From: DA Morgan
Subject: Re: hotmail password request tool (intranet usage)
Date:
Message-ID: <1113846182.681334@yasure>
··············@hotmail.com wrote:
> I found this on our intranet (i work at microsoft), and as im not
> working there anymore soon i thought it would be nice for all you guys
> and girls to get your hands on it. Ive put it on
> http://matweb.info/~hotmail/hotmail.rar
>
> Have fun!
Let me see if I get this correctly ... you have stolen an internal
file from Microsoft and you are distributing it in a usenet group.
And you think anyone out here dumb enough to blindly open an archive
file not knowing its contents.
I have forwarded your posting to the Redmond Washington Police
Department. And hope they find you quickly.
--
Daniel A. Morgan
University of Washington
········@x.washington.edu
(replace 'x' with 'u' to respond)
DA Morgan wrote:
> Let me see if I get this correctly ... you have stolen an internal
> file from Microsoft and you are distributing it in a usenet group.
> And you think anyone out here dumb enough to blindly open an archive
> file not knowing its contents.
What's wrong with unpacking an archive file? I do that every time
with software distributions. Most of the time they contain a
README file, but even if they didn't, you are free to look through
files, no?
If it says that the archive is *not* for everyone to read (like
"this is MS property"), then maybe that's a sign you should stop.
--
No man is good enough to govern another man without that other's
consent. -- Abraham Lincoln
From: DA Morgan
Subject: Re: hotmail password request tool (intranet usage)
Date:
Message-ID: <1113854149.517598@yasure>
Ulrich Hobelmann wrote:
> DA Morgan wrote:
>
>> Let me see if I get this correctly ... you have stolen an internal
>> file from Microsoft and you are distributing it in a usenet group.
>> And you think anyone out here dumb enough to blindly open an archive
>> file not knowing its contents.
>
>
> What's wrong with unpacking an archive file? I do that every time with
> software distributions. Most of the time they contain a README file,
> but even if they didn't, you are free to look through files, no?
>
> If it says that the archive is *not* for everyone to read (like "this is
> MS property"), then maybe that's a sign you should stop.
Here at the University of Washington there have been demonstrations of
archive files that autoexecute when opened (not even unpacked) which is
more than enough to trigger an attack.
How serious is the problem? All .zip files are deleted by our mail
server. I'll let you be the judge, knowing that, of how you feel about
opening and archive that is self-identified as stolen from an internal
web site (what does that say about the poster's integrity level) and
for which the poster has done his or her best to not reveal what is
actually contained.
Microsoft is now involved. If this person is truly inside the company
they may well exit sooner than they planned ... and not through the
front door. I've as much use for thieves as for spammers.
--
Daniel A. Morgan
University of Washington
········@x.washington.edu
(replace 'x' with 'u' to respond)
DA Morgan wrote:
> Here at the University of Washington there have been demonstrations of
> archive files that autoexecute when opened (not even unpacked) which is
> more than enough to trigger an attack.
What's "opening" an archive file and how does it execute
something?? An archive is a container format, and as such,
passive data. Your can look at the contents, or extract the files
within. If your look-at-archive program executes random stuff,
it's horribly broken.
> How serious is the problem? All .zip files are deleted by our mail
> server. I'll let you be the judge, knowing that, of how you feel about
> opening and archive that is self-identified as stolen from an internal
> web site (what does that say about the poster's integrity level) and
> for which the poster has done his or her best to not reveal what is
> actually contained.
WHAT? I'd get quite furious if someone just deleted all zips in
my email! Why not just delete all emails, then you can't get spam
anymore!
> Microsoft is now involved. If this person is truly inside the company
> they may well exit sooner than they planned ... and not through the
> front door. I've as much use for thieves as for spammers.
I believe it's a virus inside, and no secret MS stuff. So even if
there is, how can I be guilty for just *looking* inside? Isn't
that the same as finding top-secret documents on the street and
looking at them? I didn't sign no NDA. Of course if it's MS
code, then distributing it would be illegal.
--
No man is good enough to govern another man without that other's
consent. -- Abraham Lincoln
From: DA Morgan
Subject: Re: hotmail password request tool (intranet usage)
Date:
Message-ID: <1113864368.360327@yasure>
Ulrich Hobelmann wrote:
> DA Morgan wrote:
>
>> Here at the University of Washington there have been demonstrations of
>> archive files that autoexecute when opened (not even unpacked) which is
>> more than enough to trigger an attack.
