How does the W32/Sumom.C worm propagate?
March 23, 2005 10:49 AM Subscribe
My brother's PC has become infected with the W32/Sumom.C worm. I'm resigned to re-formatting and a re-install to remove it, but how did it get there to deliver the payload? He's sure it arrived via MSN Messenger, as his kids use it heavily. Wishing to use this as an educational experience as well a chastening one, (no more Messenger!), I'd like to know if there was anything he or they should have done differently. Did they have to explicitly run the Messengered file(s), or was it all entirely automatic?
Do you have a firewall enabled? Over the past year and a half it's become impossible for me to do an install on a Windows box connected to the net without it getting infected before I complete my first batch of Windows Updates. The solution has been to install the machine while disconnected from the net, install ZoneAlarm or similar firewalls, and only then connect to the net to get my updates. Of course, you need the firewall even after the updates just to be sure.
posted by furtive at 11:14 AM on March 23, 2005
posted by furtive at 11:14 AM on March 23, 2005
Response by poster: Yup, Kerio personal firewall was running. I guess what I'm asking is, despite vehement denials, did someone do something to assist the infection? Some of the cleverly socially engineered filenames involved, (such as 'Death of crazy frog!.pif' and 'lol Busted Are Gay!.pif'), would've had great appeal to my niece and nephew.
posted by punilux at 11:22 AM on March 23, 2005
posted by punilux at 11:22 AM on March 23, 2005
punilux writes "Yup, Kerio personal firewall was running. I guess what I'm asking is, despite vehement denials, did someone do something to assist the infection? Some of the cleverly socially engineered filenames involved, (such as 'Death of crazy frog!.pif' and 'lol Busted Are Gay!.pif'), would've had great appeal to my niece and nephew."
Not quite on topic, but the newest version of Kerio can also be set to ask on both program launch and exec'ing of one program by another. That would give you at least two more prompts that serve to warn the kids. Or you could unilaterally disallow .pif and .scr. And them it would be, 'lol! Busted are teh kids!
posted by orthogonality at 11:30 AM on March 23, 2005
Not quite on topic, but the newest version of Kerio can also be set to ask on both program launch and exec'ing of one program by another. That would give you at least two more prompts that serve to warn the kids. Or you could unilaterally disallow .pif and .scr. And them it would be, 'lol! Busted are teh kids!
posted by orthogonality at 11:30 AM on March 23, 2005
Frankly, the solutions to these problems are two, and simple:
1. Avoid Microsoft products.
2. Don't open e-mail attachments.
Use Firefox for a web browser. Use Thunderbird for a mail client. Install Clamwin and run it regularly (afaik, it does not do realtime protection like some of the commercial antivirus apps do, which is a drawback). Filter all email to discard .pif and .scr attachments.
I don't consider these measures to be draconian, and in a home environment they should not be too hard to enact/enforce. Try doing the same in a corporate locale, when everyone thinks you're the bastard operator from hell, and they'll use IE if they damn well want to. Spyware and trojans abound.
posted by autojack at 11:39 AM on March 23, 2005
1. Avoid Microsoft products.
2. Don't open e-mail attachments.
Use Firefox for a web browser. Use Thunderbird for a mail client. Install Clamwin and run it regularly (afaik, it does not do realtime protection like some of the commercial antivirus apps do, which is a drawback). Filter all email to discard .pif and .scr attachments.
I don't consider these measures to be draconian, and in a home environment they should not be too hard to enact/enforce. Try doing the same in a corporate locale, when everyone thinks you're the bastard operator from hell, and they'll use IE if they damn well want to. Spyware and trojans abound.
posted by autojack at 11:39 AM on March 23, 2005
"Over the past year and a half it's become impossible for me to do an install on a Windows box connected to the net without it getting infected before I complete my first batch of Windows Updates"
Oh, come on..
posted by ascullion at 1:21 PM on March 23, 2005
Oh, come on..
posted by ascullion at 1:21 PM on March 23, 2005
Response by poster: My question was prompted by informed ignorance; I've been careful and lucky enough never to have been infected by anything this pernicious. My whole family is pretty well aware of the dangers; we all use Firefox, Kerio, AVG and Ad-Aware. In fact my bro' had updated AVG the day before this beastie was first spotted in the wild.
