Slashdot Mirror

← Back to Stories (view on slashdot.org)

First StarOffice Virus Sighted

Posted by ryuzaki0 on from the batten-down-the-hatches-maties dept.

Sam Haine '95 writes "News.com is reporting on the creation of Stardust, a virus which uses macros to attack StarOffice, Sun's office suite. The malware was written as a proof-of-concept code to show what might be possible rather than as a serious attempt to create a new attack vector." From the article: "The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting."

4 of 166 comments (clear)

  1. it's still basically a OS security issue by yagu · · Score: 3, Interesting

    First, a question, I don't know what the default setting for StarOffice is as to macro execution. Is it turned on by default?

    Regardless, it's no secret of mystery even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

    OTOH, while it is getting better in Windows, there are still far too many users set up with admin privileges, and we're a long way from sufficient education and reconfiguration such that a typical Windows user has safe access so exploits succeed in only local impact.

    Macros in documents are almost evil, I hate that everything sent somehow has to have its own life-force, but in properly configured systems, they're manageable. (I don't object to macros, I use them all the time, but to make them "required" to get the full effect of e-mail is annoying.)

    1. Re:it's still basically a OS security issue by chill · · Score: 4, Interesting

      If I lose /, I can just download a clean distro. If I lose /home, I'm screwed. /home is infinitely more important on a single-user system.

      Actually, a complete reinstall on a Linux system is so trivial it doesn't matter -- as long as /home is a separate partition. And, of course, you have some skill with the system.

      I don't, nor do I known anyone that does, back up their /home folder daily. I do back it up weekly to a DVD-R, but nightly? The process is too much of a PITA. *CRITICAL* files are backed up, but there is so much that isn't critical, I don't bother.

      What I found was easy was to create a folder for all the updates I have installed (.tgz in my case, but .deb or .rpm for the non-Slackware types) and back THAT up to a CD-R on a regular basis. Then, I can do a reinstall -- skipping /home if possible -- from clean distro disks in maybe 20 minutes. Follow that up with a quick "upgradepkg /mnt/cdrom/updates/*.tgz" and I'm right back to where I was before disaster struck.

      I haven't played with it on Slackware, but on Fedora/Red Hat and their derivatives you could create a kickstart disk after your initial install to automate the reinstall. No need to choose timezones, package sets or anything. Very handy.

      I would like to point out that this is so damned easy because Linux DOES NOT USE A REGISTRY like Windows, instead saves global configs in /etc and user configs in ~. The #1 complaint I had from people restoring Windows from scratch was that they had to waste so much time going back and tweaking the configs on all the software they use. Very, very time consuming.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
  2. Why go through the trouble? by MagicM · · Score: 3, Interesting

    If you want to trick someone into viewing an image, why not just embed the image in the document?

    Where is the "proof" (and the "virus") in this "proof of concept virus"?

  3. Proof of Concept to infect the planet by packetmon · · Score: 4, Interesting

    I've floated the idea of a multicast based worm capable of infecting anyone who is accessing a multicast stream. I came up with this idea after some CCNP studies while doing some multicast tests. For those who need a briefer on how multicast works: What is Multicasting ? Multicasting is a technique developed to send packets from one location in the Internet to many other locations, without any unnecessary packet duplication. In multicasting, one packet is sent from a source and is replicated as needed in the network to reach as many end-users as necessary.

    In my theory, a virus creator need create say a corrupted image, sound, etc., and send it through networks as a spoofed source. For example, MSN, AIM, Yahoo! messengers all stream annoying advertisements, so what's to stop someone from creating a packet injection tool to stream a virus through to everyone listening for the multicast and infect their machine.

    Let D=Disney A=Attacker M=Multicast_Address DST=Destination... If A spoofs D sending bad data to M's DST... How many machines can possibly get infected. The framework is there and the possible outcome would be mass infections on a worse level then any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.

    Anyhow in relation to the article, there is no mention of which operating system this PoC affects but I'm sure it will only be a matter of time before someone creates all sorts of perl, sh, python scripts to try and make Unix zombies or so. Luckily I know of no colo places using StarOffice on big piped networks, so DDoS drones are unlikely to come out of this. Simply infected machines... Will be strange to see what else comes out of this.

    --
    Infiltrated dot Net