Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
News

Another Windows Macro Virus Wreaks Havoc 381

mbruns wrote in to send us a CNN Story and a Symantic Bit about a new Melissa-esque virus that alters users win.ini and deletes files. Of course, only people who use that "Other" OS are at risk.
This discussion has been archived. No new comments can be posted.

Another Windows Macro Virus Wreaks Havoc

Comments Filter:
  • by Anonymous Coward
    It can also wipe out files on *nix system via Samba
  • by Anonymous Coward
    Sorry, had to get that one in. Good luck on your next launch.
  • by Anonymous Coward
    If Linux had 90% of the market, there would be PLENTY of viruses.

    Then again almost all viruses fall prety to idiots who click on these blatent .exe files. A co-worker got the message about The Worm virus, 15 minutes latter his system was down because he clicked on the .exe. What an idiot.
  • All of my windows users pull their mail from a Linux mail server. I was wondering if anyone has spliced together a virus pattern matcher that sendmail could use that would check all attachments for assorted virus and other wee beasties and on finding one have it stripped off and sent to the admin. One that could read the patterns from say Nortons virus definition file.

    Just Pondering
    tOdd
  • by Anonymous Coward
    The first widely reported Internet worm incident, resulting from a program written by Robert Morris in the late 80's, primarily disabled UNIX systems...because that's the OS most Internet-connected platforms ran in those days. Today, it is logical that a worm would target Windows, because that is what most Internet nodes are running now. Platform details are irrelevant to a worm writer -- the only thing that counts is the size of the target. It is worth noting, though, that the Morris worm exploited, among other things, buffer-overruns, which were enabled Morris' access to the SENDMAIL source code.

  • by Anonymous Coward
    E-Mail is for text. Period. If you want to share files, use FTP. Poor assholes. Perhaps this will teach them a lesson.
  • by Anonymous Coward
    It took down every server at Redhat.com, too.


    If you believed the last post, you should believe this one too.
  • by Anonymous Coward
    the best day at work.. no e-mail from bosses. :-)
  • by Anonymous Coward
    I do not agree that running a macro from an email program is a good idea given the level virus infestations out there. It would be better to require all documents to be saved to a disk.

    They should require action on the part of the user
    make them executible.

    Office macros should be limited in scope to prevent a program deleting files. I agree that that it must have seemed like a good idea to do this originally but really the security issue was clearly not thought out.

    Now that KDE and GNOME are fully embracing the idea of corba connections between components, I hope that the issue of security won't be over-looked.

    Regarding MS and it's employees being "evil", actions speak louder than words. It appears to many of us that MS's motto is "if it's good enough to take a lot of users" we'll destroy the company. Or MS needs a new revenue stream, make sure new office documents are not backwards compatible. That way people have gotta upgrade.

    But mostly it is the basic idea of "join with us - it is much easier that way". We don't want to be consumed!
  • by Anonymous Coward
    What is so bad about your brainchild is that it *allows*, even *invites* the user to do things with files other than saving them somewhere.

    You take the easy way out with "but the user should be aware of the dangers". That is not fair. As a designer you know what might happen when you double-click on a .EXE attachment, but the user is just someone you and your collegues have tought to double-click on any pictogram they get in sight, "because something interesting might happen".

    Presenting dialog boxes whenever a user does something that might have disastrous effects even worsened the situation. The users have gotten accustomed to this, and now they think "when this is going to do anything bad, it is going to warn me".

    Sure it might have seemed a nice idea to have all this functionality in the mailer, but you should have thought of the consequences and have rejected the idea. Implementing it and blaming the user for the consequences is what you get flamed for.
  • by Anonymous Coward
    I do not work for Microsoft. I am not a programmer. I am just a user and I daily use Solaris, Linux, Win95 and sometimes a Mac.

    You were saying that these virii/torjan/whatever explore the lack of information of the user rather than weeknesses of the OS. But Microsoft designs software for the user, not for the pro coder. So it must be aware that 95% (or 98%) of its userbase is computer-illiterate. It is therefore a design flaw to allow them to do things for which they are not prepared or trained for, especially when that can harm them and the machine they are using. IT IS THE FIRST RULE OF ENGINEERING, man. It is like putting a kid inside a car with auto gears. Real easy to drive to hell.

    Software engineering is not only about software, it is also about engineering. Ever heard of bulletproofing? ;-)

    A.
  • by Anonymous Coward
    Your attitude deems very inappropriate.

    You're a worker bee, unlikely to make any significant changes to how the company operates. There is little you can do or can do about people's attitude about Microsoft. We do not blame you for the fault. Did we say xxxx name is stupid. We said Microsoft is stupid and arrogant to release buggy products when they can spend just a bit more time and money to make it stable and good.

    I apologize that you may have hurt in the process, but any worker bees like you at Microsoft has little in terms of how they promote their business model.

    This is a market questions. Little do I care about how you feel or what you do. Just that Microsoft need to maintain a higher standard because over 90% of users use their software. Since you stated users are "stupid"; then it is your creation of Outlook that should help them, but you come back and slap them in the face and say they are "stupid".

    Flame me. I'm bored.

