Malicious E-Cards - An Analysis of Spam
smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to overwriting wmplayer.exe, this particular piece of spam is a rather nasty one."
While I commend the original article as an interesting dissection of an attempted attack via spam, the heading is a little sensational. It mentions Russian spyware sites, but the site in question is Spylog.com, a reputable Russian monitoring site. Not everything on the Russian internet is malicious, and Spylog does some good work on reporting statistics about the Russian internet.
Just a minor correction.
Once again /. offers excellent analysis. spylog.com is not spyware. It's site statistics. In fact the article author says spylog.com is used to gather statistics. Slashdot editors don't read the articles?
Win98 is supposed to be gone, or no longer supported.
Assuming that, and that your WinLusers are running current versions of Windows with actual security, and they're running as regular users, a web page CAN'T overwrite anything because regular users don't have write permissions in %systemroot% or in Program Files.
Problem solved. Without a script blocker or any other third-party garbage.
Use Evolution instead of Outlook? Bewa
How do you think Outlook displays mail? Last I checked, it embeds the IE control.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I think you have to be Administrator for the re-write to work. Then again, most of the people I know run as administrator, so ...
Quote from that article:
Conclusion
If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest FireFox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.
Or alternatively, you can use an HTML disabler like noHTML for Outlook Express.
Massive by Design
There's Trend Micro's HouseCall, which is an ActiveX applet that runs virus scans. Actually, most diagnostic web sites have ActiveX. Also, PowerLeap's InSPECS system requires IE with ActiveX enabled.
This or a very similar attack has been around since at least November 2003. It makes use of an exploit that is supposed to be fixed by the latest IE patch:
Cumulative Security Update for Internet Explorer (832894)
> Hey Microsoft -- this would be a HINT for inbound type files:
> $ chmod 700 a.exe
Similarly, deny Execute permissions in %temp% to regular users and even power users with NTFS permissions. Sure, this isn't done by default, but it only needs to be set once.
In a corporate environment under Win2K or XP, you can deny Execute permissions for the entire Documents and Settings folder, where each user's %temp% is stored, and also for %systemroot%\temp if you actually still run 16-bit programs.
Support shareware :-)
A feeling of having made the same mistake before: Deja Foobar
Tell you what sparky -- YOU try that across an enterprise type installation. Actually there is ONE (1) remaining application running across any of my networks that requires Windows (2K) boxes to remain until something else is phased in: AUTOCAD.
Go ahead -- try to install and run AutoCAD (2004 release) with Architectural and Mechanical desktops loaded ... as a regular user. I'd love to see you get AEC content networked and working on a local machine as a regular user. Good luck.
Fortunately the engineering types are special. They've got TWO computers now. 90% of their work is done on CAD which is Windows right now -- the other 10% they tap the Mac for services (file processing, email, web, word, whatever).
Every other sub-system requiring Windows has been replaced (for us -- started in 2000) and I have to agree with you 100% otherwise: regular users have no reason to run anything as administrator or "root". Just can't do that in the Windows world...
Sure, and then your CD burner doesn't work. Or your scanner doesn't scan. There are LOTS of end user programs out there that assume and require that you run with Admin privileges.
That being said, having IE download and run executables remains risky even if you are not admin: a trojan/backdoor can just as easily run from your home directory or your own "Startup Items" folder.
The intrepid attacker can then run all manner of other exploits/social engineering once he has a local IRC zombie. Of course, the sad truth is that none of this is necessary. Just send a plain zipped virus.exe and lots of people WILL run it.
Go check it out. It's really, really, good, and free, as in, well, um, beer?
I have spent too many hours building elaborate rule sets, banning Class A IP's, keyword filters, etcetera. The spam still gets through and it carries nasty payload half the time. Bayesian...bayesian... bayesian...
Switch off HTML formatting for Outlook. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;307594 on how to do it.
I'm forced to use IE at work with the "prompt before accepting activeX components" option turned on. You think pop-ups are bad, you should try this! It seems to be used for any kind of plugin (flash, etc), and most pages with adverts, even slashdot, contain activeX of some kind. It really highlights how dangerous IE is - even when you're prompted, you don't know what you're accepting - you could be trying to view a PDF file - and if you accept it you are compromising your system, even if it's just user files at risk. When you consider the number of people routinely running potentially dangerous activeX components without realising it just by surfing the internet...it's unbelievable.
If I seem short sighted, it is because I stand on the shoulders of midgets
How do e-card services make money?
The less moral ones sell the email addresses they harvest from every e-card, both sender and destination.
To prove this, get 2 fresh email addresses. Send an e-card from one to the other. Watch the spam roll in.
CD burners: Roxio EasyCD Creator 5 and later work as regular users.
Scanners: I know HP doesn't support some older scanners under Win2K. Later HP ones, especially USB based ones, work fine as a regular user. The combo printer/scanners I've seen work fine as a regular user.
Programs that require Admin: That's why we have competition. I've massaged some badly behaving apps into working as a regular user - it's not hard to loosen up the minimums an app "needs". It's even easier to go to their competition (Quickbooks vs Simply Accounting: One works as a regular user, one requires "power user." Which one did I recommend?)
As for the plain "zipped-idiot.exe" e-mail? That's what Outlook 2000 and later are for: "Outlook has blocked access to the following attachments: this-is-a-bomb.exe/scr/bat/com/etc"
> and not a happy compromise like Win 2K's "Power User"
Power User is pretty powerful. I believe it can overwrite files in the Program Files folder, so it is almost as dangerous as Administrator. I'm usually running as Restricted User on Win2K; the RunAs service works reasonably well for installing new software or tinkering in Computer Manager.
> Well if Rise Of Nations ((C) MS) would just run WITHOUT being an admin, I'd switch
> to a normal user in a blink..
Can't you log on as a normal user and then do a `run as administrator` on it?
spam filter:
"viagra", +9
"herbal", +6
"natural", +6
"to be removed", +5
"free", +2
"!!!", +2
You get the point. You can toggle things like loading external graphics etc. It is really a mail client for power users. Shareware, but one of the few programs I ever purchased.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
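The weighted-keyword filter sketched above, worked through as a small scoring engine. This is an added example and not the poster's client or any product's code: the weights are the ones listed in the post, while the threshold, the whole-word matching rule and the two sample messages are assumptions made for the example.

```python
import re

# Weighted phrase rules in the spirit of the list above. The weights are the
# poster's; the threshold, the word-boundary handling and the sample mail are
# assumptions made for this example.
RULES = {
    "viagra": 9,
    "herbal": 6,
    "natural": 6,
    "to be removed": 5,
    "free": 2,
    "!!!": 2,
}
SPAM_THRESHOLD = 8


def _compile_rule(phrase):
    """Alphanumeric phrases match whole words only ("free" must not fire on
    "freedom"); punctuation rules such as "!!!" are plain substrings."""
    if re.fullmatch(r"[a-z0-9 ]+", phrase):
        return re.compile(r"\b" + re.escape(phrase) + r"\b")
    return re.compile(re.escape(phrase))


COMPILED_RULES = [(phrase, weight, _compile_rule(phrase))
                  for phrase, weight in RULES.items()]


def score_message(text):
    """Return (score, matched_phrases). Each rule counts at most once per
    message, so repeating a word does not inflate the score."""
    # Lower-case and collapse whitespace so a phrase split over a line break
    # ("to be\n removed") still matches.
    normalised = re.sub(r"\s+", " ", text).lower()
    score = 0
    matched = []
    for phrase, weight, pattern in COMPILED_RULES:
        if pattern.search(normalised):
            score += weight
            matched.append(phrase)
    return score, matched


def is_spam(text, threshold=SPAM_THRESHOLD):
    return score_message(text)[0] >= threshold


# Constructed sample messages (not real mail).
SPAM_SAMPLE = ("Natural HERBAL alternative to Viagra!!! Free trial today.\n"
               "Reply with 'to be\n   removed' to stop receiving offers.")
HAM_SAMPLE = "Hi Bob, the meeting room is free on Tuesday. Regards, Alice"

if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, HAM_SAMPLE):
        score, hits = score_message(sample)
        print(f"score={score:>3} spam={is_spam(sample)} hits={hits}")
```

Counting each rule once per message and matching whole words keeps a single stray "free" in a legitimate mail from tipping it over the threshold, which is the usual complaint about naive keyword filters.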
XP does have "power user"
This argument has been going on forever.
And, IMHO, is only partly correct.
Windows and its apps have many "by design" security flaws.
Short list:
- Horrible data-binding in many apps (IE/Outlook/etc)
- Enabling scripts in emails to run in the local zone
- No warnings for insecure passwords
- NetBIOS open by default for the internet
- IIS, period
- Null sessions
- Password hashing flaw (L0pht)
Some of these are fixed, some are not.
Apache runs on the majority of servers, and it isn't by far hacked as much... just figure.
The path I walk alone is endlessly long.
30 minutes by bike, 15 by bus.
ActiveX is not sandboxed at all like Java is. So, like any powerful tool, it can be used for both good and bad.
Windows Update depends on ActiveX to determine which updates a user already has. Many virus-scanning websites need to be able to read (and, when cleaning, write to) every file on the system, so they need ActiveX too.
When it comes down to it, ActiveX controls are just as powerful as any other executable, which is why the user is presented with a security certificate before they run. I think the critical flaw in ActiveX is right there at that dialog box, because the default answer is "Yes" and users don't read the whole thing to understand what it means.
features of HTML mail ... paste screenshots
And pasting a screen shot into a word processing document, then attaching that is not OK? Yes, a little more work, but the benefit is safer Internet use for the rest of us.
Email is Email. HTML is for Web pages. The marriage of the two (Thanks Bill!) makes SPAM more dangerous, lets the email sender track you (via 1x1 images), and makes email messages MUCH larger thereby wasting bandwidth.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
I have been putting my spam with full headers here, and hope that people investigating can use the info in the headers like IP addresses, gateways, aliases etc. As it is cached in Google, the results should show up for specific keywords.
If you are spam hunters, please be my guest and fry some spammers a***
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
It gets worse. Microsoft does not provide a standalone download to update IE. The only way to get the update is to run the stub they provide, which starts up IE as Administrator!! No wonder many machines get p0wn3d during patching.
I always send them to myself, to an address that already gets TONS of spam. Then I simply forward the card to whoever, and let them know I sent it to myself to respect their e-mail privacy.
Which brings up a good question. Would anyone be offended or mad at someone who sent you an ecard to an e-mail address you keep clean of spam?
Quitters never win, Winners never quit, But those who never win and never quit are idiots.
The image being part of the message is supposed to be a good thing?
I never, ever, send mail in an HTML format. But I always send photographs and other stuff like that as urls (plaintext URLs, which most modern mail readers sense and interpret as web-links) to images I store on my webspace somewhere.
Why shuttle around bloated email attachments?
---
What sucks is that Microsoft (thanks, Bill!) decided to use IE as the viewer for emailed HTML (specifically, it's the core part of IE that's being recycled in Outlook, effectively IE). So not only can an Outlook bug get you, you'll get double-dipped by any IE bugs that are out there. Lovely!
Actually, that bit of code just downloads the malicious .EXE. It's a bit dodgy that it's allowed to do it automatically (after all, it could be asking for http://spy.malware.com/cgi-bin/report?firstname=John&lastname=Doe&underwear_type=boxers...), but it's not an instant security breach itself. The actual bug is...
...which overwrites Media Player with the downloaded malware using ADODB.Stream (which probably never should have been enabled as a trusted ActiveX control in the first place, and certainly shouldn't be automatically overwriting files without user intervention).
Range Voting: preference intensity matters
I dunno about shift-click, but I just click the little wheel on my mouse on a link and Mozilla opens it in a new tab. Which I (personally) think is way friendlier...
On Firefox 0.8, Shift-click certainly *does* open a new window, so I don't know what you are talking about. However, I've gotten so used to middle-click (open in new tab), which is quicker, that I had not checked before. Get Firefox instead.
TANSTAAFL
Windows 2000 and up have "run as" functionality, which allow you to run binaries as another user (normally Administrator). Just right-click on it.
I have everyone running as "Power Users" on Win2k desktops, and I'm considering trying to get that down to the lower setting where nothing can be installed.
WMBC freeform/independent online radio.
I still use IE because Mozilla doesn't SHIFT+Click with the same behavior (open in new window) as IE ... I won't even talk about that stupid dinosaur splash screen.
Wow, are you trolling or what? First of all, as of this writing, shift-clicking on a link in FireFox (formerly Firebird) does open it in a new window, although god knows why you'd want to do that when you can middle-click to open it in a tab in the background instead.
Secondly, the "stupid dinosaur splash screen" (which I loved) has been gone for about 4 release versions of Mozilla now, to be replaced with a hideously drab orange box with 'Mozilla' written in it. Now that we've compromised on an ugly splash screen, no one's happy. Hooray for attempting to pander to everyone!
Random and weird software I've written.
Remember Pivx Labs, the folks that used to host the "21 unpatched vulnerabilities in IE" page and have since switched to being slight MS apologists? They've got a nice product which is (currently) free. What they basically did was to tighten down Windows via things from standard settings to registry tweaks to a degree which most users won't notice. Several of the recently discovered IE vulnerabilities wouldn't have worked, and Blaster wouldn't have worked either under these settings.
After trying it on my workstation for a couple of weeks, I've started deploying it to others. It seems to interfere with Norton Antivirus, though not McAfee (which is what UMBC machines should be using anyway).
I also send out the desktops with Mozilla, Media Player Classic, RealAlternative, etc. If people want IM, I try to recommend GAIM. Open source apps tend to have been "written in a more paranoid age" as another poster put it, and also can't as easily get away with doing dumb crap. I also remove the IE and Outlook shortcuts from the desktop (but leave the IE shortcut in the start menu, because the eternally pending PeopleSoft requires it).
Clickety click.
God invented whiskey so the Irish would not rule the world.
Switch back to Slashdot's D1 system.
If you are in the area, and have sufficient curiosity, you can use this map to guide you to the location mentioned above.
DISCLAIMER: it is possible that the UK NIC has the wrong information. It is possible that adversting.co.uk have nothing to do with a.exe (their web server may have been compromised).
View -> Message Body As -> Plain Text
The "Administrators", "Users", and "Power Users" groups all exist on WinXP Home & Pro. Of course, you need to know to go into the MMC Computer Management snap-in and change the users' groups manually.
//Information does not want to be free; it wants to breed.
E-cards, and party-organising sites too.
I also nicely ask people who send me 'interesting' stuff (jokes/politics/whatever) and cc people I don't know not to do it again. The second offense, I am ruder. I have had no spam ever on my 3 yr old yahoo address...
I've been using The Bat (www.ritlabs.com) for about 5 years now, and it's great. No worms, no virii, no pop-ups, no crap. I view all my email as text. And they've been continuously improving the product.
Where to start... I finally ditched The Bat! after my five years last week, and good riddance.
The UI has not evolved, sure lots of new features get added over the years, but they all end up as hacks into an already clumsy interface.
The UI is a classic case of a few -really- good features (I do appreciate them) surrounded by poo. Auto-formatting in the text is useless; NEVER paste some code and try to annotate it, and turning it off leaves everything else looking ugly. Even Outlook manages to format its messages better.
The UI displays a classic 'designed by the developers' illness. They can't see its flaws because they're too embedded in the development. If they'd just employ a professional UI designer to re-jig it, and actually do the things suggested, then it would be a world-beater.
And you now have to upgrade ($$$) to the latest version to stay current. It's just the same as the old one, hardly any worthwhile new features. A money-spinning enforced upgrade of the most cynical sort.
If you want its fantastic filtering systems, wonderful templates, clever widgets, superb PGP support etc., and are prepared to put a lot of effort and patience into learning and using it, then I heartily recommend it.
If all you want to do is write emails to people, and read ones you receive, save yourself time and money by looking elsewhere.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
I try and make my kids run using an account without Administrator rights on their games machine, unfortunately that is a complete nightmare. Every few minutes it's "Dad... I can't install Megablaster 2 Railgun Edition" or "Dad... Flopsy Bear Print Studio says access denied".
And this is after spending a great deal of time putting friendly NTFS permissions onto their "c:\games" directory. If only makers of entertainment software would clean up their act! Surely these things don't actually NEED to have root all over the place.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
Here's a whole page of dialers that do stuff like that. A bigger problem in Europe I've heard.
then it's OK for you to write viruses and trojans (like weatherbug).
From everything I've read, WeatherBug isn't a trojan...it's adware and will put banners on your desktop for the service it provides, but they're rather up-front about that.
Perhaps you mean WeatherCast?
Yes, that works fine until your friend gets an email virus and sends an infected mail to you.
"What really annoys me about e-cards is that even the legitimate ones look like spam"
Send people a tutorial on how to _attach_ the cute picture to the email, and write the text themselves?
Saves us all time...
The only real "exploit" here is the ActiveX installer. Most email clients render plain-text URLs clickable anyway.
There's a reason why this stuff is written with ActiveX controls - they look official, like they're from the operating system. Disable ActiveX and watch the spyware go away. It seems most people know not to download an .exe but think ActiveX, especially when it's "signed," means that it's safe.
Out of curiosity, I tried to make my own version of the exploit. I didn't overwrite WMP, but I had it write a file to disk.
On Win2k/IE6, I get two warning dialogs.
On my coworker's XP machine, it just plain doesn't work.
Maybe if we had done stuff with HTML mail instead of inside IE it would have worked...
I'll add:
- Using file name extensions to identify files and to choose what will process the contents of those files
- Hiding those same extensions by default
These alone are a large part of the problem with Windows security.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I downloaded a.exe out of curiosity, and have been analysing it. The file contains a number of very interesting strings, which make it quite obvious that this program attempts to hijack the user's personal login information as they log in to various popular Internet banking services.
The strings are (trivially) encrypted, by XOR'ing each character with 255. They make frightening reading. I have listed some of them below.
Of particular interest are the five at the top. Seems as if the details are uploaded to one of two FTP sites, and the exploit may affect people using Opera as well as IE. Don't know how though - Opera has never seemed anywhere near as buggy.
64.191.23.212 21 ircd thepassw0rd https
http
Internet Explorer
Opera
69.93.102.218 21 logi bbzaza123 hangseng
HSBC
bank
ufjbank
... continues for 152 more of these.
I tried to log in to those FTP sites, but no luck :(. I would have taken great delight in deleting the lists of account numbers that had undoubtedly accumulated.
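The single-byte XOR obfuscation the poster describes (each byte XOR'ed with 255) is common enough that it is worth having a small string-recovery routine for it. The following is an added analysis example and not the poster's tooling or the sample's code. It assumes the analyst already knows one marker string that must appear in the decoded output (here "http", which the post lists), and it builds its input blob in memory from a few of the benign strings in the post rather than reading a real binary, so it runs offline.

```python
import string

# Printable ASCII minus control whitespace; a "string" is a run of these.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data, key=0xFF):
    """XOR every byte with a single-byte key. XOR is its own inverse, so the
    same call both obfuscates and recovers the data."""
    return bytes(b ^ key for b in data)


def extract_xor_strings(blob, key=0xFF, min_len=4):
    """Decode `blob` with `key` and return the printable runs of at least
    `min_len` characters, in file order (a `strings`-style pass after XOR)."""
    decoded = xor_bytes(blob, key)
    found, run = [], bytearray()
    for b in decoded:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def find_keys(blob, marker=b"http"):
    """Brute-force all 256 single-byte keys and return those under which the
    known marker string appears in the decoded output. Assumes the analyst
    knows at least one string the sample must contain."""
    return [k for k in range(256) if marker in xor_bytes(blob, k)]


# Constructed sample: a fake header followed by XOR-255 obfuscated strings
# taken from the post, separated by non-printable filler bytes. This is not
# the real a.exe, just a stand-in that exercises the routines above.
SAMPLE_BLOB = (
    b"MZ\x90\x00"
    + xor_bytes(b"Internet Explorer") + b"\x00"
    + xor_bytes(b"Opera") + b"\x00\x01"
    + xor_bytes(b"HSBC") + b"\x02\x00"
    + xor_bytes(b"ufjbank") + b"\x01"
    + xor_bytes(b"http") + b"\x00\x02"
)

if __name__ == "__main__":
    keys = find_keys(SAMPLE_BLOB)
    print("candidate keys:", [hex(k) for k in keys])
    for k in keys:
        for s in extract_xor_strings(SAMPLE_BLOB, key=k):
            print(f"  key {k:#04x}: {s}")
```

Searching for a known marker is more reliable than picking the key that yields "the most printable text": keys that differ from the true one only in a low bit (for example flipping letter case) also decode ASCII to ASCII and would tie on a printability score.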
I'm amazed that no-one has yet posted an analysis of the final payload 'a.exe'.
This decompresses and drops 'ra32.exe', 'lanext.dll' and 'lanman.dll' into the Application Data\Microsoft folder, and sets ra32.exe to run on startup through a HKCU\Software\MS\Win\CV\Run registry entry.
These files act as a keylogger. When they see one of a built-in list of online bank sites being used, they log keypresses for a bit and upload the result via FTP to a server controlled by the attacker.
Bizarrely, for me in Windows 2000, it also opens an alert box with the message 'timediff' every 60 seconds. Bug?
No, you are wrong.
A very simple example is an HREF that seems to be pointing to a trustworthy site, but really points elsewhere.
In fact, Slashdot specifically includes defenses against such simple tricks.
For example, http://www.TrustworthySite.com.
In a plain text reader, it would be obvious that it really links to http://www.NastyEvilDoer.com
Here's what I do: Bitty Browser & Andromeda
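The deceptive HREF described in this post, and the 1x1 tracking images mentioned earlier in the thread, are both things a mail client or gateway can flag mechanically before anything is rendered. The following inspector is an added example, not code from any client discussed on the page; it uses only the standard library, and the sample message is constructed here around the poster's placeholder site names (TrustworthySite.com, NastyEvilDoer.com) plus a made-up tracker host under the reserved .invalid domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _host_of(value):
    """Return the host named by a URL or bare domain, with a leading "www."
    dropped so www.example.com and example.com compare equal. Returns None
    for ordinary link text such as "help page"."""
    value = value.strip()
    if not value:
        return None
    if "://" not in value:
        if " " in value or "." not in value:
            return None
        value = "http://" + value
    host = urlparse(value).hostname   # already lower-cased by urlparse
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


class MailInspector(HTMLParser):
    """Collects two kinds of findings while parsing HTML mail:
    - deceptive_link: anchor text names one site, href points at another
    - tracking_pixel: remote image of 1x1 (or 0x0) pixels"""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href") or ""
            self._text = []
        elif tag == "img":
            width = (attrs.get("width") or "").strip()
            height = (attrs.get("height") or "").strip()
            src = attrs.get("src") or ""
            # A remote 1x1 image exists only to report that the mail was opened.
            if (width in ("0", "1") and height in ("0", "1")
                    and src.startswith(("http://", "https://"))):
                self.findings.append({"kind": "tracking_pixel", "src": src})

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            shown_host, real_host = _host_of(shown), _host_of(self._href)
            # Only flag when the visible text itself names a site that differs
            # from the real target; "click here" style text is left alone.
            if shown_host and real_host and shown_host != real_host:
                self.findings.append({"kind": "deceptive_link",
                                      "shown": shown, "href": self._href})
            self._href, self._text = None, []


def inspect_html_mail(html):
    """Parse an HTML message body and return the list of findings."""
    parser = MailInspector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample e-card mail (not a real message).
SAMPLE_MAIL = """
<p>Your friend sent you a card! View it at
<a href="http://www.NastyEvilDoer.com/card?id=42">http://www.TrustworthySite.com</a></p>
<p>Questions? See our <a href="http://www.TrustworthySite.com/help">help page</a>
or visit <a href="https://www.TrustworthySite.com/">www.TrustworthySite.com</a>.</p>
<img src="http://tracker.invalid/open?id=42" width="1" height="1">
<img src="http://www.TrustworthySite.com/logo.png" width="120" height="40" alt="logo">
"""

if __name__ == "__main__":
    for finding in inspect_html_mail(SAMPLE_MAIL):
        print(finding)
```

The comparison is done on hosts rather than whole URLs so that a link whose text and target differ only in path or scheme is not reported; the second and third anchors in the sample show the two non-alarming cases.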
It does. See here: http://bugzilla.mozilla.org/show_bug.cgi?id=44863#c66
Unfortunately, there's no UI for this functionality yet.
Ronny