
When Malware Attacks Malware

kdawson posted more than 7 years ago | from the internecine dept.

Security 135

PetManimal writes "Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware. Symantec sounded the alarm, and says that the exploit launches in AOL, Google Talk, and Yahoo Messenger windows that are already open, making it appear to be a legitimate message from a known user. The worm has modified the code from last year's Nuwar worm, and when activated, enables a DDoS attack against any site, including antispam services and servers supporting rival malware: 'Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.'"


135 comments


that's... (3, Funny)

User 956 (568564) | more than 7 years ago | (#18001000)

When Malware Attacks Malware

You get total protonic reversal.

Re:that's... (1)

Rob T Firefly (844560) | more than 7 years ago | (#18001052)

That's bad, right?

Re:that's... (3, Funny)

geeksdave (799038) | more than 7 years ago | (#18001100)

OK important safety tip.. thanks Egon..

Re:that's... (1)

Timesprout (579035) | more than 7 years ago | (#18001138)

It is if the Bussard Collector and Main Deflector Dish are down for repairs or if you can't find some exotic substance to reverse its polarity.

If they'd just fix each other... (5, Funny)

queenb**ch (446380) | more than 7 years ago | (#18001624)

Will someone please write a worm that 1) turns Windows Update on, 2) turns the Windows Firewall on, 3) turns off the keyboard & mouse ports for Windows 3.1, 95, 98, and ME machines thus forcing the retarded end users running on these platforms to upgrade, 4) installs ClamWIN and scans the hard drive, 5) installs SpyBot Search & Destroy and scans the hard drive, and 6) administers an electric shock to the aforementioned retarded end user for not taking care of this themselves?

If your dog was running around the neighborhood barking at people and biting them, they'd make you do something about the dog. I don't see why your computer gets to do the same thing on the internet with such impunity.

2 cents,

QueenB.

Re:If they'd just fix each other... (1)

operagost (62405) | more than 7 years ago | (#18002610)

Most of these worms don't work on those old versions of Windows. It's the 2000 and XP machines that are vulnerable. Also, installing software requires that one download it first, and that's a cure that's worse than the disease (see Welchia).

I like the idea of turning on Windows Update, though.

Re:If they'd just fix each other... (1)

TheNinjaroach (878876) | more than 7 years ago | (#18002750)

When Windows XP / 2000 had that buffer overflow two summers ago we found a "virus" that did almost what you're proposing. It downloaded the patch, forced a reboot and had the install waiting for next startup. It was a clever idea I had, but then we found somebody else had beaten me to the punch.

Re:If they'd just fix each other... (4, Informative)

Tony Hoyle (11698) | more than 7 years ago | (#18003294)

I wouldn't use Spybot - it's getting kinda out of date now, and doesn't detect some of the worst ones. I've *never* seen Windows Defender successfully detect a spyware infestation - it's 100% useless.

I recently had to fix a machine that was declared 100% clean by Spybot, Hijackthis, Windows Defender, etc. - and still kept throwing up random porn popups*. Turns out it was a virtumundo variant... the checker (forget the name) recommended by the hijackthis people could see it, but wanted money to remove it - eventually found an app that does it by doing some clever stuff and forces a bluescreen to stop it reinstalling itself (which it does in realtime.. you *can't* delete it manually). That's now in my machine fixing arsenal for the next time I see it.

Makes me wonder how many of the bleating 'my machine is clean therefore it must be Blizzard being hacked' posts on the WoW forums have variants of similar crapware on there.. and they've fallen into the trap of believing the scanners despite the overwhelming evidence to the contrary.

* And that was a machine without IE on it and fully patched.. the thing apparently got on in a trojanned version of Acrobat Reader.

Re:If they'd just fix each other... (0)

Anonymous Coward | more than 7 years ago | (#18004106)

>>which it does in realtime.. you *can't* delete it manually

Use a LiveCD.

Re:If they'd just fix each other... (1)

cheater512 (783349) | more than 7 years ago | (#18004034)

Whats stopping the Zero day flaws?

You know there will always be at least one unpatched zero day flaw active at any time.

Re:If they'd just fix each other... (1)

smorken (990019) | more than 7 years ago | (#18004094)

If your dog was running around the neighborhood barking at people and biting them, they'd make you do something about the dog. I don't see why your computer gets to do the same thing on the internet with such impunity.
This isn't a perfect analogy though. It isn't the average Joe's fault that their computer is messed up; it's Microsoft's for writing crappy software and the worm writer's for being malicious. If your dog was running around through the neighborhood barking and biting, in an analogous situation, it would be because one of your undesirable neighbours has captured your dog, and, in the worm writer's case, tortured it or given it rabies or something, and in the Microsoft/crappy software case, because your dog is retarded.

Re:If they'd just fix each other... (5, Informative)

kabocox (199019) | more than 7 years ago | (#18004504)

I've found some things that you asked for, but not all. I don't know how to string them all together. ClamWin and SpyBot both say that they'll run from a boot CD. I didn't find any easy to follow admin install instructions for them. Mainly everything else is some reg files. I didn't find anything on keyboard or mouse ports of earlier versions of Windows. I also didn't find anything about how to shock users. In the spirit of open sourceness, I expect someone else to actually do the real work of building a self installing zip file of ClamWin & Spybot, setting your fav. reg. settings, and having all of them autorun after a shutdown -r. I know that "it should be possible." I don't know enough Windows scripting in order to do it.

net stop wuauserv

Start -> Run -> gpedit.msc -> Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Re-prompt for restart with scheduled installations. They hid it well but it's there :^)

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"RebootRelaunchTimeoutEnabled"=dword:00000000
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDevMgrUpdate value to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall

Set these to "not configured"
* Windows Firewall: Protect all network connections
* Windows Firewall: Do not allow exceptions
* Windows Firewall: Define program exceptions
* Windows Firewall: Allow local program exceptions
* Windows Firewall: Allow remote administration exception
* Windows Firewall: Allow file and printer sharing exception
* Windows Firewall: Allow ICMP exceptions
* Windows Firewall: Allow Remote Desktop exception
* Windows Firewall: Allow UPnP framework exception
* Windows Firewall: Prohibit notifications
* Windows Firewall: Allow logging
* Windows Firewall: Prohibit unicast response to multicast or broadcast requests
* Windows Firewall: Define port exceptions
* Windows Firewall: Allow local port exceptions

http://sourceforge.net/docman/display_doc.php?docid=28367&group_id=105508 [sourceforge.net]

Preparation

Start by installing the latest version of ClamWin, and download the latest virus definitions. See the ClamWin manual for full details on how to do this. Note that, if you are going to create a CD, you will not be able to update the virus definitions without creating a new CD, since a CD is read-only.
Copy Folders

Create a working folder in a convenient location to hold the files that are to be copied onto CD/USB, eg C:\ClamWin-CD.
In the working folder, create a folder named ClamWin.
Copy the contents of the ClamWin program folder into C:\ClamWin-CD\ClamWin. By default, the ClamWin program folder is installed to C:\Program Files\ClamWin
Create folders named log, db and quarantine in C:\ClamWin-CD\ClamWin
Copy the ClamWin database files (main.cvd & daily.cvd) into C:\ClamWin-CD\ClamWin\db. In Windows 2000/XP, the ClamWin database folder defaults to C:\Documents and Settings\USERNAME\.clamwin\db, where USERNAME is your login name (if it was installed for a single user) or C:\Documents and Settings\All Users\.clamwin\db (if it was installed for all users).
Copy this config file to C:\ClamWin-CD\ClamWin\bin\clamwin.conf

You should now have the following folders:

C:\ClamWin-CD
C:\ClamWin-CD\ClamWin\bin
C:\ClamWin-CD\ClamWin\db
C:\ClamWin-CD\ClamWin\lib
C:\ClamWin-CD\ClamWin\quarantine

Copy Files to CD/USB

Now you just need to copy the contents of C:\ClamWin-CD to a CD or USB key. Do not copy the C:\ClamWin-CD folder itself, only the contents. Exactly how this is done will depend on whether a CD or USB key is to be used, and what software is to be used.
Using the CD/USB

To use it, insert the CD/USB into the PC to be scanned. Run ClamWin by double-clicking on the ClamWin.exe file in the ClamWin\bin folder.

ClamWin should operate normally, but if run from CD or a read-only USB drive, it will have the following restrictions:

        * Files will not be quarantined
        * Internet updates will not work
        * Preferences cannot be changed

These restrictions will not apply if it is run from a USB drive with read-write permissions.

http://database.clamav.net/daily.cvd [clamav.net]

http://www.safer-networking.org/en/download/index.html [safer-networking.org]
http://www.safer-networking.org/en/faq/43.html [safer-networking.org]

I have two installations on my hard disk. Can I scan both at the same time? [link]

Yes, if you have Windows 2000, XP or 2003, Spybot-S&D does allow you to scan inactive Windows versions as well, including the registry of other installations!

To scan your system including installations on other partitions, right-click the link/icon you use to start Spybot-S&D, and add /allhives to the command line (separated by a space from the rest). If you now start Spybot-S&D through this link, it will automatically detect other installations, and scan their registries and files as well.
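The ClamWin CD/USB instructions above point out that definitions burned to a CD cannot be updated, so a scan from such a disc is only as good as the main.cvd and daily.cvd that were copied onto it. The following added example (my code, not ClamWin's or ClamAV's) reads the fixed 512-byte header at the start of a .cvd file and reports its version, signature count and build time, flagging the database as stale past a chosen age. The header layout (magic "ClamAV-VDB:" followed by colon-separated fields) follows ClamAV's libclamav/cvd.c; the sample header bytes, builder name, MD5 and signature values are constructed for the example. It deliberately does not verify the database's digital signature, which ClamAV itself checks when it loads the file.

```python
"""Report version and age of ClamAV .cvd databases (e.g. the main.cvd and
daily.cvd copied onto a read-only ClamWin CD).  Added example; not ClamWin
or ClamAV code.  Header layout as in ClamAV's libclamav/cvd.c."""
import datetime as dt
from typing import NamedTuple, Optional

CVD_HEADER_LEN = 512            # fixed-size ASCII header at the start of a .cvd
CVD_MAGIC = b"ClamAV-VDB:"

# Constructed sample header.  Fields are colon-separated in this order:
#   magic : build time (text) : version : signature count : functionality
#   level : MD5 of the archive : digital signature : builder : build time (unix)
# The MD5, dsig and builder values below are placeholders, not real ones.
SAMPLE_DAILY_CVD = (
    b"ClamAV-VDB:14 Feb 2007 10-32 -0500:2618:49721:9:"
    b"0123456789abcdef0123456789abcdef:PLACEHOLDER_DSIG:sigbuilder:1171467120"
).ljust(CVD_HEADER_LEN, b" ") + b"(compressed signature archive would follow here)"


class CvdHeader(NamedTuple):
    build_time_text: str
    version: int
    signatures: int
    functionality_level: int
    md5: str
    dsig: str
    builder: str
    build_timestamp: int        # seconds since the epoch, UTC


def parse_cvd_header(data: bytes) -> CvdHeader:
    """Parse the first 512 bytes of a .cvd; raise ValueError if it is not one."""
    if len(data) < CVD_HEADER_LEN:
        raise ValueError("file is shorter than a CVD header")
    head = data[:CVD_HEADER_LEN]
    if not head.startswith(CVD_MAGIC):
        raise ValueError("not a ClamAV CVD file (bad magic)")
    fields = head.rstrip(b" \x00").decode("ascii").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 header fields, got {len(fields)}")
    _, built, ver, sigs, flevel, md5, dsig, builder, stime = fields
    return CvdHeader(built, int(ver), int(sigs), int(flevel), md5, dsig, builder, int(stime))


def database_age_days(header: CvdHeader, now: dt.datetime) -> float:
    built = dt.datetime.fromtimestamp(header.build_timestamp, tz=dt.timezone.utc)
    return (now - built).total_seconds() / 86400.0


def check_database(data: bytes, now: Optional[dt.datetime] = None,
                   max_age_days: float = 7.0) -> dict:
    """Summarise a database and flag it stale if older than max_age_days.
    Only freshness is judged here; the signature over the archive is
    verified by ClamAV itself when the database is loaded, not by this code."""
    now = now or dt.datetime.now(tz=dt.timezone.utc)
    header = parse_cvd_header(data)
    age = database_age_days(header, now)
    return {"version": header.version, "signatures": header.signatures,
            "built": header.build_time_text, "age_days": round(age, 1),
            "stale": age > max_age_days}


def check_file(path: str, max_age_days: float = 7.0) -> dict:
    """Read only the header of an on-disk .cvd (the archive itself can be large)."""
    with open(path, "rb") as f:
        return check_database(f.read(CVD_HEADER_LEN), max_age_days=max_age_days)


if __name__ == "__main__":
    # Runs against the constructed sample.  For a real disc, call
    # check_file(r"D:\ClamWin\db\daily.cvd") and the same for main.cvd.
    print(check_database(SAMPLE_DAILY_CVD))
```

Run it against both db files on the disc before trusting a scan from it; a daily.cvd more than a week old is a reasonable cue to burn a fresh disc or use a writable USB key instead.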

Re:If they'd just fix each other... (1)

turing_m (1030530) | more than 7 years ago | (#18004766)

OR downloads something like PCLinuxOS, reformats the hard drive and installs itself at 4:00am when no one is around to stop it. And then downloads and opens Wesnoth, ready to play. So that before they realize that the Office package isn't like MS, at least a certain percentage of the population will be hooked on one of the best OSS games out there.

When Malware Attacks Malware (1)

Joe The Dragon (967727) | more than 7 years ago | (#18002720)

NEXT ON NON STOP FOX!

Stronger malware (5, Insightful)

eviloverlordx (99809) | more than 7 years ago | (#18001070)

It just means that, in a few years, all of the malware will be significantly harder to kill. All of the weaker 'species' will have been driven to extinction (via changes in coding). It had to happen eventually. We may even see 'anti-viral resistant' strains.

Re:Stronger malware (2, Informative)

frosty_tsm (933163) | more than 7 years ago | (#18001122)

We may even see 'anti-viral resistant' strains.
Uh, don't we already see this?

Easy to kill (1)

nurb432 (527695) | more than 7 years ago | (#18001174)

Nah, it's all easy to kill if you use a ROM based OS.

Just reboot.

Re:Easy to kill (3, Insightful)

maxwell demon (590494) | more than 7 years ago | (#18001702)

Given that today's ROMs are typically flash, how long until some malware just reflashes it? This would also allow the malware to take control even before the OS boots up.

Re:Easy to kill (1)

nurb432 (527695) | more than 7 years ago | (#18002236)

If the flash requires a hardware jumper to reset, then no worries.. If it's software controlled, then ya, you are screwed.

I think you could set a flash IDE drive to read only, and use it for your boot/OS. Sure it could trash your data, but at least the system is ok after the reboot. If not, I think there is a market for this.

Re:Easy to kill (1)

Hoi Polloi (522990) | more than 7 years ago | (#18003636)

Boot off of a CD then.

Re:Easy to kill (1)

tepples (727027) | more than 7 years ago | (#18003872)

Boot off of a CD then.
Unless the malware installs itself into your CD-ROM drive's firmware.

Re:Easy to kill (1)

nurb432 (527695) | more than 7 years ago | (#18004536)

Sure.. aaanndd ssllooww ddoowwn yyoouurr wwoorrk..

Running from a CDROM boot is slow as mud..

Re:Stronger malware (5, Funny)

morgan_greywolf (835522) | more than 7 years ago | (#18001402)

No way. Malware is made by an Intelligent Creator. It is what it is. Intelligent Malware Design is just as good a theory as Malware Evolution.

Re:Stronger malware (0, Offtopic)

Bryansix (761547) | more than 7 years ago | (#18002052)

I know you were trying to be funny but seriously ID and Evolution theories can co-exist. The only thing adherents to ID have a problem with is the idea that life (or code in this case) was spontaneously created by natural processes. This in fact has nothing to do with the theory of Evolution. I for one take as fact that bacteria mutate and are weeded out by natural selection and that malware code is mutated in much the same fashion although not so randomly.

Re:Stronger malware (0)

Anonymous Coward | more than 7 years ago | (#18003154)

Sure, if you parse ID strictly, that is a possible scenario. That amounts to "religion and evolution theory can coexist", which is obviously true (we have grand numbers of Christians in the US who also accept the findings of evolutionary theory). The fact is, the ID "theory" was invented and proposed specifically to "disprove" evolutionary theory. The tenets proposed are not just an intelligent designer, but that an intelligent designer (or many intelligent designers) made living things more or less as they are (variation within "kinds" but no real speciation).

This is much the same as the way we use evolutionary theory to speak about biological evolution, completely apart from stellar evolution. Because evolution is a word, it means "change". But it's almost like a brand name or trademark of biological evolution. In the same way, Intelligent Design entails certain baggage which is contradictory to biological evolutionary theory.

Re:Stronger malware (0)

Anonymous Coward | more than 7 years ago | (#18003594)

Religious fundies can't tolerate evolution to any degree because in their mind admitting the Bible (or whatever the text in question is) isn't 100% literal would cast doubt on all of the rest. They might even have to consider the possibility that the entire world wasn't flooded or that Mary wasn't a virgin.

Re:Stronger malware (0, Offtopic)

Bryansix (761547) | more than 7 years ago | (#18003814)

Nowhere in the Bible does it say that evolution does not occur. It does imply that Macro-Evolution or evolution from one species to another did not occur. But still it only loosely implies this.

Re:Stronger malware (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18002104)

huh, i suppose you're right! this malware's been created by storm trojan/peacomm.. intelligent creators indeed!

good point, even if it wasn't your intention.

Re:Stronger malware (1)

GigG (887839) | more than 7 years ago | (#18002594)

Without a doubt one of these will turn into Skynet one day.

IM programs and malware .. (-1, Troll)

rs232 (849320) | more than 7 years ago | (#18001072)

Why don't they make an IM program that doesn't get malware. No need to guess on what platform this 'IM malware' spreads.

Wait...What? (0, Redundant)

Anonymous Coward | more than 7 years ago | (#18001076)

No MSN Messenger vulnerability. MS is safe. /DNRTFA

A New Variation of Life... (5, Funny)

creimer (824291) | more than 7 years ago | (#18001096)

So is there going to be a screen saver that will show the good and bad malware attacking each other as the computer keeps waving a white flag?

Re:A New Variation of Life... (1)

BunnyClaws (753889) | more than 7 years ago | (#18001284)

Yes, the rival malware attacks are Germany and the Soviet Union and the Windows PC is Poland. Mac would be England and Linux is the United States. If this was a World War II scenario.

Re:A New Variation of Life... (3, Funny)

$RANDOMLUSER (804576) | more than 7 years ago | (#18001366)

Yes, the rival malware attacks are Germany and the Soviet Union and the Windows PC is Poland. Mac would be England and Linux is the United States. If this was a World War II scenario.
You were a math major, right?

Re:A New Variation of Life... (1)

Tony Hoyle (11698) | more than 7 years ago | (#18003362)

World War II scenario.. hmm..

So in this scenario Linux arrives late to the party then spends the next 50 years gloating about how they bailed everyone out?

Re:A New Variation of Life... (1)

onepoint (301486) | more than 7 years ago | (#18002354)

OK then what is France ?

Re:A New Variation of Life... (1)

rossz (67331) | more than 7 years ago | (#18002564)

OK then what is France ?

Commodore 64. It has a small fanatical following, but in this modern world, is completely irrelevant.

Re:A New Variation of Life... (1)

creimer (824291) | more than 7 years ago | (#18003248)

I think the Commodore VIC-20 would be more appropriate for France. It's small memory made it difficult to work with.

Re:A New Variation of Life... (1)

Hoi Polloi (522990) | more than 7 years ago | (#18003768)

And the Low Countries are routers. Everyone just marches through them on the way to somewhere else.

Re:A New Variation of Life... (1)

rossz (67331) | more than 7 years ago | (#18003846)

As a student of history, I find your comment f*ing hilarious.

Re:A New Variation of Life... (1)

operagost (62405) | more than 7 years ago | (#18002698)

They're the floppy drive. Useless. Or the Turbo button.

Process accounting (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18001330)

Someone probably could but then they'd need to identify the myriad unknown processes running in the Windows background (and the ps list on Linux isn't becoming much easier to keep track of, either). With the complexity of modern operating systems, and the prevalence of vendor loaded junkware, it's probably a task of cataclysmic proportions to try and figure out what's legit, what's not, and what was legit (from the vendor) but has since become exploited. Vendor junkware probably isn't the highest quality code when it comes to security. A worm or trojan making use of a simple buffer overflow in IE can probably make use of exploits in third party background processes more easily than it can make use of (somewhat) more closely guarded holes in the Windows OS.

I've often marvelled that so few security experts expand on the very real probability that common malware is not the end result but rather the vector. Every piece of rogue code running on the machine creates just as many new holes as the one it made use of. Many rootkits, for example, don't have much in the way of security to ensure that only the original installer has access to the newly enabled access method.

Re:A New Variation of Life... (1)

Garrett Fox (970174) | more than 7 years ago | (#18005024)

Actually, isn't it about time for an updated version of the old game "Core Wars?" That one had assembly-language programs battling each other in a sandboxed memory space. Why not a more complex simulation that runs offline, on one PC, simulating a vulnerable network and the programs attacking it?

Old News (4, Funny)

140Mandak262Jamuna (970587) | more than 7 years ago | (#18001098)

The well known malware Internet Explorer has been attacking another well known malware WinXP for quite some time. So why get worked up about these obscure ones?

this is not new (1)

Groghunter (932096) | more than 7 years ago | (#18001324)

http://blanu.net/curious_yellow.html [blanu.net] This has been predicted for while now. I think I first read about Curious Yellow (above) 4 years ago. Still relevant today.

If I encountered Curious Yellow (0)

Anonymous Coward | more than 7 years ago | (#18002772)

I would alter my kernel to make sure it does not run. Say, something like, change the mechanism that issues a syscall, or perhaps the signature of executable files. Oh, and move the compiler to another place on disk.

HA (0)

Anonymous Coward | more than 7 years ago | (#18001346)

-ha?

This reminds me of that one worm (or whatever it's called) that spread around and tried fixing computers that were infected by another one. Too bad the damn thing clogged networks in the process.

OS? (1)

phrostie (121428) | more than 7 years ago | (#18001354)

so what OSs does this apply to?

Re:OS? (1)

nurb432 (527695) | more than 7 years ago | (#18001486)

Today or tomorrow?

Any OS is vulnerable to an extent, since 90% of the problems are caused by the users allowing things to be installed. No OS can guard against that.

Re:OS? (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18001626)

Any OS is vulnerable to an extent, since 90% of the problems are caused by the users allowing things to be installed. No OS can guard against that.

This is not true. Most problems are caused by people running software combined with the fallacious assumption by OS developers that software people run is trustworthy because the user is running it. An OS certainly can be created that accounts for running untrusted software and software with differing levels of trust and access. In fact, the bitfrost security outline for the OLPC project accounts for just such software. More commonly, SELinux setups account for software the user does not completely trust, albeit not in a user friendly way. If MS's was motivated to provide customers with a more secure and easy to use OS, they could have implemented mandatory access controls, a program format that incorporates ACLs, a framework for determining trust, and a well made GUI and stopped almost all malware on the platform. Instead they looked at the money anti-virus solutions are making cleaning up after them and thought, "gee, I'll bet we could put together a half-assed one of those and bundle it and make money." Don't judge what "OS's" can and can't do based upon Windows.

Re:OS? (1)

maxwell demon (590494) | more than 7 years ago | (#18001768)

Any OS is vulnerable to an extent, since 90% of the problems are caused by the users allowing things to be installed. No OS can guard against that.

That's wrong. The only problem is that an OS which doesn't allow you to install any software would probably be a big failure ...

Re:OS? (1)

nurb432 (527695) | more than 7 years ago | (#18002290)

Ok, well you got me on that, but I agree, if you can't install *anything* it would pretty much be an embedded device relegated to controlling your toaster for eternity.

Re:OS? (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18002512)

The real problem is security models that assume very few levels of security. Either you install it and it can hose your machine and kill babies, or you don't run it and don't know if it was malware or not. That's just crazy. Back in the day MS Word used to pop up a dialogue box and say something along the lines of "this .doc file contains macros that may be viruses (ok)(cancel)." I knew a manager who offered $1000 to anyone who could add a button that said "open the file but don't let it infect my computer with anything." The problem, aside from the terrible UI, was the control was not granular enough. Sometimes people want to run software or open a file, but don't want to trust it with their computer security for all time. Software should run in a sandbox by default. The inconvenience of having to explicitly allow my new e-mail program to send e-mail, once, is worth it if I know no other software I download will ever send any e-mail or access my address book until I explicitly permit it. Some executable that shows up in my e-mail or over IM should never, ever, be granted that permission by default. Until MS gets their head out of their butt and realizes that, we'll suffer from this crap.

Re:OS? (1)

skoaldipper (752281) | more than 7 years ago | (#18002386)

Among the multiple second-stage components downloaded to Windows PCs compromised by Peacomm [..]

Like you I had the same question, and apparently only Windows. In part, that's why I only use Windows with stock components (with the exception of Office) for business. For everything else, Linux. Knock knock knock on wood.

Reaction (1)

Anne Thwacks (531696) | more than 7 years ago | (#18001372)

And the Dept of Homeland security is doing what? exactly!

Re:Reaction (1)

$RANDOMLUSER (804576) | more than 7 years ago | (#18001548)

They've raised the alert level to "mauve".

Re:Reaction (0)

Anonymous Coward | more than 7 years ago | (#18002476)

Wake me when it goes to "plaid". Then i might care.

... doing what? (4, Funny)

Savage-Rabbit (308260) | more than 7 years ago | (#18001598)

And the Dept of Homeland security is doing what? exactly!
Trying to figure out who to bomb?

Re:Reaction (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18002864)

And the Dept of Homeland security is doing what? exactly!

Probably re-imaging their insecure Windows boxes to try to clean up their own systems. How many directors of computer security have quit now after saying the job was impossible given the absurd Windows only architecture they implemented there?

It begins (4, Interesting)

inviolet (797804) | more than 7 years ago | (#18001466)

Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware.

Thus begins the ecology of internet software. CPU cycles are simply too valuable (en masse) for one piece of malware to share with others.

Eventually, look for malware to get better and better at rooting out rival malware in order to take its place. As well, look for malware to be more cautious about consuming host resources, lest it get noticed by a user or antivirus package.

It's no different than Earthly biology. We think nothing of the colossal number of parasitic microorganisms currently hitching a ride on our metabolism. Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?). Symbiosis carries major advantages along the lines of "division of labor". How many years before real symbiosis is realized among internet-connected computers?

It would also evolve the antivirus landscape. The "OMG sterilize all machines!!!1!" mantra would change into a more relaxed problem: calculate the most efficient amount of CPU cycles to allocate among the competing tasks of:

  • detect malware through behavior analysis (the current cutting edge)
  • detect malware through recognition scanning (the tried and true way)
  • tolerate malware as long as it doesn't eat up too much CPU

That's how our bodies do it, anyway.

Re:It begins (1)

Dr. Eggman (932300) | more than 7 years ago | (#18001786)

Not yet, first we need the self replicating code to modify itself. The CPU is a harsh mistress, though, so it would have to be very small mutations, possibly to the point of making it irrelevant in the long run. Right now, it's just tic-tac-toe with overwriting Xs and Os.

Re:It begins (2, Informative)

Anonymous Coward | more than 7 years ago | (#18001836)

Ummmm... well right idea, wrong microorganisms!

Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?).


The stuff in yogurt is Lactobacillus acidophilus [wikipedia.org] .

The stuff you DON'T want in your (upper) GI is Escherichia coli [wikipedia.org] .

Re:It begins (0, Offtopic)

mcrewson (28350) | more than 7 years ago | (#18002206)

There can be only one! [wikipedia.org]

Re:It begins (1)

Ravear (923203) | more than 7 years ago | (#18002350)

[..]
That's how our bodies do it, anyway.
Yeah but with the body you don't get the option of backing up documents & re-imaging. I don't dick around anymore when I get some malware. It just isn't worth the time/effort.

Re:It begins (1)

StarvingSE (875139) | more than 7 years ago | (#18002932)

Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?).

Where do you buy yogurt, the public restroom???

Re:It begins (1)

Beardo the Bearded (321478) | more than 7 years ago | (#18003172)

That's not yogurt.

In Soviet Russia (2, Funny)

Trivial_Zeros (1058508) | more than 7 years ago | (#18001608)

In Soviet Russia, malware attacks... malware?

Ultimate Vulnerability! (1)

canipeal (1063334) | more than 7 years ago | (#18001742)

Regardless of the operating system or the applications which run upon it, the ultimate weakness at the end of the day lies upon the end user. You can only secure a system to a certain point until the user begins losing functionality, until the end user becomes more educated...well expect to see evolution in Malware.

Re:Ultimate Vulnerability! (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18002314)

Regardless of the operating system or the applications which run upon it, the ultimate weakness at the end of the day lies upon the end user. You can only secure a system to a certain point until the user begins losing functionality, until the end user becomes more educated...well expect to see evolution in Malware.

Your comment is factually correct, but also very misleading. Users are the hardest element to harden in the chain of security, but right now they are by no means the weakest link. The OS development community and security research community could easily eliminate 90% of all malware and reduce the amount of education needed for a user to safely use a computer to a tiny fraction of what they need to know now, if Windows would be modified in order to be secure and deal with the realities of the malware ecosystem.

Right now, even in vista, the granularity of security is piss poor. You have three levels: 1) don't run software, 2) run software, and 3) run software and enter your password. This is wholly insufficient. Further, the UI used to present these levels is abysmal. I don't mean bad I mean abysmal. Whether MS hires the worst UI people in the world or whether they hire good people and their decisions are overridden by marketing and management, the end result is horrible from a UI/security perspective.

If I were running the show at MS and had a shred of human decency and respect for innovation in the industry, this is what I would create. First, applications both included and third party now have a new format that is contained within a single directory including temp space for writing files and what is now a DLL. It would optionally include an ACL, one or more certificates for verification of the origin and binary, and a location for updates. Based upon the certificate, users would be given the option to subscribe to verification services that provide a trust level for a given application, and MS would provide the same. The trust level for an application would be determined by the consensus of verifications applied and the weight given them by the user, and by whether it is pre-installed, downloaded, or loaded from CD or DVD. Based upon that trust level, the application would be restricted by a mandatory access control framework to obey the ACL that shipped with the program combined with the ACL for that trust level (with the default being to restrict the application more stringently). If any application wanted to exceed that ACL, the user would be presented with a very strongly worded warning, explaining exactly what it wanted and presented via a good UI with no OK/Cancel crap.

This means if a user downloads some program via IM or the Web and if they run it the OS will look at the included ACL and cert and see what permission it wants and who will certify it as trustworthy, if anyone. Then, if it tries to exceed its authority, the OS will present a warning such as, "The program 'Storm' is not verified as trustworthy and would like to connect to the internet on a port normally used for sending instant messages. (Stop it from sending messages)(let it send messages once)(always let it send messages)(advanced options)."

If the user lets it send IM messages it can spread, but do nothing else. They also have to explicitly let it connect on other ports and access other resources if it is to be useful to a spammer or DoS user. Since almost all software on most machines is pre-installed and since most other software will be verified by at least one other party, these messages will be exceptionally rare and thus stand out as important and weird to users. Even if the attacker uses a buffer overflow to take over a thread, their malware will still be limited by the ACL for that originating application, so if they want to send spam they better find a buffer overflow in your e-mail client specifically.

When such a system is implemented the required user education will be at a manageable level, an hour-long class instead of a master's degree in computer technology. Then, if a user still installs malware and lets it have permission to do anything it wants despite the warnings and opportunities to stop it, you can go ahead and blame users as the weak link. Until then, however, you're barking up the wrong tree. Windows is terrible at safely performing tasks users want to do every day. Other OSes are better in some ways and implement parts of this, but it is not widespread because no other OS has a serious malware problem yet.
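The trust-level and ACL scheme sketched in this post, reduced to a small policy model. This is an added illustration, not the poster's code or any real OS component; the verifier weights, origin scores, trust tiers and capability names are all made-up values, and the effective ACL is taken as the intersection of the shipped ACL and the tier ACL (the "restrict more stringently" default).

```python
"""Toy model of a trust-tiered mandatory access control check.

Added example; every constant below is a constructed assumption.
"""
from dataclasses import dataclass, field

# Hypothetical verification services, weighted by the user. A verdict of
# True vouches for the binary, False flags it, None means "no opinion".
VERIFIER_WEIGHTS = {"vendor": 1.0, "community_list": 0.5, "av_feed": 0.8}

# How the binary arrived: pre-installed counts for more than a download.
ORIGIN_SCORE = {"preinstalled": 1.0, "optical": 0.5, "downloaded": 0.0}

# Mandatory ACL per trust tier: what the OS grants without asking.
# Lower tiers are strict subsets of higher ones.
TIER_ACL = {
    "trusted": {"net:any", "net:http", "fs:home", "fs:temp", "im:send"},
    "known":   {"net:http", "fs:temp", "im:send"},
    "unknown": {"fs:temp"},
}


@dataclass
class AppBundle:
    name: str
    origin: str                  # key in ORIGIN_SCORE
    shipped_acl: set             # capabilities the app's own manifest requests
    verdicts: dict = field(default_factory=dict)  # verifier -> True/False/None


def trust_tier(app: AppBundle) -> str:
    """Weighted consensus of verifier verdicts plus origin, mapped to a tier."""
    score = ORIGIN_SCORE[app.origin]
    for verifier, verdict in app.verdicts.items():
        if verdict is None:
            continue
        score += VERIFIER_WEIGHTS.get(verifier, 0.0) * (1 if verdict else -1)
    if score >= 1.0:
        return "trusted"
    if score >= 0.5:
        return "known"
    return "unknown"


def effective_acl(app: AppBundle) -> set:
    """Shipped ACL intersected with the tier ACL: the more restrictive wins."""
    return app.shipped_acl & TIER_ACL[trust_tier(app)]


def check_access(app: AppBundle, capability: str) -> str:
    """'allow' if inside the effective ACL, otherwise 'prompt' the user."""
    return "allow" if capability in effective_acl(app) else "prompt"


# Constructed scenario from the post: an unverified download asking to send
# IMs and open arbitrary network connections, beside a vendor-signed,
# pre-installed IM client.
storm = AppBundle("Storm", "downloaded", {"im:send", "net:any", "fs:temp"})
im_client = AppBundle("messenger", "preinstalled",
                      {"im:send", "net:http", "fs:home"}, {"vendor": True})
flagged = AppBundle("flagged", "downloaded", {"fs:temp"}, {"av_feed": False})
```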

Re:Ultimate Vulnerability! (1)

operagost (62405) | more than 7 years ago | (#18004118)

This means if a user downloads some program via IM or the Web and if they run it the OS will look at the included ACL and cert and see what permission it wants and who will certify it as trustworthy, if anyone. Then, if it tries to exceed its authority, the OS will present a warning such as, "The program 'Storm' is not verified as trustworthy and would like to connect to the internet on a port normally used for sending instant messages. (Stop it from sending messages)(let it send messages once)(always let it send messages)(advanced options)."

Gee, that sounds like every client-based firewall on the market (including XP's). The only wrinkle is the application signing, which is ALSO already being done but with a crappy UI as you mentioned.

Little known facts (2, Funny)

UnknowingFool (672806) | more than 7 years ago | (#18001850)

Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.

What isn't generally reported is that Peacomm uses "Your momma's so fat" insults in the DDOS attacks. By far the most devastating and hilarious DDOS this year.

why can't the governments of the world... (1)

JustNiz (692889) | more than 7 years ago | (#18001952)

just make spamvertising illegal?

They could simply prosecute the companies that are advertising their products via spam, after all they must have either directly been the originators of the spam, or at least know who they are funding to do the dirty work.

The businesses that exist solely to send spam would disappear overnight if their client base disappeared.

I'm sure any government could easily determine who is ultimately behind spam, simply by buying some advertised product and then either tracking the credit card transaction or working out what the supply chain is from drug batch numbers on the product, etc.

Re:why can't the governments of the world... (1)

cosmocain (1060326) | more than 7 years ago | (#18002098)

yeah, they could.

but somehow - I guess, murder is illegal in most of the countries of the world, but wait - somewhere somehow people still get murdered. hell, why?

lemme guess - some folks don't give a f* what's illegal? there HAS to be a reason.

Re:why can't the governments of the world... (1)

dreamlax (981973) | more than 7 years ago | (#18002808)

The difference is that people who murder people and get caught go to jail. The people who spamvertise aren't even chased in the first place.

Re:why can't the governments of the world... (0)

Anonymous Coward | more than 7 years ago | (#18002348)

I can imagine that world, and I can imagine sending spams in my competitors' names to shut them down.

Re:why can't the governments of the world... (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18002394)

They could simply prosecute the companies that are advertising their products via spam, after all they must have either directly been the originators of the spam, or at least know who they are funding to do the dirty work.

Great, then I can send spamvertisements for my competitor and they will be arrested. I can send spamvertisements for the company run by the jerk who is dating my ex-gf and he'll go to jail and she'll come to me for comfort. That's a great plan.

I'm sure any government could easily determine who is ultimately behind spam, simply by buying some advertised product and then either tracking the credit card transaction or working out what the supply chain is from drug batch numbers on the product, etc.

Really, how would they do this? Suppose I send spamvertisements for my competitor and a guy who sees one orders a product. His credit card pays my competitor who knew nothing of the spam and my competitor goes to jail for doing nothing. That sounds fair aside from the whole innocent until proven guilty thing.

Re:why can't the governments of the world... (0)

Anonymous Coward | more than 7 years ago | (#18002712)

Do we really want the government stepping in and monitoring each and every one of our machines so they can track the spammers back to their source? I don't want the government in my computer any more than the spammers. Do you? Not to mention there isn't a government on the planet that's competent to actually make it work.

No. What we -really- need is a way to de-incentivize the spammers and malware authors. They're in it for the money. The gains still far outweigh the risks. The solution is to tip the balance the other way, to increase the risk so it FAR outweighs the reward.

Own a botnet built of infected machines? Fine. Time for some good old-fashioned vigilantism. Time to take the sonofabiatch out back and fucking KILL him. No fine. No jail time. Just a 9mm to the back of the head and post video of "Spammer getting what he deserves" on YouTube.

Two or three spammers DIE for being spammers, and we'll see the rate of malware production drop like a rock.

Re:why can't the governments of the world... (1)

JPribe (946570) | more than 7 years ago | (#18003106)

Two or three spammers DIE for being spammers, and we'll see the rate of malware production drop like a rock.

Right, because drugs kill and everyone runs from those (ecstasy is a great example). Driving is one of the most dangerous things you can do... but you still drive everywhere. Being in the mob is dangerous, or a bookie, drug dealer, human trafficker; the list goes on. All an order of magnitude more dangerous than simple spamming... with a hell of a lot more 9mm shots to the head. All still wildly popular.

Yeah, that'll work.

It's more than that (3, Interesting)

httptech (5553) | more than 7 years ago | (#18002150)

I'm the author of the technical writeup detailing the attack on the rival spam group. But the only reason I was investigating the DDoS attacks launched by the Storm Worm/Peacomm/Nuwar is due to my own site being attacked [joestewart.org] after I detailed the pump-and-dump stock spam operation of the Rustock trojan. It is getting riskier to publish research on viruses and spam. I believe since spammers were able to take out Blue Security by DDoS attack, they are getting bolder in who they target. There's no downside for them.

DDoS (1)

Gary W. Longsine (124661) | more than 7 years ago | (#18002938)

Was it actually confirmed that spammers were able to DDoS Blue Security out of existence? Last I recall the evidence for that was weak.

Re:It's more than that (1)

Bearhouse (1034238) | more than 7 years ago | (#18004412)

Hey, give us their URL, we'll /. the bastards...

Nothing new here (0)

Anonymous Coward | more than 7 years ago | (#18002184)

This has been around for years. It's called Norton Antivirus

Code warriors (1)

Applekid (993327) | more than 7 years ago | (#18002246)

I have visions of Tron-esque gladiators fighting for the right to make the mainframe belong to the penis enlargement spam zombie network or the penny stock spam zombie network.

Also, it might be neat pitting malware against each other in a Code War [wikipedia.org] type of visible environment.

This is old news, at least 2002 or earlier (1)

Afecks (899057) | more than 7 years ago | (#18002288)

The aplore [symantec.com] worm used the same trick in 2002, except it set up a web server on each computer and sent a URL pointing to it in IM windows. I'm sure there are earlier examples but that is the first one off the top of my head.

Popular spinoff (2, Funny)

physicsboy500 (645835) | more than 7 years ago | (#18002316)

I vote they make a spinoff of Robot Wars

I can see it now...

Malware wars... watch rival malware rip each other apart!

"Oh my god, Malwarior just executed an amazing kill maneuver!"

"It looks like Spymaster is only hanging on by a thread!"

"Oh... and he's done for. Spymaster is terminated... add him to the hexdump!"

It Seems to me... (1)

Eric Damron (553630) | more than 7 years ago | (#18002508)

that a large percentage of malware is designed to turn the user's PC into a mail spamming bot. I, for the life of me, do not understand how this could be effective if ISPs took even moderate precautions.

1. Don't allow your users to send port 25 traffic to any address but your own mail server.
2. Don't allow any one user to send massive quantities of email. Most users won't need to send thousands of emails in a single day.
3. Use blackhole lists to prevent SPAM from networks that don't follow the above rules.

It seems like the above three rules would put up a big roadblock for spammers. Am I missing something?
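The three ISP-side rules in this post, applied to a handful of constructed flow records so the allow/block/throttle decisions can be seen together. This is an added example and not the poster's or any ISP's tooling; the MTA address, the daily cap, the blocklisted network and the log lines are all made-up values, and it also shows submission traffic on port 587 passing rule 1, which the post does not discuss.

```python
"""Evaluate the three ISP anti-spam rules against constructed flow records.

Added example; all addresses, caps and log lines are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

ISP_MTA = ipaddress.ip_address("203.0.113.25")     # made-up ISP mail server
DAILY_SEND_CAP = 500                                # made-up per-user cap
DNSBL = [ipaddress.ip_network("198.51.100.0/24")]   # made-up listed network

# Constructed outbound flow log: user, src, dst, dport, messages sent today.
FLOW_LOG = """\
alice 10.0.0.5  203.0.113.25 25  12
bob   10.0.0.7  192.0.2.10   25  1
carol 10.0.0.9  203.0.113.25 25  800
dave  10.0.0.11 203.0.113.25 587 5
"""


def parse_flows(text):
    """Yield (user, src, dst, dport, count) tuples from the flow log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, src, dst, dport, count = line.split()
        yield (user, ipaddress.ip_address(src), ipaddress.ip_address(dst),
               int(dport), int(count))


def egress_verdict(dst, dport):
    """Rule 1: port 25 is allowed only towards the ISP's own MTA."""
    if dport == 25 and dst != ISP_MTA:
        return "block"
    return "allow"


def rate_verdicts(flows):
    """Rule 2: per-user daily totals of mail relayed through the MTA."""
    totals = defaultdict(int)
    for user, _src, dst, dport, count in flows:
        if dport == 25 and egress_verdict(dst, dport) == "allow":
            totals[user] += count
    return {u: ("throttle" if n > DAILY_SEND_CAP else "ok")
            for u, n in totals.items()}


def inbound_verdict(src_ip):
    """Rule 3: reject inbound SMTP from networks on the blocklist."""
    src = ipaddress.ip_address(src_ip)
    return "reject" if any(src in net for net in DNSBL) else "accept"


def audit(text):
    """Apply rules 1 and 2 to a flow log; returns {user: finding}."""
    flows = list(parse_flows(text))
    findings = {}
    for user, _src, dst, dport, _count in flows:
        if egress_verdict(dst, dport) == "block":
            findings[user] = "rule1:direct-smtp-blocked"
    for user, verdict in rate_verdicts(flows).items():
        if verdict == "throttle":
            findings[user] = "rule2:over-daily-cap"
    return findings
```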

Re:It Seems to me... (0, Troll)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18002790)

1. Don't allow your users to send port 25 traffic to any address but your own mail server.

Repeat after me... the internet is not the web, the internet is not the web. I'd kind of rather ISPs did not arbitrarily block ports because one OS is so unbelievably insecure that it does not even inform users before it starts spamming e-mail to the world, when that is a common occurrence on that platform.

Here's a counter-suggestion. How about if MS gets off their butts and makes their OS reasonably secure so that it isn't easier to hijack a Windows box and use it to send spam than it is to configure a proper e-mail server on that same OS. The assumption that all software run on a Windows machine should be trusted and allowed to do basically whatever it wants should have died long ago. Let's not treat symptoms by shutting down all the commonly used ports and protocols malware uses to perform malicious attacks, since that only makes it get around them by doing things like hijacking users' e-mail accounts to send the spam. Instead, why don't we pressure MS to solve the bloody problem. In fact, I know exactly how to motivate them. It is called "the capitalist free market." Break MS into two companies forbidden from collusion and both with all the rights to the Windows code and patents to date. In three years both will have a new version on the market and both will be reasonably secure because they will be motivated directly by greed to give customers what they want, including security. But I guess enforcing our existing laws against criminals is harder than passing a new law to castrate internet access for responsible users, huh?

Re:It Seems to me... (1)

rossz (67331) | more than 7 years ago | (#18003800)

My ISP (http://www.sonic.net) puts limits on ports by default, but you can easily change this via a web interface. Most users will never need to change the default (and secure) settings. Some, myself included, are technically competent enough to know what they're doing and will open up the ports. Simple and effective.

Re:It Seems to me... (1)

Hoi Polloi (522990) | more than 7 years ago | (#18003854)

How about opening up liability laws to make software manufacturers as responsible as any other manufacturer? Build a car with a known, or should have reasonably known, flaw and get sued hard. Build an OS with security holes everywhere and get sued hard. It is time to stop coddling them.

Re:It Seems to me... (1)

Eric Damron (553630) | more than 7 years ago | (#18004942)

Well, the only problem to your suggestion is that waiting on Microsoft to secure its OS is about as productive as pissing into the wind. Other than that I totally agree.

Re:It Seems to me... (1)

wizkid (13692) | more than 7 years ago | (#18003018)

Some people do run SECURE mail servers from their ISP account. So this isn't a good solution. MS fixing their software, and users learning how to set up and maintain their system, is the first step. A computer is NOT a toaster, and requires maintenance.

Requiring SPF would be a major step in reducing the spam. But you need to get usage of SPF past the critical mass point. Spam is increasing exponentially, and sooner or later the infrastructure supporting it is going to collapse. When email becomes useless, then it will get fixed.... maybe.

Re:It Seems to me... (1)

wizkid (13692) | more than 7 years ago | (#18003072)

And I forgot, you also need to beat people that buy stuff from spam senseless with a CLUE STICK, until they stop supporting spammers. I think this may be starting to happen, due to the fact that phishing/spoofing attacks are on the rise.

Re:It Seems to me... (1)

Eric Damron (553630) | more than 7 years ago | (#18004980)

Well, it would mean that a few people would not be able to run their own mail servers. But really, I don't think that there is any way to get everyone to secure their PCs. So, I believe that my suggestion is the only practical alternative to uncontrolled spam.

Re:It Seems to me... (1)

crabpeople (720852) | more than 7 years ago | (#18003084)

"1. Don't allow your users to send port 25 traffic to any address but your own mail server."

Yeah, maybe I'd use my ISP's mail server if they didn't tag all my mail, forward me shittonnes of spam and have a round-trip time measured in hours.

Maybe I should pay $300 for a brake pad change too, eh? Instead of doing it myself properly. I obviously should leave it up to the 17 year old "professional" trainee down at Speedy.

hasn't... (4, Funny)

Anonymous Coward | more than 7 years ago | (#18002632)

Hasn't Norton A/V been doing exactly this for years? Malware, fighting malware? :)

Two wrongs make a right? / Swordfish (2, Insightful)

Zantetsuken (935350) | more than 7 years ago | (#18002810)

I'm not really sure, and depending on how vicious this is, but sometimes maybe 2 wrongs do make a right... For those of you who haven't seen the movie "Swordfish" they pretty much use terrorism to dissuade other terrorist actions. Perhaps this type of virus/worm/etc could be a good thing for us, that for most virus/worm/spam creators it will become such a pain in the ass to wreak their havoc, it won't be worth it for them (would you keep intentionally making/distributing virus/etc if it meant you got DDoS'ed so hard your server melts every month, costing you money on hardware?)

But then again, perhaps 2 wrongs don't make a right...

Re:Two wrongs make a right? / Swordfish (0)

Anonymous Coward | more than 7 years ago | (#18003994)

An eye for an eye until everyone is blind.

Or... (1)

cadeon (977561) | more than 7 years ago | (#18003478)

Or we could just use a Unix security model, and when something wants to sudo, force it to ask the console user for a password. Microsoft steals ideas all the time. Why can't they steal the Unix model, and be done with it?

Re:Or... (1)

Tim C (15259) | more than 7 years ago | (#18004690)

Or we could just use a Unix security model, and when something wants to sudo, force it to ask the console user for a password.

That only happens if you're not running as root. On Windows, if you're not logged in as a member of the Administrators group, either you'll be prompted for some credentials (rare) or it'll fail with an error (much more common).

Don't blame MS because people run as admin; blame third party software developers for assuming people do, and for requiring admin access even when they don't need it.

When worms collide (0)

Anonymous Coward | more than 7 years ago | (#18004902)

<Powerman5000>
...this is what it's like when worms collide...
...this is what it's like when worms collide...
...this is what it's like when wORMS COLLIDE!! AUUUUAAAGGGH!!!
</Powerman5000>
