Nasty New Virus Variants
Lucidus writes "Numerous journals, such as Mac Daily News and The Motley Fool, are reporting that the latest versions of the Beagle/Bagle virus can infect users' computers whether or not they open an attachment. Apparently, the simple act of selecting the message activates the code. Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?"
The ISPs need to have some server-side virus scan running. We do through our company's email server, and so far it seems to work like a champ.
Alcohol & calculus don't mix. Never drink & derive.
How about they PATCH THEIR DAMN SYSTEMS? How about they STOP USING OUTLOOK? How about they stop using an insecure operating system? (Come on, if you like Windows, back patch to ME; most of these viruses don't work on it.)
come comment on the madness at http://slashdot.org/~phreak03/journal/
As per the article (Motley, at least) ... the virus is executed by some malicious HTML in the message, which would be activated if the message is viewed in full or preview(pane) modes. Simply clicking on the message in the list (you -did- turn the preview pane off, didn't you?) won't infect the machine. However, this does mean that similar HTML, from a web browser, might also be dangerous. Anyone have info on that idea? (Malicious websites giving you the virus by visiting the site?)
because it would cost $thousands for companies to switch?
As compared to the $thousands it's costing them already to deal with this kind of crap?
It would be short term pain for long term gain.
a. and b. are not acceptable answers.
I have to use outlook at work, much as I do not like it.
I love the preview pane concept, it makes much more sense with email. I use it with Kmail at home as well. Turning off the preview pane is just treating the symptoms and ignoring the root. Our IT people do a good job of patching and filtering, so I can keep using the preview pane.
OWA sucks to a degree that makes Outlook look good. OK when you are on the road and checking from someone else's computer, but not an acceptable replacement. Once again, a symptom, not a cause.
I think I need a new sig here.
Good job, you've just infected a fresh Windows XP install without even finishing downloading the patches necessary.
Good job, you've just fubared your computer because one of the patches was broken.
Good job, you've just installed Windows Media Player 9 and now you have to figure ANOTHER weird program out.
Doing the Right Thing should not be preempted by making a buck.
If they block 70% of spam, how do they only have a 0.1% false negative? Either they have a 30% false negative or they block 99.9% of spam. Also, 1% false positive is fairly high. Mozilla's built-in spam filter does better than that for me. I get a lot of spam (university email account). I also get a lot of mail from people not in my address book (students who don't use their university account to email their TA). I have only had one false positive since September (and it was a bulk email to all grad students). I get about 1 false negative per day, but I can tag them by the subject line/from fields alone (I don't have to preview).
I've also recently switched to this approach using Mozilla mail: view->message body as->plain text. Even for mass mail that I choose to get (news summaries, etc.) it is a lot easier to read the plaintext as opposed to waiting for the images to load, then scanning through all the extraneous junk.
The biggest advantage is that I am immune to coworkers who insist on "personalizing" their mail with colors, fonts, graphics in their sigs, and "stationery" (shudder).
My drive died this weekend, so I wanted to reinstall Windows 2000. Easy task. Normally speaking, yes, but as soon as you want to install the Windows updates and connect your machine to high-speed internet via your cable company, you will instantly get infected - like I did.
Yes, I did have NortonAV installed, but of course its definitions aren't up to date until it connects to the net too.
Fun times - and many hours into the night of manually editing the registry for bad GUIDs later, I now have a virus-free/locked-down 2000 machine.
Some of the new worms were even smart enough to mangle Explorer.exe so you couldn't get to the system32 directory. The only way: cmd.exe.
Microsoft just lost my business.
My next OS is linux.
So IIS has had more security issues than Apache and SQL Server more than Oracle because they are more widely used, right? Oh...
There has not been ONE single Linux virus that has propagated in the wild: given the huge number of viruses out there I would have thought someone* would have written and released one for Linux just to show it can be done.
* probably one of those fanatical Windows apologists who think that Linux users are communists** or worse
** despite the fact that it is MS that advocates central planning.
That is more myth than truth. Most virus writers target MS due to simplicity. Read any of the online articles that dealt with interviews of a number of virus writers and you will see that they target not the plentiful system but the easiest.
If nothing else, consider the case on servers. Apache is now fully 2/3 of all servers, yet IIS accounts for the majority of break-ins.
Likewise, if you watch the credit cards that are stolen, they have been nothing but IIS for about 3.5/4 years. The last URL to have CCs stolen that was not MS-induced was Playboy, which uses Sun.
I prefer the "u" in honour as it seems to be missing these days.
The reason most (or all) viruses are written for Windows is because that's where they'll do the most damage, since most people use Windows.
If everyone switches to Linux or Mac OS then you'll start to see viruses for those operating systems.
You're replying to a reply about the fact that this virus (like several before it, actually) can auto-launch from the preview pane. This is a "feature" specific to Outlook. If you don't use a mail program made by Microsoft, it probably won't affect you.
This is not one of those things that happens to Windows just because it's the easiest thing to pick on. This is one that specifically happens because a feature that is massively insecure was still included, just because one user in a thousand might find Outlook easier to use because of it.
Don't you wish your girlfriend was a geek like me?
Wearing a condom won't really help.
The reason most (or all) AIDS infections happen through unprotected sex is because that's where the virus will do the most damage, since most people have unprotected sex.
If everyone switches to wearing condoms or practicing abstinence then you'll start to see AIDS mutations that jump through the air or something.
You should be glad you're in the minority that practices safe sex. That's what's keeping the AIDS virus away from your system.
Seriously, is this like the most pointless argument or what??
If you use a Mac or Linux TODAY you will not get these viruses. Period. End of discussion.
Let's say in 5 years, everybody will switch to Mac and start getting Mac viruses. Wouldn't you like 5 years without viruses??
No offense, but Linux has been referred to as the least secure OS lately, behind Microsoft. If I recall well, about 80% of all attacks made on Linux boxes were successful according to a test made by a UK firm (I know I'm lazy, but I do not feel like fetching the link). Linux people seem to believe their OS is secure as hell, but thorough testing does show otherwise; the only thing making Linux very secure is the general ignorance from people toward this platform...
Maybe Microsoft should re-code Outlook so that the incoming-email-handling-and-viewing code runs in some sort of Java-style untrusted sandbox mode. That way even if there is some problem like this, the damage would be contained to that one process and wouldn't subvert the rest of the system.
I don't care if it's 90,000 hectares. That lake was not my doing.
MS stuff was never really designed to be hooked to the internet.
Well, sometimes, it seems like it was *too* designed to be hooked to the internet... after all, aren't a lot of these worms based on exploits in code that is designed to allow remote access to your machine?
The problem only exists between the chair and the keyboard because the software allows it to exist -- there is nothing that says email software HAS to let the user execute viruses contained in incoming email. Or if you insist that there must be such a feature, there is nothing that says the executed code must be run with the sorts of privileges necessary to allow viruses to spread. I can certainly imagine a system where security was designed in from the start, such that even the most clueless user wouldn't be able to shoot himself in the foot. (Note that Linux is not that system)
You missed a step:
1. Save to file
2. Set executable (chmod +x)
3. Execute (and by default it's not in your path either!)
BUT when Linux gets as popular as Windows, most users are likely to be running something broken like Lindows that does everything as root. And sooner or later someone _will_ write a mail client for Lindows that can automagically run executable attachments because the sort of people who send greeting cards and flash jokes to each other will _ask_ for that functionality.
Linux/FreeBSD are safe because they're not generally run by morons; Windows is perfectly safe as long as you know what you're doing. Have a good firewall, replace IE/OE with TB/FF or Moz, be a little careful about what you download, and NEVER run stuff that gets mailed to you! Plus keep backups and be prepared to nuke-and-pave if necessary.
They try to push spyware on your computer, and yet they remain your favorite sites? Ok...
Turning off the preview pane isn't enough sometimes. Why take a chance that a message that looks like it might either be from a trusted contact, or a virus/spam?
In Outlook Express, you can right-click on a message, choose Properties, and view the headers in the Details tab. If that's not enough info for you, hit the Message Source button and you'll be treated to a beautiful non-rendered view of the entire message, including any HTML code. If it's unreadable there, then you have got a virus, spam, or (even worse) an AOL user.
I'm too lazy to set up a filter, so I manually scan for spam like this.
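Both the preview-pane explanation earlier in the thread and the "read the message source" approach above come down to the same defensive idea: look at the raw MIME without letting a client render it. The following Python checker is an added example, not code from any poster or from Outlook Express; it parses a constructed sample message (the names SAMPLE_RAW, inspect_message and headers_of are mine) and reports the two things that matter for this worm: active-content tags in an HTML part and an attachment with an executable extension.

```python
import email
import re
from email import policy

# Constructed sample message (not a real Bagle/Beagle sample): an HTML body
# carrying a script and a hidden iframe, plus a "photo.jpg.exe" attachment.
# The base64 payload is just the text "ABCDEFGH", a harmless placeholder.
SAMPLE_RAW = """\
From: "A Friend" <friend@example.com>
To: you@example.org
Subject: Hi, check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="us-ascii"

<html><body>Hello!<script>window.open("http://example.invalid/");</script>
<iframe src="cid:part2" width=0 height=0></iframe></body></html>
--XYZ
Content-Type: application/octet-stream; name="photo.jpg.exe"
Content-Disposition: attachment; filename="photo.jpg.exe"
Content-Transfer-Encoding: base64

QUJDREVGR0g=
--XYZ--
"""

# Tags that turn a mail body into active content when a client renders it.
ACTIVE_TAGS = re.compile(r"<\s*(script|iframe|object|embed|applet)\b", re.I)
# Extensions Windows will run on double-click; "photo.jpg.exe" is the classic
# double-extension disguise.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js|hta)$", re.I)

def headers_of(raw):
    """Return the top-level headers as a dict without touching the body."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {k: str(v) for k, v in msg.items()}

def inspect_message(raw):
    """Walk every MIME part and return a list of risk findings as strings.
    Nothing is rendered or decoded to disk; HTML is scanned as plain text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content
        if part.get_content_type() == "text/html":
            for m in ACTIVE_TAGS.finditer(part.get_content()):
                findings.append(f"html part contains <{m.group(1).lower()}> tag")
        fname = part.get_filename()
        if fname and EXEC_EXT.search(fname):
            findings.append(f"executable attachment: {fname}")
    return findings
```

Feed it a real message saved from "Message Source" and it lists exactly what the preview pane would have run on your behalf.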
I have received more than a few patches from Microsoft which:
a) Failed to solve the problem in the first place,
b) Caused another problem to appear in a seemingly unrelated application, resulting in significant time spent debugging, uninstalling, and otherwise wasting time for something I had no control over,
c) Ended up adding significantly to the amount of unusable space on my Windows XP system,
d) Added considerably to the bloat of the System Registry.
I moved our entire company off Windows to SuSE Linux after one of our primary public-facing servers became infected with a worm which enterprising hackers used to store (and later serve) German porn movies. This despite our sysadmin religiously installing patches.
That is a big part of the reason why I no longer find the argument that Windows is just simply the largest target even remotely accurate. My sysadmin also does some coding work, and every patch that needs to be uploaded reduces his profitable time; to have something that compromises the integrity of our system in such an egregious manner is not acceptable.
I would rather have a good sysadmin that knows what he's doing maintaining a secure Linux system than having a less competent sysadmin maintaining a Windows system because the system tools are easier to use, even if it means paying more to the Linux admin.
It's astonishing that you can do anything useful in it, let alone write a virus in it.
I spent a large part of my last job writing custom Excel applications in VBA. Most of them were for engineers who wanted an easy yet flexible way to input and summarize data. Excel provides an interface they're already familiar with, and I provided a few bits of VBA code to make complicated tasks easy. Sure, I could have written a custom application for each task, but that would have been overkill, not to mention a waste of my time and my employer's money.
The virus writers started to piss me off when we switched to Office XP. XP automatically sets your macro security to maximum, and it became a big hassle to tell my users to lower their security. Anymore, they don't trust any macros, even from someone in the same company. (In anticipation of someone mentioning signed macros: setting up my cert on every computer is no easier than setting the macro security to medium.)
Unfortunately it's simply something approaching irresponsible of you to think that people are going to be "responsible" for themselves in this sort of situation. And you probably know it.
I just got an email forwarded from my own father-in-law asking me if this trick someone forwarded him will work. The email encourages everyone to create an "AAAAA@AAAAAA.AAA" entry in their Outlook address book: they go on to explain that the worms will try this first and when it fails they will quit.
By the extreme number of angle brackets on the left side of this forwarded message... I'd say there's a lot of people with AAAAAA@AAAAAA.AAA in their Outlook address book at this moment.
I think you are asking too much of these people to have them actually understand about patching, updates (btw, my father-in-law dials up via a not-too-fast modem... and lives somewhat out in the country), HTML exploits, etc etc.
If everyone switches to Linux or Mac OS then you'll start to see viruses for those operating systems.
This is not the whole story. Microsoft's mail programs are just one big security disaster. There are clever people writing Linux attacks, but almost all Linux mail programs are inherently more secure than Outlook.
Some people in this thread have suggested that ISPs block virus-loaded mail in their servers. This is nonsense, and violates the basic concepts underlying the Internet, but it does illustrate how bad Outlook is. Essentially it's saying that Outlook is so insecure it can't even be exposed to raw email messages.
The problem is with the mindset of most endusers.
I've enabled automatic updates on friends' and co-workers' computers and they still don't go through installing patches even with balloon reminders. And MS does not even have automatic update for Office products.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Yeah right. The other day I saw a programmer write a .NET aspx page that provided a command shell, with full permissions on his computer. Very scary, especially since he just used a built-in library and no hacks. .NET is not going to suddenly make people write good code. Windows will continue to have exploitable holes for the foreseeable future.
In the meantime, I'm running clamAV, Amavis, and spamassassin on my mail servers and haven't been happier.
1. Backup.
2. Sad but true, but as always, keep your system updated. Enforce strong user passwords.
3. Hopefully enough people do.
4. I run Slackware and keep it updated with swaret. All packages are pgp-signed by Patrick Volkerding.
5. See point 4.
Linux can be made more secure than d0ze--but don't delude yourself, or others.
Good point...
-K
No matter how secure your system is, backups are required. If it is really important or secure, users should have to sign in through another box via some secure, encrypted method first. The account is usually "nobody" or named after the process like "apache". You are correct - a remote unprivileged exploit plus a privilege escalation exploit equals a remote root exploit - but that still requires *two* unpatched exploits. Correct, these programs cannot be trusted, ergo they should not be running on servers; client machines should be firewalled, preventing connections from outside the intranet. All the source packages and RPMs we get come with MD5 sums. emerge and red-carpet both automatically check for a correct sum before installing. Any backdoors or virii that are contained in the packages would also exist when they were archived/created by the maintainers. emerge downloads its MD5 sums via the portage tree, completely independently of the source packages. Once again the greatest vulnerability is in the human element. As long as you trust the maintainers, you can be *reasonably* sure that everything is OK.
An unpatched Linux box and an unpatched Windows server are both extremely vulnerable, but for me the bottom line is a single observation. We apply Linux patches as soon as they become available, both red-carpet and portage are entirely capable of resolving most dependency problems. Windows patches on the other hand usually get trialled for up to a week until we can ensure that we know all the programs that they break and have found all the required workarounds, unless it's a catastrophic vulnerability in which case we just roll it out and hope for the best.
In the end though there is no such thing as a perfectly secure system, all you can do is stack the deck in your favour, keep your eyes on the security lists and stay vigilant for unusual behaviour.
I know someone who was booted off their dial-up ISP for running windows update.
No, I'm not kidding.
She was downloading some massive 30 meg update (or something like that) and was getting extremely slow transfer rate. 2k down. So, she left the computer online for a few hours, and walked away to do something else. When she came back she was disconnected, the download was incomplete and calls to the ISP accused her of illegally downloading pirated materials.
She said she was simply running Windows Update (and the ISP didn't know what that was).
She got a better ISP after this.
Apparently he is too young to know about VMS. And don't forget AOS/VS as well.
They make a good product, but just because they are the current market leader, that makes them a big target. The problem is not Microsoft, it is the loose nut behind the keyboard, in layman's terms, the user. We have worked to train our users to be cautious of opening any e-mails, even from people they know. I have even done the impossible, trained my family. If we all work on training the users on how to pick out the trash or actually filter the mail, the problem will be fixed. If you have a good virus scanner such as Norton or Trend, it will help as well. We are never going to stop these variants, so the best we can do is train our people and use every tool we have to prevent them from being able to get through 99.9% of the time. Anything that gets through should be caught by your virus scanner if you have it up to date and set on a high enough setting. Josh