Gnutella "Virus" Roams
An anonymous reader noted a CNN story about a Gnutella "Virus" floating around. It only affects Windows, and it's actually more of a trojan than a virus, but once infected, it hijacks your Gnutella node to serve itself to other unsuspecting Gnutella users. I'm sure this is only the beginning.
What if.... (Score:1)
Before someone says that once it was known that Adobe was doing that...blah blah, bad PR blah blah...say it was a "black" project and done in a closed non-adobe environment. How would you tell?
Exe file? (Score:3)
When I first read this article, I thought, hey, no problem, doesn't everyone select "automatically hide exe, vbs files" during installation? But I have certainly seen this 8192 bug even though I have this option selected. What's up with this? Does the file hide itself as another file type?
Thank GNU for Open Source (Score:1)
Is it just me, or... (Score:1)
Executables are not traded on Napster, and mp3 files are not executed by an mp3 player, so there isn't any danger of a Napster virus.
So if it's an .exe (Score:1)
Re:This is proof of concept, and not too dangerous (Score:2)
"This is not a threat... it doesn't affect me anyway..." sounds like the canonical initial cry whenever a security hole the size of the Grand Canyon is revealed.
It may not affect you, but if it gives the network a bad reputation or screws up enough people who aren't you it's your problem anyway.
Re:Absurd.. (Score:1)
proof-of-concept (Score:4)
Secondly, this was released this weekend, why the story now? Also, regarding the post about viruses, why people write them, I would have to say that stories like this (on Slashdot, CNN, ZDNet or whatever) are probably what keeps the viruses coming. PUBLICITY!
Imagine being De Guzman (Loveletter author), 20 years old in the Philippines, knowing that you will never leave the place. Imagine writing a 50 line VBScript that does 3 rounds around the world in 1 hour. That's power I guess.
Re:No hijacking here (Score:1)
I keep getting "nsdkjfnlnponf.htm"...who is generating those?
Re:The real reason its spreading slowly. (Score:1)
wrong (Score:2)
So there's actually plenty of danger with Napster.
Re:It may seem small... (Score:1)
Re:Yes, in the first generation (Score:2)
Re:Yes, in the first generation (Score:1)
Before that happened, I think they'd have to find a way to insert viruses in most media files (or can they do that already?) such as MP3 or MPEGs etc... since that's what most people look for. I mean knowing NOT to run an executable from a computer you don't know SHOULD be common sense no?
Re:Absurd.. (Score:2)
'nuff said.
Re:Absurd.. (Score:1)
-r-xr-xr-x 1 root wheel 2932 Jan 16 17:53
... no visual cue indeed.
Si
ps. I thought Microsoft only employed smart people 8-)
Re:Yes, in the first generation (Score:1)
Re:Absurd.. (Score:1)
Volume in drive C has no label.
Volume Serial Number is 1C8B-5434
Directory of C:\projects\meef
01/17/2001 01:58p .
01/17/2001 01:58p
11/29/2000 05:22p 1,144 Form1.frm
01/15/2001 05:01p 20,480 meef.exe
01/17/2001 01:58p 1,408 meef.frm
01/17/2001 01:58p 740 meef.vbp
01/17/2001 04:20p 50 meef.vbw
01/15/2001 05:52p 3,964 meef_pure.log
01/07/2001 11:04p 335 MSSCCPRJ.SCC
11/29/2000 05:22p 749 Project1.vbp
12/07/2000 06:11p 50 Project1.vbw
That's with "Hide Extensions of Known Types" turned on. Looks like both operating systems are doing things just fine.
Gravi? (Score:1)
Not I.
kickin' science like no one else can,
my dick is twice as long as my attention span.
Re:Absurd.. (Score:1)
Re:Gravi? (Score:1)
Re:Exe file? (Score:2)
FUD? (Score:2)
I just wonder whether this story is FUD... After all, it is in Napster's interest to discourage their userbase from migrating to GNUtella.
Of course, there could also be a real bug somewhere....
--
Why people write viruses. (Score:1)
They dont need to be. (Score:1)
Sure.. We know what it would do.. If you ran it it would delete all your MP3's, or other files, so you best not use any dirty file-sharing software, hint hint, nudge nudge.
--------------------------------------
Is this (Score:2)
Attack Resistant Metadata (Score:2)
Burris
Re:This is proof of concept, and not too dangerous (Score:1)
You Like Science?
Re:Absurd.. (Score:1)
Nothing new here, move along please. (Score:2)
Re:Yes, more of a Trojan (Score:1)
It may seem small... (Score:2)
The Melissa virus was (I believe) the first major virus to take advantage of the vulnerabilities of having Windows Scripting Host running (read: Outlook), and while all it did was forward an attachment to everyone in your address book, it didn't 'do much', it just so happened to clog up mail servers. Just recently we had ILOVEYOU which did a lot of damage.
Virii development is getting more and more sophisticated and as it has been said, this is just the first. Look out for greater levels of sophistication as the virus developers learn what they can do with this new platform.
--
Re:The spreading is sluggish (Score:1)
Later...
Way off (Score:2)
Re:Is this (Score:2)
Given that the other one seemed to only add itself to your download directory, while this one actively spoofs matches for any search, I'd say probably not.
Re:Thank GNU for Open Source (Score:1)
Later...
Re:Thank GNU for Open Source (Score:2)
PerES Encryption [cloverlink.net]
simple answer, more people use windows (Score:1)
Re:This is proof of concept, and not too dangerous (Score:2)
people who follow basic internet security procedures (dont open unknown exe files, for instance) won't be affected, or indeed effected, by it. would you drive a car without learning what all those signs mean?
Re:Windows Security Sucks... (Score:2)
Microsoft Works.
Windows security.
--
Re:what is wrong with people!? (Score:2)
Re:Thank GNU for Open Source (Score:1)
Cheers,
Chris
Re:Yes, in the first generation (Score:1)
If you run Gnutella under an O.S. OS, (Score:1)
So yes, thank GNU and Linus for Open Source!
Re:Exe file? (Score:2)
Yes, more of a Trojan (Score:1)
Maybe people should think before they run (Score:1)
Doh! (Score:1)
--
Re:Absurd.. (Score:5)
BdosError
Skip it (Score:1)
Absurd.. (Score:5)
--------------------------------------
Re:Yes, in the first generation (Score:1)
Notepad's icon is, oddly enough, a little notepad...
RIAA on Gnutella (Score:3)
The spreading is sluggish (Score:2)
Let's hope that this is just the beginning (Score:1)
Re:Absurd.. (Score:1)
Any more virus-friendly and the lusers will be migrating away in hordes, so the virus writers will have to find another target.
Any less virus-friendly and the virus writers will start looking for another target.
At the moment there's a nice balance. Soft enough so that the virus writers don't have to think too hard, but the lusers still think the problem is manageable. So the virus-writers don't come after ME.
Oh, and
--
Re:Absurd.. (Score:1)
That ME is the original me, not the millenium edition.
;-)
--
I'm not that paranoid but ... (Score:1)
Re:Absurd.. (Score:1)
Is this just a win 98 thing?
This worm is kinda fun (Score:1)
I ran into this worm when I did a search on my own name for hahas. Imagine my surprise when I found several files out there that were named after me! I downloaded one and opened it with a hex viewer. After seeing the name "Mandragore" I was able to look it up and find out what was going on.
To see who has the worm do a search on Gnutella for a long nonsense string like "apuqoierk;afiekda". When you find an exact match you can see which nodes have been infected.
Stupid is as Stupid Does (Score:3)
When my company infected itself with the 'AnnaKournikova' virus, it was only *after* I had sent out a general warning.
One of the VP's, who *does* know better, opened the message while he wasn't paying attention, clicked on the file, and sent it to everyone else. Everyone else, those who didn't figure it out, opened it because it was from the VP.
Yes, in the first generation (Score:5)
Your description is excellent. I would, however, view this first generation as more 'proof of concept' than anything else. Devising variants which return back variable sized documents or which return 'correct' sizes for a limited set of specific requests can't be long in coming. Likewise you may assume that future versions will examine the request strings and reply only to a subset and only some of the time. Counter measures will develop, of course, and so will the complexity of the trojan horses.
I think a bigger concern is the potential for this to undermine anonymous P2P networks. Inspired by the RIAA, MPAA, hostile governments, etc., many efforts are being made to develop systems which fully hide the identity of the parties involved. It seems that this would also hide the origin of any trojans injected into the system. If users are no longer able to trust the content they receive, will they continue to use these systems?
Re:Maybe people should think before they run (Score:1)
Re:Windows Security Sucks... Use Unix, QNX or BeOS (Score:1)
People who advocate the linux model underestimate how much real-world users won't follow the implicit or explicit security rules. Even me, using it for a number of years (slackware, redhat, a few others), and following the virus news groups off and on for a decade, I got hacked recently 'cause I just don't have the time or inclination to spend all my non-work hours patching stoopidass security holes. I have a real computer job, after all. Fortunately not much damage was done because I had so much half-configured crap on there.
But I gotta say, people who blame the user for being vulnerable, ought to be mugged.
By the way, I'm not reading email until I get around to reinstalling an OS again. It seems the first thing you need to do when your unix gets hacked is get off the net.
I haven't found it yet (Score:2)
----------------------------------
Re:This has been coming for a long time. (Score:1)
---
Re:Absurd.. (Score:1)
[x] always show extension
it is still hidden...
Re:Yes, in the first generation (Score:1)
Re:Absurd.. (Score:2)
Wait, no they wouldn't.... what am I saying?
Re:Thank GNU for Open Source (Score:2)
It conforms (mostly, it seems) to the spec for xferring data. That makes it a valid Gnutella client. Without monitoring of the type of client sharing data, there is no fix.
In other words, this is as much a bug as typing:
and expecting the operating system to prevent attacks. It is not a software nor an implementation problem. Rather, it is an attack on the protocol that relies on human engineering to work. (ie, Gnutella operates on a big fundamental flaw.. all clients are kind and good.) The way I see it, it was just a matter of time. Those who wish to transfer data anonymously should consider the source of the data. Fact is, unless you can authenticate the source, then expect garbage and get surprised from time to time.
In other words.. I double dog dare somebody to fix this in software. And even if they manage by some stroke of super-genius to fix it, it will not prevent similar attacks entirely.
PerES Encryption [cloverlink.net]
Re:This is proof of concept, and not too dangerous (Score:1)
didnt napster have this problem? (Score:1)
Why Windows? (Score:1)
Re:Is it just me, or... (Score:2)
actually (Score:2)
It scared me a little. This was when I was first looking into Linux and did not know much better. At the same time, I figured he knew his friends. Looking around here, I see the same thing from time to time as this little beauty from message #33 by Fross (+5 interesting) "But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)". Nod nod, wink wink, not very funny.
Thankfully, nothing bad ever happened.
Re:Windows Security Sucks... Use Unix, QNX or BeOS (Score:1)
Exactly 8,192 bytes? (Score:1)
As for the universal search matching capability, that's nothing new. Remember Flatplanet?
Virus warning signed by "Lars@aol.com" (Score:2)
RIAA to put Napster in Crapster [ridiculopathy.com]
"Lovable Lars" Fan Club [ridiculopathy.com]
Re:Thank GNU for Open Source (Score:1)
I'm not sure that's the case. Once you figure out how the search requests work (which can't be that hard, whether or not you have the source) it should be easy for a program to send back "results" and serve up whatever file it wants in their place.
I agree that Open Source is no magic bullet. However, my hope/expectation is that, with enough people working on it (which is key to the success of Open Source), people will fix the problem, or at least plug the loophole long enough that people can get some use out of the system before the next trojan comes along.
-Erf C.
CNN's new slogan (Score:2)
Cue James Earl Jones ...
Cue music ...
This...
is the Time-Warner Propaganda Network.
Re:Absurd.. (Score:1)
No real content, just an amazed head shaking.
(jfb)
BRITNEY SPEARS NUDE MOVIE!!! NUDEBR.MPEG.EXE (Score:1)
But people are stupid. See the subject line. This is how a typical virus is initially spread. And yes, there are plenty of people stupid enough to download and run stuff like this. Curious kids who don't know better. People using computers that aren't theirs (e.g., school computers) so they don't care if they get infected. AOL users, etc.
I actually find it interesting to download these and run them through 'strings' to see what's there. Silly messages, "Ha ha ha ha!", long lists of IP addresses and hostnames and port numbers. Then probe the sites to see what I can find there.
Use FURI then ! (Score:1)
Re:Absurd.. (Score:2)
No hijacking here (Score:5)
It's pretty easy to determine which Gnutella users are infected. Just do a search for 'nsdkjfnlnponf' or some other completely nonsense phrase. You'll get a bunch of matches, all files 8,192 bytes long. These are infected nodes.
--
Re:The spreading is sluggish (Score:2)
Re:Thank GNU for Open Source (Score:3)
Ummm.... you do realize it's the Open Source nature of this project that makes it so OPEN to this type of exploit, right?
I don't use GNUtella myself - while the project does sound interesting, I've had too many of my friends tell me they completely gave up on the system months ago because too many hacked clients were appearing and spamming the entire system.
I am not going to make the claim that making this project closed source is a viable solution to correcting this problem. HOWEVER, I won't make the rather insipid statement that the problem will go away because the project is Open Source, either.
Open Source is a great idea. BUT, it is not a magic bullet.
Bill Gates' response. (Score:2)
When questioned on whether this has anything to do with bad security in Windows Bill Gates replied:
"HA! Bad security in Windows? See the GNU at the beginning? That is what's causing this. Anything to do with GNU WILL cause harm to your computer, eat your filesystem, documents, grandma, etc... Besides the only ones getting affected are evil music thieves..."
Bill was later seen walking away with a bag with the words "RIAA Bribe money" over his shoulder.
Re:I want to make a SETI@Home virus... (Score:2)
"I think so Brain, but where are we going to find a rhinoceros in heat at this time of year?"
---
Re:Why people write viruses. (Score:2)
Erm, but if no one was attempting to exploit any weaknesses, why bother with security at all?
...j
Re:The spreading is sluggish (Score:2)
Re:Absurd.. (Score:5)
Top 10 ways to make Windows *more* virus/worm friendly:
10. MS Virus SDK
9. "START virus" button on task bar
8. Paperclip with virus hints
7. "Auto replicate and spread" option in Outlook
6. WORM.CAB
5. Bundle virus protection in Windows
4. Require Windows virus updates be done via Hotmail
3. Virus32.dll
2. Tell Microsoft that people are giving away viruses for free in an "Un-American" way.
1. Two words: DOT NET
Re:The spreading is sluggish (Score:2)
...j
Re:Absurd.. (Score:2)
--
Re:Yes, in the first generation (Score:2)
I mean knowing NOT to run an executable from a computer you don't know SHOULD be common sense no?
It was only a few years ago that, as a system administrator, I reassured users that there was no possible way they could get a virus from reading email. This was in response to the GoodTimes 'virus' [biola.edu]. Little did I suspect that our, um, good friends at Microsoft would allow Outlook to run scripts.
You can't assume that only executables will spread viruses in future. However, this isn't the main point. If users hear that they may get a virus using a particular P2P network - even if they have to be morons to catch it - how many will avoid the P2P network anyway?
Re:Absurd.. (Score:2)
"a.out" anyone?
-konstant
Yes! We are all individuals! I'm not!
Re:Thank GNU for Open Source (Score:2)
Re:Absurd.. (Score:2)
This is proof of concept, and not too dangerous (Score:5)
Ultimately this is not a threat. It is quite obvious to spot (if someone is searching for, for instance, "chemical brothers" it'll return "chemical brothers.exe", which is an unexpected result, ie no track name and not an mp3 or so), though I have seen a variation that tries to disguise the fact that it is an exe (I've seen some spurious entries in "file type" entries under the Gnucleus client), and even if infected, your machine runs as a server for the virus - as far as I can tell, this won't make your machine run as a server when you're not running a Gnutella client/server anyway, it'll simply return itself when someone's search hits your machine.
Many (sensible) clients already screen out several types of files, such as
/Fross
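The thread gives three concrete tells for this worm's spoofed search hits: the file name echoes the query verbatim with an executable extension, every hit is exactly 8,192 bytes, and a nonsense "canary" query still returns exact matches (the "No hijacking here" and "This worm is kinda fun" posts above, plus Fross's "chemical brothers.exe" observation). The following is an added example, not code from any Gnutella client or from the commenters, that applies those heuristics to query-hit records; the QueryHit record, the host addresses and the extension list are constructed assumptions for illustration.

```python
"""Flag Gnutella query hits that look like the search-spoofing worm described above."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumption: extensions a share client should never hand back for a music query.
EXECUTABLE_EXTS = (".exe", ".vbs", ".scr", ".pif", ".com", ".bat")
SUSPECT_SIZE = 8192            # size reported in the thread for every spoofed hit
SUSPECT_MARKER = b"Mandragore"  # name a commenter found in the downloaded file


@dataclass(frozen=True)
class QueryHit:
    host: str      # responding node (constructed sample values below)
    filename: str  # file name advertised in the hit
    size: int      # advertised size in bytes


def hit_reasons(query: str, hit: QueryHit) -> List[str]:
    """Return the list of tells a single hit trips; empty means nothing suspicious."""
    reasons: List[str] = []
    name = hit.filename.lower()
    stem, dot, ext = name.rpartition(".")
    if dot and ("." + ext) in EXECUTABLE_EXTS:
        reasons.append("executable extension")
        if stem == query.lower().strip():
            reasons.append("filename echoes the query verbatim")
    if hit.size == SUSPECT_SIZE:
        reasons.append(f"size is exactly {SUSPECT_SIZE} bytes")
    return reasons


def flag_hits(query: str, hits: List[QueryHit]) -> List[Tuple[QueryHit, List[str]]]:
    """Keep only the hits that trip at least one tell, with their reasons, in input order."""
    flagged = []
    for hit in hits:
        reasons = hit_reasons(query, hit)
        if reasons:
            flagged.append((hit, reasons))
    return flagged


def infected_hosts(canary: str, hits: List[QueryHit]) -> Set[str]:
    """Hosts that answer a nonsense canary query with a file named after it: no honest
    share contains such a file, so an exact-stem match marks the node as infected."""
    return {h.host for h in hits if h.filename.lower().rpartition(".")[0] == canary.lower()}


def looks_like_mandragore(data: bytes) -> bool:
    """Byte-level check on a downloaded hit: the marker string the thread reports."""
    return SUSPECT_MARKER in data


# Constructed sample: one honest mp3 hit, one spoofed hit, one size-only coincidence.
QUERY = "chemical brothers"
SAMPLE_HITS = [
    QueryHit("10.0.0.5", "Chemical Brothers - Block Rockin Beats.mp3", 4_812_331),
    QueryHit("10.0.0.9", "chemical brothers.exe", 8192),
    QueryHit("10.0.0.12", "chemical brothers live.mp3", 8192),
]
PROBE_HITS = [QueryHit("10.0.0.9", "apuqoierk;afiekda.exe", 8192)]
```

A hit that only matches on size is a weak signal on its own; the spoofed hit in the sample trips all three tells, which is the combination worth acting on.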
The real reason its spreading slowly. (Score:2)