Slashdot Mirror
Netsky Worm Variant Attacks P2P Services
ee_moss points out this Washington Post article (via Yahoo!), excerpting "The latest variant of the Netsky worm directing infected computers to launch Web-based attacks against music- and file-trading Web services such as Kazaa, taking down at least one company's Web sites in the process. The worm, the 19th version of a bug that made its debut in February, is also targeting some Web sites that offer computer programs designed to illegally break or bypass copyright controls on software programs."
Anyway, I know this sounds painfully obvious, but why don't folks take the simple step of running an antivirus program? I have McAfee VirusScan and I also have AdWatch running full time. Between the two, I feel fairly well protected from viruses and adware/spyware.
And then you have folks that click on just about any attachment - from the article:
The experts advised people not to click on strange attachments in e-mail, which can activate the worm, and to update their antivirus software frequently to ward off new threats.
I have an agreement with family and friends to embedd a codeword in any document that contains a file attachment. It is usually a fairly esoteric work not likely to come up in casual conversation. However, I have damn near been fooled by a few emails because they seemd very legitimate. Oh, well.
Anyway, I am preaching to the choir....and ranting a bit.
Happy Trails!
Erick
http://www.busyweather.com/
Another virus. Run in circle. Shout. Panic.
The experts advised people not to click on strange attachments in e-mail, which can activate the worm...
Of course, until you can teach people to be intelligent, these types of viruses will continue to circulate through the net.
Wireless News www.DailyWireless
I have a couple relatives who are extremely nontechnical. Their windows installation has already been plagued by 2 worm viruses this year. When they think virus in windows, they think virus in computers. Basically these viruses are giving computers in general a bad reputation.
I have suggested they try linux. But they are nearly at the point of no return. They fear computer, they fear the hassle, virus scans, repair etc. What's the world coming to.
The post doesn't say it, but it definitely insinuates that the nefarious RIAA and possibly the BSA is behind this latest worm. Unfortunately, that kind of knee-jerk reaction is counterproductive to finding the real virus spreaders.
Someone is obviously trying to implicate the content monopolists in this by targetting the sharing networks. It is highly unlikely that the monopolists are doing this themselves because they have too much to lose by carrying out such an attack.
Someone in the computer community is doing this and is hurting everyone in the process. Sometimes the geek community is its own worst enemy.
I have been pwned because my
I've noticed more and more windows users, have to install nearly 1/2 a dozen or so programs th protect thier pc's. Between Ad-aware, Spybot S&D, Norton/AVG/McAfee and a host of others, I ask... Why Bother? It's the reason I went 100% linux at home, no worries about such crap.
Ubuntu- Linux for human beings.
Was the worm written by...
A: The RIAA, to try to take down the P2P services.
B: A disgruntled artist, who blames the P2P apps for why they can't get paid.
C: The owner of unaffected P2P app trying to take down the competition.
D: A random hacker, who doesn't have any interest in the music industry, but just wants to ruin people's fun.
E: SCO. Because they're associated with anything Slashdot hates.
F: Microsoft. Because they're associated with anything Slashdot hates.
G: CowboyNeal, because he's a suspect on all Slashdot polls.
I don't really understand this virus, or more precisely, the people who wrote it. Although I can not speak from experience, I would have to imagine that spreading virii over P2P networks is like shooting fish in a barrel (hotpr0n.mpg.exe would probably take down half the computers on kazaa). So why are they trying to spread it through e-mail? I would think that since there is no challenge involved in spreading it that they would be moralists (like the people who disguise a program that reports people's ip address as warez) but they are not doing it over the networks themselves so they would have a potential for "collateral damage". Is the writer just a random skript kiddie or am I missing something?
_____
Thank you.
Soulseek's been down all day, for example, even though I haven't seen any information specifically saying that this new Netsky targets said network (Kazaa and Edonkey are the two that I frequently see cited, as in the linked article). It's an odd choice of target--it's far smaller than Kazaa/FastTrack--but then again, Edonkey's not too high on the usual radar, either. Some bittorrent sites are also especially wobbly today, but that could be coincidence.
.pif" strategy, but someone must be clicking on these things (verizon seems particularly affected, as every other Netsky spam I get seems to be from that domain).
Fascinatingly, I've also been getting absolute tons of emails infected with this variant of Netsky, many of which pretend to have been scanned for viruses and are "clean." This seems particularly lame as an "innovative" get-the-dupes-to-click-on-"document.doc
Ahh well. Hopefully, this particularly-obnoxious variant will be short lived (so we can, of course, begin the cycle anew in a few weeks' time with a new SoBig or...heck, I dunno, Klez? What letter are they up to there?)
