User blame IT, Microsoft for virus

Just helped you with some information. You didn't seem to know about the Linux AVs ;)

For some reason, I am running ClamAV :rolleyes:

I find it hysterical how people are quick to blame IT for things like this. One of our engineering libraries that HAD internet access, promptly picked up a virus, then harassed IT over it, amongst other things. So, IT investigated further, found out that they didn't actually need internet access, and promptly removed it.

B
 
For some reason, I am running ClamAV :rolleyes:

I find it hysterical how people are quick to blame IT for things like this. One of our engineering libraries that HAD internet access, promptly picked up a virus, then harassed IT over it, amongst other things. So, IT investigated further, found out that they didn't actually need internet access, and promptly removed it.

B

Linux gives you internet too :D
 
Annoying journalism

The article is titled: "Users blame IT, Microsoft for virus"
Yet the content of the article is clear that 53% of users blame the virus author, and only 30% the IT admin and 17% the OS...

It's like me taking a survey among a group students, finding 2 nut cases who believe that the moon is made of cheese and then writing an article claiming "Students believe moon is made of cheese" :p

Not that I am siding with one or the other side here.. these sort of articles just annoy me. :p
 
the patch for this was released around 20-25 october last year.

windows has got automatic updates, and it is the recommended setting...

i find it hard to blame microsoft...sure there are holes, people make mistakes, it gets fixed. sometimes it even gets fixed quick. yet 4 months later users still dotn have this patch installed and they blame someone else. ok.
 
Casting the blame is easy to do.

Now, reality.

the thing is, if you've got a real mission-critical production system (like a bank) where downtime is an absolute no-no then the sysadmins of said site will have a test system where they will first install the patches and updates from Microsoft - and if it breaks anything, that patch doesn't get installed.

Which means that that mission-critical system might never get patched, or just a few bits and bobs at best - and all is well until somebody manages to bypass all security regulations and unleashes a worm/trojan/TIAL (:p) onto the unpatched system. Then it is night. (I personally have seen a Windows2003 server go down hard, requiring a complete reinstall from scratch after running Windowsupdates to keep it up to date).

On the other hand, you get lazy sysadmins not wanting to patch anything, and they will just leave a system unpatched, hoping for the best.

Another possible scenario is where damagement forbade the loading of patches and updates.

Also, given our exorbitant bandwidth pricing, some companies are unable to afford Windows to update itself.

In all three cases the infection could have been avoided by remaining up to date. The fourth case Telkom is partly to blame for sucking their customers dry.

In general it is also M$'s own fault for not putting in proper protection into its own OS'es. Default deny might have helped here.
 
Last edited:
Well there are the cases of security companies writing code (viruses) to prove that it can be done. Microsoft is to blame here as well as they should already have blocked these exploits .. seeing as they wrote the program and are demanding huge sums of money for their products, they should have at least some sort of guarantee or something.

Managers are at fault too, as it is a increased cost, but true as The Librarian says , many patches just wont work on said systems ans cant be patched, so brings us full circle to the writers of the code. They intentionally wrote the code for malicious purposes.

String them up and off with their necks.....
 
Yes, and no. Many viruses are written because MS are slow to release patches, so by having a virus that exposes this, then MS are forced to act and get their code in order.

People love XP, because M$ was forced to fix all the bugs when the worms/virus hit them so hard and the companies had something to hold them accountable on. So bring the worms on, make windows worth the money you are paying for it ;)
 
Strange then, that my Ubuntu downloads kernel patches weekly...meaning there are lots of holes.

A kernel release is not indicative of a patched hole. Kernel releases include new features, faster code, added functionality, removal of redundant code etc. etc. etc.

Windows in inherently flawed with bad code because of bad system design, and a visual example of that exists with this comparison of the system calls to IIS vs Apache:

http://www.stiennon.com/images/SysCallIIS.jpg
http://www.stiennon.com/images/SysCallApache.jpg

http://www.thisisby.us/index.php/content/why_windows_is_less_secure_than_linux
 
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

*deep breath*

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

*deep breath*

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

Sorry, I just find it so funny when people try to blame anything except Microsoft's shoddy operating system. I'm enjoying the view from the safety of my Kubuntu Linux computer. Who needs a virus checker?

Mind if I join you?

WAAAHAHAHAHAHAHAHAHA HAAAA HAAHAAHAHAHAHWHAHAHWHAHAAH AHAHWHA

*gaaaaaasp*

HEHEEEHEE WAAHAHAHAA HAA HA AHA HAA AHA

*wipes tear from left eye socket*

I have been using Ubuntu since XP pissed me off for the last time. I also use Macs, and OSX is the bomb! I almost forget what viruses are! And spyware? Or should I say spywhere?

Vista was a joke... an attempt by Microsoft to match Debian, Gentoo and MacOSX progress in development. The difference, unlike Vista, Debian, Gentoo and MacOSX actually work... oh... and I can run most windows apps with out problems...

This does of course mean that I can in theory get a Windows Virus, but these operating systems require emulators to run Windows Apps, and if something tries to run itself, you get a little message requesting authorisation...

