Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug

Gnutella VBS Worm 263

TRingstad writes: "ZDNet has an article about a new worm infecting Gnutella users. The worm changes the gnutella.ini file to accept VBS files and places 23 Trojan files in the Gnutella download directory so that others on the network may find them. It then creates a 'victim' file with some statistics on what generation of the worm infected the user and on what date. Finally, it copies a warning, 'If I was a naughty boy, I could use scripting to get name, email, whatever file I want.'"
This discussion has been archived. No new comments can be posted.

Gnutella VBS Worm

Comments Filter:
  • Under FreeBSD or Linux, *vbs trojans aren't much of an issue...

    Silly Microsoft users, they almost deserve what they get. Why is no one suing the pants off of MS, since they practically sponsor/condone all these virii by intentionally using insecure technology?
  • by Rilke ( 12096 ) on Monday June 05, 2000 @08:42AM (#1024778)
    I agree with the user in this situation. I should be able to open any e-mail I receive, and my mail reader sure as hell shouldn't be executing any code in that email without asking me first.

    I receive unsolicited e-mail all the time, and I feel free to open it in mutt, because I know that embedded executables are not going to be run.

    The user in this situation is absolutely correct. They're running under the assumption that just *looking* at an email should never be dangerous. They're assuming not only that a nobody would write a mail reader stupid enough to execute code without asking, but that if anybody did happen to write such a stupid program, the tech support department where they work would never allow such a program to be loaded on everybody's machine.

    In a sane world, that would be a good assumption...
  • This is the way I see it. And this isn't only about the Gnutella Worm, its about viruses in general. In any truely free system (free as in free speech, of course), you can not fully prevent one person from causing harm onto another. You can restrict the system, create more restrictions and secure, but then some freedom is lost. That is because freedom relies upon people who choose not to cause harm onto other people.

    In a specific sense, this guy who created the worm is only exploiting the freedom he was granted. Thus people start locking down and all of us loose a certain amount of freedom.

    There is a very good reason why we dislike people who pull these kind of stunts. It is because we know that if we invested that kind time annd effort in creating a virus or worm, we could do it. But we don't. Because we want to keep our freedom on the internet. Because we know that no one ever said we couldn't cause harm to other people's systems. Because as long as we have freedom, we *know* we can cause harm. But we don't because we are moral beings.

    The Power of Freedom is directly our ability to influence others and ourselves. If you can't see this---if you only see the internet and other users of the internet as some sort of game, then you do not deserve the little freedom we have left.

    Time for a little maturity (speaking from a 17 year old :)

  • Is it just me, or could this (whatever it is - 'trojan horse' sounds good to me) do what it does just as well if it were compiled code, rather than a VBS? That way, it could also target the users without scripting enabled.

    To whoever wrote this: learn C, or C++, or something better than BASIC. Trust me, it'll do you wonders :)
  • Get your definitions right, ZDNet.

    I've been noticing the same things in just about every virus-related news story. My favourite mis-definition was one I saw a few weeks ago: "A worm is a virus that can replicate itself".

  • Virii/worms/trojans/whatever rarely fit nicely into only one category but rather have traits from two or more families of pestilences. This vbs propegates like a worm yet decieves like a trojan.

  • Careful now, there have been some infamous online discussions about the origins of AIDS, and HIV's apparent preferrence for certain subsets of society..

    Ignorance, thankfully, can be cured with education. Stupidity and arrogance on the other hand...

    Besides, getting rid of the 'stupid' would just raise the bar of 'average' higher. :)

  • You can get basic to work in Linux. I forgot the name of the program, but IIRC it was on Slackware 3.5. I bet you could port visual basic to Linux, and then set the premissions to 4755 with owner root for the runtime interputer, that should work.

    I think most people firgure it like this

    GNU == Unix
    UNIX == GNU/Linux
    GNU/Linux == Linux
    (GNU *anything* || anything OpenSource) == Linux

    which I am not claiming it is right, but when I first heard GNUtella, I thought it was a Unix program from the Free Software Foundations...

    What does the "tella" stand for anyways?

  • Seriously though, if Microsoft wanted to make it more security, give it user premissions like Unix,

    NT has those permissions. For Win9x to have them, they had to change the file system (FAT) and some other things, breaking their whole we-remake-DOS-once-a-year-and-you-better-buy-it compatibility. So, nothing will change.
  • Actually it is a good exercise. It seems that after a while people would learn to be more careful.
  • You should clarify that.

    Doesn't happen on your *nix box.

    --
  • Big deal. I conducted an experiment: a user gets a file that says: This is the Unix version of "I Love You" which works on the honor system. If you receive this mail, you should delete a bunch of GIFs, MP3s and binaries from your home directory, then send a copy of this email to everyone you know and then click on the following link: click this [geocities.com] in order to increment the count of systems that this virus had spread to. Thank you. ----- The worst thing is that in less than a week over 480 clicks have being recorded!
  • People have to be told that "You just don't run stuff from an untrusted source."

    And by "trusted", you have to specify not just "I know this person and he doesn't want to hurt me maliciously" but also "I trust whatever he's running on his system not to hurt me". The recent Outlook worms et al have demonstrated that any idiot running an insecure system can spread all sorts of nasties to his friends and colleagues, who normally trust him.

  • Can this really be classified as worm, since it has to be downloaded by other users? Also, how does this go about making users download it?
  • Is it just me or is this the first one out there that actively warns poeple about what it can do? Perhaps people will wake up finally.
  • by Proteus ( 1926 ) on Monday June 05, 2000 @06:46AM (#1024806) Homepage Journal
    Well, I'm glad to see that the "hacker's ethic" isn't dead yet.

