MyDoom/Novarg Gloom

Just in case anybody is curious, my employer’s virus scanners filtered roughly 3,000 copies of Novarg (a.k.a. My Doom) during working hours yesteray. If that’s not a record for us, it approaches it. I know we weren’t the only one.I’ve heard Novarg/MyDoom/My Doom called the fastest spreading virus yet. I don’t have statistics on prior viruses with me, but suffice it to say, its impact certainly felt similar to the big names from the past.

Although SCO would like people to believe it was written by a Linux zealot, I’m more inclined to believe it was created by organized crime. Maybe the creators hate SCO, or maybe the anti-SCO DDoS was just an added touch to throw investigators off.

LoveLetter was the first virus outbreak to really have much impact on my professional career, and I noticed something about it. Prior to LoveLetter, I never, ever got spam at work. Not once. After LoveLetter, I started getting lots of it. I don’t believe LoveLetter’s intent was to gather e-mail addresses for spammers, but I do believe that more than one spammer, probably independently, noticed that viruses were a very efficient way to gather a large number of e-mail addresses.

I got spam before LoveLetter, and I saw viruses before LoveLetter. But I started seeing a lot more of both very soon after LoveLetter.

I don’t buy any giant conspiracy to sell anti-virus software, nor do I buy any giant conspiracy against SCO. I do believe in bored people with nothing better to do than to write viruses, and I also believe in people who can profit off their side effects.

I’ve said it once and I’ll say it again. If you run Windows, you must run anti-virus software. You can download Grisoft AVG anti-virus software for free. Don’t open unexpected e-mail attachments, even from people you know. Even if it looks safe. Don’t send unexpected e-mail attachments either–you don’t want anyone to get the idea that’s normal. Quite frankly, in this day and age, there’s no reason to open any piece of e-mail that looks suspicious for any reason. I told someone yesterday that this is war. And I think that’s pretty accurate.

If you’re an intrepid pioneer, there’s something else you can do too, in order to be part of the solution. If you join the Linux revolution, you can pretty much consider that computer immune. Macintoshes are slightly less immune, but certainly much less vulnerable than Windows. Amiga… Well, I haven’t seen the words “Amiga” and “virus” in the same sentence since 1991 or 1992. But one thing is certain: a less homogenous field is less susceptible to things like this.

 

Microsoft’s Slammer pain is good for everybody

SQL Slammer hit where it counts, including HP–historically, one of the biggest Microsoft supporters around–and Microsoft itself.
This is good. Really good.

Microsoft is one of its own biggest customers. Part of this is due to one of the worst cases of not-invented-here syndrome in the industry, and part of it is marketing. If Microsoft can run its enterprise on mostly its software, its argument that you ought to be able to run all of yours on it is much stronger.

When Microsoft feels our pain, that’s good. Problems generally get fixed. Not necessarily the way we want them fixed, but fixed. When Microsoft for whatever reason doesn’t feel our pain, things languish. Witness the development of Windows 9x late in its lifecycle, after Microsoft was able to run everything internally, including laptops, on Windows 2000. While Windows 98SE was fairly good, all things considered, Windows Me was so horrid that one of my magazine editors wrote me and asked me the least painful way to escape it. Windows Me was fast, but it was less stable than 98SE.

What happened? The patches were difficult to install, poorly tested, poorly documented, and it was extremely difficult to know when you needed them. Microsoft’s inability to keep its own servers sufficiently patched illustrates this.

Several things are likely to happen now. People will take non-Microsoft solutions more seriously and, in some cases, deploy them. A not-as-homogenous Internet is good for everybody. Meanwhile, Microsoft will be cleaning up its act, making it easier to ensure that their patches actually work and can be deployed with reasonable ease.

I still think we’ll have disasters like SQL Slammer again. But this is a good step in the right direction.

SQLSlammer takes its toll on the ‘Net

If the ‘Net was slow today, it was because of a new worm, called SQLSlammer, that infected vulnerable Windows servers running Microsoft’s SQL database.
The exploit it used was old, but it was made possible because Microsoft’s cumulative hotfixes not being cumulative, and one of the patches not included, if applied afterward, reverted the server back to its vulnerable state. This was not mentioned clearly in the documentation for the hotfixes. Probably Microsoft didn’t know–until it was too late.

