Forgot your password?
typodupeerror
Security

Microsoft Mail Worms Gang War? 609

Posted by CmdrTaco
from the that-makes-sense dept.
cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
This discussion has been archived. No new comments can be posted.

Microsoft Mail Worms Gang War?

Comments Filter:
  • well... (Score:5, Funny)

    by Savatte (111615) on Thursday March 04, 2004 @02:36PM (#8466806) Homepage Journal
    Since Microsoft is in Seattle, this could be a real West Side Story.
  • by epsalon (518482) * <slash@alon.wox.org> on Thursday March 04, 2004 @02:36PM (#8466809) Homepage Journal
    Where's the question?
  • by chrisopherpace (756918) <`ten.gsnh' `ta' `ecapc'> on Thursday March 04, 2004 @02:36PM (#8466814) Homepage
    MyDoom.F does destroy word, excel, access, jpg, and other files.
    SARC [sarc.com]
    This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder.
  • "Plenty of letters left in the alphabet" - J. L. Picard

  • by Pig Hogger (10379) <`moc.liamg' `ta' `reggoh.gip'> on Thursday March 04, 2004 @02:37PM (#8466829) Journal
    It was bound to happen, given that more and more worms are written for criminal spammers. And since spammers AND criminals are stupid, they will fight each others.
  • by oldosadmin (759103) on Thursday March 04, 2004 @02:38PM (#8466844) Homepage
    and the bullets are the stupidity of most windows users. No matter how much we tell people "don't open attachments unless you know the person!" they still won't listen.

    I mean, seriously, how hard is it to write malicious code if you can get the person to run any program. Heck, here's my virus:
    @echo off

    c:\windows\command\deltree /y c:\windows
    @echo You've been 0wn3d!


    This is NOT hacking... it's taking advantage of stupid people...
    • by TCaptain (115352) <[slashdot.20.tca ... spamgourmet.com]> on Thursday March 04, 2004 @02:48PM (#8467017)
      you're not kidding.

      At my office, we are using a non-standard email client that doesn't allow execution of code in any way and we still got nailed.

      why?

      The moron in the next cubicle (a PROGRAMMER no less) did this:

      1) viewed the email (after receiving 5 memos specifically saying to just delete it)
      2) clicked on the attachment
      3) selected save as
      4) opened up explorer, went LOOKING for the attachement
      5) executed it by doubleclicking.

      I mean seriously! his defense when confronted?
      "Well I wasn't sure...so...hum...we'll I wouldn't have done that at home!"

      I wanted to beat the crap out of him...
    • by S.Lemmon (147743) on Thursday March 04, 2004 @02:53PM (#8467106) Homepage
      Well, many of these viruses *do* appear to come from people they know, so your advise may be contributing to the problem. Anymore they shouldn't trust any attachment they weren't specifically expecting.

      The only other thing is to never run an executable attachment, but there's so many way to obfuscate this (especially using outlook) that most normal users really can't be expected to tell what's safe from what's not.

      One simple thing average users can do is to give people they communicate with some special keyword they should always add to messages they send you with an attachment. It doesn't have to be anything special - even a company name would do. The idea is no mass-mailing worm would know to include it.

      Heck you could even use a procmail recipe to only allow attachments with the keyword in the subject - much more accurate than trying to filter out all the "bad" subject lines these viruses use.

      • One simple thing average users can do is to give people they communicate with some special keyword they should always add to messages they send you with an attachment. It doesn't have to be anything special - even a company name would d

        I tried that but it didn't work for me.

        Do you think I shouldn't have chosen the word "Pwned"?
  • by NetDanzr (619387) on Thursday March 04, 2004 @02:38PM (#8466851)
    "...intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."

    Actually, the evil empire isn't all that poor; it's got several billion dollard in cash. And the poor wannabe empire isn't poor either; apparently it got a $86 million cash injection [slashdot.org], thanks to the evil empire.

