Domain: f-secure.com
Stories and comments across the archive that link to f-secure.com.
Comments · 409
-
There is ...
... also an analysis from F-secure about Stuxnet here.
-
Yes
-
Was it Windows, again?
So, what system were the computers running? Why is that information never in these news reports? Are they assuming that computers just run, without any software on them? Don't they know that computers usually have an operating system on them to be useful?
I've really had it now. I clicked through the pages and agent.btz is mentioned. Nobody had mentioned that it's a Windows worm: Worm:W32/Agent.BTZ http://www.f-secure.com/v-descs/worm_w32_agent_btz.shtml Platform is Windows 32, of course. Why is nobody mentioning the operating system? Why is nobody blaming Microsoft? Oh, George W. Bush was briefed on it; was he briefed that the worm is only useful on Windows systems and that his military is vulnerable?
His article appeared intended partly to raise awareness of the threat to United States cybersecurity — “the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,” he wrote — and partly to make the case for a larger Pentagon role in cyberdefense.
How about mentioning that it's increased on Windows and that Linux and other systems are safe and sound? How about they ditched this system which has proved time after time after time to be the only system that is vulnerable?
-
Re:Wait, so I shouldn't have used that at work?
Uh, what better security model? From what I see, Windows NT/2K/XP and, say, Ubuntu/SUSE Linux have pretty much the same security model. OK, so defaulting to an admin user was a pretty stupid idea, but malware nowadays doesn't even care so much about admin - zombies that send spam and DDoS do not need admin privileges. So as long as you can get a user to run something, you're in.
Currently at work I'm writing stuff for unix/unixlike software+hardware asset management, and believe me it's not that difficult to write a cross-platform "zombie" script that works on Linux, OSX etc. I wouldn't do that of course, but if it ever becomes profitable enough to do so, I'm sure someone in the world will do it.
After all if you have the same Windows users who would type in passwords to unzip password locked zipped files and then launch the malware[1], why wouldn't they do the same for Linux and OSX too? Think those same idiots wouldn't type in perl Britney?
[1] Examples: http://www.f-secure.com/v-descs/email-worm_w32_bagle_fy.shtml
If you only want a spam-sending zombie, you do not even need root privileges, so you wouldn't even need them to enter passwords.
All you need to do is set up a user cron or at job, or modify/replace/shim a commonly used user-owned program/script. Aunt May ain't gonna even notice.
I'm personally curious whether most antivirus scanners would be able to cope with perl malware. TMTOWTDI and all that (a half decent perl coder could write something that'll churn out versions of ACME:Bleach or similar, and automatically test them on multiple virus programs - so you only "release" malware that passes).
You could create something fairly innocuous that uses LWP or wget or curl to fetch new instructions and then runs those new instructions.
-
Re:iAds-blocking app?
God, you are so stupid.
You have better manners on Macrumors. And you used to be quite reasonable before you got seduced by the fanboy environment.
If you don't want to see these adverts, don't download apps that show advertisement.
Why is it only in the Apple community that I get:
- All options provided by your ingenuity rather than Apple are invalid and/or immoral;
- If you don't like it, don't speak up about it - just get out of our clubhouse?
There is no f***ing way that Apple builds an infrastructure so that you see advertisements that are vetted from advertisers guaranteed to actually make payments to the developer and then allows some app to interfere with this.
So Apple creates for itself this conflict of interest, it's absolutely clear that it's taking advantage of it, and that's absolutely fine with you. How.. Apple.
This is like the way over 90% of Google's revenue is from ads so on its own browser platform it doesn't allow and host ad blocking extensions. Oh, wait, no.
If Apple wanted to allow iAd blocking then it would be part of the OS.
You're probably right there. Apple has a tendency not to like competing solutions on its iPhone, especially ones with more tweakability than Apple's own.
They don't because developers need money to produce apps.
Well, they need to pay Apple $99/year, yeah, but apart from that, not much more than any other decent development system. And you're surely not judging the App Store by the quantity of apps?
-
F-Secure Rescue ISO
http://www.f-secure.com/en_EMEA/security/tools/rescue-cd/
I've also had random luck getting this to work from a bootable USB drive that mounts the ISO as well.
-
PARC? Didn't that used to be good?
Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself.
Further assume that this detection algorithm, running in kernel mode, must be loaded into memory itself.
Then further assume that the compromised kernel on which it is running has not modified the detection algorithm. (Because no one writes kernel malware.)
Then further further assume that no one will spot this really obvious flaw before publishing it.
-
Re:Public Defender
-
I want it - not for me, but...
I want Chromium OS to come out NOW*, if not sooner. Not for me -- I can install Puppy Linux and play around with dependencies and the like, learning from my mistakes. Heck, I can even run Windows without getting more than a virus or two per decade.
No, I want it for the sweet little old lady who lived a few doors down in my old apartment complex. She doesn't know the first thing about computers. She sends email like a whirling dervish of glurge -- I had to set up my Gmail to filter messages from her into a special folder, which gets several messages a day of "inspirational" forwards (half of which actually end up in the spam folder), her original poetry (kinda sweet, actually), and bizarre, rabid anti-Obama hate messages (massive pile of WTF).
Even after several rounds of explanation, she doesn't know the difference between "a computer" and "the internet". The concept of an "operating system" is absolutely impossible to comprehend -- it has no meaning. She doesn't *need* desktop applications -- she doesn't even know that they *are* desktop applications.
I set her up with a Puppy Linux installation, but that computer died and her family bought her a $40 box with some old, unpatched version of Windows on it. It met the expected fate, and she called me to ask what to do next. I recommended a $99 XP box from Micro Center, and set it up for her with "her" login lacking Admin rights (no installing software without going to the password-protected "Admin" login!). And because she really doesn't do anything but play online games, check the lottery, and send massive volumes of email, I put Google Chrome in her Startup folder -- maximized.
But I still got a call over the holiday... from her daughter, asking about anti-virus software. A good investment, but this sweet lady is on a fixed income, and I doubt she'll be able to come up with $40 a year for F-Secure Antivirus. More likely, she would buy it but never renew it, so she'd just be delaying the inevitable.
Please, Google... give me Chromium OS, for the sweet lady in the downstairs apartment. She needs it. And I need it, so that I can go back to deleting the latest "news" about the coming Obamapocalypse.
* Yes, I know it's Open Source, I could compile my own. With the time I have available for such a project (none), the chances of me doing it right are about as high as getting that sweet lady to quit worrying about Obama's birth certificate.
-
Re:70%
This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well
No, it means that the infected websites redirected visitors including Mac users. They were victims of redirection only at that point. It's the sites that people got redirected to that did the actual user-machine infecting. The article only says that six vulnerabilities were targeted but it doesn't say which. Mebroot (Master Boot Record Rootkit) is Windows based and isn't new.
"Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with Javascript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet's owners with remote control over that machine."
I'm not an expert, but the Mebroot description at F-Secure appears to show Windows systems as the target. Of course other mutations could potentially be created to target vulnerabilities on OS X or other platforms, but once in it couldn't just install the same Windows rootkit.
(below from F-Secure, not article)
http://www.f-secure.com/weblog/archives/00001393.html
The actual site hosting the exploit code utilizes the following exploits:
Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow
from article:
"The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit."
For things that have been fixed, I think Mac users are generally a bit better about having OS and browser updates. Of course, like everyone else, they can still significantly reduce risk by disabling browser functionality except when needed (as with NoScript and Firefox).
I'm concerned updates in other applications may be missed not only by users, but even developers.
VLC was promptly updated for some vulnerabilities in the underlying ffmpeg code, but users aren't always good about keeping VLC up to date (the older version for OS X 10.4 got an update as well as the current release). There are many video conversion, DVD assembly and other programs built on Windows and OS X using ffmpeg behind the scenes. In some cases the developers make little or no mention of it (LGPL/GPL compliance is a problem too). These programs don't seem to be getting the newer ffmpeg builds that address the problems.
-
Re:I'm suspicious
Just a few notes:
1. F-Secure's Orion engine is fully heuristics-based (file analysis); it uses signatures only to fix false positives, consistently getting great scores from VB.
2. They also now have an engine (called ExploitShield) that uses heuristics (and signatures) to prevent programs (that in themselves might be good) from doing bad things, see for example http://www.f-secure.com/weblog/archives/00001727.html (using heuristics to block the FF 3.5 JS exploit)
Full disclosure: I used to work for F-Secure (partner, i.e. 3rd tier, support for AV and crypto; we escalated to R&D) until 2001.
-
You were hit hard, but WHY? You can stop it... apk
"My company was hit pretty hard by the conficker virus." - by goltzc (1284524) on Tuesday June 30, @04:04PM (#28533883)
Whose fault is that? You CAN prevent it, you know (from striking even), by doing a few simple things, such as what is listed here:
http://it.slashdot.org/comments.pl?sid=1159209&cid=27178753
----
Regarding "stalling" CONFICKER specifically:
----
"A.) STALL SERVER SERVICE (if you don't need a LAN/WAN to connect to & all you do is hit the internet on a single standalone machine)...
AND
B.) It recommends you stall out indiscriminate usage of javascript also!
Between those 2 measures (&, possibly ALSO, a HOSTS file that stops access to this CONFICKER worm's control servers -> http://forums.opendns.com/comments.php?DiscussionID=3043 which leads to said list here -> http://www.f-secure.com/weblog/archives/Downadup_Domain_Blocklist_February.txt)?
Hey... YOU TELL ME, lol, IF it works, or not..."
----
It'll work... additionally, blocking ACL (access control list) access to the autorun.inf files in the root of your drives helps also (vs. how it spreads from USB sticks etc. et al).
(Do all of the above, especially if you don't need to be sharing disks/folders/files from your system to users over the public internet or a local LAN/WAN (saving CPU cycles, RAM, &/or other forms of I/O as well you would be otherwise wasting because you are not using what the server service provides, file & print sharing), & it quite literally (@ least theoretically) should "PROOF YOU" vs. this worm).
APK
P.S.=> That was regarding the /. article titled (from near when this worm was discovered): New Conficker Variant Increases Its Flexibility:
http://news.slashdot.org/article.pl?sid=09/02/20/239229 [slashdot.org]
on 02/20/2009 here on this website... apk
----
And, it works...
Heck, you CAN do without the server service, as a workstation on a LAN/WAN even (because iirc, workstation service allows for MOST of what you'd need anyways), & have full access to its services, like the internet for example, if you wish!
(HOWEVER - If you have to share files/folders from said system? THEN, you'll NEED the server service active!)
Otherwise? Not really - server service is NOT required, but you might have to apply your OWN updates though as an end-user minus the server service running, as stalling server service removes accessible shares & such that SERVER service provides!
(Which might adversely affect SMS & like updating from a central source in a work LAN/WAN environs (that'd be up to you & the user(s) in question though, & what your + THEIR needs are in such a situation)).
APK
P.S.=> I put that out, originally @ xtremepccentral.com, & later here on /., because it works, on many levels!
I did so, almost @ the time it began "blowing away" systems all over the place... because it worked!
Common-sense should have told you, as an administrator (assuming THAT is your role, or that of a network tech/engineer) that those were the simple steps to take (along with detectors to signal a removal candidate, but you never or should NEVER have seen it in the 1st place, if you did the above steps to your Windows NT-based machines)... apk
-
Re:ClamWin
I installed F-Secure Anti-Virus Small Business Suite at a company of similar size. The business suite is quite cheap for a full AV solution and includes a Central Management Tool that is also available for Linux. So basically you can control/update the Windows AV clients from the Linux server if you like. I have heard no complaints from the customer yet.
-
F-Secure Client Security
http://www.f-secure.com/en_EMEA/products/business/desktops-laptops/client-security/ Sold that to a few clients.
-
Re:They should use macs
-
Re:Games
OSX has about 10% market share and yet no viruses.
There is OSX malware.
http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml
http://www.tuaw.com/2008/11/21/new-mac-os-x-malware-osx_lamzev-a/
http://www.spyware-techie.com/mac-malware-warning-mac-malware-osxtrojaniserviceb-showing-up-in-pirated-software/
-
PIF files
F-Secure points out that
.PIF files will have their extension hidden even if you change the display option.
Q: Will that make all file extensions visible?
A: Well, no. There are executable extensions that will STILL be hidden even if you turn the option off.
Q: What?
A: For example PIF. This file type was meant to be a shortcut to old MS-DOS programs. Problem is, you can rename any modern Windows Executable to .PIF and it will happily run when double-clicked.
Q: How do I make PIF files visible then?
A: Via a registry key called "NeverShowExt". We'd link you to an article in the Microsoft Knowledgebase... except we couldn't find any. But here's a Web page on the topic, from GeoCities, made by some hobbyist a couple of years ago. Maybe it's the best source of information on the topic.
-
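An added example for auditing the behaviour described above (this is not code from the post, from F-Secure or from Microsoft): a PowerShell script that walks HKEY_CLASSES_ROOT and lists every file extension whose extension key or ProgID key carries a NeverShowExt value, which is exactly the .PIF case the post describes. The function and variable names are this example's own.

```powershell
# Added example (not from the original post): list the file extensions that
# Windows keeps hidden through the NeverShowExt registry value, even when the
# Explorer option "Hide extensions for known file types" is turned off.
# Reading HKEY_CLASSES_ROOT needs no elevation.

function Get-NeverShowExtExtensions {
    [CmdletBinding()]
    param()

    $hkcr = 'Registry::HKEY_CLASSES_ROOT'
    $results = @()

    # Extension keys are the HKCR subkeys whose name starts with a dot; their
    # (default) value names the ProgID, e.g. ".pif" -> "piffile".
    $extKeys = Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -like '.*' }

    foreach ($extKey in $extKeys) {
        $ext    = $extKey.PSChildName
        $progId = (Get-ItemProperty -Path $extKey.PSPath -ErrorAction SilentlyContinue).'(default)'

        # NeverShowExt can sit on the extension key itself or on the ProgID key;
        # Get-ItemProperty returns $null (with a suppressed error) when absent.
        $onExt = $null -ne (Get-ItemProperty -Path $extKey.PSPath -Name NeverShowExt -ErrorAction SilentlyContinue)
        $onProgId = $false
        if ($progId) {
            $onProgId = $null -ne (Get-ItemProperty -Path "$hkcr\$progId" -Name NeverShowExt -ErrorAction SilentlyContinue)
        }

        if ($onExt -or $onProgId) {
            $results += [pscustomobject]@{
                Extension = $ext
                ProgId    = $progId
                SetOn     = if ($onExt -and $onProgId) { 'both' } elseif ($onExt) { 'extension key' } else { 'ProgID key' }
            }
        }
    }
    $results
}

# Usage: print the inventory, then flag the case discussed in the post.
$hidden = Get-NeverShowExtExtensions
$hidden | Sort-Object Extension | Format-Table -AutoSize

if ($hidden.Extension -contains '.pif') {
    Write-Warning 'The .pif extension is hidden regardless of the Explorer setting; a renamed executable would show without it.'
}
```

Treat the listing as an inventory to review rather than a list to delete from: several entries (shortcut types such as .lnk, for instance) hide their extension by design, and removing or renaming the NeverShowExt value on a ProgID key such as piffile is a change worth testing on one machine before rolling it out.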
Fear Mongering
The original article is here: http://www.f-secure.com/weblog/archives/00001675.html George Ou has "debunked" this "fail" here: http://www.formortals.com/Default.aspx?tabid=36&EntryID=180 This is nothing more than FUD IMHO
-
Re:virut / vitro
Virut is nasty and fairly difficult to repair. Most malware removers recommend reinstallation rather than attempting to repair damaged system files.
There's no mention of the Blaster/Sasser worm, Sircam, CIH or Magistr. All of which caused panic and damage at least on the same scale as Conficker. All of which had much more damaging payloads than any of those noted.
Seems to be a fairly dodgy, or poorly researched, list.
-
F-Secure Blog
They talked about this months ago in their blog http://www.f-secure.com/weblog/archives/00001623.html Quote taken out of context: "we're not recommending Foxit."
-
Re:How about a security review?
I think F-Secure's unofficial stance is outlined best in their blog from a while back:
we're not recommending Foxit. We're not recommending Sumatra. Or PDF-Xchange, CoolPDF or eXPert PDF. Instead, we recommend users to find their own Adobe Reader replacement. This way we get more heterogeneous userbase, which is a good idea security-wise.
-
Mirror
Conficker Eye Chart
How to interpret:
If you see this above: / It probably means this:
[image pattern] = Normal/Not Infected by Conficker (or using proxy)
[image pattern] = Possibly Infected by Conficker (C variant or greater)
[image pattern] = Possibly Infected by Conficker A/B variant
[image pattern] = Image loading turned off in browser?
Any other combination = Poor Internet connection?
Explanation:
Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.
If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.
SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.
Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.
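As an added example, not part of the mirrored chart and not code from F-Secure, SecureWorks or Trend Micro: the same two-row check done from PowerShell on the suspect Windows machine, with the interpretation split into a pure function so the verdict logic can be exercised without a network. The first row uses the three vendors named above; the second-row hosts and every function name are this example's assumptions, since the chart's own image URLs are not reproduced on this page.

```powershell
# Added example (not from the original chart): probe AV/security sites
# (row 1) against sites Conficker is not known to block (row 2), then apply
# the chart's interpretation. Hosts below are this example's assumptions.

$Row1Av  = @('https://www.f-secure.com/', 'https://www.secureworks.com/', 'https://www.trendmicro.com/')
$Row2Alt = @('https://www.kernel.org/', 'https://www.apple.com/', 'https://www.freebsd.org/')

function Test-UrlLoads {
    # $true when the URL answers within the timeout, $false on any failure
    # (DNS blocked, connection refused, HTTP error, timeout).
    param([string]$Url, [int]$TimeoutSec = 5)
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-EyeChartVerdict {
    # Pure interpretation of the two rows, following the table above.
    param([bool[]]$Row1, [bool[]]$Row2)
    $row1Loaded = @($Row1 | Where-Object { $_ }).Count
    $row2Loaded = @($Row2 | Where-Object { $_ }).Count

    if ($row1Loaded -eq $Row1.Count -and $row2Loaded -eq $Row2.Count) {
        return 'Normal / not infected by Conficker (or behind a proxy, in which case this test is inconclusive)'
    }
    if ($row1Loaded -eq 0 -and $row2Loaded -eq 0) {
        return 'Nothing loaded: no connectivity (the browser chart reads this as image loading turned off)'
    }
    if ($row1Loaded -lt $Row1.Count -and $row2Loaded -eq $Row2.Count) {
        # The chart tells A/B from C by WHICH row-1 images load; without its
        # exact images this example only reports the blocking itself.
        return 'Possibly infected by Conficker (or other malware blocking AV/security sites)'
    }
    return 'Any other combination: poor Internet connection?'
}

function Invoke-EyeChartCheck {
    # A proxy resolves the AV hostnames on the machine's behalf, so the
    # worm's blocking is invisible through it: warn before probing.
    $proxy = [System.Net.WebRequest]::DefaultWebProxy
    if ($proxy -and -not $proxy.IsBypassed([uri]$Row1Av[0])) {
        Write-Warning 'A system proxy is configured; the eye chart cannot give an accurate result here.'
    }
    $r1 = foreach ($u in $Row1Av)  { Test-UrlLoads $u }
    $r2 = foreach ($u in $Row2Alt) { Test-UrlLoads $u }
    [pscustomobject]@{
        AvSitesLoaded  = @($r1 | Where-Object { $_ }).Count
        AltSitesLoaded = @($r2 | Where-Object { $_ }).Count
        Verdict        = Get-EyeChartVerdict -Row1 $r1 -Row2 $r2
    }
}

# Offline demonstration with a constructed result: row 1 blocked, row 2 fine.
Get-EyeChartVerdict -Row1 @($false, $false, $false) -Row2 @($true, $true, $true)

# Live check, run on the machine you suspect:
Invoke-EyeChartCheck
```

The split between Get-EyeChartVerdict and Invoke-EyeChartCheck is deliberate: the verdict table can be reviewed and changed without touching the network code, and the proxy warning covers the one case the chart itself says it cannot decide.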
-
Re:i find it so hard
There is no 'grand activation date'. April 1st *or later* when it updates itself.. it's more likely to upgrade to conficker D than do anything else.
It's just not in the author's interest to do any damage - whilst people don't know they are infected they can participate in the botnet. If the virus makes itself obvious then all that potential revenue is destroyed.
The f-secure blog puts it best: http://www.f-secure.com/weblog/archives/00001636.html
-
Re:why couldn't the instructions come from whiteha
F-secure was one of the first people I'm aware of to register some of the domain names that infected machines try to contact. When people were asking this question, this was their response.
On a regular day, our sinkhole sees around 1.5M-2M unique IP addresses that are infected with a various catering of malware: viruses, trojans, bots, worms and so on. Downadup.B is responsible for about 1M-1.3M of those IP addresses. So let me explain what we do with the data first:
We try to contact the ISPs where the infected IP addresses are coming from and try to get them to notify the customers to take down the infected systems. We also notify various CERT organisations in the countries where the infections are and work with them to get the infected machines offline. We also share some of the data with Law Enforcement organizations in those cases where the author of the malware is known. This allows the police to get their hands on real, raw data on the amount of infections. That data can later be used in court as evidence to get reasonable convictions.
Now, why won't we automatically disinfect the machines? The reason is simple: we would be knowingly, and with intent, accessing the infected computer and giving it commands without having prior permission from the owner. In most countries that equals unlawful access, which gets you an appointment in court. Some laws do weigh things by judging "a greater good", but in this case it does not help. Imagine the world being a huge porcelain store, inside a black box with only two holes for your hands allowing access. You can put your hands in the box but can't see what you're doing. Now, try to remove all the dust without breaking anything...
There are several things that might go wrong and the consequences could be severe. Imagine if we, while disinfecting, would knock out life support systems in hospitals. Or radar systems in major airfields. Or traffic lights in a major city. Or any of the other imaginable and unimaginable scenarios that would be bound to happen taking into consideration the scale of this thing.
And it doesn't matter where we offered the disinfection from. We are a corporation with presence in various countries. The disinfected victims would be in those countries, suing us there. The place where we caused the damage from does not matter, it's the place where the damage happened.
To make automatic, remote, unwilling disinfection ever possible there is a need for an international treaty. And an international body of authority that will decide what to disinfect, who to disinfect and when to disinfect. And unfortunately I don't see that one coming in the near future. I wouldn't bet on foreign militaries or intelligence organizations being too happy about anyone tampering with their systems, regardless of the intent.
We've had long talks about remotely disinfecting machines and everyone in here is in unanimous vote on not doing it for the above reasons. And don't think it's a happy moment seeing hundreds of thousands, or millions, of machines being infected. Still, we do our best to get them fixed.
-
Re:could have done with this yesterday...
Here are some more, sorted by last release date:
http://www.freedrweb.com/livecd
(Dr Web, February 2009)
http://dnl-eu3.kaspersky-labs.com/devbuilds/RescueDisk/
(Kaspersky December 2008)
http://www.f-secure.com/linux-weblog/2008/11/
(F-Secure, November 2008)
http://free-av.de/en/tools/12/avira_antivir_rescue_system.html
(Avira, ???)
http://www.mwti.net/products/mwav/mwav.asp
(MicroWorld, ???)
-
Re:That many Windows Servers unprotected and onlin
Regarding "stalling" CONFICKER specifically:
----
"A.) STALL SERVER SERVICE (if you don't need a LAN/WAN to connect to & all you do is hit the internet on a single standalone machine)...
AND
B.) It recommends you stall out indiscriminate usage of javascript also!
Between those 2 measures (&, possibly ALSO, a HOSTS file that stops access to this CONFICKER worm's control servers -> http://forums.opendns.com/comments.php?DiscussionID=3043 which leads to said list here -> http://www.f-secure.com/weblog/archives/Downadup_Domain_Blocklist_February.txt)?
Hey... YOU TELL ME, lol, IF it works, or not..."
----
It'll work... additionally, blocking ACL (access control list) access to the autorun.inf files in the root of your drives helps also (vs. how it spreads from USB sticks etc. et al).
(Do all of the above, especially if you don't need to be sharing disks/folders/files from your system to users over the public internet or a local LAN/WAN (saving CPU cycles, RAM, &/or other forms of I/O as well you would be otherwise wasting because you are not using what the server service provides, file & print sharing), & it quite literally (@ least theoretically) should "PROOF YOU" vs. this worm).
APK
P.S.=> That was regarding the /. article titled (from near when this worm was discovered): New Conficker Variant Increases Its Flexibility:
http://news.slashdot.org/article.pl?sid=09/02/20/239229
on 02/20/2009 here on this website... apk
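The same three measures appear twice on this page (the post above and the earlier one titled "You were hit hard, but WHY?"). As an added example that is not code from either post, here they are as PowerShell functions: append the domains from the F-Secure blocklist to the HOSTS file, stop and disable the Server service, and deny all access to an autorun.inf placeholder on each drive root. The blocklist file name is an assumption (a saved copy of the list linked above), the function names are this example's own, and everything else uses standard cmdlets.

```powershell
# Added example, not from the original posts: the three measures listed above
# as PowerShell functions. Run from an elevated prompt on the Windows machine;
# each function accepts -WhatIf for a dry run.

$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Add-HostsBlocklist {
    # Appends "0.0.0.0 <domain>" for each blocklist domain not already mapped
    # in HOSTS, so the function can be re-run when the list is updated.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$BlocklistPath)

    # Hostnames already present in HOSTS (every field after the address column).
    $known = @{}
    foreach ($line in Get-Content -Path $HostsFile -ErrorAction Stop) {
        $fields = (($line -split '#')[0]).Trim() -split '\s+'
        if ($fields.Count -ge 2) {
            foreach ($h in $fields[1..($fields.Count - 1)]) { $known[$h.ToLower()] = $true }
        }
    }
    $new = Get-Content -Path $BlocklistPath -ErrorAction Stop |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ -and -not $_.StartsWith('#') -and -not $known.ContainsKey($_) } |
        Sort-Object -Unique
    $new = @($new)
    if ($new.Count -gt 0 -and $PSCmdlet.ShouldProcess($HostsFile, "append $($new.Count) entries")) {
        $lines = @('', '# Downadup/Conficker rendezvous domains (F-Secure blocklist)') +
                 ($new | ForEach-Object { "0.0.0.0 $_" })
        Add-Content -Path $HostsFile -Value $lines -Encoding Ascii
    }
    return $new.Count
}

function Disable-ServerService {
    # "Stalls" the Server service (LanmanServer). This removes the file and
    # print sharing offered BY this machine, so only use it on a standalone box.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'stop and set startup type to Disabled')) {
        Stop-Service -Name LanmanServer -Force -ErrorAction Stop
        Set-Service -Name LanmanServer -StartupType Disabled
    }
    Get-Service -Name LanmanServer
}

function Protect-AutorunInf {
    # Places an empty autorun.inf on each local drive root and denies Everyone
    # (SID S-1-1-0, so it works on any locale) all access to it, so nothing
    # arriving via a drive root can plant its own autorun.inf there.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'FullControl', 'Deny')
    $roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($drive in $roots) {
        $path = Join-Path $drive.Root 'autorun.inf'
        if ((Test-Path $path) -and (Get-Item $path -Force).Length -gt 0) {
            # An existing, non-empty autorun.inf may be the worm's: inspect it first.
            Write-Warning "$path already exists and is not empty; inspect it before protecting"
            continue
        }
        if ($PSCmdlet.ShouldProcess($path, 'create empty file and deny all access')) {
            try {
                if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File -Force | Out-Null }
                $acl = Get-Acl -Path $path
                $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the drive-root ACEs
                $acl.AddAccessRule($deny)
                Set-Acl -Path $path -AclObject $acl
            } catch {
                Write-Warning "Could not protect $path ($($_.Exception.Message))"   # e.g. read-only media
            }
        }
    }
}

# Dry run of the reversible steps first; drop -WhatIf to apply.
Add-HostsBlocklist -BlocklistPath '.\Downadup_Domain_Blocklist_February.txt' -WhatIf
Protect-AutorunInf -WhatIf
# Disable-ServerService -WhatIf   # only on a standalone machine that shares nothing
```

Disable-ServerService is left commented out in the usage for the reason the post itself gives: without the Server service the machine offers no shares, which also breaks central update tooling that pushes to it. The deny ACL on autorun.inf is a speed bump rather than a wall, since an account with ownership rights can still replace the ACL, which is why the function refuses to lock in a file it did not create.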
-
F-Secure has had a removal tool
available for months:
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
I don't know that I'd be willing to run anything from some unheard of company, especially from Romania!
Also, I thought the Windows Malicious Software Removal tool was removing Conficker now. Anyone know if that's the case or not?
-
F-Secure also has a Linux-based Live Rescue CD
-
Re:profit motive
You laugh, but that situation is just what F-Secure describes for an unrelated bit of Facebook malware. FTFA:
As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence. It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula, create something that spawns a search, then be ready to provide results that redirect to malicious sites. Either that or the bad guys are very quick on their feet and are ruthlessly opportunistic.... They're both.
-
Re:Windows 7 == Financial Calamity
Once the millions hear that they can get $50 back from Microsoft by refusing the EULA click-through, AND they can get an OS that doesn't need an anti-virus program, AND that most of their existing software, including games, will still work, they'll switch.
Saving $50 when a computer cost $5,000 didn't make sense. Saving $50 and getting rid of the virus problem (and its associated costs) when a computer costs $250 makes a LOT of sense.
Conficker/Downadup, antivirus2009.exe, CoolWebSearch, etc., will keep on giving people incentives to switch.
-
Re:its not hard
It isn't exactly filesystem specific, though it does depend on being a filesystem that Windows will recognize. It infects USB by putting an autorun.inf on the device to install itself. The nasty bit is that, to the average user, it looks like the executable is just the windows dialog to open the device as a folder. f-secure.com has a nice writeup on it.
-
I took the lazy path...
"Ever wish you had one of those big LED displays to keep you up to date on e-mails, stock quotes, server uptimes, or weather?
Yeah, I used to wish exactly that, but I took the easy (well, I did have to reverse-engineer the serial protocol, but that was fairly easy) way out and went to the hardware store and bought one. It's been serving my team very well since then.
:-)
-
Re:This is what baffles me...
In case someone wonders how many of these addresses are online today:
#for adr in $(cat downadup_domain_blocklist_17_31.txt); do ping -c 1 -w 1 "$adr"; done > result.txt
#cat result.txt | grep -c "bytes from"
132
So I wonder, which of these are registered by F-Secure and which by the bad guys?
-
Re:How can it spread through USB sticks?
http://www.f-secure.com/weblog/ has screenshots showing how exactly it executes from USB sticks under Vista and Windows 7 beta.
-
whoa..
F-Secure estimates 8.9 million infected machines.. http://www.f-secure.com/weblog/archives/00001584.html
-
Microsoft and AOL e-mail beta free money hoax
If you don't know which one this is, check out this link:
http://www.f-secure.com/hoaxes/msemtrk.shtml
The page doesn't document every variation, but it has quite a few. The variant I generally encounter says it's TRUE, was on Good Morning America, and has been verified by a lawyer zOMG! This particular hoax e-mail is among the older ones, has bitten me twice, and I fear it's going to repeat.
The first incident was at the last company I worked for, which employed 100,000+ employees globally, 75% of them in the US. Some moron forwarded it from his Hotmail account to his work e-mail. From there he opened the GAL, started at the top, and selected the max number of entries (256 IIRC) that would fit in the TO line, then proceeded to do the same for the CC line. A mail storm ensued as about 20 other idiots did a Reply All and replaced some of the entries with addresses of their friends. From there a few more goofballs did Reply Alls saying to stop or to take them off the list. This caused e-mail processing in a 20+ server Exchange cluster to come to a screaming halt, forcing the Exchange Admin team, which thankfully I wasn't a part of, to shut it all down. The CEO or a VP sent out a mass mail telling everyone not to pull those shenanigans again.
At my current employer, one of the sales reps almost did the same thing exactly. We didn't have a mail storm thankfully since the company only employs about 120 people and there aren't a whole lot of DLs and mail-enabled PFs. I believe one grunt did a Reply All calling BS and a couple of others sending a WTF via Reply All. With the company being so small, we were able to stop the idiocy quickly.
-
Re:Wrong, and bad summary, as usual
Here are two examples of (modern) Mac malware:
http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml
http://www.f-secure.com/v-descs/trojan-downloader_osx_jahlev_a.shtml
-
Re:we need an antivirus vendor
There are at least F-Secure Rescue CD and Helix Incident Response and Forensics CD
-
t3h ir0ny
TFA links to the website (botmaster.net...you probably don't want to go there) that sells XRumer. And what do I see for contact information? botmaster.net@gmail.com.
Sure hope they don't get spammed. Whatever you do, don't publish that email address! botmaster.net@gmail.com -- don't do it!
-
I guess this is the new "cool thing"
I guess all the security companies are heading toward community based databases. Other similar products include
F-Secure Deepguard: http://www.f-secure.com/deepguard
Threatfire: http://www.threatfire.com/ (recently acquired by Symantec... so they are in the game now)
DriveSentry: http://www.drivesentry.com/
Prevx: http://www.prevx.com/
-
Re:headless botnets
F-Secure has details on a trojan that does this and also has a screenshot of what the desktop looks like.
If you have the same thing, your people's computers ARE infected.
http://www.f-secure.com/v-descs/trojan_w32_pakes_csg.shtml
From the summary:
Trojan:W32/Pakes.CSG attempts to get "rogueware" installed on the victim's computer by claiming the computer is infected by spyware.
It also makes changes to the system registry and posts information about the computer to a remote server.
-
Re:Perfect gadget to connect to the integrationser
We might just do that. After all, we are already announcing broken builds on a LED sign and with sound effects.
:-)
-
Re:I'll bet....
I bet this could be designed in such a way that NAT still exists behind the router; the routed traffic can't actually get into the internal network of the users' PCs and devices unless they've specifically port-forwarded something in the router.
The idea of multiple propagation routes for malware of all types {and in which category I also lump viruses...} has already been done...
-
Re:Triple dipping into the jar might hurt Apple?
It's very possible that companies like Adobe or TurboTax would do well with that kind of arrangement. For TurboTax or Adobe software, I'll bet the cost of the packaging + the retail markup they give Amazon or CompUSA is 30% or more of the price. And they still have to pay for advertising, to make people aware of the product.
In the case of iPhone applications, Apple's handling the advertising, the promotion, the packaging (well, it's not necessary anymore, but you get the idea), the retail markup and credit card fees. It's a solid deal - neither a ripoff for them nor a freebie for developers, but a good honest deal benefitting both sides.
I strongly suspect that if there was TurboTax(tm) for iPhone(tm) that was sold for a similar price to TurboTax for Mac or PC, Intuit would make about the same overall margin for it.
So I have now concluded, reasonably in my view, that Apple's proposed monopoly is fair - they are not abusing their position by charging above market for their services. Now, we address the question of why we couldn't simply have unfettered freedom to develop phone software.
I am one of the few Slashdotters who has witnessed the painful effects of a phone virus. It's no joke since phone software can make calls on your behalf to high-toll numbers or send expensive text messages. The virus I encountered sent MMS messages continuously to everyone in the phone owner's address book. My friend, who got it on her phone in the Philippines, was faced with a $300 phone bill when it was all over - and being a middle class person in a very poor country, that would be like a $3,000 phone bill for us -- just impossible to pay.
This situation is not the RIAA. The analogy would be if someone created a song designed to destroy your stereo, so you would have to buy a new one, or that would sneak advertisements into your music stream and cause your stereo to crash. As far as I know, nobody has yet created a song that would do either of those things, and so there is no reason to censor songs in order to protect your stereo equipment. But people have created, and will create, software that will do very similar things to this example, and so Apple has to step in to make sure its customers are protected. In practice, it's not unlike including anti-virus software in the OS, except that anti-virus software is horribly ineffective, so the focus is on keeping evil software out of your phone in the first place.
So I can see both sides. As a developer, of course I don't want to pay for the certificate. But from the point of view of a phone maker who needs to protect his brand, it's genuinely necessary for any submitted software to be checked before it goes on a phone. This is a very small price to pay to avoid harmful software, which does exist. Nokia, the maker of my friend's phone, fixed this problem by requiring developer certificates in the same way Apple is, and so you don't hear much about harmful phone software. But without the certificates and other precautions, there's the real possibility of bad problems ahead.
Apple's system protects everyone involved and ensures a dynamic, powerful market for phone software. We have to sacrifice a little freedom because we are being allowed to tamper with people's phones, which are their lives. If you think otherwise, OpenMoko and Android beckon.
D
-
The fix is free:
At the bottom of the linked article, there is another link: Gmer -- MBR. At the end of that long technical article it says: "Rootkit removal: To remove rootkit from infected machine you can simply use "Recovery Console" command: fixmbr."
To use it, you first go into the Windows XP Recovery Console. Then run FixMBR /? for parameters. Save the MBR (Master Boot Record) first.
Here is a discussion on the Microsoft web site about tools for fixing the MBR without the Recovery Console. I've never tried them; I've always used the FixMBR utility that comes with the Recovery Console.
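The post above says to save the MBR before running fixmbr. The following is an added example, not code from the comment, from GMER or from F-Secure, showing what a saved copy is good for: it parses a 512-byte MBR sector, checks the 0x55AA boot signature, hashes the 446-byte bootstrap area and reports whether a current sector differs from a previously saved baseline (an altered bootstrap with an unchanged partition table is the pattern an MBR rootkit leaves). The sample sectors are constructed in the script; reading the real sector from the physical disk device needs administrator rights and is left to the caller.

```python
"""Added example: check a 512-byte MBR sector against a saved baseline copy.

Not part of the original post or of any vendor tool. The sectors below are
constructed test data, not real disk contents.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code (what an MBR rootkit replaces)
PARTITION_TABLE_OFFSET = 446  # 4 entries x 16 bytes
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into a boot-code hash and its partition entries.

    Raises ValueError if the sector has the wrong size or lacks the 0x55AA
    boot signature; such a sector is not a valid MBR at all.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")

    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
        })

    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return a list of differences between two sectors; empty means unchanged.

    A changed bootstrap area is the signal worth acting on; a changed
    partition table is usually legitimate repartitioning but is reported too.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible MBR rootkit)")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code_fill: int) -> bytes:
    """Construct a synthetic MBR with one bootable NTFS-type (0x07) partition."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_SIZE
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three slots empty
    return boot_code + table + BOOT_SIGNATURE


# Constructed sample sectors (hypothetical data, not read from a disk).
BASELINE_MBR = build_sample_mbr(0x90)  # copy saved before any cleanup
TAMPERED_MBR = build_sample_mbr(0xEB)  # same table, different boot code

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR)["partitions"])
    print(compare_to_baseline(TAMPERED_MBR, BASELINE_MBR))
```

On a real machine the baseline would be the copy saved before running fixmbr and the current sector would be read back afterwards, so the same comparison confirms that the bootstrap area actually changed and that the partition table survived the repair intact.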