Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Security

New Trojan Threatens Windows XP SP 2 241

lightdarkness writes "Symantec is reporting about a new virus called Phel (Anagram of 'help') which is a Trojan which spreads via a HTML file. All the user needs to do is go to the page, and it takes advantage of the vulnerability in the IE Help control component files. This allows the attacker to download malicious programs on to the machine. Worst part is, this is one of the exploits that even effects SP2. Microsoft is said to be working to stop the spread, and to release a patch." The exploit is apparently not the same as the help file problems disclosed last week.
This discussion has been archived. No new comments can be posted.

New Trojan Threatens Windows XP SP 2

Comments Filter:
  • by Quasar1999 ( 520073 ) on Friday December 31, 2004 @08:53AM (#11227254) Journal
    Oh... yeah... IE is great... no need to change it until longhorn...

    so what exactly processes HTML in windows again? Some third party plugin? No... IE? ahhh... what a shame... and here I thought that there was no need to do anything to IE as it is so perfect...
    • by teg ( 97890 ) on Friday December 31, 2004 @09:00AM (#11227293)

      Oh... yeah... IE is great... no need to change it until longhorn...

      In all fairness, that statement was about features. Not security.

      They'll keep on patching this Swiss Cheese after-the-fact for a long time yes, and know it.

      • by Moulinneuf ( 844899 ) on Friday December 31, 2004 @09:11AM (#11227360) Journal
        Please ! dont insult the Swiss Cheese by associating it with IE , the Swiss Cheese as less hole and far more valuable content and as an excellent quality control , unless you dont read the date marked "best before" before eating it. ;-)

        • by naelurec ( 552384 ) on Friday December 31, 2004 @10:24AM (#11227783) Homepage

          unless you dont read the date marked "best before" before eating it. ;-)

          Microsoft should have the same thing for Windows...

          • Best before plugging into a network..
          • Best before being turned on..
          • Best left in the box..

          In all honesty, when Windows is isolated (or on an isolated network) and locked down (ie users don't have any way to install new software, etc..).. its not too bad.. Unfortunately, everyone wants to plug it into that dang Internet.. hheh..

      • I've said it before and I'll say it again.

        It seems that MS holding onto IE is simply to save face, there is no real value in IE any more, Mozilla is producing the better browser plain and simple and nobody in thier right mind can argue against that.

        Microsoft should either get out of the browser market completely, or make IE7 based around Gecko, with a compatability API if they really want to support legacy cruft. I'd prefer the later, otherwise we'll end up like the IE on Mac situation where lots of peop
        • It seems that MS holding onto IE is simply to save face, there is no real value in IE any more,

          Yes, there is. Customer lock in. Making moving onto non-MS platforms harder and more costly. And keeping MS as the dominant corporate desktop platform is their spearhead into the corporate server space as well.

        • They want to destroy the WWW and replace it with their own proprietary versions of HTTP and HTML.
        • It seems that MS holding onto IE is simply to save face, there is no real value in IE any more, Mozilla is producing the better browser plain and simple and nobody in thier right mind can argue against that.

          I just don't see the sense in MS persisting with IE, I can't imagine how they can justify the expenditure when Gecko is sitting there, 10x better, and is going to cost them MUCH less than developing IE in the long run.

          The same arguments could have been made about Netscape/Mozilla back in the 1998-2002

      • In all fairness, that statement was about features. Not security.

        huh? that was "about features?" I don't think there has been any major new features added to IE since mid/late-90's. sure, it's up to date in the auto industry's development cycle.

      • "that statement was about features"

        I still don't think M$ understands why were screaming at them to update IE, we don't want features we want it to work properly.
      • Oh... yeah... IE is great... no need to change it until longhorn...

        In all fairness, that statement was about features. Not security.

        Security is a feature, especially when you think about it in today's terms. Microsoft has been pushing security enhancements as a feature since they started talking about XP SP2 many moons ago. Security enhancements have been the center piece of OS enhancements we've seen from MS lately.

