W32.Sobig.E@mm Worm Spreading Rapidly
mabu writes "Apparently there is another worm spreading online. Symantec has upgraded its severity to 'category 3.' This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th, and searches users' machines for select files containing e-mail addresses that it uses to propagate itself."
What Operating System? (Score:5, Funny)
Re:What Operating System? (Score:3, Funny)
Re:What Operating System? (Score:4, Funny)
Re:What Operating System? (Score:5, Funny)
Do you want to:
[ ]Contact Microsoft Support?
[ ]Dig out your backup and restore?
[ ]Finally get around to installing Red Hat?
Re:What Operating System? (Score:5, Funny)
[ ]Contact Microsoft Support?
Microsoft Support already contacted me, they sent me a virus
Re:What Operating System? (Score:3, Informative)
Re:What Operating System? (Score:5, Funny)
"The code is filled with errors which make it incapable of propagating automatically"
Obviously another Redmond product.
They don't make em like they used to (Score:5, Funny)
Yuck. The only thing worse than worms are rotten worms.
Re:They don't make em like they used to (Score:5, Funny)
Yuck. The only thing worse than worms are rotten worms.
Hey now, worms taste good for a while after they expi--. Errr, nevermind..
Re:They don't make em like they used to (Score:5, Funny)
Is this a subtle way of trying to say "Yes it's another fucking windows virus" without sounding like we're anti windows?
Sometimes it's so hard just describing windows 'features' without sounding like I'm bashing it.
Re:They don't make em like they used to (Score:5, Interesting)
The register [theregister.co.uk] is less subtle (almost advertising other platforms);
As usual, the worm affects only Windows PCs. Linux and Mac users are immune.
Re:They don't make em like they used to (Score:3, Funny)
In other news, I've found this really cool game on Linux. I wish you will enjoy it:
Just type:
Re:They don't make em like they used to (Score:5, Funny)
As usual, zsh [zsh.org] users are unaffected.
Re:They don't make em like they used to (Score:4, Funny)
Where am I, you ask?
A computer science department at a major UK university.
I mean, if we don't have the meagre amounts of Clue necessary to avoid this crap, who the hell does?
Re:They don't make em like they used to (Score:3, Insightful)
And before people start talking about executable permissions etc, recall that to become infected here you had to *unzip* a file and then *execute* it. What's the solution?
If you make people jump through hoops to execute an attachment then
Re:They don't make em like they used to (Score:3)
The one glimmer of goodness is that those of us who don't run EXEs and DOCs we
Re:They don't make em like they used to (Score:3, Funny)
At University, if someone left themselves logged into a terminal, we'd place a file named "*" in their home directory. Much hilarity ensued when they typed rm * to remove it.
PEBCAK (Score:5, Interesting)
Why be subtle about it?
I went to a seminar yesterday wherein a security guy from Microsoft (stop laughing, it's not funny yet) extolled the virtues of Windows Server 2003. They have learned their lesson about security and ease-of-use being the only development consideration... guess where they learned it from? All the best practices they have implemented for Server 2003 come from Linux, Unix, and the Open Source world. "Free How-Tos"! What an innovation!
Now if only someone can teach the MS admins and users to apply the goddamn patches that Microsoft releases! (for an example of what I'm talking about, see anything about the SQL Slammer specifically)
Re:They don't make em like they used to (Score:5, Interesting)
"In France, the 14th of July is a National Holiday. It is known as Bastille Day and celebrates the storming of the Bastille , a French prison, in 1789. This was the start of the French Revolution."
Wonder if this has any relevance? Maybe it's a signal, a secret message.. :)
But penguins eat fish.... (Score:4, Funny)
Ehwe! Poor little worms
Fortunately... (Score:5, Interesting)
Anyone else so lucky to have a system such as mine? This works well on the UTA campus network, also. At least, a worm story has been reported w/in 24 hours of every noticeable long slowdown of the net for me...
Using Internet Traffic Data to Predict Worms? (Score:5, Informative)
I have been trying to do my own retrospective prediction :) based on the data available at Internet Traffic Report [internettr...report.com]
As far as I can make out, all the US routers [internettr...report.com] are doing fine (green). The response time seems to have gone up a tad at 2am MST, but other than that I don't see anything unusual.
When I look at Asia [internettr...report.com], 5 out of the 21 routers are down (red) and the packet loss is up 2%. Does that mean that the worm has hit Asia hard? I know this worm should clog up mainly mail servers, but I wonder how feasible it is to predict worm arrival/origin/etc based on this easily available information, assuming of course that it's available realtime.
More Traffic data in on (Score:3, Informative)
During all these events, a large Response time and Increased Packet loss are observed, as expected.
Observe that the Average Response time hit a peak simultaneously across all continents between 11:30am and 2:30am MST as noted earlier, which coincides with reports of the W32.Sobig.E@mm worm. It has since deteri
Re:Using Internet Traffic Data to Predict Worms? (Score:3, Insightful)
Then you also have the newbies who feel they have to forward *everything* they get to *everyone* they know, further slowing down the net.
The "cure" might be worse than the disease.
Somebody angry at France? (Score:5, Funny)
Well isn't this the french national holiday. Maybe somebody is angry because they didn't join the war against weapons of mass.. er, what was that war about again?
Re:Somebody angry at France? (Score:5, Funny)
cool.
viva la windows, or something.
All it takes... (Score:5, Funny)
Virused spammers? (Score:2)
Re:All it takes... (Score:5, Interesting)
My viruses were from support@dell.com. I've banned outlook, but looking through the headers, it is obvious that SOMEONE was using it.
I'm about to ban attachments altogether and instead write a web-based document distribution system. At the very least it makes tracking the provenance of documents easier. Besides, users have this habit of NEVER throwing away email, and the attachments eat up a lot of room on the server.
We run IMAP. (That's another discussion)
I knew it! (Score:2)
Unfortunately, all the suckers that set their system time back to get 'extended' shareware use periods will be spreading the worm/virus (true slashdotters never read the article) for years to come.
- Andreas
Re:I knew it! (Score:2)
Goblin
simple (Score:5, Funny)
"Primarily affect" (Score:5, Insightful)
"This worm appears to primarily affect Microsoft systems..."
What's this "primarily affect" business? It only affects Microsoft systems, just like every other friggin' virus on the face of the planet.
Re:"Primarily affect" (Score:5, Insightful)
Re:"Primarily affect" (Score:5, Funny)
Re:"Primarily affect" (Score:3, Insightful)
So mail servers running on *nix are completely unaffected by an increase in mail traffic? Wow, Unix and its variants are more magical than I thought. Perhaps when my mail server starts getting bogged down, I can ask all my users to attach a large virus to every one of their emails, so it will run more smoothly.
Re:"Primarily affect" (Score:3, Funny)
This may indeed help. While the Windows users' PCs are down for virus removal, they won't bog down the mail servers with their chain letters, flash animation attachments, screen saver attachments, and various hoaxes. Thanks for the idea; I'll try it out next time a luser attempts to send a 34 Megabyte Word document...
Re:"Primarily affect" (Score:5, Funny)
Nope, there are also viruses affecting Macs. And worms affecting Apples. For example, yesterday at the cafeteria, I had an apple whose security had been breached by a worm.
Re:"Primarily affect" (Score:5, Funny)
Finding half a worm in your apple.
(And now the resounding sound of groaning shall commence)
Ok so this might be a weird request..... (Score:5, Funny)
I mean back in the day virii actually did stuff, now they just email over and over. Remember when your computer used to get "Stoned"
of bitching about virii, I just ask, if you're gonna write one at least make it do something fun.
Re:Ok so this might be a weird request..... (Score:5, Interesting)
Ah yes, the halcyon days of the wazoo virus [pdxtc.com] or when getting a virus meant your disk partitions were officially destroyed.
Re:Ok so this might be a weird request..... (Score:5, Funny)
Like, connecting to RedHat, and installing Linux on the infected PC. That way, the PC won't at least be infected by another virus...
Re:Ok so this might be a weird request..... (Score:5, Funny)
We all worked in the open cubicle land, and there was this guy who always answered his phone with the speaker phone, and had the volume set to highest. Everyone heard and knew about all his dirty laundry with his wife (or girlfriend). Every time after he had a dispute with his wife, he would swear at everything the whole day, and swear out loud. And he would bang on the drawer, etc.
One day, two of us decided it was enough. We wrote a little worm with a trojan. And this is just for his computer, it would not spread to anywhere else. After we sent it to the whole group as attachment, it would do nothing on other computer, and it would just behave funny on his computer. This is what it did:
- It would simulate, from time to time, like 15 times a day between 9am and 5pm, a BSOD by just popping up a blue screen and catch keypress and do nothing. This was easy, we downloaded the BSOD screensaver and used the pic.
- Whenever he started up his Outlook, it would send a
- Whenever he sent emails to his wife (he always told people about his wife's email, for some reasons), another stupid email is sent to his boss, about him complaining about women in general (we had a few simple templates for that
- it would send some system binary file, picked at random from the system32 directory, to the audio device. This would produce some weird scratchy sound. This is done a couple of times, especially between 12pm and 1:30pm, after lunch, when he was half asleep.
- it would try to pop up some weird shit on his screen, by picking at random some file from the system32 directory.
Boy, the farting sound makes him so embarrassed, after everyone is complaining that this was gross (as if he wasn't gross enough before that!).
I left the company about a month after we did this, not sure what happened to him (and I didn't want to know anyway, obviously).
Re:Ok so this might be a weird request..... (Score:5, Funny)
This was in the day when nobody had sound on their computers, and 386en were the latest and greatest thing.
We installed one of those nifty simulate-a-SoundBlaster-through-the-PC-speaker drivers. Then we put the player in the autoexec.bat (this *was* the day of DOS), with various selections. The head honcho (a VP; we were a division) got an excerpt from 2001; can't remember which one, but it started with "Dave... Dave..." (which happened to be his name). His secretary got "... HEY! Lemme outta here!"
The quality (these were Epson Equity ]['s) and volume were both so low that folks would think they were hearing someone off in the distance, and would be running around trying to find out who was calling.
We also had a cobbled-together system built out of scraps we found in the basement; no monitor, half a case, and a battered keyboard. That guy was set up to announce "I'm fully functional and all my circuits are operating perfectly" on bootup, and "Don't do that, Dave" whenever anyone touched a key (it was temptingly set near our visitor chair).
"Primarily affecting..." (Score:5, Insightful)
Re: "Primarily affecting..." (Score:3, Insightful)
> If Linux was the mainstream OS, we would be in the position MS is today.. all worms would hit Linux. Linux isn't the cure for worms, OpenSource programs contain as many security holes as MS products. It might be easier to fix and all, but Linux has the same problem as MS when it comes to that users should actually _update_ their machines.
AFAICT this is another human "click that attachment!" engineering worm. The issue really isn't Linux and Windows, it's applications and users.
We'll have this kind of
Good marketing etc (Score:5, Insightful)
Re: Your Mail (Score:4, Funny)
To: Cowboy Neal
Subject: Re: Your Mail
Click the attached link - it's great...
Attached file:
www.yahoo.com
[application/octet-stream]
Re: Your Mail (Score:2)
I tried to click on the black www but nothing happened. Doesn't it have to be blue?
<average worm spreader>
Who clicks Attachments? (Score:2, Interesting)
You receive an email from support@yahoo.com with the subject "Re: Documents". You know you never have written an email to this address with this subject.
Would you really click on this attachment??
I guess there are still people who do.
They are a dying race. We should let them pass.
-- Ambassador Kosh, Vorlon Empire
Re:Who clicks Attachments? (Score:3, Interesting)
It goes like this. The mail hits our company yesterday morning at 10:58. By 11:00 I've sent a company wide mail out telling people that it's a virus that's slipped past our scanner, and not to open it. At 11:02 I get apologetic messages from those who had already done so -- "I thought it was someone sending me something", "It was just a zip file", "I didn't know". Yes you did, you morons!
The servers seem slow, here's a mirror (Score:4, Funny)
By John Leyden
Posted: 26/06/2003 at 10:22 GMT
Stop us if you've heard this before, but there's another prolific email worm loose on the Internet today.
Sobig-E differs from its predecessors, the Sobig-B (aka 'support@microsoft.com') and Sobig-C (aka 'bill@microsoft.com') worms, by spreading itself in the form of a ZIP file. This time around infectious emails sent out by Sobig-E pretend to come from support@yahoo.com or another spoofed email address.
The worm is spreading rapidly, with many vendors upgrading the severity ratings they attach to the worm this morning. At the time of writing, managed services firm MessageLabs has blocked 22,156 copies of the worm over the last 24 hours.
Sobig-E normally spreads via emails with randomised subject lines (such as Re: Documents and Re: Re: Movie) and .zip attachments containing infectious
As usual, the worm affects only Windows PCs. Linux and Mac users are immune.
On infected PCs Sobig-E sends email to addresses collected from files with the following extensions:
Sobig-E appears to also have the ability to spread via network shares and uses its own SMTP mail engine for sending email to further propagate.
So what to do?
Don't run suspicious email attachments and update your AV signature files. Don't allow Rob Malda to have write access to your box. He *will* put illegal gay porn on it, trust me.
It's as simple as that really.
A write-up of the varmint by Symantec provides more detailed information.
A quick FAQ for Joe ServicePack... (Score:5, Funny)
A: Yes, it is. Systems that connect to the internet using any Microsoft OS are vulnerable.
Q: When can I get a Service Pack for this?
A: When we include this bug..er, fix in the next Service Pack. We released SP4 yesterday. Six months more, at least.
Q: Are there any mitigating factors?
A: Yes.. if you run Linux or GNU/Linux or NetBSD, you need not worry.
This bug will disappear by July 14th, and the replacement bug will be announced on Dec 22.
Contrary to Gartner reports, we know that millions of people use Linux on the desktop without much trouble. If you want a permanent solution, install Linux.
Q: How can I protect myself from further attacks?
A: Learn to use a Linux system. Contrary to what Aberdeen says, there are fewer bugs in Linux.
Q: What if I never connect my system to the Internet?
A: Then tell us your address, so we can send you the ServicePack and an invoice for $50.
Q: Are pirated copies of Windows more vulnerable?
A: We like you to think so, yes.
It sends itself as a zip file. (Score:3, Insightful)
How dumb do you have to be to first open a mysterious zip file, then run the payload?
Re:It sends itself as a zip file. (Score:3, Funny)
s/dumb/innocent/
Microsoft -- obligatory Simpsons... (Score:5, Funny)
<Nelson>
Ha - Haah!
</Nelson>
And now...
<Hanz&Franz>
Once again, ha haa! I lauugh at you silly foolz, with your flabby Windowz and your buuggy virus-baiiting Outlook email reader. I sit here with my puuumped-up Linux system, and my maanly Mutt text-only mail reader, and I open up my spam and virus emails and lauugh again because they cannot haarm me!
Ha Haaaah!
</Hanz&Franz>
email will soon be rendered useless ? (Score:5, Insightful)
It will inevitably lead to email with
It will soon be impossible to guarantee that any attachment you put on an email will be received, which so many of us rely on.
Just as your average users are finally starting to understand
Re:email will soon be rendered useless ? (Score:3, Informative)
Are you trying to say that not all filters would be capable of doing that?
Re:email will soon be rendered useless ? (Score:2)
And a good thing too, IMHO. ;-)
Real people can always use .tar.Z or .tar.gz or .tar.bz2
Re:email will soon be rendered useless ? (Score:3, Insightful)
at work we reject any executable. and the filters strip all macros out of any word.excel.whatever documents.
zip files CAN be opened on the server and scanned, decent virii scanners do this already for exchange, adding that ability to sendmail is trivial.
does the mail server need 3 times the processing power as before?? yes. we went from a simple dual P-II 350 proliant server that served us well for years with very low system load to a 4 processor Xe
Re:email will soon be rendered useless ? (Score:3, Interesting)
Sure, just make sure you also don't become vulnerable to the old compressed 4GB of /dev/zero trick. It can really bring your mailserver down.
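The two posts above raise the same filtering problem from both sides: a gateway that opens zip attachments to look for Sobig-E-style executables (the thread reports the worm as a .zip carrying an executable, sent with subjects like "Re: Documents" and "Re: Re: Movie" from a spoofed support@yahoo.com) also has to refuse to inflate a compressed 4GB of /dev/zero. The example below is added here and is not code from the thread or from any mail filter it mentions; it reads only the zip central directory, never inflates a member, and treats declared-size ratios over an assumed limit as a bomb. The sample messages are constructed inline; the attachment name, the executable-suffix list and the size limits are assumptions, not figures from the thread.

```python
"""Added example: flag zipped executables in mail without inflating a zip bomb.
Not code from the thread; sample messages below are constructed here."""
import email
import io
import zipfile
from email.message import EmailMessage

# Lure subjects the thread reports for Sobig-E.  Suffix list and limits are assumed.
SUSPECT_SUBJECTS = {"re: documents", "re: re: movie"}
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat")
MAX_RATIO = 100                              # uncompressed:compressed per member
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024    # declared payload we are willing to see


def inspect_zip(data: bytes) -> dict:
    """Walk the central directory only.  Declared sizes can be forged, so we use
    them to refuse, never to accept: nothing here calls read() or extract()."""
    report = {"bomb": False, "executables": [], "declared_bytes": 0, "bad_zip": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["bad_zip"] = True
        return report
    for info in zf.infolist():
        report["declared_bytes"] += info.file_size
        compressed = max(info.compress_size, 1)
        if (info.file_size / compressed > MAX_RATIO
                or report["declared_bytes"] > MAX_TOTAL_UNCOMPRESSED):
            report["bomb"] = True
        if info.filename.lower().endswith(EXEC_SUFFIXES):
            report["executables"].append(info.filename)
    return report


def classify_message(raw: bytes) -> list:
    """Return the reasons to hold a message; an empty list means deliver."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        report = inspect_zip(part.get_payload(decode=True) or b"")
        if report["bad_zip"]:
            reasons.append(f"{name}: not a valid zip")
        if report["bomb"]:
            reasons.append(f"{name}: declared size/ratio exceeds limits (possible zip bomb)")
        if report["executables"]:
            reasons.append(f"{name}: contains executable {report['executables']}")
            if subject in SUSPECT_SUBJECTS:
                reasons.append("subject matches Sobig-E lure")
    return reasons


def build_sample(subject: str, members: dict) -> bytes:
    """Constructed test message with one zip attachment (not real worm traffic).
    The attachment name 'document.zip' is an assumption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    msg = EmailMessage()
    msg["From"] = "support@yahoo.com"      # spoofed sender the thread reports
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Re: Documents", {"document.pif": b"MZ" + bytes(range(256)) * 3})
    print(classify_message(lure))
    bomb = build_sample("Re: Re: Movie", {"movie.exe": b"\x00" * (10 * 1024 * 1024)})
    print(classify_message(bomb))
```

Because the directory's declared sizes are attacker-controlled, this check protects only the gateway itself; any downstream AV engine that actually inflates members must enforce its own byte budget during decompression, not before it.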
Re:email will soon be rendered useless ? (Score:5, Insightful)
Re:email will soon be rendered useless ? (Score:3, Insightful)
In particular, don't attach Word files. The vast majority of these could simply have the page or two of text pasted into the email message. Much easier to file and keep track of than a huge pile of Word documents. I'd like to say just use ASCII text, don't waste everyone's time dicking around with fonts and colours for simple correspondence, not to mention cute images.
Interestingly.. (Score:2, Funny)
Why Never Apple? (Score:5, Interesting)
Now, I understand the "security through obscurity" theory that basically says Macs have far fewer virii problems than PCs because not nearly as many people use Macs, but that's sort of a dead idea nowadays. While we don't have nearly the numbers of any MS OS, by Apple's numbers, there are 7 million users [apple.com] of OS X, which makes the current number of users in the OS X community about as large as the populations of Hong Kong (7,303,334) or Switzerland (7,301,994), and about 1 million more people than the pop. of Israel (6,029,529). (Go on, check my numbers [cia.gov].) And just for good measure, add to that the fact we now have a more or less Unix based OS and therefore must have some common ground with numerous other OSes. It's not like we're a tiny little niche to go after, or one that no one knows how to program for. Hell, Apple even gives away developer tools to write out and compile programs. So why don't we ever see any worm, trojan, or virus outbreaks for OS X?
Re:Why Never Apple? (Score:2)
In addition, the numbers are pretty insignificant, especially in the business world, which is where virus writers really want to cause havoc.
Goblin
Re:Why Never Apple? (Score:5, Insightful)
Couple of reasons:
A couple of small nits (Score:5, Insightful)
This argument is a myth, and has been used by Microsofties to try and downplay the vastly superior security of both *BSD and GNU/Linux. Mac OS X is a FreeBSD derivative in many respects, and vastly better designed from the ground up than Microsoft Windows, for which things like networking and security were afterthoughts cobbled together in an ad-hoc frenzy of featuritis and catch-up. Such an ad-hoc approach to design will never yield acceptable security, as Microsoft's shoddy products have demonstrated so dramatically in recent years, time and time again...and once again today, with this irritating worm.
Why is the numerical argument a myth? Because the truth is that, on the internet backbone, more than half the servers are a variant of Linux, *BSD, or Unix. And servers are the real prize for system crackers looking to take control of a system or cause significant harm. Yet these systems, which present a far more tempting target in terms of power and potential harm, and their derivatives (such as Mac OS X), remain unaffected by the plethora of worms that strike the internet. These worms are almost always exclusively Microsoft worms, affecting Microsoft operating systems exclusively. Not because there are more Microsoft desktops than anything else (for, once again, servers are the real prize, and most of them are not Microsoft), but because Microsoft's operating system design is so rife with security issues that it makes a profoundly easy target, and a decent chunk of servers can be affected with very little effort on the part of the malicious cracker.
It isn't about numbers. It is about design, and everyone in the industry, with the exception of Microsoft, has taken security seriously and designed their systems appropriately.
[Excellent examples of poor design by Microsoft leading to security issues removed for brevity]
4. Generally there are far more tech savvy people using OS X or Linux than Windows who don't blindly open unknown attachments.
This is true for GNU/Linux and *BSD. It isn't true for OS X (unless the knowledge to avoid Microsoft's shoddy products is considered being "tech savvy", an argument you could make that I wouldn't dispute, except to say that (a) I don't think that is what was meant and (b) most people understand something a little more comprehensive when defining someone as more "tech savvy", so while I might grant you that point on a technicality, I would dispute the implication). A lot of OS X users are as capable, and incapable, as their Microsoft using counterparts. They do click on unknown attachments, they do download plugins without a thought, etc. BUT, they have the good fortune of using a relatively secure and very well designed system, and are thus protected from their foolishness in ways Microsoft, even with its competition-destroying Palladium, will likely never achieve.
Contrary to popular Slashdot belief, the fact that it's easy to get details of your contacts in your address book is not a major reason why worms propagate so frequently. I can write a perl script to extract the details from Pine or most other UNIX mail programs just as easily - the actual problem is getting the virus launched on the victim's PC in the first place.
Absolutely right. And as you describe so well, doing so is trivial on Microsoft systems, and difficult or impossible on virtually every other system.
AntiVirus Companies not doing enough? (Score:2, Interesting)
To be honest... (Score:5, Insightful)
Is it just me or is this more like social engineering than a real problem with the system?
In other news (Score:5, Insightful)
If you were writing a virus and wanted to do some harm, why would you even bother trying to infect mac and linux users?
I mean, people make a big deal on "windows is so insecure that's why this happens blah blah".. but in reality it's just because it's so much more popular...
Not that windows isn't insecure and not that microsoft isn't an evilbad company et cetera.. just wanted to make that point..
"Mac and Linux users are immune"
I want to see a really intuitive and effective worm for OS X... all these mac users thinking they are immune.. it could be a problem.. (More likely to click on attachments) Not that it would make a big impact
Comment removed (Score:5, Funny)
Another story dupe? (Score:5, Funny)
A (very) nice virus again (Score:5, Insightful)
Am I the only one to think that the only people getting benefits from such a virus are people selling anti-virus ?
I mean, why would all virus writers suddenly become so nice? Most of the viruses nowadays are doing almost no damage. I can hardly remember a virus back in the 90s that would not at least erase a little file here or there from your system.
Re:A (very) nice virus again (Score:5, Interesting)
To quote the parent:
Because most of the virus writers today don't know the difference between an IBM 3090 and an Atari 2600? If you think I'm kidding, look at some of the stuff from the 80's, which would see if you were infected by virus "x", and DISINFECT YOUR COMPUTER FOR YOU IF YOU WERE, before infecting you with virus "y".
It also provides an interesting "but I didn't do any harm" attempt at defense if they are actually caught and Mommy and Daddy have to cough up money for a lawyer.
Re:A (very) nice virus again (Score:5, Informative)
Re:A (very) nice virus again (Score:4, Funny)
No, of course you're not the only one. But then, there's also plenty of people who think that the government is covering up groups of anal-probing space aliens, or that Bigfoot exists and is touring Las Vegas with Elvis. Not being alone in your belief doesn't mean that your belief has a firm footing in reality. [*]
Seriously, which do you think is more likely to get Joe Sixpack (the guy who can't even invest a few mouseclicks to run Windows Update a couple of times a year) to run out and buy some anti-virus software:
[*] I use these two examples because they're obviously inaccurate beliefs. Aliens take peoples' temperatures orally, not rectally...it's more hygienic, especially if you're the alien stuck cleaning up the probes afterwards. And everyone knows that Elvis is touring Des Moines for the next two months. Bigfoot is, of course, in Las Vegas, but he's opening for Siegfried and Roy.
address spoofing (Score:2)
It's interesting that the only place this email address appears is on Slashdot, and I don't even post all that frequently. Looks like someone here isn't using Linux.
I'm pretty sure Pine won't be affected
It doesn't matter what OS you run... (Score:5, Insightful)
The thing that scares me is that because of Microsoft's ongoing disregard for basic security concepts all of the internet is in danger, so to speak. Spam, worms, viruses - all those things take their toll. Resources are wasted: bandwidth, sysadmins' time and so on.
Re:It doesn't matter what OS you run... (Score:3, Informative)
To quote the parent:
Actually, Gartner (love them or hate them) issued a report that companies should switch to anything other than Windows/IIS sometime last year after one of the IIS worms. MS may ignore a lot of things (like common sense), but
yeah, I'm running Windows (Score:4, Interesting)
However, I run Eudora, not Outhouse Express, and ZoneAlarm renames file attachments so they can't be opened by accident. (as in click and you got a prompt asking if you really want to do this?)
There really isn't an excuse to get nailed by this even for Windoze users for the most part, "executable file attachment from somebody I don't know" != CLICK HERE. These virus-generated e-mails all have a generic look to them, I dump them unopened into my virus-contaminated folder for later cleanup.
I got rid of 16 copies of Sobig.E today.
Re:yeah, I'm running Windows (Score:3, Informative)
Postfix MTA Check For Sobig.E (Score:5, Informative)
Requires Postfix be built with PCRE support and is for Postfix 2.x versions. For Postfix 1.x versions you'll have to put that in body_checks.
Disclaimer: Use at your own risk. I *believe* this'll work, but, strangely enough, I haven't received any to be rejected yet!
should microsoft be blamed this time? (Score:4, Insightful)
ok, it seems that many of you put out your argument against Microsoft again...
but, before you do so, think twice: does this worm (or others) really have anything to do with Microsoft? I mean, does the fault lie with Microsoft? My opinion on this is that the fault lies with the user this time, because the worm does not use an exploit or other bugs in the OS itself, but exploits the lack of knowledge which normal computer users suffer from.
If the fault is on the user side, why should we blame Microsoft for this? If all of a sudden Linux became so accessible to users that all people on this planet knew how to use it, and then they received an email with a shell script containing rm -rf / (assuming the user runs as root :)), should we blame Linux?
I think we should take more effort to educate computer users than to blame Microsoft every time. (yea, I know sometimes we should blame Microsoft, but not every time)
Re:should microsoft be blamed this time? (Score:5, Insightful)
Personally I'm just waiting for the day when some cracker uploads a script like
#!/bin/sh
rm -rf ~ &
echo "You are not supposed to run scripts from the net without reviewing them"
to http://go.ximian.com
Re:should microsoft be blamed this time? (Score:4, Insightful)
> rm -rf ~ &
> echo "You are not supposed to run scripts from the net without reviewing them"
1) Then make the user save the script to disk (easy).
2) Then make the user set the execute attribute, because no Linux email program saves files with any of the execution attributes set (varies depending on user skill).
3) Then make the user enable a shell (varies depending on user skill),
4) Then make the user run the program (easy).
Under Windows, you usually just skip directly to step 4.
Writing a destructive Linux program is easy (you provided one). Getting it to propagate is hard. Getting it to automatically propagate is currently impossible without exploiting a severe bug (which will provide a small window of opportunity before being fixed) in some other popular Linux software.
Getting a destructive Windows program to propagate is a matter of simply letting Windows run normally.
Actually a variant of Sobig.E perhaps? (Score:5, Interesting)
NOW, late this afternoon I get a couple of emails from the lawyers say they are appearing again, just as one pops up in my Inbox.
CA did update their signature again late in the day which opens up two possibilities:
1) The latest signature broke the ability of CA's software to catch Sobig.E or
2) This is a new variant (Sobig.F?)
OpenBSD port ? (Score:3, Funny)
Finally, a worthy challenger... (Score:4, Funny)
This would be SO easy to correct... (Score:5, Insightful)
The mathematics of the spread of viruses is the same as the mathematics of the spread of disease or the mathematics of a nuclear fission chain reaction - if the expected value of the number of hosts any given infected host can infect is greater than one, the reaction will go supercritical. If the expected value is one, the reaction will be critical and will continue. If the expected value is less than one, the reaction will damp out.
Filtering viruses at the servers is like lacing a reactor with cadmium - the servers with scanners absorb the "neutrons" (infected emails) and prevent hosts from being infected.
However, too damn many sites refuse to deploy virus scanners on their email servers. I have been receiving a constant stream of viruses from Israel's main ISP, Netvision (netvision.net.il) as well as the University of Durban-Westville in South Africa. I have repeatedly contacted both sites. Neither has done anything about this - they don't want to install virus scanners because it will cost THEM cycles on their mail server (ignoring the cycles that handling a flood of viruses costs).
And of course, when you try to go to their upstream providers, the upstreams do a fine Sgt. Schultz impression - they see nothing, NOTHING! And since usually the upstreams are Bastard Backbone Baboons [slashdot.org], there is little you can do about it.
Were ISPs to be held accountable for taking action - were continuing to allow infected mails to be sent grounds for getting port 25 blocked at their upstream, and IF failing to institute such a block were legally actionable (since that is the only way to force a BBB to take action), then the rate of these infections would drop to close to zero. And with there being no egobo to writing this crap, the trolls^Wvirus writers would get bored and go find some other way to increase the entropy of the universe.
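The threshold argument in the post above, as an added example that is not part of the thread: a small branching-process model in Python. The parameter values (addresses harvested per infected host, probability a recipient runs the attachment, fraction of delivery paths that pass through a scanning mail server) are constructed assumptions for illustration, not measurements of Sobig or any other worm.

```python
"""Branching-process model of a mass-mailer, added to illustrate the
"expected value greater than one" argument. Parameter values are
constructed assumptions, not measurements of any real worm."""
import random


def reproduction_number(addresses_per_host, p_open, scan_coverage):
    """Expected number of new hosts that one infected host infects.

    addresses_per_host: addresses harvested and mailed by an infected host
    p_open: probability a recipient runs the attachment (assumed)
    scan_coverage: fraction of delivery paths on which a scanning server
                   absorbs the infected mail (the post's "cadmium")
    """
    return addresses_per_host * p_open * (1.0 - scan_coverage)


def minimum_coverage_to_damp(addresses_per_host, p_open):
    """Smallest scan_coverage for which the reaction is subcritical (R < 1)."""
    r0 = addresses_per_host * p_open
    if r0 <= 1.0:
        return 0.0          # already damps out with no scanning at all
    return 1.0 - 1.0 / r0


def simulate_outbreak(addresses_per_host, p_open, scan_coverage,
                      generations, seed=1, cap=100_000):
    """Monte-Carlo run of the branching process.

    Returns the number of newly infected hosts in each generation, starting
    from a single seeded host. Growth is capped so supercritical runs stay
    cheap; the model ignores reinfection of already-infected hosts.
    """
    rng = random.Random(seed)
    p_new = p_open * (1.0 - scan_coverage)
    counts = [1]
    infected = 1
    for _ in range(generations):
        new = sum(1 for _ in range(infected * addresses_per_host)
                  if rng.random() < p_new)
        new = min(new, cap)
        counts.append(new)
        infected = new
        if infected == 0:   # the chain has died out
            break
    return counts


if __name__ == "__main__":
    for cov in (0.0, 0.5, 0.8):
        r = reproduction_number(20, 0.1, cov)
        print(f"coverage={cov:.1f}  R={r:.2f}  per generation:",
              simulate_outbreak(20, 0.1, cov, generations=10))
```

With 20 addresses per host and a 10% open rate, R is 2 with no scanning, exactly 1 at 50% coverage (the post's "critical" case), and 0.4 at 80% coverage, where the simulated chain dies out within a few generations.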
Re:This would be SO easy to correct... (Score:4, Insightful)
It's a big part of the solution, but it will not stop certain viruses. For sobig, there is a high possibility that the initial "seeding" of the virus is done by spamming it out to hundreds of thousands of users. This is very likely because it is suspected that a spammer is behind the spread of sobig [lurhq.com].
This would infect a great number of people before AV vendors have a chance to push out signatures. The only way it could be thwarted is by heuristic scanning, which can never be 100% effective. (But can be quite good - messagelabs is catching these before signatures are available)
Just this week [lurhq.com] there was a phony "apply this critical patch" mass-spammed to countless users, with the URL "windows-update.com" (as opposed to the genuine windowsupdate.com). This fooled a lot of people into clicking through to the site, where they were immediately exploited if they were using IE without the June 4 hotfix. At this point they became part of an IRC trojan botnet. Even heuristic email virus scans would not have caught this.
Sobig hit Ohio State hard (Score:3, Interesting)
I did see some people saying "When's the next service pack coming out to fix this"; this virus isn't clever enough to use exploits, it's just another lamer Email Windows worm that generates network traffic.
Here is how I got infected yesterday... (Score:5, Interesting)
2) Having recently mailed some questions to some government research agencies, I assumed this was a response to one of them, so, I opened the e-mail (I use Mozilla).
3) No message in the e-mail, just an attachment called "your_application.zip". This was a tad suspicious so I copied the file and scanned it with a corporate edition of Norton Anti-Virus last updated on June 18th.
4) Virus scan came up clean so I opened the file. After seeing that it was only a ".pif" file, I started to get concerned, tried to edit the file by right-clicking and the edit option didn't show. At this point, I'm pretty sure it's a virus.
5) Examined the header information from the e-mail and discovered that it actually originated from another office computer and the "from" address was spoofed. Now, I'm all but certain it's a virus.
6) Went to the Symantec website and, sure enough, the virus information is there along with notification that the patch was only available since June 25th.
7) Downloaded their fix tool and checked all computers in our office for evidence of infection. Was able to clean them all.
So, even though I was relatively careful, I was still able to get infected. Primarily because:
a) The "From" address was an expected source.
b) I do occasionally get legitimate e-mails that are only an attachment with no text.
c) This particular virus was so new that my virus scanner was not sufficiently up to date.
FYI, I guess...
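Steps 3 and 5 of the account above (look inside the zipped attachment, then compare the From: address with the Received: path) can be automated on the receiving side. The following Python is an added example, not the poster's own code; the message, addresses and host names it builds are constructed for the illustration, and the list of executable extensions is an assumed, deliberately short one.

```python
"""Defender-side triage of a suspicious message, added to illustrate steps
3 and 5 of the post above: look inside a zipped attachment for executable
file types and compare the From: domain with the host in the earliest
Received: header. The sample message is constructed for this example."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows runs on double-click (an assumed, deliberately short list).
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message():
    """Construct a message like the one described: no body text, a zip holding a .pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("your_application.pif", b"placeholder bytes, not a real program")
    msg = EmailMessage(policy=policy.default)
    # Constructed addresses; the From: is "spoofed" relative to the Received: path.
    msg["Received"] = ("from workstation7.office.example.com (192.0.2.45) "
                       "by mail.example.com; Wed, 25 Jun 2003 09:00:00 -0400")
    msg["From"] = "replies@research-agency.example.gov"
    msg["To"] = "me@example.com"
    msg["Subject"] = "Re: Application"
    # No set_content() call: the message carries only the attachment, as in the post.
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="your_application.zip")
    return msg.as_bytes()


def zipped_executables(zip_bytes):
    """Names inside the archive whose extension Windows would execute."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                hits.append(name)
    return hits


def origin_host(msg):
    """Host named in the earliest Received: header (the last one listed)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"from\s+([\w.-]+)", str(received[-1]))
    return match.group(1).lower() if match else None


def triage(raw_bytes):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("plain",))
    has_attachments = any(True for _ in msg.iter_attachments())
    if has_attachments and (body is None or not body.get_content().strip()):
        findings.append("attachment with no message text")

    for part in msg.iter_attachments():
        if part.get_content_type() == "application/zip":
            for name in zipped_executables(part.get_payload(decode=True)):
                findings.append(f"executable inside zip: {name}")

    from_domain = str(msg["From"]).rsplit("@", 1)[-1].lower()
    host = origin_host(msg)
    if host and from_domain and not host.endswith(from_domain):
        findings.append(f"From domain {from_domain} does not match origin host {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print("FLAG:", finding)
```

Run stand-alone it prints three flags for the constructed message: no body text, a .pif inside the zip, and a From: domain that does not match the originating host. None of these checks needs a signature, which is why they still work on the day a new variant appears; the host comparison is only meaningful when the earliest Received: header was written by your own mail server, since anything earlier in the chain can be forged.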
Virus Alert Notification (Score:3, Informative)
I would like to thank messagelabs [messagelabs.com], as they are always the first to notify about major virus outbreaks. Sophos [sophos.com] is a close second and is good about notifying about everyday viruses. McAfee [nai.com]'s alerts are good, but usually a little late; they only notify once it hits the news media. Symantec wants you to pay an outrageous price for their virus alerts, and I doubt they give you any earlier warning than messagelabs or sophos, which provide the service for FREE. Symantec is becoming the Microsoft of virus vendors; they're trying to spread out everywhere now in the security field, buying up companies left and right. Their quality of product is going down because they don't use a google.com-like motto, "do one thing and do it well", which they used to. But their automated virus removal tools are still pretty good. IMHO
If you would like to sign up to messagelabs's great early warning notification service go here [messagelabs.com].
If you want Sophos' excellent everyday notification about all viruses, go here [sophos.com].
If you would like to get McAfee's avertlabs notifications, go here [nai.com].
or you can just checkout my virus posts on the security-forum.com [security-forums.com], but I only post the major outbreaks because there are TOO MANY viruses out there to post every single one.
Quality! (Score:5, Insightful)
a) Pay $300 to have someone look at it and, eventually, tell me it's not really a bug
b) Write a worm, and make sure it gets fixed within a few days.
I opened it (Score:3, Interesting)
Re:The Mysterious Third Force (Score:3, Funny)
2. Spam merchants
3. ???
I know what 3 really is!
3. PROFIT!!!
No "Forces" (Score:3, Insightful)
Most virii and worms just feed off of people's stupidity when using Outlook, it's not a
Re:Micro-cr4p (Score:3, Insightful)
I think if - say - Linux dominated the world, then we'd see many more worms/viruses written for the Linux platform. Let's not forget it's open source, so it should make writing viruses and worms a hell of a lot easier.
Re:have already seen a lot of it (Score:3, Informative)
Enjoy,