Slashdot Mirror


'Bagle' Worm Heading For A Windows PC Near You

mrSinclair writes "the 'Bagle' or 'Beagle' worm is expected to hit the U.S. by midweek, probably Tuesday as many employees return from a three-day weekend." He points to this Washington Post story (via Yahoo!), which describes the Windows mass-mailing worm as being transmitted via email as an .exe attachment and as installing "a program that lets attackers connect to infected machines, install malicious software or steal files." The article says Bagle has been detected in more than 100 countries. Other readers have sent in links to coverage at the BBC and at SearchSecurity.com.

16 of 606 comments (clear)

  1. Re:Windows is not to blame !! by SnowZero · · Score: 4, Insightful

    First, you'd have to save it to your hard drive, clicking on it wouldn't work (email attachments are data files, not executables). Then you'd need to "chmod +x" it, and then you could run it as your user, in which case it can infect only things associated with that user. Assuming these unlikely things happened, the superuser can simply disable your account and clean things up, while everyone else on the system can chug along happily.

    In other words, its not the same. Unix made the right decision from the beginning to separate data and executables, and to keep most users at a non-Administrator/non-root capability level.

  2. Re:Windows is not to blame !! by Anonymous Coward · · Score: 5, Insightful

    > Then you'd need to "chmod +x

    This all really depends on how much "Shell Integration" your Unix desktop has.

    It's quite possible that a Unix Mailer would look at the file extention (.pl, .py, etc) and just go launch the script intepreter when you double-click on the file. This does not require +x access!

    KMail was caught launching PE EXE viruses using Wine for example.

    In reality, most of these mail viruses have nothing to do with OS security and everything to do with poorly designed mailers and dumb users.

  3. Re:Mail server blocks executable attachments by pe1chl · · Score: 4, Insightful

    I do this as well.
    Of course you must make sure you use a valid detection mechanism.
    Many commercial scanners use the extremely naive approach of checking the file extension!
    This means that .exe files can be sent through these by renaming the file (e.g. to .jpg), then adding a comment "please rename the file to .exe".

    You would not believe it, but even the most well reknowned scanners use this stupid method. I have seen countless examples of "funny programs" being blocked on the mailscanner, and then the same file arriving half an hour later, renamed to .jpg or .gif, and with the added guidance for the receiver. Of course it was again blocked by my scanner, but apparently this method works on the commercial scanners and the users know the workaround.

    There even has been one trojan that uses this method by packing the program in a .zip and telling the user to unzip and then run the program.

  4. Re:ISP/mail provider virus scanning... by phaze3000 · · Score: 4, Insightful

    Two main reasons - the extra load generated and the risk of false positives.

    If filtering were done as you suggest, with a simple attatchment file size check, then there's a reasonable chance a perfectly legitimate mail would be dropped. It also wouldn't take very long for the virus writers to create viruses that vary the file size on every reproduction.

    If a customer gets themself infected with a virus then it's their fault for not have adequate virus protection - if the ISP drops their mail because it was of a similar size to a virus it's the ISP's fault.

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
  5. Hah Hah That's Insightful... by Greyfox · · Score: 5, Insightful
    But if you move the users over to Linux or OSX they'll still execute attachments. The solution is to set their mouse up so that whenever they open an attachment, they get a shock. The more they open attachments, the more they get shocked. Eventually the problem will go away (Either when they stop opening attachments or when the shocks become fatal...)

    We had the same executable attachment problem back when I was in school in the late '80s. Our VM Mainframe E-Mail system got shut down because of some christmas card program that remailed itself to everyone in your address book. Sound familiar?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  6. Use your firewall to protect against Windows virus by chrysalis · · Score: 4, Insightful

    I don't know whether it applies to that one, but a _very_ efficient way to avoid the annoyance of Windows email worms is to use your firewall block all incoming traffic from a Windows machine to port 25.

    On OpenBSD, the following line is enough :

    block drop in log quick proto tcp from any os Windows to any port smtp

    There is really not a lot of legacy mail exchangers running Windows so it doesn't hurt.

    However, it blocks most worms that are trying to directly send mail.

    --
    {{.sig}}
  7. Re:Antivirus Company Submissions by ajs318 · · Score: 5, Insightful
    If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!
    Yeah, probably; only, thanks to something called "privilege separation", they would never get transmitted anywhere. At least, not on a well-set-up system ..... Even on a slightly-badly-set-up system, there will be log files kicking around to show what sort of thing was happening.
    The virus doesn't exploit any massive windows bug.
    Well, maybe I have a warped sense of priorities, but I'd regard running everything as the equivalent of "root" as a pretty massive bug .....
    running unknown code is NOT a good idea on ANY operating system.
    Agreed -- which is why I insist to have the source code for every piece of software I run.
    --
    Je fume. Tu fumes. Nous fûmes!
  8. Re:Antivirus Company Submissions by Ed+Avis · · Score: 4, Insightful

    The virus exploits the massive Windows bug that clicking on an attachment is enough to run an executable with full user priveleges (root privileges, often) and that there is no safe mechanism to _open_ a file without the risk of _running_ it.

