Microsoft Mail Worms Gang War?
cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
How is this an "ask slashdot"? (Score:5, Insightful)
It was bound to happen... (Score:5, Insightful)
Yeah, it's a gang war alright... (Score:5, Insightful)
I mean, seriously, how hard is it to write malicious code if you can get the person to run any program. Heck, here's my virus:
This is NOT hacking... it's taking advantage of stupid people...
The mind of a Kiddie? (Score:2, Insightful)
Seems like the internet version of the street vandalizer has come to pass. Sad really.
Wild, wild west (Score:5, Insightful)
Of course these viruses are for posturing (Score:4, Insightful)
If someone were to write a truly destructive virus (you open it, it sends itself to everyone in your inbox, then promptly writes random data over your hard drive) then we'd really see people start to take viruses seriously.
Even the most "destructive" viruses in recent history have wimped out in some way -- just consider Michelangelo, which was hard-coded to become destructive at a much later date, long after it would be discovered and patches written.
Re:I would like to point out... (Score:5, Insightful)
Maybe...maybe not (Score:5, Insightful)
With that in mind, those programmer comments being reported now, although they do seem to show a gang war, may just be more misdirection and once again the media fell for it. If it really is the spammers behind it all, and criminal elements doing it (yeah, I know, "spammers" and "criminal elements" are redundant), this gang war idea may just be more cover.
Meanwhile there are millions of zombie Windows boxes around the world with clueless owners not realizing they are 0wn3d. That's the real story the media should be following up on.
Is anyone else seeing this and thinking (Score:5, Insightful)
I wonder how long it will be and how much further adoption of Windows server operating systems we'll have to see before internet traffic starts to look like that.
So move to a better neighborhood (Score:5, Insightful)
Viruses? (Score:5, Insightful)
Imagine if e-mail was just plain old ASCII text with no attachment support. *sigh*
Damn virii (Score:2, Insightful)
Re:Wild, wild west (Score:2, Insightful)
Re:So move to a better neighborhood (Score:2, Insightful)
What, you think people in the ghetto *want* to live there?
Re:Insightful? (Score:3, Insightful)
Instead of a pissing contest (Score:5, Insightful)
What good are the top 10 lists? (Score:5, Insightful)
Terrible coverage by media (Score:2, Insightful)
The coverage by the media on these viruses is just outright terrible. There's always the assumption that all users are affected, when in reality a number of users are completely unaffected by these viruses (reduced internet bandwidth aside). The growing number of Linux, MacOS X, BSD, and various other unix-based flavors are largely unaffected by these attacks. Furthermore, those Windows users who keep up with patches & fixes and use firewalls are also largely unaffected.
This piece by MSNBC is a prime example that never once clarifies that some people may not even be affected by these viruses.
For the "cyber" reporters out there: get a clue and portray more than one perspective.
"Microsoft" mail worms? (Score:5, Insightful)
Do they exploit any vulnerability that Microsoft is responsible for creating? No. (They spread by tricking users into running the attached executables.)
I know it's fun to pretend that everything bad is Microsoft's fault (and I'm no fan of Microsoft myself), but come on... how does it make any sense to prefix something with "Microsoft" when Microsoft had absolutely nothing to do with it? What's next? "Microsoft OpenSSL vulnerability discovered"? "Microsoft recording industry sues 12-year-old kid"? "Microsoft PATRIOT act renewed"? "Hacker charged with violating the Microsoft DMCA"?
There is only one solution to the virus problem: (Score:1, Insightful)
This virus mess could be solved very rapidly: Anyone that provides internet service needs to monitor outgoing port 25 connections, and do attachment scanning. You don't even need to scan the attachments for viruses. Just look for all Windows executable file extensions (including inside
This is drastic, but unavoidable. The people that are causing these viruses to spread are (by and large) too ignorant to ever keep their machines disinfected by themselves, unless forced to. The only people that can force them to do this are the ones providing them with internet service.
Now back to the lawsuits. The ONLY way you are ever going to get the ISP's to spend money to implement this filtering/quarantine is if you sue them for allowing their infected customers to cause harm to your business. A class action lawsuit against ISP's on behalf of people doing business on the internet.
Care to join me?
People Love Drama (Score:4, Insightful)
Here are some more down to earth email worms [dakotablueworms.com].
Re:Warnings... (Score:5, Insightful)
It came directly to my mail server; it hadn't been relayed. That makes sense: anybody may contact my mail server to send mail, as long as it's to me.
But this makes a lousy worm, since most people don't own their own domains. This will 0wn only a fairly limited set of computers, compared to the bazillions of zombies you can get by fooling people who use a major ISP but don't own their own domains.
This one doesn't even really require worm-ness. It goes out only to registered mail servers, which is small enough to connect to individually by one or two dedicated computers with broadband connections.
I wasn't in the mood to trace down who was responsible for it, but I hope somebody does.
Re:Yeah, it's a gang war alright... (Score:5, Insightful)
The only other thing is to never run an executable attachment, but there are so many ways to obfuscate this (especially using Outlook) that most normal users really can't be expected to tell what's safe from what's not.
One simple thing average users can do is to give people they communicate with some special keyword they should always add to messages they send you with an attachment. It doesn't have to be anything special - even a company name would do. The idea is no mass-mailing worm would know to include it.
Heck you could even use a procmail recipe to only allow attachments with the keyword in the subject - much more accurate than trying to filter out all the "bad" subject lines these viruses use.
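An added example, not code from the thread: a small Python mail filter that combines the two ideas above, the border-side block on Windows executable extensions (here generalized to look one level inside zip archives as well, which is an assumption beyond the post) and the per-correspondent keyword in the Subject that a mass-mailing worm would not know. The extension list and the sample message are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Windows executable extensions to treat as dangerous (assumed list).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def executable_names(filename, data):
    """Names of executable content in one attachment, also looking one level
    inside a zip archive (a generalization of the plain extension filter)."""
    names = []
    if filename.lower().endswith(EXEC_EXTENSIONS):
        names.append(filename)
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names += [f"{filename}:{m}" for m in zf.namelist()
                          if m.lower().endswith(EXEC_EXTENSIONS)]
        except zipfile.BadZipFile:
            names.append(f"{filename}:<unreadable zip>")  # treat as suspect
    return names


def classify(raw_message, keyword):
    """Return ("accept", names) or ("quarantine", names). Executable content
    is allowed only when the agreed keyword appears in the Subject, so a
    mass mailer that does not know the keyword is quarantined."""
    msg = message_from_bytes(raw_message, policy=default)
    offending = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            offending += executable_names(part.get_filename() or "",
                                          part.get_payload(decode=True))
    if offending and keyword.lower() not in str(msg["Subject"] or "").lower():
        return "quarantine", offending
    return "accept", offending


def build_sample(subject, member="report.exe"):
    """Constructed test message (not a real worm): one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", subject
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="tools.zip")
    return bytes(msg)
```

A worm that harvests old mail could still learn the keyword, as a later reply in this thread points out, so this raises the bar rather than closing the hole.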
Re:Wild, wild west (Score:3, Insightful)
You must be too new to remember [slashdot.org] the Pinkerton [slashdot.org] post-columbine "Turn in your depressed friends [waveamerica.com] before they hurt someone" initiative.
They're still dirty.
Re:Wild, wild west (Score:4, Insightful)
Off the top of my head... having a lower population density would have something to do with it too... no significant drug problems other than alcohol (and probably few 'traffic' fatalities resulting from that)
Unemployment levels are actually a good predictor of crime rates too.
And in small agrarian communities everyone knows your name. If you jack somebody in a small town everyone is going to have a good guess who did it, including the guy's family.
Any number of things other than everyone is toting a six-shooter to consider...
Re:The mind of a Kiddie? (Score:2, Insightful)
Re:Warnings... (Score:5, Insightful)
It will be the fastest spreading worm in history...
The human race never ceases to amaze and disappoint me.
Re:"Microsoft" mail worms? (Score:5, Insightful)
Microsoft might be one name that comes to mind, if not the largest, most widespread software developer in the known universe.
Huh? (Score:4, Insightful)
Re:There is only one solution to the virus problem (Score:3, Insightful)
Personally, I send myself zip files with executables in them all the time, on purpose, for work-related stuff. Why should I not be able to do that?
Re:"Microsoft" mail worms? (Score:1, Insightful)
The first time a program wants to change files outside a protected directory or use the network (be it exe, pif, et al) Windows should ask permission and require a password. For a company like M$ that could be added in a week or two. Yet, they do nothing of the sort.
Re:No more attachments. (Score:3, Insightful)
Re:Is the problem really hard to fix? (Score:3, Insightful)
Users click "OK/Yes" on messages just like they click "I Agree" on license agreements. Either that, or the from address is spoofed and they think it's safe to open it.
Re:No more attachments. (Score:3, Insightful)
Then the virus will just send out an email saying "download this for free porn" and link to it. It's been done already.
As for limiting file types, good luck. Your plan would not allow web pages, for instance, and you'd kill every online game in existence.
Aren't many people having trouble finding IT jobs? (Score:3, Insightful)
Re:latest breed (Score:4, Insightful)
Leave the ISP's out of it... (Score:1, Insightful)
Turning isp's into "watchers" is a bad, very, very bad idea.
Good bit of social engineering (Score:5, Insightful)
[paraphrased email text below]
"Hi, I'm the admin from [YourEmailServer]. We've been getting complaints about your account, and we think you have a virus. Please open the attachment, and run the file. Password is 12345
Cheers, [YourEmailServer]"
Haven't we been asking the ISP's to get on top of the virus problem? Well...here comes an email, supposedly doing just that!
"We think you have a problem, and here's how to fix it"
This exact same thing could have been targeted to the OSX environment, or a *nix script.
"Hi, due to the traffic we've noticed, we think your Mac/Linux box has been compromised. Please run this script to identify and fix the problem."
Now...most *nix users are a bit more clueful and suspicious. But, more than a few would be caught out.
(and if you, the writer(s) of these things are out there reading this...this is NOT a compliment. You are not cute, nor are you inventive. You are merely a fool. And one that will be caught. Hopefully for you, by the authorities. They will be much easier on you than we will be...we won't be using vaseline)
Re:How is this an "ask slashdot"? (Score:2, Insightful)
A: because this is slashdot
Re:No more attachments. (Score:3, Insightful)
Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.
From the PDF 1.5 Reference Manual [adobe.com]
8.5 Actions
Instead of simply jumping to a destination in the document, an annotation or outline item can specify an action (PDF 1.1) for the viewer application to perform, such as launching an application, playing a sound, or changing an annotation's appearance state... In addition, the optional OpenAction entry in a document's catalog (Section 3.6.1, "Document Catalog") may specify an action to be performed when the document is opened.
Looks like PDF has the potential to cause some damage too.
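An added example, not from the thread or from Adobe: a Python scanner that flags a PDF whose plain-text objects carry the /OpenAction entry quoted above, or a /Launch action, or /AA (additional actions, the annotation-triggered case the manual describes), normalizing the #xx escapes that PDF names allow so that an escaped spelling such as /Open#41ction is still caught. The sample PDFs are constructed fragments, not real documents; it does not look inside compressed object streams, which is noted in the code.

```python
import re

# Name objects that let a document trigger behaviour on open, launch an
# external program, or attach actions to annotations (PDF 1.1+ actions).
RISKY_NAMES = {"/OpenAction", "/Launch", "/AA"}

# A PDF name runs from "/" to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")


def normalize_name(raw):
    """Decode #xx escapes so /Open#41ction compares equal to /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def risky_names(pdf_bytes):
    """Sorted list of risky names found in the uncompressed object text.
    Caveat: objects hidden in /FlateDecode object streams are not visible to
    this scan, so a clean result is not proof of a clean file."""
    seen = {normalize_name(m.group(0)) for m in NAME_RE.finditer(pdf_bytes)}
    return sorted(seen & RISKY_NAMES)


def is_suspicious_pdf(pdf_bytes):
    """Policy hook for a 'PDF allowed at the gateway' rule: True means hold it."""
    return bool(risky_names(pdf_bytes))


# Constructed fragments for the demonstration (not real documents).
SAMPLE_CLEAN = (b"%PDF-1.5\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
                b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
                b"trailer<</Root 1 0 R>>\n%%EOF")
SAMPLE_OPENACTION = (b"%PDF-1.5\n1 0 obj<</Type/Catalog/Pages 2 0 R"
                     b"/OpenAction 3 0 R>>endobj\n"
                     b"3 0 obj<</S/Launch/F(placeholder.exe)>>endobj\n"
                     b"trailer<</Root 1 0 R>>\n%%EOF")
SAMPLE_ESCAPED = SAMPLE_OPENACTION.replace(b"/OpenAction", b"/Open#41ction") \
                                  .replace(b"/Launch", b"/GoTo")
```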
Re:Pretty good social engineering this time (Score:3, Insightful)
Re:suing Microsoft (Score:5, Insightful)
Re:Yeah, it's a gang war alright... (Score:1, Insightful)
Re:I would like to point out... (Score:5, Insightful)
"Of course it doesn't help that people we've helped in the past by emailing them fixes, solutions, and patches..."
There's nothing like convincing people to open random executable attachments to keep your job safe.
Re:Is the problem really hard to fix? (Score:3, Insightful)
Considering the number of people I've encountered who don't even know what a "program" is (all they know is that there are a set of different boxes on their screen, each of which does something different), how can you expect them to understand what executable code is, or how it gets run, or why it shouldn't be run?
You've seen polarized power plugs, right? The ones with one blade slightly wider than the other. This is to prevent people with no knowledge of electricity from inserting the plug into the receptacle in a way that will blow up their equipment.
Microsoft software is like having unpolarized plugs. To someone who knows what they are doing, this is not a problem, but for the average user, the useless ability to plug it in backwards has no beneficial properties whatsoever.
There should be no way to run an executable from a mail client. Not even a dialog that asks "Are you sure you want to run this?" People avoid thinking by simply clicking "Yes" to any question they are asked. It needs to be forbidden to execute an attachment. If you really, really must, then you can save it to a folder somewhere, then run it from there.
Microsoft's practice of allowing users to perform any bone-headed, ill-advised actions they wish should rank right up there with the irresponsibility of not supplying polarized plugs for electrical equipment. In fact, this situation is even more serious, since an incorrectly inserted power plug only has the potential to destroy the machine and/or the user, whereas a virus infection in a corporate network can potentially impact thousands of people.
Re:How is this an "ask slashdot"? (Score:2, Insightful)
Re:Insightful? (Score:5, Insightful)
Re:Yeah, it's a gang war alright... (Score:2, Insightful)
Re:I would like to point out... (Score:3, Insightful)
Re:Yeah, it's a gang war alright... (Score:3, Insightful)
Unfortunately, the virus could always just search through your sent and received mail and search for matching lines that would be in the signature or at the top of the message, and use these.
Re:"Microsoft" mail worms? (Score:3, Insightful)
We have human viruses, and canine viruses ( like Canine Distemper Virus - CVD), and porcine viruses (like Porcine Parvo Virus PPV). You name viruses for what they infect first, and for what they are and what they do second.
These 'viruses' and 'worms' all infect Windows. Not MacOS, not Linux, not BSD. Not Solaris, or RISC OS, or any of the other OSes that have been or are in use.
Funny, that.
Re: bullets; the stupidity of users? (Score:3, Insightful)
If people actually do wisen up and stop opening email attachments they're unsure about, the virus writers will just come up with more creative ways to convince you to run the code. Write a small applet that lets them play a contest game to win money - only, nobody is really going to win anything, and it drops a trojan horse on the PC. Send mail that looks like a legitimate attached form from the ISP, requesting some sort of info your ISP might actually need. (Heck, one popular method seems to currently be bundling "malware" with legitimate freeware apps people want to download and use - like p2p music sharing packages, pop-up blockers, and time synchronizing clients.) Who knows? This problem isn't going to go away just by trying to "educate it away", telling people not to read the stuff they get in their email.
Personally, I think virus scanners are generally a bit "behind the times" in this war. E.g., how many scanners have you seen that allow starting up without having to boot the actual OS that's being used, so they can remove a virus without it getting a chance to execute in RAM first? Of these, how many can scan an NTFS file system when started up in that manner? (To my knowledge, only the expensive "Avast BART" product currently offers all of this.) Modern trojan horses and virii are often shutting down the virus scanner processes so scanners can't remove them. They even do such things as prevent "regedit" from running, so you can't just prune them from the registry and reboot. (Of course, so far, many are coded poorly enough so you can just rename regedit to something else and then run it -- but that's bound to change.)
Just a few files (Score:3, Insightful)