The WMF virus...I'm thinking in paranoid mode

This topic is archived.
McKenzie, Donating Member (1000+ posts), Sat Jan-07-06 03:40 PM
Original message
The WMF virus...I'm thinking in paranoid mode
Edited on Sat Jan-07-06 03:46 PM by McKenzie
I have just spent an hour or so removing a virus - a really nasty one that wiped out .dll files in Norton, disabling the proggie completely including the Live Update function. It required me to piss around in the registry, stop a mysterious application from loading at start-up and then completely reinstall the AV proggie. Whether the virus was the one that was so nasty it prompted Steve Gibson to carry a link to a patch on his website I don't know. Anyway, it's not really relevant if the virus was the recent nasty, in the context of what follows. The incident got me thinking about the lack of a prompt response to the WMF virus from Microsoft.

I started musing about why Microsoft were unable to issue a patch immediately, given that a programmer (Ilfak Guilfanov) could issue a patch well ahead of Microsoft’s belated fix. Consider that the rate of infection was very rapid and required only the simplest of actions to be performed by the user. The virus could have brought down entire networks, including critical economic and utilities infrastructure, which rely on computers that use recent Windows platforms.

The WMF virus seems to have been coded to disable AV proggies (I know that other virii can do that but bear with me) and thus create maximum alarm. The real question is why on earth Microsoft did not respond promptly to such a major threat - it's baffling. As I say above, a programmer was able to write a small patch himself. According to Symantec the virus was first identified on 28/12/05, yet Microsoft did not issue a fix until a couple of days ago, as far as I am aware. WTF is going on here?

Moreover, any savvy virus writer must realise that a major attack on the net is likely to strengthen the case for greater control. Surely that is not in the interest of the Internet community, which they are very much part of, even more so than most people. Is this just some disgruntled misfit at work?

I then remembered the very recent poll that is being run by AoL in which they ask people to comment on the need for greater control over the Internet. Presumably they meant to include Usenet and e-mail in the discussion - I haven't looked at the AoL site in any detail so I don't know if they are referring to the web as a whole or just the net. Anyway, isn't this a tad coincidental? AoL start a big debate on the need for greater control of electronic media and then we get hit with a really nasty virus around the same time. Mmmm...maybe I am just being paranoid. Then again, maybe a major virus infection could be considered as a major turra attack...or used as the cyberspace equivalent of the Reichstag Fire...or events that are more recent in time, whereby the case for greater control then seems obvious in the minds of the public as a whole.

The release of the virus also coincided with the news that Duke Cunningham is probably going to rat on a lot of senior colleagues in his party. It's all over the Internet (it is being discussed on Usenet too, BTW). Now there have been other scandals whereby the spread of news, news that is very unwelcome to certain interests, has been very rapid due to the Internet. The Fitzgerald investigation is one example of a specific case where researchers started to join the dots – many DUers are particularly good at doing just that.

There are now thousands of blogs, and related sites, that are starting to ask very awkward questions on a whole range of very unsavoury issues. More and more people are getting hold of really good information they would not normally get through other media. And anyone can stumble across such sites by accident, read the contents and think "bloody hell"! Were it not for the plethora of such good sites a lot of people would continue to get their information through MSM channels and think everything is just hunky dory. As we all know, the Duke Cunningham case is already all over the Internet and many people are already starting to make connections through using information that is being freely exchanged online...very quickly after it is found, articles written up and so on. But, I'm still not sure if I'm just being overly paranoid.

Then maybe I'd have been accused of paranoia if I was around in 1930s Germany and started questioning the official version. The Nazis knew full well that control of information is essential to maintaining control of the public mind:

The lie can be maintained only for such time as the State can shield the people from the political, economic and/or military consequences of the lie. It thus becomes vitally important for the State to use all of its powers to repress dissent, for the truth is the mortal enemy of the lie, and thus by extension, the truth becomes the greatest enemy of the State.

Joseph M. Goebbels

I think most of us accept that the Internet has the potential to blow the lid off issues that could seriously damage those who hold the reins of power in ways that would be far less easy using MSM channels. Information is power - I believe around 5 corporations now control the majority of radio, television and newspaper outlets in the US. It's not unreasonable, therefore, to suspect that virii could be deliberately released to generate public support for reining in the only real alternative to the MSM. Whoever wrote the WMF virus knew exactly what they were doing - it was designed to cause mayhem and to have a high profile as a result. In effect, it has created fear and alarm. Even if the perpetrators are caught that does not remove the possibility that it was a MIHOP, or a LIHOP, or somewhere between the two.

As for me, I'm going to spend the next few days setting up SUSE Linux and then all my Windblows software is probably going to be given away to charity. SUSE comes with Open Office bundled in, a suite of proggies that is compatible with Microsoft Office. I don't play computer games, which is one real weakness of Linux, so that's not an issue either. I've had enough of the spread of virii, worms and so on that affect Windblows and constant security patches.

Now where did I put the Valium…and the Bacofoil?

RoyGBiv, Donating Member (1000+ posts), Sat Jan-07-06 04:06 PM
Response to Original message
1. Just because you're paranoid ...
Edited on Sat Jan-07-06 04:13 PM by RoyGBiv
...doesn't mean they aren't actually after you.

But seriously, I think the answer is simpler, or at least less conspiratorial than this. Microsoft has *never* concerned itself with correcting flaws with its products in a timely manner, no matter how necessary speed is in a given situation. They are only concerned with selling their product while dominating the market, and they've gone far past the critical point where customer service, which is what this falls under, is a major concern. (This is how they get away with increasingly intrusive methods of piracy prevention that can, literally, cause a home user to spend an entire day just installing an OS after he or she has somehow managed to prove that the install is properly licensed.) A certain level of sustained support for those products is required to sustain total immersion, but the level of "free" support provided becomes less and less necessary the greater the market share they have. Throughout the late '80s and early '90s, Microsoft became an unfortunate addiction, and the problems of withdrawal symptoms by moving to something else are so huge for the market as a whole that it truly doesn't matter what Microsoft does or doesn't do, at least in the short term. Put another way, you'll get nothing and like it.

It's also simply a flaw in their business model. Open Source products would have immediately incorporated the first available comprehensive fix for the flaw. A large number of OSS flaws are fixed *before* they are even announced or at least within a few days of discovery by a third-party review. The last "zero-day" exploit found in Firefox, for example, was patched in less than a week. But, MS doesn't work like that, *can't* work like that, because of how closely they guard their source code and how they manage projects. IOW, how slow Microsoft has been to move on this is not news. It's typical. They have a standard release cycle for updates and patches, and they almost never violate it. In most cases, they couldn't even if they wanted to, again, because of how they work. What is truly amazing is that MS actually developed its own patch for the exploit in as little time as they have.

P.S. If you need any help with SUSE, give a shout. (I'm over in the Computer Help and Support forum regularly.) After flirting with it for years, I finally committed myself to kicking the MS addiction totally and have been running SUSE almost exclusively since last summer. I still have a Windoze install for games and video capture, but that's mostly because I bought my video hardware with Microsoft in mind and not Linux. Recent updates to the X windows system may even remove that need once they are implemented.


McKenzie, Donating Member (1000+ posts), Sat Jan-07-06 04:27 PM
Response to Reply #1
2. Thanks for the offer of help
Edited on Sat Jan-07-06 04:29 PM by McKenzie
I've used various flavours of Linux before (Red Hat and Xandros) and I'm a member of my local Linux User Group which is based in a university computing department.

The main reason I've not gone back to Linux is modem hassle. I tried to get SUSE to recognise a USB-driven ADSL modem but USB modems are a bugger to set up on Linux in my experience. As for trying to get SUSE to recognise an internal Winmodem...waste of time...apart from a few that use Rockwell chipsets most rely on the CPU to do the work that would be done if the Winmodem had all the hardware required to qualify as a true modem. I'm going to buy an external modem that runs through either a serial port or a LAN port - SUSE will recognise it without any problem apparently (it's the X4 made by Zoom and has a built-in firewall).

You are probably correct about M$'s approach to customer care. Nevertheless, I find it baffling that a programmer, who is unlikely to have access to the source code, could write a patch before M$ did. Maybe it's just laziness/poor customer care.

I've never tried editing vids on Linux - I use Pinnacle Studio off a Windblows platform for that and it works just dandy. I'll miss Photoshop too - the Gimp isn't bad but Photoshop (and Paintshop Pro) knocks the Gimp into a cocked hat.

Thanks for your detailed reply - appreciated.

On edit - maybe I'll just run a dual-boot and use Windblows for apps that Linux isn't good at...sigh.
RoyGBiv, Donating Member (1000+ posts), Sat Jan-07-06 05:10 PM
Response to Reply #2
3. The Guilfanov Patch

The reason Guilfanov was able to do it is that it wasn't really a patch in the traditional sense. He modified no files, IOW. The announcement of the flaw indicated the problem, which was with an escape function of the gdi32.dll allowing the execution of code. All he did was modify the .dll as it sat in memory so that it ignored any calls to this function. The problem with it is that if the call was legitimate and necessary for a program's execution, it would break that program. MS had to develop something at the source level that would close the flaw and maintain functionality. It was actually a rather daunting task, because it is a system-level design flaw, and I grudgingly must give MS credit for having dealt with it as quickly as they did. Of course, I feel justified in taking it back again for the original design problem, which should have been obvious, but apparently wasn't.

As for Gimp, I've seen some amazing work done with it, and I know people who can make it sing and swear it is more powerful than any Windows based offering. The problem with it -- and they'll admit this too -- is that it's a pain in the ass to learn how to use. Seems like half the functions are "hidden," i.e. the UI sucks wind, imo.

I do the dual boot thing myself. I just haven't booted Windoze in awhile. I keep it segregated on its own hard drive and intentionally set it up so that Windoze can't even "see" my Linux drive.
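The escape function RoyGBiv refers to is the SETABORTPROC escape that a WMF metafile can ask gdi32.dll to honour, and both the in-memory hotfix and Microsoft's source-level fix turned on whether that escape was acted upon. As an added example, not code from any poster in this thread, from Guilfanov's hotfix or from Microsoft, the Python below walks the record chain of a WMF file by the public MS-WMF layout (placeable header, standard header, then records with a 4-byte size in words and a 2-byte function code) and reports any META_ESCAPE record whose escape number is SETABORTPROC, which is the check a mail gateway or AV engine would apply to inbound images. The header and record layout and the constant values are assumptions taken from the MS-WMF specification rather than from the thread; the sample metafiles are constructed inside the block, and the flagged one carries four zero bytes after the escape number, a marker for the check and nothing more.

```python
import struct

# Constants from the MS-WMF file-format specification (assumed, not from the thread).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_ESCAPE = 0x0626         # record function: pass-through Escape to the driver
META_EOF = 0x0000            # record function: end of metafile
META_SETMAPMODE = 0x0103     # harmless record used in the constructed samples
META_SETWINDOWORG = 0x020B   # harmless record used in the constructed samples
SETABORTPROC = 0x0009        # escape number that registers an abort callback


def iter_wmf_records(data):
    """Yield (offset, function_code, params) for each record in a WMF byte string.

    Skips the placeable header if present, then the standard header (its size in
    16-bit words sits at offset 2), then walks records: 4-byte size in words,
    2-byte function code, parameters. Malformed chains raise ValueError rather
    than ending the walk quietly, so a truncated file is never reported as clean.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    off += struct.unpack_from("<H", data, off + 2)[0] * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"record size too small at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("metafile ended without a META_EOF record")


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose escape number is SETABORTPROC.

    An Escape record's parameters begin with a 2-byte escape number and a 2-byte
    byte count; only the escape number matters for this check.
    """
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def build_wmf(records, placeable=False):
    """Assemble a minimal WMF from (function, params) pairs; used only to construct samples."""
    body = b""
    max_words = 0
    for func, params in records:
        params += b"\x00" * (len(params) % 2)      # records are word-aligned
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    # mtType=2 (disk), mtHeaderSize=9 words, mtVersion=0x300, mtSize (words),
    # mtNoObjects, mtMaxRecord (words), mtNoParameters
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    if placeable:
        header = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


# Constructed samples: a clean metafile, one carrying a SETABORTPROC escape whose
# data is four zero bytes (a marker, not a payload), and the same with a placeable header.
_CLEAN_RECORDS = [
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    (META_EOF, b""),
]
_FLAGGED_RECORDS = [
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    (META_EOF, b""),
]
CLEAN_WMF = build_wmf(_CLEAN_RECORDS)
FLAGGED_WMF = build_wmf(_FLAGGED_RECORDS)
FLAGGED_PLACEABLE_WMF = build_wmf(_FLAGGED_RECORDS, placeable=True)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("flagged", FLAGGED_WMF),
                       ("flagged+placeable", FLAGGED_PLACEABLE_WMF)):
        print(name, "SETABORTPROC records at:", find_setabortproc(blob))
```

Raising on a malformed chain rather than returning an empty list is the design point: a gateway that treats "parser gave up" as "no findings" hands an attacker a trivial bypass, so the caller should quarantine on ValueError as well as on a non-empty result.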
skids, Donating Member (1000+ posts), Sat Jan-07-06 06:18 PM
Response to Reply #2
6. Re: specialist apps.

If you've paid for SW already anyway, and are just using Linux for the security, you might want to try purchasing Crossover Office to get some of your must-have apps to run.

Oh, and any DUer needing help with a Linux (especially Debian based) bailout is free to PM me since I don't read the computer help forum. No guarantee I'll respond, but if you're desperate don't hesitate.

Beam Me Up, Donating Member (1000+ posts), Sat Jan-07-06 06:10 PM
Response to Original message
4. I think you are on target.
Can't address the technicalities, not my area of expertise, but it makes sense as the internet has to be perceived as a real threat to their agenda.
The Backlash Cometh, Donating Member (1000+ posts), Sat Jan-07-06 06:11 PM
Response to Original message
5. You seem to know what you're talking about.
So here's my paranoid question for you: I have Norton Internet Security and it requires that I activate it every time I boot up the computer. Does that make a whole lot of sense? Basically, I have to check in with their site every day.
McKenzie, Donating Member (1000+ posts), Sat Jan-07-06 06:40 PM
Response to Reply #5
7. difficult to comment definitively - need more details
Norton has an auto update facility which is fine; Norton is probably connecting to the Symantec server every time you log on in order to retrieve updated virus signatures etc. I'd need more info though before I could comment in detail.

PM me if you want more advice - don't post anything here that might give out your IP (computer address). And don't let me have anything more than the bare minimum of information.
The Backlash Cometh, Donating Member (1000+ posts), Sat Jan-07-06 06:44 PM
Response to Reply #7
8. Nice kilt.
I'll PM tomorrow morning if I get the pop-up.
BenDavid, Donating Member (1000+ posts), Sat Jan-07-06 06:59 PM
Response to Original message
9. Windows Updates
Check your Windows Updates for the patch to this...I am serious people, this is a bad one....
OregonBlue, Donating Member (1000+ posts), Sat Jan-07-06 07:57 PM
Response to Reply #9
10. So right you are. It trashed my husband's computer and I spent days
getting it working correctly. I'm not a tech person, but am good at following directions. Gosh, it was really bad! If you don't already have it DOWNLOAD THE PATCH NOW!!
greiner3, Donating Member (1000+ posts), Sun Jan-08-06 02:39 PM
Response to Original message
11. I followed most of what you said;
I got the patch 2 days ago. It was only 1 or 200k. Something MS programmers should be able to do in an overtime shift. Ole Bill is chummy with the WH; who knows what, if anything, may be going on there.