Slashdot Mirror


First StarOffice Virus Sighted

Sam Haine '95 writes "News.com is reporting on the creation of Stardust, a virus which uses macros to attack StarOffice, Sun's office suite. The malware was written as a proof-of-concept code to show what might be possible rather than as a serious attempt to create a new attack vector." From the article: "The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting."

10 of 166 comments

  1. Virus!? by Kesch · · Score: 5, Funny

    It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting.

    I don't call that a virus, I call it a feature.

    Hopefully the next version will allow you to enter keywords to guide the image downloader.

    --
    If this signature is witty enough, maybe somebody will like me.
  2. virus? by gEvil (beta) · · Score: 5, Funny

    It downloads an image file with adult content from the Internet and opens that file in a new document

    That's no virus, that's a productivity tool!

    --
    This guy's the limit!
  3. Learning period by suv4x4 · · Score: 4, Insightful

    The more open source products get used, the more their authors will realize that it's not enough to be l33t to write a secure product.

    It will also require tough and down-to-the-ground tough work such as researching the worms out there and patching the product out.

    Another thing is: you can never "fix" the user, there will always be the guys to run attached executables that promise hot porn and FREE MONY!.

  4. Proof of Concept to infect the planet by packetmon · · Score: 4, Interesting

    I've floated the idea of a multicast based worm capable of infecting anyone who is accessing a multicast stream. I came up with this idea after some CCNP studies while doing some multicast tests. For those who need a briefer on how multicast works: What is Multicasting? Multicasting is a technique developed to send packets from one location in the Internet to many other locations, without any unnecessary packet duplication. In multicasting, one packet is sent from a source and is replicated as needed in the network to reach as many end-users as necessary.

    In my theory, a virus creator need create, say, a corrupted image, sound, etc., and send it through networks as a spoofed source. For example, MSN, AIM, Yahoo! messengers all stream annoying advertisements, so what's to stop someone from creating a packet injection tool to stream a virus through to everyone listening for the multicast and infect their machine?

    Let D=Disney A=Attacker M=Multicast_Address DST=Destination... If A spoofs D sending bad data to M's DST... How many machines can possibly get infected? The framework is there and the possible outcome would be mass infections on a worse level than any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.

    Anyhow in relation to the article, there is no mention of which operating system this PoC affects but I'm sure it will only be a matter of time before someone creates all sorts of perl, sh, python scripts to try and make Unix zombies or so. Luckily I know of no colo places using StarOffice on big piped networks, so DDoS drones are unlikely to come out of this. Simply infected machines... Will be strange to see what else comes out of this.

  5. Re:it's still basically a OS security issue by Otter · · Score: 5, Insightful
    If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

    We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.

  6. Erh... no, boss, erh... no, that wasn't me by Opportunist · · Score: 4, Funny

    Me? Looking at porn at work? Noooo, sorry, must be that virus goin' round.

    A heartfelt THANK YOU to the author!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:it's still basically a OS security issue by anagama · · Score: 4, Insightful
    If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

    For me, the system is the least valuable area. I have system CDs and if it gets borked, I can reinstall and reconfigure. A hassle "yes", end of the world "no". What concerns me is all the irreplaceable content in my home directory. In my home dir, I have all the privileges I need to ruin it all. Now, I keep backups because I know that all computers always fail (at some point in time), but most people are pretty cavalier about backing up stuff. Of course, when I back up, I only back up my data because really, the system is stupidly easy to replace. A person who loses all their baby pics due to a malicious macro isn't really going to care that their printer config is still good.

    --
    What changed under Obama? Nothing Good
  8. goatse by EccentricAnomaly · · Score: 5, Funny

    What? No link to the "adult content?"

    be careful what you wish for... the 'adult content' could be goatse

    --
    There are 10 types of people in this world, those who can count in binary and those who can't.
  9. No need to worry by sootman · · Score: 4, Funny

    Both StarOffice users have been contacted and were warned to be careful.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  10. Re:it's still basically a OS security issue by chill · · Score: 4, Interesting

    If I lose /, I can just download a clean distro. If I lose /home, I'm screwed. /home is infinitely more important on a single-user system.

    Actually, a complete reinstall on a Linux system is so trivial it doesn't matter -- as long as /home is a separate partition. And, of course, you have some skill with the system.

    I don't, nor do I know anyone that does, back up their /home folder daily. I do back it up weekly to a DVD-R, but nightly? The process is too much of a PITA. *CRITICAL* files are backed up, but there is so much that isn't critical, I don't bother.

    What I found was easy was to create a folder for all the updates I have installed (.tgz in my case, but .deb or .rpm for the non-Slackware types) and back THAT up to a CD-R on a regular basis. Then, I can do a reinstall -- skipping /home if possible -- from clean distro disks in maybe 20 minutes. Follow that up with a quick "upgradepkg /mnt/cdrom/updates/*.tgz" and I'm right back to where I was before disaster struck.

    I haven't played with it on Slackware, but on Fedora/Red Hat and their derivatives you could create a kickstart disk after your initial install to automate the reinstall. No need to choose timezones, package sets or anything. Very handy.

    I would like to point out that this is so damned easy because Linux DOES NOT USE A REGISTRY like Windows, instead saves global configs in /etc and user configs in ~. The #1 complaint I had from people restoring Windows from scratch was that they had to waste so much time going back and tweaking the configs on all the software they use. Very, very time consuming.

      -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.