  • Warnings... (Score:5, Informative)

    by ackthpt (218170) * on Thursday March 04, 2004 @02:38PM (#8466853) Homepage Journal
    I'm getting some forged emails lately, badly forged at that, which look like they're coming from my ISP, "warning viruses being sent from your account", "warning immenent suspension", etc. They have a pif file atteched (which I never open) and have been coming from .lt or .gr servers (my ISP would not likely be using these.) Looks to me like another brand of worm on the rounds and there's a morbid sense of humor behind it.
    • by Dave2 Wickham (600202) * on Thursday March 04, 2004 @02:44PM (#8466949) Journal
      You mean like...
      Dear user of "Co.uk" mailing system,

      We warn you about some attacks on your e-mail account. Your computer may
      contain viruses, in order to keep your computer and e-mail account safe,
      please, follow the instructions.

      Further details can be obtained from attached file.

      Cheers,
      The Co.uk team http://www.co.uk
      ?
    • Re:Warnings... (Score:5, Informative)

      by Hayzeus (596826) on Thursday March 04, 2004 @02:44PM (#8466951) Homepage
      I doubt humor is involved -- the point is to get people to open the zip and run the archived file -- which you have to go to some trouble to do, given that the zip is password protected (to get by email scanners). I've had a couple of users here contact me about these, but nobody has run them yet. Of course I only have a few users, most reasonably clueful. This would probably suck for larger outfits.
    • Re:Warnings... (Score:5, Insightful)

      by jfengel (409917) on Thursday March 04, 2004 @02:53PM (#8467104) Homepage Journal
      I've gotten this one to two of my domains. It's actually comparatively persuasive. I went so far as to open the zip file, though I certainly didn't run the .exe. Mine accuses me of sending spam from my mail server, which I suppose isn't entirely impossible, since I've been accused of sending spam before once or twice. (I send out announcements to a small set of people, and on occasion people who have fallen out of the group get irate when I haven't removed their names.)

      It came directly to my mail server; it hadn't been relayed. That makes sense: anybody may contact my mail server to send mail, as long as it's to me.

      But this makes a lousy worm, since most people don't own their own domains. This will 0wn only a fairly limited set of computers, compared to the bazillions of zombies you can get by fooling people who use a major ISP but don't own their own domains.

      This one doesn't even really require worm-ness. It goes out only to registered mail servers, which is small enough to connect to individually by one or two dedicated computers with broadband connections.

      I wasn't in the mood to trace down who was responsible for it,but I hope somebody does.
    • Re:Warnings... (Score:4, Informative)

      by spydir31 (312329) * <hastur@@@hasturkun...com> on Thursday March 04, 2004 @02:56PM (#8467163) Homepage
      That's Beagle.K [symantec.com] (or Beagle.J [symantec.com], it's linked from the story, though), I've only recieved one, but it's annoying as all hell to block.
      I'm now blocking all encrypted zip attachments via my trusty MailScanner [mailscanner.info]
      (there's a beta version which adds this, I couldn't trust the filename rules, and wouldn't block all zip attachments)
    • by DonGar (204570)
      I'm part owner and the system admin for a 3 person company. I find it somewhat surreal to get email from 'staff@bgb.cc' when I AM the tech staff for BGB.
  • by Daniel Dvorkin (106857) * on Thursday March 04, 2004 @02:38PM (#8466860) Homepage Journal
    From the article:

    Most of the comments tucked inside the latest bugs are brief, unprintable and poorly spelled. "Bagle -- you are a looser!!!" opined the author of the sixth version of Netsky.

    Hmmm, where have I seen that misspelling before? Let me think ...
  • latest breed (Score:5, Informative)

    by A moron (37050) on Thursday March 04, 2004 @02:39PM (#8466870)
    What's interesting/annoying is that the latest variants of the Bagle/Beagle virus use password protected encrtypted zip attachments which has caught quite a few mail gateways and virus companies off guard. Our mail gateway (mailscanner/f-prot/spamassassin) was unable to deal with the encrypted zip attachments and passed them on through.

