Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security

Sharpei Virus Written In C# 243

Posted by timothy from the state-of-the-art-security-focus dept.
josepha48 points to a CNET article on a new worm written in C# and partly aimed at the .Net framework, excerpting: "On Friday, antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework."
This discussion has been archived. No new comments can be posted.

Sharpei Virus Written In C# More

Sharpei Virus Written In C#

Comments Filter:

  • It's NOT a .NET virus! (Score:4, Informative)

    by Otis_INF ( 130595 ) on Monday March 04, 2002 @04:23AM (#3104437) Homepage
    It's a worm spread by mail via Outlook 2000 or earlier (Outlook XP strips executables) or Outlook Express that will overwrite some .NET core components. (and only when the user is able to do that, thus has the right to overwrite the file).

    The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.

    • Re:It's NOT a .NET virus! (Score:1, Funny)

      by Anonymous Coward
      With the sig too, that's beautiful irony...

    • Re:It's NOT a .NET virus! (Score:5, Funny)

      by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Monday March 04, 2002 @04:25AM (#3104442) Journal
      • The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.
      So, its a .NOT virus...

    • Re:It's NOT a .NET virus! (Score:5, Informative)

      by Masa ( 74401 ) on Monday March 04, 2002 @04:40AM (#3104477) Journal
      The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.

      Here is a description by F-Secure and it claims that one part of the virus is actually using .NET:

      http://www.fsecure.com/v-descs/blunt.shtml [fsecure.com]

      • There is a difference between using something, and messing with something.

        The .Net framework files are digitally signed. If this virus were to try to infect the .Net framework it would not like that at all.

        Unless of course Verisign handed out the keys again. :-)

        Anyway, the /. Linux/anti-MS crowd needs to become a little bit more technically inclined. They're so damn gullible to articles like this.

    • Who said it was a .NET virus? (Score:4, Funny)

      by Anonymous Coward on Monday March 04, 2002 @04:41AM (#3104479)
      Let's try your karma whoring strategy:

      It's NOT a pink elephant!

      Just trying to clear up a potential misunderstanding here: The Sharpei Virus is a worm spread by MAIL via Outlook. It has NOTHING to do with elephants, mammals in general, or any kind of pink lifeform. The virus may overwrite some files if the user has write access to them, but rest assured that you won't have to deal with 10,000 pounds of pink flesh suddenly appearing in your computer room.
    • Its a program designed to advertise the amazing new security features built into the incredible .net framework!

      Similarly, LSD is capable of demonstrating the incredible new navigation (flight) features of Windows XP, and my assault rifle is useful to demonstrate windows new, millisecond speed shutdown procedure (along with security lock to ensure that no one who is not unauthorized won't be able to boot the machine).
      Its the best, isn't it?

      I should be on MS's marketing staff.
    • Outlook 2000 also strips those executables if you security patches that have been available for almost 2 years. This may be true of Outlook 98 as well. These patches also block the mass-mailers, so the only reason the mass-mailers exist is that people are running older versions of Outlook (97 and earlier) or not patching their current versions.
      • These patches also block the mass-mailers, so the only reason the mass-mailers exist is that people are running older versions of Outlook

        <sarcasm>Must be the new AI feature that automagically separates spam from legitimate mail.</sarcasm>

        This last is a pretty broad claim. Seriously, though, what is this and how does it work? Spammers may be the only group on the planet that I hate more than MS (in the 'technical' arena, anyhow).

    • MS: Favorite OS of Criminals Everywhere (Score:4, Insightful)

      by Alien54 ( 180860 ) on Monday March 04, 2002 @09:28AM (#3104933) Journal
      Get Microst C# today. Be on the cutting edge of Microsoft Virus spreading technology.

      More successful virus writers use Microsoft compared to any other operating system. You too can be a successful virus writer. Get in on the cutting edge made by a company that knows how to mess with people.

      [/sarcasm]

      etc.

      I just call all of these these Microsoft viruses. Makes life much easier.

  • social engineering (Score:5, Funny)

    by hiroko ( 110942 ) <david@balch . c o .uk> on Monday March 04, 2002 @04:25AM (#3104445) Homepage
    You've got to love the message in the email:
    Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
    • honestly, they could have just tagged a linux tarball on and accomplished the same thing. nothing like a 22 meg e-mail to disrupt the status-quo.