But in some cases it’s not Microsoft’s fault. Try getting a pointy-haired boss to give you 15 minutes’ downtime per server so you can roll necessary security patches across your enterprise. Since many people who ultimately make IT decisions never actually administered a Windows server in their careers, a lot of bad decisions get made and servers stay unpatched, as a matter of policy, either out of fear that a patch that closes a security hole might create a new bug, or that some remote VPN user in Kenya might be trying to work during that proposed scheduled time.

Linux got a bad rap in the security press last year because it allegedly had more security vulnerabilities than Windows did last year–never mind that a vulnerability in, say, BIND would get counted several times because it’s included in every Linux distribution, so whereas a vulnerability in IIS would get counted once against Windows’ total, a vulnerability in BIND might get counted 8 times.

We’ll ignore that. Fine. Linux has a larger number of security problems and vulnerabilities than Windows does. Fact. Undeniable. Fine. Answer this question then: Has any worm affecting Linux ever had the devastating effect that SQLSlammer had? That Nimda had? The most notorious worm that affected Linux was called Slapper. Do you remember it? More than 60% of the servers on the ‘Net run on Apache. A worm affecting Apache should have been huge. It wasn’t.

Statistics are, well, statistics. Just because I can find you a set of numbers that suggests the sky is pink doesn’t make it any less blue.

Why anyone, anywhere, has a Windows server on the ‘Net with anything more than port 80 exposed is beyond me.

Trustworthy Computing? Nice buzzwords. Billy Gates has yet to put any meaning into them.

And incompetence rises. Managers didn’t learn from Nimda, so they won’t learn from this either.

Great combination. What does it mean? History will repeat itself. Something like this will happen again. Probably sooner rather than later.

Worst practices for e-mail

If you want to wreck your computer with a virus and put your neighbors’ computers at serious risk, there’s a really easy way to do it. Just be really cavalier with your e-mail habits. Approach e-mail with reckless abandon, and you’ll quickly receive your just reward.
But if you like having a computer that works well, and you kind of like your neighbors, there are things you can do to minimize your risk. If, on the other hand, you want to leave your mark on the world in a negative way, do the opposite of the things I suggest here.

1. Acquire good anti-virus software and keep it up to date. I’ve been configuring Norton AntiVirus to update itself every day. It’s excessive, but since it’s impossible to guess when the next big thing will come out, and it might hit you before you know about it, it’s the only safe way. Update every day, and keep autoprotect on, so that files are scanned as they’re created. That way, if you get a virus, it won’t get far. I also set NAV to scan the entire computer–all files, not just executable files–at least once a week.

While sweeping the network at work, I found copies of Nimda, but I also found old friends like SirCam, Happy99, PrettyPark, and Kak. Obviously people were aborting the scheduled updates and scans.

2. If you do get infected, don’t count on your antivirus package to completely clean up the mess. Visit www.sarc.com or www.antivirus.com/vinfo/virusencyclo to download a specialized removal tool for the virus your antivirus package caught. Run it to remove any residual damage your antivirus package may have missed.

3. Don’t take e-mail attachments from strangers. I take an even stronger stance than that. Frankly, when someone sends me e-mail with an attachment, the first thing I do is delete the message. I don’t even open it. I don’t care if I’ve known the guy who sent it for 10 years. Some attachments can execute without you even opening the message, so the only safe thing to do is delete it.

The only exception I make is when someone e-mails me and tells me something’s coming. Sure, I’ll look at my friend’s resume, as long as he lets me know ahead of time that it’s coming and I should look for it.

Yes, I miss some good jokes and fun games that way. But you know what? I’d rather be accused of having no sense of humor than to have to rebuild my computer. I don’t have time to rebuild my computer. I’m already too busy rebuilding the computers that belong to people who open each and every e-mail attachment they get.

The virus of the week is W32.Vote.A, which masquerades as a chance to vote for peace or war between the United States and the Middle East. It doesn’t actually let you vote; it e-mails itself to your contacts and deletes files off your drive.

