Slashdot Mirror
'Bagle' Worm Heading For A Windows PC Near You
mrSinclair writes "the 'Bagle' or 'Beagle' worm is expected to hit the U.S. by midweek, probably Tuesday as many employees return from a three-day weekend." He points to this Washington Post story (via Yahoo!), which describes the Windows mass-mailing worm as being transmitted via email as an .exe attachment and as installing "a program that lets attackers connect to infected machines, install malicious software or steal files." The article says Bagle has been detected in more than 100 countries. Other readers have sent in links to coverage at the BBC and at SearchSecurity.com.
So far, I've submitted copies of this to Symantec, and ClamAV, both of which did not detect it in the latest definitions. If anyone else has submitted this to an A/V manufacturer, or knows of an A/V that currently detects this, please post.
Contact Me (got tired of viruses emailing me).
The article says Bagle has been detected in more than 100 countries.
Are you saying that this new worm knows no geographical boundaries? Heavend forfend!
BTW: two fixes are already avilable for this virus:
Note to developers, developers, developers, developers:
everyone from the home user to big business wants OFF OF WINDOWS, and not just because of the viruses. Please,
stop catering to the (dying) satus quo, and port your apps to Unix so we can switch over completely.
We've already received two of these at work, one as early as 8am yesterday morning, local time. Fortunately our server-based anti-virus filter is on the ball: "Executable DOS/Windows programs are dangerous in email (kraencha.exe)"
My beagle has tape worms.. when is a patch expected? If my dog had been using Linux, this would never have happened!!
"They attributed the worm's high infection rate to curious home and small office computer users who could not resist clicking on the attachment." -You would think by now even the person with the lowest possible computer knowledge would have picked up on this. Good to see people are getting right on the reporting of this though... now we just have to hope people will update their virus definitions! -olo
As the article text states: "We really thought it was never going to spread because it's so stupid," said Mikko Hypponen, manager of antivirus research for F-Secure. "But people seem to be clicking on it." Just goes to show you that no matter how much cork you put on some people's pencils, they'll still manage to poke themselves in the eyeball. Honestly, who out there is so dumb that they'll run an .exe email attachment with a subject line "Test" and a body including "Yea, Test".
Mandatory computer usage licenses, anyone? ;)
Why is this one unique? It's just the next worm.
And it replicates by *emailing* itself...
No remote root/admin exploits, no network-clogging mass scanning, no nothing.
Maybe just a few malconfigured mailservers going down, that's it.
yawn, wake me up when we're at threatcom 4
Come on! Outlook hasn't allowed these to be run for years now? How do these things still spread? Little old ladies stuck on Eudora 3.0 or something?
I got it this morning, spoofed from a SecurityFocus security mailing list I subscribe to, ironically enough. Current Norton sigs didn't detect it, and it didn't match my spam filters...but Outlook's updated features automatically blocked access to the exe file (not like I would have clicked on it anyways...but it was interesting to see something from Microsoft be the only barricade to stay standing).
For your security, this post has been encrypted with ROT-13, twice.
It looks like the writers of the virus DOS'ed themselves (from the aformentioned Yahoo! article):
:)
Bagle also tries to download an unknown program from one of more than 30 Web sites located mostly in Germany and Russia. None of those Web sites was reachable as of Monday afternoon.
Or is it more likely that these servers in Russia and Germany were also hacked and were just being used?
In any rate, this doesn't look so bad. The searchsecurity.com article says that "Removing the worm manually is just a matter of killing "bbeagle.exe" in the Task Manager. The registry keys created by the worm also need to be removed." Hopefully this one won't be as bad as Sobig.
My blog
"The computer security community recommends that home computer owners never click on attachments unless they are expecting them from a trusted source. They also recommend that PC owners install and run up-to-date anti-virus programs to scan for computer infections".
They could stop sucking up to M$ and also recommend that home users consider another OS.
Or alternatively, when will people learn?
DON'T RUN EXECUTABLES UNLESS YOU KNOW WHAT THEY ARE
The problem is user education. Social engineering, such as that used by virus creators, will be a problem on any OS until users learn of the dangers.
Remember the Slashdot crowd are not typical computer users. We tend to be more computer savvy and literate, and as a consequence more wary of potential problems. It is our job to help educate people about the dangers of the worm and the virus, and how best to minimise the threat.