        If the rumor is true, MS is making a *huge* mistake by delaying IE enhancements unt

    • by too_poland ( 845066 ) on Friday December 31, 2004 @09:06AM (#11227334)
      Injecting Exploit 6.0 =]
    • by Anonymous Coward
      so what exactly processes HTML in windows again? Some third party plugin? No... IE? ahhh...

      Which means that the only way to avoid IE and its holes is to not use Windows at all. Microsoft's decision to make IE an integrated part of Windows is bearing fruit...

    • Oh... yeah... IE is great... no need to change it until longhorn...

      I wont repeat Ghandi's famous adage because comparing the strugle for Indian freedom to that of free software isn't remotely the same as the battle between proprietary and free software..

      However, there is a strong symmetry between the two. Microsoft all too often has ignored the competition and then nearly missed the boat only to use it's desktop dominance to muscle back in on the action.

      The problem is that this time, they've al

    • You know, I have to believe that even within Microsoft, the IE team must be extremely embarrassed.

      There is constant egg on their faces, some new young competition is eating up their market share at astonishing rates, and they are always in the bad part of the news.

      Microsoft has a cult-like culture, and this type of constant bad news does NOT go over well in those types of cultures. I'd love to hear from someone on the IE team... I bet they're wishing that they were on the Office team or something like that

      • I've heard that MS hires the best programmers they can possibly find, straight out of MIT etc. How the hell can an enormous corporation like that, with the best talent they can find, make such frequent and enormous cock-ups? Anyone from Microsoft care to comment?
      • so what exactly processes HTML in windows again? Some third party plugin? No... IE? ahhh... what a shame... and here I thought that there was no need to do anything to IE as it is so perfect...

      The purpose of using IE is that it enables Windows to have a single HTML renderer loaded up into memory for a wide variety of tasks. By switching over to HTML based help, Microsoft has consolidated various rendering engines into one (HTML, specifically IE), all while reducing the overall memory footprint used up by

  • Well at least I know reading Slashdot will be sa...
  • Does that mean they're trying to copy IE from the victims?

    Upload to...download from.
  • by o0zi ( 652605 ) on Friday December 31, 2004 @08:59AM (#11227289) Homepage
    " Worst part is, this is one of the exploits that even effects SP2."

    Oh, it causes SP2? That's absolutely terrible - it must be stopped!
    • So, in effect, the article is saying Windows Update is a trojan that spreads through mangled HTML? Makes perfect sense to me.
      • by Linker3000 ( 626634 ) on Friday December 31, 2004 @11:39AM (#11228270) Journal
        I once called the customer service team of a major UK railway company and said they needed to change their new safety posters because they had put "Opening train doors before the train has come to a complete stop can effect your safety".

        I explained it carefully to the bemused agent a couple of times and eventually got a half-hearted agreement that she'd pass on my comments to the marketing team - but I knew in my heart that she thought I was completely mad and that she was going to close the call as soon as I was off the phone.
  • by lordfener ( 842728 ) on Friday December 31, 2004 @08:59AM (#11227290)
    ...Microsoft will lose before it manages to put out a new and more secure version of IE (assuming that is even possible ;-)). I keep hearing from friends who work as IT managers that they are systematically blocking access to IE and installing Firefox on their corporate clients (although that doesn't really shut IE down). IE's getting a really bad rap even in those environments where Microsoft marketing used to have more influence than cold hard facts... and if they don't do something decisive about it rather than releasing ad-hoc patches they're going to have a hell of a time restoring confidence in their product. Then again, they've been able to boounce back before... and it's not like they don't have the money to spend on marketing!
    • by Anonymous Coward
      On my two main sites (barcoding and digital photography) with 80/20 Windows/Mac users IE now stands at about 60%. Back in September it was about 80%.
    • by eyeball ( 17206 ) on Friday December 31, 2004 @09:27AM (#11227437) Journal
      Microsoft will lose before it manages to put out a new and more secure version of IE (assuming that is even possible ;-)).

