Maker Pro

Worm and Virus attack

Active8

Active8 wrote...

I've now received over 3000 of these, each of which has a 106k
bytes-long worm. That's 320MB of downloads from my mail server
in Pittsburgh in the last 24 hours. My Comcast cable modem has
a slow upload speed of about 150k bits/sec, so if I were to have
bounced these messages, that would have taken about 5 hours of
full upload traffic. It's hard to see how folks with ordinary
POTS modems could survive such an attack.

good point, but i wasn't aware that bouncing did that. figure that with
mailwasher, you're viewing the message on the server which requires a
download, but it's still on the server. a bounce message should be just
that, a bounce message, no?

i just bounced 15 as a test. that would be 1.59MB or 12.72Mb at 14.4kbps
dial-up upload speed or 883 sec.

it took 30 sec. :)

from the help:

Clicking the Bounce box on a message or selecting E-mail/Mark for
Bouncing from the menu sends a faked “address not found” message to the
address that the message originated from. This reduces the possibility
of more spam e-mail coming from this address. Checking the Bounce box
will automatically check the Delete checkbox.

Some messages may meet the virus or spam-like material selection
criteria that is configured into MailWasher and these will automatically
be set to Bounce and Delete. However you may unset these checkboxes if
you wish to receive the mail.

end of topic

so the mail is viewed but not downloaded and the only thing sent is a
bounce message.
They're coming in at the rate of about four a minute right now.
I spent some time trying to set filters, but the quasi-random
nature of the Swen email headings makes that impractical with
my The Bat! email client. I'm ready to change programs again.

i know of no filter rule ( i'm using pegasus mail, but checked out the
bat. i think bat would be a good client and pegasus a good list server)
that would handle this random crap.

i'm up to 90 now. about 4 per hour.

BTW, mailwasher can blacklist mail from certain users, so any repeat
from the same random sender will be blacklisted. it has filters. the 2
filters that come with it (unchecked by default) are for mail sent to
"undisclosed recipient" and mail not specifically to you (me).

mike
 
Winfield Hill

Active8 wrote...
Win says...

good point, but i wasn't aware that bouncing did that. figure that with
mailwasher, you're viewing the message on the server which requires a
download, but it's still on the server. a bounce message should be just
that, a bounce message, no?

i just bounced 15 as a test. that would be 1.59MB or 12.72Mb at 14.4kbps
dial-up upload speed or 883 sec.

it took 30 sec. :)

from the help:

Clicking the Bounce box on a message or selecting E-mail/Mark for
Bouncing from the menu sends a faked “address not found” message to the
address that the message originated from. This reduces the possibility
of more spam e-mail coming from this address. Checking the Bounce box
will automatically check the Delete checkbox.

Some messages may meet the virus or spam-like material selection
criteria that is configured into MailWasher and these will automatically
be set to Bounce and Delete. However you may unset these checkboxes if
you wish to receive the mail.

end of topic

so the mail is viewed but not downloaded and the only thing sent is a
bounce message.

i know of no filter rule ( i'm using pegasus mail, but checked out the
bat. i think bat would be a good client and pegasus a good list server)
that would handle this random crap.

i'm up to 90 now. about 4 per hour.

BTW, mailwasher can blacklist mail from certain users, so any repeat
from the same random sender will be blacklisted. it has filters. the 2
filters that come with it (unchecked by default) are for mail sent to
"undisclosed recipient" and mail not specifically to you (me).

MailWasher, ok, thanks for the tip. I'll check it out.

Thanks,
- Win
 
Kevin Aylward

Winfield said:
Active8 wrote...

I've now received over 3000 of these, each of which has a 106k
bytes-long worm.

Serves you right for being so famous/popular. I only got the one.

Kevin Aylward
[email protected]
http://www.anasoft.co.uk
SuperSpice, a very affordable Mixed-Mode
Windows Simulator with Schematic Capture,
Waveform Display, FFT's and Filter Design.
 
Nico Coesel

Winfield Hill said:
Nico Coesel wrote...

You're suggesting folks should memorize your email address,
rather than put it in their address book? Instead, how about

Oops. I forgot the smiley :)
suggesting that the authors and software-engineering managers
of Microsoft's email programs and address book should check
their work before forcibly installing it on our computers, no
choice allowed, by the repeatedly-convicted monopoly company?

Seriously, ISPs should block all e-mail composed by Outlook. There is
no other alternative.
 
Bruce Tomlin

Spehro Pefhany said:
Yes, there's a paid version, which we have bought. I don't think the
free version is spyware, just adware. One time I accidentally deleted
the ad window and it stopped working until I figured out how to bring
it back. 8-(

I used to use Eudora a long time ago, until they came up with the adware
version. The problem wasn't the adware, the problem was that they
completely rewrote the UI code for the Mac version, presumably with
oodles of C++, and window redraw was too slow. They would visibly
flicker during redraw.

