
Bubble boy pre-variant


adle...@my-deja.com

Nov 16, 1999, 3:00:00 AM
I had seen in October a Worm that seemed to do as BubbleBoy. Infected
upon opening, when I tried to contact av vendors on this issue didn't get
too much assist. Submitted samples and submitted the VB code only to
hear a month later a certain AV Vendor found a new type of virus
(bubbleboy). I was wondering if anyone else had or seen a Bubbleboy
prevariant.



Nick FitzGerald

Nov 16, 1999, 3:00:00 AM
adle...@my-deja.com wrote:

> I had seen in October a Worm that seemed to do as BubbleBoy. Infected
> upon opening, when I tried to contact av vendors on this issue didn't get
> too much assist. Submitted samples and submitted the VB code only to
> hear a month later a certain AV Vendor found a new type of virus
> (bubbleboy). I was wondering if anyone else had or seen a Bubbleboy
> prevariant.

Perhaps you had one of the exploits based on Georgi
Guninski's (sp?) original discovery and reporting of
the ActiveX hole that BubbleBoy subsequently used.
If so, it was most likely non-viral -- I do not
recall any suggestion that any of those exploits
were viral, although the possibility was obviously
there that this exploit could be used for viral or
Trojan purposes.


--
Nick FitzGerald

John Morris

Nov 16, 1999, 3:00:00 AM
Guninski's original exploit, published in late-august, was not Viral and was
web-based. Although benign, it could just as easily have been delivered via
Email for annoyance value.

John Morris

"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote in message
news:01bf3078$57604940$6af0a7cb@mobilenick...

waerlog

Nov 16, 1999, 3:00:00 AM
> Guninski's original exploit, published in late-august, was not Viral and was
> web-based. Although benign, it could just as easily have been delivered via
> Email for annoyance value.
>
> John Morris

Yes, but one wonders why Microsoft didn't issue a patch in late-august, and
if they did, why nobody applied it... It is not a big leap from HTML web
page to HTML email...


waerlog

Kruse Security Advisement

Nov 16, 1999, 3:00:00 AM

waerlog <wae...@nospam.com> wrote in message
news:oOkY3.2982$fy1...@tundra.ops.attcanada.net...
Actually it's just a small step - especially in Outlook because they're
displayed in IE. The use of IE allows both plain text and HTML Email
messages to be viewed in Outlook Express. Security issues in Outlook Express
are handled by Internet Explorer. That's why the hole is big enough for a
truck to drive through!! I simply can't understand why there's not a lot
more fuss about this!! I believe future attacks of virus and trojans are
being aimed against such holes. And why shouldn't they - that's the best and
most simple way to spread.

Kind regards
Peter Kruse (peter...@it.dk)
http://home13.inet.tele.dk/kruse
_buff0_ file://AKRUSEAAAA
what do you want to save today?

Jeffrey A. Setaro

Nov 16, 1999, 3:00:00 AM
In article <oOkY3.2982$fy1...@tundra.ops.attcanada.net>,
wae...@nospam.com says...

>
> Yes, but one wonders why Microsoft didn't issue a patch in late-august, and
> if they did, why nobody applied it... It is not a big leap from HTML web
> page to HTML email...
>

Huh? What? I suspect more than a few people did apply the patch shortly
after it was released (I know I did)... The problem is that most people just
don't think about, care about, or understand security. They just go about
their daily lives and never consider security (be it personal or data) until
something bad happens. Unfortunately by then it's often too late to do
anything about it.

Sheesh... I've got a local company that's been hit by CIH, Melissa,
Happy99, PrettyPark, & Explore_Zip in the past 12 months and still hasn't
installed any anti-virus software. Senior management simply doesn't
understand or care about the problem.

--
Cheers-

Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/~jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99

Nick FitzGerald

Nov 16, 1999, 3:00:00 AM
John Morris <jmo...@nortelnetworks.com> wrote:

> Guninski's original exploit, published in late-august, was not Viral and was
> web-based. Although benign, it could just as easily have been delivered via
> Email for annoyance value.