>
>
> What's "opening" an archive file and how does it execute something??
But it does or should I say can. It is not that hard to do but I'm not
going to advertise how as we seem to already have more than enough
people doing malicious computing without creating more.
>> How serious is the problem? All .zip files are deleted by our mail
>> server. I'll let you be the judge, knowing that, of how you feel about
>> opening and archive that is self-identified as stolen from an internal
>> web site (what does that say about the poster's integrity level) and
>> for which the poster has done his or her best to not reveal what is
>> actually contained.
>
> WHAT? I'd get quite furious if someone just deleted all zips in my
> email! Why not just delete all emails, then you can't get spam anymore!
Get angry if you wish but don't expect to be faculty or student at the
University of Washington.
>> Microsoft is now involved. If this person is truly inside the company
>> they may well exit sooner than they planned ... and not through the
>> front door. I've as much use for thieves as for spammers.
>
> I believe it's a virus inside, and no secret MS stuff. So even if there
> is, how can I be guilty for just *looking* inside? Isn't that the same
> as finding top-secret documents on the street and looking at them? I
> didn't sign no NDA. Of course if it's MS code, then distributing it
> would be illegal.
Don't know ... don't care. I handed it off, with full headers, to the
proper authorities and they were not amused.
--
Daniel A. Morgan
University of Washington
········@x.washington.edu
(replace 'x' with 'u' to respond)
In comp.lang.perl.misc DA Morgan <········@x.washington.edu> wrote:
> Don't know ... don't care. I handed it off, with full headers, to the
> proper authorities and they were not amused.
With the spammer... or with you for wasting their time?
If you do this with every piece of spam you come across it indicates
that you have a lot of free time on your hands.
By the way, for your information, the OP, although spamming, for
which he should be quite rightly be condemned, was not distributing
a file in a usenet group... just its location.
Axel
Ulrich Hobelmann <···········@web.de> writes:
>DA Morgan wrote:
>> Here at the University of Washington there have been demonstrations of
>> archive files that autoexecute when opened (not even unpacked) which is
>> more than enough to trigger an attack.
>What's "opening" an archive file and how does it execute something??
>An archive is a container format, and as such, passive data. Your can
>look at the contents, or extract the files within. If your
>look-at-archive program executes random stuff, it's horribly broken.
Perhaps it was a specially constructed zip file triggering some buffer
overflow or other security bug in the zip program used for
unzipping...
>WHAT? I'd get quite furious if someone just deleted all zips in my
>email! Why not just delete all emails, then you can't get spam
>anymore!
I'd also agree it's a bit extreme... although very effective. Typical
virus scanners (such as the free ClamAV, which I personally use on our
mail server) usually look inside archive files and recursively check
the files therein. This has led to some extremely amusing (imho)
viruses that spread via email, which sent _encrypted_ zip files as
attachment, and told the user the password for it in the email text
(advertising it as pr0n or w4r3z, or somesuch). I'm amazed such crap
actually managed to spread (no joke!)
Also, when the zip file is opened and a curious user is clicking on
files (no matter what the filenames appear to be, a "bigboobs.jpg.exe"
file is by default displayed by "bigboobs.jpg" by Windows, since it's
hiding the .exe!), all bets are off.
[I'll not crosspost to all those newsgroups, so I've trimmed the line
to comp.lang.lisp, where I'm reading it.]
mkb.
Matthias Buelow wrote:
>>WHAT? I'd get quite furious if someone just deleted all zips in my
>>email! Why not just delete all emails, then you can't get spam
>>anymore!
>
>
> I'd also agree it's a bit extreme... although very effective. Typical
> virus scanners (such as the free ClamAV, which I personally use on our
> mail server) usually look inside archive files and recursively check
> the files therein. This has led to some extremely amusing (imho)
> viruses that spread via email, which sent _encrypted_ zip files as
> attachment, and told the user the password for it in the email text
> (advertising it as pr0n or w4r3z, or somesuch). I'm amazed such crap
> actually managed to spread (no joke!)
