Slashdot Mirror
'Bagle' Worm Heading For A Windows PC Near You
mrSinclair writes "the 'Bagle' or 'Beagle' worm is expected to hit the U.S. by midweek, probably Tuesday as many employees return from a three-day weekend." He points to this Washington Post story (via Yahoo!), which describes the Windows mass-mailing worm as being transmitted via email as an .exe attachment and as installing "a program that lets attackers connect to infected machines, install malicious software or steal files." The article says Bagle has been detected in more than 100 countries. Other readers have sent in links to coverage at the BBC and at SearchSecurity.com.
So far, I've submitted copies of this to Symantec, and ClamAV, both of which did not detect it in the latest definitions. If anyone else has submitted this to an A/V manufacturer, or knows of an A/V that currently detects this, please post.
Contact Me (got tired of viruses emailing me).
We've already received two of these at work, one as early as 8am yesterday morning, local time. Fortunately our server-based anti-virus filter is on the ball: "Executable DOS/Windows programs are dangerous in email (kraencha.exe)"
As the article text states: "We really thought it was never going to spread because it's so stupid," said Mikko Hypponen, manager of antivirus research for F-Secure. "But people seem to be clicking on it." Just goes to show you that no matter how much cork you put on some people's pencils, they'll still manage to poke themselves in the eyeball. Honestly, who out there is so dumb that they'll run an .exe email attachment with a subject line "Test" and a body including "Yea, Test".
Mandatory computer usage licenses, anyone? ;)
Come on! Outlook hasn't allowed these to be run for years now? How do these things still spread? Little old ladies stuck on Eudora 3.0 or something?
It looks like the writers of the virus DOS'ed themselves (from the aformentioned Yahoo! article):
:)
Bagle also tries to download an unknown program from one of more than 30 Web sites located mostly in Germany and Russia. None of those Web sites was reachable as of Monday afternoon.
Or is it more likely that these servers in Russia and Germany were also hacked and were just being used?
In any rate, this doesn't look so bad. The searchsecurity.com article says that "Removing the worm manually is just a matter of killing "bbeagle.exe" in the Task Manager. The registry keys created by the worm also need to be removed." Hopefully this one won't be as bad as Sobig.
My blog
It's pretty fucking sad when you now have forecasted virii.
Weather channel, look out!
I do it cuz I hate that lazy fuck who calls himself the sysadmin...
Can I get an eye poke?
Dog House Forum
First, you'd have to save it to your hard drive, clicking on it wouldn't work (email attachments are data files, not executables). Then you'd need to "chmod +x" it, and then you could run it as your user, in which case it can infect only things associated with that user. Assuming these unlikely things happened, the superuser can simply disable your account and clean things up, while everyone else on the system can chug along happily.
In other words, its not the same. Unix made the right decision from the beginning to separate data and executables, and to keep most users at a non-Administrator/non-root capability level.
1. Don't open any attachments that are potential virus, (.exe, .vbs, .com, etc.)
2. Disable your email client's automatically message preview pane. This makes exploit viruses a little easier on you, as you can select the message and delete it without having to preview it instantaneously.
3. Download a mail proxy program (I use MailWasher), it'll filter out spam, and allow you to see a text version of the message, without downloading the attachment.
4. Have your AV update its definition religiously. Of course, this only helps if your AV company updates its definition religiously as well.
Of course, the first 3 don't require a virus scanner at all, just common sense. As a gamer, I hated having NAV or McAfee VirusScan hog up 30MB of my memory, so I removed it. I make smart and conscious decisions, and have never had a virus on my computer for several years.
I'm the resident geek in my dorm, and have spent the last 24 hours getting rid of it on computers of anyone and everyone. The particular strain we saw came in an email with the subject of simply "Hi" and contained (basically) the following test.
.wab, .htm, .html, and .txt"
Hi!
This is a test.
(random string of letters)
Testy test.
The attached file was a modified version of the Windows calculator which (according to the Symantec site) "Emails all the contacts it can find inside files with the extensions
It's interesting because apparently that's ALL it does. It doesn't screw with files or settings, or run malicous code (outside the actual act of reproducing itself). It's annoying, however, because it sends emails to people who are NOT in your address book, but merely mentioned in text files somewhere on your computer. In the last 24 hours I've gotten emails with the virus from friends, random people in my university, at least one university email address that should have been run by someone who knew better, and a couple random friends-of-friends.