    This could easily have been a lot worse -- the author could have trashed the systems of victims. However, it is simply a warning created to illustrate a serious security hole. Kudos! This is the ethical side of hacking that was always encouraged by the community as I was learning.

    And spare the "hacker v. cracker" definition wars -- IMO, crackers are malevolent, and the author of this worm is certainly not.

    --

  • by deefer ( 82630 ) on Monday June 05, 2000 @06:47AM (#1024808) Homepage
    Is it just me, or are there more & more viruses/trojans crawling out of the woodwork of late?
    Is it an underground effort by the Linux zealots to undermine Windows? Is it a cunning ploy by Micro$lop to get people to buy W2K?
    Or is it the anti-virus vendors drumming up sales?
    Or am I just paranoid, and it's all coincidence?

    Strong data typing is for those with weak minds.

  • VBS is good just as any scripting language is good. You can script in it. I won't go as far as to say it's as good as Perl or other scripting languages, but it's used for similar purposes. Inherently, VBScript isn't bad. It's no worse than any other scripting languate. The problem is a combination of things, mostly OS and OS settings.
  • Why, again is it stupid? I know it is stupid but, why?
  • I think people are misunderstanding this situation.. Some are saying that if Gnutella were opensourced, a problem like this wouldn't exist (for various reasons.)

    This is incorrect. First of all, Gnutella's network protocol (half of which is based on HTTP) is documented, and a variety of both open and closed source clients exist.

    This trojan doesn't use any kind of a backdoor in Gnutella technology. Rather, it's spread by the users themselves. They download a file (like 'collegesex' or whatever), which is actually a .vbs script, double click it, and then the trojan does it's stuff.

    So, this is no problem with Gnutella. It's just users who don't have a strong enough security background, and who can't decern scripts from other types of files.

    This can happen to anyone, on any OS. Just so happens that Microsoft's are the easiest to use, and generally have the users that would fall for it.

    Hope this clears up some misinformation. Guys/girls, please try not to jump to conclusions about everything (like how open source would have prevented this.)
  • Something I always wanted to do back when I worked in a Windows shop -- back up the standard IT dept warnings about not opening attachments by writing a simple program to mail us back saying "User x just opened an attachment." After a round of public humiliations everyone would be told that this would be a continuous policy, and would henceforth be a disciplinary offence.

    Naturally the idea was a complete non-starter. The whole reason they used Outlook in the first place was so they could send each other pretty HTMLified mail with, like, colours ! and fonts ! and stiuff; plus they were always mailing 100Mb Excel and Access docs around to each other.
    Camaron de la Isla [flamenco-world.com] 'When I sing with pleasure, my

  • By this standard the ILOVEYOU author must also have been a white-hat -- well, grey-hat anyway -- consider, (a) 'ILOVEYOU' subjectline, without spaces, thus v easy to filter; (b) the fact that it could clearly have been /way/ more destructive.

    [off-topic] Still it doesn't seem to have had much effect on luser's behaviour. I guess we'll just have to wait for the Big One before people start to realise that an office with Microsoft /anywhere/ is a disaster waiting to happen.
    Camaron de la Isla [flamenco-world.com] 'When I sing with pleasure, my

  • Compatability with Excel spreadsheets is the main reason, I heard.

    Do you use spreadsheets alot?
  • they should call it something new. call it a boobytrap -- that's what it really is anyway. looks to me like it catches lots of them. (the cgi script posted earlier today certainly caught me. what a maroon. *bonk self*)

    eudas
  • Also, how would I go about checking a binary file I downloaded to make sure it's what I think it is and not an insidious worm?
    There are a few possibilities:
    • Download only from trusted sources. Hard to do with Gnutella, but practical with FTP or HTTP. Yes, the source could be compromised, but such a compromise would be quickly found and stopped. Don't trust your life that a download from, say, redhat.com is what it purports to be, but for most people the risk is minimal.
    • Download only files cryptographically signed by a trusted party. You've still got the problem of "who do I trust, and what if they are fooled?" but it's much more difficult to forge a cryptographic signature than to crack a server and put up a mailicious binary, and this can be used with anonymous-source downloads (i.e., Gnutella).
    • Download only source, and check it over yourself. That will only protect you against attacks you are knowledgable enough to find, and would get tedious real quick.
    • Run the binary in a sandbox or jail, where what it can do is limited. But that also means that the usefullness of the program is limited.
  • Hmm, to each his own.
    Refer to the first line again, AC...
    I rest my case...
    And posting at +2 because I am prepared to be counted by my words... I could get snotty here but... You're not worth it.

    Strong data typing is for those with weak minds.

  • I think it's because the Beatles were already the second coming, NKOTB was the third, and the Maurice Star boy groups (the Bel Biv D'Jours) kind muck up the numbers from there.

    Maybe we need, like, a Sony Music Corp Voice of a Generation, and a Warner Brothers Voice of a Generation, a Geffen Voice of a Generation and so on. That way it'd be easier to keep things straight.
  • Gnutella doesn't have much in the way of authentication or signatures for the files people download. That isn't a problem for MP3's--if you thought you downloaded Metallica and you get Pocahontas instead, nothing has been damaged. But for executables and some kinds of documents, it's a big problem.
  • by jabber ( 13196 ) on Monday June 05, 2000 @08:08AM (#1024838) Homepage
    I have developed a simple test to check your virus and computer IQ. You get enterred into a drawing for a $1000 bill, just for entering.