    • Re:social engineering (Score:5, Funny)

      by Shiny Metal S. ( 544229 ) on Monday March 04, 2002 @07:24AM (#3104695) Homepage
      This is nothing! Have you heard about the "Don't F***ing Open Me!" [bbspot.com] Virus?
      E-mail inboxes were flooded with messages this morning as a new virus quickly spread around the world. Dubbed "Don't Fucking Open Me" by anti-virus researchers, the infected e-mail follows a similar course to other viruses and replicates by sending itself out to everyone in the infected computer's Outlook and Outlook Express address book. The virus also contains two different payloads: one version formats the hard drive and displays the message "This is for your own good"; the other payload creates random Power Point presentations in the "My Documents" folder.

      Savvy users can spot the virus by its subject which is "Don't Fucking Open Me" or by the attachment which is entitled "Don't_Fucking_Open_Me.exe".

      "This virus tricks the user with an old psychological tactic called reverse psychology. Apparently the curiosity created by the message has been too much for thousands of users," said anti-virus researcher Bob Atibop. According to Atibop, this isn't the first time reverse psychology has been used. In 1998, the "Don't Pee on Your Keyboard" worm caused a flood of damage.

      Researchers have seen large infection among AOL users and middle managers, the two largest concentrations of naive and inept computer users.

      Claudia Hawkins who was infected by the virus said, "My son told me not to open attachments, but.... I mean my MOM sent it! What if she was hurt?!?"

      Another infected user too embarrassed to reveal his name said, "I thought that there was no way that this could be a virus. What kind of stupid idiot virus writer would put a dumb title on it like that? No one would ever open something that says not to open it. The virus would never spread defeating the whole purpose of it."

      Experts advise extreme caution when opening messages entitled "Don't Fucking Open Me" or "Click Here for Cash and Virus Infection".

    • Well, depending on which files it deletes and/or overwrites, it could be arguably correct.

  • Not sure I'd call this a .NET virus (Score:5, Interesting)

    by wadetemp ( 217315 ) on Monday March 04, 2002 @04:29AM (#3104455)

    If the attachment is opened, then the worm uses the Outlook address book to send messages--with a copy of the virus attached--to every address in the book. It then deletes the e-mails from the sent folder and removes the copy of itself.

    .NET exe files won't run unless the framework is present. They are "dead" exes that do nothing when double clicked. So the question is... is the bulk mailer part native code or .NET code? Read on...


    On PCs loaded with Windows XP and other .Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again.

    This *additonal* behavior that affects .NET enabled computers is the part that could possibly be written in C#, and it looks like it's not responsible for any of the bulk emailing... it just runs the native executable portion again, which does the bulk mailing. And by the way, XP is not .NET enabled. I think this is either a hoax or a very misunderstood virus.

    • Re:Not sure I'd call this a .NET virus (Score:5, Insightful)

      by muffen ( 321442 ) on Monday March 04, 2002 @07:45AM (#3104722)
      This *additonal* behavior that affects .NET enabled computers is the part that could possibly be written in C#, and it looks like it's not responsible for any of the bulk emailing...

      You are correct, this is the only part that is written in .NET compiled down to MSIL. Here's a cut from the Symantec [sarc.com] writeup: The replication code of the virus is written in C# and compiled to MSIL...

      The emailing routine is done by dropping a VBS file that enumerates the outlook addressbook sending an email to everyone in there.

      This is said to be the second virus that infects .NET files. The first one was W32.Donut [symantec.com] (even though W32.Donut doesn't actually infect the MSIL part of the executable, but the one containing the normal X86 code).

      In my opinion, we still haven't seen the first *true* .NET virus. When there is a virus that infects the MSIL (Microsoft Intermediate Language) code, then I think it qualifies as a .NET virus. All the .NET virus we have seen so far appear to be attempts by viruswriters to get media attention, and as we can see, it worked :-/
      • who could be sure?

        Microsoft has made a habit of calling everything it is releasing lately ".NET". If it infected Visual Studio, would it be a .NET virus? Face it, the MS definition is purposely nebulous, masking the fact that .NET is a Java clone.

  • What about Java virii? (Score:2, Interesting)

    by petree ( 16551 )
    If you actually step outside of the 'yet another microsoft virus' mindset you might be frightened more by the concept, although simple. Why hasn't someone (or has some one) created a virus that attacks the JRE. You could pretty well attack a large number of people by either A) attacking/modifying the JRE or B) Piggybacking java bytecode into other applications. Wouldn't one of these be just as damaging and at the current time even more wide-spread in their effect? Just a couple of thoughts.

    • Re:What about Java virii? (Score:5, Informative)

      by InfoSec ( 208475 ) on Monday March 04, 2002 @04:44AM (#3104488) Homepage
      The problem is that the JRE has a security manager which, unless the user mucks it up, won't allow virii to access the local machine or resources (i.e. address book).

