
IM Worm Attack Cloaked in Virtual Card Hoax

CowboyNeal posted more than 7 years ago | from the giving-props dept.


An anonymous reader writes "There's a new Instant Messaging Worm on the loose that is wrapped up in more than a few interesting twists. The people behind the infection lure users in with a message on a Russian hosted website claiming to have 'a virtual card for you' — a reference to the famous Email hoax listed on Snopes and numerous other web hoax sites. At the point of infection, the worm opens up a picture of a heart (from a site called Quatrocantos.com that tackles web scams on a daily basis) — this picture itself related to a different 'virtual card' hoax from 2002. Bearing in mind the people behind this attack are deliberately serving up an image from a 'good guy' website related to virtual card hoaxes, the question is — are they attempting to create a real life infection out of a web-based piece of lore, making a calculated move to tie this attack into numerous Web hoaxes, possibly to confuse infected users looking for help online or simply having a little fun at the good guy's expense?"


31 comments


Can't it be both? (0)

Anonymous Coward | more than 7 years ago | (#16166607)

are they attempting to create a real life infection out of a web-based piece of lore, making a calculated move to tie this attack into numerous Web hoaxes, possibly to confuse infected users looking for help online or simply having a little fun at the good guy's expense?
Couldn't it be both?

Re:Can't it be both? (4, Informative)

enharmonix (988983) | more than 7 years ago | (#16166645)

Probably both, but I'd venture mostly to confuse users. From Symantec [symantec.com] :
Symantec Security Response encourages you to ignore any messages regarding this hoax. It is harmless and is intended only to cause unwarranted concern. Please ignore any messages regarding this hoax and do not pass on messages. Passing on messages about the hoax only serves to further propagate it. [emphasis theirs]
Why, any "web savvy" user knows they can safely disregard warnings about virtual cards being viruses. Frankly, I find this a little disturbing (though I guess it was bound to happen eventually)...

Slightly different. (1)

khasim (1285) | more than 7 years ago | (#16166881)

There is nothing preventing email trojans from using any subject, including "a virtual card for you". I get email all the time saying that a "friend" has sent a "card" to me. Fortunately, I run Thunderbird on Ubuntu.

The hoax was that the "virus" would wipe your hard drive and that this was already causing massive problems and there was a widespread media alert about it (what? you haven't heard yet?).

And that you should forward this warning to everyone in your addressbook.

The reality, now, is that there is an email trojan/virus that has the subject "a virtual card for you" that does not appear to be any more dangerous or noteworthy than any of the other 1,000 viruses/variants that have been released this year.

There's no need to forward this message to all of your friends and family and co-workers.

There is no widespread media frenzy about this (unless you count /.).

If you've taken the basic precautions, you won't be in any danger. If you haven't, you've probably already been infected by a dozen other ones so one more won't matter.

CHOWBOI KNEAL HOW MUCH MAN CUM HAVE YOU HAD TODAY? (1)

CmdrTaco (troll) (578383) | more than 7 years ago | (#16166889)

You stupid fat fuck, you are disgusting. Lose some weight fatty. By the way 2007 called, they said someone misspelled 'disgusting fat fuck' on your tombstone.

Re:Can't it be both? (2, Funny)

Goaway (82658) | more than 7 years ago | (#16167175)

It's NEVER both! It's always EITHER, OR! Anything else would be MADNESS!

Re:Can't it be both? (1)

YellowFellow (995078) | more than 7 years ago | (#16167471)

So does that mean we have choices of...

1) Either Or
2) Never
3) Madness
4) CowboyNeal?

Now's your chance! (1)

BlackMesaLabs (893043) | more than 7 years ago | (#16166629)

quick, Quatrocantos, replace the image with goatse!

All of it. (1, Insightful)

Abreu (173023) | more than 7 years ago | (#16166813)

are they attempting to create a real life infection out of a web-based piece of lore, making a calculated move to tie this attack into numerous Web hoaxes, possibly to confuse infected users looking for help online or simply having a little fun at the good guy's expense?

All of the above?

"Good guy" ? (0)

Anonymous Coward | more than 7 years ago | (#16167653)

I don't know what's up with this "good guy" phrase. Snopes has been known to spread some vicious lies about John Kerry and also Michael Moore in the past. Especially when it was 2004.

The people at Snopes are entitled to their opinions, of course. It's a free country. But I wouldn't call them "good guys".

PLEASE POST UPFRONT THE OS IT TARGETS (-1, Troll)

Burz (138833) | more than 7 years ago | (#16166871)

If the worm is supposed to be assumed as being for Windows, then by all means change the name of this site to "news for Windows nerds".