    Kent
    newyen@hotmail.com
  • by Anonymous Coward
    The fundamental problem that you are failing to address and that people here should be addressing is that this is possible due to Windows poor security model. Yes it would be possible for a Unix worm to propagate via email, passing along an exectuable that deletes files in ~/ and attempts to propagate using some kind of address book, relying on the clueless user to run the executable. When Linux spreads and we have as many clueless users as Windows, then I'm sure we'll see something like this. But, the difference is that the user on Win9x is root. The machine is infected, which cannot happen on a Linux machine without some mechanism not described in this problem. The second fundamental difference is that the open source community fixes it's problems nearly instantaneously. A problem that lasts for longer 24 hours is virtually unheard of. 12 hours is more the norm. You claim to work on Outlook, why haven't you released a patch that implements a sandbox type environment for executing untrusted code as somebody suggested here. Why haven't you at least released a patch that directly addresses this problem? The problem was reported as far back as the 6th according to some articles that I've read. That is nearly 96 hours.


    As for your points about being offended about peoples poor opinion of Microsoft, I'm a little surprised. I'm about to graduate with a CS degree and I'm looking at potential employers. I am disgusted by Microsoft's monopolistic behavior in the past in areas such as:

    1. adding bugs to Win 3x to break Dr-Dos
    2. failing to release full APIs to other application developers
    3. lot's of other specific examples of generally scummy behavior

    But it boils down to the following two points:
    • the consistently aggressive litigitous (sp?) behavior
    • the bald lies presented to the world cloaked under the guise of marketing

    I would not want to work for such a company that has these flaws as I don't think that they treat me well. The only counter argument that I've heard is that the pay is good.

    enjoy your 30 pieces of silver, but don't bitch when people have repugnance for such a dishonorable and dishonest company.
    --sam
  • The fundimental problem here is neither Outlook or Windows per say, but the same problem one finds with monoclonel agriculture. That is, I do not think the same company should produce and force it's single standard version of everything on everyone. Simply put, there should never have been an Outlook group at Microsoft in the first place. Microsoft's own efforts to control the marketplace by leveraging a single code base and it's dominent platform into the application market, and by integrating the OS and applications directly in an often undocumented manner to make competitive products less desirable and making non microsoft solutions difficult to use either from undocumented file formats or undocumented extensions and modifications to commodity protocols, is what makes this possible by locking users into a single and very hetrogeneous environment at all levels from the OS itself to all the applications.

    Certainly, a problem like this could occur on any platform. But a problem that only attacks Linux users with Netscape would spread far less even if Linux was 90% of the marketplace because in that Linux is an open and competitive platform for third party products AND distributions, there will never be a single mail client and single distribution for such a virus, worm, or trojan to depend on.
  • by Anonymous Coward on Thursday June 10, 1999 @03:22PM (#1856233)
    please reread it. anybody who executes the binary will have files deleted, anybody can recieve it regardless of what mail client they use. it only uses the outlook api to resend itself and most ppl will have the outlook api even if they dont use outlook as their main email client.
  • by Anonymous Coward on Thursday June 10, 1999 @10:18PM (#1856234)
    I work for Microsoft. I work on Microsoft Outlook. I work on security in Microsoft Outlook. Do you all genuinely think that we dismiss fiascos like this with an airy wave of the hand? That simply is insulting. We are hard working people, and we do give a damn no matter what the guy at the terminal next to you says around bites of his twinkie. Hell, some of our own servers were down today as a precaution against this - you think we take that kind of productivity hit lightly?

    I read slashdot because I have immense respect for the geek community and I'm a part of that community. But how do you suppose it feels to know that most of you despise me purely for the name of my company? There are 20,000+ geeks who work for Microsoft. All evil clones?

    Let's establish a few hard facts about the "security holes" that allowed Melissa and this worm.

    1) In both cases the attack was made through Outlook. In the case of Melissa, the attack was *entirely independent* of the OS. If Outlook were ported to Linux (assuming it could supply our browser needs, which judging from Netscape's half-@$$ attempt at S/MIME I sorely doubt) the e-mail servers would have been just as clogged. In the case of today's worm, the executable could very easily have deleted the user's *.c, etc files outright rather than installing itself somewhere. Why? Because...

    2) In both cases the user had to voluntarily *choose* to run the virus with their own permissions. For goodness sake, the email says, "take a look at these zip files" but the attachment is an exe! Only a clod would fall for such as obvious imposture. And if you are such a novice as to run the "zips" we alert you that running unsigned exe's is dangerous as they "may include viruses or scripts". There's a similar warning when Melissa starts its mailings. You have to click OK to proceed. Microsoft can do a lot in the way of security, but we can't cure willful dumbness. The user doesn't read the caution and it's our fault? What do you want us to do? Say it twice?

    3) The exploited aspects our our program were not "holes" in the sense that locking up when you receive a malformed packet would be a "hole". Every aspect of these viruses can be and is used in a positive way by people in the field. Face it, some businesses want more out of their e-mail client than plain text and remote calls to vi. Power can always be abused. The power to cut down a fifty-foot oak is the power to conduct the Texas Chainsaw Massacre as well. If somebody you don't know hands you a chainsaw and tells you to hold the blade while you turn it on, and if you do it despite the warning labels, then don't blame the manufacturer when you lose your frickin hand!

    It makes me tired to read posts from people who obviously have never even seen Outlook's splash screen let alone written a VBA scriptlet. If you want to use elm, well whatever. But don't pretend you know what you're talking about when you so obviously do not.
  • Huh? This doesn't exploit any problems in Windows or its applications: it's a wetware problem (gormless lusers running executables which get mailed to them).
  • No, the real reason is that on a real operating system, a clueless luser running a trojan only loses or infects his own files. Big deal. Win95 has no file security, and while NT does, the default installation seems be somewhat lax on who gets permissions to what.
  • No, I just don't have a 'single user' mentality. Yeah, a user on a Unix box catches a virus, it trashes *their* files and infects *their* executables. It doesn't do any damage to anyone else, and chances are it won't spread.