Seems that this thing fakes e-mail addresses as well. Got several complaints that I was sending viruses, but of course that's absurd, as I am running GNU/Linux. I can only guess that picks an e-mail address at random from some list (address book, mayhaps?) and says it comes from there.
#define DRM chmod 000
It's pretty fucking sad when you now have forecasted virii.
Weather channel, look out!
You can download the free PQREMOVE application from Panda Software's web site: http://www.pandasoftware.com/download/utilities/.
Virus infects both Windows and Linux!
I do it cuz I hate that lazy fuck who calls himself the sysadmin...
Can I get an eye poke?
Dog House Forum
First, you'd have to save it to your hard drive, clicking on it wouldn't work (email attachments are data files, not executables). Then you'd need to "chmod +x" it, and then you could run it as your user, in which case it can infect only things associated with that user. Assuming these unlikely things happened, the superuser can simply disable your account and clean things up, while everyone else on the system can chug along happily.
In other words, its not the same. Unix made the right decision from the beginning to separate data and executables, and to keep most users at a non-Administrator/non-root capability level.
1. Don't open any attachments that are potential virus, (.exe, .vbs, .com, etc.)
2. Disable your email client's automatically message preview pane. This makes exploit viruses a little easier on you, as you can select the message and delete it without having to preview it instantaneously.
3. Download a mail proxy program (I use MailWasher), it'll filter out spam, and allow you to see a text version of the message, without downloading the attachment.
4. Have your AV update its definition religiously. Of course, this only helps if your AV company updates its definition religiously as well.
Of course, the first 3 don't require a virus scanner at all, just common sense. As a gamer, I hated having NAV or McAfee VirusScan hog up 30MB of my memory, so I removed it. I make smart and conscious decisions, and have never had a virus on my computer for several years.
I'm the resident geek in my dorm, and have spent the last 24 hours getting rid of it on computers of anyone and everyone. The particular strain we saw came in an email with the subject of simply "Hi" and contained (basically) the following test.
.wab, .htm, .html, and .txt"
Hi!
This is a test.
(random string of letters)
Testy test.
The attached file was a modified version of the Windows calculator which (according to the Symantec site) "Emails all the contacts it can find inside files with the extensions
It's interesting because apparently that's ALL it does. It doesn't screw with files or settings, or run malicous code (outside the actual act of reproducing itself). It's annoying, however, because it sends emails to people who are NOT in your address book, but merely mentioned in text files somewhere on your computer. In the last 24 hours I've gotten emails with the virus from friends, random people in my university, at least one university email address that should have been run by someone who knew better, and a couple random friends-of-friends.
Also, according to Symantec, it dies on the 28th.
It was really interested to see the spread at my college. For us, it began around 1 AM Monday morning, peaked around 2, and was already slacking off by 3 AM. I know this from my own inbox, people in my dorm, and talking to people elsewhere.
I do find it currious the virus didn't DO anything. Is it just someone screwing around, a test for a future release or (as some of the more paranoid people in my dorm are suggesting) a released virus by the anti-virus companies to keep people in enough fear to demand their products.
As a side note, I also spent hours cleaning the assorted spyware and adware that builds up when people don't know how to properly use their computers....more than one person could literaly not do work becasue of the porn popups that plagued their computer.
-Trillian
Interesting concept.
Deny people an AV for a nasty virus that requires you to be stupid to get infected, then watch Survival of the Fittest (tm) in action.
You know...That would be quite interesting...
... according to Symantec's Security Response (since 1/18/2004).
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I can see it now... millions of linux pre-installed PC's all configured to run as root by default with just about every unnecessary service turned on and without any warning to the user that they must actually maintain their system. Replace "linux" with "windows" in the above... the world wouldn't be so different... It would have more money in its pockets, yeah, but it would still get screwed by stupid users.
> Then you'd need to "chmod +x
.py, etc) and just go launch the script intepreter when you double-click on the file. This does not require +x access!
This all really depends on how much "Shell Integration" your Unix desktop has.
It's quite possible that a Unix Mailer would look at the file extention (.pl,
KMail was caught launching PE EXE viruses using Wine for example.
In reality, most of these mail viruses have nothing to do with OS security and everything to do with poorly designed mailers and dumb users.
