Domain: lurhq.com
Stories and comments across the archive that link to lurhq.com.
Comments · 82
-
Re:Where's the hard evidence?
Go to http://lurhq.com/sobig-f.html, http://lurhq.com/sobig-e.html and http://lurhq.com/sobig.html.
Kristian -
The RIAA-killer application: the music worm
I think the recent Sobig infestation demonstrates why the RIAA's tactics are doomed to failure. Why? Because there will ultimately be a "killer application"--the music worm.
How will the music worm work?
It will be distributed as an email worm. The user installs it by clicking on an attachment that arrives in an email spam. A large number of people will do this knowingly, but many will be innocent "victims". Knowing users will thus have "plausible deniability".
Once installed, it will do the following:
1) Email itself to everybody in the user's address book, just like any other worm.
2) Install a hidden peer-to-peer server.
3) Identify every music file on the user's computer.
4) Make all of them available over the web via peer-to-peer sharing.
5) Begin silently and automatically downloading music files to the user's computer and adding them to his music library, favoring additional titles by artists already represented in the user's library.
6) An internal list will be maintained of the downloaded files, and the worm will monitor their usage. Any downloaded file that is not played within a certain period of time will be marked for eventual replacement, in order to prevent the music archive from growing too large (say 20% above the size of the permanent library or 80% of available disk space, whichever is smaller). Any file that is played will be deleted from this list and permanently added to the user's music library.
7) Knowing users will be able to "order" specific music via a web interface by accessing a web site (actually located on the user's computer) via a web browser. The worm will silently edit the browser's history file to erase the record of this access.
How could such a worm be combatted?
1. Legal assaults on users would become difficult; there will be continuous trading of music over the net. Much of it will be entirely innocent; the result of the worm running on the computers of innocent "victims." This will provide a smokescreen for the activities of knowing users. It will be extremely difficult to prove that somebody is a knowing user, since the patterns of download to any individual user will be similar to knowing use. Many unknowing victims will accidentally add some of the downloaded music to their permanent libraries, because a lot of people do not keep careful track of the contents of their music libraries.
2. Virus scanning software could be employed, but many users do not keep their antivirus software up to date. Attempts to eradicate spammer worms such as Sobig have not been particularly effective. And with the music worm case, many of the "victims" will actually be secret users, intentionally abetting the worm's presence on their computers.
3. The music industry could distribute counter-worms, which would infect computers and delete music, or gather evidence of intentional trading. However, this would require the music industry to engage in an ongoing illegal activity. Moreover, it would be relatively unsuccessful in targeting the technically sophisticated knowing user, who would have a strong incentive to block such worms.
-
for details see these analyses
excellent write-ups at lurhq.com
Sobig.a and the Spam You Received Today,
Sobig.e - Evolution of the Worm,
and Sobig.f Examined -
Re:Smarter Virus Writers
Maybe it's just that the virus writer is actually starting to follow the kinds of ideas that geeks often toss out. "Oh yeah, if I was making a virus I'd have it..."
I've wondered if he read Slashdot. I know I would if I were him.
There's a good overview of Sobig.a through e here
-
Re:Interesting Thing about Sobig...
Take a look at this analysis of Sobig.a and this paper charting the evolution of Sobig.
They suspect that it's spammers (or other shady elements) covering their tracks.
-
Re:Interesting Thing about Sobig...
Hey, I found the answer! This stuff is spread by spammers. It doesn't deactivate, it switches to an open proxy.
-
Re:hmm
I'm interested to see if is updated to include info on -f. the -e article was a good eye-opener.
Thanks.
Before I update the paper I'm waiting to see if there are any substantial changes in the second and third stages - these won't be known for a couple of days probably, depending on the worm author's schedule, but it could be as early as tonight. So far though, the functionality is almost the same as described in the Sobig.e paper.
-
hmm
I'm interested to see if is updated to include info on -f. the -e article was a good eye-opener.
-
Re:Well engineered worms
In case you hadn't noticed, few virus writers are developing malicious code.
While it's generally true that historically, most viruses have had feeble or non-existent payloads, the evidence is strong that some of the waves of infection this year have been created by spam gangs, using viral infections to install proxy software.
