Microsoft Mail Worms Gang War?
cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
MyDoom.F does destroy word, excel, access, jpg, and other files.
SARC
This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder.
Bored? Why not join a decent mess
I'm getting some forged emails lately, badly forged at that, which look like they're coming from my ISP, "warning viruses being sent from your account", "warning imminent suspension", etc. They have a pif file attached (which I never open) and have been coming from .lt or .gr servers (my ISP would not likely be using these.) Looks to me like another brand of worm on the rounds and there's a morbid sense of humor behind it.
A feeling of having made the same mistake before: Deja Foobar
since some of these viruses involve opening back doors, it's a turf war in the sense of who owns more zombie computers, I guess.
What's interesting/annoying is that the latest variants of the Bagle/Beagle virus use password protected encrypted zip attachments, which has caught quite a few mail gateways and virus companies off guard. Our mail gateway (mailscanner/f-prot/spamassassin) was unable to deal with the encrypted zip attachments and passed them on through.
The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)
Put in a mail filter. Drop all .PIF, .EXE, .COM, etc., etc., including (and this is the clever bit) all .ZIPs.
Either route to holding folder or just drop as we do. The number of legitimate .ZIPs we receive is so low that telling the sender to rename the attachment is feasible. They are also getting hammered by Bagle et al. so they understand.
Other than users who still forward us the defanged emails even after being repeatedly told not to do so, we have had no impact to the firm whatsoever.
If you don't want to repeat the past, stop living in it.
Date: Wed, 03 Mar 2004 10:03:48 -0800
From: support@xxx.edu
To: me@cc.xxx.edu
Subject: Warning about your e-mail account.
Parts/Attachments:
1 Shown 10 lines Text
2 12 KB Application
Dear user of "xxx.edu" mailing system,
We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.
For more information see the attached file.
Cheers,
The xxx.edu team http://www.xxx.edu
[ Part 2, Application/OCTET-STREAM (Name: "Information.pif") 16KB. ]
[ Cannot display this part. Press "V" then "S" to save in a file. ]
------
Pretty *good* social engineering, if you ask me. The other earlier worms did not send customized messages according to the domain. I had to stop a couple of family/friends from giving in and opening the attachment.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Microsoft is in Redmond, which to a Seattle resident, is the East Side.
(that's east side of Lake Washington, for you non-residents).
and/or
AMaViS
How many people do you know that actually read EULAs, or javascript popups? Everyone that I know seems to look for the escape (clicking "I Agree" on EULAs or "OK" on anything their browser pops up). Hell, these attachments need to actually be executed. The user is already going to the trouble of right-clicking the attachment and either saving it, finding it, and running it, or just running it right from OE. One more popup would only slow them down by half a second.
do not read this line twice.
A better interpretation might be: "[Are the] Microsoft mailworms [part of a] gang war?". At which point the title goes way beyond the shortening that is generally acceptable for titles.
It was a typo in my setup, oops. I should have triple checked my setup before I posted. It wasn't scanning inside zip files, hence half of them got through :) I guess ClamAV DOES rock :)
Yeah most are not too damaging, but here's my story.
Symantec's corporate antivirus software only allows for once daily automatic downloading of new virus signatures.
- Last week our AV server downloaded updates at 8am as usual.
- At 11am Symantec released new signature for MyDoom.F.
- At 1pm stupid_corporate_user_04 opens and unleashes MyDoom.F on the network. MyDoom.F blows away all MS Office and image files on stupid_corporate_user_04's machine, then begins the same task on all network shares this person had access to.
- At 8pm automatic backups kick off
- At 11pm backups complete, having successfully backed up ruined shares.
- At 8am the next morning, AV server picks up signature for MyDoom.F. At same time, users begin to notice their files are gone. Alarms go off everywhere.
- At 11pm that second day, all corrupted/trashed files have been removed, all viruses eradicated, all data restored from 2 day old backups.
Summary: 1.5 to 2 days of work time lost by 60 employees, plus 12 hours @ $110/hr for support consultant to help clean up the mess.
Needless to say, I wouldn't categorize the virii as doing little damage, whether they actually delete local files or not. Even had we not lost files, we still would have had a big cleanup job, and it still would have impacted our users.
Here's a big Fuck You to the person who wrote that variant, and to all the other virus writers out there.
.sigs are for post^Hers.
in our small company it's been drilled in from day one:
don't open email attachments, delete them
if you get email from someone you do not know with an attachment delete the email
if you get an email from someone you know with an attachment you aren't expecting delete the email and contact the person who appears to have sent you the email
if you get an email with an attachment you are expecting but it does not look correct - email is poorly written, bad grammar, ambiguous or perhaps threatening wording - delete the email and contact the IS department.
We even have a special email account set aside so people can forward potentially suspect emails where they can be opened and examined (no, they are not read with any email client)
It's been pretty successful in our small company and easier to accomplish in our small company. It's too bad we were sold to a larger company as I would have been curious to know if we would be able to maintain this level of awareness in the staff as we grew larger. I am only hoping that our people will continue to be aware of the email they are getting and the attachments and that they can teach a few others this deceptively easy thing.
Of course they are, and should be running up to date antivirus software updated at least weekly, if not more frequently.
# UEsDBAoA... is the base64 encoding of a ZIP local file header ("PK\003\004", version 10)
# followed by the general-purpose flags word: AAAA = 0x0000 (plain), AQAA = 0x0001 (encrypted).
#bagle.j unencrypted
:0 B
* UEsDBAoAAAAAA
/tmp/baglej
#bagle.j encrypted
:0 B
* UEsDBAoAAQAAA
/tmp/baglej
err...Outlook2003 and Exchange2000 do exactly that. If a program tries to access the Address Book, it pops up an approval dialogbox. You can't click yes for 5 seconds.
But since these worms also search a wide range of other filetypes (.txt, .doc, .html, etc etc) for valid email addresses to send to, it makes little difference.
That is so true. Most of it is based from Romania and the previous USSR/Russia. A lot of banking information runs around online and while these little worms get the headlines most of the time it's for identity theft. I work for a major online auction house and we see a lot of people losing lots of money due to viruses and worms that their av software doesn't catch.
Hold up, wait a minute, let me put some pimpin in it
Now this may sound a little over aggressive, but I am a poor sys admin who is getting bombarded with blocked messages every 20 secs or so. Personally if I ever meet a virus writer, if it's this shit or some other virus they have written, their head is going to end up in a glass jar in my fridge. Be Warned
There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
I'll second that, MailScanner is brilliant - but get the current beta 4.28.4 or later which can block password-protected .zips. There's top-notch support in the MailScanner FAQ and via the mailing list.
That's a lot of work. If you have a Linux mail server, it's a lot more simple for the end user. Just put this into /etc/procmailrc and all of your executable and zip file attachments are toast:
# Only look at multipart mail (H = match against the headers)
:0 H
* ^Content-Type: multipart
{
  # Scan the body (B) for a MIME part whose name= ends in a blocked extension;
  # \/ makes procmail store the rest of the match in $MATCH
  :0 B
  * .*\/name=.*\.(bat|chm|exe|com|hlp|hta|jar|js|jse|lnk|mdb|pif|scr|shb|shs|vb|vbe|vbg|vbs|wmz|wsf|wsh|zls|dbx|mht|wab|asf|zip)(")?(\ *|\t*)$
  {
    # LOG="${NL}Possible virus:${NL}Matched Expression = ${MATCH}${NL}"
    :0
    /dev/null
  }
}
The problem is that most AVs do not check password protected zipped attachments; because they can't look inside them, they are let through. This is supposed to let people send encrypted stuff through your mail gateway and it will not be deleted. Needless to say this default didn't work for us and we had to change it so that it quarantines suspicious attachments.
You always point your finger at the bad guy, but what if the bad guy points his finger at you?
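As an added example (my own code, not from any poster nor from MailScanner or procmail), this Python check does in one place what the two procmail recipes in this thread do with regular expressions: it flags the thread's blocked-extension list and detects password-protected ZIPs by reading the encryption bit in the ZIP local file header instead of matching a base64 prefix. The sample mail, the example.invalid addresses and the attachment names are constructed.

```python
import base64
import email
import struct

# Extension list taken from the procmail recipe quoted above.
BLOCKED_EXTENSIONS = {
    "bat", "chm", "exe", "com", "hlp", "hta", "jar", "js", "jse", "lnk", "mdb", "pif", "scr",
    "shb", "shs", "vb", "vbe", "vbg", "vbs", "wmz", "wsf", "wsh", "zls", "dbx", "mht", "wab", "asf", "zip",
}
ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"  # every ZIP starts with a local file header

def zip_is_encrypted(data: bytes) -> bool:
    """True if the first local file header has bit 0 of its general-purpose flags set (password protected)."""
    if len(data) < 8 or not data.startswith(ZIP_LOCAL_HEADER_SIG):
        return False
    (flags,) = struct.unpack_from("<H", data, 6)  # layout: signature(4) version(2) flags(2) ...
    return bool(flags & 0x0001)

def procmail_prefix(flags: int) -> str:
    """Base64 of the first 9 header bytes: the text the '* UEsDBAoA...' procmail conditions match on."""
    return base64.b64encode(ZIP_LOCAL_HEADER_SIG + b"\x0a\x00" + struct.pack("<H", flags) + b"\x00").decode()

def classify_attachment(part) -> str:
    name = part.get_filename() or ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    payload = part.get_payload(decode=True) or b""
    if ext == "zip" or payload.startswith(ZIP_LOCAL_HEADER_SIG):  # check content, not just the name
        return "encrypted-zip" if zip_is_encrypted(payload) else "zip"
    return "blocked-extension" if ext in BLOCKED_EXTENSIONS else "ok"

def scan_message(raw: bytes) -> list:
    """Return (filename, verdict) for every attachment; anything but 'ok' would be quarantined."""
    msg = email.message_from_bytes(raw)
    return [(p.get_filename(), classify_attachment(p)) for p in msg.walk() if p.get_filename()]

def build_sample_message() -> bytes:
    """Constructed mail (not from the thread): a .pif plus a ZIP whose header has the encrypted flag set."""
    enc_zip = ZIP_LOCAL_HEADER_SIG + b"\x0a\x00\x01\x00" + b"\x00" * 22  # flags 0x0001, rest zeroed
    b64 = lambda b: base64.b64encode(b).decode()
    return (
        "From: support@example.invalid\r\nTo: user@example.invalid\r\n"
        'Subject: Warning about your e-mail account.\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nFor more information see the attached file.\r\n"
        '--b1\r\nContent-Type: application/octet-stream; name="Information.pif"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n" + b64(b"MZ\x90\x00") + "\r\n"
        '--b1\r\nContent-Type: application/zip; name="Details.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n" + b64(enc_zip) + "\r\n--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    print(scan_message(build_sample_message()))  # both attachments get a non-'ok' verdict
```

Note that `procmail_prefix(1)` reproduces the `UEsDBAoAAQAA` prefix of the encrypted-Bagle recipe, which is why the base64 trick works on any ZIP whose first entry is password protected.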