Paul R. Potts
I came into work today and started checking my e-mail. The MacOS X Mail client began downloading messages. It is still doing so. I had almost 200 new messages (on a typical day, including mailing list traffic, I might normally have 50 brief text-only messages which download quite rapidly). My mailer has been synchronizing for over an hour, and more mail seems to be pouring in, almost faster than it can be downloaded.
But the big fun is that most of them are garbage generated by worms and viruses running on Windows systems. The messages are coming in bursts, but during some of the bursts I’m getting one or more message per minute. And it has been going on around the clock. So far, I’ve received almost 170 copies of Microsoft worms.
I’m glad to see that Microsoft’s Secure Computing Initiative is showing positive results.
This is having real consequences: I’ve got real content I’ve got to get at in my mail: some code built by a contractor I’m supervising, messages from another development team which I can’t get to, and messages on developer mailing lists that may have solutions to some of the latest difficulties I’m encountering in my coding. I can only imagine how much worse this would be if my machine was a Windows box actually executing the worm while I was trying to get things done.
Now my mail server is being choked alive, and Most of these messages are allegedly from “Security Division,” “Inet Email Service,” “Net Service,” “MS Technical Bulletin,” “MS Net Mail Service,” “Microsoft Corporation Technical Services,” “MS Network Security Section,” “Admin,” “postmaster,” “Security Center,” “Microsoft Inet Message Storage System,” “Microsoft Corporation Technical Support,” “MS Corporation Network Security Division,” “Inet Service,” “Microsoft,” “MS Technical Assistance,” “Storage System,” “email storage system,” “Network Email Storage Service,” et cetera.
Subjects include “Current Network Update,” “Last Net Security Upgrade,” “Failure Notice,” “Abort Letter,” “Notice,” “Critical Pack,” “Network Upgrade,” “Undelivered Mail,” “error letter,” “Bug Message,” “New Microsoft Critical Patch,” and “Report.” Some have a blank subject. There are two general themes: fake patches, and fake bounce messages.
They all have attachments. Of course, I’m receiving them on a system with a completely different processor, so they won’t run on my machine. My disk usage for e-mail on DreamHost has gone from about ten megabytes to about seventy. The server is wallowing like a water buffalo under the weight of all this spam. (It is not technically spam, given that it is not exactly unsolicited commercial email; it’s also harder to figure out who to blame for it, since most messages are likely coming from infected machines whose owners do not realize that they are infected).
I’ve also got one message that includes at least 300 email addresses and appears to be an advertisement for an anti-virus service written in Italian. A nice effort from a member of the Coalition of the Bullied, but better luck next time, guys.
Anyway, what can we deduce from the attachment? First of all, if you’re running on machine and seeing similar mail: DO NOT EXECUTE THESE ATTACHMENTS. If the message contains web page links, DO NOT CLICK ON THEM. Don’t try to analyze the attachment like I’m about to; you’re likely to wind up installing the worm on your computer. I’m an expert. This is a Mac. Don’t try this at home.
So what is this crap?
Running “strings” over the binary executable yields some interesting results: it was written with Microsoft Visual C++. It contains the names of a lot of executables: “anti-trojan,” “bootwarn,” “findviru,” “lockdown2000,” “safeweb,” and “regedit.” It also contains the following:
These are the phrases used to communicate with an SMTP mail server. So, this executable is designed to send mail. It also contains a template e-mail message:
(Hint: the mail does not come from Microsoft), and a whole bunch of stock phrases presumably assembled at random to generate subjects and “From” lines:
And here are the strings which will generate some of the “Subject” lines:
Then there are these strings:
(Who is Jenna Jameson? I feel I should know.) It turns out these are used to give filenames to the trojan when it is propagated by file-sharing. There’s a lot more in here, but you get the idea.
CERT says:
W32/Swen.A Worm added September 19
The CERT/CC has received reports of a new mass-emailing worm, referred to as “W32/Swen.A” or “W32/Gibe.F”. This worm is similar to W32/Gibe.B in function. The worm has been reported to propagate through email, network shares, and file-sharing networks such as KaZaA and IRC. It arrives as an attachment. The subject, body, and From: address vary, but often claim to be a Microsoft Internet Explorer Update or a delivery failure notice from qmail. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds on the system. Additionally, this worm attempts to terminate numerous security product processes on the system.
So, what is this all about? It’s about poor propagation of security patches, poor code, and what is largely a sotware monoculture. It’s about a software monopoly which is complacent even in the face of the beginnings of public outrage over its insecurity.
There are people out there who would like you to believe that all operating systems are created equal and, thus, equally insecure. Vance Gloster on the Stickwire mailing list wrote recently:
In the bad old days, about 4 years ago, Microsoft was very irresponsible about security. While the folks at Sun who created Java were thinking hard about security with Java applets, the folks at Microsoft ignored security concerns in creating the ActiveX infrastructure. As they had been trained to evaluate issues, the Microsoft folks said, “security does not increase revenue”, and they dismissed it as irrelevant to what they were doing.
Bill Gates, though, saw that poor security could erode their user base like nothing else, and in January of 2002 he sent a memo to all of Microsoft telling them security had become their highest priority. You can read his memo at:
http://news.com.com/2009-1001-817210.html
Since then they have done a much better job at plugging security holes. Virtually every big hacker invasion (that did not depend on email attachments) exploited a hole that Microsoft had already fixed. Microsoft’s Windows Update system makes it easy to update your machine.
