How easy is it for people to shoot themselves in the foot with SOBIG-E?

[Gary Flynn]

Don't they have to both unzip the file and then choose
to run the included executable? You'd think the two step
process would give their minds time to catch up with their
mouse finger.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

 

[Karel]

Don't they have to both unzip the file and then choose
to run the included executable? You'd think the two step
process would give their minds time to catch up with their
mouse finger.

Selfextracting zip file perhaps Mr. Security Engineer-Technical Services
guy?

 

[FromTheRafters]

Don't they have to both unzip the file and then choose
to run the included executable? You'd think the two step
process would give their minds time to catch up with their
mouse finger.

I always thought that this was a fallacy. If someone
is going to run an unknown executable, why would
it matter if it took one extra step to do so.

In some peoples minds, it may appear all the more
credible for its being "zipped", and as .zip files are
usually of non-executable filetype, many filters will
allow them to pass right through even though it may
be set up to stop all of the "executable" filetypes.

Then it is perhaps only a context menu click or two
away from being activated.

 

[FromTheRafters]

Selfextracting zip file perhaps Mr. Security Engineer-Technical Services
guy?

That would be a .exe executable filetype, no?

 

[Hud]

Don't they have to both unzip the file and then choose
to run the included executable? You'd think the two step
process would give their minds time to catch up with their
mouse finger.

I get the impression from the IT group where I work just using Outlook in the
Auto-preview mode is enough to get it running. Mine came form Tycocorp.com
and was titled Re: your resume.

I get the impression from some of the other posts that it is setup to appear
to come from many different major corporations.

Hud

 

[akhibby]

I get the impression from the IT group where I work just using Outlook in the
Auto-preview mode is enough to get it running. Mine came form Tycocorp.com
and was titled Re: your resume.

I get the impression from some of the other posts that it is setup to appear
to come from many different major corporations.

Hud

My sole copy so far - I'm not popular it seems, I recall getting lots not so
long ago - supposedly came from a university virus list, the file was
"your_details.zi" so it kinda looks like the PIF problem has now extended to
the new version and ZIP extension, however the archive contained
"details.PIF" so he might've fixed the PIF portion.

That's the trouble with VXers, you just don't get any quality control, D- at
best.

Ian

 

[kurt wismer]

Selfextracting zip file perhaps Mr. Security Engineer-Technical Services
guy?

no, as a matter of fact it's a plain *.zip file...

of course windows explorer in xp pro (and perhaps xp home) has native
support for zip archives... and even outside of xp, winzip and it's
cousins are pretty ubiquitous...

in spite of that, i think gary is still right, there are extra clicks
involved in activating this thing than you would expect from something
that hopes to be successful... on the other hand, i'm often surprised at
how successful folks can be when plumbing the depths of human stupidity,
so who knows...

 

[kurt wismer]

I always thought that this was a fallacy. If someone
is going to run an unknown executable, why would
it matter if it took one extra step to do so.

true, but don't you have to be *more* click-happy in this case? it's not
a simple double click here...

In some peoples minds, it may appear all the more
credible for its being "zipped", and as .zip files are
usually of non-executable filetype, many filters will
allow them to pass right through even though it may
be set up to stop all of the "executable" filetypes.

that is probably the most reasonable explanation, right there... the zip
file is to get it past content filters...

fewer folks, per capita, may click far enough in to do themselves any
harm, but the trade off is to potentially reach a much larger audience...

 

[FromTheRafters]

true, but don't you have to be *more* click-happy in this case? it's not
a simple double click here...

True enough, it is the difference between being incredibly stupid,
and being *more* incredibly stupid. ;o)

that is probably the most reasonable explanation, right there... the zip
file is to get it past content filters...

fewer folks, per capita, may click far enough in to do themselves any
harm, but the trade off is to potentially reach a much larger audience...

I think that you might be overestimating the difficulty of the extra
clicking vs. the benefit of not being as often filtered. Perhaps this
Sobig family is time constrained in order to provide the coder with
a statistical analysis of these different methods.

I still use pkunzip (from the pk204g package) to unzip files. The other
user of this machine (my sister ~ pretty savvy, but is still learning how
to be {overly} cautious), has been shown several times how to make
use of this utility for her zipped receipts. She still asks me to extract
the files (and scan them) for her. If I install FreeZip (or another really
easy to use context menu or double-click associated utility), she will
do it herself and likely forget the "and scan them" part.

 

[FromTheRafters]

My sole copy so far - I'm not popular it seems, I recall getting lots not so
long ago - supposedly came from a university virus list, the file was
"your_details.zi" so it kinda looks like the PIF problem has now extended to
the new version and ZIP extension, however the archive contained
"details.PIF" so he might've fixed the PIF portion.

That's the trouble with VXers, you just don't get any quality control, D- at
best.

The missing letter is evidently due to the interaction of the coder
not sticking strictly to the protocol, and only some mail handlers
taking exception to that fact. It may be that the coder now wants
to leave that error in so as to not skew the statistical differences
between the other (minor) changes being tested.