And the best part? Sun Micro makes a appy called Virtual Box, which I used to install my legacy Windows XP on, so if I do have a need to use Windows XP I can, I just run the whole operating system like an application. It's called Windows, so run it in a window!
 
Casting the blame is easy to do.

Now, reality.

the thing is, if you've got a real mission-critical production system (like a bank) where downtime is an absolute no-no then the sysadmins of said site will have a test system where they will first install the patches and updates from Microsoft - and if it breaks anything, that patch doesn't get installed.

Which means that that mission-critical system might never get patched, or just a few bits and bobs at best - and all is well until somebody manages to bypass all security regulations and unleashes a worm/trojan/TIAL (:p) onto the unpatched system. Then it is night. (I personally have seen a Windows2003 server go down hard, requiring a complete reinstall from scratch after running Windowsupdates to keep it up to date).

On the other hand, you get lazy sysadmins not wanting to patch anything, and they will just leave a system unpatched, hoping for the best.

Another possible scenario is where damagement forbade the loading of patches and updates.

Also, given our exorbitant bandwidth pricing, some companies are unable to afford Windows to update itself.

In all three cases the infection could have been avoided by remaining up to date. The fourth case Telkom is partly to blame for sucking their customers dry.

In general it is also M$'s own fault for not putting in proper protection into its own OS'es. Default deny might have helped here.

OI!!!! :mad::mad: ..|.

I'm not the same level as worms and trojans!!! :mad::mad:

:D
 
Here is what you need to know about this Virus...

From the Windows Secrets List E-mail...

Keep the latest worm infestation off your PC

Woody Leonhard By Woody Leonhard

It's been a hellacious week for security admins all over the world: the polymorphic worm known as Downadup, Conficker, and Kido has infected millions of computers.

Fortunately, you can scan, scour, and secure your systems by following four relatively simple steps.

Remember the patch that Microsoft released suddenly — "out of cycle" in the parlance — back in October 2008? Windows Secrets followed suit with an out-of-cycle news bulletin about the patch on Oct. 24. Susan Bradley recommended that readers immediately install the update described in MS08-067 (KB article 958644) to protect against "a remote-code attack that could spread wildly across the Internet."

Just as Susan predicted, the remote-code attacks started appearing shortly thereafter. On Oct. 26, Christopher Budd of the Microsoft Security Response Center posted the following in the MSRC blog:

"We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we've not seen evidence of public, reliable exploit code showing code execution."

By mid-November, the Microsoft Malware Protection Center (MMPC) said in a blog posting that it had collected "over 50 distinct exploits of this vulnerability." However, MMPC said the instances were very limited: "We're getting a very small number of customer reports for these attacks."

Then Conficker.A hit the fan. (McAfee and Microsoft call the worm "Conficker," Sophos uses the name "Confick," and Symantec and F-Secure call it "Downadup"; but it's the same virus.) By Nov. 25, MMPC was raising the alarm on its blog in an attempt to get individuals and — especially — organizations to install the MS08-067 patch, which stops Conficker.A dead in its tracks.

At this point, the Conficker furor should've died down and the worm been relegated to the history books. Two inexorable forces, however, combined in early January 2009 to give the worm new life: system admins who weren't applying key patches and a ferociously fecund variant called Conficker.B.

How Conficker differs from other worms

In the not-so-good old days, Conficker.A arrived as a Trojan: in order to infect a PC, somebody had to run an infected program on the machine. It could also try to hit your machine directly, but any sort of firewall would thwart that attack. If the infected system was attached to a network, Conficker.A used the hole (that MS08-067 closes) to spread to other computers on the network. This modus operandi is kinda boring but moderately effective.

Conficker.B uses the Conficker.A approach, plus a whole lot more — as a "blended threat," it's an equal-opportunity infecter. The MMPC's TechNet blog offers an excellent, graphical overview of the ways that Conficker.B can get into your network. Here are the main attack vectors:

* Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.

* Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can't get in. What a sneaky buzzard!

* If Conficker.B finds that it can't get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you'll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.

* Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target's hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.

* Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.

That last step intrigues me the most because the person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable.

The worm's tricky twist on autorun.inf

Bojan Zdrnja at the SANS Internet Storm Center detailed in this blog post how Conficker.B's autorun.inf file works. To see the brilliance in the deception, it helps to understand how autorun.inf files usually work.

Let's say I put an autorun.inf file on an empty USB drive that includes the following command:

[Autorun]
open=ACoolProgram.exe

Then I stick a file called ACoolProgram.exe on the USB drive. When I plug that USB drive into a bone-stock Vista machine, I get the AutoPlay notification message shown in Figure 1.

http://mybroadband.co.za/photos/data/500/W20090122-Autoruns1.jpg

Autoplay reacting to a normal autorun.inf
Figure 1. Vista's Autoplay displaying the results of a normal autorun.inf file.

On the other hand, if I wanted to get tricky, I could change autorun.inf so it takes over the default wording on Vista's Autoplay dialog. This autorun.inf file does that very thing:

[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
open=ACoolProgram.exe

When this file is placed on a USB drive that's inserted into a stock Vista PC, the AutoPlay notification shown in Figure 2 appears.

http://mybroadband.co.za/photos/data/500/W20090122-Autoruns2.jpg

Autoplay reacting to a fancy autorun.inf
Figure 2. Vista's AutoPlay with a slightly altered autorun.inf file.

