Predicting Malware

Pseudonymous B*ard writes "SANS has an interesting article showing how to predict what forms future malware will take. For example, last year there were many hurricane-related scams, while this year, another bad hurricane season is predicted. SANS has noticed that the scammers are gearing up for this and that many new domains with the words Alberto, Beryl, donation, and hurricane have been registered (Alberto & Beryl are the first two names on the hurricane list). The only question now is whether hackers will be able to preempt any of these scams before they have a chance to be used?"

Hurricane scams...

[__aaclcg7560]

SANS has noticed that the scammers are gearing up for this and that many new domains with the words Alberto, Beryl, donation, and hurricane have been registered (Alberto & Beryl are the first two names on the hurricane list).

This wouldn't be a problem if the Federal government wasn't in such a hurry to shovel cash out the door everytime there's a natural disaster to some politician's poll numbers.

Re:Hurricane scams...

[corbettw]

This wouldn't be a problem if the Federal government wasn't in such a hurry to shovel cash out the door everytime there's a natural disaster to some politician's poll numbers.

Bzzzt! Wrong! This is about scammers tricking Mr. and Mrs. Citizen to send them money "to help hurricane victims". It has nothing to do with money the Feds may, or may not, send out.

Re:Hurricane scams...

That's not Malware (bad software) that's SPAM you're talking about.

It will probably involve pictures or fast money

[WillAffleckUW]

As both of those things cause people to become incredibly gullible, whether it be pictures of tennis stars or the possiblity of "inheriting" or "winning the lottery" a large sum of money.

Also, you can pretty much guarantee it will start off as a Windows malware attempt.

Its nice to see people thinking about the future

[Crashmarik]

But this boils down to Malware will likely be associated with major events. Color me unimpressed. I have another one future malware will exploit unpatched security flaws.

Oblig.

[Odin_Tiger]

Obligatory grammar post.
"Last year X, while this year X again." "And" for pete sakes. If you are comparing two things which are the same in nature but different in time, it should be "and". "While" would be used if, say, it was hurricanes last year and earthquakes this year (i.e., things which are different in their nature).

Re:Oblig.

do you mean "it was hurricanes last year while earthquakes this year"?

Re:Oblig.

[Odin_Tiger]

Nope. The word "it" has to be taken in context. In the original story, "it" meant the state of the weather. Here, "it" refers to the whole of the items under comparison, i.e., "hurricanes last year and earthquakes this year."

Big Surprise

[Umbral+Blot]

Summary of article: malware authors may try to take advantage of disasters. That's not exactly cutting edge reporting. What I would be more interested in hearing about is if malware authors start creating rumors of disasters in order to cash in anyways if nothing bad happens. Let's say Alberto fizzles. Will we still get spam asking for donations to help the newly homeless? I guess I'll have to wait and see.

Re:Big Surprise

[demonbug]

I hear there are increasing numbers of people becoming dependent on tuning out the world and only listening to audio signals that are pleasing to their ears. This self-centered madness must stop, before we lose an entire generation to its own self-centredness! Please, for the sake of the children, donate what you can today!

Re:Big Surprise

Yeah, but in this case, it has to be pretty clear that the people who registered the domains have nefarious intent, so it might not be unreasonable to get them shut down early. Or at least blacklist 'em somehow (e.g. blacklist the URLs in your spam filters).

Unless, perhaps, your name is Alberto.

Re:Big Surprise

[suv4x4]

Summary of article: malware authors may try to take advantage of disasters. That's not exactly cutting edge reporting.

Sad part is, it doesn't need to be cutting edge reporting. They got on Slashdot, cashed in the banner impressions, job well done.

It's a variation of the same issue that people create site and contents for search engines and not for people.

Re:Big Surprise

[mapkinase]

I am not really interested what kind of spam will be filling my spam folder. Google Mail anti-spam filters work with 100% accuracy and 100% precision: none of legit mail ended up in the Spam folder and none of the spam messages sneaked into the Inbox.

Non-story.

Re:Big Surprise

[elrous0]

cashed in the banner impressions, job well done.

HA! That's where they went wrong! Little did they know that no /.ers actually RTFA!

-Eric

Re:Big Surprise

... start creating rumors of disasters in order to cash in anyways ...

You mean, like Hurricane Katrina? If you read the news behind the news, you'll find that 90% of what was reported about the things going on in New Orleans were overblown, exaggerated, or unfounded. Don't look for a retraction from CNN/CBS/ABC/Fox/MSNBC of course.

