Nasty New Virus Variants

Lucidus writes "Numerous journals, such as Mac Daily News and The Motley Fool, are reporting that the latest versions of the Beagle/Bagle virus can infect users' computers whether or not they open an attachment. Apparently, the simple act of selecting the message activates the code. Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?"

Simple...

Don't use Microsoft products... or use them and have an up-to-date modern Anti Virus scanner.

Re:Simple...

[Sarin]

not a bad idea.

After the latest infection on my parents' computer, though mcaffee was installed and auto-updating and eudora, I decided to choose for the first.
I wiped microsoft from the computer and installed gentoo with kde, firefox and sylpheed-claws and I made it autologin into their kde account.

My parents have never been happier with their computer: 'internet is so much faster now' and 'hey that solitaire game is much more fun' and 'that thing allows you to have multiple virtual screens', it even looks better now and I told them they could click on any email virus they wanted.

Re:Simple...

[Perseid]

People have a tendency to forget that the evil-nasty viruses come out BEFORE the virus-scan developers have a chance to add it to their software. It is very possible to have the newest AV updates and get hit by a virus.

People who hide behind virus scanners as if they solve all of the world's problems are part of the problem themselves.

Re:Simple...

[dustmite]

Yes, it's actually impossible to be protected against the 'latest virus that just came out', because it's impossible that your AV vendor has protection against a brand new immediately (unless the AV vendor wrote it themselves). There always must be a "window" between time of discovery of a new virus and the time that your AV is updated to protect against it during which you are vulnerable, and this is typically anything from a few hours to a few days.

But just try to explain this logic to the damn "if you run an AV and keep your definitions up to date you'll have no problems" crowd ..

Re:Simple...

[Weekly+IT]

I told them they could click on any email virus they wanted

Maybe its just me here, but I think that might be a very dangerous way to think about viruses. Sure there aren't that many viruses know to affect Linux boxes, but one nasty one, possibly written by a Windows geek who's fed up with your kind of thinking, could do a lot of damage. Combined with the simplistic idea that "I have linux, no virus can touch me" and the growing popularity of Linux, I see a growing potential for harm.

Re:Simple...

[LurkerXXX]

And if you don't run your Windows machine as Admin, and you do backups of it, your in the same shape.

The problem is most windows users do run as admin (That's the way it came from the store. They'd run it as 'root' as installed if they had a Linux box. They just don't know better). Most also don't do backups, which is the critical part. Most machines bought these days come with a 'restore' CD that can have the system back to original shape in a hour or two, but the critical thing, the users data is still gone. It doesn't matter if you are on *nix or windows, their is usually a lot more time/value lost in losing the user space files than in simply reinstalling the OS/apps. *nix viruses will do just about as much damage if the user runs something they shouldn't.

It's not an OS thing, it's a user education thing.

Re:Simple...

[SillyNickName4me]

And the problem is that those products are really aimed at non technical people. How are they supposed to know or understand?

Re:Simple...

[doublem]

The problem is, running as anything other than admin isn't always an option because of poorly written applications.

Case in point: Omnipage.

We have an older version of Omnipage. I forget the logic behind not upgrading, but we'll leave that as an aside.

If you run as anything other than an Administrator, the application appears to freeze at startup. What's really happening is that the splash image is concealing an error message. You have to know the windows shortcut keys necessary to either move the error message until it's visible or just hit the "YES." Once loaded it's still a mess, and can't open any files.

Long story short, in order to be able to use a software package that has become critical to our business process, we have to have a bunch of users running as the administrators on their local machines. W2K "Run As" doesn't cut it, as the problems still occur.

Re:Simple...

[cloudmaster]

If you're gonna put that much effort into it, wouldn't it make more sense to put some effort into installing a different email client? :)

Switch!!!

Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?

Well, this one is gonna start a whole slew of flaming and trolling over the virtues of one platform over another as it is kinda a loaded question with a simple answer:

Switch

So let's start right off with a big razz towards Windows users from both the Linux and Macintosh communities.........

Thhhbibibibibbbpt!!!

Seriously though, when are you guys gonna get the picture? Microsoft if chasing a moving target here and they will always be behind the curve, reacting to the latest virus outbreak until they fix what is fundamentally wrong with the Windows architecture. Hopefully this will happen with Longhorn in 2006......or 2007.........or whenever.

Re:Switch!!!

[NemesisEnforcer]

Your solution is to switch to an entirely new OS because their "default" email program is poop?

How about all the windows users check out Mozilla Thunderbird. You can keep your nice, friendly OS, and still not have to worry about insanely sad security. http://www.mozilla.org

However, if you're feeling a tad adventurous, then by all means check out the alternative OS choices. Need some names? Check out FreeBSD, Red Hat (Fedora Project), Mandrake, and there are plenty more on distrowatch.

