Microsoft Mail Worms Gang War?

cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."

well...

Since Microsoft is in Seattle, this could be a real West Side Story.

Re:well...

get your singing voices ready... WORM:
"I like to propagate in America!
DoS by me in America!
Network is down in America
Download me in America!"

Re:well...

When you're a 1337, you're a l33t all the way,
From your first kiddie script, till you r00t DEA

Re:well...

Dear kindly Peter Norton,
You gotta understand
It's just our hacker egos
That gets us outta hand.
Our friends are all spammers
Our teachers teach VB
Holy jebus that's why we are 'leet!

How is this an "ask slashdot"?

Where's the question?

Re:How is this an "ask slashdot"?

Where's the question?

Dunno, but the answer's 42.

Can I ask you a question?

A question, what is it?

It's an interrogative statement used to test knowledge, but that's not important right now.

Huh?

The first part of the question is understood, at least by those who understand such things: "[Is this a] Microsoft mailworms gang war?"

Re:Insightful?

No. He meant redundant. A redundant question is one that doesn't need to be asked, a rhetorical question is one that doesn't need to be answered. Big difference.

Re:Insightful?

Although this sentence is not a question, it ends in a question mark?

I would like to point out...

MyDoom.F does destroy word, excel, access, jpg, and other files.
SARC [sarc.com]
This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder.

Re:I would like to point out...

Yeah, the article poster mentioned that they did "little damage". I don't think destroying .sav files with 95% probability on local and remote drives constitutes little damage.

Re:I would like to point out...

Little damage, my ass. However, I will point out, that on a positive note, I work in a network callcenter, every time one of these babies comes out our call volume spikes by as much as 30%. These virii are at least keeping the calls coming in, which is how we generate cash. So at least for us, it's job security on some scale.

Of course it doesn't help that people we've helped in the past by emailing them fixes, solutions, and patches have us under our address books, so in turn we get all their email telling us 'Hi.'

Re:I would like to point out...

"Of course it doesn't help that people we've helped in the past by emailing them fixes, solutions, and patches..."

There's nothing like convincing people to open random excutable attachments to keep your job safe.

Re:I would like to point out...

Here's a conspiracey theory for you...

Indian virus writers are writing virues to increase call volumes so more companies will outsource their anwering centers to India...

More likely some punk somewhere gets a charge off the idea that they alone can cause world wide mayhem...

Re:I would like to point out...

My god! Look what it did to my website! [lostbrain.com]

Tcd004

Won't be over soon, either

"Plenty of letters left in the alphabet" - J. L. Picard

Re:Turf?

since some of these viruses involve opening back doors, it's a turf war in the sense of who owns more zombie computers, I guess.

It was bound to happen...

It was bound to happen, given that more and more worms are written for criminal spammers. And since spammers AND criminals are stupid, they will fight each others.

Yeah, it's a gang war alright...

and the bullets are the stupidity of most windows users. No matter how much we tell people "don't open attachments unless you know the person!" they still won't listen.

I mean, seriously, how hard is it to write malicious code if you can get the person to run any program. Heck, here's my virus:

@echo off

c:\windows\command\deltree /y c:\windows
@echo You've been 0wn3d!

This is NOT hacking... it's taking advantage of stupid people...

Re:Yeah, it's a gang war alright...

you're not kidding.

At my office, we are using a non-standard email client that doesn't allow execution of code in any way and we still got nailed.

why?

The moron in the next cubicle (a PROGRAMMER no less) did this:

1) viewed the email (after receiving 5 memos specifically saying to just delete it)
2) clicked on the attachment
3) selected save as
4) opened up explorer, went LOOKING for the attachement
5) executed it by doubleclicking.

I mean seriously! his defense when confronted?
"Well I wasn't sure...so...hum...we'll I wouldn't have done that at home!"

I wanted to beat the crap out of him...

Re:Yeah, it's a gang war alright...

Well, many of these viruses *do* appear to come from people they know, so your advise may be contributing to the problem. Anymore they shouldn't trust any attachment they weren't specifically expecting.

The only other thing is to never run an executable attachment, but there's so many way to obfuscate this (especially using outlook) that most normal users really can't be expected to tell what's safe from what's not.

One simple thing average users can do is to give people they communicate with some special keyword they should always add to messages they send you with an attachment. It doesn't have to be anything special - even a company name would do. The idea is no mass-mailing worm would know to include it.

Heck you could even use a procmail recipe to only allow attachments with the keyword in the subject - much more accurate than trying to filter out all the "bad" subject lines these viruses use.

