Slashdot Mirror


Pipeline Worm Floods AIM With Botnet Drones

Several readers write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."

196 comments

  1. i love it... by 0110011001110101 · · Score: 5, Funny
    when I get free trojans... it's so embarrassing to buy them in the store...

    the internet is a wonderful place

    --
    Don't anthropomorphize computers: they hate that.
    1. Re:i love it... by Ana10g · · Score: 1

      with the advent of the self checkout, I'm beginning to worry that an entire generation of adolescent males (and post-adolescent slashdotters, heh) will not have to experience that wonderful humiliating experience of purchasing trojans from the grocery store! With no common experiences, I predict a demise in the social structure binding us together! What is this world coming to?

      --
      just an analog boy living in a digital age.
    2. Re:i love it... by smart.id · · Score: 2, Interesting

      I never understood this. What is so embarrassing about someone else knowing that you are fucking somebody?

      --
      blog & fiction: jd87
    3. Re:i love it... by iPodUser · · Score: 1

      Embarrassing? How is that embarrassing? It's like saying "I'm getting some tonight". More like bragging.

      --
      This space intentionally left blank.
    4. Re:i love it... by Kesch · · Score: 2, Funny

      It's not that. It's that he's buying the 'Extra Small' ones. (Sorry, I couldn't help it. It was too good an opportunity to pass up.)

      --
      If this signature is witty enough, maybe somebody will like me.
    5. Re:i love it... by Anonymous Coward · · Score: 0

      That somebody else might be a friend of your [relative] or [other person who you don't want to know].

      Perhaps you don't want people to know you buy [0-100] [small/medium/large] condoms.

      Seriously, what's it to you?

      Not everybody is comfortable acknowledging stuff like that, much less actively talking about it. Mind your own business.

    6. Re:i love it... by Afrosheen · · Score: 1

      True that, I buy condoms with a big grin on my face. "Yes ma'am, I AM getting some tonight and for the foreseeable future. I'll take the economy pack please."

    7. Re:i love it... by sfeinstein · · Score: 2, Funny

      Heh. And I can't help pointing out that you are most certainly NOT A MARKETER. Can you imagine Trojan or any condom company selling "Extra Small"? Yeah, I'm sure they'd fly right off the shelves.

      It would have to be marketed as "Tight-fit Performance Pro" or hidden in with macho words like "Maximum Super-Shrunk Thunderbolt" or something like that!

      --
      "Whether or not you believe me, I'm right" -RWF
    8. Re:i love it... by inviolet · · Score: 3, Funny
      True that, I buy condoms with a big grin on my face. "Yes ma'am, I AM getting some tonight and for the foreseeable future. I'll take the economy pack please."

      Ah, the 36-count jumbo box... I believe the name for that sized box is "The don't-have-a-Family Pack".

      --
      FATMOUSE + YOU = FATMOUSE
    9. Re:i love it... by rthille · · Score: 1

      Yeah, when I was first dating my wife, we ran out and I ran to the store and bought 2 12-packs and a couple of bottles of seltzer water (gotta stay hydrated!) and the clerk's response was, "You must be doing pretty well!" And I replied, "based on what I'm buying or the shit-eating grin on my face?"

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    10. Re:i love it... by mackyrae · · Score: 1

      Well, if the lady at the counter plays bridge with your grandma, that seems potentially embarrassing. Or if you think the girl at the counter's a hottie, she might think you're a perv or a player or some other type of guy that makes us think you'd be a bad boyfriend, and then you can't hit on her at school the next day.

      --
      look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
    11. Re:i love it... by Dog+Chapman · · Score: 0, Funny

      Here's a tip - your grandmother has been fucked before

      --
      Born on a mountain, Raised in a cave!
    12. Re:i love it... by Bing+Tsher+E · · Score: 1

      I once brought a package of condoms up to the checkout at a local Walgreens. The cashier, a late-middle-age woman, just left the checkstand and disappeared.

    13. Re:i love it... by Anonymous Coward · · Score: 0

      Yabut that's just the marketing side....No matter what it is named this is what you get from the blond bimbo on register 3 broadcast throughout the store...

      "teeney-peeny-protector price check on 3!"

    14. Re:i love it... by Anonymous Coward · · Score: 0

      Dude I heard you were fucked! LOL so when they sending you back to Mexico?

    15. Re:i love it... by Anonymous Coward · · Score: 0
      or the shit-eating grin on my face?"


      Woah... too much info there!!!
    16. Re:i love it... by Anonymous Coward · · Score: 0
      At a bare minimum, you will become a Botnet Zombie -- if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks.

      A really lucky trojaned zombie will use the computer to store spam and it attacks DOS while playing audio CD from SonyBMG? Got it.

      One question: when zombie is trojaned are horses and braiiinss involved someway?

    17. Re:i love it... by joshetc · · Score: 1

      The first time my girlfriend and I had to buy some we somehow managed to get the autistic cashier. Let's just say it was a big deal to him and we found it quite embarrassing.

    18. Re:i love it... by pnutjam · · Score: 1

      he must be taking too big a bite...

    19. Re:i love it... by rthille · · Score: 1

      LOL.

      Sorry, not intended literally...

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  2. And the lesson is... by d3ac0n · · Score: 4, Insightful

    Don't use IM software unless it's part of a closed, managed network. For example: www.omnipod.com is what we use for inter-office IM here. It's a closed network, and all files sent are automatically virus scanned before they can be received. Safe and effective, and keeps our employees from IM-ing with people outside the company.

    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    1. Re:And the lesson is... by OECD · · Score: 2, Funny

      ... and keeps our employees from IM-ing with people outside the company.

      Which company is that? I just want to be sure to avoid working there ever.

      --
      One man's -1 Flamebait is another man's +5 Funny.
    2. Re:And the lesson is... by $RANDOMLUSER · · Score: 2, Informative

      Many, many companies block AIM at the firewall. Ask at your next interview.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:And the lesson is... by Daniel_Staal · · Score: 3, Interesting
      Which company is that? I just want to be sure to avoid working there ever.

      Don't worry. I'm sure everyone there has installed AIM on their computers without letting the IT department know.

      --
      'Sensible' is a curse word.
    4. Re:And the lesson is... by toleraen · · Score: 1

      Any company with an actual IT department. RTFA for an extremely good reason.

    5. Re:And the lesson is... by tb3 · · Score: 1

      Oh, random executable installed in your system32 folder, you say?

      No, the real lesson here is don't use that half-assed excuse for an operating system for anything more than playing video games.

      --
      www.lucernesys.com Horizon: Calendar-based personal finance

    6. Re:And the lesson is... by pluther · · Score: 1
      Any company with an actual IT department.

      Well damn. I wonder if Intel, Motorola, Cisco, Vodafone, or MCI will ever get "actual" IT departments, as they all currently allow employees to IM to people outside the company, through their firewalls.

      --
      If the masses can keep you down, you're not the Ubermensch.
    7. Re:And the lesson is... by 99BottlesOfBeerInMyF · · Score: 4, Interesting

      Many, many companies block AIM at the firewall. Ask at your next interview.

      There is more wrong with the above scenario than just that. Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid. At the former, the working conditions probably suck. At the latter, a competent admin will have a Jabber server that connects to AIM and filters for malware. Otherwise, technical employees are likely to bypass security by SSH tunneling their IM communications, which is a risk in and of itself.

      The other thing wrong with this is paying for a proprietary IM solution instead of going with a free, open, standard, interoperable, secure Jabber server. With Jabber you can chat with any other Jabber server using a variety of clients on a variety of platforms. Internal communications are fully internal, running on your own server. External communications can be encrypted. Any company that pays for some other, proprietary IM server is probably run by incompetents and should be avoided.

    8. Re:And the lesson is... by toleraen · · Score: 1

      Congrats, you've listed 5 companies who have assessed the risk of their entire network going down, taking the time to clean everyone's computers, making goddamned sure that everyone has every update available, etc etc, or they've paid a whole lot to ensure everything is going to be properly blocked (not 100% possible). Then they took a look at that cost and found that it is actually less than what they get back from the increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.

      My hat is off to them for actually fudging the numbers enough to make it worth it! Steel cojones, that's for sure.

    9. Re:And the lesson is... by plopez · · Score: 1

      size is no indicator of quality.

      --
      putting the 'B' in LGBTQ+
    10. Re:And the lesson is... by Anonymous Coward · · Score: 0

      Oh, please do continue... Oh, that's it? Nothing more? No other 'clever' remarks from your side of the street? Only the same tried and true excuse over and over, only repeating what others say on a daily basis, if not for the education of others too simple minded to catch on then for the simple pleasure it derives... Yes my friend, real lesson indeed...

    11. Re:And the lesson is... by TubeSteak · · Score: 1
      Many, many companies block AIM at the firewall.
      Are they blocking AIM or are they blocking port 5190?

      Most companies are just blocking the port.
      Hint: You can change what port AIM uses.
      --
      [Fuck Beta]
      o0t!
    12. Re:And the lesson is... by Anonymous Coward · · Score: 0

      Keep telling yourself that.

    13. Re:And the lesson is... by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.

      Actually I know some of the security guys at one of those companies and I can make a good guess as to how the decision was made. It was probably at a much higher level. "Well, should we try to lock down each application on every desktop and have everyone trying to cram everything over port 80, or should we actually let everyone run things on the proper port and then filter things out as we need to?" I'll tell you what one of those companies does when this worm hits their network. They see the propagation behavior as a traffic anomaly on their control panel. Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm. Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic and any other traffic from those hosts that differs from "normal" recorded traffic patterns. Workers can still get to what they need to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations. The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM, which violates their work policy.

      And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off, is not an acceptable answer anymore for most people, especially not in sales.

    14. Re:And the lesson is... by toleraen · · Score: 2, Insightful

      They see the propagation behavior as a traffic anomaly on their control panel.
      A few requests out to a website for a picture would hardly be considered an anomaly. I'm pretty sure our corporate proxy sees a few dozen requests to /. every minute. I'm sure CNN is much higher than that.

      Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm.
      If there is no signature, how would it be listed as a worm at all? Are you talking signature-based on an IPS? Because those things aren't exactly very reliable (read: not at all) on catching unknown attacks. Trust me, I spent about 5 months testing them.

      Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic any other traffic from those hosts that differs from "normal" recorded traffic patterns.
      How does it know who's infected? After it's started its botnet spammings? That trojan has already forwarded its link on to dozens of other people by then. You're playing cleanup at this point. Being reactive to IT security is the last thing you want to do.

      Workers can still get to what they need to to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations.
      At this point they'd have to be completely cut off until their computer is cleaned. How do you know what port to block with the ACL? You may as well just shutdown their interface. That means downtime for at least one person, then if anyone is relying on them for information, they've got downtime. Factor in the IT guy who has to clean it/rebuild the OS...etc etc. How much time does it take a few IT guys to clean a hundred computers again?

      The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.
      Since when is taking a reactive approach to security ever a good thing? Slapping a corporate policy in a users face isn't going to do you jack for security.

      And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off, is not an acceptable answer anymore for most people, especially not in sales.
      If IM is just like email, why not just use email? What's wrong with the phone?

      So this brings me back to my original reply up top. Any company with an actual IT department...would not allow this to be open. There isn't a 100% way to filter out malicious traffic. Sure, technologies like IPSs are coming along, but they're still a long way off, and rely way too much on signatures. The more possibilities you leave open for attack, the more likely you are going to be attacked. Close everything, then open up as necessary. When you have so many other options for relatively secure communications (phone/email/snailmail), why add the unnecessary risk?

    15. Re:And the lesson is... by endikos · · Score: 1

      It's more than just a port. Some clients dynamically change their port when they detect the one they should be using is not available. The way a company I worked for got around the issue was by finding and blocking the servers used to authenticate all the clients.

    16. Re:And the lesson is... by crabpeople · · Score: 2, Informative

      No offense but are you nuts? People should be able to IM at work? Yeah we used to have that here. Then they made me disable all messengers because people chat on them all day long.

      Run a jabber server and filter the connections through there? GET REAL! Besides, most of these things have web based clients anyway, and admittedly I don't know exactly how this "jabber server proxy" would work but I doubt it even goes near port 80.

      What I have done to combat this problem is block instant messenger with group policy, and change the dns pointing for the web clients.

      "technical employees are likely to bypass security by SSH tunneling their IM communications"

      bwahahaha. yes. maybe you have these sorts of employees where you work, but mine can barely determine if their monitor is plugged in.

      --
      I'll just use my special getting high powers one more time...
    17. Re:And the lesson is... by canuck57 · · Score: 2, Insightful

      Many, many companies block AIM at the firewall.

      Should that not be "Many, many companies think they block AIM at the firewall."

      Nuff said if your security people think they have it all plugged up.

    18. Re:And the lesson is... by mibus · · Score: 1

      People should be able to IM at work?

      We allow it here (20 people, so there's no real management issue).

      It works well, we use MSN and Jabber between employees, and out to associates/clients/friends/family.

      Personally, I've always been of the opinion that if an employee is spending too much time on IM, then it's time to talk to the employee, not block access for everyone.

    19. Re:And the lesson is... by ktappe · · Score: 2, Insightful
      Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid.
      You have one of my employer's credit cards in your wallet. Tell me again that we are "paranoid" to block IM...or would you be happy with the possibility of your personal account information being sent out via chat?

      -K

      --
      "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
    20. Re:And the lesson is... by freakmn · · Score: 1

      Why would an employer give a credit card to someone who they think might give it out? If they were going to give it out on IM, they would be untrained enough to write the number on a napkin, or tell it to someone over their cell phone while in a public restaurant. It's not the tools, but the users.

      --
      warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
    21. Re:And the lesson is... by AmberBlackCat · · Score: 1

      Can't you just not click on the link?

    22. Re:And the lesson is... by elBart0 · · Score: 1
      Blocking AIM is usually what happens at two kinds of companies


      Make that three kinds of companies. The third being companies in a litigious line of business (finance, banking, pharma, etc), where almost anything, on any user's machine (but especially an executive's machine) is discoverable in a lawsuit. IM logs listing a conversation between two employees are just as discoverable as an email trail. It doesn't have to sit on a server for it to be found.

      While your desire to chat with your buddies during work may seem important to you, what would you pick: IM for everyone, or a job to go to?

      Don't get me wrong, I use IM at work as well, and I think it can be very useful, but, in the absence of some sort of policy (i.e. if installed, it is for personal use only, or some such), in some industries, it brings more risk than its worth.
      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    23. Re:And the lesson is... by djradon · · Score: 2, Funny
      Yeah, if an employee had the card info and the willingness to pass it on, lack of IM is not going to deter him. But there are legit reasons for wanting to block AIM. For one, your unwitting users, some of whom are probably administrators on their local machines, could be exposing sensitive information stored on their local hard drives. I'm going to send a friendly reminder to my AIM/Trillian userbase this morning:

      There's another AIM worm "on the loose" this morning:

      http://blog.spywareguide.com/2006/09/aim_pipeline_worm_uses_modular.html

      Please don't click on IM links, even if they appear to come from your friends unless you know for certain that you're not talking to an automated process.

      In this particular instance, you might get a message like "hey is it alright to put this picture of you up on my egallery album?" Clicking could induce a continuing "cycle of infections" that would be unseemly given our upcoming Sarbox audit.

      Thanks!

      BTW, Does anyone know a way to block automated hyperlinking of URLs?
    24. Re:And the lesson is... by G-funk · · Score: 1

      Then they made me disable all messengers because people chat on them all day long.

      Who gives a crap? If they're not working, then get rid of them because they're not working. If they're still producing an amount you're happy with, then who gives a shit if they're also talking to their girlfriend? Either way, banning IM doesn't help.

      --
      Send lawyers, guns, and money!
    25. Re:And the lesson is... by Damastus+the+WizLiz · · Score: 1

      I work for a major American bank in one of their call centers. As someone with an account at said bank I am glad they disable outside IM clients as well as out-of-company email. I have to troubleshoot for these phone agents and I am quite sure they are just as capable of accidentally handing out the personal information of customers through plain stupidity as they are through malicious intent.

      --
      I often have trouble remembering which way is out of bed in the morning.
    26. Re:And the lesson is... by daem0n1x · · Score: 1

      If people have enough time to be chatting all day long, then they are not being well managed. We use IM as a working tool, with some success. My team has lots of projects abroad, there are always 2 or 3 co-workers in foreign countries, working. And IM is a lot cheaper than international phone calls. I have my Gaim clients disconnected most of the time because, even when I'm flagged as "busy", friends of mine come at inappropriate times for some cheap talk, and I have to be kinda rude and tell them: I'M WORKING! WE'LL TALK LATER!

    27. Re:And the lesson is... by skiman1979 · · Score: 1
      I have my Gaim clients disconnected most of the time because, even when I'm flagged as "busy", friends of mine come at inappropriate times for some cheap talk, and I have to be kinda rude and tell them: I'M WORKING! WE'LL TALK LATER!
      That's what I like about how I have Trillian configured. When a user IMs me, the only thing that happens on my desktop is I get a flashing notification icon in my buddy list. The IM window is hidden completely, and only shows when I click that notification icon. We use AIM at work to talk both in-company and with friends/family. If I'm busy at work, I can put up an away message and minimize Trillian. That way I don't even know I'm getting an IM unless I restore Trillian or happen to notice the tiny flashing icon in the systray.
      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    28. Re:And the lesson is... by 99BottlesOfBeerInMyF · · Score: 1

      Run a jabber server and filter the connections through there? GET REAL! Besides, most of these things have web based clients anyway, and admittedly I don't know exactly how this "jabber server proxy" would work but I doubt it even goes near port 80.

      I'm not sure I understand what you're getting at. Do you mean to say you think it is a good idea to move more services to port 80 within your network (with or without your knowledge), rather than having them on individual ports where you can properly administer and monitor them?

      bwahahaha. yes. maybe you have these sorts of employees where you work, but mine can barely determine if their monitor is plugged in.

      So your company hires incompetent people and you think this qualifies you as the model of how things should work? Okay then. Just don't expect to be able to attract good employees with policies that are authoritarian for no good reason.

    29. Re:And the lesson is... by 99BottlesOfBeerInMyF · · Score: 1

      A few requests out to a website for a picture would hardly be considered an anomaly. I'm pretty sure our corporate proxy sees a few dozen requests to /. every minute. I'm sure CNN is much higher than that.

      Well, it is grabbing a .exe file in this case, not a picture, but if it is in your signature database requests to that host will show up as that worm traffic. If not, then the series of repeated requests to a series of servers as this runs its chain of attacks and then starts talking on a control channel, on several different hosts will certainly show up as a probable worm propagation on a good IDS.

      If there is no signature, how would it be listed as worm at all? Are you talking signature based on an IPS? Because those things aren't exactly very reliable (read: not at all) on catching unknown attacks. Trust me, I spent about 5 months testing them.

      I'm talking about a good IDS, such as many enterprises run, including at least two of those mentioned in the list above. The one we use here works to catch propagation traffic very well, and this is a classic match for that pattern.

      How does it know who's infected? After it's started its botnet spammings?

      If you don't have tools that let you grab a list of hosts whose traffic over the last 2 days has matched this signature of downloads from particular servers, then opening a port and starting an IRC connection to a control channel, and you work at a major company like those listed, then your security guys should be fired today.

      You're playing cleanup at this point. Being reactive to IT security is the last thing you want to do.

      Yes you're reacting, but quickly enough to stop major damage, while at the same time, not working on a policy of "security by DoSing ourselves and disabling communication channels out of fear." A few infections is enough for detection. Before it hits more than a few, you should have automatically isolated those hosts and filtered this worm traffic to stop it hitting any more.

      At this point they'd have to be completely cut off until their computer is cleaned. How do you know what port to block with the ACL?

      Your IDS automatically generates an ACL to remove the worm traffic, which is forwarded to the routers that divide your network segments. That ACL is constructed to not block your vital business connections, which you've predefined and which are based upon learned, normal traffic.

      Factor in the IT guy who has to clean it/rebuild the OS...etc etc. How much time does it take a few IT guys to clean a hundred computers again?

      If it hit 100 hosts, you've reacted slowly, but even then it is a lot better to have an IT guy waste a month cleaning them than to lose a multimillion dollar sale because the other company was IM'ing the buyer on his PDA while you were waiting on e-mail.

      Since when is taking a reactive approach to security ever a good thing? Slapping a corporate policy in a users face isn't going to do you jack for security.

      It is better than overly restrictive policies that make it harder to get work done and less pleasant for employees whose happiness is vital to your success. More importantly it does not motivate those employees to work around your security, opening up more serious and harder to track down holes.

      If IM is just like email, why not just use email? What's wrong with the phone?

      IM is just like e-mail in that it is a common communication mechanism, ideal for some kinds of communication. It is faster and more interactive than e-mail. Unlike phone calls it allows a user accessible record to be kept, long strings of numbers to be easily copied and pasted, files to be transferred, and you can easily carry on multiple IM conversations at once. That is to say, it is superior to the phone or e-mail for some communications, especially sales in some markets.

      So this brings me back to my original reply up top. Any company w
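
The exchange above argues over whether "a few requests for a picture" can ever look anomalous. The point being made is that no single request is the signal; the conjunction is: one workstation fetching executables from several different servers in a short window and then opening a control-channel connection. The following is an added example for this thread, not code from the original page or from any IDS product named in it. The log format, the thresholds, the IRC port list and the ACL syntax are assumptions, and the log lines are constructed, not captured traffic.

```python
"""Toy detector for the chained-download-then-control-channel pattern
discussed above. Added example; log format, thresholds and rule syntax
are assumptions, not those of any product named in the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EXEC_PATH = re.compile(r"\.(exe|com|scr|pif|bat|cmd)$", re.IGNORECASE)
CONTROL_PORTS = set(range(6660, 6670)) | {7000}   # assumed: plain IRC ports
WINDOW = timedelta(seconds=120)                    # assumed correlation window
MIN_DISTINCT_SERVERS = 2                           # "a series of servers"

# Constructed sample log (not real traffic). Columns:
# timestamp host action destination port path
SAMPLE_LOG = """\
2006-09-19T10:00:01 ws-0042 GET picsite-a.example 80 /image18.com
2006-09-19T10:00:03 ws-0042 GET host-b.example 80 /files/ck.exe
2006-09-19T10:00:05 ws-0042 GET host-c.example 80 /dl/ncsrv.exe
2006-09-19T10:00:09 ws-0042 CONNECT irc-ctl.example 6667 -
2006-09-19T10:00:10 ws-0017 GET slashdot.org 80 /index.pl
2006-09-19T10:00:12 ws-0017 GET cnn.com 80 /img/logo.jpg
2006-09-19T10:00:15 ws-0017 GET updates.vendor.example 80 /patch.exe
2006-09-19T10:05:00 ws-0099 CONNECT irc-ctl.example 6667 -
"""


def parse(log_text):
    """Yield (time, host, action, dest, port, path) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, dest, port, path = line.split()
        yield datetime.fromisoformat(ts), host, action, dest, int(port), path


def detect(log_text):
    """Return {host: {"servers": [...], "control": (dest, port)}} for every
    host that fetched executables from MIN_DISTINCT_SERVERS or more servers
    within WINDOW before opening a connection to a control port."""
    downloads = defaultdict(list)   # host -> [(time, server)]
    connects = defaultdict(list)    # host -> [(time, dest, port)]
    for t, host, action, dest, port, path in parse(log_text):
        if action == "GET" and EXEC_PATH.search(path):
            downloads[host].append((t, dest))
        elif action == "CONNECT" and port in CONTROL_PORTS:
            connects[host].append((t, dest, port))
    flagged = {}
    for host, conns in connects.items():
        for t, dest, port in conns:
            servers = {s for dt, s in downloads[host] if t - WINDOW <= dt <= t}
            if len(servers) >= MIN_DISTINCT_SERVERS:
                flagged[host] = {"servers": sorted(servers), "control": (dest, port)}
                break
    return flagged


def quarantine_rules(host, business_destinations):
    """Illustrative quarantine rules in the spirit of the thread's "ACL that
    keeps predefined business connections open": permit the known
    destinations, deny everything else. Syntax is made up, not a real router's."""
    rules = [f"permit {host} -> {dst}" for dst in business_destinations]
    rules.append(f"deny {host} -> any")
    return rules


if __name__ == "__main__":
    for host, info in detect(SAMPLE_LOG).items():
        print(host, "fetched executables from", info["servers"],
              "then connected to", info["control"])
        print("\n".join(quarantine_rules(host, ["mail.corp.example", "crm.corp.example"])))
```

Only ws-0042 is flagged: ws-0017 fetched a single .exe from a vendor site and never opened a control connection, and ws-0099 opened an IRC connection with no preceding downloads, so neither trips the combined rule. The thresholds are the tunable part, and they are also where this fails: a chain that pauses longer than WINDOW between stages, or that talks to its controller over port 80, walks past it.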

    30. Re:And the lesson is... by 99BottlesOfBeerInMyF · · Score: 1

      You have one of my employer's credit cards in your wallet. Tell me again that we are "paranoid" to block IM...or would you be happy with the possibility of your personal account information being sent out via chat?

      Truthfully, I'd much rather you allowed IM and provided an official IM server for a number of reasons. First, this will let you monitor IM traffic and perhaps even look for CC numbers in the outgoing messages. Second, if someone is IM'ing large amounts of data, I'd rather it was on a separate port you can monitor, rather than hidden on port 80 amidst all the Web traffic. Third, if your employee feels he is trusted, he is a lot less likely to betray that trust and sell my info. Fourth, I'm not confident your facility is sufficiently locked down that said employee can't e-mail the info out, or copy it into a Web blog or print it on paper, or transfer it to a USB drive, or take a pic with their phone. Given that they have so many mechanisms to transfer the data, I'd rather they felt that they were breaking a good employer's trust by doing so, rather than succeeding in their struggle against an oppressive company that has no trust in them and whose relationship to them is impersonal and adversarial.

      But I take a more holistic view of security that does not ignore the human element and is designed to get results, not to appear to be due diligence when I'm sued.

    31. Re:And the lesson is... by IT071961_nurashikin · · Score: 1

      I have experience where my office does not allow us to have messenger..AIM or YM or MSN..they also block it and allow only certain websites to be viewed..it's just a sucky life..life without messenger..like being disconnected from outsiders..but we use DGDR HERMES to communicate with our clique at the department and use meebo to get on YM, MSN and also AIM..I'm not sure whether the IT department knows or not..but hopefully not..

  3. I am sorry if I don't yawn by aepervius · · Score: 4, Insightful

    QUOTE (emphasis mine): "How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad."

    The method used after that sounds interesting, but nothing beats "trusting" an executable sent by any source, anonymous or not, via email or AIM. Do that and SOONER or later your day will turn bad.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:I am sorry if I don't yawn by TubeSteak · · Score: 1

      Seems to me that the main problem is between the keyboard and the chair.

      --
      [Fuck Beta]
      o0t!
    2. Re:I am sorry if I don't yawn by $RANDOMLUSER · · Score: 3, Funny
      ...downloads the image18.com file (disguised as a jpeg). Running the file...
      User clicks on .JPG file. Operating system (no names, please) looks at file, says "Oh, that's really an .EXE file, I'll just execute it without asking...".
      Sounds perfectly sane to me.
      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:I am sorry if I don't yawn by mrbcs · · Score: 1

      hmm, Windows problem again? Seems to me that since the dot-con bubble burst, Microsoft is single-handedly reviving the tech industry. What would all the little computer shops do if they didn't have to fix worms and trojans all day long?

      --
      I'm not anti-social, I'm anti-idiot.
    4. Re:I am sorry if I don't yawn by The+MAZZTer · · Score: 1

      Yeah this is an old trick, there've been file.txt.exe files with a notepad icon for a while now.

      What I do is always force file extensions on (except for shortcuts) and I sort/group by file type, so if I download an image/text file and it doesn't get stuck in the image/text file group, I know something's up.

    5. Re:I am sorry if I don't yawn by megaditto · · Score: 1

      MacOS 7+ used to do that, but it was a bitch to send a resource fork properly over the Internet (though possible).

      Of course with Mac OS X you need to convince the user to set the execute bit to run the 'picture.jpeg' file: not trivial for a typical OSX user.

      --
      Obama likes poor people so much, he wants to make more of them.
    6. Re:I am sorry if I don't yawn by CTho9305 · · Score: 1

      XP provides methods to mark a file as coming from an untrusted source. Ever tried to run an executable downloaded through IE? You get a warning dialog. It's the AIM client's fault for not noting the source of the file in the alternate stream used for security info.
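
      The two checks this subthread keeps coming back to, as an added PowerShell example (not code from any poster, needs PowerShell 3 or later on NTFS): it flags a download whose name says image but whose first bytes carry the PE "MZ" signature, or which hides an executable extension behind a double extension, and reports whether the file carries the Zone.Identifier stream that IE writes and, per the post above, the AIM client did not. The sample file, its name and its contents are constructed.

```powershell
# Added example (not from the thread): inspect a downloaded file the way a
# careful user would, instead of trusting its icon or extension.
function Test-DisguisedExecutable {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item     = Get-Item -LiteralPath $Path
    $parts    = $item.Name.Split('.')
    $finalExt = if ($parts.Count -gt 1) { $parts[-1].ToLower() } else { '' }
    $execExts = @('exe', 'com', 'scr', 'pif', 'bat', 'cmd')

    # Windows executables (PE files) start with the two bytes "MZ".
    $head = New-Object byte[] 2
    $fs   = [System.IO.File]::OpenRead($item.FullName)
    try     { $read = $fs.Read($head, 0, 2) }
    finally { $fs.Close() }
    $isPe = ($read -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

    # Zone.Identifier is the NTFS alternate data stream IE uses to record that
    # a file came from the Internet zone; its presence is what triggers the
    # "are you sure you want to run this" dialog.
    $zone = Get-Item -LiteralPath $item.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File            = $item.Name
        FinalExtension  = $finalExt
        DoubleExtension = ($parts.Count -gt 2)
        LooksLikePE     = $isPe
        HasZoneMark     = [bool]$zone
        # Either an executable extension hiding behind "photo.jpg.scr", or
        # PE content behind a non-executable extension such as "photo.jpg".
        Suspicious      = (($parts.Count -gt 2) -and ($execExts -contains $finalExt)) -or
                          ($isPe -and ($execExts -notcontains $finalExt))
    }
}

# Constructed sample: a "picture" named holiday.jpg.scr whose content begins
# with MZ. It is not a real program, just 64 bytes carrying the PE signature.
$sample = Join-Path $env:TEMP 'holiday.jpg.scr'
$bytes  = New-Object byte[] 64
$bytes[0] = 0x4D; $bytes[1] = 0x5A
[System.IO.File]::WriteAllBytes($sample, $bytes)
# Simulate the origin tag IE writes (ZoneId 3 = Internet zone).
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Test-DisguisedExecutable -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

      A download with HasZoneMark false but Suspicious true is exactly the case the post describes: content the shell would warn about had the IM client tagged it.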

    7. Re:I am sorry if I don't yawn by rawtatoor · · Score: 1

      you should be able to mod something +1 sad

    8. Re:I am sorry if I don't yawn by drsmithy · · Score: 1
      User clicks on .JPG file. Operating system (no names, please) looks at file, says "Oh, that's really an .EXE file, I'll just execute it without asking...".

      I guess you must mean OS/2, because Windows sure as hell doesn't do this.

  4. Simple risk mitigation by LinuxIsRetarded · · Score: 3, Informative

    1- Don't run as an administrator.
    2- Back up your profile regularly.

    If you ever get bitten by something like this, it's easy to recover from.

    1. Re:Simple risk mitigation by EmbeddedJanitor · · Score: 1

      Try explaining that in terms that the average user will be able to understand.

      --
      Engineering is the art of compromise.
    2. Re:Simple risk mitigation by russ1337 · · Score: 3, Funny
      Try explaining that in terms that the average user will be able to understand.
      CLICK HERE
    3. Re:Simple risk mitigation by (54)T-Dub · · Score: 3, Insightful
      1- Don't run as an administrator.
      Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

      Now if we are talking about a work environment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalent IT staff on hand to help out with any issues.
      --

      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    4. Re:Simple risk mitigation by Pacifist+Brawler · · Score: 1

      The only reason this attack wasn't launched against Linux was (1) that for every one computer running Linux there are a hundred running Windows and (2) if you installed Linux, odds are you have good enough computer habits that you wouldn't fall for this anyway. Seriously, we don't accomplish anything by being high-and-mighty when someone starts beating on the average Windows user. Yeah, the average user with Ubuntu was safe this time, we usually are. Still, attacking AIM isn't aimed at the people who install Linux -- it's aimed at the average user who wants their system to behave like everyone else's.

      --
      IANA*
    5. Re:Simple risk mitigation by pe1chl · · Score: 1

      Easy: use this method. When a given piece of software does not run, complain to its supplier. Ask for your money back. Remove it from the system. Spread the word far and wide.

      Software that requires an admin account is soooooooooo 1995. it should be considered obsolete.
      When its supplier does not want to fix it, he deserves to go out of business.

    6. Re:Simple risk mitigation by uolirod · · Score: 1

      Uh, anybody smart enough to do that wouldn't find themselves in that predicament, now would they?

    7. Re:Simple risk mitigation by theRiallatar · · Score: 1

      Programs which require Admin can be fixed with a quick round of cacls to fix write permissions to the install directory in question (if it's Program Files) and to the appropriate Registry keys, without opening you up to full-write to program files, system32 and the registry.

      Learn some basic sysadmin skills and you don't have to worry about programs not running more than once. The other, lazy option is to just create a shortcut with the Run As.... property. Give it an admin account and password and save it for that program. Everything else runs as standard user this way.

    8. Re:Simple risk mitigation by Anonymous Coward · · Score: 0
      Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

      Is a year and 3 months long enough?

    9. Re:Simple risk mitigation by tchuladdiass · · Score: 1

      Not always an option, if you want to keep your wife and kids happy.
      In my case, there is one system that runs windows (the main "family" computer). After the last couple of infections (even with no one logging in as administrator), I've found a way to nip it at the source.
      The two major malware infection routes were AIM and Web (they don't do much email on that machine). So, I've got Wine set up on my Linux server with AIM and IE. Windows box has the appropriate icons linked to a Cygwin script that launches a local X server rootless (if it isn't already running), then remotely executes AIM or IE from my server. Net result is that it looks like they are running locally, no one knows the difference, but any malware attacks will only be able to see the Wine container in the server (running under a restricted account). Problem solved.

    10. Re:Simple risk mitigation by Buran · · Score: 2, Insightful

      The only reason this attack wasn't launched against Linux was

      (3) Linux doesn't allow non-root users to install shit in vital system folders and be run at startup.

    11. Re:Simple risk mitigation by Kaenneth · · Score: 1

      Running an application that requires you to run as Admin for no good reason is like buying a wallet with a chip that voice announces at random intervals how much cash you have on you.

    12. Re:Simple risk mitigation by russ1337 · · Score: 1
      [Ubuntu is] Not always an option, if you want to keep your wife and kids happy..... I've got Wine set up on my Linux server with AIM and IE. Windows box has the appropriate icons linked to a Cygwin script that launches a local X server rootless (if it isn't already running), then remotely executes AIM or IE from my server.
      I'm not sure why you went to all that trouble... I just switched our family computer to Ubuntu and loaded chat tools etc. They are fine with it as the icons are there for all the tools they use, and it suits everybody just fine! I just check it once in a while to see if it needs updates, and that is the limit of my involvement/support! Since I've switched over to Ubuntu I've had more time for BF:2, and less time fixing the bloody computer.
    13. Re:Simple risk mitigation by Anonymous Coward · · Score: 0

      Nice solution, beats RDP/VNC. Mind sharing the Cygwin script (with sensitive information obfuscated)?

    14. Re:Simple risk mitigation by 99BottlesOfBeerInMyF · · Score: 1

      Learn some basic sysadmin skills and you don't have to worry about programs not running more than once.

      The sad thing is, on the world's most popular operating system people have to learn obscure methods that the average user will not comprehend or bother with in order to just run programs. Worse yet, on a consumer desktop where most people want to run executables they don't trust, there is no way to easily run them in an untrusted mode that does not give them default access to the entire user account. It is almost as though innovation had been stifled for the last decade due to some crazy subversion of capitalist market forces... like a monopoly.

    15. Re:Simple risk mitigation by pe1chl · · Score: 1

      Programs which require Admin can be fixed with a quick round of cacls to fix write permissions to the install directory in question (if it's Program Files)

      I know that, but:

      1 - I consider those programs broken, and so does Microsoft

      2 - I think the end-user should not be bothered by this, but the programmer should fix it or find a more adequate occupation.

    16. Re:Simple risk mitigation by jandrese · · Score: 1

      Basic? How in the world is someone supposed to figure out what ACLs they need to set when the application just spits out a "permission error" and quits? Oh, maybe it'll be in the system log? (checks) Nope, by law no useful information is allowed to be put in the system log. If a program wants to write something to the log, it must be of the form "error: Everything is OK" or "error: giving up" and must be repeated 100 times a second.

      My experience is that if a Windows application dies due to permission trouble, unless you have some sort of diagnostic that no regular user has ever heard of hooked to the application, your chances of figuring out exactly which permission it's having trouble with are nil.

      --

      I read the internet for the articles.
    17. Re:Simple risk mitigation by gutnor · · Score: 1

      OK, I have been running in a non-admin account for over 5 years (at home since Win2000 with its magic RunAs command (I know it is sad to think of a su-like command as magic :-) )).
      The rest of my family have happily used it for well over 2 years. No incident, no malware crap on their PC. Basically their PC runs as new (no Windows rotting) and they almost never need any support.

      It is true that several years ago it was a real nightmare to set up, especially with all the programs designed for Win95. But after the release of Windows XP every major suite has been "ported" to run nicely in a normal user account. It took a little more time for shareware (and strangely multiplatform open source software ... god knows why).

      Basically, if a user is a Mac-like user (buys a nice little machine, runs software from major vendors or well-known shareware), there is no problem setting up the Windows machine as a normal user. And you hear from them much less past the first few days. My rule of thumb is: if you think you can migrate this user to Ubuntu, MacOS or anything like that, that means this user is also ready to run Windows as a normal user. (Setting up the beast requires a little getting used to - not neat and pretty out of the box like MacOS.)

      The only 2 problems: first, if you configure the machine for a gamer/power-user wannabe, since most games and tweaking/system utilities still suck and require a little "training". Second problem: if you have a "typical" (as in AOL/MySpace) Windows user who installs tons of shit, cares about nothing and doesn't want to enter his admin password to install NudeBritneySpear.exe. There is nothing you can do for them and unfortunately they represent the vast majority of computer users. If you install MacOS or Ubuntu for them, they will think this system sucks because it doesn't fit their needs (FreeSmileys doesn't run). Sad reality.

    18. Re:Simple risk mitigation by cortana · · Score: 1

      If you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.

    19. Re:Simple risk mitigation by EXrider · · Score: 1

      Actually Filemon and Regmon can help very much with troubleshooting permissions. I used them to get Great Plains 7 (which is a fucking M$ product btw) running under regular user accounts, extremely time consuming, but worth it in the end.

      I agree though... lots of shitty legacy software to deal with. So true on the Event Log LOL.

      --
      grep -iw skynet /etc/services
    20. Re:Simple risk mitigation by Software · · Score: 2, Informative
      Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.
      Yep, do it all the time. Even taught the wife how to do it. See http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx for details, but the basic idea is to run a batch file when you want to be an admin. The batch file gives you admin privileges, starts a process (usually iexplore.exe file:///c:/ , which gives you a normal Windows Explorer), then takes away your admin privileges. Here's the file:
      setlocal
      set _Admin_=%COMPUTERNAME%\Administrator
      set _Group_=Administrators
      set _Prog_="C:\Progra~1\Intern~1\iexplore.exe file:///c:/"
      set _User_=%USERDOMAIN%\%USERNAME%

      if "%1"=="" (
      runas /savecred /u:%_Admin_% "%~s0 %_User_%"
      if ERRORLEVEL 1 echo. && pause
      ) else (
      echo Adding user %1 to group %_Group_%...
      net localgroup %_Group_% %1 /ADD
      if ERRORLEVEL 1 echo. && pause
      echo.
      echo Starting program in new logon session...
      runas /savecred /u:%1 %_Prog_%
      if ERRORLEVEL 1 echo. && pause
      echo.
      echo Removing user %1 from group %_Group_%...
      net localgroup %_Group_% %1 /DELETE
      if ERRORLEVEL 1 echo. && pause
      )
      endlocal
      Instead of iexplore.exe, you can use Quicken.exe, for example. The advantage of using iexplore.exe is that you can launch other processes, such as installation programs, easily. Don't forget PrivBar, either, to show you what your current privilege level is.
    21. Re:Simple risk mitigation by Deanalator · · Score: 1

      1. It's not hard in Windows to go from user->admin if you are executing arbitrary code
      2. It's not hard to infect backups

    22. Re:Simple risk mitigation by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.

      The problem is, to do this you have to have set up a different user account, and it has access to all of those files and settings. This is broken conceptually, and in practice the average user does not create a second account, because the average user does not want a second account; they want to run programs without letting them mess anything up. A file follows a desktop metaphor and is understandable. Likewise a user is understood to be a person with access to the machine. If there is only one person using the machine, it is counter-intuitive to create a second user account. Finally, it is unintuitive to have to right-click to safely run a program, when that is a reasonable default behavior that most users assume the computer is already doing. Go ask 10 average people whether, if they click on an image someone IMs them, they think that should let a program send e-mail from their computer without asking them. Go ask 10 users whether, if they run a game they downloaded, it should be able to read their e-mail address book without asking for permission. Most users not only think it shouldn't be able to, but they assume it can't. This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.

    23. Re:Simple risk mitigation by cbhacking · · Score: 1

      First, there's the Run As... option. Annoying, but not significantly more so than Linux.*
      Second, there's the option to install a virtual machine (VirtualPC is free these days) for programs needing admin access.
      Third, there's Vista and UAC... be admin when, and only when, you need it. Nearly painless too, especially in RC1.

      * Write a batch file that starts msiexec.exe with elevated permissions for installing .msi packages

      --
      There's no place I could be, since I've found Serenity...
    24. Re:Simple risk mitigation by cortana · · Score: 1

      You do not have to set up another user account. The default option is to run the selected program without permissions to access your documents and settings, just as I said.

    25. Re:Simple risk mitigation by Al+Dimond · · Score: 1

      But Linux (along with just about any Unix system) does allow non-root users to modify their .profile, which runs every time you log in. Desktop users don't frequently start their computers without logging in. The things that are really important on single-user desktop systems are the things that aren't owned by root. OS and programs can be easily reinstalled.

    26. Re:Simple risk mitigation by uolirod · · Score: 1

      Quite simply put most average windows users don't have the slightest idea what half the options in any given context menu will actually perform. Nor would they think to use them.

    27. Re:Simple risk mitigation by cortana · · Score: 1

      None of which has any bearing on the fact that if you intend to complain about the inadequacies of an operating system, you should make sure you actually know what you are talking about!

    28. Re:Simple risk mitigation by tchuladdiass · · Score: 2, Interesting

      Simple fact is that the family uses lots of Windows-only programs. The wife will come home from an accounting class, and needs to download Excel spreadsheets from the college web site (which is IE-centric, and has little annoyances under Firefox); these spreadsheets will then need to be used under Excel, because last time I had her use it under OpenOffice something didn't quite work right and caused problems when she sent it back to her instructor.
      The kids will often need to use MyJal to download ringtones into their Nextels. Could probably get this working under Wine, but haven't tried yet.
      And everyone uses Pogo games; some work under Firefox but some don't.
      But slowly I'm getting everyone switched over. I've already set up a thin client (LTSP-based) system using an old Cyrix system, which runs a desktop off the main server. Everyone will use this secondary system when the Windows box is "acting stupid" as they put it. So far, it is working for almost everything, but not quite there yet.

    29. Re:Simple risk mitigation by tchuladdiass · · Score: 1
      Here's the one used for AIM:
      <tt>
      #!/bin/sh
      export PATH=$PATH:/usr/bin:/usr/local/bin:/usr/X11R6/bin
      # the local (Windows/Cygwin) X server that the remote AIM will draw on
      export DISPLAY=192.168.1.15:10
      # check to see if an X server is running, if not start one
      if ! xtest
      then
      run XWin :10 -multiwindow -clipboard -silent-dup-error &
      # wait until the new server accepts connections before touching it
      until xtest; do sleep 1; done
      # NOTE: "xhost +" lets any host connect to this display; "xhost +192.168.1.4" would limit it to the server
      xhost +
      fi
      # -x: no ssh X forwarding needed, the remote AIM connects straight to the DISPLAY above
      ssh -x someuser@192.168.1.4 'export DISPLAY=192.168.1.15:10; nohup bin/aim </dev/null >/dev/null 2>&1 &'
      </tt>
      The shortcut icon then calls this script (r-aim.sh) via the cygwin "run" command (see the example shortcuts for the various X utilities that are shipped with the current version of cygwin-x). Note, the program "xtest" is a small binary that just tries to connect to the X server, and will return an error code if none exists. I'm not sure if there is already an accepted method of doing this, so I put xtest together real quick:
      <tt>
      #include <X11/Xlib.h>
      #include <stdlib.h>

      /* exit 0 if an X server is reachable on $DISPLAY, 1 otherwise */
      int main(void)
      {
      Display *dpy;
      dpy = XOpenDisplay(getenv("DISPLAY"));
      if (dpy == 0)
      exit(1);
      else {
      XCloseDisplay(dpy);
      exit(0);
      }
      }
      </tt>
    30. Re:Simple risk mitigation by Pollardito · · Score: 1

      noooooo! don't run it, it's the Slashdot Pipeline Virus!

    31. Re:Simple risk mitigation by 5plicer · · Score: 1

      I think you mean /etc/profile

      --
      The bits on the bus go on and off... on and off... on and off...
    32. Re:Simple risk mitigation by Anonymous Coward · · Score: 0

      I think he means .profile. Or .bash_profile, or .bashrc, or...

    33. Re:Simple risk mitigation by rawtatoor · · Score: 1

      I think the scales have tipped the other way.
      It used to be a cardinal sin to be incompatible with MS Windows. That led to a culture of catching up feature-wise with MS.

      But sorry; those days are over. Microsoft realizes full well that they must be transparent to other OS's. And this holds true for any organization I don't care who it is.

      There is no excuse for incompatibility like that to exist.

    34. Re:Simple risk mitigation by drsmithy · · Score: 1
      (3) Linux doesn't allow non-root users to install shit in vital system folders and be run at startup.

      Neither does Windows.

    35. Re:Simple risk mitigation by drsmithy · · Score: 1
      This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.

      No, this is because computers are fundamentally devices that do what you tell them to do, not what you want them to do.

      A computer does not know what you mean by "don't do anything bad" unless you actually tell it what "bad" equates to.

    36. Re:Simple risk mitigation by drsmithy · · Score: 1
      Have you ever done this on a windows machine for an extended period of time?

      Yes. For about ten years now.

      Some programs don't even run unless you are administrator.

      Which is why you have "Run As".

      Now if we are talking about a work environment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalent IT staff on hand to help out with any issues.

      True to an extent, but this is the application's fault, not Windows'.

    37. Re:Simple risk mitigation by Anonymous Coward · · Score: 0

      Yes, at my last gig as a network admin, I ran as an unprivileged user on my desktop machine for 5 years. What's the problem?

      Thankfully I no longer have to use Windows at all.

    38. Re:Simple risk mitigation by russ1337 · · Score: 1

      Further to my last post, have you considered using Ubuntu on your family machine and running your essential Windows apps in a Windows OS under VMWare? This provides all the security of the Linux machine (host), with a VM running Windows.

      VMWare gives you the option to not save across sessions; this ensures any changes made are lost. (You can save across sessions if you want to, but for security you may choose otherwise.) It ensures that each and every time your family use the machine, it is stable, virus free and repeatable... and should reduce instances of it 'acting stupid' as your family put it.

      VMWare performance is pretty good. It's 'very close' in performance to running the OS natively. I've been running Ubuntu and FreeBSD, and a couple of other obscure OS's on my Windows machine and can vouch that it's pretty damn good. I've run Ubuntu within Ubuntu just for kicks, and its performance is great.

      You can try the free VMware player here. You can try the free browser appliances to get the feel for what it offers. I'd be interested in hearing what you have to say, if you try it out.

    39. Re:Simple risk mitigation by jandrese · · Score: 1

      Which is great except that most systems I run into that have this problem are classified/protected systems so there's no way I'm installing any third party applications on them. You gotta use what the OS comes with.

      --

      I read the internet for the articles.
    40. Re:Simple risk mitigation by EXrider · · Score: 1

      "classified/protected" systems running Windows is a scary thought in itself. Assuming they're attached to any public networks.

      --
      grep -iw skynet /etc/services
    41. Re:Simple risk mitigation by Raideen · · Score: 1

      It's true that it's (usually) a poorly designed piece of software that needs to run with administrative privileges but it does stem from Windows' history. Still, it's no excuse for any updated or new piece of software not to work properly in a restricted user environment (except for the fact that even VSS needs local admin rights so the programmer has to flip back and forth or has to switch to a test environment every time). Also, I guess you haven't seen the various applications that I've seen that won't run with "Run As". Also, giving an office user the ability to use "Run As" kind of defeats the purpose, although it does provide some layer of security against things like casually running a program or a hole in IE that executes a program automatically.

    42. Re:Simple risk mitigation by 99BottlesOfBeerInMyF · · Score: 1

      A computer does not know what you mean by "don't do anything bad" unless you actually tell it what "bad" equates to.

      True, these are called sane defaults (like no access to the e-mail address book unless you're the pre-installed e-mail client) and asking the user in plain English and with a good UI when an aberration occurs. "Computers are too stupid" is a cop-out for programmers who don't want to do it right because it is hard and have a monopoly, so giving customers a good product does not matter.

    43. Re:Simple risk mitigation by 99BottlesOfBeerInMyF · · Score: 1

      You do not have to set up another user account. The default option is to run the selected program without permissions to access your documents and settings, just as I said.

      It doesn't work for me, right now. Right clicking gives me options of other user accounts, but no default that I see.

      Of course this does not matter, since almost all users are running an admin account since that is what the Windows installer prompts them to make and no non-techie understands that adding a non-admin user on a single user machine is needed in order to run software pseudo-safely.

    44. Re:Simple risk mitigation by Buran · · Score: 1

      Neither does Windows.

      Yes. But your average Linux user isn't forced to run with root-level privs. Windows blindly forces this and in fact creates the first user account (which is the most many people use) as an admin! OS X and other UNIXes don't do this. You get a non-admin account that can only do root-level things by using sudo.

    45. Re:Simple risk mitigation by cortana · · Score: 1

      You don't see the dialog box at http://www.codeproject.com/tips/runas/runas-shot.png? The 'Protect my computer and data from unauthorized program activity' is what I'm talking about. You do not need to add an additional account.

      More info at http://blogs.msdn.com/aaron_margosis/archive/2004/09/10/227727.aspx.

    46. Re:Simple risk mitigation by 99BottlesOfBeerInMyF · · Score: 1

      You don't see the dialog box...

      The top option is greyed out on my machine.

    47. Re:Simple risk mitigation by cortana · · Score: 1

      Ah, Windows. Every day it finds novel ways to aggravate and frustrate its users.

    48. Re:Simple risk mitigation by jandrese · · Score: 1

      It happens. The NSA has this 200 page book on how to lock systems down. Needless to say, once you're done with all of the lockdown procedures almost nothing works anymore on the box.

      --

      I read the internet for the articles.
    49. Re:Simple risk mitigation by LinuxIsRetarded · · Score: 1
      except for the fact that even VSS needs local admin rights
      This isn't my experience. I have a limited user account and have no problems accessing SourceSafe (I'm using 6.0d). Perhaps you don't have write privileges to the database directory.

      Also, I guess you haven't seen the various applications that I've seen that won't run with "Run As".
      I haven't witnessed this either. Do you have a list?

      Also, giving an office user the ability to use "Run As" kind of defeats the purpose
      You should never need to give the typical office user an administrative account. I've worked in many different environments with office users having a wide array of modern applications that all function properly with limited privileges. There were a few cases where poorly written software attempted to write to a protected directory or registry key, but modifying the ACLs solved the problem. I have still yet to encounter an office application that requires administrative privileges to function.
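
      The ACL fix that theRiallatar and LinuxIsRetarded describe above, as an added PowerShell example (not code from either poster): it grants BUILTIN\Users write access to one application's install folder and its one registry key instead of handing out an Administrator account. ExampleApp, ExampleVendor and both paths are placeholders; run it from an elevated prompt.

```powershell
# Added example (not from the thread). Rather than putting the user in the
# Administrators group, give the Users group write access to just the one
# application's install folder and its one HKLM key. Paths are placeholders.
$InstallDir = 'C:\Program Files\ExampleApp'              # placeholder
$RegKey     = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'  # placeholder
$Principal  = 'BUILTIN\Users'

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    # Modify (read/write/delete below the folder) but not Full Control, so the
    # program cannot rewrite the ACL itself. Inherits to subfolders and files.
    # This half is what "cacls <folder> /E /T /G Users:C" does at the prompt.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryWrite {
    param([string]$Path, [string]$Identity)
    # Only what a settings-writing program needs: read, set values, create subkeys.
    # cacls cannot do this part; the registry needs its own rule type.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Identity, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-Grants {
    # Returns the access rules that now apply to $Identity, for verification.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, RegistryRights
}

Grant-FolderModify  -Path $InstallDir -Identity $Principal
Grant-RegistryWrite -Path $RegKey     -Identity $Principal
Show-Grants -Path $InstallDir -Identity $Principal
Show-Grants -Path $RegKey     -Identity $Principal
```

      Everything outside these two locations (the rest of Program Files, system32, the rest of HKLM) keeps its default read-only ACL for Users, which is the point of the thread.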
    50. Re:Simple risk mitigation by drsmithy · · Score: 1
      True these are called, sane defaults (like no access to the e-mail address book unless you're the pre-installed e-mail client) [...]

      So no mail merge then ?

      [...] and asking the user in plain English and with a good UI when an aberration occurs.

      The problem is they'll still do it.

      "Computers are too stupid" is a cop-out for programmers who don't want to do it right because it is hard and have a monopoly, so giving customers a good product does not matter.

      No, "computers are too stupid" is the *truth*. The reason they're too stupid is because it's pretty much impossible to programmatically detect the difference between "good" and "bad" with any sort of reliability.

    51. Re:Simple risk mitigation by drsmithy · · Score: 1
      It's true that it's (usually) a poorly designed piece of software that needs to run with administrative privileges but it does stem from Windows' history.

      Well, that's true in a kind of academic sense, but Microsoft has been telling people to write non-Admin-friendly software for a good eight years now and had the OS infrastructure to support it.

      I'd have to say applications that only ran in Administrator accounts ceased being something that could be reasonably blamed on Microsoft back around 2000.

      Also, I guess you haven't seen the various applications that I've seen that won't run with "Run As".

      No, actually, I haven't. I sure do hear about them a lot on Slashdot, but I can't say I've ever actually seen one.

      Also, giving an office user the ability to use "Run As" kind of defeats the purpose, [...]

      Indeed it does, but "office users" are not "home desktop users". "Office users" should be in a managed environment and have an IT department capable of setting the appropriate file and Registry ACLs so that those broken applications work *without* having to hand out access to an Administrator account.

    52. Re:Simple risk mitigation by Raideen · · Score: 1

      Interesting.. perhaps it was the version of Visual Source Safe. I have to admit that I didn't spend a lot of time on it. (It was a developer house anyway and they decided that they wanted full admin rights.) I can't list any of the programs that I couldn't get running properly with Run As since I only saw it as part of my experimentation to run Windows 2000 Pro without local admin rights. Obviously it was something that I had that would've included StarCraft/Broodwars, Diablo, Diablo II (with and without the expansion), one of my CBT exams, or something else that I haven't used in ages. I think that problem was with the installation of some programs as opposed to running the applications. I wish I could remember what they were. I still see that problem on occasion but in those cases, I just log in with a user with local admin rights and make sure that it runs without local admin rights. The one program that I never got working properly by modifying the ACLs is WinFax Pro 10. I've gotten every poorly written educational program, inventory system, and accounting system to work without admin rights (among those that I've tried) but WinFax Pro 10 has managed to mystify me. If you have any tips on that, I'm all ears. Of my customer sites that are locked down, I have one that is an office of 40 that has 1 user with local admin rights because of WinFax Pro.

  5. is this really a worm when user interaction is req by Anonymous Coward · · Score: 0

    It seems this is no different than someone sending you
    an executable via smtp and the user clicks on it..

    imagine a person sending you a link in a msg box,
    you click it and another box pops up asking if you
    want to run this program...

    sounds like a silly thing to me that deserves little attention
    from a security standpoint and has more to do with user education.

  6. Good thing it's AIM ... by (54)T-Dub · · Score: 2, Funny

    ... because it's a well known fact that most AOL users have higher than average internet savvy.

    Now I have more reason than ever to install trillian/gaim on newb computers.

    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    1. Re:Good thing it's AIM ... by fr175 · · Score: 3, Funny
      ... because it's a well known fact that most AOL users have higher than average internet savvy.
      Me too!
    2. Re:Good thing it's AIM ... by fr175 · · Score: 2, Interesting
      Now I have more reason than ever to install trillian/gaim on newb computers.
      AOL silliness aside, according to (my understanding of) TFA (and, yes, I am new here), this worm spreads by getting users to run a .com file which is disguised as a .jpg. The .com then infects the user's System32 directory and the magic happens. Wouldn't GAIM and Trillian both be vulnerable to this, if they are running on Win machines?
    3. Re:Good thing it's AIM ... by toleraen · · Score: 1

      You'd still be vulnerable, but you likely wouldn't spam the linked virus to everyone on your list using gaim/trillian. I would assume that the virus is programmed to expect AIM running, and it probably wouldn't interface with other programs. Then again, IANAP.

    4. Re:Good thing it's AIM ... by Anonymous Coward · · Score: 0

      When I click on a .jpg URL, Firefox handles it. Why would Windows let a .jpg fuck me over if I'm not using IE?

    5. Re:Good thing it's AIM ... by Anonymous Coward · · Score: 0

      Windows, by default, hides extensions of files in explorer. It also allows anything with the extension of ".exe" to be executed. Name a file "hotpron.jpg.exe," explorer will hide the extension, leaving "hotpron.jpg," while still executing the file when the user clicks on it.

    6. Re:Good thing it's AIM ... by russ1337 · · Score: 5, Informative
      This worm spreads by getting users to run a .com file which is disguised as a .jpg.
      I was surfing pr0n^H^H^H^H^H the Internet the other night and mining some sites... I saw very clever(?) URL's on a couple of websites... they were along the line of:

      www.dodgywebsite.com/really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com

      Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

      You gotta watch yourself
    7. Re:Good thing it's AIM ... by Anonymous Coward · · Score: 0

      GAIM FTW. Even though in order to connect to MSN I have to run a beta it still kicks ass.

    8. Re:Good thing it's AIM ... by Anonymous Coward · · Score: 0
      What were you doing looking at doggy porn?

      Oh wait, you said dodgy... :-P

    9. Re:Good thing it's AIM ... by OverlordQ · · Score: 2, Informative

      dollars to dohnuts that that is just tracking info for what picture was downloaded where and how much. Keep in mind, just because it says .jpg/foo/bar/baz/quux doesn't mean that there's a picture instead of CGI sitting there returning the content to you

      --
      Your hair look like poop, Bob! - Wanker.
    10. Re:Good thing it's AIM ... by ben+there... · · Score: 1
      Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

      You gotta watch yourself

      Yeah man, check this one out:

      http://images.slashdot.org/slashdotlg.gif?picture.jpg_/session_ID=2383/www.dodgywebsite.com

      Crazy stuff. Don't click it!
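The two URLs quoted above make the same point from opposite directions: in the first, the part that looks like a domain name is really the file name, while in the second the ".jpg" and the "dodgywebsite.com" are query-string decoration on a plain GIF. The following is an added example for this thread, not code from any of the posters or from an actual IM client. It classifies a link by what its final path component claims to be, and approximates what Explorer shows with "Hide extensions for known file types" on; the extension sets are assumptions, and the sample links are constructed from the ones quoted above plus the "hotpron.jpg.exe" case from earlier in the thread.

```python
"""Classify an IM link by what its final path component claims to be.

Added example for this thread, not code from the original posts or from any
AIM client.  EXECUTABLE_EXTS / DECOY_EXTS are assumptions that approximate
what Explorer hides with "Hide extensions for known file types" turned on.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Extensions Windows hands straight to the loader or a script host.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta", "msi", "cpl"}
# Extensions a user reads as "just a picture or document".
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "pdf", "doc"}


def split_link(url: str) -> tuple:
    """Return (host, final path component) for a link, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url          # bare "www.example.test/..." as pasted into IM
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # The query string is NOT part of the name: "x.gif?picture.jpg_/..." is x.gif.
    filename = unquote(posixpath.basename(parts.path))
    return host, filename


def extensions(name: str) -> list:
    """'hotpron.jpg.exe' -> ['jpg', 'exe']; names without a dot give []."""
    pieces = name.lower().split(".")
    return pieces[1:] if len(pieces) > 1 else []


def as_explorer_shows(name: str) -> str:
    """Approximation of Explorer's default: drop the last extension if it is a known type."""
    exts = extensions(name)
    if exts and exts[-1] in EXECUTABLE_EXTS | DECOY_EXTS:
        return name[: -(len(exts[-1]) + 1)]
    return name


def classify(url: str) -> dict:
    """Verdict is 'executable', 'double-extension' or 'ok', judged on the name alone.

    Limit of a name check: a path ending in '.com' may be CGI returning an image,
    and a '.jpg' may be served by a script returning a PE file.  Sniff the bytes too.
    """
    host, filename = split_link(url)
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        decoy = len(exts) > 1 and exts[-2] in DECOY_EXTS
        verdict = "double-extension" if decoy else "executable"
    else:
        verdict = "ok"
    return {"host": host, "filename": filename,
            "shown_as": as_explorer_shows(filename), "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links (from the thread plus one double-extension case).
    for link in (
        "www.dodgywebsite.com/really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com",
        "http://images.slashdot.org/slashdotlg.gif?picture.jpg_/session_ID=2383/www.dodgywebsite.com",
        "http://example.test/hotpron.jpg.exe",
    ):
        print(classify(link))
```

The first link resolves to a file literally named "wwwdodgywebsite.com" (verdict "executable"), the second to "slashdotlg.gif" (verdict "ok"), and the third shows as "hotpron.jpg" while really ending in ".exe" (verdict "double-extension"). Whether the server actually returns code or an image is a separate question that only the bytes can answer.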
  7. Snore.... by Farfnagel · · Score: 0, Troll

    Wake me up when this crap can affect my Linux computer.

  8. Not to Worry by Aqua_boy17 · · Score: 5, Funny

    It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

    --
    What if the Hokey Pokey really is what it's all about?
    1. Re:Not to Worry by revery · · Score: 2, Funny

      It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

      Senator Ted Stevens responds:
      Yes, but you see, the tubes are connected to pipes, and those pipes are connected to larger pipes, and then there are canals, and dams and reservoirs, and other things that are even more complex and convoluted. So you can see by my use of the words "complex" and "convoluted", that it's all terribly complicated. But you are right about one thing: thank God it's not a tube-line attack - I don't know if that's the right word or not - but the tubes, they are the most important part of all the Internets, because that's where we access them, and by "we", I mean me and you.

      Next question?

  9. Damn spotlight! by Anonymous Coward · · Score: 0

    Sometimes I hate Spotlight, I'm trying to find that folder so I can look for unwanted executables but it's coming back with no results. Did the OP spell it correctly?

  10. Why this is important. by AltGrendel · · Score: 1
    You probably understand how this works, but I'm sure you can think of someone in your family that you might want to call and warn about this. Maybe you've told them a thousand times about the dangers of clicking on that link, but do it again anyway. I mean, you love them, right?

    And if you don't guess who they'll call first about how their computer has gotten SLOW again.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:Why this is important. by fotbr · · Score: 1

      My family has figured out that I don't do tech support.

    2. Re:Why this is important. by Rob+T+Firefly · · Score: 1
      Maybe you've told them a thousand times about the dangers of clicking on that link, but do it again anyway. I mean, you love them, right?
      I love them a tiny bit less every time I have to do a PC rescue because "it was from someone who would never send me a virus!"
    3. Re:Why this is important. by protohiro1 · · Score: 1

      With friends and family who ask me for computer advice I have a new policy. When they tell me they are thinking of getting a new computer and ask for advice I always recommend a Mac Mini or Macbook. When they tell me that a dell or something is cheaper I tell them my new policy: no free support for Windows, sorry. (I'm not a mac zealot either...I don't use any macs anymore, but my wife, sister and parents do because of this policy)

      --
      Sig removed because it was obnoxious
    4. Re:Why this is important. by Technician · · Score: 1

      And if you don't guess who they'll call first about how their computer has gotten SLOW again.

      After the second rebuild in 6 months, I put Ubuntu on my kids computer. End of problem. The kids like the uptime.

      --
      The truth shall set you free!
  11. using aim by thedrunkensailor · · Score: 2, Funny

    using aim is like being kicked in the balls

    --
    i support the right to offend.
    1. Re:using aim by Architect_sasyr · · Score: 1

      Oh come on, don't lie on /.

      Being kicked in the balls is simpler and much more enjoyable. PLUS you can tell what the person who is doing the kicking is saying to you without a translation tool...

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
  12. I know who wrote it!!! Desolator144 did!!! by Anonymous Coward · · Score: 0

    Desolator144 wrote it!

    Just make sure you don't have the .Net framework installed, and if you happen to see any worms trying to download it, turn your computer off.

    Of course, he's "The Best Programmer in the World", so we're probably all screwed.

  13. And the lesson is, don't use omnipod, use jabber by spun · · Score: 4, Insightful

    It's free and open source. It's scaleable. It's easy to install and manage. It runs entirely on your own infrastructure so your messages aren't vulnerable to prying eyes and bored sysadmins of some other company. You can set it up to interoperate with any other IM system if you want to. There's a ton of open source clients available. Safe and effective, and keeps people from spending money on crap "solutions" that aren't.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  14. Does it run by Anonymous Coward · · Score: 0

    on Linux?

    1. Re:Does it run by madcow_bg · · Score: 1

      Not yet, but if we keep up the good work of Linus (http://linux.slashdot.org/article.pl?sid=06/04/18/2046203), we'll have it running in no time!

  15. Tubes Dammit! by GillBates0 · · Score: 1
    It's TUBES dammit not PIPES!!11!

    And the definition of Tubeworm probably needs to be rewritten.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  16. Re:And the lesson is, don't use omnipod, use jabbe by d3ac0n · · Score: 1

    Actually, jabber was one of the options I explored. We didn't go with it because omnipod was already in use by one of our larger branches, and it was simpler to just extend the use of the product. No servers to setup, no additional hardware needed, and low licensing costs. Omnipod worked great for us. For others it might not work so great, but it was our best option.

    Oh, and yes, AIM (and YIM, MSN, ICQ and IRC) is blocked at the firewall. Most IM clients are also prevented from being installed by AD policy. I also regularly audit the PC's for unauthorized software.

    Our users do actually get a lot of latitude with their machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.

    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
  17. I love these kinds of attacks by JoeyJoeJo · · Score: 2, Funny

    I'm a student employed by the university to fix students' computers in my dorm building. Everyone will click on these links, some more than once. But why do I love these attacks? The hot chicks that will inevitably click the link. I love this job.

    1. Re:I love these kinds of attacks by Anonymous Coward · · Score: 0

      because 'hot chicks' ALWAYS fall for the geek fixing their computer

      ...i wish

    2. Re:I love these kinds of attacks by JoeyJoeJo · · Score: 3, Funny

      Dear Penthouse, I never thought it would happen to me....

    3. Re:I love these kinds of attacks by Anonymous Coward · · Score: 0
      The hot chicks that will inevitably click the link. I love this job.
      Make sure you port your stream from their webcam to a URL that WE can see... don't hog it!
    4. Re:I love these kinds of attacks by Shadyman · · Score: 1

      I, for one, welcome our new-user chick overlords

    5. Re:I love these kinds of attacks by wakingrufus · · Score: 1

      I did this at my college. You meet lots of chicks that way. They will never sleep with you, but you meet lots of chicks.

    6. Re:I love these kinds of attacks by Anonymous Coward · · Score: 0

      Maybe not with you, but sooner or later one of them will sleep with me.

  18. At least part of the fault is MS' by Kadin2048 · · Score: 1

    Not totally true. Almost all of these exploits revolve around getting the user to click on an executable file which is disguised as something else.

    For example, you take an executable ("TROJAN.COM") and rename it ("FUNNY.JPG") and for reasons that have never been clear to me, the brainiacs at Microsoft designed their OS so that it will execute the latter file when you double-click on it. This seems pretty retardate; clicking on a file shouldn't imply "open or execute," it either means "open," or it means "execute," but rarely does it mean "do either one." Whether the user is trying to open the file or execute it, is pretty easy to determine from context. If the GUI is displaying "JPG" at the end of the file name, it shouldn't be executed -- period. If they really want to execute it, they can change the file name.

    The best solution would just be to make the system to refuse to execute code that's not identified in the filesystem as being an executable, say with the suffix and a special icon. A MacOS-style warning the first time any executable is run would also be helpful.

    On Linux, you could pretty easily create these safeguards using the execute bit, and linking that to a visible flag in the GUI on the file, and by making all files download by default with the execute-bit set off. It still wouldn't prevent PEBKAC vulnerabilities completely (because if people think there are naked pictures of Angelina Jolie inside, they're going to override any warning you give them), but it would be a big improvement.

    At least part of the fault for these exploits lies squarely with Microsoft and the tendency of Windows to coddle users one instant and then throw them to the wolves the next.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:At least part of the fault is MS' by AnyoneEB · · Score: 1

      Minor correction: the file is named "funny.jpg.exe" and Windows by default hides the ".exe" and just shows "funny.jpg". It is properly reacting to the file extension, it just is quite stupidly not displaying it. I disable that on every computer I use, but most people do not even know about that option. Personally, I do not know why such an option would exist.

      --
      Centralization breaks the internet.
    2. Re:At least part of the fault is MS' by drsmithy · · Score: 1
      It is properly reacting to the file extension, it just is quite stupidly not displaying it. I disable that on every computer I use, but most people do not even know about that option. Personally, I do not know why such an option would exist.

      Because to most people, file extensions are meaningless gibberish at best and confusing computer stuff at worst.

    3. Re:At least part of the fault is MS' by AnyoneEB · · Score: 1

      Odd, everyone I know understands that a .jpg is an image. Otherwise the file name would just be "hot p1x.exe" (shown as "hot p1x") not "hot p1x.jpg.exe" (shown as "hot p1x.jpg"). They may not understand exactly what the extensions mean, but seeing the .jpg, to them, confirms that it really is an image.

      --
      Centralization breaks the internet.
  19. AIM threat by allfunandgames · · Score: 0

    Um...This won't affect my Mac one bit :P *yawn* I kinda feel bad for PeeCee users though. Well not really. You get what you pay for. It's just unfortunate that you chose the cheap route. It's kinda like eating at McDonald's and expecting to stay healthy.

    1. Re:AIM threat by thehfctech · · Score: 0

      WOW! And I was just going to say something cool like, "Hey buddy, do us all a favor and get a Mac!" Flaming has reached new levels.

  20. Re:And the lesson is, don't use omnipod, use jabbe by Buran · · Score: 1, Insightful

    Apparently you don't allow people to have social lives. Apparently, you think all your workers need to be mindless drones while at work. Guess what -- people work better when they can let their minds wander a bit when they need to during the day.

    I guess that's against corporate policy, too, then, since it's quite possible to block file transfers while still allowing people to socialize.

    But then, it's so much easier to use "security" as an excuse to clamp down on imagined "productivity threats".

  21. Re:And the lesson is, don't use omnipod, use jabbe by spun · · Score: 1

    Well, in your case it makes sense to use omnipod, if a large part of your company is already using it. I guess it would also make sense for firms that don't have the time, inclination, or technical know-how to do it themselves. I'm not that much of an open-source zealot that I can't see there is a place for other solutions. I just finished setting up jabber where I work, so I'm kinda on a jabber kick is all. Instant messaging is really a great thing for business. Many times people have a really quick question that doesn't warrant a phone call but email would take too long. IM is perfect. After setting it up here, everyone I've talked to says they use it on a daily, if not hourly basis.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  22. Too much like Battlestar Galactica? by Anonymous Coward · · Score: 0

    These types of stories make me think of the new Battlestar Galactica. One "infection" in the wrong place, and everything important gets taken over. Unfortunately, we don't need to be seduced by a hot blonde, just a link to something that we find interesting from somebody we think we can trust. You have to wonder if the real world result might be the same as the show......

  23. Re:And the lesson is, don't use omnipod, use jabbe by 99BottlesOfBeerInMyF · · Score: 4, Interesting

    Our users do actually get a lot of latitude with their machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.

    Having worked at a number of programming shops, that doesn't sound like a lot of latitude to me. If you can't install arbitrary software because of an AD policy and you audit people's machines it sounds like a very authoritarian place that does not trust the workers very much. Here we get a choice of computer brand (1 of 3), laptop or tower, any OS we want, and any software we feel like. We're also responsible for keeping our machines moderately secure. We have internal IRC servers and any IM we want is fine. Shop talk is encrypted by policy, either over Jabber or on top of a public network like AIM.

    I think it is pretty darn useful. I have a lot of friends and colleagues on both of the aforementioned IM networks who I regularly consult and vice versa. This provides me with an additional resource as well as makes for a more relaxed atmosphere, like when I want to see if my girlfriend wants to meet me for lunch, or just want to chat with old college buddies. I think the fact that my company trusts me is a lot more valuable than tight security policies. Most serious compromises come from within. Because they trust me I'm happier and I'm also a lot less likely to sell them out. Contrary to what you may have heard, studies show the most effective motivation for not exploiting an employer is not fear of punishment or being fired or jail, but an ethical desire to not hurt those who trust you. If your company does not trust you (audits, arbitrary restrictions) then that motivation is removed.

  24. oldversion.com by Anonymous Coward · · Score: 0

    You must've not heard of http://www.oldversion.com./ I use version 5.1.3036 myself.

    1. Re:oldversion.com by thedrunkensailor · · Score: 1

      Hmm? You actually use AOL-licensed software (albeit "old" versions)? If you're going to do it at least use GAIM, you heretic.

      --
      i support the right to offend.
  25. Solutions by Beryllium+Sphere(tm) · · Score: 3, Informative

    Within the reach of a normal person, shift-right-click and Run As... will get you temporary and per-process administrator privileges without the insanity of running Internet Explorer as root.

    Within the reach of an expert, RegMon and FileMon can point you to the isolated places where changing ACLs will allow the stupid program to run. The most frequent bug is for a program to try to write to one or a few protected locations.

    1. Re:Solutions by Raideen · · Score: 1

      Normal: There are programs that will not run properly using "Run As". Also, you lose access to network resources (drive mappings and printers in the local profile) that way. Also, giving regular users the ability to run things as an administrator doesn't keep them from willingly installing junk on their computers. Users at home should obviously be able to install software when needed, however "Run As" doesn't really work as advertised, which is the problem. Being able to install software as a regular user (by providing an admin level password) would also be nice. Temporarily elevating privileges while retaining ownership would prevent the problems with programs that want to write data to where they're installed. It's really the fault of the software that's still being written to Win95 standards. They've had years to fix such problems but I still see new releases of software that says "administrative privileges are required to run this software."

      Expert: I've used RegMon and FileMon to fix issues with poorly designed software. (Why is educational software among the worst offenders?) A lot of business software does work properly without being a local admin so I've been able to set up new business computers without giving users local admin rights. Sometimes, there is still that piece of legacy software that won't run properly even if you give full control to the file system and to HKEY_LOCAL_MACHINE. It has to do with the internals of Windows so the only thing that you can do is give the users local admin rights. Again, properly engineered software would fix this, but that doesn't help the legacy situation.

  26. Ubuntu actually kind of has this by michaelwigle · · Score: 1

    I don't know all the file types this does and doesn't work for but I know that if the execute bit is turned on for an open office document I get the following message:
    "Do you want to run "Daily notes and messages.doc", or display its contents?" - "Daily notes and messages.doc" is an executable text file.
    Quite handy. I just click on "Display" instead of "Run" and it's all good. Even with PEBKAC the user wants their pr0n "displayed" and they might hit the right button. If the execute bit is off then it just opens in OOo. This doesn't work for all files (I tried with a gif and it opened without prompting about executing) so I don't know how much protection this affords but it's in the right direction at least.
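Comment 18 above argues that the filesystem, not the file name, should say whether something is executable, and that downloads should arrive with the execute bit off; this comment shows the "run or display?" prompt that results when the bit is set anyway. The following is an added example that combines both ideas, written for this thread rather than taken from Ubuntu, GNOME or any of the posters: it saves a download with every execute bit stripped, then decides what to do on a click by sniffing the leading bytes instead of trusting the extension. The magic-number table, the three-way policy and the sample files built in demo() are all constructed for the example, and the execute-bit logic assumes a POSIX filesystem.

```python
"""Save a download non-executable, then decide display / ask / refuse by content.

Added example for this thread; not code from Ubuntu, GNOME or the original
posts.  Assumes a POSIX filesystem for the mode bits.
"""
import os
import stat
import tempfile

# (leading bytes, kind).  A genuine 16-bit DOS .com has no header at all,
# so "unknown" content is never treated as known-safe.
MAGIC = [
    (b"MZ", "pe"),                 # Windows PE/DOS image (the worm's ".com" is one)
    (b"\x7fELF", "elf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# What the decoy extensions used by these worms promise the content to be.
PROMISED = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png"}


def sniff(head: bytes) -> str:
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def save_download(data: bytes, directory: str, name: str) -> str:
    """Write the file and strip every execute bit, whatever the name says."""
    path = os.path.join(directory, os.path.basename(name))
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)  # 0644
    return path


def executable_bit_set(path: str) -> bool:
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o111)


def open_policy(path: str) -> str:
    """Return 'display', 'ask' or 'refuse' for a file the user just clicked."""
    with open(path, "rb") as f:
        head = f.read(16)
    kind = sniff(head)
    base = os.path.basename(path)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if kind in ("pe", "elf"):
        return "refuse"     # native code never runs by accident; chmod +x is the deliberate step
    if ext in PROMISED and PROMISED[ext] != kind:
        return "ask"        # name and content disagree: show the user, don't guess
    if executable_bit_set(path):
        return "ask"        # the "run or display?" prompt from the post above
    return "display"


def demo() -> dict:
    """Constructed sample files (not real downloads); returns name -> policy."""
    samples = {
        "funny.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # genuine JPEG header
        "funny2.jpg": b"MZ\x90\x00" + b"\x00" * 60,        # PE image renamed to .jpg
        "hot.jpg": b"GIF89a" + b"\x00" * 20,               # a GIF claiming to be a JPEG
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,          # honestly named native code
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            results[name] = open_policy(save_download(data, d, name))
        # The Ubuntu case: an ordinary document that somehow acquired +x.
        path = save_download(samples["funny.jpg"], d, "notes.jpg")
        os.chmod(path, 0o755)
        results["notes.jpg (+x)"] = open_policy(path)
    return results


if __name__ == "__main__":
    for name, policy in demo().items():
        print(f"{name:16} -> {policy}")
```

Only the genuine JPEG with a clean mode is displayed outright; the renamed PE image is refused on content alone, the GIF-as-JPEG and the +x document both get the prompt. Note the asymmetry this deliberately keeps: refusing is cheap when the header is unmistakable native code, but an unrecognised header is not proof of safety, so it falls through to the weaker checks rather than being promoted to "display".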

  27. When you go through several cartons a week... by zstlaw · · Score: 1

    Being their pastor / guidance counselor might make the situation awkward. We often have unrealistic expectations that these people will remain pure in thought. Also going through several cases a week during sex-education seminars might give a bad impression.

    (I am not a pastor/counselor but a close relative ran an STD clinic that went through a couple cases a week. A bit awkward at times, especially in the bible belt. As a female people assume that you are a prostitute if you buy in that kind of bulk.)

  28. And Still by Beefslaya · · Score: 1

    Microsoft insists that Users should have access to key system files...to maintain functionality.
    ugh..

    1. Re:And Still by Anonymous Coward · · Score: 0

      No...MS doesn't insist that. They actually insist that users SHOULD NOT be using the Admin account, therefore no access to key system files.

  29. fuckers stole my system32 folder by quonsar · · Score: 2, Funny

    lessee... /, bin, boot, debootstrap, dev, etc, home, initrd, lib, media, mnt, opt, proc, root, sbin, srv, sys, tmp, usr, var - nope, it's GONE!

    1. Re:fuckers stole my system32 folder by giorgosts · · Score: 1

      Oh, there it is, /usr/lib/win32

    2. Re:fuckers stole my system32 folder by Rysc · · Score: 1

      /opt is for losers!

      --
      I want my Cowboyneal
  30. The question I shouldn't ask was by towsonu2003 · · Score: 1

    do the viruses run on linux? or should we file a bug report for that?

  31. Eh? by carrier+lost · · Score: 0, Redundant

    you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder.

    I've looked everywhere - is the system32 folder in /etc or /usr/local? :)

    MjM

    1. Re:Eh? by Mattintosh · · Score: 1

      It's in /dev/null where it belongs.

  32. uuddlrlrba by Deanalator · · Score: 1

    Boyd likened the technique to the fight combos common in martial arts video games.

    Now all we need is a nice graphical interface and a joystick control system, and the fun can really begin :-)

  33. OS specific then by smoker2 · · Score: 1
    At a bare minimum, you will become a Botnet Zombie -- if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks.
    What if you don't run DOS (or any derivatives)?

    Ha ha, it's a joke. I set up a linux box for my sister's kids to use, and kept an eye on the logs. One of the first things they tried to install was AIM. Ooops, too bad. Some kind ***soul was even trying to help them to do it while chatting through GAIM. Which is kind of funny as there is a plugin for AIM in GAIM.

  34. Easy way around any AIM worm by nascarguy27 · · Score: 1

    Don't click on any links in AIM unless you asked for the link yourself. Then check the link and make sure it is from a trusted domain name. I think I'm telling the wrong crowd though. /. users should know this.

    --
    Funny createSig(Witty remark, Odd reference)
    {
    return (Funny)remark + (Funny)reference;
    }
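"Check the link and make sure it is from a trusted domain name" is easy to get wrong if it is done as a substring search, as the joke URL earlier in the thread shows: "www.dodgywebsite.com" appears inside a perfectly good slashdot.org link, and the reverse trick (a trusted name appearing inside a hostile link) is just as easy. The following is an added example for this thread, not code from any IM client; the allowlist is an assumed, illustrative one. The host is taken from the URL parser, never from the text, and a trusted name must be the host itself or a real subdomain of it.

```python
"""Decide whether a link's host is one you trust.

Added example for this thread, not code from any IM client.  TRUSTED is an
assumed allowlist chosen to match the sample links.
"""
from urllib.parse import urlsplit

TRUSTED = {"slashdot.org", "images.slashdot.org"}   # assumed allowlist


def host_of(url: str) -> str:
    """The host the client will actually connect to: lower case, no port, no userinfo."""
    if "://" not in url:
        url = "http://" + url                        # bare link as pasted into IM
    # .hostname already lower-cases, drops ":port" and drops "user@".
    return (urlsplit(url).hostname or "").rstrip(".")


def is_trusted_host(host: str, allowlist=TRUSTED) -> bool:
    """Exact match or a real subdomain; 'slashdot.org.dodgywebsite.com' must not pass."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a)
               for a in (x.lower() for x in allowlist))


def link_is_trusted(url: str, allowlist=TRUSTED) -> bool:
    return is_trusted_host(host_of(url), allowlist)


if __name__ == "__main__":
    # Constructed sample links: the two from the thread plus common spoofing shapes.
    for link in (
        "http://images.slashdot.org/slashdotlg.gif?picture.jpg_/session_ID=2383/www.dodgywebsite.com",
        "www.dodgywebsite.com/really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com",
        "http://images.slashdot.org@www.dodgywebsite.com/pic.jpg",   # userinfo trick
        "http://www.dodgywebsite.com/images.slashdot.org/pic.jpg",   # trusted name in the path
        "http://slashdot.org.dodgywebsite.com/",                     # trusted name as a prefix
        "http://SLASHDOT.ORG:8080/article.pl",                       # case and port are noise
    ):
        print(f"{link_is_trusted(link)!s:5}  {host_of(link):28}  {link}")
```

Of the six, only the first and last are trusted. The userinfo form is the one a substring check is most likely to pass and a browser is most likely to follow, since everything before the "@" is simply credentials for www.dodgywebsite.com.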
    1. Re:Easy way around any AIM worm by Sloppy · · Score: 1

      A better way around it is to not run AIM, and instead, run an app where it's always safe to click on things, because the programmer decided that messenger apps do not need to also function as program launchers.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  35. firefox/trillian by Anonymous Coward · · Score: 0

    Doesn't firefox prevent install on demand? and I mean trillian instead of aim...

  36. Re:And the lesson is, don't use omnipod, use jabbe by dballanc · · Score: 1

    Social lives, mind wandering = not at work.

    I'd welcome my employees to take 30min off for a walk, take a nap, whatever. A break will help productivity. This doesn't include chatting through a typical messenger client, or taking more than about 5 or 6 personal calls each day. Work isn't the place for socializing with anything other than fellow employees. Do that on your own time.

  37. Re:And the lesson is, don't use omnipod, use jabbe by Buran · · Score: 2, Interesting

    Social lives, mind wandering = not at work.

    Funny, I thought that when I was sitting at my desk, I was at work. What I'm actually doing at my desk has nothing to do with whether or not I am at work.

    Oh, and by the way, open your eyes and read this:

    What's Next: Stupid Productivity Tricks

    You say you don't care if people walk around for a bit? Eat your words:

    "recreational Web surfing has become a kind of mental floss for workers who spend their days sucking in a stream of work-related data that now comes in at a firehose pace--it's the information age equivalent of a walk around the block."

  38. Easy (free) Live filesystem for recovery?? by RobertLTux · · Score: 1

    Does anybody have a suggestion on a *nix based livefilesystem that can be used to clean up after this mess
    (drill would be yank the net cable shutdown the system and reboot using a Rom)

    it of course would need proper NTFS support and an antivirus/anti#deleted#ware program and a way to update the pattern files (kind of like Puppy Multisession)

    send suggestions to name at googles mail domain

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
  39. Re:Studies by xiang+shui · · Score: 1

    I would love to read these studies you speak of.

  40. But WHICH keyboard and chair? by Sloppy · · Score: 2, Insightful
    Seems to me that the main problem is between the keyboard and the chair.

    Yes, at some developer's desk.

    Some brilliant programmer asked: What if the user of my messenger application, clicks on something? And his answer was: well, if it's a URL, download the file. [Ok, so far, so good. A little risky, but not totally stupid at first glance.]

    Then the followup question was: what if the file turns out to be an executable program? And his answer was: execute it, of course! Oh, and with the same privileges as the user.

    ?!?! A problem between keyboard and chair, indeed.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:But WHICH keyboard and chair? by Fred_A · · Score: 1

      For the (apparently) few of us that haven't ever used AIM, are you saying that like the email clients of old, the IM client automagically executes any program it downloads ?

      If that's it, it's indeed completely braindead and whoever wrote it should be taken out and shot.

      OTOH, it has been shown time and time again that most IM users are more than willing to download EatMyC0mpu7eR.exe and click on it all by themselves...

      --

      May contain traces of nut.
      Made from the freshest electrons.
  41. Use one of Linux's lightweight containers. by Anonymous Coward · · Score: 0

    It's not particularly easy at this point, but any experienced Linux geek should be able to figure it out in an evening. Use a lightweight VM.

    Not like Xen or VMware, but a lightweight container virtualization system like Linux-jail, Vserver, or OpenVZ.

    1. So setup a chroot jail or one of those OpenVZ or whatnot.
    http://www.gentoo.org/doc/en/vserver-howto.xml for example.

    2. Install Debian Testing via Debootstrap. A minimal install is about 250 megs or so. You can reduce it further.
    Here is how to install Debian from any Linux distro; this guide is for AMD64 in particular, but it'll be about the same for any supported arch.
    http://d-i.alioth.debian.org/manual/en.amd64/apds03.html

    2b. If you want a 'deleteable' setup use UnionFS (a la Knoppix) to set up a read-only file system and then a layered rw file system over that. Set up everything on the read-only portion how you like it, then just purge the rw version periodically.
    http://www.am-utils.org/project-unionfs.html

    3. Install all your favorite apps and such that you use to interact with the internet, browser, email, IM, etc in your deb install.

    4. Start up the VM container, set up ssh keys so you can ssh in without a password (but obviously you don't want to be able to ssh back out without a password).

    4b. Set up a shared folder like ~/Downloads so you can access files from your container outside of that container. Maybe use mount --bind to do that.

    5. Run your internet-accessing applications from an ssh session in an xterm, or from scripts from application launchers.

    The worst a hacker could do would be to take over that VM and maybe set up a file server or whatnot as a user, or maybe issue a fork bomb to try to DOS your system. A purge of the 'rw portion' will fix that.
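
    The recipe above (steps 2 through 4b and the periodic purge), written out as a script. This is an added example, not the commenter's own code. It assumes the unionfs mount syntax "dirs=<rw>=rw:<ro>=ro", a Debian mirror URL, a container user named "user", and hypothetical paths under /srv/sandbox; DRY_RUN=1 prints the privileged commands instead of running them, which is also how the helper can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original comment: read-only base layer,
# throwaway rw layer, shared ~/Downloads, and the purge step.
# Assumed: unionfs's "dirs=<rw>=rw:<ro>=ro" mount option, a Debian mirror
# URL, and that the container's user is named "user". DRY_RUN=1 prints the
# privileged commands instead of executing them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 2: minimal Debian into the layer that will later be mounted read-only.
install_base() {
    ro_layer="$1"
    run debootstrap --variant=minbase --arch=amd64 testing "$ro_layer" \
        http://deb.debian.org/debian
}

# Step 2b: union a throwaway rw layer over the read-only base so that every
# change the sandboxed apps make can be discarded later.
mount_union() {
    rw_layer="$1"; ro_layer="$2"; root="$3"
    mkdir -p "$rw_layer" "$root"
    run mount -t unionfs -o "dirs=$rw_layer=rw:$ro_layer=ro" unionfs "$root"
}

# Step 4b: bind ~/Downloads into the container. Caveat the comment does not
# mention: remount it nosuid,nodev,noexec so a binary dropped there by a
# compromised IM client is not directly executable and cannot carry setuid
# bits across the boundary.
mount_shared() {
    shared="$1"; root="$2"
    target="$root/home/user/Downloads"
    mkdir -p "$shared" "$target"
    run mount --bind "$shared" "$target"
    run mount -o remount,bind,nosuid,nodev,noexec "$target"
}

# The periodic "purge of the rw portion": wipe the layer and recreate it
# empty. Refuses to run while the layer is still part of a live union
# mount, since deleting underneath a mounted unionfs leaves it inconsistent.
purge_rw_layer() {
    rw_layer="$1"
    if grep -qs "dirs=$rw_layer=rw" /proc/mounts; then
        echo "purge_rw_layer: $rw_layer is still mounted; unmount first" >&2
        return 1
    fi
    rm -rf "$rw_layer"
    mkdir -p "$rw_layer"
}

# Number of files and directories below a path (used to confirm a purge).
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# Typical use (as root, after install_base has run once):
#   mount_union  /srv/sandbox/rw /srv/sandbox/ro /srv/sandbox/root
#   mount_shared "$HOME/Downloads" /srv/sandbox/root
#   ... later:  umount /srv/sandbox/root && purge_rw_layer /srv/sandbox/rw
```

    Everything the IM client, browser or mailer writes lands in the rw layer, so a purge after an infection returns the container to the state you configured in the read-only layer; only what you deliberately copied out through ~/Downloads survives, and that directory is mounted so nothing in it can be executed in place.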

  42. Re:And the lesson is, don't use omnipod, use jabbe by Anonymous Coward · · Score: 0
    It runs entirely on your own infrastructure so your messages aren't vulnerable to prying eyes and bored sysadmins of some other company.
    For the record, Omnipod uses SSL3/TLS encryption, so bored sysadmins can't read the traffic even if they wanted to.
  43. This rings a bell by Bostik · · Score: 2, Informative

    From the article: What's smart about this attack is that it doesn't matter if you get a file "out of step" - if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one - the hackers will make sure you get your fill of infection files!

    The basic idea of using multiple, completely unrelated vulnerabilities and attacks to achieve total control is not exactly that new. In fact, the ideas that feel so obvious to us today were quite novel back in the turn of the century. Michael Zalewski described a worm prototype that worked in somewhat similar manner more than six years ago.

    On the occasions that I get to give lectures about computer security, I try to illustrate these very ideas. The rule #1: There are no local exploits; all vulnerabilities are remote, some may just require a piggy-back step of first delivering extra code via other holes.

    --
    There is no such thing as good luck. There is only misfortune and its occasional absence.
  44. Didn't pass the filter by Phaid · · Score: 1

    A quick glance at the headline and stuff like this stands out: At a bare minimum, you will become a Botnet Zombie -- if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Excessive use of capitalized jargon like that always indicates that it's going to be a nothing story, and sure enough, that's exactly what it is. Although, if you think the fact that your PC can be compromised by something you download on purpose is news, you're probably the right target audience for this story.

  45. Re:Studies by 99BottlesOfBeerInMyF · · Score: 1

    I would love to read these studies you speak of.

    Do some research on corporate psychology, particularly on motivation, and you'll find plenty of research. There are several good books out. Or, for quick and dirty statistics for the layman, pick up the book "Freakonomics" and read the chapter on honesty in the workplace. It will take you all of five minutes and give you the basic concepts.

  46. Free Stuff!! by 074326 · · Score: 1

    Hey, on the bright side, you get to spam your contacts without even trying! And you get new things installed everyday! :p

  47. Re:Studies by xiang+shui · · Score: 1

    Cool, thanks.

  48. AIM Pipeline Worm by pk075842 · · Score: 1

    Make sure to install the needed and invulnerable software to prevent attackers from attacking our PC.