Security Operating Systems Software Windows

W32.Sobig.E@mm Worm Spreading Rapidly 547

mabu writes "Apparently there is another worm spreading online. Symantec has upgraded its severity to 'category 3.' This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th, and searches users' machines for select files containing e-mail addresses that it uses to propagate itself."
  • Fortunately... (Score:5, Interesting)

    by Hadlock ( 143607 ) on Friday June 27, 2003 @04:53AM (#6309295) Homepage Journal
    I have an "early slashdot worm story alert system" built in to my DSL connection. I found out about this around midnight last night, when my DSL connection slowed to a crawl, and even Google was returning results with considerable lag.

    Anyone else so lucky to have a system such as mine? This works well on the UTA campus network, also. At least, a worm story has been reported w/in 24 hours of every noticeable long slowdown of the net for me...
  • 1. Virus writers
    2. Spam merchants
    3. ???

    Is there an organized group involved in trying to take control of the Internet through the nefarious means of planting virus and trojan software on a critical mass of systems from which they can launch deadly attacks to take over the entire Internet?

    Ahem. No MSN, Kazaa or AOL jokes please.
    This is a serious question.
  • I opened it (Score:3, Interesting)

    by Barbarian ( 9467 ) on Friday June 27, 2003 @05:00AM (#6309326)
    Fortunately my virus scanner DAT was up to date, although it did misidentify it and the info page said that it was supposed to expire June 6.
  • by struppi ( 576767 ) <struppi&guglhupf,net> on Friday June 27, 2003 @05:09AM (#6309354) Homepage
    Now, honestly. Imagine you are using a Windooze PC -- you should know that there is a new email worm approximately every 1 1/2 months.
    You receive an email from support@yahoo.com with the subject "Re: Documents". You know you never have written an email to this address with this subject.
    Would you really click on this attachment??

    I guess there are still people who do.

    They are a dying race. We should let them pass.
    -- Ambassador Kosh, Vorlon Empire

  • by gad_zuki! ( 70830 ) * on Friday June 27, 2003 @05:26AM (#6309398)
    I think virus writers' priorities have changed since. With everyone on the net now, the bragging points have to do with how quickly and how many machines you can infect. [caida.org] It's quantity over quality. Payload? What payload?

    Ah yes, the halcyon days of the wazoo virus [pdxtc.com] or when getting a virus meant your disk partitions were officially destroyed.

  • Why Never Apple? (Score:5, Interesting)

    by Bloodmoon1 ( 604793 ) <`moc.liamg' `ta' `noirepyh.eb'> on Friday June 27, 2003 @05:26AM (#6309401) Homepage Journal
    Ok, this is a serious question, not an attempt to start a flame war or anything, but why does this always happen to MS systems? I use a Mac and have only had to work with Windows at my college and a few other times here and there. I've NEVER seen a live Mac trojan or worm and have only ever encountered one virus (the 666 one) that wasn't really malicious and only added some extra resources labeled "(Box thingy)666" in an application's resource fork that caused an application to run a little slower. And that was 4 or 5 years ago in OS 7.5 or 8.

    Now, I understand the "security through obscurity" theory that basically says Macs have far fewer virii problems than PCs because not nearly as many people use Macs, but that's sort of a dead idea nowadays. While we don't have nearly the numbers of any MS OS, by Apple's numbers, there are 7 million users [apple.com] of OS X, which makes the current number of users in the OS X community about as large as the populations of Hong Kong (7,303,334) or Switzerland (7,301,994), and about 1 million more people than the pop. of Israel (6,029,529). (Go on, check my numbers [cia.gov].) And just for good measure, add to that the fact we now have a more or less Unix based OS and therefore must have some common ground with numerous other OSes. It's not like we're a tiny little niche to go after, or one that no one knows how to program for. Hell, Apple even gives away developer tools to write out and compile programs. So why don't we ever see any worm, trojan, or virus outbreaks for OS X?
  • by Tet ( 2721 ) <.ku.oc.enydartsa. .ta. .todhsals.> on Friday June 27, 2003 @05:31AM (#6309414) Homepage Journal
    You know you never have written an email to this adress with this subject. Would you really click on this attachment??

    It goes like this. The mail hits our company yesterday morning at 10:58. By 11:00 I've sent a company wide mail out telling people that it's a virus that's slipped past our scanner, and not to open it. At 11:02 I get apologetic messages from those who had already done so -- "I thought it was someone sending me something", "It was just a zip file", "I didn't know". Yes you did, you morons! I've told you enough times! You will never teach people not to do this. People are stupid.

  • by zeekiorage ( 545864 ) on Friday June 27, 2003 @05:31AM (#6309418)
    Every time a new mass mailing worm comes out all the antivirus vendors issue updates to their virus definitions. This stops _that_ particular virus from infecting a machine or spreading further. A better approach would be to monitor socket connections on port 25, I think Norton antivirus already does that, aren't the other AVs already doing this or the people getting infected simply not running an antivirus scanner at all? In any case the antivirus vendors need to figure out a different way of dealing with these pests.
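The port-25 monitoring idea in the comment above, as an added example that is not part of the post or of any vendor's product: a small detector that reads outbound-connection log lines and flags any host that talks to more distinct SMTP servers inside a minute than a workstation ever should. A mass mailer fans out to many MX hosts; a legitimate client talks to one relay. The log format, the relay list, the window and the threshold are all assumptions chosen for the example, and the log lines are constructed (documentation IP ranges, no real hosts).

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Hosts that are supposed to speak SMTP to the outside world (assumption).
MAIL_RELAYS = {"10.1.0.25"}
# A workstation contacting more than this many distinct SMTP servers within the
# window is treated as a mass mailer (assumed thresholds; tune for your site).
WINDOW_SECONDS = 60
MAX_DISTINCT_DESTINATIONS = 5

# Constructed log format (assumption): one outbound connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def find_mass_mailers(lines) -> dict[str, tuple[datetime, int]]:
    """Map each offending source to (time of first alert, distinct SMTP peers seen).

    Keeps a sliding window of (timestamp, destination) per source and counts the
    distinct port-25 destinations inside the last WINDOW_SECONDS.
    """
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, tuple[datetime, int]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ts, src, dst, dport = parsed
        if dport != 25 or src in MAIL_RELAYS:
            continue
        window = recent[src]
        window.append((ts, dst))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        distinct = {d for _, d in window}
        if len(distinct) > MAX_DISTINCT_DESTINATIONS and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


# Constructed sample: the relay sending normally, workstation 10.1.2.3 fanning
# out to many SMTP servers, workstation 10.1.2.4 behaving itself.
LOG = """\
2003-06-26T23:58:01 SRC=10.1.0.25 DST=192.0.2.10 DPT=25
2003-06-26T23:58:02 SRC=10.1.0.25 DST=198.51.100.20 DPT=25
2003-06-26T23:58:02 SRC=10.1.2.4 DST=198.51.100.20 DPT=80
2003-06-26T23:58:05 SRC=10.1.2.3 DST=192.0.2.1 DPT=25
2003-06-26T23:58:06 SRC=10.1.2.3 DST=192.0.2.1 DPT=25
2003-06-26T23:58:07 SRC=10.1.2.3 DST=198.51.100.2 DPT=25
2003-06-26T23:58:09 SRC=10.1.2.3 DST=203.0.113.3 DPT=25
2003-06-26T23:58:11 SRC=10.1.2.3 DST=192.0.2.4 DPT=25
2003-06-26T23:58:12 SRC=10.1.2.4 DST=10.1.0.25 DPT=25
2003-06-26T23:58:14 SRC=10.1.2.3 DST=198.51.100.5 DPT=25
2003-06-26T23:58:16 SRC=10.1.2.3 DST=203.0.113.6 DPT=25
2003-06-26T23:58:20 SRC=10.1.2.3 DST=192.0.2.7 DPT=25
2003-06-26T23:59:40 SRC=10.1.2.4 DST=10.1.0.25 DPT=25
this line is garbage and is skipped
"""

if __name__ == "__main__":
    for src, (when, count) in find_mass_mailers(LOG.splitlines()).items():
        print(f"{when.isoformat()} {src}: {count} distinct SMTP peers in {WINDOW_SECONDS}s")
```

Repeated connections to the same server (the two lines to 192.0.2.1) count once, so a client retrying its own relay never trips the rule; only fan-out does.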
  • by Peer ( 137534 ) on Friday June 27, 2003 @05:40AM (#6309463) Homepage
    Is this a subtle way of trying to say "Yes it's another fucking windows virus" without sounding like we're anti windows?

    The register [theregister.co.uk] is less subtle (almost advertising other platforms);
    As usual, the worm affects only Windows PCs. Linux and Mac users are immune.
  • by alizard ( 107678 ) <alizardNO@SPAMecis.com> on Friday June 27, 2003 @05:47AM (#6309488) Homepage
    Red Hat 9 is on the other HD, this is a dual boot box. I'll think about going full-time with Linux when someone comes up with an Open Source vector draw app that'll read my Corel Draw 8 files. I said vector-draw, not bit-map/paint, so don't tell me about GIMP, that's something GIMP does not do.

    However, I run Eudora, not Outhouse Express, and ZoneAlarm renames file attachments so they can't be opened by accident. (as in click and you got a prompt asking if you really want to do this?)

    There really isn't an excuse to get nailed by this even for Windoze users for the most part, "executable file attachment from somebody I don't know" != CLICK HERE. These virus-generated e-mails all have a generic look to them, I dump them unopened into my virus-contaminated folder for later cleanup.

    I got rid of 16 copies of Sobig.E today.

  • by asciimonster ( 305672 ) on Friday June 27, 2003 @05:49AM (#6309499) Journal
    This worm doesn't use this, but some windows computers are set up to hide "known extensions". So when an attachment is sent of the form "Observations.doc.exe" the user would only see "Observations.doc" and open it without a second thought.

    On the other hand: Viewing, opening and running an attachment is all done with the same click of the same mouse button. Most people just don't know the difference. (People have trouble enough using outlook, because it is such an incredibly illogical programme)

    And let's be honest: Even if you would put a neon sign over the e-mail that read: "Don't open this: It contains a virus!", they would just go right ahead and open it. And NEVER underestimate how many people are totally stupid (I know from experience).
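How a mail gateway can apply the hidden-extension observation above in code, as an added example that is not part of the comment: it classifies attachment file names, rejecting executable types outright, rejecting document-looking names whose real suffix is executable, and rejecting names padded with runs of spaces so the true suffix scrolls out of the attachment column. The extension lists and the sample names are assumptions made up for the example.

```python
from __future__ import annotations

import re

# Types Windows runs on a double-click. An assumption for the example, not an
# exhaustive list; a real gateway keeps a much longer one.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Types a recipient reads as "just a document".
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".txt", ".pdf", ".jpg", ".gif", ".htm", ".html"}
ARCHIVE_EXTENSIONS = {".zip"}


def extensions_of(filename: str) -> list[str]:
    """All dotted suffixes of the basename: 'Observations.doc.exe' -> ['.doc', '.exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces when it resolves a name, so
    # 'invoice.exe.' is still run as invoice.exe; normalise the same way.
    base = base.rstrip(". ").lower()
    pieces = base.split(".")
    return ["." + p for p in pieces[1:] if p]


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'inspect' or 'allow'."""
    if re.search(r"\s{2,}", filename):
        # 'photo.jpg              .scr' pushes the real suffix past the column edge.
        return "block", "whitespace padding before the extension"
    exts = extensions_of(filename)
    if not exts:
        return "inspect", "no extension"
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            return "block", f"document suffix {exts[-2]} masks executable {final}"
        return "block", f"executable type {final}"
    if final in ARCHIVE_EXTENSIONS:
        return "inspect", "archive: check members before delivery"
    return "allow", f"non-executable type {final}"


# Constructed sample names in the style of worm attachments (not real captures).
SAMPLES = [
    "your_details.pif",
    "Observations.doc.exe",
    "application.zip",
    "photo.jpg              .scr",
    "invoice.exe.",
    "minutes.doc",
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, reason = classify_attachment(name)
        print(f"{verdict:8} {name!r}: {reason}")
```

The decision is made on the name the client would display and the name Windows would actually execute, which is the gap the comment describes; the "hide known extensions" setting on the recipient's side never enters into it.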
  • by janda ( 572221 ) <janda@kali-tai.net> on Friday June 27, 2003 @05:51AM (#6309503) Homepage

    To quote the parent:

    I mean, why would all virus writers suddenly become so nice?

    Because most of the virus writers today don't know the difference between an IBM 3090 and an Atari 2600? If you think I'm kidding, look at some of the stuff from the 80's, which would see if you were infected by virus "x", and DISINFECT YOUR COMPUTER FOR YOU IF YOU WERE, before infecting you with virus "y".

    It also provides an interesting "but I didn't do any harm" attempt at defense if they are actually caught and Mommy and Daddy have to cough up money for a lawyer.

  • Re:Linux is so C00L (Score:2, Interesting)

    by Anonymous Coward on Friday June 27, 2003 @05:53AM (#6309509)
    But that's what actually does make Linux so cool. You actually learn something when you're trying to configure some settings. I got bored of Windows and switched over to Linux about three weeks ago. Haven't looked back since.
  • by ashitaka ( 27544 ) on Friday June 27, 2003 @06:07AM (#6309544) Homepage
    Sobig.E first hit Wednesday, a couple of copies got in before I warned the huddled masses to not open any .ZIP attachments until CA got their act together which they did a couple of hours later. A full scan of the Exchange store cleaned everything off and anything new is getting cleaned on the way in.

    NOW, late this afternoon I get a couple of emails from the lawyers say they are appearing again, just as one pops up in my Inbox.

    CA did update their signature again late in the day which opens up two possibilities:

    1) The latest signature broke the ability of CA's software to catch Sobig.E or

    2) This is a new variant (Sobig.F?)

  • 14th of July being Bastille day [google.com] in France.

    "In France, the 14th of July is a National Holiday. It is known as Bastille Day and celebrates the storming of the Bastille , a French prison, in 1789. This was the start of the French Revolution."

    Wonder if this has any relevance? Maybe it's a signal, a secret message.. :)

  • by tankdilla ( 652987 ) on Friday June 27, 2003 @06:55AM (#6309662) Homepage Journal
    Worm is to worm, as Windows is to dirt (worms move through dirt easily, replicate in dirt), as Linux is to fish (worms die after entering a fish, or getting eaten).

    Just a little analogy play, not to be taken seriously. In actuality Linux is a penguin and not a fish.

  • by 241comp ( 535228 ) on Friday June 27, 2003 @08:18AM (#6309895) Homepage
    That's similar to what we pulled on a teacher at my high school. One time when I was fixing her computer for her, I installed a special program that we had created just for her a few weeks earlier. The program did this:

    - Randomly chose a time between 10 minutes and 3 hours to run again
    - Randomly chose one or more of the following actions
    - Crow like a rooster (this turned up the volume to full before crowing)
    - Eject the CD drive (whether there was a cd in it or not)
    - Eject the floppy if it was in there
    - Print a random amount of blank paper from whatever printer she had last printed to (usually the one in her office)
    - Change the theme of her desktop
    - Enable Active-Desktop and set the desktop randomly to a website
  • Re:All it takes... (Score:5, Interesting)

    by EvilTwinSkippy ( 112490 ) <yoda AT etoyoc DOT com> on Friday June 27, 2003 @08:32AM (#6309982) Homepage Journal
    2 of my users received the virus, despite running a filter that looks for .pif (and the dozen or so other extensions you can click and shit with) attachments. It's supposed to decompress and scan zipfiles. I just added ZIP to the shitlist until I get it figured out.

    My viruses were from support@dell.com. I've banned outlook, but looking through the headers, it is obvious that SOMEONE was using it.

    I'm about to ban attachments altogether and instead write a web-based document distribution system. At the very least it makes tracking the provenance of documents easier. Besides users have this habit of NEVER throwing away email, and the attachments eat up a lot of room on the server.

    We run IMAP. (That's another discussion)

  • by NorthWoodsman ( 606357 ) on Friday June 27, 2003 @08:38AM (#6310023) Homepage
    It managed to pick up the name of the CIS Undergrad mailer address, so suddenly all of us were getting the Sobig virus over and over again, as well as getting it from all the infected people. Yeah, it was great. Now, why just anyone could mass mail something by sending an Email to the undergrad mailing address is somewhat of a question..

    I did see some people saying "When's the next service pack coming out to fix this"; this virus isn't clever enough to use exploits, it's just another lamer Email Windows worm that generates network traffic.
  • by StressGuy ( 472374 ) on Friday June 27, 2003 @08:48AM (#6310087)
    1) Had an e-mail from a ".mil" domain (forget the actual address)

    2) Having recently mailed some questions to some government research agencies, I assumed this was a response to one of them, so, I opened the e-mail (I use Mozilla).

    3) No message in the e-mail, just an attachment called "your_application.zip". This was a tad suspicious so I copied the file and scanned it with a corporate edition of Norton Anti-Virus last updated on June 18th.

    4) Virus scan came up clean so I opened the file. After seeing that it was only a ".pif" file, I started to get concerned, tried to edit the file by right-clicking and the edit option didn't show. At this point, I'm pretty sure it's a virus.

    5) Examined the header information from the e-mail and discovered that it actually originated from another office computer and the "from" address was spoofed. Now, I'm all but certain it's a virus.

    6) Went to the Symantec website and, sure enough, the virus information is there along with notification that the patch was only available since June 25th.

    7) Downloaded their fix tool and checked all computers in our office for evidence of infection. Was able to clean them all.

    So, even though I was relatively careful, I was still able to get infected. Primarily because:

    a) The "From" address was an expected source.

    b) I do occasionally get legitimate e-mails that are only an attachment with no text.

    c) This particular virus was so new that my virus scanner was not sufficiently up to date.

    FYI, I guess...

  • by Anonymous Coward on Friday June 27, 2003 @09:07AM (#6310229)
    I mean, why would all virus writers suddenly become so nice? Most of the viruses nowadays are doing almost no damage.
    I'm posting this AC (and through an open proxy, in case anyone tries to go tracking me down) for a reason. I'd love to take personal credit, but I just can't risk it.

    I've written 3 worms. None of them have ever gotten media attention, though all three have been cataloged at the various AV sites. In other words, my worms have been successful enough to be noticed and "fought," but not successful enough to gain widespread notoriety. That's just how I wanted them.

    Let me give you some insight from my perspective. I don't work for an AV company, nor do I have any relation to one. My interest in worms is purely "proof of concept." I wrote these worms for one reason: to prove that I could. More than anything, the goal for me is to see my creations spread, even if only slightly. Especially if only slightly. I don't want to unleash a Melissa, or an ILoveYou, or a Nimda - partly because I'm not out to cause a huge nuisance, and partly because I don't want my worms to gain enough attention that law enforcement starts looking into them.

    The first worm I created was extraordinarily buggy, and (apparently) only worked on Win98 systems, due to variations in the Win32 API. I was using Win98 to compile at the time, and neglected to test it on other Windows versions. The second and third times around, I personally tested them on Win98, Win2K, and WinXP to make sure they were viable on all three.

    None of my worms have a malicious payload. The payloads involve:

    a) Dropping registry keys with vulgar names (mainly as an exercise to see whether or not AV providers would publish curse words in the virus descriptions - none of them did).

    b) Popping up dialog boxes with random messages. This is more of an easter egg than a payload, really. A timer runs, and on each invocation of the timer, a random number is generated. If the generated number matches a predefined constant, the user will see a dialog box with an interesting message.

    c) Creating innocuous (but possibly large) files on the local C drive. The files contain nothing, but may take up large amounts of disk space.

    d) Propagation, obviously.

    That's it. Again, it's mostly proof of concept, my motivation is to see my worms show up at AV sites.

    Have I been tempted to include a malicious payload? You bet I have. But again, I'm not out to get arrested, and while I'm fairly confident in my ability to create an untraceable executable and launch it in an anonymous manner, I'm not willing to bet my freedom on it. Writing a worm to begin with is enough of a risk. Writing a worm that kills tens or hundreds of thousands of PCs? No thanks, I'll leave that up to someone else.

    It would be damned easy to adapt one of my two "successful" worms to delete 100 random files on drive C each time it runs. This would be enough to fuck up nearly any Windows machine after a few boots. Destruction is easy, it's just not necessarily a goal.

    I hope this gives you some insight into the mind of a worm author.
  • by joto ( 134244 ) on Friday June 27, 2003 @09:24AM (#6310375)
    zip files CAN be opened on the server and scanned, decent virii scanners do this already for exchange, adding that ability to sendmail is trivial.

    Sure, just make sure you also don't become vulnerable to the old compressed 4GB of /dev/zero trick. It can really bring your mailserver down.
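Opening zips on the server without falling to the decompression trick joto describes, as an added example that is not part of either comment and not anyone's product: inspect the central directory first (member names, declared sizes, compression ratios) and, when you do extract, cap the bytes the decompressor actually produces rather than trusting the declared sizes, because the central directory is attacker-controlled too. The limits, the extension list and the three sample archives are constructed for the example.

```python
from __future__ import annotations

import io
import zipfile

# Policy limits (assumptions chosen for the example; tune for your gateway).
MAX_TOTAL_UNCOMPRESSED = 8 * 1024 * 1024   # 8 MiB across all members
MAX_RATIO = 100.0                          # per-member expansion ratio
MAX_MEMBERS = 500
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs")


def inspect_zip(data: bytes) -> tuple[str, str]:
    """Decide from the central directory alone whether an archive is worth extracting.

    Returns ("block", reason) or ("extract", reason). Nothing is decompressed here,
    so a bomb costs only the directory parse.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", "not a valid zip archive"
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return "block", f"{len(infos)} members exceeds limit {MAX_MEMBERS}"
        total = 0
        for info in infos:
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                return "block", f"executable member {info.filename}"
            total += info.file_size
            if total > MAX_TOTAL_UNCOMPRESSED:
                return "block", f"declared size exceeds {MAX_TOTAL_UNCOMPRESSED} bytes"
            if info.compress_size > 0 and info.file_size / info.compress_size > MAX_RATIO:
                return "block", f"{info.filename} expands more than {MAX_RATIO:.0f}:1"
    return "extract", "within limits"


def extract_capped(data: bytes, cap: int = MAX_TOTAL_UNCOMPRESSED) -> dict[str, bytes] | None:
    """Extract members into memory, aborting as soon as real output passes `cap`.

    The declared file_size can lie, so the cap is enforced on bytes the
    decompressor actually emits. Returns None if the cap is hit.
    """
    out: dict[str, bytes] = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > cap:
                        return None
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demonstration (not real mail traffic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


SAMPLE_DOC = build_zip({"Documents/notes.txt": b"Quarterly figures as discussed; see page two."})
SAMPLE_WORM = build_zip({"your_application.pif": b"MZ" + b"\x90" * 1024})
SAMPLE_BOMB = build_zip({"zero.bin": b"\x00" * (4 * 1024 * 1024)})  # 4 MiB of zeros

if __name__ == "__main__":
    for label, blob in [("document", SAMPLE_DOC), ("worm", SAMPLE_WORM), ("bomb", SAMPLE_BOMB)]:
        print(f"{label:9} {len(blob):6} bytes on the wire -> {inspect_zip(blob)}")
```

The two functions are deliberately separate: `inspect_zip` is cheap and runs on everything, `extract_capped` is the expensive step and runs only on what passed, still under a hard ceiling. Nested archives inside a member need the same treatment recursively, with a depth limit.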

  • PEBCAK (Score:5, Interesting)

    by EvilAlien ( 133134 ) on Friday June 27, 2003 @09:33AM (#6310440) Journal
    No, it's another way of saying "Windows users are still dumb and don't apply patches or basic security best practices despite getting exploited over and over ad nauseam".

    Why be subtle about it?

    I went to a seminar yesterday wherein a security guy from Microsoft (stop laughing, it's not funny yet) extolled the virtues of Windows Server 2003. They have learned their lesson about security and ease-of-use being the only development consideration... guess where they learned it from? All the best practices they have implemented for Server 2003 come from Linux, Unix, and the Open Source world. "Free How-Tos"! What an innovation!

    Now if only someone can teach the MS admins and users to apply the goddamn patches that Microsoft releases! (for an example of what I'm talking about, see anything about the SQL Slammer specifically)

  • by rabtech ( 223758 ) on Friday June 27, 2003 @12:43PM (#6312260) Homepage
    Who the hell modded this troll up?

    This argument is a myth, and has been used by Microsofties to try and downplay the vastly superior security of both *BSD and GNU/Linux. Mac OS X is a FreeBSD derivative in many respects, and vastly better designed from the ground up than Microsoft windows, for whom things like networking and security were afterthoughts cobbled together in an ad-hoc frenzy of featuritis and catch-up.

    ROFL! I think you will find that it is Windows that has DACLs, and you will also find that networking was a core component of NT 3.5; perhaps you are still stuck in the days of Windows 95?

    Such an ad-hoc approach to design will never yield acceptable security, as Microsoft's shoddy products have demonstrated so dramatically in recent years, time and time again...and once again today, with this irritating worm.

    Actually this worm requires that you open an unknown attached ZIP file from an email message, extract the executable, then run it. How, exactly, is that Microsoft's fault?

    [removed your crap about numbers]

    Actually, most people don't check their email on their servers, so your entire argument is pointless. Email viruses are targeted at the largest base of email clients, which happens to be Windows email clients.


    It isn't about numbers. It is about design, and everyone in the industry, with the exception of Microsoft, has taken security seriously and designed their systems appropriately.


    Ha! Squeaked the itty bitty mouse.

    First of all, Microsoft has done a lot to make security easier to configure on Windows 2000. Some of us were reading the best practices documents and implementing proper security long before that, but others were not so Microsoft developed tools (URLScan, Baseline Security Analyser, etc).

    Microsoft also expended a lot of effort making sure that the next version, server 2003, was secure out of the box, and when additional services are installed that they do so in a maximally secured state. The various wizards do a good job of alerting the admin to possible problems.

    The last step is the security model of the dotNET runtime. Essentially, it is an entirely new paradigm that causes code to assume additional security restrictions based on administratively set policies and the source of the executable. If an executable originally came from an email, the runtime can know that and handle security in an appropriate way. But these things take time, and you always have the native code hole. I don't see any way around that.

    P.S. You can mark things executable or not in Windows. It is the "traverse folder / execute file" right. You see, since Windows supports DACLs on Folders and Files, Registry keys, and indeed ... nearly any object in the system, it is far more configurable as a file or application server than Linux or OS X. (I, for one, run my services like IIS and such in a separate security account from SYSTEM [root] so that breaches can't bring down the system. That is another security 'best practice')

    For example, if you save all downloaded files from email or the web to C:\temp then you can right-click temp and go to the security tab. Click Advanced. Click Add. Select "Everyone". Now on the permissions entry tab, click "Traverse Folder / Execute File" in the DENY column. Then select "apply onto" as "Files Only". OK your way out of all that.

    Now no one can execute files in c:\temp or its subfolders, since the entry will be inherited by subfolders by default.

    You can go so far as to set that up on your entire drive, but I would strongly suggest disabling inherited permissions (select COPY when prompted) on Program Files and the Windows (or WINNT) folder. Otherwise, you may find yourself screwed.
  • by Sigh Phi ( 324315 ) on Friday June 27, 2003 @04:47PM (#6314638)

    I recalled a similar question a few years ago in comp.sys.mac.advocacy. With the help of Google, I was able to pull D.M. Procida's comparisons between gobbing and writing viruses [google.com]:

    The question of Apple Macintosh computer viruses is best answered with reference to the Ramones' and Talking Heads' first European tour in 1977.

    When Talking Heads (the now sadly-defunct vehicle for David Byrne's hips) played to audiences in Britain they discovered a music scene that was amongst other things notable for the disgusting and unhygienic custom of 'gobbing'. Chiefly this was a signal employed by audiences to demonstrate their approval of the band, at whom - indeed, in whose faces - the gobbing was directed, but some bands, at any rate, were often happy to reciprocate. Johnny Rotten of the Sex Pistols would accede to requests for an autograph by gobbing on the hand of the requester.

    Some bands, such as the Ramones, seemed to attract veritable rainstorms of gob. Joey Ramone had to pull his long fringe over his face and carry on grimly as the gob flew past. But when Talking Heads played for some reason the gobbing stopped. "Possibly the spitters were lurking in the back of the audience during their set," Tommy Ramone said once, "but I don't think so. They just didn't make you want to spit."

    I think the situation is on the whole similar with the Mac: it just doesn't make you want to write viruses.

    I don't pretend that this is a realistic answer; but it is an interesting take.
