Worms Security IT

Sober.P Worm Accounts for 5% of all Email Traffic

destuxor writes "The grave insecurity of the day is the Sober.P worm which is currently pushing nearly 5% of all email traffic at the moment. Unlike previous worms, Sober can disable the Windows Firewall and Symantec Antivirus. Interestingly, patched machines are not vulnerable to the exploits used by this worm. What are we going to have to do to convince "ordinary users" to visit WindowsUpdate once in a while?" (Update: percentage corrected.)
  • Interesting? (Score:3, Insightful)

    by RoadkillBunny ( 662203 ) <roadkillbunny@msn.com> on Sunday May 08, 2005 @11:04AM (#12468019)
    Interestingly, patched machines are not vulnerable to the exploits used by this worm.

    What is so interesting about that? It would only be interesting if the patched machines were still vulnerable.
  • Here's what to do (Score:2, Insightful)

    by bazmail ( 764941 ) on Sunday May 08, 2005 @11:04AM (#12468020)
    A nationwide (USA) TV expose (-ay) of how spam is sent and how "your kids PC is helping terrorists send unsolicited email" would bring that percentage down to 5%.

    Ordinary users just have no idea. Many don't even know about Windows Update.
  • by jurt1235 ( 834677 ) on Sunday May 08, 2005 @11:04AM (#12468022) Homepage
    I think that there are 2 categories:
    1. unaware users (like about all my neighbours and friends)
    2. Users who do not want to patch their system into a less controllable state (hence SP2 trouble).
    I think better filters at mailservers could help:
    The content of the mail may be unknown (different headers all the time), but the attachment is known. A simple filter should be able to get rid of it, no need for very expensive antivirus software.
  • Obligatory... (Score:3, Insightful)

    by Anonymous Coward on Sunday May 08, 2005 @11:06AM (#12468033)
    I use a Mac...I have no problems.
    I use Linux...I have no problems.

    (however, my email box is filled up with these stupid Sober.P-generated messages)

    What will it take for people to switch? All of the news reports I've heard this week about Sober.P don't even mention that it ONLY affects MS-based PCs running Outlook. I would think that the news industry would at least do one minute of digging and include this little nugget of information to help its listeners/viewers.

    TDz.
  • by quark101 ( 865412 ) on Sunday May 08, 2005 @11:06AM (#12468036)
    It's been my experience that it is almost impossible to get ordinary (read: non-computer) people to update their machines, be it Windows or Norton Virus updates. The only way that most of them will get these updates, ever, is if 1. Someone does it for them, or 2. If it is automated, and does it for them.

    Otherwise, they just don't see the reason to, don't have the motivation to, and just plain don't care.
  • by Senor_Programmer ( 876714 ) on Sunday May 08, 2005 @11:08AM (#12468055)
    be brainwashed into believing that the computer is an easy to use appliance, like a toaster or TV, and NOT a potentially hazardous tool like a chainsaw.

    That this has become the holy grail of huge numbers of Linux aficionados is likely the worst thing there is for Linux. Instead of promoting Linux as the 'thinking man's alternative' most of its fanbase has bought into the whole 'computer as appliance' mindset.

    Give a man a banana and he might choke on the skin. Teach him to peel and he'll be hell's bells.
  • by Anonymous Coward on Sunday May 08, 2005 @11:09AM (#12468060)
    Mom's computer is unfortunately equipped with Windows Me. Aside from the weird profile handling, the other difference from Windows 98 appears to be that Windows Update always hangs, in particular when trying to patch its MSIE installation. I'm not going to even try to convince her to run it, when I can't get it to finish once.
  • Re:How about... (Score:5, Insightful)

    by theTerribleRobbo ( 661592 ) on Sunday May 08, 2005 @11:14AM (#12468103) Homepage
    As much as I'm a Linux fanboy, that's not going to solve the problem.

    Setting aside the debatable 'inherently more secure' argument, unless distros start doing something rash like including and starting an 'apt-get update && apt-get upgrade' cron job, they're going to hit the same problems if a nasty worm comes out that affects one or more distributions of Linux (e.g. a SuSE worm, etc).
  • by LO0G ( 606364 ) on Sunday May 08, 2005 @11:20AM (#12468145)
    What are we going to have to do to convince "ordinary users" to visit WindowsUpdate once in a while?"

    I dunno. Maybe we should stop running all those stories about how evil WindowsUpdate is, and how Microsoft is spying on your computer?

    And proclaiming to the heavens that <insert my linux distro> doesn't need updates because it's secure?

  • by Anonymous Coward on Sunday May 08, 2005 @11:23AM (#12468170)
    I get _TONS_ of logs from various ssh-worms roaming around these days.

    I believe Linux users that are not very competent admins of their system (and that probably includes a lot of people that wouldn't include themselves) are much more of a target than they realize.

    It is a problem that is going to come back and bite us that this often is ignored, or shoved under the rug, while ridiculing Windows users.
  • Re:Nothing really (Score:5, Insightful)

    by Keruo ( 771880 ) on Sunday May 08, 2005 @11:23AM (#12468172)
    Rsync isn't really an option for updating Windows since the patch usually changes a few DLLs to different ones.

    Most people don't have broadband, but most people don't have fast computers either; it might take a long time to compile the source-distributed update.
    And your average joe won't have a compiler on their machine anyway.
    I'd remove the compiler from Linux workstations too. The normal user, who surfs and reads email on the machine, won't have any need to compile things.

    If local patches were used, I wouldn't worry about GPL coders peeking at the code. I'd worry about worms patching the source code and creating new holes through modifying patch sources.
  • by m4ximusprim3 ( 619388 ) on Sunday May 08, 2005 @11:24AM (#12468180)
    "a potentially hazardous tool like a chainsaw."

    last time i severed my leg with my computer, i was reminded of this fact.

    The object of linux SHOULD be to make the computer as easy to use as possible, because the people who care about how their computer actually works are a statistical minority of computer owners. The reason these viruses spread is that people REFUSE to be educated. If your goal is to become a mainstream OS [which I'm not convinced yours is, but it seems to be the goal of the majority of the linux community], your job is to offer more noticeable features [e.g. less slowdown due to viruses, etc] than windows without adding any more required user input.

    joe blow doesn't want to think about his computer. he just wants it to play deer hunter 2005 faster.
  • by Anonymous Coward on Sunday May 08, 2005 @11:27AM (#12468193)
    How is Linux immune? Viruses and trojans can be written for Linux just like any other OS.

    Looking at the BugTraq mailing lists, it is also obvious that there are plenty of common software that runs on Linux that gets exploited on an almost daily basis.

    What was your point again?
  • by Anonymous Coward on Sunday May 08, 2005 @11:27AM (#12468200)
    That's not quite true. There's a virus going around that infects any platform's PHP parser into loading any visitor using IE's computer up with drive-by-downloads. The virus itself isn't affecting IE, it's affecting the parser, so no, Linux is not immune to virus/worm problems.
  • by localroger ( 258128 ) on Sunday May 08, 2005 @11:38AM (#12468269) Homepage
    Non-computer-oriented users have no idea what is possible or what is necessary or, usually, even that their system is compromised and is spamming the crap out of their neighbors. As long as it puts up the pretty desktop and does the few things they have always understood, why should they do something they don't understand that will have no obvious benefit (to them) and might make it stop working?
  • Re:Solution (Score:4, Insightful)

    by numbsafari ( 139135 ) <swilson&bsd4us,org> on Sunday May 08, 2005 @11:39AM (#12468273)
    That sounds silly, but think about it... How much is spent on "personal firewalls" and "anti-virus" software every year by people who could simply run over to WindowsUpdate and get what probably constitutes the single most important security tool of all (bug fixes) for free?

    ps... I'm not saying firewalls aren't important security tools, but when it comes to at-home desktops, bugs are the real issue... and viruses are just exploiting bugs that haven't been patched yet.
  • Re:How about... (Score:1, Insightful)

    by Anonymous Coward on Sunday May 08, 2005 @11:46AM (#12468315)
    Actually, most distros do do this - in fact, a lot of people (me included) say that if your hardware is well-supported by Linux, then installation of Linux is easier than Windows, as there is no need to chase up drivers etc, or install enough apps (e.g. archiving/ CD burning/ image viewing/ picture editing/ office suites/ good browser/ mail client etc) to make a usable desktop. Of course, if their hardware does not support Linux, then they are in a world of hurt and will turn away from Linux in a heartbeat :)

    Of course, I may as well bring up the popular adage - that technically un-savvy users rarely install Windows anyway, and will just get the neighbourhood geek to install it, rendering the whole point moot.

    On the subject of installing additional software (if any is even required) - just add in some decent repositories, and point them towards Synaptic/ rpmdrake/ Yast/ whatever. It's a fundamental change of mindset, but the idea of having a central, searchable repository with descriptions and screenshots of all apps is actually really cool, and I prefer it to "the Windows way"

  • Re:Nothing really (Score:3, Insightful)

    by LordHunter317 ( 90225 ) <askutt@g[ ]l.com ['mai' in gap]> on Sunday May 08, 2005 @11:46AM (#12468321)
    An even better solution would be to have the source code on the computer, and have the machine compile the patches locally from a (much quicker to patch) source code.

    No, it really wouldn't, seeing as the Windows source takes days for a full build. The install size alone difference would make this a fucking retarded solution.

  • Re:Nothing really (Score:3, Insightful)

    by i.r.id10t ( 595143 ) on Sunday May 08, 2005 @11:48AM (#12468338)
    So why doesn't MS offer a monthly CD update subscription? Why aren't there CDs at Best Buy, Circuit City, WalMart, etc. that have SP2 and updates on it? Heck, AOL can get their CDs there to get people to sign up for service.

    I can't imagine many take advantage of the SP on CD option from MS now; I don't think many more would sign up for a monthly update CD at a minimal cost ($10/yr to cover shipping, etc.?) either.

    If you install XP today and SP2 from a CD/whatever, you still need over 20 MB of downloads to get up to date on your updates, and god forbid if you don't have SP2 around on some sort of media or local archive. How long do you think that will take on a modem? What was that average time to infection for an unpatched machine plugged into the 'net?
  • by bhalo05 ( 865352 ) on Sunday May 08, 2005 @11:48AM (#12468341)

    What are we going to have to do to convince "ordinary users" to visit WindowsUpdate once in a while?

    From what one can read on online forums and from personal experience, many people are afraid to use Windows Update because they do not have a valid serial; in other words, they're using Windows illegally. Unlicensed copies keep the Windows monopoly, but they also give it bad fame because people are afraid to update their system.

  • by Technician ( 215283 ) on Sunday May 08, 2005 @11:49AM (#12468348)
    Maybe we should stop running all those stories about how evil WindowsUpdate is,

    Are you kidding? When a hosed machine is rebuilt from the CD, that un-installs all the updates. Have you tried to re-update mom's machine after a rebuild... on a modem?

    How about all the MS updates and patches on a rack at the local Best Buy? It would save a ton of re-update time on the modem. Then the real MS update could be used for this months updates instead of the last 2 years updates.

    Why doesn't MS update offer to save a local copy of all patches and updates and prompt the user to either save it to a floppy or burn it on a CD to keep with the original manufacture's recovery CD set?

    MS assumes the user will never rebuild the box after the hard disk is replaced and they assume the user has broadband so an update won't be a problem. (they assume Dell should take care of it)

    WRONG!
  • by realmolo ( 574068 ) on Sunday May 08, 2005 @11:54AM (#12468387)
    It's not hard to lock down a mailserver, and it's not hard to make it scan all incoming/outgoing mail for spam and for viruses. Hell, it's free if you use Postfix/Mailscanner/ClamAV/Spamassassin.

    No ISP should be running an SMTP server that doesn't scan for viruses. It's just irresponsible. There are a few viruses that setup their own SMTP server on the users machine, yeah, but that's easily solved by blocking outgoing connections to port 25 on the network, except from the ISP's own mailserver. If all ISPs did those 2 simple things, e-mail viruses would almost be wiped out.

    It's basic stuff, and it drives me nuts that precious few ISPs do any of it.
  • by henrywood ( 879946 ) on Sunday May 08, 2005 @12:00PM (#12468437)
    As someone who is responsible for 600+ computers I have to take strong exception to your attitude. And I can't agree with the implication that Windows update doesn't work. The only time I've ever had problems with it is on XP64 beta - and I don't really expect it to work on beta software.

    The whole point is that Windows is "broke" (indeed I'd challenge you to find any OS that isn't broke in some way). But if you keep it up-to-date with the latest patches it is at least a little less broke than before.

    When you've had to chase round hundreds of PCs because a laptop user has managed to bypass all of your firewalls and e-mail checks and thus introduce a virus into your community you quickly appreciate the usefulness of Windows update. That was enough to make us install a Windows SUS server to make sure that all of our users were patched, whether they wanted to be or not.

    I'm not a MicroSoft fan - I just have to work with their software. And all of the smug Mac and Linux users (I have 3 flavours of Linux at home as well as FreeBSD, so I'm not an apologist for MicroSoft, just a realist) will discover that they can also be vulnerable once they get popular enough for the script kiddies to turn their attention to them. Log on to Linux as root, which is in effect what most people do with Windows, and you - or something that you run - can do just as much damage.

    It really is time to stop being complacent and think that you are safe with unpatched Windows systems or that the Mac or Linux OSes are appreciably safer. (One thing that I will say in favour of the Mac is that it doesn't set you up as an Administrator by default - it's actually quite hard to get full root access in OS X.) You should keep any OS patched, particularly with security fixes. It's a war and those little bastards are out to get us all!
  • by glesga_kiss ( 596639 ) on Sunday May 08, 2005 @12:00PM (#12468443)
    Otherwise, they just don't see the reason to, don't have the motivation to, and just plain don't care.

    Nothing new, people have been running cars into the ground by not changing the oil for years. It's quite a similar analogy, preventative maintenance; handy if you are trying to convince someone to start doing it. "If you don't do this, this will happen". Keyloggers are a good one as well, worth mentioning as people might not care all that much if their PC is a spam host; instead tell them that it's logging their credit cards and address details for identity theft, and if the person is any good, they'll never know it's been done.

  • Re:Nothing really (Score:3, Insightful)

    by gl4ss ( 559668 ) on Sunday May 08, 2005 @12:05PM (#12468488) Homepage Journal
    ... not a problem?

    have you actually... you know.. tried upgrading to sp2 over dialup that costs per minute, like what the dialup is in most of the world?

    of course it wouldn't be a problem if you were online on that dialup 24/7... but very few people are.
  • by westlake ( 615356 ) on Sunday May 08, 2005 @12:07PM (#12468509)
    Instead of promoting Linux as the 'thinking man's alternative' most of its fanbase has bought into the whole 'computer as appliance' mindset.

    You can buy or build a PC with significant horsepower for $500 and under. The PC as household appliance or an office tool as commonplace as a typewriter made that possible.

  • by jfengel ( 409917 ) on Sunday May 08, 2005 @12:12PM (#12468548) Homepage Journal
    It's interesting because it means that there are still enough unpatched machines out there for a worm to gain serious traction without uncovering new technical vulnerabilities. Worms that hit patched machines are technologically interesting, but those are problems that can be fixed (eventually) by patching. A technological problem with a technological solution.

    But it appears that even if a putative Service Pack 3 were flawless, there would still be massive worm activity in those who haven't patched. And if they haven't patched by now, they're not gonna, and that means we're going to be dealing with this problem for a long time to come.

    It's a non-technological problem, so there may not be a technological solution. (Me, I'd like to see ISPs start throttling infected users, but that's a whole separate can of worms.)
  • by YrWrstNtmr ( 564987 ) on Sunday May 08, 2005 @12:24PM (#12468647)
    I've adopted a new policy.
    If a student or member of faculty comes in with malware problems for the first time, I fix it for them and I give them a Gentoo Linux install CD to go away with. If they come back with viruses/spyware a second time, I tell the luser to stop bothering me, and that I gave them the solution to install last time.

    Remind me not to hire you after you (maybe) graduate.

  • by kkamrani ( 882365 ) on Sunday May 08, 2005 @12:35PM (#12468718) Homepage
    Even though I've visited Slashdot for what seems like 7 years now, this is the first time I'm commenting. I'm commenting because this article couldn't come at a more prime time.

    The organization I work with got the Sober worm, filling up our mailboxes exponentially. Even though we are primarily a Mac house, some individuals probably accessed our mailserver with Windows-based mail clients (at home?) and perhaps facilitated the spread of this virus.

    It sure is a nasty one. I wrote a procmail recipe to block out .zip files, to no avail... it seems to still slip on thru for some odd reason. As much as I tried to get our server's host to help us curb the problem, they would push their current marketing ploy.

    I'm kinda lost, with a growing procmail folder with the isolated emails (roughly 4 GB in size now) -- and something like 100 emails a day slipping thru. I've emailed all users suggesting removal tools like Stinger but still!

    Anyone have some proactive suggestions? Would ClamAV prevent this from perpetuating on the server-side?

    We are currently wasting bandwidth and people time to indulge ourselves in a server-side solution.
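    Two comments in this thread, jurt1235's "the attachment is known, a simple filter should be able to get rid of it" and kkamrani's procmail recipe that still lets .zip files slip through, come down to the same question: what does a first-attempt header match miss? The script below is an added example and is not code from the thread or from any poster. The "naive" regex is an assumed stand-in for a one-line, case-sensitive procmail-style match (not kkamrani's actual recipe), and all four messages are constructed. It walks every MIME part, takes the filename from either Content-Disposition or the Content-Type name parameter, compares the extension case-insensitively, and falls back to the payload's ZIP magic bytes so a renamed archive is still caught.

```python
"""Attachment scanner for raw RFC 822 messages (added example, not from the thread).

Shows three ways a naive 'Content-Disposition ... \\.zip' match fails:
uppercase extension, filename only in the Content-Type name= parameter,
and a ZIP renamed to a harmless extension. scan_message() catches all three.
"""
import base64
import email
import re
from email import policy

ZIP_MAGIC = b"PK\x03\x04"          # local-file-header signature of a ZIP archive
BLOCKED_EXTS = (".zip", ".exe", ".scr", ".pif", ".bat", ".com")

# Assumed stand-in for a first-attempt, case-sensitive header filter.
NAIVE = re.compile(r'^Content-Disposition: attachment; filename=".*\.zip"', re.M)


def naive_recipe_matches(raw: bytes) -> bool:
    """True if the simplistic header regex would have caught this message."""
    return bool(NAIVE.search(raw.decode("ascii", "replace")))


def scan_message(raw: bytes) -> list:
    """Return [(filename, reason), ...] for every part that should be blocked.

    An empty list means the message passes. get_filename() looks at the
    Content-Disposition filename first and the Content-Type name second,
    so a part with no Content-Disposition header is still named.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():           # containers carry no payload of their own
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""   # undo base64/QP
        if name.lower().endswith(BLOCKED_EXTS):
            findings.append((name, "blocked extension"))
        elif payload.startswith(ZIP_MAGIC):
            findings.append((name or "<unnamed>", "zip magic bytes under a harmless name"))
    return findings


def _mime_mail(ctype_line: str, disposition_line: str, body_b64: str) -> bytes:
    """Build a constructed two-part message; disposition_line may be empty."""
    lines = [
        "From: sender@example.invalid",
        "To: victim@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "see attachment",
        "--b1",
        ctype_line,
        "Content-Transfer-Encoding: base64",
    ]
    if disposition_line:
        lines.append(disposition_line)
    lines += ["", body_b64, "--b1--", ""]
    return "\r\n".join(lines).encode("ascii")


# Constructed payloads: a minimal ZIP header and a harmless text blob.
FAKE_ZIP = base64.b64encode(ZIP_MAGIC + b"\x00" * 26).decode("ascii")
PLAIN = base64.b64encode(b"just text").decode("ascii")

SAMPLES = {
    # uppercase extension defeats a case-sensitive match
    "upper_ext": _mime_mail('Content-Type: application/octet-stream; name="info.ZIP"',
                            'Content-Disposition: attachment; filename="info.ZIP"', FAKE_ZIP),
    # no Content-Disposition header at all; the name lives in Content-Type
    "ctype_name_only": _mime_mail('Content-Type: application/zip; name="details.zip"', "", FAKE_ZIP),
    # harmless-looking name, but the bytes are a ZIP archive
    "renamed": _mime_mail('Content-Type: text/plain; name="readme.txt"',
                          'Content-Disposition: attachment; filename="readme.txt"', FAKE_ZIP),
    # legitimate text attachment that must pass
    "clean": _mime_mail('Content-Type: text/plain; name="notes.txt"',
                        'Content-Disposition: attachment; filename="notes.txt"', PLAIN),
}


def compare_filters() -> dict:
    """Per sample: (naive regex hit?, scan_message findings)."""
    return {k: (naive_recipe_matches(v), scan_message(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive_hit, findings) in compare_filters().items():
        print(f"{name:16} naive={naive_hit!s:5} scanner={findings}")
```

    In practice the scanner would run as a milter or a procmail filter invoking the script, and the magic-byte check is what closes the gap that a filename rule leaves open; a content scanner such as ClamAV does the same kind of inspection with real signatures rather than the single ZIP header used here.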
  • Re:Nothing really (Score:2, Insightful)

    by birdowner ( 635361 ) on Sunday May 08, 2005 @12:45PM (#12468812)
    Really? That must be so nice. I can't wait to tell my parents (over dialup) and my roomie's parents (over dialup in a dinky village in Wales) how cool it is to download all of SP2 over a slow connection. The mail order bit is sensible, but your suggestion of Windows Update not being a problem over dial-up is a load of bollocks.
  • Write a virus that will infect unpatched machines, then patch their machines for them. (and set their homepage to www.windowsupdate.com while it's at it. They won't know how to change it back so they will have to visit it more often)
  • White hats... (Score:5, Insightful)

    by Corpus_Callosum ( 617295 ) on Sunday May 08, 2005 @01:33PM (#12469136) Homepage
    Someone should write a white-hat worm that brings the machines up-to-date with security patches, turns on auto-update, sanitizes the computer and reboots...

    Before everyone starts screaming that you can't release a white-hat worm, please consider the situation we are in today; Hundreds of thousands, if not millions of zombie machines are sitting out there doing the bidding of criminals to extort money from sites that fear DoS, fill our inboxes with Spam, spread virus and trojans that install keyloggers, attempt to get access to your financial and other accounts, etc.. etc..

    On the one hand, we have total anarchic hacker mayhem (today) and on the other, a sanitized Internet at the cost of using the techniques employed by the shadowy side of society.

    I really doubt that many people would have issue with this. Hell, it should be done in the name of national security. Really... And anyway, if your machine is susceptible to a white hat worm, it is equally susceptible to the bad stuff, which means it is pretty much guaranteed that you already have a bunch of nasty stuff installed on it. A white hat worm will provide some relief.
  • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday May 08, 2005 @01:53PM (#12469305) Journal
    Damn, I was about to moderate, but I couldn't resist this...

    Sure, Ford should be liable if your new F150 kills your neighbor by launching missiles at him when you turn it on. But they should not be liable if your new F150 kills your neighbor because you ran over them.

    Most computers are reasonably safe, at least as much as the average car. But most computer users nowadays are the equivalent of drunk drivers. You don't blame Ford when their car didn't automatically stop someone from driving over someone else. You blame the drunk driver.

    So, you don't blame Microsoft too much when an unpatched Windows box kills ten other unpatched Windows boxen. You fine the user who didn't patch the fucking box.
  • Re:White hats... (Score:5, Insightful)

    by repvik ( 96666 ) on Sunday May 08, 2005 @04:33PM (#12470384)
    Take this scenario:


    Gangsters are starting to roam the streets, killing people at a rate of 8-9 people a day. Do you then propose "normal" citizens should get a gun and shoot them motherfsckers down? What if a stray shot kills an innocent? (And no, the analogy isn't inept. You *WILL* hurt innocent systems by doing this)

    Are you willing to be liable for taking down a major international corporation's headquarters? Killing off millions of Windows PCs that are in a different locale than the worm, because you hit a locale-specific bug in Chinese Windows? Or maybe your worm manages to knock out Cisco routers (Code Red crashed my i677DIR). Now that'd be real fun, wouldn't it?
    What about the amount of bandwidth this worm creates? If this worm of yours is 220 KB, and I'm getting hit by it repeatedly while surfing over GPRS, will you pay the cost? (Currently, that'd cost me almost 1 USD)
    Or, your worm has a bug that overwrites a random file in the filesystem. Who will pay for the damages? "You destroyed my thesis! I've been working two months writing it!"


    No matter the reasoning behind it. There are millions of different windows configurations, hundreds of different windows versions (if not thousands). How the hell are you going to QA this worm?

  • by Malc ( 1751 ) on Sunday May 08, 2005 @05:16PM (#12470686)
    When will people learn to stop running as admin? Limited users cannot disable the firewall. Just running as a limited user restricts these things. If you have apps that require admin rights, right-click on it and choose "runas". Google for Aaron Margosis and use some of his advice.
  • by Geoffreyerffoeg ( 729040 ) on Sunday May 08, 2005 @05:42PM (#12470880)
    I work at a University IT helpdesk, and after far too many malware problems from far too many dumb lusers (and many of them repeat visits), I've adopted a new policy.
    If a student or member of faculty comes in with malware problems for the first time, I fix it for them and I give them a Gentoo Linux install CD to go away with. If they come back with viruses/spyware a second time, I tell the luser to stop bothering me, and that I gave them the solution to install last time. Linux is an OS immune to these kinds of problems.


    Let's hope you get fired sometime soon.

    Seriously, that's no "help" to them. You're not fulfilling the role of a "help desk". Maybe you'd like to take the support calls that Windows-only software isn't working anymore (nor under WINE)? Windows isn't a completely worthless OS.

    And I suspect the reason you're giving them Gentoo is a) you're too stupid to know how to secure a Windows machine. Believe me, it's very possible. and b) you're too stupid to pick a reasonable distribution. Gentoo install is not quite what a "luser" needs if they want Linux. Try Knoppix next time, if you really want to continue your anti-Windows crusade.

    And do you think you're really converting anybody? You're just turning people away from the helpdesk and sending them to friends who actually know the answer.
