First Shockwave virus (amazing shite)

If this just doesn't take the cake. Sophos, antivirus company based out of the UK, was the first to detect this new strain of "viruses".

The following is quoted from www.xatrix.org :

Quote:

---

End users who browse an affected website may become infected if they download and open the Flash file on their computer.

Computer users visiting snazzy sites would get more than they bargained for if they downloaded this virus. The Shockwave virus is not yet in the wild, but it is clear proof that virus writers continue to search for new ways to infect computer users. The best defence is to keep your security software up-to-date and practise safe computing.

Sophos recommends webmasters put in place procedures and policies to ensure the integrity of the code they place on their websites, whether it be obviously executable (in the case of, for instance, EXE and COM files) or Shockwave Flash movies.

Sophos has issued a detailed analysis and protection against the SWF/LFM-926 virus.

---

Normally I don't write up on things like this since Matty_Cross does a much better job of it than I could ever do, however, this is something interesting as it's in the browser and could be machine dependent (as $ENV{} variables are passed along). Glad I don't care too much for shockwave or flash...

Yes this is crazy - there seems to be no limit on what virus creators will use to distribute their viruses. Security Focus also has an article up, here is the link:

http://www.securityfocus.com/news/303

What will they come up with next? I'm afraid to ask :)

That just made my day. Another reason why flash sucks. Well I guess it's good to know about it then download it later, lol.

Yeah...I've never been a staunch advocate of the use of "bells-and-whistles" programs to make a website spiffy. Loadtimes increase with every picture, graph, flash, shockwave, etc that has to be used in order to just make the front-end look "good". CGI is different in the aspect that while the page is loading, it's running, and when you get the data, it's current to whatever the specs of the script is.

I recommend the following for cgi scripts being used in pages, especially high-traffic ones:

1: create a "Page is loading and data is being gathered" page that's displayed while a boolean cgi-variable is set to FALSE.

2: when the data is gathered, and the cgi variable that's FALSE is set to TRUE, have it dump the data to the web page that's created on the fly (static page with dynamic content), load the page.

Fairly fast and works for me, as long as you don't try to dump half the planet to disk and expect it to write amazingly fast (unless your *nix server is really high-end hehe).

It's amazing what these people are able to do, just about anything can be infected with a virus and I'm guessing that it's only gonna get worse.

I read the other day that someone managed to shut down some types of Nokia phones by sending an SMS, which prevented them from being turned unless a new SIM card was inserted.

Greg

All these vulnerabilities are nuts! People say in the future that they want everything connected to everything (i.e. the radio to the internet) but look how things are now. LoL. You would have to spend your day downloading DAT files for your TV, hehe... :p

Quote:

---

Originally posted by uraloony
All these vulnerabilities are nuts! People say in the future that they want everything connected to everything (i.e. the radio to the internet) but look how things are now. LoL. You would have to spend your day downloading DAT files for your TV, hehe... :p

---

That would be scary. Imagine if your on a heart machine that was controlled from the hospital (via internet), if a virus or cracker took it over than you would be screwed. Or if your house was all connected and computers, then someone can annoy you by playing with water temps, lights, and everything else.

Bill gates is trying to make a house like that. Go here for the story.

It seems this virus is more a nuisance than a real security threat. As VIRUSLIST reports it needs quite a few variables in it's favour to work-

Quote:

---

Reported by VirusList
A detailed analysis of LFM has shown that the current virus is more proof-of-concept than presenting a real threat to Internet users. In order to spread, this malicious program requires several important conditions, whose simultaneous execution is highly unlikely. First of all, LFM requires that a computer has been installed with a full program version that executes Macromedia Shockwave files - special plug-in versions installed on Internet Explorer and Netscape Navigator by default are not enough for the virus to operate. Secondly, a user has to manually download the infected SMF file to his computer and start it up. Thirdly, LFM is only capable of infecting SMF files located in the same directory as the file-carrying virus.

---

As you can see it would be highly unlikely for this virus to "take hold" but all the same, it's out there!

Yeah...sounds pretty tough eh? But the main impact of risk, or so I've heard, is that a buffer overflow can be used to execute arbitrary code stored in the SWF file. "Bad" arbitrary code causes the plugin to crash the browser. "Good" arbitrary code can execute a program on the browser's computer. This can be used to propogate a virus, worm, or do other harmful tasks.

[P.S. - I got this (almost exact copy) in an email]

I've read about the vulnerability also but I've also read that it's a low threat and there's already a patch availably from macromedia.

Quote:

---

The virus, dubbed SWF/LFM.926, is low risk because it must be downloaded manually and cannot spread itself to other computers over e-mail or through Web browsers like many other viruses can, experts said.