Also, according to Symantec, it dies on the 28th.
It was really interested to see the spread at my college. For us, it began around 1 AM Monday morning, peaked around 2, and was already slacking off by 3 AM. I know this from my own inbox, people in my dorm, and talking to people elsewhere.
I do find it currious the virus didn't DO anything. Is it just someone screwing around, a test for a future release or (as some of the more paranoid people in my dorm are suggesting) a released virus by the anti-virus companies to keep people in enough fear to demand their products.
As a side note, I also spent hours cleaning the assorted spyware and adware that builds up when people don't know how to properly use their computers....more than one person could literaly not do work becasue of the porn popups that plagued their computer.
-Trillian
BTW: two fixes are already avilable for this virus:
Free, but worth thousands more: FreeBSD, Linux, and more...
Pricey, but worth every penny: Mac OS X
We have moved most of our lab machines from Windows to OS X in the past few months and the time I have spent having to patch, test patches, roll back updates due to problems with Windows has been reduced drastically. I can't mention how successful this migration/switch has been in terms of productivity gains, peace of mind, etc... With OS X, you plug stuff in and it works.
Its true that OS X costs more money than say Linux installed on our previous machines, but OS X is a true desktop OS that allows one to keep all of their UNIX apps as well as provides the slickest desktop OS around allowing for use of popular apps such as Office (yes, Microsoft Office for OS X is actually quite nice, so stop your whining), Photoshop, Filemaker etc... while allowing for our compute intensive work on scientific apps as well.
Visit Jonesblog and say hello.
... according to Symantec's Security Response (since 1/18/2004).
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
> Then you'd need to "chmod +x
.py, etc) and just go launch the script intepreter when you double-click on the file. This does not require +x access!
This all really depends on how much "Shell Integration" your Unix desktop has.
It's quite possible that a Unix Mailer would look at the file extention (.pl,
KMail was caught launching PE EXE viruses using Wine for example.
In reality, most of these mail viruses have nothing to do with OS security and everything to do with poorly designed mailers and dumb users.
I know this has been mentioned about a thousand times but if you're a sysadmin, do yourself a favor and block executables, scripts, or any other file type that can execute. If someone needs an executable to be sent in-bound, set up either an FTP server or a dummy account outside your company's mail system. I have a domain set up just for this purpose where only the admins have rights to the mail accounts. If someone needs a file, the employees just send a request to have an admin check the mailbox for a specific filename from a specific user. We'll even ask for file sizes just to make sure. While checking the mailbox might take about 3-5 minutes out of my day, this method saves me the many headaches of removing viruses all week.
Already old news here. Been dealing with it for a couple of days...
The Subject: is actually more applicable to the spammers, who really are waging all out war on the utility of email. This one is more like a hit-and-run attack.
Still, the similarity is that they are hoping to find a few "good" suckers to click on their links. This one is actually an interesting combination. Partly it seems to be testing the efficiency of a propagation mechanism, which seems to result in greater "apparent locality" of the email, with higher odds that it seems to have come from someone you know. However, it also seems to be ready to launch some more insidious payload that was to be downloaded from some Web sites.
Right now all of those Web sites seem to have been taken off the net--or maybe they're waiting to pop them onto the net once the thing has propagated sufficiently. That part of the Trojan apparently tries to check in every 10 minutes to announce itself.
The thing that bothers me about this combination malware is that the anti-virus people could easily miss something. For example, in this case, what if the thing included a new variation on the email backchannel for the harvested email addresses. Or maybe a well-concealed bit of code to suddenly mung the URLs to point to live sites somewhere else? However, whatever it is hasn't triggered yet, and the anti-virus people perhaps have only detected the distractor HTTP-channel. If that were the case, they could still get a massive harvest of email addresses. (Yes, I still think the spammers are probably really the people behind this one--spamming just naturally attracts the lowest life forms. It's a question of the crudest motivations for the crudest acts.)
By the way, has anyone seen the reason for the bagle/beagle confusion here? Trying to incriminate the Israelis? Or the dogs? Or both?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
...since yesterday, apparently. Good to see Grisoft keeping AVG up to date.
Oh, and they've got a little blurb on the virus too.
I do this as well. .exe files can be sent through these by renaming the file (e.g. to .jpg), then adding a comment "please rename the file to .exe".
