New, More Destructive Love Bug Variant 404
Everyone and their brother wrote in to say that a new and more destructive version of the ILOVEYOU virus has hit the net. Instead of deleting on a few files, this one deletes every file not in use. And even more amusing, rather then using a hardcoded subject line, it uses the host's email archive to cause the subject to change while it propogates. Intelligent mail client users continue
to be unaffected (although the ILOVEYOU sympathy virus has been annoying the heck out of us for days now... it works on the honor system: Please delete some files and mail to all your friends).
Re:First Victim! (Score:2)
Ain't work grand?
Kintanon
Re:Procmail filter to protect your users (Score:2)
Intel blocks this! (Score:2)
Hey, that's some proactive sysadmin there!
Re:virus vaccine (Score:4)
I disagree (Score:3)
As for some of the up and coming AV firms, I wouldn't put it past them, however in this case I think it's just kiddies having fun with a mechanism that someone else wrote, doing it just for grins and bragging rights.
If you want to see something scary . . . (Score:5)
It's cross-platform (as in, Unix and NON-Unix), it goes really far to evade detection and analysis (not to mention removal), and the freakiest part of it is, the whole system was designed to work in a distributed, intercommunicable fashion ("wormnet"). It's scary shit. Especially an observation the lead programmer makes near the end-- "sure, we didn't release this, but what if some other intelligent but deranged programmer out there has?"
Re:I'm curious... (Score:2)
Viruses are challenging and interesting. Some of the ideas used in them have been incorporated into modern software. Just like anything else if you don't use viruses to harm people or data their is nothing wrong with them at all. Why do linux hackers write code that they will give away. They like the challange.
I always thought that it would be cool to write a virus killer virus. It would search out a few known viruses and destroy them.
Re:i wish... (Score:2)
the "hillarystwatwarts" virus,
but even more subtle. Something that
would get repeated for a few hours or days
before people realized what they were saying.
It would probably have to be something like,
i dunno, remember the "dole means penis in iranian" rumor?
Re:Who will be the hero.. A more high level method (Score:2)
Re:Procmail filter to protect your users (Score:2)
*!^X-Loop: VBS viruscheck
*^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\
*!^X-Loop: JS viruscheck
*^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Jj][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.js\(.*\)/filename=\1.js.txt\2/
$ORGMAIL
Re:The Honor System Virus (Score:2)
First Victim! (Score:2)
Luckily she had the good sense to call me because of the 20 or so e-mails sent around about NOT OPENING attachements. So I talked her into deleting it without opening it. YAY! Hopefully none of the higher ups will get one, they are dumb enough to open it without thinking about it...
Sigh...
Kintanon
Who will be the hero... (Score:4)
- A.P. (seriously, folks, WHAT ELSE is VBscript for?!)
--
"One World, one Web, one Program" - Microsoft promotional ad
Here's a NEW idea: (Score:5)
What I mean is, why doesn't someone write a virus that does good? It could auto-run and disable all of the cheesy security holes that MS hasn't fixed yet. It could spread like a worm, and just go on a rampage fixing problems.
Why must virii always be bad?
Re:Has anyone here recieved one? (Score:2)
Hehe, subscribe to linux-kernel, I laughed my ass off when I got this [kernelnotes.org] email.
There followed two or three automated virus warnings no human bothered to answer. Pretty ironic it was.
Re:I'm curious... (Score:2)
-----------
Re:Procmail filter to protect your users (tool) (Score:4)
I've been using it for some time and it has protected myself and my users against almost any macro viruses I have heard about.
http://www.wolfenet.com/~jhardin/procmail-secur
Re:Linux is at fault here... (Score:4)
It has nothing to do with MS letting people run attachments without saving them first.
This is all about mapping extensions to applications.
This is a broken idea - totally. For starters it is quite simply dangerous, as the mappings happen everywhere. And installing an application might setup random mappings. But add onto that the fact that its used to associate scripts with their executor, much like the shebang line, only worse - the file needs no execute privileges. If you like, every mapped file extension automatically sets execute privileges. It is this functionality that is broken - not the mail client. And this has been in existance since DOS days, IIRC. So removing or fixing this "feature" is next to impossible.
Good luck MS fans - it's a rocky road ahead.
Re:Javalike sandbox needed (Score:2)
Re:Here'e the real problem (Score:2)
Port Outlook (and the brain-dead fondness for executing anything executable) to *nix and you'd still have as much of a problem.
Sure, Win'9* security is broken, but it's not bad security that's the problem here. I want Outlook to do anything I personally have the rights to do. I want Outlook to have a scripting language, and to offer mail services to other scripting languages (this is useful). The only thing I don't want Outlook to keep doing is executing code from anywhere that I haven't told it absolutely explicitly to do so. I don't want signing - what am I going to do ? Sue them ? I can't even email my lawyers, as they've just eaten my address book.
Win2K has brought its security concepts into the '80s, with Kerberpoodle the 2-headed mutt. We'll see how solid the implementation is, but at least they're making an effort.
Re:Who will be the hero... (Score:2)
The so called "feature" is called windows file protection. It keeps a backup of every system file in the dllcache directory and if you delete the file or overwrite it with a differnt one than is in that cache windows will replace it for you without prompting. On one of the machines I had to clean the virus off of this directory was about 300 megs.
This auto replace feature alone makes me feel real happy I use linux. Just have to support windows.
As a side note that is why every windows 2000 machine I have seen still has solitaire and minesweaper on them. They are considered to be system files.