    To take the test, press Alt+F4, now.
  • by Misch ( 158807 ) on Monday June 05, 2000 @08:09AM (#1024839) Homepage
    PamelaAndersonMovie.mov, collegesex.zip, MetallicaMP3crack.zip

    To quote the article, it is in files marked "Pamela Anderson movie listing.vbs, collegesex.vbs, Battlefield Earth.vbs, Napster Metallica Crack.vbs and NSync.vbs"

    Because of the way windows works, you may see something like "PamelaAndersonMovie.mov.vbs", much like the ILOVEYOU virus had. But more often, Windows defaults to not showing the extension on .vbs files.

    Gnutella though, will show the .vbs extension before you download. And think about it... would a good movie be only a few thousand bytes long???

    The problem is that the amount of common sense in the universe is a constant, however, the population keeps rising. This particular one can only really hit your system if you download and run it.
  • Be smart, don't run anything from an untrusted source without checking it first.

    Isn't all of Gnutella pretty much an untrusted source?

    Also, how would I go about checking a binary file I downloaded to make sure it's what I think it is and not an insidious worm? Size could be a clue sometimes, but not all the time, especially if the programmer is smart and names it to look like appropriately sized binaries. Would virus protection software catch something like this?

  • I remeber when the CIH virus came out, I thought to myself "Dam that is pretty cool". I am not malice and I am sorry for the people that had their bios flashed cause of this, but you got to admit, that is atleast (if nothing else) an intresting payload, compared to say "format C: /q"

  • Don't be so proud of this technological terror you've created ....

    http://www.securityfocus.com/vdb/bottom.html?vid =664:

    Mutt Text/Enriched Handler Buffer Overflow Vulnerability

    A buffer overflow vulnerability in Mutt's handlers for the text/enriched MIME type allows malicious
    email messages to execute commands as the user running Mutt.

    bugtraq id
    664
    object
    mutt (exec)
    class
    Boundary Condition Error
    cve
    GENERIC-MAP-NOMATCH
    remote
    Yes
    local
    Yes
    published
    September 27, 1999
    updated
    April 11, 2000
    vulnerable
    Mutt Mutt 0.95.6
    not vulnerable
    Mutt Mutt 1.0pre3

    Nothing comparable with Outlook's abominable security model, and of course it could only trash your own files ... but just cos you're on Linux doesn't mean you're 100% safe.
    Camaron de la Isla [flamenco-world.com] 'When I sing with pleasure, my
  • You can download Gnutella for a variety of platforms from the Gnutella home page [wego.com].

    Some come with source. My favorite so far is gtk_gnutella that I run on Linux.

    The one problem I notice with Gnutella is that if I leave it running for a while - even idle - I will eventually need to reboot my cable modem.

    You will need an initial host to begin connecting to GnutellaNet. One is always show on the Gnutella home page.

  • However, Gnutella is not an Email program,

    No offence (well, hell, take offense), but did you even read the post I responded to? It was specifically about email, and it was from somebody in tech support telling a user not to even read email from somebody he/she didn't know.

    Assumptions are exactly the problem. They're assuming that the attachment in the message they recieve (or the file that they downlod in THIS case.) is not harmful, and happily clicking away on it.

    I disagree, I really do. There's nothing wrong with clicking on an attachment, or at least there shouldn't be. If it's harmful, then my mailreader shouldn't run it. It's that simple. I should be able to read text documents or view pictures from my mail reader, there's no good reason to execute code from there. And if I need to do this, make me be explicit about it, by piping the file to a specific command.

    *nix isn't without sin here. Shell archives were a terrible idea, and they've rightly become quite rare. And any *nix mailreader that executed a .shar file merely because I clicked on it would be broken as designed.

    As far as Tech Support goes, do you think that they should just disallow access to run any programs on a computer at all?

    No, they should disallow the ability to run executable code directly from the mail reader. When somebody says to me "I received an unknown email", I should be able to say "Click on it and see what it is. No harm can come of that." My mailer sure as hell shouldn't execute a file just because it had a .pl extension, especially if the mailer didn't even show me the extensions by default.

  • I think news stories about attacks are like news stories about any calamity. Earthquakes, terrorist activity, draughts, illegal-alien smugglings, LAPD scandals, whatever.

    There isn't really a larger number of tornados per year, looking at the big picture. There are more people, settling in more areas, so more people reporting heretofore-unseen tornados.

    If a couple stories are on the same topic in a short time, a news service will develop a "focus" on such stories, and will pick those out from the newsfeeds like Associated Press.

    When it comes to people-induced tragedy, the news stories generate a lot of copy-cats. Columbine, Melissa, Oklahoma City, the list goes on.

    The fact that the news services sensationalize the stories, with big numbers ($5 billion cost, blah blah), it's worse. Those big numbers are what businesses are putting in their claims forms for insurance claims against lost business, whether they really lost that much business or not.

  • by |DaBuzz| ( 33869 ) on Monday June 05, 2000 @08:17AM (#1024863)
    They say don't download/run anything from a source you don't trust ... the question is, why develop a client to interact on a GLOBAL, utterly anonymous peer to peer file sharing network if you can only download stuff from people you KNOW and TRUST?

    It's kinda like saying ... "use this product to get access to files you never would have dreamed of, but don't ever download or run anything you can't get from a local friend."

    Kinda defeats the purpose doesn't it? Rather, it illustrates the inherent weakness in this whole system and how people's desire to steal software overrides their common sense of not dealing with anonymous users you can't trust.