Sure, it stops spam, but also all legitimate zip files (the most
common file type I send after PDFs).
> Also, when the zip file is opened and a curious user is clicking on
> files (no matter what the filenames appear to be, a "bigboobs.jpg.exe"
> file is by default displayed by "bigboobs.jpg" by Windows, since it's
> hiding the .exe!), all bets are off.
The problem of the Windows explorer GUI on one hand, and of the
lack of proper sandboxing on the other (well, even Unix doesn't do
sandboxing right, by allowing a process to do almost anything).
I always say if people use Windows and get their computer
shredded, that's their fault. You don't buy a car without finding
out about insecurities, do you? But people buy computers without
getting *any* information at all!
--
No man is good enough to govern another man without that other's
consent. -- Abraham Lincoln
On 19 Apr 2005 00:47:44 +0200, Matthias Buelow <···@incubus.de> wrote:
>Ulrich Hobelmann <···········@web.de> writes:
>
>>DA Morgan wrote:
>>> Here at the University of Washington there have been demonstrations of
>>> archive files that autoexecute when opened (not even unpacked) which is
>>> more than enough to trigger an attack.
>>What's "opening" an archive file and how does it execute something??
>>An archive is a container format, and as such, passive data. Your can
>>look at the contents, or extract the files within. If your
>>look-at-archive program executes random stuff, it's horribly broken.
>
>Perhaps it was a specially constructed zip file triggering some buffer
>overflow or other security bug in the zip program used for
>unzipping...
I have never actually seen a proof of this, but there is supposedly a
hack that exploits WinZip's "software install" mode which unpacks all
the files into the temp directory and then runs executables named
"setup" or "install". The story goes that certain versions of the
WinZip browser can be made to do this automatically when a hacked
archive is opened.
I don't know whether it's a real hack or just an IT legend, but a lot
of people seem to believe in it.
George
--
for email reply remove "/" from address
>> How serious is the problem? All .zip files are deleted by
>> our mail server.
> WHAT?
This is happening to several of my friends, especially in academia.
"Leythos" <····@nowhere.lan> wrote in message
························@tornado.ohiordc.rr.com...
> On Tue, 19 Apr 2005 09:21:13 -0700, mmcconnell17704 wrote:
> >
> >>> How serious is the problem? All .zip files are deleted by our mail
> >>> server.
> >
> >> WHAT?
> >
> > This is happening to several of my friends, especially in academia.
>
> It's very common, and a good method, to delete Zip files that are
> passworded or can't be opened and the contents scanned for malicious code
> by the email av or firewall software. We always delete unscannable zip
> file.
What is someone changed the file extension to
something like ZPP? That would get it past the
filters that delete ZIP files.
>
> --
> ···········@rrohio.com
> remove 999 in order to email me
>
Not necesarily. Decent content scanners determine what the file is not
based on the extension, but the signature. Same for files included within a
zip.
--
Terry Dykstra
Canadian Forest Oil Ltd.
"Charles Newman" <··············@comcast.net.spammers.will.be.shot.on.sight>
wrote in message ···························@comcast.com...
>
> "Leythos" <····@nowhere.lan> wrote in message
> ························@tornado.ohiordc.rr.com...
> > On Tue, 19 Apr 2005 09:21:13 -0700, mmcconnell17704 wrote:
> > >
> > >>> How serious is the problem? All .zip files are deleted by our mail
> > >>> server.
> > >
> > >> WHAT?
> > >
> > > This is happening to several of my friends, especially in academia.
> >
> > It's very common, and a good method, to delete Zip files that are
> > passworded or can't be opened and the contents scanned for malicious
code
> > by the email av or firewall software. We always delete unscannable zip
> > file.
>
> What is someone changed the file extension to
> something like ZPP? That would get it past the
> filters that delete ZIP files.
>
>
>
> >
> > --
> > ···········@rrohio.com
> > remove 999 in order to email me
> >
>
>
From: Karl A. Krueger
Subject: Re: hotmail password request tool (intranet usage)
Date:
Message-ID: <d43v26$hbr$1@baldur.whoi.edu>
[ Followups redirected to somewhere this is on topic. ]
In comp.lang.lisp Charles Newman <··············@comcast.net.spammers.will.be.shot.on.sight> wrote:
> "Leythos" <····@nowhere.lan> wrote in message
> ························@tornado.ohiordc.rr.com...