Otherwise stop wasting people's time!

Re:PLEASE POST UPFRONT THE OS IT TARGETS (1)

Ucklak (755284) | more than 7 years ago | (#16166913)

I believe the title should be 'MS IM Worm Attack Cloaked in Virtual Card Hoax'

Re:PLEASE POST UPFRONT THE OS IT TARGETS (1)

pedalman (958492) | more than 7 years ago | (#16167275)

After all, Netcraft has confirmed it.

Stupid (3, Insightful)

Dan East (318230) | more than 7 years ago | (#16167151)

It's rather stupid for them to link to an image out of their control - especially considering it is hosted by their "enemy". Now Quatrocantos can change the image to display a warning that the user's computer was infected. I think that is more of an insult to or vendetta against Quatrocantos than it is some sort of cloaking or other intelligent design.

Dan East

Re:Stupid? Maybe not. (1)

Gary W. Longsine (124661) | more than 7 years ago | (#16172579)

If they can infect several thousands of systems within the first hour or two, maybe that's good enough to suit their purposes. Some of the email virus or network worm propagation techniques were "stupid" in the sense that they could be easily blocked -- once people knew how it worked. The TFTP callback used by several different worms springs to mind, very easily blocked with a filter rule in a router. In the first few hours, however, hundreds of thousands of systems were infected. Stupid is as stupid does, I guess. In this case stupid owned a bunch of systems before people could respond.

Newsworthy? (1)

madsheep (984404) | more than 7 years ago | (#16167545)

All kinds of viruses, trojans, and worms that we hear about on an almost daily basis now are nothing new and if you notice the articles they normally do not claim they are. Trojans going around on MSN, AIM, Yahoo!, Jabber, IRC, E-mail, Microsoft Messenger, Randor random web searching, or anywhere else have been around for many many years now. Is this even newsworthy? In my opinion it is not.

This is not "news for nerds"... (1)

Old Man Kensey (5209) | more than 7 years ago | (#16167737)

...or for anyone else who's checked the contents of their spam folder lately. I've been getting announcements that "you've been sent an e-card" with a link to an .exe on a bare IP address or a foreign site with a nonsensical DNS name for... years? Many months, definitely.

Re:This is not "news for nerds"... (1)

RKBA (622932) | more than 7 years ago | (#16169511)

Very true. There is no way to protect fools against themselves. What's really funny is to receive an email embedded with HTML and various images in Thunderbird. It just shows image "placeholders" all over the place and some of the raw HTML, har, har. The only thing that gets through is plain ASCII text. :-)

Template for this story (3, Insightful)

Sloppy (14984) | more than 7 years ago | (#16168001)

Hostile code was sent to prospective victims, in the hopes that they would either be dumb enough to run it, or dumb enough to run client software that "helpfully" runs it for them. Of course, the hostile code should be run without any sandboxing, with all the same capabilities as the victim.

Now take this template, and fill it in with irrelevant and uninteresting details. Maybe the hostile code poses as something the victim has seen before. Maybe stress how amazing it is that people still fall for it. Maybe stress how amazing it is that people still run client software that supports easy execution of hostile code. Maybe leave all this out, so that the victims' ignorance isn't mentioned and therefore the hostile code sounds all the more threatening -- i.e. IT COULD HAPPEN TO YOU, SO YOU BETTER BE SCARED (small print: if you're a fucking idiot who hasn't learned anything in the last decade or so). Now your article is ready to be submitted to Slashdot as a major story.

Re:Template for this story (1)

Anonymous Coward | more than 7 years ago | (#16168139)

i love the consistently asshole-ish comments when a story about a virus/worm/trojan/whatever hits windows.

"small print: if you're a fucking idiot who hasn't learned anything in the last decade or so)"

well done professor internet, what a pity that there are INDEED "fucking idiots" who will click on pretty much anything put in front of them. I've no doubt quite a few of these net noobs will stumble upon that article (or others like it) and happily avoid infection.

the thing that makes the writeup interesting, is the fact that

a) it goes beyond simply referencing the usual "virtual card" scam because in this case it is actually serving up images from a site dedicated to tackling online hoaxes - i havent heard about someone doing that before, therefore i'd like to read it. if i hadnt seen this on slashdot, i'd have missed it. so screw you.

b) the image served up directly relates to an older hoax about virtual cards, so theres all kinds of interesting contextual nonsense you can read into it if you so choose.

i guess now all we need is the entire discussion being hijacked by linux fanboys, who seem to have the wonderful habit of turning ANY attempted discussion about a new windows based threat into LINUX ROOLZ, LOL.