      • Re:What about Java virii? (Score:2, Interesting)

        by JKR ( 198165 )
        The problem is that the JRE has a security manager which, unless the user mucks it up, won't allow virii to access the local machine or resources (i.e. address book).


        What? Java provides a default SecurityManager object which allows pretty much anything. And anyway, if you can subvert the class loader (e.g. by providing your own) you can do anything you like. The only time you'll see a SecurityManager which does anything is inside a webbrowser.

        Besides the system policy file installed by default is pretty lax. I quote from the Java SDK docs:

        The java.policy file installed with the SDK grants all permissions to standard extensions, allows anyone to listen on un-privileged ports, and...


        Jon.

        • There are some serious checks in place to make it hard (impossible?) to subvert the class loader to avoid the security manager.

          However your point still stands; if you run a .class file who's base is on your computer, you have full access to the filesystem etc. A java analogy with this virus would be an executable (IA32 native) that ran, emailed itself to everybody, and then ran a file within the JVM that did something or other (deleted files, printed 'hello, world!' or whatever) The Java zealot would scream 'But that's not a fucking Java virus, thats a normal worm that runs a java program! Where's the JVM security problem in that?' And fortunately, if unexpected, several posters have said the same about this worm.
        • What? Java provides a default SecurityManager object which allows pretty much anything.

          Huh?
          Like?

          And anyway, if you can subvert the class loader (e.g. by providing your own) you can do anything you like. The only time you'll see a SecurityManager which does anything is inside a webbrowser.

          Can you show me how to subvert the class loader with Java itself?

          (I'm not bashing you opinion, I'm really asking the questions. Showing me the links is also welcome :)
        • "Besides the system policy file installed by default is pretty lax."

          Microsoft has made the default system policy for .Net fairly strick. There was actually quite a lot of bitching about it on many .Net mailing lists because it made life more difficult for developers. But I suspect MS felt they could live with complaints of this nature, rather than make it too loose by default.

          For instance if you try to run any content off a network drive, it has no access to drives. I just tried it, and I can't even get a local directory listing. You just get a popup box warning that it can't do this.
          • That is good, there is a good security model in the basis of both .NET & NT, the problem is that the defualt permissions were always too lax, resulting in unsecure default installations, which not many bother/or had the knowledge to change.
            That is a re-assuring.

    • Re:What about Java virii? (Score:5, Informative)

      by jaavaaguru ( 261551 ) on Monday March 04, 2002 @04:47AM (#3104495) Homepage
      The JRE lives in a directory where normal users don't have write permission to. This is definitely the case in UNIX/Linux and our Win NT based machines at home are also set up this way. If someone installs something into a directory that is world writable, then they should be prepared for these kind of things to happen. If an OS insists on putting important things in silly places, then maybe software manufacturers for that OS should make their users aware of this and possible change the permissions on directories after their software has installed? If Windows XP treats users as dumbasses, why should these same users be expected to know anything about securing their system?
    • From reading the article, it seems that this is a win32 worm that patches security components in the .NET runtime before running a damaging .NET application. A program similar to this written in Java would have several disadvantages:

      1. It has no natural vector. Outlook serves well as a vehicle for socially engineered worms/viruses because it automates the execution of mobile code that arrives in attachments. The recipient only has to click on an attachment, and there is no way to know what it does unless you already know what it is. People using non-MS mail clients have to save an .EXE to disk and then manually run it.

      2. The JRE doesn't have Microsoft's assistance in getting onto every shmoe's machine out there. While XP doesn't currently have .NET support, this situation won't last long. Soon everyone will have a .NET runtime on their machine whether they're aware of it or not. And, these will be the same machines that are running Outlook.

      3. The security concerns surrounding Java and C# are quite similar. Either runtime can have a patch applied by wily native code. However, the average target machine will not have a JRE simply because it's a non-MS technology- it's not "part of the OS". (You won't find the old MS JVM on an XP machine.) If it does have a JRE, it will be deployed in the arbitrary directory that the user installed it into, which is unknown to the worm code unless it scans the disk. IIRC Microsoft puts the .NET runtime components in well-known places so this isn't a problem when making hostile C# patches. A worm written in Java would probably have to lug around its patched JRE with it- making it too heavy to spread very far.

