LinuxSA Mailing list archives
From: Alan Kennington <akenning@topology.org>
To: LinuxSA <linuxsa@linuxsa.org.au>
Date: Sun, 29 Jul 2001 13:50:33 +0930
Re: Blocking the SirCam & Code Red viruses
On Sun, Jul 29, 2001 at 01:05:05AM +0930, Tim R Ansell wrote:
> Fraser Farrell wrote:
> >
> > In case you have been holidaying on Planet Zed this month:
> >
> > - SirCam is yet another Outlook / Outlook Express virus which
> > repeatedly auto-mails itself to every address it can find. Along with
> > a file randomly selected from the victim's computer.
> >
>
> I read up on this virus and I would like to say that this virus doesn't
> only affect people who use Outlook. It affects anyone who uses Internet
> Explorer and anyone who is silly enough to run the attachment.
> If you look at documentation on this virus such as
> http://vil.nai.com/vil/virusMethodOfInfection.asp?virus_k=99141 you will
> see that the virus is of the executable sort (not your normal Visual
> Basic script) and even speaks SMTP.
> Not only does it scan the windows address book, it also scans all the
> HTML files in your Internet Explorer cache.
[....]
Tim,
Good value! Many people have been telling me that
they're getting SirCam from people they've never heard of before.
It's had a lot of people scratching their heads trying to work
out how all these people know them.
So now I know who's running MS software and has been browsing
my web pages recently!
This sort of argues in favour of just not using the mailto:
construction in HTML, because anyone who really
wants to make contact can do a copy/paste anyway.
But even if SirCam isn't currently able to parse e-mail addresses
without the mailto: anchor prefix, a later variant _may_ be able
to do so. So I guess that even if I get rid of all my mailto: links,
I still won't be safe in future. This location:
http://vil.nai.com/vil/virusChar.asp?virus_k=99141
doesn't make it clear if the mailto: URL prefix within
an anchor-link is required for mail address recognition.
Of course, given the way the linuxSA archives are published,
all of our e-mail addresses are out there for everyone to cache.
(And google etc. make indexes of linuxSA archives, which could
be quite embarrassing for some people in 5 years' time when a
prospective employer enters their name into a search engine and
finds out what kind of e-mails they send to public forums!
I'd recommend anyone who has posted to linuxSA to enter something like
"My Name" linuxsa
into their favourite browsers and see what comes up.)
-----------------------------------------------------
On the subject of MS blameworthiness, I think it's still fair
to criticise them for making it possible for users
to click to execute raw executables and scripts.
About 2 years ago, someone on linuxSA sent out an MS binary
and asked people to click on it.
It then proceeded to put up a window saying that it was
deleting all files, one by one, and listed them at great
speed on the screen. Then when you clicked on one of the buttons,
a panel came up saying "Just kidding!".
I don't think anyone would be understanding of that sort of humour
any more.
-----------------------------------------------------
Just while I happen to be on the rostrum, I reckon that if you
extrapolate out the exponential increase in Internet abuse over the
past 13 years (since _the_ Internet worm in 1988) out to the near
future, then the Internet will be pretty much unusable in 6-12 months.
Already, a disproportionate amount of numand and bandwidth resources
are being used up by network abuse, and throwing a few token script
kiddies in the clanger isn't going to fix this.
What is really needed is a world-wide move towards prevention of
IP address spoofing and clickable executables.
After 1988, there was a serious move to address the "finger"-related
vulnerabilities at that time.
Another serious world-wide tightening up of the system is needed now.
Cheers,
Alan Kennington.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject