Slashdot Mirror
Top Viruses, Worms and Malware in 2006
An anonymous reader writes "HNS is running an article with a list of those malicious codes which, although they may not have caused serious epidemics, stood out in one way or another. Some of the categories are: the biggest snooper, the most moralistic, the worst job applicant and the most tenacious. From the article: 'The most competitive. Once the Popuper spyware has installed itself on a computer, it runs a pirate version of a well-known antivirus application. Far from trying to do the user a favour, it is actually trying to eliminate any possible rival from the computer. It seems that the fight for supremacy has also reached the world of Internet threats.'"
From TFA:
-The most promiscuous. This title goes without doubt to Gatt.A. This malicious code can infect any platform that it is run on: Windows, Linux, etc.
Syllable 0.62 is here at last!!!
Cleansing home PCs, I've seen some of the more exotic exploits become commonplace, including:
.DLL as a print monitor; .DLL, registered in a CLSID key, warning of SPYWARE!!! from the system tray; .DLL's.
Direct Revenue hiding its core
one lone
launching executables from Group Policy subkeys;
populating subkeys of Winolgon\Notify with self-renaming
Hiding malware so it launches before Explorer (and even before the antivirus app) is sneaky, underhanded, and ensures a steady stream of income so I don't need to get an actual job. Editing the Registry hives from WinPE is the only cost-effective way to remove many of these things, and Suzy Homeuser wull never be ready for that.
So here's to you, scumbag malware writers... and here's to Microsoft for leaving soooo many ways to launch your malware: Thanks for paying my mortgage. Without security holes, and the slimeballs who exploit them, I'd be back selling auto parts.
Apparently it only works properly on Windows... http://www.pandasoftware.com/com/virus_info/encycl opedia/overview.aspx?lst=det&idvirus=122900&sitepa nda=particulares
:wq
Well, you see, there are viruses for linux. However, they don't spread a lot (because if someone uses linux, he has enough knowledge not to open an attachment/install an unknown file.)
And well, saying that WIndows is bad because almost all viruses are designed for them is like saying that houses are bad, because thieves might try to break in...
That's all I got so far.
By your logic we should be seeing dozens of "FIRST VIRUS ON WINDOWS" headlines per year.
- These characters were randomly selected.
Well, that's only part of the truth. There are three reasons why Linux viruses don't get around like Windows viruses; better security, lower population (also encompasses the lack of monoculture in network applications), and more careful users. And none of those reasons is the "real reason", they work in combination with each other to make the difference really really big.
No, Windows is a target because it is widely used and vulnerable.
Windows is bad because there are so many obscure ways to hide malware and restart it on subsequent boots.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Bad analogy. This is more like saying that your wooden house is bad, since it's very susceptible to fire.
My stone house, on the other hand, is not very susceptible to fire. That means it's better.
*Notice that I'm convienently ignoring how difficult it is to run anything through the walls, compared to that wooden house, in addition to how cold the stones get during the winter (and the subsequent lack of insulation), etc.*
Well, the GP said the spyware "monitors whether users access certain web pages with pornographic content". Sexual matters being involved, the expression "voyeuristic tendencies" is appropriate. If I want to know what kind of motor my neighbor has in her car, I'm being "curious", if I want to know what kind of panties she's wearing, then I'm a "voyeur".
It sure seems to have come down to a matter of simple denial with the Windows platform. Vista has barely been released yet, and there are exploits[0] out for it. How can anyone claim to be concerned about system integrity[1] *and* be a windows advocate at the same time? It is a blatant contradiction. There are so many different alternatives with a better overall design that it makes no sense to run Windows unless you have been locked-in to the platform. If you are not yet locked-in, it seems Vista will help you with that[2].
c urity+lacking1 2214
[0] http://www.google.com/search?hl=en&q=vista+virus
[1] http://www.google.com/search?hl=en&lr=&q=vista+se
[2] http://it.slashdot.org/article.pl?sid=06/11/16/01
boycott slashdot February 10th - 17th check out: altSlashdot.org
The time is ripe for a beneficial virus, one that does no harm to the host computer, but acts as a keylogger that will play a very loud annoying buzing noise and kill all open apps if the user types: "misa campo", "made of win", "internets", "begs the question", or any other word or phrase from a list of current phrases used by morons.