Poor evil empire

"...intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."

Actually, the evil empire isn't all that poor; it's got several billion dollard in cash. And the poor wannabe empire isn't poor either; apparently it got a $86 million cash injection [slashdot.org], thanks to the evil empire.

Warnings...

I'm getting some forged emails lately, badly forged at that, which look like they're coming from my ISP, "warning viruses being sent from your account", "warning immenent suspension", etc. They have a pif file atteched (which I never open) and have been coming from .lt or .gr servers (my ISP would not likely be using these.) Looks to me like another brand of worm on the rounds and there's a morbid sense of humor behind it.

Re:Warnings...

You mean like...

Dear user of "Co.uk" mailing system,

We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.

Further details can be obtained from attached file.

Cheers,
The Co.uk team http://www.co.uk

?

Re:Warnings...

I'm going to write a worm that sends ppl emails that say "I am a worm. Don't open my attachment."

It will be the fastest spreading worm in history...

The human race never ceases to amaze and disapoint me.

Re:Warnings...

I'm going to write a worm that sends ppl emails that say "I am a worm. Don't open my attachment."

I did something like this. There was a proggie in the Win2K resource kit that slowly and gracefully shuts down all your programs, and reboots. I renamed it to do_not_run_this.exe. I sent it to the company mailing list, with a subject of VIRUS ATTACHED - DO NOT RUN. I put all over the email warnings about not running. A few minutes later, I got hassled by people: "Blah, I was working on something" "Blah, I was in the middle of a download". Unbelievable. You can see pics of the IT team that I was in here [umtstrial.co.uk], just out of interest.

Re:Warnings...

I doubt humor is involved -- the point is to get people to open the zip and run the archived file -- which you have to go to some trouble to do, given that the zip is password protected (to get by email scanners). I've had a couple of users here contact me about these, but nobody has run them yet. Of course I only have a few users, most reasonably clueful. This would probably suck for larger outfits.

Re:Warnings...

I've gotten this one to two of my domains. It's actually comparatively persuasive. I went so far as to open the zip file, though I certainly didn't run the .exe. Mine accuses me of sending spam from my mail server, which I suppose isn't entirely impossible, since I've been accused of sending spam before once or twice. (I send out announcements to a small set of people, and on occasion people who have fallen out of the group get irate when I haven't removed their names.)

It came directly to my mail server; it hadn't been relayed. That makes sense: anybody may contact my mail server to send mail, as long as it's to me.

But this makes a lousy worm, since most people don't own their own domains. This will 0wn only a fairly limited set of computers, compared to the bazillions of zombies you can get by fooling people who use a major ISP but don't own their own domains.

This one doesn't even really require worm-ness. It goes out only to registered mail servers, which is small enough to connect to individually by one or two dedicated computers with broadband connections.

I wasn't in the mood to trace down who was responsible for it,but I hope somebody does.

Re:Warnings...

That's Beagle.K [symantec.com] (or Beagle.J [symantec.com], it's linked from the story, though), I've only recieved one, but it's annoying as all hell to block.
I'm now blocking all encrypted zip attachments via my trusty MailScanner [mailscanner.info]
(there's a beta version which adds this, I couldn't trust the filename rules, and wouldn't block all zip attachments)

Ah, the power of /. spelling!

From the article:

Most of the comments tucked inside the latest bugs are brief, unprintable and poorly spelled. "Bagle -- you are a looser!!!" opined the author of the sixth version of Netsky.

Hmmm, where have I seen that misspelling before? Let me think ...

latest breed

What's interesting/annoying is that the latest variants of the Bagle/Beagle virus use password protected encrtypted zip attachments which has caught quite a few mail gateways and virus companies off guard. Our mail gateway (mailscanner/f-prot/spamassassin) was unable to deal with the encrypted zip attachments and passed them on through.

The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)

Re:latest breed

Yeah we apparently got that. Seems a bit odd to me that a worm can propagate when you have to enter a key to run it, for god's sake that's like getting a grenade in the mail with a note saying 'Pull this pin and hold'.

Re:latest breed

The difference is that the grenade trick would only work once.

Re:latest breed

My company's mail server is running Norton Antivirus Corporate Edition. Although it couldn't scan the password-protected (hence encrypted) ZIP attachments of the latest Beagle variant it did report these failures as errors and quarrantined the attachments as a result. Thank God.

What's pitiful is how the AV service automatically updates its virus definitions daily. But at the rate these variants are coming out I am manually updating in the middle of the workday as well. I almost get misty eyed back when Microsoft-based threats were just relatively minor nuisances like Word macro viruses!

