Hey, that's my idea!

We also have Norton antivirus, and it's installed so that every time I open a Word document it scans for a virus even if it's a file I just opened 5 minutes ago.

This ranks right up there with seven levels of safety packaging on the bottle of vitamin C in terms of frustration.

Hey, that's my idea!

Who did I send my telepathic aliens on the internet stole my spacewrecked-Adam-and-Eve story idea to?

Won't get fooled again!

Stupid Outlook. You'd think the bad PR that comes from every single virus on the web exploiting the program would have made a dent in its ubiquity by now.

...still waiting for Plan 9 to succeed, here.

It is imaginatively named "Transit."

I no longer answer the phone, either, because even if it rings it is spam, and I have no adequate filters for spam on the phone (being unwilling to pay for caller ID).

The mail carrier keeps deciding I have moved out and for reasons unknown to me refuses to deliver mail addressed to me at my alleged home address.

As far as I can tell, technology and infrastructure improvements have made me as hard to get hold of as my 18th century ancestors who spent most of their time at sea.

(Except, of course, none of them had a cell phone and wireless internet everywhere they go. But still.)

A while ago, I was slightly troubled by a spate of virus-ridden mail from a handful of addresses. Five minutes digging showed a common source, and that together with some educated guessing on who else might be in someone's address-book led pretty quickly to the poor unfortunate with the festering computer.

(Ok, so I cheated a bit and posted to LJ along the lines of 'Is this your ISP? Are these people in your address-book? If so, your A-V is out of date')

This virus is *stupid*. It sent me not just one, but *twenty* messages from "tnh", all at the same time, with unlikely subjects; that ought to make anyone suspicious (not the tnh-ness of them, I mean, but the multipliciy and improbability).

By the way, I don't think I have the honour of being in the address book of any of tnh's correspondents (AFAIK). Therefore, the virus is probably using victim addresses culled from this blog.

Drat!

Thunderbird is fine for "just email", but for everything else it falls horribly short, even with several extensions (this sentence is strangely and accidentally appropriate on several levels). Lotus Notes is a slow elephant, best-suited for managing distributed databases. Evolution on linux is, well, don't let me start. Kontact (linux/KDE) is getting there but the developers work with very limited resources.

So at the office we are still stuck with Outlook, and every day a new crack comes around...

One more thing John Brunner came very close to describing.

And it would be worse, in many cases, if it actually published them.

From what I'm seeing, it'd be virtually impossible for a person running modern Microsoft software to be infected without really trying.

Hey, and indeed, ho.

Because somebody has to do it -

http://www.ctrlaltdel-online.com/comic.php?d=20060513

My e-mail client, Mozilla Thunderbird, automatically directs those to my junk folder, so when I actually send myself mail from my office to my home, I have to remember to look for it in "Junk".

TK

Feh. The solutions to these problems were all known at least 25 years ago. But MS sells the ability to remotely control their systems to developers, that's why the Office suite will automatically run scripts. MS also wants to be able to nose through systems for DRM purposes, and they sell that, too. Besides, securing Windows would cost, and cut into the revenue of the anti-virus software vendors. The back doors in Windows and the Office suite are there for reasons, and I don't see MS ever closing them entirely--they like them too much.

Because it's easy, fun, and stands a good chance of being the correct root cause of any problem.

Scott H, M.C.S.E.

Ever been to PublishAm3rica's website? Or read Atlanta Nights?

That may be true. This particular worm, however, is just one of the old-fashioned 'lets attach an executable program to an e-mail and rely on user stupidity to get it to run' ones.

AFAIK, there hasn't been an automatic execution of e-mail content bug found for a few years now. Almost everything recent requires user interaction in some form at least.

Normal users run as administrator (this may change in Vista), so any malware one accidentally runs has the full run of the machine.

Not true. When I set up users on my XP Pro machine, the setup program made the first one an administrator and the rest were not automatically admin users.

The MS Office suite will happily run scripts from any files they are given without a second thought or any sandboxing, meaning that opening any mail attachment makes you vulnerable--surely two clicks in error ought not be disaster?

When I've tried to do this in Office97, I always get a message that says something like "The document you are opening contains macros ... blah ... danger of nasty things happening if you say yes ... Do you want to run them?". And besides, if you can get enough people to open executable attachments to build your botnet, why would you bother with such elaborate techniques as using attacks hidden in documents? You want the idiots' machines more, because they're less likely to notice what you're doing.

Yes, MS software is buggy and insecure. But other people's software is also buggy and insecure. The biggest difference is that there are more idiots using MS software.

