
Storm Botnet Returns As Part of New Year's Attacks

samzenpus posted more than 3 years ago | from the starting-off-with-a-bang dept.

Botnet 66

Trailrunner7 writes "A new spam campaign that appeared shortly before the New Year is part of a new effort by the crew behind the Storm/Waledac botnet and is using some rather elementary tactics — in combination with fast-flux — to attempt to compromise unsuspecting users. The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. According to an analysis of the attack by the researchers at the Shadowserver Foundation, victims who click on the link in the email are directed to one of a number of compromised domains, which then redirect the user to another page that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim's machine."


This, of course, installs a piece of malware on (5, Funny)

makubesu (1910402) | more than 3 years ago | (#34739784)

the victim's machine

So it installs flash?

Re:This, of course, installs a piece of malware on (4, Funny)

msauve (701917) | more than 3 years ago | (#34740074)

"So it installs flash?"

Steve Jobs, is that really you?!

Re:This, of course, installs a piece of malware on (1)

SmlFreshwaterBuffalo (608664) | more than 3 years ago | (#34741852)

It better be, otherwise makubesu's gonna be in a world of trouble! [slashdot.org]

Re:This, of course, installs a piece of malware on (0)

Anonymous Coward | more than 3 years ago | (#34740610)

No... it installs Shockwave.

Re:This, of course, installs a piece of malware on (1)

pinkushun (1467193) | more than 3 years ago | (#34741626)

asking the user to download a _fake_ Flash player

Nope not flash, it's fake. It's really an obscured PDF viewer.

Upon conviction of virus writing.... (2)

steelersteve13 (1372165) | more than 3 years ago | (#34739814)

One year per infected computer. HARD LABOR, not some wimpy country club prison. Assuming it can be proved that there was malicious intent.

Re:Upon conviction of virus writing.... (1)

Solid StaTe_1 (446406) | more than 3 years ago | (#34739944)

Can you provide a virus writing scenario without malicious intent?

Re:Upon conviction of virus writing.... (2)

sjames (1099) | more than 3 years ago | (#34739958)

Written as an academic exercise but it got out of the lab or was stolen out of the lab and re-purposed?

Re:Upon conviction of virus writing.... (2)

the_brobdingnagian (917699) | more than 3 years ago | (#34739988)

To train security people.

Re:Upon conviction of virus writing.... (1)

monkyyy (1901940) | more than 3 years ago | (#34740528)

boredom, political contempt, or if you're attacking WikiLeaks 'anti-terrorism'
or that one virus that put some 3rd world country's nuke program back 2 years, but that's a bit of a special case

Re:Upon conviction of virus writing.... (2)

innocent_white_lamb (151825) | more than 3 years ago | (#34741210)

Stuxnet. (Military weapon.)

Re:Upon conviction of virus writing.... (1)

Solid StaTe_1 (446406) | more than 3 years ago | (#34741530)

I'd say that in the case of Stuxnet, malice was the main objective...

Re:Upon conviction of virus writing.... (4, Funny)

jamesh (87723) | more than 3 years ago | (#34740140)

HARD LABOR, not some wimpy country club prison.

On slashdot we refer to such prisons as "federal pound-me-in-the-ass prison" and "white collar resort prison" respectively.

country club prison is better then leting rapist o (2)

Joe The Dragon (967727) | more than 3 years ago | (#34740170)

country club prison is better than letting rapists out to make room for a hacker.

Re:country club prison is better then leting rapis (0)

Anonymous Coward | more than 3 years ago | (#34740332)

I disagree. I can protect my friends and family from rapists by giving them guns.

Protection against these malware authors proves much more difficult.

Besides, they were dressing like whores, anyway.

Re:country club prison is better then leting rapis (2)

froggymana (1896008) | more than 3 years ago | (#34741138)

And I can protect my friends from viruses by giving them Linux. :)

Protection against these malware authors proves to be rather simple.

Re:country club prison is better then leting rapis (0)

Anonymous Coward | more than 3 years ago | (#34741364)

Yeah, but maybe one day they'll want to actually use their computer.

Unsuspecting users (0)

Anonymous Coward | more than 3 years ago | (#34739856)

Unsuspecting of the fact that their brain has died and yet they are somehow still alive.

Re:Unsuspecting users (1)

DeadManCoding (961283) | more than 3 years ago | (#34739938)

Agreed there, there are 2 different re-directs and then a file download. I understand how people still fall for this, but it still amazes me that people go through all of that still.

Re:Unsuspecting users (0)

Anonymous Coward | more than 3 years ago | (#34740022)

Well when Grandma or Grandpa, or even out-dated and somewhat trusting mom and dad, get this E-card, thinking it's from one of the kids, they will do anything in their power to open it.

This is why Windows needs an app store and a novice only mode that only allows the user to install things directly from the app store, so novice users can safely browse the intarweb.

Re:Unsuspecting users (1)

monkyyy (1901940) | more than 3 years ago | (#34740548)

or what Chrome OS is doing and sandboxing everything; but yeah, Windows really needs to up their game as their user base is the overly trusting crowd. I think not letting any 3rd party program start up on its own without a lot of flaming hoops to jump through first would be a start.

Re:Unsuspecting users (2)

hairyfeet (841228) | more than 3 years ago | (#34741102)

Actually there IS an easy way to sandbox everything, it just isn't made by MSFT. For the clueless or unsuspecting just give them a combination of Comodo Antivirus [comodo.com] or Internet Security (both free) and Comodo Time Machine [comodo.com] which is also free. Comodo AV will by default sandbox everything unless specifically told not to, with full file and registry virtualization, and I have gotten several reports from customers and family members that it has stopped some serious nasties when they clicked the wrong link.

I consider Comodo Time Machine the flip side of that coin, protecting the user from themselves and their family's stupidity the way Comodo AV protects them from the web. My GF is currently having to live two hours away to help with the family farm after her father had a heart attack. One day she forgot to log off before going out to make rounds on the farm and her niece got into her admin account and somehow managed to completely trash the system32 folder. Thanks to Time Machine I was able to walk her through by phone a complete restore of a machine that wouldn't even boot, and it took less than 15 minutes. Just press F11 when you see the Comodo Clock, tell the program where you want to go back to, and let it go. It was just that easy and in less than 15 minutes she was back to a perfectly running desktop.

So believe me, between dealing with clueless customers and family members that can pick up more viruses than a Bangkok whore any solution I recommend has been put through some serious stress testing, and those two Comodo apps put together makes for a pretty much idiot proof Windows. With that combo pretty much the only thing you can't fix by phone is a HDD failure, and since I recommend USB HDDs for backups set to auto backup their important folders and image the OS drive even that can be restored to health by me in less than an hour. It is a lot less stressful for them, and a lot less work for me. I'd call that a win/win all around.

Re:Unsuspecting users (1)

pinkushun (1467193) | more than 3 years ago | (#34741658)

I can't find the Linux install [ducks and covers]

+1 for this. I have family who will benefit from this :-)

Re:Unsuspecting users (2)

hairyfeet (841228) | more than 3 years ago | (#34742230)

Well I'm happy to help. Dealing with quite a few senior customers I found there really isn't any way to break them of their trusting nature, I guess because they grew up in a time when there weren't so many douchebags. But I would like to point out there are a couple of things you'll have to do, although I doubt it will affect any clueless family members.

1. Comodo Time Machine does not like dual boots with Win 7. Linux, Win9x, Win2k, not a problem. But if you install Windows 7 anywhere but the C: drive it changes itself to C: on startup; for example I am running Windows 7 and even though I installed on my D: it currently says it is on C: and my XP which is on C: is on E:. It does this because Win 7 file and registry virtualization requires the C: drive letter, but as a side effect it freaks Time Machine out. It won't hurt anything, it just won't run.

2. After first install and scan it will take Comodo AV or Comodo Internet Security (on XP I prefer CIS, and on Vista/7 I prefer Comodo AV, as the firewall in XP doesn't block outbound like Comodo AV and Vista/7 do) about a week to learn their usage habits. By that I mean it will ask them "Did you mean to launch this?" for the first week until it learns their apps. If you know which apps they use most often you can launch them yourself, otherwise they will have to click yes when they first launch an app. Once it has learned their patterns it is pretty unobtrusive and doesn't require an email address or constantly hit them with pop-ups wanting to upsell them either. It also has a well designed control system so if someone knowledgeable such as yourself wants, you can customize everything to your tastes or the desired security level, for example setting a rule that all browsers MUST run in the sandbox. It also has an excellent whitelist so once the PC is declared clean essential Windows services won't cause a permission pop-up.

But if you have clueless relatives or those you have to support that live a good distance away, the Comodo one-two punch along with Ninite [ninite.com] and Filehippo Update Checker [filehippo.com] really are a Godsend. Ninite gives you a simple way to give them the latest of the most popular apps and codecs, so if say they call and say "It says I need Flash" you can send them to Ninite and tell them after running it if it still asks for Flash it is a virus. With Ninite it is as easy as "check box, run installer" since it does a full web-based unattended install with NO TOOLBARS or other crap. And with Filehippo it will put a little icon that uses just a few dozen KB of RAM in the tray and will alert them if a third-party app is out of date, because as we know third-party apps like Adobe Reader when out of date (for which I just give them Foxit from the Ninite site) are one of the biggest sources of malware drive-bys.

But with these plus those two Comodo apps I linked to earlier you can take the hassle and guesswork out of admin duties for family PCs. Comodo AV keeps them clean, Time Machine gives you a way to restore easily by phone even if they manage to BSOD the box, Ninite gives you an easy secure way to get them the latest apps, and Filehippo lets them keep them updated so YOU don't have to. Believe me, with nearly 2 decades supporting home and small business users, there really is no easier way to keep a Windows box up and running smooth.

hairyfeet's imperfect solutions BLOWN AWAY 6x? (0)

Anonymous Coward | more than 3 years ago | (#34744554)

Especially in the 1st 3 URLs below:

---

http://slashdot.org/comments.pl?sid=1930156&cid=34734160 [slashdot.org]

http://slashdot.org/comments.pl?sid=1930330&cid=34737526 [slashdot.org]

http://it.slashdot.org/comments.pl?sid=1916240&cid=34612834 [slashdot.org]

http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34719276 [slashdot.org]

http://slashdot.org/comments.pl?sid=1930330&cid=34737308 [slashdot.org]

http://it.slashdot.org/comments.pl?sid=1916240&cid=34647708 [slashdot.org]

---

(ROTFLMAO!)

I seriously wouldn't listen to "pwufessuh haiwypheet" guys, he's only an ITT Tech student.

You've also got to consider the fact that hairyfeet here is a tech that makes his living off of others' misfortunes online, and if malware removal (a big part of his day no doubt) is non-sequitur & a thing of the past? Well, where is hairyfeet going to make his income from??

It's not in hairyfeet, or other "techies"' truly 'best interests' to have you cleaned & fortified so you cannot get malware (otherwise, again, they won't make as much monies).

Think about it...

His "solutions" in antivirus/antispyware aren't perfect, & the URLs above show anyone that much.

He also isn't telling you there is far more you can do for the working concept of "layered security" either, than just his "solutions" (which again, are shown to be IMPERFECT in the URLs above), funny that, eh? Not.

Re:hairyfeet's imperfect solutions BLOWN AWAY 6x? (0)

Anonymous Coward | more than 3 years ago | (#34747586)

Are you tired of all those problems on the Internet? The viruses? The spam? The netkooks who just WON'T leave you alone?

Well, did you know there's a solution to ALL YOUR PROBLEMS? Introducing ALL NEW KowalskiBeGone! It's the EXTRA SPECIAL anti-spammer tool that turns those frowns upside downs!

Here's what happens when you use a normal anti-malware tool to clean a PC infected with Kowalski.

(Screen shows head popping out of PC, wearing Ski-mask)

"Hey! Hey! Stop that! I'm one of Alexander Peter Kowalski's many anonymous admirers and you're LIBELING HIM by describing his habit of replying to all your comments with threats of legal action and bizarre misogynist insults as MALWARE!"

(Screen shows second head popping out of PC also wearing ski-mask. "Head with ski-mask" looks suspiciously like a black sock over a hand with a hole cut in it showing lips drawn in crude lipstick.)

"What Anonymous Coward says is right! Alexander Peter Kowalski is a great person, why look at all these articles he's written! Thanks to him, I now know the secret of dealing with all spammers except for Kowalski himself who isn't a spammer and that's a GROSS LIBEL he's just someone who posts the same thing over and over and over again, which is to edit my hosts file!"

(Screen shows third head popping out of PC also wearing ski-mask, looking suspiciously like the second hand... er, head.)

"Hi, I'm also not this APK person, whoever he is, but I just wanted to say that APK is in the right here and you are in the wrong! Sure, Kowalski writes applications that work terribly well as malware components such as programs to crudely hide other programs, but that's just because Kowalski writes great programs that everyone wants to use, even malware writers! How dare anyone suggest otherwise! They're just LIBELING me... er, him!"

As you can see, ordinary anti-malware tools not only don't work, they cause you to end up with even more Kowalskis than you started with!

But now watch what happens when you use All New KowalskiBeGone! Just sprinkle some of the magic formula on your PC, and watch what happens.

(Exactly the same thing happens as last time, but this time with a laugh track)

You see? Suddenly your Kowalski invasion is Kowalski Entertainment Time!

Don't believe us? Just listen to these totally real and honest testimonials!

"the use of KowalskiBeGone has worked for me in many ways. for one it makes APK hilarious, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i still get 200++ replies from APK to all my posts as i use to. but now everyone's laughing at them. if you want my opinion if you stick with KowalskiBeGone then you will be safe and entertained, but if you do get upset because it doesn't work then it will your own fault. keep up the good fight SquiggleIndustries!" - Anonymous Coward, Slashdot.org

"It's 1987 - still laughing at Kowalski! I was told last week by a co-worker who just avoids mentioning APK by name, and he said I was doing overkill. I told him yes, but now I get a good laugh every time I check the responses to my posts. He said good point. I will say it again, KowalskiBeGone is FANTASTIC! Although it did kind of ruin Madagascar as it took out that penguin and now half the jokes surrounding the penguin don't make any sense" - Anonymous Coward #2, user of KowalskiBeGone

How much would you pay for a tool like this? I mean, KowalskiBeGone, obviously. How much? Well, what if we were to tell you that if you order in the next five minutes, we'll include this HILARIOUS Hosts file containing such gems as:

127.0.0.1 ad.doubleclick.net

and

127.0.0.1 ads.pointroll.net

at NO EXTRA CHARGE? And we'll EVEN pay the shipping! That's right, order now, and you get KowalskiBeGone, a HILARIOUS Hosts file, and you don't have to pay shipping and handling!

So don't delay. Order now. Call the number on your screen, and let us take care of Kowalski!

Re:Unsuspecting users (-1, Flamebait)

mcneely.mike (927221) | more than 3 years ago | (#34740090)

It still amazes ME that people still use windows for anything but playing games!

Unsuspecting? (0)

Teun (17872) | more than 3 years ago | (#34739920)

I can, be it barely, see how some computer users unsuspectingly bought one with Windows pre-installed but how unsuspecting are the companies that did this installation on all of their products?

Re:Unsuspecting? (1)

Anonymous Coward | more than 3 years ago | (#34739994)

Nice troll. You can't blame "those windoze flaws" for users clicking on, elevating to admin, and installing malicious software. This could happen the same way on any OS that allows any form of elevation (Mac, Ubuntu, etc.). This is just users in need of education (which they will never get) and is one of the reasons that some folks SHOULD be subject to "trusted computing" (even though it pains me to say that as I absolutely hate the idea).

Old? (5, Insightful)

girlintraining (1395911) | more than 3 years ago | (#34739934)

...one of the older and more threadbare techniques in this particular game.

Criminals don't care how old it is, but rather how successful it is. Please try to remember that, people. Technology doesn't have to be new or complicated to be useful, and deriding it because it is older is telling of a lack of experience with the thing. Spam will continue to be effective because it only costs a few dollars to register a domain, a little bit less to set up a distribution point, and once you have a few compromised hosts, it pays for itself -- and then some.

Re:Old? (-1)

Anonymous Coward | more than 3 years ago | (#34739984)

You are still for faggots.

Re:Old? (2)

pyrosine (1787666) | more than 3 years ago | (#34739992)

True, but when you consider it uses a fake Flash installer rather than a browser-specific bug which can install the trojan/virus without their knowledge, it is shown to be rather basic. Not only that, but if there was an actual e-card, the number of reported instances would be less (so those that know they have the newest version of Flash wouldn't be alarmed), so their program is less likely to end up detectable, at least for a while.

Re:Old? (1)

ArsenneLupin (766289) | more than 3 years ago | (#34741664)

(so those that know they have the newest version of Flash wouldn't be alarmed)

So, make the next one a bit smarter... re-use original flash detection script, and only attempt to download the malware if the flash player is not actually the very latest version (also consider minor versions, to keep your target audience as big as possible). The download would be a wrapper around the real latest flash player, so that users won't get suspicious if they view the e-card twice.

As an added bonus, the malware could rummage through the user's cached browser passwords, and check whether any of them gives access to a CMS which happens to have flash content... and wrap that content appropriately.

Bunny (3, Funny)

Anonymous Coward | more than 3 years ago | (#34740082)

From: Joe User (sksj3838lsk@reallywarmmail.com)
To: You
Subject: Bunny
Attachment: bunnyhop.exe

Hey check out this cool bunny, it hops around the screen and follows your mouse pointer, it sometimes hides behind windows! Just double-click on the attachment.

Bye!
Joe

Re:Bunny (1)

Anonymous Coward | more than 3 years ago | (#34740146)

Hey Joe,

That would be awesome, but I am not able to locate the attachment. Can you please send it again?

-- John

Re:Bunny (2)

Demonoid-Penguin (1669014) | more than 3 years ago | (#34740450)

From: Joe User (sksj3838lsk@reallywarmmail.com)
To: You
Subject: Bunny
Attachment: bunnyhop.exe

Hey check out this cool bunny, it hops around the screen and follows your mouse pointer, it sometimes hides behind windows! Just double-click on the attachment.

Bye!
Joe

Which email provider allows you to send executable attachments?

I've attached a free e-book explaining the weak points in your marketing campaign, and why anti-virus scanners are no substitute for knowledge, you sound like a smart individual - and I'd really appreciate your thoughts on my book, if you'd take the time to fill out the attached Word.doc and return it to me I'll send you $50US.

Thanks for your time.

Re:Bunny (1)

monkyyy (1901940) | more than 3 years ago | (#34740574)

please don't get into the spam biz, my parents may fall for that .__.

Re:Bunny (1)

bmo (77928) | more than 3 years ago | (#34741508)

Which email provider allows you to send executable attachments?

Plenty. What makes you think it's difficult to send executable attachments?

--
BMO

Re:Bunny (1)

Demonoid-Penguin (1669014) | more than 3 years ago | (#34752260)

Which email provider allows you to send executable attachments?

Plenty. What makes you think it's difficult to send executable attachments?

Um, you didn't actually answer my question.... and yes I was serious, the rest of my post wasn't.

I would like to be able to send executable files as email attachments. Gmail won't let me though.

I often have to send largish files to non-techie clients with tiny size limits on their Outlook accounts - breaking up the files is easy, getting them to install WinRAR or similar, *and* getting them to re-assemble the multi-part archives is a pain. Much easier if I could just make it a self-extracting archive (they're often confused as to what a compressed archive is). But, as I said Gmail blocks executables.

So the question is - *which* email providers allow the sending of executable files?

Re:Bunny (1)

bmo (77928) | more than 3 years ago | (#34762390)

"So the question is - *which* email providers allow the sending of executable files?"

Are you *still* serious about asking this question? Really? Ok. See below.

"But, as I said Gmail blocks executables."

No it doesn't. I'll say that again, GOOGLE DOES NOT BLOCK EXECUTABLES.

Rename the executable with .removethis at the end or some such. Like this: foobar.exe becomes foobar.exe.removethis. Done. Accepted. No need to pack in a RAR or Zip. How do I know this? Because I just did it to prove it.

Gmail is the *only* email provider that I know of that rejects attachments because of the file name suffix. This is a bullshit strategy, but hey, I didn't come up with it. Yahoo allows executables, but they are scanned for badware first. So whatever. Google and Yahoo don't matter. The number of mail providers that filter outgoing is minuscule compared to the number of servers that do not filter at all. It's ridiculous to even attempt to list them all. For example, I don't know of a single ISP that filters outgoing mail, and that includes the evil that is Comcast. There is also *nothing* stopping you from purchasing space on a server somewhere and setting up Sendmail or Postfix and administering your own mail, if you are that insistent on being able to do anything with email.

The only thing holding you back from sending executables is your own intransigence in sticking with gmail and insisting on not renaming files while doing so.

And this business of deciding whether something is executable or not because of 3 magic letters at the end of a name is farkin' stupid and should have died with CP/M, but that is a rant for another day.

--
BMO
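A content-based check of the kind bmo's rant argues for, as an added example that is not code from this thread: it identifies a Windows executable by its MZ/PE header, so the name ending in .exe or .exe.removethis makes no difference, and it shows a file named .exe that is not a PE at all. The file names and byte strings are constructed.

```python
"""Classify an attachment as executable by content rather than by name suffix.

Added example, not code from this thread. File names and byte strings are
constructed for illustration.
"""
import struct

# Suffixes a naive mail filter typically blocks.
EXECUTABLE_SUFFIXES = {"exe", "com", "scr", "pif", "bat", "cmd", "msi"}


def suffix_is_executable(filename: str) -> bool:
    """The naive check: only the last dotted component of the name is examined."""
    parts = filename.lower().rsplit(".", 1)
    return len(parts) == 2 and parts[1] in EXECUTABLE_SUFFIXES


def is_pe_executable(data: bytes) -> bool:
    """Content check: 'MZ' at offset 0 and the 4-byte PE signature where the
    e_lfanew field (offset 0x3C) points.

    A self-extracting archive is a PE file with archive data appended, so it is
    caught here as well; renaming foobar.exe to foobar.exe.removethis changes nothing.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):      # pointer runs past the end: not a valid PE
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return both verdicts so the gap between them is visible."""
    return {
        "filename": filename,
        "by_suffix": suffix_is_executable(filename),
        "by_content": is_pe_executable(data),
    }


def build_fake_pe() -> bytes:
    """Constructed minimal PE: MZ stub, e_lfanew = 0x40, then the PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def demo() -> list:
    """Four constructed attachments covering the cases argued over above."""
    fake_pe = build_fake_pe()
    samples = [
        ("foobar.exe", fake_pe),                      # flagged both ways
        ("foobar.exe.removethis", fake_pe),           # the rename trick: suffix misses it
        ("bunnyhop.exe", b"GIF89a" + b"\x00" * 60),   # .exe name, but not a PE at all
        ("notes.txt", b"just text\n"),                # harmless either way
    ]
    return [classify_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```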

Re:Bunny (1)

Demonoid-Penguin (1669014) | more than 3 years ago | (#34803592)

that is a rant

Supercilious rant indeed - I clearly demonstrated what I meant by executable, just as you ignored that to demonstrate that you are a dick.

Extension pretension - that's no more relevant than separating the first dozen bytes and re-joining them after downloading. What a wanker! All that to try and rescue your script-kiddie click on my executable attachment bullshit. If the system won't execute it - it ain't executable, changing the extension or changing the magic number means - duh - changing it. Meh

threadbare? (2)

ksandom (718283) | more than 3 years ago | (#34740112)

one of the older and more threadbare techniques

If it works, expect them to use it.

Re:threadbare? (1)

jamesh (87723) | more than 3 years ago | (#34740152)

Funny isn't it... no amount of security updates in the world will make people stop for a minute and think about what they are doing.

Re:threadbare? (1)

Solid StaTe_1 (446406) | more than 3 years ago | (#34740172)

This is true... but you can minimize the damage and reduce avenues of attack with security updates.

and people install it because.... why again? (0)

Anonymous Coward | more than 3 years ago | (#34740186)

> asking the user to download a fake Flash player...

If people want to install flash it's pretty clear where you get it from. Why would anyone trust a random web site that says, "Here, this is a flash player. No, really! Install it, would you please?"

Hell, that attack would work against Linux, or a Mac. The ONLY fix I can see for the problems facing the internet is for people to become a little bit less idiotic.

If someone came up to you on the street, you have no idea who they are, never seen them before, and they say, "Hey, how about letting me use some of your property!" nobody is going to be stupid enough to do it. Well, almost nobody. So why if you add, "... with a computer" to the end, do people suddenly lose any and all ability to think?

That's what we've got to fix. Until we do, spam and botnets will always be a problem. No OS can be secure enough to protect against the person it's supposed to be serving.

Is there a way to do this in a benign way? (2)

jamesh (87723) | more than 3 years ago | (#34740192)

This is something I've been thinking about for years. I want to do a mass mailout to all employees at all our clients (with the managers' permission of course) in almost exactly the same way as this virus does, except instead of actually installing malicious software it keeps track of how many people click the link, and of those, how many then proceed to download the software. Far easier to send each manager a report of "x of your employees would now be infected if this was a real virus" (I'd probably not put individual employees' names on there) than to fix the damage caused by viruses.

Time to get coding I guess...
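One way to produce the per-manager report jamesh describes, as an added example that is not code from this thread: each recipient's link carries a unique token, the landing page logs the click, and the harmless stand-in "installer" logs a second hit when downloaded; the code aggregates those hits per manager without naming individuals. The log lines, tokens, employee and manager names are all constructed.

```python
"""Per-manager report for a benign phishing drill like the one jamesh describes.

Added example, not code from this thread. Each recipient's link carries a unique
token; the landing page logs the click, and the harmless "installer" it offers
logs a second hit when downloaded. Log lines, tokens and names are constructed.
"""
import re
from collections import defaultdict

# token -> (employee, manager). Constructed; in a real drill this is the mailing list.
RECIPIENTS = {
    "a1f3": ("alice", "manager-east"),
    "b2c4": ("bob", "manager-east"),
    "c3d5": ("carol", "manager-west"),
    "d4e6": ("dave", "manager-west"),
    "e5f7": ("erin", "manager-west"),
}

# Constructed web-server access log (common log format). /card is the e-card
# landing page; /flash_update.exe is the harmless stand-in for the fake player.
SAMPLE_LOG = """\
10.0.0.11 - - [03/Jan/2011:09:01:12 +0000] "GET /card?t=a1f3 HTTP/1.1" 200 512
10.0.0.11 - - [03/Jan/2011:09:01:40 +0000] "GET /flash_update.exe?t=a1f3 HTTP/1.1" 200 2048
10.0.0.12 - - [03/Jan/2011:09:05:03 +0000] "GET /card?t=c3d5 HTTP/1.1" 200 512
10.0.0.13 - - [03/Jan/2011:09:07:55 +0000] "GET /card?t=zzzz HTTP/1.1" 404 0
10.0.0.12 - - [03/Jan/2011:09:06:10 +0000] "GET /card?t=c3d5 HTTP/1.1" 200 512
10.0.0.14 - - [03/Jan/2011:09:09:30 +0000] "GET /flash_update.exe?t=d4e6 HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'"GET (?P<path>/[^\s?]*)\?t=(?P<token>[0-9a-f]{4}) HTTP/1\.[01]" (?P<status>\d{3})'
)


def parse_events(log_text: str):
    """Yield (token, stage) for successful hits; stage is 'click' or 'download'."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("status") != "200":
            continue
        stage = "download" if m.group("path").endswith(".exe") else "click"
        yield m.group("token"), stage


def summarize(log_text: str, recipients: dict) -> dict:
    """Count people, not hits: a repeat click is still one person.

    'clicked' means the person reached the landing page (a download implies it,
    even if the click line was lost); 'downloaded' means they took the bait fully.
    Tokens that are not in the recipient list are ignored.
    """
    stages_by_token = defaultdict(set)
    for token, stage in parse_events(log_text):
        if token in recipients:
            stages_by_token[token].add(stage)

    report = defaultdict(lambda: {"sent": 0, "clicked": 0, "downloaded": 0})
    for token, (_employee, manager) in recipients.items():
        row = report[manager]
        row["sent"] += 1
        stages = stages_by_token.get(token, set())
        if stages:
            row["clicked"] += 1
        if "download" in stages:
            row["downloaded"] += 1
    return dict(report)


def manager_lines(report: dict) -> list:
    """The one-line message per manager, without employee names."""
    return [
        f"{m}: {r['downloaded']} of your {r['sent']} employees would now be "
        f"infected if this were a real virus ({r['clicked']} clicked the link)"
        for m, r in sorted(report.items())
    ]


if __name__ == "__main__":
    for line in manager_lines(summarize(SAMPLE_LOG, RECIPIENTS)):
        print(line)
```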

Re:Is there a way to do this in a benign way? (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34740578)

You should also get your resume current except for the last bit of coding you're doing.

Re:Is there a way to do this in a benign way? (1)

SheeEttin (899897) | more than 3 years ago | (#34741444)

Use a link tracking service. I believe http://bit.ly/ [bit.ly] does this.

Re:Is there a way to do this in a benign way? (0)

Anonymous Coward | more than 3 years ago | (#34744712)

I had my IT staff do just this on a Monday. After a Friday lesson/session on what NOT to do with email attachments. 2 of 6 secretaries loaded the "malware" which ratted them out. Ours was a very simple trojan that wrote to an exposed share the IP address of the machine it was run from.

I'd say with buy-in from upper management, it's a good idea to do it, if just to enforce the lessons you teach them about internet security.

This isn't an attack (1)

tkprit (8581) | more than 3 years ago | (#34740250)

It's more like an invitation to attack yourself.

MAYBE I feel sorry for the elderly or disabled who for whatever reason want an e-card from an unspecified friend, but why wouldn't they ask themselves why a FRIEND would send you a link to a site that requires you to install something to see a dumb-ass picture. My 76 yr old tech-disabled mother wouldn't buy into that crap.

Re:This isn't an attack (1)

PNutts (199112) | more than 3 years ago | (#34740588)

It's more like an invitation to attack yourself.

MAYBE I feel sorry for the elderly or disabled who for whatever reason want an e-card from an unspecified friend, but why wouldn't they ask themselves why a FRIEND would send you a link to a site that requires you to install something to see a dumb-ass picture. My 76 yr old tech-disabled mother wouldn't buy into that crap.

Have you checked how many toolbars she has? My mom's record is five. I offer that the definition of "tech-disabled" *is* buying into that crap.

Re:This isn't an attack (1)

Haedrian (1676506) | more than 3 years ago | (#34740606)

Tons of people would fall for this.

I mean, how many non-technical people do you know who even know what a Flash Plugin is? Hell, 10 years ago - with everyone tossing their own plugins to let you see videos - it wouldn't have been a longshot to need a new plugin to do X.

You go to this site, find out that to see this card (which you expect to be animated) you need a Flash update of sorts, and you helpfully click the link. Tons of people would fall for that.

The client performs the installation not the site (1)

Marrow (195242) | more than 3 years ago | (#34740466)

Ok, maybe it's not fair. Maybe it is, but the truth is that the email clients and the web browsers are installing this crap on people's machines. Without the programs to go out and make the TCP/IP connections, that shit would stay on their compromised boxes. Since the current click-to-proceed systems are currently -not- working, the ante should be upped and make it impossible to use these client programs to hurt the boxes they reside on.
I am talking about making it -impossible- to save a file that can run as a program. Either in zip form or in real form. No click through, no nuthin. If the consumers want to download a -program- then only their anti-virus package should be able to do that. At that point, the anti-virus program takes responsibility for the behaviour of the downloaded content.
Firefox, Chrome, Thunderbird, Explorer, whatever. These packages are RESPONSIBLE for injecting unsafe content onto systems without an immune system. Like someone throwing manure at someone with no immune system. Or feeding peanuts to someone known to have that allergy.
I am saying that the only safe way to download content to boxes now is to use the anti-virus programs as a download/installation agent. And we have to hold the agent responsible.

Re:The client performs the installation not the si (1)

Haedrian (1676506) | more than 3 years ago | (#34740620)

If you can't download without the anti-virus, how do you download the antivirus?

Do we really want to give a process huge control over what your system can or can not do? It's not the browser's fault. It's the user's fault. *NIX has a 'runnable' bit - which prevents programs with that bit set to 0 from running. It's still the user who flicks it on. Does this protect against social attacks like this one? Nope. Neither would "THIS PROGRAM WANTS YOU TO INSTALL" - because you're expecting that.

You can't blame the browsers. You can only blame the users.

Re:The client performs the installation not the si (0)

Anonymous Coward | more than 3 years ago | (#34740686)

Uh... (1) Outlook won't directly run an executable attachment anyway. (2) Browsers won't either without raising a huge warning. (3) Browsers already scan downloads with the installed AV if present.

For this & others like it? A way to do what U (0)

Anonymous Coward | more than 3 years ago | (#34740766)

"the ante should be upped and make it impossible to use these client programs to hurt the boxes they reside on." - by Marrow (195242) on Sunday January 02, @07:59PM (#34740466)

Sure: It's called a custom HOSTS file! If leolati.com is within that file, blocked off in 1 of 3 ways thus (don't use the part in parenthesis after "leolati.com" though in each one):

---

127.0.0.1 leolati.com (largest & slowest of the 3, + has a "loopback operation")
0.0.0.0 leolati.com (less large/slow than the above, but has no loopback operation)
0 leolati.com (less compatible than the 2 above, has no loopback operation, & is fastest/smallest)

NOTE: 127.0.0.1 & 0.0.0.0 work on EVERY OS that has a BSD based IP Stack (pretty much ALL of them), but 0 only works afaik on Windows 2000 SP#2 & above, XP, Server 2003...

---

Once those sites are "blocked off" thus? It IS impossible for client programs, ANY WEBBOUND ONES, to hurt the boxes they reside on (because again, IF/WHEN you cannot get to those sites? You can't be harmed by them - very simple & you don't even have to turn off javascript, because you never get hit by the scripts those sites try to use to compromise your system with either (per the article quote -> "the pages to which the user is redirected are using obfuscated JavaScript and exploits to try to install the malicious file on the victim's machine.")).

---

"I am talking about making it -impossible- to save a file that can run as a program. Either in zip form or in real form. No click through, no nuthin." - by Marrow (195242) on Sunday January 02, @07:59PM (#34740466)

See the above - again: IF/WHEN YOU CANNOT REACH THE leolati.com SERVER THIS IS BEING SERVED UP FROM? You won't be able to be victimized by ANYTHING SAID SERVER TRIES...

---

"If the consumers want to download a -program- then only their anti-virus package should be able to do that. At that point, the anti-virus program takes responsibility for the behaviour of the downloaded content." - by Marrow (195242) on Sunday January 02, @07:59PM (#34740466)

You don't NEED an antivirus/antispyware program to do that for you... see above!

---

"Firefox, chrome, thunderbird, explorer, whatever." - by Marrow (195242) on Sunday January 02, @07:59PM (#34740466)

HOSTS files cover them, and any email programs too (since this attack comes in the form of spam mails via "greeting cards for the holidays" etc.) - any webbound program is protected by HOSTS files!

---

"These packages are RESPONSIBLE for injecting unsafe content onto systems without an immune system." - by Marrow (195242) on Sunday January 02, @07:59PM (#34740466)

You have your "immune system" above... &, it's GUARANTEED to work!

---

"Like someone throwing manure at someone with no immune system. Or feeding peanuts to someone known to have that allergy." - by Marrow (195242) on Sunday January 02, @07:59PM (#34740466)

I'll do you 1 better: How about doing what I said above, because you can't eat peanuts from a dish when you can't even SEE THE "DISH" (server that has the 'poison peanuts' in it, in other words), and you can have an allergy all day long, as long as you don't even SEE/come in contact with, the offending material (and basically, HOSTS can do that for you, when you "block out" the place the "allergen" comes from, period).

---

"I am saying that the only safe way to download content to boxes now is to use the anti-virus programs as a download/installation agent. And we have to hold the agent responsible." - by Marrow (195242) on Sunday January 02, @07:59PM (#34740466)

It's NOT "the only way" though... see the above: Hosts files provide another way, and QUITE POSSIBLY, a superior way (if not a better way overall IN COMBINATION with antivirus/antispyware programs too, for added "layered security")...

APK

P.S.=> For instance, here? 1st thing I did was check in my HOSTS file for leolati.com (& I was already "covered" for it, because it's blocked off here as I stated at the top, using 0.0.0.0 leolati.com here)... apk

APK == troll (1)

damaged_sectors (1690438) | more than 3 years ago | (#34741154)

"the ante should be upped and make it impossible to use these client programs to hurt the boxes they reside on." - by Marrow (195242) on Sunday January 02, @07:59PM (#34740466)

Sure: It's called a custom HOSTS file!

Warning - ignore the poster quoted above - APK is an infamous, banned, abusive, stalking, mentally deranged, troll - who refuses to take his medication, as part of his condition is the delusion that "he knows better than the doctors"

At best his proposed cure for "everything" is a partial, weak solution, requiring constant prescient maintenance *with* admin/root access - a 14+MB ineffectual solution that *might* have been of some, immeasurably small, use in 1995.

Away with you foul troll, back to cross-linking to your many aliases, fake references, and your bullshit "developer" status, and stalking the polite and blameless.

You are the only compelling argument for the government censoring the internet.

Is an adhominem attack the best you've got? (0)

Anonymous Coward | more than 3 years ago | (#34741250)

See my subject-line above. When you can come back, on topic, and technically disprove anything I stated above, then, you'd actually be on topic, like you're supposed to be, and you'd actually have posted something worth reading.

As to partial weak solution? Ok - I'll let the words of others here, speak for me, instead:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122 [slashdot.org]

---

Same here too, & I can produce more like that if anyone wants them... mvps.org's forums is a place that can do far more than I can mind you, also.

---

"Warning - ignore the poster quoted above - APK is an infamous, banned, abusive, stalking, mentally deranged, troll - who refuses to take his medication, as part of his condition is the delusion that "he knows better than the doctors" - by damaged_sectors (1690438) on Sunday January 02, @11:39PM (#34741154)

When you get your PHD in psychiatry, plus a license to practice it, each to your name along with a formally administered examination of my mental state given in professional surroundings?

Then?

Then, you can get back to us then with your "snap-prognosis" there, Dr. Quack - the "/. 'Sidewalk Psychiatrist"/Professor Wannabe PHD act - because then @ least, it wouldn't be one of your own "delusions of grandeur"...

(And again, you're off topic & trolling)

---

"Away with you foul troll, back to cross-linking to your many aliases, fake references, and your bullshit "developer" status, and stalking the polite and blameless." - by damaged_sectors (1690438) on Sunday January 02, @11:39PM (#34741154)

You have the nerve to call ME a "troll"? LOL - look at the post of yours I am quoting from, for Pete's sake! Some nerve...

(& anything I've ever posted about myself is just fact in things I've managed to do over time in the computer sciences arena (& obviously things you've never managed to accomplish yourself)).

---

"At best his proposed cure for "everything" is a partial, weak solution, requiring constant prescient maintenance *with* admin/root access - a 14+MB ineffectual solutions that *might* have been of some, immeasurably small, use in 1995." - by damaged_sectors (1690438) on Sunday January 02, @11:39PM (#34741154)

So what - it only takes less than a minute to:

---

1.) Download an updated HOSTS file from reputable/reliable sources
2.) Copy it over your existing HOSTS file

---

Done!

UAC is easy enough to override via the click of a button to do so, & you're done (in my case, as of literally 2 minutes ago? I am 100% GUARANTEED PROTECTED VS. 920,296 KNOWN MALICIOUS SITES/SERVERS HERE - are you??)

---

"You are the only compelling argument for the government censoring the internet." - by damaged_sectors (1690438) on Sunday January 02, @11:39PM (#34741154)

Look, whatever medication it is you are supposed to be taking (what with all your wannabe medical advice above, etc., lol)? You had best start taking it again, ok?

APK

P.S.=> You sound like you need it, or something like it, if the best you have here is some tasteless attempt @ adhominem attack (attacking myself, rather than any technical points I made in my post you replied to)... apk

Re:Is an adhominem attack the best you've got? (1)

damaged_sectors (1690438) | more than 3 years ago | (#34748892)

See my subject-line above. When you can come back, on topic, and technically disprove anything I stated above, then, you'd actually be on topic, like you're supposed to be, and you'd actually have posted something worth reading.

Yep - I see it, though given the (entirely predictable) post it's just a peedie hypocritical. My repudiation of your host file based malware panacea needs no expansion - it adequately summarizes the points made by others many times before.

Your claims have been shown as worthless dozens of times by people whose opinions I find worthy of respect.

You vs. Bruce Schneier? I don't think so. Have you ever managed to convince anyone that you're not a raving loon? If so how long did it take before they added you to their personal blacklist of witling fools to be ignored?

I've previously given you a lot of time by reading, and considering your claims. You wasted my time - I want my money back, but you are factually bankrupt. I guess I'll just have to live with the loss.

Yawn. fin.

Back up your claims bigmouth: Where? (0)

Anonymous Coward | more than 3 years ago | (#34749168)

"Your claims have been been shown as worthless dozens of times by people whose opinions I find worthy of respect." - by damaged_sectors (1690438) on Monday January 03, @06:23PM (#34748892)

Where's that? Show us! Good luck - THAT never happened here, not once... in fact, I'd like to see WHERE you got your information from, & specifically, on this forums!

Show us that much...

---

"You vs. Bruce Schneier? I don't think so." - by damaged_sectors (1690438) on Monday January 03, @06:23PM (#34748892)

First of all, are you he? No!

Secondly?? I'd take him on, on HOSTS files & layered security's effectiveness, ANY DAY OF THE WEEK!

---

"Have you ever managed to convince anyone that you're not a raving loon?" - by damaged_sectors (1690438) on Monday January 03, @06:23PM (#34748892)

Plenty of people, thing is, have YOU done the same? LOL, judging from your "foaming at the mouth" rants & adhominem attacks of myself?? I doubt it.

APK

P.S.=> Again, if ALL YOU HAVE, is your adhominem attacks, & unsubstantiated claims (see above @ the top of this post)? You've got NOTHING... period! And, you KNOW it... apk

Re:For this & others like it? A way to do what (1)

Haedrian (1676506) | more than 3 years ago | (#34742512)

It'll take me all of 5 minutes (and 10 dollars) to register 'leolati1.com' and bypass your host file tinkering. Once you adapt from that - I can go with 'leolati2' or letters, or random numbers at the end.

Blacklists don't work. Especially not when it's blacklisting an internet domain which can be replaced very quickly.
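Added example, not code from any poster in this thread: a small Python model of how a hosts-file blocklist actually matches names, covering the three sink forms listed in the HOSTS post above (127.0.0.1, 0.0.0.0 and bare 0) and showing the exact-match limitation Haedrian raises. The sample hosts content is constructed for the example; only the leolati.com entry comes from the discussion, and the first-entry-wins rule for duplicate names is an assumption of this model, not a statement about any particular OS resolver.

```python
"""Hosts-file blocking checked with exact-hostname semantics.

Constructed example for the thread: the sample file below is made up
(only leolati.com is from the discussion) and 'first entry wins' for
duplicate names is an assumption of this model.
"""
from typing import Dict, List, Optional

# Addresses the thread proposes as "sinks" for blocked names.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "0"}

# Constructed sample. A real blocking file has hundreds of thousands of lines.
CONSTRUCTED_HOSTS = """\
# constructed hosts file for the example
127.0.0.1   localhost
0.0.0.0     leolati.com          # entry discussed in the thread
0.0.0.0     tracker.example  ads.example   # several names on one line
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address on its line.

    Format handled: '<address> <name> [<name> ...]', '#' to end of line is
    a comment, blank lines are skipped. When a name appears twice the
    first entry is kept (assumption for this model).
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address with no name
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def normalize(hostname: str) -> str:
    """Lower-case and drop a trailing dot; hostname matching is case-insensitive."""
    return hostname.strip().lower().rstrip(".")


def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Return the address the hosts file gives for hostname, or None.

    Only an exact label-for-label match counts: there are no wildcards, so
    'www.leolati.com' or 'leolati1.com' are not covered by 'leolati.com'.
    """
    return table.get(normalize(hostname))


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """True when the hosts file sends hostname to one of the sink addresses."""
    return lookup(table, hostname) in SINK_ADDRESSES


def uncovered(table: Dict[str, str], hostnames: List[str]) -> List[str]:
    """Names in `hostnames` that the hosts file would still let through.

    Handy for checking a feed of fast-flux domain variants against the
    file: every fresh registration is a miss until a new line is added.
    """
    return [h for h in hostnames if not is_blocked(table, h)]


if __name__ == "__main__":
    table = parse_hosts(CONSTRUCTED_HOSTS)
    candidates = ["leolati.com", "LEOLATI.COM.", "www.leolati.com", "leolati1.com"]
    for name in candidates:
        print(f"{name:20} blocked={is_blocked(table, name)}")
    print("still reachable:", uncovered(table, candidates))
```

Running it shows leolati.com (in any letter case, with or without a trailing dot) sinkholed, while www.leolati.com and leolati1.com resolve normally, which is the gap Haedrian describes. Note that a genuine `127.0.0.1 localhost` line also maps to a sink address, so files that use 0.0.0.0 for blocking entries keep those entries distinguishable from the real loopback mapping.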

You must be a malware maker haedrian... apk (0)

Anonymous Coward | more than 3 years ago | (#34743648)

"It'll take me all of 5 minutes (and 10 dollars) to register 'leolati1.com' and bypass your host file tinkering. Once you adapt from that - I can go with 'leolati2' or letters, or random numbers at the end." - by Haedrian (1676506) on Monday January 03, @06:57AM (#34742512)

And it'll take me all of 30 seconds to add them to my hosts file, updating it (while you wasted many minutes AND YOUR MONEY)...

How's that suit you?

---

"Blacklists don't work." - by Haedrian (1676506) on Monday January 03, @06:57AM (#34742512)

This gent, along with myself, disagree with you:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122

---

So much for your "opinions" haedrian.

(You're already outnumbered here, 2:1, by folks like TestedDoughnut and myself, who tell the truth (unlike yourself)).

APK

P.S.=> Go back to making your malware, because only a malware maker would try to state the outright b.s. you just have... apk

Re:The client performs the installation not the si (1)

cbiltcliffe (186293) | more than 3 years ago | (#34740998)

Great idea.

So someone like me, who doesn't run antivirus, because I've never been infected, ever, in over 20 years, can never actually download anything, because the antivirus software that's not on my machine is the only program allowed to download anything?

Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
Browsers are for surfing the Internet.

Why should you move functionality from where it makes sense, to where it doesn't? From there, it's just a short step to unmaintainable spaghetti code.

Re:The client performs the installation not the si (1)

VortexCortex (1117377) | more than 3 years ago | (#34742034)

Great idea.

I agree, so does my Security Gateway. [astaro.com]

Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.

1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
2. Antivirus software can not be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit? How can you ever be 100% sure that your infected system really is disinfected without scanning from another untainted OS and/or machine? Once you're infected, it's wipe & re-image time...

P.S. Modern bot-nets run silently -- You could be infected right now & not know it. My gateway alerts me to suspicious network activity...

Why should you move functionality from where it makes sense, to where it doesn't?

I can update just the gateway and all machines behind it benefit, instead of having all the machines install new AV signatures.

Granted, I primarily use Linux, but I have several Windows boxes I use for compatibility testing. It's a pain to keep them all up to date (even with VMs & disk images), or to scan them all via net-boot or boot CD periodically. I can avoid the entire mess if I scan all inbound data.

From there, it's just a short step to unmaintainable spaghetti code.

I disagree... It doesn't have to be spaghetti code (really a moot point: No matter how pristine and elegant the code is, it's always one developer away from becoming spaghetti code).

Considering that the alternatives are praying to $deity that MS will patch your systems before they're infected, or keeping a large, invasive, processor intensive AV software suite up to date & running on each machine, I think an external real-time network AV is an elegant solution.

(If performance is needed I place my Fedora system or Game Console in the DMZ).

Re:The client performs the installation not the si (1)

cbiltcliffe (186293) | more than 3 years ago | (#34750994)

Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.

1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
2. Antivirus software can not be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit?

It's not. But nowhere in my post did I say it's for removing viruses that have already infected the machine it's running on.

It's for removing viruses from email, removing viruses from network traffic, removing viruses from USB drives, etc., etc. For crappy viruses, it can also remove them from the currently running system. However, you're right; root-kitted machines cannot generally be cleaned by A/V running in the infected environment.

However, this is all semantic bullshit, and largely irrelevant to my original point, which was this:

There's a big difference between:

a) downloading something with your browser, and your A/V saying "Wait a minute while I check that."

and

b) wanting to download something, so your browser says "I can't do this," then says to your A/V software "Hey...download this URL for me, here's a bunch of cookies you might need, session ID, and all sorts of POST data, and you'd better include this referrer URL, or you might get banned. Oh.....can you let me know when you've got that downloaded, so I can tell the user that it's done?"

Probly cuz making botnets is so easy (1)

rastoboy29 (807168) | more than 3 years ago | (#34741720)

And until it remains so, this is going to be going on constantly.