      4. The people who write worms won't pay any attention to Java as long as C# is around. :)

      Of course, if the executable is running with no security manager in place, you can do whatever you want even if the runtime isn't patched. I can write a Java class that does a Runtime.exec() of anything I want, and send it to you. If you execute it as an application, it has no problems. I don't know personally what security constraints are placed on C# arriving in an Outlook attachment, but I can imagine they would be roughly similar to the constraints browsers place on applets. The fact that security constraints can't easily be placed on incoming native code, and the fact that the .NET runtime is so easy to patch using a little native code, means that MS has to seriously rethink its strategy of what types of mobile code are allowed to run.
    • http://www.sophos.com/virusinfo/articles/java.html

      Been there, done that, moved on...
      There is *nothing* in Java that prevents you from writing viruses if you're running a Java application.

  • it AMAZES ME, that the security analysts who keep saying there is no such thing as a unhackable system heap laud and praise on every "unhackable *" released. the hypocrisy is not only unprofessional, but it's a grave disservice to people that look to them for direction in securing their networks. remember, there is no such thing as a perfectly secure system, we try, but we are human and thus we fail (And learn). as much as I hate to say it, to an extent the crackers do us a service by keeping us honest. and we do the world a service by trying to send them to jail.


    • it AMAZES ME, that the security analysts who keep saying there is no such thing as a unhackable system heap laud and praise on every "unhackable *" released.

      You have quotes and references to the same security analysts making both of these claims?

  • Sharpei? (Score:1, Offtopic)

    by evil_one ( 142582 )
    My ex had a half sharpei, half lasso apso. I never could tell which end it ate from.

    A worm named after a breed of dogs, cute. Does it get you in the heart?

  • Read the technical details at Symantic (Score:5, Informative)

    by Carnage4Life ( 106069 ) on Monday March 04, 2002 @04:41AM (#3104480) Homepage Journal
    I just looked at the Symantec write up for W32.HLLP.Sharpei@mm [symantec.com] and from what I read its primarily just another social engineering email-with-executable-attachment worm ("Please run this MSFT update") which happens to use C# in some of the code it runs after it has 0wn3d your machine.

    The fact that the worm tries to run a C# executable after it has already compromised the machine is not much of a technical feat since it could run anything including a Perl script, Java program, Lisp code, etc as long as the runtimes were available on the target machine.

    Disclaimer: The opinions expressed in this post are mine and mine alone and do not reflect the opinions, wishes, strategies or intentions of my employer.

  • What do you expect (Score:1, Insightful)

    by InfoSec ( 208475 )
    They take all of the power of Java and then throw in all of the security vulnerabilities of C/C++. It's only inevitable that C# is going to cuase all sorts of headaches for people like me (Security professionals).

    • Re:What do you expect (Score:2, Insightful)

      by Tom7 ( 102298 )
      Looks like you need to read the story more carefully -- if you get all your information from Slashdot's misleading headlines, you're going to be pretty misinformed!

      This worm really has nothing to do with C# (or even .NET). It's just a regular e-mail worm that happens to also have a .NET payload, part of which is written in C#.
    • How is it that someone calling themselves a security professional can't be bothered to take the time to actually research a topic before injecting their opinion?

      Just curious. I take it the GISSP is like the MCSE, it only requires memorization skills?

      You might want to look into GIAC.

  • M$ doesn't call Sharpei a worm (Score:5, Funny)

    by Ilan Volow ( 539597 ) on Monday March 04, 2002 @04:45AM (#3104490) Homepage
    They prefer the term "a few wrinkles here and there"

  • VIrus in attachment (Score:3, Insightful)

    by Henry V .009 ( 518000 ) on Monday March 04, 2002 @05:02AM (#3104528) Journal
    This is simply the old virus as attachment trick.

    And guess what? It's implemented in C#. And when run, it will screw up other folders on the system. Imagine, if you will, a computer language, somewhere, that somehow, could not be used to write this virus. I'm drawing a blank, but I'm sure there will be lots of +5 funny responses.

    Since my current sig just confuses everyone anyway, maybe I should change it to "$5 for a thousand pages of this!?" and save everyone the typing.

  • Proof of concept? (Score:5, Interesting)

    by Alizarin Erythrosin ( 457981 ) on Monday March 04, 2002 @05:06AM (#3104535)
    Seems to me this is more like a proof of concept virus, like that one that was written in Flash a while back, demonstrating the kinds of things that COULD happen should Outlook's holes and bugs not be patched up.

    The message body is actually a very misleading one though... I mean, who wouldn't wanna speed up Windows by 50% and make it more secure? We can't get that kind of update, even out of Microsoft!

    • Re:Proof of concept? (Score:2, Insightful)

      by gregorio ( 520049 )
      demonstrating the kinds of things that COULD happen should Outlook's holes and bugs not be patched up.

