I don’t understand what you mean by the fact that only processes running as root can open ports under 1024. I have written several perl programs to automate various tasks. The programs will send me email when they have completed. It is my understanding that SMTP uses port 25. These programs do not have to be run as root.
yawndave, If you read some of the replies in this thread carefully, I think you can see why this is happening. To sum up:
Let’s say user A is infected with a virus of the sobig type. The virus looks around in User A’s computer and makes a list of all the email addresses it finds; from emails, cached web pages, and other likely places. Then it takes two addresses at random; places one addr in the TO field, and the other in the FROM field, and mails out the new message with the virus attached.
Let’s say the TO & FROM addrs are B and C. B gets the email and thinks it is from C, but it is not, it really came from A’s computer.
Worse yet, if B has a virus scanner in place, it recognizes the attached virus, strips it of infectable substance, and fires off a nasty advisory message, “we don’t allow that kind of mail here!” But where does it send this message? To C, who is only an innocent bystander, who says, “What did I do?” In this example, that’s you.
Smart virus, stupid detection program, which only adds to the confusion.
It’s worth noting that often, if you look inside the email’s “Properties” and analyse the “Header Section”, you can actually see the name of the REAL computer which is claiming to be the sending email address.
OK. So why don’t the virus scanners do that, instead of acting in a virus-like and spam-like manner themselves by sending messages to the wrong people?
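The post above says the real sending machine can be read out of the header section even when the From address is forged. Here is that check in code, as an added example written for this page (it is not from any poster and not from an antivirus product): it walks the Received chain of a constructed Sobig-style message, picks out the host that first handed the message to a mail server, and compares it with the domain of the claimed From address. All host names, addresses and the message itself are constructed sample data using the reserved example/documentation ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture). The worm on an infected dial-up
# host ("home-pc") forged both the From and To addresses; its ISP's relay
# then delivered the message to the recipient's mail exchanger.
SAMPLE_MESSAGE = """\
Received: from smtp.isp.example.net (smtp.isp.example.net [192.0.2.10])
    by mx.example.org with ESMTP id 0001
    for <b@example.org>; Tue, 19 Aug 2003 10:00:05 -0400
Received: from home-pc (dialup-77.isp.example.net [198.51.100.77])
    by smtp.isp.example.net with SMTP id 0002;
    Tue, 19 Aug 2003 10:00:01 -0400
From: C <c@example.com>
To: B <b@example.org>
Subject: Re: Details
Message-Id: <constructed-0001@example.com>

See the attached file for details.
"""

# One hop of the form: from <helo-name> (<reverse-dns> [<ip>]) by <receiving-host>
HOP_RE = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\) by (\S+)")


def received_hops(raw):
    """Parse every Received header, top (most recent) first.

    Each receiving server prepends its own Received line, so the list is in
    the reverse of the order the message actually travelled."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", header))  # unfold the header
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2),
                         "ip": m.group(3), "by": m.group(4)})
    return hops


def origin_hop(raw):
    """Bottom-most parseable Received line: the host that first handed the
    message to a mail server, i.e. the machine that really sent it."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def from_domain(raw):
    """Domain part of the (claimed) From address, lower-cased."""
    msg = message_from_string(raw)
    address = parseaddr(msg.get("From", ""))[1]
    return address.rpartition("@")[2].lower()


def from_address_is_plausible(raw):
    """Heuristic: does the originating host belong to the From domain?

    A mismatch is a strong hint that From was forged, as the worm does, so a
    virus advisory mailed to that address would only reach a bystander.
    Legitimate mail sent through a third-party provider mismatches too, so
    this is a reason to suppress the advisory, not proof of anything."""
    origin = origin_hop(raw)
    if origin is None:
        return None  # no Received lines at all: nothing to compare against
    domain = from_domain(raw)
    rdns = origin["rdns"].lower()
    return rdns == domain or rdns.endswith("." + domain)


def scanner_report(raw):
    """What a scanner could log instead of writing to the From address."""
    origin = origin_hop(raw)
    return {
        "claimed_sender_domain": from_domain(raw),
        "origin_host": origin["rdns"] if origin else None,
        "origin_ip": origin["ip"] if origin else None,
        "from_plausible": from_address_is_plausible(raw),
    }


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(f"{hop['ip']:>15}  {hop['rdns']}  ->  {hop['by']}")
    print(scanner_report(SAMPLE_MESSAGE))
```

Only the Received line added by your own server (the topmost one) is trustworthy; lines below it were written by other machines and can themselves be forged, which is why the comparison is a hint for deciding whether to notify the From address, not evidence about who is infected.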
In this case, it is the SMTP server (running as root or as its own specially-privileged user) that has opened port 25 and is listening for connections to it. Your script is merely connecting to a port that is already open. That can be done by anyone.
But I guess I was wrong (I said it was possible) about the root-only restriction on ports offering any particular security, if a rogue service could open a high-numbered one. My bad.
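The distinction the two posts above are making (binding a port below 1024 needs privilege; connecting to an already-open port does not) can be shown directly. The following is an added example written for this page, not code from any poster: it tries to bind a low and a high port and reports the outcome, then opens a listener on a kernel-chosen high port, which any user may do, and connects to it as a client the way a mail-sending script connects to port 25. The greeting text is a constructed stand-in, not a real mail server.

```python
import errno
import socket
import threading


def try_bind(port):
    """Try to open (bind) a TCP listening socket on `port` at 127.0.0.1.

    Returns "bound", "permission-denied" (the usual result for ports below
    1024 as an unprivileged user on a default Unix system), "in-use" when
    something else already holds the port, or "error:<errno>"."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(("127.0.0.1", port))
        return "bound"
    except PermissionError:
        return "permission-denied"
    except OSError as exc:
        return "in-use" if exc.errno == errno.EADDRINUSE else f"error:{exc.errno}"
    finally:
        sock.close()


def _serve_one_greeting(listener, greeting):
    """Server side: accept a single connection and send a greeting line."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(greeting)


def connect_and_read_greeting(port):
    """Client side: connect to a port that is already open and read the
    greeting. This is all a mail-sending script does; no privilege needed."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        return client.recv(1024).decode("ascii", "replace")


def demo_connect_without_privilege():
    """Stand in for the SMTP server with a listener on an ephemeral port
    (port 0 asks the kernel for any free high port), then connect to it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    greeting = b"220 mx.example.org constructed test greeting\r\n"  # constructed
    server = threading.Thread(target=_serve_one_greeting, args=(listener, greeting))
    server.start()
    try:
        return connect_and_read_greeting(port)
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    print("port 25   :", try_bind(25))   # permission-denied unless root (or in use)
    print("port 0    :", try_bind(0))    # any user may bind a high port
    print("greeting  :", demo_connect_without_privilege().strip())
```

The low-port rule only says who may *offer* a service on a well-known port; it says nothing about who may *use* one, and nothing about services offered on high ports, which is the point the second post concedes.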
FYI: The latest theory of the sobig’s origin is that it started in Canada: http://canada.com/national/story.asp?id=F5CD01CE-D66F-4DDD-AA65-DEB7F30F45C3
A summary of that story from slashdot:
That doesn’t mean that the culprit is in B.C., though. Just that they covered their tracks using a computer that they exploited here. They could have done that from Tuktoyaktuk, for all we know.
It’s so stupid when people think people that do ‘dumb’ things on computers are so retarded and worthy to be gassed.
I mean, is it REALLY so obvious that .scr and .exe files are dangerous and .jpg and .gif files aren’t? YOU may know what a gif is and what a jpg is… but if you didn’t use a computer all the time, is there really some big flag that scrs are dangerous and gifs aren’t? It’s hardly knowledge you’re born with.
My sister got her new Dell computer the other day. Hadn’t even hooked the thing up to the internet yet and we already had the blaster bug.
What would a ‘smart’ person have done? :rolleyes:
How can we not hold Microsoft at fault when they make it so ridiculously easy for naive users to spread viruses? Consider that:
[ul]
[li]By design, their email client makes it relatively easy to run attachments containing executable code that may contain viruses. It takes at most two mouse clicks by the user to do so. In earlier versions, I believe it took only a single mouse click.[/li]
When this “feature” was announced, there were significant protests by security researchers and predictions that it would lead to a scourge of email viruses. Microsoft dismissed the protests, ignored the peril, and implemented the feature anyway, with no safeguards.
[li]Microsoft’s email client makes it difficult (if not impossible) for many users to determine whether a file attachment mailed to them is safe to open. For example (barring other security problems) image files cannot contain viruses. However, a virus-infected executable can masquerade as an image file by using the appropriate icon and by taking advantage of the “hide file extension” default in Windows. I recall a security researcher at an antivirus company stating that he almost opened one such attachment during a previous virus epidemic. If he was almost duped, surely a lot of less sophisticated people actually will be.[/li]
[li]Many of Microsoft’s document formats have been designed such that they may contain executable code (and thus viruses). Microsoft tries to ameliorate this situation by providing warnings about possible viruses when opening such a document. But after repeatedly opening legitimate documents and dismissing the warnings enough times, it becomes very easy for a user to accidentally hit the wrong button and get infected with a virus. Had Microsoft designed their document formats in a more intelligent way, such that they did not contain executable code or such that the executable code was limited in its capabilities, they could have avoided this entire problem.[/li][/ul]
Of course, some people (including the OP) will always trot out the familiar (and elitist) “users are ignorant and should know better” excuse. To some extent that may be true, but to most of the public, computers are simply a tool and they have no desire to learn such esoterica as the difference between clicking an image icon on their desktop and clicking the same image icon in their mail message. Since Microsoft is actively marketing to the general public without either educating it about these issues or making it easy to avoid them, surely they must bear some responsibility for the problem.
Also, it’s worth noting that the dichotomy between the current situation and the “secure computing initiatives” is a false one. There are other viable and technically superior options such as sandboxing (a la the Java virtual machine). Unfortunately, you probably won’t see Microsoft adopt these options because (due to poor design in previous products) it’s basically impossible for them to shoehorn their existing code into them. And besides, they don’t get control over the code running on their operating system that way.
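The second point in the list above describes an executable masquerading as an image by carrying a data-looking name in front of its real extension, which Windows then hides. As an added example written for this page (not the poster's code and not any vendor's filter), here is a name-based check a mail gateway could apply to attachments: it spots the double extension, shows what the user would have seen with "Hide extensions for known file types" on, and runs over a constructed test message built with Python's standard `email` library. The extension lists and the sample message are assumptions constructed for the example.

```python
import os
from email.message import EmailMessage

# Extensions Windows runs as programs when opened (the kind the post worries
# about) and extensions a user would read as harmless data. Constructed lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DATA_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".pdf"}


def classify_attachment(filename):
    """Judge an attachment by its declared name alone.

    "masquerading-executable" means a program whose name ends in a data-looking
    extension followed by an executable one (holiday.jpg.exe); with known
    extensions hidden the user sees only holiday.jpg and the picture icon."""
    name = filename.strip().lower()
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]
    if ext in EXECUTABLE_EXTS and inner_ext in DATA_EXTS:
        return "masquerading-executable"
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in DATA_EXTS:
        return "data"
    return "unknown"


def displayed_name(filename):
    """Name as Explorer/Outlook show it when known extensions are hidden."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in EXECUTABLE_EXTS | DATA_EXTS else filename


def scan_attachments(msg):
    """Return (declared filename, verdict) for every attachment in `msg`."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_attachment(name)))
    return results


def build_sample_message():
    """Constructed test message: one disguised program plus one text file."""
    msg = EmailMessage()
    msg["From"] = "c@example.com"
    msg["To"] = "b@example.org"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached details.")
    # Placeholder bytes standing in for a program; this is not a real executable.
    msg.add_attachment(b"MZ placeholder bytes, constructed for this example",
                       maintype="application", subtype="octet-stream",
                       filename="holiday.jpg.exe")
    msg.add_attachment("Minutes of the meeting.", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for name, verdict in scan_attachments(build_sample_message()):
        print(f"{name:20} shown as {displayed_name(name):15} -> {verdict}")
```

The check is deliberately conservative: a bare `setup.exe` is reported as an executable rather than as a disguise, so a policy can treat the two differently (warn on one, quarantine the other), and anything the name does not reveal is left to content inspection.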
Gee–foibles, gullibility, and ignorance? I don’t know . . . my husband and I are BOTH applying for jobs, sometimes over the internet, almost always giving our email address, so when we get something that says “Your application” in the header it’s kind of hard to resist opening it.
Except that I’m on a couple of lists that clued me in about what the headers say.
But then I got an email w/attachment from my son, who’s a computer professional, and he thought it was strange that I called him up to ask if he really sent it. (“Mom, I’m a computer professional. You don’t really think I’d send you a virus, do you?”)
And I’m sure no fan of MS but blaming the corporation for this sounds about as sensible as blaming Chevrolet if some vandal puts sugar in your gas tank.
Well, if Chevrolet announced that they were removing the gas cap, widening the filler neck, painting it bright red, trumpeting “Now you can insert foreign objects into the gas tank easier than before!” but not mentioning anything about the risk in the owner’s manual, I certainly would blame the corporation. :rolleyes:
Mr. Feely, what email client do you use? Pine? All the modern email clients I have seen (Eudora, Netscape, Mozilla) allow you to do what you like with the attachments without a lot of fuss.
Hiding the file extensions is about the only thing in your post that I think has validity.
I find that your post is extremely elitist. You seem to be saying that anything powerful should be complicated so that ignorant users cannot do them. Why should it be a big pain in the ass to use an attachment?
For the record, I use Mutt on Red Hat Linux. The default settings of my email client do not allow attachments containing executable code to be run directly (non-executable files can be viewed directly). Regardless of what other email clients do, however, I think Microsoft deserves to be singled out here because (1) they were the first to allow direct execution of attached executables, (2) their vast market share causes them to be a much greater target and thus they have a greater security responsibility, and (3) their products are mass-marketed as being suitable for novice users.
Would you care to enlighten me as to why my other points are invalid?
I have no qualms about letting naive users shoot themselves in the foot, as long as the gun doesn’t provide them the opportunity to easily and unknowingly take out their friends, co-workers, and millions of other people on the Internet in the process. When designing software for the general public, potentially risky features should be recognized as such and sufficient safeguards should be put in place to mitigate the damage that can be caused in the hands of naive users. I don’t believe that Microsoft sufficiently accounted for the risks of these features, and as a result we have the current situation of email virus du jour.
From a pragmatic standpoint, the value of any feature must be weighed in a cost-benefit analysis over all users. It seems to me that the benefits of being able to run attached executable files are far outweighed by the costs. Do you disagree?
Mr. Feely, your points that I disagree with:
- Microsoft’s email client makes it impossible to tell if an attachment is safe.
This is no different than any other email client.
- Many Microsoft documents can contain macros which could have viruses in them.
This is a Microsoft Office problem. (I personally find macros very useful in some situations.) It is not an email client problem. Requiring the user to go find the document in the attachments directory or wherever they get put before they can use the file is really just a big pain in the ass. Users will switch to some other email client which does not make them jump through hoops.
But we still haven’t covered the question of why this particular virus spread so fast. Yes, it relies on human gullibility. Yes, Microsoft security isn’t as strong as it should be. But this has been true of many e-mail viruses, for many years. Why is it that this one is hitting hundreds of times harder than, say, Klez? What does it have that the others lack?
I fail to see why Outlook’s failings should be judged on a relative basis. If we want to eliminate these email virus epidemics, the question we should be asking is “does the design of this email client take reasonable steps to reduce or prevent the chance of virus transmission?”, not “is this email client no worse at virus transmission than email client X?”
What would be wrong with providing an option (defaulting to on) that disables the direct execution of executable attachments in Outlook? This would largely prevent the naive home user from propagating email viruses (since they would not know to disable it and would not have the knowledge to install another email client), while still allowing the knowledgeable user to make the choice for himself. If corporate IT departments also had the ability to hardwire the option, I think we would observe a drastically reduced susceptibility to email viruses. Why shouldn’t we hold Microsoft responsible for failing to implement such an option when they released their email client?
Actually I was going for the more subtle point that Microsoft has defined file formats such that it is difficult to automatically determine the safety of files of those types. When users are continually forced to acknowledge that legitimate files are truly legitimate, it makes it easier to slip up and acknowledge a non-legitimate file as legitimate (the Chicken Little effect). This affects not just Office, but is symptomatic of a larger problem with Microsoft software in that it was not designed with security in mind from the start. As a result, the user is forced to make value judgements that otherwise could be avoided regarding the trustworthiness of files. For an experienced user this is generally not a problem, but naive users do not have adequate context to make the judgment.
From reading the Technical Details, it seems the sobig is super-aggressive at mass mailing. It creates multiple threads in an infected machine.
Unlike some other worms that, perhaps in an attempt to avoid detection, send out messages infrequently, this one is hell-bent for volume. And the more it sends out, the more likely some recipient is going to get infected.
And the faster the whole thing grows, the less likely people are to recognize its characteristics at first. It takes some finite time for the antivirus bunch to analyze and find the pattern for any new virus, then make the scan data available. If the virus can propagate in minutes, but the prevention process takes hours or days, there is an opportunity window, and it’s an exponential thing.
At least that’s my take on it. I could be wrong.
Is anyone else not getting this virus? I have 5 very active email accounts that I send and receive mail from every day and, to be completely honest, I never heard of sobig until I saw this thread.