Re:Switch!!!

[golgotha007]

you don't really need to go so far as to switch operating systems. perhaps this is a wake up call for those to switch to different applications that have the same or similar functionality.

i use both windows and linux machines day to day.
on my windows machines, i've activated the built-in firewall and use Mozilla Thunderbird for mail and Mozilla Firefox for web browsing.

i have zero problems with viruses or worms.

The real culprits here are IE, MS Outlook (& Express).

Re:Switch!!!

[Coryoth]

Switching won't really help.

The reason most (or all) viruses are written for Windows is because that's where they'll do the most damage, since most people use Windows.

All fine and well, but it will help you if you switch, because then you'll be joining the happy minority that don't worry about such things.

Of course if everyone switches it will be a problem, but really, what are the odds of that actually happening?

It;s all fine and well to say "If everyone switched we'd still have the same problems with viruses", but realistically, everyone isn't going to switch. A lot of people are heavily locked into their current platform - so, if you can, switch...

Jedidiah.

Re:Switch!!!

[dougmc]

The reason most (or all) viruses are written for Windows is because that's where they'll do the most damage, since most people use Windows.

There is some truth to this.

If everyone switches to Linux or Mac OS then you'll start to see viruses for those operating systems.

Some more truth ...

You should be glad you're in the OS minority. That's what's keeping virus writers away from your system.

That's one small thing that's keeping virii out of my system. But it's only a small thing. Other things?

My mail client (mutt) does not run under an account that has full access to the entire system. Instead, it runs as me, and cannot replace parts of the OS even if it wants to. So it can't do things like replace part of the TCP/IP stack -- a popular Windows worm/virus trick.

My mail client does not automatically execute things sent to it. Instead, it shows me the text included in a file, and if I want to, I can open an external program to view it (like a movie player.) But under no conditions does it execute the email as a program, unless I save it to a file myself and execute that.

... And I know better than to do that unless I trust the source of the file, or can read through it and tell what it does.

Re:Switch!!!

I've never had to worry about such things.

I use Outlook 2003 every day with an up-to-date virus scanner and I maintain my Windows XP with Windows Update regularly.

Every virus I get is automagically snagged by Norton AntiVirus before it can do any harm.

My Windows 2000 server running IIS is fully visible to the public, and it never gets hacked. Know why? Because I can properly configure IPSec and maintain my patches.

Maybe the solution is not "OMG SWITCH TO LUNIX LOLLERS", but rather, educate the Windows users better. Make them more intelligent and clue them in to what they need to do to not fuck up their system.

People often tout Windows as "it's so easy my dead grandmother can do it" but I've learned in my years of sysadmining that Windows takes quite a bit of general knowledge to get working great, and once you do, you will have no problems.

Re:Switch!!!

[ncc74656]

If everyone switches to Linux or Mac OS then you'll start to see viruses for those operating systems.

I'd like to see someone try to write a virus or worm that affects plain-text-only mail readers like Mutt. That would be a clever hack. I also suspect it'd be damn near impossible to pull off. How badly would you have to screw up something that displays plain text for a vulnerability to appear?

The moron who had the "bright" idea to start sending HTML in email needs to be taken out back and shot.

Re:Switch!!!

[KevCo]

Exactly. So many people go on and on about how Linux or MacOS would be hit just as hard as Windows if they had the same market share. So what? The reality is that in the here and now they are safer alternative. If it is because of superior design, or simply insufficent user base to make them juicy targets, the result it the same to the end user.

Re:Switch!!!

[IntlHarvester]

Agreed. And I'm not particuarlly fond of Mozilla using it's full-featured HTML renderer for E-mail either. (Even though there's no known problems.) Ideally, you'd have a mini-render that would only operate on a Netscape v1-level HTML -- fonts and styles only.

As for text clients, there's been a few real world mail-based exploits for Pine over the years. Buffer-overflows in date or MIME parsing isn't exclusive to GUI programs.

one word

[Diclophis]

pine (or mutt)

1 answer.

[numbski]

Use thunderbird, connect to exchange via IMAP4, use the web interface for calendaring.

Re:1 answer.

[tepples]

Unless your IT department cluelessly refuses to turn on IMAP4 "for security reasons."

Aside from...

[ZiZ]

...applying the patch which the article says was out last October?

I don't know. Webmail, one of the numerous non-vulnerable email clients for Windows, maybe give up email entirely?