Did he not say this himself, in announcing his "discovery"?

If he didn't, I'm sure someone did *publicly* within hours...


--
Nick FitzGerald

Richard Lupu

Nov 16, 1999, 3:00:00 AM
If I am not mistaken MS did in fact issue a patch within a week or two
of the security issue being known. I cannot recall the exact
date it was issued but I installed it on my machines on
Sept 15th, 1999. I am not positive but I think it
was available before that. As Zulu himself said earlier I am
surprised at all the media attention BB has caused. Any system
updated at all is protected regardless of AV software, not that
I would ever recommend not using AV Software.

Rich
On Tue, 16 Nov 1999 22:22:12 GMT, "waerlog" <wae...@nospam.com>
wrote:

>> Guninski's original exploit, published in late-august, was not Viral and was
>> web-based. Although benign, it could just as easily have been delivered via
>> Email for annoyance value.
>>
>> John Morris
>
>Yes, but one wonders why Microsoft didn't issue a patch in late-august, and
>if they did, why nobody applied it... It is not a big leap from HTML web
>page to HTML email...
>
>waerlog


Nick FitzGerald

Nov 17, 1999, 3:00:00 AM
waerlog <wae...@nospam.com> wrote:

> Yes, but one wonders why Microsoft didn't issue a patch in late-august, and

MS did -- it may have been early September, but I'm sure
you'll find the patch so many are now rushing to d/l is
an "old" one.

> if they did, why nobody applied it... It is not a big leap from HTML web
> page to HTML email...

People did not apply it because they were mostly unaware
of it. Next, of those who heard of it, it would have
sounded so weird and esoteric, that a goodly proportion
of them would have shrugged their shoulders and decided
it sounded like too much trouble for something they did
not see as directly affecting them. This was probably
compounded by the old "if it ain't broke, don't fix it"
attitude of so many less-than-security-conscious system
admins. (And note that most SOHO/home user types do not
consider themselves as system admins and/or do not
consider that security issues matter because "we're all
friends/relatives here"...)


--
Nick FitzGerald

kurt wismer

Nov 17, 1999, 3:00:00 AM
On Tue, 16 Nov 1999, waerlog wrote:

> > Guninski's original exploit, published in late-august, was not Viral and was
> > web-based. Although benign, it could just as easily have been delivered via
> > Email for annoyance value.
> >
> > John Morris
>
> Yes, but one wonders why Microsoft didn't issue a patch in late-august, and
> if they did, why nobody applied it...

i think you missed something... ms did, and people did... haven't you
noticed a lack of "in the wild" reports for bubbleboy?

--
"read my writing on the wall
no one's here to catch me when i fall
if ignorance is bliss
then knock the smile off my face"


waerlog

Nov 17, 1999, 3:00:00 AM
kurt wismer <a324...@cdf.toronto.edu> wrote in message
news:Pine.GSO.3.95.991116203715.3356E-100000@eddie...

> > Yes, but one wonders why Microsoft didn't issue a patch in late-august, and
> > if they did, why nobody applied it...
>
> i think you missed something... ms did, and people did... haven't you
> noticed a lack of "in the wild" reports for bubbleboy?

I think I actually remember downloading that patch ages ago... I usually
just grab updates as they appear and don't pay a lot of attention to what MS
says the fix is for, since they are innumerable...

But why is it such a big deal for our friends in the media? (btw, doesn't
Zulu's public posting of it technically make BubbleBoy in the wild, or is
that just an issue of semantics?)

waerlog

cj...@my-deja.com

Nov 17, 1999, 3:00:00 AM
In article <80sb2a$ecm$1...@nnrp1.deja.com>,

adle...@my-deja.com wrote:
> I had seen in October a Worm that seemed to do as BubbleBoy. Infected
> upon opening, when I tried to contact av vendors on this issue didn't get
> too much assist. Submitted samples and submitted the VB code only to
> hear a month later a certain AV Vendor found a new type of virus
> (bubbleboy). I was wondering if anyone else had or seen a Bubbleboy
> prevariant.

Which company did you contact?

