New Worm Installs Sniffer

fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T : More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built-in to Windows XP) to deliver a curious message to infected users. The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea). F-Secure has a copy of the sound file generated by the message."

How much longer?

[cbrocious]

How much longer before worms use their own TCP/IP stack? Wouldn't much suprise me, and might be beneficial for getting around firewalls. Might be a cool little project to make a zoo virus that does it.

New worms...

[Nos.]

The newest MyDoom variant has the author asking for a job...
http://www.vnunet.com/news/1158043
The arnus worm speaks to infected users.
I don't know if I should laugh or cry. I just know I'm getting calls in the next few days because someone's computer says "How are you...".

A few points

[Meostro]

1. A Link to Trend Micro's SDBot.UH analysis

2. I love the fact that this worm drops itself as BLING.EXE

3. This worm uses carnivore network sniffer and checks for the following strings
As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities I'd say you deserve what you get in this case.

4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm

• It has 6 paths of infection: 5 vulnerabilities (as above) plus open shares
• It attempts to steal CD keys for some games.
• It installs a network sniffer
• It has an interface with 26 commands that the bad guys can use on an 0wned box
• It can log keystrokes

It doesn't destory anything all by itself, although it probably crashes some boxen through the exploits (was that just Sasser, or is that part of the LSASS flaw?) It still sucks, but it's just an expected evolution.

I'm still waiting for the really bad one...

Re:A few points

[savagedome]

I'm still waiting for the really bad one...

A really bad one would look for Excel/Word files and modify a couple of data entries in a huge list of numbers.

Kind of like someone breaking into the house, leaving something obnoxious under the fridge that starts smelling bad really gradually over a period of few months.

Imagine the look on the PHB's face when 6 months down the line he realizes while doing some entires in the sheet that the p/e ratio is negative!

Re:A few points

[Elwood+P+Dowd]

The really bad ones are already out in the wild, and they do not damage your data.

They wait 'till you go to an HTTPS site and then they log your keystrokes. It's about cash money for the villains, and not doing anything to get caught.

Re:A few points

[dasmegabyte]

I saw a few nasty viruses back in college...Empire Monkey was one, wrecked your MBR and just enough data to mean a reinstall was inevitable. One that manipulated the MBR and the lock-up bug on the Pentium processor. Finally, there was a notorious Word virus called Meat Grinder. Did nothing for the first few dozen saves, then overwrote your file on disk with complete gibberish.

Saw a graduate student reduced to sobbing over that last one...her teacher was a real prick and wouldn't take anything late for any reason and she had not been educated on the importance of multiple backups. It was 2 am the day before it was due and no amount of Norton Disk Doctor was going to save her (luckily, she'd been on a machine the day before and just shut it down, we had 13 of 20 pages autosaved). I had to call him the next day, and he didn't believe me. I wound up refering him to the head of academic computing, who essentially told the guy that this was the worst virus he'd ever seen and it would be utterly heartless not to give the girl an extension. Dr. Wolf was the MAN.

All of these spread via diskettes and public terminals. Be glad nobody's applied these concepts to an internet worm. We'd be fucked.

I'm still waiting...

[00Sovereign]

for the "INDUCEd PATRIOT" worm that detects P2P traffic and then promptly shuts down the computer.

Squawker

[swordboy]

This one talks to the infectee through Windows speech interface. Nice!

I dont even get the purpose....

[stickystyle]

Most networks are switched these days, making this pointless. Why not install a keylogger???
Then the evil person doesnt have to deal with all the encryption mumbo-jumbo.

What if someone made a worm that just........

[ARRRLovin]

......ran windows update on all infected machines? Would people get pissed?

Re:Encrypt!

[koreth]

That won't help you if you're infected by this worm, which does keystroke logging. You can encrypt your password six ways from Sunday and it will still have been intercepted before it ever reaches your encryption software.

Not that I'm against encryption or anything. But it won't necessarily stop your passwords from being stolen.

One reason I quit fixing Windows

[teamhasnoi]

is that it's a never-ending job, when the user is at the keyboard, doing things that I would never do.

I've been telling my old 'customers' that I'm retired. I then tell them that I will give them support for free for life if they buy a Mac.

This is usually met with, 'Wha? Really?"

Yup. I'm enjoying the stories of crazy Windows happenings, virus mystery, and constant crashing (Yeah, XP is ok, but not when you have 127 viruses, trojans, spyware and keyloggers all vying for a clock cycle and outgoing port.)

And I'm especially loving not working on Windows boxes.

SSL for everything

[Matt+Perry]

from the hope-you're-using-ssl-for-everything dept.

Why aren't we using SSL for everything? Why aren't we building strong encryption into everything? I started wondering this several months ago when I had to run VNC on a windows box and had no way to secure it. Sure, under linux you can tunnel it over SSH, but that wasn't an option on a windows machine.

And regarding another thing, how come so many services require a certificate (such as SSL with email, imap, pop, etc) rather than auto-negotiating it like SSH does?

A machine on one of our networks....

[caluml]

This is strange - I found a bling.exe on a Windows machine at work a while ago, as it was spewwing out 445 if I remember rightly - several weeks. I searched for info on it, and I didn't find anything, which I thought was strange.
I think I must have got hit by an early-adopter version.

Worms are just like any other software

[ChiralSoftware]

Remember back to the days of MS-DOS? Everything was very minimal and non-bloated, but still, things were slow. As computers got faster, software didn't get faster. It just got more bloated to take advantage of all that new speed and memory available. Today I have dozens of windows open, a media player, and IDE, mail reader, etc, and you need 256mb to run Linux or Windows XP. That's bloat. But, they do a lot more than they used to. Much much more.

And it's the same with worms. Rather than hand-coding them in assembly to get them in under 1000 bytes (or whatever) they can now be developed with good tools, useful libraries, and they can have all kinds of extra functionality built in. So expect worms with more features as we go along.

It's time to really start thinking about security-by-design. VM systems like Java, or capability-based systems like EROS are the way we are going to finally squish these worms. I'm so tired of helping relatives with anti-virus software. There shouldn't be anti-virus software. Operating systems shouldn't allow viruses and worms to exist. Security problems like this are not an inherent part of software.

Re:yep!

[f8free]

I've always wondered about that kind of thing... most especially, what's to stop the antivirus companies from writing their own virii?

Not that they'd need to do it at this point, but talk about your perpetual business model...

Re:yep!

[One+Louder]

...what's to stop the antivirus companies from writing their own virii?

The competition.

Imagine the publicity if an anti-virus software vendor were able to prove that a virus was produced by one of its competitors.

Re:Encrypt!

[dasmegabyte]

I used to use an encryption program that attempted to get around keystroke loggers...by remapping your keyboard when you were in the password box. A keystroke logger would see gobbeltygook...granted, it was a simple cipher, but since there isn't enough information in a single 16 character password to generate a key for such a cipher, it was still pretty secure.

I stopped using it when I got my mac, because built in AES-128 is just easier than mucking about with encrypted disk drivers and suchlike. I don't have that much to keep secure anyway...just some receipts, beer recipes and incriminating photos

Re:yep!

[f8free]

That would be the biggest risk, to be sure. But tracking down the source of a virus is quite difficult, and that's when it's the work of a single (or just a few) hacker(s). Imagine if some corporate muscle were applied in burying the source. I'd worry about whistleblowers, too. Were I an ethically challenged antivirus company CEO, that is.

Not the first talking virus

[Beryllium+Sphere(tm)]

nVIR on the early Macintoshes would use the Macintalk speech engine to say "Don't Panic". One source says nVIR got discovered in January 1987.