Seriously

[cheaphomemadeacid]

if they succeed everything they have thought of will probably be abused :)

O/T Spelling Nazi Oblig.

It's interesting that a Grammar Nazi can't spell "for Pete's sake" correctly :)

Re:O/T Spelling Nazi Oblig.

[Odin_Tiger]

a) I spell it how I (and everybody I know) pronounce it.
b) Example is from a Brit site. I'm an American, so your slang (and it's spelling) mean jack to me.
c) GoogleBattle says I win. :P

Re:O/T Spelling Nazi Oblig.

[YttriumOxide]

Dear god... you actually SAY it like that? For Pete's sake, how can you?

I hold the answer

[Mr.+Samuel]

Clearly, the solution is to infect natural disasters with malware before they can strike.

Re:I hold the answer

So, does that mean that we could get a security patch *before* a hurricane strike? If the natural disaster is infected with a known malware, we could just produce a signature file for it beforehand! Brillant!

JP

Another question

[DaveRexel]

Shouldn't one assume that the scammers and the cr|hackers are working hand in hand with the former providing technical services and entire networks of compromised computers to the latter who perform the commercial tasks?

Happy National Day Sweden 060606 (play some Slayer please)

Re:Hurricane scams... a hoax?

[__aaclcg7560]

If you don't consider the Feds shoveling cash out the door as "easy money", I got a bridge on the West Coast that I can sell to you. :P

The next phase in Malware?

[Eco-Mono]

Two little words, kid: Pluto's Kiss. Only Linux will be spared!

Re:The next phase in Malware?

[AndrewNeo]

Would people falling unconcious be considered malware, or would they introduce a new name for that?

No way out

[nlago]

As much as I think it sucks that people would actually do such things, they do. And they have been doing it for ages (anyone up to buy a bridge?). In the "real world" people still get caught in naughty scams, but maybe they are a little more aware nowadays. When online, however, I guess most people lower the guard; maybe it is "the internet" or the fact that it is in written form that gives some sense of seriousness to them. Add to it the fact that the vast majority of internet users does not know how easy it is to register ANY domain name in the US and there you are...

A little more education might be useful here. Also, maybe there should be a little higher barriers to domain registration. In Brazil, it is a little more difficult to set-up a domain name: you have to have an actual company, otherwise you have to restrict yourself to the "personal" TLDs. This was originally put in place to avoid a parallel market for domain names (much like what exists in the US today; in Brazil, the registrar is government-managed).

In the end, however, many people are just naïve. It would be nice if that could be a compliment...

Re:Hurricane scams... a hoax?

the Feds shoveling cash out the door

The article isn't about folks scamming the feds, its about bogus "relief" sites taking money given by ordinary folks trying to help out a storm ravaged area. Like collecting door to door for AIDS relief and keeping the $$$ yourself. (assuming you don't have AIDS)

Re:One does not simply predict malware!

I'm a wizard!

My eyes!

[Billly+Gates]

Please put the old css code back please?

Kaspersky Anti-Virus is revolutionary

[Andorion]

For those of you who've never heard of it:

Kaspersky Anti-Virus is the top of the line when it comes to protecting your system from all current and future virus and malware threats. I was skeptical until I tried it, but it really does work. It protects your system at an extremely low level without degrading performance, preventing the mal in malware, and requiring you to OK the way applications access your system sort of like how ZoneAlarm confirms each time a program accesses the internet. ANY possibly harmful action is checked against and you can set up very complex exception rules, so in a few days all your regular apps are up and running like normal and absolutely nothing slips into your system without you knowing about it.

No, I don't work for them, just want to share a wonderful product.

Re:Kaspersky Anti-Virus is revolutionary

Yes, but does it work on Linux?

Re:Kaspersky Anti-Virus is revolutionary

why is parent modded troll?? Its hardly offtopic and mostly true. It seems like any reference to non linux gets a troll mod here.

Re:Kaspersky Anti-Virus is revolutionary

[ajs318]

Let's have the canonical answer to this question so we can settle it once and for all.

Any piece of software will work on Linux, if you build it on Linux from source. If they won't show you the source code, they most probably are trying to hide something from you and you should seek an alternative.