-
A Modest Proposal: The Music Worm
The RIAA's fight against music sharing is becoming increasingly desperate; their current tactics are to seek legislation that elevates music sharing from a civil to a criminal offense (thereby obtaining a taxpayer subsidy for the pursuit of users), while attempting to prosecute individual users (or their parents, if they are underage). Basically, these tactics are based upon the "war against drugs," which has had moderate success. But in the case of music sharing, the RIAA's tactics are doomed to failure. Why? Because there will ultimately be a "killer application"--the music worm.
How will the music worm work?
It will be distributed as an email worm. The user installs it by clicking on an attachment that arrives in an email spam. A large number of people will do this knowingly, but many will be innocent "victims". Knowing users will thus have "plausible deniability".
Once installed, it will do the following:
1) Email itself to everybody in the user's address book, just like any other worm.
2) Install a hidden peer-to-peer server.
3) Identify every music file on the user's computer.
4) Make all of them available over the web via peer-to-peer sharing.
5) Begin silently and automatically downloading music files to the user's computer and adding them to his music library, favoring additional titles by artists already represented in the user's library.
6) An internal list will be maintained of the downloaded files, and the worm will monitor their usage. Any downloaded file that is not played within a certain period of time will be marked for eventual replacement, in order to prevent the music archive from growing too large (say 20% above the size of the permanent library or 80% of available disk space, whichever is smaller). Any file that is played will be deleted from this list and permanently added to the user's music library.
7) Knowing users will be able to "order" specific music via a web interface by accessing a web site (actually located on the user's computer) via a web browser. The worm will silently edit the browser's history file to erase the record of this access.
How could such a worm be combatted?
1. Legal assaults on users would become difficult; there will be continuous trading of music over the net. Much of it will be entirely innocent; the result of the worm running on the computers of innocent "victims." This will provide a smokescreen for the activities of knowing users. It will be extremely difficult to prove that somebody is a knowing user, since the patterns of download to any individual user will be similar to knowing use. Many unknowing victims will accidentally add some of the downloaded music to their permanent libraries, because a lot of people do not keep careful track of the contents of their music libraries.
2. Virus scanning and firewall software could be employed, but many users do not keep their protective software up to date. Attempts to eradicate similar worms employed by spammers have not been particularly effective. And with the music worm case, many of the "victims" would actually be secret users, intentionally abetting the worm's presence on their computers.
3. The RIAA could distribute counter-worms, which would infect computers and delete music, or gather evidence of intentional trading. However, this would require the music industry itself to engage in an ongoing illegal activity. Moreover, it would be relatively unsuccessful in targeting the technically sophisticated knowing user, who would have a strong incentive to block such worms.
-
People already don't patch their Windows boxes...
And as a result, all the worms and viruses keep spreading, slowing down the network, and helping spammers. Now they're going to make people pay to download the patches? Imagine some guy rear-ending you on the highway because GM made his car with faulty brakes, and charged money to fix the problem, and the car owner decided he couldn't/wouldn't pay the money. Remember, most of these viruses/worms affect everyone, not just the people with infected boxes. The last thing we want to give people is another reason to not apply the patches.
-
Re:My approach
the only really reliable approach I've found is IP blacklists for repeat offenders
I also use IP blacklists (locally compiled and various RBLs) but this is becoming less effective as the spam gangs are moving to using their own army of proxies rather than the traditional exploitation of open relays or throw-away accounts. I'm not saying that ISPs shouldn't be responsible for what emanates from their networks, but these trojaned users are a very different kettle of fish than spammers having "pink contracts" with spam-friendly ISPs.
-
they mentioned sobig...but the thing is so slimy, no one really knows how it works yet, except that it's another fine mess brought to you by Microsoft's crappy software. I did not think it would take long for credit to be given where credit is due.
Why don't you go back to your interests, Interests: Space, music, psychological warfare and put up a firewall or something to protect your fine FrontPage work from evil hackers? I see your host runs Red Hat for you, but do you know what your home computer is doing for you?
