A fast-moving email worm that began spreading on Thursday has been able to affect hundreds of thousands of computers worldwide, anti-virus provider Symantec warned. The email arrives with the subject “Here you have.” An executable screensaver that's disguised as a PDF document then tries to send the same message to everyone …
Hey, considering the creators of this worm are providing us with a (free!) valuable (free!) resource (that's free!), why not take full advantage of this situation and use the worm as a litmus test whose outcome decides whether or not a person should be allowed on the internet?
Really now, do YOU want somebody on YOUR internet that (1) opens unknown attachments (which is bad enough) and (2) surfs without virus protection (despite being a complete and utter tit)? No, of course you don't! So, do your part: if you know a friend, family member or "colleague" that has been struck by the "Here You Go" worm, give them a hearty handshake, thank them for their time and then chuck their computer out the window to the skip waiting below.
In fact, you could probably go ahead and chuck them into the skip, too, as if they don't have enough smarts to not go poking around without protection online, they're probably poking around with protection in other places, too. (ahem)
Given the description above...
...it seems you've met the wife's brother. In that case you won't mind if I refer all his future computer problems to you, will you?
Let me buy you a pint in advance. Cheers!
Yes, very funny
But what you fail to realise is that most of the people out there in TRW are not geeks like you and I. To them a computer is just a tool that can be used to do stuff and they, rightly or wrongly, expect it to do that stuff without them having to pick and poke like they are navigating a minefield every time they use it.
Do you think it is impossible to develop a device that can provide a simple, secure, user tolerant network browsing facility? Is being p0wned simply because you inadvertently click on the wrong thing an inevitable part of using the internet, or do you think the IT industry, and Microsoft in particular, should do a better job of making less fragile and p0wnable products in the first place?
Microsoft have a lot to answer for in the way PCs have evolved, especially taking into account the low expectations of users.
Why is it that BSOD is just an accepted part of using a computer for so many people?
You yourself imply that anybody who runs a computer without a virus checker should be considered to be a moron. Why? I don't use a virus checker on my PC. I guess that makes me a moron right?
I think a lot more can and should be done to provide non technical users with products that aren't a dog's breakfast of security vulnerabilities, where userspace is so horribly intertwined with systemspace that the slightest indiscretion can cause system wide p0wnage and significant potential financial loss for the user involved.
But that's just my opinion, YMMV
I like the gusto
...but you've got some of your facts wrong. First, the payload was not an attachment, it was an obfuscated URL meant to look like a PDF that went to an SCR. It also propagated by PAB and company directory, so there was a chance that they knew who sent it. lUsers should know better, agreed.
Also, current desktop AV - McAfee at least - did nothing to prevent the execution or propagation.
So that being said, we were joking around about this being the pink slip virus - so again, not disagreeing per se, just clearing up the details.
"But what you fail to realise is that most of the people out there in TRW are not geeks like you and I. To them a computer is just a tool..."
Yes, but even the stupidest of people with a toolbox knows that the first thing you do with your tools is look after them so they can continue to perform the functions for which they were designed. It's just in this case, the care revolves around cowering behind a suitable firewall and AV software that isn't McAfee, rather than keeping them clean and rust-free.
It's just a difference.
"Why is it that BSOD is just an accepted part of using a computer for so many people?" That is a Linuxtard myth. I've used Windows intensively, almost daily, since Win95 fifteen years ago, and the only blue screens I can remember ever seeing on my own computers have been caused by dodgy hardware.
Supposing you got mugged in the street,
would that be your own fault for not having a full time bodyguard?
While I would pass you litmus test, it's more because I am a bit paranoid about introducing unknown s**t onto my computers.
As for users, it's not their fault if they expect their computer to work properly. I mean here in the real world, how often do you hear about people dying because they opened their newspaper, and there was an article that made their brain explode? And from the description here, they receive the email from someone they know.
I blame it all on the OS writers. There seem to be 2 options for files:
Option 1. Don't open it, look at it, or even allow your pointer to move over it. (This fails because of autorun etc.)
Option 2. Run, look at etc. the file. This gives it almost complete unfettered access to everything. It can use any resource it wants, and can persist forever without any way of getting rid of it or working out what it has been up to.
In my book, execution is not an automatic right. It should be possible to say what resources any program/file can have (e.g. why should a webpage turn on my webcam?). I think everything should be run in its own sandbox. Users shouldn't have to worry about this kind of thing.
"If they don't have enough smarts to not go poking around without protection online, they're probably poking around with protection in other places, too. (ahem)"
Or, as I said a short while back after giving up some of my time to fix a friend's badly infe[c|s]ted computer: Protecting your PC from malware is like making love to a beautiful woman... it's better to use a condom than a morning after pill. Good A/V is the condom. I am the morning after pill.
Thinking about it now, though, I should have likened myself to the STI clinic. :)
The problem with that litmus test
is for it to work you would have to be in higher position in work than your managers.
>Why is it that BSOD is just an accepted part of using a computer for so many people?
BSODs are extremely rare these days. XP SP2 pretty much killed them off in my experience.
But the rest of your post I agree with.
"To them a computer is just a tool that can be used to do stuff and they, rightly or wrongly, expect it to do that stuff without them having to pick and poke like they are navigating a minefield every time they use it."
Yes, I believe every person coming out of a crashed car because he/she didn't know which pedal was the accelerator and which one the brake had the same complaint.
If you've been warned about the virii - and Grud knows there were enough virus scare stories in newspapers and on TV - and did nothing, it *is* your fault.
That's because you get RedSOD or BlackSOD
Not the same thing at all.
You don't have a choice if you meet a mugger. Email viruses or 419 scams need the victim to cooperate.
They're called 'users'...
...and it's up to us to protect them and provide systems which work well.
Your mentality is the root of many IT problems currently - would you like it if your doctor chucked you out of his waiting room because you don't know what steatopygia means?
No - the doctor does the complicated diagnosis and writes the prescription - all you have to manage is to swallow a pill regularly.
Much better solution which I've been running for these damn, problematic, troublesome users is to get them to buy Macs or I've installed Ubuntu.
Problem solved - not just sneering at them cos they don't know assembler. We are supposed to provide solutions.
'Not the nine o'clock news' showed your type a couple of decades ago - woofers and tweeters - you've already got 'em!
'that isn't McAfee'
So not only are users supposed to be aware of AV stuff - but to know which to avoid?!?
Have you met any ordinary people? Does your Gran know how to download, install, run AV software - but not McAfee?
As mentioned elsewhere - a far better solution is to install Ubuntu or similar - my dear ol' mum is fine with Ubuntu and she's 71.
"You yourself imply that anybody who runs a computer without a virus checker should be considered to be a moron. Why? I don't use a virus checker on my PC. I guess that makes me a moron right?"
1. In exact terms; without vagueness.
2. Exactly (used to emphasize the complete accuracy or truth of a statement).
Really? You've never had a piece of software cause a BSOD? Never had a Windoze update hork your system? That sounds like a Mactard statement to me.
"...do YOU want somebody on YOUR internet that... surfs without virus protection (despite being a complete and utter tit)? No, of course you don't! "
I surf without virus protection or a firewall - who are you to tell me I'm wrong? If I want to risk infections then that's up to me. I have made the choice that the increased speed I get on my rig makes it worth the downside. I also only run a vanilla XP install without the SPs/hotfixes as the more of that stuff you apply the more clogged your system is.
I can live with a few infections but if things get too bad I simply wipe and reinstall - since I don't apply SPs etc. then this is a quick job.
But we are
We're BOsFH, after all. There are *so* many ways to make lusers suffer... Oh, you mean on the totem pole. Who ever took *that* seriously?
We could use a BOFH icon but BB will do nicely in a pinch.
Do you lick the sidewalk?
Well, your computer thinks this is a good idea.
The average n00b user should not have to worry that their OS insists on ingesting every piece of crap it finds on the sidewalk in the poorest part of the city. It should just be a little bit smarter than that.
blah blah McAfee are S*** (slow)
@ AC Posted Friday 10th September 2010 05:30 GMT
"Also, current desktop AV - McAfee at least - did nothing to prevent the execution or propagation."
I guess that depends on when you get infected and how often you update your AV....
At 9pm GMT McAfee notified all users on their security lists that they were seeing lots of issues, at 10.30pm GMT they released an extra DAT, at 4.00am GMT they released an out of schedule DAT update while also posting a standalone stinger tool to clean and repair.
I thought they were pretty quick this time (makes a change)
And how many times have you told the users "Don't click on that!"?
"anybody who runs a computer without a virus checker should be considered to be a moron. Why? I don't use a virus checker on my PC. I guess that makes me a moron right?"
er ... yes?
The poster I was replying to implied that the users getting infected were not running AV when none of the AV vendors had sigs for this when it went crazy yesterday. Current AV or not, if a user clicked the link their machine was going to get infected. I'd agree that they were pretty quick about getting the desktop sigs out - I wasn't trying to slam them with that comment.
My concern on AV sigs is more on the mail infrastructure side. We had environments cranking out, and queueing up, hundreds of thousands of messages in the space of an hour or two. If this virus had randomized itself more (different subject lines, different bodies) this could have caused epic outages just like the old days. Speedy sig updates on the mail infrastructure side are important. A few machines getting infected is one thing, crippling an entire messaging infrastructure is completely different - and what I saw yesterday was completely capable of doing it.
No virus scan here either
I love using my CPUs for stuff I wanted to do.
@Kevin Bailey - They're called 'users'...
I run Messaging and Collab for roughly 100k seats - I know how to spell 'users'. I'm posting anonymously on El Reg and I'm not allowed to make a lUser crack without getting everyone's knickers in a twist... come on.
The fact of the matter is that in a professional/corporate environment users should know better than to click on mysterious, unsolicited links. Over 90%, at least, of mail on the internet is SPAM, Phishing attempts, or viruses - they will occasionally get through and users need to exercise caution. A user will occasionally bite on one of these, it comes with the territory too, and we get to clean up the mess. Ultimately it's a little extra job security for us, but don't deny us our anonymous grumbling.
That said, it wasn't IT looking for the first user that clicked on the link and started the chain reaction that almost took down the company's mail infrastructure - it was management. We were joking about this being the pink slip virus because upper management was going hunting for the first poor SOB that clicked on the link. I wouldn't think it's proper to really terminate anyone's employment because of something like this, but at the same time in professional environments users are expected to be responsible with company assets and information.
Now for home users, I really don't have a strong opinion. I notified my F&F of the situation yesterday, and while I run up to date AV on all my home machines I can't exactly say I'd be surprised if I had come home to infected machines.
I must have seen an awful lot of dodgy hardware!
It's funny how a lot of dodgy hardware started to work better with 98SE and was stable with 2000.
Then you must have been really lucky. Win95 (and 98) with rare BSOD? Yeah, right. Any hardware too, nothing dodgy. Look funny at memory allocation and the thing falls over. If you had started your series with Win 2000, the last Windows I used to a reasonable extent, I might have believed you. That seemed much more solid as far as I remember (10 years is a long time). But including Win95 and 98 in that statement seriously undermined your whole point there.
The e-mail vector on this virus that I saw with numerous clients (names that you probably know but that's all I'll say) were extremely consistent. All had the same subject line, referenced a fake shareddocuments.com PDF that was really a something.something.co.uk address with a .scr
The propagation through Outlook was extremely fast - backlogging entire environments where it was executed by just a handful of users.
Interesting anecdote, but the antispam was more useful than the antivirus - the AV vendors really weren't on their A-game today IMO
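A gateway-side check for the lure pattern described in the post above (a known subject line, and a link whose visible text looks like a PDF while the target path ends in .scr), written as an added example for this thread; it is not code from the article or any poster, and the domains, filename and sample message are constructed.

```python
"""Gateway-side check for the lure described in this thread: a mail whose body
shows a PDF-looking link that really fetches a Windows .scr executable. Added
example, not from the article or any poster; domains and filenames are made up."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}  # runs on open
DOCUMENT_HINT = re.compile(r"\.pdf\b", re.IGNORECASE)  # what the user thinks it is
URL_RE = re.compile(r"https?://[^\s<>\"']+")           # bare URLs in the body text
KNOWN_SUBJECTS = {"here you have"}                      # subject quoted in the article


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_extension(href):
    """Extension of the URL's last path segment ('.scr'), or '' if none."""
    name = urlparse(href).path.lower().rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def classify_message(raw):
    """Return the reasons a message matches the lure pattern ([] if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower().rstrip(".")
    if subject in KNOWN_SUBJECTS:
        reasons.append("known worm subject line")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return reasons
    content = body.get_content()
    collector = _LinkCollector()
    collector.feed(content)
    # HTML anchors if present, otherwise any bare URLs (plain-text mail).
    links = collector.links or [(u, u) for u in URL_RE.findall(content)]
    for href, text in links:
        ext = link_extension(href)
        if ext not in EXECUTABLE_EXTS:
            continue
        if DOCUMENT_HINT.search(text) or DOCUMENT_HINT.search(href):
            reasons.append(f"link shown as a PDF but fetches {ext}: {href}")
        else:
            reasons.append(f"link to executable {ext}: {href}")
    return reasons


# Constructed sample of the lure: PDF-looking link text, .scr behind it.
LURE = """\
Subject: Here you have
Content-Type: text/html; charset="utf-8"

<html><body>Hi, the document I mentioned is here:<br>
<a href="http://members.example.co.uk/library/PDF_Document.scr">
http://www.shareddocuments.example.com/library/PDF_Document.pdf</a></body></html>
"""
```

Run against a mail stream, a non-empty result from `classify_message` is a quarantine signal; the subject match alone is weak, while a .pdf-looking link resolving to an executable extension is the strong indicator.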
Which may be the real story
>antispam was more useful than the antivirus
Given how much we spend on AV, how come such a well-known technique has been so successful?
What do all these heuristic modes do? sound posh?
and why does the bl**dy OS still allow stuff like this in the first place? over a decade later?
The vital detail
Thanks for this. Your email includes one vital detail that is totally missing from the Reg article and the Symantec & McAfee articles it references. viz. **Outlook**.
Talk of "the recipient's address book" is totally uninformative. What needs to be said is "their Outlook address book on their Windows computer". If the recipient has neither then nothing will happen to their email.
I'm not Microsoft bashing. My point is that the assumption there is such a thing as "the" address book is the kind of thing you'd get from mainstream press, not an IT website. Kind of like when they say "the internet", when what they mean is Internet Explorer.
Never have and never will use Outlook. Not professionally nor personally.
Would you join a vigilante army against spammers?
This is actually the kind of thing that should have been handled easily by SpamCop, depending on how quickly the webhosts responded to the notification. Also depends on whether or not SpamCop managed to properly parse the spammer's website, which is where SpamCop fails a lot.
Actually, I wish there was something stronger than SpamCop. Besides the source of the spam email and the most obvious website, I want something that would go after ALL of the spammer's accomplices. Something with more iterations that would ask me such questions as the kinds of email addresses and how they were being used. A human metric of the plausibility and apparent threat of phishing or 419 scams. A Joe job detector so I could tell reputable companies that the spammers were damaging their reputations. (Any of you able to think of Pfizer apart from spam?)
I still like SpamCop, but it seems clear to me that they've lost most of their fire. I really want to burn the spammers.
Outlook is the problem
Outlook, and the lack of security within, is the major problem here.
This thing simply won't work in other environments - for example, those using Lotus Notes have proper Execution Controls and will be completely unaffected.
I hope plenty of people who migrated to Outlook from more secure systems are affected - you made your bed...
Notes would protect you by crashing or refusing to run at all.
Glad to see you have no idea what you're talking about
Runs pretty well for our Windows, Linux and Mac users. Haven't seen a virus that can propagate through Notes since v4.6 (8.5 is current) which was released in 98 maybe. With ECLs starting in R5 (1999) - they're those things that Microsoft keeps saying they're going to have but never have - it would be interesting to see someone bypass the security with an exploit like yesterday's. This hole in Outlook has been there forever.
This is the part where you say "but nobody uses Notes so nobody writes viruses for it", to which I'll retort "who cares, it does the job and doesn't get hit by viruses - does it matter why?" Been through this conversation more times than I care to recall. I'm not sure what purpose it serves to be a fanboy of anything, especially Microsoft.
I run Notes 8.5.1, and it's a pile of poo. I don't care if it doesn't get hit by viruses, it doesn't do the job. Your immediate accusation of "fanboy" is way off the mark. I do like Outlook, FWIW, but I despise Notes for reasons that have nothing to do with a particular penchant for Microsoft software, rather to do with a craptacular UI, unreliability, slowness, and numerous "WTF?" moments in a given day. I have never used a piece of software that caused me such pure rage, and it's exacerbated by the fact that Notes fanboys such as yourself cannot fathom that anyone might not love their precious pile of flaming feces. In point of fact, I know that I cannot possibly reason with you or convince you that my perspective has any merit, because I have tried and tried to do so with Notes aficionados in the past, and two things are always clear: they are absolutely convinced their chosen product is the best in the world, and they have never really used any competing product, so they're not aware that the rest of the world has moved on in terms of usability, functionality, and aesthetics.
In short, there's one area where Outlook could use a minor improvement, which is security, and there are numerous areas where Notes could use major improvement. But go ahead and flame away . . . fanboy.
Pot meet kettle?
All I can say is that your experience is inconsistent with my users. The only time I've heard complaints like yours was from users who had machines that didn't meet the minimum requirements (which, to be honest, are pretty high for the new Eclipse-based platform) or had misconfigured/misbehaving local anti-virus. Your servers might be running like crap too, which will manifest on the desktop in many circumstances.
Most of the hostility to Notes in my experience is from people who haven't seen it since R4.x or haven't seen it all. One guy I know from Microsoft that I was sitting in a meeting with, who I know for a fact has never seen or used it, declared it "a Dinosaur". The "if it's not Microsoft it's shite" mindset is very pervasive in the corporate world so uninformed knee jerk reactions that look and sound just like yours are par for the course. If you speak from first hand experience you're entitled to your view on things - fine with me.
Just know as well that I've had the same type of complaints with my company's Outlook and OCS implementations (I work for an IT Service shop and my group manages both Lotus and Microsoft stacks). Poor architecture, management, and infrastructure can screw up Microsoft just the same that it can screw up Lotus. I've seen very good/responsive/stable and bad/flaky/unstable examples of both.
Got called out of bed at 5 AM to get this sorted out for a few of my customers. Wasn't really a big deal, closed the door for those messages coming in and killed the ones that already arrived.
Anything that got me out of bed at 5am
Would be an "If you have to ask the price, then you probably can't afford it" deal
"executable screensaver disguised as a PDF"
Oh dear, and to think loads of people will still open these unsolicited files....
People keep missing the part where
it mentions that the "executable screensaver disguised as a PDF" is actually part of a URL inside the message body that the idiots need to click
not an attachment
not a failure of Outlook to stop someone running something
not a failure of Windows to stop Outlook from running something
it's a failure of the web browser to stop the user from downloading a file
I've clicked links from inside Thunderbird on an Ubuntu box and fuck me, the OS let me! It even opened up directly in Firefox without prompting me that it was going to do so! So unless I was also running Firefox plugins like NoScript and AdBlock, my Ubuntu box is just as vulnerable to this kind of attack as all those Windows Lusers(TM). Not to this particular payload, granted, but a payload designed to rape Firefox is gonna get me good unless I've gone out and installed 3rd party software (plugins) to protect me from internets harm.
Of course, don't let that stop you from immediately making assumptions about this obviously being only applicable to Windows, so you can tout your obvious Linux superiority... :P
"I've clicked links from inside Thunderbird..."
It's not set up correctly then!
Firefox on Linux will NOT run binary executables and even scripting languages should be set-up to ask.
Back in the heyday of AnnaK, I Love You, etc - we used to jokingly refer to Outlook as the Microsoft Virus Propagation Utility. I don't write viruses, but from the sidelines it looks REALLY easy to write code to go underneath Outlook and start spamming the crap out of everyone.
Maybe it's unrealistic for me to expect that there would be some security at the application layer to prevent this from occurring.
Am I the only one that disables that as pretty much the first thing on a new Windows install? Mount the device, sure; but don't do anything else. Don't even bring up an irritating dialog asking me what I want to launch it with, or a file browser or anything. Just mount the sucker and be done with it.
Not everyone is "geeky" like you...
> Am I the only one that disables that as pretty much the first thing on a new Windows install?
Probably. At least on this side of the pond there's a well established cult of elevating ignorance and a tendency to treat computing as something that you need to be extra smart in order to understand in the least tiny way.
So most people are probably not "fixing" their systems.
They really shouldn't come pre-broken to begin with.
Defaults should be sensible and sane.
Seems they've still not fixed the problem that was about with the "I love you" worm. Autorun ought to be knocked out of the kernel, but no, seems to be still there. Oh well, it'll no doubt keep my Windows skills alive, and a fair bit of the IT industry going.
I, for one
Have turned off autorun on all my windoze machines, often by installing Suse on top of them.
But my $MEGACORP flaptop has some sort of "fixed image" corporate tool. You turn off autorun, or change the default printer away from 'Microsoft XPS Document Writer' and within a few minutes it has changed back the way they like it. At which point I go 'ho hum' and let them get on with it.
Does anyone know what 'm2nl.bat' (which is not a bat file) does? $MEGACORP seems to not mind it infecting my memory sticks.