Software for minis and mainframes often used to be shipped as source code without a distribution licence, effectively still granting its user freedoms 0, 1 and 3. Absence of source code does not make copying harder, as is evidenced by the ubiquity of pirated Office and Windows; but the existence of many machines which are electronically identical and many new sysadmins makes it easier to get away with not supplying source code.

Re:One does not simply predict malware!

But you're gay

Malware timing

[symbolset]

You can be confident a major nuisance will be gaining momentum on June 30, 2006, just in time to ruin your major US holiday weekend.

Re:Hurricane scams... a hoax?

[WillAffleckUW]

Like collecting door to door for AIDS relief and keeping the $$$ yourself. (assuming you don't have AIDS)

But, if you were going to use the money to go on a safari tour in Africa, then you might have a possibility of getting it, so isn't that ok?

Hey, we had a theory that there might be a possibility of WMD, so we went to Iraq, same logic, right?

In the end, though, I think it all boils down to gullibility and people's innate desire to help out those who actually need help - a good thing - and the unscrupulous people who feed off of our good impulses.

And don't forget...

You will be able to track the world's hurricanes here. Thanks, Googlemaps! :)

Fake news

[dj245]

I would be most impressed if someone created a bunch of fake news sites that claimed that Alberto was a great disaster and millions of lives were lost with the flooding in, say, North Carolina. And blasted the mainstream press for not carrying this most important piece of national news in this great crisis. And then pointed to websites collecting donations for the millions of displaced and homeless people.

Go on, then, get to it.

Re:Fake news

That would be the Democratic party, I believe...

"There are hundreds dead in the super dome... dozens of murders, rapes"

Who is SANS, anyway?

[tb3]

I have to ask this, just who is SANS, anyway? We get tons of alarmist reports from them, but nobody ever checks the source. I haven't been able to find much more than this entry on Wikipedia: "The SANS Institute (SysAdmin, Audit, Networking, and Security) is a trade name owned by the for-profit Escal Institute of Advanced Technologies. SANS provides computer security training, professional certification, and a research archive . It was founded in 1989."

And Wiki doesn't even have an entry for "Escal Institute of Advanced Technologies". Try Google, there's also next-to-nothing there. I don't like placing a lot of trust in something when I don't even know the source.

Does anyone have any more information?

Re:Who is SANS, anyway?

[Odin's+Raven]

I have to ask this, just who is SANS, anyway? We get tons of alarmist reports from them, but nobody ever checks the source. [...] Does anyone have any more information?

The story comes from a SANS ISC Handler's Diary entry from a few days ago. The Handler's Diary is basically a security blog maintained by the volunteers manning the ISC (Internet Storm Center), and the content varies from day to day. It may contain information about new exploits, workarounds, upcoming patches, requests for data on unusual/suspicious network activity, detailed analysis of malware distribution techniques, etc. Or on slower days it might contain random tidbits on something that a handler found curious/interesting, reminders about good security practice, a compendium of links to various tools that a handler has found useful, etc.

The Handler's Diary is part of my "morning coffee reading" sites. I've been reading it for years, and wouldn't say it's alarmist. I'll note, however, that /. submissions occasionally overinflate or misinterpret articles. Purely hypothetical example might be a simple article that basically says "hmmmm, curious how there's a flurry of new hurricane-relief-related domain registrations, especially given the large number of fraud sites that popped up within 24 hours of Katrina...btw, have you talked with your (l)users lately about fraudulent sites and being careful with their donations?", which somehow on /. becomes "article shows how to predict what forms future malware will take".

For a more interesting/useful example of what the Handler's Diary can sometimes offer up, there's gems like Tom Liston's "Follow the Bouncing Malware" articles:

• Part I
• Part II
• Part III
• Part IV
• ...
• Part IX

Back to your main question, SANS has a for-profit side offering security training and certification, and a free side which provides articles, papers, and assorted trend-tracking information that might be of interest if you're into network security. Since Wiki is a bit light on info, consider reading About SANS and About the Internet Storm Center. As to whether it's sensationalistic/alarmist/whatever, all I can suggest is to read back through the last month or two of Handler's Diary articles and see if they sound like fud/fear-mongering or potentially useful info.

Re:Who is SANS, anyway?

[tb3]

Sorry, but I'm still not comfortable with it. The "About SANS" link you provided has quotes like, "SANS is the most trusted and by far the largest source for information security training and certification in the world." Well, says who? I'd like some third-party verification, or at least, a little more background on the 'Institute' and its owners.
What really started me wondering was the story they had a while ago about "Mac OS security reputation in tatters" or words to that effect. They had absolutely no supporting evidence, and a grand total of two links to outside sources. One of them was a site known for trying to hawk bogus spyware scanners for OS X, and the other was a Mac security discussion board that had been hacked!

