North American Network Operators Group


RE: in case nobody else noticed it, there was a mail worm released today

  • From: Michel Py
  • Date: Thu Jan 29 11:24:40 2004

In-line...

> Christopher Bird wrote:
> Please pardon my ignorance, but I am
> *mightily* confused.

>>> Vivien M. wrote:
>>> and ISTR one patch for Outlook 2000 that blocked
>>> your ability to save executables was released)

>> Michel Py wrote:
>> It is the default in Outlook XP and Outlook 2003, which
>> has prompted large numbers of persons to download
>> Winzip, which has not stopped worms from being
>> propagated, as you pointed out.

> Christopher Bird wrote:
> The bit I don't get is how a zip file is created
> such that launching it invokes winzip and then
> executes the malware. When I open a normal .zip
> file, winzip opens a pane that shows me the
> contents. After that I can extract a file or I
> can "doubleclick" on a file to open it - which if
> it is executable will cause it to execute. I
> haven't seen a case where simply opening a zip
> archive causes execution of something in its
> contents unless it is a self extracting archive
> in which case it unzips and executes, but doesn't
> have the .zip suffix.

The point is, if the user opens the zip file in the first place, and if
the file name it contains does not look suspicious, the user _will_ also
double-click on the file within the winzip window, which extracts the
file in a temp folder _and_ executes it.

> Sam Stickland wrote:
> I don't think that was the point Michael was trying to
> make. I believe he meant that MS stopped the ability to
> _even_ save executables attached to emails to disk in
> some forms of Outlook,

Yes. If you send me an .exe file, I can _not_ save it or execute it.
Outlook deletes the attachment, and now Exchange 2003 deletes it on the
server as well before it even has a chance to get to Outlook.
 
> but this did nothing to stop the spread of viruses.
> People simply sent executables as zipped files, which
> people then had to extract to run. Despite the fact
> that an external program has to be used to get to
> the executable, people still run them.

Exactly. Actually, there are faster ways to send executable files
without zipping them: rename the file as .txt, and put a little note in
the email saying that the .txt file is in reality an .exe and must be
renamed. Don't even need Winzip. Voila.

This latest worm is all about social engineering; remember: some users
still fall for the hoaxes that claim Norton or McAfee does not detect a
virus and instruct them to delete a system file. Gee, some even fall for
that herbal stuff that promises to put a foot in their pants. Given the
number of people that have fallen for the "Microsoft update" and the
"7-bit ascii" we are seeing these days, they would rename the file and
run it if they believe they have to do it.

Three years ago, I opened an .exe that contained a virus. At lunch with
my colleagues, we discussed the Florida ballots. In the evening, I
received an email from one of my co-workers whose subject was "Florida
ballots" containing an .exe file; given that the "saddam.exe" he sent
before was rather entertaining, I executed it. The anti-virus signature
was not available yet; busted. Social engineering it is.

The bottom line is this: no matter what safeguards you put in the
system, and no matter how many times you instruct users to be careful
opening attachments, the one and only thing that makes users think is
when they open a worm and get screwed/lose data/look stupid.

Michel.
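As an added defender-side illustration (not part of the thread or of any product it mentions), this is the kind of check a mail gateway needs once a name-based block is in place: instead of trusting the attachment's extension, it looks at the leading bytes and inside zip attachments, so a zipped .exe or an .exe renamed to .txt is still flagged. The blocked-extension set and the sample attachments are constructed assumptions.

```python
import io
import zipfile

# Assumed set of extensions a name-based attachment block would strip;
# the thread's point is that zipping or renaming routes around such a block.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
MZ_MAGIC = b"MZ"  # leading bytes of a DOS/Windows PE executable


def looks_executable(name: str, head: bytes) -> bool:
    """Flag by extension or by content: a renamed .exe keeps its MZ header."""
    by_name = any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)
    return by_name or head.startswith(MZ_MAGIC)


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing flagged."""
    findings = []
    if looks_executable(filename, data[:2]):
        findings.append(f"{filename}: executable extension or MZ header")
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):  # look inside the container, don't trust ".zip"
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted member: content cannot be checked
                    findings.append(f"{filename}!{info.filename}: encrypted, uninspectable")
                    continue
                with zf.open(info) as member:
                    head = member.read(2)
                if looks_executable(info.filename, head):
                    findings.append(f"{filename}!{info.filename}: executable inside archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign note plus a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "see attached")
        zf.writestr("document.txt.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("notes.txt", b"just text"),
               ("readme.txt", b"MZ\x90\x00..."),  # constructed: .exe renamed to .txt
               ("photos.zip", build_sample_zip())]
    for name, blob in samples:
        print(name, inspect_attachment(name, blob) or "clean")
```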