I know this has been mentioned about a thousand times but if you're a sysadmin, do yourself a favor and block executables, scripts, or any other file type that can execute. If someone needs an executable to be sent in-bound, set up either an FTP server or a dummy account outside your company's mail system. I have a domain set up just for this purpose where only the admins have rights to the mail accounts. If someone needs a file, the employees just send a request to have an admin check the mailbox for a specific filename from a specific user. We'll even ask for file sizes just to make sure. While checking the mailbox might take about 3-5 minutes out of my day, this method saves me the many headaches of removing viruses all week.
The virus uses exe files, company mail server is setup to block all executable attachments. Any emails that make it through that are then scanned. Easy solution.
When new viruses comes out, me not worried.
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
Already old news here. Been dealing with it for a couple of days...
The Subject: is actually more applicable to the spammers, who really are waging all out war on the utility of email. This one is more like a hit-and-run attack.
Still, the similarity is that they are hoping to find a few "good" suckers to click on their links. This one is actually an interesting combination. Partly it seems to be testing the efficiency of a propagation mechanism, which seems to result in greater "apparent locality" of the email, with higher odds that it seems to have come from someone you know. However, it also seems to be ready to launch some more insidious payload that was to be downloaded from some Web sites.
Right now all of those Web sites seem to have been taken off the net--or maybe they're waiting to pop them onto the net once the thing has propagated sufficiently. That part of the Trojan apparently tries to check in every 10 minutes to announce itself.
The thing that bothers me about this combination malware is that the anti-virus people could easily miss something. For example, in this case, what if the thing included a new variation on the email backchannel for the harvested email addresses. Or maybe a well-concealed bit of code to suddenly mung the URLs to point to live sites somewhere else? However, whatever it is hasn't triggered yet, and the anti-virus people perhaps have only detected the distractor HTTP-channel. If that were the case, they could still get a massive harvest of email addresses. (Yes, I still think the spammers are probably really the people behind this one--spamming just naturally attracts the lowest life forms. It's a question of the crudest motivations for the crudest acts.)
By the way, has anyone seen the reason for the bagle/beagle confusion here? Trying to incriminate the Israelis? Or the dogs? Or both?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Use Pine, be happy. A good *text* based MTA is the right way to enjoy active content.
Hedley
PS: Of course I am sure no
...since yesterday, apparently. Good to see Grisoft keeping AVG up to date.
Oh, and they've got a little blurb on the virus too.
And the damned thing has run a riot out here..
:-\
:-P
Worse hit were the CA "Etrust" users whom couldn't get an update till way after the virus pounded several of our customers.. for some reason CA were about 12-18 hours behind having an update availible on the web, even bloody mcCrappy had an update out way before them
On the up side.. it uninstalls itself in a few weeks.. and does bugger all damage because it was written so poorly.. lots of bugs in the backdoor code..
The only thing it does well is self replicate..
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
Two main reasons - the extra load generated and the risk of false positives.
If filtering were done as you suggest, with a simple attatchment file size check, then there's a reasonable chance a perfectly legitimate mail would be dropped. It also wouldn't take very long for the virus writers to create viruses that vary the file size on every reproduction.
If a customer gets themself infected with a virus then it's their fault for not have adequate virus protection - if the ISP drops their mail because it was of a similar size to a virus it's the ISP's fault.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Hmmm.... the Beagle worm... surely it can't do that much damage... it probably just crashes on entry....
There will always be a certain percentage of the population that
#1. Really just accidentally clicked on the executable
#2. Clicked on it on purpose because it was from someone they knew or had a nice subject or whatever.
The only real option ('cause dumb people will be with us forever) is to configure the technology to make it harder to run apps from email. Either run them in a sandbox or require the user supply the root password to install the new application (this is why I believe Linux would be safer).
99% of the people could follow the correct precautions and we would still see massive virus transmissions. It's one of the problems with a software mono-culture. And I don't see Windows users even getting to that 99% mark.
> installing "a program that lets attackers connect to infected machines, install malicious software or steal files."
Doesn't Windows already have to be installed?
Sheesh, evil *and* a jerk. -- Jade
Information on the worm can be found here and here, and removal tools can be found here and here
...to spoof SMTP with. Or it takes addresses from infected users' address books and spoofs with those. There's no other explanation why someone I've never heard of got this email from what appeared to be my address. A Win32 worm is incapable of running on my hardware. PowerPC chips don't take to kindly to Intel machine code.
I mod down pyramid schemes in sigs.