The severity of the virus, the spread of the virus, and the stupidity of the users necessary for the the first two.
The few viruses (they were actually non self-replicating trojans -- most were modified versions of Opener) that affected people on rumour forums required people to give the trojan/script admin (sudo) privileges. I'm sorry, but no matter what OS you're on, giving a virus sudo means game over.
The real litigious bastards...
That bit of malware is installed on users machines without their knowledge of what it really means.
It may monitor what you are up to, We don't really know yet.
It may pop a message onto your computer suggesting that you go to a certain website and pay money to some questionable organisation.
A new version is reputed to disable your computer if you do not submit to its blackmail...
I'll see your Constitution and raise you a Queen.
"I notice there's no mention of ANY of the Apple viruses/worms or malware out there"
. shtml
Where are the reports of thousands of OS X desktops being compromised and bank accounts being emptied.
http://www.macobserver.com/editorial/2003/08/29.1
was Re:A bit of bias from the press?
davecb5620@gmail.com
I see a lot of machines with multiple infestations, but I rarely rebuild 'em.
.DLLs (hint: sort the list by Manufacturer)
My usual algorighm:
Start up in Safe Mode
Use AutoRuns.exe to identify most of the offenders; delete those that don't self-reinstall
Open IE and then System Information; look at Loaded Modules to find the vx2
Boot to Windows PE; back up and load the Software and System hives & clean them up; do the same with the user hive(s)
Boot into Windows and check for stragglers.
Lots of fun, especially for $1.25/minute.
"The first time someone's running as root and downloads an untrustworthy file..."
.44 one by one.
But that's not really an issue is it? What Linux distribution has the default user as Root these days? In fact, it's more difficult to run as root in some distributions instead of as a normal user, in that the "root account" is never enabled. Attempt to login to (X,K,Ed)Ubuntu as root at the login screen and it won't work.
How to get a Windows computer infected:
Connect to the 'net without a firewall or run IE and visit a bad page. Or, run OE (interesting that Outlook Express has the same initials as "Operator Error") for your mail. Or run p2p software and download a "song" that doesn't play (but is instead an executable file). In fact, I've got a friend whose daughter did exactly the latter, and I'm going to fix it after the weekend. I beginning to think that these days, that's the most common vector of infection, as I see it time and time again.
Windows gives execute permission based on the file name extension. For this utterly stupid idea held over from the frickin' CP/M days, users are being hosed left, right, up, and down. This bogosity should have died with Windows 3.1 or at least after Bill Gates discovered the 'net and put out Win98. However, the concept is still with us in Vista, so techs everwhere are going to be guaranteed a paycheck for at least the next 5 years.
How to infect a Unix or Linux machine:
Automatically through mail? Impossible to do without user interaction, since everything that comes down the pipe doesn't have the execute bits turned on. Anyone who writes an MUA that does that autmatically will be taken out back and hit with the clue bat.
Visit a web page? There's no such thing as a drive-by install. The user has to download the file and manually set the execute bits high again, through chmod or by right-clicking on the file.
Use p2p? Everything downloaded has no execute bit. What data file _ever_ deserves an execute bit? Indeed, I have yet to ever receive a file from the wire that has execute bits turned on except when they're contained within an installation package, and for that to work, I need to pause and use root permission if it's an install for the whole machine and I still have to unpack it even if it's going in my home directory.
In fact, the simple act of user interaction, even if it's the typing of the current user's password (OS/X) prevents a whole lot of evil. It's that short pause that gives the user the chance to _think_, if even for half a second, and say _no_ to random malware. If you're a malware writer and you give your victims the chance to think, your bit of evil goes nowhere. There are only so many times that people are going to install a fucking purple gorilla.
This ignores the population that will run silly "cupholder" executables and trojan filled "free screensavers," at every opportunity whether in Linux, Unix, or Windows, but then real stupidity trumps artificial intelligence every time. You can only do so much if a user is determined to blow each toe off his foot with a
If this means that Unix and Linux are more difficult, (as if typing the current user's password is complex) so bloody what? It's damn inconvenient when a computer gets infected, isn't it?
--
BMO
"Yeah, sure, millions of them.
I read this lie for many years and never seen any true virus for Linux"
Hear hear!
I have to expound on this a little.
One of the reasons that the Windows apologists say that Linux has poor virus propagation is because of the geek ratio, and that Linux geeks "know what they're doing."
