Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On 30-jan-04, at 7:20, Alexei Roudnev wrote:

> Second problem is directory structure. In Unix, when I configure IDS (osiris or Tripwire or Intact), I can just be sure that 'bin' and 'etc' and 'sbin' and 'libexec' directories do not have any variable files - all non-static files are in /var (Solaris is an exception, they put some pid files into /etc, but even here, it is not a problem). But windose... you do not have any directory which never changes, and I find a few .dll files changed every few days. Every application puts log and data files into its own directory (with the rare exception of applications derived from Unix or written by people with a Unix background). It makes it terribly difficult to configure IDS, and makes the system very vulnerable.

Actually IMO putting all their crap in their own dir is a feature rather than a bug. I really hate the way unix apps just put their stuff all over the place so it's an incredible pain to get rid of it again. I think MacOS got it right: for most apps, installing just means dumping the icon wherever you want it to be, deinstalling is done by dropping it in the trash. The fact that the icon hides a directory with a bunch of different files in it is transparent to the user. And if an installer wants to mess with the system, a request to provide the administrator password comes up, even for users with administrator privileges.

> Of course, it is all a trade-off for functionality, but people overestimate it - many MS benefits come from its dominance, not from functionality.

I think MS's tradeoffs are mainly time to market vs even faster time to market. Hopefully they'll rip off Apple's ideas for their new stuff. Then add some zone alarm like stuff so apps can't mess with the network without the user's permission and we're in pretty good shape.

> And it all makes it a very good target for the viruses / worms.

The fact that SMTP believes everything you tell it doesn't help either.
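Alexei's point about static versus variable trees is what makes a file-integrity baseline workable on Unix: everything outside /var can be declared immutable, so any change there is a finding. The following is an added example, not code from the thread or from Tripwire/Osiris/Intact: a small baseline tool that hashes a tree, stores the digests as JSON, and on rescan reports changes under a declared volatile prefix separately from changes to the static tree. The directory names and the VOLATILE_PREFIXES tuple are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed layout for the example: "bin/" and "etc/" stand in for the
# static trees (/bin, /etc, /sbin, /libexec); "var/" stands in for /var, the
# one tree that is expected to change between scans. An assumption, not a
# real policy file.
VOLATILE_PREFIXES = ("var/",)


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root, POSIX
    separators) to its digest and permission bits. Symlinks are skipped."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": hash_file(path),
                "mode": path.stat().st_mode & 0o7777,
            }
    return baseline


def is_volatile(rel):
    return rel.startswith(VOLATILE_PREFIXES)


def compare(old, new):
    """Diff two baselines. Anything under a volatile prefix goes into its
    own bucket so routine log growth does not bury a changed binary."""
    report = {"static_modified": [], "static_added": [],
              "static_removed": [], "volatile_changed": []}
    for rel in sorted(set(old) | set(new)):
        if rel in old and rel in new:
            if old[rel] == new[rel]:
                continue
            bucket = "static_modified"
        elif rel in new:
            bucket = "static_added"
        else:
            bucket = "static_removed"
        if is_volatile(rel):
            bucket = "volatile_changed"
        report[bucket].append(rel)
    return report


def demo():
    """Take a baseline of a constructed tree, let a log grow under var/,
    replace a binary under bin/, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"\x7fELF original build")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "var" / "log" / "messages").write_text("Jan 28 boot\n")

        # Round-trip the baseline through JSON, as a real tool would keep it
        # on read-only media between runs.
        baseline = json.loads(json.dumps(build_baseline(root)))

        with (root / "var" / "log" / "messages").open("a") as fh:
            fh.write("Jan 28 login\n")                          # expected: volatile
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced")  # suspicious

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

On a Windows layout the same code runs, but there is no prefix that can honestly be declared static, which is exactly the configuration problem Alexei describes: every change has to be reviewed rather than bucketed.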
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Fri, 30 Jan 2004, Iljitsch van Beijnum wrote:

> Actually IMO putting all their crap in their own dir is a feature rather than a bug. I really hate the way unix apps just put their stuff all over the place so it's an incredible pain to get rid of it again.

Putting all crap in the working directory is bad design (no way to separate read-only stuff from mutable). Unix/Linux design (all over the place) is pure and simple lack of discipline, or a hack-before-thinking approach. Plan 9 nearly got it right, but for the lack of persistent mounts (it's all in an rc file, executed at each login).

> I think MacOS got it right: for most apps, installing just means dumping the icon wherever you want it to be, deinstalling is done by dropping it in the trash. The fact that the icon hides a directory with a bunch of different files in it is transparent to the user.

That's UI. Inside it's the same Unix crap.

> I think MS's tradeoffs are mainly time to market vs even faster time to market.

It's mostly the "We don't care, we don't have to, we're The Microsoft" mentality.

--vadim
Re: in case nobody else noticed it, there was a mail worm released today
On Wed, Jan 28, 2004 at 07:37:09PM -0800, [EMAIL PROTECTED] said:
> Scott Francis [EMAIL PROTECTED] wrote:
> > I've been wondering lately, after about 10 years of email worms spreading in exactly the same manner with every incarnation ... why do you think people haven't learned not to open unexpected attachments yet?
>
> Blaming it on end users is one way to look at the problem, but not a way that will result in a solution. You should be wondering, after 10+ years of virus laden MS operating systems, why they haven't fixed this stuff. Similar vulnerabilities in Unix, Mac, and other OS were fixed long ago.

[snip]

this is actually what I was driving at, but I've had so MANY anti-MS rants over the last few years, I thought I'd take a different tack. :)

> > (Note: I really do not want this to degenerate into another rant against vendor M;
>
> Sorry for not sharing your disinterest in the actual reasons we continue to see these viruses and trojans infecting MS and, for all intents and purposes, only MS operating systems.

oh, I share your position, believe me! It just seems that efforts to force MS to change have had little effect, and I was hoping that maybe if we attacked the issue from another angle, it might be productive. :)

-- 
Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527
"I gave you the chance of aiding me willingly, but you have elected the way of pain!" -- Saruman, speaking for sysadmins everywhere
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
> Most Windows boxes are running with administrative privileges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next.

This is problem #1. Unfortunately, Windose is too complex and has too much legacy, so everyone must run as an administrator (try to install Visio without admin privileges...).

Problem #2 - using extensions to select an application - maybe it's a very good idea, but it complicates the virus (worm) problem.

Problem #3 - Monoculture.
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Wed, 28 Jan 2004, Alexei Roudnev wrote:

> > Most Windows boxes are running with administrative privileges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next.
>
> This is problem #1. Unfortunately, Windose is too complex and has too much legacy, so everyone must run as an administrator (try to install Visio without admin privileges...).

The whole point of the infamous *.DLL was to provide local libraries for applications like unix *.lib.so files. This was corrupted by app vendors who were too deadline focused to install their DLL's in the application directory. Of course this was abetted by the ability of an application to write into the system directories. When NTFS came out an ordinary user could not write the system directory tree. Hence most users are running as Administrator or equivalent so that they can write into the system tree. This was a bad design decision by MS _and_ application developers. This _is_ fixable by MS by simply not allowing apps to write into the system tree. This of course is a small matter of programming but it would really improve the overall security posture of Windows. Now there are well written applications which do install their DLL's into their own tree; these apps can usually be recognized by _not_ requiring a reboot after installation.

> Problem #2 - using extensions to select an application - maybe it's a very good idea, but it complicates the virus (worm) problem.

Agreed. However magic numbers in the header or having the execute permission bit set bring the same problem to the table.

> Problem #3 - Monoculture.

This greatly exacerbates problems 1 and 2 but is not so much of a problem on its own. i.e. Apache which has over 75% of the webserver market and is infrequently compromised.

Problem #4 MS applications have an unfortunate predilection to run any bit of executable code they find. i.e. a WMA file can contain executable code which media player will happily execute. This is a perfect example of "just because you can do something it does not necessarily follow that you _should_ do something". This dates back to [*]BASIC and the RUN command. It was somewhat useful 10+ years ago, not so much today.
RE: in case nobody else noticed it, there was a mail worm released today
Please pardon my ignorance, but I am *mightily* confused. In a message from Michel Py is the following:

> [snip]
> > and ISTR one patch for Outlook 2000 that blocked your ability to save executables was released)
>
> It's the default in Outlook XP and Outlook 2003, which has prompted large numbers of persons to download Winzip, which has not stopped worms from being propagated as you pointed out.
>
> Michel.

The bit I don't get is how a zip file is created such that launching it invokes winzip and then executes the malware. When I open a normal .zip file, winzip opens a pane that shows me the contents. After that I can extract a file or I can doubleclick on a file to open it - which if it is executable will cause it to execute. I haven't seen a case where simply opening a zip archive causes execution of something in its contents unless it is a self extracting archive, in which case it unzips and executes, but doesn't have the .zip suffix.

Would anyone explain to me how this occurs (and if RTFM with a pointer to the M is the best way, then so be it!)

Thanks in advance

Chris
Re: in case nobody else noticed it, there was a mail worm released today
Christopher Bird wrote:
> Please pardon my ignorance, but I am *mightily* confused. In a message from Michel Py is the following:
>
> > [snip]
> > > and ISTR one patch for Outlook 2000 that blocked your ability to save executables was released)
> >
> > It's the default in Outlook XP and Outlook 2003, which has prompted large numbers of persons to download Winzip, which has not stopped worms from being propagated as you pointed out.
> >
> > Michel.
>
> The bit I don't get is how a zip file is created such that launching it invokes winzip and then executes the malware. When I open a normal .zip file, winzip opens a pane that shows me the contents. After that I can extract a file or I can doubleclick on a file to open it - which if it is executable will cause it to execute. I haven't seen a case where simply opening a zip archive causes execution of something in its contents unless it is a self extracting archive, in which case it unzips and executes, but doesn't have the .zip suffix.
>
> Would anyone explain to me how this occurs (and if RTFM with a pointer to the M is the best way, then so be it!)

I don't think that was the point Michel was trying to make. I believe he meant that MS stopped the ability to _even_ save executables attached to emails to disk in some forms of Outlook, but this did nothing to stop the spread of viruses. People simply sent executables as zipped files, which people then had to extract to run. Despite the fact that an external program has to be used to get to the executable, people still run them.

Sam
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Thu, 29 Jan 2004 07:41:20 -0500 (EST), you wrote:

> ...
> When NTFS came out an ordinary user could not write the system directory tree. Hence most users are running as Administrator or equivalent so that they can write into the system tree. This was a bad design decision by MS _and_ application developers. This _is_ fixable by MS by simply not allowing apps to write into the system tree. This of course is a small matter of programming but it would really improve the overall security posture of Windows. Now there are well written applications which do install their DLL's into their own tree; these apps can usually be recognized by _not_ requiring a reboot after installation.
> ...

Actually, it's more of an issue in the registry than the file system; older apps tend to want to write the global HKLM, rather than the user-specific HKCU.

But, regardless, Win2K and WinXP do have restricted-user modes that tie this stuff down quite well. They tend to be used in corporate environments. But for home users, it gets to be a pain in the butt, because it prevents a lot of things users want to do, like installing games, multimedia apps and spyware.

You can't really have it both ways; if you can install apps, you can install viruses and trojans. I don't see this being much different regardless of the OS you run. And until you have earned some battle scars, you're not afraid of the pretty toys.

It would be nice, though, if there were a legitimate 'su' analog in Windows -- sorry, runas doesn't cut it. Makes it hard to normally run restricted, and explicitly enable temporary privs sometimes...

/kenw

Ken Wallewein
KM Systems Integration
Phone (403)274-7848 Fax (403)275-4535
[EMAIL PROTECTED] www.kmsi.net
RE: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
[EMAIL PROTECTED] wrote:
> But, regardless, Win2K and WinXP do have restricted-user modes that tie this stuff down quite well. They tend to be used in corporate environments.

Indeed, and the one reason being that the last thing the IT staff wants is users installing apps, because even if the user is not installing a worm or Trojan, installing software inevitably generates incompatibilities and demand for more support.

> But for home users, it gets to be a pain in the butt, because it prevents a lot of things users want to do, like installing games, multimedia apps and spyware.

Yep. In XP home, it's easy to have several users on the same machine but by default they all have administrative rights.

[EMAIL PROTECTED] wrote:
> Microsoft software is inherently less safe than Linux/*BSD software. This is because Microsoft has favored usability over security. This is because the market has responded better to that tradeoff. This is because your mom doesn't want to have to hire a technical consultant to manage her IT infrastructure when all she wants to do is get email pictures of her grandkids.

Exactly.

Michel.
RE: in case nobody else noticed it, there was a mail worm released today
In-line...

Christopher Bird wrote:
> Please pardon my ignorance, but I am *mightily* confused.

Vivien M. wrote:
> and ISTR one patch for Outlook 2000 that blocked your ability to save executables was released)

Michel Py wrote:
> It's the default in Outlook XP and Outlook 2003, which has prompted large numbers of persons to download Winzip, which has not stopped worms from being propagated as you pointed out.

Christopher Bird wrote:
> The bit I don't get is how a zip file is created such that launching it invokes winzip and then executes the malware. When I open a normal .zip file, winzip opens a pane that shows me the contents. After that I can extract a file or I can doubleclick on a file to open it - which if it is executable will cause it to execute. I haven't seen a case where simply opening a zip archive causes execution of something in its contents unless it is a self extracting archive, in which case it unzips and executes, but doesn't have the .zip suffix.

The point is, if the user opens the zip file in the first place, and if the file name it contains does not look suspicious, the user _will_ also double-click on the file within the winzip window, which extracts the file in a temp folder _and_ executes it.

Sam Stickland wrote:
> I don't think that was the point Michel was trying to make. I believe he meant that MS stopped the ability to _even_ save executables attached to emails to disk in some forms of Outlook,

Yes. If you send me an .exe file, I can _not_ save it nor execute it. Outlook deletes the attachment, and now Exchange 2003 deletes it on the server as well before it even has a chance to get to Outlook.

> but this did nothing to stop the spread of viruses. People simply sent executables as zipped files, which people then had to extract to run. Despite the fact that an external program has to be used to get to the executable, people still run them.

Exactly. Actually, there are faster ways to send executable files without zipping them: rename the file as .txt, and put a little note in the email saying that the .txt file is in reality an .exe and must be renamed. Don't even need Winzip. Voila.

This latest worm is all about social engineering; remember: some users still fall for the hoaxes that claim Norton or McAfee does not detect a virus and instruct them to delete a system file. Gee, some even fall for that herbal stuff that promises to put a foot in their pants. Given the number of people that have fallen for the "Microsoft update" and the 7-bit ascii we are seeing these days, they would rename the file and run it if they believe they have to do it.

Three years ago, I opened an .exe that contained a virus. At lunch with my colleagues, we discussed the Florida ballots. In the evening, I received an email from one of my co-workers whose subject was "Florida ballots" containing an .exe file; given that the saddam.exe he sent before was rather entertaining, I executed it. The anti-virus signature was not available yet, busted. Social engineering it is.

The bottom line is this: no matter what safeguards you put in the system, and no matter how many times you instruct users to be careful opening attachments, the one and only thing that makes users think is when they open a worm and get screwed/lose data/look stupid.

Michel.
Re: in case nobody else noticed it, there was a mail worm released today
: The rate of it is quite surprising. By the description, the trick /
: method of infection does not seem all that different than past worms
: viri. Makes me wonder how many people in a room would reach into their
: purse/pocket on hearing, "Wallet inspector"

Every single person that still opens these damn attachments! :-(

IN WINDOWS!

scott
Re: in case nobody else noticed it, there was a mail worm released today
On Mon, Jan 26, 2004 at 09:00:40PM -0500, [EMAIL PROTECTED] said:
> We are seeing 2 wide spread worms right now, mydoom and dumaru.* NAI has info at http://vil.nai.com/vil/content/v_100983.htm and http://vil.nai.com/vil/content/v_100980.htm
>
> The rate of it is quite surprising. By the description, the trick / method of infection does not seem all that different than past worms viri. Makes me wonder how many people in a room would reach into their purse/pocket on hearing, "Wallet inspector"

I've been wondering lately, after about 10 years of email worms spreading in exactly the same manner with every incarnation ... why do you think people haven't learned not to open unexpected attachments yet? It would seem to me that even the most clueless user would modify his/her behavior after, say, the 25th time they've been infected and had to 1) call tech support or 2) reinstall their OS (or more likely, have someone else reinstall their OS).

Worms today are exploiting the same fundamental flaws they were using 10 years ago, so maybe the question above has the wrong focus. Maybe we should be asking why vendors haven't bothered to fix these problems - it's not like they haven't had enough time or examples.

(Note: I really do not want this to degenerate into another rant against vendor M; for once, I really am curious as to why we're still getting bit by bugs using the same holes they were using with Windows 95 and NT 4. Worms obviously pose a significant financial cost to business, and I heard this latest one mentioned at least 3 times from various non-Internet media outlets yesterday, so public awareness isn't the problem either.)

-- 
Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527
"I gave you the chance of aiding me willingly, but you have elected the way of pain!" -- Saruman, speaking for sysadmins everywhere
Re: in case nobody else noticed it, there was a mail worm released today
> I've been wondering lately, after about 10 years of email worms spreading in exactly the same manner with every incarnation ... why do you think people haven't learned not to open unexpected attachments yet? It would seem to me that even the most clueless user would modify his/her behavior after, say, the 25th time they've been infected and had to 1) call tech support or 2) reinstall their OS (or more likely, have someone else reinstall their OS).

(Uh oh... I think I am about to start something here...)

What you are really touching on here is a social issue that plagues the United States (and most other cultures) repeatedly. The people want to believe in a peaceful, harmless community so we can sleep sound at night and have fluffy dreams of puppies and flowers. Time and again, we try to forget the bad experiences and focus on the benefits we receive from the conveniences we demand. Therefore, born from those conveniences, the bad element sees opportunity and strikes. This is evidenced in many facets of our world. Email, air travel, 24 hour ATMs, and roofing contractors!

Can we change this? Most likely not. But can we complain about it? What else would we do on our lunch hour?

Take care,
Brent
Re: in case nobody else noticed it, there was a mail worm released today
Anyone heard/seen press coverage that labeled it "A Microsoft worm" vice "computer worm"..??? NPR, nyet; pcworld.com, nyet; NYT, nyet. WashPost buried it 75% of the way in: "The virus was written to run on Windows software, and the worm could not be launched by users of other operating systems." but mentioned it.

-- 
A host is a host from coast to coast ............ [EMAIL PROTECTED]
no one will talk to a host that's close ....... [v].(301) 56-LINUX
Unless the host (that isn't close) ..................... pob 1433
is busy, hung or dead ................................. 20915-1433
Re: in case nobody else noticed it, there was a mail worm released today
At 07:17 AM 1/28/2004 -0800, Scott Francis wrote:
> I've been wondering lately, after about 10 years of email worms spreading in exactly the same manner with every incarnation ... why do you think people haven't learned not to open unexpected attachments yet? It would seem to me that even the most clueless user would modify his/her behavior after, say, the 25th time they've been infected and had to 1) call tech support or 2) reinstall their OS (or more likely, have someone else reinstall their OS).

Several reasons,

1) in each of those 10 years there is one more year's worth of human beings for whom this is their first email virus and they have no idea what it is they are clicking on.

2) some people's job legitimately involves getting lots of mail attachments and just as people reflexively click on the "Are you sure you want to do X? Yes, No" messages, these people reflexively open every attachment they get.

3) some people believe everything they read and will always fall for the "here is the response you requested" line du jour, just like there are people who believe that Elvis isn't dead but is living in an East Texas rest home (see www.bubbahotep.com :-)

4) some people never learn :-(

face it, the following quote has always been true and will always be true:

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook.

jon bennett
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
Dave Temkin wrote:
> [snip]
> So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of Microsoft's? Or is it sendmail's fault because it was listening on port 25 and allowed the worm to connect to it? Newsflash: Even those using Netscape Mail, Lotus Notes, etc. on the PC were still potentially infected due to the nesting of the virii.
>
> The worm was not spread through any vulnerability in the operating system, unlike NIMDA/SQLSlammer/etc. This worm was propagated through pure user stupidity, and that'll follow any operating system that Dell/Gateway pre-installs for them. If everyone wants to flame MS, at least do it in a way that doesn't show your own ignorance.
>
> -Dave

<OT>
to me the problem is one of a mono culture. Too much of the same stuff everywhere. doesn't matter if it's MS-Windows, MacOS X or Debian GNU/Linux or bacon and eggs - too much of the same is bad for you..
</OT>

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
: So? Had the virii been an application compiled for RedHat and
: everyone ran RedHat instead of Windows and they downloaded it using
: Evolution and double clicked on it, it would suddenly be RH's fault
: instead of Microsoft's?

I suspect the skill set/clue of RH users is at least an order higher than Windows users. The main problem I see is many e-mail readers default to having the preview pane open and this will then run any app it finds. No clicking required.

James Edwards
Routing and Security Administrator
[EMAIL PROTECTED]
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200 SIP:1(747)669-1965
OT: Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
It's not completely the fault of anything except the end-user. It's like the Jimmy Buffet song says: "Evolution is mean, there's no dumbass vaccine"

scott

On Wed, 28 Jan 2004, Dave Temkin wrote:

: : The rate of it is quite surprising. By the description, the trick
: : method of infection does not seem all that different than past worms
: : viri. Makes me wonder how many people in a room would reach into
: : their purse/pocket on hearing, "Wallet inspector"
:
: Every single person that still opens these damn attachments! :-(
:
: IN WINDOWS!
:
: So? Had the virii been an application compiled for RedHat and
: everyone ran RedHat instead of Windows and they downloaded it using
: Evolution and double clicked on it, it would suddenly be RH's fault
: instead of Microsoft's? Or is it sendmail's fault because it was
: listening on port 25 and allowed the worm to connect to it? Newsflash:
: Even those using Netscape Mail, Lotus Notes, etc. on the PC were still
: potentially infected due to the nesting of the virii.
:
: The worm was not spread through any vulnerability in the operating system,
: unlike NIMDA/SQLSlammer/etc. This worm was propagated through pure user stupidity, and
: that'll follow any operating system that Dell/Gateway pre-installs for
: them. If everyone wants to flame MS, at least do it in a way that doesn't
: show your own ignorance.
:
: -Dave
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Jan 28, 2004, at 11:56 AM, james wrote:

> : So? Had the virii been an application compiled for RedHat and
> : everyone ran RedHat instead of Windows and they downloaded it using
> : Evolution and double clicked on it, it would suddenly be RH's fault
> : instead of Microsoft's?
>
> I suspect the skill set/clue of RH users is at least an order higher than Windows users. The main problem I see is many e-mail readers default to having the preview pane open and this will then run any app it finds. No clicking required.

Not sure why that is the case. Web browsers know better than to execute things, or at least to execute them in a sandbox, and there seems to be much more abuse capabilities in IE / Netscape than $RandomMailReader. How hard is it to tell a mail reader "NEVER execute a binary"? If someone really wants to run a program that was e-mailed to them, they can save the attachment and run it outside the mail reader or something. So things like virus.doc.exe won't get executed by $luser who thinks it was a word doc.

There are ways around this (copy/paste an executable into a word doc, then type "Click here!" in the Word doc), but it might help. Might :)

-- 
TTFN,
patrick
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
RedHat does not allow an attachment to be run, even if the attachment wishes to be run - it uses the 'x' flag, which is not an attachment's attribute. Linux users are not Administrators, so a virus can not infect the whole system,... Etc etc. (Why RedHat? It is the worst Linux among all. Use SuSE or Mandrake).

> : : The rate of it is quite surprising. By the description, the trick /
> : : method of infection does not seem all that different than past worms
> : : viri. Makes me wonder how many people in a room would reach into their
> : : purse/pocket on hearing, "Wallet inspector"
> :
> : Every single person that still opens these damn attachments! :-(
> :
> : IN WINDOWS!
>
> So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of Microsoft's? Or is it sendmail's fault because it was listening on port 25 and allowed the worm to connect to it? Newsflash: Even those using Netscape Mail, Lotus Notes, etc. on the PC were still potentially infected due to the nesting of the virii.
>
> The worm was not spread through any vulnerability in the operating system, unlike NIMDA/SQLSlammer/etc. This worm was propagated through pure user stupidity, and that'll follow any operating system that Dell/Gateway pre-installs for them. If everyone wants to flame MS, at least do it in a way that doesn't show your own ignorance.
>
> -Dave
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Wed, Jan 28, 2004 at 12:07:36PM -0500, Patrick W.Gilmore said something to the effect of:
> On Jan 28, 2004, at 11:56 AM, james wrote:
>
> Not sure why that is the case. Web browsers know better than to execute things, or at least to execute them in a sandbox, and there seems to be much more abuse capabilities in IE / Netscape than $RandomMailReader. How hard is it to tell a mail reader "NEVER execute a binary"? If

w00t.

> someone really wants to run a program that was e-mailed to them, they can save the attachment and run it outside the mail reader or something. So things like virus.doc.exe won't get executed by $luser who thinks it was a word doc.

I don't think it's that it's hard, so much as inconvenient. C-level-officer types ;) want point-and-click to open and launch, not to be ordered to port and manipulate attachments to access them. And since that might be too much effort...heck...why not give users a peep-hole preview function that allows them to split the screen and peek into the email without clicking on anything at all? Back-office IT heads would roll if that went away...

We _can_ thank M$ for setting the bar on this one; no one expected irresponsible features like instant access to attached goodies until the Internet-for-Idiots and SMTP-for-the-generally-challenged revolutions were ushered in to the sounds of "Where do you want to go today, and how much do you want to break/spend/consume while you're there?"

I wish I could end this with "Friends don't let friends use Outlook", but I have to agree that the fault still lies primarily in the users that continually refuse to heed the warnings of A) shut that preview pain^N^Nne shee-yit off B) don't execute attachments in email, even/especially if it looks like it might be a really k00l screen saver...

Long live mutt. ;)

ymmv,
--ra

-- 
K. Rachael Treu, CISSP [EMAIL PROTECTED]
..this email has been brought to you by the letters 'v' and 'i'..

> There are ways around this (copy/paste an executable into a word doc, then type "Click here!" in the Word doc), but it might help. Might :)
>
> -- 
> TTFN,
> patrick
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
Unfortunately, Microsoft products seem to have a default which is set to hide file extensions and to make it very difficult to see 'multiple extensions' like the '.doc<many spaces>.pif' in the current worm; it is somewhat easier to dress a vampire in gerbil clothing in these systems than in others.

-- 
-=[L]=-
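The three dodges discussed in this thread (an executable zipped so Outlook's attachment filter never sees the .exe, an executable renamed to .txt with a note asking the recipient to rename it back, and the whitespace-padded '.doc<many spaces>.pif' double extension that a hidden-extensions setting makes invisible) are all visible to a mail gateway that looks at the declared name and the first bytes of each attachment rather than trusting the extension. The following is an added example, not code from the thread or from any product named in it: a Python scanner that parses a MIME message, normalises the extension chain of every attachment, looks one level into zip archives, and flags a PE ("MZ") header behind a non-executable name. The message, the EXECUTABLE_EXTS set and the reason codes are all constructed for the example.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions Windows hands to a loader rather than a viewer. A constructed
# subset for the example, not an authoritative list.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/Windows PE executable


def normalized_extensions(filename):
    """Lower-cased extension chain after removing the whitespace padding
    used to push the real extension off screen:
    'x.doc        .pif' -> ['doc', 'pif']."""
    collapsed = re.sub(r"\s+", "", filename).lower()
    return collapsed.split(".")[1:]


def classify(filename, head):
    """Reason codes for one blob, given its declared name and first bytes."""
    reasons = []
    exts = normalized_extensions(filename)
    executable_ext = bool(exts) and exts[-1] in EXECUTABLE_EXTS
    if executable_ext:
        reasons.append("executable-extension")
        if len(exts) > 1:
            reasons.append("double-extension")
        if re.search(r"\s{2,}", filename):
            reasons.append("padded-name")
    if head[:2] == PE_MAGIC and not executable_ext:
        # An .exe renamed to .txt (or anything else) still starts with MZ.
        reasons.append("pe-disguised")
    return reasons


def scan_message(raw):
    """Map attachment labels to reason codes; looks one level into zips."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify(name, data[:2])
        if reasons:
            findings[name] = reasons
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    # Read only the magic bytes: never inflate a whole
                    # member just to classify it (zip bombs).
                    with zf.open(info) as fh:
                        head = fh.read(2)
                    reasons = classify(info.filename, head)
                    if reasons:
                        findings[f"{name}/{info.filename}"] = reasons
    return findings


def build_sample():
    """Constructed message carrying the three dodges plus one benign file."""
    msg = EmailMessage()
    msg["From"] = "coworker@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Florida ballots"
    msg.set_content("See attached.")
    fake_pe = PE_MAGIC + b"\x00" * 62          # stands in for a real PE file
    # 1. Executable zipped so the .exe never reaches Outlook's filter.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ballots.exe", fake_pe)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="ballots.zip")
    # 2. Whitespace-padded double extension.
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream",
                       filename="document.doc        .pif")
    # 3. Executable renamed to .txt ("rename it back and run it").
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    # 4. Benign.
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for label, reasons in scan_message(build_sample()).items():
        print(label, "->", ", ".join(reasons))
```

The check deliberately reads only two bytes of each zip member, so a member that decompresses to gigabytes costs the scanner nothing; a self-extracting archive, which Chris mentions, is caught by the same MZ test because it is itself a PE file whatever its name.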
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
> On Wednesday 28 January 2004 08:37, Dave Temkin wrote:
> > So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of Microsoft's?
>
> If RedHat, by default had you running as root rather than an unprivileged user, it sure would be. Most Windows boxes are running with administrative privileges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next.
>
> -- 
> Robin Lynn Frank | Director of Operations | Paradigm-Omega, LLC
> "Cry havoc, and let slip the dogs of war!"
> Email acceptance policy: http://paradigm-omega.com/email_policy.php

You're the second person to say that and it's still wrong. The virii, once resident, opens a connection to port 25 on an open SMTP server, whether it be the user's ISP relay or local server. Sure, it can't install itself into /etc/init.d, but it sure can launch itself bg instead of fg and be running until the user either kills it or reboots the box.

Also, for reference to other people - the preview pane does *not* allow the execution of attachments unless they're double-clicked on and acknowledged. Again - we're not talking about another OS or Outlook exploit, only a stupid user exploit.

-- 
David Temkin
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
: Also, for reference to other people - the preview pane does *not* allow : the execution of attachments unless they're double-clicked on and : acknowledged. Again - we're not talking about another OS or Outlook : exploit, only a stupid user exploit. The feature has been fixed but it **did** at one point run apps. James Edwards Routing and Security Administrator [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
> : Also, for reference to other people - the preview pane does *not* allow : the execution of attachments unless they're double-clicked on and : acknowledged. Again - we're not talking about another OS or Outlook : exploit, only a stupid user exploit.
>
> The feature has been fixed but it **did** at one point run apps. James Edwards Routing and Security Administrator [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965

Right, and at multiple points bind and sendmail allowed the execution of code from remote systems without the system owner interacting at all. What's that got to do with today? -- David Temkin
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
: What's that got to do with today? I might be reaching here, but I understand some people never upgrade or patch.
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of james Sent: Wednesday, January 28, 2004 4:02 PM To: [EMAIL PROTECTED] Subject: Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today

> : What's that got to do with today?
>
> I might be reaching here, but I understand some people never upgrade or patch.

True, but that happens regardless of the OS. I'm sure if we looked really hard we could find some ancient versions of bind or sendmail (complete with open relays (speak of old bad defaults...)
Re: in case nobody else noticed it, there was a mail worm released today
Scott Francis [EMAIL PROTECTED] wrote:
> I've been wondering lately, after about 10 years of email worms spreading in exactly the same manner with every incarnation ... why do you think people haven't learned not to open unexpected attachments yet? Blaming it on end users is one way to look at the problem, but not a way that will result in a solution.

You should be wondering, after 10+ years of virus laden MS operating systems, why they haven't fixed this stuff. Similar vulnerabilities in Unix, Mac, and other OS were fixed long ago. They're not patched in Windows because MS doesn't have to. MS doesn't write secure code because they are a monopoly and maintain that status by introducing subtle OS bugs that plague competitive third party applications. They don't publish an API for many of their system calls so nobody can write secure code other than MS themselves. They also run as much of their own software as possible in privileged mode for performance (to avoid context switching). You'll never see any real security from this type of business model.

> (Note: I really do not want this to degenerate into another rant against vendor M;

Sorry for not sharing your disinterest in the actual reasons we continue to see these viruses and trojans infecting MS and, for all intents and purposes, only MS operating systems. -- Roger Marquis Roble Systems Consulting http://www.roble.com/
RE: in case nobody else noticed it, there was a mail worm released today
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Marquis Sent: January 28, 2004 10:37 PM To: [EMAIL PROTECTED] Subject: Re: in case nobody else noticed it, there was a mail worm released today

> > (Note: I really do not want this to degenerate into another rant against vendor M;
>
> Sorry for not sharing your disinterest in the actual reasons we continue to see these viruses and trojans infecting MS and, for all intents and purposes, only MS operating systems.

If Microsoft is the problem, you care to tell me why I haven't gotten infected by a single one of those emailed viruses/worms/trojans despite years of running MS software? (And for that matter, neither have my parents... Apparently, years of yelling at them that 3+ meg binary Christmas cards from their friends were not worth opening, or their friends learned the hard way and hence stopped sending them) I don't think my MS software is any different from anyone else's, except that A) I don't open .SCR attachments B) I actually believe Windows/Office Update is for me, not for the random dude/gal working down at the Burger King down the street. So why is it that idiots doing/not doing these things can't be the problem, but MS must be? And, care to tell me why, as someone else pointed out, if I were to switch to Evolution on your random GNU/Linux distribution, someone couldn't write a similar worm. The reason they don't do it is because there isn't a critical mass of Evolution/GNU/Linux/glibcX.Y to make a big stink... And there is such a critical mass for MS. Let me put it this way: if you know one bank has 100 million dollars in the vault, and another has 5000 dollars, wouldn't you expect most of the bank robbers to focus on robbing the first bank, irrelevant of whether the first bank's vault is better protected than the second's? Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
RE: in case nobody else noticed it, there was a mail worm released today
At 11:05 PM 1/28/2004 -0500, Vivien M. wrote:
> Let me put it this way: if you know one bank has 100 million dollars in the vault, and another has 5000 dollars, wouldn't you expect most of the bank robbers to focus on robbing the first bank, irrelevant of whether the first bank's fault is better protected than the second's?

And if you were a customer of the 100 million dollar bank and their vault was not much much much better protected than the 5000 dollar bank you would be quite justified in vigorously complaining about their irresponsible behavior. jon
RE: in case nobody else noticed it, there was a mail worm released today
On Wed, 28 Jan 2004, Vivien M. wrote:
> And, care to tell me why, as someone else pointed out, if I were to switch to Evolution on your random GNU/Linux distribution, someone couldn't write a similar worm.

Rhetorical questions illustrate a lack of technical rationale, thanks. But do re-read the message you're referring to, specifically, the section regarding unpublished APIs and context switching. If you need more in-depth reasons see any of the URLs listed at http://www.msfree.com/.

> The reason they don't do it is because there isn't a critical mass of Evolution/GNU/Linux/glibcX.Y to make a big stink... And there is such a critical mass for MS.

No, sorry, false analogy though it does account for some portion of MS' mess. The larger reason is that viruses are substantially easier to write for Outlook, Exchange, et al. For another example look at Unix Apache's market share (75%) and its vulnerability share (1%). As Java applications make clear, it doesn't matter what your market share is if the software is secure in the first place. -- Roger Marquis Roble Systems Consulting http://www.roble.com/
RE: in case nobody else noticed it, there was a mail worm released today
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Marquis Sent: January 28, 2004 11:31 PM To: [EMAIL PROTECTED] Subject: RE: in case nobody else noticed it, there was a mail worm released today

> > The reason they don't do it is because there isn't a critical mass of Evolution/GNU/Linux/glibcX.Y to make a big stink... And there is such a critical mass for MS.
>
> No, sorry, false analogy though it does account for some portion of MS' mess. The larger reason is that viruses are substantially easier to write for Outlook, Exchange, et al. For another example look at Unix Apache's market share (75%) and its vulnerability share (1%).

And look at the people who administer/use these things. MS' problem, if you ask me, isn't poor engineering (though I'll grant you I'm sure their stuff could be designed WAY better). The problem is that, as would seem logical for a publicly-traded company out to maximize profits for its shareholders, it designed its stuff to be used/administered by the broadest range of people. Hence, they make it easy to setup (at the cost of security, absolutely), and easy to forget about (especially as it crashes less than it used to)... And then, people don't install the security patches and have no idea about what proper security practices are. So when they find out about the new cool screensaver... Oops. Open source projects aren't out to maximize profits, generally... And they don't generally aim at ease of setup. Whoever sets up Apache using vi to edit httpd.conf needs to have at least a fractional degree of clue. Not enough clue, no doubt... But some clue. Setting up the MS equivalent can probably be done by the random guy on the street wearing a blindfold and with one hand tied to the chair with a Cat 5 UTP cable. That's the problem.

Someone made the argument to me privately that the problem is that MS lets you run attachments from Outlook, while other clients would require you to save the files to disk. That's not a solution: if these people are like my parents used to be, they'd dutifully save the attachment, open up a file manager, and open it up to see the cool new screensaver their best friend sent them (hey, even if it's a virus, I have an antivirus is the usual excuse). Sure, that's three steps instead of one, but for as long as the HUMAN behind the keyboard wants to open the attachments, whether it takes two clicks or fifty keystrokes, that attachment will get opened.

Why doesn't this happen to Evolution users? My guess is, if you a) know what Linux is, b) know how to set it up, and c) know what Evolution is, you have enough CLUE to know that executable attachments from your friends that come with a grammatically-incorrect email body are trouble. MS has made a business of putting computers into the hands of people who do not have that clue, and do not want to acquire that clue. The fact that they've been INCREDIBLY successful at doing it is the problem. Sure, they could put a few more hoops to slow the viruses down... but for as long as the person behind the keyboard wants to run the attachment, a way will be found (and ISTR one patch for Outlook 2000 that blocked your ability to save executables was released), and whoever tries to stop them will be seen as the mean party here. Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
RE: in case nobody else noticed it, there was a mail worm released today
Vivien M. wrote:
> Someone made the argument to me privately that the problem is that MS lets you run attachments from Outlook, while other clients would require you to save the files to disk. That's not a solution: if these people are like my parents used to be, they'd dutifully save the attachment, open up a file manager, and open it up to see the cool new screensaver their best friend sent them (hey, even if it's a virus, I have an antivirus is the usual excuse). Sure, that's three steps instead of one, but for as long as the HUMAN behind the keyboard wants to open the attachments, whether it takes two clicks or fifty keystrokes, that attachment will get opened.

Indeed. I remember the good old days when I was working with an OS called Flex, which was designed mainly for S-100 machines running the 6809 processor (ISTR that it was a competitor to something called OS/9). Anyway, when one wanted to delete a file or do something like that, it asked are you sure and you had to type y and then it asked are you really sure and you had to type y again. After a while our brains rewired our fingers so whenever the y key was required it was hit twice in a row, which eventually led to new words (spell check was unknown at the time) such as yyankee, honeyy, new-yyorker, and so on. We ended up hacking the kernel so it did not ask twice.

> (and ISTR one patch for Outlook 2000 that blocked your ability to save executables was released)

It is the default in Outlook XP and Outlook 2003, which has prompted large numbers of persons to download WinZip, which has not stopped worms from being propagated as you pointed out. Michel.
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
> I suspect the skill set/clue of RH users is at least an order higher than Windows users.

really, based on experience that would be surprising, rh is now so easy to get and install, securing it is still problematic for most users

> The main problem I see is many e-mail readers default to having the preview pane open and this will then run any app it finds. No clicking required.

hmm i've not checked, i thought this virus came as executables so you need to click a couple boxes before it will run. Steve

> James Edwards Routing and Security Administrator [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
RE: in case nobody else noticed it, there was a mail worm released today
This lovely little worm will start beating on the door at www.sco.com come Feb 1/04. Interesting huh?

At 09:01 PM 26/01/2004 -0500, Wojtek Zlobicki wrote:
> The worm is being talked about on news.com and all the major virus vendors already have advisories on their websites. The worm in my case masqueraded as a Mailer Daemon bounce. Source email address appeared to be valid and matching a domain of a website I visited recently (but have not for a long time). Anyone know how the worm generates the sending domain?
>
> -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Vixie Sent: Monday, January 26, 2004 8:52 PM To: [EMAIL PROTECTED] Subject: in case nobody else noticed it, there was a mail worm released today
>
> > my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.
RE: in case nobody else noticed it, there was a mail worm released today
> This lovely little worm will start beating on the door at www.sco.com come Feb 1/04. Interesting huh?

Wonder if we should all be proactive to prevent the DoS attack, and drop the A records for www.sco.com now? Just in case any customers' clocks are set forward ;-) This virus, so far, has been the most prolific (in terms of copies per hour) I've seen on a number of sites' (our own included) virus scanning servers, not a good sign. It did slow down by around 10% at COB AEDT but I wouldn't be surprised to see a big surge as the US business day starts. Even just my personal inbox is getting around 5/minute (direct copies combined with bounces from forged messages). Interestingly, the vast majority of the bounces are to an address that has never been used to send mail, and is only rarely given over the phone, david@domain-of-isp-i-work-for. One of the virus scanners here is getting around 20/second. David.
Re: in case nobody else noticed it, there was a mail worm released today
: The rate of it is quite surprising. By the description, the trick / : method of infection does not seem all that different than past worms : viri. Makes me wonder how many people in a room would reach into their : purse/pocket on hearing, Wallet inspector

Every single person that still opens these damn attachments! :-( scott
Re: in case nobody else noticed it, there was a mail worm released today
Paul Vixie [1/27/2004 7:22 AM] :
> my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.

MyDoom / Novarg etc http://news.com.com/2100-7349_3-5147605.html?tag=nefd_top -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: in case nobody else noticed it, there was a mail worm released today
We are seeing 2 widespread worms right now, mydoom and dumaru.* NAI has info at http://vil.nai.com/vil/content/v_100983.htm and http://vil.nai.com/vil/content/v_100980.htm The rate of it is quite surprising. By the description, the trick / method of infection does not seem all that different than past worms / viri. Makes me wonder how many people in a room would reach into their purse/pocket on hearing, Wallet inspector ---Mike

At 08:52 PM 26/01/2004, Paul Vixie wrote:
> my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.
RE: in case nobody else noticed it, there was a mail worm released today
The worm is being talked about on news.com and all the major virus vendors already have advisories on their websites. The worm in my case masqueraded as a Mailer Daemon bounce. Source email address appeared to be valid and matching a domain of a website I visited recently (but have not for a long time). Anyone know how the worm generates the sending domain?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Vixie Sent: Monday, January 26, 2004 8:52 PM To: [EMAIL PROTECTED] Subject: in case nobody else noticed it, there was a mail worm released today

> my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.
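The two observations in this part of the thread, a high degree of splay in the SMTP peer address and lures dressed up as mailer-daemon bounces, are exactly the signals a receiving site can compute from its own logs before any signature exists: one payload, many unrelated senders. The following is an added example for this page, not code from the thread or from any MTA; the log format, every log line, the /16 grouping and the thresholds are constructed and chosen for the demonstration.

```python
"""Pick a mass-mailing worm out of inbound mail logs by the property noted
above: one and the same payload arriving from many, widely scattered SMTP
peers, often with a bounce-style sender. Added example, not code from the
thread; the log format and every line below are constructed for the
demonstration and match no particular MTA.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log shape: "<timestamp> peer=<ip> from=<envelope sender> attach=<payload hash>"
LOG_RE = re.compile(r"peer=(?P<peer>[\d.]+) from=<(?P<sender>[^>]*)> attach=(?P<hash>\S+)")
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster"}

SAMPLE_LOG = """\
2004-01-26T20:01:11 peer=10.1.0.7 from=<mailer-daemon@example.com> attach=sha1:a1a1
2004-01-26T20:01:40 peer=203.0.113.5 from=<list@example.net> attach=sha1:b2b2
2004-01-26T20:02:05 peer=10.2.3.4 from=<postmaster@example.net> attach=sha1:a1a1
2004-01-26T20:02:31 peer=172.16.9.9 from=<bob@example.org> attach=sha1:a1a1
2004-01-26T20:03:02 peer=203.0.113.5 from=<list@example.net> attach=sha1:b2b2
2004-01-26T20:03:19 peer=172.17.0.2 from=<MAILER-DAEMON@example.org> attach=sha1:a1a1
2004-01-26T20:03:44 peer=192.168.1.20 from=<carol@example.com> attach=sha1:a1a1
2004-01-26T20:04:10 peer=203.0.113.9 from=<alice@example.org> attach=sha1:c3c3
2004-01-26T20:04:27 peer=10.1.0.8 from=<postmaster@example.org> attach=sha1:a1a1
2004-01-26T20:04:59 peer=203.0.113.5 from=<list@example.net> attach=sha1:b2b2
2004-01-26T20:05:13 peer=192.0.2.77 from=<mailer-daemon@example.net> attach=sha1:a1a1
2004-01-26T20:05:41 peer=198.51.100.3 from=<dave@example.net> attach=sha1:a1a1
2004-01-26T20:06:02 peer=203.0.113.5 from=<list@example.net> attach=sha1:b2b2
"""


def parse_log(text: str) -> list[dict]:
    """Extract peer, envelope sender and attachment hash from each matching line."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def payload_spread(rows: list[dict]) -> dict[str, dict[str, int]]:
    """Per payload hash: copies seen, distinct peers, distinct /16s, bounce-style senders."""
    by_hash = defaultdict(list)
    for r in rows:
        by_hash[r["hash"]].append(r)
    report = {}
    for h, rs in by_hash.items():
        peers = {r["peer"] for r in rs}
        # Coarse network spread: a worm on home PCs lands in many /16s, a single
        # chatty list server or relay stays inside one.
        nets = {ipaddress.ip_network(f"{p}/16", strict=False) for p in peers}
        bounce_like = sum(r["sender"].split("@")[0].lower() in BOUNCE_LOCALPARTS for r in rs)
        report[h] = {"copies": len(rs), "peers": len(peers),
                     "nets16": len(nets), "bounce_like": bounce_like}
    return report


def suspected_worms(report: dict, min_peers: int = 5, min_nets: int = 3) -> list[str]:
    """Hashes whose spread looks like a worm rather than one busy sender (thresholds are illustrative)."""
    return sorted(h for h, s in report.items()
                  if s["peers"] >= min_peers and s["nets16"] >= min_nets)


if __name__ == "__main__":
    report = payload_spread(parse_log(SAMPLE_LOG))
    for h, s in report.items():
        print(h, s)
    print("suspected worm payloads:", suspected_worms(report))
```

The newsletter payload in the sample arrives four times but from one peer in one /16, so it is not flagged; the worm payload arrives from eight peers in seven /16s, five of them claiming to be a mail system, which is the pattern the thread is describing. The same grouping can be run per attachment hash on a scanner's quarantine to decide which payload to block first.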