      Or a lite version. They're fighting an uphill battle -- they need to keep their code compatible with the buttload of non standard features they've introduced over the years (mainly things like activex windows-specific plugins) that people have build applications on top of. If they were to release something that was stripped down (yet retained all the functionality of something on the level with Firefox) and gave the user a choice to install the backwards-compatible mess, they might get out of this situation.

      Of course they won't because that gives people a migration path off IE (and eventually off Windows).

    • Honestly, I don't think it matters much. They could take a huge market share drop, but when they release longhorn, it will come with the new version of IE .. if that IE is "good enough", everyone will simply jump back on the bandwagon (I mean, it does come with Windows .. why have two programs that do the same thing when one of them (IE) is ALWAYS taking up resources..)

      The longer they hold out, thats one more reason people will want to upgrade to longhorn ..
  • by Spinlock_1977 ( 777598 ) <Spinlock_1977@@@yahoo...com> on Friday December 31, 2004 @09:07AM (#11227338) Journal
    Relying on Windows for security is like fighting for peace, or screwing for virginity. 'Nuff said.
  • by asliarun ( 636603 ) on Friday December 31, 2004 @09:07AM (#11227339)
    Sorry, couldn't resist the anagram. Here's the source code for the phel trojan. This trojan is written in a very high level language. By a strange temporal accident involving a singularity, an anagram, and MS's open-door policy, the source code closely resembles a certain song lyric that goes by the same name.

    The lyrics are kinda fitting, don't you think? ;-)

    [snip]
    When I was younger, so much younger than today,
    I never needed anybody's help in any way.
    But now these days are gone, I'm not so self assured,
    Now I find I've changed my mind and opened up the doors.

    Help me if you can, I'm feeling down
    And I do appreciate you being round.
    Help me, get my feet back on the ground,
    Won't you please, please help me.

    And now my life has changed in oh so many ways,
    My independence seems to vanish in the haze.
    But every now and then I feel so insecure,
    I know that I just need you like I've never done before.

    Help me if you can, I'm feeling down
    And I do appreciate you being round.
    Help me, get my feet back on the ground,
    Won't you please, please help me.
    [/snip]

    - Help by The Beatles
  • Trojan Condoms? (Score:2, Informative)

    Who says trojans are bad?

    You can pull one over your case and stop the spread of windows and aol. Shipping a trojan condom with AOL cds could also help stop the reproduction of aol users. Way to go Trojan! You set a good example for the rest of us. Windows XP std2 is a threat to us all, and with your help, we may just annihilate it yet! Of course, then you are still at risk for penguin gout, and gnu herpes.... but that's a post for a different story(most likely the double posting of this).
  • by basvdlei ( 844717 ) on Friday December 31, 2004 @09:09AM (#11227356)
    if this is what they meant with "extensible platform": http://slashdot.org/article.pl?sid=04/12/30/185323 2&tid=113 [slashdot.org]
  • Wow!, please! (Score:2, Informative)

    by xcfx ( 844022 )
    Quite frankly, I can't understand why people get "impressed", I mean, let's look at history for a while... it isn't something new -- for the past probably, let's say 7 years Microsoft has been making the same mistakes over and over. It's nothing new that every vulnerability that is found affect their "benevolents" Service Packs, happened with Service Pack 1 and now 2 in Windows XP, happened with all the Service Packs on NT, and then Windows 2000... seriously. All I have to say is, Microsoft is like a teen
  • ...how many working worms/viruses affecting Mozilla/Firefox have been written already?
    How many for MSIE?
    What's the ratio?
  • by ral315 ( 741081 ) on Friday December 31, 2004 @09:19AM (#11227403)
    The problem is, the end users who will visit these types of sites, especially in IE (the same users who will open e-mails for free Vioxx or Rolex watches)
    • by HangingChad ( 677530 ) on Friday December 31, 2004 @09:57AM (#11227625) Homepage
      The problem is, the end users who will visit these types of sites...

