"Dasher" Worm Brings Christmas Keylogger

An anonymous reader writes "A worm called 'Dasher' is exploiting a flaw in Windows that Microsoft issued a patch for in October, dropping keyloggers on infected machines, according to F-Secure. The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. It appears from the Microsoft advisory that Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Update: 12/17 17:20 GMT by Z : Fixed link to SANS center.

They do not need to bother

They can just go ask the NSA what is going on.

Impractical amount of data?

[PurifyYourMind]

Wouldn't sifting through data from potentially hundreds of thousands of machines (for popular viruses/worms) be difficult-to-impossible? Or maybe there's a way to determine which account are, e.g. admins on large IRC servers or otherwise useful.

Re:Impractical amount of data?

[Ruff_ilb]

I'm sure writing a program to scan through files for a username/password type of entry wouldn't be difficult at all. Most of the important data (Email addresses, usernames, passwords, credit card numbers, etc) are in static format, so they're easy to distinguish from random typing (like this).

Re:Impractical amount of data?

[Kijori]

That depends on the resources of the group behind the attack. If this is an individul importing all the data into a database, then yes, it would be nearly impossible for them to make any real headway. If, however, it is a government faction running a pseudo-AI program to sift out useless data before passing it onto a few hundred minimum-wage key pounders, then very large scale breaches are not only possible, but likely. Of course, the programming errors alluded to in the summary suggest the former over the latter, but even so we need to consider the possibilities of a well-funded group using a virus like this to hold large companies to randsom or just to disrupt the internet. Should help drive people to Linux though, so there is a good side.

Re:Impractical amount of data?

[Dorceon]

Grep for strings likely to precede useful input, like "myciti.com"

Re:Impractical amount of data?

[tpgp]

Wouldn't sifting through data from potentially hundreds of thousands of machines (for popular viruses/worms) be difficult-to-impossible? Or maybe there's a way to determine which account are, e.g. admins on large IRC servers or otherwise useful.

I think it would be trivial to write a script to go through the data looking for email addresses & credit card / bank account details.

I'm sure thats what the author is after....

Re:Impractical amount of data?

[Xarius]

You think Linux is somehow immune to keyloggers?

Re:Impractical amount of data?

Plus a lot of people press the "Tab" key between their username and password, that's gotta be a good hint.

Re:Impractical amount of data?

[RockModeNick]

actually, I would think the goal is to get passwords to secure goverment computer enviroments - the easiest way to do that is through people making mistakes, not attacking the systems. If you know from automated datasorting that the owner of the computer this data is comming from works for say the FBI, there's an offchance he's ignorant enough to use the same passwords at home and at work - enough of these and you could get into many systems.

Re:Impractical amount of data?

The people who use the mouse to select the next field are the ones who tend to not update in three months.

Re:Impractical amount of data?

[amazon10x]

You think Linux is somehow immune to keyloggers?

It's immune to this keylogger.

Re:Impractical amount of data?

[pj_rutledge]

I maybe wrong but couldn't you get the client side keylogger to filter the info to find credit card numbers and only transmit those back?

Re:Impractical amount of data?

[irc.goatse.cx+troll]

Or to make a keylogger thats smarter than just recording all keystrokes, for example recording an id for every window opened, and showing which windowid was switched to. Then sifting through it becomes infinitely easier -- You could flat out ignore anything in windows of no interest to you(games), but then smart-search through firefox and ie looking for account data.

Re:Impractical amount of data?

[Kijori]

I think you're much less likely to get hit by a keylogger running Linux than Windows, and that you're 100% less likely to get infected by this keylogger. Linux isn't perfect, but the more people use it the better it gets, unlike Windows which just becomes the target of more hackers and virus writers with no associated increase in bug-fixing.

Re:Impractical amount of data?

[toadlife]

Yeah! Let's drive all of the ignorant/apathetic users of Windows over to Linux. Then we can read about Linux worms that infect the millions of unpatched linux boxes.

Re:Impractical amount of data?

[toadlife]

"The more people use it, the better it gets?" I don't get that train of thought. There are only so many people that can hack on Linux code, and most vulnerabilities in any platform are completely unrelated to the kernel anyway. If a bunch of ignorant people used Linux, it seems to me it would only make Linux what Windows is today - a platform with a huge bullseye on it.

Re:Impractical amount of data?

[teslar]

I think you're much less likely to get hit by a keylogger running Linux than Windows, and that you're 100% less likely to get infected by this keylogger. Linux isn't perfect, but the more people use it the better it gets

Mmmm... I can only really agree with you on the 100% point concerning this particular keylogger.

For the rest.... I think it would be pretty easy for me to write a little useful app, which also happens to log all your keystrokes and just release it, maybe package it as a .deb and .rpm and just mass-distribute it. Sure, I'll be found out, but not straight away and I can do a lot of damage in the meantime. The beauty is, I could even release the source of the entire app and the chances that someone will go through it and find the keylogger are pretty slim. I could probably name a couple of files keylogger.c and backdoor.c and it'll go undetected for a lot of people.
The people that do find out will of course spread the word very quickly in their circles, but the people that do not find out are not likely to be in those circles - newbies in particular, running Ubuntu or Suse and not very sure about how all this linux thing works will be a good target. I think on the whole, it would go undetected and unfixed pretty much on a same timescale as a Windows worm. Damages will be limited due to a lesser distribution and not running as root, but they will be there.

The last point you mention, linux getting better as more people use it, I find very hard to believe at all. I see what you mean - linux will get better as more developers, i.e. serious professional programmers who know what they're doing, join but not as more people just use it. I'm pretty willing to bet, that of 10 new linux users, 1 will try to improve it, 3 will have an in-depth interest, unafraid to recompile their kernel or to try things out, but the rest will be your Joe Average, finally convinced by his geek friend that he should use it instead of Windows. He will not change his default configuration that came with his user-friendly distro, he will certainly not know of, or touch any configuration file, and if you say that you have an application which automagically crawls the net for Anna Kurnikova pics, he will download and install it The more people switch to linux, the higher the number of absolutely clueless people will be. This won't make linux worse or better, but it will increase the number of targets for malicious people.

So, in summary, I do think it would be relatively easy to install a keylogger on other people's machines and the more people use linux, the easier it will become to achieve a significant spread.

Re:Impractical amount of data?

[iccaros]

Hmm. While I have to agree, that it would be easy to write, getting it installed is another matter. While you could make the package, the clueless who would just install anything will not use the command line, will not know how to install anything no in the package manager, (is that not why Linux is so hard.. to hard to install software;) so it would have to be included in the stable branch of what ever distribution (ubuntu, suse, mandrake), Fat chance on that.. or walk a person through the process to add your site to their package manager with .. probably not happening.. Stupid people fear the Command line.. as these users use Synaptic instead of apt. So what user could install this source, a knowledgeable user maybe? But not a new unknowing user.. now the better point.. this worm is not installed in windows , by the user, it seeks out random address and installs its self on unprotected systems, this could not happen on a *nix system, unless the person was running as root, on the Internet, reading email, randomly clicks ok to a package manager (even if they are not running it), or misses the big slowdown as software is compiled. So While you could make a keylogger for Linux... it would be really hard to get anyone to install it... even if it did say it could grab porn from the net.. too may steps for most to bother ..

Re:Impractical amount of data?

[toadlife]

"it seeks out random address and installs its self on unprotected systems, this could not happen on a *nix system, unless the person was running as root, on the Internet, reading email, randomly clicks ok to a package manager (even if they are not running it), or misses the big slowdown as software is compiled. So While you could make a keylogger for Linux... it would be really hard to get anyone to install it... even if it did say it could grab porn from the net.. too may steps for most to bother .."

Huh? Root is not required on Linux to run executables or connect out to the Internet, and software does not have to be compiled to run in Linux. If all of that was true, Linux wouldn't be a very appealing choice for a desktop system. A standard elf binary that relies on vanilla, or no libraries, or a simple shell script will run on 99% of Linux systems (and large chunk of BSD systems) out there. All that is required is a large number of users and a vulnerability in a common application or daemon. Buffer overflow vulnerabilities take care of the 'files not executing by default' problem in Linux. One a buffer overflow vulnerability is exploited, a binary can be dropped onto the system and it can set itself to run, in the user's crontab, in the ~/.kde/start folder, or whereever. Also, you should never underestimate the stupidity of computer newbies. If linux had the same number of naive users as Windows, mass email worms where executables are contained inside of archives would be able to propogate.

The malware could easily run under the user's permissions and connect out to random addresses trying to infect other hosts, connect to IRC servers and be a bot, or act as a file server. The possibilities for malware on Linux are as endless.

