Another Windows Macro Virus Wreaks Havoc

Fundimental Problem / monoclonal agriculture by Anonymous Coward · 1999-06-10 19:07 · Score: 2

The fundimental problem here is neither Outlook or Windows per say, but the same problem one finds with monoclonel agriculture. That is, I do not think the same company should produce and force it's single standard version of everything on everyone. Simply put, there should never have been an Outlook group at Microsoft in the first place. Microsoft's own efforts to control the marketplace by leveraging a single code base and it's dominent platform into the application market, and by integrating the OS and applications directly in an often undocumented manner to make competitive products less desirable and making non microsoft solutions difficult to use either from undocumented file formats or undocumented extensions and modifications to commodity protocols, is what makes this possible by locking users into a single and very hetrogeneous environment at all levels from the OS itself to all the applications.

Certainly, a problem like this could occur on any platform. But a problem that only attacks Linux users with Netscape would spread far less even if Linux was 90% of the marketplace because in that Linux is an open and competitive platform for third party products AND distributions, there will never be a single mail client and single distribution for such a virus, worm, or trojan to depend on.

Wrong!!!! by Anonymous Coward · 1999-06-10 07:22 · Score: 3

please reread it. anybody who executes the binary will have files deleted, anybody can recieve it regardless of what mail client they use. it only uses the outlook api to resend itself and most ppl will have the outlook api even if they dont use outlook as their main email client.

Uninformed Linux attack dogs by Anonymous Coward · 1999-06-10 14:18 · Score: 4

I work for Microsoft. I work on Microsoft Outlook. I work on security in Microsoft Outlook. Do you all genuinely think that we dismiss fiascos like this with an airy wave of the hand? That simply is insulting. We are hard working people, and we do give a damn no matter what the guy at the terminal next to you says around bites of his twinkie. Hell, some of our own servers were down today as a precaution against this - you think we take that kind of productivity hit lightly?

I read slashdot because I have immense respect for the geek community and I'm a part of that community. But how do you suppose it feels to know that most of you despise me purely for the name of my company? There are 20,000+ geeks who work for Microsoft. All evil clones?

Let's establish a few hard facts about the "security holes" that allowed Melissa and this worm.

1) In both cases the attack was made through Outlook. In the case of Melissa, the attack was *entirely independent* of the OS. If Outlook were ported to Linux (assuming it could supply our browser needs, which judging from Netscape's half-@$$ attempt at S/MIME I sorely doubt) the e-mail servers would have been just as clogged. In the case of today's worm, the executable could very easily have deleted the user's *.c, etc files outright rather than installing itself somewhere. Why? Because...

2) In both cases the user had to voluntarily *choose* to run the virus with their own permissions. For goodness sake, the email says, "take a look at these zip files" but the attachment is an exe! Only a clod would fall for such as obvious imposture. And if you are such a novice as to run the "zips" we alert you that running unsigned exe's is dangerous as they "may include viruses or scripts". There's a similar warning when Melissa starts its mailings. You have to click OK to proceed. Microsoft can do a lot in the way of security, but we can't cure willful dumbness. The user doesn't read the caution and it's our fault? What do you want us to do? Say it twice?

3) The exploited aspects our our program were not "holes" in the sense that locking up when you receive a malformed packet would be a "hole". Every aspect of these viruses can be and is used in a positive way by people in the field. Face it, some businesses want more out of their e-mail client than plain text and remote calls to vi. Power can always be abused. The power to cut down a fifty-foot oak is the power to conduct the Texas Chainsaw Massacre as well. If somebody you don't know hands you a chainsaw and tells you to hold the blade while you turn it on, and if you do it despite the warning labels, then don't blame the manufacturer when you lose your frickin hand!

It makes me tired to read posts from people who obviously have never even seen Outlook's splash screen let alone written a VBA scriptlet. If you want to use elm, well whatever. But don't pretend you know what you're talking about when you so obviously do not.

Re:Uninformed Linux attack dogs by IntlHarvester · 1999-06-10 21:42 · Score: 2

Or, to put it another way, if you ask me 20 times a day "Are you SURE you want to do that?", the 21st time, I'll click YES before I've even read the message. Even if this was the one case in which I was making a mistake.