    If someone on the street offered you an opened Coca-cola, who would be stupid enough to drink it? Change the Coca-Cola to Mad Dog 20-20 and almost any alcoholic would drink it showing that common sense is often thrown out the window to get what we think we want/need but what in a lot of cases is not good for us puts us (and in this case, our computers) at serious risk of harm.
  • Ummm... metal in a microwave,

    ... normally doesn't harm the microwaver. If shaped correctly, it may generate some sparks, but that's it. You can actually get some pretty effect by putting a CD in (please use a Windows CD for this, it won't play after this stunt).

    microwave started with nothing inside it

    Although using the nuker "empty" is not very good for it, it won't damage it either just from one time.

    drying paper towls in the microwave which then catch a light when you take them out

    Yes, the nuker is indeed a great tool when you run out of matches. Other ways include: pencils (pretty quick), bread (leave it in for a couple of minutes), chocolate (black chocolate works best: wait til it melted, then leave it for one more minute). Pencil mines are interesting too, but you need something disposable to prop them up against.

    And the classic: eggs (no fire, but count a quarter of an hour's work to clean away the mess), soap (use a very small quantity, unless you have a really large nuker).

  • How should your email client decide what is harmful and what is not? Wouldn't that be the job of Anti-Virus software?

    It's not Harmful the client should know about, it's just Executable, and that's not really all that tough. Sure, it's a tiny bit tougher when we're dealing with script files rather than binaries, but there's absolutely no reason the mail client can't know about these. I can seeing missing something like .py if somebody has installed python, but c'mon, .vbs? (I haven't used outlook in years, does the program recognize .vbs as executable and run it anyway, or does it appear to outlook to be a document file for the VBScript interpreter?)

    And more importantly, in the corporate environment, there's no excuse for not letting the administrator set these things. I should be able to configure outlook to totally ignore certain types of attachments; if the user is advanced enough to change that setting, fine, but the innocent will be protected.

    Whether or not there is a good reason to execute code (or any other executable attachments) from within your browser depends on your environment.

    I don't see this, I really don't. Why should users need to execute emailed files? Self-extracting archives? Bad idea. I can agree with you here about the web browser, but not email. I can even agree about home usage, but we're talking about a corporate environment here.

    But the nixes don't have the ease of use and UI

    Agreed, I'm anything but a unix bigot here. But this thread started with a typical "blame the (L)user" attitude for an error that I strongly feel should be placed on the mail admin and on the software. The employee got an unsolicited resume, reading it should not be a harmful act.

    And that's what really annoyed me about it, I hate this attitude. It's like forcing people to change passwords every 2 weeks "to enhance security", and then complaining because the "stupid users" are writing their passwords down on post-its. Well, of course they are. Who can remember 26 different passwords a year?

    Here I admit I'm a bit confused. I can think of several ways that I can examine a program to see what it is without running it, but not a single way for an average user to do it.

    They should be able to just click on it. If the mailer doesn't show it then it was harmful and should be deleted. And if you (not *you*, but the administrator) haven't configured your mail clients so that users can safely read their e-mail, (and there's lots of view-only software out there for Word processing files) then don't go complaining about stupid (L)users when something goes wrong.

    And even if they could,"ILOVEYOU" has certainly shown us that they'll run it anyway, "Just to see what it does".

    Oh, don't get me started on MS Word, I've fought with MS over that for almost a decade now. It would have been so incredibly simple to make Word safe in the corporate environment, and they simply refused to do it. Check out this page [dfoster.com] for a fun story of dealing with MS.

  • Umm. I can do the same thing in netscape and ncftp.

    "...and you ran it as root, you'd delete pretty much everything on your system."

    Why would I do a stupid thing like that? Give me *some* credit, will you?

    I just thought there was something special about IRC clients, like maybe letting many people on IRC know my IP address when I run as root or something.
  • Back when I read alt.comp.virus regularly, it was understood that VBA stood for virus builder's assistant.

    People keep accusing Microsoft of making low quality products, but VBA was a major improvement from NuKe's Virus Creation Labs.

  • If someone does make one, I vote for the name "IHATEYOU". Just remove "Windows scripting host" and assocaite the .vbs extension with lets say notepad.exe...

    But then again, you are still accessing someone computer and chaning someone else data without their premission. Which even if you heart is in the right place, still might get you in trouble with someone.

    Plus what would happen if you script had a bug in it? Also should companies be allowed to "worm hole" hot-fixes into your computer without your premission? When the new service pack 6 screwed up some Lotus mail program, do you think IT managers would be happy that Microsoft automatically "fixed them" without premission?
  • I actually came across an example of this just now. I was searching for some live recordings from a San Francisco radio station called KFOG, and found a file called " kfog.html" (yes, with the space out front). If you open it, it redirects you to a web page, which then sends you to a porn site (well, it would have sent me to a porn site except that the person mistyped their own IP address in the file :) ).
  • by Rilke ( 12096 ) on Monday June 05, 2000 @08:22AM (#1024888)
    No, the first big MS Word virus, way back in 95 or so, was exactly like this. It caused no damage, it just propagated itself to try to make people aware of the huge security hole in Word. The payload said something like "Now I think I've proved my point".

    MS ignored it of course, and even released a new version of Word about a year later that opened the hole even further. Melissa, et. al. followed long after that.

  • I can't answer your first question, but seems like 'worm' is as good a handle as we've got right now. Maybe this calls for a new classification.

    As to the second question, it creates shared files with names like PamelaAndersonMovie.mov, collegesex.zip, MetallicaMP3crack.zip, etc. In other words it gives them attractive sounding names in the hopes that someone will see them and come download them.
  • Yeah, a great way to get back at them sharkz: lay out boobytrapped Metallica filez: they'll catch the flu, and hopefully learn the lesson that it's better to leave us geeks alone.

