Evaman Worm Attacks Email Servers

An anonymous reader writes "CoolTechZone is reporting that the mail servers of various popular email services such as Hotmail and Yahoo to be bogged down with a new worm, code-named Evaman. The headings are common to the ones users encounter everyday in their inbox - "Failed Transaction" or "Delivery Failure". This worm has the potential to take control over Windows 95, 98, ME, 2000, XP, NT, and Windows Server 2003."

Sweet Zombie Jesus

[linzeal]

This is not a Microsoft exploit, just a trojan that targets MS products. What is the world coming to when I can't get my machine rooted without the work of logging into a free email service to check my pr0n mail?

Re:Sweet Zombie Jesus

[sploo22]

Not only that, but despite the headline, it doesn't attack the email servers in any way whatsoever, other than sending itself through them like every other email worm.

Re:Sweet Zombie Jesus

[ComaVN]

What's more, I'm pretty sure it's not a worn, but a worm. Sheesh, didn't the submitter get ANYTHING right?

Re:Sweet Zombie Jesus

[brunokummel]

..well im not so sure about that since a DoS is a form of attack.
Consider the following situation:
1- one user logs into his mail server and naively executes britneynaked.gif.exe and starts spreading the worm to all of his contacts.
2- now, if all users that receive the worm do the same thing, the serve will start to bog his way down.
3- Some users will not be able to connect to the server since it is to busy processing millions of worms going back and forth.
4- The server has ben attacked.

All worms are potentially dangerous to servers!

Re:Sweet Zombie Jesus

4- The server has ben attacked.

That must be awful for Ben. . .

Re:Sweet Zombie Jesus

[StormReaver]

"This is not a Microsoft exploit, just a trojan that targets MS products."

That isn't the best logic I've ever read.

The trojan worm (new term, I know; get over it) targets a Microsoft application, which encourages malware distribution through a well known entry vector caused by a well known defective Microsoft design, running on a Microsoft operating system. How exactly is this not a Microsoft exploit?

Re:Sweet Zombie Jesus

[G-funk]

If it requires a user to run an executable they get in their email, then it's not a microsoft exploit. It's a dumb user exploit. Just because said dumb user is running microsoft software, doesn't make it their fault.

Better Version

[BenBenBen]

If you want the Symantec release re-written by someone who knows what they're talking about, look here.

"Evaman occupies a false email address" doesn't fill me with respect for CoolTechZone's credentials.

Re:Better Version

[pedantic+bore]

They lost me in the first paragraph, with "a new worn" In fact the English is uniformly stilted throughout.

Upon more investigation -- noting that every article on the page is written by the same person, and that person is the person who registered the domain, and nearly every article contains the same info (and sometimes the same text) as available from other widely known sources -- I wonder whether this site exists only to generate ad revenues from people who trip over it. Well, thanks to SlashDot, it's payday for Mr. Hora.

Re:Better Version

[darkmeridian]

The trojan horse uses a false email address to generate messages with the usual attachment that carries the code. If users are dumb enough to open the attachment, their PC will be turned into a zombie sending out dozens of new messages.

Oh, the utter disdain for the end-user. The Inquirer *must* know what they are talking about!

Re:Better Version

[node+3]

They lost me in the first paragraph, with "a new worn"

They meant "a new worm".

Hope that helps.

Re:Better Version

[pedantic+bore]

What I meant is that they lost my attention after they failed to proofread their lead paragraph.

Hope that helps.

Re:Better Version

For a pedantic bore, you don't have much of a sense of humour.

Re:Better Version

[RevDobbs]

Don't be so pedantic, the guy was being funny.

Oh, wait...

Re:Better Version

i cant belive u r giving us the link to The INQ. everyone knows tht site cant be trust for anything except gossips. wht a stupid link.

Re:Better Version

ah, and here I thought it was that elusive "Write Once, Read Never" technology...

Re:Better Version

I think they meant "a newly worn"...

HTH,

Tels

Re:but not me

[it0]

Why are you laughing you don't get email?

A clearer description of Evaman

[ofdm]

Rather than reading a journalists munged interpretation of what Symantec said, you can look at Symatec's original statement

been getting a lot of these for a few days now

[chegosaurus]

Also been seeing lots of those "MS Security Update" mails too. Anyone know if the two are related?

Re:been getting a lot of these for a few days now

[isorox]

Yes, microsoft have helpfully emailed the patch to all it's customers, all you need to do is run the program and you'll be safe.

Re:been getting a lot of these for a few days now

[FireFury03]

You mean they're not really security updates? bugger - I just installed 5 of them. :)

Re:been getting a lot of these for a few days now

[bairy]

The MS Security update crap has been going around for probably close to a year now. I don't know why the servers don't just put a filter on them as they're a standard size and contain exactly the same text (apart from the year). But nah, the two probably aren't related.

As for the MS one, it's certainly a bugger. At one point I was getting 15 of them an hour.

So, windows is affected by a worm?

[thenextpresident]

Again...can't be just start posting a weekly news post on /. to the affect of "Somewhere, someone created another virus for Windows?" Wouldn't that be equally effective, and still truthful?

I just can't wait to read the posts from the Window's defenders who claim to have never gotten a virus, and never suffered a problem with Windows. Right...sure. I'll believe that when DNF comes out.

Re:So, windows is affected by a worm?

I have never been afflicted by a virus while running MS Windows. But I'm very careful : I use Mozilla and/or Fire(bird|fox). Using MS products is like walking on thin ice. I guess I've been lucky so far.

Re:So, windows is affected by a worm?

When I had Windows 98, I never had a virus. It was before I was connected to the internet. Then I asked for a DSL connection and BEFORE I got connected, I installed Linux and removed Windows forever!

Re:So, windows is affected by a worm?

[darkmeridian]

I run XP extensively because SofTest and TimeMatters isn't available for Linux yet. = ) I have never been directly infected by a worm or virus because I have Windows Update automatically update itself every week, as well as LiveUpdate for Symantec 2004.

The truth is that the OS is only as safe as the user. The people using Linux are that much more advanced than those using Windows, so that is why there aren't that many Linux bugs (as well as the marketshare argument.)

Yes, Linux is more secure by design, but Debian had its server rooted a few months ago, didn't they? And they presumably know what they are doing.

It's kind of like driving a car. You can buy the safest car on the road, but if you are going to change lanes without checking out your blind spot, well, it doesn't matter, does it?

Re:So, windows is affected by a worm?

[thebes]

C'mon mods. This is not interesting or insightful. This is at best flamebait. If a Windows user replaced Window's (which by the way, is not punctuated correctly) with Linux, this would be marked flamebait.

At least don't let it get more points than it already has.

Re:So, windows is affected by a worm?

[thegrommit]

Again...can't be just start posting a weekly news post on /. to the affect of "Somewhere, someone created another virus for Windows?" Wouldn't that be equally effective, and still truthful?

Getting the news out in a timely manner is better than leaving people exposed. If you're not interested, you can always uncheck that slashbox labelled "security". After all, you're using Linux? Right?

Having said that, Symantec have the gory details.

Re:So, windows is affected by a worm?

[kahei]

Well, I don't see myself as a 'Windows Defender' but I've never gotten a virus/worm/trojan on windows, and I _do_ use IE, for many years, on many machines, on many kinds of network.

There is some sort of parallel 'windows world' in which all windows machines are worm-riddled and uptimes are measured in days if not hours and commercial software randomly crashes and free software is not available, and clearly a number of slashdotters live there. But there's also the rest of the world in which windows stuff mostly is available and works.

Disclaimer: The firewall remains the most important part of a network :)

Re:So, windows is affected by a worm?

Ha! I've never had a virus, and I've been running Windows since Windows for Workgroups 3.11. Ha! Windows Rules!

Re:So, windows is affected by a worm?

[SpooForBrains]

The truth is that the OS is only as safe as the user. The people using Linux are that much more advanced than those using Windows

I'm not so sure about that. Been to #linux on any of the big three networks lately?

Re:So, windows is affected by a worm?

[isorox]

as well as the marketshare argument.

Which falls flat on its face when you compare IIS and Apache

Re:So, windows is affected by a worm?

[Gaima]

Again...can't be just start posting a weekly news post on /. to the affect of "Somewhere, someone created another virus for Windows?" Wouldn't that be equally effective, and still truthful?

Not that you were actually saying /. *shouldn't* post articles about new worm/viruses, but I for one hope the editors continue to do so.

Quite a simple reason really, I'm too lazy/busy to check anti-virus sites to get a heads up on what's happening, but I do read /. almost religiously :)

Re:So, windows is affected by a worm?

[shish]

I hate windows, and I've never had a virus :/

I use the windows kernel when I have to (98, in this case), but then I have firefox, apache, thunderbird & openoffice running on it; When someone sends me an email saying "ZOMG!!! RUNING TIHS PROGGY W1LL 3NLARGE UR PENIS!!!!! [attached, penis.exe]", I don't run it, and I'm fine...

Re:So, windows is affected by a worm?

I've never had a virus on my Win95, Win98, or Win2000 box. All it takes to avoid most infections is the intelligence of spoon.