Very good point. Outlook gives you the "virus" warning when opening *.TXT and *.JPG files - enough to drive you nuts.

Also, by default with Win 9x/NT, the file extension is not shown (I don't know if this applys to Outlook). All you see is a little WinZip icon. So it's conceivable that a new users could double-click on the icon not knowing it's an executable.

As for this being an Outlook specific virus, my understanding is that (unlike Melissa), it's not. If the uneducated masses (the "clods") started using Linux, they'd be just as suceptable to "Hey - you don't know me, but run this executable!" form of attack.

The fault really falls on the IT department's shoulders for not educating their user base. The only place Outlook comes in is that it's training costs are supposedly lower, and so many companies think they can get away with reducing that to no training at all.
--

--
Business. Numbers. Money. People. Computer World.
Re:Uninformed Linux attack dogs by Slamtilt · 1999-06-10 20:25 · Score: 3

2) In both cases the user had to voluntarily *choose* to run the virus with their own permissions. For goodness sake, the email says, "take a look at these zip files" but the attachment is an exe! Only a clod would fall for such as obvious imposture.
Well, no. There are self-extracting zip files which (of course) have a .exe extension but may have a zipfile-looking icon. We've deverbalized computer use to the extent that people don't read any more, they just look at the pictures. That's not microsoft's fault in particular, but it does illustrate the difficulty. "Just train them" is easily said, but not easily accomplished. As an aside, in this case it was possible to not be able to see the file extension - check out the screen shot on msnbc - the attachment is zipped_files... - the extension doesn't show.

Unix/Linux is vulnerable (only if root is dumb) by root · 1999-06-10 10:34 · Score: 2

>The real problem here is stupid users running untrusted code from random sources.

Exactly. Under Linux, I can run unchecked programs as user=jailbird'/group='playpen' and not worry about my kernel being hacked.

Under DOS/Win31/Win9x, I CANNOT RUN ANY PROGRAM IN A SECURE ENVIRONMENT. This is what the M$ supporters Just Don't Get(tm).Where everyone is a God, no one is safe. When everyone is the superuser, no computer is safe.

Re:Unix/Linux is vulnerable (only if root is dumb) by IntlHarvester · 1999-06-10 21:59 · Score: 2

Under DOS/Win31/Win9x, I CANNOT RUN ANY PROGRAM IN A SECURE ENVIRONMENT. This is what the M$ supporters Just Don't Get(tm).

Uhh, Windows NT has only been out since 1993. The file permission system is argueably better than unix's.

(If you folks are really interested in effective Linux advocacy, you should take on Windows NT rather than the end-of-the-line, broken-for-backwards-compatibilty Win 9x. It's a more credible comparison, and will make you sound less like a raving moron.)
--

--
Business. Numbers. Money. People. Computer World.

Would there *really* be lots of Linux viruses? by Frater+219 · 1999-06-10 07:59 · Score: 3

I see a lot of Windows usersand defenders claiming that if Linux dominated the corporate desktop, that the virus situation would be no better than it is for Windows now. I think this is fallacious, not to say FUD. Here's why:

1. The majority of Linux software is free (speech) software, which means that it has a lot of eyes looking at it for bugs. Further, it's also free (beer) software, meaning that its developers are less likely to be under pressure to ship a product which is not up to professionally dignified standards. Hence, fewer security holes get into released (non-beta) products..

2. Because the software is free, and because of packaging systems like Debian's APT which make upgrading easy, it is easy for users of Linux-based OSes to keep current. Further, because of freedom and an Internet-centric distribution model, developers can release patches quicker. This means that once a security hole is found, it has a shorter "useful life" to a cracker.

3. Because the Linux security model is more paranoid than Windows's, a Linux-based worm needs to actually exploit a security *hole*, i.e. *bug*, rather that using the inherent misdesigns of the system in the way Melissa does. (Read the Melissa source, if you can find it. It does not use any buffer overruns or other holes; it uses *only* standard APIs in standard ways.)

