New Worm Installs Sniffer
fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T :
More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built-in to Windows XP) to deliver a curious message to infected users.
The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea).
F-Secure has a copy of the sound file generated by the message."
Then dust free computers for all!
Network Propagation and Exploits
This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. Read more on this vulnerability from the following link:
It also takes advantage of the Buffer Overflow in SQL Server 2000 vulnerability. Read more on this vulnerability from the following link:
This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server. The following link offers more information from Microsoft about this vulnerability:
It also exploits the Windows LSASS vulnerability. This is a buffer overrun vulnerability that allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system. For more information about this vulnerability, refer to the following Microsoft Web site:
This worm spreads via network shares, using NetBEUI functions to get available lists of user names and passwords. It then searches for and lists the following shared folders, where it drops a copy of itself using the gathered information:
- Admin$\system32
- C$\windows\system32
- C$\winnt\system32
- Ipc$
Trend Micro reports that the worm runs on Windows 95, 98, ME, NT, 2000, and XP. But notice that they report that the worm is not in the wild. So... where is it? Did they get a prerelease? How much longer before worms use their own TCP/IP stack? Wouldn't much surprise me, and might be beneficial for getting around firewalls. Might be a cool little project to make a zoo virus that does it.
Disconnect and self-destruct, one bullet at a time.
The newest MyDoom variant has the author asking for a job...
http://www.vnunet.com/news/1158043
The Amus worm speaks to infected users.
I don't know if I should laugh or cry. I just know I'm getting calls in the next few days because someone's computer says "How are you...".
As demonstrated at DEFCON with "The Wall of Sheep" (stupid name, cool idea) it seems that a lot of people who should know better still don't encrypt their password transmissions.
If you haven't already, it's time to get serious about encryption.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
2. I love the fact that this worm drops itself as BLING.EXE
3. This worm uses carnivore network sniffer and checks for the following strings
As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities I'd say you deserve what you get in this case.
4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
- It has 6 paths of infection: 5 vulnerabilities (as above) plus open shares
- It attempts to steal CD keys for some games.
- It installs a network sniffer
- It has an interface with 26 commands that the bad guys can use on an 0wned box
- It can log keystrokes
It doesn't destroy anything all by itself, although it probably crashes some boxen through the exploits (was that just Sasser, or is that part of the LSASS flaw?) It still sucks, but it's just an expected evolution. I'm still waiting for the really bad one...
for the "INDUCEd PATRIOT" worm that detects P2P traffic and then promptly shuts down the computer.
"Me fail English, that's unpossible." --Ralphie
my password to asianthumbs.org may have been jeopardized!
Oh no, I have said too much!
Damn you autopr0n, why, why did you have to die!!!
Monstar L
.. if your network smells bad.
This one talks to the infectee through Windows speech interface. Nice!
Life is the leading cause of death in America.
If you have a proper switch, then sniffing should not be a problem, as the traffic on the network will not reach the infected computer (unless it is also a server). Sadly, I fear that a lot of the consumer "switches" on the market do not do proper routing, and have insufficient MAC routing tables.
Feed the need: Digitaladdiction.net
"When I read these things it kind of makes me wonder why it took this long."
I often wonder the same thing. With all the different worms that infect unpatched Windows machines, why hasn't someone written one that effectively deletes everything on the machine just short of rendering itself unable to propagate?
...or does the term "packet sniffer" remind anyone of someones pet dog?
We need someone to go after these people with the intensity that the RIAA goes after 13 year old girls who don't want to pay for Hoobastank songs. If only the hackers would start going after people like the RIAA instead of trying to screw the everyday person out of their information so they can buy more mods for their Xbox. Then we could air it on MTV as Celebrity Geek Match!
..but I, for one, don't care about our network-sniffing overlords.
At some point he's going to sniff the homes of some of us slashdotters... boy will he be sorry!
Personally, I find this scary as shit. I think virii like this are going to be the reasons to compel a lot of middle-ability users to switch to Linux. Hell, I might cast off Windows now once and for all...
Each other, like dogs at one another's butts. Inside of a week that's all that's going to be out there, and the worms will just be bumping into one another.
BLING BLING. Meet the architecture that's changing everything.
Most networks are switched these days, making this pointless. Why not install a keylogger???
Then the evil person doesn't have to deal with all the encryption mumbo-jumbo.
Pluralitas non est ponenda sine necessitate
......ran windows update on all infected machines? Would people get pissed?
-Randy
...Afterwards it took me over an hour to unscrew the side of my case to get my nose out...
Since it's pretty rare these days to see either a computer attached to a hub (vs a switch) and it's also unlikely to see a Windows based router, wouldn't this make the worm's payload only applicable in most cases to the computer that gets infected. Also, I note it spreads through several other well known exploits, and you'd think people would have realized to patch and cleanup against these after MSBlast and Nimda.
A typical office machine and many (most?) home networks today involve switches. The brilliance of a switch (as opposed to a hub) is that collisions are avoided by isolating packets away from unrelated interfaces. This means the only traffic the sniffer is likely to see is traffic destined to arrive at the infected host anyhow.
On the other hand, sniffing traffic is likely to be a better (or at least an alternative) means of snarfing up sensitive info than, say, scanning a harddrive...
Still, it would have been far more effective in the early to mid nineties when "broadcast segment" really was a shared medium (for typical LANs) with packets slamming headlong into each other and entirely visible from almost any drop.
Maw! Fire up the karma burner!
Only for a windows operating system.
I guess I would consider MyDoom to be an application. If so, then this version is a job application. What are the odds that the real virus writer went to the top of his enemy list rather than putting his own name on the app? If the person on the application can face extradition, I'm betting that the name is phony.
Think global, act loco
The article says
"This in turn enables the attacker to capture unencrypted usernames and passwords, which can be used to compromise additional machines on the network. "
What would one gain looking at unencrypted passwords!?!
They would anyway be strings of *s only. right!?!?
Or can someone look through these *s as they look through the matrix code!!
But that's just a stupid analogy. Heh.
I've been telling my old 'customers' that I'm retired. I then tell them that I will give them support for free for life if they buy a Mac.
This is usually met with, 'Wha? Really?"
Yup. I'm enjoying the stories of crazy Windows happenings, virus mystery, and constant crashing (Yeah, XP is ok, but not when you have 127 viruses, trojans, spyware and keyloggers all vying for a clock cycle and outgoing port.)
And I'm especially loving not working on Windows boxes.
Seems like the uIP embedded TCP/IP stack would be ideal for this, as it is very small and portable. Also, it apparently already has been ported to and run on laptop keyboard microcontrollers. How about that kind of sniffer virus!
... a new worm installs a network sniffer ... it kind of makes me wonder why it took this long.
What's new about that?
Network sniffers installed on compromised machines is the ENTIRE REASON DMZs were invented - so the network sniffer can only sniff the DMZ, not the LAN behind the second packet-filtering router/bridge.
DMZs have been standard practice for over a decade. If there's anything new about this, it's just that it's the first time a worm in the wild has been identified as installing a sniffer.
But that's hardly surprising. The explosion of professionally-engineered worms is quite recent, as is consumer-level deployment of multi-machine LANs behind firewall+NAT appliances. (I'd expect packet-sniffing cracks aimed at businesses to be more targeted rather than worm-style scatterguns, if only to reduce their chances of discovery.) Seems to me the time became ripe JUST NOW for general deployment of a sniffer-installing Microsoft-exploiting worm.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
People have always been asking "why haven't you put X feature into the software?" It's because the lazy virus writers, who get paid for some ungodly reason, kept on saying "hey, it's open source, someone else implement it." Geez, I thought if anyone could explain why development doesn't get done, it would be you CmdrTaco.
I'm surprised no one has written a virus that uses unused sectors on the hard drive, and makes modifications to the MBR and partition table.
I know there are programs out there that do this now, but they are not widespread... hopefully they will never be
Cybie! aka Ralph Bonnell
We could all be doooooooomed!
So where are these worms sticking all this great data they are sniffing? Wouldn't that tend to leave a trail right to the naughty people who made it?
I Am My Own Worst Enemy
And regarding another thing, how come so many services require a certificate (such as SSL with email, imap, pop, etc) rather than auto-negotiating it like SSH does?
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Cannot check this right now, but wouldn't it be possible to write a Windows executable that writes to the HOSTS file? The file is at a known location, and couldn't you add a line to redirect msn.com and yahoo.com to your own site?
Seems like a fairly simple exploit.
This is strange - I found a bling.exe on a Windows machine at work a while ago, as it was spewing out 445 if I remember rightly - several weeks. I searched for info on it, and I didn't find anything, which I thought was strange.
I think I must have got hit by an early-adopter version.
Get your own free personal location tracker
He was probably accurate using "packet".
Yeah, I think it is called linux.
WARNING: Viewing This Sig May Cause Blindness.
And it's the same with worms. Rather than hand-coding them in assembly to get them in under 1000 bytes (or whatever) they can now be developed with good tools, useful libraries, and they can have all kinds of extra functionality built in. So expect worms with more features as we go along.
It's time to really start thinking about security-by-design. VM systems like Java, or capability-based systems like EROS are the way we are going to finally squish these worms. I'm so tired of helping relatives with anti-virus software. There shouldn't be anti-virus software. Operating systems shouldn't allow viruses and worms to exist. Security problems like this are not an inherent part of software.
Where does the sniffer send its data to? For someone to benefit from the data, they need to access it. So why don't people follow the data and find out who wrote it?
Come and say hi. http://forum.penpals.com/index.php
Dear Worm Writers,
Please create a worm that will actually destroy the user's hard drive, that way at work when they call up I can tell them it's a hardware problem and we do not support that. Also it will teach everyone a valuable lesson in running Windows Update and enabling their firewalls.
Thank you
Student worker @ University Helpdesk
At least how I would do it would be to create all sorts of webpages on free servers. Or maybe trade the data on P2P networks. www.geocities.com/James_Sager_PA
God spoke to me.
Yea, actually, a lot of the time the virus writers DO email them to the different antivirus companies. Having your virus added to the weekly virus definition files is part of their bragging rights.
Do you really think there are 55,000 viruses in the wild?
Yea yea, I worked for symantec for a couple of years.
This reminds me, I'm in the process of building a new pc and want to get the opinion of the shack collective on what is the best antivirus software.
I've looked everywhere, and TrendMicro's PC-Cillin, McAfee AV, and Norton AV all seem to rank high. Is any one of these really better than the others? Have I left the best one off my list?
Obviously finding virii is paramount, but a low footprint is also welcome.
Thanks!
Go here for teh [sic] funny.
Yes, that would be really easy with NTFS. And of course there's shitloads of space around the MBR.
Mmmm, cos that would prevent the key stroke logger from working. It's probably more dangerous if you are using SSL, as you will have that warm fuzzy feeling that all is well, and you'll tap away all your privatest things.
Bad encryption is worse than no encryption.
Get your own free personal location tracker
A lot of /.'ers have pointed out that most networks are switched nowadays; however, there are still plenty of networks out there that aren't.
Every mid-level enthusiast home network I've known was just running a dumb hub, and I'm also familiar with a university that ran hubs per floor in the dorms (you couldn't get floor 8's data on floor 9, but as for everyone on floor 9...). This worm still has a plenty big playground.
If other reasons we do lack, we swear no one will die when we attack
why do you hope so?
:D
it can be hacked by anybody and chinese hackers are not better or worse than anybody.
This reminds me, I'm in the process of building a new pc and want to get the opinion of the shack collective on what is the best antivirus software.
Take your pick: *BSD, SuSE, Red Hat...
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Fact - People who refer to computers as "boxen" are idiots.
Especially if it gives warning messages, like:
"It is time to empty the litter box."
or
"Please do your laundry."
or
"Are you really sure you want to eat that leftover pizza?"
or
"For the love of god, please try deodorant. Any deodorant."
Of course, there are also downsides, like your stash of coke always vanishing.
paintball
I'm waiting for a virus that greps all your documents for each name in your address book.
If a document contains a person's name, email it to them.
I can see it now, salary spreadsheets and confidential memos flying around to the very people who are not allowed to see them...
your sickening cavalier arrogance
Dude, it's a joke. Lighten up.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Good times, good times...
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
I'm still looking forward to a mutating evolutionary worm
With the current number of interconnected computers we would be handling a very large population, that could be almost unstoppable if evolving correctly
How does it normally spread? .. or its variants??
What Windows vulnerabilities is it using?
Is it an email attachment? What is the attachment called?
For christ sake...
Love, Zaq
2004-09-13 18:56:06 Virus 'talks' to victims (Index,Security) (pending) :)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Banking info is going to be using SSL. Sniffing SSL traffic isn't going to get you any interesting data. It would be better to use an old-fashioned key logger.
The most interesting part of this virus is the ability to easily intercept IM and e-mail conversations. I think its killer app would be identity theft rather than credit card or banking fraud.
Now we established the worm sniffs out sensitive data, but does it leave a trace of the IP this said data goes to? I mean it has to get to the worm owner somehow to be useful. If it does leave a trace, I say we find the fuxxor and cause a scene worse than being in a Turkish prison!
Perhaps it took this long because the bad guys were busy installing keystroke recorders so that they could defeat encrypted network traffic. Also, switched networks help keep the impact of the sniffing to the infected computer -- unless the network terminates at an infected computer -- thus making this less of a threat to large organizations using 100% switched networks...
-- @rjamestaylor on Ello
I vote for Norton, but that's probably because it's what I've used for a long time. McAfee tends to run background scans (at least in implementations I've seen) while Norton runs in the foreground. Obviously, both do realtime protection as well, but I prefer foreground virus scans that I can schedule when I'm not using my computer, like at 3:37 am.
CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
I expect version 2.0 will do ARP poisoning.
Un-encrypted as in NOT encrypted
The wording should have been more clear.
Like boot sector viruses? You know, back in the days when everybody booted from floppies, all viruses were of that kind. I have a few of those lying around somewhere ... for the Commodore-Amiga.
This means the only traffic the sniffer is likely to see is traffic destined to arrive at the infected host anyhow.
Yes, but it is possible to trick a switch with arp & mac spoofing into sending you traffic that should go somewhere else.
Most unmanaged switches can be fooled. Many (most?) managed switches can prevent this.
Parent isn't flamebait. Ever try removing the GRUB bootloader? It's impossible.
Support the First Amendment. Read at -1
Caviller dude, not cavalier. Very different meaning.
Why your switched network isn't secure.
>but a low footprint is also welcome.
NOD32
I imagine pretty much every virus scanner watches the MBR like a hawk and warns you if something tries to modify it. It's even built into the BIOS on some machines.
I'm still waiting for a virus that installs Linux on the target machine. It could import the user's settings from Windows and install the equivalent software. In fact the user probably wouldn't even know anything had happened.
Back Orifice was always a sniffer trojan. There have been many others. Attacks that install sniffers and attacks that install keyboard loggers have both been going on for years.
I don't remember the particular worm, but there were a bunch that looked for telnet and ftp sessions and then watched for the username/password transactions.
It's old hat.
That bigger trojans are now practical across larger bandwidth allows for more fully-featured exploits is evolutionary not revolutionary.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
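What a sniffer of the kind described above actually pulls out of telnet/FTP/POP3-style sessions, and out of HTTP Basic auth, as an added example. This is not the worm's code and not any poster's; the "captured" payloads, addresses and logins are constructed here so it runs offline, and on a real network the same logic would sit behind a pcap reader.

```python
"""Pull cleartext logins out of captured TCP payloads.

Added example for this thread; not the worm's sniffer and not any poster's
code. The "captured" flows below are constructed (assumed addresses and
credentials) so the module runs offline.
"""
import base64
import re

USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.IGNORECASE)
PASS_RE = re.compile(rb"^PASS\s+(\S+)\s*$", re.IGNORECASE)
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                      re.IGNORECASE)
# Destination port -> protocol we know how to read. 443 is deliberately
# absent: TLS traffic yields nothing to a passive sniffer.
PORT_PROTO = {21: "ftp", 110: "pop3", 80: "http"}


def _credential(proto, flow, user, password):
    return {"proto": proto, "client": flow["src"], "server": flow["dst"],
            "user": user, "password": password}


def extract_credentials(flows):
    """flows: iterable of {src, dst, dport, payload(bytes)}. Returns logins found."""
    found = []
    for flow in flows:
        proto = PORT_PROTO.get(flow["dport"])
        if proto is None:
            continue
        pending_user = None          # FTP/POP3 send USER then PASS on separate lines
        for line in flow["payload"].split(b"\r\n"):
            if proto in ("ftp", "pop3"):
                m = USER_RE.match(line)
                if m:
                    pending_user = m.group(1).decode("latin-1")
                    continue
                m = PASS_RE.match(line)
                if m and pending_user is not None:
                    found.append(_credential(proto, flow, pending_user,
                                             m.group(1).decode("latin-1")))
                    pending_user = None
            elif proto == "http":
                m = BASIC_RE.match(line)
                if not m:
                    continue
                try:                 # Basic auth is just base64("user:pass")
                    decoded = base64.b64decode(m.group(1), validate=True)
                except ValueError:
                    continue
                user, sep, password = decoded.decode("latin-1").partition(":")
                if sep:
                    found.append(_credential(proto, flow, user, password))
    return found


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 21,
     "payload": b"USER alice\r\nPASS hunter2\r\nSYST\r\n"},
    {"src": "10.0.0.6", "dst": "10.0.0.10", "dport": 110,
     "payload": b"USER bob@example.test\r\nPASS s3cret\r\nSTAT\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.11", "dport": 80,
     "payload": b"GET /intranet/ HTTP/1.1\r\nHost: intranet.example.test\r\n"
                b"Authorization: Basic "
                + base64.b64encode(b"carol:password123") + b"\r\n\r\n"},
    {"src": "10.0.0.8", "dst": "10.0.0.12", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x9a\x01\x00\x00\x96\x03\x03"},  # TLS hello
]

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_FLOWS):
        print(cred)
```

The HTTPS flow produces nothing, which is the whole point of the "get serious about encryption" advice elsewhere in the thread: the sniffer only wins against protocols that put the password on the wire in the clear.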
Um ... I THINK that was an attempt at humour ... HACKED BY CHINESE was the tagline appearing on web servers infected with Code Red ... IIRC, that is.
And it would do this how, considering that any bank in the world using online account stuff also uses SSL?
Please help metamoderate.
What are you trying to replace it with?
Windows 95/98: fdisk
Windows XP: from a recovery console, use fixmbr
Linux: if you want to completely remove it: dd if=/dev/zero of=/dev/hda bs=512 count=1
There are some viruses that already exploit the HOSTS file and block anti-malware websites, among others. Google for it.
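A check for both HOSTS-file tricks raised above (redirecting well-known sites to an attacker's address, and pointing anti-malware update sites at the loopback so updates never arrive), as an added example, not code from the page or from any vendor. The domain lists and the sample file contents are assumptions constructed here for illustration; the default Windows path is the only real-world value used.

```python
"""Audit a HOSTS file for hijacked and sinkholed entries.

Added example for this thread, not a poster's code. HIGH_VALUE_DOMAINS and
SECURITY_DOMAINS are illustrative guesses, not a vendor list; SAMPLE_HOSTS is
constructed.
"""
import ipaddress

HIGH_VALUE_DOMAINS = {"msn.com", "www.msn.com", "yahoo.com", "www.yahoo.com",
                      "windowsupdate.microsoft.com"}
SECURITY_DOMAINS = {"windowsupdate.microsoft.com", "update.symantec.com",
                    "liveupdate.symantecliveupdate.com", "download.mcafee.com",
                    "www.trendmicro.com", "www.f-secure.com"}
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"   # default location


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)       # skip lines that are not a mapping
        except ValueError:
            continue
        for name in names:
            yield addr, name.lower()


def audit_hosts(text):
    """Return findings as (kind, hostname, address) tuples, in file order."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in SECURITY_DOMAINS and addr in SINKHOLE:
            findings.append(("update_blocked", name, addr))     # AV can't update
        elif name in HIGH_VALUE_DOMAINS and addr not in SINKHOLE:
            findings.append(("redirected", name, addr))         # sent elsewhere
    return findings


def audit_hosts_file(path=WINDOWS_HOSTS):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample: a clean header plus lines a dropper might append.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# below: what a malicious dropper might append
192.0.2.44      www.msn.com msn.com
192.0.2.44      www.yahoo.com
127.0.0.1       update.symantec.com liveupdate.symantecliveupdate.com
0.0.0.0         download.mcafee.com
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Run `audit_hosts_file()` on a Windows box to check the live file; the example keeps the parsing and the judgement separate so the same logic can be pointed at `/etc/hosts` too.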
would be if, say, after 8 straight hours of SOF2, (I've done it too) the sniffer would send a desktop message like, "I am your sniffer. Jon, you stink. Put the game down and take a shower. Oh, ok, just one more game." That would be great.
"Patience is not a virtue, it's a waste of time."
You did remember to save your MBR before you overwrote it, right?
Set the block size to 446 if you don't want the partition table. Now you can restore the MBR with:
Again, set bs to 446 if you didn't save the partition table. If you want to create a new Windows MBR, try one of the following:
On Windows 95/98/ME use a boot disk, and then type:
On Windows 2000/XP boot the OS CD, select "recovery console", and type:
Show me on the doll where his noodly appendage touched you.
While background scans appear useful, any good virus in the future is going to disable the antivirus software as it is installed, or otherwise evade detection indefinitely. I mean, if it wasn't caught initially, what's going to catch it later after it has control of the computer?
Saskboy's blog is good. 9 out of 10 dentists agree.
Switched LANs still don't prevent overall network sniffing. ARP poisoning still works like a charm. Here's how it works:
1) Send the computer you wish to sniff's MAC address as your own to the switch.
2) Now route all traffic you receive with spoofed source addresses to the target machine, so it thinks the data came from the switch....
3) Enjoy sniffing on a switched LAN.
There are programs to do this... I'll let the kiddies find them themselves.
Sometimes the majority just means all the morons are on the same side.
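The detection side of the ARP poisoning that this post and the "arp & mac spoofing" reply above describe, as an added example; this is not the worm's code and not any poster's. It builds a few ARP replies in the RFC 826 wire format from constructed, assumed addresses (so it runs offline, no capture library), then watches the sender fields the way arpwatch-style tools do: an IP whose MAC changes, or one MAC answering for several IPs, is the poisoning signature.

```python
"""ARP-poisoning detector over raw ARP reply payloads.

Added example for this thread; not the worm's code and not any poster's.
Frames are constructed below from assumed addresses; on a real network the
payloads would come from a pcap reader (not included).
"""
import socket
import struct
from collections import defaultdict

ARP_HEADER = "!HHBBH"        # htype, ptype, hlen, plen, oper (RFC 826)
ARP_REPLY = 2
ARP_PAYLOAD_LEN = 28         # Ethernet/IPv4 ARP body


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build the 28-byte ARP body of a reply (what a poisoner would send)."""
    return (struct.pack(ARP_HEADER, 1, 0x0800, 6, 4, ARP_REPLY)
            + mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
            + mac_to_bytes(target_mac) + socket.inet_aton(target_ip))


def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_PAYLOAD_LEN:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack(ARP_HEADER, payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, bytes_to_mac(payload[8:14]), socket.inet_ntoa(payload[14:18])


def detect_arp_spoofing(payloads):
    """Flag IPs whose claimed MAC changes and MACs that claim several IPs."""
    macs_for_ip = defaultdict(list)   # ip -> MACs in order of first sight
    ips_for_mac = defaultdict(set)    # mac -> every IP it has claimed
    alerts = []
    for payload in payloads:
        parsed = parse_arp(payload)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue                  # only replies poison caches here
        _, mac, ip = parsed
        ips_for_mac[mac].add(ip)
        if mac not in macs_for_ip[ip]:
            if macs_for_ip[ip]:       # a second MAC now answers for this IP
                alerts.append(("ip_mac_change", ip, macs_for_ip[ip][0], mac))
            macs_for_ip[ip].append(mac)
    for mac, ips in sorted(ips_for_mac.items()):
        if len(ips) > 1:              # one NIC posing as several hosts
            alerts.append(("mac_claims_many_ips", mac, tuple(sorted(ips))))
    return alerts


# Constructed sample traffic (assumed addresses, not from the article).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
ATTACKER_MAC = "cc:cc:cc:00:00:99"

SAMPLE_REPLIES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply("aa:bb:cc:00:00:30", "192.168.1.30", GATEWAY_MAC, GATEWAY_IP),
    # Poisoning: the attacker's NIC answers for the gateway and for the
    # victim, so each side's ARP cache now points at the attacker.
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

Managed switches that do dynamic ARP inspection stop this at the port; on the unmanaged gear the thread talks about, a host-side monitor like this (or static ARP entries for the gateway) is what you have left.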
We need a MS platform for interoperable virii. What if a machine is infected with multiple competing virii - there needs to be a middleware to arbitrate the flood requests, the MAPI calls, and the registry accesses. And what if the virii authors try to use the same registry locations to get their exploits to run at bootup.
.IOWNYOUR.NET technologies.
I think a new Virus API - VAPI32 is required. Maybe introduced into the
Virus: "Shall we play a game?" User: Yes, let's play global thermo-nuclear war
http://shit.slashdot.org/article.pl?sid=04/09/13/2024234
Uh, what?
Linux: if you want to completely remove it: dd if=/dev/zero of=/dev/hda bs=512 count=1
Please don't do that. You'll nuke your partition table.
Reference
--Phillip
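Why `bs=512` nukes the partition table while `bs=446` does not, worked through on the actual MBR layout, as an added example for the `dd` exchange above (the save/restore post and this reply). It is not a poster's code and never touches a disk: the sector is modelled as a byte string, the layout constants are the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature at offset 510), and the partitions themselves are constructed.

```python
"""What `dd ... bs=512 count=1` versus `bs=446` does to a master boot record.

Added example for this thread, not a poster's code. Works on a byte string,
never on /dev/hda; the sample partitions are constructed.
"""
import struct

SECTOR = 512
BOOT_CODE = 446              # boot code occupies bytes 0..445
TABLE = 446                  # partition table starts right after it
ENTRY = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, count


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba, count) tuples."""
    boot = boot_code[:BOOT_CODE].ljust(BOOT_CODE, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\xff\xff\xff", ptype,
                    b"\xff\xff\xff", lba, count)   # CHS fields unused, LBA only
        for status, ptype, lba, count in partitions)
    return boot + table.ljust(4 * ENTRY, b"\x00") + SIGNATURE


def parse_partition_table(sector):
    """Return the used entries, or None when the sector is not a valid MBR."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        return None
    entries = []
    for slot in range(4):
        off = TABLE + slot * ENTRY
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT,
                                                        sector[off:off + ENTRY])
        if ptype != 0:                            # type 0 means an empty slot
            entries.append({"slot": slot, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def dd_zero(sector, bs, count=1):
    """Model `dd if=/dev/zero of=<disk> bs=<bs> count=<count>`."""
    n = min(bs * count, len(sector))
    return b"\x00" * n + sector[n:]


def dd_restore(sector, backup):
    """Model `dd if=<backup> of=<disk>`: overwrite the first len(backup) bytes."""
    return backup + sector[len(backup):]


# Constructed sample: a bootable NTFS-type partition and a Linux-type one.
SAMPLE_MBR = build_mbr(
    b"\xfa\x33\xc0\x8e\xd0" + b"FAKE BOOT CODE",   # placeholder, not real code
    [(0x80, 0x07, 63, 20_480_000), (0x00, 0x83, 20_480_063, 10_240_000)],
)

if __name__ == "__main__":
    print(parse_partition_table(dd_zero(SAMPLE_MBR, 446)))   # table survives
    print(parse_partition_table(dd_zero(SAMPLE_MBR, 512)))   # None: table gone
```

The two `dd_restore` cases in the test are the caveat: a 446-byte backup puts the boot code back but not the table or the signature, so a full 512-byte backup is what you want before zeroing anything.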
Can you say BIRTH TAX
I'm'a make one that says "Hello, Dave. Shall we continue our game?" and then shuts the computer down.
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
...and counts how many times you type the word "Playboy", "Osama", and sends the info off to the illuminated ones.
Haven't they had this for a few years now?
I'd have to recommend AVG. It's free for home use, and so are the (daily) virus definitions. You can set it up to download the latest definitions and do a full scan at any time of day. It comes with some more advanced stuff, like inbound/outbound email scanning, which I've disabled but some folks might like.
You're right. The latest and greatest virus are going to disable just about any useful AV once the virus gets loaded into memory. However, file system scans are still useful for detecting virii that may be dormant on your system. Have you ever copied a file and not immediately opened it?
CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
My vote is for Sophos. Small footprint. Aren't pissed they aren't MS (a la Norton), don't add a lot of crap to their program (a la McAfee).
Saved my ass more times than I can count.
You can beat keystroke loggers by entering your password a few letters at a time in random order, using the mouse to place the cursor at the correct location in the half-finished password. I don't think there's a keystroke logger that is able to work out where you clicked in the password entry box.
Cumbersome, but it's something I do on untrusted computers like the ones in web cafés.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I'm still waiting for a worm that installs Linux on the infected computer.
Propagation:
Scan random IP addresses, use multiple Windows exploits, etc. This part has been done a thousand times before, no need to reinvent the wheel.
Payload:
1. The worm itself
2. Grub for Dos
3. The contents of a network install disk
Behavior:
1. Upon infection, the worm will install Grub for Dos, and copy the contents of the network boot disk into c:\boot, but will not modify the boot.ini file.
2. The worm process will run in the background, and attempt to propagate itself.
3. At a predefined interval, the worm will pop up a window that says: "Your computer has been infected by the so-and-so worm. To install Linux and prevent this from ever happening again, click OK." (This worm should be socially responsible. We don't want to force Linux on the masses, just gently persuade them using Windows lack of security as a tool.)
4. Continue to propagate as long as the user clicks "Cancel".
5. When the user clicks "OK":
5a. ping a mirror list to find the fastest mirror
5b. write a kickstart to the boot directory to use that mirror.
5c. modify the boot.ini file to boot Grub.
5d. reboot the machine, and it shall be cleansed!
This is incorrect information. Yes, they only route between the inside and outside, that's normal behavior. However, the four ports on the inside could be a hub, but are more likely an unmanaged switch. All the manufacturers advertising switches in their routers (dlink, linksys, smc, belkin, etc.) DO SWITCH. As others have mentioned switch!=hub!=router.
Mod the parent down and find something really informative to mod up.
I don't use Windows!
The MP3 downloading virus is going to come out.. er .. I mean "I think I have an MP3 downloading virus"
Join the Slashcott! Feb 10 thru Feb 17!
This is correct information, the GRANDPARENT is INCORRECT.
AVG if you're cheap, or NOD32 for some dollars. Both are very low on footprint, and NOD32 has one of the best detection rates around. NOD also has one of the only interfaces that doesn't suck. *cough* kaspersky *cough*
:-)
McAfee is slow, and Norton is equally as bad unless you get the corporate edition. Of course, most of the AV companies provide trial versions, so be sure to give a bunch of them a try (NOT all at once) and pick whichever YOU believe is the best one.
nVIR on the early Macintoshes would use the Macintalk speech engine to say "Don't Panic". One source says nVIR got discovered in January 1987.
Avast is very good. You may like the cost. Other than that Panda is the best. McAfee/Norton are getting worse as they expand their product line.
would you like to
Get a free ipod.
[secure@root ~]$figlet dont_peak.txt | figlet
symmetric figlet encryption... never defeated.
Oh, and sure, I use tcsh- wanna make somethin' of it?
At least in the eyes of my clients.
Two words: Limited Users.
Two more words: Hardware Firewall.
I know, -1 redundant, -1 overrated, -1 troll. Guess what, folks? They work.
These things combined stop every virus, worm, trojan, spy ware, key logger, etc etc etc on company networks. Add to that attachment blocking in Outlook and macro blocking in Word and Excel, all included since MS Office 2000, and I don't waste client time dealing with garbage from the net.
Use Evolution instead of Outlook? Bewa
You need Girlfriend 1.0. A word of warning though. Upgrading to Wife 1.0 is a very expensive decision.
These posts express my own personal views, not those of my employer
I expect they will make a hell of a techno song using samples from that .wav sound bite soon :)
Previous work from LMOM includes the famous All Your Base song, and The Terrible Secret of Space. Here is the ICQ prank that started it.
That probably helps PHBs a lot now that they have an excuse for making bonehead decisions.
PHB's boss: What were you thinking! Do you know that it's not possible for the mass to be a complex number!
PHB: Ummm... virus??!?
PHB's boss: OK. How about a raise?
Never did see the point in announcing that you have just infected a pc.
..
That gives the victim a chance to clean
---- Booth was a patriot ----
"How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye"
AMAZING. The first virus that has the capacity to destroy not only the victim's computer, but his BRAIN as well. I swear, these guys need to start hiring professional comedians to do their dirty work, or we're all screwed.
You need a FREE iPod Nano
If you're using Linux, just run and look for the string "PROMISC".
If, however, you're using Windows, you need to get a utility called PromiscDetect. Run it from a command prompt. If it indicates the Directed, Multicast and Broadcast filters are active, then you're probably OK.
Source: Computerworld
This sig is umop apisdn.
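The Linux half of the check above, as an added example (not a poster's code): it parses the interface flag list as printed by `ip -o link show` and by the newer `ifconfig` output style, and also reads the raw `IFF_*` bitmask that the kernel exposes in `/sys/class/net/<iface>/flags`, where promiscuous mode is the 0x100 bit. The sample command output is constructed; only `live_promiscuous()` runs a real command.

```python
"""Find Linux interfaces in promiscuous mode.

Added example for this thread, not a poster's code. SAMPLE_* strings are
constructed stand-ins for command output; IFF_PROMISC is the value from
<linux/if.h>.
"""
import re
import subprocess

IFF_PROMISC = 0x100          # bit set in /sys/class/net/<iface>/flags
# Matches "2: eth0: <FLAGS> ...", "5: veth0@if6: <FLAGS> ..." (ip link) and
# "eth0: flags=4419<FLAGS> ..." (ifconfig). Leading-space lines never match.
FLAGS_RE = re.compile(
    r"^(?:\d+:\s+)?([A-Za-z0-9._-]+)(?:@\S+)?:\s+(?:flags=\d+)?<([A-Z_,-]*)>")


def promiscuous_from_link_output(text):
    """Return interface names whose flag list contains PROMISC."""
    found = []
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def flags_is_promisc(flags_text):
    """Interpret the hex value read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def live_promiscuous():
    """Run `ip -o link show` on this host and report promiscuous interfaces."""
    out = subprocess.run(["ip", "-o", "link", "show"], capture_output=True,
                         text=True, check=True).stdout
    return promiscuous_from_link_output(out)


# Constructed sample output (not captured from a real machine).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: veth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default\\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
"""

SAMPLE_IFCONFIG = """\
eth1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
"""

if __name__ == "__main__":
    print(promiscuous_from_link_output(SAMPLE_IP_LINK))    # ['eth0']
    print(promiscuous_from_link_output(SAMPLE_IFCONFIG))   # ['eth1']
```

Caveat worth keeping in mind: a sniffer that only wants traffic addressed to the infected host (the switched-network case argued about above) never needs promiscuous mode, so an empty result rules out a promiscuous capture, not a sniffer.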
Those were the days. The kids these days, they have no style, no artistry, no sense of the absurd.....
"It is a greater offense to steal men's labor, than their clothes"
From MS:
By default, software-enforced DEP only protects limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
--
I'm guessing MS runs its own software NX because it knows what memory these system binaries should and shouldn't be using. So even if it worked for DCOM/RPC it probably wouldn't work with the SQL server hole.
Hardware DEP is a whole different story.
Short and sweet thread on DEP here.
Actually, you can enable software DEP for all programs. There's a button you can click on in system properties under advanced. Might be fun playing with to see if it breaks anything. Might be good to leave on if it doesn't.
Someone wants to talk to me!
Can you set it up to auto-update these days? That was my biggest gripe with it last time I tried it out; I always had to manually tell the software to update its definitions.
I sent you this file to have your advice.
Nuff said.
--- Hot Shot City is particularly good.
If you're liberal on the pronunciation of the last syllable, 'hamsi' is also a transliteration for Arabic numeral 5 (which most Turks also know via Islam.) Also the countdown starts with 5. No big significance there either, might as well be a fish.
Tracy Johnson
Old fashioned text games hosted below:
http://empire.openmpe.com/
BT
If you want something for free:
http://www.clamwin.com/
It's not the fastest scanner on the market but it seems comprehensive and in this day and age not requiring registration, etc is a godsend. It downloads new virus definitions periodically and all that.
Mad props to the clamav/clamwin developers. I'd like to very humbly state "Keep up the *great* work... you guys rock"
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
Does this affect Athlon 64 systems with No Execute enabled?
Macintosh user since 1997. Not one virus problem, ever. Bad RAM, flaky CD drive, broken floppy drive, half-dead monitor, blasted speaker, toasted modem, yeah - but no virus problem at all! Now, come to think about it, that old 6500/225 lasted quite a bit...
Circumcision is child abuse.
On several computers, I have noticed this worm starts as "Microsoft Personal Firewalls = bling.exe". How obvious is that?
delpart completely cleans off GRUB. After writing the partition table, I'd run delpart again to make sure it's clear.
Why doesn't someone write a virus to destroy other viruses? Maybe hackers could have wars with each other's viruses instead of deleting my important data (porn).
Perhaps organized crime could benefit from this, but in most cases electronic abuses when it comes to fraud/extortion etc seem to face a harsher penalty. I'm not too worried about criminals as much as I am a more driven and dedicated set of humanity.
I would fear fanatics. Punishment is not necessarily even considered by a driven individual. If there was a file corruption worm on the scale of Code Red/Blaster the cost could escalate from the tens of millions to the billions quickly. Anarchists, extremists, and environmentalists often try to destroy property to equate a cash cost for organizations for their wrongdoings.
Heh, picture the credit agencies all exploding at the end of fight club.
Can I wash your Windows for you? Would you like me to wipe your screen for you? Do you want me to clean out your cache register? Let me dust your disk drives today? Would you like me to clean up your s&g checker?
""Hamsi" is a small fish, like an anchovy, found in the Black Sea)"
Fish still live in the Black Sea?
"Waste not one watt!" - CZ
Well, there are some that already mail local documents/mails to whoever is in your address book. The documents are taken from the Windows "My Documents" folder for example.
I've always regarded the ones that do this as the most dangerous, as your personal privacy is at risk. Consider how this can be an easy and sure way to get out of the closet if you're gay? How about sensitive company data?
Getting your machine hosed by a virus is one thing (you probably have a backup?), but having your data made public? How do you restore that?
Something to keep in mind when weighing the risks and estimating the potential damages.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
What I'm waiting for is a virus that replicates the front end of major scanners. Everything looks fine, no viruses found, etc.
Or an implementation of the Curious Yellow whitepaper.
Not a sentence!
Would cable modems or ADSL connections be vulnerable to the sniffing at the local connection?
Please take this opportunity to call your local District Attorney and request that his office begin prosecuting computer tampering cases. In most states, each instance of the installation of a worm on a machine carries a criminal sentence of 1-3 years in prison. These are serious felony crimes that can be prosecuted in state and federal court.
One spammer, caught with a list of zombie PCs and evidence he has been using these PCs could be sent to jail for a long time IF the authorities would get off their asses and start prosecuting these cases.
Anyone in law enforcement needs to do nothing more than set up an unpatched copy of Windows and wait 30 minutes to catch someone, then start documenting who exploits their systems and nail them.
The first time someone goes to jail for this, we'll see a major drop in the propagation of these worms.
We all know this activity is mainly being perpetrated in the US by US citizens. They may be contracting with Indians and foreigners for design work, but their tracks can be traced. We all know it - explain this to the DA and the Federal Attorneys we want these cases prosecuted. Right now they blow off these cases.
Call your District Attorney and let him know that you will not tolerate the apathy they've exhibited towards bringing these criminals to justice.
...but a caterpillar?
JeR
"How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea). F-Secure has a copy of the sound file generated by the message."
:-)
I know my Turkish isn't great, but I've been there on holidays enough to know that the pronunciation of "Gule Gule" was hysterically awful. Come to think of it, the English was pretty poor too
It reminds me when, at Uni', we used to try to put "The Hunting of the Snark" through an early voice synthesiser. It made an absolute mess of the job.
Open Source Software
Just a slight nitpick, the icon/image that's used for the "Worm" stories is in fact a caterpillar and not a worm.
I guess this might lead to new types of security threats. You get infected by a caterpillar (like some parasitic wasps) and it eats your PC from inside until it cocoons (or not) and emerges out of your PC into the rest of the world as a wasp/butterfly (e.g. screen saver?).
Hmmm...
It's a real good way to advertise our country. Even while we break tourism records...
Ilgaz
Istanbul
Yeah, does it by default every 15 days or so. I've been using it for a couple years (3?) and don't recall ever having to do it automatically.
The freeware files are damn near impossible to find on their site though - google for "avg freeware". Their latest version is a bit bloated too, the older ones tend to be better.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Well, it could be worse.
Did I ever tell you about the man who taught his asshole how to talk?
a horrible place
Type the phrase into a text-to-speech encoder. "turkiye" is pronounced "turkey." If you use Text-to-Speech for any length of time (especially in ambiguous English) you end up having to do a LOT of substitutions so that things sound correct.
I guess the motivation for writing these things has changed or something. I don't understand the mentality, but apparently it's not about being destructive these days. There were some truly evil old-school MSDOS viruses, i.e. fumble and dbase.
Maybe all the "talented" guys are actually making money from their spambots, and don't want to kill the goose that lays the golden egg or something. Still, it would only take one anarchist, I'm amazed it hasn't happened yet.
which is also known as "breaking the system".
If something works fine and you install Service Pack X and it doesn't work anymore then Service Pack X BROKE the system. It fucked something up that was working fine and I believe even Merriam Webster defines that as broken.
Dream as if you'll live forever.
Live as if you'll die tomorrow.
~Anonymous~
Completely remove.... means... COMPLETELY REMOVE.
99% of the time when you're trying to get rid of Grub, you've already decided that you don't want to use Linux. This would make your drive perfectly suitable to run Windows again.
Every time I've heard someone complain about Grub not disappearing was after removing their Linux installs and trying to re-install Windows, while finding that Grub still wants to load.
Parent was a joke, not flamebait. I know "funny" and "flamebait" both start with "f", but please moderators, look closely at the mod you're choosing from the drop down box.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
While Slashdot continues to post more and more stories about malware outbreaks, why not stop said outbreaks 'for good.'
Once this is done, something can be done about malware sent via TCP/IP connections and not by email. Properly configured and resilient firewalls will stop these attacks leaving only unprotected computer systems to be compromised. In the past, it has been suggested that internet users who have their 'b0xen 0wned' like this are placed in a 'sandbox' when they go online after their system is compromised. All that would be available to them would be a tiny sandbox version of the internet containing webpages, email messages, and usenet posts that alert the user that their system has been compromised and tell them to fix the problem before they go online for real again.