Sober.P Worm Accounts for 5% of all Email Traffic
destuxor writes "The grave insecurity of the day is the Sober.P worm which is currently pushing nearly 5% of all email traffic at the moment. Unlike previous worms, Sober can disable the Windows Firewall and Symantec Antivirus. Interestingly, patched machines are not vulnerable to the exploits used by this worm. What are we going to have to do to convince "ordinary users" to visit WindowsUpdate once in a while?" update percentage corrected.
is that like the anti-tequila worm?
Oh better hurry and update iptables and patch my kernel and emerge sync;emerge -uv world... oh windows, they get all the fun!
Whenever your PC gets infected with a virus or 10 bits of spyware a large foot swings out from under the desk and hits you in the groin. It'd even work on them guys pretending to be women!
I like muppets.
I read that the article references that it only comprises 4.65 percent of all email traffic? Where does this article say 25 percent???
My UID is prime is yours?
What are we going to have to do to convince "ordinary users" to visit WindowsUpdate once in a while?
Easy. Make it an invite-based system. People take for granted what they can get effortlessly.
Add a cost to it, and people will appreciate and use it more.
From the first line ... 5%, not 25%. Big difference ....
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
Interestingly, patched machines are not vulnerable to the exploits used by this worm.
What is so interesting about that? It would only be interesting if the patched machines were still vulnerable.
Cheers,
RoadkillBunny
A nationwide (USA) TV expose (-ay) of how spam is sent and how "your kids PC is helping terrorists send unsolicited email" would bring that percentage down to 5%.
Ordinary users just have no idea. Many don't even know about Windows Update.
I think that there are 2 categories:
1. unaware users (like about all my neighbours and friends)
2. Users who do not want to patch their system into a less controllable state (hence SP2 trouble).
I think better filters at mailservers could help:
The content of the mail may be unknown (different headers all the time), but the attachment is known. A simple filter should be able to get rid of it, no need for very expensive antivirus software.
My wife's sketchblog Blob[p]: Gastrono-me
I use a Mac...I have no problems.
I use Linux...I have no problems.
(however, my email box is filled up with these stupid Sober.P-generated messages)
What will it take for people to switch? All of the news reports I've heard this week about Sober.P don't even mention that it ONLY affects MS-based PCs running Outlook. I would think that the news industry would at least do one minute of digging and include this little nugget of information to help its listeners/viewers.
TDz.
It's been my experience that it is almost impossible to get ordinary (read: non-computer) people to update their machines, be it Windows or Norton Virus updates. The only way that most of them will get these updates, ever, is if 1. Someone does it for them, or 2. If it is automated, and does it for them.
Otherwise, they just don't see the reason to, don't have the motivation to, and just plain don't care.
be brainwashed into believing that the computer is an easy to use appliance, like a toaster or TV, and NOT a potentially hazardous tool like a chainsaw.
That this has become the holy grail of huge numbers of Linux aficionados is likely the worst thing there is for Linux. Instead of promoting Linux as the 'thinking man's alternative' most of its fanbase has bought into the whole 'computer as appliance' mindset.
Give a man a banana and he might choke on the skin. Teach him to peel and he'll be hell's bells.
That works, until they or a relative disable it.
Most people don't have broadband; Windows Update takes a long time when all you want to do is get your email.
Now, if they graduated from an HTTP download to rsync, the download size would be significantly smaller.
An even better solution would be to have the source code on the computer, and have the machine compile the patches locally from a (much quicker to patch) source code. Of course, they'd need to find a way to securely encrypt the source code so those "evil GPL coders" don't peek.
I get _TONS_ of logs from various ssh-worms roaming around these days.
What are we going to have to do to convince "ordinary users" to visit WindowsUpdate once in a while?"
The problem is, Microsoft went a long way to tell people that no, they can not trust them when it comes to privacy. People from random businesses around here are pretty paranoid now -- I've talked to the CEO of a ~300 employees big company who, albeit a non-technical user himself, went on a long tirade about not letting Windows phone home.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
As much as I'm a Linux fanboy, that's not going to solve the problem.
Setting aside the debatable 'inherently more secure' argument, unless distros start doing something rash like including and starting an 'apt-get update && apt-get upgrade' cron job, they're going to hit the same problems if a nasty worm comes out that affects one or more distributions of Linux (eg. a SuSE worm, etc).
But if you slashdot the Sober.P worm, who wins?
I have tried using windows update on several machines over the years ever since it came out. All I ever receive in return are page script errors, stalled connections and general frustration of all kinds. I especially hate waiting for it to do something after god knows how long only to have it error out and start all over again. I gave up on windows update long ago which is fine because I generally follow and advise others to follow the rule of 'if it ain't broke then don't fix it'.
I dunno. Maybe we should stop running all those stories about how evil WindowsUpdate is, and how Microsoft is spying on your computer?
And proclaiming to the heavens that <insert my linux distro> doesn't need updates because it's secure?
Isn't life full of little surprises!
*blinking cursor*
Rsync isn't really an option for updating windows since the patch usually changes few dlls to different ones.
Most people don't have broadband, but most people don't have fast computers either, it might take long time to compile the source distributed update.
And your average joe won't have compiler on their machine anyway.
I'd remove compiler from linux workstations too. The normal user, who surfs and reads email on the machine, won't have any need to compile things.
If local patches were used, I wouldn't worry about gpl coders peeking the code. I'd worry about worms patching the source code and creating new holes through modifying patch sources.
There are no atheists when recovering from tape backup.
"a potentially hazardous tool like a chainsaw."
last time i severed my leg with my computer, i was reminded of this fact.
The object of linux SHOULD be to make the computer as easy to use as possible, because the people who care about how their computer actually works are a statistical minority of computer owners. The reason these viruses spread is that people REFUSE to be educated. If your goal is to become a mainstream OS [which I'm not convinced yours is, but it seems to be the goal of the majority of the linux community], your job is to offer more noticeable features [e.g. less slowdown due to viruses, etc] than windows without adding any more required user input.
joe blow doesn't want to think about his computer. he just wants it to play deer hunter 2005 faster.
It doesn't have to be in the same high-level language the OS was written in; it could be a compiler-specific intermediate language, like GCC's SSA.
Such an arrangement offloads some of the compiling process to Microsoft's servers, and obfuscates the patch.
The compiler included with the OS doesn't even have to support any other language. And it can require a signed certificate from Microsoft to accept the code.
Non-computer-oriented users have no idea what is possible or what is necessary or, usually, even that their system is compromised and is spamming the crap out of their neighbors. As long as it puts up the pretty desktop and does the few things they have always understood, why should they do something they don't understand that will have no obvious benefit (to them) and might make it stop working?
Brackets contain world's first nanosig, highly magnified:[.]
Windows Update downloads in the background, and allows other programs the bandwidth they need. It should never be a problem, even over dial-up. If you didn't have the patience to wait out the download of SP2 over a slow connection, you could mail order it on CD from Microsoft, no charge, even for postage.
If virus writers ever changed their tactics from one of "sneak in and just borrow their CPU cycles and bandwidth for my bot-net" to one of "let's infect, spread, then kick them in the nuts" people would take notice once again.
Several years ago there was a virus that went around replacing jpegs with copies of itself (or something). My friend had a struggling web-hosting business where he hosted websites for about 100 different small mom-and-pop shops. Even though I warned him about the risks of viruses and that he should run his site with Linux/Apache he didn't listen. That virus wiped him out.
No, he didn't have up-to-date backups. But guess what? He keeps meticulous backups now and keeps his computers patched with up-to-date virus software and only connects to his web server via ftp (no mounted shares any more).
Alas, he still hasn't embraced Linux or OS X, but at least he's not part of the problem any more.
Just think what would happen if a virus spread around and just looked for .xls files and quietly changed all the 3's to 7's? How far back would companies have to go into their backups to be sure they had a known-good copy? D'ya think they might take viruses and security more seriously then?
The last major hassle we had with a worm was primarily due to the enormous amount of traffic it generated, bringing our networks to their knees. That was an annoyance to management, but they saw it as a network problem - not a virus/worm/security problem.
One of these days some one or some group is going to unleash a virus that really IS going to do real damage. Maybe then people will realize that they aren't sitting in front of an internet toaster, but sophisticated computing device that has a tremendous impact on many aspects of all of our lives.
"terrorism" and "pedophilia" are the root passwords to the Constitution
That won't work. Irresponsible users will always be irresponsible, no matter what OS they are using.
If that is your case, consider the user's responsibility and skills.
If he has no computer skills at all, just change his settings without him knowing.
If he thinks he has lots of computer know how, but really is some inexperienced (and irresponsible) n00b, I suggest tricking him into doing things securely appealing to his 133tness ("Only ordinary mortals use IE6, we hackers use IE7 firefox edition", the firesomething extension might be useful in that case).
If he's responsible, but reluctant to change, wait for him to screw up, make him feel bad for screwing things up (just letting him know how much effort it takes to reinstall a workstation usually works) and them offer him a chance to do things securely. If doing things securely is not a hassle (activating windows update, for example), he will not change back either because the same inertia will make him stay secure, or because he sees the benefit of doing things securely.
There are more things to consider, but that should be a rough guide. Some people do not know how to use a general purpose machine, and would be happy with a "web browser" (or other) appliance. You cannot let these people loose with root privileges.
GPG 0x1B479C78
We all know microsoft has a lot of money. Why don't they just send out a s*** load of Patch CD's just like what AOL does.
Also keep a numbering system on the CD's that any moron can keep track of.
Hell I'm sure you could get away with putting them in common places.. like bestbuy, Walmart, Safeway, etc.
No, it really wouldn't, seeing as the Windows source takes days for a full build. The install size alone difference would make this a fucking retarded solution.
So why doesn't MS offer a monthly CD update subscription? Why aren't there CDs at Best Buy, Circuit City, WalMart, etc. that have SP2 and updates on it? Heck, AOL can get their CDs there to get people to sign up for service.
I can't imagine many take advantage of the SP on CD option from MS now, I don't think many more would sign up for a monthly update cd at a minimal cost ($10/yr to cover shipping, etc.?) either.
If you install XP today and SP2 from a cd/whatever, you still need over 20 MB of downloads to get up to date on your updates, and god forbid if you don't have SP2 around on some sort of media or local archive. How long do you think that will take on a modem? What was that average time to infection for an unpatched machine plugged into the 'net?
Don't blame me, I voted for Kodos
What are we going to have to do to convince "ordinary users" to visit WindowsUpdate once in a while?
From what one can read on online forums and personal experience, many people are afraid to use windows update because they do not have a valid serial, or in other words, they're using windows illegally. Unlicensed copies keep windows monopoly, but it is also giving it bad fame because people are afraid to update their system.
It's not hard to lock down a mailserver, and it's not hard to make it scan all incoming/outgoing mail for spam and for viruses. Hell, it's free if you use Postfix/Mailscanner/ClamAV/Spamassassin.
No ISP should be running an SMTP server that doesn't scan for viruses. It's just irresponsible. There are a few viruses that setup their own SMTP server on the users machine, yeah, but that's easily solved by blocking outgoing connections to port 25 on the network, except from the ISP's own mailserver. If all ISPs did those 2 simple things, e-mail viruses would almost be wiped out.
It's basic stuff, and it drives me nuts that precious few ISPs do any of it.
... not a problem?
have you actually... you know.. tried upgrading to sp2 over dialup that costs per minute, like what the dialup is in most of the world?
of course it wouldn't be a problem if you were online on that dialup 24/7... but very few people are.
world was created 5 seconds before this post as it is.
It's interesting because it means that there are still enough unpatched machines out there for a worm to gain serious traction without uncovering new technical vulnerabilities. Worms that hit patched machines are technologically interesting, but those are problems that can be fixed (eventually) by patching. A technological problem with a technological solution.
But it appears that even if a putative Service Pack 3 were flawless, there would still be massive worm activity in those who haven't patched. And if they haven't patched by now, they're not gonna, and that means we're going to be dealing with this problem for a long time to come.
It's a non-technological problem, so there may not be a technological solution. (Me, I'd like to see ISPs start throttling infected users, but that's a whole separate can of worms.)
What is to stop a worm from modifying the code that checks the signature so it thinks any code is valid? While cracking modern encryption is not practical, cracking the if-then statement that only allows the code to be compiled if it has a valid signature is relatively easy. Many of the cracks for manual checks in old games worked this way, they replaced the if 'word_correct=1 then rungame else abort' code with 'if word_correct=1 then rungame else rungame' so that anything could be entered when it asked for a word from the manual.
If a student or member of faculty comes in with malware problems for the first time, I fix it for them and I give them a Gentoo Linux install CD to go away with. If they come back with viruses/spyware a second time, I tell the luser to stop bothering me, and that I gave them the solution to install last time.
Remind me not to hire you after you (maybe) graduate.
Even though I've visited Slashdot for what seems like 7 years now, this is the first time I'm commenting. I'm commenting because this article couldn't come at a more prime time.
The organization I work with got the Sober worm, filling up our mailboxes exponentially. Even though we are primarily a Mac house, some individuals probably accessed our mailserver with Windows based mail clients (at home?) and perhaps facilitated the spread of this virus.
It sure is a nasty one. I wrote a procmail recipe to block out .zip files, to no avail... it seems to still slip on thru for some odd reason. As much as I tried to get our server's host to help us curb the problem, they would push their current marketing ploy.
I'm kinda lost, with a growing procmail folder with the isolated emails (roughly 4gb in size now) -- and some like (100 emails a day) slipping thru. I've emailed all users suggesting removal tools like Stinger but still!
Anyone have some proactive suggestions? Would ClamAV prevent this from perpetuating on the server-side?
We are currently wasting bandwidth and people time to indulge ourselves in a server side solution.
Anthropology.net - Beyond bones and stones.
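An added example (not from the thread) of the server-side attachment check that both the earlier "the attachment is known, a simple filter should be able to get rid of it" comment and the procmail question above are asking for. A header-only recipe misses attachments whose name is only in the Content-Type `name=` parameter, whose case differs, or whose declared type hides a ZIP; this filter decodes each MIME part, recognises a ZIP by filename, content type or the `PK\x03\x04` magic, and looks inside readable archives for executable members. All sample messages and archives are constructed here, not captured worm mail.

```python
"""Attachment-based quarantine check for mass-mailer worm traffic."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"                      # ZIP local-file-header signature
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def part_filename(part) -> str:
    # Mailers put the name in Content-Disposition filename= or Content-Type
    # name=; check both and compare case-insensitively.
    name = part.get_filename() or part.get_param("name") or ""
    return str(name).lower()


def zip_members(payload: bytes) -> list:
    """Lower-cased member names of a ZIP payload, or [] if not a readable archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def risky_parts(raw: bytes) -> list:
    """Return (reason, filename) for every attachment that should be held."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part_filename(part)
        payload = part.get_payload(decode=True) or b""   # base64 is undone here
        if fname.endswith(EXEC_EXT):
            found.append(("executable-name", fname))
            continue
        is_zip = (fname.endswith(".zip")
                  or part.get_content_type() in ZIP_TYPES
                  or payload.startswith(ZIP_MAGIC))       # disguised name/type
        if not is_zip:
            continue
        if any(m.endswith(EXEC_EXT) for m in zip_members(payload)):
            found.append(("executable-in-zip", fname))
        else:
            found.append(("zip", fname))
    return found


def should_quarantine(raw: bytes) -> bool:
    return bool(risky_parts(raw))


def make_zip(inner_name: str) -> bytes:
    """Constructed sample archive holding one harmless text entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "constructed sample, not malware")
    return buf.getvalue()


def build_message(attachment, filename: str, ctype: str) -> bytes:
    """Constructed sample message; attachment=None gives a plain text mail."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Your new password"
    msg.set_content("Please see the attachment.")
    if attachment is not None:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(attachment, maintype=maintype,
                           subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "zip-with-exe": build_message(make_zip("readme.exe"), "Details.ZIP",
                                      "application/octet-stream"),
        "disguised-zip": build_message(make_zip("notes.txt"), "photo.dat",
                                       "application/octet-stream"),
        "plain-text": build_message(None, "", ""),
    }
    for label, raw in samples.items():
        print(label, should_quarantine(raw), risky_parts(raw))
```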
Really? That must be so nice. I can't wait to tell my parents (over dialup) and my roomie's parents (over dialup in a dinky village in Wales) how cool it is to download all of SP2 over a slow connection. The mail order bit is sensible, but your suggestion of Windows Update not being a problem over dial-up is a load of bollocks.
It can and often will break your machine's current state and render multiple applications inoperative.
I've had a lot of Windows patches kill applications. Most notably Adobe Premiere, Internet Explorer, Visual Studio, and a load of older third party shareware/freeware apps. Often enough a reinstall of the application fixes it, sometimes... not.
The biggest problem isn't a lack of patches being applied although it is a big problem. The biggest problem is that people still insist on using e-mail as a way of conveying web-like information without regard to its origin or nature. I know a lot of people, some family, who would never ever visit shady porn sites and the like who nevertheless, display all their e-mails in full HTML format with Active X, Javascript, and the rest turned on full blast. Then they select each e-mail in turn, opening it by default in the preview pane of MSOE and just to make sure it really is spam, will also click on the attachments as well.
Of course, I was seeing this same thing more than seven years ago in corporate offices never mind home PCs. Absolutely nothing has changed. Any time a user allows code to run, they take the chance that code will be designed to undo their protective shields including anti-virus, anti-spyware, and firewall services. Those services are not designed to act like viruses themselves and resist deactivation (with the exception of NAV which acts that way by an idiot structural flaw rather than purposeful design) at all costs. Oops.
What Microsoft could do is create a bootloader that worked from a separate partition and scanned the as yet not activated main OS partition for rootkits and viruses and removed them before the OS could be started along with them. Problem is, we can't ever know that MS didn't fark the system up with spyware of their own to check that DRM wasn't messed with, that we weren't using warez'd MS products, or even working on behalf of the *AA agencies to root out and destroy MP3s and so on.
Another solution is to make all web applications including and especially MSIE work only inside a virtual machine within Windows where it was quarantined from outside system interaction and had to pass a fine-grained security checkpoint to interact in any way with the outside short of mere audio-visual output. In other words, scripting that was doing something with a web page would generally work, something that wanted to browse the file structure would have to be signed, the user would have to constantly say yea or nay and enter a password. Anything to slow down the interaction, log it, control it.
I seriously doubt we will ever see it of course.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
"I work at a University IT helpdesk, and after far too many malware problems from far too many dumb lusers (and many of them repeat visits), I've adopted a new policy. If a student or member of faculty comes in with malware problems for the first time, I fix it for them and I give them a Gentoo Linux install CD to go away with. If they come back with viruses/spyware a second time, I tell the luser to stop bothering me, and that I gave them the solution to install last time."
Let me guess - all those stereotypes about antisocial computer geeks seem to have originated in your general vicinity, am I right?
#DeleteChrome
Write a virus that will infect unpatched machines, then patch their machines for them. (and set their homepage to www.windowsupdate.com while its at it. They wont know how to change it back so they will have to visit it more often)
All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
Someone should write a white-hat worm that brings the machines up-to-date with security patches, turns on auto-update, sanitizes the computer and reboots...
Before everyone starts screaming that you can't release a white-hat worm, please consider the situation we are in today; Hundreds of thousands, if not millions of zombie machines are sitting out there doing the bidding of criminals to extort money from sites that fear DoS, fill our inboxes with Spam, spread virus and trojans that install keyloggers, attempt to get access to your financial and other accounts, etc.. etc..
On the one hand, we have total anarchic hacker mayhem (today) and on the other, a sanitized Internet at the cost of using the techniques employed by the shadowy side of society.
I really doubt that many people would have issue with this. Hell, it should be done in the name of national security. Really... And anyway, if your machine is susceptible to a white hat worm, it is equally susceptible to the bad stuff, which means it is pretty much guaranteed that you already have a bunch of nasty stuff installed on it. A white hat worm will provide some relief.
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
Installed XP. Connected to network to install updates (On 100Mbit internet connection) It got a virus within 60 seconds of connecting, while it was still downloading the updates. :P (This happened around the time SP1 was released)
All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
Damn, I was about to moderate, but I couldn't resist this...
Sure, Ford should be liable if your new F150 kills your neighbor by launching missiles at him when you turn it on. But they should not be liable if your new F150 kills your neighbor because you ran over them.
Most computers are reasonably safe, at least as much as the average car. But most computer users nowadays are the equivalent of drunk drivers. You don't blame Ford when their car didn't automatically stop someone from driving over someone else. You blame the drunk driver.
So, you don't blame Microsoft too much when an unpatched Windows box kills ten other unpatched Windows boxen. You fine the user who didn't patch the fucking box.
Don't thank God, thank a doctor!
The open source community should do this.
Step 1: Develop the ultimate virus/worm platform -- include a bytecode engine, polymorphism, have it jack into something Freenet-like so users could manually update the network.
Step 2: Get lots of press for your examples of honeynets completely nuked, and how long it took. Show estimates of how long it would take to destroy every computer on Earth with Internet access (including flashing the motherboard, etc.) and predict a Y2K-like apocalypse if terrorists ever get their hands on this and there's tons of unpatched Windows machines.
Step 3: Watch the news media declare vulnerable platforms like Windows and OSX to be "unpatriotic". Watch thousands of developers and hardware vendors and, yes, even end-users rush to put everything on something actually secure, like Linux or BSD.
Remember: Linux IS more secure now, because would-be terrorists (all the teenage hackers of the world) have an incentive to fix Linux instead of try to break it.
Step 4: If Step 3 fails, watch someone, somewhere, sometime, actually finish the job. In a matter of hours, every insecure box in the world goes down, hard, never to rise again. Hard drives wiped, firmware flashed... It'd be a massacre. Then, when the world finally wakes up, watch Step 3 again.
Remember, if I implemented this plan, I'd never actually pull the trigger. I wouldn't be doing anything illegal. That is, unless Congress decided to pass some DMCA-like laws to prevent the development of anything which could be used to 0wn people...
Don't thank God, thank a doctor!
When will people learn to stop running as admin? Limited users cannot disable the firewall. Just running as a limited user restricts these things. If you have apps that require admin rights, right-click on it and choose "runas". Google for Aaron Margosis and use some of his advice.
I work at a University IT helpdesk, and after far too many malware problems from far too many dumb lusers (and many of them repeat visits), I've adopted a new policy.
If a student or member of faculty comes in with malware problems for the first time, I fix it for them and I give them a Gentoo Linux install CD to go away with. If they come back with viruses/spyware a second time, I tell the luser to stop bothering me, and that I gave them the solution to install last time. Linux is an OS immune to these kinds of problems.
Let's hope you get fired sometime soon.
Seriously, that's no "help" to them. You're not fulfilling the role of a "help desk". Maybe you'd like to take the support calls that Windows-only software isn't working anymore (nor under WINE)? Windows isn't a completely worthless OS.
And I suspect the reason you're giving them Gentoo is a) you're too stupid to know how to secure a Windows machine. Believe me, it's very possible. and b) you're too stupid to pick a reasonable distribution. Gentoo install is not quite what a "luser" needs if they want Linux. Try Knoppix next time, if you really want to continue your anti-Windows crusade.
And do you think you're really converting anybody? You're just turning people away from the helpdesk and sending them to friends who actually know the answer.