    --
    -- Ed Avis ed@membled.com
  9. Re:Antivirus Company Submissions by originalTMAN · · Score: 5, Insightful

    You could create a priveledged system since NT. Heres a scenario for you, Linux comes preinstalled on every new computer sold and is the dominant OS. Do you think resellers would setup non-root/non-rootlike accounts for the user? It's not like they couldn't do that with 2k or XP. And what about the bagillion possible daemons that the reseller might turn on just to make things even easier for the user? do you think the reseller would educate the buyer on the importance of actually maintining a system or firewalls? *nix (as much as I love it) is not the be all, end all to this little annoyance. Education is. If people were educated on how to actually use their machine, this problem wouldn't exist.

  10. Re:MOD PARENT UP! by EzInKy · · Score: 4, Insightful

    At least with Windows Update, the user can be assured that they will get a secure untrojaned binary. No one has any evidence that Windows Update has been rooted.

    Of course six months from now, when they finally get around to issuing a patch, the lack of source code also leaves no evidence that a new vulneralibility wasn't created when the old one is closed, does it?

    --
    Time is what keeps everything from happening all at once.
  11. Re:Windows is not to blame !! by cscx · · Score: 4, Insightful

    Well in any case it should be a non-issue. If you are running Windows correctly, you're not running as a member of Administrators but rather a regular user with all the permissions correctly set. This way you can't inadvertently destroy data that should be secured (e.g., programs). In any case, I have grown tired of attempts to trivialize the would-be damage of worms on UNIX systems as "oh it will only trash /home/user" -- as if that's not bad or something!

    (Also of note is that most people sending these worms unbeknownst to them are home users, not corporate users on multiuser systems.)

  12. Re:Antivirus Company Submissions by Animaether · · Score: 5, Insightful

    So basically it exploits user stupidity. Thanks for putting it so eloquently :)

  13. Re:Antivirus Company Submissions by Ewan · · Score: 4, Insightful

    Why? you can easily write a userspace smtp client for linux, which is what this virus is. add it to .bash_rc or similar and away you go, each time the user logs in they start hammering away with copies of itself. Then, after 2 weeks, have it wipe out every file it can on the system - sure the OS will survive but plenty of what the user considers vital information will be lost.

    Backups are just as required in Linux as they are in Windows.

    Ewan

  14. Re:Antivirus Company Submissions by NemoX · · Score: 5, Insightful

    Yeah, but how much time do you spend trying to make sure you don't get anything? Searching for viruses on my 2.8GHz SATA 150 through less than 30GB of data on a RAID 0 drive takes HOURS. Then another 5-10 minutes everytime you install a program to make sure it's not kitted with spyware and such crap. Besides even normal users can install stuff in linux (contained to their home directory, only), whereas you cannot in windows, which forces Windows' users to Admin up EVERY time , which GREATLY increases the virus' accessibility. Plus the file structure is alot more accessable to normal users in Windows. Remember, the UNIX backbone has been around WAY before Gates stole DOS from that poor guy. If Windows users didn't have to admin up so much, they would be less inclined to log in as root all the time. I mean, even the "Run as.." function is hidden in windows! you have to hold the Shift key down while right mouse clicking to get it! If they can't figure out how to run as/su without jumping through hoops, of cource they are going to login and run everything as admin. I NEVER run Linux as root, I ALWAYS run windows as admin. It's just too much of a pain in the @ss in windows. Does the world need better PC education, or a better OS? I think we need both.

  15. Re:Antivirus Company Submissions by number6x · · Score: 4, Insightful
    "If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!"

    If everyone repeats this refrain enough people may actually start to believe it, and that would be good in counteracting that old 'many eyes make all bugs shallow' phrase we keep hearing about open source.

    Taken at face value the statement seems reasonable, but I'm a scientist and I like to hold theories up to the light of reality and see how they do. I know that testing theories annoys people because it makes them question their deepest held beliefs, but hey I'm an annoying guy anyway.

    We could test the statement by finding an Open Source project that has much more market share than a closed source project, then compare the rates of exploit. Hmmmm... how about Apache vs. MS IIS?

    According to Netcraft Apache has about 67% of the market and Microsoft's IIS has about 21% of the market. The often quoted FUD says that Apache is used by so many more people it must have many more exploits.

    We can search the CERT website for the terms 'Apache' and 'Microsoft IIS' clicking on the boxes for :

    Advisories

    Incident Notes

    Security Improvement Modules

    Vulnerability Notes

    'Apache' gives 180 results.

    'Microsoft IIS' gives 830 results.

    Wait! That means that just because something is used much more widely than another thing it does not result in more attacks! That proves the statement that if Linux were used more it would have more viruses is a false statement! It could be that open source actually does produce more secure code after all!

    If Linux had 60% or 70% market share, there would probably be more viruses written for Linux than there are now. But, as we can see with the real world example of Apache and Microsoft IIS, the open source development model produces more secure software.

    Sorry to step on that often quoted line about linux and viruses, but I like reality.

  16. Re:Antivirus Company Submissions by Politburo · · Score: 4, Insightful

    As a scientist, I'd think you'd know that only using one data point is not 'holding it up to the light'. I'm not saying the OP is correct, but you haven't proved anything, except that IIS has more reports on CERT than Apache does.