Worms Security

New Worm Installs Sniffer

fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T : More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built into Windows XP) to deliver a curious message to infected users. The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea). F-Secure has a copy of the sound file generated by the message."
  • by Anonymous Coward on Monday September 13, 2004 @04:11PM (#10239866)
    Then dust free computers for all!
  • by Lord Grey ( 463613 ) * on Monday September 13, 2004 @04:12PM (#10239874)
    Here is propagation information on the worm WORM_SDBOT.UH from Trend Micro [trendmicro.com] (link pulled from the article):

    Network Propagation and Exploits

    This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. Read more on this vulnerability from the following link:

    It also takes advantage of the Buffer Overflow in SQL Server 2000 vulnerability. Read more on this vulnerability from the following link:

    This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server. The following link offers more information from Microsoft about this vulnerability:

    It also exploits the Windows LSASS vulnerability. This is a buffer overrun vulnerability that allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system. For more information about this vulnerability, refer to the following Microsoft Web site:

    This worm spreads via network shares, using NetBEUI functions to get available lists of user names and passwords. It then searches for and lists down the following shared folders, where it drops a copy of itself using the gathered information:
    • Admin$\system32
    • C$\windows\system32
    • C$\winnt\system32
    • Ipc$
    Trend Micro reports that the worm runs on Windows 95, 98, ME, NT, 2000, and XP. But notice that they report that the worm is not in the wild. So... where is it? Did they get a prerelease?
    • But notice that they report that the worm is not in the wild. So... where is it? Did they get a prerelease?
      At least the crackers won't be getting a vaporware award this year. How long have people been waiting for DNF??? Maybe 3dRealms can hire some of these coders and put them to marginally better use...
    • by baadfood ( 690464 ) on Monday September 13, 2004 @04:24PM (#10240032)
      Duh! They made it themselves of course!
    • yep! (Score:5, Informative)

      by Zilfondel2 ( 662431 ) on Monday September 13, 2004 @04:38PM (#10240200)
      Yea, actually, a lot of the time the virus writers DO email them to the different antivirus companies. Having your virus added to the weekly virus definition files is part of their bragging rights.

      Do you really think there are 55,000 viruses in the wild?

      Yea yea, I worked for Symantec for a couple of years.
      • Re:yep! (Score:5, Interesting)

        by f8free ( 779580 ) on Monday September 13, 2004 @04:56PM (#10240395)
        I've always wondered about that kind of thing... most especially, what's to stop the antivirus companies from writing their own virii?

        Not that they'd need to do it at this point, but talk about your perpetual business model...

        • Re:yep! (Score:5, Interesting)

          by One Louder ( 595430 ) on Monday September 13, 2004 @05:52PM (#10241019)
          ...what's to stop the antivirus companies from writing their own virii?
          The competition.

          Imagine the publicity if an anti-virus software vendor were able to prove that a virus was produced by one of its competitors.

          • Re:yep! (Score:3, Interesting)

            by f8free ( 779580 )
            That would be the biggest risk, to be sure. But tracking down the source of a virus is quite difficult, and that's when it's the work of a single (or just a few) hacker(s). Imagine if some corporate muscle were applied in burying the source. I'd worry about whistleblowers, too. Were I an ethically challenged antivirus company CEO, that is.
  • How much longer? (Score:5, Interesting)

    by cbrocious ( 764766 ) on Monday September 13, 2004 @04:12PM (#10239875) Homepage
    How much longer before worms use their own TCP/IP stack? Wouldn't much surprise me, and might be beneficial for getting around firewalls. Might be a cool little project to make a zoo virus that does it.
  • New worms... (Score:5, Interesting)

    by Nos. ( 179609 ) <andrew@nOSPAm.thekerrs.ca> on Monday September 13, 2004 @04:13PM (#10239896) Homepage
    The newest MyDoom variant has the author asking for a job...
    http://www.vnunet.com/news/1158043 [vnunet.com]
    The Amus worm speaks [zdnet.com] to infected users.
    I don't know if I should laugh or cry. I just know I'm getting calls in the next few days because someone's computer says "How are you...".
  • Encrypt! (Score:5, Informative)

    by WD_40 ( 156877 ) on Monday September 13, 2004 @04:13PM (#10239897) Homepage
    As demonstrated at DEFCON with "The Wall of Sheep" (stupid name, cool idea) it seems that a lot of people who should know better still don't encrypt their password transmissions.

    If you haven't already, it's time to get serious about encryption.
    • Re:Encrypt! (Score:5, Interesting)

      by koreth ( 409849 ) on Monday September 13, 2004 @04:26PM (#10240049)
      That won't help you if you're infected by this worm, which does keystroke logging. You can encrypt your password six ways from Sunday and it will still have been intercepted before it ever reaches your encryption software.

      Not that I'm against encryption or anything. But it won't necessarily stop your passwords from being stolen.

      • Re:Encrypt! (Score:3, Insightful)

        by Anonymous Coward
        Yes, if you're running Windows you can get infected with this or any of the myriad other worms, some of which install keyloggers. The unique thing about this is that it installs a NETWORK SNIFFER and not a keylogger on the box, meaning that other machines on the same network can get "sniffed" even if they're not infected.

        The upshot is that all of those people who normally ignore virus alerts because they run Linux [Slashdot audience] need to confirm they encrypt everything and then go about ignoring these
      • Re:Encrypt! (Score:5, Interesting)

        by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Monday September 13, 2004 @06:03PM (#10241152) Homepage Journal
        I used to use an encryption program that attempted to get around keystroke loggers...by remapping your keyboard when you were in the password box. A keystroke logger would see gobbledygook...granted, it was a simple cipher, but since there isn't enough information in a single 16 character password to generate a key for such a cipher, it was still pretty secure.

        I stopped using it when I got my mac, because built-in AES-128 is just easier than mucking about with encrypted disk drivers and suchlike. I don't have that much to keep secure anyway...just some receipts, beer recipes and incriminating photos
      • by JaredOfEuropa ( 526365 ) on Monday September 13, 2004 @06:57PM (#10241671) Journal
        You can beat keystroke loggers by entering your password a few letters at a time in random order, using the mouse to place the cursor at the correct location in the half-finished password. I don't think there's a keystroke logger that is able to work out where you clicked in the password entry box.

        Cumbersome, but it's something I do on untrusted computers like the ones in web cafés.
      • Re:Encrypt! (Score:5, Informative)

        by rainer_d ( 115765 ) on Monday September 13, 2004 @07:53PM (#10242144) Homepage
        > You can encrypt your password six ways from
        > Sunday and it will still have been intercepted
        > before it ever reaches your encryption software.

        Indeed. But there's that nice Squirrelmail plugin that lets you use a virtual keyboard to enter your password ;-)

        Rainer
  • A few points (Score:5, Interesting)

    by Meostro ( 788797 ) * on Monday September 13, 2004 @04:13PM (#10239898) Homepage Journal
    1. A Link to Trend Micro's SDBot.UH [trendmicro.com] analysis

    2. I love the fact that this worm drops itself as BLING.EXE

    3. This worm uses carnivore network sniffer and checks for the following strings
    As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities I'd say you deserve what you get in this case.

    4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
    • It has 6 paths of infection: 5 vulnerabilities (as above) plus open shares
    • It attempts to steal CD keys for some games.
    • It installs a network sniffer
    • It has an interface with 26 commands that the bad guys can use on an 0wned box
    • It can log keystrokes
    It doesn't destroy anything all by itself, although it probably crashes some boxen through the exploits (was that just Sasser, or is that part of the LSASS flaw?) It still sucks, but it's just an expected evolution.

    I'm still waiting for the really bad one...
    • Re:A few points (Score:5, Interesting)

      by savagedome ( 742194 ) on Monday September 13, 2004 @04:18PM (#10239957)
      I'm still waiting for the really bad one...

      A really bad one would look for Excel/Word files and modify a couple of data entries in a huge list of numbers.

      Kind of like someone breaking into the house, leaving something obnoxious under the fridge that starts smelling bad really gradually over a period of few months.

      Imagine the look on the PHB's face when 6 months down the line he realizes while doing some entries in the sheet that the p/e ratio is negative!
      • by ricotest ( 807136 ) on Monday September 13, 2004 @04:38PM (#10240202)
        As soon as your comment was posted, a dozen hackers got to work on a virus that does exactly what you describe. Thanks for helping fuck up my reports, asshole.
      • the bad one (Score:5, Insightful)

        by Clover_Kicker ( 20761 ) <clover_kicker@yahoo.com> on Monday September 13, 2004 @04:50PM (#10240325)
        I'm waiting for a virus that greps all your documents for each name in your address book.

        If a document contains a person's name, email it to them.

        I can see it now, salary spreadsheets and confidential memos flying around to the very people who are not allowed to see them...
      • Re:A few points (Score:5, Interesting)

        by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Monday September 13, 2004 @04:58PM (#10240421) Journal
        The really bad ones are already out in the wild, and they do not damage your data.

        They wait 'till you go to an HTTPS site and then they log your keystrokes. It's about cash money for the villains, and not doing anything to get caught.
        • Re:A few points (Score:4, Interesting)

          by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Monday September 13, 2004 @06:13PM (#10241248) Homepage Journal
          I saw a few nasty viruses back in college...Empire Monkey was one, wrecked your MBR and just enough data to mean a reinstall was inevitable. One that manipulated the MBR and the lock-up bug on the Pentium processor. Finally, there was a notorious Word virus called Meat Grinder. Did nothing for the first few dozen saves, then overwrote your file on disk with complete gibberish.

          Saw a graduate student reduced to sobbing over that last one...her teacher was a real prick and wouldn't take anything late for any reason and she had not been educated on the importance of multiple backups. It was 2 am the day before it was due and no amount of Norton Disk Doctor was going to save her (luckily, she'd been on a machine the day before and just shut it down, we had 13 of 20 pages autosaved). I had to call him the next day, and he didn't believe me. I wound up referring him to the head of academic computing, who essentially told the guy that this was the worst virus he'd ever seen and it would be utterly heartless not to give the girl an extension. Dr. Wolf was the MAN.

          All of these spread via diskettes and public terminals. Be glad nobody's applied these concepts to an internet worm. We'd be fucked.
          • Re:A few points (Score:3, Interesting)

            by bobbozzo ( 622815 )
            There was a destructive internet worm recently.
            It attacked PC's via a hole in BlackICE firewall.

            After reproducing for a little while, it began randomly overwriting sectors on the HD. Eventually your OS (and probably a lot of data) would be fubar.

            URL: http://www.f-secure.com/v-descs/witty.shtml [f-secure.com]
      • by EngMedic ( 604629 ) on Monday September 13, 2004 @07:56PM (#10242163) Homepage
        I still think the best (worst?) virus would delete one card at random from solitare....
    • Re:A few points (Score:3, Insightful)

      by Amiga Lover ( 708890 )
      It attempts to steal CD keys for some games.

      This was part of my argument for the ridiculousness of a developer making an app delete a user's home directory when a pirated key is found.

      1. user buys shareware. one of the honest 1%, if statistics can be believed.
      2. user loses unique use of the shareware key to worm/keygen
      3. shareware key spreads, and is labelled a pirate version
      4. original user updates their shareware app, shareware app nukes their home folder.
  • I'm still waiting... (Score:3, Interesting)

    by 00Sovereign ( 106393 ) on Monday September 13, 2004 @04:13PM (#10239901)
    for the "INDUCEd PATRIOT" worm that detects P2P traffic and then promptly shuts down the computer.
  • Oh no (Score:4, Funny)

    by antifoidulus ( 807088 ) on Monday September 13, 2004 @04:14PM (#10239904) Homepage Journal
    my password to asianthumbs.org may have been jeopardized!
    Oh no, I have said too much!
    Damn you autopr0n, why, why did you have to die!!!
  • by Anonymous Coward on Monday September 13, 2004 @04:14PM (#10239911)
    .. if your network smells bad.
  • Squawker (Score:5, Interesting)

    by swordboy ( 472941 ) on Monday September 13, 2004 @04:14PM (#10239913) Journal
  • by Jailbrekr ( 73837 ) <jailbrekr@digitaladdiction.net> on Monday September 13, 2004 @04:15PM (#10239920) Homepage
    If you have a proper switch, then sniffing should not be a problem, as the traffic on the network will not reach the infected computer (unless it is also a server). Sadly, I fear that a lot of the consumer "switches" on the market do not do proper routing, and have insufficient mac routing tables.
    • I fear that a lot of the consumer "switches" on the market do not do proper routing

      All home routers I've seen (dlink, linksys, smc, belkin) do route, but only between the outside and the inside. On the inside, the 4 ports are on a regular hub, so no routing. This is appropriate for the normal usage pattern, 4 computers connected through the router to the evil internet. The sniffer would work fine. If the thing can sniff bank-account passwords from victims' home computers, it should give the author more
      • by Anonymous Coward on Monday September 13, 2004 @05:10PM (#10240562)
        Hubs, switches and routers are three different pieces of network equipment.

        Hubs are collapsed ethernet busses: Every attached device can see every ethernet frame sent by any other attached device.

        Switches work on a higher layer: They inspect the frames and send only broadcast frames to all devices. For the rest of the frames, they maintain a table of MAC-layer addresses of all devices attached to the switch ports. Targeted frames only get sent to the port to which the target device is connected.

        Routers work on an even higher level: They inspect IP packets and do with them about the same as what switches do with ethernet frames. Routers are generally more flexible about the rules regarding the packet flow than switches. It is not uncommon for routers to have the ability to perform switch-like ethernet level functions as well, but conceptually routing and switching are two different beasts.

        At least cheap home switches can be tricked into passing frames to the "wrong" ports in several ways. One method is to flood the MAC-address-to-port table. Most switches then fall back into hub mode. Generally speaking, non-manageable switches and switches without clearly-defined reactions to MAC flooding are not security devices. You should assume that an attacker can read your packets on a switched network.
    • If you flood the arp cache of most switches they will failover to behaving like a hub. There are other tricks as well.

      Switches don't route, they switch: they're a layer 2 device.

      I have an AU$25 switch that *is* a switch. I've tested it (not hard to test: I used tcpdump). No one seems to be building hubs anymore because it's become so damn cheap to build a switch.

      Also the "switching" nature of a switch is more for performance reasons rather than security. A switch can store the packets in a small buffer the
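The two comments above describe how a learning switch keeps a MAC-to-port table and how many cheap switches fall back to hub behaviour once that table is flooded. The following script is an added example, not code from the thread, showing the port-security style check a defender would run over MAC-table observations: it flags any port that sources more distinct MAC addresses inside a time window than a normal host ever would. The log format (`epoch_seconds port src_mac`), port names and thresholds are assumptions, and the sample log is constructed.

```python
"""Port-security style audit for MAC-table flooding (added example).

A learning switch records one MAC-to-port entry per source address it sees.
If a single port sources hundreds of distinct MACs in seconds, the table fills
and many unmanaged switches start flooding frames to every port like a hub,
which is what a sniffer on that segment needs.  Managed switches counter this
with a per-port limit on learned addresses; this script applies the same rule
offline to a log of (timestamp, port, src_mac) observations.
"""
from collections import defaultdict, deque
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_records(text):
    """Parse 'epoch_seconds port src_mac' lines into a sorted list of tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, port, mac = line.split()
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed MAC address: {mac}")
        records.append((float(ts), port, mac))
    return sorted(records)


def flooding_ports(records, max_macs=8, window=60.0):
    """Return {port: peak distinct source MACs} for every port that sourced
    more than max_macs distinct addresses within any window-second interval.

    A normal access port carries one host (a few MACs at most, e.g. a VM
    host); anything beyond max_macs is treated as a flooding attempt.
    """
    seen = defaultdict(deque)   # port -> (ts, mac) observations, oldest first
    alerts = {}
    for ts, port, mac in records:
        q = seen[port]
        q.append((ts, mac))
        while q and ts - q[0][0] > window:   # drop observations outside window
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > max_macs and distinct > alerts.get(port, 0):
            alerts[port] = distinct
    return alerts


# Constructed sample: two quiet access ports and one port (Gi0/7) that sources
# twelve different MACs in twelve seconds, the signature of table flooding.
SAMPLE_LOG = "\n".join(
    ["100 Gi0/1 00:11:22:33:44:01",
     "101 Gi0/1 00:11:22:33:44:02",
     "102 Gi0/2 00:11:22:33:44:03"]
    + [f"{110 + i} Gi0/7 de:ad:be:ef:00:{i:02x}" for i in range(12)]
    + ["200 Gi0/1 00:11:22:33:44:01"]
)

if __name__ == "__main__":
    for port, peak in flooding_ports(parse_records(SAMPLE_LOG)).items():
        print(f"ALERT {port}: {peak} distinct source MACs in one window")
```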
  • by MisterP ( 156738 ) * on Monday September 13, 2004 @04:15PM (#10239926)
    "When I read these things it kind of makes me wonder why it took this long."

    I often wonder the same thing. With all the different worms that infect unpatched Windows machines, why hasn't someone written one that effectively deletes everything on the machine just short of rendering itself unable to propagate?

    • by newend ( 796893 ) on Monday September 13, 2004 @04:22PM (#10240004)
      If you delete everything on the machine, then the virus can't propagate. What would have to happen is the virus would have to have a delay, and then there is a risk that it will be discovered before the payload (deletion) takes place. Further, I think most of the virus writers think of it more as a game, and don't really want to destroy data so much as see what they can accomplish. Would you rather destroy Rome or own it?
  • by grolschie ( 610666 ) on Monday September 13, 2004 @04:16PM (#10239933)
    ...or does the term "packet sniffer" remind anyone of someones pet dog?
  • by Skedoozy ( 675706 ) on Monday September 13, 2004 @04:16PM (#10239934)
    We need someone to go after these people with the intensity that the RIAA goes after 13 year old girls who don't want to pay for Hoobastank songs. If only the hackers would start going after people like the RIAA instead of trying to screw the everyday person out of their information so they can buy more mods for their Xbox. Then we could air it on MTV as Celebrity Geek Match!
    • The RIAA is doing the only thing that copyright owners CAN do to protect their copyrights: they're pursuing legal damages for material copied without permission. They don't know whether it's 13 year old girls or the fucking mafia...all they have is a list of IP addresses of people serving one or more copyrighted songs. What are they supposed to do when it turns out that some of these file sharers are young kids or grand parents or the handicapped? Say, "oops, sorry, you're allowed to infringe however you
  • by soulsteal ( 104635 ) <soulsteal@EINSTE ... minus physicist> on Monday September 13, 2004 @04:16PM (#10239940) Homepage
    ..but I, for one, don't care about our network-sniffing overlords.
  • Scary (Score:4, Insightful)

    by StevenHenderson ( 806391 ) <[moc.liamg] [ta] [nosrednehevets]> on Monday September 13, 2004 @04:19PM (#10239959)
    Personally, I find this scary as shit. I think virii like this are going to be the reasons to compel a lot of middle-ability users to switch to Linux. Hell, I might cast off Windows now once and for all...
    • Re:Scary (Score:3, Insightful)

      by DogDude ( 805747 )
      Personally, I find this scary as shit. I think virii like this are going to be the reasons to compel a lot of middle-ability users to switch to Linux.

      The only thing that Linux has got going for itself right now is security through obscurity. If Linux ever becomes popular as a desktop platform, I'm willing to bet my life that we'll start seeing worms targeting it, too.
      • Re:Scary (Score:3, Insightful)

        by SCHecklerX ( 229973 )
        nowadays, most linux distros ship with most services disabled by default, with the option of enabling iptables as part of the install. True, there could be a daemon that could propagate a worm, but it is not as likely to be running on an end user workstation.

        Compare this to windows, which has no easy way to disable dcom, rpc, and such.

    • Re:Scary (Score:4, Insightful)

      by Greyfox ( 87712 ) on Monday September 13, 2004 @06:02PM (#10241137) Homepage Journal
      Yeah, but the average user doesn't care about security. If they did, they'd have actually run Windows update and patched their systems against the vulnerabilities that this worm exploits. Same said users would move over to Linux, never patch their systems and have their systems taken over the next time a remote exploit is found.

      In fact, the average user either got a copy of Windows with their computer and never upgraded it, or they pirated a version of Windows and are not able to download updates. They always say the same thing too. "Oh, I'm just one computer out on the net! They'd never notice my computer out there!"

      That's why I think Internet usage should require a license. If you connect to it without knowing what you're doing, you're putting everyone in danger. Potentially at least as much danger as broadcasting on a ham radio without knowing what you're doing.

  • by stickystyle ( 799509 ) on Monday September 13, 2004 @04:20PM (#10239968) Homepage
    Most networks are switched these days, making this pointless. Why not install a keylogger???
    Then the evil person doesnt have to deal with all the encryption mumbo-jumbo.
  • by ARRRLovin ( 807926 ) on Monday September 13, 2004 @04:20PM (#10239977)
    ......ran windows update on all infected machines? Would people get pissed?

    • by still_sick ( 585332 ) on Monday September 13, 2004 @05:16PM (#10240650)
      ......ran windows update on all infected machines? Would people get pissed?

      Would people get pissed? HELL YES.

      I recall one particularly annoying weekend when my computer DVD player stopped working. Something screwed up or something - whatever it was, the damn video was not being decoded properly.

      Tried everything I could think of. New Drive, New Drivers, endless newsgroup searching, blah blah blah to no avail.

      Then it occurred to me that between the time that my DVD player last worked and then did not, I had installed Win2k SP4.

      So just as a test I went and uninstalled the bastard, everything worked FINE after that - with the original HW/SW configuration.

      So now I'm not installing SP4 because it BREAKS MY SYSTEM - not because I'm unaware of it, or too stupid to install it.

      I don't need nor want some dumbass "I'm smarter than you, and doing this for your own good" 1337 prick trying to install SP4 for me.
      • I don't need nor want some dumbass "I'm smarter than you, and doing this for your own good" 1337 prick trying to install SP4 for me

        A worm like this would only be able to get into computers that are unprotected, so assuming you're a security conscious fellow, you wouldn't have to worry about it. Now, if your computer was vulnerable, wouldn't it be better that your computer gets patched (and possibly screws up your dvd player) than having an unprotected machine waiting to get hosed by some hacker?

        I'm actu

  • by rwven ( 663186 ) on Monday September 13, 2004 @04:20PM (#10239979)
    ...Afterwards it took me over an hour to unscrew the side of my case to get my nose out...
  • Use of switches? (Score:3, Insightful)

    by chrispyman ( 710460 ) on Monday September 13, 2004 @04:21PM (#10239983)
    Since it's pretty rare these days to see either a computer attached to a hub (vs a switch) and it's also unlikely to see a Windows based router, wouldn't this make the worm's payload only applicable in most cases to the computer that gets infected? Also, I note it spreads through several other well known exploits, and you'd think people would have realized to patch and cleanup against these after MSBlast and Nimda.
    • Switches are all well and good, but you forget about cable modems. While downstream traffic is only sent to the modem, all upstream traffic using QAM encoding techniques is a shared medium, so a sniffer on that wire could get some interesting traffic.

      Packet sniffers are not a good thing to have just running, but an auto-propagating one is even worse, and should not be taken lightly.
  • by teamhasnoi ( 554944 ) <teamhasnoi@yahoo.cLIONom minus cat> on Monday September 13, 2004 @04:28PM (#10240086) Journal
    is that it's a never-ending job, when the user is at the keyboard, doing things that I would never do.

    I've been telling my old 'customers' that I'm retired. I then tell them that I will give them support for free for life if they buy a Mac.

    This is usually met with, 'Wha? Really?"

    Yup. I'm enjoying the stories of crazy Windows happenings, virus mystery, and constant crashing (Yeah, XP is ok, but not when you have 127 viruses, trojans, spyware and keyloggers all vying for a clock cycle and outgoing port.)

    And I'm especially loving not working on Windows boxes.

  • by Ungrounded Lightning ( 62228 ) on Monday September 13, 2004 @04:29PM (#10240102) Journal
    ... a new worm installs a network sniffer ... it kind of makes me wonder why it took this long.

    What's new about that?

    Network sniffers installed on compromised machines is the ENTIRE REASON DMZs were invented - so the network sniffer can only sniff the DMZ, not the LAN behind the second packet-filtering router/bridge.

    DMZs have been standard practice for over a decade. If there's anything new about this, it's just that it's the first time a worm in the wild has been identified as installing a sniffer.

    But that's hardly surprising. The explosion of professionally-engineered worms is quite recent, as is consumer-level deployment of multi-machine LANs behind firewall+NAT appliances. (I'd expect packet-sniffing cracks aimed at businesses to be more targeted rather than worm-style scatterguns, if only to reduce their chances of discovery.) Seems to me the time became ripe JUST NOW for general deployment of a sniffer-installing Microsoft-exploiting worm.
  • oh no (Score:4, Funny)

    by teamhasnoi ( 554944 ) <teamhasnoi@yahoo.cLIONom minus cat> on Monday September 13, 2004 @04:31PM (#10240124) Journal
    Please don't forward this link [transitive.com] to any virus authors!

    We could all be doooooooomed!

  • SSL for everything (Score:5, Interesting)

    by Matt Perry ( 793115 ) <[moc.oohay] [ta] [45ttam.yrrep]> on Monday September 13, 2004 @04:32PM (#10240141)
    from the hope-you're-using-ssl-for-everything dept.
    Why aren't we using SSL for everything? Why aren't we building strong encryption into everything? I started wondering this several months ago when I had to run VNC on a windows box and had no way to secure it. Sure, under linux you can tunnel it over SSH, but that wasn't an option on a windows machine.

    And regarding another thing, how come so many services require a certificate (such as SSL with email, imap, pop, etc) rather than auto-negotiating it like SSH does?

    • by hab136 ( 30884 )
      how come so many services require a certificate (such as SSL with email, imap, pop, etc) rather than auto-negotiating it like SSH does?

      The idea is that you can verify the certificate belongs to who it says it belongs to (like www.yourbank.com), without exchanging any other communication (such as SSH's fingerprints) - you just verify the site's signature from Verisign (or whomever). SSH relies on you confirming the fingerprint the first time you connect.

      You can generate your own SSL certs if you don't c

  • Question (Score:3, Informative)

    by prostoalex ( 308614 ) on Monday September 13, 2004 @04:33PM (#10240143) Homepage Journal
    Cannot check this right now, but wouldn't it be possible to write a Windows executable that writes to the HOSTS file? The file is at a known location, and couldn't you add a line to redirect msn.com and yahoo.com to your own site?

    Seems like a fairly simple exploit.
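The HOSTS file is consulted before DNS, so the check a defender wants for the scenario in this comment is an audit that separates ad-blocker sinkhole entries from entries that redirect a public name somewhere routable. The script below is an added example, not code from the thread; the Windows path is the standard one, the sample file content is constructed, and the classification labels are my own.

```python
"""Audit a HOSTS file for redirect (hijack) entries (added example).

Entries mapping names to 127.0.0.1, ::1 or 0.0.0.0 are sinkholes used by
ad-block lists and are harmless.  Entries that point a name at a routable
address override DNS for every program on the box and deserve a look, and
anything that moves 'localhost' off the loopback address is always wrong.
Default Windows location: %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Explicit RFC 1918 check: ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which would hide a test hijack address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return [(ip_address, hostname)] pairs; comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank or malformed line
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first field is not an address
        for name in parts[1:]:                    # aliases share the address
            entries.append((ip, name.lower()))
    return entries


def classify(ip, name):
    """Return None for a benign entry, otherwise a short reason label."""
    if name == "localhost":
        return None if ip.is_loopback else "localhost-hijack"
    if ip.is_loopback or ip.is_unspecified:
        return None                               # sinkhole; harmless
    if ip.is_link_local or any(ip in net for net in RFC1918):
        return "private"                          # internal override; verify
    if ip.version == 6 and ip.is_private:
        return "private"                          # IPv6 unique local address
    return "public"                               # name redirected off-box


def audit_hosts(text):
    """Return [(hostname, ip_string, reason)] for every suspicious entry."""
    findings = []
    for ip, name in parse_hosts(text):
        reason = classify(ip, name)
        if reason:
            findings.append((name, str(ip), reason))
    return findings


# Constructed sample: normal localhost lines, an ad sinkhole, an internal
# override, a hijack of two public names, and a tampered localhost entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # ad sinkhole, benign
192.168.1.10    intranet.corp.example    # internal override, review
203.0.113.5     www.msn.com mail.yahoo.com   # constructed hijack
10.0.0.9        localhost                # tampered loopback entry
not-an-address  garbage
"""

if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:17} {ip:15} {name}")
```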
  • by caluml ( 551744 ) <slashdotNO@SPAMspamgoeshere.calum.org> on Monday September 13, 2004 @04:34PM (#10240155) Homepage
    This is strange - I found a bling.exe on a Windows machine at work a while ago, as it was spewing out 445 if I remember rightly - several weeks. I searched for info on it, and I didn't find anything, which I thought was strange.
    I think I must have got hit by an early-adopter version.
  • by ChiralSoftware ( 743411 ) <info@chiralsoftware.net> on Monday September 13, 2004 @04:36PM (#10240173) Homepage
    Remember back to the days of MS-DOS? Everything was very minimal and non-bloated, but still, things were slow. As computers got faster, software didn't get faster. It just got more bloated to take advantage of all that new speed and memory available. Today I have dozens of windows open, a media player, an IDE, mail reader, etc, and you need 256mb to run Linux or Windows XP. That's bloat. But, they do a lot more than they used to. Much much more.

    And it's the same with worms. Rather than hand-coding them in assembly to get them in under 1000 bytes (or whatever) they can now be developed with good tools, useful libraries, and they can have all kinds of extra functionality built in. So expect worms with more features as we go along.

    It's time to really start thinking about security-by-design. VM systems like Java, or capability-based systems like EROS [eros-os.org] are the way we are going to finally squish these worms. I'm so tired of helping relatives with anti-virus software. There shouldn't be anti-virus software. Operating systems shouldn't allow viruses and worms to exist. Security problems like this are not an inherent part of software.

    • by evn ( 686927 ) on Monday September 13, 2004 @05:12PM (#10240602)

      drip-drip-drip method of torture

      So all I have to do is wait a couple more years! Then I will buy a naked machine, connect it to the internet, and in minutes a full OS will be installed by a worm! The best part is that it will probably be more up to date than the Windows machines spreading this garbage.

      Maybe I should patch emacs to propagate itself and get the jump on the script kiddies ;)

  • by account_deleted ( 4530225 ) on Monday September 13, 2004 @04:37PM (#10240196)
    Comment removed based on user account deletion
    • by Dr.Dubious DDQ ( 11968 ) on Monday September 13, 2004 @05:15PM (#10240631) Homepage

      Heck, I'm still waiting for the one that uses the infected PC's existing saved emails to attach itself to and forward itself with. It'll be "funny" when major corporate executives start having their private, confidential, Microsoft(r) Outlook(tm) corporate emails spewed out to random people on the internet along with the virus...corporate budget planning emails, deal negotiations...it's all there...

  • hope-you're-using-ssl-for-everything

    Mmmm, cos that would prevent the key stroke logger from working. It's probably more dangerous if you are using SSL, as you will have that warm fuzzy feeling that all is well, and you'll tap away all your privatest things.

    Bad encryption is worse than no encryption.

  • by loqi ( 754476 ) on Monday September 13, 2004 @04:43PM (#10240257)
    A lot of /.'ers have pointed out that most networks are switched nowadays; however, there are still plenty of networks out there that aren't.

    Every mid-level enthusiast home network I've known was just running a dumb hub, and I'm also familiar with a university that ran hubs per floor in the dorms (you couldn't get floor 8's data on floor 9, but as for everyone on floor 9...). This worm still has a plenty big playground.
  • by zaqattack911 ( 532040 ) on Monday September 13, 2004 @04:52PM (#10240345) Journal
How does it normally spread?
What Windows vulnerabilities is it using?
Is it an email attachment? What is the attachment called .. or its variants??

For Christ's sake...

    Love, Zaq
  • by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Monday September 13, 2004 @04:55PM (#10240383) Journal
Perhaps it took this long because the bad guys were busy installing keystroke recorders so that they could defeat encrypted network traffic. Also, switched networks help keep the impact of the sniffing to the infected computer -- unless the network terminates at an infected computer -- thus making this less of a threat to large organizations using 100% switched networks...
  • by daemonc ( 145175 ) on Monday September 13, 2004 @07:29PM (#10241929)
    I'm still waiting for a worm that installs Linux on the infected computer.

Propagation:
    Scan random IP addresses, use multiple Windows exploits, etc. This part has been done a thousand times before, no need to reinvent the wheel.

    Payload:
    1. The worm itself
    2. Grub for Dos [yginfo.net]
    3. The contents of a network install disk [redhat.com]

    Behavior:
    1. Upon infection, the worm will install Grub for Dos, and copy the contents of the network boot disk into c:\boot, but will not modify the boot.ini file.
2. The worm process will run in the background, and attempt to propagate itself.
3. At a predefined interval, the worm will pop up a window that says: "Your computer has been infected by the so-and-so worm. To install Linux and prevent this from ever happening again, click OK." (This worm should be socially responsible. We don't want to force Linux on the masses, just gently persuade them using Windows' lack of security as a tool.)
4. Continue to propagate as long as the user clicks "Cancel".
    5. When the user clicks "OK":
    5a. ping a mirror list [redhat.com] to find the fastest mirror
    5b. write a kickstart [linuxdevcenter.com] to the boot directory to use that mirror.
    5c. modify the boot.ini file to boot Grub.
    5d. Reboot the machine, and it shall be cleansed!
  • by Beryllium Sphere(tm) ( 193358 ) on Monday September 13, 2004 @07:33PM (#10241960) Journal
    nVIR on the early Macintoshes would use the Macintalk speech engine to say "Don't Panic". One source says nVIR got discovered in January 1987.
  • by Mulletproof ( 513805 ) on Monday September 13, 2004 @08:30PM (#10242379) Homepage Journal
    "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye"

    AMAZING. The first virus that has the capacity to destroy not only the victim's computer, but his BRAIN as well. I swear, these guys need to start hiring professional comedians to do their dirty work, or we're all screwed.

  • PromiscDetect (Score:5, Informative)

    by rsteele19 ( 150541 ) on Monday September 13, 2004 @08:35PM (#10242403) Homepage
    The Netcraft article noted that checking to see if your network adapter is in promiscuous mode is a good way to tell if your machine has a sniffer running on it. Unfortunately, they did not mention how one can go about doing this.

    If you're using Linux, just run
    ifconfig -a
    and look for the string "PROMISC".

If, however, you're using Windows, you need to get a utility called PromiscDetect [ntsecurity.nu]. Run it from a command prompt. If it indicates the Directed, Multicast and Broadcast filters are active, then you're probably OK.

    Source: Computerworld [computerworld.com]
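The Linux check above can be scripted instead of eyeballing ifconfig output: the kernel exposes the same interface flags word in /sys/class/net/<if>/flags, and "PROMISC" corresponds to the IFF_PROMISC bit (0x100). The script below is an added example, not part of the original comment; it takes the sysfs directory as a parameter so it can be run against a constructed sample tree as well as the live system.

```shell
#!/bin/sh
# Added example: detect promiscuous-mode interfaces on Linux by reading the
# interface flags from sysfs. IFF_PROMISC is bit 0x100 of the flags word;
# it is the same bit that makes "ifconfig -a" print PROMISC.

# is_promisc FLAGS -> exit status 0 if IFF_PROMISC (0x100) is set.
# FLAGS is the hex value as found in /sys/class/net/<if>/flags, e.g. 0x1143.
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# list_promisc [SYSFS_NET_DIR] -> prints the name of every interface whose
# flags have the promiscuous bit set. Defaults to the live sysfs tree.
list_promisc() {
    dir=${1:-/sys/class/net}
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue            # unmatched glob or unreadable entry
        iface=$(basename "$(dirname "$f")")
        if is_promisc "$(cat "$f")"; then
            printf '%s\n' "$iface"
        fi
    done
}

# Constructed sample tree for offline testing (not real system data):
#   eth0: UP|BROADCAST|RUNNING|MULTICAST            = 0x1043 (clean)
#   eth1: UP|BROADCAST|RUNNING|MULTICAST|PROMISC    = 0x1143 (sniffer?)
#   lo:   UP|LOOPBACK                               = 0x9
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/eth0" "$d/eth1" "$d/lo"
    printf '0x1043\n' > "$d/eth0/flags"
    printf '0x1143\n' > "$d/eth1/flags"
    printf '0x9\n'    > "$d/lo/flags"
    printf '%s\n' "$d"
}

# Stand-alone run: report against the live system.
if [ "${1:-}" = "--live" ]; then
    list_promisc
fi
```

A PROMISC flag is only a hint (legitimate tools such as tcpdump set it too), so treat a hit as something to investigate rather than a verdict.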
