Sober.P Worm Accounts for 5% of all Email Traffic
destuxor writes "The grave insecurity of the day is the Sober.P worm which is currently pushing nearly 5% of all email traffic at the moment. Unlike previous worms, Sober can disable the Windows Firewall and Symantec Antivirus. Interestingly, patched machines are not vulnerable to the exploits used by this worm. What are we going to have to do to convince "ordinary users" to visit WindowsUpdate once in a while?" Update: percentage corrected.
Nothing really (Score:1, Interesting)
Re:Nothing really (Score:3, Interesting)
Most people don't have broadband; Windows Update takes a long time when all you want to do is get your email.
Now, if they graduated from an HTTP download to rsync, the download size would be significantly smaller.
An even better solution would be to have the source code on the computer, and have the machine compile the patches locally from a (much quicker to patch) source code. Of course, they'd need to find a way to securely encrypt the source code so those "evil GPL coders" don't peek.
its not just windows-users (Score:3, Interesting)
Trusting MicroSoft (Score:5, Interesting)
The problem is, MicroSoft went a long way to tell people that no, they cannot trust them when it comes to privacy. People from random businesses around here are pretty paranoid now -- I've talked to the CEO of a company of ~300 employees who, albeit a non-technical user himself, went on a long tirade about not letting Windows phone home.
Re:Nothing really (Score:2, Interesting)
Windows Update is useless to dialup users (Score:3, Interesting)
Interestingly? (Score:4, Interesting)
Isn't life full of little surprises!
Re:Nothing really (Score:5, Interesting)
Such an arrangement offloads some of the compiling process to Microsoft's servers, and obfuscates the patch.
The compiler included with the OS doesn't even have to support any other language. And it can require a signed certificate from Microsoft to accept the code.
The only way to wake people up (Score:5, Interesting)
If virus writers ever changed their tactics from one of "sneak in and just borrow their CPU cycles and bandwidth for my bot-net" to one of "let's infect, spread, then kick them in the nuts" people would take notice once again.
Several years ago there was a virus that went around replacing jpegs with copies of itself (or something). My friend had a struggling web-hosting business where he hosted websites for about 100 different small mom-and-pop shops. Even though I warned him about the risks of viruses and that he should run his site with Linux/Apache he didn't listen. That virus wiped him out.
No, he didn't have up-to-date backups. But guess what? He keeps meticulous backups now and keeps his computers patched with up-to-date virus software and only connects to his web server via ftp (no mounted shares any more).
Alas, he still hasn't embraced Linux or OS X, but at least he's not part of the problem any more.
Just think what would happen if a virus spread around and just looked for .xls files and quietly changed all the 3's to 7's? How far back would companies have to go into their backups to be sure they had a known-good copy? D'ya think they might take viruses and security more seriously then?
The last major hassle we had with a worm was primarily due to the enormous amount of traffic it generated, bringing our networks to their knees. That was an annoyance to management, but they saw it as a network problem - not a virus/worm/security problem.
One of these days someone or some group is going to unleash a virus that really IS going to do real damage. Maybe then people will realize that they aren't sitting in front of an internet toaster, but a sophisticated computing device that has a tremendous impact on many aspects of all of our lives.
Re:How about... (Score:3, Interesting)
That won't work. Irresponsible users will always be irresponsible, no matter what OS they are using.
If that is your case, consider the user's responsibility and skills.
If he has no computer skills at all, just change his settings without him knowing.
If he thinks he has lots of computer know-how, but really is some inexperienced (and irresponsible) n00b, I suggest tricking him into doing things securely by appealing to his 133tness ("Only ordinary mortals use IE6, we hackers use IE7 firefox edition", the firesomething extension might be useful in that case).
If he's responsible, but reluctant to change, wait for him to screw up, make him feel bad for screwing things up (just letting him know how much effort it takes to reinstall a workstation usually works) and then offer him a chance to do things securely. If doing things securely is not a hassle (activating Windows Update, for example), he will not change back, either because the same inertia will make him stay secure, or because he sees the benefit of doing things securely.
There are more things to consider, but that should be a rough guide. Some people do not know how to use a general purpose machine, and would be happy with a "web browser" (or other) appliance. You cannot let these people loose with root privileges.
Re:Reading the article? (Score:4, Interesting)
Maybe they're not counting spam?
My mail server saw the first one on May 2nd. As of today (the 8th) at 4am, 419 were blocked. 11883 emails came into the system over that time, so about 3.5% of our traffic was Sober.P. That's not 5%, but still pretty high. It shot right past virus #2: SomeFool.Gen-1.
Re:Trusting MicroSoft (Score:2, Interesting)
People from random businesses around here are pretty paranoid now
... and still use Windows? I know the cost of migrating a lot of corporate stuff to Linux is pretty high, but if they don't even get started, their paranoia ain't getting them nowhere at all.
BTW, I've seen similar attitudes recently: a lot of companies are very distrustful w.r.t. Microsoft's crypto libs and suspect all kinds of backdoors etc. It may be paranoia, but it may also be true (wasn't there an NSA key somewhere in Windows in the past?).
What M$ really needs to do. (Score:3, Interesting)
Also keep a numbering system on the CDs that any moron can keep track of.
Hell, I'm sure you could get away with putting them in common places, like Best Buy, Walmart, Safeway, etc.
Re:Nothing really (Score:1, Interesting)
Next up, WU is distributing binary deltas these days (and has been optionally for years, ...). From WU you pull a manifest describing the locations in various versions of the binary which need to be replaced/removed/inserted. Then you pull those specific offsets from Microsoft's server, and your patched binary is generated.
Dumbass.
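A manifest-driven delta patcher in the shape the comment above describes, as an added example that is not part of the original thread or of Windows Update itself: the manifest layout, the op names, the sample bytes and the hashes are all constructed here for illustration. The defender's point is that a delta is only safe to apply when the base binary and the rebuilt result are both checked against publisher-supplied hashes (in practice a signed manifest), so a corrupted or tampered delta is rejected instead of quietly producing a wrong binary.

```python
import hashlib
import json

# Constructed sample: a tiny "old" binary and the patched result we expect.
OLD_BINARY = b"HELLO WORLD\x00\x01\x02\x03\x04\x05"
EXPECTED_NEW = b"HELLO PATCH\x00\x03\x04\x05\xff"
# Manifest layout is an assumption for illustration, not Windows Update's real
# format. Offsets refer to OLD bytes and are ascending, so ops never shift.
MANIFEST = {
    "old_sha256": hashlib.sha256(OLD_BINARY).hexdigest(),
    "new_sha256": hashlib.sha256(EXPECTED_NEW).hexdigest(),  # publisher-supplied
    "ops": [
        {"op": "replace", "offset": 6, "length": 5, "data": b"PATCH".hex()},
        {"op": "remove", "offset": 12, "length": 2},
        {"op": "insert", "offset": 17, "data": b"\xff".hex()},
    ],
}

def apply_delta(old: bytes, manifest: dict) -> bytes:
    # Refuse to patch a base binary the manifest was not built against.
    if hashlib.sha256(old).hexdigest() != manifest["old_sha256"]:
        raise ValueError("base binary does not match old_sha256")
    out, cursor = bytearray(), 0
    for op in manifest["ops"]:
        off = op["offset"]
        if off < cursor or off > len(old):
            raise ValueError("manifest offsets out of order or out of range")
        out += old[cursor:off]  # copy the unchanged run before this op
        cursor = off
        if op["op"] in ("replace", "insert"):
            out += bytes.fromhex(op["data"])
        if op["op"] in ("replace", "remove"):
            cursor += op["length"]
        if op["op"] not in ("replace", "remove", "insert") or cursor > len(old):
            raise ValueError("bad op or op runs past end of base binary")
    new = bytes(out + old[cursor:])
    # The final hash is what catches a corrupt or tampered delta.
    if hashlib.sha256(new).hexdigest() != manifest["new_sha256"]:
        raise ValueError("patched binary does not match new_sha256")
    return new

def tampered_delta_rejected() -> bool:
    # A delta whose payload was altered in transit must fail the final check.
    bad = json.loads(json.dumps(MANIFEST))  # deep copy
    bad["ops"][0]["data"] = b"WORMS".hex()  # constructed tampering
    try:
        apply_delta(OLD_BINARY, bad)
    except ValueError:
        return True
    return False
```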
Re:Nothing really (Score:2, Interesting)
Re:The only way to wake people up (Score:1, Interesting)
Re:The only way to wake people up (Score:2, Interesting)
For the virus writers who use infected PCs for botnets, releasing a virus which goes as far as fscking the victim's HDD is a waste of what could have been a perfectly usable zombie. Why do something that brings attention to the infection when stealth reaps greater rewards?
As for the virus writers who aren't looking to boost their ePenis with a bigger botnet, I too have often wondered why more malicious worms and viruses aren't released. Perhaps it's the fear that damage on the scale of totally erased HDDs will result in more attention from law enforcement and thus put them, the writers, at greater risk.
In either case, while it's certainly a warzone of malicious code for unprepared computers connected to the internet, I'm certainly glad it hasn't reverted to a more destructive time, on the off chance I'm affected before a patch or fix could be issued. At least now all I would have to worry about is unplugging my router, not sifting through piles of CDs looking for backups while quietly weeping at the thought of my more recent pr0n being lost :(.
One big problem with Windows Update (Score:3, Interesting)
I've had a lot of Windows patches kill applications. Most notably Adobe Premiere, Internet Explorer, Visual Studio, and a load of older third party shareware/freeware apps. Often enough a reinstall of the application fixes it, sometimes... not.
The biggest problem isn't a lack of patches being applied, although it is a big problem. The biggest problem is that people still insist on using e-mail as a way of conveying web-like information without regard to its origin or nature. I know a lot of people, some family, who would never ever visit shady porn sites and the like who nevertheless display all their e-mails in full HTML format with ActiveX, JavaScript, and the rest turned on full blast. Then they select each e-mail in turn, opening it by default in the preview pane of MSOE and, just to make sure it really is spam, will also click on the attachments as well.
Of course, I was seeing this same thing more than seven years ago in corporate offices never mind home PCs. Absolutely nothing has changed. Any time a user allows code to run, they take the chance that code will be designed to undo their protective shields including anti-virus, anti-spyware, and firewall services. Those services are not designed to act like viruses themselves and resist deactivation (with the exception of NAV which acts that way by an idiot structural flaw rather than purposeful design) at all costs. Oops.
What Microsoft could do is create a bootloader that worked from a separate partition and scanned the as yet not activated main OS partition for rootkits and viruses and removed them before the OS could be started along with them. Problem is, we can't ever know that MS didn't fark the system up with spyware of their own to check that DRM wasn't messed with, that we weren't using warez'd MS products, or even working on behalf of the *AA agencies to root out and destroy MP3s and so on.
Another solution is to make all web applications including and especially MSIE work only inside a virtual machine within Windows where it was quarantined from outside system interaction and had to pass a fine-grained security checkpoint to interact in any way with the outside short of mere audio-visual output. In other words, scripting that was doing something with a web page would generally work, something that wanted to browse the file structure would have to be signed, the user would have to constantly say yea or nay and enter a password. Anything to slow down the interaction, log it, control it.
I seriously doubt we will ever see it of course.
I got infected........ (Score:3, Interesting)
Re:What are we going to do? (Score:3, Interesting)
Not too long ago I walked into a little computer training "shop" in a supermarket near me (in Dublin, admittedly the shop is probably 2-3 miles from MS main Dublin headquarters) and there in amongst all their brochures extolling the wonders of their courses was a small CD display stand with Windows XP2 update CDs.
If the world was sane, the payback to MS customers (including the indirect ones getting Windows pre-installed) for "Product Activation" should be simple access to new installation CDs! So if your computer dies, you should be able to contact MS and get a new CD sent out for your new install which will have service packs (and preferably all critical and security updates) applied, so you can actually install it without having to disconnect your network (I would imagine 95%+ of all Windows users are not aware of the dangers to a new Windows installation). It's no good doing a new install and going straight to Windows Update, but how many Windows users are going to think differently if/when they need to re-install?
Next time someone tells you installing Linux is hard, ask them how they deal with the security issues of installing XP, and if they don't know what you mean, provide a little explanation!
Open source malware. (Score:3, Interesting)
Step 1: Develop the ultimate virus/worm platform -- include a bytecode engine, polymorphism, have it jack into something Freenet-like so users could manually update the network.
Step 2: Get lots of press for your examples of honeynets completely nuked, and how long it took. Show estimates of how long it would take to destroy every computer on Earth with Internet access (including flashing the motherboard, etc.) and predict a Y2K-like apocalypse if terrorists ever get their hands on this and there's tons of unpatched Windows machines.
Step 3: Watch the news media declare vulnerable platforms like Windows and OSX to be "unpatriotic". Watch thousands of developers and hardware vendors and, yes, even end-users rush to put everything on something actually secure, like Linux or BSD.
Remember: Linux IS more secure now, because would-be terrorists (all the teenage hackers of the world) have an incentive to fix Linux instead of trying to break it.
Step 4: If Step 3 fails, watch someone, somewhere, sometime, actually finish the job. In a matter of hours, every insecure box in the world goes down, hard, never to rise again. Hard drives wiped, firmware flashed... It'd be a massacre. Then, when the world finally wakes up, watch Step 3 again.
Remember, if I implemented this plan, I'd never actually pull the trigger. I wouldn't be doing anything illegal. That is, unless Congress decided to pass some DMCA-like laws to prevent the development of anything which could be used to 0wn people...