I omitted suggesting that it download the latest patches, because (as is oft pointed out) one reason many people and organizations DON'T download the latest patches for Windows is that they often break other things.
Cleaning up the computer and closing off exposed services is just as likely to break things as downloading the latest patches is. And it doesn't teach the admin anything. The best solution for fixing the problem involves the admin learning about security.
Leave the machine alone, and hope the admin will eventually be inconvenienced by the spammers and DDoS clients using his machine enough to learn how to properly secure it. In the mean time hundreds or thousands of responsible admins are also inconvenienced by being spammed and/or DDoSed.
Or trash the machine; don't just make it unbootable, completely wipe it clean. If it comes back and is still vulnerable, do it again until the sysadmin gets sick of restoring backups and properly secures it. The advantage of this approach is that it takes vulnerable machines off the network, thus inconveniencing only the person responsible for and in a position to remedy the problem.
With a javascript redirect. I couldn't get most web forums to accept the dodgy html directly and I wasn't sure others could copy it correctly, so I set up a bounce page.
If you use the direct link (as phishing scams always do), it shows up as "msie.microsoft.com" in the preview area too.
I'd be interested to know how SP2beta handles a direct link; I've read that it breaks javascript redirects under some conditions, but it's not clear that a direct link wouldn't still be displayed incorrectly.
Re:Possible test version hitting me. Anybody else?
on
More MyDoom Gloom
·
· Score: 1
Yes, for months. If you dig deeper I expect you'll find it's connecting and getting via the IP address rather than any specific hostname.
It's just another worm. I can't recall which one and, quite frankly, I don't care any more. I set up a virtuser host for sites that are actually live. Anything that connects via IP address gets a minimal "there's no page here" reply which I don't even bother logging.
Depressing, isn't it.
Re:but there's an open source version of the virus
on
More MyDoom Gloom
·
· Score: 1
FreeBSD users need only cd/usr/ports/net/mydoom and type 'make install'
nimda was supposed to attack whitehouse.gov, but used a hard-coded IP address and tested it first. The admins changed the address from (iirc 198.137.240.91 to 198.137.240.92, trivially avoiding the DDoS.
sobig attacked www.windowsupdate.com, an almost totally useless 'typo redirect' on a completely unrelated subnet, not windowsupdate.microsoft.com, the site where everyone gets their windows updates from. To avoid the 'attack' Microsoft just switched the DNS for windowsupdate.com off, and nobody even noticed. They also akamai-cached all of microsoft.com at the same time, although this was likely planned a month or so beforehand and completely coincidental. It certinly wasn't necessary, since the DDoS attack was never aimed anywhere near microsoft.com. And it totally confused most of the press who had no idea that "windowsupdate.com" was NEVER the actual windows update site.
Early analysis of MyDoom suggests that it resolves www.sco.com but doesn't try to connect, even when the machine clock is set forward. Not even once. That makes for a fairly unimpressive DDoS.
Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.
Now imagine a worm that spreads fast (flood-scan the local/16 plus a few random IP's outside that with tcp syn packets, infect anyone that syns) and then immediately goes dormant. Over the next month or so it quietly makes alterations to all the files it can access. Changes numbers in databses and spreadsheets, swaps words around in documents. By the time anyone starts to notice this thing has rendered all of the current data and at least a month of backups unusable.
From the last article I read, the problem with Spirit involves having too many files in flash. So the fix involves deleting old files when they no longer need them.
They're also deleting files off Opportunity as soon as they've been transmitted and/or are no longer required, so it hopefully won't develop the same problem.
Depends who you consider is to blame; the AV companies, certainly, since they know full-well that bouncing the mail is at best pointless.
The idiot MSCE and/or PHB? Yes, absolutely.
Is there any difference between running 'spammy' AV software and hosting viagra-marketing spammers? If there is any difference I would think that the site running spammy AV software is more at fault, not less.
If you sent out a virus where the message body said "this is a virus" and the attachment was "dont_run_this.exe", from personal experience desling with windows users I expect it would be the most sucessful virus yet.
Sure, you might be able to trick someone into clicking on a PDF where they wouldn't trust an exe, but if the page is convincing enough you can probably get the user to just run the exe directly anyhow.
If you're using Internet Explorer, you should definately upgrade as soon as possible!
AV vendors know damn well that 99% of viruses spoof addresses. More than anyone else, since studying viruses and figuring out what they do is their JOB!!
The only possible excuse for this behaviour is that they get FREE ADVERTISING out of it. It's spam advertising AV software and/or mail filters, plain and simple. It should be treated the same way as any other spam.
I've done a few; most of the time I plan to reinstall and migrate the data over anyway. Windows has a habit of accumulating spyware, old drivers, lost files, and registry cruft. Reinstalling is easier and faster than cleaning it up.