Re:You think that's bad. (Score:2)
And whatever you do, don't try to remove this virus from your system. If you do, it will immediately mail the IRS and tell them you had $2,500,000 in unreported income last year. From dealing drugs.
--
Re: (Score:2)
Please, a nice distinction... (Score:2)
E.g., I do not find accounting of interest, but this does not cause me to consider myself stupid, even though it sometimes causes me hardship. (Of course I could just quit that book club, but I don't like that choice either.)
Re:When will microsoft users learn? (Score:5)
Nemx [nemx.com] called Power Tools. It runs as a service under exchange and allows stripping of attachments via extensions.
Re:Who will be the hero... (Score:2)
Since this was a proprietary IBM ROM, if you had a non-IBM PC, this instead came as software, and you'd get the boot behavior we all know if there was no OS.
Re:All Scripting Languages are Evil (Score:2)
Re:Should have been called: IHATEWINDOWS (Score:2)
Re:I see where this is going... (Score:2)
the next variant will contain a variant on the words "Trade Secret" for title, A html based Javascript click through licencse for a body (starting and ending with a load of legal mumbo jumbo and containing perhaps one sentence of warning as to what is about to happen), and a debian install starting with delete all partitions.
BTW, the only target will be M$
Something to be said for mail (Score:2)
Blocking attachments seems like a "throwing the baby out with the bathwater" kind of solution.
---
Re:Windows Virus instead of computer virus (Score:2)
So let us start terming the bug as a Windows bug or Windows virus instead of a generic computer bug. This goes a long way in getting the mindset of people that if you want to be on the Internet use a secure OS - Mac, Beos or Linux pick your choice.
I partially agree with you in that this is a Windows-specific virus. I disagree, however, with your comment indicating that the cause is lacking the security of Linux. The real issue is the availability of VBScript on the client, which in turn gives the attackers access to the local file system.
Our company runs both Windows and Linux 7x24 (with a few reboots here and there on the Windows boxes every day, of course ::wink::). We've received the ILOVEYOU attachments and just laughed at them because our e-mail clients don't support unrestricted scripting, even on the Windows machines, where we run Netscape Messenger. Netscape Messenger, while it allows JavaScript, doesn't allow unrestricted access to the file system and other Communicator resources like VBScript does.
We perceive unrestricted scripting access from the e-mail client as the real problem, not Windows itself. Any system that allows unrestricted scripting privileges (even *NIX systems) to its users is vulnerable to malice.
As for Macintosh and BeOS being "secure", I just beg to disagree. Perhaps you know something about them that I don't about them. Would you care to expand on exactly what makes them inherently secure when compared to Windows?
In conclusion: Our recommendation to our customers is very simple: Get off MS-Outlook/MS-Exchange for e-mail. IMAP and an appropriate e-mail client will do the same job without having to worry about VBScript viruses.
Talk to you later,
EugeneRe:Procmail filter to protect your users (Score:3)
host.com procmail:/etc/procmailrcs/host.com
in the mailertable file, and set the host.com file to something like:
(rules for checking spam, viruses, evil attatchments, etc.)
:0
! -oi -f $forward_message_on_properly_to_internal_mailserv
Though I don't have any pressing need to throw the above together and document what I did. Ideally, you would want to combine the above method with one of the several anti-evil-stuff procmail filters on freshmeat.net...
Re: (Score:2)
Here'e the real problem (Score:5)
The whole security system in Win9x is flawed. Windows9x was never intended to be on a network. Win98 is just a rehashed version of Win95, wich is just a rehashed Win 3.1. Single user OS's that had "root" access everywhere were fine in the early and mid '90s. That's not the case anymore. Now that everyone is hooked up to the itnernet, and other people have access to these single-user OS's such as Win9x. it's didn't matter that you had "root" back in the day, you were the only one using the system. Now many people can run code on you computer. Be it a vbs, java, etc.
A *nix variant doesn't have this problem. Unix was deigned with networks and network security in mind for over 30+ years. I couldn't if I tried to screw up my system like these vbs files do to Windows computers.
Even Win2k security is lax. For instance, how many times does a typical linux install(be it Redhat, Debian, or anything else) go "DON'T USE ROOT AS A USER!" and foces you to make a regular user account? Now look at Win2k's installation, that gives you your user name with admin. privs.
If Microsoft really wants to stop stuff like this, they need update their entire network security model to the 21st century....or at least the 1970's. Windows9x was not designed to be on a network. That's the reason it has no security. "access zones" and what have you in programs like Outlook are just a cheap hack to hide the real problem of the Windows security model. The problem being, it wasn't designed to have one.
Sendmail patch to block .vbs (Score:3)
# TURN ON CONTENT-TYPE MATCHES: uncomment lines as instructed.
Kquotetoplus dequote -s+
HContent-Type: $>CheckContent
## By Mike Schwager. http://www.enteract.com/~schwager
## http://www.schwager.com schwager@enteract.com
## INSTRUCTIONS:
## Uncomment 1 (or more) of the following ChkPat lines. Add new ChkPat
## lines if necessary, as given in the examples. Change the MIME-type
## (eg, from application / octet-stream to application / ms-word )
## if you need to, and change the name and/or file extension.
## For each pattern line, there should be a matching rule under SCheckContent.
## Do not include double quotes in the pattern line! They will be replaced
## with plus ("+") signs.
## Uncomment the SCheckContent line.
## Uncomment the appropriate rule(s).
## Change the rule(s) to use the message that you want.
## Change the message(s) as appropriate. Add new messages as appropriate.
## Watch your tabs!
D{ChkPrfx}application / octet-stream ; name=
# Here are your patterns
D{ChkPat1}.vbs
#D{ChkPat2}.exe
#D{ChkPat3}wordvirus.doc
# Here are your messages
D{ChkMsg1}REJECT- This message may contain a virus in the attached script.
