
Pipeline Worm Floods AIM With Botnet Drones

kdawson posted about 8 years ago | from the now-that's-a-worm dept.


Several readers write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."


196 comments


i love it... (5, Funny)

0110011001110101 (881374) | about 8 years ago | (#16133050)

when I get free trojans... it's so embarrassing to buy them in the store...

the internet is a wonderful place

Re:i love it... (1)

Ana10g (966013) | about 8 years ago | (#16133257)

with the advent of the self checkout, I'm beginning to worry that an entire generation of adolescent males (and post-adolescent slashdotters, heh) will not have to experience that wonderful humiliating experience of purchasing trojans from the grocery store! With no common experiences, I predict a demise in the social structure binding us together! What is this world coming to?

Re:i love it... (2, Interesting)

smart.id (264791) | about 8 years ago | (#16133364)

I never understood this. What is so embarrassing about someone else knowing that you are fucking somebody?

Re:i love it... (2, Funny)

Kesch (943326) | about 8 years ago | (#16133476)

It's not that. It's that he's buying the 'Extra Small' ones. (Sorry, I couldn't help it. It was too good an opportunity to pass up.)

Re:i love it... (2, Funny)

sfeinstein (442310) | about 8 years ago | (#16133710)

Heh. And I can't help pointing out that you are most certainly NOT A MARKETER. Can you imagine Trojan or any condom company selling "Extra Small"? Yeah, I'm sure they'd fly right off the shelves.

It would have to be marketed as "Tight-fit Performance Pro" or hidden in with macho words like "Maximum Super-Shrunk Thunderbolt" or something like that!

Re:i love it... (0)

Anonymous Coward | about 8 years ago | (#16133516)

That somebody else might be a friend of your [relative] or [other person who you don't want to know].

Perhaps you don't want people to know you buy [0-100] [small/medium/large] condoms.

Seriously, what's it to you?

Not everybody is comfortable acknowledging stuff like that, much less actively talking about it. Mind your own business.

When you go through several cartons a week... (1)

zstlaw (910185) | about 8 years ago | (#16133780)

Being their pastor / guidance counselor might make the situation awkward. We often have unrealistic expectations that these people will remain pure in thought. Also going through several cases a week during sex-education seminars might give a bad impression.

(I am not a pastor/counselor but a close relative ran an STD clinic that went through a couple cases a week. A bit awkward at times, especially in the bible belt. As a female people assume that you are a prostitute if you buy in that kind of bulk.)

Re:i love it... (1)

iPodUser (879598) | about 8 years ago | (#16133371)

Embarrassing? How is that embarrassing? It's like saying "I'm getting some tonight". More like bragging.

Re:i love it... (1)

Afrosheen (42464) | about 8 years ago | (#16133626)

True that, I buy condoms with a big grin on my face. "Yes ma'am, I AM getting some tonight and for the foreseeable future. I'll take the economy pack please."

Re:i love it... (3, Funny)

inviolet (797804) | about 8 years ago | (#16133734)

True that, I buy condoms with a big grin on my face. "Yes ma'am, I AM getting some tonight and for the foreseeable future. I'll take the economy pack please."

Ah, the 36-count jumbo box... I believe the name for that sized box is "The don't-have-a-Family Pack".

Re:i love it... (1)

rthille (8526) | about 8 years ago | (#16133940)

Yeah, when I was first dating my wife, we ran out and I ran to the store and bought 2 12-packs and a couple of bottles of seltzer water (gotta stay hydrated!) and the clerk's response was, "You must be doing pretty well!" And I replied, "based on what I'm buying or the shit-eating grin on my face?"

Re:i love it... (1)

mackyrae (999347) | about 8 years ago | (#16133954)

Well, if the lady at the counter plays bridge with your grandma, that seems potentially embarrassing. Or if you think the girl at the counter's a hottie, she might think you're a perv or a player or some other type of guy that makes us think you'd be a bad boyfriend, and then you can't hit on her at school the next day.

And the lesson is... (4, Insightful)

d3ac0n (715594) | about 8 years ago | (#16133080)

Don't use IM software unless it's part of a closed, managed network. For example: www.omnipod.com is what we use for inter-office IM here. It's a closed network, and all files sent are automatically virus scanned before they can be received. Safe and effective, and keeps our employees from IM-ing with people outside the company.

Re:And the lesson is... (2, Funny)

OECD (639690) | about 8 years ago | (#16133136)

... and keeps our employees from IM-ing with people outside the company.

Which company is that? I just want to be sure to avoid working there ever.

Re:And the lesson is... (2, Informative)

$RANDOMLUSER (804576) | about 8 years ago | (#16133206)

Many, many companies block AIM at the firewall. Ask at your next interview.

Re:And the lesson is... (4, Interesting)

99BottlesOfBeerInMyF (813746) | about 8 years ago | (#16133334)

Many, many companies block AIM at the firewall. Ask at your next interview.

There is more wrong with the above scenario than just that. Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid. At the former, the working conditions probably suck. At the latter, a competent admin will have a Jabber server that connects to AIM and filters for malware. Otherwise, technical employees are likely to bypass security by SSH tunneling their IM communications, which is a risk in and of itself.

The other thing wrong with this is paying for a proprietary IM solution instead of going with a free, open, standard, interoperable, secure Jabber server. With jabber you can chat with any other Jabber server using a variety of clients on a variety of platforms. Internal communications are fully internal, running on your own server. External communications can be encrypted. Any company that pays for some other, proprietary IM server is probably run by incompetents and should be avoided.

Re:And the lesson is... (1)

TubeSteak (669689) | about 8 years ago | (#16133539)

Many, many companies block AIM at the firewall.
Are they blocking AIM or are they blocking port 5190?

Most companies are just blocking the port.
Hint: You can change what port AIM uses.

Re:And the lesson is... (3, Interesting)

Daniel_Staal (609844) | about 8 years ago | (#16133214)

Which company is that? I just want to be sure to avoid working there ever.

Don't worry. I'm sure everyone there has installed AIM on their computers without letting the IT department know.

Re:And the lesson is... (1)

toleraen (831634) | about 8 years ago | (#16133238)

Any company with an actual IT department. RTFA for an extremely good reason.

Re:And the lesson is... (1)

pluther (647209) | about 8 years ago | (#16133294)

Any company with an actual IT department.

Well damn. I wonder if Intel, Motorola, Cisco, Vodafone, or MCI will ever get "actual" IT departments, as they all currently allow employees to IM to people outside the company, through their firewalls.

Re:And the lesson is... (1)

toleraen (831634) | about 8 years ago | (#16133412)

Congrats, you've listed 5 companies who have assessed the risk of their entire network going down, taking the time to clean everyone's computers, make goddamned sure that everyone has every update available, etc etc, or they've paid a whole lot to ensure everything is going to be properly blocked (not 100% possible). Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.

My hat is off to them for actually fudging the numbers enough to make it worth it! Steel cojones, that's for sure.

Re:And the lesson is... (2, Insightful)

99BottlesOfBeerInMyF (813746) | about 8 years ago | (#16133783)

Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.

Actually I know some of the security guys at one of those companies and I can make a good guess as to how the decision was made. It was probably at a much higher level. "Well should we try to lock down each application on every desktop and have everyone trying to cram everything over port 80 or should we actually let everyone run things on the proper port and then filter things out as we need to?" I'll tell you what one of those companies does when this worm hits their network. They see the propagation behavior as a traffic anomaly on their control panel. Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm. Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic and any other traffic from those hosts that differs from "normal" recorded traffic patterns. Workers can still get to what they need to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations. The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.

And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off is not an acceptable answer anymore for most people, especially not in sales.

Re:And the lesson is... (1)

plopez (54068) | about 8 years ago | (#16133425)

size is no indicator of quality.

Re:And the lesson is... (0)

Anonymous Coward | about 8 years ago | (#16133704)

Keep telling yourself that.

And the lesson is, don't use omnipod, use jabber (4, Insightful)

spun (1352) | about 8 years ago | (#16133188)

It's free and open source. It's scalable. It's easy to install and manage. It runs entirely on your own infrastructure so your messages aren't vulnerable to prying eyes and bored sysadmins of some other company. You can set it up to interoperate with any other IM system if you want to. There's a ton of open source clients available. Safe and effective, and keeps people from spending money on crap "solutions" that aren't.

Re:And the lesson is, don't use omnipod, use jabbe (1)

d3ac0n (715594) | about 8 years ago | (#16133335)

Actually, jabber was one of the options I explored. We didn't go with it because omnipod was already in use by one of our larger branches, and it was simpler to just extend the use of the product. No servers to set up, no additional hardware needed, and low licensing costs. Omnipod worked great for us. For others it might not work so great, but it was our best option.

Oh, and yes, AIM (and YIM, MSN, ICQ and IRC) is blocked at the firewall. Most IM clients are also prevented from being installed by AD policy. I also regularly audit the PCs for unauthorized software.

Our users do actually get a lot of latitude with their machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.

Re:And the lesson is, don't use omnipod, use jabbe (1, Insightful)

Buran (150348) | about 8 years ago | (#16133413)

Apparently you don't allow people to have social lives. Apparently, you think all your workers need to be mindless drones while at work. Guess what -- people work better when they can let their minds wander a bit when they need to during the day.

I guess that's against corporate policy, too, then, since it's quite possible to block file transfers while still allowing people to socialize.

But then, it's so much easier to use "security" as an excuse to clamp down on imagined "productivity threats".

Re:And the lesson is, don't use omnipod, use jabbe (1)

spun (1352) | about 8 years ago | (#16133422)

Well, in your case it makes sense to use omnipod, if a large part of your company is already using it. I guess it would also make sense for firms that don't have the time, inclination, or technical know-how to do it themselves. I'm not that much of an open-source zealot that I can't see there is a place for other solutions. I just finished setting up jabber where I work, so I'm kinda on a jabber kick is all. Instant messaging is really a great thing for business. Many times people have a really quick question that doesn't warrant a phone call but email would take too long. IM is perfect. After setting it up here, everyone I've talked to says they use it on a daily, if not hourly basis.

Re:And the lesson is, don't use omnipod, use jabbe (4, Interesting)

99BottlesOfBeerInMyF (813746) | about 8 years ago | (#16133503)

Our users do actually get a lot of latitude with their machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.

Having worked at a number of programming shops, that doesn't sound like a lot of latitude to me. If you can't install arbitrary software because of an AD policy and you audit people's machines it sounds like a very authoritarian place that does not trust the workers very much. Here we get a choice of computer brand (1 of 3), laptop or tower, any OS we want, and any software we feel like. We're also responsible for keeping our machines moderately secure. We have internal IRC servers and any IM we want is fine. Shop talk is encrypted by policy, either over Jabber or on top of a public network like AIM.

I think it is pretty darn useful. I have a lot of friends and colleagues on both of the aforementioned IM networks who I regularly consult and vice versa. This provides me with an additional resource as well as makes for a more relaxed atmosphere, like when I want to see if my girlfriend wants to meet me for lunch, or just want to chat with old college buddies. I think the fact that my company trusts me is a lot more valuable than tight security policies. Most serious compromises come from within. Because they trust me I'm happier and I'm also a lot less likely to sell them out. Contrary to what you may have heard, studies show the most effective motivation for not exploiting an employer is not fear of punishment or being fired or jail, but an ethical desire to not hurt those who trust you. If your company does not trust you (audits, arbitrary restrictions) then that motivation is removed.

Re:And the lesson is... (1)

tb3 (313150) | about 8 years ago | (#16133254)

Oh, random executable installed in your system32 folder, you say?

No the real lesson here is don't use that half-assed excuse for an operating system for anything more than playing video games.

Re:And the lesson is... (0)

Anonymous Coward | about 8 years ago | (#16133523)

Oh, please do continue... Oh, that's it? Nothing more? No other 'clever' remarks from your side of the street? Only the same tried and true excuse over and over, only repeating what others say on a daily basis, if not for the education of others too simple minded not to catch on but for the simple pleasure it derives... Yes my friend, real lesson indeed...

I am sorry if I don't yawn (4, Insightful)

aepervius (535155) | about 8 years ago | (#16133081)

QUOTE (emphasis mine): "How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad."

The method used after that sounds interesting, but nothing beats "trusting" an executable sent by any source, anonymous or not, on email or AIM. Do that and SOONER or later your day will turn bad.

Re:I am sorry if I don't yawn (1)

TubeSteak (669689) | about 8 years ago | (#16133122)

Seems to me that the main problem is between the keyboard and the chair.

Re:I am sorry if I don't yawn (1)

mrbcs (737902) | about 8 years ago | (#16133338)

hmm, Windows problem again? Seems to me that since the dot-con bubble burst, Microsoft is single-handedly reviving the tech industry. What would all the little computer shops do if they didn't have to fix worms and trojans all day long?

Re:I am sorry if I don't yawn (3, Funny)

$RANDOMLUSER (804576) | about 8 years ago | (#16133169)

...downloads the image18.com file (disguised as a jpeg). Running the file...
User clicks on .JPG file. Operating system (no names, please) looks at file, says "Oh, that's really an .EXE file, I'll just execute it without asking...".
Sounds perfectly sane to me.

Re:I am sorry if I don't yawn (1)

The MAZZTer (911996) | about 8 years ago | (#16133556)

Yeah this is an old trick, there've been file.txt.exe files with a notepad icon for a while now.

What I do is always force file extensions on (except for shortcuts) and I sort/group by file type, so if I download an image/text file and it doesn't get stuck in the image/text file group, I know something's up.

Simple risk mitigation (3, Informative)

LinuxIsRetarded (995083) | about 8 years ago | (#16133082)

1- Don't run as an administrator.
2- Back up your profile regularly.

If you ever get bitten by something like this, it's easy to recover from.

Re:Simple risk mitigation (1)

EmbeddedJanitor (597831) | about 8 years ago | (#16133108)

Try explaining that in terms that the average user will be able to understand.

Re:Simple risk mitigation (3, Funny)

russ1337 (938915) | about 8 years ago | (#16133134)

Try explaining that in terms that the average user will be able to understand.
CLICK HERE [ubuntu.com]

Re:Simple risk mitigation (1)

Pacifist Brawler (987348) | about 8 years ago | (#16133240)

The only reason this attack wasn't launched against Linux was (1) that for every one computer running Linux there are a hundred running Windows and (2) if you installed Linux odds are you have good enough computer habits that you wouldn't fall for this anyway. Seriously, we don't accomplish anything by being high-and-mighty when someone starts beating on the average Windows user. Yeah, the average user with Ubuntu was safe this time, we usually are. Still, attacking AIM isn't aimed at the people who install Linux -- it's aimed at the average user who wants their system to behave like everyone else's.

At least part of the fault is MS' (1)

Kadin2048 (468275) | about 8 years ago | (#16133379)

Not totally true. Almost all of these exploits revolve around getting the user to click on an executable file which is disguised as something else.

For example, you take an executable ("TROJAN.COM") and rename it ("FUNNY.JPG") and for reasons that have never been clear to me, the brainiacs at Microsoft designed their OS so that it will execute the latter file when you double-click on it. This seems pretty retardate; clicking on a file shouldn't imply "open or execute," it either means "open," or it means "execute," but rarely does it mean "do either one." Whether the user is trying to open the file or execute it, is pretty easy to determine from context. If the GUI is displaying "JPG" at the end of the file name, it shouldn't be executed -- period. If they really want to execute it, they can change the file name.

The best solution would just be to make the system refuse to execute code that's not identified in the filesystem as being an executable, say with the suffix and a special icon. A MacOS-style warning the first time any executable is run would also be helpful.

On Linux, you could pretty easily create these safeguards using the execute bit, and linking that to a visible flag in the GUI on the file, and by making all files download by default with the execute-bit set off. It still wouldn't prevent PEBKAC vulnerabilities completely (because if people think there are naked pictures of Angelina Jolie inside, they're going to override any warning you give them), but it would be a big improvement.

At least part of the fault for these exploits lies squarely with Microsoft and the tendency of Windows to coddle users one instant and then throw them to the wolves the next.
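The two disguises the posts above describe (the ".JPG" that is really an .EXE, and the file.txt.exe hidden-extension trick) and the proposal to refuse anything not clearly identified as an executable, turned into a check. This is an added example, not code from any poster; the type signatures, extension lists and sample bytes are constructed for it.

```python
"""Added example: decide whether a downloaded file should be opened, run or refused.

Two checks motivated by the discussion above:
  1. the type claimed by the visible extension must match the file's magic bytes
     (a "photo.jpg" whose bytes start with "MZ" is a PE executable in disguise);
  2. a double extension such as "file.txt.exe" counts as a disguise, because an OS
     that hides known extensions shows the user only "file.txt".
All names and sample bytes are constructed for the example.
"""
import os
from typing import NamedTuple, Optional

# Magic-byte signatures for the handful of types the thread talks about.
SIGNATURES = {
    b"MZ": "exe",                  # PE / DOS executable (.exe, .com, .scr payloads)
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}
DOC_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc"}


class Verdict(NamedTuple):
    action: str   # "open", "run" or "refuse"
    reason: str


def sniff(data: bytes) -> Optional[str]:
    """Return the type implied by the magic bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extensions(name: str):
    """Split 'file.txt.exe' into ['txt', 'exe'] (lower-case, no dots)."""
    return os.path.basename(name).lower().split(".")[1:]


def assess(name: str, data: bytes) -> Verdict:
    exts = extensions(name)
    last = exts[-1] if exts else ""
    # What a user sees when the OS hides the final, known extension.
    visible = exts[-2] if len(exts) >= 2 else last
    kind = sniff(data)

    # Check 2: document-looking name that really ends in an executable extension.
    if last in EXEC_EXTS and visible in DOC_EXTS and visible != last:
        return Verdict("refuse", f"double extension: shows as .{visible} but is .{last}")

    # Check 1: the bytes say executable, the name does not.
    if kind == "exe" and last not in EXEC_EXTS:
        return Verdict("refuse", f"content is a PE executable but name claims .{last or '(none)'}")

    if last in EXEC_EXTS:
        if kind != "exe":
            return Verdict("refuse", f"named .{last} but content is {kind or 'unknown'}")
        return Verdict("run", "explicitly named and identified as an executable")

    # Plain data file: only ever handed to a viewer, never executed.
    if kind in (None, last) or (kind == "jpg" and last == "jpeg"):
        return Verdict("open", f"data file ({kind or 'unknown type'})")
    return Verdict("refuse", f"extension .{last} does not match content ({kind})")


# Constructed samples standing in for the IM-download cases in the thread.
SAMPLES = {
    "image18.jpg": b"MZ\x90\x00" + b"\x00" * 60,      # executable renamed to .jpg
    "image18.com": b"MZ\x90\x00" + b"\x00" * 60,      # honestly named executable
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",    # real JPEG
    "notes.txt.exe": b"MZ\x90\x00",                    # hidden-extension trick
    "readme.txt": b"just some text\n",
}


def run_samples():
    """Map each sample name to the action the check would take."""
    return {name: assess(name, data).action for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = assess(name, data)
        print(f"{name:14} -> {v.action:7} {v.reason}")
```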

Ubuntu actually kind of has this (1)

michaelwigle (822387) | about 8 years ago | (#16133611)

I don't know all the file types this does and doesn't work for but I know that if the execute bit is turned on for an open office document I get the following message:
"Do you want to run "Daily notes and messages.doc", or display its contents?" - "Daily notes and messages.doc" is an executable text file.
Quite handy. I just click on "Display" instead of "Run" and it's all good. Even with PEBKAC the user wants their pr0n "displayed" and they might hit the right button. If the execute bit is off then it just opens in OOo. This doesn't work for all files (I tried with a gif and it opened without prompting about executing) so I don't know how much protection this affords but it's in the right direction at least.

Re:Simple risk mitigation (2, Insightful)

Buran (150348) | about 8 years ago | (#16133474)

The only reason this attack wasn't launched against Linux was

(3) Linux doesn't allow non-root users to install shit in vital system folders and be run at startup.

Re:Simple risk mitigation (1)

tchuladdiass (174342) | about 8 years ago | (#16133473)

Not always an option, if you want to keep your wife and kids happy.
In my case, there is one system that runs windows (the main "family" computer). After the last couple of infections (even with no one logging in as administrator), I've found a way to nip it at the source.
The two major malware infection routes were AIM and Web (they don't do much email on that machine). So, I've got Wine set up on my Linux server with AIM and IE. Windows box has the appropriate icons linked to a Cygwin script that launches a local X server rootless (if it isn't already running), then remotely executes AIM or IE from my server. Net result is that it looks like they are running locally, no one knows the difference, but any malware attacks will only be able to see the Wine container in the server (running under a restricted account). Problem solved.

Re:Simple risk mitigation (1)

russ1337 (938915) | about 8 years ago | (#16133614)

[Ubuntu is] Not always an option, if you want to keep your wife and kids happy..... I've got Wine set up on my Linux server with AIM and IE. Windows box has the appropriate icons linked to a Cygwin script that launches a local X server rootless (if it isn't already running), then remotely executes AIM or IE from my server.
I'm not sure why you went to all that trouble... I just switched our family computer to Ubuntu and loaded chat tools etc. They are fine with it as the icons are there for all the tools they use, and it suits everybody just fine! I just check it once-in-a-while to see if it needs updates, and that is the limit of my involvement/support! Since I've switched over to Ubuntu I've had more time for BF:2, and less time fixing the bloody computer.

Re:Simple risk mitigation (0)

Anonymous Coward | about 8 years ago | (#16133615)

Nice solution, beats RDP/VNC. Mind sharing the Cygwin script (with sensitive information obfuscated)?

Re:Simple risk mitigation (3, Insightful)

(54)T-Dub (642521) | about 8 years ago | (#16133138)

1- Don't run as an administrator.
Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

Now if we are talking about a work environment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalent IT staff on hand to help out with any issues.

Re:Simple risk mitigation (1)

pe1chl (90186) | about 8 years ago | (#16133269)

Easy: use this method. When a given piece of software does not run, complain to its supplier. Ask for your money back. Remove it from the system. Spread the word far and wide.

Software that requires an admin account is soooooooooo 1995. It should be considered obsolete.
When its supplier does not want to fix it, he deserves to go out of business.

Re:Simple risk mitigation (1)

theRiallatar (584902) | about 8 years ago | (#16133361)

Programs which require Admin can be fixed with a quick round of cacls to fix write permissions to the install directory in question (if it's Program Files) and to the appropriate Registry keys, without opening you up to full-write to program files, system32 and the registry.

Learn some basic sysadmin skills and you don't have to worry about programs not running more than once. The other, lazy option is to just create a shortcut with the Run As.... property. Give it an admin account and password and save it for that program. Everything else runs as standard user this way.

Re:Simple risk mitigation (1)

99BottlesOfBeerInMyF (813746) | about 8 years ago | (#16133657)

Learn some basic sysadmin skills and you don't have to worry about programs not running more than once.

The sad thing is, on the world's most popular operating system people have to learn obscure methods that the average user will not comprehend or bother with in order to just run programs. Worse yet, on a consumer desktop where most people want to run executables they don't trust, there is no way to easily run them in an untrusted mode that does not give them default access to the entire user account. It is almost as though innovation had been stifled for the last decade due to some crazy subversion of capitalist market forces... like a monopoly.

Re:Simple risk mitigation (1)

cortana (588495) | about 8 years ago | (#16133848)

If you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.

Re:Simple risk mitigation (2, Insightful)

99BottlesOfBeerInMyF (813746) | about 8 years ago | (#16133964)

you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.

The problem is, to do this you have to have set up a different user account and it has access to all of those files and settings. This is broken conceptually, and in practice the average user does not create a second account, because the average user does not want a second account; they want to run programs without letting them mess anything up. A file follows a desktop metaphor and is understandable. Likewise a user is understood to be a person with access to the machine. If there is only one person using the machine, it is counter-intuitive to create a second user account. Finally, it is unintuitive to have to right click to safely run a program, when it is a reasonable default behavior that most users assume the computer is already doing. Go ask 10 average people if they click on an image someone IM's them if they think that should let a program send e-mail from their computer without asking them. Go ask 10 users if they run a game they downloaded, if it should be able to read their e-mail address book without asking for permission. Most users not only think it shouldn't be able to, but they assume it can't. This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.

Re:Simple risk mitigation (1)

pe1chl (90186) | about 8 years ago | (#16133746)

Programs which require Admin can be fixed with a quick round of cacls to fix write permissions to the install directory in question (if it's Program Files)

I know that, but:

1 - I consider those programs broken, and so does Microsoft

2 - I think the end-user should not be bothered by this, but the programmer should fix it or find a more adequate occupation.

Re:Simple risk mitigation (1)

jandrese (485) | about 8 years ago | (#16133795)

Basic? How in the world is someone supposed to figure out what ACLs they need to set when the application just spits out a "permission error" and quits? Oh, maybe it'll be in the system log? (checks) Nope, by law no useful information is allowed to be put in the system log. If a program wants to write something to the log, it must be of the form "error: Everything is OK" or "error: giving up" and must be repeated 100 times a second.

My experience is that if a Windows application dies due to permission trouble, unless you have some sort of diagnostic that no regular user has ever heard of hooked to the application, your chances of figuring out exactly what permission it's having trouble with are nil.

Re:Simple risk mitigation (1)

EXrider (756168) | about 8 years ago | (#16133867)

Actually Filemon and Regmon [sysinternals.com] can help very much with troubleshooting permissions. I used them to get Great Plains 7 (which is a fucking M$ product btw) running under regular user accounts, extremely time consuming, but worth it in the end.

I agree though... lots of shitty legacy software to deal with. So true on the Event Log LOL.

Re:Simple risk mitigation (0)

Anonymous Coward | about 8 years ago | (#16133430)

Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

Is a year and 3 months long enough?

Re:Simple risk mitigation (1)

Kaenneth (82978) | about 8 years ago | (#16133488)

Running an application that requires you to run as Admin for no good reason is like buying a wallet with a chip that voice announces at random intervals how much cash you have on you.

Solutions (3, Informative)

Beryllium Sphere(tm) (193358) | about 8 years ago | (#16133569)

Within the reach of a normal person, shift-right-click and Run As... will get you temporary and per-process administrator privileges without the insanity of running Internet Explorer as root.

Within the reach of an expert, RegMon and FileMon can point you to the isolated places where changing ACLs will allow the stupid program to run. The most frequent bug is for a program to try to write to one or a few protected locations.

Re:Simple risk mitigation (1)

gutnor (872759) | about 8 years ago | (#16133847)

OK, I have been running in a non-admin account for over 5 years (at home since Win2000 with its magic RunAs command (I know it is sad to think of a su-like command as magic :-) )).
The rest of my family have happily used it for well over 2 years. No incident, no malware crap on their PC. Basically their PC runs as new (no Windows rotting) and they almost never need any support.

It is true that several years ago it was a real nightmare to set up, especially with all the programs designed for Win95. But after the release of Windows XP every major suite has been "ported" to run nicely in a normal user account. It took a little more time for shareware (and strangely multiplatform open source software ... god knows why).

Basically, if a user is a Mac-like user (buys a nice little machine, runs software from major vendors or well-known shareware), there is no problem setting up the Windows machine as a normal user. And you hear from them much less past the first few days. My rule of thumb is: if you think you can migrate this user to Ubuntu, MacOS or anything like that, that means this user is also ready to run Windows as a normal user. (Setting up the beast requires a little getting used to - not neat and pretty out of the box like MacOS.)

The only 2 problems: first, if you configure the machine for a gamer/poweruser wannabe, since most games and tweaking/system utilities still suck and require a little "training". Second problem: if you have a "typical" (as in AOL/MySpace) Windows user that installs tons of shit, cares about nothing and doesn't want to enter his admin password to install NudeBritneySpear.exe. There is nothing you can do for them and unfortunately they represent the vast majority of computer users. If you install MacOS or Ubuntu for them, they will think this system sucks because it doesn't fit their needs (FreeSmileys doesn't run). Sad reality.

Re:Simple risk mitigation (2, Informative)

Software (179033) | about 8 years ago | (#16133875)

Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.
Yep, do it all the time. Even taught the wife how to do it. See http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx [msdn.com] for details, but the basic idea is to run a batch file when you want to be an admin. The batch file gives you admin privileges, starts a process (usually iexplore.exe file:///c:/ , which gives you a normal Windows Explorer), then takes away your admin privileges. Here's the file:
setlocal
REM Account whose password runas will cache (/savecred) after the first prompt.
set _Admin_=%COMPUTERNAME%\Administrator
set _Group_=Administrators
REM Program to start with elevated rights; the file:// URL gives a normal Explorer window.
set _Prog_="C:\Progra~1\Intern~1\iexplore.exe file:///c:/"
set _User_=%USERDOMAIN%\%USERNAME%

REM First pass (no argument): re-launch this same script as Administrator,
REM passing the everyday user name along as %1.
if "%1"=="" (
runas /savecred /u:%_Admin_% "%~s0 %_User_%"
if ERRORLEVEL 1 echo. && pause
) else (
REM Second pass (now running as Administrator): temporarily make the user an
REM admin, start the program in a fresh logon session as that user, then take
REM the group membership away again so the everyday account is back to normal.
echo Adding user %1 to group %_Group_%...
net localgroup %_Group_% %1 /ADD
if ERRORLEVEL 1 echo. && pause
echo.
echo Starting program in new logon session...
runas /savecred /u:%1 %_Prog_%
if ERRORLEVEL 1 echo. && pause
echo.
echo Removing user %1 from group %_Group_%...
net localgroup %_Group_% %1 /DELETE
if ERRORLEVEL 1 echo. && pause
)
endlocal
Instead of iexplore.exe, you can use Quicken.exe, for example. The advantage of using iexplore.exe is that you can launch other processes, such as installation programs, easily. Don't forget PrivBar [msdn.com], either, to show you what your current privilege level is.

Re:Simple risk mitigation (1)

uolirod (1001639) | about 8 years ago | (#16133292)

Uh, anybody smart enough to do that wouldn't find themselves in that predicament, now would they?

Re:Simple risk mitigation (1)

Deanalator (806515) | about 8 years ago | (#16133890)

1. It's not hard in Windows to go from user->admin if you are executing arbitrary code
2. It's not hard to infect backups

is this really a worm when user interaction is req (0)

Anonymous Coward | about 8 years ago | (#16133085)

It seems this is no different than someone sending you
an executable via smtp and the user clicks on it..

imagine a person sending you a link in a msg box,
you click it and another box pops up asking if you
want to run this program...

sounds like a silly thing to me that deserves little attention
from a security standpoint and has more to do with user education.

Good thing it's AIM ... (2, Funny)

(54)T-Dub (642521) | about 8 years ago | (#16133094)

... because it's a well known fact that most AOL users have higher than average internet savvy.

Now I have more reason than ever to install trillian/gaim on newb computers.

Re:Good thing it's AIM ... (3, Funny)

fr175 (999487) | about 8 years ago | (#16133115)

... because it's a well known fact that most AOL users have higher than average internet savvy.
Me too!

Re:Good thing it's AIM ... (2, Interesting)

fr175 (999487) | about 8 years ago | (#16133162)

Now I have more reason than ever to install trillian/gaim on newb computers.
AOL silliness aside, according to (my understanding of) TFA (and, yes, I am new here), this worm spreads by getting users to run a .com file which is disguised as a .jpg. The .com then infects the user's System32 directory and the magic happens. Wouldn't GAIM and Trillian both be vulnerable to this, if they are running on Win machines?

Re:Good thing it's AIM ... (1)

toleraen (831634) | about 8 years ago | (#16133276)

You'd still be vulnerable, but you likely wouldn't spam the linked virus to everyone on your list using gaim/trillian. I would assume that the virus is programmed to expect AIM running, and it probably wouldn't interface with other programs. Then again, IANAP.

Re:Good thing it's AIM ... (0)

Anonymous Coward | about 8 years ago | (#16133290)

When I click on a .jpg URL, Firefox handles it. Why would Windows let a .jpg fuck me over if I'm not using IE?

Re:Good thing it's AIM ... (0)

Anonymous Coward | about 8 years ago | (#16133313)

Windows, by default, hides extensions of files in Explorer. It also allows anything with the extension ".exe" to be executed. Name a file "hotpron.jpg.exe," Explorer will hide the extension, leaving "hotpron.jpg," while still executing the file when the user clicks on it.

Re:Good thing it's AIM ... (5, Informative)

russ1337 (938915) | about 8 years ago | (#16133372)

This worm spreads by getting users to run a .com file which is disguised as a .jpg.
I was surfing pr0n^H^H^H^H^H the Internet the other night and mining some sites... I saw very clever(?) URL's on a couple of websites... they were along the line of:

www.dodgywebsite.com/really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com

Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

You gotta watch yourself
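The two disguises quoted in this thread (a hidden double extension such as "hotpron.jpg.exe" and a URL whose last path segment is really a .com file) share one tell: the real trailing extension is executable while something earlier in the name or path looks like an image. The following check is an added example, not code from the thread; the sample names are constructed to match the shapes quoted above.

```python
import posixpath
from urllib.parse import urlparse

# Extensions Windows will run as a program when the file is opened.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Harmless-looking extensions used as bait in the visible part of a name.
BAIT_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf"}


def suffixes(name):
    """All dot-suffixes of a file name, the last one being the real
    extension: 'hotpron.jpg.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def is_disguised_executable(name):
    """True when the real (last) extension is executable but an earlier
    suffix looks like an image or document, e.g. 'hotpron.jpg.exe'.
    A plain 'setup.exe' is not flagged: it hides nothing."""
    exts = suffixes(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(ext in BAIT_EXTS for ext in exts[:-1])


def is_disguised_url(url):
    """True when the final path segment of a URL is an executable and the
    bait sits either in that segment or in an earlier segment, e.g.
    '.../really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com'."""
    if "://" not in url:          # tolerate scheme-less links pasted into IM
        url = "http://" + url
    head, tail = posixpath.split(urlparse(url).path)
    tail_exts = suffixes(tail)
    if not tail_exts or tail_exts[-1] not in EXECUTABLE_EXTS:
        return False
    if is_disguised_executable(tail):
        return True
    # Bait earlier in the path ('.jpg_' still contains '.jpg').
    return any(bait in head.lower() for bait in BAIT_EXTS)


if __name__ == "__main__":
    # Constructed samples, not real indicators.
    for s in ("hotpron.jpg.exe", "vacation.jpg", "setup.exe"):
        print("SUSPECT" if is_disguised_executable(s) else "ok     ", s)
    dodgy = ("www.dodgywebsite.com/really_interesting_picture.jpg_"
             "/session_ID=2383/wwwdodgywebsite.com")
    print("SUSPECT" if is_disguised_url(dodgy) else "ok     ", dodgy)
```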

Re:Good thing it's AIM ... (0)

Anonymous Coward | about 8 years ago | (#16133650)

What were you doing looking at doggy porn?

Oh wait, you said dodgy... :-P

Re:Good thing it's AIM ... (0)

Anonymous Coward | about 8 years ago | (#16133563)

GAIM FTW. Even though in order to connect to MSN I have to run a beta it still kicks ass.

Snore.... (1, Troll)

Farfnagel (898722) | about 8 years ago | (#16133097)

Wake me up when this crap can affect my Linux computer.

Not to Worry (5, Funny)

Aqua_boy17 (962670) | about 8 years ago | (#16133109)

It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

Re:Not to Worry (2, Funny)

revery (456516) | about 8 years ago | (#16133352)

It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

Senator Ted Stevens responds:
Yes, but you see, the tubes are connected to pipes, and those pipes are connected to larger pipes, and then there are canals, and dams and reservoirs, and other things that are even more complex and convoluted. So you can see by my use of the words "complex" and "convoluted", that it's all terribly complicated. But you are right about one thing: thank God it's not a tube-line attack - I don't know if that's the right word or not - but the tubes, they are the most important part of all the Internets, because that's where we access them, and by "we", I mean me and you.

Next question?

Damn spotlight! (0)

Anonymous Coward | about 8 years ago | (#16133112)

Sometimes I hate Spotlight, I'm trying to find that folder so I can look for unwanted executables but it's coming back with no results. Did the OP spell it correctly?

Why this is important. (1)

AltGrendel (175092) | about 8 years ago | (#16133131)

You probably understand how this works, but I'm sure you can think of someone in your family that you might want to call and warn about this. Maybe you've told them a thousand times about the dangers of clicking on that link, but do it again anyway. I mean, you love them, right?

And if you don't, guess who they'll call first about how their computer has gotten SLOW again.

Re:Why this is important. (1)

fotbr (855184) | about 8 years ago | (#16133171)

My family has figured out that I don't do tech support.

Re:Why this is important. (1)

Rob T Firefly (844560) | about 8 years ago | (#16133303)

Maybe you've told them a thousand times about the dangers of clicking on that link, but do it again anyway. I mean, you love them, right?
I love them a tiny bit less every time I have to do a PC rescue because "it was from someone who would never send me a virus!"

Re:Why this is important. (1)

protohiro1 (590732) | about 8 years ago | (#16133932)

With friends and family who ask me for computer advice I have a new policy. When they tell me they are thinking of getting a new computer and ask for advice I always recommend a Mac Mini or Macbook. When they tell me that a dell or something is cheaper I tell them my new policy: no free support for Windows, sorry. (I'm not a mac zealot either...I don't use any macs anymore, but my wife, sister and parents do because of this policy)

using aim (2, Funny)

thedrunkensailor (992824) | about 8 years ago | (#16133156)

using aim is like being kicked in the balls

Re:using aim (1)

Architect_sasyr (938685) | about 8 years ago | (#16133481)

Oh come on, don't lie on /.

Being kicked in the balls is simpler and much more enjoyable. PLUS you can tell what the person who is doing the kicking is saying to you without a translation tool...

oldversion.com (0)

Anonymous Coward | about 8 years ago | (#16133544)

You must've not heard of http://www.oldversion.com./ [www.oldversion.com] I use version 5.1.3036 myself.

Re:oldversion.com (1)

thedrunkensailor (992824) | about 8 years ago | (#16133659)

Hmm? You actually use AOL-licensed software (albeit "old" versions)? If you're going to do it, at least use GAIM, you heretic.

I know who wrote it!!! Desolator144 did!!! (0)

Anonymous Coward | about 8 years ago | (#16133159)

Desolator144 wrote it! [slashdot.org]

Just make sure you don't have the .Net framework installed, and if you happen to see any worms trying to download it, turn your computer off.

Of course, he's "The Best Programmer in the World", so we're probably all screwed.

since there's a flood... (-1, Offtopic)

rice_burners_suck (243660) | about 8 years ago | (#16133167)

Drones and botnets, eh? Since there's such a flood going on, let's have another one: A flood of information about Taglit-birthright israel with Sachlav Educational Experience. [birthrightisrael.com] Registration is right NOW, and will close in less than a week. If you're eligible (click the link to find out), you can have an amazing and uplifting experience in Israel, free. Hey, this post ain't offtopic: I used the words "drones" and "botnets" in this post. Heh heh heh...

srhit (-1, Flamebait)

Anonymous Coward | about 8 years ago | (#16133224)

and Micha3l Smi7h

Does it run (0)

Anonymous Coward | about 8 years ago | (#16133225)

on Linux?

Tubes Dammit! (1)

GillBates0 (664202) | about 8 years ago | (#16133244)

It's TUBES dammit not PIPES!!11!

And the definition of Tubeworm [wikipedia.org] probably needs to be rewritten.

I love these kinds of attacks (2, Funny)

JoeyJoeJo (595732) | about 8 years ago | (#16133354)

I'm a student employed by the university to fix students' computers in my dorm building. Everyone will click on these links, some more than once. But why do I love these attacks? The hot chicks that will inevitably click the link. I love this job.

Re:I love these kinds of attacks (0)

Anonymous Coward | about 8 years ago | (#16133453)

because 'hot chicks' ALWAYS fall for the geek fixing their computer

...i wish

Re:I love these kinds of attacks (3, Funny)

JoeyJoeJo (595732) | about 8 years ago | (#16133513)

Dear Penthouse, I never thought it would happen to me....

Re:I love these kinds of attacks (0)

Anonymous Coward | about 8 years ago | (#16133542)

The hot chicks that will inevitably click the link. I love this job.
Make sure you port your stream from their webcam to a URL that WE can see... don't hog it!

AIM threat (1)

allfunandgames (1000948) | about 8 years ago | (#16133402)

Um...This won't affect my Mac one bit :P *yawn* I kinda feel bad for PeeCee users though. Well not really. You get what you pay for. It's just unfortunate that you chose the cheap route. It's kinda like eating at McDonald's and expecting to stay healthy.

Too much like Battlestar Galactica? (0)

Anonymous Coward | about 8 years ago | (#16133492)

These types of stories make me think of the new Battlestar Galactica. One "infection" in the wrong place, and everything important gets taken over. Unfortunately, we don't need to be seduced by a hot blonde, just a link to something that we find interesting from somebody we think we can trust. You have to wonder if the real world result might be the same as the show......

And Still (1)

Beefslaya (832030) | about 8 years ago | (#16133816)

Microsoft insists that Users should have access to key system files...to maintain functionality.
ugh..

fuckers stole my system32 folder (2, Funny)

quonsar (61695) | about 8 years ago | (#16133946)

lessee... /, bin, boot, debootstrap, dev, etc, home, initrd, lib, media, mnt, opt, proc, root, sbin, srv, sys, tmp, usr, var - nope, it's GONE!

The question I shouldn't ask was (1)

towsonu2003 (928663) | about 8 years ago | (#16133947)

do the viruses run on linux? or should we file a bug report for that?