      What holes? Stupid users or allowing those stupid users to open attachments? Should Microsoft release some kind of version of Windows that doesn't allow stupid users to execute whatever they want?
      I don't think so, people should just stop executing unknown e-mail attachments.
      • Outlook2000 has a patch entitled "Fix stupid user", which prevents users from opening attachments. Outlook XP ships this way by default.

        Granted, the patch also does some useful things like changing the profile under which email is viewed to Restricted Sites Zone, thus disabling active scripting, etc.

        And if some user still insists on running that .EXE, the patch pops up when things connect to the Outlook COM objects and says "Hey, this thing is trying to send email.. is that ok dummy?"

  • SSSCA Impact on Viruses (Score:4, Funny)

    by heretic108 ( 454817 ) on Monday March 04, 2002 @05:06AM (#3104536)
    I worry about SSSCA.
    If it goes through, virii would definitely fall under the category of 'interactive digital devices'.
    It will be illegal to write or transmit a virus unless it contains 'approved security measures'.
    Any attempt to circumvent a virus' protection mechanism, or communicate to others the nature of a virus or possible defences against it, will be a criminal offence punishable by law
    • Maybe one can claim self defence, like being burgled and apprehending your burglars.

      If we could then project that theRIAA are an illegal cartel and that we are trying to act in self defence ... hmm pretty long shot.

      There is one oft overlook aspect to the legal system (at least in the UK) and that is that a jury does not have to return a guilty verdict even if they have been convinced that the defendant committed the act. It is quite within the power of a jury to return not guilty if they think that the law is unjust or unjustly applied. Maybe someone should try that defence sometime and see if they can make it stick!
      • In the United states atleast the Judge has the ability to override the jury verdict. Its rare to happen, but in cases when the jury DID ignore the law, the judge can still make it applicable. im not sure on the specifics, or even if its still constitutional to do that here. Anyone?

    • Re:SSSCA Impact on Viruses (Score:4, Interesting)

      by edhall ( 10025 ) <slashdot@weirdnoise.com> on Monday March 04, 2002 @06:33AM (#3104641) Homepage
      virii would definitely fall under the category of 'interactive digital devices'

      That makes no sense whatsoever. An "interactive digital device" is a piece of hardware, as defined by the SSSCA. Unless you know something about computer viruses that I don't, they hardly qualify as such.

      Even as software, they are highly unlikely to contain the likely-to-be mandated digital signature. And that's the scary part: Microsoft is promoting digital rights management as an anti-virus solution (among other things). Part of the .NET infrastructure is providing the ability of each software component to be signed. Thus the SSSCA dovetails quite nicely with Microsoft's need for better security. And it gives them the opportunity to get even more leverage over non-Microsoft software (not just virunses). Who do you think will control the certification process necessary to get a signature?

      -Ed
      • virus, n.
        1. A computer program intended to replicate itself throughout multiple computers without the user's consent.
        2. A licensing condition applied to computer software which allows users to understand and modify the programming code used.
        3. virii, pl. Computer programs written without the express support or approval of Microsoft Corporation or its strategic partners, which threatens national security by undermining Microsoft's ability to control the global use of software in personal computers.

        (Source: Microsoft - New Employees' Orientation Handbook)

  • Worm with a virus payload (Score:5, Informative)

    by prockcore ( 543967 ) on Monday March 04, 2002 @05:17AM (#3104545)
    This is actually a win32 worm, with a .net virus payload.

    " On PCs loaded with Windows XP and other .Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again."

    The .net half is a true virus, and spreads among .net executables.
  • A successful widespread virus attack proves that there are actually .NET users out there.
    If no one attacks or cracks a software it's mostly not worth anything. To believe that it can't be successfully attacked is naive anyway.

    Overall, viruses bring free publicity and prove the point that the product is a roaring success.
    BTW: Who wants to be left out when all your friends have been hit by the new naughty Kournikova virus? There will be little left to discuss over a few beers.
  • Don't click on executable attachments in your email.
    Please. (Outlook team: Please don't execute everything I click on)
    Also. Don't send me messages that are really just plain text in either html or word document format.
    • It's not a single click to execute attachments, it's double click; ergo you need to be twice as stupid as some to run an executable attachment sent to you unannounced.

      • I'm glad that extra protection is in there.
        Of course in the email program I use (KMail), you have to save the executable and set the permissions to executable before any execution happens.
      • UNLESS you have Windows set to "single click to execute stuff". Yes, there is such a setting, and I've met crazy users who have it turned on. Eeeep!