D{ChkMsg2}REJECT- This message has a virus. -MS
SCheckContent
R$*name=$* $: $1 name= . $2
R$* $: $(quotetoplus $1 $)
R${ChkPrfx} $* $: $1
# Using these lines as a guide, match patterns; include messages
# only the character in front of "$#" should be a tab. Don't forget the tab!!
R $* ${ChkPat1} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}
#R $* ${ChkPat2} $* $# error $@ 5.7.1 $: 553 ${ChkMsg2}
#R $* ${ChkPat3} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}
## END CONTENT-TYPE
Re:In theory. . . (Score:4)
Macintrash files have, in fact, two invisible 4-character extensions.
The filetype -- it contains the file type which says what kind of data is in the file.
The creator -- which identifies the application that created the file, and which should be used to work with the file.
Applications have a file type of 'APPL' and the creator field identifies the application; that is, it is what ends up in the "creator" field of files generated by this application.
Additionnal trivia: Beige toaster files are, in fact, divided in two. There is a data fork , and a ressource fork . The ressource fork contains information that can be easily edited by a resource editor program, allowing to change certain aspects of, say, an executable file, like the icons, fonts, sounds and strings it uses. The data fork contains, well... (drum roll) data... (In the case of an APPLication, it is the actual binary code. GUI details are in the ressource fork). Either (of both) of those data fork can be of zero length.
It is not a bad system, except that it is totally shielded from lusers and, although it can prevent them from doing mayhem on their filesystems, it is a royal pain in the ass to change if you don't have the proper utilities.
I suppose it could be desirable to have a filesystem that allows you to have as many forks on your files as you want (did I hear somewhere that Windoze NT has something like that? Or is it Novell?), but in my opinion, nothing beats the simplicity of a "flat file" filesystem such as we enjoy so much on Linux.
However, I still don't dislike the concept of embedding file type information and whatnot within the directory entry/fdn.
--
Here's my mirror [respublica.fr]
Re:I'm curious... (Score:5)
Unfortunately, destruction is creative.
-- iCEBaLM
Adjusted scripts (Score:2)
#This goes in procmailrc:
:0 Bf
*!^X-Loop: viruscheck
*^Content-Disposition:.+
|/sbin/noiloveyou |
:0:
$ORGMAIL
#!/usr/bin/perl
#This is "/sbin/noiloveyou"
while() {
$temp=$_;
if ($temp =~
print $temp;
$temp = ;
$temp =~ s/\.vbs/_vbs\.txt/i;
$temp =~ s/\.vba/_vba\.txt/i;
$temp =~ s/\.js/_js\.txt/i;
print $temp;
next;
}
if ($temp =~
$temp =~ s/application\/x-javascript/text\/plain; charset\=us-ascii/;
print $temp;
$temp = ;
$temp =~ s/\.vbs/_vbs\.txt/i;
$temp =~ s/\.vba/_vba\.txt/i;
$temp =~ s/\.js/_js\.txt/i;
print $temp;
next;
}
print $temp;
}
#This should at least slow it down a little #bit....
# Jacques Richer -- jricher@bankri.com
Re:ZDTV says avoid email w subject FW: and .vbs fi (Score:2)
The N.Y. Times has an article (Score:3)
i wish... (Score:2)
something that would be *very* embarrassing
to say on CNN or CSPAN...
It would need to be subtle (so that the embarrassing thing would be said enough times
to take hold
Urgh... not another one. (Score:2)
I'm curious... (Score:5)
Now weary traveller, rest your head. For just like me, you're utterly dead.
Re:I'm curious... (Score:2)
Some people write viruses without any intention of releasing them to the wild. (Medical Research do the same)
Writing a Virus is similar to creating life itself. It may well live beyond your own lifetime.
Bringing down the entire world's email systems must give (the evil) a big sense of power.
Wasted, destructive talent - maybe - but these viruses are formidable weapons. The UK network staff at the house of commons (Government) had to shut off their networks entirely for the first ILOVEYOU, what would be the effects of that in a state of war?
This won't end... (Score:2)
Someone will make another, more destructive, sneakier version of the trojan worm (hey, it's a trojan horse and a worm; the next version may be a virulent trojan worm...). They'll have VBSs that generate EXEs, and vice versa, they'll take the boot sector with a virus that can relaunch the worm, they'll display amusing animations (grabbed from who-cares-where) that make the infected user think he's received a typical funny/annoying attachment.
Windows system admins: batten down the hatches! Trap all attachments and personally filter them. Get the managers to enact a strict "no unnecessary attachment" rule. Delete all "amusing" attachments and Word documents that should have been plain text (or could have been as HTML in the body), and send a nasty letter to whoever sent it.
This is, to some degree, a stupid MS problem. There are things that could have made worms like this harder to spread. However, something similar to this could work in Linux, too, given a sufficiently large ignorant user base (though it might be harder to write). If the user is dumb enough to be tricked into running anything you send him, there's no technological fix for it.
There are three possible solutions: supervise the users (as suggested above), educate the users, or tie the users' hands, so they can't do anything but use a small set of applications and move around certain types of documents. The first is a prohibitively expensive short-term fix, the latter two are long-term solutions: the second is better, but perhaps unrealistic; the third can't be done with current software, a change to some operating environment is needed (tweaking a shell for Linux should do it, though perhaps a change to the kernel would be better: create a sub-user login that has the same sort of access to a single user account as a user can have to the root account with "sudo"; sort of a weak capabilities system). I think both of the latter two are needed: you need to tie new or casual users' hands so they can't do too much damage, and at the same time you need to gradually educate them to the point where you don't have to watch them anymore.
