Another Windows Macro Virus Wreaks Havoc
mbruns wrote in to send us a CNN Story and a Symantec bit about a new Melissa-esque virus that alters users' win.ini and deletes files. Of course, only people who use that "Other" OS are at risk.
Yet another example to demonstrate that closed code can never be trusted.
Doesn't ecology say that nature abhors a lack of diversity?
--Just coverin' my tush as an AC.
I have read, however, that viruses can in fact be written for UNIX platforms, and have actually read a ten-line example script to show how it could be done.
I've got a two line script virus for you. Run it as root to get the full effect.
#!/bin/sh
/bin/rm -rf /
It could barely be termed a virus...it's a trojan horse. And for anyone so silly as to think Linux or any other OS isn't as vulnerable: Pull your head out of the hole. It just happens to be that for anti-social nutcases the Windows market is the most luring victim base.
That's not a "little macro stuff." It uses MAPI (messaging API) so it doesn't only affect Outlook like some have claimed.
The real problem here is stupid users running untrusted code from random sources. Not the platform. Malicious code on any platform can do anything that user on platform can do. So on an unprotected platform like Win9x, it can trash everything. On protected systems like NT or Unix, it can trash just the stupid user's files. So you're a little safer running NT or Unix, but not much.
And if Linux was the most popular platform, then the virus writers would write their virii to attack Linux. The real solution is to educate people to not run untrusted code.
Do a search on the Bliss virus. The main reason these things don't take off on Unix platforms is because the average Unix user is more wary of these things. Most of these same users never get virii on their Windows boxes either.
Dude, you have got to be kidding! I don't care if the software on my system gets erased, I can restore that any day. If I lose my creative work product however, be it C/C++ code or Word/Excel/PPT docs, that's a loss of many, potentially very many man-hours of work. (BTW, does Star Office/Word Perfect/Applix or any of the Linux packages create .doc files? If so, you could well have a problem in heterogeneous Linux/Windows LANs, due to issue #2, below. I can imagine a Linux version of this virus too, without too much trouble. File permissions only reduce the scope of damage, not the potential for it.)
My company got bit by this today. There are a couple of things about the way in which files get deleted that make it nastier than you might suspect based solely on reading the news clips.
Not only does it destroy MS Office documents you've created (Word, Excel, PowerPoint), but also:
1) It starts by destroying the most recently created/modified documents; i.e. even if you do backups, it does maximal damage to your work, deleting files you've been working on today and over the last few days first.
2) It deletes files on mapped (LAN network-based) drives, not just on your local C: drive, so it will delete files other people work on and depend on.
The only good part about it is that at least Corporate IT got a warning shot across their bow with Melissa before this one came along.
I wonder if anyone'll get tracked down aggressively and arrested for this...
--G
Here's a question (it's not supposed to be a sarcastic reply): Does Windows routinely hide file extension suffixes from users? Is this not part of the reason Windows users keep suffering from these outbreaks?
Maybe you forget what happened in the late '80s? People didn't stop using Unix because of it. These types of attacks are not operating system dependent. It would have been very simple for someone to write a small Linux program that did almost the same thing. Get it through your thick skull and understand how these things work, because until you do you are part of the problem and not part of the solution!
I bet if there was an e-mail attachment virus/trojan that spreads itself by messages with the subject "Virus alert!" with an EXE that "Ensures your system is clean", people would still fall for it.
We got a punch below the belt today from that virus. That's what people get for putting things in "My Documents".
Hit us as well.
I'm sending this as AC because if it gets traced back to who sent it (and thus the company I work for), my ass is on the line.
Dunno if that's the case with any other companies as well, but all the mail servers here (as well as a couple of network drives) are shut down.
Big company (over 5,000 employees). And no-one outside the company is allowed to know that we were affected.
Hmmmmm..........
==========
AC by force, not choice.
Well, maybe it's not that bad, really. For most users, it's just a matter of going to the Recycle Bin and retrieving them. Unless, of course the Recycle Bin is disabled, in which case you're skee-rewed, buddy.
Oh well. I'm just glad I'm not affected as a Linux user. What amazes me is how no one blames M$ for these things. They're at least partly responsible for this damage, having created an OS that makes their creation and distribution extremely simple.
I am being forced to write my master's thesis in M$ Word. It is only 18 pages long now but already it is over 10 megabytes (I remember when that was a good hard drive!) Anyway, to be on the safe side I think I will save all my .doc files as .do1 files or something. Yes, M$ makes it difficult by picking the extension for you (grrr! doing things automatically is what I hate worst about M$ Word!) but you can get around it by putting the filename in quotes (I think.)
I doubt many intelligent admins have been looking at *nixes. After all, an intelligent admin would realize that replacing an OS when the user is the problem isn't going to change anything. This was caused by people executing email attachments, not by vulnerabilities in any specific OS.
[THWAP] you have been smited by the Clue Stick (tm)
Backups are great (we do nightly ones), but they don't eliminate the impact of the virus:
1) you still lose your own work-in-process from today
2) multiply that by the size of your organization (specifically, a factor based on A) the percentage of people catching/running the virus and B) the number of people working off files on a LAN which can get nailed regardless)
3) with our and many other backup programs, when your files are open overnight, they don't get backed up, raising exposure beyond just today's work
That's what I meant by "many" (i.e. with backups) and "potentially very many" (i.e. without backups).
If I'm exaggerating, I apologize -- I've had coworkers catch it and have to deal with it.
--G
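One way to put a number on the exposure the post above describes, as an added example that is not part of this thread: a Python script that walks a directory (a local My Documents folder or a mounted LAN share) and lists the Office documents modified since the last completed backup, most recent first, which is the order the posts say the worm deletes them in. Everything in it is an assumption for the demo: the sample tree, its timestamps and the 12-hour backup age are constructed, and the document extensions are just the ones named in this thread.

```python
import os
import time
import tempfile

# Document types the posts in this thread say the worm goes after
# (assumption: taken from the thread, not from any worm analysis).
OFFICE_EXTS = (".doc", ".xls", ".ppt")


def office_documents(root):
    """Yield (path, mtime) for every Office document under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(OFFICE_EXTS):
                path = os.path.join(dirpath, name)
                yield path, os.stat(path).st_mtime


def unbacked_up_documents(root, last_backup_ts):
    """Documents modified after the last completed backup, most recent
    first: the work that would be lost outright if the worm ran now."""
    exposed = [(p, m) for p, m in office_documents(root) if m > last_backup_ts]
    return sorted(exposed, key=lambda pm: pm[1], reverse=True)


def exposure_report(root, last_backup_ts):
    """Relative paths (forward slashes) of exposed documents, newest first."""
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p, _m in unbacked_up_documents(root, last_backup_ts)]


def build_sample_tree():
    """Constructed sample: a scratch directory standing in for a user's
    My Documents plus a mapped share, with mtimes set by hand."""
    root = tempfile.mkdtemp(prefix="exposure-")
    now = time.time()
    backup_ts = now - 12 * 3600  # assumption: nightly backup finished 12 hours ago
    layout = {
        "My Documents/thesis.doc": now - 600,           # edited ten minutes ago
        "My Documents/old-notes.doc": now - 5 * 86400,  # five days old, already on tape
        "share/finance/budget.xls": now - 3600,         # edited an hour ago, on the LAN share
        "share/readme.txt": now - 60,                   # recent, but not an Office document
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.utime(path, (mtime, mtime))
    return root, backup_ts


if __name__ == "__main__":
    root, backup_ts = build_sample_tree()
    for rel in exposure_report(root, backup_ts):
        print("not yet backed up:", rel)
```

Run against a real share with the timestamp of the last good backup and the output is the list of files whose loss no restore can undo; the readme.txt in the sample is deliberately recent to show that only document types are counted.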
Here are replies to your assertions:
1.) If there were more users there would be more commercial software, so the open source angle doesn't hold water.
2.) Again, everything you mention has to do with the way current things work with open source software and is wrong for the same reasons I mention above.
3.) Basically all you are saying is that systems with a user/privileges based system would have less damage to system files, but there would be just as much damage to the individual's files. In your opinion which is more important, user files or system files? Generally an OS and the associated programs are a lot easier to replace than the user's data/work. Technically you're right but you are emphasizing the wrong thing.
4.) Wrong, because ignorant users who don't want/need to understand how things work will not all of a sudden change their ways because they are forced to use Linux. They will be the same as they always will and they will still be the cause of most of these problems.
The most severe Linux virus, one that can even spread to other OSes if users are not careful, is the GPL virus.
It did wipe all the code for win2k.
Alas... there are backups..... but server went down for a few hours.
Why was this off topic troll moderated up to a 2?
By examining closed source Unix's source code?
Umm,
Sounds like it's your job. Sounds like you get paid for doing it. Sounds normal to me. But you sure cop an elitist attitude about it.
Do you refer to them as "your users" like a lot of IT staff do?
Are you just posting to advertise your business?
It sure seems like it.
Well duh, it's because it was posted by a nick user. Haven't you realized yet that around here even their shit is sacred?
Because the software is free, and because of packaging systems like Debian's APT which make upgrading easy, it is easy for users of Linux-based OSes to keep current.
Because the software is free, and changes rapidly, it's nearly impossible to get a handle on which software is current, which version is which, and who has had their dirty thumb inside binaries. End users aren't ever going to be encouraged to use advanced packaging mechanisms like Debian's to administer their own machines. At least not in businesses, which is where these virii really strike hard.
Because the Linux security model is more paranoid than Windows's, a Linux-based worm needs to actually exploit a security *hole*, i.e. *bug*
Because, on a Linux system, the security model depends heavily on the concept of a Root superuser account, once a process or user gets root access the whole system is basically defenseless against it. And because Linux is deep down a multi-user system, there is tremendous power granted to processes running inside the machine without user purview. So your argument doesn't hold much credence.
Finally, if Linux-based systems become established on the corporate desktop, they will come with a change in culture.
Read: an elitist "let the sysadmin do it, you don't need root access to your machine. He'll get around to it next Tuesday" scenario. Great, people will love that.
I run a win box and have over a gig of C++ files.... but I also have backups...
The nice people at Phrack Magazine put this nice article in a while ago. This module (go down to "A practical example") does several things like hide itself from view with lsmod, hide specific files from a directory listing, hide a network sniffer, and drop in a couple back doors. It is designed for 2.0.x kernels but could be adapted to 2.2.x if it doesn't run there already.
My point for mentioning this is to show no matter how "secure" or how "open-source" your OS is, the weakest link is going to be that thing between the chair and the keyboard...
Note: this example is skript-kiddie proofed for obvious reasons.
Thank god no Unix product has ever fallen prey to a worm on the internet! hahahahahahahahahahaha I truly feel sorry for you and your ignorance.
Yes, there's something called ulimits in the bash shell, which could limit the damage a single user could do. It's not hard to protect a system against fork-bomb attacks.
Hey, don't go giving anyone any ideas. I mean, CERT and the FCC might have to monitor all traffic to this site. How many unix hackers are there in the world who wouldn't mind doing this?
I just wonder how secure our AC posts are here at Slashdot. Is there any way to trace these posts back to a sending address without reading Rob's database? Does anyone think THE MAN is keeping tabs on posts here at Slashdot and keeping a database of likely suspects?
But take Joe/Jo average Linux system and I *bet* you'll find 90% of login time is as root.
It seems to me that sysadmins working for corporations and agencies would simply filter all email and delete all email containing attachments or remove attachments and replace them with a standard blurb about company policy not allowing email attachments. If companies don't have such a policy, why not? The tools to implement it are available and free.
It's different for home users but home users are repeatedly warned by ISPs and AOL not to open email attachments from people they don't know, and even then it can be risky because an email can be sent by the worm or virus itself without the sender's knowledge, etc.
Windows is incredibly stupid about detecting file types and usually just goes by the extension, which can be misleading. Once an attachment is opened, even if it is not treated as an executable, clicking on it to 'view' it can execute such a false program.
If companies and individual users insist on using email attachments on Microsoft systems then they deserve to be hurt by these trojans and viruses. Serves them right - especially the stupid sysadmins who allow this. Hope they spend many hours, days and weeks rebuilding systems and installing virus updates and lose many hours of sleep.
That's the trick, isn't it? Writing sendmail rules isn't just something most people can do..
Well gee, maybe it is on topic. The ability for macros seems like a feature MS added to sell their software. And it is humorous...
1) Sorry, but capitalization doesn't add much to readability for me. Maybe I read too much James Joyce as a young lad. Get over it.
2) The point you're missing is that they are not attacking MS and MS users because of the lack of freedom and its bad press, they are attacking it because it is the big domineering force. It's "the man". It's unavoidable. If Linux was as popular as Windows they _would_ be attacking it just as much no matter how free and open it is. The thing with rebellion and youth is it usually doesn't matter what you're rebelling against as long as it is the majority.
a hasty conclusion
This type of attack succeeds not because of flaws in an operating system but because of the ignorance of its users...
My! You're even harsher on Winlusers than I am --I would have said the ignorance of its choosers.
The operating sys in question breeds that kind of user. Because it needs them to replicate. But please, don't blame the victim, the user --it's a lame dodge and it's getting really stale. The people who sign the big checks to Redmond and their advisors really have only themselves to blame. They must own this stupidity and wear it around their necks for everyone to see --it's not like there haven't been warnings.
I have a SecureID card to connect to the machines at work when I need to. Be thankful that it's as secure as it is. We don't need creeps hacking their way in and interfering with the development of Heart Pacemakers.
It will stop when there is meaningful security on the 'net. If it means a point-to-point audit trail for all sent e-mail so be it. We're headed there, and it's because of little turds with anti-social attitudes and great disdain for 'the system.'
Your language is rather strong, but you have a point. E-mail is for text.
We got hits.. stupid IS people just love MS products.
I would honestly like to think so, as *I* have never posted anything illegal or advocated anything illegal here. Wouldn't mind seeing a few geeks nailed who have...
Ever notice how the mass media never seems to point out that there's a trivial fix for all these myriad virus problems? All they have to do is install an operating system (Linux, BSD, whatever) and this crap just goes away.
You have over a gig of C++ files? Oh right, it's on a win box. I guess bloatware does take up a lot of space.
In light of this event, Microsoft has even terminated its intranet gateway to the outside. It is amazing how Microsoft "isolates" itself in the event of a worm targeted directly against Outlook clients. Heh heh.
:: krs.
Call their ITG center for a rather amusing memo.
Ok, agreed, it is not a virus. The point was that
of course someone can write a virus for unix platforms. As long as the recipient is willing to execute the script without taking a look at what it does, then they are at the mercy of the script writer.
Thankfully, on Unix systems, that script wouldn't have permission to do anything, unless either the sysadmin has his head up his ass or you insist on logging in as root. As Linux grows in popularity, I think more viruses, trojan horses, etc... will start showing up because you get more people who aren't as unix savvy, gullible enough to fall for it. How many of these users will actually read through a make file before typing 'make install' as root?
We all know that the user is ultimately responsible for infecting their system with a virus, since they performed some action which allowed the executable to infect their computer in the first place. As the popular GUIs, such as KDE and GNOME, become more popular and hide more of the OS from the user, I think we are going to see more "viruses" for Linux.
well why don't you just make it show extensions all the time?
it's in the little VIEW menu
For the first time on this page I have actually seen someone speak with common sense! Forget OS biases. I love computers and fully comprehend that not all people can custom compile kernels, etc. Furthermore, only about 2% of all computer users really give a crap about what OS as long as the bills are paid and there is food on the table. One has to be realistic!
1. It does not infect files
2. It spreads itself out of the system it has infested by itself (not relying on lusers to exchange files)
Now it DOES use MAPI to send itself, but it only uses Outlook databases to get the addresses
This is what you get from a monopoly of moronic design
See: A description
-Mashiara
Yes, an option to kill all macro support would be nice.
One switch to shut down all the "intelligent" stuff in Office (spelling correction, capitalization, hyphenation, auto complete, etc.) would make office almost as good as editpad, haha
Bob9113 (dunno password offhand)
c.o.l.a getting a little crowded? :)
http://www.netcraft.com/cgi-bin/Survey/whats?host=www.hotmail.com
ac.
Just some quick points in response to your comment...
1) More commercial software will be used, sure, but never as much as on Windows. Also, there's more likely to be competition among real live different choices for most common applications, unlike the current MS hegemony (yes, corporations may standardize... but see my other points). Also, the linux community is much less tolerant of shoddily designed software, and will tend to reject the worst examples of poor design.
1.1) It would be close to non-existent, sure, but you seem to be confusing beta software with insecure software. They're related sure, but in linux, if version 0.5a has a security bug, someone notices it immediately and it's gone in version 0.5b (released 3 hours later). Beta is usually more a reference to feature completeness, and the possibility of the existence of bugs; however, bugs are fixed _fast_ once noticed, and with a tool like apt on debian you don't have to worry about keeping track of those updates yourself.
2) Well, dinstall checks the signature, actually -- dinstall being the program that moves programs from the debian upload dir (to which you must be a trusted developer to even have access) to the place where they can actually be accessed by normal users and tools. In other words, you have to go way out of your way to get a package for which the sig hasn't been checked. I dunno how redhat works, but on debian it's automatically checked, and everything is fairly secure. Sure, someone could break into ftp.debian.org, but it's _highly_ unlikely and would be fixed _fast_.
If you want to filter out certain attachments, kill .doc as well. word documents may contain macro viruses.
Actually, at work I have installed a filter that rejects any messages that contain attachments with executable content. This seems to work pretty well, we have had no problem with happy99 (although it was delivered at our gateway several times). It has not yet trapped zipped_files but it would.
Actually, it would have been a lot funnier if the worm posted certain well-picked Word files to the Internet rather than deleting them. Like those files that contain strings such as "Company confidential", or "Do not disclose". Or that contain long strings of digits that look like bank account numbers. Just imagine the havoc such a beast could wreak!
You will be ok with Linux... as long as you don't read your mail with pine!
http://www.geek-girl.com/bugtraq/current/0094.html
This one ONLY affects Linux... the *BSD systems are safe, but only because pine's locking is broken.
How is it less likely for an attack like this to spread if people were using Unix instead of Windows? I'll give you a clue, it isn't! It would spread just as much with the same users regardless of what OS they were using. The _only_ difference would be that an OS with file permissions would not have its system files trashed and Win95/98 would, but the real problem here is not system files anyways. It's the loss of user data, which wouldn't be prevented by file permissions.
Being 26 and a former juvenile delinquent I have to still say that what I said before is true in my experience. I myself have been, and I have known, a lot of angry and disillusioned people in my days, and very few of them would ever have actually been able to tell you why they were striking out at who they were striking out at, but it almost always was the biggest target around.
At least on a Linux box when Average Joe User runs some malicious code, it does NOT alter core system functionality.
On a personal workstation, system files are the least important thing on it. They are relatively easy to replace compared to the user data, which might possibly be impossible to replace and is where most of the investment is anyways.
Linux (and UNIX) is inherently more secure than Windows and can do a much better job of protecting the user from his or her own stupidity.
Wrong! They only protect the user from damaging the system but not from their own stupidity. Users can just as easily accidentally delete their own files under Linux as they could under Windows. Your argument doesn't hold water because you don't seem to truly understand the problem.
i could make a program in ms dos batch programming that formats the drive... you can make a bash script that does that too... thats not a virus.
You need to create something that runs and modifies itself and puts itself inside of binary files, then when the binary is run it spreads more.
Unix is just as prone, however i can see it would be easier to write a virus scanner for unix.
| One switch to shut down all the "intelligent"
| stuff in Office (spelling correction,
| capitalization, hyphenation, auto complete,
| etc.) would make office almost as good as
| editpad, haha
You just try to edit a scientific/technical paper with any of that auto-crap on. ;)
Yeah and my VB stuff... Oh, wait, I get all my email through VMS, and VAXmail doesn't support MIME, I'm completely safe.
I wonder, are there any VMS virii? Not too many people use it; maybe there's just no motive: ie, can't piss off a lot of people.
--sam
Wrong. The servers got shut down coz they knew that they *could* get it. So Lockheed figured that they might as well shut down, coz with a company that size, you know someone was going to end up getting it. Which is entirely sensible. I heard Microsoft shut down for the same reason.
--peace
Fast Choker, too lazy to log in.
No. Email is for text. Look at the RFC.
It's just got embraced+extended. It would have been much better to design a completely new protocol. Everything you send as an e-mail attachment is encoded to text through MIME base64 encoding anyway. For historical reasons, e-mail is sent as 7-bit ASCII. Everything that isn't 7-bit ASCII is changed to 7-bit ASCII through one encoding scheme or another. This is inefficient + wastes bandwidth - 8/7 is not a whole number, so to avoid data loss, the data ends up being "padded". You could send a URL to the file in an email, that your boss could just click on. This would waste far less bandwidth.
You'll love this. M$ got smoked by it. Took down half the servers in the freekin company. AC due to I work there.
Yes, we need a slimmed-down "Desktop Distro", in which most server daemons don't run by default. I believe that's what Corel is working on - since Debian is so wonderfully flexible, you can give it a whole different "personality" just by installing different packages. If you do a workstation class install in Redhat, that's kind of what you get, but most people seem to install the /entire/ RH distro, and since RH (and Debian) assumes that if you install an rpm/deb, you want the service it provides to start at bootup (in general), you end up with a box that has everything from SQL databases to news servers open to anyone.
This is slightly off topic, but I feel I must mention it. I've talked with various people working for companies, and one of them told me the following:
He works for a company that has 60-70 employees that uses Unix for development of various applications, and Microsoft has offered $250,000,000 to this company to switch to an all NT setup. He further stated that he knows of other companies who have been offered this money and switched. His company told M$ to go to hell.
Are these the kinds of practices that are competitive? Is this something the DOJ should hear about?
On a note related to this post, a company I do consulting for is using a Samba/Email, etc. server with netscape clients. The Email server basically strips all executables from e-mail and renames them so they are no longer executable. It also puts word files in a quarantine if they have too much dangerous macro content. We need more servers set up like that to counter attacks like this.
I'd prefer everyone runs different OS's with compatible programs running on open protocols. That way, people can use software that goes along with their needs. The Windows everywhere mentality is what is killing us, and it is something that we should fight.
Can't wait to see the havoc Office 2000 can wreak, with its web publishing enabled from the office suite itself. I bet it could get rather interesting.
I wonder how many more M$ only attacks it will take before people stop believing the Windows everywhere bullshit.
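The attachment policy several posts in this thread argue for (strip executable attachments and replace them with a standard policy blurb, quarantine Word files that carry macro code, and never trust the visible extension, since Windows hides the real one) fits in a few dozen lines at the mail gateway. What follows is an added example, not code from this thread or from any product or server mentioned in it. It uses Python's standard email library on a constructed sample message; the extension lists, the VBA marker strings (a tripwire, not an OLE parser, so a real deployment would want a proper macro scanner behind it), the blurb wording and the example filenames are all assumptions for the demo.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on a double-click whatever the icon looks like
# (assumption: a representative list for the demo, not an exhaustive one).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta", "lnk", "shs", "reg"}
# Document formats that can carry VBA macros.
OFFICE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
# Strings that show up in the VBA project streams of an OLE2 document
# (assumption: a heuristic tripwire, not a macro parser).
MACRO_MARKERS = (b"Attribute VB_", b"_VBA_PROJECT", b"VBA_PROJECT_CUR")

EXEC_BLURB = "[attachment removed: company policy does not permit executable attachments]"
MACRO_BLURB = "[attachment quarantined: Office document contains macro code; contact IT to release it]"


def extensions(filename):
    """All extensions of a name, lowercased: 'report.doc.exe' -> ['doc', 'exe']."""
    return filename.lower().split(".")[1:]


def looks_disguised(filename):
    """True for a double extension whose visible part is a document type but
    whose real extension (the one Explorer hides) is executable."""
    exts = extensions(filename)
    return (len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS
            and exts[-2] in OFFICE_EXTS | {"txt", "zip", "pdf"})


def classify(part):
    """Verdict for one MIME leaf: 'executable', 'macro' or 'clean'."""
    exts = extensions(part.get_filename() or "")
    payload = part.get_payload(decode=True) or b""
    if exts and exts[-1] in EXECUTABLE_EXTS:
        return "executable"
    if payload.startswith(b"MZ"):  # PE/MZ header: an executable whatever it is named
        return "executable"
    if exts and exts[-1] in OFFICE_EXTS and any(m in payload for m in MACRO_MARKERS):
        return "macro"
    return "clean"


def filter_message(raw):
    """Parse a raw RFC 822 message, replace executable attachments with the
    policy blurb, move macro-bearing Office documents into a quarantine dict
    (original bytes, for IT to release), and return (cleaned_bytes, report, quarantine)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report, quarantine = [], {}
    # Only parts marked Content-Disposition: attachment are checked here;
    # a gateway that also wants inline parts would run classify() on every leaf.
    leaves = [p for p in msg.walk() if p.is_attachment()]  # collect first, then modify
    for part in leaves:
        name = part.get_filename() or "(unnamed)"
        verdict = classify(part)
        report.append((name, verdict))
        if verdict == "clean":
            continue
        if verdict == "macro":
            quarantine[name] = part.get_payload(decode=True)
        # set_content() drops the old Content-* headers (filename included) and
        # turns the part into plain text, so nothing executable survives.
        part.set_content(EXEC_BLURB if verdict == "executable" else MACRO_BLURB)
        del part["MIME-Version"]  # set_content adds one to the sub-part; it belongs on the top level only
    return msg.as_bytes(), report, quarantine


def remaining_attachments(raw):
    """Filenames of the attachments still present in a (cleaned) message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.is_attachment()]


def build_sample():
    """Constructed test message: a worm-style .exe, a .doc with a VBA marker,
    a disguised double-extension file and a harmless text note."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "files you asked for"
    msg.set_content("Hi Bob, everything is attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="zipped_files.exe")
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
                       + b'Attribute VB_Name = "ThisDocument"',
                       maintype="application", subtype="msword", filename="budget.doc")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="report.doc.exe")
    msg.add_attachment("Just the plain numbers.\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, report, quarantine = filter_message(build_sample())
    for name, verdict in report:
        flag = " (disguised double extension)" if looks_disguised(name) else ""
        print(f"{name}: {verdict}{flag}")
    print("delivered attachments:", remaining_attachments(cleaned))
```

A gateway would hand filter_message() the raw message and deliver the cleaned bytes; the report is what goes to the log, and the quarantine dict is where the original bytes of a macro document wait for someone to look at them. The MZ check is what catches an executable that has been renamed to slip past an extension list, which is the same trick as the hidden-extension problem raised earlier in the thread.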
Crackers dont write viri, they're not CRACKING
anything. They're HACKING.
GET IT RIGHT
What about fvwm and all of its derivatives? It would be possible for a bunch of mail clients to be quite similar (all based upon the same foundation code)...
M$ isn't linux. I don't want it to be
If you are sharing any files via Samba to a 95/NT machine and that virus hits those machines, good bye files on your Linux box!
This is a SIMPLE worm that could be written for ANY OS, get your head out of your ass. To say Linux people won't run attachments is just stupid, THEY WILL. People are stupid no matter what OS they run.
I don't care, it's what 99% of our clients use; any info would be HELPFUL no matter what your views are. I'm really surprised MS doesn't have any info on how to filter files in Exchange on their web site, so.... Anyone know offhand?
That was great. rofl.
I vote for that message as the best reply since the inception of /.
Man, you are silly. People could just as easily write this to delete Unix stuff. Besides, it is already affecting Unix boxes via Samba as it is. Unix is getting trashed as I type.
It deletes files on network drives as long as the user has ACCESS. The ONLY way it won't affect anyone via ANY OS is NO ACCESS. Yeah, ok!
GET YOUR HEAD OUTTA YOUR HOLE
Or your code will be deleted if that machine has permissions to delete files on your Linux box.
"ha ha" indeed.
I dislike the empire as much as anyone, but thinking that people are writing virii/trojans/worms for Windows just because it IS Windows is naive. They want to affect the greatest amount of people they can and get the press. In a few years when Linux is the consumers' choice...I think you will be seeing just as many virii/trojans/worms being spread around targeting non-MS products.
I could easily write a perl script that would delete a users $HOME directory.
Sure, unless the admin mounts /home noexec and disables auto-executing MIME types for mailers which support such silliness. Which the admin should.
Of course, people imbued in the "single-user on steroids" world perpetuated by WinNT and the like aren't used to that sort of thinking.
Several thousand known virii for MS Windows.
Which one do you want to contract today?
I just love it!
Though it does seem to have the Windows weenies in a bit of a panic.
It'd be a much nastier worm if it modified the data within the files rather than deleting them; changing the words here and there in word documents and presentations, changing numbers in spreadsheets.
It's much more difficult to recover from corrupted data than simply deleted data, you may not even notice it's been corrupted.
Oh what those Windows users must be looking forward to...
Umm.. doesn't this also describe Enlightenment?
I too will be graduating CS in a year, and will not consider working for MS. And the sentiment is the same for a lot of my friends, despite the recruitment MS does on campus. Their promo video made Redmond look like a geek utopia. The only people who are going to work for MS from here are the uninformed ones, the CS majors who got through by copying code from the top students.
I wonder if MS considered this when designing their shoddy work and making those aggressive business moves.
Give the guy a break. He (or she) probably does care.
But their solutions are to add more bloat because they've locked themselves into an architecture which is the complete opposite of the "large collection of small tools" model.
I think you are missing the point. You are correct on one level that the problem is not caused by the operating system.
However, I feel that, due to the type of behaviour these applications encourage, the creators of them bear a large amount of the responsibility for creating a culture where this kind of attack can be so devastating.
Let me explain. As the Internet became popular through the mid '90s, a trend developed of taking established standards and "decorating" them in a way which I personally believe amounts to vandalism. This started with the new thing on the scene, HTML with Netscape. First they added things like background images, the blink tag, etc. which had no place in a content markup language, and added nothing but eye-candy. What made the Netscapeisms so insidious, however, was that people simply couldn't resist the urge to use this stuff and brutalise their web pages with all kinds of rubbish. The widespread adoption of the Netscape extensions to HTML played right into Netscape's hands, because eventually you could only view them in their browser; the things they ultimately added weren't just extras, they were required to see the page (frames and Javascript, for example).
I think the Netscape example was the first major use of the "embrace and extend" tactic in the mass market, as it's seen today.
When Microsoft started producing Internet stuff, and stopped playing catchup, we saw the same tactics. This time they were applied to email, and Netscape were all too happy to join in. Microsoft and Netscape, IMO, were asking for this kind of virus attack as a logical consequence of their abuse of MIME encoded mail in what I can only think was (and still is) an attempt to corner the market by taking the "commodity" of email and making it into a proprietary system in the same way Netscape abused HTML in the first place.
It started when Windows mail clients started turning mail into HTML or RTF without the user even knowing this was going on, or understanding what it meant. This meant that anyone on a "traditional" mail system couldn't read mail sent from these systems, and like the Netscape extensions to HTML, this tactic succeeded due to superficially appealing eye-candy, such as the ability to use multiple fonts and different colours in an email which should have been sent as plain text in the first place. The next step was even worse - Word was integrated into the mail system giving the user even more eye-candy.
So now email has been embraced and extended. People who don't know better use insidious software which sends what should have been plain old ASCII text as a Word document. This document is now 10 times the size it should be, and contains nasties such as previously deleted text (fast save is a *major* security hole) and macro viruses. The user doesn't understand what's going on, they're just using the Internet software in the way Microsoft apparently intended to send documents which only users of Microsoft software can easily read.
So history repeats itself. Now you can't read your boss's email in your original mailer anymore, because it's in Word format. It's hard to read it on a UNIX workstation. A terrific job has been done by Microsoft of making the world dependent on their tools for email. However, in abusing the existing system for sending text messages which provides no practical benefit most of the time by layering all this proprietary stuff on top, they have created an environment in which these viruses can thrive. Evolution does the rest of the job, and it is now *inevitable* that the type of email environment Microsoft has helped create will suffer from these kinds of attacks.
A simple text message which would have been sent as plain old ASCII 5 years ago is now sent via a system cobbled together from various applications and file formats which are primarily designed for other things (not email, i.e. HTML, DOC, etc.). The ASCII message was harmless, but the new message, whilst containing *nothing* of interest to the user that the original didn't have, comes equipped with vast gobs of metadata in which there are countless gaps to hide viruses and trojans.
Someone once coined a great acronym - KISS (Keep It Simple, Stupid!). Microsoft didn't follow this advice, and we are now seeing the natural consequence of the unnecessary complexity they pushed into everyday email.
If they didn't want this sort of thing to happen, why did they write software which *encourages* it for no good technical reason?
Ahhh. you think I jest....
;-p
Get this: win2k is on slm source control requiring all developers on the project (hundreds of them) to map a drive to the source code file server with read/write access permissions enabled. Anyone who gets infected with this virus who has a mapped drive to the root directory on the file server will nuke it. Not far fetched that a company with rampant internal emails all done with MAPI could infect a single developer on the project. It did. Server was pulled, missing files replaced from backup, and everyone is happy once again. I may be AC, but I'm not full of BS.
but by saying that you are implying that it is more difficult to write a virus for unix than it is for windows, it's not. you cant use many of the same tricks but there are many different ones that work quite well.
This goes against my experience in large "Microsoft" shops. Users always kept important documents backed up on diskette or network server (which was backed up at least weekly).
you're saying that in your experience most big microsoft shops care more about the system files instead of the user data? this really makes no sense especially since you then say that they backup the user data and not the system files. if the system files were more important wouldnt they be more likely to back them up instead of the user data?
The real problems happened when workstations crashed because of failed harddrives or virii. It took hours or days to get them back to a workable situation.
then they have bigger problems than failed harddrives or virii, problems like incompetent support ppl. frankly if one person cant get a single machine reformatted and reinstalled with all the extra software in a few hours then they shouldnt be doing what they are doing. few places i have ever worked would have allowed such a person to get by for very long.
Ouch! I guess this hit where it really hurts. You don't honestly expect us to believe Windows is as secure as UNIX...
where did i ever come close to saying that?
the problem is that many ppl here in this discussion seem to have their head up their ass in thinking that this could never happen in a unix environment. they are wrong. it is just as easy for a user to delete their own files on windows as it is on linux. the problem is only slightly lessened on unix because it is less likely that the system files will be compromised but reinstalling a system is much easier than replacing lost data.
First of all this most recent virus is NOT a macro virus:
This most recent virus takes advantage of only one security hole, and that is human carelessness. I can tell you right now that if someone created a similar version to come in through unix mail servers with a binary executable attached, and you voluntarily executed it, that file could wipe anything you had write access to, which is essentially what this virus did to Windows machines.
On Macro Viruses:
Windows provides simplified scripting capabilities to simplify the user's life. Generally these "security holes" as you call them are features that are to allow administrators to provide advanced functionality. Please do not say that the fact that Windows allows extra macroing in its advanced office applications is a "security hole". As soon as developers begin to write serious corporate office applications for unix systems, you will see similar "security holes" popping up simply because USERS WANT THOSE FEATURES. If a user wants to be able to make a macro that spawns multiple other files, generates mailing lists, prints those mailing lists, then deletes those same files, then the macro can do that. That macro requires write/delete access to the drive. Your apparent definition of "safe" is basically no user customizable advanced functionality. In reality I think that most of the UNIX people just hate Microsoft and will take any cheap shot they can. This is not only tacky, but it makes your own OS look like junk because you cannot find a REAL discrepancy to debate about how UNIX *is* superior.
Thanks,
Marksman
It can also wipe out files on *nix system via Samba
Sorry, had to get that one in. Good luck on your next launch.
If Linux had 90% of the market, there would be PLENTY of viruses.
Then again almost all viruses fall prey to idiots who click on these blatant .exe files. A co-worker got the message about The Worm virus, 15 minutes later his system was down because he clicked on the .exe. What an idiot.
All of my windows users pull their mail from a Linux mail server. I was wondering if anyone has spliced together a virus pattern matcher that sendmail could use that would check all attachments for assorted virus and other wee beasties and on finding one have it stripped off and sent to the admin. One that could read the patterns from say Nortons virus definition file.
Just Pondering
tOdd
The first widely reported Internet worm incident, resulting from a program written by Robert Morris in the late 80's, primarily disabled UNIX systems...because that's the OS most Internet-connected platforms ran in those days. Today, it is logical that a worm would target Windows, because that is what most Internet nodes are running now. Platform details are irrelevant to a worm writer -- the only thing that counts is the size of the target. It is worth noting, though, that the Morris worm exploited, among other things, buffer-overruns, which were enabled by Morris' access to the SENDMAIL source code.
E-Mail is for text. Period. If you want to share files, use FTP. Poor assholes. Perhaps this will teach them a lesson.
It took down every server at Redhat.com, too.
If you believed the last post, you should believe this one too.
the best day at work.. no e-mail from bosses. :-)
I do not agree that running a macro from an email program is a good idea given the level virus infestations out there. It would be better to require all documents to be saved to a disk.
They should require action on the part of the user to make them executable.
Office macros should be limited in scope to prevent a program deleting files. I agree that that it must have seemed like a good idea to do this originally but really the security issue was clearly not thought out.
Now that KDE and GNOME are fully embracing the idea of corba connections between components, I hope that the issue of security won't be over-looked.
Regarding MS and its employees being "evil", actions speak louder than words. It appears to many of us that MS's motto is "if it's good enough to take a lot of users" we'll destroy the company. Or MS needs a new revenue stream, make sure new office documents are not backwards compatible. That way people have gotta upgrade.
But mostly it is the basic idea of "join with us - it is much easier that way". We don't want to be consumed!
What is so bad about your brainchild is that it *allows*, even *invites* the user to do things with files other than saving them somewhere.
You take the easy way out with "but the user should be aware of the dangers". That is not fair. As a designer you know what might happen when you double-click on a .EXE attachment, but the user is just someone you and your colleagues have taught to double-click on any pictogram they get in sight, "because something interesting might happen".
Presenting dialog boxes whenever a user does something that might have disastrous effects even worsened the situation. The users have gotten accustomed to this, and now they think "when this is going to do anything bad, it is going to warn me".
Sure it might have seemed a nice idea to have all this functionality in the mailer, but you should have thought of the consequences and have rejected the idea. Implementing it and blaming the user for the consequences is what you get flamed for.
I do not work for Microsoft. I am not a programmer. I am just a user and I daily use Solaris, Linux, Win95 and sometimes a Mac.
;-)
You were saying that these virii/trojans/whatever exploit the lack of information of the user rather than weaknesses of the OS. But Microsoft designs software for the user, not for the pro coder. So it must be aware that 95% (or 98%) of its userbase is computer-illiterate. It is therefore a design flaw to allow them to do things for which they are not prepared or trained, especially when that can harm them and the machine they are using. IT IS THE FIRST RULE OF ENGINEERING, man. It is like putting a kid inside a car with auto gears. Real easy to drive to hell.
Software engineering is not only about software, it is also about engineering. Ever heard of bulletproofing?
A.
Your attitude seems very inappropriate.
You're a worker bee, unlikely to make any significant changes to how the company operates. There is little you can do about people's attitude about Microsoft. We do not blame you for the fault. Did we say xxxx name is stupid? We said Microsoft is stupid and arrogant to release buggy products when they can spend just a bit more time and money to make them stable and good.
I apologize that you may have been hurt in the process, but any worker bees like you at Microsoft have little in terms of how they promote their business model.
This is a market question. Little do I care about how you feel or what you do. Just that Microsoft needs to maintain a higher standard because over 90% of users use their software. Since you stated users are "stupid"; then it is your creation of Outlook that should help them, but you come back and slap them in the face and say they are "stupid".
Flame me. I'm bored.
Kent
newyen@hotmail.com
As for your points about being offended about people's poor opinion of Microsoft, I'm a little surprised. I'm about to graduate with a CS degree and I'm looking at potential employers. I am disgusted by Microsoft's monopolistic behavior in the past in areas such as:
But it boils down to the following two points:
I would not want to work for such a company that has these flaws as I don't think that they treat me well. The only counter argument that I've heard is that the pay is good.
enjoy your 30 pieces of silver, but don't bitch when people have repugnance for such a dishonorable and dishonest company.
--sam
The fundamental problem here is neither Outlook or Windows per se, but the same problem one finds with monoclonal agriculture. That is, I do not think the same company should produce and force its single standard version of everything on everyone. Simply put, there should never have been an Outlook group at Microsoft in the first place. Microsoft's own efforts to control the marketplace by leveraging a single code base and its dominant platform into the application market, and by integrating the OS and applications directly in an often undocumented manner to make competitive products less desirable and making non-Microsoft solutions difficult to use either from undocumented file formats or undocumented extensions and modifications to commodity protocols, is what makes this possible by locking users into a single and very heterogeneous environment at all levels from the OS itself to all the applications.
Certainly, a problem like this could occur on any platform. But a problem that only attacks Linux users with Netscape would spread far less even if Linux was 90% of the marketplace because in that Linux is an open and competitive platform for third party products AND distributions, there will never be a single mail client and single distribution for such a virus, worm, or trojan to depend on.
please reread it. anybody who executes the binary will have files deleted, anybody can receive it regardless of what mail client they use. it only uses the outlook api to resend itself and most ppl will have the outlook api even if they dont use outlook as their main email client.
I work for Microsoft. I work on Microsoft Outlook. I work on security in Microsoft Outlook. Do you all genuinely think that we dismiss fiascos like this with an airy wave of the hand? That simply is insulting. We are hard working people, and we do give a damn no matter what the guy at the terminal next to you says around bites of his twinkie. Hell, some of our own servers were down today as a precaution against this - you think we take that kind of productivity hit lightly?
I read slashdot because I have immense respect for the geek community and I'm a part of that community. But how do you suppose it feels to know that most of you despise me purely for the name of my company? There are 20,000+ geeks who work for Microsoft. All evil clones?
Let's establish a few hard facts about the "security holes" that allowed Melissa and this worm.
1) In both cases the attack was made through Outlook. In the case of Melissa, the attack was *entirely independent* of the OS. If Outlook were ported to Linux (assuming it could supply our browser needs, which judging from Netscape's half-@$$ attempt at S/MIME I sorely doubt) the e-mail servers would have been just as clogged. In the case of today's worm, the executable could very easily have deleted the user's *.c, etc files outright rather than installing itself somewhere. Why? Because...
2) In both cases the user had to voluntarily *choose* to run the virus with their own permissions. For goodness sake, the email says, "take a look at these zip files" but the attachment is an exe! Only a clod would fall for such an obvious imposture. And if you are such a novice as to run the "zips" we alert you that running unsigned exe's is dangerous as they "may include viruses or scripts". There's a similar warning when Melissa starts its mailings. You have to click OK to proceed. Microsoft can do a lot in the way of security, but we can't cure willful dumbness. The user doesn't read the caution and it's our fault? What do you want us to do? Say it twice?
3) The exploited aspects of our program were not "holes" in the sense that locking up when you receive a malformed packet would be a "hole". Every aspect of these viruses can be and is used in a positive way by people in the field. Face it, some businesses want more out of their e-mail client than plain text and remote calls to vi. Power can always be abused. The power to cut down a fifty-foot oak is the power to conduct the Texas Chainsaw Massacre as well. If somebody you don't know hands you a chainsaw and tells you to hold the blade while you turn it on, and if you do it despite the warning labels, then don't blame the manufacturer when you lose your frickin hand!
It makes me tired to read posts from people who obviously have never even seen Outlook's splash screen let alone written a VBA scriptlet. If you want to use elm, well whatever. But don't pretend you know what you're talking about when you so obviously do not.
Unix-like systems are vulnerable, just like any other system, but it tends to be more difficult for virii to propagate than on something like DOS because virii are (should be) only able to do bad things that the user they're running as could do anyway. Virii and Stupid User Syndrome can kill a user's files, but they can't kill the whole system unless root is affected with S.U.S too or if there's buggy privileged software on the system.
http://www.microsoft.com/info/privacy_security.htm
404 as of about 11:30am EDT.:)
--------------------------
Your Favorite OS Sucks.
^D
The only real way to prevent local DOS attacks is to keep a close eye on system resources and a cattle-prod at your desk.
--
What about the (in)famous Internet Worm? That infected and traveled through a lot of different flavors of UNIX. Something like that happening again is not impossible.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Incorrect. Since there are security holes in the OS, an unchecked program can still do damage in your "secure" environment. For example, up until about a year ago, any program could make itself suid root by exploiting an X security flaw (since X was set suid root in most cases).
Sure, Linux/UNIX is more safe when running unchecked programs, but it is still incorrect to say that it is a completely secure environment to run unchecked code in. Unchecked code is dangerous, no matter what OS you're running.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
But do we really have software diversity? Most major mailservers run Sendmail - a new serious Sendmail security flaw (in addition to the hundreds already in existence) could make it very easy to compromise a large majority of mail hosts. If a worm can compromise even 5% of the systems, it'd be able to cause serious damage.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Duh. That's not a virus. Where's the spreading code? At best, that's a trojan.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Posted by Dr Evil:
I think even with the popularity of windows, Macintosh has 800x as many viruses. It's just too easy:
1) no memory protection.. you can alter anything in memory if you want.
2) toolbox- interrupt-driven drawing and system code with a patchable table.. I want to make the text drawing functions say 'iM 'lEEt' instead of what you want it to say
3) no file protection.. you can easily destroy system files as well as user files
Shoot, they have viruses that are SO creative for the mac (like the oscar virus) that people purposely install them because they are so cool. How is that for ironic?
(Whoaa, that is cool, can I get a copy of... wait, I already have it! coooool!)
-David
Posted by Dr Evil:
funnily enough, spammers never seem to give me
their real email addresses when spamming me.. you
cannot ask them to stop, but you also couldn't
buy the thing they are advertising IF YOU WANTED
TO..
*grin*
Posted by Dr Evil:
..
you have to understand that my users have a child-like understanding of the evils of the world... "Oh look, didn't the administrator say something about running executabelle.. somethings? Oh well, the icon is sooo cute, all nice and shiny,
(Speaking from my admin days)
-David
Posted by Dr Evil:
just, luckily because I run linux, I am not ignorant.
Posted by The Incredible Mr. Limpett:
My guess...Microsoft.
HAHAHAHAHA That would be sweeeeeet!
----
"Wars, conflict, it's all business. One murder makes a
villain. Millions a hero. Numbers sanctify."
I use a program called amavis that replaces procmail. It supports multiple scanners (I use uvscan with a cronjob to update the info every day). If there's a virus attached to the message, it's bounced back and a warning is sent to root. I haven't seen it in action except for a virus test pattern since my mailserver only has 2 users, but it seems pretty good :)
F0 07 C7 C8
When everyone stops using Windows. Maybe 2004.
--
Get your fresh, hot kernels right here!
mh ...
...
if you did "find . -type f -exec grep "@" {} \;" though
I don't wholly agree with you here. Yes, users are the core problem w/virus replication. Anyone dumb enough to open an attachment in email that they weren't expecting is going to get infected eventually....but isn't the mere fact that it's so easy to WRITE a virus for Windows part of the problem too?
Werd.
You read mail as root?
This will stop when clueless users finally learn that there's a REASON you're not supposed to just run things that come in the email.
Or we could solve it using a Darwinian approach. To: all From: info@nih.gov Subject:Health hazards of email
Warning, reading email is hazardous to your health and can cause life threatening brain blockage. Anyone who frequently reads email should stick their tongue in a lamp socket at least twice daily as a protective measure.
>I could easily write a perl script that would delete a users $HOME directory.
With the Windows port of Perl most likely so if Windows had $HOME directories. With the Linux/Unix/BSD Perl ports? Not so fast. How would you get the Perl script to obtain the root privileges it would need to delete the user's $HOME directory if you don't have root access?
>The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .sls, and .ptp,
Really looks like this thing could've been written by one of those former temps that Microsoft tried to screw over doesn't it?
After all revenge is a dish best served cold....
You're kidding right? Someone could quite trivially cook up something like zipped_files.exe that would work across diverse Unixen, never mind just Linux.
Bourne shell can be used as a cross-Unix system testing environment. There is nothing stopping someone from doing the same thing for trojans.
It would actually be EASIER as Unix is built for automation.
A Pirate and a Puritan look the same on a balance sheet.
That doesn't replicate...
cd ~/Mail
grep "@" .* | sed 's/^.*.*$//g' | sed 's/^.* .*$//g' | sort -u
For which mail clients would this not produce a useful list of new victims?
A Pirate and a Puritan look the same on a balance sheet.
Actually, that's fairly bloody malicious to the people who have their data in those files.
Phil Fraering "Humans. Go Fig." - Rita
(currently testing something about signatures here)
See? owv
http://www.news.com/News/Item/0,4,37687,00.html
>The real problem here is stupid users running untrusted code from random sources.
Exactly. Under Linux, I can run unchecked programs as user='jailbird'/group='playpen' and not worry about my kernel being hacked.
Under DOS/Win31/Win9x, I CANNOT RUN ANY PROGRAM IN A SECURE ENVIRONMENT. This is what the M$ supporters Just Don't Get(tm). Where everyone is a God, no one is safe. When everyone is the superuser, no computer is safe.
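The two posts above make the same point: on a protected system, malicious code can only destroy what the account it runs as can destroy, and root can destroy everything. Here is an added example (not code from the thread) that makes that blast radius concrete: it walks a directory tree and lists the files with the worm's target extensions that the current user could actually unlink. On Unix, deleting a file needs write and search permission on the containing directory, not on the file itself, and root bypasses the mode bits entirely, so the same tree gives a different answer for root. The extension set (with .xls and .ppt assumed to be the office formats meant by the garbled ".sls"/".ptp"), the sample tree and the helper names are all constructed for this demo.

```python
"""Blast-radius check: which targeted files could a program running as
*this* user delete?

Added example, not code from the thread.  Malicious code can only do what
the account it runs as can do; on Unix, unlinking a file needs write+search
permission on the containing directory (the file's own mode bits do not
matter), and root bypasses all of it.  The extension list and the sample
tree are constructed for the demo.
"""
import os
import shutil
import stat
import tempfile

# Extensions the worm discussed in the thread is reported to delete.
# Assumption: .xls/.ppt are the office formats meant by the garbled list.
TARGET_EXTENSIONS = {".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}


def is_root() -> bool:
    """Root ignores directory mode bits, so its blast radius is everything."""
    return os.geteuid() == 0


def can_delete(path: str) -> bool:
    """True if the current process could unlink `path`."""
    parent = os.path.dirname(path) or "."
    # Unlinking needs write and search (execute) permission on the directory.
    if not os.access(parent, os.W_OK | os.X_OK):
        return False
    # In a sticky directory (like /tmp) you must also own the file or the dir.
    dir_st = os.stat(parent)
    if dir_st.st_mode & stat.S_ISVTX:
        uid = os.geteuid()
        return uid == 0 or os.lstat(path).st_uid == uid or dir_st.st_uid == uid
    return True


def deletable_targets(root: str, exts=TARGET_EXTENSIONS) -> list:
    """Paths (relative to root) with a targeted extension that we could delete."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                if can_delete(full):
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed demo tree: a writable `src` dir and a read-only `archive` dir."""
    root = tempfile.mkdtemp(prefix="blast_radius_")
    layout = {
        "src": ["main.c", "util.cpp", "readme.txt"],
        "archive": ["old.doc", "budget.xls"],
    }
    for sub, names in layout.items():
        os.mkdir(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("placeholder\n")
    # r-x only: a non-root user cannot unlink anything inside `archive`.
    os.chmod(os.path.join(root, "archive"), 0o555)
    return root


def cleanup(root: str) -> None:
    """Restore write permission so the demo tree can be removed."""
    os.chmod(os.path.join(root, "archive"), 0o755)
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_sample_tree()
    print("uid", os.geteuid(), "could delete:", deletable_targets(demo))
    cleanup(demo)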
I see a lot of Windows users and defenders claiming that if Linux dominated the corporate desktop, the virus situation would be no better than it is for Windows now. I think this is fallacious, not to say FUD. Here's why:
1. The majority of Linux software is free (speech) software, which means that it has a lot of eyes looking at it for bugs. Further, it's also free (beer) software, meaning that its developers are less likely to be under pressure to ship a product which is not up to professionally dignified standards. Hence, fewer security holes get into released (non-beta) products.
2. Because the software is free, and because of packaging systems like Debian's APT which make upgrading easy, it is easy for users of Linux-based OSes to keep current. Further, because of freedom and an Internet-centric distribution model, developers can release patches quicker. This means that once a security hole is found, it has a shorter "useful life" to a cracker.
3. Because the Linux security model is more paranoid than Windows's, a Linux-based worm needs to actually exploit a security *hole*, i.e. *bug*, rather than using the inherent misdesigns of the system in the way Melissa does. (Read the Melissa source, if you can find it. It does not use any buffer overruns or other holes; it uses *only* standard APIs in standard ways.)
4. Finally, if Linux-based systems become established on the corporate desktop, they will come with a change in culture. Like any artifact, Windows exemplifies and reinforces certain philosophies, ideas, and cultural roles. Linux-based OSes follow different ones. While I can't promise (nor even expect) that Linux dominance would come with radically greater user empowerment and desire on the part of the user to *learn* rather than to *fear* the system, I can only hope that it would teach the users *something*. Not to run untrusted executables, maybe?
I work for a hospital. Do we cause people to get sick when revenues go down? That's the dumbest conspiracy...
And yet the Department of Justice still needs to prove that Microsoft's business practices are harming consumers?
Sure, viruses can be (and are) written for Unix systems; just like Windows viruses, they prey on weaknesses in the system caused by software bugs or poor administration. The difference is that the typical owner of a Unix box tends to be more knowledgeable about security than the typical owner of a Windows system, and Unix tends to have fewer security holes than Windows by virtue of having a better-developed permissions system and by having been around longer.
It's not fair to say that a ten-line script can infect a Unix system -- the mere fact that there is such a wide range of flavors of Unix available is enough to guarantee that a single ten-line script won't work on more than a small percentage of Unix systems out there. Besides, with Linux, holes are patched and patches are distributed as quickly as they're found -- often within hours of the discovery of a security hole.
If there were as many flavors of Windows as there were of Unix, if Windows vendors had to continually compete to make their systems faster and leaner and more stable and more secure, I guarantee you that you wouldn't see viruses and trojan horses such as this one proliferate nearly as much.
"ExploreZip is known as a worm, not a virus, because it can't replicate itself. Computer viruses such as Melissa, which appeared in March, are written with the capability to reproduce through automation."
The appropriate Hacker's Dictionary sections:
Virus
"Unlike a {worm}, a virus cannot infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends (see {SEX})."
Worm
"A program that propagates itself over a network, reproducing itself as it goes. Compare {virus}. Nowadays the term has negative connotations, as it is assumed that only {cracker}s write worms."
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Maybe he actually thought he could hit the Microsoft campus. I could see the headline "XYZ virus destroys Windows 2000!".
Why didn't Mitnick do the same to Solaris?
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
I remember a writeup of the Melissa virus in a decidedly non-techie UK Sunday paper, which hit the nail on the head saying "In computing as well as in biology, monocultures are a bad thing"
I'm wondering why the authors of these type of attacks bother with all of the social engineering that they do. They bother to name the file Zip_files.exe, and tell the (l)user that "these are the files you requested", etc.
I'm wondering why they waste all that effort.
Just name the file molest_my_hard_drive.exe and put in the message:
Please open this file. I'm an aspiring virus writing script kiddie and really want this to get spread far and wide so that I can get arrested. It would really help my self esteem, and might even make me feel 31337. Don't forget to let it run for a few hours before calling your MIS department.
I guarantee that it would have the exact same effect.
I always recommend that UNIX/Linux folk read the IDG book, 'The Unix-Hater's Handbook', for a scathing discussion of UNIX's security model. Lots and lots of the comments apply mainly to UNIX circa 1991 and are obviated by things like Perl, Python, and Java, but there's a lot there that will improve your perspective on things.
For all that Microsoft made mistakes in NT, and for all that NT has had less time to mature than UNIX has, and for all the times that Microsoft acts like the company that brought CP/M and single-user computing generally to the masses, elements of the NT security model are actually superior to the stock UNIX model in many ways, the lack of a necessarily all-powerful root account and setuid scripts/files being one of them.
The biggest protection Linux has from viruses is that it is not an effective monoculture the way that Windows/Office is, and that there isn't the rampant cross-application integration/incest that Windows depends on.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
It might be interesting to read this.
It seems that the virus is also found in mails from some engineers from Microsoft, which might mean that this virus is constructed to hit Microsoft's source.
I'm not such a conspiracy believer, but this could explain why this virus is explicitly hitting code files, which is not anything normal Windows users would have a lot of on their disks.
"This will stop when people quit using a worthless excuse for an OS like Windows, and probably not before... :\"
Keep in mind that the original research of virii was done on IBM and Honeywell mainframes. Despite the generally high level of security on those systems, the researchers doing the work did manage to write virii (probably would be called worms today) that successfully infected their targets.
It happens today that the vast majority of computers in use are Wintel, and for a number of reasons which I am sure you can fill in the bad guys therefore focus most of their efforts on Wintel. And indeed, Win(x) does have serious vulnerabilities. But if the bad guys ever turn their focus to Linux/*nix, then you will see more Linux/*nix attacks of this type. Perhaps fewer will make it into distribution, perhaps fewer will succeed. But if so the ones that do make it will be that much more destructive.
Disagree if you wish, but before turning on the flamethrower remember that arrogance is the surest path to a security breach.
sPh
You know that the typical user will just run everything they get.
You know that they will click the OK button without reading the dialog boxes.
These points have been demonstrated over and over again. They cannot be disputed.
So you should set the defaults so that they don't get a chance to run the executable unless they have specifically enabled that ability. And you shouldn't prompt them to change that default. If they don't know that they can change it, and they don't know how to go about changing it, it should stay turned off.
The people who want to use it can then turn it on, and the rest of the lusers won't be hurt by this feature that they aren't using anyway.
Why should you do this? Because your credibility is on the line. Because the world is watching MS products delete user files, and they don't find it very funny. They aren't going to care that the users all pressed the okay button. They are going to ask why it was so easy. And if there is a way to turn off that warning, if users can say they didn't get that warning this time, it will be worse.
Take a clue from something simple like the setup/config for pine. You have to turn things on if you want to use them. If you don't know to look at the setup/config you might never know about them. Until they are turned on, you are never prompted for them. They just aren't there.
Does anyone know how to filter out .exe attachments in sendmail? Are there any other extensions that should be filtered out besides .exe, .com, .bat?
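The question above, and tOdd's earlier one about a sendmail-side matcher that strips suspect attachments and reports them to the admin, both come down to the same filter. Here is an added example (not code from the thread, from sendmail, or from amavis) that does the mail-side half of it with only the Python standard library: it parses a MIME message, drops attachments whose extension is on a block list, also drops any attachment whose content starts with the "MZ" signature that DOS/Windows executables carry (so an .exe renamed to .txt does not slip through an extension-only check), records what was removed in an audit header, and builds the notice for the admin. Assumed: the MTA hands the raw message to the script on stdin and delivers what comes out on stdout; the block list beyond .exe/.com/.bat, the postmaster address and the sample message are constructed for the demo.

```python
"""Strip Windows executables from an inbound MIME message before delivery.

Added example, not code from the thread or from sendmail/amavis.  Assumes
the MTA hands the raw message to this script on stdin (procmail/amavis
style hook) and delivers what is printed on stdout; the sample message,
the extension list and the admin address are constructed for the demo.
"""
import email
import sys
from email import policy
from email.message import EmailMessage

# The extensions asked about in the thread (.exe .com .bat) plus other
# Windows-executable types; assumption: tune this for your site.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs"}

# DOS/Windows executables start with the "MZ" signature.  Checking it catches
# an executable that was renamed to dodge an extension-only filter.
EXECUTABLE_MAGIC = b"MZ"


def is_blocked(part) -> bool:
    """True if this leaf MIME part is an attachment we refuse to deliver."""
    filename = part.get_filename() or ""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return True
    # Inline text bodies are never executables; skip the magic check.
    if not filename and part.get_content_maintype() == "text":
        return False
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(EXECUTABLE_MAGIC)


def _prune(container, removed):
    """Recursively drop blocked leaves from a multipart container (in place)."""
    kept = []
    for part in container.get_payload():
        if part.is_multipart():
            _prune(part, removed)
            kept.append(part)
        elif is_blocked(part):
            removed.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    container.set_payload(kept)


def strip_attachments(raw: bytes):
    """Parse raw RFC 5322 bytes; return (cleaned message, names removed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if msg.is_multipart():
        _prune(msg, removed)
    if removed:
        # Leave an audit trail in the delivered copy.
        msg["X-Stripped-Attachments"] = ", ".join(removed)
    return msg, removed


def admin_notice(msg, removed, admin="postmaster@example.org") -> EmailMessage:
    """Build the report for the admin (handing it to the MTA is the caller's job)."""
    note = EmailMessage()
    note["To"] = admin
    note["Subject"] = f"Stripped {len(removed)} attachment(s) from {msg['From']}"
    note.set_content(
        f"From: {msg['From']}\nSubject: {msg['Subject']}\n"
        f"Removed: {', '.join(removed)}\n"
    )
    return note


def build_sample() -> bytes:
    """Constructed inbound message (not a real capture) with three attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "user@example.org"
    m["Subject"] = "take a look at these zip files"
    m.set_content("The files you asked for are attached.")
    fake_exe = b"MZ" + b"\x00" * 30  # constructed stub, not a real binary
    m.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                     filename="zipped_files.exe")        # caught by extension
    m.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                     filename="zipped_files.txt")        # caught by MZ signature
    m.add_attachment("meeting notes", filename="notes.txt")  # must survive
    return m.as_bytes()


if __name__ == "__main__":
    raw = sys.stdin.buffer.read() if not sys.stdin.isatty() else build_sample()
    cleaned, gone = strip_attachments(raw)
    sys.stdout.buffer.write(cleaned.as_bytes())
    if gone:
        sys.stderr.write(admin_notice(cleaned, gone).as_string())
```

Run it with no stdin to see the constructed sample pass through: the two executables are stripped and recorded in X-Stripped-Attachments, notes.txt is delivered. The signature check is the part worth keeping even if you change the extension list, since a renamed executable is the cheapest way around a name-based filter; the admin notice deliberately carries only names and headers, not the stripped payload, so the report itself cannot be double-clicked.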
Actually, the ten line script I was talking about DID self-propagate. It was designed to hide itself in one of the system rc.* files, and work surreptitiously. Part of the execution from within the host file (which would have been run with root permissions) made for propagation to other machines.
I always get a chuckle out of these stories; to me, viruses represent one of the prime deficiencies in Windows design (or lack thereof) and a capital argument for holding a company responsible for its product flaws.
I have read, however, that viruses can in fact be written for UNIX platforms, and have actually read a ten-line example script to show how it could be done. This in spite of the security structures built into UNIX's multi-user environment. It was rather frightening. There's not a whole lot of literature on this subject that is easily found; what do Slashdotters know about it?
It's an executable.
agree
hany
maybe.
MSO2000 supposedly contains new "features" to exploit too.
p.s.: if something is supposed to correct a broken thing, i do not call it a feature but a bug-fix or patch or update. so you better say "... supposedly contains patches to macro-virus hole."
hany
i just want to add that running untrusted executables is maybe common among windows users BUT it's silly/bad/dangerous/.... are those people handling EACH piece of mail like that? i.e. they receive something which says "run me" so they run it (they want to make their job faster, ...). so if they receive something saying "do not read me and sign me" will they do that (skip reading what they are signing just to perform it quicker)???
some things can't be optimised for speed because something else is more important (like eating - you have to eat good stuff and have time to eat it; making children - it's not just fuck, it's up-bringing too; lending a lot of money - you can make it quick, but then you can lose it; backing up your work - you can make it quick and not check, but then you can damage/destroy all your work; ...)
hany
same applies to nature: nature is maintaining variety even among same kinds to minimise effects of disasters.
when will people realize that?
unification leads to great risks (i.e. high eventuality of one disaster destroying everything).
hany
but those file permissions are set the way that almost everyone can write/delete everything (at least by default, but if you take the time and correct this i would like to know which apps keep running).
hany
what you write is a refinement: not only outlook users can be affected but anybody reading e-mails on a windows system.
hany
but IMHO for a long time we will still be using the Internet without that, so some middle solution would be appreciated.
i think this middle solution is education: teach the people that running untrusted code is like signing something they did not read.
and some sand boxes for such code would be nice too.
hany
/ - everyone change (at least annoying while anybody can make a mess in the root directory)
/winnt - everyone full access (-"-)
/winnt/explorer.exe - everyone read (uff, at least something)
/winnt/notepad.exe - everyone full access
/winnt/system/system.drv - everyone full access (that's driver, isn't it?)
/winnt/system32/format.exe - everyone read (OK)
/winnt/system32/ipconfig.exe - everyone change
/winnt/system32/setup.exe - everyone change
/winnt/system32/user.exe - everyone change
/winnt/system32/winlogon.exe - everyone read (OK)
/program files - everyone full access (somebody can "spoof" apps - upload trojan here and others thinks it's regular app installed by admin)
/program files/microsoft office/.../winword.exe - everyone full access (huh?!)
i'm not an expert on NT security (or security as a whole) but after a very quick search through c:\ i found a few programs i can change/modify and wait 'till an admin (or user with admin rights) executes them (some .drv, winword.exe, setup.exe, ipconfig.exe, ...). and do not forget that a LOT of NT users have admin rights because without them it is a pain-in-the-ass to use them
those are not holes but DOORS!
of course only if i do not know about all those GET_ADMIN utilities :)
hany
Yeah, not counting MS Office macro virii which are pretty much cross platform (although they can rarely cope with the Mac as there are different files located in different places....) there are somewhere between 30 - 50 Mac virii since 1984, IIRC.
Most of those don't work anymore either, as they exploited holes in System 6, and most of that code was rewritten when they made System 7. Thank god for the Blue Meanies, eh? heh
We *have* been getting a pretty nasty one called AutoStart recently. Apple foolishly set up an option in QuickTime 3 by which a program on a CD will automatically run when the disc mounts. The option is on by default, and you're in little danger of picking up this worm with it off, but that's really the nastiest thing in the past year or two. We've gone for several years at a time with no new virii at all.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
| Fairly clear what that CNN reported recognises ... never mind that it might
:)
| as valuable data
| actually delete something valuable like source
For most people, Excel files, Word files, etc. *are* the valuable data. If you're not a programming shop, you'd likely not give a rat's ass about C source files. On a Windows box, you'd probably not even have any.
-- Rick
It's not the user's fault either. NT needs a facility for granting administrative privileges on a temporary basis without requiring the user to log out first.
I think it's /etc/mail/aliases to configure that, but I could be wrong.
You'd best read your root mail somehow - cron misfunctions, or people warning you about problems with your system, are often things you don't want to ignore.
Unix users seem to have a sense of invincibility based on Unix's invulnerability to boot sector viruses, floppy viruses, and similar things that require a simple OS kernel and an "every user is root" security model.
That invulnerability doesn't apply to worms (like this, like Melissa). All you need for a worm to work is a homogeneous network environment to infect and an exploit to use for the infection. Maybe Unix users are really more savvy and won't fall for trojan horses (the easy "exploit"), but there was a worm created that spread via the imapd hole last year, and any similar exploit allowing so much as a "nobody" shell to be opened on your system could be used for the same purposes.
Do you know what services are running on your Linux box, and have you shut down the ones you don't need? Do you subscribe to bugtraq, redhat-watch-list, or whatever security mailing list is kept up for your distribution?
These were good ideas before, to prevent single crack attempts when exploits were found. Now they're much more important good ideas, as any cracker above the "script kiddie" level is going to be using self-propagating code to start forest fires of attacks.
Maybe the majority of those attacks will be stupid "email attachment" worms like those currently plaguing Windows, and thus incapable of harming system files... but if someone exploits the backticks in /etc/mailcap to delete $HOME, how much better are you going to feel because /usr was untouchable?
For school & work Linux systems I created a preconfigured freshrpms package which includes a cron job to regularly check the redhat errata, download any updated packages, and mail root when something new appears. It's a step in the right direction - Linux is a secure system because bugs are so quickly found and fixed, but it won't be publicly perceived as a secure system if security-unconscious newbies never see or apply those fixes.
ExploreZip is an executable. Melissa was a macro. This worm will work on a system that doesn't have MS Office; Melissa won't.
Not to be overly pedantic, but isn't an executable file technically a macro for execution on an x86 Von Neumann virtual machine? It just has less levels of indirection. :) (I'm using 'virtual machine' in the pure CS sense, i.e. anything which can take in instructions and perform actions based on them.)
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
Postulate a bogus user 'sandbox', with no login password. You can run an untrusted exe safely as follows:
su - sandbox -c untrusted_exe
It can't touch your files, and it most certainly can't take down your system. On the downside, I don't see a way of letting it open windows in X without compromising security.
Any ideas?
Steve 'Nephtes' Freeland | Okay, so maybe I'm a tiny itty
on a personal workstation, system files are the least important thing on it.
This goes against my experience in large "Microsoft" shops. Users always kept important documents backed up on diskette or network server (which was backed up at least weekly).
The real problems happened when workstations crashed because of failed hard drives or virii. It took hours or days to get them back to a workable situation. Of course this is coming from the perspective of a support tech. We would always tell a user to back up data because a HD always seems to crash at the worst possible time.
Documents and important data can be backed up. System files usually aren't.
> Linux (and UNIX) is inherently more secure than Windows
wrong! they only protect the user from damaging the system but not their own stupidity. users can just as easily accidentally delete their own files under linux as they could under windows. your argument doesn't hold water because you don't seem to truly understand the problem.
Ouch! I guess this hit where it really hurts. You don't honestly expect us to believe Windows is as secure as UNIX...
I'd just like to point out that even with NT's vaunted "security", users are still "super users" most of the time, with (by default) FULL write access to %systemroot% and %systemroot%\system32.
Moreover, admins cannot make the system data read-only, since so many brain dead windoze apps want to write user data in the system area.
Micros~1 Windows is FUCKED.
So the virus will screw them too.
support gun control: take guns from cops
There is no concept of this in windows and this problem will only get worse.
It is very important for people to realize that for Micros~1 to solve this they would break ALL windows applications (including their own) - hence they will never fix it. Hence windows will always have this problem. It cannot be fixed.
Unix's security problems tend to revolve around its "openness", whereas windows security problems tend to underscore its inherently stupid and single user design. At least unix is fixable. Windows is not.
support gun control: take guns from cops
Sorry, but if someone doesn't keep backups of the stuff and store her/his programs in RCS, CVS, or some such, it's about time for a virus to hit the HD.
Chilli
-=- Just a random lambda hacker
The report I read on wired also mentioned that it deletes files matching *.c *.cpp *.h and *.asm.
There is no honor amongst virus authors.
Well at least my Java, Perl and Prolog source are safe (not that I have any on a MICROS~1 machine).
I've seen a lot of comments here comparing this new worm to Melissa. THEY AREN'T THE SAME. The only thing the two have in common is the method of propagation: looking through the inbox or address book for email addresses.
ExploreZip is an executable. Melissa was a macro. This worm will work on a system that doesn't have MS Office; Melissa won't.
While I don't like MS Office's security problems any more than the next person, it is not to blame for this attack.
Regards,
-scott
At minimum, I do a thorough skimming and grepping before I kick off ./configure. Something insanely huge like gcc, I obviously couldn't do the whole thing, but I try to get a good look, and grep for exec() and system() at least.
There are a lot of folks who are even more paranoid than I, certainly about particular packages -- i.e. ones that they have some interest in developing.
So, while I suspect the majority of people do not in fact look at the source of the OSS app they install, it doesn't really matter; compared to CSS, there are AT LEAST several hundred times more people scrutinizing the source code, a good number of which are not affiliated with the original author. That increases my comfort level a lot.
So what if OSS doesn't reach 100% eyeball utilization? The fact is that compared to any other approach, OSS consistently gets the maximum number of eyeballs, period.
That being said, I do strongly encourage those that aren't reading source already but can to take more of an interest in the security of your system. Take the time to peruse the source you download. It benefits us all, and it's often a good opportunity to learn all kinds of things, too!
---
DNA just wants to be free...
Run a nested X server as the sandbox user.
---
DNA just wants to be free...
Yes, I know this is stupid and immature, but I just have to say it:
;)
ha ha!
Now if you'll excuse me I'll get back to coding under Linux
The reason Morris' worm was so effective is that it was released in an effectively mono-cultured environment. The Windows viruses and security holes of today are testament to the fact that source code access != system access. Rather, it's more like "if all the systems are the same, I only need to crack one to crack them all."
The primary bug that Morris' worm relied on, if I recall correctly, was a buffer overrun in the VAX version of finger, not in SENDMAIL. The finger daemon effectively did a system("/bin/finger luser") to get the local user's finger info, and the worm overwrote the /bin/finger bit with his own commands. (I think it just called "/bin/sh".) Since the finger daemon called this command with the network connection hooked to stdin and stdout, it could easily download itself to the new machine once it had a shell prompt.
From what I recall (though I could be recalling incorrectly), most accounts of Morris' worm development note that its development was more of an intellectual curiosity than a malicious "Gee, let's take down ARPANET today."
There are plenty of Unix-related trojan horses and exploits out there, and as Unix-based and Linux-based platforms become more common, we are likely to see a surge in the number of Unix-related viruses going around. But, since Unix and Linux still have a very large, diverse application base (rather than one dominant "Office Suite" that might as well be burned on the CD with the OS), the idea that a single VBScript prank like Melissa* and her friends could take down a whole corporation's email in an hour or two seems absurd. (After all, how are you going to infect vi, emacs, WordPerfect, etc. etc. etc...)
Also, there's the small fact that with the source code in-hand for the affected programs, the fix can be put together in those same couple of hours and deployed over the following couple days, rather than the virus making headlines on CNN for a week.
(* Note: No offense to the lovely ladies of the world named Melissa. It's a pity there's a virus that shares your name. :-) )
--Joe--
Program Intellivision!
And not so evil to go for harmless users just doing their work like they get paid to do?
Many people use programs that won't run on non windows operating systems. And no one wants to boot into another OS just so they can use 1 program. 'Get a different program' you say? No can do. All of the researchers here use software for data analysis and information management that isn't available for anything except windows.
Windows is secure enough for simple office environments if precautions are used. Antivirus programs, user education, backups in case something does happen, etc. Linux, as good as it may be, is only as secure as it is set up to be. And most setups are not secure. So, even with linux, the users are back in the same position. More weight should fall onto the shoulders of the IT workers and admins for not securing their network. I admin a very small, 30 computer network and I tell my users that if they aren't sure about an attachment or they didn't request a file from someone to contact me immediately. Antivirus programs are set up on all computers as well as the server and there are daily backups. That has been enough to keep anything bad out so far.
In the end, user education on safe computing is key to any effective security policy.
I work for a medical research place. So, would you consider it to be funny if a researcher was set back in important research because they happen to use ms office? They're doctors, not techs. I don't consider anyone who destroys data to be 'doing us all a favor'. The guy is an asshole, plain and simple.
Something funny to do would be to delete ms office itself, not the associated files.
Why do so many of you feel the need to laugh at the ms office users and defend the virus writer? Most people in an office environment have no computer experience beyond doing normal office work. They're not educated by their IT department on the dangers of opening attachments. They just want to do their work so they can feed and clothe their kids. I don't think it's funny or cool that some guy wrote a virus that will destroy the work of others. Would you like it if mechanics started kicking your windows in and slashing your tires because you don't know how to overhaul your engine? After all, you're not elite and smart in the ways of cars, so you have no right to be driving.
Just because someone doesn't know what you consider to be common sense isn't a reason to hurt them. New users need to be educated and computer security policies need to be implemented. It's not the users' fault that they use MS Office. It's what they were told to use, so they happily use it, unaware of the bugs in it. And they don't care. They just want to finish up a presentation or a word document and get on with their lives. Not everyone's life revolves around computers. Some people work away from monitors for long periods of time.
Or, to put it another way, if you ask me 20 times a day "Are you SURE you want to do that?", the 21st time, I'll click YES before I've even read the message. Even if this was the one case in which I was making a mistake. ahh... but ... the same might be said of "rm -i" or just "rm" ... does all good learning have to be by burning oneself?
There are macro-enabled suites on Linux (e.g. StarOffice and WordPerfect) - however, apart from the smaller market share, there are 2 reasons why Office macros are so prevalent:
1. Office bundles the macros with the document - rather than a separate macro file, which I know some competing suites use.
2. Office enables the AutoStart macro by default - without this, macro viruses would simply not exist, and businesses could still use other types of macro safely.
I wouldn't say he was doing a favor; from those extensions, it looks like he is targeting office workers, students, and developers. probably an antisocial person who feels like striking back at those he thinks are 'repressing' him, in a most juvenile way. swords + war (literary device, not literal) don't make lasting friends.
Linux (and UNIX) is inherently more secure than Windows and can do a much better job of protecting the user from his or her own stupidity.
i wouldn't say that, more like '.. better job of protecting the system from the user's own stupidity'. if an idiot user runs a trojan, it can delete all their files. but unless they have 'root' it can't affect the system files, so in the end, just the user's files are affected.
for anyone not subscribed to bugtraq, there was an interesting post that included a bit more info than the news articles seem to have:
http://www.geek-girl.com/bugtraq/1999_2/0710.html
The username and password changing every few minutes is most likely via a product called "secureID" which if used correctly is near uncrackable... but most people who use them write down their l/p on paper right next to the secureID client and thus destroy any benefit.
The system is basically composed of a pager-type tool that the dial-up users carry which has a numeric display on it that changes at the same time it changes on the server side. Then when they dial up they need their normal l/p + the secureID number. It's a nice system.
It would seem that Microsoft got hit really hard.
:)
I can't even get into HoTMaiL at the moment (yeah sue me, we're firewalled badly at work).
All it says is it could not validate my login.
I somewhat doubt I've mistyped that login 4 times so far.
Even if they are taking precautions, this garbage is starting to get annoying.
Cute.
My IS loves M$ products too. Maybe this will make them think.... Naaww, now they will finally invest in a better Anti-Virus system. Probably McAfee. Blech!
If you think the discussion is over because root is sacred, you should look into how these kinds of viri work.
In an NT system, the virus can only delete the files for which the user has write access. There is no compromise of "system" security.
The fault lies with poor design on Microsoft's part. The fact that there is no Linux equivalent only proves that no one has a macro-enabled Office suite running on Linux.
Well - look out - here comes Corel Office. Can you execute malicious viruses there? Nobody really knows because they only have like 2% of the market. Although, it might be worth it to someone to teach Linux users a lesson or two.
--
Business. Numbers. Money. People. Computer World.
Office 2000 (released just now) supposedly contains features which prevent Macro viruses. Perhaps this was unleashed by some unnamed party to speed up Office 2000 deployment.
(All of you paranoid Microsoft haters should feel ashamed that you didn't think of that first!)
--
Business. Numbers. Money. People. Computer World.
Find an NT box and look at the stock permissions. There's holes for sure, but your post is largely FUD.
--
Business. Numbers. Money. People. Computer World.
The point needs to be made somehow. You are arguing the elitists' case for us: "They're not educated by their IT department on the dangers of opening attachments." What better way to educate them than to expose their ignorance--maybe both user and sysadmin will learn from the experience.
It's not okay for mechanics to start kicking windows out (unless they are MS Windows) but it shouldn't take more than one break-down on the interstate to teach people to maintain their vehicles properly.
Viruses are not always totally evil and harmful--if it takes a virus outbreak to educate people, then these "viruses" serve an important purpose.
So what did we learn from this little prank?
1. If you value your documents, don't store them on a machine with a Microsoft operating system installed.
2. If you value your documents, don't open attachments, even if they are from people you know.
3. If you value your documents, grit your teeth and LEARN A LITTLE BIT about that $1500 machine in front of you!
You would think with the wasted billions on the military in the past that MAYBE they could have funneled some of that into creating a working OS and communication system. I mean really, it's the military, you would think they could do better than Windows for security. Maybe their own BSD version or something like that. I don't feel very safe knowing my military relies on Windows.
I'm a loner Dottie, a Rebel.
Iomega even makes an automated backup utility for its Zip now. It runs in the background on Windows and will back up chosen directories at intervals you set. I wish more people would use stuff like this.
I'm a loner Dottie, a Rebel.
1. Don't worry about CERT or the FCC, they don't do that sort of thing.
:). Let's just say only a fool taunts the US Government, they may be dumb but man do they have resources.
2. Traffic analysis is not a concern, few who are capable care.
3. If the FBI shows up on Malda's doorstep they are getting the access log, period.
4. Don't be stupid, ie regardless of whether you are posting anonymously or not, don't declare your intention to write the macro virus to end all macro viruses. It's just common sense.
The first point is many people spend far too much time worrying about who is monitoring their traffic when the truth is the people who actually have the resources to do it really don't care.
There's a further point relating to the rash of web page defacements and the FBI but that's even more off-topic
Perhaps an explanation for the inclusion of *.c, *.cpp, and *.asm eh? :)
As much as I am against destruction of anyone's work, oh how it would be dripping with irony.
X apps should be only executable by members of a specific group (such as xusers). This follows for other notoriously insecure groups of apps. You have to carefully screen just what users can run.
If you're smart you could run untrusted apps in a chroot jail but make sure they cannot obtain root within that jail (ie no fscking suid/sgid available).
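A check a practitioner would want before running untrusted programs as a sandbox user inside a chroot jail (the approach of the earlier "su - sandbox" post and this one): an added Python example, not from the thread, that walks a jail directory and reports any setuid or setgid executables. The sample jail is constructed in a temporary directory.

```python
"""Audit a directory tree (e.g. a chroot jail for untrusted programs) for
setuid/setgid files, which would let a jailed program change its privileges.

Added example, not from the thread. Pass the jail root you actually use;
make_sample_jail() builds a constructed jail purely for demonstration.
"""
import os
import stat
import tempfile


def find_setid_files(root):
    """Return sorted jail-relative paths of regular files with setuid or setgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # followlinks=False by default
        for name in files:
            path = os.path.join(dirpath, name)
            # lstat: examine the entry itself, never a symlink target outside the jail
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def make_sample_jail():
    """Constructed jail: one plain binary and one setuid binary under bin/."""
    root = tempfile.mkdtemp(prefix="jail-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name, mode in (("ls", 0o755), ("passwd", 0o4755)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    jail = make_sample_jail()
    print("setuid/setgid files in jail:", find_setid_files(jail))  # ['bin/passwd']
```

Mounting the jail's filesystem with the nosuid option is the belt to this check's braces; the audit tells you what would have mattered had that option been missing.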
Everybody STOP using the same computing platforms.
This sort of thing will always happen as long as one XXX box can be infected the same as any other.
Quite simply, this problem will be solved when people are using Intel x86, Merced, Alpha, M68K, PPC, ARM and every other platform in similar quantities depending on their specific needs. The same binary executables cannot be run on all of these very easily (Yes emulators, yes bytecode, but No, native binary).
It can further be strengthened if everyone does NOT run the same O/S on all these computers. Right now different versions and distributions of Linux are possible (not much different, but it's a start), and *BSD is an alternative.
You can easily see that this leads to the conclusion that distributing binaries for anything will become a nightmare, meaning that distributing the source becomes the only sane way of doing things (with a ./configure ; make ; make install).
You might complain *oh no, everything will be incompatible* but that's what Apple said about others producing their computers and see how successful the IBM style PC is? There are a million different variations for every component, most of which can be used together successfully, and the status quo is that for every component there are a couple of standards one of which most things follow, and generally everything works. It may be a bit of a pain, but this sort of heterogeneity is a good security method.
Computer software should follow this model for maximum security, giving me a real choice of software, but knowing it will work with everything else, and I see this model being slowly being developed.
People have said above that this (worm) could happen to Linux users, but this is not wholly true - maybe all x86 linux users who ran the program could be affected, but for it to work on any other platform, it would have had to be a script, and though people might still run it, it would be possible for others (more sensible ppl) to find out what the script does by being able to look at it, instead of having to blindly run it. (For example, at work I routinely receive random executable files from friends, which do amusing things, which I just run. There is no way for me to tell what a program does without running it, which I'd class as a security flaw.)
I say we need more computing choice.
Not to start any flames, but do you ever wonder if a *nix fan wrote this virus to persuade people away from Windows systems? It's a fucked up thing to do, but I'm sure more than a few admins have started looking at *nixes after the recent flood of Windows-specific viruses...
I asked Rob myself because I made a stupid AC post earlier. The answer was no.
BTW, conspiracy theory #2: Do Symantec and McAfee write viruses to boost up sales? Hmm...
The worm does not send itself to users in the address book as Melissa did, but instead will monitor the inbox of the infected system for incoming mail. Once a message is received, Worm.ExploreZip will then send an auto-reply to the sender of the message with the message above. Clearly, the author of the worm was very unhappy about the last dozen *MAKE MONEY FAST*'s he'd gotten.
Out of the 80K windows viruses out there, how many are open source? I refuse to run any virus unless I can compile it myself.
Gates' Law: Every 18 months, the speed of software halves.
--neil
This afternoon here at the helpdesk of Edwards Air Force Base, the phones and radios were booming with distress from this slick virus. We were there late running through all our buildings checking systems and either telling them they were ok or having the burden of informing them that their Office documents may be gone.
I think it is a good wake up call for the base here too. Many users are told over and over to back up their critical data and they never get it. We have users that keep all their important documents within their email client! We have many users that look at their hard drive as invincible and unfailing. I can't think of how much data I have seen lost from careless handling by users.
In addition, the US military decided last year to standardize on MS Exchange/Outlook as their world-wide email system. We had just finished standardizing the base to Groupwise when the decision was made. I can understand the need for standards but why such a BAD standard? Even the cheesy magazines that blatantly schmooze Microsoft products will admit that Groupwise is a better product -not that that would have prevented this problem. I think this whole incident will force users and managers to think a lot differently about their data and the handling of it.
Reportedly Boeing has shut down their mail servers until they could find a fix. Also hit M$ accordingly. heh, just going to get worse and worse isn't it...
"I have a cunning plan..."
Well, maybe it's not that bad, really. For most users, it's just a matter of going to the Recycle Bin and retrieving them.
That is not correct. From ZDnet...
When executed, the worm searches drives c: thru z: and selects files to destroy by making them zero bytes long, thus wiping out the data.
"I have a cunning plan..."
If Cindy is dumb enough to run executables sent via eMail, she is a fool. Especially if mail headers show it didn't originate from her trusted friend and in fact was forwarded. People must learn these things! I have hope...users have been successfully taught to SAVE before turning off the computer...they can be taught these skills as well.
Blar.
Really people...you've learned (on windows) to save often lest your machine crash and work be lost. So.....backup every day. Are there ZIP drivers for Linux? Hell use floppies and a script to GnuZIP your work directories and dump them to floppies. It is easy when you get in the habit. It is very much worth your while....trust me on this.
Blar.
Um, .c, .cpp and .asm files are hardly Microsoft Office files, unless you happen to have source...
:-)
They are, respectively, C program, C++ program, and assembler program source files. Not nice at all.
But my Java programs are safe
(Oh, and .xls, not .sls, is the usual Excel file extension, but that's probably a typo.)
-- Alastair
The ZDnet Story has more info about it, hopefully CERT will get moving on it soon.
---
Tim Wilde
Sysadmin, Dynamic DNS Network Services
Lockheed Martin got slaughtered by it, their entire mail system got shut down again, just like with Melissa, but I bet it was worse this time because of the malicious aspect. Woohoo. When will this stop?
---
Tim Wilde
Sysadmin, Dynamic DNS Network Services
It is not difficult to see why a good fork-bomb attack preys upon the kernel's multitasking code, thus escaping ulimits. Instead of spending time trying to ensure new processes start, a good attack program will simply attempt to spawn 2 new processes then exit as fast as it can. The program uses very little time as measured by the kernel, while actually forcing the kernel to work furiously on the process starts and stops.
I tried a simple attack like this on my own Linux box and everything came to a halt within a few seconds. There was no possibility of trying to stop the processes since the pid's changed every few milliseconds and it was hard enough to get the machine to do anything else at all. REBOOT!
More relevant to the original topic: As Linux and other OS's enter more into the mainstream, we run the risk of people using it with broken security. Windows, for all its flaws, has some braindead security because of the simple fact that for the most part you can't telnet into it. *nix boxes being run by ignorant users who use only the root password are actually far more vulnerable IMHO. The major Linux distributions need something to keep people from making mistakes like that.
I'd like to see an accurate result of this question. (Rob, if ya reading this???) Frankly, I think many people take logging on with root for granted. I always use a user account.
Studies have shown that far more accidents occur at 6pm than at 6am. Well that's because there are FAR more cars on the road at 6pm.
There are FAR more viruses on Windows based systems because there are FAR more Windows based users. That's just reality, I'm no microsoft wannabe.
Viruses spread easier on Windows systems because of the added convenience of email with attachments, macro capable documents, etc... I will say that Outlook is FAR more powerful than ANY unix based mail client. But with that power comes the ability to abuse it. There's a tradeoff to everything.
And another thing, people seem to think that viruses can't harm Unix systems because of the permissions on system files. Um, get a real job. System files don't mean crap, it's the data that's contained on them that's important. If you lose your system files, big deal, just reinstall them. Data files must be backed up from old copies or in the worst case, months of work are down the drain. The system files aren't important, it's the data. And EVERY user will have permissions to their own data.
Luckily, I'm a coder, and generally I don't have to deal with this sort of thing. However, I have done sysadmin work, and more importantly I've worked with a very experienced admin at a former job, so I have at least an inkling of what you are going thru.
:)
:)
I suggest that this would be a good time to inform users as to how these macro viruses work, and when/how they are harmful. Since they've recently been bitten (or at least have been scared) by a couple viruses, they are probably amenable to hearing about what they should be doing about them.
Namely: don't run executables/view documents that aren't trusted. Sure there's more to it than that, but it's your job to tell them.
It'll probably cut down on the general hysteria, and make your job easier in the future. And, with any luck, give a few folks a clue. BTW, let them know that this wouldn't have happened if they were running *nix (not entirely true, but hey, spread the word, brother)
Hold a departmental meeting, or have someone (technical) in a sufficiently high position call such a meeting. You might be surprised what comes from it.
Mail me your results from the experiment
Up the Irons
The more users Linux will get the more people will write worms or trojan horses for Linux.
We need to:
1)try to improve the security in order to not have obvious security bugs
2)teach users (especially new users, since they will be more and more non-techie) not to open attachments without a confirmation from the sender.
and we must not wait until there is a widespread trojan under Linux to teach them. We must do it now. It also applies to Windows users.
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
From "The Top-Secret Microsoft Plan for World Domination (don't tell the DOJ)":
23.1.7: Application features
Applications that have a lot of features sell better than ones that have few features. However, there is little or no correspondence between the quality of said features and the profitability of an application. Thus, programmers should concentrate on creating many new features as quickly as possible. If the features don't actually work, customers will simply have to avoid using them.
That's "Mr. Soulless Automaton" to you, Bub.
It's been a long standing accusation to all industries that fix stuff - that they break things to make money from fixing them.
We all know the appliance repairman who charges for new parts and then just tightens a nut. However one employee would not gain from releasing a virus.
On that thought, they really wouldn't gain all that much, save from those who don't already own anti-virus software. Because the competition anti-virus vendors would benefit just as much.
Dude, it doesn't just move them to the Recycle Bin. It does a CreateFile with the FILE_TRUNCATE flag and then does a CloseHandle. Net effect? 0 length files. Not only that, but it also seems to go out on the LAN do random IPC connects and delete things on shares that have read/write access. This thing is a nasty little bugger. I had two source files deleted (they were checked out of source control), and that was my only damage. I can assure you there are many developers here who want to draw and quarter the guy who did this.
Haha, microsoft got screwed by their own crap... maybe now they'll fix things...
Opinionated Law Student Strikes Again!
"The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .sls, and .ptp, thereby deleting Microsoft Word, Excel, and PowerPoint files. "
:) Seems pretty evil to go after programmers like that.
Glad I use cc/hh/gas files...
-- Virtual Windows Project
I use the exim MTA, and it has excellent filtering capabilities. I have trapped several melissa and happy99 messages this way. Since the Worm.Explore virus is an email attachment, it must have a mail header with information about the attachment. For example it might have a header like:
Content-description:
... from file 'zipped-files.exe'
I could search the message body for the reported body text, but this is much more time consuming. It would be easy if I could just look at a certain header.
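One way to do the header check the poster is after, as an added example written for this edit rather than code from the thread or from exim: a small C scanner that walks a raw message, looks only at Content-* header lines (and their folded continuations) for name= / filename= parameters, and flags any attachment whose extension is on a block list. The sample message, the block list and the function names are constructed for the example; the attachment name zipped_files.exe is the one reported in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed block list: extensions that should not pass as attachments
 * without a closer look. Extend to taste. */
static const char *const blocked_ext[] = { ".exe", ".com", ".bat", ".vbs", NULL };

/* Case-insensitive search for needle within the first len bytes of hay. */
static const char *ci_find(const char *hay, size_t len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++) {
        size_t j = 0;
        while (j < nl && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == nl) return hay + i;
    }
    return NULL;
}

/* Does s end with suffix, ignoring case? */
static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && ci_find(s + ls - lx, lx, suffix) != NULL;
}

/* Copy a MIME parameter value (p points just past the '='), honouring
 * optional double quotes and otherwise stopping at ';' or whitespace. */
static void copy_param_value(const char *p, char *out, size_t outsz)
{
    size_t n = 0;
    int quoted = (*p == '"');
    if (quoted) p++;
    while (*p && n + 1 < outsz) {
        if (quoted ? (*p == '"') : (*p == ';' || isspace((unsigned char)*p)))
            break;
        out[n++] = *p++;
    }
    out[n] = '\0';
}

/* Walk a raw message line by line. On Content-* header lines and their
 * folded continuations, pull the value of any name= / filename= parameter
 * (searching "name=" also matches the tail of "filename=") and compare its
 * extension with the block list. Body text is never inspected.
 * Returns 1 and fills found[] with the first blocked name, else 0. */
int find_blocked_attachment(const char *msg, char *found, size_t foundsz)
{
    const char *line = msg;
    int in_content_hdr = 0;

    found[0] = '\0';
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len >= 8 && ci_find(line, 8, "Content-") != NULL)
            in_content_hdr = 1;                   /* a new Content-* header */
        else if (!(len > 0 && (line[0] == ' ' || line[0] == '\t')))
            in_content_hdr = 0;                   /* not a folded continuation */

        if (in_content_hdr) {
            const char *m = ci_find(line, len, "name=");
            if (m) {
                copy_param_value(m + 5, found, foundsz);
                for (int i = 0; blocked_ext[i]; i++)
                    if (ends_with_ci(found, blocked_ext[i]))
                        return 1;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    found[0] = '\0';
    return 0;
}

/* Constructed sample in the shape described in the thread: a reply whose
 * only payload is an .exe attachment, with the name parameter on a folded
 * continuation line as real mailers often emit it. */
static const char SAMPLE_MSG[] =
    "From: someone@example.invalid\r\n"
    "Subject: Re: where is the info we requested\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"sep\"\r\n"
    "\r\n"
    "--sep\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Please find the requested files attached.\r\n"
    "--sep\r\n"
    "Content-Type: application/octet-stream;\r\n"
    "\tname=\"zipped_files.exe\"\r\n"
    "Content-Disposition: attachment; filename=\"zipped_files.exe\"\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA\r\n"
    "--sep--\r\n";

int main(void)
{
    char name[128];
    if (find_blocked_attachment(SAMPLE_MSG, name, sizeof name))
        printf("blocked attachment: %s\n", name);
    else
        printf("no blocked attachment\n");
    return 0;
}
```

Matching on the declared file name is the cheap first line of defence an MTA filter can apply; it says nothing about what the bytes actually are, so a scanner that checks content (the MZ header of a Win32 executable, for instance) belongs behind it.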
OK, let the flames begin.
I want to thank whoever wrote the virus as I was infected by this and had my .doc and .xls files zapped. The recovery was easy enough and since I don't use those programs all that much I wasn't a major loser in this.
1. I now have an even greater incentive to get the tape drive I should have gotten long ago to back my system up.
2. I now also have an even greater incentive to De-windows my machines and make the move to Linux. So, I signed up for the Linux Basic Course at TMCC here in Reno that will be given by Jay at Aztech and Sam at USAWorks!, the bigwigs at our local LUG. They've been gently prodding me for long enough now anyway.
I got the virus from someone at one of our military installations and I can only imagine that it's run quite rampantly through the US Federal Government as almost all our government installations use MS exclusively. Whoever wrote that it affected only MS Outlook users was wrong. I don't use Outlook or MSIE, I use NN4.6 and the virus did share the negativity with me. However, it is true that only MS Outlook users can resend it.
Anyway, thanks again, anonymous programmer, you did me a favor.
I'll also add that this book also discusses countermeasures and methods of prevention.
By Monday the newest item on the Linux feature list will be: "It prevents MS Outlook and Office from running."
I am an avid Linux user, at home and work. However, I have no illusions that Linux/Unix security is better at preventing viruses from infecting a machine. According to "A Short Course on Computer Viruses" (see below book info), the smallest virus which only reproduces was a bourne shell script of 8 characters. Though you need about 5 lines for one which will replicate, evolve, do data diddling for damage and work on most Unix systems. I am no expert on viruses, but from what I have read, viruses easily cross user boundaries and security levels. The problem is that no modern OSes have any sort of mechanism to maintain integrity of files. This is usually handled by 3rd party add on applications, like virus scanners, tripwire, etc...
Anyhow, for those of you who wish to read more about viruses, and interesting/sneaky things which can be done with them, check out:
A Short Course On Computer Viruses
Dr. Frederick B. Cohen
ISBN 0-471-00769-2
1. Someone finds a bug in IIS/Win2000 that allows a malformed web request to run arbitrary code delivered by the attacking system.
2. A virus/worm is written that delivers itself to the victim system via this exploit. I imagine a small bit of seed code would exploit a buffer overflow or some such, and would then download the entire package from a web page on the attacking system.
3. The main package runs and sets up a similar web page on the new system, and then starts a process that probes for other NT systems that it can attack.
Something like this could sweep like wildfire through the Internet, taking down every single NT web server. Scary thought. If I were an NT admin, it would keep me up at night.
Now keep in mind that I have no knowledge that such a bug exists, nor am I advocating its exploitation if it does. But given MS's track record with security and the closed source nature of Windows, this kind of thing very well COULD exist.
I think I'll be sticking with Linux.
Thad
The Bolachek Journals
While it is true that this type of attack depends heavily on the unwitting participation of the victim, it is also true that Windows leaves itself much more open to exploitation. At least on a Linux box when Average Joe User runs some malicious code, it does NOT alter core system functionality.
Linux (and UNIX) is inherently more secure than Windows and can do a much better job of protecting the user from his or her own stupidity.
Thad
The Bolachek Journals
On the contrary, I understand the problem all too well. I have administered large networks of Windows PCs and UNIX workstations. With UNIX, the worst the user can do is nuke their own files... then I have to restore them from backups. On a windows PC, they hose the entire OS to the point that it must be reinstalled, along with all of their apps and data. This would happen all too often! The same argument holds true for home systems. In most families I've talked to, there is one person who acts as *system administrator* and the others are just users. I'm the sysadmin for my family (even though it is scattered all over the country), and believe me, I wish they were all running Linux. Windows eats its own head way too easily. I've spent long hours talking relatives through problems that would never occur on Linux.
Thad
The Bolachek Journals
If we were really lucky it would have wiped out all the code for Windows 2000, Office 2000, and the like. But I doubt we were that lucky.
The dangers of using a product of the evil empire.
we lost an NT member server at 1 of our data centers, our entire network and e-mail system have been shut down since 9 o'clock this morning and 20,000 + users have been affected
This kind of mentality is what destroys networks, it isn't really dependent on the OS being used.
cputime -- default unlimited
filesize -- default unlimited
datasize -- default unlimited
stacksize -- default unlimited
coredumpsize -- default unlimited
memoryuse -- default unlimited
descriptors -- default 1024
memorylocked -- default unlimited
maxproc -- default 256
openfiles -- default 1024
I agree, it's a very bad idea for Linux users to crow over this.
All in all, it's probably likely that Unix is a better target for worms simply because it's easier to program for. You got bundles of wonderful file utilities all ready to be glued together maliciously. Probably the only saving grace is that in Linux (as under NT), if you don't log in as root (or a user with admin privs), your operating system can't be infected with a worm.
However your files (which are ultimately more important than the OS) can be deleted and the worm could install itself in your .bashrc or other file that is routinely executed on the user's behalf.
While there is no completely satisfactory fix, other than total paranoia or making the systems unprogrammable for the end user (horrors), I'd suggest that e-mail programs and other programs which receive potentially executable content from a network should be run in a chroot jail, and not be runnable with root privs. It should be easy to gin up wrappers for these applications that do this.
Under this approach, you could wipe the entire sandbox clean, but not affect the real data of the user, until he leaves the e-mail system and moves the content back into his normal work area. The only additional improvement on this scheme I could think of is to actually have the chroot jail on a virtual file system not accessible by normal utilities and applications, this would prevent users from storing files they receive in the chroot jail area but executing them from outside (bad idea). This could be a good application for vmware -- read your e-mail on the virtual machine running in non-persistent disk mode, and ftp the information you want back up to the real machine.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
If the originator was hoping to set back the Win 2K release, he was doubly foolish.
(1) MS no doubt has Win2K source in a source code control system, and in all likelihood code fragments are stored in an RDBMS not directly accessible through file sharing. In that case, even if you could take the RDBMS media down, they could go to a back up and play the transaction logs forward and recover everything up to the last second. I know I manage my source code this way.
(2) MS doesn't need any help in delivering Win 2K late.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
> real problem here is not system files >anyways(sic).
> its(sic) the loss of user data
Yes, but the point that was made was that if the 'system' files are compromised then the entire system, including the data of _all_ users who use that system, is _instantly_ compromised. This is because the system files have special privileges as they are responsible for maintaining the entire system - a virus that can infect these files can bypass all security restrictions on that system.
If a user's data/exes are compromised, then in a *NIX or secured NT box, that user will not have 'rights' to other users' private files, settings, and exes. Therefore even though one user's account is compromised, the other users are not directly affected.
In many cases a user will have their account cleaned before they spread it to another user, especially if there is little sharing of executables between users. Even if the virus does spread, it will spread much slower, possibly giving admins time to eradicate it.
We use GNU/SunOS.
The primary bug that Morris' worm relied on, if I recall correctly, was a buffer overrun in the VAX version of finger ..
Actually, it was the BSD version of fingerd, but the rest is substantially correct. The one lesson that should have been learned from that whole fiasco is that gets() is a function that should never, ever be used; it provides no way to prevent a malicious program from overwriting its input buffer. Of all of the functions in the standard C library, gets() is probably the only one that can be blamed for billions of US dollars in collective damage over the years. It was certainly the primary culprit in the Morris worm.
It's interesting to note, however, that you still see books and even production code making use of gets(), and therefore encouraging its use! This must be stamped out immediately. Therefore, if you use gets() in production code, especially in mission-critical production code that's supposed to be secure, you are an utter, drooling imbecile. A decade after the Worm, you'd think there would have been some lessons learned, but as Heinlein wrote: "History teaches us that we learn nothing from history."
We're going down, in a spiral to the ground
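The bounded replacement for gets() that the post above calls for, as an added example (my own code, not from the thread): gets() takes no length and so writes whatever the line holds into the caller's buffer, whereas fgets() stops at size-1 bytes. The wrapper below also handles the two things fgets() leaves to the caller, stripping the newline and draining an over-long line so the next read starts on the next line rather than on the leftover bytes. The function and enum names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of reading one line into a fixed-size buffer. */
enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Read one line from `in` into buf[size]. Always NUL-terminates, never
 * stores more than size-1 characters, strips the trailing newline, and if
 * the line did not fit, discards the remainder and reports LINE_TRUNCATED
 * so the caller can reject the input instead of silently using part of it. */
int read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0) return LINE_EOF;
    if (fgets(buf, (int)size, in) == NULL) {     /* EOF or read error */
        buf[0] = '\0';
        return LINE_EOF;
    }

    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {           /* whole line fit */
        buf[n - 1] = '\0';
        return LINE_OK;
    }

    /* No newline stored: either the file ended without one, or the line
     * was longer than the buffer. Peek one character to tell them apart
     * and, in the second case, drain the rest of the line. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return LINE_OK;   /* fit exactly, nothing lost */
    do {
        c = fgetc(in);
    } while (c != EOF && c != '\n');
    return LINE_TRUNCATED;
}

/* Stand-alone use: echo stdin line by line, marking anything cut short. */
int main(void)
{
    char buf[64];
    int st;
    while ((st = read_line(buf, sizeof buf, stdin)) != LINE_EOF)
        printf("%s%s\n", buf, st == LINE_TRUNCATED ? " [truncated]" : "");
    return 0;
}
```

Treat LINE_TRUNCATED as an error in anything network-facing: a line longer than the protocol allows is either a broken peer or a probe, and a parser that quietly keeps the first part of it can be steered by the sender.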
A couple of people in my office just got bopped by this today. It also nukes files on network drives that are mapped on the target computer, which included a couple of our important file servers...
----------Forwarded message--------------
From: Simple Nomad
I'm in the process of cleanup - my day job employer got hit, and we're NT
with no 95/98 to speak of. Here are some interesting tidbits that I
haven't seen on some of the commercial Anti-Virus web sites regarding NT.
Payload:
- The trojan can come into any email client, obviously. If executed, it
will proceed to go active in memory. In other words, you do not need
Outlook for the Payload to activate, just a Win32 machine. A Notes mail
client user probably did the most damage in our environment to network NT
file servers.
- It will have a process running called _setup.exe, zipped_f.exe, and
possibly explore.exe.
- One of our users reported seeing explore.exe running as an application,
although I wasn't able to confirm this.
- It deletes files with *.h, *.c, *.cpp, *.asm, *.doc, *.xls, and *.ppt
extensions on all drives (C through Z) that are currently mapped.
- Every few minutes it will repeat the deletion process. This is
particularly nasty if you are trying to do restores to network drives
while the virus is still active in your environment.
Propagation:
- On the Melissa-style method of propagation, it checks the user's Inbox
in Outlook. The Outlook client does not have to be running, as the trojan
uses MAPI calls.
- Propagation is triggered by the arrival of a new message into the
Outlook's Inbox.
- Once triggered, the virus takes the first two names in the header and
uses them to plug into the text of the message. If more than one user name
is in the message header (possible if you are using distribution lists or
role-based mail boxes that forward mail to multiple people) it is possible
the names will not be in the correct order. Also if you use Lastname,
Firstname as a naming convention you will get Lastname, plugged into the
messages.
- It creates the message with the names and attaches the trojan, naming it
zipped_files.exe with the happy message as reported on most Anti-Virus
vendor sites.
- In other words, you send an email to billg@microsoft.com with a subject
of Microsoft Sucks, he's infected and his machine is up and running, you
will get a reply with a subject of Re: Microsoft Sucks with the
attachment. I mean he says he'll get back with you and to read the
attached zipped docs, and you being Joe/Josey corporate user check it out.
False message saying it's a corrupt zip, blah, blah, blah, and now you're
sending out trojans.
We got hit when email was sent to some engineers at Microsoft, and the
reply came back with the trojan. The nature of the email sent to Microsoft
was "where is the info we requested" so it seemed natural that the
attachment was supposed to be a self-extracting zip. That's right,
Microsoft got hit, so I would guess a few source code files and Office
docs were wiped. Hopefully as Microsoft starts the slow process of
restoring Office docs and source code (!) they will discover what the
rest of us have known all along -- the security model is less than ideal
(which is, um, an understatement).
Another interesting note, the APIs that the Exchange Anti-Virus vendors
use to scan Exchange mailstores only scan on messages inbound to the
mailstore. This means that outbound messages are not scanned. We had an
affected machine that replied to messages from the Internet with the
trojan attachment as our Exchange outbound goes straight to a Unix machine
on its way to the Internet. Fortunately we had a process running on the
Unix box to catch inbound and outbound email with the attachments named
zipped_files.exe and it was stopped, but this was why we saw our Exchange
AntiVirus *not* catch the message. Why do the Anti-Virus vendors only use
APIs that catch inbound messages? Because that is all Microsoft has given
them. Most of the vendors have really been pressuring Microsoft to release
info about coding to check for outbound messages.
Final tidbits (sorry if this message isn't very coherent, it's late and
I've been up a long time): the trojan was written using Borland Delphi,
and was possibly compiled on April 14, 1999. Obviously the virus writer
got the idea for the propagation method from Melissa, and one can only
wonder what the next worm/trojan/virus will do.
First off, I and a lot of the folks here are software engineers as well, so spare us your sermons from on-high.
Let's face it, how many people use 1/10 of the VBA/MAPI stuff to increase their productivity? I never have and nobody that I know in this field (and I know a lot) has either. The only people that use this stuff are the *virus writers*. But nooooooo, M$ needs an excuse (read "profits") to foist yet another version of their already bloated-to-critical-mass software upon us, so they add these useless "features", change the file formats so they're not backward compatible, and give our management a little song-and-dance about increased productivity. Eventually enough ppl buy the new version and everyone else is forced to do likewise in order to be able to exchange information.
>> Do you all genuinely think that we dismiss fiascos like this with an airy wave of the hand?
I can't speak for everyone else here, but speaking personally, yes I do.
>> If Outlook were ported to Linux...the e-mail servers would have been just as clogged.
Exactly. The bugs that you've injected into your poorly engineered SW could wreak havoc in the Linux/UNIX world as well. Don't do us any favors with a port.
>> The power to cut down a fifty-foot oak is the power to conduct the Texas Chainsaw Massacre as well.
No, what you guys are doing is akin to handing a loaded gun to everyone that walks into a bar and then saying "have fun, but don't shoot anybody".
So the fact is, this isn't about giving "power" to the user, because (the non-virus-writing) user doesn't use the VBA junk anyway. It's about marketing & profits.
Look at the jargon file.
Look up cracker, and then look up hacker.
Enough said.
It is called "Run As User..." and allows regular Users to run Administrative tools on a per-launch basis, allowing them to run Disk Administrator, for instance.
Josh Straub
tookycat@bigfoot.com
All this talk of virus/trojans/etc... has anyone come up with a preventative to a 5 liner fork attack on linux??? I wrote this quickie about 4 years ago, and it took out my system in a flash. I decided that I would try it on my sparc today, and an i386 linux system (both running RH6.0) and it made both systems unusable, requiring a reboot. My AIX box has a limiter (max processes per user, my default is 1000 on my RS6000) to user processes, but I have yet to find a limiter under linux short of plowing through source code.
This is not so much a bug/security glitch, but if you have a malicious user, he/she could take the system out in a snap (read-- no root access required)
Any suggestions appreciated.
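The per-user process limiter the poster is looking for (and the ulimit point raised earlier in the thread), shown from inside a program as an added example that is my own code, not from the thread: setrlimit(2) on RLIMIT_NPROC, after which fork() fails with EAGAIN once the calling user owns that many processes, so a runaway fork loop stalls instead of starving the machine. The function names and the cap of 4096 are my own choices; RLIMIT_NPROC and the rlimit API are the real Linux/BSD interface.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>

/* Read back the current soft process limit. Returns -1 on error and -2 for
 * RLIM_INFINITY so callers can tell "unlimited" from a number. */
long long current_process_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    return rl.rlim_cur == RLIM_INFINITY ? -2 : (long long)rl.rlim_cur;
}

/* Lower the soft RLIMIT_NPROC to `wanted`, clamped to the hard limit (an
 * unprivileged process may lower either limit but can only raise the soft
 * one, and never above the hard one). Only the soft limit is touched, so a
 * shell that inherits it can still raise it again up to the hard limit.
 * Returns the limit now in force, or -1 with errno set. */
long long apply_process_limit(rlim_t wanted)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && wanted > rl.rlim_max)
        wanted = rl.rlim_max;                     /* clamp to the hard limit */
    rl.rlim_cur = wanted;
    if (setrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    return (long long)wanted;
}

int main(void)
{
    long long before = current_process_limit();
    long long now = apply_process_limit(4096);    /* constructed cap */
    if (now < 0) {
        perror("setrlimit(RLIMIT_NPROC)");
        return 1;
    }
    if (before == -2)
        printf("RLIMIT_NPROC soft limit: unlimited -> %lld\n", now);
    else
        printf("RLIMIT_NPROC soft limit: %lld -> %lld\n", before, now);
    /* Anything exec'd from here (a mail client, a shell) inherits the cap. */
    return 0;
}
```

The same cap is set for an interactive session with the bash builtin `ulimit -u N`, and for every login of a user through pam_limits (`nproc` in /etc/security/limits.conf). RLIMIT_NPROC counts processes per real uid, so it does nothing for root and only bites at fork() time: it is a containment measure for the case the poster describes (a hostile or careless unprivileged user), not a substitute for keeping such users off the box.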
Actually, I think that there have been only 1 or 2 MacOS viruses in the last few years. Just because it's easy doesn't mean anyone's going to bother...
I work for one of the many departmental networks around my campus. Unfortunately, they happen to run Windows on all of their client machines. Although I personally have Linux setup on my office machine and my machines at home, the rest of the dept. does not. It just so happens that when one of these annoying macro viruses that M$ Windows is so damn prone to acquiring turns up on our network, I'm the guy that has to fix it. I can't tell you enough how sick I am of these macro viruses. As it turns out, our network is rarely affected by them, but nevertheless, I get a slew of phone calls and emails from scared department employees who just MUST have the latest virus scanner installed so they don't get such viruses. I'm certainly glad that this sort of thing does not affect my own systems... but I know there are many of you who, like me, this affects indirectly.
Just my two pennies.
Mark
Aargh! The CNN article doesn't even mention that only Windows/Outlook users are affected. It's like posting a warning about drowning and not mentioning that it only happens IF YOU'RE HELD UNDER WATER.
I realized the implications of the other file extensions after I posted. However, it's interesting that CNN decided to *ignore* the meanings of those file extensions and focus exclusively on your favorite package and mine, M$ Office. I'm wondering if they just forgot or figured that their audience was too stupid to know what programming was.
-
test
-
"The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .sls, and .ptp, thereby deleting Microsoft Word, Excel, and PowerPoint files."
:)
Okay. Whoever wrote this has a GREAT sense of humor. Besides the fact that it purports itself via address-book resends, much like the Melissa virus, it destroys files associated with M$ Office. It's not fatal; it's not going to crash your OS, it's not going to reformat your hard drive. It just deletes M$ Office files.
Legality be damned, this guy is doing us all a favor
-
This is not the typical reason that virii get through, but I've certainly been cursing micros~1 for THAT design decision today.
Come on people. stop and think about it.
First, the only truly secure computer is the one that's never been turned on, is sealed in a box, and put somewhere unreachable. Meaning, there's no such thing as a completely secure system.
Second, there's that old saw about a pinch of prevention being worth a pound of cure. There are TOO MANY PEOPLE who just click-n-open ANY attachment, without bothering to stop and think. Was I expecting this attachment? Does the tone of the e-mail sound like my friend who it came from?
Third is these damned new-fangled e-mail programs that open stuff FOR the user! Dammit, the dumbing down of everything is REALLY getting on my nerves! (On my *nix box, I use PINE as my reader for now. On my M$ boxes (my wife has one at home, and I have to use one in the office) I use Eudora Pro (latest version) with the "auto-open" crap turned off, and dis-allowing HTML executables.) Can we say "JAVA-bomb?" (Who remembers ANSI bombs? Anyone?)
Finally, there is the wild idea of having decent anti-virus software on both the (corporate) e-mail server AND on the user's client machine.
I'm a Linux user AND a Window$ user. There are things that I like about both. I'm nowhere NEAR the level of knowledge of *nix that I want to be, but I have installed Slackware on a laptop (CPQ, LTE 5000 series) AND had X working on it, so I'm not afraid of this stuff. But, even back in the old BBS days, I had stuff on my computers to try to prevent malicious programs zapping me. To this day, I use preventive medicine, rather than bitching that I got shot for bein' stupid.
None of *my own* computers have ever been infected with a malicious program. Some of the ones that I have WORKED on have gotten popped. But what company that uses M$ progs as its mainstay (Excel and Word, notably) has never had even one macro-virus inside?
Please, quit with the jihad. Train who you can. Help the rest.
Take it easy,
Geordon
It is by caffeine alone I set my mind in motion. It is by the beans of java that thoughts acquire speed, hands acquire
"The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .sls, .ptp, thereby deleting Microsoft Word, Excel, and PowerPoint files."
Fairly clear what that CNN reporter recognises as valuable data ... never mind that it might actually delete something valuable like source ...
"I went to see the pool of wisdom but it was empty. Someone has drained the pool of wisdom." - Todd Jones