
Journal of nicholas (3034)

Thursday June 26, 2003
03:34 AM

Then t' worms 'll come an' ate thee up

[ #13075 ]

Windows worms annoy me. As I read mail using mutt on a FreeBSD system, I ought to have no contact with them. However my e-mail address appears in perl documentation and perl mailing list archives, and it looks like people on Windows actually read these files. Or at least, they download them or cache them locally, which is enough for the scanning worms to find my address.

Most of the recent worms seem to work by social engineering, rather than exploiting any software bug, trying to tempt the user to run untrusted code.

But why does all this crap only ever originate from Windows systems? I'd contend that there is a bug - a design bug in the philosophy of Windows. You don't see people mailing each other Java bytecode and then running that outside a sandbox - so why in recent years did people happily expect to mail each other joke x86 executables? Windows is buggy to provide a user interface that makes no distinction between opening an attached data file, and running untrusted attached executable code. Even if I never use it, and never mailed anyone using it, I'd be suffering because of Windows. Someone must be to blame - I demand compensation! I'd like $1 from Bill Gates for every K of crap sent to me by Windows malware.

Last night's worm's trick seems to be to put the executable inside a zip file, in an attempt to defeat most scanners and mail filters. Judging by its success it was quite effective - I've just deleted over 100 of them (or their bounce reports), which was 14 meg. On my suggested compensation scale, I'd be $14,000 richer. If only.

  • by ajt (2546) on 2003.06.26 5:31 (#21438)

    I think it's fair to say that Windows is very broken, and Microsoft made a number of very poor design decisions along the way. In hindsight I think even they wish they had done some things differently now.

    The ORA book Malicious Mobile Code [oreilly.com], though somewhat overtaken by events, is a very good and frightening read. Not that I used IE or Outlook before, but I'm now very anti these products.

    However, engineering aside, Microsoft and others encourage a culture of trust, ease of use, and poor security practice, that is far more damaging. It's more important to them that something is easy and automatic than it is that it's safe, and the result is what we see: lots of business for anti-virus vendors.

    If there were the same number of ill-educated BSD/Linux users as there are Windows users, then there would be lots of problems with these systems too. Though I will grant that the problems would be different, as *nix systems are different at the core to Windows, it's always easy to do stupid things....

    --
    -- "It's not magic, it's work..."
    • Funny, that was the same culture that brought us rsh et al. on early BSD and Unix workstations. It took years to convince vendors not to ship with that stuff turned on by default and to provide secure alternatives. I don't see Microsoft being any slower or quicker.

      -Dom

  • Interesting, so that'll be why I received this message this morning from a client:
    Please note that due to action taken by our IT colleagues, we will be unable to receive .zip attachments today (26/06/03). I apologise for any inconvenience.

    What kind of crappy software doesn't look inside container files for viruses? Even the abominable mailsweeper, which I thoroughly despise, handles this.

    -Dom

    • One of my clients is a big company. They have an even crappier mailscanner which silently deletes attachments it doesn't like. On the other hand it's perfectly fine with exe files inside zip files, or exe files renamed to zip files!

      Somebody needs to invent some way of sending files to people without having to resort to email. It is way too low-tech and inefficient.
      • I kind of know why they might wish to do this actually. There was a zip file floating around somewhere which expanded vastly in size, and contained more copies of itself. It was only about a hundred Kb. :-)

        -Dom

      • ...perhaps the web?
        --

        ------------------------------
        You are what you think.
        • I couldn't either, but I could find it on my hard disk, so I put it here [ccl4.org]. Beware - it expands to 5 levels of zip files, ultimately containing 1048576 copies of a 4294967295 byte file named 0.dll. Don't try downloading it if you think you may be behind a web proxy that attempts to scan passing traffic.

    • What kind of crappy software doesn't look inside container files for viruses.

      The kind that isn't written in Perl and can't use Archive::Zip, Archive::Tar, etc to interrogate the contents, perhaps? I'm not exactly sure how the MessageLabs [messagelabs.com] product does it, but to date it has stopped every unknown virus in the wild that it's come across, including the attempts to hide inside multi-zipped files or the latest 3 level extensions.

      It's pretty cool to be considered one of the top anti-virus companies in the world.
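The three failure modes the comments above describe (a scanner that never opens container files, an exe hidden in or renamed to a .zip, and the nested zip bomb that inflates to terabytes from a few hundred KB) come down to the same three checks: type by content rather than extension, recurse into archives to a bounded depth, and refuse an archive on its declared sizes before inflating anything. The following is an added example, not code from the page or from any of the scanners mentioned; it is in Python with the standard zipfile module rather than the Archive::Zip the comment refers to, the thresholds are illustrative, and every sample attachment is constructed in-code (the "executable" is just a DOS header magic, not a real PE).

```python
"""Container-aware attachment check (added example): walk nested zips to a
bounded depth, identify members by magic bytes rather than file extension,
and refuse an archive whose declared expansion is out of proportion to its
size. Sample attachments below are constructed in-code, not real malware."""
import io
import zipfile

PE_MAGIC = b"MZ"           # DOS/PE header of a Windows executable
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a zip archive

MAX_DEPTH = 3                   # zips nested inside zips beyond this are refused
MAX_RATIO = 100                 # declared uncompressed : compressed size
MAX_TOTAL = 50 * 1024 * 1024    # bytes we are willing to expand per archive


def classify(data):
    """Type by content, so 'joke.exe' renamed to 'photo.zip' is still an exe."""
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def scan(data, name="attachment", depth=0):
    """Return a list of findings; an empty list means nothing objectionable."""
    kind = classify(data)
    if kind == "pe-executable":
        ext = name.rsplit(".", 1)[-1]
        return [f"{name}: Windows executable (by magic bytes, extension says {ext})"]
    if kind != "zip":
        return []
    if depth >= MAX_DEPTH:
        return [f"{name}: zip nested more than {MAX_DEPTH} levels deep, refused"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: zip magic but not a readable archive, refused"]
    with zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        packed = sum(i.compress_size for i in infos) or 1
        if declared > MAX_TOTAL or declared // packed > MAX_RATIO:
            # Decide on the central directory alone; never inflate a suspected bomb.
            return [f"{name}: would expand {packed} bytes to {declared} "
                    f"(ratio {declared // packed}), refused as a zip bomb"]
        findings = []
        for info in infos:
            with zf.open(info) as member:
                # Cap the read so a lying size field cannot pull more than
                # MAX_TOTAL into memory.
                payload = member.read(MAX_TOTAL + 1)
            findings.extend(scan(payload, f"{name}/{info.filename}", depth + 1))
        return findings


def verdict(name, data):
    """(decision, findings) for one attachment; any finding means reject."""
    findings = scan(data, name)
    return ("reject" if findings else "accept"), findings


# ---- constructed sample attachments ----
def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for member_name, payload in members:
            zf.writestr(member_name, payload)
    return buf.getvalue()


FAKE_EXE = b"MZ" + bytes(range(256)) * 2   # only the DOS magic; not a runnable PE


def deep_zip(levels):
    data = make_zip([("x.txt", b"hello")])
    for _ in range(levels):
        data = make_zip([("a.zip", data)], zipfile.ZIP_STORED)
    return data


SAMPLES = {
    "joke.zip": make_zip([("joke.exe", FAKE_EXE)]),                    # exe hidden in a zip
    "photo.zip": FAKE_EXE,                                              # exe renamed to .zip
    "report.zip": make_zip([("report.txt", b"quarterly figures\n")]),  # benign
    # 8 MiB of zeros deflated to a few KB, then STORED inside an outer zip so
    # the outer archive's own ratio looks harmless: a shallow check misses it.
    "funny.zip": make_zip([("inner.zip", make_zip([("0.dll", b"\0" * (8 << 20))]))],
                          zipfile.ZIP_STORED),
    "deep.zip": deep_zip(4),                                            # zip in zip in zip ...
}

if __name__ == "__main__":
    for filename, blob in SAMPLES.items():
        decision, notes = verdict(filename, blob)
        print(f"{filename:12} {decision:6} {'; '.join(notes)}")
```

The ratio and total-size checks read only the central directory, so a bomb is refused without ever being inflated; the recursion is what catches the multi-level case, since the outer archive of funny.zip has a ratio of 1 and only its inner member is out of proportion. The same structure applies to tar and other containers the comment mentions, with a different magic and reader.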

    • What kind of crappy software doesn't look inside container files for viruses. Even the abominable mailsweeper, which I thoroughly despise , handles this.

      More likely is that their AV vendor hadn't released updates to catch the virus by this point. And given that the vendors couldn't agree on what was the definitive list of .zip files that were likely to contain the virus, blocking all .zips isn't too bad an idea, at least until you're sure that the AV software is sufficiently up to date.

      N