You can't just ignore user ignorance. You have to make them take the bus until they learn how to drive without causing a 30-car pileup, and give them a ride when the bus doesn't go where they are headed. Don't ignore that just because they whine that the bus is slower.
Re:I'm curious... (Score:3)
Next thing: Murder as art, The art of the Heist, and the all time favorite, Keying Cars as an Expression of Angst - the Artists Perspective.
A virus is just destructive code. To me that means it is no different than a molotov cocktail. Yes there are differing degrees of harm created, but whether that harm is physical or results in the loss of work product, there is harm involved.
Upgrading a virus (Score:2)
Re:Thank god I don't use outlook (Score:2)
Re:To keep the virus fixers in business (Score:2)
Jesus, man, just point him to a dictionary site like dictionary.msn.com/find/entry .asp?search=virus [msn.com] where he can see the proper plural form within three seconds, rather than wallowing through that mental masturbatory dreck that Mr. Christiansen wrote. I hope he's not reading this, 'cause I'm not looking to offend him, but after skimming that page, I can see why people don't exactly consider Mr. Christiansen to be "well-liked."
Cheers,
ZicoKnows@hotmail.com
Big Money to be made (Score:3)
During the last couple of months, firms like ISS had a huge increase in sales. With the Love Bug and copycat viruses I'm sure the AV companies are also seeing increased profits. I wonder how much @stake consulting rates are for helping a firm defend against this sort of thing. I'm sure they're not cheap.
Love-Bug cartoons (Score:2)
Next Version (Score:4)
In addition, these viruses will ultimately not be limited to VBA. A program could easily open the default Netscape inbox text file and scan for the @ character--extracting all e-mail addresses in the entire Inbox file. The virus could also discriminate against which users it destructively effects--deleting only the files of people whose identity says they are in the aol.com domain, for instance.
I think that we have only seen the tip of the iceberg as far as intelligent viruses that are distributed by e-mail.
another nifty utility (Score:2)
When run on wscript.exe and cscript.exe (the Windows scripting hosts responsible for VBScript execution) that will display a warning that the script could contain a virus.
SlashMirror: Where to put files for fellow /.'ers
Re:I'm not a virus writer... (Score:3)
So if you're so concerned with the bandwidth on the infected machine, have the virus code monitor CPU usage and network bandwidth and restrict its own usage to, say, ten percent of maximum or less. This makes it both less destructive - you wouldn't be shutting down anyone's machine, just redirecting otherwise unused CPU cycles - and more stealthy too.
If one criterion for the "success" of a virus or worm is the scope of its circulation, then it seems to me the guy who wrote this latest thing is screwing up. (Or more likely, he just hacked a few changes onto some existing code, probably ILOVEYOU, sure wish someone would post this new one so I could have a look at it.) This is entirely aside from the incomprehensible malice that's displayed by such a nasty payload, what a jerk. You're sure going to notice when something wipes practically all the files on your PC. It seems to me that a really well-written virus would be more subtle.
Yours WDK - WKiernan@concentric.net
Who will be MY hero? (Score:2)
For example, the GPF message: Another fine general protection fault, brought to you by the folks at M$! (little animated GIF of chibi Bill Gates dancing in a pile of money, throwing up handfuls of bills)
Re:We need more tecnological diversity... (Score:3)
Perhaps. However, for better or worse, diversity is in direct competition with standards compliance.
I'm all for diversity, at least in principle, but at some level it is always going to be desirable for me to be able to read files that you wrote, and for me to be able to run programs that you wrote (even if I have to recompile them first), and for me to be able to transport those files/programs from your system to mine. So long as these things are possible, viruses and worms will also be possible.
The problem here is the unmanaged automation of those otherwise desirable manifestations of interoperability.
What we really need as a first line of defense isn't diversity. It is for a certain vendor to realize that just because an idea can be implemented doesn't mean that it should be implemented. For a second line of defense, we need a public (or at least the tribe of sysadmins) to realize that just because a feature can be used/enabled doesn't mean that it should be used/enabled.
I am sure that there will be worms and viruses as long as there are bugs in security features, but meanwhile there is no point in making life easy for the script kiddies.
For better or worse, those who have been blaming the problem on stupidity - whether of the users or of their vendors - have it right.
I happen to like the idea that Joe Cluebie can play with a computer, which is why I advocate eradicating vendor stupidity as the first line of defense. Alas, when the world's largest vendor is Clueless, Inc. [microsoft.com], and willfully unwilling to obtain a clue, we may have to fall back on the 2LoD and train Joe Cluebie for self defense instead.
--
The Honor System Virus (Score:2)
;-)
-- Your Servant,
Less disruptive if you are not dumb.. (Score:3)
So, the stupid ones will stop sending mail to the rest of us!
Polymorphic? (Score:2)
C|Net [cnet.com] and ZDNet [zdnet.com] are reporting that the new variant not only chooses random subject lines for its email carriers, but also adds comments to its own script, in an attempt to thwart fingerprinting.
My question: who actually needs email-attached scripts to have write access to the registry and filesystem? And who thought there were enough of these people to allow such access by default?
Procmail filter to protect your users (Score:5)
*!^X-Loop: viruscheck
*^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\
$ORGMAIL
If you have any questions, please feel free to contact me about it.