  • I know this, that is why I said for the runtime interputer, ok so it is spelled wrong, but you should still be able get the point of the post with a couple characters misplaced.

  • I agree with the user in this situation. I should be able to open any e-mail I receive, and my mail reader sure as hell shouldn't be executing any code in that email without asking me first.

    That makes perfect sense. However, Gnutella is not an Email program, and nothing is being executed without being asked to. Nor is anything being executed without being asked to in the case of ILOVEYOU and MS Outlook, which is what I assume you are talking about.

    I receive unsolicited e-mail all the time, and I feel free to open it in mutt, because I know that embedded executables are not going to be run.

    That's great too, but the problem isn't with just recienving email. And in the case of ILOVEYOU (if that's what we're talking about) embedded executables weren't being automatically run. I could just as easily send you a program as an attachment in Mutt, and if you ran it and it formatted your drives, it would be no different.

    The user in this situation is absolutely correct. They're running under the assumption *snip*

    Assumptions are exactly the problem. They're assuming that the attachment in the message they recieve (or the file that they downlod in THIS case.) is not harmful, and happily clicking away on it. As far as Tech Support goes, do you think that they should just disallow access to run any programs on a computer at all? That way nothing bad can happen, eh?

    -Tommy

  • which I am not claiming it is right, but when I first heard GNUtella, I thought it was a Unix program from the Free Software Foundations...

    What does the "tella" stand for anyways?


    Nutella is a chocolate spread that comes in a jar, akin to peanut butter. Its quite rich chocolate, very sweet.

    GNU + Nutella = GNUtella

    -- iCEBaLM
  • by Signal 11 ( 7608 ) on Monday June 05, 2000 @06:50AM (#1024903)
    A worm propagates automatically without user intervention - like the Great Internet Worm.. or, more recently, remote explorer. This is a trojan horse. Get your definitions right, ZDNet.

    Second, be very grateful the author was nice enough to make this a benign bug.. it could have had CIH as its payload.

  • If I were a naughty boy, I would use scripting to get name, email, or whatever file I want.
  • Before you go screaming and shouting, here are some facts I found after analyzing the script:
    • The "worm" only works if Gnutella is installed in the default directory, "C:\Program Files\Gnutella\". Since Gnutella doesn't use the registry or any other system-wide config files, it is fairly hard to pin down where it is installed. (One way, of course, would be to look at the Start Menu shortcuts, but those are optional as well. Maybe in version 1.2. <g>)
    • The user must search for the files with the particular names, download the file, and then execute it. The "worm" does not self-propagate. In fact, I'm not sure if it is even a worm. It seems more like a trojan to me. I think that the reports are automatically labeling anything written in VBScript as a worm.
    • Obviously, it rarely has an effect on any of the clones, since they don't use the same config file structure, and they usually aren't found in "C:\Program Files\Gnutella\".
    There we go, that should reduce the hype a little bit... or maybe not.

    --

  • If you check it there is no offical gnutella for linux just clones and linux doesnt deal with vbs or ini files. Get it right before you decide to rip on something you dont know about Beave
  • This is flamebait, I know, but it has to be said: I find it interesting (and dissappointing) that everyone here is so anxious to point out that this is not a worm (which is correct), yet most people had no problem with calling the ILOVEYOU trojan a worm, even though it used the exact same mechanism to propagate. (I.e. convincing stupid users to run it.)
  • by jbarnett ( 127033 ) on Monday June 05, 2000 @09:51AM (#1024911) Homepage

    I am not turning this into a whole OS security model vs stupid user war.

    If my grandparents get infected with a virus, worm or buggy program, guess who gets to clean up the mess? Me. I am trying to put some basic sense in their heads so I don't have to go over there and restore it.

    If they where running Unix or anything else I would say "Hey when someone says try `rm -rf /` you know they are kidding right?"

    I don't know or really care if it is the fault of the user or the security model of the OS, the only thing I know is that I don't like restoring a computer from OS up when it could be prevented with a few precautions (in this case information the user)

    Me sending them that program is my way to "test" them, you know those fire drills you had in school? that is what I am trying to do, it is intresting to see users reactions, but that isn't the point.

    The point is, when they have a fire in there house they will make it out alive, err I mean when there is a virus in there house they, the point was, as I stating is so that they know how to use fire to kill any virii that may be infecting there house due to biological warfare started by malcious computer users...

    As with any system (strong securtiy policy or not), you have to inform the users for the strengths and weaknesses of the system. Even if you have a extremely secure system, if you post the username and password to anyone, it becomes as secure as a overweight high school girl going to a dance...

    I am trying to stay away from the "stupid user vs insecure OS" war going on, but I think both sides agree that the user needs to be informed of basic security measures. A Unix system can be secure tell Bob posts the root password on irc...

    To test this theorgy someone please post there root password and ip on slashdot. :)

    (techinally if it was behind a firewall and had tcpwrappers installed and telnet/ftp/etc disable it still could be consider secure)

  • And I quote, from the Gnutella home page [wego.com]:

    "Some reports have been circulating in some of the online press about a 'Gnutella Worm'. This 'worm' does not exploit any weaknesses in gnutella itself, but rather weaknesses in the Windows operating system and more importantly, the user. This 'worm' will not affect anyone who doesn't manually download it, and subsequently manually run it. Gnutella does not execute any files it downloads. Be smart, don't run anything from an untrusted source without checking it first. This is an exploit of human gullibility and a weak operating system, nothing more."

