Netsky Worm Variant Attacks P2P Services
ee_moss points out this Washington Post article (via Yahoo!), excerpting "The latest variant of the Netsky worm is directing infected computers to launch Web-based attacks against music- and file-trading Web services such as Kazaa, taking down at least one company's Web sites in the process. The worm, the 19th version of a bug that made its debut in February, is also targeting some Web sites that offer computer programs designed to illegally break or bypass copyright controls on software programs."
Soulseek's been down all day, for example, even though I haven't seen any information specifically saying that this new Netsky targets said network (Kazaa and Edonkey are the two that I frequently see cited, as in the linked article). It's an odd choice of target--it's far smaller than Kazaa/FastTrack--but then again, Edonkey's not too high on the usual radar, either. Some bittorrent sites are also especially wobbly today, but that could be coincidence.
Fascinatingly, I've also been getting absolute tons of emails infected with this variant of Netsky, many of which pretend to have been scanned for viruses and are "clean." This seems particularly lame as an "innovative" get-the-dupes-to-click-on-"document.doc.pif" strategy, but someone must be clicking on these things (Verizon seems particularly affected, as every other Netsky spam I get seems to be from that domain).
Ahh well. Hopefully, this particularly-obnoxious variant will be short lived (so we can, of course, begin the cycle anew in a few weeks' time with a new SoBig or...heck, I dunno, Klez? What letter are they up to there?)
I think it's more likely to be the mp3 scene itself. And by mp3 scene I mean the releasing groups, couriers, and ftp site ops. They don't like their work getting to P2P networks; they rip music to have something to offer to sites they upload to, in exchange for whatever they want, be it wares or porn or whatever. If their product is not exclusive (e.g. available on P2P), they lose leverage. Ask any "scener" and they'll tell you they think P2P is bad for business.
If they MUST run windows, this is all you have to do:
* Install Mozilla (Firefox and Thunderbird).
* Install Ad-Aware. Pay for the pro version that also has Ad-Watch.
* Install Spybot Destroyer.
* Install a cheap Linksys router.
* Install Grisoft/AVG antivirus - or something equally good.
Now, nothing is going to get IN that shouldn't and probably won't get OUT. Even if they're reckless and download/install everything they ever run across, Spybot Destroyer lets you prevent the installation of *hundreds* of known ActiveX applications and other troublesome installers, lock your hosts file, prevent changing the MSIE start page, etc. And if they're stupid enough to install something after Ad-Watch/Ad-Aware and/or their antivirus software warns them about it, then they deserve what they get.
Additionally:
* Don't give them administrator accounts!
* Set them up with a DynDNS address. This way you can connect to them remotely using VNC when necessary to do administrative tasks.
* Set up regular user accounts for them. Or better - set up limited user accounts so they can't even install any software themselves. Tell them to come up with lists of things they need installed and to call you. Then you can VNC in, fire up the admin account and install them in a few minutes.
It will lock them down, but shouldn't prevent them from doing most things they want to do and will save you a shitload of headache. And if they don't like it, then it should hopefully be enough reason for them to start actually LEARNING about the machine they're using rather than treating it like a god damn TV and then they can assume the responsibility.
Because they're paranoid.
:)
I've run XP for over a year and every once in a while, just for kicks, I install AVG and AdAware.
Last time I ran AdAware 6 with the latest definitions, out of 90000+ items scanned, it found ONE registry key.
And AVG has not once turned up an infection of any kind.
So I ask the other Windows users, what the hell are you doing to require this? And I ask all the self-righteous Linux users to kindly keep your smart-ass comments to yourselves.
Previous versions of NetSky copy themselves to any folder containing the word "shared" in it, as in "My Shared Folder," to spread via Kazaa and other file sharing programs.
Real geeks who dislike the RIAA and/or want to stick it to The Man use Mute, a free and anonymous filesharing program.
$ echo "ceci n'est pas une pipe" | sed -Ee 's/(eci n|pas )//g'
Well, there are uses for running a virtual machine ala Virtual PC or VMWare.
You can take your downloaded keygen or whatever and run it completely separated "in a bottle" so to speak, so you can use it without any fear that it will wreak havoc on you. Disable networking support, COM ports, and any shared access to hard disks and you're safe.
Very handy.
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
So I ask the other windows users, what the hell are you doing to require this. And I ask all the self-righteous linux users to kindly keep your smart-ass comments to yourselves :)
Well here are some of the answers I received after cleaning up systems that were infected:
1. I just wanted to install a game (about 18 spyware programs found)
2. I thought the email was from the IT department (bagle ZIP encrypted virus)
3. Internet Explorer prompted me to install something, I said yes (spyware, again..)
4. I don't know (spyware, viruses, you name it..)
5. Someone else used the computer..
Needless to say, spyware and viruses are such a large problem that most people are unable to determine where they come from or how to prevent them from getting on their systems without something protecting them (antivirus, antispyware programs).
Annoying, definitely, preventable with a little bit of knowledge? definitely.
I spent a 24 hour block at work on Thursday fighting an undetectable to McAfee/Norton/Trend version of Polybot/Gaobot/SDBot.
...it'll also stop you from fixing anything remotely too.
The *bot line of worms spreads two ways. It uses both the RPC exploit (patched last year) and by using a laundry list of username/password combinations. While I'll be the first to admit that a STRONG local administrative password and 100% patched boxes would have evaded *this* worm, it won't be a defense against the next one that targets RPC-like-flaw-v2.0 or that includes our "strong" local administrative password in its list of passwords to try.
The *bot series of worms is also pretty "neat" in that it immediately updates the HOSTS. file of infected machines to redirect all major AV update sites to 127.0.0.1, and it spawns a double-process that each iteration of itself checks constantly to ensure that the other instance of itself is still running, and that all of its restart values are still in place. Tricky indeed.
Sure, lock the HOSTS. file too you say, but we've got more than one VPN solution in-house that changes HOSTS. when executing.
Use VNC on our desktops? As soon as it includes domain authentication instead of weak passwords stored plaintext in the registry. (Yes, there are updated versions, yes the source is available, but "use VNC" isn't as simple as it sounds. -- From a security standpoint, VNC just isn't "secure.")
Up-to-date AV? Useless against new threats.
Turn off the SERVER service you say! That'll fix 'em...
Anyway, rambling aside, we deployed a fix (with a tool that, ironically, would be caught by many AV programs as "dangerous" and blocked -- since our fix included a copy of PSKILL) to our machines through our automated software deployment agent, and we'll be cleaning up HOSTS. files later this week.
There is no "do this and you will be protected" blanket statement. If there was, I'd be out of a job.
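A defender-side check for the HOSTS tampering described in the post above, written here as an added example (not code from the thread or from any poster): it parses HOSTS-file text and flags entries that point security-vendor update hostnames at loopback or 0.0.0.0. The watched domain suffixes and the sample HOSTS contents are constructed, not the worm's actual target list.

```python
"""Flag HOSTS-file entries that sink vendor update hosts to loopback."""
import ipaddress

# Constructed watch list of vendor/update hostname suffixes (assumption:
# adapt this to the AV and patch vendors used in your own environment).
WATCHED_SUFFIXES = (
    "mcafee.com", "symantec.com", "trendmicro.com", "grisoft.com",
    "sophos.com", "kaspersky.com", "windowsupdate.com", "microsoft.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address; ignore
        for name in parts[1:]:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, hostname) pairs that map a watched vendor hostname to a
    loopback or unspecified address, i.e. a sinkholed update server."""
    hits = []
    for ip, name in parse_hosts(text):
        sinkholed = ip.is_loopback or ip.is_unspecified
        if sinkholed and name.endswith(WATCHED_SUFFIXES):
            hits.append((str(ip), name))
    return hits


# Constructed sample HOSTS content: a normal localhost line, a legitimate
# entry of the kind a VPN client writes, and three sinkholed vendor hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.1.2.3        vpn-gateway.corp.example   # pushed by VPN client
127.0.0.1       download.mcafee.com liveupdate.symantec.com
0.0.0.0         windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

Running it against a machine's real HOSTS file (read the file into `text`) reports only the watched names that have been redirected, so legitimate VPN-written entries are left alone.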
Actually, viruses do install themselves.
... you run an infected program (note: not the virus itself, an otherwise useful program that happens to be infected) and it installs itself in other programs, or you boot off an infected floppy, it infects your hard disk boot sector, and then starts infecting more floppies. These actions (running a program, or booting your machine) are entirely normal things to do; you do them because you can't get anything done with a computer without doing them.
These 'email viruses' that require a user to click on them aren't really viruses, they're trojans. They don't have a means to copy themselves into another program, they just send off a bunch of mails and hope somebody activates them. They have a propagation mechanism that depends on human stupidity. I would call them 'self replicating' but they have a rather uninteresting replication mechanism.
A real virus
Which brings us to worms, which are self replicating, but actively break into other machines and directly cause copies of themselves to start executing.
As far as viruses go, people install and run infected programs because they want the functionality of an uninfected program and do not know the infection (the 'undesired behavior') is there. Hence the need to scan for viruses before you install any program.
Code or be coded.
Fixed link
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.