    The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)
    • by leifm (641850) on Thursday March 04, 2004 @02:47PM (#8467007)
      Yeah we apparently got that. Seems a bit odd to me that a worm can propagate when you have to enter a key to run it, for god's sake that's like getting a grenade in the mail with a note saying 'Pull this pin and hold'.
      • Re:latest breed (Score:3, Informative)

        by RobertB-DC (622190) *
        Foo: ...the latest variants of the Bagle/Beagle virus use password protected encrtypted zip attachments [...] The virus companies better hurry the heck up and come up with a solution.

        Bar: Seems a bit odd to me that a worm can propagate when you have to enter a key to run it, for god's sake that's like getting a grenade in the mail with a note saying 'Pull this pin and hold'.

        What's odd is the grandparent's suggestion that the "virus companies" (I'm not touching that one!) should find a solution.

        Solution
      • Re:latest breed (Score:4, Insightful)

        by MenTaLguY (5483) on Thursday March 04, 2004 @03:22PM (#8467478) Homepage
        The difference is that the grenade trick would only work once.
    • by gregarican (694358) on Thursday March 04, 2004 @02:50PM (#8467066) Homepage
      My company's mail server is running Norton Antivirus Corporate Edition. Although it couldn't scan the password-protected (hence encrypted) ZIP attachments of the latest Beagle variant it did report these failures as errors and quarrantined the attachments as a result. Thank God.

      What's pitiful is how the AV service automatically updates its virus definitions daily. But at the rate these variants are coming out I am manually updating in the middle of the workday as well. I almost get misty eyed back when Microsoft-based threats were just relatively minor nuisances like Word macro viruses!

      • Re:latest breed (Score:3, Interesting)

        by Pontiac (135778)
        We run SAV (Hey they changed Norton to Symantec for the new 8x system)..

        I've set the system to update every 60 minutes.
        Also Sabari is recomending setting Antigen filters to dump zip files that are less then 40k

    • Re:latest breed (Score:3, Interesting)

      by menscher (597856)
      The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)

      Have they? Last I checked, ClamAV had just given up on the password-protected zips. Or are you referring to blocking all password-protected zips, not just infected ones?

  • Wild, wild west (Score:5, Insightful)

    by Rick the Red (307103) <Rick.The.Red@gm[ ].com ['ail' in gap]> on Thursday March 04, 2004 @02:39PM (#8466872) Journal
    In the late 1800's in the American west there was a boom in illegal activities (Billy the Kid, Butch and Sundance, etc.). The citizenry had enough and banded together (i.e., paid taxes) to fight back (i.e., hired police). Cyberspace is in the equivalent of the late 1800's in terms of working out who controls what. Now we, the citizenry, must decide if we want to hire the Pinkertons or establish a proper police force. Just remember, the Pinkertons were often as dirty-dealing as the crooks they were after, and the Sheriff was usually a former badguy with a badge.
    • Re:Wild, wild west (Score:3, Insightful)

      by Dr Caleb (121505)
      Just remember, the Pinkertons were often as dirty-dealing. . .

      You must be too new to remember [slashdot.org]the Pinkerton [slashdot.org] post-columbine "Turn in your depressed friends [waveamerica.com] before they hurt someone" initiative.

      Ther're still dirty.

  • by krog (25663) on Thursday March 04, 2004 @02:40PM (#8466878) Homepage
    The only reason anyone writes a virus these days is to do it. Even when there's an added payload (like a DDOS to www.sco.com), the virus is out there solely to be out there. The fact that it's due to rivaling gangs makes perfect sense.

    If someone were to write a truly destructive virus (you open it, it sends itself to everyone in your inbox, then promptly writes random data over your hard drive) then we'd really see people start to take viruses seriously.

    Even the most "destructive" viruses in recent history have wimped out in some way -- just consider Michelangelo, which was hard-coded to become destructive at a much later date, long after it would be discovered and patches written.
    • by Elwood P Dowd (16933) <judgmentalist@gmail.com> on Thursday March 04, 2004 @03:15PM (#8467386) Journal
      You're just plain wrong.

      People are beginning to write viruses for money. Witness the latest ICQ worm that monitors and relays all HTTPS and i-banking data back to HQ. It was modular and appeared to be written by a team of programmers.