Re:Impractical amount of data?

[NetRAVEN5000]

Let me ask you this.

Say I'm a hacker, right? And I notice a bug in some open-source code and I notice a bug in MS' new version of IE.

Now I'm a good person, but I don't have access to the IE code. So I can fix the open-source code, but all I can do about IE (or any other MS product) is tell them and hope they'll fix it but many don't since MS doesn't see them as a problem.

The only way to get them to fix it would be to prove to them that it IS a problem.

Sure, there's a lot of bad people who want to do harm, but most of us nerds who know how to code want a secure, stable OS and we can fix the problem as soon as we see it.

"If a bunch of ignorant people used Linux, it seems to me it would only make Linux what Windows is today - a platform with a huge bullseye on it."

Why?

Do you really think that if "a bunch of ignorant people used Linux" we nerds would switch over to something else, just because the average user is now using Linux? There'd still be the same number (if not more) of contributors to Linux, so we'd still get problems fixed at the same speed or faster.

And Windows is "in the crosshairs" (so to speak) because of its gaping security holes. Do you really think that a PROFESSIONAL hacker would want to find YOUR social security number, or YOUR credit card number? Do you really think that an EXPERT hacker would waste his/her time on an individual or small business rather than big corporations that use Unix-based systems, like Yahoo! or DaimlerChrysler? If they're going to do something illegal - and they're good at it - they're going to go for the big stuff. Think about it - if you were real good at stealing cars, would you go for the Neon or the Porsche?

Sure, maybe if they could get lucky enough to hack into Bill Gates' computer, but I'm sure MS has plenty of security systems in place to make sure that doesn't happen.

Re:Impractical amount of data?

[NetRAVEN5000]

"Root is not required on Linux to run executables or connect out to the Internet, and software does not have to be compiled to run in Linux."

You're right, but any program that is run by a non-privileged user (without running su or sudo) can only affect the files and folders that can be modified by that user. Running a virus program as an unprivileged user will only infect that user's files - just delete the user's files, delete the account, create a new account, copy a backup of the user's files, and you're good to go. It might still be a pain in the ass, but it beats completely reformatting and then copying the backups to the user's folder.

"Buffer overflow vulnerabilities take care of the 'files not executing by default' problem in Linux."

If the program is not executed, then how can it take advantage of the buffer overflow vulnerabilities? The virus has to be executed before it can start messing things up.

"Also, you should never underestimate the stupidity of computer newbies. If linux had the same number of naive users as Windows, mass email worms where executables are contained inside of archives would be able to propogate."

That's why most (or at least many) distros have auto-update tools. SuSE has susewatcher, and Red Hat/Fedora has something else, and I'm sure many of the others have their own tools. This helps to ensure that your computer has as few vulnerabilities as possible.

"If linux had the same number of naive users as Windows, mass email worms where executables are contained inside of archives would be able to propogate."

Sure, if you're stupid enough to install a program from just anyone who e-mails you.

People this stupid are rare nowadays, even in the Windows crowd.

"The malware could easily run under the user's permissions and connect out to random addresses trying to infect other hosts, connect to IRC servers and be a bot, or act as a file server. The possibilities for malware on Linux are as endless."

No. It's not as simple as that.

Linux chat clients/e-mail clients/etc. don't have stupid "features" like MS' VBScript (which is what makes Outlook/Outlook Express so vulnerable) that makes them auto-execute code. And, like I said, a user-space infection is a fairly easy fix since it only affects that user's files - yeah, you still better hope you've got a backup, but you don't have to reinstall like you do in Windows.

Re:Impractical amount of data?

[NetRAVEN5000]

"Sure, I'll be found out, but not straight away and I can do a lot of damage in the meantime."

No, you can't "do a lot of damage". How do people find out about a Linux app? They hear about it from the Linux sites where the Linux nerds tear them apart and look at their code to analyze it and learn from it. Sure, some misfortunate user might stumble across your code, but it's not likely that they'll ever hear about it unless you trick them into running it - and even then, they might not know how to run/install it.

Plus, you wouldn't believe how hard it is to make an app capture keypresses that occurred in another app. Of course, it can be done, but it's not just as simple as using GetKey() or something.

"The last point you mention, linux getting better as more people use it, I find very hard to believe at all."

No. If you go to a school - any school - and walk into a computer programming class where they're learning, say, C++ or Java. . . 99% guaranteed they'll be learning to do it on a Windows computer. If more students and schools used Linux, there'd be a much higher chance that they'll be learning to do it in Linux. So in effect you actually would have more people programming in Linux (or at least learning to do so).

"The more people switch to linux, the higher the number of absolutely clueless people will be."

The amazing thing about people is that most of them tend to learn from their mistakes. So, while you could do this, many people would find out and learn the hard way from their mistake. After all, even most Windows users have started to wise up about just clicking anything that appears in their inbox - in fact, a good portion of them have even realized that, hey, the last virus they got, they got from IE so maybe it'd be better if they used Firefox or something else.

Re:Impractical amount of data?

[toadlife]

"Say I'm a hacker, right? And I notice a bug in some open-source code and I notice a bug in MS' new version of IE.

Okaaay.

"Now I'm a good person, but I don't have access to the IE code."

So, why don't you just *report* it to them?

"So I can fix the open-source code, but all I can do about IE (or any other MS product) is tell them and hope they'll fix it but many don't since MS doesn't see them as a problem.

So quit bitching and just tell them about it. If they sit on it, release a POC on the net after 45 days or so. This is a rather flawed argument anyway because it is based on the presumption that A) and open source project would WANT your fix, and B) Open source dev teams never downplay vulnerabilities, abd C) Big coporations allways downplay vulnerabilites. The same ego that leads big corporations like Microsoft and Oracle to downplay vulnerabilities leads OS developers to do the same thing. The Mozilla dev team has done it multiple times since the release of Firefox 1.0.

"The only way to get them to fix it would be to prove to them that it IS a problem. "

The like I said, be nice and report it. If they ignore you force them to act by releasing a POC on the net.

"Why?" [would linux become a target if everyone used it on the desktop]

Because Malware authors today are in it for the money. There is a ton of money to made on owned machines, and peoples' idientities. Weather the dominant platform has a Window a Penquin or an Apple for a mascot means nothing to the people who are out to make money.

"Do you really think that if "a bunch of ignorant people used Linux" we nerds would switch over to something else, just because the average user is now using Linux?

Perhaps. If everyone's grandma started using Linux, it would become a haven for malware, and thus not as appealing as other good free OSs like FreeBSD or Solaris.

"There'd still be the same number (if not more) of contributors to Linux, so we'd still get problems fixed at the same speed or faster."

The speed at which problems get fixed is irrelevant when you throw ignorant users into the mix. Look at some weblogs, and you'll notice that a large percentage of firefox users are still using version 1.05 or earlier, a version for which remote code execution exploit code was released a few days ago. What do you think would happen if 70-90% of web users used Firefox? Do you think adware distributors who are out to make money on ad revenue not target firefox users because it's an open source app? There are remote code execution exploits for earlier versions of firefox too, and many users are still using 1.0. Firefox users are supposedly 'savy' web users yet they continue to click around the net using exteremely vulberable versions. The fact is, many people don't update their software like they should because they simply don't know any better. A recent linux worm is still out in the wild despite the fact that it exploits a couple of fairly old vulnerabilities and the worm itself is over a month old. I run awstats on one of my webservers and updated it at least a month before the worm came out, but it's pretty obvious that many other people didn't.

"And Windows is "in the crosshairs" (so to speak) because of its gaping security holes."

What "gaping security holes" are you speaking of? Do you mean the two months patched vulnerability that the newest windows worm exploits? How exactly are worms like this for linux any different? Windows is in the crosshairs because that's where the money is at.

Re:Impractical amount of data?

[toadlife]

"You're right, but any program that is run by a non-privileged user (without running su or sudo) can only affect the files and folders that can be modified by that user. Running a virus program as an unprivileged user will only infect that user's files - just delete the user's files, delete the account, create a new account, copy a backup of the user's files, and you're good to go. It might still be a pain in the ass, but it beats completely reformatting and then copying the backups to the user's folder."

So what? Malware nowadays doesn't try to delete data, it tries to steal information (hint: a users files!) or use the computer's resources for things like DoS attacks or spam. root is not required for any of these things.

"If the program is not executed, then how can it take advantage of the buffer overflow vulnerabilities? The virus has to be executed before it can start messing things up."

I suggest you go and look up what a buffer overflow is and how they can lead to security breaches.

