Malicious E-Cards - An Analysis of Spam
smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."
Interesting take. I know my wife likes ecards because it is of course free which beats a card and stamp. She doesn't use them very often, except when she comes across a particularly funny or expressive one, and only when we forget to get a real card... :-)
---
Mod me down...I'm already -1....woot!
Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
I was having a discussion with a friend the other day about Outlook email virii, and I quite frankly wasn't sure anymore. If a windows box is completely updated, is it possible for an email to be able to unload/execute a virus without a user opening an attachment or clicking on an off-email link? Any examples?
--
RumorsDaily
ActiveX actually lets a webpage rewrite your wmplayer.exe file with its own version. If an ActiveX control can rewrite any executable on a Windows box, then I assume that any piece of the Windows kernel is vulnerable. This leads to a larger question, which is, "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?".
What really annoys me about e-cards is that even the legitimate ones look like spam, so much so that not only does the spam filter flag them, but I have trouble deciding if someone is being nice to me or trying to exploit my system.
With regards to the article, that's definitely one of the nastiest browser exploits I've seen in a long time, makes me glad I don't use windows and IE.
Let's make a difference
Why do the poor virus writers go through all this trouble anyways? Don't they know they can get 60% of the machines out there with just an e-mail with an attachment?
Then again, nowadays a lot of attention is being focused on trojan horses. What about real viruses - something not even hackers can figure out easily? It can't be too hard to write a trojan horse which pretends to be a cool little game for a month or so - before deleting all your files. Can it?
This story is presented as an example of the bad things that can happen from opening spam in Outlook ("If you're still using Outlook and Internet Explorer, this is a good time to find alternatives"). But the story doesn't point to any actual issue with Outlook, only exploits in Explorer that allow downloaded code to be executed remotely. The Outlook bashing seems out of place.
--
RumorsDaily
That's the point! There's no "crapware" - it's a simple file overwrite! If you're running as Admin..., you won't notice at all - your media player will just suddenly stop working.
About a year ago, German email users have been spammed with similar e-cards, which claimed to need a special presentation plugin. The "plugin" actually dialed an expensive premium-rate service number. Despite thousands of victims complaining about high phone bills, it took about a year to stop this kind of fraud.
I had FILEMON running (it monitors all disk i/o) and I navigated Mozilla to http://search.microsoft.com/ and entered a query in the second search textbox. Wscript.exe was fired up and it showed in FILEMON.
My solution: I renamed wscript.exe and cscript.exe so they can't execute.
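As an added defensive example (not code from the article or from any of the posters above): a small baseline-and-verify integrity check that would flag both the silent wmplayer.exe overwrite described earlier in the thread and a renamed wscript.exe. The file names and contents are constructed in a temporary directory standing in for the Windows directory.

```python
"""Baseline-and-verify file integrity check (added example, not from the
article).  Hashes a list of executables once, then reports which ones were
overwritten or disappeared, which is how a dropped wmplayer.exe or a
renamed wscript.exe/cscript.exe would show up."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its hash; a path that does not exist is recorded as None."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def verify(baseline):
    """Compare current state to the baseline and return the differences."""
    report = {"modified": [], "missing": [], "new": []}
    for path, old in baseline.items():
        cur = sha256_file(path) if os.path.isfile(path) else None
        if old is not None and cur is None:
            report["missing"].append(path)
        elif old is None and cur is not None:
            report["new"].append(path)
        elif old != cur:
            report["modified"].append(path)
    return report


def demo():
    """Constructed scenario: fake system executables in a temp directory,
    then wmplayer.exe is overwritten and wscript.exe is renamed."""
    d = tempfile.mkdtemp()
    wmp, wsc, csc = (os.path.join(d, n) for n in ("wmplayer.exe", "wscript.exe", "cscript.exe"))
    for p in (wmp, wsc, csc):
        with open(p, "wb") as f:
            f.write(b"MZ original " + os.path.basename(p).encode())
    baseline = build_baseline([wmp, wsc, csc])   # store this somewhere the attacker cannot write
    with open(wmp, "wb") as f:                    # simulate the silent file overwrite
        f.write(b"MZ dropped payload")
    os.rename(wsc, wsc + ".disabled")             # simulate the poster's rename
    return verify(baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be kept where the browser's scripting context cannot overwrite it, otherwise the same overwrite that replaces wmplayer.exe can also replace the record of its hash.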
There are many cases where you can communicate more -- and I don't mean a marketing message -- with pictures plus words than you can with just words. I do tech support, and I'm THRILLED when the person on "the other end of the line" sends me an HTML e-mail, because it means I can use the features of HTML mail to provide him or her a clearer, more visible explanation, and if that person has a decent Internet connection, I can even ask them to paste screenshots into their e-mails instead of trying to guess which client they have and how pasting attachments in it works, and then explaining it to them and hoping they understand.
Erik
Because Viruses can do better with some effort.
MSBlaster is still going around. My own average from installing a base WinXP (and forgetting the Blaster fix and other updates) is about two minutes to being infected with the Blaster worm. A friend's personal best was when he was plugging his laptop into the university's network for a bit. After sixteen (16) seconds, his machine had blaster installed and got the RPC to reboot!
E-mail just can't beat those times.
There's a fundamental difference between starting an external viewer to view a downloaded file, and just executing the downloaded file. It's not the browser's fault that the external viewers have scripting languages that cause security issues, is it?
There's nothing wrong with viewing something in Acrobat Reader. I appreciate that when I see articles in Word format that Firefox opens OpenOffice.org's swriter for me.
Fire{WHATEVER_WEEK_THIS_IS} doesn't, so far as I know, do this: that is, allow a script to create a new instance of the browser's internal engine, run an HTTP GET with it, and save the resulting datastream as an executable file.
No browser should ever have been written with the ability to do this, and worse yet, IE does it without a single warning to the user!
Go to web-site, get a new OS!
And to make it even more ridiculous, it's in a textarea that thanks to a Microsoft extension is not displayed! Did no one at Microsoft stop to think that there's no good reason to have a hidden textarea (as opposed to a hidden input tag)?
To the contrary, they considered it a positive feature! Why? Because Visual Basic "programmers", a core Microsoft constituency -- I don't mean to be harsh, I'm largely self-taught myself, but it has to be said -- some Visual Basic programmers might well not be educated enough to save a key value in a hidden field (to present later to the server, essentially as a "cookie" with the lifetime of one form GET to POST cycle), and instead might save a whole freaking block of text. And so Microsoft accommodated the lowest common denominator of Frontpage wizard user turned self-styled "programmer".
Was no one thinking about security at Microsoft? My guess is this: all Microsoft was thinking of was that this would enable Visual Basic programmers to "leverage" the Microsoft browser to easily write all sorts of wonderful revenue-generating applications that as browser scripts would effectively run on servers and thus would never have to be sold to end-users, but instead rented over and over, guaranteeing customer lock-in for vendors and thus vendor (and customer) lock-in for Microsoft.
I mean, Christ. This is just a travesty, and an open invitation to all sorts of mayhem. I knew Microsoft didn't give a rat's ass about security, but I never knew javascript could be so bad.
I tested a bit of it against my standard Proxomitron filters, and I'm not sure that I'd have blocked it.
Except that this particular script stupidly hard-codes saving the executable to drive C:, and thanks to some Windows screw up when I was forced to re-install it, thankfully for the last six months, C was read-only on my PC, having been accidentally assigned by Windows to my CD-ROM drive.
I'll switch my drive assignment back today, and make C my CD-ROM (and that's security through obscurity) once again.
What the hell?
Opinions on the Twiddler2 hand-held keyboard?
You could just simply not view messages from people you don't know. This would solve the majority of problems. I mean if I don't know you, I don't read mail from you. I mean there are times when I take the chance, but let's face it, how often do random people email your personal account? And if you're talking a webmaster or sales account, then yes, turn off html, or have your IT guy set up your securities properly.
Anonymous Cowards - Oh God, How I hate you
Here's a honeypot idea: use the "spy.htm" code to add a machine to the attacker's "spy" log, then wait....