When you're a hammer.. (Score:2)
It's a good filter and all, but what if somoene actually wants to receive vb, js, com, bat, exe and God only knows what else?
This filter will protect the ignorant from themselves, but then again, so does Microsoft's 'solution' to the problem.
Re:Yeah, got it off a mailing list (Score:3)
That's only partially true. Many Unix mailreaders, including Netscape and mutt (and probably Pine) use a config file to figure out what to do with attachments - $HOME/.mailcap is a fairly standard file for that; but it can also be set up system wide. It's also being used by browsers in the same way. It's fairly trivial to configure it do something with a VB script, although on a Unix platform VB interpreters will not be very common. But Perl, python, tcl and shells are common. And it takes only one line in a single config file to have browsers and mailers of all users execute a Perl program on an application/perl mime type. (Or Python, or tcl, or whatever)
Email virusses isn't a matter of that can only happen on Windows. It happens only on Windows because Windows is far more popular than Unix. But if more and more less computer literate people move from Windows to Unix, more and more tools out of the box configured with everything turned out will appear on Unix. Including mailers that will happely try to run a program in whatever language you send them. Just look for instance at all the services Joe Q. RedHatUser has running on his Linux box.
Of course, you might argue that Unix has permissions, and users cannot delete system files. But that's details. The most important files on a computer are user files, not system files. A system can usually trivially be replaced; just re-install it from your orginal media, and run your install scripts. Companies often have an install server to make it even more easy. But user files have added value. They are the product of work. At best, they can be restored from backup, but even then there's a loss.
To sum up, the reason virusses aren't a problem on Unix is the popularity of Windows.
Let's keep it that way.
-- Abigail
Re:virus vaccine (Score:2)
Re:Should have been called: IHATEWINDOWS (Score:2)
I don't know what you do with your computer, but on my systems, user files are far, far more important than system files. I can restore /usr/bin/sh from media, and /vmlinuz by downloading the source and recompiling it. All it takes is a little time, but I would almost be able to do it blindfolded.
A thesis someone has been working on for four years, a program you've spend the previous month working on around the clock or a carefully worked picture from the GIMP have to be restored from the last successful backup - if any.
Granted, system files are important on important 24x7 servers - but you wouldn't be using them to read mail on in the first place, would you?
-- Abigail
Heh (Score:4)
I woke up this morning to my radio. (Which is unusual. It usually takes my alarm going off at full volume for about 10 minutes. The alarm goes off after 10 minutes of full-volume radio.) I heard the announcer state that there was a new strand of the ILOVEYOU virus released, much more deadly. I just rolled over and went to sleep. I pitty the fool who subjects himself to such things.
What type of real-life virus might computer viruses be comparable to? STD's? You 'sleep around' without protection, you'll get em. What might that make Microsoft products, then? :)
-------
CAIMLAS
Re:Your motivation (Score:2)
>Yeah, like biological ones. But we don't go
>around spreading them happily, do we?
Happily enough; look at STD's.
>> Some of the ideas used in them have been
>> incorporated into modern software.
> Like? I can only think of BSOD as an example
> of payload.
I've seen a production system that has a component which delivers itself to hosts around the network as a virus. It has brakes, but it's a virus. It does real work in the real world.
Warning: ILOVEYOU virus spreads to Unix systems! (Score:5)
Re:Who will be the hero... (Score:2)
DEL C:\WINDOWS\SYSTEM\CSCRIPT.EXE
This will get rid of the VBScript interpreter on your system. Mail this to all your friends!
---
Re:If you want to see something scary . . . (Score:2)
If you don't want to click the link, the summary is this virus is stopped by firewalls. It would be dead in the water in the modern internet.
Re:These are great for Linux - we need more (Score:2)
Follow the money (Score:2)
One always wonders if there's some connection between the anti-virus companies and the virus writers.
Re:Next Version (Score:2)
Here's [zerius.com] where I put it up.
Re:If you want to see something scary . . . (Score:4)
Sorry I already debunked this virus when the details were posted to Linux Today. You can read my post at http://linuxtoday.com/news_story.php3?ltsn=2000-05 -12-003-06-SC [linuxtoday.com].
If you don't want to click the link, the summary is this virus is stopped by firewalls. It would be dead in the water in the modern internet.
Re:Next Version (Score:2)
I won't rehash the arguments here, since I'm a little sick of typing them, but check my posting history if you're interested.
In theory. . . (Score:2)
I just read a news report about the new virus, and the warning they're giving about it is for people to avoid messages with
I just remembered this old Metallica song. . .
Re:Here's a NEW idea: (Score:5)
This topic comes up in virtually all intelligent virus discussions. In summary, it is not a good idea to use viral properties, even for something useful. I refer you to item F7 in the comp.virus [faqs.org] FAQ (circa 1995):
A very hotly debated topic that has flared-up dramatically several times in Virus-L/comp.virus. The answer to this is not simple and largely hinges on your definition or interpretation of the term computer virus.
By definition (see B1), viruses do not have to do something "bad" (although many people argue that the uninvited "resource wasting" that is almost inherent in viral activity is necessarily bad). From this point (and based on his somewhat esoteric definition of the term computer virus) Fred Cohen has argued that "good" or "useful" computer viruses are a serious possibility. In fact, Dr. Cohen offered a reward of $1000 for the first clearly "useful" virus--despite several potential claimants, however, he hasn't paid up.