    Now watch as this virus takes down whole offices of Windows 9x networked machines.
  • Unix-like systems are vulnerable, just like any other system, but it tends to be more difficult for virii to propagate than on something like DOS because virii are (should) only be able to do bad things that the user they're running as could do anyway. Virii and Stupid User Syndrome can kill a user's files, but it can't kill the whole system unless root is affected with S.U.S too or if there's buggy privlidged software on the system.
  • by hogwaller ( 421 )
    go to MS's "Privacy and Security" site..


    http://www.microsoft.com/info/pr ivacy_security.htm [microsoft.com]


    404 as of about 11:30am EDT.:)

    --------------------------
    Your Favorite OS Sucks.
    ^D

  • The only real way to prevent local DOS attacks is to keep a close eye on system resources and a cattle-prod at your desk.
    --
  • What about the (in)famous Internet Worm? That infected and traveled through a lot of different flavors of UNIX. Something like that happening again is not impossible.
  • Incorrect. Since there are security holes in the OS, an unchecked program can still do damage in your "secure" environment. For example, up until about a year ago, any program could make itself suid root by exploiting an X security flaw (since X was set suid root in most cases).

    Sure, Linux/UNIX is more safe when running unchecked programs, but it is still incorrect to say that it is a completely secure environment to run unchecked code in. Unchecked code is dangerous, no matter what OS you're running.
  • But do we really have software diversity? Most major mailservers run Sendmail - a new serious Sendmail security flaw (in addition to the hundreds already in existance) could make it very easy to compromise a large majority of mail hosts. If a worm can compromise even 5% of the systems, it'd be able to cause serious damage.
  • Duh. That's not a virus. Where's the spreading code? At best, that's a trojan.


    ...phil
  • >>
    And for anyone so silly to think Linux or any other OS isn't as vulnerable
    >>

    Yes, it would be silly to claim that Linux is invulnerable to viruses. But I certainly do think that Linux is nowhere near AS vulnerable as Windows or MacOS is.
  • It's not a closed-source virus that's the problem. It's a closed-source _operating_system_. Are you really that stupid?
  • Posted by Dr Evil:

    I think even with the popularity of windows, Macintosh has 800x as many viruses. Its just too easy:

    1) no memory protection.. you can alter anything in memory if you want.
    2) toolbox- interrupt-driven drawing and system code with a patchable table.. I want to make the text drawing functions say 'iM 'lEEt' instead of what you want it to say
    3) no file protection.. you can easily destroy sytem files as well as user files

    Shoot, they have viruses that are SO creative for the mac (like the oscar virus) that people purposely install them because they are so coll. How is that for ironic?
    (Whoaa, that is cool, can I get a copy of ... wait, I already have it! coooool!)

    -David
  • Posted by Dr Evil:

    That is because you can't even find out what day it is with the date/time control panel unless you are an administrator. I hate NT.
  • Posted by Dr Evil:

    funnily enough, spammers never seem to give me
    their real email addresses when spamming me.. you
    cannot ask them to stop, but you also couldn't
    buy the thing they are advertising IF YOU WANTED
    TO..
    *grin*
  • Posted by Dr Evil:

    How about 'no executables' for starters, then start working down to
    'No VBScript' and 'no macros'

    I want an option to turn off all macro support in Office.
  • Posted by Dr Evil:

    you have to understand that my users have a child-like understanding of the evils of the world... "Oh look, didn't the administrator say something about running executabelle.. somethings? Oh well, the icon is sooo cute, all nice and shiny, ..

    (Speaking from my admin days)
    -David
  • Posted by Dr Evil:

    just, luckily because I run linux, I am not ignorant.
  • Posted by The Incredible Mr. Limpett:

    My guess...Microsoft.


    HAHAHAHAHA That would be sweeeeeet!
    ----
    "Wars, conflict, it's all business. One murder makes a
    villain. Millions a hero. Numbers sanctify."
  • I use a program called amavis [aachalon.de] that replaces procmail. It supports multiple scanners (I use uvscan with a cronjob to update the info every day). If there's a virus attached to the message, it's bounced back and a warning is sent to root. I haven't seen it in action except for a virus test pattern since my mailserver only has 2 users, but it seems pretty good :)
  • When will this stop?

    When everyone stops using Windows. Maybe 2004.

    :-)

    --
    Get your fresh, hot kernels right here [kernel.org]!

  • mh ...

    if you did "find . -type f -exec grep "@" {} \;" though ...
  • I don't wholly agree with you here. Yes, users are the core problem w/virus replication. Anyone dumb enough to open an attachment in email that they weren't expecting is going to get infected eventually....but isn't the mere fact that it's so easy to WRITE a virus for Windows part of the problem too?
  • You read mail as root?
  • "Last time you checked" meaning "last time I couldn't really see, but my guess was" that they were more secure?
  • This will stop when clueless users finally learn that there's a REASON you're not supposed to just run things that come in the email.

    Or we could solve it using a Darwinian approach. To: all From: info@nih.gov Subject:Health hazards of email

    Warning, reading email is hazardous to your health and can cause life threatening brain blockage. Anyone who frequently reads email should stick their tongue in a lamp socket at least twice daily as a protective measure.

  • >If Linux had 90% of the market, there would be PLENTY of viruses

    And 99% of these Virus wouldn't work at all due to the fact most Unix/Linux/BSD users do not operate their systems as the root user, and the remaining 1% wouldn't cause the kind of hardcore damage that we're becoming used to seeing with the new generation of virus that run on Microsoft-based OS's.
  • >I could easily write a perl script that would delete a users $HOME directory.