Well, let's take a look at OS/X. OS/X has a higher population of non-geeks that just want to get things done. Indeed, it's got the highest ratio of fashion conscious and arty-types of any user population. Yet OS/X has the same amount of viruses as Linux in the wild (none). It's not because of popularity. It's not about technical experience of the users.
It's about design. Out of the box, OS/X, Linux, Solaris, BSD are all more secure and orders of magnitude easier to keep secure. Windows apologists who ignore that are simply lying.
--
BMO
They say that Gatt.A can infect any platform like "omg noes Linux and Mac!" but according to http://www.pandasoftware.com/virus_info/encycloped ia/overview.aspx?IdVirus=122900&sind=0 the IDA (which it exploits) is present on multiple platforms, but there are other things about windows that made the virus function.
I don't know about everyone else, but this damages the credibility of the article for me.
How to infect a Unix or Linux machine:
Automatically through mail? Impossible to do without user interaction, since everything that comes down the pipe doesn't have the execute bits turned on. Anyone who writes an MUA that does that autmatically will be taken out back and hit with the clue bat.
Unless there's a bug in your libpng implementation, and your MUA automatically displays images.
Coming soon - pyrogyra
For anyone who wants to see the original article, which is without ads, and with links, there's always the original site:
Panda Software Virus Yearbook 2006
"I just use my Dell."
When I was the alpha geek on a four-geek Help Desk, we had to ask each caller for the computer name (we later used bginfo for that). We would ring a bell every time we got the answer "Dell," then patiently explain that the computer is a Dell, but the computer has a name on the network, and we need to figure out what that is...
one woman interrupted me: "Trinitron?"
I slapped the mute switch just in time, and ROTFLMAO.
"I don't see why privilege separation should help. There is no need to run that spambot as root."
.profile? How do you hide it? Unless you're root, you can't modify logs, netstat, or ps. And once you've got root privs, it's stupid to run the bot in userland anyway. So you're wrong. Priv separation matters.
Because if a spambot is running as an ordinary user, it's ridiculously easy to kill and remove. A userland spambot is next to useless, because it will have a very short life. Where does it get launched? In
Fer crissakes, I can run Bagle in Wine, but then all I have to do is kill the process, which doesn't hide from me like it does in Windows. Poof. Gone.
But it's not just privelege separation alone, it's combined with the fact that stuff imported into a system from outside doesn't have _execute_ permission in the first place. Windows attaches execute permission to files because they have the supposed correct extension, and this sin is doubled because _windows hides file extensions by default_ so as to "not confuse the user".
I'm sorry, but that is just stupid.
Explain to me why it's beneficial to the user to hide extensions, to hide processes, and to hide files with attributes instead of simply putting a dot before the filename? EXPLAIN TO ME WHY AN OUTDATED CONCEPT FROM CP/M RESIDES IN WINDOWS? WHY DETERMINE THAT A FILE IS A PROGRAM SIMPLY BECAUSE IT ENDS IN THREE MAGIC LETTERS LIKE 'COM' OR 'EXE' OR THE REST OF THE EXECUTABLE FILE EXTENSIONS, OF WHICH THERE ARE TOO MANY?
Gah...
Whatever. Vista will continue to use filename extensions to determine executability, so Windows users are hosed for yet another 5 or so years until Microsoft gets its freakin' act together, if ever.
The security biggies:
1. Privelege separation
2. Frugal execute permissions.
3. User interaction in granting executability and privelege escalation.
4. No hidden processes.
You cannot have security until you have all four. If you give execute permission willy-nilly, a file that shouldn't have execution turned on can exploit a buffer overflow and now you've got privelege escalation and a process that can hide itself. If you take away user interaction, you have drive-by installs, as seen all over the Windows world. If you take away privelege separation, everyone is administrator, and we've seen where that's gotten us. If you hide processes, like is done in Windows easily, how do you even know if a bit of malware is running or not? Indeed, since Microsoft has bent over for the entertainment industry, we'll be seeing more Windows rootkits because they'll be using the same hooks that DRM uses to hide itself from the user and system administrator. Good luck with that.
Windows has done a piss poor job of implementing security in any shape or form. It's about time Microsoft got off its collective ass and done something responsible instead of shoring up its dubious hegemony.
--
BMO