Let’s look at this claim: I have a clean XP Home box from Dell here that had never been patched since purchased (perhaps a year go). I went to patch it. I found that Microsoft’s site identified over SEVENTY patches!
Needless to say, it took the better part of a work day to decide which ones to install, download them, install, and reboot three or four times, then navigate back to the site each time. Microsoft throws everything into the “patch” system: documentation updates, adware, spyware, “security” in the form of added DRM.
Vance goes on:
So does Microsoft really just write terrible code, and that is the problem? Maybe, but so does everyone else.
To which I replied:
Well, yes, all code must be assumed to be buggy and security-hole-ridden until proven otherwise. And unfortunately there is no way to “prove” otherwise except to gradually gain confidence in a code base that has been tested “the hard way” over the years. But Microsoft does seem to have an amazing culture of prima donna hacking and premature optimization. Read the war strories of some of Microsoft’s programming management (Steve McConnell writes quite openly about Microsoft’s programming culture).
Vance continued:
In reality, even very smart programmers make errors that can be exploited. Until we get better at testing for these things, software, whether on a Mac or on Linux or on Windows (or even on your souped-up Commodore 64), will have vulnerabilities. About all you can ask for is for the authors to be responsive in creating updates. The open source community, with a few exceptions, has been very responsive, as has Microsoft over the last year or so. Apple has not been as aggressive about doing updates, but they argue that their users have had few problems. This is what Microsoft was saying several years ago. If you are interested in Apple security updates you can find them at the address below. There is a new one as of about a week ago for OSX.
But this is misleading. Apple has not been “aggressive” about releasing updates, but this is because they have not had as many security holes to fix. As security holes are uncovered in the underlying Darwin OS components, many of which are quite arcane and have never led to exploits, Apple has been quite decent about releasing patches. In my reply I wrote:
Yes, MacOS X is based on BSD UNIX, but this is really a blessing in disguise: BSD has been around a lot longer than Windows 3.X/9X/200X/XX and, being open-source, has had the benefit of decades of hackers competing with each other to find security holes and bugs. When security holes are found in the BSD layer Apple is aggressive about patching them.
…
Apple’s culture is not Microsoft’s. Apple, being the one with the small market share who must prove themselves and can’t resort to monopolistic practices, simply can’t afford Microsoft’s arrogance and carelessness with its customers. Apple doesn’t “argue” that their users have had few security problems. MacOS X, formerly OpenSTEP, formerly NEXTStep, aka BSD UNIX, with a dash of Mach, has a reliability record that no commercial OS except perhaps Solaris (System V) can aspire to.
Apple’s core OS is open source; I have the source on my machine. Most of it is BSD (with a 20-year-plus pedigree).
I’ve seen Windows boxes compromised at every place I’ve worked; in practice, having a Windows server on a network is generally a security disaster. I’ve had Linux boxes rooted as well.
Having an OSX box rooted is astonishingly rare. It’s like a Sun vulnerability. It happens, but not often. BSD servers have a record for reliability that even Linux boxes can’t match. MacOS X comes set up with reasonable security out of the box: no FTP, no Telnet (something Linux distributions are only recently beginning to try). By contrast, an XP box on the network is a promiscuous whore begging to be hacked: services running all over the place, ports open left and right, many which can’t even be turned off. (And Lord knows, we’re trying; 99% of the disturbing activity we track on our network is coming from our XP boxes. I know this because we’ve got a consulting investigating strange activities on our network, reading TCP/IP dump files and trying to figure out why our network constantly behaves as if under a denial-of-service attack. What he’s found is that it correlates very well with spyware, file-sharing trojans, and Windows XP shenanigans).
Apple’s built-in software update also works much better in practice. It notifies you of patches, and there are a small number of them (less than one a month). It’s much less onerous. And they don’t try to blame all the security flaws in the OS on the end-user’s failure to spend half his or her working day trying to keep up with a bewildering array of patches.
It’s doubly ironic today that I’m being inundated with fake security patches. Apple has heard and taken to heart the story of the OS Vendor Who Cried Wolf, while Microsoft blames the customer and inundates us with irrelevant patches.
To be fair, there isn’t much that Microsoft can do if users download and install trojan horses, or happily bypass warnings to run executables they received in incoming email messages.
Now the worm writers are exploiting the very lassitude, hopelessness, and blind trust that this approach has engendered in its users, and it isn’t a pretty picture.
So. Want to fix the security holes in your Microsoft system? Unplug it. Want to make the internet a healthier place? Run another operating system. It doesn’t have to be MacOS X, but that would be a good choice. A recent BSD release would do you just fine, or Linux if you wish. And you might find that you learn something and save money at the same time.
UPDATE: The Register has a great piece here that talks about the meme that “if Linux or MacOS was as widely used as Windows, there would be just as many viruses written for those platforms.” It just isn’t true; Windows has unique qualities that make it inherently insecure, and this isn’t just anti-Microsoft propaganda; the design and default configuration of the Windows OS make it so. See http://www.theregister.co.uk/content/56/33226.html.