I simply wanted to give my niece and nephew better advice on what to look out for, and more importantly to understand for myself and them how this could've happened.
Thanks all for your replies.
And ascullion : Oh, come on.. The article's a little old, but I don't suppose the situation's got much better since it was written, sadly
posted by punilux at 1:53 PM on March 23, 2005
I simply wanted to give my niece and nephew better advice on what to look out for, and more importantly to understand for myself and them how this could've happened.
Thanks all for your replies.
And ascullion : Oh, come on.. The article's a little old, but I don't suppose the situation's got much better since it was written, sadly
posted by punilux at 1:53 PM on March 23, 2005
I read that article on The Register when it was published, and thought it was hugely dubious. Security companies have a vested influence in making users feel paranoid.
I'm not saying you couldn't get a virus that quickly.. but it's ridiculous to say it happens as a matter of course.
posted by ascullion at 2:14 PM on March 23, 2005
I'm not saying you couldn't get a virus that quickly.. but it's ridiculous to say it happens as a matter of course.
posted by ascullion at 2:14 PM on March 23, 2005
I'm not saying you couldn't get a virus that quickly.. but it's ridiculous to say it happens as a matter of course.
It all depends on what kind of network you're on. If it's a corporate network behind a well maintained firewall and any infections are pounced on immediately by IT, then yes, you're probably right.
If you're on an unprotected network (like a university network, for example), then your machine WILL be infected within seconds of coming online, before you can download the Windows Updates, just as furtive described. I've seen it happen.
posted by event at 2:45 PM on March 23, 2005
It all depends on what kind of network you're on. If it's a corporate network behind a well maintained firewall and any infections are pounced on immediately by IT, then yes, you're probably right.
If you're on an unprotected network (like a university network, for example), then your machine WILL be infected within seconds of coming online, before you can download the Windows Updates, just as furtive described. I've seen it happen.
posted by event at 2:45 PM on March 23, 2005
Or you could unilaterally disallow .pif and .scr.
you might as well do this anyways. the circumstances under which you'd have a valid reason for downloading or having a pif/scr sent to you are rare and of dubious value.
If you're on an unprotected network (like a university network, for example), then your machine WILL be infected within seconds of coming online, before you can download the Windows Updates, just as furtive described. I've seen it happen.
sitting behind a router makes this not much of an issue.
posted by juv3nal at 4:18 PM on March 23, 2005
you might as well do this anyways. the circumstances under which you'd have a valid reason for downloading or having a pif/scr sent to you are rare and of dubious value.
If you're on an unprotected network (like a university network, for example), then your machine WILL be infected within seconds of coming online, before you can download the Windows Updates, just as furtive described. I've seen it happen.
sitting behind a router makes this not much of an issue.
posted by juv3nal at 4:18 PM on March 23, 2005
ascullion: It happened to me at work perhaps a month or two ago while getting a new Windows XP box up and running. Couldn't've been insecurely plugged into the network for more than ten minutes before having some minor worm pop on. My boss tells a similar tale getting a fresh XP install onto his home laptop.
It's anecdotal evidence, sure. Still, it's convincing enough that I now use a burned CD o' updates to apply to a machine before I'm willing to put it online.
posted by youhas at 4:41 PM on March 23, 2005
It's anecdotal evidence, sure. Still, it's convincing enough that I now use a burned CD o' updates to apply to a machine before I'm willing to put it online.
posted by youhas at 4:41 PM on March 23, 2005
A little off topic advice... BEWARE: RANT!