The few times when I've tried to keep the install it's usually turned out to be a major hassle. I had one machine that just wouldn't boot, not even in safe mode, due to some power-management feature being missing on the new mobo. MSKB insisted that ONLY a reinstall could fix the problem, but reinstalling wasn't an option because of some no-longer-sold software that the client had lost the disks for. So in the end we put the drive back in the old box.
Even without Product Activation, XP and 2K are almost guaranteed to completely shit themselves when faced with a significant change in hardware..
Besides that, I suspect Microsoft would consider that moving a drive you own with a copy of windows you own from one computer you own onto another computer you own is somehow STILL piracy.
Except that a site licence does not cover new computers; Microsoft expects you to pay for an OEM licence, pay again to reinstall the version you actually want, AND have a site licence.
You certainly can't transfer the OEM copy of Windows from your old computer onto your new computer. Microsoft make this absolutely clear.
More details can be found at http://microsoft.com/piracy/
(OK, not really the official MSFT patch since there isn't one yet; my link demonstrates the bug by providing a Mozilla download on a msft-parody download page, complete with microsoft.com url..)
I did actually see one project (damned if I can find it now) where an overclocker used a small silver ingot to efficiently dissapate the heat from the small surface area of the chip into the much larger area of the heatsink... and it worked.
Except that New Zealand is quite a long way from Milwaukee, Madison and Chicago. I haven't seen it in bookstores over here. It was a great site, but I have to take a stand. I won't go back.
An error has occurred while processing your request, please note the error below and contact our support line.
Error: Prior to using this web site, please change your browser settings to allow us to update your cookies. The cookies will be used to ensure that you are a registered user who has properly logged on to the site.
You may contact our Internet support line during business hours by dialing 0508-4-47669 (or +64-3-962-2606)
But I do allow cookies! Perhaps I should call that toll-free number instead.
Slashdot Mirror
reminds me of the joke about elephants painting their toenails red.. so they can hide in cherry trees...
I omitted suggesting that it download the latest patches, because (as is oft pointed out) one reason many people and organizations DON'T download the latest patches for Windows is that they often break other things.
Cleaning up the computer and closing off exposed services is just as likely to break things as downloading the latest patches is. And it doesn't teach the admin anything. The best solution for fixing the problem involves the admin learning about security.
Leave the machine alone, and hope the admin will eventually be inconvenienced by the spammers and DDoS clients using his machine enough to learn how to properly secure it. In the mean time hundreds or thousands of responsible admins are also inconvenienced by being spammed and/or DDoSed.
Or trash the machine; don't just make it unbootable, completely wipe it clean. If it comes back and is still vulnerable, do it again until the sysadmin gets sick of restoring backups and properly secures it. The advantage of this approach is that it takes vulnerable machines off the network, thus inconveniencing only the person responsible for and in a position to remedy the problem.
Can you give me a hand then; I'm trying to find Win2K or WinXP drivers for my ScanJet 5100c?
(It appears to be only supported under Win95/98, and perhaps linux using the ppscsi patch.)
With a javascript redirect. I couldn't get most web forums to accept the dodgy html directly and I wasn't sure others could copy it correctly, so I set up a bounce page.
If you use the direct link (as phishing scams always do), it shows up as "msie.microsoft.com" in the preview area too.
I'd be interested to know how SP2beta handles a direct link; I've read that it breaks javascript redirects under some conditions, but it's not clear that a direct link wouldn't still be displayed incorrectly.
Yes, for months. If you dig deeper I expect you'll find it's connecting and getting via the IP address rather than any specific hostname.
It's just another worm. I can't recall which one and, quite frankly, I don't care any more. I set up a virtuser host for sites that are actually live. Anything that connects via IP address gets a minimal "there's no page here" reply which I don't even bother logging.
Depressing, isn't it.
FreeBSD users need only cd /usr/ports/net/mydoom and type 'make install'
I think they're _stupider_ than that..
nimda was supposed to attack whitehouse.gov, but used a hard-coded IP address and tested it first. The admins changed the address from (iirc 198.137.240.91 to 198.137.240.92, trivially avoiding the DDoS.
sobig attacked www.windowsupdate.com, an almost totally useless 'typo redirect' on a completely unrelated subnet, not windowsupdate.microsoft.com, the site where everyone gets their windows updates from. To avoid the 'attack' Microsoft just switched the DNS for windowsupdate.com off, and nobody even noticed. They also akamai-cached all of microsoft.com at the same time, although this was likely planned a month or so beforehand and completely coincidental. It certinly wasn't necessary, since the DDoS attack was never aimed anywhere near microsoft.com. And it totally confused most of the press who had no idea that "windowsupdate.com" was NEVER the actual windows update site.
Early analysis of MyDoom suggests that it resolves www.sco.com but doesn't try to connect, even when the machine clock is set forward. Not even once. That makes for a fairly unimpressive DDoS.
and then nukes the system it's living on..
