First StarOffice Virus Sighted

Sam Haine '95 writes "News.com is reporting on the creation of Stardust, a virus which uses macros to attack StarOffice, Sun's office suite. The malware was written as a proof-of-concept code to show what might be possible rather than as a serious attempt to create a new attack vector." From the article: "The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting."

it's still basically a OS security issue

[yagu]

First, a question, I don't know what the default setting for StarOffice is as to macro execution. Is it turned on by default?

Regardless, it's no secret of mystery even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

OTOH, while it is getting better in Windows, there are still far too many users set up with admin privileges, and we're a long way from sufficient education and reconfiguration such that a typical Windows user has safe access so exploits succeed in only local impact.

Macros in documents are almost evil, I hate that everything sent somehow has to have its own life-force, but in properly configured systems, they're manageable. (I don't object to macros, I use them all the time, but to make them "required" to get the full effect of e-mail is annoying.)

Re:it's still basically a OS security issue

[Otter]

If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.

Re:it's still basically a OS security issue

[anagama]

If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

For me, the system is the least valuable area. I have system cds and if it gets borked, I can reinstall and reconfigure. A hassle "yes", end of the world "no". What concerns me is all the irreplaceable content in my home directory. In my home dir, I have all the privileges I need to ruin it all. Now, I keep backups because I know that all computers always fail (at some point in time), but most people are pretty cavalier about backing up stuff. Of course, when I backup, I only backup my data because really, the system is stupidly easy to replace. A person who loses all their baby pics due to a malicious macro isn't really going to care that their printer config is still good.

Re:it's still basically a OS security issue

[I'm+Don+Giovanni]

"People who don't backup /home every night deserve everything they get."

But even if you did backup every night, what if some malware corrupted some documents in /home? Maybe changed some vital data in a spreadsheet? Maybe the change would be too subtle to notice, and you're spreadsheet would start producing incorrect calculations due to the incorrect data, unbeknownst to you. And when you did your nightly backup, guess what, the corrupted spreadsheet gets backed up as well, so now your backup store is corrupt.

Re:it's still basically a OS security issue

[chill]

If I lose /, I can just download a clean distro. If I lose /home, I'm screwed. /home is infinitely more important on a single-user system.

Actually, a complete reinstall on a Linux system is so trivial it doesn't matter -- as long as /home is a separate partition. And, of course, you have some skill with the system.

I don't, nor do I known anyone that does, back up their /home folder daily. I do back it up weekly to a DVD-R, but nightly? The process is too much of a PITA. *CRITICAL* files are backed up, but there is so much that isn't critical, I don't bother.

What I found was easy was to create a folder for all the updates I have installed (.tgz in my case, but .deb or .rpm for the non-Slackware types) and back THAT up to a CD-R on a regular basis. Then, I can do a reinstall -- skipping /home if possible -- from clean distro disks in maybe 20 minutes. Follow that up with a quick "upgradepkg /mnt/cdrom/updates/*.tgz" and I'm right back to where I was before disaster struck.

I haven't played with it on Slackware, but on Fedora/Red Hat and their derivatives you could create a kickstart disk after your initial install to automate the reinstall. No need to choose timezones, package sets or anything. Very handy.

I would like to point out that this is so damned easy because Linux DOES NOT USE A REGISTRY like Windows, instead saves global configs in /etc and user configs in ~. The #1 complaint I had from people restoring Windows from scratch was that they had to waste so much time going back and tweaking the configs on all the software they use. Very, very time consuming.

  -Charles

Missing the best part.

What? No link to the "adult content?"

Virus!?

[Kesch]

It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting.

I don't call that a virus, I call it a feature.

Hopefully the next version will allow you to enter keywords to guide the image downloader.

Re:Virus!?

[Jim+Hall]

What, no screenshots?

virus?

[gEvil+(beta)]

It downloads an image file with adult content from the Internet and opens that file in a new document

That's no virus, that's a productivity tool!

A Virus

[CastrTroy]

Is this really a virus. It downloads and displays and image with adult content, and displays it. It doesn't run any malicious code, doesn't touch your file system, and doesn't leave any trace after it has run. Sure, you may get in trouble at work, if it downloads the single image, but I think that most IT departments would understand, and wouldn't be able to do much for you for downloading a single image with adult content.