Note that the altered file pastes an icon into the AutoPlay notification that looks just like a folder icon. The autorun.inf file can say it's going to open a folder when in fact it's going to run an executable program.

When Conficker.B infects a USB drive, it creates just this type of autorun.inf file that pops up an AutoPlay notification identical to Figure 2. Clever — and for PC users, scary. Amazingly, this bit of autorun.inf infectious sleight-of-hand also works on the beta version of Windows 7.

Guide to cleaning and preventing Conficker

As of Jan. 16, 2009, F-Secure estimates in its blog that the number of Conficker-infected PCs jumped from 2.4 million to 8.9 million in just four days. Unfortunately, that number has been increasing by a million infections a day.

I don't blindly accept F-Secure's analysis, nor that of any other security-software vendor, but it has become quite apparent that an enormous number of PCs have caught this worm.

Even though a Conficker-infected PC may not be able to access Microsoft.com — and Conficker probably disabled the PC's automatic-update function, too — getting rid of the worm is surprisingly easy.

* Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company's online password checker. If somebody other than you controls your computer's admin password, make sure that person understands the gravity of this situation.

* Step 2: Make sure you've installed the patch described in MS08-067. Open Control Panel's Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC's patches.

The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn't installed, browse to Microsoft's Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.

* Step 3: Run Microsoft's Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I've heard about. The easiest way to get MSRT is through Windows Update, but if you can't get through to that service on the infected PC, borrow a computer and download the tool from Microsoft's site.

* Step 4: Disable AutoPlay. If Figure 2 doesn't convince you of the risk of using Windows' AutoPlay feature, nothing will. Simply stated, you don't need AutoPlay that much. Follow the advice in Scott Dunn's Top Story from the Nov. 8, 2007, issue for comprehensive instructions to disable AutoPlay.

Those four steps will ensure that your PC isn't one of the million — or nine million, or 12 million — machines currently playing host to the Conficker worm and its variants.
 
This also from Slashdot...

"Microsoft's advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines are important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."

Here is the ComputerWorld Article...

Microsoft's advice on Downadup leaves users open to attack, says US-CERT
Instructions for disabling Windows' Autorun are flawed, security group says

January 21, 2009 (Computerworld) Microsoft Corp.'s advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.

In an alert issued on Monday, US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."

The flaw in Microsoft's guidelines are important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features.

Autorun, the focus of the US-CERT warning, lets Windows automatically run any program specified in the "autorun.inf" on, for example, a CD or a flash drive, as soon as the disc or device is inserted or connected. By default, Windows has Autorun enabled.

The problem is that Downadup, which as of last week had infected nearly 9 million PCs worldwide, tries to spread using USB-based devices, typically flash drives. The worm creates an autorun.inf file at the root directory of any USB-based device it finds connected to the infected machine. Then, when that device is later connected to an uninfected computer, the autorun.inf file copies the worm to the machine without any action on the part of the user or the user even knowing.

The result: another PC hacked by Downadup.

Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector. According to US-CERT, Microsoft's advice is useless.

"The 'Autorun' and 'NoDriveTypeAutorun' registry values [specified by Microsoft] are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems," the organization said. "Setting the Autorun registry value to '0' will not prevent newly-connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed."

Likewise, the recommended "0xFF" setting for the NoDriveTypeAutorun registry entry, which Microsoft says "disables Autoplay on all drives," won't protect users from infection if they happen to double-click on the drive's icon in Windows Explorer, said US-CERT.

Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.

"Once these changes have been made, all of the Autorun code-execution scenarios described above will be mitigated because Windows will no longer parse autorun.inf files to determine which actions to take," read the US-CERT warning.

One security researcher said he was surprised that Microsoft didn't catch its recommendation errors, particularly in light of the ongoing Downadup attacks. "Seems unbecoming of Microsoft not to have been the one posting this information on a blog of theirs," said Andrew Storms, director of security operations at nCircle Network Security Inc.

He also bemoaned the need to edit the registry to disable Autorun. "Not only [is] editing the registry outside the [reach] of most people, but now we have learned that the information from the source is not complete," Storms added in an exchange via instant messaging.

Microsoft did not immediately reply to a request for comment on US-CERT's alert.
 
And here is another solution...

http://nunobrito.eu/ninja/

Ninja is the freeware zero-configuration program designed for guarding computers against viruses transmitted by USB pendisks.

This ninja awaits quietly in the system tray for the times whenever a USB pendisk is inserted on the computer which will be examined to uncover the commonly malicious or virulent files known as "autorun.inf" and "ctfmon.exe" amongst many others.

To keep things simple, ninja is fully portable, self-contained and requires no installation.

Besides removing known virulent files, this tool will also immunize your pendisk and create a folder called autorun.inf with special protection permissions to protect your pendisk from being infected again when plugged on contaminated computers.

Get it now! :p
 
Top
Sign up to the MyBroadband newsletter
X