Microsoft Instant Messenger Virus Sweeps Net

Posted by michael
from the RISKs-of-homogeneous-computing dept.
Many people have reported a Warhol virus affecting users of Microsoft Instant Messenger. If you get messaged, "Go To http://www.masenko-media.net/cool.html NoW !!!", or any similar message (apparently there are several websites with the infection code), I suggest not following the link. A brief discussion follows.

Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAscript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.

There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.

Sophistication: moderate. Damage: only your pride.

Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.

Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?

  • by Covant (103882) on Wednesday February 13, 2002 @08:06PM (#3004055) Homepage
    I was waiting for one of those super annoying forwarded URLs to cause trouble, and it's finally happened.

    Why can't one single week go by without a big annoying MSFT bug / virus being exposed?

    Do people save these bugs up and release havoc at regular intervals?

    Are there people in the inside, planting seeds?

    At least it makes for good news.
  • by immanis (557955) on Wednesday February 13, 2002 @08:08PM (#3004074) Homepage Journal

    I wrote a simple script about a year ago that exported a user's MSN registry key and sent it to me. Given that MSN logins, Passport Logins and Hotmail logins all could be gleaned from that key... well you get the idea.

    It worked too. Got to log into MSN as the CTO of our company, just to make a point.

    As long as scripters can manage things like this, and as long as it is _that_ easy to pull a person's login data from the registry, Passport will _never_ be secure.

  • by einhverfr (238914) on Wednesday February 13, 2002 @08:11PM (#3004093) Homepage Journal
    The page appears to post a hidden form with your email information to the page. I suspect that it may be a contact gatherer for spammers (a new low...) though it could have done much more.

    FormMail.pl is the perl script which receives this information. It is pretty interesting...
  • by suwain_2 (260792) on Wednesday February 13, 2002 @08:11PM (#3004094) Journal
    Being the crazy geek I am, the very first thing I thought when I read this poll was "I wonder who owns the domain www.masenko-media.net" (the one that people are apparently sent to).


    $ whois www.masenko-media.net

    Whois Server Version 1.3

    ...

    No match for "WWW.MASENKO-MEDIA.NET".


    >>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST...

    Okay, so no DNS, so the domain can't possibly resolve, right?


    $ hostinfo -a www.masenko-media.net
    66.96.247.55


    Okay, so it does resolve to an IP... And I can ping it, too.

  • worm primer (Score:2, Interesting)

    by elbobo (28495) on Wednesday February 13, 2002 @08:16PM (#3004133)
    just gave it a go, and it didn't affect me. running winxp with netcaptor [netcaptor.com] browser (embeds ie) and trillian [trillian.cc] (im client that connects to the msn messenger network among others)

    not that i was expecting it to work.

    what amuses me though, is how the linked page from this article reads like a very handy worm writing primer, suggesting better propagation methods -

    Optimized scanning routines, hitlist scanning, and permutation scanning can be combined to produce hyper virulent Warhol Worms. Since they are so fast, such worms would be the vehicle of choice for delivering malicious payloads to the net at large.
  • One shoe drops (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 13, 2002 @08:20PM (#3004163)
    Well, this is one of a number of Damoclean swords hanging over the Net. A couple of other widely predicted "what if..?"s have already come to pass: Nimda was the first successful implementation of one, attacking through multiple vulnerabilities; others would include yesterday's SNMP freakout, the separate possibility of routing protocol attacks, yadda yadda, oh look... you all read bugtraq|incidents|nanog, et al., and know the score, and are presumably not very vulnerable. (Although one especially interesting aspect of this and other worms is that it defeats the security posture that says "take yourself out of the top 10% of easy sites to break into [by, eg., ONLY implementing the SANS top 10/20 fixes] and the kiddies will pass you by". If you're vulnerable, you WILL be hit. ) "But I haven't got anything worth taking, why would anyone want to crack me?" *sigh*...


    The thing that gets me is that NOTHING MAKES ANY DIFFERENCE. Web defacements - make no difference. ILoveYou - no effect. Melissa: nada, Nimda - plus ca change, plus ca la meme chose. Code Red? code schmed. The PHBs seem quite happy to just reformat, reinstall, count it as a cost of doing business on the net, and forget any lessons less stupid people might learn.


    Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.

    Mebbe I'm just bitter cos I've been trying to break into info-sec work for the last few years and getting nowhere cos I haven't an MCSE|CCNA|CISSP|security clearance, although I can usually spot half a dozen glaring holes in a setup within a few hours. (actually I interviewed at a "leading security firm" once & was given an automated test: I couldn't help noticing the machine I was given was logged in as NT Domain Admin. No, it wasn't a double-bluff test of my ethics!)

    Er... well, yes, I AM bitter; but that doesn't change the fact that there are an awful lot of clueless gimps out there managing (techs who manage) networks and network-connected systems.
    It seems to me that nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts - their wallets - to make any difference to the importance placed on info-sec in the vast majority of places.

  • Re:The solution... (Score:2, Interesting)

    by iamplasma (189832) on Wednesday February 13, 2002 @08:22PM (#3004173) Homepage
    Yes, but guess what M$ have decided to make a compulsory add-on to windows XP. Yep, that's right, Messenger. I can just wait for the argument as to why "messenger is an essential part of windows".
  • by JDizzy (85499) on Wednesday February 13, 2002 @08:23PM (#3004181) Homepage Journal
    Somebody mod this parent as "funny", or "underrated" because the author has a point, the slashdot effect should suffice to kill any of the infection sites, and with a high degree of impact.

  • by Anonymous Coward on Wednesday February 13, 2002 @08:35PM (#3004254)
    "A fully coordinated worm, where the worms explicitly coordinate their attack on the network, is a theoretical possibility but has not been seen in practice due to the difficulty in coding and coordinating the worms."

    Obviously the author has not heard of the interpreted, functional programming language Erlang. It can be best described as "The Borg" and has language level support for things like automatic resource discovery, live updates of software modules and distributed databases. There are binaries available for many architectures.

    An attack platform written in this language has the potential to be utterly devastating. Imagine, all of the infected nodes know about all of the other nodes. You have a distributed database containing information on exploits and probes for various computer systems that can be updated on the fly as new exploits are discovered. Even the code for the platform itself can be updated while the system is running.

    As I recall, there was a story on /. some time ago about the impossibility of removing viruses from a computer network without shutting the network down under certain conditions.

    Why hasn't this happened yet? It surely isn't for lack of expertise. No need to worry though, all the legislation that's been passed regarding computer crime prevents this sort of thing, right?!
  • by rhavyn (12490) on Wednesday February 13, 2002 @08:55PM (#3004352)
    Hmm ... or maybe it's because that problem with Linux went away a long time ago. A default workstation install of Red Hat Linux 7.2 has zero open ports and a firewall that blocks access to all ports under 1024.

    Now, obviously if someone sets up a server and doesn't patch, that person is an idiot (and that is true no matter what OS he/she is running). Unfortunately for your argument, we're talking about an instant messenger client and a web browser, not things that are likely to be installed on a server. The fact is, you can't exploit my Linux system via Mozilla/Konq/Galeon/Netscape, yet every other week, a new way to exploit Windows using IE pops up.

    So, in conclusion, your argument is completely irrelevant to the topic at hand ... there has never been an exploit like this released against Linux, there is an exploit like this released against Windows about once a month ... I think we can safely start saying it's Microsoft's fault at some point.
  • by lessthan0 (176618) on Wednesday February 13, 2002 @08:57PM (#3004363)
    And next week, when the next batch of critical security flaws is revealed, follow the Microsoft DIR cycle...

    1. Download the patch.
    2. Install the patch.
    3. Reboot.

    Plan to do this every week on all your critical servers, work machines and home PCs. Just do this every week forever, or as long as you run a Microsoft OS and be done with it.

  • Re:The Code (Score:2, Interesting)

    by meanman (86374) on Wednesday February 13, 2002 @09:06PM (#3004392)
    > msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
    > msnWin.resizeTo(1, 1);
    > msnWin.moveTo(10000, 10000);
    > msnWin.document.title = "Please Wait...";

    This is a particularly annoying tactic that some popup ads use, where you create a new full screen window (only works in IE) then resize it and move it. The result is a window that has no border at all, and the malicious ad can then display a 'windows like' dialog image that can easily fool your average windows user into clicking.
  • by brain159 (113897) on Wednesday February 13, 2002 @09:37PM (#3004534) Journal
    quite probably unrelated to this is a few days ago my website got hit by some apparent script which was searching for "open" formmail.pl scripts to abuse by trying to send an email off to some random guy (I guess formmail.pl is fairly standard - the owner of the site whose script is being used may be an innocent relay in the warhol worm/virus). Here's the apache log line of when my site was scanned, just in case anyone else has spotted similar:

    24.90.121.snip - - [12/Feb/2002:00:38:16 -0500] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=bbx%2Eflarp%2Enet%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=icases0ber%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 295 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"

    It's RoadRunner cable modem service apparently, and the browser info is obviously going to be rubbish.
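    A defender-side check for the kind of scan described in this comment, as an added example that is not part of the original post: it parses Apache combined-format log lines (constructed here, modelled on the one quoted above) and flags requests that ask formmail.pl to deliver mail to a recipient outside the site's own domain, which is the open-relay abuse the commenter describes. The allowlist, hosts and addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Mail domains this site's form handler may deliver to (assumed value for the example).
ALLOWED_RECIPIENT_DOMAINS = {"example.org"}

def parse_line(line):
    """Split one combined-format line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The probe on the page glues a header onto the HTTP version, so take only the request target.
    rec["target"] = (rec["request"].split(" ") + [""])[1]
    return rec

def formmail_probe(rec):
    """Return a reason if the request asks formmail.pl to mail an address outside the allowlist."""
    url = urlsplit(rec["target"])
    if not url.path.lower().endswith("/formmail.pl"):
        return None
    recipient = parse_qs(url.query, keep_blank_values=True).get("recipient", [""])[0]
    domain = recipient.rsplit("@", 1)[-1].lower() if "@" in recipient else ""
    if domain in ALLOWED_RECIPIENT_DOMAINS:
        return None
    return f"formmail.pl recipient outside allowlist: {recipient or '(missing)'}"

def scan(lines):
    """(host, status, reason) per probe; 404 = script absent here, 200 = it ran and may have relayed."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        reason = formmail_probe(rec)
        if reason:
            hits.append((rec["host"], rec["status"], reason))
    return hits

# Constructed sample lines modelled on the one quoted above (IPs from the documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2002:00:38:16 -0500] "GET /cgi-bin/formmail.pl?email=f2%40example.com'
    '&subject=probe&recipient=relay-target%40example.net&msg=w00t HTTP/1.1Content-Type: '
    'application/x-www-form-urlencoded" 404 295 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"',
    '192.0.2.20 - - [12/Feb/2002:01:02:03 -0500] "GET /cgi-bin/formmail.pl?recipient=webmaster'
    '%40example.org&msg=hello HTTP/1.1" 200 512 "http://www.example.org/contact.html" "Mozilla/4.0"',
    '192.0.2.30 - - [12/Feb/2002:01:05:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
]
```

Run `scan(SAMPLE_LOG)` to get one hit for the first line; a hit with status 200 on a real log is the one worth investigating, since it means the script exists and may have relayed the message.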

  • by Random Bystander (548230) on Wednesday February 13, 2002 @09:48PM (#3004588)

    > Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.

    Firstly, statistics, even the 'raw' ones provided by Netcraft, can be read with any spin you choose to apply (as you have done).

    Secondly, you're not looking at sites that are active, just ones that have a webserver running. This includes about 2/3 of machines that aren't actually active servers. Check the figures yourself. 36.7 million polled, 13-ish million active. The more relevant graph is the second one provided, showing the count and growth of active servers, not just plain numbers of them.
