Storm Botnet Returns As Part of New Year's Attacks 66
Trailrunner7 writes "A new spam campaign that appeared shortly before the New Year is part of a new effort by the crew behind the Storm/Waledac botnet and is using some rather elementary tactics — in combination with fast-flux — to attempt to compromise unsuspecting users. The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. According to an analysis of the attack by the researchers at the Shadowserver Foundation, victims who click on the link in the email are directed to one of a number of compromised domains, which then redirect the user to another page that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim's machine."
This, of course, installs a piece of malware on (Score:5, Funny)
the victim's machine
So it installs flash?
Re:This, of course, installs a piece of malware on (Score:5, Funny)
Steve Jobs, is that really you?!
Re: (Score:2)
Re: (Score:2)
asking the user to download a _fake_ Flash player
Nope not flash, it's fake. It's really an obscured PDF viewer.
Upon conviction of virus writing.... (Score:1)
Re: (Score:3)
Written as an academic exercise but it got out of the lab or was stolen out of the lab and re-purposed?
Re: (Score:3)
Re: (Score:1)
boredom, political contempt, or if ur attacking wikileaks 'anti-terrorism'
or that one virus that put some 3rd world country nuke program back 2 years, but thats a bit of a special case
Re: (Score:2)
Stuxnet. (Military weapon.)
Re:Upon conviction of virus writing.... (Score:5, Funny)
HARD LABOR, not some wimpy country club prison.
On slashdot we refer to such prisons as "federal pound-me-in-the-ass prison" and "white collar resort prison" respectively.
country club prison is better then leting rapist o (Score:3)
country club prison is better then letting rapists out to make room for a hacker.
Re: (Score:2)
And I can protect my friends from viruses but giving them linux. :)
Protection against these malware authors proves to be rather simple.
Re: (Score:2)
Re: (Score:1)
or what chrome os is doing and sandboxing everything; but yeah windows really needs to up their game as their user base is the overly trusting crowd, i think not letting any 3rd party program startup on its own is a start w/o alot of flaming hoops to jump tho first would be a start
Re: (Score:3)
Re: (Score:2)
I can't find the Linux install [ducks and covers]
+1 for this. I have family who will benefit from this :-)
Re: (Score:3)
Unsuspecting? (Score:1)
Re: (Score:1)
Old? (Score:5, Insightful)
...one of the older and more threadbare techniques in this particular game.
Criminals don't care how old it is, but rather how successful it is. Please try to remember that, people. Technology doesn't have to be new or complicated to be useful, and deriding it because it is older is telling of a lack of experience with the thing. Spam will continue to be effective because it only costs a few dollars to register a domain, a little bit less to setup a distribution point, and once you have a few compromised hosts, it pays for itself -- and then some.
Re: (Score:2)
Re: (Score:2)
(so those that know they have the newest version of flash wouldnt be alarmed)
So, make the next one a bit smarter... re-use original flash detection script, and only attempt to download the malware if the flash player is not actually the very latest version (also consider minor versions, to keep your target audience as big as possible). The download would be a wrapper around the real latest flash player, so that users won't get suspicious if they view the e-card twice.
As an added bonus, the malware could rummage through the user's cached browser passwords, and check whether any of t
Bunny (Score:3, Funny)
From: Joe User (sksj3838lsk@reallywarmmail.com)
To: You
Subject: Bunny
Attachment: bunnyhop.exe
Hey check out this cool bunny, it hops around the screen and follows your mouse pointer, it sometimes hides behind windows! Just double-click on the attachement.
Bye!
Joe
Re: (Score:1)
Hey Joe,
Thats would be awesome, but I am not able to locate the attachment, can you please send it again?
-- John
Re: (Score:3)
From: Joe User (sksj3838lsk@reallywarmmail.com) To: You Subject: Bunny Attachment: bunnyhop.exe
Hey check out this cool bunny, it hops around the screen and follows your mouse pointer, it sometimes hides behind windows! Just double-click on the attachement.
Bye! Joe
Which email provider allows you to send executable attachments?
I've attached a free e-book explaining the weak points in your marketing campaign, and why anti-virus scanners are no substitute for knowledge, you sound like a smart individual - and I'd really appreciate your thoughts on my book, if you'd take the time to fill out the attached Word.doc and return it to me I'll send you $50US.
Thanks for your time.
Re: (Score:1)
please dont get into the spam bis my parents may fall for that .__.
Re: (Score:2)
Which email provider allows you to send executable attachments?
Plenty. What makes you think it's difficult to send executable attachments?
--
BMO
Re: (Score:2)
Which email provider allows you to send executable attachments?
Plenty. What makes you think it's difficult to send executable attachments?
Um, you didn't actually answer my question.... and yes I was serious, the rest of my post wasn't.
I would like to be able to send executable files as email attachments. Gmail won't let me though.
I often have to send largish files to non-techie clients with tiny size limits on their Outlook accounts - breaking up the files is easy, getting them to install WinRAR or similar, *and* getting them to re-assemble the multi-part archives is a pain. Much easier if I could just make it a self-extracting archive (they'
Re: (Score:2)
"So the question is - *which* email providers allow the sending of executable files?"
Are you *still* serious about asking this question? Really? Ok. See below.
"But, as I said Gmail blocks executables."
No it doesn't. I'll say that again, GOOGLE DOES NOT BLOCK EXECUTABLES.
Rename the executable with .removethis at the end or some such. Like this: foobar.exe becomes foobar.exe.removethis. Done. Accepted. No need to pack in a RAR or Zip. How do I know this? Because I just did it to prove it.
Gmail is th
Re: (Score:2)
that is a rant
Supercilious rant indeed - I clearly demonstrated what I meant by executable, just as you ignored that to demonstrate that you are a dick.
