Another Windows Macro Virus Wreaks Havoc

mbruns wrote in to send us a CNN Story and a Symantic Bit about a new Melissa-esque virus that alters users win.ini and deletes files. Of course, only people who use that "Other" OS are at risk.

Wrong!!!!

please reread it. anybody who executes the binary will have files deleted, anybody can recieve it regardless of what mail client they use. it only uses the outlook api to resend itself and most ppl will have the outlook api even if they dont use outlook as their main email client.

Uninformed Linux attack dogs

I work for Microsoft. I work on Microsoft Outlook. I work on security in Microsoft Outlook. Do you all genuinely think that we dismiss fiascos like this with an airy wave of the hand? That simply is insulting. We are hard working people, and we do give a damn no matter what the guy at the terminal next to you says around bites of his twinkie. Hell, some of our own servers were down today as a precaution against this - you think we take that kind of productivity hit lightly?

I read slashdot because I have immense respect for the geek community and I'm a part of that community. But how do you suppose it feels to know that most of you despise me purely for the name of my company? There are 20,000+ geeks who work for Microsoft. All evil clones?

Let's establish a few hard facts about the "security holes" that allowed Melissa and this worm.

1) In both cases the attack was made through Outlook. In the case of Melissa, the attack was *entirely independent* of the OS. If Outlook were ported to Linux (assuming it could supply our browser needs, which judging from Netscape's half-@$$ attempt at S/MIME I sorely doubt) the e-mail servers would have been just as clogged. In the case of today's worm, the executable could very easily have deleted the user's *.c, etc files outright rather than installing itself somewhere. Why? Because...

2) In both cases the user had to voluntarily *choose* to run the virus with their own permissions. For goodness sake, the email says, "take a look at these zip files" but the attachment is an exe! Only a clod would fall for such as obvious imposture. And if you are such a novice as to run the "zips" we alert you that running unsigned exe's is dangerous as they "may include viruses or scripts". There's a similar warning when Melissa starts its mailings. You have to click OK to proceed. Microsoft can do a lot in the way of security, but we can't cure willful dumbness. The user doesn't read the caution and it's our fault? What do you want us to do? Say it twice?

3) The exploited aspects our our program were not "holes" in the sense that locking up when you receive a malformed packet would be a "hole". Every aspect of these viruses can be and is used in a positive way by people in the field. Face it, some businesses want more out of their e-mail client than plain text and remote calls to vi. Power can always be abused. The power to cut down a fifty-foot oak is the power to conduct the Texas Chainsaw Massacre as well. If somebody you don't know hands you a chainsaw and tells you to hold the blade while you turn it on, and if you do it despite the warning labels, then don't blame the manufacturer when you lose your frickin hand!

It makes me tired to read posts from people who obviously have never even seen Outlook's splash screen let alone written a VBA scriptlet. If you want to use elm, well whatever. But don't pretend you know what you're talking about when you so obviously do not.

Would there *really* be lots of Linux viruses?

I see a lot of Windows usersand defenders claiming that if Linux dominated the corporate desktop, that the virus situation would be no better than it is for Windows now. I think this is fallacious, not to say FUD. Here's why:

1. The majority of Linux software is free (speech) software, which means that it has a lot of eyes looking at it for bugs. Further, it's also free (beer) software, meaning that its developers are less likely to be under pressure to ship a product which is not up to professionally dignified standards. Hence, fewer security holes get into released (non-beta) products..

2. Because the software is free, and because of packaging systems like Debian's APT which make upgrading easy, it is easy for users of Linux-based OSes to keep current. Further, because of freedom and an Internet-centric distribution model, developers can release patches quicker. This means that once a security hole is found, it has a shorter "useful life" to a cracker.

3. Because the Linux security model is more paranoid than Windows's, a Linux-based worm needs to actually exploit a security *hole*, i.e. *bug*, rather that using the inherent misdesigns of the system in the way Melissa does. (Read the Melissa source, if you can find it. It does not use any buffer overruns or other holes; it uses *only* standard APIs in standard ways.)

4. Finally, if Linux-based systems become established on the corporate desktop, they will come with a change in culture. Like any artifact, WIndows exemplifies and reinforces certain philosophies, ideas, and cultural roles. Linux-based OSes follow different ones. While I can't promise (nor even expect) that Linux dominance would come with radically greater user empowerment and desire on the part of the user to *learn* rather than to *fear* the system, I can only hope that it would teach the users *something*. Not to run untrusted executables, maybe?

Harm to consumers

A worm strikes Corporate America hard because Corporate America is so strongly standardized on Microsoft Office and Microsoft Exchange... and then, because the cost and hassle of trying to find viable/compatible replacements for these applications is so high, ANOTHER worm hits Corporate America and does another round of damage, incurring further costs in terms of lost work and damage control, and STILL no one seriouly considers moving from Microsoft software to some other solution...

And yet the Department of Justice still needs to prove that Microsoft's business practices are harming consumers?

Re:Virii and platforms

Sure, viruses can be (and are) written for Unix systems; just like Windows viruses, they prey on weaknesses in the system caused by software bugs or poor administration. The difference is that the typical owner of a Unix box tends to be more knowledgeable about security than the typical owner of a Windows system, and Unix tends to have fewer security holes than Windows by virtue of having a better-developed permissions system and by having been around longer.

It's not fair to say that a ten-line script can infect a Unix system -- the mere fact that there is such a wide range of flavors of Unix available is enough to guarantee that a single ten-line script won't work on more than a small percentage of Unix systems out there. Besides, with Linux, holes are patched and patches are distributed as quickly as they're found -- often within hours of the dicovery of a security hole.