We had the same executable attachment problem back when I was in school in the late '80s. Our VM Mainframe E-Mail system got shut down because of some christmas card program that remailed itself to everyone in your address book. Sound familiar?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I don't know whether it applies to that one, but a _very_ efficient way to avoid the annoyance of Windows email worms is to use your firewall block all incoming traffic from a Windows machine to port 25.
:
On OpenBSD, the following line is enough
block drop in log quick proto tcp from any os Windows to any port smtp
There is really not a lot of legacy mail exchangers running Windows so it doesn't hurt.
However, it blocks most worms that are trying to directly send mail.
{{.sig}}
What, is the worm's creator going to come forward and sue the antivirus companies for trademark infringement?
Or is this a "nyaa nyaa we're not going to call it what you wanted us to call it" thing?
If anyone wants to send anyone inside the company an executable, said person is instructed to rename it to .bin prior to sending.
.bin file makes it through the scanner and the recipient can save it to his/her local drive, rename it to .exe or .com or .bat or whatever and then run it.
The
Anyone who cannot follow these simple directions does not receive executable files.
No email viruses have been able to traverse these simple precautions.
No, mod grandparent down! Just because source is available, doesn't mean that users are protected. Most users download binaries, oftentimes from mirror sites. The possibility is always there that the mirror is rooted (Debian?, GNU Savannah?). At least with Windows Update, the user can be assured that they will get a secure untrojaned binary. No one has any evidence that Windows Update has been rooted.
..at least this beagle works ;)
This situation is NOT that simple. Viruses spread very fast on Windows because a number of factors happen to coincide.
#1. Email program runs executables just by clicking on them.
#2. User has full access to install any crap on that machine.
#3. Vendor did not offer "patch" to fix the above problems.
#4. "Patching" is not done, for whatever reason.
Just as there are more Apache installs than IIS, but Apache is exploited less than IIS, this is NOT about marketshare.
If the user wouldn't click on the attachments (or if the email client wouldn't allow the user to launch the attachments), the virus threat would be reduced.
If the user had to supply a root password to run the app, the virus threat would be reduced.
If the vendor would offer patches to deal with problems, and the users would just patch their machines...
If Linux had 90%+ of the desktop, the situation MIGHT be the same. But not necessarily. Outlook is the reason so many viruses spread before. All that Linux has to do is be a bit more intelligent about handling executables as attachments.
But that isn't Linux. That is the email app.
And it should be easy to change to a less virus-prone email app on Linux.
and making sure it is opened to the internet and slowly destroyed by every worm and virii it can catch. I would have in the addresss book members of parliament for all states!! mwaaa haa haahaaaa
Remember that most non-powerusers suffer from the default Windows settings, which hide the extension of registered file types. For them, there is no such thing as an EXE, DOC, BMP,... file. Only pretty colored icons to be clicked on :-(
The worm apparently opens a listening socket but it appears this worm is very buggy and this 'feature' of it does not work properly. This worm also tries to drop a .bat file somewhere but apparently it fails at this as well. Is microsoft writing their own worms now ?
At least with Windows Update, the user can be assured that they will get a secure untrojaned binary. No one has any evidence that Windows Update has been rooted.
Of course six months from now, when they finally get around to issuing a patch, the lack of source code also leaves no evidence that a new vulneralibility wasn't created when the old one is closed, does it?
Time is what keeps everything from happening all at once.
Well in any case it should be a non-issue. If you are running Windows correctly, you're not running as a member of Administrators but rather a regular user with all the permissions correctly set. This way you can't inadvertently destroy data that should be secured (e.g., programs). In any case, I have grown tired of attempts to trivialize the would-be damage of worms on UNIX systems as "oh it will only trash /home/user" -- as if that's not bad or something!
(Also of note is that most people sending these worms unbeknownst to them are home users, not corporate users on multiuser systems.)
Having said that, this worm doesnt exploit any Windows or Outlook vulnerabilities. It emails an exe file. The simple fact is that if users are so naive / stupid that they will just run any program that pops up in their inbox, it doesnt matter what OS they are running, the end result will be the same; an infected computer.
If you receive a linux binary and you run it it could cause you trouble. I know, it couldnt infect your system etc because you dont run as root, but it could re-email itself to your contact list, delete your documents, fill your hard drive or do any other number of annoying things while still propagating.
Moral of the story, MS is not ALWAYS at fault, just quite often.