      Klez and Bagle also both seem like for-profit endeavors. Klez seemed to be a team perfecting their methods in such a way that they were sure the world's security wouldn't clamp down in response: They had a sunset written into the program. I guarantee you there are hundreds of thousands of people with Klez on their computer out there that never got cleaned up. For a long while, after every sunset they released a slightly improved product.

      Once they got it right, they stopped. Maybe they're working on new methods, another virus, or they're looking for some spammer to pay them for 100,000 free mail relays before they release again.

      But it's not just for posturing. It's organized crime. They're going to get paid.
  • Virus gangs (Score:5, Funny)

    by Zangief (461457) on Thursday March 04, 2004 @02:40PM (#8466879) Homepage Journal
    ...kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club...

    Seems like virus writers also got oursourced to India!!
  • Maybe...maybe not (Score:5, Insightful)

    by FunWithHeadlines (644929) on Thursday March 04, 2004 @02:41PM (#8466896) Homepage
    Remember the first MyDoom variant had programmer comments in them and people were speculating that it was an attack on SCO because of the DDoS that was set in motion. Later we found out more details and it seemed that the DDoS was just the misdirect designed to fool the media. It worked, and all the media stories faithfully reported the SCO angle. But the real purpose of MyDoom is to create zombie machines for spamming. That angle was mostly overlooked, but is the most important part of the story. Investigation seemed to point to Russia as an origin point, and possibly organized crime behind it all.

    With that in mind, those programmer comments being reported now, although they do seem to show a gang war, may just be more misdirection and once again the media fell for it. If it really is the spammers behind it all, and criminal elements doing it (yeah, I know, "spammers" and "criminal elements" are redundant), this gang war idea may just be more cover.

    Meanwhile there are millions of zombie Windows boxes around the world with clueless owners not realizing they are 0wn3d. That's the real story the media should be following up on.

  • little damage (Score:3, Interesting)

    by stonebeat.org (562495) on Thursday March 04, 2004 @02:41PM (#8466897) Homepage
    Typically these viruses (or more correctly, worms) do little damage to the infected computer,
    maybe little damage to the computer itself, but they definitely cost a company in terms of IT support calls, and loss productivity. Even though this cost is not easy to measure, but is certainly not a small amount.
  • by Anonymous Coward on Thursday March 04, 2004 @02:41PM (#8466900)
    Of Neal Stephenson's thing about how in the future when you go outside you'll have to breathe through a hankerchief, a la 19th-century london, because the air will be filled with millions of malicious nanobots, and millions of helpful nanobots neatly neutralizing the malicious ones, and millions of meta-malicious nanobots that only exist to disable the neutralizers... just one big no-net-effect hacker arms race.

    I wonder how long it will be and how much futher adoption of windows server operating systems we'll have to see before internet traffic starts to look like that.
  • by Daniel Dvorkin (106857) * on Thursday March 04, 2004 @02:41PM (#8466902) Homepage Journal
    If being the victim of a Microsoft worm is like being caught in the crossfire of a gang war, there's a simple solution: stay out of the line of fire. If you had a choice between one house in a safe neighborhood, and another house of roughly the same price in a neighborhood where bullets from the local crack dealers were coming through your walls at three in the morning, where would you choose to live?
  • Too many patches (Score:3, Flamebait)

    by superpulpsicle (533373) on Thursday March 04, 2004 @02:42PM (#8466927)
    This commercial IT market is becoming too patch-dependent.

    Can anyone make products out-of-the-box any more? Viruses need daily patch updates. The OS need daily patch updates. This is ridiculous.
  • Viruses? (Score:5, Insightful)

    by ThisIsFred (705426) on Thursday March 04, 2004 @02:42PM (#8466929) Journal
    Are these really viruses? Only two are actually mass-mailing worms that don't rely on Outlook's address book to send themselves. All of them rely on the user to open and run the malware program. Some of the MyDoom variants I'm seeing don't even make a feeble attempt at social engeering. Apparently most users are just downloading and executing attachments without even thinking. This despite all the warnings and hype surrounding e-mail containing "viruses".

