'Bagle' Worm Heading For A Windows PC Near You
mrSinclair writes "the 'Bagle' or 'Beagle' worm is expected to hit the U.S. by midweek, probably Tuesday as many employees return from a three-day weekend." He points to this Washington Post story (via Yahoo!), which describes the Windows mass-mailing worm as being transmitted via email as an .exe attachment and as installing "a program that lets attackers connect to infected machines, install malicious software or steal files." The article says Bagle has been detected in more than 100 countries. Other readers have sent in links to coverage at the BBC and at SearchSecurity.com.
So far, I've submitted copies of this to Symantec, and ClamAV, both of which did not detect it in the latest definitions. If anyone else has submitted this to an A/V manufacturer, or knows of an A/V that currently detects this, please post.
Contact Me (got tired of viruses emailing me).
The article says Bagle has been detected in more than 100 countries.
Are you saying that this new worm knows no geographical boundaries? Heaven forfend!
BTW: two fixes are already available for this virus:
Note to developers, developers, developers, developers:
everyone from the home user to big business wants OFF OF WINDOWS, and not just because of the viruses. Please,
stop catering to the (dying) status quo, and port your apps to Unix so we can switch over completely.
We've already received two of these at work, one as early as 8am yesterday morning, local time. Fortunately our server-based anti-virus filter is on the ball: "Executable DOS/Windows programs are dangerous in email (kraencha.exe)"
My beagle has tape worms.. when is a patch expected? If my dog had been using Linux, this would never have happened!!
More appropriately "stop running attachments".
moo
"They attributed the worm's high infection rate to curious home and small office computer users who could not resist clicking on the attachment." -You would think by now even the person with the lowest possible computer knowledge would have picked up on this. Good to see people are getting right on the reporting of this though... now we just have to hope people will update their virus definitions! -olo
I guess this means Beagle has made contact with Earth after all. Perhaps it has to do with Martian hackers who don't like Linux? They can't spell too well though.
As the article text states: "We really thought it was never going to spread because it's so stupid," said Mikko Hypponen, manager of antivirus research for F-Secure. "But people seem to be clicking on it." Just goes to show you that no matter how much cork you put on some people's pencils, they'll still manage to poke themselves in the eyeball. Honestly, who out there is so dumb that they'll run an .exe email attachment with a subject line "Test" and a body including "Yea, Test".
Mandatory computer usage licenses, anyone? ;)
Why is this one unique? It's just the next worm.
And it replicates by *emailing* itself...
No remote root/admin exploits, no network-clogging mass scanning, no nothing.
Maybe just a few misconfigured mailservers going down, that's it.
yawn, wake me up when we're at threatcom 4
I realize that there are a lot of uneducated computer users out there, but I kind of wonder if a "simple" worm such as this poses that much of a threat nowadays. (By "simple", I mean it requires a lot of work on the part of the recipient.)
Most computer users have been bombarded with messages about "don't click on attachments unless you're expecting them" and so on. Especially people in work environments.
I suspect this won't be as bad as similar worms in the past. I hope I'm right.
Why don't ISPs and mail providers perform quick checks of attachments to see if they compare with known viruses (similar file sizes would be a quick initial check) and then filter out (or at least alert the recipient about) any attachments that they successfully determine are viral attacks, such as this one?
Do any such ISPs or mail providers offer such a service? If not, why not? Surely it's in their interest? After all, these viruses (especially the ones that send themselves on to everyone in the infected machine's address book) just add unnecessary traffic to their systems, hurt their users and hurt the reputations of both parties too. Shouldn't ISPs and mail providers be looking to implement such safeguards?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
For Christ's sake, it's the users, stupid.
Not that Windows is blameless here, mind you, but I seriously suspect that I could concoct a shellscript that could do something similar (at least in terms of self-propagating) and send it to all my friends who run UNIX. And then you'd see! Oh, wait, THEY KNOW BETTER THAN TO RUN UNKNOWN CODE.
I've got two windows boxen at home. They've never been infected. My virus scanner doesn't save me -- running them behind a firewall and not executing random content on them does. It's not Windows that's the problem -- it's those damned Windows users.
Now, excuse me while I call my parents to have them update their virus definitions...
Come on! Outlook hasn't allowed these to be run for years now? How do these things still spread? Little old ladies stuck on Eudora 3.0 or something?
I got it this morning, spoofed from a SecurityFocus security mailing list I subscribe to, ironically enough. Current Norton sigs didn't detect it, and it didn't match my spam filters...but Outlook's updated features automatically blocked access to the exe file (not like I would have clicked on it anyways...but it was interesting to see something from Microsoft be the only barricade to stay standing).
For your security, this post has been encrypted with ROT-13, twice.
It looks like the writers of the virus DOS'ed themselves (from the aforementioned Yahoo! article):
:)
Bagle also tries to download an unknown program from one of more than 30 Web sites located mostly in Germany and Russia. None of those Web sites was reachable as of Monday afternoon.
Or is it more likely that these servers in Russia and Germany were also hacked and were just being used?
At any rate, this doesn't look so bad. The searchsecurity.com article says that "Removing the worm manually is just a matter of killing "bbeagle.exe" in the Task Manager. The registry keys created by the worm also need to be removed." Hopefully this one won't be as bad as Sobig.
My blog
ummm actually... you wouldn't be able to run a .exe under *nix... unless you were running a windows emulator.
The security holes in Windows are what is being exploited, though the problem is the people who open the door (click on attachments) and invite the problem.
I keep double clicking on the file, "thisisavirus", but it just brings up weird letters! How am I supposed to get infected?
You can't judge a book by the way it wears its hair.
Not that Windows is blameless here, mind you, but I seriously suspect that I could concoct a shellscript that could do something similar (at least in terms of self-propagating) and send it to all my friends who run UNIX.
Oh, I've done this. Countless times.. and you're right. Stupid is stupid. Your operating system can only protect you so much.
Sorry it just ironic, ignorence try ignorance. BTW, I modded you up because your statement was nonetheless true.
Anyone who whines about being modded down should be.
"The computer security community recommends that home computer owners never click on attachments unless they are expecting them from a trusted source. They also recommend that PC owners install and run up-to-date anti-virus programs to scan for computer infections".
They could stop sucking up to M$ and also recommend that home users consider another OS.
Or alternatively, when will people learn?
DON'T RUN EXECUTABLES UNLESS YOU KNOW WHAT THEY ARE
The problem is user education. Social engineering, such as that used by virus creators, will be a problem on any OS until users learn of the dangers.
Remember the Slashdot crowd are not typical computer users. We tend to be more computer savvy and literate, and as a consequence more wary of potential problems. It is our job to help educate people about the dangers of the worm and the virus, and how best to minimise the threat.
Seems that this thing fakes e-mail addresses as well. Got several complaints that I was sending viruses, but of course that's absurd, as I am running GNU/Linux. I can only guess that it picks an e-mail address at random from some list (address book, mayhaps?) and says it comes from there.
#define DRM chmod 000
I didn't find the worm in my bagle until I was halfway through with it. If I'd patronised a Linux coffeehouse, I'd have gotten a fresher one.
People always wonder why I filter large attachments off at the server level so as to avoid clogging up my machine and connection. So far I've never seen the virus payload hit my Inbox; being on Linux means it won't hurt, but it's still annoying. Of course with Wine it might be a different story. Rus
CPanel + Root from $35/mo - 10% off with discount code SLASHDOT
It's pretty fucking sad when you now have forecasted virii.
Weather channel, look out!
You can download the free PQREMOVE application from Panda Software's web site: http://www.pandasoftware.com/download/utilities/.
Virus infects both Windows and Linux!
If everyone stops using Windows and starts using Linux and OSX, the viruses will be designed for them. Let the rabble use unpatched and open Windows and we can stay safe behind our firewalls and different OS's
We tend to become like the worst in those we oppose. --Bene Gesserit Coda--
I do it cuz I hate that lazy fuck who calls himself the sysadmin...
Can I get an eye poke?
Dog House Forum
First, you'd have to save it to your hard drive, clicking on it wouldn't work (email attachments are data files, not executables). Then you'd need to "chmod +x" it, and then you could run it as your user, in which case it can infect only things associated with that user. Assuming these unlikely things happened, the superuser can simply disable your account and clean things up, while everyone else on the system can chug along happily.
In other words, its not the same. Unix made the right decision from the beginning to separate data and executables, and to keep most users at a non-Administrator/non-root capability level.
1. Don't open any attachments that are potential virus, (.exe, .vbs, .com, etc.)
2. Disable your email client's automatic message preview pane. This makes exploit viruses a little easier on you, as you can select the message and delete it without having to preview it instantaneously.
3. Download a mail proxy program (I use MailWasher), it'll filter out spam, and allow you to see a text version of the message, without downloading the attachment.
4. Have your AV update its definitions religiously. Of course, this only helps if your AV company updates its definitions religiously as well.
Of course, the first 3 don't require a virus scanner at all, just common sense. As a gamer, I hated having NAV or McAfee VirusScan hog up 30MB of my memory, so I removed it. I make smart and conscious decisions, and have never had a virus on my computer for several years.
Trend's pc-cillin displayed a popup of this several hours ago. This is why I use pc-cillin, windows needs a condom.
Oh yes they are! Microsoft chose to store the "executable flag" metadata right into the filename. In the *nix world, you can't simply execute a foreign binary by double clicking because this metadata is not transmitted via email attachment or simple file transfer.
I'm the resident geek in my dorm, and have spent the last 24 hours getting rid of it on computers of anyone and everyone. The particular strain we saw came in an email with the subject of simply "Hi" and contained (basically) the following text.
Hi!
This is a test.
(random string of letters)
Testy test.
The attached file was a modified version of the Windows calculator which (according to the Symantec site) "Emails all the contacts it can find inside files with the extensions .wab, .htm, .html, and .txt"
It's interesting because apparently that's ALL it does. It doesn't screw with files or settings, or run malicious code (outside the actual act of reproducing itself). It's annoying, however, because it sends emails to people who are NOT in your address book, but merely mentioned in text files somewhere on your computer. In the last 24 hours I've gotten emails with the virus from friends, random people in my university, at least one university email address that should have been run by someone who knew better, and a couple random friends-of-friends.
Also, according to Symantec, it dies on the 28th.
It was really interesting to see the spread at my college. For us, it began around 1 AM Monday morning, peaked around 2, and was already slacking off by 3 AM. I know this from my own inbox, people in my dorm, and talking to people elsewhere.
I do find it curious the virus didn't DO anything. Is it just someone screwing around, a test for a future release or (as some of the more paranoid people in my dorm are suggesting) a released virus by the anti-virus companies to keep people in enough fear to demand their products.
As a side note, I also spent hours cleaning the assorted spyware and adware that builds up when people don't know how to properly use their computers....more than one person could literally not do work because of the porn popups that plagued their computer.
-Trillian
Interesting concept.
Deny people an AV for a nasty virus that requires you to be stupid to get infected, then watch Survival of the Fittest (tm) in action.
You know...That would be quite interesting...
and crash and burn.
glad I'm not in the Windows paddock
Oh yes,
Like if everyone stopped running IIS and started using Apache then Apache will see more server exploits.....
"Unix made the right decision from the beginning to separate data and executables, and to keep most users at a non-Administrator/non-root capability level." -SnowZero Agreed. I bounce between winxp and mandrake myself.
... according to Symantec's Security Response (since 1/18/2004).
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I can see it now... millions of linux pre-installed PC's all configured to run as root by default with just about every unnecessary service turned on and without any warning to the user that they must actually maintain their system. Replace "linux" with "windows" in the above... the world wouldn't be so different... It would have more money in its pockets, yeah, but it would still get screwed by stupid users.
Except they don't suffer nearly as much as the ISPs spending buku bucks on bandwidth to carry the viruses... and the poor sysadmins trying to save their POP3/SMTP servers from the crapflooding.
Trusted computing will fix this when longhorn debuts in 200X. People will buy it thinking their computer is safe and they won't be in the position they are now to fuck their computer up with the click of the mouse.
I just spent hours running ad-aware and pc-cillin on my roommate's computer to remove dozens of spyware programs. I have no idea how they got on there and it would do me no good to ask him. Face it, not everyone cares enough to learn how to protect their computer from this shit. They won't care and we should just accept it instead of trying to force good habits on them. Think of all those old english ladies that just gave up years ago to make the rest of us sensible human beings.
I know that the only attachments I click on are ones I get at work. If I can't trust my admin to block this stuff off (and, obviously, I do) who can I trust?
> Then you'd need to "chmod +x
This all really depends on how much "Shell Integration" your Unix desktop has.
It's quite possible that a Unix Mailer would look at the file extension (.pl, .py, etc) and just go launch the script interpreter when you double-click on the file. This does not require +x access!
KMail was caught launching PE EXE viruses using Wine for example.
In reality, most of these mail viruses have nothing to do with OS security and everything to do with poorly designed mailers and dumb users.
Though I should add: Windows has made some good progress recently, but it has been a long time coming.
I know this has been mentioned about a thousand times but if you're a sysadmin, do yourself a favor and block executables, scripts, or any other file type that can execute. If someone needs an executable to be sent in-bound, set up either an FTP server or a dummy account outside your company's mail system. I have a domain set up just for this purpose where only the admins have rights to the mail accounts. If someone needs a file, the employees just send a request to have an admin check the mailbox for a specific filename from a specific user. We'll even ask for file sizes just to make sure. While checking the mailbox might take about 3-5 minutes out of my day, this method saves me the many headaches of removing viruses all week.
The virus uses exe files; the company mail server is set up to block all executable attachments. Any emails that make it through that are then scanned. Easy solution.
When new viruses comes out, me not worried.
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
This "new" method of spreading by scanning all kinds of documents for e-mails makes it look like it might be yet another test for "new ways to spam even more people by being even more annoying".
Opus: the Swiss army knife of audio codec
Thank you, I totally agree, and *I* use Linux. That doesn't give me unrealistic expectations though. Just IMHO the greatest security gains to be had there will be in the apps, and sane defaults for newbies.
C|N>K
Already old news here. Been dealing with it for a couple of days...
The Subject: is actually more applicable to the spammers, who really are waging all out war on the utility of email. This one is more like a hit-and-run attack.
Still, the similarity is that they are hoping to find a few "good" suckers to click on their links. This one is actually an interesting combination. Partly it seems to be testing the efficiency of a propagation mechanism, which seems to result in greater "apparent locality" of the email, with higher odds that it seems to have come from someone you know. However, it also seems to be ready to launch some more insidious payload that was to be downloaded from some Web sites.
Right now all of those Web sites seem to have been taken off the net--or maybe they're waiting to pop them onto the net once the thing has propagated sufficiently. That part of the Trojan apparently tries to check in every 10 minutes to announce itself.
The thing that bothers me about this combination malware is that the anti-virus people could easily miss something. For example, in this case, what if the thing included a new variation on the email backchannel for the harvested email addresses. Or maybe a well-concealed bit of code to suddenly mung the URLs to point to live sites somewhere else? However, whatever it is hasn't triggered yet, and the anti-virus people perhaps have only detected the distractor HTTP-channel. If that were the case, they could still get a massive harvest of email addresses. (Yes, I still think the spammers are probably really the people behind this one--spamming just naturally attracts the lowest life forms. It's a question of the crudest motivations for the crudest acts.)
By the way, has anyone seen the reason for the bagle/beagle confusion here? Trying to incriminate the Israelis? Or the dogs? Or both?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Use Pine, be happy. A good *text* based MTA is the right way to enjoy active content.
Hedley
PS: Of course I am sure no
...since yesterday, apparently. Good to see Grisoft keeping AVG up to date.
Oh, and they've got a little blurb on the virus too.
And the damned thing has run a riot out here..
:-\
:-P
Worse hit were the CA "Etrust" users who couldn't get an update till way after the virus pounded several of our customers.. for some reason CA were about 12-18 hours behind having an update available on the web, even bloody mcCrappy had an update out way before them
On the up side.. it uninstalls itself in a few weeks.. and does bugger all damage because it was written so poorly.. lots of bugs in the backdoor code..
The only thing it does well is self replicate..
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
"They could stop sucking up to M$ and also recommend that home users consider another OS." Yes, because obviously a different OS would stop a user from manually executing something they shouldn't.
Someone who considers installing an antivirus "wasting time" (which is most windows users I know) is SERIOUSLY not going to install a new OS. Particularly not a text-based one like Linux.
So, the security industry makes recommendations that are more realistic, and it's more realistic to ask someone to *not* do something than it is to ask them to go far, far out of their way (which installing and running linux would be).
Hmmm.... the Beagle worm... surely it can't do that much damage... it probably just crashes on entry....
> First, you'd have to save it to your hard drive, clicking on it wouldn't work (email attachments are data files, not executables). Then you'd need to "chmod +x" it, and then you could run it as your user, in which case it can infect only things associated with that user.
All it takes is some kind of $Moron to write an e-mail client that does all that for you when you click an attachment.
> Assuming these unlikely things happened, the superuser can simply disable your account and clean things up, while everyone else on the system can chug along happily.
Yes, on a multi-user system.
Sheesh, evil *and* a jerk. -- Jade
There's reasons why viruses will not spread as rampantly with Linux and OS X. The fact that only people who know what they're doing run as root is the biggest one. I have to explain to my girlfriend the difference between her hard drive and her gigabytes, but her XP laptop runs under Administrator. This is not to mention protected memory, kernel space, and the fact that there are no Linux mail clients that automatically run attachments, that I know of.
I mod down pyramid schemes in sigs.
There will always be a certain percentage of the population that
#1. Really just accidentally clicked on the executable
#2. Clicked on it on purpose because it was from someone they knew or had a nice subject or whatever.
The only real option ('cause dumb people will be with us forever) is to configure the technology to make it harder to run apps from email. Either run them in a sandbox or require the user supply the root password to install the new application (this is why I believe Linux would be safer).
99% of the people could follow the correct precautions and we would still see massive virus transmissions. It's one of the problems with a software mono-culture. And I don't see Windows users even getting to that 99% mark.
This Bagel won't get through my Lox!
-- You are in a maze of little, twisty passages, all different... --
> installing "a program that lets attackers connect to infected machines, install malicious software or steal files."
Doesn't Windows already have to be installed?
Information on the worm can be found here and here, and removal tools can be found here and here
...to spoof SMTP with. Or it takes addresses from infected users' address books and spoofs with those. There's no other explanation why someone I've never heard of got this email from what appeared to be my address. A Win32 worm is incapable of running on my hardware. PowerPC chips don't take too kindly to Intel machine code.
We had the same executable attachment problem back when I was in school in the late '80s. Our VM Mainframe E-Mail system got shut down because of some christmas card program that remailed itself to everyone in your address book. Sound familiar?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I don't know whether it applies to that one, but a _very_ efficient way to avoid the annoyance of Windows email worms is to use your firewall to block all incoming traffic from a Windows machine to port 25.
On OpenBSD, the following line is enough:
block drop in log quick proto tcp from any os Windows to any port smtp
There are really not a lot of legacy mail exchangers running Windows so it doesn't hurt.
However, it blocks most worms that are trying to directly send mail.
{{.sig}}
What, is the worm's creator going to come forward and sue the antivirus companies for trademark infringement?
Or is this a "nyaa nyaa we're not going to call it what you wanted us to call it" thing?
Just click here to solve all your windows vulnerabilities
If anyone wants to send anyone inside the company an executable, said person is instructed to rename it to .bin prior to sending.
The .bin file makes it through the scanner and the recipient can save it to his/her local drive, rename it to .exe or .com or .bat or whatever and then run it.
Anyone who cannot follow these simple directions does not receive executable files.
No email viruses have been able to traverse these simple precautions.
We had about a couple of hundred in the last 2 years..
-NULL Sig Exception, end of post -- 1337poll.tk - check it out!
..at least this beagle works ;)
Quick. Man the Life Boats.
Everyone update with SP2 beta asap.
Women and children first!
As a college student, one who has been one of the resident techs (geeks) who go around fixing people's computers - how smart a person is doesn't always have to do with how smart they are when it comes to computers. I have met some 4.0 students who I swear had trouble booting their computers. People learn different things. (My girlfriend being one of these) Yes most people these days should be smart enough not to click on attachments - but the fact that this virus is spreading... shows that many are not.
> in which case it can infect only things associated with that user
This is one of the weakest re-used arguments backing UNIX. Let me ask you, what is more important, the programs in /usr which can be restored off the OS CD in a matter of minutes, or the irreplaceable data under /home/user???
No, because there's a pass in quick for the local network interface before.
For games? What rock do you live under?
Yeah, I'm still anti-windows and rah-rah go Linux and all that - but until I can play the majority of my collection of games on Linux, there is no way in hell I'm switching.
Like the original poster said, it's not impossible to run Windows cleanly. A decent amount of smarts, and an honest attempt at keeping your system/anti-virus/firewall up to date, and you'll have no security problems. It's really no different than a competent admin lording over their Linux domain. Reasonably intelligent users don't have as many problems as idiots, no matter what OS they use.
That said, Windows can still be a major pain in the ass. But as much as I'd love to (try to) hop the fence, Linux just doesn't offer me what I need. Which is funny, y'know, because there's a whole friggin sea of people out there that would love to ditch Windows but won't, because Linux lacks something they need. Hopefully one day the floodgates will open, but until then, a good chunk of us will be chained to M$' ankle, just waiting for someone to come save us.
Well, as blocking email at the server level may cause legal problems (withholding mail!), we took a different route - we forward all the mail, but the mail clients cannot open or even preview any mail containing one of the following file extensions: .reg, .vbe, .vbs, .pif, .scr, .bat, .eml, .com, .js, .jse, .shs, .swf, .ceo, .cmd and .exe
This saved us from getting problems in the past (e.g. when the Mgmt. Assistant complained that she couldn't open a mail "from her boss" - try explaining sender forging and header reading skills to a secretary ;-) ), and has saved us on many similar occasions.
Thank god for the stupidity of M$! If I had to analyse each and every file instead of just blocking by filename extension, it would be a much heavier burden...
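Two of the filtering practices described in this thread, the client-side extension block list quoted above and the earlier comment's convention of sending executables renamed to .bin, as an added Python example that is not any poster's code. The message it parses is constructed here, the attachment bytes are junk rather than any real worm, and the policy is deliberately name-based only, which is exactly the limitation the comment above accepts.

```python
"""Extension-based attachment policy, added example.

Reproduces the two rules discussed in the thread: attachments whose final
extension is on the block list are refused, and files renamed to .bin are
let through for the recipient to rename back.  Everything below is
constructed for illustration; no real message or sample is used.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# The block list quoted verbatim from the comment above.
BLOCKED_EXTENSIONS = {
    ".reg", ".vbe", ".vbs", ".pif", ".scr", ".bat", ".eml", ".com", ".js",
    ".jse", ".shs", ".swf", ".ceo", ".cmd", ".exe",
}
# Convention from the other comment: executables travel renamed to .bin.
ALLOWED_RENAMED_EXTENSION = ".bin"


def attachment_names(raw_message: bytes) -> List[str]:
    """Return the filename of every non-container MIME part that carries one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue          # multipart/* containers carry no payload themselves
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify_attachment(filename: str) -> str:
    """Classify one attachment name as 'block', 'allow-renamed' or 'allow'.

    Only the final extension is examined, case-insensitively, because that is
    all an extension filter sees: 'report.txt.exe' still ends in '.exe' and is
    blocked, while a name with no extension at all passes straight through.
    """
    ext = os.path.splitext(filename.strip())[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext == ALLOWED_RENAMED_EXTENSION:
        return "allow-renamed"
    return "allow"


def message_verdict(raw_message: bytes) -> Dict[str, object]:
    """Apply the policy to a whole message: one blocked part blocks the mail."""
    parts = {name: classify_attachment(name) for name in attachment_names(raw_message)}
    blocked = [name for name, verdict in parts.items() if verdict == "block"]
    return {"blocked": bool(blocked), "blocked_names": blocked, "parts": parts}


def build_sample(filename: str, subject: str = "Hi", body: str = "Test =)\n") -> bytes:
    """Build a constructed message with one binary attachment (test data only).

    The near-empty 'Hi' / 'Test' subject and body mirror what posters in the
    thread saw; the attachment content is a junk byte string, not a program.
    """
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00NOT-A-REAL-PROGRAM\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # kraencha.exe is the attachment name one poster's filter logged above.
    for name in ["kraencha.exe", "calc.bin", "notes.TXT", "report.txt.exe"]:
        print(name, "->", message_verdict(build_sample(name)))
```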
This situation is NOT that simple. Viruses spread very fast on Windows because a number of factors happen to coincide.
#1. Email program runs executables just by clicking on them.
#2. User has full access to install any crap on that machine.
#3. Vendor did not offer "patch" to fix the above problems.
#4. "Patching" is not done, for whatever reason.
Just as there are more Apache installs than IIS, but Apache is exploited less than IIS, this is NOT about marketshare.
If the user wouldn't click on the attachments (or if the email client wouldn't allow the user to launch the attachments), the virus threat would be reduced.
If the user had to supply a root password to run the app, the virus threat would be reduced.
If the vendor would offer patches to deal with problems, and the users would just patch their machines...
If Linux had 90%+ of the desktop, the situation MIGHT be the same. But not necessarily. Outlook is the reason so many viruses spread before. All that Linux has to do is be a bit more intelligent about handling executables as attachments.
But that isn't Linux. That is the email app.
And it should be easy to change to a less virus-prone email app on Linux.
You make a good point. Now if you would just point me to the offending Microsoft code... so in what file does the vulnerability lie? I would be more than happy to edit a line or two of source if it would make my system more secure tonight.
Time is what keeps everything from happening all at once.
and making sure it is opened to the internet and slowly destroyed by every worm and virii it can catch. I would have in the address book members of parliament for all states!! mwaaa haa haahaaaa
Siggy Sig Sig? Where is the sig?
If the system keeps running then replacing data from backups is fairly trivial... You do keep backups right?
Remember that most non-powerusers suffer from the default Windows settings, which hide the extension of registered file types. For them, there is no such thing as an EXE, DOC, BMP,... file. Only pretty colored icons to be clicked on :-(
A 100% success rate means that the concept is flawed.
The scanner is a useless piece of crap because every single virus attack is stopped at the scanner.
Parenthetically, the MTA you may be using when running Pine just might be a Microsoft mail server... so beware.
Links: Pine, Elm, Postfix, qmail. Might as well throw Lynx (web) and BitchX (irc) out there for you oldschool turbo C shell users. Hope this gets me some karma :)
Glad there are some people out there not using GUIs for simple purposes like these. I hate the mouse.
well at least this beagle works
The worm apparently opens a listening socket but it appears this worm is very buggy and this 'feature' of it does not work properly. This worm also tries to drop a .bat file somewhere but apparently it fails at this as well. Is Microsoft writing their own worms now ?
are the mods a bit sadistic today?
Well in any case it should be a non-issue. If you are running Windows correctly, you're not running as a member of Administrators but rather a regular user with all the permissions correctly set. This way you can't inadvertently destroy data that should be secured (e.g., programs). In any case, I have grown tired of attempts to trivialize the would-be damage of worms on UNIX systems as "oh it will only trash /home/user" -- as if that's not bad or something!
(Also of note is that most people sending these worms unbeknownst to them are home users, not corporate users on multiuser systems.)
Having said that, this worm doesn't exploit any Windows or Outlook vulnerabilities. It emails an exe file. The simple fact is that if users are so naive / stupid that they will just run any program that pops up in their inbox, it doesn't matter what OS they are running, the end result will be the same: an infected computer.
If you receive a Linux binary and you run it, it could cause you trouble. I know, it couldn't infect your system etc. because you don't run as root, but it could re-email itself to your contact list, delete your documents, fill your hard drive or do any number of other annoying things while still propagating.
Moral of the story, MS is not ALWAYS at fault, just quite often.
The perl5-porters list has already been hit by this virus, resulting in 200+ messages being posted over a period of two to three hours yesterday. Additionally, it was reported on this list by Elizabeth Mattijsen here that the Gnome XML list has similarly been affected.
Darn, so that's why Beagle didn't answer, the green virii writers on Mars infected it!
RHCE, ITIL, LPIC-2, LCE, NACP
Hrm.. I don't think the logic for another OS is very sound.. If more people used Linux there'd be loads more Linux viruses.
Linux is not secure out of the box. A home user would run a Linux box as insecurely as they currently run a Windows box. The choice of operating system makes no difference - education, however, does!
Simon.
I would rather they recommend installing firewalls, an OS with permissions (any OS: Linux, Win2k, Solaris, BSD, WinXP (shudder)), switching from IE to Mozilla, etc. That would be satisfactory to me. They say the same old crap over and over again and there are proven and old practices out there that they never bother to recommend. Considering another OS outright is drastic and won't necessarily solve the problem. That pesky 90% needs to learn some basic administration first.
Except half the Windows programs out there refuse to run as a regular user, as they expect to have write access to system level directories. Consequently it is generally not practical to run Windows as a regular user.
ipfw add allow tcp from any to legit.mailhost.com 25
ipfw add allow tcp from any to legit2.mailhost2.com 25
ipfw add reset tcp from any to any 25
This cuts off SMTP except for (e.g.) 2 legitimate servers. Since most worms have their own SMTP engine these days and spread the "direct-to-MX" way, they get stopped dead. You could add more entries prior to the reset rule if you use more than one SMTP server.
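The egress rules above stop a worm's built-in SMTP engine, but they do not tell you which internal machine is infected. As an added example (not code from the thread or from ipfw), here is the detection side: a small Python script that reads firewall log lines, counts how many distinct non-relay hosts each source contacts on port 25 within a short window, and emits per-host reset rules in the post's ipfw syntax. The log format, the sample lines and the relay address are constructed for this example.

```python
"""Spot internal hosts running their own SMTP engine ("direct-to-MX").

Added example, not code from the thread or from any project named on this
page. It assumes a constructed firewall log format of
"<ISO timestamp> <src> <dst> <dst port>" and that the site's legitimate
mail relays are known; both are assumptions, not facts from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.12 only talks to the site relay,
# 10.0.0.77 opens port-25 connections to many different hosts in seconds.
SAMPLE_LOG = """\
2004-01-20T09:00:01 10.0.0.12 192.0.2.25 25
2004-01-20T09:00:04 10.0.0.12 192.0.2.25 25
2004-01-20T09:00:05 10.0.0.77 198.51.100.10 25
2004-01-20T09:00:06 10.0.0.77 198.51.100.11 25
2004-01-20T09:00:06 10.0.0.77 203.0.113.5 25
2004-01-20T09:00:07 10.0.0.77 203.0.113.9 25
2004-01-20T09:00:08 10.0.0.77 203.0.113.14 25
2004-01-20T09:00:09 10.0.0.77 192.0.2.25 25
2004-01-20T09:00:10 10.0.0.12 203.0.113.80 80
"""

# The site's own mail server(s), the "legit.mailhost.com" of the rules above (constructed value).
LEGIT_RELAYS = frozenset({"192.0.2.25"})


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def direct_to_mx_offenders(log_text, relays=LEGIT_RELAYS,
                           window=timedelta(minutes=5), threshold=3):
    """Return {src: sorted non-relay SMTP destinations} for every source that
    reached at least `threshold` distinct non-relay hosts on port 25 within
    any `window`-long span. Clients that hand mail to the relay never appear."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port != 25 or dst in relays:
            continue
        events[src].append((ts, dst))

    offenders = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            # slide the window's left edge forward until the span fits
            while ts - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                offenders[src] = sorted({dst for _, dst in evs})
                break
    return offenders


def suggested_ipfw_rules(offenders):
    """Per-host reset rules in the syntax of the post above; they belong
    before the generic rules, since ipfw evaluates rules in number order."""
    return [f"ipfw add reset tcp from {src} to any 25" for src in sorted(offenders)]


if __name__ == "__main__":
    found = direct_to_mx_offenders(SAMPLE_LOG)
    for src, dsts in found.items():
        print(f"{src}: {len(dsts)} distinct MX-style destinations: {', '.join(dsts)}")
    print("\n".join(suggested_ipfw_rules(found)))
```

The threshold and window are tuning knobs: a real mail relay legitimately talks to many MXes, so either exclude relays (as above) or raise the threshold for them.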
XP has protected memory and kernel space.
You don't HAVE to run as admin, teach her to use a limited user for log on and use RunAs for any troublesome apps.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
So just run those apps as a sudo, or... ahem... "Run as..."
They "chose" not to change this through DOS, Win 3.1, Win 9x, WinNT... when it has been apparent for over 10 years, with the commercialisation of the Internet, that this was reckless.
And when those apps happen to be the same ones with holes big enough for a jumbo jet to fly through, they'll happily give their "Run as" administrator rights to the exploit.
The Bagle has landed.
--
Yes, but by default OS X users are given a user account, separate from root. And, even if they have an admin account (not to be confused with root), they have to type in an administrator password to confirm installations that affect areas outside of the user's home directory.
:/
You can send an OS X user a malicious AppleScript file with an MPEG icon on it, and they'll probably double click it thinking they are going to view free prOn. But as soon as the "administrator password" box comes up, odds are they are going to hit "cancel" and not grant access to their root directory.
Moreover user accounts in OS X are quite flexible. Unlike Windows users, OS X users rarely require the need to login to, and remain working within, the root level.
Every Windows office I've ever administered has had numerous problems with user accounts, users working in root 24/7, etc
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
You mean like the tons of Unix and Linux apps set to run suid root that have been exploited over the years? ;)
Searched the web for local root exploit setuid linux. Results 1 - 10 of about 15,400.
If you think such problems are limited to Windows, you are sorely mistaken.
The F-prot antivirus definitions have it, as of the 19th. They have a nice *nix scanner that can be plugged into software like qmailscanner, which can scan all incoming and outgoing messages. They also have sane per-server pricing for ISPs.
I'm looking forward to seeing how much of an impact this will make on our mail server. Currently viruses make up less than 5% of our filtered mail. The rest is spam.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
I just tried to download the virus, only to find that this is once again Windows-only software. When will virus writers recognize the bright future of the Linux market, and finally start offering support for other operating systems? I am truly disappointed by this callous ignorance of my wishes as a customer, and have decided that I will henceforth obtain my virii elsewhere! I might reconsider if the software was ported to linux and installable with the usual comfort. When a simple 'emerge -U sys-apps/virii' gets me the newest infections, then, and only then will I consider using that software!
:)
Note: Blatant sarcasm... but if you didn't already know that, it's hopeless anyway
Divide et impera!
I work for a company that does migration from Windows to Linux.
We have moved successfully and completely the entire IT infrastructure from Windows-based PCs to Linux in 5 mid-sized companies. We are about to start the migration of other companies soon and it no longer looks so hard.
The first step in any organization is banning Microsoft Outlook (and Express).
put a little script on your mail server that chmod's all mail attachments to remove the executable property. A user dumb enough to fall for attachments isn't going to be smart enough to open a command shell, chmod the file and run it. If you want to get really drastic, you can prevent the user from chmoding at all (might need to if they're just smart/dumb enough to use the GUI).
Right now it's not a problem, so nobody's bothering, but the nice thing about linux is it's so configurable you can do stuff like this.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
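Stripping the executable bit only helps on a Unix client; the mail server can go further and look at the attachment itself. As an added example (not code from the thread), here is a Python filter built on the standard `email` package that flags attachments by executable extension (including the hidden double extension that the "hide extensions for known file types" default makes dangerous), by declared MIME type, and by the DOS/PE "MZ" magic regardless of name. The sample message, its extension and MIME lists, and the two-byte stub inside it are constructed for this example; the stub is not a program.

```python
"""Inspect mail attachments for Windows executables before delivery.

Added example, not code from the thread. It generalizes the "strip the
executable bit" idea to content inspection, which also covers the
hidden-extension trick (photo.bmp.exe shows as photo.bmp on a default
Windows desktop). The sample message and the 'MZ' stub inside it are
constructed here; the stub is not a program.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (assumed list, not from the page)
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# MIME types senders commonly use for Windows programs (assumed list)
EXEC_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                   "application/x-dosexec"}


def windows_display_name(filename):
    """Name shown by Explorer with 'hide extensions for known file types' on:
    the last extension disappears, so photo.bmp.exe displays as photo.bmp."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def executable_indicators(part):
    """Reasons this MIME part looks like a Windows executable (empty if none)."""
    reasons = []
    name = (part.get_filename() or "").lower()
    if name.endswith(EXEC_EXTENSIONS):
        reasons.append("extension")
    if part.get_content_type() in EXEC_MIME_TYPES:
        reasons.append("content-type")
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == b"MZ":          # DOS/PE header magic, whatever the name says
        reasons.append("MZ magic")
    return reasons


def scan_attachments(raw_message):
    """Return [(filename, reasons)] for every attachment that looks executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reasons = executable_indicators(part)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def verdict(findings):
    """Policy hook: a single executable attachment is enough to refuse delivery."""
    return "reject" if findings else "accept"


def build_sample_message():
    """Constructed test mail: a mislabelled executable plus a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "New Program, Run This!"
    msg.set_content("Hi, see attached.")
    fake_pe = b"MZ" + b"\x00" * 62 + b"not a real program"   # constructed stub
    msg.add_attachment(fake_pe, maintype="image", subtype="bmp",
                       filename="photo.bmp.exe")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    results = scan_attachments(build_sample_message())
    for name, why in results:
        print(f"{name} (shown as {windows_display_name(name)}): {', '.join(why)}")
    print(verdict(results))
```

The magic-byte check is what catches the renaming trick mentioned further down the thread (policy blocks .exe, sender renames the file); a filter that looks only at names or MIME types does not.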
Notice that I wrote data-files. Because that's what they are from the system point of view. Datafiles that are opened with an application.
But with this definition the distinction is useless. So you wouldn't write a Linux email worm as an executable, but rather as a datafile for wine, or perl (or lisp, or /bin/sh, or MAME, etc). You still have absolutely all the power you need to both spread and release a payload. "Melissa" was a data file for Microsoft Word, and others have been data files for Windows Scripting Host, so this isn't exactly new.
What is relevant is that the email program should never allow data to be sent to a program that runs it as code, unless that code is executed in a very strict sandbox. Having to explicitly state that files are executable is a first step, but it does nothing when so much of the code we execute is sent as data to an interpreter rather than made executable.
What is needed is a "tainted" flag on files, which would need to be explicitly and manually removed. Files carrying the flag would be rejected as data for all interpreters. That would make writing worms a lot more difficult, but Linux doesn't have it, and I have seen no reason to expect it on the horizon (except some of the very slow work around SELinux.)
Wrong!!!! My Linux user account is not root or Administrator.
If you are using a non-corporate workstation loaded with windows, your account is most likely the administrator.
Please tell me how to click on a mail attachment in Linux. The fact is I can not. I first have to save it to disk. Little things like this either mean that Linux is more secure, or that it is Windows' fault.
Get a free ipod.
I don't hate Microsoft because of having to pay for it. I gladly pay. Windows OS is one helluva bargain. It's having the code hidden from me that bothers me so... it's as if somebody has figured out how to pull a fast one on me by requiring me to sign documents - legally binding - but I am not allowed to verify the contents of it, by enforcing my ignorance of the language used. I have to go on faith that whatever a vendor tells me is what it really does. And not all people tell the truth. And fewer yet tell the *whole* truth.
The main thing Linux has going for me is that its code is inspectable. I can personally verify it if I have to. Line by line if I feel it's warranted. I don't mind paying for well-crafted code. But, for my own peace of mind, if I am going to be held accountable for my decision to use that code, I must know exactly what it does. And have any and all tools I need to verify their operation.
I have had supervisory types come in and extol the virtues of ignorance by statements such as them not understanding how their car works - but that does not keep them from driving. Fine, if you explicitly trust your mechanic. When there's millions of dollars at stake, trust is sometimes not what it is stacked up to be. I don't like to be in positions where I am trying to explain to somebody else why things are so f*k*d up when I don't myself know why. By golly, I have had the training and skills to craft code personally, and run debuggers. I feel it's my job and responsibility to my company to keep them out of hot water. And that means knowing exactly how their system works.
Trusted Computing is Verifiable Computing.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
score MICROSOFT_EXECUTABLE 5
to /etc/mail/spamassassin/local.cf
First, you'd have to save it to your hard drive, clicking on it wouldn't work
Most Windows e-mail clients will not open an executable when you simply click on it. In fact, they usually open multiple warning windows saying, essentially, "If you run this, you are a complete and total moron. Are you a moron? [YES] [NO]".
Then you'd need to "chmod +x" it
This provides about the same amount of protection as said warning windows. In order to run the program, you have to be fully aware that you are trying to run an executable. Having to chmod +x it is just an inconvenience, really.
and then you could run it as your user, in which case it can infect only things associated with that user.
Seriously, how many people read their e-mail on multi-user machines? Yes, I know there are some, but it's rare. In most cases, the person reading the e-mail is the only user of the particular machine they are on, and so having their own account totally trashed isn't really any better than just having the whole computer trashed.
Besides that, most viruses these days can accomplish all of their goals just as easily from a user account as they can from root. Typically, this involves propagating itself (requires only network access) and then carrying out some form of DDoS (again, requires only network access). Who needs root?
(Of course, on Windows, if you're smart, you're probably running ZoneAlarm, which will tell you when a program tries to access the internet and allow you to deny it that access. I am not familiar with any similar software for Linux. Though, if you're smart, you aren't running attachments anyway, regardless of OS.)
What it all comes down to is that the user/super-user separation really does not provide any significant protections against viruses, especially on typical desktop systems. Sorry, but Linux is, for most intents and purposes, just as vulnerable to these types of viruses as Windows is.
Unix's security model is far from ideal. It's a very simple model that can't really do a whole lot. Not that Windows is any better; in my book, Windows is just a colorful variant of Unix. On the other hand, an OS that supports capability-based security (like EROS) would actually be able to safely run untrusted software -- viruses and all -- without harming the system, or even the individual user running it. Sadly, the idea has not been implemented in any mainstream OS (though I am currently working on a project that would bring such ideas to existing OS's).
I really wish people would stop making OS's that just copy Unix and create something new already! There are so many great ideas out there; so many better paradigms. Ugh...
To reply to several of your posts:
In Linux most software is written such that it works with the permissions it has - i.e., the permissions of the unprivileged user. Under Windows (as mentioned by the parent poster) this is quite often not the case. I had huge headaches just trying to set up my home machine under Windows 2000 so that the rest of my family were normal users and not administrators. Not only did quite a few applications not work, they didn't even have the courtesy to display an error message. In the end I gave up because quite a few things just refused to work. No wonder most Windows users run as administrators - it's too difficult to do otherwise for most people.
Granted, there have been exploits in Linux software that are most likely to be installed SUID root - which is why SUID/SGID executables are to be kept to a minimum on a secure system. Most user-level applications, I mean the kind that desktop users would be using, will not be SUID/SGID because they don't need to be.
Minutes to restore files from installation CDs? How are you supposed to know which files to restore? Even assuming the user is capable of this, what if the software completely hoses the system? Wouldn't you rather your system at least stayed running? I struggle to understand people who try to take the stance in this case that no protection at all is somehow better than limiting the damage.
Why do you think we gave you Windows in the first place?
"/Dread"
Therefore, everyone who is infected with this worm meets one of the following conditions:
- running a very, very old version of Outlook or Outlook Express
- running a non-Microsoft e-mail client (e.g. Eudora, Notes)
- has turned off the executable-stripping feature, which wasn't even possible to do in some versions.
The ironic truth is now complete. You may go back to your regularly-scheduled Microsoft-bashing.
This is only because no one wrote an "outlook-express" style mail client that runs on Linux. It would be very easy to write such an application that will enable you to run attachments by clicking on them.
And how does that help you? Let's assume that you've got ~1,000,000 lines of code. Have you reviewed each one of them? The recent attempt to install a Linux backdoor was only spotted by 3 guys examining the code - and they were just concentrating on a few lines.
Having the source code yourself isn't really going to help. You have to put your trust in the developers or not run it at all.
Can't see what justification there was for modding that post down.
I can only imagine it's someone who likes to proclaim that only stupid users ever get infected by viruses.
I don't know of any Windows app that needs to be *run* as admin - even most services can be run as a defined user without admin rights.
Almost all of them require admin rights to be installed but that is as it should be.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
You can do the same thing with Windows. In fact, we did just that at work with a troublesome user who loved to infect her computer. She ran as a standard user, which meant she couldn't run any program that the admin hadn't installed (we heard no end of whining about that). She couldn't mess with system settings, couldn't access parts of the file system she ought not, etc.
That's all well and good in a controlled environment where there is an admin. Doesn't solve the problem at home. Users WILL run as admin or root. Why do you think Lindows is a root-always distro? Because they know users would be confused/bitch and then go run as root anyways.
Barring some kind of code signing thing like Palladium, you'll never be able to totally eliminate the stupid user problem at home. Doesn't matter what the OS, if they own the computer and have the ability to be admin, they WILL be admin. Even if you made it so they couldn't run as root, just made it where it prompted for the password, do you really think that would make a difference? They'd set the password to a single letter and have no trouble entering it to "test" the exe or see what someone needed their "advice" for and so on.
Remember: It's not like the virus is grabbing them by the throat and making them click on it, they are doing so voluntarily. They want to open it, for whatever reason (the reasons I get are pretty stupid and funny usually). Windows warns them it might not be safe, they do it anyways. If it warned them it might not be safe and asked for a password, they'd just enter the password and ignore the warning. Same net result.
This way you wouldn't need to mess with extra backup hardware, and your data would be safe(ish) from this kind of attack.
Installed the Bubblemon yet?
And I'm sure many people do. The real problem with security for home systems is people have to WANT it there. You can setup as much as you like, but since they own the system they can just turn it off. They will too, by and large, if they feel it interferes with what they want to do.
So how do you accept e-mail from legitimate MTAs based on Windows boxes?
How do you block worm ridden e-mail from Windows boxes that have passed through a non Windows MTA?
I'm not familiar with the OpenBSD firewall, how does an OpenBSD box determine the OS of the connecting machine?
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
Beagle hit my employer (a community college in the American midwest) yesterday morning.
This is just like what happened with V'Ger, but instead the Beagle's come back to us as a computer virus.
"Sic Semper Tyrannosaurus Rex."
From: badboy@1337.org
To: xxxxxxxxxxxxxx
Subject: New Program, Run This!
Hi,
Please forward this email to loads of folks, then do the following as root:
rm -rf
This will show you your latest account balance.
That is just it. No one will write that type of mail application for Linux. If they do the community will love it as much as they love Lindows.
Get a free ipod.
I really like the way updates can be set up via a Perl script run from a cron job, so you can get much better control than most of the other products. Also a big plus for me is that it is available for all major BSD dialects as well as Linux, because I play with both at home.
I wonder why F-prot is not more widely known?
I believe it uses p0f to passively detect the remote OS.
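To show what "passively detect the remote OS" means in practice, here is an added example (not p0f's code and not its signature database) of the core idea: normalise the observed TTL back to the sender's initial value, match TTL, DF bit and SYN window size against a signature table, and let an SMTP policy refuse desktop-looking clients while still accepting listed Windows mail servers, which answers the question above about legitimate Windows MTAs. The three signatures and the two SYNs are illustrative values constructed for this example; real p0f fingerprints carry many more fields.

```python
"""Passive OS guess from a TCP SYN, the idea behind p0f.

Added example, not p0f's code or its signature database. The signatures
below are illustrative values constructed for this example; real
fingerprints carry many more fields (option order, MSS, timestamps) and
are far more specific. The SYN is given as a dict of fields a packet
capture would supply.
"""


def initial_ttl(observed_ttl):
    """Hosts start at 32, 64, 128 or 255 and each router decrements by one,
    so the original value is the next boundary at or above what we saw."""
    for boundary in (32, 64, 128, 255):
        if observed_ttl <= boundary:
            return boundary
    return 255


# Constructed/illustrative signatures: initial TTL, DF bit, plausible SYN window sizes
SIGNATURES = (
    {"os": "Windows NT family", "ttl": 128, "df": True, "windows": {8192, 16384, 64240, 65535}},
    {"os": "Linux 2.4/2.6", "ttl": 64, "df": True, "windows": {5792, 5840, 32120}},
    {"os": "FreeBSD/OpenBSD", "ttl": 64, "df": True, "windows": {16384, 65535}},
)


def fingerprint(syn):
    """Return (matching OS names, estimated hop count) for a SYN dict with
    'ttl', 'window' and 'df' keys. Several names may match; an empty list
    means 'unknown', which a policy should treat conservatively."""
    ittl = initial_ttl(syn["ttl"])
    matches = [s["os"] for s in SIGNATURES
               if s["ttl"] == ittl and s["df"] == syn["df"] and syn["window"] in s["windows"]]
    return matches, ittl - syn["ttl"]


def smtp_policy(syn, trusted_senders=frozenset()):
    """Decide whether to accept a port-25 connection from this SYN.

    Windows-looking clients are usually desktops driven by a worm's built-in
    SMTP engine rather than real mail servers, so they are refused unless
    their address is on the trusted list, which is how a legitimate Windows
    MTA still gets through."""
    if syn["src"] in trusted_senders:
        return "accept"
    oses, _hops = fingerprint(syn)
    if any(o.startswith("Windows") for o in oses):
        return "reject"
    return "accept"


if __name__ == "__main__":
    # Constructed SYNs: a Windows desktop 11 hops away and a Linux MTA 10 hops away
    for syn in ({"src": "203.0.113.7", "ttl": 117, "window": 65535, "df": True},
                {"src": "198.51.100.9", "ttl": 54, "window": 5840, "df": True}):
        print(syn["src"], fingerprint(syn), smtp_policy(syn))
```

Treat the result as one signal, not proof: a sender controls every field in its own SYN, NAT gateways and tunnels rewrite TTLs, and two operating systems can share a signature (the Linux/BSD overlap above is deliberate). The real p0f/pf integration on OpenBSD applies the same logic inside the packet filter.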
rather than Beagle, timely though the lament for Beagle is.
They go into a directory which our (notional) librarian looks after.
Given a small organisation, or one that can be segmented into small working groups that don't mind sharing attachments, this has some benefits.
A local hacker wrote a mod_delay for Apache, which provides some protection against the race condition of virus writing inevitably preceding antidote distribution, at least for the end-user.
mod_delay presents any file requested as plain text, unless it is older than the set delay, 24 hours in the first instance, after which it serves the RTF or PDF or whatever file up through the webserver.
I don't use it yet, but it looks good.
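The policy mod_delay implements is small enough to show end to end. The following is an added example, a stand-alone Python reimplementation of the behaviour described above rather than the Apache module itself: a file younger than the delay is served with a text/plain content type (the browser displays it instead of handing it to a document viewer), an older file gets its real MIME type, and the handler refuses paths that escape the document root. The temporary document root and its two placeholder PDFs are constructed inside the demo.

```python
"""Serve freshly uploaded files as plain text until they have aged.

Added example, not the mod_delay module the post describes; this is a
stand-alone Python reimplementation of the policy as described. Assumes a
document root of static files whose modification time marks when they
arrived.
"""
import mimetypes
import os
import tempfile
import time

DEFAULT_DELAY = 24 * 60 * 60  # 24 hours, the delay the post mentions


def content_type_for(filename, mtime, now, delay_seconds=DEFAULT_DELAY):
    """Files younger than the delay are served as text/plain, which a browser
    shows rather than hands to a viewer; older files get their real type."""
    if now - mtime < delay_seconds:
        return "text/plain"
    guessed, _encoding = mimetypes.guess_type(filename)
    return guessed or "application/octet-stream"


def serve(docroot, rel_path, now=None, delay_seconds=DEFAULT_DELAY):
    """Minimal handler: returns (status, content_type, body) for one request."""
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, rel_path))
    if not full.startswith(root + os.sep):        # refuse traversal out of docroot
        return "403 Forbidden", "text/plain", b"forbidden\n"
    if not os.path.isfile(full):
        return "404 Not Found", "text/plain", b"not found\n"
    now = time.time() if now is None else now
    ctype = content_type_for(full, os.path.getmtime(full), now, delay_seconds)
    with open(full, "rb") as fh:
        return "200 OK", ctype, fh.read()


def demo():
    """Build a throwaway docroot with one two-day-old PDF and one new PDF and
    return which content type each is served with (plus two error cases)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "old.pdf")
        new = os.path.join(root, "new.pdf")
        for path in (old, new):
            with open(path, "wb") as fh:
                fh.write(b"%PDF-1.4 constructed placeholder\n")
        two_days_ago = now - 2 * DEFAULT_DELAY
        os.utime(old, (two_days_ago, two_days_ago))   # backdate the "old" upload
        return {
            "old": serve(root, "old.pdf", now)[1],
            "new": serve(root, "new.pdf", now)[1],
            "missing": serve(root, "nothing.pdf", now)[0],
            "escape": serve(root, "../../etc/passwd", now)[0],
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The delay buys time for scanner signatures to catch up, as the post says; it does not make the file safe, so the same document root should still be scanned once definitions arrive.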
I.e. the user chooses to screw the disk under Linux/Unix; that means in most distributions to explicitly log in as root and do something on purpose, or without knowing, that breaks something. In most distributions root is not the default, is not even listed among the users you can log in as, and even most administrative tasks have interfaces that can be accessed from the normal user desktop, asking for the root password just to run them. If the user takes the trouble over all of this to log in as root and try something that, without any understanding of what he's doing, breaks something, there are a lot of choices taken there.
On the other hand, there are not a lot of choices running Windows. It comes preinstalled, it practically forces you to run MS products (Explorer, Outlook, MSN, MS Office), and those products were not designed to be safe from the start. Browsing sites you do NOT have the choice by default to avoid getting backdoors, dialers, even viruses installed; reading mail you are deprived of vital information (i.e. the true extension of files, or even which extensions are "dangerous"), and even reading mail headers you are at risk; you have to know enough to avoid most of these dangers, or else the default use of most of those "forced" programs will put you in trouble.
This is only because no one wrote an "outlook-express" style mail client that runs on Linux. It would be very easy to write such an application that will enable you to run attachments by clicking on them.
Evolution on Linux looks and works very much like Outlook. Clicking on an attachment brings up an *open with* menu that allows you to start word processors and such. You cannot "run" (execute) an attachment because the file permissions on attachments are not executable, nor does Evolution offer you that option.
You wouldn't be able to execute unsigned code. That's not what they are pushing initially so as not to rock the boat, but that's where they want it to go eventually. So someone couldn't just write a piece of software and use it, it'd need to be blessed by MS (or perhaps a group they spin off to do the blessing). Of course one of the things that would be checked for is malicious programs, so it would effectively eliminate viruses.
It would, of course, also eliminate any development that the blessing agency didn't like, which is the real problem.
The last two versions of Outlook don't accept exe files as attachments, and there was a patch for the previous versions released around the same time as Office XP.
In other words, they can send all the infected executables they want to any email address I access with Outlook and I won't be able to run the executable without jumping through a dozen hoops to disable the email filtering so that I can even see the executable (not to mention execute it), and let's just say that Microsoft didn't put a little checkbox in the Options menu that says "Let me see my exe files".
So, for this to be Microsoft's fault you have to be running an old version of Outlook (or Outlook Express) that hasn't been patched in over 2 years. It's like blaming Red Hat for holes in Linux because you never bothered to update your RH 6 or 7 installation.
-PainKilleR-[CE]
You cannot "run" (execute) an attachment because the file permissions on attachments are not executable, nor does Evolution offer you that option.
And you can't receive most executable file types in an up-to-date version of Outlook, either, so what's the point of this whole discussion? If I want someone to send me an executable on a system running Office XP or 2003, or an SP2+ Office 2000, I have to ask them to put it into a compressed file, uncompress it, and then run the executable.
Beyond that, no one I'm aware of (besides myself) has the admin passwords for my Windows box at home, any more than they have the root passwords for the other boxes. It gets rather old having to handle all of the installation tasks for my girlfriend (especially since you have to have admin access to install applications onto her iPaq), but it's better knowing that she can't install something that shouldn't be on the system.
-PainKilleR-[CE]
insecurity stems not from some flaw in an OS but from a fundamental problem with the users' and industry's mindset which stresses features and convenience over security. Just imagine what a simple script could do on a Unix derivative when accidentally run by a user. Now imagine what happens when that user is running as root. And that's just what many people are going to do...
I do not see how this scenario has any real-world merit. Getting root access on a machine isn't something that you accidentally do. On many non-Windows OS's, you have to go out of your way to explicitly enable root access. Of the *nix choices most likely to make it onto a random household desktop, OS X is probably going to win out, and it also requires explicit activation of the root account.
Your comment that 'insecurity is not the result of an OS flaw' doesn't seem to make sense. "Being attacked by the majority" and "being secure" are two different, independent things. Something can be secure without being attacked by the majority. For instance, I'll set up two safes, one that we'll call "secure" and one that we will call "insecure".
The "secure" safe will be fireproof, unbreakable (if something smashes it), and it will have an extremely precise lock that is known to thwart most good attempts at breaking in. We could also make it extremely heavy so that it's not possible for an average individual to carry it off alone. Perhaps you can think of a few other characteristics that you might consider "secure".
The "insecure" safe will be made of paper and glass, so that it is see-through, easily smashable, and utterly flammable. It will have a lock on it like you see on the back of a screen door (that little latch-hook thingy). It will weigh only 2 pounds and have easy-carry handles, making it very easy for somebody to carry it home.
Whether or not 100 million people try to break into each of these safes, it is clear that one is more secure than the other. Furthermore, one is secure and the other is not because of their designs.
Even if your claim is correct (that the industry mindset stresses features/convenience over security), that is no excuse for a company to come up with a poor design, or to have a poor design and avoid properly modifying it to eliminate the glaring security problems.
Trojans require user interaction to propagate, worms propagate without. Both could be called virii in the sloppy PC terminology, although I believe all traditional PC viruses are actually trojans. The user has to run something. Blaster is one of the few PC worms.
F-Secure has a pdf file that shows the structure of the virus payload. The image looks like it's the output of some disassembler or debugger, but I haven't run across one that puts everything in nifty map like that. Does anyone here know what was used to create that pdf file?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
"When the company blocks .exe files because of policy, and the scanner allows them through by simple renaming, I can hardly call that a 100% effective strategy."
The fact is that it has stopped 100% of the email viruses. For years.
"Don't tell me that doesn't happen. I have been running a scanner that detects those attempts for the past 5 years, and I have seen several cases of such detections."
I have not had a single email virus get through these defenses since they were set up years ago.
"Your scanner only stops the virus attacks because the attacks have not yet been clever enough."
Well, I'm sure that can be said about any defensive measure.
Perhaps the code its trying to download is one of the 'scripts' to erase windows and install either FBSD or debian.
Let the games begin!
Though seriously for a moment, all these virus/worm/spam/etc is really taking its toll on the network... and our time. what a drag.
---- Booth was a patriot ----
From the SearchSecurity article:
The worm is also called "Bagel" and "Beagle." The writer has included the word "beagle" throughout the code, but antivirus researchers have tweaked the name to avoid calling it what the writer presumably named it.
Why do the researchers avoid calling it what the author named it?
I understand how programs like this send themselves out to others, but how do they collect the email addresses from the user's machine? It seems that the program would run out of steam if it didn't continue finding new addys to mail itself to so it must be very good at gathering addys from the infected machines in order to spread.
Some people use Outlook, others use Eudora, Outlook Express, Pegasus, etc. And, some users have address books that aren't integrated into their local mail app (Web based email clients like webmail). So, how do you write something that will reliably handle all the potential scenarios?
"a program that lets attackers connect to infected machines, install malicious software or steal files."
So a RAT, in other (shorter) terms.
So Unix is inferior at transmitting metadata. Thanks for letting me know that.
Tim
Omnia vestra castrorum habetur nobis.
Unfortunately I beg to differ... there are coders I work with that run X as root and do various other unsafe things on a regular basis. The sad thing is that some of them are better coders than me and more experienced, and yet they do it anyhow... Don't assume just because people are running Linux that they're not lazy.
You're going to block all incoming mail from them?
Photography, technology, and my dog Scout - http://mattstratton.com
I had this worm yesterday AND Clam AntiVirus (free open-source AV utility that works great with mail servers) already knew about it.
The virus doesn't exploit any massive windows bug. If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!
This demonstrates the very real threat of Unix viruses.
Or should I say TALK of Unix viruses.
Antivirus experts talk long and hard about the dangers of ignoring the possibility of Unix viruses and they give wonderful examples of how Unix viruses are possible.
The examples are at best laughable and at worst industrial neglect.
The examples that actually work and can reproduce results aren't viruses at all but worms or trojans, and nobody is saying those won't affect Unix.
However antivirus people would have you believe there is no difference between the different types of malware. That's not even remotely the case. The insistence on calling e-mail worms "viruses" is far and away an excellent example.
Viruses attach themselves to software. To catch a virus you download an otherwise legit program carrying the infection.
In the 1970s to 1980s a program would pass through many users' hands before arriving at any given BBS; if one of those users had a virus the program could be infected.
Today you download the software directly from the author. The chances of actually catching a virus anymore are near zero, even on Windows.
Trojans are a different beast. The code is easier to write. With a trojan the infected program was written to carry the trojan. Downloading source code directly from the author WILL NOT prevent the infection. The author of the code is also the author of the trojan.
You know who made the trojan if you know who made the code. Report him.
Worms are yet another beast. Worms use software defects and break into your system to infect you directly.
Once more, because a worm uses a defect in the operating system to gain access, an anti-virus package can't stop the system from being infected, and once infected a clever worm will quickly sabotage any given antivirus package to thwart detection. Viruses have done it in the past; that is why antivirus packages scan themselves to see if they have been infected. But worms don't infect software, so that test will fail to recognise a worm's tampering.
Once more, a worm doesn't have any limitations as to where it can be stored. It doesn't actually need to be stored at all. However, to survive a reboot it needs to be stored (so it is favorable to store it somewhere).
Email worms don't infect software and use a defect found NOT in Microsoft Windows but in Microsoft Outlook Express.
If you were to port Outlook to Linux you could have e-mail worms. It could store the worm in the user directory and amend the shell start-up script to start the worm.
Here again a virus scanner won't be of much help. Run as nobody, as most Unix automation is for security reasons, the anti-virus won't be able to detect the worm files in the user directories, as nobody doesn't have permission to access those files.
Or you could change your e-mail client. Windows isn't the culprit when it comes to e-mail worms and a company relying on Windows need not replace Windows to shut them out for good.
Antivirus people would have you believe installing an antivirus package will do the trick.
In reality you should instead install intrusion detection software, update your software regularly, be careful what you download and of whom you download it from and replace your e-mail client.
All this regardless of what operating system you use.
There simply isn't much chance of a virus outbreak on any platform nowadays IF you take reasonable precautions.
Worms are the new concern and they need a completely different tactic.
If we keep relying on antivirus software to repel them there will be a worm outbreak that makes the Morris worm seem like a minor nuisance, and it won't be restricted to one operating system either.
Despite popular myth, viruses have been made for operating systems far less popular than Linux.
I don't actually exist.
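The post above makes two points that can be shown in a few lines: a user-level e-mail worm on a Unix box would persist by appending an autostart line to a shell start-up file in the home directory, and a scanner that runs as an unprivileged account such as nobody cannot read those files at all. The following is an added example, not code from the original thread: a small persistence check that walks home directories, flags start-up lines that launch a program living under the user's home or a world-writable temp directory, and separately reports every start-up file it was not allowed to read. The file names, the temp directories and the sample `.bashrc` content are constructed for the example.

```python
import re
import shlex
import tempfile
from pathlib import Path

# Shell start-up files a user-level worm could append itself to in order to survive a reboot.
STARTUP_FILES = (".profile", ".bash_profile", ".bashrc", ".bash_login", ".login", ".zshrc")

# Directories where a worm running without root would typically drop its binary (assumption).
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Split a shell line into simple commands on ; | || && and a trailing/background &,
# but not on the & inside redirections such as 2>&1.
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||[;|]|&(?![\d>&]))\s*")

# Wrappers that take the real program as their first argument.
_WRAPPERS = ("nohup", "exec", "setsid")


def suspicious_lines(script_text, home):
    """Return (lineno, line) pairs whose command launches something stored under
    the user's home directory or one of SUSPECT_DIRS. Comments and blanks are skipped."""
    hits = []
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for cmd in _SEPARATORS.split(line):
            try:
                argv = shlex.split(cmd)
            except ValueError:          # unbalanced quotes: fall back to whitespace split
                argv = cmd.split()
            if not argv:
                continue
            prog = argv[0]
            if prog in _WRAPPERS and len(argv) > 1:
                prog = argv[1]
            # Resolve the two common spellings of the home directory.
            prog = prog.replace("$HOME", home).replace("~", home)
            if prog.startswith(home + "/") or any(prog.startswith(d + "/") for d in SUSPECT_DIRS):
                hits.append((lineno, raw))
                break
    return hits


def scan_home_dirs(homes_root):
    """Walk every home directory under homes_root.
    Returns (findings, unreadable): findings maps "user/file" to its suspicious lines;
    unreadable lists start-up files the current account could not open, which is
    exactly what a scanner running as nobody would silently miss."""
    findings, unreadable = {}, []
    for home in sorted(Path(homes_root).iterdir()):
        if not home.is_dir():
            continue
        for name in STARTUP_FILES:
            path = home / name
            try:
                text = path.read_text(errors="replace")
            except FileNotFoundError:
                continue
            except PermissionError:
                unreadable.append(str(path))
                continue
            hits = suspicious_lines(text, str(home))
            if hits:
                findings[f"{home.name}/{name}"] = hits
    return findings, unreadable


def demo():
    """Build a constructed home tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp()
    alice = Path(root, "alice")
    alice.mkdir()
    (alice / ".bashrc").write_text(
        "# constructed sample: ordinary lines plus one worm-style autostart\n"
        "export PATH=$PATH:/usr/local/bin\n"
        "alias ll='ls -l'\n"
        "nohup $HOME/.cache/.svc/updsvc >/dev/null 2>&1 &\n"
    )
    bob = Path(root, "bob")
    bob.mkdir()
    (bob / ".profile").write_text("umask 022\n")
    return scan_home_dirs(root)


if __name__ == "__main__":
    found, missed = demo()
    for key, lines in found.items():
        for lineno, line in lines:
            print(f"{key}:{lineno}: {line}")
    for path in missed:
        print(f"could not read {path} as this user")
```

Run it as the account your scanner would actually use: anything that lands in the unreadable list is a home directory the scan says nothing about, which is the gap the post describes. The heuristic is deliberately loose (a legitimate `~/bin/tool` in a `.bashrc` will be flagged too), so treat hits as items to review rather than verdicts.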
KISS: Keep It Simple Stupid. I submit that a simple, clean, elegant virus could spread faster and farther than the really fancy bastards that try to do everything under the sun. A simple virus that spreads via Outlook and doesn't get fancy with spreading to writeable volumes, doc files, etc could easily spread farther and faster than one that spends asinine amounts of time trying to cover its tracks and spread via all possible (but much less likely) methods. KISS and you'll go a lot farther IMHO.
IMHO there is a delicate balance between security and getting the job done.
In many organizations, the developers are under the gun to meet project deadlines. You are more likely to get in trouble for not meeting a deadline than for running X as root.
Similarly, the system administrators are rated by how smoothly things run. Taking a chance by allowing developers to run things as root does not do them any good.
Sadly, from a developer's perspective, system administrators are rarely rewarded by their management for helping developers sort out all the permissions issues.
If this is done, then one can figure how to set up the non-root account to get the work done without creating security problems.
It doesn't help that developers are often considered "knowing enough to be dangerous."
So system administration managers sometimes set the tone of "lock down the developers so they can't get away with anything."
One place I worked had the development servers locked down so tight, it was said you could only test in production.
Through my career, I have seen a lot of development move from the Unix platform to the Windows platform, partly for this reason:
1) The Unix System Administration department doesn't care about windows boxes, so they don't bother to control them.
2) The Development department knows that they can set up a bunch of windows boxes, give themselves administrator access.
3) The development project proceeds quickly in terms of accomplishing the project goals. The development manager is not rated on how few security holes he sets up in the process.
4) The managers learn: "Wow, if we bypass the Unix System Admins, we get projects done so much faster."
It is unfair to blame admins for security holes created by developers.
It is unfair to give an aggressive deadline to the development department and then ask them to work with a system administration department that has no incentive to help you meet your project deadline.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Also, it doesn't seem like anyone who did break into Microsoft's servers would be too eager to offer proof of guilt.
I don't recall that anyone offered proof of the Debian or Savannah break-ins except for Debian and Savannah.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-U
Some raspberry jam, perhaps? How about some nice, pulpy orange juice? I saw it yesterday on BBC Online, where it was called Bagle
G. M. Manath
Go not to the Elves for counsel, for they will say both 'Yes' and 'No.'
After all the work that our IT department has done to try and inform people, the student population is still ignorant of simple virus-protection techniques.
I wonder if this little nastygram might not have been a subtle jab at the British scientists who designed the doomed Beagle Mars Lander. I could see a wily virus writer chuckling at the insertion of a calculator - as if to say, hey, brainiacs, if you had only done your calculations rights..... ...just another paranoid theory.
hey, just because you're paranoid doesn't mean everyone isn't out to get you!
...because you never know who you're dealing with.
Check out YAVR
I'm not underestimating OS X's security and the intelligence of its user base. I'm a usability designer, I assume everything is flawed and most people are dumb ;)
:/
However, by default, OS X has a number of small design differences (many of which are shared with other *nix OS's) which result in better security.
No doubt, a nasty trojan can still screw with someone's home directory. Yet the likelihood of a worm spreading or someone's entire system being damaged is lower for OS X users.
Is OS X security or its users perfect? No. But I have a hell of a lot more security problems with my Windows systems than I do with my Linux and OS X systems.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
What we know:
1. A new virus is "discovered on: January 18, 2004" by Symantec. This is the day before the Iowa Caucuses.
2. By 10:00 EST The virus has only started to affect a few sites. (at 10:00 look at "wild score" was low 0-2 sites)
3. This virus of limited distribution at that time blasts out via PoliticsOnline.
4. The virus, W32.Beagle.A@mm, is a mass-mailing worm that will only work until the 28th of January. This is the day after the New Hampshire primary.
5. Virus is disruptive in that it overwhelms communities. The virus grabs a local address book and sends emails to a certain number of people within that particular address book.
6. The virus does little relative damage so that it is not a high priority to fix for individual users.
Context.
While this virus may seem like a low grade kiddy spammer nuisance (some spammer trying to get names to sell for a few grand), it may instead be targeted to disrupt computer administrators during a key period of the Democratic primary season, offsetting hundreds of thousands of dollars in organizing strength. If campaigns had plans to use email as a way to organize GOTV (Get Out the Vote) activities, rapid response to events, deployments of volunteers, rides to the polls, etc., the virus could influence thousands of votes in a dead heat race.
While it is likely that it is a prank by a teenager, there is an outside potential that the virus was released by a campaign that was not dependent on email as a communication tool, to gain organizing advantage and disrupt the capacity of an opponent's organization.
Network-centric struggle would suggest that knocking out communications capacity and reliability of chain of command of a decentralized leadership would create a huge advantage. It seems to be a little too tightly coordinated and professionally executed (insider game targeting PoliticsOnline rather than campaign email lists) for a teen hack.
Lesson:
This could be a serious attack (only next 12 hours will tell) At a minimum it is a good lesson to prepare campaigns to avoid dependency that can create a single point of failure.
Better Links.
Iowa Caucus
http://www.network-centricadvocacy.net/2004/01/iowa_caucuse_go.html
Reuters
http://www.network-centricadvocacy.net/2004/01/reuters_coverst.html
General Virus Attack Related Political Theory
http://www.network-centricadvocacy.net/2004/01/virus_attack_on.html
Hopefully, SlashDot can help answer.
Then you have some really slow anti-virus software. This should only take that much time ONCE. Subsequent runs should be very quick because all of the scanned files have hash values which are stored. The files will only be re-scanned if the hash value does not match.
No one actually installs apps in Linux this way. Only small toy programs or utilities that are of no consequence and aren't shared with other users on the machine are installed this way. That probably accounts for about 1% of the software you install on a computer. When you install an RPM or an application shared across many users, you HAVE to "root up" just as Windows users have to "Admin up." Whether you use SUDO or the application does it for you and asks for your root password, it's the exact same process. The fact that Windows users don't start the install programs using runas simply means they're uninformed and improperly educated. Windows provides the SAME mechanisms that Unix does for running in least privileged mode: users simply do not do it.
Check your facts. Just TRY to clobber an NTFS directory to which you have no write permissions. The "Limited Account" in Windows won't let you write to \Windows or \Program Files or other people's user folders. How is this "a lot more accessible"? Only Administrators have complete access to the file system, the same as in Unix/Linux. If you are logging in as Administrator, it's your own damned fault if you run a Trojan and it trashes your files.
I don't know what version of Windows YOU have, but in XP simply right clicking on an executable file offers "Run As..." as the first menu option! Does KDE offer this in their shell? How about GNOME? And of course, at the Command Prompt in Windows you can still use the runas command.
> I don't know of any Windows app that needs to be
> *run* as admin - even most services can be run
> as a defined user without admin rights.
We had to go through hoops here to get ICQ to run as a Power User instead of an Administrator. There are a few applications like that.
Still, it is a valid position to state that any program that requires to be root in order to run normal user type tasks should be simply counted out as an installable option.
--
-JC
coder
http://www.jc-news.com/parse.cgi?coding/main
OH and stupid users are going to know how to configure a UNIX machine securely and correctly?
Is it just me or does someone else see this as a prototype for spammers fishing for e-mail addresses?
:-p
Yeah, yeah, paranoia and all and I have no compelling evidence at this time that spammers and virus-writers are collaborating, but think about it:
Instead of mailing to addresses on the machine, forwarding those addresses to a spammer means a great deal more, in my preconceived notion of the workings of a spammer's mind.
Oh, well... time will tell...
Come on you OSS guys: a replacement for SMTP already. Where's the Advanced version of *Simple* Mail Transfer Protocol
XeeRz, Jason
THSsMCHshrtrTHN160chrs -- And I don't even like to SMS!
Ok here are the facts:
1. Everyone, yes absolutely everyone who uses Outlook and is affected by this must be connected somehow to the internet, right? Without exception, right? So let's just get it straight: there's no poor dude in the middle of the rain forest who has been stuck with a bug because he can't fix it/get a patch from MS/get help or be told how to fix it, because he at least has some way to get emails across. (OK, I'm ignoring anyone on an internal network not connected to the net cos they are not going to get this.) So the fact is that there is no excuse to be running Outlook that has VB-script on or otherwise allows random VB-scripts access to the address book and the ability to mail!
2. This is a 'worm' whose only means of propagation is to spread to an Outlook inbox that has VB-script turned on, or gives VB-script said permissions!
3. The worm can be stopped simply by stopping what I said above!
So why the fuck is it still happening!?!?! And why the fuck are people blaming the creators of these things when the solution is so fucking simple it could have been fixed once and for all 5 years ago?!!? Why has no-one blamed Microsoft?? Why are big organizations losing their mail servers because of this??!? Why do people keep going on about how bad these scripts are when one setting could disable them for good!?!? Why do people continuously not understand the simple premise: if you let a scripting language have access to something and let random scripts run, then everyone on the net has access to the same thing? I mean this is on the level of "don't talk to strangers" except it's adults who can't understand it!? I just don't understand how this can happen!?! Someone please explain before my '?' and '!' keys wear out!?
Heres a simple test:
1. If you run across a very busy fast 4 lane road without looking you will probably get run over, there is a foot-bridge 20 yards away. Do you: a) ban all cars, b) use the bridge?
2. You have decided to leave your car unlocked with the doors open and the keys in the ignition and the alarm disabled. You come back to find some kids have been riding it around and now it's out of gas. What should you do to stop this happening in the future? a) cut their hands off so they can't drive, b) close the door and take the keys with you, and put the alarm on.
3. You stab yourself with a knife to see what it's like; for some reason you fall to the ground in pain. Waking up in a hospital you decide that: a) you should sue the guy who sold you the knife, the manufacturer and also the national knife association, b) it's best if you don't stab yourself again.
Mostly a's: You should probably stay away from Outlook
Mostly b's: Welcome aboard! new security adviser to Microsoft Inc!
This comment does not represent the views or opinions of the user.
So a shell script that magically has permissions set to be executable would give a stupid user a virus?
//standsolid//
A user would have to chmod its permission to execute and THEN run the SOB.
c'mon now. that's silly
WTPOUAWYHTTOTWPA
What's the point of using acronyms when you have to type out the whole phrase anyways?
ECHO "Hello this isn't a virus"
REM echo -n "Enter your password for funny screensaver!"
REM su
ECHO "Starting screen saver..."
DELTREE
I'm a MS DOS user you insensitive clod!
Im dreaming ofa big bndwdth, That can resist the
And if you think the bill for fixing the machines was high, wait until you see the electricity bill from repeated shocking of clueless users.
On another point, how often is a file legitimately mailed to a large number of users in a single organization? Perhaps a server that could say "25% of the users have gotten this exact (renamed) file, quarantine it and all previously received and subsequent copies" is in order. Sure the early birds will still get hit, but it should stop the snowball before it becomes an avalanche.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
heh... the sequel to the Bork-alator... the Bagel-ator:
Hamstersonally, I mink the virus was bird aboarded by a stream of outforced / off-bore virus buntings, and language tissues horsed the name to be gerbiled.
And you can't receive most executable file types in an up-to-date version of Outlook, either, so what's the point of this whole discussion?
"Most executable file types"? Those are good weasel words. Well, it's pretty obvious that a lot of people do receive such attachments and do execute them. So, apparently, you missed the point or are trying to change it. Who is being affected by email malware, Evolution users or Outlook users? (*Hint* It's not the Evolution users or Kmail users or any users of the other *nix email clients.)
I was a MS supporter in denial for some years myself, but there comes a time when you have to take off the blinders and question whether just being bigger means it's better, and the answer is no, duh. Better is better.
I tell you if I find worms in my bagel... Motherfuckers are going to pay dearly.
Me lost me cookie at the disco.
It is a virus delivery mechanism.
Come on now.. I have completely lost track of how many Virii spread in this manner... All attachments should be stored at the source, with the discretion of the admin to delete infected files to prevent infection..
Infected files should easily be caught as all of a sudden there is a massive demand for this attached file... Then it would be suspicious and raise a flag...
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
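Both this post and the earlier one that proposed "25% of the users have gotten this exact (renamed) file, quarantine it and all previously received and subsequent copies" describe the same gateway-side heuristic: key on the attachment's content rather than its name, count how many distinct users have received it, and once the share crosses a threshold stop delivering it and recall the copies already delivered. The code below is an added example written for this thread, not anything from the original posts or from any mail product; the class, the threshold, the trusted-sender exemption and the sample messages are constructed for illustration.

```python
import hashlib
from collections import defaultdict


class AttachmentSpreadMonitor:
    """Gateway-side tracker for mass-mailed attachments.

    Each attachment is identified by a SHA-256 of its bytes, so a worm that
    renames itself on every hop still maps to one fingerprint. Once more than
    `threshold` of the user population has received the same fingerprint it is
    quarantined: later copies are blocked, and the copies delivered before the
    decision are returned so they can be pulled from inboxes.
    """

    def __init__(self, user_count, threshold=0.25, trusted_senders=()):
        self.user_count = user_count
        self.threshold = threshold
        self.trusted_senders = set(trusted_senders)   # e.g. an internal all-hands address
        self.recipients = defaultdict(set)            # fingerprint -> recipients that got it
        self.delivered = defaultdict(list)            # fingerprint -> [(recipient, filename)]
        self.quarantined = set()                      # fingerprints currently blocked

    @staticmethod
    def fingerprint(data):
        return hashlib.sha256(data).hexdigest()

    def process(self, sender, recipient, filename, data):
        """Decide one attachment. Returns ("deliver", []) or ("quarantine", recall)
        where recall lists (recipient, filename) pairs delivered before the block."""
        fp = self.fingerprint(data)
        if fp in self.quarantined:
            return "quarantine", []
        if sender in self.trusted_senders:
            # Legitimate company-wide mailings would otherwise trip the threshold.
            return "deliver", []
        self.recipients[fp].add(recipient)             # a set: resends to one user count once
        share = len(self.recipients[fp]) / self.user_count
        if share >= self.threshold:
            self.quarantined.add(fp)
            recall = self.delivered.pop(fp, [])
            return "quarantine", recall
        self.delivered[fp].append((recipient, filename))
        return "deliver", []


def run_demo():
    """Constructed traffic for an 8-user site: one worm renamed per hop, one memo."""
    monitor = AttachmentSpreadMonitor(user_count=8, threshold=0.25,
                                      trusted_senders={"hr@example.test"})
    worm = b"MZ-constructed-worm-payload-for-the-example"
    memo = b"%PDF-1.4 constructed memo"
    stream = [
        ("u1@example.test", "u2@example.test", "photo.exe", worm),
        ("u2@example.test", "u5@example.test", "info.exe", worm),    # 2/8 = 25 %: quarantine
        ("u5@example.test", "u7@example.test", "readme.exe", worm),  # already blocked
        ("hr@example.test", "u1@example.test", "policy.pdf", memo),  # trusted: always delivered
        ("u3@example.test", "u4@example.test", "policy.pdf", memo),  # 1/8: delivered
    ]
    return [monitor.process(*msg) for msg in stream]


if __name__ == "__main__":
    for verdict, recall in run_demo():
        print(verdict, recall)
```

The exemption list is the caveat a practitioner needs before deploying this: an HR PDF sent to every employee looks identical to a worm by this metric, so either exempt known bulk senders, as done above, or restrict the rule to executable content types. The recall list only helps if the mail store lets the gateway delete already-delivered messages, which is an operational prerequisite the posts gloss over.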
I think I need to call my mother.
"Most executable file types"? Those are good weasel words.
I use those words specifically because I cannot guarantee that every executable file type is blocked by default. I am about 99% sure that every executable file that would execute on Windows and has carried a virus in the past is covered, while, on the other hand, Office documents (which can carry a macro virus) are not (though the default security levels of Office won't let a macro run).
Well, it's pretty obvious that a lot of people do receive such attachments and do execute them. So, apparently, you missed the point or are trying to change it. Who is being affected by email malware, Evolution users or Outlook users? (*Hint* It's not the Evolution users or Kmail users or any users of the other *nix email clients.)
From the looks of it, it's quite possible that it's Outlook Express users or users of very old versions of Outlook (98 and previous). They could be using any email software that allows them to access the file in any way, even if they have to save the file to disk before executing it, since the worm doesn't depend on Outlook or Outlook Express to spread.
I was a MS supporter in denial for some years myself, but there comes a time when you have to take off the blinders and question whether just being bigger means it's better, and the answer is no, duh. Better is better.
I simply support using the software that's right for the job and avoiding misinformation. There's nothing about this worm that requires Outlook, and anyone using Outlook XP, 2003, or 2000SP2 that hasn't deliberately disabled executable blocking (through a registry change) isn't going to get it through that client.
Maybe we should blame Windows because the worm launches calc.exe to distract the person that clicks on it.
-PainKilleR-[CE]
From the clamav-virusdb ml:
/pointer
____SNIP____
Subject: [Clamav-virusdb] Update (daily: 90)
Date: Mon, 19 Jan 2004 04:47:16 +0100
ClamAV databases updated (19-Jan-2004 03:40 GMT): daily.cvd, viruses.db2daily.cvd
version: 90
Submission: 627
Sender: G........
Submitted virus name: Unknown Virus
Virus name: Worm.Bagle.A
Added: Yes
____SNIP____
[%- PROCESS life -%]
From the looks of it, it's quite possible that it's Outlook Express users or users of very old versions of Outlook (98 and previous).
Well, yeah, of course, and the point is? Since you're making the distinction, I should probably have used "Outlook Express", but most users simply refer to it as *Outlook* (and I will continue to refer to both that way). The last stats I saw indicated over half the people accessing the 'net are still using Windows 98 or older. It's a safe bet that 99 percent of those people are using Outlook (Express) as an email client - it's the default.
They could be using any email software that allows them to access the file in any way, even if they have to save the file to disk before executing it, since the worm doesn't depend on Outlook or Outlook Express to spread.
"The" worm? I've been talking about email malware in general (and said so), and many of them depend on the Outlook address book in order to spread. There is enough effort involved in detaching an attachment, opening a console window, changing the file permissions, and running the executable that removes it from the clueless click-and-spawn category.
I simply support using the software that's right for the job and avoiding misinformation. There's nothing about this worm that requires Outlook, and anyone using Outlook XP, 2003, or 2000SP2 that hasn't deliberately disabled executable blocking (through a registry change) isn't going to get it through that client.
Yes, yes, we've heard it hundreds of times: Anyone who has the latest version of *whatever* and knows how to admin a Windows box is relatively safe. Well, that description doesn't fit most folks, and it has nothing to do with my original comment. The OP said that if there was a Linux email client like Outlook, then Linux users would have the same problem. I pointed out that there is an Outlook look-alike/work-alike called Evolution that has been around for years, and Linux users do not have the same problem.
I pointed out that there is an Outlook look-alike/work-alike called Evolution that has been around for years, and Linux users do not have the same problem.
Evolution was developed to work and look like Outlook, not Outlook Express, and the reason for that is obvious: Outlook is the primary email client used in business, and Evolution was designed as a replacement for business email (especially in a setting where Exchange is used as the server).
Yes, yes, we've heard it hundreds of times: Anyone who has the latest version of *whatever* and knows how to admin a Windows box is relatively safe. Well, that description doesn't fit most folks, and it has nothing to do with my original comment.
So you think it's perfectly ok to continue blaming Microsoft for mistakes they made in the past, and not give them credit for fixing the problems? What happens if Linux does manage to gain some space in the desktop and you get people using the OS as root, do we get to blame Linus or whoever developed a particular portion of the system when computers start going down because of 5-year-old security holes? Windows has automatic updates which also handles updates for Outlook Express, but in order for people to even have that feature they have to have updated their system at some point in the last 4 years, so I guess we can't expect people to protect themselves, we should find some other way, like banning them from the networks.
In any case, I'm used to at least seeing the occasional message straggle through with blocked attachments (usually blocked by the mail server long before they get to me) when one of these worms runs wild, but so far Bagle/Beagle has been a no-show. Perhaps the IT department finally started targeting people that perpetuated these things on our network for training and forced updates.
-PainKilleR-[CE]
Evolution was developed to work and look like Outlook, not Outlook Express, and the reason for that is obvious: Outlook is the primary email client used in business, and Evolution was designed as a replacement for business email (especially in a setting where Exchange is used as the server).
As a former Outlook EXPRESS user, I can say that Evolution works just the same as an email client. I am not using it in any way as a business email client, so I still fail to see any point.
So you think it's perfectly ok to continue blaming Microsoft for mistakes they made in the past, and not give them credit for fixing the problems?
Okay, you're taking this even further off-topic, but, yes I blame MS for making *business decisions* that helped the bottom line at the expense of not only MS customers but internet users world-wide. Fixing the problem in later versions only helps the most recent victims, er, customers.
What happens if Linux does manage to gain some space in the desktop and you get people using the OS as root, do we get to blame Linus or whoever developed a particular portion of the system when computers start going down because of 5-year-old security holes?
As a Linux user, I am responsible for my system. I get Linux for free with no guarantees. (note: I'm not ignoring Lindows - I dislike the concept and think it should be abolished.) MS promised the world (literally) to customers for a price with no regard for the dangers they were unleashing and no recourse for injured customers. It included an EULA that absolved MS from all responsibility. Have you seen the latest MS TV ads with ecstatic MS users sliding down the hall in a group hug because someone used a MS product? Is MS responsible for the software it SELLS or not? Should MS be allowed to make billions of dollars in profit at the expense of millions of people and companies world-wide who don't even use Windows?
. . . so I guess we can't expect people to protect themselves, we should find some other way, like banning them from the networks.
MS has done all it can to be the solution that *just works* and markets itself that way. Why would unsuspecting customers worry about their *be happy* OS or updates? Hey, if banning outdated MS OSs from connecting is a workable solution, I'm all for it.
Quite a few online games insist on patching themselves every time they're run.
Ironically, this is one of the groups that needs this sort of protection the most. A cracked PC can cost hundreds of hours of effort.