Monoculture is bad

[lavalyn]

The viruses have mutated in the wake of developed resistance (slightly more educated users). It's an evolutionary battle being fought...

But as there are way too many deployments of Outlook as it is, and because it is Outlook/IE that is being exploited, the first solution would be to increase diversity in that field. Other mail clients, such as Thunderbird, or Eudora, will thrive while Outlook continues to succumb to these new diseases.

Oh who am I kidding, Outlook will continue to wreak its wrath upon the Net and cause us to all suffer as a result.

Re: Monoculture is bad

[Black+Parrot]

> But as there are way too many deployments of Outlook as it is, and because it is Outlook/IE that is being exploited, the first solution would be to increase diversity in that field.

IMO e-mail viruses don't result from monoculture; they result from bad software design. Namely, e-mail clients that execute attachments.

We'd have Linux e-mail viruses in a minute if the popular e-mail clients added support for automatic execution of attachments. (Assuming anyone was foolish enough to use them.)

Re: Monoculture is bad

[bgarrett]

Bad software design can emerge from a monoculture. Linux et al. is mostly virus-free because there is no Linux Inc. who writes email clients that auto-execute attachments simply because some corporate customers like it that way. The design goals and objectives of FOSS are capable of being highly secure because there is no central management ensuring that something else takes priority at all costs.

how to fix

[AnonymousCowheart]

How to fix this? Install mozilla!
Anyway, according to this article here,
"Bagle exploits a flaw in Outlook, revealed in October of 2003, that allows a hacker to upload and execute a file on a user's PC without that user opening the file. Microsoft has issued a patch for the flaw in October, but users who have not updated their systems with this patch are at risk."
If you run an MS machine, and don't know that you have to update regularly, you need your head checked. Besides, updating an MS machine really is easy.

Download Email Headers Only

[Boyceterous]

One feature of MS Outlook that is missing from most other email clients is the ability to download just email headers. I use this feature to review sender/subject and I can identify all spam just from that.

Actually, I use my own program to download headers, score them for likely spam, delete the garbage emails(without ever downloading the actual content), then start outlook to get the real ones.

Obviously, if a legit sender transmits a virus, it's a problem, but I guess that's why I pay Symantec.

Re:How about....

[photon317]

Mozilla Thunderbird is a great lightweight email client replacement for Outlook. Your average home user who has an imap or pop account from an ISP really has no good excuse not to uninstall Outlook from their machine and switch. Corporate users on the other hand are a little more screwed, since many of them use Exchange servers that don't have OWA turned on and/or aren't Exchange 2000/2003, which precludes using Evolution's commercial plugin to get calendaring integration and whatnot. However corp users that do meet those server-side requirements can do so. Or if you don't use or need the calendaring part in your organization and the exhcnage server has IMAP, then you can also go Thunderbird there too.

Re:protecting from viruses

[prat393]

Many of them DO... but these variants have been coming out so often lately that they're hard to catch up with.

How about...

[Spacejock]

... using email software which doesn't render HTML, and instead shows it as plain text without images?

Yes, I wrote it. I wrote it because 99% of the messages I receive in HTML format are advertising. Most of those use dinky little images with referrer IDs to verify your email address is valid. The 1% I really need to see in HTML ... well the program has a link so you can view it in your default browser, if you really have to.

I know it's going back to the dark ages, but maybe NOT running javascript, html, etc is actually GOOD when it comes to emails.

I'm not advertising this thing, it's freeware anyway. I was a moderately happy Outlook Express user for years, but the lack of spam torturing implements drove me to write my own. Yes, I tried Mozilla, Eudora, etc etc. I think Thunderbird looks interesting too, and I recommend it. But personally I can't do without my POP3 preview window with colour tagging for spam, valid mail, blocked senders, ignored, etc. And deleting stuff before download. And bayesian filtering. And anything else I feel like adding, whenever I want to.

All you poor poor Outlook users

[GillBates0]

I pity you so :'( tsk tsk
Proud user of Pine since 1994. Thank you, Univ. of Washington!

? HELP - Get help using Pine

C COMPOSE MESSAGE - Compose and send a message

I MESSAGE INDEX - View messages in current folder

L FOLDER LIST - Select a folder to view

A ADDRESS BOOK - Update address book

S SETUP - Configure Pine Options

Q QUIT - Leave the Pine program

Copyright 1989-2003. PINE is a trademark of the University of Washington.
? Help P PrevCmd R RelNotes
O OTHER CMDS > [ListFldrs] N NextCmd K KBLock

Re:How about....

[pyite]

And it costs MORE not to switch. Unfortunately, most companies can't see past their nose as far as technology costs are concerned.