Re:Template for this story (1)

Sloppy (14984) | more than 7 years ago | (#16169371)

what a pity that there are INDEED "fucking idiots" who will click on pretty much anything put in front of them. I've no doubt quite a few of these net noobs will stumble upon that article (or others like it) and happily avoid infection.

Or they can read the article template, and as soon as they realize "hey wait, the malware spreaders will try to trick me by making malware appear unthreatening?" then they'll happily avoid infection forever because they'll begin a policy of not executing whatever arbitrary code they happen to find somewhere on the Internet.

i guess now all we need is the entire discussion being hijacked by linux fanboys, who seem to have the wonderful habit of turning ANY attempted discussion about a new windows based threat into LINUX ROOLZ, LOL.

If reading suggestions that people should not run malware makes you think someone is saying "LINUX ROOLZ" then maybe you're a Linux fanboy. And if you think "will click on pretty much anything put in front of them" is the same as "will execute anything you send them with maximum privileges" then maybe you're a Windows hater. Hey, I didn't say anything about Linux or Windows; you're the one who figured out which shoes fit who, and mentioned specific platforms. :-)

Gosh, could you be one of the people who has learned something in the last decade? I bet it took a lot less than 10 years for you to do it, too. Congratulations. Now let's get back to mocking the slow learners who keep doing the same dumb things over and over, expecting a result other than a repetition of the usual disaster.

Conjecture (1)

LordRefaIV (1004775) | more than 7 years ago | (#16168991)

Given that there are direct references to two different virtual card hoaxes in the "attack" itself maybe everyone's looking at it from the wrong slant...

My gut reaction is that this is some (extreme) degree of internet art. This article [about.com] about hoaxes being essentially viruses in and of themselves says a lot about what may have motivated this particular form of expression.

Maybe whoever made this virus was making a statement about what is "known" (What is well known not to be a virus). They may have also been making a statement about anti-hoax information and/or the "truth".

I didn't read the initial article, mind you -- but the blurb cut seemed to have everything essential in it already.

Re:Conjecture (0)

Anonymous Coward | more than 7 years ago | (#16169085)

"My gut reaction is that this is some (extreme) degree of internet art."

"I didn't read the initial article, mind you -- but the blurb cut seemed to have everything essential in it already."

The story submitter left out the part about the financial data theft, so that's about as extreme as you can get, art wise.

Re:Conjecture (1)

LordRefaIV (1004775) | more than 7 years ago | (#16171503)

S'why I mentioned that I didn't read the article expressly. I know it happens a lot, and I'd rather people think I think I'm being insightful because I'm lazy... as opposed to a cocky SOB that doesn't feel the need to read things before sounding off on them.

It was a fun thought while it lasted.

Old News (1)

jproffer (766368) | more than 7 years ago | (#16172307)

This news is a bit stale - the attack started several weeks ago, and most AV vendors detect the binary in question..

Re:Old News (0)

Anonymous Coward | more than 7 years ago | (#16172783)

actually, thats not true - i nabbed one of the files and ran it through virustotal and (yesterday) only something like eight AV vendors picked it up - hardly "most".

don't use eCards! (1)

AlgorithMan (937244) | more than 7 years ago | (#16173839)

when you send an eCard to someone, you have to submit your email address and the email address of the recipient... and guess what - the eCard providers sell these email addresses to spammers! - surprise surprise! did you think they had done the programming work and offer the service and their traffic for free?

I read all the traffic and learned nothing (1)

Douglas Goodall (992917) | more than 7 years ago | (#16179549)

I was interested as to whether there was anything new to learn about this attack that would make me safer in the future. I use all the operating systems because I can write programs for all of them. Each has its benefits and its liabilities. Reading through these responses was a complete waste of time and used up today's quota of time for reading /.

"malicious thingy" (1)

tt074295 (1005785) | more than 7 years ago | (#16230465)

Much of the work done by several programs is invisible to the user. The people behind it attempt to attack dumb users by hiding themselves behind this 'good guy' image. The user has absolutely no idea what they have received by accessing all the files, programs and webpages. Then the virus attacks everything the infected user touches. Moral of the story: "Update the antivirus regularly to detect any 'malicious thingy' and ignore spam emails."

Re:"malicious thingy" (1)

Mr.BoBo-TT074226 (1005779) | more than 7 years ago | (#16241831)

i agree...

virus..... (1)

Mr.BoBo-TT074226 (1005779) | more than 7 years ago | (#16241861)

come on...of course viruses are always on the loose...that is why there is a thingy that is called 'antivirus'. it could check if there is any error in the system. so....update your antiviruses...