4. Don’t be the first on your block with the newest Microsoft software. Microsoft continues to refuse to take security seriously. No one in his right mind should be running Internet Explorer and Outlook Express 6.0 right now. Every single dot-oh release from Microsoft in recent memory has been an atrocity. Get Internet Explorer 5.5SP2 and stick with it. It’s fast, it’s as stable as anything Microsoft has written, and all the known holes that viruses exploit have been patched. Is the same true for 6.0? Who knows?

5. Don’t use a Microsoft e-mail client if you can help it. Microsoft’s the biggest kid on the block, so their mail clients are the most frequent targets. They also have more security holes in them than a vacant building in East St. Louis. There are a number of competent alternatives out there, including Pegasus, Netscape Messenger, and Qualcomm Eudora. (Just watch out for Euroda’s spyware–run Ad-Aware from www.lavasoftusa.com after you install Eudora.)

6. If you must use a Microsoft e-mail client, turn off the preview pane. Also, go to the client’s security options and put it in the Restricted Sites zone. That way when some idiot forwards you a message with hostile ActiveX code in it to automatically execute an attachment that e-mails itself to everyone in your inbox and address book and then low-level formats your hard drive, you won’t be affected. There is absolutely no legitimate reason for HTML e-mail to contain any ActiveX, Java, or JavaScript.

7. Don’t run any Microsoft software if you can help it. A Mac doesn’t count–the most popular Mac application is (drum roll please) Microsoft Office. Besides, there are plenty of Mac viruses out there to get you too. I’m writing this on a cheap PC running Linux. I use a tiny, lightning-fast mail client called Sylpheed. It takes up 733K on my hard drive. Outrageous, isn’t it? I use a tiny, lightning-fast Web browser called Dillo. It’s secure as a rock because it doesn’t do Java, JavaScript, or ActiveX. It renders pages instantly. It’s 240K in size. They’re both in alpha testing, but they crash less for me than Internet Explorer 5.5 and Outlook 2000SP2. And don’t be fooled by the tiny size: I compiled them for speed, not size. If I’d used size optimizations they’d be a lot smaller.

8. Don’t run your Web site on IIS. Even the Gartner Group is recommending everyone abandon IIS ASAP. It’s impossible to keep up with the patches well enough to prevent outbreaks like Nimda. Nimda knows about 16(!) security holes in IIS that it can exploit in order to send itself to people who visit your Web page. Yes, people try to hack Apache. Of course they do–70% of the Web uses it. But I hear of one Apache vulnerability a year. That compares to one IIS vulnerability a week. It is fiscally and socially irresponsible to bank your business on such an insecure, poorly written piece of software. (This site runs on Apache, and its only downtime in five months has been from a power failure. Zero crashes, no having to take it down to apply a patch. My system uptime reads 112 days.)

Nimda ate my weekend…

I left for Promise Keepers as planned late Friday morning, but not before I had a hectic morning with Nimda. Nimda didn’t spread too far (it seems most people got it from visiting Web sites, and in a lot of cases it was just pieces of it sitting dormant in browser caches), but we had no way of knowing that until we visited virtually every PC on the network. That takes a while–especially when you find people with anti-virus software that came free with a PC they bought in 1995 or 1996 whose definitions were last updated when Ace of Base was popular.
So we have a good argument in favor of kicking Norton AntiVirus into managed mode. And with the large number of unpatched copies of Internet Explorer out there, we’ve got an argument in favor of some kind of site management software so we can push installs.

The choice is pretty simple: Fork out the bucks for site management, or pay me enough overtime to make a downpayment on a house. It’s pretty obvious which decision makes sense.

As for PK, I learned a ton, and the bus ride to and from KC was fun. My buddies and I scored the very back seats. A couple of guys brought their early teenage sons, but for the most part, we were the young rowdies on our bus. (The kids in senior high were on the other bus.) I’ll talk about that later, when I have time to do it justice.

I worked 11 hours today, so I’m tired. I think it’s time for some quality time with my pillow.

When will this virus crap end?