"Sure, if you're stupid enough to install a program from just anyone who e-mails you.

People this stupid are rare nowadays, even in the Windows crowd."

With all of the major pub email worms have gotten over the past five or so years, you would think so wouldn't you? The unfortunate fact is, people this stupid are still in very high supply. Look at all of the successful email worms today for windows like "Sober", and read up on how they propogate.

"Linux chat clients/e-mail clients/etc. don't have stupid "features" like MS' VBScript (which is what makes Outlook/Outlook Express so vulnerable) that makes them auto-execute code. And, like I said, a user-space infection is a fairly easy fix since it only affects that user's files - yeah, you still better hope you've got a backup"

You are living in the 90's dude. Outlook and Outlook express are actually very secure email clients nowadays, and won't do shit by default. Outlook won't even render regular html email by default.

Regardless, features like these aren't needed. If the program accept user input, it has the potential to be exploited. Again, go look up what a buffer overflow is and what they can do.

"but you don't have to reinstall like you do in Windows."

You also don't have to run as an administrator in Windows. I don't. Right now, I could download all of the viruses in the world and run them and they couldn't do shit to my Windows installation because the account I'm logged on as right now doesn't have the rights.

Re:Impractical amount of data?

[NetRAVEN5000]

"The like I said, be nice and report it. If they ignore you force them to act by releasing a POC on the net."

And if they ignore the POC?

"The Mozilla dev team has done it multiple times since the release of Firefox 1.0."

Has the Mozilla dev team ever rejected any fixes to code? That's what really matters. Now that they're in the spotlight and are under pressure to be better than IE, it's perfectly normal for them to prioritize things. However, I'm sure they haven't rejected anyone's working code fixes to Firefox.

"Because Malware authors today are in it for the money. There is a ton of money to made on owned machines, and peoples' idientities. Weather the dominant platform has a Window a Penquin or an Apple for a mascot means nothing to the people who are out to make money."

So if malware authors are in it for the money, why don't they aim at the corporations with the big money?

Could it be because (gasp!) Windows is easier to hack and they're less likely to get caught hacking Windows?

Contrary to what many seem to think here on /., I don't just pull things out of my ass. I do use actual statistics that I've heard of elsewhere. Windows does have more security holes, and hackers don't just hack Windows because of the money but also because there are plenty of tools on the 'Net for "script kiddies" to use.

"Perhaps. If everyone's grandma started using Linux, it would become a haven for malware, and thus not as appealing as other good free OSs like FreeBSD or Solaris."

But I thought you said that other Unix-type systems would also be vulnerable. . .

A Linux virus is a reason to improve Linux, not abandon it.

"Firefox users are supposedly 'savy' web users yet they continue to click around the net using exteremely vulberable versions."

"Firefox users are supposedly 'savy' web users". Where'd you hear that from?

What browser you use doesn't make you any more or less savvy. Most Firefox users are ordinary users who "heard through the grapevine" that Firefox was more secure (which is true - but it does have vulnerabilities, no software is perfect).

"How exactly are worms like this for linux any different?"

Right. Because I'm sure Grandma uses XML-RPC for her PHP server, AWStats, and Webhints on her DESKTOP Linux PC like all the other DESKTOP Linux users.

When I used Windows, I ALWAYS installed all my patches, updated my software, ran regular spyware and virus checks. . . everything. And I still got spyware and viruses.

I've been using Linux for about 5 or 6 years now (for a while I kept Windows just for games but now I'm all Linux) and have been sitting back laughing when everyone else was worried about "Code Red" and "Netsky" and "BugleBoy" and whatever else. So far I've had NO problems with hackers, viruses, spyware, rootkits. . . nothing. And yet Windows users can't even listen to a music CD without worrying about rootkits anymore.

Re:Impractical amount of data?

[NetRAVEN5000]

"You are living in the 90's dude. Outlook and Outlook express are actually very secure email clients nowadays, and won't do shit by default."

No, I'm pretty sure they were exploited in 2000 or 2001. I don't remember exactly when, but it was around when I decided to switch.

" Outlook won't even render regular html email by default."

I bet that looks pretty.

Are you serious? There's a security problem with OE. . . so they disable HTML rendering? Simply not making OE able to handle scripts would've done the trick. But I guess no HTML, no scripts so I guess that's one quick and dirty way to "fix" the problem.

"Regardless, features like these aren't needed. If the program accept user input, it has the potential to be exploited. Again, go look up what a buffer overflow is and what they can do."

The way I understand it, buffer overflows don't even need the user except for him/her to open the file. Any program can have a buffer overflow.

I'm still waiting for one to happen to me, though. If you'd like maybe you could e-mail me some Linux code and we'll see what happens. I've got HTML rendering and "Load images from the Internet" turned on in KMail - it should be interesting to see what happens.

"You also don't have to run as an administrator in Windows. I don't. Right now, I could download all of the viruses in the world and run them and they couldn't do shit to my Windows installation because the account I'm logged on as right now doesn't have the rights."

Depends on how much you're willing to pay. I paid $100 or so for my copy of Windows 98 and it sucked, so I don't see why I should have to pay that much again for XP. That's just too much money if you ask me.

And after all this time, I would certainly hope that they finally got smart enough to not have all users running as admin. Next thing you know, maybe they'll do what the Linux distros do and help them set up an underprivileged account!

Re:Impractical amount of data?

[toadlife]

"So if malware authors are in it for the money, why don't they aim at the corporations with the big money?"

They do, and they succeed sometimes. Did you ever think that perhaps people target home Windows users because they are naive and are apt to fall for social engineering tricks?

"Contrary to what many seem to think here on /., I don't just pull things out of my ass. I do use actual statistics that I've heard of elsewhere. Windows does have more security holes, and hackers don't just hack Windows because of the money but also because there are plenty of tools on the 'Net for "script kiddies" to use."

No, you don't pull things out of your ass - You regurgitate propaganda that's been fed to you. That's even worse, because propaganda always has a partial truth to it and thus can easily be mistaken for fact. Just because some dude at linuxismygod.com told you so, doesn't make it so. Here's an excersize for you. Go to securityfocus.com or some other security site and compare the amount of vulnerabilities found in IIS6 vs the amount of vulnerabilities found in apache (version 1 or 2, take your pick) in the last two years. Then come back and tell me "Windows has more security holes". Or are you trying compare just the Linux kernel with the entire Windows operating system?

"Right. Because I'm sure Grandma uses XML-RPC for her PHP server, AWStats, and Webhints on her DESKTOP Linux PC like all the other DESKTOP Linux users."

But they would use apps like Firefox aned GAIM which from time to time have security flaws. You really missed the point when I made that comparison.

"When I used Windows, I ALWAYS installed all my patches, updated my software, ran regular spyware and virus checks. . . everything. And I still got spyware and viruses."

I'm sorry to hear that. That says more about you than it does about windows. If linux was the dominant OS, my bet is you would still get spyware and viruses. Operating systems can't protect you. They can only give you the tools to protect yourself. Right now, the obscurity of desktop linux is protecting you. Since linux will probably never gain much marketshare on the desktop, you should continue to be safe, so enjoy it.

"I've been using Linux for about 5 or 6 years now

And judging by our conversation, you haven't learned a goddamn thing in all that time.

(for a while I kept Windows just for games but now I'm all Linux)

Yay for you! Would you like a medal? I used FreeBSD as my desktop for about eight months, but I got a TV tuner card that didn't work with it, so I switched back to Windows. *nix is now relegated to web serving and routing in my house. I don't carry an emotional attachment to operating systems, like some others. They are tools, some more useful for certain applications than others.

and have been sitting back laughing when everyone else was worried about "Code Red"

Ahh yes, Code Red. That's that IIS worm that exploited a two month old vulnerability. FYI, there has NEVER been a Windows worm that exploited a zero day vulnerability. Every single one, has exploited vulnerabilities that have already been patched. The worst was SQL slammer. It exploited an eight month old vulnerability. How exactly are the success of these worms Windows' fault?

"And yet Windows users can't even listen to a music CD without worrying about root kits anymore."

Sure they can. They can use a non-admin account to listen to CD's.

Your posts perfectly illustrate your lack of understanding of exactly what computer security is. You think security is running software package (A) instead of software package (B) because software package (A) is better at protecting you. As I said above, software can't protect you.

Re:Impractical amount of data?

[WindBourne]

Immune? no. But if a tank and a car get in an accident, you can generally assume that the tank will come out on top 99.999% of the time. It is possible that there is some design flaw in the tank that will cause it more harm if hit just right. Likewise, *nix are about that immune due to design and build.

Re:Impractical amount of data?