Wild, wild west

In the late 1800's in the American west there was a boom in illegal activities (Billy the Kid, Butch and Sundance, etc.). The citizenry had enough and banded together (i.e., paid taxes) to fight back (i.e., hired police). Cyberspace is in the equivalent of the late 1800's in terms of working out who controls what. Now we, the citizenry, must decide if we want to hire the Pinkertons or establish a proper police force. Just remember, the Pinkertons were often as dirty-dealing as the crooks they were after, and the Sheriff was usually a former badguy with a badge.

Re:Wild, wild west

Smells like pro-gun propaganda to me.

Off the top of my head... having a lower population density would have something to do with it too... no significant drug problems other than alcohol (and probably few 'traffic' fatalities resulting from that)

Unemployment levels are actually a good predictor of crime rates too.

And in small agrarian communities everyone knows your name. If you jack somebody in a small town everyone is going to have a good guess who did it, including the guy's family.

Any number of things other than everyone is toting a six-shooter to consider...

Of course these viruses are for posturing

The only reason anyone writes a virus these days is to do it. Even when there's an added payload (like a DDOS to www.sco.com), the virus is out there solely to be out there. The fact that it's due to rivaling gangs makes perfect sense.

If someone were to write a truly destructive virus (you open it, it sends itself to everyone in your inbox, then promptly writes random data over your hard drive) then we'd really see people start to take viruses seriously.

Even the most "destructive" viruses in recent history have wimped out in some way -- just consider Michelangelo, which was hard-coded to become destructive at a much later date, long after it would be discovered and patches written.

Re:Of course these viruses are for posturing

You're just plain wrong.

People are beginning to write viruses for money. Witness the latest ICQ worm that monitors and relays all HTTPS and i-banking data back to HQ. It was modular and appeared to be written by a team of programmers.

Klez and Bagle also both seem like for-profit endeavors. Klez seemed to be a team perfecting their methods in such a way that they were sure the world's security wouldn't clamp down in response: They had a sunset written into the program. I guarantee you there are hundreds of thousands of people with Klez on their computer out there that never got cleaned up. For a long while, after every sunset they released a slightly improved product.

Once they got it right, they stopped. Maybe they're working on new methods, another virus, or they're looking for some spammer to pay them for 100,000 free mail relays before they release again.

But it's not just for posturing. It's organized crime. They're going to get paid.

Virus gangs

...kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club...

Seems like virus writers also got oursourced to India!!

Maybe...maybe not

Remember the first MyDoom variant had programmer comments in them and people were speculating that it was an attack on SCO because of the DDoS that was set in motion. Later we found out more details and it seemed that the DDoS was just the misdirect designed to fool the media. It worked, and all the media stories faithfully reported the SCO angle. But the real purpose of MyDoom is to create zombie machines for spamming. That angle was mostly overlooked, but is the most important part of the story. Investigation seemed to point to Russia as an origin point, and possibly organized crime behind it all.

With that in mind, those programmer comments being reported now, although they do seem to show a gang war, may just be more misdirection and once again the media fell for it. If it really is the spammers behind it all, and criminal elements doing it (yeah, I know, "spammers" and "criminal elements" are redundant), this gang war idea may just be more cover.

Meanwhile there are millions of zombie Windows boxes around the world with clueless owners not realizing they are 0wn3d. That's the real story the media should be following up on.

little damage

Typically these viruses (or more correctly, worms) do little damage to the infected computer,
maybe little damage to the computer itself, but they definitely cost a company in terms of IT support calls, and loss productivity. Even though this cost is not easy to measure, but is certainly not a small amount.

Is anyone else seeing this and thinking

Of Neal Stephenson's thing about how in the future when you go outside you'll have to breathe through a hankerchief, a la 19th-century london, because the air will be filled with millions of malicious nanobots, and millions of helpful nanobots neatly neutralizing the malicious ones, and millions of meta-malicious nanobots that only exist to disable the neutralizers... just one big no-net-effect hacker arms race.

I wonder how long it will be and how much futher adoption of windows server operating systems we'll have to see before internet traffic starts to look like that.

So move to a better neighborhood

If being the victim of a Microsoft worm is like being caught in the crossfire of a gang war, there's a simple solution: stay out of the line of fire. If you had a choice between one house in a safe neighborhood, and another house of roughly the same price in a neighborhood where bullets from the local crack dealers were coming through your walls at three in the morning, where would you choose to live?