Although there has never been a position that was widely agreed upon as a result of any of these discussions, many contributors to this forum believe that there are serious problems with the idea of implementing useful computing functionality through self-replicating programs. Vesselin Bontchev's paper originally delivered at the 1994 EICAR conference, titled "Are `Good' Computer Viruses Still a Bad Idea?", is available by anonymous FTP from ftp.informatik.uni-hamburg.de (IP = 134.100.4.42), as pub/virus/texts/viruses/goodvir.zip. *Anyone* wishing to raise this discussion in Virus-L/comp.virus again should read and carefully consider this paper before posting. It contains many strong arguments against the idea of "good computer viruses", and some prescriptions of how good viruses would have to be implemented and distributed to deserve the label "good". To date no strong arguments countering the points in this paper or otherwise arguing in favor of the concept of good viruses have been posted to the group.
The summary of points made in this paper are:
Even features such as defined lifetimes, central verification, etc. can't control self-replicating code perfectly. It is very easy for viruses to "get away". A great number of the viruses in the wild started out as merely research projects and were never intended to be released.
Allowing one program which has viral properties through one's defenses makes it easy for other programs to exploit the same hole. It's hard to tell when a "good" virus is doing its work versus a "bad" virus.
The process of infection will use up system resources-- what happens when the program hits a host that has few resources to spare?
What happens if you discover a bug in the viral code? How do you update all the installed copies?
The software could break certain systems while it works fine on others. This could make for difficult-to-track problems.
There are always increased risks with viral code, and they can't do anything that nonviral code couldn't do with lower risks.
Vesselin even goes so far as to describe some mechanisms to help mitigate the above problems, but the crux of the story is that it's still simpler and safer to rely on non-replicating code.
There are some examples of failed attempts at "good" viruses in Vesselin's brief. They include The "Anti-Virus" Virus, The "File Compressor" Virus, The "Disk Encryptor" Virus, and The "Maintenance" Virus. Some of these same ideas have been brought up in this very Slashdot discussion.
Amazing what history can teach. Damn, I'm starting to feel old...
Re:You think that's bad. (Score:2)
And now, it turns out that Good Times was real after all, they just got the name wrong and called it early...
I'm installing a subspace harmonics dampener as we speak. Don't want to take any chances.
Re:I'm curious... (Score:5)
Extrans and links (offtopic) (Score:2)
Re:This won't end...or will it? (Score:2)
You've never heard of FortRes?? We use it on some of our WinBloze boxen, and, while it doesn't stop users from trying to install stuff, they get screwed when they try to reboot, because they don't know the box pword OR the FortRes pword. Ha! Plus of course we use (constantly updated) McAfee antiviral software AND we don't run any M$ email programs (on the public boxen).
We run 50 win boxen (half and half public / staff) and the only place I saw the virus was on /. when someone posted the code. (My staff is educated enough not to open unsolicited attachments, even though some of them use Outlook. I took the time to explain the whole thing very carefully at a staff meeting after the Melissa fiasco.) So education *does* work, but only for motivated users.
I certainly agree with your last point: you can't ignore user ignorance.
Re:When will microsoft users learn? (Score:4)
It has NOTHING to do with the OS used, and everything to do with the administrator.
--
To keep the virus fixers in business (Score:2)
Most times, it's just something that would be great to watch, seeing a creation of your own cause mass destruction. Or even, knowing that it is able to cause desctruction, then seeing a naive person steal the code from your machine and send it out.
The first ILOVEYOU hit our company hard. We took the Exchange down, updated all the mail servers, and the network-wide virus scanning for all the users' computers. However, the problem was that idiot users were mapped to production web boxes, and caused the virus to spread to machines that we didn't think would ever have to be checked. It's because of this infection that now we spent hours installing AV clients on 120+ production servers.
As a whole, ILOVEYOU wasn't too drastic. It deleted some web images that we just had to restore. But it was because we got hit that we're now prepared to defend against virii like this new ILOVEYOU, which does drastic damage.
Re:These are great for Linux - we need more (Score:2)
I don't like the idea of sandboxed execution or chmoding the user permissions because they make it a pain-in-the-ass to actually do stuff that I want them to be able to do.
\begin{daydream>
What I'd like to see is to see sandboxed execution or editing (instead of executing) being the default and it should be simple as a right-click "Execute" to allow an attachment to actually execute and do stuff. I'd also like to be able to easily tell it when I want to just view the thing and when I actually want to execute.
\end{daydream}
PS: Damnit, I'm trying to post using Plain Old Text. Why won't Slashdot let me use XML tags for my "daydream"??
We need more tecnological diversity... (Score:5)
This argument deserves closer examination. True, BeOS, MacOS, and Linux users were not infected by the Love virus. Had each system had 25% market share, a single virus could only infect 25% of the population."
The ILOVEYOU virus is kindergarden [rhi.hi.is] stuff compared to what a real programmer [rhi.hi.is] could really do if he/she put their mind to it, but since experienced programmers are (most of the time) fairly matured individuals, but it would only take one fairly good hacker to release a plague [rhi.hi.is] on the world...
Re:the simple art of murder (Score:2)
I may choose to read or ignore a book about murder. I happen to like that genre actually, nearly as much as I like film noir. But still, the difference is that I *choose* to read that subject.
On the other hand a virus is basically a hit and run _crime_. As one of the other respondents above remarked, modern art, by my standards would not be considered art. I disagree because I can ignore it. I may not call it art, but someone else may. I cannot ignore a virus, even if I am running a nearly immune system.
To compound the issue, not only do viruses steal your ability ignore them, the nastier ones tend to cost money. Either the viruses destroy work product or they create work for the admin who then has to fix his network.
If you want to call it art, fine, as long as the creator makes it performance art. Like boxing
Re:It's a *worm*, not a virus! (Score:2)
You mean it was a worm written by a cracker, not a virus written by a hacker?