Use Mozilla, install updates, use an anti-virus if you'd like, and if you use broadband get a good router. By no means is it perfect security, but all 4 of the machines in my house have either Windows 2000, or Windows XP on them. Never had an issue yet.

Sure, Windows has it's problems, but so does Linux. I'd rather have ease of use for my everyday use computers, which Linux is still lacking in my opinion.

So as you sit there criticizing those who defend Windows, we sit here seeing you as yet another Slashdot moron with nothing but 'witty' insults to contribute.

Re:So, windows is affected by a worm?

[DrSkwid]

I'm not a defender but I have never had a windows virus or any significant problems with windows. I've been using it since version 2 through to XP and been a windows 3.1/NT developer.

Statistically, motorbikes are dangerous to ride but I know motorcyclists who have never had an accident.

Believe what you like but it is just predjudice.

Re:So, windows is affected by a worm?

[FireFury03]

It's kinda sad though that you've been infected by the time you managed to download the security update...

I've got an idea - Microsoft can start letting the magazines ship the patches on cover CDs again... or even better - they should be legally required to ship a CD containing the patches to every registered user.

Re:So, windows is affected by a worm?

[darkmeridian]

IIS and Apache are administered, hopefully, by IT professionals. In these situations, we can see the "greatness" of the software. But with Linux systems run by "end-lusers", there will be more worms and viruses in Linux than we now see because these people are not patching their software.

Re:So, windows is affected by a worm?

[fcw]

Statistically, motorbikes are dangerous to ride but I know motorcyclists who have never had an accident.

Well, I have several friends who ride motorbikes, and most of them have been in an accident that wasn't their fault (according to the police), where their bike was wrecked, and where they required hospital treatment and surgery.

So while, like you, I can say that I know bikers who haven't been in an accident, my friends' experience doesn't encourage me to ride a motorbike myself.

Re:So, windows is affected by a worm?

[darkmeridian]

I always enable the ICF firewall that comes with WinXP, update, reboot, update, reboot...repeat as necessary and then disable the firewall. Never got infected this way.

Then I realized that I could download all the updates, and then chain them together in one batch file and then pull them off the server which is behind a real firewall (not just a NAT). When I install, I just filter off the new computers (no Internet access for you!) and then install the patches. Works much slicker and you can simply update the central server.

Re:So, windows is affected by a worm?

The firewall remains the most important part of a network

Thanks to Internet Explorer and Outlook, your firewall doesn't mean squat anymore. Viruses and malware abound, ready to perform a drive-by infection that your firewall can't stop. A firewall will only stop a virus spreading after it has infected you. There are stil destructive viruses out there that will damage your data, and your firewall will not help you.

Of course if you don't use Internet Explorer or Outlook, keep Windows Update running 24/7, regularly update your AVS and firewall software, run AdAware at least once a week...you stand a chance of not being infected. With the speed that some viruses spread though, waiting 6 hours for your AVS company to issue an updated definitions file might be too late.

Re:So, windows is affected by a worm?

[FireFury03]

Seems strangely like far too much work to me.

Re:So, windows is affected by a worm?

[darkmeridian]

Then you can enable the automatic update service. I am a little bit more paranoid than most because these upgrades may break production systems, but should be no problem for home end-users.

Any system administration is going to need some work. It's like, a half-hour a week, at most. Like emerging sync with Linux...

Re:So, windows is affected by a worm?

>> as well as the marketshare argument.
>>
> Which falls flat on its face when you compare
> IIS and Apache

Which itself falls flat on its face when one realizes that "Apache" refers to two major forks that run on a wide variety of systems on a wide variety of operating systems. When one says "Apache" it refers to a collection of hundreds if not thousands of different variations. When one refers to "IIS" they're refering to one of two possible versions that all run on the same platforms (x86) and the same OS (W2K or W2K3).

So as you can see the "Apache versus IIS" rebuttle if specious at best.

Re:So, windows is affected by a worm?

...The truth is that the OS is only as safe as the user. The people using Linux are that much more advanced than those using Windows, so that is why there aren't that many Linux bugs (as well as the marketshare argument.)...

Actually no, I work with lots of people with little tech knowledge who do not get viruses because they use Macs. You can argue all day about whether Macs have no viruses because they are inherently secure or because they have small market share. The fact remains, there are no known viruses for Mac OSX.

Re:So, windows is affected by a worm?

[Wtcher]

I don't know about you, but I run Windows (2000 these days), keep it updated, I recently installed a firewall, I use Firefox instead of IE, I use Pegasus Mail and occasionally run Ad-Aware. Also, I haven't had a virus scanner installed since 1999.

I've never had a problem with a viral infection (although I admit Blaster scared me). I ran an online virus checker - twice - in the past month, and it found nothing despite my never having used it before on my personal desktop system(s). I guess I'm just incredibly lucky or something, right? ;p

Windows isn't a blackhole for viruses as some people like to overemphasize it as. Windows is a blackhole for people who do silly things like run ridiculous software or click on attachments when they shouldn't.

Re:So, windows is affected by a worm?

[Spl0it]

Your virus free? worm free? how bout adware and spyware I'd bet money you have some! http://www.earthlink.net/spyaudit Let us know how things are.
Planning a full switch to linux after being emailed about mono this morning! :)

Re:So, windows is affected by a worm?

I love linux, but still, what you say is true. One argument (that may be reversed with XP sp2) is that a default install of linux is far more secure than a default install of any Windows platform.

Of course in reality any server can be cracked, and any software on any system can end up having vulnerabilities that require patching.

But you don't see my mom, who's using linux, fighting off a torrent of adware-generated pop-ups, Windows Messenger spam, viruses, and worms. Her web browser is far more secure than IE, her e-mail client doesn't auto-run viral script, and even if she opens an unknown Word document, AbiWord isn't going to let it infect her computer. Worst case, even if she did run a viral program manually, the worst it can hose is her home directory. It's much more pleasant to set up a single user again, rather than having to do a full system reinstall.

So yeah, what i was getting at is that a well-configured system should do OK regardless of what operating system it is on. It just so happens that Windows is very vulnerable to viruses on a default install, as is most other commonly used Microsoft software (IE, Word, Outlook). You don't see such gaping holes in other software products, not even for Windows (Firefox, Abiword, Thunderbird, all available for windows).

Re:So, windows is affected by a worm?

[thinkninja]

Uh huh.

It's not kind of like driving a car. Other drivers don't crash into you just because you're driving a Punto. No one releases huge robots on to the highways that are programmed to crush Fords, then make new Ford crushing robots out of the scrap.

Car analogies suck.

Debian Investigation Report

This was an attack by mounted by an actual blackhat...who initally sniffed a password. The operating system is irrelevant if your password is stolen.

So, yeah, that was a human error exploited by an unscrupulous individual but do you leave your house unlocked because only theives would break in anyway? It's best not to tempt people.

And, again, that analogy sucks too.

It's more like innoculization. You're protecting yourself against the most common diseases (0-day Windows exploits). Yeah, it's not much good if someone decides to break your legs with a baseball bat or you have unprotected sex -- and the shot can be painful -- but, on balance, it's better for you.

Or something. What do I care for your 'health' anyway?

Re:So, windows is affected by a worm?

[wkitchen]

... or even better - they should be legally required to ship a CD containing the patches to every registered user.

Be careful what you wish for. MS itself might back such a law if they can be sure that anyone distributing a free OS is forced to meet the same requirement. Bye-bye free Linux downloads and cheap Linux CDs.

Re:So, windows is affected by a worm?

[FireFury03]

I haven't paid for Linux, infact I didn't even get any CDs from a shop - I downloaded it over BitTorrent - I don't expect any service level. If I had spent over a hundred pounds (sometimes several thousand) for a product I would expect some kind of service level.

Re:So, windows is affected by a worm?

So I should install this 200K program and trust that EARTHLINK won't install spyware?

Re:So, windows is affected by a worm?

[SillyNickName4me]

> Be careful what you wish for. MS itself might back such a law if they can be sure that anyone distributing a free OS is forced to meet the same requirement. Bye-bye free Linux

Hmm, when you 'buy' a Microsoft product, you in fact buy certain very limited rights with regards to usage of a piece of their software, some level of support and depending on your contract, a distribution medium. The license functions as a form of contract here.

When you buy a Linux CD, you do not buy any 'rights', you merely buy a distribution medium possibly including some level of support.
The mostly unrestricted rights you get are due to a license that merely gives the person you buy the CD from the right to sell you that CD, this license is however not a form of contract between you and the provider of the software.

You'd have to make a very warped bit of law to let such a requirement apply to both.

Re:So, windows is affected by a worm?

[Wolfrider]

> It's kinda sad though that you've been infected by the time you managed to download the security update...

--It's not "kinda sad" - it's completely unacceptable! Especially considering that the only "easy" way to download the updates is by using Winblows Exploder!!**

** Windows Explorer, but I'm kinda PO'd. :P

Re:So, windows is affected by a worm?

[ChilyWily]

Well I agree and disagree with your post :)

I agree that informed users who look before they click are much better off than the ones who will install crap without a clue.

On the other hand, there _definitely_ is a parallel world of worm infested windows boxes - e.g., A friend of mine shared his laptop with his significant other - within a week she had installed useless screen savers, crappy 'instant messengers' and a whole boat load of unidentifiable crap - An ad-aware scan revealed 140 spam/spyware bots alone!

