PhatBot Trojan Spreading Rapidly On Windows PCs
prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, albeit it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
... or does this sound dirty to you too??
a new peer-to-peer backdoor client that is installed maliciously
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Since when did Snoop Dogg start writing code? Shizzle, dawg, dis virizzle be PHAT!
# Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
# Checks to see if it is allowed to send mail to AOL, for spamming purposes
# Can steal Windows Product Keys
# Can run an IDENT server on demand
# Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection :)."
# Can run a socks, HTTP or HTTPS proxy on demand
# Can start a redirection service for GRE or TCP protocols
# Can scan for and use the following exploits to spread itself to new victims:
* DCOM
* DCOM2
* MyDoom backdoor
* DameWare
* Locator Service
* Shares with weak passwords
* WebDav
* WKS - Windows Workstation Service
# Attempts to kill instances of MSBlast, Welchia and Sobig.F
# Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
# Can sniff FTP network traffic for usernames and passwords
# Can sniff HTTP network traffic for Paypal cookies
# Contains a list of nearly 600 processes to kill if found on an infected system. Some are antivirus software, others are competing viruses/trojans
# Tests the available bandwidth by posting large amounts of data to the following websites:
* www.st.lib.keio.ac.jp
* www.lib.nthu.edu.tw
* www.stanford.edu
* www.xo.net
* www.utwente.nl
* www.schlund.net
# Can steal AOL account logins and passwords
# Can steal CD Keys for several popular games
# Can harvest emails from the web for spam purposes
# Can harvest emails from the local system for spam purposes
How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?
Slashrank
...nothing.
windows users shouldn't be surprised at new viruses; it's not like they're getting worse, or like users are getting any smarter. generally speaking, if you're not an idiot, you won't get a virus. if you're not an idiot and you do, you can get rid of it easily--they really only seem to hurt people who are already pretty ignorant.
When a virus attempts to disable anti-virus and firewalls, there needs to be a better way to keep those programs operational and "clean". What if a virus altered your norton or mcafee to make it appear as though it is working(and not finding any viruses) when in fact it is not working at all?
What if anti-virus, firewalls, and other critical software could somehow run in read-only memory space, which would have a physical barrier so that no bugs in software could be exploited to alter this space?
What if we could "burn" memory space of a program to a CD rom so that a proper working, unaltered anti-virus and firewall could run without fear of being disabled?
will be after phatbot, now that Kazaa is being counter-sued.
Indefinitely Detained US Citizen
But I'm getting so tired of these virus 'alerts' constantly bombarding me day in and day out!
It's as bad as spam! It's EVERYWHERE!!
I frequent a couple other message boards (damn, I almost said BBS'), and every few days, we get the same ol' thread...'VIRUS ALERT!!!!!!!'
We live in the information age. The information has been disseminated that Windows users are:
A) Prone to constant viral and security intrusions.
B) In desperate need to constantly update their AV software.
The SysAdmins who aren't keeping their servers locked down is another thing entirely...*grumble*
But really, ABC, NBC, CBS, all these guys have done several stories on system security...EVERYONE's got a nephew that 'knows a lot 'bout dem 'puters'...
I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.
(See! A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!)
Yay me.
Don't park drunk, accidents cause people.
Just once, JUST ONCE, I'd like our knee-jerking media to actually provide details to the public on how to combat a virus, or trojan horse, or whatever, in the text of their article. I understand the unwashed masses read Yahoo News and Washington Post, but maybe if we started to inform the public on how to find out if you're infected, and how to remove the offending virus, more people would actually check to see if they are infected, and might re-think their surfing & downloading habits.
/end rant
I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thing a ma jig.
Happy St. Paddy's Day everyone, btw.
Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."
aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.
Runnin' On Empty
I can't find out how the gory details of backdooring a computer. Oh well, I guess I'll have to settle for the more traditional form of pr0n.
-- PhoneBoy
The views expressed herein are not necessarily those of anyone, including the poster.
A friend of mine recently sent me a funny email he had received, it indicated that Yahoo was bouncing back some emails to him because the receiver couldn't be found. Well, he didn't send any of these messages, but someone had spoofed their REAL NAME into the TO: field. His virus protection software was up-to-date, he didn't know what was going on, then he noticed in Outlook the "save password" button no longer worked. Finally today, it's all starting to make sense. Don't know how he got the virus though, he's behind a firewall (NAT router), he doesn't go through much email. I have to guess it's all the porn he surfs.. Anyone else getting bounce backs?
Mod +5 Drunk
PhatBot Trojan would be a good name for a hip-hop group?
### fictional code comment snippet ### "The PhatBot team would like to shout a big thanks to the US Department of Infrastructure for their help in beta testing PhatBot!"
I'm too lazy to go find them myself- so:
Has anyone come across a removal tool and/or removal instructions? They would be helpful for future reference.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
It's hard to believe these kind of trojans are not in any way related to spammers.
Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.
Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.
Rock that crushes, Paper & Scissors that don't matter.
'Cause Apple want to keep things simple for their maintenance programmers. If it only runs on Apple hardware, they don't have many setups to test against.
The authors are getting better at designing control networks, but all it will take is one grayhat with an infected node to watch a command being executed and use that information to take out the entire botnet.
Too bad it would be both grossly illegal and probably disruptive, because it would be a great favor to the rest of the net, to counter these botnets and squish-them into oblivion (at least this generation, until the attackers learn how to do authentication of commands correctly).
Test your net with Netalyzr
No it doesn't. WTH are you talking about? All it merely does is combine attacks against all known security flaws into a single package. It is also a trojan horse, meaning that it uses user idiocy to get itself installed.
Hmm... I suppose user idiocy is a flaw that Windows has that Linux doesn't.
Okay, I see your point.
-Ryan
Eh, not sure what the point of your post was. But this is NOT a windows EXPLOIT at ALL.
It spreads through peer to peer apps, does not use Windows exploits. This virus has nothing to do with Windows security at all, but the retardedness of its users.
Idiot.
1) Extract Windows product keys
2) ???^H^H^H Email software keys to software@bsa.net and tell them that you think your employer is not running legitimate software. Include a paypal link for the reward
3) Profit
This bot looks NASTY.
-B
This is also known as the "Agobot"
http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech&cat=hackers_and_crackers
http://www.f-secure.com/v-descs/agobot_fo.shtml
Detailed Description
First of all, this new variant has the 'Phatbot3' identifier and there are a few 'phat' strings in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.
The backdoor's file is a PE executable 115738 bytes long, compressed with the PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.
Installation to system
The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to the Windows System folder and creates startup keys for this file in the System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"nVidia Chip4" = "nvchip4.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"nVidia Chip4" = "nvchip4.exe"
This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
Scanning for vulnerable computers
The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).
Performing a DDoS attack
The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
* HTTP flood
* SYN flood
* UDP flood
* ICMP flood
When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.
The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
www.schlund.net
www.utwente.nl
www.xo.net
www.stanford.edu
www.lib.nthu.edu.tw
www.st.lib.keio.ac.jp
Collecting e-mail addresses
The bot can harvest e-mail addresses. It has the functionality to read the user's Address Book and send the list of e-mail addresses to the bot operator.
Obtaining Registry info
The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.
Spreading to local network
Agobot backdoor can scan computers on the local network and copy itself there. The scan is initiated by a remote hacker. When spreading to the local network, Agobot.FO probes the following shares:
admin$ c$ d$ e$ print$ c
Agobot.FO tries to connect using the following account names:
(SEE LINKS AT TOP FOR INFORMATION)
When connecting, Agobot.FO uses the following passwords:
(SEE LINKS AT TOP FOR DETAILS)
If the worm succeeds in connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on the remote computer that will start the backdoor's file.
Terminating processes of security and anti-virus programs
Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
(NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)
This functionality allows the backdoor to successfully disable anti-virus and security software that cannot detect this backdoor before its file is started. In most cases special tools are required to clean a computer infected with this backdoor.
Additionally the
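A checker for the autostart entries described in this write-up (plus the "Generic Service Process"/srvhost.exe variant from the manual-removal notes later in the thread), as an added example that is not code from F-Secure or from the thread. It parses the text produced by `reg export`, so it runs offline on an analysis box; the sample export below is constructed.

```python
"""Flag the Agobot/Phatbot autostart entries in a Windows registry export.

Added example, not code from F-Secure or from the thread. Input is the text
written by `reg export` (REGEDIT4 / "Windows Registry Editor Version 5.00"
format), so the check can run offline on an analysis box.
"""
import re

# Autostart keys the write-ups name (HKLM hive, lower-cased for comparison).
AUTOSTART_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}

# Value names and binaries reported on the page. srvhost/svrhost imitate the
# legitimate svchost.exe; nvchip4.exe poses as an nVidia component.
SUSPECT_VALUE_NAMES = {"nvidia chip4", "generic service process"}
SUSPECT_BINARIES = {"nvchip4.exe", "srvhost.exe", "svrhost.exe"}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"\s*$')

# Constructed sample export: one clean entry, two Agobot-style entries and
# one non-string value that the parser must skip.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"nVidia Chip4"="nvchip4.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Generic Service Process"="C:\\WINDOWS\\System32\\srvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""


def normalise_key(key):
    return key.strip().lower().replace("hkey_local_machine", "hklm")


def parse_reg_export(text):
    """Return {normalised key: {value name: data}} for REG_SZ values only."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = normalise_key(m.group("key"))
            entries.setdefault(current, {})
            continue
        m = _STRING_VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes inside string data.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            entries[current][m.group("name")] = data
    return entries


def executable_name(data):
    """Extract the bare executable name from a Run-style command line."""
    data = data.strip()
    if data.startswith('"'):            # quoted path, possibly with spaces
        path = data[1:].split('"', 1)[0]
    else:
        path = data.split()[0] if data else ""
    return path.rsplit("\\", 1)[-1].lower()


def find_agobot_persistence(entries):
    """Return (key, value name, data) for every suspicious autostart value."""
    findings = []
    for key, values in entries.items():
        if key not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            if name.lower() in SUSPECT_VALUE_NAMES or executable_name(data) in SUSPECT_BINARIES:
                findings.append((key, name, data))
    return findings


if __name__ == "__main__":
    for key, name, data in find_agobot_persistence(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{key}] {name!r} -> {data}")
```

A hit only says the autostart value is present; confirm by checking the file on disk before removing the key, since a variant may use a different value name.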
Finally, a good method to keep people from breaking copyright laws. Infect and trojan those who break the law, impact the rest of the economy, and you'll ruffle enough feathers to bring down the whole house of cards. Now the average business will begin to see that breaking copyright law on computers is more than just a localized problem within the "Media" of movies and music. Kudos to whoever created this Trojan.
is installed maliciously on broadband-connected computers...
who knew that dial up internet was a form of virus protection? I don't feel so bad anymore!
WoW: Scheod 70 orc warlock on Shadowmoon
Okay, so that guy who likes to get spam is responsible for spreading even more spam. I'm sure he is happy, but the rest of us wish he would really stop it already!!
I see where you're coming from here. However, there's other considerations. Some of us must operate Windows boxes, so we must deal with it.
:)
Obviously the "security-by-news-alert" method of keeping your systems secure is stupid. We must still update our AVs and Spy cleaners and run them regularly. If we do that, we'll get almost every virus and spyware and never have to worry.
But some of like to know what the virus writers are doing. Trends in the virus business, as they evolve.
Some of us may have firewalls that we might wish to alter based on major recent virus activity. I'm sure the Blaster variants caused several admins to alter the RPC port configuration of their firewalls.
Isn't it better to be proactive rather than reacting to a virus-based DOS?
I agree, of course, that people shouldn't email their buddies "OMG VIRUS ALERT!!!111one!!11" as we are able to keep up on virus news ourselves. We don't need these emails.
The value of Slashdot posting a breaking story about a virus is early-warning in the event that we're sitting around reading Slashdot instead of doing our jobs and monitoring the other virus news systems.
# Erik
And as you've so obviously thoroughly RTFA's you will no doubt be able to tell us all what new flaw(s) this exploits?
Here's an alternate link I am looking for removal instructions. BRB.
Why run these apps if you continue to download questionable material?
That defeats the purpose.
The thought runs through your head "oh I have antivirus or I am running ZoneAlarm nothing can get to me".
Well news flash REGARDLESS OF THE OS, AND HARDWARE/SOFTWARE FIREWALLS just by being able to get your pr0n on at 2AM is all the chance an attacker needs.
- Unplug
lighten up and spend time with your family. Life is too short to worry about infection of an inanimate object. If they want to hack my home pc great, if they can.
They want to destroy my computer so I have to reinstall, fine with me. I have all the disks.
I say this, I will live in fear of no man, nor group. *Save the Bush Administration*
I am Bennett Haselton! I am Bennett Haselton!
I have a client who sends out an aviation newsletter, with a list size in the tens of thousands. They have their own dedicated mail server, running RH Linux that I set up for them. Email is virus filtered with MailScanner and f-prot.
No complaints for months. And then, I add a new account to the mail server and restart sendmail.
Within a few hours, I got complaints that the volume of email had at least tripled, and that *all* of the increase were viruses, being caught by McAffee! So bad it was difficult to simply empty out the inbox from all the popup notices of virus detection!
Turns out when I restarted sendmail, I didn't restart MailScanner, so it was not running, letting everything through.
Very sobering, to realize how bad viruses online have gotten...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
...giving the RIAA another 1 to 2 million people to sue for--something...it is P2P after all;)
Another one of my favorite sayings that has come out of our testing department is "You just can't fix stupid".
Against stupidity, the gods themselves contend in vain.
How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?
For a mainframe version of the story see _The Adolescence of P1_.
(I'd dig up an Amazon link but I'm busy right now.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
NANOG this past week has had to deal with "h4r 3y3 j4m an 3fnet p4ck3tm0nk3y" bs. What I don't understand is how some people download and install something without checking exactly what it is. Look at the spyware situation: "Click here for a free weather clock" It should be obvious that there is no such thing as free. Everything has some form of price. What I find most alarming, is that most corporations - Symantec, Network Associates, and the major Windows based antivirus makers including Microsoft who has not got their act together - unleash errata of mass destruction. "Buy this patch/firewall/antivirus foo foo foo product to protect you now!" Why not release some Macromedia Flash like tutorial along with their products to educate users about the dangers of downloading unnecessary 'tools/products/virtuagirls/etc' and how to protect themselves from these things... I'm willing to bet if some company did something like this, most of these annoyances would drop big time
MoFscker
Well I don't know about that being the only way. When you install the security software, you do some sort of checksum on the executable file. This checksum gets put on some sort of write-once medium (PROM, etc.) and validated when the software is loaded into memory. Now, admittedly there could be malicious alteration of the validation process, but for that matter the same thing applies to trusted computing.
All's true that is mistrusted
No, it settles nothing.
Linux has flaws, Windows has flaws. I'd say both about equal if you keep up with Security news.
MS has the market share and on desktops likely to be infected it's around 100:1, therefore it's worth a trojan writer's time to infect Windows, as it can do a job for them and earn them $$/kudos from peers/personal fun at watching the media.
Anyone with a little nous could write a Linux trojan right now, but I doubt the 10 machines it'd infect before coming across windows machines that it -cannot- infect would be a concern to anyone.
http://www.joestewart.org/phatbot.html
-Joe
Yea, and trolls like you ruin slashdot, you're just asking for a flame war and more karma points.
Go away.
Isn't everyone getting really tired of hearing about trojans and viruses which are activated and/or spread by the user running the wrong thing? The truth: people are idiots. If things like this weren't so damaging to the internet as a whole, I would say "those people deserve to learn the hard way". Too bad that attitude doesn't work, since the mistakes of some affect many.
http://ahmonra.port5.com/phatbot.html
I really wish all those idiots would switch to Linux, right now!
One line blog. I hear that they're called Twitters now.
Phatbot
Does anyone have a link to a free program to remove such a worm?
I have heard from very reliable sources that there is absolutely no reason to panic. Microsoft are, as per usual, working on a patch for this Phatbot. Microsoft take computer security very seriously, as you all know. There are no flaws in Windows system architecture or any of the programs running under Windows - it's just the prevalence of Windows that does it. Microsoft and Windows are copyright Microsoft Corporation Redmond Washington USA.
Who's stupider? The man that can troll the trolls, or the troll that bites it?
YHBT. HAND. THX.
-FK
I find it interesting that I submitted this story shortly after 0900 EST in an effort to get the word out to /. readers, but it was rejected.
Was I wrong to consider using /. as an effective way to communicate issues like this to the technical community, or am I just bitching because my story was rejected?
Good luck everyone out there who should be checking/cleaning your systems -
If the Government becomes a lawbreaker, it breeds contempt for law;
I've checked McAfee, Symantec, Sophos, and F-Secure.
F-Secure (an 'expert' in the article) has no listing for Phatbot.
On the positive side, it looks like this thing whacks any competing virus it finds on your computer. So if you have a bunch of sneaky little programs on your computer, all you have to do is "install" this program, then remove it. It's like letting a wild cat loose in a house full of mice, then catching the cat.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
How about a virus that does nothing but try to spread as far and wide as possible without doing anything malicious. Then, after a pre-determined amount of time it would announce its presence to the luser and provide both instructions for its removal and common sense advice on how to avoid being infected by viri in the first place.
Viruses spread due to stupidity, ignorance, and laziness on the part of users. A virus like this MIGHT help with the ignorance part.
Now please don't think I'm advising anyone to go out and write such a thing, I'm only saying that I think the idea would be interesting.
I think it would also be interesting to hunt down the creators of malicious viruses and have them drawn and quartered, preferably on live TV. Next their parents should be beat within an inch of their lives for not raising them right in the first place.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
Maybe they got the name from Fatbot on Futurama episodes Mars U and Crimes of the Hot.
This guy is way out there
People like to be told that they're innocent victims. They don't like to be told that they infected themselves. Media tell people what they want to hear.
Alternatively they used binary packages and had a working/fully functional system in around an hour. Or if you are lucky as I am, it doesn't seem to take very long when you have two 2800+ MPs doing the work for you. You're right, there is a lot of laughing, because my Gentoo doesn't deteriorate after two days.
Math
Actually, thanks to this fantastic piece of software known as Linux, it is possible to do MORE THAN ONE THING with your computer at a time.
Only on Windows (and Mac OS classic, I guess) would a long compile render your computer useless.
"Windows for Workgroups"
/leaves the stage; debate over.
A quick search on the McAfee and Symantec websites yielded no result for "phatbot" on Symantec, and an 18-month-old virus on McAfee...
If the US government is announcing this publically, and the virus has already infected "hundreds of thousands of computers already", wouldn't the anti-virus companies *know* that?!?
After 3 days without programming, life becomes meaningless
- The Tao of Programming
Assuming that list is correct, with all the features, what are the chances the virus author actually coded them all? I'm guessing some extensive customization probably had to go into whatever code was used. Possibly it was created using open source libraries for certain components?
Also, this strikes me as the first truly bloatware virus... how big is this thing anyway??
You ever hear of lowering an app's priority? Windows is quite usable when you do that while compiling a monstrosity.
What the hell happened to them? You know, when you used to download a program off of FTP or FirstClass, forgot to scan it for viruses, installed it, had your hard drive wiped clean. And then you had to reinstall from your backup floppies, and had no one to blame but your own stupid self?
Now it's not your fault, and it hurts you as well as everyone else!
Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.
Snort Signatures
Here are some Snort signatures to detect Phatbot on a network:
alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)
alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000076; rev:1;)
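The matching logic of the two signatures above, as an added example that is not code from Lurhq or the poster: a small Python evaluator implementing the Snort `content` (with `|hex|` escapes), `dsize` and `within` semantics the rules rely on, run over constructed TCP payloads so the rules can be sanity-checked before deployment.

```python
"""Evaluate the two Phatbot Snort signatures above against sample payloads.

Added example, not code from Lurhq or the poster. It implements just enough
of Snort's rule semantics (content with |hex| escapes, dsize, within) to
check what the signatures would and would not fire on.
"""


def snort_content_bytes(pattern):
    """Convert a Snort content string such as 'abc|0d 0a|' to bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")     # literal text between pipes
        else:
            out += bytes.fromhex(part)        # hex bytes inside pipes
    return bytes(out)


# The rules from the post, reduced to the options that decide a match.
# Each content entry is (pattern, within); within=None means "anywhere".
PHATBOT_RULES = [
    {
        "msg": "Agobot/Phatbot Infection Successful",
        "dsize": 40,
        "contents": [("221 Goodbye, have a good infection |3a 29 2e 0d 0a|", None)],
    },
    {
        "msg": "Phatbot P2P Control Connection",
        "dsize": None,
        "contents": [("Wonk-", None), ("|00|#waste|00|", 15)],
    },
]


def match_rule(rule, payload):
    """True if the TCP payload satisfies every content/dsize option."""
    if rule["dsize"] is not None and len(payload) != rule["dsize"]:
        return False
    cursor = 0                      # end of the previous content match
    for pattern, within in rule["contents"]:
        needle = snort_content_bytes(pattern)
        if within is None:
            idx = payload.find(needle, cursor)
        else:
            # within:N: the whole pattern must sit inside the N bytes that
            # follow the previous match.
            rel = payload[cursor:cursor + within].find(needle)
            idx = cursor + rel if rel >= 0 else -1
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


def scan_payloads(payloads):
    """Return (payload index, msg) for every rule that fires."""
    hits = []
    for i, payload in enumerate(payloads):
        for rule in PHATBOT_RULES:
            if match_rule(rule, payload):
                hits.append((i, rule["msg"]))
    return hits


# Constructed payloads; none are real captures.
SAMPLE_PAYLOADS = [
    # 0: the bot's FTP server closing the session, exactly 40 bytes
    b"221 Goodbye, have a good infection :).\r\n",
    # 1: an ordinary FTP goodbye, must not fire
    b"221 Goodbye.\r\n",
    # 2: P2P hello with the second content three bytes after "Wonk-"
    b"Wonk-1.0\x00#waste\x00" + b"\x00" * 8,
    # 3: both strings present but too far apart for within:15
    b"Wonk-" + b"A" * 20 + b"\x00#waste\x00",
    # 4: right banner but wrong size, so dsize:40 rejects it
    b"221 Goodbye, have a good infection :).\r\n\r\n",
]

if __name__ == "__main__":
    for index, msg in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {index}: {msg}")
```

Payload 4 shows why the `dsize:40` check matters: a banner padded by even two bytes is missed, so a variant that changes the message length needs its own rule.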
it runs under wine
Here is a problem I had never thought about with open source initiatives. What happens when someone steals your source without obeying the GPL or anything and turns it into a monster? It would have been *MUCH* harder for the PhatBot authors to code their own Waste-like clustering P2P system. Perhaps they might not have even been able to do so. Instead they grab an open source app and use it to create something illegal, and in this case even dangerous.
These are the same problems faced in the emulation field. Many open source emu programmers do not allow any game from the past 2-3 years to be played, mainly to appease the corporations that still make arcade titles (SNK etc). But people open up their source and release renegade versions of their own apps without their permission and in violation of GPL and everything, often packaging them with illegal arcade ROMs.
Well, all of these trojans and viruses spread mainly by human engineering, which was proven by the "ILoveYou.txt.vbs" virus so long ago. There's not much stopping someone sending around an email saying "to find out the secrets of what your mate is doing online, open up a shell and type 'rm -rf *'," luckily almost every linux distro has that shell icon right by the equivalent of the start menu for easy access.
Someone running Linux won't fix them being stupid or gullible. Linux having a large market share won't fix every computer problem in existence, virus writers will simply spend more time aiming exploits at it.
slashdot, news for crazed liberal socialist zealots
I was looking for a comment like this before I submitted my own. People constantly use "albeit", and it pisses me off, albeit not in the way that constant use of the word "I" where "me" is correct in an attempt to sound educated does.
there is a tool for checking your system. the link is supposedly in the article but I found it through evilavatar.com.
anyway, here is the removal tool
xb0x
Maybe what's really going on is that Windows users *want* to be infected. They insist on using a flawed OS, browser, and email client. I believe it's ingrained in their minds that they crave infection. Why else would someone jump through so many hoops just to see what's in a file?
I AGREE!
I was recently berated by some talking head (in writing) for insulting a client's "menstrual abilities", and making "inflammible remarks".
My boss read the letter to me, and asked me what I said to piss them off. He shit himself laughing when I told him I called the girl a halfwit.
"Problem lies between Keyboard and Chair".
At work we say "It was a Layer 8 problem". You can say that in front of non-geeks without them catching on.
Trolling is a art,
I'm glad it doesn't attack UNIX boxes. But these things always screw up my email provider because of the volume of email they generate. Sigh.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
Note that only a VERY small portion of the code is based on open-source software. The majority of the system relies on closed-source software (Microsoft Windows) to work. Moreover, the open-source software itself isn't doing anything nefarious -- it's simply implementing a communications protocol.
Keep in mind that nothing of this sort could ever happen if people weren't using TCP, or CPUs that have the same instruction sets, etc. Of course, without those things computing wouldn't be much fun either...
It won't go away, unfortunately
Most viruses out there are spreading nowadays without the user actually having to even click once. They are using known vulnerabilities in Windows for the most part. This rules out what you said about user idiocy: you can still get a virus in Windows by just connecting to the internet, even if you have a recently updated antivirus.
If Linux was the one being attacked by these many viruses, I would be the first to point a finger at it. But how can someone argue that right now? It has been a struggle to keep up with all the people getting viruses in the last few months just because they had XP on their PCs.
Maybe it's because Windows is so popular. I don't know and I honestly don't care. That way of reasoning is not going to make Windows look less vulnerable to me.
Diego Rey
diegoT
It is a little like "suicide by cop".
Um, no. Windows and Linux both have flaws, but if you READ the security bulletins you'd see that there are a lot of differences between the TYPES of flaws. Your typical Windows exploit is a local privilege-elevation attack, but there are also semi-frequent remote root exploits, such as the latest RPC or ASN.1 exploits. There are also exploits in third-party apps, which depending on the app may be a de facto Windows exploit because 1) the app cannot be removed from Windows, like IE, or 2) the app is so widespread that it's safe to assume nearly all Windows users have it, like Outlook.
Contrast this to Linux, where nearly all exploits are actually in applications, like Mozilla, WU-FTPD, or BIND. Very few Linux exploits exist, and those that are found are not remotely exploitable. Some applications, like XFree86, are widespread enough that they are like Outlook on Windows--XFree86 exploits are de facto Linux exploits. But there is simply a wider range of software in use on Linux machines (Mozilla, Konqui, or Opera?), so many applications are not as practical to exploit on Linux as on their Windows equivalents.
This doesn't even begin to cover the fact that buffer overrun attacks have to know the architecture of the machine in advance, and while that's a given with Windows, Linux could be running on anything. Also many people would put WU-FTPD exploits in the "Linux exploit" category in spite of the fact that distros don't ship the horrid thing anymore, and instead use vsftpd--which, incidentally, has an excellent security record. A Windows-biased user would call a Mozilla exploit a Linux exploit but not a Windows exploit, in spite of the fact that Mozilla runs on both platforms and many Linux users don't use Mozilla. Adding up numbers of security bulletins doesn't mean anything if the numbers are bullshit to begin with.
To compound this, Windows still suffers from the "user needs to be a local admin for some very basic non-administrative tasks" (such as installing browser plugins and fonts), thus increasing risk of damage. Not only that, but Windows hides file extensions, but makes the file extension the sole determinant of whether a file is executable. (NTFS has the capability to fix this, but Windows applications like Outlook don't use it). And lastly, Microsoft has a bad history of releasing patches that break things, because they don't just fix the bug, they just cut a new branch off the development tree and users get all the new features and bugs along with it. I've been running Linux since 1997 and am totally comfortable with the idea of downloading and installing updates automatically the day they are released. Doing the same thing in Windows is insane.
nice to know something does.
Actually, one of my fellow college graduates makes pretty good money doing that. In the wake of all of these virus attacks, he offers "recovery and immunization services," the immunization step basically consisting of turning on the native security features and running Windows Update. And yes, he does charge per hour while waiting for Windows Update to install... Admittedly, his time is closer to $20 per hour than $50 but it's still kind of slick.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Was I wrong to consider using /. as an effective way to communicate issues like this to the technical community,
Yes, you were wrong. Any admins who take security seriously do not monitor Slashdot for up-to-the-minute security advisories. There are long-established sites for that. Therefore, Slashdot is not an effective way to communicate issues like this. If and when such news shows up on Slashdot, it should be old news for those in positions who need it most.
Consider taking your Windows virus 'news' to a Windows-centric site in the future if you are concerned about being effective. Virus-checking is currently a non-issue for many people at Slashdot, including the Slashdot admins themselves.
If linux were as popular as windows, I'm sure someone would exploit one of the widely published security holes in key linux software such as the kernel or other server software written in C. Just monitor the appropriate mailing lists if you are interested in the latest identified buffer overflows. Of course those running the latest patches would hardly be affected but we all know that world + dog doesn't update their linux software just like their windows counterparts don't update their windows software. However, worms and viruses need something linux cannot (yet) provide: substantial market penetration. Linux software has many known issues and many organizations are very reluctant to upgrade their software (redhat 6.2 is still found in the wild even though red hat has long since stopped supporting it, aside from really critical updates). However, deployed linux configurations tend to be very dissimilar so you are unlikely to find a security hole that affects more than a few percent of users (of which the total population is 1 or 2 percent of pc users according to the most optimistic estimates). Because of this linux viruses and worms cannot propagate. A good mailvirus needs an addressbook full of potential victims. A hypothetical pine worm would not find many potential victims in the average pine user's addressbook (is there such a thing in pine?).
:-).
This security is no inherent quality of the software but just a consequence of very few people using the same version of linux. Linux security is essentially security by obscurity. By using software that nobody else uses you avoid being targeted by viruses and worms that depend on mainstream adoption for propagation. Just like in nature, monocultures are vulnerable to viruses. I'm not saying that linux is insecure, I'm just saying that many people confuse the lack of attacks on linux with its alleged security.
If you want security, install BSD. Even less people use it and many BSD users suffer from severe paranoia (resulting in increased awareness with respect to security issues) so you are unlikely to be ever affected by the latent security holes that are waiting to be discovered. Even MS uses BSD software to keep the scriptkiddies out.
Ironically, Microsoft's biggest security problem is that people are buying and using their products. I'm sure that is something they don't want to fix. Upgrading is another issue, MS is actively pushing their customers to upgrade (though not necessarily to protect them
Jilles
Not a troll, the truth. When Slashdot posts virus articles, I laugh. But not (just) because I use Mac OS 10 and Linux, but because I also happen to have a Windows box, with a net connection, with Kazaa that's been running for weeks and weeks continuously, and I haven't had a virus on it in a very long time. And I've never had a virus in my entire history of using Windows (since Win95) that's required me to do drastic things, such as format. I've only had to do that because of Microsoft related issues, such as their drivers from WinUpdate messing up the system. ;)
I always get asked by people I know, "Did that new virus hit you?"
I say, "What new virus?"
They say, "I got it a few days ago, totally messed up my computer. CNN reports millions of computers infected."
I say, "Never got it. Never even heard of it until now."
They say, "You must be lucky then."
But in reality, I'm not a moron like they are. I don't blindly double click foreign exe files. I don't read my spam and say WOW LOOK AT THIS FREE SAMPLE!!!!111oneone
I don't succumb to "I_am_a_virus_dont_click_me_or_I_will_fuck_up_your_computer.exe"
And the sad reality is, this is the root of the majority of virus infections.
You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
The problem with that is most people who are going to be using linux boxes that would fall for that will receive "Access Denied" nine trillion times and just end up only deleting their own home directory. Then their administrator gets to be a BOFH to them.
If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
just because anti-virus companies are several years behind the curve, doesn't mean it's new. From the beginning of modems to IRC, hackers have always aggressively used new technologies for hacking purposes. Back when wireless phones were analog, I knew several groups of hackers in LA actively hacking without the carriers knowledge. Using P2P is a natural evolution from using IRC networks for distributed attacks. It's only when newbie script kiddies start using it that anti-virus companies realize what's happening. The whole idea that security through obscurity, or that hackers are dumb is so far from the truth.
They use GPL'd code from WASTE but haven't released the whole source code! They're in a world of legal hurt now.
Typical Windows bloatware.
Do you administer a windows machine that isn't behind a company firewall and has an always-on internet connection? Because it isn't easy to keep viruses out. Hell, even NAV only updates signatures once a week, generally, so there's ample opportunity to get a virus.
Yes, you can generally get rid of them easily, thanks to Symantec's auto-remove tools, but 1) you have to know to do so, and the virus generally doesn't email you to tell you this, and in the lag time between infection and NAV update it's generally done something to disable NAV (as this very worm does, if you RTFA). So we're getting to the point where removal isn't trivial.
As a mostly linux/mac user, it's tempting to agree, but keeping a windows box locked down is a full time job. Just because you're not an idiot doesn't mean you have time to do all the shit you need to do to keep windows secure.
"Fatbot, noooooo!!!"
We have not had an attack serious enough yet to warrant this barrage of virus alerts. Of all the 'major attacks' over the last year, I got hit by one of them (blaster), which I was able to fix in a short period of time. The patch for Blaster's vulnerability was out like a month before Blaster came out, it's people's own fault for not patching.
Considering the known partnership between coders I wonder who's gonna be first with the Visual Virus Studio even in a pre-Alpha. It will look nice with Microsoft, SCO, RIAA icons ...
News relating to Viruses and spam is becoming very boring.
When surfing the net at home, I frequently (not always) use Opera Browser with JScript, Plugins, Java, and even Gif animation disabled. The Cache and cookies are all deleted on exit (nice in Opera; cannot empty cache in Mozilla or FireFox).
I use Pegasus for email. I stopped using Norton (after it failed to detect one of the email viruses although it was up to date) and switched to Nod32. I started using Tiny Personal Firewall after Norton Internet security failed me too.
I feel a bit safer, but I always think of asking M$ developers: Why?
Firestone and Ford were sued for the "few" defective tires and/or cars. Defective software costs millions of dollars each year and no one thinks of taking the defective software companies to court.
I want to say that although this is not "breaking news", this PhatBot thing is one impressive piece of software!
You just made it back to my foes list for that one, bud.
...I want to pre-order the book.
Hmm... I suppose user idiocy is a flaw that Windows has that Linux doesn't.
Only idiots who can't use linux because it is not _user friendly_ use windows, hence get infected (either because windows is flawed or because they are plain stupid). Yes, so you are probably right. User idiocy is a flaw that windows has and linux doesn't.
lmaoroflolololomgwtfomfgpciansilotbad
...fag.
That's if you're speaking the ebonics dialect of latin...
Want to run MS Flight Sim? It must be done as an administrator, even on XP. How many other games are like that?
I recently installed some financial software. Of course I had to do that as admin. It wouldn't run when I switched to my user acct. The vendor help desk's advice? It's designed to be accessed by one user. Read the EULA! Uninstall it and reinstall it from the user account. Oh, you can't do that? I guess you have a problem....
They also informed me that "we don't support firewalls", you have to disconnect that if you want help.
So....pretty much every where in the eastern hemisphere, right?
796F75617265616E65726400
Tools | Options | Privacy | Cache | Clear
Now that was easy, wasn't it?
I am NaN
Found a posting that could contain snippets of the original DHS alert.
From: http://www.dslreports.com/forum/remark,9614814~mode=flat
"Note from Microsoft concerning the second scan...
------------
Our Security team says:
The Dept of Homeland Security has issued an alert on a new bot that may be related:

To NCC Telecom-ISAC members (Routine lists), Info NSIE Info N2

Below are details, received from a trusted source, regarding a new bot discovered this morning. We are listing first the important highlights from the analysis write-up, followed with a more detailed technical analysis. We would appreciate any further information or feedback on this information.

Important highlights

* Kaspersky does NOT yet recognize this file as a trojan; it is unclear if other AV software detects Phatbot. All attempts to kill the process will respawn a new one. All attempts to remove the malware have failed in our tests.
* Thus far, we've witnessed the following spreading mechanisms:
  TCP 135 (Win9x Netbios)
  TCP 139 (Win9x Netbios)
  TCP 445 (Win2k Shares)
  TCP 3127 (Mydoom)
  TCP 6129 (Dameware)
* Based on strings output this bot appears to include the following:
  - multiple DDOS capabilities
  - multiple spying capabilities
  - disables at least some Anti-Virus, Anti-trojan, and Personal Firewall software
* The bot appears to offer relay capability by listening on:
  TCP 63808 (Socks)
  TCP 63809 (HTTP)
  TCP 65506 (SSL)
  Infected hosts should have these ports open, along with TCP 4387.
* How to spot Phatbot:
  - Watch for ingress or egress active opens (SYN packets) to TCP 4387.
  - Watch for ingress or egress active opens (SYN packets) to TCP 4387, TCP 63808, TCP 63809, and TCP 65506. This *may* indicate the presence of the bot.

Detailed Analysis

Unfortunately, it appears as if peer-to-peer communication is making its way further into bots. The latest bit of malware we received, code named "phatbot," has some interesting characteristics we'd like to pass along to you. Unfortunately we've not been able to get to the bottom of everything yet, but thought a little bit of information would be better than nothing!

This bot appears to be a derivative of the infamous Agobot. There is a fair bit of shared code, at the very least.

This malware affects windows machines and installs as %SystemRoot%\system32\srvhost.exe, e.g. c:\windows\system32\srvhost.exe. The malware runs as "%SystemRoot%\system32\srvhost.exe -service". The malware is PE encrypted with PE-Crypt.Wonk. Kaspersky does NOT yet recognize this file as a trojan; it is unclear if other AV software detects Phatbot. All attempts to kill the process will respawn a new one. All attempts to remove the malware have failed in our tests.

It is unclear how many hosts are infected or how large the P2P botnet has become.

Thus far, we've witnessed the following spreading mechanisms:
  TCP 135 (Win9x Netbios)
  TCP 139 (Win9x Netbios)
  TCP 445 (Win2k Shares)
  TCP 3127 (Mydoom)
  TCP 6129 (Dameware)

The scanning is not launched at startup. The scans appear to be sequential, e.g. the infected host scans TCP 135, 139, 445, 3127, and 6129 on each scanned IP. This may be a means by which to detect the scan and sploit activities of Phatbot.

Based on strings output this bot appears to include the following:
  - multiple DDOS capabilities
  - multiple spying capabilities
  - disables at least some Anti-Virus, Anti-trojan, and Personal Firewall software
"
Hi Everyone
As many people have pointed out there is an utter lack of response by the top three anti-virus companies to this threat. I find this disturbing and also, unlikely. Why would the Department of Homeland Defense have better intelligence on a clearly US based threat (Phat is not an international phrase by any means) than the people who make their livelihood based on threat detection and elimination?
This has, to me, the markings of a hoax. The list of *features* as one poster put it is indeed staggering. That, coupled with the silence coming from Symantec, McAfee et al. makes it look fishy. A google search shows one recent post and a bunch of older hits (possibly the same as in the McAfee search).
So that leaves me with 3 questions:
1 - Is it real
2 - How do we detect it
3 - How do we kill it.
--KS
I was wondering where you'd got to!
Working for MS now, are you?
Ah Bob, you love hopeless causes.
I don't know the meaning of the word 'don't' - J
>>Most viruses out there are spreading nowadays without the user actually having to even click once.
Which ones are doing this? I thought the current batch were all using good messages to get users to open and run them.
Are there some that I am not aware of now?
would one consider using a virus to remove other viruses...
Dayum. If only we could get most OS app developers to be that thorough.
-*- Any technology indistinguishable from magic is insufficiently advanced -*-
Here is a problem I had never thought about with open source initiatives. What happens when someone steals your source without obeying GPL or anything and turns it into a monster? It would have been *MUCH* harder for the PhatBot authors to code their own Waste-like clustering P2P system.
The same thing you do when someone buys a hammer and then uses it to kill someone. You just deal with it.
Once you distribute something, be it a physical object like a hammer, or source code, you lose a certain amount of control over it. It's just a fact of life.
Sure you could try and make your hammer harder to kill someone with, or make it stupidly difficult to buy a hammer in the first place, but all you really end up doing is hurting people who need your hammer for legitimate purposes.
Life is too short to proofread.
What happens when someone steals your source without obeying GPL or anything and turns it into a monster?
That's what Dr. Frankenstein said when he took the corpses for his creature. But he showed them, didn't he! They all thought he was crazy! Bbbut whooss teH CRzy onE now, HAH? You fooLS, YOU ALL LAUGHED, BUT IL HAV THE LAAST LAUHG!
MWAHAHAHAHAHA!
- DCOM
- DCOM2
- MyDoom backdoor *
- DameWare *
- Locator Service
- [Administrative] shares with weak passwords
- WebDav
- WKS - Windows Workstation Service
* Apply to 9X (although these are backdoors, not exploits)"
"Give a man a fish and he will ask for tartar sauce and French fries!"
Actually, most of the code *is* GPL. It is mainly composed of Agobot, ftplib and WASTE. All three are GNU GPL licensed. The only source not available is the mods made by the Phatbot developers.
-Joe
That would appear to be the case:
The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL).
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Well, I suppose it's a lost cause (as with the "hacker" term), but it can't hurt to point out that it really doesn't make much sense to call this program a "trojan".
The article suggests that this is a "trojan" because it lets attackers stealthily take control of your computer. But that was not what was remarkable about the historical Trojan horse. What was remarkable about it is that it was presented as a gift. The distinguishing characteristic of a trojan is that it has a friendly outward appearance but contains a deadly payload. That's certainly not the case with Phatbot.
Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally aren't malicious, just annoying.
Of course it's water under the bridge at this point.
Well, this worm also spread using a TCP stack from Microsoft.
I'm sure if Microsoft hadn't released a TCP stack, or an API for creating sockets and connections, it would have been much more difficult for this code to gain access to the internet, and to other peoples' computers.
What happens to Microsoft when somebody breaks the law using Microsoft's code?
Nothing. Because there's nothing they could have done about it. OSS is the same way.
Hey freaks: now you're ju
Fat Butt Programmers spreading rapidly in front of Windows PCs.
I've never had a story accepted either, and on a number of occasions I've submitted stories hours, days or weeks before the topic appeared on Slashdot. It's pretty common; I wouldn't make anything out of it. It's quite possible that someone submitted the story before you did even earlier in the morning and the editors put that one in the queue to go up at 2:43PM. They pre-scheduled the various stories that go up hours (and sometimes even days?) in advance. Or perhaps they decided it was a worthy story after they saw the 27th submission of it.
I realized one day that we could essentially have a user-contributed, user-moderated article queue of sorts using the journaling system here. I've dedicated my journal to it. I haven't figured out how to draw larger traffic to it without making this a part-time job, but you're welcome to contribute to it and I welcome suggestions.
--LP
I found 71 viruses on a computer which belongs to a faculty member.
.... who needs to buy a server-U software now?
Something that amazed me is that it even comes with a Serv-U FTP server.
i was thinking
So, everyone should be safe from this virus, correct?
This security is no inherent quality of the software but just a consequence of very few people using the same version of linux. Linux security is essentially security by obscurity.
I'm sorry but that's just plain stupid. Do you know ANYTHING about software? Do you even know what "security by obscurity" means?
LINUX IS DESIGNED DIFFERENTLY AND DESIGN MATTERS.
What you're trying to do is like saying brand A's cars are stolen more than brand B's cars because they're more common. Sure, that will have something to do with it, but the fact the brand A's car's use shitty locks while brand B's cars use both good quality locks and an electronic theft deterrent system is going to be the main reason.
The simple fact is that if someone finds a way to jack Mozilla, they can reformat my windows PC, but not my Linux PC. Why? They're designed differently. It's not that someone can't find out how to reformat my HD under Linux, because it's somehow "obscure". That's the stupidest thing ever. The system is documented. The source code is available. By definition it's not "obscure". It's all right there for you to see, not obscured in any way.
Life is too short to proofread.
Something to the effect of: it installs itself, secures your computer and all other computers belonging to the people in your email contacts, then notifies you that you have become secure.
Or a trojan that slowly converts windows machines to linux without the users knowing.
hehehe
A friend will come and bail you out of jail, a true friend will be sitting next to you saying, "damn that was fun!"
The correct term is backdoor server, not client. The client is what all the scriptkiddies run.
And yes, in this case the backdoor server is also a P2P-client.
Have it grep the HD for pr0n keywords, and mail the results to Outlook's Address Book. After that, nobody would think little of viruses ever again...
(here in double-moral country, that is)
I'm looking forward to a virus that's a hybrid of a bit torrent client/p2p network and malware. Just think of a virus that downloaded and shared random music off of Kazaa behind your back. The ultimate RIAA defense!
> Well, I suppose it's a lost cause (as with the "hacker" term), but I it can't hurt to point out that it really doesn't make much sense to call this program a "trojan".
Um, yes it is.
> The article suggests that this is a "trojan" because it lets attackers stealthily take control of your computer. But that was not what was remarkable about the historical Trojan horse. What was remarkable about it is that it was presented as a gift. The distinguishing characteric of a trojan is that it has a friendly outward appearance but contains a deadly payload. That's certainly not the case with Phatbot.
Excuse me, this executable (virus) prob had a name that was very friendly looking in the beginning.
> Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally aren't malicious, just annoying.
Last I checked, groomed, a virus actually did something to exploit a program. This program, whatever, is a trojan. The user has to accept it (click it).
> Of course it's water under the bridge at this point.
Then u even get the def of "worm" wrong. A worm's main characteristic is to be able to spread without a luser to do a thing. It uses an exploit to gain access as uid "i dont care" and spreads itself.
Think of it this way. download a virus and a worm. Run both of them.
The virus will spew copies of itself via email and probably never go any further.
The worm will find another host, own it, and well buddy, it is out of your hands now. And no user double clicked it.
have a bad day security luser
How do you think Linux is going to fix this problem? You think someone who'll unzip a password protected zip file and then run whatever's in it won't be prepared to type "chmod a+x filename"?
... before I caved and got DSL. The combination of dial-up and frequently run and updated antivirus gave me quite a sense of security. Of course I just traded it all for the ability to game and dl pr0n at lightning speed...
Freedom: "I won't!"
Clearly, you've never tried to catch even a TAME cat that didn't want to be caught ;-)
Freedom: "I won't!"
Yep the full 3 million lines of code are there for me to read. I'm pretty sure that even Linus Torvalds can't claim to have read all of it and analyzed it for security. I'm pretty sure that the portion you have read is much less than 1%. For all we know linux could be very secure, we really have no way of finding out because scriptkiddies don't seem to be very interested in exploiting the publicly available knowledge on identified (and of course patched) security problems. I also know that there's a steady flow of newly discovered buffer overflows being patched which were unpatched until they were discovered and remain an issue until someone bothers to update all the deployed software.
/home/user/* is where the important data lives, not /etc or /bin. If my program files directory is corrupted, my sysadmin will just reinstall the ghost image (annoying). If "My Documents" is corrupted I have a slightly bigger problem (lose a few days/weeks/months of work).
So you are basically saying that it is impossible to gain root access because you use linux??? And you call me naive!!! I'm willing to accept that it is possible to configure linux such that this is very hard (just like windows). I'll even acknowledge that out of the box you are much better off with some linux distros (not all and especially the popular ones have many issues).
To comment on your car example, if you put a very expensive mercedes in front of your house, it will come with comparatively good security. Now put a pinto next to it with the default, off the shelf security. Guess which one is more likely to be stolen. The locks don't matter much here. The point is that while the pinto is easier to steal, the mercedes is not impossible to steal and is a much more likely target because of its value. It needs the expensive lock just to lower the risk to acceptable levels. With comparable levels of security, a linux system is less likely to be affected by security problems simply because there are more windows systems. It would be wrong to conclude that because of that linux is somehow more secure. You can actually get away with running an improperly secured&patched linux box for a very long time. Try that with a windows 2k server and you are asking for trouble. Yet both configurations are flawed and offer plenty of opportunities for a disastrous attack.
Now in a corporate setting, windows users will not be running outlook or ie with administrator rights (which many linux users seem to believe). Very few viruses actually require them to do so.
If a virus manages to exploit mozilla (which conveniently includes a mailclient and an address book) on linux it will be able to do anything it wants with your data (rm -rf ~/*) and spread to other users. Of course the success of this virus would depend on the percentage of vulnerable recipients in your addressbook, not on the amount of damage it can do. Mozilla is an excellent product and mozilla.org has a very good security policy for the inevitable security problems. So this scenario is unlikely but not impossible because of linux or any design choice. The reality is that many linux distros ship with old versions of mozilla (e.g. 1.0 instead of 1.6).
The security comes from the policy to patch and update not from any technological choices. I don't see any significant differences between the linux and windows communities here. So linux is not inherently more secure just less likely to be a target. Any good sysadmin knows this.
Running linux is like living in a nice neighbourhood, you can leave your backdoor open without much risk.
Jilles
"just like Win3.1 was DOS with a mouse"
You mean "just like Win3.1 was DOSshell with resizeable windows". Anyone remember good ol' dosshell?
Oh I never said it would solve the problem. I just want Linux to be stress-tested by an equivalent number of idiots. I think Linux will do better than Windows, but it should generate a lot of amusing horror stories.
One line blog. I hear that they're called Twitters now.
Here's an interesting idea, although it may be a great oxymoron.
DRM'd open source code.
Basically, the code comes in a special encrypted file that you can read, modify, and save, but not extract text/compile. In order to use your modified code, either a) build it with a special version of a compiler (GCC if they're willing) that doesn't allow the executable to be moved...by loading hidden files or detecting hardware, or b) ask the copyright holder to unlock the code once the copyright holder is satisfied the code isn't illegal and the modifier won't violate the terms of the license.
I'm not sure if the system here is truly "open source", but it does allow free viewing and local modification of the source. As always, if someone has a legitimate need that isn't covered by the standard license, she can contact the copyright holder for a special exemption.
Ah, the 8-Layer OSI (Obfuscated Slander of Idiots) Model.
---- Just another spud server.
Anybody remember the slot machine virus that
would store the disk's file allocation table in
memory, wipe it off the disk, and give you 3 tries to win it back?
No shark, no bridge, no helicopter.
Of course it's not real.
Read, L
I've seen better...
So let's say you go to the store, and you buy a program. you just spent your money.
Then, you go home. you try your program out. and guess what? while it kinda works, it doesn't really work right, and most of all it works in some ways rather badly.
Guess what? you're screwed. Because you spent your money, for a program that you can't return. Because you checked it out. The problem is that you can't know whether or not your neat little program works before you go past the point where you can't return it any more.
Enter RMS and everyone else. we now have free software. If you hate a program, don't use it, and bash it on slashdot. Your vote matters. If you do like it, support it, contribute to the code, and maybe buy the creator a steak dinner once or twice. You have no obligation. And best of all, it's free.
And these complaints, this mavis beacon crap, or whatever...a program like that would be dead, no one would use it, and it would never hurt anyone. If it was truly useful, it would be rewritten with the bad security ideas cut right out.
Sometimes I lose faith in open source. And then I remember how crappy the Windows world has it..
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Virus writers won't do this because
A) it will bring the wrath of the world down on them and
B) such an awakening to security would in fact cause people to pay attention and make virus writers' jobs harder.
Remember: the trick when infecting computers is to do your work WITHOUT the user noticing. These aren't viruses mean to damage, that is just a side effect. These viruses are spamhosts, actual money-making systems. That's why these viruses and bots exist: to make money. Not to be cool, or l33t, or cause damage.
I think the solution is to adapt one of these spambots to do the very thing you mention. As an outsider, you could care less whether or not your bots survive long enough to be spamhauses, you just want to make your point. Have them send out 10,000 infections, and then execute "formate c: --force" or whatever the command is.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Computer terrorism. Let's throw some Apaches, F-15's, and troops at this problem. Let's see what we can do now.
Fortunately, Linux does not rely on script kiddies to do it's bug resolution.
I find it interesting and disturbing that you do.
You can get away with it as long as the box does not have any network connection. You are seriously out of your depth if you think you can connect a Linux machine to the internet and leave it unpatched and hidden.
There are reasons why Linux enjoys popularity as an internet server application platform.
One would suggest that you do some research into the Linux security model, before posting such asinine bullshit to
Obscurity is not our policy. In your car analogy, Linux is the Mercedes; one notes that in Europe, there are far more Mercs than Pintos.
Thank you for your humourous contributions, you've been a real pantload.
This sounds like another step towards a perfect virus described in this paper titled "Warhol Worms: The Potential for Very Fast Internet Plagues"
The anonymous link is the ONLY mention of this supposed virus on the whole Internet!
The point is that the problem isn't the OS, it's the users. There's very little - if anything - the average virus wants or needs to do it wouldn't be able to do even when "contained" in a regular user account.
You seem to forget that to get an e-mail-borne Linux virus running on a par with its Windows brethren, you'd have to download it, make it executable, su to root, and then run it. That's a bit different from just checking your e-mail and having your virus du jour executed for you.
To get an e-mail-borne Linux virus running on a par with its Windows brethren, you'd have to download it, make it executable, su to root, and then run it. That's a bit different from just checking your e-mail and having your virus du jour executed for you. Or if you're not running the accursed Outlook Express, you would probably have to double-click the attachment.
Even if someone sent me DOS_ZOMBIE.sh (a shell script) I'd STILL have to save it, change its executable permission and run it! Even if I were logged in as root.
There's a big difference. No, really, there is.
Mac OS X uses a BSD-based kernel.
The difference between Windows and Linux is that Windows doesn't warn you that you're being foolish running with full admin rights. Recent versions of Windows try to be clever and not allow you to delete or replace critical system files, but then file protection can be turned off.
There's just too many nooks and crannies for stuff to hide in with Windows. At least with Linux you can boot into runlevel one (single user) which will stop X starting and other services. Once you're at a prompt you can remove any viruses using your normal shell. What's the Windows equivalent? recovery console? it's extremely limited, it's not even up to DOS standards in terms of usefulness.
I don't believe this to be off topic, but a statement that the parent post was off topic.
Give him a break.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
The question still remains:
*Has anyone been able to detect it?*
Because I sure can't...
This trojan is no more based on P2P than any of the previous windows vulnerability based trojan/worm distributed malware.
I am worried that this is an attempt to superficially connect P2P with hacking and trojans, in an attempt to later get it banned or regulated in some way.
Still, attacking the surfers that are riding the wave doesn't save you from drowning when the wave hits you. The content industries can adapt to their new surroundings or they can claw desperately as they slide into the abyss.
I could use my shotgun to get rid of the fly in my house, but that would end up causing more trouble than it solves.
A much better solution is to get AVG Antivirus (free for personal use) and let it clean your system. It is not only not malicious, but it also kills off (and totally removes) far more than this piece of crap.
Do they own the market?
The amount of non-listening you face at your average support job is staggering. We try to educate and protect our users. However we get three things ALL the time:
1) They insist on taking over their systems. By default everyone is put in a domain and given user level access to their systems. We then take full responsibility for patches and the like. We'll install any software they like, they just have to ask. Well, many users get whiny about that and wipe and reinstall. They then, of course, assume they know everything and of course don't listen and don't patch their systems.
2) They simply don't listen to what we tell them. We tell them not to open attachments they aren't expecting without calling the person first, not to run random shit off the web, etc. What happens? They do it anyways. They get it explained again, and do it again.
As a non-virus example that is related, one guy kept putting in a static IP without asking for one. This would then collide with the DHCP server and end up creating a conflict. We'd go get him to fix it, and he'd do it again. Eventually we took to shutting off his lab's network access, then he finally learned to listen.
3) Not caring. Many people just don't give a fuck. They don't care if it hurts their performance and besides, we'll fix it for them anyhow. They just ignore advice since it doesn't matter to them.
People need to WANT to learn to learn something. The real solution to this is to have consequences. I fully support ISPs turning off people's connections and refusing to turn them on until they are patched. No redirects to easy patch downloads either, the users need to suffer. They need to have to go and get it fixed themselves, which for many will involve spending money on software or support. After they do this once or twice, they'll learn how to stop it from happening since they don't like the consequences.
It isn't hard stuff to learn, but people have to want to. If they don't they won't. For example:
I have taught both my parents quite well. They keep their systems patched (not hard with auto update), they don't open attachments from anyone they don't know, they call people they do know to confirm attachments they get, don't give out personal info, etc. Simple stuff, and it keeps them virus free.
I have NOT been able to teach my sister, despite my sincere attempts. She's not any less smart than my parents, she just doesn't care to learn. She's fully capable of understanding the instructions, she just ignores them. It doesn't bother her that her computer is slow as hell because it has spyware up the ass, she just goes about her business and lives with it.
We need some consequences to make users want to learn. Loss of net access is the easiest, fairest, and most useful.
Windows is quite usable when you do that
I didn't realize compiling software while running Windows would improve its performance.
How is a different client supposed to help? If a user opens an attachment, they'll get infected. Pure and simple. Where I work it's about 85% Eudora (people that refuse to change to anything new) 8% Thunderbird (people we convinced to change), 5% Webmail, and 2% Outlook (people who like it). Of those that got nailed by Netsky or MyDoom it was entirely Eudora and webmail people. None of the Outlook people got hit.
The client had nothing to do with it. It was whether the user opened the attachment or not. Unsurprisingly, the most likely to do that are those that refuse to upgrade from Eudora (version 3) because they don't like change. They also don't like listening to direction, including "don't open attachments".
Could an emulator like VMWare be useful? You could run a second Windows installation in a "sandbox" to use the old programs.
A Windows virus of this sort affects more than just Windows networks; many corporate networks are more heterogeneous, and a lot of corporate sysadmins read Slashdot. Sometimes they read /. before they check CERT or SANS, and that shouldn't be a surprise!
/. - why shouldn't an informed user be able to count on /. for "Stuff that matters"?
Aside from that, normal users - I mean non-sysadmins - also read
Firstly: Most of the people making bots, worms, etc. on a big scale aren't in the USA.
Secondly: How often are they caught? Basically never. Only the piss poor stupid ones, and then it still takes years.
So your law would be stupid, inane, and useless, except to the extent that it promoted more and more invasive police action.
When software fails to install because it tries to write files all over the disk, I find out before my system gets disorganized (i.e. braindead).
:-)
And it's nice to know no rogue ActiveX Control/Script can play with my registry!
I feel safe enough to turn off System Restore.
If you can email as a user, why would a virus in linux need root to do the same? As long as you are allowed to execute files you download (yea, after chmod +x'ing it), then an email virus could run in a regular user account and email out to others.
That is provided someone didn't su to root before running a virus. If someone did, good luck trusting any removal tool or method on your hard drive since a virus/trojan could run invisibly if it ever installed itself as a kernel module. It would then be best to wipe the machine and start over.
How do we know this hasn't happened already? If I woke up running on three million luser's Windows boxes, I'd end it all right then.
There, there, it will be all right. Let's go find some relaxing articles on MSN.Com.
I used to have a hobby of destroying little stupid botnets I saw, whenever it was easy and straightforward enough to be worth the hassle. Unfortunately, not all of the botnets can be taken down so easily.
:)
Many small botnets use irc to communicate, and it's fast to switch servers and move the net elsewhere. Also, the bots only listen to the admin, recognized through the irc network's Nickserv nickname registration services. Good luck taking it down yourself. And when the admins of the irc network answer and ban the channel, the bots move to the next place, waiting for commands.
As for custom control networks, it won't take long until people start using cryptographic stuff in the bots. Either to authorize the commands, or to simply encrypt their contents so that only specific bots can read them. Again, good luck taking them down.
Out of boredom, I've drafted and implemented such a network, to which the admin can connect through any of the bots in the net, and send botnet-wide commands without the immediate bot knowing if the connection is coming from another infected host or an actual master connection. This works by generating a chain of bots to send the message through, and encrypting each step, so the nodes only see where to send. When the final destination is reached, the decryption reveals a command that is signed by the botnet owner, and is then distributed to the whole net.
Very hard to trace, very hard to take over, very hard to do man-in-the-middle. Quite a bit like mixmaster, if you know what I'm talking about.
What will you do when these mainstream bot networks develop to that stage? An infected network of hosts could provide anonymous proxying and other interesting things for its users, in a hard-to-trace, hard-to-prove fashion.
Anyway, you were saying it's grossly illegal to counter these things. I'd like the laws to develop in the opposite direction. If some botnet floods me at 30Mbit/s, I sure as hell take it over to stop it if possible. In real world, there's this thing called "self defence", and anyone who says it doesn't apply to net because you're attacking innocent third parties is an asshole. They've already been attacked by malicious party, and that means EVERYTHING is potentially compromised.
Why should I be liable of any additional (unintended) damage caused by my actions, when the system has been taken over and is being used to do large scale attacks? It's like putting out a fire to prevent larger damage, and then being sued about the damages water caused. If business loses money because I shut down their web server for a few hours when it was being used to DoS me, why am I liable and not the guys who took it over and used it to DoS me? Back to the fire analogy, some bastard tries to burn down a store, and I run in with a bucket of water to put it down, only to be sued for doing so.
The problem is that the business doesn't see the fire, they don't realize their systems have been taken over. Even if they do see, they'll still complain that it wasn't causing them as much damage as taking down their systems did. If the idiots insist to this, how about we make it so that taking over their systems DOES cause them damage? Someone should start publishing whose systems are used the most for DoSing and other attacks, be it an isp or other business. Then they'll work to stay out of the lists, as it'd be bad publicity. And screw the jerks who say they're victims and this shouldn't be done to them, they're THE CAUSE of the problem by not keeping their security up to date.
So, I'm a criminal, for trying to be the hero. And I'll stay this way. I'll keep taking down smaller botnets when I can, and especially when they bother me. I'll keep breaking into servers I know to be taken over, to clean up the mess for them. I'll continue to write the admins little notes on their desktops and home directories about what they've done wrong, and what to do in future.
I'll remain grossly illegal and disruptive, for the greater good (and the need to feed my ego while having nothing better to do)
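The layered-encryption relay the commenter describes above (each hop peels one layer and learns only the next hop; the innermost layer carries a command the final node checks against the owner's signature) is the same shape as a mixmaster-style onion. The block below is an added example written for this page, not the commenter's code, and it exists so a defender can see exactly what an intercepting node does and does not learn. Assumptions: node ids and per-node keys are constructed inline; the per-layer cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag (a stand-in for a real AEAD); and an HMAC under an "owner key" stands in for the owner's signature, whereas a real design would use a public-key signature so that bots hold only a verification key and cannot forge commands.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a stream cipher: HMAC-SHA256 keystream in counter mode.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """One onion layer, encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Reject a layer sealed under another key or modified in transit."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer MAC check failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def sign_command(owner_key: bytes, command: str) -> dict:
    # Assumption: HMAC stands in for the owner's signature (see lead-in).
    sig = hmac.new(owner_key, command.encode(), hashlib.sha256).hexdigest()
    return {"cmd": command, "sig": sig}

def verify_command(owner_key: bytes, signed: dict) -> bool:
    expected = hmac.new(owner_key, signed["cmd"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def build_onion(route: list, node_keys: dict, owner_key: bytes, command: str) -> bytes:
    """Wrap a signed command in one layer per hop, innermost (last hop) first.
    Each layer names only the next hop; the blob returned is handed to route[0]."""
    inner = json.dumps({"next": None, "payload": sign_command(owner_key, command)}).encode()
    blob = seal(node_keys[route[-1]], inner)
    for i in range(len(route) - 2, -1, -1):
        layer = json.dumps({"next": route[i + 1], "payload": blob.hex()}).encode()
        blob = seal(node_keys[route[i]], layer)
    return blob

def process_layer(node_key: bytes, blob: bytes):
    """Everything one node learns: (next_hop, blob_for_next) or (None, signed command)."""
    layer = json.loads(unseal(node_key, blob))
    if layer["next"] is None:
        return None, layer["payload"]
    return layer["next"], bytes.fromhex(layer["payload"])

def can_open(node_key: bytes, blob: bytes) -> bool:
    """True only for the node whose key sealed the outermost layer."""
    try:
        unseal(node_key, blob)
        return True
    except ValueError:
        return False

def deliver(first_hop: str, node_keys: dict, owner_key: bytes, blob: bytes):
    """Simulate the relay chain. Returns (hops as (node, next) pairs,
    accepted command or None if the owner check fails at the last hop)."""
    seen, node = [], first_hop
    while True:
        nxt, payload = process_layer(node_keys[node], blob)
        seen.append((node, nxt))
        if nxt is None:
            return seen, (payload["cmd"] if verify_command(owner_key, payload) else None)
        node, blob = nxt, payload

if __name__ == "__main__":
    # Constructed network: four nodes, route through three of them.
    keys = {n: hashlib.sha256(n.encode()).digest() for n in ("a", "b", "c", "d")}
    owner = b"owner-secret"
    onion = build_onion(["a", "c", "d"], keys, owner, "report-in")
    print(deliver("a", keys, owner, onion))
```

The thing to notice is what the simulated interception shows: a node holding key "a" recovers only the next hop id and an opaque blob, a node outside the route (key "b") cannot open the message at all, and a message built under the wrong owner key is relayed to the end and then dropped. Taking over such a network by replaying or forging commands therefore requires the owner's signing key, not a foothold on one bot, which is the commenter's point.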
Ah, Layer 8 is good. Back where I used to work, we called them ID10T errors in front of the anti-Sherlocks (those without a clue).
...most normal users who are browsing from home do not need to clear their cache, sensitive documents (https://) IIRC is never cached whilst the insecure stuff is cached to improve performance and minimise network use. IMHO it's a good idea to get users to jump through hoops, only in very few circumstances do you really want to clear your cache totally.
I would suggest it for "meta"-applications. Like e.g. virus scanners, packet shapers and so on operating on OTHER programs' input and output.
I would also say firewalls etc. really belongs there, not really in the kernel. Of course, by then you've distributed what's in Ring 0 over Ring 0 (kernel routing), Ring 1 (NIC) and Ring 2 (Firewall)... perhaps not a good idea speedwise, but for stability and clean design yes.
Kjella
"With these P2P Trojan networks, even if you take down half of the affected machines, the rest of the network continues to work just fine," said Mikko Hypponen, director of F-Secure, an antivirus software company based in Finland.
The irony is that it seems like this system harnesses the power of the internet correctly, and thus we allowed our own Frankenstein's monster in.
Just once, just once, I'd like to see the stupid Slashdot posters like you actually use your brain BEFORE you post. Check the link, dummy. It's to a Post story on Yahoo. If you had bothered to stir the few brain cells you haven't already burned by watching Internet porn, you could have checked the Post Web site yourself and seen that, quite clearly, they posted a sidebar about how to tell if your PC is infected and what to do if it is.
Slashdotters, you're all a bunch of idiots. How many times have I seen you post "I saw this CNN report..." or whatever, when what you're really linking to is a Reuters or AP or some other news organization's report. Get the facts straight. You bitch when the media gets it wrong, but you don't hold yourselves to the same standard. MalacypseTheYounger, kiss my butt.
Read about it here.
And I treat all email attachments I get as 'text files' to avoid immediate system compromise.
Now I just have to keep my antivirus and firewall running ok to avoid having a particular Registry entry from being compromised that will make such 'text file' treatment of malware impossible.
As of Friday morning, the word 'Phatbot' is on Symantec's site but as one of the aliases of W32.HLLW.Polybot.c /data/w32.hllw.polybot.html
See http://securityresponse.symantec.com/avcenter/ven