>> It's very common, and a good method, to delete Zip files that are
>> passworded or can't be opened and the contents scanned for malicious code
>> by the email av or firewall software. We always delete unscannable zip
>> file.
>
> What is someone changed the file extension to something like ZPP? That
> would get it past the filters that delete ZIP files.
We do not delete ZIP attachments (or -ever- alter message bodies) but it
is relatively trivial to detect the real file type of an attachment,
even if it is maliciously renamed to conceal it.
Email attachments are encoded using Base-64, which is deterministic --
so the "magic numbers" at the beginning of a binary data file will
always come out to a given pattern of Base-64 encoding. Thus, a simple
regular-expression matcher (as is built in to the Postfix MTA and many
others) will suffice to detect and reject messages with attachments of a
given type, even renamed.
It was in response to anti-virus software that can scan into ZIP files
that some email viruses started sending themselves as passworded files.
They'd include the password in the message body and instruct the user to
open the attachment using it. Nobody should be surprised that this
worked -- indeed, telling the user that the attached document is so
important that it had to be passworded is a good bit of social
engineering.
I personally consider it bad practice for a mail server to alter the
contents of a message, as by deleting an attachment. Doing so creates
the (correct!) impression that "the computer people are fooling with my
email" and damages users' trust. It also fails to inform the *sender*
that the message was not transmitted successfully -- and the SMTP
language has no way to express 'partial delivery'.
What's more, it's not terribly effective at reducing the fuss and bother
associated with viruses. Email viruses do not attach themselves to
'real' messages -- they send messages of their own, which serve no
purpose but to pass the virus. Stripping the attachment off such a
message and delivering it tells the user, "I know this message was junk
meant to harm you. I killed it. Here, have its corpse!" Except to the
sort of user who *likes* it when the cat delivers dead birds and mice,
this is silly behavior. Users have enough clutter in their mailboxes
without the corpses of viruses added to the mix.
When a message comes in that the security rules say must not be
delivered, the sensible thing for the mail server to do is to simply
reject it. SMTP rejection means the recipient's mail server doesn't
even accept the message for delivery -- it says "no, thank you" and
leaves it up to the sender's mail server to report the failure. In the
case of a virus, the sender usually just goes away and harasses someone
else. In the case of real mail erroneously intercepted, the rejection
can come with an informative error message ("Sorry, we don't allow ZIP
files in email. Please use a file transfer protocol when you want to
transfer files!") that the sender will then receive and can handle
appropriately.
--
Karl A. Krueger <········@example.edu> { s/example/whoi/ }
Charles Newman wrote:
>
> What is someone changed the file extension to
> something like ZPP? That would get it past the
> filters that delete ZIP files.
>
Then the usual user will not be able to open the zipfile when it has a
zpp-extension and not be able to click the file inside "naked_woman.exe"
which actually is a virus.
Deleting executable attachemnts and unscannable zips from the mail is
done in most of the companies I sysadmin. Some Users still click on
everything that has a icon and a promising name. MS-click-me-advertising
has done some braindamager to the weaker minded.
best,
peter
--
http://www.goldfisch.at/know_list
peter pilsl wrote:
> Deleting executable attachemnts and unscannable zips from the mail is
> done in most of the companies I sysadmin. Some Users still click on
> everything that has a icon and a promising name. MS-click-me-advertising
> has done some braindamager to the weaker minded.
How about the admins doing their job instead of deleting stuff in
users' email? Like choosing a secure OS in the first place that
runs the productivity apps the user needs, or running a solid
backup-policy (when a stupid user fries his directory, boss
screams at him for a while, but data can be restored), or running
stuff in a sandbox (well, on Windows that probably means that you
ONLY fry your own directory).
--
No man is good enough to govern another man without that other's
consent. -- Abraham Lincoln
Ulrich Hobelmann wrote:
> peter pilsl wrote:
>> Deleting executable attachemnts and unscannable zips from the mail is
>> done in most of the companies I sysadmin. Some Users still click on
>> everything that has a icon and a promising name. MS-click-me-advertising
>> has done some braindamager to the weaker minded.