    With the Windows port of Perl most likey so if Windows had $HOME directorys. With the Linux/Unix/BSD Perl ports? Not so fast. How would you get the Perl script to obtain the root privages it would need to delete the users's $HOME directory if you don't have root acess?
  • >The worm then searches the local file drive for the following file >types and deletes them: .c, .cpp, .asm, .doc, .sls, and .ptp,

    Really looks like this thing could've been written by one of those former temps that Microsoft tried to screw over doesn't it?

    After all revenge is a dish best servered cold....
  • >Do you all genuinely think that we dismiss fiascos like this with an >airy wave of the hand?

    Sure you clowns do. Otherwise why would this kind of stuff still be going on *YEARS* after Office and the rest of your shoddy crap has been released and these problems exposed? The problem is that you people just don't give a shit.
  • You're kidding right? Someone could quite trivially cook up something like zippped_files.exe that would work across diverse Unixen nevermind just Linux.

    Bourne shell can be used as a cross-Unix system testing enviroment. There is nothing stopping someone from doing the same thing for trojans.

    It would actually be EASIER as Unix is built for autamation.
  • That doesn't replicate...

    cd ~/Mail
    grep "@" .* | sed 's/^.*.*$//g' | sed 's/^.* .*$//g' | sort -u

    For which mail clients would this not produce a useful list of new victims?
  • Actually, that's fairly bloody malicious to the people who have their data in those files.
    Phil Fraering "Humans. Go Fig." - Rita
  • See
    http://www.news.com/News/Item/0,4,37687,00.html? owv
  • >The real problem here is stupid users running untrusted code from random sources.

    Exactly. Under Linux, I can run unchecked programs as user=jailbird'/group='playpen' and not worry about my kernel being hacked.

    Under DOS/Win31/Win9x, I CANNOT RUN ANY PROGRAM IN A SECURE ENVIRONMENT. This is what the M$ supporters Just Don't Get(tm).Where everyone is a God, no one is safe. When everyone is the superuser, no computer is safe.
  • I see a lot of Windows usersand defenders claiming that if Linux dominated the corporate desktop, that the virus situation would be no better than it is for Windows now. I think this is fallacious, not to say FUD. Here's why:

    1. The majority of Linux software is free (speech) software, which means that it has a lot of eyes looking at it for bugs. Further, it's also free (beer) software, meaning that its developers are less likely to be under pressure to ship a product which is not up to professionally dignified standards. Hence, fewer security holes get into released (non-beta) products..

    2. Because the software is free, and because of packaging systems like Debian's APT which make upgrading easy, it is easy for users of Linux-based OSes to keep current. Further, because of freedom and an Internet-centric distribution model, developers can release patches quicker. This means that once a security hole is found, it has a shorter "useful life" to a cracker.

    3. Because the Linux security model is more paranoid than Windows's, a Linux-based worm needs to actually exploit a security *hole*, i.e. *bug*, rather that using the inherent misdesigns of the system in the way Melissa does. (Read the Melissa source, if you can find it. It does not use any buffer overruns or other holes; it uses *only* standard APIs in standard ways.)

    4. Finally, if Linux-based systems become established on the corporate desktop, they will come with a change in culture. Like any artifact, WIndows exemplifies and reinforces certain philosophies, ideas, and cultural roles. Linux-based OSes follow different ones. While I can't promise (nor even expect) that Linux dominance would come with radically greater user empowerment and desire on the part of the user to *learn* rather than to *fear* the system, I can only hope that it would teach the users *something*. Not to run untrusted executables, maybe?
  • People constantly talk about viruses as if they are always contained in user-executable code. Remember, though, that a large percentage of viruses are actually boot viruses, that even those of us running Linux/FreeBSD on x86 boxen are vulnerable to as well! Having LILO hosed by a boot virus is not unheard of... lots of people dual-boot between Win and Linux, and leaving an infected floppy disk in the drive is just too easy!
  • Do Symantec and McAfee write viruses to boost up sales?



    I work for a hospital. Do we cause people to get sick when revenues go down? That's the dumbest conspiracy...

  • by Brian Kendig ( 1959 ) on Thursday June 10, 1999 @02:36PM (#1856273) Homepage
    A worm strikes Corporate America hard because Corporate America is so strongly standardized on Microsoft Office and Microsoft Exchange... and then, because the cost and hassle of trying to find viable/compatible replacements for these applications is so high, ANOTHER worm hits Corporate America and does another round of damage, incurring further costs in terms of lost work and damage control, and STILL no one seriouly considers moving from Microsoft software to some other solution...

    And yet the Department of Justice still needs to prove that Microsoft's business practices are harming consumers?

  • by Brian Kendig ( 1959 ) on Thursday June 10, 1999 @02:55PM (#1856274) Homepage
    Sure, viruses can be (and are) written for Unix systems; just like Windows viruses, they prey on weaknesses in the system caused by software bugs or poor administration. The difference is that the typical owner of a Unix box tends to be more knowledgeable about security than the typical owner of a Windows system, and Unix tends to have fewer security holes than Windows by virtue of having a better-developed permissions system and by having been around longer.

    It's not fair to say that a ten-line script can infect a Unix system -- the mere fact that there is such a wide range of flavors of Unix available is enough to guarantee that a single ten-line script won't work on more than a small percentage of Unix systems out there. Besides, with Linux, holes are patched and patches are distributed as quickly as they're found -- often within hours of the dicovery of a security hole.

