Yet Another Windows Worm 726
kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computers' modems. Some of the worm's functions are designed to specially target financial institutions.' Yummy!"
Already run into this... (Score:5, Interesting)
Re:Already run into this... (Score:3, Informative)
You don't have to double-click it. It opens automatically when you preview.
Re:Already run into this... (Score:5, Informative)
http://www.microsoft.com/technet/security/bulle
Re:Already run into this... (Score:5, Interesting)
Over the last 2 years they have allowed windows update to drip the updates to them.
Last week Joe's hard drive crashed and he reinstalled.
I can't see him sitting there for the next 8 hours downloading patches - sure, he will run Windows Update if we are lucky, but he's likely to be too busy getting his other, more important (to him) stuff set up to be worrying about critical updates.
Waiting for a mail about college?
Waiting for his girlfriend to get back to him?
Whatever it is, his thoughts at best would be "I'll just quickly check my mails..........."
I don't think it's entirely stupidity, it's human nature.
Re:Already run into this... (Score:5, Funny)
This is why Linux users are less susceptible to worms...
Re:Already run into this... (Score:5, Funny)
Re:Already run into this... (Score:3, Funny)
We close the preview pane option on all of our computer repair customers' mail applications to keep the viruses from coming in this way.
Then, we explain this beautiful "preview" feature works with viruses like poking holes in your son's condoms. None of them are too keen on viruses in their computers or in becoming grandparents.
Re:Already run into this... (Score:5, Informative)
Pretty simple really; for Windows 2000:
For other versions of Windows, click on the link (it has instructions for 95, 98, NT and 2K; I'd imagine XP is similar to 2K but it was written in 2001 prior to XP's existence). I'm trying to find instructions for modifying the security in Outlook 2000 as well, so it doesn't do anything automatically without a) my approval at the very least, or b) me asking it to run an attachment.
If anyone has pointers/links to articles on Outlook security, please post. Thanks!
Good sources instead of product placement (Score:5, Informative)
In this case, other sites that covered this week's pair of Microsoft worms first -- and they'll cover next week's first, and so on. ZDNet, eWeek, Infoworld, Reuters, the Register and others covered it first. ZDNet has the bad habit however of sliding stories that reflect badly on MS quickly off the top pages and into obscurity.
Worms like sobig [zdnet.co.uk] and bugbear [zdnet.co.uk] only affect products with design flaws. Brian Valentine, senior vice president in charge of Microsoft's Windows development, said it best:
In short, there's nothing you can do to improve your security except upgrade to a different client: Mozilla [mozilla.org] or Opera [opera.com] instead of MSIE, Eudora [eudora.com] or others instead of OutLook, OpenOffice.org [openoffice.org] or WordPerfect instead of MS-Office. Usually by upgrading you get better functionality and ease of use, in addition to stability.
Re:Already run into this... (Score:5, Funny)
That's OK. Just go into the registry and delete this branch:
My Computer\HKEY_CLASSES_ROOT\.exe
Reboot, and I guarantee that computer won't have a problem with rogue
LookOut, end users, and mad cash. (Score:3, Insightful)
now if they'd only bought the firewall solution from us that stripped email attachments based on mime type and/or file extension
I have had it up to here (pointing to head) with all this BS with email worms/virii and the media. They are not email worms, they are Outlook worms. I could sell someone an attachment stripping solution but that is irritating. For every bug it strips out it will strip out a legitimate file as well.
I just don't know what to do with people...
Changing e-mail clients won't do anything. (Score:3, Insightful)
Re:Changing e-mail clients won't do anything. (Score:5, Informative)
Even cookies are off by default in the mail client. And you can turn off images.
So yeah I suppose people could "try" and target mozilla but I honestly don't think there is a whole lot of damage they could be allowed to do. The stuff that could potentially cause harm is off by default, and the people smart enough to turn it on are smart enough not to execute worms and viruses!
Re:LookOut, end users, and mad cash. (Score:5, Insightful)
Of course, I know the majority of people will never want to do this. Which means I can maintain my air of smug superiority indefinitely. Ha!
Attachments (Score:5, Informative)
That's bullshit. You'll notice these things don't just use any old extension, they use executable extensions. If you set up your mailserver to strip .pif, .scr, .vbs etc you'll be in a much better world.
When was the last time you got a legitimate email with a .pif attachment? Never, that's when. I set this up on all of my clients' networks and have yet to grab a single legit email.
Re:Attachments (Score:5, Insightful)
I've been running a filter on email for about 5 years. Not ONCE has any of the email transmitted viruses / worms made it through, even to unpatched outlook and OE users.
See John Hardin's procmail filter [impsec.org] for a very good example of how to do this.
If you are running a corporate mail server and are not filtering for known executable extensions, you are a fucking idiot. Period. There is just no excuse to EVER allow unfiltered mail through. Would you put your corporate LAN on the internet with no firewall at all? Of course not, but by not filtering email, you have a hole the size of Yankee Stadium in your protection. It's like wearing a condom with the end cut off.
The problem with anti-virus software is that it relies on the vendor to create and distribute filter definitions. It can take DAYS or WEEKS for vendors to identify a new virus, and create a definition, and for people to download the new rule set. This lag time is deadly. Antivirus software is a LAYER of security on email, but to rely on it alone is not enough.
Security is a process, and a mindset. Everyone who knows anything at all about software knows that every program has bugs. All you can do is minimize exposure, and you do that with many layers of security. These layers don't have to be intrusive, but you need them to reduce your vulnerabilities.
Hey, if you want to bury your head in the sand and refuse to participate in security, that's fine with me. I charge by the hour.
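The filter the posters above describe, as an added example written for this page (it is not John Hardin's procmail filter or any code from the thread): a Go program that parses a raw message, recovers the filename of every attachment (including the Content-Type name= parameter that older clients honoured when no Content-Disposition was present), rejects the executable extensions named above, and additionally flags an attachment whose declared MIME type disagrees with what its filename implies, the kind of header/extension mismatch the later comments on MS01-020 mention. The extension list, the sample message and the addresses in it are constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"path"
	"strings"
)

// Extensions Windows executes directly. Constructed for this example: the
// thread's posters strip .pif, .scr and .vbs; this list adds a few more.
var blockedExt = map[string]bool{
	".exe": true, ".pif": true, ".scr": true, ".vbs": true,
	".bat": true, ".com": true, ".cmd": true, ".js": true,
}

// Finding records one attachment the filter would reject and why.
type Finding struct {
	Filename    string
	ContentType string
	Reason      string
}

// topLevel returns "audio" for "audio/x-wav" and "text" for "text/plain; charset=utf-8".
func topLevel(mediaType string) string {
	if i := strings.Index(mediaType, "/"); i >= 0 {
		return mediaType[:i]
	}
	return mediaType
}

// scanMessage parses one raw RFC 822 message and returns a Finding for each
// attachment that carries a blocked extension, or that declares a MIME type
// whose top-level type disagrees with the type implied by its filename.
func scanMessage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return nil, nil // single-part message: nothing to strip
	}
	var findings []Finding
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return findings, err
		}
		declared, ctParams, _ := mime.ParseMediaType(part.Header.Get("Content-Type"))
		name := part.FileName() // Content-Disposition filename=
		if name == "" {
			name = ctParams["name"] // older clients used Content-Type name= instead
		}
		if name == "" {
			continue // body text, not an attachment
		}
		ext := strings.ToLower(path.Ext(name))
		expected := mime.TypeByExtension(ext) // "" when the extension is unknown
		switch {
		case blockedExt[ext]:
			findings = append(findings, Finding{Filename: name, ContentType: declared, Reason: "executable extension " + ext})
		case declared != "" && expected != "" && topLevel(declared) != topLevel(expected):
			findings = append(findings, Finding{Filename: name, ContentType: declared, Reason: "declared type does not match extension " + ext})
		}
	}
	return findings, nil
}

// sampleMessage is constructed: a clean PDF, a .pif named only through the
// Content-Type name= parameter, and a "photo.jpg" declared as audio.
const sampleMessage = "From: alice@example.com\r\n" +
	"To: bob@example.com\r\n" +
	"Subject: Re: your report\r\n" +
	"MIME-Version: 1.0\r\n" +
	"Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n" +
	"\r\n" +
	"--XYZ\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n" +
	"--XYZ\r\nContent-Type: application/pdf; name=\"quarterly.pdf\"\r\n" +
	"Content-Disposition: attachment; filename=\"quarterly.pdf\"\r\n\r\n%PDF-1.4 (constructed placeholder body)\r\n" +
	"--XYZ\r\nContent-Type: audio/x-wav; name=\"setup.pif\"\r\n\r\nMZ (constructed placeholder body)\r\n" +
	"--XYZ\r\nContent-Type: audio/x-wav\r\n" +
	"Content-Disposition: attachment; filename=\"photo.jpg\"\r\n\r\nRIFF (constructed placeholder body)\r\n" +
	"--XYZ--\r\n"

func main() {
	findings, err := scanMessage(sampleMessage)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("quarantine %q (%s): %s\n", f.Filename, f.ContentType, f.Reason)
	}
}
```

Anything it returns a finding for is quarantined instead of delivered. The mismatch rule leans on Go's built-in extension table, so add the types your users actually exchange before relying on it for anything but the executable list.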
Blah, blah... (Score:3, Informative)
The virus comes in as a
AV dat files have been updated already. No excuse.
We've been filtering this all day.... It's not that hard to protect yourself.
Re:Blah, blah... (Score:5, Informative)
My question, Is Eudora safe?
The Outlook exploit... (Score:5, Informative)
One more example of why HTML doesn't belong in email, aside from web bugs and other BS.
How to permanently disable HTML mail in Outlook XP (Score:5, Informative)
HKCU/Software/Microsoft/Office/10.0/Outlook/Opt
REG_DWORD: ReadAsPlain = 0x01
Outlook will convert all HTML to plain text before rendering it, and turn all embedded images, etc into attachments.
Thought I'd share that little tidbit.
Even simpler in Mozilla (Score:4, Informative)
Re:How to permanently disable HTML mail in Outlook (Score:5, Funny)
HKCU/Software/Microsoft/Office/10.0/Outlook/Opt
REG_DWORD: ReadAsPlain = 0x01
Outlook will convert all HTML to plain text before rendering it, and turn all embedded images, etc into attachments.
And people claim that Linux (UNIX, whatever) is hard to handle.
Re:Blah, blah... (Score:5, Informative)
Uh... Patch for what? I was unaware I could apply a "patch" that would prevent me from getting viruses. It exploits a user vulnerability (stupidity), not an OS one. And McAfee seems to disagree with you about when this was discovered. See here [nai.com]
Re:Blah, blah... (Score:3, Informative)
Re:Blah, blah... (Score:5, Informative)
Re:Blah, blah... (Score:5, Funny)
Actually, there are a lot of patches for this problem... Mozilla, Evolution, Safari...
--Richard
Re:Blah, blah... (Score:5, Informative)
Patch, for the exploit in IE.
According to Symantec and McAfee, Bugbear.B uses an IE exploit that was fixed over 2 years ago: "Outgoing messages look to make use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) [microsoft.com]".
Re:Reread that again. (Score:3, Informative)
Re:Blah, blah... (Score:4, Funny)
Re:Blah, blah... (Score:3, Funny)
Re:Blah, blah... (Score:3, Interesting)
Frustratingly typical day in the life of Microsoft (Score:5, Insightful)
There are some people that will point to a Linux worm or virus here or there, but I run both Windows and Linux servers and there is simply no comparison with the amount of worms Windows based machines receive. Some people say it's because Windows is much more prevalent than Linux, but there are a lot of servers running Linux now.
The amount of work required to keep up with just doing updates has finally gotten to me. Last night I noticed my Windows server was sending packets like mad; suspicious, I did a netstat -an, and it was making connections to hundreds of other machines. Tired of this dance, I decided to just shut the Windows server down. Maybe one day I'll patch it...then again, maybe I'll just leave it shut down for good.
Interestingly, my GNU/Debian Linux box is happily sitting right next to it serving up pages. I haven't had to reboot it in ages, I imagine it will be running until a nifty new kernel comes out that I just have to have.
See ya Microsoft.
Re:Frustratingly typical day in the life of Micros (Score:5, Insightful)
Re:Frustratingly typical day in the life of Micros (Score:4, Insightful)
Re:Frustratingly typical day in the life of Micros (Score:5, Insightful)
On Unix/Linux Desktop systems there is nothing on the system as important as the user's data in his home directory.
So the whole notion that trojans/worms etc. can't hurt the systems that 'mere users' will be using as there is more and more of a push to Linux desktop systems is just plain nonsense. If it wipes out an employee's whole writeable diskspace, it's done all the damage it could possibly do. Nobody cares that everything that rolled off the Install CD is still there and might even be pristine.
Re:Frustratingly typical day in the life of Micros (Score:5, Insightful)
I don't know about you, but I administer systems with hundreds or thousands of users. It's *their* data I wish to protect, not that of the irresponsible schmoe who ran untrusted binary code.
<OBSIMOM>
But if they ask me nicely, maybe I'll keep that backup tape away from the degausser.
</OBSIMON>
Re:Frustratingly typical day in the life of Micros (Score:3, Interesting)
You'd have the same problem with Linux. First you have brilliant distros like Lindows that run as root by default. Then you'll have tons of people who log in as root all the time for dumb reasons like "I get sick of
Re:Frustratingly typical day in the life of Micros (Score:5, Insightful)
Which is exactly why so many worms target Apache rather than IIS.
Batting down strawmen for 12 years and counting ...
Re:Frustratingly typical day in the life of Micros (Score:5, Insightful)
Because there's nothing quite like a 100,000 machine-strong DDoS network of Redhat machines on cable modems. I hope you meant that if machines are not repelling attacks, then that would prompt bug fixes. However, as you see in the Windows world, most attacks are targeted at already-fixed issues. The machines that get infected are the ones that didn't stay up to date (or in lots of cases a few years ago, were running software they shouldn't be running, like personal Redhat machines running BIND because it was installed and started by default in an "install everything" scenario, the installation option used by most newbies because they're afraid of missing something during the initial install and not knowing how to install it later).
No, successful virus/worm/hax0r infections are never desired. Better for the issues to be found by competent and moral ("moral" being that they don't use the exploit maliciously) people before a major virus or worm is written. There are excellent patch distribution channels for both Windows and Linux these days. People really should use them. And for production servers that don't use them because they need to do validation before deploying the fix, they need to get off their asses and do the validation. There's no excuse for a 2 year old bug causing issues now. That's 1 year, 11 months, and 3 weeks of laziness (assuming it takes about a week to do a validation and deploy the fix and any resulting changes).
Re:Frustratingly typical day in the life of Micros (Score:5, Informative)
You obviously don't administer servers with Enterprise Level Code. If you did, you'd know that with Microsoft you can't simply use automatic updates. Microsoft Service Packs break systems all the time. If you run ASP.NET and Sql Server code, you get bitch slapped every time they release a service pack or "security fix". They consistently change functionality, without warning. Then they just post on their website (three months later) that the service pack changed the way some undocumented feature worked, but you weren't supposed to use it that way anyway, so tough shit.
Ha!! Automatic updates my ass.
Re:Frustratingly typical day in the life of Micros (Score:5, Interesting)
virgin control (Score:3, Insightful)
Sounds to me like they don't use support branching in their revision control system. If they want to release a fix for old code, rather than branch at the release and make a fix, they give you all of the "goodness" that they've been working on in the meantime.
So, add bad version
Re:Frustratingly typical day in the life of Micros (Score:5, Insightful)
time out.
any admin who sets production servers to be "automatically updated" deserves to be terminated with prejudice.
you test all patches before deployment.
Re:Frustratingly typical day in the life of Micros (Score:3, Insightful)
I think I've seen about enough of this particular strawman.
Nobody has to run anything on these servers; all they require is network connectivity. These worms propagate via network shares as well as e-mail. All it takes is one infected machine with a persistent connection to any pr
old bullshit. (Score:5, Informative)
Just wait until:
a.) Everybody decides to hate Linus.
b.) Linux machines can be counted in the millions.
a. is unlikely. How can anyone hate free software? Oh yeah, it's putting you out of business. Microsoft does an admirable job of astroturfing congressmen and Slashdot, but they have yet to put out a good free software worm. The intersection of people with the skill to write free software worms and the number of people who hate free software is vanishingly small. Competent people like free software, get used to it. Windoze on the other hand is just about universally hated and just as easy to break.
b. Linux machines can be counted in the millions. Desktop machines. If you figure 10% of US desktops are running some form of free software, you get millions of computers. The rest of the world has plenty of free computers as well. Yet I don't see anything breaking down mutt, pine, balsa or even Mozilla's email client. AOL's windowze messenger once had a problem but only on Microsoft platforms. GAIM and others had no problems at all.
To sum it all up for you, nothing is as bad as the Microsoft monoculture of poor quality software. Free software is more diverse, of better quality and is universally loved.
Re:old bullshit. (Score:5, Insightful)
Pine has had a number of problems with maliciously coded attachments. These were real-world exploits, not theoretical ones.
Linux isn't immune from viruses - email or otherwise - even though in practice it suffers less. The troll before you was telling a half-truth when he claimed that Linux is safer because (a) everybody loves Linux even though (b) nobody uses it. Those two factors are real and they do contribute; it's silly to deny it. However there are dozens of other factors, e.g.:
Protecting Linux against viruses is one of those "eternal vigilance" things. Don't get smug because Linux is relatively free from problems today while Windows is copping a flogging. Yes, I think Microsoft brought most of it on themselves and yes, I think Linux (and UNIX) is more immune by design. However I think it's naive to think that things will stay like this forever. Linux viruses are on their way. Be ready to eat your words in 5 years time when Linux becomes more popular and Linux viruses become commonplace.
Re:Frustratingly typical day in the life of Micros (Score:5, Informative)
Yes, the server community is different from userland and every piece of software will have its flaws, but popularity is not proportional to the amount of worms and viruses, lack of quality is.
it's a good one! (Score:5, Interesting)
Re:it's a good one! (Score:3, Interesting)
The scary thing is how much it looked like a valid bug report, combining an infected user's previous submission with falsified info that fit the context.
Freakish.
The antivirus software accompanying MDaemon (Win32) didn't catch it, so if you're running that try doing an independent scan with something e
Re:it's a good one! (Score:3, Interesting)
This is a great way for the worm to get likely-seeming messages to fool more victims.
Re:Woah.... (Score:3, Funny)
New M$ initiative (Score:4, Funny)
I never have a problem with these worms. I downloaded Windows Robin(TM) a long time ago!
It's a fun one. (Score:5, Interesting)
Re:It's a fun one. (Score:5, Informative)
Tell me about it. (Score:5, Informative)
the annoying part is that as complex as you can make software, you can't fix the people who are morons, which is where the real problem lies.
oh well.
Re:and that will work how? (Score:5, Interesting)
Strangely, our business can continue to operate without problems or delays even if the staff can't email screensavers to their friends.
Poor Windows.... (Score:5, Funny)
How to Fix MS Software (Score:5, Interesting)
Seems to me that would be the way to get these things fixed permanently. Make a worm that would call MS tech support on people's modems. Or any other MS 800 number. Until something costs them a LOT of money, these will continue to show up.
Re:How to Fix MS Software (Score:3, Interesting)
Modem.. (Score:3, Insightful)
The article says that an infected machine will try to get on to the internet, and will try dialing the modem if it has to.
Surely the most interesting machines are those with fast good connections - not people on crappy slow modems...
This is from the assumption that the computers would be used for a DDoS.
Has a worm ever been used for anything other than a DDoS?
Re:Modem.. (Score:3, Informative)
If some program tries to open a socket through the Windows TCP/IP stack, and you have configured it (in Internet Options) to dial when needed, Winsock will do so.
This has got nothing to do with this particular worm. It doesn't know whether the line is a T1 or a 33.6 modem line.
Re:Modem.. (Score:5, Interesting)
This worm does try hard to get on the 'net. Copied from Symantec [symantec.com].
Looks like they're trying to obtain passwords to bank-specific systems.
Re:Modem.. (Score:3, Interesting)
For some value of "interesting," maybe (Score:5, Insightful)
These machines are unlikely to be interfaced with a public net at all, especially not sitting on a fat pipe; but many of them have to network _somehow_. Regular modems, ISDN, etc. aren't quite dead yet.
Patch Available (Score:5, Funny)
Quick, get your patch here [redhat.com]
Re:Patch Available (Score:5, Funny)
Crap. It broke my machine. I can't play GTA anymore!
Re:Patch Available (Score:5, Informative)
Sure you can [transgaming.com].
Re:Patch Available (Score:3, Interesting)
Hurry! Go here [gentoogames.com] to play your games with the new patch!
Conflict of interest... (Score:3, Insightful)
Re:Conflict of interest... (Score:4, Insightful)
They consistently overplay the danger of computer infections, as the more scared people are the more biz they will make.
Look at their ads and see what scare tactics they use.
Commercial Idea (Score:5, Insightful)
"Did you get hit by that new worm?"
"No, I run Linux."
Re:Commercial Idea (Score:4, Funny)
"Do you read PC Gamer?"
"No, I run Linux."
Re:Commercial Idea (Score:4, Funny)
"No, I run Linux."
Once you've gone hack, you'll never go back (Score:4, Funny)
Re:Commercial Idea (Score:5, Funny)
"Do you have a sex life?"
"No, I read PC Gamer."
Re:Commercial Idea (Score:5, Funny)
"No, I run Linux."
Y'know, the money you save by not buying Windows and Office will more than pay for your 2 game consoles of choice. Or, if your two consoles of choice are out of stock, you could just get an X-box.
It's a nasty one (Score:5, Interesting)
On a related note, anti-virus programs are one place where I can actually see a potential useful application of "trusted computing" (no, not necessarily Palladium). If there could be some way to tell the OS "Look, I don't care if you're the administrator or not: the only programs that are allowed to terminate the anti-virus scanner process are the scanner itself, and, say, Task Manager". By using keys to prove their identity, it _might_ make it a lot harder for virii to terminate anti-virus programs. (Note to slashbots: I'm not saying Palladium is good because it will do this (I don't even know if it does). I'm saying this is one potential application of some as-yet-undeveloped implementation of "trusted computing".)
Re:It's a nasty one (Score:5, Informative)
If a program was able to tell the OS that it could be shut down by programs signed by keys A, B, and C, that would suffice. You modify the PE or ELF format to include signatures. Mandatory Access Controls can also prevent one program run by user D from killing another program run by user D.
Making users non-administrators and running virus checkers as separate users would also prevent some potential problems. Mail clients could use IPC to pass emails to the virus checkers and get a thumbs-up or thumbs-down.
Now, as far as Palladium goes, I think there's a pretty simple alternative.
Really what I'd like to see is L4 or another nanokernel and a few low-level drivers in the firmware along with a Forth interpreter for OpenFirmware. Your firmware would be a viable but minimalist OS, where before booting you could edit the fingerprints of PKs allowed to sign kernels. Booting would simply be playing two-kernel-monte with the firmware kernel and a signed kernel off the HD. 1 MB and 2 MB EEPROMs are cheap enough that putting a viable OS in the firmware is looking quite attractive. Imagine having a rescue floppy built into your mobo. The QNX demo floppy shows you can do a hell of a lot in 1,440 KB.
My SGI Indy firmware loads the Linux kernel directly off the HD and directly executes it. The firmware doesn't have a fully functional kernel like LinuxBIOS, but it suffices for a bootloader in firmware. It would be easy to add signature checking to the process, along with a small menu for entering/deleting PK fingerprints. If you ship with the fingerprints from the dozen most common OS vendors, 99.99% of people will not touch the settings or know they're even there, but you still get all of the integrity guarantees of Palladium. You would of course make NVRAM locked out at a hardware level during the boot process, which could only be undone by triggering a POST. This solution requires no new hardware besides the NVRAM lockout, and the NVRAM lockout really isn't that important if you can assume the OS will prevent writing to NVRAM. The NVRAM lockout could be skipped in the first generation for the sake of easing adoption.
Like I said earlier, my SGI firmware already does most of what's needed, as does LinuxBIOS. Apple and Sun firmware is already quite advanced and I don't imagine adding the required functionality would be that hard. Really the only advantage Palladium adds over current hardware with a BIOS upgrade is DRM. Palladium also carries a lot of baggage. I would love to see AMD come out with an improved x86-64 BIOS that includes most of the bootloader along with signature checking, if not a full nanokernel OS in firmware. Hardware NVRAM locking would also be nice.
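The boot-time check this post proposes, as an added example written for this page rather than code from SGI, LinuxBIOS or any firmware project: the allowlist of signing-key fingerprints lives in NVRAM, is locked the moment boot begins and only reopened by a POST, and the firmware hands off only to an image whose signer is on the list and whose signature verifies over the whole image. Ed25519 and SHA-256 are assumed here in place of whatever a vendor would pick; the kernel payload is a constructed stand-in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KernelImage is what the firmware bootloader finds on disk: the kernel
// bytes, a detached signature over them, and the public key used to sign.
type KernelImage struct {
	Payload   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Firmware models the NVRAM settings the post describes: the fingerprints
// allowed to sign kernels, plus the hardware lock engaged during boot.
type Firmware struct {
	allowed     map[string]bool
	nvramLocked bool
}

// Fingerprint is the hex SHA-256 of the raw public key: short enough to
// enter in a firmware menu, and what the allowlist actually stores.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// NewFirmware ships with a preloaded allowlist (the "dozen most common
// OS vendors" in the post); here the caller supplies it.
func NewFirmware(fingerprints ...string) *Firmware {
	f := &Firmware{allowed: map[string]bool{}}
	for _, fp := range fingerprints {
		f.allowed[fp] = true
	}
	return f
}

// AddFingerprint edits the allowlist from the pre-boot menu; refused once
// NVRAM is locked, so a running OS cannot add its own key.
func (f *Firmware) AddFingerprint(fp string) error {
	if f.nvramLocked {
		return errors.New("NVRAM is locked until the next POST")
	}
	f.allowed[fp] = true
	return nil
}

// ResetForPOST models a power-on self test, the only event that unlocks NVRAM.
func (f *Firmware) ResetForPOST() { f.nvramLocked = false }

// Boot locks NVRAM, then refuses any image whose signer is not on the list
// or whose signature does not cover the payload exactly.
func (f *Firmware) Boot(img KernelImage) error {
	f.nvramLocked = true
	if !f.allowed[Fingerprint(img.Signer)] {
		return errors.New("signer fingerprint not in allowlist")
	}
	if !ed25519.Verify(img.Signer, img.Payload, img.Signature) {
		return errors.New("kernel signature invalid")
	}
	return nil // hand control to the verified kernel
}

// SignKernel is the vendor-side step: produce the detached signature that
// ships alongside the image.
func SignKernel(priv ed25519.PrivateKey, payload []byte) KernelImage {
	return KernelImage{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fw := NewFirmware(Fingerprint(pub))
	img := SignKernel(priv, []byte("vmlinuz (constructed stand-in for a kernel image)"))
	fmt.Println("genuine kernel:", fw.Boot(img))
	img.Payload = append(img.Payload, '!')
	fmt.Println("tampered kernel:", fw.Boot(img))
	fmt.Println("allowlist edit during boot:", fw.AddFingerprint("constructed-fingerprint"))
}
```

The fingerprint, not the key, is what the menu edits, which is why the check hashes the key shipped with the image before consulting the list; an image carrying an unknown key fails before any signature math runs.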
Fools! (Score:5, Interesting)
Overnight, the channel plays a Flash-based word game, where viewers SMS in answers. It's running on a Windows PC, and the screen currently being broadcast to 7 million homes is....
McAfee dialog box: 'bugbear.b High Virus Advisory....'
Hmmm.
(wandering OT - the channel, 'Friendly TV' is apparently being run by students on work experience. A nightly live-broadcast show is 'Girl Talk', where... girls... talk... about... things. Whatever comes into their heads. Oh, and they get progressively more drunk as the evening progresses, which no doubt helps.)
ugh (Score:3, Insightful)
I guess it is helpful for admins to see virus warnings on slashdot though.
this is why.. (Score:3, Interesting)
for the longest time, i've been attempting to defend windows ever since 2k stopped being the 'absolute junk' syndrome. i read about this earlier in the day, and started ranting in irc.
well, since it's easier to bitch than act, i decided to act. i went directly to the local apple store and bought an ibook.
i have -never- been happier. this is literally the best of breed machine i have ever used. all the benefits of unix without the hassle of windows.
so, this is totally offtopic, but as a govt. employee who deals with this sort of thing every day, my old home pc is now strictly a local lan CF/oracle development box, and every damn machine i buy from now on will be apple.
And again.... (Score:3, Insightful)
IT'S NOT HARD PEOPLE.
Educate the user (Score:5, Insightful)
Re:Educate the user (Score:3, Interesting)
Most of them are using Windows, but there are a few who are still using their old Macs. When the ILOVEYOU virus was making the rounds, the email servers were crushed by the volume of mail generated by people who
JDBGMGR!!!!! (Score:3, Funny)
Come on people, patch your OS's (Score:5, Interesting)
Microsoft fixed this vulnerability more than 2 years ago. Why do people not update their software?
According to Symantec [symantec.com], Bugbear.B "uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment [microsoft.com] vulnerability".
Just in time... (Score:3, Interesting)
The Fun Of Reading Other People's E-Mail (Score:5, Funny)
This is amazing (Score:5, Interesting)
hep-lat is the Los Alamos eprint Archive [lanl.gov] subject code for high energy physics on lattice models. The email refers to a paper on "A new proposal for the fermion doubling problem" which is supposedly attached (instead you get the
The subject line is matched amazingly well to the recipient list. I thought "that looks interesting, I might have a look even though I probably wasn't supposed to get it."
An Idea? (Score:3, Funny)
BugBear then goes searching for a modem (Score:4, Interesting)
BugBear then goes searching for a modem, enables it, then tries to get the computer to dial out, probably to reach the virus author. "He really wanted to get into those machines," Kuo said. U.S. financial institutions probably aren't at risk from this technique, Kuo said, because most don't have modems attached to their critical computers any more.
Today I was at Fry's Electronics, and I saw a Quickbooks POS (point of sale, not piece of shit) system on display for small to medium business. This started getting me thinking back to my earlier days of consulting.
One of the companies I did work for had a retail chain of mall stores. At night the registers would dump their management reports to our AS/400 machine and someone would make neat reports out of them. It wasn't a huge amount of data, so each store would just phone home on those really nice $300 courier modems.
Most of our store managers kept in touch with us via outlook/exchange server.
Now another interesting side note is VeriFone uses POTS lines for nearly 100% of their credit card processing. Tons of small stores have networks in them now, managers reading e-mail and such.
So which of these financial institutions has its shit so well together that they don't need modems? I just wanted to point out the author of the article is a stupidhead. Boo!
Re:and again (Score:5, Insightful)
A much better solution than b), is to completely remove Outlook. Especially if you're only using it as a mail reader.
Re:and again (Score:4, Informative)
Please read the fucking article. Not only is the email attachment not random, because it pretends to be a reply to an email that you've recently sent to an infected person (among other tricks), but it also doesn't have to be opened, because it uses an IE exploit to run itself as soon as it shows up in Outlook's preview window.
Re:This went through my workplace like wildfire to (Score:5, Interesting)
Sounds like you're using a SOCKS server to connect to MSN - 1080 is the default SOCKS proxy port, not MSN Messenger.
SOCKS server (or Bugbear.B) on port 1080 (Score:5, Informative)
Backdoor routine
The worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:
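Two symptoms described in this thread can be checked from the same snapshot: a listener on 1080 that the machine never had before, and the earlier poster's Windows server "making connections to hundreds of other machines" in netstat -an. The Go program below is an added example, not from the thread or any vendor write-up: it parses netstat -an output, reports TCP listeners outside an allowlist, and counts distinct outbound peers. The netstat lines, addresses and allowlist are constructed; the fan-out threshold is an assumption to tune per host.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Connection is one row of `netstat -an` output. Windows prints Proto,
// Local Address, Foreign Address and State (no State column for UDP).
type Connection struct {
	Proto, Local, Remote, State string
}

// parseNetstat turns raw netstat -an output into Connection rows, skipping
// the banner, the column header and anything it does not recognise.
func parseNetstat(output string) []Connection {
	var conns []Connection
	for _, line := range strings.Split(output, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || (f[0] != "TCP" && f[0] != "UDP") {
			continue
		}
		c := Connection{Proto: f[0], Local: f[1], Remote: f[2]}
		if len(f) > 3 {
			c.State = f[3]
		}
		conns = append(conns, c)
	}
	return conns
}

// splitHostPort separates "198.51.100.5:445" into host and numeric port.
func splitHostPort(addr string) (string, int) {
	i := strings.LastIndex(addr, ":")
	if i < 0 {
		return addr, 0
	}
	port, _ := strconv.Atoi(addr[i+1:])
	return addr[:i], port
}

// Report is what an admin wants from one snapshot.
type Report struct {
	UnexpectedListeners []string // TCP listeners on ports outside the allowlist
	OutboundPeers       int      // distinct remote hosts this machine is reaching out to
	FanOut              bool     // OutboundPeers reached the threshold
}

// analyse flags listeners outside allowedListen and counts outbound peers.
// Without process info (netstat -o) "outbound" is a heuristic: a half-open
// SYN_SENT is always ours, and an ESTABLISHED connection from an ephemeral
// local port to a privileged remote port almost always is.
func analyse(conns []Connection, allowedListen map[int]bool, fanOutThreshold int) Report {
	var r Report
	peers := map[string]bool{}
	for _, c := range conns {
		if c.Proto != "TCP" {
			continue
		}
		_, lport := splitHostPort(c.Local)
		rhost, rport := splitHostPort(c.Remote)
		switch c.State {
		case "LISTENING", "LISTEN": // Windows and Unix spellings
			if !allowedListen[lport] {
				r.UnexpectedListeners = append(r.UnexpectedListeners, c.Local)
			}
		case "SYN_SENT":
			peers[rhost] = true
		case "ESTABLISHED":
			if lport >= 1024 && rport < 1024 {
				peers[rhost] = true
			}
		}
	}
	r.OutboundPeers = len(peers)
	r.FanOut = r.OutboundPeers >= fanOutThreshold
	return r
}

// defaultAllowed is a constructed baseline for a Windows file server: RPC
// endpoint mapper, NetBIOS session and SMB. Anything else listening is news.
var defaultAllowed = map[int]bool{135: true, 139: true, 445: true}

// sampleNetstat is constructed output in Windows netstat -an format.
const sampleNetstat = `
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        198.51.100.5:445       SYN_SENT
  TCP    192.0.2.10:1035        198.51.100.6:445       SYN_SENT
  TCP    192.0.2.10:1036        198.51.100.7:445       SYN_SENT
  TCP    192.0.2.10:1037        203.0.113.9:25         ESTABLISHED
  TCP    192.0.2.10:1038        203.0.113.10:25        ESTABLISHED
  TCP    192.0.2.10:1040        203.0.113.44:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
`

func main() {
	r := analyse(parseNetstat(sampleNetstat), defaultAllowed, 5)
	fmt.Println("unexpected listeners:", r.UnexpectedListeners)
	fmt.Printf("outbound peers: %d (fan-out: %v)\n", r.OutboundPeers, r.FanOut)
}
```

On a real host, feed it the output of netstat -an taken twice a few minutes apart: a listener that appears between snapshots, or a peer count that keeps climbing, is the cue to pull the cable before the rest of the subnet is reached over the shares.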
Re:Not just a .exe (Score:3, Informative)
Re:windows vs *nix (Score:3, Insightful)
Re:windows vs *nix - un-informed is un-informed (Score:5, Insightful)
The point being...? Really, you have done nothing to assist our underinformed cyrax777. Let me help, please.
First, causing the box to crash or not is irrelevant, as is what program allowed the compromise - a compromised machine is no longer yours. Time to re-install the whole machine.
The reason *nix is much harder to infect in the first place is users run with user privileges, as do all the child processes that they create. Thus, the e-mail client cannot over-write any system files since it lacks the authority to do so. This is where "rooting" the box comes from - you need to elevate your normal privs to super user status in order to do any real damage. You can tell most *nixes that "This user account can never elevate its privileges", and it likely never will. System services, like say the Apache HTTP server, are usually set up to run as under-privileged users as well, so compromising them leads to even more difficulty controlling the whole machine - there's very few openings in the *nix security armour. In contrast, right now my XP laptop is running login.scr as SYSTEM. Yup, a screen saver with system level privs. IIS on NT/Win2K is the same way - out of the box it runs under the SYSTEM account. If one of these is compromised, it's not your machine anymore. Now you know where a lot of the issues with Windows security lie.
This reflects one of the design philosophies of *nix: only give users the privileges they need, and have a huge, well defined wall between them and the system. Windows seems to come from the other end - give it all, and try to take away what's dangerous. IMHO, that's where Windows fails - miserably.
Soko
Re:windows vs *nix - un-informed is un-informed (Score:5, Interesting)
What's your point? The login screen saver logs users in, so it makes sense that it has some sort of advanced privileges. (Maybe it doesn't need all of SYSTEM, true...)
And the screen saver is well protected in winnt, believe it or not. It runs in a separate secure desktop, just like the ctrl-alt-del desktop does.
Now I agree that the security architecture of windows has flaws, but c'mon, there's got to be a better example than login.scr...
Re:Ya know (Score:3, Insightful)
So don't complain too much about the zealo