4. Finally, if Linux-based systems become established on the corporate desktop, they will come with a change in culture. Like any artifact, WIndows exemplifies and reinforces certain philosophies, ideas, and cultural roles. Linux-based OSes follow different ones. While I can't promise (nor even expect) that Linux dominance would come with radically greater user empowerment and desire on the part of the user to *learn* rather than to *fear* the system, I can only hope that it would teach the users *something*. Not to run untrusted executables, maybe?

Harm to consumers by Brian+Kendig · 1999-06-10 06:36 · Score: 3

A worm strikes Corporate America hard because Corporate America is so strongly standardized on Microsoft Office and Microsoft Exchange... and then, because the cost and hassle of trying to find viable/compatible replacements for these applications is so high, ANOTHER worm hits Corporate America and does another round of damage, incurring further costs in terms of lost work and damage control, and STILL no one seriouly considers moving from Microsoft software to some other solution...

And yet the Department of Justice still needs to prove that Microsoft's business practices are harming consumers?

Re:Virii and platforms by Brian+Kendig · 1999-06-10 06:55 · Score: 4

Sure, viruses can be (and are) written for Unix systems; just like Windows viruses, they prey on weaknesses in the system caused by software bugs or poor administration. The difference is that the typical owner of a Unix box tends to be more knowledgeable about security than the typical owner of a Windows system, and Unix tends to have fewer security holes than Windows by virtue of having a better-developed permissions system and by having been around longer.

It's not fair to say that a ten-line script can infect a Unix system -- the mere fact that there is such a wide range of flavors of Unix available is enough to guarantee that a single ten-line script won't work on more than a small percentage of Unix systems out there. Besides, with Linux, holes are patched and patches are distributed as quickly as they're found -- often within hours of the dicovery of a security hole.

If there were as many flavors of Windows as there were of Unix, if Windows vendors had to continually compete to make their systems faster and leaner and more stable and more secure, I guarantee you that you wouldn't see viruses and trojan horses such as this one proliferate nearly as much.

The Reuters News Feed Error by Derek+Pomery · 1999-06-10 07:10 · Score: 2

"ExploreZip is known as a worm, not a virus, because it can't replicate itself. Computer viruses such as Melssa, which appeared in March, are written with the capability to reproduce through automation."

The appropriate Hacker's Dictionary sections:

Virus
"Unlike a {worm}, a virus cannot infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends (see {SEX})."

Worm
"A program that propagates itself over a network, reproducing itself as it goes. Compare {virus}. Nowadays the term has negative connotations, as it is assumed that only {cracker}s write worms."

--
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.

Virus capability is a function of focus for any OS by sphealey · 1999-06-10 20:58 · Score: 2

"This will stop when people quit using a worthless excuse for an OS like Windows, and probably not before... :\"

Keep in mind that the original research of virii was done on IBM and Honeywell mainframes. Despite the generally high level of security on those systems, the researchers doing the work did manage to write virii (probably would be called worms today) that successfully infected their targets.

It happens today that the vast majority of computers in use are Wintel, and for a number of reasons which I am sure you can fill in the bad guys therefore focus most of their efforts on Wintel. And indeed, Win(x) does have serious vulnerabilities. But if the bad guys ever turn their focus to Linux/*nix, then you will see more Linux/*nix attacks of this type. Perhaps fewer will make it into distribution, perhaps fewer will succeed. But if so the ones that do make it will be that much more destructive.

Disagree if you wish, but before turning on the flamethrower remember that arrogance it the surest path to a security breach.

sPh

Virii and platforms by RenQuanta · 1999-06-10 06:31 · Score: 2

I always get a chuckle out of these stories, to me viruses represent one of the prime deficiencies in Windows design (or lackthereof) and a capital argument for holding a company responsible for its product flaws.

I have read, however, that viruses can in fact be written for UNIX platforms, and have actually read a ten-line example script to show how it could be done. This inspite of the security structures built into UNIX's multi-user environment. It was rather frightening. There's not a whole lot of literature on this subject that is easily found, what do Slashdotters know about it?

It's not a macro virus by Tracy+Reed · 1999-06-10 06:23 · Score: 2

It's an executable.

You forward root mail to a user account by roystgnr · 1999-06-10 10:59 · Score: 2

I think it's /etc/mail/aliases to configure that, but I could be wrong.