Re:A Virus

[Golias]

A "Proof of concept" malware example for a non-Microsoft product, such as StarOffice or OS X, is demonstrated in a controlled lab: Big news!

An actual virus which utterly cripples Windows PC's is discovered in the wild: Business as usual.

That's pretty much all you need to know about Windows and MS-Office.

Learning period

[suv4x4]

The more open source products get used, the more their authors will realize that it's not enough to be l33t to write a secure product.

It will also require tough and down-to-the-ground tough work such as researching the worms out there and patching the product out.

Another thing is: you can never "fix" the user, there will always be the guys to run attached executables that promise hot porn and FREE MONY!.

Why go through the trouble?

[MagicM]

If you want to trick someone into viewing an image, why not just embed the image in the document?

Where is the "proof" (and the "virus") in this "proof of concept virus"?

Re:Why go through the trouble?

[sidfaiwu]

The point is that the image is downloaded and displayed without the user doing anything other than opening the document. The 'proof' is that the code executed even if the user did not want it to. The download-and-display-an-image code could easily be replaced with more malicious code. That is the 'virus' part.

Bypass mechanism

[16K+Ram+Pack]

Not enough specifics. Does this bypass the "do you want to run macros?" because if so, it's a virus, if not, it's a stupid user virus.

I'm all for protecting users from their own stupidity, but in the end, there's a point where people stop having any power at all.

Proof of Concept to infect the planet

[packetmon]

I've floated the idea of a multicast based worm capable of infecting anyone who is accessing a multicast stream. I came up with this idea after some CCNP studies while doing some multicast tests. For those who need a briefer on how multicast works: What is Multicasting ? Multicasting is a technique developed to send packets from one location in the Internet to many other locations, without any unnecessary packet duplication. In multicasting, one packet is sent from a source and is replicated as needed in the network to reach as many end-users as necessary.

In my theory, a virus creator need create say a corrupted image, sound, etc., and send it through networks as a spoofed source. For example, MSN, AIM, Yahoo! messengers all stream annoying advertisements, so what's to stop someone from creating a packet injection tool to stream a virus through to everyone listening for the multicast and infect their machine.

Let D=Disney A=Attacker M=Multicast_Address DST=Destination... If A spoofs D sending bad data to M's DST... How many machines can possibly get infected. The framework is there and the possible outcome would be mass infections on a worse level then any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.

Anyhow in relation to the article, there is no mention of which operating system this PoC affects but I'm sure it will only be a matter of time before someone creates all sorts of perl, sh, python scripts to try and make Unix zombies or so. Luckily I know of no colo places using StarOffice on big piped networks, so DDoS drones are unlikely to come out of this. Simply infected machines... Will be strange to see what else comes out of this.

Erh... no, boss, erh... no, that wasn't me

[Opportunist]

Me? Looking at porn at work? Noooo, sorry, must be that virus goin' round.

A heartfelt THANK YOU to the autor!

Thanks!

[Chris+Bradshaw]

"proof-of-concept"

Cool... Thanks for the idea!

Respectfully Signed,
Anonymous Redmond Washington Resident

Losing data is always the real problem.

[khasim]

If you're in a company and a "virus" takes out one of the system files on one of your servers ... but the data is safe, you have less of a problem than if a "virus" leaves the server intact, but deletes all of your data.

It's always about the security of the data.

Which is why part of the OS's job is to restrict the ability of regular users as much as possible.

When all that is in danger is your personal home directory, that's really as good as the OS can be.

If we're talking single user/home machines ... the risk is greater that your hard drive will fail before you get a "virus" on your Linux box. With a failed hard drive (and no backup), you've lost all your data. At some point, it is up to the admin (the user in this case) to back-up his/her data. There is a point at which the OS/app's responsibility ends and the admin's begins.

Is this really a virus?

[xutopia]

Pardon me for asking but doesn't the definition of a virus include duplication? All I hear is that some code can download a picture. How does it "reproduce" itself and infect other stations?

goatse

[EccentricAnomaly]

What? No link to the "adult content?"

be careful what you wish for... the 'adult content' could be goatse

No need to worry

[sootman]

Both StarOffice users have been contacted and were warned to be careful.