    If there were as many flavors of Windows as there were of Unix, if Windows vendors had to continually compete to make their systems faster and leaner and more stable and more secure, I guarantee you that you wouldn't see viruses and trojan horses such as this one proliferate nearly as much.

  • "ExploreZip is known as a worm, not a virus, because it can't replicate itself. Computer viruses such as Melssa, which appeared in March, are written with the capability to reproduce through automation."

    The appropriate Hacker's Dictionary sections:

    Virus
    "Unlike a {worm}, a virus cannot infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends (see {SEX})."

    Worm
    "A program that propagates itself over a network, reproducing itself as it goes. Compare {virus}. Nowadays the term has negative connotations, as it is assumed that only {cracker}s write worms."
  • > I work on security in Microsoft Outlook.

    So what are you people coming up with to deal with these things?

    Personally, I would like to see a sandbox (compare with java's security model) if possible built into some future windows release - that way, untrusted programs could be run in a secure environment (where they would be prevented from messing with any files/registry keys outside a certain hierarchy, and also prevented from other things at the users' discretion) - I know that this goes against the (Microsoft) corporate policy of only doing signing-based security, but there are problems with the current signing security that I won't go into here. (Basically, signed .exe files aren't routine - even if they were, how long do you think it's going to take for a worm that resigns itself each time it sends itself on?)
  • Maybe he actually thought he could hit the Microsoft campus. I could see the headline "XYZ virus destroys Windows 2000!".

    Why not didn't Mitnick do the same to solaris?

  • Then how about comparing how Windows apps running on NT handle multiple users. I prefer the Unix style over the each app setting up its own user space. Even NT assumes that each person has his own computer and software installs don't work for every user and each user who wants to access the program has to have administrator privileges to re-install it.
  • I noted with interest your point about a "homogeneous network environment to infect". This only goes to show how important diversity in OSes is.

    I remember a writeup of the Melissa virus in a decidedly non-techie UK Sunday paper, which hit the nail on the head saying "In computing as well as in biology, monocultures are a bad thing"

  • I'm wondering why the authors of these type of attacks bother with all of the social engineering that they do. They bother to name the file Zip_files.exe, and tell the (l)user that "these are the files you requested", etc.

    I'm wondering why they waste all that effort.

    Just name the file molest_my_hard_drive.exe and put in the message:

    Please open this file. I'm an aspiring virus writing script kiddie and really want this to get spread far and wide so that I can get arrested. It would really help my self esteem, and might even make me feel 31337. Don't forget to let it run for a few hours before calling your MIS department.

    I guarantee that it would have the exact same effect.
  • I always recommend that UNIX/Linux folk read the IDG book, 'The Unix-Hater's Handbook', for a scathing discussion of UNIX's security model. Lots and lots of the comments apply mainly to UNIX circa 1991 and are obviated by things like Perl, Ptyhon, and Java, but there's a lot there that will improve your perspective on things.

    For all that Microsoft made mistakes in NT, and for all that NT has had less time to mature than UNIX has, and for all the times that Microsoft acts like the company that brought CP/M and single-user computing generally to the masses, elements of the NT security model are actually superior to the stock UNIX model in many ways, the lack of a necessarily all-powerful root account and setuid scripts/files being one of them.

    The biggest protection Linux has from viruses is that it is not an effective monoculture the way that Windows/Office is, and that there isn't the rampant cross-application integration/incest that Windows depends on.


  • It might be interesting to read this [geek-girl.com].


    It seems that the virus is also found in mails from some engineers from microsoft which might mean that this virus is constructed to hit Microsofts source.


    I'm not such an conspiracy believer, but this could explain why this virus is explicitely hitting code files, which is not anything normal windows users would have a lot on it's disk

  • "This will stop when people quit using a worthless excuse for an OS like Windows, and probably not before... :\"

    Keep in mind that the original research of virii was done on IBM and Honeywell mainframes. Despite the generally high level of security on those systems, the researchers doing the work did manage to write virii (probably would be called worms today) that successfully infected their targets.

    It happens today that the vast majority of computers in use are Wintel, and for a number of reasons which I am sure you can fill in the bad guys therefore focus most of their efforts on Wintel. And indeed, Win(x) does have serious vulnerabilities. But if the bad guys ever turn their focus to Linux/*nix, then you will see more Linux/*nix attacks of this type. Perhaps fewer will make it into distribution, perhaps fewer will succeed. But if so the ones that do make it will be that much more destructive.

    Disagree if you wish, but before turning on the flamethrower remember that arrogance it the surest path to a security breach.

    sPh
  • The problem, as I see it, is that Microsoft picks the WRONG defaults. They do this in many of their programs.

    You know that the typical user will just run everything they get.

    You know that they will click the OK button without reading the dialog boxes.

    These points have been demonstrated over and over again. They cannot be disputed.

    So you should set the defaults so that they don't get a chance to run the executable unless they have specificly enabled that ability. And you shouldn't prompt them to change that default. If they don't know that they can change it, and they don't know how to go about changing it, it should stay turned off.

    The people who want to use it can then turn it on, and the rest of the lusers won't be hurt by this feature that they aren't using anyway.

    Why should you do this? Because you're credibility is on the line. Because the world is watching MS products delete user files, and they don't find it very funny. They aren't going to care that the users all pressed the okay button. They are going to ask why it was so easy. And if there is a way to turn off that warning, if users can say they didn't get that warning this time, it will be worse.