Extension pretension - that's no more relevant than separating the first dozen bytes and re-joining them after downloading. What a wanker! All that to try and rescue your script-kiddie click on my executable attachment bullshit. If the system won't execute it - it ain't executable, changing the extension or changing the magic number means - duh - changing it. Meh
threadbare? (Score:2)
one of the older and more threadbare techniques
If it works, expect them to use it.
Re: (Score:2)
Funny isn't it... no amount of security updates in the world will make people stop for a minute and think about what they are doing.
Is there a way to do this in a benign way? (Score:3)
This is something i've been thinking about for years. I want to do a mass mailout to all employees at all our clients (with the managers permission of course) in almost exactly the same way as this virus does, except instead of actually installing malicious software it keeps track of how many people click the link, and of those, how many then proceed to download the software. Far easier to send each manager a report of "x of your employees would now be infected if this was a real virus" (i'd probably not put individual employees names on there) than to fix the damage caused by viruses.
Time to get coding I guess...
Re: (Score:3, Insightful)
You should also get your resume current except for the last bit of coding you're doing.
Re: (Score:2)
This isn't an attack (Score:1)
It's more like an invitation to attack yourself.
MAYBE I feel sorry for the elderly or disabled who for whatever reason want an e-card from an unspecified friend, but why wouldn't they ask themselves why a FRIEND would send you a link to a site that requires you to install something to see a dumb-ass picture. My 76 yr old tech-disabled mother wouldn't buy into that crap.
Re: (Score:2)
It's more like an invitation to attack yourself.
MAYBE I feel sorry for the elderly or disabled who for whatever reason want an e-card from an unspecified friend, but why wouldn't they ask themselves why a FRIEND would send you a link to a site that requires you to install something to see a dumb-ass picture. My 76 yr old tech-disabled mother wouldn't buy into that crap.
Have you checked how many toolbars she has? My mom's record is five. I offer that the definition of "tech-disabled" *is* buying into that crap.
Re: (Score:2)
Tons of people would fall for this.
I mean, how many non-technical people do you know who even know what a Flash Plugin is? Hell, 10 years ago - with everyone tossing their own plugins to let you see videos - it wouldn't have been a longshot to need a new plugin to do X.
You go to this site, find out that to see this card (which you're expected to be animated) - needs a flash update of sorts, and you helpfully click the link. Tons of people would fall for that.
The client performs the installation not the site (Score:2)
Ok, maybe its not fair. Maybe it is, but the truth is that the email clients and the web browsers are installing this crap on peoples machines. Without the programs to go out and make the tcpip connections, that shit would stay on their compromised boxes. Since the current click-to-proceed systems are currently -not- working, the ante should be upped and make it impossible to use these client programs to hurt the boxes they reside on.
I am talking about making it -impossible- to save a file that can ru
Re: (Score:2)
If you can't download without the anti-virus, how do you download the antivirus?
Do we really want to give a process huge control over what your system can or can not do? Its not the browser's fault. Its the user's fault. *NIX has a 'runnable' bit - which prevents programs with that bit set to 0 from running. Its still the user who flicks it on. Does this protect against social attacks like this one? Nope. Neither would "THIS PROGRAM WANTS YOU TO INSTALL" - because you're expecting that.
You can't blame the b
APK == troll (Score:1)
Warning - ignore the poster quoted above - APK is an infamous, banned, abusive, stalking, mentally deranged, troll - who refuses to take his medication, as part of his condition is the delusion that "he knows better than the doctors"
At best his proposed cure for "everything" is a partial, weak solution, requiring constant prescient maintenance *with* admin/root access - a 14+MB ineffectual solutions that *might* have been of some, immeasurably small, use in 1995.
Aw
Re: (Score:1)
See my subject-line above. When you can come back, on topic, and technically disprove anything I stated above, then, you'd actually be on topic, like you're supposed to be, and you'd actually have posted something worth reading.
Yep - I see it, though given the (entirely predictable) post it's just a peedie hypocritical. My repudiation of your host file based malware panacea needs no expansion - it's adequately summarizes the points made by others many times before.
Your claims have been been shown as worthless dozens of times by people whose opinions I find worthy of respect.
You vs. Bruce Schneier? I don't think so. Have you ever managed to convince anyone that you're not a raving loon? If so how long did it take before they added
Re: (Score:2)
It'll take me all of 5 minutes (and 10 dollars) to register 'leolati1.com' and bypass your host file tinkering. Once you adapt from that - I can go with 'leolati2' or letters, or random numbers at the end.
Blacklists don't work. Especially not when its blacklisting an internet domain which can be replaced very quickly.
Re: (Score:2)
Great idea.
So someone like me, who doesn't run antivirus, because I've never been infected, ever, in over 20 years, can never actually download anything, because the antivirus software that's not on my machine is the only program allowed to download anything?
Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
Browsers are for surfing the Internet.
Why should you move functionality from where it makes sense, to where it doesn't? From there, it's ju
Re: (Score:2)
Great idea.
I agree, so does my Security Gateway. [astaro.com]
Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
2. Antivirus software can not be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit? How can you ever be 100% sure that your infected system really is disinfected without scanning from another untainted OS and/or machine? Once you're infected, it's wipe & re-image time...
P.S. Modern bot-nets run silently -- You cou
Re: (Score:2)
Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
2. Antivirus software can not be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit?
It's not. But nowhere in my post did I say it's for removing viruses that have already infected the machine it's running on.
It's for removing viruses from email, removing viruses from network traffic, removing viruses from USB drives, etc,etc. For crappy viruses, it can also remove them from the currently running system. However, you're right; root-kitted machines cannot generally be cleaned by A/V running in the infected environment.
However, this is all semantic bullshit, and largely irrelevant to my or
Probly cuz making botnets is so easy (Score:2)