Preview Pane Virii are not New

[kwpulliam]

It has been STANDARD practice for quite some time to not use the "Preview Pane" feaute in Outlook. Since html code is displayed as if it were in a browser, this has been open to malicious attacks for quite some time.

This is not New.
This is not News.
This doesn't even matter.
This is not even accuratly portrayed. Selecting an email isn't the problem, displaying it is the problem.

Generic Rant

[_Potter_PLNU_]

<Insert Generic Windows Rant Here>

<Insert Generic Praise about Linux/Mac Here>

<Submit knowing that anyone that has the problem will never see it here>

Re:Not hard

[catch23]

Easy for casual email users, but not for corporate people like myself. All meetings are scheduled via Outlook and if I don't promptly respond to meeting requests, I get rough verbal feedback from my boss. Even though I do most of my development in Linux, I still need a windows machine to use Outlook 2003. You're lucky if your company doesn't force you to use Outlook for all the meeting/appointment scheduling. But unfortunately there is no solution here. Even Evolution is not a solution since it doesn't quite support calendaring very well. Would you care to offer more useful advice? Thanks!

Yes They Are Sexually Transmitted

[amigoro]

One could argue that most of these viruses appeal to the base elements of the human psyche. For example, how likely are you to open an email with a topic like:
Re: My Photo by Cindi
Re: Hi Sweetheart by Melissa
Re: From you Secret Admirer by Linda Lovelace

etc.

Moderate this comment
Negative: Offtopic Flamebait Troll Redundant
Positive: Insightful Interesting Informative Funny

Block the email on server

[richard_za]

The following can be done to stop the spread of this Beagle/Bagle worm:

• scan all email for virus/worms/malware when they enter the email server, such software is available for Linux/Unix/MacOS X/Windows etc.. This software has to regularly download virus definitions.
  
• if your email is at kept your isp, or email passes through them before it reaches you, make sure that your isp offers this service.
  
• do not use the ubiquitous outlook client, I have found Novell Ximian Evolution to be an excellent alternative
  
• Make sure you patch your operating system, against known security flaws, most operating systems now have a automated way of doing this
  
• pressure your bosses/university/school to not use software with a poor security record - outlook, internet explorer etc.
  
• lay a charge with law enforcement officials when you are damaged by a worm/virus attach.
  

Re:protecting from viruses

[cs]

And ISP filtering can readily be a PITA depending on the lists you read. Example: I'm on several Yahoo lists. Naturally the odd virus (or virus-looking) email gets onto one of the lists and (apparently) my ISP bounces it (even though I've got "no filtering please" chosen with them). Anyway, the bounce is an SMTP 553 bounce. Yahoo considers this a "hard" bounce (which it is) and TURNS OFF ALL MY YAHOO DELIVERY. Very very very annoying.

Now, one side of this is that SMTP needs (and lacks) a "this particular message will always be refused" error code. That would work well for virus filters, since the delivering system (eg Yahoo) could them just discard that message and continue with everything else.

The real fix is not to use these buggy mail clients. Like M$ LookOut!

And, though it's not applicable to the outright-buffer-overflow viruses like this one, not to use systems with the vile design flaw of letting users click on attachments and execute stuff. For example, my mutt mail reader has a mailcap that drives its attachment handling. Every clause runs a viewer. If I get a .exe I get told its size or offered an opportunity to save it to disc. It does not offer or try to run it. This core distinction is the weakness in the windows mail world: no attachment should have executable power. An explicit user driven install ritual should be needed to get such a thing into a context where it can be run. i.e. it should be a safe action for a user to double click any attachment - that act should always invoke a viewer of some kind.

Re:protecting from viruses

[afidel]

Just strip all executable attachments. We do this and haven't had a single virus hit our network since implementing this simple step. Of course some worms have been distributing themselves inside of zips but that still takes more steps and hence more chances for the user to think about what they are doing, plus MS email clients can't auto-execute them (most people run Groupwise client on the Citrix farm but some do run Outlook via POP).

Linux is the solution? I don't buy it.

[Brightest+Light]

That's funny, I'm typing this on a Windows 2000 machine, and I've yet to get infected with the virus/worm/trojan of the week. Maybe its because i use a mail client that isn't riddled with security holes and an anti-virus program. Might I also add that I encrypt/sign all of my email, and I don't open attachments unless I've confirmed the veracity of the email (either by decrypting it (if the sender is clueful) or by talking to the person that "sent" the email (if they aren't)).

