
Hackers Serving Rootkits with Bagles

CowboyNeal posted more than 8 years ago | from the worm-in-the-apple dept.

Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail-borne executable, and the addition of rootkit capabilities shows how far ahead in the cat-and-mouse game the attackers are."

150 comments

FIRST TROUT! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15032710)

I AM A FISH!

Re:FIRST TROUT! (-1)

Anonymous Coward | more than 8 years ago | (#15033636)

OMG, AOL!! Er, me too!! I think YFI, though. 0)))

Bagels? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15032714)

Oy vey!

P.S. FIRST PSOTS!

How to tell if you are a linux fanatic. (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15032715)

AKA a nazi fanatic loser.

1. You rejuvenate and dance when you hear a windows flaw exposed, but you conveniently ignore the thousands of security flaws exposed in linux.

2. You yell loudly TROLL! at any person's post or at any person you see posting facts that you do not want to hear about your oh so cool linux.

3. You know it's a classic case of penis envy, you don't have all the support, software and hardware available for linux and you have to let that anger out somewhere, but you don't have the brains to admit it.

4. You hate windows, hate Microsoft, but race to emulate windows, have programs to run office from within linux, and spend $300 on a Windows emulator, only Windows fools.

5. You cannot admit that you don't have professional usage of Linux outside server markets.

6. You cannot admit that most of the joe user out there when told that there is linux will respond, what is that?

7. You cannot admit that there are no professional printing capabilities in linux.

8. You cannot admit that you are a masochist (otherwise why would someone spend hours playing with scripts,
and recompiling programs that are available for Windows?)

9. You cannot admit that there is no professional desktop publishing done on Linux.

10. You cannot admit that no one in their right mind would do professional video editing in Linux.

11. You cannot admit that linux sucks when it comes for gaming/home entertainment or education.

12. You have problems in understanding Windows, and you will blame your own incompetence on Microsoft.

13. You have problems in pointing and clicking, but have no problems in wading through cryptic scripts written by lunatics.

14. Nothing will get past that shit that fills your head, you will not admit to any facts.

15. You can't admit that naming of linux components, packages, and others are weird and fits profiles of troubled teenagers. gentoo, lgx, rpm ....

16. You feel angered because you were left out by microsoft's Media technologies, they support Mac, Sun sparc, but not linux.

17. You feel inferior deep inside but unable to admit it, you don't have a database as easy and powerful as Access.

18. You cannot tell that not a single office package outside Microsoft's is worth looking at or bothering with.

19. You don't know that your CD recorder software sucks.

20. You don't have DVD-RAM, DVD-R, DVD-RW support in your pathetic OS.

21. While the rest of the world moves on, you're stuck in a stone age technology that needs third party software to boot into GUI.

22. You act out of prejudice, you kill file domains and users of specific news readers while you ignore the bullshit that your fellow linux losers post.

23. You don't know commercial support in Linux is almost non-existent.

24. You miss the fact that companies are leaving linux because of the chaos, and the cheap linux losers who are unwilling to pay and support hard work, Corel, gaming companies,...etc.

25. You are unaware that linux has no terminal services (there is a lame one that no one uses), and commercial support for it is not happening.

26. You are unaware that setting up servers on Windows takes a couple of minutes while on linux, good luck playing with configuration scripts.

27. You cannot admit that support for USB on linux is laughable at best.

28. You think that Linux is better because slashdot told you so.

29. You spend countless hours flaming people because they post their opinions about your oh so cool linux and your attitude, instead of researching things for yourself and understanding fact in order not to look this stupid.

30. You think that anyone who uses linux has a clue.

31. You think that linux cannot crash.

32. You think that everyone is interested in your conspiracy theories about Microsoft (or should i say M$ in order for you, teenagers to understand?), and how they destroyed linux, ...etc.

33. You keep ignoring the fact that thousands of linux servers get hacked every year, but it takes one Windows server hacked to get you and your fellow linux idiots to dance and celebrate.

Re:How to tell if you are a linux fanatic. (-1, Offtopic)

ArsenneLupin (766289) | more than 8 years ago | (#15032814)

You cannot admit that there is no professional printing capabilities in linux.

There now is: TurboPrint [turboprint.de] .

It supports all the recent printers, including multi-functionals, and photo printers, from all major manufacturers such as Canon, HP, Epson, Brother, Lexmark, etc.

Re:How to tell if you are a linux fanatic. (2, Interesting)

HaydnH (877214) | more than 8 years ago | (#15032899)

I can't believe you responded to that! Although it did make me laugh... most of the points were hilarious, especially about "no databases for linux as powerfull as MS Access"! I'd love to know what people like Oracle & Sun(PostgreSQL) would say about that.

Re:How to tell if you are a linux fanatic. (1)

pimpimpim (811140) | more than 8 years ago | (#15032988)

"no databases for linux as powerfull as MS Access"! there is an MS Access for linux now? ;) If so, are Ballmer's kids allowed to use it or not?

Re:How to tell if you are a linux fanatic. (1, Funny)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#15032817)

Look out!! He's got a chair!!!

As long as he doesn't fly.. (1)

AnonymousPrick (956548) | more than 8 years ago | (#15032942)

airplanes into buildings, bomb innocent people, or any such violent destructive bullshit; who cares if he does hate MS?

Re:How to tell if you are a linux fanatic. (1)

painQuin (626852) | more than 8 years ago | (#15033019)

pretty much all of those fall into two categories.. "wrong" and "craftily worded"
the ones in the second category all start with "you can't admit that" - they are craftily worded because they are technically true: I won't admit to things that are blatantly false

Re:How to tell if you are a linux fanatic. (0)

Anonymous Coward | more than 8 years ago | (#15033688)

While I agree with you, you're correct in your assessment, I think you give the little maggot too much credit. I feel that the only way this schweinehund could have gotten something this thought out is from somebody else. Possibly M$-originated FUD?

Re:How to tell if you are a linux fanatic. (-1)

Anonymous Coward | more than 8 years ago | (#15033221)

"you don't have a database as easy and powerful as Access"


OMG! I just spilled coffee all over my keyboard - Access is called a DATABASE???? BWHAHAHA !!!

Re:How to tell if you are a linux fanatic. (0)

Anonymous Coward | more than 8 years ago | (#15033303)

11. You cannot admit that linux sucks when it comes for gaming/home entertainment or education.

I play World of Warcraft on Linux... does that count?
 
/runs back to WoW

Re:How to tell if you are a linux fanatic. (0)

Orrin Bloquy (898571) | more than 8 years ago | (#15033559)

The troll is weak with this one.

I've never met these Nazis of yours? (1, Offtopic)

a.d.trick (894813) | more than 8 years ago | (#15033635)

1. I definitely don't ignore flaws in GNU/Linux software, I run promptly off and patch them. As for Windows flaws, I find them quite interesting because they're usually not just a regular typo kind of flaw but something more deep in the architecture, the kind that I want to learn to avoid as a budding computer programmer. Plus I'm a Windows sysadmin and so these will quite possibly affect me personally

2. I've actually never yelled anything on slashdot ( by yelling, I'm assuming you mean typing with caps on)

3. I have one penis, that is enough. Thank you.

4. I don't hate windows, it's more of a strong distaste, like the feeling I have for asparagus. Also, you'll never see me spending money on windows emulation software. I've played with Wine to get IE to work in Linux, but that is because I'm a web developer and I need to test stuff, not because I enjoy that travesty.

5. I'm not quite sure what this means, but I have it on good authority that several large businesses use it on their desktops. NASA is one example, IBM is moving there, and I think European companies have a disproportionately large number of deployments.

6. I don't know any linux user who would be ashamed that people don't know what linux is. It's a bug, but we're working on it. https://launchpad.net/malone/bugs/1 [launchpad.net]

7. Somebody else already spoke to this.

8. Are kids masochists for playing with Legos for hours on end? I do this because I enjoy it. If you don't there are many distros that do not require that sort of thing.

9. Funny, I saw an article in newsforge about a professional publisher that used about half linux, half windows.

10. I know nothing about video editing, don't really care either.

11. Depends on what you mean. For the 'gamer' types (you know who you are) that is true. It's the main reason I still have a copy of windows. For most people I don't think that's too much of an issue. As for educational software, there's plenty for Linux.

12. I actually find this more true of windows users than linux users.

13. These lunatics are probably smarter than you or I will ever be. And I don't think anyone here has a problem with clicking. It's just really inefficient for some tasks.

14. Yes, and your statement was incredibly factual. Pot, meet kettle.

15. I'm deeply confused what 'gentoo', 'lgx', and 'rpm' have to do with teenagers.

16. I'm actually quite happy with win32codecs.

17. No I'm starting to think your post should have been modded funny.

18. I'm not much of an office user, but OpenOffice works quite fine for me. I love the pdf export option, and its equation writing capabilities suit me well as a math student. Sure it has a few issues, but I like it better than MS Office.

19. I've never had problems with recording in Gnome. It's incredibly easy too.

20. I have a CD-RW, DVD R/RW and it can read and write both CDs and DVD fine in linux.

21. I didn't need any 3rd party software to use X. To get good graphic acceleration I needed the non-free fglrx driver. But the same would be true in Windows.

22. I'm not a usenet user. But I do find emails from Outlook users with their tiny blue fonts annoying so I can sympathise.

23. Did I miss something? What happened to IBM, Redhat, Novell, HP, and several other large companies?

24. That's fine with me. I'll continue to give my money to the companies that stay.

25. I'm not an authority on the issue. But I've heard that the Windows one would be better off to be non-existent too.

26. I've set up Windows about 150 times now. It takes about 3-5 hours to get the computer into a state where it is ready to use (this includes patching, and installing important software like a real web browser, office software, a firewall, AV, etc). An Ubuntu install is about 1 hour.

27. All my usb stuff Just Works(tm). Same with my brother's, and anyone else I've seen.

28. I used linux before I knew slashdot existed.

29. Ah, flaming is fun. I need *something* to justify my existence.

30. This is generally true, for now.

31. If you make something idiot-proof, someone will make a better idiot.

32. It's not conspiracy theories, it's business.

33. see 31.

Am I wrong (4, Insightful)

3.5 stripes (578410) | more than 8 years ago | (#15032717)

Or is it just me who's been reading about rootkits and keyloggers now becoming standard payloads in worms/virus/web exploits?

In the end, they're just another piece of cut and paste code for script kiddies.

Re:Am I wrong (1)

dilvish_the_damned (167205) | more than 8 years ago | (#15032887)

Seen it before/ will see it again.
Back when I was serious about security (and when it was easier/new) I had test systems running and I gathered all of the code/information/executables I could find and ran them against my systems set up for just this task. The most interesting aspect was how easy it was to embed my own payload in script kiddie fashion (knowing shit wasn't required (however I learned the x86 bootstrap via this fashion)), and then how vulnerable the target systems were. Yep, basically DOS/windows. And then things never really got better.
I lost interest in keeping up with the script kiddies and the real programmers behind them, but I would be surprised to hear that the situation had changed in any real fashion.
I view this as "everything is status quo" in the security world. It's all different, yet it remains the same. It's sort of comforting.

Re:Am I wrong (1)

Jessta (666101) | more than 8 years ago | (#15032905)

hmmm...root kits, eh?
seems like the most pointless thing to put in malware, who runs untrusted executables they received in an email as an administrative user?
Some people have learned. It's been ten years of popular email use and ten years of technical people telling users not to run untrusted executables.
It's like telling someone "don't leave that random hitchhiker alone in your house while you go out to work".
I am still amazed that people don't get it. There is still definitely something wrong in the world of user education.

- Jesse McNelis

Re:Am I wrong (1)

rocjoe71 (545053) | more than 8 years ago | (#15033033)

...And it's been nine years of technical people telling users not to use Outlook to read email. Even users who know better can't stop a trojan horse when the email is formatted properly. Just imagine if MS had arrived not invented ActiveScripting. Ugh, I cringe at the thought that we turned a text-based medium into something so harmful.

Re:Am I wrong (1)

SillyNickName4me (760022) | more than 8 years ago | (#15033173)

Don't worry, text based mailers, esp. that one called Pine have quite a nice collection of exploits, so the adding of activescript may have helped making it even worse, but doing away with it doesn't even come close to solving sloppy and buggy code.

Re:Am I wrong (2, Informative)

jayloden (806185) | more than 8 years ago | (#15033731)

No, it's definitely not just you. I work with [removing] IM-based viruses as a hobby project, and there has been a clear shift from simple executable file viruses to full rootkits. Along the way I've seen everything from loading with the shell or userinit to winlogon to bogus kernel drivers.

It's my personal (and professional) opinion that this is likely to become the norm. I give it another year or two before the majority of malware is all rootkit-based. It's far too easy to incorporate rootkit technology, and far too difficult to remove. It seems only a natural step in malware evolution.

I recommend Rootkits: Subverting the Windows Kernel [amazon.com] for further reading on the subject. The first two chapters were enough to convince me that rootkits are a more than viable path for malware to take. Perhaps more importantly, no matter what the security companies put into their software, once the system has been compromised, there is no way to trust the running system, period. The only way to verifiably clean a rootkit-infected system is to take it offline and scan it from a known clean (read-only) media.
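The comment above is the cross-view idea in words: anything that runs on the compromised machine sees the same filtered picture. The Python below is an added illustration, not code from the thread, from F-Secure or from Bagle; all file and key names are constructed placeholders, and the "live" view is simulated by dropping entries the rootkit hides from the enumeration APIs, as the story describes for processes and registry keys (files are modelled too, as the other thing an offline disk scan can read).

```python
"""Cross-view comparison: why an on-system scan finds nothing and an
offline scan from known-clean media exposes the hidden entries.

Constructed example. Names are placeholders, not real Bagle artifacts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemView:
    """One enumeration of on-disk state: files and registry keys, the two
    things a scan from read-only boot media can read straight off the disk
    and the hive files."""
    files: frozenset
    reg_keys: frozenset


# Constructed ground truth for one infected machine: legitimate entries plus
# a dropper, a kernel-mode driver and the keys that load them.
TRUTH = SystemView(
    files=frozenset({
        r"C:\WINDOWS\explorer.exe",
        r"C:\WINDOWS\system32\svchost.exe",
        r"C:\WINDOWS\system32\placeholder_dropper.exe",     # placeholder
        r"C:\WINDOWS\system32\drivers\placeholder_rk.sys",  # placeholder
    }),
    reg_keys=frozenset({
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\placeholder_dropper",
        r"HKLM\SYSTEM\CurrentControlSet\Services\placeholder_rk",
    }),
)

HIDE_MARKER = "placeholder_"  # what the simulated driver filters on


def live_api_view(truth: SystemView, marker: str = HIDE_MARKER) -> SystemView:
    """What any scanner running on the compromised system gets back from
    the hooked enumeration APIs: every entry belonging to the rootkit or
    the malware it protects is dropped. Two scanners share this view."""
    return SystemView(
        files=frozenset(f for f in truth.files if marker not in f),
        reg_keys=frozenset(k for k in truth.reg_keys if marker not in k),
    )


def offline_view(truth: SystemView) -> SystemView:
    """What a scan from known-clean read-only media sees: the driver is not
    running, so disk and hive files are read as they really are."""
    return truth


def cross_view_diff(scanner: SystemView, reference: SystemView) -> dict:
    """Entries in the reference view but not the scanner view were hidden
    from the scanner. Entries only the scanner view has are usually churn
    between the two snapshots; report them rather than silently ignore."""
    return {
        "hidden_files": sorted(reference.files - scanner.files),
        "hidden_reg_keys": sorted(reference.reg_keys - scanner.reg_keys),
        "only_in_scanner": sorted((scanner.files - reference.files)
                                  | (scanner.reg_keys - reference.reg_keys)),
    }


def is_hiding_detected(diff: dict) -> bool:
    return bool(diff["hidden_files"] or diff["hidden_reg_keys"])


def demo():
    """Returns (on-system comparison, on-system vs offline comparison)."""
    live = live_api_view(TRUTH)
    # Two scans taken on the running system pass through the same hooked
    # APIs, so they agree with each other and find nothing.
    on_system = cross_view_diff(live, live_api_view(TRUTH))
    # Against the unfiltered offline view the difference is the hidden set.
    versus_offline = cross_view_diff(live, offline_view(TRUTH))
    return on_system, versus_offline


if __name__ == "__main__":
    on_system, versus_offline = demo()
    print("on-system vs on-system, hiding detected:", is_hiding_detected(on_system))
    print("on-system vs offline, hiding detected:", is_hiding_detected(versus_offline))
    for kind in ("hidden_files", "hidden_reg_keys"):
        for entry in versus_offline[kind]:
            print(f"  hidden {kind[7:-1]}: {entry}")
```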

Before long... (5, Funny)

totalbasscase (907682) | more than 8 years ago | (#15032721)

Next time on Slashdot: "Bagle.GE authors sued by Sony for rootkit copyright infringement!" Honestly though, maybe we should all just start carrying around rootkits on our USB keys. Plug it into your aunt's computer, and she'll never forget your birthday again (even if she wanted to).

Re:Before long... (1)

somersault (912633) | more than 8 years ago | (#15032754)

of course you have to execute a file on the drive manually, since USB drives don't subscribe to the autoplay mentality :p

Your joking has revealed an interesting point though - would it be possible to patent rootkit technology now, or some really restrictive DRM, so that when corporations/the government get around to developing software that wants to restrict our every move, it's already been done/patented? :D I'm not aware of all the intricacies of copyright law and prior art etc, and I'm aware if a government were involved they'd likely do whatever they want.. but still an interesting point.

Re:Before long... (1)

the unbeliever (201915) | more than 8 years ago | (#15032787)

Funny, anytime I plug my USB key into my computer, WinXP asks me if I want to do something with it.

I'm sure if you dropped an autoplay.inf file on the root of the drive, Windows could be tricked into executing it.

Re:Before long... (1)

somersault (912633) | more than 8 years ago | (#15032797)

there's quite a difference between asking you if you want to view the folders on the drive, open in media player etc, and automatically running code without your permission.

Re:Before long... (1)

fbjon (692006) | more than 8 years ago | (#15033540)

The difference can be removed by the magical file autorun.inf in the root of the drive:
[autorun]
ICON=youre_fscked.ico
open=rootkit.exe

Re:Before long... (1)

fbjon (692006) | more than 8 years ago | (#15033563)

And just to disprove myself... autorun doesn't work on USB storage media. Bummer.

Re:Before long... (0)

Anonymous Coward | more than 8 years ago | (#15033605)

It did, was fixed in SP1 iirc

Was quite useful when it worked, USB key+PC owning programs+LAN party = fun

Re:Before long... (0)

Library Spoff (582122) | more than 8 years ago | (#15032827)

This is offtopic but i'll post anyway.

The first couple of USB pen drives i owned had read/write tabs ala 3 1/2" floppy.
The last couple i've owned haven't.
I know virii nowadays aren't the copy themselves across media type, but still i always thought it was a nice feature.

Re:Before long... (1)

Tony Hoyle (11698) | more than 8 years ago | (#15033047)

Yes they do... just create an autorun.inf

U3 drives even automatically run applications that are stored on the drive when you execute it (and the code to do that is just unprotected XML files) - it would be perfectly possible to make a virus that replicated via U3.. just that nobody uses it yet so the virus writers haven't bothered.

Re:Before long... (1)

somersault (912633) | more than 8 years ago | (#15033140)

when we had a discussion on USB security a while ago I was under the impression that autorun didn't work on USB keys. How is a program run 'automatically' if you have to 'execute it' first? And is U3 a type of drive, or a type of application that can be run? :p

The evolving virus (4, Interesting)

ndogg (158021) | more than 8 years ago | (#15032733)

I keep waiting for a virus based on genetic algorithms. I'm certain that it's only a matter of time.

Re:The evolving virus (2, Informative)

arivanov (12034) | more than 8 years ago | (#15032749)

The older DAV and co viruses from the late '90s were polymorphic and changed their code from time to time.

In fact as far as underlying technology goes, the current viruses have regressed back to simple non-polymorphic code. Not entirely surprising considering that they are written in a high level language nowadays. If you look at the recent crop there is anything including Delphi and VB used to write them with some EXE compression at the end applied to get the size down to a reasonable value.

Re:The evolving virus (5, Interesting)

january (906774) | more than 8 years ago | (#15032780)

Agree. This will be a breakthrough, and if anything is a mystery -- then the question, why it hasn't already happened.

Evolving computer programs -- not simple genetic algorithms, but programs that actually "thrive" on CPU time and memory, and compete for these resources -- have been already used to experimentally investigate evolution. Note that there is a serious difference between a genetic algorithm and a truly evolving program. In the former case, the fitness function is precisely defined by the programmer. In the latter, the fitness is just what it is in living organisms -- ability to pass on the genes, or code.

Check out the web page -- http://www.msu.edu/~lenski/ [msu.edu] -- of Richard Lenski, experimental evolutionist (bacteria in a test tube + computer), you will find a nice article on in silico evolution on his web page. The guy has 4 Nature and 2 Science publications only on the topic of digital evolution.

January

j.

Re:The evolving virus (0)

Anonymous Coward | more than 8 years ago | (#15032813)

The reason viruses don't evolve is that current software systems are too brittle. A single bit error can cause a program to fail. It is possible to implement a virtual machine for a more flexible language. That's essentially what Tom Ray did in Tierra [nis.atr.jp] .

Re:The evolving virus (3, Interesting)

aug24 (38229) | more than 8 years ago | (#15032825)

The thing about genetic algorithms to date is that they have only been permitted to evolve within parameters. Evolving better weightings for poker playing bots for example. This is a highly successful technique, analogous to the way the human brain sets itself up - highly structured programming (physical brain) with variable parameters (experience).

If you allow the code itself to evolve (typically achieved with Lisp or similar cos of the convenient tree structure of the code) then the likelihood is that you can write a better program than will evolve anyway, because so many of the evolved programs are utterly useless. This, of course, is the argument for Intelligent Design, except that the planet really does have unlimited time, and there aren't anti-virus companies constantly trying to sterilise the planet (as far as we know! ;-)

Finally, most genetic algorithms require 'sex' type recombination to (randomly and hopefully) whittle away the useless code that has accumulated. This might be a little hard to implement in a cloaking virus - the one thing they don't want is to have any kind of signal that they are there!

All in all, I'll be surprised to see a truly genetic algorithm virus ever. The closest we might see are self tuning ones - eg ones that spot the user is using the machine and back off their spamming activities so that they aren't obvious.

J.

Re:The evolving virus (1)

droolfool (235314) | more than 8 years ago | (#15033332)

"except that the planet really does have unlimited time"
Huh? I'm not even pro-ID, but this is nonsense.
(BTW: I'm neither ID nor a Darwin zealot. I'd rather have a clue and don't pretend I'm so cool because I know the origin of life. Nobody really knows, *NOBODY*, period)

Re:The evolving virus (1)

Illserve (56215) | more than 8 years ago | (#15033429)

The success of evolution in creating us has nothing to do with time.

The reason evolution works for us and not for computer programs is that the language of our DNA is specifically geared to be useful for evolution. From the protein to the cell to the body, the coding system is designed so that new variations usually produce viable offspring. The fact that someone with an entire extra chromosome (Down's syndrome) can exist is a testament to the robustness of this code.

This isn't surprising. Naturally evolution would prefer to stick with a coding system that facilitates faster evolution. Anything else would get selected out.

Re:The evolving virus (4, Interesting)

zerocool^ (112121) | more than 8 years ago | (#15033476)

If you're talking polymorphic characteristics (in viruses or animals), the phrase you're looking for is Heterozygous Advantage [wikipedia.org] . Yes, I do live with a woman who is going to vet school and who has a degree in animal science.

In computer terms, it's going to be hard for random code variations to produce a useful new code segment on their own, for exactly the reasons you describe - there needs to be "sex", or a merging of two codebases, in order to produce surrogate code.

In terms of animals, however, if I may step on my pro-evolution soapbox... This is what all those people at the Institute for Creation Research and Answers in Genesis never talk about. The natural tendency in animals (at least, and probably in other kingdoms) is for the offspring of a non-homogeneous pairing to be *better* than either of the parents. No joke, this is the way it works. Not all the time, but more often than not.

For example, my wife is pretty firmly against the homogenization of the beef industry onto black angus for meat and holstein for milk. The reason being, if you breed nothing but black angus to black angus, you're going to get black angus, which is good, but it will never get better than its parents. If you're breeding black angus and charolais, however, the genetic tendency is that the offspring most of the time will possess the best characteristics of both parents (breeding and birthing ease with black angus, better meat with charolais).

Anyway, I have to go fix a dead UPS.

~Will

Re:The evolving virus (1)

operagost (62405) | more than 8 years ago | (#15033741)

Mixing breeds of the same species and getting better meat or milk is not an example of evolution any more than breeding two Olympic gold medalists of different races to spawn a super athlete. I don't see why a creationist would debate that. About the only people who would have a problem with your Angus-Charolais mix would be the CKK (Cow Klux Klan).

Re:The evolving virus (2, Interesting)

aug24 (38229) | more than 8 years ago | (#15033863)

Thanks for that, interesting.

I'd propose a small correction to what you say: the natural tendency of sexual reproduction is to produce creatures that are either (a) inviable, which typically miscarry, or (b) similar, or (c) better. This would be analogous to receiving two lots of bad code, one of each, or two lots of good code respectively.

AIUI a surprising number of the offspring of higher animals 'spontaneously' abort without the parent necessarily even knowing about it.

Cheers,
Justin.

Re: The evolving virus (1)

Black Parrot (19622) | more than 8 years ago | (#15033976)

> All in all, I'll be surprised to see a truly genetic algorithm virus ever.

I think with the continual increase in CPU power and connectivity, it's just a matter of time before they become feasible.

> The closest we might see are self tuning ones - eg ones that spot the user is using the machine and back off their spamming activities so that they aren't obvious.

Probably the first generation will use mutations to change their AV signatures.
(And that will result in genuine survival of the fittest!)

Re:The evolving virus (1)

master_p (608214) | more than 8 years ago | (#15033004)

Most probably it has not happened yet because script kiddies are not good programmers, so they have no idea on how to do it. Isn't it true that script kiddies use some sort of virus generators to make up their viruses? If so, then it would be easy to spread a virus that is a generator itself.

Re:The evolving virus (1)

Paradise Pete (33184) | more than 8 years ago | (#15033045)

Most probably it has not happened yet because script kiddies are not good programmers, so they have no idea on how to do it.

So that's what, security through immaturity? (heh). Somebody writes the scripts the kiddies use. And some of those kiddies grow up.

Re:The evolving virus (1)

Illserve (56215) | more than 8 years ago | (#15033313)

It's not a mystery at all. GA's are not well suited to this problem. See my reply to the GP.

Re:The evolving virus (2, Funny)

MurkyGoth (690195) | more than 8 years ago | (#15033392)

programs that actually "thrive" on CPU time and memory, and compete for these resources
Aah, you mean Windows, Office, Internet Explorer, Outlook...

(it's anti-Microsoft, dammit, feed me karma! :P )

Professional Attackers (1)

Craig Ringer (302899) | more than 8 years ago | (#15032900)

I'd like to disagree, but with the growing prominence of organized crime, highly profitable spam, and so on, I can't. I'm mildly surprised that one of the bigger organizations hasn't gone out and found someone who can do what they need and has few scruples about doing it when the money is right.

I can only assume that it's not worth doing - ie systems to crack are in such plentiful supply already that there's just no need to bother with real effort.

Re:The evolving virus (4, Insightful)

Illserve (56215) | more than 8 years ago | (#15032921)

It's hard to see why genetic algorithms are an inherently good way to design computer virii. The fitness landscape is not well suited to GAs, it's too rugged. GAs need a particular structure of problem to function well, one in which every change produces an incremental benefit or impairment.

Changing which registry key a worm modifies, or what files a virus affects will cause wildly varying effects, 99.9999% of which will cause either no discernible effect, or blue screen the system. This is not a good setup for the GA to figure out what works best.

So despite the similarity in name and function with biological viruses, computer virii (and worms, trojans etc) are not really evolvable, but need to be engineered.

Re:The evolving virus (1)

Renraku (518261) | more than 8 years ago | (#15033088)

Well, it's not that viruses have gotten dumber, it's that virus scanners have gotten smarter. Why take the time to code a polymorphic program that can be detected in memory anyway? 100% of it would have to be polymorphic.

Re:The evolving virus (2, Interesting)

Anonymous Coward | more than 8 years ago | (#15033147)

Viruses are already a form of genetic algorithm. A slowly evolving (well kind of slow at least) GA. Think about it, all the components are there. The mechanism is the script kiddie. The environment is our computers. The virus codes are all mostly the same (same genes), new ones are created through cut and paste (crossover) and occasionally a new radically more effective one comes out and quickly the entire population moves to this newer, more effective (better fitness) code.

we're all part of a giant experiment!

Re:The evolving virus (1)

neersign (956437) | more than 8 years ago | (#15033267)

it's only a matter of time before CSI has a computer virus DNA scanner/fingerprinter.

It's already happened (1)

MarkusQ (450076) | more than 8 years ago | (#15033946)

It's already happened, but not through the intentional use of genetic algorithms. Back in the late 1980's, there was a virus on MS-DOS that was dirt simple: it would attach itself to two other .COM files provided they weren't already infected and, if the date was Friday the 13th, it would delete files off your system. Now, this might seem like a good design, from a black hat's point of view, but it isn't optimal from the virus's point of view.

Enter natural selection.

As with any repeated copying process, errors eventually creep in. Most of them, of course, undoubtedly caused the virus to fail. But by the early to mid 1990s, there were at least two variants that were seen in the wild that 1) were clearly the result of copying errors, and 2) increased the spread of the virus.

Friday the 13th/Benign did not delete files; thus, it would not suffer a population collapse every seven months or so as did the original.

Friday the 13th/Promiscuous was a sub-type of benign that would reinfect files that had already been infected (thus possibly displacing a non-promiscuous version). This made it slightly easier for users to detect, but gave it a competitive advantage over its rivals.

I think the main reason we don't see this happening with newer viruses is that they are much more complicated and there are more mechanisms in place to prevent copying errors, both of which would drive down the rate at which useful mutations appear.

--MarkusQ

Dupe! (1, Funny)

zaguar (881743) | more than 8 years ago | (#15032734)

It's a Windows security alert! I call dupe! After all the WMF flaws, this latest IE exploit [slashdot.org] and Vista delays, what else is there on /.?

Re:Dupe! (1)

totalbasscase (907682) | more than 8 years ago | (#15032753)

Don't forget the serial [slashdot.org] killers. [slashdot.org]

As seen on their blog page... (5, Informative)

True ChAoS (157946) | more than 8 years ago | (#15032752)

This has been written about before on the F-Secure security blog [f-secure.com]. There's also a nice pic of what all the different parts of Bagle look like [f-secure.com] and how they interact.

Re:As seen on their blog page... (2, Funny)

fbjon (692006) | more than 8 years ago | (#15033600)

There's a better pic over here [cside4.com].

[Off topic] It's not a worm! (5, Interesting)

january (906774) | more than 8 years ago | (#15032762)

It definitely isn't, trust me. I'm a ...biologist.

I mean the picture, of course: http://images.slashdot.org/topics/topicworms.gif [slashdot.org] -- it is an insect larva, not a worm. To be more specific -- probably a butterfly caterpillar.

You want to see a worm? Here -> http://www.desc.med.vu.nl/NL-taxi/ICE/C_elegans1.jpg [med.vu.nl] is a nice picture of C. elegans, The Model Worm (r).

January

Re:[Off topic] It's not a worm! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#15032781)

No shit. I'm not a ...biologist, but somehow I was able to recognize a caterpillar even without your expert advice.

God you're lame.

Re:[Off topic] It's not a worm! (1)

mrselfdestrukt (149193) | more than 8 years ago | (#15032823)

I thought it was a puppy.

Re:[Off topic] It's not a worm! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15032902)

I thought it was the slashdot moderators' collective prick, to scale.

Re:[Off topic] It's not a worm! (1)

Hunter-Killer (144296) | more than 8 years ago | (#15032916)

Could the image be of an inchworm?

http://en.wikipedia.org/wiki/Inchworm [wikipedia.org]

Re:[Off topic] It's not a worm! (0)

january (906774) | more than 8 years ago | (#15033419)

Good point! I forgot that that's the English name for the geometer moth. Forgive me. I should not nitpick until I learn proper English (that is, most probably, never).

j.

Re:[Off topic] It's not a worm! (-1)

Anonymous Coward | more than 8 years ago | (#15033627)

I wouldn't worry. Most of us do not understand 'proper' English.

Re:[Off topic] It's not a worm! (0)

caluml (551744) | more than 8 years ago | (#15032958)

-1, Far too anal. :)

All together now... (-1, Redundant)

fuyu-no-neko (839858) | more than 8 years ago | (#15032773)

All together now...
"It's Cracker, not Hacker!"

Re:All together now... (0)

Anonymous Coward | more than 8 years ago | (#15032784)

Polly wants a "Cracker"

Re:All together now... (1)

ArsenneLupin (766289) | more than 8 years ago | (#15032801)

Polly wants a "Cracker"

Polly gets a "Bagle" instead. Polly is annoyed!

Re:All together now... (0)

Anonymous Coward | more than 8 years ago | (#15032883)

birdie num num

Re:All together now... (0)

Anonymous Coward | more than 8 years ago | (#15032786)

Thank you. I was about to have to do that.

Re:All together now... (-1, Redundant)

xenoterracide (880092) | more than 8 years ago | (#15032807)

mod up please.

Mmmmm... bagels! (5, Funny)

jtcedinburgh (626412) | more than 8 years ago | (#15032776)

Mark me OffTopic if you will (it's Friday and I'm feeling brave, so I'll take that risk), but when I first read this, I read it as:

"Hackers Serving Rootkits with Bagels"

...and I started to think how cool a hacker café would be... then I got to wondering what else you might be able to order at a hacker café:

Trojan Muffins (secret filling might bring surprise!)
DDoS Donuts (very tasty, but eat too many and they gang up on you)
L33t Latté (quintuple espresso with a single shot of milk)
Keylogger Cakes (be careful, they're watching)

...and so on (I shall spare you the rest).

Ah well, as they say in these parts 'ah'll get me coat'...

Re:Mmmmm... bagels! (2, Funny)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#15032824)

Trojan Muffins (secret filling might bring surprise!)
DDoS Donuts (very tasty, but eat too many and they gang up on you)
L33t Latté (quintuple espresso with a single shot of milk)
Keylogger Cakes (be careful, they're watching)

I think ThinkGeek just found their newest product line.

Linuxcaffe...in Canada, of course! :-) (0)

Anonymous Coward | more than 8 years ago | (#15032992)

We Canucks are way ahead of the rest of the world... ;-)
True leaders in operating systems and bagels... ;-)

There is indeed already a Linux caffe... in Toronto, Canada! :-)

http://www.linuxcaffe.ca/ [linuxcaffe.ca]

Re:Mmmmm... bagels! (1)

woolio (927141) | more than 8 years ago | (#15033095)

Perhaps one might be interested in a glass of "SSHut the hell up!"

Just kidding - lol

Re:Mmmmm... bagels! (2, Interesting)

thefranktate (964964) | more than 8 years ago | (#15033674)

You should read the book "Golf is a Four Letter Word". It starts out with the author describing his addiction to golf, how it ruined his life, and how he was finally able to give it up. Then starts the sad part - though he has given up the game, his albatross is the need to write poems, limericks, and other wordplays all about golf. It's really, truly sad. And I think you could empathize with the guy :)

Re:Mmmmm... bagels! (1)

Low2000 (606536) | more than 8 years ago | (#15033838)

OMGWTFBBQ Ribs... Pwnage burger...

I guess Fedora Core 5 is safe... (-1, Flamebait)

Sodki (621717) | more than 8 years ago | (#15032777)

... because it doesn't allow loading of non-GPL binary drivers.

Not April Fools Yet! (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15032796)

Wow! I thought 'Slashdot Admins Crapflood Their Own Website Day' was starting early this year in an attempt to actually catch people off guard, but this story is real.

Use RootkitRevealer from SysInternals.com. (4, Informative)

Futurepower(R) (558542) | more than 8 years ago | (#15032822)

SysInternals' free program RootkitRevealer [sysinternals.com] is the best way I know to reveal the presence of rootkits.

In general, any program SysInternals provides is the best in its field, I've found.

Try the just updated (March 7, 2006) version of Autoruns [sysinternals.com] to find nasty stuff running under Windows.

--
Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?
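RootkitRevealer works by cross-view comparison: it takes one inventory through the Windows API (which a hooked driver can filter) and a second one by parsing the file system and registry hives directly, then reports whatever appears in one view but not the other. The following is an added illustration of that technique in Python, written for this thread and not Sysinternals code; the process names, Run keys, the `hiddensvc`/`HiddenRunKey` entries and the name filter are all constructed stand-ins, and nothing here touches a real OS.

```python
"""Cross-view rootkit detection, the approach RootkitRevealer takes.

A hiding driver hooks the enumeration APIs and filters its own entries out
of what they return; a detector re-takes the same inventory through an
independent path (raw hive parse, on-disk directory walk, PID probing) and
reports entries that one view has and the other lacks. Constructed data only.
"""
from typing import Callable, Iterable, Set, Tuple

View = Set[str]


def hooked_enumeration(real: Iterable[str], hide: Callable[[str], bool]) -> View:
    """Stand-in for a hooked API: entries matching the hider's filter vanish.

    Constructed simulation of the behaviour F-Secure describes; no OS calls."""
    return {e for e in real if not hide(e)}


def cross_view_diff(api_view: View, raw_view: View) -> Tuple[View, View]:
    """Compare the API view with the independent raw view.

    hidden  : in the raw view but missing from the API view (classic hiding)
    phantom : reported by the API but absent from the raw view (also suspicious)
    """
    return raw_view - api_view, api_view - raw_view


def stable_hidden(sweeps: Iterable[Tuple[View, View]]) -> View:
    """Report only entries hidden in every sweep.

    A process that exits between the two enumerations of a single sweep shows
    up in the raw view but not the API view once; a lone diff would misreport
    it, so the discrepancy must persist across sweeps taken seconds apart.
    """
    result = None
    for api_view, raw_view in sweeps:
        hidden, _ = cross_view_diff(api_view, raw_view)
        result = hidden if result is None else result & hidden
    return result or set()


# Constructed inventory of what is really running / registered on the box.
REAL_PROCESSES = {"winlogon.exe", "explorer.exe", "hiddensvc.exe", "notepad.exe"}
REAL_RUN_KEYS = {"ctfmon", "HiddenRunKey", "SomeUpdater"}


def name_filter(entry: str) -> bool:
    """Constructed stand-in for the driver's list of names to hide."""
    return entry.lower().startswith("hidden")


def demo() -> View:
    """Two sweeps; notepad.exe exits between the enumerations of sweep one."""
    api1 = hooked_enumeration(REAL_PROCESSES, name_filter) - {"notepad.exe"}
    sweep1 = (api1, REAL_PROCESSES)            # raw view still saw notepad
    later = REAL_PROCESSES - {"notepad.exe"}   # it is gone for sweep two
    sweep2 = (hooked_enumeration(later, name_filter), later)
    return stable_hidden([sweep1, sweep2])
```

A single diff of the first sweep would also flag notepad.exe; the persistence check across sweeps leaves only the genuinely hidden entry.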

Re:Use RootkitRevealer from SysInternals.com. (1)

jez9999 (618189) | more than 8 years ago | (#15033465)

That's nice, but the vast majority of crap will install itself in some standard startup places, and can be caught doing so by StartupMonitor [mlin.net]. Thanks for the link, though.

Einstein's (-1, Offtopic)

mnemonic_ (164550) | more than 8 years ago | (#15032871)

Why the FUCK doesn't Einstein's have onion bagels? That's the best god damn flavor for god's sake.

I blogged Ubuntu LiveCD to explain to noobies (5, Interesting)

ScrewTivo (458228) | more than 8 years ago | (#15032892)

I got so tired of explaining it over and over. Ultimate Spyware/Virus Blocker [blogspot.com]. If you think there is something I need to add or remove then please leave a comment.

My friend is opening up a coffee shop that will have an ap. I will make some copies of Ubuntu for the customers to use.

Now where do I find a dentist for the rootkit I received when I didn't take my own advice :)

Re:I blogged Ubuntu LiveCD to explain to noobies (-1, Troll)

hanzdamanz (727752) | more than 8 years ago | (#15032977)

Please don't propagate an OS which leaves its root password in its installation log [slashdot.org] as an 'Ultimate Spyware/Virus Blocker'.
If you're serious about security have a look at OpenBSD [openbsd.org].

Re:I blogged Ubuntu LiveCD to explain to noobies (0)

Anonymous Coward | more than 8 years ago | (#15033839)

  1. He's not proposing that people install it.
  2. That bug is fixed now.
  3. BSD is dead. Netcraft confirmed it years ago

Re:I blogged Ubuntu LiveCD to explain to noobies (0)

Anonymous Coward | more than 8 years ago | (#15033899)

"That bug is fixed now."

Yeah, but the same reason nobody thinks Windows is secure, whenever all the bugs are fixed...

The Ubuntu devs are not serious about security if they allowed a bug like THAT to happen. OpenBSD wins, security-wise.

(by the way, original guy with the website: one thing you might add is making the text readable- it's pretty small and strains the eyes in firefox, and is just plain painful in Opera)

Human intervention still needed... (1, Insightful)

clevershark (130296) | more than 8 years ago | (#15032893)

No matter how nasty worms get a user still has to execute them for his/her PC to become infected -- and even then with a decent setup there's still the possibility/probability of a correctly-setup anti-virus prog checking the message between the user's click(s) and the execution of the malware.

So, malware makers are not so much "ahead of the game" as "still reliant on the problem that exists between the keyboard and the chair."

Re:Human intervention still needed... (1)

Tim C (15259) | more than 8 years ago | (#15033139)

No matter how nasty worms get a user still has to execute them for his/her PC to become infected

No. That's the whole point of a worm - it spreads itself without need for user intervention. Typically they exploit holes in server software, using buffer overruns and similar to cause it to execute a copy of their code. They then infect the machine and look for other hosts to spread to.

Bagle and similar email-borne "worms" generally are not true worms, in that they generally do require user intervention. While they spread themselves (by grabbing addresses out of the email address book and mailing copies of themselves to each), the user has to actually execute the attachment. Thus they are not strictly worms.

Note that true worms, such as Slammer and the Morris worm, are relatively very rare, as they're so much harder to write.

Re:Human intervention still needed... (0)

Anonymous Coward | more than 8 years ago | (#15033548)

Ok, so if I get a group to hack www.nai.com and plop my worm into the latest sdat.exe file that everyone downloads and installs for their antivirus it would spread faster than any worm seen to date.

All a skilled scum-hat cracker needs to do is compromise a very popular site that has an EXE as an update download for the unsuspecting users to gleefully download and run.

Not hard to do.

Re:Human intervention still NOT needed... (1)

danskal (878841) | more than 8 years ago | (#15033581)

I don't know where this myth comes from, but you only need to look at Microsoft's own security bulletins to see that this just isn't the case. Unchecked buffers resulting in buffer overflows mean that a cracker can install and run any code he likes, without you ever knowing about it.

For example [eweek.com]

Here is an excerpt:

Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action.

Worse than that, the bad guy doesn't need to install a virus, so your virus checker probably won't notice. And even spyware scanners will only work if the bad guy uses code that the AdAware guys and their friends know about.

This, my friends, is why everyone is switching to Firefox

--------
Hey, who needs a sig? Not me!! Oh wait...

Re:Human intervention still needed... (1)

reclusivemonkey (703154) | more than 8 years ago | (#15033752)

No matter how nasty worms get a user still has to execute them for his/her PC to become infected
DING! WRONG ANSWER
Seriously, how the hell did this get modded "Insightful"??? Obviously a low /. UID is no guarantee of technical acumen.

Please educate yourself; http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp [webopedia.com]

A new taste treat (2, Funny)

digitaldc (879047) | more than 8 years ago | (#15032955)

Your O/S locks with Bagels, sir.

Shows what the hackers know... (1)

ProstheticSwan (754025) | more than 8 years ago | (#15033329)

You call these bagels?!

Ever Notice That (0, Offtopic)

popo (107611) | more than 8 years ago | (#15033413)

Mac users typically know very little about windows or linux, and yet they still claim they use the "best" operating system?

The Mac equation is a minimal set of software options and guaranteed interoperability. It's idiot proof. That's what people like about it.

It's also IMHO what sucks about it.

I have a mac, I have a pc and I have an okay linux box.

The Mac is for sure the sexiest, but it's option-poor. Mac users feel free to flame away, but if you can't back it up with a logical comparison, then you've only furthered my point.

Re:Ever Notice That (-1, Troll)

popo (107611) | more than 8 years ago | (#15033876)

"The Mac equation is a minimal set of software options and guaranteed interoperability. It's idiot proof. That's what people like about it."

How in the f*ck is this "Offtopic" you nimrod?

From the Symantec Web site (1)

Radioheadhead (611950) | more than 8 years ago | (#15033579)

Search Results for: Bagle.GE produced zero results

Mmm, bagles... (2, Funny)

antdude (79039) | more than 8 years ago | (#15033617)

... who doesn't want free yummy bagles to eat? Oh, you mean the computer types... [grin]

where's the logic in creating such bad programs? (1)

PrescriptionWarning (932687) | more than 8 years ago | (#15033707)

Assuming that programmers use logic as I do in my programming, why make these things? If you're out to prove something why not make a useful program that gets noticed merely because of how great it is as it helps people do something, rather than something harmful and invasive.

No matter how hard I try to figure out the reasoning behind creating such devices of invasion, the more confused I get. The only thing that it sounds like is that since they can't physically bully people around they figure they'll do it cyberally(?). If it's a point they're trying to prove, besides the fact that they are complete jackasses, then I do believe it has been lost in the translation. I'd much rather be known for creating something terribly awesome, not awesomely terrible.

Re:where's the logic in creating such bad programs (1)

edmicman (830206) | more than 8 years ago | (#15033903)

I'd much rather be known for creating something terribly awesome, not awesomely terrible.
I, for one, would rather be infamous, than famous.