Anyhow, I never really cared much for language purism. Language evolves. That's not to say that these distinctions aren't important within certain technological circles. If I were writing a technical article for some journal on computer security, I would want to get it right. But for the mainstream, "virus written by a hacker" is plainly the accepted terminology.
Another way to look at this is that "virus" is being used as a general term for all potentially destructive computer programs, and that "trojan", "worm" and "hostile applet" are just subclasses of "virus".
Now you /. people can sit there and gripe all day about what people ought to say, but you're not going to win.
Wouldn't it be more interesting to simply look at these things as linguistic trends rather than errors?
In a sense, English and other languages are the first collaborative Open Source project ever. Yet so many /.ers fail to realize that, and refuse to participate, because they are hung up on language purism.
Re:Good Times (Score:2)
Thought you might like to know...
Apparently , a new computer virus has been engineered by a user of America Online that is
unparalleled in its destructive capability. Other, more well-known viruses such as Stoned,
Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a
warped mentality.
What makes this virus so terrifying is the fact that no program needs to be exchanged for a new
computer to be infected. It can be spread through the existing e-mail systems of the InterNet.
Luckily, there is one sure means of detecting what is now known as the "Good Times" virus. It
always travels to new computers the same way - in a text e-mail message with the subject line
reading simply "Good Times". Avoiding infection is easy once the file has been received - not
reading it. The act of loading the file into the mail server's ASCII buffer causes the "Good
Times" mainline program to initialize and execute.
The program is highly intelligent - it will send copies of itself to everyone whose e-mail
address is contained in a received-mail file or a sent-mail file, if it can find one. It will
then proceed to trash the computer it is running on.
The bottom line here is - if you receive a file with the subject line "Good TImes", delete it
immediately! Do not read it! Rest assured that whoever's name was on the "From:" line was
surely struck by the virus. Warn your friends and local system users of this newest threat to
the InterNet! It could save them a lot of time and money.
The Good Times virus described by that message never existed. You can claim that the message itself is a virus, but then it wouldn't be the Good Times virus, it would be the "meta-Good Times virus." (And if I get you to repeat this description to your friends, you could call that the "meta-meta-Good-Times virus," and then they could spread the "meta-meta-meta-Good-Times virus" and so on... GEB, here we come! =])
Re:It's a *worm*, not a virus! (Score:2)
I think this is partially a case of technical people feeling they are elite and need to correct people who could care less, much like an English teacher who corrects your speech that no one else sees a problem with. You have to speak the language of the people when you report in the media. It's not that the reporters don't know what a worm is (though I'm sure many don't), it's that you (and your other 1%) are not their target audience.
Skip the login (Score:2)
A certain amount of turbulence is good (Score:4)
So it is with a dynamic community of computers. Somebody who doesn't have a scanner will die. Somebody who rarely updates the sig files will die. Somebody who doesn't think it can happen to them will die. Someone who doesn't pay attention and goes on as normal will die. Somebody who is more thorough and less trusting or ignorant will survive. Remember not all of these screaming headlines are about viruses at all. They are simply a matter of benhavior and social engineering. Do you think as many people would have been infected if the ILY worm had a heading that said "opening this note will destroy or damage your machine and the machines of everyone in your addressbook." OF course not.
Which leads me off in another tangent. How to get more people to open destructive messages since everyday we're more jaded and suspicious? Well if I was a badguy what I'd do is use the message header to refer to some online purchase. Sure, if you didn't buy anything then you'd be less likely to open the message but the people who did would probably open the message approaching 100%. So what is a poor website to do? It seems that one avenue that should be pursued for this and for eComm generally is a way to generate a CRC at the point of purchase and then send the confirmation/receipt with the CRC in the header so that before you do anything you manually cross check the numbers to insure they match. Or something like that. I guess I'll stop blathering now.
You think that's bad. (Score:5)
Pay close attention to this warning!
If you receive an email entitled "Bad-times," delete it immediately. Do
not open it. Apparently this one is pretty nasty. It will not only erase
everything on your hard drive, but it will also delete anything on disks
within 20 feet of your computer through the use of subspace field
harmonics. It demagnetizes the stripes on ALL of your credit cards. It
reprograms your ATM access code, screws up the tracking on your VCR and
uses subspace field harmonics to scratch any CD's you attempt to play. It
will program your phone auto dial to call only your mother-in-law's
number. This virus will mix antifreeze into your fish tank. It will drink
all your beer. (For God's sake man are you listening?) It will leave
dirty socks on the coffee table when you are expecting company. It will
replace your shampoo with Nair and your Nair with Rogaine, all the while
dating your current boy/girlfriend behind your back and billing their
hotel rendezvous to your Visa card. It will cause you to run with
scissors and throw things in a way that is only fun until someone loses an
eye. It will rewrite your backup files, changing all your active verbs to
passive tense and incorporating undetectable misspellings, which grossly
change the interpretations of key sentences. If the "Bad-times" message
is opened in a Windows95/98 environment, it will leave the toilet seat up
and leave your hair dryer plugged in dangerously close to a full bathtub.
It will not only remove the forbidden tags from your mattresses and
pillows; it will also refill your skim milk with whole milk.
*********WARN AS MANY PEOPLE AS YOU CAN.*********
Hope I don't get that one.
Ah, the sweet symmetry of cross-pollination (Score:4)
We're genetically engineering bacteria to eat oil spills, and designing cancer cells to secrete insulin. We're cloning sheep and making real viruses to attack malignant tumors.