-
Re:FUD
It's not FUD. You have to realize the concept of a reverse-proxy is not something most NY Times readers are going to understand, so those details get left out a lot. But this really is what's happening. More technical details are here:
http://www.lurhq.com/migmaf.html
Also search Google Groups for "onlycoredomains.com"
-
Technical details
There is a technical writeup here:
http://www.lurhq.com/migmaf.html
Mirror: http://www.joestewart.org/migmaf.html
-
Ollydbg
Hadn't seen this mentioned in the book or in any comments so far: If you are wanting to get started reverse-engineering on Windows, you don't need to shell out big bucks (or pirate) softice unless you plan to do hard-core driver/kernel debugging. Seriously, check out Ollydbg. It's freeware AND it kicks ass. I'm using it to do almost all my reverse engineering now.
Here are a couple of beginner-level articles I've written on reverse-engineering malicious code:
-
Technical writeup of the SoBig worm
There's a really nice technical writeup of the mechanics and evolution of the SoBig worm here. Fairly scary stuff.
-
Re:This would be SO easy to correct...
> JUST RUN A DAMN VIRUS SCANNER ON THE FREAKING EMAIL SERVER!
It's a big part of the solution, but it will not stop certain viruses. For sobig, there is a high possibility that the initial "seeding" of the virus is done by spamming it out to hundreds of thousands of users. This is very likely because it is suspected that a spammer is behind the spread of sobig.
This would infect a great number of people before AV vendors have a chance to push out signatures. The only way it could be thwarted is by heuristic scanning, which can never be 100% effective. (But can be quite good - messagelabs is catching these before signatures are available)
Just this week there was a phony "apply this critical patch" mass-spammed to countless users, with the URL "windows-update.com" (as opposed to the genuine windowsupdate.com). This fooled a lot of people into clicking through to the site, where they were immediately exploited if they were using IE without the June 4 hotfix. At this point they became part of an IRC trojan botnet. Even heuristic email virus scans would not have caught this.
-
Re:A (very) nice virus again
There is a payload, but it is not immediately obvious. Like every sobig variant, its job is to download a second stage trojan. Check out the whole story of what sobig.a (and likely all the rest) are supposed to do after infecting you: http://www.lurhq.com/sobig.html
-
Too little, too late
Most spammers no longer use open SMTP relays. They have shifted to buying several broadband connections and pumping spam through open HTTP/Socks proxies. This gives them the advantage of being able to randomize/personalize messages to get past spam filters. Also it lets them actively test for bad addresses, since they are maintaining an end-to-end SMTP connection and can read the protocol responses. In the old method of "relay rape" the bouncebacks never made it back to the spammers, so their list integrity would degrade over time.
Here are some articles covering proxy abuse and the Sobig virus/Spam connection which detail some of the current techniques of spammers and how to fight them.
-
Re:wtf is going on here?
More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.
A look at ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.
It's called "Crossing the Line: Ethics for the Security Professional"
-
Open proxies
This is the primary method of spam distribution today. If the spammers are smart, they are staying away from the Sobig.a proxies on port 1180/1182 due to the fact they will allow anti-spammers to quickly track down the spammer's real IP address. If it truly is a handful of big time spammers sending the bulk of the email, one could make a pretty big impact on them this way.
-
Untraceable
"It's untraceable. I hate to put that in print, but it's the truth."
If the spammer uses the proxy/trojan installed by Sobig.a which listens on port 1180 (socks) and 1182 (http), it's very traceable. You need only the password to the proxy management station (it's "zaq123") and you can watch the traffic or shut it down altogether.
See this analysis of Sobig and Spam for more details.
Of course, this MBIWYL (may be illegal where you live)
-
Spammers and proxies
Spammers almost always use proxy servers to disguise their true IP address. This blind dependence on an army of proxies is actually a weakness. The more proxies they use, the more likely one is actually a honeypot (honeyproxy). Recently it was discovered that the Internet is being seeded with hidden proxy servers by the Sobig.a (BigBoss) virus. Unfortunately for the spammers, the password for the proxy server console was also discovered, allowing anti-spammers to watch their comings and goings and log their true IP addresses. Not that I recommend doing that, (as it could be illegal in most countries), but the password is here: