New IM Worm Installs Own Web Browser
Aquafinality writes "A new IM worm discovered recently takes the novel step of installing its own web browser onto the victim's PC. Ironically titled "The Safety Browser", its default settings actually make your PC less secure - switching on pop-ups, changing your home page and hijacking your desktop with a looped music track that plays every time you switch your computer on.
It's clear people cannot resist clicking "yes" to anything they're presented with via IM - with this in mind, what on Earth can we do to stop the spread of garbage like the above? To put it another way, will reducing the amount of potential "suckers" out there dissuade the bad guys from coming up with ever-more elaborate ideas such as this latest scam? Or is IM safety a lost cause?"
It's very hard to stop people executing something that's sent to them by someone they know - but for other vector methods, perhaps people should consider an IM client that doesn't include ActiveX.
Anyway, mildly interesting: the worm makes no attempt to hide itself, with a "You are beaten, it is useless to resist" desktop paper (!) and music on startup (from TFA): Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n' bass beats.
But not to worry XP SP2 users, you're protected.... again from TFA: snigger....
There are shills on slashdot. Apparently, I'm one of them.
Once again, fingers pointed at some conduit when the true culprit still seems to be Microsoft's OS. If I were to click the link in gaim, on a Linux machine (assume for the sake of argument, this browser is platform independent and would work on a Linux box)?
Probably not, because the typical default access for a Linux user is unprivileged (I've been working intensively in the Linux environment, and I'll bet I've not been logged in as a privileged user (i.e., root) more than two or three times a year during that span). But, an extremely significant percentage (I'll bet it's over 80%) of Windows users continue to be logged in with administrative privileges -- most without knowing and understanding what that even means.
Until there's a more consistent and pervasive culture (come on Microsoft, help out with this... how about a PSA campaign? You can afford it) where users have non-administrative logins, there's little to be done. I still see people on older machines where they haven't even bothered to configure users for their older Windows machines... and don't have the slightest concept of partitioned separate logins for distinct different users.
This isn't entirely IM's fault.
(In the meantime, if you're a serious PC user and you want some peace of mind, spring for the extra $500 for your own machine and make it yours and yours only. It's how I've set up friends who use their computers for business/profession who've nearly given up on PC technology what with (shared home) machines popping porn, running slowly, and going Toes Up on them. Sigh.)
Lost cause. Next article please.
Lies about crimes
Make "Yes" buttons, by default, HURT people physically.
I think safety is always going to be hard to push on people who don't seem to understand the importance of what you are telling them. I'm sure you'll know from your own experience how hard it is to get even your own parents to take adequate security steps. I don't understand what this virus is doing, though; surely you would notice a new browser and remove it? Certainly not use it...
As for removing the incentive for people to do this I think it will be hard; there will always be a few "suckers" and even 1 in a million can be profitable; so it'll be hard to stop it.
*''I can't believe it's not a hyperlink.''
> Or is IM safety a lost cause?
The question is sensationalist given the context.
The article describes a particular new threat - all good and well.
However, no information on the distribution of IM attacks is given. We have no idea if they are rare or frequent. How can it then be asked if IM safety is a lost cause? The question is almost orthogonal to the article; one cannot have a meaningful opinion about IM safety in general given only information about the *existence* of a particular, new threat.
As others have said, and no doubt will continue to say, you will not change the masses' behavior. The problem is not that people will click on things that look interesting, the problem is that the program will execute something presented to it.
There is no reason that *any* instant message client should ever execute other code, privileged or not. That is not the purpose of IM; IM is not a program launcher, it is a tool for communication.
It's for Windows and Internet Explorer only :(
Why can't this run on Linux?
liqbase
does the browser pass the Acid2 test?
The difference between stupidity and genius is that genius has its limits.
Next month, an IM worm will install not just a browser, but an entire operating system. It will be Linux, but it will be set up to give the worm owner complete remote ops. It will have basic mail, IM, web browsing and word processing all via the usual open source tools, and will be made to look something like Windows. And 90% of the people who wake up to find this new OS running on their system will simply use it.
You KNOW they will. That's the level of what we're talking about.
For one thing people have become accustomed to random stuff showing up on updates and upgrades. The remote operator will simply launch a splashscreen that says "A gift from Microsoft for your loyalty!" and people will go nuts. For another thing, there is a good deal of evidence accumulated over the many years of this malware war that the users who are keeping malware authors in business are total noobs. Many are developmentally disabled, or are children, or are computer phobes who avert their eyes when the machine "does something odd". Some are simply dumb as cabbages. They click "yeah sure, pwn me" on every dialog box because they are functioning as part of the attached peripherals and NOT an intelligent user.
No, I'm not bitter. I'm not being sarcastic. I've woken to the reality. This is our world, and we white hats are just a little slow on the uptake is all. What this suggests about computer ownership (like maybe you need an operator's license, as required with radio broadcasting, if you are going to traffic in the public sphere) is probably the next frontier of the discussion, that's all.
=^..^= all your rodent are belong to us
I know TC is not held in particularly high regard around here, but imagine this scenario:
1. An OS with a solid configurable TC implementation.
2. A knowledgeable computer user sets up the OS for the executable-running IM user.
3. The OS is configured to only run applications from certain vendors (Mozilla, StarOffice, Microsoft?).
I would love to have TC for my sister's computer. She has never had the need to run any applications besides the ones I have installed.
Or is this already possible with any OS? The ability to specify a list of allowed executables and the disability for a user application to change the list.
When you try to make everything idiot-proof, you just raise the quality of the remaining idiots.
--- Asking inconvenient questions for over 30 years...
Split the friggin' internet in half.
Give out odd numbered IP addresses to Linux users, and even numbered addresses to Windows Users.
Then Linux computers just turn off access from even numbered source addresses.
Problem solved.
Ok - time for bed.
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
As long as people will click "yes" to install/run some random bit of software, Mac/Linux/*BSD/etc. are not going to be any better than Windows. These aren't holes in the OS, they are holes in the user. Much of the malware (spam zombies, SSH password scanners, etc.) doesn't need any special privileges to run, so it could run as a normal user.
Something like SELinux may help, but then email/IRC messages can just come with instructions for the chcon command to run (people open encrypted ZIPs with the password in the body already; putting a command to "fix" a download is not that different).
Internet Explorer 7!
We can browse if we want to,
we can leave your friends behind
Cause your friends don't browse and if they don't browse
Well they're no friends of mine
I say, we can browse where we want to,
catch a virus we will never find
And we can act like we come from out of this OS
Leave the real one far behind,
It's not the OS's fault, nor is it the IM program's fault. It's the fault of ignorant computer users, no matter what OS they use, doing stupid things that they know they shouldn't be doing, even when they're told constantly.
Thankfully, their ignorance means more money and work for me in my business to fix their problems that they brought on themselves.
If they're stupid enough to open something from a program that they know could be bad, then they do deserve whatever they get.
It used to be smart people using dumb computers - now it's dumb people using smart computers.
Your email has been returned due to insufficient voltage.
In my 20 years of system administration I have often had people come to me and say "Peter, I just clicked the wrong button and my computer's acting funny." I've less often had people say "Peter, I downloaded a file to the desktop and opened it and my computer's acting funny." I've had several people say "Peter, I just clicked the wrong button AGAIN and I think I'm infected."
I've never had the same person come to me twice with "I've downloaded and opened a file and I'm infected." Give people even a small breathing space to think about what they're doing, without that reflex "gotta push a button" effect, and social engineering is MUCH harder.
So...
You can solve this for most people simply by not including a mechanism for running untrusted content. Don't pop up a dialog box asking "What do you want to do with this application you just downloaded? (Open) (Show) (Ignore)". Don't even ask "The file you just asked to open is an application? (Infect Me) (Cancel)". Just don't put the user in the position of deciding, right then, what to do with the file. Ever.
Firefox: get rid of the XPI install-from-web stuff. Let the user download the XPI and open it explicitly.
Apple: Don't "open safe files after downloading"... there are no "safe files".
Microsoft: get rid of ActiveX and security zones and for god's sake don't try and make .NET-in-the-browser into the next Active Desktop disaster.
All of the above: If it's a file you've got a safe application for... a *safe application*, not a *safe file*... open it explicitly IN THAT APPLICATION. Don't go "this is a ZIP file so I'll open it in whatever random program the user has for opening archives". Keep a database of safe programs to use on untrusted content like you keep a database of plugins people have explicitly installed. This would resolve SO MANY security issues... damnit.
(don't treat archives as "safe files", but that's another rant)
(in fact there's a lot of ranting I could add here...)
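Two ideas from this thread, the earlier post's fixed list of allowed programs that a user session cannot change, and this post's "safe application, not safe file" rule (open a download only in a vetted viewer, never execute it, never pick the handler from the file name), modelled together in Python. This is an added example, not code from the thread or from any client or product mentioned in it; the viewer names, the stand-in viewer binaries, the magic-number table's coverage and the sample downloads are all constructed for the demonstration.

```python
"""Download dispatcher that never executes untrusted content.

Added example (not from the thread). Models two defensive ideas:
  * a viewer allowlist pinned by an administrator that the user's
    session cannot edit (the "allowed executables" idea), and
  * "safe application, not safe file": a download is handed only to a
    vetted viewer chosen from its real content type, never run, and
    never passed to whatever program the desktop associates with the
    file name. Archives and executables have no viewer on purpose.
All viewer names, stand-in binaries and sample downloads are constructed.
"""
import hashlib
from types import MappingProxyType
from typing import NamedTuple, Optional

# Constructed stand-ins for the viewer binaries present when the administrator
# pinned the allowlist (a real system would hash the files on disk).
INSTALLED_VIEWER_BINARIES = {
    "image-viewer": b"constructed stand-in for an image viewer binary v1",
    "pdf-viewer":   b"constructed stand-in for a PDF viewer binary v1",
    "text-viewer":  b"constructed stand-in for a plain-text viewer binary v1",
}

def pin(binary: bytes) -> str:
    """SHA-256 of a viewer binary, recorded at install time."""
    return hashlib.sha256(binary).hexdigest()

# content type -> (viewer id, pinned hash). Wrapped in a read-only proxy so code
# running as the user cannot add an entry for executables later.
SAFE_VIEWERS = MappingProxyType({
    "image/png":       ("image-viewer", pin(INSTALLED_VIEWER_BINARIES["image-viewer"])),
    "image/jpeg":      ("image-viewer", pin(INSTALLED_VIEWER_BINARIES["image-viewer"])),
    "application/pdf": ("pdf-viewer",   pin(INSTALLED_VIEWER_BINARIES["pdf-viewer"])),
    "text/plain":      ("text-viewer",  pin(INSTALLED_VIEWER_BINARIES["text-viewer"])),
})

def allowlist_is_frozen() -> bool:
    """True if an attempt to add a viewer at runtime is rejected."""
    try:
        SAFE_VIEWERS["application/x-executable"] = ("shell", "")  # type: ignore[index]
    except TypeError:
        return True
    return False

# Magic-number table: the first bytes decide the type, the file name never does.
# "MZ" and ELF are listed so a renamed binary is caught; a text file that happens
# to start with "MZ" is merely refused, which is the safe direction to fail.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff",      "image/jpeg"),
    (b"%PDF-",             "application/pdf"),
    (b"PK\x03\x04",        "application/zip"),
    (b"MZ",                "application/x-executable"),  # Windows PE
    (b"\x7fELF",           "application/x-executable"),  # Linux ELF
)

def sniff_type(data: bytes) -> str:
    """Content type from the bytes themselves; unknown binary -> octet-stream."""
    if not data:
        return "application/octet-stream"
    for magic, ctype in MAGIC:
        if data.startswith(magic):
            return ctype
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "text/plain"
    return "application/octet-stream"

class Decision(NamedTuple):
    allowed: bool
    viewer: Optional[str]
    reason: str

def dispatch(data: bytes, claimed_name: str,
             installed=INSTALLED_VIEWER_BINARIES) -> Decision:
    """Route a downloaded blob to a pinned viewer or refuse it.

    `claimed_name` appears only in the log message; it never selects a handler.
    `installed` is the set of viewer binaries actually on disk, so a viewer
    replaced by something running as the user fails the pin check.
    """
    ctype = sniff_type(data)
    if ctype == "application/x-executable":
        return Decision(False, None, f"{claimed_name!r}: executable content is never run from a download")
    entry = SAFE_VIEWERS.get(ctype)
    if entry is None:
        return Decision(False, None, f"{claimed_name!r}: no vetted viewer for {ctype}; left on disk for the user to open explicitly")
    viewer, pinned = entry
    binary = installed.get(viewer)
    if binary is None or pin(binary) != pinned:
        return Decision(False, None, f"{claimed_name!r}: viewer {viewer!r} is missing or no longer matches its pinned hash")
    return Decision(True, viewer, f"{claimed_name!r}: {ctype} -> {viewer}")

# Constructed sample downloads. Two of the names are deliberately misleading.
SAMPLES = {
    "cat.png":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.txt":  b"meeting at 3pm\n",
    "setup.exe":  b"MZ\x90\x00" + b"\x00" * 16,  # Windows executable
    "cute.jpg":   b"\x7fELF" + b"\x00" * 12,      # ELF binary wearing an image name
    "photos.zip": b"PK\x03\x04" + b"\x00" * 16,   # archive: no viewer on purpose
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        d = dispatch(blob, name)
        print("OPEN" if d.allowed else "DENY", d.reason)
```

Running the block prints one line per sample: the PNG and the text file are routed to their pinned viewers, the two binaries are refused regardless of what they are called, and the archive is left on disk because no viewer is registered for it. The tamper case (a viewer binary swapped out under the user's own account) is caught because the allowlist pins a hash, not just a path.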
What you're thinking of is something called "Tuxissa" which was an April Fool's Joke around 1999 after "Melissa" had hit the internet. The basic premise was to take the Microsoft virus/worm attack of the day and piggyback onto it kickstart or something like it.
The only problem at the time was the bandwidth requirements for getting millions of basic Linux installs on all those Windows boxes was prohibitive -- No one server could feed all those client installs --- at least not in 1999.
However, now that we have Bittorrent and it's fairly robust, Tuxissa now seems much more doable. In fact, it would be the easiest way for a sysadmin who was tasked to convert a local Microsoft network into a Linux network to go -- just pick the known exploit of the week and marry it up with kickstart+bittorrent and seed server and away you go --- boom! Instant Ubuntu/SuSe/Fedora/Debian/Slackware/whatever local network.
--Johnny
what on Earth can we do so stop the spread of garbage like the above? To put it another way, will reducing the amount of potential "suckers" out there dissuade the bad guys from coming up with ever-more elaborate ideas such as this latest scam?
Clearly there isn't enough evolutionary pressure on the herd. What the good guys need to do is build computers that explode when the user does something stupid.
-Grey
Silver Clipboard: Time Management Tips
Maybe some uberuser should make a "Click here for Britney Spears Pics" trojan that wipes the computer. It could load a little program that runs at startup and nukes the PC from orbit.
Any other bots and spyware on that machine go away, and the user ends up with a clean factory restore (after his brother-in-law comes over to show him how to use the restore disks).
Over time, this could be modified to seek out zombie machines directly.
Bigtime Consulting - "We're the best because we cost the most"
By reading the article, it seems it's just general user clicking on "OK" rather than "Save As" worm. How is it different if the delivery is done through email or popup or iframe on some website listed on Google or Yahoo or whatever cross link sites? Or AIM for that matter? How about Gaim? or How about Jabber?
Perhaps re-examining the actual exploit rather than the delivery medium as the cause would be a good way to head toward the right direction in my opinion.
"Don't let fools fool you. They are the clever ones."
UNIX/LINUX place a lot of restrictions on what can be modified by the user, and is part of where their good security comes from. Perhaps if children using AIM weren't logged in under the admin account or one with similar privileges it would prevent the whole system from being hijacked, and would just cause that account to need to be deleted. I don't know how much Windows limits user accounts, but if this isn't within the ability of Windows, it's quite sad.
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
How about making a new virus that, immediately after the user does something stupid enough to install it, turns the volume up to the max in Windows, and starts looping a wav file that says "MORON ALERT!! W00PWOOPWOOP! MORON ALERT!!" and starts flashing their monitor red and blue, refusing any user input until they type "I have learned today that I should be more careful about the things I click on".
Oh yeah, and it sends itself to everyone in his address book, so that the shame can be shared among others.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Maybe we can't put the genie back into the bottle, but I think the real problem is that every Internet-enabled application these days is bastardized into a file transfer mechanism. IM programs should be for typing messages back and forth between two or more people. Why should IM even have the ability to transfer files?
well - just make a "nice worm" that tells you
...
"hi, your computer is obviously insecure - may I install
[] firefox
[] thunderbird
[] AVG free (Antivirus)
[] hijackthis
[] and one of the following freeware firewalls: [insert firewalls here]
for you? - P.S. I'll install the software from official mirrors, no faked, phishing software - if I wanted to harm you, I could have done this already
[No] [Yes]
may I also interest you in
[] OpenOffice
[] miranda
[] bsplayer
[]
[No] [Yes]
May I recommend myself to your friends?
[No] [Yes]
thank you for your interest
I'll remove myself from your system now. goodbye!
[OK]
I think most people that stick with MS software do this because they have no clue how to install alternative software (seriously - my family has used PCs for 14 years now and still they call me and ask me how to install this and that software) so make a "worm" that assists you in making your PC more secure (and shows you that you need it at the same time), maybe put in links to small, easy-to-understand "getting started" sites...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Does anyone have a link to the really bad music this worm subjects its victims to? Hearing it would seriously enhance my sense of schadenfreude...
--JoeProgram Intellivision!
That sounds a hell of a lot like the browser that gets installed with the new version of AIM. During install I tried telling it not to install the browser but it did anyway, was amazingly slow and had lots of pop ups. It sounds pretty similar to this worm.
I've always pictured the color of OS zealotry as a sort of bright flamingo pinkish hue
Maybe so, but the rest of us don't deserve what we get. Even if I'm a careful computer user and never get compromised, I still have to deal with the resulting spam, DDOS attacks, increased IT costs, etc, caused by people who do. Therefore it's in everybody's best interest to make security more idiot-proof -- we can't just say "to hell with the n00bs", because we still have to live on the same Internet as them.
I don't care if it's 90,000 hectares. That lake was not my doing.
The only solution to this problem is to kill all the people.
Unfortunately we can't do that yet, so the problem remains unsolvable.
Relabelling the "Yes" and "No" buttons to the actual result of clicking it (e.g. "Install this software") might combat the reflex action and force people to actually read the message instead of just jumping to the Yes button.
Build computers with a robot arm that will reach out and smack the user in the back of the head every time they're about to run an EXE from an IM or popup.
A slightly lower-tech implementation has worked for me. When my friends ask me to fix their computer for the 30 billionth time after they infected it, I smack them in the back of the head and tell them not to be a moron, and then send them on to pay the Geek Squad to deal with their problems.
Where these people used to be reinfecting themselves on a weekly basis, they seem to have stopped now, so a combination of physical and wallet pain seems to be the best motivation to not be a retard.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Why? Because it becomes just another hoop to jump through. They don't consider the implications behind their action. The computer wants something, they give it what it wants so it'll shut up and let them get back to doing what they want to do.
Admin passwords are useful for knowledgeable users because if you do something that shouldn't require admin, but asks for it, you can step back and think why it's asking, and approve or deny it based on more information. However clueless users won't do that, they won't know what should and shouldn't need it, so they'll just blanketly issue the admin password.
I've already witnessed this on other platforms (MacOS) that ask for admin. I was chatting with a guy while he was tinkering with his Mac, it popped up and asked for admin and he said "Huh, that shouldn't need admin"... as he was typing in his admin password (3 letters long). He even recognised that this might be a situation where it wasn't needed (it was actually, nothing harmful) but just gave it the password anyhow.
So while I think the privilege escalation in Vista is a nice try, and certainly something I'll use personally, I think it will ultimately make no difference for normal users. They'll just make it go away whenever it pops up, and they'll do that by giving it the password it wants.
A new IM worm discovered recently takes the novel step of installing its own web browser onto the victim's PC... It's clear people cannot resist clicking "yes" to anything they're presented with via IM - with this in mind, what on Earth can we do to stop the spread of garbage like the above?
If you get infected, your IM might ask you if you want to get rid of a dangerous IM worm, just click yes and you'll be ok.
You also get very cheap C1ALi5, dunno what is it, but it seems like a great deal, so I ordered a bunch.