[NetRAVEN5000]

"No, you don't pull things out of your ass - You regurgitate propaganda that's been fed to you. That's even worse, because propaganda always has a partial truth to it and thus can easily be mistaken for fact. Just because some dude at linuxismygod.com told you so, doesn't make it so. Here's an excersize for you. Go to securityfocus.com or some other security site and compare the amount of vulnerabilities found in IIS6 vs the amount of vulnerabilities found in apache (version 1 or 2, take your pick) in the last two years. Then come back and tell me "Windows has more security holes". Or are you trying compare just the Linux kernel with the entire Windows operating system?"

Actually, contrary to what many believe on /., I DON'T go to Linux propaganda sites, and I have actually never heard of linuxismygod.com. The closest things to a "propaganda site" that I visit are /. and www.linux.org which is actually a Linux news site which is really just a Linux news site that puts Linux news and reviews, both for and against Linux. And Apache is for ALL OS's, isn't it? Plus, a LOT of web servers run Apache, both Linux and otherwise - don't you think that if there was some HUGE vulnerability - for all those exploits of IIS like Code Red and others - SOMEONE would've made a virus for Apache?

Sure, Windows and Linux both have holes, but from what I've seen, Linux holes seem to get fixed a lot quicker.

"But they would use apps like Firefox aned GAIM which from time to time have security flaws. You really missed the point when I made that comparison."

You know what, it's strange, though, that even though Firefox now has - what is it, 10%? - of the browser marketshare -- making it the second most popular browser next to IE -- I still don't think I've heard of more than one actual exploit, and that exploit also affected IE (and was Windows-only). And GAIM users - though GAIM uses the same networks as MSN and AIM - don't get the viruses that people who use MSN Messenger and AOL Instant Messenger do.

"I'm sorry to hear that. That says more about you than it does about windows. If linux was the dominant OS, my bet is you would still get spyware and viruses. Operating systems can't protect you. They can only give you the tools to protect yourself. Right now, the obscurity of desktop linux is protecting you. Since linux will probably never gain much marketshare on the desktop, you should continue to be safe, so enjoy it."

You know, you really piss me off. You seem to assume that I actually downloaded the viruses I got or something. I didn't, I got them through IE. I figured, well, my patches are installed, Norton is updated, I'm good to go. But no.

What do you want me to do, never browse the Web? I wasn't downloading stuff when I got infected. One day I ran my routine Norton scan, it found a virus, I told it to clean it, it said I needed to reboot, and then I rebooted and poof. All gone.

And what's this about the "obscurity of desktop linux" protecting me? Didn't you say earlier that a single shell script or ELF executable would run on almost all Linux/Unix systems?

"Yay for you! Would you like a medal? I used FreeBSD as my desktop for about eight months, but I got a TV tuner card that didn't work with it, so I switched back to Windows. *nix is now relegated to web serving and routing in my house. I don't carry an emotional attachment to operating systems, like some others. They are tools, some more useful for certain applications than others."

Why are you getting so angry? I was stating a mere fact.

My bias against Windows didn't just one day appear, you know. I used to run Windows, too, and liked it. It would crash a bit, but you'd reboot and it'd be okay for a while. And then once the Internet became more common there were all sorts of viruses and stuff. I was perfectly fine with Windows (not perfectly happy with it, but it was OK) until I found out about Linux and discovered how

Re:Impractical amount of data?

[toadlife]

It sounds like the last Windows you ran was Win9x series. To base all your arguments against windows based on a 7 year old version which didn't even *have* security is silly. That's like me saying desktop linux sucks because when I tried slackware 96 it took me an hour just to get my serial mouse to work, and even longer just to get the vesa driver to work with XFree86.

"Kinda made me mad that I had paid quite a bit of money for something that crashed more. The only thing I missed was the games."

Well now there are a few games that run on Linux. ;) Not exactly a huge selection, but they do exist.

"And if software can't protect you from viruses, then why do Windows users run antivirus suites? Surely securely-designed software must be useful for some level of protection."

Because all of the computer viruses target Windows. In a good security plan, anti-virus is a last line of defense. If you practice other more important security practices (good ole' common sense goes a long way) then your AV should never detect anything. Mine hasn't in years. If some other OS had the marketshare that windows did, all of the computer viruses would be written for that OS, and everyone would still be running AV. Back when Macs has a 15% marketshare their were viruses for Mac and lots of Mac users ran antivirus. That's the only real comparison I can give you because in the history of home computing, those are the only two platforms that have ever had a sizeable amount of marketshare.

"Because Windows is meant so that even an idiot could use it, Therefore MS must expect that idiots WILL use it. Idiots don't know how to set up auto updates or that they should often check up on the latest security alerts. Microsoft should have it do their patches automagically."

There is catch-22 here. I agree 100% that Windows should come automatically update itself out of the box, but if it did, millions of people would bitch and moan about it. People want to have their cake and eat it too. They want their computer to be secure, but they want total control over their computer too. That means being able to choose weather or not they update it, and being able to run any untrusted code they want. Microsoft has found a middle ground by adding the 'security center' in XP that bugs you constantly if your auto updates is turned off, but you'll find that people even complain about *that*. You can't please EVERYBODY, but that's the thing Microsoft is forced to TRY to do...because EVERYBODY uses their operating system.

"But if it doesn't play without the rootkit, then how do you listen to it without installing the rootkit?"

I would return the CD to the store, and if they wouldn't give my money back I would sue Sony. If you read around I'm sure you've noticed that there are multiple lawsuits against Sony regarding this matter. The fact is tons of people run as admin in windows because that how Microsoft made it by default. Sony is evil for doing what they did and the blame lies on them, not the operating system that their "DRM" installs on. Lets say that Microsoft shipped XP back in 2001 and it created limited users account by default instead of admin accounts. Sony's CD would simply say "You must enter your administrator password to view the special feature on this CD", and you can bet that most people would blindly do it, not realizing (or caring about) the potential consequences.

"No vulnerabilities were exploited the day they were found out. Whoop de doo. Great. So they attacked an unfixed vulnerability from earlier. That's what you're saying. So what if they're attacked after the hole has been known a while? If that means no patch was released all this time, who cares?

Also, a simple Google search begs to differ. Right on the first page, what do I see? "Zero-day Microsoft Excel flaw for sale on eBay", "Zero-Day Exploit Targets IE", "Microsoft Promises to Quickly Solve a Zero-Day Vulnerability". . .

Re:Impractical amount of data?

[NetRAVEN5000]

"That's like me saying desktop linux sucks because when I tried slackware 96 it took me an hour just to get my serial mouse to work, and even longer just to get the vesa driver to work with XFree86."

If you ask me, it's not. I paid good money for both Win98 and Win98 SE, both of which claimed to be made with the Internet in mind and claimed to be secure. If they had the Internet in mind and made it secure, why did they make it with so many Internet security holes?

Linux never claimed anything to me except higher security and more stability. To this day my Linux box has never been hacked, and both whole-system freezes and single-program freezes are very rare. Plus, if you ask me, this comment shows how much Linux has progressed - as a four-year-old product, you were already willing to give Linux a shot, and for me, when it was a nine-year-old product, I thought it was good enough to switch over. When Windows was thirteen years old (Windows was first released as Interface Manager back in 1985), it still sucked and lacked good security - so much that they had to release two separate versions in the same year because of all the problems, and so much that some people thought even a FREE OS could have better security.

"millions of people would bitch and moan about it. People want to have their cake and eat it too. They want their computer to be secure, but they want total control over their computer too."

First of all, IMO if you want total control over your PC you should be using an open-source system, where you can change every little detail to your heart's desire.

Second of all, MS could just show people how to turn it off. They've expected people to know how to turn it on all this time, can't they just tell people if they don't want auto updates they can turn it off?

"The fact is tons of people run as admin in windows because that how Microsoft made it by default."

My point exactly. And if they allowed you to install programs WITHOUT admin's password (in Linux any program can be compiled and installed by any user - you only need the root password if you want to install it for all users), then maybe people would be a little more cautious when a program requires them to supply admin's password. If most apps could be installed by the user and only needed the admin's password to be installed for ALL users, you might not have this problem since most people only use one account on their computer (and even if they did, they could just install the program on demand). This would be perfect for the completely computer-illiterate people who use Windows.

"Sony's CD would simply say "You must enter your administrator password to view the special feature on this CD", and you can bet that most people would blindly do it, not realizing (or caring about) the potential consequences."

