Slashdot Mirror


New Worm Installs Sniffer

fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T : More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built into Windows XP) to deliver a curious message to infected users. The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea). F-Secure has a copy of the sound file generated by the message."

37 of 491 comments

  1. Non-malicious worms by MisterP · · Score: 4, Insightful

    "When I read these things it kind of makes me wonder why it took this long."

    I often wonder the same thing. With all the different worms that infect unpatched Windows machines, why hasn't someone written one that effectively deletes everything on the machine just short of rendering itself unable to propagate?

    1. Re:Non-malicious worms by Anonymous Coward · · Score: 2, Insightful

      Like any good natural virus, it wants to remain as long as possible so that it may continue spreading. If it deletes noticeable things, people will take action to remove it. If it stays mostly hidden, just spamming/monitoring/etc and spreading, it will be far more successful.

  2. Scary by StevenHenderson · · Score: 3, Insightful

    Personally, I find this scary as shit. I think virii like this are going to be the reasons to compel a lot of middle-ability users to switch to Linux. Hell, I might cast off Windows now once and for all...

    1. Re:Scary by DogDude · · Score: 3, Insightful

      Personally, I find this scary as shit. I think virii like this are going to be the reasons to compel a lot of middle-ability users to switch to Linux.

      The only thing that Linux has got going for itself right now is security through obscurity. If Linux ever becomes popular as a desktop platform, I'm willing to bet my life that we'll start seeing worms targeting it, too.

      --
      I don't respond to AC's.
    2. Re:Scary by Greyfox · · Score: 3, Insightful

      Yeah, but the average user doesn't care about security. If they did, they'd have actually run Windows update and patched their systems against the vulnerabilities that this worm exploits. Same said users would move over to Linux, never patch their systems and have their systems taken over the next time a remote exploit is found.

      In fact, the average user either got a copy of Windows with their computer and never upgraded it, or they pirated a version of Windows and are not able to download updates. They always say the same thing too. "Oh, I'm just one computer out on the net! They'd never notice my computer out there!"

      That's why I think Internet usage should require a license. If you connect to it without knowing what you're doing, you're putting everyone in danger. Potentially at least as much danger as broadcasting on a ham radio without knowing what you're doing.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:Scary by SCHecklerX · · Score: 2, Insightful

      Nowadays, most Linux distros ship with most services disabled by default, with the option of enabling iptables as part of the install. True, there could be a daemon that could propagate a worm, but it is not as likely to be running on an end user workstation.

      Compare this to Windows, which has no easy way to disable DCOM, RPC, and such.

  3. Re:How much longer? by einhverfr · · Score: 3, Insightful

    I think it took this long because it took this long for viruses to become a tool of organized computer crime. Stay tuned for more.....

    --

    LedgerSMB: Open source Accounting/ERP

  4. Use of switches? by chrispyman · · Score: 2, Insightful

    Since it's pretty rare these days to see a computer attached to a hub (vs a switch), and it's also unlikely to see a Windows-based router, wouldn't this make the worm's payload only applicable in most cases to the computer that gets infected? Also, I note it spreads through several other well-known exploits, and you'd think people would have realized to patch and clean up against these after MSBlast and Nimda.

  5. Re:What if someone made a worm that just........ by Anonymous Coward · · Score: 1, Insightful

    ......ran windows update on all infected machines? Would people get pissed?

    Just the ones that have their software/hardware stop functioning due to the updates screwing around with system settings.
  6. A question... by here4fun · · Score: 2, Insightful

    Where does the sniffer send its data to? For someone to benefit from the data, they need to access it. So why don't people follow the data and find out who wrote it?

  7. SSL wouldn't help with a key stroke logger by caluml · · Score: 2, Insightful

    hope-you're-using-ssl-for-everything

    Mmmm, cos that would prevent the key stroke logger from working. It's probably more dangerous if you are using SSL, as you will have that warm fuzzy feeling that all is well, and you'll tap away all your privatest things.

    Bad encryption is worse than no encryption.

  8. the bad one by Clover_Kicker · · Score: 5, Insightful

    I'm waiting for a virus that greps all your documents for each name in your address book.

    If a document contains a person's name, email it to them.

    I can see it now, salary spreadsheets and confidential memos flying around to the very people who are not allowed to see them...

    1. Re:the bad one by superpulpsicle · · Score: 1, Insightful

      Well if it's using "grep", then this has to be a unix virus.

  9. As usual these useless virus alerts lack info. by zaqattack911 · · Score: 5, Insightful

    How does it normally spread?
    What Windows vulnerabilities is it using?
    Is it an email attachment? What is the attachment called .. or its variants??

    For Christ's sake...

    Love, Zaq

  10. Why did it take this long? by rjamestaylor · · Score: 5, Insightful

    Perhaps it took this long because the bad guys were busy installing keystroke recorders so that they could defeat encrypted network traffic. Also, switched networks help keep the impact of the sniffing to the infected computer -- unless the network terminates at an infected computer -- thus making this less of a threat to large organizations using 100% switched networks...

    --
    -- @rjamestaylor on Ello

  11. Re:More technical details by AvitarX · · Score: 2, Insightful

    or that they are on dialup and can't keep up (home users, a little under half anyway).

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg

  12. Re:Worms are just like any other software by Anonymous Coward · · Score: 1, Insightful

    Operating systems shouldn't allow viruses and worms to exist.

    How does an OS distinguish between a viral program and a non-viral program? How can you prevent one from executing (or downloading) and not the other?

    The biggest security hole on any system is the user. How do you fix that?

  13. Re:A few points by Amiga+Lover · · Score: 2, Insightful

    It attempts to steal CD keys for some games.

    This was part of my argument for the ridiculousness of a developer making an app delete a user's home directory when a pirated key is found.

    1. user buys shareware. one of the honest 1%, if statistics can be believed.
    2. user loses unique use of the shareware key to worm/keygen
    3. shareware key spreads, and is labelled a pirate version
    4. original user updates their shareware app, shareware app nukes their home folder.

  14. Re:One reason I quit fixing Windows by SilentChris · · Score: 1, Insightful

    "is that it's a never-ending job, when the user is at the keyboard, doing things that I would never do.
    I've been telling my old 'customers' that I'm retired. I then tell them that I will give them support for free for life if they buy a Mac."

    That's funny, because remember that exploit Apple had a few months back: the one where you click a disk image and it automatically ran?

    We have only 4 Mac users, and 2 of them clicked disk images on the net. *2 of them*. Half of the staff. Both got weird variants of a program that basically hosed their Applications directory.

    Now, if my PC users had that batting average (.500), I'd be pulling my hair out. Fortunately, we only have 1 or 2 people do stupid things monthly.

    Mac is really no better, and I think if virus writers actually targeted the thing we'd see an "anti-resurgence". Personally, no OS is secure unless I can see the code.

  15. Re:What if someone made a worm that just........ by still_sick · · Score: 4, Insightful

    ......ran windows update on all infected machines? Would people get pissed?

    Would people get pissed? HELL YES.

    I recall one particularly annoying weekend when my computer DVD player stopped working. Something screwed up or something - whatever it was, the damn video was not being decoded properly.

    Tried everything I could think of. New Drive, New Drivers, endless newsgroup searching, blah blah blah to no avail.

    Then it occurred to me that between the time that my DVD player last worked and then did not, I had installed Win2k SP4.

    So just as a test I went and uninstalled the bastard, everything worked FINE after that - with the original HW/SW configuration.

    So now I'm not installing SP4 because it BREAKS MY SYSTEM - not because I'm unaware of it, or too stupid to install it.

    I don't need nor want some dumbass "I'm smarter than you, and doing this for your own good" 1337 prick trying to install SP4 for me.

    --
    ...Also, I didn't know Buggalo could fly.

  16. Re:One reason I quit fixing Windows by selderrr · · Score: 3, Insightful

    Personally, no OS is secure. Period.

    Your argument against OSX holds against linux/BSD/whatever open source OS. As soon as the number of users reaches critical mass, it becomes "profitable" for virus writers. More so as zombie machines are being used as bulk mailers. And you can bet the farm that in a few years, those zombies will be used for much more stuff than simple spamming. How about al-qaeda brute-forcing entry to a big bank by using 100.000 PCs to crack the password, and then simply start transferring tiny amounts of cash around. It would take days before someone noticed, and by then it would be practically impossible to restore from backup.

    IMHO, the real evil on the net still has to rise. The virii and script kiddies you see today are just the scouts of the first reconnaissance divisions of the army of the black lord.

  17. Re:yep! by returnoftheyeti · · Score: 2, Insightful

    Cure for Cancer - Nope, researchers out of jobs
    Electric cars - Nope, oil companies go bust
    Cigarettes outlawed - Nope, that would kill the Cancer industry, the ashtray industry, the fire extinguisher industry, and the government would lose a lot of tax income.
    Peace in the Middle East - Nope, Bush would be out of a job

  18. Re:yep! by funk49 · · Score: 2, Insightful

    There were a lot of rumors floating around the BH and anti-viral community about CodeRed being written by the Chief Hacking Officer at eEye, Marc Maiffret. I've always suspected that is what the companies do. That's how ISS justifies its subscription model for sigs...X-Force creates craploads of major 0days.

  19. Re:Encrypt! by Anonymous Coward · · Score: 3, Insightful

    Yes, if you're running Windows you can get infected with this or any of the myriad other worms, some of which install keyloggers. The unique thing about this is that it installs a NETWORK SNIFFER and not a keylogger on the box, meaning that other machines on the same network can get "sniffed" even if they're not infected.

    The upshot is that all of those people who normally ignore virus alerts because they run Linux [Slashdot audience] need to confirm they encrypt everything and then go about ignoring these alerts again. ...either that or convert that one last "compatibility" machine from Windows to Linux.
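An added example, not part of the thread and not a tool from Netcraft or F-Secure, for the sniffer point raised in comments 4, 10 and 19: a sniffer that wants other hosts' traffic has to put the NIC into promiscuous mode, and the Linux kernel logs "device <iface> entered promiscuous mode" / "left promiscuous mode" each time that happens. The check below replays those messages from a constructed log and reports interfaces no known tool should own; the interface names and the allow-list are assumptions.

```python
"""Find interfaces left in promiscuous mode by replaying kernel log lines.

The kernel (net/core/dev.c) logs "device <iface> entered promiscuous mode"
and "device <iface> left promiscuous mode" whenever the mode is toggled.
Replaying those lines yields the set of interfaces currently promiscuous,
which a host audit can compare against the ones it expects (e.g. an IDS
sensor port or a bridge member).  On a switched network such a NIC only
sees its own segment, but it still deserves an explanation.
"""
import re
from typing import Iterable, List, Set

# Matches both dmesg-style "[  12.3] device ..." and syslog-style
# "Sep 13 22:47:05 host kernel: device ..." prefixes.
PROMISC_RE = re.compile(
    r"device (?P<iface>\S+) (?P<state>entered|left) promiscuous mode"
)


def promiscuous_from_log(lines: Iterable[str]) -> Set[str]:
    """Return the interfaces still promiscuous after replaying the lines in order."""
    active: Set[str] = set()
    for line in lines:
        m = PROMISC_RE.search(line)
        if not m:
            continue  # unrelated log line
        if m.group("state") == "entered":
            active.add(m.group("iface"))
        else:
            active.discard(m.group("iface"))
    return active


def unexpected_sniffers(lines: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Promiscuous interfaces that are not on the allow-list, sorted by name."""
    return sorted(promiscuous_from_log(lines) - set(allowed))


# Constructed sample log (assumed interface names, not from a real host):
# eth0 enters and leaves, eth1 stays on, eth2 is the known sensor port.
SAMPLE_LOG = [
    "[   12.345678] device eth0 entered promiscuous mode",
    "Sep 13 22:47:01 host kernel: device eth0 left promiscuous mode",
    "Sep 13 22:47:05 host kernel: device eth1 entered promiscuous mode",
    "Sep 13 22:48:10 host kernel: device eth2 entered promiscuous mode",
    "Sep 13 22:48:11 host kernel: unrelated message",
]
ALLOWED_PROMISC = {"eth2"}  # assumption: the IDS sensor interface

if __name__ == "__main__":
    for iface in unexpected_sniffers(SAMPLE_LOG, ALLOWED_PROMISC):
        print(f"{iface}: promiscuous mode with no known owner, investigate")
```

On a live host, feed it the output of `dmesg` or the kernel lines from syslog instead of SAMPLE_LOG.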

  20. Re:A few points by Anonymous Coward · · Score: 1, Insightful

    As soon as your comment was posted, a dozen hackers got to work on a virus that does exactly what you describe.

    No they didn't, but don't tell your boss. You should thank "savagedome"... that excuse might just work now!

    "Gee, no boss, that's not my porn on there. Must be a virus!"

  21. Re:What if someone made a worm that just........ by Telastyn · · Score: 2, Insightful

    And no offense, but if your machine is exploitable enough for someone to remotely patch it, a broken dvd player is the least of your worries.

  22. Re:Hackers Vs RIAA by dasmegabyte · · Score: 2, Insightful

    The RIAA is doing the only thing that copyright owners CAN do to protect their copyrights: they're pursuing legal damages for material copied without permission. They don't know whether it's 13 year old girls or the fucking mafia...all they have is a list of IP addresses of people serving one or more copyrighted songs. What are they supposed to do when it turns out that some of these file sharers are young kids or grand parents or the handicapped? Say, "oops, sorry, you're allowed to infringe however you like, it's only infringement if you're a healthy white male aged 18-35?"

    The RIAA is doing what I'd do if I saw a threat to my business: they're trying to curb the threat with the only means available to them by law. Complain about the cost if you like, or the tactics, or the copyright laws themselves, but you can't complain about them trying to protect their business in a legal way. That's ridiculous.

    Just about as ridiculous as wishing for them to be inconvenienced by hackers, really. I mean, what you're talking about is called a protection racket in the Real World(tm), and it's fucking illegal.

    --
    Hey freaks: now you're ju

  23. Re:yep! by numark · · Score: 2, Insightful

    I think researchers would be less worried about losing their jobs over a cancer cure (which isn't even guaranteed...there's always something else to research) and more worried about protecting their own health and the health of their families. Doesn't help you in the end if you have a job and die of cancer before you even have a chance to retire. They have as vested an interest in finding a cancer cure as any one of us.

    --
    Want Slashdot headlines on your site? Try SlashHead

  24. Re:One reason I quit fixing Windows by FuzzyBad-Mofo · · Score: 2, Insightful

    As soon as the number of users reaches critical mass, it becomes "profitable" for virus writers.

    Market saturation is only one element toward attracting malware. Another is security. If a system is popular enough, no doubt malware will be created for it, at least as a proof of concept. However, malware will never spread in the wild unless the system has insufficient security (by definition). I'm not claiming that any of today's operating systems has perfect security, but some are better than others.

  25. Re:SSL for everything by MightyYar · · Score: 2, Insightful

    Hey! I'm a pretty solidly geeky dork, and all my passwords for work are on a sticky. Why?

    • At last count, I have at least 7 passwords: email and network, customer page, unix login, bugs database, data modeler, applications database, code review process. I'm probably missing some, I'd have to check the sticky.
    • The passwords are not changed at the same time, so they are all different. They may have abandoned trying to make us change them periodically - I'm not sure, the schedule was so erratic.
    • All the systems have different rules about what format the password must take. They definitely don't do a dictionary check, because sometimes I use things like "fuckyou" or "screwit". Juvenile, I know.
    • Even though they do not seem to care what your password is, they DO check to make sure that it is different than the last six times. This leads to passwords like: kilroy, kilroy1, kilroy2, killroy3, etc.
    • My IT department actually had a file on the server with everyone's plain text password for at least two of the systems. It was in Excel and was accessible to anyone with a login. Morons - why does such a file even exist??? Apparently they were doing something to everyone's PC and so they put it on the server so their support guys could reference it while they went from PC to PC, then forgot to take it back down. The list was very enlightening. Many people simply used their first name as the password, appending a 1 or 2 whenever they had to change it.

    Anyway, I'm using a sticky because it really doesn't matter.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.

  26. Re:What if someone made a worm that just........ by mikeg22 · · Score: 3, Insightful

    I don't need nor want some dumbass "I'm smarter than you, and doing this for your own good" 1337 prick trying to install SP4 for me

    A worm like this would only be able to get into computers that are unprotected, so assuming you're a security conscious fellow, you wouldn't have to worry about it. Now, if your computer was vulnerable, wouldn't it be better that your computer gets patched (and possibly screws up your dvd player) than having an unprotected machine waiting to get hosed by some hacker?

    I'm actually sympathetic to the belief that a vulnerable computer connected to the internet is a hazard to the internet as a whole, as it can easily become a DDoS/spam zombie, and therefore somebody is in the right to patch the hole, through nefarious means if necessary.

  27. Re:A few points by Guido+von+Guido · · Score: 3, Insightful

    I have a friend who just got her M.A. My advice to her was to print her thesis (or the new portions of it) at least once a week until she was done with it.

    Yeah, it would have been hell to type it all over again, but it would have beat having to rewrite it from scratch.

  28. Re:Request for virus writers: by st3v · · Score: 2, Insightful

    Bad Idea: A person might think they would be able to keep their old documents and programs and install Linux. After they have no idea where their documents went and how to use their "cleaned" system, the reputation of Linux would be tarnished in their eyes as a virus.

  29. Re:yep! by OblvnDrgn · · Score: 2, Insightful

    Not to mention being part of the research team that found the Cure for Cancer (capital letters, it's a Wonder of the World) would probably be enough renown to live on for the rest of your life. Think Watson and Crick touring the university circuit for decades.

  30. Re:Beating keystroke loggers by anti-trojan · · Score: 4, Insightful

    Once you know the characters that the password consists of, the possible combinations are very limited. You can try every combination in a few seconds.

  31. Re:More technical details by KDR_11k · · Score: 2, Insightful

    The SP2 CD came out long after those exploits were first used, you need to apply the patches the day they come out to prevent an infection. Supplying less critical patches via an SP CD is acceptable, but these exploits will get you if you patch too late.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  32. Re:yep! by AgentSmith · · Score: 2, Insightful

    Will all you shitbats stop arguing about what the plural of virus is?!!!!

    Every fucking time a virus story comes up, the same (if not similar) group of pedantic twits posts about this. If the world didn't get it the first fucking time you posted it, they aren't going to understand it now!!!

    I declare now once and for all time this will be the word for the plural of virus: Viruses

    There. Is everyone fucking happy now? Can we now get back to discussing the topic and living our lives in a new blissful age now that the plural is definitively known?

    It's a new world people!