Re:Who is SANS, anyway?

[Odin's+Raven]

What really started me wondering was the story they had a while ago about "Mac OS security reputation in tatters" or words to that effect. They had absolutely no supporting evidence, and a grand total of two links to outside sources. One of them was a site known for trying to hawk bogus spyware scanners for OS X, and the other was a Mac security discussion board that had been hacked!

Okay, that was from their Spring 2006 Top 20 Vulnerabilities press release. The actual quote regarding Mac OS/X was:

Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability (OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.)

For context, this press release came out around the time of Apple's Security Update 2006-001, which included fixes for multiple remote execution exploits in multiple applications. Between Apple's own info and the Handler's Diary regarding the patches, I wouldn't exactly say that the writeup had "no supporting evidence".

Keep in mind that SANS wasn't impugning Apple's overall security, just the fan-boy attitude that Macs are somehow bullet-proof. If you read the Handler's Diary regularly you'd see similar slapdowns for fan-boys of all stripes - Linux, Firefox, whatever. Nothing is magically secure, and it's hubris to believe otherwise. In late Feb/early March, it just happened to be Apple's turn to face up to some serious security bugs. (Me, I've been running various flavors of Linux since the SLS days - I've long accepted the fact that my favorite OS and its applications are far from perfect. ;-)

I might also note that the same SANS press release devoted space to multiple slams against Microsoft products, ongoing vulnerabilities in Firefox and Mozilla, and critical bugs in database and backup tools. These just happened to be some of the top bugs for that particular time period - it's not like Apple or OS/X makes a regular appearance in the SANS Top 20 lists or in the ISC Handler's Diary.

I couldn't identify any links in the SANS or ISC writeups that pointed to bogus spyware scanners or hacked Mac discussion boards - maybe you can point those out to me. (I might've missed something, but all I could see were links to Apple, iDefense, and SecureSec.)

Re:Who is SANS, anyway?

[tb3]

From this page at SANS. The link is to www.securemac.com. Feedback on both Versiontracker and MacUpdate suggests that the SecureMac application is at best, useless and at worst, dangerous. The hacked discussion board seems to be missing from their links now. :P

I still think the actual quote is extreme and alarmist, considering we are comparing a fixed vulnerability with thousands of known exploits. I am still unaware of a single remote exploit against OS X.

Anyway, this is going off the subject a bit. I still want to know why I should treat the SANS Institute as an authoritative source, given that I know nothing about them, can find out next to nothing about them, and I find some of their data questionable.

I'll add to that the number of self-proclaimed 'internet security experts' is legion, with most of them having their own agendas.

Re:Who is SANS, anyway?

[Odin's+Raven]

The link is to www.securemac.com. Feedback on both Versiontracker and MacUpdate suggests that the SecureMac application is at best, useless and at worst, dangerous.

Fair enough - I'm not familiar with their product, but with the first three pages of Google searches essentially just regurgitating press releases from the company I'm more than willing to accept that the only source touting this software is the company itself.

The hacked discussion board seems to be missing from their links now. :P

Alas, the dynamic nature of the web strikes again. :-) Although I suppose that's actually "A Good Thing" if the discussion board was compromised.

I still want to know why I should treat the SANS Institute as an authoritative source, given that I know nothing about them, can find out next to nothing about them, and I find some of their data questionable.

I'll add to that the number of self-proclaimed 'internet security experts' is legion, with most of them having their own agendas.

Hehe, totally agree about the legions of 'experts' out there. :-) And I think that actually makes it difficult to "prove" that the ISC writeups are worth listening to. If you google for handler Jim Clausing, you'll see that he's been in IT admin and security for over 20 years, but of course there's plenty of counterexamples of people who've spent decades in the computer industry without having a clue. George Bakos, another handler, is the senior security expert at Dartmouth College's Institute for Security, but people can hold academic posts without having practical, real-world experience. Lenny Zeltser is the Information Security Practice Leader at Gemini Systems and teaches a course on analyzing malicious software, but if you don't know anything about Gemini and haven't taken the course you still don't know if he's an expert or a poser. Marcus Sachs is Deputy Director of DHS's Cyber Security R&D Center, has co-authored several books on security, and spoken at Black Hat, but ... well, again, those are just positions and words, and you probably don't want to buy/read one of those books just to decide whether you might trust a web site. (There's about 40 handlers at the ISC, but I won't run through each because it still boils down to the same thing - a bogus guru can have paper/web credentials that, on the surface, look as plausible as those of a real expert.)