It can't be long before e-mail becomes so suspect that self-mailing viruses simply won't spread because everybody is so afraid of their inbox. It will be interesting to see where viruses go then. IM would be my first bet, as well as P2P networks, vulnerabilities in certain *cough* OSes we've already seen, and network shares but there has got to be other methods I'm not thinking of. This could be really interesting to watch. I've never taken the hard line view towards viruses that I see here, I see them as massive experiments with data and as kind of a spectator sport. Of course that could be because I've never really had a problem with them...
I switched P2P networks long ago. I have no silly business of fake files, or dial tones in my songs. There are viruses, but they are fairly obvious as they are often disguised as keymakers. The only thing I have to worry about is french movies not being labeled properly. At least they are the right movie. If only I could translate french on the fly...
Only grandmothers and 10-year olds use KazAA. The unkempt geeks switched networks a while back.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
An antivirus program only finds known viruses, or variants of known viruses that trigger some common rule. They are useless against new viruses, particularly rapidly spreading new viruses.
So, when the virus attacked SCO, all the reporters gleefully reported that it was probably an attack from "the Linux Community." What are the odds that those reporters will automatically jump to the conclusion that the RIAA wrote this virus, and then publish that opinion.
My guess, is that these writers won't be quite so eager to jump to conclusions this time. But it might be worthwhile for those of us who were annoyed by those writers to point that fact out to them.
Remember how quick the media was to turn on the linux community when a worm appeared to be targeted at SCO.
Let's show we are a couple notches above the media here and give this some time, maybe we can take this thing apart and make sure of it's TRUE intended victim. Not to say I'd put it past the RIAA, but we should make sure before flinging accusations.
My feeling is that this won't stop until the virus creators actually start causing damage to individual user's computers, not just the bandwidth hogging and (D)DOS variety of the current crop. When getting hit with one of these bugs means that Joe Luser's stuff gets deleted and his system won't let him logon, you can be sure he will raise a ruckus wherever he can. Turning his box into a spam relay or a DDOS zombie doesn't cause nearly as much visible damage to the computer, other than it being a bit slower to use, another condition with which the average computer user has become too comfortable.
The nagging question in my mind isn't "When will this happen?", it's "Why hasn't it happened yet?" Or possibly, "Will it ever happen?" And that last one makes me very sad.
Is it sooo improbable that this was somehow sponsored by the RIAA ? (or similar)
...
On one hand i dont see it as too likely, on the other, lately my capacity for surprise has been worn down by strange lawsuits and laws (Can-Spam).
and RIAA was, after all, seeking to make their hacking P2P-ers legal
I think things would only change if default setups of Windows were secure against this sort of thing.
Previous versions of NetSky copies itself to any folder containing the word "shared" in it. As in "My Shared Folder." To spread itself via Kazaa and other file sharing programs.
I cant tell you how many computers I've cleaned when people get PIF email attachments and open them thinking they were PDF's.
They will pay me to remove the virus, but they wont buy a email scanning antivirus program, or even figure out that if the icon is the windows logo (double meaning here) Its probably not a good thing!!
Back to the article, With all of the spyware, IE plugins, and other memory hogging garbage associated with these P2P programs, alot of users wont even notice a few extra viri thrown into the mix, they'll just run to techies faster.
MOVE!!! (shameless Nick Burns Reference)
Easy:
Worm = Requires security vunerability in the computer's OS or some running software program to infect said computer.
Virus = Requires security vunerability between the chair and keyboard to infect said computer.
... to just millions of people, a computer is just a TV set with a lot of on demand "channels". That is exactly how they treat it, and why security isn't anything they should do, the "computer" should do it.. and really, it mostly SHOULD "do that".
And there's no reason anymore for new computers to go out the door in any shop without those types of programs installed if they are going to use MS.
shame on MS and shame on the box vendors
And there's even less reason to let MS skate on this issue. They should have been class actioned all the way to the supreme court long ago on useability and security and internet interoperability issues.
That EULA is an abomination. Maybe 20 years ago when desktop computing was really getting going they needed some time to get up to speed on coding, but not today, nope, EULAs that absolve the *seller* of all normal consumer warranty and protection should be stricken down. once and for all.
If ACME front door and lock company made a product that consistantly over the years was shown to A not open or shut correctly and could be counted on to fall off the hinges and needed to be re hung every 6 months, B-which had no credible locking mechanism, and C-caused the purchasers to be invaded in their homes and robbed and inconvenienced for years and years because of A and B, they would have been put out of business.
It's time to REALLY consider this EULA get out of any responsibility card they are allowed to use and profit from. It's absurd.
Methinks a lot more proactive coding on their part over the years might have cost them X-billions more, but they got 50 bill in the bank now, they could have most likely made it a lot more secure and functional and still had many many billions in the bank. There's no excuse anymore beyond pure GREED on their part. I would agree with the assessment nothing can be coded perfect, but really.. there's ways to go about this, they just never did it,not near enough, they were AWARE of the issues just they didn't CARE about the issues enough because it would have cut into "profits". Not eliminate them, it just would have reduced them some. Big deal. they profit, everyone else has to jump through hoops and suffer over their inaction.
