Slashdot Mirror
Nasty New Virus Variants
Lucidus writes "Numerous journals, such as Mac Daily News and The Motley Fool, are reporting that the latest versions of the Beagle/Bagle virus can infect users' computers whether or not they open an attachment. Apparently, the simple act of selecting the message activates the code. Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?"
AntiVir might be a good, free choice.
I has served me well. Catches a lot of the spyware that my favorite pr0n sites try to push me, too.
The mime-type bug has been known for a long time. Microsoft has corrected it (twice :-)). I know this because my parents' computer was infected between their first and second attempts to fix the problem.
.exe, and it was executed.
In a nutshell, Microsoft uses the filename extension, not the mime type, to decide how to open a particular file. On the other hand, Outlook uses the mime type to decide whether or not to automatically launch images, sound files, etc. So all you had to do was to send a mail with an embedded image with a filename ending in
It has been more than a year since Microsoft crippled^H^H^H^H^H^H^H^Hfixed IE/OE sufficiently to remove this vulnerability.
I must concur with previous posters that the best approach is to avoid these software products.
I've said it before, and I'll say it again: people need to start being responsible for THEMSELVES. It's not Outlook's fault that the user didn't patch their system.
I'm sure that if someone wanted to take the time and analyze the source for Thunderbird, they could easily write the same type of worm/virus. However, you won't get the same type of media coverage that the others written for mainstream products will get. And yes, MS does write some exploitable code.
Most users who aid in the spread of these viruses/worms are ignorant. Time after time, news report after news report, they CONTINUE to fail to keep their systems up to date.
What's funny is each and every mainstream worm has been written AFTER the patch has been released.. and it's not like the day/week after, it's 5-6 months after. That's sad.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
the ISPs need to have some server-side virus scan running. we do through our company's email server, and so far, it seems to work like a champ
/dev/null.
This is so true...unlike spam, it's quite possible to detect 100% of known viruses with no false positives. That's because every virus must contain essentially the same payload. Viruses simply can't vary their content as much as spam can, because it has to result in executable code, plus some MIME trick or IE/Outlook exploit, either of which have no legitimate use and could be detected easily.
I started running ClamAV on my mail server a couple of weeks ago (after seeing a recommendation for it on Slashdot) and since then I have seen my viruses go down from 500 a day to 1 a week. I manually looked through thousands of the held messages and found no false positives, so now anything that ClamAV scans goes directly to
I have no idea why all ISPs don't use ClamAV! Obviously they don't need to throw messages away, just in case - advanced users might prefer that messages probably containing viruses just be quarantined instead - but that would eliminate the problem for most people.
My company outsources email virus protection to a dedicated service (Star Internet) which checks and forwards.
Its pretty cheap, and I've not had to worry about any email virii for years.
I'd (personally) like to see more companies (or even ISPs) going this sort of route as not only does it take the hassle away from sysadmins
(so you don't have to drive in at X in the morning to apply a patch), but it consequently helps reduce the rate of spread.
Windows in 6 Bytes (IA-32) : 90 90 90 90 CD 19
Except these worms now are not in attachments, they are part of the email message itself. It uses an activex vulnerability amoung others to attack the computer.
If people patched their computers, the virus would not have an effect on the computer. Atleast not this one.
Just what is an executable attachment these days? It used to be possible to say that Word files could never carry a virus, but ever since the Word Macro engine grew up into a full power Visual Basic for Applications that's not so true anymore.
It used to be possible to say an e-mail with no attachments was safe, but today's virus of the day is proving that wrong... just using an IE bug in an HTML e-mail is enough to cause trouble.
So, really... nothing's safe. I'm sure somebody will find a buffer exploit for plaintext mail in Outlook someday...
I have no idea why all ISPs don't use ClamAV! Obviously they don't need to throw messages away, just in case - advanced users might prefer that messages probably containing viruses just be quarantined instead - but that would eliminate the problem for most people.
;-) and, if for some reason you get a *real* email that happens to have a virus attached, you can still read it just fine. Remember, back in the old days, when viruses were first learning to use email, and they'd just attach themselves to whatever outgoing messages you'd send? I'll bet there's one or two of those still floating around...
My school's mail server, after getting slammed very hard by er... one of them a couple months ago (I can no longer keep up with which virus is which), installed something that I think is called Vscan. What it does is sends you an email which informs you that you were sent a message with a virus attached, and gives you a link with a generated username (usually the "from" email address) and password to view the message... if you really want to.
I like this system, because it's soooo much easier to filter those messages as Junk than all the random stuff that might be thrown together by a virus
Don't you wish your girlfriend was a geek like me?
AV solutions can and do break. Our's did at my provider. We still haven't got it back online. Our users have had to endure the full brunt of infected email for far too long.
