Microsoft Mail Worms Gang War?
cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
Ah, the power of /. spelling! (Score:5, Interesting)
Most of the comments tucked inside the latest bugs are brief, unprintable and poorly spelled. "Bagle -- you are a looser!!!" opined the author of the sixth version of Netsky.
Hmmm, where have I seen that misspelling before? Let me think
little damage (Score:3, Interesting)
Maybe little damage to the computer itself, but they definitely cost a company in terms of IT support calls and lost productivity. Even though this cost is not easy to measure, it is certainly not a small amount.
Virus Activity (Score:5, Interesting)
These are not your stealth haxorz, these are the works of script kiddies. But of course everyone here already knew that.
Re:Turf? (Score:2, Interesting)
If you have to ask a question like that, a better one might be "How ISN'T my computer their turf?" Here's a tip: If you suddenly find all of your ports open, you may want to consider running a virus scanner.
Gangs have names (Score:2, Interesting)
Besides the "sorry but i had to" message in one of the MyDoom variants, no one has claimed authorship of these "gang" attacks on evil empires. As far as we know it could be a single programmer with lots of free time and a bad temper.
Maybe it is many ppl, but they merely share a common interest in a visible evil empire rather than being a gang.
Server-side filters? (Score:5, Interesting)
Note that I don't want to just block all messages containing attachments with certain extensions. There are many legitimate reasons for someone to send me a zip file as an attachment.
Re:Yeah, it's a gang war alright... (Score:5, Interesting)
At my office, we are using a non-standard email client that doesn't allow execution of code in any way and we still got nailed.
why?
The moron in the next cubicle (a PROGRAMMER no less) did this:
1) viewed the email (after receiving 5 memos specifically saying to just delete it)
2) clicked on the attachment
3) selected save as
4) opened up explorer, went LOOKING for the attachment
5) executed it by double-clicking.
I mean seriously! His defense when confronted?
"Well I wasn't sure...so...hum...well, I wouldn't have done that at home!"
I wanted to beat the crap out of him...
What's more likely... (Score:5, Interesting)
That's where I think this is all ultimately headed. The spammers are in bed with the virus writers, who have taken the penis enlargement pills as commission. :P
suing Microsoft (Score:3, Interesting)
It's surprising no consortium (like an ISP group) has come together and filed a lawsuit against MS for having to mop up their work. It's definitely costing to pass the traffic, having to explain 12! times a day to customers that we didn't send them a moronically written "Your account is suspend for virus activity" (yes I know it's a typo). MS should definitely be dishing out some money for this. After the first 100 or so viruses from the years 2000-2002 you would figure they would get their act together, but it's the same old story. And for the users (non geek users) of MS, the grandmothers, housewives, and non techies, you would figure they would wise up to the same shit different day. Instead they still open attachments, and rather altogether, still use the same chopperating system they often have to reinstall after having been infected 12! per year.
Seriously mind boggling. As for the virus creators they too need to be punished for their actions, and severely at that. I'm skeptical about the entire 'cybercrime' terrorist approach the DOJ and others have taken on this, but this is definitely something that's getting out of hand. And if you also work in an ISP, you would know the kinds of headaches one deals with on these virus issues. Hopefully our 3rd party antispam/virus filter mail provider gets their act together. Think about the costs for a mid sized ISP on something like technical support alone. 1000 calls a day to explain why someone should not open those emails multiplied by the salaries. Wasted money.
Little damage? (Score:4, Interesting)
No more attachments. (Score:5, Interesting)
Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.
Microsoft needs to turn off the "feature" that clicking on a mail attachment runs it. It should just be "viewed", with a dumb viewer. It should be impossible to launch programs from mail attachments. Users should have to explicitly save to a file and run to do that.
Re:I would like to point out... (Score:5, Interesting)
Of course it doesn't help that people we've helped in the past by emailing them fixes, solutions, and patches have us under our address books, so in turn we get all their email telling us 'Hi.'
Re:How is this an "ask slashdot"? (Score:3, Interesting)
preying on the ignorant (Score:3, Interesting)
the exchange server is configured to catch most of this crap, delete the attachments, etc. - but if ANY of it gets through to a user, the attachment WILL get opened.
the hell of it is, our security advisor sends out DAILY network alerts, telling people EXPLICITLY what to look for, what NOT to do under any circumstances, right down to the various subject lines and attachment names that these worms will manifest with. she couldn't be any clearer in her instructions if she walked into their individual offices and handed them a stone tablet, engraved by the hand of God himself and saying "Thou shalt not clicketh upon this thing."
the typical excuses we hear are something along the lines of "b-but . . . it came from a guy i know? he wouldn't send me a virus?"
sigh.
Re:latest breed (Score:3, Interesting)
Have they? Last I checked, ClamAV had just given up on the password-protected zips. Or are you referring to blocking all password-protected zips, not just infected ones?
Re:Yeah, it's a gang war alright... (Score:2, Interesting)
That's the problem. People need to not open attachments, even if they know who sent them, unless they are expecting them. Take the two recent variants of Beagle (.J and
Re:Is the problem really hard to fix? (Score:3, Interesting)
Here's a better solution: 99% of the population knows you have to change your oil, because they are (somewhat) educated in that regard. Why not just educate people?? There's nothing GM can do to make you change your oil c'ept show you what happens if you don't!
Your solution sounds like the default Outlook XP fix: Block any executable attachments. What kind of garbage solution is that? It's called a "Let's break it so they can't use it" fix.
Re:Of course these viruses are for posturing (Score:5, Interesting)
People are beginning to write viruses for money. Witness the latest ICQ worm that monitors and relays all HTTPS and i-banking data back to HQ. It was modular and appeared to be written by a team of programmers.
Klez and Bagle also both seem like for-profit endeavors. Klez seemed to be a team perfecting their methods in such a way that they were sure the world's security wouldn't clamp down in response: They had a sunset written into the program. I guarantee you there are hundreds of thousands of people with Klez on their computer out there that never got cleaned up. For a long while, after every sunset they released a slightly improved product.
Once they got it right, they stopped. Maybe they're working on new methods, another virus, or they're looking for some spammer to pay them for 100,000 free mail relays before they release again.
But it's not just for posturing. It's organized crime. They're going to get paid.
Re:No more attachments. (Score:3, Interesting)
That's just the risk of attachments. The only way to be quite safe is not to open _or_ view any attachment that is sent to you by someone you do not know (and of course disable things like a preview pane).
Re:Warnings... (Score:3, Interesting)
Re:"Microsoft" mail worms? (Score:3, Interesting)
Being able to open a document attached to an e-mail with a single click is user-friendly, and is a feature I quite like having, even in my non-Microsoft e-mail client. It makes sense to prevent users from running actual executables with a single click (and every e-mail client I've seen does so), but it is not possible for the e-mail client to keep a complete list of dangerous vs. safe file types. Zips in particular are used legitimately in e-mails far more often than not, so why should you expect your e-mail client to stop you from opening one?
The real problem here is the trusted-executable paradigm on which all major operating systems are based. All variants of Unix (which, in my book, includes Windows) assume that you trust any executable you run. In other words, they assume that you know exactly what you are doing. Obviously, users don't always know what they are doing, and the OS should be there to watch and double-check with the user when anything suspicious happens. The OS should ask the user if they really want to allow this program to access the internet (spreading itself). It should ask if they really want to install that backdoor and let it run on startup. It should explain what each question means so that the user can make an informed decision.
If OS's did these things, not only would viruses no longer spread, but things like spyware and adware installed by programs like RealPlayer would no longer function. In fact, because it would be so obvious when a program contained spyware, companies would probably be less inclined to try to include it in the first place.
So why does no OS do this? Probably because it would take some work to implement. Who wants to be the first?
Re:Too many patches (Score:2, Interesting)
I know that was meant as a joke, but you actually are on the right track. In my opinion virus scanners shouldn't just be looking for virus "signatures", but look for "malicious code". For example look for blocks of code that would send e-mail out to everyone in your address book or put hidden keys in the registry.
I'm not a Windows programmer, but I am sure there are specific calls to libraries that can be detected in a dangerous sequence that could flag the executable as a potential virus. Just running strings on a virus I got mailed today reveals calls to InternetOpenA, ShellExecuteA, URLDownloadToFileA, etc. A virus scanner that semi-disassembled an executable to more or less see if it would do damage would be a far better approach.
Another approach would be for the virus scanner to actually execute the virus in a chrooted/jailed environment to see what it does.
I'm just brainstorming here. Your comment got me thinking.
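The "look for a dangerous combination of library calls" idea from the comment above, as an added Python example that is not from the original thread: it runs a `strings`-style scan over a file and flags combinations of the API names the comment lists. The category table, the extra API names beyond the three quoted, and the `fake_binary` samples are constructed for the example.

```python
import re

# Suspicious Win32/MAPI imports grouped by the behaviour they enable.  InternetOpenA,
# ShellExecuteA and URLDownloadToFileA are the names quoted in the comment above; the
# rest are well-known APIs for the registry and address-book behaviour it describes.
API_CATEGORIES = {
    "download":  {"InternetOpenA", "InternetOpenUrlA", "URLDownloadToFileA"},
    "execute":   {"ShellExecuteA", "WinExec", "CreateProcessA"},
    "persist":   {"RegSetValueExA", "RegCreateKeyExA"},
    "mass_mail": {"MAPISendMail", "MAPIResolveName"},
}

def extract_strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs of at least min_len bytes, i.e. what the `strings` tool prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def suspicious_imports(data: bytes):
    """{category: sorted API names found} for every category with at least one hit."""
    seen = set(extract_strings(data))
    return {cat: sorted(seen & names) for cat, names in API_CATEGORIES.items() if seen & names}

def verdict(data: bytes) -> str:
    """Crude triage: download+execute together, or any mass-mail API, is worm-like."""
    hits = suspicious_imports(data)
    if ("download" in hits and "execute" in hits) or "mass_mail" in hits:
        return "suspicious"
    return "review" if hits else "clean"

def fake_binary(names):
    """Constructed stand-in for an executable's import table: NUL-separated names after a stub header."""
    header = b"MZ\x90\x00" + bytes(28)   # not a real PE, just enough to look like one
    return header + b"\x00".join(n.encode("ascii") for n in ["KERNEL32.dll", *names]) + b"\x00"

# Constructed samples: one mimicking a mass-mailer's imports, one a plain GUI program.
WORM_LIKE = fake_binary(["InternetOpenA", "URLDownloadToFileA", "ShellExecuteA", "RegSetValueExA"])
BENIGN = fake_binary(["MessageBoxA", "GetTickCount"])

if __name__ == "__main__":
    for label, blob in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, verdict(blob), suspicious_imports(blob))
```

A packed or obfuscated sample resolves its imports at run time and shows none of these strings, which is why this kind of static check is only a first pass before the sandboxed execution the next comment suggests.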
Re:latest breed (Score:3, Interesting)
I've set the system to update every 60 minutes.
Also Sybari is recommending setting Antigen filters to dump zip files that are less than 40k
A simple solution (Score:4, Interesting)
"A new company policy is hereby enacted: It is forbidden for any user on the corporate network to execute any binary email attachment of any kind, including any attachment from anyone within the network. We will occasionally enforce this measure by sending dummy attachments to all corporate users which will report your workstation to network operations should you click on the attachment. Doing so will be grounds for immediate dismissal. We reserve the right to be sneaky, so your best policy for keeping your job secure is to simply never click on an attachment. Thanks, and have a nice week."
College Campuses (Score:2, Interesting)
staff@osu.edu.
That's over 30,000 users, right there, on broadband. Multiply that by every campus in the world... I was honestly even curious about it, until I saw the attachment file. Their biggest weakness in it, actually, was that it sent several copies, each with a different user@osu.edu. That made it more suspicious.
Re:Warnings... (Score:4, Interesting)
I did something like this. There was a proggie in the Win2K resource kit that slowly and gracefully shuts down all your programs, and reboots. I renamed it to do_not_run_this.exe. I sent it to the company mailing list, with a subject of VIRUS ATTACHED - DO NOT RUN. I put all over the email warnings about not running. A few minutes later, I got hassled by people: "Blah, I was working on something" "Blah, I was in the middle of a download". Unbelievable. You can see pics of the IT team that I was in here [umtstrial.co.uk], just out of interest.
a modest proposal (Score:2, Interesting)
1. Microsoft should immediately patch Exchange and Outlook so that no attachments that include executable files can be transmitted. You get Word files, PDFs, plain text, JPEGs and similar "passive" file formats. Any scripting gets filtered out of HTML or spreadsheets. An archive (tar, zip, etc.) doesn't get transmitted if it contains bad stuff or is not readable. And you can't override this by just clicking "yes" or "okay" upon receipt of a message.
2. Viruses propagate similar to spam. MS Exchange or other MTAs should make note of 50000+ very similar messages being tossed about and immediately blacklist compromised machines, then go into mail accounts and yank out virus messages that haven't been downloaded yet. Messages with attachments should be subject to a short extra wait time (5 min) to slow propagation and give the system time to react.
3. Email attachments, even non-executable ones, should be opened in a restricted environment, e.g. chroot jail, Java sandbox, or a refreshable VMware image. If the virus goes nuts, just delete the environment and kill its processes. Don't allow outbound connections from the sandbox. In the long run, web pages and downloaded files should be treated similarly.
Yes, virus writers will find workarounds and attack new security holes. But Microsoft has an obligation to fix existing security holes and at least make the virus writers look for new ones.
Yes, some people will be annoyed that their excel macros get lost. But it is time to start setting up a social environment where email is about sending a message that you type in yourself to communicate, not just a file sharing system for forwarding zip files.
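A server-side attachment gate of the kind several comments in this thread ask for (pass only passive formats, drop executables, refuse archives that are unreadable or hide executables or password-protected members, and hold small zips per the 40k Antigen tip above), as an added Python example that is not from the original thread. The extension lists, the choice to quarantine rather than dump small zips, and the sample message are constructed for the example.

```python
import io, os, zipfile
from email.message import EmailMessage

PASSIVE_EXT = {".pdf", ".gif", ".jpg", ".jpeg", ".txt"}
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
SMALL_ZIP_BYTES = 40 * 1024   # the "less than 40k" threshold from the Antigen tip above

def judge_zip(payload: bytes):
    """Decide on an archive from its central directory alone; nothing is extracted."""
    try:
        infos = zipfile.ZipFile(io.BytesIO(payload)).infolist()
    except zipfile.BadZipFile:
        return ("drop", "unreadable archive")
    for info in infos:
        if info.flag_bits & 0x1:          # general-purpose bit 0 set: member is encrypted
            return ("drop", f"password-protected member {info.filename}")
        if os.path.splitext(info.filename.lower())[1] in EXEC_EXT:
            return ("drop", f"executable inside archive: {info.filename}")
    if len(payload) < SMALL_ZIP_BYTES:
        return ("quarantine", "small archive, hold for review")
    return ("allow", "archive contents look passive")

def judge_attachment(filename: str, payload: bytes):
    """Allow-list passive formats, drop executables outright, look inside zips."""
    ext = os.path.splitext(filename.lower())[1]
    if ext == ".zip":
        return judge_zip(payload)
    if ext in EXEC_EXT:
        return ("drop", f"executable attachment {filename}")
    if ext in PASSIVE_EXT:
        return ("allow", f"passive format {filename}")
    return ("quarantine", f"unrecognised type {filename!r}")

def judge_message(msg: EmailMessage):
    # (filename, action, reason) for each attachment part; the text body is left alone.
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, *judge_attachment(name, part.get_payload(decode=True) or b"")))
    return results

def build_sample() -> EmailMessage:
    """Constructed message shaped like the thread's worm mails: a zip hiding an .exe, plus a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pdf.exe", b"MZ constructed, not a real program")
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg
```

Extension checks only go by the declared name, so a real deployment would also sniff the content (a "PDF" that begins with MZ is not a PDF) before letting anything through.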
Re:a modest proposal (Score:2, Interesting)
Re:Wild, wild west (Score:2, Interesting)
Re:Warnings... (Score:3, Interesting)
This email was made even more confusing when I received numerous other *real* emails from my mail system saying my mail had viruses in it.