It wouldn't be too hard to make the OS tell you if the program's trying to change important system files, would it? If you have antivirus programs, they will tell you if another program is modifying your boot sector; why can't Windows tell you that a program isn't simply installing itself and needs the admin password to make it so that all users can use the program, and that it's actually trying to modify crucial system files that may cause your PC not to work if they're corrupted or missing.

"Sorry, I never said there weren't any zero day exploits for Windows. There have been (and will be) zero day exploits for every operating system until the end of time. I said there have not been any *worms* that have exploited zero day exploits."

Sorry, but Google says otherwise. First item on the page - New Version of MyDoom Worm in Zero-Day Attack.

"The main difference between Windows and other operating

Re:Impractical amount of data?

[toadlife]

A few points....

Microsoft never claimed any of the Win9x series of OS's to be secure. They specifically said that if you wanted security in their products to use NT. There was no security model at all in the 9x series of OS's, so 'security' as we know it today was not possible.

It would be nice if everyone was so forward thinking, but hardly anyone is. With Windows 95, Microsoft got caught with their pants down in regards to the internet and security, as right around the time windows 95 was released, internet usage started to explode. The first ever computer worm, "morris" afected unix machines running sendmail, and it took down virtually every unix machine on the 'internet' back when it was accidentally released. The scenario that led to morris was very similar to the one that led to all of the security problems with Windows. People just weren't very concerned about security back then and didn't see the potential security pitfalls that connecting a bunch of computers together could bring.

The comparison of the age of windows the age of linux isn't very fair. Linux has been a 32 bit operating system since it's birth in 1991 an it's overall design (a unix type OS) has not changed. Windows started being a true 32 bit OS with NT 4.0 which was released around 94 I believe, ad has absolutely nothng to do, in regards to it's core design, with any of the Windows 9x versions. All of your experience with Windows is with the 9x series which sole purpose was to transition customers over from a DOS based OS's to NT based OSs without breaking compatibility with legacy DOS programs. Obviosuly the transition was a rough one for many, for history has shown (read: Apple's transition from the Apple IIe to the Macintosh) that completely abandoning legacy technology and trying to force your customers straight into a new and improved technology without providing any legacy support is market suicide.

The reason XP was shipped making users admin by default was not because Microsoft didn't understand the security implications of it. It was a backwards compatibitly issue. Windows had a massive amount of old software written for Windows 95 and 98 and breaking compatibility withn them would be very very bad. Windows XP fully supports the installation of programs by regular users...*IF* the program is written with that in mind. When Microsoft shipped Windows 2000 and then XP, they tried to get windows developers to start coding their programs with security model in mind, but for the most part programmers ignored Microsoft's advice and continued to code their programs assuming that the end users would have admin rights.

"It wouldn't be too hard to make the OS tell you if the program's trying to change important system files, would it? "

No it's not hard at all. Windows has done it for ages by saying "access denied". All joking aside, Windows has had the capability of prompting you for admin rights when a properly written installer is launched under a non admin account. The problem is developers don't write their installers properly to take advanatge of this feature. I have the distinct feeling you're thinking of Mac OSX's ability to prompt for admin password when users try to install something. The reason this works so well in Mac OSX has tiny amount of software avaiable for it compared to Windows, and thus a much smaller pool of developers. Getting a group developers to all do something is akin to herding cats. Apple's "herd" is a hundred time smaller than Microsoft's "herd".

"Sorry, but Google says otherwise. First item on the page - New Version of MyDoom Worm in Zero-Day Attack."

This is not what I was talking about when I said "worm". I'm talking about things that replicate without user input. Something that spreads via an Intenet Explorer exploit requires user to go to a specially crafted web page to get infected. It's still bad, but IE has a very long history of being repeatedly exploited, much like sendmail in the 80's

Re:Impractical amount of data?

[NetRAVEN5000]

The way I recall it, MS said that MOST users should use Win9x and that for HIGHER security purposes such as servers you should use NT. Although I can understand them wanting compatibility with DOS programs, they certainly could've done a better job.

While it is too bad that Unix had "Morris", let's not forget that the Internet was still not a very common thing back then and was a much different place than it is today (reminds me of Dave Chappelle's "What if the Internet was a Place" skit :) ). Before the 90's the Internet was still mainly just for universities and research facilities and was a fairly small community. People trusted each other on the Internet more and probably thought that no one would ever even dream of attacking their servers.

"The comparison of the age of windows the age of linux isn't very fair. Linux has been a 32 bit operating system since it's birth in 1991 an it's overall design (a unix type OS) has not changed. Windows started being a true 32 bit OS with NT 4.0 which was released around 94 I believe, ad has absolutely nothng to do, in regards to it's core design, with any of the Windows 9x versions."

What I was doing was trying to project an idea of how much progress has been made. Before Linux, open-source was little more than some guy's idea of how the computer world should be. Now open-source has become a business model for many software companies and is seen to have some real potential.

Open-source programs are made and improved by the people who use them - meaning that they weren't made by a big corporation, but rather by an individual or group of individuals who knew how to code and decided to write a program that suits their purposes. Now, for whatever reason, these groups of hobbyist programmers are giving professional code-writers a run for their money. Which really says something about the inferiority of closed-source and big corporations when they're put up against a group of motivated individuals, many of which aren't even getting paid for their hard work. They may be open-source zealots or groupies or whatever, but they're giving MS a run for its money. And that doesn't seem right that a group of "weekend warriors" is on close to the same level as a high-paid, big-business software company, but it seems like that's the case.

"All of your experience with Windows is with the 9x series which sole purpose was to transition customers over from a DOS based OS's to NT based OSs without breaking compatibility with legacy DOS programs. Obviosuly the transition was a rough one for many, for history has shown (read: Apple's transition from the Apple IIe to the Macintosh) that completely abandoning legacy technology and trying to force your customers straight into a new and improved technology without providing any legacy support is market suicide."

The problem I had. . . was that I had no problem. I didn't need to be babied. I probably could've gotten used to NT just as easily as I got used to 98 - I had been used to Win3.1 and Win95 (I never owned a PC with 95 but I had used them). I used DOS before but by the time I got Win98 all my programs were Windows. I never even heard of NT until later on after I got 98 and the Internet, and I thought that since 98 was newer it was supposed to be better until I heard about the future releases of Win2k and WinME, and why two releases for the same year are somehow different and why one works and one doesn't.

"Something that spreads via an Intenet Explorer exploit requires user to go to a specially crafted web page to get infected. It's still bad, but IE has a very long history of being repeatedly exploited, much like sendmail in the 80's and 90's, so the security conscience probably not even be using it, would they?"

First of all, the exploit probably could have been put into text ads that might appear on "trustworthy" sites - which would then infect you with the virus. Also, people could have put the code into their signatures on user groups a

Re:Impractical amount of data?

[toadlife]

"Problem is that infection after infection after infection seems to keep happening to the Windows users and they just put up with it. If they started switching to Mac or Linux - or even if some of them wanted to give other alternatives like OS/2 or something a try, or whatever. . . then MS would lose its marketshare and clean up its act"

Rule #1: Functionality trumps everything else.

Windows offers the most functionality. Not because it's designed better, but just because of how many people use it. As I said, people are naturally inclined to form monocultures. Perhaps that is an effect of humans tendency to imitate each other? I have no doubt that if it wasn't Windows, it would be some other OS, and we'd all be discussing the virus problems with it today instead.

Occasionally I do side work on people's computers, and for the "problem people", the types who ALWAYS seem to screw up their computers, I allways suggest they consider buying an Apple instead of a PC. I managed to convince one person, so don't accuse me of not trying to help! :)

Re:Impractical amount of data?

[NetRAVEN5000]

That's what I'm saying - personally I like Linux, but if people want to try Mac or anything else. . . fine by me. There's just too many people sticking with Windows even though it's given them TONS of trouble. If they were to just TRY something else - learn on a friend's Mac, download a Knoppix CD, whatever - they'd be better off because at least then they'd know that there are other possibilities if they don't like Windows (and I know many people who don't - that's part of the reason why I mentioned the "I only used Windows for games" thing - there are plenty of people who use their PCs mostly for games, and if that's all that's keeping you back, you can install two OSes if you want - and I believe OSX comes with its own emulator).

It doesn't matter what OS they switch to so long as they switch (or at least give another OS a try).

Re:Impractical amount of data?

[Jewberry]

It's possible that it is immune to this key logger and many others, as most are coded to work on Windows.

It could always be worse...

[Ruff_ilb]

Most of the desktops that I know that run Win2k are run by schools, universities, etc. I haven't seen someone's PC running win2k yet. Also, these desktops (the ones run by schools, at the library, etc) are usually either (A) very secure or (B) no one expects them to be secure. So this could be worse, I think.

