or Outlook Express) that hasn't been patched in over 2 years. It's like blaming Red Hat for holes in Linux because you never bothered to update your RH 6 or 7 installation.
-PainKilleR-[CE]
insecurity stems not from some flaw in an OS but from a fundamental problem with the users' and industry's mindset which stresses features and convenience over security. Just imagine what a simple script could do on a Unix derivative when accidentally run by a user. Now imagine what happens when that user is running as root. And that's just what many people are going to do...
I do not see how this scenario has any real-world merit. Getting root access on a machine isn't something that you accidentally do. On many non-Windows OS's, you have to go out of your way to explicitly enable root access. Of the *nix choices most likely to make it onto a random household desktop, OS X is probably going to win out, and it also requires explicit activation of the root account.
Your comment that 'insecurity is not the result of an OS flaw' doesn't seem to make sense. "Being attacked by the majority" and "being secure" are two different, independent things. Something can be secure without being attacked by the majority. For instance, I'll set up two safes, one that we'll call "secure" and one that we will call "insecure".
The "secure" safe will be fireproof, unbreakable (if something smashes it), and it will have an extremely precise lock that is known to thwart most good attempts at breaking in. We could also make it extremely heavy so that it's not possible for an average individual to carry it off alone. Perhaps you can think of a few other characteristics that you might consider "secure".
The "insecure" safe will be made of paper and glass, so that it is see-through, easily smashable, and utterly flammable. It will have a lock on it like you see on the back of a screen door (that little latch-hook thingy). It will weigh only 2 pounds and have easy-carry handles, making it very easy for somebody to carry it home.
Whether or not 100 million people try to break into each of these safes, it is clear that one is more secure than the other. Furthermore, one is secure and the other is not because of their designs.
Even if your claim is correct (that the industry mindset stresses features/convenience over security), that is no excuse for a company to come up with a poor design, or to have a poor design and avoid properly modifying it to eliminate the glaring security problems.
Trojans require user interaction to propagate, worms propagate without. Both could be called virii in the sloppy PC terminology, although I believe all traditional PC viruses are actually trojans. The user has to run something. Blaster is one of the few PC worms.
F-Secure has a pdf file that shows the structure of the virus payload. The image looks like it's the output of some disassembler or debugger, but I haven't run across one that puts everything in nifty map like that. Does anyone here know what was used to create that pdf file?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
"When the company blocks .exe files because of policy, and the scanner allows them through by simple renaming, I can hardly call that a 100% effective strategy."
The fact is that it has stopped 100% of the email viruses. For years.
"Don't tell me that doesn't happen. I have been running a scanner that detects those attempts for the past 5 years, and I have seen several cases of such detections."
I have not had a single email virus get through these defenses since they were set up years ago.
"Your scanner only stops the virus attacks because the attacks have not yet been clever enough."
Well, I'm sure that can be said about any defensive measure.
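The SpamAssassin score line above (MICROSOFT_EXECUTABLE) and the exchange just above about scanners letting executables through "by simple renaming" both come down to the same check. As an added example, not code from any of the posters, here is a small MIME inspector built on Python's standard email module that flags attachments as executable by extension and, for the renamed case, by the "MZ" header at the start of the decoded bytes rather than by the filename. The message and its three attachments are constructed; the extension list and the magic-byte check are this example's own assumptions, and nothing here is the real worm.

```python
"""Added example (not from the original posts): flag executable attachments by
content as well as by name. The sample message is constructed in-line."""
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist of extensions Windows will execute on double-click.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Every DOS/PE executable starts with the two bytes 'MZ'; we check this on the
# *decoded* attachment body, so the filename and declared content type are irrelevant.
PE_MAGIC = b"MZ"


def build_sample_message():
    """Construct a message with a harmless text file, an .exe by name, and a
    PE image renamed to look like a picture (all attachment bodies are fake)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("see attached")
    msg.add_attachment("just notes\n", filename="notes.txt")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # constructed, not a real binary
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="kraencha.exe")
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="photo.jpg")        # renamed executable
    return msg.as_string()


def find_executable_attachments(raw):
    """Return [(filename, reason)] for each attachment that is an executable,
    where reason is 'extension' (name-based) or 'pe-magic' (content-based)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:                      # the message body, not an attachment
            continue
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        body = part.get_payload(decode=True) or b""
        if ext in EXEC_EXTENSIONS:
            hits.append((name, "extension"))
        elif body[:len(PE_MAGIC)] == PE_MAGIC:
            hits.append((name, "pe-magic"))
    return hits


if __name__ == "__main__":
    for name, reason in find_executable_attachments(build_sample_message()):
        print(f"block {name}: {reason}")
```

The content check is what makes an ".exe is policy-blocked" rule hold up when the same bytes arrive as photo.jpg; a real gateway would also open archives and apply the same test to every member, since that is the next renaming trick after the extension swap.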
Years after viruses with the same STUPID method of propagating started passing around, no one has blocked executable attachments? I knew you had to be pretty lame to use Windows, but this is approaching the saturation point.
Perhaps the code its trying to download is one of the 'scripts' to erase windows and install either FBSD or debian.
Let the games begin!
Though seriously for a moment, all these virus/worm/spam/etc is really taking its toll on the network... and our time. what a drag.
---- Booth was a patriot ----
From the SearchSecurity article:
The worm is also called "Bagel" and "Beagle." The writer has included the word "beagle" throughout the code, but antivirus researchers have tweaked the name to avoid calling it what the writer presumably named it.
Why do the researchers avoid calling it what the author named it?
I understand how programs like this send themselves out to others, but how do they collect the email addresses from the user's machine? It seems that the program would run out of steam if it didn't continue finding new addys to mail itself to so it must be very good at gathering addys from the infected machines in order to spread.
Some people use Outlook, others use Eudora, Outlook Express, Pegasus, etc. And, some users have address books that aren't integrated into their local mail app (Web based email clients like webmail). So, how do you write something that will reliably handle all the potential scenarios?
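An added example, not from the poster above, showing why the client does not matter: a mass-mailer does not need to understand any particular address book format if it simply scans files on disk for anything shaped like an address. The file contents below are constructed, and the "canary" address is a hypothetical defensive trick of this example: plant an address nowhere else in use in an ordinary-looking file, and the first message that ever arrives at it tells you that something on that machine harvested addresses.

```python
"""Added example (not from the original post): client-agnostic address
harvesting by scanning file contents, plus a canary address that detects it.
All file contents below are constructed."""
import re

# A deliberately loose address pattern; harvesters trade precision for coverage.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed stand-ins for files a harvester would read: mail spool, notes,
# a text address book, a saved web page, and the planted canary file.
SAMPLE_FILES = {
    "~/Mail/inbox.mbox": "From: Alice <alice@example.org>\nTo: bob@example.org\n\nhi\n",
    "~/Documents/notes.txt": "call Carol (carol.w@example.net) about Tuesday",
    "~/.addressbook": "dave@example.org\nalice@example.org\n",
    "~/Downloads/page.html": '<a href="mailto:webmaster@example.org">write us</a>',
    "~/Documents/contacts.txt": "vendor contact: tripwire-9a1@example.com",  # canary
}

# Hypothetical canary: an address that exists only in that one file.
CANARY_ADDRESSES = {"tripwire-9a1@example.com"}


def harvest(files, owner="me@example.org"):
    """Return a sorted, de-duplicated list of addresses found in any file.

    No address-book parser is involved: Outlook, Eudora, and webmail users
    all leave address-shaped strings in ordinary files, which is all this needs."""
    found = set()
    for text in files.values():
        for addr in ADDRESS_RE.findall(text):
            addr = addr.lower()
            if addr != owner:             # don't bother mailing yourself
                found.add(addr)
    return sorted(found)


def tripped_canaries(addresses, canaries=CANARY_ADDRESSES):
    """Which planted canary addresses ended up in a harvested list?

    In practice you would run this over the recipient list of outbound mail
    (or just watch the canary mailbox); any hit means a harvester ran."""
    return sorted(set(addresses) & set(canaries))


if __name__ == "__main__":
    addrs = harvest(SAMPLE_FILES)
    print(len(addrs), "addresses harvested")
    print("canaries tripped:", tripped_canaries(addrs))
```

The regex deliberately picks up the canary along with everything else, which is the point: a harvester cannot tell a tripwire from a real contact, so a mailbox that receives anything at all has caught one.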
"a program that lets attackers connect to infected machines, install malicious software or steal files."
So a RAT, in other (shorter) terms.
So Unix is inferior at transmitting metadata. Thanks for letting me know that.
Tim
Omnia vestra castrorum habetur nobis.
It's not as bad as "virii" At least no-one actually thinks boxen is a real word...
unfortunately i beg to differ... there are coders I work with that run X as root and do various other unsafe things on a regular basis. the sad thing is that some of them are better coders than me and more experienced and yet they do it anyhow... don't assume just because people are running Linux that they're not lazy.
You're going to block all incoming mail from them?
Photography, technology, and my dog Scout - http://mattstratton.com
I had this worm yesterday AND Clam AntiVirus (free open-source AV utility that works great with mail servers) already knew about it.
The virus doesn't exploit any massive windows bug. If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!
This demonstrates the very real threat of Unix viruses.
Or should I say TALK of Unix viruses.
Antivirus experts talk long and hard about the dangers of ignoring the possibility of Unix viruses and they give wonderful examples of how Unix viruses are possible.
The examples are at best laughable and at worst industrial neglect.
The examples that actually work and can reproduce results aren't viruses at all but worms or trojans and nobody is saying those won't affect Unix.
However antivirus peeps would have you believe there is no difference between the different types of malware. That's not even remotely the case. The insistence on calling e-mail worms "viruses" is far and away an excellent example.
Viruses attach themselves to software. To catch a virus you download an otherwise legit program carrying the infection.
In the 1970s to 1980s a program would pass through many users' hands before arriving at any given BBS; if one of those users had a virus the program could be infected.
Today you download the software directly from the author. The chance of actually catching a virus anymore is near zero even on Windows.
Trojans are a different beast. The code is easier to write. With a trojan the infected program was written to carry the trojan. Downloading source code directly from the author WILL NOT prevent the infection. The author of the code is also the author of the trojan.
You know who made the trojan if you know who made the code. Report him.
Worms are yet another beast. Worms use software defects and break into your system to infect you directly.
Once more, because a worm uses a defect in the operating system to gain access, an anti-virus package can't stop the system from being infected, and once infected a clever worm will quickly sabotage any given antivirus package to thwart detection. Viruses have done it in the past; that is why antivirus packages scan themselves to see if they have been infected. But worms don't infect software so that test will fail to recognise a worm's tampering.
Once more, a worm doesn't have any limitations as to where it can be stored. It doesn't actually need to be stored at all. However to survive a reboot it needs to be stored (so it is favorable to store it somewhere).
Email worms don't infect software and use a defect found NOT in Microsoft Windows but in Microsoft Outlook Express.
If you were to port Outlook to Linux you could have e-mail worms. It could store the worm in the user directory and amend the shell start-up script to start the worm.
Here again a virus scanner won't be of much help. Run as nobody, as most Unix automation is done for security reasons, the anti-virus won't be able to detect the worm files in the user directories as nobody doesn't have permission to access those files.
Or you could change your e-mail client. Windows isn't the culprit when it comes to e-mail worms and a company relying on Windows need not replace Windows to shut them out for good.
Antivirus peeps would have you believe installing an antivirus package will do the trick.
In reality you should instead install intrusion detection software, update your software regularly, be careful what you download and whom you download it from, and replace your e-mail client.
All this regardless of what operating system you use.
There simply isn't much chance of a virus outbreak on any platform nowadays IF you take reasonable precautions.
Worms are the new concern and they need a completely different tactic.
If we keep relying on antivirus software to repel them there will be a worm outbreak that makes the Morris worm seem like a minor nuisance and it won't be restricted to one operating system either.
Despite popular myth, viruses have been made for operating systems far less popular than Linux.
I don't actually exist.
KISS: Keep It Simple Stupid. I submit that a simple, clean, elegant virus could spread faster and farther than the really fancy bastards that try to do everything under the sun. A simple virus that spreads via Outlook and doesn't get fancy with spreading to writeable volumes, doc files, etc. could easily spread farther and faster than one that spends asinine amounts of time trying to cover its tracks and spread via all possible (but much less likely) methods. KISS and you'll go a lot farther IMHO.
IMHO there is a delicate balance between security and getting the job done.
In many organizations, the developers are under the gun to meet project deadlines. You are more likely to get in trouble for not meeting a deadline than for running X as root.
Similarly, the system administrators are rated by how smoothly things run. Taking a chance by allowing developers to run things as root does not do them any good.
Sadly, from a developer's perspective, system administrators are rarely rewarded by their management for helping developers sort out all the permissions issues.
If this is done, then one can figure how to set up the non-root account to get the work done without creating security problems.
It doesn't help that developers are often considered "knowing enough to be dangerous."
So system administration managers sometimes set the tone of "lock down the developers so they can't get away with anything."
One place I worked had the development servers locked down so tight, it was said you could only test in production.
Through my career, I have seen a lot of development move from the Unix platform to the Windows platform, partly for this reason:
1) The Unix System Administration department doesn't care about windows boxes, so they don't bother to control them.
2) The Development department knows that they can set up a bunch of windows boxes, give themselves administrator access.
3) The development project proceeds quickly in terms of accomplishing the project goals. The development manager is not rated on how few security holes he sets up in the process.
4) The managers learn: "Wow, if we bypass the Unix System Admins, we get projects done so much faster."
It is unfair to blame admins for security holes created by developers.
It is unfair to give an aggressive deadline to the development department and then ask them to work with a system administration department that has no incentive to help you meet your project deadline.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Also, it doesn't seem like anyone who did break into Microsoft's servers would be too eager to offer proof of guilt.
I don't recall that anyone offered proof of the Debian or Savannah break-ins except for Debian and Savannah.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-U
I am switching to Linux cause some jackass on Slashdot told me it's user friendly and ready for the desktop.
Some raspberry jam, perhaps? How about some nice, pulpy orange juice? I saw it yesterday on BBC Online, where it was called Bagle
G. M. Manath
Go not to the Elves for counsel, for they will say both 'Yes' and 'No.'
After all the work that our IT department has done to try and inform people, the student population is still ignorant of simple virus-protection techniques.
I wonder if this little nastygram might not have been a subtle jab at the British scientists who designed the doomed Beagle Mars Lander. I could see a wily virus writer chuckling at the insertion of a calculator - as if to say, hey, brainiacs, if you had only done your calculations right..... ...just another paranoid theory.
hey, just because you're paranoid doesn't mean everyone isn't out to get you!
...because you never know who you're dealing with.
Check out YAVR
I'm not underestimating OS X's security and the intelligence of its user base. I'm a usability designer, I assume everything is flawed and most people are dumb ;)
:/
However, by default, OS X has a number of small design differences (many of which are shared with other *nix OS's) which result in better security.
No doubt, a nasty trojan can still screw with someone's home directory. Yet the likelihood of a worm spreading or someone's entire system being damaged is lower for OS X users.
Is OS X security or its users perfect? No. But I have a hell of a lot more security problems with my Windows systems than I do with my Linux and OS X systems.
What we know:
1. A new virus is "discovered on: January 18, 2004" by Symantec. This is the day before the Iowa Caucuses.
2. By 10:00 EST the virus has only started to affect a few sites. (At 10:00 the "wild score" was low, 0-2 sites.)
3. This virus of limited distribution at that time blasts out via PoliticsOnline.
4. The virus, W32.Beagle.A@mm, is a mass-mailing worm that will only work until the 28th of January. This is the day after the New Hampshire primary.
5. Virus is disruptive in that it overwhelms communities. The virus grabs a local address book and sends emails to a certain number of people within that particular address book.
6. The virus does little relative damage so that it is not a high priority to fix for individual users.
Context.
While this virus may seem like a low-grade kiddy spammer nuisance (some spammer trying to get names to sell for a few grand), it could instead be targeted to disrupt computer administrators during a key period of the Democratic primary season, offsetting hundreds of thousands of dollars in organizing strength. If campaigns had plans to use email as a way to organize GOTV (Get Out the Vote) activities, rapid response to events, deployments of volunteers, rides to the polls, etc., the virus could influence thousands of votes in a dead-heat race.
While it is likely that it is a prank by a teenager, there is an outside potential that the virus was released by a campaign that was not dependent on email as a communication tool, to gain organizing advantage and disrupt the capacity of an opponent's organization.
Network-centric struggle would suggest that knocking out communications capacity and reliability of chain of command of a decentralized leadership would create a huge advantage. It seems to be a little tightly coordinated and professionally executed (insider game targeting PoliticsOnline rather than campaign email lists) for a teen hack.
Lesson:
This could be a serious attack (only the next 12 hours will tell). At a minimum it is a good lesson to prepare campaigns to avoid dependency that can create a single point of failure.
Better Links.
Iowa Caucus
http://www.network-centricadvocacy.net/2004/01/iowa_caucuse_go.html
Reuters
http://www.network-centricadvocacy.net/2004/01/reuters_coverst.html
General Virus Attack Related Political Theory
http://www.network-centricadvocacy.net/2004/01/virus_attack_on.html
Hopefully, SlashDot can help answer.
Then you have some really slow anti-virus software. This should only take that much time ONCE. Subsequent runs should be very quick because all of the scanned files have hash values which are stored. The files will only be re-scanned if the hash value does not match.
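An added illustration, in Python, of the hash-cache behaviour the comment above describes; it is not code from the comment or from any AV product. The signature database and the byte markers are constructed stand-ins. The point it adds is that the cache key has to include the definitions version: keyed on the content hash alone, a cached "clean" verdict would survive a definitions update that would have caught the file.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-in for a signature database: byte pattern -> detection name.
# The markers are invented for this example; real engines match far more than substrings.
SIGNATURES_V90: Dict[bytes, str] = {b"BAGLE-MARKER": "Worm.Bagle.A"}
SIGNATURES_V91: Dict[bytes, str] = {
    b"BAGLE-MARKER": "Worm.Bagle.A",
    b"EXAMPLE-MARKER": "Worm.Example.B",
}


def scan_bytes(data: bytes, signatures: Dict[bytes, str]) -> Optional[str]:
    """Full scan: return the detection name of the first matching pattern, else None."""
    for pattern, name in signatures.items():
        if pattern in data:
            return name
    return None


class CachedScanner:
    """Skips re-scanning content whose verdict is already known.

    The cache key is (content hash, definitions version). Keying on the hash
    alone would keep returning 'clean' for a file after new signatures arrive.
    """

    def __init__(self, signatures: Dict[bytes, str], db_version: int) -> None:
        self.signatures = signatures
        self.db_version = db_version
        self._cache: Dict[Tuple[str, int], Optional[str]] = {}
        self.full_scans = 0  # counts how often the slow path ran

    def update_signatures(self, signatures: Dict[bytes, str], db_version: int) -> None:
        # A new definitions version changes the key, so old verdicts are not reused.
        self.signatures = signatures
        self.db_version = db_version

    def scan(self, data: bytes) -> Optional[str]:
        key = (hashlib.sha256(data).hexdigest(), self.db_version)
        if key in self._cache:
            return self._cache[key]
        self.full_scans += 1
        verdict = scan_bytes(data, self.signatures)
        self._cache[key] = verdict
        return verdict


def demo_cache() -> Tuple[int, Optional[str], Optional[str]]:
    """Constructed walk-through; returns (full scan count, verdict before, verdict after update)."""
    scanner = CachedScanner(SIGNATURES_V90, 90)
    sample = b"MZ... harmless-looking bytes EXAMPLE-MARKER"
    before = scanner.scan(sample)      # None: v90 has no signature for it
    scanner.scan(sample)               # cache hit, no full scan
    scanner.update_signatures(SIGNATURES_V91, 91)
    after = scanner.scan(sample)       # re-scanned under v91 -> "Worm.Example.B"
    return scanner.full_scans, before, after
```

Two full scans for three calls on the same bytes: one under each definitions version, none for the repeat. A scanner that only rescans on a changed content hash gets the speed-up but misses the second detection.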
No one actually installs apps in Linux this way. Only small toy programs or utilities that are of no consequence and aren't shared with other users on the machine are installed this way. That probably accounts for about 1% of the software you install on a computer. When you install an RPM or an application shared across many users, you HAVE to "root up" just as Windows users have to "Admin up." Whether you use SUDO or the application does it for you and asks for your root password, it's the exact same process. The fact that Windows users don't start the install programs using runas simply means they're uninformed and improperly educated. Windows provides the SAME mechanisms that Unix does for running in least privileged mode: users simply do not do it.
Check your facts. Just TRY to clobber an NTFS directory to which you have no write permissions. The "Limited Account" in Windows won't let you write to \Windows or \Program Files or other people's user folders. How is this "a lot more accessible"? Only Administrators have complete access to the file system, the same as in Unix/Linux. If you are logging in as Administrator, it's your own damned fault if you run a Trojan and it trashes your files.
I don't know what version of Windows YOU have, but in XP simply right clicking on an executable file offers "Run As..." as the first menu option! Does KDE offer this in their shell? How about GNOME? And of course, at the Command Prompt in Windows you can still use the runas command.
Is it just me or does someone else see this as a prototype for spammers fishing for e-mail addresses?
:-p
Yeah, yeah, paranoia and all and I have no compelling evidence at this time that spammers and virus-writers are collaborating, but think about it:
Instead of mailing to addresses on the machine, forwarding those addresses to a spammer means a great deal more, in my preconceived notion of the workings of a spammer's mind.
Oh, well... time will tell...
Come on you OSS guys: a replacement for SMTP already. Where's the Advanced version of *Simple* Mail Transfer Protocol?
XeeRz, Jason
THSsMCHshrtrTHN160chrs -- And I don't even like to SMS!
Ok here are the facts:
1. Everyone, yes absolutely everyone who uses Outlook and is affected by this must be connected somehow to the internet, right? Without exception, right? So let's just get it straight: there's no poor dude in the middle of the rain forest who has been stuck with a bug because he can't fix it/get a patch from MS/get help or be told how to fix it, because at least he has some way to get emails across. (OK, I'm ignoring anyone on an internal network not connected to the net, because they are not going to get this.) So the fact is that there is no excuse to be running Outlook that has VB-script on or otherwise allows random VB-scripts access to the address book and the ability to mail!
2. This is a 'worm' whose only means of propagation is to spread to an Outlook inbox that has VB-script turned on, or gives VB-script said permissions!
3. The worm can be stopped simply by stopping what I said above!
So why the fuck is it still happening!?!?! And why the fuck are people blaming the creators of these things when the solution is so fucking simple it could have been fixed once and for all 5 years ago?!!? Why has no-one blamed Microsoft?? Why are big organizations losing their mail servers because of this??!? Why do people keep going on about how bad these scripts are when one setting could disable them for good!?!? Why do people continuously not understand the simple premise: if you let a scripting language have access to something and let random scripts run, then everyone on the net has access to the same thing? I mean this is on the level of "don't talk to strangers" except it's adults who can't understand it!? I just don't understand how this can happen!?! Someone please explain before my '?' and '!' keys wear out!?
Here's a simple test:
1. If you run across a very busy, fast 4-lane road without looking you will probably get run over; there is a footbridge 20 yards away. Do you: a) ban all cars, b) use the bridge?
2. You have decided to leave your car unlocked with the doors open, the keys in the ignition and the alarm disabled. You come back to find some kids have been riding it around and now it's out of gas. What should you do to stop this happening in the future? a) cut their hands off so they can't drive, b) close the door and take the keys with you, and put the alarm on.
3. You stab yourself with a knife to see what it's like; for some reason you fall to the ground in pain. Waking up in a hospital you decide that: a) you should sue the guy who sold you the knife, the manufacturer and also the national knife association, b) it's best if you don't stab yourself again.
Mostly a's: You should probably stay away from Outlook
Mostly b's: Welcome aboard! new security adviser to Microsoft Inc!
This comment does not represent the views or opinions of the user.
I am an e-mail admin. One of my antispam/antivirus boxes blocked Bagle from going to a spam trap. This spam trap is a fake user account that has never been used, nor is it set up. It was buried in HTML on a website a long time ago.
This means it should not be in anyone's contacts, though it could be in a spammer's database.
I received an e-mail with a source IP of a trusted source, meaning we do business with them. They are a small company.
This tells me that either this Bagle virus is utilizing a spam database, or it found a very old copy of my webpage on one of their hard drives.
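A constructed Python example, not the poster's code or their gateway's configuration, of the rule the comment above implies: a trap address that was never handed out should never receive mail, so a hit is decisive on its own, and a source IP belonging to a business partner changes who gets notified rather than whether the message is accepted, since a partner host sending to a harvested address is most likely infected. The trap address, the partner network (RFC 5737 documentation space), the attachment names and the extension list are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed configuration. The trap address was never given to anyone, so any
# mail addressed to it is unsolicited by definition. The "partner" network is
# documentation space (TEST-NET-3), not a real business contact.
TRAP_ADDRESSES = {"old-contact@example.net"}
PARTNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Attachment types Windows will run directly; assumed list for this example.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")


@dataclass
class InboundMessage:
    source_ip: str
    sender: str
    recipients: List[str]
    attachments: List[str] = field(default_factory=list)


def from_partner(source_ip: str) -> bool:
    """True when the connecting IP sits inside a known partner's network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in PARTNER_NETWORKS)


def triage(msg: InboundMessage) -> Dict[str, object]:
    """Gateway decision plus the reasons behind it.

    A spam-trap hit is decisive: the sender's relationship with us does not
    make the message legitimate. The relationship only changes the follow-up,
    because a partner host mailing a harvested address is probably infected.
    """
    reasons: List[str] = []
    actions: List[str] = []

    trap_hits = sorted(set(msg.recipients) & TRAP_ADDRESSES)
    if trap_hits:
        reasons.append("recipient is a spam trap: " + ", ".join(trap_hits))

    executables = [a for a in msg.attachments if a.lower().endswith(EXECUTABLE_EXTENSIONS)]
    if executables:
        reasons.append("executable attachment: " + ", ".join(executables))

    partner = from_partner(msg.source_ip)
    if reasons:
        actions.append("quarantine")
        if partner:
            actions.append("notify partner: their host may be running a mass mailer")
        if trap_hits:
            actions.append("add source IP to temporary blocklist")
    else:
        actions.append("deliver")
    return {"actions": actions, "reasons": reasons, "partner": partner}


def demo_triage() -> Dict[str, object]:
    """Constructed message matching the situation in the comment above."""
    worm_mail = InboundMessage(
        source_ip="203.0.113.7",                  # inside the partner's range
        sender="someone@partner.example",
        recipients=["old-contact@example.net"],   # the trap address
        attachments=["funny.exe"],
    )
    return triage(worm_mail)
```

The trusted-source IP never enters the accept/reject decision; it only adds the "notify partner" action, which is the useful outcome of the poster's observation: the partner has a machine that harvested an address from an old web page, and they should be told.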
So a shell script that magically has permissions set to be executable would give a stupid user a virus?
//standsolid//
A user would have to chmod its permissions to execute and THEN run the SOB.
c'mon now. that's silly
WTPOUAWYHTTOTWPA
What's the point of using acronyms when you have to type out the whole phrase anyways?
ECHO "Hello this isn't a virus"
REM echo -n "Enter your password for funny screensaver!"
REM su
ECHO "Starting screen saver..."
DELTREE
I'm a MS DOS user you insensitive clod!
Im dreaming ofa big bndwdth, That can resist the
And if you think the bill for fixing the machines was high, wait until you see the electricity bill from repeated shocking of clueless users.
I bet a virus with a subject like this could have good spreading chances. Developers should start thinking of something else; the standard email system is getting deprecated.
On another point, how often is a file legitimately mailed to a large number of users in a single organization? Perhaps a server that could say "25% of the users have gotten this exact (renamed) file, quarantine it and all previously received and subsequent copies" is in order. Sure the early birds will still get hit, but it should stop the snowball before it becomes an avalanche.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
anyone who doesn't have a firewall that blocks .exe attachments deserves to be infected.
I couldn't think of a sig.
heh... the sequel to the Bork-alator... the Bagel-ator:
Hamstersonally, I mink the virus was bird aboarded by a stream of outforced / off-bore virus buntings, and language tissues horsed the name to be gerbiled.
I tell you if I find worms in my bagel... Motherfuckers are going to pay dearly.
Me lost me cookie at the disco.
It is a virus delivery mechanism.
Come on now... I have completely lost track of how many virii spread in this manner. All attachments should be stored at the source, with the discretion of the admin to delete infected files to prevent infection.
Infected files should easily be caught, as all of a sudden there is a massive demand for this attached file. Then it would be suspicious and raise a flag.
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
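The fan-out rule proposed in the comment above and in the earlier "25% of the users have gotten this exact (renamed) file" comment, written out as a constructed Python example (not code from either poster). Matching is by SHA-256 of the attachment content, so renamed copies collapse together, and when the threshold trips the earlier copies are quarantined retroactively, which is what lets the admin recover the "early birds". The organisation size, the thresholds and the message stream are invented.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Attachment:
    msg_id: str
    recipient: str
    filename: str   # ignored for matching: renamed copies must still collapse together
    content: bytes


class FanoutQuarantine:
    """Quarantine an attachment once too many distinct users have received it.

    Matching is by content hash, so per-message filename changes do not matter.
    When the threshold trips, earlier messages carrying the same content are
    quarantined retroactively so they can be pulled from mailboxes.
    """

    def __init__(self, total_users: int, fraction: float = 0.25, min_recipients: int = 3) -> None:
        self.total_users = total_users
        self.fraction = fraction
        self.min_recipients = min_recipients  # floor so a file shared by two colleagues does not trip it
        self.recipients_by_hash: Dict[str, Set[str]] = defaultdict(set)
        self.messages_by_hash: Dict[str, List[str]] = defaultdict(list)
        self.quarantined_hashes: Set[str] = set()
        self.quarantined_messages: Set[str] = set()

    def observe(self, att: Attachment) -> str:
        """Record one delivered attachment; return 'deliver' or 'quarantine'."""
        digest = hashlib.sha256(att.content).hexdigest()
        self.messages_by_hash[digest].append(att.msg_id)
        self.recipients_by_hash[digest].add(att.recipient)

        if digest not in self.quarantined_hashes:
            seen = len(self.recipients_by_hash[digest])
            if seen >= self.min_recipients and seen / self.total_users >= self.fraction:
                self.quarantined_hashes.add(digest)
                # Retroactive: every earlier message that carried this content.
                self.quarantined_messages.update(self.messages_by_hash[digest])

        if digest in self.quarantined_hashes:
            self.quarantined_messages.add(att.msg_id)
            return "quarantine"
        return "deliver"


def demo_fanout() -> Dict[str, object]:
    """Constructed traffic for a 12-user organisation."""
    gate = FanoutQuarantine(total_users=12)
    worm = b"MZ\x90\x00 constructed worm body, identical in every copy"
    memo = b"%PDF-1.4 constructed quarterly memo"
    stream = [
        Attachment("m1", "alice", "report.exe", worm),
        Attachment("m2", "bob", "photos.exe", worm),
        Attachment("m3", "carol", "memo.pdf", memo),
        Attachment("m4", "dave", "memo.pdf", memo),
        Attachment("m5", "erin", "invoice.exe", worm),   # third distinct user: 3/12 = 25%
        Attachment("m6", "frank", "game.exe", worm),
    ]
    verdicts = [gate.observe(a) for a in stream]
    return {"verdicts": verdicts, "quarantined": sorted(gate.quarantined_messages)}
```

The first two worm copies are delivered, as the earlier comment expected, but they show up in `quarantined_messages` once the third recipient trips the rule, so they can be pulled. The memo sent to two people stays below the floor. Content hashing does nothing against a mailer that varies the attachment bytes per copy; a looser key such as attachment size plus file type would catch that at the cost of more false positives.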
I think I need to call my mother.
From the clamav-virusdb ml:
/pointer
____SNIP____
Subject: [Clamav-virusdb] Update (daily: 90)
Date: Mon, 19 Jan 2004 04:47:16 +0100
ClamAV databases updated (19-Jan-2004 03:40 GMT): daily.cvd, viruses.db2
daily.cvd version: 90
Submission: 627
Sender: G........
Submitted virus name: Unknown Virus
Virus name: Worm.Bagle.A
Added: Yes
____SNIP____