Maker Pro

Worm and Virus attack

Active8
Jim-T@golana- said:
On Fri, 19 Sep 2003 12:53:20 -0700, Jim Thompson
[snip]
Although I suppose I could get listed in someone's Outhouse address
book... it's not likely... I have no friends ;-)

...Jim Thompson

Got an addie? J/K :)
[snip]
- YD.

That's why I stopped using a valid E-mail address on the news groups,
plus my SIG refers you to the website... where the E-mail address is
an *image* thus not harvestable.

...Jim Thompson
another thing that works (as long as they don't build decoders into the
spam-bots) is to use ascii code in the web page. ascii code can be in
decimal or hex. for decimal you'd use &34; for 34. i think CR LF would
be &34;&35; can't remember syntax for hex. i have a little VB app that
you can type in the text and out comes the encoded string.

mike
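Mike's VB encoder is not on the page. As an added example (not the poster's code), the same idea in Python: every character of an address becomes an HTML numeric character reference, decimal (`&#NN;`) or hexadecimal (`&#xNN;`); in standard HTML the reference needs the `#`, so `"` (code 34) is written `&#34;`. The decoder is included because it is the caveat in the post: a browser unescapes these when rendering, and a harvester that builds in the same step recovers the address just as easily. The sample address is constructed.

```python
import html


def encode_entities(text: str, hex_form: bool = False) -> str:
    """Replace every character with an HTML numeric character reference.

    Decimal form is &#NN; and hexadecimal form is &#xNN;.  Both render as the
    original text in a browser but hide it from a harvester that only scans
    the raw page source for user@host patterns.
    """
    if hex_form:
        return "".join(f"&#x{ord(ch):x};" for ch in text)
    return "".join(f"&#{ord(ch)};" for ch in text)


def decode_entities(encoded: str) -> str:
    """Reverse the encoding.  This is exactly what a browser does on render,
    and what a harvester with a decoder built in does too."""
    return html.unescape(encoded)


def mailto_link(address: str, label: str) -> str:
    """Build a mailto: anchor with both the href and the visible label encoded.
    Hypothetical helper written for this example, not from the original post."""
    href = encode_entities(address)
    text = encode_entities(label, hex_form=True)
    return f'<a href="mailto:{href}">{text}</a>'


if __name__ == "__main__":
    addr = "someone@example.invalid"  # constructed sample address
    dec = encode_entities(addr)
    hx = encode_entities(addr, hex_form=True)
    print(dec)
    print(hx)
    print(mailto_link(addr, addr))
    # Both forms round-trip back to the plain address.
    assert decode_entities(dec) == addr == decode_entities(hx)
```

The round trip in `decode_entities` is the whole weakness of the scheme: it raises the bar only for harvesters that match the raw source with a regular expression, not for one that unescapes first.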
 
Guest
chatting with Colin Bloch said:
Sendmail is an MTA & whatever security issues its had in the past have had
nothing to do with the spread of worms.

I mentioned SENDMAIL more as an afterthought (regarding attempts
to warn and alert) rather than as being "exploitable" or connecting
it to this or any worm in particular.

No its not.

yes, it is. Not only -- it also targets IRC'ers and others -- but
if you get hit because you actively post to USEnet, you *KNOW* that
you have been targeted ("also" is irrelevant to you)


I probably should have said "few(er)"
No they shouldn't. It spreads through Kazaa, Email, mapped drives, IRC

you just like to say "no" more than "yes" and I don't care for those
kind of debates much. let's try to "add" to our mutual insights
rather than "subtract"...

and yes, will randomly post to newsgroups on your configured news server...

it posts to newsgroups? that's news to me... it emails itself to
addresses it finds in posted news-articles (is what I understood to
be the case)
However there is no "targeting" nor any group at risk more than any other.

*I* know that *I* am "targeted" (flooded is more like it) *because*
I post to USEnet... *You* can of course believe whatever you want...


indeed they claim that it posts itself to newsgroups... hmmm...
well, just more proof that USEnet users are being targeted (though not
exclusively) -- you are also free not to choose that word to describe
the situation, of course...


p.s.: I'm dropping out of this thread at this point. it's not germane to the
groups it is posted in, I'm afraid...
 
Guest
quoting Jim Thompson
On the face of it, Challenge/Response sounds marvelous. Then you realize
it will sink the Internet with the traffic density going up astronomically.

Can you point to a web-site where that argument is being made, in
some detail? As far as I know (and can see) various such handshake
protocols are the beginning and end in the design of all "loosely
connected computer networks"...

I think blacklisting ala SpamCop/SPEWS will ultimately settle the problem.

in combination with some kind of challenge-response and "signing"
system, yes... :)
 
Active8
[snip]
Windows defaults to least-secure settings when installed. Why?

Apple/UNIX/Linux/VMS/Solaris security lapses are measured in bugs per
year, and often clock in at zero. Windows bugs run several per week.

John
not to mention - at least as far as Linux is concerned - the kernel team
(or whatever the article in one of the Linux mags called it) responds
quickly to reported vulnerabilities. one guy reported that he sent
himself a malformed packet that screwed things up and they had the patch
ready within 24 hrs. it was an "In the Trenches" article.

MS, on the other hand, likes to deny vulnerabilities. it's pretty
negligent, AFAIC.

mike
 
Active8
Keith R. Williams said:
[...] as long as the world runs on M$
trash, we're going to have these problems.

We'll have these problems for longer than that. Indeed, we'll have these
problems for as long as email does more than convey plain text and the
Internet supports sending of nonsecure messages. May I remind folks that
MSFT didn't invent the bug, and that the first worms were not on Windows?
Virus writers target whatever platform is dominant and powerful enough to
propagate the virus. *All* nontrivial platforms have bugs that can be
exploited given enough interest.

Certainly worms have been around since the beginning of computers
(even before email). However OE makes the propagation totally
transparent. YOY does anyone make attachment auto-execute even a
possibility, much less the default?

the idea is that you can view an image or hear a sound file via
COM/OLE/ActiveX. the e-mail client is the container for say an image
viewer. the virus enters as a tweaked MIME type that makes it look like
a media file. but the freakin' client doesn't check the file extension
and runs it within the container. just like when IE asks if you want to
open or save that exe link you clicked. excel spreadsheets, images,
acrobat files... all can be run in the IE "container" thanks to COM/OLE.

i read somewhere that when the idiots at MS found out that OLE was
espanol for something good, they changed the name :)

mike
 
Rene Tschaggelar
Tony said:
Swen's size is within 147000 to 161000 bytes.
Are you able to reject on size range?

Not automatically.
Sort the mails by size and tick.
BTW, filtering for the subject should be sufficient.

Rene
 
Terry
Rene Tschaggelar threw some tea leaves on the floor
and said:
Not automatically.
Sort the mails by size and tick.
BTW, filtering for the subject should be sufficient.

Rene

I saw a list of the name variations the virus generates and it's
pretty big, I do not think that filtering on subject will do the job.

I've received only three so far:
SUBJECT: Last Network Critical Patch
SUBJECT: Newest Microsoft Security Update
SUBJECT: Latest Internet Security Pack

However all three contained "September 2003, Cumulative Patch" in the
body, so perhaps that's the key?
 
Paul Hovnanian P.E.
Terry said:
Rene Tschaggelar threw some tea leaves on the floor


I saw a list of the name variations the virus generates and it's
pretty big, I do not think that filtering on subject will do the job.

I've received only three so far:
SUBJECT: Last Network Critical Patch
SUBJECT: Newest Microsoft Security Update
SUBJECT: Latest Internet Security Pack

I've logged a few with:

SUBJECT: Undeliverable Message: Returned To Mailer
SUBJECT: Virus Alert
However all three contained "September 2003, Cumulative Patch" in the
body, so perhaps that's the key?

I don't know what's in the above messages. My procmail rules file them
all in /dev/null
 
Ben Bradley
In sci.electronics.design, [email protected] (Aubrey McIntosh)
wrote:
I have received almost 700 copies of worm or virus mail to this
account in the past 24 hours.

This has been the GIBE virus, the new "returned mail" item.

Anyone else?


People are talking about obscene volumes, thousands per day, but
I'm "only" getting a few dozen a day. I actually receive email (and
spam) at my posting address, but I'm getting these at the address with
'nospam' removed (yes, I have several such demunged aliases, they've
all received spam).
There may be several versions of this floating around, a "really
popular" one that just deletes/skips addresses with the string 'spam',
and a less-popular one that does demungings.
 
Ben Bradley
In sci.electronics.design, John Larkin
Keith R. Williams said:
[...] as long as the world runs on M$
trash, we're going to have these problems.

We'll have these problems for longer than that. Indeed, we'll have these
problems for as long as email does more than convey plain text and the
Internet supports sending of nonsecure messages. May I remind folks that
MSFT didn't invent the bug, and that the first worms were not on Windows?
Virus writers target whatever platform is dominant and powerful enough to
propagate the virus. *All* nontrivial platforms have bugs that can be
exploited given enough interest.


Except that Windows is crap through and through.

IMHO, you're underestimating the problem. :-(
Windows defaults to least-secure settings when installed. Why?

I was told it defaults to "most feature-laden" but then that was a
MS marketing person talking...:)
Apple/UNIX/Linux/VMS/Solaris security lapses are measured in bugs per
year, and often clock in at zero. Windows bugs run several per week.

That's not really a fair comparison. If all OSes had the same
market penetration, then it would be a fair comparison.
Of course, even in a fair comparison, Microsoft would STILL have
one or two orders of magnitude more bugs than the next most buggy OS.
 
Ben Bradley
In sci.electronics.design, Active8
too bad the free Eudora is spyware. not sure about the not free one, if
there is such a thing.

Which version? I still run Eudora Light 3.0 I got on my Mindspring
CD.
 
Ben Bradley
In said:
quoting Jim Thompson

Can you point to a web-site where that argument is being made, in
some detail? As far as I know (and can see) various such handshake

It's been discussed extensively on SPAM-L in recent months, I don't
know all the arguments as I didn't read that closely, but most people
(including sysadmins who have to deal with the problems) don't like
C/R. If you subscribe you can search the archives.
 
Ralph & Diane Barone
Rene Tschaggelar said:
Not automatically.
Sort the mails by size and tick.
BTW, filtering for the subject should be sufficient.

Rene

I managed to kill it with three filters.

1) Delete anything with "audio/x-wav" in the body

2) Delete anything with "Microsoft" in the From field

3) Delete anything with "September 2003, Cumulative Patch" in the body
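As an added example (not any poster's code or mail-client rules), the indicators Tony, Terry, Paul and Ralph & Diane give in this thread combined into one filter in Python: the 147000 to 161000 byte size window, the five subject lines, a sender containing "Microsoft", and the "audio/x-wav" and "September 2003, Cumulative Patch" strings. It runs over three constructed messages, not captured worm samples: one shaped like the worm as the thread describes it, a normal reply, and a legitimate bounce that shows the cost of Paul's approach of filing the "Undeliverable Message" subject straight to /dev/null. All addresses and message text are made up.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as posted in the thread.  This rule set is assembled here for
# illustration only and is not a vendor signature.
SUBJECT_MARKERS = (
    "Last Network Critical Patch",
    "Newest Microsoft Security Update",
    "Latest Internet Security Pack",
    "Undeliverable Message: Returned To Mailer",
    "Virus Alert",
)
FROM_MARKERS = ("Microsoft",)
BODY_MARKERS = ("September 2003, Cumulative Patch", "audio/x-wav")
SIZE_RANGE = (147000, 161000)  # bytes, per Tony's post


def classify(raw: bytes) -> list[str]:
    """Return the names of the rules a raw RFC 822 message trips.

    An empty list means the message is kept.  The marker search runs over the
    whole raw message, MIME part headers included, so that a
    'Content-Type: audio/x-wav' attachment header counts as "in the body",
    which is what the posters' mail-client filters actually match against.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).lower()
    text = raw.decode("latin-1")
    hits = []
    if any(m.lower() in from_hdr for m in FROM_MARKERS):
        hits.append("from")
    if any(m.lower() in subject for m in SUBJECT_MARKERS):
        hits.append("subject")
    if any(m in text for m in BODY_MARKERS):
        hits.append("body")
    if SIZE_RANGE[0] <= len(raw) <= SIZE_RANGE[1]:
        hits.append("size")
    return hits


def build_sample(sender: str, subject: str, body: str,
                 wav_attachment: bool = False, pad_to: int = 0) -> bytes:
    """Construct a test message (not a real worm capture).

    wav_attachment adds a dummy audio/x-wav part; pad_to appends filler after
    the message so its size lands in a chosen window, standing in for the
    bulk of a real attachment.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if wav_attachment:
        msg.add_attachment(b"RIFF....WAVE", maintype="audio", subtype="x-wav",
                           filename="patch.wav")
    raw = msg.as_bytes()
    if pad_to > len(raw):
        raw += b"A" * (pad_to - len(raw))
    return raw


# Three constructed messages.
SAMPLES = {
    "worm-like": build_sample(
        "Microsoft Network Security Center <security@example.invalid>",
        "Newest Microsoft Security Update",
        "Install this September 2003, Cumulative Patch to protect your system.",
        wav_attachment=True, pad_to=150000),
    "normal reply": build_sample(
        "colleague@example.invalid", "Re: Worm and Virus attack",
        "Anyone else seeing hundreds of these a day?"),
    "real bounce": build_sample(
        "MAILER-DAEMON@example.invalid",
        "Undeliverable Message: Returned To Mailer",
        "The following address had permanent fatal errors."),
}


def decisions() -> dict[str, list[str]]:
    """Classify every sample; returned as a dict for inspection and testing."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in decisions().items():
        verdict = "drop" if hits else "keep"
        print(f"{name:13s} -> {verdict:4s} {hits}")
```

The worm-shaped message trips all four rules while the bounce trips only the subject rule, which is the argument for requiring two or more hits (or at least the body marker) before discarding rather than dropping on any single match: the "Undeliverable" and "Virus Alert" subjects are also what real mail servers and scanners send.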
 
Terry
Ben Bradley threw some tea leaves on the floor
and said:
In sci.electronics.design, John Larkin
[...] as long as the world runs on M$
trash, we're going to have these problems.

We'll have these problems for longer than that. Indeed, we'll have these
problems for as long as email does more than convey plain text and the
Internet supports sending of nonsecure messages. May I remind folks that
MSFT didn't invent the bug, and that the first worms were not on Windows?
Virus writers target whatever platform is dominant and powerful enough to
propagate the virus. *All* nontrivial platforms have bugs that can be
exploited given enough interest.


Except that Windows is crap through and through.

IMHO, you're underestimating the problem. :-(
Hahahah!
Windows defaults to least-secure settings when installed. Why?

I was told it defaults to "most feature-laden" but then that was a
MS marketing person talking...:)
Interesting.
Apple/UNIX/Linux/VMS/Solaris security lapses are measured in bugs per
year, and often clock in at zero. Windows bugs run several per week.

That's not really a fair comparison. If all OSes had the same
market penetration, then it would be a fair comparison.

How can they, MICROS~1 uses its monopoly power to ensure that they
can't?

<deletia>
 
Dusty Rhodes
Ben said:
In sci.electronics.design, [email protected] (Aubrey McIntosh)
wrote:



People are talking about obscene volumes, thousands per day, but
I'm "only" getting a few dozen a day.

I haven't seen so much as a single one, at least not the MS scam version. Only
very rarely do I see others. I figured it was due to effective counter
measures at Texas.net, but I'm not seeing it on any of my other accounts,
either. Ah, the benefits of living right, I suppose.

Cheers,

Dusty
 
Mark Fergerson
Dusty said:
Ben Bradley wrote:



I haven't seen so much as a single one, at least not the MS scam version. Only
very rarely do I see others. I figured it was due to effective counter
measures at Texas.net, but I'm not seeing it on any of my other accounts,
either. Ah, the benefits of living right, I suppose.

It's likely because you munged your reply address
(included "THISPART") right off the bat. When the harvesters
go through the newsgroups and add yours to their list, it
doesn't work so you get no reflections.

I just wish I'd munged mine earlier. Sigh.

Mark L. Fergerson
 
Dusty Rhodes
Mark said:
It's likely because you munged your reply address
(included "THISPART") right off the bat. When the harvesters
go through the newsgroups and add yours to their list, it
doesn't work so you get no reflections.

I just wish I'd munged mine earlier. Sigh.

It does appear to be aimed at Usenet users. Not only are regular users
seeing higher volumes of the worm via e-mail than others, it's now being
posted to many groups, which strikes me as particularly stupid. If one knows
enough to mung one's return addy, it is very likely one also knows better
than to download and run some alleged MS patch posted to Usenet by random
idiots.

At least the worm authors/distributors were/are clueless, as are most script
kiddy wannabes. Imagine the potential damage had they bothered to
incorporate any of the mung removing systems in use by the spamwhore
harvesters.

Cheers,

Dusty
 
Dusty Rhodes
Not said:
I'm getting about 100 per day on my regular email address that has
never been used on usenet. They may be harvesting from other locations
as well, as I have used my regular email on bulletin boards. my usenet
address is getting hammered as well, but I expect that all the time in
any case.

I haven't looked at the worm, but I'd guess it also uses address books to
spread itself. You may have been in the address book of a clueless luser,
making you a target. Were targets selected mainly from online resources,
there are several accounts I'd expect to see HUGE volume on, as those
addresses have been widely disseminated all over the Net and especially the
Web.

Cheers,

Dusty
 
Not Me
It does appear to be aimed at Usenet users. Not only are regular users
seeing higher volumes of the worm via e-mail than others, it's now being
posted to many groups, which strikes me as particularly stupid. If one knows
enough to mung one's return addy, it is very likely one also knows better
than to download and run some alleged MS patch posted to Usenet by random
idiots.

I'm getting about 100 per day on my regular email address that has
never been used on usenet. They may be harvesting from other locations
as well, as I have used my regular email on bulletin boards. my usenet
address is getting hammered as well, but I expect that all the time in
any case.
 