.jpg or .gif, and with the added guidance for the receiver. Of course it was again blocked by my scanner, but apparently this method works on the commercial scanners and the users know the workaround.
.zip and telling the user to unzip and then run the program.
Of course you must make sure you use a valid detection mechanism.
Many commercial scanners use the extremely naive approach of checking the file extension!
This means that
You would not believe it, but even the most well reknowned scanners use this stupid method. I have seen countless examples of "funny programs" being blocked on the mailscanner, and then the same file arriving half an hour later, renamed to
There even has been one trojan that uses this method by packing the program in a
Two main reasons - the extra load generated and the risk of false positives.
If filtering were done as you suggest, with a simple attatchment file size check, then there's a reasonable chance a perfectly legitimate mail would be dropped. It also wouldn't take very long for the virus writers to create viruses that vary the file size on every reproduction.
If a customer gets themself infected with a virus then it's their fault for not have adequate virus protection - if the ISP drops their mail because it was of a similar size to a virus it's the ISP's fault.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Hmmm.... the Beagle worm... surely it can't do that much damage... it probably just crashes on entry....
> installing "a program that lets attackers connect to infected machines, install malicious software or steal files."
Doesn't Windows already have to be installed?
Sheesh, evil *and* a jerk. -- Jade
We had the same executable attachment problem back when I was in school in the late '80s. Our VM Mainframe E-Mail system got shut down because of some christmas card program that remailed itself to everyone in your address book. Sound familiar?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I don't know whether it applies to that one, but a _very_ efficient way to avoid the annoyance of Windows email worms is to use your firewall block all incoming traffic from a Windows machine to port 25.
:
On OpenBSD, the following line is enough
block drop in log quick proto tcp from any os Windows to any port smtp
There is really not a lot of legacy mail exchangers running Windows so it doesn't hurt.
However, it blocks most worms that are trying to directly send mail.
{{.sig}}
What, is the worm's creator going to come forward and sue the antivirus companies for trademark infringement?
Or is this a "nyaa nyaa we're not going to call it what you wanted us to call it" thing?
I sense a palladium ad here around those same lines. "No untrusted code can execute"
:)
Ironically, the only code I might trust is that which was NOT signed by Microsoft.
At least with Windows Update, the user can be assured that they will get a secure untrojaned binary. No one has any evidence that Windows Update has been rooted.
Of course six months from now, when they finally get around to issuing a patch, the lack of source code also leaves no evidence that a new vulneralibility wasn't created when the old one is closed, does it?
Time is what keeps everything from happening all at once.
Well in any case it should be a non-issue. If you are running Windows correctly, you're not running as a member of Administrators but rather a regular user with all the permissions correctly set. This way you can't inadvertently destroy data that should be secured (e.g., programs). In any case, I have grown tired of attempts to trivialize the would-be damage of worms on UNIX systems as "oh it will only trash /home/user" -- as if that's not bad or something!
(Also of note is that most people sending these worms unbeknownst to them are home users, not corporate users on multiuser systems.)
Yes, but by default OS X users are given a user account, separate from root. And, even if they have an admin account (not to be confused with root), they have to type in an administrator password to confirm installations that affect areas outside of the user's home directory.
:/
You can send an OS X user a malicious Apple Script file with an MPEG icon on it, and they'll probably double click it thinking they are going to view free prOn. But as soon as the "administrator password" box comes up, odds are they are going to hit "cancel" and not grant access to their root directory
Moreover user accounts in OS X are quite flexible. Unlike Windows users, OS X users rarely require the need to login to, and remain working within, the root level.
Every Windows office I've ever administered has had numerous problems with user accounts, users working in root 24/7, etc
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
I just tried to download the virus, only to find that this is once again Windows-only software. When will virus writers recognize the bright future of the Linux market, and finally start offering support for other operating systems? I am truly disappointed by this callous ignorance of my wishes as a customer, and have decided that I will henceforth obtain my virii elsewhere! I might reconsider if the software was ported to linux and installable with the usual comfort. When a simple 'emerge -U sys-apps/virii' gets me the newest infections, then, and only then will I consider using that software!
:)
Note: Blatant sarcasm... but if you didn't already know that, it's hopeless anyway
Divide et impera!
Save the attachment, su, ./configure && make && make install
I wish you will enjoy it!