  • Security hole in PHP allows arbitrary code to exe! (Score:1, Informative)

    by Anonymous Coward
    Stefan Esser, who is also a member of the PHP team, found several flaws in the way PHP handles multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.

    For PHP3 flaws contain a broken boundary check and an arbitrary heap overflow. For PHP4 they consist of a broken boundary check and a heap off by one error.

    For the stable release of Debian these problems are fixed in version 3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4.

    For the unstable and testing release of Debian these problems are fixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4.

    There is no PHP4 in the stable and unstable distribution for the arm architecture due to a compiler error.

    We recommend that you upgrade your PHP packages immediately.

    Eat that, Microsoft haters.
    • The difference is that there is no known exploit for this PHP security hole at the moment. The announcement is timely in that it allows sys admins to patch a POTENTIAL hole before they cause a problem.

      When was the last time microsoft announced a security problem before there was a known exploit in the wild?

      D.

      • Re:Security hole in PHP allows arbitrary code to e (Score:1, Insightful)

        by Anonymous Coward
        Let's see.

        Code Red
        Code Blue
        Nimda
        ILOVEYOU
        Papa
        BadTrans
        Anna
        And this list continues.

        Sharpei exploits a "hole" in Outlook that was patched over two years ago. If you don't patch, you're still vulnerable, so what do you do short of driving across the country and cramming patches down people's throats? Do you think everyone in the world has already patched their PHP problems? Can you answer that question?

  • .net and gnome... (Score:3, Insightful)

    by kevin lyda ( 4803 ) on Monday March 04, 2002 @07:41AM (#3104716) Homepage
    it seems this is not a true .net virus but it does bring up some interesting possibilities regarding the gnome project. ximian has professed to wanting gnome 4 to use the .net framework. so either they'll code it in such a way to avoid all the security issues in microsoft's .net, or they'll have the same security issues.

    in some ways either "wins." if the main linux .net implementation avoids security issues it's a pr disaster for microsoft. ditto if it has the same bugs as it will show a design flaw in .net.

    otoh it will "lose" - anti-virus companies will be against linux for taking away their product stream. and if the same security flaws show up then it removes a major distinguishing item from a linux desktop.
    • What .NET security issues? This virus spreads via email and infects files relating to .NET which have to be executed to further infect. The .NET environment is not instrumental in the attack, you could substitute in any executable in.
      .NET is not an unfeasable technology simply because it was developed by Microsoft. From what I have seen on the DotGNU Portable.NET [southern-storm.com.au] environment on *NIX, C# bitcode is able to be executed with low overhead. You could be fooled for thinking you were executing native binaries.
      • did you even read my post? like, say, the first sentence. no, this wasn't a .net virus, but it is quite likely there *will* be .net security issues in the future. they may be design flaws or implementation flaws, but there will be flaws.

  • Wording (Score:4, Funny)

    by GSV NegotiableEthics ( 560121 ) <autecfmuk001@sneakemail.com> on Monday March 04, 2002 @07:45AM (#3104721) Homepage
    Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.

    Something about the wording suggests to me that this worm is intended to target only very stupid people. Does anybody reading this actually have friends who write emails like that?

    • I'll give ya an example : At my company there has been released two times a warning saying: "if you got win98, don't istall IE6(or summit like that) coz it might cause the need of a reinstallation"

      4 reinstallations done so far.....

      Probably not the case with most people that read slashdot but there are millions of users that are just "plain users", they don't care for programming / development / OS's etc etc ... they just use the PC for mail, browsing, chat and NOTHING MORE(for the simple reason that is all they need really).And they feel 100% safe for having their antivirus updated. So if a friend says: Hey, use this, it will get better, why not ?!? And imo it's not a matter of stupidity, a person that sells cars has a better chance of making a better bargain when buying a car. (no 100% direct analogy to the subject in this example:)

  • Hrm. I don't seem to ever hear about any viruses for the Java platform, even though it would theoreticaly be possible.

    And what about perl!?
  • designed to infect computers loaded with the .Net framework."

    With the proper diligence, and a competent admin -- NO computer should ever be infected with the .NET virus.

    Only a boob could ever allow such a thing to occur.

    ... heheh now this is a meme I like... if only i controlled the Media, I could infect billions with this simple mind-virus.

    Muahahahahhahah

    • "Only a boob could ever allow such a thing to occur."

      Yes and the same could be said about most UNIX systems. It takes a little intelligence to prevent your machine from being taken over by virus, worms, or trojans, buffer overruns or other exploits.