    Gnutella powerful, humans weak. Grunt, grunt.

    John S. Rhodes
    WebWord.com [webword.com] (Usability Vortal)

  • I do like the ironic sense of humour that the "victim" file has. The fact that one can use the features of Gnutella to go and see how many people have been infected by the worm is pretty original. However, as worms go, this doesn't seem to have been particularly effective at replicating itself.



    "Give the anarchist a cigarette"
  • I think they are referring to executable files in this case. At worst, a MP3 or JPG or MOV will offend you... we all know the worst that a VBS can do.

    That's why you should use the "GLOBAL, utterly anonymous peer to peer file sharing network" to do what it was supposed to do (pirate music, video, etc)... not pick up .VBS files!

    -rt-
  • What makes you think you're so superior a computer user? Ohhh, wow you can type things on a command line. That is really excellent, you ought to be commended. Oh wait a second, The command line is an interface to give the system instructions, not to actually process data. Raw power in a few lines of code, you would be hard pressed to do anything worthwhile merely from a command line. Moving files and writing the output of ls to a text file isn't my idea of raw power. Under your logic cars ought not have power steering or ABS brakes because people ought to learn how to live without them. Everyone ought to spend their time at home in fromt of a glowing screen like you do so they too can understand computers. Doesn't it suck to be a 45 year old virgin though?
  • Then it'll get downloaded tons. I wonder if this is how Napster users were snagged?
  • Comment removed based on user account deletion
  • by LaNMaN2000 ( 173615 ) on Monday June 05, 2000 @06:54AM (#1024927) Homepage
    This is a really clever infection mechanism but it is hardly the worst problem facing Gnutella. Many servers simply house large numbers of files (with appropriate names) that redirect users to the owner's porn site or places a desktop link to said porn site. Many novice users will not think to check the file size and will end up with just porn advertising instead of what they were looking for.

    I think this low signal/noise ration is what is going to hurt Gnutella. Napster avoids this problem by only allowing MP3 files. If it is a worthless file, it will only open in an MP3 player and be found to be an invalid file. On Gnutella, the user could execute a file in the appropriate program--making novices all the more vulnerable to viruses and advertising.
  • get your definitions right, people-this "worm" does not attack linux users. linux is immune to it. why? have you ever *tried* to run a vbScript in linux? it is not supported at all. plus, there isn't even an official linux gnutella client. i guess when people see GNUtella, they think linux. but it doesn't affect linux at all. now no more people can say "well, linux finally has a virus, ha ha ha!" because this doesn't have anything to do with linux.
  • Again, i spoke before I read. After reading, I still believe that this can't be classified as a worm. With the new spread of e-mail worms/virri/trojans, it seems worm has become a new buzzword. When the media classified everything as viruses, we yelled, saying it is a worm...now, it isn't a worm and they are calling it one. The problem lies in an undereducated media, and an overabundance of people willing to trust them.
  • by GoRK ( 10018 )
    In fact I hate to have to admit it but NT's permission scheme for files is far far more robust than your everyday UN*X.
  • I'm sorry, but this is just one more example of how [l]users make viruses possible. A Visual Basic script virus that needs to be activly run? Sheesh, I'd run it through a scanner and have a look at it before I ran it; Most sane people would! Even if they didn't know what they were looking for, I'm sure they'd recognise evil intent!

    But all you hear is "nasty virus writers" from the mass-media, when it's stupid, stupid users to blame.. Reminds me of a lawsuit that started in a local BBS message board back in '87. Someone posted, in jest, that format c: would fix a particular problem. Two lusers tried it, formatted their drives, and promptly retained lawyers because they thought they could sue someone else for their own stupidity. Judge tossed it out, thank God.
  • My comment was intended to be neutral.

    No offense meant or taken.
  • Visual Basic and Visual Basic Scripting are two different animals.

  • rexplorer.exe

    instead of rsh :)


  • When I first was learning Linux, I got flamed a couple times because I was IRC-ing as root. Most IRC rooms ban people running as root, because it is well REALLY stupid to do. But what always made me mad, is sure they ban me for being stupid and running root, but they don't ban any Windows95/98 users. What is up with that?

    I don't run any user programs as root, only su into it when it is needed for system admin tasks, but I now know why it is stupid. Really stupid.


  • Maybe I just read it wrong, but this is really kind of silly. You download something, then execute it. If it's malicious then you get screwed. Aren't there numerous FTP clients that allow you to execute what you've downloaded from within the client? What about IE 5.0? It allows you to execute the file you've downloaded from within the browser.

    This is just another VBS trojan like all the rest. It's not Gnutella's fault. Or do I misunderstand?

    numb
  • Every search you do through gnutella now comes back with an html page named [whatever-you-searched-for].html -- it's a page with javascript to load a porn site.

    It's just ironic when you're searching for something like Zappa and you end up a a britney spears porn site.

    Perfect metaphor for today's music industry. Last night during every commercial break Fox was touting britney as "The Voice of a Generation."

    heh. heheheheheh. hehehehehahahahahahahBAHAHAHAHAHAAAAAAA

  • Metal is perfectly okay in most commercial microwaves. Not even a spark. Design feature.

    I was going to be a pedant and say that water didn't explode, but sense got the better of me and I found a definition of explode saying 'to burst forth with sudden violence or noise from internal energy.

  • While the network can be used to exchange any files, most files are pirated copies of music and software or porn.