Who in his or her right mind believes the customer is always right? Not I. I’ve seen too many customers who hadn’t a clue about what they wanted, or worse, who deliberately fibbed when the nice survey taker with the clipboard asked them what they’d like: “Mrs. Ferguson, would you like your next car better if it had a heated cup holder?”
The Mrs. (and Mr.) Fergusons of our great land always want a better cup holder, gearshift, trunk, rearview mirror, hood ornament–whatever it might be. We didn’t get to be a consumer society by not consuming everything we could lay our hands on, and in ever bigger, ever better shapes and sizes.

— Robert A. Lutz, Guts

And that, my friends, is why you can’t get anything done with your computers anymore because they’re virus breeding grounds. Microsoft or Adobe come along and ask if you’d like some useless feature, like being able to script inside Outlook or Acrobat, and of course the clueless embeciles say, sure! I might need that feature someday! More likely, that feature will be used against you someday. But we just don’t know how to say no. We gotta have the newest, the slickest, the most feature-filled. Never mind we never touch 90% of the feature bloat, and we complain that it’s too complicated, and the only people who ever use most of the capabilities on the machines on our desks are the virus writers.

BeOS sure has a lot of appeal to me right now–a no-frills OS that’s just an OS, nothing more, nothing less, with simple apps that just get the job done. And all at blazing speed. So the company’s about to go under. BFD. I stuck with my Amiga through Commodore’s troubles, and even for a couple of years after the company evaporated. If the machine works, I don’t really care who else is running the same stuff I’m running. What about support? It’s not like Microsoft fixes its bugs either, so if I’m gonna run an OS that isn’t going to be fixed, it might as well be one that started off good in the first place.

What to do with unexpected attachments

Virus insanity. Dark and early yesterday morning, a warning from the good Dr. Keyboard made its way across the Atlantic and into my inbox. “Beware nakedwife.exe,” it said, with a postscript: “Who would open an unexpected executable anyway?”

Bright and early yesterday morning, I responded. “About 90% of the users I support. Thanks for the heads up.”

Fortunately for me, our e-mail administrator remembered the chaos wrought by LoveLetter nearly a year ago and filtered out the attachment at the server side. If what’s now known as W32.naked ever arrived at my place of employment, Outlook literally never knew what hit it.

Unfortunately for everyone else, the vast majority of people–including people savvy enough to build their own PCs and even network them–seem to just blindly open any attachment people send to them. And that’s how computers get infected, and messes like W32.naked spread.

When an unexpected attachment arrives, there are two and only two safe things to do with it:

1a. Update your virus definitions
1b. Detach the attachment, saving it to your desktop or someplace else
1c. Scan the attachment for viruses, and if it’s infected, delete it immediately.
1d. Verify the attachment is indeed what it claims to be. Open it in WordPad before opening it elsewhere. You’ll develop an eye for what a JPEG file looks like in WordPad, or an MP3 file, etc. Open a few files you already know are JPEGs and MP3s to get your eye trained. If what you see is what appears to be executable code, the file’s not what it appears to be. Delete it immediately.
1e. If you must, now that you’ve verified the file isn’t anything dangerous, open it for your viewing pleasure.

Steps 1c and 1d can be interchanged.

Or:

2. Delete the file.
(optional step 2b). E-mail the person and kindly ask them not to send you that kind of stuff anymore.

I don’t have time for process 1. At work I’ve got computers to set up, computers to fix, documentation to write, meetings to attend, people sticking their heads in my cube (I really must look into getting a pair of Mastiffs to keep at my cube’s entryway to keep that from happening), so e-mail attachments at work go straight to file 13 about 90 percent of the time. Hello, strange file. Now that I’ve met you would you object to never seeing each other again? You can leave a message but I’ll only press erase, let’s skip hello and go straight to goodbye. Now that you’ve seen the doctor, don’t call me anymore. I think you get the point.

It’s much better to miss the occasional joke than to lose data and then have to spend all day reinstalling everything. Whatever happened to telling jokes in person, anyway? Seems a lost art these days…

There really isn’t a good way to automate the process and keep your computer safe. Trust me, if there were, wouldn’t you think I’d have figured it out? You’re talking to the guy who spent a week trying to figure out how to get Windows 9x to boot out of a ramdisk, after all.