I've said this before, SWITCHING FROM WINDOWS TO LINUX WILL NOT ELIMINATE THE PROBLEM.
If a user does not know how to run a windows machine (keeping up to date on patches, running antivirus software, etc) then please explain to me how they'll be able to admin a linux machine. The truth of the matter is, they can't and they won't. The ranting of *nix fanbois aside, the problem exists between chair and keyboard. The email viruses that require you to open a password-protected .zip file prove that.

I'm certainly not trying to hold up windows as the platform of choice, because it sure as hell isn't mine; but regardless of your operating system of choice, if you're clueless you're clueless; and unless you fix that first, you're not going to fix the overall problem.

Re:Wow, people love to blame Outlook.

[lone_marauder]

I'm sure that if someone wanted to take the time and analyze the source for Thunderbird, they could easily write the same type of worm/virus.

The virus writers have the source code for Outlook? No wonder there are so many viruses for it!

The solution is easy, but...

[Infonaut]

The fact of the matter is that we're dealing with Windows. Most Windows users just want to use their computer and know as little as they can about how it actually works. They don't know the meaning of terms like "dialog box", "alert message", "preview panel" and so on.

I'm not saying this to single out Windows users. Most non-professional Mac users are the same way. It's just that Windows is used by people who use what everyone else uses because they feel safe in doing so. They may not know how their computers work, but they're more afraid of looking deviant than having technical malfunctions.

The subconscious refrain of Windows users around the globe is, "Well, at least I'm not the only one with this problem."

Those Windows users who actively try to prepare themselves against the almost daily barrage of new worms, viruses, vulnerabilities, and other Windows annoyances still have a difficult time keeping up with it all. Even experienced Windows power users frequently find themselves overpowered by the ongoing war against malicious code.

So the solution to this vulnerability is simple. But when you look at the situation in context, the potential for widespread havoc is a lot greater.

Re:Two Words:

[hallucination]

How can you get a 0.1% false negative rate when 30% of spam is getting through?

He isn't saying that 30% of spam is getting through.... He is saying that they are blocking 70% of their incoming mail as it is spam. That means that 30% is determined to be real mail.

Even lesser-used apps

[0x0d0a]

Even if you don't switch to a client that's more secure, switching to one that's *less used* will work equally well. How many viruses are going to target, say, Pegasus Mail, even if it's riddled with overflows? Not a hell of a lot. I can understand interoperability issues with Word, Excel, etc, but this is *email*. All the clients out there work fine together, and it's not as if it takes long to learn an email client. The main concern in such a switch would be moving old stored email, and I would guess that any major Windows-based email client would provide Outlook import.

Email is also a good candidate for a piece of software to be written in eiffel or ocaml or some other safe language (Java might use too much memory, but there are safe languages that aren't as RAM-intensive). An email client does very little that's computationally expensive.

Devil's Advocate

[EventHorizon]

I love Linux and have used it since 1996, but I don't love half-truths. Mods, do what you must:

1. Unless you have a special 'l00s4h' account for running network programs, you can lose anything owned by your normal account. Typically that's all your data (norp, zeraw, 3PMs, financial data, etc). You're saying losing all that stuff is _better_ than losing the core OS, which you can replace over HTTP in 10 minutes?

2. Even with 'l00s4h', if your kernel has priviledge escalation bugs, bad guys can still get r00t. Linux had two of these in the past six months.

3. You've personally audited mutt for overflow issues? How about the 1GB mozilla codebase?

4. You trust Debian? Gentoo? GNU? Even though they don't always cryptographically sign binaries and even though their servers were 0wned a few weeks back?

5. apt-get, emerge, etc don't typically use SSL, so how do you know you aren't being man-in-the-middled when you run it (as root)?

Linux can be made more secure than d0ze--but don't delude yourself, or others.

Re:.NET

[Rick+Zeman]

It's called the .NET runtime, and when Longhorn comes out and EVERYTHING including Windows itself is running on .NET libraries, you're going to have some damn secure systems. What will Slashdotters find to bitch about next? There's always something--it's impossible to satisfy people around here. The friggin' sky is always falling.

Color me cynical, but didn't MS tout the absolute security of W2k3? And Win2k before that? Sorry, with their record they're guilty until proven innocent.

Preview Pane

[Jace+of+Fuse!]

Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?

Disable the Preview Pane (Pain).

It's a stupid feature anyway, it's unsafe by design, and the last thing on earth I want is my computer opening my e-mails without my input.

This is OLD news. The Preview Pane shouldn't even exist until Microsoft can find some way to totally secure it, which probably won't ever happen as long as harmfull tricks can be planted in e-mail.

I've NEVER used the Preview Pane, and I don't miss it one bit. Maybe more so called "computer experts" should stop carrying stupid misconceptions and actually learn the truth behind the stupid ideas they so firmly hold onto.