Microsoft Mail Worms Gang War?
cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
I would like to point out... (Score:5, Informative)
SARC [sarc.com]
This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder.
Warnings... (Score:5, Informative)
Re:Turf? (Score:5, Informative)
latest breed (Score:5, Informative)
The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)
Re:Warnings... (Score:5, Informative)
It's real simple people... (Score:3, Informative)
Either route to holding folder or just drop as we do. The number of legitimate
Other than users who still forward us the defanged emails even after being repeatedly told not to do so, we have had no impact to the firm whatsoever.
Pretty good social engineering this time (Score:5, Informative)
From: support@xxx.edu
To: me@cc.xxx.edu
Subject: Warning about your e-mail account.
Parts/Attachments:
1 Shown 10 lines Text
2 12 KB Application
Dear user of "xxx.edu" mailing system,
We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.
For more information see the attached file.
Cheers,
The xxx.edu team http://www.xxx.edu
[ Part 2, Application/OCTET-STREAM (Name: "Information.pif") 16KB. ]
[ Cannot display this part. Press "V" then "S" to save in a file. ]
------
Pretty *good* social engineering, if you ask me. The other earlier worms did not send customized messages according to the domain. I had to stop a couple of family/friends from giving in and opening the attachment.
Re:Warnings... (Score:4, Informative)
I'm now blocking all encrypted zip attachments via my trusty MailScanner [mailscanner.info]
(there's a beta version which adds this, I couldn't trust the filename rules, and wouldn't block all zip attachments)
Re:latest breed (Score:3, Informative)
Bar: Seems a bit odd to me that a worm can propagate when you have to enter a key to run it, for god's sake that's like getting a grenade in the mail with a note saying 'Pull this pin and hold'.
What's odd is the grandparent's suggestion that the "virus companies" (I'm not touching that one!) should find a solution.
Solution to what? Clueless users who blindly follow any official-sounding directions they receive in email?
In defense of the clueless users, though, the latest email had halfway decent human engineering. I didn't get it, but our IT Security folks sent a warning about it. Here's the message -- note that site is our corporate web site. If you overlook the obviously broken English ("Pay attention on attached file."), you could almost convince yourself:
actually (Score:1, Informative)
(that's east side of Lake Washington, for you non-residents).
Re:Server-side filters? (Score:3, Informative)
and/or
AMaViS [amavis.org]
Re:Is the problem really hard to fix? (Score:4, Informative)
Or alternately (Score:3, Informative)
Re:Server-side filters? (Score:2, Informative)
...little damage... (Score:5, Informative)
Yeah most are not too damaging, but here's my story.
Symantec's corporate antivirus software only allows for once daily automatic downloading of new virus signatures.
- Last week our AV server downloaded updates at 8am as usual.
- At 11am Symantec released a new signature for MyDoom.F.
- At 1pm stupid_corporate_user_04 opens and unleashes MyDoom.F on the network. MyDoom.F blows away all MS Office and image files on stupid_corporate_user_04's machine, then begins the same task on all network shares this person had access to.
- At 8pm automatic backups kick off
- At 11pm backups complete, having successfully backed up ruined shares.
- At 8am the next morning, AV server picks up signature for MyDoom.F. At same time, users begin to notice their files are gone. Alarms go off everywhere.
- At 11pm that second day, all corrupted/trashed files have been removed, all viruses eradicated, all data restored from 2 day old backups.
Summary: 1.5 to 2 days of work time lost by 60 employees, plus 12 hours at $110/hr for a support consultant to help clean up the mess.
Needless to say, I wouldn't categorize the virii as doing little damage, whether they actually delete local files or not. Even had we not lost files, we still would have had a big cleanup job, and it still would have impacted our users.
Here's a big Fuck You to the person who wrote that variant, and to all the other virus writers out there.
Re:Yeah, it's a gang war alright... (Score:1, Informative)
don't open email attachments, delete them
if you get email from someone you do not know with an attachment delete the email
if you get an email from someone you know with an attachment you aren't expecting delete the email and contact the person who appears to have sent you the email
if you get an email with an attachment you are expecting but it does not look correct - email is poorly written, bad grammar, ambiguous or perhaps threatening wording - delete the email and contact the IS department.
We even have a special email account set aside so people can forward potentially suspect emails where they can be opened and examined (no, they are not read with any email client)
It's been pretty successful in our small company and easier to accomplish in our small company. It's too bad we were sold to a larger company as I would have been curious to know if we would be able to maintain this level of awareness in the staff as we grew larger. I am only hoping that our people will continue to be aware of the email they are getting and the attachments and that they can teach a few others this deceptively easy thing.
Of course they are, and should be, running up to date antivirus software updated at least weekly, if not more frequently.
procmail recipe for bagle.j (Score:1, Informative)
:0 B
* UEsDBAoAAAAAA
/dev/null
#bagle.j encrypted (the ':0 B' headers and the /dev/null drop actions were missing from the post and are added here)
:0 B
* UEsDBAoAAQAAA
/dev/null
Re:MS Address Book lock down? (Score:4, Informative)
But since these worms also search a wide range of other filetypes (.txt, .doc, .html, etc.) for valid email addresses to send to, it makes little difference.
Re:Of course these viruses are for posturing (Score:3, Informative)
f%^ken annoying (Score:2, Informative)
Re:...unless you know the person! (Score:3, Informative)
Re:Server-side filters? (Score:2, Informative)
Re:Yeah, it's a gang war alright... (Score:3, Informative)
:0
* ^Content-Type: multipart
{
  # the body-match regex on the next '*' line did not survive the post; the ':0' headers are added here
  :0 B
  *
  {
    # LOG="${NL}Possible virus:${NL}Matched Expression = ${MATCH}${NL}"
  }
}
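As an added example (not code from any of the posts above), the check that the two procmail fragments above do by grepping the base64 text, done instead by decoding the attachment and reading the ZIP local file header, so an encrypted archive is caught however the base64 happens to line up. The lure message and the hand-built ZIP header are constructed here; `xxx.edu` follows the redacted address quoted earlier in the thread.

```python
import email
import struct
from base64 import b64encode
from email import policy
from email.message import EmailMessage

def build_zip_header(encrypted: bool) -> bytes:
    """Constructed 30-byte ZIP local file header (PK\\x03\\x04), stored method,
    version 1.0; bit 0 of the general-purpose flags marks an encrypted entry."""
    flags = 0x0001 if encrypted else 0x0000
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 10, flags,
                       0, 0, 0, 0, 0, 0, 0, 0)

def b64_prefix(data: bytes, n: int = 13) -> str:
    """First base64 characters of the bytes: what the procmail '*' lines grep for."""
    return b64encode(data).decode()[:n]

def classify_attachment(data: bytes) -> str:
    """Decide from decoded bytes (not base64 text) whether an attachment is a
    ZIP and whether its first entry has the encryption flag set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return "not-zip"
    (flags,) = struct.unpack_from("<H", data, 6)
    return "encrypted-zip" if flags & 0x0001 else "zip"

def scan_message(raw: bytes) -> list:
    """Return (filename, verdict) for every attachment in an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is not None:
            verdicts.append((part.get_filename(), classify_attachment(payload)))
    return verdicts

def build_sample_message(attachment: bytes, filename: str) -> bytes:
    """Constructed lure in the style quoted above; xxx.edu is the thread's placeholder."""
    msg = EmailMessage()
    msg["From"] = "support@xxx.edu"
    msg["To"] = "me@cc.xxx.edu"
    msg["Subject"] = "Warning about your e-mail account."
    msg.set_content("For more information see the attached file.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for enc in (False, True):
        hdr = build_zip_header(enc)
        print(b64_prefix(hdr), scan_message(build_sample_message(hdr, "Information.zip")))
```

The base64 prefixes printed for the two headers are exactly the two strings the procmail recipe matches, which is why that recipe works only when the archive starts on a base64 line boundary.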
Re:...little damage... (Score:2, Informative)
Found over 5800 copies of the virus the next day when the signatures were updated. And the little sod had deleted over 8GB of documents, spreadsheets and databases. We had an Access database that had been in use all day, so was ok, but come 5pm people exited it and went home. One staffer remembers they had still to finish something, and attempts to get back in - nothing left. This was about 3 minutes after the last person exited.
But wait there's more.
The very next day (after finding the virus everywhere, and starting to recover through backups), I sent an e-mail out about what had happened and what people should not do.
I created a new e-mail address (unlike any that we use) and used it to send an exe file to everyone. We put the file within a zip file just like the fun virus that we were still recovering from. The included file was a small program that would e-mail us if it was run, with the name of the user who did it - only thing done on the users computer was bring up a dialog box saying software updated.
This was the text of the e-mail
--
Hi,
I am a quasi e-mail program automatically sending you a freeware virus.
Please open the attached zipped file and double click on the attachment
to receive the virus update.
Have a nice day,
--
go on - guess.
We had a staff member open the message, open the zip, and run the executable...
This was after me sending a message reminding that people should not do any of this!!!!
Thankfully I had many staff that actually e-mailed me a copy that they had received the message, or even called me to let me know.
We'll have another go early next month. I'll try the zip with password trick. Fortunately, because we wrote it in-house there's no way it'll trigger the virus software.
Re:Aye (Score:2, Informative)