But apart from that windows itself is pretty fragile - deviate (or wish to deviate) off the windows 'wizard' model of configuration and you're bound to get hosed. A good example of this is trying to turn off those useless services that windows has on by default - then see how stable windows is without them.

If you stay within the windows 'user experience' and have a sharp IT group or are in the know yourself then you'll be stable - but then one has to wonder, is that really a reflection on windows being 'more' stable or just the user being less capable and more paranoid?

Re:So, windows is affected by a worm?

[isorox]

Well diversity is what you get with open source, no one suggests eveyone should run just linux, or just bsd, or just exim or just sendmail or whatever.

Point is there are more holes per installation in IIS then in apache 2.0.4 with linux 2.4.24, or other combinations of open source software. Whether this is because of a monogenus attitude or shoddy programming is irelevent

Re:So, windows is affected by a worm?

[badriram]

which again falls falt when you compare IIS6 and Apache 2. with IIS6 having no holes, and Apache2 having, well look it up yourself. http://www.apacheweek.com/features/security-20

Re:So, windows is affected by a worm?

[Geoffreyerffoeg]

We've got a firewall, NAT, and HTTP content filter (blocka IE malware) at the school board office, and it works well. I think the last time my computer science teacher's NT server went down is when she hit the wrong button on her UPS.

Maybe two or three machines run Linux, and a couple are ancient beige Macs not yet found by the phaser-outers. Our web page even uses old IIS. There have only been a few viruses as far as I saw, and all of them easily containable.

Re:So, windows is affected by a worm?

[kahei]

Hrm, so because I may have spyware I should download and run a random 200k program off the web :)

I tried it on a sandbox machine (fresh install) and it said the machine had some spyware that was only named with random hex numbers -- perhaps Earthlink are being less than direct with us in some way.

Hype

[Lumpish+Scholar]

The article says, "The security firm, Symantec, has given this worm a critical warning and states that this worm could be as as dangerous as the MyDoom virus." Funny, Symantec's description isn't nearly so dire: "Threat containment: Easy; Removal: Moderate."

Re:but not me

[linuxpyro]

It's a good feeling. I too don't rely on XP much, now that my main workstation just runs Fedora Core 1 (and has, as a matter of fact, never run Windows except inside of VMware a few times). What I worry about is the mail server I'm running off of my cable modem. It's a Linux box too, but my ISP leaves port 25 open (even after blocking port 80), and the last thing I need is for them to start putting the axe on more ports...

Re:but not me

[Pharmboy]

um, since the new bug is likely to take over windows operating systems (per the article), and I finally migrated over fully to Linux here at work on Friday, its not going to affect ME. Screw everyone else ;)

Also, I run my own mail servers, so I can filter out most of the bugs for the other users on this network.

Low Profile According to McAfee...

[pdaoust007]

Some good additional available here

Great ad campaign.

[Gordon+Bennett]

Microsoft will do anything to get in the news :oP

Not to worry...

[ObsessiveMathsFreak]

We should be OK. The virus requires people to open the attachement on the mail in order for it to work. So unless people are stupid enough to open attachements after we've been telling them for years and years and after countless virus plauges not to we should all be fine... .......

Oh God!! We're all DOOOOOMED!!!!!

Re:Not to worry...

[xmple]

so true, I just have to keep telling my parents NOT to open those e-mail attachments, but do they listen, NO...

"But it is from someone I know, how could it be dangerous?"

sigh

Re:Not to worry...

hey!
be nice to the idiots^H^H^H^H^H^Husers!

Re:Not to worry...

Do not worry, no matter how many times someone says "Do not, under any circumstances, open an attachment from somebody you do not know," people will still do it. Perhaps there is no sense in telling people this if they are unwilling to listen to such advisories.

Re:Not to worry...

[EzInKy]

hey!
be nice to the idiots^H^H^H^H^H^Husers!

That's right! If only idiot lusers would quit using computers programmers and technicians would have no problems at all.

Re:Not to worry...

[bairy]

Perhaps what we should do is the opposite.
Tell them to open every single attachment ever invented, even if it's named ThisIsAVirus.exe .. that way they get virused quicker and might finally learn the hard way.. but at least they'll learn, well, hopefully.

(note: this is a joke)

Re:Not to worry...

[Dreadlord]

So unless people are stupid enough to open attachements after we've been telling them for years and years and after countless virus plauges not to we should all be fine

You must be new here...

NetSky and MyDoom both require people to open attachments.

Re:Not to worry...

[Tony-A]

"But it is from someone I know, how could it be dangerous?"

If I'm going to send out something bad, I'm not going to put my name on it. I'm going to put your name on it.

you forgot some

[rozz]

This worm has the potential to take control over Windows 95, 98, ME, 2000, XP, NT, and Windows Server 2003.

i'm using Windows 3.1, you insensitive clod.

Re:you forgot some

[StarWreck]

I'm using Windows 1.4 you insensitive clod!! *Attempt to open Paint followed by crash and ear-piercing beeping* AAAAAH!!

Re:you forgot some

This worm has the potential to take control over Windows 95, 98, ME, 2000, XP, NT, and Windows Server 2003.

I prefer to be explicit when telling people which software it affects.

This worm has the potential to take control over Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows NT, and Microsoft Windows Server 2003.

You see my point?

Can anybody tell me why executing programs people send you by email is a desirable feature anyway? Which users does it actually benefit? It seems to me there are more users that would benefit from ancient Egyptian heiroglyphic spell-checking than executing programs recieved via email without having to save them and mark them as executable first.

Re:you forgot some

[mobby_6kl]

From Symantec Security Response:

Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x

You are safe, for now. =)

Re:you forgot some

[TubeSteak]

It seems to me there are more users that would benefit from ancient Egyptian heiroglyphic spell-checking

Those aren't hieroglyphics* they're called Wingdings and yes, Microsoft Word (and Open Office I'd imagine) will both spellcheck it for you.

*(you switched the ie with ei, but close)

Re:you forgot some

[DrEldarion]

Phew, I'm safe. I'm using MS-DOS 5.0

Nothing to see here, time to get back to editing autoexec.bat and config.sys to try and eek out another couple K of conventional memory...

Re:you forgot some

[NaDrew]

Nothing to see here, time to get back to editing autoexec.bat and config.sys to try and eek out another couple K of conventional memory...

What, you're not using QEMM? Just tell me you're not doing MemMaker, for god's sake...

((very) ex-QDeck Tech Support)

Re:you forgot some

I was a conventional memory guru in my day. I think my best was around 625K free with all drivers (mouse, CD-ROM) loaded. Done by hand.

Oh the memories of LH and himem.sys and B000-B7FF.

Re:you forgot some

[MikeDX]

Ah, I'm safe then, I'm using office 97

Re:you forgot some

[RetroGeek]

Novell Netware

Which is really quite funny, as NO ONE uses Netware as a client. This is a Network Operating System and AFAIK has no email client.

Who wants to use a server as a workstation anyways?

A great little twist

[foidulus]

is that the mail(at least the variant that I receieved) has a fake little message about the attatchment being scanned for viruses. Are people that gullible and/or stupid? I would hope people would be smart enough to realize that it's really easy to type a message saying that something has been scanned for viruses.
Ugh, it's not even like you have to be computer savvy to figure these things out. Do people open their houses to random drifters who say they work for the city and need to do some work without at least checking for ID?
Actually, yeah, they do, oy.,,what a world...

Re:A great little twist

[Halo1]

Many people are like that. One day, my landlady thought I had missed a payment. She called me and when I told her I just checked using the online interface to my bank account that the payment was really made, she asked me to print a copy of the receipts as "proof". Simply the date of the transfer was not enough for some reason.

It took me quite a while to explain to her that I could save the html ("But surely you can't edit the web pages of your bank, can you?"), type in anything I wanted to, print it and send it to her. After I went through all this trouble to explain how I could cheat her, she seemed to assume I was telling the truth and that I did pay it.

Re:A great little twist

[rasjani]

Writing email saying its been virus checked is just a simple form of "Social Engineering" ...

Re:A great little twist

[Bobb+Sledd]

Well, there is always some way you can cheat. You could print phony receipts, you could forge a bank statement... but what matters is that every business transaction you make involves some level of trust. You trust that when you pump gas in your car that it isn't water, and the guy at the counter trusts that the credit card is yours and that is really your ID (if he checks it). I don't think it's necesssarily a bad thing, either. I think a healthy society needs to be able to trust each other.

Re:A great little twist

[Sycraft-fu]

And man does SE work well. I remember one of the worms receantly that claimed to be from computer support, or something of the like. Man did we get a lot of people fall for that one. Each time we asked them if we EVER told them to run things through e-mail. Of course we never do, if we need something run on a system, we walk ourselves over there and run it. However they'd claim "well I though maybe you changed how you do things".

I was amazed at how effective this bit of SE was, espically since we support a university CE department, meaning we are literally supporting peopel with PhDs in computers.

Re:A great little twist

I think a healthy society needs to be able to trust each other.

No, a healthy society adheres to the "trust, but verify" principle.