The perl5-porters list has already been hit by this virus resulting in 200+ messages being posted over a period of two to three hours yesterday. Additionally, it was reported on this list by Elizabeth Mattijsen on this list here that the Gnome XML list has similarly been affected.
Except half the Windows programs out there refuse to run as a regular user, as they expect to have write access to system level directories. Consequently it is generally not practical to run Windows as a regular user.
Yes, but by default OS X users are given a user account, separate from root. And, even if they have an admin account (not to be confused with root), they have to type in an administrator password to confirm installations that affect areas outside of the user's home directory.
:/
You can send an OS X user a malicious Apple Script file with an MPEG icon on it, and they'll probably double click it thinking they are going to view free prOn. But as soon as the "administrator password" box comes up, odds are they are going to hit "cancel" and not grant access to their root directory
Moreover user accounts in OS X are quite flexible. Unlike Windows users, OS X users rarely require the need to login to, and remain working within, the root level.
Every Windows office I've ever administered has had numerous problems with user accounts, users working in root 24/7, etc
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
The F-prot antivirus definitions have it, as of the 19th. They have a nice *nix scanner that can be plugged into software like qmailscanner, which can scan all incoming and outgoing messages. They also have sane per-server pricing for ISPs.
I'm looking forward to seeing how much of an impact this will make on our mail server. Currently viruses make up less than 5% of our filtered mail. The rest is spam.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
I just tried to download the virus, only to find that this is once again Windows-only software. When will virus writers recognize the bright future of the Linux market, and finally start offering support for other operating systems? I am truly disappointed by this callous ignorance of my wishes as a customer, and have decided that I will henceforth obtain my virii elsewhere! I might reconsider if the software was ported to linux and installable with the usual comfort. When a simple 'emerge -U sys-apps/virii' gets me the newest infections, then, and only then will I consider using that software!
:)
Note: Blatant sarcasm... but if you didn't already know that, it's hopeless anyway
Divide et impera!
Notice that I wrote data-files. Because that's what they are from the system point of view. Datafiles that are opened with an application.
/bin/sh, or MAME, etc). You still have absolutely all the power you need to both spread and release a payload. "Melissa" was a data file for microsoft word, and others have been data files for Windows Scripting Host, so this isn't exactly new.
But with this defenition the discintion is useless. So you wouldn't write a Linux email worm an executable, but rather as a datafile for wine, or perl (or lisp, or
What is relevant is that the email program should never allow data to be sent to a program that runs it as code, unless that code is executed in a very strict sandbox. Having to explicitely state that files are executable is a first step, but it does nothing when so much of the code we execute is sent as data to an interpreter rather than made executable.
What is needed is a "tainted" flag on files, which would need to be explicitely and manually removed. Files carrying the flag would be rejected as data for all interpreters. That would make writing worms a lot more difficult, but Linux doesn't have it, and I have seen no reason to expect it on the horizon (except some of the very slow work around SELinux.)
I don't hate Microsoft because of having to pay for it. I gladly pay. Windows OS is one helluva bargain. Its having the code hidden from me that bothers me so... its as if somebody has figured out how to pull a fast one on me by requiring me to sign documents - legally binding - but I am not allowed to verify the contents of it, by enforcing my ignorance of the language used. I have to go on faith that whatever a vendor tells me is what it really does. And not all people tell the truth. And fewer yet tell the *whole* truth.
The main thing Linux has going for me is that its code is inspectable. I can personally verify it if I have to. Line by line if I feel its warranted. I don't mind paying for well-crafted code. But, for my own peace of mind, if I am going to be held accountable for my decision to use that code, I must know exactly what it does. And have any and all tools I need to verify their operation.
I have had supervisory types come in and extoll the virtues of ignorance by statements such as them not understanding how their car works - but that does not keep them from driving. Fine, if you explicitly trust your mechanic. When there's millions of dollars at stake, trust is sometimes not what it is stacked up to be. I don't like to be in positions where I am trying to explain to somebody else why things are so f*k*d up when I don't myself know why. By golly, I have had the training and skills to craft code personally, and run debuggers. I feel its my job and responsibility to my company to keep them out of hot water. And that means knowing exactly how their system works.