    I thought the majority of file transfers on Gnutella were blueberry pie recipes...
  • This is not a Gnutella issue. It's a weakness in Windows, one that has been exploited time and time again via email. This 'trojan' just happens to propogate via Gnutella.

    Oh, yeah. Kudos to the author. Novel delivery mechanism! Better than ILUVYOU and it's attempt to spread via IRC!
  • by Signal 11 ( 7608 ) on Monday June 05, 2000 @07:02AM (#1024974)
    Or am I just paranoid, and it's all coincidence?

    Just stay online for a few more minutes and I'll have the answer for you. Also, pay no attention to the new icon in your system tray...

  • ... Here's what's really going on: Microsoft is releasing all these worms themselves. They are trying to position VB Script at the most Elite, rad cool, programming language on earth... used by all the "big" hackers, crackers, and hell, the phreaks too.. Since they couldn't come out and openly advertise a product designed for hackers (what with that pesky lawsuit and all) they advertise by example...

    Yeah, that's the ticket.

  • &lt snip &gt
    This is a UNIX email virus. It works on the honor system:

    If you're running a variant of unix , please forward this message to
    everyone you know and delete a bunch of your files at random.

    Thank you for your cooperation.
    &lt snip &gt

    The only thing this Gnutella trojan can prey upon is an idiot user and there really isn't much one can do to protect against that.

  • Heh, again, more security problems because of Microsoft's vbs engine. As I'm sure most people here realized, this worm will only affect windows machines. And windows machines run by people who aren't careful enough to check the script before they run it.

    But to be fair, it's basically the same old story from the old days when trojans, virii, and worms were distributed in .COM and .EXE files (for those of us who used DOS =) hell, there were even a couple .BAT trojans (not very effective but still)... you could download all you wanted and not a thing would happen until you ran them. Then again, that's what scan was for... =)

    You could have the same story with *nix though. What's to stop someone from writing a program that wipes out a user's directory? Or a sneaky bit of code in a program claiming to need access to root? I suppose the reason it doesn't happen as much in *nix land is because the users are generally more competent than people accustomed to simple point and click on M$ stuff; and incompetent people generally don't get root. =)

    I guess the point is, all it takes is someone dumb enough to run a script or program etc without checking it out. If you're not practicing safe computing, you'll get an STD (Stupidly Transmitted Disease).

  • Since the whole Gnutella Protocol is completely open, it's perfectly easy to write your own open-source GNUtella clone,
    I see GNUtella as being 'open' by having the open protocol.

    And by the way it's a damn easy protocol. Seems like being designed for hobby programmers, and I don't think that's bad.
    The easier it is, the more likely it will get widely accepted.

    Check the GNUtella protocol out for yourself [wego.com]

  • by carlos_benj ( 140796 ) on Monday June 05, 2000 @07:19AM (#1024988) Journal
    ... to reclassify .VBS extensions to stand for "Virus Building System"

    carlos

  • by Biff Cool ( 18858 ) on Monday June 05, 2000 @07:07AM (#1024989)
    It's not a backdoor it's just downloading a file... Opening the source won't protect idiots from their own mouse buttons if they are dead set against clicking anything they can see.

    Conscience is the inner voice which warns us that someone may be looking.

  • Comment removed based on user account deletion
  • Dialog of a true phone conversation held this morning:

    (L)user: I just received an email titled: RESUME. Should I open it?

    Support: Did you ask for this resume to be sent to you?

    (L)user: No

    Support: Do you know the person who sent it to you?

    (L)user: No

    Support: Do you get resumes as part of your job function?

    (L)user: No

    Support: Then please delete the email without opening it.

    (L)user: Are you sure? I don't want to lose anything important?

    Actually, I considered it a not so small victory for training that the user called, but it shows the point. The biggest security hole in any operating system will always be the carbon interface banging on the keys. Once these users get loose on an any system, security becomes much, much more difficult.

    The thought of possibly corrupting everyones email must be weighed against the possiblility of missing a funny chain letter... Anyone's guess who wins that one.

    (And yes, I freely acknowledge that MS makes exploiting these poor creatures incredibly easy, but its only a matter of time before they move on to linux and other OS's)

  • by DeepDarkSky ( 111382 ) on Monday June 05, 2000 @07:22AM (#1024994)
    I've used Gnutella and looked around for things, just typing them in, I was actually looking for the script of an animation film, and happened upon one of these files with the .vbs extension. Guessing that it must be some kind of VBScript virus, I downloaded it and renamed it to a .txt file and just looked at it using notepad (not that I really needed to rename it, but it was just to be safe, in case I accidentally double-click). It looked interesting enough, but I guess a lot of people do fall for it, even though the extension is not exactly hidden on it.

    There was something more interesting, though, that I discovered. Somewhere, someone figure out a way to take the search words that get sent out, and automatically create an HTML file from it. If you download it (as I have, a couple of times), thinking maybe it's an HTML file linking to some place that may have what you want, you'll find it's something else totally unrelated - somewhat akin to getting the xxx sites when searching for completely innocuous topics because they manipulated the search engines. Nonetheless, an unscrupulous (relatively speaking, given the nature of Gnutella, and because after all, who would complain?) could link to a site full of banner advertising or some such to get hits.

  • As well as the payload it supplied a link:

    Here's how to disinfect yourself [your.host].

  • by Anonymous Coward
    I mean ... with all the VBS files flying around when will somebody port Visual Basic Sripting support to linux. I am sick of having to run Windows just to get a VBS worm. Is somebody working on this already?