When I ever I am tied down to the chore of helping a friend or family member reload their infected and decrepit Microsloth Windoze machine, I bring along in my kit a linksys router that has a firewall built in. I find this keeps the attacks off my back until all the updates are done. In my experience "hardware" firewalls, although usually more restrictive provide the most stable security.
As for a solution to your problem, there is none. Any port you let access out on something can piggy back in on. With Windows you kinda have to be an administrator; even if you're an 86 year old woman who's just getting on the net for pumpkin pie recipes. Also, as a PC Tech for the last 10 years I can say I have NEVER seen a home computer that's windows registry wasn't toast with in six months. Windows is a disposable Operating System, back up frequently and keep your restore disks handy. Now, I am not saying Mac OS 7 - 9.22 was any better, but at least Apple has moved on to a real operating system.
Also, as a Linux and Mac OS X user I proudly say "In your FACE Windows... HA!"
It's a pity that so many people choose (or have to) use such a inferior product. I wish Apple would do a real port of Mac OS X to the x86 platform, not just the darwin core, then PC Users would have a viable choice because Linux is just not ready yet for the 86 year old grandmas of the world.
posted by Livewire Confusion at 7:11 PM on March 23, 2005
When I ever I am tied down to the chore of helping a friend or family member reload their infected and decrepit Microsloth Windoze machine, I bring along in my kit a linksys router that has a firewall built in. I find this keeps the attacks off my back until all the updates are done. In my experience "hardware" firewalls, although usually more restrictive provide the most stable security.
As for a solution to your problem, there is none. Any port you let access out on something can piggy back in on. With Windows you kinda have to be an administrator; even if you're an 86 year old woman who's just getting on the net for pumpkin pie recipes. Also, as a PC Tech for the last 10 years I can say I have NEVER seen a home computer that's windows registry wasn't toast with in six months. Windows is a disposable Operating System, back up frequently and keep your restore disks handy. Now, I am not saying Mac OS 7 - 9.22 was any better, but at least Apple has moved on to a real operating system.
Also, as a Linux and Mac OS X user I proudly say "In your FACE Windows... HA!"
It's a pity that so many people choose (or have to) use such a inferior product. I wish Apple would do a real port of Mac OS X to the x86 platform, not just the darwin core, then PC Users would have a viable choice because Linux is just not ready yet for the 86 year old grandmas of the world.
posted by Livewire Confusion at 7:11 PM on March 23, 2005
ascullion: I would just like to chime in also and say that unless you are behind a firewall, there is an excellent chance that your windows installation will be infected before it even finishes installing. Depending what one gets, it might not be obvious/detectable to the average person that anything has even happened until much later, if ever.
Personally, I use windows, but only with a hardware and software firewall. I also avoid IE and MS email clients and religiously patch my software. I have yet to be infected with a virus or malware, whereas every single person I know personally who owns a windows computer (who isn't taking CS in school) has.
The computer security industry may have an interest in keeping people paranoid, but honestly, people aren't nearly paranoid enough. Just because the industry has an interest in keeping people paranoid doesn't mean being paranoid isn't warranted.
posted by recursive at 7:00 AM on March 24, 2005
Personally, I use windows, but only with a hardware and software firewall. I also avoid IE and MS email clients and religiously patch my software. I have yet to be infected with a virus or malware, whereas every single person I know personally who owns a windows computer (who isn't taking CS in school) has.
The computer security industry may have an interest in keeping people paranoid, but honestly, people aren't nearly paranoid enough. Just because the industry has an interest in keeping people paranoid doesn't mean being paranoid isn't warranted.
posted by recursive at 7:00 AM on March 24, 2005
My zipcode is #6 for my state! It's about time someone around here got some recognition.
posted by recursive at 7:02 AM on March 24, 2005
posted by recursive at 7:02 AM on March 24, 2005
Best answer: Did they have to explicitly run the Messengered file(s), or was it all entirely automatic?
Quite possibly it was entirely automatic.