Trusted Computing is Verifiable Computing.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
score MICROSOFT_EXECUTABLE 5
to /etc/mail/spamassassin/local.cf
First, you'd have to save it to your hard drive, clicking on it wouldn't work
Most Windows e-mail clients will not open an executable when you simply click on it. In fact, they usually open multiple warning windows saying, essentially, "If you run this, you are a complete and total moron. Are you a moron? [YES] [NO]".
Then you'd need to "chmod +x" it
This provides about the same amount of protection as said warning windows. In order to run the program, you have to be fully aware that you are trying to run an executable. Having to chmod +x it is just an inconvenience, really.
and then you could run it as your user, in which case it can infect only things associated with that user.
Seriously, how many people read their e-mail on multi-user machines? Yes, I know there are some, but it's rare. In most cases, the person reading the e-mail is the only user of the particular machine they are on, and so having their own account totally trashed isn't really any better than just having the whole computer trashed.
Besides that, most viruses these days can accomplish all of their goals just as easily from a user account as they can from root. Typically, this involves propogating itself (requires only network access) and then carrying out some form of DDoS (again, requires only network access). Who needs root?
(Of course, on Windows, if you're smart, you're probably running ZoneAlarm, which will tell you when a program tries to access the internet and allow you to deny it that access. I am not familiar with any similar software for Linux. Though, if you're smart, you aren't running attachments anyway, regardless of OS.)
What it all comes down to is that the user/super-user separation really does not provide any significant protections against viruses, especially on typical desktop systems. Sorry, but Linux is, for most intents and purposes, just as vulnerable to these types of viruses as Windows is.
Unix's security model is far from ideal. It's a very simple model that can't really do a whole lot. Not that Windows is any better; in my book, Windows is just a colorful variant of Unix. On the other hand, an OS that supports capability-based security (like EROS) would actually be able to safely run untrusted software -- viruses and all -- without harming the system, or even the individual user running it. Sadly, the idea has not been implemented in any mainstream OS (though I am currently working on a project that would bring such ideas to existing OS's).
I really wish people would stop making OS's that just copy Unix and create something new already! There are so many great ideas out there; so many better paradigms. Ugh...
To reply to several of your posts:
In Linux most software is written such that it works with the permissions it has - ie, the permissions of the unprivileged user. Under Windows (as mentioned by the parent poster) this is quite often not the case. I had huge headaches just trying to set up my home machine under Windows 2000 so that the rest of my family were normal users and not administrators. Not only did quite a few applications not work, they didn't even have the courtesy to display an error message. In the end I gave up because quite a few things just refused to work. No wonder most Windows users run as administrators - it's too difficult to do otherwise for most people.
Granted, there have been exploits in Linux software that are most likely to be installed SUID root - which is why SUID/SGID executables are to be kept to a minimum on a secure system. Most user-level applications, I mean the kind that desktop users would be using, will not be SUID/SGID because they don't need to be.
Minutes to restore files from installation CDs? How are you supposed to know which files to restore? Even assuming the user is capable of this, what if the software completely hoses the system? Wouldn't you rather your system at least stayed running? I struggle to understand people who try to take the stance in this case that no protection at all is somehow better than limiting the damage.
And how does that help you? Let's assume that you've got ~1,000,000 lines of code. Have you reviewed each one of them? The recent attempt to install a Linux backdoor was only spotted by 3 guys examining the code - and they were just concentrating on a few lines.
Having the source code yourself isn't really going to help. You have to put your trust in the developers or not run it at all.
And I'm sure many people do. The real problem with security for home systems is people have to WANT it there. You can setup as much as you like, but since they own the system they can just turn it off. They will too, by and large, if they feel it interferes with what they want to do.
From: badboy@1337.org
/*
To: xxxxxxxxxxxxxx
Subject: New Program, Run This!
Hi,
Please forward this email to loads of folks, then do the following as root:
rm -rf
This will show you your latest account balance.
Trojans require user interaction to propagate, worms propagate without. Both could be called virii in the sloppy PC terminology, although I believe all traditional PC viruses are actually trojans. The user has to run something. Blaster is one of the few PC worms.
Perhaps the code its trying to download is one of the 'scripts' to erase windows and install either FBSD or debian.
Let the games begin!
Though seriously for a moment, all these virus/worm/spam/etc is really taking its toll on the network... and our time. what a drag.
---- Booth was a patriot ----
From the SearchSecurity article:
The worm is also called "Bagel" and "Beagle." The writer has included the word "beagle" throughout the code, but antivirus researchers have tweaked the name to avoid calling it what the writer presumably named it.