      Something most /.ers here seem to miss is that not all computer users are as computer savy as many of the readers here. Many computer users WILL grant permission to a program to run on their machine. They will execute a file even if they do not know who it is from. While this article may not be 100% accurate, as most never are, it points out that .NET is not even out 'in mass' and people are already looking for ways to exploit it. This may actually be good for windows as it will hopefully make them find more ways to tighen the security and 'dummify the system' so that user xyz does not screw up their system just by click on a file. Like integrated virus scanner.

      Personally I'd go with what I call 'registered execution'. This would require that programs that are 'registered' could execute code to do certain task. If you wrote a macro on your computer it would become registered, but if you sent that macro to someone else it would not and they would then be prompted to run that macro and if they wanted to register it. Then when virus abc is sent to user xyz and the user click on it the OS pops up a message of the program you have tried to execute is not registered, it wants to modify registry settings and blah blah. While this is not 100% foolproof, it could help in reducing virus spreadding.

      Someone here compared perl to VB. I almost fell out of my chair laughing at that comparison. Perl is not embedded in email applications on UNIX or windows like VB is in Outlook. Perl is not part of an office application that is used by 90% of computer users (of course with China moving to Linux that number will change). Perl is a script and the number of virus that are spread uusing perl vs VB is tiny. perl can be used for buffer overruns and hack attacks, but then so can VB and C/C++ or even Java.

      "and a competent admin"

      If you have ever done system administration or IT support and had to support end users then you'd know that many of these people probably should not even be using computers at home. The point is that the .NET framework WILL be attacked by virus, worms and/or trojans and at some point they will spread.

      Hmm maybe /. doesn't hate all my posts after all....

  • it's a Trojan horse actually ... (Score:4, Informative)

    by Zero__Kelvin ( 151819 ) on Monday March 04, 2002 @10:33AM (#3105175) Homepage

    The article doesn't get any of the terminology right, so I wouldn't put too much stalk in anything they say.

    It is neither a virus or a worm, though they seem to think the two terms are interchangeable ...

    It is a trojan horse. As a point of education:

    1) A Virus attaches itself to a host program, and does not necessarily require user interaction to infect additional files (e.g. it may attach to an OS device driver or other system program.) It may be attached to an application, but no coaxing is done to get the user to run it. It simply waits for the user to do so, and then goes about it's business.

    2) A Worm is a stand alone program that makes it's way through a system ... it isn't attached to anything.

    3) A Trojan horse is a program that is sent to an ignorant user, and requires them to run the program. It may appear to be a program of another sort - hiding it's behaviour - or it may immediately and blatantly do it's thing. Solicitation like the E-Mail body is always a component of a Trojan horse. The fact that it is an E-Mail attachment in no way makes this a virus. It spreads only with the help of user interaction and involves the direct solicitation of said action. It is fundamentally undifferentiated from an E-Mail asking someone to download an .exe and then run it. The fact that the downloading is performed via E-Mail attachment does not in any way change it's status from that of a Trojan.

    Come on folks ... if the Slashdotters of the world can't get this, then how will anyone else?

    • I dare ya to walk into the next room and ask that attractive young AA if her computer has a Trojan.

      In the common vernacular, "virus" has become the superclass for all these subclasses that you describe. Maybe /. should nitpick and choose the appropriate subclass, but I take no offense if they don't. However, these people that were correcting /. and saying it was a worm apparently deserve to be corrected by you.

      As far as I'm concerned, if it's on my computer, and I don't want it there, it's a "virus". Now, if I were at a technical conference discussing these things then I'd take pains to be accurate.


      • "I dare ya to walk into the next room and ask that attractive young AA if her computer has a Trojan. "

        Actually, I have social skills, so I would make sure she knew what I meant before I asked the question; there is nothing daring about it. BTW - Is an AA anything like a 'weeping young devotchka'?

        "In the common vernacular, "virus" has become the superclass for all these subclasses that you describe. "

        In the 'common vernacular' people run around claiming to write good (when of course when can only write well, or not so well, etc...) It was common 'knowledge' that the sun revolved around the earth in Copernicus' day ... you could just ask anyone on the ancient Slashot site. So my question is this ... do you have any actual valid point to make?

        "As far as I'm concerned, if it's on my computer, and I don't want it there, it's a "virus". Now, if I were at a technical conference discussing these things then I'd take pains to be accurate. "

        Perhaps you were unaware that Slashdot is a technical forum???

        • In the 'common vernacular' people run around claiming to write good (when of course when can only write well, or not so well, etc...) It was common 'knowledge' that the sun revolved around the earth in Copernicus' day ... you could just ask anyone on the ancient Slashot site. So my question is this ... do you have any actual valid point to make?