Anyhow, the trick I found was to locate the cache directory for the ads,
delete it, and create an empty file of the same name. The ad window was
still there, but it couldn't download any ads, so the window was empty.
 
Jim Thompson

My guess is that you hadn't posted your cox email to the world -- as cox was
passing that stinking virus to me at nearly 200 per hour! Around 4 this
afternoon - the virus emails suddenly dropped off to near zero. My guess is
that Cox finally implemented a filter at that time.

-- Ed

Cox West crashed early this morning at 3:44AM MST and didn't come back
until about 9:15AM MST.

(I stopped using my Cox username and created a new mail account with a
really obscure, hard to guess, name :)

...Jim Thompson
 
John Larkin

Keith R. Williams said:
[...] as long as the world runs on M$
trash, we're going to have these problems.

We'll have these problems for longer than that. Indeed, we'll have these
problems for as long as email does more than convey plain text and the
Internet supports sending of nonsecure messages. May I remind folks that
MSFT didn't invent the bug, and that the first worms were not on Windows?
Virus writers target whatever platform is dominant and powerful enough to
propagate the virus. *All* nontrivial platforms have bugs that can be
exploited given enough interest.


Except that Windows is crap through and through.

Any decent operating system separates I and D-spaces, and Windows
doesn't. So buffer overrun exploits are easy. Buffer overruns are a
chronic defect in Windows, and apparently always will be.

Microsoft's QC is abysmal; they actually make money selling crappy
operating systems and applications that encourage everybody to keep
upgrading.

Microsoft seems to have the attitude that, when in doubt, execute it.
In Redmond nobody seems able to tell the difference between data and
code. So you can have viruses in Word documents, spreadsheets,
unopened email and, of course, any executable. Hell, I ran RSTS/E in
1980 on a PDP-11 and hosted my company plus four competing high
schools full of creative brats; they tried mightily, but it was
impossible to crash, even programming in assembly, and it ran for
months between power failures. This because it had a clean, simple
kernel that simply did not allow user applications to exceed defined
privileges; Windows has no such control.

Windows defaults to least-secure settings when installed. Why?

Apple/UNIX/Linux/VMS/Solaris security lapses are measured in bugs per
year, and often clock in at zero. Windows bugs run several per week.

John
 
Keith R. Williams

Keith R. Williams said:
[...] as long as the world runs on M$
trash, we're going to have these problems.

We'll have these problems for longer than that. Indeed, we'll have these
problems for as long as email does more than convey plain text and the
Internet supports sending of nonsecure messages. May I remind folks that
MSFT didn't invent the bug, and that the first worms were not on Windows?
Virus writers target whatever platform is dominant and powerful enough to
propagate the virus. *All* nontrivial platforms have bugs that can be
exploited given enough interest.

Certainly worms have been around since the beginning of computers
(even before email). However OE makes the propagation totally
transparent. YOY does anyone make attachment auto-execute even a
possibility, much less the default?

Essentially worms/viruses are allowed to propagate like wildfire
because we have such a mono culture. A little diversity wouldn't
hurt, along with a certain software manufacturer that cares
something about security.

If you want to not catch viruses, you have two choices: adopt a non-dominant
platform (and accept that many programs will not be available to you) or
adopt the dominant program, keep it aggressively up to date, and take
precautions.

The problem with this particular worm is that it's effectively a
DoS attack on the entire Internet. I don't *have* to be infected
to have wasted many hours cleaning up.

If you want to not receive virus-related mail, you have two
choices: don't let anyone know your email (and accept that many people won't
be able to reach you easily)

I won't get a virus if I never power the computer on either.
....hardly a good choice.

or install effective filtering mechanisms,
ideally upstream from your inbox.

Which is what I've spent most of today doing. It's a PITA
though. I finally figured out that they aren't using the "To:"
or "CC:" for the address, so I've filtered on these. It's still
a PITA because my ISP doesn't do complex filtering, so I had to
do an "OR" by shuffling the email off to another account if it
was addressed to me.
 
Guest

quoting Bruce Tomlin said:
I used to use Eudora a long time ago, until they came up with the adware
version. replace the ad cache directory with an empty file... no ads!

with a little insight and effort the PC-version can be 'quieted' also
(hint: use a free software firewall like Sygate)
....Eudora did lose a bunch of entries from my addressbook recently...
but I doubt that that was 'in revenge' for not letting it "call home"
(though I can't be sure, of course... :(


p.s. why was this cross-posted to sci.electronics.design anyways?
I'll take that out (of my FollowUp-To-header)
 
Guest

quoting Winfield Hill said:
I've now received over 3000 of these, each with a 106k bytes-long worm.

you must have received an (increasing) number of bounces also,
without the worm (ISPs are installing filters and dropping the
attachments), plus bounces of "Can't be delivered, no such address.