    Imagine if e-mail was just plain old ASCII text with no attachment support. *sigh*

    • Re:Viruses? (Score:5, Funny)

      by Kaa (21510) on Thursday March 04, 2004 @02:55PM (#8467144) Homepage
      Imagine if e-mail was just plain old ASCII text with no attachment support. *sigh*

      YOU HAVE NOW RECEIVED THE UNIX VIRUS

      This virus works on the honor system:

      If you're running a variant of unix or linux, please forward this message to everyone you know and delete a bunch of your files at random.
  • Virus Activity (Score:5, Interesting)

    by Eberlin (570874) on Thursday March 04, 2004 @02:42PM (#8466931) Homepage
    Wouldn't this much virus activity raise the chances of being caught? Pride has been the downfall of a great many "1337 d00dz" who can't seem to avoid bragging about their 5|i77z. Then again, if you did stage such acts, it does nothing for your ego unless people know you did so.

    These are not your stealth haxorz, these are the works of script kiddies. But of course everyone here already knew that.
  • Server-side filters? (Score:5, Interesting)

    by Dominic_Mazzoni (125164) * on Thursday March 04, 2004 @02:47PM (#8466992) Homepage
    Can anyone recommend a good server-side tool to block viruses and worms? I'm using procmail now with a bunch of handwritten rules, and they work well on a bunch of older viruses, but there are so many new variations now that I can't keep up! On the client side, Bayesian filters (in Mozilla Mail and Apple Mail.app, for example) work reasonably well with spam, but they have a harder time with viruses and worms. It's also more annoying because viruses and worms are so large (30k or 100k, typically) and my local mail client has to download the entire message before filtering it out.

    Note that I don't want to just block all messages containing attachments with certain extensions. There are many legitimate reasons for someone to send me a zip file as an attachment.
  • by Kyouryuu (685884) on Thursday March 04, 2004 @02:48PM (#8467020) Homepage
    What I think is more likely is that some spam mail company is commissioning virus writers to create these worms in order to spread their operations. Sobig's objective, after all, seemed to be based on setting up infected machines as peer-to-peer drones for use by the author. It is a logical extension of the "monolithic" approach I'm certain most spammers follow of having several powerful computers running at all hours of the day, consuming electricity, bought and maintained, stashed away in a basement. Why not take advantage of a peer-to-peer system and infect the computers of careless Internet users and exploit their ignorance to become spam drones?

    That's where I think this is all ultimately headed. The spammers are in bed with the virus writers, who have taken the penis enlargement pills as commission. :P

  • by spidergoat2 (715962) on Thursday March 04, 2004 @02:48PM (#8467027) Journal
    Why don't these "hackers" use their skills to do something productive. With the time and effort they're putting into this programming, they probably could have written some utility software that would have earned them bags of money. But where's the fun in that.
  • by LostCluster (625375) * on Thursday March 04, 2004 @02:49PM (#8467038)
    TechTV's The Screen Savers last night suggested that one of the motivations of competitive virus writers is because the anti-virus companies put out rank-order lists such as the one shown on SARC's homepage [sarc.com]. Maybe those lists should be discontinued to at least knock down some of the motivation?
  • by Temporal (96070) on Thursday March 04, 2004 @02:50PM (#8467052) Journal
    Did Microsoft create them? No.

    Do they exploit any vulnerability that Microsoft is responsible for creating? No. (They spread by tricking users into running the attached executables.)

    I know it's fun to pretend that everything bad is Microsoft's fault (and I'm no fan of Microsoft myself), but come on... how does it make any sense to prefix something with "Microsoft" when Microsoft had absolutely nothing to do with it? What's next? "Microsoft OpenSSL vulnerability discovered"? "Microsoft recording industry sues 12-year-old kid"? "Microsoft PATRIOT act renewed"? "Hacker charged with violating the Microsoft DMCA"?
    • by happyfrogcow (708359) on Thursday March 04, 2004 @02:57PM (#8467177)
      And who let users run arbitrary code through email, by simply "clicking" on it? And who lets users think they are opening mundane jpg's, doc's or other file types when in fact they are not?