Which is why we have things like double-entry bookkeeping, audit trails, and alternate forms of identification / authentication.

Re:A great little twist

Well, that's just because you are geek and aren't in touch with reality. Welcome, hope you enjoy your (short) stay.

Re:A great little twist

[Gogo+Dodo]

That isn't a new twist. It's been done before by one of the Netsky or Bagle variants if I remember right.

Wow.. monday already?

[TheLoneCabbage]

This would be the windows catastrophie of the week huh?

Can someone please, please, please write a decent Unix worm so we can get some interesting headlines?

And don't tell me it's just because MS is a bigger target. Linux runs between 35%-40% of the worlds servers (and more than that if your only counting the DMZd webservers). It's the code stupid.

Re:Wow.. monday already?

No - Windows runs most of the *desktops* though in the world. This virus targets the actual desktop machine, not the server at all.

Re:Wow.. monday already?

[FireFury03]

Please don't give them ideas...

Re:Wow.. monday already?

[OneDeeTenTee]

It's the code stupid.

It's the administration also.

People who know what they are doing have few problems with windows viruses, worms, and whatnot on thier personal machines.

There are far more unwary people running windows than there are unwary people runing Linux.

Re: Wow.. monday already?

[Black+Parrot]

> This would be the windows catastrophie of the week huh?

It's only Monday; let's wait a few days before deciding.

Re:Wow.. monday already?

And don't tell me it's just because MS is a bigger target. Linux runs between 35%-40% of the worlds servers

This vulnerability essentially targets end user systems. Hopefully people aren't using server systems to read e-mail. But then I wouldn't expect people to continue opening e-mail attachments either.

Re:Wow.. monday already?

[Richard_at_work]

And don't tell me it's just because MS is a bigger target. Linux runs between 35%-40% of the worlds servers

Yes SERVERS. Servers dont tend to have stupid users with email clients on them running whatever they are told to by the email message, which is exactly how this (and many before it) spread. Thats the difference here.

(Yes I know Linux is more proactively secure, but its security still doesnt protect from user stupidity. And before anyone says that users wouldnt be stupid to chmod permissions or untar a tgz with permissions retained, think about the recent worm that required users to enter a freaking password to unzip and run it. That one got around fairly well.)

Re:Wow.. monday already?

Heh. Windows catastrophe of the week versus Unix catastrophe of the decade.

Re:Wow.. monday already?

[gmuslera]

So? The Witty worm exploited a vulnerability in some particular vendor commercial firewall, with only those computers infected made enough trouble, and made into headlines. And probably there are more linux users (or if you want, more mandrake, suse, debian or redhat. pick just one distribution) than users of that particular firewall

Re:Wow.. monday already?

[pandrijeczko]

Can someone please, please, please write a decent Unix worm so we can get some interesting headlines?

If you're going to attack UNIX/Linux insecurities, please do some homework first.

1. If someone writes a worm virus, it has to spread via an insecurity in a very specific application.
In Windows, most people run an Outlook-engine-based email client and/or probably have IE installed (because MS bundles it with the OS)- those are points of attack for worms particularly with ActiveX, VB Macros, etc.
Perhaps you would like to tell me what single application is run on 95% of the world's UNIX/Linux boxes that becomes a similar point of attack for a UNIX worm?
Answer: None. Apache web server is probably the most common cross-UNIX app, it gets run on servers but generally not on desktops - that's the closest you'll get.

2. If you're a sensible UNIX sysadmin, then you never run any Internet services as the root user anyway. (This is not the same as in Windows where many apps have full system access whenever they need it.)
Therefore, even if a worm or virus exploits a UNIX box, it'll get in and do limited damage at a user - but it still needs root access to do real damage.

Just so I'm not seen to be biased, here's how you attack a UNIX box:

1. Port scan it to find what services it is running.

2. Interrogate it further to find out what versions of FTP, web, email, etc servers it runs.

3. Work out an exploit that does a buffer overflow against one of those specific daemon versions and get to a shell prompt. If it was running as "root" you then have a root shell and you can do what you like...

Sure, UNIX and Linux have insecurities but attacks on those OSes are always localised and targetted at very specific applications running on very specific servers. That's the difference...

Re:Wow.. monday already?

[pandrijeczko]

Heh. Windows catastrophe of the week versus Unix catastrophe of the decade.

Hmmm. 1988, huh? That would have been before the proper commercialisation of the Internet when mainly military and university machines were on the ARPANet network. A time when most machines were VAXes, running very specific versions of VMS where servers were not really secured anyway because everyone trusted each other.

Oh, and Robert Morris was not an intruder on that network but a user within that network...

It's a credit to UNIX the fact that the only occasion people can recall a UNIX work was 16 years ago!!!

Re:Wow.. monday already?

[drsmithy]

Can someone please, please, please write a decent Unix worm so we can get some interesting headlines?

First we need a sufficient concentration of dumb/ignorant users on Unix - easily 5 years away.

And don't tell me it's just because MS is a bigger target. Linux runs between 35%-40% of the worlds servers (and more than that if your only counting the DMZd webservers). It's the code stupid.

35 - 40% of the world's servers (which sounds ridiculously high, but anyway) is still an insignificant proportion of all the computers out there. Not to mention a server is the *least* likely machine to be targeted or exploited.

Re:Wow.. monday already?

[TheLink]

"Perhaps you would like to tell me what single application is run on 95% of the world's UNIX/Linux boxes that becomes a similar point of attack for a UNIX worm?"

Actually the worms are mainly exploiting human ignorance and stupidity not Windows or MS stuff.

It's a _fact_ that MANY windows users were actually willing to _unzip_ a password encrypted worm and then run it, means that the corresponding apps for Linux could be: tar, gunzip and make. Anyway, most Linux and *BSD systems have sshd running, and openssh has not had such a great track record itself.

Heck, an obfuscated perl script that does something clever in addition to spreading itself would work too.

Most people are ignorant of these sort of things and you can't expect them not to be. And there's plenty of stupid people around too.

Most other popular O/Ses would be JUST as vulnerable to the same users given similar functionality. Lock up users in a green screen and they won't use the PC much and so there'll be "fewer probs", "fortunately" Gnome,KDE etc are working hard to bring MS style stuff to Linux. If Linux Desktop is ready AND accepted by the masses, the masses will not disappoint us - there'll be tons of Linux trojans spreading the net. Think about it - once "Greeting Cards", "Cool Screensavers", "Animated Cartoons" and their ilk run on Linux, and users get used to running "Fun/Cool" stuff, guess what will happen.

So far most popular operating systems by default run programs with the full privileges of the controlling user. If they by default ran programs with restricted privileges then things would be harder. On my present system, IE runs as a separate user with fewer privileges than the normal user account I use for other stuff. This way it is harder for an exploit in IE to affect the rest of my system. You can partition things from each other in Windows and Linux, but it is not as seamless and not part of the default configuration. Good luck doing it in a way that allows Joe Average to easily get things done and still not shoot his foot.

Of course there'll still be people who'd be easily tricked into running the program with full privileges. These people need an operating system that allows them to easily rollback to various savepoints. Every time _they_ (and not the O/S) manually launch an unrecognized app and say "Yes I want to do this", a savepoint is made. This doesn't have to be slow. This is actually possible - since these people often don't need gigabytes of space, so a 250GB HDD should be fine for them for quite some time. Every 3 months or 500 power cycles or when they run low on space, they send the system in for servicing by a pro, who cleans stuff out, removes no longer needed snapshots and so on.

Of course someone has to figure out how to stop a trojan run by the user from corrupting the disk at a low level. And it still doesn't stop the trojan from affecting OTHER systems before the rollback happens.

even gmail is slower

[ghum]

or at least it seems to take around a nanosecond longer to load. Maybe it's other network traffic or sth.

Re:but not me

at the risk of being modded troll....

windows - security through patches

linux - security through smugness

surely it's just a matter of time before someone writes a devastating linux virus? i know the system is laid out differently to help avoid this - but isn't the feeling this community lives by "if someone can make it, i can hack it / un-make it"?

that applies to linux too

and yes, all you smug people sitting in front of a mac too... as your operating systems gain market share, then surely they will become more of a target?

i'm not bashing linux / mac / or even (*shock*) windows - but the attitude of "it's only windows users - i'm safe" really irriates me - it seems shortsighted to say the least

Re:but not me

[BlueArchon]

It will affect you. It spreads by email. You recieve email. It's disguised as delivery failure notifications, which are a pain to filter, unless you want to keep the legtimate ones.

w00hoo

[grahagre]

wierd, my gmail account is untouched... it must suck to not have one...

so i found this code to create a gmail invite link (dont know if it works)...
look at this

Re:w00hoo

[TubeSteak]

So i checked out your creator link seems like you're just randomly changing http://gmail.google.com/gmail/a-5ce404a8e1-c4c0ffc 281 the last combination of alphanumerics.

I've recieved and given two total invites. a-505ae7202b-fdaa58a202 and a-ed9e42f50e-f1d1115d05

I only bothered because yes, like an idiot, I was clicking it for a minute.

Re:w00hoo

[grahagre]

glad to see it worked for you, tell the others!

