Slashdot Mirror


New Worm Installs Sniffer

fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T : More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built-in to Windows XP) to deliver a curious message to infected users. The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea). F-Secure has a copy of the sound file generated by the message."

37 of 491 comments

  1. How much longer? by cbrocious · · Score: 5, Interesting

    How much longer before worms use their own TCP/IP stack? Wouldn't much surprise me, and might be beneficial for getting around firewalls. Might be a cool little project to make a zoo virus that does it.

    --
    Disconnect and self-destruct, one bullet at a time.
  2. New worms... by Nos. · · Score: 5, Interesting

    The newest MyDoom variant has the author asking for a job...
    http://www.vnunet.com/news/1158043
    The arnus worm speaks to infected users.
    I don't know if I should laugh or cry. I just know I'm getting calls in the next few days because someone's computer says "How are you...".

    1. Re:New worms... by nettdata · · Score: 1, Interesting

      This userFriendly strip says it all. :)

      --
      $0.02 (CDN)
  3. A few points by Meostro · · Score: 5, Interesting
    1. A Link to Trend Micro's SDBot.UH analysis

    2. I love the fact that this worm drops itself as BLING.EXE

    3. This worm uses carnivore network sniffer and checks for the following strings
    As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities I'd say you deserve what you get in this case.

    4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
    • It has 6 paths of infection: 5 vulnerabilities (as above) plus open shares
    • It attempts to steal CD keys for some games.
    • It installs a network sniffer
    • It has an interface with 26 commands that the bad guys can use on an 0wned box
    • It can log keystrokes
    It doesn't destroy anything all by itself, although it probably crashes some boxen through the exploits (was that just Sasser, or is that part of the LSASS flaw?). It still sucks, but it's just an expected evolution.

    I'm still waiting for the really bad one...
    1. Re:A few points by savagedome · · Score: 4, Interesting

      I'm still waiting for the really bad one...

      A really bad one would look for Excel/Word files and modify a couple of data entries in a huge list of numbers.

      Kind of like someone breaking into the house, leaving something obnoxious under the fridge that starts smelling bad really gradually over a period of few months.

      Imagine the look on the PHB's face when 6 months down the line he realizes while doing some entries in the sheet that the p/e ratio is negative!

    2. Re:A few points by Elwood+P+Dowd · · Score: 5, Interesting

      The really bad ones are already out in the wild, and they do not damage your data.

      They wait 'till you go to an HTTPS site and then they log your keystrokes. It's about cash money for the villains, and not doing anything to get caught.

      --

      There are no trails. There are no trees out here.
    3. Re:A few points by dasmegabyte · · Score: 3, Interesting

      I saw a few nasty viruses back in college...Empire Monkey was one, wrecked your MBR and just enough data to mean a reinstall was inevitable. One that manipulated the MBR and the lock-up bug on the Pentium processor. Finally, there was a notorious Word virus called Meat Grinder. Did nothing for the first few dozen saves, then overwrote your file on disk with complete gibberish.

      Saw a graduate student reduced to sobbing over that last one...her teacher was a real prick and wouldn't take anything late for any reason and she had not been educated on the importance of multiple backups. It was 2 am the day before it was due and no amount of Norton Disk Doctor was going to save her (luckily, she'd been on a machine the day before and just shut it down, we had 13 of 20 pages autosaved). I had to call him the next day, and he didn't believe me. I wound up referring him to the head of academic computing, who essentially told the guy that this was the worst virus he'd ever seen and it would be utterly heartless not to give the girl an extension. Dr. Wolf was the MAN.

      All of these spread via diskettes and public terminals. Be glad nobody's applied these concepts to an internet worm. We'd be fucked.

      --
      Hey freaks: now you're ju
    4. Re:A few points by bobbozzo · · Score: 2, Interesting

      There was a destructive internet worm recently.
      It attacked PCs via a hole in BlackICE firewall.

      After reproducing for a little while, it began randomly overwriting sectors on the HD. Eventually your OS (and probably a lot of data) would be fubar.

      URL: http://www.f-secure.com/v-descs/witty.shtml

      --
      Nothing to see here; Move along.
    5. Re:A few points by dasmegabyte · · Score: 2, Interesting

      Signs don't help. For many people, it takes an accident to realize how stupid it is to keep the only copy of their 40 page doctoral thesis folded at the bottom of a purse. After that, they get a little nuts. This is where stories are useful. People come in, ask for some help, and while you're helping them out, tell them the Meat Grinder story. Or the story about the lady who lost her disc and closed without saving, meaning the only remaining copy of her thesis was currently printing on a dot matrix printer (which began to come out of alignment at page 5).

      We used to (try) to train people to use their email account and their mainframe storage (which most people didn't even know they had) to save files to. Even set up Samba so users could mount their mainframe space as a drive and save directly to it. The Mainframe, we explained, was backed up incrementally throughout the day and periodically virus scanned. It couldn't be wrecked or stolen. It couldn't be read by other students unless you set it that way. It was like sealing your files in a sterile vault (which, indeed, was where the server was stored) and it was no harder than using a disk.

      But most people just ignored us. After all, what could happen to the disk? It was inside of a little red plastic case with a metal shutter! Never mind that it was stuffed into crummy pockets or inside a backpack along with a collection of rare earth magnets...it was in a PLASTIC CASE!

      --
      Hey freaks: now you're ju
  4. I'm still waiting... by 00Sovereign · · Score: 3, Interesting

    for the "INDUCEd PATRIOT" worm that detects P2P traffic and then promptly shuts down the computer.

    --
    "Me fail English, that's unpossible." --Ralphie
  5. Squawker by swordboy · · Score: 4, Interesting
    --
    Life is the leading cause of death in America.
  6. And they'll sniff... by Power+Everywhere · · Score: 1, Interesting

    Each other, like dogs at one another's butts. Inside of a week that's all that's going to be out there, and the worms will just be bumping into one another.

  7. I don't even get the purpose.... by stickystyle · · Score: 4, Interesting

    Most networks are switched these days, making this pointless. Why not install a keylogger???
    Then the evil person doesn't have to deal with all the encryption mumbo-jumbo.

    --
    Pluralitas non est ponenda sine necessitate
  8. What if someone made a worm that just........ by ARRRLovin · · Score: 5, Interesting

    ......ran windows update on all infected machines? Would people get pissed?

    --
    -Randy
    1. Re:What if someone made a worm that just........ by wiggles · · Score: 2, Interesting

      It's been done. See this writeup for the Welchia virus.

      This thing actually caused more problems at my site in the form of network saturation than the blaster worm it was written to eradicate!

  9. Re:More technical details by fitten · · Score: 2, Interesting

    How does Windows XP SP2 Data Execution Prevention handle this? or does it? (sounds like all those buffer overrun/overflow exploits should be stopped)

  10. Re:Encrypt! by koreth · · Score: 4, Interesting
    That won't help you if you're infected by this worm, which does keystroke logging. You can encrypt your password six ways from Sunday and it will still have been intercepted before it ever reaches your encryption software.

    Not that I'm against encryption or anything. But it won't necessarily stop your passwords from being stolen.

  11. One reason I quit fixing Windows by teamhasnoi · · Score: 3, Interesting
    is that it's a never-ending job, when the user is at the keyboard, doing things that I would never do.

    I've been telling my old 'customers' that I'm retired. I then tell them that I will give them support for free for life if they buy a Mac.

    This is usually met with, 'Wha? Really?"

    Yup. I'm enjoying the stories of crazy Windows happenings, virus mystery, and constant crashing (Yeah, XP is ok, but not when you have 127 viruses, trojans, spyware and keyloggers all vying for a clock cycle and outgoing port.)

    And I'm especially loving not working on Windows boxes.

  12. SSL for everything by Matt+Perry · · Score: 4, Interesting
    from the hope-you're-using-ssl-for-everything dept.
    Why aren't we using SSL for everything? Why aren't we building strong encryption into everything? I started wondering this several months ago when I had to run VNC on a windows box and had no way to secure it. Sure, under linux you can tunnel it over SSH, but that wasn't an option on a windows machine.

    And regarding another thing, how come so many services require a certificate (such as SSL with email, imap, pop, etc) rather than auto-negotiating it like SSH does?

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  13. A machine on one of our networks.... by caluml · · Score: 4, Interesting

    This is strange - I found a bling.exe on a Windows machine at work a while ago, as it was spewing out 445 if I remember rightly - several weeks. I searched for info on it, and I didn't find anything, which I thought was strange.
    I think I must have got hit by an early-adopter version.

  14. Re:Use of switches? by MachineShedFred · · Score: 2, Interesting

    Switches are all well and good, but you forget about cable modems. While downstream traffic is only sent to the modem, all upstream traffic using QAM encoding techniques is a shared medium, so a sniffer on that wire could get some interesting traffic.

    Packet sniffers are not a good thing to have just running, but an auto-propagating one is even worse, and should not be taken lightly.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  15. Worms are just like any other software by ChiralSoftware · · Score: 4, Interesting
    Remember back to the days of MS-DOS? Everything was very minimal and non-bloated, but still, things were slow. As computers got faster, software didn't get faster. It just got more bloated to take advantage of all that new speed and memory available. Today I have dozens of windows open, a media player, an IDE, mail reader, etc, and you need 256MB to run Linux or Windows XP. That's bloat. But, they do a lot more than they used to. Much much more.

    And it's the same with worms. Rather than hand-coding them in assembly to get them in under 1000 bytes (or whatever) they can now be developed with good tools, useful libraries, and they can have all kinds of extra functionality built in. So expect worms with more features as we go along.

    It's time to really start thinking about security-by-design. VM systems like Java, or capability-based systems like EROS are the way we are going to finally squish these worms. I'm so tired of helping relatives with anti-virus software. There shouldn't be anti-virus software. Operating systems shouldn't allow viruses and worms to exist. Security problems like this are not an inherent part of software.

    1. Re:Worms are just like any other software by megaversal · · Score: 2, Interesting

      Not to be incredibly pro-MS, but the reason it's so easy to write all these viruses is because MS tried to make it easy to do all sorts of things with your system. VBScript can be and is used for automating administration tasks all the time, yet someone can use it to write some pretty complex worm in very few lines. Not elegant, but easy.

      I see the problem being Windows, by default, letting you run as an administrator, instead of a normal-level user, so that when a virus hits, the damage is far less if it can't change certain files, and run with a certain level of power.

      It's still not as easy to run as an everyday user, switching to Administrator whenever you need to perform an admin task, as it is on *nix to switch back and forth, at least in my experience. And I admin a primarily Windows network every day, but use *nix only on a personal level.

      So I like the idea that MS gives you all this ability to create and play using technologies that aren't as hard to master as assembly (in the practical sense.. it's harder to write a simple Windows app in assembly than it is in VB), but they're still working on (in my opinion) getting users away from running as admin/root the whole time.

      --
      Sig!
  16. Best AntiVirus? Help... by Iscariot_ · · Score: 1, Interesting

    This reminds me, I'm in the process of building a new pc and want to get the opinion of the shack collective on what is the best antivirus software.

    I've looked everywhere, and TrendMicro's PC-Cillin, McAfee AV, and Norton AV all seem to rank high. Is any one of these really better than the others? Have I left the best one off my list?

    Obviously finding virii is paramount, but a low footprint is also welcome.

    Thanks!

  17. Not a big deal by Anonymous Coward · · Score: 1, Interesting

    Banking info is going to be using SSL. Sniffing SSL traffic isn't going to get you any interesting data. It would be better to use an old fashion key logger.

    The most interesting part of this virus is the ability to easily intercept IM and e-mail conversations. I think it's killer app would be identity theft rather than credit card or banking fraud.

  18. Re:yep! by f8free · · Score: 5, Interesting

    I've always wondered about that kind of thing... most especially, what's to stop the antivirus companies from writing their own virii?

    Not that they'd need to do it at this point, but talk about your perpetual business model...

  19. Re:Proper switches will defeat the sniffer by dtperik · · Score: 2, Interesting
    If you have a proper switch, then sniffing should not be a problem, as the traffic on the network will not reach the infected computer...
    And then the next version uses technology like ettercap which can sniff on switched networks.
  20. Re:Need one that does some damage by bluewee · · Score: 2, Interesting
    Although this is marked funny, I have considered doing this to a lesser extent. My plan would be to write a virus that used the back doors of other worms, virus(virii) and get onto the system and break the TCP/IP stack, and change the Background image to a link that would have all the information on how to clean up their computer.

    Even though this has legal implications, I think that people would be happy to know that their computer has been infected, and how to fix it.

    --
    [blue] - The Ministry of Information approved this message...
  21. Re:yep! by UranusReallyHertz · · Score: 2, Interesting

    I had the same thought about spam-control companies. They have no interest in actually stopping spam because that would put them out of business.

    --
    Smoking is an expensive, slow, and unreliable method of suicide.
  22. Re:More technical details by AC-x · · Score: 2, Interesting

    Still I'd be interested to know if SP2's Data Execution Prevention would have stopped this if the holes hadn't been patched.

    Doing proactive fixes like this should be better than reactively fixing holes as they appear, so it would be interesting to know how well this latest feature works.

    Also I never really understood why there are always so many buffer overrun problems in software, I know it's a bit more complex than
    while(readdata() && bufferlimit--){}
    but still...

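As an added example (not part of the post or the thread), here is the loop sketched above written out in C against a constructed input stream, next to a bounded version that tests the remaining room before each read. A canary byte placed just past the intended buffer shows that the read-then-check ordering stores one byte too many; this is the kind of off-by-one that DEP does not prevent, since DEP only stops the overwritten bytes from being executed. The stream type, the input bytes and the canary value are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input stream standing in for a socket or file (hypothetical). */
typedef struct { const unsigned char *data; size_t len, pos; } stream_t;

/* Store the next input byte into *out; returns 1 on success, 0 at end of input. */
static int readdata(stream_t *s, unsigned char *out) {
    if (s->pos >= s->len) return 0;
    *out = s->data[s->pos++];
    return 1;
}

#define CAP    8     /* the buffer size the programmer intended to honour */
#define SLACK  8     /* extra storage so the overrun is observable, not UB */
#define CANARY 0xAA  /* constructed marker written just past the buffer */

/* Loop shaped like the comment's sketch: readdata() stores a byte *before*
 * bufferlimit is tested, so when the limit reaches zero buf[cap] has already
 * been written. Returns the count the loop believes it stored. */
static size_t fill_read_then_check(stream_t *s, unsigned char *buf, size_t cap) {
    size_t bufferlimit = cap, n = 0;
    while (readdata(s, &buf[n]) && bufferlimit--) n++;
    return n;
}

/* Hardened form: check the remaining room *before* every read and keep one
 * byte for the terminating NUL so the result is always a valid C string. */
static size_t fill_check_then_read(stream_t *s, unsigned char *buf, size_t cap) {
    size_t n = 0;
    while (n + 1 < cap && readdata(s, &buf[n])) n++;
    buf[n] = '\0';
    return n;
}

typedef size_t (*fill_fn)(stream_t *, unsigned char *, size_t);

/* Run one fill routine against input with a canary at storage[CAP].
 * Returns 1 if the canary survived (no overrun), 0 if it was clobbered. */
static int canary_survives(fill_fn fill, const char *input, size_t *stored) {
    unsigned char storage[CAP + SLACK];
    memset(storage, CANARY, sizeof storage);
    stream_t s = { (const unsigned char *)input, strlen(input), 0 };
    *stored = fill(&s, storage, CAP);
    return storage[CAP] == CANARY;
}

int main(void) {
    size_t n;
    int ok = canary_survives(fill_read_then_check, "ABCDEFGHIJKL", &n);
    printf("read-then-check: stored %zu, canary %s\n", n, ok ? "intact" : "clobbered");
    ok = canary_survives(fill_check_then_read, "ABCDEFGHIJKL", &n);
    printf("check-then-read: stored %zu, canary %s\n", n, ok ? "intact" : "clobbered");
    return 0;
}
```

With 12 input bytes and an 8-byte buffer, the first loop reports 8 bytes stored but has also overwritten the canary, while the bounded loop stores 7 bytes plus a NUL and leaves the canary untouched.
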
  23. Re:yep! by One+Louder · · Score: 5, Interesting
    ...what's to stop the antivirus companies from writing their own virii?
    The competition.

    Imagine the publicity if an anti-virus software vendor were able to prove that a virus was produced by one of its competitors.

  24. Re:Encrypt! by dasmegabyte · · Score: 4, Interesting

    I used to use an encryption program that attempted to get around keystroke loggers...by remapping your keyboard when you were in the password box. A keystroke logger would see gobbledygook...granted, it was a simple cipher, but since there isn't enough information in a single 16 character password to generate a key for such a cipher, it was still pretty secure.

    I stopped using it when I got my mac, because built in AES-128 is just easier than mucking about with encrypted disk drivers and suchlike. I don't have that much to keep secure anyway...just some receipts, beer recipes and incriminating photos

    --
    Hey freaks: now you're ju
  25. Re:yep! by f8free · · Score: 3, Interesting

    That would be the biggest risk, to be sure. But tracking down the source of a virus is quite difficult, and that's when it's the work of a single (or just a few) hacker(s). Imagine if some corporate muscle were applied in burying the source. I'd worry about whistleblowers, too. Were I an ethically challenged antivirus company CEO, that is.

  26. Re:Best AntiVirus? Help... by Anonymous Coward · · Score: 2, Interesting

    AVG if you're cheap, or NOD32 for some dollars. Both are very low on footprint, and NOD32 has one of the best detection rates around. NOD also has one of the only interfaces that doesn't suck. *cough* kaspersky *cough*

    McAfee is slow, and Norton is equally as bad unless you get the corporate edition. Of course, most of the AV companies provide trial versions, so be sure to give a bunch of them a try (NOT all at once) and pick whichever YOU believe is the best one. :-)

  27. Not the first talking virus by Beryllium+Sphere(tm) · · Score: 3, Interesting

    nVIR on the early Macintoshes would use the Macintalk speech engine to say "Don't Panic". One source says nVIR got discovered in January 1987.

  28. Organized Crime no, misguided activism yes by Oriumpor · · Score: 2, Interesting

    Perhaps organized crime could benefit from this, but in most cases electronic abuses when it comes to fraud/extortion etc seem to face a harsher penalty. I'm not too worried about criminals as much as I am a more driven and dedicated set of humanity.

    I would fear fanatics. Punishment is not necessarily even considered by a driven individual. If there was a file corruption worm on the scale of Codered/Blaster the cost could escalate from the tens of Millions to the Billions quickly. Anarchists, extremists, and environmentalists often try to destroy property to equate a cash cost for organizations for their wrongdoings.

    Heh, picture the credit agencies all exploding at the end of fight club.

  29. Re:More technical details by Jace+of+Fuse! · · Score: 2, Interesting

    Duh! They made it themselves of course!

    I know that was probably meant to be funny but really it's a little disturbing because it seems like it's actually the case.

    Very frequently the major players in the Antivirus market are either having the viruses "before they show up in the wild" or less than "hours" before people start reporting initial infection.

    It doesn't take a paranoid individual to conclude the obvious.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.