      That's good, blame the victim. Just what sites are those? Where's the big list of sites you shouldn't visit? We might know where to avoid, but how is Joe User going to know?

      Typical MSFT response. Instead of fixing their busted ass software they blame the victim. How's the weather in Redmond today?

      • No blame the people that write the Trojan. I have no love of microsoft but there are people that are trying to cause these problems for there own reasons. Yes Microsoft does need to improve it's security but it is not like Microsoft enjoys these bugs. For once they are not the bad guys.
    • The problem is, the end users who will visit these types of sites

      not quite... there are some cases in which a compromised web site can serve as a 'launch pad' for malware. There are "some" cases like this and not "a lot" because the vast majority of attacks are done by script kiddies who have no fsking idea what and how they are doing it.

      I had one server compromised because of a web application vulnerability... and after finishing to diagnose, fix, patch and check I could only say: "Thanks God it wasn'

    • The parent's title I agree with. Yes, users are uneducated. Whose fault is this? Microsoft.

      Widows users are quite simply left to fend for themselves after making all the color-coded peripheral connections and pushing the power button. If there's a problem, who provides support for windows? The OEM, not MS (more likely its done by a good samaritan friend/relative). Combine this with a product whose sole design goal is to be user friendly (not secure, well architected, empowering, or sufficiently docum

  • by borfast ( 752138 ) on Friday December 31, 2004 @09:21AM (#11227411) Homepage
    Microsoft is working to forensically analyze the malicious code in Phel and will work with law enforcement agencies to identify and bring to justice those responsible for the malicious activity, he said.

    They always want to catch the bad guys but Microsoft itself is never held responsible fot the damages their crippled software causes.

    As a software developer myself, I know it's almost impossible to make a big software product 100% bug free but come on... Microsoft's software is becoming ridiculous!
    • ...becoming ridiculous?
    • Microsoft's software is becoming ridiculous!

      It's been there for quite a while...

      The only good thing is that constant media coverage (it's even *slowly* trickling into mainstream media) makes more and more people aware. Few of them will look for alternatives. Many of those make the switch to firefox (because it's easy and has the added bonus of suppressing these banner ads) but only a small number actually looks for another OS - because the only viable desktop alternative is still the mac and those are ex
    • I dunno about you, but the last thing I would want is a legal climate where security bugs are punished through the courts. What's next.. coder's malpractice insurance? What will that do to OSS?

      Much safer to get the word out that Microsoft is bad at handling these issues, and that their EULA specifically protects them from any responsibility. Luckily, they seem to be doing a very good job of doing that on their own..
  • What? (Score:5, Funny)

    by Albinofrenchy ( 844079 ) on Friday December 31, 2004 @09:23AM (#11227423)
    Trojans in IE counts as news still? Its like someone throws us a surprise party every three months and we feel obliged to keep acting surprised.
    • Re:What? (Score:2, Funny)

      by AndroidCat ( 229562 )
      If someone gave me cake and presents every three months, I'd at least try to act surprised. Unfortunetly, trojan infections rarely involve cake.
  • There would be a fix by now if it where an OSS , Gnu/Linux project.
  • How about .. (Score:2, Interesting)

    by sunsrin ( 842762 )
    XPLite [litepc.com] to remove the darn thing !
  • by Heem ( 448667 )
    http://www.mozilla.org
  • Wouldn't MS just be better off writing a new browser instead of wasting all this time trying to fix IE? Surely they relise this..
  • by max born ( 739948 ) on Friday December 31, 2004 @09:55AM (#11227603)
    Customers in the U.S. who believe they have been attacked should contact their local FBI office or post their complaint online at www.ifccfbi.gov

    Non MS users should contact the FBI and tell them we don't want our tax dollars to go to phel. Let Microsoft deal with it.
    • Wow! Great point! (Score:3, Insightful)

      by xeno-cat ( 147219 )
      This is what is known as a "negative external" in economic lingo.

      Basicaly, Microsoft does not care about the costs of security because it does not effect it's bottom line. The costs are "external" to MS.

