
July 18, 2006

Spoofed
Posted by Teresa at 02:47 PM * 75 comments

You know those computer viruses that take over a machine, then send out email with spoofed “from” addresses they’ve lifted from the owner’s address book? Somewhere out there is an infected computer whose owner’s address book has me in it. I’ve been getting reports of large numbers of forged emails going out with my name on them. They have suspicious attachments. Don’t open them.

Further: The bug in question is called the W32.Nyxem.D Worm. Here’s one description:

This worm spreads by internet and contains one dangerous payload action—every 3rd day of the month the worm overwrites files with doc, xls, mdb, mde, ppt, pps, zip, rar, pdf, psd and dmp extensions.

Click on the link for more detailed information:

W32.Nyxem.D is a mass-mailing worm that attempts to spread through network shares and lower security settings. …

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.

Payload:

1. Turns off anti-virus applications
2. Sends itself to email addresses found on the infected computer
3. Deletes files off the computer
4. Forges the sender’s email address
5. Uses its own emailing engine
6. Downloads code from the internet
7. Reduces system security
8. Installs itself in the Registry

In short, it’s yet another bug that exploits bleeping Windows’ bleeping vulnerabilities. It’s well worth avoiding.
Comments on Spoofed:
#1 ::: xeger ::: (view all by) ::: July 18, 2006, 03:39 PM:

My empathies on being joe jobbed. It sucks.

#2 ::: Laurie Mann ::: (view all by) ::: July 18, 2006, 03:40 PM:

Oh, the joy of Outlook! I believe that's still the only software that lets hackers do that...

#3 ::: Edward Oleander ::: (view all by) ::: July 18, 2006, 03:51 PM:

So who did I just send my life savings and the title to my car to?

#4 ::: Harry Connolly ::: (view all by) ::: July 18, 2006, 04:05 PM:

Who did I just send a copy of my Spacewrecked-Adam-and-Eve story to?

#5 ::: Sean Bosker ::: (view all by) ::: July 18, 2006, 04:41 PM:

"Who did I just send a copy of my Spacewrecked-Adam-and-Eve story to?"

Hey, that's my idea!

#6 ::: murgatroyd ::: (view all by) ::: July 18, 2006, 04:45 PM:

Well, it wasn't me -- I have a Mac at home and we use Lotus Notes mail on PC at work, and believe me, *nobody* cares enough to hack into Notes mail.

We also have Norton antivirus, and it's installed so that every time I open a Word document it scans for a virus even if it's a file I just opened 5 minutes ago.

This ranks right up there with seven levels of safety packaging on the bottle of vitamin C in terms of frustration.

#7 ::: TomB ::: (view all by) ::: July 18, 2006, 04:50 PM:

I got 21 messages from "tnh" starting yesterday. More might have been blocked by my ISP's spam filters. I looked at one of the attachments and it's got the classic "This program cannot be run in DOS mode." string near the front. No worries in my case because I'm on a Mac. The one with the subject "Fwd: Crazy illegal Sex!" looked possibly interesting, but if they just want to have illegal sex with my computer then never mind.

#8 ::: Jarsto ::: (view all by) ::: July 18, 2006, 05:03 PM:

I once received spam (though not a virus) that actually listed my own e-mail address as the sender, and also as one of about twenty recipients. For a moment I was tempted to file a complaint against me with my own ISP just to see what would happen.

#9 ::: Jeffrey Smith ::: (view all by) ::: July 18, 2006, 05:22 PM:

I got one of those last week. All I could do was stare at the screen and say, "That's just not right!"

#10 ::: E-mart ::: (view all by) ::: July 18, 2006, 05:27 PM:

If the email address is "tnh@panix.com", then the virus might have just culled it from the cache of someone who visited the Making Light homepage, not necessarily someone with your address in their address book.

#11 ::: Lizzy L ::: (view all by) ::: July 18, 2006, 05:33 PM:

As Nero Wolfe would say, "Pfui!" Stupid Stuff to do with computers...

#12 ::: abi ::: (view all by) ::: July 18, 2006, 05:36 PM:

"Who did I just send a copy of my Spacewrecked-Adam-and-Eve story to?"

Hey, that's my idea!

Who did I send my telepathic aliens on the internet stole my spacewrecked-Adam-and-Eve story idea to?

#13 ::: Christopher B. Wright ::: (view all by) ::: July 18, 2006, 05:53 PM:

The ones I hate are when someone sends me suspicious looking files with *my* email address in the header.

#14 ::: nalo ::: (view all by) ::: July 18, 2006, 06:44 PM:

Yes, I got a ton of these yesterday from your imposter. Deleted them all unopened.

#15 ::: Kip W ::: (view all by) ::: July 18, 2006, 07:03 PM:

Oh, sure, promise me US$13M and then as soon as you have my bank info, it's all a "hoax" and "someone else" is using your name.

Won't get fooled again!

#16 ::: Annalee Flower Horne ::: (view all by) ::: July 18, 2006, 07:32 PM:

ick, that sucks.

Stupid Outlook. You'd think the bad PR that comes from every single virus on the web exploiting the program would have made a dent in its ubiquity by now.

#17 ::: Randolph Fritz ::: (view all by) ::: July 18, 2006, 07:49 PM:

Nah; the ubiquity of MS Windows is positive proof of the stupidity of business management.

...still waiting for Plan 9 to succeed, here.

#18 ::: Stefan Jones ::: (view all by) ::: July 18, 2006, 07:51 PM:

We use a variant of Plan 9 on our video servers.

It is imaginatively named "Transit."

#19 ::: Seth Breidbart ::: (view all by) ::: July 18, 2006, 09:06 PM:

xeger, that isn't a joe job. A joe job is intentional targeting of the forgery victim. This is just a virus forging an arbitrary email address in the hopes that the recipient will recognize it and open the message.

#20 ::: John M. Ford ::: (view all by) ::: July 18, 2006, 09:23 PM:

"Plan 9? Ah, yes, Plan 9 involves me forgetting my line and picking up my conveniently placed script for a cue. And while these Earth people are, as you will say in twenty more pages, idiots, their carbon-based-paper and stapling technology is far in advance of our own."

#21 ::: Ayse ::: (view all by) ::: July 19, 2006, 01:02 AM:

I always wonder how many people those scams catch. I never see them unless I'm slumming in the spam filter looking for good lines of poetry. At this point I've stopped reading any e-mail, statistically speaking: I read less than .01% of e-mail that arrives at the server addressed to me.

I no longer answer the phone, either, because even if it rings it is spam, and I have no adequate filters for spam on the phone (being unwilling to pay for caller ID).

The mail carrier keeps deciding I have moved out and for reasons unknown to me refuses to deliver mail addressed to me at my alleged home address.

As far as I can tell, technology and infrastructure improvements have made me as hard to get hold of as my 18th century ancestors who spent most of their time at sea.

(Except, of course, none of them had a cell phone and wireless internet everywhere they go. But still.)

#22 ::: Simon Haynes ::: (view all by) ::: July 19, 2006, 06:31 AM:

It's bad enough someone using your email, but I had someone report one of my software programs as a virus. (It was just a false positive.) Next thing you know a bunch of people are writing to ask why I'm hacking their machines.

#23 ::: Bryan ::: (view all by) ::: July 19, 2006, 07:13 AM:

Spacewrecked'em, hell space damn near destroyed 'em.

#24 ::: John Hawkes-Reed ::: (view all by) ::: July 19, 2006, 08:58 AM:

If anyone's been in receipt of a handful of the bogus emails, it might be worth grovelling through the headers to see if there's a common source.

A while ago, I was slightly troubled by a spate of virus-ridden mail from a handful of addresses. Five minutes digging showed a common source, and that together with some educated guessing on who else might be in someone's address-book led pretty quickly to the poor unfortunate with the festering computer.

(Ok, so I cheated a bit and posted to LJ along the lines of 'Is this your ISP? Are these people in your address-book? If so, your A-V is out of date')

#25 ::: John Stanning ::: (view all by) ::: July 19, 2006, 09:00 AM:

It's depressing that after all the publicity about viruses, there are still people dumb enough to run a PC without working, current anti-virus. Nyxem.D is six months old and should be picked up by every AV software with even moderately recently updated patterns.

This virus is *stupid*. It sent me not just one, but *twenty* messages from "tnh", all at the same time, with unlikely subjects; that ought to make anyone suspicious (not the tnh-ness of them, I mean, but the multiplicity and improbability).

By the way, I don't think I have the honour of being in the address book of any of tnh's correspondents (AFAIK). Therefore, the virus is probably using victim addresses culled from this blog.

#26 ::: Suzanne ::: (view all by) ::: July 19, 2006, 09:06 AM:

Not really you? Does that mean you don't want my decology "The Passion of Mary-Sue" after all?

Drat!

#27 ::: Giacomo ::: (view all by) ::: July 19, 2006, 09:08 AM:

In all this, it makes me sad to note that Outlook is still the best PIM program around.

Thunderbird is fine for "just email", but for everything else it falls horribly short, even with several extensions (this sentence is strangely and accidentally appropriate on several levels). Lotus Notes is a slow elephant, best-suited for managing distributed databases. Evolution on linux is, well, don't let me start. Kontact (linux/KDE) is getting there but the developers work with very limited resources.

So at the office we are still stuck with Outlook, and every day a new crack comes around...

#28 ::: Scorpio ::: (view all by) ::: July 19, 2006, 09:14 AM:

I am on the verge of trying to use Linux -- although I have only been hit by one small virus that had almost no consequences about 5 years ago.

One more thing John Brunner came very close to describing.

#29 ::: John Stanning ::: (view all by) ::: July 19, 2006, 09:24 AM:

John Hawkes-Reed: I think this one may be less traceable. All my messages apparently came from a machine named "sat-eb6dqyeu7zs", with IP address 62.12.102.18 which seems to belong to a network in Egypt. Quite likely that's spoofed too.

#30 ::: JulieB ::: (view all by) ::: July 19, 2006, 09:31 AM:

I got hit with another joe job yesterday. The originating IP was - surprise! - at AOL.

#31 ::: Kip W ::: (view all by) ::: July 19, 2006, 09:31 AM:

What an insidious virus that would be, if it just went out under a publisher's name and said, "We want your manuscript." How many do you suppose would respond to that at velocities normally only approached by certain tiny particles?

And it would be worse, in many cases, if it actually published them.

#32 ::: Fragano Ledgister ::: (view all by) ::: July 19, 2006, 09:34 AM:

My sympathies, TNH. I just had my credit card cloned (I suspect because someone was snooping on my brother's wireless connection). Definitely not fun.

#33 ::: Greg London ::: (view all by) ::: July 19, 2006, 10:26 AM:

I am getting so sick of these insecurities. I think my next computer will be a Mac. The mac-pc ads by Apple going around lately have been hilarious and effective in getting me to consider their brand. I will still need to figure out how to run Linux. Probably will just keep my old dual boot PC/Linux box and use it for Linux stuff and for the odd occasion that I need windows.

#34 ::: Mike Kozlowski ::: (view all by) ::: July 19, 2006, 10:33 AM:

Why are people blaming Outlook and Windows? This has nothing to do with Outlook (it uses its own SMTP engine), and -- as far as I can tell -- doesn't exploit any Windows vulnerabilities. It appears to require people to run attachments from email -- attachments, incidentally, that Outlook 2003 won't even allow you to run (as it blocks .pif attachments).

From what I'm seeing, it'd be virtually impossible for a person running modern Microsoft software to be infected without really trying.

#35 ::: John Hawkes-Reed ::: (view all by) ::: July 19, 2006, 10:43 AM:

John Stanning: Bother. It wouldn't surprise me if yon virus forged the first one or two Received: lines, which probably meanders into Advanced Email Divination and away from the scope of this rather compact text-box.

Hey, and indeed, ho.
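John Hawkes-Reed's suggestion of grovelling through the headers for a common source, together with the caveat in #29 and #35 that the lowest Received: lines may be forged by the worm's own SMTP engine, can be turned into a small triage script. The following is an added example, not code from the post or from any of the commenters. It parses constructed sample headers (the hostnames, relay names and IPs are assumptions, using documentation address ranges), walks each Received: chain from the top, and trusts only the hops stamped "by" a relay you control (the assumed TRUSTED_RELAYS set), so the address it reports is the one that actually connected to your own server rather than anything the sender wrote into the message.

```python
import re
from collections import Counter
from email import message_from_string

# Assumed set of relays we operate. Only Received: lines stamped "by" one of
# these are trusted; everything beneath them was supplied by the sender and
# may be forged, exactly as comment #35 suspects.
TRUSTED_RELAYS = {"inbox.example.org", "mx1.example.org"}

RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample messages (not real mail). Received: lines are newest-first,
# as servers prepend them; the bottom line of the first two is the kind of hop
# a worm's own mailing engine might invent.
SAMPLES = [
    """Received: from mx1.example.org (mx1.example.org [192.0.2.10])
 by inbox.example.org with ESMTP id 1; Tue, 18 Jul 2006 14:02:11 -0400
Received: from sat-eb6dqyeu7zs (unknown [198.51.100.7])
 by mx1.example.org with SMTP id 2; Tue, 18 Jul 2006 14:02:09 -0400
Received: from relay.forged.invalid ([203.0.113.99])
 by sat-eb6dqyeu7zs with SMTP; Tue, 18 Jul 2006 14:02:08 -0400
From: tnh@example.org
Subject: Fwd: Crazy illegal Sex!

constructed body
""",
    """Received: from mx1.example.org (mx1.example.org [192.0.2.10])
 by inbox.example.org with ESMTP id 3; Tue, 18 Jul 2006 16:40:02 -0400
Received: from sat-eb6dqyeu7zs (unknown [198.51.100.7])
 by mx1.example.org with SMTP id 4; Tue, 18 Jul 2006 16:40:00 -0400
Received: from mail.somewhere.invalid ([203.0.113.42])
 by sat-eb6dqyeu7zs with SMTP; Tue, 18 Jul 2006 16:39:59 -0400
From: tnh@example.org
Subject: Re: your manuscript

constructed body
""",
    """Received: from mx1.example.org (mx1.example.org [192.0.2.10])
 by inbox.example.org with ESMTP id 5; Wed, 19 Jul 2006 09:01:30 -0400
Received: from dsl-customer.invalid (unknown [203.0.113.5])
 by mx1.example.org with SMTP id 6; Wed, 19 Jul 2006 09:01:28 -0400
From: tnh@example.org
Subject: Hello

constructed body
""",
]


def received_hops(raw):
    """Return [(by_host, from_ip), ...] for each Received: line, newest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        by = RECEIVED_BY.search(flat)
        # The connecting address is the bracketed IP in the "from" clause,
        # i.e. before the "by" keyword.
        ip = BRACKET_IP.search(flat[: by.start()] if by else flat)
        hops.append((by.group(1).lower() if by else None,
                     ip.group(1) if ip else None))
    return hops


def originating_ip(raw, trusted=TRUSTED_RELAYS):
    """IP that handed the message to the outermost relay we control, or None.

    Walks newest-first and stops at the first hop not stamped by a trusted
    relay, so forged lines added by the sender are never consulted."""
    boundary = None
    for by_host, from_ip in received_hops(raw):
        if by_host not in trusted:
            break
        if from_ip is not None:
            boundary = from_ip
    return boundary


def common_sources(raws, trusted=TRUSTED_RELAYS):
    """Count originating IPs across a batch of suspect messages."""
    return Counter(ip for ip in (originating_ip(r, trusted) for r in raws) if ip)


if __name__ == "__main__":
    for ip, n in common_sources(SAMPLES).most_common():
        print(f"{ip}: {n} message(s)")
```

Run on the three constructed samples it reports 198.51.100.7 twice and 203.0.113.5 once; the 203.0.113.99 and 203.0.113.42 addresses in the forged inner hops never appear, because the walk stops as soon as a hop was stamped by a host outside TRUSTED_RELAYS. The address it does report is the one worth passing to that network's abuse contact, with the usual reservation that it may itself be a NAT gateway or a compromised relay.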

#36 ::: Leslie B ::: (view all by) ::: July 19, 2006, 10:43 AM:

*coughs*

Because somebody has to do it -

http://www.ctrlaltdel-online.com/comic.php?d=20060513

#37 ::: theophylact ::: (view all by) ::: July 19, 2006, 10:56 AM:

The ones I hate are when someone sends me suspicious looking files with *my* email address in the header.

My e-mail client, Mozilla Thunderbird, automatically directs those to my junk folder, so when I actually send myself mail from my office to my home, I have to remember to look for it in "Junk".

#38 ::: Terry Karney ::: (view all by) ::: July 19, 2006, 11:08 AM:

I've avoided about 30 submissions from it. They are all from TNH, and they looked a tad suspicious, so I didn't even open them, much less any attachments.

TK

#39 ::: Randolph Fritz ::: (view all by) ::: July 19, 2006, 11:12 AM:

Mike, what are you talking about? Windows comes from the factory with some settings open and every month or two a new security, ah, "feature" is discovered. Normal users run as administrator (this may change in Vista), so any malware one accidentally runs has the full run of the machine. The MS Office suite will happily run scripts from any files they are given without a second thought or any sandboxing, meaning that opening any mail attachment makes you vulnerable--surely two clicks in error ought not be disaster?

Feh. The solutions to these problems were all known at least 25 years ago. But MS sells the ability to remotely control their systems to developers, that's why the Office suite will automatically run scripts. MS also wants to be able to nose through systems for DRM purposes, and they sell that, too. Besides, securing Windows would cost, and cut into the revenue of the anti-virus software vendors. The back doors in Windows and the Office suite are there for reasons, and I don't see MS ever closing them entirely--they like them too much.

#40 ::: Scott H ::: (view all by) ::: July 19, 2006, 12:22 PM:

"Why are people blaming Outlook and Windows?"

Because it's easy, fun, and stands a good chance of being the correct root cause of any problem.

Scott H, M.C.S.E.

#41 ::: Xopher ::: (view all by) ::: July 19, 2006, 12:48 PM:

Just read the addendum. Shit! Does this damn thing infect you only if you open an attachment?

#42 ::: C.E. Petit ::: (view all by) ::: July 19, 2006, 12:49 PM:

Kip W asked:
What an insidious virus that would be, if it just went out under a publisher's name and said, "We want your manuscript." How many do you suppose would respond to that at velocities normally only approached by certain tiny particles?

Ever been to PublishAm3rica's website? Or read Atlanta Nights?

#43 ::: Jules ::: (view all by) ::: July 19, 2006, 12:53 PM:

Mike, what are you talking about? Windows comes from the factory with some settings open and every month or two a new security, ah, "feature" is discovered.

That may be true. This particular worm, however, is just one of the old-fashioned 'lets attach an executable program to an e-mail and rely on user stupidity to get it to run' ones.

AFAIK, there hasn't been an automatic execution of e-mail content bug found for a few years now. Almost everything recent requires user interaction in some form at least.

Normal users run as administrator (this may change in Vista), so any malware one accidentally runs has the full run of the machine.

Not true. When I set up users on my XP Pro machine, the setup program made the first one an administrator and the rest were not automatically admin users.

The MS Office suite will happily run scripts from any files they are given without a second thought or any sandboxing, meaning that opening any mail attachment makes you vulnerable--surely two clicks in error ought not be disaster?

When I've tried to do this in Office97, I always get a message that says something like "The document you are opening contains macros ... blah ... danger of nasty things happening if you say yes ... Do you want to run them?". And besides, if you can get enough people to open executable attachments to build your botnet, why would you bother with such elaborate techniques as using attacks hidden in documents? You want the idiots' machines more, because they're less likely to notice what you're doing.

Yes, MS software is buggy and insecure. But other people's software is also buggy and insecure. The biggest difference is that there are more idiots using MS software.

#44 ::: Christopher Davis ::: (view all by) ::: July 19, 2006, 01:37 PM:

Some of these may have arrived at my mail server, but I wouldn't have seen them. Since I run my own server, I just set up the mail filters to discard any exe/com/bat/pif/scr files and save CPU by not needing to run a virus checker on the messages....

#45 ::: Lenny Bailes ::: (view all by) ::: July 19, 2006, 03:26 PM:

I don't want to brand myself with a "Microsoft Fellow Traveler" sticker on my virtual forehead, but Randolph's information is a little bit old. Copies of Windows XP shipped by OEM vendors, such as Dell and HP, come with Service Pack 2 installed and the software firewall pre-enabled.

A default installation of Microsoft Office 2003 sets the Macro security level at "high" for all the applications, including MS Outlook. This blocks most malware targeted at Office applications from running. The Outlook default now prohibits users from opening executable attachments. (You can still open a bogus ZIPfile attachment or HTML script, if your AV software lets you get away with that.) According to the description that Teresa linked to, this particular worm gets activated by someone stupidly opening a strange attachment on a Windows PC that lacks appropriate up-to-date antivirus software. The description doesn't specify whether the activated worm harvests email addresses only from Outlook or by systematic searches of other files on the hard disk.

Randolph's criticism of the default administrator privilege level in Windows XP is valid. But the weakest link in the operating system is still Internet Explorer, which is the gateway of choice for most current Windows malware. My experience is that the built-in Windows firewall, a good free AV utility and use of a properly-configured alternate web browser will now eliminate most malware threats in Windows XP.

Spending an extra $30 for Webroot Spysweeper will even let you continue use of Internet Explorer in relative safety, despite its vulnerabilities. (If you are a Windows user, I can't recommend Spysweeper too highly. In addition to being a preventative agent, it has amazing rescue and cleanup abilities on machines that have already been infected. No reading logs or manual file deletions involved, it just scans and expunges malware, restoring system defaults.)

#46 ::: Lenny Bailes ::: (view all by) ::: July 19, 2006, 03:52 PM:

An afterthought.

Teresa probably knows this and decided it would be an ineffective use of time. But you can sometimes reduce the flow of bogus email messages sent under your name by examining mail headers and alerting administrators of legitimate source domains for the mail servers. (Telephone calls work better than emails to abuse@xxx.net.) I've seen this work when the source is an accidentally-infected computer with an account on a small, responsible ISP. When the real mail server IPs belong to criminals, indifferent large ISPs, or sleazeballs, you can optionally publicize that fact.

#47 ::: Mark DF ::: (view all by) ::: July 19, 2006, 03:52 PM:

Has anyone else received MicroSoft's most recent Windows "update"? It's a little program that does an ID check on registered computer software before it will allow you the pleasure of Windows patches. On the one hand, I kind of understand Microsoft wanting to force unregistered users or pirates to raise their hands. On the other, given the ubiquity of Windows, just how many illegal copies can they possibly be worried about (at least in the US) that I have to show my papers for them to fix their software? I feel like I shouldn't be annoyed about this, but at the same time it feels like the ol' "If you've done nothing wrong, what's yer problem."

I haven't installed it yet, but I know I will be forced to when terrorists try to steal my Spacewrecked Adam-and-Steve-Are-Happy-In-Eden-As-Immortals-Cause-There-Ain't-No-Chicks-Stealing-Apples story.

#48 ::: rhandir ::: (view all by) ::: July 19, 2006, 04:39 PM:

Antivirus tip: AVG is free for personal use, and is less system intensive than Norton.*

Ayse, if you don't pick up your mail daily, some postal delivery people decide that it is an abandoned address. Filing complaints at the local post office fixes this, though catching the mail deliverer is usually simpler. You could experiment with filing a permanent change of address form to your current address.

Giacomo wrote:
So at the office we are still stuck with Outlook, and every day a new crack comes around...
Literally true - there's a fellow releasing exploits at the rate of one a day this month. Hope he only has thirty.

Jules wrote:
AFAIK, there hasn't been an automatic execution of e-mail content bug found for a few years now. Almost everything recent requires user interaction in some form at least.
Not quite true. The WMF vulnerability doesn't necessarily require user intervention - just having a downloaded infected file on your hard disk AND having it scanned by the indexing service or a vulnerable antivirus program is sufficient. That was new in January. (So if you reinstall a computer that was shipped with a windows install from before January '06, you need a copy of the patch for that.)

Christopher Davis wrote
Since I run my own server, I just set up the mail filters to discard any exe/com/bat/pif/scr files and save CPU by not needing to run a virus checker on the messages....
Unless you dump all attachments, this is likely a false savings. The WMF exploit's magic bits can be in any file - windows does not rely on extensions to determine if something is a WMF, it parses the headers, triggering the exploit. Compute cycles are cheap, lost data is expensive.

Lenny Bailes' advice is excellent, particularly the bit about using virtually any other browser than Internet Explorer.

Advice to switch to another operating system is being bandied about. There is no right choice, but Mac OS and Linux are less vulnerable to attacks than XP, and can be better secured without breaking important stuff. If you have a way out, take it.

I have become quite disheartened at the current increase in the number of patches XP requires - I am trapped behind a dialup connection.

-r.


*at least the Norton home version. I'm not as sure about the enterprise version.
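Christopher Davis's extension filter in #44 and rhandir's objection above that Windows identifies a WMF by its header rather than its name are two halves of one check. The following is an added example, not code from either commenter: it builds a constructed message with four attachments and classifies each first by the blocked-extension list quoted in #44, then by leading bytes, using the `MZ` header and the "This program cannot be run in DOS mode." stub TomB noticed in #7 and the placeable-WMF magic number, so that a renamed executable or metafile is caught even when its name looks harmless. The file names, addresses and contents are all constructed; the PE and WMF samples are header fragments only, not working files.

```python
from email.message import EmailMessage

# Extension list quoted from comment #44: the cheap first cut.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "pif", "scr"}

# Content signatures. PE executables start with "MZ" and carry the DOS stub
# string near the front; Aldus placeable WMF files begin with 0x9AC6CDD7 stored
# little-endian. Windows goes by these headers, not by the file name, so the
# filter has to as well.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
WMF_PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"


def classify_attachment(filename, data):
    """Return why an attachment would be dropped, or 'allowed'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "blocked-extension"
    head = data[:512]  # signatures live at the very front of the file
    if head.startswith(PE_MAGIC) or DOS_STUB in head:
        return "blocked-pe-content"
    if head.startswith(WMF_PLACEABLE_MAGIC):
        return "blocked-wmf-content"
    return "allowed"


def scan_message(msg):
    """Classify every attachment of an EmailMessage; returns [(name, verdict)]."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        results.append((name, classify_attachment(name, data)))
    return results


# Constructed samples: a fake PE image (header + stub only) and a fake WMF header.
FAKE_PE = PE_MAGIC + b"\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$"
FAKE_WMF = WMF_PLACEABLE_MAGIC + b"\x00" * 18


def build_sample_message():
    """Constructed message in the style of the forged mail described in the post."""
    msg = EmailMessage()
    msg["From"] = "tnh@example.org"  # forged sender, as in the post
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Fwd: your manuscript"
    msg.set_content("constructed body")
    msg.add_attachment(FAKE_PE, maintype="application", subtype="octet-stream",
                       filename="invoice.pif")        # caught by extension
    msg.add_attachment(FAKE_PE, maintype="image", subtype="jpeg",
                       filename="photo.jpg")          # renamed executable
    msg.add_attachment(FAKE_WMF, maintype="image", subtype="png",
                       filename="cat.png")            # renamed metafile
    msg.add_attachment("Nothing to see here.\n", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name:12s} {verdict}")
```

The extension list alone would pass photo.jpg and cat.png; the header checks are what make the filter honest about rhandir's point. An archive (ZIP) attachment, which Lenny Bailes mentions in #45, is a different problem again, since the signature of interest is inside the container and a filter has to unpack it before it can look.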

#49 ::: Larry Brennan ::: (view all by) ::: July 19, 2006, 04:49 PM:

Ayse - re Phone Spam, you can register your home phone with the National Do Not Call Registry. I used to get a lot of junk calls, now I don't.

YMMV, but I think it's great.

#50 ::: Christopher Davis ::: (view all by) ::: July 19, 2006, 04:58 PM:

rhandir: when Mac OS X or FreeBSD become susceptible to the WMF bug, I'll worry. (There are no Windows machines involved.) The dump-bogus-extensions behavior just keeps the mail spools smaller....

#51 ::: Lucy Kemnitzer ::: (view all by) ::: July 19, 2006, 05:43 PM:

I got that windows "update" and it insists that our windows is pirated. It's not, not really: I mean we paid Microsoft for a new copy when the one that came with the machine, and with no backup disk available or makeable (you could only make a truncated boot disk specific to the one computer), was burnt up when the power supply went amok. But there were installation problems and Microsoft was no help so a clever friend installed a serial number hack for us. There is no way to prove or disprove the truth, though.

So we're ignoring the nagging. We'll deal with it later if they try to melt our computer or something.

#52 ::: rhandir ::: (view all by) ::: July 19, 2006, 05:50 PM:

Christopher Davis,
sorry, that was my bias showing.
You're right, that is an excellent way to trim the size of the mail spool. Thank God for *nix based kernels, and their general lack of undocumented "features."
-r.

#53 ::: Lenny Bailes ::: (view all by) ::: July 19, 2006, 06:01 PM:

In re the Windows WMF vulnerability: it was really an alarming IT concern for about a week. That's about how long it took for all the major Windows antivirus vendors to release updates that detected it. After that, it took Microsoft another few weeks (under community pressure) to release an official Windows update patch (ahead of their normal schedule). Fortunately, the distribution curve for infected WMF files in that first week was so low that there were very few reported incidents of successful attacks. Additionally, news networks and user-geeks spread the word about the WMF exploit all over the Internet within a day or two, thus alerting IT managers of strategies that could be employed to protect business networks.

The comparative safety that Mac and Linux users enjoy, right now, may be due in significant portion to presenting a lower profile for malware designers. Any Mac geek can tell you that there's stuff out there aimed at OSX and Safari. But the distribution curve for that is orders of magnitude lower than for stuff aimed at Windows and Internet Explorer. (I know that's not the whole issue, statistically. There are default security precautions built into Linux and OSX that aren't defaults in Windows. This increases the attractiveness of Windows PCs to malware authors as targets.)

Windows PCs present a larger target and distribution vector for malware. But the probability of being attacked by *brand new* malware that defeats all the existing countermeasures is still low enough that most individual Windows users escape each time--assuming they have the existing, recommended countermeasures installed.

From a serious security standpoint, I think that news networks and initially low in-the-wild distribution for malware are the only things that really safeguard large Windows networks. Fortunately for Windows IT managers, so far, the news networks usually beat the distribution curve on the malware. That could change.

#54 ::: joann ::: (view all by) ::: July 19, 2006, 06:34 PM:

re Phone Spam, you can register your home phone with the National Do Not Call Registry. I used to get a lot of junk calls, now I don't.

YMMV, but I think it's great.

It's helpful, but not perfect. I get any number of cold calls from charitable organizations, way too many political calls, and a lot of wrong-numbers for a security firm that's one digit off from our number. None of those can be prevented by the Do Not Call thing. It is, however, extremely satisfying to be able to say to the very occasional actual violator, "Now what was your exact business name again? And your address? Ah. And you *do* realize you are in complete violation of the Do Not Call rules, seeing as how I've registered with both the state and national databases?" and then hear the "Mrrfle."

#55 ::: Kip W ::: (view all by) ::: July 19, 2006, 08:02 PM:

C.E. Petit, I was talking about something that shows up in your mailbox, not a web site you go to. And it would have the name of a publisher on it -- someone reputable, like, say, TNH.

#56 ::: Magenta Griffith ::: (view all by) ::: July 19, 2006, 09:17 PM:

Re phone spam: this is why I have an answering machine. I can listen to what the person on the other end is saying. My friends all know to start leaving a message, and I usually pick up. My mother hasn't figured this out yet, so I can avoid her if I can't deal with her at the time. Sales and political calls get recorded, and either deleted unheard, or played at my leisure. All for $30 spent several years ago.

I also use rotary dial phones. I don't accidentally dial people with my chin, and they last forever.

#57 ::: rhandir ::: (view all by) ::: July 19, 2006, 10:04 PM:

Lenny Bailes,
You said all the stuff I wanted to, but more fluently. Are you sure I'm not your psychic sockpuppet or something?

Everyone else,
What he said.
-r.

#58 ::: Seth Breidbart ::: (view all by) ::: July 19, 2006, 10:59 PM:

Simon, if you want bogus complaints, try running an NTP or DNS server. ("Hey, your Port 53 is attacking me!")

There's a reason such complaints are referred to as "GWF".

#59 ::: Larry Brennan ::: (view all by) ::: July 19, 2006, 11:24 PM:

Yeah, those Port 53s are perceived as being so dangerous that it's getting hard to find an apartment where you're allowed to have one. And forget about taking them out on the street without a muzzle.

#60 ::: Ayse ::: (view all by) ::: July 20, 2006, 12:27 AM:

rhandir:
Ayse, if you don't pick up your mail daily, some postal delivery people decide that it is an abandoned address. Filing complaints at the local post office fixes this, though catching the mail deliverer is usually simpler.

That's an excellent idea. I will set the trap tonight. I'm sure a simple drop-net will work well; she's kind of a slow mover.

...
GABYAW: I ended up filing a complaint with the postmaster a couple months ago, who gave me the inexplicable argument that the fact that I receive so little mail must mean I don't live there. "You don't get a utility bill, so of course we assumed you had moved out," he said, as if by getting bills online I have ceased to have an earthly presence.

#61 ::: Christopher Davis ::: (view all by) ::: July 20, 2006, 12:52 AM:

Seth Breidbart: my favorite was the guy who sent security@mywork a snort log showing that we were attacking him, because snort said "possible Mutated IA32 NOP Sled detected".

We were "attacking" him from port 80 of our web server, to some ephemeral port on his box. Gene sequence files that contain nothing but strings like "GTTTTCATTCTAAATT" look like possible attacks to spp_fnord...who knew?

#62 ::: Larry Brennan ::: (view all by) ::: July 20, 2006, 01:35 AM:

Ayse: as if by getting bills online I have ceased to have an earthly presence.

I'm reminded of the Bloom County where Oliver Wendel Jones makes his father disappear by deleting his records from the IRS database.

#63 ::: Randolph Fritz ::: (view all by) ::: July 20, 2006, 02:28 AM:

For those of you who think MS Windows security is not so bad, this news today: "An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows, according to data collected by iDefense, a Verisign company."

(http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html)

First two comments on /.:

"Darwinism works!" "Well, it surely wasn't Intelligent Design that did it."

(http://it.slashdot.org/article.pl?sid=06/07/20/042253)

Nyah!

#64 ::: Andrew Brown ::: (view all by) ::: July 20, 2006, 04:06 AM:

I have (touch wood) run windows 2k without a virus scanner for five years now and never been caught out. The trick is to use a good firewall (kerio personal firewall in this case) a good spam filter, and to shun Outlook and IE even if outlook is a good pim. Common sense also helps.

#65 ::: J Thomas ::: (view all by) ::: July 20, 2006, 08:45 AM:

I am not an expert on this topic and I believe there are fewer experts than there are people who think they're experts.

My personal experience has been that the more free AV setups I tried out, the more viruses I found and also the more viruses I got. Some AV software is malware itself, and paying for it is no protection.

I eventually found a keylogger that everything had missed. I found it by monitoring my traffic.

I was reasonably sure there were other things I didn't find, that had replaced some essential Windows files. But I couldn't download and run the correct versions because they wouldn't let me. Or maybe I was being paranoid. But I had no good way to tell. Were the occasional inexplicable events because of somebody's backdoor, or were they just Windows?

It wasn't hard getting rid of the obvious stuff. But when the internet connection just slowed down, and the router indicated we were getting a whole lot of traffic that none of us noticed, and I couldn't reset the router's connections because it said I didn't have the password....

I switched to Linux just out of FUD. My wife refuses to switch because it's too inconvenient. So OK, I run Firefox. Firefox exploits are potentially just as bad as Linux exploits. Sometimes I turn the JavaScript plugin on. JavaScript exploits are potentially as bad as Linux exploits. Very occasionally I load the Flash extension. Flash exploits are potentially as bad as Linux exploits.

People send me Word documents and I try to look at them in my Linux Word viewer. Sometimes they work and sometimes they don't. When they don't, is it that my Word viewer is flawed or is it that the document was infected in a way that messes up the viewer? Maybe if I had Word it would get infected but would display the document correctly anyway.

It's no problem to run a Windows machine and keep it going at 40% efficiency. Buy fast enough hardware and you won't notice the difference. The malware that causes you obvious problems is incompetent malware.

But if you want to get rid of the subtle things, the things that make some effort to hide themselves like that keylogger, you'll never know whether you got them all.

It's a little comfort that I can boot Linux from a CD-ROM and get nothing from the hard disk until I want to. And I can re-install the OS to hard disk in 3 minutes, leaving all my data. So if I have something bad on that disk outside the OS it will only show up when I run an application from the hard disk, or when I let the OS read an updated file from the hard disk, or, well, most any time. It's a little comfort though.

Not like having system files that the system couldn't read the MS signature on, and download the files from MS and install them and somehow afterward the system still can't read the MS signature and the old files are back.

But the kids' DVDs don't work right with the current Linux DVD-readers, and they complain. Some of their online games need Shockwave and there isn't any. Every now and then I have a hard disk crash or something, and I have to play with the system to get it running again. (It hasn't happened since I stopped using the old hard disk; I hope it was hardware.) My wife carefully refrains from saying she told me so. Her machine with Windows has its performance degrade so gracefully that she doesn't notice. Just every now and then she notices the internet has slowed down.

#66 ::: Martyn Drake ::: (view all by) ::: July 20, 2006, 09:25 AM:

Viral infections are the result of (unwillingly educated) computer users who will click on everything and anything and then after a few days wonder why their machines are so slow; and that suddenly all those pop-ups are showing up causing them much annoyance. Even worse is that these people just ACCEPT it and close all the pop-ups and continue working - thinking "it's just one of those things". Aghh!

And you'd be surprised just where the viruses are launched/originate from. Over the recent months I've tracked down the origins of the type of virus that Teresa mentions from peers in the film industry and the advertising/PR industries. The IT departments of those responsible for spreading it should be shot.

I've given enough warning to people in my charge about opening dodgy attachments from people they do not know. The worst culprits, however, are usually our own parents (or parents-in-law), who buy a new computer, start using it, and then find that they keep getting viruses and other malware and wonder why it's happening. You go over and spend the weekend fixing it - only for it to happen again.

Ironically, I've just been reading about MySpace.com, which has unwittingly been responsible for dishing out malware via a SINGLE banner ad! See the Washington Post for more information.

I'm now running OS X both at work and at home and don't have any anti-virus software. At work we run Linux and OS X (we're a visual effects company - Linux/UNIX is King here) and those that usually have to run Windows (producers, important folk, etc.) are heavily fortified against virii and then there's the network anti-virus and firewalls on top of that. And we do educate our users.

Windows is the main culprit in all of this, and if what I'm reading about Vista is true, it's really not going to get that much better.

Technology (and the Internet) is wonderful, at the right hands ;)

#67 ::: Lenny Bailes ::: (view all by) ::: July 20, 2006, 09:58 AM:

Randolph, the problem referred to in that Washington Post article is the WMF flaw that was discussed here, upstream. I won't swear to this in blood, but I believe you can only get infected by clicking on the graphic file with Internet Explorer--under a copy of Windows that lacks either the February Microsoft security patch or a currently-updated real-time antivirus blocker.

I'm not trying to say that Windows' susceptibility to vulnerabilities like this is trivial -- who knows what new flaws will be discovered, next week? I'm only saying that this particular one is known and was neutralized for "responsible" Windows users before it had a chance to inflict much damage. The fact that some widely-accessed websites are now infection vectors for unprepared Windows users is still a public nuisance. Again, the news networks may be ahead of the distribution curve, as far as the number of real infection incidents experienced by end users of MySpace. The Washington Post article doesn't have much information on that.

#68 ::: Lenny Bailes ::: (view all by) ::: July 20, 2006, 10:04 AM:

Correction to above: unprepared Windows users can get infected simply by visiting a site that has a hacked WMF file as a banner ad with Internet Explorer. Using Internet Explorer under Windows to visit websites that you've never been to before is not really a good idea.

#69 ::: Rob Rusick ::: (view all by) ::: July 20, 2006, 10:38 AM:

Randolph Fritz: For those of you who think MS Windows security is not so bad, this news today: "An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows, according to data collected by iDefense, a Verisign company."

Link to Washington Post Windows WMF exploit article by Brian Krebs.

I wasn't (very) worried about the Windows WMF exploit; we have automated Windows patching running on our XP and Win2000 machines, and AVG too.

Don't know whether anti-virus would have helped in that instance, but it shouldn't hurt. J Thomas is right to warn that some anti-virus apps are malware in disguise, but AVG has a good rep, so I'm trusting it (so far). It also has a system of automatic updates.

But this article by Brian Krebs was the first I'd heard of a Flash exploit, and (as described in one of the articles) Flash does not have a system of automated patches. Apparently this security hole has already been used (also on MySpace sites) to spread a worm.

After reading that, I had to spend some time making sure that both Firefox and IE had this patch installed on all the machines used here (fortunately, a small lab).

AFAIK, Linux and Mac machines would also have been vulnerable to this Flash hack.

You can take that last statement with a grain of salt; I am not an expert in computer security, and don't aspire to become one.

#70 ::: Randolph Fritz ::: (view all by) ::: July 20, 2006, 10:56 AM:

"Viral infections are the result of (unwillingly educated) computer users who will click on everything "

Or just don't download the huge number of patches that MS puts out. Or use legitimate documents that happen to be infested.

The bridge fell down because you walked on it--it's your fault. Feh. I'm outta this one!

#71 ::: Skwid ::: (view all by) ::: July 20, 2006, 11:43 AM:

99.9% of malware can be easily avoided by the combination of a hardware router, a software firewall, and non-MS Mail and Browser apps.

And Mike is wrong in one aspect about how this is almost certainly Outlook's fault: most viruses of the sort that harvest addresses for spoofing and destinations target the Outlook address book. Use of a non-Outlook address book would probably have prevented this.

#72 ::: Christopher Davis ::: (view all by) ::: July 20, 2006, 12:10 PM:

Rob Rusick: AFAIK, Linux and Mac machines would also have been vulnerable to this Flash hack.

Yup. Apple shipped an updated Flash player in Security Update 2006-003. Macs aren't magically immune by a long shot.

#73 ::: Lenny Bailes ::: (view all by) ::: July 20, 2006, 12:24 PM:

Randolph (if you're still reading): I sympathize with your basic irritation at Windows.

It wouldn't displease me, if someone succeeded in slapping Microsoft with a class action suit, indemnifying them for any and all documented claims by Windows or non-Windows users of financial damage traceable to the WMF flaw in unpatched user copies of Windows. (And while they're at it, compel Microsoft to pay for a mass mailing to all registered Windows users, informing them that *unpatched versions aren't safe.*)

#74 ::: J Thomas ::: (view all by) ::: July 20, 2006, 01:14 PM:

99.9% of malware can be easily avoided by the combination of a hardware router, a software firewall, and non-MS Mail and Browser apps.

This reminds me of a discussion I used to occasionally have with caving buddies, which went: "There are 5000 known caves in Georgia. How many unknown caves are there?"

There was a related question that actually had a statistical answer. There were a number of known caves with 6 entrances, and a number with 5, and 4, and 3, and so on, and that fit a Poisson distribution so you could reasonably estimate the number of caves with zero entrances.

I'd figure that smart crackers would have learned by now. Make something that infects a computer and immediately starts making millions of calls to every computer it can find, and it will spread pretty fast for a little while and then it will stumble over somebody who's ready for it, it gets reported and a fix is put out, and very soon it turns into just an annoyance, a few copies will be making millions of calls that mostly don't get anywhere.

Far better to spread carefully. Infect one machine, have it call home. Upload a collection of tools that will call home occasionally, that are very hard to get rid of. Don't call attention to yourself. Check which AV software is present and don't upload anything that isn't resistant to that software. Why get a million computers to do something stupid for a few days when you can have ten thousand for as long as you want?

If you find out about an intrusive virus spreading, you might do what you can to protect your machines. Ideally you'd want the nominal owners to think they've never gotten a virus and they don't really need protection. But their machines are 100% working for you while their users aren't using them, and 10% working for you when they are.

If a virus preferentially spreads to people who don't have sophisticated defenses, why would it be discovered at all?

Oh well. I downloaded Antivir for Linux today after Lenny recommended it. I'd used Antivir for Windows and liked it, although some experts complained about it calling home too much etc. But it insists on installing in /usr/lib and that's read-only on my system, even for root. I'll have to burn a new CD before I can try it.

#75 ::: Lenny Bailes ::: (view all by) ::: July 20, 2006, 04:59 PM:

Indemnify Microsoft ==> substitute: "compel them to compensate plaintiffs." I always get the meaning of "indemnify" backwards until I look it up--possibly because my brain associates it with "damn."

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 by Patrick & Teresa Nielsen Hayden. All rights reserved.