Re:w00hoo

[Shachaf]

A GMail invitation link is made up out of the following parts:
1. http://gmail.google.com/a-
2. Ten hexadecimal digits which represent the account the invitation is coming FROM.
3. Ten hexadecimal digits which represent the specific ID of the invitation.

So, when you wrote this, you probably got a GMail invitation, saw that the link started with a certain 10-digit combination, tried replacing it with another, and got an error. So you decided that the first ten hexadecimal digits must be the combination you had. But, this will only work for invitations sent from the account that invitation came from, and only after they are sent and before they are used.

Re:w00hoo

[grahagre]

oh, well looks like i messed up on that one ;-P

Re:w00hoo

[B2382F29]

gmail is cool?

well it is cool if by that you mean to have gmail-generated ads INSIDE of your daily spam.

Old school virus?

[holgie]

Can anyone tell me why it uses an smtp server?
I mean - modern vira all include a built in smtp server. Makes them much better distributed...

I hate sloppy virus writers! :p

Better Versions

[TubeSteak]

If you want the Symantec release re-written by someone who knows what they're talking about, look here.

"Evaman occupies a false email address" doesn't fill me with respect for CoolTechZone's credentials.

And in the spirit of good journalism, wouldn't you think CoolTechZone would want to link to Symantec or directly to the advisory. And not just CoolTechZone, but CmdrTaco too. Was the news that CoolTechZone reported this, that Symantec reported this or that there's a new worm out? As the news spreads, so does the crummy reporting, this time from The Inquirer. They don't link to Symantec either & have winning lines like " If users are dumb enough to open the attachment".

Okay, fine, users are dumb. How how about we give them a slight break in this case? Failed deliveries are far enough out of most people's 'normal' e-mail experience that i can understand why they'd read the message. No it doesn't excuse opening anything with .scr, but txt.scr, html.scr, outlook.scrtxt.exe might dupe your avg users.

Anyways, here's a better article linked by McAfee and The Article That Started It All from the Sydney Morning Herald. Perusing the summaries off of Google News makes it seem like this will either be "unlikely to have a major impact on Australian businesses." or (now this is really crazy because it's from the same website, but a different article) "clog mail servers, cause severe slowdown and wreak financial damage as it spreads rapidly around the world when businesses return to work today"

I love that everyone can quote the Sydney Morning Herald to report that the sky is falling, or that things will mostly be okay. how do two journalists end up with such completely different viewpoints? They both quote Tim Hartman

"Tim Hartman, senior technical director at the security firm Symantec, said Evaman had the potential to be "every bit as bad as MyDoom. It's really shaping up like that. Mr Hartman estimated the virus would spread at an uncontrollable rate as people returned to work"

and/or

"We don't think it's going to be a major outbreak... most businesses had been able to filter out the affected emails" Mr Hartman said.

/Rant

Re:Better Versions

I think The Inqwell is lost on a lot of people. It's called "informal".

Re:Better Versions

there is link to the symantec for Evaman.

it is the first word in a slightly light blue color. very hard to see...

No!!

[ScouseMouse]

No! your not serious!! surely it cant attach Windows 2003, Bill PROMISED me it was more secure.

now COULD he do such a thing.

Thats it, i want a divorce.

:-)

Re:No!!

surely it cant attach Windows 2003

I certainly hope not, that would be a friggin huge attachment!

Re:but not me

[MadChicken]

...or get a free one from Novell... ...or download the ISO and almost upgrade to pro without having to wait for the mail... :)

Re:but not me

[Pharmboy]

It will affect you. It spreads by email. You recieve email. It's disguised as delivery failure notifications, which are a pain to filter, unless you want to keep the legtimate ones.

I filter my email at the SERVER not at the client, so its trivial to filter since I can write my own rule sets. I am not talking about yahoo/hotmail which I don't use.

not a problem for me

[Chuck+Bucket]

I quit using my yahoo email b/c of spam, but I took a look to see if I had said worm. Unfortunately all I have is the usual:

PAIN MEDS.. FILL and SHIP Directly to Your DOORSTEP *
Special Offer Claim 250 Full-Color
Business Cards FREE!
©ÉT ±d©ÊÍ ^_^
The Career News
Finding a job on the internet . . .
My Home Finance Direct Homeowners $ave Money Now
Pet Care Make Your Pets Happy
Visit Our City Win a Dream Summer Vacation

Of course running Linux/Mac at home I needed worry (as much) about viruses.

PCBCW$E

Re:but not me

[Pharmboy]

I am not saying that Linux is boolit proof, its just not the target. That said, there are some fundamental differences in the two that make it easier to secure a Linux box. Both can be made as insecure as each other, its just easier to make Linux secure because of the way permissions are done. This is true of any Unix like OS.

Also, I block all traffic incoming and outgoing on port 25 on the router, and use webmail for the company, so infected boxes can't spread the love even IF they get infected. Yes, with a Linux router ;)

long term solution

[ajs318]

I see the real long term solution to the problem of unwanted software execution being a form of public-key cryptography at the hardware level -- effectively, for every processor to have its own unique instruction set, so that only code compiled for that particular processor can be run on it. (Maybe there would need to be a compatibility-mode switch, to install a kernel and a compiler just to get you going; but please let it be something like a jumper on the motherboard which you have to put on -- certainly there should be no way that software could subvert this security feature.) Also, the installation of new software should require a conscious action on the part of the user, and involve a hardware operation -- such as operating a normally-concealed switch. If you bought a new computer, you would have to recompile all your software from source, but that's a small price to pay. Alternatively, you could allow the user to flash the thing with a new key pair; so you could just give your new computer the same instruction set as the old one. Or a corporation with many desktops to administer need only give all their machines the same keys, and then compile application software once to run on any of them.

The average user won't really notice much. They will simply see an extra step taking place after downloading and before installing, as an automatic configure and make are performed. And they will have to validate the install, but I can't see how anybody would think that unusual: if it can affect the way your computer works, you damn well should have to tell it you're sure you want to go ahead.

Since every piece of downloaded software would have to include the source code, it would be much simpler to chase up infections if they occurred. And if every software installation required users to validate it, drive-by downloads -- arguably a form of virus infection -- would become a thing of the past.

It would still be possible to sell closed-source software; but you would either have to insist that users programmed their machine to a key pair you specified {which is great for locking out your competitors, but rather defeats the entire point of personalised instruction sets} or supply you with the public key of their machine so you can compile software for it {a little more secure for the user, but very expensive to implement}.


BTW, why is anti-virus software closed-source? What don't the likes of Symantec want us to know?

Re:long term solution

BTW, why is anti-virus software closed-source? What don't the likes of Symantec want us to know?

That the anti-virus industry is deathly afraid of secure operating systems, because widespread adoption will cut into their monstrous profits? The above notwithstanding, where do you think the viruses (the "proof of concept" ones anyway) come from?

-1 AC, +1 Paranoid, +2 Industry Insider

Re:long term solution

[buss_error]

I see the real long term solution to the problem of unwanted software execution being a form of public-key cryptography at the hardware level -- effectively, for every processor to have its own unique instruction set, so that only code compiled for that particular processor can be run on it.

I can't see Microsoft allowing their source code out, even if encrypted in source form. Even very complex keys can be extracted, given time and enough power. It is very likely that MS source would be considered high enough value that it would be attempted. Also, with that many copies of the source around, all identical except for the encryption, key attacks are much easier. If MS compiles it, then the question is how many years are you willing to wait for your copy to be compiled?

If you run a 30,000 node network, how do you manage all 30,000 unique copies of the OS, productivity, and all the batch files used to mange all 30,000 systems?

And what would keep mal-ware writers from inserting their malware at the comple-the-source stage for each and every processor? Can you imagine how long it would take a P4 400Mhz to compile Windows XP? (If each and every CPU has it's own unique key, then each and every system will need to compile the OS. Also, what about SMP systems? Do the CPUs in that system each get their own key? That would mean the OS would have to be compiled for each cpu in that box!)

No, adding a layer of encrypition isn't the answer. It adds complexity and possible vectors without really addressing the problem.

Like spam, viruses are not a technical problem. It's a human problem.

Oh, and you can get open source A/V software. Clam A/V.

Re:long term solution

[nyseal]

Wow, you're asking a lot from the average user. Oh well, Slashdot has its avearage users too.

Re:long term solution

[ajs318]

You, as the owner of the box, would obviously get to create the public and private keys required to run software on it. The source code would not be encrypted; it would be in the clear. It would be the compiled code that would be encrypted. Ordinarily you would do the encryption during compilation, because you would be the one in the best position to compile all the software your box ran. Otherwise you would have either to send your public key to Microsoft for them to encrypt against, or change your private key to one supplied by Microsoft.

If you run a 30,000 node network, how do you manage all 30,000 unique copies of the OS, productivity, and all the batch files used to mange all 30,000 systems?

You manage 30 000 copies of an OS by making sure they are all encrypted to the same key. Or 1000 copies each encrypyed to one of 30 keys, or something like that ..... at least any infection can be contained.

And what would keep mal-ware writers from inserting their malware at the comple-the-source stage for each and every processor?