    Take a clue from something simple like the setup/config for pine. You have to turn things on if you want to use them. If you don't know to look at the setup/config you might never know about them. Until they are turned on, you are never prompted for them. They just aren't there.

  • Does anyone know how to filet out .exe attachments in sendmail? Are there any other extensions that should be filtered out besides .exe, .com, .bat?
  • I always get a chuckle out of these stories, to me viruses represent one of the prime deficiencies in Windows design (or lackthereof) and a capital argument for holding a company responsible for its product flaws.

    I have read, however, that viruses can in fact be written for UNIX platforms, and have actually read a ten-line example script to show how it could be done. This inspite of the security structures built into UNIX's multi-user environment. It was rather frightening. There's not a whole lot of literature on this subject that is easily found, what do Slashdotters know about it?
  • It's an executable.
  • I think it's /etc/mail/aliases to configure that, but I could be wrong.

    You'd best read your root mail somehow - cron misfunctions, or people warning you about problems with your system, are often things you don't want to ignore.
  • Unix users seem to have a sense of invincibility based on Unix's invulerability to boot sector viruses, floppy viruses, and similar things that require a simple OS kernel and an "every user is root" security model.

    That invulnerability doesn't apply to worms (like this, like Melissa). All you need for a worm to work is a homogenous network environment to infect and an exploit to use for the infection. Maybe Unix users are really more savvy and won't fall for trojan horses (the easy "exploit"), but there was a worm created that spread via the imapd hole last year, and any similar exploit allowing so much as a "nobody" shell to be opened on your system could be used for the same purposes.

    Do you know what services are running on your Linux box, and have you shut down the ones you don't need? Do you subscribe to bugtraq, redhat-watch-list, or whatever security mailing list is kept up for your distribution?

    These were good ideas before, to prevent single crack attempts when exploits were found. Now they're much more important good ideas, as any cracker above the "script kiddie" level is going to be using self-propagating code to start forest fires of attacks.

    Maybe the majority of those attacks will be stupid "email attachment" worms like those currently plaguing Windows, and thus incapable of harming system files... but if someone exploits the backticks in /etc/mailcap to delete $HOME, how much better are you going to feel because /usr was untouchable?

    For school & work Linux systems I created a preconfigured freshrpms package which includes a cron job to regularly check the redhat errata, download any updated packages, and mail root when something new appears. It's a step in the right direction - Linux is a secure system because bugs are so quickly found and fixed, but it won't be publically perceived as a secure system if security-unconscious newbies never see or apply those fixes.
  • NT has greater file security than Linux so I don't quite get your point.

    Do explain.. How does NT have better file security?

  • by aphr0 ( 7423 ) on Thursday June 10, 1999 @07:08PM (#1856329)
    I work for a medical research place. So, would you consider it to be funny if a researcher was set back in important research because they happen to use ms office? They're doctors, not techs. I don't consider anyone who destroys data to be 'doing us all a favor'. The guy is an asshole, plain and simple.

    Something funny to do would be to delete ms office itself, not the associated files.
  • by aphr0 ( 7423 ) on Thursday June 10, 1999 @07:34PM (#1856330)
    Why do so many of you feel the need to laugh at the ms office users and defend the virus writer? Most people in an office environment have no computer experience beyond doing normal office work. They're not educated by their IT department on the dangers of opening attachments. They just want to do their work so they can feed and clothe their kids. I don't think it's funny or cool that some guy wrote a virus that will destroy the work of others. Would you like it if mechanics started kicking your windows in and slashing your tires because you don't know how to overhaul your engine? Afterall, you're not elite and smart in the ways of cars, so you have no right to be driving.

    Just because someone doesn't know what you consider to be common sense isn't a reason to hurt them. New users need to be educated and computer security policies need to be implimented. It's not the users' fault that they use MS Office. It's what they were told to use, so they happily use it, unaware of the bugs in it. And they don't care. They just want to finish up a presentation or a word document and get on with their lives. Not everyone's life revolves around computers. Some people work away from monitors for long periods of time.
  • I guess you are right. In the OSS case, software installation proceeds along these steps:

    1. Download source code.
    2. Examine source code to make sure it doesn't do anything nasty.
    3. Compile and install.
    4. Run.

    Okay, hands up any OSS advocate that actually performs step 2.

    OSS does _not_ provide more security than the effort you are willing to put into it does.


  • If you think the discussion is over because root is sacred, you should look into how these kinds of viri work.

    In an NT system, the virus can only delete the files for which the user has write access. There is no comprimise of "system" security.

    The fault lies with poor design on Microsoft's part. The fact that there is no Linux equivalant only proves that noone has a macro-enabled Office suite running on Linux.

    Well - look out - here comes Corel Office. Can you execute malicious viruses there? Nobody really knows because they only have like 2% of the market. Although, it might be worth it to someone to teach Linux users a lesson or two.
    --

  • Office 2000 (released just now) supposedly contains features which prevents Macro viruses. Perhaps this was unleashed by some unnamed party to speed up Office 2000 deployment.

    (All of you paranoid Microsoft haters should feel ashamed that you didn't think of that first!)
    --
  • Or, to put it another way, if you ask me 20 times a day "Are you SURE you want to do that?", the 21st time, I'll click YES before I've even read the message. Even if this was the one case in which I was making a mistake.

    Very good point. Outlook gives you the "virus" warning when opening *.TXT and *.JPG files - enough to drive you nuts.

    Also, by default with Win 9x/NT, the file extension is not shown (I don't know if this applys to Outlook). All you see is a little WinZip icon. So it's conceivable that a new users could double-click on the icon not knowing it's an executable.