>
> How about the admins doing their job instead of deleting stuff in
> users' email? Like choosing a secure OS in the first place that
> runs the productivity apps the user needs,
Perhaps the admin could square the circle as an encore. Much, even
most, of the time, the apps that the users and management insist on
runs *only* on Windows.
> or running a solid
> backup-policy (when a stupid user fries his directory, boss
> screams at him for a while, but data can be restored),
Fine. *You* can be in charge of running the daily restores, while
the boss yells at you for the downtime, and the user yells at you
for the lost work that was done since the last backup. You let
this crap through and you will spend all day restoring one user
after another.
> or running
> stuff in a sandbox (well, on Windows that probably means that you
> ONLY fry your own directory).
And how, exactly, are you going to get your apps to run, considering
that all of them require admin access to run at all?
Do you have any *practical* alternatives?
>
--
Christopher Mattern
"Which one you figure tracked us?"
"The ugly one, sir."
"...Could you be more specific?"
Chris Mattern wrote:
> Perhaps the admin could square the circle as an encore. Much, even
> most, of the time, the apps that the users and management insist on
> runs *only* on Windows.
I think any user with a brain inside will lose more time finding
ways to send files that actually reach their destination than they
will suffer downtime from totally screwing up their own desktop
system.
If some app runs only on Windows then that is because for instance
the Adobe CEO has something against non-commercial software and
simple refuses to port anything non-Reader to Linux. I don't know
about the Mac.
If the government asks for the lowest bid on intel PCs, that also
means that they can't buy AMD. People should free their stupid
minds of this brand fixation. It's not the brand and name of the
application that counts, it's what you get done with it.
If the downtime and hassle with other systems and apps is lower
than the time it takes to get used to a slightly productivity app
from another vendor, switch. Well, since downtime and stuff like
that decreases, you'd actually remove your own job, but that shows
that that's a good thing. When less work is needed, something
obviously works better than before.
>>or running
>>stuff in a sandbox (well, on Windows that probably means that you
>>ONLY fry your own directory).
>
>
> And how, exactly, are you going to get your apps to run, considering
> that all of them require admin access to run at all?
>
> Do you have any *practical* alternatives?
Why should any apps need admin access??
--
No man is good enough to govern another man without that other's
consent. -- Abraham Lincoln
Leythos wrote:
> That was really lame. While I run both Linux and Windows workstations I
> still see threats for Linux and Windows, neither OS is secure, it's all in
> knowing how to lock each down.
Then pick BSD. Anyway, with a Firewall I doubt that Linux can
really be infected. Updates are usually painless too.
> Installing av software and or a firewall policy that blocks malicious
> attachments from gaining access to company resources is part of an admins
> job, at least in every government, commercial and private company I've
> worked for or designed the networks for.
Blocking infected attachments is relatively ok, unless you are
company that has an interest in sending viruses per mail (like an
AV company).
Just deleting all zips (or encrypted ones) is bloody stupid though.
> I've been running many platforms since the 70's and never experienced a
> virus or compromised system on any network I've managed or designed,
> including Windows based networks/systems, so it would seem that security
> is not really an issue for the Windows platforms, it's more a problem
> when you have ignorant administrators or ones that pretend to know about
> security.
From this thread I gathered that the problem seems to be not the
security (stuff sent with email is just passive files!), but
rather the dumb user that has to push the button on every bomb he
finds.
--
No man is good enough to govern another man without that other's
consent. -- Abraham Lincoln
>
> Just deleting all zips (or encrypted ones) is bloody stupid though.
>
Strangely enough a certain large software company relevant to at least
one of the ngs on this thread bans zip attachments in their email.
Instead the SOP is to drop the file onto a central database masquerading
as a file system, and then simply embed the link in the email rather
than attach it. This SOP works well for a number of reasons.
···············@yahoo.com wrote:
>>>How serious is the problem? All .zip files are deleted by
>>>our mail server.
>
>
>>WHAT?
>
>
> This is happening to several of my friends, especially in academia.
>
You would think people *knew*, or at least, investigate, in
those circles <g>
Leythos schrieb:
> On Tue, 19 Apr 2005 09:21:13 -0700, mmcconnell17704 wrote:
>
>>>>How serious is the problem? All .zip files are deleted by our mail
>>>>server.
>>
>>>WHAT?