While it's possible to distribute malware in source form, it would be unfeasible. Bear in mind that "good guys" outnumber "bad guys", and it would soon be found out. Imagine a breakfast cereal that listed "Amanita phalloides" in its ingredients ..... as soon as anybody with any savvy sees what's in it, the company have effectively sold the last box. Of course, they probably wouldn't want to do that if they didn't have to, but think of a regime that made it next to impossible not to declare your ingredients ..... or where everyone has a pocket-sized mass spectrometer ..... in fact, I wouldn't be surprised if the Japs start building them into phones sometime soon.

The "installation requires a conscious act" feature means that you have to know about any software you install. Of course it's possible that this could be bypassed (a piece of software that was allowed to run could act as a crude emulator, doing things depending on the contents of disk/memory locations where normally non-executable data would reside) but still there would be some kind of audit trail.

Like spam, viruses are not a technical problem. It's a human problem.

IMHO, the greater part of the problem is that people are too willing to run software on their machine that was compiled by someone else and never checked.

Re:long term solution

[gmuslera]

You are talking there as the only possible worm/virus are binary, mean to be run directly by the processor.

But you are forgetting:

• macro virus
• scripting-language based worms (well, that is an extension of the above)
• Not remember one of the latest "successful" worms for linux/unix, but what it did was to download the worm code into /tmp, compile it and run, exploiting a vulnerability not remember if in ftp server or something like that
• The most important part of latest worms is the social engineering one. It "forces" the user to run attachments, uncompress crypted zip files, and could be some that even ask the user to rename the file and run it to prevent extension blocking. Asking to compile a program is just a step forward

Re:long term solution

[buss_error]

IMHO, the greater part of the problem is that people are too willing to run software on their machine that was compiled by someone else and never checked.

Windows, for instance.

Sorry, but your idea simply isn't workable. First, get Joe Six pack, who can install a copy of Office now, do the same for a copy he has to compile. Oh, that's right, Windows doesn't come with a compiler. Well, add in the cost of a compiler to the OS. In fact, intergate it. Next, since a machine can't boot source code, somewhere you're going to need a kernel to boot. Next, you have to authinticate against something somewhere that the code you think you are booting is actually the code you are booting....

What you describe is a trusted computing base. See "Trusting trust" for more insight.

Adding complexity of the nature you propose does noting to protect against idiot users.

Re:long term solution

[ajs318]

First, get Joe Six pack, who can install a copy of Office now, do the same for a copy he has to compile.

I think you're assuming compilation would be a more or less interactive process; I'm assuming it would be completely non-interactive. After all, properly-managed packages search for and download any missing essentials, so they can just compile without you having to do anything. A less kind person than myself would say forget your bad experience with RPM and try something like FreeBSD Ports.

Oh, that's right, Windows doesn't come with a compiler. Well, add in the cost of a compiler to the OS. In fact, intergate it.

Just like every unix-ish system then ..... seriously, a compiler already has been written, so it isn't going to cost anything; and its source code is widely available, so it is to some extent trustworthy (if it's compiled by trustworthy methods).

Next, since a machine can't boot source code, somewhere you're going to need a kernel to boot. Next, you have to authinticate against something somewhere that the code you think you are booting is actually the code you are booting....

This is indeed the sticking point. My proposed solution is a hardware switch that would allow running of arbitrary, unsigned code -- sort of a "dangerous mode" if you will -- while it was active, and for the user to compile their initial bootstrap loader and kernel after booting from a read-only disc in dangerous mode.

What you describe is a trusted computing base. See "Trusting trust" for more insight.

But unlike Microsoft's plan, I'm proposing that the owner of the machine should have the ability to control the keys. You are right, though, that you can only trust everything as far back as the last thing that happened in "dangerous mode" (whether or not "dangerous mode" was selected with your blessing -- hence a hardware switch). The real point is that you can't trust anything you didn't build yourself. For that matter, could someone have nobbled you -- by drugs, hypnosis or whatever -- into building in certain "special" features you didn't really want? After all, anything is possible in tinfoil territory. Perhaps I should move into a shack in the woods with no electricity, and grow my own food ..... but maybe that's just what they want me to do .....

Adding complexity of the nature you propose does noting to protect against idiot users.

Adding complexity has one effect, in that it forces people to think just that little bit harder about what they are doing. Of course, if users actually had a clue then none of it would be necessary.

In fact, that just gave me a blinding flash of inspiration. The real question we should be asking is, who gets fat off keeping users clueless?

Poor Windows 95 users

[DrugCheese]

Rendered useless at just the age of 9. Windows98 won't even make it that long. I wonder when they'll stop support for WindowsXP and some bug will come out that renders it pointless to use. ... or is it already pointless ..

Re: but not me

[Black+Parrot]

> windows - security through patches

> linux - security through smugness

Linux is patched quite frequently, actually.

> surely it's just a matter of time before someone writes a devastating linux virus?

Surely. But it's going to take rather more than one to make Linux look as bad as Windows does.

> i'm not bashing linux / mac / or even (*shock*) windows - but the attitude of "it's only windows users - i'm safe" really irriates me - it seems shortsighted to say the least

Statistically speaking, Linux and Mac users are much safer than Windows users.

Heh

[TubeSteak]

oh. that would explain things wouldn't it?
It's a touch sad though, because people start quoting news sources like the inquirer who're in turn quoting another article as their source of info.

I guess this And the sky shall turn red, the sea will turn to jam and so on should have raised a red flag or two, but honestly, news articles are so dubios that i've become jaded. I don't bother to do much more than scan for content because i know i'll read another article saying/spinning things in a completely different fasion.

Anonymous reader?

[zonix]

I wonder whether this site exists only to generate ad revenues from people who trip over it.

Interesting. The story was submitted by an "anonymous reader".

z

What, me worry?

[shokk]

Yahoo and Hotmail are being protected by these puppies from Ironport. They use Brightmail to filter to the Bulk folder and Sophos for AV. Hopefully they turned on both features.

spelling

[Zims+Manson]

The word "worm" is spelled wrong ("worn") in the story description.

and in other news

[raind]

the article linked contained absolutely no real information....

vira?

Whoa, a new invented plural to attack!

For gods sake!!!!!

Jesus crist! Why do people bother submitting these kind of stories?

Can somebody name a time there HASN'T been one of these kinds of viruses in the wild? That would be NEWS, not this shit.
No, you can't? What a surprise... This happens 24 hours a day, 365 days a year.

Not only does it happen constantly, there's thousands and thousands of these viruses about. Heck, I could write 50 different ones right now, when each one gets reported to symantec, will you post a story about it?

Get some real news and stop wasting our time. There's nothing that annoys me more than news which isn't news at all (well, that's a form of ignorace.. which is what actually annoys me the most).

Re:For gods sake!!!!!

[brainiac]

My email account has been saturation bombed with messages containing those subject lines for well over a year. I am thinking the virus attack they are reporting is very old and they are just getting to reporting it now (?)

Re:For gods sake!!!!!

[It'sYerMam]

This is just the way many email worms propagate - "We couldn't deliver it. Email contained in attachment."

Looks perfectly legitimate, and so people are likely to open the attachment.

"Selects an SMTP server ..."

[WoodstockJeff]

Selects an SMTP server from the following hard-coded list:

The security advisory then lists a dozen or so popular multi-stage relays, from some major ISPs. This explains why my system was being hit by Verizon servers over a thousand times this weekend, targeting a non-existant address.

And here I thought it was just their normal "ignore the 550 response code, just retry endlessly" configuration! Turns out, it was just their "Relay anything for anyone" configuration!

No kidding

[Sycraft-fu]

Never ceases to amaze me how people will continually open attachments. We warn them at work verbally, we send out memos, we post cheezy posters, we alter default mail client behaviour to make it harder. STILL some users insist on opening executable attachments. I will never understand what compells them to do so. I understand the first time, you don't know, and it is a nasty supprise, no problem. However after the third time a computer support person has chewed you out, you've AGAIN gotten the memo, etc, people still insist on doing it.

The really scary thing is we have a virus scanner running on our mail server to filter this. However it is only updated once a day max, and the company (Sophos, not what we want but it's a government contract) isn't always on the stick with the updates. So people will do this within the first 48 hours of a new worm comming out. I hate to think what it would be like without filtering.

Re:No kidding

[netringer]

The really scary thing is we have a virus scanner running on our mail server to filter this. However it is only updated once a day max, and the company (Sophos, not what we want but it's a government contract) isn't always on the stick with the updates. So people will do this within the first 48 hours of a new worm comming out. I hate to think what it would be like without filtering.

How about if your "virus scanner" just deleted ANY file with a name like "report.doc.pif?" There is NEVER a legit file that has two .xyz.xyz extensions. There is never a legit message from Postmaster@* that has an executable attachment.

Could it be that something that simple in the scanner would catch many of tomorrow's worms even when you don't pay a fortune for the signature update subscription? Once they have you in the "We'll detect what got you today in tomorrow's signature file" cycle you keep thinking the risk is bad enough to keep paying for updates? Can't be.

Re:No kidding

[E-Rock]

Yea, good idea, but it screws people up. The heuristics filtering on the software we use at work does this. Anything with two extensions gets borked. We didn't notice until our UNIX developers started bitching that their messages were being blocked.