You'd best read your root mail somehow - cron misfunctions, or people warning you about problems with your system, are often things you don't want to ignore.

Unix isn't invulerable by roystgnr · 1999-06-10 08:23 · Score: 4

Unix users seem to have a sense of invincibility based on Unix's invulerability to boot sector viruses, floppy viruses, and similar things that require a simple OS kernel and an "every user is root" security model.

That invulnerability doesn't apply to worms (like this, like Melissa). All you need for a worm to work is a homogenous network environment to infect and an exploit to use for the infection. Maybe Unix users are really more savvy and won't fall for trojan horses (the easy "exploit"), but there was a worm created that spread via the imapd hole last year, and any similar exploit allowing so much as a "nobody" shell to be opened on your system could be used for the same purposes.

Do you know what services are running on your Linux box, and have you shut down the ones you don't need? Do you subscribe to bugtraq, redhat-watch-list, or whatever security mailing list is kept up for your distribution?

These were good ideas before, to prevent single crack attempts when exploits were found. Now they're much more important good ideas, as any cracker above the "script kiddie" level is going to be using self-propagating code to start forest fires of attacks.

Maybe the majority of those attacks will be stupid "email attachment" worms like those currently plaguing Windows, and thus incapable of harming system files... but if someone exploits the backticks in /etc/mailcap to delete $HOME, how much better are you going to feel because /usr was untouchable?

For school & work Linux systems I created a preconfigured freshrpms package which includes a cron job to regularly check the redhat errata, download any updated packages, and mail root when something new appears. It's a step in the right direction - Linux is a secure system because bugs are so quickly found and fixed, but it won't be publically perceived as a secure system if security-unconscious newbies never see or apply those fixes.

Re:It's not a virus by edgy · 1999-06-10 07:54 · Score: 2

NT has greater file security than Linux so I don't quite get your point.

Do explain.. How does NT have better file security?

Re:Benevolent Virus? by aphr0 · 1999-06-10 11:08 · Score: 3

I work for a medical research place. So, would you consider it to be funny if a researcher was set back in important research because they happen to use ms office? They're doctors, not techs. I don't consider anyone who destroys data to be 'doing us all a favor'. The guy is an asshole, plain and simple.

Something funny to do would be to delete ms office itself, not the associated files.

elitists? by aphr0 · 1999-06-10 11:34 · Score: 5

Why do so many of you feel the need to laugh at the ms office users and defend the virus writer? Most people in an office environment have no computer experience beyond doing normal office work. They're not educated by their IT department on the dangers of opening attachments. They just want to do their work so they can feed and clothe their kids. I don't think it's funny or cool that some guy wrote a virus that will destroy the work of others. Would you like it if mechanics started kicking your windows in and slashing your tires because you don't know how to overhaul your engine? Afterall, you're not elite and smart in the ways of cars, so you have no right to be driving.

Just because someone doesn't know what you consider to be common sense isn't a reason to hurt them. New users need to be educated and computer security policies need to be implimented. It's not the users' fault that they use MS Office. It's what they were told to use, so they happily use it, unaware of the bugs in it. And they don't care. They just want to finish up a presentation or a word document and get on with their lives. Not everyone's life revolves around computers. Some people work away from monitors for long periods of time.

Re:Closed source == unknown security by toriver · 1999-06-10 17:17 · Score: 2

I guess you are right. In the OSS case, software installation proceeds along these steps:

Download source code.
Examine source code to make sure it doesn't do anything nasty.
Compile and install.
Run.

Okay, hands up any OSS advocate that actually performs step 2.

OSS does _not_ provide more security than the effort you are willing to put into it does.

Nothing to do with Root/Admin authority by IntlHarvester · 1999-06-10 09:19 · Score: 2

If you think the discussion is over because root is sacred, you should look into how these kinds of viri work.

In an NT system, the virus can only delete the files for which the user has write access. There is no comprimise of "system" security.

The fault lies with poor design on Microsoft's part. The fact that there is no Linux equivalant only proves that noone has a macro-enabled Office suite running on Linux.

Well - look out - here comes Corel Office. Can you execute malicious viruses there? Nobody really knows because they only have like 2% of the market. Although, it might be worth it to someone to teach Linux users a lesson or two.
--