Slashdot Mirror


When Malware Attacks Malware

PetManimal writes "Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware. Symantec sounded the alarm, and says that the exploit launches in AOL, Google Talk, and Yahoo Messenger windows that are already open, making it appear to be a legitimate message from a known user. The worm has modified the code from last year's Nuwar worm, and when activated, enables a DDoS attack against any site, including antispam services and servers supporting rival malware: 'Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.'"

135 comments

  1. that's... by User 956 · · Score: 3, Funny

    When Malware Attacks Malware

    You get total protonic reversal.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:that's... by geeksdave · · Score: 3, Funny

      OK important safety tip.. thanks Egon..

    2. Re:that's... by Timesprout · · Score: 1

      It is if the Bussard Collector and Main Deflector Dish are down for repairs or if you can't find some exotic substance to reverse its polarity.

      --
      Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
    3. Re:that's... by VolciMaster · · Score: 1

      When Malware Attacks Malware

      This sounds like a really bad Fox special

  2. Stronger malware by eviloverlordx · · Score: 5, Insightful

    It just means that, in a few years, all of the malware will be significantly harder to kill. All of the weaker 'species' will have been driven to extinction (via changes in coding). It had to happen eventually. We may even see 'anti-viral resistant' strains.

    --
    'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
    1. Re:Stronger malware by frosty_tsm · · Score: 2, Informative

      We may even see 'anti-viral resistant' strains. Uh, don't we already see this?
    2. Re:Stronger malware by morgan_greywolf · · Score: 5, Funny

      No way. Malware is made by an Intelligent Creator. It is what it is. Intelligent Malware Design is just as good a theory as Malware Evolution.

    3. Re:Stronger malware by Bryansix · · Score: 0, Offtopic

      I know you were trying to be funny but seriously ID and Evolution theories can co-exist. The only thing adherents to ID have a problem with is the idea that life (or code in this case) was spontaneously created by natural processes. This in fact has nothing to do with the theory of Evolution. I for one take as fact that bacteria mutate and are weeded out by natural selection and that malware code is mutated in much the same fashion although not so randomly.

    4. Re:Stronger malware by Anonymous Coward · · Score: 1, Insightful

      huh, i suppose you're right! this malware's been created by storm trojan/peacomm.. intelligent creators indeed!

      good point, even if it wasn't your intention.

    5. Re:Stronger malware by GigG · · Score: 1

      Without a doubt one of these will turn into Skynet one day.

      --
      Is buying a Harley Davidson as your first motorcycle since you were 16 at age 49 a midlife crisis issue?
    6. Re:Stronger malware by Anonymous Coward · · Score: 0

      Sure, if you parse ID strictly, that is a possible scenario. That amounts to "religion and evolution theory can coexist", which is obviously true (we have grand numbers of Christians in the US who also accept the findings of evolutionary theory). The fact is, the ID "theory" was invented and proposed specifically to "disprove" evolutionary theory. The tenets proposed are not just an intelligent designer, but that an intelligent designer (or many intelligent designers) made living things more or less as they are (variation within "kinds" but no real speciation).

      This is much the same as the way we use evolutionary theory to speak about biological evolution, completely apart from stellar evolution. Because evolution is a word, it means "change". But it's almost like a brand name or trademark of biological evolution. In the same way, Intelligent Design entails certain baggage which is contradictory to biological evolutionary theory.

    7. Re:Stronger malware by Anonymous Coward · · Score: 0

      Religious fundies can't tolerate evolution to any degree because in their mind admitting the Bible (or whatever the text in question is) isn't 100% literal would cast doubt on all of the rest. They might even have to consider the possibility that the entire world wasn't flooded or that Mary wasn't a virgin.

    8. Re:Stronger malware by Bryansix · · Score: 0, Offtopic

      Nowhere in the Bible does it say that evolution does not occur. It does imply that Macro-Evolution or evolution from one species to another did not occur. But still it only loosely implies this.

  3. Wait...What? by Anonymous Coward · · Score: 0, Redundant

    No MSN Messenger vulnerability. MS is safe. /DNRTFA

  4. A New Variation of Life... by __aaclcg7560 · · Score: 5, Funny

    So is there going to be a screen saver that will show the good and bad malware attacking each other as the computer keeps waving a white flag?

    1. Re:A New Variation of Life... by BunnyClaws · · Score: 1

      Yes, the rival malware attacks are Germany and the Soviet Union and the Windows PC is Poland. Mac would be England and Linux is the United States. If this was a World War II scenario.

      --
      "Anything tastes good if you deep fry it."
    2. Re:A New Variation of Life... by $RANDOMLUSER · · Score: 3, Funny

      Yes, the rival malware attacks are Germany and the Soviet Union and the Windows PC is Poland. Mac would be England and Linux is the United States. If this was a World War II scenario.
      You were a math major, right?

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:A New Variation of Life... by onepoint · · Score: 1

      OK then what is France ?

      --
      if you see me, smile and say hello.
    4. Re:A New Variation of Life... by rossz · · Score: 1

      OK then what is France ?

      Commodore 64. It has a small fanatical following, but in this modern world, is completely irrelevant.

      --
      -- Will program for bandwidth
    5. Re:A New Variation of Life... by operagost · · Score: 1

      They're the floppy drive. Useless. Or the Turbo button.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    6. Re:A New Variation of Life... by __aaclcg7560 · · Score: 1

      I think the Commodore VIC-20 would be more appropriate for France. It's small memory made it difficult to work with.

    7. Re:A New Variation of Life... by Tony Hoyle · · Score: 1

      World War II scenario.. hmm..

      So in this scenario Linux arrives late to the party then spends the next 50 years gloating about how they bailed everyone out?

    8. Re:A New Variation of Life... by Hoi Polloi · · Score: 1

      And the Low Countries are routers. Everyone just marches through them on the way to somewhere else.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    9. Re:A New Variation of Life... by rossz · · Score: 1

      As a student of history, I find your comment f*ing hilarious.

      --
      -- Will program for bandwidth
    10. Re:A New Variation of Life... by Garrett Fox · · Score: 1

      Actually, isn't it about time for an updated version of the old game "Core Wars?" That one had assembly-language programs battling each other in a sandboxed memory space. Why not a more complex simulation that runs offline, on one PC, simulating a vulnerable network and the programs attacking it?

      --
      Revive the Constitution.
    11. Re:A New Variation of Life... by Opportunist · · Score: 1

      SCO. Don't do jack but demand a share of the cake.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Old News by 140Mandak262Jamuna · · Score: 4, Funny

    The well known malware Internet Explorer has been attacking another well known malware WinXP for quite some time. So why get worked up about these obscure ones?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. Easy to kill by nurb432 · · Score: 1

    Nah, it's all easy to kill if you use a ROM based OS.

    Just reboot.

    --
    ---- Booth was a patriot ----
    1. Re:Easy to kill by maxwell demon · · Score: 3, Insightful

      Given that today's ROMs are typically flash, how long until some malware just reflashes it? This would also allow the malware to take control even before the OS boots up.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Easy to kill by nurb432 · · Score: 1

      If the flash requires a hardware jumper to reset, then no worries.. If it's software controlled, then ya, you are screwed.

      I think you could set a flash IDE drive to read only, and use it for your boot/OS. Sure it could trash your data, but at least the system is ok after the reboot. If not, I think there is a market for this.

      --
      ---- Booth was a patriot ----
    3. Re:Easy to kill by Hoi Polloi · · Score: 1

      Boot off of a CD then.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    4. Re:Easy to kill by tepples · · Score: 1

      Boot off of a CD then. Unless the malware installs itself into your CD-ROM drive's firmware.
    5. Re:Easy to kill by nurb432 · · Score: 1

      Sure.. aaanndd ssllooww ddoowwn yyoouurr wwoorrk..

      Running from a CDROM boot is slow as mud..

      --
      ---- Booth was a patriot ----
    6. Re:Easy to kill by EqualOrLesserValue · · Score: 0
      In most cases: you're correct. Working with a live CD can be very slooow. However, give Slax Linux http://www.slax.org/ a try. If the infected PC has 256 Mb RAM or more (check the specs at the site) then boot Slax this way:

      $ slax copy2ram

      It puts the entire O/S in RAM and moves as fast as any installed O/S I've ever seen. The CD is ejected during boot time. If only one optical drive exists you're free to use it to make backups.

      --
      The trouble with Karma is: it always gets worse.
  7. this is not new by Groghunter · · Score: 1

    http://blanu.net/curious_yellow.html This has been predicted for while now. I think I first read about Curious Yellow (above) 4 years ago. Still relevant today.

  8. Process accounting by HomelessInLaJolla · · Score: 1

    Someone probably could but then they'd need to identify the myriads of unknown processes running in the Windows background (and the ps list on Linux isn't becoming much easier to keep track of, either). With the complexity of modern operating systems, and the prevalence of vendor loaded junkware, it's probably a task of cataclysmic proportions to try and figure out what's legit, what's not, and what was legit (from the vendor) but has since become exploited. Vendor junkware probably isn't the highest quality code when it comes to security. A worm or trojan making use of a simple buffer overflow in IE can probably make use of exploits in third party background processes more easily than it can make use of (somewhat) more closely guarded holes in the Windows OS.

    I've often marvelled that so few security experts rarely expand on the very real probability that common malware is not the end result but rather the vector. Every piece of rogue code running on the machine creates just as many new holes as the one it made use of. Many rootkits, for example, don't have much in the way of security to ensure that only the original installer has access to the newly enabled access method.

    --
    the NPG electrode was replaced with carbon blac
  9. HA by Anonymous Coward · · Score: 0

    -ha?

    This reminds me of that one worm (or whatever it's called) that spread around and tried fixing computers that were infected by another one. Too bad the damn thing clogged networks in the process.

  10. OS? by phrostie · · Score: 1

    so what OSs does this apply to?

    1. Re:OS? by nurb432 · · Score: 1

      Today or tomorrow?

      Any OS is vulnerable to an extent, since 90% of the problems are caused by the users allowing things to be installed. No OS can guard against that.

      --
      ---- Booth was a patriot ----
    2. Re:OS? by 99BottlesOfBeerInMyF · · Score: 1

      Any OS is vulnerable to an extent, since 90% of the problems are caused by the users allowing things to be installed. No OS can guard against that.

      This is not true. Most problems are caused by people running software combined with the fallacious assumption by OS developers that software people run is trustworthy because the user is running it. An OS certainly can be created that accounts for running untrusted software and software with differing levels of trust and access. In fact, the bitfrost security outline for the OLPC project accounts for just such software. More commonly, SELinux setups account for software the user does not completely trust, albeit not in a user friendly way. If MS's was motivated to provide customers with a more secure and easy to use OS, they could have implemented mandatory access controls, a program format that incorporates ACLs, a framework for determining trust, and a well made GUI and stopped almost all malware on the platform. Instead they looked at the money anti-virus solutions are making cleaning up after them and thought, "gee, I'll bet we could put together a half-assed one of those and bundle it and make money." Don't judge what "OS's" can and can't do based upon Windows.

    3. Re:OS? by maxwell demon · · Score: 1

      Any OS is vulnerable to an extent, since 90% of the problems are caused by the users allowing things to be installed. No OS can guard against that.

      That's wrong. The only problem is that an OS which doesn't allow you to install any software would probably be a big failure ...
      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:OS? by nurb432 · · Score: 1

      Ok, well you got me on that, but I agree, if you can't install *anything* it would pretty much be an embedded device relegated to controlling your toaster for eternity.

      --
      ---- Booth was a patriot ----
    5. Re:OS? by skoaldipper · · Score: 0

      Among the multiple second-stage components downloaded to Windows PCs compromised by Peacomm [..]

      Like you I had the same question, and apparently only Windows. In part, that's why I only use Windows with stock components (with the exception of Office) for business. For everything else, Linux. Knock knock knock on wood.

      --
      I hope, when they die, cartoon characters have to answer for their sins.
    6. Re:OS? by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      The real problem is security models that assume very few levels of security. Either you install it and it can hose your machine and kill babies, or you don't run it and don't know if it was malware or not. That's just crazy. Back in the day MS Word used to pop up a dialogue box and say something along the lines of "this .doc file contains macros that may be viruses (ok)(cancel)." I knew a manger who offered $1000 to anyone who could add a button that said "open the file but don't let it infect my computer with anything." The problem, aside from the terrible UI, was the control was not granular enough. Sometimes people want to run software or open a file, but don't want to trust it with their computer security for all time. Software should run in a sandbox by default. The inconvenience of having to explicitly allow my new e-mail program to send e-mail, once is worth it if I know no other software I download will ever send any e-mail or access my address book until I explicitly permit it. Some executable that shows up in my e-mail or over IM should never, ever, be granted that permission by default. Until MS gets their head out of their butt and realizes that, we'll suffer from this crap.

  11. Reaction by Anne Thwacks · · Score: 1

    And the Dept of Homeland security is doing what? exactly!

    --
    Sent from my ASR33 using ASCII
    1. Re:Reaction by $RANDOMLUSER · · Score: 1

      They've raised the alert level to "mauve".

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:Reaction by Anonymous Coward · · Score: 0

      Wake me when it goes to "plaid". Then i might care.

    3. Re:Reaction by 99BottlesOfBeerInMyF · · Score: 1

      And the Dept of Homeland security is doing what? exactly!

      Probably re-imaging their insecure Windows boxes to try to clean up their own systems. How many directors of computer security have quit now after saying the job was impossible given the absurd Windows only architecture they implemented there?

  12. It begins by inviolet · · Score: 4, Interesting

    Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware.

    Thus begins the ecology of internet software. CPU cycles are simply too valuable (en masse) for one piece of malware to share with others.

    Eventually, look for malware to get better and better at rooting out rival malware in order to take its place. As well, look for malware to be more cautious about consuming host resources, lest it get noticed by a user or antivirus package.

    It's no different than Earthly biology. We think nothing of the colossal number of parasitic microorganisms currently hitching a ride on our metabolism. Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?). Symbiosis carries major advantages along the lines of "division of labor". How many years before real symbiosis is realized among internet-connected computers?

    It would also evolve the antivirus landscape. The "OMG sterilize all machines!!!1!" mantra would change into a more relaxed problem: calculate the most efficient amount of CPU cycles to allocate among the competing tasks of:

    • detect malware through behavior analysis (the current cutting edge)
    • detect malware through recognition scanning (the tried and true way)
    • tolerate malware as long as it doesn't eat up too much CPU

    That's how our bodies do it, anyway.

    --
    FATMOUSE + YOU = FATMOUSE
    1. Re:It begins by Dr. Eggman · · Score: 1

      Not yet, first we need the self replicating code to modify itself. The CPU is a harsh mistress, though, so it would have to be very small mutations, possibly to the point of making it irrelevant in the long run. Right now, it's just tic-tac-toe with overwriting Xs and Os.

      --
      Demented But Determined.
    2. Re:It begins by Anonymous Coward · · Score: 2, Informative
      Ummmm... well right idea, wrong microorganisms!

      Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?).


      The stuff in yogurt is Lactobacillus acidophilus.

      The stuff you DON'T want in your (upper) GI is Escherichia coli.
    3. Re:It begins by mcrewson · · Score: 0, Offtopic
    4. Re:It begins by Ravear · · Score: 1

      [..]
      That's how our bodies do it, anyway. Yeah but with the body you don't get the option of backing up documents & re-imaging. I don't dick around anymore when I get some malware. It just isn't worth the time/effort.
    5. Re:It begins by StarvingSE · · Score: 1

      Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?).

      Where do you buy yogurt, the public restroom???

      --
      I got nothin'
    6. Re:It begins by Beardo the Bearded · · Score: 1

      That's not yogurt.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    7. Re:It begins by AeroIllini · · Score: 3, Insightful

      That's an interesting analogy, and I agree that malware will get consistently more advanced, eventually creating mutatable (and thus evolvable) strains that will evade anti-malware programs without the intervention of the programmer.

      However, there's a rather glaring flaw in the analogy, and it's this: in the biological world, the various bacteria that live in or on us do not have purpose. They are simply life forms, doing the things that life forms do (which is eat, shit, and make babies) in an environment that suits them. If they end up overrunning that environment and making us sick, it's not because they wanted to make us sick. If our bodies happen to be the perfect environment for them, and they happen to eat things in a way that is beneficial to us, it's not because they decided to help us out. They are just being bacteria. Symbiosis and infection are merely products of parallel evolution and happy coincidence.

      In contrast, malware is written by people, and people do have motives for the things they do. Bacteria don't do this; they just do their thing with the eating and the shitting and the baby-making, and any macroscopic results are not due to the decisions of the bacteria.

      Malware is written with purpose. That purpose could be to show the user ads, or participate in a botnet, or collect spammable email addresses, or whatever. But saying that anti-virus programs will ignore the "harmless" malware overlooks the fact that there is no harmless malware. There doesn't exist any malware that's going to go to the trouble of infecting your machine and propagating, and then not do anything. No one would program one. That means that all malware is either black hat (adware, botnet, spyware, etc.) or white hat (attacks other malware). Even if it's not using CPU resources, it is doing some other damage, such as annoying the user or enabling spam (in the case of black hat) or violating the freedom of a user to choose what software they have installed on their machine (in the case of white hat). Either way, all malware should be cleaned by anti-malware programs. In the world of software programmed by people, there's no such thing as harmless piggybacking.

      ****
      Note: I am aware of the parallels of my argument with Intelligent Design. It was not my intent to start a flamewar.

      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
    8. Re:It begins by hyfe · · Score: 1
      CPU time is, by itself at least, inconsequential.

      Time Used by User isn't. Malware adds to this in primarily three different ways: choked connections and laggy internet, direct intervention like pop-ups, and lastly, by bogging the machine down, either through hooking into places it shouldn't hook into, or through eating CPU cycles.

      In my experience at least, the first two are way more prevalent than the latter.

      --
      "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
    9. Re:It begins by Opportunist · · Score: 1

      Just 'cause you paint that stuff white doesn't make it yogurt, pal. But if it contains e. coli, I'd certainly market it as probiotic as well. The taste is probably the same, after all. At least ... I imagine, I do NOT want to participate in an empirical experiment!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:It begins by inviolet · · Score: 1

      But saying that anti-virus programs will ignore the "harmless" malware overlooks the fact that there is no harmless malware. There doesn't exist any malware that's going to go to the trouble of infecting your machine and propagating, and then not do anything. No one would program one. That means that all malware is either black hat (adware, botnet, spyware, etc.) or white hat (attacks other malware). Even if it's not using CPU resources, it is doing some other damage, such as annoying the user or enabling spam (in the case of black hat) or violating the freedom of a user to choose what software they have installed on their machine (in the case of white hat). Either way, all malware should be cleaned by anti-malware programs. In the world of software programmed by people, there's no such thing as harmless piggybacking.

      That will very suddenly change once there is a business model in place for distributed computing. At that time, it will be profitable to run a botnet to crunch computational problems for profit. The malware could be used to quietly steal 10% of the CPU power of a million idle (i.e. consumer) workstations.

      Or it may steal a small fraction of the user's usually-underutilized network connection, perhaps to crawl the web.

      In both senses, the piggybacking is not meaningfully harmful. And because antivirus efforts cost money, effort, CPU cycles, diskspace, and frustration, it would be rational to forego it all in favor of a well-behaved strain of malware. The malware would simply be allowed (consciously or otherwise) to reside in your computer... as long as it doesn't take too much and is good at fending off the other malware.

      --
      FATMOUSE + YOU = FATMOUSE
  13. ... doing what? by Savage-Rabbit · · Score: 4, Funny

    And the Dept of Homeland security is doing what? exactly! Trying to figure out who to bomb?
    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  14. In Soviet Russia by Trivial_Zeros · · Score: 2, Funny

    In Soviet Russia, malware attacks... malware?

  15. If they'd just fix each other... by queenb**ch · · Score: 5, Funny

    Will someone please write a worm that 1) turns Windows Update on, 2) turns the Windows Firewall on, 3) turns off the keyboard & mouse ports for Windows 3.1, 95, 98, and ME machines thus forcing the retarded end users running on these platforms to upgrade, 4) installs ClamWIN and scans the hard drive, 5) installs SpyBot Search & Destroy and scans the hard drive, and 6) administers an electric shock to the aforementioned retarded end user for not taking care of this themselves?

    If your dog was running around the neighborhood barking at people and biting them, they'd make you do something about the dog. I don't see why your computer gets to the do the same thing on the internet with such impunity.

    2 cents,

    QueenB.

    --
    HDGary secures my bank :/
    1. Re:If they'd just fix each other... by operagost · · Score: 1

      Most of these worms don't work on those old versions of Windows. It's the 2000 and XP machines that are vulnerable. Also, installing software requires that one download it first, and that's a cure that's worse than the disease (see Welchia).

      I like the idea of turning on Windows Update, though.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    2. Re:If they'd just fix each other... by TheNinjaroach · · Score: 1

      When Windows XP / 2000 had that buffer overflow two summers ago we found a "virus" that did almost what you're proposing. It downloaded the patch, forced a reboot and had the install waiting for next startup. It was a clever idea I had, but then we found somebody else had beaten me to the punch.

      --
      I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    3. Re:If they'd just fix each other... by Tony Hoyle · · Score: 4, Informative

      I wouldn't use Spybot - it's getting kinda out of date now, and doesn't detect some of the worst ones. I've *never* seen Windows Defender successfully detect a spyware infestation - it's 100% useless.

      I recently had to fix a machine that was declared 100% clean by Spybot, Hijackthis, Windows Defender, etc. - and still kept throwing up random porn popups*. Turns out it was a virtumundo variant... the checker (forget the name) recommended by the hijackthis people could see it, but wanted money to remove it - eventually found an app that does it by doing some clever stuff and forces a bluescreen to stop it reinstalling itself (which it does in realtime.. you *can't* delete it manually). That's now in my machine fixing arsenal for the next time I see it.

      Makes me wonder how many of the bleats that 'my machine is clean therefore it must be blizzard being hacked' posts on the Wow forums have variants of similar crapware on there.. and they've fallen into the trap of believing the scanners despite the overwhelming evidence to the contrary.

      * And that was a machine without IE on it and fully patched.. the thing apparently got on in a trojanned version of Acrobat Reader.

    4. Re:If they'd just fix each other... by cheater512 · · Score: 1

      Whats stopping the Zero day flaws?

      You know there will always be at least one unpatched zero day flaw active at any time.

    5. Re:If they'd just fix each other... by smorken · · Score: 1

      If your dog was running around the neighborhood barking at people and biting them, they'd make you do something about the dog. I don't see why your computer gets to the do the same thing on the internet with such impunity. This isn't a perfect analogy though. It isn't the average Joe's fault that their computer is messed up it's Microsoft's for writing crappy software and the worm writer's for being malicious. If your dog was running around through the neighborhood barking and biting, in an analogous situation, it would be because one of your undesirable neighbours has captured your dog, and, in the worm writer's case, tortured it or given it rabies or something, and in the Microsoft/crappy software case, because your dog is retarded.
    6. Re:If they'd just fix each other... by Anonymous Coward · · Score: 0

      >>which it does in realtime.. you *can't* delete it manually

      Use a LiveCD.

    7. Re:If they'd just fix each other... by kabocox · · Score: 5, Informative

      I've found some things that you asked for, but not all. I don't know how to string them all together. ClamWin and SpyBot both say that they'll run from a bootCD. I didn't find any easy to follow admin install instructions for them. Mainly everything else is some reg files. I didn't find anything on keyboard or mouse ports of earlier versions of windows. I also didn't find anything about how to shock users. In the spirit of open sourceness, I expect someone else to actually do the real work of building a self installing zip file of ClamWin & Spybot, setting your fav. reg. settings, and having all of them autorun after a shutdown -r. I know that "it should be possible." I don't know enough windows scripting in order to do it.

      net stop wuauserv

      Start -> Run -> gpedit.msc -> Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Re-prompt for restart with scheduled installations. They hid it well but it's there :^)

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
      "RebootRelaunchTimeoutEnabled"=dword:00000000
      "NoAutoRebootWithLoggedOnUsers"=dword:00000001

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoDevMgrUpdate value to 0

      HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ WindowsFirewall

      Set these to "not configured"
      * Windows Firewall: Protect all network connections
      * Windows Firewall: Do not allow exceptions
      * Windows Firewall: Define program exceptions
      * Windows Firewall: Allow local program exceptions
      * Windows Firewall: Allow remote administration exception
      * Windows Firewall: Allow file and printer sharing exception
      * Windows Firewall: Allow ICMP exceptions
      * Windows Firewall: Allow Remote Desktop exception
      * Windows Firewall: Allow UPnP framework exception
      * Windows Firewall: Prohibit notifications
      * Windows Firewall: Allow logging
      * Windows Firewall: Prohibit unicast response to multicast or broadcast requests
      * Windows Firewall: Define port exceptions
      * Windows Firewall: Allow local port exceptions

      http://sourceforge.net/docman/display_doc.php?docid=28367&group_id=105508

      Preparation

      Start by installing the latest version of ClamWin, and download the latest virus definitions. See the ClamWin manual for full details on how to do this. Note that, if you are going to create a CD, you will not be able to update the virus definitions without creating a new CD, since a CD is read-only.
      Copy Folders

      Create a working folder in a convenient location to hold the files that are to be copied onto CD/USB, eg C:\ClamWin-CD.
      In the working folder, create a folder named ClamWin.
      Copy the contents of the ClamWin program folder into C:\ClamWin-CD\ClamWin. By default, the ClamWin program folder is installed to C:\Program Files\ClamWin
      Create folders named log, db and quara

    8. Re:If they'd just fix each other... by turing_m · · Score: 1

      OR downloads something like PCLinuxOS, reformats the hard drive and installs itself at 4:00am when no one is around to stop it. And then downloads and opens Wesnoth, ready to play. So that before they realize that the Office package isn't like MS, at least a certain percentage of the population will be hooked on one of the best OSS games out there.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    9. Re:If they'd just fix each other... by Anonymous Coward · · Score: 0

      "If your dog was running around the neighborhood barking at people and biting them, they'd make you do something about the dog"

      Bzzzt. Wrong!

    10. Re:If they'd just fix each other... by dosquatch · · Score: 2, Informative

      4) installs ClamWIN and scans the hard drive,

      What, install by force a package without a realtime scanner 'cause the user can't be bothered, and then think they'll bother doing manual scans? Methinks you've suffered an oversight...

      I've taken to suggesting AVG to all of my friends and family. Free, autoupdates, realtime scanner, scheduled daily full scan. Routinely outperforms both Norton and McAfee in lab catch tests. Otherwise, I'm all for your list.

      --
      "Hey, the third matrix movie would have been good except for the plot,story, and acting." --AC
    11. Re:If they'd just fix each other... by dosquatch · · Score: 2, Informative

      I wouldn't use Spybot - it's getting kinda out of date now, and doesn't detect some of the worst ones.

      Spybot regularly updates both signatures and detection methods. No, it's not perfect, but I've yet to meet the perfect scanner. I find that a combined dose of Spybot, AdAware, and a good AV program does a very good job of keeping Windows systems clean.

      --
      "Hey, the third matrix movie would have been good except for the plot,story, and acting." --AC
    12. Re:If they'd just fix each other... by sh3l1 · · Score: 0

      Windows Defender fixed a virus I had a while back

      --
      Help Me! I'm trapped in the tubes! Oh noes! Here comes a internet!
    13. Re:If they'd just fix each other... by MaufTarkie · · Score: 2, Informative

      I recently had to fix a machine that was declared 100% clean by Spybot, Hijackthis, Windows Defender, etc. - and still kept throwing up random porn popups*. Turns out it was a virtumundo variant... the checker (forget the name) recommended by the hijackthis people could see it, but wanted money to remove it - eventually found an app that does it by doing some clever stuff and forces a bluescreen to stop it reinstalling itself (which it does in realtime.. you *can't* delete it manually). That's now in my machine fixing arsenal for the next time I see it.

      I'll give you this advice for free: rename HijackThis. You'll see your Virtumundo in the O2 and O20s. In fact, that's good advice any time you want to see what's on a system. Rename it to a random name, most malware look for a specific executable name and hide themselves.

      Also, you can remove Vundo manually w/o a BSOD; you just have to know a few tricks and it's not trivial. There are free tools out there that will do this automatically after you know what the load points are.

      --
      Without you I'm one step closer to happiness without violence.
    14. Re:If they'd just fix each other... by that+this+is+not+und · · Score: 2, Interesting

      It could also be said that it's the ISP's fault, for letting machines 'shout' all over the net on ports not ordinarily used by typical end users.

      Now, I know that it disturbs people to talk like this, but the aforementioned 'dumb' Windows end user doesn't need more than a few ports open for connection to his/her machine.

      So if draconian measures are being bandied about in this thread, maybe anything but Port 80 should be blocked at the ISP at 'the last mile' connection by default. Need anything more, 'by special request' is the way it goes. Why should security be deployed at the end-user level if it's to protect 'a whole network.' That begs any rogue operator to be able to wreak havoc at the client level, i.e. the way things are now.

      Go ahead and rant, all you folks running 'servers' on your brother's old 486 box in the basement.

    15. Re:If they'd just fix each other... by aybiss · · Score: 0

      I must say that it is possible to kill most 'hard' viruses yourself with a copy of rootkitrevealer, unlocker and some understanding of how windows services and startup applications work. If you go and explicitly install a virus (obediently rebooting afterwards of course) you will always have a harder time removing it than a malicious ActiveX or something. Spybot is still a great tool as far as looking at your startup (and stopping things readding themselves), installed BHOs and stuff. What I find more annoying is the massively bloated virus scanners that get so easily disabled - Norton's is practically always in a state where it can't even uninstall itself by the time I get to see it.

      I'll just add that HijackThis logs are the worst thing to ever happen to searching for security information on the web. All you can turn up these days is log after log of chumps that are infected with everything under the sun.

      And yes, cleaning spyware and viruses *is* my job.

      --
      It's OK Bender, there's no such thing as 2.
    16. Re:If they'd just fix each other... by geminidomino · · Score: 1

      I find that Bazooka is an awesome detector, but doesn't have an automatic repair capability. It usually finds what the others miss.

    17. Re:If they'd just fix each other... by queenb**ch · · Score: 1

      In all honesty, I can't recommend AVG anymore. They don't update the free customers nearly as often as they update their paid products. This leaves the free customers vulnerable or infected for weeks-months at a time.

      2 cents,

      QueenB.

      --
      HDGary secures my bank :/
    18. Re:If they'd just fix each other... by dosquatch · · Score: 1

      AVG updates definitions almost daily. The scanning engine, maybe not as often as the paid product, but I'm alright with that. In fact, I more or less expect that - they are a business, after all. I find that the regularly updated free product works much, much better than the, say, 18-month out of date copy of Norton I found on my Mom's machine because, "it keeps wanting me to pay it, but I never use that program."

      I've gotta visit more often.

      At any rate, AVG isn't the only free-AV game in town. Avast!, AntiVirPE, and BitDefender are all solid products as well. If you can and are willing to purchase a product, it usually is worth it as the paid products tend to have more features and get more attention from the parent companies. If you can not or will not pay for a product, the free products (the four I've mentioned, anyway) all do a very good job.

      --
      "Hey, the third matrix movie would have been good except for the plot,story, and acting." --AC
  16. Ultimate Vulnerability! by canipeal · · Score: 1

    Regardless of the operating system or the applications which run upon it, the ultimate weakness at the end of the day lies upon the end user. You can only secure a system to a certain point until the user begins losing functionality, until the end user becomes more educated...well expect to see evolution in Malware.

    1. Re:Ultimate Vulnerability! by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      Regardless of the operating system or the applications which run upon it, the ultimate weakness at the end of the day lies upon the end user. You can only secure a system to a certain point until the user begins losing functionality, until the end user becomes more educated...well expect to see evolution in Malware.

      Your comment is factually correct, but also very misleading. Users are the hardest element to harden in the chain of security, but right now they are by no means the weakest link. The OS development community and security research community could easily eliminate 90% of all malware and reduce the amount of education needed for a user to safely use a computer to a tiny fraction of what they need to know now, if Windows would be modified in order to be secure and deal with the realities of the malware ecosystem.

      Right now, even in vista, the granularity of security is piss poor. You have three levels: 1) don't run software, 2) run software, and 3) run software and enter your password. This is wholly insufficient. Further, the UI used to present these levels is abysmal. I don't mean bad I mean abysmal. Whether MS hires the worst UI people in the world or whether they hire good people and their decisions are overridden by marketing and management, the end result is horrible from a UI/security perspective.

      If I was running the show at MS and had a shred of human decency and respect for innovation in the industry this is what I would create. First, applications both included and third party now have a new format that is contained within a single directory including temp space for writing files and what is now a DLL. It would optionally include an ACL, one or more certificates for verification of the origin and binary, and location for updates. Based upon the certificate, users would be given the option to subscribe to verification services that provide a trust level for a given application and MS would provide the same. The trust level for an application would be determined by the consensus of verifications applied and the weight given them by the user and if it is pre-installed, downloaded, or loaded from CD or DVD. Based upon that trust level, the application would be restricted by a mandatory access controls framework to obey the ACL that shipped with the program combined with the ACL for that trust level (with the default being to restrict the application more stringently). If any application wanted to exceed that ACL, the user would be presented with a very strongly worded warning, explaining exactly what it wanted and presented via a good UI with no OK/Cancel crap.

      This means if a user downloads some program via IM or the Web and if they run it the OS will look at the included ACL and cert and see what permission it wants and who will certify it as trustworthy, if anyone. Then, if it tries to exceed its authority, the OS will present a warning such as, "The program 'Storm' is not verified as trustworthy and would like to connect to the internet on a port normally used for sending instant messages. (Stop it from sending messages)(let it send messages once)(always let it send messages)(advanced options)."

      If the user lets it send IM messages it can spread, but do nothing else. They also have to explicitly let it connect on other ports and access other resources if it is to be useful to a spammer or DoS user. Since almost all software on most machines is pre-installed and since most other software will be verified by at least one other party, these messages will be exceptionally rare and thus stand out as important and weird to users. Even if the attacker uses a buffer overflow to take over a thread, their malware will still be limited by the ACL for that originating application, so if they want to send spam they better find a buffer overflow in your e-mail client specifically.

      When such a system is implemented the required user education will be a manageable level, a hour long class instead of a master's degree in computer technology. Then, if a user stil

    2. Re:Ultimate Vulnerability! by operagost · · Score: 1

      This means if a user downloads some program via IM or the Web and if they run it the OS will look at the included ACL and cert and see what permission it wants and who will certify it as trustworthy, if anyone. Then, if it tries to exceed its authority, the OS will present a warning such as, "The program 'Storm' is not verified as trustworthy and would like to connect to the internet on a port normally used for sending instant messages. (Stop it from sending messages)(let it send messages once)(always let it send messages)(advanced options)."
      Gee, that sounds like every client-based firewall on the market (including XP's). The only wrinkle is the application signing, which is ALSO already being done but with a crappy UI as you mentioned.
      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    3. Re:Ultimate Vulnerability! by Opportunist · · Score: 1

      The security of a system is the minimum of the machine's security and the user's ability.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Ultimate Vulnerability! by 99BottlesOfBeerInMyF · · Score: 1

      Gee, that sounds like every client-based firewall on the market (including XP's). The only wrinkle is the application signing, which is ALSO already being done but with a crappy UI as you mentioned.

      In a way. A client based firewall is insufficient because it is too easy for something to escalate privileges and get around it. A MAC ACL is built into the core of the OS and deals not only with network access, but also access to hardware resources, system services, and files. With a client based firewall a worm can still overwrite some other binary or run a buffer overflow and start sending spam regardless of what the firewall wants. With MAC, it can't overwrite anything and if it overruns a buffer it can only perform the limited actions for the binary that overflowed.

      Another aspect to this is currently Windows applications often do not install to a contained location and do not have a good install process, so keeping them contained and prevented from maliciously overwriting data at install time is a serious problem (especially on Vista).

      The only wrinkle is the application signing, which is ALSO already being done but with a crappy UI as you mentioned.

      Application signing, by itself, is not all that useful unless it is automatically applied to determine levels of trust, behind the scenes and without user intervention. Further, it needs very granular levels of trust beyond simple good app or bad app. I might trust some Adobe app enough to run because I have to have it for my job, but at the same time I might not trust it enough to have arbitrary internet access, like connecting to some random site in Europe whenever it starts up (one did this for no reason anyone I found could explain). If that same app shipped with an ACL from Adobe, they would have to choose if that was part of it and explain why it needed that permission. Third party verification companies could easily publish their own ACLs as well, which would stop such unneeded behavior and override the one that shipped with it. To make this clean, an official update mechanism and license/registration service and protocol would need to be established, but since those are also very nice features for end users and developers, it would be easy to push the industry in that direction, especially when you have a monopoly. Sadly, this same sort of security is a lot harder to get widely deployed on Linux, because there is no centralized decision making. MS and maybe Apple could implement this and people would go along with it to the benefit of all. Hopefully some day they will.
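The per-application MAC scheme sketched in comment 1 and refined in this reply (shipped ACL, trust level from weighted verifier consensus plus install origin, third-party override ACLs, and a prompt rather than a silent grant when an app exceeds its ACL) is concrete enough to model. The following is an added example by the editor, not code from the poster; the permission vocabulary, the per-level ceilings and the origin votes are all assumptions chosen to make the post's Storm and "Adobe app phoning home" cases testable.

```python
from dataclasses import dataclass, field

TRUST_ORDER = ["untrusted", "low", "medium", "high"]

# Ceiling ACL for each trust level (assumed policy: lower trust, smaller ceiling).
TRUST_CEILING = {
    "untrusted": set(),
    "low":    {"fs:read:home", "net:tcp:80", "net:tcp:443"},
    "medium": {"fs:read:home", "fs:write:home", "net:tcp:80", "net:tcp:443", "net:tcp:5222"},
    "high":   {"fs:read:home", "fs:write:home", "fs:read:addressbook",
               "net:tcp:25", "net:tcp:80", "net:tcp:443", "net:tcp:5222", "dev:webcam"},
}

# How the install origin votes in the consensus (assumed mapping).
ORIGIN_VOTE = {"preinstalled": "high", "cd": "medium", "download": "untrusted"}


@dataclass
class App:
    name: str
    origin: str                     # "preinstalled", "cd" or "download"
    shipped_acl: set                # permissions the vendor's ACL asks for
    verifications: dict = field(default_factory=dict)  # verifier -> trust level it asserts


def trust_level(app, weights):
    """Weighted consensus of verifier opinions plus the install-origin vote.
    `weights` maps a verifier name (and the pseudo-verifier "origin") to the
    weight the user gives it; unweighted verifiers count for nothing."""
    votes = dict(app.verifications)
    votes["origin"] = ORIGIN_VOTE[app.origin]
    score = total = 0.0
    for who, level in votes.items():
        w = weights.get(who, 0.0)
        score += w * TRUST_ORDER.index(level)
        total += w
    if total == 0:
        return "untrusted"
    return TRUST_ORDER[int(round(score / total))]


def effective_acl(app, weights, override_acl=None):
    """Most restrictive combination: the shipped ACL intersected with the trust
    ceiling, and further intersected with a subscribed third-party ACL if any."""
    acl = set(app.shipped_acl) & TRUST_CEILING[trust_level(app, weights)]
    if override_acl is not None:
        acl &= set(override_acl)
    return acl


def decide(app, perm, weights, override_acl=None):
    """'allow' inside the effective ACL; otherwise 'prompt', i.e. the strongly
    worded warning the post describes, never a silent grant. A hijacked thread
    (buffer overflow) gets the same answer as the app it lives in."""
    return "allow" if perm in effective_acl(app, weights, override_acl) else "prompt"


if __name__ == "__main__":
    weights = {"origin": 1.0, "MS": 1.0, "VerifyCo": 1.0}
    storm = App("Storm", "download", {"net:tcp:5222"})          # unsigned binary from an IM link
    print(decide(storm, "net:tcp:5222", weights))                # prompt
    editor = App("ImageEditor", "cd", {"fs:read:home", "fs:write:home", "net:tcp:443"},
                 {"MS": "high", "VerifyCo": "high"})
    print(decide(editor, "net:tcp:443", weights))                # allow
    print(decide(editor, "net:tcp:443", weights,
                 {"fs:read:home", "fs:write:home"}))             # prompt: override ACL drops it
    print(decide(editor, "net:tcp:25", weights))                 # prompt: exploited or not, no SMTP
```

Two properties of the model are worth noticing. Intersection is the only combinator, so no party (vendor, verifier, or origin) can widen what another has narrowed; and a request the ACL does not cover is never denied silently, which is what keeps the prompts rare enough to mean something, the point the post makes about pre-installed and verified software.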

    5. Re:Ultimate Vulnerability! by 99BottlesOfBeerInMyF · · Score: 1

      The security of a system is the minimum of the machine's security and the user's ability.

      I mostly agree, but it is a bit more complex than that. The machine's security includes its ability to inform the user and do what the user wants by making the right controls available to the user in a convenient way. Users are willing, for the most part, to spend a few hours learning the rules to safe computer use, provided they can still accomplish their normal tasks while following the rules. Right now they don't bother because that is not an option. They need years of training to learn to safely use a computer to do what they want and even an expert cannot always do what they want with given resources.

      For example, a guy I met in a chat room sends me a binary he claims is a game. If I want to install and run that game, but don't want to risk the security of my computer, I better be a bloody security expert. Even making a non-admin account on Windows and installing it there is not really a secure method because of all the local escalations for Windows and it is certainly way beyond the capabilities of the average user and is far, far, far from convenient. To really be safe I need to acquire a VM, install a copy of Windows in that VM, properly restrict the VM, and install and run the "game" in that VM.

      With a security setup designed for the realities of today's environment, I should just double click on it and the OS should assume it is untrusted and restrict it properly unless it can verify the certification for the program with a trusted third party.

    6. Re:Ultimate Vulnerability! by Opportunist · · Score: 1

      The ultimate first problem is that you SHOULD NOT run code from an unverified source. Period. A computer cannot make the decision what to trust and what not to (at least, in my opinion, it should not make that decision. MS and the whole TCPA bunch think otherwise, but ... I digress).

      You cannot "sandbox" an all purpose system to the point where the execution of a binary cannot cause harm to any part of it. At the very least, every file accessible with the account's privileges is in danger. Even if it's only read access, it can mean that the file can be copied and transferred. And every application that has the right to run "as admin" which can be executed by the user is just as much a security hole. This is independent of the OS you're using, unless you restrict the account to the point where it is almost unable to actually do anything sensible, but then you might not be able to install and run that game either.

      The ultimate key to security is the person using the system. You don't even need to go as far and ponder escalation hacks or loopholes, all you need is a yesclicker in front of the keyboard, and no matter how tight your security may be, it will crumble.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Ultimate Vulnerability! by 99BottlesOfBeerInMyF · · Score: 1

      The ultimate first problem is that you SHOULD NOT run code from an unverified source. Period.

      Tasks are not defined by what people should do in some mythical fairyland, but need to be based upon what people actually do. People want to run binaries they don't trust. Binaries are all trusted to differing degrees. I trust Photoshop because I have little choice. I need to use it. That does not mean Adobe should have the ability to do anything they want on my machine. I might want to run Halo, but I sure as hell don't trust some programmer at MS did not include a back door for my computer in it. I trust OpenSSH to some degree, but I don't have the time or skill to properly audit the code and don't implicitly trust that it has no exploitable buffer overflows.

      The initial assumption for any valid security system in our current climate should be that binaries should not be trusted any more than necessary.

      A computer cannot make the decision what to trust and what not to

      You mean like firewalls shouldn't be deciding that I don't want traffic on port 20 on a default install? Determining what level of trust should be assigned to an application is a process that should be automated for most people, but should also involve human decision making. Applications can be signed and certified and various vendors or certification agencies can have differing levels of authority. People can even subscribe to services that verify software and provide opinions about the level and types of trust for an application, much as people now subscribe to anti-virus services.

      You cannot "sandbox" an all purpose system to the point where the execution of a binary cannot cause harm to any part of it.

      You don't sandbox a system, you sandbox each application with different permissions for each.

      At the very least, every file accessable with the account's privileges is in danger. And every application that has the right to run "as admin" which can be executed by the user is just as much a security hole.

      Please go read up on mandatory access controls. This is exactly what they are designed to prevent. Just because I'm running some random executable is no reason my OS should assume it should be able to read my e-mail address book file, even if my e-mail program does have access to that file. The point is to restrict each application to the resources it actually needs. This way, if some program wants to do something unexpected, the user is given the option of stopping it and if an application is subverted, it still can't do anything the original parent could not. Suppose there is a buffer overflow in an image reader so that a maliciously crafted image can execute code with the same privileges. Since it is an image reader and does not need internet access or the ability to overwrite parts of the kernel, this vulnerability can be useless to worm writers on a properly secure system. Understand?

      This is independent of the OS you're using, unless you restrict the account to the point where it is almost unable to actually do anything sensible, but then you might not be able to install and run that game either.

      The point of MAC is to make more granular restrictions than the user account, restricting by application, not by user. You can still run games, the games just can't do anything they want and are restricted by default. As for what OS's I'm talking about any Linux distro with SELinux enabled, TrustedBSD, and Solaris all have MAC frameworks. Apple is known to be developing one for OS X and there is a port of the TrustedBSD one for OS X if you want to install it yourself.

      The ultimate key to security is the person using the system.

      I long for the day when the user is the weakest link in the security chain, but they are a long way from that right now. Fix the OS security first, then educate users for what little remains.

      You don't even need to go as far and ponder escalation hacks or loopholes, all you need is a yescl

  17. Little known facts by UnknowingFool · · Score: 2, Funny

    Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.

    What isn't generally reported is that Peacomm uses "Your momma's so fat" insults in the DDOS attacks. By far the most devastating and hilarious DDOS this year.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  18. why can't the governments of the world... by JustNiz · · Score: 1

    just make spamvertising illegal?

    They could simply prosecute the companies that are advertising their products via spam, after all they must have either directly been the originators of the spam, or at least know who they are funding to do the dirty work.

    The businesses that exist solely to send spam would disappear overnight if their client base disappeared.

    I'm sure any government could easily be able to determine who is ultimately behind spam, simply by buying some advertised product then either tracking the credit card transaction or by working out what the supply chain is from drug batch numbers on the product etc.

    1. Re:why can't the governments of the world... by cosmocain · · Score: 1

      yeah, they could.

      but somehow - i guess, murder is illegal in most of the countries of the world, but wait - somewhere somehow people still get murdered. hell, why?

      lemme guess - some folks don't give a f* what's illegal? there HAS to be a reason.

    2. Re:why can't the governments of the world... by Anonymous Coward · · Score: 0

      I can imagine that world, and I can imagine sending spams in my competitors' names to shut them down.

    3. Re:why can't the governments of the world... by 99BottlesOfBeerInMyF · · Score: 1

      They could simply prosecute the companies that are advertising their products via spam, after all they must have either directly been the originators of the spam, or at least know who they are funding to do the dirty work.

      Great, then I can send spamvertisements for my competitor and they will be arrested. I can send spamvertisements for the company run by the jerk who is dating my ex-gf and he'll go to jail and she'll come to me for comfort. That's a great plan.

      I'm sure any government could easily be able to determine who is ultimately behind spam, simply by buying some advertised product then either tracking the credit card transaction or by working out what the supply chain is from drug batch numbers on the product etc.

      Really, how would they do this? Suppose I send spamvertisements for my competitor and a guy who sees one orders a product. His credit card pays my competitor who knew nothing of the spam and my competitor goes to jail for doing nothing. That sounds fair aside from the whole innocent until proven guilty thing.

    4. Re:why can't the governments of the world... by Anonymous Coward · · Score: 0

      Do we really want the government stepping in and monitoring each and every one of our machines so they can track the spammers back to their source? I don't want the government in my computer any more than the spammers. Do you? Not to mention there isn't a government on the planet who's competent to actually make it work.

      No. What we -really- need is a way to de-incentivize the spammers and malware authors. They're in it for the money. The gains still far outweigh the risks. The solution is to tip the balance the other way, to increase the risk so it FAR outweighs the reward.

      Own a botnet built of infected machines? Fine. Time for some good old-fashioned vigilanteism. Time to take the sonofabiatch out back and fucking KILL him. No fine. No jail time. Just a 9mm to the back of the head and post video of "Spammer getting what he deserves" on YouTube.

      Two or three spammers DIE for being spammers, and we'll see the rate of malware production drop like a rock.

    5. Re:why can't the governments of the world... by dreamlax · · Score: 1

      The difference is that people who murder people and get caught go to jail. The people who spamvertise aren't even chased in the first place.

    6. Re:why can't the governments of the world... by JPribe · · Score: 1

      Two or three spammers DIE for being spammers, and we'll see the rate of malware production drop like a rock.

      Right, because drugs kill and everyone runs from those(ecstasy is a great example). Driving is one of the most dangerous things you can do...but you still drive everywhere. Being in the mob is dangerous, or a bookie, drug dealer, human trafficking, the list goes on. All an order of magnitude more dangerous than simple spamming...with a hell of a lot more 9mm shots to the head. All still wildly popular.

      Yeah, that'll work.

      --

      Why go fast when you can go anywhere? O|||||||O
  19. It's more than that by httptech · · Score: 3, Interesting

    I'm the author of the technical writeup detailing the attack on the rival spam group. But the only reason I was investigating the DDoS attacks launched by the Storm Worm/Peacomm/Nuwar is due to my own site being attacked after I detailed the pump-and-dump stock spam operation of the Rustock trojan. It is getting riskier to publish research on viruses and spam. I believe since spammers were able to take out Blue Security by DDoS attack, they are getting bolder in who they target. There's no downside for them.

    1. Re:It's more than that by Bearhouse · · Score: 1

      Hey, give us their URL, we'll /. the bastards...

  20. Nothing new here by Anonymous Coward · · Score: 0

    This has been around for years. It's called Norton Antivirus

  21. Code warriors by Applekid · · Score: 1

    I have visions of Tron-esque gladiators fighting for the right to make the mainframe belong to the penis enlargement spam zombie network or the penny stock spam zombie network.

    Also, it might be neat pitting malware against each other in a Code War type of visible environment.

    --
    More Twoson than Cupertino
  22. This is old news, at least 2002 or earlier by Afecks · · Score: 1

    The Aplore worm used the same trick in 2002 except it set up a web server on each computer and sent a URL pointing to it in IM windows. I'm sure there are earlier examples but that is the first one off the top of my head.

  23. Popular spinoff by physicsboy500 · · Score: 2, Funny

    I vote they make a spinoff of Robot Wars

    I can see it now...

    Malware wars... watch rival malware rip each other apart!

    "Oh my god, Malwarior just executed an amazing kill maneuver!"

    "It looks like Spymaster is only hanging on by a thread!"

    "Oh... and he's done for. Spymaster is terminated... add him to the hexdump!"

    --
    The original generic sig.
  24. It Seems to me... by Eric+Damron · · Score: 1

    that a large percentage of malware is designed to turn the user's PC into a mail spamming bot. I, for the life of me, do not understand how this can be effective if ISPs took even moderate precautions.

    1. Don't allow your users to send port 25 traffic to any address but your own mail server.
    2. Don't allow any one user to send massive quantities of email. Most users won't need to send thousands of emails in a single day.
    3. Use blackhole lists to prevent SPAM from networks that don't follow the above rules.

    It seems like the above three rules would put a big roadblock for spammers. Am I missing something?

    --
    The race isn't always to the swift... but that's the way to bet!
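The three rules above are a detection policy an ISP could run over its own flow records. As an added example (editor's code, not the poster's), here is that policy applied to a handful of constructed flow lines: rule 1 flags any customer host that talks port 25 to something other than the ISP's own relay, rule 2 flags any host whose daily submission volume passes a threshold, and rule 3 is shown as the reversed-octet DNSBL query name a receiving MTA would resolve to check a source. The address ranges (TEST-NET documentation blocks), the relay address and the thresholds are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

ISP_NET = ipaddress.ip_network("203.0.113.0/24")          # assumed customer range
ISP_SMTP = {ipaddress.ip_address("203.0.113.25")}          # assumed ISP relay / smarthost
DAILY_LIMIT = 1000                                         # assumed per-host messages per day

# Constructed flow records: timestamp,src,dst,dport,messages (messages only used for port 25).
FLOWS = """\
2007-02-16T03:12:01,203.0.113.40,203.0.113.25,25,12
2007-02-16T03:12:05,203.0.113.41,198.51.100.7,25,40
2007-02-16T03:12:06,203.0.113.41,198.51.100.8,25,40
2007-02-16T03:12:07,203.0.113.41,192.0.2.33,25,40
2007-02-16T03:15:00,203.0.113.42,203.0.113.25,25,1500
2007-02-16T03:16:00,203.0.113.43,198.51.100.7,443,0
2007-02-16T03:17:00,192.0.2.9,203.0.113.25,25,3
"""


def parse_flows(text):
    """Turn the CSV lines into (ts, src, dst, dport, messages) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, msgs = line.split(",")
        rows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     int(dport), int(msgs)))
    return rows


def find_spam_bots(flows, isp_net=ISP_NET, isp_smtp=ISP_SMTP, daily_limit=DAILY_LIMIT):
    """Rules 1 and 2 from the post. Returns {src_ip: [reason, ...]} for customer
    hosts that either connect to port 25 on non-ISP hosts or exceed the daily volume."""
    direct_mx = defaultdict(set)   # src -> foreign hosts it contacted on 25
    volume = Counter()             # src -> messages submitted in the window
    for _ts, src, dst, dport, msgs in flows:
        if src not in isp_net or dport != 25:
            continue               # only outbound SMTP from our customers is in scope
        volume[src] += msgs
        if dst not in isp_smtp:
            direct_mx[src].add(dst)
    findings = {}
    for src in set(direct_mx) | set(volume):
        reasons = []
        if direct_mx.get(src):
            reasons.append(f"rule1: direct port-25 to {len(direct_mx[src])} non-ISP host(s)")
        if volume[src] > daily_limit:
            reasons.append(f"rule2: {volume[src]} messages exceeds {daily_limit}/day")
        if reasons:
            findings[str(src)] = reasons
    return findings


def dnsbl_query_name(ip, zone):
    """Rule 3: the name a DNSBL lookup resolves for an IPv4 source, octets reversed
    under the list's zone (a listed address answers with an A record)."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    for host, reasons in sorted(find_spam_bots(parse_flows(FLOWS)).items()):
        print(host, reasons)
    print(dnsbl_query_name("198.51.100.7", "zen.example"))
```

Note that rule 1, implemented literally, also catches the customer who runs a legitimate mail server, which is the objection the replies below raise; that is why the usual compromise is to block port 25 but leave the authenticated submission port (587) open, so relaying through a real MTA still works while a bot that speaks raw SMTP to random MXes does not.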
    1. Re:It Seems to me... by 99BottlesOfBeerInMyF · · Score: 0, Troll

      1. Don't allow your users to send port 25 traffic to any address but your own mail server.

      Repeat after me... the internet is not the web, the internet is not the web. I'd kind of rather ISPs did not arbitrarily block ports because one OS is so unbelievably insecure that it does not even inform users before it starts spamming e-mail to the world, when that is a common occurrence on that platform.

      Here's a counter-suggestion. How about if MS gets off their butts and makes their OS reasonably secure so that it isn't easier to hijack a Windows box and use it to send spam than it is to configure a proper e-mail server on that same OS. The assumption that all software run on a Windows machine should be trusted and allowed to do basically whatever it wants should have died long ago. Let's not treat symptoms by shutting down all the commonly used ports and protocols malware uses to perform malicious attacks, since that only makes it get around them by doing things like hijacking users' e-mail accounts to send the spam. Instead why don't we pressure MS to solve the bloody problem. In fact, I know exactly how to motivate them. It is called "the capitalist free market." Break MS into two companies forbidden from collusion and both with all the rights to the Windows code and patents to date. In three years both will have a new version on the market and both will be reasonably secure because they will be motivated directly by greed to give customers what they want, including security. But I guess enforcing our existing laws against criminals is harder than passing a new law to castrate internet access for responsible users, huh?

    2. Re:It Seems to me... by wizkid · · Score: 1

      Some people do run SECURE mailservers from the ISP account. So this isn't a good solution. MS fixing their software, and users learning how to set up and maintain their system is the first step. A computer is NOT a toaster, and requires maintenance.
      Requiring SPF would be a major step in reducing the spam. But you need to get usage of SPF past the critical mass point. Spam is increasing exponentially, and sooner or later the infrastructure supporting it is going to collapse. When email becomes useless, then it will get fixed.... maybe.

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    3. Re:It Seems to me... by wizkid · · Score: 1

      And I forgot, you also need to beat people that buy stuff from spam senseless with a CLUE STICK, until they stop supporting spammers. I think this may be starting to happen, due to the fact phishing/spoofing attacks are on the rise.

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    4. Re:It Seems to me... by crabpeople · · Score: 1

      "1. Don't allow your users to send port 25 traffic to any address but your own mail server."

      Yeah maybe I'd use my ISP's mailserver if they didn't tag all my mail, forward me shittonnes of spam and have a roundtrip time measured in hours.

      Maybe I should pay $300 for a brake pad change too eh? Instead of doing it myself properly. I obviously should leave it up to the 17 year old "professional" trainee down at Speedy.

      --
      I'll just use my special getting high powers one more time...
    5. Re:It Seems to me... by rossz · · Score: 1

      My ISP (http://www.sonic.net) puts limits on ports by default, but you can easily change this via a web interface. Most users will never need to change the default (and secure) settings. Some, myself included, are technically competent enough to know what they're doing and will open up the ports. Simple and effective.

      --
      -- Will program for bandwidth
    6. Re:It Seems to me... by Hoi+Polloi · · Score: 1

      How about opening up liability laws to make software manufacturers as responsible as any other manufacturer? Build a car with a known, or should have reasonably known, flaw and get sued hard. Build an OS with security holes everywhere and get sued hard. It is time to stop coddling them.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    7. Re:It Seems to me... by Eric+Damron · · Score: 1

      Well, the only problem to your suggestion is that waiting on Microsoft to secure its OS is about as productive as pissing into the wind. Other than that I totally agree.

      --
      The race isn't always to the swift... but that's the way to bet!
    8. Re:It Seems to me... by Eric+Damron · · Score: 1

      Well, it would mean that a few people would not be able to run their own mail servers. But really, I don't think that there is any way to get everyone to secure their PCs. So, I believe that my suggestion is the only practical alternative to uncontrolled spam.

      --
      The race isn't always to the swift... but that's the way to bet!
    9. Re:It Seems to me... by Opportunist · · Score: 1

      How do you want to prove it was the OS that caused the problem? The system can be as solid and stable, as secure and tight as can be, if the user is dumb enough to execute the spambot with administrator privileges, the system can't (and should not!) keep him from doing that.

      If you want to make OS manufacturers liable, I want users liable for their sheer idiocy as well!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:It Seems to me... by Hoi+Polloi · · Score: 1

      How about OS's or browsers that are vulnerable to javascript hacks, etc?

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    11. Re:It Seems to me... by Opportunist · · Score: 1

      Fine. Now prove (as a layman, or as someone who cannot afford hiring a professional to actually verify the flow of the infection) that it was a hack and not user stupidity. And keep in mind that many viruses and trojans destroy a system after they had their fun.

      Good luck. You're the one suing, so the burden of proof is on you.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:It Seems to me... by wizkid · · Score: 1

      You obviously didn't read my posts very well. Using SPF would eliminate the boneheads who don't patch or fix their PCs. Yet it would allow registered mail servers to send mail. It would force dial up and broadband PCs to send all their mail through registered mail servers, which would force ISPs to block/stop the outgoing spam within the domain. If they don't and their customers can't send mail, then they go out of business. Maybe you should have read what I had said, and if you don't know what SPF is, then that just shows that you don't know anything about what's been developed, but not implemented, to help control spam and you're just talking out your butt. If more of the major ISPs start blocking non-SPF validated mail, then it would hinder, and eventually choke off, most of the botnet created mail that we're seeing today. For it to work, most, if not all, mail servers would have to start using it to validate mail. The only way to get around it would be to spoof DNS, and that's not easy to do because they'd have to spoof the receiving end, not the sending end.

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    13. Re:It Seems to me... by Eric+Damron · · Score: 1

      You're right, I didn't do a very good job reading your post. :-( Sorry.

      I don't know enough about SPF to know if it would work. Can spammers somehow fake it?

      Any workable solution that maintains our internet freedoms is better than locking the internet down of course.

      --
      The race isn't always to the swift... but that's the way to bet!
    14. Re:It Seems to me... by wizkid · · Score: 1

      Spammers can't fake it, because it's on the receiving end. They can register fake domains and spam from them until they get listed, and they can hijack DNS servers and fake entries. And it's also not the original intended use for DNS, so it has its opponents there. They've added a record type for DNS now, a record type of 99 I think it is.
      Hey, there's no perfect solution, except maybe hot lead landing at high velocity between all the spammers' eyes. But it would damage the botnets' output extensively. The other thing, that the US has shown a great resistance to, is to work with the other countries to go after spammers. Every EU country, and lots of others, criticized the US for the 2003 you-CAN-SPAM act. Oh well.
            W.Kid

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
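    As an added example (not code from the thread or any poster), a minimal receiver-side SPF check in Python over a constructed in-memory stand-in for DNS: it shows the point made above that the receiver resolves the claimed sender domain itself, so a bot forging that domain gets a fail unless it also controls the domain's DNS. All zone data, domain names and addresses below are constructed.

```python
# Added example, not code from the thread. Minimal receiver-side SPF
# evaluation (RFC 7208 subset: ip4, ip6, a, mx, include, all) against a
# constructed in-memory stand-in for DNS. The receiver resolves the
# *claimed* sender domain itself; forging the domain cannot change that.
import ipaddress

# Constructed sample zone data: (name, record type) -> values.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def _spf_record(domain):
    recs = [r for r in _lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None  # more than one record is invalid

def check_spf(ip, domain, depth=0):
    """SPF result for connecting address `ip` claiming MAIL FROM `domain`."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms per check
    record = _spf_record(domain)
    if record is None:
        return "none"  # no SPF policy published: nothing to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):  # an IPv4/IPv6 version mismatch simply does not match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in _lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ipaddress.ip_address(a) == addr
                          for h in _lookup(arg or domain, "MX") for a in _lookup(h, "A"))
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term
```

    A bot on 10.0.0.1 claiming example.com gets "fail" from the -all term, while the listed MX host, the ip4 range and the included mail host all pass.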
  25. hasn't... by Anonymous Coward · · Score: 4, Funny

    Hasn't norton a/v been doing exactly this for years? Malware, fighting malware? :)

  26. When Malware Attacks Malware by Joe+The+Dragon · · Score: 1

    NEXT ON NON STOP FOX!

  27. If I encountered Curious Yellow by Anonymous Coward · · Score: 0

    I would alter my kernel to make sure it does not run. Say, something like, change the mechanism that issues a syscall, or perhaps the signature of executable files. Oh, and move the compiler to another place on disk.

  28. Two wrongs make a right? / Swordfish by Zantetsuken · · Score: 2, Insightful

    I'm not really sure, and depending on how vicious this is, but sometimes maybe 2 wrongs do make a right... For those of you who haven't seen the movie "Swordfish" they pretty much use terrorism to dissuade other terrorist actions. Perhaps this type of virus/worm/etc could be a good thing for us, that for most virus/worm/spam creators it will become such a pain in the ass to wreak their havoc, it won't be worth it for them (would you keep intentionally making/distributing virus/etc if it meant you got DDoS'ed so hard your server melts every month, costing you money on hardware?)

    But then again, perhaps 2 wrongs don't make a right...

    1. Re:Two wrongs make a right? / Swordfish by Anonymous Coward · · Score: 0

      An eye for an eye until everyone is blind.

  29. DDoS by Gary+W.+Longsine · · Score: 1

    Was it actually confirmed that spammers were able to DDoS Blue Security out of existence? Last I recall the evidence for that was weak.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  30. Or... by cadeon · · Score: 1

    Or we could just use a unix security model, and when something wants to sudo, force it to ask the console user for a password. Microsoft steals ideas all the time. Why can't they steal the unix model, and be done with it?

    1. Re:Or... by Tim+C · · Score: 1

      Or we could just use a unix security model, and when something wants to sudo, force it to ask the console user for a password.

      That only happens if you're not running as root. On Windows, if you're not logged in as a member of the Administrators group, either you'll be prompted for some credentials (rare) or it'll fail with an error (much more common).

      Don't blame MS because people run as admin; blame third party software developers for assuming people do, and for requiring admin access even when they don't need it.

    2. Re:Or... by cadeon · · Score: 1

      Well stated, however:

      The reason the third party developers assume people run as admin is because Microsoft has built the OS assuming they do. Basically the MS security stack is backwards- they start with an admin user and then restrict rights (in many different ways) down to whatever level is desired- the unix way is to start with a totally restricted account, and then add rights as needed. A fresh user on a unix box doesn't even have access to the optical drive by default.

      If the thinking was right at the OS level, developers would follow suit.

  31. When worms collide by Anonymous Coward · · Score: 0
    ...this is what it's like when worms collide...
    ...this is what it's like when worms collide...
    ...this is what it's like when wORMS COLLIDE!! AUUUUAAAGGGH!!!
    </Powerman5000>

  32. zomg thunderdome by AIfa · · Score: 1

    Two program enter, one program leaves

  33. stupid question... by Anonymous Coward · · Score: 0

    Are Macs directly affected ? DDoS affects everyone but I'm wondering if this can screw with the actual OS.

  34. Toleration is not a reasonable policy by oKAMi-InfoSec · · Score: 1

    tolerate malware as long as it doesn't eat up too much CPU
    In real life, most users already do this...albeit unwittingly or because they think they will gain a benefit:
    • In terms of malware - one of the reasons people find out they have an infected computer is because it stops performing as "quickly" as it used to.
    • In terms of spyware - people believe that the toolbar gizmo will benefit them...somehow
    The problem with proposing the "toleration policy" as a reasonable solution is that it is not reasonable...

    If I can define an infection well enough to allow it because it doesn't suck up many CPU cycles...then I should just as easily be able to define it and remove/block it just as I do any other malware infection.
    --
    Chalmer
  35. It has been done by an.echte.trilingue · · Score: 1

    It has been done. It was called Welchia. It didn't work out too well. From wikipedia:

    While this worm did no apparent damage to individual systems -- indeed, it actually helped to secure certain systems -- it did create vast amounts of traffic by its transmission method, thereby slowing down the Internet and the Microsoft website. The worm also made some systems unstable by its workings, and, once the patches had been installed, it rebooted the system. Because of these effects, the worm was perceived as a threat, and a patch was released by all major anti-viral companies.
    http://en.wikipedia.org/wiki/Welchia
    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  36. CmdrTaco: help, being beat up by mod trolls .. by rs232 · · Score: 1

    Seeing as it's being totally abused don't you think it's time to disable it.

    In this year 2007, why are we still talking about viruses, spam and malware? Why don't they make a desktop OS that doesn't get 'malware' merely by opening an email attachment or clicking on a web link.

    IM programs and malware .. (Score:-1, Troll)
    http://slashdot.org/comments.pl?sid=222234&cid=18001072

    --
    davecb5620@gmail.com
    1. Re:CmdrTaco: help, being beat up by mod trolls .. by Vegeta99 · · Score: 1

      I have mod points, but I'm not modding your post back up.

      What you said is the same as replying to an article about a homicide and saying "Well why don't we lock up all the murderers?"

      Don't state the obvious in a discussion and expect not to be squelched.