          Yes. There is a time and a place for technical jargon. You are confusing the "common vernacular" with "common mistakes". "Write good" may become acceptable over time as language evolves, whereas the position of the Sun is an objective scientific fact.

          Efforts to use precise technical jargon all the time will actually result in ineffective communication. Judging when and where to use what kind of language is an important skill. It might be more convenient for you to use multiple words that convey fine shades of meaning, but you stand a good chance of losing your audience when you do that.

          This reminds me of the whole "cracker" vs. "hacker" debate. You know who won that, and you should know why.

          Perhaps you were unaware that Slashdot is a technical forum.

          Chuckle. LOL.


          • ""Write good" may become acceptable over time as language evolves, whereas the position of the Sun is an objective scientific fact."

            "Write good" is never acceptable except to those who are members of the ignorant set, in which you are clearly a proud member.

            "Efforts to use precise technical jargon all the time will actually result in ineffective communication. Judging when and where to use what kind of language is an important skill."

            I would only add that you really should begin acquiring such skills at some point, preferably before you reply to another of my posts.

            "This reminds me of the whole "cracker" vs. "hacker" debate. You know who won that, and you should know why."

            Indeed, it is a rough analogue to the 'nigger' vs. African-American debate. You can tell the ignorant one by the term he or she chooses.

            • Your contentiousness is exceeded only by the irony of your .sig.


              • "Your contentiousness is exceeded only by the irony of your .sig."

                I see what you mean. Clearly someone with a truly open mind would believe whatever you say, no matter how completely off base you are. Those with a truly open mind would never correct anybody no matter how absurd their coments are, because having an open mind means believing everything you hear, no matter how contradictory. The irony is just overwhelming.

                Either that, or you truly are a trolling ignoramus. I'm open to that possibility as well, of course.

  • .NET Security (Score:4, Informative)

    by rabtech ( 223758 ) on Monday March 04, 2002 @10:37AM (#3105191) Homepage
    By default, the .NET framework will not run untrusted code and allow it to do anything of note.

    You will notice that the host EXE being sent over email is native x86 code, NOT MSIL. Therefore, it has no security permissions of note.

    If you were to attempt to write a pure-C# virus and mass-email it, you wouldn't get very far as the user would actually have to tell the framework to grant execute permissions to the downloaded code.

    I even have to grant permissions to the files I myself write with Visual Studio.NET; they won't execute by default.

    Lastly, Outlook 2000 w/security patches and Outlook XP both automatically disallow the user to download or execute EXE attatchments, period. Unfortunately, this makes it a hassle having to ZIP all EXE files before sending them (and VBS files, etc.), but that's a small price to pay to protect us from idiot users. My only complaint with Outlook security is that Outlook Express does not do this by default.

    I think Microsoft is doing a better job these days; they still have things to address of course. Sometimes I think people just misunderstand though... calls for the removal of VBScript are like asking *nix distributors not to ship Perl with their installs; its kind of silly.

    Fortunately, with XP Home, you don't have a bunch of home users running as Admin all the time; I think that's a big key right there.
  • This is an example of an increasing bias in Cnet and Zdnet reporting - the desire to push out information as fast as possible and as loosely checked as possible grows daily.

    But i have to take the /. team to task a little - a small amount of research would have seen that the virus may be the first written in C# but its not designed to attack .NET. It makes use of some .NET frameworks components to spread but its simply a mass mailing worm and an exe file to boot, it creates a VBS.

    Now to look at at that in another way.

    1. Systems vulnerable to this are 2 years behind the curve - if you still allow .exe and .vbs into your environment in any form your not qualified to work in it.
    2. Not keeping virus scanners up to date is asking for it
    3. These guys simply did the invitable and made a virus in the new language - its been done with every language and OS platform since computers began and will no doubt continue.

    I dont want to attack anyone but i would suggest that we might all be benefited by spending 5 minutes researching before we comment (and to the anti MS crowd - if you cant be bothere finding out the truth dont comment - to be honest the attacks on every mention of microsoft is getting tedious and pointless and i suspect is driving people away from open source - enough is enough - you dont like MS - they are evil - we know so dont keep telling us)

    It depresses me that the level of technical discussion of anything non linux on here is lower than a snakes arse - i wish we could see the same passion that is applied to Kernal Updates applied to other areas.

    Editors - check your sources please !!

Slashdot Top Deals

Math is like love -- a simple idea but it can get complicated. -- R. Drabek

Close