This could be a major problem if it infected SP2 computers.

Re:It could always be worse...

[lordsid]

I use 2k because XP sucks ass in the way only a porn star can.

Re:It could always be worse...

[Tony+Hoyle]

*Lots* of businesses run Win2k (It still appears to be the majority, looking at the customer lists I've got, but 2003 is catching up fast. XP is nowhere...). Home users can afford to upgrade every time MS decides to release an OS patch.. business can't.

Re:It could always be worse...

[ZakuSage]

I happen to run Windows 2000 on a seperate partition, mainly for when I absolutely need windows applications.

zaku@sage # fdisk /dev/hdb

The number of cylinders for this disk is set to 6232.

There is nothing wrong with that, but this is larger than 1024,

and could in certain setups cause problems with:

1) software that runs at boot time (e.g., old versions of LILO)

2) booting and partitioning software from other OSs

(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help):

Command (m for help): d hdb2

Partition number (1-4): 2

Problem solved. :)

Re:It could always be worse...

[petermgreen]

umm 2K3 and XP aren't even competing with each other one is a server product one is a desktop product!!!!!!!!

That's about 80% of people out there

[patcito]

As most people haven't upgraded to SP2 yet I guess most XP users are potential victims.

Convenient?

[Jynx97]

Didn't I just read somewhere that Microsoft was upset with the penetration of SP2 for Winxp?

The next day an article comes out saying that only SP2 will save you!

Re:Convenient?

[yattaran]

You're entirely correct. That article was posted yesterday. I was thinking the exact same thing as you when I read this post.

Re:Convenient?

[DogDude]

What's your point, exactly? Of course people should patch to SP2. Of course MS wants them to patch their machines. Hell, I want people to patch their machines so that mine don't get hammered by worm attempts.

Re:Convenient?

[ImaLamer]

I don't see how people miss that it is ironic that this worm is apparently from China while most machines without SP2 are also from China. Earlier there was a story that said we should be aware/afraid of cyber attacks by the Chinese.

I think the worm originated in Fort Meade, the stories originated from the Pentagon. That or the Chinese are targeting each other, not us.

Watch out

If Fox News finds out some people are calling it a Holiday Keylogger, there could be hell to pay.

Re:Watch out

Dude, the 'War on Christmas' is like sooo 48 hours ago. We've all moved on to the 'War on the Holidays'. How dare they try to replace our Holy Days!

(With apologies to the Colbert Report...)

but the advisory says...

[erikus]

SP2 is affected too.

From the advisory link:
Affected Software:

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update

...

Re:but the advisory says...

[TubeSteak]

What's more important to me is: Can this worm find me behind a NAT router.

I am

1. running SP1
2. using NAT
3. virus/trojan/worm free
4. loving it

"OMG Ur CrAzY!!1"
Well, I run a virus scan every now and then, I check my outgoing traffic for anything suspicious, etcetera etcetera etcetera. So calm down.

Re:but the advisory says...

[slashbob22]

Then this goes quite well to increase the amount of penetration in XP SP2. Not by the number of installs but in the number of exploits.

Re:but the advisory says...

[secolactico]

I think the MSTDC or somesuch (the cause for the vulnerability) is off by default on SP1. I think. And you being behind NAT will only protect you if noone else is behind the same NAT. Say, your friend with his infected laptop drops in for a visit. Plugs his machine into your switch and out goes the virus.

Re:but the advisory says...

[1u3hr]

I read TFAs, but they are either extremely technical and over my head, or extremely dumbed down and useless ("click to install the patch"). I'd like to know what the service is, and which port(s), that this comes over (I did gather it's not through a browser or email); so if I have a firewall that default blocks probes, am I safe? (I do run Win2k, which I gather is vulnerable in default setup.) I know MS liked (maybe less so now) to activate odd services listening on odd ports to allow administrators (or, in practice, script kiddies) to do stuff automatically without troubling the user by asking his permission. I ask this because it seems most vulnerabilities announced are actual risks only if you are running IE without a firewall.

Oh What Fun

[MrNonchalant]

A holiday keylogger called Dasher. Could we call whoever wrote this a scrooge? Howbout a grinch? The cuteness doesn't stop here folks!

Re:Oh What Fun

[sgt_doom]

This post causes one to contemplate why and when parents stopped naming their sons Ebenezer?????

Re:Oh What Fun

I'm not looking forward to the forthcoming Donner and Blitzen keyloggers.

My answer to Key loggers

I write some PERL using Vim

Keylog THAT if you dare

Re:My answer to Key loggers

[cursion]

nah, write some brainfuck using ed.

Re:My answer to Key loggers

[JackDW]

vi is the only surviving editor that has a protocol instead of a user interface. The datastream moving from your brain to the file on disk is about as compressed as it can be. All the commands are minimalist (most are single-key), you never need to use the mouse, there's built-in regex support... No wonder programmers like it: the editor doesn't require you to switch context.

Unfortunately the datastream produced by vi is very easy to examine - just pipe it into another copy of vi, and there you go. Easier than examining the keystrokes of someone typing in a lesser editor, anyway, as their editing will be punctuated by mouse-clicks and menu events, making analysis tricky.

Fortunately, if you're able to use vi, you are perfectly able to (a) patch your OS, or (b) use a sensible OS, or (c) both, so who cares?

Re:My answer to Key loggers

[WindBourne]

Well, if you are using vi, then you are on a *nix system and therefor do not have to worry about this. If you are using vim, then it is possible to use it on a system that is easily cracked.

Re:My answer to Key loggers

[Hosiah]

Keylog THAT if you dare

Ha! I got it! I have the logfile for the Perl code session! It's...no, wait...no, sorry, it's just line noise from my bad internet connection.

As I thought...

[macsox]

The Grinch uses a Mac.

Programming errors

[High+Hat]

FTFS: "... The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. ..." Offshoring gone wrong?

Re:Programming errors

that doesn't mean the trojan was written in china.. a rogue wireless AP combined with a laptop running tor could make me pretty damn anonymous too. its the bragging that will probably get the author nabbed. remember, only the stupid criminals get caught.

It just hit me

[Stan+Vassilev]

Looks like viruses (spread by infecting exe files) are mostly non-existant today, replaced by network-propagated worms..

And it just hit me that we'd never get any of this if we were not on-line all the time.. Few years ago when the first internet worms were appearing I was like "ahah, just don't stay connected all the time you idiots".

Now I and the majority of folks around the world are "converted" and hopelessly tied to on-line, making us vulnerable to those attacks.

How many minutes can you spend offline, before the reflex kicks in and you try to google up some info you need?

Re:It just hit me

[Scoth]

I remember not that long ago my cable went down. It was literally every couple or three minutes I'd come up with something I'd need to google or look up and get as far as loading FF before remembering. It's really amazing just how much we use online these days. Directions, movie times, random tidbits googled at will, communications.... just about everything.

On another topic, FF just blocked a popup from here. I'm not on my normal computer so I guess it could be adware, but popups on Slashdot? Hmm...

Re:It just hit me

Oh, .exe infected viruses are very popular today, except we never see them. The single biggest source are foreign porn sits, or compromized porn sites. They automatically download a trojan+dialer on some browsers, or prompt you to download them on more secure browsers. Run that, and you're screwed, even if you have firewalls and stuff. Sometimes they even subscribe you to worm botnets, if you haven't been infected via the more traditional route.

I'd say exe viruses are more wide spread and popular today than they have ever been, just by sheer number of infections.

Re:It just hit me

[SheeEttin]

And that's yet another reason I have stuck with 50.6 kb/sec dialup.

Re:It just hit me

[Sebilrazen]

How many minutes can you spend offline, before the reflex kicks in and you try to google up some info you need?

What is this 'offline' of which you speak?

Re:Could be worse...Is worse than u think...

[RealisticCanadian]

While this still could be worse, you are correct on one thing: Win2k in schools.

Spent the summer working at a local university. There was superfluous opportunity to embezzle a lot of money; as we were instituting their absolutely awful new HR software--which also meant I got to see how much all the bigwigs and upper-administrators (read: idiots puffed full of their own self importance) made off of hard-working students. (I was brought on as a Data Technician; not support or PC repair or what-have-you)

When the machines in our semi-secret office (All W2K) were infected with a virus (Don't ask me, I no longer remember, but I went & read the writeup @ symanted then, which told me it was able to cross-propogate through the network once it landed on one machine) I of course decided to quarantine the bastard myself first... I then realized what I had most feared--that these machines were all set up to Track who was using them; but not to actually restrict Anyone from Anything. Thats right, Joe Schmoe user could do anything he wanted; from registry-hacking to whatever your heart desired.