Of course I’m mostly preaching to the choir here. But maybe this is a new concept to someone out there…

LoveLetter is just a symptom of worse things to come

The virus parade continues. I saw some really disturbing speculation on BetaNews today. Of course there’s the news of 10 variants on VBS.LoveLetter. Worse yet, there’s speculation of what kind of havoc a trojan horse jumping on ICQ could cause. I don’t know if ICQ is scriptable, but what if someone implemented a program that contacts the ICQ network (possibly by borrowing code from one of the open-source Linux ICQ clones), then sends itself to all of your ICQ contacts? A lot of ICQ users indiscriminately accept and run any file sent to them. Just another conduit. Hopefully it’s beyond most virus writers. (Most virus writers are on my programming level. If I download a real program, you know, like an open-source Linux utility, I’m pretty clueless about four lines in. I can follow virus code, because it’s simple.)
Microsoft really needs to start giving a rip about security. I know it’s fashionable to bash MS, but I was bashing them back in 1990 and never really stopped, so hear me out. There’s just far too much exploitable scripting capability in contemporary MS products. Worse yet, these languages don’t abort on errors anymore, which creates a breeding ground for new viruses. When two viruses merge, the code still executes. The gibberish that in days of old would have stopped the program today gets passed over and the program keeps running. I can see popping up a dialog box that says “Run-time error,” with two buttons (continue and abort). I longed for that years ago when I still aspired to be a programmer. But no, that’s not dummy-proof enough.

Well, guess what? Now our computers are so dummy-proof that they’re time bombs. Thanks Bill. Now we still can’t get any work done. Used to be because it was too hard to figure out. Now it’s because our computers keep getting their system files wiped out.

I saw an Amiga 1200 on eBay for about $75 the other day. Time to throw these MS-infected PCs out the door of a low-flying plane over the Redmond campus, (yes, I know there’s a perfectly good possibility they’ll hit someone) and replace them with real computers that are reliable and not afraid of asking the user a question.

But I know good and well I’ll probably just abandon Windows as a primary OS and just run it in VMWare sessions. At least then, when Windows decides to take a dump all over itself (or let some virus do it), the mess is confined. Not that I have a virus problem because I open things in Notepad before doing anything with them, but we’ve already been through that.

Another observation. This one’s shorter, I promise. Are we so love-starved that we’ll open some attachment called “love letter” without even looking at it? That all of our better judgment gets suspended until it’s too late? (I ask as U2’s “Who’s Gonna Ride Your Wild Horses,” which might as well be about my last serious relationship, comes on over my.mp3.com–very funny.)

Hey, there’s a song in there somewhere. “Love by Outlook.” Hmm. Time to go give the synth a workout.

Oh yeah. That question I asked. I don’t have a good answer for it. An evangelist in Columbia thought he had the ultimate answer. Didn’t work. So I ended up moving to St. Louis to get a new start. New old familiar territory, got a new job, signed a book deal, and life was good again. I doubt that’ll work for everyone else. But it’s a lot better than an e-mail attachment.

Dave’s rules for safe e-mail usage

Dave’s rules for safe e-mail usage. Please feel free to copy and paste and save this for future use. Print it out and hang copies next to your users’ monitors if you want. Make a poster out of it, I don’t care.
1. Don’t execute unexpected attachments. There’s a lot of cutesy stuff going around out there. Do you know where it came from? Do you know that the person who sent it to you scanned it for viruses? Five bucks says they didn’t. Happy99.exe is a good example–it shot off nice fireworks, then proceeded to e-mail itself to people for you and replace a critical system file. How nice of it. I don’t care how funny or how cute some attachment is, I don’t run it. Period. I don’t have time to scan it for viruses, so I can’t run it safely, and I certainly don’t have time to recover from a formatted hard drive, so I delete all unexpected attachments. Usually I make time to mail the user who sent it and tell them not to send me that crap.