---

Macromedia will release information on the virus and patch at http://www.macromedia.com/support/flash/.

More info available here.


Remote_Access_

Quote:

---

Macromedia will release a workaround to disable the file association between Flash files and the local Flash player within a couple of days, Macromedia's Santangeli said. In addition, the company plans to close the hole in the player by the next version.
Quote from C|Net article

---

I would really have to ask, what kind of a work around is disabling the file associations. If the user is a flash developer, (and you know there are lots of them) then this will just get in be a nuisance.


quote:
--------------------------------------------------------------------------------
The virus, dubbed SWF/LFM.926, is low risk because it must be downloaded manually and cannot spread itself to other computers over e-mail or through Web browsers like many other viruses can, experts said.
--------------------------------------------------------------------------------

Ever been to Joe Cartoon ? This site is packed with flash animations for which its easy for a general user to download and play later from their computer.
While this Flash virus is just a proof-of-concept virus, and has a low spread threat, it is still a danger, as flash is one of the most common things found on the internet.
I have seen people who can't even send emails properly figuring out how to leech the flash animations off sites.. its not hard to do, and they share them... this makes the propagation of the virus a lot easier...

Quote:

---

Originally posted by Matty_Cross


I have seen people who can't even send emails properly figuring out how to leech the flash animations off sites.. its not hard to do, and they share them... this makes the propagation of the virus a lot easier...

---

How very true....


"Hey look everyone! Frog in a blender! How funny! Lets double click it! That's the funniest thing I've seen!............How come my PC wont boot?"


Remember The Preacher telling us about people on his network using Tiny Firewall? "What's this Sub7 thing that keeps asking for access? I'd better just let it so it stops bothering me."


You can have the best security in the world but most vulnerabilities come come from the inside.......Mainly, peoples stupidity or ignorance.

Quote:

---

I would really have to ask, what kind of a work around is disabling the file associations. If the user is a flash developer, (and you know there are lots of them) then this will just get in be a nuisance.

---

It's exactly that, hehe...a 'workaround' whereas an actual "fix" would involve a code change or something of the kind, not just disabling something. Programmers are often stuck in meetings and spending less than half their day actually programming and still expected to meet deadlines so they end up hurrying to make it and overlook something invariably important. This is just the beginning I'm afraid and now it's time for people like us to step up and figure out how these things work so we can fix them. Being one step ahead of the game is a good thing and this is where open source really shines. That's just my opinion though...

Conf1rm3d_K1ll had it right by saying that the threat a lot of times comes from users from within your network. You can place a lot of security on the perimeter, but there are some things that your users can do to still infect systems. And the bad thing, they don't know the difference; we try to educate them, but that's never 100%. We just have to constantly be on our toes and watching out as best as we can. Viruses are just something we will be living with - whether it's a simple script file that comes in via email or the newly recognized Flash exploits (although not a huge problem now, but potentially could be). We'll just have to deal with them.

Quote:

---

Originally posted by Vorlin


It's exactly that, hehe...a 'workaround' whereas an actual "fix" would involve a code change or something of the kind, not just disabling something. Programmers are often stuck in meetings and spending less than half their day actually programming and still expected to meet deadlines so they end up hurrying to make it and overlook something invariably important. This is just the beginning I'm afraid and now it's time for people like us to step up and figure out how these things work so we can fix them. Being one step ahead of the game is a good thing and this is where open source really shines. That's just my opinion though...

---

Well, generally, workarounds are to allevate the problem that is faced, but in a temporary manner, whereas the fix is the solid solution to the problem.

I don't see this as being a workaround, as it doesn't actually help anything. It just makes the problem more unbearable by taking away from the functionality of your system.

But that's just my view on the matter. ;)
Rather than applying the workaround, I think I'll just wait for my antivirus software to detect it.

Quote:

---

Rather than applying the workaround, I think I'll just wait for my antivirus software to detect it.

---

Yeah, hehe...aren't those guys pretty much on top of it all? Then again, for all we know, these "virus writers" could very well be on the antivirus' companies payroll (not like that hasn't been brought up countless times, haha).

Quote:

---

Originally posted by Vorlin


Yeah, hehe...aren't those guys pretty much on top of it all? Then again, for all we know, these "virus writers" could very well be on the antivirus' companies payroll (not like that hasn't been brought up countless times, haha).

---

You know, I've wondered that before, hmmm :) How would we ever know? The same goes for releasing things like movies, music CD's, etc, before they are even released to the public - somebody is corrupt working from the inside and giving this stuff out. So I wouldn't be at all surprised if there were some virus writers working at antivirus companies. Who knows :)