No single AV solution can be up-to-date at all times. For starters we can't update our virus definitions within minutes of a newly discovered virus. It just doesn't happen. AV companies couldn't afford the bandwidth without raising our costs beyond what's considered reasonable. Free solutions such as ClamAV certainly couldn't afford it. Also, not all AV companies discover viruses at the same time. F-Prot might find the latest version of MyDoom before Symantec does. The fact that they found it means it's already in the wild as someone has had to analize it, create a patch for the defs to match this virus, get the patch through Q&A, and get it approved for the next release. There could be numerous hours between the virus getting into the wild, being discovered, being analyzed, and being caught in the latest virus defs.
Finally no defense of any kind should ever be one layer thick. One layer thick means you have no backup plan. No backup plan means you have no contingency for failures. No contingency for failures means your DRP (disaster recovery plan) has either been written fraudulently or you don't have one. In today's business world that means you'd better start updating your resume. A provider's mail system should not be the only line of defense from email-based viruses. Every single end-user desktop should have an up-to-date AV tool scanning all mail ahead or as a companion to the MUA. This is the *only* acceptable means of defense. You have to have end to end protection.
Many AV company's licensing scheme take both mail system users and desktops into account. Read the wording carefully because you may very well be able to use the end-user license to cover that user's part of the mail system....
Well, actually, I do well helping out joe sixpack with exactly this sort of thing. Not everyone is a programmer.
and you might be interested in these articles
Eric Raymond's rants: Part Onet ml
http://www.catb.org/~esr/writings/cups-horror.h
Some follow-ups:e ux.html
http://www.catb.org/~esr/writings/luxury-part-d
And mind you, I really don't like bill gates, either. So your criticism might be slightly off base. have a beer or take a pill, please
"It is a greater offense to steal men's labor, than their clothes"
>c. Stop using Outlook/Outlook Express
I dont know why slashdot posted this particular fact-free article and with the "what are users supposed to do?" tagline.
The patch is six months old, people. This isn't some major zero-day exploit that is tearing the internet apart.
I use firefox/tbird on windows, but still, lets be sensible here. People can use the IE/OE combo without too much fear as long as they keep auto-update running.
The strength of VB is really in the fact that it really makes using ActiveX to boss around other programs very easy, and also the ability to make system-level DLL calls. VBA adds the extra damage of being able to hide code in a file format that some people might not expect to be executable.
VBA doesn't actually have anything much missing from the VB6 command set. The only thing it's really missing is the ability to make compiled executables, that VBA programs can only be embeded in certain MS filetypes. It's a much bigger power tool than most people expect...
New Outlook Hole Found
http://radsoft.net/news/roundups/luv
May 8, 2000 0:00 AM UTC
This is getting ridiculous. An email appears in Outlook's inbox, and even before the user does anything, a message pops up on the screen. 'Had this been a real virus, you would not be happy', it reads. The relieved user clicks 'OK' and another box pops up.
'Deleting hard drive now... Just kidding!'
It was written by Leigh Stivers of DP Technology, who is trying to draw attention to a hole in Outlook that is far more dangerous than the ones ILOVEYOU found - this hole allows any email to be loaded invisibly with a destructive program that could go as far as deleting an entire hard drive.
Unlike viruses like ILOVEYOU or Melissa, these programs have no attachment and give no indication that they are anything other than ordinary email.
And with Outlook's factory defaults, this program - which might have been set to wipe your entire hard drive clean - can start running without you having to click a thing, before Outlook even tells you mail is there.
'The script can do almost anything', said Stivers. ''We were amazed to see how open everything was in house here, and we take security pretty seriously.'
You shouldn't have been amazed, Mr. Stivers. But thanks for the tip. We shall now visit the C|net link and read the article and within 30 minutes be running a better email client - for this writing on the wall is surely enough for even the lamest Outlook user?
http://news.com.com/2100-1001-240189.html
Joking aside, be careful that you check the exact exit code that you need to determine whether ClamAV found a virus or not. I was using a script called clamfilter.pl that someone else wrote. Since I was in a hurry, I went ahead and stuck it in my procmailrc without checking into it much. It seemed to work for quite a while. When one of the MS virus storms hit, I started sending all the viruses to /dev/null like you are. This turned out to be a mistake.
At some later point, we had a hard drive disaster that left most of /usr unreadable. However, the mail server was still running, and still using clamav to filter mail. Due to one of clamav's files becoming unreadable, clamav started exiting with a nonzero exit code, but not because it was finding a virus in the mail. Hence ALL mail went to /dev/null for a few days while the system was being rebuilt, and we didn't discover it until afterwards. I filed a bug with the clamfilter forum, but up till now the author hasn't fixed his (IMO dangerous) code that he is offering for general use.
The moral of the story is, if you are sending mail to /dev/null in ANY case, be damn sure that you are properly checking clamscan's exit code.
LRC, the best-read libertarian site on the web
Don't use Microsoft products... or use them and have an up-to-date modern Anti Virus scanner.
Don't forget that the Witty is entirely memory resident so most (if not all) virus scanners will miss it...
And that's why I've always had the Preview pain switched off. And switched on View as Plain Text as soon as it was available. And use CTRL-F3 to view the "source" of email from people I don't know. If you have to use MS products, you've got to be on your toes because they are out to get you!
One line blog. I hear that they're called Twitters now.