2. Think twice before double-clicking on attachments, expected or unexpected. Do you know what it is? If you can’t tell a GIF or a JPEG from a Word document or an executable, you have no business double-clicking on attachments. Delete whatever it is. It’s better to miss the joke than to end up with a formatted hard drive (which you don’t have time for–see #1).

3. When in doubt, ask questions. Don’t be afraid to shoot back an e-mail message asking what an unexpected piece of mail is before opening it. You think if my editor sent off an unexpected piece of mail saying O’Reilly’s cancelled my new book, I wouldn’t ask questions? Why should an unexpected attachment from him be any different?

4. Change your stationery. On one of my work computers, where I have to use Outlook (company policy–maybe that’ll change now), I changed my stationery. In addition to my name and title and contact info, I include a line that reads, “This message should have arrived without attachments. If there are attachments, DON’T OPEN THEM!” I have to remember to delete that line manually on the rare occasions when I do send attachments. But if a virus ever hits and I do inadvertently run it, at least its cargo goes out with a warning.

5. Don’t send people executable attachments. Better yet, don’t send them unarchived Word and Excel documents either. Zip them up first. They’ll transfer faster because they’re smaller when they’re zipped, and the person on the receiving end can have better peace of mind, because viruses generally don’t send out zipped copies of themselves, and infecting a zip file is much more difficult than infecting an unarchived file.

6. Avoid using attachments whenever you can. You have network drives at work? Use them. Save it to the network, then send a message telling your coworkers where to find it. Just found a hot new shareware program? Send the world a link to it, rather than the program itself. Involving fewer computers in the file transfer speeds up the transfer and lowers risks.

7. If you must view Word, Excel, and other MS Office attachments, do so with something other than Office. View Word documents in WordPad. Yes, WordPad is slow and dumb. That’s the point. It’s too dumb to let the virus do anything. Microsoft provides Excel and PowerPoint viewers. Download them and use them to view attached e-mail. Those viewers are too dumb to let viruses do anything too.

8. Fight the machine. The more you deviate from the norm (Windows 98, Outlook and the rest of MS Office, Internet Explorer), the less susceptible you are to viruses. Why do virus writers target MS Office on Windows? Well, besides it being the second-best virus toolkit in existence, it’s also extremely common. If I’m a bored loser who wants to hear about my own exploits on the news, I’m going to aim for the largest audience possible. That happens to be Windows/Office/IE. I can’t avoid MS Word, but I’ll take my computers to the pawn shop before I use Outlook and IE exclusively.

Alternative applications and OSs aren’t just trendier, they’re safer. If StarOffice or WordPerfect Office running under Linux will let you get your work done, think about it. You may be in the minority, but you’re a lot safer.

LoveLetter ruins my day

I hate viruses. So. I stumble in to work Thursday. I make the mistake of checking my mail before I’ve had my coffee. Mail from a VIP. “Please kindly check this …” I read no further. I spy an attachment, so I do exactly–in my mind–what it asks. I open the attachment in Notepad and look at it. Hmm. A VBscript program written by someone who doesn’t like school. Hmm. Wait, why’s this thing messing with the registry? Why’s this thing making copies of some files and deleting others? Crap! This is a virus! Who else did she send this to? Meanwhile a neighbor’s jabbering away at me about something or another. “Shuddup!” I tell him as I print it out. I print the code (4 pages I think), grab it, circle a couple of offending lines of code, then rush upstairs. Yep, you’ve got it. We were infected with the now-notorious “Iloveyou” virus.
Yeah, loser. I love you too, but only because Jesus says I have to love my enemies. So, God bless you, whoever you are. You’re gonna need that and more. Bad.

I located two infected computers, then I called the wisest, coolest head in the organization (our Unix ubermeister) for advice on how to proceed. This was a good 2-3 hours before Symantec had a fix posted on its Web site. He said he and one of our ace programmers had dissected the code and determined all of the changes it makes. He had registry entries to fix and files to look for. Armed with that info, I was able to put out the fire pretty quickly (silently reminding myself that using Netscape and Eudora instead of Internet Exploiter and Outlook sometimes really has its advantages), but it turned into a very draining day.