That's 320MB of downloads from my mail server in Pittsburgh in 24 hours.
hard to see how folks with ordinary POTS modems could survive such an attack.

simple: one uses a decent mail-agent and ISP (the latter is hard to
figure out beforehand); one doesn't download but the headers (IMAP)
or only complete messages shorter than X k (Eudora) with X set to
between 10k and 70k (would work for most)

They're coming in at the rate of about four a minute right now.
I spent some time trying to set filters, but the quasi-random nature of
the Swen email headings makes that impractical with my The Bat! email client.
I'm ready to change programs again.

sweN --> News if you stop posting to USEnet the rate should
go down within a day or two...
:)

sometimes I can't help but wonder if such worms are written by
people who are disgusted with deficiencies in current computing
platforms: talking to MicroSloth (and sendmail, for that matter)
authors for several decades about lurking problems didn't get
anything addressed, telling ISP's about DOS-attack problems,
mail-floods (both message size and number of messages), forging,
snooping, etc... didn't get any of them to take any steps.

I just checked, and it's somewhere between funny and pathetic to
see how many users here have hundreds of megabytes waiting for
them in the mail-queue... I wonder how many ISPs are learning
the hard way about this problem (waiting to happen again) and
how many lusers will get their courage up to bitch at their ISP
to get their shit together and PREPARE for this kind of event
to happen again and again and again... and to be ready to react
quickly and effectively, without poor lusers getting overwhelmed
and losing the email that they actually want to receive.

this particular attack is targeting the USEnet community as
a whole (those who don't post there should see little... and
may wonder what the hoopla is all about) and the theory is that
its some spammer(s) who are trying to retaliate and inconvenience
(keep otherwise busy) those netizens who are trying to fight the
email spam problem... could be, but maybe not.

...next time it will be another subset of the online community
(users of some software, website, or communication protocol) who
will be victimized, thrown for a loop, and more and more people
will get turned off to the whole online experience and technology.

Vandals and Anarchists clearly have a new playground, as do all the
snakeoil salesmen and con artists of the world... (not mentioning
criminal and political organizations, and business mainsleaze...
it's going to be a long next couple of years, I fear)
 
YD

On 19 Sep 2003 12:02:11 -0700, Winfield Hill <[email protected]>
wrote:

Don Pearce wrote...

On 19 Sep 2003 10:51:14 -0700, Aubrey McIntosh wrote:

I have received almost 700 copies of worm or virus mail
to this account [snipped] in the past 24 hours.

This has been the GIBE virus, the new "returned mail" item.

Anyone else?

Everyone. At 700 you have come off lightly.

I got over 1000 at home this morning, over 450 of them
arriving in a single 5 minute period at about 0640 EST.
Strangely, I got almost none at my work email.

Thanks,
- Win

Those of us running Eudora got NONE ;-)

...Jim Thompson

Netscape, none, but I don't see how one's email client affects this.
At least with Netscape, unopened mail doesn't execute.

What do the virus messages look like?

John

Eudora's address book isn't hijackable as Outhouse Excuse's is.

Although I suppose I could get listed in someone's Outhouse address
book... it's not likely... I have no friends ;-)

...Jim Thompson

Got an addie? J/K :)

Seems the thing scours the news spool and other sources besides OE's
address book. My techie.com account used to get 2 or 3 'MS updates' a
day, this latest variant has it overrun, some 200 or 300 a day since
Wednesday.

- YD.
 
YD

Nico Coesel wrote...

You're suggesting folks should memorize your email address,
rather than put it in their address book? Instead, how about
suggesting that the authors and software-engineering managers
of Microsoft's email programs and address book should check
their work before forcibly installing it on our computers, no
choice allowed, by the repeatedly-convicted monopoly company?

p.s. I've hand-inspected and erased more than 2300 virus emails
in my non-microsoft mailbox in the last 16 hours. This was made
necessary in order to read the 35 legitimate emails I received.
I'm beginning to get really angry now.

Thanks,
- Win

Filter by subject line and sender, they don't vary all that much. I
know it's a bit of added hassle but you need to do it only once.

Netscape for mail, Opera for browsing (mail on trial), Forté Agent for
news, Zone Alarm firewall, occasional peeks in the registry settings,
close watch on unexpected activities. Seems to be keeping me safe
enough.

- YD.
 
Jim Thompson

On Fri, 19 Sep 2003 12:53:20 -0700, Jim Thompson
[snip]
Although I suppose I could get listed in someone's Outhouse address
book... it's not likely... I have no friends ;-)

...Jim Thompson

Got an addie? J/K :)
[snip]
- YD.

