Microsoft Mail Worms Gang War?
cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
well... (Score:5, Funny)
Re:well... (Score:4, Funny)
"I like to propagate in America!
DoS by me in America!
Network is down in America
Download me in America!"
Re:well... (Score:4, Funny)
From your first kiddie script, till you r00t DEA
Re:well... (Score:3, Funny)
I've just got a worm named MyDoom H
And suddenly this game
Will never play the same for me.
MyDoom I
I just saw a worm named MyDoom I
And suddenly I see
A blue screen staring back at me!
MyDoom J!
I don't hear any mp3s playing
All is dark and I better start praying
MyDoom K,
I just got a worm named MyDoom K...
Re:well... (Score:5, Funny)
You gotta understand
It's just our hacker egos
That gets us outta hand.
Our friends are all spammers
Our teachers teach VB
Holy jebus that's why we are 'leet!
How is this an "ask slashdot"? (Score:5, Insightful)
Re:How is this an "ask slashdot"? (Score:5, Funny)
Dunno, but the answer's 42.
Can I ask you a question? (Score:5, Funny)
It's an interrogative statement used to test knowledge, but that's not important right now.
Re:How is this an "ask slashdot"? (Score:3, Interesting)
Re:Insightful? (Score:3, Insightful)
Dinivin
Huh? (Score:4, Insightful)
Or alternately (Score:3, Informative)
Re:Insightful? (Score:4, Funny)
Re:Insightful? (Score:3, Funny)
Fry: I'm good at video games and bad at everything else. That's why I wish life were more like a video game.
Farnsworth: Can you put that in the form of a question?
Fry: Uh, what if that thing I said?
Re:Insightful? (Score:5, Insightful)
I would like to point out... (Score:5, Informative)
SARC [sarc.com]
This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder.
Re:I would like to point out... (Score:5, Insightful)
Re:I would like to point out... (Score:5, Interesting)
Of course it doesn't help that people we've helped in the past by emailing them fixes, solutions, and patches have us in their address books, so in turn we get all their email telling us 'Hi.'
Re:I would like to point out... (Score:5, Insightful)
"Of course it doesn't help that people we've helped in the past by emailing them fixes, solutions, and patches..."
There's nothing like convincing people to open random executable attachments to keep your job safe.
Re:I would like to point out... (Score:4, Funny)
Indian virus writers are writing viruses to increase call volumes so more companies will outsource their answering centers to India...
More likely some punk somewhere gets a charge off the idea that they alone can cause world wide mayhem...
Re:I would like to point out... (Score:5, Funny)
Tcd004
Re:I would like to point out... (Score:3, Insightful)
Won't be over soon, either (Score:5, Funny)
It was bound to happen... (Score:5, Insightful)
Yeah, it's a gang war alright... (Score:5, Insightful)
I mean, seriously, how hard is it to write malicious code if you can get the person to run any program? Heck, here's my virus:
This is NOT hacking... it's taking advantage of stupid people...
Re:Yeah, it's a gang war alright... (Score:5, Interesting)
At my office, we are using a non-standard email client that doesn't allow execution of code in any way and we still got nailed.
Why?
The moron in the next cubicle (a PROGRAMMER no less) did this:
1) viewed the email (after receiving 5 memos specifically saying to just delete it)
2) clicked on the attachment
3) selected save as
4) opened up explorer, went LOOKING for the attachment
5) executed it by double-clicking.
I mean seriously! His defense when confronted?
"Well I wasn't sure...so...hum...well, I wouldn't have done that at home!"
I wanted to beat the crap out of him...
Re:Yeah, it's a gang war alright... (Score:3, Funny)
We had an employee actually gather a crowd around her desk to watch her open it. They were all very disappointed to see that our virus filters had stripped it!
Re:Yeah, it's a gang war alright... (Score:3)
Think about it.
Re:Yeah, it's a gang war alright... (Score:5, Insightful)
The only other thing is to never run an executable attachment, but there are so many ways to obfuscate this (especially using Outlook) that most normal users really can't be expected to tell what's safe from what's not.
One simple thing average users can do is to give people they communicate with some special keyword they should always add to messages they send you with an attachment. It doesn't have to be anything special - even a company name would do. The idea is no mass-mailing worm would know to include it.
Heck you could even use a procmail recipe to only allow attachments with the keyword in the subject - much more accurate than trying to filter out all the "bad" subject lines these viruses use.
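Added example, not code from this post: the keyword gate above done in Python instead of a procmail recipe. Mail with no attachment is delivered, mail with an attachment is delivered only when the Subject carries the agreed keyword, and everything else is held. The keyword "acmecorp" and the sample messages are constructed for the demo.

```python
from email import message_from_bytes

# Keyword agreed with correspondents; assumed value, any private token works.
SHARED_KEYWORD = "acmecorp"

# Constructed messages for the demo. {SUBJECT} and {NAME} are filled in by
# sample_mail(); the base64 attachment body is the word "stub", not a program.
PLAIN_TEMPLATE = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: {SUBJECT}

noon?
"""

ATTACHMENT_TEMPLATE = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: {SUBJECT}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="{NAME}"
Content-Disposition: attachment; filename="{NAME}"
Content-Transfer-Encoding: base64

c3R1Yg==
--b1--
"""


def sample_mail(subject, attachment_name=None):
    """Raw bytes of a constructed message, with or without an attachment."""
    if attachment_name is None:
        return PLAIN_TEMPLATE.replace(b"{SUBJECT}", subject.encode())
    return (ATTACHMENT_TEMPLATE.replace(b"{SUBJECT}", subject.encode())
            .replace(b"{NAME}", attachment_name.encode()))


def has_attachment(msg):
    """True if any non-multipart MIME part is named or marked as an attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        disposition = (part.get("Content-Disposition") or "").lower()
        if part.get_filename() or disposition.startswith("attachment"):
            return True
    return False


def classify(raw, keyword=SHARED_KEYWORD):
    """'deliver' for attachment-free mail, or mail whose Subject carries the
    keyword; 'quarantine' for any other mail with an attachment. A mass-mailer
    that harvested the address never learned the keyword, so it is held no
    matter which subject line it picked."""
    msg = message_from_bytes(raw)
    if not has_attachment(msg):
        return "deliver"
    subject = (msg.get("Subject") or "").lower()
    return "deliver" if keyword.lower() in subject else "quarantine"


if __name__ == "__main__":
    print(classify(sample_mail("hi", "document.pif")))                     # quarantine
    print(classify(sample_mail("acmecorp: March numbers", "report.zip")))  # deliver
    print(classify(sample_mail("lunch?")))                                  # deliver
```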
Re:Yeah, it's a gang war alright... (Score:3, Funny)
I tried that but it didn't work for me.
Do you think I shouldn't have chosen the word "Pwned"?
Poor evil empire (Score:5, Funny)
Actually, the evil empire isn't all that poor; it's got several billion dollars in cash. And the poor wannabe empire isn't poor either; apparently it got a $86 million cash injection [slashdot.org], thanks to the evil empire.
Re:Poor evil empire (Score:3, Funny)
Warnings... (Score:5, Informative)
Re:Warnings... (Score:5, Funny)
Re:Warnings... (Score:5, Insightful)
It will be the fastest spreading worm in history...
The human race never ceases to amaze and disappoint me.
Re:Warnings... (Score:4, Interesting)
I did something like this. There was a proggie in the Win2K resource kit that slowly and gracefully shuts down all your programs, and reboots. I renamed it to do_not_run_this.exe. I sent it to the company mailing list, with a subject of VIRUS ATTACHED - DO NOT RUN. I put all over the email warnings about not running. A few minutes later, I got hassled by people: "Blah, I was working on something" "Blah, I was in the middle of a download". Unbelievable. You can see pics of the IT team that I was in here [umtstrial.co.uk], just out of interest.
Re:Warnings... (Score:5, Informative)
Re:Warnings... (Score:3, Interesting)
Re:Warnings... (Score:5, Insightful)
It came directly to my mail server; it hadn't been relayed. That makes sense: anybody may contact my mail server to send mail, as long as it's to me.
But this makes a lousy worm, since most people don't own their own domains. This will 0wn only a fairly limited set of computers, compared to the bazillions of zombies you can get by fooling people who use a major ISP but don't own their own domains.
This one doesn't even really require worm-ness. It goes out only to registered mail servers, which is small enough to connect to individually by one or two dedicated computers with broadband connections.
I wasn't in the mood to trace down who was responsible for it, but I hope somebody does.
Re:Warnings... (Score:4, Informative)
I'm now blocking all encrypted zip attachments via my trusty MailScanner [mailscanner.info]
(there's a beta version which adds this, I couldn't trust the filename rules, and wouldn't block all zip attachments)
Re:Warnings... (Score:3, Funny)
Ah, the power of /. spelling! (Score:5, Interesting)
Most of the comments tucked inside the latest bugs are brief, unprintable and poorly spelled. "Bagle -- you are a looser!!!" opined the author of the sixth version of Netsky.
Hmmm, where have I seen that misspelling before? Let me think
latest breed (Score:5, Informative)
The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)
Re:latest breed (Score:5, Funny)
Re:latest breed (Score:3, Informative)
Bar: Seems a bit odd to me that a worm can propagate when you have to enter a key to run it, for god's sake that's like getting a grenade in the mail with a note saying 'Pull this pin and hold'.
What's odd is the grandparent's suggestion that the "virus companies" (I'm not touching that one!) should find a solution.
Solution
Re:latest breed (Score:4, Insightful)
Re:latest breed (Score:4, Funny)
What's pitiful is how the AV service automatically updates its virus definitions daily. But at the rate these variants are coming out I am manually updating in the middle of the workday as well. I almost get misty-eyed back when Microsoft-based threats were just relatively minor nuisances like Word macro viruses!
Re:latest breed (Score:3, Interesting)
I've set the system to update every 60 minutes.
Also Sybari is recommending setting Antigen filters to dump zip files that are less than 40k
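Added example, not code from either post, that covers this suggestion and the MailScanner comment above about blocking encrypted zips: it pulls zip attachments out of a message and reports archives under the 40k cut-off, members carrying the ZIP encryption flag (a password-protected archive), and members with executable names. Sample messages are constructed; since Python's zipfile cannot write encrypted archives, the sample sets the encryption flag bit by hand.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

ZIP_ENCRYPTED_FLAG = 0x0001          # bit 0 of the ZIP general-purpose flag
SMALL_ZIP_THRESHOLD = 40 * 1024      # the "less than 40k" cut-off from the post
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_findings(blob):
    """Return the reasons a zip attachment looks like a worm carrier ([] if none)."""
    reasons = []
    if len(blob) < SMALL_ZIP_THRESHOLD:
        reasons.append("zip smaller than 40 KB")
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return reasons + ["not a valid zip archive"]
    for info in archive.infolist():
        # flag_bits is read from the central directory; bit 0 means the member
        # is encrypted, so no scanner can look inside without the password.
        if info.flag_bits & ZIP_ENCRYPTED_FLAG:
            reasons.append(f"encrypted member: {info.filename}")
        if info.filename.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable member: {info.filename}")
    return reasons


def scan_message(raw):
    """Map each zip attachment name in a raw message to its findings."""
    findings = {}
    for part in message_from_bytes(raw).walk():
        name = part.get_filename() or ""
        if part.get_content_maintype() == "multipart":
            continue
        if name.lower().endswith(".zip") or part.get_content_type() in (
                "application/zip", "application/x-zip-compressed"):
            reasons = zip_findings(part.get_payload(decode=True) or b"")
            if reasons:
                findings[name] = reasons
    return findings


# --- constructed samples ---------------------------------------------------

def make_zip(member, content, mark_encrypted=False):
    """Build an uncompressed zip; optionally set the encryption flag by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr(member, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[6] |= ZIP_ENCRYPTED_FLAG            # local file header flag
        cd = data.rfind(b"PK\x01\x02")           # central directory entry
        data[cd + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def build_message(subject, zip_name, zip_blob):
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"   # constructed, support-looking sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("For more information see the attached file.")
    msg.add_attachment(zip_blob, maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_like = build_message("Warning about your e-mail account.", "Information.zip",
                              make_zip("Information.pif", b"MZ" * 100, mark_encrypted=True))
    legit = build_message("Q1 report", "report.zip",
                          make_zip("report.txt", b"x" * 60000))
    print(scan_message(worm_like))   # three findings for Information.zip
    print(scan_message(legit))       # {}
```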
Re:latest breed (Score:3, Interesting)
Have they? Last I checked, ClamAV had just given up on the password-protected zips. Or are you referring to blocking all password-protected zips, not just infected ones?
Wild, wild west (Score:5, Insightful)
Re:Wild, wild west (Score:3, Insightful)
You must be too new to remember [slashdot.org] the Pinkerton [slashdot.org] post-Columbine "Turn in your depressed friends [waveamerica.com] before they hurt someone" initiative.
They're still dirty.
Re:Wild, wild west (Score:4, Insightful)
Off the top of my head... having a lower population density would have something to do with it too... no significant drug problems other than alcohol (and probably few 'traffic' fatalities resulting from that)
Unemployment levels are actually a good predictor of crime rates too.
And in small agrarian communities everyone knows your name. If you jack somebody in a small town everyone is going to have a good guess who did it, including the guy's family.
Any number of things other than everyone is toting a six-shooter to consider...
Of course these viruses are for posturing (Score:4, Insightful)
If someone were to write a truly destructive virus (you open it, it sends itself to everyone in your inbox, then promptly writes random data over your hard drive) then we'd really see people start to take viruses seriously.
Even the most "destructive" viruses in recent history have wimped out in some way -- just consider Michelangelo, which was hard-coded to become destructive at a much later date, long after it would be discovered and patches written.
Re:Of course these viruses are for posturing (Score:5, Interesting)
People are beginning to write viruses for money. Witness the latest ICQ worm that monitors and relays all HTTPS and i-banking data back to HQ. It was modular and appeared to be written by a team of programmers.
Klez and Bagle also both seem like for-profit endeavors. Klez seemed to be a team perfecting their methods in such a way that they were sure the world's security wouldn't clamp down in response: They had a sunset written into the program. I guarantee you there are hundreds of thousands of people with Klez on their computer out there that never got cleaned up. For a long while, after every sunset they released a slightly improved product.
Once they got it right, they stopped. Maybe they're working on new methods, another virus, or they're looking for some spammer to pay them for 100,000 free mail relays before they release again.
But it's not just for posturing. It's organized crime. They're going to get paid.
Virus gangs (Score:5, Funny)
Seems like virus writers also got outsourced to India!!
Maybe...maybe not (Score:5, Insightful)
With that in mind, those programmer comments being reported now, although they do seem to show a gang war, may just be more misdirection and once again the media fell for it. If it really is the spammers behind it all, and criminal elements doing it (yeah, I know, "spammers" and "criminal elements" are redundant), this gang war idea may just be more cover.
Meanwhile there are millions of zombie Windows boxes around the world with clueless owners not realizing they are 0wn3d. That's the real story the media should be following up on.
little damage (Score:3, Interesting)
Maybe little damage to the computer itself, but they definitely cost a company in terms of IT support calls and lost productivity. Even though this cost is not easy to measure, it is certainly not a small amount.
Is anyone else seeing this and thinking (Score:5, Insightful)
I wonder how long it will be and how much further adoption of Windows server operating systems we'll have to see before internet traffic starts to look like that.
So move to a better neighborhood (Score:5, Insightful)
Too many patches (Score:3, Flamebait)
Can anyone make products out-of-the-box any more? Viruses need daily patch updates. The OS need daily patch updates. This is ridiculous.
Viruses? (Score:5, Insightful)
Imagine if e-mail was just plain old ASCII text with no attachment support. *sigh*
Re:Viruses? (Score:5, Funny)
YOU HAVE NOW RECEIVED THE UNIX VIRUS
This virus works on the honor system:
If you're running a variant of unix or linux, please forward this message to everyone you know and delete a bunch of your files at random.
Virus Activity (Score:5, Interesting)
These are not your stealth haxorz, these are the works of script kiddies. But of course everyone here already knew that.
Server-side filters? (Score:5, Interesting)
Note that I don't want to just block all messages containing attachments with certain extensions. There are many legitimate reasons for someone to send me a zip file as an attachment.
Re:Server-side filters? (Score:3, Informative)
and/or
AMaViS [amavis.org]
What's more likely... (Score:5, Interesting)
That's where I think this is all ultimately headed. The spammers are in bed with the virus writers, who have taken the penis enlargement pills as commission. :P
Instead of a pissing contest (Score:5, Insightful)
Aren't many people having trouble finding IT jobs? (Score:3, Insightful)
What good are the top 10 lists? (Score:5, Insightful)
"Microsoft" mail worms? (Score:5, Insightful)
Do they exploit any vulnerability that Microsoft is responsible for creating? No. (They spread by tricking users into running the attached executables.)
I know it's fun to pretend that everything bad is Microsoft's fault (and I'm no fan of Microsoft myself), but come on... how does it make any sense to prefix something with "Microsoft" when Microsoft had absolutely nothing to do with it? What's next? "Microsoft OpenSSL vulnerability discovered"? "Microsoft recording industry sues 12-year-old kid"? "Microsoft PATRIOT act renewed"? "Hacker charged with violating the Microsoft DMCA"?
Re:"Microsoft" mail worms? (Score:5, Insightful)
Microsoft might be one name that comes to mind, if not the largest, most widespread software developer in the known universe.
Re:"Microsoft" mail worms? (Score:3, Interesting)
Being able to open a document attached to an e-ma
People Love Drama (Score:4, Insightful)
Here are some more down to earth email worms [dakotablueworms.com].
suing Microsoft (Score:3, Interesting)
It's surprising no consortium (like an ISP group) has come together and filed a lawsuit against MS for having to mop up their work. It's definitely costing to pass the traffic, having to explain 12! times a day to customers that we didn't send them a moronically written "Your account is suspend for virus activity" (yes I know it's a typo). MS should definitely be dishing out some money for this. After the first 100 or so viruses from the years 2000-2002 you would figure they would get their act together, but it's the same old story. And for the users (non geek users) of MS, the grandmothers, housewives, and non techies, you would figure they would wise up to the same shit different day. Instead they still open attachments, and rather altogether, still use the same chopperating system they often have to reinstall after having been infected 12! times per year.
Seriously mind boggling. As for the virus creators, they too need to be punished for their actions, and severely at that. I'm skeptical about the entire 'cybercrime' terrorist approach the DOJ and others have taken on this, but this is definitely something that's getting out of hand. And if you too also work in an ISP, you would know the kinds of headaches one deals with on these virus issues. Hopefully our 3rd party antispam/virus filter mail provider gets their act together. Think about the costs for a mid sized ISP on something like technical support alone. 1000 calls a day to explain why someone should not open those emails multiplied by the salaries. Wasted money.
Re:suing Microsoft (Score:5, Insightful)
Little damage? (Score:4, Interesting)
Re:Little damage? (Score:3, Funny)
No more attachments. (Score:5, Interesting)
Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.
Microsoft needs to turn off the "feature" that clicking on a mail attachment runs it. It should just be "viewed", with a dumb viewer. It should be impossible to launch programs from mail attachments. Users should have to explicitly save to a file and run to do that.
Re:No more attachments. (Score:3, Insightful)
Re:No more attachments. (Score:3, Interesting)
That's just the risk of attachments. The only way to be quite safe is not to open _or_ view any attachment that is sent to you.
Re:No more attachments. (Score:3, Insightful)
Then the virus will just send out an email saying "download this for free porn" and link to it. It's been done already.
As for limiting file types, good luck. Your plan would not allow web pages, for instance, and you'd kill every online game in existence.
Re:No more attachments. (Score:3, Insightful)
Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.
From the PDF 1.5 Reference Manual [adobe.com]
8.5 Actions
Instead of simply jumping to a destination in the document, an annotation or outline item can specify an action (PDF 1.1) for the viewer application to perform, such as launching an application, playing a sound, or changing an annotation's appearance state... In addition, the optional OpenAction entry in a document's catalog (Section 3.6.1, "Document Catalog") may specify an action t
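Added example, not code from the comment or from Adobe: a small scanner that reads a PDF's document catalog, follows the OpenAction entry (inline dictionary or indirect reference) and reports the action's /S type, so a Launch action is spotted before the file reaches a viewer. The PDFs are constructed, "placeholder.exe" is a placeholder, the action-type set extends the two the manual excerpt names with other standard PDF action types, and the parser only handles plain uncompressed object syntax.

```python
import re

# Action types from the PDF Reference that make a viewer do more than show a
# page. Launch and Sound are named in the manual excerpt above; the others are
# further standard action types added here for completeness.
ACTIVE_ACTION_TYPES = {"Launch", "Sound", "JavaScript", "URI", "SubmitForm",
                       "ImportData"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
REF_RE = re.compile(rb"^\s*(\d+)\s+\d+\s+R\s*$")


def objects(pdf):
    """Map object number -> body for a plain, uncompressed PDF (no object streams)."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def dict_value(body, key):
    """Raw value following /key in a dictionary: an inline << >> dictionary
    (nesting handled), an indirect reference 'n g R', or a single token."""
    m = re.search(rb"/" + key + rb"\b\s*", body)
    if not m:
        return None
    rest = body[m.end():]
    if rest.startswith(b"<<"):
        depth, i = 0, 0
        while i < len(rest) - 1:
            pair = rest[i:i + 2]
            if pair in (b"<<", b">>"):
                depth += 1 if pair == b"<<" else -1
                i += 2
                if depth == 0:
                    return rest[:i]
            else:
                i += 1
        return None
    ref = re.match(rb"\d+\s+\d+\s+R", rest)
    if ref:
        return ref.group(0)
    tok = re.match(rb"/?[^\s/<>\[\]()]+", rest)
    return tok.group(0) if tok else None


def open_action_type(pdf):
    """Return the /S type of the catalog's OpenAction, or None when the
    document has no OpenAction or it is a plain page destination."""
    objs = objects(pdf)
    catalog = next((b for b in objs.values()
                    if re.search(rb"/Type\s*/Catalog\b", b)), None)
    if catalog is None:
        return None
    action = dict_value(catalog, b"OpenAction")
    if action is None:
        return None
    ref = REF_RE.match(action)
    if ref:                                   # follow the indirect reference
        action = objs.get(int(ref.group(1)), b"")
    s = dict_value(action, b"S")
    return s.lstrip(b"/").decode() if s else None


def is_active_pdf(pdf):
    return open_action_type(pdf) in ACTIVE_ACTION_TYPES


# Constructed minimal PDFs. "placeholder.exe" is a placeholder name, not a real
# target; the second variant uses an inline action dictionary, the third none.
LAUNCH_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /F (placeholder.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
INLINE_PDF = LAUNCH_PDF.replace(b"/OpenAction 4 0 R",
                                b"/OpenAction << /S /Launch /F (placeholder.exe) >>")
PLAIN_PDF = LAUNCH_PDF.replace(b" /OpenAction 4 0 R", b"")
```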
Evil empire? (Score:3, Funny)
preying on the ignorant (Score:3, Interesting)
The Exchange server is configured to catch most of this crap, delete the attachments, etc. - but if ANY of it gets through to a user, the attachment WILL get opened.
The hell of it is, our security advisor sends out DAILY network alerts, telling people EXPLICITLY what to look for, what NOT to do under any circumstances, right down to the various subject lines and attachment names that these worms will manifest with. She couldn't be any clearer in her instructions if she walked into their individual offices and handed them a stone tablet, engraved by the hand of God himself and saying "Thou shalt not clicketh upon this thing."
The typical excuses we hear are something along the lines of "b-but . . . it came from a guy I know? he wouldn't send me a virus?"
sigh.
It's real simple people... (Score:3, Informative)
Either route to a holding folder or just drop, as we do. The number of legitimate
Other than users who still forward us the defanged emails even after being repeatedly told not to do so, we have had no impact to the firm whatsoever.
Pretty good social engineering this time (Score:5, Informative)
From: support@xxx.edu
To: me@cc.xxx.edu
Subject: Warning about your e-mail account.
Parts/Attachments:
1 Shown 10 lines Text
2 12 KB Application
Dear user of "xxx.edu" mailing system,
We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.
For more information see the attached file.
Cheers,
The xxx.edu team http://www.xxx.edu
[ Part 2, Application/OCTET-STREAM (Name: "Information.pif") 16KB. ]
[ Cannot display this part. Press "V" then "S" to save in a file. ]
------
Pretty *good* social engineering, if you ask me. The other earlier worms did not send customized messages according to the domain. I had to stop a couple of family/friends from giving in and opening the attachment.
Re:Pretty good social engineering this time (Score:3, Insightful)
Good bit of social engineering (Score:5, Insightful)
[paraphrased email text below]
"Hi, I'm the admin from [YourEmailServer]. We've been getting complaints about your account, and we think you have a virus. Please open the attachment, and run the file. Password is 12345
Cheers, [YourEmailServer]"
Haven't we been asking the ISP's to get on top of the virus problem? Well...here comes an email, supposedly doing just that!
"We think you have a problem, and here's how to fix it"
This exact same thing could have been targeted to the OSX environment, or a *nix script.
"Hi, due to the traffic we've noticed, we think your Mac/Linux box has been compromised. Please run this script to identify and fix the problem."
Now...most *nix users are a bit more clueful and suspicious. But, more than a few would be caught out.
(and if you, the writer(s) of these things are out there reading this...this is NOT a compliment. You are not cute, nor are you inventive. You are merely a fool. And one that will be caught. Hopefully for you, by the authorities. They will be much easier on you than we will be...we won't be using vaseline)
...little damage... (Score:5, Informative)
Yeah most are not too damaging, but here's my story.
Symantec's corporate antivirus software only allows for once daily automatic downloading of new virus signatures.
- Last week our AV server downloaded updates at 8am as usual.
- At 11am Symantec released new signature for MyDoom.F.
- At 1pm stupid_corporate_user_04 opens and unleashes MyDoom.F on the network. MyDoom.F blows away all MS Office and image files on stupid_corporate_user_04's machine, then begins the same task on all network shares this person had access to.
- At 8pm automatic backups kick off
- At 11pm backups complete, having successfully backed up ruined shares.
- At 8am the next morning, AV server picks up signature for MyDoom.F. At same time, users begin to notice their files are gone. Alarms go off everywhere.
- At 11pm that second day, all corrupted/trashed files have been removed, all viruses eradicated, all data restored from 2 day old backups.
Summary: 1.5 to 2 days of work time lost by 60 employees, plus 12 hours @ $110/hr for a support consultant to help clean up the mess.
Needless to say, I wouldn't categorize the virii as doing little damage, whether they actually delete local files or not. Even had we not lost files, we still would have had a big cleanup job, and it still would have impacted our users.
Here's a big Fuck You to the person who wrote that variant, and to all the other virus writers out there.
A simple solution (Score:4, Interesting)
"A new company policy is hereby enacted: It is forbidden for any user on the corporate network to execute any binary email attachment of any kind, including any attachment from anyone within the network. We will occasionally enforce this measure by sending dummy attachments to all corporate users which will report your workstation to network operations should you click on the attachment. Doing so will be grounds for immediate dismissal. We reserve the right to be sneaky, so your best policy for keeping your job secure is to simply never click on an attachment. Thanks, and have a nice week."
Microsoft... (Score:3)
Who do you want to DOS today?
When will Microsoft be held responsible for aiding terrorists?
It's not Linux that is the tool of terrorists, it's Windows.
I wonder... (Score:3)
Why has nobody ever come up with a default mail server configuration that prohibits any executable content? And not only
So far nobody. You have to patch qmail and add qmail-scanner if you want to do this. Is there a checkbox in microsoft exchange? An option in sendmail.cf?
Fuck.
Re:Turf? (Score:5, Informative)
Re:"some poor evil empire..." (Score:3, Funny)
Yeah, but they've been secretly building their own Deathstar, which is hidden behind the Moon, for years now. I'm not so worried about the Evil Empire using it as when it gets 0wn3d.
Re:There is only one solution to the virus problem (Score:3, Insightful)
Personally, I send myself zip files with executables in them all the time, on purpose, for work-related stuff. Why should I not be able to do that?
Re:Is the problem really hard to fix? (Score:3, Insightful)
Users click "OK/Yes" on messages just like they click "I Agree" on license agreements. Either that, or the from address is spoofed and they think it's safe to open it.
Re:Is the problem really hard to fix? (Score:3, Interesting)
Here's a better solution: 99% of the population knows you have to change your oil, because they are (somewhat) educated in that regard. Why not just educate people?? There's nothing GM can do to make you change your oil c'ept show you what happens if you don't!
Your solution sounds like the default Outlook XP fix: Block any executable attachments. What kind of garbage solution is that? It's called a "Let's break it so they can't use it" f
Re:Is the problem really hard to fix? (Score:4, Informative)
Re:Is the problem really hard to fix? (Score:3, Insightful)
Considering the number of people I've encountered who don't even know what a "program" is (all they know are that there are a set of different boxes on their screen, each of which does something different), how can you expect them to understand what executable code is, or how it gets run, or why it shouldn't be run?
You've seen polarized power plugs, right? The ones with one blade slightly wider than the other. This is to
Re:MS Address Book lock down? (Score:4, Informative)
But since these worms also search a wide range of other filetypes (.txt, .doc, .html, etc. etc.) for valid email addresses to send to, it makes little difference.