We have had, for many months, even years, HTML activated code hidden in
email messages.

Bubbleboy happens to be the first one that manages to re-send itself and
spread. (Not to say it's ITW.)

Our definitions may not match the general public's. For instance, I
read all over the place people saying, "It's not a virus. It's a worm."

Those people don't work in the AV industry. The most commonly accepted
definition is that worms are a type of virus. And "viruses spread."

Jimmy
jk...@nai.com

John Morris

Nov 17, 1999, 3:00:00 AM

<cj...@my-deja.com> wrote in message news:80trs0$guq$1...@nnrp1.deja.com...

> In article <80sb2a$ecm$1...@nnrp1.deja.com>,
> adle...@my-deja.com wrote:

<SNIP>

> We have had, for many months, even years, HTML activated code hidden in
> email messages.
>
> Bubbleboy happens to be the first one that manages to re-send itself and
> spread. (Not to say it's ITW.)

Active Content / mobile code (java, javascript, Active X, VBscript) on the
web is a necessary evil these days. But Active Content embedded directly in
HTML Email is just a really, really bad idea. I have never seen this
technology being used for good purposes, only bad.

As a pro-active measure against the next Bubble-Boy worm or Active X
exploit, I turned it off in my Email & newsgroup browsers. I highly recommend
everyone else does so as well.

Hopefully the vendors (Microsoft, Netscape, etc) will eventually realize
active content in Email is an unwanted piece of functionality.

Cheers, John


kurt wismer

Nov 17, 1999, 3:00:00 AM
On Wed, 17 Nov 1999 cj...@my-deja.com wrote:

> In article <80sb2a$ecm$1...@nnrp1.deja.com>,
> adle...@my-deja.com wrote:

> > I had seen in October a Worm that seemed to do as BubbleBoy. Infected
> > upon opening, when I tried to contact av vendors on this issue didn't get
> > too much assist. Submitted samples and submitted the VB code only to
> > hear a month later a certain AV Vendor found a new type of virus
> > (bubbleboy). I was wondering if anyone else had or seen a Bubbleboy
> > prevariant.
>
> Which company did you contact?
>

> We have had, for many months, even years, HTML activated code hidden in
> email messages.
>
> Bubbleboy happens to be the first one that manages to re-send itself and
> spread. (Not to say it's ITW.)
>

> Our definitions may not match the general public's. For instance, I
> read all over the place people saying, "It's not a virus. It's a worm."
>
> Those people don't work in the AV industry. The most commonly accepted
> definition is that worms are a type of virus. And "viruses spread."

that's because you av industry types still cling to cohen... most of us
around here are talking about dr.solly's "real virus" when we say virus...

(also, have you checked out the definition in f-prot's documentation lately?
i would hazard a guess that frisk is part of the av industry)

kurt wismer

Nov 17, 1999, 3:00:00 AM
On Wed, 17 Nov 1999, waerlog wrote:

> kurt wismer <a324...@cdf.toronto.edu> wrote in message
> news:Pine.GSO.3.95.991116203715.3356E-100000@eddie...
> > > Yes, but one wonders why Microsoft didn't issue a patch in late-august, and
> > > if they did, why nobody applied it...
> >
> > i think you missed something... ms did, and people did... haven't you
> > noticed a lack of "in the wild" reports for bubbleboy?
>
> I think I actually remember downloading that patch ages ago... I usually
> just grab updates as they appear and don't pay a lot of attention to what MS
> says the fix is for, since they are innumerable...
>
> But why is it such a big deal for our friends in the media?

because that's the way the media works... the more sensational the story
the better their pay...

> (btw, doesn't
> Zulu's public posting of it technically make BubbleBoy in the wild, or is
> that just an issue of semantics?)

no, the public posting puts it in the public domain, it's not in the wild
until it's infecting innocent users...

Nick FitzGerald

Nov 17, 1999, 3:00:00 AM
John Morris <jmo...@nortelnetworks.com> wrote:

> Active Content / mobile code (java, javascript, Active X, VBscript) on the
> web is a necessary evil these days. But Active Content embedded directly in
> HTML Email is just a really, really bad idea. I have never seen this
> technology being used for good purposes, only bad.