That's why I stopped using a valid E-mail address on the news groups,
plus my SIG refers you to the website... where the E-mail address is
an *image* thus not harvestable.

...Jim Thompson
 
Colin Bloch

sometimes I can't help but wonder if such worms are written by
people who are disgusted with deficiencies in current computing
platforms: talking to MicroSloth (and sendmail, for that matter)

Sendmail is an MTA & whatever security issues it's had in the past
have had nothing to do with the spread of worms.

this particular attack is targeting the USEnet community as

No it's not.

a whole (those who don't post there should see little... and

No they shouldn't.

It spreads through Kazaa, Email, mapped drives, IRC and yes, will
randomly post to newsgroups on your configured news server (or
just pick one if you don't have one configured.) However there
is no "targeting" nor any group at risk more than any other.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

CAB
 
Frank Buss

Colin Bloch said:
Sendmail is an MTA & whatever security issues it's had in the past
have had nothing to do with the spread of worms.

Not for the current worm. I received yesterday ca. 100 virus eMails, today
300, hoping the big providers will install sending filters, if the costs
are getting too high for them. But I don't want to think about what could be
possible, if a worm attacks sendmail and uses all the eMail addresses of
it.

Any comments about this program: http://tmda.net ?

I don't have time at the moment to install it on my server, but it looks
like a good solution to all spam and virus problems.
 
Jim Thompson

Not for the current worm. I received yesterday ca. 100 virus eMails, today
300, hoping the big providers will install sending filters, if the costs
are getting too high for them. But I don't want to think about what could be
possible, if a worm attacks sendmail and uses all the eMail addresses of
it.

Any comments about this program: http://tmda.net ?

I don't have time at the moment to install it on my server, but it looks
like a good solution to all spam and virus problems.

On the face of it, Challenge/Response sounds marvelous. Then you
realize it will sink the Internet with the traffic density going up
astronomically.

I think blacklisting ala SpamCop/SPEWS will ultimately settle the
problem.

...Jim Thompson
 
Frank Buss

Jim Thompson said:
On the face of it, Challenge/Response sounds marvelous. Then you
realize it will sink the Internet with the traffic density going up
astronomically.

Why? It sends only one mail for an incoming virus mail or spam. If the
destination address is invalid and a response mail is received, I hope the
program can recognize it, otherwise...
I think blacklisting ala SpamCop/SPEWS will ultimately settle the
problem.

Currently I've installed SpamPal, but all these programs are not perfect.
The challenge/response concept looks perfect; at least until the spammers
integrate it in their programs, but then you can enhance the challenge:
I've read about a challenge, where the user must click on a point on an
image and the position is described by text or a text, which is difficult
for OCR programs to recognize, must be typed in a web form.
 
Richard Hosking

The problem with this worm is that it is a DoS attack on lots of mailservers
I have had about 2000 of these in the last 2 days - I wonder if it is those
who are using NGs - a lot of the frequent posters on this NG are affected.
I have talked to my ISP - the worm avoids most of their filter settings. It
appears to disguise its source address. This will be one of the biggest
attacks yet I think. It doesn't matter which E mail client you use as the worm
clogs up your mailbox at the ISP level.

Richard



Spehro Pefhany said:
On 19 Sep 2003 12:02:11 -0700, Winfield Hill <[email protected]>
wrote:

Don Pearce wrote...

On 19 Sep 2003 10:51:14 -0700, Aubrey McIntosh wrote:

I have received almost 700 copies of worm or virus mail
to this account [snipped] in the past 24 hours.

This has been the GIBE virus, the new "returned mail" item.

Anyone else?

Everyone. At 700 you have come off lightly.

I got over 1000 at home this morning, over 450 of them
arriving in a single 5 minute period at about 0640 EST.
Strangely, I got almost none at my work email.

Thanks,
- Win

Those of us running Eudora got NONE ;-)

...Jim Thompson

Netscape, none, but I don't see how one's email client affects this.
At least with Netscape, unopened mail doesn't execute.

What do the virus messages look like?

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

A lot of them look like the "Microsoft" message that starts about
halfway down the above page. Or a fake bounced e-mail message.

I've gotten about 1500 of them (at 140K+ each) in the last 30 hours.
8-( Of course I'm not about to execute an unknown file, but it's
clogging things up like a mailbomb attack- and some incoming mails got
bounced overnight.

Best regards,
Spehro Pefhany
http://www.speff.com
 
Tony Williams

Winfield Hill said:
They're coming in at the rate of about four a minute right now.
I spent some time trying to set filters, but the quasi-random
nature of the Swen email headings makes that impractical with
my The Bat! email client. I'm ready to change programs again.

Swen's size is within 147000 to 161000 bytes.
Are you able to reject on size range?
 