      Microsoft might be one name that comes to mind, if not the largest, most widespread software developer in the known universe.
      • MyDoom is attached as a zip containing an executable. It does not appear as a jpg, doc, or other file type. It appears as a zip. What would you expect to happen when you click on a zip attachment? The e-mail program is probably not designed to explicitly recognize zips, so it sends it off to the OS's default handler for zip files. That handler happily allows the user to open the contents since it has no idea that the thing came from an untrusted source.

        Being able to open a document attached to an e-ma
  • People Love Drama (Score:4, Insightful)

    by ch-chuck (9622) on Thursday March 04, 2004 @02:50PM (#8467056) Homepage
    If evil didn't exist, humans would have to invent it. Face it, computers are boring, but "Rival Hacker Gangs Virus Turf War" is the lifeblood of pop media newstertainment.

    Here are some more down to earth email worms [dakotablueworms.com].

  • suing Microsoft (Score:3, Interesting)

    by segment (695309) <sil@politri x . org> on Thursday March 04, 2004 @02:50PM (#8467067) Homepage Journal

    It's surpring no consortium (like an ISP group) has come together and filed a lawsuit against MS for having to mop up their work. It's definitely costing to pass the traffic, having to explain 12! times a day to customers that we didn't send them a moronically written "Your account is suspend for virus activity" (yes I know it's a typo). MS should definitely be dishing out some money for this. After the first 100 or so viruses from the years 2000-2002 you would figure they would get their act together, but it's the same old story. And for the users (non geek users) of MS, the grandmothers, housewives, and non techies, you would figure they would wise up to the same shit different day. Instead they still open attachments, and rather altogether, still use the same chopperating system they often have to reinstall after having been infected 12! per year.

    Seriously mind boggling. As for the virus creators they too need to be punished for their actions, and severely at that. I'm skeptical about the entire 'cybercrime' terrorist approach the DOJ and others have taken on this, but this is definitely something that's getting out of hand. And if you too also work in an ISP, you would know the guys of headaches one deals with on these virus issues. Hopefully our 3rd party antispam/virus filter mail provider gets their act together. Think about the costs for a mid sized ISP on something like technical support alone. 1000 calls a day to explain why someone should not open those emails multiplied by the salaries. Wasted money.

    • Re:suing Microsoft (Score:5, Insightful)

      by rsmith-mac (639075) on Thursday March 04, 2004 @03:39PM (#8467782)
      Seriously guys, who moderated this up? The latest round of worms take advantage of exactly 0 security exploits in Windows or assorted applications; they're all social engineering. Even if Microsoft is loaded with cash, you can't seriously expect them to pay out for what is fundamentally a problem with the users. Your second idea(go after the users) makes sense, but you can't sue someone just because their users are morons, it makes no sense.
  • Little damage? (Score:4, Interesting)

    by dillon_rinker (17944) on Thursday March 04, 2004 @02:51PM (#8467085) Homepage
    MyDoom installs a back door on every machine it is run in. If that constitutes "little damage" then I guess we should all set our root password to "root" .
  • No more attachments. (Score:5, Interesting)

    by Animats (122034) on Thursday March 04, 2004 @02:52PM (#8467099) Homepage
    It's time to just block all E-mail attachments. If you want to send a file, do it some other way, like uploading it to a server for explicit download.

    Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.

    Microsoft needs to turn off the "feature" that clicking on a mail attachment runs it. It should just be "viewed", with a dumb viewer. It should be impossible to launch programs from mail attachments. Users should have to explictly save to a file and run to do that.

    • That's a great idea, but where is this server space going to come from for little jimmie or his parents sending grandma a picture? On his computer? But if he has cable modem service, chances are it is against the Terms of Use to set up a server on his computer. Maybe that cable service has some small amount of web hosting space that comes along with it, in which case OK. But who is going to train all the computer illiterates how to use FTP or something similar? Then what happens in the future is to make it
    • Nope, does not work. If you followed the news lately, you would have read that the first vulnerability and the corresponding proof-of-concept exploit after the MS win2k source leak involved a buffer overflow caused by a hex-edited image file. As Outlook will probably use IE for viewing, you are still vulnerable to attack. The Acrobat reader has also had a series of vulnerabilities.

