*************************************
* *
* DB/C Newsletter *
* July 2001 *
* *
*************************************
News and Comments
The response to DB/C FS 3.0 has been favorable, particularly from those
of you who are using one of the SQL client interfaces.
Next up is the newly renamed DB/C DX 12. (We were previously going to
call it DB/C DX 11.1, but feature creep has set in!) We expect to start
early testing of DB/C DX 12 in September, so if you are interested in helping
us get it ready to ship, email us at support@dbcsoftware.com.
The price for renewing lapsed support for DB/C DX, DB/C FS and DB/C JX
will increase substantially on October 1, 2001. In the past, a lapse in
paying for support increased the price of renewing support by 5% per lapsed
month. Starting in October, the price will increase to 10% per lapsed month.
Note - it will be less expensive to pay for support than to let it lapse.
There has been quite a bit of general media coverage of two recent
viruses - SirCam and Code Red. There have even been some dire predictions
for the havoc that Code Red will cause on August 1st. I realize that people
who loose viruses are really just common criminals. However, the ingenuity
of the virus authors has always intrigued me. Most of the viruses aren't
very novel - they're just knock-offs of earlier viruses. However, some
viruses are quite sophisticated, particularly the SirCam worm.
This month's article is about the SirCam worm. It comes from the
current issue of TidBITS, one of my favorite Internet email newsletters.
(TidBITS' focus is the Apple Macintosh.) I hope you enjoy the article as
much as I did.
Thanks to Jamie McCarthy and TidBITS for allowing us to republish
the article. The SirCam Worm article is Copyright 2001 Jamie McCarthy.
It is reprinted with permission from TidBITS #590, July 30, 2001; see
for more information.
don.wills@dbcsoftware.com
******************************************************************************
The SirCam Worm: Email Exhibitionism
by Jamie McCarthy
The SirCam email worm has been pestering me - and vast numbers of
other people around the world - all week. Luckily, it has been
only an annoyance since I use Mailsmith on Mac OS X and SirCam
infects only PCs running Microsoft Windows. Even so, over the last
ten days it has managed to coerce infected machines into sending
me 250 copies of itself attached to innocuous-sounding documents.
At about 200K apiece (with some documents being much larger),
we're talking some serious wasted bandwidth and disk space.
**How It Works** -- SirCam is a bit more clever than earlier
viruses or worms that exploit weaknesses in Windows or specific
Windows programs. SirCam carries its own SMTP engine, so it needs no
help from the victim's mail program, and uses it to spam itself
not just to contacts in its victims' Windows Address Books, but to
any email addresses found in their Internet Explorer cache as
well. So I've been getting mail from total strangers who just
happened to have visited my Web site recently.
This design means that people with high-profile email addresses
have been hit a lot harder than others. "CmdrTaco" at the popular
geek news and discussion site Slashdot has received about 3,000
copies totalling 600 MB. [Here at TidBITS, we're at about 350
copies so far, but our Web site is read primarily by Mac users who
can't be infected. -Adam] So my own red badge of courage, 250
copies, may sound a little lame, but in my defense, that's not
counting what I've been getting from my biggest fan, a Prodigy DSL
user who has kindly sent me thirty SirCam-generated messages a day
since 27-Jul-01.
I don't count the Prodigy user because I run my own mail server,
which makes it easy to code up a custom filter (I use the Perl
module Mail::Audit). So I've not only been ignoring her mail, but
also sending my helpful commentary on how to stop this flood of
email directly to the president of Prodigy Communications, thirty
times a day. Haven't heard back yet.
[If you don't run your own server and your ISP isn't successfully
blocking the SirCam worm, you can reduce the annoyance level by
setting your email program to skip messages over 100K; in some
programs like Eudora, you can then create filters to look for
SirCam-generated messages and delete them from the server (as
with all destructive filters, be very careful - I'd recommend
invoking them manually until you're certain they're working
properly). The body of a SirCam-generated message always contains
fixed first and last lines in either English or Spanish, and the
attachments always have a .COM, .BAT, .PIF, or .LNK extension
(see the Web pages below for details). For those like Jamie who
run their own mail servers with filtering capabilities, it's
relatively easy to filter out all the SirCam messages because
of the similarities between each message. Here at TidBITS, we
decided to reject all messages with attachments using those file
extensions; however, this approach might create administrative
hassles for others. -Adam]
SirCam replicates in part thanks to the way Windows and at least
some Windows programs (such as older versions of Microsoft Outlook
and Outlook Express, but possibly others) operate by default.
Although Windows relies on a file's extension to decide how to open
it, it hides extensions for known file types from the user by
default, and email programs can do the same. When the worm arrives as the batch file
"COVERAGE OF PEARL HARBOR ATTACK.doc.bat" (an actual example), it
appears to Outlook users as "COVERAGE OF PEARL HARBOR ATTACK.doc"
- seemingly a Microsoft Word document. Double-clicking it opens
the document, but while the user is trying to figure out why
they've received it, the worm infects the PC.
Even this allegedly user-friendly extension hiding feature (which
is slated to appear in Mac OS X 10.1 as well) wouldn't be
sufficient to allow exploitation on many systems, but for the
fact that older versions of Microsoft Outlook don't warn users
that double-clicking an attachment can have serious security
implications. Many other email programs do, and in both July of
1999 and June of 2000 Microsoft patched Outlook to warn users of
potentially dangerous attachments, but downloading and installing
a security patch requires far more attention to security issues
than most users are willing to pay.
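As an added example (not code from TidBITS, Jamie McCarthy, or the DB/C newsletter), here is a server-side filter in Python that applies the traits described in Adam's bracketed note and in the extension-hiding paragraph above: the 100K size threshold, the fixed opening and closing body lines, and an attachment whose real extension is .COM, .BAT, .PIF, or .LNK tucked behind a document-looking name that Windows displays with the final extension hidden. The signature lines are assumed from contemporary antivirus write-ups (the article says they exist but does not quote them), and both messages the script parses are constructed, not real captures.

```python
"""Server-side filter for SirCam-style mail (added example, not the
article's or TidBITS' code).  Checks the traits the article lists: a
message over a size threshold, fixed first/last body lines, and an
attachment whose real extension is .COM/.BAT/.PIF/.LNK hidden behind a
document-looking name that Windows shows with the last extension dropped."""
from email import message_from_bytes
from email.policy import default

# Final extensions the article says SirCam always uses.
DANGEROUS_EXT = {".com", ".bat", ".pif", ".lnk"}

# The article says the body's first and last lines are fixed, in English
# or Spanish, but does not quote them.  These pairs are ASSUMED from
# contemporary antivirus write-ups; verify against your own captures.
SIGNATURE_LINES = (
    ("Hi! How are you?", "See you later. Thanks"),
    ("Hola como estas ?", "Nos vemos pronto, gracias."),
)


def displayed_name(filename: str) -> str:
    """Name as shown with Windows' 'hide extensions for known file types'
    on: the last extension is dropped, so 'x.doc.bat' reads as 'x.doc'."""
    stem, dot, _ = filename.rpartition(".")
    return stem if dot else filename


def final_extension(filename: str) -> str:
    """Lower-cased real (last) extension including the dot, or ''."""
    _, dot, ext = filename.rpartition(".")
    return "." + ext.lower() if dot else ""


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is dangerous AND an inner extension
    precedes it (x.doc.bat): a name built to be misread once hidden."""
    return final_extension(filename) in DANGEROUS_EXT and "." in displayed_name(filename)


def body_matches_signature(text: str) -> bool:
    """First and last non-blank body lines equal one of the fixed pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return bool(lines) and any(
        lines[0] == first and lines[-1] == last for first, last in SIGNATURE_LINES
    )


def classify(raw: bytes, size_limit: int = 100_000) -> dict:
    """Collect evidence and return a verdict: 'reject' when a dangerous
    attachment is present (the TidBITS server rule), 'suspect' when only
    size or the body signature match, otherwise 'pass'."""
    msg = message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    dangerous = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if final_extension(name) in DANGEROUS_EXT:
            # Key on the REAL extension, never on what the user would see.
            dangerous.append((name, displayed_name(name), is_disguised_executable(name)))
    signature = body_matches_signature(text)
    oversized = len(raw) > size_limit
    if dangerous:
        verdict = "reject"
    elif signature or oversized:
        verdict = "suspect"
    else:
        verdict = "pass"
    return {"verdict": verdict, "oversized": oversized,
            "signature": signature, "dangerous_attachments": dangerous}


# CONSTRUCTED message in SirCam's shape (the attachment name is the
# article's own example); not a real capture.
SIRCAM_SAMPLE = b"""\
From: someone@example.com
To: jamie@example.com
Subject: COVERAGE OF PEARL HARBOR ATTACK
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sircam-example"

--sircam-example
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?

(constructed filler standing in for the worm's body text)

See you later. Thanks
--sircam-example
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename="COVERAGE OF PEARL HARBOR ATTACK.doc.bat"

constructed payload bytes, not the worm
--sircam-example--
"""

# CONSTRUCTED benign message with an ordinary .doc attachment.
BENIGN_SAMPLE = b"""\
From: colleague@example.com
To: jamie@example.com
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="benign-example"

--benign-example
Content-Type: text/plain; charset="us-ascii"

Notes from today attached.
--benign-example
Content-Type: application/msword
Content-Disposition: attachment; filename="notes.doc"

constructed document bytes
--benign-example--
"""

if __name__ == "__main__":
    for label, raw in (("sircam", SIRCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(raw))
```

The TidBITS server rule (reject on the attachment extension alone) is the `reject` branch; the 100K threshold and the fixed body lines are weaker signals on their own, so they only produce `suspect`, which is the safer default for a destructive filter. Because the check keys on the real final extension rather than the name a user would see, the double-extension disguise the article describes buys the worm nothing at the mail server.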
**Email Voyeurism** -- The cool thing about the SirCam worm is
that it disseminates itself within a random file from its victims'
desktop or My Documents folder. So every time I receive a copy of
SirCam, I also get a peek into a stranger's hard disk.
Normally I'm not the voyeuristic type, but when goodies arrive
unbidden, I have a hard time throwing them away. I've had splendid
schadenfreudigen fun all week, opening the attachments in BBEdit
and reading private files from other people's lives. Some are
short and dull, others are long and interesting. I've been trading
excerpts with friends over IRC. SirCam has turned into Pokemon:
"Gotta catch 'em all!"
Here are just some of my more interesting finds:
* Form letters and documents detailing job responsibilities for
various positions at Berne University.
* An excerpt from the poem "Dulce et decorum est."
* A monthly lease contract for a band rehearsal studio ("The room
must be left clean, free of damage, and ready to rent to the next
tenant.")
* A half-finished script for a mediation exercise - it ends with
the author dropping into first person: "I'm having allergies right
now, I can't continue. this sucks. My nose is so clogged up."
* A detailed "request for quotation" - with "CONFIDENTIAL" stamped
proudly on it - regarding one Australian company and sent to me
from a different Australian company.
* A weekly schedule for Ivanhoe East Primary School (tea and
coffee are 50 cents a day; good luck to the "boy's" hockey team).
* J____ S____'s contract as a camera operator (eighty bucks an
hour, not bad).
* The complete screenplay to the film Ferris Bueller's Day Off.
* A power-of-attorney letter ("This is to appoint my sister, D____
T____, to act on my behalf in arriving at any legal agreement in
regards to the rental matters of the above mentioned condominium
unit.")
* The name, street address, phone number, work history, and career
goals of that Prodigy user who's been spamming me thirty times a
day.
* A cover letter for a summer internship position at an ironworks.
I contacted the ironworks applicant and we traded a few email
messages back and forth. She doesn't use Microsoft products
herself, but the firm she applied to does.
Therein lies the most frightening thing about this worm: her cover
letter has been sitting on the ironworks' hard disks for months,
and she had no control over its being sent to me. She would never
have known if I hadn't dropped her a line.
I honestly don't much mind my inbox being clogged: I have a cable
modem and I can filter at the server. But despite my best efforts
to avoid Microsoft products - Linux at the server, OpenBSD for a
firewall, Mac OS X on my desktop - my privacy may still have been
compromised. Many of my friends use Windows, and I trust _them_ to
keep secrets about the private information we've shared. The
problem is that I can no longer trust their computers. No matter
how careful we are, the insecure monocultures of Windows and
Outlook turn us all into exhibitionists.
SirCam isn't benign - there's a 1 in 20 chance it will delete all
files on infected hard disks on the 16th of October, and on any
other day there's a 1 in 50 chance it will fill up infected hard
disks. There have been significantly more destructive worms: what
makes SirCam special is the way it randomly exposes our private
information to the world. Perhaps potential embarrassment will
encourage individuals to exercise caution in computing, and also
inspire software companies to produce programs that not only
protect users but also help them become part of the solution.
******************************************************************************
DB/C Class Schedule
Class: DB/C DX and JX Language Fundamentals
Date: September, 2001
Location: Oak Brook, Illinois
For information, send email to admin@dbcsoftware.com.
******************************************************************************
Subscribing to the DB/C Newsletter
If you don't already have the DB/C Newsletter delivered to your email
address and would like to have it emailed to you monthly, just send an
email message to 'dbcnews-subscribe@dbcsoftware.com'. The newsletter will
be delivered to the email address from which the message was sent.