Microsoft Instant Messenger Virus Sweeps Net
Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAScript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.
There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.
Sophistication: moderate. Damage: only your pride.
Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.
Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?
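The propagation pattern described in the story (one hijacked account pushing the same link to every contact within seconds) is exactly what an IM log detector can key on. The following is an added example, not code from the story or from the worm: the log format, the account names and every record are constructed for illustration, and only the lure wording is taken from the message quoted above.

```javascript
// Added example, not from the Slashdot story: flag worm-style fan-out in IM
// logs, i.e. one account pushing the same URL to many distinct contacts in a
// short window. The log format, account names and every record below are
// constructed for this example; the lure text mirrors the one quoted above.

const LURE_RE = /\bgo\s+to\s+https?:\/\/\S+\s+now\b/i;
const URL_RE = /https?:\/\/[^\s"'<>]+/gi;

// Canonicalise a URL so the same link typed with different host case or
// trailing punctuation lands in the same bucket.
function normalizeUrl(raw) {
  const trimmed = raw.replace(/[.,!?)]+$/, '');
  try {
    return new URL(trimmed).href; // lower-cases the host, drops default ports
  } catch (e) {
    return trimmed.toLowerCase();
  }
}

function extractUrls(text) {
  return (text.match(URL_RE) || []).map(normalizeUrl);
}

// Returns one alert per (sender, url) pair that reached at least
// minRecipients distinct contacts within some windowSec-long interval.
function findFanOut(log, { minRecipients = 3, windowSec = 60 } = {}) {
  const buckets = new Map();
  for (const m of log) {
    for (const url of extractUrls(m.text)) {
      const key = `${m.from}\u0000${url}`;
      if (!buckets.has(key)) buckets.set(key, []);
      buckets.get(key).push({ ts: m.ts, to: m.to, lure: LURE_RE.test(m.text) });
    }
  }

  const alerts = [];
  for (const [key, events] of buckets) {
    events.sort((a, b) => a.ts - b.ts);
    let best = null;
    // Sliding window over the sorted events: the widest distinct-recipient set wins.
    for (let i = 0; i < events.length; i++) {
      const recipients = new Set();
      let lure = false;
      for (let j = i; j < events.length && events[j].ts - events[i].ts <= windowSec; j++) {
        recipients.add(events[j].to);
        lure = lure || events[j].lure;
      }
      if (recipients.size >= minRecipients && (!best || recipients.size > best.recipients.length)) {
        best = { recipients: [...recipients], firstTs: events[i].ts, lure };
      }
    }
    if (best) {
      const [from, url] = key.split('\u0000');
      // A fan-out that also carries the known lure wording is the strongest signal.
      alerts.push({ from, url, severity: best.lure ? 'high' : 'medium', ...best });
    }
  }
  return alerts;
}

// Constructed log: alice is the first victim, bob clicks and is hijacked next;
// carol and dave pass an intranet link around at a normal human pace.
const SAMPLE_LOG = [
  { ts: 0,   from: 'alice', to: 'bob',   text: 'Go To http://www.masenko-media.net/cool.html NoW !!!' },
  { ts: 2,   from: 'alice', to: 'carol', text: 'Go To http://www.masenko-media.net/cool.html NoW !!!' },
  { ts: 3,   from: 'alice', to: 'dave',  text: 'Go To http://www.masenko-media.net/cool.html NoW !!!' },
  { ts: 5,   from: 'alice', to: 'erin',  text: 'Go To http://www.masenko-media.net/cool.html NoW !!!' },
  { ts: 30,  from: 'bob',   to: 'alice', text: 'what is this?' },
  { ts: 90,  from: 'bob',   to: 'frank', text: 'Go To http://www.masenko-media.net/cool.html NoW !!!' },
  { ts: 91,  from: 'bob',   to: 'gina',  text: 'Go To http://www.masenko-media.net/cool.html NoW !!!' },
  { ts: 93,  from: 'bob',   to: 'hank',  text: 'Go To http://www.masenko-media.net/cool.html NoW !!!' },
  { ts: 100, from: 'carol', to: 'dave',  text: 'meeting notes at http://intranet.example/notes.html' },
  { ts: 200, from: 'dave',  to: 'erin',  text: 'see http://intranet.example/notes.html' },
  { ts: 900, from: 'dave',  to: 'frank', text: 'see http://intranet.example/notes.html' },
];

for (const a of findFanOut(SAMPLE_LOG)) {
  console.log(`${a.severity}: ${a.from} sent ${a.url} to ${a.recipients.length} contacts starting at t=${a.firstTs}s`);
}
```

Run against the constructed log it reports alice (4 contacts) and bob (3 contacts) and stays quiet about carol and dave. The thresholds are deliberately loose so that a new lure with different wording still trips the fan-out rule; the lure regex only raises severity, it is not required for an alert.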
Anyone surprised? (Score:2, Insightful)
Anyone who is shocked is a bit of a fool. It was only a matter of time, really, until one of M$'s many security holes in messenger was exploited. Kinda sad to think what will happen in the future as the OS becomes more and more integrated with the internet. Your personal data (courtesy of Passport) might be spread around if you replied to an IM, or data loss.
Don't use microsoft products, so I am not vulnerable. Happy me.
Re:Forwards are evil / Virus news (Score:2, Insightful)
The media loves that crap. They descend on it like a shark smelling blood. Any other product could have worse bugs, and they would be all Ho Hum, but a MS bug/virus? whooo boy, feeding frenzy!!
Also, because the people who write the Virii target MS (it might just be easier too.) because of the LARGE install base of it. You can write a Linux virus, and it nails like 100 people, but you could write the same bug targeting MS products, and you can nail 100,000! You do the math.
No system is 100% secure. Period, end of story.
MS products in general are like swiss fricking cheese though. My big complaint is the "Turn It On By Default" attitude of MS products. I had the Messenger on my system, and after adding a couple of co-workers, never used it. I got nailed by the bug today, and was quite annoyed by it. Fortunately, the payload is non destructive, or I would have been PISSED. Leave it off by default, and IF I want it, I'll turn it on.
badger
Re:The Code (Score:4, Insightful)
Damage: not just your pride-- being bombarded with lots of spam? (I guess that is TBD)
It's only a matter of time... (Score:4, Insightful)
It's been said many times before, but I'll say it again, any monoculture is far more vulnerable to attack than a diverse system. Relying on one system, be it Microsoft or even Linux, is foolish.
The destruction of the Microsoft monopoly is not just a matter of helping improve competition, it is a serious security matter. No amount of campaign donations or legal semantics should distract the government from its task of providing security.
This is dumber than a mail worm (Score:3, Insightful)
But /. is right, it is a Warhol virus: all the posters who reported this non-news got their 15 minutes of fame on Slashdot.
Re:Not a Messenger flaw (Score:5, Insightful)
Is that why I keep getting probed with NIMDA? Because people just install the patch and are done with it?
Re:Not a Messenger flaw (Score:3, Insightful)
And while we're at it, this isn't a Warhol worm either.
I don't see the optimized scanning routine for initial propagation. I don't see a precompiled target list or any innovative ways to scan the network. And if you wanted to do maximum damage, you'd release it on a Friday night before this weekend.
Unless the spam from the formmail.pl script contains a very clever exploit to set the stage for a second round of infection, I'm calling this one a false alarm. It's an annoyance, but not a Warhol worm by any stretch of the imagination.
Re:interesting article on the reg (Score:2, Insightful)
Yes, and there has been a patch for this problem. So what did you expect MS to do? Spam all the IM users to install the patch? C'mon.
Btw, WindowsUpdate prompts you to install this patch, I don't see what else should have been done about it ("this bug should not have been there" rants don't count as a solution).
Re:Well, that's one less effectual site for vector (Score:2, Insightful)
Plus, since the topic author knew the exact URL from somewhere, it must have already been fairly widespread before it got here
Where is Windows Update? (Score:3, Insightful)
Why the hell does it take Microsoft so long to get patches onto Windows Update, which most users use to get their updates (those that look)?
Like, when I heard about the SNMP problem yesterday, I went to rhn.redhat.com, found an update for snmp, did a select all for all my linux boxes I administer at work, scheduled them to be updated, done. I go look for an SNMP update for my Windows servers, none found.
It's just annoying... Microsoft has billions for R&D, takes weeks to get a patch out on Windows update, yet some kid can write autorpm that does the same kinda thing for linux in his spare time...
Re:Gee... (Score:2, Insightful)
Windows 95 is pretty stable if you use it as a single-tasking OS. I mean, there are still point-of-sale systems running DOS, and that provides just slightly less memory protection than Windows 95 does. Just don't blame the OS vendor for a shoddily-written third-party program.
It's evolved (Score:2, Insightful)
URGENT - Go to http://users.skynet.be/dark.angel/cool.htm
I went, but Mozilla crashed on accessing the site so I wasn't affected. Then I got a clone message, and the evil purpose rapidly became clear. Anyone peeked at this to see if the code is essentially the same?
--
From Phil
You need to get through these people. (Score:1, Insightful)
"I suggest you do not follow the link"
Say:
Don't click on the link unless you want your computer to be fucked.
Re:Not a Messenger flaw (Score:3, Insightful)
Maybe the problems you're talking about went away in Windows? For someone who is so up to date on Linux, you should learn a little about Windows before you bash it for past problems.
Re:Not a Messenger flaw (Score:4, Insightful)
Microsoft software really doesn't have significantly more problems than any other software. Microsoft is simply a large target, and so many and more people spend much more time finding those holes (often for malicious purposes, sadly).
IE has the biggest marketshare, and Windows has the biggest desktop marketshare, but the reason that people attack Windows systems is it's easy. I wish people would stop kidding themselves with the market share excuse. MS software has serious design flaws which make it very easy to exploit a flaw in the browser to extract data from the registry and mail that off to some email address. Under Windows, that is easy; under Linux there are multiple different browsers, you don't know what email client might be available, there is no central place to grab system/user info and there is no easy way to automate the process. The same type of exploit is used over and over and over again, yet for every patch MS releases, someone finds a new way to write an exploit that uses the same basic method. How long, exactly, do you think it's going to take before Microsoft recognizes this and fixes the design flaws instead of releasing patches which amount to little more than sticking their finger in the crack in the dam?
Re:Explanation of code (Score:2, Insightful)
What is even more amusing is how the media, including Slashdot, seem to have misunderstood the bulletin entirely. This is not a flaw in MSN Messenger, this is a flaw in Internet Explorer - called crossdomain scripting. Using MSN Messenger for our example was - just that, an example. We could as easily have used a .NET application and thus miscredited that Microsoft product instead.
Another amusing aspect is how people tie this together with the "privacy disclosure" vulnerability found last week in MSN Messenger. These are 2 completely different things. The "privacy disclosure" gives a malicious programmer the names (and possibly email addresses) of the user and his friends.
This vulnerability allows you to hijack the user's MSN Messenger - the application itself! This is why you can send messages through it, as you can do anything with the application that a normal end user would be able to - including, but not limited to, sending messages, emails and files and co-starting applications on the user's machine (yes, this allows you to remote control a user's entire Windows machine!).
Now, that should have cleared up a few things.
With regards to the latest "superpatch", Microsoft claims that it "eliminates all known security vulnerabilities affecting Internet Explorer 5.01, 5.5 and 6.0".
As you can see on our vulnerability highlight page [jscript.dk], this is not true.
It is still very much possible for a malicious programmer to read a users local files and execute arbitrary commands - even when you are fully patched !
Re:Not a Messenger flaw (Score:3, Insightful)
A couple of things:
As someone that's "so up to date on Windows", you should learn a little about it before you start to talk about it.
Everything has problems; Microsoft just puts the problems into the hands of the people who cannot fix them: the end user.