New virus trick

---

From: helpdesk@tellumat.com  Add to Address Book
To: joftech@yahoo.com
Subject: Re: Order
Date: Thu, 25 Aug 2005 13:05:21 +0530

Thanks!

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com

Attachments
Attachment scanning provided by:

Files:
all_in_all_newsfeed.zip (31k) Save to Computer - Save to Yahoo! Briefcase
Delete Reply Forward Not Spam Move...
Previous | Next | Back to Messages www.messagelabs.com
Save

---

The above message from my mailbox is a virus (Netsky). I doubted the message - I know a virus when I see one - but I still proceeded to open it and lo and behold Yahoo Mail was smart enough to detect it. It's a zip file and it was purported to have been scanned by "messagelabs". Can anyone see the ingenuity of this nicely crafted e-mail?

Now I have to block the downloading of zip files on my gateway; I only used to block exe, dll, cab, shb, vbs, etc before.

Like my security paradigm whether you know the sender or not think twice and be prepared before you open.

Use Linux

c0dec:

use linux

I have been using Linux as a gateway for the past 3 years now. Strickly terminal/ssh though.

I open any mail without thinking. Virus? What is so called?

Linux viruses could easily be written, it's just not worth it for most hackers. Chances are that the kind of people who use Linux don't have much money for a hacker to steal.

Viruses are not written basically to steal money,as if windows users are all millionaires or sumthing. Most windows users are using pirated copies.Correct me if am wrong? Viruses are written just to create havoc. The reason they cannot work so well in Linux is that by design, Linux systems are security conscious. You can't do anything that will affect the running of the system without signing in as SU(super user) or root.

Windows we all know is not like that. That is how come, macros can be written to take advantage of Activex lapses using IE and Outllok. Look at the "I love you" virus. Apart from this is number. Since you guys are the most available, why would I target a less than 10% OS users of Mac OS , BSD, Linux when I have a chance of making a name by infecting the 90% who use windoze.

Chances are that the kind of people who use Linux don't have much money for a hacker to steal.

@seun am quite surprised to hear that statement from you. do you think hackers are yahoo boyz; the motivation behind virus coding is not normally for the financial gain, you can hack just for the fun of it, it's only until recently that some organized criminals have started to give incentives to blackhats to hack systems.

And basically there are 3 type of hackers, Whitehats, grayhat and the most dreaded blackhat. All network security experts are expected to be whitehats but some get their blood poisoned.

Mostly virus writers are teenagers that just want to get a kick for doing what they did. Just like that slammer coder.

Anyway Linux users are billionaire, even Microsoft used to use Linux for their websites too, thanks to Akamai.

Accepted. I didn't think that statement through before publishing it.

Hmm... I wonder how your customers would feel seeing that they cannot download executables! How about this? Why don't you run a content filter for the downloads? Use a content filter with your proxy cache (if you use one) and use a free antivirus engine like ClamAV. As a matter of fact most of the antivirus companies (at least I know Pandasoftware) have free Linux versions of their antivirus software. You could easily pay for the updates and have the software do the scanning of the downloaded files before they reach the client systems.

Funny enough I saw something like mod_clamav for Apache! Hmm... I wondering how that could be used.

Hmm... I wonder how your customers would feel seeing that they cannot download executables!

@timba, i have a policy of not allowing the downloading of the following file (exe, dll, zip, mp3, iso etc) to just anyone, apart from the fact about viruses the are bandwidth hog. If they want to download them they notify me and i allow them to do that once they are through i put on the lock again.

I sounds crazy to be formating system everyday. Viruses can wreck havoc on your network if you are not careful. I hope you also know that these viruses can turn your pcs into spambox.

So it's just better to protect yourself than stressing yourself.

ah, security debates about windows vs linux is there nothing better

Personally I am of the beleif that if a hacker really wanted to stuff with your stuff it wouldn't matter what o/s you were running they could do it!

@joftech, if it's your organizational policy to disallow downloads with those extensions, it's okay but have you considered what could happen if someone downloads a file with a .txt extension but the Content-Type is that of VBScript or something like that - it would provide the same effect (depending on the browser) as downloading a .vbs file. May be you should consider blocking by content type instead of by file extension.

Secondly, from experience, I've found out that if you have Windows^TM (since the OS seems to be the one giving the most problems) installed on your client systems, having them automatically download updates (which are executables) and installing them is a good thing - trust me it would save you a lot of headache especially when there's a worm epidemic.

On the network I administer, we use a proxy cache that throttles the bandwidth allocated to a request when the file size of the download is really large. That way, you could choose to download an ISO and it would not become a bandwidth hog for the rest of the Internet users.

Third, a well configured firewall would stop the activities of a number of worms even if they do infect any of your systems. I once had a problem with a mass-mailing worm and I was able to stop the activity of the worm sending itself as a mail attachment by blocking access to the SMTP. The only problem I had with the worm was that it kept trying to resolve MX records for a number of mail destinations - I'm still looking for ways of blocking MX lookup requests from the DNS server (since we don't need it). Do you know how?

I'm still looking for ways of blocking MX lookup requests from the DNS server (since we don't need it)

which DNS are u using?

BIND 9