Slashdot: News for Nerds

Schneier on Attack Trends: More Complex Worms

timothy posted more than 9 years ago | from the malice-on-the-loose dept.


Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call: WORM_SPYBOT.ID"


189 comments

work work work... (5, Insightful)

rd4tech (711615) | more than 9 years ago | (#12754921)

We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack.
This mixed with IRC connectivity, LAN port scanning, update downloads...
Sounds like a full time job to create one. What are these people gaining anyway?

Re:work work work... (5, Insightful)

satanami69 (209636) | more than 9 years ago | (#12754927)

They turn your machine into a zombie and then sell it to spammers.

Re:work work work... (1)

killjoe (766577) | more than 9 years ago | (#12755322)

Why doesn't every corporation in the world install something to prevent worms from propagating? Do they not care or do they think they are already protected because they have a firewall?

Re:work work work... (2, Interesting)

cassidyc (167044) | more than 9 years ago | (#12755593)

And this "Something" would be what exactly?? Some mythical piece of software that has not and could never be created.

The only way to ensure that a PC never propagates anything is to never turn the damn thing on.

CJC

Re:work work work... (3, Informative)

Petersson (636253) | more than 9 years ago | (#12755431)

and then sell it to spammers

Is this the New Economics, the lost dream of IT visioneers?

BTW this Monday my company network was badly infected with a yet-unknown worm. It created about 15 registry values named 'Microsoft System Backup' to make itself start on a lot of occasions. Still can't find anything about it on the internet.

Despite our admins, I've installed personal firewall...

Re:work work work... (1)

PrivateDonut (802017) | more than 9 years ago | (#12754947)

I personally think that many of these worms were made as an experiment and then got out of hand. I heard a quote somewhere: "Hack to learn, don't learn to hack" (probably off someone on /.). Imagine you create a virus, then put it on a friend's PC as a joke, but then it spreads: although you thought your friend didn't connect to the net, he did this one time. There could also be a revenge element... "I'll teach those damn bullies to pick on me! *releases worm*"

Re:work work work... (1)

kaens (639772) | more than 9 years ago | (#12755257)

Most physical bully types that I have met already have their computers infested anyhow.

Just saying.....

Re:work work work... (5, Insightful)

pschmied (5648) | more than 9 years ago | (#12754965)

What are these people gaining, anyway?


Automated access to large numbers of systems inside big corporations and government, where they collect passwords, account names, scan for vulnerabilities and gather information from PC disk drives for evaluation and sale (corporate espionage). Use of thousands of home systems for spambots and DDoS attack fleets. It's all about organized crime and money to be made these days.



No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

Re:work work work... (4, Interesting)

bersl2 (689221) | more than 9 years ago | (#12755146)

No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?

Can one then conclude that because the common wisdom seems to favor a uniform system, this is those people's just deserts?

Re:work work work... (4, Interesting)

pschmied (5648) | more than 9 years ago | (#12755261)

Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?


Excellent point. However, in practice it can be a tricky balance. For example, a company that runs AIX on the Power architecture is less likely to be vulnerable to the buffer overflow exploit of the week than say Linux on Intel.

The trade off becomes "patch early, and patch often" versus "maintain an expensive development/build environment for a relatively obscure platform that sucks to build software on." As a person who has witnessed this phenomenon first hand and has felt the full pain of building all the standard OSS on AIX, I can tell you that Linux/Intel starts looking pretty good at times.

As always, it's never black and white. Platform diversity == good. Too much platform diversity == major pain in the ass.

-Peter

Re:work work work... (2, Interesting)

bersl2 (689221) | more than 9 years ago | (#12755355)

Sure, at the single network level, moderation is good. I also meant at the level of the entire Internet, diversity is good.

Everyone makes the "Oh, but if enough of us switch, then they'll start attacking [name of OS] too!" and commercial developers don't want to write cross-platform because it's not profitable.

I propose that this offloads much of the cost onto the user setups, who pay in lost productivity, lost or stolen data, and sometimes directly financially, because they represent a large target. I argue that there is enough of this happening that "complex" malware is being written, increasing the damage done, then perhaps the hidden costs equal or exceed that of developers' time and salary to make software work on diverse systems, something that can be recouped by raising prices slightly across the board.

It's the same supporting argument as for diversity in biological systems, except that in this case, the selection is more effective than random.

Re:work work work... (1)

QuantumG (50515) | more than 9 years ago | (#12755294)

Call me cynical, but I think the public perception of corporate espionage is even more ignorant than that of regular espionage. I mean, if corporate espionage was as rife as people think it is then surely I, or one of the many other geeks here who work in highly "secure" environments, would have been approached to engage in it. I never have, have you? What are you gunna steal? Trade secrets? Release dates for products? Customer lists? Is this stuff even remotely valuable anymore?

Re:work work work... (2, Interesting)

killjoe (766577) | more than 9 years ago | (#12755330)

It's valuable to somebody. In any collection of documents you harvest from a company there will be mentions of their major competitors, and to those people any and all information about the competition is valuable. If I offered a company details about their competition you can bet your ass they would pay me lots of money and would not even blink at buying it.

Re:work work work... (1)

QuantumG (50515) | more than 9 years ago | (#12755354)

Yeah, they would, cause it would be illegal and people in business generally don't do things that are illegal. But hey, don't take my word for it. Go make contact with someone in a rival company and try selling them information, you'll quickly discover I'm right. Consider it a gentleman's wager, if I'm wrong you get $$$, if I'm right you get a jail sentence.

Re:work work work... (1)

killjoe (766577) | more than 9 years ago | (#12755393)

" Yeah, they would, cause it would be illegal and people in business generally don't do things that are illegal."

ROFLMAO. Thanks for the humor dude. I haven't laughed that hard in days. That's hilarious!

But hey, while I got you let me ask you a question. All those hackers, spammers, people who control zombies, etc are they doing it for profit or fun?

Re:work work work... (1)

QuantumG (50515) | more than 9 years ago | (#12755443)

Look! I'm the cynical one ok? We can't both be cynical. So go fuckin' sell some information to a competitor, preferably with a hidden camera on your person, or STFU.

Botnets (0)

Anonymous Coward | more than 9 years ago | (#12754969)

They make the money off selling the power of botnets.

Re:work work work... (1)

xiando (770382) | more than 9 years ago | (#12754981)

It is, like very much else, all about the money. If you have enough zombie computers then you can use them to make money. You can sell your network to spammers or someone who wants to launch a major DDoS attack against their competition, or simply use them yourselves to market whatever you have to offer.

1. Create a botnet
2. ???
3. PROFIT !!!

Re:work work work... (3, Interesting)

songofthephoenix (858004) | more than 9 years ago | (#12754983)

"What are these people gaining anyway?"

Depends on who "these people" are.

Anti viral company: Creating a greater need for their product.

Support desk: More support calls to them.

Someone with a grudge against a particular OS: They can say that their OS isn't as vulnerable.

Script kiddie: They do it for their ego after watching Hackers and getting all hot and sweaty at the sight of The Da Vinci Code

Admin: Do it to get the Product Manager to allow upgrades on their networks and more staff and $$$

I would like to see a worm that goes around and patches servers for a change. It can be done.

Re:work work work... (0)

Anonymous Coward | more than 9 years ago | (#12755128)

Interesting ideas, but (no offense intended) I think they are more paranoid than realistic. For instance, there are plenty of viruses and worms in the wild that anti-viral companies don't really need to create their own. Incidentally, I believe there already exist worm(s) that try to do beneficial things like apply patches, or at least toy prototypes have been created in academia. But one of the damaging side effects of worms is the huge amount of network traffic they incur, and "good" worms can clog up network resources just as much as "bad" worms.

Re:work work work... (1)

boisepunk (764513) | more than 9 years ago | (#12755186)

Those same worms developed in academia that implement homebrew decentralized p2p create significantly less traffic. P2p isn't the best solution for data propagation, but does solve many problems, like how to get mp3s or distributed patches in a faster way.

Re:work work work... (0)

Anonymous Coward | more than 9 years ago | (#12755403)

* from the same Anonymous Coward as before *

If the patches are large enough (and they often are), then you'll create significant amounts of additional traffic no matter how your worm propagates, IMHO. Also, there're other ways that even "good" worms can cause damage. Most patch processes involve a reboot process. Well, what if the good worm affects a system providing a crucial service, a system that shouldn't be rebooted willy-nilly? I'm thinking of systems such as those governing power grids, financial transactions, or medical services. Also, many sysadmins deliberately hold off on patch application because patches often break things or introduce new vulnerabilities, and they want to wait to see if a patch is safe to apply. I don't think anyone is really justified in taking the decision away from sysadmins.

Incidentally, according to wikipedia, there exist genuine worms that try to do patching:

http://en.wikipedia.org/wiki/Nachi_worm [wikipedia.org]

Re:work work work... (5, Informative)

Flendon (857337) | more than 9 years ago | (#12755382)

I would like to see a worm that goes around and patches servers for a change. It can be done.

Welchia [symantec.com] attempted to patch the DCOM RPC vulnerability that Blaster fed on and remove Blaster if present. It was called the "good samaritan worm". The problem was, as the AC pointed out, the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually had the same unfriendly welcome for the same reason.

Re:work work work... (3, Funny)

mek2600 (677900) | more than 9 years ago | (#12755019)

What are these people gaining anyway?

Chicks.

Re:work work work... (2, Funny)

Anonymous Coward | more than 9 years ago | (#12755032)

Bigger e-penis.

actually, yes. Chicks. (1)

SethJohnson (112166) | more than 9 years ago | (#12755123)



It was a network intrusion like the ones these worms create that resulted in Paris Hilton's private Sidekick data being compromised. That's how the net got a hold of her private nude photos.

Re:work work work... (0)

Anonymous Coward | more than 9 years ago | (#12755037)

It's surprisingly painless to create such a beast if you know how. The reason we're seeing more blended threats is because someone had the idea to give a worm IRC connectivity, took time out of their day(s) and created the implementation. Everyone else simply copied it. Although it may take hours/days/weeks to be the first to write it, it only takes minutes to copy and paste source of other worms.

That and I assume maybe they don't 'waste' as much time reading slashdot and use all the extra time on their hands to do their dirty work. ;)

Wanted (1)

boisepunk (764513) | more than 9 years ago | (#12755243)

Wanted:
One massive botnet able to DDoS a
major corporate site. Heavy
compensation available.
Email: revenge_on_corps@gmail.com

Re:work work work... (1)

ockegheim (808089) | more than 9 years ago | (#12755388)

If there was somehow real money to be made legally by reporting security flaws (and without becoming a criminal and dealing with criminals), there would be much less incentive for hackers to go to the dark side.

Dopey coder (1)

bergeron76 (176351) | more than 9 years ago | (#12754922)

This worm will certainly fail. It doesn't even try to gain access to network shares using the 'elusive' password:

"trustno1"

My idiot former roommate was a paranoid wannabe computer geek and he cherished his "cool password that I would never get because it uses numbers too".

Dolt.

Hmm, Note to self (2, Funny)

Anonymous Coward | more than 9 years ago | (#12755544)

Change password.

SWEET (0, Troll)

GRAKKAR2 (890342) | more than 9 years ago | (#12754923)

Re:SWEET (-1, Troll)

GRAKKAR3 (890359) | more than 9 years ago | (#12754977)

IM NOT A TROLL!!!!!!

Re:SWEET (-1, Offtopic)

jericho4.0 (565125) | more than 9 years ago | (#12754984)

you're an idiot then?

Re:SWEET (0)

Anonymous Coward | more than 9 years ago | (#12754995)

Your time cube is stupid.

Re:SWEET (-1, Troll)

GRAKKAR3 (890359) | more than 9 years ago | (#12755007)

please retype this with caps on for the true grakkar experience!!!!

no, im just acting like an idiot because it's funny shit!!!!!

Re:SWEET (0)

Anonymous Coward | more than 9 years ago | (#12755140)

Grakkar, thanks for providing 30 seconds of entertainment on a very boring Tuesday night.

Dumb sysadmins (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12754930)

Why are the outgoing ports for IRC not firewalled in the first place?

Re:Dumb sysadmins (-1, Troll)

GRAKKAR3 (890359) | more than 9 years ago | (#12754964)

BECAUSE PORTS SUCK!!!

Re:Dumb sysadmins (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12755163)

I know only a bit about viruses and worms, but I think blocking specific ports won't solve the problem by itself, because the authors can just code their programs to use other ports. They could probably do things like sneak their traffic through port 80 (HTTP), or be even trickier and use things like SSH port-forwarding to do their evil deeds. Just my cowardly two cents.

Re:Dumb sysadmins (2, Insightful)

pschmied (5648) | more than 9 years ago | (#12755213)

Worms typically don't use the "standard" IRC ports. Most organizations don't have tough egress filtering in place, but folks should start considering, "block all outbound ports except port 80". Even so, it's still possible for nasty traffic to go out on port 80, then, isn't it?

-Peter

Re:Dumb sysadmins (1)

Omnifarious (11933) | more than 9 years ago | (#12755296)

Egress filtering is evil. The first thing I do upon encountering it is erect a tunnel.

Blocking "non-standard" ports (1)

jefftp (35835) | more than 9 years ago | (#12755308)

Get a Packeteer Packetshaper. Block all peer-to-peer application protocols and definitely IRC protocols. The Packetshaper works at layer 7 instead of layer 4.

Re:Dumb sysadmins (2, Informative)

sr180 (700526) | more than 9 years ago | (#12755381)

Why even have port 80 open? Just force all web traffic to go through a proxy if you want it to be secure.

Re:Dumb sysadmins (2, Informative)

interiot (50685) | more than 9 years ago | (#12755433)

Yup, that's what my Fortune 100 company does. Only three egresses, and all of them have a username and password so viruses can't get out unless they keylog or ethersniff. It's actually quite a huge PITA for normal users.

Re:Dumb sysadmins (1)

Vellmont (569020) | more than 9 years ago | (#12755400)


but folks should start considering, "block all outbound ports except port 80"


Right, and what will happen with people running services that are blocked? That's right, they'll just start using the "magical" port 80 that lets people connect to it.

I think some port blocking makes sense. It certainly makes sense for large, tightly controlled organizations to block port 25. No one but legit mail servers should be trying to connect to port 25. That would at least protect against spreading viruses and spam.

Re:Dumb sysadmins (2, Informative)

Alioth (221270) | more than 9 years ago | (#12755613)

That's what we do here. In fact, we don't actually route anything onto the Internet, and our internal DNS servers do not resolve names outside of our network.

The only outside access is via a web proxy.

But unless you have a very restrictive 'deny,allow' rule set (which we don't, because it simply wouldn't fly here), a worm can simply look up your proxy settings and use the web proxy instead. Or it can use port 443, and use HTTP CONNECT with the proxy to a remote system listening on port 443, then encrypt the traffic. To the proxy, it'll look like normal HTTPS traffic in transit. (This is the way we get SSH access to outside systems, despite not having any routing to the Internet - our SSH client uses the proxy, and connects to a remote SSH server that is set to listen on 443).

Re:Dumb sysadmins (1)

Emetophobe (878584) | more than 9 years ago | (#12755228)

How can they block the outgoing ports? This isn't the incoming port of the IRC server (usually 6667). The worm probably uses a random outgoing port to connect to the IRC server, so I don't see how this would work without blocking other valid services.

Re:Dumb sysadmins (3, Informative)

The Jonas (623192) | more than 9 years ago | (#12755336)

How can they block the outgoing ports? This isn't the incoming ports of the IRC server (usually 6667)

Without going into a long explanation, destination ports for outgoing connection attempts, such as port 6667, can be blocked from leaving the originating network. Even this method can be fine-tuned as to protocol/s, and so forth.

The worm probably uses a random outgoing port to connect to the IRC server, so I don't see how this would work without blocking other valid services.

That random port is the port of the machine attempting the outgoing connection to a port such as 6667, to put it simply. The random outgoing port is irrelevant to blocking destination ports.

A quick Google search returned these code examples from a Redhat firewall how-to page [redhat.com] using iptables:

iptables -A OUTPUT -p TCP --sport 6699 -j REJECT

and

iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

I hope this helps. Here is a Google search [google.com] to get you started.
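The disagreement in this subthread (destination-port rules such as the iptables lines above, versus worms that speak IRC on port 80, versus CONNECT tunnels through the web proxy) can be shown on a few flow records. This Python example is added here and is not from the original discussion or any of the posters; the flow records, RFC 5737 addresses, bot nicknames and the proxy port 3128 are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Ports most IRC servers listen on; a port-only egress rule blocks just these.
STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# The "block all outbound except web" policy discussed in the thread, plus the
# internal web proxy port (constructed assumption: Squid-style 3128).
PROXY_PORT = 3128
ALLOWED_EGRESS_PORTS = {80, 443, PROXY_PORT}

# IRC client registration commands (RFC 1459/2812): PASS/NICK/USER, then JOIN.
# A worm's IRC stub has to send these no matter which port it dials.
IRC_COMMAND = re.compile(rb"^(PASS|NICK|USER|JOIN)\b", re.IGNORECASE | re.MULTILINE)

# HTTP CONNECT request line as the proxy sees it.
HTTP_CONNECT = re.compile(rb"^CONNECT\s+\S+:(\d+)\s+HTTP/1\.[01]", re.IGNORECASE)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent (constructed samples below)


def irc_commands(payload: bytes) -> set:
    """Set of IRC registration commands found at line starts, upper-cased."""
    return {m.group(1).upper() for m in IRC_COMMAND.finditer(payload)}


def looks_like_irc(payload: bytes) -> bool:
    """Client registration needs NICK plus USER (or a JOIN straight after)."""
    cmds = irc_commands(payload)
    return b"NICK" in cmds and (b"USER" in cmds or b"JOIN" in cmds)


def port_only_verdict(flow: Flow) -> str:
    """What a destination-port-only egress filter does with this flow."""
    return "allowed" if flow.dport in ALLOWED_EGRESS_PORTS else "blocked"


def content_verdict(flow: Flow) -> str:
    """What layer-7 inspection of the first client bytes concludes."""
    if looks_like_irc(flow.payload):
        if flow.dport in STANDARD_IRC_PORTS:
            return "irc-standard-port"
        return "irc-nonstandard-port"
    if HTTP_CONNECT.match(flow.payload):
        # After the CONNECT handshake the tunnel is opaque to the proxy: it
        # only ever sees host:port, so anything (SSH, IRC) can ride inside.
        return "opaque-connect-tunnel"
    return "benign-or-unknown"


def audit(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """(source, port-filter verdict, content verdict) for every flow."""
    return [(f.src, port_only_verdict(f), content_verdict(f)) for f in flows]


def port_policy_misses(flows: List[Flow]) -> List[str]:
    """Sources whose IRC traffic the port-only filter would have let out."""
    return [f.src for f in flows
            if port_only_verdict(f) == "allowed"
            and content_verdict(f).startswith("irc")]


# Constructed sample flows: two bots registering with a C2 IRC server (one on
# 6667, one on 80), a plain web request, and a CONNECT through the proxy.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 6667, b"NICK bot5a1\r\nUSER x 0 * :x\r\nJOIN #ctl\r\n"),
    Flow("10.0.0.6", "198.51.100.7", 80, b"NICK bot6b2\r\nUSER x 0 * :x\r\nJOIN #ctl\r\n"),
    Flow("10.0.0.7", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.8", "10.0.0.1", PROXY_PORT, b"CONNECT relay.example.net:443 HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, by_port, by_content in audit(SAMPLE_FLOWS):
        print(f"{src:10} port-filter={by_port:8} content={by_content}")
    print("missed by port-only filter:", port_policy_misses(SAMPLE_FLOWS))
```

Only the bot on port 80 slips past the port rule, and the CONNECT flow shows what neither check can settle: once the tunnel is up, the proxy has nothing left to inspect.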

Modern viruses attack from 2 directions (5, Insightful)

Dancin_Santa (265275) | more than 9 years ago | (#12754946)

The whole problem is twofold. The first is stupid users. How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts? The second is privilege escalation at the binary level. System-level software with any sort of hole will allow an attacking program the ability to do whatever it wants, even if the user isn't running as root (the daemon is running at that level).

We had a guy who was constantly downloading and running every attachment he ever received. We finally set him up with an ePod terminal and some crayons and haven't had a significant virus problem since. As a bonus, we get some interesting artwork to hang in the lobby.

This goes to show the benefits of Open Source software. Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

We can't take the drastic step of eliminating Windows on our networks because it is so entrenched, but the slow migration away from it one desktop at a time is giving us a whole new outlook on viruses.

Re:Modern viruses attack from 2 directions (5, Funny)

Indy Media Watch (823624) | more than 9 years ago | (#12755016)

The first is stupid users.

Sorry BOFH wannabe, they're not stupid users, they're just users.

If they aren't doing what you would like, you obviously have a training deficiency which might be your fault, not theirs.

How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts?

By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple.

Re:Modern viruses attack from 2 directions (4, Funny)

killjoe (766577) | more than 9 years ago | (#12755338)

"By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple."

I don't know where I heard this but...

"You can never make anything idiot proof because idiots are so damned ingenious"

Re:Modern viruses attack from 2 directions (1)

Da Web Guru (215458) | more than 9 years ago | (#12755609)

"As soon as you make something idiot-proof, the world builds a better idiot."

Re:Modern viruses attack from 2 directions (0)

Anonymous Coward | more than 9 years ago | (#12755488)

they're not stupid users, they're just users.

Yes, let's not be redundant.

If they aren't doing what you would like, you obviously have a training deficiency which might be your fault, not theirs.

Indeed, you clearly haven't instilled the proper mortal fear into them.

How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts?

Well, the obvious solution would be blackmail. Chances are good that they're too dull for immediate blackmail, so you may have to plant incriminating evidence first, but that shouldn't be a problem.

Or you could attach electrodes to their keyboard, mouse, coffee mug, etc. and try shock therapy. This may be less effort and more satisfying to boot.

I'd say to use your imagination, but that seems to be a bit lacking. Maybe when you've had more experience.

Re:Modern viruses attack from 2 directions (4, Insightful)

pschmied (5648) | more than 9 years ago | (#12755059)

The whole problem is twofold. The first is stupid users... The second is privilege escalation at the binary level.


Human stupidity is greatly amplified by weak architectures. If one lucky user gets a malicious email and executes the attachment (after unlocking the password protected zip and clicking on "Natalie_Portman_Naked.zip") that's bad enough. But cleaning up dozens or hundreds of PC systems clobbered by the resulting worm infestation is catastrophic. The industry is only starting to realize that we need better tools to fix stupid.



-Peter



Re:Modern viruses attack from 2 directions (1)

FLEB (312391) | more than 9 years ago | (#12755147)

Sledgehammer of intelligence!

(Even if it doesn't work, the effect is still about the same.)

Re:Modern viruses attack from 2 directions (1)

Minwee (522556) | more than 9 years ago | (#12755345)

If that fails there's always the Chainsaw of Natural Selection [queenofwands.net] .

Re:Modern viruses attack from 2 directions (2, Informative)

Coolpup (796096) | more than 9 years ago | (#12755310)

Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

While I agree that open source is good stuff, your logic is retarded. You basically state that if the vulnerability is known by the attacker and not security companies that there is nothing to worry about. What you meant to say is that there are enough freelance coders out there that check the code and are responsible enough to report exploits to the proper distribution channels.

Re:Modern viruses attack from 2 directions (1)

QuantumG (50515) | more than 9 years ago | (#12755327)

if you had RTFA you might have had a chance to understand that security companies don't need good hearted coders to tell them about exploits, they monitor networks and see the attackers breaking in. From this information security companies can easily expose zero-day exploits.

Re:Modern viruses attack from 2 directions (0)

Anonymous Coward | more than 9 years ago | (#12755450)

No, i think coolpup had it right. In your scenario, a security company spots the exploit because an attacker has already used the exploit to mount a successful attack. Isn't it much better if freelance coders spot and report an exploit BEFORE any attackers use that exploit for any attacks?

Re:Modern viruses attack from 2 directions (1)

QuantumG (50515) | more than 9 years ago | (#12755480)

no, it's not, because you spend a lot of time chasing non-issues instead of chasing real issues. Obviously a massive preventive effort like that performed by the OpenBSD team is a fantastic thing, but it also happens to result in a massive reduction in productivity.

Re:Modern viruses attack from 2 directions (0)

Anonymous Coward | more than 9 years ago | (#12755533)

I'm not sure i understand what you mean by a non-issue; if a vulnerability exists, it's an issue regardless of whether someone has mounted an attack using that vulnerability. Also, when you say a a reduction in productivity could result, i assume you mean that productivity is decreased if people spend more time reviewing rather than coding. But less code produced per some unit of time doesn't necessarily translate to less productivity; making existing code more secure is every bit as productive as hammering out new code that may or may not be safe, in my opinion.

Re:Modern viruses attack from 2 directions (1)

QuantumG (50515) | more than 9 years ago | (#12755545)

Ok, well to put it another way, as long as security companies respond to and fix any of the vulnerabilities they witness being exploited that is more than an adequate service.

Re:Modern viruses attack from 2 directions (0)

Anonymous Coward | more than 9 years ago | (#12755598)

Let me get this straight... your network is more secure when people who are not security companies find exploits and use them against you?

Yeah that's the most retarded thing I've ever heard..
I suppose now you or someone else will retort with "Oh but it's fixed faster" or some crap.. It's not fixed if you don't know about it.. the fact remains that if someone is pwning you and knows what they are doing, you might never detect it for quite some time... Just because someone is using an exploit that is not known by the public does *NOT* automatically mean that said exploit is going to come out into the open any faster..

And don't worry, people who believe that open source is the end all, be all for security are just fooling themselves. Users will ALWAYS find a way to screw shit up, regardless of OS.. Requiring a root password or SU to root WILL NOT STOP THEM. They won't even think about it.. "But I want this cool screensaver program.!!!"

IIS == Thumper (4, Funny)

hedley (8715) | more than 9 years ago | (#12754961)

Nice to see the industry's stock thumper is still #1 for attracting worms and looks to be still #1 in the future. Upon sighting wormsign one need only look close by for a compromised IIS box.

Hedley

Re:IIS == Thumper (0)

Anonymous Coward | more than 9 years ago | (#12755003)

"As more and more companies migrate to Windows 2003 and IIS 6, however, we expect attacks against IIS to decrease."

Yet another reason.... (1, Funny)

Anonymous Coward | more than 9 years ago | (#12754962)

To upgrade to Longhorn, so your spyware, viri, and worms are more secure and stable!

Upgrade today... Oh wait.

TFA in a nutshell (2, Funny)

SleepyHappyDoc (813919) | more than 9 years ago | (#12754982)

Uh, things are going to continue the way they have been going, probably.

I found this essay most unimpressive.

Lures and jigs (3, Funny)

UnAmericanPunk (310528) | more than 9 years ago | (#12755004)

This [homestarrunner.com] is all I could think of when reading this.

"...we've got a KEG... of worms... and phytoplankton"

Schneier (4, Informative)

pHatidic (163975) | more than 9 years ago | (#12755045)

If you haven't already read his book Beyond Fear I would highly recommend it. For those of us who don't read books, he covers a good chunk of the material in 34 minutes in this interview [itconversations.com] . Also very fascinating, I even played it for my grandparents and they both enjoyed it, and have since told me that they have seen him talking on CSPAN or something like that.

Schneier and the SF Public Library (4, Interesting)

IO ERROR (128968) | more than 9 years ago | (#12755249)

Bruce Schneier is my hero. His blog [schneier.com] has been in my feed reader for quite a while.

Some comments: I haven't read Beyond Fear yet, but I have read Applied Cryptography. The San Francisco Public Library kept it in a back room and asked me to surrender my ID to look at it. I have no idea why. Maybe it's a terrorism manual.

He's pretty cool (0)

Anonymous Coward | more than 9 years ago | (#12755265)

I loved him in Jaws.

Re:Schneier and the SF Public Library (1)

pHatidic (163975) | more than 9 years ago | (#12755420)

Cool. I have Practical Cryptography and I'd say that it is worth checking out of the library to read the first few chapters but not worth buying. He gives some good practical advice, but then he tries to give overviews of the algorithms by giving the math equations without explaining how they work. I guess this might be ok if you are a math major, but for the rest of us I'd say Applied Cryptography would be a better bet because supposedly (meaning I haven't read it) he actually explains the maths. Now I hate math as much as the next guy, but I gave up with Practical Cryptography because it just didn't make enough sense without the math.

Now if we could only... (5, Funny)

Anonymous Coward | more than 9 years ago | (#12755054)

"Bruce Schneier has posted an interesting entry on expected attack trends to his blog."

...develop a worm that attacks trendy blogs.

Anatomy of the Web Application Worm (5, Informative)

mrkitty (584915) | more than 9 years ago | (#12755101)

For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
http://www.cgisecurity.com/articles/worms.shtml [cgisecurity.com]

John "F" Kerry (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12755113)

You wouldn't know it by reading slashdot, but The Boston Herald got hold of John F. Kerry's Yale grades. Turns out that "Gentleman C" George Bush (1 D) is a better scholar than "Genius" John Kerry (5 Ds). Maybe you should ask for a refund on your fancy European boarding schools John!

Not only that, but GWB did better on the military aptitude tests as well.

Of course, GWB also had better grades than Al Gore (the guy who flunked out of divinity school and law school). One wonders whether George is smarter than people give him credit for, or Democrats are just dumber than they think they are.

that would be illegal in New South Wales Australia (2, Informative)

Amakiell (743758) | more than 9 years ago | (#12755170)

New South Wales Australia has just passed a law that prevents bosses spying on email. Even big ones with attachments.

Re:that would be illegal in New South Wales Austra (1)

general_re (8883) | more than 9 years ago | (#12755227)

New South Wales Australia has just passed a law that prevents bosses spying on email. Even big ones with attachments.

What about my situation? I mean, my boss is pretty big, but I don't know if he has any attachments...

Re:that would be illegal in New South Wales Austra (1)

shadow0_0 (59720) | more than 9 years ago | (#12755434)

The trick is to figure out if you are being monitored or not. Has that law been passed? Last I heard, it was only a proposal.

JUST IN! (0, Troll)

Pres. Ronald Reagan (659566) | more than 9 years ago | (#12755209)

JOHN KERRY OFFICIALLY DUMBER THAN PRESIDENT GEORGE WALKER BUSH!

Communist rag confirms. [boston.com]

Hope all you communists are satisfied with your votes.

Re:JUST IN! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12755365)

In related news, John Kerry looked much gayer than President George Walker Bush while in college.

Seriously, that is a horrible picture. I thought my picture was bad, but Jesus Fucking Christ.

What? (0)

Anonymous Coward | more than 9 years ago | (#12755392)

I'm not a flaming liberal, but that story might be fake:

In his Navy application, Kerry made clear that he spent much of his college time on extracurricular activities, including the Yale Political Union, the Debating Association, soccer, hockey, fencing, and membership in the elite Skull and Bones Society.

Um, no. Skull and Bones is like Fight Club. The first rule of Skull and Bones is do not talk about Skull and Bones. The second rule of Skull and Bones is DO NOT TALK ABOUT SKULL AND BONES. To this day, neither Kerry nor Bush has confirmed or denied their involvement or non-involvement in the alleged secret society Skull and Bones.

Are We Glad.... (4, Insightful)

Ecko7889 (882690) | more than 9 years ago | (#12755221)

Aren't we so glad Microsoft is getting into the Anti-Virus Business.....oh wait...don't they make the OS?

What happened to fixing the OS, so an AV isn't needed?

Why do I even bother?

Re:Are We Glad.... (1)

unleashedgamers (855464) | more than 9 years ago | (#12755497)

Aren't we so glad Microsoft is getting into the Anti-Virus Business.....oh wait...don't they make the OS?
What happened to fixing the OS, so an AV isn't needed?

Money

One day there'll be a worm so complex (5, Funny)

salparadyse (723684) | more than 9 years ago | (#12755233)

... that to all intents and purposes it looks like an Operating System. It will give the user a limited amount of functionality in order to maintain its cover. Secretly it will report back to its maker about what you do on your computer and... Oh, wait a minute...

obligatory (0, Flamebait)

IEBEYEBALL (827052) | more than 9 years ago | (#12755242)

and we have Microsoft to thank for all of this.

Engrish (1)

hereschenes (813329) | more than 9 years ago | (#12755264)

LOL ... love the Engrish in the Trend Micro page (near the bottom):
Search a new malware

Hopefully... (1)

game kid (805301) | more than 9 years ago | (#12755379)

...we can easily though malware into the floor have fun [wikipedia.org] too.

Let's decompose and enjoy kicking worm ass.

Re:Hopefully... (1)

jericho4.0 (565125) | more than 9 years ago | (#12755435)

engrish galore. [engrish.com]

Crime that targets the shady (4, Funny)

tloh (451585) | more than 9 years ago | (#12755300)

from the article:"We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks."

While mainstream web services are cringing in anticipation of becoming targets, it is quite amusing to watch what seems to be one kind of filth devouring another.

Re:Crime that targets the shady (1)

rev_g33k_101 (886348) | more than 9 years ago | (#12755347)

So is it real crime? Or is it more of a vigilante justice?

The question boils down to why the attacks are happening; money, greed, power, or is it to right wrongs?

I think it's a little from column A, a little from column B

It started off as way to right wrongs, but then it went corporate

And like many things when it goes corporate it goes sour

Re:Crime that targets the shady (1)

thouth (815259) | more than 9 years ago | (#12755563)

"Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks." "it is quit amusing to watch what seems to be one kind of filth devouring another." Gamers aren't filth! Well, maybe they are a little filthy from not showering *every* week, but not actual filth!

the 4 steps (0)

Anonymous Coward | more than 9 years ago | (#12755380)

1.- install windows
2.- use internet explorer to surf the internet (infecting the machine the moment you use it)
3.- A zombie is born
4.- profit!

Summary (1)

mcrbids (148650) | more than 9 years ago | (#12755391)

"It's going to get worse".

Hopefully, that'll save time before you go RTFA...

Spybot (1)

sankyuu (847178) | more than 9 years ago | (#12755457)

Why did they name the worm WORM SPYBOT.ID? Won't they run into copyright trouble with Spybot [safer-networking.org] the Anti-Spyware company?
What if a worm was named Windows XP or Longhorn, or even Linux?

Re:Spybot (0)

Anonymous Coward | more than 9 years ago | (#12755496)

The guys behind Spybot S&D are not a company, and they're not in the USA. It's mostly one German guy who makes it in his spare time, not an evil corporation that sues people just for fun.

Besides, I think the word spybot existed before 'spybot - search & destroy' was offered.

Re:Spybot (1)

DeltaQH (717204) | more than 9 years ago | (#12755603)

That's a good idea...

Worm? (1)

ThaReetLad (538112) | more than 9 years ago | (#12755511)

Hey what's with the slashdot "worm" image? It's a caterpillar, not a worm. Look, it has legs!

Why can't companies guard against this crap? (0, Flamebait)

ZosX (517789) | more than 9 years ago | (#12755536)

First of all shouldn't most IDS systems pick up on this worm if it has been announced enough to be named and is obviously now a known exploit? I don't know if Kerio picks up on this worm, but I'd imagine they would have some sort of security update in the near future, and I'm sure it has to be in some signature databases. Secondly, what exactly does this affect? Unpatched windows systems? I'm sure anyone running a network that knows what they are doing (tm) would have clear safeguards for this kind of thing. Hell, even Kerio personal firewall will not let anything execute that I know of, and for the rare times that websites try to pass on some sort of java virus, Norton usually detects it before it hits the cache.

Secondly is there any excuse anymore other than incompetence and companies that are operating on a small budget? Someone needs to make a firewall device that the windows network can be plugged into (think small company lan /w web and e-mail) that offers relatively little configuration and just basically works right out of the box. Even my cheap ass linksys router does some basic port forwarding and such.

Oh, it needs to be cheap and update itself with new security rules (IDS, firmware, etc) on a fairly constant basis, for a relatively low fee you could have it send security logs to the manufacturing company, which could say add rules or manipulate the box. Honestly, I think a well thought out firewall running on a fairly secure NOS would go an awfully long way in protecting their assets.

I think we are going to see some clever attacks in the future. I can think of so many ways that a network could be easily compromised and a trusted connection could be made. Think of all the business travelers that head out with their Cen-f'in-trino and connect to the nearest open hotspot then proceed to log right into a VPN session. Think of company wireless hotspot spoofing and imagine sending the visitor directly to the real network with their intercepted log in. How easy would something like that be? Hell you could even throw something like that in a backpack. How would they find *that*? I don't think that many companies have realized the gaping holes that they have left in their networks. Any company that thinks FedEx is secure enough to send unencrypted tapes is likely going to have a few more surprises along the way. I predict that the future is going to get worse for a lot of companies *cough*banks*cough before it gets better.

BTW, if this post is incoherent, my apologies. It *is* rather late. And to the FBI agent who may come across this message: Go find some real criminals. The last I heard, there are still plenty of real crimes still being committed on a daily basis. Murder, rape, child exploitation, etc. Why not devote some time on the big stuff?

Re:Why can't companies guard against this crap? (1)

ZosX (517789) | more than 9 years ago | (#12755570)

W32.Spybot.KEG is a worm that has distributed denial of service and back door capabilities. The worm spreads to network shares protected by weak passwords and by exploiting vulnerabilities.

Technical details

When W32.Spybot.KEG is executed, it performs the following actions:

1. Creates the following copy of itself:

%System%\p6.exe

Sounds pretty sophisticated if you read all the details. Notice the line about how when it "is executed." Maybe we need to figure out how we can give everyone virus protection for free. Seriously. This kind of thing is far too easily prevented, especially at the corp level.

There are even freeware opensourced scanners these days that I hear are pretty good even if they do miss a few trojans here and there.