So I think the best I can give you is the "proof is in the pudding" approach. Read a month or two of the Handler's Diary entries. See if you believe that the articles are relevant and accurate. See if there's any major incidents that are not mentioned. (After all, if we really wanted a blog that missed major bugs while misreporting/overhyping other bugs, well, we're both already reading Slashdot. ;-) Ask yourself if this is the work of a bunch of punters, or if this is a credible source of security info. Obviously I have my opinion regarding the site, but hey, that's just me - what I find interesting and informative might well be boring and/or irrelevant to another person. (For instance, someone who deals exclusively with OS/X systems might find all the entries on Windows, Unix, Cisco, etc to effectively be "noise". Doesn't mean the articles are wrong or badly-written, just that 99% of them are going to be irrelevant.)

Re:Who is SANS, anyway?

[tb3]

Okay, I take your point. It looks like those diaries are worth looking into. And I'm reasonably interested in Windows issues anyway, given that I have a few Windows boxes to look after, and I'm always looking for more ammo to convince people to switch. :p

Thanks for all your input, I think I now have a better idea of what's going on.

I predict future malware will take the shape......

[mAineAc]

Of programs that take advantage of flaws in Internet Explorer and Windows. ;)

I like the foresightedness of it

[SnuffySmith]

another bad hurricane season is predicted ... the scammers are gearing up for this

These guys aren't just assholes; they take the long view of things: "So, you can see from this chart, in Q2 and Q3, we've got our shit-heel plan well mapped out. And our top asshole thinkers are hard at work in R&D, developing asshole plans for Q4 and the Christmas season."

Why do a few domains imply malware???

[WoTG]

IMHO, the far more likely purpose of registering domains related to the next hurricane names are simply for SPAM. When the hurricanes hit, tens of thousands of people will mistype or find some other way of ending up on what I expect will be plain old ad serving pages. Considering the miniscule costs of setting this up, I'd suspect that it would make a few bucks. Especially compared to some of the other ad based domains I've stumbled on in the past...

old methods

[SekShunAte]

i guess my old crystal ball and tarot cards just aren't cutting it anymore. I foresaw future malware being based on Vista.

Re:O/T re: sig

[WilliamSChips]

Only if you know why Forth is called Forth.

Say what?

[Omega+Blue]

I am not sure about you, but to me malware is clearly distinct from e-mail scams.

Malware is a program that do nasty things to your computer. e-mail scams have nothing to do with that.

Re:O/T re: sig

[Odin_Tiger]

: SIG ( -- ) CR ." The fourth wave of attackers approaches. Go forth, and conquer them!" ;
SIG

Looking up "Hello, world!" format for weird languages on wikipedia ftw. :D

the SANSturions

[lon3st4r]

In the near future, Doc Terror, and his cyborg companion Hacker, unleash their forces to conquer Earth and spread malware!

Only one force can stop this evil: a handful of brave men; in specially created exoframes they can sniff packets anywhere to fuse with incredible anti-malware weapons. Beamed down from the space station Sky Vault, becoming man and machine,

Power Xtreme!

The SANS turions

* lon3st4r *

Forms?

[geminidomino]

He will come in one of the pre-chosen forms. During the rectification of the Vuldrini, the malware came as a large and moving Torg! Then, during the third reconciliation of the last of the McKetrick supplicants, they chose a new form for him: that of a giant Slor! Many Shuvs and Zuuls knew what it was to be roasted in the depths of the Slor that day, I can tell you!

Re:I predict future malware will take the shape...

[someone1234]

Stupidity is the major vector, though.

another bad season is *not* predicted

From the summary:

... while this year, another bad hurricane season is predicted ...

Actually, the NOAA and NWS are telling us that last year's hurricane season was unusally busy (translation: most years have fewer storms than that), and that this year will see fewer hurricanes.

Many scientists have explained in detail that the average temperature of the water in the Gulf of Mexico is much lower this year, which means hurricanes won't be as strong / plentiful as they were last year.

Oh yeah, before I forget ... it's still all Bush's fault. And eeeeviiil Halliburton (cue LotR music for orcses).