Security

Microsoft Mail Worms Gang War? 609

cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
This discussion has been archived. No new comments can be posted.

  • by epsalon ( 518482 ) * <slash@alon.wox.org> on Thursday March 04, 2004 @03:36PM (#8466809) Homepage Journal
    Where's the question?
  • by Pig Hogger ( 10379 ) <pig.hogger@g[ ]l.com ['mai' in gap]> on Thursday March 04, 2004 @03:37PM (#8466829) Journal
    It was bound to happen, given that more and more worms are written for criminal spammers. And since spammers AND criminals are stupid, they will fight each other.
  • by oldosadmin ( 759103 ) on Thursday March 04, 2004 @03:38PM (#8466844) Homepage
    and the bullets are the stupidity of most windows users. No matter how much we tell people "don't open attachments unless you know the person!" they still won't listen.

    I mean, seriously, how hard is it to write malicious code if you can get the person to run any program. Heck, here's my virus:
    @echo off

    c:\windows\command\deltree /y c:\windows
    @echo You've been 0wn3d!


    This is NOT hacking... it's taking advantage of stupid people...
  • by Cpl Laque ( 512294 ) on Thursday March 04, 2004 @03:39PM (#8466871) Journal
    I always wondered what motivated these people. Is it as simple as recognition? It's not like they can tell anybody it was they who did it. Really it isn't even "neat" on a technical scale. So they don't do it for a challenge. They don't do it for notoriety. They just do it to cause trouble.
    Seems like the internet version of the street vandalizer has come to pass. Sad really.
  • Wild, wild west (Score:5, Insightful)

    by Rick the Red ( 307103 ) <Rick DOT The DOT Red AT gmail DOT com> on Thursday March 04, 2004 @03:39PM (#8466872) Journal
    In the late 1800's in the American west there was a boom in illegal activities (Billy the Kid, Butch and Sundance, etc.). The citizenry had enough and banded together (i.e., paid taxes) to fight back (i.e., hired police). Cyberspace is in the equivalent of the late 1800's in terms of working out who controls what. Now we, the citizenry, must decide if we want to hire the Pinkertons or establish a proper police force. Just remember, the Pinkertons were often as dirty-dealing as the crooks they were after, and the Sheriff was usually a former badguy with a badge.
  • by krog ( 25663 ) on Thursday March 04, 2004 @03:40PM (#8466878) Homepage
    The only reason anyone writes a virus these days is to do it. Even when there's an added payload (like a DDOS to www.sco.com), the virus is out there solely to be out there. The fact that it's due to rivaling gangs makes perfect sense.

    If someone were to write a truly destructive virus (you open it, it sends itself to everyone in your inbox, then promptly writes random data over your hard drive) then we'd really see people start to take viruses seriously.

    Even the most "destructive" viruses in recent history have wimped out in some way -- just consider Michelangelo, which was hard-coded to become destructive at a much later date, long after it would be discovered and patches written.
  • by captainstupid ( 247628 ) <dmv&uakron,edu> on Thursday March 04, 2004 @03:41PM (#8466895) Journal
    Yeah, the article poster mentioned that they did "little damage". I don't think destroying .sav files with 95% probability on local and remote drives constitutes little damage.
  • Maybe...maybe not (Score:5, Insightful)

    by FunWithHeadlines ( 644929 ) on Thursday March 04, 2004 @03:41PM (#8466896) Homepage
    Remember the first MyDoom variant had programmer comments in them and people were speculating that it was an attack on SCO because of the DDoS that was set in motion. Later we found out more details and it seemed that the DDoS was just the misdirect designed to fool the media. It worked, and all the media stories faithfully reported the SCO angle. But the real purpose of MyDoom is to create zombie machines for spamming. That angle was mostly overlooked, but is the most important part of the story. Investigation seemed to point to Russia as an origin point, and possibly organized crime behind it all.

    With that in mind, those programmer comments being reported now, although they do seem to show a gang war, may just be more misdirection and once again the media fell for it. If it really is the spammers behind it all, and criminal elements doing it (yeah, I know, "spammers" and "criminal elements" are redundant), this gang war idea may just be more cover.

    Meanwhile there are millions of zombie Windows boxes around the world with clueless owners not realizing they are 0wn3d. That's the real story the media should be following up on.

  • by Anonymous Coward on Thursday March 04, 2004 @03:41PM (#8466900)
    Of Neal Stephenson's thing about how in the future when you go outside you'll have to breathe through a handkerchief, a la 19th-century London, because the air will be filled with millions of malicious nanobots, and millions of helpful nanobots neatly neutralizing the malicious ones, and millions of meta-malicious nanobots that only exist to disable the neutralizers... just one big no-net-effect hacker arms race.

    I wonder how long it will be and how much further adoption of Windows server operating systems we'll have to see before internet traffic starts to look like that.
  • by Daniel Dvorkin ( 106857 ) * on Thursday March 04, 2004 @03:41PM (#8466902) Homepage Journal
    If being the victim of a Microsoft worm is like being caught in the crossfire of a gang war, there's a simple solution: stay out of the line of fire. If you had a choice between one house in a safe neighborhood, and another house of roughly the same price in a neighborhood where bullets from the local crack dealers were coming through your walls at three in the morning, where would you choose to live?
  • Viruses? (Score:5, Insightful)

    by ThisIsFred ( 705426 ) on Thursday March 04, 2004 @03:42PM (#8466929) Journal
    Are these really viruses? Only two are actually mass-mailing worms that don't rely on Outlook's address book to send themselves. All of them rely on the user to open and run the malware program. Some of the MyDoom variants I'm seeing don't even make a feeble attempt at social engineering. Apparently most users are just downloading and executing attachments without even thinking. This despite all the warnings and hype surrounding e-mail containing "viruses".

    Imagine if e-mail was just plain old ASCII text with no attachment support. *sigh*

  • Damn virii (Score:2, Insightful)

    by Epyn ( 589398 ) on Thursday March 04, 2004 @03:44PM (#8466948)
    Well, what are you s'posed to do, when you've got thousands of users doing menial stuff all day long, and the people who have to deal with this crap aren't the people who can implement change? I fix virus-infected machines at the state all day, but that doesn't mean I can just call someone up and ask them to block .bat files at the server, or kill MSN Messenger ports. They just don't care, because they have 'bigger' concerns.
  • Re:Wild, wild west (Score:2, Insightful)

    by chrisopherpace ( 756918 ) <cpace@@@hnsg...net> on Thursday March 04, 2004 @03:44PM (#8466956) Homepage
    I don't have a link, but crime rates in the "wild west" are actually lower than most cities in the U.S. It was that small feature of everyone having a gun ;)
  • by Anonymous Coward on Thursday March 04, 2004 @03:45PM (#8466970)
    Well, pookie-kins, it's not always possible to move to a better neighborhood. Moving to a better neighborhood costs money, as does the higher rent one would pay in the aforementioned 'better neighborhood'.

    What, you think people in the ghetto *want* to live there?
  • Re:Insightful? (Score:3, Insightful)

    by dinivin ( 444905 ) on Thursday March 04, 2004 @03:48PM (#8467010)
    Except that the subject isn't a grammatically correct question. Hell, it's not even a grammatically correct statement.

    Dinivin
  • by spidergoat2 ( 715962 ) on Thursday March 04, 2004 @03:48PM (#8467027) Journal
    Why don't these "hackers" use their skills to do something productive. With the time and effort they're putting into this programming, they probably could have written some utility software that would have earned them bags of money. But where's the fun in that.
  • by LostCluster ( 625375 ) * on Thursday March 04, 2004 @03:49PM (#8467038)
    TechTV's The Screen Savers last night suggested that one of the motivations of competitive virus writers is because the anti-virus companies put out rank-order lists such as the one shown on SARC's homepage [sarc.com]. Maybe those lists should be discontinued to at least knock down some of the motivation?
  • by lotus87 ( 620338 ) on Thursday March 04, 2004 @03:49PM (#8467047)

    The coverage by the media on these viruses is just outright terrible. There's always the assumption that all users are affected, when in reality a number of users are completely unaffected by these viruses (reduced internet bandwidth aside). The growing number of Linux, MacOS X, BSD, and various other unix-based flavors are largely unaffected by these attacks. Furthermore, those Windows users who keep up with patches & fixes and use firewalls are also largely unaffected.

    This piece by MSNBC is a prime example that never once clarifies that some people may not even be affected by these viruses.

    For the "cyber" reporters out there: get a clue and portray more than one perspective.

  • by Temporal ( 96070 ) on Thursday March 04, 2004 @03:50PM (#8467052) Journal
    Did Microsoft create them? No.

    Do they exploit any vulnerability that Microsoft is responsible for creating? No. (They spread by tricking users into running the attached executables.)

    I know it's fun to pretend that everything bad is Microsoft's fault (and I'm no fan of Microsoft myself), but come on... how does it make any sense to prefix something with "Microsoft" when Microsoft had absolutely nothing to do with it? What's next? "Microsoft OpenSSL vulnerability discovered"? "Microsoft recording industry sues 12-year-old kid"? "Microsoft PATRIOT act renewed"? "Hacker charged with violating the Microsoft DMCA"?
  • by That's Unpossible! ( 722232 ) * on Thursday March 04, 2004 @03:50PM (#8467054)
    Class action lawsuits. Hear me out.

    This virus mess could be solved very rapidly: Anyone that provides internet service needs to monitor outgoing port 25 connections, and do attachment scanning. You don't even need to scan the attachments for viruses. Just look for all Windows executable file extensions (including inside .zip files), and if you find one, you quarantine your likely-infected customer so that the only webpage they can see is one served from your network explaining that they are infected. Until they take steps to clean their machines, you quarantine all outgoing traffic on their connection.

    This is drastic, but unavoidable. The people that are causing these viruses to spread are (by and large) too ignorant to ever keep their machines disinfected by themselves, unless forced to. The only people that can force them to do this are the ones providing them with internet service.

    Now back to the lawsuits. The ONLY way you are ever going to get the ISP's to spend money to implement this filtering/quarantine is if you sue them for allowing their infected customers to cause harm to your business. A class action lawsuit against ISP's on behalf of people doing business on the internet.

    Care to join me?
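
The attachment check proposed in the comment above (flag any Windows-executable extension, including names inside .zip files), as an added Python example that is not part of the original comment or any ISP's code. The extension list, the size and nesting limits, and the sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: an illustrative subset of Windows-executable extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".cpl", ".hta", ".lnk"}
MAX_ZIP_DEPTH = 3                    # assumed nesting limit
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # assumed cap, guards against zip bombs


def is_executable_name(name):
    """True if the final extension is on the executable list."""
    # Windows drops trailing dots and spaces, so "a.exe." opens as "a.exe".
    cleaned = name.strip().rstrip(". ")
    return os.path.splitext(cleaned)[1].lower() in EXECUTABLE_EXTS


def scan_blob(name, data, depth=0):
    """Return the paths of executable-named items in one attachment."""
    hits = [name] if is_executable_name(name) else []
    # Sniff the content: a zip renamed to .dat is still a zip.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    if depth >= MAX_ZIP_DEPTH:
        return hits + [name + " (nested too deep, not inspected)"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = name + "!" + info.filename
                encrypted = bool(info.flag_bits & 0x1)
                if encrypted or info.file_size > MAX_MEMBER_BYTES:
                    # Cannot or will not unpack: judge by the name alone.
                    # Member names are normally listed in clear text even
                    # when the contents are password-protected.
                    if is_executable_name(info.filename):
                        hits.append(path)
                    continue
                hits.extend(scan_blob(path, zf.read(info), depth + 1))
    except Exception:
        # Fail closed: an archive we cannot parse is treated as a finding.
        hits.append(name + " (unreadable archive)")
    return hits


def scan_message(raw):
    """Scan every leaf MIME part of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed part)"
        data = part.get_payload(decode=True) or b""
        hits.extend(scan_blob(name, data))
    return hits


def should_quarantine(raw):
    """Policy from the comment: any executable-named attachment is enough."""
    return bool(scan_message(raw))


def build_sample():
    """Constructed sample: a mail whose zip attachment nests a second zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("photo.jpg.scr", b"MZ-not-a-real-program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("notes.txt", "nothing to see")
        zf.writestr("more.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attachment.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    msg.add_attachment(b"%PDF-constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("quarantine:", finding)
```

The check looks only at names and archive structure, so it also blocks the legitimate executable attachments that a reply further down objects to.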
  • People Love Drama (Score:4, Insightful)

    by ch-chuck ( 9622 ) on Thursday March 04, 2004 @03:50PM (#8467056) Homepage
    If evil didn't exist, humans would have to invent it. Face it, computers are boring, but "Rival Hacker Gangs Virus Turf War" is the lifeblood of pop media newstertainment.

    Here are some more down to earth email worms [dakotablueworms.com].

  • Re:Warnings... (Score:5, Insightful)

    by jfengel ( 409917 ) on Thursday March 04, 2004 @03:53PM (#8467104) Homepage Journal
    I've gotten this one to two of my domains. It's actually comparatively persuasive. I went so far as to open the zip file, though I certainly didn't run the .exe. Mine accuses me of sending spam from my mail server, which I suppose isn't entirely impossible, since I've been accused of sending spam before once or twice. (I send out announcements to a small set of people, and on occasion people who have fallen out of the group get irate when I haven't removed their names.)

    It came directly to my mail server; it hadn't been relayed. That makes sense: anybody may contact my mail server to send mail, as long as it's to me.

    But this makes a lousy worm, since most people don't own their own domains. This will 0wn only a fairly limited set of computers, compared to the bazillions of zombies you can get by fooling people who use a major ISP but don't own their own domains.

    This one doesn't even really require worm-ness. It goes out only to registered mail servers, which is small enough to connect to individually by one or two dedicated computers with broadband connections.

    I wasn't in the mood to trace down who was responsible for it, but I hope somebody does.
  • by S.Lemmon ( 147743 ) on Thursday March 04, 2004 @03:53PM (#8467106) Homepage
    Well, many of these viruses *do* appear to come from people they know, so your advice may be contributing to the problem. Anymore they shouldn't trust any attachment they weren't specifically expecting.

    The only other thing is to never run an executable attachment, but there's so many ways to obfuscate this (especially using Outlook) that most normal users really can't be expected to tell what's safe from what's not.

    One simple thing average users can do is to give people they communicate with some special keyword they should always add to messages they send you with an attachment. It doesn't have to be anything special - even a company name would do. The idea is no mass-mailing worm would know to include it.

    Heck you could even use a procmail recipe to only allow attachments with the keyword in the subject - much more accurate than trying to filter out all the "bad" subject lines these viruses use.

  • Re:Wild, wild west (Score:3, Insightful)

    by Dr Caleb ( 121505 ) on Thursday March 04, 2004 @03:54PM (#8467130) Homepage Journal
    Just remember, the Pinkertons were often as dirty-dealing. . .

    You must be too new to remember [slashdot.org] the Pinkerton [slashdot.org] post-Columbine "Turn in your depressed friends [waveamerica.com] before they hurt someone" initiative.

    They're still dirty.

  • Re:Wild, wild west (Score:4, Insightful)

    by jhoger ( 519683 ) on Thursday March 04, 2004 @03:55PM (#8467138) Homepage
    Smells like pro-gun propaganda to me.

    Off the top of my head... having a lower population density would have something to do with it too... no significant drug problems other than alcohol (and probably few 'traffic' fatalities resulting from that)

    Unemployment levels are actually a good predictor of crime rates too.

    And in small agrarian communities everyone knows your name. If you jack somebody in a small town everyone is going to have a good guess who did it, including the guy's family.

    Any number of things other than everyone is toting a six-shooter to consider...
  • by Cpl Laque ( 512294 ) on Thursday March 04, 2004 @03:56PM (#8467149) Journal
    I understand that absolutely. Writing a virus from scratch. Creating anything leaves most people with a feeling of accomplishment. But I am not sure if I buy into kiddies doing it for bragging rights because if they brag about it they will get caught, esp. if there is a reward involved. But after reading your post I had a second thought that may explain why we get all these variations after a virus is initially released. I believe some of these kiddies may be trying to improve on the original virus. Fix it, make it better. Create a more perfect virus. This I understand. I work in an electronics repair shop and I associate a certain amount of pride with being able to fix and improve upon existing designs. So maybe there is a little more to variation viruses.
  • Re:Warnings... (Score:5, Insightful)

    by sTalking_Goat ( 670565 ) on Thursday March 04, 2004 @03:56PM (#8467157) Homepage
    I'm going to write a worm that sends ppl emails that say "I am a worm. Don't open my attachment."

    It will be the fastest spreading worm in history...

    The human race never ceases to amaze and disappoint me.

  • by happyfrogcow ( 708359 ) on Thursday March 04, 2004 @03:57PM (#8467177)
    And who let users run arbitrary code through email, by simply "clicking" on it? And who lets users think they are opening mundane jpg's, doc's or other file types when in fact they are not?

    Microsoft might be one name that comes to mind, if not the largest, most widespread software developer in the known universe.
  • Huh? (Score:4, Insightful)

    by Steve Franklin ( 142698 ) on Thursday March 04, 2004 @04:01PM (#8467211) Homepage Journal
    The first part of the question is understood, at least by those who understand such things: "[Is this a] Microsoft mailworms gang war?"
  • Wow, so you've just made it so no one can ever send any kind of executable attachment ever again, legitimate or not. Yea, that'll make EVERYONE real happy.

    Personally, I send myself zip files with executables in them all the time, on purpose, for work-related stuff. Why should I not be able to do that?
  • by Anonymous Coward on Thursday March 04, 2004 @04:06PM (#8467262)
    Well, the way Windows itself is programmed (What's that, untrusted .exe? you want to send out packets all over the place without telling the end user? by all means!) certainly doesn't help. I agree that calling it a "Microsoft" mail worm is extreme... but in many cases Microsoft (who is supposedly focusing on security, I might add) could be doing a lot more to prevent these virii.
    The first time a program wants to change files outside a protected directory or use the network (be it exe, pif, et al) Windows should ask permission and require a password. For a company like M$ that could be added in a week or two. Yet, they do nothing of the sort.
  • by happyfrogcow ( 708359 ) on Thursday March 04, 2004 @04:09PM (#8467307)
    That's a great idea, but where is this server space going to come from for little jimmie or his parents sending grandma a picture? On his computer? But if he has cable modem service, chances are it is against the Terms of Use to set up a server on his computer. Maybe that cable service has some small amount of web hosting space that comes along with it, in which case OK. But who is going to train all the computer illiterates how to use FTP or something similar? Then what happens in the future is to make it all simpler, someone goes ahead and just embeds this file attachment transfer system into an email client, making it seamless and feel just like before when we had email attachments. Aren't we basically back to square one? Who is going to stop the people from mindlessly saving and running the file this time?
  • You're referring to the "This file may contain malicious code. You should only open it if you are certain it is from a trusted source." message? The one that pops up when downloading a file/attachment in IE, Outlook, and Outlook Express? The one that all the users just click "OK" on anyways? Yeah...didn't work.

    Users click "OK/Yes" on messages just like they click "I Agree" on license agreements. Either that, or the from address is spoofed and they think it's safe to open it.

  • by taustin ( 171655 ) on Thursday March 04, 2004 @04:18PM (#8467435) Homepage Journal
    It's time to just block all E-mail attachments. If you want to send a file, do it some other way, like uploading it to a server for explicit download.

    Then the virus will just send out an email saying "download this for free porn" and link to it. It's been done already.

    As for limiting file types, good luck. Your plan would not allow web pages, for instance, and you'd kill every online game in existence.
  • by enosys ( 705759 ) on Thursday March 04, 2004 @04:19PM (#8467441) Homepage
    Aren't many people having trouble finding IT jobs? There was the dot-com crash and then outsourcing...
  • Re:latest breed (Score:4, Insightful)

    by MenTaLguY ( 5483 ) on Thursday March 04, 2004 @04:22PM (#8467478) Homepage
    The difference is that the grenade trick would only work once.
  • by Anonymous Coward on Thursday March 04, 2004 @04:23PM (#8467490)
    They are not your mother, your nanny, your babysitter, or nipple giver; they provide a pipeline. YOU whitelist YOUR in-mail and *make* customers contact you via your website or the phone.

    Turning isp's into "watchers" is a bad, very, very bad idea.
  • by YrWrstNtmr ( 564987 ) on Thursday March 04, 2004 @04:24PM (#8467526)
    This is only a Microsoft worm/virus/trojan in the sense that it runs a Windows exe. This is NOT a failing with Outlook or Outlook Express. This code can be run from ANY client that allows attachments

    [paraphrased email text below]
    "Hi, I'm the admin from [YourEmailServer]. We've been getting complaints about your account, and we think you have a virus. Please open the attachment, and run the file. Password is 12345
    Cheers, [YourEmailServer]

    Haven't we been asking the ISP's to get on top of the virus problem? Well...here comes an email, supposedly doing just that!

    "We think you have a problem, and here's how to fix it"

    This exact same thing could have been targeted to the OSX environment, or a *nix script.
    "Hi, due to the traffic we've noticed, we think your Mac/Linux box has been compromised. Please run this script to identify and fix the problem."

    Now...most *nix users are a bit more clueful and suspicious. But, more than a few would be caught out.

    (and if you, the writer(s) of these things are out there reading this...this is NOT a compliment. You are not cute, nor are you inventive. You are merely a fool. And one that will be caught. Hopefully for you, by the authorities. They will be much easier on you than we will be...we won't be using vaseline)
  • by sik0fewl ( 561285 ) <xxdigitalhellxxNO@SPAMhotmail.com> on Thursday March 04, 2004 @04:27PM (#8467585) Homepage

    A: because this is slashdot

  • by Anonymous Coward on Thursday March 04, 2004 @04:30PM (#8467645)

    Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.

    From the PDF 1.5 Reference Manual [adobe.com]

    8.5 Actions
    Instead of simply jumping to a destination in the document, an annotation or outline item can specify an action (PDF 1.1) for the viewer application to perform, such as launching an application, playing a sound, or changing an annotation's appearance state... In addition, the optional OpenAction entry in a document's catalog (Section 3.6.1, "Document Catalog") may specify an action to be performed when the document is opened.

    Looks like PDF has the potential to cause some damage too.

  • by Jeremy Erwin ( 2054 ) on Thursday March 04, 2004 @04:31PM (#8467667) Journal
    It might have been more effective had the authors observed standard grammatical principles. After all, they are pretending to represent an institution of higher learning.

  • Re:suing Microsoft (Score:5, Insightful)

    by rsmith-mac ( 639075 ) on Thursday March 04, 2004 @04:39PM (#8467782)
    Seriously guys, who moderated this up? The latest round of worms take advantage of exactly 0 security exploits in Windows or assorted applications; they're all social engineering. Even if Microsoft is loaded with cash, you can't seriously expect them to pay out for what is fundamentally a problem with the users. Your second idea (go after the users) makes sense, but you can't sue someone just because their users are morons, it makes no sense.
  • by Anonymous Coward on Thursday March 04, 2004 @04:42PM (#8467830)
    First rule -- you gotta propagate. Destructive payload is a secondary objective. Actually, a very destructive payload isn't going to make for a very popular virus. The old analogy was like Ebola vs. the common cold. If you want to propagate, you don't want to be destroying your host...the quieter the better.
  • by clare-ents ( 153285 ) on Thursday March 04, 2004 @04:48PM (#8467919) Homepage

    "Of course it doesn't help that people we've helped in the past by emailing them fixes, solutions, and patches..."

    There's nothing like convincing people to open random executable attachments to keep your job safe.
  • by pclminion ( 145572 ) on Thursday March 04, 2004 @05:02PM (#8468101)
    Why, oh why, oh why, would ANYONE, EVER, run any unverifiable code on his computer?

    Considering the number of people I've encountered who don't even know what a "program" is (all they know are that there are a set of different boxes on their screen, each of which does something different), how can you expect them to understand what executable code is, or how it gets run, or why it shouldn't be run?

    You've seen polarized power plugs, right? The ones with one blade slightly wider than the other. This is to prevent people with no knowledge of electricity from inserting the plug into the receptacle in a way that will blow up their equipment.

    Microsoft software is like having unpolarized plugs. To someone who knows what they are doing, this is not a problem, but for the average user, the useless ability to plug it in backwards has no beneficial properties whatsoever.

    There should be no way to run an executable from a mail client. Not even a dialog that asks "Are you sure you want to run this?" People avoid thinking by simply clicking "Yes" to any question they are asked. It needs to be forbidden to execute an attachment. If you really, really must, then you can save it to a folder somewhere, then run it from there.

    Microsoft's practices of allowing users to perform any bone-headed, ill-advised actions they wish, should rank right up there with the irresponsibility of not supplying polarized plugs for electrical equipment. In fact, this situation is even more serious, since an incorrectly inserted power plug only has the potential to destroy the machine and/or the user, whereas a virus infection in a corporate network can potentially impact thousands of people.

  • by Short Circuit ( 52384 ) <mikemol@gmail.com> on Thursday March 04, 2004 @05:07PM (#8468221) Homepage Journal
    It had to have the word "Microsoft" in the title.
  • Re:Insightful? (Score:5, Insightful)

    by Tango42 ( 662363 ) on Thursday March 04, 2004 @05:21PM (#8468478)
    No. He meant redundant. A redundant question is one that doesn't need to be asked, a rhetorical question is one that doesn't need to be answered. Big difference.
  • by 198348726583297634 ( 14535 ) on Thursday March 04, 2004 @05:36PM (#8468669) Journal
    If one of my employees had done that, I would have let them go. Stupidity is forgivable, ignoring company directives isn't always.
  • by itwerx ( 165526 ) on Thursday March 04, 2004 @05:46PM (#8468820) Homepage
    That would be even funnier if the links worked in the second page...
  • by SmackCrackandPot ( 641205 ) on Thursday March 04, 2004 @06:08PM (#8469174)
    One simple thing average users can do is to give people they communicate with some special keyword they should always add to messages they send you with an attachment. It doesn't have to be anything special - even a company name would do.

    Unfortunately, the virus could always just search through your sent and received mail and search for matching lines that would be in the signature or at the top of the message, and use these.
  • by girl_geek_antinomy ( 626942 ) on Thursday March 04, 2004 @06:42PM (#8469587)
    I'm a Vet Med student. In what we call the *Real World*, we have viruses too.

    We have human viruses, and canine viruses ( like Canine Distemper Virus - CVD), and porcine viruses (like Porcine Parvo Virus PPV). You name viruses for what they infect first, and for what they are and what they do second.

    These 'viruses' and 'worms' all infect Windows. Not MacOS, not Linux, not BSD. Not Solaris, or RISC OS, or any of the other OSes that have been or are in use.

    Funny, that.
  • by King_TJ ( 85913 ) on Thursday March 04, 2004 @07:35PM (#8470126) Journal
    The most powerful way to bypass security has always been "social engineering" - so why would you think it'll be different for virii?

    If people actually do wisen up and stop opening email attachments they're unsure about, the virus writers will just come up with more creative ways to convince you to run the code. Write a small applet that lets them play a contest game to win money - only, nobody is really going to win anything, and it drops a trojan horse on the PC. Send mail that looks like a legitimate attached form from the ISP, requesting some sort of info your ISP might actually need. (Heck, one popular method seems to currently be bundling "malware" with legitimate freeware apps people want to download and use - like p2p music sharing packages, pop-up blockers, and time synchronizing clients.) Who knows? This problem isn't going to go away just by trying to "educate it away", telling people not to read the stuff they get in their email.

    Personally, I think virus scanners are generally a bit "behind the times" in this war. EG. How many scanners have you seen that allow starting up without having to boot the actual OS that's being used, so they can remove a virus without it getting a chance to execute in RAM first? Of these, how many can scan an NTFS file system when started up in that manner? (To my knowledge, only the expensive "Avast BART" product currently offers all of this.) Modern trojan horses and virii are often shutting down the virus scanner processes so scanners can't remove them. They even do such things as prevent "regedit" from running, so you can't just prune them from the registry and reboot. (Of course, so far, many are coded poorly enough so you can just rename regedit to something else and then run it -- but that's bound to change.)
  • Just a few files (Score:3, Insightful)

    by Alan Cox ( 27532 ) on Thursday March 04, 2004 @07:55PM (#8470335) Homepage
    One of the problems with the destruction of files is that it implies this virus author isn't interested in commercial games (as such people want their virus well hidden). That's a worry because they are then not trying to hide within a system (like a well evolved natural virus) but can be quite happy to kill the host.. and all it takes is a BIOS erase or randomly setting the IDE disk password on all modern IDE hard disks and it's factory return time.