/16 plus a few random IP's outside that with tcp syn packets, infect anyone that syns) and then immediately goes dormant. Over the next month or so it quietly makes alterations to all the files it can access. Changes numbers in databses and spreadsheets, swaps words around in documents. By the time anyone starts to notice this thing has rendered all of the current data and at least a month of backups unusable.
Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.
Now imagine a worm that spreads fast (flood-scan the local
That's the worst virus I can think of.
From the last article I read, the problem with Spirit involves having too many files in flash. So the fix involves deleting old files when they no longer need them.
They're also deleting files off Opportunity as soon as they've been transmitted and/or are no longer required, so it hopefully won't develop the same problem.
Depends who you consider is to blame; the AV companies, certainly, since they know full-well that bouncing the mail is at best pointless.
The idiot MSCE and/or PHB? Yes, absolutely.
Is there any difference between running 'spammy' AV software and hosting viagra-marketing spammers? If there is any difference I would think that the site running spammy AV software is more at fault, not less.
If you sent out a virus where the message body said "this is a virus" and the attachment was "dont_run_this.exe", from personal experience desling with windows users I expect it would be the most sucessful virus yet.
I'm not kidding. I wish I was.
Great advice; the whole fucking POINT of hyperlinks is that you can click on them instead of tediously typing in some long web address.
Microsoft came up with the expression "Trustworthy Computing", and more than 5 years later Microsoft's best advice is basically "don't trust us" ??
Sure, you might be able to trick someone into clicking on a PDF where they wouldn't trust an exe, but if the page is convincing enough you can probably get the user to just run the exe directly anyhow.
If you're using Internet Explorer, you should definately upgrade as soon as possible!
and should be recognised as such.
AV vendors know damn well that 99% of viruses spoof addresses. More than anyone else, since studying viruses and figuring out what they do is their JOB!!
The only possible excuse for this behaviour is that they get FREE ADVERTISING out of it. It's spam advertising AV software and/or mail filters, plain and simple. It should be treated the same way as any other spam.
I've done a few; most of the time I plan to reinstall and migrate the data over anyway. Windows has a habit of accumulating spyware, old drivers, lost files, and registry cruft. Reinstalling is easier and faster than cleaning it up.
The few times when I've tried to keep the install it's usually turned out to be a major hassle. I had one machine that just wouldn't boot, not even in safe mode, due to some power-management feature being missing on the new mobo. MSKB insisted that ONLY a reinstall could fix the problem, but reinstalling wasn't an option because of some no-longer-sold software that the client had lost the disks for. So in the end we put the drive back in the old box.
Have you tried that?
Even without Product Activation, XP and 2K are almost guaranteed to completely shit themselves when faced with a significant change in hardware..
Besides that, I suspect Microsoft would consider that moving a drive you own with a copy of windows you own from one computer you own onto another computer you own is somehow STILL piracy.
Except that a site licence does not cover new computers; Microsoft expects you to pay for an OEM licence, pay again to reinstall the version you actually want, AND have a site licence.
You certainly can't transfer the OEM copy of Windows from your old computer onto your new computer. Microsoft make this absolutely clear.
More details can be found at http://microsoft.com/piracy/
Try this on any moderately popular page. You'll be surprised how many browsers identify themselves as MSIE, but don't fetch this gif..
Nah, I think this guy had something to do with it...
I suggest using the official Microsoft patch?
(OK, not really the official MSFT patch since there isn't one yet; my link demonstrates the bug by providing a Mozilla download on a msft-parody download page, complete with microsoft.com url..)
(Yeah, I know.. I'm an attention-whore..)
I did actually see one project (damned if I can find it now) where an overclocker used a small silver ingot to efficiently dissapate the heat from the small surface area of the chip into the much larger area of the heatsink. .. and it worked.
Citrus fruits? Now you're comparing apples with oranges!
Except that New Zealand is quite a long way from Milwaukee, Madison and Chicago. I haven't seen it in bookstores over here. It was a great site, but I have to take a stand. I won't go back.
An error has occurred while processing your request, please note the error below and contact our support line.
Error: Prior to using this web site, please change your browser settings to allow us to update your cookies. The cookies will be used to ensure that you are a registered user who has properly logged on to the site.
You may contact our Internet support line during business hours by dialing 0508-4-47669 (or +64-3-962-2606)
But I do allow cookies! Perhaps I should call that toll-free number instead.
To: webproducts@unicast.com
From: zcat@wired.net.nz
I was hoping to be able to view your new advertising, however it appears to use Flash and I get the following error from Macromedia.com:
> We are unable to locate a single Web player that best matches your platform and operating system.
If you could please tell me where I can get the flash plugin for Mozilla 1.5 under FreeBSD, I would be most appreciative. Thank You.
Bruce Kingsbury.