      So, why does the government (meaning we, the people...) allow MS to cost industry, government and citizens billions of dollars without sanction? If this was Exxon spilling oil all over baby seals they would have to pay (a fraction) of the clean up costs and get all sorts of bad PR. With MS it's just Bus
  • by roca ( 43122 ) on Friday December 31, 2004 @10:11AM (#11227694) Homepage
    This is a good example of why "IE only looks bad because it has the most market share" is at best dubious, and why IE is going to continue to struggle with problems that don't affect other browsers.

    In particular, here we have problems in a scriptable ActiveX control for presenting Windows Help files. It's nice to have that available for Windows integration, and maybe for intranet Web applications (though regular Web pages are fine for the vast majority of online help), but people don't need it for regular Web surfing. There have been tons of flaws in these preloaded ActiveX controls, but Microsoft seems unwilling to change its policy to reduce this attack surface.
    • > This is a good example of why "IE only looks bad
      > because it has the most market share" is at best
      > dubious.

      Yes and no.

      The market share is certainly not the whole problem, but it is definitely part of it.

      1. In retrospect, trying to bind IE so tightly into the OS was a big mistake.

      2. The security model chosen for IE was poorly thought out, and is probably the single biggest cause of problems. However, because so much 3rd party software relies on IE behaviour, changing the security mod
  • For the exploit to succeed, an attacker would need to entice a user to visit a malicious Web site

    Why do they always try to make this sound difficult?

    Hey everybody, I've got pictures of Natalie Portman naked [inowownyourpc.ru]!

  • For those interested, check out this source code [totallygeek.com]. Virus and Trojan problems seem to just gravitate toward Microsoft products. So, Microsoft is the problem.
  • just remember (Score:5, Insightful)

    by cinnamon colbert ( 732724 ) on Friday December 31, 2004 @10:49AM (#11227955) Journal
    1) the list of FORMER competitors of MS is a long one..anyone remember DR-DOS, which always got better reviews in the trade journals ? Lets add borland, lotus, star office, etc etc. A rationale person has some humility and or fear when confronted with a proven champion, regardless of the methods the champion uses.

    2) Unlike other companies, MS can survive a disaster - (either DOS 4 or 5) was a dog that would have killed any other company; MS survived to fight another day (eg, borland died when they were late with one product). I'm sure /. readers can supply many other examples of companies that died when there single flagship product was late or buggy; only MS can live to fight another day, with its cash flow and monomply posistions.

    3) IMHO, MS has developed an unusual corp ability - the ability to throw money at a problem and solve it. IF gates and ballmer were really interested, they could release a new IE next year.

    4) Gates is laughing at /. and firefox cause they are playing the wrong game. I don't think he cares a flying f*ck about technical superiority, or bloat or stuff like that; he cares about market share. For all we know, he may be happy that the 10% of the market consisting of geeks is distracted by linux and firefox - it never makes economic sense for a biz to care about more then 80% of the market.

    5) there is something kinda pathetic and geekish and teenagerish in this constant gloating about bugs in MS products. Maybe worm writers don't write for *nix because that is not where the market is - if you r interested in making money, an not tech bragging writes, why wd u care about the geeks using linux. no money and hard to cheat - just not a soft target (the same principal by which "insurgents" choose unarmored Iraqis over armored mobile americans.
    Untill there is some reasonably similar user base, any comparision of worms or bugs or whatever you want to call them, between nix and ms, is meanignleess. Its sort of like comparing gas mileage between GM and solectra. Just not a comparison that has meaning in the real world of sales and market share.

    6) Since the game gates is playing is market share and sales and PROFITS, maybe he is not that interested in the OS or the browser - maybe they think OSs and Browsers will become commodity objects, and the money is in apps.
    think about ibm selling its pc division - companies exist to make money, not technically superior produdts. Sometimes you can win on technical superiority; sometimes not

    • (4) is an good point, but I think there is more to it as well. Once companies reach a certain size, they gain the attention of political people of all stripes. The attorneys and lobbyists are probably telling Gates to get IE down to 60% market share. That way there is still a reason for web developers to write to its specialized features/defects (whatever one wants to call them). The lower market share will provide decent defense against the "monopoly" witch hunters, and so becomes an important business con
      • There are lots of kids running linux boxes which are poorly managed. One of these days a swarm of them will be hacked with much negative publicity. It will be interesting to observe the reaction.