  • Is it just me, or are there more & more viruses/trojans crawling out of the woodwork of late?
    Is it an underground effort by the Linux zealots to undermine Windows? Is it a cunning ploy by Micro$lop to get people to buy W2K?
    Or is it the anti-virus vendors drumming up sales?
    Or am I just paranoid, and it's all coincidence?


    It's the flavor of the month combined with typical sensationalist "journalism." Combine big, largely made up numbers ("ILOVEYOU virus causes $5 billion in damage to U.S. corporations!") with the current headline addicted nature of news in the United States and you've got the press hyping up every new bug as a potential digital Chernobyl. With the Elian story winding down and no recent spectacular celebrity deaths, the press will continue jumping on every virus as a potential huge ratings/eyeballs grabbing headline for the time being.
  • If you read the Evolution thread, they're adding VBS capability, but unlike Windows, they're keeping it in a sandbox with restrictions.
  • It sounds more like a Trojan Horse (a tempting 'gift' left outside the city gates) but that term has already been taken.
  • by jbarnett ( 127033 ) on Monday June 05, 2000 @07:17AM (#1025019) Homepage

    Back in my day we didn't have any scripting launage to code virii/worms in, we had to do it in hard code ASM, by hand, without an assembler, in the middle of winter, without power in middle of a frozen lake. Back then, there wasn't "documenations", we had to reverse engineer the processer to get the correct op codes, then write are own assmebler.

    Then when we wanted to run the file, we had to transfer it via 340K 5 1/4 floppy disk, we didn't have networks, the Internet or fancy hard drives.

    Then once the floppy was in the users machine, we had to call up and have the user run 4 differant executables, this took a lot of social engineering.

    Seriously though, who says Microsoft isn't invonative? If you want to write a virii/worm for DOS you needed with ASM or C/C++, which is differant for the typically script kiddie to understand. Hand someone Visual Basic for dummies book and with a week have a worm that can prograte around the Internet within the matter of days. Thank you Microsoft for your weak securtiy premissions and easy to use high power octane scripting launage.

    Seriously though, if Microsoft wanted to make it more security, give it user premissions like Unix, but if they want to keep it easy to use, have a popup box when something (program/script/command) wanted to access/write/read another users file and say "This program needs to run at a differant user level: level foo, are you sure you want to run this?" and when they click "ok" it gives them a popup box to enter username/password for level foo and if they are entered correctly it runs the program with higher premissions. Easy to use and somewhat secure. Just have Unix or Unix like premissions, with the easy of use of Microsofts pop up and dialog boxes, the user won't even have to touch the command line (btw command.com sucks compared to bash, and edit is pathetic compared to vi, I won't wish Microsoft command line interface to my worst enemy)

  • This thing doesn't actually exploit anything in gnutella proper, but rather the dumbshit user and the weak OS he's running. For this thing to actually propagate, the user has to :

    • a) Manually select the file for download, with its VBS extension glaring in their face

      b) Manually go into the Gnutella download directory and execute it.

    In other words, if you get "infected" by this thing, it's your own damned fault.
  • by Greyfox ( 87712 ) on Monday June 05, 2000 @07:34AM (#1025023) Homepage Journal
    This is why whenever anyone says wistfully that we need MS Office on Linux, you should kick them square in the nuts.

    I don't believe you'll find a less security-aware company on the face of the planet. If they did port Office to Linux I have no doubt in my mind that it'll need root privs, and include all the happy horseshit that's been getting Windows users infected for years.

    You can keep MS and the virusses that come with them.

  • Here's [nai.com] a link to Network Associates' (makers of Dr Solomons' and McAfee VirusScan) technical info on the Gnutella Worm, which also contains a complete listing of all the filenames created by the worm. Eerily, it's virus number 98666 on their database.
  • You answered your own question. A malicious piece of code disguised as an attractive piece of code is called a trojan.
  • Part of the kick of virus writers seems to be the enjoyment of watching your own code destroy peoples machines. And that's just gotten tremendously simple since MS has opened up half the world's computers.

    Think back to Robert Morris. Now that was a hack, and took signficant skill. Nowadays, every two-bit script kiddie can tear mail servers up after half a day of perusing a book on VBS.

    Propagation is simple these days because everybody's got e-mail and the apps and OS they're using are tremendously easy to infect.

  • ...and I understand that it was cross-platform, too. Spread to MacOS and Novell Netware within a few hours.

    Nasty.

  • by jbarnett ( 127033 ) on Monday June 05, 2000 @07:39AM (#1025035) Homepage

    I just tested this, I emailed my grandparents and told them to NEVER execute an attachment. I told them it was probably a worm or virus, when into the whole anti-virus/windows progranda and told them not to even click one executables for people they know and exchange email with regular and even trust. They understood it pretty well.

    I wrote a quick, "Hello World" command line program in C, emailed it to them, and guess what, they ran it. I just told them 5 minutes ago that it would probably be a virus, did they question it? No, they ran it blindly.

    It just printed the string "some one just told you not to double click on executables, if I virus or worm, you would have to restore from backup, do you even have a backup. Glad I like your mug"

    They emailed me back saying "opps". I think they better understand now, the real test is when I email them here in a couple weeks and see if they remember then.

    They aren't computer savy, they chat with old army buddies via email and view cooking guides on the web, they are "normal users" and don't really have a concept of virii or malice users, even when it is clearly explained to them. Sure they understand it, but do they practice it?

    I am going to wait a couple weeks then email the same program from an unknown (atleast to them) hotmail or yahoo email account and see if it "stuck" with them

  • Anything that spreads Vacation Bible School files is a good thing, in my book.

    MJP

With your bare hands?!?

Working...