Really the servers should be blocking pifs and scrs at all times. Unfortunately after that got common, they started zipping the viruses. The idiot users still got infected after they unzipped and ran the program.

Re:No kidding

[Wolfrider]

--Easy fix:

$LUSER receives memo and verbal chewing-out from $SYSADMIN not to do this EVER again.

$LUSER deliberately opens an infected attachment for the SECOND TIME.

$LUSER is IMMEDIATELY FIRED and escorted from the building for:

1) Incompetence
2) Ignoring established and reasonable safety precautions
3) Causing damage/downtime to the company's daily operations.

--Make a VERY PUBLIC example of this idiot, explain WHY they were fired and that it WILL happen again if somebody else is stupid enough to follow in their footsteps. Repeat as necessary.

Re:No kidding

[Alioth]

When's the last time you got a Windows executable by email that wasn't a worm/virus?

Just have your mail server reject all email with executable attachments. It fixes the problem without having to worry about antivirus scanner updates.

Re:No kidding

[Sycraft-fu]

I don't know why we don't do that (I'm not the one that runs the mail server). Either Sophos doesn't support it or, more likely, there is politics involved. I do support for a university department so we can't just do things, we have to get them cleared with the faculty first. Thus there are some security things we'd really like to do, but simple are not allowed to.

Also, as others have noted, some of the new ones have taken to zipping the files. Hell, some even zip and encrypt the files, and provide the key in the e-mail. People really do go through the trouble to save the zip, open it, entry the key, get the exe and run it. It blows my mind, but it happens.

Re:No kidding

[Sycraft-fu]

In this case $LUSER is a tenured professor. You can't fire them for ANYTHING short of sexual harassment or something like that.

While it's nice to think that tech guys rule the world and can make policies like that, it's not true in many cases.

Like management of systems. We mangage most, but not all, of the computers in the building. Manage meaning have root/admin, have them joined to the domain/NIS, and take care of patching/updates. Most users are happy with this, since the only inconvinenece is you have to ask us to install new software, which really shouldn't be that often (they are for research, not playing around).

Well, some professors insist on managing their own labs (or rather having an incompetent grad student do so). Huge supprise, those are what get infected all the time. When Phatbot came around, all the systems we managed were fine. We had them patched and up to date, and the admin passwords were strong, so Phatbot wasn't a threat. However several we didn't manage got infected, mostly due to stupidly weak passwords.

Now the simple solution, and the one we'd like, is that no one gets to manage their own system. We manage all computers period, no argument. However, the faculty won't allow that. They have to be allowed to manage their own computers if they want. Nothing we can do, since the department head and dean agree.

Re:No kidding

[E-Rock]

Yea, short of your boss stepping up to the plate and working with your dean/vp to set up a policy that the faculty have to adhere to.

Working at a University myself, I know that there's phat chance of that unless someone broke in and stole research or something public, embarasing and destructive. Even then you may only get a knee-jerk reaction, but no real change.

With some groups and some organizations, you can't do much more than strongly suggest.

Re:but not me

[R.Caley]

surely it's just a matter of time before someone writes a devastating linux virus? i know the system is laid out differently to help avoid this - but [...]

Please use the shift key, going out of your way to make your posting hard to read is VERY rude.

It's not a question of layout, but of sanity. Windows is very vulnerable because it is used by people who don't understand the tools they are using, who run with administrator priveliges (they used to have no choice, more recently M$ just made running as a normal user a pain in the arse) and who run badly designed mail clients and web browsers which will execute code recieved in email or froma web server at the click of a button.

With linux based systems becoming more widespread, the same syndrome will become more and more widespread there too. People running as root. People running brain damaged, but pretty, mailers. People not knowing that this is a Really Bad Idea.

Personally I don't trust any mail client which understands MIME or HTML, and I only read root's email with `less'.

Like driving a car

It's kind of like driving a car. You can buy the safest car on the road, but if you are going to change lanes without checking out your blind spot, well, it doesn't matter, does it?

Standard issue cars are more equal than OS's, currently.

This is a case more like the dude pulled over on the highway by a cop for weaving. Turned out he wasn't drunk, even buzzed, just that he had no steering wheel, instead he was using vice-grips clamped directly onto the steering column.

As far as M$ and use of its software on the Internet go, there have been several small children shouting that the emporer has no clothes. And now that I mention it, why, yes. It does appear that the emperor has no clothes.

Don't let your ideology bit you on the head, drop M$ and move on.

except for

[zogger]

your quote

"Windows isn't a blackhole for viruses as some people like to overemphasize it as. Windows is a blackhole for people who do silly things like run ridiculous software or click on attachments when they shouldn't."

So my response would be, except for the untold millions of people who ARE running a windows blackhole machine that sucks in every virus, worm, trojan, malware and spyware out there. Which is most of them. They are by far the largest users demographically on the internet, and it goes across national boundaries, and inside practically all businesses out there. It's a HUGE problem, it destroys the global economy to the tune of billions a year, it causes no one really knows how many wasted man hours of effort to try and keep it cleaned up. It is not a minimal problem because a relatively few people comparatively speaking are able to keep their machines organized better.

I think it's just time to admit reality. Windows as designed is just not a good choice for use on the internet. It is acceptable for use on closed intranets and as a standalone work machine or game machine that is not connected to the net.

Despite the availability of updates, patches, service packs,third party programs, thousands of news articles, advisories, etc, to attempt to divert or stop all the various insecure functions related to MS products in general,going to all the windows users out there through generation after generation of windows products, it is still broken for the purpose of being on the internet. You CANNOT just dismiss verifiable anecdotal data, nor can you dismiss the fact that human beings run this stuff, which means this stuff gets run with normal human levels of ability and interest.

Running pure windows now has negated the entire concept of "easy to use, fun, profitable, useful for this purpose" that they push and definetly imply (although their legal disclaimer claims otherwise, I call that a pure outright lie) their software as, because any joe random user now has to become a part time security guru, when that just shouldn't be necessary, not in 2004 it shouldn't.

Same as linux was not a suitable OS for joe everybody when it required being an unix command line guru just in order to run it. It was useful for a very small number of people in specific applications back when. that's true, too, it wasn't for joe everybody. Windows is pushed good for joe everybody, true, it's fine..just not on the internet. Time to just face facts and move on with it, it doesn't pay to cling to what in essence, and not meant to flame just to state a fact, the fantasy that MS is a practical choice if your computing requires being on the internet, personal or business, not if all you want to do is be on the internet and not be a semi professional security expert. It's just broken for that purpose, generally speaking. pointing out individual examples of where it isn't does nothing to take away the reality that in millions and millions of cases it is in fact, a blackhole, except with a definition twist, it sucks them in like a blackhole analogy, then multiplies them exponentially, then spits them back out again.

For every incredibly secure windows installation out there, there are huge numbers of totally broken and insecure examples, that's the real bottom line, and this despite years and years of efforts to make that "not so". I would guess it it is at least 100 to 1, insecure to secure, or some such huge lopsided number like that. Might even be 1000 to 1, no one really knows. It's huge though. And every new version iof the OS and browser and email thingee and SP was supposed to "fix that" and it never has really. It's because of how human beings use computers, and most human beings are not, and will not become, full time or significant part time, security gurus. If this reality is not admitted to, the problem will always exist, and just get worse, not better.

Re:except for

[brainiac]

I am working on a thesis and will probably want some contributors to help. The internet is committing suicide and Microsoft is always part of the equation. It started with Microsoft not embracing TCP/IP (remember the Clarkson drivers). Then Microsoft really screwed up and didn't support the internet for about a year after the ball got rolling because they wanted the entire planet to use MSN. Finally they realized that the entire planet was probably not going use MSN exclusively and they jumped on the internet bandwagon. From then on the things they did seemed to only destory what was good. Email suddenly became HTML based. They tried to hijack IRC with Microsoft Comic Chat. They tried desperately to torpedo java and had limited success. They tried to hijack HTTP/HTML with Microsoft crap like Frontpage. Fast forward to 2004 and we have millions and millions of Microsoft zombie pc's completely wreaking havoc on the net. Is it possible it is all part of a master plan ? I can see where in the future they could proclaim the only safe way for people to be networked is if everyone was on MSN because they can rigorously control how everyone's pc works and what it does. For example they would get rid of SMTP, HTTP, IRC, etc and replace it with "safe" Microsoft protocols and software.

In short, is Microsoft the Al-Qaeda of the networking world ? It sounds screwy but if you write a chronology of the internet and Microsoft side by side you will notice that almost everytime something bad happens in the internet world Microsoft is right there playing a major role. The vast majority of Microsofts contribution to the internet is leading to its destruction. I wonder if somehow they are behind the other internet scourge: pencil necked geek know-it-all bullies on newsgroups, slashdot, and irc that in reality could have their a**es kicked by little girls. Bah.

Re:except for

[Wolfrider]

+1 Conspiracy Theory

Re:except for

[zogger]

al queda? I don't think it's a good analogy. Don Coreleone and his business partners is more like it. Any crime is OK to make money. anyone not in the family is a legiot target for a crime. any underling in the family must submiot to orders to stay in the family. Co opt and coerce governmental employees. Make sure your business rivals fail, and fail hard, no matter if your business is a worse deal for the neighborhood. Be ruthless. Lie to get ahead. Cheat and steal to get ahead. Don't do any legit busines if there's more profit in illegitimate or unethical business.

