David Lawley wrote, and others echoed similar sentiments about non-Windows / non-MS mail clients:
> I also am immune despite using Outlook Express. None of those viruses
> infected my machine.
>
> If you think not running Windows is immunity you are fooling
> yourself, the number of viruses being written is rapidly turning to
> Linux/unix/mac (most seriously the Apache server Virus, do you have
> an active Apache server in your Linux system? Do you know?) as
> reported recently on www.theregister.co.uk. and www.slashdot.org .

Remember the good old F00F (hexadecimal F zero zero F) opcode exploit on the Pentium processor. If the CPU tried to run that opcode, the "foof", your computer was clagged totally. This got done to death particularly in campus computing environments where Intel servers running multi-user Unix were involved. Thankfully the fix wasn't terribly difficult - just a tad embarrassing for Intel ...

And of course, there have been numerous buffer overflow exploits in most incarnations of basic *nix implementations of things like DNS / BIND. Some of these can lead to denial of service and/or takeover of root privileges. Because most are based on a common ancestry of BSD-derived code, the flaws tend to be spread across a wide number of vendors. Intel's architecture is particularly vulnerable because the buffer/stack overflow mechanisms are so well documented (compared to say, Alpha / VAX / Sparc or similar). And, of course, most hackers can pick up cheap Intel hardware and free O/S-es like Linux, FreeBSD, etc. much more easily than they can buy HP / SUN / IBM RISC boxes.

> I did not need AV software to stop it just a brain!

Partially correct David! There was probably an element of good luck involved too. Outlook Express (OE) or Outlook (full version) with the Preview Pane enabled can run certain attachment types completely without the intervention of the user (even a "smart brained" one like you). Preview Pane actually allows HTML e-mails to fire up an in-process version of Internet Explorer (IE), which can then wrongly handle certain MIME types.
A now-classic exploit involves telling OE / IE that the attachment is one handled by Media Player, e.g. MID or WAV, but actually it has mis-formed headers and is really an executable type like EXE or SCR. The result: instead of playing the music, you "face the music" when it runs a virus / worm instead. If your e-mail selection bar is set at the newest e-mail to arrive, e.g. when you start up OE first thing after logging on, and the virus / worm is at that "first viewed" position, then it can happen completely without any operator intervention required.

Rule # 1, disable the Preview Pane.

There are various Microsoft patches available which prevent certain exploits, and which are mentioned in my original posting, and on the anti-virus software vendors' sites, e.g. Microsoft Security Patch MS01-027.

Rule # 2, keep your system up-to-date with all the latest patches, especially for Outlook/Outlook Express, Internet Explorer and Media Player, all of which are regular targets for hackers.

> If you open an attachment with 2 extensions i.e. w32bugbear*.jpg.pif
> you get what you deserve.

Per the above, you don't even need to open the attachment explicitly. Just opening the e-mail with the attachment in it is enough. BugBear manufactures subject and body text from existing messages in the victim's own e-mail folders. So, to a recipient who is in the victim's address book, the messages look very convincing. Certainly far more so than some random or personally meaningless "Make money now" or "I've got a webcam on my nude body" e-mails which we traditionally have seen in the past (e.g. Good Times). You can't even write a good e-mail filter rule because there's nothing really consistent in the BugBear payload (apart from the dual-dotted extension of the attachment, which no e-mail client I've yet seen can detect and quarantine).
I've even seen one BugBear e-mail which I was viewing via OpenWebMail (a web-based open source mail client used by my ISP) and it still attempted to fire up the attachment completely without my intervention. Thankfully my proxy server (Squid) requires the user to EXPLICITLY type in the username/password (unlike MS-Proxy which uses NT/LANMAN domain login credentials without prompting) before granting access to the newly fired up IE session.

> Never open attachments with the extension .scr these are scripts and almost
> certainly viri.

WRONG - on Windows, the .SCR extension is actually a screen saver (or that's what the virus writers are hoping you'll associate it with). Do a search in your WINDOWS / WINNT directory for the ".SCR" files that come with Windows. Windows Scripting Host uses different extensions, e.g. .VBS for Visual Basic Script.

> > I received the latest virus from Gary Brasher, if you are out there
> > Gary you have it!

Probably WRONG again, unless you're a clever sleuth. BugBear is very clever in that it manufactures the From: address using a mix-and-match method that combines domains and usernames from addresses in your mail folders. If you review the full mail headers you'll see that the domain name of the "From:" header is normally nothing like the domain name of the first mail server used to propagate the BugBear-laden message.

> There is no such thing as an immune operating system (With the
> exception of O/S 2 so old and primitive virus writers can't be
> bothered) Wake up guys!

Try OpenVMS - perhaps not immune, but never targeted, even though many of the world's stock exchanges and financial institutions rely on it! Well secured, "heavy iron" with none of the "seamlessly integrated applications that dominate the user's desktop experience" like Microsoft Windows + Office + Outlook + Internet Explorer + Media Player is trying to do.

> As a boss of mine once put it you can make a system foolproof but
> not idiot proof!
IF you make a system foolproof, there'll always be a better fool!

Regards

Jason Armistead

> David Lawley
>
> ----- Original Message -----
> From: "Leigh Bunting" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 01, 2002 11:43 PM
> Subject: Re: [aus-soaring] Latest E-mail virus (part 2)
>
>
> Jason Armistead wrote:
> >
> > > So, if you haven't updated your DAT files TODAY, you are at risk.
> >
> > No I'm not. Like Mark Newton, I'm immune. Note my byline below ->
> >
> > --
> > Leigh Bunting
> > Colonel Light Gardens
> > South Australia
> > <Open Windows and let the bugs in>

--
* You are subscribed to the aus-soaring mailing list.
* To Unsubscribe: send email to [EMAIL PROTECTED]
* with "unsubscribe aus-soaring" in the body of the message
* or with "help" in the body of the message for more information.
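The two attachment tricks Jason describes in his reply (the dual-dotted name such as .jpg.pif that no mail client of the day would quarantine, and a WAV/MID Content-Type whose payload is really an executable) are both detectable at a mail gateway. The following is an added example written for this page, not code from the thread or from any mail client; the message it inspects is constructed, and the extension and content-type lists are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions Windows executes directly (those named in the thread plus a few
# related ones) and the Media Player content types the MIME trick impersonates.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs", "js"}
MEDIA_TYPES = {"audio/x-wav", "audio/wav", "audio/midi", "audio/x-midi", "audio/mid"}


def audit_attachment(part) -> list:
    """Return the reasons this MIME part should be quarantined (empty if none)."""
    reasons = []
    name = (part.get_filename() or "").lower()
    exts = name.split(".")[1:]  # "photo.jpg.pif" -> ["jpg", "pif"]
    ctype = part.get_content_type()
    payload = part.get_payload(decode=True) or b""
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{exts[-1]}")
    if len(exts) >= 2:
        reasons.append("multiple extensions " + ".".join(exts))
    # "MZ" is the magic of every DOS/Windows executable (EXE, SCR, PIF stubs).
    if payload[:2] == b"MZ" and ctype in MEDIA_TYPES:
        reasons.append(f"Content-Type {ctype} but payload is a Windows executable")
    return reasons


def audit_message(raw: bytes) -> dict:
    """Map attachment filename -> reasons, for every suspicious attachment in raw."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_filename():
            reasons = audit_attachment(part)
            if reasons:
                findings[part.get_filename()] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed message carrying both tricks plus one harmless attachment."""
    msg = EmailMessage()
    msg.set_content("Thought you might like this.")
    fake_exe = b"MZ\x90\x00 not a real program"  # constructed executable stub
    msg.add_attachment(fake_exe, maintype="image", subtype="jpeg", filename="photo.jpg.pif")
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-wav", filename="song.wav")
    msg.add_attachment("see you at the airfield", filename="notes.txt")
    return msg.as_bytes()
```

The check keys on what Windows will actually do with the file (the last extension and the MZ header), not on the extension a user is told to distrust, which is the point of the .SCR correction above.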