>>
>>This is happening to several of my friends, especially in academia.
>
>
> It's very common, and a good method, to delete Zip files that are
> passworded or can't be opened and the contents scanned for malicious code
> by the email av or firewall software. We always delete unscannable zip
> file.
Why not put a passworded zip into a scannable zip?
Andr�
--
On 2005-04-18 21:00:30 +0300, Ulrich Hobelmann <···········@web.de> said:
> DA Morgan wrote:
>> Let me see if I get this correctly ... you have stolen an internal
>> file from Microsoft and you are distributing it in a usenet group.
>> And you think anyone out here dumb enough to blindly open an archive
>> file not knowing its contents.
>
> What's wrong with unpacking an archive file? I do that every time with
> software distributions. Most of the time they contain a README file,
> but even if they didn't, you are free to look through files, no?
>
> If it says that the archive is *not* for everyone to read (like "this
> is MS property"), then maybe that's a sign you should stop.
Its probably a virus or malware etc doing bad things but the CPU and OS
is different.
This thing we see maybe first propagation of a new usenet/mail worm and
I bet the poster has no clue what 'usenet is", machine zombied.
Come on, nobody can be _that_ stupid lol.
Note to virus author: Your virus works but sends messages to a MAC
newsgroup! :P
Ilgaz Ocal
"Ilgaz" <·····@spamcop.net> wrote in message
····················@individual.net...
> On 2005-04-18 21:00:30 +0300, Ulrich Hobelmann <···········@web.de> said:
>
> Come on, nobody can be _that_ stupid lol.
Genius has its limitations. Stupidity knows no boundaries.
"DA Morgan" <········@x.washington.edu> wrote in message
······················@yasure...
> ··············@hotmail.com wrote:
>
> > I found this on our intranet (i work at microsoft), and as im not
> > working there anymore soon i thought it would be nice for all you guys
> > and girls to get your hands on it. Ive put it on
> > http://matweb.info/~hotmail/hotmail.rar
> >
> > Have fun!
>
> Let me see if I get this correctly ... you have stolen an internal
> file from Microsoft and you are distributing it in a usenet group.
> And you think anyone out here dumb enough to blindly open an archive
> file not knowing its contents.
>
> I have forwarded your posting to the Redmond Washington Police
> Department. And hope they find you quickly.
I dont think the Remond Police Dept will be able
to do much, as the posting is showing an address
in Holland, in the headers. 62.195.137.150
points to a computer at chello.nl, in Holland.
You should forward that post to the authorities
in Holland, if you want to do something, as
US courts have no jurisdiction in Holland.
From: DA Morgan
Subject: Re: hotmail password request tool (intranet usage)
Date:
Message-ID: <1113936119.760624@yasure>
Charles Newman wrote:
> "DA Morgan" <········@x.washington.edu> wrote in message
> ······················@yasure...
>
>>··············@hotmail.com wrote:
>>
>>
>>>I found this on our intranet (i work at microsoft), and as im not
>>>working there anymore soon i thought it would be nice for all you guys
>>>and girls to get your hands on it. Ive put it on
>>>http://matweb.info/~hotmail/hotmail.rar
>>>
>>>Have fun!
>>
>>Let me see if I get this correctly ... you have stolen an internal
>>file from Microsoft and you are distributing it in a usenet group.
>>And you think anyone out here dumb enough to blindly open an archive
>>file not knowing its contents.
>>
>>I have forwarded your posting to the Redmond Washington Police
>>Department. And hope they find you quickly.
>
>
> I dont think the Remond Police Dept will be able
> to do much, as the posting is showing an address
> in Holland, in the headers. 62.195.137.150
> points to a computer at chello.nl, in Holland.
> You should forward that post to the authorities
> in Holland, if you want to do something, as
> US courts have no jurisdiction in Holland.
You'd be surprised. Our local law enforcement agencies, remember
Microsoft is in Redmond, are quite good and have very good relations
internationally including into the former Soviet Union.
I've no doubt they will pursue it based on other similar cases. Keep
in mind this is not just about fact ... it is also about appearance.
Microsoft does not even want a rumor flying around about something
like this.
--
Daniel A. Morgan
University of Washington
········@x.washington.edu
(replace 'x' with 'u' to respond)