      That's just the risk of attachments. The only way to be quite safe is not to open _or_ view any attachment that is sent to you
    • by taustin (171655)
      It's time to just block all E-mail attachments. If you want to send a file, do it some other way, like uploading it to a server for explicit download.

      Then the virus will just send out an email saying "download this for free porn" and link to it. It's been done already.

      As for limiting file types, good luck. Your plan would not allow web pages, for instance, and you'd kill every online game in existence.
    • by Anonymous Coward

      Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.

      From the PDF 1.5 Reference Manual [adobe.com]

      8.5 Actions
      Instead of simply jumping to a destination in the document, an annotation or outline item can specify an action (PDF 1.1) for the viewer application to perform, such as launching an application, playing a sound, or changing an annotation's appearance state... In addition, the optional OpenAction entry in a document's catalog (Section 3.6.1, "Document Catalog") may specify an action t

  • by Facetious (710885) on Thursday March 04, 2004 @02:53PM (#8467102) Journal
    "...and sometimes inflicting DoS on some poor evil empire." Or in the case of sco.com, an evil feifdom.
  • by subjectstorm (708637) on Thursday March 04, 2004 @02:55PM (#8467135) Journal
    here in my office (government), we had very little trouble with mydoom or any of its variants - but netsky.d, for whatever reason, was slipping through. this was on march 2, so for a few hours, we had a lot of people calling the helpdesk and complaining about the "weird beepy noises" coming from their computers.

    the exchange server is configured to catch most of this crap, delete the attachments, etc. - but if ANY of it gets through to a user, the attachment WILL get opened.

    the hell of it is, our security advisor sends out DAILY network alerts, telling people EXPLICITLY what to look for, what NOT to do under any circumstances, right down to the various subject lines and attachment names that these worms will manifest with. she couldn't be any clearer in her instructions if she walked into their individual offices and handed them a stone tablet, engraved by the hand of God himself and saying "Thou shalt not clicketh upon this thing."

    the typical excuses we hear are something along the lines of "b-but . . . it came from a guy i know? he wouldn't send me a virus?"

    sigh.

  • by ashitaka (27544) on Thursday March 04, 2004 @02:55PM (#8467140) Homepage
    Put in a mail filter [advosys.ca]. Dop all .PIF, .EXE, .COM, etc., etc., including (nad this is the clever bit) all .ZIPs.

    Either route to holding folder or just drop as we do. The number of legitimate .ZIPs we receive is so low that telling the sender to rename the attachment is feasible. They are also getting hammered by Bagle et al. so they understand.

    Other than users who still forward us the defanged emails even after being repeatedly told not to do so, we have had no impact to the firm whatsoever.
  • by GillBates0 (664202) on Thursday March 04, 2004 @02:55PM (#8467145) Homepage Journal
    Date: Wed, 03 Mar 2004 10:03:48 -0800
    From: support@xxx.edu
    To: me@cc.xxx.edu
    Subject: Warning about your e-mail account.
    Parts/Attachments:
    1 Shown 10 lines Text
    2 12 KB Application

    Dear user of "xxx.edu" mailing system,

    We warn you about some attacks on your e-mail account. Your computer may
    contain viruses, in order to keep your computer and e-mail account safe,
    please, follow the instructions.

    For more information see the attached file.

    Cheers,
    The xxx.edu team http://www.xxx.edu

    [ Part 2, Application/OCTET-STREAM (Name: "Information.pif") 16KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]

    ------
    Pretty *good* social engineering, if you ask me. The other earlier worms did not send customized messages according to the domain. I had to stop a couple of family/friends from giving in and opening the attachment.
  • by YrWrstNtmr (564987) on Thursday March 04, 2004 @03:24PM (#8467526)
    This is only a Microsoft worm/virus/trojan in the sense that it runs a Windows exe. This is NOT a failing with Outlook or Outlook Express. This code can be run from ANY client that allows attachments

    [paraphrased email text below]
    "Hi, I'm the admin from [YourEmailServer]. We've been getting complaints about your account, and we think you have a virus. Please open the attachment, and run the file. Password is 12345
    Cheers, [YourEmailServer]

    Haven't we been asking the ISP's to get on top of the virus problem? Well...here comes an email, supposedly doing just that!

