Slashdot Mirror


Nasty New Virus Variants

Lucidus writes "Numerous journals, such as Mac Daily News and The Motley Fool, are reporting that the latest versions of the Beagle/Bagle virus can infect users' computers whether or not they open an attachment. Apparently, the simple act of selecting the message activates the code. Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?"

36 of 1,050 comments

  1. Two Words: by Limecron · · Score: 5, Funny

    Right-click

    err...

    One word, hyphenated.

  2. Aside from... by ZiZ · · Score: 5, Insightful
    ...applying the patch which the article says was out last October?

    I don't know. Webmail, one of the numerous non-vulnerable email clients for Windows, maybe give up email entirely?

    --
    This flies in the face of science.
  3. Not just clicking on it by Unordained · · Score: 5, Interesting

    As per the article (Motley, at least) ... the virus is executed by some malicious HTML in the message, which would be activated if the message is viewed in full or preview(pane) modes. Simply clicking on the message in the list (you -did- turn the preview pane off, didn't you?) won't infect the machine. However, this does mean that similar HTML, from a web browser, might also be dangerous. Anyone have info on that idea? (Malicious websites giving you the virus by visiting the site?)

  4. well... by LBArrettAnderson · · Score: 5, Funny

    > Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?

    place 2 other junk emails around it, select the top 1, hold shift, select the bottom one.... DELETE.

  5. Re: How about.... by Black+Parrot · · Score: 5, Funny

    How about...

    a. Turn off preview pane
    b. Use OWA
    c. Stop using Outlook/Outlook Express
    d. Read your mail on someone else's computer

    --
    Sheesh, evil *and* a jerk. -- Jade
  6. Re:Simple... by BigHungryJoe · · Score: 5, Informative

    AntiVir might be a good, free choice.

    It has served me well. Catches a lot of the spyware that my favorite pr0n sites try to push me, too.

  7. How about... by Spacejock · · Score: 5, Insightful

    ... using email software which doesn't render HTML, and instead shows it as plain text without images?

    Yes, I wrote it. I wrote it because 99% of the messages I receive in HTML format are advertising. Most of those use dinky little images with referrer IDs to verify your email address is valid. The 1% I really need to see in HTML ... well the program has a link so you can view it in your default browser, if you really have to.

    I know it's going back to the dark ages, but maybe NOT running javascript, html, etc is actually GOOD when it comes to emails.

    I'm not advertising this thing, it's freeware anyway. I was a moderately happy Outlook Express user for years, but the lack of spam torturing implements drove me to write my own. Yes, I tried Mozilla, Eudora, etc etc. I think Thunderbird looks interesting too, and I recommend it. But personally I can't do without my POP3 preview window with colour tagging for spam, valid mail, blocked senders, ignored, etc. And deleting stuff before download. And bayesian filtering. And anything else I feel like adding, whenever I want to.
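
As an added illustration of the client design the post above describes (not the poster's own program, which is not on the page), the Python below renders an HTML body to plain text without fetching anything: scripts, styles and the head are dropped, remote images are listed instead of loaded, and remote images whose URL carries a query string are reported as the likely "dinky little images with referrer IDs". The sample message and every URL in it are constructed for the example.

```python
"""Render an HTML e-mail body as plain text without fetching anything.

Added example (not code from the original post or from the poster's own
client): display HTML mail as text, drop scripts and images, and instead of
loading remote images list where they point so the reader can see the
beacons. The sample message below is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose content must never reach the reader as text.
SKIP_CONTENT = {"script", "style", "head", "title"}
# Elements that should start a new line in the text rendering.
BLOCK_TAGS = {"p", "div", "br", "tr", "li", "h1", "h2", "h3", "h4", "table"}


class SafeTextRenderer(HTMLParser):
    """Turns HTML into text; never fetches resources, only records them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []          # text fragments in reading order
        self.remote_images = []   # URLs of <img> tags we refused to load
        self.links = []           # hrefs, so the reader can copy one by hand
        self._skip_depth = 0      # > 0 while inside a SKIP_CONTENT element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SKIP_CONTENT:
            self._skip_depth += 1
        elif tag == "img":
            src = attrs.get("src", "")
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)   # recorded, not fetched
            alt = attrs.get("alt")
            if alt:
                self.chunks.append(f"[image: {alt}]")
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        if tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT and self._skip_depth:
            self._skip_depth -= 1
        if tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.chunks.append(data)

    def text(self):
        raw = "".join(self.chunks)
        lines = [" ".join(line.split()) for line in raw.splitlines()]
        return "\n".join(line for line in lines if line)


def render_html_mail(html):
    """Return (plain_text, remote_image_urls, link_urls) for an HTML body."""
    r = SafeTextRenderer()
    r.feed(html)
    r.close()
    return r.text(), r.remote_images, r.links


def tracking_pixel_candidates(image_urls):
    """Remote images whose URL carries a query string are the usual
    per-recipient beacon; report them rather than load them."""
    return [u for u in image_urls if urlparse(u).query]


# Constructed sample: a marketing mail with a beacon image and a script.
SAMPLE_HTML = """<html><head><title>Offer</title>
<script>document.location='http://example.invalid/x';</script></head>
<body><p>Dear <b>customer</b>,</p>
<p>Click <a href="http://example.invalid/offer">here</a> for your prize.</p>
<img src="http://example.invalid/pix.gif?id=user1234" width="1" height="1">
<img src="cid:logo" alt="Company logo">
</body></html>"""

if __name__ == "__main__":
    text, images, links = render_html_mail(SAMPLE_HTML)
    print(text)
    print("remote images not loaded:", images)
    print("likely beacons:", tracking_pixel_candidates(images))
```

The design point is that the parser is the only thing that touches the HTML: it has no network access at all, so whether an image is a beacon never matters for the reader's privacy, and the recorded URLs are shown only so the reader can judge the sender.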

  8. Re: Monoculture is bad by Black+Parrot · · Score: 5, Insightful


    > But as there are way too many deployments of Outlook as it is, and because it is Outlook/IE that is being exploited, the first solution would be to increase diversity in that field.

    IMO e-mail viruses don't result from monoculture; they result from bad software design. Namely, e-mail clients that execute attachments.

    We'd have Linux e-mail viruses in a minute if the popular e-mail clients added support for automatic execution of attachments. (Assuming anyone was foolish enough to use them.)

    --
    Sheesh, evil *and* a jerk. -- Jade
  9. All you poor poor Outlook users by GillBates0 · · Score: 5, Insightful

    I pity you so :'( tsk tsk
    Proud user of Pine since 1994. Thank you, Univ. of Washington!

    ? HELP - Get help using Pine

    C COMPOSE MESSAGE - Compose and send a message

    I MESSAGE INDEX - View messages in current folder

    L FOLDER LIST - Select a folder to view

    A ADDRESS BOOK - Update address book

    S SETUP - Configure Pine Options

    Q QUIT - Leave the Pine program

    Copyright 1989-2003. PINE is a trademark of the University of Washington.
    ? Help P PrevCmd R RelNotes
    O OTHER CMDS > [ListFldrs] N NextCmd K KBLock

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  10. This is really old news by gvc · · Score: 5, Informative

    The mime-type bug has been known for a long time. Microsoft has corrected it (twice :-)). I know this because my parents' computer was infected between their first and second attempts to fix the problem.

    In a nutshell, Microsoft uses the filename extension, not the mime type, to decide how to open a particular file. On the other hand, Outlook uses the mime type to decide whether or not to automatically launch images, sound files, etc. So all you had to do was to send a mail with an embedded image with a filename ending in .exe, and it was executed.

    It has been more than a year since Microsoft crippled^H^H^H^H^H^H^H^Hfixed IE/OE sufficiently to remove this vulnerability.

    I must concur with previous posters that the best approach is to avoid these software products.

  11. Wow, people love to blame Outlook. by DroopyStonx · · Score: 5, Informative

    I've said it before, and I'll say it again: people need to start being responsible for THEMSELVES. It's not Outlook's fault that the user didn't patch their system.

    I'm sure that if someone wanted to take the time and analyze the source for Thunderbird, they could easily write the same type of worm/virus. However, you won't get the same type of media coverage that the others written for mainstream products will get. And yes, MS does write some exploitable code.

    Most users who aid in the spread of these viruses/worms are ignorant. Time after time, news report after news report, they CONTINUE to fail to keep their systems up to date.

    What's funny is each and every mainstream worm has been written AFTER the patch has been released.. and it's not like the day/week after, it's 5-6 months after. That's sad.

    --
    We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
    1. Re:Wow, people love to blame Outlook. by kurt_cagle · · Score: 5, Interesting

      I have received more than a few patches from Microsoft which:
      a) Failed to solve the problem in the first place,
      b) Caused another problem to appear in a seemingly unrelated application, resulting in significant time spent debugging, uninstalling, and otherwise wasting time for something I had no control over,
      c) Ended up adding significantly to the amount of unusable space on my Windows XP system,
      d) Added considerably to the bloat of the System Registry.

      I moved our entire company off Windows to SuSE Linux after one of our primary public facing servers became infected with a worm which enterprising hackers used to store (and later serve) German porn movies. This despite our sysadmin religiously installing patches.

      That is a big part of the reason why I no longer find the argument that Windows is just simply the largest target even remotely accurate. My sysadmin also does some coding work, and every patch that needs to be uploaded reduces his profitable time; to have something that compromises the integrity of our system in such an egregious manner is not acceptable.

      I would rather have a good sysadmin that knows what he's doing maintaining a secure Linux system than having a less competent sysadmin maintaining a Windows system because the system tools are easier to use, even if it means paying more to the Linux admin.

  12. Re:protecting from viruses by Dominic_Mazzoni · · Score: 5, Informative

    > the ISPs need to have some server-side virus scan running. we do through our company's email server, and so far, it seems to work like a champ

    This is so true...unlike spam, it's quite possible to detect 100% of known viruses with no false positives. That's because every virus must contain essentially the same payload. Viruses simply can't vary their content as much as spam can, because it has to result in executable code, plus some MIME trick or IE/Outlook exploit, neither of which has any legitimate use and could be detected easily.

    I started running ClamAV on my mail server a couple of weeks ago (after seeing a recommendation for it on Slashdot) and since then I have seen my viruses go down from 500 a day to 1 a week. I manually looked through thousands of the held messages and found no false positives, so now anything that ClamAV scans goes directly to /dev/null.

    I have no idea why all ISPs don't use ClamAV! Obviously they don't need to throw messages away, just in case - advanced users might prefer that messages probably containing viruses just be quarantined instead - but that would eliminate the problem for most people.

  13. Re:Switch!!! by golgotha007 · · Score: 5, Insightful

    you don't really need to go so far as to switch operating systems. perhaps this is a wake up call for those to switch to different applications that have the same or similar functionality.

    i use both windows and linux machines day to day.
    on my windows machines, i've activated the built-in firewall and use Mozilla Thunderbird for mail and Mozilla Firefox for web browsing.

    i have zero problems with viruses or worms.

    The real culprits here are IE, MS Outlook (& Express).

  14. Re:protecting from viruses by FalconZero · · Score: 5, Informative

    My company outsources email virus protection to a dedicated service (Star Internet) which checks and forwards.
    It's pretty cheap, and I've not had to worry about any email virii for years.
    I'd (personally) like to see more companies (or even ISPs) going this sort of route as not only does it take the hassle away from sysadmins
    (so you don't have to drive in at X in the morning to apply a patch), but it consequently helps reduce the rate of spread.

    --
    Windows in 6 Bytes (IA-32) : 90 90 90 90 CD 19
  15. Re:Switch!!! by dougmc · · Score: 5, Insightful
    > The reason most (or all) viruses are written for Windows is because that's where they'll do the most damage, since most people use Windows.
    There is some truth to this.
    > If everyone switches to Linux or Mac OS then you'll start to see viruses for those operating systems.
    Some more truth ...
    > You should be glad you're in the OS minority. That's what's keeping virus writers away from your system.
    That's one small thing that's keeping virii out of my system. But it's only a small thing. Other things?

    My mail client (mutt) does not run under an account that has full access to the entire system. Instead, it runs as me, and cannot replace parts of the OS even if it wants to. So it can't do things like replace part of the TCP/IP stack -- a popular Windows worm/virus trick.

    My mail client does not automatically execute things sent to it. Instead, it shows me the text included in a file, and if I want to, I can open an external program to view it (like a movie player.) But under no conditions does it execute the email as a program, unless I save it to a file myself and execute that.

    ... And I know better than to do that unless I trust the source of the file, or can read through it and tell what it does.

  16. Re:Switch!!! by the_womble · · Score: 5, Interesting
    > The reason most (or all) viruses are written for Windows is because that's where they'll do the most damage, since most people use Windows.

    So IIS has had more security issues than Apache and SQL server more than Oracle because they are more widely used right? Oh...

    There has not been ONE single Linux virus that has propagated in the wild: given the huge number of viruses out there I would have thought someone* would have written and released one for Linux just to show it can be done.

    * probably one of those fanatical Windows apologists who think that Linux users are communists** or worse

    ** despite the fact that it is MS that advocates central planning.

  17. Re:protecting from viruses by badriram · · Score: 5, Informative

    Except these worms now are not in attachments, they are part of the email message itself. It uses an activex vulnerability among others to attack the computer.

    If people patched their computers, the virus would not have an effect on the computer. At least not this one.

  18. Re:Linux is the solution? I don't buy it. by Brightest+Light · · Score: 5, Funny

    might I also add that closing off the bold tag is usually a good thing too :-\

  19. Re:protecting from viruses by LostCluster · · Score: 5, Informative

    Just what is an executable attachment these days? It used to be possible to say that Word files could never carry a virus, but ever since the Word Macro engine grew up into a full power Visual Basic for Applications that's not so true anymore.

    It used to be possible to say an e-mail with no attachments was safe, but today's virus of the day is proving that wrong... just using an IE bug in an HTML e-mail is enough to cause trouble.

    So, really... nothing's safe. I'm sure somebody will find a buffer exploit for plaintext mail in Outlook someday...

  20. Re:protecting from viruses by Ironica · · Score: 5, Informative

    > I have no idea why all ISPs don't use ClamAV! Obviously they don't need to throw messages away, just in case - advanced users might prefer that messages probably containing viruses just be quarantined instead - but that would eliminate the problem for most people.

    My school's mail server, after getting slammed very hard by er... one of them a couple months ago (I can no longer keep up with which virus is which), installed something that I think is called Vscan. What it does is sends you an email which informs you that you were sent a message with a virus attached, and gives you a link with a generated username (usually the "from" email address) and password to view the message... if you really want to.

    I like this system, because it's soooo much easier to filter those messages as Junk than all the random stuff that might be thrown together by a virus ;-) and, if for some reason you get a *real* email that happens to have a virus attached, you can still read it just fine. Remember, back in the old days, when viruses were first learning to use email, and they'd just attach themselves to whatever outgoing messages you'd send? I'll bet there's one or two of those still floating around...

    --
    Don't you wish your girlfriend was a geek like me?
  21. The solution is easy, but... by Infonaut · · Score: 5, Insightful
    The fact of the matter is that we're dealing with Windows. Most Windows users just want to use their computer and know as little as they can about how it actually works. They don't know the meaning of terms like "dialog box", "alert message", "preview panel" and so on.

    I'm not saying this to single out Windows users. Most non-professional Mac users are the same way. It's just that Windows is used by people who use what everyone else uses because they feel safe in doing so. They may not know how their computers work, but they're more afraid of looking deviant than having technical malfunctions.

    The subconscious refrain of Windows users around the globe is, "Well, at least I'm not the only one with this problem."

    Those Windows users who actively try to prepare themselves against the almost daily barrage of new worms, viruses, vulnerabilities, and other Windows annoyances still have a difficult time keeping up with it all. Even experienced Windows power users frequently find themselves overpowered by the ongoing war against malicious code.

    So the solution to this vulnerability is simple. But when you look at the situation in context, the potential for widespread havoc is a lot greater.

    --
    Read the EFF's Fair Use FAQ
  22. Yes and No by macdaddy · · Score: 5, Informative
    Yes mail admins should implement AV solutions at their borders and within the central mail system itself. All outbound/inbound, inbound/outbound, and inbound/inbound mail should be scanned. However, the providers should not bear the full burden of AV filtering by itself.

    AV solutions can and do break. Ours did at my provider. We still haven't got it back online. Our users have had to endure the full brunt of infected email for far too long.

    No single AV solution can be up-to-date at all times. For starters we can't update our virus definitions within minutes of a newly discovered virus. It just doesn't happen. AV companies couldn't afford the bandwidth without raising our costs beyond what's considered reasonable. Free solutions such as ClamAV certainly couldn't afford it. Also, not all AV companies discover viruses at the same time. F-Prot might find the latest version of MyDoom before Symantec does. The fact that they found it means it's already in the wild as someone has had to analyze it, create a patch for the defs to match this virus, get the patch through Q&A, and get it approved for the next release. There could be numerous hours between the virus getting into the wild, being discovered, being analyzed, and being caught in the latest virus defs.

    Finally no defense of any kind should ever be one layer thick. One layer thick means you have no backup plan. No backup plan means you have no contingency for failures. No contingency for failures means your DRP (disaster recovery plan) has either been written fraudulently or you don't have one. In today's business world that means you'd better start updating your resume. A provider's mail system should not be the only line of defense from email-based viruses. Every single end-user desktop should have an up-to-date AV tool scanning all mail ahead or as a companion to the MUA. This is the *only* acceptable means of defense. You have to have end to end protection.

    Many AV companies' licensing schemes take both mail system users and desktops into account. Read the wording carefully because you may very well be able to use the end-user license to cover that user's part of the mail system....

  23. Re:Mod Parent Down by Alien54 · · Score: 5, Informative
    > So you think you're smart because you know full well virus scanning and patches (release since last year) will solve this problem?? SHUT UP AND STOP TELLING EVERYONE THAT MICROSOFT PRODUCTS WORK, YOU CAPITALIST PIG!

    Well, actually, I do well helping out joe sixpack with exactly this sort of thing. Not everyone is a programmer.

    and you might be interested in these articles

    Eric Raymond's rants: Part One
    http://www.catb.org/~esr/writings/cups-horror.html

    Some follow-ups:
    http://www.catb.org/~esr/writings/luxury-part-deux.html

    And mind you, I really don't like bill gates, either. So your criticism might be slightly off base. have a beer or take a pill, please

    --
    "It is a greater offense to steal men's labor, than their clothes"
  24. Re: Monoculture is bad by bgarrett · · Score: 5, Insightful

    Bad software design can emerge from a monoculture. Linux et al. is mostly virus-free because there is no Linux Inc. who writes email clients that auto-execute attachments simply because some corporate customers like it that way. The design goals and objectives of FOSS are capable of being highly secure because there is no central management ensuring that something else takes priority at all costs.

    --
    Nothing worth doing is worth doing today.
  25. Patch was available on October by gad_zuki! · · Score: 5, Informative

    >c. Stop using Outlook/Outlook Express

    I don't know why slashdot posted this particular fact-free article and with the "what are users supposed to do?" tagline.

    The patch is six months old, people. This isn't some major zero-day exploit that is tearing the internet apart.

    I use firefox/tbird on windows, but still, let's be sensible here. People can use the IE/OE combo without too much fear as long as they keep auto-update running.

  26. Devil's Advocate by EventHorizon · · Score: 5, Insightful

    I love Linux and have used it since 1996, but I don't love half-truths. Mods, do what you must:

    1. Unless you have a special 'l00s4h' account for running network programs, you can lose anything owned by your normal account. Typically that's all your data (norp, zeraw, 3PMs, financial data, etc). You're saying losing all that stuff is _better_ than losing the core OS, which you can replace over HTTP in 10 minutes?

    2. Even with 'l00s4h', if your kernel has privilege escalation bugs, bad guys can still get r00t. Linux had two of these in the past six months.

    3. You've personally audited mutt for overflow issues? How about the 1GB mozilla codebase?

    4. You trust Debian? Gentoo? GNU? Even though they don't always cryptographically sign binaries and even though their servers were 0wned a few weeks back?

    5. apt-get, emerge, etc don't typically use SSL, so how do you know you aren't being man-in-the-middled when you run it (as root)?

    Linux can be made more secure than d0ze--but don't delude yourself, or others.

  27. Re:protecting from viruses by LostCluster · · Score: 5, Informative

    The strength of VB is really in the fact that it really makes using ActiveX to boss around other programs very easy, and also the ability to make system-level DLL calls. VBA adds the extra damage of being able to hide code in a file format that some people might not expect to be executable.

    VBA doesn't actually have anything much missing from the VB6 command set. The only thing it's really missing is the ability to make compiled executables, that VBA programs can only be embedded in certain MS filetypes. It's a much bigger power tool than most people expect...

  28. Four Years Old by rixstep · · Score: 5, Informative

    New Outlook Hole Found
    http://radsoft.net/news/roundups/luv
    May 8, 2000 0:00 AM UTC
    This is getting ridiculous. An email appears in Outlook's inbox, and even before the user does anything, a message pops up on the screen. 'Had this been a real virus, you would not be happy', it reads. The relieved user clicks 'OK' and another box pops up.

    'Deleting hard drive now... Just kidding!'

    It was written by Leigh Stivers of DP Technology, who is trying to draw attention to a hole in Outlook that is far more dangerous than the ones ILOVEYOU found - this hole allows any email to be loaded invisibly with a destructive program that could go as far as deleting an entire hard drive.

    Unlike viruses like ILOVEYOU or Melissa, these programs have no attachment and give no indication that they are anything other than ordinary email.

    And with Outlook's factory defaults, this program - which might have been set to wipe your entire hard drive clean - can start running without you having to click a thing, before Outlook even tells you mail is there.

    'The script can do almost anything', said Stivers. 'We were amazed to see how open everything was in house here, and we take security pretty seriously.'

    You shouldn't have been amazed, Mr. Stivers. But thanks for the tip. We shall now visit the C|net link and read the article and within 30 minutes be running a better email client - for this writing on the wall is surely enough for even the lamest Outlook user?

    http://news.com.com/2100-1001-240189.html

  29. Re:protecting from viruses by runderwo · · Score: 5, Informative
    > I manually looked through thousands of the held messages and found no false positives, so now anything that ClamAV scans goes directly to /dev/null.
    Be careful. You might lose some messages you actually want, if anything ClamAV scans goes directly to /dev/null.

    Joking aside, be careful that you check the exact exit code that you need to determine whether ClamAV found a virus or not. I was using a script called clamfilter.pl that someone else wrote. Since I was in a hurry, I went ahead and stuck it in my procmailrc without checking into it much. It seemed to work for quite a while. When one of the MS virus storms hit, I started sending all the viruses to /dev/null like you are. This turned out to be a mistake.

    At some later point, we had a hard drive disaster that left most of /usr unreadable. However, the mail server was still running, and still using clamav to filter mail. Due to one of clamav's files becoming unreadable, clamav started exiting with a nonzero exit code, but not because it was finding a virus in the mail. Hence ALL mail went to /dev/null for a few days while the system was being rebuilt, and we didn't discover it until afterwards. I filed a bug with the clamfilter forum, but up till now the author hasn't fixed his (IMO dangerous) code that he is offering for general use.

    The moral of the story is, if you are sending mail to /dev/null in ANY case, be damn sure that you are properly checking clamscan's exit code.
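
The exit-code point above, as an added Python example rather than the clamfilter.pl script the post refers to (which is not on the page): the wrapper assumes the scanner follows clamscan's documented convention of 0 for clean, 1 for infected and 2 for an error, and diverts a message only on an exact 1. An error, including a scanner that cannot be started at all, delivers the mail with a header saying it was not scanned. The scanner commands and the message are stand-ins constructed so the example runs without ClamAV installed.

```python
"""Route mail by the scanner's exact exit code instead of "nonzero".

Added example; not the clamfilter.pl script mentioned in the post. It
assumes the scanner uses clamscan's documented exit codes: 0 = no virus,
1 = virus found, 2 = an error occurred (unreadable database, I/O error).
Only an exact 1 may divert a message; every other outcome delivers it.
"""
import os
import subprocess
import sys
import tempfile

SCAN_CLEAN, SCAN_INFECTED, SCAN_ERROR = 0, 1, 2


def scan_message(raw_message, scanner_cmd):
    """Run scanner_cmd on the message and return its integer exit code.
    A scanner that cannot be started at all is reported as SCAN_ERROR,
    never as an infection."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(raw_message)
        path = tmp.name
    try:
        result = subprocess.run(scanner_cmd + [path],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
        return result.returncode
    except OSError:          # e.g. the scanner binary is missing
        return SCAN_ERROR
    finally:
        os.unlink(path)


def route_message(raw_message, scanner_cmd):
    """Return (destination, message) where destination is 'inbox' or
    'quarantine'. Nothing is ever discarded."""
    code = scan_message(raw_message, scanner_cmd)
    if code == SCAN_INFECTED:
        return "quarantine", raw_message
    if code == SCAN_CLEAN:
        return "inbox", raw_message
    # Exit code 2, or anything unexpected: no verdict was produced, so the
    # mail is delivered with a header saying so rather than thrown away.
    header = f"X-Virus-Scan: not scanned (scanner exit code {code})\r\n"
    return "inbox", header.encode() + raw_message


# Constructed sample message.
SAMPLE = b"From: a@example.invalid\r\nSubject: hi\r\n\r\nhello\r\n"


def fake_scanner(code):
    """Stand-in for clamscan that just exits with the given code, so the
    example runs offline; the message path it receives is ignored."""
    return [sys.executable, "-c", f"import sys; sys.exit({code})"]


FAKE_CLEAN = fake_scanner(SCAN_CLEAN)
FAKE_INFECTED = fake_scanner(SCAN_INFECTED)
FAKE_BROKEN = fake_scanner(SCAN_ERROR)

if __name__ == "__main__":
    for label, cmd in (("clean", FAKE_CLEAN), ("infected", FAKE_INFECTED),
                       ("broken", FAKE_BROKEN)):
        dest, _ = route_message(SAMPLE, cmd)
        print(f"{label:9s}-> {dest}")
```

In a procmailrc the same rule applies: test for the one exit code that means "infected" rather than for "anything nonzero", because a half-working scanner fails with a code of its own.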

  30. Re:protecting from viruses by slamb · · Score: 5, Interesting
    > The first time my ISP has a false positive and blocks a legitimate email, I'm going to be pissed. This is probably why they don't do it - they can't risk false positives.

    False positives aren't that bad if you handle them well. The trick is to never silently discard an email. It's much better to send a friendly error message like:

    • "Appears to be W32/Sobig virus. If this is a legitimate message, please change the subject line and resend." (They can easily do so.)
    • "Attachment name "$1" ends with ".$2", which I've disallowed because of worms filling the mail queues. Please arrange an alternate way to send this file." (If nothing else, they can send an email saying 'tried to send you a ZIP file; it didn't work' and I can temporarily relax the rule.)

    I do this with a 5xx rejection during the SMTP session. So what happens is:

    • if their client connects directly to my mailserver, they get an error message before the compose window has even gone away. They can make the necessary changes and resend easily.
    • if their client connects indirectly, the other mailserver will generate a bounce from this message. The sender will get their original as an attachment, so they can modify it even if they don't keep sent messages.
    • if a virus or worm connects directly (the most common case), it receives an error message and gives up. No bounce is sent to the owner of the "From" address. That's good because the address is forged; said owner has nothing to do with the infected machine. No point in filling their mailbox with bounces.
    • if the virus connects indirectly, the owner of the "From" address does get a bounce. Undesirable but not devastating. This seems to happen rarely. Maybe only when there's a transparent SMTP proxy along the way or something.
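
The two checks below are an added Python example, not the poster's own rule set: a DATA-stage decision that either accepts the message or returns a multi-line 554 carrying the explanation, as this post describes, applied to (a) attachments whose name ends in a disallowed extension and (b) the case from post 10 of a part declared as an image but named like a program. The extension list, the reply wording and the sample messages are assumptions constructed for the example.

```python
"""Accept or reject a message at the end of SMTP DATA with a reason.

Added example, not the poster's own filter. Two checks from the thread:
attachment names with a disallowed extension, and a part whose declared
MIME type would make a client display it inline while its file name would
make the OS execute it. Extension lists, reply texts and the sample
messages are constructed for the example.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# File name extensions refused outright (list chosen for the example).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
# Top-level types a mail client is likely to render without asking.
INLINE_TYPES = {"image", "audio", "video"}


def attachment_problems(raw_message):
    """Return human-readable reasons to reject; an empty list means accept."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    problems = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue                       # body text, multipart wrappers
        ext = os.path.splitext(name)[1].lower()
        if ext not in BLOCKED_EXTENSIONS:
            continue
        if part.get_content_maintype() in INLINE_TYPES:
            # Declared as media, named as a program: a client that trusts
            # the MIME type to inline it and the extension to open it runs it.
            problems.append(
                f'Part "{name}" is declared as {part.get_content_type()} '
                f'but its name ends with "{ext}"; such a mismatch is refused.')
        else:
            problems.append(
                f'Attachment name "{name}" ends with "{ext}", which is '
                f'disallowed because of worms filling the mail queues. '
                f'Please arrange an alternate way to send this file.')
    return problems


def smtp_data_reply(raw_message):
    """The reply line(s) to send after the terminating '.' of DATA."""
    problems = attachment_problems(raw_message)
    if not problems:
        return "250 2.0.0 OK: queued"
    texts = ["5.7.1 Message rejected:"] + [f"5.7.1 {p}" for p in problems]
    # RFC 5321 multi-line reply: '554-' on every line except the last.
    return "\r\n".join(
        ("554 " if i == len(texts) - 1 else "554-") + t
        for i, t in enumerate(texts))


def build_sample(filename, maintype, subtype):
    """Construct a small two-part message with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "me@example.invalid"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(b"\x00\x01\x02", maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()


CLEAN_MSG = build_sample("report.pdf", "application", "pdf")
BLOCKED_MSG = build_sample("invoice.scr", "application", "octet-stream")
MISMATCH_MSG = build_sample("photo.exe", "image", "gif")

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MSG), ("blocked", BLOCKED_MSG),
                       ("mismatch", MISMATCH_MSG)):
        print(label, "->", smtp_data_reply(raw).splitlines()[0])
```

Because the verdict is returned while the SMTP session is still open, a real sender sees the text immediately and an infected machine connecting directly gets nothing but the refusal, which is the behaviour the post wants in both cases.
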
  31. Re:Simple... by Perseid · · Score: 5, Insightful

    People have a tendency to forget that the evil-nasty viruses come out BEFORE the virus-scan developers have a chance to add it to their software. It is very possible to have the newest AV updates and get hit by a virus.

    People who hide behind virus scanners as if they solve all of the world's problems are part of the problem themselves.

  32. Re:Simple... by mosschops · · Score: 5, Informative

    Don't use Microsoft products... or use them and have an up-to-date modern Anti Virus scanner.

    Don't forget that the Witty is entirely memory resident so most (if not all) virus scanners will miss it...

  33. Re:Simple... by dustmite · · Score: 5, Insightful

    Yes, it's actually impossible to be protected against the 'latest virus that just came out', because it's impossible that your AV vendor has protection against a brand-new one immediately (unless the AV vendor wrote it themselves). There always must be a "window" between time of discovery of a new virus and the time that your AV is updated to protect against it during which you are vulnerable, and this is typically anything from a few hours to a few days.

    But just try to explain this logic to the damn "if you run an AV and keep your definitions up to date you'll have no problems" crowd ..

  34. Re:Simple... by AndroidCat · · Score: 5, Informative

    And that's why I've always had the Preview pain switched off. And switched on View as Plain Text as soon as it was available. And use CTRL-F3 to view the "source" of email from people I don't know. If you have to use MS products, you've got to be on your toes because they are out to get you!

    --
    One line blog. I hear that they're called Twitters now.
  35. Re:Simple... by subtropolis · · Score: 5, Funny

    > And that's why I've always had the Preview pain switched off.

    That's such an apt mis-spelling.

    --
    "Our interests are to see if we can't scale it up to something more exciting," he said.