They seem to fit bettee there than with an al queda description. al queda has a political agenda, not a money agenda.

Frankly, all I see when I look there at redmond is a huge monopoly that has never cared very much at all about it's products, compared to how it's products got marketed and what the markup was and the black over the red. They never had any interest in conducting business fairly, just to do whatever it took to dominate. Whenever caught up in a falsehood or a discrepency, they change the subject and blame the consumer for it, or anyone else but admit they screwed up on anything. Quality and functionality have always been way down the list of priorities, especially if it would cost them any profits. It is the clearest example of criminal corporate greed ever, dwarfs even haliburton or enron.

I feel sorry for the folks stuck working there. I doubt there's that many people who really enjoy it or who are mising the realities of it. I think at the top levels they are crooks, down lower, they just have workers with not many options for employment in their chocen fields, so they stick with it, because they are stuck. there are probably a few who enjoy it immensely, but I doubt they are in any sort of majority there, hence, i feel just as sorry for them as joe consumer users with the bug of the day on his machine.

Re:except for

[brainiac]

To be honest I didn't spend much time on the slogan is Microsoft the Al-Qaeda of the network. There are some reasons it is a good comparison and many reasons why it is a bad comparison.

I am not even proposing what I am saying is true, but it is interesting that if you investigate the matter fully one possible outcome is that Microsoft has a master plan of entirely dominating every computer on the planet, and the internet is a gigantic wall to this alledged conspiracy. There are numerous other examples of this behaviour, for instance they attempted to hijack DNS in the past unsuccessfully. There is also potential mischief in there well established pattern of trying to eradicated the common languages used by computer users to be replaced by software in which they invented and are trying to propogate, and this software generally only runs on Microsoft machines by the way.

It is also kind of shocking how easy their machines are to hijack. I could see if there were maybe a few hundred incidents over the span of a few years, but if you illuminate the situation in one light it becomes apparent Windows is actually designed to be hijacked. If it isn't I propose Microsoft patent operating systems which are specifically designed to be taken over by people who are not responsible for a system fiscally or operationally. They are officially becoming the flagship company of software with this revolutionary new approach to computing.

As mentioned before, I am serious about opening an "open source" project in which the target is exhaustive analysis of Microsoft in regards to how it's products have affected the current computing world. I am able to document quite alot of history myself, and it would be fun to have other people collaborate on something like this. Specifically I want to see a concise chronology of events like this: (example dates, etc) .. .. Please help with pre-windows networkign ..computing
1988 Clarkson packet drivers emerge allowing networking cards (mainly token ring and ethernet) to operate in a TCP/IP environment.

1988.3 Microsoft makes aggressive changes to NETBIOS to make it more competative with TCP/IP

1989 Microsoft finally releases official TCP/IP drivers for networking devices.

1995 Microsoft releases "comic chat" with an unorthodox mode of operation in which unofficial/unapproved "extensions" to the IRC protocol are broadcast in the channel and interpretted in a special way by the new Microsoft Comic Chat client.

1998 Most Microsoft Comic Chat users are immediately banned from all servers globally when they enter a channel.

1999 Microsoft officially buries Comic Chat when it is no longer shipped with the OS.

2025 Antichrist officially declares Microsoft the official software of the empire and anyone not using it is beheaded.

Re:except for

[zogger]

hehehehehehehe

probably true, that last one
but ya, they always want it "their" way. That's pretty obvious.

Easy...

[BrokenHalo]

Just train your filter to can anything with "delivery failure" or "failed transaction" in the header.

The likelihood of non-junk mail falling into this category these days is virtually zilch by comparison with the typical offerings from the various spam-hausen.

pathetic

Some of u r so pathetic. Many articles have the original link, dunno why not this time.

who cares if the articles r written by the same person and the domain is owned by the same person.........tht doesnt say anything expect tht the guy is probably work hard on his little site [seems as though u never heard of it].

btw, at one point symantec did hve the warning level to critical. maybe u should check ur sources. once the journalists posts a news, they dont' keep on editing it because the original source changed their results.

i personally could care less about ad revenue. don't be so jeaolous.

Re:but not me

[linuxpyro]

How is it in terms of stability? My machine is running dual AMD MP 2800s, and FC1 freezes up once in a while. I'm pretty sure it has something to do with the SMP kernel, but I'm not too sure.

Is there a low latency kernel available for it? I do recording with Ardour and Jack. Currently I use the Planet CCRMA kernel, which seems to work out well. Maybe I'll give it a shot, seeing as I've heard a lot aout SuSE's multimedia capabilities.

Re:but not me

[downbad]

Suse 9.1 ships with 2.6 by default, does it not? If so, it's vulnerable to this horribly pathetic security hole that has existed in the entire 2.6 series.

So much for the "many eyes" approach to security, eh? Don't get me wrong, I'm installing Gentoo on my laptop as I type this, but every OS has it's problems. Even Linux.

Re:but not me

[Pharmboy]

I have not tested it well enough for the information you need. I still suggest what I always suggest, if you have a few extra dollars:

go to computergate, get a couple of IDE drive frames (less than $10 each for ata100 now, for internal and external frame combo!) and install in a spare CD space on your box. This way you can swap out your main drive for a different main drive, and test it out without losing your current setup. Then shutdown, swap out drives, and reboot to change back. Its really worth the few bucks it costs, and allows you to test different os's on the exact same hardware, without a screwdriver (well, after the initial install).

I know that I was shocked at how much software came with 9.1 pro for recording, music, etc., and on the desktop everything seems to work veery smooth, but I have not tried any recording with it. As for stability, it seems to be fine so far ( using 9.1 for only a few weeks, it is new) You should be able to use any 2.6 kernel you want, Suse or not.

I installed EVERY window manager on the disk, which you might find useful for recording. When I do graphics or any single task, i prefer something like icewm or twm, because there is NO eye candy and it boots from the login in 1 second. I am wanting to say it comes with almost a DOZEN window managers, really. This has to speed up tasks like recording. You can also install Gnome, which defaults to a very 'mac'ish interface. And another that is a virtual windows 95 clone.

I will still use Fedora for servers, since I know RH inside and out and it is quite stable. On my desktop, I am more worried about usability and features, not mega tweaking, so SuSe was a significantly better choice for me. I had not considered replacing my WORK computer operating system, until 9.1 came out.

Re:but not me

[Pharmboy]

Suse 9.1 ships with 2.6 by default, does it not? If so, it's vulnerable to this horribly pathetic security hole that has existed in the entire 2.6 series.

During the install process of Suse 9.1, it will connect you to the server for updates before you even finish, or you can choose not. Not bad.

Keep in mind, EVERY kernel ever made has terrible flaws, except the current one ;)

Hmmmm. Everyone has an angle

[titzandkunt]

Everyone has an angle.

Including Earthlink. Their check said I was riddled with Alexa toolbar + A load of tracking cookies.

Problem was, Both Ad-Aware & Spybot S&D (latest definitions) said otherwise: Clean as a whistle.

I bet if I download the Earthlink Toolbar (same page as the free spyware check) these problems would go away?

T&K.

REMEMBER FOLKS

[ShadowRage]

this doesnt mean windows is any less secure or vulnerable than its evil insecure unix counterparts ;P

http://slashdot.org/article.pl?sid=04/07/05/1530 25 3

and just because those systems dont get as many virii as windows doesnt mean they're secure, just shows they're incompatible with the latest virus technology!

Hands up: Who isn't blocking attachments by type?

[gfecyk]

*yawn* not again. Caught more than two years before the fact. By Outlook itself (yes, as in Outlook 98, Outlook 2000, 2002, 2003, Outlook Express 6 SP1). No?

Hands up all you sysadmins who aren't keeping your users' mail programs up to date. OK, Users: Avoid these people like the plague and hire yourselves some real consultants.

Re:but not me

[Alioth]

It's utterly *trivial* to filter. Just reject email with Windows executables. Most companies are doing that now; my mailserver does it - it's not even hard. I have never got a legitimate email with a Windows executable attached to it.

WHY IS PARENT MODDED DOWN?

man, people on slashdot suck.. the true hurts eh?

To: undisclosed recipients; spam

This explains that jx54p24@yahoo.it spam I've been getting, with no subject, no body, just "To:undisclosed recipients"

maybe

Re:but not me

"I am not saying that Linux is boolit proof,"

He's definitly not American...

Users are sheep.

I remember a couple of years ago in after hours chat with a guy who ran IT for a major company. He got in for work an hour before everyone else as one of his jobs was to 'wake up' the network. Checking the tech bulletins he found that a major virus/worm was circulating (it has been a while, forget which one) and proceeded to set up a loggin message effectively says "DO NOT OPEN 'X' ATTACHMENT, IT IS A VIRUS".

20 minutes after the bulk of employees arrived, a full 2/3rds of the network was infected.

Oh... BTW, I've never been infected. My Win* box sits behind an OpenBSD firewall. And I only open attachments that I am previously expecting. Otherwise... "Hello? Did you send me an attached file? What is it?". I don't care if it is long distance, I will know what it is before I open it.