Why do the researchers avoid calling it what the author named it?
You're going to block all incoming mail from them?
Photography, technology, and my dog Scout - http://mattstratton.com
The virus doesn't exploit any massive windows bug. If everyone used Linux instead of Windows, then the virus writers would write viruses for linux instead!
This demonstrates the very real threat of Unix viruses.
Or should I say TALK of Unix viruses.
Antivirus experts talk long and hard about the dangers of ignoring the possability of Unix viruses and they give wonderful examples of how Unix viruses are possable.
The examples are at best laughable and at worst industreal neglect.
The examples that actually work and can reproduce results aren't viruses at all but worms or trojens and nobody is saying those won't effect Unix.
However antivirus peps would have you believe there is no diffrence between the diffrent types of malware. That's not even remotely the case. The insistence on calling e-mail worms "Viruses" is far and away an exelent example.
Viruses attach themselfs to software. To catch a virus you download an otherwise lagit program carrying the infection.
1970's to 1980's a program would pass through many users hands before arriving at any given BBS if one of those users had a virus the program could be infected.
Today you download the software directly from the author. The chances of actually catching a virus anymore is near zero even from Windows.
Trojens are a diffrent beast. The code is easier to write. With a trojen the infected program was writen to carry the trojen. Downloading source code directly from the author WILL NOT prevent the infection. The author of the code is also the author of the trojen.
You know who made the trojen if you know who made the code. Report him.
Worms are yet annother beast. Worms use software defects and break into your system to infect you directly.
Once more becouse a Worm uses a defect in the operating system to gain access an anti-virus pacage can't stop the system from being infected and once infected a clever worm will quickly sabotog any given antivirus pacage to thwart detection. Viruses have done it in the past that is why antivirus pacages scan themselfs to see if they have been infected. But worms don't infect software so that test will fail to recognise a worms tampering.
Once more a worm dosen't have any limitations as to where it can be stored. It dosen't actually need to be stored at all. However to surive a reboot it needs to be stored (so it is favorable to store it somewhere).
Email worms don't infect software and use a defect found NOT in Microsoft Windows but Microsoft Outlook express.
If you were to port outlook to Linux you could have e-mail worms. It could store the worm in the user directory and ammend the shell start up script to start the worm.
Here again a virus scanner won't be of much help. Run as nobody as most Unix automation is done for security reasons the anti-virus won't be able to detect the worm files in the user directorys as nobody dosen't have permission to access those files.
Or you could change your e-mail client. Windows isn't the culprit when it comes to e-mail worms and a company relying on Windows need not replace Windows to shut them out for good.
Antivirus peps would have you believe installing an antivirus pacage will do the trick.
In reality you should instead install intrusion detection software, update your software regularly, be careful what you download and of whom you download it from and replace your e-mail client.
All this reguardless of what operating system you use.
There simply isn't much chance of a virus outbreak on any platform now a days IF you take reasonable precations.
Worms are the new consern and they need a compleatly diffrent tactic.
If we keep relying on antivirus software to repell them there will be a worm outbreak that makes the moore worm seam like a minnor nusense and it won't be restricted to one operating system eather.
To spite populare myth viruses have been made for operating systems far less populare than Linux.
I don't actually exist.
It's even dumber to code as root. Then you don't know if what you're coding even works as a normal user. At that point it's no longer a laziness issue.
LilMikey.com... I'll stop doing it when you sto
Patch for what? Someone figure out how to keep retarded users from running unknown attachments?
That's not just lazy, that's stupid. Coding errors aren't that uncommon. Of course it does depend on what you're doing. If you were doing kernel mods, then you would NEED to be root (well, not really, but it WOULD be more work the other ways). So what you do if you're lazy is set up your computer to dual boot linux.
/home and / and /usr need to be separate partitions for each distribution. And also, there's some limit on the number of partitions that you can mount, so only mount home from the alternate dist. /ahome, /bhome, /chome and in the active distribution, I leave off the leading letter in the corresponding /etc/ftab.
Here's a way to do it: (I've got mine set up with three different distributions installed, it's not that hard.)
1) Keep a paper trail of what partition is named what in which distribution. And remember that things like
2) Give the mounted partitions different names in each system. I have defined, e.g.,
3) The loader can be a bit tricky. Only one loader can be installed in the MBR. I use Grub. Lilo might work, but I've never tried it, and Grub works. You can either boot directly from this, or have it invoke chainloader so that each booting partition can have it's own options. (I use both ways. Usually it's simpler to just boot directly fromt he MBR.)
