Then t' worms 'll come an' ate thee up

nicholas on 2003-06-26T08:34:01

Windows worms annoy me. As I read mail using mutt on a FreeBSD system, I ought to have no contact with them. However my e-mail address appears in perl documentation and perl mailing list archives, and it looks like people on Windows actually read these files. Or at least, they download them or cache them locally, which is enough for the scanning worms to find my address.

Most of the recent worms seem to work by social engineering, rather than exploiting any software bug, trying to tempt the user to run untrusted code.

But why does all this crap only ever originate from Windows systems? I'd contend that there is a bug - a design bug in the philosophy of Windows. You don't see people mailing each other Java bytecode and then running that outside a sandbox - so why in recent years did people happily expect to mail each other joke x86 executables? Windows is buggy to provide a user interface that makes no distinction between opening an attached data file, and running untrusted attached executable code. Even if I never use it, and never mailed anyone using it I'd be suffering because of Windows. Someone must be to blame - I demand compensation! I'd like $1 from Bill Gates for every K of crap sent to me by Windows malware.

Last night's worm's trick seems to be to put the executable inside a zip file, in an attempt to defeat most scanners and mail filters. Judging by its success it was quite effective - I've just deleted over 100 of them (or their bounce reports), which was 14 meg. On my suggested compensation scale, I'd be $14,000 richer. If only.


Windows is very broken, but..

ajt on 2003-06-26T10:31:31

I think it's fair to say that Windows is very broken, and Microsoft made a number of very poor design decisions along the way. In hindsight I think even they wish they had done some things differently now.

The ORA book Malicious Mobile Code, though somewhat overtaken by events, is a very good and frightening read. Not that I used IE or Outlook before, but I'm now very anti these products.

However, engineering aside, Microsoft and others encourage a culture of trust, ease of use, and poor security practice, that is far more damaging. It's more important to them that something is easy and automatic than it is that it's safe, and the result is what we see, lots of business for anti-virus vendors.

If there were the same number of ill-educated BSD/Linux users as there are Windows users, then there would be lots of problems with these systems too. Though I will grant that the problems would be different as *nix systems are different at the core to Windows, but it's always easy to do stupid things....

Re:Windows is very broken, but..

Dom2 on 2003-06-26T11:31:59

Funny, that was the same culture that brought us rsh et al. on early BSD and Unix workstations. It took years to convince vendors to not ship with that stuff turned on by default and to provide secure alternatives. I don't see Microsoft being any slower or quicker.

-Dom

Re:Windows is very broken, but..

nicholas on 2003-06-26T12:26:14

I don't see Microsoft being any slower or quicker.

but also I don't see them learning from the mistakes of others. Those who do not learn from history are doomed to repeat it (apparently a quote from George Santayana)

Re:Windows is very broken, but..

Dom2 on 2003-06-26T14:08:31

I always preferred the Henry Spencer version:
Those who do not understand Unix are condemned to reinvent it, poorly.

-Dom

Zip Files

Dom2 on 2003-06-26T11:35:19

Interesting, so that'll be why I received this message this morning from a client:
Please note that due to action taken by our IT colleagues, we will be unable to receive .zip attachments today (26/06/03). I apologise for any inconvenience.

What kind of crappy software doesn't look inside container files for viruses? Even the abominable mailsweeper, which I thoroughly despise, handles this.

-Dom

Re:Zip Files

gav on 2003-06-26T12:38:13

One of my clients is a big company. They have an even crappier mailscanner which silently deletes attachments it doesn't like. On the other hand it's perfectly fine with exe files inside zip files, or exe files renamed to zip files!

Somebody needs to invent some way of sending files to people without having to resort to email. It is way too low-tech and inefficient.

Re:Zip Files

Dom2 on 2003-06-26T13:00:38

I kind of know why they might wish to do this actually. There was a zip file floating around somewhere which expanded vastly in size, and contained more copies of itself. It was only about a hundred Kb. :-)

-Dom

Re:Zip Files

chaoticset on 2003-06-26T17:38:04

...perhaps the web?

Re:Zip Files

nicholas on 2003-06-26T18:23:32

I couldn't either, but I could find it on my hard disk, so I put it here. Beware - it expands to 5 levels of zip files, ultimately containing 1048576 copies of a 4294967295 byte file named 0.dll. Don't try downloading it if you think you may be behind a web proxy that attempts to scan passing traffic.
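The three scanner failures described in this thread - an executable inside a zip, an executable merely renamed to .zip (gav's post above), and a nested zip that "expands vastly in size" (Dom2's and nicholas's posts) - are all handled by the same small piece of inspection logic. The following is an added example written for this page, not code from the thread or from any of the products it mentions (MessageLabs, mailsweeper), and it is in Python rather than Perl/Archive::Zip so that it runs with the standard library alone. It identifies members by their leading bytes rather than by file name, recurses into nested archives up to a depth limit, and rejects an archive on the sizes declared in its headers before inflating anything, so a bomb like the five-level one above is refused without ever being expanded. The thresholds (MAX_DEPTH, MAX_TOTAL_BYTES, MAX_RATIO) and the sample attachments are assumptions constructed for the example.

```python
import io
import zipfile

# Policy thresholds: assumptions chosen for this example, not values from the thread.
MAX_DEPTH = 3                        # nested zip levels we are willing to open
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # declared uncompressed bytes across all levels
MAX_RATIO = 100                      # declared uncompressed bytes per compressed byte


def looks_like_pe(data: bytes) -> bool:
    """Windows executables begin with the 'MZ' DOS stub, whatever the file is called."""
    return data[:2] == b"MZ"


def is_zip(data: bytes) -> bool:
    """Local file header, or the end-of-central-directory record of an empty archive."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def inspect(data: bytes, name: str = "attachment", depth: int = 0, budget=None):
    """Return a list of (path, verdict) findings for an attachment; [] means clean.

    Sizes are taken from the zip headers, so nothing is decompressed until it has
    passed the total-size and ratio checks. 'budget' is shared across recursion so
    that many small members at many levels still add up against MAX_TOTAL_BYTES.
    """
    if budget is None:
        budget = {"bytes": 0}
    findings = []

    if looks_like_pe(data):
        findings.append((name, "executable (MZ header)"))
        return findings
    if not is_zip(data):
        return findings
    if depth >= MAX_DEPTH:
        findings.append((name, "nested too deep"))
        return findings

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((name, "malformed zip"))
        return findings

    with zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            budget["bytes"] += info.file_size
            if budget["bytes"] > MAX_TOTAL_BYTES:
                findings.append((path, "declared size exceeds budget"))
                return findings
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((path, "suspicious compression ratio"))
                return findings
            if info.is_dir():
                continue
            # Only members that passed the size checks are inflated, and even then
            # the read is bounded by the declared size plus one byte rather than
            # trusting the header outright.
            try:
                with zf.open(info) as fh:
                    member = fh.read(info.file_size + 1)
            except zipfile.BadZipFile:
                findings.append((path, "corrupt member"))
                return findings
            if looks_like_pe(member):
                findings.append((path, "executable (MZ header)"))
            elif is_zip(member):
                findings.extend(inspect(member, path, depth + 1, budget))
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory deflated zip from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples standing in for the attachments discussed in the thread.
    fake_exe = b"MZ" + b"\x90" * 64
    nested = make_zip({"readme.txt": b"hello"})
    for level in ("l3.zip", "l2.zip", "l1.zip"):
        nested = make_zip({level: nested})
    samples = {
        "exe inside zip": make_zip({"joke.exe": fake_exe}),
        "exe renamed to .zip": fake_exe,
        "highly compressible member": make_zip({"zeros.bin": b"\x00" * 1_000_000}),
        "four levels of nesting": nested,
        "ordinary attachment": make_zip({"report.txt": b"quarterly numbers"}),
    }
    for label, blob in samples.items():
        print(f"{label}: {inspect(blob) or 'clean'}")
```

Note that the ratio and budget checks use header fields, so a sender who lies in the header is caught by the bounded read rather than by the arithmetic; a scanner that inflates first and checks afterwards is exactly the kind that a 100 Kb archive can take down.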

Re:Zip Files

barbie on 2003-06-28T00:36:50

What kind of crappy software doesn't look inside container files for viruses.

The kind that isn't written in Perl and can't use Archive::Zip, Archive::Tar, etc to interrogate the contents, perhaps? I'm not exactly sure how the MessageLabs product does it, but to date it has stopped every unknown virus in the wild that it's come across, including the attempts to hide inside multi-zipped files or the latest 3 level extensions.

It's pretty cool to be considered one of the top anti-virus companies in the world and to know the products (well the big two) are written in Perl ;)

Re:Zip Files

nik on 2003-07-03T08:35:25

What kind of crappy software doesn't look inside container files for viruses? Even the abominable mailsweeper, which I thoroughly despise, handles this.

More likely is that their AV vendor hadn't released updates to catch the virus by this point. And given that the vendors couldn't agree on what was the definitive list of .zip files that were likely to contain the virus, blocking all .zips isn't too bad an idea, at least until you're sure that the AV software is sufficiently up to date.

N