So; I managed to isolate this guy and the three other viruses that were wandering through the War-Room (thats what we called it); but I didn't purge, at this point I was too intrigued, so I summoned the IT guys.

4 hours later ONE guy (who looks like a plumber, and not even Mario) shows up, and begins, well, piddling (there's no other word for it.... he threw in an admin password and started checking completely unnecessary settings, then attempting to read the reports that their Tracking software creates, presumably to get to the root of the problem) with the machines after pretending he doesn't need me to tell him what I've done so far. His expression gets more and more bored, and after about another hour and a half, he tells my boss (one of them aforementioned admin-types) that he can't find anything wrong, and she should watch 'that new guy'.

I'm pretty sure they heard my jaw hit the floor on the other side of campus. A week later I had recieved the job offer I'd been counting on from the local cable service provider; and I headed for the hills, washing my hands of the whole situation, and terribly glad the only records tying my name to the lpace were strictly paper-based.

I checked in on it with a friend of mine who's a student there. He moved here from China, and is still a little unpolished with his english, but I heard this loud and clear: "Oh my FUCKING GOD man! Half the computers on campus are FUCKED!"

I can only assume that Mr. Plumber did not get anyone to look into the virus.

I have no idea how much that mistake cost the University; but I do know that once it was cleaned out, nothing changed. They are merrily running the exact same sytems setup the exact same way; probably every one of em mapped off the mirror sitting in the IT department.

So yes, I do believe that this could have MUCH wider-effect than you believe.

maybe it's santa!

[cursion]

maybe it's really from santa and his IT dept is testing out new ways of seeing who is naughty and nice and checking on what we really want. i mean, imagine getting about 6 billion emails and/or snail mails saying "i want this!".

sing along now...
"He knows when you've been sleeping. He knows when you're awake. He knows what you're typing. ..."

Re:maybe it's santa!

[XFilesFMDS1013]

"...he's the NSA..."

Not quite...

[DogDude]

I know that all of my home machines, and all of our business machines are all Windows 2000. I know that a *lot* of businesses stopped with Windows 2000 because there's no real compelling reason to go to XP. Although, since it was fixed more than two months ago, there's really no reason for anybody not to have installed that patch by now.

Bugs?

[bsdluvr]

...the first version of this worm, which apparently was crippled by programming errors...

Worms with bugs?

Re:Bugs?

[slashbob22]

I wonder if there is a patch? Dasher SP2 perhaps?

Re:Bugs?

Dashing through the snow... doh! What was I replying about again?

Easily filtered

[Valdrax]

Well, if it's from China, it might be an attempt to get sensitive government info. If that's the case, then you could start by filtering down to only keystrokes from .gov & .mil domains. Then it's a matter of looking for short, 6-12 letter words separated by mouseclicks or presses of the enter of tab keys. For the good stuff, look for words that contain a non-alphabetical characters.

This won't get you into systems with multi-factor identification (like a Secure ID-based password), but it can get you the financial and personal data for government workers who might be subvertible as spies through blackmail, extorsion, or just through a simple offer to help them through a financially difficult time. (This is one reason why your credit history is an important part of getting security clearance.)

Of course, if you're just looking for financial data to rob people indiscriminately instead of something far more sinister, you can look for sections of text starting with people entering URLs for banks and so on. It's not that hard to write scripts to troll through this sort of data using simple shell scripting or Perl. As someone who works at a telecom company, let me just say that grep'ing through gigs of text data for particular strings (like a phone number in a transaction record) only takes a matter of a few minutes. It's something for which you open up Slashdot to read a single article and then come back.

No, sifting through this kind of data wouldn't be a technical or resource challenge in the slightest. Receiving and storing it would be the hardest part of the whole operation after actually writing the code to take advantage of the exploit. Extracting data from text files is monkey work.

Re:Easily filtered

[TubeSteak]

Something i don't get is why hex editors and winrar's view button can open massive files in seconds, while pretty much any MS (and other) products take forever to load whatever it is I'm trying to open

Re:Easily filtered

[JFitzsimmons]

Probably because just about everything else has to actually *do* stuff with the data that it is loading?

Re:Easily filtered

[aaronl]

Hex editors don't load the whole file, and this is likely true for WinRAR, too. They are filling a small view buffer, and have to read from the file when you move to a different position in the stream.

Most text editors will load the full file into memeory, and then load it into an editing window. So you need at least as much memory as file size. You need even more if you're loading something like XML.

Re:Easily filtered

[tsu+doh+nimh]

RTFA from the Washingtonpost.com. He's saying most keyloggers used by the bad guys don't record everything you type, contrary to popular perception:

Many people may have the impression that keyloggers record everything a victim types on their keyboard. While a few keyloggers in use do that (usually the commercial variety designed to help parents spy on their kids' home computer use), the bad guys generally aren't interested in reading reams of IM chat conversations and silly e-mails. Plus, that's a huge amount of data to be sending out of an infected machine.

Rather, a keylogger employed by viruses and worms usually works off a predefined list of financial and e-commerce sites. The keylogger program lies in wait until the victim visits one of those sites, at which time it intercepts any information entered into credit card and other personal data fields and transmits the information back to attackers.

Another Scam?

[nurb432]

Just another scam to 'prove' you need to pony up the cash and upgrade?

Re:Another Scam?

[Kuciwalker]

To SP2? That costs, what, $0?

Re:Another Scam?

[nurb432]

From 2000 pro to XP ( with sp2 )

From 2000 server to 2003 + current sp

Of course...

[Skiron]

... the big question is why haven't people patched?

Well I will tell you. They don't as Microsoft NEVER EVER release just a `fix' patch. It is bundled with other patches that break lots of things. So people either:

a) Can't as it fubars their system.

or

b) Too scared what it breaks. [I still get very nervy at work when applying these patches to servers - you never know - nor guarantee - if it will ever come back up again or just get BSOD.]

It is about time MS started to just issue a patch to fix ONE of their flaws instead of loading it with other `upgrades' the users doesn't want or need - or even just do 'one at a time'.

Re:Of course...

If you don't like it, then don't buy their products. If you work somewhere that uses thier products and you don't like it, find another job.

I am tired of people whining about windows and MS. They suck, no doubt. Just don't use/buy thier stuff and your life gets better by leaps and bounds.

Quit touching the oven it's hot.

Re:Of course...

[deaddrunk]

You mean like hotfixes?

Re:Of course...

[Skiron]

Hotfixes do not address one issue - they bundle 'other fixes' into them as well, all usually undocumented.

Re:Of course...

[MtViewGuy]

... the big question is why haven't people patched?

Actually, if you install Windows XP Home/Professional SP2, the setup gives LOTS of warnings about having Automatic Updates active. I run Automatic Updates in Warning mode so as soon as the updates are available I can download and install the updates quickly.

What am I missing?

[lip_spork]

The worm posts data collected to a specific server. Isn't that kind of evidence that could be used to determine who's responsible for it?

Re:What am I missing?

[tftp]

Not if that is an NNTP server...

That's not the answer

[bradleyland]

Spending less time online is not the answer. That's like seeking to decrease the number of car accident related deaths by requesting that people drive less. This latest worm, like many before it, exploits a service that is tied to... wait for it... IIS and MS SQL server. These two services:

A) Have virtually no use to most users (I guess some software uses MSDE *puke*)
B) Should not be exposed on a public IP (a.k.a. you should be running a firewall)

A $55 firewall would significantly impede the spread of worms like this.

IMO, responsible ISPs should distribute network devices that at least perform NAT when issuing IP addresses to computers behind their connection. In FL Bellsouth DSL issues a Westell router/modem. It's a pretty decent little device. It handles DHCP, NAT, offers bridged ethernet mode, and has decent support for port forwarding. You can connect it to a $15 5-port switch and connect up to four computers with zero additional configuration. Cable providers seem to be the worst about issuing modems that pass the public IP on directly to the device connected to it.

To make a long story short, we don't need to spend less time online, we (and ISPs) just need to be responsible about how we connect.

I think MS just wants folks to upgrade to SP2

I agree that XP users should upgrade to SP2, But something makes me think that Dasher really does effect SP2 and Microsoft is just trying to get people to upgrade to SP2 regardless... "Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Either way, I hope they get this fixed soon, thats a little scary that they thought they had this exploit fixed :P

Irony

[TeknoHog]

You're safe from keyloggers if you use Dasher.

Well it is a keylogger

[SmallFurryCreature]

IF you have the most primitive form of keylogger then all it will indeed do is capture ALL the keystrokes. It is/was/should be possible however to also record WHERE the keys are being entered, wich window. Now still not exactly easy BUT you got one huge advantage. Computers LOVE searching through endless amounts of text data for specific strings.

