Slashdot Mirror


Netsky Worm Variant Attacks P2P Services

ee_moss points out this Washington Post article (via Yahoo!), excerpting "The latest variant of the Netsky worm is directing infected computers to launch Web-based attacks against music- and file-trading Web services such as Kazaa, taking down at least one company's Web sites in the process. The worm, the 19th version of a bug that made its debut in February, is also targeting some Web sites that offer computer programs designed to illegally break or bypass copyright controls on software programs."

27 of 472 comments

  1. Wider than just Kazaa and Edonkey, methinks by jwlidtnet · · Score: 5, Informative

    Soulseek's been down all day, for example, even though I haven't seen any information specifically saying that this new Netsky targets said network (Kazaa and Edonkey are the two that I frequently see cited, as in the linked article). It's an odd choice of target--it's far smaller than Kazaa/FastTrack--but then again, Edonkey's not too high on the usual radar, either. Some bittorrent sites are also especially wobbly today, but that could be coincidence.

    Fascinatingly, I've also been getting absolute tons of emails infected with this variant of Netsky, many of which pretend to have been scanned for viruses and are "clean." This seems particularly lame as an "innovative" get-the-dupes-to-click-on-"document.doc .pif" strategy, but someone must be clicking on these things (verizon seems particularly affected, as every other Netsky spam I get seems to be from that domain).

    Ahh well. Hopefully, this particularly obnoxious variant will be short-lived (so we can, of course, begin the cycle anew in a few weeks' time with a new SoBig or...heck, I dunno, Klez? What letter are they up to there?)

  2. Dispatch by Emperor+Tiberius · · Score: 2, Informative
    The latest variant of the Netsky worm is directing infected computers to launch Web-based attacks against music- and file-trading Web services such as Kazaa

    This one was probably sent out by the RIAA, or Orrin Hatch himself.

  3. Re:What we are supposed to do by elohim · · Score: 4, Informative

    I think it's more likely to be the mp3 scene itself. And by mp3 scene I mean the releasing groups, couriers, and ftp site ops. They don't like their work getting to P2P networks; they rip music to have something to offer to sites they upload to, in exchange for whatever they want, be it wares or porn or whatever. If their product is not exclusive (e.g. available on P2P), they lose leverage. Ask any "scener" and they'll tell you they think P2P is bad for business.

  4. Re:Bad reputation by Anonymous Coward · · Score: 5, Informative

    If they MUST run windows, this is all you have to do:

    * Install Mozilla (Firefox and Thunderbird).
    * Install Ad-Aware. Pay for the pro version that also has Ad-Watch.
    * Install Spybot Destroyer.
    * Install a cheap linksys router.
    * Install Grisoft/AVG antivirus, or something equally good.

    Now, nothing is going to get IN that shouldn't and probably won't get OUT. Even if they're reckless and download/install everything they ever run across, Spybot Destroyer lets you prevent the installation of *hundreds* of known ActiveX applications and other troublesome installers, lock your hosts file, prevent changing the MSIE start page, etc. And if they're stupid enough to install something after Ad-Watch/Ad-Aware and/or their antivirus software warns them about it, then they deserve what they get.

    Additionally:

    * Don't give them administrator accounts!
    * Set them up with a DynDNS address. This way you can connect to them remotely using VNC when necessary to do administrative tasks.
    * Set up regular user accounts for them. Or better, set up limited user accounts so they can't even install any software themselves. Tell them to come up with lists of things they need installed and to call you. Then you can VNC in, fire up the admin account and install them in a few minutes.

    It will lock them down, but shouldn't prevent them from doing most things they want to do and will save you a shitload of headache. And if they don't like it, then it should hopefully be enough reason for them to start actually LEARNING about the machine they're using rather than treating it like a god damn TV and then they can assume the responsibility.

  5. Re:What get's me... by Microlith · · Score: 4, Informative

    Because they're paranoid.

    I've run XP for over a year and every once in a while, just for kicks, I install AVG and AdAware.

    Last time I ran AdAware 6 with the latest definitions, out of 90000+ items scanned, it found ONE registry key.

    And AVG has not once turned up an infection of any kind.

    So I ask the other windows users, what the hell are you doing to require this. And I ask all the self-righteous linux users to kindly keep your smart-ass comments to yourselves :)

  6. NetSky already did this? by pantycrickets · · Score: 4, Informative

    Previous versions of NetSky copy themselves to any folder containing the word "shared" in it, as in "My Shared Folder", to spread via Kazaa and other file-sharing programs.
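
    The two spreading tricks mentioned in this thread, executables dropped into any folder with "shared" in its name (comment 6) and attachment names that hide an executable extension behind a document one such as "document.doc .pif" (comment 1), are both visible from file names alone. The scanner below is an added example, not code from the thread or from any antivirus vendor; the extension lists are an assumed practical subset, and the directory tree it scans is constructed inside the script.

```python
# Added example (not from the thread). Heuristic scanner for the two Netsky
# spreading tricks mentioned above: executables dropped into any folder whose
# name contains "shared" (comment 6), and attachment names that hide an
# executable extension behind a document one, e.g. "document.doc .pif"
# (comment 1). The directory tree it scans is constructed here for the demo.
import os
import shutil
import tempfile

# Assumption: a practical subset of extensions Windows runs on double-click.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to be inert documents or media.
DOC_EXTS = {".doc", ".txt", ".pdf", ".jpg", ".gif", ".htm", ".html", ".rtf", ".mp3"}


def is_double_extension(name):
    """True for names like 'readme.txt.exe' or 'document.doc      .pif':
    the real (last) extension is executable and the one before it, once the
    padding spaces used to push it off-screen are stripped, is a document."""
    base, last = os.path.splitext(name)
    if last.lower() not in EXEC_EXTS:
        return False
    prev = os.path.splitext(base.rstrip())[1]
    return prev.lower() in DOC_EXTS


def scan_tree(root):
    """Walk root and return sorted (kind, relative_path) findings:
    'double_ext'    - file name hides an executable extension
    'exec_in_share' - executable sitting in a folder whose name has 'shared'"""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_share = "shared" in os.path.basename(dirpath).lower()
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            ext = os.path.splitext(fname)[1].lower()
            if is_double_extension(fname):
                findings.append(("double_ext", rel))
            elif in_share and ext in EXEC_EXTS:
                findings.append(("exec_in_share", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data: a temp tree that mimics a Kazaa install."""
    root = tempfile.mkdtemp(prefix="netsky_demo_")
    os.makedirs(os.path.join(root, "Kazaa", "My Shared Folder"))
    os.makedirs(os.path.join(root, "My Documents"))
    samples = [
        ("Kazaa/My Shared Folder/some band - hit.mp3", "benign"),
        ("Kazaa/My Shared Folder/Photoshop 8 keygen.exe", "exec in share"),
        ("My Documents/document.doc                    .pif", "padded double ext"),
        ("My Documents/notes.txt", "benign"),
        ("My Documents/setup.exe", "exec, but not in a share"),
    ]
    for rel, _why in samples:
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"MZ")  # contents are irrelevant to a name-based check
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for kind, rel in scan_tree(demo_root):
            print(f"{kind:14s} {rel}")
    finally:
        shutil.rmtree(demo_root)
```

    Run against a real profile the same check will also flag the legitimate keygen-in-share case; that is the point of the heuristic, since the worm relies on exactly those folders being offered to other peers.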

  7. Re:Kazaa?? by xandroid · · Score: 3, Informative

    Real geeks who dislike the RIAA and/or want to stick it to The Man use Mute, a free and anonymous filesharing program.

    --
    $ echo "ceci n'est pas une pipe" | sed -Ee 's/(eci n|pas )//g'
  8. article text by Anonymous Coward · · Score: 2, Informative

    Worm Triggers Attacks on File-Trading Services
    Sat Apr 10,10:23 AM ET

    By Mike Musgrove, Washington Post Staff Writer

    The latest variant of the Netsky worm is directing infected computers to launch Web-based attacks against music- and file-trading Web services such as Kazaa, taking down at least one company's Web sites in the process.

    The worm, the 19th version of a bug that made its debut in February, is also targeting some Web sites that offer computer programs designed to illegally break or bypass copyright controls on software programs.

    Sharman Networks, owner and distributor of Kazaa software, said in a statement that the attack had "no disruptive effect" on its site.

    But Jed McCaleb, lead programmer for eDonkey file-sharing software, said the worm temporarily knocked out the company's two main Web sites. A third site run by the company remained up and all were working late yesterday.

    McCaleb said he does not know why his sites were attacked. "It's strange to me that these people are virus writers and pointing their fingers at others," he said in a phone interview yesterday. "Obviously they don't have the highest morals if they are hurting people's computers."

    McCaleb said that the three-year-old service has 5 million users worldwide.

    Antivirus experts said they were unsure whether the author of the 19th version of the Netsky worm is the same as the author of previous versions. A 20th version of the worm that has been circulating on the Web is scheduled to attack a similar group of file-sharing sites between April 14 and April 23.

    The experts advised people not to click on strange attachments in e-mail, which can activate the worm, and to update their antivirus software frequently to ward off new threats.

  9. Re:It's not that surprising . . . by Anonymous Coward · · Score: 1, Informative

    Amen, brother!

    I honestly don't know the answer. Ignorance? Stupidity? A false sense of security? All of the above, possibly.

    I deal with this every day at work. We have about 40 computers, all protected by Symantec's corporate edition, and this setup usually works. However, after all the worms and viruses that we see, and after all the times I've talked to people about it, I still see people opening infected attachments, then, when I tell them they've been infected, saying, "I don't think so. I didn't see it do anything." My response is, "Yes, it did something. Just because you didn't see anything doesn't mean it didn't. I'll be up there in a minute to clean it up." Then, I lose a half hour of my workday dealing with scanning their system to make sure Symantec stopped whatever it was they ran and telling them once again not to open every e-mail they get, and if they're not sure about something they receive, then, for God's sake, call me and ask before they do anything with it.

    I think I want to hold an office-wide meeting on this stuff. Need to run that by the Administrator...

    But anyway, there are some good, free resources out there that I think everyone ought to be using.

    For quick scans and cleanups of computers without any AV app installed, I like Trend Micro's free scanner at http://housecall.trendmicro.com.

    For a free AV program, you can't beat AVG Anti-Virus, available at http://www.grisoft.com.

    For firewall software, ZoneAlarm still does the trick nicely. http://www.zonelab.com I just wish they didn't go through such great effort to make the free download hard to get at. I wonder if Real designed their site.

    And we can't forget Microsoft in all this. One of the best things they've done lately is to finally get somewhat on the ball with their Windows security site at http://www.microsoft.com/security/protect. You can even get free or discounted AV software by following links in the section on antivirus software. And the free Windows Security Update CD is a must-have for anyone who has to mess with computers owned by the, shall we say, less informed among us.

    Finally, and this is the thing that is really starting to piss me off, we have way too many ISPs out there who don't seem to give two shits about getting infected PCs off their networks after they've been reported to them numerous times. How hard is it to call a customer who's been reported, tell them they're infected, and tell them they have 24 hours to clean it up, and if they get another report after then, the connection will be shut off? But I guess that would negatively impact the bottom line, and we can't have that.

  10. Re:It's not that surprising . . . by Anonymous Coward · · Score: 2, Informative

    Or you could get AVG Anti-Virus from www.grisoft.com for free, and you'd have a greater measure of protection than you do now.

    As careful as you may be, it's still possible that you can slip up. Anyone can, sooner or later. And if you allow someone else to use your system, just for a few minutes, you could get hit.

    I wouldn't risk it, especially when you can get better protection for free.

    And consider this. If other, less experienced computer users see you using antivirus software, they're more likely to do the same, since they'll see you as a person to look to in such matters. And these are the people who really need to be running AV software.

  11. Re:The most likely culprit by Nogami_Saeko · · Score: 4, Informative

    Well, there are uses for running a virtual machine à la Virtual PC or VMware.

    You can take your downloaded keygen or whatever and run it completely separated "in a bottle" so to speak, so you can use it without any fear that it will wreak havoc on you. Disable networking support, COM ports, and any shared access to hard disks and you're safe.

    Very handy.

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  12. Re:What get's me... by naelurec · · Score: 4, Informative

    So I ask the other windows users, what the hell are you doing to require this. And I ask all the self-righteous linux users to kindly keep your smart-ass comments to yourselves :)

    Well here are some of the answers I received after cleaning up systems that were infected:

    1. I just wanted to install a game (about 18 spyware programs found)

    2. I thought the email was from the IT department (bagle ZIP encrypted virus)

    3. Internet Explorer prompted me to install something, I said yes (spyware, again..)

    4. I don't know (spyware, viruses, you name it..)

    5. Someone else used the computer..

    Needless to say, spyware and viruses are such a large problem that for most people, they are unable to determine where it comes from or how to prevent it from getting on their systems without something protecting them (antivirus, antispyware programs).

    Annoying? Definitely. Preventable with a little bit of knowledge? Definitely.

  13. Sadly... by mythosaz · · Score: 3, Informative

    I spent a 24-hour block at work on Thursday fighting a version of Polybot/Gaobot/SDBot undetectable to McAfee/Norton/Trend.

    The *bot line of worms spreads two ways. It uses both the RPC exploit (patched last year) and by using a laundry list of username/password combinations. While I'll be the first to admit that a STRONG local administrative password and 100% patched boxes would have evaded *this* worm, it won't be a defense against the next one that targets RPC-like-flaw-v2.0 or that includes our "strong" local administrative password in its list of passwords to try.

    The *bot series of worms is also pretty "neat" in that it immediately updates the HOSTS file of infected machines to redirect all major AV update sites to 127.0.0.1, and it spawns a double process in which each iteration of itself checks constantly to ensure that the other instance of itself is still running, and that all of its restart values are still in place. Tricky indeed.

    Sure, lock the HOSTS file too, you say, but we've got more than one VPN solution in-house that changes HOSTS when executing.

    Use VNC on our desktops? As soon as it includes domain authentication instead of weak passwords stored plaintext in the registry. (Yes, there are updated versions, yes the source is available, but "use VNC" isn't as simple as it sounds. -- From a security standpoint, VNC just isn't "secure.")

    Up-to-date AV? Useless against new threats.

    Turn off the SERVER service you say! That'll fix 'em... ...it'll also stop you from fixing anything remotely too.

    Anyway, rambling aside, we deployed a fix (with a tool that, ironically, would be caught by many AV programs as "dangerous" and blocked, since our fix included a copy of PSKILL) to our machines through our automated software deployment agent, and we'll be cleaning up HOSTS files later this week.

    There is no "do this and you will be protected" blanket statement. If there was, I'd be out of a job.
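
    The HOSTS tampering described in this comment (AV update sites pinned to 127.0.0.1) is easy to check for, and the objection raised here to simply locking the file (comment 4's suggestion) is a real one: VPN clients rewrite it legitimately, so a "has it changed" alarm is noisy. The script below, an added example and not code from the thread or from any vendor, checks what the entries point at instead. The HOSTS content is constructed for the demo and the watched-domain list is an assumed practical subset, not the list any particular worm carries.

```python
# Added example (not from the thread). Parses a Windows HOSTS file and flags
# entries that pin antivirus/update domains to loopback or 0.0.0.0, the mark
# the *bot family described above leaves behind. A blanket "has HOSTS changed"
# lock is noisy for the reason given (VPN clients rewrite it legitimately), so
# this checks what the entries point at instead. The file content below is
# constructed for the demo, and the domain list is an assumed practical subset.
import ipaddress
import re
import sys

# Assumption: domains an infected box must not be able to resolve wrongly.
AV_UPDATE_DOMAINS = {
    "liveupdate.symantec.com", "update.symantec.com",
    "download.mcafee.com", "update.nai.com",
    "housecall.trendmicro.com", "www.trendmicro.com",
    "www.grisoft.com", "windowsupdate.microsoft.com",
}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# added by the corporate VPN client (legitimate, not flagged)
10.0.0.5        intranet.example.com   intranet
# what a *bot infection leaves behind
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 download.mcafee.com www.mcafee.com
127.0.0.1 housecall.trendmicro.com
0.0.0.0   windowsupdate.microsoft.com
"""

_ENTRY = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; comments and malformed lines
    are skipped, and one line may map several names to one address."""
    for line in text.splitlines():
        m = _ENTRY.match(line.split("#", 1)[0])
        if not m:
            continue
        ip, names = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names.split():
            yield ip, name.lower()


def suspicious_entries(text, watched=AV_UPDATE_DOMAINS):
    """Return [(ip, hostname, reason)].
    'av_update_domain' - a watched domain (or subdomain) mapped anywhere at all;
    'sinkholed'        - any other name mapped to loopback or 0.0.0.0."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback entry that belongs there
        addr = ipaddress.ip_address(ip)
        if name in watched or any(name.endswith("." + d) for d in watched):
            hits.append((ip, name, "av_update_domain"))
        elif addr.is_loopback or addr.is_unspecified:
            hits.append((ip, name, "sinkholed"))
    return hits


if __name__ == "__main__":
    # Real path on Windows: %SystemRoot%\System32\drivers\etc\hosts
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name, reason in suspicious_entries(text):
        print(f"{reason:17s} {ip:15s} {name}")
```

    The VPN-added intranet entry passes because it points at a routable address; the worm's entries are caught either because the name is on the watched list or because a public name has been sinkholed to loopback. Pointing it at the real file on a suspect machine (the path in the comment) is the intended use.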

  14. Re:It's not that surprising . . . by void* · · Score: 5, Informative

    Actually, viruses do install themselves.

    These 'email viruses' that require a user to click on them aren't really viruses, they're trojans. They don't have a means to copy themselves into another program, they just send off a bunch of mails and hope somebody activates them. They have a propagation mechanism that depends on human stupidity. I would call them 'self replicating' but they have a rather uninteresting replication mechanism.

    A real virus ... you run an infected program (note: not the virus itself, an otherwise useful program that happens to be infected) and it installs itself in other programs, or you boot off an infected floppy, it infects your hard disk boot sector, and then starts infecting more floppies. These actions (running a program, or booting your machine) are entirely normal things to do; you do them because you can't get anything done with a computer without doing them.

    Which brings us to worms, which are self replicating, but actively break into other machines and directly cause copies of themselves to start executing.

    As far as viruses go, people install and run infected programs because they want the functionality of an uninfected program and do not know the infection (the 'undesired behavior') is there. Hence the need to scan for viruses before you install any program.

    --


    Code or be coded.
  15. Re:It's not that surprising . . . by fucksl4shd0t · · Score: 2, Informative

    Do yourself a favour, and use webmail instead of your own pop client. Let M$/Yahoo pay Norton and keep their virus clients up to date. I have never felt the need to use Outlook, Outlook Express. At home, I've never needed to store many e-mails, plus Yahoo has 6MB, and Hotmail has 2.

    I've got 10MB on my ISP's mail server, and if I don't delete messages off the server I run out of room in two weeks. I get very little spam. I also don't delete any email from my mail client. Never know when I'll need to grep for something sent in an email. So those webmail services aren't for me.

    I've just upgraded from Win98 to XP Prof. Now also using ZoneAlarm in conjunction with XP's built-in firewall, and also the multiple users feature which *nix users have been able to use forever (i.e. browsing the web from an account which has 'limited' access and not Admin). And that means that for the last 10 yrs at least, I've been totally virus free...

    I found ZoneAlarm to be quite a hit on my machine's performance. I also didn't like having to deal with 10 prompts everytime I opened a net-using program. Not to mention that it seems like you're jumping through quite a few hoops just to make sure you don't get anything.

    See, I run behind a NAT router and that stops 90% of all net-based attacks. The only reason it doesn't stop more is because I have a few ports open. After that, Linux does the rest for me. Just by not being compatible with the viruses themselves, I stop 99% of the attacks that get through NAT. What about the other 1%? Well, haven't been infected yet. Last virus I got infected by was the old SCA virus on the Amiga...

    What's a good solution for you isn't a good solution for everybody. I get lots of email with valuable information in it, and I can't even begin to count the hours saved by being able to grep my email for information stored in it. My mail folders currently take up 100MB of my home directory and store about 3 years worth of email, incoming and outgoing. It's probably less than 1% spam and other commercial emails that I *did* ask for. I use browsers that aren't normally targeted by any viruses, and the ones that do target Mozilla from time to time still don't affect Linux boxes. So I'm pretty safe, in general. If I feel the need to implement a firewall, well I've got machines lying around doing nothing that could run a great firewall for me, just stick it between the NAT router and the cable box. Nothing to it. Virus scanning? When viruses on Linux can't be dealt with just by running as a normal user and keeping permissions under control, then I'll think about it. Until then, no reason to waste a moment thinking about it...

    --
    Like what I said? You might like my music
  16. Re:Norton sucks! by JPriest · · Score: 4, Informative

    Fixed link

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  17. Re:It's not that surprising . . . by guiscard · · Score: 2, Informative


    I use Avast, it works just as well and is free. I switched from Norton after not wanting to pay every year. It catches all the virii my girlfriend manages to get into the computer (about 2 a week lately).

    Another useful program is Mailwasher (there is also a non-pro version). Shows all your mail on the server, including the virii (which it labels) so you can delete them without downloading them into your inbox (it is also great for spam, but turn off the 'bounce' function).

  18. Re:Norton sucks! by colk99 · · Score: 2, Informative

    I use Pc-Cillin. It is subscription based, but it doesn't take up as much memory or processor as McAfee or Norton.

  19. Re:Kazaa?? by UpnAtom · · Score: 2, Informative

    Does anyone actually use kazaa anymore? Seriously, after the RIAA, the viruses, (not just this latest one either) the fake files, the silly repeating songs, the cursed songs with phone tones in them, and the overall spyware nature of Kazaa (and don't mention kazaa lite please)

    Why don't you want me to mention Kazaa Lite? As far as RIAA & fake files, the Bad IP Updater takes care of them, MP3 Shield for those who've already been tricked.

    Who actually uses Kazaa anymore?

    2.8 million people today. That's the clincher for me. The software may have problems (lack of error checking being a big one), but what's the point of a fancy network if you're the only person on it?

  20. Re:Norton sucks! by mattgreen · · Score: 2, Informative

    What are you smoking? This is FUD. I am a gamer. I don't even notice the impact of running Norton. I did a quick 3DMark test way back and there was no difference between running it with NAV and without. Well, less than 30 marks on 3DMark 2000, but this easily falls within the standard deviation of repeated runs of 3DMark.

    Furthermore, I'll pull the CPU time figures from task manager. This is NAV Corp. edition 8.0 on XP:
    Cumulative uptime: 201:53:00 (system idle process)
    rtvscan.exe: 00:00:04 (real time scanning service)
    vptray.exe: 00:00:01 (virus protection tray applet)

    For reference:
    aim.exe: 00:00:47 (been running less than a day)

  21. Re:It's not that surprising . . . by airjrdn · · Score: 2, Informative

    Symantec products became increasingly good at hogging system resources a few years ago. Prior to that, I was a big fan of theirs. Give AVG (www.grisoft.com) a shot. I've been running it for awhile and haven't experienced any noticeable slowdowns whatsoever.

  22. Re:Worms VS. Viruses by Anonymous Coward · · Score: 1, Informative

    Sorry for adding to your growing pile of Anonymous Coward posts.

    A worm is usually a virus that uses some sort of flaw in the user's software to spread over the internet. They also send copies of themselves to others via email, and you must run the attachment to have it spread. It's like a trojan horse, but a trojan horse must be spread manually.

    A virus spreads a different way, by infecting the person's files. Say the virus infects a .exe file and you pass that to a friend who runs it; your friend is now infected. A very common type of virus is a macro virus, which puts executable code in, say, a Word document. Melissa is an example of a macro virus.

    Hope this did a good job of explaining!

  23. Re:Norton sucks! by RESPAWN · · Score: 2, Informative

    I hate Norton and McAfee because they each run like 6 different processes when the system boots up. Who needs a virus when they have an anti-virus utility that causes more load and overhead than everything else combined.

    I totally agree with you on that one. I was having issues with McAfee at one point, so I uninstalled it for a while. I couldn't believe how much faster my computer was starting up. Now, I'm sure that some of the slowdown had to do with McAfee doing some scanning on bootup, but it was amazing nevertheless. ...And the reason that I uninstalled McAfee? Version 8.0 for home users appears to have a slight bug in it where for some reason it appears to go into some kind of infinite loop or something and basically keeps eating up system resources and slowing your system to a crawl until you kill the process. I've actually got one screenshot showing McAfee has consumed ~380MB physical memory and ~720MB virtual memory. I've seen it higher, but the system was so slow to respond at that point that I was unable to get a screencap.

    As you said, who needs viruses when you have virus software that harms your computer worse than a virus.

    --

    If Murphy's Law can go wrong, it will.

  24. Re:It's not that surprising . . . by cmacb · · Score: 2, Informative

    You haven't heard about the new Intellimouse worm? Does the scroll wheel sometimes act up a bit? Thought so.

    (j/k)

    Seriously though, I haven't had any trouble opening RTF files with Open Office. In fact, Open Office opens Word files that Word won't even open. I've never needed to resort to Wine for things like that. (although I suspect if there are macros in those documents they won't run in Open Office....on the other hand do you really WANT macros to run in a document when you open it?)

  25. Try AntiVir XP by Quizo69 · · Score: 2, Informative

    "Antivirus software has become so beloated these days. I run Norton Antivirus on my Windows machine and it turns it into a lag terminal."

    Norton certainly behaves this way. When I visit a client that has Norton on their machine, I recommend that to speed up their machine, they uninstall Norton and install the freeware antivirus checker called AntiVir:

    www.free-av.com

    They are always amazed at how getting rid of Norton Antivirus suddenly speeds up their system about 200%.

    NAV used to be really good back in '99 or so, but recent versions have been bloatware hogs like nothing else I've ever seen!

    Give AntiVir a try - you may be similarly amazed!! ....and no, I have no affiliation with AntiVir, I just think it's the best and least bloated antivirus app out there (and it happens to be free which is a great bonus!)

    1. Re:Try AntiVir XP by nolife · · Score: 2, Informative

      The free version of AntiVir will not scan or protect from files opened or accessed from a network share. A fair compromise by them for an otherwise very good free product, but something you should be aware of if you have a home network with shared resources.

      You can test and verify this operation on any vendor's antivirus product with the EICAR test virus.

      --
      Bad boys rape our young girls but Violet gives willingly.
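
    The EICAR check suggested in the reply above is worth scripting so it can be repeated against every share a client mounts. The script below is an added example, not code from the thread or from EICAR or any vendor: it writes the standard 68-byte EICAR test file to a directory, waits, and reports whether the on-access scanner blocked the write, removed or altered the file, or left it untouched (no coverage). The EICAR string itself is the published test signature; the probe file name, settle time and result labels are assumptions for the demo. Run it on the client whose scanner you are testing, with the share's UNC path as the argument, since it is the client's on-access scanner that the comment says skips network shares.

```python
# Added example (not from the thread). Drops the standard EICAR test file
# into a directory (e.g. a mounted network share) and reports what the
# on-access scanner did with it. Probe file name, settle time and the result
# labels are assumptions for this demo; the EICAR string is the published one.
import os
import sys
import time

# The 68-byte EICAR test string, assembled from pieces so that this source
# file itself is not quarantined by scanners that match the literal.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)


def eicar_bytes():
    """Return the EICAR test file contents (plain ASCII, 68 bytes)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def probe_on_access(directory, settle_seconds=5.0):
    """Write the test file into `directory` and classify the outcome:
    'blocked'     - the write itself was refused (scanner hooked the create)
    'intercepted' - written, but gone or unreadable after the settle time
    'altered'     - still present but the bytes changed (some scanners wipe it)
    'not_scanned' - present and byte-for-byte intact: no on-access coverage"""
    path = os.path.join(directory, "eicar_probe.com")
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_bytes())
    except OSError:
        return "blocked"
    time.sleep(settle_seconds)
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "intercepted"
    try:
        os.remove(path)  # clean up so the probe is not mistaken for a real hit
    except OSError:
        pass
    return "not_scanned" if data == eicar_bytes() else "altered"


if __name__ == "__main__":
    # Example: python eicar_probe.py \\\\fileserver\\share
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    print(f"{target}: {probe_on_access(target)}")
```

    A result of not_scanned on the share but blocked or intercepted on the local disk is exactly the gap the reply describes; expect some products to report intercepted only on read rather than on write, which is why the probe reads the file back instead of stopping at the successful write.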
  26. Re:Mods? by imkonen · · Score: 2, Informative

    This may be getting off-topic a little, but I learned this tip when I was in charge of my lab's PCs. One huge difference I noticed in Norton AV is under the advanced settings for real time file protection, there are two options: "Scan on modify (create)" and "Scan on Accessed or modify (create, open, move, copy or run)". For a while when I would install a new copy of Norton the second was the default setting, and it made a world of difference switching to the first. I have no benchmark numbers to back it up, but qualitatively I would say I couldn't tell the difference in performance between the first option and not having Norton installed at all, while checking the second option it was pretty easy to see the effect. It just kills any program that accesses data files and settings files as it goes because it interrupts and scans the files every time they are needed. I assume the first option is sufficient to protect against downloading a new virus, while the second may actually help with damage control if you're already infected, but at some point you do have to decide the performance hit just isn't worth it.