ScriptKiddie: Someone who uses malicious code written by someone else, without understanding what it does or how it works.
Vast quantities of people are coming to this page from Google, looking for Klez removal tools. Teeming hordes of lost souls...
...I feel your pain. Go [here].
MoonShadow suggests that this page be used for links to things that the average toothycat.net user (i.e. not a computer geek) ought to be worried about. He reckons the reason most people don't read BugTraq is that there is little posted that is of relevance to the average wintel home user - they don't care about Linux boxen or Cisco routers. Therefore MoonShadow will repost just the most relevant stuff here - MSIE, Outlook and common Windows-based utilities only, client rather than server software, and only those vulnerabilities which permit arbitrary code execution (most people don't care enough about DoS to upgrade).
Making stuff almost secure
- (This ought to be said, although this page is aimed at those that can't or won't use non-MS products, can't get a firewall, and have virus scanners which they update about as often as they make backups (heh). People who don't fit into this classification, see this note): Don't use Outlook. Don't use Internet Explorer. Do use a firewall. Do use a virus scanner. Those four steps will secure you against 99% of the nasties lurking out there. Keep your virus scanner up to date.
- AVG needs a manual update to version Free 7, or updates stop come the New Year. Consider yourselves warned. --Vitenka
- If you have to use a Microsoft mail client, use Microsoft Outlook in preference to Microsoft Outlook Express (IMHO) - it's easier to make safe -- Senji
- Really? I will admit I despise Microsoft Outlook with a passion and will probably stick with Microsoft Outlook Express anyway, but what do you mean by easier to make safe? - Kazuhiko
Making stuff less insecure
- Download all the critical updates for MSIE and Microsoft Outlook (go to http://www.windowsupdate.com). It doesn't take very long. Windows may even prompt you to do so every so often; most people don't bother because the dialogue box invariably pops up when they are in the middle of doing something interesting and they regard it as an annoyance. So do it now - it's less boring than this paragraph.
- Below is a list of commonly used software along with the earliest version which doesn't actively have exploits around for it that script kiddies can get their paws on. Usually, clicking on "Help.. About" (exact wording may vary - "about this software", etc.) will tell you the version of the software you are using.
...currently doing the rounds
- [W32.Sobig.B@mm] - this pretends to be a security update from Microsoft. Apparently it's been spreading quite rapidly recently. Don't open the attachment. Microsoft don't send out unsolicited patches by email.
- [W32/Ganda-A] - scarily tempting message bodies. I can see myself wanting to look at the attachment if I get one of these.. ^^;
- MoonShadow received a copy of [bugbear] in the mail this morning. This implies that someone who knows MoonShadow's email address is infected; MoonShadow can't tell who since the virus fakes the From: headers.
Here's the mail I got (minus the attachment). The body looks like it came from genuine correspondence, too.
- The only thing I know to narrow it down is that the faked from address is also part of the victim's address book. Not much help, I will admit - Kazuhiko
Received: from artibus.admin.cam.ac.uk ([184.108.40.206]) by lucien with esmtp (Exim 3.12 #1 (Debian)) id 18nuzw-000571-00 for <firstname.lastname@example.org>; Wed, 26 Feb 2003 06:24:56 +0000
Received: from mail18.svr.pol.co.uk ([220.127.116.11]) by artibus.admin.cam.ac.uk with esmtp (Exim 3.14 #2) id 18nv4d-0004gh-00; Wed, 26 Feb 2003 06:29:47 +0000
Received: from modem-194.ohio.dialup.pol.co.uk ([18.104.22.168] helo=percicom) by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1) id 18nmc6-0007pA-00; Tue, 25 Feb 2003 21:27:47 +0000
From: "Rob Percival" <email@example.com>
Subject: Re: House
Content-Type: multipart/mixed; boundary="----------WYWSBBKOICRU7S"
Date: Tue, 25 Feb 2003 21:27:47 +0000
X-FetchYahoo: version 2.4.3 MsgId 6426_254849_9538_1235_52066_0_4392_69182_440878785
Yep, I agree - the piggy bank thing sounds smashing. As long as we get a
real pig shaped thing. I should be able to bring a bean bag and maybe a big
bit of tarpaulin (if anyone else has got this could you bring it?). Oh, and
we need a phone...
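The headers above are the useful part of that mail. The From: line is whatever the worm chose to write, but each relay prepends its own Received: line, so reading those from the bottom up gives the path the message actually took and the host that first handed it in. The following is an added example (not part of the wiki page or of any tool mentioned on it) that walks the Received: chain of the mail quoted above; the message text is copied from the page as it appears (the IPs and addresses look archive-scrubbed), and the regex assumes the Exim "from X ([ip] helo=Y) by Z" style used in those lines.

```python
import email
import email.utils
import re

# Constructed from the Bugbear mail quoted on the page (Content-Type line
# omitted so the stub body parses as plain text). The bracketed IPs and the
# addresses are as they appear on the page and look archive-scrubbed.
RAW_MAIL = """\
Received: from artibus.admin.cam.ac.uk ([184.108.40.206]) by lucien with esmtp (Exim 3.12 #1 (Debian)) id 18nuzw-000571-00 for <firstname.lastname@example.org>; Wed, 26 Feb 2003 06:24:56 +0000
Received: from mail18.svr.pol.co.uk ([220.127.116.11]) by artibus.admin.cam.ac.uk with esmtp (Exim 3.14 #2) id 18nv4d-0004gh-00; Wed, 26 Feb 2003 06:29:47 +0000
Received: from modem-194.ohio.dialup.pol.co.uk ([18.104.22.168] helo=percicom) by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1) id 18nmc6-0007pA-00; Tue, 25 Feb 2003 21:27:47 +0000
From: "Rob Percival" <email@example.com>
Subject: Re: House
Date: Tue, 25 Feb 2003 21:27:47 +0000

Yep, I agree - the piggy bank thing sounds smashing.
"""

# One Received: clause in the Exim style used above:
#   from <name> ([<ip>] helo=<claimed name>) by <relay> ...
# The <ip> is what the relay saw on the socket; <name> and helo= are what
# the connecting host claimed (or what reverse DNS said about it).
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(\[?(?P<ip>[\d.]+)\]?(?:\s+helo=(?P<helo>\S+))?\))?"
    r".*?\sby\s+(?P<by>\S+)",
    re.S,
)


def parse_hops(raw):
    """Return relay hops in chronological order (origin first).

    Every MTA prepends its own Received: line, so the header block reads
    newest-first; reversing it gives the path the message actually took.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return list(reversed(hops))


def origin(raw):
    """The earliest hop: the host that handed the mail to the first relay.

    Lines below the first relay you trust could have been written by the
    sender itself. Here the bottom line was written by the ISP relay
    (mail18.svr.pol.co.uk), so it is exactly as trustworthy as that relay.
    """
    hops = parse_hops(raw)
    return hops[0] if hops else None


def claimed_sender(raw):
    """The From: address, which is plain data chosen by whoever sent it."""
    msg = email.message_from_string(raw)
    return email.utils.parseaddr(msg["From"])[1]


def from_domain_appears_in_chain(raw):
    """Heuristic: does the From: domain show up on any relay in the chain?

    A forged From: (as Bugbear writes) usually names a domain that never
    touched the message; a genuine one normally enters via that domain's
    own mail servers. Not proof either way, just a quick sanity check.
    """
    domain = claimed_sender(raw).rsplit("@", 1)[-1].lower()
    return any(
        domain in (h["from"] or "").lower() or domain in (h["by"] or "").lower()
        for h in parse_hops(raw)
    )


if __name__ == "__main__":
    for i, h in enumerate(parse_hops(RAW_MAIL), 1):
        print(f"hop {i}: {h['from']} [{h['ip']}] helo={h['helo']} -> {h['by']}")
    print("claimed sender:", claimed_sender(RAW_MAIL))
    print("origin:", origin(RAW_MAIL)["from"], "helo", origin(RAW_MAIL)["helo"])
    print("From: domain seen in chain:", from_domain_appears_in_chain(RAW_MAIL))
```

Run as-is it reports the origin as a dial-up host (modem-194.ohio.dialup.pol.co.uk) announcing itself as "percicom", which is about all you can learn about the infected machine from the headers: enough to tell the ISP, not enough to name the victim, which is exactly the problem MoonShadow describes.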
- [yaha] - some of the messages it can generate are very plausible and look like things you might want to run!
If you use PuTTY, and you're not using PuTTY version 0.53b(November 2002), you should think about [downloading] the latest version.
There is a vulnerability that lets a malicious server run arbitrary code; an exploit (source code for such a malicious server, in fact) got posted to Bugtraq in the last day or two, so the script kiddies will be out in force.
This is actually not too urgent - if you only ssh to Hermes and toothycat.net you'll be fine (so long as you trust me not to want to poke around your machine, that is. muhaha.) But if you decide to connect to somewhere controlled by random people you don't really know and/or trust (eggham hills, say, or MUDs, or the ASCII art Star Wars server, or one of Rob's machines or whatever ;) ) you should use the latest version.
- Actually, it's not that simple, thanks to the DNS. Anyone you trust to provide you DNS can use a man-in-the-middle style attack to exploit these bugs by pretending to be the server you're trying to contact, as (potentially) can anyone who can sniff the DNS packets you send out (by sending faked DNS replies). -- Senji. I strongly urge all users of PuTTY to upgrade.
Note to geeks
(someone refactor if the rant below is too warlike..)
In MoonShadow's experience, telling people not to use MS stuff generally has the opposite effect. MoonShadow used to do that, then realised that to everyone else he must sound like one of those street preachers that attack you near MarketSquare by hitting you with a large sign saying "The End Is Nigh" or some such until you agree to memorise their literature, put on sackcloth and ashes and join them on the street corner with a sign of your own. In MoonShadow's experience, though, once people have been infected with a Klez or two they are quite willing to listen to advice about how to close some of the bigger holes in MS stuff, so long as the relevant incantations don't take too long to do and they don't have to do them too often. Which is a really good thing. If Linux-based (substitute OS of choice, browser of choice, mail client of choice or whatever) holes got the sort of attention that Windows-based (MSIE, Outlook) ones do, things like Slapper would be a lot more common; and if we convinced everyone to shift to Linux (...), holes in (...) would get that attention. Far better, in MoonShadow's opinion, if everyone learns to patch up the stuff they do use (and then maybe think about whether they want to carry on using it or not) than if everyone switches to something different and (thinking they're safe because it's not Windows, MSIE, Outlook, whatever) doesn't patch that up either.
Students don't generally buy their own computer junk. Few can afford an up-to-date virus checker (yes, having one by choice does, sadly, make you a geek; most people have one that's hopelessly out of date, for much the same reasons that most people don't download security patches without prompting from other humans) or a NAT firewall (£60-£80 is 2-3 weeks of student food! I'm talking about people who find the thought of putting a Linux box together from scrap for the purpose about as appealing as a sysadmin finds the thought of removing an average Outlook worm from every machine in the office; which is understandable).
Emperor dons his Selwyn College Computer Support hat, and points out that people still within cam.ac.uk can get an up-to-date virus checker for free (and should probably do so).
MoonShadow does understand the "Yuck! Don't-use-that!" sentiment, but feels it is an unproductive one.
- After getting stung by a 'day of release' email worm (a Klez variant which autoran) on lookout - which was running fully patched on a fully patched OS with the virus scanner update coming in just hours too late... I finally switched. Previously I was 'eh, I can keep Outlook safe'. You can't. It is impossible. There is NO excuse to continue using that product. And since Opera is a far better browser (and a sufficiently good email and news client), a lot of people will switch to it on its merits. Shamefully, many worms now are parasitical but do NOT kill the host. Which will make it harder to convince people to switch. (Why do I care that I'm sending out a thousand spam emails a day? It doesn't hurt *me*. Can you help me clear all this spam out of my inbox?) Switching is not counterproductive. Show people a pop-up free browser that can turn flash animation on and off with a press of a key. The fact that it happens to be immune to script virii is just a bonus.
- MoonShadow: All software is buggy. (Google: "eudora greymagic", "opera greymagic", "opera sandblad".) You were unlucky. The same situation can occur whatever vector the virus uses to spread - what got you was the fact that it took a nonzero amount of time to produce the virus scanner update. Virus authors want to maximise the effect of the virus, so they target the most commonly used software. A widespread change of software, therefore, will merely serve to shift their attention. What is needed is not software advocacy, but a sense of responsibility. Virii are, sadly, a fact of life. The more people download virus updates as soon as they are available, the more people know not to run random poo they get sent, the shorter the lifespan of a virus. I'm not saying people shouldn't change from MS software; I'm saying that changing from MS software is woefully insufficient as a means of protecting against virii and ScriptKiddies, and using your computer responsibly is far more important. In fact, you've said so yourself: "Why do I care that I'm sending out a thousand spam emails a day?" If I have that attitude, changing from MS software because X pestered me to won't stop me wreaking havoc. We should be looking to change people's attitude first. And that is best done by concrete examples of holes, effects and remedies. You presumably had experiences that hammered into you the advisability of patching and virus scanning; your statement above certainly implies you went through a period of disillusion with Outlook before you made the decision to shift. I am arguing that unless people have those experiences, or can clearly see concrete examples of danger, they will take no action.
- Does any of that make sense?
- Sure it does. But changing someone's habits is hard, while forcing them to change their browser is easier. You have somewhat missed my initial point though (whilst raising an interesting point of your own). My initial point was that for YEARS I was being met with incredulous stares when I confessed to using Outlook. My explanation: "It is simply the best client out there, and I can keep on top of the bugs". The problem is that you can't keep on top of the bugs, it has so damn many. All software has some, yes - but IE seems to have far more than its fair share. And executing code in email is just a dumb idea, even if it DID manage to restrict it to only 'safe' operations. Eventually, despite the best vigilance possible, I got stung and finally acted on my "Homogeneous environment is bad" instinct. Which is the answer to your 'if everyone switched' argument. If everyone switched to a different (buggy) set of programs then mass worms would have an incredibly hard time propagating.
- A 'homogeneous environment', on the other hand, has a lot of very obvious advantages (people need to learn to use only one system and can then use any; there's much more experience out there to ask if you have problems, and they're likely to be closer, than if everyone uses their own; security holes once found need only be fixed once and distributed rather than each programming team having to do it; easier interoperability above the lowest common denominator of standards support; etc etc) that shouldn't be dismissed. There is a good case that these, especially the arguments about ease-of-use which is, after all, the most important aspect of a computer for the vast majority of the human race forced to interact with one on a daily or even occasional basis, outweigh any non-bug-spreading considerations, especially if the homogeneous environment in question is not utterly riddled with security problems. In other words, while a particular homogeneous environment might be bad, as a general principle homogeneity is a good one.
- (Perhaps this bit should be moved to a separate HomogeneousComputingEnvironment page.) A homogeneous environment does have obvious interoperability benefits but I think it also contradicts innovation - for instance if everyone uses Netscape's web browser (as was the case for a while) then Netscape have, whether they wanted it or not and whether or not they are suited to it, an effective lock on innovation on the web. Better, rather, to agree the interfaces between bits of software, so that many different implementations of web browsers, mail clients, spreadsheets, etc, can interoperate effectively. The best might "win" - or different users might find that different implementations of the same idea appeal to them, leading to a diverse software base forever.
- The security benefits of a diverse installed base are possible to overplay, too. UNIX users can be affected by Windows security holes not because they are directly attacked but because bits of the internet fail to keep up with the load (as for instance with that UDP-based worm attacking the MS SQL server); Windows users can be affected by UNIX security holes if someone cracks a web server that they then enter their credit card details into (can't think of a specific example but there is bound to be one). I don't see any reason to believe that this is a peculiarity of the current world rather than a general problem.
- looks like one to me