Agreed...

> As a pro-active measure against the next Bubble-Boy worm or Active X
> exploit, I turned it off in my Email & newsgroup browsers. I highly recommend
> everyone else does so as well.

But have you??

Several of the IE security holes have involved methods
of getting something you should be warned of, or that
should just silently drop, depending on your
"security" settings, to activate. What *other*, as
yet not publicly exposed methods will be found?

And who will find them first? The MS-hating computer
security guys out to show the world how bad MS'
security awareness really is, or one of the real bad
guys?

If you want to be much safer from MS insecurity issues,
just say no to anything vaguely IE-related. Use a
text-only mailer, or one that can definitely be
securely made to only do text (i.e. that you are sure
you can disable HTML support in). Use a non-IE-based
browser, and note that does not mean "non-MS" as some
of the alternative browsers have no "native" HTML
viewing technology, depending instead on the ActiveX
encapsulations of IE's HTML viewers and thus may have
exactly the same MS security problems.

> Hopefully the vendors (Microsoft, Netscape, etc) will eventually realize
> active content in Email is an unwanted piece of functionality.

I was very saddened to see Netscape add support for
such things to their mailer (not that I particularly
like, or would ever use, it anyway). I guess they were
bending in the same wind as MS -- clueless IT people at
**really big** clients saying "we must have X because
it would be very useful/cool/whatever" and not having
the balls to stand up to that client and say "well, if
that's what you really want, get it somewhere else as
we will not compromise the security of our other users".

A bit of open exposure of some of the behind the scenes
strong-arming that is attempted, and often (usually?)
succeeds, between some of those companies would be a
good thing...


--
Nick FitzGerald

Dmitry Gryaznov

Nov 17, 1999, 3:00:00 AM
kurt wismer wrote:
>
> On Wed, 17 Nov 1999 cj...@my-deja.com wrote:
>
> > In article <80sb2a$ecm$1...@nnrp1.deja.com>,
> > adle...@my-deja.com wrote:
> > > I had seen in October a Worm that seemed to do as BubbleBoy. Infected
> > > upon opening, when I tried to contact av vendors on this issue didn't get
> > > too much assist. Submitted samples and submitted the VB code only to
> > > hear a month later a certain AV Vendor found a new type of virus
> > > (bubbleboy). I was wondering if anyone else had or seen a Bubbleboy
> > > prevariant.
> >
> > Which company did you contact?
> >
> > We have had, for many months, even years, HTML activated code hidden in
> > email messages.
> >
> > Bubbleboy happens to be the first one that manages to re-send itself and
> > spread. (Not to say it's ITW.)
> >
> > Our definitions may not match the general public's. For instance, I
> > read all over the place people saying, "It's not a virus. It's a worm."
> >
> > Those people don't work in the AV industry. The most commonly accepted
> > definition is that worms are a type of virus. And "viruses spread."
>
> that's because you av industry types still cling to cohen... most of us
> around here are talking about dr.solly's "real virus" when we say virus...

So? "real worm" is a type of "real virus", that's it.

--
Sincerely,
Dmitry O. Gryaznov

kurt wismer

Nov 18, 1999, 3:00:00 AM
On Wed, 17 Nov 1999, Dmitry Gryaznov wrote:

> kurt wismer wrote:
> >
> > On Wed, 17 Nov 1999 cj...@my-deja.com wrote:

[snip]


> > > Our definitions may not match the general public's. For instance, I
> > > read all over the place people saying, "It's not a virus. It's a worm."
> > >
> > > Those people don't work in the AV industry. The most commonly accepted
> > > definition is that worms are a type of virus. And "viruses spread."
> >
> > that's because you av industry types still cling to cohen... most of us
> > around here are talking about dr.solly's "real virus" when we say virus...
>
> So? "real worm" is a type of "real virus", that's it.

well, in that case dr. solly is a "real cohen"... ('cause the actual cohen
is unspecific and not very useful in real life)