Even if you have the most primitive and complete of keyloggers you can roughly say this about how a login/password pair should appear. A string of characters, usually no spaces, followed by a tab, followed by a string of characters+numbers no spaces followed by an enter. Yup that is the way you fillin an online login.

The kind of sites you are intrested in usually require a number to be part of the password and very few "real" words have numbers in them. Provided you are not keylogging a script kiddie it should be easy to filter out passwords.

Sure attacking them to somewhere to use requires something more especially with this virus where you have no idea what the user is doing unless you also log that. But that should be too hard. Keylogger just sounds nice but if you can install that you can also install a url logger and active window logger.

Why should you believe what I said? Because I once experimented with a setup like this, stricly on my own machine of course, because like you I wondered how practical it was. It quickly became clear that it was very easy to filter out passwords entered to access the local network from emails I typed. Even code was no problem when I realised that most passwords will not start with a $ (unlike variable names) and the login-tab-password-enter combo stands out like a sore thumb to a regex engine.

Remember one other things, this is not about capturing the launch codes to a nuclear arsinal. Get it wrong and all you get is a access denied error. It doesn't have to be perfect same as email harvesters don't have to be perfect or spam randomizers have to be.

It is like those virusses that try to find game keys, they are extremely primitive and often twarted by such dastardly schemes as not installing in C:\Program Files BUT lets say they are only 0.1% effective. With millions of infected pc's that still gives you thousands of keys.

This keylogger virus (if it works) will probably infect a lot of machines that simply have no intresting info to steal. But if they get a thousand working bank accounts. BINGO!

OK...

[Skiron]

Have a laugh...
http://support.microsoft.com/kb/905915

WTF?

Update rollup 905915 includes the cumulative security fixes that are documented in security bulletin MS05-054. The update rollup also includes hotfixes for Microsoft Internet Explorer that were released after the release of security bulletin MS04-004 and of security bulletin MS04-038.
If update rollup 873377, update rollup 889669, or an Internet Explorer hotfix that was released after security bulletin MS04-038 are not installed, and if you want to install the hotfixes that are included in update rollup 905915, you must follow the instructions in Microsoft Knowledge Base article 897225. Otherwise, all Internet Explorer hotfixes that you have installed are removed.
897225 How to install hotfixes that are included in cumulative security updates for Internet Explorer 6 Service Pack 1
The update rollup 905915 installer verifies whether one or more of the files that are being updated on the computer have previously been updated by an Internet Explorer hotfix. However, the installer detects only hotfixes that were released after security bulletin MS04-038, after update rollup 873377, or after update rollup 889669. Therefore, if you have installed update rollup 873377, update rollup 889669, or an Internet Explorer hotfix that was released after update rollup 873377, the update rollup 905915 installer automatically installs the hotfixes and the security updates that are included in update rollup 905915.

As I said, no wonder people don't apply patches.

Re:OK...

[deaddrunk]

I sit corrected :)

Finally

Someone put Christ back into network security.

Patch bundling

[Craig+Ringer]

I hear people claim that MS bundle up multiple fixes and updates in patches, and I'm yet to see evidence of it. In fairness, I haven't really gone looking, but it also doesn't seem logical.

If MS was to bundle other (security) fixes in a patch, they would quickly be identified by reverse engineering the patch and used to exploit as-yet-unpatched systems. There are people who look over these patches in extreme detail, both "white hat" and "black hat" types.

If they bundled other fixes / changes, their business customers would get really, really pissed in a major hurry. Microsoft does NOT want to piss these people off, even with the lock they have on the market. Remember that Microsoft's whole sales pitch right now is about "total cost of ownership."

Given this, I'm inclined to belive the "MS bundles other crap with patches" rumour to be most likely outdated. It could also be something that grew out of a misunderstanding of the difference between security patches, hotfixes, and service packs. I'm more inclined to attribute breakage to a combination of (a) imperfect patch QA and (b) badly written software / malware replacing or patching system DLLs/installing drivers that end up being incompatible with "clean" versions of some of those DLLs installed by a patch. Breakage also used to be common causes of breakage in win9x ... which was a horrific mess you could break by looking at it funny.

I've personally never had issues patching an NT-derived system. I ensure they're clean before patching, and I don't use shoddy software ( in so far as is possible ). In fairness, my only Windows server is NT4 (ugh); I'm speaking mostly about the XP desktops I admin at work and the older win2k machines I've run.

That's not to say that things don't go wrong for anybody, of couse... just that in my own experience they don't tend to do so. Perhaps I'm just lucky not to use $BLAH_POPULAR_DATABASE that likes to patch ntfs.sys, or whatever other ghastly hack people might perpetrate.

Re:Patch bundling

[David+Rolfe]

If they bundled other fixes / changes, their business customers would get really, really pissed in a major hurry. Microsoft does NOT want to piss these people off, even with the lock they have on the market. Remember that Microsoft's whole sales pitch right now is about "total cost of ownership."

I can't believe I'm compelled to say this...

Don't you mean total cost of 0wnership :-D

Re:Bugs? Ever heard of parasites on bugs?

[davidsyes]

worms with bugs:

http://www.google.com/search?q=worms+with+bugs&ie= UTF-8&oe=UTF-8

parasites on insects:

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe =UTF-8&q=parasites+on+insects&btnG=Search

Brood Insects:

(pick your favorite hated OS maker...)

www.cals.ncsu.edu/course/ent425/tutorial/carnivore s.html

Now, what happened to Slapper? Is slapper "slappin' ass" somewhere?

We're really in trouble if "Gasher" arrives and actually gouges random chunks of memory or disks.

Funny tho that Dasher was not named "Stroker": It keySTROKES ya; it gives you a STROKin' (where you least hope); and it gives you a STROKE...

Now, if Stroker starts strokin' Dasher, Dasher will be a CRASHER and HEAD straight for the ground like a real ground-pounder... Ground deer, anyone?

(How funny: word image is: "crawler"... how "creepy"...)

Re:Irony Irony-2

[davidsyes]

You could be safe from keystrokin', too, I suppose, but...

You have to feel a little sorry for Microsoft

You know you have to feel a little sorry for Microsoft, I mean true it is their OS that has the bugs and other problems in it but if all of the morons in the world would simple run Windows Update MOST of these problems would be eliminated or at least greatly contained. I wish that somehow we could fine people for the damages that their computers cause for not being updated.
And again just to clarify I am not saying that Microsoft gets their patches out quick enough to eliminate all of these bugs but they for exampel have definitely had this one out long enough that this shouldn't be a problem.

Password Safe

[mslinux]

http://www.schneier.com/passsafe.html

Why not make keystroke loggers useless? I love this software. Just copy and paste passwords ;)

Re:Password Safe

[Slashcrap]

http://www.schneier.com/passsafe.html

Why not make keystroke loggers useless? I love this software. Just copy and paste passwords ;)

What? Do you really think it's difficult to modify a keylogger to capture the contents of the clipboard too?

It's been done before. And while I'm not a programmer, I'd be surpised if there wasn't a Win32 API for doing exactly that.

If your system is compromised by a worm then you have to assume that it is completely compromised. Have a look at the Metasploit vulnerability scanner - one of its most interesting features is a VNC server that can be used as a payload to an exploit. It wouldn't be hard to build that into a worm - no password saving app is going to help you if the attacker can see your desktop and clipboard contents.

Re:Could be worse...Is worse than u think...

[Neoprofin]

I did some volounteer service this summer for the local State Historical Society and one of my duties was to sift through and file all the mail that one particular department head had recieved during the past year. Most of it was just superfluous, letters between states, letters to magizines and replies, billing and the like. The one intereting piece that I came accross was notifications from the overseers of account numbers for trust funds and expenditure accounts with money stored in them in the hundreds of thousands of dollars as well as employee social securiity numbers and personal information.

I'm not a dishonest person, but asking someone to sort though information like that unsupervised with absolutely no background check or even proof of identity may one day come back to haunt them.

Re: Just Step Away

There are 1000s of reasons to stay away from Linux.

Just hug that WinBox and have a nice day :)

QONQR (tm)

Reindeer games?

[mrjackson2000]

Now Dasher! now, Dancer! now, Prancer and Vixen!
On, Comet! on, Cupid! on Dunder and Blixem!

great

[suezz]

a new drm business model for the MPAA and RIAA.

Oh crap ...

[David+Rolfe]

Oh crap ... I meant to post that anonymous. Apologies to everyone ;-)