A default installation of Microsoft Office 2003 sets the Macro security level at "high" for all the applications, including MS Outlook. This blocks most malware targeted at Office applications from running. The Outlook default now prohibits users from opening executable attachments. (You can still open a bogus ZIPfile attachment or HTML script, if your AV software lets you get away with that.) According to the description that Teresa linked to, this particular worm gets activated by someone stupidly opening a strange attachment on a Windows PC that lacks appropriate up-to-date antivirus software. The description doesn't specify whether the activated worm harvests email addresses only from Outlook or by systematic searches of other files on the hard disk.

Randolph's criticism of the default administrator privilege level in Windows XP is valid. But the weakest link in the operating system is still Internet Explorer, which is the gateway of choice for most current Windows malware. My experience is that the built-in Windows firewall, a good free AV utility and use of a properly-configured alternate web browser will now eliminate most malware threats in Windows XP.

Spending an extra $30 for Webroot Spysweeper will even let you continue use of Internet Explorer in relative safety, despite its vulnerabilities. (If you are a Windows user, I can't recommend Spysweeper too highly. In addition to being a preventative agent, it has amazing rescue and cleanup abilities on machines that have already been infected. No reading logs or manual file deletions involved, it just scans and expunges malware, restoring system defaults.)

Teresa probably knows this and decided it would be an ineffective use of time. But you can sometimes reduce the flow of bogus email messages sent under your name by examining mail headers and alerting administrators of legitimate source domains for the mail servers. (Telephone calls work better than emails to abuse@xxx.net.) I've seen this work when the source is an accidentally-infected computer with an account on a small, responsible ISP. When the real mail server IPs belong to criminals, indifferent large ISPs, or sleazeballs, you can optionally publicize that fact.

I haven't installed it yet, but I know I will be forced to when terrorists try to steal my Spacewrecked Adam-and-Steve-Are-Happy-In-Eden-As-Immortals-Cause-There-Ain't-No-Chicks-Stealing-Apples story.

Ayse, if you don't pick up your mail daily, some postal delivery people decide that it is an abandoned address. Filing complaints at the local post office fixes this, though catching the mail deliverer is usually simpler. You could experiment with filing a permanent change of address form to your current address.

Giacomo wrote:
So at the office we are still stuck with Outlook, and every day a new crack comes around...
Literally true - there's a fellow releasing exploits at the rate of one a day this month. Hope he only has thirty.

Jules wrote'
AFAIK, there hasn't been an automatic execution of e-mail content bug found for a few years now. Almost everything recent requires user interaction in some form at least.
Not quite true. The WMF vulnerability doesn't necessarily require user intervention - just having a downloaded infected file on your hard disk AND have it be scanned by the indexing service or a vulnerable antivirus program is sufficent. That was new in January.(So if you reinstall a computer that was shipped with a windows install from before January '06, you need a copy of the patch for that.)

Christopher Davis wrote
Since I run my own server, I just set up the mail filters to discard any exe/com/bat/pif/scr files and save CPU by not needing to run a virus checker on the messages....
Unless you dump all attachments, this is likely a false savings. The WMF exploit's magic bits can be in any file - windows does not rely on extensions to determine if something is a WMF, it parses the headers, triggering the exploit. Compute cycles are cheap, lost data is expensive.

Lenny Bailes' advice is excellent, particularly the bit about using virtually any other browser than Internet Explorer.

Advice to switch to another operating system is being bandied about. There is no right choice, but Mac OS and Linux are less vulnerable to attacks than XP, and can be better secured without breaking important stuff. If you have a way out, take it.

I have become quite disheartened at the current increase in the number of patches XP requires - I am trapped behind a dialup connection.

-r.

*at least the Norton home version. I'm not as sure about the enterprise version.

YMMV, but I think it's great.

So we're ignoring the nagging. We'll deal with it later if they try to melt our computer or something.

The comparitive safety that Mac and Linux users enjoy, right now, may be due in significant portion to presenting a lower profile for malware designers. Any Mac geek can tell you that there's stuff out there aimed at OSX and Safari. But the distribution curve for that is orders of magnitude lower than for stuff aimed at Windows and Internet Explorer. (I know that's not the whole issue, statistically. There are default security precautions built into Linux and OSX that aren't defaults in Windows. This increases the attractiveness of Windows PCs to malware authors as targets.)

Windows PCs present a larger target and distribution vector for malware. But the probability of being attacked by *brand new* malware that defeats all the existing countermeasures is still low enough that most individual Windows users escape each time--assuming they have the existing, recommended countermeasures installed.

From a serious security standpoint, I think that news networks and initially low in-the-wild distribution for malware are the only things that really safeguard large Windows networks. Fortunately for Windows IT managers, so far, the news networks usually beat the distribution curve on the malware. That could change.

