|
From: THE [online] JARGON FILE, VERSION 4.2.0, 31 JAN 2000 thanks to Eric Steven Raymond...
worm n. [from 'tapeworm' in John Brunner's novel "The Shockwave Rider", via XEROX PARC] A program that propagates itself over a network, reproducing itself as it goes. Compare virus. Nowadays the term has negative connotations, as it is assumed that only crackers write worms. Perhaps the best-known example was Robert T. Morris's Great Worm of 1988, a 'benign' one that got out of control and hogged hundreds of Suns and VAXen across the U.S. See also cracker, RTM, Trojan horse, ice.
For most people the deal comes down to a problem on Microsoft Windows systems where the client mail program is Microsoft Outlook, and/or where the Microsoft Windows Scripting Host is enabled.
So, you're talkin' Windows 98, Windows 2000, Windows NT 4.0, maybe Windows 95 if the Windows Scripting Host or Microsoft Internet Explorer 5.0 has been installed...
The basic deal is that Microsoft Outlook defaults to executing, unquestioned, an email attachment that might happen to be a Microsoft Visual Basic Script. If the Microsoft Visual Basic Script is a worm, you're dead meat...
Why does Microsoft Outlook default to executing Microsoft Visual Basic Script attachments, unquestioned? Ask Uncle Bill...
From: CRYPTO-GRAM May 15, 2000 by Bruce Schneier Founder and CTO Counterpane Internet Security, Inc. "ILOVEYOU Virus" What strikes me the most about this virus is how well it social engineers the user. It comes from someone the user knows. It has an enticing subject line. In Microsoft Outlook the ".vbs" extension is supressed by default, so it looks like an innocuous ".txt" file. Even with all the admonitions not to open attachments you're not expecting, the average user doesn't stand a chance against a virus like this. Expect even worse in the future. Systems running either Microsoft Office 2000 or Internet Explorer 5.0 can be infected with these sorts of viruses even if the recipient doesn't open the attachment. That's right; if the system is running Internet Explorer with the default settings, it is vulnerable. The problem is caused by a programming bug in an Internet Explorer ActiveX control. Thank you, Microsoft. Back to the ILOVEYOU virus. Read James Gleick's excellent essay: slate.msn.com/Features/lovebug/ And Phil Agre's commentary is so perfect, I'm just going to reprint it here. You can subscribe to his newsletter, "Red Rock Eater News Service," at: dlis.gseis.ucla.edu/people/pagre/ Phil says: "I received about 60 copies of the latest Microsoft e-mail virus and its variants. How many did you get? Fortunately I manage my e-mail with Berkeley mailx and Emacs keyboard macros, so I wasn't at risk. But if we're talking about billions of dollars in damage, which equates roughly to millions of lost work days, then I think that we and Microsoft need to have a little talk. "Reading the press reports, Microsoft's stance toward this situation has been disgraceful. Most of their sound bites have been sophistry designed to disassociate the company from any responsibility for the problem. One version goes like this quote from Scott Culp of Microsoft Public Relations, excuse me, I mean Microsoft Security Response Center: "This is a general issue, not a Microsoft issue. You can write a virus for any platform." (New York Times 5/5/00) "Notice the public relations technology at work here: defocusing the issue so as to move attention away from the specific vulnerabilities of Microsoft's applications architecture and toward the fuzzy concept of "a virus". Technologists will understand the problem here, but most normal people will not. Mr. Culp also says this (CNET 5/5/00): "This is by-design behavior, not a security vulnerability." "More odd language. It's like saying, "This is a rock, not something that can fall to the ground". It's confusing to even think about it. Even though Microsoft had been specifically informed of the security vulnerability in its software, it had refused to fix it. Microsoft even tried to blame its problem on Netscape, which *had* fixed it: news.cnet.com/news/ "The next step is to blame the users. The same Mr. Culp read on the radio the text of a warning that the users who spread the virus had supposedly ignored. That warning concludes with a statement to the effect that you shouldn't execute attachments from sources that you do not trust. He read that part kind of fast, as you might expect, given that the whole point of this virus is that people receive an attachment from a person who has included them in their address book. This particular blame-shifting tactic is particularly disingenuous given that the virus spread rapidly through Microsoft itself, to the point that the company had to block all incoming e-mail (Wall Street Journal 5/5/00). "Similarly, CNET (5/4/00) quoted an unnamed "Microsoft representative" as saying that companies must educate employees "not to run a program from an origin you don't trust". Notice the nicely ambiguous word "origin". The virus arrives in your mailbox clearly labeled as having been sent by a particular individual with whom you probably have an established relationship. It bears no other signs of its "origin" that an ordinary user will be able to parse, short of executing the attachment. "So what on earth is Microsoft doing allowing attachments to run code in a full-blown scripting language that can, among many other things, invisibly send e-mail? Says the "Microsoft representative", "We include scripting technologies because our customers ask us to put them there, and they allow the development of business-critical productivity applications that millions of our customers use." "There needs to be a moratorium on expressions such as "customers ask us to". Does that mean all of the customers? Or just some of them? Notice the some/all ambiguity that is another core technology of public relations. Do these "customers" really specifically ask for fully general scripts that attachments can execute, or do they only ask for certain features that can be implemented in many ways, some of which involve attachments that execute scripts? Do the customers who supposedly ask for these crazy things understand the consequences of them? Do they ask for them to be turned on by default, so that every customer in the world gets the downside of them so that a few customers can more conveniently get the upside? And notice how the "Microsoft representative" defocuses the issue again, shifting from the specific issue of scripts that can be executed by attachments to the fuzzy concept of "scripting technologies", as if anybody were suggesting that scripting technologies, as such, in general, were to blame."Microsoft shouldn't be broken up. It should be shut down." Phil Agre, in CRYPTO-GRAM May 15, 2000
"Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety."
Strong words, from someone (Schneier) who knows a lot..
<snip>
The CERT® Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is operated by Carnegie Mellon University for the Department of Defense.
All readers
Permission is granted to reproduce and distribute CERT®
security alerts in their entirety, provided the CERT® PGP
signature is included and provided the alert is used for
noncommercial purposes and with the intent of increasing the
awareness of the Internet community.
All my digital photography | |
Any and all e-mail addresses associated with this domain in any way are located in the State of Washington, and as such may not, by law, be harvested for spam. | |
This page preened using GNU Emacs 20.5.1 |
counter |