        The reaction will be to blame the users for not patching. This is Linux here! It's not like we're talking about M$. M$ is evil, and even when something comes out that takes advantage of a vuln that was patched months ago (I know that the vuln discussed here is not like that, so everybody just sit back down) it'
  • by elecngnr ( 843285 ) on Friday December 31, 2004 @10:55AM (#11227997)

    /begin{Sarcasm}



    You know, when I found out that Microsoft would no longer develop IE for Macs, I was so sad.



    \end{Sarcasm}

    • At least with Mac OS X, I do have the option
      of totally and completely removing the included
      MS IE. And that is one of the very first things
      that I recommend new Mac owners do, and install
      the F/OSS FireFox & Thunderbird software.

      With all the problems and vulnerabilities that
      are associated with Microsoft OSes, one must
      wonder why any US government agency (like the
      US Navy and the Dept. of Homeland Security) would
      even consider a MS product, let alone to base
      their agencies on.
  • by aichpvee ( 631243 ) on Friday December 31, 2004 @11:13AM (#11228099) Journal
    I would like to take this moment to accept the apologies of all the assholes who said things like, "windows is secure, just upgrade to sp2." I'm sure that all of you feel much better after saying that you are sorry and admitting that you were wrong.
  • Won't this also occur in email with Outlook and Outlook Express? They use the same control that IE does to process the html.

    This could make for a much worse case than having to visit a web site. Just have the preview pane open with these apps and get a spam than contains the exploit.

  • This allows the attacker to download malicious programs on to the machine.

    Does anyone use the word "UPLOAD" anymore?

  • It is simply difficult to keep a Windows based machine secure, no matter how diligently a person visits Windows Update.

    Yesterday I updated DirectX on my w2k machine. So I went to Windows Update and first downloaded all the new critical updates. So now my machine is "secure" (as far as MS is concerned). So I proceed to have Windows Update install DirectX 9.1. So now I have a secure box with the latest DirectX, right? Nope. I just happened to go back to Windows Update searching for something else, and
    • This just proves that there is not one person in Redmond that can even spell security, much less actually do something about it.

      If M$ would ever start with a clean hard drive and write their next OS from scratch, they might fix most of this. Instead they just add to the exising buggy crap they've had for fourteen years.
  • If you didnt know that Microsoft makes an alternative to XP called Windows Server 2003, now is your time to find out.

    It is the most no-nonsense version of Windows I've seen since 2000, perhaps more so.

  • IE cannot be fixed (Score:3, Insightful)

    by IchBinEinPenguin ( 589252 ) on Friday December 31, 2004 @11:52PM (#11232137)
    Security has to be part of the initial design, you can't retrofit it.
    A motorcycle will always be inherently less save than a volvo, no matter what else you do to it. (sure, a safe rider can be safer than an idiot in a volvo).
    The design decisions that went into IE make it impossible to secure, no difficult, not expensive, but IMPOSSIBLE.
    ActiveX is the most obvious example where functionality/usability/ease-of-use totally overrode security in the design. You can't fix that, just like you can't make a motorcycle safe by adding seatbelts (more here: http://sans.org/rr/whitepapers/awareness/1509.php) .
    Saying it's the users fault is like giving someone a book of matches in a dynamite factory and saying "it's your fault for lighting the match".
    IE is a wonderful inTRAnet explorer, filling out timesheets in a low-risk network. Using it on the inTERnet is like entering a demolition derby on a motorbike.

Real programmers don't bring brown-bag lunches. If the vending machine doesn't sell it, they don't eat it. Vending machines don't sell quiche.

Working...