
Targeted Trojan Attacks Causing Concern

kdawson posted more than 7 years ago | from the with-your-name-on-it dept.


Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.


77 comments


The biggest danger are working business models (4, Interesting)

chriss (26574) | more than 7 years ago | (#16432547)

We've seen a change of purpose in virus/trojan creation over the last few years, from being a cracker or script kiddy ego thing to being the base of obviously lucrative spam distribution via cracked machines. The malware market has become more sophisticated, e.g. today malware usually will not crash a machine or cause any noticeable problems for the user, because the prime target is to use the machine as long as possible. So malware behavior is driven by business needs.

Now any option to make money will attract someone, in the case of illegal business often organized crime, which operates very much like any other business, just without regulation and taxes. And one thing business usually does is looking for options to grow and extend into other markets.

The spam distribution business seems just fine right now, and with more people getting online there is still some growth potential, but filters and trained users will limit that market. So if you switch from targeting the masses to individuals and specific companies you gain two things:

  1. Detection rate is much lower, since the development of anti malware tools today only works because the cost for the development is spread over a large number of users. Unless this can be somehow automated, effective protection will become very expensive and only affordable by larger businesses or people with sensitive data like the military.
  2. The revenue per customer will increase, since industrial espionage, blackmailing, insider trading and other neat things available to those with the right data are much more profitable than a percentage in Viagra sales.

So once again, this is not mainly a technical problem: As long as someone finds a way to make money with it, it will not go away, but only get worse. Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work. If you develop open source software, your source can not be stolen or destroyed. But make sure you have backups of your consulting customers list on separate media.

Re:The biggest danger are working business models (2, Informative)

frenetic3 (166950) | more than 7 years ago | (#16432727)

it does have a technical solution -- just don't let it run in the first place :) or more specifically, take the choice out of the (uninformed) end-user's hands and let the IT admin decide.

http://www.bit9.com/

lets you lock down PCs and stops anything new/unknown (from a network-wide perspective) from running without taking away admin rights.

so if someone gets snuck an evil email attachment, it would be identified by the software as new to the network and blocked at the kernel level before the OS executes it. no signatures or AV needed.

[full disclosure: yeah, i work at bit9, and the product rocks :)]

-fren

Re:The biggest danger are working business models (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#16432777)

9bit is spyware. Feel free to fuck off and die.

Re:The biggest danger are working business models (1)

Xross_Ied (224893) | more than 7 years ago | (#16433071)

How do you deal with a new exe or dll installed as part of Windows Update, anti-virus updates, etc.?

e.g. IE7 will soon be released via Windows Update.

Re:The biggest danger are working business models (1)

frenetic3 (166950) | more than 7 years ago | (#16433161)

very carefully :)

on the server, you can mark certain updaters, users, directories and/or publishers as trusted, and all files that come from these trusted origins are locally approved on each desktop (while the rest of the system remains locked down.)

this way you don't have to maintain any enormous whitelists or blacklists or anything and you only have to look at what's new/unknown (the graylist.)

-fren

Re:The biggest danger are working business models (1)

Jah-Wren Ryel (80510) | more than 7 years ago | (#16433983)

so if someone gets snuck an evil email attachment, it would be identified by the software as new to the network and blocked at the kernel level before the OS executes it. no signatures or AV needed.

So, how do you differentiate between:

1) Joe Corporate Peon receives mail with an attachment that is an evil ms-word document with rogue macros that cause stack overflows and make the ms-word process do bad things
2) Joe Corporate Peon receives mail with an attachment that is an angelic ms-word document from a customer to which the company is proposing a bid

?

Re:The biggest danger are working business models (2, Interesting)

frenetic3 (166950) | more than 7 years ago | (#16434267)

well, one way to look at it is in general a lot of shellcode relies on downloading/dumping an executable file somewhere and running it; this would be blocked (the new exe would drop, but you couldn't run it), even if you're able to blow up winword.exe. yeah you could cram a bunch of executable code into the document, fine, but then that code would have to modify something/overwrite a system file (which would get blocked), or write a new exe on the disk (blocked on attempted execute) if they wanted something to stay resident beyond that instance of winword.exe.

to the pedants: fine, you might be able to contrive some rube goldbergesque way to get past it, but today most companies are getting screwed by trivial vulnerabilities. put another way, if you had an adversary that had the resources ($) and motive to craft a malformed document that was customized to be able to jump through all of the hoops needed (no overwriting system files or writing new exes), they could probably just pay off the secretary or janitor and/or physically break in and steal the info they needed :)

in general, it's very effective against the vast majority of malware that is commonly encountered.

-d
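The lockdown model frenetic3 sketches in this thread (baseline what is on the box, trust a few updaters or publishers, block and graylist anything else, including a freshly dropped exe or an overwritten system file) can be expressed in a few dozen lines. The block below is an added illustration for this page, not Bit9's code and not anything posted by the commenter; the image contents, the staging directory, the publisher name and the execution attempts are all constructed. Note the caveat the later reply raises: a digest allowlist says nothing about code that stays inside an already-approved process such as winword.exe, and a "trusted publisher" rule is only as strong as the signature check that produces the publisher name (this example takes the name as given).

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(image: dict) -> set:
    """Digest every file in a known-good image (path -> bytes) once, at lockdown time."""
    return {sha256(content) for content in image.values()}


@dataclass
class ExecPolicy:
    """Default-deny execution policy: content may run only if it was present at
    baseline or arrived through an explicitly trusted origin. Everything else is
    blocked and recorded on a graylist for an administrator to review."""
    approved: set                                  # SHA-256 digests allowed to run
    trusted_dirs: tuple                            # assumed: staging dirs of sanctioned updaters
    trusted_publishers: frozenset                  # assumed: publisher names we accept
    graylist: dict = field(default_factory=dict)   # digest -> first path seen, awaiting review

    def _trusted_origin(self, path: str, publisher: Optional[str]) -> bool:
        in_trusted_dir = any(path.startswith(d.rstrip("/") + "/") for d in self.trusted_dirs)
        return in_trusted_dir or (publisher is not None and publisher in self.trusted_publishers)

    def decide(self, path: str, content: bytes, publisher: Optional[str] = None) -> str:
        """Return "ALLOW" or "BLOCK" for an attempt to execute `content` found at `path`."""
        digest = sha256(content)
        if digest in self.approved:
            return "ALLOW"
        if self._trusted_origin(path, publisher):
            # Local approval: this exact content is now allowed wherever it turns up.
            self.approved.add(digest)
            return "ALLOW"
        self.graylist.setdefault(digest, path)
        return "BLOCK"


def run_scenario() -> dict:
    """Constructed sample image and execution attempts; returns the policy decisions."""
    image = {"/usr/bin/ls": b"ELF ls v1", "/usr/bin/winword": b"PE winword v1"}
    policy = ExecPolicy(
        approved=baseline(image),
        trusted_dirs=("/var/lib/updater/staging",),
        trusted_publishers=frozenset({"Example Corp Updater"}),
    )
    r = {}
    # Baseline binary: digest known, runs.
    r["ls"] = policy.decide("/usr/bin/ls", image["/usr/bin/ls"])
    # Attachment dropped by the mail client: unknown content, untrusted origin, blocked.
    r["attachment"] = policy.decide("/home/joe/Downloads/bid.doc.exe", b"MZ dropper")
    # Shellcode in winword overwrote a system file: digest no longer matches, blocked.
    r["overwritten_ls"] = policy.decide("/usr/bin/ls", b"ELF ls backdoored")
    # Vendor update arriving through the sanctioned updater directory: locally approved.
    r["update_staged"] = policy.decide("/var/lib/updater/staging/ls", b"ELF ls v2")
    # The same bytes later installed over /usr/bin/ls: approved by digest, runs.
    r["update_installed"] = policy.decide("/usr/bin/ls", b"ELF ls v2")
    # Unknown bytes but a trusted publisher: approved regardless of where it landed.
    r["signed_setup"] = policy.decide("/tmp/setup.exe", b"MZ setup", publisher="Example Corp Updater")
    r["graylist"] = sorted(policy.graylist.values())
    return r


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:>17}: {decision}")
```

The graylist is the interesting output for an operator: it holds exactly the two things that were new to the box (the dropped attachment and the tampered system binary), which is the "only look at what's unknown" workflow described above.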

Re:The biggest danger are working business models (1)

Jah-Wren Ryel (80510) | more than 7 years ago | (#16434465)

to the pedants: fine, you might be able to contrive some rube goldbergesque way to get past it, but today most companies are getting screwed by trivial vulnerabilities. put another way, if you had an adversary that had the resources ($) and motive to craft a malformed document that was customized to be able to jump through all of the hoops needed (no overwriting system files or writing new exes), they could probably just pay off the secretary or janitor and/or physically break in and steal the info they needed :)

That's kind of a funny thing to say in the context of an article about the rise of attacks that are targeted at specific sites and even specific individuals -- where the goal is not necessarily general purpose 'infection' but instead possibly one-shot corporate espionage.

The biggest danger are your data, scattered. (0)

Anonymous Coward | more than 7 years ago | (#16433563)

"Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work."

Keep that in mind when your personal information is scattered all over the net.

Industrial Espionage, not spam slaves (1)

msobkow (48369) | more than 7 years ago | (#16435615)

I believe the article is talking about targeted industrial espionage, not spam slaves. Unless a target had control over a multi-gigabit backbone link, I can't see a spammer going to the effort of targeting specific machines, clusters, or users. In those cases there are admins monitoring traffic load and the spam would cause a surge in outgoing SMTP/POP3 traffic and rapidly get traced. Companies with big pipes tend to have the infrastructure in place to monitor and maintain the hardware behind those pipes.

In short, I seriously doubt spam distribution would be the reason behind a targeted attack.

Targeted attacks would select an individual machine, cluster, or user because they contain or have access to resources the attacker wants. It could be source code, it could be credit card numbers, it could be internal business plans, or it could be some goof trying to stalk the cutie on the second floor.

The point is the expense of a targeted attack starts with the expense of identifying a target.

What reason does the attacker have for identifying the target?

i.e. What's the motive?
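The "surge in outgoing SMTP traffic" that msobkow expects admins to notice is easy to turn into a concrete detection. The block below is an added example for this page, not the commenter's, and the flow-log format, the relay address and the sample records are all constructed. The rule it implements is the classic spam-bot signature: a desktop should only ever speak SMTP to the corporate relay, so a host fanning out TCP/25 connections straight to external mail exchangers within a single minute is flagged, while a host pushing just as many messages through the sanctioned relay is not.

```python
import re
from collections import defaultdict

# Assumed record format for the sample flow log (constructed for this example):
#   <ISO timestamp> TCP <src>:<sport> -> <dst>:<dport>
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(lines):
    """Yield (minute, src, dst, dport) for each well-formed TCP flow record."""
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))


def direct_to_mx_alerts(lines, relays, threshold=5):
    """Flag hosts that open `threshold` or more TCP/25 connections in one minute to
    anything other than the sanctioned mail relays. Desktops should only talk SMTP
    to the relay; fan-out straight to external MXes is the spam-bot signature."""
    destinations = defaultdict(set)   # (minute, src) -> non-relay SMTP destinations
    counts = defaultdict(int)         # (minute, src) -> number of such connections
    for minute, src, dst, dport in parse_flows(lines):
        if dport != 25 or dst in relays:
            continue
        counts[(minute, src)] += 1
        destinations[(minute, src)].add(dst)
    alerts = []
    for (minute, src), n in sorted(counts.items()):
        if n >= threshold:
            alerts.append({"minute": minute, "src": src, "connections": n,
                           "distinct_mx": len(destinations[(minute, src)])})
    return alerts


# Constructed sample: one desktop spraying external MXes, one sending through the
# relay as it should, one making a single stray SMTP connection, plus a DNS lookup
# and a web connection that the rule must ignore.
SAMPLE_FLOWS = [
    "2006-10-12T10:01:02 TCP 10.0.5.17:51001 -> 203.0.113.9:25",
    "2006-10-12T10:01:03 TCP 10.0.5.17:51002 -> 203.0.113.22:25",
    "2006-10-12T10:01:03 TCP 10.0.5.17:51003 -> 198.51.100.7:25",
    "2006-10-12T10:01:04 TCP 10.0.5.17:51004 -> 198.51.100.8:25",
    "2006-10-12T10:01:05 TCP 10.0.5.17:51005 -> 192.0.2.40:25",
    "2006-10-12T10:01:05 TCP 10.0.5.17:51006 -> 192.0.2.41:25",
    "2006-10-12T10:01:07 TCP 10.0.5.17:51007 -> 203.0.113.9:25",
    "2006-10-12T10:01:09 UDP 10.0.5.17:51008 -> 10.0.0.53:53",
    "2006-10-12T10:01:10 TCP 10.0.5.20:40001 -> 10.0.1.5:25",
    "2006-10-12T10:01:11 TCP 10.0.5.20:40002 -> 10.0.1.5:25",
    "2006-10-12T10:01:12 TCP 10.0.5.20:40003 -> 10.0.1.5:25",
    "2006-10-12T10:01:13 TCP 10.0.5.20:40004 -> 10.0.1.5:25",
    "2006-10-12T10:01:14 TCP 10.0.5.20:40005 -> 10.0.1.5:25",
    "2006-10-12T10:01:15 TCP 10.0.5.20:40006 -> 10.0.1.5:25",
    "2006-10-12T10:01:20 TCP 10.0.5.30:52000 -> 203.0.113.9:25",
    "2006-10-12T10:01:21 TCP 10.0.5.30:52001 -> 93.184.216.34:443",
]
MAIL_RELAYS = {"10.0.1.5"}   # assumed: the corporate MTA that desktops are allowed to use


if __name__ == "__main__":
    for alert in direct_to_mx_alerts(SAMPLE_FLOWS, MAIL_RELAYS):
        print(alert)
```

On a real network the relay set comes from the mail team, the threshold from a baseline of what desktops normally do (usually zero direct-to-MX connections), and the same rule is worth applying to TCP/587 and TCP/465 once the relay hosts are known.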

Re:Industrial Espionage, not spam slaves (1)

RMH101 (636144) | more than 7 years ago | (#16439551)

Agreed. However, at most big companies, if you have an employee name, location, IT helpdesk number and maybe extension number of an individual, then you can get a password reset for that individual and away you go.
Social engineering's easy - if you work for a large company then think how easy it would be for a random individual to get a logon ID and password for the systems you run...

Any trojans cause concern (3, Informative)

celardore (844933) | more than 7 years ago | (#16432629)

My work PC has been hit by trojans twice within a couple of weeks. I'm new there, so it looks bad anyway. Also, I'm as competent as most /. users, so I was shocked I got virused twice because I'm careful, especially at work. I'm an accountant so I don't have a say in the IT nor do I care to. My boss had to bring in external guys to fix the first virus, then the second one happened and he decided to reinstall everything anyway. Cost time and money.

Any trojans cause concern-condom failure (0)

Anonymous Coward | more than 7 years ago | (#16433007)

Tell me about it. I just got through spending two hours getting rid of spyware/malware/dialware using Prevx. I religiously use Spybot S&D, AVG, Ad-Aware, CCleaner AND I still got hit. Makes you want to hurt the ones creating this stuff.

Re:Any trojans cause concern (1)

jlarocco (851450) | more than 7 years ago | (#16433141)

I've never understood how people who claim to be "competent" get viruses, trojans, and other malware. I expect it from idiots who click on every free offer or flashy banner, but it's pretty funny to hear "competent" users say they got infected. What the hell do you people do?

Re:Any trojans cause concern (1)

MichaelSmith (789609) | more than 7 years ago | (#16433669)

I've never understood how people who claim to be "competent" get viruses, trojans, and other malware.

Chances are it's another machine on his network spreading exploits around the place.

Re:Any trojans cause concern (1)

SirTalon42 (751509) | more than 7 years ago | (#16435951)

Possibly one day while using the required IE to get information online, he was going to somesite.org, but accidentally typed someste.org which could infect the system through IE, and if they were sneaky could just forward you to somesite.org so you wouldn't even notice you went to a bad site.

Re:Any trojans cause concern (2, Insightful)

MichaelSmith (789609) | more than 7 years ago | (#16433685)

Also, I'm as competent as most /. users, so I was shocked I got virused twice because I'm careful, especially at work.

Almost certainly another machine on your network is spreading the infection. You did something about it because you are on the lookout for these problems. I suggest you use your position to bypass the IT people. Go straight to the top and get the boss to knock some heads together in the IT department. This problem is more serious than the immediate issue on your PC.

Re:Any trojans cause concern (1)

Jedi Alec (258881) | more than 7 years ago | (#16435065)

I suggest you use your position to bypass the IT people.

Sounds like a great way to go about it, especially in a company where you just started. How about filing an incident report with IT, waiting for a while and THEN reporting it to your boss if it hasn't been fixed?

I've always wondered... (0, Redundant)

Anonymous Coward | more than 7 years ago | (#16432665)

How THEY know I want a bigger schlong and that I want to shoot like a porn star. And that I can't keep it up.

Re:I've always wondered... (0, Troll)

Anonymous Coward | more than 7 years ago | (#16432989)

When I was a kid, I overheard my grandfather telling some of his friends about a technique that can be used to make a man shoot further, and maintain an erection longer.

What it basically came down to was smearing tabasco sauce on your prostate. I suppose one would put some on his finger, and then put that finger up his anus, placing the hot sauce on the prostate.

I really don't know if this works, as I haven't tried it myself. I don't recommend anyone actually do it. But you may want to research it, if you actually do suffer from erectile dysfunction.

About time? (3, Informative)

caller9 (764851) | more than 7 years ago | (#16432671)

This is the obvious evolution in organized crime via hacking. If you could infect the marketing dept of several companies directly by doing a little old-fashioned PI work (or looking at the company directory), you would have access to both typically non-technical people and people that have access to what is about to be spun from a company. So do some "insider" trading on that.

Ask a legitimate question and get a response. You're now whitelisted. Send them a document related to your question that happens to carry your trojan. You can now, at least, impersonate them on the network/read their mail/send mail on their behalf.

It's a crappy way to develop a bot net but it's a good way to get very specific espionage capabilities.

Why hasn't this been exposed in the past? I'm sure it's been going on for quite some time.

Re:About time? (1)

Yehooti (816574) | more than 7 years ago | (#16432941)

The bad guys have found a hole in the system and are exploiting it. They know it'll take law enforcement years to catch up, so they rake in the cash while they can. Meanwhile, national security is also taking a hit through our potential enemies using this very technique. I don't have a clue about how much our government is addressing this threat, but I do clearly see that whatever they are doing isn't enough.

Get Ubuntu (1)

Ice Wewe (936718) | more than 7 years ago | (#16432679)

Really? I didn't notice.

Ubuntu, the ancient african for "couldn't install debian, but didn't want those damn trojans"

Re:Get Ubuntu (5, Insightful)

QuantumG (50515) | more than 7 years ago | (#16432783)

Also the african word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on linux as anywhere else.

Thank you for the plug, comrade (1)

NotQuiteReal (608241) | more than 7 years ago | (#16432891)

I too, prefer the more robust Linux environment for my business.

Too many of my Window-Monkies call in sick. (rooted by competitors - damn users clicking "ok").

Once I have a Linux Mail-Bot, I can lock it down and know it is mine!

Don't worry, we run all our processes "nice"!

Re:Get Ubuntu (4, Insightful)

grcumb (781340) | more than 7 years ago | (#16433051)

Also the african word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on linux as anywhere else.

Bull:

  • All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
  • Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.
  • Even a malicious script that surreptitiously runs
    dpkg -i nasty-payload
    is going to have a very hard time affecting the integrity of the system, let alone hiding from the user.
  • The default user mode is non-privileged. It's hard (though not impossible) for someone to run Ubuntu as root.

If you wanted to make the point that there are just as many attack vectors in Ubuntu as elsewhere, go ahead. But the mere presence of an avenue of attack doesn't magically make it easy. Implying that Ubuntu is not inherently harder to compromise than Windows is prima facie wrong.

Re:Get Ubuntu (2, Interesting)

drsmithy (35869) | more than 7 years ago | (#16433083)

*All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
* Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.

Why do people think "requires admin privileges" is any sort of significant barrier on unmanaged, typically single-user systems?

[...] is going to have a very hard time affecting the integrity of the system, let alone hiding from the user.

The best place to hide is in full view. Or did you miss the whole definition and point of a 'trojan horse'?

The default user mode is non-privileged. It's hard (though not impossible) for someone to run Ubuntu as root.

It's trivial. Every time you go 'sudo blah', 'blah' is running as root.

Because it is. (1)

khasim (1285) | more than 7 years ago | (#16433587)

Why do people think "requires admin privileges" is any sort of significant barrier on unmanaged, typically single-user systems?

Because it is. And I'm posting this from my home machine running Edgy.

The best place to hide is in full view. Or did you miss the whole definition and point of a 'trojan horse'?

I think you missed the definition.

The code is not "in full view". It is hidden. That way, the user will run the code s/he THINKS is contained in that package, but the real code is something else.

It's trivial. Every time you go 'sudo blah', 'blah' is running as root.

Maybe you don't understand "trivial", either.

Under a single user Windows box, it was trivial. Just clicking on porn.gif(.exe) in Outlook used to be sufficient to run that .exe as admin (which was what most Windows users were running as).

Under Ubuntu, there are more steps. And the user has to specifically type in "sudo blah". The more steps required, the more chance that the user will notice that there is a problem.

So, if 99% of Windows users get themselves infected ... but only 1% of Ubuntu users get themselves infected, then, given the same level of knowledge amongst the users, Ubuntu is more secure than Windows.

And that's just from the trojan threat.

Because Ubuntu's default installation has no open ports, it is 100% safe from worms.

And the virus threat is also limited by the restricted rights and the need to type "sudo virus-file" to "install" the virus.

Re:Because it is. (1)

drsmithy (35869) | more than 7 years ago | (#16434335)

Because it is.

No, it's not:

* Firstly, because the ignorant end user can trivially raise any program's privileges to root
* Secondly, because 99% of the things most malicious code wants to do, don't require root privileges in the first place

The code is not "in full view". It is hidden. That way, the user will run the code s/he THINKS is contained in that package, but the real code is something else.

Er, yes, my whole point. If you want to use them to install your malware, you just dress it up in something they _want_ to install. Which is what most malware does.

Maybe you don't understand "trivial", either.

A single command (or typed password) seems pretty trivial to me.

Under a single user Windows box, it was trivial. Just clicking on porn.gif(.exe) in Outlook used to be sufficient to run that .exe as admin (which was what most Windows users were running as).

Once you've gotten past the dialog boxes telling you it's a stupid thing to do, yes.

Under Ubuntu, there are more steps. And the user has to specifically type in "sudo blah". The more steps required, the more chance that the user will notice that there is a problem.

Three or four trivial steps (instead of two) still add up to a trivial process overall.

If the end user can use the system to easily download and install legitimate software (although, admittedly, I _am_ assuming you're not going to argue Linux makes this task difficult in the first place) then they can do it just as easily with malicious software.

So, if 99% of Windows users get themselves infected ... but only 1% of Ubuntu users get themselves infected, then, given the same level of knowledge amongst the users, Ubuntu is more secure than Windows.

Right. Just like because there are proportionally more black people in jail than white people, black people are more likely to commit crimes than white people. Right ?

Because Ubuntu's default installation has no open ports, it is 100% safe from worms.

XP's default configuration today has the firewall enabled. Uglier, but just as effective.

And the virus threat is also limited by the restricted rights and the need to type "sudo virus-file" to "install" the virus.

Except, as I noted previously, there's little need for malicious code to elevate its privileges to do 99% of things it might want to do.

Here, I'll demonstrate. (1)

khasim (1285) | more than 7 years ago | (#16434383)

No, it's not:

* Firstly, because the ignorant end user can trivially raise any program's privileges to root
* Secondly, because 99% of the things most malicious code wants to do, don't require root privileges in the first place

The same "logic" can apply to an email telling the "ignorant end user" to buy a hammer and smash the hard drive.

The problem is getting them to do that.

That is the problem. The problem you have not addressed. The problem you have not addressed is how to get the "ignorant end user" to do that.

Simply saying that it can be done is as stupid as saying that an email could persuade an "ignorant end user" to smash his/her computer with a hammer.

Three or four trivial steps (instead of two) still add up to a trivial process overall.

Not when you're talking about spreading a trojan. The more steps needed, the more likely that the "ignorant end user" will do something wrong or remember something about not running untrusted crap on his/her computer.

"Trivial" in this context means:
#1. Not doing something such as patching so a worm can infect you.

#2. Doing one stupid thing such as clicking on an attachment you received via email.

The more steps that have to be followed, in a particular order, the less "trivial" it becomes to convince the "ignorant end user" to perform all those steps, in that particular order.

You can keep arguing that this is not so, but the statistics seem to contradict you. And I'm going to go with the statistics on this.

Re:Here, I'll demonstrate. (1)

drsmithy (35869) | more than 7 years ago | (#16434747)

The same "logic" can apply to an email telling the "ignorant end user" to buy a hammer and smash the hard drive.

No, it can't, because the vast, vast majority of users understand that doing that would be A Bad Thing.

The sheer volume of software that relies on the "download and run it" capability just to exist, handily demonstrates the same does not apply there.

That is the problem. The problem you have not addressed. The problem you have not addressed is how to get the "ignorant end user" to do that.

That's because millions of people have proven it for me, and continue to do so, every day.

Getting people to run arbitrary stuff on a computer - assuming that "running arbitrary stuff" is in itself a relatively easy activity in the environment - is trivial. Just wrap it up with some porn or in a silly little game.

Not when you're talking about spreading a trojan. The more steps needed, the more likely that the "ignorant end user" will do something wrong or remember something about not running untrusted crap on his/her computer.

Except, of course, when those steps are perfectly normal because they're the steps followed to use legitimate software.

A user is more likely to give up in frustration because running something is a long, annoying process, than they are to give up trying to run it because that "hey, this might be a bad idea" lightbulb has come on.

"Trivial" in this context means:

Then it qualifies as trivial.

You can keep arguing that this is not so, but the statistics seem to contradict you. And I'm going to go with the statistics on this.

I'm not aware of any statistics that support the assertions you are making.

Re:Here, I'll demonstrate. (1)

Tim C (15259) | more than 7 years ago | (#16434795)

People run as admin under Windows because there's a lot of poorly-written software that requires it, and because it's easier. If and when the masses move to Linux, they will either run as root, or they will become used to providing their username and password every time they install the cute little screensaver or buddy icon package they've found/their friend mailed them/etc.

Requiring admin privs is nothing but a speed bump until and unless the average end user is trained to not provide them willy-nilly. No OS can save itself from a rogue admin user, and I have no confidence that the typical end user will be any safer under Linux from trojans and other social engineering tricks. Drive-by installers and other such exploits yes, but people will simply stop using them and move to trojans.

Besides which, as the OP points out and you ignore, you don't need admin privs to create a spam botnet or similar, you just need to be able to create network connections and have a mechanism to start up at logon time.
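The last point in the comment above, that malware only needs outbound connections and a way to start at logon and neither needs root, is worth checking on a real machine. The block below is an added example for this page, not code from any commenter: it enumerates the unprivileged persistence mechanisms a trojan can use on a Linux desktop (XDG autostart entries, backgrounded commands in the shell rc files, and @reboot or every-minute lines in the user's own crontab) over a constructed fake home directory. All paths, file names and the crontab text are invented for the demonstration; on a live system you would point it at the real home directory and feed it the output of `crontab -l`.

```python
import re
import tempfile
from pathlib import Path

DESKTOP_EXEC = re.compile(r"^Exec=(.*)$", re.MULTILINE)


def find_user_persistence(home: Path, crontab_text: str = ""):
    """Enumerate start-at-login mechanisms a trojan can plant without root:
    XDG autostart entries, backgrounded commands in shell rc files, and
    @reboot / every-minute lines in the user's crontab. Returns a list of dicts."""
    findings = []

    # 1. ~/.config/autostart/*.desktop runs at every graphical login.
    autostart = home / ".config" / "autostart"
    if autostart.is_dir():
        for entry in sorted(autostart.glob("*.desktop")):
            for m in DESKTOP_EXEC.finditer(entry.read_text()):
                findings.append({"kind": "xdg-autostart",
                                 "where": str(entry.relative_to(home)),
                                 "cmd": m.group(1).strip()})

    # 2. Shell rc files: any non-comment line that backgrounds a process.
    for rc in (".bashrc", ".bash_profile", ".profile"):
        path = home / rc
        if not path.is_file():
            continue
        for line in path.read_text().splitlines():
            s = line.strip()
            if s and not s.startswith("#") and (s.endswith("&") or s.startswith("nohup ")):
                findings.append({"kind": "shell-rc", "where": rc, "cmd": s})

    # 3. The user's own crontab (text as printed by `crontab -l`).
    for line in crontab_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and (s.startswith("@reboot") or s.startswith("* * * * *")):
            findings.append({"kind": "crontab", "where": "crontab -l", "cmd": s})

    return findings


def build_demo_home() -> Path:
    """Constructed sample home directory with two planted persistence entries
    (assumed paths; nothing here is real malware)."""
    home = Path(tempfile.mkdtemp(prefix="fakehome-"))
    autostart = home / ".config" / "autostart"
    autostart.mkdir(parents=True)
    (autostart / "update-helper.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Update Helper\n"
        "Exec=/home/joe/.cache/.x/agent --connect 203.0.113.9:443\nHidden=false\n"
    )
    (home / ".bashrc").write_text(
        "# ~/.bashrc\nalias ll='ls -l'\n~/.local/bin/.sync >/dev/null 2>&1 &\n"
    )
    return home


# Constructed crontab: one benign scheduled job and one @reboot entry.
DEMO_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 7 * * 1-5 /home/joe/bin/backup.sh\n"
    "@reboot /home/joe/.local/bin/.sync\n"
)


def demo():
    return find_user_persistence(build_demo_home(), DEMO_CRONTAB)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:<14} {f['where']:<36} {f['cmd']}")
```

None of the three locations requires a password prompt to write to, which is the point being made: requiring sudo for package installation does nothing about a payload that is content to live in the user's home directory and run as the user.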

Re:Get Ubuntu (1)

QuantumG (50515) | more than 7 years ago | (#16433181)

meh, Ubuntu's use of sudo is worse than the traditional use of su. With su you're required to enter the root password every time whereas, with sudo, you're only required to enter the user's password and only once for a given period of time. As such, a program that injects code into the user's shell can easily skip to root. I know, I've written code to do it. That's without taking advantage of any suid binaries or services running as root or kernel bugs to get root. Getting root from a trojan running on a user account is not hard. Besides which, who gives a shit about root? A trojan doesn't need root to copy confidential data from a user's home directory. It doesn't need root to open a socket and send that information back home. It doesn't need root to modify or delete important files. It doesn't need root to hijack mail programs and send emails as the targeted user. This obsession with root by people who think they understand security is troubling.

Back to what I was saying about Ubuntu's repositories. It often occurs that maintainers put unsigned packages in them. It's a common complaint. Go ask them if you don't believe me. People should refuse to install these packages, as the signatures give at least some level of assurance that what you're installing is what the maintainer produced and hasn't been interfered with in transit. Of course, I say some level of assurance because there's nothing to stop an attacker from interfering with binaries (or even source) going to a maintainer who then goes and happily signs it thereby declaring to the world that it is safe. Think about it. That's what package maintainers are for.. taking stuff that isn't packaged, packing it up, signing it and putting it in a repository for users to download and run. Maybe the very first time a maintainer checks the source for a program out of the source code repository for that project they'll do a thorough analysis to ensure they are not signing their name to some piece of malware, but do you really think they do that same analysis every time they update from the repository? Of course they don't. They grab the latest source, check the bug trackers to see what state it is in. Maybe talk to the developers about what they intend on doing in future releases, then they add the Ubuntu specific patches, compile it, package it, sign it and ship it. Their connection to the source code repository could well have been compromised for all they know.. they're not going to check every line of code, and they might not notice something like a subtle security bug that has been introduced anyways.

And it's not like these people are hard to find.. it's public knowledge who maintains which packages. You're absolutely right that it is easier to get a chump to run an arbitrary exe on windows - just fake mail them an attachment and say "this is so funny" and they'll run it. But how much harder is it to get thousands and thousands of people to run a trojan on linux than it is on windows? How much harder is it to get the entire install base to run a trojan? Using the techniques above (and maybe some more involving actual viruses) at the appropriate time, I'm sure I could get a trojan into some "critical security fix" that ubuntu-security is pushing out to every user of ubuntu. Doing the same for some Windows hot fix or some other big install base would be much harder.. there's just not the same opportunities to intercept and insert code.

Re:Get Ubuntu (1)

grcumb (781340) | more than 7 years ago | (#16433493)

A trojan doesn't need root to copy confidential data from a user's home directory. It doesn't need root to open a socket and send that information back home. It doesn't need root to modify or delete important files. It doesn't need root to hijack mail programs and send emails as the targetted user.

The point is that a trojan needs root to install itself, as well as to remain undetected.

This obsession with root by people who think they understand security is troubling.

Not nearly as troubling as a straw-man argument from someone who should know better. It's not a binary equation. Every aspect of security has shortcomings, which is why a clearly defined process for software installation (for example) is necessary. Root is not a magic wand with +10 trojan-blocking capability; it's simply one of the available tools in a full system. Least Privileged Access is a well-known design approach which is applied in almost every system. Versions of Windows prior to Vista are the notable exception.

You're absolutely right that it is easier to get a chump to run an arbitrary exe on windows - just fake mail them an attachment and say "this is so funny" and they'll run it. But how much harder is it to get thousands and thousands of people to run a trojan on linux than it is on windows? How much harder is it to get the entire install base to run a trojan?

You're asking the wrong question. It's easy to get people to execute code from a trusted source. It's supposed to be. But how easy is it to infect that trusted source? Much harder than you might think. Compared to Windows, it's incalculably more difficult, because Ubuntu is explicit about what it trusts and what it doesn't. Until now, Windows has allowed the user to run with full control over the system, and to run un-sandboxed, executable content from virtually anywhere, including untrustworthy sources like email, websites - you name it.

And that, if we can stick to the point, is what some in this thread are trying to gloss over. The point that I was replying to is that, while many of the same attack vectors exist in Ubuntu, they are more difficult to exploit. The GP made a hand-wavy declaration that Windows and Ubuntu are identically insecure when they patently are not.

That said, you're right that people generally are too cavalier about security. But your assertion that "I'm sure I could get a trojan into some "critical security fix" that ubuntu-security is pushing out to every user of ubuntu" again ignores the lengths you would have to go to in order to plant that trojan. I've worked for a company that produced a Linux distro and I can assure you that security patches get very carefully reviewed before they're pushed out the door. You'd have a much easier time trying to get around the process than trying to sneak something through it.

Re:Get Ubuntu (1)

QuantumG (50515) | more than 7 years ago | (#16433703)

Yes, but compared to getting a trojan into a security fix for Windows it's really easy to get one into Ubuntu, are you so blind that you can't admit that? The whole problem with "trusted sources" is that we shouldn't trust them because they can't provide us with any guarantees beyond "I did my best." We should be running every program with Least Privileged Access, but no-one does that, it's too much trouble. The Gimp shouldn't have access to my Open Office documents. My email program shouldn't have access to write to a .rhosts file in my home directory. That's the kind of security you need to focus on to defeat trojans. Both linux and windows have tools that users can apply to get that kind of security (sudo as nobody, run program as..) but no-one uses them. It's just too much trouble. To make users safer we need to make this stuff automatic and integrated.

Re:Get Ubuntu (1)

grcumb (781340) | more than 7 years ago | (#16434073)

Yes, but compared to getting a trojan into a security fix for Windows it's really easy to get one into Ubuntu, are you so blind that you can't admit that?

Not at all. That's perfectly easy to admit, but completely irrelevant. The point is that all software, by default, comes from trusted sources in Ubuntu. All of it. That is not the case with Windows.

Re:Get Ubuntu (1)

QuantumG (50515) | more than 7 years ago | (#16434135)

Here we go. You're again smoking the crack pipe. Most of the stuff you use might come from people that you trust, but the vast majority of applications in the Ubuntu repository are just packages that people slapped together over the weekend, ok? They don't security audit the code. They don't know it is safe. So maybe you're happy to trust them, but I'm not.

What are you talking about? (2, Interesting)

khasim (1285) | more than 7 years ago | (#16434207)

With su you're required to enter the root password every time whereas, with sudo, you're only required to enter the user's password and only once for a given period of time.

What the fuck?

No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".

As such, a program that injects code into the user's shell can easily skip to root.

What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.

Go ahead. Do it.

Oh, you can't? Well I guess that your claims aren't factual.

I know, I've written code to do it. That's without taking advantage of any suid binaries or services running as root or kernel bugs to get root.


Great. Then infect my machine. Go ahead.

Writing a program such as that is not difficult. The difficult part is getting it running on my machine. Or anyone else's machine.

Getting root from a trojan running on a user account is not hard.


Then do it.

I'm saying that it is hard. And with Ubuntu, it's practically impossible.

Besides which, who gives a shit about root? A trojan doesn't need root to copy confidential data from a user's home directory.


Don't try to sidetrack this. Your claim was that you can get root, easily. No, you cannot. Here, I'll make it as easy as you're ever going to get. My email address is linked to my 'nym. I'm running a fairly vanilla Edgy on Intel. No anti-virus at all.

It doesn't need root to open a socket and send that information back home.


Yes, it does.

It doesn't need root to modify or delete important files. It doesn't need root to hijack mail programs and send emails as the targeted user. This obsession with root by people who think they understand security is troubling.


I am in that category. You have my email address. You know the OS, mail program and hardware platform.

If you cannot get a trojan on my machine, you cannot do what you've claimed.

Therefore, it is you who does not understand security.

Back to ... introduced anyways.

Again, you cannot crack my computer. You do not know what you're talking about.

You're absolutely right that it is easier to get a chump to run an arbitrary exe on windows - just fake mail them an attachment and say "this is so funny" and they'll run it. But how much harder is it to get thousands and thousands of people to run a trojan on linux than it is on windows?

Well, you've claimed that it is easy.

Your inability to prove that claim on my machine shows that it is not as easy as you would like others to believe.

Here's a free security clue. Cracking your own machine is nothing. If the crack is not spreading faster than it is being removed, it will "die" in "the wild".

Re:What are you talking about? (1)

QuantumG (50515) | more than 7 years ago | (#16435405)

You don't actually know what a trojan is do you? A trojan is a program that you want to run which contains code that does something I want to do. You run it, because you want to, the code does what I want, because I wrote it.

That cleared up, let me explain the sudo vs su thing. If you were to only ever use su, and use it sensibly, I wouldn't have much hope of getting root from a trojan. There are a couple of ways I could.. but they're pretty obvious and you'd most likely spot them. For example, when you next su I could add a parameter to the invocation of su to run a program I've dropped. You enter the root password, my program runs as root, I now have root. This works, but it's really easy to detect.. if my program doesn't make a shell for you, you'll immediately notice that I didn't give you a root shell and you'll cry bloody murder. The cheapest way to avoid this is to claim you entered the wrong password even if you didn't.. but that's only really a little bit better because if you are sure you entered the right password you'll immediately be suspicious and look deeper into what happened. A seemingly promising way is to actually run a shell for you. Problem is, the program I dropped and appended to your su command will appear in the process list as the parent process of your shell. Blatantly obvious next time you do a ps.

Hijacking su does have the advantage that you can do it by adding one alias line to the user's .bashrc or .login script. To hijack sudo you need to be a little more creative. By using the ptrace api you can inject code into the user's shell (be that bash, csh, whatever) and intercept every process that is started by it. You don't need any special permissions to use the ptrace api on your own shell. The first time the user does a sudo, you do absolutely nothing. They enter their password, their command happily runs as root, done. Then for a configurable amount of time (timestamp_timeout in /etc/sudoers, defaults to 15 minutes) you can execute sudo as many times as you like and the user will not be prompted for a password. So, by default, for 15 minutes after the user has entered their password for the first time (and yes, it is hard to intercept that password, that at least is well handled) the malicious code running in the user's shell can execute any command it likes with sudo without the user being prompted to enter their password again.
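The credential-cache window this post describes is a sudoers setting, so an administrator can measure and close it. The audit script below is an added example, not code from the thread; it assumes sudo's documented `Defaults timestamp_timeout=N` syntax and the 15-minute default the post cites, and the sudoers files it reads are constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread): report the sudo credential-cache window a
# sudoers file would apply, and classify it. Assumes the documented sudoers
# "Defaults ... timestamp_timeout=N" syntax (N in minutes). Sample files are
# constructed below; run as an unprivileged user on copies, not on /etc/sudoers.

# Print the timestamp_timeout value a sudoers file sets; if no Defaults line sets
# it, fall back to 15, the default cited in the post. The last setting wins.
sudoers_timeout_minutes() {
    file="$1"
    val=$(sed 's/#.*//' "$file" \
          | grep -E '^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=' \
          | sed -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*([-0-9.]+).*/\1/' \
          | tail -n 1)
    if [ -z "$val" ]; then
        echo 15
    else
        echo "$val"
    fi
}

# Classify the window:
#   hardened      - timestamp_timeout=0: every sudo asks for the password, so a
#                   process in the user's shell gets no free reuse window
#   never-expires - negative value: the cached credential lasts until reboot
#   window        - positive value: reusable for that many minutes after a prompt
sudoers_timeout_verdict() {
    t=$(sudoers_timeout_minutes "$1")
    case "$t" in
        0|0.0) echo "hardened" ;;
        -*)    echo "never-expires" ;;
        *)     echo "window" ;;
    esac
}

# Demo on two constructed sudoers fragments: the stock default and a hardened one.
demo=$(mktemp)
printf 'Defaults env_reset\n%%admin ALL=(ALL) ALL\n' > "$demo"
echo "default-style sudoers: $(sudoers_timeout_minutes "$demo") min -> $(sudoers_timeout_verdict "$demo")"
printf 'Defaults env_reset,timestamp_timeout=0 # always prompt\n' > "$demo"
echo "hardened sudoers:      $(sudoers_timeout_minutes "$demo") min -> $(sudoers_timeout_verdict "$demo")"
rm -f "$demo"
```

A user who does not want to wait for the window to expire can drop the cached credential immediately with `sudo -K`.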

Re:What are you talking about? (1)

makomk (752139) | more than 7 years ago | (#16436429)

Problem is, the program I dropped and appended to your su command will appear in the process list as the parent process of your shell. Blatantly obvious next time you do a ps.

Not necessarily. Simply fork() and then exec() the shell in the *parent* process. That way, the shell will have the same PID and parent as if it was launched directly. (The malicious process will then initially be a child of the new shell, but forking again and then calling _exit() from the parent process of that fork will soon fix that.)

Re:Get Ubuntu (1)

Venik (915777) | more than 7 years ago | (#16433953)

It is a well known fact that the biggest security flaw in Unix is the sysadmin. Years of typing su - root make you feel invincible :-)

Signatures do not guarantee security. (0)

Anonymous Coward | more than 7 years ago | (#16433057)

Signatures in no way guarantee security. They may help indicate that the package on a server is the one that was originally uploaded, but even then they're of minimal use.

It's easy enough for a mirror to replace a legitimate package with a trojaned package. And if they offer a valid signature for that trojaned package, you likely won't even know it has been compromised. You'd have to compare the signature from the mirror with that of the main distribution point.

Likewise, it's more than possible for a malicious contributor to include such an exploit within a patch also containing legitimate fixes or feature additions. Unless there is careful screening of all patches, which isn't the case all of the time, it may become part of a release. Of course, a contributor with write access to a project's code repository could also have his system hijacked, and have it used to submit such code. Again, the package signature will be valid, but the malicious code will still be there.

Signatures are pretty much useless in the first place. So while it would be nice for Ubuntu to have all of their packages signed, it really wouldn't offer much benefit even if they did.

Re:Signatures do not guarantee security. (1)

Eythian (552130) | more than 7 years ago | (#16433527)

It's easy enough for a mirror to replace a legitimate package with a trojaned package. And if they offer a valid signature for that trojaned package, you likely won't even know it has been compromised. You'd have to compare the signature from the mirror with that of the main distribution point.

I think you misunderstand how the signatures work. If a mirror replaced a legit package with a trojaned one, they would either have to have it unsigned, or have it signed with a key that isn't one of the ubuntu release keys. In either case, the package manager would spout warnings about it, and it would get found out pretty quickly. Apt tools, in effect, do check the signature against those from the main distribution point. Or, more accurately, against the keys they know about. This means that the mirror couldn't replace the package and have no one the wiser.

Re:Get Ubuntu (1)

Rick17JJ (744063) | more than 7 years ago | (#16433775)

In Linux, email attachments aren't nearly as much of a problem. My understanding is that, with most Linux email programs, clicking an email attachment does not result in something running without asking the user first. Furthermore, the .exe attachments and active-X stuff won't run even if the user does give permission. I recently received a message with a .exe attachment and had no idea how to make Windows-only stuff like that run or open. If something did somehow run, the program most likely would not be running with full root (administrative) privileges.

Ordinary free downloaded software usually comes from projects at reputable well known organizations such as Source Forge [sourceforge.net] or the Free Software Foundation [fsf.org]. The programs can be downloaded in source code form and compiled, and the source code is available for public inspection. I am no expert on any of this, but the source code later gets compiled and packages for particular versions of Linux such as Ubuntu (or whatever) are created and placed on repositories waiting to be downloaded by ordinary users. A Ubuntu user would then run Synaptic and select which of the thousands of free programs he wants to have installed. Most Linux users do not just download and install software from just anywhere. The Ubuntu user can choose which types of repositories to use. I am not sure about package signatures and other details. I have occasionally wondered if perhaps a trojan from somewhere like that might still be possible but I haven't heard of it happening.

Even if email attachments in Linux aren't much of a problem, targeted trojans with keystroke-loggers or screen-scraping software and such might still be something to think about. Obviously, no operating system has perfect security.

Re:Get Ubuntu (1)

QuantumG (50515) | more than 7 years ago | (#16433947)

The whole point of a trojan is that the user wants to run it. If they want to run it, it doesn't matter how hard it is to run. Even if they have to download and install wine before they can run an exe attachment, they'll do it. Now you might say that is a stupid argument, because no-one is going to write a trojan exe expecting that it might be run on linux under wine and do something useful (to them) in that situation.. but remember that we're supposed to be talking about "targeted trojan attacks" here.. in which case you're more likely to send someone a tar.gz with a linux binary in it asking for help with some problem which that person is capable of solving and likely to provide you help with. A sensible person would run that binary as nobody but because of exactly the attitude that you stressed in your comment:

    If something did somehow run the program most likely would not be running with full root (administrative) privileges.

They're likely to run the binary as their regular user account. This, of course, is stupid because, although root is nice to have, it's most likely not the target of the trojan. Those confidential files in your home directory are.

Re:Get Ubuntu (1)

Rick17JJ (744063) | more than 7 years ago | (#16434329)

One of the articles said the typical attachment is "a Microsoft Office file that exploits a yet-to-be-patched vulnerability." A Linux user who receives a Microsoft Word file would open it with something like Open Office Writer, AbiWord, KOffice or TextMaker. In rare cases he or she might use some version of Microsoft Word that is running under the CodeWeavers' CrossOver Office [codeweavers.com] version of Wine. I wonder how the use of an alternative office application running under the alternative operating system would affect the chances of success? My guess is that the chances of a successful exploit would be much lower.

In a targeted attack there is always the possibility that the user could be convinced to do something stupid that would work. But even so, it would be significantly more difficult than with Windows, not that most businesses are going to switch to Linux or Mac OS X on the desktop anytime soon anyway.

Re:Get Ubuntu (1)

matts-reign (824586) | more than 7 years ago | (#16432923)

Writing a trojan is just as easy in linux. I myself wrote one (Really, a remote access script) in perl. It took the greater part of 5 minutes, and it's done in perl. I could easily stick it into any of many perl scripts that you get from the ubuntu repositories automatically. If I was targeting you specifically, I could break into your net connection upstream and mess with some DNS requests, or one of many other methods.

Re:Get Ubuntu (3, Funny)

gbobeck (926553) | more than 7 years ago | (#16432957)

Ubuntu, the ancient African for "couldn't install debian, but didn't want those damn trojans"


And I always thought ubuntu was the ancient African word for "Wanted Linux, but refuse to RTFM in order to install Gentoo."

Headline & summary avoid the culprit: WINDOWS (2)

toby (759) | more than 7 years ago | (#16432787)

When will you start mentioning WINDOWS where appropriate? This problem is created and perpetuated by junk from MS.

The lax windows and win32 app security model... (0)

Anonymous Coward | more than 7 years ago | (#16433211)

The "junk" would have to be the garbage they call an operating system with a craptacular wannabe security model. The OS is so crippled at the 'normal user' level that most applications fail to install correctly. When's the last time someone really cared that a local administrator exploit was released in windows? We all know that windows is the swiss cheese of operating systems, and it doesn't help that most infected people have no clue how exactly they got infected this time. Are application developers largely concerned their application could weaken an end users' system? I think it's less so than a unix/unix like application developer... We've seen improvement, but it's really just a band-aid when you think of the underlying issues.

1. All executables are always executable in windows. Unix requires a permission to be applied to it before it's allowed to execute.
2. Each new release of Windows need only be a "little" more secure to live up to the billboard sham you see on every install since 98 (maybe earlier) - "Most secure windows ever". I'll believe it when Linux, BSD or MacOS have me lose sleep over the same issues...

Let's take a look at sendmail. It used to be swiss cheese, but nowadays the frequency of remote or local exploits is rare. (at least the kind that give you access you don't deserve)

I could ramble on and on, but I'll just shut up! I don't have all day to chew the same old fat on the same dogly stupid issue of our time!!!

Re:The lax windows and win32 app security model... (3, Insightful)

QuantumG (50515) | more than 7 years ago | (#16433273)

None of this is relevant to trojans. A trojan is, by definition, something the user wants to run. The fact that most linux users don't run untrusted programs in a "jail" is much the same as the fact that most windows users don't do that either. It's sad, but it's a user education problem, and we're typically not good at solving those. Ubuntu users are encouraged to use "sudo" instead of "su" to run programs as root. sudo allows a permitted user to execute a command as the superuser or another user, but how many people actually use sudo to execute a command as anyone but root? "sudo -u nobody ./random-email-attachment" - who does that? No-one.

Re:The lax windows and win32 app security model... (2, Insightful)

Jah-Wren Ryel (80510) | more than 7 years ago | (#16434015)

but how many people actually use sudo to execute a command as anyone but root? "sudo -u nobody ./random-email-attachment" - who does that? No-one.

Because it isn't easy.

If this were an itch I was prepared to scratch, I would look into creating a static image of a virtual-machine that could be used just for running questionable stuff. Then I would look at putting hooks into programs like thunderbird that would make it automagically invoke the VM for attachments.

Beyond the integration into regularly used applications, the main problems to overcome mainly deal with when to allow the VM to do i/o to files outside of the VM (i.e. legitimate stuff) versus when to keep all activity completely "locked up" in the VM (i.e. unexpected/undesirable behavior). Since the image is static, maybe all I/O would just be within the VM and then when the VM exits, have something compare the final state of the VM with the static image, and any changes in approved areas could be copied out, while all other changes are thrown out the window once it reverts back to the original static image.

Re:The lax windows and win32 app security model... (1)

QuantumG (50515) | more than 7 years ago | (#16434123)

All in all, I like to sum it up as such: neither the security model of unix, nor the *cough* security model of Windows were designed for an under-educated user running untrusted applications. These security models are all about multiple users and the educated discretionary granting of permissions between those users. The Windows security model goes a little further than the unix security model in that it has things to say about sharing those permissions over networks, and there are Mandatory Access Control security models that go beyond both of them and say things about permissions that are not at the discretion of the users, but there is no good security model, that I'm aware of, for isolating and controlling the behaviour of the programs which users run in these security models. There have been attempts of course. "Application firewalls".. "capabilities".. but there's no multimillion dollar research going into this like there was put into those other security models. Why? Because all that research was done by the military.. and the military really doesn't have any need for a security model that makes it safe to run arbitrary programs because, unlike us consumers, they just don't do that.

Re:The lax windows and win32 app security model... (1)

Tim C (15259) | more than 7 years ago | (#16434923)

the OS is so crippled at the 'normal user' level that most applications fail to install correctly.

Unlike with Linux, where all applications fail to install as normal users? Oh sure, you can (usually) compile from source and install to ~/bin, but then you can get Windows apps (such as Eclipse) that you just unzip and drop into whatever folder you choose.

I am not aware of any system-wide installation service (eg rpm, deb, msi, etc) that doesn't require admin privs.

Are application developers largely concerned their application could weaken an end users' system? I think it's less so then a unix/unix like application developer...

Developers in general are clueless about security. Just a few days ago there was an article here about how many web apps are vulnerable to SQL injection attacks. To me, that is utterly unforgivable, and yet they are. There are far more developers writing software for Windows, so you are bound to have far more insecure apps.

All executables are always executable in windows. Unix requires a permission to be applied to it before its allowed to execute.

Technically under Windows you have to have execute permission for the file in question. However, this is automatically granted to the creator/owner of the file, so it's something of a moot issue. Also, given that executable permission for a file on Linux is just a 'chmod +x $filename' away, I don't really see your point. It's a speed bump, nothing more; I've received email viruses that are in password protected zip files - you have to open the zip file, enter the password, then run the enclosed app, and yet they still spread. Do you really think having to perform the extra step of chmoding a file is going to stop the sort of person that will do that?

Re:Headline & summary avoid the culprit: WINDO (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#16434273)

Linux doesn't by itself save you from cross-platform vectors. Flash on Linux has had exploitable problems. PDF viewers for Linux have had buffer overflows and (2003) "If a victim clicks on a malicious hyperlink, an attacker could execute arbitrary shell commands with the victim's privileges." [ciac.org] Linux makes it harder to run executable machine code by mistake but that covers only part of the perimeter.

I don't like to see people hurt by using Windows, and also don't like to see people hurt by overconfidence.

Re:Headline & summary avoid the culprit: WINDO (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16436265)

Although Windows indeed has a crappy security track record, there is absolutely no reason to believe Linux and a lot of the software that people run on it is any better. The reason: you can't compare the security of one system with that of another, because you cannot rule out bias in the test. At best, you can make an educated guess.

And, last I checked, GNU/Linux distros didn't very much protect against social engineering and trojans.

The new face of corporate crime (3, Insightful)

skrew (111096) | more than 7 years ago | (#16432797)

This is a disturbing trend; in the anonymous information age, trust is the only way to guarantee security. Prediction: anticipate a lot more 'Orwellian' security implementations, retina, fingerprint etc. to ensure traceable DNA identification of infiltrators from within organization who spread virii or covert trojan operations. This is why Open Source is the future; in a closed source project/organization, only those who have the knowledge can perceive a compromise, but with Open Source software the world community of geeks can verify that code is secure. Similarly, a more open trust based corporate model might better deter trojan aggressors.

Not all that surprising (4, Insightful)

Jarjarthejedi (996957) | more than 7 years ago | (#16432833)

Is it surprising at all that Social Engineering is the best way to get a virus in? I'm actually surprised this is even an article, of course the main problem companies are going to have is their employees clicking things they shouldn't...

Re:Not all that surprising (2, Informative)

rabidcitizen (1013429) | more than 7 years ago | (#16433595)

It seems to me that what the article points out is that we are moving beyond the phone call impersonation to get a password (Mitnick style) to more sophisticated exploitations of trust relationships and social engineering attacks. We are looking at attacks that can get by many power users - am I going to take the time to question requests and attachments from any of the 20,000+ identities I have in my client database and address book whose requests I must handle same business day and who I must assume are to be trusted? Probably not. Will my IT staff have the resources and the time to properly configure countermeasures? I sure hope so...

The cost of researching a victim seems high ... (3, Interesting)

lazzaro (29860) | more than 7 years ago | (#16433027)

As a business proposition, the cost of researching a victim seems high in lots of ways -- it's not work for a dummy, it takes time, and the hits have to pay for all of the misses. At the very least, it has to use "mass customization" to succeed -- software that customizes a con to a victim in non-trivial ways. But yet if they go that route, it becomes easier to fight it with conventional spam and phishing tools, because software can spot the "mass" part.

Wait for it... (5, Interesting)

chill (34294) | more than 7 years ago | (#16433085)

I'm waiting for Vista to be released, with the uber-secure WGA. Some nice, innocuous little virus will be written that doesn't steal files, doesn't open a backdoor, and doesn't delete anything. This virus will screw up your WGA hash, and one fine spring day a few million PCs will report that they are pirated copies and start locking people out of their own software.

That sound you will hear is a thousand Microsoft tech-support reps all crying out at once.

Re:Wait for it... (1)

MrNaz (730548) | more than 7 years ago | (#16433697)

You mean like "A million WGA clients suddenly cry out in terror and were suddenly http 503'd." ?

Recent Trojans - Very good social Engineering (5, Interesting)

Anonymous Coward | more than 7 years ago | (#16433693)

I work in the IT Security group for a Top 10 financial institution here in the US. Most of the social engineering attacks we see are quite clumsy, make me roll my eyes when I see them, and groan when I hear of people actually falling for them. However, a new wave bit not only us, but at least 5 other Top 10 institutions in our field.

The social engineering portion was an emailed message, aimed at several high-level executives and other senior technical staff by name. Messages were sent to us in perfectly grammatical non-stilted English. The plain text message was "personalized" (no skill there, but it did add to the overall credibility.) The messages came in with a reasonable subject line: "Request for Interview re: Recent Security Incidents".

The actual email stated something to the effect that the sender was a journalist looking for comment on a newly published article in a trade magazine alleging a security breach at our institution. The "sender" invited the recipient to contact him (by telephone) to comment on the story for a follow-up. He ended the message by including the URL (but not a clickable link) to the original article making the allegations.

Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hijacked, so the browser was quickly re-directed to another site, which exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened. The other giveaway was that in addition to the key logger, something else got loaded with more obvious side-effects.

Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I had to admit it would have fooled me if I had been the first to receive the message. (Probably would not have been infected due to my use of low privileges, but I would have followed the URL). It passed the sniff test: Standard American English, a reference (and URL) to a trade magazine specific to my industry and field (Banking & IT), it included a phone number (of course a fake), and was in the exact tone you would expect from a legit journalist --- nothing loud or sensational, just a message that an allegation has been raised, would you care to respond.

My lesson: a little more empathy for the non-professionals who get bitten by other social engineering attacks. Yes, they SHOULD know better, but if I (in all modesty) could be fooled, what chance does my unsophisticated, trusting Granny have?

Re:Recent Trojans - Very good social Engineering (2, Insightful)

bconway (63464) | more than 7 years ago | (#16433951)

Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hijacked, so the browser was quickly re-directed to another site, which exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened.

Wow, those are some decent execs. Ours would just try the URL 3 or 4 more times and then move on, forgetting about it.

blame the end users .. (1)

rs232 (849320) | more than 7 years ago | (#16434905)

"A number of users .. cut and pasted the URL .. the browser was quickly re-directed .. and infected the user's PC with a key logger"

Why don't you advise the high-level executives to use a browser that doesn't install malware just by typing in a URL. The same goes for your Granny.


Re:Recent Trojans - Very good social Engineering (1)

Sloppy (14984) | more than 7 years ago | (#16436627)

Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I had to admit it would have fooled me if I had been the first to receive the message.

It would fool me too, I guess, until I got to the part where the compromised site told me to type "su" followed by my root password, and then told me to install a key-logger after that.

In your situation, the user's error wasn't just that they got SEed. Their main problem is that they were running a web browser that has a long, long, incredibly long history, of repeated redundantly repeated ad-nauseously repetitively long monotonously repetitive history of being incredibly dangerous for non-rocket-scientists to use. How the hell does viewing a page cause external code to execute with full privileges?

People, we have known about the hideously alien values held by MSIE's designers, ever since ActiveX was introduced in -- what, 1995? That's eleven fucking years. How is it possible for someone to work in a "top 10 financial institution" in a capacity other than janitor, to not have heard in the last eleven years that MSIE should never, ever, ever be used for anything other than an SSL connection (with frequent paranoid checking of the cert to make sure you really connected to who you think you connected to) to an Intranet application server? The very fact that MSIE was still installed and capable of loading a page from the Internet with a few clicks, is a hint that perhaps someone should be fired over this.

SE ain't your problem here. Living in denial of a well known threat is the problem.

yuo FAil It (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#16433969)

it's g@oing, [goat.cx]

LULZ (3, Informative)

Jessta (666101) | more than 7 years ago | (#16433993)

LULZ
oh, indeed. The main reason your anti-virus software is pointless.
If a piece of malicious software is well known enough for your anti-virus company to know about it, then a patch for the issue will be out very soon. Anti-virus software will only protect you from script kiddies and not someone that actually would have a good reason to steal your data, i.e. your competition.

They did it to Valve (3, Interesting)

inviolet (797804) | more than 7 years ago | (#16434347)

It was a targeted Trojan that got into Valve and stole the source-code to Half-Life 2, right off the project lead's workstation. IIRC, it arrived via a bug in Outlook's message-preview facility.

Re:They did it to Valve (1)

derago (582951) | more than 7 years ago | (#16434869)

Actually ... never mind ;)

Learning trojan detectors (1)

S3D (745318) | more than 7 years ago | (#16434397)

There were anti-viruses in the past which weren't relying on the virus signature only, but were trying to detect new, unknown viruses too. Dr. Web was one, but it seems they dropped this feature later (or at least aren't advertising it any more). Probably it was not cost-effective then. Seems the time has come to revive this approach again. Of course it's not easy; it requires very sophisticated statistical learning, Bayesian networks [wikipedia.org] or neural networks [wikipedia.org], maybe even genetic algorithms [wikipedia.org], and a very good understanding of the underlying OS, but it may have become cost-effective again.

virus companies talk up scare .. (1)

rs232 (849320) | more than 7 years ago | (#16434885)

Virus companies talk up scare, again. Why don't business users use a computer that doesn't get 'viruses'?

step 1. stop running as admin (1)

dioscaido (541037) | more than 7 years ago | (#16435673)

If you do, these email or IM bombs will not be able to root the system, or open firewall ports. At most the user's folder is busted, and once deleted and restored the machine is clean.

Lots of corps do this even with Win2k/XP.

Tailored SPAM (1)

LinuxLuver (775817) | more than 7 years ago | (#16442101)

In recent weeks I've seen a growing amount of spam with subjects that appear to be constructed with my interests in mind. At first I dismissed them, but there are now so many I am beginning to wonder if the spammers haven't been monitoring my e-mail or browsing history to help them construct subjects they know I'm more likely to notice / read.

One simple rule - no executable attachments (1)

yuna49 (905461) | more than 7 years ago | (#16444263)

I'm really puzzled why anyone continues to accept mail with executable attachments of any kind.

When I first started fighting viruses and spam for my clients, the very first thing we did was block executable files at the mail server. This was in 1997 and required nothing more than a simple /etc/procmailrc file that scanned the message body for executable attachments.

Nowadays, of course, we have much more full-featured software like MailScanner to handle this. This isn't really rocket science, folks. 99+% of people in most organizations have no reason to receive an executable file; if they don't get them, they can't run them.

The new vector seems to be email with clickable links that redirect to an executable. One solution is obviously to install a browser like Firefox that won't run a downloaded file by default, but that still enables lusers to download the file to the desktop then run it. Our current solution for this problem is blocking executables with Squid. Push all web requests through the proxy transparently and block access to URLs ending in .exe, etc.

I really don't understand why policies like these aren't SOP at all organizations, especially organizations large and wealthy enough to have executives worth targeting with malware.
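The server-side rule yuna49 describes, as an added example that is not part of the post or of MailScanner/procmail: a MIME attachment filter written in Python that refuses a message carrying an executable attachment. It goes one step beyond an extension-only rule by also checking the first bytes of each attachment, so an executable renamed to .pdf is still caught. The sample message, addresses and filenames are constructed for the demonstration; the filter only addresses executable attachments, not exploits inside office documents.

```python
"""Flag executable attachments in a MIME message, by declared filename
extension and by the file's leading bytes (so renamed executables are caught).
Added example; the sample message below is constructed, not real mail."""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions a server-side "no executables" rule refuses outright.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi", ".dll",
}

# Leading bytes of common native executable formats:
# PE/DOS stub ("MZ"), ELF, and 32/64-bit Mach-O (both byte orders).
EXECUTABLE_MAGIC = (
    b"MZ",
    b"\x7fELF",
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
)


def is_executable_part(part) -> Tuple[bool, str]:
    """Return (flagged, reason) for a single non-multipart MIME part."""
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return True, f"extension {ext}"
    # Decode the transfer encoding (base64 etc.) to look at the real bytes.
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(EXECUTABLE_MAGIC):
        return True, "executable magic bytes"
    return False, ""


def scan_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and list attachments that look executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        has_name = part.get_filename() is not None
        is_attached = part.get_content_disposition() in ("attachment", "inline")
        if not (has_name or is_attached):
            continue  # ordinary message body, not an attachment
        flagged, reason = is_executable_part(part)
        if flagged:
            findings.append(f"{part.get_filename() or '<unnamed>'}: {reason}")
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one harmless text attachment, one executable
    renamed to look like a PDF, and one plainly named executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "executive@example.invalid"
    msg["Subject"] = "Q3 figures"
    msg.set_content("See attached.")
    msg.add_attachment("quarterly numbers\n", filename="notes.txt")
    # Fake PE header: "MZ" stub followed by padding (not a real program).
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="figures.pdf")
    msg.add_attachment(b"\x00" * 8, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("REJECT:", finding)
```

Run against the constructed message it reports `figures.pdf` (by magic bytes) and `setup.exe` (by extension) and lets `notes.txt` through. The web-side counterpart yuna49 mentions would be a Squid `url_regex` ACL denying URLs that end in `.exe` and similar extensions; that check can only see the URL, which is why the magic-byte test on the actual bytes is the more robust of the two.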

Re:One simple rule - no executable attachments (0)

Anonymous Coward | more than 7 years ago | (#16448719)

If you had read TFA you would have noticed them saying executables aren't a problem, it's zero day exploits in office documents that are killing them here.