YMMV, but I think it's great.

It's helpful, but not perfect. I get any number of cold calls from charitable organizations, way too many political calls, and a lot of wrong-numbers for a security firm that's one digit off from our number. None of those can be prevented by the Do Not Call thing. It is, however, extremely satisfying to be able to say to the very occasional actual violator, "Now what was your exact business name again? And your address? Ah. And you *do* realize you are in complete violation of the Do Not Call rules, seeing as how I've registered with both the state and national databases?" and then hear the "Mrrfle."

I also use rotary dial phones. I don't acidentally dial people with my chin, and they last forever.

Everyone else,
What he said.
-r.

There's a reason such complaints are referred to as "GWF".

That's an excellent idea. I will set the trap tonight. I'm sure a simple drop-net will work well; she's kind of a slow mover.

...
GABYAW: I ended up filing a complaint with the postmaster a couple months ago, who gave me the inexplicable argument that the fact that I receive so little mail must mean I don't live there. "You don't get a utility bill, so of course we assumed you had moved out," he said, as if by getting bills online I have ceased to have an earthly presence.

We were "attacking" him from port 80 of our web server, to some ephemeral port on his box. Gene sequence files that contain nothing but strings like "GTTTTCATTCTAAATT" look like possible attacks to spp_fnord...who knew?

I'm reminded of the Bloom County where Oliver Wendel Jones makes his father disappear by deleting his records from the IRS database.

(http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html)

First two comments on /.:

"Darwinism works!" "Well, it surely wasn't Intelligent Design that did it."

(http://it.slashdot.org/article.pl?sid=06/07/20/042253)

Nyah!

My personal experience has been that the more free AV setups I tried out, the more viruses I found and also the more viruses I got. Some AV software is malware itself, and paying for it is no protection.

I eventually found a keylogger that everything had missed. I found it by monitoring my traffic.

I was reasonably sure there were other things I didn't find, that had replaced some essential Windows files. But I couldn't download and run the correct versions because they wouldn't let me. Or maybe I was being paranoid. But I had no good way to tell. Were the occasional inexplicable events because of somebody's backdoor, or were they just Windows?

It wasn't hard getting rid of the obvious stuff. But when the internet connection just slowed down, and the router indicated we were getting a whole lot of traffic that none of us noticed, and I couldn't reset the router's connections because it said I didn't have the password....

I switched to linux just out of FUD. My wife refuses to switch because it's too inconvenient. So OK, I run Firefox. Firefox exploits are potentially just as bad as linux exploits. Sometimes I turn the javascript plugin on. Javascript exploits are potentially as bad as linux exploits. Very occasionally I load the flash extension. Flash exploits are potentially as bad as linux exploits.

People send me Word documents and I try to look at them in my linux Word viewer. Sometimes they work and sometimes they don't. When they don't, is it that my Word viewer is flawed or is it that the document was infected in a way that messes up the viewer? Maybe if I had Word it would get infected but would display the document correctly anyway.

It's no problem to run a Windows machine and keep it going at 40% efficiency. Buy fast enough hardware and you won't notice the difference. The malware that causes you obvious problems is incompetent malware.

But if you want to get rid of the subtle things, the things that make some effort to hide themselves like that keylogger, you'll never know whether you got them all.

It's a little comfort that I can boot linux from a CD-ROM and get nothing from the hard disk until I want to. And I can re-install the OS to hard disk in 3 minutes, leaving all my data. So if I have something bad on that disk outside the OS it will only show up when I run an application from the hard disk, or when I let the OS read an updated file from the hard disk, or, well, most any time. It's a little comfort though.

Not like having system files that the system couldn't read the MS signature on, and download the files from MS and install them and somehow afterward the system still can't read the MS signature and the old files are back.

But the kids' DVDs don't work right with the current linux DVD-readers, and they complain. Some of their online games need shockwave and there isn't any. Every now and then I have a hard disk crash or something, and I have to play with the system to get it running again. (It hasn't happened since I stopped using the old hard disk, I hope it was hardware.) My wife carefully refrains from saying she told me so. Her machine with Windows has its performance degrade so gracefully that she doesn't notice. Just every now and then she notices the internet has slowed down.

And you'd be surprised just where the viruses are launched/ originate from. Over the recent months I've tracked down the origins of the type of virus that Theresa mentions from peers in the film industry and the advertising/PR industries. The IT departments of those responsible for spreadng it should be shot.

I've given enough warning to people in my charge about opening dodgy attachments from people they do not know. The worse culprits, however, are usually our own parents (or parents in-law) in which they buy a new computer, start using it, and then find that keep getting viruses and other malware and wonder why it's happening. You go over and spend the weekend fixing it - only for it to happen again.

