Slashdot Mirror


Nasty New Virus Variants

Lucidus writes "Numerous journals, such as Mac Daily News and The Motley Fool, are reporting that the latest versions of the Beagle/Bagle virus can infect users' computers whether or not they open an attachment. Apparently, the simple act of selecting the message activates the code. Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?"

15 of 1,050 comments

  1. protecting from viruses by bendsley · Score: 4, Interesting

    The ISPs need to have some server-side virus scan running. We do through our company's email server, and so far, it seems to work like a champ.

    --
    Alcohol & calculus don't mix. Never drink & derive.
    1. Re:protecting from viruses by slamb · Score: 5, Interesting
      The first time my ISP has a false positive and blocks a legitimate email, I'm going to be pissed. This is probably why they don't do it - they can't risk false positives.

      False positives aren't that bad if you handle them well. The trick is to never silently discard an email. It's much better to send a friendly error message like:

      • "Appears to be W32/Sobig virus. If this is a legitimate message, please change the subject line and resend." (They can easily do so.)
      • "Attachment name "$1" ends with ".$2", which I've disallowed because of worms filling the mail queues. Please arrange an alternate way to send this file." (If nothing else, they can send an email saying 'tried to send you a ZIP file; it didn't work' and I can temporarily relax the rule.)

      I do this with a 5xx rejection during the SMTP session. So what happens is:

      • if their client connects directly to my mailserver, they get an error message before the compose window has even gone away. They can make the necessary changes and resend easily.
      • if their client connects indirectly, the other mailserver will generate a bounce from this message. The sender will get their original as an attachment, so they can modify it even if they don't keep sent messages.
      • if a virus or worm connects directly (the most common case), it receives an error message and gives up. No bounce is sent to the owner of the "From" address. That's good because the address is forged; said owner has nothing to do with the infected machine. No point in filling their mailbox with bounces.
      • if the virus connects indirectly, the owner of the "From" address does get a bounce. Undesirable but not devastating. This seems to happen rarely. Maybe only when there's a transparent SMTP proxy along the way or something.
    2. Re:protecting from viruses by Isomer · Score: 3, Interesting

      One idea I've had is to hold anything that has an attachment that starts with the letters "MZ" (which are the "magic" for .EXE files) for 24 hours, then rerun the virus scanner over them. 24 hours is more than enough time for virus checkers to be updated and the virus hopefully will be dropped then. People who are legitimately (?!) sending executables around in email just get a 24h delay.

    3. Re:protecting from viruses by boaworm · Score: 3, Interesting

      .zip is vicious too. I've seen several copies of a virus that tries to look like it's being sent from the staff of your domain, and says that you have to unlock your email account because of abuse. The instructions are in a .zip archive and the mail provides you with a password to "unlock" the archive.

      Don't have any spare copies of the virus to cut'n'paste for you, but beware of .zip too.

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotle
    4. Re:protecting from viruses by tverbeek · Score: 3, Interesting
      Eliminating all ".zip" attachments, and also ".dll", ".exe", ".scr", ".pif", ".com", and ".bat" seems to do the trick.

      If your local Powers That Be won't allow you to take this (IMHO sensible) precaution, you can still provide a measure of id10t-proofing by mangling the extensions of these attachments. For example, this procmail script will rename an attachment from PATCH.EXE to PATCH.DEFANGED-EXE, requiring the recipient to save the file (giving the anti-virus software a chance to check it) and rename it before executing it.

      My policy (before I got laid off and ended up in a non-policy-setting job elsewhere) was to simply not deliver messages containing SCR/PIF/COM/BAT/DLL, on the grounds that these are never legitimate attachments. (For a while I delivered the message but stripped the file; after several months with no false positives, I just stopped delivering them altogether.) For EXE/DOC/ZIP attachments (which were occasionally legit) I'd mangle the filename.

      --
      http://alternatives.rzero.com/
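The three mechanisms described in the replies above (slamb's 5xx rejection during the SMTP session, Isomer's hold-and-rescan of anything whose payload starts with "MZ", and tverbeek's renaming of PATCH.EXE to PATCH.DEFANGED-EXE) combined into one attachment policy, as an added example that is not code from any of the posters. The extension lists follow tverbeek's stated policy; the reply texts, the build_sample helper and the sample messages are my own constructions.

```python
import email
from email import policy
from email.message import EmailMessage

# Never-legitimate extensions per tverbeek's policy: reject with a 5xx at SMTP time
REJECT_EXT = {"scr", "pif", "com", "bat", "dll"}
# Occasionally legitimate: deliver, but mangle the name so a click cannot run it
DEFANG_EXT = {"exe", "doc", "zip"}
MZ_MAGIC = b"MZ"  # DOS/PE executable header, the "magic" Isomer's post keys on


def defang_name(filename: str) -> str:
    """PATCH.EXE -> PATCH.DEFANGED-EXE; names without an extension are left alone."""
    stem, dot, ext = filename.rpartition(".")
    return f"{stem}.DEFANGED-{ext.upper()}" if dot else filename


def check_message(raw: bytes) -> tuple[str, str, bytes]:
    """Return (action, smtp_reply, message_bytes); action is reject, hold or accept."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hold = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rpartition(".")[2].lower()
        if ext in REJECT_EXT:
            # 5xx inside the SMTP session: a worm connecting directly just gives up,
            # and a human sender sees the reason before the compose window closes
            return ("reject", f'554 5.7.1 Attachment "{name}" ends with ".{ext}", which is '
                    "disallowed because of worms; please arrange another way to send it", raw)
        if (part.get_payload(decode=True) or b"").startswith(MZ_MAGIC):
            hold = True  # executable content: queue it and rescan after 24h
        if ext in DEFANG_EXT:
            del part["Content-Disposition"]  # rewrite the filename parameter
            part["Content-Disposition"] = f'attachment; filename="{defang_name(name)}"'
    if hold:
        return ("hold", "250 2.0.0 Queued; executable content is rescanned before delivery",
                msg.as_bytes())
    return ("accept", "250 2.0.0 OK", msg.as_bytes())


def build_sample(filename: str, data: bytes) -> bytes:
    """Constructed test message with a single attachment (not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.net"
    m["Subject"] = "test"
    m.set_content("see attached")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A real deployment would run this from a milter or content filter so the reply is returned before the message is accepted; the "hold" branch is where the 24-hour quarantine queue would plug in.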
  2. Not just clicking on it by Unordained · Score: 5, Interesting

    As per the article (Motley, at least) ... the virus is executed by some malicious HTML in the message, which would be activated if the message is viewed in full or preview(pane) modes. Simply clicking on the message in the list (you -did- turn the preview pane off, didn't you?) won't infect the machine. However, this does mean that similar HTML, from a web browser, might also be dangerous. Anyone have info on that idea? (Malicious websites giving you the virus by visiting the site?)

  3. Re:How about.... by big+tex · Score: 3, Interesting

    a. and b. are not acceptable answers.

    I have to use outlook at work, much as I do not like it.

    I love the preview pane concept, it makes much more sense with email. I use it with Kmail at home as well. Turning off the preview pane is just treating the symptoms and ignoring the root. Our IT people do a good job of patching and filtering, so I can keep using the preview pane.

    OWA sucks to a degree that makes Outlook look good. OK when you are on the road and checking from someone else's computer, but not an acceptable replacement. Once again, a symptom, not a cause.

    --
    I think I need a new sig here.
  4. Re:Switch!!! by the_womble · Score: 5, Interesting
    The reason most (or all) viruses are written for Windows is because that's where they'll do the most damage, since most people use Windows.

    So IIS has had more security issues than Apache and SQL Server more than Oracle because they are more widely used, right? Oh...

    There has not been ONE single Linux virus that has propagated in the wild: given the huge number of viruses out there I would have thought someone* would have written and released one for Linux just to show it can be done.

    * probably one of those fanatical Windows apologists who think that Linux users are communists** or worse

    ** despite the fact that it is MS that advocates central planning.

  5. Re:Switch!!! by WindBourne · Score: 4, Interesting
    The reason most (or all) viruses are written for Windows is because that's where they'll do the most damage, since most people use Windows.

    That is more myth than truth. Most virus writers target MS due to simplicity. Read any of the online articles that dealt with interviews of a number of virus writers and you will see that they target not the plentiful system but the easiest.

    If nothing else, consider the case on servers. Apache is now fully 2/3 of all servers, yet IIS accounts for the majority of break-ins.

    Likewise, if you watch the credit cards that are stolen, they have been nothing but IIS for about 3.5/4 years. The last URL to have CCs stolen that was not MS induced was Playboy, which uses Sun.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  6. Re:Switch!!! by Anonymous Coward · Score: 3, Interesting

    Wearing a condom won't really help.

    The reason most (or all) AIDS infections happen through unprotected sex is because that's where the virus will do the most damage, since most people have unprotected sex.

    If everyone switches to wearing condoms or practicing abstinence then you'll start to see AIDS mutations that jump through the air or something.

    You should be glad you're in the minority that practices safe sex. That's what's keeping the AIDS virus away from your system.

    Seriously, is this like the most pointless argument or what??

    If you use a Mac or Linux TODAY you will not get these viruses. Period. End of discussion.

    Let's say in 5 years, everybody will switch to Mac and start getting Mac viruses. Wouldn't you like 5 years without viruses??

  7. Re:Switch!!! by Jeremi · Score: 3, Interesting

    Maybe Microsoft should re-code Outlook so that the incoming-email-handling-and-viewing code runs in some sort of Java-style untrusted sandbox mode. That way even if there is some problem like this, the damage would be contained to that one process and wouldn't subvert the rest of the system.

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
  8. Re:Switch!!! by zcat_NZ · Score: 3, Interesting

    You missed a step:

    • Save to file
    • Set executable (chmod +x)
    • Execute (and by default it's not in your path either!)

    BUT when Linux gets as popular as Windows, most users are likely to be running something broken like Lindows that does everything as root. And sooner or later someone _will_ write a mail client for Lindows that can automagically run executable attachments because the sort of people who send greeting cards and flash jokes to each other will _ask_ for that functionality.

    Linux/freeBSD are safe because they're not generally run by morons; Windows is perfectly safe as long as you know what you're doing. Have a good firewall, replace IE/OE with TB/FF or Moz, be a little careful about what you download, and NEVER run stuff that gets mailed to you! Plus keep backups and be prepared to nuke-and-pave if necessary.

    --
    455fe10422ca29c4933f95052b792ab2
  9. Re:Wow, people love to blame Outlook. by kurt_cagle · Score: 5, Interesting

    I have received more than a few patches from Microsoft which:
    a) Failed to solve the problem in the first place,
    b) Caused another problem to appear in a seemingly unrelated application, resulting in significant time spent debugging, uninstalling, and otherwise wasting time for something I had no control over,
    c) Ended up adding significantly to the amount of unusable space on my Windows XP system,
    d) Added considerably to the bloat of the System Registry.

    I moved our entire company off Windows to SuSE Linux after one of our primary public facing servers became infected with a worm which enterprising hackers used to store (and later serve) German porn movies. This despite our sysadmin religiously installing patches.

    That is a big part of the reason why I no longer find the argument that Windows is just simply the largest target even remotely accurate. My sysadmin also does some coding work, and every patch that needs to be uploaded reduces his profitable time; to have something that compromises the integrity of our system in such an egregious manner is not acceptable.

    I would rather have a good sysadmin that knows what he's doing maintaining a secure Linux system than having a less competent sysadmin maintaining a Windows system because the system tools are easier to use, even if it means paying more to the Linux admin.

  10. VBA is useful by Fred+Ferrigno · Score: 3, Interesting

    It's astonishing that you can do anything useful in it, let alone write a virus in it.

    I spent a large part of my last job writing custom Excel applications in VBA. Most of them were for engineers who wanted an easy yet flexible way to input and summarize data. Excel provides an interface they're already familiar with, and I provided a few bits of VBA code to make complicated tasks easy. Sure, I could have written a custom application for each task, but that would have been overkill, not to mention a waste of my time and my employer's money.

    The virus writers started to piss me off when we switched to Office XP. XP automatically sets your macro security to maximum, and it became a big hassle to tell my users to lower their security. Anymore, they don't trust any macros, even from someone in the same company. (In anticipation of someone mentioning signed macros: setting up my cert on every computer is no easier than setting the macro security to medium.)

  11. Re:.NET by Doctor+Crumb · Score: 3, Interesting

    Yeah right. The other day I saw a programmer write a .NET aspx page that provided a command shell, with full permissions on his computer. Very scary, especially since he just used a built-in library and no hacks. .NET is not going to suddenly make people write good code. Windows will continue to have exploitable holes for the foreseeable future.

    In the meantime, I'm running ClamAV, Amavis, and SpamAssassin on my mail servers and haven't been happier.