New Trojan Threatens Windows XP SP 2
lightdarkness writes "Symantec is reporting about a new virus called Phel (Anagram of 'help') which is a Trojan which spreads via a HTML file. All the user needs to do is go to the page, and it takes advantage of the vulnerability in the IE Help control component files. This allows the attacker to download malicious programs on to the machine. Worst part is, this is one of the exploits that even effects SP2. Microsoft is said to be working to stop the spread, and to release a patch." The exploit is apparently not the same as the help file problems disclosed last week.
Oh... yeah... IE is great... no need to change it until longhorn...
so what exactly processes HTML in windows again? Some third party plugin? No... IE? ahhh... what a shame... and here I thought that there was no need to do anything to IE as it is so perfect...
---
Programming is like sex... Make one mistake and support it the rest of your life.
Microsoft's entire attitude towards its browser competitors can be summed up with: Who Me? Worry?
Well at least I know reading Slashdot will be sa...
Does that mean they're trying to copy IE from the victims?
Upload to...download from.
Isn't Windows Help a virus on its own? I mean, any time I use it is accidental, and I sit there and wait forever while it takes over my hard drive and 2 minutes of my life loading The Obvious, while I swear at it and frantically click the oblivious exit button....grrrrrrrrrrrrr...
:D
My Kingdom For A Windows-Help-Uninstall-Program!
The real path to male liberation
"Upload to" when they're pushing data onto the machine. They're "downloading to" the machine if they make it fetch the data, which is the most likely scenario. But then, you might be convinced you had to upload slashdot to your browser to view this comment.
" Worst part is, this is one of the exploits that even effects SP2."
Oh, it causes SP2? That's absolutely terrible - it must be stopped!
...Microsoft will lose before it manages to put out a new and more secure version of IE (assuming that is even possible ;-)). I keep hearing from friends who work as IT managers that they are systematically blocking access to IE and installing Firefox on their corporate clients (although that doesn't really shut IE down). IE's getting a really bad rap even in those environments where Microsoft marketing used to have more influence than cold hard facts... and if they don't do something decisive about it rather than releasing ad-hoc patches they're going to have a hell of a time restoring confidence in their product. Then again, they've been able to bounce back before... and it's not like they don't have the money to spend on marketing!
Don't use IE.
IE - Internet Exploiter
The day Microsoft makes a product that doesn't suck is the day they make a vacuum cleaner.
Relying on Windows for security is like fighting for peace, or screwing for virginity. 'Nuff said.
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
Sorry, couldn't resist the anagram. Here's the source code for the phel trojan. This trojan is written in a very high level language. By a strange temporal accident involving a singularity, an anagram, and MS's open-door policy, the source code closely resembles a certain song lyric that goes by the same name.
;-)
The lyrics are kinda fitting, don't you think?
[snip]
When I was younger, so much younger than today,
I never needed anybody's help in any way.
But now these days are gone, I'm not so self assured,
Now I find I've changed my mind and opened up the doors.
Help me if you can, I'm feeling down
And I do appreciate you being round.
Help me, get my feet back on the ground,
Won't you please, please help me.
And now my life has changed in oh so many ways,
My independence seems to vanish in the haze.
But every now and then I feel so insecure,
I know that I just need you like I've never done before.
Help me if you can, I'm feeling down
And I do appreciate you being round.
Help me, get my feet back on the ground,
Won't you please, please help me.
[/snip]
- Help by The Beatles
Who says trojans are bad?
You can pull one over your case and stop the spread of windows and aol. Shipping a trojan condom with AOL cds could also help stop the reproduction of aol users. Way to go Trojan! You set a good example for the rest of us. Windows XP std2 is a threat to us all, and with your help, we may just annihilate it yet! Of course, then you are still at risk for penguin gout, and gnu herpes.... but that's a post for a different story (most likely the double posting of this).
"What me, worry?"
or, possibly "Bah, humbug."
--- Egads, I glow in the dark!
if this is what they meant with "extensible platform": http://slashdot.org/article.pl?sid=04/12/30/1853232&tid=113
Quite frankly, I can't understand why people get "impressed", I mean, let's look at history for a while... it isn't something new -- for the past probably, let's say 7 years Microsoft has been making the same mistakes over and over. It's nothing new that every vulnerability that is found affects their "benevolent" Service Packs, happened with Service Pack 1 and now 2 in Windows XP, happened with all the Service Packs on NT, and then Windows 2000... seriously. All I have to say is, Microsoft is like a teenage girl -- you never know what you're gonna get --JR.
WARNING: DO NOT LET DR. MARIO TOUCH YOUR GENITALS. HE IS NOT A REAL DOCTOR!
Yes, I was thinking he might mean What- me worry?
No reason to lie.
...how many working worms/viruses affecting Mozilla/Firefox have been written already?
How many for MSIE?
What's the ratio?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
nope, Firefox is not at threat to Internet Explorer .. Internet Explorer is a threat to Internet Explorer!
Knoppix ?
*/me ducks and run for cover*
I am a REAL American from Canada , not a wanna-be from the country , self called "last remaining superpower" "of America
Microsoft SUCKS!
Reminds me of Faxanadu:
"If you're going to see the king, take this ring."
It would be cool if it didn't suck.
The problem is, the end users who will visit these types of sites, especially in IE (the same users who will open e-mails for free Vioxx or Rolex watches)
Microsoft is working to forensically analyze the malicious code in Phel and will work with law enforcement agencies to identify and bring to justice those responsible for the malicious activity, he said.
They always want to catch the bad guys but Microsoft itself is never held responsible for the damages their crippled software causes.
As a software developer myself, I know it's almost impossible to make a big software product 100% bug free but come on... Microsoft's software is becoming ridiculous!
Man , Wizard ! How many time do I have to tell you ? Windows XP CD is an OS its not a doughnut , stop eating it with your coffee and milk in the morning , shisssh ;-)
yes, plus XP SP2 is installed as well.
Trojans in IE counts as news still? Its like someone throws us a surprise party every three months and we feel obliged to keep acting surprised.
"A man is but the product of his thoughts what he thinks, he becomes." -Mahatma Gandhi
...I thought security WAS a feature
There would be a fix by now if it where an OSS , Gnu/Linux project.
shouldn't it read "an HTML file" :D?
Good for you! But with all these vulnerabilities and resulting spyware bogging down your Windows install, the shit creeping in before you manage to download & install the latest patches, I am really impressed you actually get any work done (and managed to make this Slashdot post).
I don't consider yet another worm 0wning my box and handing it over to a spammer, a little thing. But okay, YMMV.
XPLite to remove the darn thing !
>> Techflock-flock onto the best bits of technology
http://www.mozilla.org
Don't Tread on Me
Browsers are meant to browse , separate the instant instalation from the browsing , and voila ! No kidding , I hope Microsoft release a LiveCD for Browsing ! this way your sure you system is not compromised , I am on sp2 and the number of time I hear ba bling trying to warn me from something that whant to instal is astronomical.
Leprosy
All my skin is falling off of me
I'm not half the man I used to be
Oh, how did I get leprosy
Syphilis
It all started with a simple kiss
Now it hurts to even take a piss
Oh, how did I get syphilis
Why her box was sick
She didn't say
Now, my dripping dick won't get thick
Like yesterday
Yesterday
My cock was always coming out to play
Now it needs two weeks to hide away
Oh, I believe in yesterday.
You probably meant Gandhi. Try to say the 'd' while making the 'h' sound as in "hale", just as some people pronounce "when" as "hwen." This way you will never forget that it is Gandhi and not Ghandi.
You mean you're still using IE? Well maybe it'll convince you to switch this time.
A: PHEL
Q: What do you say when you call 119?
Wouldn't MS just be better off writing a new browser instead of wasting all this time trying to fix IE? Surely they realise this..
I like muppets.
Since this is so easy to catch, someone needs to write and distribute a version of this that installs a P2P client, to give the people that are being sued by the *AA's an 'out'...
Posting Anonymously, for obvious reasons...
Hi, I'm also a proud Canadian, and I agree that it's silly for a nation to call itself 'America' (a group of continents!) as if it was the only country IN America. BUT, I don't agree with your 'real' American bit. Don't make the same mistake with which we're unhappy. And also, if you're going to make radical statements, make sure your grammar and spelling are correct, otherwise, your message loses all credibility.
I just pooped your party.
Apparently, not only does Duke suck, but USC does as well.
Customers in the U.S. who believe they have been attacked should contact their local FBI office or post their complaint online at www.ifccfbi.gov
Non MS users should contact the FBI and tell them we don't want our tax dollars to go to phel. Let Microsoft deal with it.
That's good, blame the victim. Just what sites are those? Where's the big list of sites you shouldn't visit? We might know where to avoid, but how is Joe User going to know?
Typical MSFT response. Instead of fixing their busted ass software they blame the victim. How's the weather in Redmond today?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
New years present from Microsoft
I use firefox instead of IE. I'm never using IE anymore.
Subzerorz
How in the hell is this modded informative? I mean, come on.
Besides, trojan condoms are extremely ironic. The trojan horse was something that let men get into an enemy town and then break open and hundreds of men rushed out from it.
Wheel in the sky keeps on turnin'.
This is a good example of why "IE only looks bad because it has the most market share" is at best dubious, and why IE is going to continue to struggle with problems that don't affect other browsers.
In particular, here we have problems in a scriptable ActiveX control for presenting Windows Help files. It's nice to have that available for Windows integration, and maybe for intranet Web applications (though regular Web pages are fine for the vast majority of online help), but people don't need it for regular Web surfing. There have been tons of flaws in these preloaded ActiveX controls, but Microsoft seems unwilling to change its policy to reduce this attack surface.
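One way an administrator reduces exactly that attack surface is IE's "kill bit": a registry flag that makes Internet Explorer (and anything that hosts its rendering engine, such as the Outlook preview pane) refuse to instantiate a given ActiveX control. The script below is an added example, not code from this thread or from Microsoft; the CLSID is assumed to be that of the HTML Help control (hhctrl.ocx) and should be verified against the vendor advisory before use.

```powershell
# Added example: set and verify the IE kill bit for one ActiveX control.
# Run from an elevated PowerShell prompt.

# ASSUMPTION: CLSID of the HTML Help control (hhctrl.ocx); confirm against the advisory.
$Clsid   = '{ADB880A6-D8FF-11CF-9377-00AA003B7A11}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: "never load this control" (documented by Microsoft)
$Key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

# Returns $true when the kill bit is present in "Compatibility Flags" for the given key.
function Get-KillBitState {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags) -band $KillBit) -ne 0
}

# Sets the kill bit while preserving any other compatibility flags already stored.
function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                   -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

"Kill bit set before: $(Get-KillBitState $Key)"
Set-KillBit $Key
"Kill bit set after:  $(Get-KillBitState $Key)"
```

This is a blunt instrument: CHM-based help launched through the browser stops working for that control, which is the trade-off the comment above argues is acceptable for general web use. On 64-bit Windows the same value must also be written under the Wow6432Node copy of the key for 32-bit IE.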
I don't consider yet another worm 0wning my box and handing it over to a spammer, a little thing. But okay, YMMV.
But to Windows users and Microsoftie trolls, apologists, and astroturfers, having your system 0wned by a sp@mmer and infecting 10,000 other computers with the latest Microsoft Worm, Virus, or Trojan is just a little thing. Hardly worth mentioning, often beneath their notice.
No one likes having their stupidity pointed out to them
The Future of Human Evolution: Autonomy
This sounds like a browser vulnerability such that you'd be safe if you were using Opera or Firefox, for example. Everything in the articles says it's an OS vulnerability, though. What I want and need to know is: Am I safe if I'm using Firefox as my default browser?
-Rich
Why do they always try to make this sound difficult?
Hey everybody, I've got pictures of Natalie Portman naked!
Good bye Windows! I am enjoying Linux alot and those of my friends who were still using Windows are now really fed up with it and are either buying Macs or installing Linux. If you had asked me a year ago I would not have thought that Linux is becoming a mainstream desktop OS that quickly. My girlfriend also became a big Linux fan and I even installed Gentoo Linux on our notebook - it rocks!
Considering that ever since SP2 all Windows Updates "fail" to install for me. The fun never stops.
2. Mount dev/hda
3. Run this command as root;
Bingo no more trojans virii or XP trouble period.
Luckily for Internet Explorer suicide is not a crime anymore.
For those interested, check out this source code. Virus and Trojan problems seem to just gravitate toward Microsoft products. So, Microsoft is the problem.
Click here or here.
1) the list of FORMER competitors of MS is a long one..anyone remember DR-DOS, which always got better reviews in the trade journals? Let's add Borland, Lotus, Star Office, etc etc. A rational person has some humility and or fear when confronted with a proven champion, regardless of the methods the champion uses.
2) Unlike other companies, MS can survive a disaster - (either DOS 4 or 5) was a dog that would have killed any other company; MS survived to fight another day (eg, Borland died when they were late with one product). I'm sure /. readers can supply many other examples of companies that died when their single flagship product was late or buggy; only MS can live to fight another day, with its cash flow and monopoly positions.
3) IMHO, MS has developed an unusual corp ability - the ability to throw money at a problem and solve it. IF Gates and Ballmer were really interested, they could release a new IE next year.
4) Gates is laughing at /. and firefox cause they are playing the wrong game. I don't think he cares a flying f*ck about technical superiority, or bloat or stuff like that; he cares about market share. For all we know, he may be happy that the 10% of the market consisting of geeks is distracted by linux and firefox - it never makes economic sense for a biz to care about more than 80% of the market.
5) there is something kinda pathetic and geekish and teenagerish in this constant gloating about bugs in MS products. Maybe worm writers don't write for *nix because that is not where the market is - if you are interested in making money, and not tech bragging rights, why would you care about the geeks using linux. no money and hard to cheat - just not a soft target (the same principle by which "insurgents" choose unarmored Iraqis over armored mobile americans).
Until there is some reasonably similar user base, any comparison of worms or bugs or whatever you want to call them, between nix and ms, is meaningless. It's sort of like comparing gas mileage between GM and solectra. Just not a comparison that has meaning in the real world of sales and market share.
6) Since the game Gates is playing is market share and sales and PROFITS, maybe he is not that interested in the OS or the browser - maybe they think OSs and Browsers will become commodity objects, and the money is in apps.
think about ibm selling its pc division - companies exist to make money, not technically superior products. Sometimes you can win on technical superiority; sometimes not
\begin{Sarcasm}
You know, when I found out that Microsoft would no longer develop IE for Macs, I was so sad.
\end{Sarcasm}
Having done so much with so little for so long, I now can do anything with nothing at all.
First of all, that would do diddly shit for people like LokiTorrent. Secondly, the people being sued have BROKEN THE LAW. Whether or not you agree with the law or think it is unjust is irrelevant. As it stands, "sharing" copyrighted works without permission is a civil offense (probably a criminal offense soon). If you don't want to get sued, don't share copyrighted shit without permission. At least not by the gigabytes.
To me, what you suggest is akin to someone pleading temporary insanity to murder (although murder is obviously much worse than copyright infringement). Sure, some minority of those people might have truly been temporarily insane, but the majority of them are just trying to reduce their sentence. Similarly, some minority of users might have truly been affected by this virus, but the majority of them know what they are doing is illegal (at least questionably illegal), and pleading "it was teh virus" is just a weak attempt to save their ass.
eye-opener worm (RFC):
.xls and .doc for
1. Do the usual spreading (outlook address book has proven effective)
2. Perform the usual tricks to knock out active virus scanners
(I have seen that work on McAfee and AntiVir with my own eyes)
3. Incrementally scramble files on all available network-drives;
every hour or so go and seek the oldest 100 [by access-time] files that
haven't been scrambled yet and overwrite parts of them somewhere in the
middle. Overwrite instead of unlinking ensures the files cannot easily be
"undeleted". Make sure to overwrite with a random pattern (use a *fast*
homegrown RNG, just using localtime() should suffice) to make it a little
harder for virus scanners to identify corrupted files.
The n least accessed files are chosen in order to go undetected for
as long as possible. You may increase the rate of destruction to something
like "pick the last 1000 files" when the system clock says "it's Saturday".
3a. Send some of the files via E-mail to random recipients from
the address book every now and then. Prefer
broadcasting. Send the scrambled version (no free backups here) or
implement a very simple version of antiword to extract the meat and
send as plain ascii.
4. Start performing the same procedure on the local harddrive only after the
network volumes have been >50% done with. Only go for "My documents" and
such, do not scramble system files in order not to kill your host.
5. Last stage (when done with everything) would be the great harakiri -
overwrite local drives.
The various mechanisms would ideally be balanced out so that complete
obliteration of a company network happens in approx. 4 days.
The worm would be set free on a Friday night (EST) in multiple
locations.
This description was only for educational/research purpose and I do not encourage anyone to do such a malicious thing.
I would like to take this moment to accept the apologies of all the assholes who said things like, "windows is secure, just upgrade to sp2." I'm sure that all of you feel much better after saying that you are sorry and admitting that you were wrong.
The Farewell Tour II
No, you look like a moron. Someone can effect change (there's effect used as a verb) or have a disagreeable affect. (affect used as a noun)
Won't this also occur in email with Outlook and Outlook Express? They use the same control that IE does to process the html.
This could make for a much worse case than having to visit a web site. Just have the preview pane open with these apps and get a spam than contains the exploit.
http://www.opera.com/
;-)
Yeah, yeah, I know... "Oh no, it's not freeware, run!"
It's actually a decent browser too.
As for the ads, well, let's just say my hosts file is just a few lines bigger.
Actually, (and I'm just being technical here) we call ourselves "The United States of America". People use the term "America" as shorthand, like "United States" or just "The States". The name America was taken from a great Italian navigator by the name of Amerigo Vespucci: Google for him, it's an interesting bit of history.
But I agree with your comment about the parent poster. Interestingly, a number of people seem to think the way he does. There's one word I can think of (again, I'm just being technical) that applies here... it's "hypocrisy." But hey, there's no accounting for taste.
The higher the technology, the sharper that two-edged sword.
And the user would have to download an .html to their machine.
In other words, this trojan requires you to download content from the internet. That's a lot higher bar than just typing in a random URL.
This allows the attacker to download malicious programs on to the machine.
Does anyone use the word "UPLOAD" anymore?
Trying to use sarcasm in text-based forums does not work.
The above link has been slashdotted.
The government which is strong enough to protect you from everything is strong enough to take everything from you.
And M$ thought they could slay all their security problems with one silver bullet, Data Execution Protection. Ha, security is more than silver bullets and magic pixie dust, it's an all encompassing effort.
Our buddy Amerigo must be rolling in his grave when he looks down and sees the "modern" version of the Vespa.
"Flyin' in just a sweet place,
Never been known to fail..."
Number of infections 0-49
Number of sites 0-2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Virus Definitions: (Live Update) Dec 29
Payload: Exploits system vulnerabilities and may degrade performance.
I hope you'll pardon me for saying that this rates as something less than headline news, even over a long holiday weekend.
Isn't this supposed to be some kind of news forum? ..." /. ain't what it used to be.
"trojan threatening windows
What's new about that ???
Guess
It is simply difficult to keep a Windows based machine secure, no matter how diligently a person visits Windows Update.
Yesterday I updated DirectX on my w2k machine. So I went to Windows Update and first downloaded all the new critical updates. So now my machine is "secure" (as far as MS is concerned). So I proceed to have Windows Update install DirectX 9.1. So now I have a secure box with the latest DirectX, right? Nope. I just happened to go back to Windows Update searching for something else, and see a new critical update has appeared - to patch the DirectX I just installed! Doesn't MS have the resources to pre-patch something like DirectX?
If that's too much work for them then shouldn't they at least notify the user that the software they are installing has known security issues?
Now I can understand that security issues will be discovered after a product has been released, however to distribute software with known security problems, without at least warning the user, should open the door for some lawsuits.
Dan East
Better known as 318230.
Your acronym building abilities (or lack thereof) are horrible... in both English and Canadian French. Yuck.
According to Symantec, all three metrics it uses for threat assessment (Wild, Damage, and Distribution) are low.
I don't have any specific knowledge of the 1st and 3rd metric, but from reading Symantec's own description of the Damage component:
# Payload: Downloads and executes remote files.
How could this rate low??? What could possibly be more damaging than a trojan that downloads and executes remote code?
Oh come on, Canadas not even a real country.
This is what is known as a "negative external" in economic lingo.
Basically, Microsoft does not care about the costs of security because it does not affect its bottom line. The costs are "external" to MS.
So, why does the government (meaning we, the people...) allow MS to cost industry, government and citizens billions of dollars without sanction? If this was Exxon spilling oil all over baby seals they would have to pay (a fraction) of the clean up costs and get all sorts of bad PR. With MS it's just Business as Usual.
Kind Regards
"A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
A tip for the law enforcement is to look for the evil hacker somewhere in Scandinavia. Besides being an anagram for help, "phel" is also Swedish hacker dialect for the word "fel" (which means error). It's a clever name for a virus exploiting an error in windows help.
I'm pretty tight with my money, and considered very frugal by my friends (read cheap), but I'm still enjoying my iMac DVSE from 1999. A G3 that is able to run my photoshop, movies, music, golive, web, email, and play starcraft. Granted most of my software is from 1999 as well. I bought a second one for the office for a steal. Check out the Apple store... I was recently tempted by a G4 eMac w/ a dvd burner for $799 refurbished. I think I'll wait and see if the budget Apple computer rumor is true though. Don't get me wrong, I'd love a G5, but I'll take whatever their base to medium computer is, and use it until it becomes unreasonable(such as my Macintosh classic became once the web replaced bulletin boards).
If you didnt know that Microsoft makes an alternative to XP called Windows Server 2003, now is your time to find out.
It is the most no-nonsense version of Windows I've seen since 2000, perhaps more so.
Security has to be part of the initial design, you can't retrofit it.
A motorcycle will always be inherently less safe than a volvo, no matter what else you do to it. (sure, a safe rider can be safer than an idiot in a volvo).
The design decisions that went into IE make it impossible to secure, not difficult, not expensive, but IMPOSSIBLE.
ActiveX is the most obvious example where functionality/usability/ease-of-use totally overrode security in the design. You can't fix that, just like you can't make a motorcycle safe by adding seatbelts (more here: http://sans.org/rr/whitepapers/awareness/1509.php)
Saying it's the user's fault is like giving someone a book of matches in a dynamite factory and saying "it's your fault for lighting the match".
IE is a wonderful inTRAnet explorer, filling out timesheets in a low-risk network. Using it on the inTERnet is like entering a demolition derby on a motorbike.
To whom it may concern:
It has come to our attention that the following copyright work(s):
"Help", by Lenon/Macartney in ASCII format
has appeared on your website without relevant approval or authorization. Please remove the offending page immediately, or Michael Jackson will get really cross and hold his breath until he turns blue.
Well?
We're waiting...
He can't hold his breath forever, you know!
I went to the FBI site quoted above and I can't find any Federal request for help on this.
"Computerworld" (an IDG company(Symantec)) are the ones who are requesting that people contact the FBI.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,98636,00.html
So if I go to the FBI website and make a comment that they should use our money "more wisely" (as in not supporting a buggy OS/Browser)... will they know what the fsck I'm talking about?
cheers
front
"...the MacOSX help system could also be manipulated remotely to execute arbitrary bash scripts..."
Which is of little practical use, since the exploit has to be run from a local file that has been specifically mapped to be opened by the help viewer (which means no serving from PCs). From memory that particular exploit was fixed within two weeks of notification.
"...though not as root."
Which means at worst the user's home folder could be deleted without warning or a couple of binaries might be installed (though not executed); the system would remain untouched.
So what you're saying is that Apple provided a timely fix for a minor flaw that was near impossible for anyone not actually in front of the machine to exploit. And this compares to Microsoft...how exactly?
I found this code with the help of pail. We did warn listservs and microsoft of this early. See www.michaelevanchik.com
I will not disclose a 0 day again I will not disclose a 0 day again I will not disclose a 0 day again I will not disc
is this surprising - they just keep doing the same crap over and over and over and over and over and over and over and over. can't wait till longhorn so I can laugh at all the fricken CEO's, Marketers, and other managers that force Microsoft's crap software on companies just in the name of getting their job done and have to hire all those expert MCSE's to help clean it up - meanwhile I'll still be running my linux servers doing the real work like DNS, DHCP, and the applications that actually run the business. Maybe someday these ceo's will realize what a scam microsoft actually is.
This ZINS variant is essentially a keystroke logger used by those infiltrating bank sites via stolen passwords and logins. The point is that this new variant came out right after the 1st of the year, and was found by a F/OSS built for windows spybot finder. According to Symantec this changes settings in the ever wonderful microsoft master list *aka - the registry (gawd I hate it).
...could be! But upon performing a search of said registry I sure enough found it. It was in the "google" search entries!!! Oh, great.
And Symantec gives instructions where to look and how to remove it. Funny thing though, it wasn't there. Could this spyware progie be kludged?
It only took "one" time, "one" use, in a windows environment to get attacked on this level. I do online banking from time to time -nothing fancy. I "almost" always do so in Linux using Konq or Moz, and for just such reasons than to avoid what happened. But being a musician that discovered DAWS systems with programs that only run in windows systems I have to keep a dual boot system. Well, I get careless (aka "stupid) and I use windows (firebird in win, FYI) one time to visit a "secure" bank site and BOOM!
Essentially, from an end-user's point of view with a modicum of knowledge about computers, Microsoft's patches mean diddly! All I can say is...
Ya, OK. That was fun.