what gives?? Hey Microsoft, HEL-LO....


Lee Bowman

It seems today that it's not raining 'Microsoft Critical Updates'.
It's pouring them!

Yesterday I got about 10. Early today, it was one per hour, and now
it's closer to two per hour. It raises a few questions with me.

1) Who's sending them? One party or many? If one, why so many? If
they thought they could fool anyone, sending one per hour blows their
cover. I figured that maybe it's because I'm on so many lists. But
two per hour?...

2) What's the point? If it's to open a back door, who will benefit?
If it's just to harass, then what's the payback? It just makes no
sense.

3) Since they're using not only Microsoft's name and logos, and since
the fraud blatantly degrades their image and reputation (to the naive
ones), why aren't they doing anything about it? With their billions,
there must be some way to trace it. Hell, if it were my company, I'd
put out a contract.

Any insights to motive, method, rationale behind it would be
appreciated!

One more thing. I know I could open the attachment on a safe computer
(one without any other files or programs), rename the attachment, and
analyze it as a text file. Not that that would tell me much, other
than the usual 'packed by UPX', and a bunch of binary data. I assume
this should only be done after terminating any LAN connection, to
avoid having your IP address sent out.

But, is there a way to rename the attachment without executing it? In
other words, how do I get it from the email message, but not execute
it? Thanks for any ideas.

In conclusion, the question remains: Why does Microsoft take this
shit?

Regards,
Lee Bowman
 
Yesterday I got about 10. Early today, it was one per hour, and now
it's closer to two per hour. It raises a few questions with me.

1) Who's sending them? One party or many? If one, why so many? If
they thought they could fool anyone, sending one per hour blows their
cover. I figured that maybe it's because I'm on so many lists. But
two per hour?...

Ah - you're getting the slow feed. I had two thousand overnight, and it's
only increasing. It's a virus, and as more people click on the attachment
to "install the update", so they catch the virus and start propagating it
further.
2) What's the point? If it's to open a back door, who will benefit?
If it's just to harass, then what's the payback? It just makes no
sense.

It's a virus. Much like graffiti, it doesn't often make sense. At least
some graffiti is nice to look at. Perhaps it's the desire for
"immortality", where you get to say that for one shining moment, a small
part of you was crapping in everyone's litterbox.
3) Since they're using not only Microsoft's name and logos, and since
the fraud blatantly degrades their image and reputation (to the naive
ones), why aren't they doing anything about it? With their billions,
there must be some way to trace it. Hell, if it were my company, I'd
put out a contract.

I wouldn't be at all surprised to find that MS were already doing whatever
they can to track the perpetrator(s) of this one down. But it's not always
that easy. Remember, you didn't know who sent this one to you, so how do
you track it back? It can be done, but it's often a slow, hit-and-miss
progress. More likely, of course, is that the author let slip something to
someone who'll be quite comfortable exchanging that information for
something he'll find valuable (even if it's just a promise that he'll stay
on the right side of the cell door).
Any insights to motive, method, rationale behind it would be
appreciated!

It's written by someone with an aberrant personality - it's a sociopathic,
antisocial act. Consider yourself lucky that you do not understand it!
One more thing. I know I could open the attachment on a safe computer
(one without any other files or programs), rename the attachment, and
analyze it as a text file. Not that that would tell me much, other
than the usual 'packed by UPX', and a bunch of binary data. I assume
this should only be done after terminating any LAN connection, to
avoid having your IP address sent out.

There are already some very clever people doing just that. You might want
to join a security mailing list, and read someone else's analysis for
details.
But, is there a way to rename the attachment without executing it? In
other words, how do I get it from the email message, but not execute
it? Thanks for any ideas.

I'd advise you not to do that. A little knowledge is a dangerous thing.
Take a programming course, and learn more about your system - eventually
you'll reach a stage where you'll know whether it's safe or not for you to
try this sort of analysis yourself.
In conclusion, the question remains: Why does Microsoft take this
shit?

Because we wouldn't want them "policing the Internet", now, would we?

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 
Because we wouldn't want them "policing the Internet", now, would we?

Thanks for the 'heads up' info, Alun. I've calmed down, now.

Regarding the final point, I agree. Policing might be a bad thing.
In a way, the Internet's like a venue for free speech. I find that
the Internet is making journalists out of us all, and that's not a bad
thing. I'm willing to take the chaff with the wheat.

I do feel, however, that a browser could be designed to protect the
fools that are out there from themselves, by at least warning the
person about opening attachments, or preventing direct disk access
during the opening. That would allow graphics to display, and files
to be opened, but nothing written to disk, without the user performing
an override. Besides .exe's, .scr's and .js files scare me .....
 
Lee said:
Thanks for the 'heads up' info, Alun. I've calmed down, now.

Regarding the final point, I agree. Policing might be a bad thing.
In a way, the Internet's like a venue for free speech. I find that
the Internet is making journalists out of us all, and that's not a bad
thing. I'm willing to take the chaff with the wheat.

Good thing too (I agree). That does mean virus and worm writers however. If
the internet promotes free speech, a virus writer is just another person
saying something you'd rather not hear. Remember *writing* a virus is a
different act from releasing one into the wild. The difference if you will
between exercising free speech to write an anarchist's cookbook... and
becoming a terrorist by actually making up pipe bombs according to one of
the 'recipes' and throwing them at people.
I do feel, however, that a browser could be designed to protect the
fools that are out there from themselves, by at least warning the
person about opening attachments,

To be fair, the current Outlook and Outlook Express clients do exactly that;
in fact they go further and block access to them from the email client. We
get constant complaints from people who just want to switch that feature off
and take their chances rather than learn about how to manage their computer
use responsibly. You can lead a horse to water but you can't make them
drink.

--
 
PSS Security Response Team Alert - New E-Mail Worm: W32/Swen@MM

SEVERITY: MODERATE
DATE: September 18, 2003
PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and
Web-based e-mail

**********************************************************************

WHAT IS IT?
W32/Swen@MM spreads via e-mail and network shares. The Microsoft
Product Support Services Security Team is issuing this alert to advise
customers to be on the alert for this virus as it spreads in the wild.
Customers are advised to review the information and take the appropriate
action for their environments.

IMPACT OF ATTACK: Mass Mailing, disabling processes related to security
software such as antivirus and firewall software

TECHNICAL DETAILS:
For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please
visit the following links:

Network Associates:

http://vil.nai.com/vil/content/v_100662.htm

Trend Micro:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A

Symantec

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
ml

Computer Associates:

http://www3.ca.com/virusinfo/virus.aspx?ID=36939

For more information on Microsoft's Virus Information Alliance please
visit this link: http://www.microsoft.com/technet/security/virus/via.asp


Please contact your Antivirus Vendor for additional details on this
virus.


PREVENTION:

1. This worm is exploiting a previously patched vulnerability. The
vulnerability exploited is related to the following Microsoft Security
Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms01-020.asp

As always, customers are advised to install the latest security patch
for Internet Explorer. Information on the latest cumulative security
patch for Internet Explorer can be found here:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

2. Outlook 2000 post SP2 and Outlook XP SP1 include the most recent
updates to improve the security in Outlook and other Office programs.
This includes the functionality to block potentially harmful attachment
types. If you are running either of these versions, they will (by
default) block the attachment, and you will be unable to open it.

To ensure you are using the latest version of Office click here:
http://office.microsoft.com/ProductUpdates/default.aspx

By default, Outlook 2000 pre SR1 and Outlook 98 did not include this
functionality, but it can be obtained by installing the Outlook E-mail
Security Update. More information about the Outlook E-mail Security
Update can be found here:

http://office.microsoft.com/Downloads/2000/Out2ksec.aspx

Outlook Express 6 can be configured to block access to
potentially-damaging attachments. Information about how to configure
this can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291387

Outlook Express all other versions: Previous versions of Outlook Express
do not contain attachment-blocking functionality. Please exercise
extreme caution when opening unsolicited e-mail messages with
attachments.

Web-based e-mail programs: Use of a program-level firewall can protect
you from being infected with this virus through Web-based e-mail
programs.

RECOVERY:
If your computer has been infected with this virus, please contact your
preferred antivirus vendor or Microsoft Product Support Services for
assistance with removing it.

TECHNET SECURITY LINK:
http://www.microsoft.com/technet/security/virus/alerts/swen.asp

As always please make sure to use the latest Anti-Virus detection from
your Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your
Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the
US, outside of the US please contact your local Microsoft Subsidiary.
Support for virus related issues can also be obtained from the Microsoft
Virus Support Newsgroup which can be located by clicking on the
following link
news://msnews.microsoft.com/microsoft.public.security.virus.

PSS Security Response Team

--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -
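Lee asked earlier in the thread how to get an attachment out of a message without running it, and the PSS alert above describes the defences that matter for this worm: attachment-type blocking in Outlook, and the MS01-020 patch (that bulletin concerned a MIME part whose declared Content-Type did not match its executable payload, which let Internet Explorer run the attachment automatically). The script below is an added example, not code from the thread or from Microsoft. It parses a message with Python's standard library only, never executes anything, and reports the three traits discussed here: a blocked extension, a Content-Type that disguises an executable, and the 'packed by UPX' marker Lee mentions. The sample message, the sender address, the blocked-extension list (modelled on Outlook's attachment block list) and the attachment bytes are all constructed for the example.

```python
"""Added example (not from the thread): pull attachments out of an e-mail
for inspection WITHOUT executing them, and flag the traits the thread and
the PSS alert discuss."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extension list modelled on Outlook's attachment block list (assumption,
# not copied from the alert). Any of these should never be opened directly.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
               ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".reg"}

# MIME types that legitimately carry a native executable. A blocked
# extension paired with any other type is the MS01-020 style mismatch.
EXEC_MIME = {"application/octet-stream", "application/x-msdownload",
             "application/x-msdos-program"}


def assess_attachment(part):
    """Inspect one MIME part as bytes only; nothing is run or opened."""
    name = part.get_filename() or ""
    ext = os.path.splitext(name)[1].lower()
    ctype = part.get_content_type()
    data = part.get_payload(decode=True) or b""
    findings = []
    if ext in BLOCKED_EXT:
        findings.append(f"blocked extension {ext}")
        if ctype not in EXEC_MIME:
            findings.append(f"content-type {ctype} disguises {ext}")
    if data[:2] == b"MZ":
        findings.append("MZ header: Windows executable")
    if b"UPX!" in data or b"UPX0" in data:
        findings.append("UPX packer marker")
    return {"name": name, "content_type": ctype, "size": len(data),
            "findings": findings}


def triage_eml(raw_bytes, outdir=None):
    """Parse a raw RFC 822 message and assess every attachment.

    If outdir is given, each attachment is written there with a neutral
    '.bin' suffix so the host never treats the file as runnable."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        report = assess_attachment(part)
        if outdir:
            safe = re.sub(r"[^A-Za-z0-9._-]", "_",
                          report["name"] or "attachment") + ".bin"
            with open(os.path.join(outdir, safe), "wb") as fh:
                fh.write(part.get_payload(decode=True) or b"")
            report["saved_as"] = safe
        results.append(report)
    return results


def build_sample_eml():
    """Constructed lure in the style the thread complains about: an
    'update' attachment declared as audio but carrying an MZ/UPX blob."""
    m = EmailMessage()
    m["From"] = "Updates <updates@example.invalid>"   # constructed address
    m["To"] = "lee@example.invalid"                   # constructed address
    m["Subject"] = "Critical Update"
    m.set_content("Install the attached update immediately.")
    fake_exe = b"MZ" + b"\x90" * 64 + b"UPX!" + b"\x00" * 32  # constructed
    m.add_attachment(fake_exe, maintype="audio", subtype="x-wav",
                     filename="update.exe")
    m.add_attachment("release notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for r in triage_eml(build_sample_eml()):
        print(r["name"], r["content_type"], r["size"], r["findings"])
```

Run it with a real message by passing `open("message.eml", "rb").read()` to `triage_eml`, optionally with an `outdir` for the neutralised copies. The point of the `.bin` rename is exactly what Lee was after: the bytes land on disk for a hex or strings look, but no shell association will launch them.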
 