They could have had BOTH, profitability plus more secure and functional design, they chose NOT TO. It was high level executive decision making that caused that, it was done on purpose. It wasn't that important to them as long as they could bully their way into mass acceptance and get away with it.
Class action suit, I am surprised it has never happened yet.
Well, there are uses for running a virtual machine ala Virtual PC or VMWare.
You can take your downloaded keygen or whatever and run it completely seperated "in a bottle" so to speak, so you can use it without any fear that it will wreak havok on you. Disable networking support, COM ports, and any shared access to harddisks and you're safe.
Very handy.
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
I spent a 24 hour block at work on Thursday fighting an undetectable to McAfee/Norton/Trend version of Polybot/Gaobot/SDBot.
...it'll also stop you from fixing anything remotely too.
The *bot line of worms spreads two ways. It uses both the RPC exploit (patched last year) and by using a laundry list of username/password combinations. While I'll be the first to admit that a STRONG local administrative password and 100% patched boxes would have evaded *this* worm, it won't be a defense against the next one that targets RPC-like-flaw-v2.0 or that includes our "strong" local administrative password in its list of passwords to try.
The *bot series of worms is also pretty "neat" in that it immediately updates the HOSTS. file of infected machines to redirect all major AV update sites to 127.0.0.1, and it spawns a double-process that each iteration of itself checks constantly to ensure that the other instance of itself is still running, and that all of its restart values are still in place. Tricky indeed.
Sure, lock the HOSTS. file too you say, but we've got more than one VPN solution in-house that changes HOSTS. when executing.
Use VNC on our desktops? As soon as it includes domain authentication instead of weak passwords stored plaintext in the registry. (Yes, there are updated versions, yes the source is available, but "use VNC" isn't as simple as it sounds. -- From a security standpoint, VNC just isn't "secure.")
Up-to-date AV? Useless against new threats.
Turn off the SERVER service you say! That'll fix 'em...
Anyway, rambling aside, we deployed a fix (with a tool that, ironicly would be caught by many AV programs as "dangerous" and blocked -- since our fix included a copy of PSKILL) to our machines through our automated software deployment agent, and we'll be cleaning up HOSTS. files later this week.
There is no "do this and you will be protected" blanket statement. If there was, I'd be out of a job.
how many people have jobs because of spammers and computer infections?
The Kruger Dunning explains most post on
You consider virus writers to be part of the "computer community"? Like rapist are part of the "dating community" and burglars are part of the "domestic community"?
Ceci n'est pas une signature
Because someone who didn't know better opened the attachment.
I've been getting delivery failure e-mails over the last few days because my e-mail addy is in their address book. And believe you me, I checked every conceivable virus scanner on the web.
The specific worm in question is Worm.SomeFool.Gen-2 , according to the last dozen or so messages.
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
I hate Norton and Mcafee because they each run like 6 different processes when the system boots up. Who needs a virus when they have an anti-virus utility that causes more load and overhead than everything else combined. Not to mention their scare tactics to get people to spend more money. I think AVG and AVPE are fine solutions, just most people don't know they exist.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
What truely surprises me is the fact that this is the 19th incarnation of the Netsky virus, and the can be really quite revealing about how much "Joe and Jane Blow" really try to protect their computer, even after all the repeated assaults from multiple virii in recent times. I am sure some blinded, elitist geeks out there will point out that 'Joe and Jane Blow are too stupid so they get loads of virii instead of moving to Linux' before moving to the next discussion whih can sprout a pro-Linux, anti-Microsoft thread. Believe me, I do know a lot of Joe and Jane Blows, and if you do not then simply forget about your elitist argument, because for the most part they are not simple or stupid. They want to surf the Internet, check their e-mail, play some games and perhaps download music -- they do not want to program a database engine, do not own a Linux box for a hobby, do not start counting lists from '0' and think anyone who thinks learning Pi should perhaps see a doctor.
So, they ask you for help because they think they have a virus or are feeling a slowdown. You do everything they should have done, that is install Ad-Aware, update it, scan for spyware -- and find some truckload of the bloatware eating up disk and registry space (and I'm not going to start on the RAM). That done, you download AVG Grisoft, update it, scan for virii -- and find several hundred files contaminated by virii, and that is quite a lot to clean up. Finally, you install a firewall -- preferably ZoneAlarm or Kerio Personal Firewall -- and set it up for them, so no more Blasters et al sneaking through some obscure system ports. The best option, on the long term at least, is to be sure to install a firewall with preconfigured program access rights (and I think Kerio Personal Firewall has this feature), and I shall tell you why: it may seem simple for any of us to simply check a checkbox for the firewall to remember to allow Half-Life Launcher to attack the Internet, and I truely thought this was the case for anybody -- after all, all the firewall does is ask a simple question, at least what seems like a simple question for most of us. Then, my grandma, who has barely touched a computer all her life, tried the new one she had bought to have a pastime during her six weeks' inability to walk. And the result was pretty surprising, to say the least. A new icon on the desktop, or even a pop-up, can get her panicking. So can you imagine this kind of non-techie, new user getting a firewall pop-up every minute for every program this user launches? This is why a preconfigured program access rights list is something good to have.