Bugtraq ID #12506:
Generally speaking, the suggestions in this thread to run a firewall, run anti-virus software, regularly check for spyware, etc are all good ones (and should the system be running on a fulltime connection like cable or DSL, I'd add a NAT translation router to that list of basic precautions.) In this particular case, only patching (which may or may not have been available at the time) would have prevented the infection.
Secunia has a compendium of various AV vendor info on this particular IM worm under it's various names, with suggestions for removal.
(I'd also suggest the principle of least privilege for anyone running Windows, which is useful against a wide array of vulnerabilities. Here's how -- add a strong password to your adminstrative account, and create a second user with limited rights. Remain logged in as that limited user unless you require administrator rights, in which case fast user switching or logging out/in is available to install software or make systemwide changes. As with any security-related decision, there is a tradeoff of some inconvenience for that added layer of protection...in this case, some Win32 software requires admin rights to run. You may not be able to work as seamlessly, depending on which application you need to run that needs admin rights, it may find you switching back more than is feasible.)
The best suggestion for basic home user security? Get a Mac ;-)
...or if you don't want to shell out for new hardware and software, buy a second drive or partition your existing one and install Linux. Or short of that even, consider using a Knoppix bootable CD in those times you just want to browse and IM.
posted by edverb at 4:53 PM on March 25, 2005
Quite possibly it was entirely automatic.
Bugtraq ID #12506:
A remotely exploitable buffer overflow exists in MSN Messenger and Windows Messenger. This vulnerability is related to parsing of Portable Network Graphics (PNG) image header data. Successful exploitation will result in execution of arbitrary code in the context of the vulnerable client user.I'm not sure specifically if the virus on your brother's PC exploited this particular vulnerability, but it's certainly possible on an unpatched system. The vulnerability was disclosed on Feb 08, 2005, which does not exclude the possibility of infection prior to that date, a condition which persists for as long as the system is unpatched.
Attack vectors and mitigations may differ for MSN Messenger and Windows Messenger. For Windows Messenger, the attacker must spoof the .NET Messenger service and the client must be configured to receive .NET alerts.
However, MSN Messenger may be exploited through various methods in a client-to-client attack. Possible attack vectors for this vulnerability in MSN Messenger include:
User display pictures
Custom icons that are displayed inline in instant messages
Thumbnails of transferred images
Background images
Generally speaking, the suggestions in this thread to run a firewall, run anti-virus software, regularly check for spyware, etc are all good ones (and should the system be running on a fulltime connection like cable or DSL, I'd add a NAT translation router to that list of basic precautions.) In this particular case, only patching (which may or may not have been available at the time) would have prevented the infection.
Secunia has a compendium of various AV vendor info on this particular IM worm under it's various names, with suggestions for removal.
(I'd also suggest the principle of least privilege for anyone running Windows, which is useful against a wide array of vulnerabilities. Here's how -- add a strong password to your adminstrative account, and create a second user with limited rights. Remain logged in as that limited user unless you require administrator rights, in which case fast user switching or logging out/in is available to install software or make systemwide changes. As with any security-related decision, there is a tradeoff of some inconvenience for that added layer of protection...in this case, some Win32 software requires admin rights to run. You may not be able to work as seamlessly, depending on which application you need to run that needs admin rights, it may find you switching back more than is feasible.)
The best suggestion for basic home user security? Get a Mac ;-)
...or if you don't want to shell out for new hardware and software, buy a second drive or partition your existing one and install Linux. Or short of that even, consider using a Knoppix bootable CD in those times you just want to browse and IM.
posted by edverb at 4:53 PM on March 25, 2005
Response by poster: Thanks edverb for the thorough research and reply. In the end, I re-formatted and removed Messenger and they're off and running again with reduced privileges, as you outlined above.
posted by punilux at 6:28 AM on March 28, 2005
posted by punilux at 6:28 AM on March 28, 2005
This thread is closed to new comments.
posted by punilux at 10:58 AM on March 23, 2005