Posted by
Roblimo
on from the who-opened-the-cage-door? dept.
Neil Andriessen writes "Wired has released a story that tells of how Bubbleboy is now in the wild. It was found on an unnamed Japanese website. The Bubbleboy virus was mentioned in this discussion on Slashdot. A patch is now available from Microsoft.
I wonder where it will go from here."
However, I guess I can look at the bright side. I've been worried, for a long time, that a virus writer would exploit file dead-space. There's plenty of room at the end of most binary files to tuck a routine or two, then all you'd need is a bootstrap and some way to re-assemble the fragments in the correct order. A trivial task.
But what about the "bootstrap"? The virus has to be started, and the code for that needs to be in a place where stuff is normally executed, and that's where virus scanners are looking. If you hide a virus too well, it never gets executed and is no virus at all.
--
The illegal we do immediately. The unconstitutional takes a little longer. --Henry Kissinger
Did anybody ever doubt it would be?
by jht · Score: 3
I, for one, never had a moment's doubt that Bubbleboy would make it out into the open. If nothing else, the arms race between virus writers and anti-virus companies guarantees that viruses will show up in public. I wouldn't even blink if you told me that it was spread by one of the antivirus companies (even by accident), because what will happen as a result?
That's right - more antivirus sales. And now that Macs are popular again, there are even viruses that affect them: for years, Mac users could putter away in safety knowing that not even virus writers developed for the platform. Now Macs aren't even safe.
I'm sorry, viruses are just not a sufficient reason (yet) to switch my whole company over to Linux.
I guess I'm just a hardened cynic. Oh well, time to go make sure I remembered to set the filter on Groupshield...
That's true, but virus scanners look for unique pieces of code. The bootstrap can afford to be extremely small - it only needs to check if the end of a sector contains a virus routine, then copy that into a block of reserved memory, based on routine number * size of routines.
That's too small a piece of code for a virus scanner to recognise. There's nothing that's unique, to identify.
-NOW-, many virus scanners also detect changes to files. -This- could successfully recognise the bootstrap, no matter how small or how carefully disguised it was. As you say, it has to be executable. But this assumes you have a record of what the file -should- look like. If you've got a disk or a file that's infected, you won't know until it starts infecting other files.
-- It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
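A baseline-and-verify integrity check of the kind the comment above describes, as an added example that is not part of the thread. It shows that even a one-byte change to a file is flagged against a clean baseline, and that a baseline recorded after the change sees nothing; file names and contents are constructed placeholders.

```python
"""Baseline-and-verify file integrity check (added example, not from the thread)."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, Dict[str, object]]:
    """Record size and digest per path: the 'record of what the file should look like'."""
    return {p: {"size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths}


def verify(baseline: Dict[str, Dict[str, object]], paths: List[str]) -> Dict[str, List[str]]:
    """Compare current files against the baseline.

    Returns lists of paths that changed (size or digest differs), are missing
    from disk, or are unknown (present now but absent from the baseline).
    """
    report: Dict[str, List[str]] = {"changed": [], "missing": [], "unknown": []}
    for p in paths:
        if p not in baseline:
            report["unknown"].append(p)
    for p, rec in baseline.items():
        if not os.path.exists(p):
            report["missing"].append(p)
        elif os.path.getsize(p) != rec["size"] or sha256_file(p) != rec["sha256"]:
            report["changed"].append(p)
    return report


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: two placeholder 'binaries'; one gets a single byte appended."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "tool_a.exe")
        b = os.path.join(d, "tool_b.exe")
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(b"MZ" + bytes(510))  # constructed filler, not a real executable
        clean = build_baseline([a, b])
        before = verify(clean, [a, b])

        # A minimal modification: one byte appended to tool_b. Against the clean
        # baseline this is caught no matter how small the change is.
        with open(b, "ab") as f:
            f.write(b"\x00")
        after = verify(clean, [a, b])

        # The caveat raised in the thread: a baseline taken from an already-modified
        # file records the modified state as "correct", so nothing is reported.
        late = build_baseline([a, b])
        late_check = verify(late, [a, b])

        # A file removed after baselining shows up as missing rather than changed.
        os.remove(a)
        removed = verify(clean, [b])
        return {"before": before, "after": after, "late": late_check, "removed": removed}


if __name__ == "__main__":
    for stage, rep in demo().items():
        print(stage, {k: [os.path.basename(p) for p in v] for k, v in rep.items()})
```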
Someone please tell Roblimo to stop posting about Windows viruses. They're neither news for nerds, nor stuff that matters. Slashdot readers are extremely likely to know about the dangers of viruses, and what measures to take to prevent catching them. Most of us just sit and watch in amusement as the MS world infects itself. It really isn't interesting, so why post about it?
I couldn't disagree more. Now, there are lots of reasons why I think this is interesting and worth talking about, but disregarding all of those, the simple fact is that /. is not a Linux site, or even a non-MS site. Even if most /.ers hate their guts, a very large portion of them works with Windows networks as part of their job, and even more are employed at places where most of their coworkers use Windows. Important viruses like Bubbleboy are vital news for a large contingent of /. readers.
Beyond that, Bubbleboy isn't just any old virus; it's the first self-executing email virus, and probably the closest any virus has come to the 'ideal' of infecting a machine despite the user not doing anything wrong (no, running Windows doesn't count). Indeed, your assertion that "Slashdot readers are extremely likely to know about the dangers of viruses, and what measures to take to prevent catching them," is precisely why this story needs to be run--because Bubbleboy turns the conventional wisdom on viruses on its head a little bit. (Of course, one could argue that that's because most viruses don't actually target OS bugs, but rather legitimate functions; in some sense, Bubbleboy is more of an exploit than a virus.)
In the end, I think (and not that I haven't felt like posting "does this really belong on /." posts every once in a while) that, with the possible exception of the decision to interview John Vranesevich, it's usually not too appropriate to second guess the /. staff for posting an article. If you don't find it interesting, don't read it, and post on it. If lots of people don't find it interesting, then there won't be many posts on that subject, and eventually Rob and Roblimo and Hemos will figure it out. Furthermore, if the discourse of whatever posts there are is no good, they'll eventually catch on to that, too. And they'll be less likely to post on that subject in the future.
The thing is, it doesn't hurt you one bit for this article to be here. If the subject doesn't interest you, then fine: move along. But don't automatically presume that everyone agrees with you. Just because (wow--just clicked on your user info) you were around when /. was just a couple thousand strong doesn't mean that you automatically speak for the entire /. community now. Just because this may not have been "the sort of thing that got posted in the olden days" doesn't mean it's not what should get posted now. Besides, I may not have been around as long as you, but I've frequented /. for a decent amount of time, and certainly wouldn't have been at all surprised to see this story, or even a similar but less important one posted, say, a year ago.
I suppose what I'm trying to say is, let the people in charge of /. do their job. I think we'll both agree they make the right decisions most of the time, and when they don't, they're good enough to figure it out on their own.
The other thing I noted in the story was that it's patchable if you go to the microsoft site. This places the onus on users to make sure they're not infected; Microsoft can say 'look, it's available; it's not our fault if you don't download it.'
Uhm, isn't that exactly what all the Linux distributions do when a security issue is found? I remember one of those "hack this box" PR things where everyone complained that they hadn't gone to the Red Hat site and installed the security-related updates.
This is considered a "new kind of virus"... People never learn from history, it would seem. This type of virus has existed with DEC VMS 5.5, and probably both earlier and later versions. Don't learn from history, and you'll sooner or later repeat it.
However, I guess I can look at the bright side. I've been worried, for a long time, that a virus writer would exploit file dead-space. There's plenty of room at the end of most binary files to tuck a routine or two, then all you'd need is a bootstrap and some way to re-assemble the fragments in the correct order. A trivial task.
This would give you an almost undetectable virus, as many virus scanners check files, not sectors, and the files themselves would be unaffected.
Even if you -did- write something that could detect a fragment, all you do is clear that fragment. It'd be child's play for anyone to re-write a single routine. The bootstrap/saver routine could probably do that.
In essence, something like this would be a virus OS, rather than a conventional virus. Conventional viruses can be dealt with, but a virus OS is a much greater challenge.
-- It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Uh, you're insane. I manage my school's network, and I installed the patch on all their Win98 machines with no problems. Also on my home and work machines, still no problems. You must've done something weird.
Microsoft released this patch in August, people!
by Wonko42 · Score: 4
It seems that a lot of you are jumping to some pretty dumb conclusions, bashing Microsoft when you really shouldn't be. As usual...
But anyhow, I just wanted to point out that Microsoft released the patch for this vulnerability in August. That was a few months ago; way before any viruses had actually made use of the hole. In fact, I also remember a Slashdot post being made about the patch, and it got quite a lot of media coverage. Yes, Microsoft was alerted to a vulnerability, and they fixed it, months before anything actually exploited that vulnerability.
And yes, if you use a vulnerable flavor of Windows and were too stupid to upgrade, you deserve to have your computer's Owner name and Company info reset. Heh, geez people, it's not like BubbleBoy is malicious or anything...;)
Re:Microsoft and patching
by Just+Some+Guy · Score: 3
Sure, it's the user's fault for not patching...
I have to disagree with that. If the user is informed, yet chooses not to follow up, then it is their fault. However, a lot of us here tend to forget that:
1. Not everyone is a computer expert, and a lot of people don't know what a patch is, let alone where to get one or what to do with it.
2. There's nothing wrong with that.
My sister bought a new computer last year and is happily browsing and ICQ'ing away. She doesn't know Jack about security, nor do I believe she should be expected to. I mean, should every newbie make support.microsoft.com their home page, and check it for new misfeatures every time they go online? That's not reasonable. The vast majority of users simply want to get on the 'net and run around without having to bother with all of this, in much the same way that they want to use the phone without knowing the difference between packet-switched and circuit-switched networks.
Yes, I think that people should learn more about their new computers than most people usually do. However, I think that patching goes beyond the skills and abilities that the average user should be expected to know.
To make an analogy, have you checked to see if there's a recall on your car? No? Why not? Consumer Reports lists current recalls in the back of their magazine, so it's publicly accessible information, but I'd dare to state that not many people bother to check. So, if someone's defective car causes an accident, was it their fault for not taking it in for a "patch"? I guess, technically, it may be. In reality, though, I don't think that's a reasonable expectation.
-- Dewey, what part of this looks like authorities should be involved?
It isn't an antimicrosoft conspiracy
by FreeUser · Score: 4
Most computer users use Microsoft's products.
Most virus writers will, therefore, statistically use Microsoft's products.
Most virus writers will target systems with which they are familiar, which happens to be Microsoft's products.
Thus, most virus/worm/trojan products target Microsoft products.
The fact that such an overwhelming number of these attacks are successful, indeed devastating, is a testament and real world demonstration of just how severely flawed Microsoft's entire security paradigm continues to be. That the so-called "service" packs and security fixes generally break more than they fix (whether maliciously or through negligence) is a strong indication of how flawed Microsoft's development process and QA/QC procedures are.
Dark side of the force (Re:what I'm wondering...)
by Hanno · Score: 3
Years ago back in high school, I wrote a "virus" that basically just copied a short segment of source code to GW-Basic programs it found on the hard disk - yes, GW-Basic, that old thing for DOS 2.11 that existed before Visual Basic and Turbo Basic were known.
It didn't do any harm, it didn't "infect" EXE files and I did it just to find out if it was possible and what writing a virus is like.
Scary thing though that this simple program (just a few lines of code), despite being harmless and doing its task clearly seen in the open light (is that an English phrase, anyway) followed all the requirements to be called a virus. Today's macro viruses actually do exactly the same thing.
While I never spread "my virus", it was an interesting experience. From a pathetic viewpoint, those virus writers could be called seduced by the dark side of the force; being among crackers, script kiddies and other menaces to IT society must be like being in a street gang. They have their own set of values of what is "cool" and what gives you "respect" among the peers.
It sure would be nicer if those talented hackers (which they often are) would use their talent for something useful and write "good" software to gain a kind of respect that's actually worth gaining...
To answer your other question, I doubt that MS itself is the target. A virus must find a common platform as a host to spread itself, and Microsoft software, both Dos/Windows operating systems and Office/Outlook application software, are commonplace. This makes an obvious target.
WARNING!!!!!!! INTERNET VIRUS
by rebrane · Score: 3
The FCC released a warning last Wednesday concerning a matter of major importance to any regular user of the Internet. Apparently a new computer virus has been engineered by a user of AMERICA ONLINE that is unparalleled in its destructive capability. Other more well-known viruses such as "Stoned", "Airwolf" and "Michaelangelo" pale in comparison to the prospects of this newest creation by a warped mentality.
What makes this virus so terrifying, said the FCC, is the fact that no program needs to be exchanged for a new computer to be infected. It can be spread through the existing e-mail systems of the Internet. Once a computer is infected, one of several things can happen. If the computer contains a hard drive, that will most likely be destroyed. If the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop -which can severely damage the processor if left running that way too long.
Unfortunately, most novice computer users will not realize what is happening until it is far too late. Luckily, there is one sure means of detecting what is now known as the "Good Times" virus. It always travels to new computers the same way in a text email message with the subject line reading "Good Times". Avoiding infection is easy once the file has been received- not reading it! The act of loading the file into the mail server's ASCII buffer causes the "Good Times" mainline program to initialize and execute.
The program is highly intelligent- it will send copies of itself to everyone whose e-mail address is contained in a receive-mail file or a sent-mail file, if it can find one. It will then proceed to trash the computer it is running on. The bottom line here is - if you receive a file with the subject line "Good Times", delete it immediately! Do not read it! Rest assured that whoever's name was on the "From" line was surely struck by the virus. Warn your friends and local system users of this newest threat to the Internet! It could save them a lot of time and money.
--- cut here ---
ah yes. it's true what they say about fiction becoming reality. and we have microsoft to thank. :)