Of course, anyone can go without an antivirus by simply installing a firewall and knowing what comes in their e-mail -- or, for those who grasp the technology a bit more, just block the ports manually; but Joe and Jane Blow have much more simple needs and don't want to have to learn loads of techniques simply to avoid virii and spyware, malware which they do not notice most of the time. In my opinion, the best way to prepare Mr. and Mrs. Blow against all this malware is to set up their software so at best, they can surf around and write emails totally unconscious of this protection, since in this case the software updates itself and does its job automatically. You can also give the user further tools against malware, such as replacing their browser and e-mail clients with Mozilla/Firefox and Eudora or Thunderbird. You should also set them simple guidelines, such as to always refuse anything whatsoever from a source they do not trust. Try and get them to buy commercial software (Norton Internet Security or McAfee Internet Security) as in general it offers better protection and a bit more tools that shall make everyone a happy bunny. Joe and Jane Blow want to know that they are protected against virii and spyware, but do not want to know how, and you'd be rather stubborn to get, what in their opinion is an extra worry, on the
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect" -- Linus Torval
That is my question and one have to answer that before one start bashing clueless users. In my opinion every OS out there should be as secure as possible out of the box. I dont like how windows has every feature known to man on by default as little as i like how linux dists keep having deamons started by default. The OS should be locked down and demand user intervention to be opened up. Not that it should be difficult to start things, thats not the goal. The goal should be that the user is not supposed to secure the machine they use, it should be secure by default and then opened up by the user if that is demanded.
As linux becomes more used by newbs who hasnd any interest in locking it down it should be as secure as possible by default. That way if the box get hacked because of bad settings you can atleast put the blame on the one unsecuring it. Blaming a user who just installed it and never secured it is impossible and doesnt fly, thats why i dont listen to the people who say "they should have installed whatnot". Thats what the OS should do, provide basic services like security etc. If an OS demand an antivirus addon and adaware and things, maybe something is wrong in the OS?
I hope linux gets proactive and riddens itself of the same bad decisions as MS have done. Dont trust the user to secure things bacause we have seen in the case of MS Windows that thats not going to happen.
HTTP/1.1 400
Great explanation of just how irresponsible certain software manfacturers are being.
Are lot of the reply's you're getting are in the vein of:
"But you don't have to agree to the EULA"
and "What about OSS"
Okay guys, here's the difference:
A MS EULA is like me going out, buying a house, and after closing on the house I come home to find a big sticker on the door that says,
"by breaking this seal you agree to the following terms:
-You do not really own this house, you're actually leasing it from us.
-We are not responsible if this house turns out to have numerous major problems that we didn't tell you about.
-You may only use this house for purposes X, Y and Z, any other use is strictly prohibited.
-etc, etc, etc
It's clearly stupid and not a legally binding contract. I can rip that sticker of my door without a worry in the world. The same needs to be true for software.
A good example is disclaiming any and all warranty:
This needs to be done BEFORE I give you my money.
It's like a car manufacturer trying to sell a new car with absolutely no warranty by sticking a note in the glovebox when you're driving it off the lot.
The deal is already done. The note means nothing. The manufacturer is still responsible for all normal, implied warranties.
Now what about OSS?
First off, I'm going to talk only about the GPL. (Other liscenses are typically very similar.)
Now the key thing is that there are some very big differences with GPL'ed software:
1) It's free. Free things are typically not legally required or assumed to carry warranties. There also don't seem to be many laws about disclaiming liability when I give you something for free. There's nothing that says the item must be provided in any form other than "as-is", unlike commercial/retail sales. I can give you a car with rusted out brakes for free and not have to fix them for you. If I was a car dealer, charging you money, I might have to fix those brakes (unless there was some agreement made about them at time of sale).
2) The GPL is not a EULA. You do not have to agree to the GPL to use a GPL'ed program. A lot of people have trouble understanding this one. There are even programmers who make the GPL pop up when you run their program and force you the check "I agree". These people are all wrong. The GPL only governs redistribution. As such, it's not trying to get rid of any rights that you would normally have. In order to gain a right that you wouldn't normally have (redistribution of someone else's copyrighted work), you must agree that this new right is subject to a set of conditions. If you do not agree, you do not get those rights, not because to GPL says you don't, but because copyright law says you may not redistribute other's work without their permission.
Life is too short to proofread.