Ironically, I've just been reading about MySpace.com with has unwittingly been responsible for dishing out malware via a SINGLE banner ad! See the Washington Post for more information.

I'm now running OS X both at work and at home and don't have any anti-virus software. At work we run Linux and OS X (we're a visual effects company - Linux/UNIX is King here) and those that usually have to run Windows (producers, important folk, etc.) are heavily fortified against virii and then there's the network anti-virus and firewalls on top of that. And we do educate our users.

Windows is the main culprit in all of this, and if what I'm reading about Vista is true, it's really not going to get that much better.

Technology (and the Internet) is wonderful, at the right hands ;)

I'm not trying to saying that Windows' susceptibility to vulnerabilities like this is trivial -- who knows what new flaws will be discovered, next week? I'm only saying that this particular one is known and was neutralized for "responsible" Windows users before it had a chance to inflict much damage. The fact that some widely-accessed websites are now infection vectors for unprepared Windows users is still a public nuisance. Again, the news networks may be ahead of the distribution curve, as far as the number of real infection incidents experienced by end users of MySpace. The Washington Post article doesn't have much information on that.

Link to Washington Post Windows WMF exploit article by Brian Krebs.

I wasn't (very) worried about the Windows WMF exploit; we have automated Windows patching running on our XP and Win2000 machines, and AVG too.

Don't know whether anti-virus would have helped in that instance, but it shouldn't hurt. J Thomas is right to warn that some anti-virus apps are malware in disguise, but AVG has a good rep, so I'm trusting it (so far). It also has a system of automatic updates.

But this article by Brian Krebs was the first I'd heard of a Flash exploit, and (as described in one of the articles) Flash does not have a system of automated patches. Apparently this security hole has already been used (also on MySpace sites) to spread a worm.

After reading that, I had to spend some time making sure that both Firefox and IE had this patch installed on all the machines used here (fortunately, a small lab).

AFAIK, Linux and Mac machines would also have been vulnerable to this Flash hack.

You can take that last statement with a grain of salt; I am not an expert in computer security, and don't aspire to become one.

Or just don't download the huge number of patches that MS puts out. Or use legitimate documents that happen to be infested.

The bridge fell down because you walked on it--it's your fault. Feh. I'm outta this one!

And Mike is wrong in one aspect about how this is almost certainly Outlook's fault: most viruses of the sort that harvest addresses for spoofing and destinations target the Outlook address book. Use of a non-Outlook address book would probably have prevented this.

Yup. Apple shipped an updated Flash player in Security Update 2006-003. Macs aren't magically immune by a long shot.

It wouldn't displease me, if someone succeeded in slapping Microsoft with a class action suit, indemnifying them for any and all documented claims by Windows or non-Windows users of financial damage traceable to the WMF flaw in unpatched user copies of Windows. (And while they're at it, compel Microsoft to pay for a mass mailing to all registered Windows users, informing them that *unpatched versions aren't safe.*)

This reminds me of a discussion I used to occasionally have with caving buddies, which went "There are 5000 known caves in georgia. how many unknown caves are there?"

There was a related question that actually had a statistical answer. There were a number of known caves with 6 entrances, and a number with 5, and 4, and 3, and so on, and that fit a poisson distribution so you could reasonably estimate the number of caves with zero entrances.

I'd figure that smart crackers would have learned by now. Make something that infects a computer and immediately starts making millions of calls to every computer it can find, and it will spread pretty fast for a little while and then it will stumble over somebody who's ready for it, it gets reported and a fix is put out, and very soon it turns into just an annoyance, a few copies will be making millions of calls that mostly don't get anywhere.

Far better to spread carefully. Infect one machine, have it call home. Upload a collection of tools that will call home occasionally, that are very hard to get rid of. Don't call attention to yourself. Check which AV software is present and don't upload anything that isn't resistant to that software. Why get a million computers to do something stupid for a few days when you can have ten thousand for as long as you want?

If you find out about an intrusive virus spreading, you might do what you can to protect your machines. Ideally you'd want the nominal owners to think they've never gotten a virus and they don't really need protection. But their machines are 100% working for you while their users aren't using them, and 10% working for you when they are.

If a virus preferentially spreads to people who don't have sophisticated defenses, why would it be discovered at all?

Oh well. I downloaded Antivir for linux today after Lenny recommended it. I'd used Antivir for Windows and liked it, although some experts complained about it calling home too much etc. But it insists on installing in /usr/lib and that's read-only on my system, even for root. I'll have to burn a new CD. before I can try it.