    As for this being an Outlook specific virus, my understanding is that (unlike Melissa), it's not. If the uneducated masses (the "clods") started using Linux, they'd be just as suceptable to "Hey - you don't know me, but run this executable!" form of attack.

    The fault really falls on the IT department's shoulders for not educating their user base. The only place Outlook comes in is that it's training costs are supposedly lower, and so many companies think they can get away with reducing that to no training at all.
    --
  • Under DOS/Win31/Win9x, I CANNOT RUN ANY PROGRAM IN A SECURE ENVIRONMENT. This is what the M$ supporters Just Don't Get(tm).

    Uhh, Windows NT has only been out since 1993. The file permission system is argueably better than unix's.

    (If you folks are really interested in effective Linux advocacy, you should take on Windows NT rather than the end-of-the-line, broken-for-backwards-compatibilty Win 9x. It's a more credible comparison, and will make you sound less like a raving moron.)
    --

  • Yeah, it's not a "bug-fix", it's a "feature"!

    Considering that O2000 comes on two or three CDs, maybe calling it a "patch" is the right word either.

    (O2000 allows a developer to sign macro code, so along with the bug-fixes, I'd classify this as a feature.)
    --

  • I should comment that I have no idea how this would work because there's no existing Microsoft certificate infrastructure in place. Perhaps the same way as ActiveX signing ("Always trust content from Microsoft Corporation?"), but getting that to work right with a private certificate is a big deployment hassle.

    Note that the reason Lotus Notes is largely immune from macro virus attacks is that it has a built-in certificate infrastructure (can't login without it). It's unlikely that the Fortune 500's favorite mail system is going to get outlawed.
    --

  • Find an NT box and look at the stock permissions. There's holes for sure, but your post is largely FUD.
    --
  • Not to start any flames, but do you ever wonder if a *nix fan wrote this virus to persuade people away from Windows systems? It's a fucked up thing to do, but I'm sure more than a few admins have started looking at *nixes after the recent flood of Windows-specific viruses...
  • I asked Rob myself because I made a stupid AC post earlier. The answer was no.

    BTW, conspiracy theory #2: Do Symantec and McAfee write viruses to boost up sales? Hmm...
  • by Slamtilt ( 17405 ) on Friday June 11, 1999 @04:25AM (#1856381)
    2) In both cases the user had to voluntarily *choose* to run the virus with their own permissions. For goodness sake, the email says, "take a look at these zip files" but the attachment is an exe! Only a clod would fall for such as obvious imposture.
    Well, no. There are self-extracting zip files which (of course) have a .exe extension but may have a zipfile-looking icon. We've deverbalized computer use to the extent that people don't read any more, they just look at the pictures. That's not microsoft's fault in particular, but it does illustrate the difficulty. "Just train them" is easily said, but not easily accomplished. As an aside, in this case it was possible to not be able to see the file extension - check out the screen shot on msnbc [msnbc.com] - the attachment is zipped_files... - the extension doesn't show.
  • Out of the 80K windows viruses out there, how many are open source? I refuse to run any virus unless I can compile it myself.
  • by AJWM ( 19027 ) on Thursday June 10, 1999 @02:48PM (#1856393) Homepage
    Um, .c, .cpp and .asm files are hardly Microsoft Office files, unless you happen to have source...

    They are, respectively, C program, C++ program, and assembler program source files. Not nice at all.

    But my Java programs are safe :-)

    (Oh, and .xls, not .sls, is the usual Excel file extension, but that's probably a typo.)
  • From "The Top-Secret Microsoft Plan for World Domination (don't tell the DOJ":

    23.1.7: Application features

    Applications that have a lot of features sell better than ones that have few features. However, there is little or no correspondence between the quality of said features and the profitability of an application. Thus, programmers should concentrate on creating many new features as quickly as possible. If the features don't actually work, customers will simply have to avoid using them.

  • by spartan ( 30665 ) <joe AT samolian DOT com> on Thursday June 10, 1999 @06:33PM (#1856420)

    OK, let the flames begin.

    I want to thank whoever wrote the virus as I was infected by this and had my .doc and .xls files zapped. The recovery was easy enough and since I don't use those programs all that much I wasn't a major loser in this.

    1. I now have an even greater incentive to get the tape drive I should have gotten long ago to back my system up.

    2. I now also have an even greater incentive to De-windows my machines and make the move to Linux. So, I signed up for the Linux Basic Course at TMCC [tmcc.edu] here in Reno that will be given by Jay at Aztech [aztech-cs.com] and Sam at USAWorks! [usaworks.com], the bigwigs at our local LUG [rlug.org]. They've been gently prodding me for long enough now anyway.

    I got the virus from someone at one of our military installations and I can only imagine that it's run quite ramapantly through the US Federal Goverment as almost all our government installations use MS exclusively. Whoever wrote that it affected only MS Outlook users was wrong. I don't use Outlook or MSIE, I use NN4.6 and the virus did share the negativity with me. However, it is true that only MS Outlook users can resend it.

    Anyway, thanks again, anonymous programmer, you did me a favor.

  • By Monday the newest item on the Linux feature list will be: "It prevents MS Outlook and Office from running."