If there were as many flavors of Windows as there were of Unix, if Windows vendors had to continually compete to make their systems faster and leaner and more stable and more secure, I guarantee you that you wouldn't see viruses and trojan horses such as this one proliferate nearly as much.

Unix isn't invulerable

Unix users seem to have a sense of invincibility based on Unix's invulerability to boot sector viruses, floppy viruses, and similar things that require a simple OS kernel and an "every user is root" security model.

That invulnerability doesn't apply to worms (like this, like Melissa). All you need for a worm to work is a homogenous network environment to infect and an exploit to use for the infection. Maybe Unix users are really more savvy and won't fall for trojan horses (the easy "exploit"), but there was a worm created that spread via the imapd hole last year, and any similar exploit allowing so much as a "nobody" shell to be opened on your system could be used for the same purposes.

Do you know what services are running on your Linux box, and have you shut down the ones you don't need? Do you subscribe to bugtraq, redhat-watch-list, or whatever security mailing list is kept up for your distribution?

These were good ideas before, to prevent single crack attempts when exploits were found. Now they're much more important good ideas, as any cracker above the "script kiddie" level is going to be using self-propagating code to start forest fires of attacks.

Maybe the majority of those attacks will be stupid "email attachment" worms like those currently plaguing Windows, and thus incapable of harming system files... but if someone exploits the backticks in /etc/mailcap to delete $HOME, how much better are you going to feel because /usr was untouchable?

For school & work Linux systems I created a preconfigured freshrpms package which includes a cron job to regularly check the redhat errata, download any updated packages, and mail root when something new appears. It's a step in the right direction - Linux is a secure system because bugs are so quickly found and fixed, but it won't be publically perceived as a secure system if security-unconscious newbies never see or apply those fixes.

Re:Benevolent Virus?

I work for a medical research place. So, would you consider it to be funny if a researcher was set back in important research because they happen to use ms office? They're doctors, not techs. I don't consider anyone who destroys data to be 'doing us all a favor'. The guy is an asshole, plain and simple.

Something funny to do would be to delete ms office itself, not the associated files.

elitists?

Why do so many of you feel the need to laugh at the ms office users and defend the virus writer? Most people in an office environment have no computer experience beyond doing normal office work. They're not educated by their IT department on the dangers of opening attachments. They just want to do their work so they can feed and clothe their kids. I don't think it's funny or cool that some guy wrote a virus that will destroy the work of others. Would you like it if mechanics started kicking your windows in and slashing your tires because you don't know how to overhaul your engine? Afterall, you're not elite and smart in the ways of cars, so you have no right to be driving.

Just because someone doesn't know what you consider to be common sense isn't a reason to hurt them. New users need to be educated and computer security policies need to be implimented. It's not the users' fault that they use MS Office. It's what they were told to use, so they happily use it, unaware of the bugs in it. And they don't care. They just want to finish up a presentation or a word document and get on with their lives. Not everyone's life revolves around computers. Some people work away from monitors for long periods of time.

Re:Uninformed Linux attack dogs

2) In both cases the user had to voluntarily *choose* to run the virus with their own permissions. For goodness sake, the email says, "take a look at these zip files" but the attachment is an exe! Only a clod would fall for such as obvious imposture.

Well, no. There are self-extracting zip files which (of course) have a .exe extension but may have a zipfile-looking icon. We've deverbalized computer use to the extent that people don't read any more, they just look at the pictures. That's not microsoft's fault in particular, but it does illustrate the difficulty. "Just train them" is easily said, but not easily accomplished. As an aside, in this case it was possible to not be able to see the file extension - check out the screen shot on msnbc [msnbc.com] - the attachment is zipped_files... - the extension doesn't show.

I see a bigger problem here

Out of the 80K windows viruses out there, how many are open source? I refuse to run any virus unless I can compile it myself.

Re:Benevolent Virus? Not Quite!

Um, .c, .cpp and .asm files are hardly Microsoft Office files, unless you happen to have source...

They are, respectively, C program, C++ program, and assembler program source files. Not nice at all.

But my Java programs are safe :-)

(Oh, and .xls, not .sls, is the usual Excel file extension, but that's probably a typo.)

Thank you for infecting me

OK, let the flames begin.

I want to thank whoever wrote the virus as I was infected by this and had my .doc and .xls files zapped. The recovery was easy enough and since I don't use those programs all that much I wasn't a major loser in this.

1. I now have an even greater incentive to get the tape drive I should have gotten long ago to back my system up.

2. I now also have an even greater incentive to De-windows my machines and make the move to Linux. So, I signed up for the Linux Basic Course at TMCC [tmcc.edu] here in Reno that will be given by Jay at Aztech [aztech-cs.com] and Sam at USAWorks! [usaworks.com], the bigwigs at our local LUG [rlug.org]. They've been gently prodding me for long enough now anyway.

I got the virus from someone at one of our military installations and I can only imagine that it's run quite ramapantly through the US Federal Goverment as almost all our government installations use MS exclusively. Whoever wrote that it affected only MS Outlook users was wrong. I don't use Outlook or MSIE, I use NN4.6 and the virus did share the negativity with me. However, it is true that only MS Outlook users can resend it.

Anyway, thanks again, anonymous programmer, you did me a favor.

Benevolent Virus?

"The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .sls, and .ptp, thereby deleting Microsoft Word, Excel, and PowerPoint files."

Okay. Whoever wrote this has a GREAT sense of humor. Besides the fact that it purports itself via address-book resends, much like the Melissa virus, it destroys files associated with M$ Office. It's not fatal; it's not going to crash your OS, it's not going to reformat your hard drive. It just deletes M$ Office files.

Legality be damned, this guy is doing us all a favor :)