Domain: avertlabs.com
Stories and comments across the archive that link to avertlabs.com.
Comments · 13
-
Re:After the fact rationalization
It was spam because it was nonsensical garbage that people did not want to receive, and it was automatically propagated through the mail client of the machines that it infected to their address books'.
Also, if memory serves, this was written in Visual Basic. Not Visual Basic.NET. This basically is just a glorified script that people were stupid enough to download.
This is one example of the email that got everyone:
Hello:
This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdfPlease check it and reply as soon as possible.
Cheers,
While I cannot fault a user for assuming that it is indeed a PDF file (or WMV file, or JPG file as the other emails suggest), when in fact it was a SCR file, I can fault them for clicking on it. "Jim never told me about a document, hmm and it has random caps in there, poor English and ends with 'cheers,' which they [almost] never say [unless they're British]." Some of the others are porn emails.
-
Re:headless botnets
I hope you are right, but you piqued my interest just enough that I googled it. It looks like this technique is also used to spread some fake AV software that further infects the machine. http://www.mac-net.com/1553480.page http://www.mac-net.com/1554482.page http://www.avertlabs.com/research/blog/index.php/2008/06/18/scary-screensavers-take-two/
-
Nothing new?
Looks alot like this:
http://www.avertlabs.com/research/blog/index.php/2007/03/12/windows-vista-vulnerable-to-stickykeys-backdoor/
Only thing new is using Linux to rename the file. -
Pages, not sites
The title (which appears to be the only part the submitter actually "authored") is incorrect and conflicts with the text it quotes. An estimated 200,000 pages (most likely individual posts in phpBB forums) are out there, not sites.
According to this video, the pages are being inserted via SQL injection attacks. The 200k pages is based on a google search (he does not reveal what criteria he is searching for) which came back with 150k hits. So it is not clear how many actual sites are compromised. One could assume that once a phpBB site is compromised, every page of every thread, which is analogous to individual web pages, would redirect to the worm download site. A popular forum could easily have several thousand thread-pages. In fact, every single page would probably be redirecting, which would include each user's summary page (which would be in the thousands for even a small site). So a small number of cites could be accounting for all the 200k pages.
Also, in the video it is clear from the url that it is a phpBB2 site that is compromised. phpBB is currently at a major version of 3. -
Re:It's called a hosts file
This was the information that should have been included in the article. A link to the McAfee Avert Labs Blog:
http://www.avertlabs.com/research/blog/index.php/2008/03/12/another-mass-attack-underway/ -
Re:Steps to get infected
I should not answer this because you've posted as an "anonymous coward." It's my policy to not respond to ACs.
However, I do know of one Aussie chemistry student that was infected because, he says, he was following the article on McAfee's website that provides a link to the malware.
In that McAfee is providing a link, it seems to reinforce my notion that the companies that provide software to fix these problems may be involved in the creation of malware.
-
It is a hoax
http://www.avertlabs.com/research/blog/index.php/2007/10/11/two-dead-spammers/
And the other spammer in 2005 wasn't killed for spamming. -
Move along....story is FAKE...
according to this it seems that the story is fake
-
FAKE NEWS?
How sad.
-
Re:Fake Story?
McAfee thinks so too http://www.avertlabs.com/research/blog/index.php/2007/10/11/two-dead-spammers/
-
Re:Reap the whirlwind, MS
"But simply "runas
/user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd. exe->iexplore.exe. A better way is to use the method described in Joannas blog http://theinvisiblethings.blogspot.com/2007/02/run ning-vista-every-day.html, see section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding beeing a child process.
This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"" - by Anonymous Coward on Tuesday May 29, @02:46PM (#19312139)
Very, VERY nice!
(I state that, mainly because I am an Opera user (and, a Joanna R. fan too))! /. mods - mod his reply UP!
(His/her technique is probably superior to the one I posted, based on his explanation I quoted above, because it makes 100% sense)
However - Either way, EITHER way: Both SHOULD do the job for folks worried about this stuff & help protect them more!
APK
P.S.=> Now, onto .rtf files being hijacked (man, what's next) -> Rich Text Malware
http://www.avertlabs.com/research/blog/index.php/2 007/05/25/rich-text-malware/
Heh, & I use these like mad (to avoid infecting others, & it is as pretty as WORD .DOC types imo, but lacking the macro virii possible in them), but it is appearing more & more that .txt IS "THE WAY" to be safe @ a 110% level! apk -
"Flamebait"?
I don't know why the parent has been modded flamebait; s/he makes an excellent point; especially about Symantec.
Mcaffee do it to -- have a look at http://www.avertlabs.com/research/blog/?p=218#comm ent-32657, an explot that gives an attacker "full access to the system". A little lower down, it is noted that the attack "requires... administrator [privileges]", but goes on to say that "a determined attacker can always find workarounds". WTF??? It's an attack the purpose of which is to malware running with admin privileges, that... requires admin privileges. Right. Sure. (He's torn apart in the comments). -
Re:Only affects rendering using the IE engine...
My apologies, article here.