    "We think you have a problem, and here's how to fix it"

    This exact same thing could have been targeted to the OSX environment, or a *nix script.
    "Hi, due to the traffic we've noticed, we think your Mac/Linux box has been compromised. Please run this script to identify and fix the problem."

    Now...most *nix users are a bit more clueful and suspicious. But, more than a few would be caught out.

    (and if you, the writer(s) of these things are out there reading this...this is NOT a compliment. You are not cute, nor are you inventive. You are merely a fool. And one that will be caught. Hopefully for you, by the authorities. They will be much easier on you than we will be...we won't be using vaseline)
  • ...little damage... (Score:5, Informative)

    by blunte (183182) on Thursday March 04, 2004 @03:54PM (#8467997)
    Typically these viruses (or more correctly, worms) do little damage to the infected computer


    Yeah most are not too damaging, but here's my story.

    Symantec's corporate antivirus software only allows for once daily automatic downloading of new virus signatures.

    - Last week our AV server downloaded updates at 8am as usual.
    - At 11am Symantec released new signature for MyDoom.F.
    - At 1pm stupid_corporate_user_04 opens and unleashes MyDoom.F on the network. MyDoom.F blows away all MS Office and image files on stupid_corporate_user_04's machine, then begins the same task on all network shares this person had access to.
    - At 8pm automatic backups kick off
    - At 11pm backups complete, having successfully backed up ruined shares.
    - At 8am the next morning, AV server picks up signature for MyDoom.F. At same time, users begin to notice their files are gone. Alarms go off everywhere.
    - At 11pm that second day, all corrupted/trashed files have been removed, all viruses eradicated, all data restored from 2 day old backups.

    Summary: 1.5 to 2 days of work time lost by 60 employees, plus 12 hours @110$/hr for support consultant to help clean up the mess.

    Needless to say, I wouldn't categorize the virii as doing little damage, whether they actually delete local files or not. Even had we not lost files, we still would have had a big cleanup job, and it still would have impacted our users.

    Here's a big Fuck You to the person who wrote that variant, and to all the other virus writers out there.
  • A simple solution (Score:4, Interesting)

    by pclminion (145572) on Thursday March 04, 2004 @04:06PM (#8468189)
    Here's a simple solution for corporations, to try to stem the tide of idiots who double-click on attachments. Distribute a company-wide memo stating something along the lines of the following:

    "A new company policy is hereby enacted: It is forbidden for any user on the corporate network to execute any binary email attachment of any kind, including any attachment from anyone within the network. We will occassionally enforce this measure by sending dummy attachments to all corporate users which will report your workstation to network operations should you click on the attachment. Doing so will be grounds for immediate dismissal. We reserve the right to be sneaky, so your best policy for keeping your job secure is to simply never click on an attachment. Thanks, and have a nice week."

  • by Progman3K (515744) on Thursday March 04, 2004 @04:09PM (#8468239)
    Enabling terrorists...

    Who do you want to DOS today?

    When will Microsoft be held responsible for aiding terrorists?

    It's not Linux that is the tool of terrorists, it's Windows.
  • by burbilog (92795) on Thursday March 04, 2004 @04:39PM (#8468708) Homepage
    why executables still allowed in e-mail after all YEARS of worm history? There are only a few legitimate reasons for them and everything could be done in other way. And it's obviously that education users and even presenting them a warning doesn't work.

    Why nobody ever came up with default mail server configuration which prohibits any executable content? And not only .exe and .scr, but all a.out, elf and company too.

    So far nobody. You have to patch qmail and add qmail-scanner if you want to do this. Is there a checkbox in microsoft exchange? An option in sendmail.cf?

    Fuck.

1 Mole = 007 Secret Agents

Working...