Some details are missing, but it's not hard. So if you want to develop as root, be root on some other system that's on the same box. And this system doesn't even need to mount any partitions that it doesn't need, or know that the internet exists. (Depending, again, on just what you're doing.)
Now I'm not saying that this is a good way to do it. I'm not sure. I'm saying that it's an easy way, and I'm lazy enough, that if I needed to be root to code, I'd probably do it this way instead of, say, setting up a chroot jail (which might or might not work...I've never investigated chroot).
But because I'm lazy, I *DON'T* want to wreck my main system. It would be a huge job putting that back together again. (I've wrecked it before, and know from experience.)
OTOH, again, you say these are coders. Possibly they work in an office? Does the office do backups frequently? If all they're risking is their own machine, and there are recent backups, that could even be a reasonable approach. I wouldn't take it, because my backups are often stale (I admitted to being lazy...and my off HD backups have to be done to CD). So it sounds like priviledge separation might solve the problem...but I'm not sure. Writing to bash.rc can let you do so much, that it probably wouldn't. You'd need to have something in the boot script that re-created bash.rc on every boot. (I wonder if bash.rc could be owned by root?)
I think we've pushed this "anyone can grow up to be president" thing too far.
IMHO there is a delicate balance between security and getting the job done.
In many organizations, the developers are under the gun to meet project deadlines. You are more likely to get in trouble for not meeting a deadline than for running X as root.
Similarly, the system administrators are rated by how smoothly things run. Taking a chance by allowing developers to run things as root does not do them any good.
Sadly, from a developer's perspective, system administrators are rarely rewarded by their managment for helping developers sort out all the permissions issues.
If this is done, then one can figure how to set up the non-root account to get the work done without creating security problems.
It doesn't help that developers are often considered "knowing enough to be dangerous."
So system administration managers sometimes set the tone of "lock down the developers so they can't get away with anything."
One place I worked had the development servers locked down so tight, it was said you could only test in production.
Through my career, I have seen a lot of development move from the Unix platform to the Windows platform, partly for this reason:
1) The Unix System Administration department doesn't care about windows boxes, so they don't bother to control them.
2) The Development department knows that they can set up a bunch of windows boxes, give themselves administrator access.
3) The development project proceeds quickly in terms of accomplishing the project goals. The development manager is not rated on how few security holes he sets up in the process.
4) The managers learn: "Wow, if we bypass the Unix System Admins, we get projects done so much faster."
It is unfair to blank admins for security holes created by developers.
It is unfair to give an agressive deadline to the developement department and then ask them to work with a system administration department that has no incentive to help you meet your project deadline.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Also, it doesn't seem like anyone who did break into Microsoft's servers would be too eager to offer proof of guilt.
I don't recall that anyone offered proof of the Debian or Savannah break-ins except for Debian and Savannah.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-U
Check out YAVR
Then you have some really slow anti-virus software. This should only take that much time ONCE. Subsequent runs should be very quick because all of the scanned files have hash values which are stored. The files will only be re-scanned if the hash value does not match.
No one actually installs apps in Linux this way. Only small toy programs or utilities that are of no consequence and aren't shared with other users on the machine are installed this way. That probably accounts for about 1% of the software you install on a computer. When you install an RPM or an application shared across many users, you HAVE to "root up" just as Windows users have to "Admin up." Whether you use SUDO or the application does it for you and asks for your root password, it's the exact same process. The fact that Windows users don't start the install programs using runas simply means they're uninformed and improperly educated. Windows provides the SAME mechanisms that Unix does for running in least privileged mode: users simply do not do it.Check your facts. Just TRY to clobber an NTFS directory to which you have no write permissions. The "Limited Account" in Windows won't let you write to \Windows or \Program Files or other people's user folders. How is this "a lot more accessible"? Only Administrators have complete access to the file system, the same as in Unix/Linux. If you are logging in as Administrator, it's your own damned fault if you run a Trojan and it trashes your files.
I don't know what version of Windows YOU have, but in XP simply right clicking on an executable file offers "Run As..." as the first menu option! Does KDE offer this in their shell? How about GNOME? And of course, at the Command Prompt in Windows you can still use the runas command.