Somehow, the symmetry of a worm that scours the Internet exploiting M$ security holes in an effort to fix them is.. poetic. Sort of like autonomous garbage collection.
Arguably, any virus/worm that deletes Windows system files is already trying to do this; but in a very heavy-handed way. A lighter touch is called for. Disabling the registry settings that allow auto-invokation of scripts attached to email is one good way to make the world a better place.
And hey! How could anyone (besides Micros~1) get upset over a benevolent virus?
Maybe it could even open a pop-up on the screen every 20 minutes, to remind the user to stretch their hands to prevent RSI?
Maybe it could replace the talking paper-clip with a talking Penguin? "I see you're trying to write a letter. Wouldn't you rather write it on actual paper, and add some humanity to your interpersonal communicaton?" "I noticed your key-stroke rate drop over the last hour. You seem tired. Shall I have some pizza delivered?"
Re:These are great for Linux - we need more (Score:3)
Code coming from an unverified source (i.e. not from a trusted installer) should not be allowed to run outside a sandbox. It works fine for Java on the web. The same treatment should apply to anything coming in an email.
Furthermore, any file extracted from an email should be marked non-executable. (The user can chmod it - if they know enough to do that, they can probably understand the risk). Archives are a bit more tricky, but changing umask(2) to 666 before invoking an archive program (such as tar) should do the trick I guess.
The Evolution folks are implementing a Visual Basic clone in their new gnome client. But they are doing it properly, using a Java-like security model.
All Scripting Languages are Evil (Score:3)
Has anyone considered blaming Netscape and Sun for the even greater, incremental loss of money from JavaScript? How many billions of dollars in coding, design, and bandwidth have gone into popup windows, status bar theft, and rollovers?
Perl is such a spirit fouling venture that there is even a monastic commune [perlmonks.org] for people who grok it.
bash scripting is by far the greatest sin, for it mimics C in an almost mocking way -- K&R would not be pleased...
--
It's a *worm*, not a virus! (Score:4)
Viruses infect other executables, such that the original functionality is still there, but the viral code is executed when the program is first run, which gives it a chance to spread to other executables and/or become resident in memory.
Worms, on the other paw, are self-contained programs which contain nothing but the worm itself.
The definitions of these things are hardly new, they have been around for YEARS. I suggest reading section B2 of the comp.virus FAQ [claws-and-paws.com] for more information.
Re:Who will be the hero... (Score:4)
> DEL C:\WINDOWS\SYSTEM\CSCRIPT.EXE
This is really the solution if people refuse to switch from lookout. (I had switched everyone I could when I arrived at the company, but some refuse to leave "what they know.")
So here is my solution in a Novell Netware enviroment.
-Using NAL (Novell Application Launcher), create a new application object in NWAdmin. Don't have it launch any program, Name it something like "Remove VBS."
-Modify the "Files" tab by adding "wscript.exe" and "cscript.exe" to be deleted (In otherwords click file, in target select those programs, and put the check in "Target to be deleted.)
-Associate with everyone group with force run status
Now everyone is going to be better off. Some would complain that now people can't write scripts in VB on their machines, but guess what I never got any complaints. Maybe it has something to do with the fact that anyone writing scripts knows better then to open unknown attachements, or even to use outlook.
Note- This process could be done with the login script but NAL gives you more control. For instance I have used NAL to remove registry entries (or add), reset Netscape preferences, and similar to above, have NAL delete "normal.dot" every login to help prevent the spread of Macros. At my previous job, I even went so far as to have NAL rename the vbe folder in office to turn off macros all together, and created a NAL application called "Word with Macros, Excel with Macros" that would rename the directory before launching, and rename it at close, but alas, they use the macros in Excel at the current place...
Re:These are great for Linux - we need more (Score:4)
First, executability is determined by access bits, not by file extension. This means that normally downloaded files like attachments get saved un-executable, meaning that users have to intentionally try to change the access bits on the files to execute them, not just click on them.
Secondly, unless the root user is the one reading the email and running attachments, the virus/worm is limited by security/permissions rights to what it can do. While it can do damage to a single user's files, it can't very easily blast other user's files or system files. On Windows 9x, there is basically no security, so viruses/worms like ILOVEYOU are free to twink with the registry, etc.
Thirdly, the homogenous nature of the Windows world makes it a much easier and more attractive target for virus/worm authors. It is pretty safe to assume that virtually all Windows 9x clients will have Outlook and all the associated DLLs on their system. There is no single email client in the Linux world that is so ubiquitous. That makes it more difficult to write viruses/worms that will affect a large percentage of Linux users because the virus/worm creators can't make the kind of assumptions about how to read things like address books, etc. that they can under Windows. This is unlikely to change any time soon, because the Linux world is much more diverse than the Windows world.
While you are right up to a point that in many ways it is the users that are stupid, Outlook and Windows make the problem worse by making it so much easier for the users to shoot themselves in the foot. And to a certain extent, Windows is plagued with a much higher percentage of stupid users because it intentionally caters to the least common denominator. To a certain extent, as Linux gets easier to use, it may start to see more of the semi-stupid users.
Re:Who will be the hero... (Score:5)
(For those forced to do Windows/Outlook.)
My Computer
-Tools
-Folder Options
-File Types
-VBScript Script File
-Advanced
-Click on "Edit" in the list box
-Set Default
After you do this, the default action for a VBS file is to edit it in notepad. (And you can still run it by right clicking and selecting "open" from the menu.)
Repeat for any other dangerous filetypes.
Comment removed (Score:5)
Re:To keep the virus fixers in business (Score:3)
Bad Mojo [rps.net]