Security

Microsoft Mail Worms Gang War?

cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
  • by Daniel Dvorkin ( 106857 ) * on Thursday March 04, 2004 @03:38PM (#8466860) Homepage Journal
    From the article:

    Most of the comments tucked inside the latest bugs are brief, unprintable and poorly spelled. "Bagle -- you are a looser!!!" opined the author of the sixth version of Netsky.

    Hmmm, where have I seen that misspelling before? Let me think ...
  • little damage (Score:3, Interesting)

    by stonebeat.org ( 562495 ) on Thursday March 04, 2004 @03:41PM (#8466897) Homepage
    Typically these viruses (or more correctly, worms) do little damage to the infected computer,
    maybe little damage to the computer itself, but they definitely cost a company in terms of IT support calls and lost productivity. Even though this cost is not easy to measure, it is certainly not a small amount.
  • Virus Activity (Score:5, Interesting)

    by Eberlin ( 570874 ) on Thursday March 04, 2004 @03:42PM (#8466931) Homepage
    Wouldn't this much virus activity raise the chances of being caught? Pride has been the downfall of a great many "1337 d00dz" who can't seem to avoid bragging about their 5|i77z. Then again, if you did stage such acts, it does nothing for your ego unless people know you did so.

    These are not your stealth haxorz, these are the works of script kiddies. But of course everyone here already knew that.
  • Re:Turf? (Score:2, Interesting)

    by Volmarias ( 705460 ) on Thursday March 04, 2004 @03:43PM (#8466935) Homepage Journal
    How is my computer their turf?

    If you have to ask a question like that, a better one might be "How ISN'T my computer their turf?" Here's a tip: If you suddenly find all of your ports open, you may want to consider running a virus scanner. :)
  • Gangs have names (Score:2, Interesting)

    by Jotaigna ( 749859 ) <jotaigna@yahoo.com> on Thursday March 04, 2004 @03:45PM (#8466973) Homepage Journal
    The Pakistani/Indian conflict is well determined, as the clubs have names.
    Besides the "sorry but i had to" message in one of the MyDoom variants, no one has claimed authorship of these "gang" attacks on evil empires. As far as we know it could be a single programmer with lots of free time and a bad temper.
    Maybe it is many ppl, but they merely share a common interest in a visible evil empire rather than being a gang.
  • Server-side filters? (Score:5, Interesting)

    by Dominic_Mazzoni ( 125164 ) * on Thursday March 04, 2004 @03:47PM (#8466992) Homepage
    Can anyone recommend a good server-side tool to block viruses and worms? I'm using procmail now with a bunch of handwritten rules, and they work well on a bunch of older viruses, but there are so many new variations now that I can't keep up! On the client side, Bayesian filters (in Mozilla Mail and Apple Mail.app, for example) work reasonably well with spam, but they have a harder time with viruses and worms. It's also more annoying because viruses and worms are so large (30k or 100k, typically) and my local mail client has to download the entire message before filtering it out.

    Note that I don't want to just block all messages containing attachments with certain extensions. There are many legitimate reasons for someone to send me a zip file as an attachment.
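One way to do what this post asks for, as an added example that is not part of the thread: a small Python filter (callable from a procmail recipe or a milter) that opens each zip attachment and rejects only archives that carry an executable, by MZ header or by extension so "photo.jpg.exe" is caught, or that are password protected, the trick the Bagle .J/.K mails use so a scanner cannot look inside. Plain zips of documents pass. Function names, the extension list, the size limits and the sample message are assumptions, not anything from the thread.

```python
"""Content-aware attachment filter for an MTA hook or procmail recipe (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: extensions the Windows shell runs directly (illustrative, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl"}
MAX_DEPTH = 2            # archives nested deeper than this are treated as hostile
MAX_MEMBER = 8 << 20     # 8 MiB per member; larger than any worm carrier, stops zip bombs


def classify(name, data, depth=0):
    """Verdict for one file: 'clean', 'executable', 'encrypted-archive', 'nested-archive', ..."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data[:2] == b"MZ" or ext in EXEC_EXTS:   # content first: renaming the file does not help
        return "executable"
    if data[:4] == b"PK\x03\x04":               # zip local file header signature
        return classify_zip(data, depth)
    return "clean"


def classify_zip(data, depth):
    if depth >= MAX_DEPTH:
        return "nested-archive"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "malformed-archive"
    for info in zf.infolist():
        if info.flag_bits & 0x1:                # general purpose bit 0: member is encrypted
            return "encrypted-archive"          # cannot be scanned, so it does not get through
        if info.file_size > MAX_MEMBER:
            return "oversized-member"
        verdict = classify(info.filename, zf.read(info), depth + 1)
        if verdict != "clean":
            return verdict
    return "clean"


def scan_message(raw):
    """Return [(filename, verdict)] for every attachment of a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        results.append((name, classify(name, data)))
    return results


def should_reject(raw):
    return any(verdict != "clean" for _, verdict in scan_message(raw))


def _zip_bytes(members):
    """Constructed helper: build an in-memory, stored (uncompressed) zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _flag_encrypted(zip_bytes):
    """Constructed helper: set the 'encrypted' flag bit in every local and central
    directory header so the archive looks password protected to the scanner."""
    buf = bytearray(zip_bytes)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos >= 0:
            buf[pos + offset] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def sample_message():
    """Constructed message in the style of the Bagle 'account warning' mails quoted in the thread."""
    msg = EmailMessage()
    msg["From"] = "staff@example.edu"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Notify about your e-mail account utilization."
    msg.set_content("For more information see the attached file.")
    attachments = {
        "report.zip": _zip_bytes({"report.txt": b"quarterly numbers"}),
        "invoice.zip": _zip_bytes({"invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60}),
        "account.zip": _flag_encrypted(_zip_bytes({"info.txt": b"not really encrypted"})),
    }
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(sample_message()):
        print(f"{name:14s} {verdict}")
```

The check order matters: the MZ test runs before the extension test, so an executable renamed to .txt is still caught, and the depth limit stops a zip-in-a-zip loop from pinning the mail server. Encrypted archives are rejected outright rather than guessed at; if the password is in the mail body, as in the Bagle sample, a later refinement could extract it and scan the contents.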
  • by TCaptain ( 115352 ) <slashdot.20.tcap ... o u r m e t .com> on Thursday March 04, 2004 @03:48PM (#8467017)
    you're not kidding.

    At my office, we are using a non-standard email client that doesn't allow execution of code in any way and we still got nailed.

    why?

    The moron in the next cubicle (a PROGRAMMER no less) did this:

    1) viewed the email (after receiving 5 memos specifically saying to just delete it)
    2) clicked on the attachment
    3) selected save as
    4) opened up explorer, went LOOKING for the attachment
    5) executed it by double-clicking.

    I mean seriously! His defense when confronted?
    "Well I wasn't sure...so...hum...well I wouldn't have done that at home!"

    I wanted to beat the crap out of him...
  • by Kyouryuu ( 685884 ) on Thursday March 04, 2004 @03:48PM (#8467020) Homepage
    What I think is more likely is that some spam mail company is commissioning virus writers to create these worms in order to spread their operations. Sobig's objective, after all, seemed to be based on setting up infected machines as peer-to-peer drones for use by the author. It is a logical extension of the "monolithic" approach I'm certain most spammers follow of having several powerful computers running at all hours of the day, consuming electricity, bought and maintained, stashed away in a basement. Why not take advantage of a peer-to-peer system and infect the computers of careless Internet users and exploit their ignorance to become spam drones?

    That's where I think this is all ultimately headed. The spammers are in bed with the virus writers, who have taken the penis enlargement pills as commission. :P

  • suing Microsoft (Score:3, Interesting)

    by segment ( 695309 ) <sil@po l i t r i x .org> on Thursday March 04, 2004 @03:50PM (#8467067) Homepage Journal

    It's surprising no consortium (like an ISP group) has come together and filed a lawsuit against MS for having to mop up their work. It's definitely costing to pass the traffic, having to explain 12! times a day to customers that we didn't send them a moronically written "Your account is suspend for virus activity" (yes I know it's a typo). MS should definitely be dishing out some money for this. After the first 100 or so viruses from the years 2000-2002 you would figure they would get their act together, but it's the same old story. And for the users (non geek users) of MS, the grandmothers, housewives, and non techies, you would figure they would wise up to the same shit different day. Instead they still open attachments, and rather altogether, still use the same chopperating system they often have to reinstall after having been infected 12! per year.

    Seriously mind boggling. As for the virus creators they too need to be punished for their actions, and severely at that. I'm skeptical about the entire 'cybercrime' terrorist approach the DOJ and others have taken on this, but this is definitely something that's getting out of hand. And if you too also work in an ISP, you would know the kind of headaches one deals with on these virus issues. Hopefully our 3rd party antispam/virus filter mail provider gets their act together. Think about the costs for a mid sized ISP on something like technical support alone. 1000 calls a day to explain why someone should not open those emails multiplied by the salaries. Wasted money.

  • Little damage? (Score:4, Interesting)

    by dillon_rinker ( 17944 ) on Thursday March 04, 2004 @03:51PM (#8467085) Homepage
    MyDoom installs a back door on every machine it is run on. If that constitutes "little damage" then I guess we should all set our root password to "root".
  • No more attachments. (Score:5, Interesting)

    by Animats ( 122034 ) on Thursday March 04, 2004 @03:52PM (#8467099) Homepage
    It's time to just block all E-mail attachments. If you want to send a file, do it some other way, like uploading it to a server for explicit download.

    Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.

    Microsoft needs to turn off the "feature" that clicking on a mail attachment runs it. It should just be "viewed", with a dumb viewer. It should be impossible to launch programs from mail attachments. Users should have to explicitly save to a file and run to do that.

  • by b0r0din ( 304712 ) on Thursday March 04, 2004 @03:54PM (#8467118)
    Little damage, my ass. However, I will point out, that on a positive note, I work in a network callcenter, every time one of these babies comes out our call volume spikes by as much as 30%. These virii are at least keeping the calls coming in, which is how we generate cash. So at least for us, it's job security on some scale.

    Of course it doesn't help that people we've helped in the past by emailing them fixes, solutions, and patches have us under our address books, so in turn we get all their email telling us 'Hi.'
  • by ktulu1115 ( 567549 ) on Thursday March 04, 2004 @03:54PM (#8467125)
    The question is which "some poor evil empire" is going to get hit next. I think our favorite software company in Redmond is a likely next target (can't say I have any sympathy with the recent story [slashdot.org])
  • by subjectstorm ( 708637 ) on Thursday March 04, 2004 @03:55PM (#8467135) Journal
    here in my office (government), we had very little trouble with mydoom or any of its variants - but netsky.d, for whatever reason, was slipping through. this was on march 2, so for a few hours, we had a lot of people calling the helpdesk and complaining about the "weird beepy noises" coming from their computers.

    the exchange server is configured to catch most of this crap, delete the attachments, etc. - but if ANY of it gets through to a user, the attachment WILL get opened.

    the hell of it is, our security advisor sends out DAILY network alerts, telling people EXPLICITLY what to look for, what NOT to do under any circumstances, right down to the various subject lines and attachment names that these worms will manifest with. she couldn't be any clearer in her instructions if she walked into their individual offices and handed them a stone tablet, engraved by the hand of God himself and saying "Thou shalt not clicketh upon this thing."

    the typical excuses we hear are something along the lines of "b-but . . . it came from a guy i know? he wouldn't send me a virus?"

    sigh.

  • Re:latest breed (Score:3, Interesting)

    by menscher ( 597856 ) <menscher+slashdot@u i u c . e du> on Thursday March 04, 2004 @04:03PM (#8467242) Homepage Journal
    The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)

    Have they? Last I checked, ClamAV had just given up on the password-protected zips. Or are you referring to blocking all password-protected zips, not just infected ones?

  • and the bullets are the stupidity of most windows users. No matter how much we tell people "don't open attachments unless you know the person!" they still won't listen.


    That's the problem. People need to not open attachments, even if they know who sent them, unless they are expecting them. Take the two recent variants of Beagle (.J and .K)... They come from @ and look official (at least to the untrained eye)... People will either, A) be doing something they shouldn't be online, and think they're busted. Or B) be shocked at being accused of doing something illicit, and attempt to open the attachment to see what in the world they've been accused of. Makes for a fun time in tech support.
  • by DR SoB ( 749180 ) on Thursday March 04, 2004 @04:14PM (#8467364) Journal
    I think I'd crap on M$ for putting that in as a default.

    Here's a better solution: 99% of the population knows you have to change your oil, because they are (somewhat) educated in that regard. Why not just educate people?? There's nothing GM can do to make you change your oil c'ept show you what happens if you don't!

    Your solution sounds like the default Outlook XP fix: Block any executable attachments. What kind of garbage solution is that? It's called a "Let's break it so they can't use it" fix.
  • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Thursday March 04, 2004 @04:15PM (#8467386) Journal
    You're just plain wrong.

    People are beginning to write viruses for money. Witness the latest ICQ worm that monitors and relays all HTTPS and i-banking data back to HQ. It was modular and appeared to be written by a team of programmers.

    Klez and Bagle also both seem like for-profit endeavors. Klez seemed to be a team perfecting their methods in such a way that they were sure the world's security wouldn't clamp down in response: They had a sunset written into the program. I guarantee you there are hundreds of thousands of people with Klez on their computer out there that never got cleaned up. For a long while, after every sunset they released a slightly improved product.

    Once they got it right, they stopped. Maybe they're working on new methods, another virus, or they're looking for some spammer to pay them for 100,000 free mail relays before they release again.

    But it's not just for posturing. It's organized crime. They're going to get paid.
  • by O0o0Oblubb!O0o0O ( 526718 ) on Thursday March 04, 2004 @04:17PM (#8467419) Homepage
    Nope, does not work. If you followed the news lately, you would have read that the first vulnerability and the corresponding proof-of-concept exploit after the MS win2k source leak involved a buffer overflow caused by a hex-edited image file. As Outlook will probably use IE for viewing, you are still vulnerable to attack. The Acrobat reader has also had a series of vulnerabilities.

    That's just the risk of attachments. The only way to be quite safe is not to open _or_ view any attachment that is sent to you by someone you do not know (and of course disable things like a preview pane).
  • Re:Warnings... (Score:3, Interesting)

    by Neon Spiral Injector ( 21234 ) * on Thursday March 04, 2004 @04:25PM (#8467547)
    Just went into ClamAV CVS today, a configuration option to reject encrypted ZIPs.
  • by Temporal ( 96070 ) on Thursday March 04, 2004 @04:32PM (#8467680) Journal
    MyDoom is attached as a zip containing an executable. It does not appear as a jpg, doc, or other file type. It appears as a zip. What would you expect to happen when you click on a zip attachment? The e-mail program is probably not designed to explicitly recognize zips, so it sends it off to the OS's default handler for zip files. That handler happily allows the user to open the contents since it has no idea that the thing came from an untrusted source.

    Being able to open a document attached to an e-mail with a single click is user-friendly, and is a feature I quite like having, even in my non-Microsoft e-mail client. It makes sense to prevent users from running actual executables with a single click (and every e-mail client I've seen does so), but it is not possible for the e-mail client to keep a complete list of dangerous vs. safe file types. Zips in particular are used legitimately in e-mails far more often than not, so why should you expect your e-mail client to stop you from opening one?

    The real problem here is the trusted-executable paradigm on which all major operating systems are based. All variants of Unix (which, in my book, includes Windows) assume that you trust any executable you run. In other words, they assume that you know exactly what you are doing. Obviously, users don't always know what they are doing, and the OS should be there to watch and double-check with the user when anything suspicious happens. The OS should ask the user if they really want to allow this program to access the internet (spreading itself). It should ask if they really want to install that backdoor and let it run on startup. It should explain what each question means so that the user can make an informed decision.

    If OS's did these things, not only would viruses no longer spread, but things like spyware and adware installed by programs like RealPlayer would no longer function. In fact, because it would be so obvious when a program contained spyware, companies would probably be less inclined to try to include it in the first place.

    So why does no OS do this? Probably because it would take some work to implement. Who wants to be the first?
  • Re:Too many patches (Score:2, Interesting)

    by 4b696e67 ( 670803 ) on Thursday March 04, 2004 @04:43PM (#8467851)
    Yes, I agree. The main problem with all the modern virus scanners is that they can't detect viruses FROM THE FUTURE. What we really need is for someone to put together a program that anticipates the form that next year's viruses will take and then automatically deletes them. Better yet, we need a program that predicts where the viruses will come from and then has the writers arrested before they even make the code. Problem solved!

    I know that was meant as a joke, but you actually are on the right track. In my opinion virus scanners shouldn't just be looking for virus "signatures", but look for "malicious code". For example look for blocks of code that would send e-mail out to everyone in your address book or put hidden keys in the registry.

    I'm not a Windows programmer, but I am sure there are specific calls to libraries that can be detected in a dangerous sequence that could flag the executable as a potential virus. Just running strings on a virus I got mailed today reveals calls to InternetOpenA, ShellExecuteA, URLDownloadToFileA, etc. A virus scanner that semi-disassembled an executable to more or less see if it would do damage would be a far better approach.

    Another approach would be for the virus scanner to actually execute the virus in a chrooted/jailed environment to see what it does.

    I'm just brainstorming here. Your comment got me thinking.
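The strings-level version of what the comment above sketches, as an added example that is not part of the thread: extract printable strings the way `strings` does, map known Windows API names and registry paths to capability buckets, and flag the file when the buckets combine into a worm-like profile (download plus execute, address-book harvesting plus its own SMTP engine, persistence plus network). The capability table, the combination rules and the two sample byte strings are assumptions for illustration. A production scanner would walk the PE import table instead of raw strings, and packed or obfuscated samples hide these names entirely, which is why the approach is a triage heuristic rather than a verdict.

```python
"""Strings-based capability heuristic for a suspect Windows executable (added example)."""
import re

# Assumption: a small capability table; real products carry thousands of rules.
CAPABILITIES = {
    "network":  {"InternetOpenA", "InternetConnectA", "WSAStartup", "gethostbyname"},
    "download": {"URLDownloadToFileA", "InternetReadFile", "HttpOpenRequestA"},
    "execute":  {"ShellExecuteA", "WinExec", "CreateProcessA", "CreateRemoteThread"},
    "persist":  {"RegSetValueExA", "CurrentVersion\\Run", "CreateServiceA"},
    "harvest":  {"MAPISendMail", "Windows Address Book", "FindFirstFileA", ".wab"},
    "smtp":     {"HELO ", "MAIL FROM:", "RCPT TO:"},
    "guard":    {"IsDebuggerPresent", "AdjustTokenPrivileges", "CreateMutexA"},
}

# Combinations that together describe a mass-mailing worm or a dropper.
SUSPICIOUS_COMBOS = [
    ({"download", "execute"}, "downloads and runs a payload"),
    ({"harvest", "smtp"}, "mails itself to harvested addresses"),
    ({"persist", "network"}, "survives reboot and talks to the network"),
]

STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")   # runs of 5+ printable ASCII bytes, like strings(1)


def extract_strings(data):
    return [s.decode("ascii") for s in STRING_RE.findall(data)]


def capabilities(data):
    """Map extracted strings to capability buckets; returns {bucket: sorted indicator hits}."""
    found = {}
    for s in extract_strings(data):
        for bucket, indicators in CAPABILITIES.items():
            for ind in indicators:
                if ind in s:
                    found.setdefault(bucket, set()).add(ind)
    return {bucket: sorted(hits) for bucket, hits in found.items()}


def assess(data):
    """Return (score, reasons, capabilities). Any score >= 1 is worth quarantining for a human look."""
    caps = capabilities(data)
    reasons = [why for needed, why in SUSPICIOUS_COMBOS if needed <= set(caps)]
    return len(reasons), reasons, caps


def sample_worm_like():
    """Constructed bytes standing in for a worm dropper: a fake MZ/PE header, padding, and the
    kind of import names and registry paths the comment above saw with strings."""
    return (
        b"MZ\x90\x00" + b"\x00" * 40 + b"PE\x00\x00" + b"\x00" * 40 +
        b"KERNEL32.dll\x00CreateMutexA\x00FindFirstFileA\x00WinExec\x00"
        b"WININET.dll\x00InternetOpenA\x00InternetReadFile\x00"
        b"urlmon.dll\x00URLDownloadToFileA\x00SHELL32.dll\x00ShellExecuteA\x00"
        b"ADVAPI32.dll\x00RegSetValueExA\x00"
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
        b"*.wab\x00*.htm\x00HELO \x00MAIL FROM:<\x00RCPT TO:<\x00"
    )


def sample_benign():
    """Constructed bytes for a harmless console tool: file I/O only, no network or persistence."""
    return (b"MZ\x90\x00" + b"\x00" * 40 +
            b"KERNEL32.dll\x00CreateFileA\x00ReadFile\x00WriteFile\x00"
            b"MSVCRT.dll\x00printf\x00Usage: tool <input> <output>\x00")


if __name__ == "__main__":
    for label, blob in (("worm-like", sample_worm_like()), ("benign", sample_benign())):
        score, reasons, caps = assess(blob)
        print(f"{label}: score={score} {reasons} buckets={sorted(caps)}")
```

The point of scoring on combinations rather than single API names is false positives: a download manager imports URLDownloadToFileA and an installer writes a Run key, but only something that does both, or that harvests .wab files while carrying its own SMTP verbs, looks like Netsky or Bagle.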
  • Re:latest breed (Score:3, Interesting)

    by Pontiac ( 135778 ) on Thursday March 04, 2004 @04:46PM (#8467892) Homepage
    We run SAV (Hey they changed Norton to Symantec for the new 8x system)..

    I've set the system to update every 60 minutes.
    Also Sabari is recommending setting Antigen filters to dump zip files that are less than 40k

  • A simple solution (Score:4, Interesting)

    by pclminion ( 145572 ) on Thursday March 04, 2004 @05:06PM (#8468189)
    Here's a simple solution for corporations, to try to stem the tide of idiots who double-click on attachments. Distribute a company-wide memo stating something along the lines of the following:

    "A new company policy is hereby enacted: It is forbidden for any user on the corporate network to execute any binary email attachment of any kind, including any attachment from anyone within the network. We will occasionally enforce this measure by sending dummy attachments to all corporate users which will report your workstation to network operations should you click on the attachment. Doing so will be grounds for immediate dismissal. We reserve the right to be sneaky, so your best policy for keeping your job secure is to simply never click on an attachment. Thanks, and have a nice week."

  • College Campuses (Score:2, Interesting)

    by mdarksbane ( 587589 ) on Thursday March 04, 2004 @05:20PM (#8468449)
    I go to Ohio State University, and for the past week I and most people I know have been receiving these messages from

    staff@osu.edu.

    That's over 30,000 users, right there, on broadband. Multiply that by every campus in the world... I was honestly even curious about it, until I saw the attachment file. Their biggest weakness in it, actually, was that it sent several copies, each with a different user@osu.edu. That made it more suspicious.
  • Re:Warnings... (Score:4, Interesting)

    by caluml ( 551744 ) <slashdot@spamgoe ... minus herbivore> on Thursday March 04, 2004 @05:59PM (#8469050) Homepage
    I'm going to write a worm that sends ppl emails that say "I am a worm. Don't open my attachment."

    I did something like this. There was a proggie in the Win2K resource kit that slowly and gracefully shuts down all your programs, and reboots. I renamed it to do_not_run_this.exe. I sent it to the company mailing list, with a subject of VIRUS ATTACHED - DO NOT RUN. I put all over the email warnings about not running. A few minutes later, I got hassled by people: "Blah, I was working on something" "Blah, I was in the middle of a download". Unbelievable. You can see pics of the IT team that I was in here [umtstrial.co.uk], just out of interest.

  • a modest proposal (Score:2, Interesting)

    by fred fleenblat ( 463628 ) on Thursday March 04, 2004 @06:16PM (#8469280) Homepage
    Simple three point plan for eliminating e-mail viruses:

    1. Microsoft should immediately patch exchange and outlook so that no attachments that include executable files can be transmitted. You get word files, pdfs, plain text, jpegs and similar "passive" file formats. any scripting gets filtered out of html or spreadsheets. An archive (tar, zip, etc) doesn't get transmitted if it contains bad stuff or is not readable. And you can't override this by just clicking "yes" or "okay" upon receipt of a message.

    2. viruses propagate similar to spam. ms exchange or other MTAs should make note of 50000+ very similar messages being tossed about and immediately blacklist compromised machines, then go into mail accounts and yank out virus messages that haven't been downloaded yet. Messages with attachments should be subject to a short extra wait time (5 min) to slow propagation and give the system time to react.

    3. email attachments, even non-executable ones, should be opened in a restricted environment, e.g. chroot jail, java sandbox, or a refreshable vmware image. if the virus goes nuts, just delete the environment and kill its processes. don't allow outbound connections from the sandbox. In the long run, web pages and downloaded files should be treated similarly.

    Yes, virus writers will find workarounds and attack new security holes. But microsoft has an obligation to fix existing security holes and at least make the virus writers look for new ones.

    Yes, some people will be annoyed that their excel macros get lost. But it is time to start setting up a social environment where email is about sending a message that you type in yourself to communicate, not just a file sharing system for forwarding zip files.
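Point 2 above, scaled down to something that runs on a constructed log, as an added example that is not part of the thread: each message with an attachment is keyed by the SHA-256 of the attachment (worms send byte-identical carriers), a sliding window counts distinct recipients per key and per sending host, attachment mail is held for the window before delivery, and once a key or host trips its threshold the host is blacklisted and every still-queued copy of that key is recalled. The thresholds, the log layout and the sample log are assumptions; a real site would tune the numbers and key on something more robust than a plain hash if the worm randomised its carrier.

```python
"""Rate-based outbreak detection and recall at the MTA (added example)."""
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # attachment mail waits this long before release ("5 min extra wait")
KEY_THRESHOLD = 10       # same attachment to this many distinct recipients => outbreak
HOST_THRESHOLD = 15      # one host sending attachment mail to this many recipients => infected


class OutbreakDetector:
    def __init__(self, window=WINDOW_SECONDS, key_threshold=KEY_THRESHOLD,
                 host_threshold=HOST_THRESHOLD):
        self.window = window
        self.key_threshold = key_threshold
        self.host_threshold = host_threshold
        self.by_key = defaultdict(deque)     # key  -> deque of (ts, host, rcpt) inside the window
        self.by_host = defaultdict(deque)    # host -> deque of (ts, host, rcpt) inside the window
        self.held = defaultdict(list)        # key  -> [(ts, msg_id)] queued, not yet delivered
        self.blacklisted_hosts = set()
        self.quarantined_keys = set()
        self.recalled = []                   # message ids yanked from the queue

    @staticmethod
    def fingerprint(attachment):
        return hashlib.sha256(attachment).hexdigest()[:16]

    def _expire(self, dq, now):
        while dq and dq[0][0] < now - self.window:
            dq.popleft()

    def observe(self, ts, msg_id, host, rcpt, attachment):
        """Feed one message as it arrives; returns 'reject', 'hold' or 'deliver'."""
        if host in self.blacklisted_hosts:
            return "reject"
        if attachment is None:
            return "deliver"                 # plain text mail is not delayed
        key = self.fingerprint(attachment)
        if key in self.quarantined_keys:
            return "reject"
        for dq in (self.by_key[key], self.by_host[host]):
            dq.append((ts, host, rcpt))
            self._expire(dq, ts)
        self.held[key].append((ts, msg_id))
        if len({r for _, _, r in self.by_key[key]}) >= self.key_threshold:
            self.quarantined_keys.add(key)
            self.recalled.extend(mid for _, mid in self.held.pop(key))   # undelivered copies
            self.blacklisted_hosts.update(h for _, h, _ in self.by_key[key])
            return "reject"
        if len({r for _, _, r in self.by_host[host]}) >= self.host_threshold:
            self.blacklisted_hosts.add(host)
            return "reject"
        return "hold"

    def release(self, now):
        """Message ids whose hold has expired and whose attachment never tripped a threshold."""
        out = []
        for key, entries in list(self.held.items()):
            if key in self.quarantined_keys:
                continue
            out.extend(mid for ts, mid in entries if ts + self.window <= now)
            self.held[key] = [(ts, mid) for ts, mid in entries if ts + self.window > now]
        return out


def sample_log():
    """Constructed log: one infected desktop (10.0.5.23) blasting the same zip to 25 addresses,
    plus a colleague on 10.0.7.4 mailing a genuine report to three people."""
    worm = b"PK\x03\x04worm-carrier-bytes"
    report = b"PK\x03\x04quarterly-report"
    rows = [(0, "m-report-1", "10.0.7.4", "cfo@example.com", report),
            (5, "m-report-2", "10.0.7.4", "ceo@example.com", report)]
    rows += [(10 + i, f"m-worm-{i}", "10.0.5.23", f"user{i}@example.com", worm) for i in range(25)]
    rows.append((60, "m-late", "10.0.5.23", "victim@example.com", worm))      # host already cut off
    rows.append((400, "m-report-3", "10.0.7.4", "board@example.com", report))
    return rows


def run(rows, detector=None):
    det = detector or OutbreakDetector()
    decisions = {msg_id: det.observe(ts, msg_id, host, rcpt, att)
                 for ts, msg_id, host, rcpt, att in rows}
    return det, decisions


if __name__ == "__main__":
    det, decisions = run(sample_log())
    print("blacklisted:", sorted(det.blacklisted_hosts))
    print("recalled:", det.recalled)
    print("released at t=400:", det.release(400))
```

On the constructed log the first nine worm copies sit in the hold queue, the tenth distinct recipient trips the key threshold, all ten queued copies are recalled before delivery and the sending host is blacklisted, so the remaining fifteen (and the late one) are refused at the door; the genuine report is released unchanged once its five minutes are up. The hold window is the price: every attachment is delayed, which is exactly the trade the post proposes.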
  • Re:a modest proposal (Score:2, Interesting)

    by headblur ( 692256 ) * on Thursday March 04, 2004 @06:45PM (#8469612)
    it's the job of the mail server admin to set security (and virusscan) settings appropriate for his users. and it's the job of the everyday user not to be an idiot by opening unexpected attachments. the REAL problem with machine susceptibility to viruses lies with the *user*, not the software.
  • Re:Wild, wild west (Score:2, Interesting)

    by timbit ( 745430 ) <timbit_pk@hotmail.com> on Thursday March 04, 2004 @07:34PM (#8470111)
    Yeah, great idea... except for the fact that when the citizenry had enough and banded together, they didn't pay taxes and hired police. No sir, they got themselves banded together, went and found themselves a length of rope, and put all of them trees they had out there to good use... Now, I'm all for vigilante justice and all, but there are these city slickers runnin around now in them nice fancy black suits, and they don't take kindly to ordinary fellas like us takin the law into our own hands. Course, don't let me discourage you. No sir! I sure won't be the one to send no telegram to them fancy suit boys if ya'll string a few of them virus writers / spammers up. And rest assured, the rest of the folks here at /. are quite reasonable... Most of us, anyways...
  • Re:Warnings... (Score:3, Interesting)

    by Drakonian ( 518722 ) on Thursday March 04, 2004 @07:37PM (#8470145) Homepage
    Is this modded funny because of the Co.uk? What about when the script makes one that makes perfect sense, like the one I received:

    Hello user of Ucalgary.ca e-mail server,

    We warn you about some attacks on your e-mail account. Your computer may
    contain viruses, in order to keep your computer and e-mail account safe,
    please, follow the instructions.

    For more information see the attached file.

    For security reasons attached file is password protected. The password is "60456".

    Best wishes,
    The Ucalgary.ca team http://www.ucalgary.ca
    I think we (Slashdot readers in general) are being a little pompous if we think that this isn't convincing at all. I think it's the most convincing virus I've ever seen. There is only one serious grammar mistake, which is better than most Slashdot posts. The concept of seeing an attached file for details would seem reasonable to many people. Even the password protected thing makes a fair amount of sense.

    This email was made even more confusing when I received numerous other *real* emails from my mail system saying my mail had viruses in it.