    I am an avid Linux user, at home and work. However, I have no illusions that Linux/Unix security is better at preventing viruses from infecting a machine. According to "A Short Course on Computer Viruses" (see below book info), the smallest virus which only reproduces was a bourne shell script of 8 characters. Though you need about 5 lines for one which will replicate, evolve, do data diddling for damange and work on most Unix systems. I am no expert on viruses, but from what I have read, viruses easily cross user bounderies and security levels. The problem is that no modern OS's have any sort of mechanism to maintain integrity of files. This is usally handled by 3rd party add on applications, like virus scanners, tripwire, etc...

    Anyhow, for those of you who wish to read more about viruses, and interesting/sneaky things which can be done with them, check out:

    A Short Course On Computer Viruses
    Dr. Frederick B. Cohen
    ISBN 0-471-00769-2
  • One of our users (using Netscape for mail) got it from someone at Compaq *rrrgggh*. It wiped our NT file server clean of all .doc .xls and .ppt files. Fortunately we trust our critical files to a Linux Samba server -UNSCATHED!!!

    I'd check again; if anyone had a network drive mapped out to the Samba server, your files on there were at risk (assuming that the user had write privs. on the Samba side).
  • ... will be the one that exploits bugs in the ASP extensions that Microsoft will shove down into the kernel of Win2000 (in an effort to beat Apache at dynamic page serving). Imagine this:

    1. Someone finds a bug in IIS/Win2000 that allows a malformed web request to run arbitrary code delivered by the attacking system.

    2. A virus/worm is written that delivers itself to the victim system via this expoit. I imagine a small bit of seed code would exploit a buffer overflow or some such, and would then download the entire package from a web page on the attacking system.

    3. The main package runs and sets up a similar web page on the new system, and then starts a process that probes for other NT systems that it can attack.

    Something like this could sweep like wildfire through the Internet, taking down every single NT web server. Scary thought. If I were an NT admin, it would keep me up at night.

    Now keep in mind that I have no knowlege that such a bug exists, nor am I advocating its exploitation if it does. But given MS's track record with security and the closed source nature of Windows, this kind of thing very well COULD exist.

    I think I'll be sticking with Linux.

    Thad

  • are you really this stupid and ignorant that you think that just because you use linux that you are invulnerable to this type of attack? i certainly hope not because if you are then you are the problem because this type of attack succedes not because of flaws in an operating system but because of the ignorance of its users.

    While it is true that this type of attack depends heavily on the unwitting participation of the victim, it is also true that Windows leaves itself much more open to exploitation. At least on a Linux box when Average Joe User runs some milicious code, it does NOT alter core system functionality.

    Linux (and UNIX) is inherently more secure than Windows and can do a much better job of protecting the user from his or her own stupidity.

    Thad

  • wrong! they only protect the user from damaging the system but not their onw stupidity. users can just as easly accidentally delete their own files under linux as they could under windows. you argument dosent hold water because you dont seem to truely understand the problem.

    On the contrary, I understand the problem all too well. I have administered large networks of Windows PCs and UNIX workstations. With UNIX, the worst the user can do is nuke their own files... then I have to restore them from backups. On a windows PC, they hose the entire OS to the point that it must be reinstalled, allong with all of their apps and data. This would happen all too often! The same argument holds true for home systems. In most families I've talked to, there is one person who acts as *system administrator* and the others are just users. I'm the sysadmin for my family (even though it is scattered all over the country), and believe me, I wish they were all running Linux. Windows eats its own head way too easily. I've spent long hours talking relatives through problems that would never occur on Linux.

    Thad

  • A couple of people in my office just got bopped by this today. It also nukes files on network drives that are mapped on the target computer, which included a couple of our important file servers...
  • an open source OS would make a lot of difference in terms of how long it takes for the security hole to be closed. I don't think the poster was suggesting that virus source should be open (though that would be cool I suppose). The virus is exploiting already know vulnerabilities in windows. In GNU and *BSD systems such vulnerabilities are usually closed within hours of their being reported (of course it is still important for sysadms to actually apply the patches when they come out...)
  • I work for one of the many departmental networks around my campus. Unfortunatly, they happen to run Windows on all of their client machines. Although I personally have Linux setup on my office machine and my machines at home, the rest of the dept. does not. It just so happens that when one of these annoying macro viruses that M$ Windows is so damn prone to aquiring turns up on our network, I'm the guy that has to fix it. I can't tell you enough how sick I am of these macro viruses. As it turns out, our network is rarely affected by them, but nevertheless, I get a slew of phone calls and emails from scared department employees who just MUST have the latest virus scanner installed so they don't get such viruses. I'm certainly glad that this sort of thing does not effect my own systems... but I know there are many of you who, like me, this effects indirectly.

    Just my two pennies.

    Mark
  • Aargh! The CNN article doesn't even mention that only Windows/Outlook users are affected. It's like posting a warning about drowning and not mentioning that it only happens IF YOU'RE HELD UNDER WATER.
  • by RimRod ( 57834 ) on Thursday June 10, 1999 @02:32PM (#1856477)
    "The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .sls, and .ptp, thereby deleting Microsoft Word, Excel, and PowerPoint files."

    Okay. Whoever wrote this has a GREAT sense of humor. Besides the fact that it purports itself via address-book resends, much like the Melissa virus, it destroys files associated with M$ Office. It's not fatal; it's not going to crash your OS, it's not going to reformat your hard drive. It just deletes M$ Office files.

    Legality be damned, this guy is doing us all a favor :)

  • "The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .sls,
    and .ptp, thereby deleting Microsoft Word, Excel,
    and PowerPoint files."

    Fairly clear what that CNN reported recognises
    as valuable data ... never mind that it might
    actually delete something valuable like source
    ...

The difficult we do today; the impossible takes a little longer.

Working...