This one may be a variant of the recent worms. It's spreading by way of zipfile attachments. I don't have more info yet, but my $orkplace has just been hit by it and it's unknown to McAfee and Symantec at this time.

It's not W32.Netsky, as best I can tell, because of the attachment filename: this one uses things like accabaacc.zip that are new to me. I don't have more info on it at this time, but will try to snare a sample in transit if it hits my home system.

Just a heads-up,

--
Todd Vierling <tv@duh.org> <tv@pobox.com>
Yes, I got that one too. To my peering alias by coincidence. ClamAV identifies it as "Worm.Bagle.A2". ClamAV added it to the database today, and mentioned that it was not in most signature databases yet.

On Fri, Feb 27, 2004 at 07:12:42PM -0500, Todd Vierling wrote:

--
Stephen Milton - Founder/VP Internet        (425) 881-8769 x102
ISOMEDIA.COM - Premium Internet Services    (425) 869-9437 Fax
milton@isomedia.com                          http://www.isomedia.com
On Fri, 27 Feb 2004, Stephen Milton wrote:

: Yes, I got that one too. To my peering alias by coincidence. ClamAV
: identifies it as "Worm.Bagle.A2". ClamAV added it to the database today,
: and mentioned that it was not in most signature databases yet.

Yah, "Bagle.C" is the notation used by F-Secure. This is indeed what it was.

It's annoying how easily these things spread even though they don't rely on a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so it requires opening the zipfile and then running the program inside it. Of course everyone will run it, even though it's named dygfwefuih.exe (random characters before .exe). <grumble>

--
Todd Vierling <tv@duh.org> <tv@pobox.com>
> It's annoying how easily these things spread even though they don't rely on a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so it requires opening the zipfile and then running the program inside it. Of course everyone will run it, even though it's named dygfwefuih.exe (random characters before .exe). <grumble>

Being in a zipfile is exactly why these things work: most mail systems nowadays drop executable attachments without mercy, but a zipfile may be a compressed document. Not every mail system screens incoming messages with anti-virus.

People writing these worms don't just know a bit about human behaviour; they seem to keep up with trends in mail systems administration as well.

Rubens
I believe the point is, your mail scanner should be able to scan something as simple as zip compressed attachments. If it can't, you may want to rethink which program you use. Most open source and commercial scanners can scan inside zip files.

mike

On Sat, 28 Feb 2004, Rubens Kuhl Jr. wrote:

> Being in a zipfile is exactly why these things work: most mail systems nowadays drop executable attachments without mercy, but a zipfile may be a compressed document. Not every mail system screens incoming messages with anti-virus.
>
> People writing these worms don't just know a bit about human behaviour; they seem to keep up with trends in mail systems administration as well.
>
> Rubens
I'm not aware of any mail scanner that does this without running an external anti-virus or something like it, although it is not that intensive to follow the zip headers (as they already do with the MIME headers in order to drop external attachments). Most scanners can accept an anti-virus plugin and then scan inside zip files, but that requires more processing power, more queue disk space, more RAM, more administration to update virus patterns, and so on. The cost/benefit usually pays off, but more complexity means fewer people will adopt the solution, thus making worm spreading easier.

Rubens

----- Original Message -----
From: "Michael Wiacek" <lists@iroot.net>
To: "Rubens Kuhl Jr." <rubens@email.com>
Cc: "Todd Vierling" <tv@duh.org>; <nanog@merit.edu>
Sent: Sunday, February 29, 2004 11:16 PM
Subject: Re: Possibly yet another MS mail worm

> I believe the point is, your mail scanner should be able to scan something as simple as zip compressed attachments. If it can't, you may want to rethink which program you use. Most open source and commercial scanners can scan inside zip files.
>
> mike
>
> On Sat, 28 Feb 2004, Rubens Kuhl Jr. wrote:
On Sat, 28 Feb 2004, Todd Vierling wrote:

> On Fri, 27 Feb 2004, Stephen Milton wrote:
>
> Yah, "Bagle.C" is the notation used by F-Secure. This is indeed what it was.
>
> It's annoying how easily these things spread even though they don't rely on a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so it requires opening the zipfile and then running the program inside it. Of course everyone will run it, even though it's named dygfwefuih.exe (random characters before .exe). <grumble>

Sure they do.... It's called COM/DCOM/OLE/ActiveX or whatever they want to call it this week. It's on every Windows system.

--
Curtis Maurand
mailto:curtis@maurand.com
http://www.maurand.com
On Mon, 1 Mar 2004, Curtis Maurand wrote:

: > It's annoying how easily these things spread even though they don't rely on
: > a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so
: > it requires opening the zipfile and then running the program inside it. Of
: > course everyone will run it, even though it's named dygfwefuih.exe (random
: > characters before .exe). <grumble>
:
: Sure they do.... It's called COM/DCOM/OLE/ActiveX or whatever they
: want to call it this week. It's on every Windows system.

No, my point was that the majority of newer trojan mail viruses don't depend on ActiveX exploits -- they simply wait, dormant, for a n00b to click on this mysterious-looking Zip Folder, and the mysterious-looking EXE inside.

It's as if the modern e-mail viruses are closer to human infections. Only the clueful are immune. 8-)

--
Todd Vierling <tv@duh.org> <tv@pobox.com>
On Mon, 1 Mar 2004, Todd Vierling wrote:

> On Mon, 1 Mar 2004, Curtis Maurand wrote:
>
> : Sure they do.... It's called COM/DCOM/OLE/ActiveX or whatever they
> : want to call it this week. It's on every Windows system.
>
> No, my point was that the majority of newer trojan mail viruses don't depend on ActiveX exploits -- they simply wait, dormant, for a n00b to click on this mysterious-looking Zip Folder, and the mysterious-looking EXE inside.
>
> It's as if the modern e-mail viruses are closer to human infections. Only the clueful are immune. 8-)

The latter is very true.

My point is that the COM/DCOM/OLE/ActiveX is what allows for a script in an email message that gets executed to have access to the rest of the system, rather than executing within a protected sandbox. Of course scripts within email messages shouldn't execute at all. Once they do execute, they have access to the OLE objects on the machine. It's a security hole big enough to drive a tank through.

--
Curtis Maurand
mailto:curtis@maurand.com
http://www.maurand.com
Curtis Maurand wrote:

> My point is that the COM/DCOM/OLE/ActiveX is what allows for a script in an email message that gets executed to have access to the rest of the system, rather than executing within a protected sandbox. Of course scripts within email messages shouldn't execute at all. Once they do execute, they have access to the OLE objects on the machine. It's a security hole big enough to drive a tank through.

I don't think that defines the problem very well. The current Bagle.C virus does the following:

"W32/Bagle-C opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file. W32/Bagle-C also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.

Adds the value:

gouday.exe = <SYSTEM>\readme.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-C runs every time you logon to your computer"

It also uses its own SMTP engine to replicate itself. So effectively it's opening a connection to port 80 (from an unprivileged port), listening on port 2745 (an unprivileged port), and opening connections to port 25 (from an unprivileged port).

Maybe I'm missing something here, but where does access to OLE objects come into play? Also this virus would appear to function just as well even if a non-administrator user opened it.

Sam
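Sam's summary gives a network operator two things to look for without touching the infected host: a listener on tcp/2745 and an SMTP engine that opens port-25 connections to many unrelated hosts. The following is an added example, not code from this thread or from any vendor, that runs that heuristic over constructed flow-log lines in an assumed exporter format ("<time> <proto> <src>:<sport> -> <dst>:<dport>"). It flags hosts that are not on an assumed mail-relay allow-list yet talk SMTP to at least an assumed number of distinct peers, and hosts that receive inbound connections on tcp/2745. Addresses, thresholds and the log format are all assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed flow-log lines (not real traffic). 198.51.100.7 behaves like the
# Bagle.C description: SMTP to many unrelated hosts, one HTTP "report home"
# connection, and inbound connections on tcp/2745. 192.0.2.25 is the site's
# legitimate mail relay; 198.51.100.8 is an ordinary workstation.
SAMPLE_FLOWS = """\
2004-03-01T10:06:01 tcp 198.51.100.7:1041 -> 203.0.113.10:25
2004-03-01T10:06:02 tcp 198.51.100.7:1042 -> 203.0.113.11:25
2004-03-01T10:06:02 tcp 198.51.100.7:1043 -> 203.0.113.12:25
2004-03-01T10:06:03 tcp 198.51.100.7:1044 -> 203.0.113.13:25
2004-03-01T10:06:03 tcp 198.51.100.7:1045 -> 203.0.113.14:25
2004-03-01T10:06:04 tcp 198.51.100.7:1046 -> 203.0.113.15:25
2004-03-01T10:06:05 tcp 198.51.100.7:1047 -> 203.0.113.80:80
2004-03-01T10:07:10 tcp 203.0.113.99:3344 -> 198.51.100.7:2745
2004-03-01T10:07:11 tcp 203.0.113.98:3345 -> 198.51.100.7:2745
2004-03-01T10:08:00 tcp 192.0.2.25:40001 -> 203.0.113.20:25
2004-03-01T10:08:00 tcp 192.0.2.25:40002 -> 203.0.113.21:25
2004-03-01T10:08:01 tcp 192.0.2.25:40003 -> 203.0.113.22:25
2004-03-01T10:08:01 tcp 192.0.2.25:40004 -> 203.0.113.23:25
2004-03-01T10:08:02 tcp 192.0.2.25:40005 -> 203.0.113.24:25
2004-03-01T10:08:02 tcp 192.0.2.25:40006 -> 203.0.113.26:25
2004-03-01T10:09:00 tcp 198.51.100.8:2001 -> 192.0.2.25:25
2004-03-01T10:09:01 tcp 198.51.100.8:2002 -> 203.0.113.80:80
2004-03-01T10:09:02 udp 198.51.100.8:2003 -> 192.0.2.53:53
"""

# Assumed exporter line format; adapt the regex to whatever your collector emits.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

BACKDOOR_PORT = 2745          # listener port from the Bagle.C description in the thread
SMTP_FANOUT_THRESHOLD = 5     # distinct SMTP peers before a host is flagged (assumed policy knob)
MAIL_RELAYS = {"192.0.2.25"}  # hosts allowed to send SMTP directly (assumed allow-list)


def parse_flows(text):
    """Parse exporter lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        flows.append(rec)
    return flows


def find_suspects(flows, mail_relays=MAIL_RELAYS, fanout=SMTP_FANOUT_THRESHOLD):
    """Return {host: [(indicator, count), ...]} for hosts showing mass-mailer or backdoor traffic."""
    smtp_peers = defaultdict(set)        # src -> distinct SMTP destinations
    backdoor_clients = defaultdict(set)  # dst -> distinct sources hitting the backdoor port
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["dport"] == 25 and f["src"] not in mail_relays:
            smtp_peers[f["src"]].add(f["dst"])
        if f["dport"] == BACKDOOR_PORT:
            backdoor_clients[f["dst"]].add(f["src"])
    findings = defaultdict(list)
    for host, peers in smtp_peers.items():
        if len(peers) >= fanout:
            findings[host].append(("smtp-fanout", len(peers)))
    for host, clients in backdoor_clients.items():
        findings[host].append(("backdoor-port", len(clients)))
    return dict(findings)


if __name__ == "__main__":
    for host, indicators in sorted(find_suspects(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, indicators)
```

The relay sends more SMTP than the infected workstation but is never flagged because it is on the allow-list; the workstation that only submits mail to the relay is not flagged either. The HTTP "report home" connection is left alone on purpose: one outbound port-80 flow is indistinguishable from ordinary browsing, so the backdoor port and the SMTP fan-out are the usable signals.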
In this case, it is the IDIOT users. You tell them time and time again DON'T CLICK ON ATTACHMENTS UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE SENDING IT.

The problem is dumb users who DON'T LISTEN. This is mostly the office crowd.

The real imbeciles are people operating a broadband connection without a license. Letting a computer illiterate, typical beer guzzling, porno hunting hick have a computer with a DSL/cable connection should be a capital offense.

Those are where most of the zombies are located. When you use words like "attachment" and '.exe' with them, their eyes just sort of glaze over. "Hey, all I do is point and click and it just works".

We need to cleanse the gene pool of these kinds, or at least take away their dsl connections.

----- Original Message -----
From: "Sam Stickland" <sam_ml@spacething.org>
To: "Curtis Maurand" <curtis@maurand.com>; "Todd Vierling" <tv@duh.org>
Cc: <nanog@merit.edu>
Sent: Monday, March 01, 2004 10:06
Subject: Re: Possibly yet another MS mail worm
John Palmer wrote:

> In this case, it is the IDIOT users. You tell them time and time again DON'T CLICK ON ATTACHMENTS UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE SENDING IT.

Just telling people "Don't do that, it's bad." is sure to fail for the same reason you can't tell people who wash their clothes in a disease filled river to just "not wash there."

> The problem is dumb users who DON'T LISTEN. This is mostly the office crowd.

What makes you think they didn't listen? Not doing what you say and not listening are not the same thing.

> The real imbeciles are people operating a broadband connection without a license. Letting a computer illiterate, typical beer guzzling, porno hunting hick have a computer with a DSL/cable connection should be a capital offense.

I'd hate to think about what you would do to network operators and companies who fail to filter their egress traffic. Surely they share no blame?

> Those are where most of the zombies are located. When you use words like "attachment" and '.exe' with them, their eyes just sort of glaze over. "Hey, all I do is point and click and it just works".

And it does "just work" -- do the "mom test" and see. Why have attachments if they shouldn't be opened? *That* would make no sense.

> We need to cleanse the gene pool of these kinds, or at least take away their dsl connections.

Some problems are social and some are technical. These are social problems that can be mitigated on a large scale by technical means. The users need to be educated at some level but the network and system operators and companies need to be responsible for what is coming and going from their network. Back to the mom test, if an email with an attached virus gets to my mom's Outlook Express client, I place the blame squarely on her mail administrator (me).

-davidu

----------------------------------------------------
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
On Mon, 01 Mar 2004 11:14:37 CST, John Palmer <nanog@adns.net> said:

> In this case, it is the IDIOT users. You tell them time and time again DON'T CLICK ON ATTACHMENTS UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE SENDING IT.

CM Kornbluth wrote "The Marching Morons" in 1951. Horrifyingly prophetic, even only 2 generations or so later....
You wrote:

> In this case, it is the IDIOT users. You tell them time and time again DON'T CLICK ON ATTACHMENTS UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE SENDING IT.

If you do something again and again and again and it fails again and again and again you need to ask whether you're doing the right thing.

Regards,

--
leo vegoda
RIPE NCC Registration Services Manager
> > In this case, it is the IDIOT users. You tell them time and time again DON'T CLICK ON ATTACHMENTS UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE SENDING IT.
>
> If you do something again and again and again and it fails again and again and again you need to ask whether you're doing the right thing.

insanity is doing the same thing over and over and expecting different results. in this case, folk are replying to john palmer, a long-renowned bit of net.idiocy. procmail is your friend.

randy
Every day there is a new news article on this, and every day everyone panics, and every day someone says to tell the government to make a law. It is time to realize that no law is going to do anything for anyone soon. In the past we just took care of the problem, and we can do the same now by sharing the solutions we shared then for FREE.

There are incredibly talented people in this group who lurk; I would like to see your thoughts on these issues in private if you do not feel comfortable talking publicly.

New Netsky-D Worm Spreading Through E-Mail
http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=4469850&section=news
On Mon, 01 Mar 2004 10:35:05 PST, Henry Linneweh <hrlinneweh@sbcglobal.net> said:

> Every day there is a new news article on this, and every day everyone panics, and every day someone says to tell the government to make a law. It is time to realize that no law is going to do anything for anyone soon. In the past we just took care of the problem, and we can do the same now by sharing the solutions we shared then for FREE.
The basic problem is that for the average ISP, requiring the users to have a clue and to use secure software is financial suicide. <insert obligatory Randy Bush reference here>. Until something happens to change the cost/benefit ratios, we're stuck with it. Remember that vendor lock-in is an issue - why should the user spend all the time/money of obtaining new software and learning how to use it if they're currently not experiencing high amounts of cost/pain? Many users will write off "I'm only losing 2 or 3 days of work a year due to virus/worms" and balance that against "Moving to <anything else> would screw things up for 2 weeks while I relearn and reconfigure", and decide it's not worth changing...
----- Original Message -----
From: <Valdis.Kletnieks@vt.edu>
To: "Henry Linneweh" <hrlinneweh@sbcglobal.net>
Cc: <nanog@merit.edu>
Sent: Monday, March 01, 2004 12:59
Subject: Re: Possibly yet another MS mail worm

> On Mon, 01 Mar 2004 10:35:05 PST, Henry Linneweh <hrlinneweh@sbcglobal.net> said:
>
> The basic problem is that for the average ISP, requiring the users to have a clue and to use secure software is financial suicide. <insert obligatory Randy Bush reference here>. Until something happens to change the cost/benefit ratios, we're stuck with it. Remember that vendor lock-in is an issue - why should the user spend all the time/money of obtaining new software and learning how to use it if they're currently not experiencing high amounts of cost/pain? Many users will write off "I'm only losing 2 or 3 days of work a year due to virus/worms" and balance that against "Moving to <anything else> would screw things up for 2 weeks while I relearn and reconfigure", and decide it's not worth changing...

I am kind of torn between new legislation to force users to clean up their machines when infected vs letting things go because I don't like government intervention, in general. I guess if society deems it a big enough problem, they'll push for legislation. Right now, folks don't seem to mind absorbing the cost of these worms. Till this changes, I don't think anything will get done, either on the technical or legal side.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Curtis Maurand
Sent: March 1, 2004 10:38 AM
To: Todd Vierling
Cc: nanog@merit.edu
Subject: Re: Possibly yet another MS mail worm

> My point is that the COM/DCOM/OLE/ActiveX is what allows for a script in an email message that gets executed to have access to the rest of the system, rather than executing within a protected sandbox. Of course scripts within email messages shouldn't execute at all. Once they do execute, they have access to the OLE objects on the machine. It's a security hole big enough to drive a tank through.

And I hate to point out the obvious, but that's not what we're discussing here. If you receive a .zip attachment, save it to disk, open it up in WinZip or the integrated ZIP utility (which I might add is a feature GUI OSes made outside Redmond also share), extract the .exe in it, and open it up, ActiveX/OLE/DCOM/etc. has NOTHING to do with the fact that the thing is destructive and that you were allowed to run it.

Sure, having an executable flag like on *NIX would make it a little harder, but you know what? If I send you a shell script on *NIX called run-me.sh in a tarball that does a rm -rf / if you're root, and tells you to be root if you're not, then your session will look like this:

1. Save blah.tar.gz to disk.
2. tar zxf blah.tar.gz
3. chmod 755 run-me.sh
4. ./run-me.sh
5. "Error. This script must be run as root."
6. su -
7. ./run-me.sh
8. Wave byebye to your filesystems.

The problem then isn't technological: an alternative OS, with an equally-determined (and idiotic) user as the Windows user, provides ZERO protection against this type of attack. And if you think that step 3 or 5 provided any protection against a determined user, you're wrong.

Vivien

--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/
Moreover, they can encrypt the zip with a password and write the password inside the message. As a result, no virus scanner can detect this virus. And they will find enough idiots who open the zip, enter the password and run the virus.

----- Original Message -----
From: "Todd Vierling" <tv@duh.org>
To: "Curtis Maurand" <curtis@maurand.com>
Cc: <nanog@merit.edu>
Sent: Monday, March 01, 2004 6:32 AM
Subject: Re: Possibly yet another MS mail worm

> On Mon, 1 Mar 2004, Curtis Maurand wrote:
>
> No, my point was that the majority of newer trojan mail viruses don't depend on ActiveX exploits -- they simply wait, dormant, for a n00b to click on this mysterious-looking Zip Folder, and the mysterious-looking EXE inside.
>
> It's as if the modern e-mail viruses are closer to human infections. Only the clueful are immune. 8-)
>
> --
> Todd Vierling <tv@duh.org> <tv@pobox.com>
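Two points from the thread fit one piece of gateway code: Mike's and Rubens' observation that a mail scanner can walk the zip headers of an attachment much as it already walks the MIME headers, and Alexei's point just above that a password-protected zip defeats content inspection, so the gateway can only judge the entry names. The example below is added here and is not code from the thread or from any product. Using only Python's standard email and zipfile modules it parses a message, finds each zip attachment (by the PK magic rather than the declared Content-Type), descends into zips nested in zips up to an assumed depth, flags entries that begin with the PE "MZ" magic or carry an extension from an assumed executable list, and reports encrypted entries as uninspectable so policy can quarantine them. Sample messages, archive contents and filenames (the accabaacc.zip / dygfwefuih.exe naming from Todd's reports) are constructed; the encrypted sample is simulated by setting the zip "encrypted" flag bit, because the standard library cannot write password-protected archives.

```python
import io
import os
import struct
import zipfile
import email
import email.policy
from email.message import EmailMessage

# Entry names the policy treats as executable (assumed list; the thread only mentions .exe).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MAX_NESTING = 2  # zips-inside-zips to descend before reporting instead of recursing (assumed)


def inspect_zip(data, depth=0):
    """Return [(entry_name, tag)] for one archive; tags are short policy findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("(archive)", "bad-zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & 0x01:
                # General-purpose flag bit 0 marks a password-protected entry: the content
                # cannot be read without the password, so only the name can be judged.
                findings.append((info.filename, "encrypted"))
                if ext in EXEC_EXTENSIONS:
                    findings.append((info.filename, "executable-extension"))
                continue
            content = zf.read(info)
            if content.startswith(b"MZ"):
                # Judge by bytes, not by name: a renamed .exe still starts with "MZ".
                findings.append((info.filename, "pe-executable"))
            elif content.startswith(b"PK\x03\x04"):
                if depth < MAX_NESTING:
                    findings.extend((f"{info.filename}/{n}", tag)
                                    for n, tag in inspect_zip(content, depth + 1))
                else:
                    findings.append((info.filename, "nesting-too-deep"))
            elif ext in EXEC_EXTENSIONS:
                findings.append((info.filename, "executable-extension"))
    return findings


def scan_message(raw):
    """Map each zip attachment of a raw RFC 2822 message to its findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared type: a zip starts with the PK local header magic.
        if payload.startswith(b"PK\x03\x04") or name.lower().endswith(".zip"):
            report[name] = inspect_zip(payload)
    return report


def make_zip(entries, mark_encrypted=False):
    """Build an in-memory zip from (name, bytes) pairs. With mark_encrypted the
    'encrypted' flag bit is set in every header to mimic a password-protected
    archive (constructed for the demo; the data is not actually encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        with zipfile.ZipFile(io.BytesIO(bytes(raw))) as zf:
            local_offsets = [zi.header_offset for zi in zf.infolist()]
            pos = zf.start_dir
        for off in local_offsets:
            raw[off + 6] |= 0x01          # local file header: general-purpose flags at +6
        while raw[pos:pos + 4] == b"PK\x01\x02":
            raw[pos + 8] |= 0x01          # central directory entry: flags at +8
            n, m, k = struct.unpack_from("<HHH", raw, pos + 28)  # name/extra/comment lengths
            pos += 46 + n + m + k
    return bytes(raw)


def build_message(attachment_name, attachment_bytes):
    """Constructed sample mail carrying one zip attachment, as the worm's mails do."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: document"
    msg.set_content("see attached")
    msg.add_attachment(attachment_bytes, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


PE_STUB = b"MZ\x90\x00" + b"\x00" * 60         # constructed: only the DOS header magic matters
DOC_STUB = b"\xd0\xcf\x11\xe0" + b"\x00" * 60  # constructed: OLE compound document magic

if __name__ == "__main__":
    samples = {
        "compressed document": build_message("report.zip", make_zip([("report.doc", DOC_STUB)])),
        "exe in zip": build_message("accabaacc.zip", make_zip([("dygfwefuih.exe", PE_STUB)])),
        "password-protected": build_message("accabaacc.zip",
                                            make_zip([("dygfwefuih.exe", PE_STUB)], True)),
    }
    for label, raw in samples.items():
        print(label, scan_message(raw))
```

The "compressed document" case comes back clean, which is the whole reason zip attachments are allowed through where bare executables are not; the "exe in zip" case is caught by the MZ magic even though the name is random; the password-protected case yields only "encrypted" plus the name-based finding, which is exactly the gap Alexei describes and why a gateway policy usually treats an encrypted archive as uninspectable rather than as clean.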
participants (15): Alexei Roudnev, Curtis Maurand, David A. Ulevitch, Henry Linneweh, John Palmer, Laurence F. Sheldon, Jr., Leo Vegoda, Michael Wiacek, Randy Bush, Rubens Kuhl Jr., Sam Stickland, Stephen Milton, Todd Vierling, Valdis.Kletnieks@vt.edu, Vivien M.